Users Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

981

982

983

984

985

986

987

988

989

990

Table Of Contents

Dell EMC SmartFabric OS10 User Guide Release 10.5.0
Change history
Getting Started
- Switch with factory-installed OS10
- Switch without OS installed
- Switch deployment options
- Remote access
CLI Basics
- CONFIGURATION mode
- Check device status
- Command help
- Candidate configuration
  - Prevent configuration changes
- Copy running configuration
- Restore startup configuration
- Reload system image
- Filter show commands
- Common OS10 commands
Advanced CLI tasks
- Command alias
- Batch mode
  - batch
- Linux shell commands
- Using OS9 commands
  - feature config-os9-style
Zero-touch deployment
- ZTD DHCP server configuration
- ZTD provisioning script
- ZTD CLI batch file
- Post-ZTD script
- ZTD commands
OS10 provisioning
- Using Ansible
- Example: Configure an OS10 switch using Ansible
System management
- System banners
- User session management
  - User session management commands
- Telnet server
  - Telnet commands
- Simple Network Management Protocol
- System clock
- Network Time Protocol
- Dynamic Host Configuration Protocol
Interfaces
- Ethernet interfaces
- Unified port groups
- Z9264F-ON port-group profiles
- Port-groups on S5200F-ON switches
- L2 mode configuration
- L3 mode configuration
- Fibre Channel interfaces
  - Configuring wavelength
- Management interface
  - Management interface
- VLAN interfaces
- User-configured default VLAN
- VLAN scale profile
- Loopback interfaces
- Port-channel interfaces
  - Create port-channel
  - Add port member
  - Minimum links
  - Assign Port Channel IP Address
  - Remove or disable port-channel
  - Load balance traffic
  - Change hash algorithm
- Configure interface ranges
- Switch-port profiles
  - S4148-ON Series port profiles
  - S4148U-ON port profiles
- Configure negotiation modes on interfaces
- Configure breakout mode
- Breakout auto-configuration
- Reset default configuration
- Forward error correction
- Energy-efficient Ethernet
  - Enable energy-efficient Ethernet
  - Clear EEE counters
  - View EEE status/statistics
  - EEE commands
- View interface configuration
- Digital optical monitoring
  - Enable DOM and DOM traps
- Interface commands
  - channel-group
  - default interface
  - default vlan-id
  - description (Interface)
  - duplex
  - enable dom
  - enable dom traps
  - feature auto-breakout
  - fec
  - interface breakout
  - interface ethernet
  - interface loopback
  - interface mgmt
  - interface null
  - interface port-channel
  - interface range
  - interface vlan
  - link-bundle-utilization
  - mode
  - mode l3
  - mtu
  - negotiation
  - port mode Eth
  - port-group
  - profile
  - scale-profile vlan
  - show interface
  - show interface transceiver “Tunable wavelength”
  - show inventory media
  - show link-bundle-utilization
  - show port-channel summary
  - show port-group
  - show switch-port-profile
  - show system
  - show vlan
  - shutdown
  - speed (Fibre Channel)
  - speed (Management)
  - switch-port-profile
  - switchport access vlan
  - switchport mode
  - switchport trunk allowed vlan
  - wavelength
Fibre Channel
- Fibre Channel over Ethernet
  - Configure FIP snooping
- Terminology
- Virtual fabric
- Fibre Channel zoning
- F_Port on Ethernet
- Pinning FCoE traffic to a specific port of a port-channel
- Multi-hop FIP-snooping bridge
- Configuration guidelines
- NPIV Proxy Gateway cascading
  - NPG1 switch configuration
  - NPG2 switch configuration
- F_Port commands
- NPG commands
- F_Port and NPG commands
- FIP-snooping commands
- FCoE commands
Layer 2
- 802.1X
- Far-end failure detection
- Link Aggregation Control Protocol
- Link Layer Discovery Protocol
- Media Access Control
- Spanning-tree protocol
- Virtual LANs
- Port monitoring
Layer 3
- Virtual routing and forwarding
- Bidirectional Forwarding Detection
- Border Gateway Protocol
- Equal cost multi-path
- IPv4 routing
- IPv6 routing
- Open shortest path first
- Object tracking manager
- Policy-based routing
- Virtual Router Redundancy Protocol
Multicast
- Important notes
- Configure multicast routing
- Unknown multicast flood control
