Dell Networking Configuration Guide for the Z9500 Switch Version 9.2(1.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide......................................................................................................25 Audience..............................................................................................................................................25 Conventions........................................................................................................................................ 25 Related Documents...........................................................
Switch Management.............................................................................................. 47 Configuring Privilege Levels................................................................................................................47 Creating a Custom Privilege Level................................................................................................47 Removing a Command from EXEC Mode....................................................................................
Important Points to Remember......................................................................................................... 68 Enabling 802.1X...................................................................................................................................69 Configuring Request Identity Re-Transmissions............................................................................... 70 Configuring a Quiet Period after a Failed Authentication..........................................
Configure a Route Map for Route Redistribution...................................................................... 104 Configure a Route Map for Route Tagging................................................................................105 Continue Clause..........................................................................................................................105 7 Bare Metal Provisioning (BMP)..........................................................................
Additional Path (Add-Path) Support........................................................................................... 146 Advertise IGP Cost as MED for Redistributed Routes................................................................ 146 Ignore Router-ID for Some Best-Path Calculations.................................................................. 147 Four-Byte AS Numbers................................................................................................................
BGP Regular Expression Optimization............................................................................................. 188 Debugging BGP.................................................................................................................................188 Storing Last and Bad PDUs......................................................................................................... 189 Capturing PDUs....................................................................................
Last Restart Reason...........................................................................................................................235 Line Card Restart Causes and Reasons...................................................................................... 235 show hardware Commands............................................................................................................. 235 Environmental Monitoring...............................................................................
Enabling IP Source Address Validation...................................................................................... 268 DHCP MAC Source Address Validation......................................................................................269 Enabling IP+MAC Source Address Validation............................................................................ 269 14 Equal Cost Multi-Path (ECMP).........................................................................
Basic Interface Configuration...........................................................................................................293 Advanced Interface Configuration...................................................................................................293 Port Numbering Convention............................................................................................................293 Interface Types.....................................................................................
Define the Interface Range......................................................................................................... 316 Choosing an Interface-Range Macro.........................................................................................316 Monitoring and Maintaining Interfaces............................................................................................ 316 Displaying Traffic Statistics on High-Gigabit Ports.................................................................
Enabling ARP Learning via Gratuitous ARP...................................................................................... 339 ARP Learning via ARP Request......................................................................................................... 339 Configuring ARP Retries................................................................................................................... 340 ICMP................................................................................................
Clearing IPv6 Routes...................................................................................................................362 20 Link Aggregation Control Protocol (LACP).................................................365 Introduction to Dynamic LAGs and LACP....................................................................................... 365 Important Points to Remember................................................................................................. 365 LACP Modes.......
22 Link Layer Discovery Protocol (LLDP)...........................................................397 802.1AB (LLDP) Overview................................................................................................................. 397 Protocol Data Units.....................................................................................................................397 Optional TLVs....................................................................................................................
MSTP Sample Configurations.......................................................................................................... 430 Router 1 Running-ConfigurationRouter 2 Running-ConfigurationRouter 3 RunningConfigurationExample Running-Configuration........................................................................ 430 Debugging and Verifying MSTP Configurations.............................................................................. 433 24 Open Shortest Path First (OSPFv2 and OSPFv3)......
Port Monitoring................................................................................................................................. 477 Configuring Port Monitoring............................................................................................................ 478 26 Private VLANs (PVLAN)......................................................................................481 Private VLAN Concepts.......................................................................................
Weighted Random Early Detection.................................................................................................. 517 Creating WRED Profiles...............................................................................................................518 Applying a WRED Profile to Traffic............................................................................................. 518 Displaying Default and Configured WRED Profiles..............................................................
Configuring an EdgePort..................................................................................................................550 Configuring Fast Hellos for Link State Detection.............................................................................551 32 Security................................................................................................................. 553 AAA Accounting..................................................................................................
Marking Egress Packets with a DEI Value................................................................................... 591 Dynamic Mode CoS for VLAN Stacking........................................................................................... 591 Mapping C-Tag to S-Tag dot1p Values......................................................................................593 Layer 2 Protocol Tunneling........................................................................................................
Copy Configuration Files Using SNMP............................................................................................. 615 Copying a Configuration File...................................................................................................... 617 Copying Configuration Files via SNMP.......................................................................................618 Copying the Startup-Config Files to the Running-Config........................................................
Enabling SNMP Traps for Root Elections and Topology Changes................................................. 645 STP Loop Guard................................................................................................................................645 Configuring Loop Guard............................................................................................................ 646 Displaying STP Guard Configuration....................................................................................
Configuration Task List..................................................................................................................... 677 Creating a Port-Based VLAN.......................................................................................................677 Assigning Interfaces to a VLAN...................................................................................................678 Moving Untagged Interfaces...........................................................................
About this Guide 1 This guide describes the protocols and features that the Dell Networking Operating Software (OS) supports on the Z9500 system and provides configuration instructions and examples for implementing them. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
Configuration Fundamentals 2 The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information. • EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
CLI Command Mode Prompt Access Command AS-PATH ACL Dell(config-as-path)# ip as-path access-list 10 Gigabit Ethernet Interface Dell(conf-if-te-0/0)# interface (INTERFACE modes) 40 Gigabit Ethernet Interface Dell(conf-if-fo-0/0)# interface (INTERFACE modes) Interface Range Dell(conf-if-range)# interface (INTERFACE modes) Loopback Interface Dell(conf-if-lo-0)# interface (INTERFACE modes) Management Ethernet Interface Dell(conf-if-ma-0/0)# interface (INTERFACE modes) Null Interface Dell(co
CLI Command Mode Prompt Access Command ROUTE-MAP Dell(config-route-map)# route-map ROUTER BGP Dell(conf-router_bgp)# router bgp BGP ADDRESS-FAMILY Dell(conf-router_bgp_af)# address-family {ipv4 multicast | ipv6 unicast} (for IPv4) (ROUTER BGP Mode) Dell(confrouterZ_bgpv6_af)# (for IPv6) ROUTER ISIS Dell(conf-router_isis)# router isis ISIS ADDRESS-FAMILY Dell(conf-router_isisaf_ipv6)# address-family ipv6 unicast (ROUTER ISIS Mode) ROUTER OSPF Dell(conf-router_ospf)# router ospf ROUTER OSP
CLI Command Mode Prompt Access Command MONITOR SESSION Dell(conf-mon-sesssessionID)# monitor session OPENFLOW INSTANCE Dell(conf-of-instance-ofid)# openflow of-instance PORT-CHANNEL FAILOVERGROUP Dell(conf-po-failovergrp)# port-channel failovergroup PRIORITY GROUP Dell(conf-pg)# priority-group PROTOCOL GVRP Dell(config-gvrp)# protocol gvrp QOS POLICY Dell(conf-qos-policy-outets)# qos-policy-output VLT DOMAIN Dell(conf-vlt-domain)# vlt domain VRRP Dell(conf-if-interfacetype-slot/port
6 7 not present not present Undoing Commands When you enter a command, the command line is added to the running configuration file (runningconfig). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command. NOTE: Use the help or ? command as described in Obtaining Help.
• Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword. Dell(conf)#clock ? summer-time Configure summer (daylight savings) time timezone Configure time zone Dell(conf)#clock Entering and Editing Commands Notes for entering commands. • The CLI is not case-sensitive. • You can enter partial CLI keywords. – Enter the minimum number of letters to uniquely identify a command.
Short-Cut Key Combination Action Esc F Moves the cursor forward one word. Esc D Deletes all characters from the cursor to the end of the word. Command History The Dell Networking OS maintains a history of previously-entered commands for each mode. For example: • • When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands. When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.
557 615 508 720 19 30 25 22 533 12 2 1 529 523 646 445 579 329 655 244 74 190 130 290 330 410 60 1720 0 0 0 10 0 0 10 0 0 5670 0 270 30 30 19 13 29 33 41 6 172 0 0 0 1 0 0 1 0 0 567 0 27 3 3 10000 10000 10000 10000 10000 10000 10000 0 0 0 10000 0 0 10000 0 0 10000 0 10000 10000 10000 0.20% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.02% 0.02% 0.13% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0.
The save command copies the output to a file for future reference. NOTE: You can filter a single command output multiple times. The save option must be the last option entered. For example: Dell# command | grep regular-expression | except regular-expression | grep other-regular-expression | find regular-expression | save. Multiple Users in Configuration Mode The Z9500 operating system notifies all users when there are multiple users logged in to CONFIGURATION mode.
Getting Started 3 This chapter describes how you start configuring your Z9500 operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9500 console port to a terminal server. 2. Connect the other end of the cable to the DTE terminal server. 3.
• Characters within the string can be letters, digits, and hyphens. To create a host name, use the following command. • Create a host name. CONFIGURATION mode hostname name Example of the hostname Command Dell(conf)#hostname R1 R1(conf)# Accessing the System Remotely You can configure the system to access it remotely by Telnet or SSH. • The Z9500 has a dedicated management port and a management routing table that is separate from the IP routing table.
3. Enable the interface. INTERFACE mode no shutdown Configure a Management Route Define a path from the Z9500 to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the Z9500 through the management port. • Configure a management route to the network from which you are accessing the system. CONFIGURATION mode management route ip-address/mask gateway – ip-address: the network address in dotted-decimal format (A.B.C.D).
enable [password | secret] [level level] [encryption-type] password – level: is the privilege level, is 15 by default, and is not required – encryption-type: specifies how you are inputting the password, is 0 by default, and is not required. * 0 is for inputting the password in clear text. * 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell Networking OS Command Reference. • To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
Save the Running-Configuration The running-configuration contains the current system configuration. Dell Networking recommends coping your running-configuration to the startup-configuration. The system uses the startup-configuration during boot-up to configure the system. The startupconfiguration is stored in the internal flash on the system by default, but it can be saved on a USB flash device or a remote server.
• dir usbflash: View the running-configuration. EXEC Privilege mode • show running-config View the startup-configuration. EXEC Privilege mode show startup-config Example of the dir Command The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
! service timestamps log datetime ! logging coredump ! hostname pt-z9500-11 ! enable password 7 b125455cf679b208e79b910e85789edf ! username admin password 7 1d28e9f33f99cf5c ! linecard 0 provision Z9500LC36 --More— View Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command.
Switch Management 4 This chapter describes the switch management tasks supported on the Z9500. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1. Level Description Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode privilege {configure |interface | line | route-map | router} level level {command ||...
Dell(conf)#line vty 0 Dell(config-line-vty)#? exit Exit from line configuration mode Dell(config-line-vty)# Applying a Privilege Level to a Username To set the user privilege level, use the following command. • Configure a privilege level for a user. CONFIGURATION mode username username privilege level Applying a Privilege Level to a Terminal Line To set a privilege level for a terminal line, use the following command. • Configure a privilege level for a user.
Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer. Configuration Task List for System Log Management There are two configuration tasks for system log management: • Disable System Logging • Send System Messages to a Syslog Server Disabling System Logging By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers.
– Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log – Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log In the previous lines, local7 is the logging facility level and debugging is the severity level. Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level. Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode.
CONFIGURATION mode logging facility [facility-type] – auth (for authorization messages) – cron (for system scheduler messages) – daemon (for system daemons) – kern (for kernel messages) – local0 (for local use) – local1 (for local use) – local2 (for local use) – local3 (for local use) – local4 (for local use) – local5 (for local use) – local6 (for local use) – local7 (for local use) – lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system us
Synchronizing Log Messages You can configure the Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. 1. Enter LINE mode.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command. File Transfer Services You can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces. For more information about FTP, refer to RFC 959, File Transfer Protocol.
ftp-server username username password [encryption-type] password Configure the following optional and required parameters: – username: enter a text string. – encryption-type: enter 0 for plain text or 7 for encrypted text. – password: enter a text string. NOTE: You cannot use the change directory (cd) command until you have configured ftpserver topdir. To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Denying and Permitting Access to a Terminal Line Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines. • Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic. • You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line. To apply an IP ACL to a line, Use the following command.
tacacs+ 1. Prompt for a username and password and use a TACACS+ server to authenticate. Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty. CONFIGURATION mode aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6] 2. Apply the method list from Step 1 to a terminal line.
Example of Setting the Time Out Period for EXEC Privilege Mode The following example shows how to set the time-out period and how to view the configuration using the show config command from LINE mode. Dell(conf)#line con 0 Dell(config-line-console)#exec-timeout 0 Dell(config-line-console)#show config line console 0 exec-timeout 0 0 Dell(config-line-console)# Using Telnet to Access Another Network Device To telnet to another device, use the following commands.
Lock CONFIGURATION Mode The system allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual. • Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access.
Recovering from a Forgotten Password on the Z9500 If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, follow these steps: 1. Log onto the system using the console. 2. Power-cycle the chassis by disconnecting and.then reconnecting the power cord. 3. During bootup, press Esc when prompted to abort the boot process. 4.
Recovering from a Failed Start on the Z9500 A switch that does not start correctly might be trying to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. 1. Power-cycle the chassis (pull the power cord and reinsert it). 2. During bootup, press the ESC key when this message appears: Press Esc to stop autoboot...
802.1X 5 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAPMethod). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
• 802.1X is not supported on port-channels or port-channel members. Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication 802.
Examples of Verifying that 802.1X is Enabled Globally or on an Interface Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold lines show that 802.1X is enabled. Dell#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface TenGigabitEthernet 2/1 no ip address dot1x authentication no shutdown ! Dell# View 802.
To configure re-transmissions, use the following commands. • Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame. INTERFACE mode dot1x tx-period number The range is from 1 to 65535 (1 year) • The default is 30. Configure a maximum number of times the authenticator re-transmits a Request Identity frame. INTERFACE mode dot1x max-eap-req number The range is from 1 to 10. The default is 2.
The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions. Dell(conf-if-range-Te-0/0)#dot1x tx-period 90 Dell(conf-if-range-Te-0/0)#dot1x max-eap-req 10 Dell(conf-if-range-Te-0/0)#dot1x quiet-period 120 Dell#show dot1x interface TenGigabitEthernet 2/1 802.
----------------------------Dot1x Status: Enable Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Disable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 2 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 3600 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Backend State: Initialize Re-Authenticating a Port You can configure the authent
Port Control: FORCE_AUTHORIZED Port Auth Status: UNAUTHORIZED Re-Authentication: Enable Untagged VLAN id: None Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10 Supplicant Timeout: 30 seconds Server Timeout: 30 seconds Re-Auth Interval: 7200 seconds Max-EAP-Req: 10 Auth Type: SINGLE_HOST Auth PAE State: Initialize Backend State: Initialize Auth PAE State: Initialize Backend State: Initialize Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator
Guest VLAN: Disable Guest VLAN id: NONE Auth-Fail VLAN: Disable Auth-Fail VLAN id: NONE Auth-Fail Max-Attempts: NONE Tx Period: 90 seconds Quiet Period: 120 seconds ReAuth Max: 10 Supplicant Timeout: 15 seconds Server Timeout: 15 seconds Re-Auth Interval: 7200 seconds Max-EAP-Req: 10 Auth Type: Auth PAE State: Backend State: SINGLE_HOST Initialize Initialize Enter the tasks the user should do after finishing this task (optional).
Figure 7. Dynamic VLAN Assignment 1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown Dell(conf-if-Te-2/1)# Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-Te-2/1)# View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or usin
Access Control Lists (ACLs) 6 This chapter describes access control lists (ACLs), prefix lists, and route-maps. • Access control lists (ACLs), Ingress IP and MAC ACLs , and Egress IP and MAC ACLs are supported on the Z9500. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already written into CAM) without disrupting traffic flow. Existing entries in the CAM are shuffled to accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs and on all platforms. NOTE: Hot lock ACLs are supported for Ingress ACLs only. CAM Usage The following section describes CAM allocation and CAM optimization.
Implementing ACLs You can assign one IP ACL per physical or VLAN interface. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected.
Example of the order Keyword to Determine ACL Sequence Dell(conf)#ip access-list standard acl1 Dell(config-std-nacl)#permit 20.0.0.0/8 Dell(config-std-nacl)#exit Dell(conf)#ip access-list standard acl2 Dell(config-std-nacl)#permit 20.1.1.
Example of Denying Second and Subsequent Fragments To deny the second/subsequent fragments, use the same rules in a different order. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and nonfragmented packets with destination IP 10.1.1.1. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments Dell(conf-ext-nacl)#permit ip any 10.1.1.
When an ACL filters packets, it looks at the fragment offset (FO) to determine whether it is a fragment. • • FO = 0 means it is either the first fragment or the packet is a non-fragment. FO > 0 means it is dealing with the fragments of the original packet. Configure a Standard IP ACL To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line Interface Reference Guide.
! ip access-list standard dilling seq 15 permit tcp 10.3.0.0/16 any seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)# To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode. Configuring a Standard IP ACL Filter If you are creating a standard ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of five. 1.
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49 seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813 To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.
Configure Filters, TCP Packets To create a filter for UDP packets with a specified sequence number, use the following commands. 1. Create an extended IP ACL and assign it a unique name. CONFIGURATION mode ip access-list extended access-list-name 2. Configure an extended IP ACL filter for UDP packets.
CONFIG-EXT-NACL mode {deny | permit} udp {source mask | any | host ip-address}} [count [byte]] [order] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. The following example shows an extended IP ACL in which the sequence numbers were assigned by the software.
L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Permit Deny L3 ACL denies. Permit Permit L3 ACL permits. NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features (such as trace-list, policy-based routing [PBR], and QoS) are applied to the permitted traffic. For information about MAC ACLs, refer to Layer 2.
4. Apply rules to the new ACL. INTERFACE mode ip access-list [standard | extended] name To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode. Example of Viewing ACLs Applied to an Interface Dell(conf-if)#show conf ! interface TengigabitEthernet 0/0 ip address 10.2.1.100 255.255.255.
