Dell Networking Configuration Guide for the Z9500 Switch 9.8(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide................................................................................................. 33 Audience..............................................................................................................................................33 Conventions........................................................................................................................................ 33 Related Documents...............................................................
Using Hashes to Validate Software Images........................................................................................56 4 Switch Management.......................................................................................... 58 Configuring Privilege Levels............................................................................................................... 58 Creating a Custom Privilege Level...........................................................................................
Using Telnet to Access Another Network Device..............................................................................79 Lock CONFIGURATION Mode........................................................................................................... 80 Viewing the Configuration Lock Status........................................................................................80 Recovering from a Forgotten Password on the Z9500.....................................................................
Configuring an ACL VLAN Group................................................................................................113 Allocating ACL VLAN CAM...........................................................................................................114 Applying an IP ACL to an Interface................................................................................................... 115 Configure Ingress ACLs.........................................................................................
Configuring Protocol Liveness....................................................................................................161 9 Border Gateway Protocol IPv4 (BGPv4).......................................................162 Autonomous Systems (AS)................................................................................................................162 Sessions and Peers............................................................................................................................
Filtering Routes with Community Lists...................................................................................... 200 Manipulating the COMMUNITY Attribute.................................................................................. 200 Changing MED Attributes........................................................................................................... 202 Changing the LOCAL_PREFERENCE Attribute..........................................................................
Configure Control Plane Policing.................................................................................................... 239 Configuring CoPP for Protocols................................................................................................ 239 Examples of Configuring CoPP for Protocols............................................................................241 Configuring CoPP for CPU Queues...........................................................................................
Generation of PFC for a Priority for Untagged Packets...................................................................277 Performing PFC Using DSCP Bits Instead of 802.1p Bits................................................................ 278 PFC and ETS Configuration Examples............................................................................................. 279 Using PFC to Manage Converged Ethernet Traffic.........................................................................
Display Transceiver Type............................................................................................................ 324 Recognize an Over-Temperature Condition.............................................................................326 Troubleshoot an Over-Temperature Condition........................................................................ 327 Troubleshooting Packet Loss...........................................................................................................
15 Equal Cost Multi-Path (ECMP)..................................................................... 359 ECMP for Flow-Based Affinity.......................................................................................................... 359 Enabling Deterministic ECMP Next Hop.................................................................................... 359 Configuring the Hash Algorithm Seed.......................................................................................
19 Force10 Resilient Ring Protocol (FRRP).....................................................389 Protocol Overview............................................................................................................................389 Ring Status.................................................................................................................................. 390 Multiple FRRP Rings........................................................................................................
Configuring a Static IGMP Group..................................................................................................... 413 Enabling IGMP Immediate-Leave.....................................................................................................414 IGMP Snooping................................................................................................................................. 414 IGMP Snooping Implementation Information......................................................
Configuration Tasks for Port Channel Interfaces...................................................................... 433 Creating a Port Channel............................................................................................................. 433 Adding a Physical Interface to a Port Channel.......................................................................... 434 Reassigning an Interface to a New Port Channel......................................................................
24 IPv4 Routing................................................................................................... 465 IP Addresses...................................................................................................................................... 465 Implementation Information...................................................................................................... 465 Configuration Tasks for IP Addresses.........................................................................
IPv6 Header Fields...................................................................................................................... 484 Extension Header Fields............................................................................................................. 486 IPv6 Addressing...........................................................................................................................487 IPv6 Implementation on the Dell Networking OS...............................................
Interface Support.........................................................................................................................515 Adjacencies.................................................................................................................................. 515 Graceful Restart.................................................................................................................................515 Timers.....................................................................
Displaying the MAC Address Table.............................................................................................556 MAC Learning Limit...........................................................................................................................556 Setting the MAC Learning Limit.................................................................................................. 557 mac learning-limit Dynamic...............................................................................
Relevant Management Objects........................................................................................................ 587 31 Microsoft Network Load Balancing............................................................ 594 NLB Unicast and Multicast Modes................................................................................................... 594 NLB Unicast Mode Example.......................................................................................................
Spanning Tree Variations..................................................................................................................626 Implementation Information...................................................................................................... 626 Configure Multiple Spanning Tree Protocol....................................................................................626 Related Configuration Tasks.................................................................................
Configuration Task List for OSPFv2 (OSPF for IPv4).................................................................. 661 Sample Configurations for OSPFv2............................................................................................ 675 Configuration Task List for OSPFv3 (OSPF for IPv6).................................................................. 677 36 Pay As You Grow ........................................................................................... 690 Installing a License.....
40 Port Monitoring.............................................................................................. 718 Local Port Monitoring....................................................................................................................... 718 Important Points to Remember.................................................................................................. 718 Examples of Port Monitoring............................................................................................
Port-Based QoS Configurations.......................................................................................................752 Setting dot1p Priorities for Incoming Traffic.............................................................................. 752 Honoring dot1p Priorities on Ingress Traffic.............................................................................. 753 Configuring Port-Based Rate Policing.....................................................................................
45 Remote Monitoring (RMON)........................................................................799 Implementation Information............................................................................................................ 799 Fault Recovery...................................................................................................................................799 Setting the RMON Alarm...................................................................................................
Configuration Task List for RADIUS........................................................................................... 839 TACACS+.......................................................................................................................................... 842 Configuration Task List for TACACS+........................................................................................842 TACACS+ Remote Authentication and Authorization..........................................................
Debugging Layer 2 Protocol Tunneling.....................................................................................874 Provider Backbone Bridging.............................................................................................................874 49 sFlow................................................................................................................ 876 Overview..................................................................................................................
Copy a Binary File to the Startup-Configuration.......................................................................899 Additional MIB Objects to View Copy Statistics........................................................................ 899 Obtaining a Value for MIB Objects............................................................................................ 900 MIB Support to Display the Available Memory Size on Flash..........................................................
Configuring Loop Guard.............................................................................................................927 Displaying STP Guard Configuration............................................................................................... 928 53 System Time and Date...................................................................................929 Network Time Protocol...............................................................................................................
57 Virtual LANs (VLANs)......................................................................................958 Default VLAN.....................................................................................................................................958 Port-Based VLANs............................................................................................................................ 959 VLANs and Port Tagging...................................................................................
RSTP and VLT.............................................................................................................................. 995 VLT Bandwidth Monitoring.........................................................................................................995 VLT and IGMP Snooping.............................................................................................................995 VLT IPv6..............................................................................................
Enabling the VLT Proxy Gateway..............................................................................................1041 LLDP Organizational TLV for Proxy Gateway...........................................................................1041 Sample Configuration for a VLT Proxy Gateway..................................................................... 1043 Configuring an LLDP VLT Proxy Gateway.....................................................................................
About this Guide 1 This guide describes the protocols and features that the Dell Networking Operating Software (OS) supports on the Z9500 system and provides configuration instructions and examples for implementing them. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
• 34 Dell Networking Z9500 Release Notes About this Guide
Configuration Fundamentals 2 The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
You can set user access rights to commands and command modes using privilege levels; for more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
CLI Command Mode CONFIGURATION Prompt Dell(conf)# Access Command • From any other mode, use the end command. • From EXEC privilege mode, enter the configure command. From every mode except EXEC and EXEC Privilege, enter the exit command. • NOTE: Access all of the following modes from CONFIGURATION mode.
CLI Command Mode Prompt Access Command Per-VLAN SPANNING TREE Plus Dell(config-pvst)# protocol spanning-tree pvst PREFIX-LIST Dell(conf-nprefixl)# ip prefix-list RAPID SPANNING TREE Dell(config-rstp)# protocol spanning-tree rstp REDIRECT Dell(conf-redirect-list)# ip redirect-list ROUTE-MAP Dell(config-route-map)# route-map ROUTER BGP Dell(conf-router_bgp)# router bgp BGP ADDRESS-FAMILY Dell(conf-router_bgp_af)# address-family {ipv4 multicast | ipv6 unicast} (for IPv4) (ROUTER BGP Mode)
CLI Command Mode Prompt Access Command LLDP Dell(conf-lldp)# or Dell(conf-if—interfacelldp)# protocol lldp (CONFIGURATION or INTERFACE Modes) LLDP MANAGEMENT INTERFACE Dell(conf-lldp-mgmtIf)# management-interface (LLDP Mode) LINE Dell(config-line-console) or Dell(config-line-vty) line console orline vty MONITOR SESSION Dell(conf-mon-sesssessionID)# monitor session OPENFLOW INSTANCE Dell(conf-of-instance-ofid)# openflow of-instance PORT-CHANNEL FAILOVERGROUP Dell(conf-po-failovergrp)# port
Rainier(conf)# do show ip interface brief Interface IP-Address OK Protocol TenGigabitEthernet 0/0 unassigned NO TenGigabitEthernet 0/1 unassigned NO TenGigabitEthernet 0/2 unassigned NO TenGigabitEthernet 0/3 unassigned NO TenGigabitEthernet 0/4 unassigned YES TenGigabitEthernet 0/5 unassigned YES TenGigabitEthernet 0/6 unassigned YES TenGigabitEthernet 0/7 unassigned YES TenGigabitEthernet 0/8 unassigned YES TenGigabitEthernet 0/9 unassigned YES Method Status Manual Manual Manual Manual Manual Manual Manu
interface TenGigabitEthernet 4/17 ip address 192.168.10.1/24 no shutdown Dell(conf-if-te-4/17)#no ip address Dell(conf-if-te-4/17)#show config ! interface TenGigabitEthernet 4/17 no ip address no shutdown Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command. • The UP and DOWN arrow keys display previously entered commands (refer to Command History). • The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations.
Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option. The grep command accepts an ignore-case sub-option that forces the search to case-insensitive.
329 655 244 74 0 270 30 30 0 27 3 3 0 10000 10000 10000 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0 0 0 0 inetd login sh sh Example of the find Keyword The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show processes command. Dell#show processes cpu cp | find system 0 72900 7290 10000 17.79% 17.93% 538 42710 4271 10000 6.52% 7.
Multiple Users in Configuration Mode The Z9500 operating system notifies all users when there are multiple users logged in to CONFIGURATION mode. A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established.
3 Getting Started This chapter describes how you start configuring your Z9500 operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Serial Console The RJ-45/RS-232 console port is labeled on the I/O side (upper right-hand) of the Z9500 chassis. Figure 1. RJ-45 Console Port 1. RJ-45 Console Port Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9500 console port to a terminal server. 2.
Table 2.
Accessing the System Remotely You can configure the system to access it remotely by Telnet or SSH. • The Z9500 has a dedicated management port and a management routing table that is separate from the IP routing table. • You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well. Accessing the Z9500 Remotely Configuring the system for Telnet is a three-step process: 1. Configure an IP address for the management port.
CONFIGURATION mode management route ip-address/mask gateway – ip-address: the network address in dotted-decimal format (A.B.C.D). – mask: a subnet mask in /prefix-length format (/ xx). – gateway: the next hop for network traffic originating from the management port. Configuring a Username and Password To access the system remotely, you must configure a system username and password. • Configure a username and password to access the system remotely.
* 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system. * 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system. Manage Configuration Files Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.
• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location. • To copy a remote file to Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location. Table 3.
Save the Running-Configuration The running-configuration contains the current system configuration. Dell Networking recommends coping your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startupconfiguration is stored in the internal flash on the system by default, but it can be saved on a USB flash device or a remote server.
that HTTP server to use a specific routing table. You can use the ip http vrf command to inform the HTTP server to use a specific routing table. After you configure this setting, the VRF table is used to look up the destination address. NOTE: To enable HTTP to be VRF-aware, as a prerequisite you must first define the VRF. You can specify either the management VRF or a nondefault VRF to configure the VRF awareness setting.
hostname pt-z9500-11 ! enable password 7 b125455cf679b208e79b910e85789edf ! username admin password 7 1d28e9f33f99cf5c ! linecard 0 provision Z9500LC36 --More— Enabling Software Features on Devices Using a Command Option This capability to activate software applications or components on a device using a command is supported on the S4810, S4820T, and S6000, platforms. Starting with Release 9.4(0.
View Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command.
1. Download Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file is displayed next to the software image file on the iSupport page. 2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command. 3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin 4.
4 Switch Management This chapter describes the switch management tasks supported on the Z9500. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1. Level Description Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Moving a Command from EXEC Privilege Mode to EXEC Mode To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access. Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
• Allow access to CONFIGURATION mode. CONFIGURATION mode • privilege exec level level configure Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command. CONFIGURATION mode • privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword} Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
range Configure interface range tengigabitethernet TenGigabit Ethernet interface vlan VLAN interface Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#? end Exit from configuration mode exit Exit from interface configuration mode Dell(conf-if-te-1/1)#exit Dell(conf)#line ? aux Auxiliary line console Primary terminal line vty Virtual terminal Dell(conf)#line vty 0 Dell(config-line-vty)#? exit Exit from line configuration mode Dell(config-line-vty)# Applying a Privilege Level to a Username To
• Disable logging to the logging buffer. CONFIGURATION mode • no logging buffer Disable logging to terminal lines. CONFIGURATION mode • no logging monitor Disable console logging. CONFIGURATION mode no logging console Audit and Security Logs This section describes how to configure, display, and clear audit and security logs.
• Adding and deleting of users. • User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration) Important Points to Remember When you enabled RBAC and extended logging: • Only the system administrator user role can execute this command. • The system administrator and system security administrator user roles can view security events and system events.
Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version [0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Pre-requisites To configure a secure connection from the switch to the syslog server: 1. On the switch, enable the SSH server Dell(conf)#ip ssh server enable 2.
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140 ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf 3. Configure logging to a local host. locahost is “127.0.0.1” or “::1”. If you do not, the system displays an error when you attempt to enable role-based only AAA authorization. Dell(conf)# logging localhost tcp port Dell(conf)#logging 127.0.0.
Example of Configuring Login Activity Tracking The following example enables login activity tracking. The system stores the login activity details for the last 30 days. Dell(config)#login statistics enable The following example enables login activity tracking and configures the system to store the login activity details for 12 days. Dell(config)#login statistics enable Dell(config)#login statistics time-period 12 Display Login Statistics To view the login statistics, use the show login statistics command.
-----------------------------------------------------------------User: admin Last login time: Mon Feb 16 04:40:00 2015 Last login location: Line vty0 ( 10.14.1.97 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 11 day(s): 3 ------------------------------------------------------------------ Limit Concurrent Login Sessions Dell Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines.
Example of Enabling the System to Clear Existing Sessions The following example enables you to clear your existing login sessions. Dell(config)#login concurrent-session clear-line enable Example of Clearing Existing Sessions When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions: $ telnet 10.11.178.14 Trying 10.11.178.14... Connected to 10.11.178.14. Escape character is '^]'.
• Display the Logging Buffer and the Logging Configuration • Configure a UNIX Logging Facility Level • Enable Timestamp on Syslog Messages • Synchronize Log Messages • Audit and Security Logs • • Configuring Logging Format Secure Connection to a Syslog Server Disabling System Logging By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
Configuring a UNIX System as a Syslog Server To configure a UNIX System as a syslog server, use the following command. • Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file. – Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log – Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.
Te 2/3 --More-To view any changes made, use the show running-config logging command in EXEC privilege mode, as shown in the example for Configure a UNIX Logging Facility Level. Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level. Configuring a UNIX Logging Facility Level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command. • Specify one of the following parameters.
service ! logging logging logging logging Dell# timestamps debug datetime msec trap debugging facility user source-interface Loopback 0 10.10.10.4 Synchronizing Log Messages You can configure the Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. 1. Enter LINE mode.
Specify the following optional parameters: – You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC. – uptime: To view time since last boot. If you do not specify a parameter, the system configures uptime. To view the configuration, use the show running-config logging command in EXEC privilege mode. To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.
Example of Viewing FTP Configuration Dell#show running ftp ! ftp-server enable ftp-server username nairobi password 0 zanzibar Dell# Configuring FTP Server Parameters After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands. • Specify the directory for users using FTP to reach the system. CONFIGURATION mode ftp-server topdir dir • The default is the internal flash directory.
• Configure a password. CONFIGURATION mode • ip ftp password password Enter a username to use on the FTP client. CONFIGURATION mode ip ftp username name To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server. Terminal Lines You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system.
Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are: enable Prompt for the enable password.
password myvtypassword login authentication myvtymethodlist Dell(config-line-vty)# Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns the system to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. • Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported. Example of the telnet Command for Device Access Dell# telnet 10.11.80.203 Trying 10.11.80.203... Connected to 10.11.80.203. Exit character is '^]'. Login: Login: admin Password: Dell>exit Dell#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive configuration mode. If any user is already in CONFIGURATION mode when while a lock is in place, the following appears on their terminal (message 2): % Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration If you do not want to do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the Z9500 factory-default configuration. To boot up with the factory-default configuration: 1. Log onto the system using the console. 2. Power-cycle the chassis by disconnecting and.then reconnecting the power cord. 3.
reload Restoring Factory-Default Settings When you restore factory-default settings on a switch, the existing NVRAM settings, startup configuration, and all configured settings are deleted. To restore the factory-default settings, enter the restore factory-defaults {clear-all | nvram} command in EXEC Privilege mode. CAUTION: There is no undo for this command. Important Points to Remember • When you restore the factory-default settings on all units in a stack, the units are placed in standalone mode.
• If the primary boot line is B: and the B: partition contains a valid image, the primary boot line is set to B:, the secondary boot line is set to A: (if A: also contains a valid image), and default boot line is set to a Null string. • If either partition contains an invalid or corrupted image, the partition is not set in any of the boot lines. If both partitions contain invalid images, the primary, secondary, and default boot lines are set to a Null string.
BOOT_USER # To boot from the network: BOOT_USER # boot change primary boot device : tftp file name : FTOS-SI-9-5-0-169.bin Server IP address : 10.16.127.35 BOOT_USER # 4. Assign an IP address and network mask to the Management Ethernet interface. BOOT_USER # interface management ethernet ip address ip_address_with_mask For example, 10.16.150.106/16. 5. Assign an IP address as the default gateway for the system. default-gateway gateway_ip_address For example, 10.16.150.254. 6.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
2. The supplicant responds with its identity in an EAP Response Identity frame. 3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server. 4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAPMethod).
EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.
• Configuring an Authentication-Fail VLAN Important Points to Remember • The system supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MSCHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured. • 802.1X is not supported on port-channels or port-channel members. 90 802.
Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication 802.
Examples of Verifying that 802.1X is Enabled Globally or on an Interface Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold lines show that 802.1X is enabled. Dell#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface TenGigabitEthernet 2/1 no ip address dot1x authentication no shutdown ! Dell# View 802.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem. To configure re-transmissions, use the following commands. • Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode dot1x tx-period number The range is from 1 to 65535 (1 year) • The default is 30.
• after 90 seconds and a maximum of 10 times for an unresponsive supplicant • re-transmits an EAP Request Identity frame The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions. Dell(conf-if-range-Te-0/0)#dot1x tx-period 90 Dell(conf-if-range-Te-0/0)#dot1x max-eap-req 10 Dell(conf-if-range-Te-0/0)#dot1x quiet-period 120 Dell#show dot1x interface TenGigabitEthernet 2/1 802.
The bold line shows the new port-control state. Dell(conf-if-Te-0/0)#dot1x port-control force-authorized Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0 802.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period. Dell(conf-if-Te-0/0)#dot1x reauthentication interval 7200 Dell(conf-if-Te-0/0)#dot1x reauth-max 10 Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0 802.
The bold lines show the new supplicant and server timeouts. Dell(conf-if-Te-0/0)#dot1x port-control force-authorized Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0 802.
Figure 7. Dynamic VLAN Assignment 1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
Example of Configuring Maximum Authentication Attempts Dell(conf-if-Te-2/1)#dot1x guest-vlan 200 Dell(conf-if-Te 2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown Dell(conf-if-Te-2/1)# Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-Te-2/1)# View
Access Control Lists (ACLs) 6 This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
• VRF based IMPLICIT DENY Rules NOTE: In order for the VRF ACLs to take effect, ACLs configured in the Layer 3 CAM region must have an implicit-permit option. You can use the ip access-group command to configure VRF-aware ACLs on interfaces. Using the ip access-group command, in addition to a range of VLANs, you can also specify a range of VRFs as input for configuring ACLs on interfaces. The VRF range is from 1 to 63.
CAM Usage The following section describes CAM allocation and CAM optimization. • User Configurable CAM Allocation • CAM Optimization User-Configurable CAM Allocation User-configurable content-addressable memory (CAM) allows you to specify the amount of memory space that you want to allocate for ACLs. To allocate ACL CAM, use the cam-acl command in CONFIGURATION mode. For information about how to allocate CAM for ACL VLANs, see Allocating ACL VLAN CAM.
Implementing ACLs You can assign one IP ACL per physical or VLAN interface. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected.
before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 254. Example of the order Keyword to Determine ACL Sequence Dell(conf)#ip access-list standard acl1 Dell(config-std-nacl)#permit 20.0.0.0/8 Dell(config-std-nacl)#exit Dell(conf)#ip access-list standard acl2 Dell(config-std-nacl)#permit 20.1.1.
Example of Permitting All Packets on an Interface The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32Dell(conf-ext-nacl)#deny ip any 10.1.1.1./32 fragments Dell(conf-ext-nacl) Example of Denying Second and Subsequent Fragments To deny the second/subsequent fragments, use the same rules in a different order.
Example of Logging Denied Packets To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a configuration similar to the following. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp any any fragment Dell(conf-ext-nacl)#permit udp any any fragment Dell(conf-ext-nacl)#deny ip any any log Dell(conf-ext-nacl) When configuring ACLs with the fragments keyword, be aware of the following.
seq seq seq seq seq Dell# 30 35 40 45 50 deny deny deny deny deny 10.6.0.0 /16 10.7.0.0 /16 10.8.0.0 /16 10.9.0.0 /16 10.10.0.0 /16 The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order. Dell(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)#seq 15 permit tcp 10.3.0.
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode. Dell#show ip accounting access example interface gig 4/12 Extended IP access list example seq 10 deny tcp any any eq 111 seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 seq 40 permit udp host 10.21.126.226 10.4.5.0 /28 seq 45 permit udp 10.8.0.0 /16 10.50.188.
Configure Filters, TCP Packets To create a filter for TCP packets with a specified sequence number, use the following commands. 1. Create an extended IP ACL and assign it a unique name. CONFIGURATION mode ip access-list extended access-list-name 2. Configure an extended IP ACL filter for TCP packets.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. Filters are assigned in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply: • When the system routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them. • When the system switches the packets, the egress L3 ACL does not filter the packet.
Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The VLAN member interfaces, on which the ACL in an ACL VLAN group is applied, function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs on which hierarchical filtering is performed. • You can add only one ACL to an interface at a time.
You can create up to eight different ACL VLAN groups. 2. Add a description. ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode description description 3. Apply an egress IP ACL. ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode ip access-group access-list-name out implicit-permit 4. Specify the VLAN members in the ACL VLAN group. ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode member vlan vlan-range 5. Verify the currently configured ACL VLAN groups on the switch.
You can configure CAM allocation for only two of these VLAN services at a time. You can allocate from 0 to 2 FP blocks for each VLAN service. To allocate the number of FP blocks for ACL VLAN optimization, enter the cam-acl-vlan vlanaclopt <0-2> command. After you configure ACL VLAN CAM, reboot the switch to enable CAM allocation for ACL VLAN optimization. To display the number of FP blocks currently allocated to different ACL VLAN services, enter the show cam-acl-vlan command.
Example of Viewing ACLs Applied to an Interface Dell(conf-if)#show conf ! interface TengigabitEthernet 0/0 ip address 10.2.1.100 255.255.255.0 ip access-group nimule in no shutdown Dell(conf-if)# To filter traffic on Telnet sessions, use only standard ACLs in the access-class command. Configure Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results.
To restrict egress traffic, use an egress ACL. For example, when a direct operating system (DOS) attack traffic is isolated to a specific interface, you can apply an egress ACL to block the flow from the exiting the box, thus protecting downstream devices. To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. Implementation Information Prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefixlists.
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 20 was configured before filter 15 and 12, but the show config command displays the filters in the correct order. Dell(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32 Dell(conf-nprefixl)#seq 12 deny 134.23.0.0 /16 Dell(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16 Dell(conf-nprefixl)#show config ! ip prefix-list juba seq 12 deny 134.23.0.0/16 seq 15 deny 120.0.0.
To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence number of the filter you want to delete, then use the no seq sequence-number command in PREFIX LIST mode. Viewing Prefix Lists To view all configured prefix lists, use the following commands. • Show detailed information about configured prefix lists. EXEC Privilege mode • show ip prefix-list detail [prefix-name] Show a table of summarized information about configured Prefix lists.
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded. CONFIG-ROUTER-RIP mode • distribute-list prefix-list-name in [interface] Apply a configured prefix list to outgoing routes. You can specify an interface or type of route. If you enter the name of a non-existent prefix list, all routes are forwarded.
distribute-list prefix awe in Dell(conf-router_ospf)# ACL Resequencing ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. To order new rules using the current numbering scheme, use resequencing whenever there is no opportunity. For example, the following table contains some rules that are numbered in increments of 1.
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Stepto-Increment} Examples of Resequencing ACLs When Remarks and Rules Have the Same Number or Different Numbers The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2. Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command.
remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.2 seq 8 permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.3 seq 12 permit ip any host 1.1.1.4 Route Maps Although route maps are similar to ACLs and prefix lists in that they consist of a series of commands that contain a matching criterion and an action, route maps can modify parameters in matching packets. ACLs and prefix lists can only drop or forward the packet or traffic.
Creating a Route Map Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command. • Create a route map and assign it a unique name. The optional permit and deny keywords are the action of the route map.
interface TengigabitEthernet 0/1 Set clauses: tag 35 level stub-area Dell# The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
route-map for any permit statement. If there is a match anywhere, the route is permitted. However, other instances of the route-map deny it.
• Match next-hop routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode • match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode • match ip route-source {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode • match ipv6 route-source {access-list-name | prefix-list prefix-list-name} Match routes with a specific value.
• Specify a value for the BGP route’s LOCAL_PREF attribute. CONFIG-ROUTE-MAP mode • set local-preference value Specify a value for redistributed routes. CONFIG-ROUTE-MAP mode • set metric {+ | - | metric-value} Specify an OSPF or ISIS type for redistributed routes. CONFIG-ROUTE-MAP mode • set metric-type {external | internal | type-1 | type-2} Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode • set next-hop ip-address Assign an IPv6 address as the route’s next hop.
Route maps add to that redistribution capability by allowing you to match specific routes and set or change more attributes when redistributing those routes. In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF. According to the route map static ospf, only routes that have a next hop of Tengigabitethernet interface 0/0 and that have a metric of 255 are redistributed into the OSPF backbone area.
NOTE: If you configure the continue clause without specifying a module, the next sequential module is processed. Example of Using the continue Clause in a Route Map ! route-map test permit 10 match commu comm-list1 set community 1:1 1:2 1:3 set as-path prepend 1 2 3 4 5 continue 30! Configuring UDF ACL To configure UDF ACL, use the following commands. 1. Enable UDF ACL feature on a switch. CONFIGURATION mode feature udf-acl Dell(conf)#feature udf-acl 2.
EcfmAcl : FcoeAcl : iscsiOptAcl : ipv4pbr : vrfv4Acl : Openflow : fedgovacl : nlbclusteracl: 0 2 0 0 0 0 0 0 -- linecard 0 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 4 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 FcoeAcl : 2 iscsiOptAcl : 0 ipv4pbr : 0 vrfv4Acl : 0 Openflow : 0 fedgovacl : 0 nlbclusteracl: 0 4. Create a context for UDF TCAM. CONFIGURATION mode udf-tcam name seq number Dell(conf)#udf-tcam ipnip seq 1 5.
CONFIGURATION-UDF TCAM mode show config Dell(conf-udf-tcam)#show config ! udf-tcam ipnip seq 1 match l2ethertype ipv4 ipprotocol 4 vlantag any Dell(conf-udf-tcam)# 9. Create a UDF qualifier value to assign values for all UDF IDs. CONFIGURATION-UDF TCAM mode udf-qualifier-value name Dell(conf-udf-tcam)# udf-qualifier-value ipnip_val1 10. Assign value for each configured UDF ID in the given UDF TCAM profile.
Bare Metal Provisioning (BMP) 7 Starting with Dell Networking OS Release 9.2(1.0), BMP is supported on the Z9500 switch. This chapter describes the latest Bare Metal Provisioning (BMP) enhancements that apply to the Z9500. For details about supported BMP commands and configuration procedures, refer to the Dell Networking Open Automation Guide.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
receiving interface is faulty). The BFD manager notifies the routing protocols that are registered with it (clients) that the forwarding path is down and a link state change is triggered in all protocols. NOTE: A session state change from Up to Down is the only state change that triggers a link state change in the routing protocol client. BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets.
Field Description Flag A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer to BFD Sessions).
BFD Sessions BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles: Active The active system initiates the BFD session. Both systems can be active for the same session. Passive The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
3. The active system receives the response from the passive system and changes its session state to Up. It then sends a control packet indicating this state change. This is the third and final part of the handshake. Now the discriminator values have been exchanged and the transmit intervals have been negotiated. 4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established.
receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10. Session State Changes Important Points to Remember • On the Z9500, the system supports 128 sessions at 200 minimum transmit and receive intervals with a multiplier of 3, and 64 sessions at 100 minimum transmit and receive intervals with a multiplier of 4. • Enable BFD on both ends of a link. • Demand mode, authentication, and the Echo function are not supported.
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Static Routes Configuring BFD for static routes is supported on the Z9500 switch.. BFD offers systems a link state detection mechanism for static routes.
Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes, use the show bfd neighbors command. R1(conf)#ip route 2.2.3.0/24 2.2.2.2 R1(conf)#ip route bfd R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.
agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change occurred. NOTE: If you enable BFD after OSPF with a large number (more than 100) of OSPF neighbors on a VLAN port-channel and if the VLAN has more than one port-channel, BFD does not come up immediately. (This behavior occurs only if you enable BFD after connections with all OSPF neighbors are fully established.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 12. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 O 2.2.3.
• Disable BFD sessions with all OSPFv3 neighbors. ROUTER-OSPFv3 mode • no bfd all-neighbors Disable BFD sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors disable Configure BFD for OSPFv3 BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors.
Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPFv3 neighbors.
• Disabling BFD for IS-IS Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 13. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors.
The bold line shows that IS-IS BFD sessions are enabled. R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role.
• Disable BFD sessions with IS-IS neighbors on a single interface. INTERFACE mose isis bfd all-neighbors disable Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature.
Figure 14. Establishing Sessions with BGP Neighbors The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peergroup-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition. 1. Enable BFD globally. CONFIGURATION mode bfd enable 2. Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode router bgp as-number 3. Add a BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number 4.
• Disable a BFD for BGP session with a specified neighbor. ROUTER BGP mode • neighbor {ip-address | peer-group-name} bfd disable Remove the disabled state of a BFD for BGP session with a specified neighbor. ROUTER BGP mode no neighbor {ip-address | peer-group-name} bfd disable Use BFD in a BGP Peer Group You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
show ip bgp neighbors [ip-address] Examples of Verifying BGP Information The following example shows viewing a BGP configuration. R2# show running-config bgp ! router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors The following example shows viewing all BGP neighbors.
Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
Down Admin Down : 0 : 2 The following example shows viewing BFD summary information. The bold line shows the message that displays when you enable BFD for BGP connections. R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.2 2.2.2.2 3.3.3.
Connections established 1; dropped 0 Last reset never Local host: 2.2.2.3, Local port: 63805 Foreign host: 2.2.2.2, Foreign port: 179 R2# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ... R2# show ip bgp neighbors 2.2.2.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 15. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
The following example shows viewing sessions with VRRP neighbors. The bold line shows that VRRP BFD sessions are enabled. R1(conf-if-te-4/25)#vrrp bfd all-neighbors R1(conf-if-te-4/25)#do show bfd neighbor * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr * 2.2.5.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.5.2 Te 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command.
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Verifying BFD Sessions with BGP Neighbors Using the show bfd neighbors command example in Displaying BFD for BGP Information. Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state.
Border Gateway Protocol IPv4 (BGPv4) 9 This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 16. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 17. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route Reflectors Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules. NOTE: Do not use route reflectors (RRs) in the forwarding path. In iBGP, hierarchal RRs maintaining forwarding plane RRs could create routing loops. Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
BGP Attributes Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
Figure 19. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. 4. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths. 8. Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains. 9. The system deems the paths as equal and does not perform steps 9 through 11, if the following criteria is met: a. the IBGP multipath or EBGP multipath are configured (the maximum-path command).
shorter (one hop instead of two), the LOCAL_PREF settings have the preferred path go through Router B and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B. Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path.
Figure 21. Multi-Exit Discriminators Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE. Origin Type Description IGP Indicates the prefix originated from information learned through an interior gateway protocol. EGP Indicates the prefix originated from information learned from an EGP protocol, which NGP replaced. INCOMPLETE Indicates that the prefix originated from an unknown source.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP. Therefore, you cannot redistribute multiprotocol BGP routes into BGP. Implement BGP The following sections describe how BGP is implemented on the Z9500 switch.
Table 6.
AS4 Number Representation Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported. NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported. ASPLAIN is the default method the system uses. With the ASPLAIN notation, a 32-bit binary AS number is translated into a decimal value.
bgp asnotation asdot+ bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 22. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
disabled, it is assumed that clients are in a full mesh and there is no need to advertise prefixes to the other clients. • High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB. • To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Networking recommends setting the timeout and retry count values to a relatively higher number. For example, t = 60 or r = 5.
NOTE: All newly configured neighbors and peer groups are disabled. To enable a neighbor or peer group, enter the neighbor {ip-address | peer-group-name} no shutdown command. The following table displays the default values for BGP in the Dell Networking OS. Table 7. BGP Default Values Item Default BGP Neighbor Adjacency changes All BGP neighbor changes are logged.
1. Assign an AS number and enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system. NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically. a. Enable 4-Byte support for the BGP process. NOTE: This command is OPTIONAL. Enable if you want to use 4-Byte AS numbers or if you support AS4 number representation.
Examples of the show ip bgp summary Command (2-Byte and 4–Byte AS number) NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode. To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode.
NOTE: The showconfig command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command. The following example displays two neighbors: one is an external internal BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is an external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State.
network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.
bgp asnotation asdot+ Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command. Dell(conf-router_bgp)#bgp asnotation asplain Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.
Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it. For information about configuring route policies for a peer group, refer to Filtering BGP Routes. NOTE: Sample Configurations for enabling peer groups are found at the end of this chapter. 1. Create a peer group by assigning a name to it. CONFIG-ROUTERBGP mode neighbor peer-group-name peer-group 2. Enable the peer group.
A neighbor cannot become part of a peer group if it has any of the following commands configured: • neighbor advertisement-interval • neighbor distribute-list out • neighbor filter-list out • neighbor next-hop-self • neighbor route-map out • neighbor route-reflector-client • neighbor send-community A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect ou
To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege mode, as shown in the following example. Dell>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.
To disable fast fail-over, use the [no] neighbor [neighbor | peer-group] fail-over command in CONFIGURATION ROUTER BGP mode. • Enable BGP Fast Fail-Over. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} fail-over Examples of Verifying that Fast Fail-Over is Enabled To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast fail-over is disabled by default, it appears only if it has been enabled (shown in bold).
To verify that fast fail-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold). Dell#sh ip bgp peer-group Peer-group test fail-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.
CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown 4. Create and specify a remote peer for BGP neighbor. CONFIG-ROUTER-BGP mode neighbor peer-group-name remote-as as-number Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group. For more information about peer groups, refer to Configure Peer Groups.
neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.
neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 allowas-in 9 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)#R2(conf-router_bgp)# Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency. With the graceful restart feature, the system enables the receiving/restarting mode by default.
To configure an AS-PATH ACL to filter a specific AS_PATH value, use these commands in the following sequence. 1. Assign a name to a AS-PATH ACL and enter AS-PATH ACL mode. CONFIGURATION mode ip as-path access-list as-path-name 2. Enter the parameter to match BGP AS-PATH for filtering. CONFIG-AS-PATH mode {deny | permit} filter parameter This is the filter that is used to match the AS-path. The entries can be any format, letters, numbers, or regular expressions.
0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 701 701 209 701 701 209 701 209 3561 9116 21350 i 1239 577 855 ? 3561 4755 17426 i 5743 2648 i 209 568 721 1494 i 701 2019 i 8584 16158 i 6453 4759 i Regular Expressions as Filters Regular expressions are used to filter AS paths or community lists.
Example of Using Regular Expression to Filter AS Paths Dell(config)#router bgp 99 Dell(conf-router_bgp)#neigh AAA peer-group Dell(conf-router_bgp)#neigh AAA no shut Dell(conf-router_bgp)#show conf ! router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown Dell(conf-router_bgp)#neigh 10.155.15.
– level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2. – metric value: The value is from 0 to 16777215. The default is 0. • – map-name: name of a configured route map. Include specific OSPF routes in IS-IS. ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id: the range is from 1 to 65535.
IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET community. In the RFC, the other communities are defined as follows: • All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
deny deny deny deny deny deny Dell# 701:667 702:667 703:667 704:666 705:666 14551:666 Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create a extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
deny 14551:666 Dell# Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
neighbor {ip-address | peer-group-name} send-community To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group. 1. Enter ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode. Dell>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network * i 3.0.0.0/8 *>i 4.2.49.12/30 * i 4.21.132.0/23 *>i 4.24.118.16/30 *>i 4.24.145.0/30 *>i 4.24.187.12/30 *>i 4.24.202.0/30 *>i 4.25.88.
Changing the LOCAL_PREFERENCE Attribute In the Dell Networking OS, you can change the value of the LOCAL_PREFERENCE attribute. To change the default values of this attribute for all routes received by the router, use the following command. • Change the LOCAL_PREF value. CONFIG-ROUTER-BGP mode bgp default local-preference value – value: the range is from 0 to 4294967295. The default is 100.
You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Disable next hop processing and configure the router as the next hop for a BGP neighbor. CONFIG-ROUTER-BGP mode • neighbor {ip-address | peer-group-name} next-hop-self Sets the next hop address. CONFIG-ROUTE-MAP mode set next-hop ip-address Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command.
Filtering BGP Routes Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs or IP community lists (using a route map) to control which routes the BGP neighbor or peer group accepts and advertises. Prefix lists filter routes based on route and prefix length, while AS-Path ACLs filter routes based on the ASN. Route maps can filter and set conditions, change attributes, and assign update policies.
CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out} Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • prefix-list-name: enter the name of a configured prefix list. • in: apply the prefix list to inbound routes. • out: apply the prefix list to outbound routes.
Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • map-name: enter the name of a configured route map. • in: apply the route map to inbound routes. • out: apply the route map to outbound routes. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Configuring BGP Route Reflectors BGP route reflectors are intended for ASs with a large mesh; they reduce the amount of BGP control traffic. NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector. With route reflection configured properly, IBGP routers are not fully meshed within a cluster but all receive routing information.
Dell#show ip bgp BGP table version is 0, local router ID is 10.101.15.13 Status codes: s suppressed, d damped, h history, * valid, > best Path source: I - internal, a - aggregate, c - confed-external, r redistributed, n - network Origin codes: i - IGP, e - EGP, ? - incomplete Network *> 7.0.0.0/29 *> 7.0.0.0/30 *>a 9.0.0.0/8 *> 9.2.0.0/16 *> 9.141.128.0/24 Dell# Next Hop 10.114.8.33 10.114.8.33 192.0.0.0 10.114.8.33 10.114.8.
• has an attribute change The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, you may configure penalties (a numeric value) for routes that flap. When the penalty value reaches a configured limit, the route is not advertised, even if the route is up. The system uses a penalty value is 1024. As time passes and the route does not flap, the penalty value decrements or is decayed.
– half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the halflife period expires. The default is 15 minutes. – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). The default is 750.
Dell(conf-router_bgp)#bgp dampening 2 ? <1-20000> Value to start reusing a route (default = 750) Dell(conf-router_bgp)#bgp dampening 2 2000 ? <1-20000> Value to start suppressing a route (default = 2000) Dell(conf-router_bgp)#bgp dampening 2 2000 3000 ? <1-255> Maximum duration to suppress a stable route (default = 60) Dell(conf-router_bgp)#bgp dampening 2 2000 3000 10 ? route-map Route-map to specify criteria for dampening To view a count of dampened routes, history routes, and penalized routes w
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds. – holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
neighbor {ip-address | peer-group-name} soft-reconfiguration inbound BGP stores all the updates received by the neighbor but does not reset the peer-session. Entering this command starts the storage of updates, which is required to do inbound soft reconfiguration. Outbound BGP soft reconfiguration does not require inbound soft reconfiguration to be enabled. Example of Soft-Reconfigration of a BGP Neighbor The example enables inbound soft reconfiguration for the neighbor 10.108.1.1.
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. MBGP for IPv4 multicast is supported on the Z9500 switch. In the Dell Networking OS, MBGP is implemented per RFC 1858.
Debugging BGP To enable BGP debugging, use any of the following commands. • View all information about BGP, including BGP events, keepalives, notifications, and updates. EXEC Privilege mode • debug ip bgp [ip-address | peer-group peer-group-name] [in | out] View information about BGP route being dampened. EXEC Privilege mode • debug ip bgp dampening [in | out] View information about local BGP state changes and other BGP events.
To disable all debugging, use the undebug all command. Storing Last and Bad PDUs The system stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per peer basis. The last bad PDU is the one that causes a notification to be issued. In the following example, the last seven lines shown in bold are the last PDUs. Example of the show ip bgp neighbor Command to View Last and Bad PDUs Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2 BGP neighbor is 1.1.1.
Capturing PDUs To capture incoming and outgoing PDUs on a per-peer basis, use the capture bgp-pdu neighbor direction command. To disable capturing, use the no capture bgp-pdu neighbor direction command. The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction.
With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs. The following example shows viewing space requirements for storing all PDUs. Dell(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.250 Incoming packet capture enabled for BGP neighbor 172.30.1.250 Available buffer size 29165743, 192991 packet(s) captured using 11794257 bytes [. . .] Dell(conf-router_bgp)#do sho ip bg s BGP router identifier 172.30.1.
Figure 23. Sample Configurations Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int tengig 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TenGigabitEthernet 1/21 ip address 10.0.1.
no shutdown R1(conf-if-te-1/31)#router bgp 99 R1(conf-router_bgp)#network 192.168.128.0/24 R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R1(conf-router_bgp)#neighbor 192.168.128.2 no shut R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R1(conf-router_bgp)#neighbor 192.168.128.3 no shut R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.
R2(conf-if-te-2/31)#router bgp 99 R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R2(conf-router_bgp)#neighbor 192.168.128.1 no shut R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R2(conf-router_bgp)#neighbor 192.168.128.3 no shut R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0 R2(conf-router_bgp)#show config ! router bgp 99 bgp router-id 192.168.128.2 network 192.168.128.
no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.1 no shut R3(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R3(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.2 no shut R3(conf-router_bgp)#neighbor 192.168.128.
neighbor 192.168.128.3 update-source Loopback 0 neighbor 192.168.128.3 no shutdown R1# R1#show ip bgp summary BGP router identifier 192.168.128.
Received 30 messages, 0 in queue 4 opens, 2 notifications, 4 updates 20 keepalives, 0 route refresh requests Sent 29 messages, 0 in queue 4 opens, 1 notifications, 4 updates 20 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Up
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.1 99 140 136 2 0 (0) 00:11:24 1 192.168.128.3 100 138 140 2 0 (0) 00:18:31 1 R2#show ip bgp neighbor BGP neighbor is 192.168.128.1, remote AS 99, internal link Member of peer-group AAA for session parameters BGP version 4, remote router ID 192.168.128.
85 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1,
Minimum time before advertisements start is 0 seconds Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes adverti
Content Addressable Memory (CAM) 10 CAM is a type of memory that stores information in the form of a lookup table. On the Z9500, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe. CAM Allocation CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks.
-- linecard 1 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 nlbclusteracl: 0 Openflow : 0 -- linecard 2 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 nlbclusteracl: 0 Openflow : 0 The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10).
EXEC Privilege mode reload Test CAM Usage The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required.
Ipv6Acl Ipv4Qos L2Qos L2PT IpMacAcl VmanQos EcfmAcl Openflow : : : : : : : : 0 2 1 0 0 0 0 0 -- linecard 0 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 -- linecard 1 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 -- linecard 2 -Current Settings(in block sizes
========|========|=============== 1 | 0 | IN-L2 ACL | | IN-L2 FIB | | IN-L3 ACL | | IN-L3 FIB | | IN-L3-SysFlow | | IN-L3-TrcList | | IN-L3-McastFib | | IN-L3-Qos | | IN-L3-PBR | | IN-V6 ACL | | IN-V6 FIB | | IN-V6-SysFlow | | IN-V6-McastFib | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL 1 | 1 | IN-L2 ACL | | IN-L2 FIB | | IN-L3 ACL | | IN-L3 FIB | | IN-L3-SysFlow --More-- |=============|=============|============== | 1008 | 320 | 688 | 32768 | 1132 | 31636 | 12288 | 2 | 12286 | 262141 | 14 | 262127 | 2878 |
CAM Optimization The cam-optimization command allows you to optimize CAM utilization for QoS entries by minimizing the amount of required policy-map CAM space. When you enable this command, if a Policy Map containing classification rules (ACL and/or dscp/ ipprecedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only 1 FP entry is used). When you disable this command, the system behaves as described in this chapter.
Table 8. UFT Modes —Table Size UFT Mode L2 MAC Table Size L3 Host Table Size L3 LPM Table Size Default 160K 144K 16K Scaled-l3-hosts 96K 208K 16K Scaled-l3-routes 32K 16K 128K Configuring UFT Modes To configure the Unified Forwarding Table (UFT) modes, follow these steps. 1. Select a mode to initialize the maximum scalability size for L2 MAC table or L3 Host table or L3 Route table.
11 Control Plane Policing (CoPP) Control plane policing (CoPP) protects the Z9500 routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
Queue-based Control Plane Policing When configuring a queue-based CoPP policy, take into account that there are twenty-four CP queues divided into groups of eight queues for the Route Processor, Control Processor, and line-card CPUs: • Queues 0 to 7 process packets destined to the Control Processor CPU . • Queues 8 to 15 process packets destined to the Route Processor CPU. • Queues 16 to 23 process packets destined to the line-card CPU.
19 — 1 20 Source miss, Station move, Trace flow 600 21 BFD 7000 22 HyperPull, FRRP 800 23 sFlow 5000 NOTE: In the line-card CPU, some queues have no protocol traffic mapped to them. These rows appear blank in the preceding table. CoPP Example The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch. The following illustration shows how CoPP rate limits protocol traffic destined to the control-plane CPU. Figure 24.
Figure 25. CoPP Versus Non-CoPP Operation Configure Control Plane Policing You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic. Configuring CoPP for Protocols This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic.
permitted by the ACL. Associate the ACL and QoS policy for each protocol in a QoS input policy-map and apply the complete protocol-based rate-limiting configuration to control-plane traffic. For complete information about creating ACL rules and QoS policies, refer to Access Control Lists (ACLs) and Quality of Service (QoS). 1. Create a Layer 2 extended ACL for specified protocol traffic. CONFIGURATION mode mac access-list extended name permit {arp | frrp | gvrp | isis | lacp | lldp | stp} cpu-qos 2.
Examples of Configuring CoPP for Protocols Example of Creating an IP/IPv6/MAC Extended ACL to Select Protocol Traffic Dell(conf)#ip access-list extended ospf cpu-qos Dell(conf-ip-acl-cpuqos)#permit ospf Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#ip access-list extended bgp cpu-qos Dell(conf-ip-acl-cpuqos)#permit bgp Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#mac access-list extended lacp cpu-qos Dell(conf-mac-acl-cpuqos)#permit lacp Dell(conf-mac-acl-cpuqos)#exit Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos De
Dell(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k Dell(conf-policy-map-in-cpuqos)#exit Example of Applying a Protocol-Based Rate Limit to Control Plane Traffic Dell(conf)#control-plane-cpuqos Dell(conf-control-cpuqos)#service-policy rate-limit-protocols egressFP_rate_policy Dell(conf-control-cpuqos)#exit Configuring CoPP for CPU Queues This section describes how to create a queue-based CoPP service policy and apply it to control plane traffic.
Examples of Configuring CoPP for CPU Queues Example of Creating a QoS Policy to Configure the Rate Limit Dell#conf Dell(conf)#qos-policy-input cpuq_1 cpu-qos Dell(conf-qos-policy-in)#rate-police 3000 40 peak 500 40 Dell(conf-qos-policy-in)#exit Dell(conf)#qos-policy-input cpuq_2 cpu-qos Dell(conf-qos-policy-in)#rate-police 5000 80 peak 600 50 Dell(conf-qos-policy-in)#exit Example of Assigning a QoS Policy to a CPU Queue Dell(conf)#policy-map-input cpuq_rate_policy cpu-qos Dell(conf-qos-policy-in)#service-qu
Q19 Q20 Q21 Q22 Q23 1 600 7000 800 5000 100 1000 7000 1000 5000 Viewing MAC Protocol-Queue Mapping To view the queues to which MAC protocol traffic is assigned, use the show mac protocol-queuemapping command.
ICMPV6 RA ICMPV6 NS ICMPV6 RS ICMPV6 VRRPV6 OSPFV3 any any any any any any any any any any any any _ _ _ _ _ _ Q3/Q11 Q2/Q10 Q2/Q10 Q5 Q15 Q15 CP/RP CP/RP CP/RP CP RP RP 600 600 600 300 400 2500 Viewing Per-Queue Protocol-Queue Mapping To view the protocol traffic assigned to a specified queue, use the show protocol-queue-mapping queue-id command.
1000 v6 ICMP RA 1000 v6 ICMP NS 1000 v6 ICMP RS 1000 v6 ICMP 2000 BGP 2000 OSPF 2000 RIP 1000 VRRP 2000 ICMP 2000 IGMP 2000 PIM 2000 MSDP 2000 BFD 3000 802.
BROADCAST MULTICAST CATCH ALL ACL LOGGING 1000 L3 HEADER ERROR/TTL0 IP OPTION/TTL1 VLAN L3 MTU FAIL Physical L3 MTU FAIL ICMP REDIRECT SOURCE MISS STATION MOVE Q9 Q20 RP LP 200 200 200 200 500 1000 500 Q0 Q0 Q1 Q1 Q1 Q20 Q20 CP CP CP CP CP LP LP 200 100 200 200 200 200 200 200 100 200 200 200 200 200 500 500 500 500 500 500 500 500 500 500 500 500 500 500 Troubleshooting CoPP Operation To troubleshoot CoPP operation, use the debug commands described in this section.
NOTE: When you finish troubleshooting CoPP operation, disable the collection of CPU traffic statistics by entering the no debug cpu-traffic-stats command. Troubleshooting CPU Packet Loss To troubleshoot the reason for CPU packet loss, you can display statistics about system flows on the central switch (aggregated CoPP) or on a specified set of Z9500 ports by entering the show hardware system-flow layer2 [cp-switch | linecard slot-id portset port-pipe] command.
Enabled tcam: color_indep=0, Stage InPorts DATA=0x0000000000000000000000000000000000000000000000000000222222222222 MASK=0x0000000000000000000000000000000000000000000000000000222222222223 DstMac Offset: 88 Width: 48 DATA=0x00000180 c2000002 MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=3(0x3), param1=0(0), param2=0(0), param3=0(0)} action={act=Copy
########################## --More-######################## FP Entry --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP E
control-plane CPU after protocol-based rate limiting is applied. Drop Counters displays the number of bytes of control-plane traffic that have been dropped as a result of protocol-based rate limiting. Dell#show control-traffic protocol linecard 2 portset 0 counters Protocol RxBytes TxBytes ------------------STP 14956278172 403036 LLDP 15029657016 559096 PVST 0 0 LACP 15122824104 556648 GVRP 14988129080 551480 ARP RESP/ARP REQ 29604578172 3559868 802.
L2PT v6 BGP v6 OSPF v6 VRRP MLD v6 ICMP NA v6 ICMP RA v6 ICMP NS v6 ICMP RS v6 ICMP BGP OSPF RIP VRRP ICMP IGMP PIM MSDP BFD ON PHYSICAL PORTS BFD ON LOGICAL PORTS 802.
Viewing Per-Queue CoPP Counters To view per-queue counters of CoPP rate-limited traffic, use the show control-traffic queue {all | queue-id queue-number} counters command. The range of queue-number values is from 0 to 23. The twenty-four control–plane queues are divided into groups of eight queues for the Route Processor, Control Processor, and line-card CPUs as follows: • Queues 0 to 7 process packets destined to the Control Processor CPU .
12 Data Center Bridging (DCB) NOTE: Data center bridging (DCB) is enabled in Z9500 switch. Ethernet Enhancements in Data Center Bridging The following section describes DCB.
transport protocols (for example, TCP) for reliable data transmission with the associated cost of greater processing overhead and performance impact. Storage traffic Storage traffic based on Fibre Channel media uses the Small Computer System Interface (SCSI) protocol for data transfer. This traffic typically consists of large data packets with a payload of 2K bytes that cannot recover from frame loss.
The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4. In the Dell Networking OS, PFC is implemented as follows: • PFC supports buffering to receive data that continues to arrive on an interface while the remote system reacts to the PFC operation. • PFC uses DCB MIB IEEE 802.1azd2.5 and PFC MIB IEEE 802.1bb-d2.2. • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
low-latency storage or server cluster traffic in a traffic class to receive more bandwidth and restrict besteffort LAN traffic assigned to a different traffic class. The following figure shows how ETS allows you to allocate bandwidth when different traffic types are classed according to 802.1p priority and mapped to priority groups. Figure 26. Enhanced Transmission Selection The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission. Table 9.
• • • Discovery of DCB capabilities on peer-device connections. Determination of possible mismatch in DCB configuration on a peer link. Configuration of a peer device over a DCB link. DCBx requires the link layer discovery protocol (LLDP) to provide the path to exchange DCB parameters with peer devices. Exchanged parameters are sent in organizationally specific TLVs in LLDP data units.
a traffic type. You can create lossless flows for storage and server traffic while allowing for loss in case of LAN traffic congestion on the same physical interface. The following illustration shows how PFC handles traffic congestion by pausing the transmission of incoming traffic with dot1p priority 4. The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4.
Enhanced Transmission Selection Enhanced transmission selection (ETS) supports optimized bandwidth allocation between traffic types in multiprotocol (Ethernet, FCoE, SCSI) links. ETS allows you to divide traffic according to its 802.1p priority into different priority groups (traffic classes) and configure bandwidth allocation and queue scheduling for each group to ensure that each traffic type is correctly prioritized and receives its required bandwidth.
– No bandwidth limit or no ETS processing • ETS uses the DCB MIB IEEE 802.1azd2.5. Data Center Bridging Exchange Protocol (DCBx) The data center bridging exchange (DCBx) protocol is disabled by default on the S4810; ETS is also disabled. DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices. DCBx capabilities include: • Discovery of DCB capabilities on peer-device connections.
DCB Maps and its Attributes This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. DCB Map: Configuration Procedure A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
Applying a DCB Map on a Port When you apply a DCB map with PFC enabled on a switch interface, a memory buffer for PFC-enabled priority traffic is automatically allocated. The buffer size is allocated according to the number of PFCenabled priorities in the assigned map. To apply a DCB map to an Ethernet port, follow these steps: Step Task Command Command Mode 1 Enter interface configuration mode on an Ethernet port.
Step Task Command Command Mode Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7 1. You cannot configure PFC using the pfc priority command on an interface on which a DCB map has been applied or which is already configured for lossless queues (pfc no-drop queues command).
Step Task Command Command Mode The maximum number of lossless queues globally supported on a port is 2. You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has been applied, or which is already configured for PFC using the pfc priority command. Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3 Default: No lossless queues are configured.
When traffic congestion occurs, PFC sends a pause frame to a peer device with the CoS priority values of the traffic that is to be stopped. Data Center Bridging Exchange protocol (DCBx) provides the link-level exchange of PFC parameters between peer devices. PFC allows network administrators to create zeroloss links for Storage Area Network (SAN) traffic that requires no-drop service, while retaining packetdrop congestion management for Local Area Network (LAN) traffic.
• PFC mode is off (no pfc mode on). • No PFC priority classes are configured (no pfc priority priority-range). Example: Port A —> Port B Port C —> Port B PFC no-drop queues are configured for queues 1, 2 on Port B. PFC capability is enabled on priorities 3, 4 on PORT A and C. Port B acting as Egress During the congestion, [traffic pump on priorities 3 and 4 from PORT A and PORT C is at full line rate], PORT A and C send out the PFCs to rate the traffic limit.
A limit of two lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the two lossless queues, an error message displays. In Z9500, any pfc-dot1p priorities configured on a given interface need not be the same across the system. In other words, lossless queue limit is applicable on a per-port level and not on the global-config context. For example, one of the Te/Fo interfaces can have pfc-dot1p priorities as 2 and 3.
link-level flow control. PFC is then automatically enabled on the interface because an interface is PFC-enabled by default. • To ensure no-drop handling of lossless traffic, PFC allows you to configure lossless queues on a port (see Configuring Lossless Queues). • When you configure a DCB map, an error message is displayed if the PFC dot1p priorities result in more than two lossless queues.
• Dell Networking OS supports hierarchical scheduling on an interface. The control traffic on Dell Networking OS is redirected to control queues as higher priority traffic with strict priority scheduling. After the control queues drain out, the remaining data traffic is scheduled to queues according to the bandwidth and scheduler configuration in the DCB map. The available bandwidth calculated by the ETS algorithm is equal to the link bandwidth after scheduling non-ETS higher-priority traffic.
• The maximum number of priority groups supported in a DCB map on an interface is equal to the number of data queues (4) on the port. Each priority group can support more than one data queue. • You can enable PFC on a maximum of two priority queues on an interface. • If you configure more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic.
Step Task Command Command Mode fortygigabitEthernet slot/port} 2 Enable PFC on specified priorities. Range: 0-7. Default: None. pfc priority priority-range INTERFACE Maximum number of lossless queues supported on an Ethernet port: 2. Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 3,5-7 1.
Queue : 0 0 used no-drop queues. 0 1 2 3 3 3 -> On Egress interface[Port B] we Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the no-drop egress queues. When configuring lossless queues on a port interface, consider the following points: • By default, no lossless queues are configured on a port. • A limit of two lossless queues is supported on a port.
Priority-Based Flow Control Using Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the Z9500 platform. In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p priority traffic to the transmitting device.
degraded. Although you can allocate a maximum buffer size, it is used only if a PFC priority is configured and applied on the interface. The number of lossless queues supported on the system is dependent on the availability of total buffers for PFC. The default configuration in the system guarantees a minimum of 52 KB per queue if all the 128 queues are congested. However, modifying the buffer allocation per queue impacts this default behavior. By default the total available buffer for PFC is 6.
The internal Priority assigned for the packet by Ingress FP is used by the memory management unit (MMU) to assign the packet to right queue by indexing the internal-priority to queue map table (TABLE 1) in hardware. PRIO2COS setting for honoring the PFC protocol packets from the Peer switches is as per above PacketDot1p->queue table (Table 2). The packets that come in with packet-dot1p 2 alone will be assigned to PG6 on ingress.
a. Enable DCB globally. Dell(conf)#dcb enable b. Apply PFC Priority configuration. Configure priorities on which PFC is enabled. Dell(conf-if-te-1/1)#pfc priority 1,2 SNMP Support for PFC and Buffer Statistics Tracking Buffer Statistics Tracking (BST) feature provides a mechanism to aid in Resource Monitoring and Tuning of Buffer Allocation. The support for Max Use Count mode in Buffer Statistics is introduced in Dell Networking OS 9.3(0.).
map to forward the matched DSCP packet to that queue. PFC frames gets generated with PFC priority associated with the queue when the queue gets congested. Performing PFC Using DSCP Bits Instead of 802.1p Bits Priority based Flow Control (PFC) is currently supported on Dell Networking OS for tagged packets based on the packet Dot1p. In certain data center deployments, VLAN configuration is avoided on the servers and all packets from the servers are untagged.
PFC and ETS Configuration Examples This section contains examples of how to configure and apply DCB policies on an interface. Using PFC to Manage Converged Ethernet Traffic To use PFC for managing converged Ethernet traffic, use the following command: dcb-map linecard all backplane all dcb-map-name Configure Enhanced Transmission Selection ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs.
dcb-map dcb-map-name The dcb-map-name variable can have a maximum of 32 characters. 2. Create an ETS priority group. CONFIGURATION mode priority-group group-num {bandwidth bandwidth | strict-priority} pfc off The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50.
The maximum number of priority groups supported in ETS output policies on an interface is equal to the number of data queues (4) on the port. The 802.1p priorities in a priority group can map to multiple queues. If you configure more than one priority queue as strict priority or more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic. ETS Operation with DCBx The following section describes DCBx negotiation with peer ETS devices.
The maximum 32 alphanumeric characters. 2. Configure the percentage of bandwidth to allocate to the dot1p priority/queue traffic in the associated L2 class map. QoS OUTPUT POLICY mode bandwidth-percentage percentage The default is none. 3. Repeat Step 2 to configure bandwidth percentages for other priority queues on the port. QoS OUTPUT POLICY mode bandwidth-percentage percentage 4. Exit QoS Output Policy Configuration mode. QoS OUTPUT POLICY mode exit 5. Enter INTERFACE Configuration mode.
• Strict-priority groups: If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20+ 30)%. If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first.
Using PFC and ETS to Manage Converged Ethernet Traffic Using PFC and ETS to manage converged ethernet traffic: dcb-map linecard all backplane all dcb-map-name Configure a DCBx Operation DCB devices use data center bridging exchange protocol (DCBx) to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP) protocol.
The first auto-upstream that is capable of receiving a peer configuration is elected as the configuration source. The elected configuration source then internally propagates the configuration to other auto-upstream and auto-downstream ports. A port that receives an internally propagated configuration overwrites its local configuration with the new parameter values.
