Dell Networking Configuration Guide for the Z9500 Switch 9.6(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide................................................................................................. 30 Audience..............................................................................................................................................30 Conventions........................................................................................................................................ 30 Related Documents...............................................................
Management........................................................................................................51 Configuring Privilege Levels................................................................................................................51 Creating a Custom Privilege Level................................................................................................ 51 Removing a Command from EXEC Mode....................................................................................
Restoring Factory Default Environment Variables....................................................................... 72 5 802.1X................................................................................................................... 74 The Port-Authentication Process....................................................................................................... 75 EAP over RADIUS.............................................................................................................
Implementation Information...................................................................................................... 104 Configuration Task List for Prefix Lists....................................................................................... 104 ACL Resequencing............................................................................................................................108 Resequencing an ACL or Prefix List.....................................................................
BGP Attributes................................................................................................................................... 149 Best Path Selection Criteria........................................................................................................ 150 Weight.......................................................................................................................................... 152 Local Preference............................................................
Filtering BGP Routes Using Route Maps.................................................................................... 189 Filtering BGP Routes Using AS-PATH Information.................................................................... 190 Configuring BGP Route Reflectors.............................................................................................190 Aggregating Routes.....................................................................................................................
Viewing Per-Protocol CoPP Counters.......................................................................................229 Viewing Per-Queue CoPP Counters.......................................................................................... 231 12 Z-Series Debugging and Diagnostics......................................................... 233 Offline Diagnostics............................................................................................................................
Configure the System to be a Relay Agent......................................................................................266 Configure the System to be a DHCP Client.................................................................................... 268 DHCP Client on a Management Interface................................................................................. 268 DHCP Client Operation with Other Features............................................................................
Protocol Overview............................................................................................................................ 291 Ring Status...................................................................................................................................292 Multiple FRRP Rings.................................................................................................................... 293 Important FRRP Points...........................................................
IGMP Snooping................................................................................................................................. 316 IGMP Snooping Implementation Information............................................................................316 Configuring IGMP Snooping.......................................................................................................316 Removing a Group-Port Association................................................................................
Adding a Physical Interface to a Port Channel.......................................................................... 334 Reassigning an Interface to a New Port Channel......................................................................336 Configuring the Minimum Oper Up Links in a Port Channel.................................................... 336 .....................................................................................................................................................
Configuration Tasks for IP Addresses.............................................................................................. 365 Assigning IP Addresses to an Interface............................................................................................ 366 Configuring Static Routes.................................................................................................................367 Configure Static Routes for the Management Interface................................................
Longest Prefix Match (LPM) Table and IPv6 /65 – /128 support....................................................390 ICMPv6...............................................................................................................................................391 Path MTU Discovery..........................................................................................................................391 IPv6 Neighbor Discovery............................................................................
Leaks from One Level to Another.............................................................................................. 426 Sample Configurations..................................................................................................................... 426 25 Link Aggregation Control Protocol (LACP)...............................................429 Introduction to Dynamic LAGs and LACP.......................................................................................
27 Link Layer Discovery Protocol (LLDP)........................................................460 802.1AB (LLDP) Overview.................................................................................................................460 Protocol Data Units.................................................................................................................... 460 Optional TLVs........................................................................................................................
Manage the Source-Active Cache................................................................................................... 493 Viewing the Source-Active Cache............................................................................................. 493 Limiting the Source-Active Cache............................................................................................. 494 Clearing the Source-Active Cache.......................................................................................
31 Multicast Features.......................................................................................... 526 Enabling IP Multicast.........................................................................................................................526 Multicast with ECMP......................................................................................................................... 526 Implementation Information...............................................................................
Troubleshooting OSPFv3............................................................................................................ 573 33 Pay As You Grow ............................................................................................575 Installing a License............................................................................................................................ 575 Displaying License Information..................................................................................
Important Points to Remember................................................................................................. 602 Examples of Port Monitoring..................................................................................................... 602 Configuring Port Monitoring......................................................................................................604 Remote Port Mirroring...............................................................................................
Configuring Port-Based Rate Policing.......................................................................................638 Configuring Port-Based Rate Shaping.......................................................................................638 Policy-Based QoS Configurations................................................................................................... 639 Classify Traffic............................................................................................................
Setting the rmon Alarm.............................................................................................................. 682 Configuring an RMON Event......................................................................................................683 Configuring RMON Collection Statistics................................................................................... 684 Configuring the RMON Collection History...............................................................................
Command Authorization............................................................................................................ 727 Protection from TCP Tiny and Overlapping Fragment Attacks.......................................................727 Enabling SCP and SSH.......................................................................................................................727 Using SCP with SSH to Copy a Software Image........................................................................
Overview............................................................................................................................................755 Implementation Information............................................................................................................ 755 Important Points to Remember..................................................................................................756 Enabling and Disabling sFlow...............................................................
Viewing the Software Core Files Generated by the System...................................................... 778 Manage VLANs using SNMP..............................................................................................................779 Creating a VLAN.......................................................................................................................... 779 Assigning a VLAN Alias.................................................................................................
Configure the Network Time Protocol......................................................................................805 Enabling NTP...............................................................................................................................805 Configuring NTP Broadcasts......................................................................................................805 Disabling NTP on an Interface...................................................................................
Assigning Interfaces to a VLAN.................................................................................................. 834 Moving Untagged Interfaces...................................................................................................... 836 Assigning an IP Address to a VLAN.............................................................................................837 Configuring Native VLANs............................................................................................
Interoperation of VLT Nodes in a PVLAN with ARP Requests................................................... 879 Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN........879 Configuring a VLT VLAN or LAG in a PVLAN....................................................................................881 Creating a VLT LAG or a VLT VLAN............................................................................................ 881 Associating the VLT LAG or VLT VLAN in a PVLAN........
1 About this Guide This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. This guide supports the platform. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
Configuration Fundamentals 2 The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for the Z9000, S6000, S4810, and S4820T except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information. • EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
CLI Command Mode Prompt Access Command AS-PATH ACL Dell(config-as-path)# ip as-path access-list Gigabit Ethernet Interface Dell(conf-if-gi-0/0)# interface (INTERFACE modes) 10 Gigabit Ethernet Interface Dell(conf-if-te-0/1–2)# interface (INTERFACE modes) Interface Group Dell(conf-if-group)# interface(INTERFACE modes) Interface Range Dell(conf-if-range)# interface (INTERFACE modes) Loopback Interface Dell(conf-if-lo-0)# interface (INTERFACE modes) Management Ethernet Interface Dell(conf
CLI Command Mode Prompt Access Command RAPID SPANNING TREE Dell(config-rstp)# protocol spanning-tree rstp REDIRECT Dell(conf-redirect-list)# ip redirect-list ROUTE-MAP Dell(config-route-map)# route-map ROUTER BGP Dell(conf-router_bgp)# router bgp BGP ADDRESS-FAMILY Dell(conf-router_bgp_af)# address-family {ipv4 multicast | ipv6 unicast} (for IPv4) (ROUTER BGP Mode) Dell(confrouterZ_bgpv6_af)# (for IPv6) ROUTER ISIS Dell(conf-router_isis)# router isis ISIS ADDRESS-FAMILY Dell(conf-router
CLI Command Mode Prompt Access Command LLDP MANAGEMENT INTERFACE Dell(conf-lldp-mgmtIf)# management-interface (LLDP Mode) LINE Dell(config-line-console) or Dell(config-line-vty) line console orline vty MONITOR SESSION Dell(conf-mon-sesssessionID)# monitor session OPENFLOW INSTANCE Dell(conf-of-instance-ofid)# openflow of-instance PORT-CHANNEL FAILOVERGROUP Dell(conf-po-failovergrp)# port-channel failovergroup PRIORITY GROUP Dell(conf-pg)# priority-group PROTOCOL GVRP Dell(config-gvrp)#
---0 1 2 3 4 5 6 7 8 9 10 11 Management Member Member Member Member Member Member Member Member Member Member Member online not present not present not present not present not present not present not present not present not present not present not present S4810 S4810 9.4(0.
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree. Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command: • To list the keywords available in the current mode, enter ? at the prompt or after a keyword. • Enter ? after a prompt lists all of the available keywords.
Short-Cut Key Combination Action CNTL-B Moves the cursor back one character. CNTL-D Deletes character at cursor. CNTL-E Moves the cursor to the end of the line. CNTL-F Moves the cursor forward one character. CNTL-I Completes a keyword. CNTL-K Deletes all characters from the cursor to the end of the command line. CNTL-L Re-enters the previous command. CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key.
• show run | grep Ethernet returns a search result with instances containing a capitalized “Ethernet,” such as interface GigabitEthernet 0/0. • show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized “ethernet.” • show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.” The grep command displays only the lines containing specified text.
NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example: Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save. Multiple Users in Configuration Mode Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode.
Getting Started 3 This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking Operating System (OS). Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the S4810 console port to a terminal server. 2. Connect the other end of the cable to the DTE terminal server. 3.
• Characters within the string can be letters, digits, and hyphens. To create a host name, use the following command. • Create a host name. CONFIGURATION mode hostname name Example of the hostname Command Dell(conf)#hostname R1 R1(conf)# Accessing the System Remotely You can configure the system to access it remotely by Telnet or SSH. • The platform has a dedicated management port and a management routing table that is separate from the IP routing table.
Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command. • Configure a management route to the network from which you are accessing the system. CONFIGURATION mode management route ip-address/mask gateway – ip-address: the network address in dotted-decimal format (A.B.C.
– level: is the privilege level, is 15 by default, and is not required – encryption-type: specifies how you are inputting the password, is 0 by default, and is not required. * 0 is for inputting the password in clear text. * 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system. * 5 is for inputting a password that is already encrypted using an MD5 hash.
Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command Reference. • To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
Save the Running-Configuration The running-configuration contains the current system configuration. Dell Networking recommends coping your running-configuration to the startup-configuration. The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that current directory is the internal flash, which is the system default.
• View the startup-configuration. EXEC Privilege mode show startup-config Example of the dir Command The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
2056916992 Dell# 2056540160 - FAT32 USERFLASH network network network rw rw rw rw flash: ftp: tftp: scp: View Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command.
1. Download Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file is displayed next to the software image file on the iSupport page. 2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command. 3. Run the verify {md5 | sha256} [ flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin 4.
Management 4 This chapter describes the different protocols or services used to manage the Dell Networking system. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1. Level Description Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Moving a Command from EXEC Privilege Mode to EXEC Mode To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access. Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode privilege {configure |interface | line | route-map | router} level level {command ||...|| command} Example of EXEC Privilege Commands The configuration in the following example creates privilege level 3.
exit Exit from interface configuration mode Dell(conf-if-te-1/1)#exit Dell(conf)#line ? aux Auxiliary line console Primary terminal line vty Virtual terminal Dell(conf)#line vty 0 Dell(config-line-vty)#? exit Exit from line configuration mode Dell(config-line-vty)# Applying a Privilege Level to a Username To set the user privilege level, use the following command. • Configure a privilege level for a user.
• Disable console logging. CONFIGURATION mode no logging console Audit and Security Logs This section describes how to configure, display, and clear audit and security logs.
• The system administrator user roles can view audit, security, and system events. • Only the system administrator and security administrator user roles can view security logs. • The network administrator and network operator user roles can view system events. NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role.
Example of Configuring the Logging Message Format Dell(conf)#logging version ? <0-1> Select syslog version (default = 0) Dell(conf)#logging version 1 Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Pre-requisites To configure a secure connection from the switch to the syslog server: 1. On the switch, enable the SSH server Dell(conf)#ip ssh server enable 2.
In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.141 and the listening port is 5140 ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf 3. Configure logging to a local host. locahost is “127.0.0.1” or “::1”. If you do not, the system displays an error when you attempt to enable role-based only AAA authorization. Dell(conf)# logging localhost tcp port Dell(conf)#logging 127.0.0.
Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP. • Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
Jan 21 03:12:54: %SYSTEM:LP changed to 60 % of the full Jan 21 03:12:54: %SYSTEM:LP % of the full speed Jan 21 03:02:51: %SYSTEM:LP changed to 80 % of the full Jan 21 03:02:51: %SYSTEM:LP % of the full speed Jan 21 02:56:54: %SYSTEM:CP WARM_START.
• Specify the number of messages that Dell Networking OS saves to its logging history table. CONFIGURATION mode logging history size size To view the logging buffer and configuration, use the show logging command in EXEC privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration. To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.
Example of the show running-config logging Command To view nondefault settings, use the show running-config logging command in EXEC mode. Dell#show running-config logging ! logging buffered 524288 debugging service timestamps log datetime msec service timestamps debug datetime msec ! logging trap debugging logging facility user logging source-interface Loopback 0 logging 10.10.10.
CONFIGURATION mode service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime] Specify the following optional parameters: – You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC. – uptime: To view time since last boot. If you do not specify a parameter, Dell Networking OS configures uptime. To view the configuration, use the show running-config logging command in EXEC privilege mode.
ftp-server username nairobi password 0 zanzibar Dell# Configuring FTP Server Parameters After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands. • Specify the directory for users using FTP to reach the system. CONFIGURATION mode ftp-server topdir dir • The default is the internal flash directory. Specify a user name for all FTP users and configure either a plain text or encrypted password.
• ip ftp password password Enter a username to use on the FTP client. CONFIGURATION mode ip ftp username name To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server. Terminal Lines You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port.
Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are: enable Prompt for the enable password.
login authentication myvtymethodlist Dell(config-line-vty)# Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. • Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported. Example of the telnet Command for Device Access Dell# telnet 10.11.80.203 Trying 10.11.80.203... Connected to 10.11.80.203. Exit character is '^]'. Login: Login: admin Password: Dell>exit Dell#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive configuration mode. If any user is already in CONFIGURATION mode when while a lock is in place, the following appears on their terminal (message 2): % Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
8. Display the content of the startup-config. EXEC Privilege mode show running-config 9. Remove the previous authentication configuration. config t 10. Set the new authentication parameters. The remainder of the previous configuration is preserved. no enable password enable password [newpassword] exit 11. Save the running-config to the startup-config in flash by default. write-mem 12. Save the running-config.
command, its supporting commands, and other commands that can help recover from a failed start, the GRUB chapter in the Dell Networking OS Command Line Reference Guide. 1. Power-cycle the chassis (pull the power cord and reinsert it). 2. Press the ESC key when the following message appears: Press Esc to stop autoboot... (during bootup) Press ESC key 3. Use the arrow keys to select “Force10 Boot” from the list, then press the “C” key to enter GRUB CLI mode. The command prompt changes to grub>.
Important Points to Remember • When you restore all the units in a stack, these units are placed in standalone mode. • When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units in the stack are affected. • When you restore the units in standalone mode, the units remain in standalone mode after the restoration. • After the restore is complete, the units power cycle immediately.
Important Points to Remember • The Chassis remains in boot prompt if none of the partitions contain valid images. • To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
802.1X 5 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
2. The supplicant responds with its identity in an EAP Response Identity frame. 3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server. 4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAPMethod).
EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.
Important Points to Remember • Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured. • 802.1X is not supported on port-channels or port-channel members. Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1. Enable 802.1X globally.
dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Examples of Verifying that 802.1X is Enabled Globally and on an Interface Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. In the following example, the bold lines show that 802.1X is enabled.
Configuring Request Identity Re-Transmissions If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
Example of Configuring and Verifying Port Authentication The following example shows configuration information for a port for which the authenticator retransmits an EAP Request Identity frame: • after 90 seconds and a maximum of 10 times for an unresponsive supplicant • re-transmits an EAP Request Identity frame The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state. Dell(conf-if-Te-0/0)#dot1x port-control force-authorized Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0 802.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period. Dell(conf-if-Te-0/0)#dot1x reauthentication interval 7200 Dell(conf-if-Te-0/0)#dot1x reauth-max 10 Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0 802.
The bold lines show the new supplicant and server timeouts. Dell(conf-if-Te-0/0)#dot1x port-control force-authorized Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0 802.
Figure 7. Dynamic VLAN Assignment 1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown Dell(conf-if-Te-2/1)# Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-Te-2/1)# Example of Viewing Configured Authentication View your configuration using the show config command from INTERFACE mode, as shown in th
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. • Access control lists (ACLs), Ingress IP and MAC ACLs , and Egress IP and MAC ACLs are supported on the Z9500. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands. Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs and on all platforms.
Dell# 4| 0| IPv6Flow| 0| 0|Allowed Implementing ACLs on Dell Networking OS You can assign one IP ACL per interface with Dell Networking OS. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. For detailed specification on entries allowed per ACL, refer to your line card documentation.
0 to 254. Dell Networking OS writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 255. Example of the order Keyword to Determine ACL Sequence Dell(conf)#ip access-list standard acl1 Dell(config-std-nacl)#permit 20.0.0.0/8 Dell(config-std-nacl)#exit Dell(conf)#ip access-list standard acl2 Dell(config-std-nacl)#permit 20.1.1.
Example of Permitting All Packets on an Interface The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32FTOS(conf-ext-nacl)#deny ip any 10.1.1.1./32 fragments Dell(conf-ext-nacl) Example of Denying Second and Subsequent Fragments To deny the second/subsequent fragments, use the same rules in a different order.
Example of Logging Denied Packets To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a configuration similar to the following. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp any any fragment Dell(conf-ext-nacl)#permit udp any any fragment Dell(conf-ext-nacl)#deny ip any any log Dell(conf-ext-nacl) When configuring ACLs with the fragments keyword, be aware of the following.
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order. Dell(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any Dell(config-std-nacl)#show config ! ip access-list standard dilling seq 15 permit tcp 10.3.0.0/16 any seq 25 deny ip host 10.5.0.
To view all configured IP ACLs, use the show ip accounting access-list command in EXEC Privilege mode. The following examples shows how to view a standard ACL filter sequence for an interface. Dell#show ip accounting access example interface gig 4/12 Extended IP access list example seq 15 deny udp any any eq 111 seq 20 deny udp any any eq 2049 seq 25 deny udp any any eq 31337 seq 30 deny tcp any any range 12345 12346 seq 35 permit udp host 10.21.126.225 10.4.5.0 /28 seq 40 permit udp host 10.21.126.226 10.
CONFIGURATION mode ip access-list extended access-list-name 2. Configure an extended IP ACL filter for TCP packets. CONFIG-EXT-NACL mode seq sequence-number {deny | permit} tcp {source mask | any | host ipaddress}} [count [byte]] [order] [fragments] Configure Filters, TCP Packets To create a filter for UDP packets with a specified sequence number, use the following commands. 1. Create an extended IP ACL and assign it a unique name. CONFIGURATION mode ip access-list extended access-list-name 2.
• {deny | permit} {source mask | any | host ip-address} [count [byte]] [order] [fragments] Configure a deny or permit filter to examine TCP packets. CONFIG-EXT-NACL mode • {deny | permit} tcp {source mask] | any | host ip-address}} [count [byte]] [order] [fragments] Configure a deny or permit filter to examine UDP packets.
• L2 egress access list If a rule is simply appended, existing counters are not affected. Table 4. L2 and L3 Filtering on Switched Packets L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Deny L3 ACL denies. Deny Permit L3 ACL permits. Permit Deny L3 ACL denies. Permit Permit L3 ACL permits. NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
• You cannot view the statistical details of ACL rules per VLAN and per interface if you enable the ACL VLAN group capability. You can view the counters per ACL only by using the show ip accounting access list command. • On a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
Group Name : CustomerNumberIdentificationEleven Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess Vlan Members : 2-10,99 Group Name : HostGroup Egress IP Acl : Group5 Vlan Members : 1,1000 Dell# Allocating ACL VLAN CAM CAM optimization for ACL VLAN groups is not enabled by default. You must allocate blocks of ACL VLAN CAM to enable ACL CAM optimization by using the cam-acl-vlan command.
INTERFACE mode ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range | vrf vrf-range] NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation. 4. Apply rules to the new ACL. INTERFACE mode ip access-list [standard | extended] name To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
Extended Ingress IP access list abcd on gigethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are supported on the platform. Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic.
Dell(conf-if-te-0/0)# Dell(conf-if-te-0/0)# Dell(conf-if-te-0/0)#end Dell# Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic.
forwards the packet based on the filter’s designated action. If the route prefix does not match any of the filters in the prefix list, the route is dropped (that is, implicit deny). A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/X where A.B.C.D is a dotted-decimal address and /X is the number of bits that should be matched of the dotted decimal address. For example, in 112.24.0.0/16, the first 16 bits of the address 112.24.0.
ip prefix-list prefix-name 2. Create a prefix list with a sequence number and a deny or permit action. CONFIG-NPREFIXL mode seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: • ge min-prefix-length: the minimum prefix length to match (from 0 to 32). • le max-prefix-length: the maximum prefix length to match (from 0 to 32).
• • ge min-prefix-length: is the minimum prefix length to be matched (0 to 32). le max-prefix-length: is the maximum prefix length to be matched (0 to 32). Example of Creating a Filter with Dell Networking OS-Assigned Sequence Numbers The example shows a prefix list in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number).
ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 Dell> Applying a Prefix List for Route Redistribution To pass traffic through a configured prefix list, use the prefix list in a route redistribution command. Apply the prefix list to all traffic redistributed into the routing process. The traffic is either forwarded or dropped, depending on the criteria and actions specified in the prefix list.
• distribute-list prefix-list-name in [interface] Apply a configured prefix list to incoming routes. You can specify which type of routes are affected. If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-OSPF mode distribute-list prefix-list-name out [connected | rip | static] Example of Viewing Configured Prefix Lists (ROUTER OSPF mode) To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode.
Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 Dell# end Dell# resequence access-list ipv4 test 2 2 Dell# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.
Configuration Task List for Route Maps Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
Set clauses: tag 35 level stub-area Dell# To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax. Dell(conf)#no route-map zakho 10 Dell(conf)#end Dell#show route-map route-map zakho, permit, sequence 20 Match clauses: interface GigabitEthernet 0/1 Set clauses: tag 35 level stub-area Dell# The following example shows a route map with multiple instances.
Example of the match Command to Match All Specified Values In the next example, there is a match only if a route has both of the specified characteristics. In this example, there a match only if the route has a tag value of 1000 and a metric value of 2000. Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map.
– For a 10-Gigabit Ethernet interface, enter the keyword tengigabitEthernet then the slot/port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094. • – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Match destination routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode • match ip address prefix-list-name Match destination routes specified in a prefix list (IPv6).
Configuring Set Conditions To configure a set condition, use the following commands. • Add an AS-PATH number to the beginning of the AS-PATH. CONFIG-ROUTE-MAP mode • set as-path prepend as-number [... as-number] Generate a tag to be added to redistributed routes. CONFIG-ROUTE-MAP mode • set automatic-tag Specify an OSPF area or ISIS level for redistributed routes.
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
redistribute ospf 34 metric 1 route-map torip ! route-map torip permit 10 match route-type internal set tag 34 ! Continue Clause Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module.
7 Bare Metal Provisioning (BMP) This chapter describes the Bare Metal Provisioning (BMP) enhancements that apply to the , , , and platforms Support for BMP on the S6000 Switch Starting with Dell Networking OS Release 9.3(0.0), BMP 3.1 is supported on the S6000 platform. For details about the commands and configuration procedures of BMP 3.1, refer the Open Automation Guide.
Replacement of stop jump-start Command With the stop bmp Command The stop jump-start command is replaced with the stop bmp in BMP 3.1 and later. BMP versions 1.5 and 2.0 continue to support the stop jump-start command.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
NOTE: A session state change from Up to Down is the only state change that triggers a link state change in the routing protocol client. BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 8. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state.
Field Description system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer to BFD Sessions). NOTE: Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear. Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet.
BFD Sessions BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles: Active The active system initiates the BFD session. Both systems can be active for the same session. Passive The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
handshake. Now the discriminator values have been exchanged and the transmit intervals have been negotiated. 4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established. However, because both members must send a control packet — that requires a response — anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10. Session State Changes Important Points to Remember • On the platform, Dell Networking OS supports 128 sessions per stack unit at 200 minimum transmit and receive intervals with a multiplier of 3, and 64 sessions at 100 minimum transmit and receive intervals with a multiplier of 4. • Enable BFD on both ends of a link.
• • • Configure BFD for BGP Configure BFD for VRRP Configuring Protocol Liveness Configure BFD for Static Routes Configuring BFD for static routes is supported on , , , and. BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop. Configuring BFD for static routes is a three-step process: 1.
