FTOS Configuration Guide for the S4810 System FTOS 9.1(0.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Information in this publication is subject to change without notice.
© 2013 Dell Force10. All rights reserved.
www.dell.com | support.dell.com
1 About this Guide 27
  Objectives 27
  Audience 27
  Conventions
  Configure Logging 55
  Log Messages in the Internal Buffer 55
  Configuration Task List for System Log Management 55
  Disable System Logging
  Linktrace Message and Response 80
  Link Trace Cache 81
  Enable CFM SNMP Traps 82
  Display Ethernet CFM Statistics 83
6 802.1X
  Configuration Task List for Prefix Lists 121
  ACL Resequencing 125
  Resequencing an ACL or Prefix List 126
  Route Maps
  4-Byte AS Numbers 186
  AS4 Number Representation 186
  AS Number Migration 189
  BGP4 Management Information Base (MIB) 191
  Important Points to Remember
11 Content Addressable Memory (CAM) 271
  Content Addressable Memory 271
  CAM Profiles 272
  Microcode
  Enabling Data Center Bridging 304
  QoS dot1p Traffic Classification and Queue Assignment 305
  Configuring Priority-Based Flow Control 306
  Configuring Lossless Queues 309
  Configuring the PFC Buffer in a Switch Stack
  Buffer tuning 360
  Deciding to tune buffers 362
  Buffer tuning commands 363
  Sample buffer profile configuration
  Managing ECMP Group Paths 398
17 Enabling FIPS Cryptography 399
  Preparing the System 399
  Enabling FIPS Mode 399
  Generating Host-Keys
  Configuring GVRP 432
  Related Configuration Tasks 433
  Enabling GVRP Globally 433
  Enabling GVRP on a Layer 2 Interface
  Configuring IGMP Snooping 466
  Enabling IGMP Immediate-leave 467
  Disabling Multicast Flooding 467
  Specifying a Port as Connected to a Multicast Router 467
  Configuring the Switch as Querier
  Link Bundle Monitoring 503
  Ethernet Pause Frames 503
  Threshold Settings 504
  Enable Pause Frames
  Extension Header fields 539
  Addressing 541
  Implementing IPv6 with FTOS 542
  ICMPv6
  Adjacencies 572
  Graceful Restart 572
  Implementation Information 573
  Configuration Information
  Microsoft Clustering 627
  Default Behavior 628
  Configuring the Switch for Microsoft Server Clustering 628
  Enable and Disable VLAN Flooding 629
  Configuring Redundant Pairs
  Manage the Source-active Cache 670
  View the Source-active Cache 671
  Limit the Source-active Cache 671
  Clear the Source-active Cache
  IPv4 Multicast Policies 710
  IPv6 Multicast Policies 715
  Multicast Traceroute 717
34 Open Shortest Path First (OSPFv2 and OSPFv3) 719
  Protocol Overview
  Assign IPv6 addresses on an interface 755
  Assign Area ID on interface 755
  Assign OSPFv3 Process ID and Router ID Globally 756
  Configure stub areas 756
  Configure Passive-Interface
  Private VLAN Configuration Example 799
38 Per-VLAN Spanning Tree Plus (PVST+) 803
  Protocol Overview 803
  Implementation Information 804
  Configure Per-VLAN Spanning Tree Plus
  Implementation Information 842
  Configuration Information 842
  Configuration Task List for RIP 842
  RIP Configuration Example
  Protection from TCP Tiny and Overlapping Fragment Attacks 897
  SCP and SSH 897
  Using SCP with SSH to copy a software image 899
  Secure Shell Authentication 900
  Troubleshooting SSH
  sFlow Show Commands 938
  Show sFlow Globally 938
  Show sFlow on an Interface 938
  Show sFlow on a Line Card
  Virtual IP 973
  Failover Roles 974
  MAC Addressing on S-Series Stacks 974
  Stacking LAG
  Removing an Interface from the Spanning Tree Group 1008
  Modifying Global Parameters 1009
  Modifying Interface STP Parameters 1010
  Enabling PortFast
53 Upgrade Procedures 1051
  Find the upgrade procedures 1051
  Get Help with upgrades 1051
54 Virtual LANs (VLAN) 1053
  Default VLAN
57 Standards Compliance 1123
  IEEE Compliance 1123
  RFC and I-D Compliance 1124
  MIB Location
1 About this Guide
Objectives
This guide describes the protocols and features supported by the Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It supports the system platforms E-Series, C-Series, S-Series and Z-Series. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Force10 systems.