Manual The port is configured to operate only with administrator-configured settings and does not auto-configure with DCB settings received from a DCBx peer or from an internally propagated configuration from the configuration source. If you enable DCBx, ports in Manual mode advertise their configurations to peer devices but do not accept or propagate internal or external configurations. Unlike other userconfigured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration.
Configuration Source Election When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch. • If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, the DCBx marks the port as DCBxenabled.
Auto-Detection and Manual Configuration of the DCBx Version When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port automatically detects the DCBx version on a peer port. Legacy CIN and CEE versions are supported in addition to the standard IEEE version 2.5 DCBx. A DCBx port detects a peer version after receiving a valid frame for that version.
Figure 29. DCBx Sample Topology DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
[no] protocol lldp 3. Configure the DCBx version used on the interface, where: auto configures the port to operate using the DCBx version received from a peer. PROTOCOL LLDP mode [no] DCBx version {auto | cee | cin | ieee-v2.5} • cee: configures the port to use CEE (Intel 1.01). • cin: configures the port to use Cisco-Intel-Nuova (DCBx 1.0). • ieee-v2.5: configures the port to use IEEE 802.1Qaz (Draft 2.5). The default is Auto. 4.
• fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled to advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. For information about how to use iSCSI, refer to iSCSI Optimization To verify the DCBx configuration on a port, use the show interface DCBx detail command.
NOTE: You can configure the transmission of more than one TLV type at a time. You can only enable ETS recommend TLVs (ets-reco) if you enable ETS configuration TLVs (ets-conf). To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-tlv pfc ets-reco. The default is All TLV types are enabled. 5. Configure the Application Priority TLVs that advertise on unconfigured interfaces with a manual portrole.
in a DCBx TLV from a remote peer but received a different, conflicting DCBx version. DSM_DCBx_PFC_PARAMETERS_MATCH and DSM_DCBx_PFC_PARAMETERS_MISMATCH: A local DCBx port received a compatible (match) or incompatible (mismatch) PFC configuration from a peer. DSM_DCBx_ETS_PARAMETERS_MATCH and DSM_DCBx_ETS_PARAMETERS_MISMATCH: A local DCBx port received a compatible (match) or incompatible (mismatch) ETS configuration from a peer.
Command Output show interface port-type slot/port pfc {summary | detail} Displays the PFC configuration applied to ingress traffic on an interface, including priorities and link delay. To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command. show interface port-type slot/port pfc statistics Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface.
The following example shows the output of the show qos dcb-map test command. Dell#show qos dcb-map test ----------------------State :Complete PfcMode:ON -------------------PG:0 TSA:ETS BW:50 PFC:OFF Priorities:0 1 2 5 6 7 PG:1 TSA:ETS BW:50 Priorities:3 4 PFC:ON The following example shows the show interfaces pfc summary command.
The following table describes the show interface pfc summary command fields. Table 15. show interface pfc summary Command Description Fields Description Interface Interface type with linecard and port number. Admin mode is on; Admin is enabled PFC Admin mode is on or off with a list of the configured PFC priorities . When PFC admin mode is on, PFC advertisements are enabled to be sent and received from peers; received PFC configuration takes effect.
Fields Description Application Priority TLV: ISCSI TLV Tx Status Status of ISCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: Local FCOE Priority Map Priority bitmap used by local DCBx port in FCoE advertisements in application priority TLVs. Application Priority TLV: Local ISCSI Priority Map Priority bitmap used by local DCBx port in ISCSI advertisements in application priority TLVs.
1 2 3 4 5 6 7 0,1,2 3 4,5,6,7 100% 0 % 0 % - ETS SP SP - Remote Parameters : ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 1 0,1,2 100% ETS 2 3 0 % SP 3 4,5,6,7 0 % SP 4 5 6 7 Oper status is init ETS DCBx Oper status is Down State Machine Type is Asymmetric Conf TLV Tx Status is enabled Reco TLV Tx Status is enabled 0 Input Conf TLV Pkts, 1955 Output Conf TLV Pkts, 0 Error Conf TLV
Local Parameters : -----------------Local is enabled TC-grp Priority# Bandwidth TSA 0 0,1,2,3,4,5,6,7 100% ETS 1 0% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Priority# Bandwidth TSA 0 13% ETS 1 13% ETS 2 13% ETS 3 13% ETS 4 12% ETS 5 12% ETS 6 12% ETS 7 12% ETS Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 0T LIVnput Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Erro
--------------------------------------------------------------------------------0 0,1,2,4,5,6,7 50 400 100 4000 400 ETS 1 3 50 - - ETS 2 - - - - 3 - - - - 4 - - - - 5 - - - - 6 - - - - 7 - - - - Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts The following table describes the show interface ets detail c
Field Description ETS DCBx Oper status Operational status of ETS configuration on local port: match or mismatch. State Machine Type Type of state machine used for DCBx exchanges of ETS parameters: • • Feature: for legacy DCBx versions Asymmetric: for an IEEE version Conf TLV Tx Status Status of ETS Configuration TLV advertisements: enabled or disabled. ETS TLV Statistic: Input Conf TLV pkts Number of ETS Configuration TLVs received.
Admin is enabled, Priority list is 3 Local is enabled, Priority list is 3 Link Delay 65535 pause quantum 0 Pause Tx pkts, 0 Pause Rx pkts The following example shows the show sfm 0 backplane all ets details command Dell#sh sfm 0 backplane all ets details sfm 0 backplane all Max Supported PG is 4 Number of Traffic Classes is 8 Admin mode is on Admin Parameters: -------------------Admin is enabled PG-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,4,5,6,7 50 % ETS 1 3 50 % E
R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled F-Application priority for FCOE enabled f-Application Priority for FCOE disabled I-Application priority for iSCSI enabled i-Application Priority for iSCSI disabled ----------------------------------------------------------------------Interface TenGigabitEthernet 1/14 Remote Mac Address 00:01:e8:8a:df:a0 Port Role is Auto-Upstream DCBx Operational Status is Enabled Is Configurat
Field Description only received a DCBx version supported on the remote peer. Local DCBx Configured mode DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer). Peer Operating version DCBx version that the peer uses to exchange DCB parameters. Local DCBx TLVs Transmitted Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output).
Honor dot1p You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode. Layer 2 class maps You can use dot1p priorities to classify traffic in a class map and apply a service policy to an ingress port to map traffic to egress queues. NOTE: Dell Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS.
dcb pfc-total-buffer-size 5000 3. Configure the number of PFC queues. CONFIGURATION mode dcb enable pfc-queues pfc-queues The number of ports supported based on lossless queues configured will depend on the buffer. The default number of PFC queues in the system is two for S4810 and Z9500, and one for S6000 platforms.
CONFIGURATION mode dcb pfc-shared-buffer-size buffer-size linecard {linecard-number | all} [port-set {port-pipe | all}] Using PFC and ETS to Manage Data Center Traffic The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: • Incoming SAN traffic is configured for priority-based flow control.
Figure 30. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame Priority Group Assignment 3 SAN 4 IPC 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment. Priority Group Bandwidth Assignment IPC 5% SAN 50% LAN 45% PFC and ETS Configuration Command Examples The following examples show PFC and ETS configuration commands to manage your data center traffic.
13 Debugging and Diagnostics This chapter describes the debugging and diagnostics tasks you can perform on the switch. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostic tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, they verify the identification registers of the components on the board.
command is issued. Proceed with Offline [confirm yes/no]: 2. Verify offline status of the switch. EXEC Privilege mode show system brief 3. Start diagnostics on the switch. diag system unit When the tests complete, the system displays a syslog message: 00:13:17 : Diagnostic test results are stored on file: flash:/TestReportLP-0.txt 00:13:19 : Diagnostic test results are stored on file: flash:/TestReportLP-1.txt 00:13:20 : Diagnostic test results are stored on file: flash:/TestReportLP-2.
Examples of Running Offline Diagnostics Example of Taking a Switch Offline Dell# offline system Warning - offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics. The "reload" command is required for normal operation after the offline command is issued.
linecard 1 00:11:05 : Approximate time to complete the Diags (all levels)... 10 Mins 00:11:05: %Z9500LC12:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on linecard 0 00:11:05 : Approximate time to complete the Diags (all levels)... 10 Mins 00:11:06: %Z9500LC12:2 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on linecard 2 00:11:06 : Approximate time to complete the Diags (all levels)...
• • • Line-card CPU 1 is LP-1. Line-card CPU 2 is LP-2. The Control Processor is CP. Example of a Test Log Report (All Levels) for Control Processor: TestReport-CP.txt Dell# show file flash://TestReport-CP.txt DELL DIAGNOSTICS-Z9500-CP00 PPID PPID Rev Service Tag Part Number Part Number Revision SW Version ------- [0] US0WGHX2779513AG00T X00 6NHW6Z1 7520072402 H 9.2(1.0B2) Available free memory: 2,231,607,296 bytes LEVEL 0 DIAGNOSTIC eepromTest ..................................................
PSU[2] sensor[1] temperature 30.0 C PSU[2] sensor[2] temperature 23.0 C +PSU[2] test PASS PSU[3] sensor[0] temperature 37.0 C PSU[3] sensor[1] temperature 30.0 C PSU[3] sensor[2] temperature 21.0 C +PSU[3] test PASS psuTest ..................................................... PASS rtcTest ..................................................... PASS sataSsdTest ................................................. PASS Starting test: temperatureTest ...... Sensor "BrdTmpPwr0" temperature 31.
+ HG Link Status Test for Fabric 2: PASSED + HG Link Status Test for Fabric 3: PASSED + HG Link Status Test for Fabric 4: PASSED + HG Link Status Test for Fabric 5: PASSED fabricLinkStatusTest ........................................ PASS Starting test: fanTest ......
Example of a Test Log for Line-Card CPU 0: TestReport-LP-0.txt Dell#show file flash://TestReport-LP-0.txt DELL DIAGNOSTICS-Z9500-CP00 PPID PPID Rev Service Tag Part Number Part Number Revision SW Version ------- [0] NA NA NA NA NA 9.2(1.0B2) Available free memory: 2,646,888,448 bytes LEVEL 0 DIAGNOSTIC eepromTest .................................................. i2cTest ..................................................... macPhyRegTest ...............................................
portcardHiGigLinkStatusTest ................................. Starting test: portcardXELinkStatusTest ...... + XE Link Status Test for unit 0 (Portcard 0): PASSED + XE Link Status Test for unit 1 (Portcard 1): PASSED ERROR: Unit 2 (Portcard 2): XE 11 is DOWN + XE Link Status Test for unit 2 (Portcard 2): FAILED portcardXELinkStatusTest .................................... qsfpOpticsTest .............................................. qsfpPhyTest .................................................
qsfpOpticsTest .............................................. qsfpPhyTest ................................................. rtcTest ..................................................... sataSsdTest ................................................. Starting test: temperatureTest ...... Thermal Monitor Diodes: Diode[0] temperature 33.9 C Diode[1] temperature 35.0 C Diode[2] temperature 35.0 C Diode[4] temperature 34.5 C Port card[0]: Average temperature 38.3 C, maximum 41.
TRACE Logs In addition to the syslog buffer, to report hardware and software events and status information, the system buffers trace messages which are continuously written by various software tasks. Each TRACE message provides the date, time, and name of the system process. All messages are stored in a ring buffer that you can save to a file either manually or automatically after failover.
• The command output provides details about the packet types entering the CPU to see whether CPUbound traffic is internal (IPC traffic) or network control traffic, which the CPU must process. Display internal status and driver-level CPU port statistics of the Control Processor and Route Processor.
show hardware cp-switch {counters | details | drops | port-stats | register | table-dump} • show hardware sfm sfm-unit-num {buffer {total-buffer | unit unit-num {port | total-buffer}} | counters | details | drops | port-stats | register | tabledump} Display the operational status or the internal ports that are dynamically mapped to a backplane link or control-plane trunk group that is down.
0 0 0 0 0 1 2 3 down up down up AC AC AC AC up up up up 1376 18848 1312 18880 0.0 666.0 0.0 643.0 When an under-voltage condition occurs on a power supply (for example, a power cable is removed): • A Syslog message is displayed to inform you that the power supply is down. The power supply number (for example, power supply 0) indicates the chassis bay in which it is installed; chassis bays are numbered 0 to 4, starting from the leftmost bay 0. unit 0 refers to the switch itself.
Display Transceiver Type To monitor the types of transceivers installed in switch ports, use the show inventory media command.
LineSpeed 40000 Mbit Flowcontrol rx off tx off To display more diagnostic data when troubleshooting a transceiver, use the show interfaces tranceiver command. Additional information about QSFP temperature, voltage, and current alarm thresholds are displayed.
Recognize an Over-Temperature Condition An alarm message is generated and displayed when an over-temperature condition on a system component occurs. Either a minor or a major alarm is triggered. A minor temperature alarm is displayed when any system temperature threshold is exceeded. In this case, the system fan speed is gradually increased to 60% duty cycle (PWM).
S8 S9 S10 93 93 93 86 86 86 100 100 100 95 95 95 105 105 105 NOTE: The system software automatically shuts down the system if a critical component reaches a critical shutdown threshold. The software attempts to correct the situation by running the system and power-supply fans at their maximum prescribed levels (70% PWM for system fans, and 99% for PSU fans). If sensor’s temperature does not decrease to a non-critical level within one minute (60 seconds), the system automatically shuts down.
threshold, the fan speed will increase.
• show hardware buffer-stats-snapshot resource interface interface{prioritygroup { id | all } | queue { ucast{id | all}{ mcast {id | all} | all} • clear hardware linecard {0-2} counters • clear hardware linecard {0-2} unit {0-3} counters • clear hardware linecard {0-2} cpu data-plane statistics • clear hardware party-bus port {{0-7} | all} statistics • clear hardware cp cpu {data-plane | i2c | sata-interface} statistics • clear hardware rp cpu {data-plane | i2c | sata-interface} statistics •
0 22 0 23 0 24 0 28 0 32 0 36 0 40 0 44 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 Internal 0 0 0 23 0 24 0 25 0 29 0 33 0 37 0 41 0 45 0 50 0 51 0 52 0 53 0 54 0 55 0 56 0 57 0 58 0 59 0 60 0 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Example of show hardware drops interface interface Dell#show hardware drops interface tengigabitethernet 2/
HOL DROPS(TOTAL) HOL DROPS on COS0 HOL DROPS on COS1 HOL DROPS on COS2 HOL DROPS on COS3 HOL DROPS on COS4 HOL DROPS on COS5 HOL DROPS on COS6 HOL DROPS on COS7 HOL DROPS on COS8 HOL DROPS on COS9 HOL DROPS on COS10 HOL DROPS on COS11 HOL DROPS on COS12 HOL DROPS on COS13 HOL DROPS on COS14 HOL DROPS on COS15 HOL DROPS on COS16 HOL DROPS on COS17 TxPurge CellErr Aged Drops --- Egress MAC counters--Egress FCS Drops --- Egress FORWARD PROCESSOR IPv4 L3UC Aged & Drops TTL Threshold Drops INVALID VLAN CNTR Drop
Frames Transmitted = 125183 Mcast Frames Transmitted = 0 Bcast Frames Transmitted = 4 Pause Frames Transmitted = 0 Deferred Transmits = 0 Excessive Deferred Transmits = 0 TX single collisions = 0 TX multiple collisions = 0 TX late collisions = 0 TX Excessive collisions = 0 TX total collisions = 0 TX Drops = 0 TX Jabber = 0 TX FCS errors = 0 TX Control frames = 0 TX oversize frames = 0 TX undersize frames = 0 TX fragments = 0 Bytes received = 0 Frames received = 2868 Bcast frames recvd = 24 Mcast frames recv
Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Pause Packets = 0 64 Octet Packets = 122688 65to127octets Packets = 246245 128to255octets Packets = 441 256to511octets Packets = 3816 512to1023octets Packets = 3247 1024toMaxoctets Packets = 150599 Jabbers = 0 align errors = 0 fcs errors = 0 good octets = 251640594 Drop pkts = 0 Unicast Packets = 333370 Multicast Packets = 193621 Broadcast Packets = 45 Source Address Changes = 3 Fragments = 0 Jumbo Packets = 0 Symbol Errros = 0 In Range Errors
PortSTPnotFwd Drops : IPv4 L3 Discards : Policy Discards : Packets dropped by FP : (L2+L3) Drops : Port bitmap zero Drops : Rx VLAN Drops : --- Ingress MAC counters--Ingress FCSDrops : Ingress MTUExceeds : --- MMU Drops --HOL DROPS(TOTAL) : HOL DROPS on COS0 : HOL DROPS on COS1 : HOL DROPS on COS2 : HOL DROPS on COS3 : HOL DROPS on COS4 : HOL DROPS on COS5 :
To disable the automatic uploading of application core dumps, enter the no logging coredump server command. Mini Core Dumps The system supports mini core dumps for kernel crashes. The mini core dump applies to all Z9500 CPUs. Kernel mini core dumps are always enabled. Mini core dumps contain the stack space and some other very minimal information that can be used to debug a crash. A mini core dump is a small file that is written into flash until space is exhausted.
To disable the full kernel and other core dumps, enter the no logging coredump command. Enabling TCP Dumps A TCP dump captures CPU-bound control-plane traffic to improve troubleshooting and system manageability. You can perform a TCP dump on the Control Processor (CP) and Route Processor (RP) CPUs. When you enable TCP dumps, a dump captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, to FTP, SCP, or TFTP.
Dynamic Host Configuration Protocol (DHCP) 14 DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Identifiers a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server. L2 DHCP Snooping Option 82 End Option 255 Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database. Signals the last option in the DHCP packet. Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1.
Figure 32. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configure the System to be a DHCP Server A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The following table lists the key responsibilities of DHCP servers. Table 18. DHCP Server Responsibilities DHCP Server Responsibility Description Address Storage and Management DHCP servers are the owners of the addresses used by DHCP clients.
pool name 3. Specify the range of IP addresses from which the DHCP server may assign addresses. DHCP mode network network/prefix-length • network: the subnet address. • prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31. 4. Display the current pool configuration. DHCP mode show config After an IP address is leased to a client, only that client may release the address.
Specifying an Address Lease Time To specify an address lease time, use the following command. • Specify an address lease time for the addresses in a pool. DHCP lease {days [hours] [minutes] | infinite} The default is 24 hours. Specifying a Default Gateway The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step. • Specify default gateway(s) for the clients on the subnet, in order of preference.
netbios-name-server address 2. Specify the NetBIOS node type for a Microsoft DHCP client. Dell Networking recommends specifying clients as hybrid. DHCP mode netbios-node-type type Creating Manual Binding Entries An address binding is a mapping between the IP address and the media access control (MAC) address of a client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in the binding table.
• Clear DHCP binding entries for the entire binding table. EXEC Privilege mode. • clear ip dhcp binding Clear a DHCP binding entry for an individual IP address. EXEC Privilege mode. clear ip dhcp binding ip address Configure the System to be a Relay Agent DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Figure 33. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
ICMP redirects are not sent ICMP unreachables are not sent Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file).
DHCP Client Operation with Other Features A DHCP client also operates with the following software features. Virtual Link Trunking (VLT) A DHCP client is not supported on VLT interfaces. VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
• DHCP Snooping • Dynamic ARP Inspection • Source Address Validation Option 82 RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and is comprised of two sub-options, circuit ID and remote ID. Circuit ID This is the interface on which the client-originated message is received. Remote ID This identifies the host from which the message is received.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
Enabling IPv6 DHCP Snooping To enable IPv6 DHCP snooping, use the following commands. 1. Enable IPv6 DHCP snooping globally. CONFIGURATION mode ipv6 dhcp snooping 2. Specify ports connected to IPv6 DHCP servers as trusted. INTERFACE mode ipv6 dhcp snooping trust 3. Enable IPv6 DHCP snooping on a VLAN or range of VLANs. CONFIGURATION mode ipv6 dhcp snooping vlan vlan-id Adding a Static Entry in the Binding Table To add a static entry in the binding table, use the following command.
clear ipv6 dhcp snooping binding Dell# clear ipv6 dhcp snooping? binding Clear the snooping binding database Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command.
11:11::22 33::22 333:22::22 11:22:11:22:11:22 11:22:11:22:11:23 11:22:11:22:11:24 120331 120331 120331 S S D Vl 100 Vl 200 Vl 300 Te 1/1 Te 1/1 Te 1/2 Debugging the IPv6 DHCP To debug the IPv6 DHCP, use the following command. • Display debug information for IPV6 DHCP. EXEC Privilege mode debug ipv6 dhcp IPv6 DHCP Snooping MAC-Address Verification Configure to enable verify source mac-address in the DHCP packet against the mac address stored in the snooping binding table.
receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the existing entry with the new information. The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP-to-MAC mappings into the ARP cache of a network device. It is used to launch manin-the-middle (MITM), and denial-of-service (DoS) attacks, among others.
Configuring Dynamic ARP Inspection To enable dynamic ARP inspection, use the following commands. 1. Enable DHCP snooping. 2. Validate ARP frames against the DHCP snooping binding table. INTERFACE VLAN mode arp inspection Examples of Viewing the ARP Information To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation Using the DHCP binding table, the system can perform three types of source address validation (SAV). Table 19. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. DHCP MAC Source Address Validation Verifies a DHCP packet’s source hardware address matches the client hardware address field (CHADDR) in the payload.
• Enable DHCP MAC SAV. CONFIGURATION mode ip dhcp snooping verify mac-address Enabling IP+MAC Source Address Validation IP source address validation (SAV) validates the IP source address of an incoming packet against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1. Allocate at least one FP block to the ipmacacl CAM region.
The following output of the show ip dhcp snooping source-address-validation discardcounters interface interface command displays the number of SAV dropped packets on a particular interface.
Equal Cost Multi-Path (ECMP) 15 Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
The system provides a command line interface (CLI)-based solution for modifying the hash seed to ensure that on each configured system, the ECMP selection is same. When configured, the same seed is set for ECMP, LAG, and NH, and is used for incoming traffic only. NOTE: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs. NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed.
Managing ECMP Group Paths To manage ECMP group paths, you can configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command. NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
Modifying the ECMP Group Threshold You can customize the threshold percentage for monitoring ECMP group bundles. To customize the ECMP group bundle threshold and to view the changes, use the following commands. • Modify the threshold for monitoring ECMP group bundles. CONFIGURATION mode link-bundle-distribution trigger-threshold {percent} The range is from 1 to 90%. • The default is 60%. Display details for an ECMP group bundle.
NOTE: Before moving IPv6/128 route prefixes from the host table to the LPM table, you must enable LPM CAM partitioning for extended IPv6 prefixes. See Configuring the LPM Table for IPv6 Extended Prefixes for more information. Use the ipv4 unicast-host-route or ipv6 unicast-host-route commands to program IPv4 /32 or IPv6 /128 route prefixes to be stored in the L3 host table.
16 FCoE Transit The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a Z9500 switch. Fibre Channel over Ethernet FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN) and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
• Allow transit Ethernet bridges to efficiently monitor FIP frames passing between FCoE end-devices and an FCF. To dynamically configure ACLs on the bridge to only permit traffic authorized by the FCF, use the FIP snooping data. FIP enables FCoE devices to discover one another, initialize and maintain virtual links over an Ethernet network, and access storage devices in a storage area network (SAN).
Figure 34. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
FCoEgenerated ACLs These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames. The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network. The top-of-rack (ToR) switch operates as an FCF for FCoE traffic. Converged LAN and SAN traffic is transmitted between the ToR switch and an Z9500 switch.
• • • • • • Allocate CAM resources for FCoE. Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis. To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses. The FC-MAP value is used in the ACLs installed in bridge-to-bridge links on the switch.
Important Points to Remember • Enable DCBx on the switch before enabling the FIP Snooping feature. • To enable the feature on the switch, configure FIP Snooping. • To allow FIP frames to pass through the switch on all VLANs, enable FIP snooping globally on a switch. • A switch can support a maximum eight VLANs. Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN. • You can configure multiple FCF-trusted interfaces in a VLAN.
Enabling the FCoE Transit Feature The following sections describe how to enable FCoE transit. NOTE: FCoE transit is disabled by default. To enable this feature, you must follow the Configure FIP Snooping. As soon as you enable the FCoE transit feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied. The FCoE database is populated when the switch connects to a converged network adapter (CNA) or FCF port and compatible DCB configurations are synchronized.
FCoE traffic is allowed on the port only after the switch learns the FC-MAP value associated with the specified FCF MAC address and verifies that it matches the configured FC-MAP value for the FCoE VLAN. Configure a Port for a Bridge-to-FCF Link If a port is directly connected to an FCF, configure the port mode as FCF. Initially, all FCoE traffic is blocked; only FIP frames are allowed to pass.
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve. Configuring FIP Snooping You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN. By default, FIP snooping is disabled. To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these steps. 1. Configure FCoE.
FCoE Transit Configuration Example The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 36. Configuration Example: FIP Snooping on a Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Enabling an FC-MAP Value on a VLAN Dell(conf-if-vl-10)# fip-snooping fc-map 0xOEFC01 NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
Command Output name (WWNN) and the worldwide port name (WWPN). show fip-snooping config Displays the FIP snooping status and configured FC-MAP values. show fip-snooping enode [enode-macaddress] Displays information on the ENodes in FIPsnooped sessions, including the ENode interface and MAC address, FCF MAC address, VLAN ID and FC-ID.
Table 23. show fip-snooping sessions Command Description Field Description ENode MAC MAC address of the ENode . ENode Interface Slot/port number of the interface connected to the ENode. FCF MAC MAC address of the FCF. FCF Interface Slot/port number of the interface to which the FCF is connected. VLAN VLAN ID number used by the session. FCoE MAC MAC address of the FCoE session assigned by the FCF. FC-ID Fibre Channel ID assigned by the FCF. Port WWPN Worldwide port name of the CNA port.
The following example shows the show fip-snooping fcf command. Dell# show fip-snooping fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No. of Enodes ------------------- ---- ------------------- ------------54:7f:ee:37:34:40 Po 22 100 0e:fc:00 4000 2 The following table describes the show fip-snooping fcf command fields. Table 25. show fip-snooping fcf Command Description Field Description FCF MAC MAC address of the FCF. FCF Interface Slot/port number of the interface to which the FCF is connected.
Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number of of of of of of of of of of of of of of of of of FLOGI FDISC FLOGO Enode Keep Alive VN Port Keep Alive Multicast Discovery Advertisement Unicast Discovery Advertisement FLOGI Accepts FLOGI Rejects FDISC Accepts FDISC Rejects FLOGO Accepts FLOGO Rejects CVL FCF Discovery Timeouts VN Port Session Timeouts Session failures due to Hardware Config :1 :16 :0 :4416 :3136 :0 :0 :0 :0 :0 :0 :0
Field Description Number of FLOGI Number of FIP-snooped FLOGI request frames received on the interface. Number of FDISC Number of FIP-snooped FDISC request frames received on the interface. Number of FLOGO Number of FIP-snooped FLOGO frames received on the interface. Number of ENode Keep Alives Number of FIP-snooped ENode keep-alive frames received on the interface. Number of VN Port Keep Alives Number of FIP-snooped VN port keep-alive frames received on the interface.
The following example shows the show fip-snooping vlan command.
Enabling FIPS Cryptography 17 Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Monitoring FIPS Mode Status To view the status of the current FIPS mode (enabled/disabled), use the following commands. • Use either command to view the status of the current FIPS mode. show fips status show system Example of the show fips status Command Example of the show system Command Dell#show fips status FIPS Mode : Enabled for the system using the show system command.
• The Telnet server re-enables (if it is present in the configuration). • New 1024–bit RSA and RSA1 host key-pairs are created. To disable FIPS mode, use the following command. • To disable FIPS mode from a console port. CONFIGURATION mode no fips mode enable The following Warning message displays: WARNING: Disabling FIPS mode will close all SSH/Telnet connections, restart those servers, and destroy all configured host keys.
Flex Hash 18 This chapter describes the Flex Hash enhancements. Flex Hash Capability Overview This functionality is supported on the platform. The flex hash functionality enables you to configure a packet search key and matches packets based on the search key. When a packet matches the search key, two 16-bit hash fields are extracted from the start of the L4 header and provided as inputs (bins 2 and 3) for RTAG7 hash computation.
CONFIGURATION mode S6000-109-FTOS(conf)# load-balance ingress-port enable When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value. 2.
code points are not tagged for RRoCE. Both ECN and PFC are enabled for RRoCE traffic. For normal IP or data traffic that is not RRoCE-enabled, the packets comprise TCP and UDP packets and they can be marked with DSCP code points. Multicast is not supported in that network. RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces.
You can use the encapsulation dot1q vlan-id command in INTERFACE mode to configure lite subinterfaces.
19 Force10 Resilient Ring Protocol (FRRP) Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
unblocks the previously blocked ring ports on the newly restored port. Then the Transit node returns to the Normal state. Multiple FRRP Rings Up to 255 rings are allowed per system and multiple rings can be run on one system. More than the recommended number of rings may cause interface instability. You can configure multiple rings with a single switch connection; a single ring can have multiple FRRP groups; multiple rings can be connected with a common link.
Important FRRP Concepts The following table lists some important FRRP concepts. Concept Explanation Ring ID Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch. Control VLAN Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
Concept Explanation Ring Health-Check The Master node generates two types of RHFs. RHFs never loop the ring because Frame (RHF) they terminate at the Master node’s secondary port. • Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval. • Topology Change RHF (TCRHF) — These frames contains ring status, keepalive, and the control and member VLAN hash.
• Viewing the FRRP Information Creating the FRRP Group Create the FRRP group on each switch in the ring. To create the FRRP group, use the command. • Create the FRRP group with this Ring ID. CONFIGURATION mode protocol frrp ring-id Ring ID: the range is from 1 to 255. Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring. CONFIG-FRRP mode. interface primary int slot/port secondary int slot/port control-vlan vlan id Interface: • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
CONFIG-INT-VLAN mode. tagged interface slot/port {range} Interface: • Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Assign the Primary and Secondary ports and the Control VLAN for the ports on the ring. 3. CONFIG-FRRP mode.
– Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500). – Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500). Clearing the FRRP Counters To clear the FRRP counters, use one of the following commands. • Clear the counters associated with this Ring ID. EXEC PRIVELEGED mode. clear frrp ring-id • Ring ID: the range is from 1 to 255. Clear the counters associated with all FRRP groups. EXEC PRIVELEGED mode.
Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • • • • • • Each Control Ring must use a unique VLAN ID. Only two interfaces on a switch can be Members of the same control VLAN. There can be only one Master node for any FRRP group. You can configure FRRP on Layer 2 interfaces only. Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
switchport no shutdown ! interface TengigabitEthernet 2/31 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TengigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged TengigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary TengigabitEthernet 2/14 secondary TengigabitEthernet 2/31 control-vlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface TengigabitEthernet 3/14 no ip address switchport no shutdown ! inter
20 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 37. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
• • Fixed Registration Mode — figuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN deregistration, and registers all VLANs known on other ports on the port. For example, if an interface is statically configured via the CLI to belong to a VLAN, it should not be unconfigured when it receives a Leave PDU. Therefore, the registration mode on that interface is FIXED.
GARP Timers Value (milliseconds) ---------------------------------------Join Timer 300 Leave Timer 1000 LeaveAll Timer 5000 Dell(conf)# The system displays this message if an attempt is made to configure an invalid GARP timer: Dell(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer.