R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.2 Gi 4/24 Up 100 100 4 R To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information. Changing Static Route Session Parameters BFD sessions are configured with default intervals and a default role.
Related Configuration Tasks • • Changing OSPF Session Parameters Disabling BFD for OSPF Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 12.
• bfd all-neighbors Establish sessions with OSPF neighbors on a single interface. INTERFACE mode ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPFv3 neighbors.
INTERFACE mode ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state.
2. Establish sessions for all or particular IS-IS neighbors. Related Configuration Tasks • Changing IS-IS Session Parameters • Disabling BFD for IS-IS Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 13.
isis bfd all-neighbors Example of Verifying Sessions with IS-IS Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled. R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.
ROUTER-ISIS mode • no bfd all-neighbors Disable BFD sessions with IS-IS neighbors on a single interface. INTERFACE mose isis bfd all-neighbors disable Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces.
Figure 14. Establishing Sessions with BGP Neighbors The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peergroup-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition. 1. Enable BFD globally. CONFIGURATION mode bfd enable 2. Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode router bgp as-number 3. Add a BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number 4.
ROUTER BGP mode • neighbor {ip-address | peer-group-name} bfd disable Remove the disabled state of a BFD for BGP session with a specified neighbor. ROUTER BGP mode no neighbor {ip-address | peer-group-name} bfd disable Use BFD in a BGP Peer Group You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
Examples of the BFD show Commands The following example shows verifying a BGP configuration. R2# show running-config bgp ! router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors The following example shows viewing all BFD neighbors.
Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
Down Admin Down : 0 : 2 The following example shows viewing BFD summary information. The bold line shows the message displayed when you enable BFD for BGP connections. R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.2 2.2.2.2 3.3.3.
Connections established 1; dropped 0 Last reset never Local host: 2.2.2.3, Local port: 63805 Foreign host: 2.2.2.2, Foreign port: 179 E1200i_ExaScale# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ...
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 15. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
The bold line shows that VRRP BFD sessions are enabled. Dell(conf-if-gi-4/25)#vrrp bfd all-neighbors Dell(conf-if-gi-4/25)#do show bfd neighbor * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.5.1 2.2.5.2 Gi 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session.
Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP session on an interface, use the following commands. • Disable all VRRP sessions on an interface. INTERFACE mode • no vrrp bfd all-neighbors Disable all VRRP sessions in a VRRP group.
Border Gateway Protocol IPv4 (BGPv4) 9 This chapter provides a general description of BGPv4 as it is supported in the Dell Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 16. Internal BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 17. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Because BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision. • If a route was received from a nonclient peer, reflect the route to all client peers. • If the route was received from a client peer, reflect the route to all nonclient and all client peers.
• Next Hop NOTE: There are no hard coded limits on the number of attributes that are supported in the BGP. Taking into account other constraints such as the Packet Size, maximum number of attributes are supported in BGP. Communities BGP communities are sets of routes with one or more common attributes. Communities are a way to assign common attributes to multiple routes at the same time. NOTE: Duplicate communities are not rejected.
Figure 19. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. 4. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths. 8. Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains. 9. Dell Networking OS deems the paths as equal and does not perform steps 9 through 11, if the following criteria is met: a.
and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B. Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria.
Figure 21. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
*> 7.0.0.0/30 *> 9.2.0.0/16 10.114.8.33 10.114.8.33 0 10 0 0 18508 18508 ? 701 i AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Multiprotocol BGP Multiprotocol extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of address families to be distributed in parallel. MBGP for IPv4 multicast is supported on the platform. MBGP allows information about the topology of the IP multicast-capable routers to be exchanged separately from the topology of normal IPv4 and IPv6 unicast routers. It allows a multicast routing topology different from the unicast routing topology.
• internal configured, BGP advertises the metric configured in the redistribute command as MED. If BGP peer outbound route-map has metric configured, all other metrics are overwritten by this configuration. NOTE: When redistributing static, connected, or OSPF routes, there is no metric option. Simply assign the appropriate route-map to the redistributed route. The following table lists some examples of these rules. Table 6.
Configure 4-byte AS numbers with the four-octet-support command. AS4 Number Representation Dell Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot. NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported. ASPLAIN is the method Dell Networking OS has used for all previous Dell Networking OS versions.
! router bgp 100 bgp asnotation asdot+ bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned. Figure 22. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer.
3. Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that update passed through a router in AS 200 before it reached Router B. BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances Dell Networking OS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05.
• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that routereflector clients are not in a full mesh if you enable BGP client-2-client reflection and that the BGP speaker acting as reflector advertises routes learned from one client to another client. If disabled, it is assumed that clients are in a full mesh and there is no need to advertise prefixes to the other clients. • High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB.
By default, Dell Networking OS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled). NOTE: In Dell Networking OS, all newly configured neighbors and peer groups are disabled. To enable a neighbor or peer group, enter the neighbor {ip-address | peer-group-name} no shutdown command. The following table displays the default values for BGP on Dell Networking OS. Table 7.
NOTE: Sample Configurations for enabling BGP routers are found at the end of this chapter. 1. Assign an AS number and enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system. NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically. a. Enable 4-Byte support for the BGP process. NOTE: This command is OPTIONAL.
CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} no shutdown Examples of the show ip bgp Commands NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp * command in EXEC Privilege mode. To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode.
For the router’s identifier, Dell Networking OS uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID. To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example.
Connections established 0; dropped 0 Last reset never No active TCP connection Dell# The following example shows verifying the BGP configuration using the show running-config bgp command.. Dell#show running-config bgp ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.
bgp asnotation asplain • NOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display. Enable ASDOT AS Number representation. CONFIG-ROUTER-BGP mode • bgp asnotation asdot Enable ASDOT+ AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot+ Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command output.
Configuring Peer Groups To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share same update policy. A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it.
To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP asnumber configured in the router bgp as-number command. Examples of Viewing and Configuring Peer Groups After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group. When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdown Dell(conf-router_bgp)# To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members. When you disable a peer group, all the peers within the peer group that are in the ESTABLISHED state move to the IDLE state.
When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address. Whenever either address becomes unreachable (for example, no active route exists in the routing table for peer IPv6 destinations/local address), BGP brings down the session with the peer. The BGP fast fall-over feature is configured on a per-neighbor or peer-group basis and is disabled by default. To enable the BGP fast fall-over feature, use the following command.
Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 200.200.200.200, Local port: 65519 Foreign host: 100.100.100.100, Foreign port: 179 Dell# To verify that fast fall-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
CONFIG-ROUTER-BGP mode neighbor peer-group-name subnet subnet-number mask The peer group responds to OPEN messages sent on this subnet. 3. Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown 4. Create and specify a remote peer for BGP neighbor. CONFIG-ROUTER-BGP mode neighbor peer-group-name remote-as as-number Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.
neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 allowas-in 9 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)#R2(conf-router_bgp)# Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established.
AS-PATH ACLs use regular expressions to search AS_PATH values. AS-PATH ACLs have an “implicit deny.” This means that routes that do not meet a deny or match filter are dropped. To configure an AS-PATH ACL to filter a specific AS_PATH value, use these commands in the following sequence. 1. Assign a name to a AS-PATH ACL and enter AS-PATH ACL mode. CONFIGURATION mode ip as-path access-list as-path-name 2. Enter the parameter to match BGP AS-PATH for filtering.
0x559972c 0x59cd3b4 0x7128114 0x536a914 0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 0 0 0 0 31 2 10 3 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 209 209 209 209 701 701 209 701 701 209 701 209 18756 i 7018 15227 i 3356 13845 i 701 6347 7781 i 3561 9116 21350 i 1239 577 855 ? 3561 4755 17426 i 5743 2648 i 209 568 721 1494 i 701 2019 i 8584 16158 i 6453 4759 i Regular Expressions as Filters Regula
The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2. Access list Eagle uses a regular expression to deny routes originating in AS 32. The first lines shown in bold create the access list and filter. The second lines shown in bold are the regular expression shown as part of the access list filter.
redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name] Configure the following parameters: – level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2. – metric value: The value is from 0 to 16777215. The default is 0. • – map-name: name of a configured route map. Include specific OSPF routes in IS-IS.
IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET community. In the RFC, the other communities are defined as follows: • All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
deny deny deny deny deny deny Dell# 701:667 702:667 703:667 704:666 705:666 14551:666 Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create a extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group. 1. Enter ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
Dell>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network * i 3.0.0.0/8 *>i 4.2.49.12/30 * i 4.21.132.0/23 *>i 4.24.118.16/30 *>i 4.24.145.0/30 *>i 4.24.187.12/30 *>i 4.24.202.0/30 *>i 4.25.88.0/30 *>i 6.1.0.0/16 *>i 6.2.0.0/22 *>i 6.3.0.0/18 *>i 6.4.0.0/16 *>i 6.5.0.0/19 *>i 6.8.0.0/20 *>i 6.9.0.0/20 *>i 6.10.0.0/15 *>i 6.14.0.0/15 *>i 6.133.0.
CONFIG-ROUTER-BGP mode bgp default local-preference value – value: the range is from 0 to 4294967295. The default is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
set next-hop ip-address Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Assign a weight to the neighbor connection. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} weight weight – weight: the range is from 0 to 65535. • The default is 0. Sets weight for the route.
For inbound and outbound updates the order of preference is: • prefix lists (using the neighbor distribute-list command) • AS-PATH ACLs (using the neighbor filter-list command) • route maps (using the neighbor route-map command) Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map. For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control Lists (ACLs).
• If the prefix list contains no filters, all routes are permitted. • If none of the routes match any of the filters in the prefix list, the route is denied. This action is called an implicit deny. (If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list permit 0.0.0.0/0 le 32).
Filtering BGP Routes Using AS-PATH Information To filter routes based on AS-PATH information, use these commands. 1. Create a AS-PATH ACL and assign it a name. CONFIGURATION mode ip as-path access-list as-path-name 2. Create a AS-PATH ACL filter with a deny or permit action. AS-PATH ACL mode {deny | permit} as-regular-expression 3. Return to CONFIGURATION mode. AS-PATH ACL exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5.
• Assign an ID to a router reflector cluster. CONFIG-ROUTER-BGP mode bgp cluster-id cluster-id • You can have multiple clusters in an AS. Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-reflector-client When you enable a route reflector, Dell Networking OS automatically enables route reflection to all clients.
Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
• history entry — an entry that stores information on a downed route • dampened path — a path that is no longer advertised • penalized path — a path that is assigned a penalty To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands.
show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression] – ip-address [mask]: enter the IP address and mask. – filter-list as-path-name: enter the name of an AS-PATH ACL. – regexp regular-expression: enter a regular express to match on. • By default, the path selection in Dell Networking OS is deterministic, that is, paths are compared irrespective of the order of their arrival.
Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths Neighbor AS MsgRcvd MsgSent TblVer 10.114.8.34 18508 82883 79977 780266 10.114.8.33 18508 117265 25069 780266 Dell> InQ OutQ Up/Down State/PfxRcd 0 2 00:38:51 118904 0 20 00:38:50 102759 To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode. Changing BGP Timers To configure BGP timers, use either or both of the following commands.
To reset a BGP connection using BGP soft reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt. When you enable soft-reconfiguration for a neighbor and you execute the clear ip bgp soft in command, the update database stored in the router is replayed and updates are reevaluated. With this command, the replay and update process is triggered only if a route-refresh request is not negotiated with the peer.
Route Map Continue The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If you do not specify a sequence number, the continue feature moves to the next sequence number (also known as an “implied continue”). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI. • Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively. • If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
EXEC Privilege mode • debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out] View information about BGP updates and filter by prefix name. EXEC Privilege mode • debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name] Enable soft-reconfiguration debug.
Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) For address family: IPv4 Unicast BGP table version 1395, neighbor version 1394 Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer Prefixes advertised 0, rejected 0, 0 withdrawn from peer Connections established 3; dropped 2 Last reset 00:00:12, due to Missing well known attribute Notification History 'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Rec
00000000 00000000 00000000 00000000 0181a1e4 0181a25c 41af92c0 00000000 00000000 00000000 00000000 00000001 0181a1e4 0181a25c 41af9400 00000000 PDU[2] : len 19, captured 00:34:51 ago ffffffff ffffffff ffffffff ffffffff 00130400 PDU[3] : len 19, captured 00:34:51 ago ffffffff ffffffff ffffffff ffffffff 00130400 PDU[4] : len 19, captured 00:34:22 ago ffffffff ffffffff ffffffff ffffffff 00130400 [. . .] Outgoing packet capture enabled for BGP neighbor 20.20.20.
Sample Configurations The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. The following illustration shows the configurations described on the following examples.
no shutdown R1(conf-if-lo-0)#int te 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TengigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-te-1/21)#int te 1/31 R1(conf-if-te-1/31)#ip address 10.0.3.31/24 R1(conf-if-te-1/31)#no shutdown R1(conf-if-te-1/31)#show config ! interface TengigabitEthernet 1/31 ip address 10.0.3.31/24 no shutdown R1(conf-if-te-1/31)#router bgp 99 R1(conf-router_bgp)#network 192.168.128.
R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R2(conf-router_bgp)#neighbor 192.168.128.1 no shut R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R2(conf-router_bgp)#neighbor 192.168.128.3 no shut R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0 R2(conf-router_bgp)#show config ! router bgp 99 bgp router-id 192.168.128.2 network 192.168.128.
R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB R1(conf-router_bgp)# R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 peer-group AAA neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 peer-group BBB neighbor 192.168.128.
Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Example of Enabling Peer Groups (Router 2) R2#conf R2(conf)#router bgp 99 R2(conf-router_bgp)# neighbor CCC peer-group R2(conf-router_bgp)# neighbor CC no shutdown R2(conf-router_bgp)# neighbor BBB peer-group R2(conf-router_bgp)# neighbor BBB no shutdown R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA R2(conf-router_bgp)# neighbor 192.168.128.1 no shut R2(conf-router_bgp)# neighbor 192.168.128.
BGP-RIB over all using 207 bytes of memory 2 BGP path attribute entrie(s) using 128 bytes of memory 2 BGP AS-PATH entrie(s) using 90 bytes of memory 2 neighbor(s) using 9216 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.1 99 93 99 1 0 (0) 00:00:15 1 192.168.128.2 99 122 120 1 0 (0) 00:00:11 1 R3#show ip bgp neighbor BGP neighbor is 192.168.128.1, remote AS 99, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.
Content Addressable Memory (CAM) 10 CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. CAM Allocation The user configurable CAM allocations feature is available on the platform.
CAM Allocation Setting vrfv4Acl 0 Openflow 0 fedgovacl 0 The following additional CAM allocation settings are supported on the S6000, S4810 or S4820T platforms only. Table 9. Additional Default CAM Allocation Settings Additional CAM Allocation Setting FCoE ACL (fcoeacl) 0 ISCSI Opt ACL (iscsioptacl) 0 The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate the desired space for all other regions. 2. Enter the number of FP blocks for each region.
Ipv4Qos L2Qos L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : : : : 2 1 0 0 0 0 0 0 0 0 0 0 0 2 1 0 0 0 0 0 0 0 2 2 0 0 -- Stack unit 0 -Current Settings(in block sizes) Next Boot(in block sizes) 1 block = 128 entries L2Acl : 6 4 Ipv4Acl : 4 2 Ipv6Acl : 0 0 Ipv4Qos : 2 2 L2Qos : 1 1 L2PT : 0 0 IpMacAcl : 0 0 VmanQos : 0 0 VmanDualQos : 0 0 EcfmAcl : 0 0 FcoeAcl : 0 0 iscsiOptAcl : 0 0 ipv4pbr : 0 2 vrfv4Acl : 0 2 Openflow : 0 0 fedgov
Openflow fedgovacl : : 0 0 -- Stack unit 0 -Current Settings(in block sizes) 1 block = 128 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAcl : 0 ipv4pbr : 0 vrfv4Acl : 0 Openflow : 0 fedgovacl : 0 -- Stack unit 7 -Current Settings(in block sizes) 1 block = 128 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAc
| | | | | | | | | | Codes: * - cam usage Dell# IN-V6 ACL IN-L2 ACL OUT-L3 ACL OUT-V6 ACL OUT-L2 ACL is above 90%. | | | | | 0 768 158 158 206 | | | | | 0 0 5 0 7 | | | | | 0 768 153 158 199 Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or CONFIGURATION mode, as shown in the following example.
• When an IP header is present, hashing is based on IP three tuples (source IP address, destination IP address, and IP protocol). • If an IP header is not found after the fifth label, hashing is based on the MPLS labels. • If the packet has more than five MPLS labels, hashing is based on the source and destination MAC address. To enable this type of hashing, use the default CAM profile with the microcode lag-hash-mpls.
Control Plane Policing (CoPP) 11 Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 25. CoPP Implemented Versus CoPP Not Implemented Z9500 CoPP Implementation The Z9500 control plane consists of multi-core CPUs with internal queues for handling packets destined to the Route Processor, Control Processor, and line-card CPUs. On the Z9500, CoPP is implemented as a distributed architecture. In this architecture, CoPP operates simultaneously in both distributed and aggregated modes. Distributed CoPP is achieved by applying protocol rate-limiting on each port pipe on a line card.
NOTE: The CoPP configurations described in this chapter only apply to aggregated CoPP operation on the Z9500. To configure a CoPP service policy, you create extended ACL rules and specify rate limits in QoS policies. QoS rate limits are applied to a protocol-based ACL filter or to a CPU queue. User-configured ACLs that filter protocol traffic flows to the control plane are automatically applied or disabled as the corresponding protocol is enabled or disabled in the system.
9 PIM DR, Multicast Catch All, iSCSI, IPv6 Multicast Catch All, IPv6 Multicast tunnels 400 10 ARP request, NS, RS 1800 11 ARP reply, NA, RA 1800 12 VLT 2000 13 BFD 5200 14 PVST, GVRP, FCoE, OpenFlow, IGMP, PIM, MLD, MSDP 1850 15 STP, L2PT, LACP, ECFM, BGP, RIP, OSPF, IS-IS, VRRP 12450 CPU Queue Protocols Mapped to Line-Card CPU Queues Rate Limit (in kbps) 16 — 1 17 — 1 18 — 1 19 — 1 20 Source miss, Station move, Trace flow 600 21 BFD 7000 22 HyperPull, FRRP 800 2
NOTE: On the Z9500, CoPP does not convert the input rate of control-plane traffic from kilobits per second (kbps) to packets per second (pps) as on other Dell Networking switches. On other switch, CoPP converts the input kilobit-per-second rate to a packet-per-second rate, assuming 64 bytes as the average packet size. CoPP then applies the packet-per-second rate to the appropriate queue. On these switches, 1 kbps is approximately equal to 2 pps.
PPS to allow both ICMP and BGP packets and then applying per-flow CoPP for ICMP and BGP packets. The setting of this Q6 bandwidth is dependent on the incoming traffic for the set of protocols sharing the same queue. If you are not aware of the incoming protocol traffic rate, you cannot set the required queue rate limit value. You must complete queue bandwidth tuning carefully because the system cannot open up to handle any rate, including traffic coming at the line rate.
control-plane-cpuqos 8. Assign the protocol based the service policy on the control plane. Enabling this command on a portpipe automatically enables the ACL and QoS rules creates with the cpu-qos keyword. CONTROL-PLANE mode service-policy rate-limit-protocols Examples of Configuring CoPP for Different Protocols The following example shows creating the IP/IPv6/MAC extended ACL.
The following example shows matching the QoS class map to the QoS policy.
Dell(conf-class-map-cpuqos)#match mac access-group lacp Dell(conf-class-map-cpuqos)#exit Dell(conf)#class-map match-any class-ipv6-icmp cpu-qos Dell(conf-class-map-cpuqos)#match ipv6 access-group ipv6-icmp Dell(conf-class-map-cpuqos)#exit Example of Associating a QoS Class Map with a QoS Rate-Limit Policy Dell(conf)#policy-map-input egressFP_rate_policy cpu-qos Dell(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k Dell(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_
Dell(conf-qos-policy-in)#exit Dell(conf)#qos-policy-input cpuq_2 Dell(conf-qos-policy-in)#rate-police 5000 80 peak 600 50 Dell(conf-qos-policy-in)#exit The following example shows assigning the QoS policy to the queues.
Q7 Dell# 1100 Example of Viewing Queue Mapping To view the queue mapping for each configured protocol, use the show ip protocol-queuemapping command.
Troubleshooting CoPP Operation To troubleshoot CoPP operation, use the debug commands described in this section. Enabling CPU Traffic Statistics During high-traffic network conditions, you may want to manually enable the collection of CPU traffic statistics by entering the debug cpu-traffic-stats command. Statistic collection begins as soon as you enter the command, not when the system boots up. The following message is displayed when the collection of CPU traffic statistics is enabled.
system-flow layer2 [cp-switch | linecard slot-id portset port-pipe] command. The number of hits for each system flow is also displayed.
MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=3(0x3), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, param0=1(0x1), param1=4(0x4), param2=0(0), param3=0(0)} policer= statistics={stat id 3 slice = 9 idx=1 entries=1}{Packets} --More-################# FP Entry for redirecting GVRP traffic to RSM ########### EID 0x000002fc: gid=0xa, slic
--More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP E
GVRP 14988129080 551480 ARP RESP/ARP REQ 29604578172 3559868 802.
OSPF RIP VRRP ICMP IGMP PIM MSDP BFD ON PHYSICAL PORTS BFD ON LOGICAL PORTS 802.
In the show output, Rx Counters displays the number of bytes of control-plane traffic received, on which queue-based rate limiting is applied. Tx Counters displays the number of bytes transmitted to a controlplane CPU after queue-based rate limiting is applied. Drop Counters displays the number of bytes of control-plane traffic that have been dropped as a result of queue-based rate limiting.
Z-Series Debugging and Diagnostics 12 This chapter describes debugging and diagnostics for the Z-Series platform. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, they verify the identification registers of the components on the board.
NOTE: The system reboots when the offline diagnostics completes. This is an automatic process in default mode. A warning message appears when you implement the offline stack-unit command: Warning - offline of stack unit will bring down all the protocols and the unit will be operationally down, except for running Diagnostics. Proceed with Offline-Diags [confirm yes/no]:y 2. Confirm offline status. EXEC Privilege mode show system brief Results are captured in one file whether for one unit or multiple units.
-- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports -------------------------------------------------------0 Management offline Z9000 Z9000 9-0-0-0 128 1 Member not present 2 Member not present 3 Member not present 4 Member not present 5 Member not present 6 Member not present 7 Member not present -- Power Supplies -Unit Bay Status Type Temperature(deg C) FanSpeed(rpm) ---------------------------------------------------0 0 up AC 40 13888 0 1 up AC 42 14851 -- Fan Status -Unit Bay TrayStatus Fan0
CPU Version Stack Unit Board temperatur Stack Unit Number Serial Number Part Number Product Revision Version : : : : : : : Intel I386 49 Degree C 0 Z8FX122P00109 7520057401 H E9-0-0-23 **************************** Z9000 LEVEL 0 DIAGNOSTICS************************** + TEST - 1 PSU [0] STATUS ---> POWER ON PSU [0] STATUS ---> POWER OK PSU [0] STATUS ---> PSU OK Test 1.000 - Psu status monitor test ................................ PASS diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present...
directly connected ports Warning - It is highly recommended to reboot the system after Offline Diagnostics Proceed with Diags [confirm yes/no]: y 00:37:32: %Z9000:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 0 Dell#00:37:32 : Approximate time to complete the Diags ... 1 Min 30 Sec Dell# WARNING: Reboot is highly recommended after running Offline Diagnostics in Debug Mode. Debug Mode can be used only for troubleshooting specific test issue.
00:10:30: 00:10:30: 00:10:30: 00:10:30: 00:10:30: 00:10:30: 00:10:31: %SYSTEM:CP %SYSTEM:CP %SYSTEM:CP %SYSTEM:CP %SYSTEM:CP %SYSTEM:CP %SYSTEM:CP %CHMGR-2-UNIT_DOWN: linecard 1 down - linecard offline %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 1/0 %IFMGR-1-DEL_PORT: Removed port: Fo 1/0-44, %CHMGR-2-UNIT_DOWN: linecard 2 down - linecard offline %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 2/0 %IFMGR-1-DEL_PORT: Removed port: Fo 2/0-44, %CHMGR-2-UNIT_DOWN: CP unit down - CP unit of
00:13:17 : Diagnostic test results are stored on file: flash:/TestReportLP-0.txt 00:13:19 : Diagnostic test results are stored on file: flash:/TestReportLP-1.txt 00:13:20 : Diagnostic test results are stored on file: flash:/TestReportLP-2.