  - Enable multicast flood control
- Multicast Commands
  - multicast snooping flood-restrict
- Internet Group Management Protocol
- Multicast Listener Discovery Protocol
  - MLD snooping
  - MLD snooping commands
- Protocol Independent Multicast
- Multicast VRF sample configuration
- VLT multicast routing
VXLAN
- VXLAN concepts
- VXLAN as NVO solution
- Configure VXLAN
- L3 VXLAN route scaling
- DHCP relay on VTEPs
- View VXLAN configuration
- VXLAN MAC addresses
- VXLAN commands
- VXLAN MAC commands
- Example: VXLAN with static VTEP
- BGP EVPN for VXLAN
- Controller-provisioned VXLAN
UFT modes
- Configure UFT modes
  - IPv6 extended prefix routes
- UFT commands
Security
- User re-authentication
- Password strength
- Simple password check
- Obscure passwords
- Role-based access control
- Assign user role
- Bootloader protection
- Linuxadmin user configuration
- RADIUS authentication
- RADIUS over TLS authentication
- TACACS+ authentication
- Unknown user role
- SSH server
- Virtual terminal line ACLs
- Restrict SNMP access
- Enable AAA accounting
- Enable user lockout
- Limit concurrent login sessions
- Enable login statistics
- Privilege levels
  - Configure privilege levels
  - Configure enable password
- Audit log
- Security commands
  - aaa accounting
  - aaa authentication login
  - aaa re-authenticate enable
  - boot protect disable username
  - boot protect enable username password
  - clear logging audit
  - crypto ssh-key generate
  - disable
  - enable
  - enable password priv-lvl
  - ip access-class
  - ip radius source-interface
  - ip tacacs source-interface
  - ipv6 access-class
  - ip ssh server challenge-response-authentication
  - ip ssh server cipher
  - ip ssh server enable
  - ip ssh server hostbased-authentication
  - ip ssh server kex
  - ip ssh server mac
  - ip ssh server password-authentication
  - ip ssh server port
  - ip ssh server pubkey-authentication
  - ip ssh server vrf
  - line vty
  - logging audit enable
  - login concurrent-session limit
  - login-statistics enable
  - password-attributes
  - password-attributes max-retry lockout-period
  - privilege
  - radius-server host
  - radius-server host tls
  - radius-server retransmit
  - radius-server timeout
  - radius-server vrf
  - service obscure-password
  - service simple-password
  - show boot protect
  - show crypto ssh-key
  - show ip ssh
  - show logging audit
  - show login-statistics
  - show privilege
  - show running-configuration privilege
  - show users
  - system-user linuxadmin disable
  - system-user linuxadmin password
  - tacacs-server host
  - tacacs-server timeout
  - tacacs-server vrf
  - username password role
  - username sshkey
  - username sshkey filename
  - userrole inherit
- X.509v3 certificates
  - X.509v3 concepts
  - Public key infrastructure
  - Manage CA certificates
  - Certificate revocation
  - Request and install host certificates
  - Self-signed certificates
  - Security profiles
  - Cluster security
  - X.509v3 commands
  - Example: Configure RADIUS over TLS with X.509v3 certificates
OpenFlow
- OpenFlow logical switch instance
- OpenFlow controller
- OpenFlow version 1.3
- OpenFlow use cases
- Configure OpenFlow
  - Establish TLS connection
- OpenFlow commands
- OpenFlow-only mode commands
Access Control Lists
- IP ACLs
- MAC ACLs
- Control-plane ACLs
  - Control-plane ACL qualifiers
- IP fragment handling
  - IP fragments ACL
- L3 ACL rules
  - Permit ACL with L3 information only
  - Deny ACL with L3 information only
  - Permit all packets from host
  - Permit only first fragments and non-fragmented packets from host
- Assign sequence number to filter
  - User-provided sequence number
  - Auto-generated sequence number
- Delete ACL rule
- L2 and L3 ACLs
- Assign and apply ACL filters
- Ingress ACL filters
- Egress ACL filters
- VTY ACLs
- SNMP ACLs
- Clear access-list counters
- IP prefix-lists
- Route-maps
- Match routes
- Set conditions
- Continue clause
- ACL flow-based monitoring
  - Flow-based mirroring
- Enable flow-based monitoring
- View ACL table utilization report
  - Known behavior
- ACL logging
  - Important notes
- ACL commands
  - clear ip access-list counters
  - clear ipv6 access-list counters
