Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

971

972

973

974

975

976

977

978

979

980

Table Of Contents

Dell EMC SmartFabric OS10 User Guide Release 10.5.0
Change history
Getting Started
- Switch with factory-installed OS10
- Switch without OS installed
- Switch deployment options
- Remote access
CLI Basics
- CONFIGURATION mode
- Check device status
- Command help
- Candidate configuration
  - Prevent configuration changes
- Copy running configuration
- Restore startup configuration
- Reload system image
- Filter show commands
- Common OS10 commands
Advanced CLI tasks
- Command alias
- Batch mode
  - batch
- Linux shell commands
- Using OS9 commands
  - feature config-os9-style
Zero-touch deployment
- ZTD DHCP server configuration
- ZTD provisioning script
- ZTD CLI batch file
- Post-ZTD script
- ZTD commands
OS10 provisioning
- Using Ansible
- Example: Configure an OS10 switch using Ansible
System management
- System banners
- User session management
  - User session management commands
- Telnet server
  - Telnet commands
- Simple Network Management Protocol
- System clock
- Network Time Protocol
- Dynamic Host Configuration Protocol
Interfaces
- Ethernet interfaces
- Unified port groups
- Z9264F-ON port-group profiles
- Port-groups on S5200F-ON switches
- L2 mode configuration
- L3 mode configuration
- Fibre Channel interfaces
  - Configuring wavelength
- Management interface
  - Management interface
- VLAN interfaces
- User-configured default VLAN
- VLAN scale profile
- Loopback interfaces
- Port-channel interfaces
  - Create port-channel
  - Add port member
  - Minimum links
  - Assign Port Channel IP Address
  - Remove or disable port-channel
  - Load balance traffic
  - Change hash algorithm
- Configure interface ranges
- Switch-port profiles
  - S4148-ON Series port profiles
  - S4148U-ON port profiles
- Configure negotiation modes on interfaces
- Configure breakout mode
- Breakout auto-configuration
- Reset default configuration
- Forward error correction
- Energy-efficient Ethernet
  - Enable energy-efficient Ethernet
  - Clear EEE counters
  - View EEE status/statistics
  - EEE commands
- View interface configuration
- Digital optical monitoring
  - Enable DOM and DOM traps
- Interface commands
  - channel-group
  - default interface
  - default vlan-id
  - description (Interface)
  - duplex
  - enable dom
  - enable dom traps
  - feature auto-breakout
  - fec
  - interface breakout
  - interface ethernet
  - interface loopback
  - interface mgmt
  - interface null
  - interface port-channel
  - interface range
  - interface vlan
  - link-bundle-utilization
  - mode
  - mode l3
  - mtu
  - negotiation
  - port mode Eth
  - port-group
  - profile
  - scale-profile vlan
  - show interface
  - show interface transceiver “Tunable wavelength”
  - show inventory media
  - show link-bundle-utilization
  - show port-channel summary
  - show port-group
  - show switch-port-profile
  - show system
  - show vlan
  - shutdown
  - speed (Fibre Channel)
  - speed (Management)
  - switch-port-profile
  - switchport access vlan
  - switchport mode
  - switchport trunk allowed vlan
  - wavelength
Fibre Channel
- Fibre Channel over Ethernet
  - Configure FIP snooping
- Terminology
- Virtual fabric
- Fibre Channel zoning
- F_Port on Ethernet
- Pinning FCoE traffic to a specific port of a port-channel
- Multi-hop FIP-snooping bridge
- Configuration guidelines
- NPIV Proxy Gateway cascading
  - NPG1 switch configuration
  - NPG2 switch configuration
- F_Port commands
- NPG commands
- F_Port and NPG commands
- FIP-snooping commands
- FCoE commands
Layer 2
- 802.1X
- Far-end failure detection
- Link Aggregation Control Protocol
- Link Layer Discovery Protocol
- Media Access Control
- Spanning-tree protocol
- Virtual LANs
- Port monitoring
Layer 3
- Virtual routing and forwarding
- Bidirectional Forwarding Detection
- Border Gateway Protocol
- Equal cost multi-path
- IPv4 routing
- IPv6 routing
- Open shortest path first
- Object tracking manager
- Policy-based routing
- Virtual Router Redundancy Protocol
Multicast
- Important notes
- Configure multicast routing
- Unknown multicast flood control