Internet Group Management Protocol (IGMP) 21 Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 38. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicastsystems address 224.0.0.1) a general query to all hosts on the subnet. 2.
3. Any remaining hosts respond to the query according to the delay timer mechanism (refer to Adjusting Query and Response Timers). If no hosts respond (because there are none remaining in the group), the querier waits a specified period and sends another query. If it still receives no response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2.
Figure 40. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 41. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Figure 42. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1. Enable multicast routing using the ip multicast-routing command. 2. Enable a multicast routing protocol.
• • • IGMP Snooping Fast Convergence after MSTP Topology Changes Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled interfaces.
IGMP last member query response interval is 1000 ms IGMP immediate-leave is disabled IGMP activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves IGMP querying router is 1.1.1.1 (this system) IGMP version is 3 Dell(conf-if-te-1/13)# Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. • View both learned and statically configured IGMP groups.
When the querier receives a leave message from a host, it sends a group-specific query to the subnet. If no response is received, it sends another. The amount of time that the querier waits to receive a response to the initial query before sending a second one is the last member query interval (LMQI). The switch waits one LMQI after the second query before removing the group from the state table. • Adjust the period between queries.
• View the static groups. EXEC Privilege mode. show ip igmp groups Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet.
Configuring IGMP Snooping Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands. There is no specific configuration needed for IGMP snooping with virtual link trunking (VLT). For information about VLT configurations, refer to Virtual Link Trunking (VLT). • Enable IGMP snooping on a switch. CONFIGURATION mode • ip igmp snooping enable View the configuration. CONFIGURATION mode • show running-config Disable snooping on a VLAN.
no ip address ip igmp snooping fast-leave shutdown Dell(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present.
When enabled, IGMP snooping querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members. Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command. When the querier receives a Leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another.
Interfaces 22 This chapter describes interface types, both physical and logical, and how to configure them on the Z9500 switch. • 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the Z9500.
to top in multiples of four, starting with zero; for example, 0, 4, 8, 12, and so on. When a breakout cable is installed, the resulting four 10GbE ports are numbered with the remaining numbers. For example, 40GbE port 0 contains 10GbE ports 0, 1, 2, and 3; 40GbE port 4 contains 10GbE ports 4, 5, 6, and 7. Line card 0 consists of ports 0 to 143; line card 1 consists of ports 0 to 191; line card 2 consists of ports 0 to 191. Figure 43.
View Basic Interface Information To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters. • Lists all configurable interfaces on the chassis. EXEC mode show interfaces This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface.
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 00:00:31 Dell# To view which interfaces are enabled for Layer 3 data transmission, use the show ip interfaces brief command in EXEC Privilege mode. In the following example, TengigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Enable the interface. 2. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode.
Network Processing Units (NPUs) The Z9500 uses network processing units (NPUs) to process traffic from front-end I/O ports and interconnect packet-processing elements in the chassis to form one fully connected logical switch. The interconnect links run across 40-Gigabit Ethernet internal ports. A 40-Gigabit Ethernet internal port is also referred to as a HiGig port. On the Z9500, each NPU that constitutes a port pipe processes traffic from a set of front-end I/O ports.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. • Enable Layer 2 data transmissions through an individual interface.
• ip address Enable the interface. INTERFACE mode no shutdown Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
Internet address is 1.1.49.1/24 Broadcast address is 1.1.49.255 Address determined by config file MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains.
NOTE: If you configure SNMP as the management application for EIS and you add a default management route, when you perform an SNMP walk and check the debugging logs for the source and destination IPs, the SNMP agent uses the destination address of incoming SNMP packets as the source address for outgoing SNMP responses for security. Management Interfaces The Z9500 supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system.
– must not match the virtual IP address and must not be in the same subnet as the virtual IP. Dell#show interfaces managementethernet 0/0 ManagementEthernet 0/0 is up, line protocol is up Hardware is DellForce10Eth, address is 00:01:e8:a0:bf:f3 Current address is 00:01:e8:a0:bf:f3 Pluggable media not present Interface index is 302006472 Internet address is 10.16.130.
• Enable the interface. INTERFACE mode • no shutdown The interface is the management interface. INTEFACE mode description Example of the show interface and show ip route Commands To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
The system supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used. For more information about configuring different routing protocols, refer to the chapters on the specific protocol. A consideration for including VLANs in routing protocols is that you must configure the no shutdown command. (For routing traffic to flow, you must enable the VLAN.
• Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the commands supported on physical interfaces are also supported on a Loopback interface. Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command. • Enter INTERFACE mode of the Null interface.
Port Channel Benefits A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface. For example, you configure one IP address for the group and that IP address is used for all routed traffic on the port channel. With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links.
configuration becomes the common speed of the port channel. If the other interfaces configured in that port channel are configured with a different speed, the system disables them.
After you enable the port channel, you can place it in Layer 2 or Layer 3 mode. To place the port channel in Layer 2 mode or configure an IP address to place the port channel in Layer 3 mode, use the switchport command. You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists.
Dell# Te 13/8 (Up) Te 13/13 (Up) Te 13/14 (Up) The following example shows the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a Layer 2-port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel. Dell>show interface port-channel 20 Port-channel 20 is up, line protocol is up Hardware address is 00:01:e8:01:46:fa Internet address is 1.1.120.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, the system recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1. Remove the interface from the first port channel.
The default is 1. Example of Configuring the Minimum Oper Up Links in a Port Channel Dell#config t Dell(conf)#int po 1 Dell(conf-if-po-1)#minimum-links 5 Dell(conf-if-po-1)# Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
– ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). – secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Deleting or Disabling a Port Channel To delete or disable a port channel, use the following commands. • Delete a port channel. CONFIGURATION mode • no interface portchannel channel-number Disable a port channel.
– ip-selection [dest-ip | source-ip] — Distribute IP traffic based on the IP destination or source address. – mac [dest-mac | source-dest-mac | source-mac] — Distribute IPV4 traffic based on the destination or source MAC address, or both, along with the VLAN, Ethertype, source module ID and source port ID. – tcp-udp enable — Distribute traffic based on the TCP/UDP source and destination ports. – ing-port — Distribute traffic based on the port ID of the IP source address.
Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Single-Range The following is an example of a single range. Example of the interface range Command (Single Range) Dell(config)# interface range tengigabitethernet 0/1 - 23 Dell(config-if-range-te-0/1-23)# no shutdown Dell(config-if-range-te-0/1-23)# Create a Multiple-Range The following is an example of multiple range.
Commas The following is an example of how to use commas to add different interface types to the range, enabling all Ten Gigabit Ethernet interfaces in the range 5/1 to 5/23 and both Ten Gigabit Ethernet interfaces 1/1 and 1/2.
Define the Interface Range The following example shows how to define an interface-range macro named “test” to select 10– GigabitEthernet interfaces 5/1 through 5/4. Example of the define interface-range Command for Macros Dell(config)# define interface-range test tengigabitethernet 5/1 - 4 Choosing an Interface-Range Macro To use an interface-range macro, use the following command. • Selects the interfaces range to be configured using the values saved in a named interface-range macro.
• • • • t — Decrease refresh interval (by 1 second) c — Clear screen a — Page down q — Quit Dell#monitor interface te 3/1 FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
Use the show hardware sfm hg-stats and show hardware linecard hg-stats commands to display traffic statistics about the HiGig links on a line-card or SFM NPU. Use the clear hardware sfm hg-stats and clear hardware linecard hg-stats commands to reset HiGig port statistics. Link Bundle Monitoring Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
• A line-card (leaf) NPU supports 12 front-end I/O ports and 12 backplane HiGig ports. The 12 backplane links are members of a single HiGig link bundle that connects the line-card NPU to each SFM (spine) NPU. Two HiGig links in the bundle are used to connect to each SFM NPU. You can enable the capability to detect uneven traffic distribution in the member links of a HiGig link bundle on a line-card or SFM NPU. You can also enable a notification to be sent using alarms and SNMP traps.
– Bundle usage for egress traffic exceeds the threshold configured with the hg-link-bundle monitor trigger-threshold command. Alarms are generated only when link-bundle traffic levels are high. At low traffic levels, only one or two significant flows may cause unevenness. However, uneven traffic distribution across links during low-traffic periods is not critical and does not trigger an alarm.
Dell#show hg-link-bundle-distribution {sfm npu-id hg-port—channel hg-port— channel-id | slot slot npuUnit npu-id hg-port—channel 0} Fanning out 40G Ports Dynamically Splitting QSFP Ports to SFP+ Ports The Z9500 supports splitting a single 40G QSFP port into four 10G SFP+ ports without reload using a supported breakout cable. (For the link to a list of supported cables, refer to the Z9500 Installation Guide or the Z9500 Release Notes).
However, the link UP event happens only for the first 10 Gigabit port and you can use only that port for data transfer. As a result, only the first fanned-out port is identified as the active 10 Gigabit port with a speed of 10G or 1G depending on whether you insert an SFP+ or SFP cable respectively. NOTE: Although it is possible to configure the remaining three 10 Gigabit ports, the Link UP event does not occur for these ports leaving the lanes unusable.
For these configurations, the following examples show the command output that the show interfaces tengigbitethernet transceiver, show interfaces tengigbitethernet, and show inventory media commands displays: Dell#show interfaces tengigabitethernet 0/0 transceiver SFP+ 0 Serial ID Base Fields SFP+ 0 Id = 0x0d SFP+ 0 Ext Id = 0x00 SFP+ 0 Connector = 0x23 SFP+ 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 SFP+ 0 Encoding = 0x00 ……………… ……………… SFP+ 0 Diagnostic Information ========================
SFP 0 Temp High Alarm threshold SFP 0 Voltage High Alarm threshold SFP 0 Bias High Alarm threshold = 0.000C = 0.000V = 0.000mA NOTE: In the following show interfaces tengigbitethernet transceiver commands, the ports 5,6, and 7 are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell Networking OS still perceives these ports as valid and the output shows that pluggable media (optical cables) is inserted into these ports.
QSFP 0 Encoding = 0x00 ……………… ……………… QSFP 0 Diagnostic Information =================================== QSFP 0 Rx Power measurement type = OMA =================================== QSFP 0 Temp High Alarm threshold = 0.000C QSFP 0 Voltage High Alarm threshold = 0.000V QSFP 0 Bias High Alarm threshold = 0.
Dell#show interfaces tengigabitethernet 0/6 gigabitethernet 0/0 is up, line protocol is down Hardware is DellEth, address is 90:b1:1c:f4:9a:fa Current address is 90:b1:1c:f4:9a:fa Pluggable media present, SFP type is 1GBASE …………………… LineSpeed 1000 Mbit Dell#show interfaces tengigabitethernet 0/7 gigabitethernet 0/0 is up, line protocol is down Hardware is DellEth, address is 90:b1:1c:f4:9a:fa Current address is 90:b1:1c:f4:9a:fa Pluggable media present, SFP type is 1GBASE …………………… LineSpeed 1000 Mbit Dell#s
Link dampening minimizes the risk created by flapping by imposing a penalty for each interface flap and decaying the penalty exponentially. After the penalty exceeds a certain threshold, the interface is put in an Error-Disabled state and for all practical purposes of routing, the interface is deemed to be “down.” After the interface becomes stable and the penalty decays below a certain threshold, the interface comes up again and the routing protocols re-converge.
Following interfaces are currently suppressed: Te 0/2 Te 3/1 Te 4/2 Dell# Clearing Dampening Counters To clear dampening counters and accumulated penalties, use the following command. • Clear dampening counters.
Using Ethernet Pause Frames for Flow Control Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time. An Ethernet interface starts to send pause frames to a sending device when the transmission rate of ingress traffic exceeds the egress port speed.
The flow control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes. To enable pause frames, use the following command. • Control how the system responds to and generates 802.3x pause frames on 10 Gigabit line cards. INTERFACE mode flowcontrol rx [off | on] tx [off | on] [threshold {<1-2047> <1-2013> <1-2013>}] – rx on: enter the keywords rx on to process the received flow control frames on this port.
• All members must have the same link MTU value and the same IP MTU value. • The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU 2000, the port channel’s MTU values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU. VLANs: • All members of a VLAN must have the same IP MTU value. • Members can have different Link MTU values.
end Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode no Negate a command or set its defaults show Show autoneg configuration information Dell(conf-if-te-0/1)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode Dell(conf-if-te-0/1)# For details about the speed, duplex, and negotiation auto commands, refer to the Interfaces chapter of the Dell Networking OS Command Reference Guide.
Vlan membership: Vlan 2 --More-- Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 1d23h45m Queueing strategy: fifo 0 packets input, 0 bytes Input 0 IP Packets, 0 Vlans 0 MPLS 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans,
(OPTIONAL) Enter the following interface keywords and slot/port or number information: – For a loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a Port Channel interface, enter the keywords port-channel then a number. – For the management interface, enter the keyword ManagementEthernet 0/0. The slot number is 0; the port number is 0. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Internet Protocol Security (IPSec) 23 Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
Configuring IPSec The following sample configuration shows how to configure FTP and telnet for IPSec. 1. Define the transform set. CONFIGURATION mode crypto ipsec transform-set myXform-seta esp-authentication md5 espencryption des 2. Define the crypto policy.
IPv4 Routing 24 The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
Configuration Tasks for IP Addresses The following describes the tasks associated with IP address configuration. Configuration tasks for IP addresses includes: • Assigning IP Addresses to an Interface (mandatory) • Configuring Static Routes (optional) • Configure Static Routes for the Management Interface (optional) For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Reference Guide.
• secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Example the show config Command To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example. Dell(conf-if)#show conf ! interface TengigabitEthernet 0/0 ip address 10.11.1.
----------S 2.1.2.0/24 S 6.1.2.0/24 S 6.1.2.2/32 S 6.1.2.3/32 S 6.1.2.4/32 S 6.1.2.5/32 S 6.1.2.6/32 S 6.1.2.7/32 S 6.1.2.8/32 S 6.1.2.9/32 S 6.1.2.10/32 S 6.1.2.11/32 S 6.1.2.12/32 S 6.1.2.13/32 S 6.1.2.14/32 S 6.1.2.15/32 S 6.1.2.16/32 S 6.1.2.17/32 S 11.1.1.0/24 Direct, Lo 0 --More-- ------Direct, Nu 0 via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.
----------10.11.0.0/16 172.16.1.0/24 ------ManagementEthernet 0/0 10.11.198.4 ----Connected Active -----------Connected Static Enabling Directed Broadcast By default, the system drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable the switch to receive directed broadcasts, use the following command. • Enable directed broadcast.
Dell>show host Default domain is force10networks.com Name/address lookup uses domain service Name servers are not set Host Flags TTL Type Address -------- ----- ------- ------ks (perm, OK) - IP 2.2.2.2 patch1 (perm, OK) - IP 192.68.69.2 tomm-3 (perm, OK) - IP 192.68.99.2 gxr (perm, OK) - IP 192.71.18.2 f00-3 (perm, OK) - IP 192.71.23.1 Dell> To view the current configuration, use the show running-config resolve command.
ip name-server ip-address [ip-address2 ... ip-address6] • The order you entered the servers determines the order of their use. When you enter the traceroute command without specifying an IP address (Extended Traceroute), you are prompted for a target and source IP address, timeout in seconds (default is 5), a probe count (default is 3), minimum TTL (default is 1), maximum TTL (default is 30), and port number (default is 33434).
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
Enabling Proxy ARP By default, Proxy ARP is enabled. To disable Proxy ARP, use the no ip proxy-arp command in the interface mode. To re-enable Proxy ARP, use the following command. • Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
• inform switches of their presence on a port so that packets can be forwarded • update the ARP table of other nodes on the network in case of an address change In the request, the host uses its own IP address in the Sender Protocol Address and Target Protocol Address fields. When a gratuitous ARP is received, the system installs an ARP entry on all three CPUs. Enabling ARP Learning via Gratuitous ARP To enable ARP learning via gratuitous ARP, use the following command.
Figure 45. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request. Configuring ARP Retries The number of ARP retries is user-configurable. The default backoff interval remains at 20 seconds. To set and display ARP retries, use the following commands. • Set the number of ARP retries.
ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic. Configuration Tasks for ICMP The following lists the configuration tasks for ICMP.
1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper. 2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. Refer to Configuring a Broadcast Address. Important Points to Remember • The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface. • The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
Examples of Configuring and Viewing a Broadcast Address The following example shows configuring a broadcast address. Dell(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 Dell(conf-if-vl-100)#show config ! interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged TengigabitEthernet 1/2 no shutdown To view the configured broadcast address for an interface, use show interfaces command.
Packet 2, sent from a host on VLAN 101 has a broadcast MAC address and IP address. In this case: 1. It is flooded on VLAN 101 without changing the destination address because the forwarding process is Layer 2. 2. If you enabled UDP helper, the system changes the destination IP address to the configured broadcast address 1.1.255.255 and forwards the packet to VLAN 100. 3.
Figure 47. UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
• If the Incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces. Troubleshooting UDP Helper To display debugging information for troubleshooting, use the debug ip udp-helper command.
IPv6 Routing 25 Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Duplicate Address Detection (DAD) — Before configuring its IPv6 address, an IPv6 host node device checks whether that address is used anywhere on the network using this mechanism. • Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider. NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses using the dynamic host control protocol (DHCP) servers via stateful auto-configuration.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 49. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Next Header (8 bits) The Next Header field identifies the next header’s type. If an Extension header is used, this field contains the type of Extension header (as shown in the following table). If the next header is a transmission control protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers do not severely impact performance. Each Extension headers’s lengths vary, but they are always a multiple of 8 bytes.
11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination. The value is 1 if it can change; the value is 0 if it cannot change.
Static and Dynamic Addressing Static IPv6 addresses are manually assigned to a computer by an administrator. Dynamic IPv6 addresses are assigned either randomly or by a server using dynamic host configuration protocol (DHCP). Even though IPv6 addresses assigned using DHCP may stay the same for long periods of time, they can change. In some cases, a network administrator may implement dynamically assigned static IPv6 addresses.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 OS Command Line Reference Guide. Multiprotocol BGP extensions for 8.3.11 IPv6 IPv6 BGP in the Dell Networking OS Command Line Reference Guide. IPv6 BGP MD5 Authentication 8.3.11 IPv6 BGP in the Dell Networking OS Command Line Reference Guide. IS-IS for IPv6 8.3.11 Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 Secure Shell (SSH) server support 8.3.11 over IPv6 (inbound SSH) Layer 3 only Secure Shell (SSH) Over an IPv6 Transport IPv6 Access Control Lists 8.3.11 IPv6 Access Control Lists in the Dell Networking OS Command Line Reference Guide. N/A IPv6 PIM in the Dell Networking OS Command Line Reference Guide.
The ping and traceroute commands extend to support IPv6 addresses. These commands use ICMPv6 Type-2 messages. Path MTU Discovery IPv6 path maximum transmission unit (MTU), in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
NOTE: To avoid problems with network discovery, Dell Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary processing by uninterested nodes.
expire. A value of 0 indicates to the host that the RDNSS address should not be used. You must specify a lifetime using the lifetime or infinite parameter. The DNS server address does not allow the following: • link local addresses • loopback addresses • prefix addresses • multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 0/1.
Secure Shell (SSH) Over an IPv6 Transport Both inbound and outbound secure shell (SSH) sessions using IPv6 addressing are supported. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. For SSH configuration details, refer to the Security chapter in the Dell Networking OS Command Line Interface Reference Guide. Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol.
When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. • The ipv6acl range must be a factor of 2. Show the current CAM settings. EXEC mode or EXEC Privilege mode • show cam-acl Provides information on FP groups allocated for the egress acl. CONFIGURATION mode show cam-acl-egress Allocate at least one group for L2ACL and IPv4 ACL. The total number of groups is 4.
CONFIGURATION mode ipv6 route prefix type {slot/port} forwarding router tag – prefix: IPv6 route prefix – type {slot/port}: interface type and slot/port – forwarding router: forwarding router’s address – tag: route tag Enter the keyword interface then the type of interface and slot/port information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• snmp-server group access-list-name ipv6 Displaying IPv6 Information To view a specified IPv6 configuration, use the show ipv6command. • List the IPv6 show options.
Link Local address: fe80::201:e8ff:fe8b:386e Global Unicast address(es): Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64 Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64 Virtual-IP IPv6 address is not set Received Prefix(es): 400::/64 onlink autoconfig Valid lifetime: 2592000, Preferred lifetime: 604800 Advertised by: fe80::201:e8ff:fe8b:3166 412::/64 onlink autoconfig Valid lifetime: 2592000, Preferred lifetime: 604800 Advertised by: fe80::201:e8ff:fe8b:3166 Global Anycast addres
Route Source Active Routes Non-active Routes connected 5 0 static 0 0 Total 5 0 Dell#show ipv6 route Codes: C - connected, L - local, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, Gateway of last resort is not set Desti
Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} – *: all routes. – ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
iSCSI Optimization 26 This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• If you configure flow-control, iSCSI uses the current configuration. If you do not configure flowcontrol, iSCSI auto-configures flow control settings so that receive-only is enabled and transmit-only is disabled. . • iSCSI monitoring sessions — the switch monitors and tracks active iSCSI sessions in connections on the switch, including port information and iSCSI session information. • iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 28. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting iSCSI CoS mode (802.1p priority queue mapping) iSCSI CoS Packet classification When you enable iSCSI, iSCSI packets are queued based on dot1p, instead of DSCP values. VLAN priority tag iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
NOTE: Content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled: • session monitoring • aging • class of service You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and the show iscsi command displays this information. 2. For a non-DCB environment: Enable iSCSI. CONFIGURATION mode iscsi enable 3. For a DCB environment: Configure iSCSI Optimization.
• ip-address specifies the IP address of the iSCSI target. When you enter the no form of the command, and the TCP port you want to delete is one bound to a specific IP address, include the IP address value in the command. If multiple IP addresses are mapped to a single TCP port, use the no iscsi target port command to remove all IP addresses assigned to the TCP port number. To remove a single IP address from the TCP port, use the no iscsi target port ipaddress command. 7.
[no] iscsi profile-compellent. The default is: Compellent disk arrays are not detected. Displaying iSCSI Optimization Information To display information on iSCSI optimization, use the following show commands. • Display the currently configured iSCSI settings. • show iscsi Display information on active iSCSI sessions on the switch. • • show iscsi sessions Display detailed information on active iSCSI sessions on the switch .
The following example shows the show iscsi session detailed command. VLT PEER1 Dell# show iscsi session detailed Session 0: -----------------------------------------------------------Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1 Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c Up Time:00:00:01:28(DD:HH:MM:SS) Time for aging out:00:00:09:34(DD:HH:MM:SS) ISID:806978696102 Initiator Initiator Target Target Connection IP Address TCP Port IP Address TCPPort ID 10.10.0.44 33345 10.10.0.
When you disable the iSCSI feature, iSCSI resources are released and the detection of EqualLogic arrays using LLDP is disabled. Disabling iSCSI does not remove the MTU, flow control, portfast, or storm control configuration applied as a result of enabling iSCSI. NOTE: By default, CAM allocation for iSCSI is set to 0. This disables session monitoring. Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer The following behavior occurs during synchronization of iSCSI sessions.
• Aging • Up Time If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is cleared. If more than 256 simultaneous sessions are logged continuously, the following message displays indicating the queue rate limit has been reached: %Z9500LC48:1 %ACL_AGENT-3-ISCSI_OPT_MAX_SESS_LIMIT_REACHED: Monitored iSCSI sessionsreached maximum limit NOTE: If you are using EqualLogic or Compellent storage arrays, more than 256 simultaneous iSCSI sessions are possible.
• • Spanning-tree portfast is enabled on the interface LLDP identifies. Unicast storm control is disabled on the interface LLDP identifies. Configuring Detection and Ports for Dell Compellent Arrays To configure a port connected to a Dell Compellent storage array, use the following command. • Configure a port connected to a Dell Compellent storage array. INTERFACE Configuration mode iscsi profile-compellent The command configures a port for the best iSCSI traffic conditions.
NOTE: On a switch in which a large proportion of traffic is iSCSI, CoS queue assignments may interfere with other network control-plane traffic, such as ARP or LACP. Balance preferential treatment of iSCSI traffic against the needs of other critical data in the network.
Intermediate System to Intermediate System 27 The intermediate system to intermediate system (IS-IS) protocol that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter. IS-IS Protocol Overview The IS-IS protocol, developed by the International Organization for Standardization (ISO), is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following: • area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.
Transition Mode All routers in the area or domain must use the same type of IPv6 support, either single-topology or multitopology. A router operating in multi-topology mode does not recognize the ability of the singletopology mode router to support IPv6 traffic, which leads to holes in the IPv6 topology.
entries, forwarding between ingress and egress ports can continue uninterrupted while the control plane IS-IS process comes back to full functionality and rebuilds its routing tables. A new TLV (the Restart TLV) is introduced in the IIH PDUs, indicating that the router supports graceful restart. Timers Three timers are used to support IS-IS graceful restart functionality. After you enable graceful restart, these timers manage the graceful restart process. There are three times, T1, T2, and T3.
• Advertises IPv6 information in the PDUs. • Processes IPv6 information received in the PDUs. • Computes routes to IPv6 destinations. • Downloads IPv6 routes to the RTM for installing in the FIB. • Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 29.
• Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debuging IS-IS Enabling IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols.
4. Enter an IPv4 Address. INTERFACE mode ip address ip-address mask Assign an IP address and mask to the interface. The IP address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address. 5. Enter an IPv6 Address. INTERFACE mode ipv6 address ipv6-address mask • • ipv6 address: x:x:x:x::x mask: The prefix length is from 0 to 128.
Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: Dell# level-1-2 level-1-2 none none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
set-overload-bit 3. Set the minimum interval between SPF calculations. ROUTER ISIS AF IPV6 mode spf-interval [level-l | level-2 | interval] [initial_wait_interval [second_wait_interval]] Use this command for IPv6 route computation only when you enable multi-topology. If using singletopology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4. Implement a wide metric-style globally.
• – retry-times: number of times an unacknowledged restart request is sent before the restarting router gives up the graceful restart engagement with the neighbor. (The range is from 1 to 10 attempts. The default is 1.) Configure the time for the graceful restart timer T2 that a restarting router uses as the wait time for each database to synchronize.
Database Sync count : 0 (level-1), 0 (level-2) Circuit GigabitEthernet 2/10: Mode: Normal L1-State:NORMAL, L2-State: NORMAL L1: Send/Receive: RR:0/0, RA: 0/0, SA:0/0 T1 time left: 0, retry count left:0 L2: Send/Receive: RR:0/0, RA: 0/0, SA:0/0 T1 time left: 0, retry count left:0 Dell# To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode.
– size: the range is from 128 to 9195. • The default is 1497. Set the LSP refresh interval. ROUTER ISIS mode lsp-refresh-interval seconds – seconds: the range is from 1 to 65535. • The default is 900 seconds. Set the maximum time LSPs lifetime. ROUTER ISIS mode max-lsp-lifetime seconds – seconds: the range is from 1 to 65535. The default is 1200 seconds.
Table 30. Metric Styles Metric Style Characteristics Cost Range Supported on IS-IS Interfaces narrow Sends and accepts narrow or old TLVs (Type, Length, Value). 0 to 63 wide Sends and accepts wide or new TLVs. 0 to 16777215 transition Sends both wide (new) and narrow (old) TLVs. 0 to 63 narrow transition Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs. 0 to 63 wide transition Sends wide (new) TLVs and accepts both narrow (old) and wide (new) TLVs.
Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. • Assign an IS-IS metric. INTERFACE mode isis metric default-metric [level-1 | level-2] – default-metric: the range is from 0 to 63 if the metric-style is narrow, narrow-transition, or transition.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} • Default is level-1-2. Change the IS-type for the IS-IS process.
– For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. – For a port channel, enter the keywords port-channel then a number. – For a SONET interface, enter the keyword sonet then the slot/port information. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/ port information.
– ospf process-id: for OSPF routes only. – rip: for RIP routes only. – static: for user-configured routes. • – bgp: for BGP routes only. Deny RTM download for pre-existing redistributed IPv4 routes. ROUTER ISIS mode distribute-list redistributed-override in Applying IPv6 Routes To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, previously shown.
Redistributing IPv4 Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. NOTE: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution. To add routes from other routing instances or protocols, use the following commands.
• Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS. ROUTER ISIS mode redistribute {bgp as-number | connected | rip | static} [level-1 level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric-value: the range is from 0 to 16777215. The default is 0.
• Set the authentication password for a routing domain. ROUTER ISIS mode domain-password [encryption-type | hmac-md5] password FTOS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs. To view the passwords, use the show config command in ROUTER ISIS mode or the show runningconfig isis command in EXEC Privilege mode. To remove a password, use either the no area-password or no domain-password commands in ROUTER ISIS mode.
Force10.00-00 Dell# 0x00000004 0xCDA9 1093 0/0/0 Debugging IS-IS To debug IS-IS processes, use the following commands. • View all IS-IS information. EXEC Privilege mode • debug isis View information on all adjacency-related activity (for example, hello packets that are sent and received).
To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command. IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value transition wide transition original value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value is greater than 63. A message is sent to the console.
Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 33.
NOTE: Whenever you make IS-IS configuration changes, clear the IS-IS process (re-started) using the clear isis command. The clear isis command must include the tag for the ISIS process. The following example shows the response from the router: Dell#clear isis * % ISIS not enabled. Dell#clear isis 9999 * You can configure IPv6 IS-IS routes in one of the following three different methods: • • • Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
ip router isis ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell(conf-router_isis)#show config ! router isis metric-style wide level-1 metric-style wide level-2 net 34.0000.0000.AAAA.00 Dell (conf-router_isis)# Dell(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell(conf-if-te-3/17)# Dell(conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
• There is a difference between the shutdown and no interface port-channel commands: – The shutdown command on LAG “xyz” disables the LAG and retains the user commands. However, the system does not allow the channel number “xyz” to be statically created. – The no interface port-channel channel-number command deletes the specified LAG, including a dynamically created LAG. This command removes all LACP-specific commands on the member interfaces.
• This command creates context. Configure LACP mode. LACP mode [no] port-channel number mode [active | passive | off] – number: cannot statically contain any links. • The default is LACP active. Configure port priority. LACP mode [no] lacp port-priority priority-value The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP.
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG. Dell(conf)#interface vlan 10 Dell(conf-if-vl-10)#tagged port-channel 32 Configuring the LAG Interfaces as Dynamic After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command. • Configure the dynamic LAG interfaces.
CONFIG-INT-PO mode lacp long-timeout Example of the lacp long-timeout and show lacp Commands Dell(conf)# interface port-channel 32 Dell(conf-if-po-32)#no shutdown Dell(conf-if-po-32)#switchport Dell(conf-if-po-32)#lacp long-timeout Dell(conf-if-po-32)#end Dell# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.a12b Partner System ID: Priority 32768, Address 0001.e801.
Figure 55. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). the system has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time. Figure 56.
• • • • Only a LAG can be a member of a failover group. You can configure shared LAG state tracking on one side of a link or on both sides. If a LAG that is part of a failover group is deleted, the failover group is deleted. If a LAG moves to the Down state due to this feature, its members may still be in the Up state. LACP Basic Configuration Example The screenshots in this section are based on the following example topology.
Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 132 Multicasts, 0 Broadcasts 0 runts, 0
Figure 59.
Figure 60.
interface TengigabitEthernet 2/31 no ip address Summary of the LAG Configuration on Bravo Bravo(conf-if-te-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-3/21)#port-channel-protocol lacp Bravo(conf-if-
Figure 61.
Figure 62.
Figure 63. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 29 This chapter describes the Layer 2 features supported on the Z9500. Manage the MAC Address Table You can perform the following management tasks inr the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
CONFIGURATION mode mac-address-table aging-time seconds The range is from 10 to 1000000. Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command.
• Learning Limit Violation Actions • Setting Station Move Violation Actions • Recovering from Learning Limit and Station Move Violations Dell Networking OS Behavior: When configuring the MAC learning limit on a port or VLAN, the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If you enable sticky MAC, the specified port retains any dynamically-learned addresses and prevents them from being transferred or learned on other ports. Up to 1000 sticky entries are supported on a port. If you configure mac-learning-limit and you enabled sticky MAC, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
configure the mac learning-limit station-move-violation log, as shown in the following example. Dell(conf-if-te-1/1)#show config ! interface TengigabitEthernet 1/1 no ip address switchport mac learning-limit 1 dynamic no-station-move mac learning-limit station-move-violation log no shutdown Learning Limit Violation Actions Learning limit violation actions are user-configurable.
• station-move-violation shutdown-both Display a list of all of the interfaces configured with MAC learning limit or station move violation. CONFIGURATION mode show mac learning-limit violate-action Recovering from Learning Limit and Station Move Violations After a learning-limit or station-move violation shuts down an interface, you must manually reset it. To reset the learning limit, use the following commands.
Figure 64. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration). The redundant pairs feature allows you to create redundant links in networks that do not use STP by configuring backup interfaces for the interfaces on either side of the primary link.
You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
! interface TengigabitEthernet 3/41 no ip address switchport switchport backup interface TengigabitEthernet 3/42 no shutdown ! interface TengigabitEthernet 3/42 no ip address switchport no shutdown Dell(conf-if-range-te-3/41-42)# Dell(conf-if-range-te-3/41-42)#do show ip int brief | find 3/41 TengigabitEthernet 3/41 unassigned YES Manual up up TengigabitEthernet 3/42 unassigned NO Manual up down [output omitted] Dell(conf-if-range-te-3/41-42)#interface tengig 3/41 Dell(conf-if-te-3/41)#shutdown 00:24:53: %S
protocols on Po 1 and Te 0/2 Dell(conf-if-po-1)# Far-End Failure Detection Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration. Figure 67.
FEFD State Changes FEFD has two operational modes, Normal and Aggressive. When you enable Normal mode on an interface and a far-end failure is detected, no intervention is required to reset the interface to bring it back to an FEFD operational state. When you enable Aggressive mode on an interface in the same state, manual intervention is required to reset the interface.
Important Points to Remember • You can enable FEFD globally or on a per-interface basis. Interface FEFD configurations override global FEFD configurations. • The system supports FEFD on physical Ethernet interfaces only, excluding the management interface. Configuring FEFD You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • Enable FEFD globally on all interfaces.
Enabling FEFD on an Interface To enable, change, or disable FEFD on an interface, use the following commands. • Enable FEFD on a per interface basis. INTERFACE mode fefd • Change the FEFD mode. INTERFACE mode fefd [mode {aggressive | normal}] • Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time.
Debugging FEFD To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command. • Display output whenever events occur that initiate or disrupt an FEFD enabled connection. EXEC Privilege mode • debug fefd events Provide output for each packet transmission over the FEFD enabled connection. EXEC Privilege mode debug fefd packets Examples of the debug fefd Commands The following example shows the debug fefd events command.
Link Layer Discovery Protocol (LLDP) 30 This chapter describes how to configure and use the link layer discovery protocol (LLDP) on the Z9500 switch. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs. You can configure the inclusion of individual Optional TLVs. Table 35. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received.
Management TLVs A management TLV is an optional TLVs sub-type. This kind of TLV contains essential management information about the sender. Organizationally Specific TLVs A professional organization or a vendor can define organizationally specific TLVs. They have two mandatory fields (as shown in the following illustration) in addition to the basic TLV fields. Figure 70. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.
Type TLV Description 127 Port-VLAN ID On Dell Networking systems, indicates the untagged VLAN to which a port belongs. 127 Port and Protocol VLAN ID On Dell Networking systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode). 127 Protocol Identity Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV.
TIA-1057 (LLDP-MED) Overview Link layer discovery protocol — media endpoint discovery (LLDP-MED) as defined by ANSI/ TIA-1057— provides additional organizationally specific TLVs so that endpoint devices and network connectivity devices can advertise their characteristics and configuration information; the OUI for the Telecommunications Industry Association (TIA) is 00-12-BB.
Type SubType TLV Description device expressed in one of three possible formats: • • • 127 4 Inventory Management TLVs Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs. 127 Coordinate Based LCI Civic Address LCI Emergency Call Services ELIN Location Identification Indicates power requirements, priority, and power status.
LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV. • The value of the LLDP-MED capabilities field in the TLV is a 2–octet bitmap, each bit represents an LLDP-MED capability (as shown in the following table). • The possible values of the LLDP-MED device type are shown in the following.
LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations. LLDP-MED network policies TLV include: • VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined.
Type Application Description 8 Video Signaling Specify this application type only if video control packets use a separate network policy than video data. 9–255 Reserved — Figure 72. LLDP-MED Policies TLV Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device.
Configure LLDP Configuring LLDP is a two-step process. 1. Enable LLDP globally. 2. Advertise TLVs out of an interface. Related Configuration Tasks • Viewing the LLDP Configuration • Viewing Information Advertised by Adjacent LLDP Agents • Configuring LLDPDU Intervals • Configuring Transmit and Receive Mode • Configuring a Time to Live • Debugging LLDP Important Points to Remember • LLDP is enabled by default. • Dell Networking systems support up to eight neighbors per interface.
hello mode multiplier no show LLDP hello configuration LLDP mode configuration (default = rx and tx) LLDP multiplier configuration Negate a command or set its defaults Show LLDP configuration R1(conf-lldp)#exit R1(conf)#interface tengigabitethernet 1/31 R1(conf-if-te-1/31)#protocol lldp R1(conf-if-te-1/31-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol on this interface end Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode conf
CONFIGURATION mode protocol lldp 2. Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP on Management Ports To disable or undo LLDP on management ports, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION mode. protocol lldp 2. Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode.
• For 802.3 TLVs: max-frame-size. • For TIA-1057 TLVs: – guest-voice – guest-voice-signaling – location-identification – power-via-mdi – softphone-voice – streaming-video – video-conferencing – video-signaling – voice – voice-signaling In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 74. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command.
advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description hello 10 no disable R1(conf-lldp)# The following example shows viewing an LLDP interface configuration.
Remote Chassis ID: 00:01:e8:06:95:3e Remote Port Subtype: Interface name (5) Remote Port ID: TengigabitEthernet 2/11 Local Port ID: TengigabitEthernet 1/21 Locally assigned remote Neighbor Index: 4 Remote TTL: 120 Information valid for next 120 seconds Time since last information change of this neighbor: 01:50:16 Remote MTU: 1554 Remote System Desc: Dell Force10 Networks Real Time Operating System Software . Dell Force10 Operating System Version: 1.0. Dell Force10 App lication Software Version: 7.5.1.0.
advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring Transmit and Receive Mode After you enable LLDP, the switch transmits and receives LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands. • Transmit only. CONFIGURATION mode or INTERFACE mode • mode tx Receive only. CONFIGURATION mode or INTERFACE mode • mode rx Return to the default setting.
Configuring a Time to Live The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds. • Adjust the TTL value. CONFIGURATION mode or INTERFACE mode. • multiplier Return to the default multiplier value. CONFIGURATION mode or INTERFACE mode.
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU. debug lldp detail Figure 75. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects The system supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.
Table 41. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP adminStatus Configuration Basic TLV Selection LLDP MIB Object Description lldpPortConfigAdminStatus Whether you enable the local LLDP agent for transmit, receive, or both. msgTxHold lldpMessageTxHoldMultiplie Multiplier value. r msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs.
MIB Object Category LLDP Variable LLDP MIB Object statsTLVsUnrecognizedTota lldpStatsRxPortTLVsUnreco l gnizedTotal Description Total number of all TLVs the local agent does not recognize. Table 42.
TLV Type TLV Name TLV Variable management address System LLDP MIB Object Remote lldpRemManAddrSu btype Local lldpLocManAddr Remote lldpRemManAddr interface numbering Local subtype interface number OID lldpLocManAddrIfSu btype Remote lldpRemManAddrIfS ubtype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOI D Table 43. LLDP 802.
TLV Type TLV Name TLV Variable VLAN name System LLDP MIB Object Remote lldpXdot1RemVlanN ame Local lldpXdot1LocVlanNa me Remote lldpXdot1RemVlanN ame Table 44.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object L2 Priority Local lldpXMedLocMediaP olicyPriority Remote lldpXMedRemMedia PolicyPriority Local lldpXMedLocMediaP olicyDscp Remote lldpXMedRemMedia PolicyDscp Local lldpXMedLocLocatio nSubtype Remote lldpXMedRemLocati onSubtype Local lldpXMedLocLocatio nInfo Remote lldpXMedRemLocati onInfo Local lldpXMedLocXPoED eviceType Remote lldpXMedRemXPoED eviceType Local lldpXMedLocXPoEPS EPowerSource DSCP Value 3 Location Ident
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Power Value Local lldpXMedLocXPoEPS EPortPowerAv lldpXMedLocXPoEP DPowerReq Remote lldpXMedRemXPoEP SEPowerAv lldpXMedRemXPoEP DPowerReq Link Layer Discovery Protocol (LLDP) 593
Microsoft Network Load Balancing 31 Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. Microsoft NLB clustering allows multiple servers running Microsoft Windows to be represented by one MAC and one IP address to provide transparent failover and load-balancing.
With NLB, the data frame is forwarded to all servers in the cluster for the servers to perform loadbalancing. NLB Multicast Mode Example Consider a sample topology in which four servers, namely S1 through S4, are configured as a cluster or a farm. This set of servers is connected to a Layer 3 switch, which in turn is connected to the end-clients. They contain a single multicast MAC address (MAC-Cluster: 03-00-5E-11-11-11).
• The ip vlan-flooding command applies globally across all VLANs on the switch. In cases where NLB VLAN flooding is enabled and ARP replies contain a discrepancy in the Ethernet SA and ARP header SA frames, packet flooding over the relevant VLAN is performed. • The maximum number of server clusters supported at a time is eight.
mac-address-table static multicast-mac-address vlan vlan-id output-range interface 2. Configure a static ARP entry to associate the cluster IP address with the corresponding multicast NLB MAC address. Specify any of the interfaces entered in the L2 multicast configuration in Step 1.
Multicast Source Discovery Protocol (MSDP) 32 This chapter describes how to configure and use the multicast source discovery protocol (MSDP) on the Z9500 switch. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 76. Multicast Source Discovery Protocol (MSDP) RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 77.
Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback address are configured with a 32-bit mask, making it a host address.
Related Configuration Tasks The following lists related MSDP configuration tasks.
Figure 78.
Figure 79.
Figure 80.
Figure 81. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains.
ip msdp peer connect-source Example of Configuring MSDP Example of Viewing Peer Information R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
Example of the show ip msdp sa-cache Command R3#show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom 239.0.0.1 10.11.4.2 192.168.0.1 192.168.0.1 Expire UpTime 76 00:10:44 Limiting the Source-Active Cache Set the upper limit of the number of active sources that the system caches. The default active source limit is 500K messages.
• In Scenario 1, all MSPD peers are up. • In Scenario 2, the peership between RP1 and RP2 is down, but the link (and routing protocols) between them is still up. In this case, RP1 learns all active sources from RP3, but the sources from RP2 and RP4 are rejected because the reverse path to these routers is through Interface A. • In Scenario 3, RP3 is configured as a default MSDP peer for RP1 and so the RPF check is disregarded for RP3. • In Scenario 4, RP1 has a default peer plus an access list.
Figure 83.
Figure 84.
Figure 85. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
Example of the ip msdp default-peer Command and Viewing Denied Sources Dell(conf)#ip msdp peer 10.0.50.2 connect-source Vlan 50 Dell(conf)#ip msdp default-peer 10.0.50.2 list fifty Dell(conf)#ip access-list standard fifty Dell(conf)#seq 5 permit host 200.0.0.50 Dell#ip msdp sa-cache MSDP Source-Active Cache - 3 entries GroupAddr SourceAddr RPAddr LearnedFrom 229.0.50.2 24.0.50.2 200.0.0.50 10.0.50.2 229.0.50.3 24.0.50.3 200.0.0.50 10.0.50.2 229.0.50.4 24.0.50.4 200.0.0.50 10.0.50.
CONFIGURATION mode ip msdp redistribute list Example of Verifying the System is not Caching Local Sources When you apply this filter, the SA cache is not affected immediately. When sources that are denied by the ACL time out, they are not refreshed. Until they time out, they continue to reside in the cache. To apply the redistribute filter to entries already present in the SA cache, first clear the SA cache. You may optionally store denied sources in the rejected SA cache.
! ip access-list extended myremotefilter seq 5 deny ip host 239.0.0.1 host 10.11.4.2 R3(conf)#do show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom 239.0.0.1 10.11.4.2 192.168.0.1 192.168.0.1 R3(conf)#do show ip msdp sa-cache R3(conf)# R3(conf)#do show ip msdp peer Expire 1 UpTime 00:03:59 Peer Addr: 192.168.0.1 Local Addr: 0.0.0.
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode. Logging Changes in Peership States To log changes in peership states, use the following command. • Log peership state changes. CONFIGURATION mode ip msdp log-adjacency-changes Terminating a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics. CONFIGURATION mode clear ip msdp peer peer-address Example of the clear ip msdp peer Command and Verifying Statistics are Cleared R3(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
03:17:10 : MSDP-0: Peer 192.168.0.3, 03:17:27 : MSDP-0: Peer 192.168.0.3, Input (S,G) filter: none Output (S,G) filter: none rcvd Keepalive msg sent Source Active msg MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 86. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP: 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group.
3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address. CONFIGURATION mode interface loopback 4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5. Advertise the network of each of the unique Loopback addresses throughout the network.
! interface TenGigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.11/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.
redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.3 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.11 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.11 ip msdp originator-id Loopback 1 ! ip route 192.168.0.3/32 10.11.0.32 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.
MSDP Sample Configurations The following examples show the running-configurations described in this chapter. For more information, refer to the illustrations in the Related Configuration Tasks section. MSDP Sample Configuration: R1 Running-Config MSDP Sample Configuration: R2 Running-Config MSDP Sample Configuration: R3 Running-Config MSDP Sample Configuration: R4 Running-Config ip multicast-routing ! interface TenGigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.
ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.2/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.3 update-source Loopback 0 neighbor 192.168.0.3 no shutdown ! ip route 192.168.0.3/32 10.11.0.
ip msdp peer 192.168.0.1 connect-source Loopback 0 ! ip route 192.168.0.2/32 10.11.0.23 ip multicast-routing ! interface TenGigabitEthernet 0/21 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface TenGigabitEthernet 0/22 ip address 10.10.42.1/24 no shutdown ! interface TenGigabitEthernet 0/31 ip pim sparse-mode ip address 10.11.6.43/24 no shutdown ! interface Loopback 0 ip address 192.168.0.4/32 no shutdown ! router ospf 1 network 10.11.5.0/24 area 0 network 10.11.6.0/24 area 0 network 192.
33 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview In contrast, PVST+ allows a spanning tree instance for each VLAN.
Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 45. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
• Flush MAC Addresses after a Topology Change • Debugging and Verifying MSTP Configurations • Prevent Network Disruptions with BPDU Guard • Enabling SNMP Traps for Root Elections and Topology Changes Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0.
Creating Multiple Spanning Tree Instances To create multiple spanning tree instances, use the following command. A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP, create multiple MSTIs and map VLANs to them. • Create an MSTI. PROTOCOL MSTP mode msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI. Examples of Creating and Viewing MSTP Instances The following example shows using the msti command.
Designated port id is 128.374, designated path cost 20000 Number of transitions to forwarding state 1 BPDU (MRecords): sent 93671, received 46843 The port is not in the Edge port mode Port 384 (TengigabitEthernet 1/31) is alternate Discarding Port path cost 20000, Port priority 128, Port Identifier 128.384 Designated root has priority 32768, address 0001.e806.953e Designated bridge has priority 32768, address 0001.e809.c24a Designated port id is 128.
Interoperate with Non-Dell Bridges The Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities: • Name is a mnemonic string you assign to the region. The default region name is null. • Revision is a 2-byte number. The default revision number is 0. • VLAN-to-instance mapping is the placement of a VLAN in an MSTI. For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly.
Modifying Global Parameters The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges. • • • • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. Hello-time — the time interval in which the bridge sends MSTP bridge protocol data units (BPDUs).
The default is 20. Example of the forward-delay Parameter To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
For the default, refer to the default values shown in the table.. 2. Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16. The default is 128. To view the current values for these interface parameters, use the show config command from INTERFACE mode. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
* Disabling global spanning tree (using the no spanning-tree command in CONFIGURATION mode). Example of Enabling an EdgePort on an Interface To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
Figure 88. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 ! (Step 2) interface TenGigabitEthernet 3/11 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/21 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown Example Running-Configuration This example
(Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode • debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
– Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others. The following example shows viewing an MSTP configuration. Dell#show run spanning-tree mstp ! protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 The following example shows viewing the debug log (a successful MSTP configuration).
INST 2: Flags: 0x70, Reg Root: 32768:0001.e8d5.
Multicast Features 34 The Dell Networking OS supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Enabling IP Multicast Before enabling any multicast protocols, you must enable IP multicast routing. • Enable multicast routing.
Protocol Ethernet Address VRRP 01:00:5e:00:00:12 PIM-SM 01:00:5e:00:00:0d • The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fennertraceroute-ipm. • Multicast is not supported on secondary IP addresses. • Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing. First Packet Forwarding for Lossless Multicast All initial multicast packets are forwarded to receivers to achieve lossless multicast.
Limiting the Number of Multicast Routes When the total number of multicast routes on a system limit is reached, the Dell Networking OS does not process any IGMP or multicast listener discovery protocol (MLD) joins to PIM — though it still processes leave messages — until the number of entries decreases below 95% of the limit. When the limit falls below 95% after hitting the maximum, the system begins relearning route entries through IGMP, MLD, and MSDP.
Dell Networking OS Behavior: Do not enter the ip igmp access-group command before creating the access-list. If you do, after entering your first deny rule, the system clears multicast routing table and relearns all groups, even those not covered by the rules in the access-list, because there is an implicit deny all rule at the end of all access-lists. Therefore, configuring an IGMP join request filter in this order might result in data loss.
Figure 89. Preventing a Host from Joining a Group Table 47. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Rate Limiting IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting that rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built-in to IGMP so that they’re membership is delayed rather than permanently denied. • Limit the rate at which new groups can be joined.
Figure 90. Preventing a Source from Transmitting to a Group Table 48. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Open Shortest Path First (OSPFv2 and OSPFv3) 35 This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) on the Z9500. NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF.
Areas allow you to further organize your routers within in the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 91. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.
In the previous example, Routers A, B, C, G, H, and I are the Backbone. • A stub area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. NOTE: Configure all routers within an assigned stub area as stubby, and not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. A virtual link cannot traverse stubby areas.
Figure 92. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.
Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
• Type 1: Router LSA — The router lists links to other routers or networks in the same area. Type 1 LSAs are flooded across their own area only. The link-state ID of the Type 1 LSA is the originating router ID. • Type 2: Network LSA — The DR in an area lists which routers are joined within the area. Type 2 LSAs are flooded across their own area only. The link-state ID of the Type 2 LSA is the IP interface address of the DR.
When you configure the LSA throttle timers, syslog messages appear, indicating the interval times, as shown below for the transmit timer (45000ms) and arrival timer (1000ms). Mar 15 09:46:00: %STKUNIT0-M:CP %OSPF-4-LSA_BACKOFF: OSPF Process 10,Router lsa id 2.2.2.2 router-id 2.2.2.2 is backed off to transmit after 45000ms Mar 15 09:46:06: %STKUNIT0-M:CP %OSPF-4-LSA_BACKOFF: OSPF Process 10,Router lsa id 3.3.3.3 rtrid 3.3.3.
OSPF Implementation The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Multiple OSPF processes (OSPF MP) are supported on OSPFv2 only; up to 32 simultaneous processes are supported. On OSPFv3, the system supports only one process at a time for all platforms. OSPFv2 and OSPFv3 can coexist on a switch, but you must configure them individually.
Each OSPFv2 process is independent. If one process loses adjacency, the other processes continue to function. Processing SNMP and Sending SNMP Traps Though there are may be several OSPFv2 processes, only one process can process simple network management protocol (SNMP) requests and send SNMP traps. The mib-binding command identifies one of the OSPVFv2 processes as the process responsible for SNMP management.
LSType:Type-5 AS External(5) Age:1 Seq:0x8000000c id:170.1.2.0 Adv:6.1.0.0 Netmask:255.255.255.0 fwd:0.0.0.0 E2, tos:0 metric:0 To confirm that you enabled RFC-2328–compliant OSPF flooding, use the show ip ospf command. Dell#show ip ospf Routing Process ospf 1 with ID 2.2.2.
Hello due in 00:00:04 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 1.1.1.1 (Backup Designated Router) Dell(conf-if-te-2/2)# Configuration Information The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
Example Dell# Dell#conf Dell(conf)#router ospf 1 Dell(conf-router_ospf-1)#timer spf 2 5 Dell(conf-router_ospf-1)# Dell(conf-router_ospf-1)#show config ! router ospf 1 timers spf 2 5 Dell(conf-router_ospf-1)# Dell(conf-router_ospf-1)#end Dell# For a complete list of the OSPF commands, refer to the OSPF section in the Dell Networking OS Command Line Reference Guide document. Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback).
If you try to enter an OSPF process ID, or if you try to enable more OSPF processes than available Layer 3 interfaces, prior to assigning an IP address to an interface and setting the no shutdown command, the following message displays: Dell(conf)#router ospf 1 % Error: No router ID available. Assigning a Router ID In CONFIGURATION ROUTER OSPF mode, assign the router ID. The router ID is not required to be the router’s IP address.
When configuring the network command, configure a network address and mask that is a superset of the IP subnet configured on the Layer-3 interface for OSPFv2 to use. You can assign the area in the following step by a number or with an IP interface address. • Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area. CONFIG-ROUTER-OSPF-id mode network ip-address mask area area-id The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.
Example of Viewing Active Interfaces and Assigned Areas Dell>show ip ospf 1 interface TengigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
EXEC Privilege mode show ip ospf process-id [vrf] database database-summary 2. Enter CONFIGURATION mode. EXEC Privilege mode configure 3. Enter ROUTER OSPF mode. CONFIGURATION mode router ospf process-id [vrf] Process ID is the ID assigned when configuring OSPFv2 globally. 4. Configure the area as a stub area. CONFIG-ROUTER-OSPF-id mode area area-id stub [no-summary] Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs.
amount of time the system waits before sending the LSA, use the keywords max-interval. The interval range is 0 to 600,000 milliseconds. 2. Specify the interval for LSA acceptance. CONFIG-ROUTER-OSPF-id mode. timers throttle lsa all arrival-time Enabling Passive Interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface.
Hello due in 13:39:46 Neighbor Count is 0, Adjacent neighbor count is 0 TengigabitEthernet 0/1 is up, line protocol is down Internet Address 10.1.3.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 10.1.3.100 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Convergence Level 2 Min LSA origination 0 secs, Min LSA arrival 0 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 Dell# To disable fast-convergence, use the no fast-converge command. Dell#(conf-router_ospf-1)#no fast-converge Dell#(conf-router_ospf-1)#ex Dell#(conf)#ex Dell##show ip ospf 1 Routing Process ospf 1 with ID 192.168.67.
ip ospf message-digest-key keyid md5 key – keyid: the range is from 1 to 255. – Key: a character string. NOTE: Be sure to write down or otherwise record the key. You cannot learn the key after it is configured. You must be careful when changing this key. • NOTE: You can configure a maximum of six digest keys on an interface. Of the available six digest keys, the switches select the MD5 key that is common. The remaining MD5 keys are unused.
Internet Address 10.1.2.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 45 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 10.1.2.100 Backup Designated Router (ID) 10.1.2.100, Interface address 0.0.0.
area area-id virtual-link router-id [hello-interval seconds | retransmitinterval seconds | transmit-delay seconds | dead-interval seconds | authentication-key key | message-digest-key keyid md5 key] – area ID: assigned earlier (the range is from 0 to 65535 or A.B.C.D). – router ID: IP address associated with the virtual link neighbor. – hello interval seconds: the range is from 1 to 8192 (the default is 10). – retransmit interval seconds: the range is from 1 to 3600 (the default is 5).
– ge min-prefix-length: is the minimum prefix length to match (from 0 to 32). – le max-prefix-length: is the maximum prefix length to match (from 0 to 32). For configuration information about prefix lists, refer to Access Control Lists (ACLs). Applying Prefix Lists To apply prefix lists to incoming or outgoing OSPF routes, use the following commands. • Apply a configured prefix list to incoming OSPF routes.
Troubleshooting OSPFv2 Use the information in this section to troubleshoot OSPFv2 operation on the switch. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process. NOTE: The following tasks are not a comprehensive; they provide some examples of typical troubleshooting checks.
To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords: – event: view OSPF event messages. – packet: view OSPF packet information. – spf: view SPF information. – database-timers rate-limit: view the LSAs currently in the queue.
Figure 94. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Te 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface TengigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface TengigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface TengigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface TengigabitEthernet 2/2 ip address 10.2.22.2/24 no shutdown Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
Example Dell#conf Dell(conf)#ipv6 router ospf 1 Dell(conf-ipv6-router_ospf)#timer spf 2 5 Dell(conf-ipv6-router_ospf)# Dell(conf-ipv6-router_ospf)#show config ! ipv6 router ospf 1 timers spf 2 5 Dell(conf-ipv6-router_ospf)# Dell(conf-ipv6-router_ospf)#end Dell# Enabling IPv6 Unicast Routing To enable IPv6 unicast routing, use the following command. • Enable IPv6 unicast routing globally.
ipv6 ospf process-id area area-id – process-id: the process ID number assigned. – area-id: the area ID for this interface. Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. • Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} • The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address.
Configuring Passive-Interface To suppress the interface’s participation on an OSPFv3 interface, use the following command. This command stops the router from sending updates on that interface. • Specify whether some or all some of the interfaces are passive. CONF-IPV6-ROUTER-OSPF mode passive-interface {type slot/port} Interface: identifies the specific interface that is passive.
• Specify the information for the default route. CONF-IPV6-ROUTER-OSPF mode default-information originate [always [metric metric-value] [metric-type type-value]] [route-map map-name] Configure the following required and optional parameters: – always: indicate that default route information is always advertised. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
between the two mechanisms is the extent of the coverage. ESP only protects IP header fields if they are encapsulated by ESP. You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent.
– Configuring IPsec Authentication on an Interface – Configuring IPsec Encryption on an Interface – Configuring IPsec Authentication for an OSPFv3 Area – Configuring IPsec Encryption for an OSPFv3 Area – Displaying OSPFv3 IPsec Security Policies Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands.
NOTE: When you configure encryption using the ipv6 ospf encryption ipsec command, you enable both IPsec encryption and authentication. However, when you enable authentication on an interface using the ipv6 ospf authentication ipsec command, you do not enable encryption at the same time. The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
The security policy index (SPI) value must be unique to one IPSec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each interface in an OPSFv3 link. If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration.
• Enable IPsec encryption for OSPFv3 packets in an area. CONF-IPV6-ROUTER-OSPF mode area area-id encryption ipsec spi number esp encryption-algorithm [keyencryption-type] key authentication-algorithm [key-authentication-type] key – area area-id: specifies the area for which OSPFv3 traffic is to be encrypted. For area-id, enter a number or an IPv6 prefix. – spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295.
– – – – For a 10-Gigabit Ethernet interface, enter TenGigabitEthernet slot/port. For a Port Channel interface, enter port-channel number. For a 40-Gigabit Ethernet interface, enter FortyGigabitEthernet slot/port. For a VLAN interface, enter vlan vlan-id. The valid VLAN IDs are from 1 to 4094. Examples of the show crypto ipsec Commands In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold).
in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE inbound esp sas outbound esp sas Interface: TenGigabitEthernet 0/1 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection suppor
• show ipv6 neighbors • show ipv6 routes Viewing Summary Information To get general route, configuration, links status, and debug information, use the following commands. • View the summary information of the IPv6 routes. EXEC Privilege mode • show ipv6 route summary View the summary information for the OSPFv3 database. EXEC Privilege mode • show ipv6 ospf database View the configuration of OSPFv3 neighbors.
Pay As You Grow 36 The Pay As You Grow (PAYG) software feature allows you to purchase a Z9500 switch with 36 40G ports (144 10G ports) and upgrade to a larger number of ports as your networking needs grow. A Z9500 switch with a 36 40G-port license has only the ports on line card 0 enabled. See the Port Numbering figure in this section for exact port location.
time. For more information about Z9500 licensing, contact your local Dell Networking support team or the Dell Networking Technical Assistance Center. To install a license on a Z9500 switch: 1. Check the currently installed port license. show license EXEC Privilege mode In the command output, System Service Tag displays the service tag of the switch on which you enter the command. License Service Tag displays the service tag read from the license file.
Enter Yes at the prompt to continue the installation; for example: Dell# install license tftp://10.11.8.12/132.lic ! 3594 bytes successfully copied Retrieving license ....... (OK) LICENSE INFORMATION Vendor : Dell Product : Dell Force10 Z9500 System Service Tag : RtHvKsJ License Service Tag : RTHVKSJ Feature : HW-Port-License 132 Ports Retrieving license data ....... (OK) Validating license ....... (OK) Validating Service Tag in license ....... (OK) Note: You must reload the chassis to activate the license.
unmounting /usr/pkg (/dev/wd0i)... unmounting /boot (/dev/wd0b)... unmounting /usr (mfs:30)... unmounting /force10 (mfs:25)... unmounting /lib (mfs:22)... unmounting /f10 (mfs:19)... unmounting /tmp (mfs:12)... unmounting /kern (kernfs)... unmounting / (/dev/md0a)... done rebooting... Displaying License Information To check the status of an installed Z9500 license and display the number of usable ports, enter the show license command. • Display the current Z9500 port license.
2 Linecard unlicensed Z9500LC48 Z9500LC48 9-5 - -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) Power Usage (W) ----------------------------------------------------------------------------0 0 up AC up 23008 217.8 0 1 up AC up 22912 189.5 0 2 up AC up 23008 184.8 0 3 up AC up 22912 192.
PIM Sparse-Mode (PIM-SM) 37 Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIMDense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information The following information is necessary for implementing PIM-SM.