PPID Rev Service Tag Part Number Part Number Revision SW Version ------ X00 6NHW6Z1 7520072402 H 9.2(1.0B2) Available free memory: 2,231,607,296 bytes LEVEL 0 DIAGNOSTIC eepromTest .................................................. PASS Starting test: fabricAccessTest ......
Sensor "BrdTmpPwr0" temperature 31.5 C Sensor "BrdTmpPwr1" temperature 34.0 C Sensor "BrdTmpPwr2" temperature 31.0 C Sensor "BrdTmpPwr3" temperature 33.5 C Thermal Shutdown Diodes: Diode[0] temperature 31.5 C Thermal Monitor Diodes: Diode[0] temperature 32.4 C Diode[1] temperature 34.6 C Diode[2] temperature 34.5 C Diode[4] temperature 34.4 C Spine[0]: Average temperature 40.8 C, maximum 42.7 C Spine[1]: Average temperature 46.1 C, maximum 48.2 C Spine[2]: Average temperature 44.2 C, maximum 46.
+Fan tray[3] Speed test PASS ERROR: Tray[4] fan[0] speed 49% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[4] fanTest ..................................................... FAIL i2cTest ..................................................... PASS macPhyRegTest ............................................... PASS Starting test: partyLinkStatusTest ...... WM0 Link Status UP partyLinkStatusTest ......................................... PASS Starting test: pcieRwTest ......
Available free memory: 2,646,888,448 bytes LEVEL 0 DIAGNOSTIC eepromTest .................................................. i2cTest ..................................................... macPhyRegTest ............................................... Starting test: pcieScanTest ...... 22 PCI devices installed out of 22 pcieScanTest ................................................ portcardBcmIdTest ........................................... Starting test: portcardBoardRevisionTest ......
--------- Group Test Statistics --------Total : 22 Passed : 21 Failed : 1 Elapsed time : 00H:00M:56S Stop reason : after completion ------ Failed tests (level, times) -----portcardXELinkStatusTest (1, 1) Example of the show diag Command Dell# show diag linecard 0 detail Diag status of linecard member 0: -------------------------------------------------------------------------linecard is currently offline. linecard alllevels diag issued at Mon Jan 20, 2014 02:33:48 AM.
Port card[2]: Average temperature 42.8 C, maximum 44.9 C Ethernet MAC temperature 45.0 C temperatureTest ............................................. PASS LEVEL 1 DIAGNOSTIC eepromTest .................................................. i2cTest ..................................................... macPhyRegTest ............................................... Starting test: partyLinkStatusTest ...... WM0 Link Status UP partyLinkStatusTest .........................................
Last Restart Reason If a Z9000 system restarted for some reason (automatically or manually), the show system command output includes the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes.
• View the input and output statistics for a stack-port interface. • show hardware stack-unit {0-11} stack-port {0-64} View the counters in the field processors of the stack unit. • show hardware stack-unit {0-11} unit {0-1} counters View the details of the FP Devices, and Hi gig ports on the stack-unit. • show hardware stack-unit {0-11} unit {0-1} details Execute a specified bShell command from the CLI without going into the bShell.
Internal Unit User Ports Port Number from 0 to 31 on Unit 0 User Ports from 32 to 63 on Unit 1 User Ports from 64 to 95 on Unit 2 User Ports No User No User from 96 to Ports on Unit Ports on Unit 127 on Unit 3 4 5 16 15 47 79 111 Internal Internal 17 16 48 80 112 Internal Internal 18 17 49 81 113 Internal Internal 19 18 50 82 114 Internal Internal 20 19 51 83 115 Internal Internal 21 20 52 84 116 Internal Internal 22 21 53 85 117 Internal Internal 23 22
Example of the show interfaces transceiver Command Dell#show interfaces -- RPM Environment Status -Slot Status Temp Voltage ---------------------------0 active 33C ok 1 not present Display Power Supply Status To monitor the operational status of a power supply, use the show environment pem command. Use the command output to verify the operation of installed power supplies. The current operational status (up or down), power supply type, fan status and speed, and power usage are displayed.
Total power: 1309.0 W Display Fan Status To monitor the status of fan operation, use the show environment fan command. The command output displays the operational status of each fan, including tray status, and speed of each fan.
Yes 2 2 2 2 Yes 2 28 32 36 40 QSFP 44 Media not present or accessible Media not present or accessible Media not present or accessible 40GBASE-SR4 7503825H006J Media not present or accessible To display more detailed information about the transceiver type, wavelength, and power reception on a Z9500 port, use the show interfaces command.
QSFP 168 Voltage Low Alarm threshold QSFP 168 Bias Low Alarm threshold QSFP 168 RX Power Low Alarm threshold =================================== QSFP 168 Temp High Warning threshold QSFP 168 Voltage High Warning threshold QSFP 168 Bias High Warning threshold QSFP 168 RX Power High Warning threshold QSFP 168 Temp Low Warning threshold QSFP 168 Voltage Low Warning threshold QSFP 168 Bias Low Warning threshold QSFP 168 RX Power Low Warning threshold =================================== QSFP 168 Temperature QSFP
NOTE: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds, the card could be hot to the touch! Troubleshooting Packet Loss The show hardware stack-unit commands are intended primarily to troubleshoot packet loss.
5 6 7 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Z9000-B4#show hardware stack-unit UserPort PortNumber Ingress Drops Egress Drops 64 1 0 65 2 0 66 3 0 67 4 0 68 5 0 69 6 0 70 7 0 ...
txError txReqTooLarge txInternalError txDatapathErr txPkt(COS0) txPkt(COS1) txPkt(COS2) txPkt(COS3) txPkt(COS4) txPkt(COS5) txPkt(UNIT0) txPkt(UNIT1) txPkt(UNIT2) txPkt(UNIT3) :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 Dell#sh hardware stack-unit 2 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Displaying Stack Member Counters The show hardware stack-unit 0–7 {counters | details | port-stats [detail]
• Enable RPM core dumps and specify the shutdown mode. CONFIGURATION mode logging coredump server When you enable this command to allow the system to automatically upload application core dumps to an FTP server, you are required to enter a password. Use the password of the FTP server where the core files are being moved. The password can be up to 15 alphanumeric characters only; no special characters are allowed.
command in global configuration mode. The kernel core dump is copied to flash://CORE_DUMP_DIR/ f10_cpu_timestamp.kcore.gz Where cpu specifies a Z9500 CPU and is one of the following values: cp (Control Processor), cp (Route Processor), lp0 (line-card processor 0), lp1 (line-card processor 1), or lp2 (line-card processor 2); timestamp is a text string in the format: yyyyddmmhhmmss (YearDayMonthHourMinuteSecond). To disable the full kernel and other core dumps, enter the no logging coredump command.
Dynamic Host Configuration Protocol (DHCP) 13 DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Identifiers a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server. L2 DHCP Snooping Option 82 User Port Stacking Option 230 Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database. Set the stacking option variable to provide DHCP server stack-port detail when the DHCP offer is set. End Option 255 Signals the last option in the DHCP packet.
Figure 29. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configure the System to be a DHCP Server Configuring the system to be a DHCP server is supported only on the platform. A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The following table lists the key responsibilities of DHCP servers. Table 11.
3. Specify the range of IP addresses from which the DHCP server may assign addresses. DHCP mode network network/prefix-length • network: the subnet address. • prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31. 4. Display the current pool configuration. DHCP mode show config After an IP address is leased to a client, only that client may release the address.
lease {days [hours] [minutes] | infinite} The default is 24 hours. Specifying a Default Gateway The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step. • Specify default gateway(s) for the clients on the subnet, in order of preference.
Creating Manual Binding Entries An address binding is a mapping between the IP address and the media access control (MAC) address of a client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in the binding table. However, the administrator can manually create an entry for a client; manual bindings are useful when you want to guarantee that a particular network device receives a particular IP address.
Configure the System to be a Relay Agent This feature is available on the platform. DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.
Figure 30. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
ICMP redirects are not sent ICMP unreachables are not sent Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell Networking OS version and a configuration file).
• To reinstall management routes added by the DHCP client that is removed or replaced by the same statically configured management routes, release the DHCP IP address and renew it on the management interface. • Management routes added by the DHCP client have higher precedence over the same statically configured management route. Static routes are not removed from the running configuration if a dynamically acquired management route added by the DHCP client overwrites a static management route.
Virtual Router Redundancy Protocol (VRRP) Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group. Doing so guarantees that this router becomes the VRRP group owner. To use the router as the VRRP owner, if you enable a DHCP client on an interface that is added to a VRRP group, assign a priority less than 255 but higher than any other priority assigned in the group.
ip dhcp relay information-option [trust-downstream] • For routers between the relay agent and the DHCP server, enter the trust-downstream option. Manually reset the remote ID for Option 82. CONFIGURATION mode ip dhcp relay information-option remote-id DHCP Snooping DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.
CONFIGURATION mode ip dhcp snooping 2. Specify ports connected to DHCP servers as trusted. INTERFACE mode ip dhcp snooping trust 3. Enable DHCP snooping on a VLAN. CONFIGURATION mode ip dhcp snooping vlan name Adding a Static Entry in the Binding Table To add a static entry in the binding table, use the following command. • Add a static entry in the binding table. EXEC Privilege mode ip dhcp snooping binding mac Clearing the Binding Table To clear the binding table, use the following command.
Snooping packets processed on L2 vlans : 142 DHCP Binding File Details Invalid File Invalid Binding Entry Binding Entry lease expired List of Trust Ports List of DHCP Snooping Enabled Vlans List of DAI Trust ports : 0 : 0 : 0 :Te 0/49 :Vl 10 :Te 0/49 Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs.
Other attacks using ARP spoofing include: Broadcast An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC address, resulting in all clients broadcasting all internet-bound packets. MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which, traffic from the gateway is broadcast.
Internet Internet Dell# 10.1.1.253 10.1.1.254 - 00:00:4d:57:f8:e8 00:00:4d:69:e8:f2 Te 0/3 Te 0/50 Vl 10 Vl 10 CP CP To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Enabling IP Source Address Validation IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1. Allocate at least one FP block to the ipmacacl CAM region. CONFIGURATION mode cam-acl l2acl 2. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config 3. Reload the system. EXEC Privilege reload 4. Do one of the following. • Enable IP+MAC SAV.
deny vlan 10 count (0 packets) deny vlan 20 count (0 packets) Clearing the Number of SAV Dropped Packets To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-addressvalidation discard-counters command. Dell>clear ip dhcp snooping source-address-validation discard-counters To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
Equal Cost Multi-Path (ECMP) 14 Equal cost multi-path (ECMP) is supported on Dell Networking OS. ECMP for Flow-Based Affinity ECMP for flow-based affinity is available on theplatform. Flow-based affinity includes the following: • Link Bundle Monitoring Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM).
NOTE: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs. NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting.
Te 0/0 Te 0/1 Up Up 36 52 Managing ECMP Group Paths Managing ECMP group paths is supported only on the platform. Configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command.
Modifying the ECMP Group Threshold You can customize the threshold percentage for monitoring ECMP group bundles. To customize the ECMP group bundle threshold and to view the changes, use the following commands. • Modify the threshold for monitoring ECMP group bundles. CONFIGURATION mode link-bundle-distribution trigger-threshold {percent} The range is from 1 to 90%. • The default is 60%. Display details for an ECMP group bundle.
When the command is issued, you are prompted with a warning message stating that the command configuration can take effect on existing prefixes only when “clear ip route *” command is used. When you use the clear command, all the existing /32 IPv4 prefix route entries are reprogrammed in appropriate table. Also, all the other existing IPv4 entries are removed and reprogrammed as a result of the clear command. Dell Networking OS releases earlier than Release 9.3(0.
15 Enabling FIPS Cryptography This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Monitoring FIPS Mode Status To view the status of the current FIPS mode (enabled/disabled), use the following commands. • Use either command to view the status of the current FIPS mode. show fips status show system Examples of the show fips status and show system Commands The following example shows the show fips status command. Dell#show fips status FIPS Mode : Enabled for the system using the show system command. The following example shows the show system command.
• New 1024–bit RSA and RSA1 host key-pairs are created. To disable FIPS mode, use the following command. • To disable FIPS mode from a console port. CONFIGURATION mode no fips mode enable The following Warning message displays: WARNING: Disabling FIPS mode will close all SSH/Telnet connections, restart those servers, and destroy all configured host keys.
Flex Hash 16 This chapter describes the Flex Hash enhancements. Using Flex Hash Capability The Flex hash feature enables you to configure a packet search key and matches packets based on the search key. When a packet matches the search key, two 16-bit hash fields are extracted from the start of the L4 header and provided as inputs (bins 2 and 3) for RTAG7 hash computation. You must specify the offset of hash fields from the start of the L4 header, which contains a flow identification field.
Dell(conf)# load-balance flexhash ipv4/ipv6 ip-proto protocol-num description offset1 value [offset2 value>] To delete the configured flex-hash settings, use the no version of the command. RDMA Over Converged Ethernet (RoCE) Overview This functionality is supported on the platform. Remote direct memory access (RDMA) reduces both CPU cycles and latency. RDMA over converged Ethernet (RoCE) implements IB over Ethernet. RRoCE sends InfiniBand (IB) packets over IP.
occurs. You can optimize the booting time of the ToR nodes that experience a single point of failure to reduce the outage in traffic-handling operations. RoCE over a routed system is called RRoCE. RRoCE has IP headers. RRoCE is bursty and uses the entire 10-Gigabit Ethernet interface. Although RRoCE and normal data traffic are propagated in separate network portions, it may be necessary in certain topologies to combine both the RRoCE and the data traffic in a single network structure.
Force10 Resilient Ring Protocol (FRRP) 17 FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node. Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Multiple FRRP Rings Up to 255 rings are allowed per system and multiple rings can be run on one system. More than the recommended number of rings may cause interface instability. You can configure multiple rings with a single switch connection; a single ring can have multiple FRRP groups; multiple rings can be connected with a common link. Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology.
Concept Explanation Control VLAN Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose. Member VLAN Each ring maintains a list of member VLANs. Member VLANs must be consistent across the entire ring. Port Role Each node has two ports for each ring: Primary and Secondary. The Master node Primary port generates RHFs. The Master node Secondary port receives the RHFs.
Concept Explanation There is no periodic transmission of TCRHFs. The TCRHFs are sent on triggered events of ring failure or ring restoration only. Implementing FRRP • FRRP is media and speed independent. • FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. • You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP. • All ring ports must be Layer 2 ports.
Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports.
• • • • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. For a SONET interface, enter the keyword sonet then the slot/port information. For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
• Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port. • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. • For a SONET interface, enter the keyword sonet then the slot/port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • 3.
• Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500). – Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500). Clearing the FRRP Counters To clear the FRRP counters, use one of the following commands. • Clear the counters associated with this Ring ID. EXEC PRIVELEGED mode.
Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • Each Control Ring must use a unique VLAN ID. • Only two interfaces on a switch can be Members of the same control VLAN. • There can be only one Master node for any FRRP group. • You can configure FRRP on Layer 2 interfaces only. • Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged GigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged GigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31 controlvlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface GigabitEthernet 3/14 no ip address switchport no shutdown ! interface GigabitEthernet 3/21 no ip address switchport no shutdown ! interface
18 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP) is supported on Dell Networking OS. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, that type of port is referred to as a VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking OS that the port is a trunk port. Figure 31.
• Configure a GARP Timer Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
not be unconfigured when it receives a Leave PDU. Therefore, the registration mode on that interface is FIXED. • Forbidden Mode — Disables the port to dynamically register VLANs and to propagate VLAN information except information about VLAN 1. A port with forbidden registration type thus allows only VLAN 1 to pass through even though the PDU carries information for more VLANs.
LeaveAll Timer Dell(conf)# 5000 Dell Networking OS displays this message if an attempt is made to configure an invalid GARP timer: Dell(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer.
Internet Group Management Protocol (IGMP) 19 Internet group management protocol (IGMP) is supported on Dell Networking OS. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
Figure 32. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicastsystems address 224.0.0.1) a general query to all hosts on the subnet. 2.
response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
Figure 34. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 35. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Figure 36. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1. Enable multicast routing using the ip multicast-routing command. 2. Enable a multicast routing protocol.
• Fast Convergence after MSTP Topology Changes • Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled interfaces. EXEC Privilege mode show ip igmp interface Example of the show ip igmp interface Command Dell#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.
IGMP version is 3 Dell(conf-if-gi-1/13)# Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. • View both learned and statically configured IGMP groups. EXEC Privilege mode show ip igmp groups Example of the show ip igmp groups Command Dell(conf-if-gi-1/0)#do sho ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Uptime 224.1.1.1 GigabitEthernet 1/0 00:00:03 224.1.2.
INTERFACE mode • ip igmp query-interval Adjust the maximum response time. INTERFACE mode • ip igmp query-max-resp-time Adjust the last member query interval. INTERFACE mode ip igmp last-member-query-interval Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1.
Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
• View the configuration. CONFIGURATION mode • show running-config Disable snooping on a VLAN.
• Configure the switch to only forward unregistered packets to ports on a VLAN that are connected to mrouter ports. CONFIGURATION mode no ip igmp snooping flood Specifying a Port as Connected to a Multicast Router To statically specify or view a port in a VLAN, use the following commands. • Statically specify a port in a VLAN as connected to a multicast router. INTERFACE VLAN mode • ip igmp snooping mrouter View the ports that are connected to multicast routers. EXEC Privilege mode.
ip igmp snooping last-member-query-interval Fast Convergence after MSTP Topology Changes The following describes the fast convergence feature. When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Interfaces 20 This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). • 10 Gigabit Ethernet / 40 Gigabit Ethernet interfaces are supported on the platform.
to top in multiples of four, starting with zero; for example, 0, 4, 8, 12, and so on. When a breakout cable is installed, the resulting four 10GbE ports are numbered with the remaining numbers. For example, 40GbE port 0 contains 10GbE ports 0, 1, 2, and 3; 40GbE port 4 contains 10GbE ports 4, 5, 6, and 7. Line card 0 consists of ports 0 to 143; line card 1 consists of ports 0 to 191; line card 2 consists of ports 0 to 191. Figure 37.
• Lists all configurable interfaces on the chassis. EXEC mode show interfaces This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel.
To view which interfaces are enabled for Layer 3 data transmission, use the show ip interfaces brief command in EXEC Privilege mode. In the following example, GigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Enable the interface. 2. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
Configuration Task List for Physical Interfaces By default, all interfaces are operationally disabled and traffic does not pass through them.
interface Port-channel 1 no ip address switchport no shutdown Dell(conf-if)# Configuring Layer 2 (Interface) Mode To configure an interface in Layer 2 mode, use the following commands. • Enable the interface. INTERFACE mode • no shutdown Place the interface in Layer 2 (switching) mode. INTERFACE mode switchport For information about enabling and configuring the Spanning Tree Protocol, refer to Spanning Tree Protocol (STP).
% Error: Port is in Layer 2 mode Gi 1/2. Dell(conf-if)# To determine the configuration of an interface, use the show config command in INTERFACE mode or the various show interface commands in EXEC mode. Configuring Layer 3 (Interface) Mode To assign an IP address, use the following commands. • Enable the interface. INTERFACE mode • no shutdown Configure a primary IP address and mask on the interface.
When you enable this feature, all management routes (connected, static, and default) are copied to the management EIS routing table. Use the management route command to add new management routes to the default and EIS routing tables. Use the show ip management-eis-route command to view the EIS routes. Important Points to Remember • • • • Deleting a management route removes the route from both the EIS routing table and the default routing table.
• The slot range is 0. Configure an IP address and mask on a Management interface. INTERFACE mode ip address ip-address mask – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in / prefix format (/x). Configuring Management Interfaces on the S-Series You can manage the S-Series from any port. To configure an IP address for the port, use the following commands.
C 10.11.130.0/23 Dell# Direct, Gi 0/48 0/0 1d2h VLAN Interfaces VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information about VLANs and Layer 2, refer to Layer 2 and Virtual LANs (VLANs). NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
To configure, view, or delete a Loopback interface, use the following commands. • Enter a number as the Loopback interface. CONFIGURATION mode interface loopback number • The range is from 0 to 16383. View Loopback interface configurations. EXEC mode • show interface loopback number Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the same commands found in the physical interface are also found in the Loopback interfaces.
A port channel provides redundancy by aggregating physical interfaces into one logical interface. If one physical interface goes down in the port channel, another physical interface carries the traffic. Port Channel Benefits A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface.
configuration becomes the common speed of the port channel. If the other interfaces configured in that port channel are configured with a different speed, Dell Networking OS disables them.
You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists. Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type.
Dell# Gi 13/8 (Up) Gi 13/13 (Up) Gi 13/14 (Up) The following example shows the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a Layer 2-port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel. Dell>show interface port-channel 20 Port-channel 20 is up, line protocol is up Hardware address is 00:01:e8:01:46:fa Internet address is 1.1.120.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell Networking OS recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1. Remove the interface from the first port channel.
Example of Configuring the Minimum Oper Up Links in a Port Channel Dell#config t Dell(conf)#int po 1 Dell(conf-if-po-1)#minimum-links 5 Dell(conf-if-po-1)# Configuring VLAN Tags for Member Interfaces To configure and verify VLAN tags for individual members of a port channel, perform the following: 1. Configure VLAN membership on individual ports INTERFACE mode Dell(conf-if-te-0/2)#vlan tagged 2,3-4 2.
– secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Deleting or Disabling a Port Channel To delete or disable a port channel, use the following commands. • Delete a port channel. CONFIGURATION mode • no interface portchannel channel-number Disable a port channel. shutdown When you disable a port channel, all interfaces within the port channel are operationally down also.
– ip-selection [dest-ip | source-ip] — Distribute IP traffic based on the IP destination or source address. – mac [dest-mac | source-dest-mac | source-mac] — Distribute IPV4 traffic based on the destination or source MAC address, or both, along with the VLAN, Ethertype, source module ID and source port ID. – tcp-udp enable — Distribute traffic based on the TCP/UDP source and destination ports. – ingress-port — Option to Source Port Id for ECMP/ LAG hashing.
The hash-algorithm command is specific to ECMP group. The default ECMP hash configuration is crclower. This command takes the lower 32 bits of the hash key to compute the egress port.
Bulk Configuration Examples Use the interface range command for bulk configuration. • Create a Single-Range • Create a Multiple-Range • Exclude Duplicate Entries • Exclude a Smaller Port Range • Overlap Port Ranges • Commas • Add Ranges Create a Single-Range The following is an example of a single range.
Overlap Port Ranges The following is an example showing how the interface-range prompt extends a port range from the smallest start port number to the largest end port number when port ranges overlap. handles overlapping port ranges.
define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{gigabitethernet | tengigabitethernet | fortyGigE} slot/interface interface} [ , {vlan vlan_ID - vlan_ID} {{gigabitethernet | tengigabitethernet | fortyGigE} slot/interface - interface}] Define the Interface Range The following example shows how to define an interface-range macro named “test” to select Fast Ethernet interfaces 5/1 through 5/4.
• T — Increase refresh interval (by 1 second) • t — Decrease refresh interval (by 1 second) • c — Clear screen • a — Page down • q — Quit Dell#monitor interface Te 3/1 Dell uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
Use the show hardware sfm hg-stats and show hardware linecard hg-stats commands to display traffic statistics about the HiGig links on a line-card or SFM NPU. Use the clear hardware sfm hg-stats and clear hardware linecard hg-stats commands to reset HiGig port statistics. Link Bundle Monitoring Link bundle monitoring is supported only on the platform. Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
• A line-card (leaf) NPU supports 12 front-end I/O ports and 12 backplane HiGig ports. The 12 backplane links are members of a single HiGig link bundle that connects the line-card NPU to each SFM (spine) NPU. Two HiGig links in the bundle are used to connect to each SFM NPU. You can enable the capability to detect uneven traffic distribution in the member links of a HiGig link bundle on a line-card or SFM NPU. You can also enable a notification to be sent using alarms and SNMP traps.