  - Enable multicast flood control
- Multicast Commands
  - multicast snooping flood-restrict
- Internet Group Management Protocol
- Multicast Listener Discovery Protocol
  - MLD snooping
  - MLD snooping commands
- Protocol Independent Multicast
- Multicast VRF sample configuration
- VLT multicast routing
VXLAN
- VXLAN concepts
- VXLAN as NVO solution
- Configure VXLAN
- L3 VXLAN route scaling
- DHCP relay on VTEPs
- View VXLAN configuration
- VXLAN MAC addresses
- VXLAN commands
- VXLAN MAC commands
- Example: VXLAN with static VTEP
- BGP EVPN for VXLAN
- Controller-provisioned VXLAN
UFT modes
- Configure UFT modes
  - IPv6 extended prefix routes
- UFT commands
Security
- User re-authentication
- Password strength
- Simple password check
- Obscure passwords
- Role-based access control
- Assign user role
- Bootloader protection
- Linuxadmin user configuration
- RADIUS authentication
- RADIUS over TLS authentication
- TACACS+ authentication
- Unknown user role
- SSH server
- Virtual terminal line ACLs
- Restrict SNMP access
- Enable AAA accounting
- Enable user lockout
- Limit concurrent login sessions
- Enable login statistics
- Privilege levels
  - Configure privilege levels
  - Configure enable password
- Audit log
- Security commands
  - aaa accounting
  - aaa authentication login
  - aaa re-authenticate enable
  - boot protect disable username
  - boot protect enable username password
  - clear logging audit
  - crypto ssh-key generate
  - disable
  - enable
  - enable password priv-lvl
  - ip access-class
  - ip radius source-interface
  - ip tacacs source-interface
  - ipv6 access-class
  - ip ssh server challenge-response-authentication
  - ip ssh server cipher
  - ip ssh server enable
  - ip ssh server hostbased-authentication
  - ip ssh server kex
  - ip ssh server mac
  - ip ssh server password-authentication
  - ip ssh server port
  - ip ssh server pubkey-authentication
  - ip ssh server vrf
  - line vty
  - logging audit enable
  - login concurrent-session limit
  - login-statistics enable
  - password-attributes
  - password-attributes max-retry lockout-period
  - privilege
  - radius-server host
  - radius-server host tls
  - radius-server retransmit
  - radius-server timeout
  - radius-server vrf
  - service obscure-password
  - service simple-password
  - show boot protect
  - show crypto ssh-key
  - show ip ssh
  - show logging audit
  - show login-statistics
  - show privilege
  - show running-configuration privilege
  - show users
  - system-user linuxadmin disable
  - system-user linuxadmin password
  - tacacs-server host
  - tacacs-server timeout
  - tacacs-server vrf
  - username password role
  - username sshkey
  - username sshkey filename
  - userrole inherit
- X.509v3 certificates
  - X.509v3 concepts
  - Public key infrastructure
  - Manage CA certificates
  - Certificate revocation
  - Request and install host certificates
  - Self-signed certificates
  - Security profiles
  - Cluster security
  - X.509v3 commands
  - Example: Configure RADIUS over TLS with X.509v3 certificates
OpenFlow
- OpenFlow logical switch instance
- OpenFlow controller
- OpenFlow version 1.3
- OpenFlow use cases
- Configure OpenFlow
  - Establish TLS connection
- OpenFlow commands
- OpenFlow-only mode commands
Access Control Lists
- IP ACLs
- MAC ACLs
- Control-plane ACLs
  - Control-plane ACL qualifiers
- IP fragment handling
  - IP fragments ACL
- L3 ACL rules
  - Permit ACL with L3 information only
  - Deny ACL with L3 information only
  - Permit all packets from host
  - Permit only first fragments and non-fragmented packets from host
- Assign sequence number to filter
  - User-provided sequence number
  - Auto-generated sequence number
- Delete ACL rule
- L2 and L3 ACLs
- Assign and apply ACL filters
- Ingress ACL filters
- Egress ACL filters
- VTY ACLs
- SNMP ACLs
- Clear access-list counters
- IP prefix-lists
- Route-maps
- Match routes
- Set conditions
- Continue clause
- ACL flow-based monitoring
  - Flow-based mirroring
- Enable flow-based monitoring
- View ACL table utilization report
  - Known behavior
- ACL logging
  - Important notes
- ACL commands
  - clear ip access-list counters
  - clear ipv6 access-list counters