1. After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group. The interface on which the join message was received becomes the outgoing interface associated with the (*,G) entry. 2. The last-hop DR sends a PIM Join message to the RP.
tree switchover latency by copying and forwarding the first (S,G) packet received on the SPT to the PIM task immediately upon arrival. The arrival of the (S,G) packet confirms for PIM that the SPT is created, and that it can prune itself from the shared tree. Important Point to Remember If you use a Loopback interface with a /32 mask as the RP, you must enable PIM Sparse-mode on the interface. Configuring PIM-SM Configuring PIM-SM is a three-step process. 1.
Examples of Viewing PIM-SM Information To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode. Dell#show ip pim interface Address Interface VIFindex Ver/ Mode 189.87.5.6 Te 0/11 0x2 v2/S 189.87.3.2 Te 0/12 0x3 v2/S 189.87.31.6 Te 1/11 0x0 v2/S 189.87.50.6 Te 1/13 0x4 v2/S Dell# Nbr Count 1 1 0 1 Query Intvl 30 30 30 30 DR DR Prio 1 127.87.5.6 1 127.87.3.5 1 127.87.31.6 1 127.87.50.
When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes. To configure a global expiry time or to configure the expiry time for a particular (S,G) entry, use the following commands. 1. Enable global expiry timer for S, G entries. CONFIGURATION mode ip pim sparse-mode sg-expiry-timer seconds The range is from 211 to 86,400 seconds. The default is 210. 2. Create an extended ACL. CONFIGURATION mode ip access-list extended access-list-name 3.
To display the expiry time configuration, use the show running-configuration [acl | pim] command from EXEC Privilege mode. Configuring a Static Rendezvous Point The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root a group-specific tree; every group must have an RP. • Identify an RP by the IP address of a PIM-enabled or Loopback interface. ip pim rp-address Example of Viewing an RP on a Loopback Interface Dell#sh run int loop0 ! interface Loopback 0 ip address 1.1.1.
Configuring a Designated Router Multiple PIM-SM routers might be connected to a single local area network (LAN) segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the designated router (DR). The DR is elected using hello messages. Each PIM router learns about its neighbors by periodically sending a hello message out of each PIM-enabled interface. Hello messages contain the IP address of the interface out of which it is sent and a DR priority value.
– (option) restart-time: the time the Dell Networking system requires to restart. The default value is 180 seconds. – (option) stale-entry-time: the maximum amount of time that the Dell Networking system preserves entries from a restarting neighbor. The default value is 60 seconds. – (option) helper-only: this mode takes precedence over any graceful restart configuration.
PIM Source-Specific Mode (PIM-SSM) 38 PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SMM Configuring PIM-SSM is a two-step process. 1. Configure PIM-SMM. 2. Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created.
• When an SSM map is in place and the system cannot find any matching access lists for a group, it continues to create (*,G) entries because there is an implicit deny for unspecified groups in the ACL. • When you remove the mapping configuration, the system removes the corresponding (S,G) states that it created and re-establishes the original (*,G) states. • You may enter multiple ssm-map commands for different access lists.
Source address 10.11.5.2 00:00:01 Uptime Expires Never Interface Vlan 400 Group 239.0.0.1 Uptime 00:00:05 Expires Never Router mode INCLUDE Last reporter 10.11.4.2 Last reporter mode INCLUDE Last report received ALLOW Group source list Source address Uptime Expires 10.11.5.
Policy-based Routing (PBR) 39 Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
a tunnel interface user needs to provide tunnel id mandatory. Instead if user provides the tunnel destination IP as next hop, that would be treated as IPv4 next hop and not tunnel next hop. PBR with Multiple Tacking Option: Policy based routing with multiple tracking option extends and introduces the capabilities of object tracking to verify the next hop IP address before forwarding the traffic to the next hop. The verification method is made transparent to the user.
• Create a Track-id list. For complete tracking information, refer to Object Tracking chapter. • Apply a Redirect-list to an Interface using a Redirect-group. Create a Redirect List Use the following command in CONFIGURATION mode: Command Syntax Command Mode ip redirect-list redirect-list- CONFIGURATION name Purpose Create a redirect list by entering the list name. Format: 16 characters Delete the redirect list with the no ip redirect-list command.
source ip-address or any or host ip-address is the Source’s IP address FORMAT: A.B.C.D/NN, or ANY or HOST IP address destination ip-address or any or host ip-address is the Destination’s IP address FORMAT: A.B.C.D/NN, or ANY or HOST IP address Delete a rule with the no redirect command.
Multiple rules can be applied to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in a redirect-list displays the correct method for applying multiple rules to one list.
Apply a Redirect-list to an Interface using a Redirect-group IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces. NOTE: When you apply a redirect-list on a port-channel, when traffic is redirected to the next hop and the destination port-channel is shut down, the traffic is dropped. However, on the S-Series, the traffic redirected to the destination port-channel is sometimes switched.
Command Syntax Command Mode Purpose show ip redirect-list redirect-list-name EXEC View the redirect list configuration and the associated interfaces. show cam pbr View the redirect list entries programmed in the CAM. EXEC show cam-usage List the redirect list configuration using the show ip redirect-list redirect-list-name command. The noncontiguous mask is displayed in dotted format (x.x.x.x). The contiguous mask is displayed in /x format.
Showing CAM PBR Configuration Example : Dell#show cam pbr linecard 1 port-set 0 TCP Flag: Bit 5 - URG, Bit 4 - ACK, Bit 3 - PSH, Bit 2 - RST, Bit 1 - SYN, Bit 0 - FIN Cam Port VlanID Proto Tcp Src Dst SrcIp DstIp Next-hop Egress Index Flag Port Port MAC Port ---------------------------------------------------------------------------------------------------------------06080 0 N/A IP 0x0 0 0 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199 N/A NA 06081 0 N/A TCP 0x10 0 40 234.234.234.234 255.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23) seq 10 redirect 10.99.99.254 ip 192.168.2.
40 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques: • • • Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
------ -----1 Te 0/0 2 Te 0/0 3 Te 0/0 4 Te 0/0 5 Te 0/0 Dell(conf-mon-sess-5)# ----------Te 0/1 Te 0/2 Te 0/3 Te 0/4 Te 0/5 Dell# show monitor session SessionID Source Destination --------- ------ ----------0 Te 0/13 Te 0/1 10 Te 0/14 Te 0/2 20 Te 0/15 Te 0/3 30 Te 0/16 Te 0/37 Direction --------rx rx rx rx --both both both both both Mode ---interface interface interface interface ---Port Port Port Port Port --------N/A N/A N/A N/A N/A -------N/A N/A N/A N/A N/A Type ---Port-based Port-based Port-
Configuring Port Monitoring To configure port monitoring, use the following commands. 1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example. EXEC Privilege mode show interface 2. Create a monitoring session, as shown in the following example. CONFIGURATION mode monitor session 3. Specify the source and destination port and direction of traffic, as shown in the following example.
Figure 96. Port Monitoring Example Configuring Monitor Multicast Queue To configure monitor QoS multicast queue ID, use the following commands. 1. Configure monitor QoS multicast queue ID. CONFIGURATION mode monitor multicast-queue queue-id Dell(conf)#monitor multicast-queue 7 2. Verify information about monitor configurations.
Remote Port Mirroring While local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router, remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The member port of the reserved VLAN should have MTU and IPMTU value as MAX+4 (to hold the VLAN tag parameter). • To associate with a source session, the reserved VLAN can have a maximum of 4 member ports. • To associate with a destination session, the reserved VLAN can have multiple member ports. • The reserved VLAN cannot have untagged ports. In the reserved L2 VLAN used for remote port mirroring: • MAC address learning in the reserved VLAN is automatically disabled.
• A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port. • A destination port cannot be used in any spanning tree instance. • The reserved VLAN used to transport mirrored traffic must be a L2 VLAN. L3 VLANs are not supported.
Step Command Description 1 configure terminal Enter global configuration mode. 2 monitor session id type rpm Specify a unique session ID number and RPM as the session type, and enter Monitoring-Session configuration mode. 3 source {interface | range} Enter a source port or a range of source port destination interface direction {rx | interfaces to be monitored. Enter the destination port tx | both} interface. Specify ingress (rx), egress (tx), or both ingress and egress traffic to be monitored.
Dell(conf-if-po-10)#no shutdown Dell(conf-if-po-10)#exit Dell(conf)#monitor session 3 type rpm Dell(conf-mon-sess-3)#source port-channel 10 dest remote-vlan 30 dir both Dell(conf-mon-sess-3)#no disable Dell(conf-mon-sess-3)#exit Dell(conf)#end Dell# Dell#show monitor session SessID Source Destination ------ ---------------1 Te 0/5 remote-vlan 10 2 Vl 100 remote-vlan 20 3 Po 10 remote-vlan 30 Dell# Dir --rx rx both Mode ---Port Port Port Source IP --------N/A N/A N/A Dest IP -------N/A N/A N/A Dell(conf
------ -----1 remote-vlan 10 2 remote-vlan 20 3 remote-vlan 30 Dell# ----------Te 0/3 Te 0/4 Te 0/5 --N/A N/A N/A ---N/A N/A N/A --------N/A N/A N/A -------N/A N/A N/A Configuring RPM Source Sessions to Avoid BPD Issues When you configure an RPM source session, you can avoid BPDU issues by using the configuration: 1. Enable the MAC control-plane egress ACL. 2.
Encapsulated Remote-Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. Important: When configuring ERPM, follow these guidelines: • The Dell Networking OS supports ERPM source sessions only. Encapsulated packets terminate at the destination IP address or at the analyzer.
5 erpm source-ip-address dest-ipaddress Specify the source IP address and the destination IP address to which encapsulated mirrored traffic is sent. 6 flow-based enable Specify ERPM to be performed on a flowby-flow basis or if you configure a VLAN source interface. Enter no flow-based disable to disable flow-based ERPM. 7 no disable Enter the no disable command to activate the ERPM session. The following example shows a sample ERPM configuration.
Private VLANs (PVLAN) 41 Private VLANs (PVLANs) extend Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
– A switch can have one or more primary VLANs, and it can have none. – A primary VLAN has one or more secondary VLANs. – A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• [no] private-vlan mode {community | isolated | primary} Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode • [no] private-vlan mapping secondary-vlan vlan-list Display type and status of PVLAN interfaces. EXEC mode or EXEC Privilege mode • show interfaces private-vlan [interface interface] Display PVLANs and/or interfaces that are part of a PVLAN.
no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} • • • host (isolated or community VLAN port) promiscuous (intra-VLAN communication port) trunk (inter-switch PVLAN hub port) Example of the switchport mode private-vlan Command For interface details, refer to Enabling a Physical Interface in the Interfaces chapter.
3. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list 5. The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-IDVLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list.
3. Set the PVLAN mode of the selected VLAN to community. INTERFACE VLAN mode private-vlan mode community 4. Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/ port,port,port) or hyphenated (slot/ port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN.
Dell(conf)# interface vlan 101 Dell(conf-vlan-101)# private-vlan mode community Dell(conf-vlan-101)# untagged Te 2/10 Dell(conf)# interface vlan 100 Dell(conf-vlan-100)# private-vlan mode isolated Dell(conf-vlan-100)# untagged Te 2/2 Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 97.
• The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports. • The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports. • The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] This command is specific to the PVLAN feature. • The following examples show the results of using this command without the command options in the topology diagram previously shown. Display the primary-secondary VLAN mapping. The following example shows the output from the S50V. show vlan private-vlan mapping This command is specific to the PVLAN feature.
The following example shows viewing a private VLAN configuration.
Per-VLAN Spanning Tree Plus (PVST+) 42 Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 98.
Table 49. Spanning Tree Versions Supported Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
protocol spanning-tree pvst 2. Enable PVST+. PROTOCOL PVST mode no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode • disable Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 99. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TengigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.
• Change the max-age parameter. PROTOCOL PVST mode vlan max-age The range is from 6 to 40. The default is 20 seconds. The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command. Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type.
spanning-tree pvst vlan priority. The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
PVST+ in Multi-Vendor Networks Some non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D BPDU and an untagged PVST+ BPDU. Dell Networking systems do not expect PVST+ BPDU (tagged or untagged) on an untagged port. If this situation occurs, the system places the port in an Error-Disable state. This behavior might result in the network not converging.
extend system-id Example of Viewing the Extend System ID in a PVST+ Configuration Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! interface Vlan 300 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface TengigabitEthernet 3/12 no ip address switchport no shutdown ! interface TengigabitEthernet 3/22 no ip address swi
Quality of Service (QoS) 43 This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 101. Dell Networking QoS Architecture Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
• RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers • RFC 2475, An Architecture for Differentiated Services • RFC 2597, Assured Forwarding PHB Group • RFC 2598, An Expedited Forwarding PHB You cannot configure port-based and policy-based QoS on the same interface. Port-Based QoS Configurations You can configure the following QoS features on an interface.
Dell(conf-if)#end Dell# Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Example of Configuring and Viewing Rate Policing The following example shows configuring rate policing. Dell#config t Dell(conf)#interface tengigabitethernet 1/2 Dell(conf-if)#rate police 100 40 peak 150 50 Dell(conf-if)#end Dell# The following example shows viewing the rate policing status.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 102. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value, IP precedence, VLANs, or characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using layer 3 class-maps. You can specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map. NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
The following example matches IPv6 traffic with a DSCP value of 40. Dell(conf)# class-map match-all test Dell(conf-class-map)# match ipv6 dscp 40 The following example matches IPv4 and IPv6 traffic with a precedence value of 3. Dell(conf)# class-map match-any test1 Dell(conf-class-map)#match ip-any precedence 3 Creating a Layer 2 Class Map All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command.
CONFIGURATION mode Dell(conf)# interface fo 0/0 INTERFACE mode Dell(conf-if-fo-0/0)# ip address 90.1.1.1/16 2. Configure a Layer 2 QoS policy with Layer 2 (Dot1p or source MAC-based) match criteria. CONFIGURATION mode Dell(conf)# policy-map-input l2p layer2 3. Apply the Layer 2 policy on a Layer 3 interface.
QOS-POLICY-IN mode Dell(conf-qos-policy-in)#set ip-dscp 5 6. Create an input policy map. CONFIGURATION mode Dell(conf)#policy-map-input pp_policmap 7. Create a service queue to associate the class map and QoS policy map.
policy-map-input PolicyMapIn service-queue 1 class-map ClassAF1 qos-policy QosPolicyIn-1 service-queue 2 class-map ClassAF2 qos-policy QosPolicyIn-2 Dell#show running-config class-map ! class-map match-any ClassAF1 match ip access-group AF1-FB1 set-ip-dscp 10 match ip access-group AF1-FB2 set-ip-dscp 12 match ip dscp 10 set-ip-dscp 14 match ipv6 dscp 20 set-ip-dscp 14 ! class-map match-all ClassAF2 match ip access-group AF2 match ip dscp 18 Dell#show running-config ACL ! ip access-list extended AF1-FB1 seq
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. • Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Setting a DSCP Value for Egress Packets In an input QoS policy, you can set a DSCP value for egress packets based on ingress QoS classification. The 6–bits that are used for DSCP are also used to identify the queue in which traffic is buffered. When you set a DSCP value, Dell Networking OS displays an informational message advising you of the queue to which you should apply the QoS policy (using the service-queue from POLICY-MAP-IN mode).
Strict-Priority Queuing You can configure strict-priority queueing in an output QoS policy. Strict-priority means that the system de-queues all packets from the assigned queue before servicing any other queues. Strict-priority queueing is performed using the Scheduler Strict feature. When scheduler strict is applied to multiple queues, the higher queue number takes precedence. For more information, see Enabling Strict-Priority Queueing.
Queue Default Bandwidth Percentage for Default Bandwidth Percentage for 4–Queue System 8–Queue System 2 26.67% 3% 3 53.33% 4% 4 — 5% 5 — 10% 6 — 25% 7 — 50% When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell Networking recommends evaluating your bandwidth requirements for all other queues as well. • Allocate bandwidth to queues.
Guaranteeing Bandwidth to dot1p-Based Service Queues Honoring dot1p Values on Ingress Packets 3. Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command.
Honoring dot1p Values on Ingress Packets In an input QoS policy, you can configure the system to honor dot1p values on ingress packets using the Trust dot1p feature. The following table specifies the queue to which the classified traffic is sent based on the dot1p value. Table 54. Default dot1p to Queue Mapping dot1p Queue ID 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 The dot1p value is also honored for frames on the default VLAN.
service-class bandwidth-percentage Applying an Input Policy Map to an Interface To apply an input policy map to an interface, use the following command. You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. • You cannot apply a class-map and QoS policies to the same interface. • You cannot apply an input Layer 2 QoS policy on an interface you also configure with vlan-stack access.
POLICY-MAP-OUT mode policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command. • Apply an input policy map to an interface. INTERFACE mode service-policy output You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
• If you configured a DSCP color map on an interface that does not exist or you delete a DSCP color map that is configured on an interface, that interface uses an all green color policy. To create a DSCP color map: 1. Create the color-aware map QoS DSCP color map. CONFIGURATION mode qos dscp-color-map color-map-name 2. Create the color aware map profile. DSCP-COLOR-MAP dscp {yellow | red} {list-dscp-values} 3. Apply the map profile to the interface.
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscpcolor-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
• • Cyclic redundancy check (CRC): 4 bytes Inter-frame gap (IFG): (variable) You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment. QoS rate adjustment is disabled by default, and no qos-rate-adjust is listed in the runningconfiguration • Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations.
Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others. In this case, the space on the buffer and traffic manager (BTM) (ingress or egress) can be consumed by only one or a few types of traffic, leaving no space for other types. You can apply a WRED profile to a policy-map so that specified traffic can be prevented from consuming too much of the BTM resources. WRED uses a profile to specify minimum and maximum threshold values.
Creating WRED Profiles To create WRED profiles, use the following commands. 1. Create a WRED profile. CONFIGURATION mode wred 2. Specify the minimum and maximum threshold values. WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify on which traffic the system applies the profile.
Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. • Display the number of packets that the WRED profile drops.
Explicit Congestion Notification Explicit Congestion Notification (ECN) enhances and extends WRED functionality by marking packets for later transmission instead of dropping them when a threshold value is exceeded. Use ECN for WRED to reduce the packet transmission rate in a congested, heavily-loaded network. While WRED drops packets to indicate congestion, ECN marks packets instead of dropping them when the average queue length exceeds the threshold value.
• • match ip precedence match ip vlan By default, all packets are marked for green handling if the rate-police and trust-diffserv commands are not used in an ingress policy map. All packets marked for red handling or “violate” are dropped. In the class map, in addition to color-marking matching packets for yellow handling, you can also configure a DSCP value for matching packets.
ip access-list standard dscp_40 seq 5 permit any dscp 40 ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 se
Using A Configurable Weight for WRED and ECN The Z9500 switch supports a user-configurable weight that determines the average queue size used in WRED and Explicit Congestion Notification (ECN) operation on front-end I/O and backplane interfaces. By default, the switch uses a weight factor of 0 (instantaneous ECN marking), which results in packet dropping during times of network congestion based on the configured minimum and maximum WRED thresholds.
sampling performed. You can specify a weight value for front-end and backplane ports separately. The range of weight values is from 0 to 15. You can enable WRED with ECN capabilities per queue to fine-tune packet transmission. You can disable WRED with ECN per queue while configuring the minimum and maximum buffer thresholds for each WRED color-coded profile. You can configure the maximum drop-rate percentage for yellow and green profiles.
Queue Configuration Enabled Service-Pool Configuration Disabled Disabled N/A Enabled N/A WRED Threshold Relationship Q threshold = Q-T Service-pool threshold = SP-T Expected Functionality N/A Queue-based WRED; Q-T < SP-T No ECN marking SP-T < Q-T Service-pool-based WRED; No ECN marking Enabled Enabled Disabled N/A N/A Enabled Q-T < SP-T N/A SP-T < Q-T Queue-based ECN marking above queue threshold.
Dell(conf)#service-class wred green queue5 thresh-1 queue7 thresh-2 backplane Dell(conf)#service-class wred yellow queue1 thresh-2 queue3 thresh-1 backplane Dell(conf)#service-class wred weight queue0 11 queue6 4 queue7 9 backplane 4. Create a global buffer pool that serves as a shared buffer accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. The Z9500 supports four global servicepools in the egress direction.
• The number of interfaces in a port-pipe to which the policy-map can be applied. Specifically: • Available CAM — the available number of CAM entries in the specified CAM partition for the specified line-card port pipe. • Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface. • Status — indicates whether the specified policy-map can be completely applied to an interface in the port-pipe.
used Min cells, shared cells, and headroom cells for each priority group. The table returns a value of 0 if the allocation mode is static and a value of 1 if the allocation mode is dynamic. This table is indexed by linecard number, port number and priority-group number. Enabling Buffer Statistics Tracking You can enable the tracking of statistical values of buffer spaces at a global level.
UCAST UCAST UCAST UCAST MCAST MCAST MCAST MCAST MCAST MCAST MCAST MCAST MCAST 784 8 9 10 11 0 1 2 3 4 5 6 7 8 0 0 0 0 0 0 0 0 0 0 0 0 0 Quality of Service (QoS)
Routing Information Protocol (RIP) 44 The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2). These versions are documented in RFCs 1058 and 2453.
RIPv2 RIPv2 adds support for subnet fields in the RIP routing updates, thus qualifying it as a classless routing protocol. The RIPv2 message format includes entries for route tags, subnet masks, and next hop addresses. Another enhancement included in RIPv2 is multicasting for route updates on IP multicast address 224.0.0.9.
• • • • • • • Controlling RIP Routing Updates (optional) Setting Send and Receive Version (optional) Generating a Default Route (optional) Controlling Route Metrics (optional) Summarize Routes (optional) Controlling Route Metrics Debugging RIP For a complete listing of all commands related to RIP, refer to the Dell Networking OS Command Reference Interface Guide. Enabling RIP Globally By default, RIP is disabled on the switch. To enable RIP globally, use the following commands. 1.
8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 8.0.0.0/8 auto-summary 12.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 12.0.0.0/8 auto-summary 20.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 20.0.0.0/8 auto-summary 29.10.10.0/24 directly connected,Fa 0/0 29.0.0.0/8 auto-summary 31.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 31.0.0.0/8 auto-summary 192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 192.162.2.0/24 auto-summary 192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 192.161.1.
Assigning a Prefix List to RIP Routes Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes. Those routes must meet the conditions of the prefix list; if not, the system drops the route. Prefix lists are globally applied on all interfaces running RIP. Configure the prefix list in PREFIX LIST mode prior to assigning it to the RIP process.
Setting the Send and Receive Version To change the RIP version globally or on an interface, use the following command. To specify the RIP version, use the version command in ROUTER RIP mode. To set an interface to receive only one or the other version, use the ip rip send version or the ip rip receive version commands in INTERFACE mode. You can set one RIP version globally on the system using system.
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. Dell(conf-if)#ip rip send version 1 2 Dell(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out on the interface.
Summarize Routes Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the autosummary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary. If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised.
– interface: the type, slot, and number of an interface. To view the configuration changes, use the show config command in ROUTER RIP mode. Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command. • debug ip rip [interface | database | events | trigger] EXEC privilege mode Enable debugging of RIP.
RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Example of Configuring RIPv2 on Core 2 Core2(conf-if-te-2/31)# Core2(conf-if-te-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------C 10.11.10.0/24 Direct, Te 2/11 C 10.11.20.0/24 Direct, Te 2/31 R 10.11.30.0/24 via 10.11.20.1, Te 2/31 C 10.200.10.0/24 Direct, Te 2/41 C 10.300.10.0/24 Direct, Te 2/42 R 192.168.1.0/24 via 10.11.20.1, Te 2/31 R 192.168.2.0/24 via 10.11.20.1, Te 2/31 Core2# R 192.168.1.0/24 via 10.11.20.1, Te 2/31 R 192.168.2.0/24 via 10.11.20.
network 10.0.0.0 network 192.168.1.0 network 192.168.2.0 version 2 Core3(conf-router_rip)# Core 3 RIP Output The examples in this section show the core 2 RIP output. • • • To display Core 3 RIP database, use the show ip rip database command. To display Core 3 RIP setup, use the show ip route command. To display Core 3 RIP activity, use the show ip protocols command. Examples of the show ip Command with Core 3 Output To view learned RIP routes on Core 3, use the show ip rip database command.
Routing Protocol is "RIP" Sending updates every 30 seconds, next due in 6 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send TenGigabitEthernet 3/21 2 2 TenGigabitEthernet 3/11 2 2 TenGigabitEthernet 3/44 2 2 TenGigabitEther
! interface TengigabitEthernet 3/21 ip address 10.11.20.1/24 no shutdown ! interface TengigabitEthernet 3/43 ip address 192.168.1.1/24 no shutdown ! interface TengigabitEthernet 3/44 ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
Remote Monitoring (RMON) 45 Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
• Chassis Down — When a chassis goes down, all sampled data is lost. But the RMON configurations are saved in the configuration file. The sampling process continues after the chassis returns to operation. • Platform Adaptation — RMON supports all Dell Networking chassis and all Dell Networking Ethernet interfaces. Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
The following example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable. The alarm is triggered when the 1.3.6.1.2.1.2.2.1.20.1 value shows a MIB counter increase of 15 or more (such as from 100000 to 100015). The alarm then triggers event number 1, which is configured with the RMON event command. Possible events include a log entry or an SNMP trap.
Configuring RMON Collection Statistics To enable RMON MIB statistics collection on an interface, use the RMON collection statistics command in INTERFACE CONFIGURATION mode. • Enable RMON MIB statistics collection. CONFIGURATION INTERFACE (config-if) mode [no] rmon collection statistics {controlEntry integer} [owner ownername] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
– seconds: (Optional) the number of seconds in each polling cycle. The value is ranged from 5 to 3,600 (Seconds). The default is 1,800 (as defined in RFC-2819). Example of the rmon collection history Command To remove a specified RMON history group of statistics collection, use the no form of this command.
Rapid Spanning Tree Protocol (RSTP) 46 The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).. Protocol Overview The Dell Networking OS supports three other versions of spanning tree, as shown in the following table. Table 58.
Important Points to Remember • RSTP is disabled by default on the switch. • The system supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task, avoid using the range command.
switchport 3. Enable the interface. INTERFACE mode no shutdown Example of Verifying an Interface is in Layer 2 Mode and Enabled To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode.
Figure 105. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
The port is not in the Edge port mode Port 379 (TengigabitEthernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. • Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• The default is 2 seconds. Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535.
• You can clear the Error Disabled state with any of the following methods: – Perform an shutdown command on the interface. – Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). To enable EdgePort on an interface, use the following command.
Root Bridge hello time 50 ms, max age 20, forward delay 15 Bridge ID Priority 0, Address 0001.e811.2233 We are the root Configured hello time 50 ms, max age 20, forward delay 15 NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond. hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256.
Security 47 This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Role-Based Access Control With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID.
A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC model. Essentially, a constrained model puts some limitations around each role’s permissions to allow you to partition of tasks. However, some inheritance is possible. Default command permissions are based on CLI mode (such as configure, interface, router), any specific command settings, and the permissions allowed by the privilege and role commands.
NOTE: The authentication method list should be in the same order as the authorization method list. For example, if you configure the authentication method list in the following order (TACACS+, local), Dell Networking recommends that authorization method list is configured in the same order (TACACS+, local). 4. Specify authorization method list (RADIUS, TACACS+, or Local). You must at least specify local authorization.
mode enablement, password policies, inactivity timeouts, banner establishment, and cryptographic key operations for secure access paths. • System Administrator (sysadmin). This role has full access to all the commands in the system, exclusive access to commands that manipulate the file system formatting, and access to the system shell. This role can also create user IDs and user roles. The following summarizes the modes that the predefined user roles can access.
• If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role. 1. Create a new user role CONFIGURATION mode userrole name [inherit existing-role-name] 2. Verify that the new user role has inherited the security administrator permissions. Dell(conf)#do show userroles EXEC Privilege mode 3.
When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword followed by the command you are controlling access. For information about how to create new roles, see also Creating a New User Role. The following output displays the modes available for the role command.
The following example shows that the secadmin role can now access Interface mode (highlighted in bold). Role Inheritance netoperator Modes netadmin secadmin Line sysadmin MAC Exec Config Interface Router IP RouteMap Protocol MAC Exec Config Interface Exec Config Interface Line Router IP RouteMap Protocol Example: Remove Security Administrator Access to Line Mode.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. Dell (conf) #username john password 0 password role secadmin The following example deletes a user role.
Configure AAA Authorization for Roles Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization.
authorization exec ucraaa accounting commands role netadmin line vty 2 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 3 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 4 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 5 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 6 login authentication ucraaa authorization exe
Example for Creating a AVP Pair for System Defined or User-Defined Role The following section shows you how to create an AV pair to allow a user to login from a network access server to have access to commands based on the user’s role. The format to create an AV pair for a user role is Force10-avpair= ”shell:role=“ where user-role is a user defined or systemdefined role. In the following example, you create an AV pair for a system-defined role, sysadmin.
Displaying Active Accounting Sessions for Roles To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
Displaying Role Permissions Assigned to a Command To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and or permission level.
Configuration Task List for AAA Accounting The following sections present the AAA accounting configuration tasks.
Configuring Accounting of EXEC and Privilege-Level Command Usage The network access server monitors the accounting functions defined in the TACACS+ attribute/value (AV) pairs. • Configure AAA accounting to monitor accounting functions defined in TACACS+. CONFIGURATION mode aaa accounting system default start-stop tacacs+ aaa accounting command 15 default start-stop tacacs+ System accounting can use only the default method list.
Example of the show accounting Command for AAA Accounting Dell#show accounting Active accounted actions on tty2, User admin Priv 1 Task ID 1, EXEC Accounting record, 00:00:39 Elapsed, service=shell Active accounted actions on tty3, User admin Priv 1 Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell Dell# AAA Authentication The system supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthoriz
Configuring AAA Authentication Login Methods To configure an authentication method and method list, use the following commands. Dell Networking OS Behavior: If you use a method list on the console port in which RADIUS or TACACS is the last authentication method and the server is not reachable, the system allows access even though the username and password credentials cannot be verified.
– method-list-name: character string used to name the list of enable authentication methods activated when a user logs in. – method1 [... method4]: any of the following: RADIUS, TACACS, enable, line, none. If you do not set the default list, only the local enable is checked. This setting has the same effect as issuing an aaa authentication enable default enable command.
Therefore, the RADIUS server must have an entry for this username. Obscuring Passwords and Keys By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS, TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information.
• Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. • Privilege level 0 — contains only the end, enable, and disable commands.
– access-class access-list-name: Enter the name of a configured IP ACL. – nopassword: Do not require the user to enter a password. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. – privilege level The range is from 0 to 15. To view usernames, use the show users command in EXEC Privilege mode. Configuring the Enable Password Command To configure the Dell Networking OS, use the enable command to enter EXEC Privilege level 15.
CONFIGURATION mode username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password] Configure the optional and required parameters: 2. • name: enter a text string (up to 63 characters). • access-class access-list-name: enter the name of a configured IP ACL. • privilege level: the range is from 0 to 15. • nopassword: do not require the user to enter a password. • encryption-type: enter 0 for plain text or 7 for encrypted text.