Dell#configure terminal Dell(conf)#ip access-list extended abcd Dell(config-ext-nacl)#permit tcp any any Dell(config-ext-nacl)#deny icmp any any Dell(config-ext-nacl)#permit 1.1.1.2 Dell(config-ext-nacl)#end Dell#show ip accounting access-list ! Extended Ingress IP access list abcd on gigethernet 0/0 seq 5 permit tcp any any seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are supported on interfaces and affect the traffic leaving the system.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20. The following rules apply to prefix lists: • A prefix list without any permit or deny filters allows all routes. • An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list. • After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
Example of Assigning Sequence Numbers to Filters If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix list. To permit the default route only, enter permit 0.0.0.0/0. The following example shows how the seq command orders the filters according to the sequence number assigned.
Dell(conf-nprefixl)#show conf ! ip prefix-list awe seq 5 permit 123.23.0.0/16 seq 10 deny 133.0.0.0/8 Dell(conf-nprefixl)# To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence number of the filter you want to delete, then use the no seq sequence-number command in PREFIX LIST mode. Viewing Prefix Lists To view all configured prefix lists, use the following commands. • Show detailed information about configured prefix lists.
• Enter RIP mode. CONFIGURATION mode • router rip Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded. CONFIG-ROUTER-RIP mode • distribute-list prefix-list-name in [interface] Apply a configured prefix list to outgoing routes. You can specify an interface or type of route. If you enter the name of a non-existent prefix list, all routes are forwarded.
Dell(conf-router_ospf)#show config ! router ospf 34 network 10.2.1.1 255.255.255.255 area 0.0.0.1 distribute-list prefix awe in Dell(conf-router_ospf)# ACL Resequencing ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. To order new rules using the current numbering scheme, use resequencing whenever there is no opportunity.
EXEC mode resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Stepto-Increment} Examples of Resequencing ACLs When Remarks and Rules Have the Same Number or Different Numbers The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2. Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command.
remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.2 seq 8 permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.3 seq 12 permit ip any host 1.1.1.
Creating a Route Map Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command. • Create a route map and assign it a unique name. The optional permit and deny keywords are the action of the route map.
Set clauses: tag 35 level stub-area Dell# The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
route-map for any permit statement. If there is a match anywhere, the route is permitted. However, other instances of the route-map deny it.
CONFIG-ROUTE-MAP mode • match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode • match ip route-source {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode • match ipv6 route-source {access-list-name | prefix-list prefix-list-name} Match routes with a specific value.
• set local-preference value Specify a value for redistributed routes. CONFIG-ROUTE-MAP mode • set metric {+ | - | metric-value} Specify an OSPF or ISIS type for redistributed routes. CONFIG-ROUTE-MAP mode • set metric-type {external | internal | type-1 | type-2} Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode • set next-hop ip-address Assign an IPv6 address as the route’s next hop. CONFIG-ROUTE-MAP mode • set ipv6 next-hop ip-address Assign an ORIGIN attribute.
that have a next hop of Tengigabitethernet interface 0/0 and that have a metric of 255 are redistributed into the OSPF backbone area. NOTE: When re-distributing routes using route-maps, you must create the route-map defined in the redistribute command under the routing protocol. If you do not create a route-map, NO routes are redistributed.
set community 1:1 1:2 1:3 set as-path prepend 1 2 3 4 5 continue 30! 106 Access Control Lists (ACLs)
Bare Metal Provisioning (BMP) 7 Starting with Dell Networking OS Release 9.2(1.0), BMP is supported on the Z9500 switch. This chapter describes the latest Bare Metal Provisioning (BMP) enhancements that apply to the Z9500. For details about supported BMP commands and configuration procedures, refer to the Dell Networking Open Automation Guide.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 8. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description NOTE: The Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear. Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session.
Active The active system initiates the BFD session. Both systems can be active for the same session. Passive The passive system does not initiate a session. It only responds to a request for session initialization from the active system. A BFD session has two modes: Asynchronous mode In Asynchronous mode, both systems send periodic control messages at an agreed upon interval to indicate that their session status is Up.
system sends a final response indicating the state change. After this, periodic control packets are exchanged. Figure 9. BFD Three-Way Handshake State Changes Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system.
receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10. Session State Changes Important Points to Remember • On the Z9500, the system supports 128 sessions at 200 minimum transmit and receive intervals with a multiplier of 3, and 64 sessions at 100 minimum transmit and receive intervals with a multiplier of 4. • Enable BFD on both ends of a link. • Demand mode, authentication, and the Echo function are not supported.
• Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Static Routes Configuring BFD for static routes is supported on the Z9500 switch.. BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop.
R1(conf)#ip route 2.2.3.0/24 2.2.2.2 R1(conf)#ip route bfd R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.2 Te 4/24 Up 100 100 4 R To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
2. Establish sessions with OSPF neighbors. Related Configuration Tasks • Changing OSPF Session Parameters • Disabling BFD for OSPF Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 12.
ROUTER-OSPF mode • bfd all-neighbors Establish sessions with OSPF neighbors on a single interface. INTERFACE mode ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPFv3 neighbors.
ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state.
• Disabling BFD for IS-IS Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 13. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors.
The bold line shows that IS-IS BFD sessions are enabled. R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role.
INTERFACE mose isis bfd all-neighbors disable Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature. Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1.
Figure 14. Establishing Sessions with BGP Neighbors The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peergroup-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition. 1. Enable BFD globally. CONFIGURATION mode bfd enable 2. Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode router bgp as-number 3. Add a BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number 4.
ROUTER BGP mode • neighbor {ip-address | peer-group-name} bfd disable Remove the disabled state of a BFD for BGP session with a specified neighbor. ROUTER BGP mode no neighbor {ip-address | peer-group-name} bfd disable Use BFD in a BGP Peer Group You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
Examples of Verifying BGP Information The following example shows viewing a BGP configuration. R2# show running-config bgp ! router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors The following example shows viewing all BGP neighbors.
Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
The following example shows viewing BFD summary information. The bold line shows the message that displays when you enable BFD for BGP connections. R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.2 2.2.2.2 3.3.3.
Foreign host: 2.2.2.2, Foreign port: 179 R2# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ... R2# show ip bgp neighbors 2.2.2.4 BGP neighbor is 2.2.2.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 15. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
The following example shows viewing sessions with VRRP neighbors. The bold line shows that VRRP BFD sessions are enabled. R1(conf-if-te-4/25)#vrrp bfd all-neighbors R1(conf-if-te-4/25)#do show bfd neighbor * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.5.1 2.2.5.2 Te 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command.
Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP session on an interface, use the following commands. • Disable all VRRP sessions on an interface. INTERFACE mode • no vrrp bfd all-neighbors Disable all VRRP sessions in a VRRP group.
Border Gateway Protocol IPv4 (BGPv4) 9 This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 16. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 17. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Because BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision. • • If a route was received from a nonclient peer, reflect the route to all client peers. If the route was received from a client peer, reflect the route to all nonclient and all client peers.
• Local Preference • Multi-Exit Discriminators (MEDs) • Origin • AS Path • Next Hop Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp nondeterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time.
Figure 19. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. 4. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths. 8. Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains. 9. The system deems the paths as equal and does not perform steps 9 through 11, if the following criteria is met: a. the IBGP multipath or EBGP multipath are configured (the maximum-path command).
and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B. Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria.
Figure 21. Multi-Exit Discriminators Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE. Origin Type Description IGP Indicates the prefix originated from information learned through an interior gateway protocol. EGP Indicates the prefix originated from information learned from an EGP protocol, which NGP replaced. INCOMPLETE Indicates that the prefix originated from an unknown source.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP The following sections describe how BGP is implemented on the Z9500 switch. Additional Path (Add-Path) Support The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID for Some Best-Path Calculations You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers The 4-Byte (32-bit) format is supported to configure autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
• All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI and when displayed in the show commands outputs. • AS Numbers larger than 65535 is represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10. ASDOT representation combines the ASPLAIN and ASDOT+ representations.
Example of the Running Configuration When AS Notation is Disabled AS NOTATION DISABLED Dell(conf-router_bgp)#no bgp asnotation Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 22. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB. • To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Networking recommends setting the timeout and retry count values to a relatively higher number. For example, t = 60 or r = 5. • To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public.
Table 7. BGP Default Values Item Default BGP Neighbor Adjacency changes All BGP neighbor changes are logged.
1. Assign an AS number and enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system. NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically. a. Enable 4-Byte support for the BGP process. NOTE: This command is OPTIONAL. Enable if you want to use 4-Byte AS numbers or if you support AS4 number representation.
Examples of the show ip bgp summary Command (2-Byte and 4–Byte AS number) NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode. To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode.
NOTE: The showconfig command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command. The following example displays two neighbors: one is an external internal BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is an external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State.
network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.
Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command. Dell(conf-router_bgp)#bgp asnotation asplain Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.
NOTE: Sample Configurations for enabling peer groups are found at the end of this chapter. 1. Create a peer group by assigning a name to it. CONFIG-ROUTERBGP mode neighbor peer-group-name peer-group 2. Enable the peer group. CONFIG-ROUTERBGP mode neighbor peer-group-name no shutdown By default, all peer groups are disabled. 3. Create a BGP neighbor. CONFIG-ROUTERBGP mode neighbor ip-address remote-as as-number 4. Enable the neighbor. CONFIG-ROUTERBGP mode neighbor ip-address no shutdown 5.
• • • • • • neighbor neighbor neighbor neighbor neighbor neighbor distribute-list out filter-list out next-hop-self route-map out route-reflector-client send-community A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates.
Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.1 10.68.171.1 10.68.172.1 10.68.173.1 10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 10.68.179.1 10.68.180.
Examples of Verifying that Fast Fail-Over is Enabled To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast fail-over is disabled by default, it appears only if it has been enabled (shown in bold). Dell#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.
For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* Dell# router bgp neighbor neighbor neighbor neighbor neighbor neighbor neighbor Dell# 65517 test peer-group test fail-over test no shutdown 100.100.100.100 remote-as 65517 100.100.100.100 fail-over 100.100.100.100 update-source Loopback 0 100.100.100.
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group. For more information about peer groups, refer to Configure Peer Groups. Maintaining Existing AS Numbers During an AS Migration The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration.
neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)# Allowing an AS Number to Appear in its Own AS Path This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of times in the update received from the peer, even if that ASN matches its own. The AS-PATH loop is detected if the local ASN is present more than the specified number of times in the command.
With the graceful restart feature, the system enables the receiving/restarting mode by default. In Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability when they restart. This option provides support for remote peers for their graceful restart without supporting the feature itself. You can implement BGP graceful restart either by neighbor or by BGP peer-group. For more information, refer to the Dell Networking OS Command Line Interface Reference Guide.
To configure an AS-PATH ACL to filter a specific AS_PATH value, use these commands in the following sequence. 1. Assign a name to a AS-PATH ACL and enter AS-PATH ACL mode. CONFIGURATION mode ip as-path access-list as-path-name 2. Enter the parameter to match BGP AS-PATH for filtering. CONFIG-AS-PATH mode {deny | permit} filter parameter This is the filter that is used to match the AS-path. The entries can be any format, letters, numbers, or regular expressions.
0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 701 701 209 701 701 209 701 209 3561 9116 21350 i 1239 577 855 ? 3561 4755 17426 i 5743 2648 i 209 568 721 1494 i 701 2019 i 8584 16158 i 6453 4759 i Regular Expressions as Filters Regular expressions are used to filter AS paths or community lists.
Example of Using Regular Expression to Filter AS Paths Dell(config)#router bgp 99 Dell(conf-router_bgp)#neigh AAA peer-group Dell(conf-router_bgp)#neigh AAA no shut Dell(conf-router_bgp)#show conf ! router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown Dell(conf-router_bgp)#neigh 10.155.15.
– metric value: The value is from 0 to 16777215. The default is 0. • – map-name: name of a configured route map. Include specific OSPF routes in IS-IS. ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id: the range is from 1 to 65535. – match external: the range is from 1 or 2. – match internal – metric-type: external or internal.
• All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised. • All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.
deny 14551:666 Dell# Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create a extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group. 1. Enter ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
Dell>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network * i 3.0.0.0/8 *>i 4.2.49.12/30 * i 4.21.132.0/23 *>i 4.24.118.16/30 *>i 4.24.145.0/30 *>i 4.24.187.12/30 *>i 4.24.202.0/30 *>i 4.25.88.0/30 *>i 6.1.0.0/16 *>i 6.2.0.0/22 *>i 6.3.0.0/18 *>i 6.4.0.0/16 *>i 6.5.0.0/19 *>i 6.8.0.0/20 *>i 6.9.0.0/20 *>i 6.10.0.0/15 *>i 6.14.0.0/15 *>i 6.133.0.
CONFIG-ROUTER-BGP mode bgp default local-preference value – value: the range is from 0 to 4294967295. The default is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
set next-hop ip-address Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Assign a weight to the neighbor connection. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} weight weight – weight: the range is from 0 to 65535. • The default is 0. Sets weight for the route.
• prefix lists (using the neighbor distribute-list command) • AS-PATH ACLs (using the neighbor filter-list command) • route maps (using the neighbor route-map command) Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map. For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control Lists (ACLs).
configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list permit 0.0.0.0/0 le 32). • After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. To view the BGP configuration, use the show config command in ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode.
Filtering BGP Routes Using AS-PATH Information To filter routes based on AS-PATH information, use these commands. 1. Create a AS-PATH ACL and assign it a name. CONFIGURATION mode ip as-path access-list as-path-name 2. Create a AS-PATH ACL filter with a deny or permit action. AS-PATH ACL mode {deny | permit} as-regular-expression 3. Return to CONFIGURATION mode. AS-PATH ACL exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5.
• Assign an ID to a router reflector cluster. CONFIG-ROUTER-BGP mode bgp cluster-id cluster-id • You can have multiple clusters in an AS. Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-reflector-client When you enable a route reflector, the system automatically enables route reflection to all clients.
Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
• history entry — an entry that stores information on a downed route • dampened path — a path that is no longer advertised • penalized path — a path that is assigned a penalty To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands.
show ip bgp flap-statistics [ip-address [mask]] [filter-list as-path-name] [regexp regular-expression] – ip-address [mask]: enter the IP address and mask. – filter-list as-path-name: enter the name of an AS-PATH ACL. – regexp regular-expression: enter a regular express to match on. • By default, the path selection is deterministic, that is, paths are compared irrespective of the order of their arrival.
Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths Neighbor AS MsgRcvd MsgSent TblVer 10.114.8.34 18508 82883 79977 780266 10.114.8.33 18508 117265 25069 780266 Dell> InQ OutQ Up/Down State/PfxRcd 0 2 00:38:51 118904 0 20 00:38:50 102759 To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode. Changing BGP Timers To configure BGP timers, use either or both of the following commands.
To reset a BGP connection using BGP soft reconfiguration, use the clear ip bgp command in EXEC Privilege mode at the system prompt. When you enable soft-reconfiguration for a neighbor and you execute the clear ip bgp soft in command, the update database stored in the router is replayed and updates are reevaluated. With this command, the replay and update process is triggered only if a route-refresh request is not negotiated with the peer.
Route Map Continue The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If you do not specify a sequence number, the continue feature moves to the next sequence number (also known as an “implied continue”). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI. • Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively. • If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
EXEC Privilege mode • debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out] View information about BGP updates and filter by prefix name. EXEC Privilege mode • debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name] Enable soft-reconfiguration debug.
Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) For address family: IPv4 Unicast BGP table version 1395, neighbor version 1394 Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer Prefixes advertised 0, rejected 0, 0 withdrawn from peer Connections established 3; dropped 2 Last reset 00:00:12, due to Missing well known attribute Notification History 'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Rec
00000000 00000000 00000000 00000000 0181a1e4 0181a25c 41af92c0 00000000 00000000 00000000 00000000 00000001 0181a1e4 0181a25c 41af9400 00000000 PDU[2] : len 19, captured 00:34:51 ago ffffffff ffffffff ffffffff ffffffff 00130400 PDU[3] : len 19, captured 00:34:51 ago ffffffff ffffffff ffffffff ffffffff 00130400 PDU[4] : len 19, captured 00:34:22 ago ffffffff ffffffff ffffffff ffffffff 00130400 [. . .] Outgoing packet capture enabled for BGP neighbor 20.20.20.
Sample Configurations The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. The following illustration shows the configurations described on the following examples.
no shutdown R1(conf-if-lo-0)#int tengig 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TenGigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-te-1/21)#int tengig 1/31 R1(conf-if-te-1/31)#ip address 10.0.3.31/24 R1(conf-if-te-1/31)#no shutdown R1(conf-if-te-1/31)#show config ! interface TenGigabitEthernet 1/31 ip address 10.0.3.31/24 no shutdown R1(conf-if-te-1/31)#router bgp 99 R1(conf-router_bgp)#network 192.168.
R2(conf-if-te-2/11)#no shutdown R2(conf-if-te-2/11)#show config ! interface TenGigabitEthernet 2/11 ip address 10.0.1.22/24 no shutdown R2(conf-if-te-2/11)#int tengig 2/31 R2(conf-if-te-2/31)#ip address 10.0.2.2/24 R2(conf-if-te-2/31)#no shutdown R2(conf-if-te-2/31)#show config ! interface TenGigabitEthernet 2/31 ip address 10.0.2.2/24 no shutdown R2(conf-if-te-2/31)# R2(conf-if-te-2/31)#router bgp 99 R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.
R3(conf-if-lo-0)#int tengig 3/11 R3(conf-if-te-3/11)#ip address 10.0.3.33/24 R3(conf-if-te-3/11)#no shutdown R3(conf-if-te-3/11)#show config ! interface TenGigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int tengig 3/21 R3(conf-if-te-3/21)#ip address 10.0.2.3/24 R3(conf-if-te-3/21)#no shutdown R3(conf-if-te-3/21)#show config ! interface TenGigabitEthernet 3/21 ip address 10.0.2.