  - clear mac access-list counters
  - deny
  - deny (IPv6)
  - deny (MAC)
  - deny icmp
  - deny icmp (IPv6)
  - deny ip
  - deny ipv6
  - deny tcp
  - deny tcp (IPv6)
  - deny udp
  - deny udp (IPv6)
  - description
  - ip access-group
  - ip access-list
  - ip as-path access-list
  - ip community-list standard deny
  - ip community–list standard permit
  - ip extcommunity-list standard deny
  - ip extcommunity-list standard permit
  - ip prefix-list description
  - ip prefix-list deny
  - ip prefix-list permit
  - ip prefix-list seq deny
  - ip prefix-list seq permit
  - ipv6 access-group
  - ipv6 access-list
  - ipv6 prefix-list deny
  - ipv6 prefix-list description
  - ipv6 prefix-list permit
  - ipv6 prefix-list seq deny
  - ipv6 prefix-list seq permit
  - mac access-group
  - mac access-list
  - permit
  - permit (IPv6)
  - permit (MAC)
  - permit icmp
  - permit icmp (IPv6)
  - permit ip
  - permit ipv6
  - permit tcp
  - permit tcp (IPv6)
  - permit udp
  - permit udp (IPv6)
  - remark
  - seq deny
  - seq deny (IPv6)
  - seq deny (MAC)
  - seq deny icmp
  - seq deny icmp (IPv6)
  - seq deny ip
  - seq deny ipv6
  - seq deny tcp
  - seq deny tcp (IPv6)
  - seq deny udp
  - seq deny udp (IPv6)
  - seq permit
  - seq permit (IPv6)
  - seq permit (MAC)
  - seq permit icmp
  - seq permit icmp (IPv6)
  - seq permit ip
  - seq permit ipv6
  - seq permit tcp
  - seq permit tcp (IPv6)
  - seq permit udp
  - seq permit udp (IPv6)
  - show access-group
  - show access-lists
  - show acl-table-usage detail
  - show ip as-path-access-list
  - show ip community-list
  - show ip extcommunity-list
  - show ip prefix-list
  - show logging access-list
- Route-map commands
  - continue
  - match as-path
  - match community
  - match extcommunity
  - match interface
  - match ip address
  - match ip next-hop
  - match ipv6 address
  - match ipv6 next-hop
  - match metric
  - match origin
  - match route-type
  - match tag
  - route-map
  - set comm-list add
  - set comm-list delete
  - set community
  - set extcomm-list add
  - set extcomm-list delete
  - set extcommunity
  - set local-preference
  - set metric
  - set metric-type
  - set next-hop
  - set origin
  - set tag
  - set weight
  - show route-map
Quality of service
- Configure quality of service
- Ingress traffic classification
  - Data traffic classification
  - Control-plane policing
- Egress traffic classification
- Policing traffic
- Mark Traffic
- Color traffic
- Modify packet fields
- Shaping traffic
- Bandwidth allocation
- Strict priority queuing
- Rate adjustment
- Buffer management
- Congestion avoidance
- Storm control
- RoCE for faster access and lossless connectivity
- Port to port-pipe and MMU mapping
- QoS commands
Virtual Link Trunking
- Terminology
- VLT domain
- VLT interconnect
- Graceful LACP with VLT
- Configure VLT
- Configure VRRP Active-Active mode
- Migrate VMs across data centers with eVLT
- View VLT information
- VLT commands
Uplink Failure Detection
- Configure uplink failure detection
- Uplink failure detection on VLT
  - Sample configurations of UFD on VLT
- UFD commands
Converged data center services
- Priority flow control
- Enhanced transmission selection
- Data center bridging eXchange
- Internet small computer system interface
- Converged network DCB example
sFlow
- Enable sFlow
- Max-header size configuration
- Collector configuration
  - Collector configuration for default VRF
  - Collector configuration for nondefault VRF
- Polling-interval configuration
- Sample-rate configuration
- Source interface configuration
- View sFlow information
- sFlow commands
Telemetry
- Telemetry terminology
- YANG-modeled telemetry data
- Configure telemetry
- View telemetry configuration
- Telemetry commands
- Example: Configure streaming telemetry
RESTCONF API
- Configure RESTCONF API
- CLI commands for RESTCONF API
- RESTCONF API tasks
Troubleshoot OS10
- Diagnostic tools
- Recover Linux password
- Recover OS10 user name password
- Restore factory defaults
- SupportAssist
- Support bundle
  - Event notifications
  - generate support-bundle
- System monitoring
- Log into OS10 device
- Frequently asked questions
Support resources