Line 4: The snmp-server commands, in CONFIGURATION mode, are assigned to privilege level 8. Dell(conf)#username john privilege 8 password john Dell(conf)#enable password level 8 notjohn Dell(conf)#privilege exec level 8 configure Dell(conf)#privilege config level 8 snmp-server Dell(conf)#end Dell#show running-config Current Configuration ...
• – level level: The range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration. Specify either a plain text or encrypted password. LINE mode password [encryption-type] password Configure the following optional and required parameters: – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a text string up to 25 characters long. To view the password configured for a terminal, use the show config command in LINE mode.
Transactions between the RADIUS server and the client are encrypted (the users’ passwords are not sent in plain text). RADIUS uses UDP as the transport protocol between the RADIUS server host and the client. For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.
Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. • Automatically execute a command. auto-command Privilege Levels Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. • Set a privilege level.
CONFIGURATION mode • aaa authentication login method-list-name radius Create a method list with RADIUS and TACACS+ as authorization methods. CONFIGURATION mode aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified).
– key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host. If you do not configure these optional parameters, the global default values for all RADIUS host are applied. To specify multiple RADIUS server hosts, configure the radius-server host command multiple times.
– seconds: the range is from 0 to 1000. Default is 5 seconds. To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode. Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius TACACS+ The system supports terminal access controller access control system (TACACS+ client, including support for login authentication.
aaa authentication login {method-list-name | default} tacacs+ [...method3] The TACACS+ method must not be the last method specified. 3. Enter LINE mode. CONFIGURATION mode line {aux 0 | console 0 | vty number [end-number]} 4. Assign the method-list to the terminal line. LINE mode login authentication {method-list-name | default} Example of a Failed Authentication To view the configuration, use the show config in LINE mode or the show running-config tacacs + command in EXEC Privilege mode.
Monitoring TACACS+ To view information on TACACS+ transactions, use the following command. • View TACACS+ transactions to troubleshoot problems. EXEC Privilege mode debug tacacs+ TACACS+ Remote Authentication and Authorization The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes.
tacacs-server host {hostname | ip-address} [port port-number] [timeout seconds] [key key] Configure the optional communication parameters for the specific host: – port port-number: the range is from 0 to 65335. Enter a TCP port number. The default is 49. – timeout seconds: the range is from 0 to 1000. Default is 10 seconds. – key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key configured on the TACACS+ server host.
Protection from TCP Tiny and Overlapping Fragment Attacks Tiny and overlapping fragment attack is a class of attack where configured ACL entries — denying TCP port-specific traffic — is bypassed and traffic is sent to its destination although denied by the ACL. RFC 1858 and 3128 proposes a countermeasure to the problem. This countermeasure is configured into the line cards and enabled by default.
Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. To disable SSH server functions, use the no ip ssh server enable command. Using SCP with SSH to Copy a Software Image To use secure copy (SCP) to copy a software image through an SSH connection from one switch to another, use the following commands. 1.
• show crypto: display the public part of the SSH host-keys. • show ip ssh client-pub-keys: display the client public keys used in host-based authentication. • show ip ssh rsa-authentication: display the authorized-keys for the RSA authentication. The following example shows the use of SCP and SSH to copy a software image from one switch running SSH server on UDP port 99 to the local switch. Dell#copy scp: flash: Address or name of remote host []: 10.10.10.
Configuring the SSH Server Cipher List To configure the cipher list supported by the SSH server, use the ip ssh server ciphers cipher-list command in CONFIGURATION mode. cipher-list-: Enter a space-delimited list of ciphers the SSH server will support. The following ciphers are available.
• hmac-sha2-256 • hmac-sha2-256-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list. Dell(conf)# ip ssh server mac hmac-sha1-96 Configuring the SSH Server Cipher List To configure the cipher list supported by the SSH server, use the ip ssh server ciphers cipher-list command in CONFIGURATION mode.
• • When you enable all the three authentication methods, password authentication is the backup method when the RSA method fails. The files known_hosts and known_hosts2 are generated when a user tries to SSH using version 1 or version 2, respectively. Enabling SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Networking system. This setup is the simplest method of authentication and uses SSH version 1.
Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. Configuring Host-Based SSH Authentication Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands. 1. Configure RSA Authentication. Refer to Using RSA Authentication of SSH. 2.
10.16.127.201, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyW hVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= The following example shows creating rhosts. admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.201 admin Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command.
VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 60.
NOTE: For more information, refer to Access Control Lists (ACLs).
Example of Configuring VTY Authorization Based on MAC ACL for the Line (Per MAC Address) Dell(conf)#mac access-list standard sourcemac Dell(config-std-mac)#permit 00:00:5e:00:01:01 Dell(config-std-mac)#deny any Dell(conf)# Dell(conf)#line vty 0 9 Dell(config-line-vty)#access-class sourcemac Dell(config-line-vty)#end 856 Security
Service Provider Bridging 48 Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS. VLAN Stacking Virtual local area network (VLAN) stacking is supported on the platform. VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 106. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLANstack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-stack VLAN.
Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
Dell#show run interface te 2/12 ! interface TenGigabitEthernet 2/12 no ip address switchport vlan-stack trunk no shutdown Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode.
Configuring Options for Trunk Ports 802.1ad trunk ports may also be tagged members of a VLAN so that it can carry single and double-tagged traffic. You can enable trunk ports to carry untagged, single-tagged, and double-tagged VLAN traffic by making the trunk port a hybrid port. To configure trunk ports, use the following commands. 1. Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making it a hybrid port.
101 103 Inactive Inactive T Te 0/1 M Te 0/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command. • Debug the internal state and membership of a VLAN and its ports. debug member Example of Debugging a VLAN and its Ports The port notations are as follows: • MT — stacked trunk • MU — stacked access port • T — 802.1Q trunk port • U — 802.
were treated as the same TPID, as shown in the following illustration. The system differentiates between 0x9100 and 0x91XY, as shown in the following illustration. You can configure the first 8 bits of the TPID using the vlan-stack protocol-type command. The TPID is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
Figure 107.
Figure 108.
Figure 109. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to the following table. Table 61. Drop Eligibility Behavior Ingress Egress DEI Disabled DEI Enabled Normal Port Normal Port Retain CFI Set CFI to 0. Trunk Port Trunk Port Retain inner tag CFI Retain inner tag CFI.
Default Drop precedence: Green Interface CFI/DEI Drop precedence --------------------------------------Te 0/1 0 Green Te 0/1 1 Yellow Te 1/9 1 Red Te 1/40 0 Yellow Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
Figure 110. Statically and Dynamically Assigned dot1p for VLAN Stacking When configuring Dynamic Mode CoS, you have two options: • • Option 1: Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. Option 2: Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qospolicy-input 1.
NOTE: Because dot1p-mapping marks and queues packets, the only remaining applicable QoS configuration is rate metering. You may use Rate Shaping or Rate Policing. Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames. Because the frames now use a unique MAC address, BPDUs are treated as normal data frames by the switches in the intermediate network core.
Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2. Enable protocol tunneling globally on the system.
For details about this command, refer to CAM Allocation. 2. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config 3. Reload the system. EXEC Privilege mode reload 4. Set a maximum rate at which the BPDUs are processed for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command.
Provider backbone bridging through IEEE 802.1ad eliminates the need for tunneling BPDUs with L2PT and increases the reliability of provider bridge networks as the network core need only learn the MAC addresses of core switches, as opposed to all MAC addresses received from attached customer devices. • Use the Provider Bridge Group address as the destination MAC address in BPDUs. The xstp keyword applies this functionality to STP, RSTP, and MSTP; this functionality is not available for PVST+.
sFlow 49 sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. Overview The Dell Networking OS supports sFlow version 5. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows. • Time-based sampling of interface counters.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured. Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. • By default, sFlow collection is supported only on data ports.
Enabling sFlow Max-Header Size Extended To configure the maximum header size of a packet to 256 bytes, use the following commands: • Set the maximum header size of a packet. CONFIGURATION mode INTERFACE mode sflow max-header-size extended By default, the maximum header size of a packet is 128 bytes. When sflow max-header-size extended is enabled, 256 bytes are copied. These bytes are useful for VxLAN, NvGRE, IPv4, and IPv6 tunneled packets. NOTE: Interface mode configuration takes priority.
sflow max-header-size extended Dell#show run int tengigabitEthernet 1/10 ! interface TenGigabitEthernet 1/10 no ip address switchport sflow ingress-enable sflow max-header-size extended no shutdown sFlow Show Commands You can display sFlow statistics at the switch, interface, and line card level. • Displaying Show sFlow Globally • Displaying Show sFlow on an Interface • Displaying Show sFlow on a Line Card Displaying Show sFlow Global To view sFlow statistics, use the following command.
EXEC mode show sflow interface interface-name Examples of Viewing a sFlow Configuration The following example shows the show sflow interface command. Dell#show sflow interface tengigabitethernet 1/16 Te 1/16 Configured sampling rate :8192 Actual sampling rate :8192 Sub-sampling rate :2 Counter polling interval :15 Samples rcvd from h/w :33 Samples dropped for sub-sampling :6 The following example shows the show running-config interface command.
sflow collector ip-address agent-addr ip-address [number [max-datagram-size number] ] | [max-datagram-size number ] The default UDP port is 6343. The default max-datagram-size is 1400. Changing the Polling Intervals The sflow polling-interval command configures the polling interval for an interface in the maximum number of seconds between successive samples of counters sent to the collector. This command changes the global default counter polling (20 seconds) interval.
sFlow on LAG ports When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port. Enabling Extended sFlow Extended sFlow packs additional information in the sFlow datagram depending on the type of sampled packet. You can enable the following options: • extended-switch — 802.1Q VLAN ID and 802.1p priority information. • extended-router — Next-hop and source and destination mask length. • extended-gateway — Source and destination AS number and the BGP next-hop.
0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Important Points to Remember • If the IP source address is learned via IGP, srcAS and srcPeerAS are zero. • The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP. The c system packs the srcAS and srcPeerAS information only if the route is learned via BGP and it is reachable via the ingress interface of the packet. The previous points are summarized in following table.
50 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Configuration Task List for SNMP Configuring SNMP version 1 or version 2 requires a single step. NOTE: The configurations in this chapter use a UNIX environment with net-snmp version 5.4. This environment is only one of many RFC-compliant SNMP utilities you can use to manage your Dell Networking system using SNMP. Also, these configurations use SNMP version 2c. • Creating a Community Configuring SNMP version 3 requires configuring SNMP users in one of three methods.
Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security on the switch. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
• Configure an SNMP group with view privileges only (no password or privacy privileges). CONFIGURATION mode • snmp-server group group-name 3 noauth auth read name write name Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name oid-tree {included | excluded} NOTE: To give a user read and write view privileges, repeat this step for each privilege type. • Configure the user with an authorization password (password privileges only).
Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell Networking supports RFC 4001, Textual Conventions for Internet Work Addresses that defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. There are several UNIX SNMP commands that read data. • Read the value of a single managed object.
Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object. • To write or write-over the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance}syntax value Example of Writing the Value of a Managed Object > snmpset -v 2c -c mycommunity 10.11.
• (From a management station) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmpset -v version -c community agent-ip sysLocation.0 s “location-info” You may use up to 55 characters. The default is None. Subscribing to Managed Object Value Updates using SNMP By default, the system displays some unsolicited SNMP messages (traps) upon certain events and conditions.
3. Specify the interfaces which send SNMP traps. CONFIGURATION mode snmp-server trap-source Example of RFC-Defined SNMP Traps and Related Enable Commands The following example lists the RFC-defined SNMP traps and the command used to enable each. The coldStart and warmStart traps are enabled using a single command. snmp authentication SNMP_AUTH_FAIL:SNMP Authentication failed.Request with invalid community string. snmp coldstart SNMP_COLD_START: Agent Initialized - SNMP COLD_START.
temperature is within threshold of %dC) envmon fan FAN_TRAY_BAD: Major alarm: fantray %d is missing or down FAN_TRAY_OK: Major alarm cleared: fan tray %d present FAN_BAD: Minor alarm: some fans in fan tray %d are down FAN_OK: Minor alarm cleared: all fans in fan tray %d are good vlt Enable VLT traps. vrrp Enable VRRP state change traps xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
threshold alarm from SNMP OID Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to send an SNMP trap in the event of an audit processing failure due to connectivity issues with the syslog server. If a connectivity failure occurs on a syslog server that is configured for reliable transmission, an SNMP trap is sent. Also a message is written to the console indicating that the configured syslog server has failed. The SNMP trap is sent only periodically.
SMI::enterprises.6027.3.30.1.1.2 SNMPv2-SMI::enterprises.6027.3.30.1.1 = STRING: "REACHABLE: Syslog server 10.11.226.121 (port: 9140) is reachable"SNMPv2-SMI::enterprises. 6027.3.6.1.1.2.0 = INTEGER: 2 Following is the sample audit log message that other syslog servers that are reachable receive: Oct 21 05:26:04: dv-fedgov-s4810-6: %EVL-6-REACHABLE:Syslog server 10.11.226.121 (port: 9140) is reachable Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client.
MIB Object OID Object Values Description copySrcFileName . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.4 Path (if the file is not in the current directory) and filename. Specifies name of the file. . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.5 1 = Dell Networking OS file Specifies the type of file to copy to. 2 = running-config • copyDestFileType • 3 = startup-config • copyDestFileLocation . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.
MIB Object OID Object Values Description copyUserPassword . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.10 Password for the server. Password for the FTP, TFTP, or SCP server. Copying a Configuration File To copy a configuration file, use the following commands. NOTE: In UNIX, enter the snmpset command for help using the following commands. Place the f10-copy-config.mib file in the directory from which you are executing the snmpset command or in the snmpset tool path. 1.
• the community name is public • the file f10-copy-config.mib is in the current directory or in the snmpset tool path Copying Configuration Files via SNMP To copy the running-config to the startup-config from the UNIX machine, use the following command. • Copy the running-config to the startup-config from the UNIX machine. snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.
Copying the Startup-Config Files to the Server via FTP To copy the startup-config to the server via FTP from the UNIX machine, use the following command. Copy the startup-config to the server via FTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileName.index s filepath/filename copyDestFileLocation.index i 4 copyServerAddress.index a server-ip-address copyUserName.index s server-login-id copyUserPassword.
Copy a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command. • Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3 copyServerAddress.
MIB Object OID Values Description 6 = timeout 7 = unknown copyEntryRowStatus . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.15 Row status Specifies the state of the copy operation. Uses CreateAndGo when you are performing the copy. The state is set to active when the copy is completed. Obtaining a Value for MIB Objects To obtain a value for any of the MIB objects, use the following command. • Get a copy-config MIB object value. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.
MIB Support to Display the Available Memory Size on Flash Dell Networking provides more MIB objects to display the available memory size on flash memory. The following table lists the MIB object that contains the available memory size on flash memory. Table 66. MIB Objects for Displaying the Available Memory Size on Flash via SNMP MIB Object OID Description chStackUnitFlashUsageUtil 1.3.6.1.4.1.6027.3.25.1.2.3.1.5 Contains flash memory usage in percentage.
MIB Object OID Description chSysCoresTimeCreated 1.3.6.1.4.1.6027.3.25.1.2.8.1.3 Contains the time at which core files are created. chSysCoresStackUnitNumber 1.3.6.1.4.1.6027.3.25.1.2.8.1.4 Contains information that includes which stack unit or processor the core file was originated from. chSysCoresProcess 1.3.6.1.4.1.6027.3.25.1.2.8.1.5 Contains information that includes the process names that generated each core file.
Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. Example of Creating a VLAN using SNMP > snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4 SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.10 = INTEGER: 4 Assigning a VLAN Alias Write a character string to the dot1qVlanStaticName object to assign a name to a VLAN.
Example of Adding an Untagged Port to a VLAN using SNMP >snmpset -v2c -c mycommunity 10.11.131.185 . 1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
The following OIDs are configurable through the snmpset command. The node OID is 1.3.6.1.4.1.6027.3.18 F10-ISIS-MIB::f10IsisSysOloadSetOverload F10-ISIS-MIB::f10IsisSysOloadSetOloadOnStartupUntil F10-ISIS-MIB::f10IsisSysOloadWaitForBgp F10-ISIS-MIB::f10IsisSysOloadV6SetOverload F10-ISIS-MIB::f10IsisSysOloadV6SetOloadOnStartupUntil F10-ISIS-MIB::f10IsisSysOloadV6WaitForBgp To enable overload bit for IPv4 set 1.3.6.1.4.1.6027.3.18.1.1 and IPv6 set 1.3.6.1.4.1.6027.3.18.1.4 To set time to wait set 1.3.6.1.4.1.
Fetch Dynamic MAC Entries using SNMP Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.1d itself does not define them. As a switchport must belong a VLAN (the default VLAN or a configured VLAN), all MAC address learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address query.
Example of Fetching MAC Addresses Learned on a Non-default VLAN Using SNMP In the following example, TenGigabitEthernet 1/21 is moved to VLAN 1000, a non-default VLAN. To fetch the MAC addresses learned on non-default VLANs, use the object dot1qTpFdbTable. The instance number is the VLAN number concatenated with the decimal conversion of the MAC address.
Starting from the least significant bit (LSB) in the preceding figure: • The first 14 bits represent the card type of a physical interface or the interface number of a logical interface. • The next 4 bits represent the interface type. • The next 12 bits represent the slot and port numbers. • The next bit is 0 for a physical interface and 1 for a logical interface. • The last next is unused.
SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.2 = Hex-STRING: 00 01 E8 13 A5 C8 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.3.1 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.3.2 = INTEGER: 1107755010 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.4.1 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.4.2 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.5.1 = Hex-STRING: 00 00 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.5.2 = Hex-STRING: 00 00 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.6.
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1" Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell Networking router, take into account the following behavior. • When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
Storm Control 51 Storm control allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking OS Behavior: The switch supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. Configure Storm Control Storm control is supported in INTERFACE mode and CONFIGURATION mode. Configuring Storm Control from INTERFACE Mode To configure storm control, use the following command.
52 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. Protocol Overview By eliminating loops, STP improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
Important Points to Remember • STP is disabled by default. • The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time. • All ports in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you enable the protocol.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 113. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode.
3. Enable the interface. INTERFACE mode no shutdown Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown Dell(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
Figure 114. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable Examples of Verifying and Viewing Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
INTERFACE mode spanning-tree 0 To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command. Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hellotime, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters.
NOTE: With large configurations (especially those with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. • the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds.
Enabling PortFast The PortFast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. Interfaces forward frames by default until they receive a BPDU that indicates that they should behave otherwise; they do not go through the Learning and Listening states. The bpduguard shutdown-onviolation option causes the interface hardware to be shut down when it receives a BPDU.
The following example shows a scenario in which an edgeport might unintentionally receive a BPDU. The port on the Dell Networking system is configured with Portfast. If the switch is connected to the hub, the BPDUs that the switch generates might trigger an undesirable topology change. If you enable BPDU Guard, when the edge port receives the BPDU, the BPDU is dropped, the port is blocked, and a console message is generated.
Figure 115. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. • drops the BPDU after it reaches the Route Processor and generates a console message.
Te 0/7 128.264 128 20000 EDS 20000 32768 0001.e85d.0e90 128.264 Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ---------- ------ -------- ---- ------- --- ---------------Te 0/6 Root 128.263 128 20000 FWD 20000 P2P No Te 0/7 ErrDis 128.
network behavior. The STP root guard feature ensures that the position of the root bridge does not change. Root Guard Scenario For example, as shown in the following illustration (STP topology 1, upper left) Switch A is the root bridge in the network core. Switch C functions as an access switch connected to an external device. The link between Switch C and Switch B is in a Blocking state. The flow of STP BPDUs is shown in the illustration.
Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
STP Loop Guard The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs. When an STP blocking port does not receive BPDUs, it transitions to a Forwarding state. This condition can create a loop in the network.
Figure 117. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard: • Loop guard is supported on any STP-enabled port or port-channel interface.
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard. • Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it.
System Time and Date 53 System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
Information included in the NTP message allows the client to determine the server time regarding local time and adjust the local clock accordingly. In addition, the message includes information to calculate the expected timekeeping accuracy and reliability, as well as select the best from possibly several servers.
Configure the Network Time Protocol Configuring NTP is a one-step process. • Enabling NTP Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times.
INTERFACE mode ntp broadcast client Example of Configuring NTP Broadcasts 2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.496884 Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, the system drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface.
Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources. NTP authentication begins when the first NTP packet is created following the configuration of keys. NTP authentication in Dell Networking OS uses the message digest 5 (MD5) algorithm and the key is embedded in the synchronization packet that is sent to an NTP time source.
– ipv4-address : Enter an IPv4 address in dotted decimal format (A.B.C.D). – ipv6-address : Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported. – key keyid : Configure a text string as the key exchanged between the NTP server and the client. – prefer: Enter the keyword prefer to set this NTP server as the preferred server. – version number : Enter a number as the NTP version. The range is from 1 to 4. 5. Configure the switch as NTP master.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Time and Date You can set the time and date in the Dell Networking OS using the CLI. Configuration Task List The following is a configuration task list for configuring the time and date settings.
• Set the clock to the appropriate timezone. CONFIGURATION mode clock timezone timezone-name offset – timezone-name: enter the name of the timezone. Do not use spaces. – offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
– offset: (OPTIONAL) enter the number of minutes to add during the summer-time period. The range is from 1 to1440. The default is 60 minutes.
– end-year: Enter a four-digit number as the year. The range is from 1993 to 2035. – end-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; example, 17:15 is 5:15 pm. – offset: (OPTIONAL) Enter the number of minutes to add during the summer-time period. The range is from 1 to1440. The default is 60 minutes. Examples of Configuring and Viewing the Clock Summer-Time Recurring Option The following example shows using the clock summer-time recurring command.
Tunneling 54 Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode. You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
Dell(conf-if-tu-2)#show config ! interface Tunnel 2 no ip address ipv6 address 2::1/64 tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.
tunnel mode ipip no shutdown Configuring a Tunnel Interface You can configure the tunnel interface using the ip unnumbered and ipv6 unnumbered commands. To configure the tunnel interface to operate without a unique explicit ip or ipv6 address, select the interface from which the tunnel will borrow its address. The following sample configuration shows how to use the tunnel interface configuration commands. Dell(conf-if-te-0/0)#show config ! interface TenGigabitEthernet 0/0 ip address 20.1.1.
ipv6 address 1abd::1/64 tunnel source 40.1.1.1 tunnel allow-remote 40.1.1.2 tunnel mode ipip decapsulate-any no shutdown Configuring Tunnel source anylocal Decapsulation The tunnel source anylocal command allows a multipoint receive-only tunnel to decapsulate tunnel packets addressed to any IPv4 or IPv6 (depending on the tunnel mode) address configured on the switch that is operationally UP.
Multipoint Receive-Only Tunnels A multipoint receive-only IP tunnel decapsulates packets from remote end-points and never forwards packets on the tunnel. You can configure an additional level of security on a receive-only IP tunnel by specifying a valid prefix or range of remote peers. The operational status of a multipoint receive-only tunnel interface always remains up.
Upgrade Procedures 55 For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version. Upgrade Overview To upgrade system software on the switch, follow these general steps: 1. Identify the boot and system images currently stored on the Z9500 (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command. 2.
local flash. This image contains independent images for the CPUs: Control Processor (CP), Route Processor (RP), and line-card processor (LP). Each separate image runs on a different CPU and are unpacked and downloaded on the appropriate CPU via the party bus. You can use TFTP or FTP to copy images to the local storage of each CPU.
Uplink Failure Detection (UFD) 56 Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 119. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
result, downstream devices can execute the protection or recovery procedures they have in place to establish alternate connectivity paths, as shown in the following illustration. Figure 120. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state.
Important Points to Remember When you configure UFD, the following conditions apply. • You can configure up to 16 uplink-state groups. By default, no uplink-state groups are created. – An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state. – An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
• group-id: values are from 1 to 16. To delete an uplink-state group, use the no uplink-state-group group-id command. 2. Assign a port or port-channel to the uplink-state group as an upstream or downstream interface.
6. (Optional) Disables upstream-link tracking without deleting the uplink-state group. UPLINK-STATE-GROUP mode no enable The default is upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command. Clearing a UFD-Disabled Interface You can manually bring up a downstream interface in an uplink-state group that UFD disabled and is in a UFD-Disabled Error state.
error-disabled: Fo 1/8 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: error-disabled: Fo 1/12 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Fo 1/0 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Fo 1/4 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Fo 1/8 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Fo 1/12 02:37:29: %SYSTEM-P:CP %IFMGR-5-ASTATE_DN: down: Te 0/47 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Te 0/47 02:37:29 : UFD: Group:3, UplinkState: DOWN 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: to down: Group 3 02:37:29:
• Display the current status of a port or port-channel interface assigned to an uplink-state group. EXEC mode show interfaces interface interface specifies one of the following interface types: – 10-Gigabit Ethernet: enter tengigabitethernet slot/port. – 10-Gigabit Ethernet: enter tengigabitethernet slot/port. – Port channel: enter port-channel {1-512}.
Upstream Interfaces : Downstream Interfaces : Uplink State Group : 16 Status: Disabled, Up Upstream Interfaces : Te 0/41(Dwn) Po 8(Dwn) Downstream Interfaces : Te 0/40(Dwn) The following example shows viewing the uplink state group interface status for an S50 system.
Sample Configuration: Uplink Failure Detection The following example shows a sample configuration of UFD on a switch/router in which you configure as follows. • Configure uplink-state group 3. • Add downstream links Tengigabitethernet 0/1, 0/2, 0/5, 0/9, 0/11, and 0/12. • Configure two downstream links to be disabled if an upstream link fails. • Add upstream links Tengigabitethernet 0/3 and 0/4. • Add a text description for the group. • Verify the configuration with various show commands.
Upstream Interfaces : Te 0/3(Up) Te 0/4(Dwn) Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn) Uplink Failure Detection (UFD) 957
57 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
command places the interface in Layer 2 mode and the show vlan command in EXEC privilege mode indicates that the interface is now part of the Default VLAN (VLAN 1). By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN. NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN.
VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. The system supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up. As shown in the following example, VLAN 1 is inactive because it does not contain any interfaces. The other VLANs contain enabled interfaces and are active. NOTE: In a VLAN, the shutdown command stops Layer 3 (routed) traffic only. Layer 2 traffic continues to pass through the VLAN. If the VLAN is not a routed VLAN (that is, configured with an IP address), the shutdown command has no affect on VLAN traffic.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2. Enable an interface to include the IEEE 802.1Q tag header.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
NUM * 1 2 3 4 Dell# Status Q Inactive Active T T Active T T Active U Ports Po1(Te 0/0-1) Te 2/0 Po1(Te 0/0-1) Te 2/1 Te 2/2 The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode. Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
NOTE: When a hybrid port is untagged in a VLAN but it receives tagged traffic, all traffic is accepted. NOTE: You cannot configure an existing switchport or port channel interface for Native VLAN. Interfaces must have no other Layer 2 or Layer 3 configurations when using the portmode hybrid command or a message similar to this displays: % Error: Port is in Layer-2 mode Te 5/6. To configure a port so that it can be a member of an untagged and tagged VLANs, use the following commands. 1.
Virtual Routing and Forwarding (VRF) 58 Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs.Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 122. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Dell Networking OS uses both the VRF name and VRF ID to manage VRF instances. The VRF name and VRF ID number are assigned using the ip vrf command. The VRF ID is displayed in show ip vrf command output. The VRF ID is not exchanged between routers. VRF IDs are local to a router. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. Table 71.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF NOTE: ACLs supported on all VRF VLAN ports. IPv4 ACLs are supported on nondefault-VRFs also. IPv6 ACLs are supported on defaultVRF only. PBR supported on default-VRF only. QoS not supported on VLANs.
DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance. VRF Configuration The VRF configuration tasks are: 1. Enabling VRF in Configuration Mode 2. Creating a Non-Default VRF 3. Assign an Interface to a VRF You can also: • View VRF Instance Information • Connect an OSPF Process to a VRF Instance • Configure VRRP on a VRF Load VRF CAM VRF is enabled by default on the switch.
NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them. Task Command Syntax Command Mode Assign an interface to a VRF instance. ip vrf forwarding vrfname INTERFACE Assigning a Front-end Port to a Management VRF Starting in 9.
Task Command Syntax Display the interfaces assigned to show ip vrf [vrf-name] a VRF instance. To display information on all VRF instances (including the default VRF 0), do not enter a value for vrf-name. Command Mode EXEC Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. Refer toOpen Shortest Path First (OSPFv2) for complete OSPF configuration information. Assign an OSPF process to a VRF instance . Return to CONFIGURATION mode to enable the OSPF process.
Task Command Syntax Configure the VRRP group and virtual IP address vrrp-group 10 virtual-address 10.1.1.100 show config ----------------------------! interface TenGigabitEthernet 1/13 ip vrf forwarding vrf1 ip address 10.1.1.1/24 ! vrrp-group 10 virtual-address 10.1.1.100 no shutdown View VRRP command output for the VRF vrf1 show vrrp vrf vrf1 -----------------TenGigabitEthernet 1/13, IPv4 VRID: 10, Version: 2, Net: 10.1.1.1 VRF: 2 vrf1 State: Master, Priority: 100, Master: 10.1.1.
Task Command Syntax Command Mode NOTE: You can also have the management route to point to a front-end port in case of the management VRF. For example: management route 2::/64 te 0/0. To configure a static entry in the IPv6 neighbor discovery, perform the following steps: Task Command Syntax Command Mode Configure a static neighbor.
Figure 124. Setup VRF Interfaces The following example relates to the configuration shown in Figure1 and Figure 2. Router 1 ip vrf blue 1 ! ip vrf orange 2 ! ip vrf green 3 ! interface TenGigabitEthernet 3/1 no ip address switchport no shutdown ! interface TenGigabitEthernet 1/1 ip vrf forwarding blue ip address 10.0.0.
interface TenGigabitEthernet 1/2 ip vrf forwarding orange ip address 20.0.0.1/24 no shutdown ! interface TenGigabitEthernet 1/3 ip vrf forwarding green ip address 30.0.0.1/24 no shutdown ! interface Vlan 128 ip vrf forwarding blue ip address 1.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.
interface TenGigabitEthernet 2/2 ip vrf forwarding orange ip address 21.0.0.1/24 no shutdown ! interface TenGigabitEthernet 2/3 ip vrf forwarding green ip address 31.0.0.1/24 no shutdown ! interface Vlan 128 ip vrf forwarding blue ip address 1.0.0.2/24 tagged TenGigabitEthernet 3/1 no shutdown interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.2/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.
orange 2 green 3 Dell#show ip ospf 1 neighbor Neighbor ID Pri State 1.0.0.2 1 FULL/DR Dell#sh ip ospf 2 neighbor Neighbor ID Pri State 2.0.0.2 1 FULL/DR Dell#show ip route vrf blue Te Vl Te Vl 1/2, 192 1/3, 256 Dead Time Address Interface Area 00:00:32 1.0.0.2 Vl 128 0 Dead Time Address Interface Area 00:00:37 2.0.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ------------------------------------C 3.0.0.0/24 Direct, Vl 256 0/0 00:20:52 C 30.0.0.0/24 Direct, Te 1/3 0/0 00:09:45 S 31.0.0.0/24 via 3.0.0.