R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB R1(conf-router_bgp)# R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 peer-group AAA neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 peer-group BBB neighbor 192.168.128.
Connections established 2; dropped 1 Last reset 00:00:57, due to user reset Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.1, Local port: 179 Foreign host: 192.168.128.2, Foreign port: 65464 BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
neighbor 192.168.128.3 neighbor 192.168.128.3 neighbor 192.168.128.3 neighbor 192.168.128.3 R2(conf-router_bgp)#end remote-as 100 peer-group BBB update-source Loopback 0 no shutdown R2# R2#show ip bgp summary BGP router identifier 192.168.128.
192.168.128.1 99 93 192.168.128.2 99 122 R3#show ip bgp neighbor 99 120 1 1 0 0 (0) (0) 00:00:15 00:00:11 1 1 BGP neighbor is 192.168.128.1, remote AS 99, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
Local host: 192.168.128.2, Local port: 65464 Foreign host: 192.168.128.1, Foreign port: 179 BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
Content Addressable Memory (CAM) 10 CAM is a type of memory that stores information in the form of a lookup table. On the Z9500, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe. CAM Allocation CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks.
Ipv4Qos L2Qos L2PT IpMacAcl VmanQos EcfmAcl Openflow : : : : : : : 2 1 0 0 0 0 0 -- linecard 2 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Test CAM Usage The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
Openflow : 0 -- linecard 0 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 -- linecard 1 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 -- linecard 2 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1
| | | | | | | | 1 | | | | | --More-- | | | | | | | | 1 | | | | | IN-L3-PBR IN-V6 ACL IN-V6 FIB IN-V6-SysFlow IN-V6-McastFib OUT-L2 ACL OUT-L3 ACL OUT-V6 ACL IN-L2 ACL IN-L2 FIB IN-L3 ACL IN-L3 FIB IN-L3-SysFlow | | | | | | | | | | | | | 1024 0 0 0 0 1024 1024 0 320 32768 12288 262141 2878 | | | | | | | | | | | | | 0 0 0 0 0 0 0 0 0 1136 2 14 44 | | | | | | | | | | | | | 1024 0 0 0 0 1024 1024 0 320 31632 12286 262127 2834 Return to the Default CAM Configuration Return to the default CAM Profile, mi
Applications for CAM Profiling The following describes link aggregation group (LAG) hashing. LAG Hashing The Dell Networking OS includes a CAM profile and microcode that treats MPLS packets as non-IP packets. Normally, switching and LAG hashing is based on source and destination MAC addresses. Alternatively, you can base LAG hashing for MPLS packets on source and destination IP addresses. This type of hashing is allowed for MPLS packets with five labels or less.
Control Plane Policing (CoPP) 11 Control plane policing (CoPP) protects the Z9500 routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
Queue-based Control Plane Policing When configuring a queue-based CoPP policy, take into account that there are twenty-four CP queues divided into groups of eight queues for the Route Processor, Control Processor, and line-card CPUs: • Queues 0 to 7 process packets destined to the Control Processor CPU . • Queues 8 to 15 process packets destined to the Route Processor CPU. • Queues 16 to 23 process packets destined to the line-card CPU.
19 — 1 20 Source miss, Station move, Trace flow 600 21 BFD 7000 22 HyperPull, FRRP 800 23 sFlow 5000 NOTE: In the line-card CPU, some queues have no protocol traffic mapped to them. These rows appear blank in the preceding table. CoPP Example The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch. The following illustration shows how CoPP rate limits protocol traffic destined to the control-plane CPU. Figure 24.
Figure 25. CoPP Versus Non-CoPP Operation Configure Control Plane Policing You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic. Configuring CoPP for Protocols This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic.
For complete information about creating ACL rules and QoS policies, refer to Access Control Lists (ACLs) and Quality of Service (QoS). 1. Create a Layer 2 extended ACL for specified protocol traffic. CONFIGURATION mode mac access-list extended name permit {arp | frrp | gvrp | isis | lacp | lldp | stp} cpu-qos 2. Create a Layer 3 extended ACL for specified protocol traffic.
Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#mac access-list extended lacp cpu-qos Dell(conf-mac-acl-cpuqos)#permit lacp Dell(conf-mac-acl-cpuqos)#exit Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos Dell(conf-ipv6-acl-cpuqos)#permit icmp Dell(conf-ipv6-acl-cpuqos)#exit Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos Dell(conf-ipv6-acl-cpuqos)#permit vrrp Dell(conf-ipv6-acl-cpuqos)#exit Example of Creating a QoS Rate-Limiting Input Policy Dell(conf)#qos-policy-in rate_limit_200k cpu-qos Dell(conf-in-qos-policy-cpuq
Configuring CoPP for CPU Queues This section describes how to create a queue-based CoPP service policy and apply it to control plane traffic. Controlling traffic on the CPU queues of the control plane does not require ACL rules; only QoS ratelimiting policies are used.
Example of Assigning a QoS Policy to a CPU Queue Dell(conf)#policy-map-input cpuq_rate_policy cpu-qos Dell(conf-qos-policy-in)#service-queue 5 qos-policy cpuq_1 Dell(conf-qos-policy-in)#service-queue 6 qos-policy cpuq_2 Dell(conf-qos-policy-in)#service-queue 7 qos-policy cpuq_1 Example of Applying a Queue-Based Rate Limit to Control Plane Traffic Dell#conf Dell(conf)#control-plane Dell(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy Displaying CoPP Configuration The CLI provides s
ARP FRRP LACP LLDP GVRP STP ISIS any 01:01:e8:00:00:10/11 01:80:c2:00:00:02 any 01:80:c2:00:00:21 01:80:c2:00:00:00 01:80:c2:00:00:14/15 09:00:2b:00:00:04/05 0x0806 any 0x8809 0x88cc any any any any Q2/Q10/Q3/Q11 Q22 Q15 Q7 Q14 Q15 Q15 Q15 CP/RP LP RP CP RP RP RP RP 600 300 500 500 200 150 500 500 Viewing IPv4 Protocol-Queue Mapping To view the queues to which IPv4 protocol traffic is assigned, use the show ip protocol-queuemapping command.
v6 ICMP NS v6 ICMP RS Q2/Q10 Q2/Q10 CP/RP CP/RP 600 600 600 600 Viewing Complete Protocol-Queue Mapping To view the queues to which all protocol traffic is assigned, use the show protocol-queue-mapping command.
ICMP 2000 2000 IGMP 2000 2000 PIM 2000 2000 MSDP 2000 2000 BFD 3000 3000 802.
SOURCE MISS 500 500 STATION MOVE 500 500 Q20 LP 200 200 Q20 LP 200 200 Troubleshooting CoPP Operation To troubleshoot CoPP operation, use the debug commands described in this section. Enabling CPU Traffic Statistics During high-traffic network conditions, you may want to manually enable the collection of CPU traffic statistics by entering the debug cpu-traffic-stats command. Statistic collection begins as soon as you enter the command, not when the system boots up.
Troubleshooting CPU Packet Loss To troubleshoot the reason for CPU packet loss, you can display statistics about system flows on the central switch (aggregated CoPP) or on a specified set of Z9500 ports by entering the show hardware system-flow layer2 [cp-switch | linecard slot-id portset port-pipe] command. The number of hits for each system flow is also displayed.
InPorts DATA=0x0000000000000000000000000000000000000000000000000000222222222222 MASK=0x0000000000000000000000000000000000000000000000000000222222222223 DstMac Offset: 88 Width: 48 DATA=0x00000180 c2000002 MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=3(0x3), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, param0=1(0x1), param1=4(0x4),
--More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP Entry ########################## --More-######################## FP E
control-plane CPU after protocol-based rate limiting is applied. Drop Counters displays the number of bytes of control-plane traffic that have been dropped as a result of protocol-based rate limiting. Dell#show control-traffic protocol linecard 2 portset 0 counters Protocol RxBytes TxBytes ------------------STP 14956278172 403036 LLDP 15029657016 559096 PVST 0 0 LACP 15122824104 556648 GVRP 14988129080 551480 ARP RESP/ARP REQ 29604578172 3559868 802.
L2PT v6 BGP v6 OSPF v6 VRRP MLD v6 ICMP NA v6 ICMP RA v6 ICMP NS v6 ICMP RS v6 ICMP BGP OSPF RIP VRRP ICMP IGMP PIM MSDP BFD ON PHYSICAL PORTS BFD ON LOGICAL PORTS 802.
Viewing Per-Queue CoPP Counters To view per-queue counters of CoPP rate-limited traffic, use the show control-traffic queue {all | queue-id queue-number} counters command. The range of queue-number values is from 0 to 23. The twenty-four control–plane queues are divided into groups of eight queues for the Route Processor, Control Processor, and line-card CPUs as follows: • Queues 0 to 7 process packets destined to the Control Processor CPU .
Debugging and Diagnostics 12 This chapter describes the debugging and diagnostics tasks you can perform on the switch. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostic tests are grouped into three levels: • • • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, they verify the identification registers of the components on the board.
3. Start diagnostics on the switch. diag system unit When the tests complete, the system displays a syslog message: 00:13:17 : Diagnostic test results are stored on file: flash:/TestReportLP-0.txt 00:13:19 : Diagnostic test results are stored on file: flash:/TestReportLP-1.txt 00:13:20 : Diagnostic test results are stored on file: flash:/TestReportLP-2.
is issued.
00:11:06: %Z9500LC12:2 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on linecard 2 00:11:06 : Approximate time to complete the Diags (all levels)... 10 Mins 00:11:06: %SYSTEM:LP %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on CP unit 00:11:06 : Approximate time to complete the Diags (all levels)... 10 Mins 00:13:17 : Diagnostic test results are stored on file: flash:/TestReportLP-0.txt 00:13:19 : Diagnostic test results are stored on file: flash:/TestReportLP-1.
Example of a Test Log Report (All Levels) for Control Processor: TestReport-CP.txt Dell# show file flash://TestReport-CP.txt DELL DIAGNOSTICS-Z9500-CP00 PPID PPID Rev Service Tag Part Number Part Number Revision SW Version ------- [0] US0WGHX2779513AG00T X00 6NHW6Z1 7520072402 H 9.2(1.0B2) Available free memory: 2,231,607,296 bytes LEVEL 0 DIAGNOSTIC eepromTest .................................................. PASS Starting test: fabricAccessTest ......
PSU[3] sensor[1] temperature 30.0 C PSU[3] sensor[2] temperature 21.0 C +PSU[3] test PASS psuTest ..................................................... PASS rtcTest ..................................................... PASS sataSsdTest ................................................. PASS Starting test: temperatureTest ...... Sensor "BrdTmpPwr0" temperature 31.5 C Sensor "BrdTmpPwr1" temperature 34.0 C Sensor "BrdTmpPwr2" temperature 31.0 C Sensor "BrdTmpPwr3" temperature 33.
fabricLinkStatusTest ........................................ PASS Starting test: fanTest ...... ERROR: Tray[0] fan[1] speed 49% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[0] ERROR: Tray[1] fan[0] speed 49% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[1] +Fan tray[2] Speed test PASS +Fan tray[3] Speed test PASS ERROR: Tray[4] fan[0] speed 49% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[4] fanTest ..........
PPID PPID Rev Service Tag Part Number Part Number Revision SW Version ------- NA NA NA NA NA 9.2(1.0B2) Available free memory: 2,646,888,448 bytes LEVEL 0 DIAGNOSTIC eepromTest .................................................. i2cTest ..................................................... macPhyRegTest ............................................... Starting test: pcieScanTest ...... 22 PCI devices installed out of 22 pcieScanTest ................................................ portcardBcmIdTest .......
qsfpOpticsTest .............................................. qsfpPhyTest ................................................. qsfpPresenceTest ............................................ rtcTest ..................................................... sataSsdTest .................................................
Diode[1] temperature 35.0 C Diode[2] temperature 35.0 C Diode[4] temperature 34.5 C Port card[0]: Average temperature 38.3 C, maximum 41.1 C Port card[1]: Average temperature 40.5 C, maximum 43.3 C Port card[2]: Average temperature 42.8 C, maximum 44.9 C Ethernet MAC temperature 45.0 C temperatureTest ............................................. PASS LEVEL 1 DIAGNOSTIC eepromTest .................................................. i2cTest ..................................................... macPhyRegTest .
Auto Save on Reload, Crash, or Rollover Exception information for the switch is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout and trace information from the Route Processor and Control Processor CPUs. You can access the TRACE_LOG_DIR files by FTP or by using the show file command from the flash:// TRACE_LOG_DIR directory.
• show hardware linecard {0-2} buffer total-buffer Display the modular packet buffers details per unit and the mode of allocation. • show hardware linecard {0-2} buffer unit {0-3} total-buffer Display the forwarding plane statistics containing the packet buffer usage per port per line card. • show hardware linecard {0-2} buffer unit {0-3} port {1-104 | all} buffer-info Display the forwarding plane statistics containing the packet buffer statistics per CoS per port.
Troubleshoot a flap or fault condition on a high-Gigabit Ethernet backplane link by displaying the internal ports that are mapped to backplane links for control or data traffic and the status of backplane links. In the show hardware bp-link-state command output, 1 indicates that a backplane link is up; 0 indicates the a link is down.
-- Major Alarms -Alarm Type Duration --------------------------------------------------------------------------PEM 0 in unit 0 down 25 sec PEM 2 in unit 0 down 6 sec • Use the show environment pem command to display complete information on power supply operation. Dell#show environment pem -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) Power Usage (W) ----------------------------------------------------------------------------0 0 down AC up 1376 0.0 0 1 up AC up 18848 666.
To verify the transceiver plugged into a Z9500 port, use the show inventory media command.
QSFP QSFP QSFP QSFP QSFP 168 168 168 168 168 BR max BR min Vendor SN Datecode CheckCodeExt = = = = = 0 0 Z12I00005 130117 0xe8 QSFP 168 Diagnostic Information =================================== QSFP 168 Rx Power measurement type =================================== QSFP 168 Temp High Alarm threshold QSFP 168 Voltage High Alarm threshold QSFP 168 Bias High Alarm threshold QSFP 168 RX Power High Alarm threshold QSFP 168 Temp Low Alarm threshold QSFP 168 Voltage Low Alarm threshold QSFP 168 Bias Low Alarm
S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 Minor 50 N/A 50 50 40 50 67 68 66 66 Minor Off 45 N/A 45 45 35 45 62 63 61 61 Major 50 N/A 50 50 40 50 67 68 66 66 Major Off 45 N/A 45 45 35 45 62 63 61 61 Shutdown N/A N/A N/A N/A N/A N/A N/A N/A N/A N/A -- Switching Core --- Temperature Limits (deg C) ---------------------------------------------------------------------------Minor Minor Off Major Major Off Shutdown S0 93 86 100 95 105 S1 93 86 100 95 105 S2 93 86 100 95 105 S3 93 86 100 95 105 S4 93 86 100 95 105 S5 93
threshold crossings do not cause alarms, but are used to trigger increases in the speed of the system fans as needed to keep the component temperature within the desired range.
If the system is not able to cool down within one minute from the time the shutdown alarm is generated, a second alarm is triggered and the system shuts down immediately to avoid damaging any component due to overheating: 00:16:08: %SYSTEM:LP %CHMGR-0-TEMP_SHUTDOWN_WARN: Unit 0 a temperature sensor has exceeded its critical shutdown temperature; Unit will shutdown now. Power cycle the unit to power it on.
UNIT No: 0 Total Ingress Drops Total IngMac Drops Total Mmu Drops Total EgMac Drops Total Egress Drops : : : : : 41694 0 0 0 0 Dell#show hardware linecard 2 drops unit 0 UserPort PortNumber Ingress Drops EgMac Drops Egress Drops 0 1 0 0 0 0 4 5 0 0 0 0 8 9 0 0 0 0 12 13 41745 0 0 0 16 17 0 0 0 0 17 18 0 0 0 0 18 19 0 0 0 0 19 20 0 0 0 0 20 21 0 0 0 0 21 22 0 0 0 0 22 23 0 0 0 0 23 24 0 0 0 0 24 25 0 0 0 0 28 29 0 0 0 0 32 33 0 0 0 0 36 37 0 0 0 0 40 41 0 0 0 0 44 45 0 0 0 0 Internal 50 0 0 0 0 Internal 5
0 Internal 0 Internal 0 Internal 0 Internal 0 0 58 0 59 0 60 0 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Displaying Dataplane Statistics The show hardware linecard {0–2} cpu data-plane statistics command provides information about the packet types entering a line-card CPU. As shown in the following example, the show hardware linecard cpu data-plane statistics command output provides detailed RX/TX packet statistics on a per-queue basis.
Oversize frames recvd = 0 Fragments = 0 Jabber = 0 Dropped Frames = 0 Under/oversized frames = 0 FLR frames = 0 RCDE frames = 0 RCSE frames = 0 Dell#show hardware party-bus port 0 statistics Party Bus Transmit Counters for port 0: Tx Octets = 350320163 Tx Drop Packets = 0 tx_q0_pkts = 597876 tx_q1_pkts = 0 tx_q2_pkts = 0 tx_q3_pkts = 0 tx_q4_pkts = 0 tx_q5_pkts = 0 tx_broad_pkts = 114500 tx_multi_pkts = 7422 tx_uni_pkts = 475954 tx_pause_pkts = 0 tx_cols = 0 tx_single_cols = 0 tx_multi_cols = 0 tx_late_cols
transmit statistics for a port-pipe unit on a specified line card, according to the command option you enter. Dell#show hardware linecard RUC.cpu0 : ING_NIV_RX_FRAMES.cpu0 : TDBGC6.cpu0 : PERQ_PKT(0).cpu0 : PERQ_PKT(41).cpu0 : PERQ_BYTE(0).cpu0 : PERQ_BYTE(41).cpu0 : PERQ_DROP_PKT(0).cpu0 : PERQ_DROP_PKT(41).cpu0 : PERQ_DROP_BYTE(0).cpu0 : PERQ_DROP_BYTE(41).cpu0 : QUEUE_PEAK(0).cpu0 : QUEUE_PEAK(41).cpu0 : RUC.xe0 : RDBGC0.xe0 : RDBGC5.xe0 : ING_NIV_RX_FRAMES.xe0 : TDBGC3.xe0 : TDBGC6.