– Bundle usage for egress traffic exceeds the threshold configured with the hg-link-bundle monitor trigger-threshold command. Alarms are generated only when link-bundle traffic levels are high. At low traffic levels, only one or two significant flows may cause unevenness. However, uneven traffic distribution across links during low-traffic periods is not critical and does not trigger an alarm.
Dell#show hg-link-bundle-distribution {sfm npu-id hg-port—channel hg-port— channel-id | slot slot npuUnit npu-id hg-port—channel 0} Splitting QSFP Ports to SFP+ Ports Splitting QSFP ports to SFP+ ports is supported on the platform. The platform supports splitting a single 40G QSFP port into four 10G SFP+ ports using one of the supported breakout cables (for a list of supported cables, refer to the Installation Guide or the Release Notes).
When connected to a QSFP or QSFP+ port on a 40 Gigabit adapter, QSA acts as an interface for the SFP or SFP+ cables. This interface enables you to directly plug in an SFP or SFP+ cable originating at a 10 Gigabit Ethernet port on a switch or server. You can use QSFP optical cables (without a QSA) to split a 40 Gigabit port on a switch or a server into four 10 Gigabit ports. You must enable the fan-out mode in order for this mechanism to work.
Support for LM4 Optics The newly supported LM4 optics are similar in behavior to the LR4 optics that are already supported. However, in the output of show inventory media command, an LM4 optical module is denoted as 40G-LM4. Barring this exception, the functionality and behavior of LM4 optics is similar to LR4 optics. Example Scenarios Consider the following scenarios: • QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in.
SFP+ 0 Ext Id SFP+ 0 Connector ………………………. = 0x00 = 0x23 Dell#show interfaces tengigabitethernet 0/4 transceiver SFP 0 Serial ID Base Fields SFP 0 Id = 0x0d SFP 0 Ext Id = 0x00 SFP 0 Connector = 0x23 SFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 SFP 0 Encoding = 0x00 ……………… ……………… SFP 0 Diagnostic Information =================================== SFP 0 Rx Power measurement type = OMA =================================== SFP 0 Temp High Alarm threshold = 0.
QSFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 QSFP 0 Encoding = 0x00 ……………… ……………… QSFP 0 Diagnostic Information =================================== QSFP 0 Rx Power measurement type = OMA =================================== QSFP 0 Temp High Alarm threshold = 0.000C QSFP 0 Voltage High Alarm threshold = 0.000V QSFP 0 Bias High Alarm threshold = 0.
……….
0 0 11 12 QSFP QSFP 4x10GBASE-CR1-3M 40GBASE-SR4 APF12420031B3P Link Dampening Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes a state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of reconverging.
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode. Dell# show interfaces dampening InterfaceStateFlapsPenaltyHalf-LifeReuseSuppressMax-Sup Gi 0/0Up005750250020 Gi 0/1Up21200205001500300 Gi 0/2Down4850306002000120 To view a dampening summary for the entire system, use the show interfaces dampening summary command from EXEC Privilege mode. Dell# show interfaces dampening summary 20 interfaces are configured with dampening.
Transmission Media MTU Range (in bytes) Ethernet 594-12000 = link MTU 576-9234 = IP MTU Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
Enabling Pause Frames Enable Ethernet pause frames flow control on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior. NOTE: Changes in the flow-control values may not be reflected automatically in the show interface output. As a workaround, apply the new settings, execute shut then no shut on the interface, and then check the running-config of the port. NOTE: If you disable rx flow control, Dell Networking recommends rebooting the system.
Link MTU and IP MTU considerations for port channels and VLANs are as follows. Port Channels: • • All members must have the same link MTU value and the same IP MTU value. The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU 2000, the port channel’s MTU values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU.
Example of the negotiation auto Command Dell(conf)# int tengig 0/0 Dell(conf-if-te-0/1)#neg auto Dell(conf-if-te-0/1)# ? end Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode no Negate a command or set its defaults show Show autoneg configuration information Dell(conf-if-te-0/1)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode Dell(conf-if-te-0/1)# For details about the speed, duplex, and negotiation auto commands, refer to t
Name: TenGigabitEthernet 13/3 802.1QTagged: True Vlan membership: Vlan 2 --More-- Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 1d23h45m Queueing strategy: fifo 0 packets input, 0 bytes Input 0 IP Packets, 0 Vlans 0 MPLS 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Mult
(OPTIONAL) Enter the following interface keywords and slot/port or number information: – For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a Port Channel interface, enter the keywords port-channel then a number. – For the management interface on the RPM, enter the keyword ManagementEthernet then the slot/port information. The slot range is from 0 to 1.
Internet Protocol Security (IPSec) 21 Internet protocol security (IPSec) is available on Dell Networking OS. IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
Configuring IPSec The following sample configuration shows how to configure FTP and telnet for IPSec. 1. Define the transform set. CONFIGURATION mode crypto ipsec transform-set myXform-seta esp-authentication md5 espencryption des 2. Define the crypto policy.
IPv4 Routing 22 IPv4 routing is supported on Dell Networking OS. The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• • • Assigning IP Addresses to an Interface (mandatory) Configuring Static Routes (optional) Configure Static Routes for the Management Interface (optional) For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Interface Reference Guide.
interface GigabitEthernet 0/0 ip address 10.11.1.1/24 no shutdown ! Dell(conf-if)# Dell(conf-if)#show conf ! interface GigabitEthernet 0/0 ip address 10.11.1.1/24 no shutdown ! Dell(conf-if)# Configuring Static Routes A static route is an IP address that you manually configure and that the routing protocol does not learn, such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable.
S 6.1.2.7/32 S 6.1.2.8/32 S 6.1.2.9/32 S 6.1.2.10/32 S 6.1.2.11/32 S 6.1.2.12/32 S 6.1.2.13/32 S 6.1.2.14/32 S 6.1.2.15/32 S 6.1.2.16/32 S 6.1.2.17/32 S 11.1.1.0/24 Direct, Lo 0 --More-- via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.
S S S S S S S S S S 6.1.2.9/32 6.1.2.10/32 6.1.2.11/32 6.1.2.12/32 6.1.2.13/32 6.1.2.14/32 6.1.2.15/32 6.1.2.16/32 6.1.2.17/32 11.1.1.0/24 --More-- via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.
Example of the show hosts Command To view current bindings, use the show hosts command. Dell>show host Default domain is force10networks.com Name/address lookup uses domain service Name servers are not set Host Flags TTL Type Address -------- ----- ------- ------ks (perm, OK) - IP 2.2.2.2 patch1 (perm, OK) - IP 192.68.69.2 tomm-3 (perm, OK) - IP 192.68.99.2 gxr (perm, OK) - IP 192.71.18.2 f00-3 (perm, OK) - IP 192.71.23.1 Dell> To view the current configuration, use the show running-config resolve command.
ip name-server ip-address [ip-address2 ... ip-address6] • The order you entered the servers determines the order of their use. When you enter the traceroute command without specifying an IP address (Extended Traceroute), you are prompted for a target and source IP address, timeout in seconds (default is 5), a probe count (default is 3), minimum TTL (default is 1), maximum TTL (default is 30), and port number (default is 33434).
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
• Re-enable Proxy ARP. INTERFACE mode ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output. Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command.
In Dell Networking OS versions prior to 8.3.1.0, if a gratuitous ARP is received some time after an ARP request is sent, only RP2 installs the ARP information. For example: 1. At time t=0 Dell Networking OS sends an ARP request for IP A.B.C.D 2. At time t=1 Dell Networking OS receives an ARP request for IP A.B.C.D 3. At time t=2 Dell Networking OS installs an ARP entry for A.B.C.D only on RP2. Beginning with Dell Networking OS version 8.3.1.
Figure 39. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request. Configuring ARP Retries In Dell Networking OS versions prior to 8.3.1.0, the number of ARP retries is set to five and is not configurable.
ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic. Configuration Tasks for ICMP The following lists the configuration tasks for ICMP.
2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. Refer to Configuring a Broadcast Address. Important Points to Remember • The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface. • The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper. • You may specify a maximum of 16 UDP ports.
untagged GigabitEthernet 1/2 no shutdown To view the configured broadcast address for an interface, use show interfaces command. R1_E600(conf)#do show interfaces vlan 100 Vlan 100 is up, line protocol is down Address is 00:01:e8:0d:b9:7a, Current address is 00:01:e8:0d:b9:7a Interface index is 1107787876 Internet address is 1.1.0.1/24 IP UDP-Broadcast address is 1.1.255.
Figure 40. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command. Example Output from the debug ip dhcp Command Packet 0.0.0.0:68 -> 255.255.255.255:67 TTL 128 2005-11-05 11:59:35 %RELAY-I-PACKET, BOOTP REQUEST (Unicast) received at interface 172.21.50.193 BOOTP Request, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D: 46:DC, giaddr = 0.0.0.0, hops = 2 2005-11-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D: 46:DC to 137.138.17.
IPv6 Routing 23 Internet protocol version 6 (IPv6) routing is supported on Dell Networking OS. NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the Dell Networking Operating System (OS) version supporting which features and platforms, refer to Implementing IPv6 with Dell Networking OS. IPv6 is the successor to IPv4.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses using the dynamic host control protocol (DHCP) servers via stateful auto-configuration. NOTE: Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 43. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
The following lists the Next Header field values. Value Description 0 Hop-by-Hop option header 4 IPv4 6 TCP 8 Exterior Gateway Protocol (EGP) 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page at .
However, if the Destination Address is a Hop-by-Hop options header, the Extension header is examined by every forwarding router along the packet’s route. The Hop-by-Hop options header must immediately follow the IPv6 header, and is noted by the value 0 (zero) in the Next Header field. Extension headers are processed in the order in which they appear in the packet header. Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path.
of double colons is supported in a single address. Any number of consecutive 0000 groups may be reduced to two colons, as long as there is only one double colon used in an address. Leading and/or trailing zeros in a group can also be omitted (as in ::1 for localhost, 1:: for network addresses and :: for unspecified addresses). All the addresses in the following list are all valid and equivalent.
Implementing IPv6 with Dell Networking OS Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature. Feature and Functionality Documentation and Chapter Location Basic IPv6 Commands IPv6 Basic Commands in the Dell Networking OS Command Line Interface Reference Guide.
Feature and Functionality Documentation and Chapter Location IS-IS for IPv6 Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. IS-IS for IPv6 support for redistribution Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
Feature and Functionality Documentation and Chapter Location Secure Shell (SSH) server support over IPv6 (inbound SSH) Layer 3 only Secure Shell (SSH) Over an IPv6 Transport IPv6 Access Control Lists IPv6 Access Control Lists in the Dell Networking OS Command Line Reference Guide. IPv6 Multicast MLDv1/v2 IPv6 PIM in the Dell Networking OS Command Line Reference Guide. Longest Prefix Match (LPM) Table and IPv6 /65 – /128 support Two partitions are available.
1. IPv4 32-bit LPM table (Holds IPv4 Prefixes) 2. IPv6 64-bit LPM table (Holds IPv6 Prefixes less than /65 Prefix Length) 3. IPv6 128-bit LPM table (Holds IPv6 Prefixes greater than /64 Prefix Length) The LPM table, which is 8K in size, is a dedicated table. It comprises eight ternary content addressable memory (CAM) blocks, with each block being 1K in size.
The recommended MTU for IPv6 is 1280. Greater MTU settings increase processing efficiency because each packet carries more data while protocol overheads (for example, headers) or underlying per-packet delays remain fixed. Figure 44. Path MTU Discovery Process IPv6 Neighbor Discovery IPv6 neighbor discovery protocol (NDP) is supported on the platform. NDP is a top-level protocol for neighbor discovery on an IPv6 network.
Figure 45. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Example for Configuring an IPv6 Recursive DNS Server The following example configures a RDNNS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ff02::1 ff02::2 ff02::1:ff00:12 ff02::1:ff8b:7570 ND MTU is 0 ICMP redirects are not sent DAD is enabled, number of DAD attempts: 3 ND reachable time is 20120 milliseconds ND base reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 198 to 600 seconds ND router advertisements live for 1800 seconds ND advertised hop limit is 64 IPv6 hop limit for originated packets is 64 ND dns-server ad
Adjusting Your CAM-Profile The cam-acl command is supported on the platform. Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10).
You can configure up to two IPv6 addresses on management interfaces, allowing required default router support on the management port that is acting as host, per RFC 4861. Data ports support more than two IPv6 addresses. When you configure IPv6 addresses on multiple interfaces (the ipv6 address command) and verify the configuration (the show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. • Enter the IPv6 Address for the device.
Configuring Telnet with IPv6 IPv6 telnet is supported on the platform. The Telnet client and server in Dell Networking OS supports IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router. • Enter the IPv6 Address for the device. EXEC mode or EXEC Privileged mode telnet ipv6 address – ipv6 address: x:x:x:x::x – mask: prefix length is from 0 to 128.
mroute neighbors ospf pim prefix-list route rpf Dell# IPv6 multicast-routing table IPv6 neighbor information OSPF information PIM V6 information List IPv6 prefix lists IPv6 routing information RPF table Showing an IPv6 Interface To view the IPv6 configuration for a specific interface, use the following command. • Show the currently running configuration for the specified interface.
ND base reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND hop limit is 64 Showing IPv6 Routes To view the global IPv6 routing information, use the following command. • Show IPv6 routing information for the specified route type. EXEC mode show ipv6 route type The following keywords are available: – To display information about a network, enter ipv6 address (X:X:X:X::X). – To display information about a host, enter hostname.
C 912::/64 [0/0] Direct, Lo 2, 00:02:33 O IA 999::1/128 [110/2] via fe80::201:e8ff:fe8b:3166, Te 0/24, 00:01:30 L fe80::/10 [0/0] Direct, Nu 0, 00:34:42 Dell# The following example shows the show ipv6 route static command.
– ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
Intermediate System to Intermediate System 24 Intermediate system to intermediate system (Is-IS) is supported on Dell Networking OS. • • • • The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following: • area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.
Transition Mode All routers in the area or domain must use the same type of IPv6 support, either single-topology or multitopology. A router operating in multi-topology mode does not recognize the ability of the singletopology mode router to support IPv6 traffic, which leads to holes in the IPv6 topology.
A new TLV (the Restart TLV) is introduced in the IIH PDUs, indicating that the router supports graceful restart. Timers Three timers are used to support IS-IS graceful restart functionality. After you enable graceful restart, these timers manage the graceful restart process. There are three times, T1, T2, and T3. • The T1 timer specifies the wait time before unacknowledged restart requests are generated.
• Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 14.
Enabling IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router.
The IP address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address. 5. Enter an IPv6 Address. INTERFACE mode ipv6 address ipv6-address mask • • ipv6 address: x:x:x:x::x mask: The prefix length is from 0 to 128. The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address. 6. Enable IS-IS on the IPv4 interface.
IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: IS-IS: Dell# Level-2 Hellos (sent/rcvd) : 4272/1538 PTP Hellos (sent/rcvd) : 0/0 Level-1 LSPs sourced (new/refresh) : 0/0 Level-2 LSPs sourced (new/refresh) : 0/0 Level-1 LSPs flooded (sent/rcvd) : 32/19 Level-2 LSPs flooded (sent/rcvd) : 32/17 Level-1 LSPs CSNPs (sent/rcvd) : 1538/0 Level-2 LSPs CSNPs (sent/rcvd) : 1534/0 Level-1 LSPs PSNPs (sent/rcvd) : 0/0 Level-2 LSPs PSNPs (sent/rcvd) : 0/0 Level-1
Use this command for IPv6 route computation only when you enable multi-topology. If using singletopology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4. Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
– level-1, level-2: identifies the database instance type to which the wait interval applies. The range is from 5 to 120 seconds. • The default is 30 seconds. Configure graceful restart timer T3 to set the time used by the restarting router as an overall maximum time to wait for database synchronization to complete.
To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode. Dell#show isis interface G1/34 GigabitEthernet 2/10 is up, line protocol is up MTU 1497, Encapsulation SAP Routing Protocol: IS-IS Circuit Type: Level-1-2 Interface Index 0x62cc03a, Local circuit ID 1 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
max-lsp-lifetime seconds – seconds: the range is from 1 to 65535. The default is 1200 seconds. Example of Viewing IS-IS Configuration (ROUTER ISIS Mode) To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode. Dell#show running-config isis ! router isis lsp-refresh-interval 902 net 47.0005.0001.000C.000A.4321.00 net 51.0005.0001.000C.000A.4321.
• Set the metric style for the IS-IS process. ROUTER ISIS mode metric-style {narrow [transition] | transition | wide [transition]} [level-1 | level-2] The default is narrow. The default is Level 1 and Level 2 (level-1–2) To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS matrixes settings are in bold. Example of Viewing IS-IS Metric Types Dell#show isis protocol IS-IS Router: System Id: EEEE.EEEE.
The default level is level-1. For more information about this command, refer to Configuring the IS-IS Metric Style. The following table describes the correct value range for the isis metric command. Metric Sytle Correct Value Range wide 0 to 16777215 narrow 0 to 63 wide transition 0 to 16777215 narrow transition 0 to 63 transition 0 to 63 To view the interface’s current metric, use the show config command in INTERFACE mode or the show isis interface command in EXEC Privilege mode.
Dell#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x00000009 0xF76A eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.00-00 0x00000002 0xD1A7 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000006 0xC38A eljefe.00-00 * 0x0000000D 0x51C6 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
distribute-list prefix-list-name in [interface] – Enter the type of interface and slot/port information: – For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. – For a port channel, enter the keywords port-channel then a number. – For a SONET interface, enter the keyword sonet then the slot/port information.
• – For a VLAN, enter the keyword vlan then a number from 1 to 4094. Apply a configured prefix list to all outgoing IPv6 IS-IS routes. ROUTER ISIS-AF IPV6 mode distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static] You can configure one of the optional parameters: – connected: for directly connected routes. – ospf process-id: for OSPF routes only. – rip: for RIP routes only. – static: for user-configured routes. • – bgp: for BGP routes only.
– process-id the range is from 1 to 65535. – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric value the range is from 0 to 16777215. The default is 0. – match external the range is from 1 or 2. – match internal – metric-type: external or internal. – map-name: enter the name of a configured route map. Redistributing IPv6 Routes To add routes from other routing instances or protocols, use the following commands.
Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers. However, if you want the routers in the level to communicate with each other, configure them with the same password. To configure a simple text password, use the following commands.
Example of Viewing the Overload Bit Setting When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2. Dell#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
• – interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes. EXEC Privilege mode • debug isis spf-triggers View sent and received LSPs.
Metric Style Correct Value Range for the isis metric Command wide transition 0 to 16777215 narrow transition 0 to 63 transition 0 to 63 Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value transition narrow original value transition narrow original value transition wide transition original value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value is greater than 63.
Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 18.
NOTE: Whenever you make IS-IS configuration changes, clear the IS-IS process (re-started) using the clear isis command. The clear isis command must include the tag for the ISIS process. The following example shows the response from the router: Dell#clear isis * % ISIS not enabled. Dell#clear isis 9999 * You can configure IPv6 IS-IS routes in one of the following three different methods: • Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
ipv6 address 24:3::1/76 ip router isis ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis metric-style wide level-1 metric-style wide level-2 net 34.0000.0000.AAAA.00 Dell (conf-router_isis)# Dell (conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
25 Link Aggregation Control Protocol (LACP) Link aggregation control protocol (LACP) is supported on Dell Networking OS. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• There is a difference between the shutdown and no interface port-channel commands: – The shutdown command on LAG “xyz” disables the LAG and retains the user commands. However, the system does not allow the channel number “xyz” to be statically created. – The no interface port-channel channel-number command deletes the specified LAG, including a dynamically created LAG. This command removes all LACP-specific commands on the member interfaces.
• Configure LACP mode. LACP mode [no] port-channel number mode [active | passive | off] – number: cannot statically contain any links. • The default is LACP active. Configure port priority. LACP mode [no] lacp port-priority priority-value The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768. LACP Configuration Tasks The following are LACP configuration tasks.
Configuring the LAG Interfaces as Dynamic After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command. • Configure the dynamic LAG interfaces. CONFIGURATION mode port-channel-protocol lacp Example of the port-channel-protocol lacp Command Dell(conf)#interface Gigabitethernet 3/15 Dell(conf-if-gi-3/15)#no shutdown Dell(conf-if-gi-3/15)#port-channel-protocol lacp Dell(conf-if-gi-3/15-lacp)#port-channel 32 mode active ...
Dell(conf-if-po-32)#switchport Dell(conf-if-po-32)#lacp long-timeout Dell(conf-if-po-32)#end Dell# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.a12b Partner System ID: Priority 32768, Address 0001.e801.
Figure 48. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time. Figure 49.
• • If a LAG that is part of a failover group is deleted, the failover group is deleted. If a LAG moves to the Down state due to this feature, its members may still be in the Up state. LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 50. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 132 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-by
Figure 52.
Figure 53.
interface GigabitEthernet 2/31 no ip address Summary of the LAG Configuration on Bravo Bravo(conf-if-gi-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/2
Figure 54.
Figure 55.
Figure 56. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 26 Layer 2 features are supported on Dell Networking OS. Manage the MAC Address Table Dell Networking OS provides the following management activities for the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
The range is from 10 to 1000000. Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, a message is displayed: %E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list MacLimit on GigabitEthernet 5/84 In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If you enable sticky MAC, the specified port retains any dynamically-learned addresses and prevents them from being transferred or learned on other ports. If you configure mac-learning-limit and you enabled sticky MAC, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
no ip address switchport mac learning-limit 1 dynamic no-station-move mac learning-limit station-move-violation log no shutdown Learning Limit Violation Actions Learning limit violation actions are supported only on the platform. To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received using one the following options with the mac learning-limit command, use the following commands.
NOTE: When the MAC learning limit (MLL) is configured as no-station-move, the MLL will be processed as static entries internally. For static entries, the MAC address will be installed in all port-pipes, irrespective of the VLAN membership. Recovering from Learning Limit and Station Move Violations After a learning-limit or station-move violation shuts down an interface, you must manually reset it. To reset the learning limit, use the following commands.
Figure 57. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Figure 58. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Configuring redundant pairs is supported on the platform. Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 59. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
00:24:55: %RPM0-P:CP %IFMGR-5-STATE_STBY_ACT: Changed interface state from standby to active: Gi 3/42 Dell(conf-if-gi-3/41)#do show ip int brief | find 3/41 GigabitEthernet 3/41 unassigned NO Manual administratively down down GigabitEthernet 3/42 unassigned YES Manual up up [output omitted] Example of Configuring Redundant Pairs on a Port-Channel () Dell#show interfaces port-channel brief Codes: L - LACP Port-channel LAG Mode Status Uptime Ports 1 L2 up 00:08:33 Te 0/0 (Up) 2 L2 up 00:00:02 Te 0/1 (Up) Dell
Figure 60. Configuring Far-End Failure Detection The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals, (you can set each interval can be set between 3 and 300 seconds) the state changes to unknown. 5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
To report interval frequency and mode adjustments, use the following commands. 1. Setup two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2. Activate the necessary ports administratively. INTEFACE mode no shutdown 3. Enable fefd globally. CONFIGURATION mode fefd {interval | mode} Example of the show fefd Command To display information about the state of each interface, use the show fefd command in EXEC privilege mode.
To set up and activate two or more connected interfaces, use the following commands. 1. Setup two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2. Activate the necessary ports administratively. INTERFACE mode no shutdown 3.
Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Gi 1/0) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Gi 4/0) Sender hold time -- 3 (second) 2w1d22h : FEFD packet received on interface Gi 4/0 Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Gi 1/0) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Gi 4/0) Sender hold time -- 3 (second) Layer 2 459
Link Layer Discovery Protocol (LLDP) 27 The link layer discovery protocol (LLDP) is supported on Dell Networking OS. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 20. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 63. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 21. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. Dell Networking OS does not currently support this TLV.
Type TLV Description 127 Protocol Identity Indicates the protocols that the port can process. Dell Networking OS does not currently support this TLV. 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the Dell Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDP-MED implementation.
Regarding connected endpoint devices, LLDP-MED provides network connectivity devices with the ability to: • manage inventory • manage Power over Ethernet (PoE) • identify physical location • identify network policy LLDP-MED is designed for, but not limited to, VoIP endpoints. TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4).