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway Last Change --------------------------C 1.0.0.0/24 Direct, Vl 128 0/0 00:27:21 O 10.0.0.0/24 via 1.0.0.1, Vl 128 110/2 00:14:24 C 11.0.0.
0/0 Dell# 00:20:19 Route Leaking VRFs Static routes can be used to redistribute routes between non-default to default/non-default VRF and vice-versa. You can configure route leaking between two VRFs using the following command: ip route vrf x.x.x.x s.s.s.s nh.nh.nh.nh vrf default. This command indicates that packets that are destined to x.x.x.x/s.s.s.s are reachable through nh.nh.nh.nh in the default VRF table. Meaning, the routes to x.x.x.x/s.s.s.
NOTE: In Dell Networking OS, you can configure at most one route-export per VRF as only one set of routes can be exposed for leaking. However, you can configure multiple route-import targets because a VRF can accept routes from multiple VRFs. After the target VRF learns routes that are leaked by the source VRF, the source VRF in turn can leak the export target corresponding to the destination VRFs that have imported its routes.
The show run output for the above configuration is as follows: ip vrf ip ip ! ip vrf ip ip ! ip vrf ! ip vrf ip ip ip VRF-Red route-export route-import 2:2 1:1 VRF-Blue route-export route-import 3:3 1:1 VRF-Green VRF-shared route-export route-import route-import 1:1 2:2 3:3 Show routing tables of all the VRFs (without any route-export and route-import tags being configured) Dell# show ip route vrf VRF-Red O 11.1.1.1/32 via 111.1.1.1 110/0 C 111.1.1.
O 33.3.3.3/32 00:00:11 via 133.3.3.3 C Direct, Te 1/13 0/0 133.3.3.0/24 110/0 22:39:61 Dell# show ip route vrf VRF-Shared O 11.1.1.1/32 via VRF-Red:111.1.1.1 110/0 C 111.1.1.0/24 Direct, VRF-Red:Te 1/11 0/0 O 22.2.2.2/32 via VRF-Blue:122.2.2.2 110/0 C 122.2.2.0/24 Direct, VRF-Blue:Te 1/22 0/0 O 44.4.4.4/32 via 144.4.4.4 110/0 00:00:11 C 144.4.4.
only the routes (OSPF and BGP) that satisfy the matching criteria defined in route-map export_ospfbgp_protocol are exposed to VRF-blue. While importing these routes into VRF-blue, you can further specify match conditions at the import end to define the filtering criteria based on which the routes are imported into VRF-blue. You can define a route-map import_ospf_protocol and then specify the match criteria as OSPF using the match sourceprotocol ospf command.
!this action accepts only OSPF routes from VRF-red even though both OSPF as well as BGP routes are shared The show VRF commands displays the following output: Dell# show ip route vrf VRF-Blue C 122.2.2.0/24 Direct, Te 1/22 O 22.2.2.2/32 via 122.2.2.2 00:00:11 O 44.4.4.4/32 0/0 110/0 22:39:61 via vrf-red:144.4.4.4 0/0 00:32:36 << only OSPF and BGP leaked from VRF-red Important Points to Remember • Only Active routes are eligible for leaking.
Virtual Link Trunking (VLT) 59 Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). Overview VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology.
Figure 125. Example of VLT Deployment VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
density in the Layer 2 topology is increased using eVLT. For inter-VLAN routing and other Layer 3 routing, you need a separate Layer 3 router. Figure 126. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches.
confused with failures of the VLT interconnect. VLT ensures that local traffic on a chassis does not traverse the VLTi and takes the shortest path to the destination via directly attached links. Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • VLT port channel interfaces must be switch ports. • If you include RSTP on the system, configure it before VLT.
– VLT peers use VLT interconnect (VLTi) – Sticky MAC is enabled on an orphan port in the primary or secondary peer – MACs are currently inactive If this scenario occurs, use the clear mac-address-table sticky all command on the primary or secondary peer to correctly sync the MAC addresses. • If static ARP is enabled on only one VLT peer, entries may be overwritten during bulk sync. Configuration Notes When you configure VLT, the following conditions apply.
– Unknown, multicast, and broadcast traffic can be flooded across the VLT interconnect. – MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes. – ARP entries configured across the VLTi are the same on both VLT peer nodes.
– VLT provides a loop-free topology for port channels with endpoints on different chassis in the VLT domain. – VLT uses shortest path routing so that traffic destined to hosts via directly attached links on a chassis does not traverse the chassis-interconnect link. – VLT allows multiple active parallel paths from access switches to VLT chassis. – VLT supports port-channel links with LACP between access switches and VLT peer switches. Dell Networking recommends using static port channels on VLTi.
• master and backup roles. Each peer actively forwards L3 traffic, reducing the traffic flow over the VLT interconnect. – VRRP elects the router with the highest priority as the master in the VRRP group. To ensure VRRP operation in a VLT domain, configure VRRP group priority on each VLT peer so that a peer is either the master or backup for all VRRP groups configured on its interfaces. For more information, refer to Setting VRRP Group (Virtual Router) Priority.
reassigned as the Primary Peer retains this role and the other peer must be reassigned as a Secondary Peer. Peer role changes are reported as SNMP traps. RSTP and VLT VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures.
VLT IPv6 The following features have been enhanced to support VLT on IPv6. : • VLT Sync — Entries learned on the VLT interface are synced on both VLT peers. • Non-VLT Sync — Entries learned on non-VLT interfaces are synced on both VLT peers. • Tunneling — Control information is associated with tunnel traffic so that the appropriate VLT peer can mirror the ingress port as the VLT interface rather than pointing to the VLT peer’s VLTi link.
Figure 127. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode command. Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers.
be symmetrical on both peers. You cannot configure the same VLAN as Layer 2 on one node and as Layer 3 on the other node. Configuration mismatches are logged in the syslog and display in the show vlt mismatch command output. If you enable VLT unicast routing, the following actions occur: • L3 routing is enabled on any new IP or IPv6 address configured for a VLAN interface that is up. • L3 routing is enabled on any VLAN with an admin state of up. NOTE: If the CAM is full, do not enable peer-routing.
• Optimal VLTi forwarding — Only one copy of the incoming multicast traffic is sent on the VLTi for routing or forwarding to any orphan ports, rather than forwarding all the routed copies. Important Points to Remember • • • • • • • You cannot configure a VLT node as a rendezvous point (RP), but any PIM-SM compatible VLT node can serve as a designated router (DR). You can only use one spanned VLAN from a PIM-enabled VLT node to an external neighboring PIM router.
NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Sample RSTP Configuration The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
Configuring a VLT Interconnect To configure a VLT interconnect, follow these steps. 1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2.
NOTE: Do not use MAC addresses such as “reserved” or “multicast.” 2. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. VLT DOMAIN CONFIGURATION mode back-up destination {ipv4–address] | ipv6 ipv6–address [interval seconds]} You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 3.
Configuring a VLT Port Delay Period To configure a VLT port delay period, use the following commands. 1. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs from 1 to 1000. 2. Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted. CONFIGURATION mode delay-restore delay-restore-time The range is from 1 to 1200. The default is 90 seconds.
Also, reconfigure the same MAC address on the VLT peer switch. Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 4. (Optional) When you create a VLT domain on a switch, the system automatically assigns a unique unit ID (0 or 1) to each peer switch. VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} To explicitly configure the default values on each peer switch, use the unit-id command.
6. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number The valid port-channel ID numbers are from 1 to 128. 7. Repeat Steps 1 to 6 on the VLT peer switch to configure the same port channel as part of the VLT domain. 8. On an attached switch or server: To connect to the VLT domain and add port channels to it, configure a port channel.
CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command in the Enabling VLT and Creating a VLT Domain. 2. Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 3. • 1 Gigabit Ethernet: enter gigabitethernet slot/port. • 10 Gigabit Ethernet: enter tengigabitethernet slot/port.
VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} The unit IDs are used for internal system operations. To explicitly configure the default values on each peer switch, use the unit-id command. Configure a different unit ID (0 or 1) on each peer switch. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. 8. Configure enhanced VLT.
no shutdown 16. Repeat steps 1 through 15 for the VLT peer node in Domain 1. 17. Repeat steps 1 through 15 for the first VLT node in Domain 2. 18. Repeat steps 1 through 15 for the VLT peer node in Domain 2. To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration. VLT Sample Configuration To review a sample VLT configuration setup, study these steps. 1. Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
EXEC Privilege mode show running-config entity 12. Verify that VLT is running. EXEC mode show vlt brief or show vlt detail 13. Verify that the VLT LAG is running in both VLT peer units. EXEC mode or EXEC Privilege mode show interfaces interface Example of Configuring VLT In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.
back-up destination 10.11.206.43 Dell-4#show running-config interface managementethernet 0/0 ip address 10.11.206.58/16 no shutdown Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit. In the following example, port Te 0/40 in VLT peer 1 is connected to Te 0/48 of TOR and port Te 0/18 in VLT peer 2 is connected to Te 0/50 of TOR. 1. Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the Top of Rack unit. 2.
Dell-1#show running-config interface port-channel 100 ! interface Port-channel 100 no ip address switchport no shutdown Dell-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel L LAG 100 Mode L2 Status up Uptime 03:33:48 Ports Te 0/48 (Up) Te 0/50 (Up) Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Run PVST+ on both VLT peer switches. PVST+ instance will be created for every VLAN configured in the system. PVST+ instances running in the Primary Peer will control the VLT-LAGs on both Primary and Secondary peers. Only the Primary VLT switch determines the PVST+ roles and states on VLT ports and ensures that the VLT interconnect link is never blocked. PVST+ instance in Primary peer will send the role/state of VLT-LAGs for all VLANs to the Secondary peer.
Te 1/13 Dell# Desg 128.233 128 2000 FWD 0 P2P No eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 fist, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2.
Add links to the eVLT port-channel on Peer 1. Domain_1_Peer1(conf)#interface range tengigabitethernet 0/16 - 17 Domain_1_Peer1(conf-if-range-te-0/16-17)# port-channel-protocol LACP Domain_1_Peer1(conf-if-range-te-0/16-17)# port-channel 100 mode active Domain_1_Peer1(conf-if-range-te-0/16-17)# no shutdown Next, configure the VLT domain and VLTi on Peer 2.
Domain_2_Peer3(conf-if-range-te-0/16-17)# port-channel 100 mode active Domain_2_Peer3(conf-if-range-te-0/16-17)# no shutdown Next, configure the VLT domain and VLTi on Peer 4. Domain_2_Peer4#configure Domain_2_Peer4(conf)#interface port-channel 1 Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer4#no shutdown Domain_2_Peer4(conf)#vlt domain 200 Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1 Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
Configure the VLTi port as a static multicast router port for the VLAN. VLT_Peer1(conf)#interface vlan 4001 VLT_Peer1(conf-if-vl-4001)#ip igmp snooping mrouter interface port-channel 128 VLT_Peer1(conf-if-vl-4001)#exit VLT_Peer1(conf)#end Repeat these steps on VLT Peer Node 2. VLT_Peer2(conf)#ip multicast-routing VLT_Peer2(conf)#interface vlan 4001 VLT_Peer2(conf-if-vl-4001)#ip address 140.0.0.
• Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices. EXEC mode • show spanning-tree rstp Display the current status of a port or port-channel interface used in the VLT domain. EXEC mode show interfaces interface – interface: specify one of the following interface types: * Fast Ethernet: enter fastethernet slot/port. * 1-Gigabit Ethernet: enter gigabitethernet slot/port.
Remote system version: Delay-Restore timer: 5(1) 90 seconds Dell_VLTpeer2# show vlt brief VLT Domain Brief -----------------Domain ID: Role: Role Priority: ICL Link Status: HeartBeat Status: VLT Peer Status: Local Unit Id: Version: Local System MAC address: Remote System MAC address: Configured System MAC address: Remote system version: Delay-Restore timer: 1000 Primary 32768 Up Up Up 1 5(1) 00:01:e8:8a:e7:e7 00:01:e8:8a:e9:70 00:0a:0a:01:01:0a 5(1) 90 seconds The following example shows the show vlt de
peer-link port-channel 60 back-up destination 10.11.200.18 Dell_VLTpeer2# show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.20 The following example shows the show vlt statistics command.
Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------- -------- ---- ------- -------- - ------- ------------Po 1 128.2 128 200000 DIS 0 0 0001.e88a.dff8 128.2 Po 3 128.4 128 200000 DIS 0 0 0001.e88a.dff8 128.4 Po 4 128.5 128 200000 DIS 0 0 0001.e88a.dff8 128.5 Po 100 128.101 128 800 FWD(VLTi)0 0 0001.e88a.dff8 128.101 Po 110 128.111 128 00 FWD(vlt) 0 0 0001.e88a.dff8 128.111 Po 111 128.112 128 200000 DIS(vlt) 0 0 0001.e88a.dff8 128.112 Po 120 128.121 128 2000 FWD(vlt) 0 0 0001.e88a.
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
10 Active U Po110(Fo 0/48) T Po100(Fo 0/46,50) Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) On an access device, verify the port-channel connection to a VLT domain. Dell_TORswitch(conf)# show running-config interface port-channel 11 ! interface Port-channel 11 no ip address switchport channel-member fortyGigE 1/18,22 no shutdown Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information.
Description Behavior at Peer Up Behavior During Run Time Action to Take channel status information. Spanning tree mismatch All VLT port channels go at global level down on both VLT peers. A syslog error message is generated. No traffic is passed on the port channels. Spanning tree mismatch A syslog error message at port level is generated. A one-time informational syslog message is generated. Correct the spanning tree configuration on the ports.
Reconfiguring Stacked Switches as VLT To convert switches that have been stacked to VLT peers, use the following procedure. 1. Remove the current configuration from the switches. You will need to split the configuration up for each switch. 2. Copy the files to the flash memory of the appropriate switch. 3. Copy the files on the flash drive to the startup-config. 4. Reset the stacking ports to user ports for both switches. 5. Reload the stack and confirm the new configurations have been applied. 6.
Keep the following points in mind when you configure VLT nodes in a PVLAN: • Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode. • You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port modes when you include the VLT LAG in a PVLAN. The VLT LAG settings must be the same on both the peers. If you configure a VLT LAG as a trunk port, you can associate that LAG to be a member of a normal VLAN or a PVLAN.
and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur. Whenever a change occurs in the VLAN mode of one of the peers, this modification is synchronized with the other peers. Depending on the validation mechanism that is initiated for MAC synchronization of VLT peers, MAC addresses learned on a particular VLAN are either synchronized with the other peers, or MAC addresses synchronized from the other peers on the same VLAN are deleted.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operations of the VLT peers): Table 73.
VLT LAG Mode PVLAN Mode of VLT VLAN Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Community) Access Access Access Access Access Access ICL VLAN Membership Mac Synchronization Secondary (Community) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Communit
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2. Remove an IP address from the interface. INTERFACE PORT-CHANNEL mode no ip address 3. Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 4. • 1-Gigabit Ethernet: Enter gigabitethernet slot/port. • 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} • • • 5. host (isolated or community VLAN port) promiscuous (intra-VLAN communication port) trunk (inter-switch PVLAN hub port) Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces. CONFIGURATION mode interface vlan vlan-id 6. Enable the VLAN. INTERFACE VLAN mode no shutdown 7.
the show config command output, it is enabled. Only nondefault information is displayed in the show config command output. ARP proxy operation is performed on the VLT peer node IP address when the peer VLT node is down. The ARP proxy stops working either when the peer routing timer expires or when the peer VLT node goes up. Layer 3 VLT provides a higher resiliency at the Layer 3 forwarding level. VLT peer routing enables you to replace VRRP with routed VLT to route the traffic from Layer 2 access nodes.
When a VLT node detects peer up, it will not perform proxy ARP for the peer IP addresses. IP address synchronization occurs again between the VLT peers. Proxy ARP is enabled only if peer routing is enabled on both the VLT peers. If you disable peer routing by using the no peer-routingcommand in VLT DOMAIN node, a notification is sent to the VLT peer to disable the proxy ARP.
multicast peer-routing timeout value command. You can configure an optimal time for a VLT node to retain synced multicast routes or synced multicast outgoing interface (OIF), after a VLT peer node failure, through the multicast peer-routing-timeout command in VLT DOMAIN mode. Using the bootstrap router (BSR) mechanism, both the VLT nodes in a VLT domain can be configured as the candidate RP for the same group range. When an RP fails, the VLT peer automatically takes over the role of the RP.
Configure VLT LAG as VLAN-Stack Access or Trunk Port Dell(conf)#interface port-channel 10 Dell(conf-if-po-10)#switchport Dell(conf-if-po-10)#vlt-peer-lag port-channel 10 Dell(conf-if-po-10)#vlan-stack access Dell(conf-if-po-10)#no shutdown Dell#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown Dell# Dell(conf)#interface port-channel 20 Dell(conf-if-po-20)#switchport Dell(conf-if-po-20)#vlt-peer-lag po
i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged NUM 50 Status Active Description Dell# Q M M V Ports Po10(Te 1/8) Po20(Te 1/12) Po1(Te 1/30-32) Sample Configuration of VLAN-Stack Over VLT (Peer 2) Configure VLT domain Dell(conf)#vlt domain 1 Dell(conf-vlt-domain)#peer-link port-channel 1 Dell(conf-vlt-domain)#back-up destination 10.16.151.
Configure the VLAN as VLAN-Stack VLAN and add the VLT LAG as members to the VLAN Dell(conf)#interface vlan 50 Dell(conf-if-vl-50)#vlan-stack compatible Dell(conf-if-vl-50-stack)#member port-channel 10 Dell(conf-if-vl-50-stack)#member port-channel 20 Dell(conf-if-vl-50-stack)# Dell#show running-config interface vlan 50 ! interface Vlan 50 vlan-stack compatible member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN Dell#show vlan id 50
VLT Proxy Gateway 60 You can configure a proxy gateway in VLT domains. A proxy gateway enables you to locally route the packets that are destined to a L3 endpoint in another VLT domain. Proxy Gateway in VLT Domains Using a proxy gateway, the VLT peers in a domain can route the L3 packets destined for VLT peers in another domain as long as they have L3 reachability for the IP destinations.
Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • Proxy gateway is supported only for VLT; for example, across a VLT domain. • You must enable the VLT peer-routing command for the VLT proxy gateway to function. • Asymmetric virtual local area network (VLAN) configuration, such as the same VLAN configured with Layer 2 (L2) mode on one VLT domain and L3 mode on another VLT domain is not supported.
• If the port-channel specified in the proxy-gateway command is not a VLT LAG, the configuration is rejected by the CLI. • You cannot change the VLT LAG to a legacy LAG when it is part of proxy-gateway. • You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway. • Dell Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links.
• LLDP uses the existing infrastructure and adds a new TLV for sending and receiving on the configured ports. • There are only a few MAC addresses for each unit transmitted. All currently active MAC addresses are carried on the newly defined TLV. • Dell Networking devices not configured with VLT proxy gateway process standard TLVs and ignore TLVs configured with VLT proxy gateway.
Sample Configuration for a VLT Proxy Gateway • The above figure shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing with the VLT Proxy Gateway LLDP method. For VLT Proxy Gateway to work in this scenario you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2).
address of D1, it may be dropped. This behavior is applicable only in an LLDP configuration; in a static configuration, the packet is forwarded. • Any L3 packet, when it gets an L3 hit and is routed, it has a time to live (TTL) decrement as expected. • You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Virtual Router Redundancy Protocol (VRRP) 61 Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 129. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
The following recommendations shown may vary depending on various factors like address resolution protocol (ARP) broadcasts, IP broadcasts, or spanning tree protocol (STP) before changing the advertisement interval. When the number of packets processed by RP2/CP/FP processor increases or decreases based on the dynamics of the network, the advertisement intervals may increase or decrease accordingly.
Creating a Virtual Router To enable VRRP, create a virtual router. In the Dell Networking Operating System, the virtual router identifier (VRID) identifies a VRRP group. To enable or delete a virtual router, use the following commands. • Create a virtual router for that interface with a VRID. INTERFACE mode vrrp-group vrid The VRID range is from 1 to 255. • NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group.
The following example configures the IPv4 VRRP 100 group to use VRRP protocol version 3. Dell(conf-if-te-0/0)# vrrp-group 100 Dell (conf-if-te-0/0-vrid-100)#version ? 2 VRRPv2 3 VRRPv3 both Interoperable, send VRRPv3 receive both Dell(conf-if-te-0/0-vrid-100)#version 3 You can use the version both command in INTERFACE mode to migrate from VRRPv2 to VRRPv3. When you set the VRRP version to both, the switch sends only VRRPv3 advertisements but can receive VRRPv2 or VRRPv3 packets.
to multiple IP subnets configured on the interface, Dell Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group. • • – For example, an interface (on which you enable VRRP) contains a primary IP address of 50.1.1.1/24 and a secondary IP address of 60.1.1.1/24. The VRRP group (VRID 1) must contain virtual addresses belonging to either subnet 50.1.1.0/24 or subnet 60.1.1.0/24, but not from both subnets (though the system allows the same).
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets. Dellshow vrrp -----------------TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.
TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10 Authentication: (none) -----------------TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 125, Master: 10.10.2.
virtual-address 10.10.10.10 Dell(conf-if-te-1/1-vrid-111)# Disabling Preempt The preempt command is enabled by default. The command forces the system to change the MASTER router if another router with a higher priority comes online. Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt. NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled.
50 centisecs is invalid because it not a multiple of 1 second. If you are using VRRP version 3, you must configure the timer values in multiples of 25 centisecs. If you are configured for VRRP version 2, the timer values must be in multiples of whole seconds. For example, timer value of 3 seconds or 300 centisecs are valid and equivalent. However, a timer value of 50 centisecs is invalid because it not is not multiple of 1 second.
virtual-address 10.10.10.10 Dell(conf-if-te-1/1-vrid-111)# Track an Interface or Object You can set the system to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost).
• (Optional) Display the configuration and the UP or DOWN state of tracked objects, including the client (VRRP group) that is tracking an object’s state. EXEC mode or EXEC Privilege mode • show track (Optional) Display the configuration and the UP or DOWN state of tracked interfaces and objects in VRRP groups, including the time since the last change in an object’s state.
The following example shows verifying the VRRP status.
This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. • The default is 0. Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP. INTERFACE mode vrrp delay reload seconds This time is the gap between system boot up completion and VRRP enabling. The seconds range is from 0 to 900. The default is 0. Sample Configurations Before you set up VRRP, review the following sample configurations.
Figure 130. VRRP for IPv4 Topology Example of Configuring VRRP for IPv4 Router 2 R2(conf)#int te 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
R2(conf-if-te-2/31)#end R2#show vrrp -----------------TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.
Figure 131. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. Example of Configuring VRRP for IPv6 Router 2 and Router 3 Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
Although R2 and R3 have the same default, priority (100), R2 is elected master in the VRRPv3 group because the TenGigE 0/0 interface has a higher IPv6 address than the TenGigE 1/0 interface on R3.
VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration. VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN.
Figure 132. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Switch-1 S1(conf)#ip vrf default-vrf 0 ! S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 2/1 S1(conf-if-te-2/1)#ip vrf forwarding VRF-1 S1(conf-if-te-2/1)#ip address 10.10.1.5/24 S1(conf-if-te-12/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf)#interface TenGigabitEthernet 2/3 S1(conf-if-te-2/3)#ip vrf forwarding VRF-3 S1(conf-if-te-2/3)#ip address 20.1.1.5/24 S1(conf-if-te-2/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-2/3-vrid-105)#priority 255 S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.
VRRP in VRF: Switch-1 VLAN Configuration VRRP in VRF: Switch-2 VLAN Configuration Switch-1 S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 2/4 S1(conf-if-te-2/4)#no ip address S1(conf-if-te-2/4)#switchport S1(conf-if-te-2/4)#no shutdown ! S1(conf-if-te-2/4)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.
S2(conf-if-vl-100-vrid-101)#priority 255 S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.2 S2(conf-if-vl-100)#no shutdown ! S2(conf-if-te-2/4)#interface vlan 200 S2(conf-if-vl-200)#ip vrf forwarding VRF-2 S2(conf-if-vl-200)#ip address 10.10.1.2/24 S2(conf-if-vl-200)#tagged tengigabitethernet 12/4 S2(conf-if-vl-200)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 2 will be 178. S2(conf-if-vl-200-vrid-101)#priority 255 S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.
192.168.0.
Standards Compliance 62 This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 9,252 bytes RFC and I-D Compliance The system supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of the Dell Networking OS first supports the standard. General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 75.
RFC# Full Name S-Series/ZSeries C-Series E-Series TeraScale E-Series ExaScale 2474 Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 7.7.1 7.5.1 √ 8.1.1 2615 PPP over SONET/SDH √ 2698 A Two Rate Three Color Marker √ 8.1.1 3164 The BSD syslog Protocol 7.5.1 √ 8.1.1 draft-ietf-bfd base-03 Bidirectional Forwarding Detection 7.6.1 √ 8.1.1 7.6.
RFC# Full Name S-Series/Z-Series 5396 Textual Representation of Autonomous System (AS) Numbers 8.1.2 draft-ietf-idrbgp4- 20 A Border Gateway Protocol 4 (BGP-4) 7.8.1 draft-ietf-idrrestart- 06 Graceful Restart Mechanism for BGP 7.8.1 General IPv4 Protocols The following table lists the Dell Networking OS support per platform for general IPv4 protocols. Table 77. General IPv4 Protocols RFC# Full Name S-Series/ZSeries C-Series E-Series TeraScale E-Series ExaScale 791 Internet Protocol 7.6.
RFC# Full Name S-Series/ZSeries C-Series E-Series TeraScale E-Series ExaScale Aggregation Strategy 1542 Clarifications and Extensions for the Bootstrap Protocol 7.6.1 7.5.1 √ 8.1.1 1812 Requirements for IP 7.6.1 Version 4 Routers 7.5.1 √ 8.1.1 2131 Dynamic Host Configuration Protocol 7.6.1 7.5.1 √ 8.1.1 2338 Virtual Router Redundancy Protocol (VRRP) 7.6.1 7.5.1 √ 8.1.1 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links 7.7.1 7.5.1 7.7.1 8.1.1 3046 DHCP Relay Agent 7.
RFC# Full Name S-Series/ZSeries C-Series E-Series TeraScale E-Series ExaScale 2462 (Partial) IPv6 Stateless Address Autoconfiguration 7.8.1 7.8.1 √ 8.2.1 2464 Transmission of IPv6 Packets over Ethernet Networks 7.8.1 7.8.1 √ 8.2.1 2675 IPv6 Jumbograms 7.8.1 7.8.1 √ 8.2.1 2711 IPv6 Router Alert Option 8.3.12.0 3587 IPv6 Global Unicast 7.8.1 Address Format 7.8.1 √ 8.2.1 4007 IPv6 Scoped Address Architecture 8.3.12.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale Protocol (ISO DP 10589) 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments √ 8.1.1 2763 Dynamic Hostname Exchange Mechanism for ISIS √ 8.1.1 2966 Domain-wide Prefix Distribution with Two-Level ISIS √ 8.1.1 3373 Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Point-to-Point Adjacencies √ 8.2.1 3567 IS-IS ACruythpetongtirca apthioicn √ 8.1.
RFC# Full Name S-Series 5308 Routing IPv6 with IS-IS 8.3.10.0 draft-ietf-isisigpp2p- overlan-06 C-Series E-Series TeraScale E-Series ExaScale 7.5.1 8.2.1 Point-to-point operation over LAN in link-state routing protocols √ 8.1.1 draft-kaplanExtended Ethernet isis-e xt-eth-02 Frame Size Support √ 8.1.1 Network Management The following table lists the Dell Networking OS support per platform for network management protocol. Table 80. Network Management RFC# Full Name 1155 Structure and 7.
RFC# Full Name S4810 1901 Introduction to Community-based SNMPv2 7.6.1 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 7.6.1 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 7.6.1 2013 SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 7.6.1 2024 Definitions of Managed Objects for Data Link Switching using SMIv2 7.6.1 2096 IP Forwarding Table MIB 7.6.
RFC# Full Name S4810 2575 View-based Access 7.6.1 Control Model (VACM) for the Simple Network Management Protocol (SNMP) 2576 Coexistence Between Version 1, Version 2, and Version 3 of the Internetstandard Network Management Framework 2578 Structure of Management 7.6.1 Information Version 2 (SMIv2) 2579 Textual Conventions for SMIv2 2580 Conformance Statements 7.6.1 for SMIv2 2618 RADIUS Authentication Client MIB, except the following four counters: S4820T Z-Series 9.5.(0.0) 9.5.(0.0) 7.
RFC# Full Name S4810 2819 Remote Network Monitoring Management Information Base: Ethernet Statistics Table, Ethernet History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table 7.6.1 2863 The Interfaces Group MIB 7.6.1 2865 Remote Authentication Dial In User Service (RADIUS) 3273 Remote Network 7.6.
RFC# Full Name S4810 S4820T Z-Series 4001 Textual Conventions for Internet Network Addresses 8.3.12 4292 IP Forwarding Table MIB 9.5.(0.0) 9.5.(0.0) 9.5.(0.0) 4750 OSPF Version 2 9.5.(0.0) Management Information Base 9.5.(0.0) 9.5.(0.0) 5060 Protocol Independent Multicast MIB 7.8.1 ANSI/TIA-1057 The LLDP Management Information Base extension module for TIA-TR41.4 Media Endpoint Discovery information 7.7.1 draft-grant-tacacs -02 The TACACS+ Protocol 7.6.
RFC# Full Name S4810 S4820T Z-Series 9.2.(0.0) 9.2.(0.0) local system data and remote systems data components. IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) 7.7.1 IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) 7.7.
RFC# Full Name S4810 FORCE10-IFEXTENSION-MIB Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) 7.6.1 FORCE10LINKAGG-MIB Force10 Enterprise Link Aggregation MIB 7.6.1 FORCE10CHASSIS-MIB Force10 E-Series Enterprise Chassis MIB FORCE10-COPYCONFIG-MIB Force10 File Copy MIB (supporting SNMP SET operation) Z-Series 7.7.1 FORCE10-MONMIB Force10 Monitoring MIB 7.
Multicast The following table lists the Dell Networking OS support per platform for Multicast protocol. Table 81. Multicast RFC# Full Name 1112 C-Series E-Series TeraScale E-Series ExaScale Host Extensions for 7.8.1 IP Multicasting 7.7.1 √ 8.1.1 2236 Internet Group 7.8.1 Management Protocol, Version 2 7.7.1 √ 8.1.1 2710 Multicast Listener Discovery (MLD) for IPv6 √ 8.2.1 3376 Internet Group 7.8.1 Management Protocol, Version 3 7.7.1 √ 8.1.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised) Open Shortest Path First (OSPF) The following table lists the Dell Networking OS support per platform for OSPF protocol. Table 82. Open Shortest Path First (OSPF) RFC# Full Name S-Series/Z-Series 1587 The OSPF Not-So-Stubby Area (NSSA) 7.6.1 Option 2154 OSPF with Digital Signatures 7.6.1 2328 OSPF Version 2 7.6.1 2370 The OSPF Opaque LSA Option 7.6.
MIB Location You can find Dell Networking MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.