NOTE: On the Z9500, when you enable core dumps of application crashes to be uploaded to an FTP server, only core dumps from the Control Processor are uploaded to the server.
command in global configuration mode. The kernel core dump is copied to flash://CORE_DUMP_DIR/ f10_cpu_timestamp.kcore.gz Where cpu specifies a Z9500 CPU and is one of the following values: cp (Control Processor), cp (Route Processor), lp0 (line-card processor 0), lp1 (line-card processor 1), or lp2 (line-card processor 2); timestamp is a text string in the format: yyyyddmmhhmmss (YearDayMonthHourMinuteSecond). To disable the full kernel and other core dumps, enter the no logging coredump command.
Dynamic Host Configuration Protocol (DHCP) 13 DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Identifiers a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server. L2 DHCP Snooping Option 82 End Option 255 Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database. Signals the last option in the DHCP packet. Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1.
Figure 27. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configure the System to be a DHCP Server A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The following table lists the key responsibilities of DHCP servers. Table 8. DHCP Server Responsibilities DHCP Server Responsibility Description Address Storage and Management DHCP servers are the owners of the addresses used by DHCP clients.
3. Specify the range of IP addresses from which the DHCP server may assign addresses. DHCP mode network network/prefix-length • network: the subnet address. • prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31. 4. Display the current pool configuration. DHCP mode show config After an IP address is leased to a client, only that client may release the address.
DHCP lease {days [hours] [minutes] | infinite} The default is 24 hours. Specifying a Default Gateway The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step. • Specify default gateway(s) for the clients on the subnet, in order of preference.
Creating Manual Binding Entries An address binding is a mapping between the IP address and the media access control (MAC) address of a client. The DHCP server assigns the client an available IP address automatically, and then creates an entry in the binding table. However, the administrator can manually create an entry for a client; manual bindings are useful when you want to guarantee that a particular network device receives a particular IP address.
Configure the System to be a Relay Agent This feature is available on the platform. DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.
Figure 28. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
ICMP redirects are not sent ICMP unreachables are not sent Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file).
DHCP Client Operation with Other Features A DHCP client also operates with the following software features. Virtual Link Trunking (VLT) A DHCP client is not supported on VLT interfaces. VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
• Source Address Validation Option 82 RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and is comprised of two sub-options, circuit ID and remote ID. Circuit ID This is the interface on which the client-originated message is received. Remote ID This identifies the host from which the message is received. The value of this suboption is the MAC address of the relay agent that adds Option 82.
packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.
• Delete all of the entries in the binding table. EXEC Privilege mode clear ip dhcp snooping binding Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command.
IP Address MAC Address Expires(Sec) Type VLAN Interface ================================================================ 10.1.1.251 00:00:4d:57:f2:50 172800 D Vl 10 Te 0/2 10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Te 0/1 10.1.1.253 00:00:4d:57:f8:e8 172740 D Vl 10 Te 0/3 10.1.1.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI. SystemFlow has 102 entries by default.
Invalid ARP Replies Dell# : 0 Bypassing the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default. To bypass the ARP inspection, use the following command. • Specify an interface as trusted so that ARPs are not validated against the binding table.
NOTE: If you enable IP source guard using the ip dhcp source-address-validation command and there are 187 entries or more in the current DHCP snooping binding table, SAV may not be applied to all entries. To ensure that SAV is applied correctly to all entries, enable the ip dhcp source-address-validation command before adding entries to the binding table. • Enable IP source address validation.
Equal Cost Multi-Path (ECMP) 14 Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
NOTE: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs. NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting.
NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect. • Configure the maximum number of paths per ECMP group. CONFIGURATION mode. • ip ecmp-group maximum-paths {2-64} Enable ECMP group path management. CONFIGURATION mode. ip ecmp-group path-fallback Example of the ip ecmp-group maximum-paths Command Dell(conf)#ip ecmp-group maximum-paths 3 User configuration has been changed.
• The default is 60%. Display details for an ECMP group bundle. EXEC mode show link-bundle-distribution ecmp-group ecmp-group-id The range is from 1 to 64. Viewing an ECMP Group NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only.
Force10 Resilient Ring Protocol (FRRP) 15 Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node. Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Multiple FRRP Rings Up to 255 rings are allowed per system and multiple rings can be run on one system. More than the recommended number of rings may cause interface instability. You can configure multiple rings with a single switch connection; a single ring can have multiple FRRP groups; multiple rings can be connected with a common link. Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology.
Concept Explanation Control VLAN Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose. Member VLAN Each ring maintains a list of member VLANs. Member VLANs must be consistent across the entire ring. Port Role Each node has two ports for each ring: Primary and Secondary. The Master node Primary port generates RHFs. The Master node Secondary port receives the RHFs.
Concept Explanation There is no periodic transmission of TCRHFs. The TCRHFs are sent on triggered events of ring failure or ring restoration only. Implementing FRRP • FRRP is media and speed independent. • FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. • You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP. • All ring ports must be Layer 2 ports.
Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports.
4. Configure the Master node. CONFIG-FRRP mode. mode master 5. Identify the Member VLANs for this FRRP group. CONFIG-FRRP mode. member-vlan vlan-id {range} VLAN-ID, Range: VLAN IDs for the ring’s member VLANS. 6. Enable FRRP. CONFIG-FRRP mode. no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands.
3. Assign the Primary and Secondary ports and the Control VLAN for the ports on the ring. CONFIG-FRRP mode. interface primary int slot/port secondary int slot/port control-vlan vlan id Interface: • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port.
• Clear the counters associated with all FRRP groups. EXEC PRIVELEGED mode. clear frrp Viewing the FRRP Configuration To view the configuration for the FRRP group, use the following command. • Show the configuration for this FRRP group. CONFIG-FRRP mode. show configuration Viewing the FRRP Information To view general FRRP information, use one of the following commands. • Show the information for the identified FRRP group. EXEC or EXEC PRIVELEGED mode.
Example of R1 MASTER interface TengigabitEthernet 1/24 no ip address switchport no shutdown ! interface TengigabitEthernet 1/34 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TengigabitEthernet 1/24,34 no shutdown ! interface Vlan 201 no ip address tagged TengigabitEthernet 1/24,34 no shutdown ! protocol frrp 101 interface primary TengigabitEthernet 1/24 secondary TengigabitEthernet 1/34 control-vlan 101 member-vlan 201 mode master no disable Example of R2 TRANSIT interface T
interface TengigabitEthernet 3/21 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TengigabitEthernet 3/14,21 no shutdown ! interface Vlan 201 no ip address tagged TengigabitEthernet 3/14,21 no shutdown ! protocol frrp 101 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14 control-vlan 101 member-vlan 201 mode transit no disable Force10 Resilient Ring Protocol (FRRP) 285
16 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 29. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
not be unconfigured when it receives a Leave PDU. Therefore, the registration mode on that interface is FIXED. • Forbidden Mode — Disables the port to dynamically register VLANs and to propagate VLAN information except information about VLAN 1. A port with forbidden registration type thus allows only VLAN 1 to pass through even though the PDU carries information for more VLANs.
LeaveAll Timer Dell(conf)# 5000 The system displays this message if an attempt is made to configure an invalid GARP timer: Dell(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer.
Interfaces 17 This chapter describes interface types, both physical and logical, and how to configure them on the Z9500 switch. • 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the Z9500.
installed, the resulting four 10GbE ports are numbered with the remaining numbers. For example, 40GbE port 0 contains 10GbE ports 0, 1, 2, and 3; 40GbE port 4 contains 10GbE ports 4, 5, 6, and 7. Line card 0 consists of ports 0 to 143; line card 1 consists of ports 0 to 191; line card 2 consists of ports 0 to 191. Figure 30. Port Numbering Interface Types The following table describes different interface types.
EXEC mode show interfaces This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel. NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C. The system returns you to the command prompt.
TengigabitEthernet TengigabitEthernet TengigabitEthernet TengigabitEthernet TengigabitEthernet TengigabitEthernet TengigabitEthernet TengigabitEthernet TengigabitEthernet 1/0 1/1 1/2 1/3 1/4 1/5 1/6 1/7 1/8 unassigned unassigned unassigned unassigned unassigned 10.10.10.
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface. Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system. Line card interfaces support Layer 2 and Layer 3 traffic over 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces.
Type of Interface Possible Modes Requires Creation Default State VLAN Layer 2 Yes, except for the default VLAN. No shutdown (active for Layer 2) Layer 3 Shutdown (disabled for Layer 3) Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command.
• Enable Layer 3 on an individual interface INTERFACE mode • ip address Enable the interface. INTERFACE mode no shutdown Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
Dell>show ip int vlan 58 Vlan 58 is up, line protocol is up Internet address is 1.1.49.1/24 Broadcast address is 1.1.49.255 Address determined by config file MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains.
To enable and configure EIS, use the following commands: 1. Enter EIS mode. CONFIGURATION mode management egress-interface-selection 2. Configure which applications uses EIS.
The following rules apply to having two IPv6 addresses on a management interface: • IPv6 addresses on a single management interface cannot be in the same subnet. • IPv6 secondary addresses on management interfaces: – across a platform must be in the same subnet. – must not match the virtual IP address and must not be in the same subnet as the virtual IP.
• Configure an IP address. INTERFACE mode • ip address Enable the interface. INTERFACE mode • no shutdown The interface is the management interface. INTEFACE mode description Example of the show interface and show ip route Commands To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN. The system supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used. For more information about configuring different routing protocols, refer to the chapters on the specific protocol.
• show interface loopback number Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the commands supported on physical interfaces are also supported on a Loopback interface. Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command. • Enter INTERFACE mode of the Null interface.
With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links. For example, you can build a 30-Gigabit interface by aggregating three 10-Gigabit Ethernet interfaces together. If one of the five interfaces fails, traffic is redistributed across the four remaining interfaces. Port Channel Implementation The system supports static and dynamic port channels. • Static — Port channels that are statically configured.
In this example, you can change the common speed of the port channel by changing its configuration so the first enabled interface referenced in the configuration is a 10 Gb/s speed interface. You can also change the common speed of the port channel here by setting the speed of the Te 0/0 interface to 10 Gb/s. Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces.
You can add any physical interface to a port channel if the interface configuration is minimal. You can configure only the following commands on an interface if it is a member of a port channel: • description • shutdown/no shutdown • mtu • ip mtu (if the interface is on a Jumbo-enabled by default) NOTE: A logical port channel interface cannot have flow control. Flow control can only be present on the physical interfaces if they are part of a port channel.
MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 2000 Mbit Members in this channel: Te 9/10 Te 9/17 ARP type: ARPA, ARP timeout 04:00:00 Last clearing of "show interface" counters 00:00:00 Queueing strategy: fifo 1212627 packets input, 1539872850 bytes Input 1212448 IP Packets, 0 Vlans 0 MPLS 4857 64-byte pkts, 17570 over 64-byte pkts, 35209 over 127-byte pkts 69164 over 255-byte pkts, 143346 over 511-byte pkts, 942523 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 42 CRC, 0 I
To reassign an interface to a new port channel, use the following commands. 1. Remove the interface from the first port channel. INTERFACE PORT-CHANNEL mode no channel-member interface 2. Change to the second port channel INTERFACE mode. INTERFACE PORT-CHANNEL mode interface port-channel id number 3. Add the interface to the second port channel.
Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands. • Add the port channel to the VLAN as a tagged interface.
CONFIGURATION mode • no interface portchannel channel-number Disable a port channel. shutdown When you disable a port channel, all interfaces within the port channel are operationally down also. Load Balancing Through Port Channels The system uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among electronic commerce messaging protocol (ECMP) paths and LAG members.
Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hashalgorithm command to select the hash scheme for LAG, ECMP and NH-ECMP. You can rotate or shift the 12–bit Lag Hash until the desired hash is achieved. To change to another algorithm, use the second command. • Change the default (0) to another algorithm and apply it to ECMP, LAG hashing, or a particular line card.
The interface range command allows you to create an interface range allowing other commands to be applied to that range of interfaces. The interface range prompt offers the interface (with slot and port information) for valid interfaces. The maximum size of an interface range prompt is 32. If the prompt size exceeds this maximum, it displays (...) at the end of the output. NOTE: Non-existing interfaces are excluded from the interface range prompt.
Dell(conf)#interface range tengigabitethernet 2/0 - 23 , tengigabitethernet 2/0 - 23 , tengigabitethernet 2/0 - 23 Dell(conf-if-range-te-2/0-23)# Exclude a Smaller Port Range The following is an example show how the smaller of two port ranges is omitted in the interface-range prompt.
define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{tengigabitethernet | fortyGigE} slot/interface - interface} [ , {vlan vlan_ID - vlan_ID} {{tengigabitethernet | fortyGigE} slot/interface interface}] Define the Interface Range The following example shows how to define an interface-range macro named “test” to select 10– GigabitEthernet interfaces 5/1 through 5/4.
• T — Increase refresh interval (by 1 second) • t — Decrease refresh interval (by 1 second) • c — Clear screen • a — Page down • q — Quit Dell#monitor interface te 3/1 FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
Use the show hardware sfm hg-stats and show hardware linecard hg-stats commands to display traffic statistics about the high-Gigabit links on a line-card or SFM NPU. Use the clear hardware sfm hg-stats and clear hardware linecard hg-stats commands to reset high-Gigabit port statistics. Link Bundle Monitoring Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
• A line-card (leaf) NPU supports 12 front-end I/O ports and 12 backplane high-Gigabit ports. The 12 backplane links are members of a single high-Gigabit link bundle that connects the line-card NPU to each SFM (spine) NPU. Two high-Gigabit links in the bundle are used to connect to each SFM NPU. You can enable the capability to detect uneven traffic distribution in the member links of a high-Gigabit link bundle on a line-card or SFM NPU.
– Bundle usage for egress traffic exceeds the threshold configured with the hg-link-bundle monitor trigger-threshold command. Alarms are generated only when link-bundle traffic levels are high. At low traffic levels, only one or two significant flows may cause unevenness. However, uneven traffic distribution across links during low-traffic periods is not critical and does not trigger an alarm.
5. Display the traffic utilization of member links in a high-Gigabit link bundle (port channel). EXEC, EXEC Privilege modes Dell#show hg-link-bundle-distribution {sfm npu-id hg-port—channel hg-port— channel-id | slot slot npuUnit npu-id hg-port—channel 0} Splitting QSFP Ports to SFP+ Ports The Z9500 supports splitting a single 40G QSFP port into four 10G SFP+ ports using one of the supported breakout cables (for a list of supported cables, refer to the Z9500 Installation Guide or the Z9500 Release Notes).
Important Points to Remember • Link dampening is not supported on VLAN interfaces. • Link dampening is disabled when the interface is configured for port monitoring. • You can apply link dampening to Layer 2 and Layer 3 interfaces. • You can configure link dampening on individual interfaces in a LAG. Enabling Link Dampening To enable link dampening, use the following command. • Enable link dampening.
Example of the clear dampening Command Dell# clear dampening interface Te 0/1 Dell# show interfaces dampening TengigabitEthernet0/0 InterfaceStateFlapsPenaltyHalf-LifeReuseSuppressMax-Sup Te 0/1Up00205001500300 Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command.
Restriction: Ethernet Pause Frame flow control is not supported if PFC is enabled on an interface. Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off. INTERFACE mode. flowcontrol rx [off | on] tx [off | on] Where: rx on: Processes the received flow control frames on this port. rx off: Ignores the received flow control frames on this port.
The flow control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes. To enable pause frames, use the following command. • Control how the system responds to and generates 802.3x pause frames on 10 Gigabit line cards. INTERFACE mode flowcontrol rx [off | on] tx [off | on] [threshold {<1-2047> <1-2013> <1-2013>}] – rx on: enter the keywords rx on to process the received flow control frames on this port.
• • All members must have the same link MTU value and the same IP MTU value. The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU 2000, the port channel’s MTU values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU. VLANs: • • • All members of a VLAN must have the same IP MTU value. Members can have different Link MTU values.
Example of the negotiation auto Command Dell(conf)# int tengig 0/0 Dell(conf-if-te-0/1)#neg auto Dell(conf-if-te-0/1)# ? end Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode no Negate a command or set its defaults show Show autoneg configuration information Dell(conf-if-te-0/1)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode Dell(conf-if-te-0/1)# For details about the speed, duplex, and negotiation auto commands, refer to t
Vlan 2 Name: TengigabitEthernet 13/3 802.1QTagged: True Vlan membership: Vlan 2 --More-- Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 1d23h45m Queueing strategy: fifo 0 packets input, 0 bytes Input 0 IP Packets, 0 Vlans 0 MPLS 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 byte
(OPTIONAL) Enter the following interface keywords and slot/port or number information: – For a loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a Port Channel interface, enter the keywords port-channel then a number. – For the management interface, enter the keyword ManagementEthernet 0/0. The slot number is 0; the port number is 0. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
IPv4 Routing 18 IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Configure Static Routes for the Management Interface (optional) For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Reference Guide. Assigning IP Addresses to an Interface Assign primary and secondary IP addresses to physical or logical (for example, [virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface.
interface TengigabitEthernet 0/0 ip address 10.11.1.1/24 no shutdown ! Dell(conf-if)# Configuring Static Routes A static route is an IP address that you manually configure and that the routing protocol does not learn, such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary. To configure a static route, use the following command. • Configure a static IP address.
Direct, Lo 0 --More-The system installs a next hop that is on the directly connected subnet of current IP address on the interface (for example, if interface gig 0/0 is on 172.31.5.0 subnet, the system installs the static route). The system also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet. For example, if gig 0/0 has ip address on subnet 2.2.2.0 and if 172.31.5.43 recursively resolves to 2.2.2.
Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies such commands as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command. The following sections describe DNS and the resolution of host names.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, the system can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. The system searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
Dell#traceroute www.force10networks.com Translating "www.force10networks.com"...domain server (10.11.0.1) [OK] Type Ctrl-C to abort. ---------------------------------------------------------------------Tracing the route to www.force10networks.com (10.11.84.18), 30 hops max, 40 byte packets ---------------------------------------------------------------------TTL Hostname Probe1 Probe2 Probe3 1 10.11.199.190 001.000 ms 001.000 ms 002.000 ms 2 gwegress-sjc-02.force10networks.com (10.11.30.126) 005.000 ms 001.
Configuring Static ARP Entries ARP dynamically maps the MAC and IP addresses, and while most network host support dynamic mapping, you can configure an ARP entry (called a static ARP) for the ARP cache. To configure a static ARP entry, use the following command. • Configure an IP address and MAC address mapping for an interface. CONFIGURATION mode arp ip-address mac-address interface – ip-address: IP address in dotted decimal format (A.B.C.D). – mac-address: MAC address in nnnn.nnnn.nnnn format.
– ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. – no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM. Or to specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address. – For a port channel interface, enter the keywords port-channel then a number. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Figure 31. ARP Learning via ARP Request When you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 32. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
CONFIGURATION mode arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet.
UDP Helper User datagram protocol (UDP) helper allows you to direct the forwarding IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses. Configure UDP Helper Configuring the system to direct UDP broadcast is a two-step process: 1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper. 2.
-------------------------------------------------Te 1/1 1000 Configuring a Broadcast Address To configure a broadcast address, use the following command. • Configure a broadcast address on an interface. ip udp-broadcast-address Examples of Configuring and Viewing a Broadcast Address The following example shows configuring a broadcast address. Dell(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 Dell(conf-if-vl-100)#show config ! interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.
1. Packet 1 is dropped at ingress if you did not configure UDP helper address. 2. If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101.
Figure 34. UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
• If the Incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces. Troubleshooting UDP Helper To display debugging information for troubleshooting, use the debug ip udp-helper command.
IPv6 Routing 19 Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
NOTE: The system provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address. However, received ND messages are not used to create an IPv6 address.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 36. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
The following lists the Next Header field values. Value Description 0 Hop-by-Hop option header 4 IPv4 6 TCP 8 Exterior Gateway Protocol (EGP) 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
However, if the Destination Address is a Hop-by-Hop options header, the Extension header is examined by every forwarding router along the packet’s route. The Hop-by-Hop options header must immediately follow the IPv6 header, and is noted by the value 0 (zero) in the Next Header field. Extension headers are processed in the order in which they appear in the packet header. Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path.
of double colons is supported in a single address. Any number of consecutive 0000 groups may be reduced to two colons, as long as there is only one double colon used in an address. Leading and/or trailing zeros in a group can also be omitted (as in ::1 for localhost, 1:: for network addresses and :: for unspecified addresses). All the addresses in the following list are all valid and equivalent.
IPv6 Implementation on the Dell Networking OS The Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature. Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 Basic IPv6 Commands 8.3.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 IS-IS for IPv6 support for redistribution 8.3.11 Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. ISIS for IPv6 support for distribute lists and administrative distance 8.3.11 OSPF for IPv6 (OSPFv3) 8.3.11 Equal Cost Multipath for IPv6 8.3.
ICMPv6 ICMP for IPv6 (ICMPv6) combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The implementation of ICMPv6 is based on RFC 4443. ICMPv6 uses two message types: • Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node.
IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
Secure Shell (SSH) Over an IPv6 Transport Both inbound and outbound secure shell (SSH) sessions using IPv6 addressing are supported. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. For SSH configuration details, refer to the Security chapter in the Dell Networking OS Command Line Interface Reference Guide. Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol.
• The ipv6acl range must be a factor of 2. Show the current CAM settings. EXEC mode or EXEC Privilege mode • show cam-acl Provides information on FP groups allocated for the egress acl. CONFIGURATION mode show cam-acl-egress Allocate at least one group for L2ACL and IPv4 ACL. The total number of groups is 4. Assigning an IPv6 Address to an Interface Essentially, IPv6 is enabled on a switch simply by assigning IPv6 addresses to individual router interfaces.
– forwarding router: forwarding router’s address – tag: route tag Enter the keyword interface then the type of interface and slot/port information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a loopback interface, enter the keyword loopback then the loopback number.
show ipv6 ? Example of show ipv6 Command Options Dell#show ipv6 ? accounting IPv6 accounting information cam IPv6 CAM Entries fib IPv6 FIB Entries interface IPv6 interface information mbgproutes MBGP routing table mld MLD information mroute IPv6 multicast-routing table neighbors IPv6 neighbor information ospf OSPF information pim PIM V6 information prefix-list List IPv6 prefix lists route IPv6 routing information rpf RPF table Dell# Displaying an IPv6 Configuration To view the IPv6 configuration for a spec
Joined Group address(es): ff02::1 ff02::1:ff8b:386e ND MTU is 0 ICMP redirects are not sent DAD is enabled, number of DAD attempts: 3 ND reachable time is 32000 milliseconds ND base reachable time is 30000 milliseconds ND retransmit interval is 1000 milliseconds ND hop limit is 64 Displaying IPv6 Routes To view the global IPv6 routing information, use the following command. • Display IPv6 routing information for the specified route type.
----------------------------------------------------C 600::/64 [0/0] Direct, Te 0/24, 00:34:42 C 601::/64 [0/0] Direct, Te 0/24, 00:34:18 C 912::/64 [0/0] Direct, Lo 2, 00:02:33 O IA 999::1/128 [110/2] via fe80::201:e8ff:fe8b:3166, Te 0/24, 00:01:30 L fe80::/10 [0/0] Direct, Nu 0, 00:34:42 Dell#show ipv6 route static Destination Dist/Metric, Gateway, Last Change ----------------------------------------------------S 8888:9999:5555:6666:1111:2222::/96 [1/0] via 2222:2222:3333:3333::1, Te 9/1, 00:03:16 S 9999:
– mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
20 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
– The shutdown command on LAG “xyz” disables the LAG and retains the user commands. However, the system does not allow the channel number “xyz” to be statically created. – The no interface port-channel channel-number command deletes the specified LAG, including a dynamically created LAG. This command removes all LACP-specific commands on the member interfaces. The interfaces are restored to a state that is ready to be configured.
– number: cannot statically contain any links. • The default is LACP active. Configure port priority. LACP mode [no] lacp port-priority priority-value The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP.
• Configure the dynamic LAG interfaces. CONFIGURATION mode port-channel-protocol lacp Example of the port-channel-protocol lacp Command Dell(conf)#interface Tengigabitethernet 3/15 Dell(conf-if-te-3/15)#no shutdown Dell(conf-if-te-3/15)#port-channel-protocol lacp Dell(conf-if-te-3/15-lacp)#port-channel 32 mode active ... Dell(conf)#interface Tengigabitethernet 3/16 Dell(conf-if-te-3/16)#no shutdown Dell(conf-if-te-3/16)#port-channel-protocol lacp Dell(conf-if-te-3/16-lacp)#port-channel 32 mode active ...
Partner System ID: Priority 32768, Address 0001.e801.
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). the system has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
Figure 40. Configuring Shared LAG State Tracking The following are shared LAG state tracking console messages: • 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1 • 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 41. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 132 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 136 Multicasts, 0 Broadcasts, 0 Unicasts 0 Vlans, 0 throttle
Figure 43.
Figure 44.
interface TengigabitEthernet 2/31 no ip address Summary of the LAG Configuration on Bravo Bravo(conf-if-te-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-3/21)#port-channel-protocol lacp Bravo(conf-if-
Figure 45.
Figure 46.
Figure 47. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 21 This chapter describes the Layer 2 features supported on the Z9500. Manage the MAC Address Table You can perform the following management tasks inr the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
The range is from 10 to 1000000. Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, a message is displayed: %E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list MacLimit on TengigabitEthernet 5/84 In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session.
To save all sticky MAC addresses into a configuration file that can be used as a startup configuration file, use the write config command. If the number of existing MAC addresses is fewer than the configured MAC learning limit, additional MAC addresses are converted to sticky MACs addresse on the port. To remove all sticky MAC addresses from the running configuration file, disable sticky MAC and enter the write config command.
Learning Limit Violation Actions Learning limit violation actions are user-configurable. To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received using one the following options with the mac learning-limit command, use the following commands. • Generate a system log message when the MAC learning limit is exceeded.
NOTE: Alternatively, you can reset the interface by shutting it down using the shutdown command and then re-enabling it using the no shutdown command. • Reset interfaces in the ERR_Disabled state caused by a learning limit violation or station move violation. EXEC Privilege mode • mac learning-limit reset Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
address-table station-move refresh-arp command on the switch at the time that NIC teaming is being configured on the server. NOTE: If you do not configure the mac-address-table station-move refresh-arp command, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 49.
Figure 50. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
00:24:55: %SYSTEM-P:CP %IFMGR-5-ACTIVE: Changed Vlan interface state to active: Vl 1 00:24:55: %SYSTEM-P:CP %IFMGR-5-STATE_STBY_ACT: Changed interface state from standby to active: Te 3/42 Dell(conf-if-te-3/41)#do show ip int brief | find 3/41 TengigabitEthernet 3/41 unassigned NO Manual administratively down down TengigabitEthernet 3/42 unassigned YES Manual up up [output omitted] Example of Configuring Redundant Pairs on a Port-Channel Dell#show interfaces port-channel brief Codes: L - LACP Port-channel L
Figure 51. Configuring Far-End Failure Detection The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals, (you can set each interval can be set between 3 and 300 seconds) the state changes to unknown. 5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
To report interval frequency and mode adjustments, use the following commands. 1. Setup two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2. Activate the necessary ports administratively. INTEFACE mode no shutdown 3. Enable fefd globally. CONFIGURATION mode fefd {interval | mode} Example of the show fefd Command To display information about the state of each interface, use the show fefd command in EXEC privilege mode.
To set up and activate two or more connected interfaces, use the following commands. 1. Setup two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2. Activate the necessary ports administratively. INTERFACE mode no shutdown 3.
inactive: Vl 1 2w1d22h : FEFD state on Te 4/0 changed from Bi-directional to Unknown The following example shows the debug fefd packets command.
Link Layer Discovery Protocol (LLDP) 22 This chapter describes how to configure and use the link layer discovery protocol (LLDP) on the Z9500 switch. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 12. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 54. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 13. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Type TLV Description 127 Protocol Identity Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV. 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the Dell Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDP-MED implementation.
Regarding connected endpoint devices, LLDP-MED provides network connectivity devices with the ability to: • manage inventory • manage Power over Ethernet (PoE) • identify physical location • identify network policy LLDP-MED is designed for, but not limited to, VoIP endpoints. TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4).
Type SubType TLV Description None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs. 127 5 Inventory — Hardware Revision Indicates the hardware revision of the LLDPMED device. 127 6 Inventory — Firmware Revision Indicates the firmware revision of the LLDPMED device. 127 7 Inventory — Software Revision Indicates the software revision of the LLDPMED device. 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device.
Figure 55. LLDP-MED Capabilities TLV Table 15. LLDP-MED Capabilities Bit Position TLV Supported? 0 LLDP-MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI-PSE Yes 4 Extended Power via MDI-PD No 5 Inventory No 6–15 reserved No Table 16.
NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets for which a connection is made. In this case, configure the signaling application. Table 17.
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
Important Points to Remember • LLDP is enabled by default. • Dell Networking systems support up to eight neighbors per interface. • Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000. • INTERFACE level configurations override all CONFIGURATION level configurations. • LLDP is not hitless.
Enabling LLDP LLDP is disabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2. Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface.
3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
Figure 58. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands. • Display brief information about adjacent devices. • show lldp neighbors Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command. • Configure a non-default transmit interval.
• Return to the default setting.
advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#multiplier ? <2-10> Multiplier (default=4) R1(conf-lldp)#multiplier 5 R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable R1(conf-lldp)#no multiplier R1(conf-lldp)#show
Figure 59. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects The system supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.1AB Organizationally Specific TLVs • received and transmitted LLDP-MED TLVs Table 18.
MIB Object Category Basic TLV Selection LLDP Variable LLDP MIB Object Description msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs. mibBasicTLVsTxEnable lldpPortConfigTLVsTxEnabl e Indicates which management TLVs are enabled for system ports.
Table 19.
TLV Type TLV Name TLV Variable System interface numbering Local subtype interface number OID LLDP MIB Object lldpLocManAddrIfSu btype Remote lldpRemManAddrIfS ubtype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOI D Table 20. LLDP 802.
Table 21.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object 3 Location Data Format Local lldpXMedLocLocatio nSubtype Remote lldpXMedRemLocati onSubtype Local lldpXMedLocLocatio nInfo Remote lldpXMedRemLocati onInfo Local lldpXMedLocXPoED eviceType Remote lldpXMedRemXPoED eviceType Local lldpXMedLocXPoEPS EPowerSource Location Identifier Location ID Data 4 Extended Power via MDI Power Device Type Power Source lldpXMedLocXPoEP DPowerSource Remote lldpXMedRemXPoEP SEPowerSource lld
23 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview In contrast, PVST+ allows a spanning tree instance for each VLAN.
Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 22. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
• Enabling SNMP Traps for Root Elections and Topology Changes Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • • 1. Within an MSTI, only one path from any bridge to any other bridge is enabled. Bridges block a redundant path by disabling one of the link ports. Enter PROTOCOL MSTP mode.
Examples of Creating and Viewing MSTP Instances The following example shows using the msti command. Dell(conf)#protocol spanning-tree mstp Dell(conf-mstp)#msti 1 vlan 100 Dell(conf-mstp)#msti 2 vlan 200-300 Dell(conf-mstp)#show config ! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200-300 All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
NOTE: Some non-Dell equipment may implement a non-null default region name, such as the Bridge ID or a MAC address. Changing the Region Name or Revision To change the region name or revision, use the following commands. • Change the region name. PROTOCOL MSTP mode • name name Change the region revision number. PROTOCOL MSTP mode revision number Example of the name Command To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
To change the MSTP parameters, use the following commands on the root bridge. 1. Change the forward-delay parameter. PROTOCOL MSTP mode forward-delay seconds The range is from 4 to 30. The default is 15 seconds. 2. Change the hello-time parameter. PROTOCOL MSTP mode hello-time seconds NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter.
Modifying the Interface Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port. • • Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. Port priority influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
you implement only bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree. CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
To view the enable status of this feature, use the show running-config spanning-tree mstp command from EXEC Privilege mode. MSTP Sample Configurations The running-configurations support the topology shown in the following illustration. The configurations are from Dell Networking OS systems. Figure 61. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1.
! (Step 3) interface Vlan 100 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3.
Router 3 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
(Step 2) interface 1/0/31 no shutdown spanning-tree port mode enable switchport protected 0 exit interface 1/0/32 no shutdown spanning-tree port mode enable switchport protected 0 exit (Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs.
– As shown in the following, the MSTP routers are located in the same region. – Does the debug log indicate that packets are coming from a “Different Region”? If so, one of the key parameters is not matching. • MSTP Region Name and Revision. – The configured name and revisions must be identical among all the routers.
The following example shows viewing the debug log (an unsuccessful MSTP configuration). 4w0d4h : MSTP: Received BPDU on Te 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78Different Region (Indicates MSTP routers are in different regions and are not communicating with each other.) CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.
Open Shortest Path First (OSPFv2 and OSPFv3) 24 This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) on the Z9500. NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF.
size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 62. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous.
In the previous example, Routers A, B, C, G, H, and I are the Backbone. • A stub area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. NOTE: Configure all routers within an assigned stub area as stubby, and not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. A virtual link cannot traverse stubby areas.
Figure 63. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
available. An ABR floods the information for the router (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR). • Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Virtual Links In the case in which an area cannot be directly connected to Area 0, you must configure a virtual link between that area and Area 0. The two endpoints of a virtual link are ABRs, and you must configure the virtual link in both routers. The common non-backbone area to which the two routers belong is called a transit area. A virtual link specifies the transit area and the router ID of the other virtual endpoint (the other ABR).
OSPF Implementation The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Multiple OSPF processes (OSPF MP) are supported on OSPFv2 only; up to 32 simultaneous processes are supported. On OSPFv3, the system supports only one process at a time for all platforms. OSPFv2 and OSPFv3 can coexist on a switch, but you must configure them individually.
Processing SNMP and Sending SNMP Traps Though there are may be several OSPFv2 processes, only one process can process simple network management protocol (SNMP) requests and send SNMP traps. The mib-binding command identifies one of the OSPVFv2 processes as the process responsible for SNMP management. If you do not specify the mib-binding command, the first OSPFv2 process created manages the SNMP processes and traps. RFC-2328 Compliant OSPF Flooding In OSPF, flooding is the most resource-consuming task.
To confirm that you enabled RFC-2328–compliant OSPF flooding, use the show ip ospf command. Dell#show ip ospf Routing Process ospf 1 with ID 2.2.2.
Configuration Information The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface. NOTE: By default, OSPF is disabled.
If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1. Assign an IP address to an interface. CONFIG-INTERFACE mode ip address ip-address mask The format is A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3.
• Reset the OSPFv2 process. EXEC Privilege mode • clear ip ospf process-id View the current OSPFv2 status. EXEC mode show ip ospf process-id Example of Viewing the Current OSPFv2 Status Dell#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally. CONFIGURATION mode router ospf process-id [vrf] The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system. If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays: Dell(conf)#router ospf 1 % Error: No router ID available.