  - clear mac access-list counters
  - deny
  - deny (IPv6)
  - deny (MAC)
  - deny icmp
  - deny icmp (IPv6)
  - deny ip
  - deny ipv6
  - deny tcp
  - deny tcp (IPv6)
  - deny udp
  - deny udp (IPv6)
  - description
  - ip access-group
  - ip access-list
  - ip as-path access-list
  - ip community-list standard deny
  - ip community–list standard permit
  - ip extcommunity-list standard deny
  - ip extcommunity-list standard permit
  - ip prefix-list description
  - ip prefix-list deny
  - ip prefix-list permit
  - ip prefix-list seq deny
  - ip prefix-list seq permit
  - ipv6 access-group
  - ipv6 access-list
  - ipv6 prefix-list deny
  - ipv6 prefix-list description
  - ipv6 prefix-list permit
  - ipv6 prefix-list seq deny
  - ipv6 prefix-list seq permit
  - mac access-group
  - mac access-list
  - permit
  - permit (IPv6)
  - permit (MAC)
  - permit icmp
  - permit icmp (IPv6)
  - permit ip
  - permit ipv6
  - permit tcp
  - permit tcp (IPv6)
  - permit udp
  - permit udp (IPv6)
  - remark
  - seq deny
  - seq deny (IPv6)
  - seq deny (MAC)
  - seq deny icmp
  - seq deny icmp (IPv6)
  - seq deny ip
  - seq deny ipv6
  - seq deny tcp
  - seq deny tcp (IPv6)
  - seq deny udp
  - seq deny udp (IPv6)
  - seq permit
  - seq permit (IPv6)
  - seq permit (MAC)
  - seq permit icmp
  - seq permit icmp (IPv6)
  - seq permit ip
  - seq permit ipv6
  - seq permit tcp
  - seq permit tcp (IPv6)
  - seq permit udp
  - seq permit udp (IPv6)
  - show access-group
  - show access-lists
  - show acl-table-usage detail
  - show ip as-path-access-list
  - show ip community-list
  - show ip extcommunity-list
  - show ip prefix-list
  - show logging access-list
- Route-map commands
  - continue
  - match as-path
  - match community
  - match extcommunity
  - match interface
  - match ip address
  - match ip next-hop
  - match ipv6 address
  - match ipv6 next-hop
  - match metric
  - match origin
  - match route-type
  - match tag
  - route-map
  - set comm-list add
  - set comm-list delete
  - set community
  - set extcomm-list add
  - set extcomm-list delete
  - set extcommunity
  - set local-preference
  - set metric
  - set metric-type
  - set next-hop
  - set origin
  - set tag
  - set weight
  - show route-map
Quality of service
- Configure quality of service
- Ingress traffic classification
  - Data traffic classification
  - Control-plane policing
- Egress traffic classification
- Policing traffic
- Mark Traffic
- Color traffic
- Modify packet fields
- Shaping traffic
- Bandwidth allocation
- Strict priority queuing
- Rate adjustment
- Buffer management
- Congestion avoidance
- Storm control
- RoCE for faster access and lossless connectivity
- Port to port-pipe and MMU mapping
- QoS commands
Virtual Link Trunking
- Terminology
- VLT domain
- VLT interconnect
- Graceful LACP with VLT
- Configure VLT
- Configure VRRP Active-Active mode
- Migrate VMs across data centers with eVLT
- View VLT information
- VLT commands
Uplink Failure Detection
- Configure uplink failure detection
- Uplink failure detection on VLT
  - Sample configurations of UFD on VLT
- UFD commands
Converged data center services
- Priority flow control
- Enhanced transmission selection
- Data center bridging eXchange
- Internet small computer system interface
- Converged network DCB example
sFlow
- Enable sFlow
- Max-header size configuration
- Collector configuration
  - Collector configuration for default VRF
  - Collector configuration for nondefault VRF
- Polling-interval configuration
- Sample-rate configuration
- Source interface configuration
- View sFlow information
- sFlow commands
Telemetry
- Telemetry terminology
- YANG-modeled telemetry data
- Configure telemetry
- View telemetry configuration
- Telemetry commands
- Example: Configure streaming telemetry
RESTCONF API
- Configure RESTCONF API
- CLI commands for RESTCONF API
- RESTCONF API tasks
Troubleshoot OS10
- Diagnostic tools
- Recover Linux password
- Recover OS10 user name password
- Restore factory defaults
- SupportAssist
- Support bundle
  - Event notifications
  - generate support-bundle
- System monitoring
- Log into OS10 device
- Frequently asked questions
Support resources