Type SubType TLV Description None or all TLVs must be supported. Dell Networking OS does not currently support these TLVs. 127 5 Inventory — Hardware Revision Indicates the hardware revision of the LLDPMED device. 127 6 Inventory — Firmware Revision Indicates the firmware revision of the LLDPMED device. 127 7 Inventory — Software Revision Indicates the software revision of the LLDPMED device. 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device.
Figure 64. LLDP-MED Capabilities TLV Table 23. Dell Networking OS LLDP-MED Capabilities Bit Position TLV Dell Networking OS Support 0 LLDP-MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI-PSE Yes 4 Extended Power via MDI-PD No 5 Inventory No 6–15 reserved No Table 24.
NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets for which a connection is made. In this case, configure the signaling application. Table 25.
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
Important Points to Remember • LLDP is enabled by default. • Dell Networking systems support up to eight neighbors per interface. • Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000. • INTERFACE level configurations override all CONFIGURATION level configurations. • LLDP is not hitless.
Enabling LLDP LLDP is enabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2. Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface.
3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
Figure 67. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration.
Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands. • Display brief information about adjacent devices. • show lldp neighbors Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command. • Configure a non-default transmit interval.
• Return to the default setting.
advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#multiplier ? <2-10> Multiplier (default=4) R1(conf-lldp)#multiplier 5 R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable R1(conf-lldp)#no multiplier R1(conf-lldp)#show
Figure 68. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.1AB Organizationally Specific TLVs • received and transmitted LLDP-MED TLVs Table 26.
MIB Object Category Basic TLV Selection LLDP Variable LLDP MIB Object Description msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs. mibBasicTLVsTxEnable lldpPortConfigTLVsTxEnabl e Indicates which management TLVs are enabled for system ports.
Table 27.
TLV Type TLV Name TLV Variable System interface numbering Local subtype interface number OID LLDP MIB Object lldpLocManAddrIfSu btype Remote lldpRemManAddrIfS ubtype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOI D Table 28. LLDP 802.
Table 29.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object 3 Location Data Format Local lldpXMedLocLocatio nSubtype Remote lldpXMedRemLocati onSubtype Local lldpXMedLocLocatio nInfo Remote lldpXMedRemLocati onInfo Local lldpXMedLocXPoED eviceType Remote lldpXMedRemXPoED eviceType Local lldpXMedLocXPoEPS EPowerSource Location Identifier Location ID Data 4 Extended Power via MDI Power Device Type Power Source lldpXMedLocXPoEP DPowerSource Remote lldpXMedRemXPoEP SEPowerSource lld
Microsoft Network Load Balancing 28 Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. Microsoft NLB clustering allows multiple servers running Microsoft Windows to be represented by one MAC and one IP address to provide transparent failover and load-balancing.
NLB Multicast Mode Example Consider a sample topology in which four servers, namely S1 through S4, are configured as a cluster or a farm. This set of servers is connected to a Layer 3 switch, which in turn is connected to the end-clients. They contain a single multicast MAC address (MAC-Cluster: 03-00-5E-11-11-11). In the multicast NLB mode, a static ARP configuration command is configured to associate the cluster IP address with a multicast cluster MAC address.
NLB VLAN Flooding To preserve Microsoft server failover and load-balancing, configure a switch to forward the traffic destined for a server cluster on all member ports of the VLAN connected to the cluster (ip vlanfloodingcommand). Configure the switch for NLB VLAN flooding when you configure the server cluster. After you configure a switch to perform NLB VLAN flooding: • Older ARP entries are overwritten when newer NLB entries are learned.
Multicast Source Discovery Protocol (MSDP) 29 Multicast source discovery protocol (MSDP) is supported on Dell Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 69. Multicast Source Discovery Protocol (MSDP) RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 70.
Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback address are configured with a 32-bit mask, making it a host address.
• Accept Source-Active Messages that Fail the RFP Check • Specifying Source-Active Messages • Limiting the Source-Active Cache • Preventing MSDP from Caching a Local Source • Preventing MSDP from Caching a Remote Source • Preventing MSDP from Advertising a Local Source • Terminating a Peership • Clearing Peer Statistics • Debugging MSDP • MSDP with Anycast RP • MSDP Sample Configurations Figure 71.
Figure 72.
Figure 73.
Figure 74. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains.
Examples of Configuring and Viewing MSDP R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3_E600(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
Limiting the Source-Active Cache Set the upper limit of the number of active sources that the Dell Networking OS caches. The default active source limit is 500K messages. When the total number of active sources reaches the specified limit, subsequent active sources are dropped even if they pass the reverse path forwarding (RPF) and policy check. To limit the number of sources that SA cache stores, use the following command. • Limit the number of sources that can be stored in the SA cache.
Figure 75.
Figure 76.
Figure 77.
Figure 78. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
Dell(conf)#ip access-list standard fifty Dell(conf)#seq 5 permit host 200.0.0.50 Dell#ip msdp sa-cache MSDP Source-Active Cache - 3 entries GroupAddr SourceAddr RPAddr LearnedFrom 229.0.50.2 24.0.50.2 200.0.0.50 10.0.50.2 229.0.50.3 24.0.50.3 200.0.0.50 10.0.50.2 229.0.50.4 24.0.50.4 200.0.0.50 10.0.50.2 Dell#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.
Example of Verifying the System is not Caching Local Sources When you apply this filter, the SA cache is not affected immediately. When sources that are denied by the ACL time out, they are not refreshed. Until they time out, they continue to reside in the cache. To apply the redistribute filter to entries already present in the SA cache, first clear the SA cache. You may optionally store denied sources in the rejected SA cache. R1_E600(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.
R3_E600(conf)#do show ip msdp sa-cache R3_E600(conf)# R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 0.0.0.0(639) Connect Source: Lo 0 State: Listening Up/Down Time: 00:01:19 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command.
Logging Changes in Peership States To log changes in peership states, use the following command. • Log peership state changes. CONFIGURATION mode ip msdp log-adjacency-changes Terminating a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. • Terminate the TCP connection with a peer.
Example of the clear ip msdp peer Command and Verifying Statistics are Cleared R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.3(639) Connect Source: Lo 0 State: Established Up/Down Time: 00:04:26 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 5/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none R3_E600(conf)#do clear ip msdp peer 192.168.0.
technique is less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions. • lack of scalable register decasulation: With only a single RP per group, all joins are sent to that RP regardless of the topological distance between the RP, sources, and receivers, and data is transmitted to the RP until the SPT switch threshold is reached.
Configuring Anycast RP To configure anycast RP, use the following commands. 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
CONFIGURATION mode ip msdp originator-id Examples of R1, R2, and R3 Configuration for MSDP with Anycast RP The following example shows an R1 configuration for MSDP with Anycast RP. ip multicast-routing ! interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.
no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.22/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.22/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.3 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.
neighbor neighbor neighbor neighbor ! ip ip ip ip ! ip ip ! ip 192.168.0.22 192.168.0.22 192.168.0.22 192.168.0.22 remote-as 100 ebgp-multihop 255 update-source Loopback 0 no shutdown multicast-msdp msdp peer 192.168.0.11 connect-source Loopback 0 msdp peer 192.168.0.22 connect-source Loopback 0 msdp sa-filter out 192.168.0.22 route 192.168.0.1/32 10.11.0.23 route 192.168.0.22/32 10.11.0.23 pim rp-address 192.168.0.3 group-address 224.0.0.
interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.
redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.1 connect-source Loopback 0 ! ip route 192.168.0.2/32 10.11.0.23 ip multicast-routing ! interface GigabitEthernet 4/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface GigabitEthernet 4/22 ip address 10.10.42.
30 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) is supported on Dell Networking OS. Protocol Overview MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 30. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information The following describes the MSTP implementation information.
• Enabling SNMP Traps for Root Elections and Topology Changes Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • • 1. Within an MSTI, only one path from any bridge to any other bridge is enabled. Bridges block a redundant path by disabling one of the link ports. Enter PROTOCOL MSTP mode.
Examples of Configuring and Viewing MSTI The following examples shows the msti command. Dell(conf)#protocol spanning-tree mstp Dell(conf-mstp)#msti 1 vlan 100 Dell(conf-mstp)#msti 2 vlan 200-300 Dell(conf-mstp)#show config ! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200-300 All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
NOTE: Some non-Dell Networking OS equipment may implement a non-null default region name. SFTOS, for example, uses the Bridge ID, while others may use a MAC address. Changing the Region Name or Revision To change the region name or revision, use the following commands. • Change the region name. PROTOCOL MSTP mode • name name Change the region revision number.
The default is 15 seconds. 2. Change the hello-time parameter. PROTOCOL MSTP mode hello-time seconds NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4. Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40.
• Port priority influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost. The following lists the default values for port cost by interface. Table 31.
• Enable EdgePort on an interface. INTERFACE mode spanning-tree mstp edge-port [bpduguard | shutdown-on-violation] Dell Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior: – If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. – When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Figure 81. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 ! (Step 2) interface GigabitEthernet 3/11 no ip address switchport no shutdown ! interface GigabitEthernet 3/21 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged GigabitEthernet 3/11,21 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 3/11,21 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 3/11,21 no shutdown SFTOS Example Running-Configuration This example uses the
(Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode • debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
– Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others. The following example shows the show run spanning-tree mstp command. Dell#show run spanning-tree mstp ! protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 The following example shows viewing the debug log of a successful MSTP configuration.
INST 2: Flags: 0x70, Reg Root: 32768:0001.e8d5.
Multicast Features 31 Multicast features are supported on Dell Networking OS. NOTE: Multicast is supported on secondary IP addresses on the platform. NOTE: Multicast routing for IPv6 is not supported. The Dell Networking Operating System (OS) supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Enabling IP Multicast Enable IP multicast is supported on the S6000 platform.
Figure 82. Multicast with ECMP Implementation Information Because protocol control traffic in Dell Networking OS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, Dell Networking OS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper5 bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address.
Protocol Ethernet Address PIM-SM 01:00:5e:00:00:0d • The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fennertraceroute-ipm. • Multicast is not supported on secondary IP addresses. • Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing. First Packet Forwarding for Lossless Multicast All initial multicast packets are forwarded to receivers to achieve lossless multicast.
• If the limit is decreased after it is reached, Dell Networking OS does not clear the existing sessions. Entries are cleared after a timeout (you may also clear entries using clear ip mroute). NOTE: Dell Networking OS waits at least 30 seconds between stopping and starting IGMP join processing. You may experience this delay when manipulating the limit after it is reached.
no access list limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table. Figure 83. Preventing a Host from Joining a Group Table 32. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • 530 Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.
Location Description • no shutdown 1/31 • • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.
Location Description • • ip igmp access-group igmpjoinfilR2G2 no shutdown Rate Limiting IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting that rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built-in to IGMP so that they’re membership is delayed rather than permanently denied. • Limit the rate at which new groups can be joined.
Figure 84. Preventing a Source from Transmitting to a Group Table 33. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Open Shortest Path First (OSPFv2 and OSPFv3) 32 Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Areas allow you to further organize your routers within in the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 85. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.
The backbone is the only area with a default area number. All other areas can have their Area ID assigned in the configuration. In the previous example, Routers A, B, C, G, H, and I are the Backbone. • A stub area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. NOTE: Configure all routers within an assigned stub area as stubby, and not generate LSAs that do not apply.
Figure 86. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
available. An ABR floods the information for the router (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR). • Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Virtual Links In the case in which an area cannot be directly connected to Area 0, you must configure a virtual link between that area and Area 0. The two endpoints of a virtual link are ABRs, and you must configure the virtual link in both routers. The common non-backbone area to which the two routers belong is called a transit area. A virtual link specifies the transit area and the router ID of the other virtual endpoint (the other ABR).
OSPF with Dell Networking OS Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Dell Networking OS supports multiple OSPF processes (OSPF MP) on OSPFv2 only. The platform supports 32 OSPF processes simultaneously. On OSPFv3, Dell Networking OS supports only one process at a time for all platforms. OSPFv2 and OSPFv3 can coexist but you must configure them individually.
Processing SNMP and Sending SNMP Traps Though there are may be several OSPFv2 processes, only one process can process simple network management protocol (SNMP) requests and send SNMP traps. NOTE: SNMP get request corresponding to the OspfNbrOption feild in the OspfNbrTable returns a value of 66. RFC-2328 Compliant OSPF Flooding In OSPF, flooding is the most resource-consuming task.
Supports only single TOS (TOS0) routes It is an Autonomous System Boundary Router It is Flooding according to RFC 2328 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 1, normal 0 stub 0 nssa 1 --More-- OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases.
Configuration Information The interfaces must be in Layer-3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. NOTE: Loop back routes are not installed in the Route Table Manager (RTM) as non-active routes.
If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1. Assign an IP address to an interface. CONFIG-INTERFACE mode ip address ip-address mask The format is A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3.
• Reset the OSPFv2 process. EXEC Privilege mode • clear ip ospf process-id View the current OSPFv2 status. EXEC mode show ip ospf process-id Example of Viewing the Current OSPFv2 Status Dell#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.
If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays: C300(conf)#router ospf 1 % Error: No router ID available. Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
Dell(conf)#router ospf 1 Dell(conf-router_ospf-1)#network 1.2.3.4/24 area 0 Dell(conf-router_ospf-1)#network 10.10.10.10/24 area 1 Dell(conf-router_ospf-1)#network 20.20.20.20/24 area 2 Dell(conf-router_ospf-1)# Dell# Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting. To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode.
Loopback 0 is up, line protocol is up Internet Address 10.168.253.2/32, Area 0.0.0.1 Process ID 1, Router ID 10.168.253.2, Network Type LOOPBACK, Cost: 1 Loopback interface is treated as a stub Host. Dell# Configuring Stub Areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached.
Configuring LSA Throttling Timers Configured link-state advertisement (LSA) timers replace the standard transmit and acceptance times for LSAs. The LSA throttling timers are configured in milliseconds. The interval time increases exponentially until a maximum time is reached. If the maximum time is reached, the system continues to transmit at the maximum interval. If the system is stable for twice the maximum interval time, it reverts to the startinterval timer. The cycle repeats.
To remove the passive interface from select interfaces, use the no passive-interface interface command while passive interface default is configured. To enable both receiving and sending routing updates, use the no passive-interface interface command. Example of Viewing Passive Interfaces When you configure a passive interface, the show ip ospf process-id interface command adds the words passive interface to indicate that the hello packets are not transmitted on that interface (shown in bold).
The higher the number, the faster the convergence. When disabled, the parameter is set at 0. NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support.
– seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval. • The dead interval must be the same on all routers in the OSPF network. Change the time interval between hello-packet transmission. CONFIG-INTERFACE mode ip ospf hello-interval seconds – seconds: the range is from 1 to 65535 (the default is 10 seconds). • The hello interval must be the same on all routers in the OSPF network.
To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration. Dell(conf-if)#ip ospf cost 45 Dell(conf-if)#show config ! interface GigabitEthernet 0/0 ip address 10.1.2.100 255.255.255.0 no shutdown ip ospf cost 45 Dell(conf-if)#end Dell#show ip ospf 34 interface GigabitEthernet 0/0 is up, line protocol is up Internet Address 10.1.2.100/24, Area 2.2.2.
Configuring Virtual Links Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0). If an OSPF area does not have a direct connection to the backbone, at least one virtual link is required. Configure virtual links on an ABR connected to the backbone.
Creating Filter Routes To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists. If they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process. • Create a prefix list and assign it a unique name. CONFIGURATION mode ip prefix-list prefix-name • You are in PREFIX LIST mode.
Configure the following required and optional parameters: – bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes. – metric metric-value: the range is from 0 to 4294967295. – metric-type metric-type: 1 for OSPF external route type 1. 2 for OSPF external route type 2. – route-map map-name: enter a name of a configured route map. – tag tag-value: the range is from 0 to 4294967295.
• View the summary information of the IP routes. EXEC Privilege mode • show ip route summary View the summary information for the OSPF database. EXEC Privilege mode • show ip ospf database View the configuration of OSPF neighbors connected to the local router. EXEC Privilege mode • show ip ospf neighbor View the LSAs currently in the queue. EXEC Privilege mode • show ip ospf timers rate-limit View debug messages.
ipv6 router ospf 999 default-information originate always router-id 10.10.10.10 Dell# Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Gl 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.0.23.0/24 area 0 ! interface Loopback 30 ip address 192.168.100.100/24 no shutdown ! interface GigabitEthernet 3/1 ip address 10.1.13.3/24 no shutdown ! interface GigabitEthernet 3/2 ip address 10.2.13.3/24 no shutdown OSPF Area 0 — Gl 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.
NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. All IPv6 addresses on an interface are included in the OSPFv3 process that is created on the interface. Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically.
ipv6 ospf process-id area area-id – process-id: the process ID number assigned. – area-id: the area ID for this interface. Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. • Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} • The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address.
• Specify whether some or all some of the interfaces are passive. CONF-IPV6-ROUTER-OSPF mode passive-interface {type slot/port} Interface: identifies the specific interface that is passive. – For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information (for example, passive-interface gi 2/1).
default-information originate [always [metric metric-value] [metric-type type-value]] [route-map map-name] Configure the following required and optional parameters: – always: indicate that default route information is always advertised. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. – route-map map-name: enter a name of a configured route map.
You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent. OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
– Configuring IPsec Encryption for an OSPFv3 Area – Displaying OSPFv3 IPsec Security Policies Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands.
• Enable IPsec encryption for OSPFv3 packets on an IPv6-based interface. INTERFACE mode ipv6 ospf encryption {null | ipsec spi number esp encryption-algorithm [keyencryption-type] key authentication-algorithm [key-authentication-type] key} – null: causes an encryption policy configured for the area to not be inherited on the interface. – ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295.
• Enable IPSec authentication for OSPFv3 packets in an area. CONF-IPV6-ROUTER-OSPF mode area-id authentication ipsec spi number {MD5 | SHA1} [key-encryption-type] key – area area-id: specifies the area for which OSPFv3 traffic is to be authenticated. For area-id, enter a number or an IPv6 prefix. – spi number: is the SPI value. The range is from 256 to 4294967295. – MD5 | SHA1: specifies the authentication type: message digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
– key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192. – key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
Crypto IPSec client security policy data Policy name Policy refcount Inbound ESP SPI Outbound ESP SPI Inbound ESP Auth Key Outbound ESP Auth Key Inbound ESP Cipher Key Outbound ESP Cipher Key Transform set : : : : : : : : : OSPFv3-1-502 1 502 (0x1F6) 502 (0x1F6) 123456789a123456789b123456789c12 123456789a123456789b123456789c12 123456789a123456789b123456789c123456789d12345678 123456789a123456789b123456789c123456789d12345678 esp-3des esp-md5-hmac Crypto IPSec client security policy data Policy name : OSPFv
outbound esp sas Interface: TenGigabitEthernet 0/1 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 Dell Networking OS has several tools
• show ipv6 route summary View the summary information for the OSPFv3 database. EXEC Privilege mode • show ipv6 ospf database View the configuration of OSPFv3 neighbors. EXEC Privilege mode • show ipv6 ospf neighbor View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [event | packet] {type slot/port} – event: View OSPF event messages. – packet: View OSPF packets.
Pay As You Grow 33 The Pay As You Grow (PAYG) software feature allows you to purchase a Z9500 switch with 36 40G ports (144 10G ports) and upgrade to a larger number of ports as your networking needs grow. A Z9500 switch with a 36 40G-port license has only the ports on line card 0 enabled. See the Port Numbering figure in this section for exact port location.
To enable licensed ports, install the license for a Z9500 port configuration and reload the switch. 1. Check the current Z9500 port configuration. show system brief EXEC Privilege mode In the command output, the status of the line cards indicates the current port configuration. As shown in the following example, if line cards 0 and 1 are online, 84 40G ports (336 10G ports) are enabled.
Reloading the chassis will affect existing network traffic. Continue to install license [yes/no] ? yes Retrieving license....... (ok) Validating license....... (ok) Installing license....... (ok) License installation successful. Restart chassis to activate license. 4. Reboot the switch to enable the licensed port configuration. reload EXEC Privilege mode Enter Yes at the prompts to save the port configuration and complete the reload; for example: ??? Dell# reload System configuration has been modified.
Display of a Newly Installed License If you have installed a new license but have not yet reloaded the switch, the following information is displayed.
PIM Sparse-Mode (PIM-SM) 34 Protocol-independent multicast sparse-mode (PIM-SM) is supported on Dell Networking OS. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information Be aware of the following PIM-SM implementation information.
received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP. 3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
Important Point to Remember If you use a Loopback interface with a /32 mask as the RP, you must enable PIM Sparse-mode on the interface. Configuring PIM-SM Configuring PIM-SM is a three-step process. 1. Enable multicast routing (refer to the following step). 2. Select a rendezvous point. 3. Enable PIM-SM on an interface. Enable multicast routing. CONFIGURATION mode ip multicast-routing Related Configuration Tasks The following are related PIM-SM configuration tasks.
NOTE: You can influence the selection of the Rendezvous Point by enabling PIM-Sparse mode on a Loopback interface and assigning a low IP address. To display PIM neighbors for each interface, use the show ip pim neighbor command EXEC Privilege mode. Dell#show ip Neighbor Address 127.87.5.5 127.87.3.5 127.87.50.
The default is 210. 2. Create an extended ACL. CONFIGURATION mode ip access-list extended access-list-name 3. Specify the source and group to which the timer is applied using extended ACLs with permit rules only. CONFIG-EXT-NACL mode [seq sequence-number] permit ip source-address/mask | any | host sourceaddress} {destination-address/mask | any | host destination-address} 4. Set the expiry time for a specific (S,G) entry (as shown in the following example).
interface Loopback 0 ip address 1.1.1.1/32 ip pim sparse-mode no shutdown Dell#sh run pim ! ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
EXEC Privilege mode show ip pim interface Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface.
PIM Source-Specific Mode (PIM-SSM) 35 PIM source-specific mode (PIM-SSM) is supported on Dell Networking OS. PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SMM Configuring PIM-SSM is a two-step process. 1. Configure PIM-SMM. 2. Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created.
• • • When you remove the mapping configuration, Dell Networking OS removes the corresponding (S,G) states that it created and re-establishes the original (*,G) states. You may enter multiple ssm-map commands for different access lists. You may also enter multiple ssm-map commands for the same access list, as long as they use different source addresses. When an extended ACL is associated with this command, Dell Networking OS displays an error message.
Interface Vlan 400 Group 239.0.0.1 Uptime 00:00:05 Expires Never Router mode INCLUDE Last reporter 10.11.4.2 Last reporter mode INCLUDE Last report received ALLOW Group source list Source address Uptime Expires 10.11.5.
Policy-based Routing (PBR) 36 Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Implementing Policy-based Routing with Dell Networking OS • Non-contiguous bitmasks for PBR • Hot-Lock PBR Non-contiguous bitmasks for PBR Non-contiguous bitmasks for PBR allows more granular and flexible control over routing policies. Network addresses that are in the middle of a subnet can be included or excluded. Specific bitmasks can be entered using the dotted decimal format. Non-contiguous bitmask example Dell#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.
The following example creates a redirect list by the name of “xyz.” Dell(conf)#ip redirect-list ? WORD Redirect-list name (max 16 chars) Dell(conf)#ip redirect-list xyz Create a Rule for a Redirect-list Use the following command in CONFIGURATION REDIRECT-LIST mode to set the rules for the redirect list. You can enter the command multiple times and create a sequence of redirect rules. Use the seq nn redirect version of the command to organize your rules.
Dell(conf-redirect-list)#redirect 3.3.3.3 ? <0-255> An IP protocol number icmp Internet Control Message Protocol ip Any Internet Protocol tcp Transmission Control Protocol udp User Datagram Protocol Dell(conf-redirect-list)#redirect 3.3.3.3 ip ? A.B.C.D Source address any Any source host host A single source host Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ? Mask A.B.C.D or /nn Mask in dotted decimal or in format Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 ? A.B.C.
PBR Exceptions (Permit) Use the command permit to create an exception to a redirect list. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. Dell Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Since the order of rules is important, ensure that you configure any necessary sequence numbers.
Applying a Redirect-list to an Interface Example: Dell(conf-if-te-2/0)#ip redirect-group xyz Dell(conf-if-te-2/0)# Applying a Redirect-list to an Interface Example: Dell(conf-if-te-1/0)#ip redirect-group test Dell(conf-if-te-1/0)#ip redirect-group xyz Dell(conf-if-te-1/0)#show config ! interface TenGigabitEthernet 1/0 no ip address ip redirect-group test ip redirect-group xyz shutdown Dell(conf-if-te-1/0)# In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are su
NOTE: If, the redirect-list is applied to an interface, the output of show ip redirect-list redirect-listname command displays reachability and ARP status for the specified next-hop.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23), ARP resolved seq 10 redirect 10.99.99.254 ip 192.168.2.