In the example below, an IP address is assigned to an interface and an OSPFv2 area is defined that includes the IP address of a Layer 3 interface. The first bold lines assign an IP address to a Layer 3 interface, and theno shutdown command ensures that the interface is UP. The second bold line assigns the IP address of an interface to an area. Example of Enabling OSPFv2 and Assigning an Area to an Interface Dell#(conf)#int te 4/44 Dell(conf-if-te-4/44)#ip address 10.10.10.
Example of Viewing OSPF Status on a Loopback Interface Dell#show ip ospf 1 int TengigabitEthernet 13/23 is up, line protocol is up Internet Address 10.168.0.1/24, Area 0.0.0.1 Process ID 1, Router ID 10.168.253.2, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DROTHER, Priority 1 Designated Router (ID) 10.168.253.5, Interface address 10.168.0.4 Backup Designated Router (ID) 192.168.253.3, Interface address 10.168.0.
Example of the show ip ospf database database-summary Command To view which LSAs are transmitted, use the show ip ospf database process-id databasesummary command in EXEC Privilege mode. Dell#show ip ospf 34 database database-summary OSPF Router with ID (10.1.2.100) (Process ID 34) Area 2.2.2.2 3.3.3.3 Dell# ID Router Network S-Net S-ASBR Type-7 Subtotal 1 0 0 0 0 1 1 0 0 0 0 1 To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode.
– For a 10–Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface te 2/1). – For a port channel, enter the keywords port-channel then a number from 1 to 255 for TeraScale and ExaScale. – For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/ port information (for example, passive-interface fo 2/3).
allows for even finer tuning of the convergence speed. The higher the number, the faster the convergence. To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level. CONFIG-ROUTEROSPF- id mode fast-convergence {number} The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set at 0. NOTE: A higher convergence level can result in occasional loss of OSPF adjacency.
To change OSPFv2 parameters on the interfaces, use any or all of the following commands. • Change the cost associated with OSPF traffic on the interface. CONFIG-INTERFACE mode ip ospf cost • – cost: The range is from 1 to 65535 (the default depends on the interface speed). Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds – seconds: the range is from 1 to 65535 (the default is 40 seconds).
• Change the wait period between link state update packets sent out the interface. CONFIG-INTERFACE mode ip ospf transmit-delay seconds – seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network. Example of Changing and Verifying the cost Parameter and Viewing Interface Status To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode.
This setting is the amount of time OSPF has available to change its interface authentication type. During the auth-change-wait-time, OSPF sends out packets with both the new and old authentication schemes. This transmission stops when the period ends. The default is 0 seconds. Configuring Virtual Links Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0). If an OSPF area does not have a direct connection to the backbone, at least one virtual link is required.
Virtual Link to router 192.168.253.5 is up Run as demand circuit Transit area 0.0.0.1, via interface TengigabitEthernet 13/16, Cost of using 2 Transmit Delay is 1 sec, State POINT_TO_POINT, Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:02 Dell# Creating Filter Routes To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists.
• Specify which routes are redistributed into OSPF process. CONFIG-ROUTEROSPF-id mode redistribute {bgp | connected | isis | rip | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] Configure the following required and optional parameters: – bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes. – metric metric-value: the range is from 0 to 4294967295. – metric-type metric-type: 1 for OSPF external route type 1.
• View the summary of all OSPF process IDs enables on the router. EXEC Privilege mode • show running-config ospf View the summary information of the IP routes. EXEC Privilege mode • show ip route summary View the summary information for the OSPF database. EXEC Privilege mode • show ip ospf database View the configuration of OSPF neighbors connected to the local router. EXEC Privilege mode • show ip ospf neighbor View the LSAs currently in the queue.
! router ospf 90 area 2 virtual-link 4.4.4.4 area 2 virtual-link 90.90.90.90 retransmit-interval 300 ! ipv6 router ospf 999 default-information originate always router-id 10.10.10.10 Dell# Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI.
ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.0.23.0/24 area 0 ! interface Loopback 30 ip address 192.168.100.100/24 no shutdown ! interface TengigabitEthernet 3/1 ip address 10.1.13.3/24 no shutdown ! interface TengigabitEthernet 3/2 ip address 10.2.13.3/24 no shutdown OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.
The OSPFv3 ipv6 ospf area command enables OSPFv3 on the interface and places the interface in an area. With OSPFv2, two commands are required to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPF on an interface. NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3.
NOTE: The OSPFv2 network area command enables OSPFv2 on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. • Assign the OSPFv3 process and an OSPFv3 area to this interface. CONF-INT-type slot/port mode ipv6 ospf process-id area area-id – process-id: the process ID number assigned. – area-id: the area ID for this interface.
– Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address. Configuring Passive-Interface To suppress the interface’s participation on an OSPFv3 interface, use the following command. This command stops the router from sending updates on that interface. • Specify whether some or all some of the interfaces are passive.
Configuring a Default Route To generate a default external route into the OSPFv3 routing domain, configure the following parameters. To specify the information for the default route, use the following command. • Specify the information for the default route.
Tunnel mode. However, Tunnel mode is not supported in the Dell Networking OS. For detailed information about the IP ESP protocol, refer to RFC 4303. In OSPFv3 communication, IPsec provides security services between a pair of communicating hosts or security gateways using either AH or ESP. In an authentication policy on an interface or in an OSPF area, AH and ESP are used alone; in an encryption policy, AH and ESP may be used together. The difference between the two mechanisms is the extent of the coverage.
NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode. However, this command does not provide a high level of network security. To enable key encryption in an IPsec security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands. Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
Configuring IPSec Authentication for an OSPFv3 Area To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The security policy index (SPI) value must be unique to one IPSec security policy (authentication or encryption) on the router.
The configuration of IPsec encryption on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area encryption policy that has been configured is applied to the interface. • Enable IPsec encryption for OSPFv3 packets in an area.
To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values: – For a 10-Gigabit Ethernet interface, enter TenGigabitEthernet slot/port. – For a Port Channel interface, enter port-channel number. – For a 40-Gigabit Ethernet interface, enter FortyGigabitEthernet slot/port. – For a VLAN interface, enter vlan vlan-id. The valid VLAN IDs are from 1 to 4094.
inbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE inbound esp sas outbound esp sas Interface: TenGigabitEthernet 0/1 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hma
• show ipv6 protocols • debug ipv6 ospf events and/or packets • show ipv6 neighbors • show virtual links • show ipv6 routes Viewing Summary Information To get general route, configuration, links status, and debug information, use the following commands. • View the summary information of the IPv6 routes. EXEC Privilege mode • show ipv6 route summary View the summary information for the OSPFv3 database. EXEC Privilege mode • show ipv6 ospf database View the configuration of OSPFv3 neighbors.
Port Monitoring 25 Port monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port monitoring functionality is different between platforms, but the behavior is the same, with highlighted exceptions.
If you attempt to configure another destination, this message displays: % Error: Exceeding max MG ports for this MD port pipe. Configuring Port Monitoring To configure port monitoring, use the following commands. 1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example. EXEC Privilege mode show interface 2. Create a monitoring session, as shown in the following example. CONFIGURATION mode monitor session 3.
Figure 66.
Private VLANs (PVLAN) 26 Private VLANs (PVLANs) extend Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• [no] private-vlan mapping secondary-vlan vlan-list Display type and status of PVLAN interfaces. EXEC mode or EXEC Privilege mode • show interfaces private-vlan [interface interface] Display PVLANs and/or interfaces that are part of a PVLAN. EXEC mode or EXEC Privilege mode • show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] Display primary-secondary VLAN mapping.
4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} • host (isolated or community VLAN port) • promiscuous (intra-VLAN communication port) • trunk (inter-switch PVLAN hub port) Example of the switchport mode private-vlan Command For interface details, refer to Enabling a Physical Interface in the Interfaces chapter. NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs.
4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: 5. • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-IDVLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Add promiscuous ports as tagged or untagged interfaces.
4. Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/ port,port,port) or hyphenated (slot/ port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1.
Dell(conf-vlan-100)# private-vlan mode isolated Dell(conf-vlan-100)# untagged Te 2/2 Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 67. Sample Private VLAN Topology The following configuration is based on the example diagram for the C300–1: • Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000. • All the ports in the secondary VLANs (both community and isolated VLANs) can only communicate with ports in the other secondary VLANs of that PVLAN over Layer 3, and only when the ip localproxy-arp command is invoked in the primary VLAN.
• The following examples show the results of using this command without the command options in the topology diagram previously shown. Display the primary-secondary VLAN mapping. The following example shows the output from the S50V. show vlan private-vlan mapping This command is specific to the PVLAN feature. Examples of Viewing a Private VLANs The show arp and show vlan commands are revised to display PVLAN data. The following example shows viewing a private VLAN for a C300 system.
switchport mode private-vlan promiscuous no shutdown ! interface TengigabitEthernet 0/4 no ip address switchport switchport mode private-vlan host no shutdown ! interface TengigabitEthernet 0/5 no ip address switchport switchport mode private-vlan host no shutdown ! interface TengigabitEthernet 0/6 no ip address switchport switchport mode private-vlan host no shutdown ! interface TengigabitEthernet 0/25 no ip address switchport switchport mode private-vlan trunk no shutdown ! interface Vlan 4000 private-vl
Per-VLAN Spanning Tree Plus (PVST+) 27 Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 68.
Table 24. Spanning Tree Versions Supported Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
Enabling PVST+ When you enable PVST+, the system instantiates STP on each active VLAN. 1. Enter PVST context. PROTOCOL PVST mode protocol spanning-tree pvst 2. Enable PVST+. PROTOCOL PVST mode no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode • disable Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
Figure 69. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TengigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.
PROTOCOL PVST mode vlan max-age The range is from 6 to 40. The default is 20 seconds. The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command. Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type.
The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
PVST+ in Multi-Vendor Networks Some non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D BPDU and an untagged PVST+ BPDU. Dell Networking systems do not expect PVST+ BPDU (tagged or untagged) on an untagged port. If this situation occurs, the system places the port in an Error-Disable state. This behavior might result in the network not converging.
Example of Viewing the Extend System ID in a PVST+ Configuration Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
interface Vlan 100 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! interface Vlan 300 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface TengigabitEthernet 3/12 no ip address switchport no shutdown ! interface TengigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100
Quality of Service (QoS) 28 This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 71. Dell Networking QoS Architecture Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
• RFC 2597, Assured Forwarding PHB Group • RFC 2598, An Expedited Forwarding PHB You cannot configure port-based and policy-based QoS on the same interface. Port-Based QoS Configurations You can configure the following QoS features on an interface. NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same virtual local area network (VLAN).
Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Example of Configuring and Viewing Rate Policing The following example shows configuring rate policing. Dell#config t Dell(conf)#interface tengigabitethernet 1/2 Dell(conf-if)#rate police 100 40 peak 150 50 Dell(conf-if)#end Dell# The following example shows viewing the rate policing status.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 72. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to each class. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map. 1. Create a match-any class map. CONFIGURATION mode class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode match ip After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4. Link the class-map to a queue.
Use Step 1 or Step 2 to start creating a Layer 2 class map. 1. Create a match-any class map. CONFIGURATION mode class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode match mac After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4. Link the class-map to a queue.
• Display all class-maps or a specific class map. EXEC Privilege mode show qos class-map Examples of Traffic Classifications The following example shows incorrect traffic classifications.
------------------------------------------------------------------------20416 1 18 IP 0x0 0 0 23.64.0.5/32 0.0.0.0/0 20 2 20417 1 0 IP 0x0 0 0 23.64.0.2/32 0.0.0.0/0 10 1 20418 1 0 IP 0x0 0 0 23.64.0.3/32 0.0.0.0/0 12 1 20419 1 10 0 0x0 0 0 0.0.0.0/0 0.0.0.0/0 14 1 24511 1 0 0 0x0 0 0 0.0.0.0/0 0.0.0.0/0 0 Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic.
Setting a DSCP Value for Egress Packets In an input QoS policy, you can set a DSCP value for egress packets based on ingress QoS classification. The 6–bits that are used for DSCP are also used to identify the queue in which traffic is buffered. When you set a DSCP value, Dell Networking OS displays an informational message advising you of the queue to which you should apply the QoS policy (using the service-queue from POLICY-MAP-IN mode).
Strict-Priority Queuing You can configure strict-priority queueing in an output QoS policy. Strict-priority means that the system de-queues all packets from the assigned queue before servicing any other queues. Strict-priority queueing is performed using the Scheduler Strict feature. When scheduler strict is applied to multiple queues, the higher queue number takes precedence. For more information, see Enabling Strict-Priority Queueing.
wred For more information, refer to Applying a WRED Profile to Traffic. Create Policy Maps There are two types of policy maps: input and output. Creating Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1. Create a Layer 3 input policy map. CONFIGURATION mode policy-map-input Create a Layer 2 input policy map by entering the policy-map-input layer2 command. 2.
Table 28.
Mapping dot1p Values to Service Queues All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode. • All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
Creating Output Policy Maps Creating output policy maps is supported on the platform. 1. Create an output policy map. CONFIGURATION mode policy-map-output 2. After you create an output policy map, do one or more of the following: Applying an Output QoS Policy to a Queue Specifying an Aggregate QoS Policy Applying an Output Policy Map to an Interface 3. Apply the policy map to an interface. Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command.
• Start frame delimiter (SFD): 1 byte • Destination MAC address: 6 bytes • Source MAC address: 6 bytes • Ethernet Type/Length: 2 bytes • Payload: (variable) • Cyclic redundancy check (CRC): 4 bytes • Inter-frame gap (IFG): (variable) You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment.
Weighted Random Early Detection Weighted random early detection (WRED) is a congestion avoidance mechanism that drops packets to prevent buffering resources from being consumed. NOTE: On the Z9500, WRED and Explicit Congestion Notification (ECN) marking are supported on front-end I/O and backplane high-Gigabit ports. When you enable WRED, packets are dropped during times of network congestion based on the configured minimum and maximum WRED thresholds.
Table 30. Pre-Defined WRED Profiles Default Profile Name Minimum Threshold Maximum Threshold Maximum Drop Rate wred_drop 0 0 100 wred_teng_y 594 5941 100 wred_teng_g 594 5941 50 wred_fortyg_y 594 5941 50 wred_fortyg_g 594 5941 25 Creating WRED Profiles To create WRED profiles, use the following commands. 1. Create a WRED profile. CONFIGURATION mode wred 2. Specify the minimum and maximum threshold values.
Wred-profile-name wred_drop wred_teng_y wred_teng_g wred_fortyg_y wred_fortyg_g min-threshold 0 467 467 467 467 max-threshold 0 4671 4671 4671 4671 max-drop-rate 100 100 50 50 25 Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. • Display the number of packets that the WRED profile drops.
To resolve the problem of packet loss at times of network congestion, you may need to apply WRED with ECN and more finely tune packet transmission for certain traffic types. To do so, you can configure the weight used to calculate the average queue size; the average queue size is used to determine when to drop packets with WRED and when to mark packets with ECN when WRED thresholds are exceeded.
NOTE: Service pool 1 for lossless queues is not supported in software releases that do not support PFC. You can define WRED profiles and a weight on global service-pools for both lossy and lossless (PFC) service-pools. The following events occur when you configure WRED with ECN on a global service-pool: • If WRED/ECN is enabled on the global service-pool with threshold values and if it is not enabled on the queues, WRED/ECN are not effective based on global service-pool WRED thresholds.
Queue Configuration Service-Pool Configuration WRED Threshold Relationship Q threshold = Q-T Service-pool threshold = SP-T Expected Functionality SP-T < Q-T Same as above but ECN marking starts above SP-T. Configuring a Weight for WRED and ECN Operation You can configure a WRED weight to customize WRED and ECN operation on a front-end or backplane interface.
5. Enable ECN marking on specific queues on backplane ports with a service class. CONFIGURATION mode Dell(conf)#service-class wred ecn 0, 3-5, 7 backplane Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policymap consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receive a CAM full error message (shown in the following example).
NOTE: The show cam-usage command provides much of the same information as the test camusage command, but whether a policy-map can be successfully applied to an interface cannot be determined without first measuring how many CAM entries the policy-map would consume; the test cam-usage command is useful because it provides this measurement. • Verify that there are enough available CAM entries.
Routing Information Protocol (RIP) 29 The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2). These versions are documented in RFCs 1058 and 2453.
Implementation Information The Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the default values for RIP parameters on the switch. Table 32.
Enabling RIP Globally By default, RIP is disabled on the switch. To enable RIP globally, use the following commands. 1. Enter ROUTER RIP mode and enable the RIP process. CONFIGURATION mode router rip 2. Assign an IP network address as a RIP network to exchange routing information.
192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 0/0 192.162.2.0/24 auto-summary 192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 0/0 192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes.
• distribute-list prefix-list-name in Assign a configured prefix list to all outgoing RIP routes. ROUTER RIP mode distribute-list prefix-list-name out To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process.
• Set the RIP versions received on that interface. INTERFACE mode • ip rip receive version [1] [2] Set the RIP versions sent out on that interface. INTERFACE mode ip rip send version [1] [2] Examples of Setting the RIP Process To see whether the version command is configured, use the show config command in ROUTER RIP mode. To view the routing protocols configuration, use the show ip protocols command in EXEC mode.
Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send FastEthernet 0/0 2 1 2 Routing for Networks: 10.0.0.0 Routing Information Sources: Gateway Distance Last Update Distance: (default is 120) Dell# Generating a Default Route Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table.
Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command. Exercise caution when applying an offset command to routers on a broadcast network, as the router using the offset command is modifying RIP advertisements before sending out those advertisements.
Dell#debug ip rip RIP protocol debug is ON Dell# To disable RIP, use the no debug ip rip command. RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names.
Core 2 RIP Output The examples in the section show the core 2 RIP output. Examples of the show ip Command with Core 2 Output • To display Core 2 RIP database, use the show ip rip database command. • To display Core 2 RIP setup, use the show ip route command. • To display Core 2 RIP activity, use the show ip protocols command. To view the learned RIP routes on Core 2, use the show ip rip database command.
To view the RIP configuration activity on Core 2, use the show ip protocols command.