crypto security-profile radius-prof

certificate dv-fedgov-s6010-1

OS10# show running-configuration radius-server

radius-server host radius-server-2.test.com tls security-profile radius-prof key 9

2b9799adc767c0efe8987a694969b1384c541414ba18a44cd9b25fc00ff180e9

Cluster security

When you enable VLT or a fabric automation application, switches that participate in the cluster use secure channels to communicate with

each other. The secure channels are enabled only when you enable the VLT or fabric cluster conguration on a switch. OS10 installs a

default X.509v3 certicate-key pair to establish secure channels between the peer devices in a cluster.

In a deployment where untrusted devices access management or data ports on an OS10 switch, replace the default certicate-key pair

used for cluster applications. Create a custom X.509v3 certicate-key pair by conguring an application-specic security prole using the

cluster security-profile command.

Before the default or custom X.509v3 certicate-key pair used between the peer devices in a VLT domain or fabric application cluster

expires, install a valid CA certicate by following the procedures in:

• Manage CA certicates.

• Request and install host certicates.

For example, the expiration date for the default certicate-key pair installed by OS10 on a switch running the 10.5.0.0 release is July 27,

2021. To ensure secure communication in a cluster before the expiration date, install a more recent X.509v3 certicate-key pair.

When you replace the default certicate-key pair for cluster applications, ensure that all devices in the cluster use the same custom

certicate-key pair or a unique certicate-key pair issued by the same CA.

CAUTION

: While you replace the default certicate-key pair, cluster devices temporarily lose their secure channel connectivity.

Dell EMC Networking recommends that you change the cluster security conguration during a maintenance time.

This example shows how to install an X.509v3 CA and host certicate-key pair for a cluster application. For more information, see:

• Importing and installing a CA certicate — see Manage CA certicates.

• Generating a CSR and installing a host certicate — see Request and install host certicates.

1. Install a trusted CA certicate.

OS10# copy tftp://CAadmin:secret@172.11.222.1/GeoTrust_Universal_CA.crt

home:// GeoTrust_Universal_CA.crt

OS10# crypto ca-cert install home://GeoTrust_Universal_CA.crt

Processing certificate ...

Installed Root CA certificate

CommonName = GeoTrust Universal CA

IssuerName = GeoTrust Universal CA

2. Generate a CSR, copy the CSR to a CA server, download the signed certicate, and install the host certicate.

OS10# crypto cert generate request cert-file home://s4048-001.csr key-file home://tsr6.key

cname "Top of Rack 6" altname "IP:10.0.0.6 DNS:tor6.dell.com" email admin@dell.com organization

"Dell EMC" orgunit Networking locality "Santa Clara" state California country US length 1024

Processing certificate ...

Successfully created CSR file /home/admin/tor6.csr and key

OS10# copy home://tor6.csr scp://CAadmin:secret@172.11.222.1/s4048-001-csr.pem

OS10# copy scp://CAadmin:secret@172.11.222.1/s4048-001.crt usb://s4048-001.crt

OS10# crypto cert install crt-file usb://s4048-001.crt key-file usb://s4048-001.key

986

Security