70:18:7e:76:66:ca:13:1c:e3:9c:4d:aa:d3:67:96:be:d9:49:

5c:69:10:75:26:53:f7:50:39:06:15:d1:3a:87:47:f6:92:a2:

d4:91:35:29:b7:4b:ea:56:4c:13:5e:32:7f:c7:3f:4c:46:67:

54:8d:67:60:38:98:75:da:24:f2:64:b9:24:a1:e3:5b:42:66:

4c:c7:cb:ee:c3:ca:bd:87:1b:7a:fc:35:53:2d:74:68:db:a7:

47:db:03:a3:30:52:af:67:7f:54:a4:de:60:ca:ae:94:43:f8:

98:85:fc:18:9b:b1:db:81:44:57:0b:be:6a:56:9d:2f:7d:75:

c2:22:a4:7c:d7:ee:f8:de:10:11:26:60:35:1c:4c:87:2e:a2:

fb:1f:5f:30:6c:11:c1:fa:f2:5b:46:02:0a:18:2f:02:a4:99:

f2:43:29:cf:e6:5b:8a:d0:ec:42:bf:49:c6:8a:7e:b4:53:38:

03:1b:fd:a9:49:88:b5:f1:42:93:c7:78:38:6c:2a:1c:be:83:

97:27:b1:26:eb:16:44:ce:34:02:53:45:08:30:c9:3a:76:83:

10:f3:af:c7:6f:0c:74:ec:81:ea:d9:c4:20:a5:1d:72:64:52:

7b:e8:30:1a:9e:3a:05:9c:8a:69:e5:b7:43:b3:36:08:f2:e0:

fb:88:d9:c1:b6:f4:4a:23:27:31:3a:51:b3:68:c9:6f:3e:f5:

dd:98:4d:07:38:ed:f4:d3:ed:06:4c:84:87:3d:cf:f3:2e:e5:

1a:b6:00:71:4c:51:35:c8:95:e4:c6:7e:82:47:d3:25:64:a4:

0b:31:53:d0:e4:6b:97:98:21:4b:fc:e7:12:be:69:01:d8:b5:

74:f5:b6:39:22:8a:8c:39:23:0f:be:4b:0f:9a:01:ac:b8:5b:

12:cb:94:06:30:f5:74:45:20:af:ab:d6:af:21:0c:d8:62:84:

18:c2:cf:4f:be:73:c9:33

Delete CA server certicate

OS10# crypto ca-cert delete Dell_rootCA1.crt

Successfully removed certificate

Certicate revocation

Before the switch and an external device, such as a RADIUS or TLS server, set up a secure connection, they present CA-signed certicates

to each other. The certicate validation allows peers to authenticate each other's identity, and is followed by checking to ensure that the

certicate has not been revoked by the issuing CA.

A certicate includes the URL and other information about the certicate distribution point (CDP) that issued the certicate. Using the

URL, OS10 accesses the CDP to download a certicate revocation list (CRL). If the external device's certicate is on the list or if the CDP

server does not respond, the connection is not set up.

A certicate revocation list contains a list of all revoked certicates. The CA that issued the certicates maintains the CRL. CAs publish a

new CRL at periodic intervals. An OS10 switch automatically downloads the new CRL and uses it to verify certicates presented by

connecting devices.

When a CA issues a certicate, it usually includes the CRL distribution point in the certicate. OS10 uses the CDP URL to access the server

with the current CRL. OS10 supports using multiple CDPs and CRLs during a CRL revocation check. If a CRL check validates a certicate

from an external device, OS10 sets up a secure connection to perform the tasks initiated by the application.

Like CA certicates, CRLs are maintained in the trust store on the switch and applied to all PKI-enabled applications. To use CRLs to

validate certicates presented by external devices:

1 Congure the URL for a certicate distribution point in EXEC mode.

crypto cdp add cdp-name cdp-url

Verify the CDPs accessed by the switch in EXEC mode.

show crypto cdp [cdp-name]

To delete an installed CDP, use the crypto cdp delete cdp-name command.

2 Install CRLs that have been downloaded from CDPs in EXEC mode.

crypto crl install crl-path [crl-filename]

978

Security