Examples of the show ip Command with Core 3 Output To view learned RIP routes on Core 3, use the show ip rip database command. Core3#show ip rip database Total number of routes in RIP database: 7 10.11.10.0/24 [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet 10.200.10.0/24 [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet 10.300.10.0/24 [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet 10.11.20.0/24 directly connected,TenGigabitEthernet 10.11.30.0/24 directly connected,TenGigabitEthernet 10.0.0.
10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.2 120 00:00:22 Distance: (default is 120) Core3# RIP Configuration Summary Examples of Viewing the RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2. ! interface TengigabitEthernet ip address 10.11.10.1/24 no shutdown ! interface TengigabitEthernet ip address 10.11.20.2/24 no shutdown ! interface TengigabitEthernet ip address 10.200.10.
! router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
Remote Monitoring (RMON) 30 Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
is configured with the RMON event command. Possible events include a log entry or an SNMP trap. If the 1.3.6.1.2.1.2.2.1.20.1 value changes to 0 (falling-threshold 0), the alarm is reset and can be triggered again. Dell(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1 Configuring an RMON Event To add an event in the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode. • Add an event in the RMON event table.
– integer: a value from 1 to 65,535 that identifies the RMON Statistics Table. The value must be unique in the RMON Statistic Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. – ownername: (Optional) records the name of the owner of the RMON group of statistics. The default is a null-terminated string. Example of the rmon collection statistics Command To remove a specified RMON statistics collection, use the no form of this command.
Rapid Spanning Tree Protocol (RSTP) 31 The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).. Protocol Overview The Dell Networking OS supports three other versions of spanning tree, as shown in the following table. Table 33.
• • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP.
Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled.
Figure 75. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
BPDU : sent 121, received 2 The port is not in the Edge port mode Port 379 (TengigabitEthernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • • • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535.
– Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). To enable EdgePort on an interface, use the following command. • Enable EdgePort on an interface.
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond. hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not used.
Security 32 This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. AAA Accounting Accounting, authentication, and authorization (AAA) accounting is part of the AAA security model. For details about commands related to AAA security, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
– command level: sends accounting of commands executed at the specified privilege level. – default | name: enter the name of a list of accounting methods. – start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end. – wait-start: ensures that the TACACS+ security server acknowledges the start notice before granting the user's process request.
Example of Enabling AAA Accounting with a Named Method List Dell(config-line-vty)# accounting commands 15 com15 Dell(config-line-vty)# accounting exec execAcct Monitoring AAA Accounting The system does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command.
• Configuring AAA Authentication Login Methods • Enabling AAA Authentication • Enabling AAA Authentication—RADIUS For a complete list of all commands related to login authentication, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. The system evaluates the methods in the order in which you enter them in each list.
NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH). You can create multiple method lists and assign them to different terminal lines. Enabling AAA Authentication To enable AAA authentication, use the following command. • Enable AAA authentication. CONFIGURATION mode aaa authentication enable {method-list-name | default} method1 [...
To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following commands. Dell(config)# aaa authentication enable mymethodlist radius tacacs Dell(config)# line vty 0 9 Dell(config-line-vty)# enable authentication mymethodlist Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
spanning-tree command, log in to the router, enter the enable command for privilege level 15 (this privilege level is the default level for the command) and then enter CONFIGURATION mode. You can configure passwords to control access to the box and assign different privilege levels to users. The system supports the use of passwords when you log in to the system and when you enter the enable command.
• Configure a password for a privilege level. CONFIGURATION mode enable password [level level] [encryption-mode] password Configure the optional and required parameters: – level level: Specify a level from 0 to 15. Level 15 includes all levels. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. To change only the password for the enable command, configure only the password parameter.
To assign commands and passwords to a custom privilege level, use the following commands. You must be in privilege level 15. 1. Assign a user name and password. CONFIGURATION mode username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password] Configure the optional and required parameters: 2. • name: enter a text string (up to 63 characters). • access-class access-list-name: enter the name of a configured IP ACL.
Line 2: All other users are assigned a password to access privilege level 8. Line 3: The configure command is assigned to privilege level 8 because it needs to reach CONFIGURATION mode where the snmp-server commands are located. Line 4: The snmp-server commands, in CONFIGURATION mode, are assigned to privilege level 8.
• Configure a custom privilege level for the terminal lines. LINE mode privilege level level • – level level: The range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration. Specify either a plain text or encrypted password. LINE mode password [encryption-type] password Configure the following optional and required parameters: – encryption-type: Enter 0 for plain text or 7 for encrypted text.
If an error occurs in the transmission or reception of RADIUS packets, you can view the error by enabling the debug radius command. Transactions between the RADIUS server and the client are encrypted (the users’ passwords are not sent in plain text). RADIUS uses UDP as the transport protocol between the RADIUS server host and the client. For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.
NOTE: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS) are supported. Authorization is denied in cases using Extended ACLs. Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. • Automatically execute a command.
CONFIGURATION mode • aaa authentication login method-list-name radius Create a method list with RADIUS and TACACS+ as authorization methods. CONFIGURATION mode aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified).
– key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host. If you do not configure these optional parameters, the global default values for all RADIUS host are applied. To specify multiple RADIUS server hosts, configure the radius-server host command multiple times.
– seconds: the range is from 0 to 1000. Default is 5 seconds. To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode. Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius TACACS+ The system supports terminal access controller access control system (TACACS+ client, including support for login authentication.
3. Enter LINE mode. CONFIGURATION mode line {aux 0 | console 0 | vty number [end-number]} 4. Assign the method-list to the terminal line. LINE mode login authentication {method-list-name | default} Example of a Failed Authentication To view the configuration, use the show config in LINE mode or the show running-config tacacs + command in EXEC Privilege mode. If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically.
debug tacacs+ TACACS+ Remote Authentication and Authorization The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes. If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets this access class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch the access class from the server.
– key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key configured on the TACACS+ server host. This parameter must be the last parameter you configure. If you do not configure these optional parameters, the default global values are applied. Example of Connecting with a TACACS+ Server Host To specify multiple TACACS+ server hosts, configure the tacacs-server host command multiple times.
SCP is a remote file copy program that works with SSH and is supported on the switch. NOTE: The Windows-based WinSCP client software is not supported for secure copying between a PC and a Dell Networking OS-based system. Unix-based SCP client software is supported. To use the SSH client, use the following command. • Open an SSH connection and specifying the host name, username, port number, and version of the SSH client.
3. On Switch 2, invoke SCP. CONFIGURATION mode copy scp: flash: 4. On Switch 2, in response to prompts, enter the path to the desired file and enter the port number specified in Step 1. EXEC Privilege mode Example of Using SCP to Copy from an SSH Server on Another Switch Other SSH-related commands include: • crypto key generate: generate keys for the SSH server. • debug ip ssh: enables collecting SSH debug information. • ip scp topdir: identify a location for files used in secure copy transfer.
• Configuring Host-Based SSH Authentication Important Points to Remember • If you enable more than one method, the order in which the methods are preferred is based on the ssh_config file on the Unix machine. • When you enable all the three authentication methods, password authentication is the backup method when the RSA method fails. • The files known_hosts and known_hosts2 are generated when a user tries to SSH using version 1 or version 2, respectively.
Example of Generating RSA Keys admin@Unix_client#ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub. Configuring Host-Based SSH Authentication Authenticate a particular host.
admin@Unix_client# ls id_rsa id_rsa.pub shosts admin@Unix_client# cat shosts 10.16.127.201, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyW hVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= The following example shows creating rhosts. admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.
Example of Using Telnet for Remote Login Dell(conf)#ip telnet server enable Dell(conf)#no ip telnet server enable VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 35.
NOTE: For more information, refer to Access Control Lists (ACLs).
Dell(conf)# Dell(conf)#line vty 0 9 Dell(config-line-vty)#access-class sourcemac Dell(config-line-vty)#end Security 579
Service Provider Bridging 33 Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS. VLAN Stacking Virtual local area network (VLAN) stacking is supported on the platform. VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 76. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLANstack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-stack VLAN.
Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
! interface TenGigabitEthernet 2/12 no ip address switchport vlan-stack trunk no shutdown Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
To configure trunk ports, use the following commands. 1. Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making it a hybrid port. INTERFACE mode portmode hybrid NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID 0x8100. 2. Add the port to a 802.1Q VLAN as tagged or untagged.
Example of Debugging a VLAN and its Ports The port notations are as follows: • • • • • MT — stacked trunk MU — stacked access port T — 802.1Q trunk port U — 802.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 77.
Figure 78.
Figure 79. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 36. Drop Eligibility Behavior Ingress Egress DEI Disabled DEI Enabled Normal Port Normal Port Retain CFI Set CFI to 0. Trunk Port Trunk Port Retain inner tag CFI Retain inner tag CFI. Retain outer tag CFI Set outer tag CFI to 0. Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0 Access Port Trunk Port To enable drop eligibility globally, use the following command. • Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
• • Option 1: Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. Option 2: Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. For example, if frames with C-Tag dot1p values 0, 6, and 7 are mapped to an S-Tag dot1p value 0, all such frames are sent to the queue associated with the S-Tag 802.1p value 0.
service-policy input in layer2 no shutdown Mapping C-Tag to S-Tag dot1p Values To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands. 1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 81. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 82. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2. Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3. Tunnel BPDUs the VLAN.
4. Set a maximum rate at which the BPDUs are processed for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.
sFlow 34 sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. Overview The Dell Networking OS supports sFlow version 5. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows. • Time-based sampling of interface counters.
Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. • Dell Networking recommends the sFlow Collector be connected to the Dell Networking chassis through a line card port rather than the management Ethernet port. • Only egress sampling is supported. • The system exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets.
• Displaying Show sFlow on an Interface • Displaying Show sFlow on a Line Card Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled. The second bold lines indicate sFlow is enabled on linecards Te 1/16 and Te 1/17.
mtu 9252 ip mtu 9234 switchport sflow enable sflow sample-rate 8192 no shutdown Displaying Show sFlow on a Line Card To view sFlow statistics on a specified line card, use the following command. • Display sFlow configuration information and statistics on the specified interface.
– interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds. Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared.
77 UDP packets exported 0 UDP packets dropped 165 sFlow samples collected 69 sFlow samples dropped due to sub-sampling Linecard 1 Port set 0 H/W sampling rate 8192 Gi 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1 Gi 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2 Linecard 3 Port set 1 H/W sampling rate 16384 Gi 3/40: configured rate 16384, actual rate 16384, sub-sampling rate 1 If you did not enable any extended information, the show output displays the following (sho
IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description routing protocols, and for cases where is source is reachable over ECMP. BGP sFlow BGP Exported Exported Extended gateway data is packed.
35 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Related Configuration Tasks • Managing Overload on Startup • Reading Managed Object Values • Writing Managed Object Values • Subscribing to Managed Object Value Updates using SNMP • Copying Configuration Files via SNMP • Manage VLANs Using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-channels Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are suff
• Choose a name for the community. CONFIGURATION mode snmp-server community name {ro | rw} Example of Creating an SNMP Community To view your SNMP configuration, use the show running-config snmp command from EXEC Privilege mode. Dell(conf)#snmp-server community my-snmp-community ro 22:31:23: %SYSTEM-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
• Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name 3 noauth {included | excluded} NOTE: To give a user read and write privileges, repeat this step for each privilege type. • Configure an SNMP group (with password or privacy privileges). CONFIGURATION mode • snmp-server group group-name {oid-tree} priv read name write name Configure the user with a secure authorization password and privacy password.
Examples of Reading Managed Object Values In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays. > snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16 > snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0 The following example shows reading the value of the next managed object. > snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.
snmp-server contact text You may use up to 55 characters. • The default is None. (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmp-server location text You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
To configure the system to send SNMP notifications, use the following commands. 1. Configure the Dell Networking system to send notifications to an SNMP server. CONFIGURATION mode snmp-server host ip-address [traps | informs] [version 1 | 2c |3] [community-string] To send trap messages, enter the keyword traps. To send informational messages, enter the keyword informs. To send the SNMP version to use for notification messages, enter the keyword version.
NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options. Example of Dell Networking Enterprise-specific SNMP Traps envmon LINECARDUP: %sLine card %d is up CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required. TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s SYSTEM-P:CP %CHMGR-2-CARD_PARITY_ERR ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s CPU_THRESHOLD: Cpu %s usage above threshold.
%ECFM-5-ECFM_ERROR_ALARM: Error CCM Defect detected by MEP 1 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_MAC_STATUS_ALARM: MAC Status Defect detected by MEP 1 in Domain provider at Level 4 VLAN 3000 %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 entity Enable entity change traps Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.
MIB Object OID Object Values Description • copySrcFileLocation . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.3 1 = flash copySrcFileLocation is flash. If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName. Specifies the location of source file. 2 = slot0 • 3 = tftp 4 = ftp 5 = scp If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. 6 = usbflash copySrcFileName copyDestFileType . 1.3.6.1.4.1.6027.3.5.1.1.
MIB Object OID Object Values Description copyDestFileName . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.7 Path (if the file is not in the default directory) and filename. Specifies the name of destination file. copyServerAddress . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.8 IP Address of the server. The IP address of the server. . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.9 Username for the server. Username for the FTP, TFTP, or SCP server. . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.10 Password for the server.
3. On the server, use the snmpset command as shown in the following example. snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value... • Every specified object must have an object value and must precede with the keyword i. Refer to the previous table. • index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears.
The following example shows copying configuration files using OIDs. > snmpset -v 2c -c public -m ./f10-copy-config.mib 10.10.10.10 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.100 i 2 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.100 i 3 FTOS-COPY-CONFIG-MIB::copySrcFileType.100 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.100 = INTEGER: startupConfig(3) Copying the Startup-Config Files to the Running-Config To copy the startup-config to the running-config from a UNIX machine, use the following command.
Copying the Startup-Config Files to the Server via TFTP To copy the startup-config to the server via TFTP from the UNIX machine, use the following command. NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory. • Copy the startup-config to the server via TFTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.
MIB Object OID Values Description 3 = failed copyTimeStarted . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.12 Time value Specifies the point in the up-time clock that the copy operation started. copyTimeCompleted . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.13 Time value Specifies the point in the up-time clock that the copy operation completed. copyFailCause . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.14 1 = bad filename Specifies the reason the copy request failed.
• the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command. The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, the same index number used in the snmpset command follows the object. The following example shows getting a MIB object value using the object name. > snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.
Displaying the Ports in a VLAN The system identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command. Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
3. Enter the snmpset command to change the admin status using either the object descriptor or the OID. snmpset with descriptor: snmpset -v version -c community agent-ip ifAdminStatus.ifindex i {1 | 2} snmpset with OID: snmpset -v version -c community agent-ip . 1.3.6.1.2.1.2.2.1.7.ifindex i {1 | 2} Choose integer 1 to change the admin status to Up, or 2 to change the admin status to Down.
Example of Fetching MAC Addresses Learned on the Default VLAN Using SNMP ----------------MAC Addresses on Force10 System-----------------R1_E600#show mac-address-table VlanId Mac Address Type Interface State 1 00:01:e8:06:95:ac Dynamic Te 1/21 Active ----------------Query from Management Station--------------------->snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.4.3.1 SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.
Starting from the least significant bit (LSB) in the preceding figure: • The first 14 bits represent the card type of a physical interface or the interface number of a logical interface. • The next 4 bits represent the interface type. • The next 12 bits represent the slot and port numbers. • The next bit is 0 for a physical interface and 1 for a logical interface. • The last next is unused.
Monitor Port-Channels To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode. Example of SNMP Trap for Monitored Port-Channels [senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 . 1.3.6.1.4.1.6027.3.2.1.1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.2 = INTEGER: 2 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.2.
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Po 1" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500932) 23:36:49.32 SNMPv2MIB::snmpTrapOID.0 = OID: IF-MIB::linkUp IF-MIB::ifIndex.33865785 = INTEGER: 33865785 SNMPv2SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Te 0/0" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500934) 23:36:49.
Storm Control 36 Storm control allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking OS Behavior: The switch supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. Configure Storm Control Storm control is supported in INTERFACE mode and CONFIGURATION mode. Configuring Storm Control from INTERFACE Mode To configure storm control, use the following command.
Spanning Tree Protocol (STP) 37 The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. Protocol Overview By eliminating loops, STP improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
• The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time. • All ports in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you enable the protocol.
To configure and enable the interfaces for Layer 2, use the following command. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE switchport 3. Enable the interface. INTERFACE mode no shutdown Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Figure 84. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable Examples of Verifying and Viewing Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
spanning-tree 0 To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command. Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hellotime, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters.
• the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. CAUTION: Enable PortFast only on links connecting to an end station. PortFast can cause loops if it is enabled on an interface connected to a network. To enable PortFast on an interface, use the following command.
• • • • • If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware. When you remove a physical port from a port channel in the Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware).
• disables spanning tree on an interface • drops all BPDUs at the line card without generating a console message Example of Blocked BPDUs Dell(conf-if-te-0/7)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e805.fb07 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e85d.0e90 Configured hello time 2, max age 20, forward delay 15 Interface Name PortID Prio ---------- -------Te 0/6 128.
Root Bridge hello time 2, max age 20, forward delay 15 Dell# STP Root Guard Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority (as determined by STP or set with the bridgepriority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root.
Figure 86. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
INTERFACE mode or INTERFACE PORT-CHANNEL mode spanning-tree {0 | mstp | rstp | pvst} rootguard – 0: enables root guard on an STP-enabled port assigned to instance 0. – mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer. Figure 87. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis.
– Rapid Spanning Tree Protocol (RSTP) – Multiple Spanning Tree Protocol (MSTP) – Per-VLAN Spanning Tree Plus (PVST+) • You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard.
Te 0/2 Te 0/3 648 0 0 LIS EDS (Shut) Loopguard Bpduguard Spanning Tree Protocol (STP)
System Time and Date 38 System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. The system synchronizes with a time-serving host to get the correct time. You can set the system to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks • Configuring NTP Broadcasts • Setting the Hardware Clock with the Time Derived from NTP • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources.