37 Port Monitoring Port monitoring is supported on Dell Networking OS. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
Dell(conf-mon-sess-300)#source tegig 0/17 destination tegig 0/1 direction tx Dell(conf-mon-sess-300)#do show mon session SessionID Source Destination Direction Mode Type --------- ------ ----------- --------- ------0 Te 0/13 Gi 0/1 rx interface Port-based 10 Te 0/14 Gi 0/2 rx interface Port-based 20 Te 0/15 Gi 0/3 rx interface Port-based 30 Te 0/16 Gi 0/37 rx interface Port-based 300 Te 0/17 Gi 0/1 tx interface Port-based Dell(conf-mon-sess-300)# Example of Configuring Another Monitoring Session with a Prev
Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095. If the MD port is in a Layer 3 VLAN, the frames are tagged with the respective Layer 3 VLAN ID.
3 Te 0/0 4 Te 0/0 5 Te 0/0 Dell(conf-mon-sess-5)# Te 0/3 Te 0/4 Te 0/5 both Port both Port both Port N/A N/A N/A N/A N/A N/A Dell(conf)#mon ses 300 Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx %Unable to create MTP entry for MD tenG 0/17 MG tenG 0/4 in stack-unit 0 portpipe 0.
Similarly, if BPDUs are transmitted, the MG port receives them tagged with the VLAN ID 4095. This behavior might result in a difference between the number of egress packets on the MD port and monitored packets on the MG port. Dell Networking OS Behavior: The switch continues to mirror outgoing traffic even after an MD participating in spanning tree protocol (STP) transitions from the forwarding to blocking. Configuring Port Monitoring To configure port monitoring, use the following commands. 1.
Figure 91. Port Monitoring Example Remote Port Mirroring While local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router, remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
The reserved VLANs transport the mirrored traffic in sessions (blue pipes) to the destination analyzers in the local network. Two destination sessions are shown: one for the reserved VLAN that transports orange-circle traffic; one for the reserved VLAN that transports green-circle traffic.
• The RPM VLAN can’t be a Private VLAN. • The RPM VLAN can be used as GVRP VLAN. • The L3 interface configuration should be blocked for RPM VLAN. • The member port of the reserved VLAN should have MTU and IPMTU value as MAX+4 (to hold the VLAN tag parameter). • To associate with source session, the reserved VLAN can have at max of only 4 member ports. • To associate with destination session, the reserved VLAN can have multiple member ports.
• • • • • • You can configure the same source port to be used in multiple source sessions. You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session. A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port. A destination port cannot be used in any spanning tree instance.
Step Command Purpose 1 configure terminal Enter global configuration mode. 2 monitor session type rpm The needs to be unique and not already defined in the box specifying type as 'rpm' defines a RPM session. 3 source Interface | Range Specify the port or list of ports that needs to be monitored 4 direction Specify rx, tx or both in case to monitor ingress/ egress or both ingress and egress packets on the specified port..
Dell(conf)#interface vlan 30 Dell(conf-if-vl-30)#mode remote-port-mirroring Dell(conf-if-vl-30)#tagged te 0/30 Dell(conf-if-vl-30)#exit Dell(conf)#interface port-channel 10 Dell(conf-if-po-10)#channel-member te 0/28-29 Dell(conf-if-po-10)#no shutdown Dell(conf-if-po-10)#exit Dell(conf)#monitor session 3 type rpm Dell(conf-mon-sess-3)#source port-channel 10 dest remote-vlan 30 dir both Dell(conf-mon-sess-3)#no disable Dell(conf-mon-sess-3)# Dell(conf-mon-sess-3)#exit Dell(conf)#end Dell# Dell#show monitor se
Dell(conf)#monitor session 2 type rpm Dell(conf-mon-sess-2)#source remote-vlan 20 destination te 0/4 Dell(conf-mon-sess-2)#tagged destination te 0/4 Dell(conf-mon-sess-2)#exit Dell(conf)#monitor session 3 type rpm Dell(conf-mon-sess-3)#source remote-vlan 30 destination te 0/5 Dell(conf-mon-sess-3)#tagged destination te 0/5 Dell(conf-mon-sess-3)#end Dell# Dell#show monitor session SessID Source Destination Dir Mode Source IP ------ ------------------ ---- --------1 remote-vlan 10 Te 0/3 N/A N/A N/A 2 remote-
Configuring the Encapsulated Remote Port Mirroring The ERPM session copies traffic from the source ports/lags or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination ip address specified in the session. Important: The steps to be followed for the ERPM Encapsulation : • Dell Networking OS supports ERPM Source session only. The Encapsulated packets terminate at the destination ip or at the analyzer.
6 flow-based enable Specify flow-based enable for mirroring on a flow by flow basis and also for vlan as source. 7 no enable (Optional) No disable command is mandatory in order for a erpm session to be active. The following example shows a sample configuration . Dell(conf)#monitor session 0 type erpm Dell(conf-mon-sess-0)#source tengigabitethernet 0/9 direction rx Dell(conf-mon-sess-0)#source port-channel 1 direction tx Dell(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.
Private VLANs (PVLAN) 38 The private VLAN (PVLAN) feature is supported on Dell Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A switch can have one or more primary VLANs, and it can have none. – A primary VLAN has one or more secondary VLANs. – A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode • [no] private-vlan mapping secondary-vlan vlan-list Display type and status of PVLAN interfaces. EXEC mode or EXEC Privilege mode • show interfaces private-vlan [interface interface] Display PVLANs and/or interfaces that are part of a PVLAN. EXEC mode or EXEC Privilege mode • show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] Display primary-secondary VLAN mapping.
switchport 4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} • host (isolated or community VLAN port) • promiscuous (intra-VLAN communication port) • trunk (inter-switch PVLAN hub port) Example of the switchport mode private-vlan Command For interface details, refer to Enabling a Physical Interface in the Interfaces chapter. NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs.
4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: 5. • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-IDVLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Add promiscuous ports as tagged or untagged interfaces.
4. Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/ port,port,port) or hyphenated (slot/ port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1.
Dell(conf-vlan-100)# private-vlan mode isolated Dell(conf-vlan-100)# untagged Gi 2/2 Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 92. Sample Private VLAN Topology The following configuration is based on the example diagram for the C300–1: • Gi 0/0 and Gi 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Gi 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000. • All the ports in the secondary VLANs (both community and isolated VLANs) can only communicate with ports in the other secondary VLANs of that PVLAN over Layer 3, and only when the ip localproxy-arp command is invoked in the primary VLAN.
• The following examples show the results of using this command without the command options on the C300 and S50V switches in the topology diagram previously shown. Display the primary-secondary VLAN mapping. The following example shows the output from the S50V. show vlan private-vlan mapping This command is specific to the PVLAN feature. Examples of Viewing a Private VLAN using the show Commands The show arp and show vlan commands are revised to display PVLAN data.
switchport mode private-vlan promiscuous no shutdown ! interface GigabitEthernet 0/4 no ip address switchport switchport mode private-vlan host no shutdown ! interface GigabitEthernet 0/5 no ip address switchport switchport mode private-vlan host no shutdown ! interface GigabitEthernet 0/6 no ip address switchport switchport mode private-vlan host no shutdown ! interface GigabitEthernet 0/25 no ip address switchport switchport mode private-vlan trunk no shutdown ! interface Vlan 4000 private-vlan mode prim
Per-VLAN Spanning Tree Plus (PVST+) 39 Per-VLAN spanning tree plus (PVST+) is supported on Dell Networking OS. Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 93.
Table 34. Spanning Tree Variations Dell Networking OS Supports Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.
no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode • disable Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 94. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Gi 1/32 Port 375 (GigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.
PROTOCOL PVST mode vlan max-age The range is from 6 to 40. The default is 20 seconds. The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command. Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type.
The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
PVST+ in Multi-Vendor Networks Some non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D BPDU and an untagged PVST+ BPDU. Dell Networking systems do not expect PVST+ BPDU (tagged or untagged) on an untagged port. If this situation occurs, Dell Networking OS places the port in an Error-Disable state. This behavior might result in the network not converging.
Example of Viewing the Extend System ID in a PVST+ Configuration Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no ip address tagged GigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tagged GigabitEthernet 2/12,32 no shutdown ! interface Vlan 300 no ip address tagged GigabitEthernet 2/12,32 no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface GigabitEthernet 3/12 no ip address switchport no shutdown ! interface GigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged GigabitEthe
40 Quality of Service (QoS) Quality of service (QoS) is supported on Dell Networking OS. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 36.
Feature Direction Configure a Scheduler to Queue Egress Specify WRED Drop Precedence Egress Create Policy Maps Ingress + Egress Create Input Policy Maps Ingress Honor DSCP Values on Ingress Packets Ingress Honoring dot1p Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling StrictPriority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress
Figure 96. Dell Networking QoS Architecture Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
• • Configuring Port-Based Rate Policing Configuring Port-Based Rate Shaping Setting dot1p Priorities for Incoming Traffic Dell Networking OS places traffic marked with a priority in a queue based on the following table. If you set a dot1p priority for a port-channel, all port-channel members are configured with the same value. You cannot assign a dot1p value to an individual interface in a port-channel. • Change the priority of incoming traffic on the interface.
class dynamic dotp or trust dot1p. When priority-tagged frames ingress a tagged port, the frames are dropped because, for a tagged port, the default VLAN is 0. Dell Networking OS Behavior: Hybrid ports can receive untagged, tagged, and priority tagged frames. The rate metering calculation might be inaccurate for untagged ports because an internal assumption is made that all frames are treated as tagged. Internally, the ASIC adds a 4-bytes tag to received untagged frames.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 97. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell Networking OS matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using layer 3 class-maps. You may specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map. NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs. Use step 1 or step 2 to start creating a Layer 3 class map.
The following example matches IPv6 traffic with a DSCP value of 40. Dell(conf)# class-map match-all test Dell(conf-class-map)# match ipv6 dscp 40 The following example matches IPv4 and IPv6 traffic with a precedence value of 3. Dell(conf)# class-map match-any test1 Dell(conf-class-map)#match ip-any precedence 3 Creating a Layer 2 Class Map All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command.
Dell(conf)# interface fo 0/0 INTERFACE mode Dell(conf-if-fo-0/0)# ip address 90.1.1.1/16 2. Configure a Layer 2 QoS policy with Layer 2 (Dot1p or source MAC-based) match criteria. CONFIGURATION mode Dell(conf)# policy-map-input l2p layer2 3. Apply the Layer 2 policy on a Layer 3 interface.
6. Create an input policy map. CONFIGURATION mode Dell(conf)#policy-map-input pp_policmap 7. Create a service queue to associate the class map and QoS policy map.
! class-map match-any ClassAF1 match ip access-group AF1-FB1 set-ip-dscp 10 match ip access-group AF1-FB2 set-ip-dscp 12 match ip dscp 10 set-ip-dscp 14 match ipv6 dscp 20 set-ip-dscp 14 ! class-map match-all ClassAF2 match ip access-group AF2 match ip dscp 18 Dell#show running-config ACL ! ip access-list extended AF1-FB1 seq 5 permit ip host 23.64.0.2 any seq 10 deny ip any any ! ip access-list extended AF1-FB2 seq 5 permit ip host 23.64.0.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. • • Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
queue other than the one specified in the informational message, Dell Networking OS replaces the first 3–bits in the DSCP field with the queue ID you specified. Example of Setting a DSCP Value for Egress Packets Dell#config Dell(conf)#qos-policy-input my-input-qos-policy Dell(conf-qos-policy-in)#set ip-dscp 34 % Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b).
QOS-POLICY-OUT mode rate-shape Allocating Bandwidth to Queue Schedule packets for egress based on Deficit Round Robin (DRR). These strategies both offer a guaranteed data rate. The following table lists the default bandwidth weights for each queue, and their equivalent percentage which is derived by dividing the bandwidth weight by the sum of all queue weights. Table 37. Default Bandwidth Weights Queue Default Weight Equivalent Percentage 0 1 6.67% 1 2 13.33% 2 4 26.67% 3 8 53.
3. Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command. • Apply an input QoS policy to an input policy map.
Table 39. Default dot1p to Queue Mapping dot1p Queue ID 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 The dot1p value is also honored for frames on the default VLAN. For more information, refer to PriorityTagged Frames on the Default VLAN. • Enable the trust dot1p feature. POLICY-MAP-IN mode trust dot1p Mapping dot1p Values to Service Queues All traffic is by default mapped to the same queue, Queue 0.
• You cannot apply an input Layer 2 QoS policy on an interface you also configure with vlan-stack access. • If you apply a service policy that contains an ACL to more than one interface, Dell Networking OS uses ACL optimization to conserve CAM space. The ACL optimization behavior detects when an ACL exists in the CAM rather than writing it to the CAM multiple times. • Apply an input policy map to an interface.
You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
qos dscp-color-policy color-map-name Example: Create a DSCP Color Map The following example creates a DSCP color map profile, color-awareness policy, and applies it to interface te 0/11. Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence , and set the DSCP values to 9,10,11,13,15,16 Dell(conf)# qos dscp-color-map bat-enclave-map Dell(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16 Dell (conf-dscp-color-map)# exit Assign the color map, bat-enclave-map to interface te 0/11.
TE 0/10 TE0/11 mapONE mapTWO Display summary information about a color policy for a specific interface.
• A queue with strict priority can starve other queues in the same port-pipe. • Assign strict priority to one unicast queue. CONFIGURATION mode strict-priority The range is from 1 to 3. Weighted Random Early Detection Weighted random early detection (WRED) is supported on the platform. The WRED congestion avoidance mechanism drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets.
Creating WRED Profiles To create WRED profiles, use the following commands. 1. Create a WRED profile. CONFIGURATION mode wred-profile 2. Specify the minimum and maximum threshold values. WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic Dell Networking OS should apply the profile. Dell Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on it DSCP value before queuing it.
Explicit Congestion Notification Explicit Congestion Notification (ECN) enhances and extends WRED functionality by marking packets for later transmission instead of dropping them when a threshold value is exceeded. Use ECN for WRED to reduce the packet transmission rate in a congested, heavily-loaded network. While WRED drops packets to indicate congestion, ECN marks packets instead of dropping them when the average queue length exceeds the threshold value.
• match ip vlan By default, all packets are marked for green handling if the rate-police and trust-diffserv commands are not used in an ingress policy map. All packets marked for red handling or “violate” are dropped. In the class map, in addition to color-marking matching packets for yellow handling, you can also configure a DSCP value for matching packets.
ip access-list standard dscp_40 seq 5 permit any dscp 40 ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 se
apply a WRED profile to a policy-map so that the specified traffic can be prevented from consuming too much of the BTM resources. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion. ECN is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ ECN to mark the packets and reduce the rate of sending packets in a congested network.
You can define WRED profiles and weight on each of the global service-pools for both loss-based and lossless (PFC) service- pools. The following events occur when you configure WRED and ECN on global service-pools: • If WRED/ECN is enabled on the global service-pool with threshold values and if it is not enabled on the queues, WRED/ECN are not effective based on global service-pool WRED thresholds.
Queue Configuration Service-Pool Configuration WRED Threshold Relationship Q threshold = QT, Service pool threshold = SP-T Expected Functionality SP-T < Q-T Same as above but ECN marking starts above SP-T. Benefits of Using a Configurable Weight for WRED with ECN On the Z9500, using a configurable weight for WRED and ECN allows you to specify how the average queue size is calculated.
The average queue size is computed using the last calculated average-queue size and the current queue size. The following is the formula to calculate the average queue size: average-queue-size (t+1) = average-queue-size (t) + (current-queue-length - average-queue-size (t))/2^N where t is the time or the current instant at which average queue size is measured, t+1 is the next calculation of the average queue size, and N is the weight factor.
Table 41.
3. Configure another WRED profile, and specify the threshold and maximum drop rate. WRED mode Dell(conf-wred) #wred—profile thresh-2 Dell(conf-wred) #threshold min 300 max 400 max-drop-rate 80 4. Associate the service class with the WRED profile, and assign the WRED profile to specific queues on backplane ports.
many entries as possible, and then generates an CAM-full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
SNMP Support for Buffer Statistics Tracking SNMP support for buffer statistics tracking (BST) counters is implemented in the F10-FPSTATS MIB. BST counters allow you to better monitor system resources and allocate buffer memory. BST counters include the Max Use Count statistic, which provides the maximum counter value over a period of time. In the F10-FPSTATS MIB, the following tables display BST counters: • fpEgrQBuffSnapshotTable: Retrieves BST statistics from the egress port used in a buffer.
Routing Information Protocol (RIP) 41 Routing information protocol (RIP) is supported on Dell Networking OS. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Implementation Information Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell Networking OS. Table 42.
Enabling RIP Globally By default, RIP is not enabled in Dell Networking OS. To enable RIP globally, use the following commands. 1. Enter ROUTER RIP mode and enable the RIP process on Dell Networking OS. CONFIGURATION mode router rip 2. Assign an IP network address as a RIP network to exchange routing information.
192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 0/0 192.162.2.0/24 auto-summary 192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 0/0 192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes.
• distribute-list prefix-list-name in Assign a configured prefix list to all outgoing RIP routes. ROUTER RIP mode distribute-list prefix-list-name out To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process.
• Set the RIP versions received on that interface. INTERFACE mode • ip rip receive version [1] [2] Set the RIP versions sent out on that interface. INTERFACE mode ip rip send version [1] [2] Examples of the RIP Process To see whether the version command is configured, use the show config command in ROUTER RIP mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2.
Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send FastEthernet 0/0 2 1 2 Routing for Networks: 10.0.0.
Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command. Exercise caution when applying an offset command to routers on a broadcast network, as the router using the offset command is modifying RIP advertisements before sending out those advertisements.
Dell#debug ip rip RIP protocol debug is ON Dell# To disable RIP, use the no debug ip rip command. RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names.
Core 2 RIP Output The examples in the section show the core 2 RIP output. Examples of the show ip Commands to View Core 2 Information • To display Core 2 RIP database, use the show ip rip database command. • To display Core 2 RIP setup, use the show ip route command. • To display Core 2 RIP activity, use the show ip protocols command. The following example shows the show ip rip database command to view the learned RIP routes on Core 2.
The following example shows the show ip protocols command to show the RIP configuration activity on Core 2.
Examples of the show ip Commands to View Learned RIP Routes on Core 3 The following example shows the show ip rip database command to view the learned RIP routes on Core 3. Core3#show ip rip database Total number of routes in RIP database: 7 10.11.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 10.200.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 10.300.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 10.11.20.0/24 directly connected,GigabitEthernet 10.11.30.
GigabitEthernet 3/44 2 2 GigabitEthernet 3/43 2 2 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.2 120 00:00:22 Distance: (default is 120) Core3# RIP Configuration Summary Examples of Viewing RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2. ! interface GigabitEthernet 2/11 ip address 10.11.10.1/24 no shutdown ! interface GigabitEthernet 2/31 ip address 10.11.20.
ip address 192.168.2.1/24 no shutdown ! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
Remote Monitoring (RMON) 42 Remote monitoring (RMON) is supported on Dell Networking OS. RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
• RPM Down, RPM Failover — Master and standby route processor modules (RPMs) run the RMON sampling process in the background. Therefore, when an RPM goes down, the other RPM maintains the sampled data — the new master RPM provides the same sampled data as did the old master — as long as the master RPM had been running long enough to sample all the data. NMS backs up all the long-term data collection and displays the failover downtime from the performance graph.
– owner string: (Optional) specifies an owner for the alarm, this setting is the alarmOwner object in the alarmTable of the RMON MIB. Default is a null-terminated string. Example of the rmon alarm Command To disable the alarm, use the no form of the command. The following example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
Configuring RMON Collection Statistics To enable RMON MIB statistics collection on an interface, use the RMON collection statistics command in INTERFACE CONFIGURATION mode. • Enable RMON MIB statistics collection. CONFIGURATION INTERFACE (config-if) mode [no] rmon collection statistics {controlEntry integer} [owner ownername] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
The following command example enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of john, both the sampling interval and the number of buckets use their respective defaults.
Rapid Spanning Tree Protocol (RSTP) 43 Rapid spanning tree protocol (RSTP) is supported on Dell Networking OS. Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 43.
• Dell Networking OS supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs.
Example of Verifying an Interface is in Layer 2 Mode and Enabled To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode. Dell(conf-if-gi-1/1)#show config ! interface GigabitEthernet 1/1 no ip address switchport no shutdown Dell(conf-if-gi-1/1)# Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default.
Figure 100. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
BPDU : sent 121, received 2 The port is not in the Edge port mode Port 379 (GigabitEthernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. • Hello-time — the time interval in which the bridge sends RSTP BPDUs.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. • The default is 2 seconds. Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode. Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root.
– Perform an shutdown command on the interface. – Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). To enable EdgePort on an interface, use the following command. • Enable EdgePort on an interface.
We are the root Configured hello time 50 ms, max age 20, forward delay 15 NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond. hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not used.
Security 44 This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Role-Based Access Control With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID.
created for job functions and through those roles they acquire the permissions to perform their associated job function. Each user can be assigned only a single role. Many users can have the same role. The Dell Networking OS supports the constrained RBAC model. With a constrained RBAC model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter and the actions the user can perform.
3. Specify an authentication method list (RADIUS, TACACS+, or Local). You must specify at least local authentication. For consistency, the best practice is to define the same authentication method list across all lines, in the same order of comparison; for example VTY and console port. You could also use the default authentication method to apply to all the LINES (console port, VTY). NOTE: The authentication method list should be in the same order as the authorization method list.
• Network Administrator (netadmin): This user role can configure, display, and debug the network operations on the switch. You can access all of the commands that are available from the network operator user role. This role does not have access to the commands that are available to the system security administrator for cryptography operations, AAA, or the commands reserved solely for the system administrator.
and roles inherited by security administrator can only modify permissions for commands they already have access to. • Make sure you select the correct role you want to inherit. • If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role. 1. Create a new user role CONFIGURATION mode userrole name [inherit existing-role-name] 2.
If you add or delete command permissions using the role command, those changes only apply to the specific user role. They do not apply to other roles that have inheritance from that role. Authorization and accounting only apply to the roles specified in that configuration. When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword followed by the command you are controlling access.
Example: Verify that the Security Administrator Can Access Interface Mode The following example shows that the secadmin role can now access Interface mode (highlighted in bold). Role Inheritance netoperator Modes netadmin secadmin sysadmin MAC Exec Config Interface Router IP RouteMap Protocol MAC Exec Config Interface Line Exec Config Interface Line Router IP RouteMap Protocol Example: Remove Security Administrator Access to Line Mode.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. Dell (conf) #username john password 0 password role secadmin The following example deletes a user role.
the same or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization. Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
accounting commands role netadmin line vty 3 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 4 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 5 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 6 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 7 login authentication ucraaa authorization exec ucraaa accounting comman
role is Force10-avpair= ”shell:role=“ where user-role is a user defined or systemdefined role. In the following example, you create an AV pair for a system-defined role, sysadmin. Force10-avpair= "shell:role=sysadmin" In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch to associate it with this AV pair.
Active accounted actions on tty2, User john Priv 1 Role netoperator Task ID 1, EXEC Accounting record, 00:00:30 Elapsed, service=shell Active accounted actions on tty3, User admin Priv 15 Role sysadmin Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell Display Information About User Roles This section describes how to display information about user roles.
Role access: secadmin,sysadmin Dell#show role mode configure interface Role access: netadmin, sysadmin Dell#show role mode configure line Role access: netadmin,sysadmin Displaying Information About Users Logged into the Switch To display information on all users logged into the switch, using the show users command in EXEC Privilege mode. The output displays privilege level and/or user role. The mode is displayed at the start of the output and both the privilege and roles for all users is also displayed.
CONFIGURATION mode aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+} The variables are: – system: sends accounting information of any other AAA configuration. – exec: sends accounting information when a user has logged in to EXEC mode. – command level: sends accounting of commands executed at the specified privilege level. – suppress: Do not generate accounting records for a specific type of user.