R5/R8(conf)#do show calendar 12:24:11 UTC Thu Mar 12 2009 Configuring NTP Broadcasts The switch can receive broadcasts of time information. You can set interfaces within the system to receive NTP information through broadcast. To configure an interface to receive NTP broadcasts, use the following commands. • Set the interface to receive NTP packets. INTERFACE mode ntp broadcast client Example of Configuring NTP Broadcasts 2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.
To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication). Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources. NTP authentication begins when the first NTP packet is created following the configuration of keys.
(192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.406 UTC Thu Apr 2 2009) rec CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) xmt CD7F5368.D0535000 (15:8:24.813 UTC Thu Apr 2 2009) 1w6d23h : NTP: rcv packet from 192.168.1.1 leap 0, mode 4, version 3, stratum 1, ppoll 1024 rtdel 0000 (0.000000), rtdsp AF587 (10959.090820), refid 4C4F434C (76.79.67.76) ref CD7E14FD.43F7CED9 (16:29:49.265 UTC Wed Apr 1 2009) org CD7F5368.D0535000 (15:8:24.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Time and Date You can set the time and date in the Dell Networking OS using the CLI. Configuration Task List The following is a configuration task list for configuring the time and date settings.
– month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. – year: enter a four-digit number as the year. The range is from 1993 to 2035.
– start-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. – start-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. – start-year: enter a four-digit number as the year. The range is from 1993 to 2035. – start-time: enter the time in hours:minutes.
– start-year: Enter a four-digit number as the year. The range is from 1993 to 2035. – start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; example, 17:15 is 5:15 pm. – end-week: If you entered a start-week, enter the one of the following as the week that daylight saving ends: * week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
Upgrade Procedures 39 For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version. Upgrade Overview To upgrade system software on the switch, follow these general steps: 1. Identify the boot and system images currently stored on the Z9500 (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command. 2.
local flash. This image contains independent images for the CPUs: Control Processor (CP), Route Processor (RP), and line-card processor (LP). Each separate image runs on a different CPU and are unpacked and downloaded on the appropriate CPU via the party bus. You can use TFTP or FTP to copy images to the local storage of each CPU.
Uplink Failure Detection (UFD) 40 Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 89. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 90. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
– An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state. No uplink-state tracking is performed when a group is disabled or in an Operationally Down state. • You can assign physical port or port-channel interfaces to an uplink-state group. – You can assign an interface to only one uplink-state group. Configure each interface assigned to an uplink-state group as either an upstream or downstream interface, but not both.
Configuring Uplink Failure Detection To configure UFD, use the following commands. 1. Create an uplink-state group and enable the tracking of upstream links on the switch/router. CONFIGURATION mode uplink-state-group group-id • group-id: values are from 1 to 16. To delete an uplink-state group, use the no uplink-state-group group-id command. 2. Assign a port or port-channel to the uplink-state group as an upstream or downstream interface.
4. (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up. UPLINK-STATE-GROUP mode downstream auto-recover The default is auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5. (Optional) Enters a text description of the uplink-state group.
Example of Syslog Messages Before and After Entering the clear ufd-disable uplink-stategroup Command The following example message shows the Syslog messages that display when you clear the UFDDisabled state from all disabled downstream interfaces in an uplink-state group by using the clear ufd-disable uplink-state-group group-id command. All downstream interfaces return to an operationally up state.
02:38:53: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Fo 1/16 Displaying Uplink Failure Detection To display information on the UFD feature, use any of the following commands. • Display status information on a specified uplink-state group or all groups. EXEC mode show uplink-state-group [group-id] [detail] – group-id: The values are 1 to 16. • – detail: displays additional status information on the upstream and downstream interfaces in each group.
Upstream Interfaces : Downstream Interfaces : Uplink State Group : 3 Status: Enabled, Up Upstream Interfaces : Te 0/46(Up) Te 0/47(Up) Downstream Interfaces : Te 1/0(Up) Te 1/1(Up) Te 1/3(Up) Te 1/5(Up) Te 1/6(Up) Uplink State Group : 5 Status: Enabled, Down Upstream Interfaces : Te 0/0(Dwn) Te 0/3(Dwn) Te 0/5(Dwn) Downstream Interfaces : Te 1/2(Dis) Te 1/4(Dis) Te 1/11(Dis) Te 1/12(Dis) Te 1/13(Dis) Te 1/14(Dis) Te 1/15(Dis) Uplink State Group : 6 Upstream Interfaces : Downstream Interfaces : Status: Enab
downstream TengigabitEthernet 0/2, 4, 6, 11-19 upstream TengigabitEthernet 0/48, 52 upstream PortChannel 1 ! uplink state track 2 downstream TengigabitEthernet 0/1, 3, 5, 7-10 upstream TengigabitEthernet 0/56, 60 Dell(conf-uplink-state-group-16)# show configuration ! uplink-state-group 16 no enable description test downstream disable links all downstream TengigabitEthernet 0/40 upstream TengigabitEthernet 0/41 upstream Port-channel 8 Sample Configuration: Uplink Failure Detection The following example show
Dell# show running-config uplink-state-group ! uplink-state-group 3 description Testing UFD feature downstream disable links 2 downstream TengigabitEthernet 0/1-2,5,9,11-12 upstream TengigabitEthernet 0/3-4 Dell# show uplink-state-group 3 Uplink State Group: 3 Status: Enabled, Up Dell# show uplink-state-group detail (Up): Interface up (Dwn): Interface down (Dis): Interface disabled Uplink State Group : 3 Status: Enabled, Up Upstream Interfaces : Te 0/3(Up) Te 0/4(Dwn) Downstream Interfaces : Te 0/1(Dis) Te
Virtual LANs (VLANs) 41 Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN. NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • Untagged interfaces must be part of a VLAN.
preserved as the frame moves through the network. The following example shows the structure of a frame with a tag header. The VLAN ID is inserted in the tag header. Figure 91. Tagged Frame Format The tag header contains some key information that the system uses: • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode. CONFIGURATION mode interface vlan vlan-id To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. Example of Verifying a Port-Based VLAN To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
The following example shows the steps to add a tagged interface (in this case, port channel 1) to VLAN 4. To view the interface’s status. Interface (po 1) is tagged and in VLAN 2 and 3, use the show vlan command. In a port-based VLAN, use the tagged command to add the interface to another VLAN. The show vlan command output displays the interface’s (po 1) changed status. Except for hybrid ports, only a tagged interface can be a member of multiple VLANs.
Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2. Configure an interface as untagged. INTERFACE mode untagged interface This command is available only in VLAN interfaces.
4 Dell# Active T U Te 2/1 Te 2/2 The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode. Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
To configure a port so that it can be a member of an untagged and tagged VLANs, use the following commands. 1. Remove any Layer 2 or Layer 3 configurations from the interface. INTERFACE mode 2. Configure the interface for Hybrid mode. INTERFACE mode portmode hybrid 3. Configure the interface for Switchport mode. INTERFACE mode switchport 4. Add the interface to a tagged or untagged VLAN.
Virtual Router Redundancy Protocol (VRRP) 42 Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 92. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
decreases based on the dynamics of the network, the advertisement intervals may increase or decrease accordingly. CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. Table 43.
INTERFACE mode vrrp-group vrid The VRID range is from 1 to 255. • NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group. INTERFACE mode no vrrp-group vrid Examples of Configuring Verifying a VRRP Configuration The following example shows configuring a VRRP configuration. Dell(conf)#int te 1/1 Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)# The following example shows verifying a VRRP configuration.
• group and the interface’s physical MAC address is changed to that of the owner VRRP group’s MAC address. If you configure multiple VRRP groups on an interface, only one of the VRRP Groups can contain the interface primary or secondary IP address. Configuring a Virtual IP Address To configure a virtual IP address, use the following commands. 1. Configure a VRRP group. INTERFACE mode vrrp-group vrrp-id The VRID range is from 1 to 255. 2. Configure virtual IP addresses for this VRID.
Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10 Authentication: (none) -----------------TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 100, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.
TenGigabitEthernet 1/2, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 125, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.3 Authentication: (none) Dell(conf)# Configuring VRRP Authentication Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes.
NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled. Because preempt is enabled by default, disable the preempt function with the following command. • Prevent any BACKUP router with a higher priority from becoming the MASTER router. INTERFACE-VRID mode no preempt Examples of Disabling and Verifying Preempt Re-enable preempt by entering the preempt command.
Examples of Configuring and Verifying the Advertisement Interval The following example shows the advertise-interval command. Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)#advertise-interval 10 Dell(conf-if-te-1/1-vrid-111)# To verify the advertise-interval setting, use the show conf command. Dell(conf-if-te-1/1-vrid-111)#show conf ! vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.
Tracking an Interface To track an interface, use the following commands. NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group. • Monitor an interface and, optionally, set a value to be subtracted from the interface’s VRRP group priority. INTERFACE-VRID mode track interface [priority-cost cost] The cost range is from 1 to 254. • The default is 10.
Track 2 IPv6 route 2040::/64 metric threshold Metric threshold is Up (STATIC/0/0) 5 changes, last change 00:02:16 Metric threshold down 255 up 254 First-hop interface is TenGigabitEthernet 1/2 Tracked by: VRRP TenGigabitEthernet 2/30 IPv6 VRID 1 Track 3 IPv6 route 2050::/64 reachability Reachability is Up (STATIC) 5 changes, last change 00:02:16 First-hop interface is TenGigabitEthernet 1/2 Tracked by: VRRP TenGigabitEthernet 2/30 IPv6 VRID 1 The following example shows verifying the VRRP status.
When you configure both CLIs, the later timer rules VRRP enabling. For example, if you set vrrp delay reload 600 and vrrp delay minimum 300, the following behavior occurs: • When the system reloads, VRRP waits 600 seconds (10 minutes) to bring up VRRP on all interfaces that are up and configured for VRRP. • When an interface comes up and becomes operational, the system waits 300 seconds (5 minutes) to bring up VRRP on that interface.
Figure 93. VRRP for IPv4 Topology Example of Configuring VRRP for IPv4 Router 2 R2(conf)#int te 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
no shutdown R2(conf-if-te-2/31)#end R2#show vrrp -----------------TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.
Figure 94. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. Example of Configuring VRRP for IPv6 Router 2 and Router 3 Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
Although R2 and R3 have the same default, priority (100), R2 is elected master in the VRRPv3 group because the TenGigE 0/0 interface has a higher IPv6 address than the TenGigE 1/0 interface on R3.
VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration. VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN.
Figure 95. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Switch-1 S1(conf)#ip vrf default-vrf 0 ! S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 2/1 S1(conf-if-te-2/1)#ip vrf forwarding VRF-1 S1(conf-if-te-2/1)#ip address 10.10.1.5/24 S1(conf-if-te-12/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
! S1(conf)#interface TenGigabitEthernet 2/3 S1(conf-if-te-2/3)#ip vrf forwarding VRF-3 S1(conf-if-te-2/3)#ip address 20.1.1.5/24 S1(conf-if-te-2/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-2/3-vrid-105)#priority 255 S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.
VRRP in VRF: Switch-1 VLAN Configuration VRRP in VRF: Switch-2 VLAN Configuration Switch-1 S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 2/4 S1(conf-if-te-2/4)#no ip address S1(conf-if-te-2/4)#switchport S1(conf-if-te-2/4)#no shutdown ! S1(conf-if-te-2/4)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.
S2(conf-if-vl-100-vrid-101)#priority 255 S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.2 S2(conf-if-vl-100)#no shutdown ! S2(conf-if-te-2/4)#interface vlan 200 S2(conf-if-vl-200)#ip vrf forwarding VRF-2 S2(conf-if-vl-200)#ip address 10.10.1.2/24 S2(conf-if-vl-200)#tagged tengigabitethernet 12/4 S2(conf-if-vl-200)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 2 will be 178. S2(conf-if-vl-200-vrid-101)#priority 255 S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.
192.168.0.
Standards Compliance 43 This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
MTU 9,252 bytes RFC and I-D Compliance The system supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of the Dell Networking OS first supports the standard. General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 44.
RFC# Full Name S-Series/ZSeries C-Series E-Series TeraScale E-Series ExaScale Field) in the IPv4 and IPv6 Headers 2615 PPP over SONET/SDH √ 2698 A Two Rate Three Color Marker √ 8.1.1 3164 The BSD syslog Protocol 7.5.1 √ 8.1.1 draft-ietf-bfd base-03 Bidirectional Forwarding Detection 7.6.1 √ 8.1.1 7.6.1 General IPv4 Protocols The following table lists the Dell Networking OS support per platform for general IPv4 protocols. Table 45.
RFC# Full Name S-Series/ZSeries C-Series E-Series TeraScale E-Series ExaScale Specification, Implementation and Analysis 1519 Classless InterDomain Routing (CIDR): an Address Assignment and Aggregation Strategy 7.6.1 7.5.1 √ 8.1.1 1542 Clarifications and Extensions for the Bootstrap Protocol 7.6.1 7.5.1 √ 8.1.1 1812 Requirements for IP 7.6.1 Version 4 Routers 7.5.1 √ 8.1.1 2131 Dynamic Host Configuration Protocol 7.6.1 7.5.1 √ 8.1.
General IPv6 Protocols The following table lists the Dell Networking OS support per platform for general IPv6 protocols. Table 46. General IPv6 Protocols RFC# Full Name 1886 C-Series E-Series TeraScale E-Series ExaScale DNS Extensions to 7.8.1 support IP version 6 7.8.1 √ 8.2.1 1981 (Partial) Path MTU Discovery for IP version 6 7.8.1 7.8.1 √ 8.2.1 2460 Internet Protocol, Version 6 (IPv6) Specification 7.8.1 7.8.1 √ 8.2.1 2462 (Partial) IPv6 Stateless Address Autoconfiguration 7.8.
RFC# Full Name S-Series/ZSeries 5175 IPv6 Router Advertisement Flags Option 8.3.12.0 C-Series E-Series TeraScale E-Series ExaScale Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support per platform for BGP protocols. Table 47. Border Gateway Protocol (BGP) RFC# Full Name S-Series/Z-Series 1997 BGP ComAmtturnibituitees 7.8.1 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 2439 BGP Route Flap Damping 7.8.
Open Shortest Path First (OSPF) The following table lists the Dell Networking OS support per platform for OSPF protocol. Table 48. Open Shortest Path First (OSPF) RFC# Full Name S-Series/Z-Series 1587 The OSPF Not-So-Stubby Area (NSSA) 7.6.1 Option 2154 OSPF with Digital Signatures 7.6.1 2328 OSPF Version 2 7.6.1 2370 The OSPF Opaque LSA Option 7.6.1 2740 OSPF for IPv6 9.1(0.0) 3623 Graceful OSPF Restart 7.8.1 4222 Prioritized Treatment of Specific OSPF 7.6.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale System to Intermediate System (IS-IS) Point-to-Point Adjacencies 3567 IS-IS ACruythpetongtirca apthioicn √ 8.1.1 3784 Intermediate System to Intermediate System (IS-IS) Extensions in Support of Generalized MultiProtocol Label Switching (GMPLS) √ 8.1.1 5120 MT-ISIS: Multi Topology (MT) Routing in Intermediate System to Intermediate Systems (IS-ISs) 7.8.1 8.2.1 5306 Restart Signaling for IS-IS 8.3.1 8.3.
Routing Information Protocol (RIP) The following table lists the Dell Networking OS support per platform for RIP protocol. Table 50. Routing Information Protocol (RIP) RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale 1058 Routing Information Protocol 7.8.1 7.6.1 √ 8.1.1 2453 RIP Version 7.8.1 7.6.1 √ 8.1.1 4191 Default Router Preferences and More-Specific Routes 8.3.12.
RFC# Full Name 3973 Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised) 4541 Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches draft-ietf-pim - Protocol sm-v2-new- 05 Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised) S-Series C-Series E-Series TeraScale E-Series ExaScale √ 7.6.1 (IGMPv1/v2) 7.6.1 (IGMPv1/v2) √ IGMPv1/v2/v3, MLDv1 Snooping 8.2.
RFC# Full Name 1215 A Convention for Defining 7.6.1 Traps for use with the SNMP 1493 Definitions of Managed 7.6.1 Objects for Bridges [except for the dot1dTpLearnedEntryDisc ards object] 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 7.6.1 Management Information Base 1901 Introduction to Community-based SNMPv2 7.6.1 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 7.6.
RFC# Full Name S4810 2571 An Architecture for 7.6.1 Describing Simple Network Management Protocol (SNMP) Management Frameworks 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) 2574 User-based Security 7.6.1 Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) 2575 View-based Access 7.6.
RFC# Full Name S4810 S4820T Z-Series radiusAuthClientPacketsD ropped 3635 Definitions of Managed Objects for the Ethernetlike Interface Types 7.6.1 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions 7.6.1 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol 7.6.
RFC# Full Name S4810 3434 Remote Monitoring MIB Extensions for High Capacity Alarms, HighCapacity Alarm Table (64 bits) 7.6.1 3580 IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines 7.6.1 3815 Definitions of Managed Objects for the Multiprotocol Label Switching (MPLS), Label Distribution Protocol (LDP) 4001 Textual Conventions for Internet Network Addresses 8.3.12 5060 Protocol Independent Multicast MIB 7.8.
RFC# Full Name S4810 S4820T Z-Series 9.2(0.0) 9.2(0.0) 9.2(0.0) 9.2.(0.0) 9.2.(0.0) isisISAdjProtSuppTable draft-ietf-netmodinterfaces-cfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. IEEE 802.1AB Management Information 7.7.1 Base module for LLDP configuration, statistics, local system data and remote systems data components. IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.
RFC# Full Name S4810 S4820T Z-Series you can use to determine the egress port of an IP packet and troubleshoot an IP reachability issue.
MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.