Configuring AAA Accounting for Terminal Lines To enable AAA accounting with a named method list for a specific terminal line (where com15 and execAcct are the method list names), use the following commands. • Configure AAA accounting for terminal lines.
method list or use the default method list. User-defined method lists take precedence over the default method list. NOTE: If a console user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server if the privilege level is configured for that user in RADIUS, whether you configure RADIUS authorization. Configuration Task List for AAA Authentication The following sections provide the configuration tasks.
line {aux 0 | console 0 | vty number [... end-number]} 3. Assign a method-list-name or the default list to the terminal line. LINE mode login authentication {method-list-name | default} To view the configuration, use the show config command in LINE mode or the show runningconfig in EXEC Privilege mode. NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
The following example shows enabling authentication from the RADIUS server. Dell(config)# aaa authentication enable default radius tacacs Radius and TACACS server has to be properly setup for this. Dell(config)# radius-server host x.x.x.x key Dell(config)# tacacs-server host x.x.x.x key To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following commands.
Example of Obscuring Password and Keys Dell(config)# service obscure-passwords AAA Authorization Dell Networking OS enables AAA new-model by default. You can set authorization to be either local or remote. Different combinations of authentication and authorization yield different results. By default, Dell Networking OS sets both to local. Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network.
• Specifying LINE Mode Password and Privilege (optional) • Enabling and Disabling Privilege Levels (optional) For a complete listing of all commands related to Dell Networking OS privilege levels and passwords, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Configuring a Username and Password In Dell Networking OS, you can assign a specific username to limit user access to the system. To configure a username and password, use the following command.
In custom-configured privilege levels, the enable command is always available. No matter what privilege level you entered Dell Networking OS, you can enter the enable 15 command to access and configure all CLIs. Configuring Custom Privilege Levels In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible in different privilege levels. Within Dell Networking OS, commands have certain privilege levels.
• • • • mode: enter a keyword for the modes (exec, configure, interface, line, route-map, or router) level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration. command: an Dell Networking OS CLI keyword (up to five keywords allowed). reset: return the command to its default privilege mode. Examples of Privilege Level Commands To view the configuration, use the show running-config command in EXEC Privilege mode.
show terminal traceroute Dell#confi Dell(conf)#? end exit no snmp-server Dell(conf)# Show running system information Set terminal line parameters Trace route to destination Exit from Configuration mode Exit from Configuration mode Reset a command Modify SNMP parameters Specifying LINE Mode Password and Privilege You can specify a password authentication of all users on different terminal lines.
Resetting a Z9000 Password To reset a password on a Z9000 system, follow these steps. 1. Connect to the Z9000 system using a console. 2. Disconnect and reconnect the power cord on the system to cycle the power. 3. During system boot, press ESC when prompted to display the Grub Menu (see Example 1). 4. During system boot, press ESC when prompted during the countdown to stop the auto-boot process (see Example 2). 5. Press C to access the Grub boot loader command line prompt. 6.
RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password. The RADIUS server returns one of the following responses: • Access-Accept — the RADIUS server authenticates the user.
Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. • Automatically execute a command. auto-command Privilege Levels Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. • Set a privilege level.
• Create a method list with RADIUS and TACACS+ as authorization methods. CONFIGURATION mode aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified). Applying the Method List to Terminal Lines To enable RADIUS AAA login authentication for a method list, apply it to a terminal line.
To specify multiple RADIUS server hosts, configure the radius-server host command multiple times. If you configure multiple RADIUS server hosts, Dell Networking OS attempts to connect with them in the order in which they were configured. When Dell Networking OS attempts to authenticate a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject response.
Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius TACACS+ Dell Networking OS supports terminal access controller access control system (TACACS+ client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration task for TACACS+ functions.
4. Assign the method-list to the terminal line. LINE mode login authentication {method-list-name | default} Example of a Failed Authentication To view the configuration, use the show config in LINE mode or the show running-config tacacs + command in EXEC Privilege mode. If authentication fails using the primary method, Dell Networking OS employs the second method (or third method, if necessary) automatically.
TACACS+ Remote Authentication When configuring a TACACS+ server host, you can set different communication parameters, such as the key password. Example of Specifying a TACACS+ Server Host Dell(conf)# Dell(conf)#aaa authentication login tacacsmethod tacacs+ Dell(conf)#aaa authentication exec tacacsauthorization tacacs+ Dell(conf)#tacacs-server host 25.1.1.
Command Authorization The AAA command authorization feature configures Dell Networking OS to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
• ip ssh server version {1|2} Display SSH connection information. EXEC Privilege mode show ip ssh Specifying an SSH Version The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled.
• • • • • • • • • • • ip ssh hostbased-authentication enable: enable host-based authentication for the SSHv2 server. ip ssh key-size: configure the size of the server-generated RSA SSHv1 key. ip ssh password-authentication enable: enable password authentication for the SSH server. ip ssh pub-key-file: specify the file the host-based authentication uses. ip ssh rhostsfile: specify the rhost file the host-based authorization uses.
The following example configures the time-based rekey threshold for an SSH session to 30 minutes. Dell(conf)#ip ssh rekey time 30 The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes. Dell(conf)#ip ssh rekey volume 4096 Configuring the SSH Server Cipher List To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode.
The default HMAC algorithms are the following: • hmac-md5 • hmac-md5-96 • hmac-sha1 • hmac-sha1-96 • hmac-sha2-256 • hmac-sha2-256-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list.
• Using RSA Authentication of SSH • Configuring Host-Based SSH Authentication Important Points to Remember • If you enable more than one method, the order in which the methods are preferred is based on the ssh_config file on the Unix machine. • When you enable all the three authentication methods, password authentication is the backup method when the RSA method fails. • The files known_hosts and known_hosts2 are generated when a user tries to SSH using version 1 or version 2, respectively.
ip ssh rsa-authentication enable 5. Install user’s public key for RSA authentication in SSH. EXEC Privilege mode ip ssh rsa-authentication my-authorized-keys flash://public_key Example of Generating RSA Keys admin@Unix_client#ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/id_rsa already exists.
admin@Unix_client# cat ssh_host_rsa_key.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/ AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= admin@Unix_client# ls id_rsa id_rsa.pub shosts admin@Unix_client# cat shosts 10.16.127.
Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config. To enable or disable the Telnet daemon, use the [no] ip telnet server enable command.
incoming users always see a login prompt even if you have excluded them from the VTY line with a denyall access class. After users identify themselves, Dell Networking OS retrieves the access class from the local database and applies it. (Dell Networking OS then can close the connection if a user is denied access.) NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication.
VTY MAC-SA Filter Support Dell Networking OS supports MAC access lists which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address. To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
Service Provider Bridging 45 Service provider bridging is supported on Dell Networking OS. VLAN Stacking Virtual local area network (VLAN) stacking is supported on the platform. VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 101. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLANStack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
interface GigabitEthernet 7/12 no ip address switchport vlan-stack trunk no shutdown Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
To configure trunk ports, use the following commands. 1. Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making it a hybrid port. INTERFACE mode portmode hybrid 2. Add the port to a 802.1Q VLAN as tagged or untagged.
• MT — stacked trunk • MU — stacked access port • T — 802.1Q trunk port • U — 802.1Q access port • NU — Native VLAN (untagged) Dell# debug member vlan 603 vlan id : 603 ports : Gi 2/47 (MT), Gi 3/1(MU), Gi 3/25(MT), Gi 3/26(MT), Gi 3/27(MU) Dell#debug member port gigabitethernet 2/47 vlan id : 603 (MT), 100(T), 101(NU) Dell# VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes.
Figure 102.
Figure 103.
Figure 104. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet drop precedence is available on the platform. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 46. Drop Eligibility Behavior Ingress Egress DEI Disabled DEI Enabled Normal Port Normal Port Retain CFI Set CFI to 0. Trunk Port Trunk Port Retain inner tag CFI Retain inner tag CFI. Retain outer tag CFI Set outer tag CFI to 0. Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0 Access Port Trunk Port To enable drop eligibility globally, use the following command. • Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
• • Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. For example, if frames with C-Tag dot1p values 0, 6, and 7 are mapped to an S-Tag dot1p value 0, all such frames are sent to the queue associated with the S-Tag 802.1p value 0.
service-policy input in layer2 no shutdown Mapping C-Tag to S-Tag dot1p Values To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands. 1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 106. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
the intermediate network because only Dell Networking OS could recognize the significance of the destination MAC address and rewrite it to the original Bridge Group Address. In Dell Networking OS version 8.2.1.0 and later, the L2PT MAC address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge. Figure 107. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2. Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3. Tunnel BPDUs the VLAN.
4. Set a maximum rate at which the RPM processes BPDUs for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.
sFlow 46 Configuring sFlow is supported on Dell Networking OS. Overview The Dell Networking Operating System (OS) supports sFlow version 5. sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows.
Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. • By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively. • Dell Networking OS exports all sFlow packets to the collector.
• Displaying Show sFlow on a Line Card Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled.
mtu 9252 ip mtu 9234 switchport sflow enable sflow sample-rate 8192 no shutdown Displaying Show sFlow on a Stack-unit To view sFlow statistics on a specified stack-unit, use the following command. • Display sFlow configuration information and statistics on the specified interface.
– interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds. Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared.
77 UDP packets exported 0 UDP packets dropped 165 sFlow samples collected 69 sFlow samples dropped due to sub-sampling Linecard 1 Port set 0 H/W sampling rate 8192 Gi 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1 Gi 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2 Linecard 3 Port set 1 H/W sampling rate 16384 Gi 3/40: configured rate 16384, actual rate 16384, sub-sampling rate 1 If you did not enable any extended information, the show output displays the following (sho
IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description extended gateway data is not exported because IP DA is not learned via BGP. Version 7.8.1.0 allows extended gateway information in cases where the source and destination IP addresses are learned by different routing protocols, and for cases where is source is reachable over ECMP. BGP sFlow BGP Exported Exported Extended gateway data is packed.
47 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on Dell Networking OS. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd). Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements.
Related Configuration Tasks • • • • • • • • • • Managing Overload on Startup Reading Managed Object Values Writing Managed Object Values Subscribing to Managed Object Value Updates using SNMP Copying Configuration Files via SNMP Manage VLANs Using SNMP Enabling and Disabling a Port using SNMP Fetch Dynamic MAC Entries using SNMP Deriving Interface Indices Monitor Port-channels Important Points to Remember • • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both
• Choose a name for the community. CONFIGURATION mode snmp-server community name {ro | rw} Example of Creating an SNMP Community To view your SNMP configuration, use the show running-config snmp command from EXEC Privilege mode. Dell(conf)#snmp-server community my-snmp-community ro 22:31:23: %STKUNIT0-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
• Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name 3 noauth {included | excluded} NOTE: To give a user read and write privileges, repeat this step for each privilege type. • Configure an SNMP group (with password or privacy privileges). CONFIGURATION mode • snmp-server group group-name {oid-tree} priv read name write name Configure the user with a secure authorization password and privacy password.
Examples of Reading the Value of Managed Objects In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays. > snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16 > snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0 The following example shows reading the value of the next managed object. > snmpgetnext -v 2c -c mycommunity 10.11.131.
• The default is None. (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmp-server location text You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number). CONFIGURATION mode snmpset -v version -c community agent-ip sysContact.
To send informational messages, enter the keyword informs. To send the SNMP version to use for notification messages, enter the keyword version. To identify the SNMPv1 community string, enter the name of the community-string. 2. Specify which traps the Dell Networking system sends to the trap receiver. CONFIGURATION mode snmp-server enable traps Enable all Dell Networking enterprise-specific and RFC-defined traps using the snmp-server enable traps command from CONFIGURATION mode.
HOT_FAILOVER: RPM Failover Completed SFM_DISCOVERY: Found SFM 1 SFM_REMOVE: Removed SFM 1 MAJOR_SFM: Major alarm: Switch fabric down MAJOR_SFM_CLR: Major alarm cleared: Switch fabric up MINOR_SFM: MInor alarm: No working standby SFM MINOR_SFM_CLR: Minor alarm cleared: Working standby SFM present TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s RPM0-P:CP %CHMGR-2-CARD_PARITY_ERR ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s CPU_THRESHOLD: Cpu %s usage above threshold.
%ECFM-5-ECFM_XCON_ALARM: Cross connect fault detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_ERROR_ALARM: Error CCM Defect detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000 %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 e
MIB Object OID Object Values Description 2 = running-config • 3 = startup-config • copySrcFileLocation . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.3 1 = flash 2 = slot0 If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash. If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName. Specifies the location of source file.
MIB Object OID Object Values Description 4 = ftp copyServerAddress, copyUserName, and copyUserPassword. 5 = scp copyDestFileName . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.7 Path (if the file is not in the default directory) and filename. Specifies the name of destination file. copyServerAddress . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.8 IP Address of the server. The IP address of the server. . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.9 Username for the server. Username for the FTP, TFTP, or SCP server. . 1.3.6.1.4.1.
• index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears. In this case, increment the index value and enter the command again. Error in packet. Reason: notWritable (that object does not support modification) Failed object: FTOS-COPY-CONFIG-MIB::copySrcFileType.101 • To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
Copying the Startup-Config Files to the Running-Config To copy the startup-config to the running-config from a UNIX machine, use the following command. • Copy the startup-config to the running-config from a UNIX machine. snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2 Examples of Copying Configuration Files from a UNIX Machine The following example shows how to copy configuration files from a UNIX machine using the object name.
Copying the Startup-Config Files to the Server via TFTP To copy the startup-config to the server via TFTP from the UNIX machine, use the following command. NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory. • Copy the startup-config to the server via TFTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.
MIB Object OID Values Description 3 = failed copyTimeStarted . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.12 Time value Specifies the point in the up-time clock that the copy operation started. copyTimeCompleted . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.13 Time value Specifies the point in the up-time clock that the copy operation completed. copyFailCause . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.14 1 = bad filename Specifies the reason the copy request failed.
• the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command. The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, the same index number used in the snmpset command follows the object. The following command shows how to get a MIB object value using the object name. > snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.
MIB Support to Display the Software Core Files Generated by the System Dell Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 51. MIB Objects for Displaying the Software Core Files Generated by the System MIB Object OID Description chSysSwCoresTable 1.3.6.1.4.1.6027.3.25.1.2.
enterprises.6027.3.10.1.2.10.1.3.2.1 enterprises.6027.3.10.1.2.10.1.4.1.1 enterprises.6027.3.10.1.2.10.1.4.1.2 enterprises.6027.3.10.1.2.10.1.4.1.3 enterprises.6027.3.10.1.2.10.1.4.2.1 enterprises.6027.3.10.1.2.10.1.5.1.1 enterprises.6027.3.10.1.2.10.1.5.1.2 enterprises.6027.3.10.1.2.10.1.5.1.3 enterprises.6027.3.10.1.2.10.1.5.2.
Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged. • To add a tagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts object. • To add an untagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts objects.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Managing Overload on Startup If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS reload is implemented, use the following command.
Choose integer 1 to change the admin status to Up, or 2 to change the admin status to Down. Fetch Dynamic MAC Entries using SNMP Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.1d itself does not define them. As a switchport must belong a VLAN (the default VLAN or a configured VLAN), all MAC address learned on a switchport are associated with a VLAN.
Example of Fetching MAC Addresses Learned on a Non-default VLAN Using SNMP In the following example, GigabitEthernet 1/21 is moved to VLAN 1000, a non-default VLAN. To fetch the MAC addresses learned on non-default VLANs, use the object dot1qTpFdbTable. The instance number is the VLAN number concatenated with the decimal conversion of the MAC address.
• Display the interface index number. EXEC Privilege mode show interface Example of Deriving the Interface Index Number To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object. Table 53. MIB Objects for Viewing the System Image on Flash Partitions MIB Object OID Description MIB chSysSwInPartitionAImg 1.3.6.1.4.1.6027.3.10.1.2. Vers 8.1.
SNMPv2-SMI::enterprises.6027.3.2.1.1.6.1.4.1107755009.1 = INTEGER: 1 << Status active, 2 – status inactive Example of Viewing Status of Learned MAC Addresses If we learn MAC addresses for the LAG, status is shown for those as well. dot3aCurAggVlanId SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 00 00 00 01 dot3aCurAggIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.
48 Storm Control Storm control is supported on Dell Networking OS. The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. Configure Storm Control Storm control is supported in INTERFACE mode and CONFIGURATION mode.
Spanning Tree Protocol (STP) 49 The spanning tree protocol (STP) is supported on Dell Networking OS. Protocol Overview STP is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
Important Points to Remember • • • • • STP is disabled by default. The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time. All ports in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you enable the protocol.
To configure and enable the interfaces for Layer 2, use the following command. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE switchport 3. Enable the interface. INTERFACE mode no shutdown Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Figure 109. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable Examples of Verifying Spanning Tree Information To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hellotime, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP.
PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. • Port cost — a value that is based on the interface type.
CAUTION: Enable PortFast only on links connecting to an end station. PortFast can cause loops if it is enabled on an interface connected to a network. To enable PortFast on an interface, use the following command. • Enable PortFast on an interface.
• • • • • If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware. When you remove a physical port from a port channel in the Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware).
• disables spanning tree on an interface • drops all BPDUs at the line card without generating a console message Example of Blocked BPDUs Dell(conf-if-gi-0/7)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e805.fb07 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e85d.0e90 Configured hello time 2, max age 20, forward delay 15 Interface Name PortID Prio ---------- -------Gi 0/6 128.
Root Bridge hello time 2, max age 20, forward delay 15 Dell# STP Root Guard STP root guard is supported on the platform. Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority (as determined by STP or set with the bridge-priority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root.
Figure 111. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
• Enable root guard on a port or port-channel interface. INTERFACE mode or INTERFACE PORT-CHANNEL mode spanning-tree {0 | mstp | rstp | pvst} rootguard – – – – 0: enables root guard on an STP-enabled port assigned to instance 0. mstp: enables root guard on an MSTP-enabled port. rstp: enables root guard on an RSTP-enabled port. pvst: enables root guard on a PVST-enabled port.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer. Figure 112. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis.
– Rapid Spanning Tree Protocol (RSTP) – Multiple Spanning Tree Protocol (MSTP) – Per-VLAN Spanning Tree Plus (PVST+) • You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard.
Gi 0/2 Gi 0/3 802 0 0 LIS EDS (Shut) Loopguard Bpduguard Spanning Tree Protocol (STP)
System Time and Date 50 System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
Information included in the NTP message allows the client to determine the server time regarding local time and adjust the local clock accordingly. In addition, the message includes information to calculate the expected timekeeping accuracy and reliability, as well as select the best from possibly several servers.
Configure the Network Time Protocol Configuring NTP is a one-step process. • Enabling NTP Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times.
Example of Configuring NTP Broadcasts 2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.496884 Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode.
Dell Networking OS Behavior: Dell Networking OS uses an encryption algorithm to store the authentication key that is different from previous Dell Networking OS versions; Dell Networking OS uses data encryption standard (DES) encryption to store the key in the startup-config when you enter the ntp authentication-key command.
ntp master To configure the ntp master enter the stratum number to identify the NTP Server’s hierarchy. Examples of Configuring and Viewing an NTP Configuration The following example shows configuring an NTP server. R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Dell Networking OS Time and Date You can set the time and date using the Dell Networking OS CLI. Configuration Task List The following is a configuration task list for configuring the time and date settings.
– timezone-name: enter the name of the timezone. Do not use spaces. – offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
00:00:00 pacific Sat Nov 7 2009" Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command. To set a recurring daylight saving time, use the following command.
Examples of the clock summer-time recurring Command The following example shows the clock summer-time recurring command.
Tunneling 51 Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode. You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
interface Tunnel 2 no ip address ipv6 address 2::1/64 tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.
Configuring a Tunnel Interface You can configure the tunnel interface using the ip unnumbered and ipv6 unnumbered commands. To configure the tunnel interface to operate without a unique explicit ip or ipv6 address, select the interface from which the tunnel will borrow its address. The following sample configuration shows how to use the tunnel interface configuration commands. Dell(conf-if-te-0/0)#show config ! interface TenGigabitEthernet 0/0 ip address 20.1.1.
Configuring Tunnel source anylocal Decapsulation The tunnel source anylocal command allows a multipoint receive-only tunnel to decapsulate tunnel packets addressed to any IPv4 or IPv6 (depending on the tunnel mode) address configured on the switch that is operationally UP. The source anylocal parameters can be used for packet decapsulation instead of the ip address or interface (tunnel allow-remote command), but only on multipoint receive-only mode tunnels.
• Control plane packets received on the multipoint-receive-only tunnel, are packets destined to the local ip address and routed to the CPU after decapsulation, would follow the regular processing in the TCP/IP stack. A response to these packets is only possible if the route back to the sender does not fall on a receive-only tunnel. • Multipath over more than one VLAN interfaces will not be working for packets routed over the tunnel interface.
Upgrade Procedures 52 To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://www.dell.
Uplink Failure Detection (UFD) 53 Uplink failure detection (UFD) is supported on Dell Networking OS. Feature Description UFD provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 114. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 115. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
– An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state. No uplink-state tracking is performed when a group is disabled or in an Operationally Down state. • You can assign physical port or port-channel interfaces to an uplink-state group. – You can assign an interface to only one uplink-state group. Configure each interface assigned to an uplink-state group as either an upstream or downstream interface, but not both.
• Port channel: enter port-channel {1-512 | port-channel-range} Where port-range and port-channel-range specify a range of ports separated by a dash (-) and/or individual ports/port channels in any order; for example: upstream gigabitethernet 1/1-2,5,9,11-12 downstream port-channel 1-3,5 • A comma is required to separate each port and port-range entry. To delete an interface from the group, use the no {upstream | downstream} interface command. 3.
Clearing a UFD-Disabled Interface You can manually bring up a downstream interface in an uplink-state group that UFD disabled and is in a UFD-Disabled Error state. To re-enable one or more disabled downstream interfaces and clear the UFD-Disabled Error state, use the following command. • Re-enable a downstream interface on the switch/router that is in a UFD-Disabled Error State so that it can send and receive traffic.
02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 13/5 02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 0/ 47 02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/47 02:37:29 : UFD: Group:3, UplinkState: DOWN 02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed uplink state group state to down: Group 3 02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD errordisabled: Fo 13/6 02:37:29: %RPM0-P:CP %IFMGR-5
interface specifies one of the following interface types: – Fast Ethernet: enter fastethernet slot/port. – 1 Gigabit Ethernet: enter gigabitethernet slot/port. – 10 Gigabit Ethernet: enter tengigabitethernet slot/port. – Port channel: enter port-channel {1-512}. • If a downstream interface in an uplink-state group is disabled (Oper Down state) by uplink-state tracking because an upstream port is down, the message error-disabled[UFD] displays in the output.
Upstream Interfaces : Gi 0/41(Dwn) Po 8(Dwn) Downstream Interfaces : Gi 0/40(Dwn) The following example shows viewing the interface status with UFD information for the S50.
Sample Configuration: Uplink Failure Detection The following example shows a sample configuration of UFD on a switch/router in which you configure as follows. • Configure uplink-state group 3. • Add downstream links Gigabitethernet 0/1, 0/2, 0/5, 0/9, 0/11, and 0/12. • Configure two downstream links to be disabled if an upstream link fails. • Add upstream links Gigabitethernet 0/3 and 0/4. • Add a text description for the group. • Verify the configuration with various show commands.
Downstream Interfaces : Gi 0/1(Dis) Gi 0/2(Dwn) Gi 0/5(Dwn) Gi 0/9(Dwn) Gi 0/11(Dwn) Gi 0/12(Dwn) 830 Uplink Failure Detection (UFD)
Virtual LANs (VLANs) 54 Virtual LANs (VLANs) are supported on Dell Networking OS. VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking Operating System (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
command places the interface in Layer 2 mode and the show vlan command in EXEC privilege mode indicates that the interface is now part of the Default VLAN (VLAN 1). By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN. NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN.
VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. Dell Networking OS supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
NOTE: In a VLAN, the shutdown command stops Layer 3 (routed) traffic only. Layer 2 traffic continues to pass through the VLAN. If the VLAN is not a routed VLAN (that is, configured with an IP address), the shutdown command has no affect on VLAN traffic. When you delete a VLAN (using the no interface vlan vlan-id command), any interfaces assigned to that VLAN are assigned to the Default VLAN as untagged interfaces. To create a port-based VLAN, use the following command.
interface vlan vlan-id 2. Enable an interface to include the IEEE 802.1Q tag header. INTERFACE mode tagged interface Add an Interface to Another VLAN To view just the interfaces that are in Layer 2 mode, use the show interfaces switchport command in EXEC Privilege mode or EXEC mode. The following example shows the steps to add a tagged interface (in this case, port channel 1) to VLAN 4. To view the interface’s status. Interface (po 1) is tagged and in VLAN 2 and 3, use the show vlan command.
Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2. Configure an interface as untagged. INTERFACE mode untagged interface This command is available only in VLAN interfaces.
4 Dell# Active T U Gi 3/1 Gi 3/2 The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode. Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
To configure a port so that it can be a member of an untagged and tagged VLANs, use the following commands. 1. Remove any Layer 2 or Layer 3 configurations from the interface. INTERFACE mode 2. Configure the interface for Hybrid mode. INTERFACE mode portmode hybrid 3. Configure the interface for Switchport mode. INTERFACE mode switchport 4. Add the interface to a tagged or untagged VLAN.
Virtual Link Trunking (VLT) 55 Virtual link trunking (VLT) is supported on Dell Networking OS. Overview VLT allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology.
Figure 117. VLT on Switches VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
Figure 118. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • VLT port channel interfaces must be switch ports. • If you include RSTP on the system, configure it before VLT. Refer to Configure Rapid Spanning Tree. • Dell Networking strongly recommends that the VLTi (VLT interconnect) be a static LAG and that you disable LACP on the VLTi.
• In a scenario where one hundred hosts are connected to a Peer1 on a non-VLT domain and traffic flows through Peer1 to Peer2; when you move these hosts from a non-VLT domain to a VLT domain and send ARP requests to Peer1, only half of these ARP requests reach Peer1, while the remaining half reach Peer2 (beacuse of LAG hashing). The reason for this behavior is that Peer1 ignores the ARP requests that it receives on VLTi (ICL) and updates only the ARP requests that it receives on the local VLT.
– The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs. – VLT peer switches operate as separate chassis with independent control and data planes for devices attached to non-VLT ports. – Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported. Dell Networking strongly recommends configuring a static LAG for VLTi.
– The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only. • Virtual link trunks (VLTs) between access devices and VLT peer switches – To connect servers and access switches with VLT peer switches, you use a VLT port channel, as shown in Overview. Up to 48 port-channels are supported; up to eight member links are supported in each port channel between the VLT domain and an access device.
• Software features supported on VLT physical ports – In a VLT domain, the following software features are supported on VLT physical ports: 802.1p, LLDP, flow control, IPv6 dynamic routing, port monitoring, and jumbo frames. • Software features not supported with VLT – In a VLT domain, the following software features are supported on non-VLT ports: 802.1x, DHCP snooping, FRRP, ingress and egress QOS.
MAC address is selected as the Primary Peer. You can configure another peer as the Primary Peer using the VLT domain domain-id role priority priority-value command. If the VLTi link fails, the status of the remote VLT Primary Peer is checked using the backup link. If the remote VLT Primary Peer is available, the Secondary Peer disables all VLT ports to prevent loops.
VLT and IGMP Snooping When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk. When you configure IGMP snooping on a VLT node, the dynamically learned groups and multicast router ports are automatically learned on the VLT peer node. VLT IPv6 VLT IPv6 is supported on the platform.
Figure 119. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode command. Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers.
Layer 3 on the other node. Configuration mismatches are logged in the syslog and display in the show vlt mismatch command output. If you enable VLT unicast routing, the following actions occur: • L3 routing is enabled on any new IP address / IPv6 address configured for a VLAN interface that is up. • L3 routing is enabled on any VLAN with an admin state of up. NOTE: If the CAM is full, do not enable peer-routing. NOTE: The peer routing and peer-routing-timeout is applicable for both IPv6/ IPv4.
• Optimal VLTi forwarding — Only one copy of the incoming multicast traffic is sent on the VLTi for routing or forwarding to any orphan ports, rather than forwarding all the routed copies. Important Points to Remember • You cannot configure a VLT node as a rendezvous point (RP), but any PIM-SM compatible VLT node can serve as a designated router (DR). • You can only use one spanned VLAN from a PIM-enabled VLT node to an external neighboring PIM router.
NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
VLT switch determines the RSTP roles and states on VLT ports and ensures that the VLT interconnect link is never blocked. In the case of a primary VLT switch failure, the secondary switch starts sending BPDUs with its own bridge ID and inherits all the port states from the last synchronization with the primary switch. An access device never detects the change in primary/secondary roles and does not see it as a topology change.
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2. Remove an IP address from the interface. INTERFACE PORT-CHANNEL mode no ip address 3. Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 4. • 1-Gigabit Ethernet: Enter gigabitethernet slot/port. • 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
peer-link port-channel id-number 4. (Optional) Prevent a possible loop during the bootup of a VLT peer switch or a device that accesses the VLT domain. CONFIGURATION mode lacp ungroup member-independent {vlt | port-channel port-channel-id} LACP on VLT ports (on a VLT switch or access device), which are members of the virtual link trunk, is not brought up until the VLT domain is recognized on the access device. 5.
delay-restore delay-restore-time The range is from 1 to 1200. The default is 90 seconds. Reconfiguring the Default VLT Settings (Optional) To reconfigure the default VLT settings, use the following commands. 1. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2.
Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands. On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain. 1.
Configuring a VLT VLAN Peer-Down (Optional) To configure a VLT VLAN peer-down, use the following commands. 1. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2. Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 3.
The range of domain IDs is from 1 to 1000. 4. Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
INTERFACE PORT-CHANNEL mode switchport 10. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number Valid port-channel ID numbers are from 1 to 128. 11. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 12. Add links to the eVLT port. Configure a range of interfaces to bulk configure. CONFIGURATION mode interface range {port-channel id} 13.
interface port-channel port-channel id NOTE: To benefit from the protocol negotiations, Dell Networking recommends configuring VLTs used as facing hosts/switches with LACP. Ensure both peers use the same port channel ID. 4. Configure the peer-link port-channel in the VLT domains of each peer unit. INTERFACE PORTCHANNEL mode channel-member 5. Configure the backup link between the VLT peer units (shown in the following example). 6.
Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2. s4810-2(conf)#vlt domain 5 s4810-2(conf-vlt-domain)# s4810-4(conf)#vlt domain 5 s4810-4(conf-vlt-domain)# Configure the VLTi between VLT peer 1 and VLT peer 2. 1. You can configure the LACP/static LAG between the peer units (not shown). 2. Configure the peer-link port-channel in the VLT domains of each peer unit.
! no ip address port-channel-protocol LACP port-channel 2 mode active no shutdown s4810-2# configuring VLT peer lag in VLT s4810-2#show running-config interface port-channel 2 ! interface Port-channel 2 no ip address switchport vlt-peer-lag port-channel 2 no shutdown s4810-2# s4810-2#show interfaces port-channel 2 brief Codes: L - LACP Port-channel LAG Mode L 2 L2L3 s4810-2# Status up Uptime 03:33:14 Ports Te 0/40 (Up) In the ToR unit, configure LACP on the physical ports.
Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Figure 120. eVLT Configuration Example eVLT Configuration Step Examples In Domain 1, configure the VLT domain and VLTi on Peer 1. Domain_1_Peer1#configure Domain_1_Peer1(conf)#interface port-channel 1 Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer1(conf)#vlt domain 1000 Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1 Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Domain_1_Peer2(conf-vlt-domain)# back-up destination 10.16.130.12 Domain_1_Peer2(conf-vlt-domain)# system-mac mac-address 00:0a:00:0a:00:0a Domain_1_Peer2(conf-vlt-domain)# unit-id 1 Configure eVLT on Peer 2. Domain_1_Peer2(conf)#interface port-channel 100 Domain_1_Peer2(conf-if-po-100)# switchport Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer2(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 2.
Configure eVLT on Peer 4. Domain_2_Peer4(conf)#interface port-channel 100 Domain_2_Peer4(conf-if-po-100)# switchport Domain_2_Peer4(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_2_Peer4(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 4.
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches. • Display information on backup link operation. EXEC mode • show vlt backup-link Display general status information about VLT domains currently configured on the switch.
Examples of the show vlt and show spanning-tree rstp Commands The following example shows the show vlt backup-link command. Dell_VLTpeer1# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.
The following example shows the show vlt detail command. Dell_VLTpeer1# show vlt detail Local LAG Id -----------100 127 Peer LAG Id ----------100 2 Local Status Peer Status Active VLANs ------------ ----------- ------------UP UP 10, 20, 30 UP UP 20, 30 Dell_VLTpeer2# show vlt detail Local LAG Id -----------2 100 Peer LAG Id ----------127 100 Local Status -----------UP UP Peer Status ----------UP UP Active VLANs ------------20, 30 10, 20, 30 The following example shows the show vlt role command.
Dell_VLTpeer2# show vlt statistics VLT Statistics ---------------HeartBeat Messages Sent: HeartBeat Messages Received: ICL Hello's Sent: ICL Hello's Received: 994 978 89 89 The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Configuring Virtual Link Trunking (VLT Peer 1) Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi). Dell_VLTpeer1(conf)#vlt domain 999 Dell_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35 Dell_VLTpeer1(conf-vlt-domain)#exit Configure the backup link. Dell_VLTpeer1(conf)#interface ManagementEthernet 0/0 Dell_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Configure the backup link. Dell_VLTpeer2(conf)#interface ManagementEthernet 0/0 Dell_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.35/ Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown Dell_VLTpeer2(conf-if-ma-0/0)#exit Configure the VLT interconnect (VLTi).
Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information. NOTE: For information on VLT Failure mode timing and its impact, contact your Dell Networking representative. Table 56. Troubleshooting VLT Description Behavior at Peer Up Behavior During Run Time Action to Take Bandwidth monitoring A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
Description Behavior at Peer Up Behavior During Run Time Action to Take that the MAC address is the same on both units. The VLT peer does not boot up. The VLTi is forced to a down state. The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated. A syslog error message is generated. Version ID mismatch A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated.
Specifying VLT Nodes in a PVLAN You can configure VLT peer nodes in a private VLAN (PVLAN). VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization. Because the VLT LAG interfaces are terminated on two different nodes, PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN.
not validated if you associate an ICL to a PVLAN. Similarly, if you dissociate an ICL from a PVLAN, although the PVLAN parity exists, ICL is removed from that PVLAN. Association of VLTi as a Member of a PVLAN If a VLAN is configured as a non-VLT VLAN on both the peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a PVLAN or normal VLAN on both the peers.
PVLAN Operations When a VLT Peer is Restarted When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Promiscuo us Trunk Primary Primary Yes No Trunk Access Primary Secondary No No Promiscuo us Promiscuo us Primary Primary Yes Yes Promiscuo us Access Primary Secondary No No Promiscuo us Promiscuo us Primary Primary Yes Yes - Secondary (Community) - Secondary (Isolated) No No Secondary (Community) Secondary (Isolated) No No • • Yes Yes Access Promiscuo us Acc
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Promiscuo us Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN).
INTERFACE PORT-CHANNEL mode no shutdown 5. To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch. 6. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 7. Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 8.
6. Enable the VLAN. INTERFACE VLAN mode no shutdown 7. To obtain maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both the VLT peer nodes. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 8. Map secondary VLANs to the selected primary VLAN.
supported only for the IP address belongs to the received interface IP network. Proxy ARP is not supported if the ARP requested IP address is different from the received interface IP subnet. For example, if VLAN 100 and 200 are configured on the VLT peers, and if the VLAN 100 IP address is configured as 10.1.1.0/24 and the VLAN 200 IP address is configured as 20.1.1.0/24, the proxy ARP is not performed if the VLT node receives an ARP request for 20.1.1.0/24 on VLAN 100.
VLT Nodes as Rendezvous Points for Multicast Resiliency You can configure virtual link trunking (VLT) peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. PIM uses a VLT node as the RP to distribute multicast traffic to a multicast group. Messages to join the multicast group (Join messages) and data are sent towards the RP, so that receivers can discover who the senders are and begin receiving traffic destined for the multicast group.
VLT Proxy Gateway 56 You can configure a proxy gateway in VLT domains. A proxy gateway enables you to locally route the packets that are destined to a L3 endpoint in another VLT domain. Proxy Gateway in VLT Domains Using a proxy gateway, the VLT peers in a domain can route the L3 packets destined for VLT peers in another domain as long as they have L3 reachability of these IP destinations.
When the routing table across DCs is not symmetrical, there is a possibility of a routing miss by a DC that do not have the route for the L3 traffic. Since routing protocols will enabled and both the DC’s comes in same subnet there will not be route asymmetry dynamically. But if static route is configured on one DC and not on the other, it will result is asymmetry. Proxy routing can still be achieved locally by configuring a static route or default gateway.
8. LLDP port channel interface can’t be changed to legacy lag when proxy gateway is enabled. 9.“vlt-peer-mac transmit” is recommended only for square VLT without any diagonal links. 10. VRRP and IPv6 routing is not supported now. 11. With the existing hardware capabilities, only 512 my_station_tcam entries can be supported. 12. PVLAN not supported 13. After VM Motion, it’s expected that VM Host will send GARP in term, host previous VLT Domain will have mac movement points to newer VLT Domain 14.
• There are only a couple of MACs for each unit to be transmitted so that all current active MACs can definitely be carried on the newly defined TLV. • This TLV is recognizable only by FTOS devices with this feature support. Other device will ignore this field and should still be able to process other standard TLVs. The LLDP organizational TLV passes local DA information to peer VLT domain devices so they can act as proxy gateway.
2. Trace route across VLT domains may show extra hops. 3. IP route symmetry must be maintained across the VLT domains. Assume if the route to a destination is not available at C2, though the packet hits the MY_STATION_TCAM and routing is enabled for that VLAN, if there is no entry for that prefix in the routing table it will dropped to CPU. By default, all route miss packets are given to CPU. To avoid this static entry must be configured. 4.
8. Packet duplication – Assume exclude-vlan (say VLAN 10) is configured on C2/D2 for C1’s MAC. If packets for VLAN 10 with C1’s MAC get a hit at C2, they will be switched to both D2 (via ICL) and C1 via inter DC link. This could lead to packet duplication. So, if C1’s MAC is learnt at C2 then the packet would not have flooded (to D2) and only switched to C1 and thus avoided packet duplication.
Virtual Router Redundancy Protocol (VRRP) 57 Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 121. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. VRRP Configuration By default, VRRP is not configured. Configuration Task List The following list specifies the configuration tasks for VRRP.
Examples of Configuring and Verifying VRRP The following examples how to configure VRRP. Dell(conf)#int gi 1/1 Dell(conf-if-gi-1/1)#vrrp-group 111 Dell(conf-if-gi-1/1-vrid-111)# The following examples how to verify the VRRP configuration. Dell(conf-if-gi-1/1)#show conf ! interface GigabitEthernet 1/1 ip address 10.10.10.
NOTE: Carefully following this procedure, otherwise you might introduce dual master switches issues. To migrate an IPv4 VRRP Group from VRRPv2 to VRRPv3: 1. Set the backup switches to VRRP version to both. Dell_backup_switch1(conf-if-te-0/1-vrid-100)#version both Dell_backup_switch2(conf-if-te-0/2-vrid-100)#version both 2. Set the master switch to VRRP protocol version 3. Dell_master_switch(conf-if-te-0/1-vrid-100)#version 3 3. Set the backup switches to version 3.
The VRID range is from 1 to 255. 2. Configure virtual IP addresses for this VRID. INTERFACE -VRID mode virtual-address ip-address1 [...ip-address12] The range is up to 12 addresses. Examples of the Configuring and Verifying a Virtual IP Address The following example shows how to configure a virtual IP address. Dell(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1 Dell(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2 Dell(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.
When the VRRP process completes its initialization, the State field contains either Master or Backup. Setting VRRP Group (Virtual Router) Priority Setting a virtual router priority to 255 ensures that router is the “owner” virtual router for the VRRP group. VRRP elects the MASTER router by choosing the router with the highest priority. The default priority for a virtual router is 100. The higher the number, the higher the priority.
NOTE: You must configure all virtual routers in the VRRP group the same: you must enable authentication with the same password or authentication is disabled. To configure simple authentication, use the following command. • Configure a simple text password. INTERFACE-VRID mode authentication-type simple [encryption-type] password Parameters: – encryption-type: 0 indicates unencrypted; 7 indicates encrypted. – password: plain text.
The following example shows how to disable preempt using the no preempt command. Dell(conf-if-gi-1/1)#vrrp-group 111 Dell(conf-if-gi-1/1-vrid-111)#no preempt Dell(conf-if-gi-1/1-vrid-111)# The following example shows how to verify preempt is disabled using the show conf command. Dell(conf-if-gi-1/1-vrid-111)#show conf ! vrrp-group 111 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.
advertise-interval centisecs centisecs The range is from 25 to 4075 centisecs in units of 25 centisecs. The default is 100 centisecs. Examples of the advertise-interval Command The following example shows how to change the advertise interval using the advertise-interval command. Dell(conf-if-gi-1/1)#vrrp-group 111 Dell(conf-if-gi-1/1-vrid-111)#advertise-interval 10 Dell(conf-if-gi-1/1-vrid-111)# The following example shows how to verify the advertise interval change using the show conf command.
– The valid VLAN IDs are from 1 to 4094. For a virtual group, you can also track the status of a configured object (the track object-id command) by entering its object number. NOTE: You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode).
vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 track GigabitEthernet 1/2 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 Dell(conf-if-gi-1/1-vrid-111)# The following example shows verifying the tracking status.
virtual-address 2007::1 virtual-address fe80::1 no shutdown Setting VRRP Initialization Delay VRRP initialization delay is supported on the platform. When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#int gi 2/31 R2(conf-if-gi-2/31)#ip address 10.1.1.1/24 R2(conf-if-gi-2/31)#vrrp-group 99 R2(conf-if-gi-2/31-vrid-99)#priority 200 R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-gi-2/31-vrid-99)#no shut R2(conf-if-gi-2/31)#show conf ! interface GigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
Figure 123. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
Although R2 and R3 have the same default, priority (100), R2 is elected master in the VRRPv3 group because the GigE 0/0 interface has a higher IPv6 address than the GigE 1/0 interface on R3.
VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands. VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN.
Figure 124. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Switch-1 S1(conf)#ip vrf default-vrf 0 ! S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface GigabitEthernet 12/1 S1(conf-if-gi-12/1)#ip vrf forwarding VRF-1 S1(conf-if-gi-12/1)#ip address 10.10.1.5/24 S1(conf-if-gi-12/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
! S1(conf)#interface GigabitEthernet 12/3 S1(conf-if-gi-12/3)#ip vrf forwarding VRF-3 S1(conf-if-gi-12/3)#ip address 20.1.1.5/24 S1(conf-if-gi-12/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-gi-12/3-vrid-105)#priority 255 S1(conf-if-gi-12/3-vrid-105)#virtual-address 20.1.1.
VRRP in VRF: Switch-1 VLAN Configuration VRRP in VRF: Switch-2 VLAN Configuration Switch-1 S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface GigabitEthernet 12/4 S1(conf-if-gi-12/4)#no ip address S1(conf-if-gi-12/4)#switchport S1(conf-if-gi-12/4)#no shutdown ! S1(conf-if-gi-12/4)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.
S2(conf-if-vl-100-vrid-101)#priority 255 S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.2 S2(conf-if-vl-100)#no shutdown ! S2(conf-if-gi-12/4)#interface vlan 200 S2(conf-if-vl-200)#ip vrf forwarding VRF-2 S2(conf-if-vl-200)#ip address 10.10.1.2/24 S2(conf-if-vl-200)#tagged gigabitethernet 12/4 S2(conf-if-vl-200)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 2 will be 178. S2(conf-if-vl-200-vrid-101)#priority 255 S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.
192.168.0.
Standards Compliance 58 This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), Dell Networking OS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 9,252 bytes RFC and I-D Compliance Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard. General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 58.
Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support per platform for BGP protocols. Table 59. Border Gateway Protocol (BGP) RFC# Full Name S-Series/Z-Series 1997 BGP ComAmtturnibituitees 7.8.1 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 2439 BGP Route Flap Damping 7.8.
RFC# Full Name S-Series 1035 DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) 7.6.1 1042 A Standard for the Transmission of IP Datagrams over IEEE 802 Networks 7.6.1 1191 Path MTU Discovery 7.6.1 1305 Network Time Protocol (Version 3) Specification, Implementation and Analysis 7.6.1 1519 Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy 7.6.1 1542 Clarifications and Extensions for the Bootstrap Protocol 7.6.
RFC# Full Name S-Series 2711 IPv6 Router Alert Option 8.3.12.0 3587 IPv6 Global Unicast Address Format 7.8.1 4007 IPv6 Scoped Address Architecture 8.3.12.0 4291 Internet Protocol Version 6 (IPv6) Addressing Architecture 7.8.1 4443 Internet Control Message Protocol (ICMPv6) for the IPv6 Specification 7.8.1 4861 Neighbor Discovery for IPv6 8.3.12.0 4862 IPv6 Stateless Address Autoconfiguration 8.3.12.0 5175 IPv6 Router Advertisement Flags Option 8.3.12.
RFC# Full Name S-Series 5308 Routing IPv6 with IS-IS 8.3.10.0 draft-ietf-isis-igpp2p- overlan-06 Point-to-point operation over LAN in link-state routing protocols draft-kaplan-isis-e xt-eth-02 Extended Ethernet Frame Size Support Network Management The following table lists the Dell Networking OS support per platform for network management protocol. Table 63. Network Management RFC# Full Name 1155 Structure and 7.6.
RFC# Full Name S4810 S4820T Z-Series Internet Protocol using SMIv2 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 7.6.1 2013 SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 7.6.1 2024 Definitions of Managed Objects for Data Link Switching using SMIv2 7.6.1 2096 IP Forwarding Table MIB 7.6.
RFC# Full Name S4810 2576 Coexistence Between Version 1, Version 2, and Version 3 of the Internetstandard Network Management Framework 7.6.1 2578 Structure of Management 7.6.1 Information Version 2 (SMIv2) 2579 Textual Conventions for SMIv2 2580 Conformance Statements 7.6.1 for SMIv2 2618 RADIUS Authentication Client MIB, except the following four counters: S4820T Z-Series 9.5.(0.0) 9.5.(0.0) 7.6.1 7.6.
RFC# Full Name S4810 S4820T Z-Series 9.5.(0.0) 9.5.(0.0) Table, Ethernet History Table, Alarm Table, Event Table, Log Table 2863 The Interfaces Group MIB 7.6.1 2865 Remote Authentication Dial In User Service (RADIUS) 3273 Remote Network 7.6.1 Monitoring Management Information Base for High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History HighCapacity Table 3416 Version 2 of the Protocol 7.6.
RFC# Full Name 4750 S4810 S4820T Z-Series OSPF Version 2 9.5.(0.0) Management Information Base 9.5.(0.0) 9.5.(0.0) 4502 RMON v2 MIB 9.5(0.0) 9.5(0.0) 9.5(0.0) 5060 Protocol Independent Multicast MIB 7.8.1 ANSI/TIA-1057 The LLDP Management Information Base extension module for TIA-TR41.4 Media Endpoint Discovery information 7.7.1 draft-grant-tacacs -02 The TACACS+ Protocol 7.6.
RFC# Full Name S4810 IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) 7.7.1 IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) 7.7.1 ruzin-mstp-mib-0 2 (Traps) Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol 7.6.1 sFlow.
RFC# Full Name S4810 S4820T Z-Series the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) FORCE10LINKAGG-MIB Force10 Enterprise Link Aggregation MIB FORCE10CHASSIS-MIB Force10 E-Series Enterprise Chassis MIB FORCE10-COPYCONFIG-MIB Force10 File Copy MIB (supporting SNMP SET operation) 7.6.1 7.7.1 FORCE10-MONMIB Force10 Monitoring MIB 7.6.1 FORCE10PRODUCTS-MIB Force10 Product Object Identifier MIB 7.6.
RFC# Full Name S-Series 3569 An Overview of Source-Specific Multicast (SSM) 7.8.
RFC# Full Name S-Series 4191 Default Router Preferences and More- 8.3.12.0 Specific Routes MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.aspx You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/CSPortal20/Main/Login.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.