Information Symbols
Table 1-1 describes symbols contained in this guide.
Table 1-1. Information Symbols
Symbol | Description
(icon) | Warning
ces | Platform Specific Feature. This symbol informs you of a feature that is supported on one or two platforms only: e is for E-Series, c is for C-Series, s is for S-Series.
2 Configuration Fundamentals
The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; see The do Command on page 34). You can set user access rights to commands and command modes using privilege levels; for more information on privilege levels and security options, refer to Chapter 9, Security, on page 627.
Figure 2-2.
Table 2-1. FTOS Command Modes
CLI Command Mode | Prompt | Access Command
EXEC | FTOS> | Access the router through the console or Telnet.
EXEC Privilege | FTOS# | From EXEC mode, enter the command enable. From any other mode, use the command end.
CONFIGURATION | FTOS(conf)# | From EXEC Privilege mode, enter the command configure. From every mode except EXEC and EXEC Privilege, enter the command exit.
Note: Access all of the following modes from CONFIGURATION mode.
INTERFACE modes
IP ACCESS-LIST
LINE
Table 2-1. FTOS Command Modes (continued)
CLI Command Mode | Prompt | Access Command
STANDARD ACCESS-LIST | FTOS(config-std-macl)# | mac access-list standard
EXTENDED ACCESS-LIST | FTOS(config-ext-macl)# | mac access-list extended
MULTIPLE SPANNING TREE | FTOS(config-mstp)# | protocol spanning-tree mstp
OPENFLOW | FTOS(conf-of-instance of-id)# | openflow of-instance of-id (of-id represents the OpenFlow instance ID)
The do Command
Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command do. Figure 2-4 illustrates the do command.
Note: The following commands cannot be modified by the do command: enable, disable, exit, and configure.
Figure 2-4.
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
• Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
• ? after a prompt lists all of the available keywords. The output of this command is the same for the help command.
Figure 2-6.
• The UP and DOWN arrow keys display previously entered commands (see Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line, as described in Table 2-2.
Table 2-2. Short-Cut Keys and their Actions
Key Combination | Action
CNTL-A | Moves the cursor to the beginning of the command line.
CNTL-B | Moves the cursor back one character.
CNTL-D | Deletes character at cursor.
Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering; it is case-sensitive unless the ignore-case sub-option is used. Starting with FTOS 7.8.1.0, the grep command accepts an ignore-case sub-option that makes the search case-insensitive.
• find displays the output of the show command beginning from the first occurrence of specified_text. Figure 2-11 shows this command used in combination with the command show linecard all.
Figure 2-11.
3 Getting Started
This chapter contains the following major sections:
• Default Configuration
• Configure a Host Name
• Access the System Remotely
• Configure the Enable Password
• Configuration File Management
• File System Management
When you power up the chassis, the system performs a Power-On Self Test (POST) during which Route Processor Module (RPM), Switch Fabric Module (SFM), and line card status LEDs blink green.
To access the console port, follow the procedures below. Refer to Table 3-1 for the console port pinout.
Step 1: Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the S4810 console port to a terminal server.
Step 2: Connect the other end of the cable to the DTE terminal server.
Configure a Host Name
The host name appears in the prompt. The default host name is FTOS.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
To configure a host name:
Step 1: Create a new host name.
  Command Syntax: hostname name
  Command Mode: CONFIGURATION
The example below illustrates the hostname command.
Note: Assign different IP addresses to each RPM’s management port.
To configure the management port IP address:
Step 1: Enter INTERFACE mode for the Management port.
  Command Syntax: interface ManagementEthernet slot/port
    slot range: 0 to 1
    port range: 0
  Command Mode: CONFIGURATION
Step 2: Assign an IP address to the interface.
  Command Syntax: ip address ip-address/mask
    ip-address: an address in dotted-decimal format (A.B.C.D).
  Command Mode: INTERFACE
Step 3: Enable the interface.
To configure a username and password:
Step 1: Configure a username and password to access the system remotely.
  Command Syntax: username username password [encryption-type] password
    encryption-type specifies how you are inputting the password, is 0 by default, and is not required.
    • 0 is for inputting the password in clear text.
    • 7 is for inputting a password that is already encrypted using a Type 7 hash.
  Command Mode: CONFIGURATION
Configure the Enable Password
Access the EXEC Privilege mode using the enable command. The EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure. There are two types of enable passwords:
• enable password stores the password in the running/startup configuration using a DES encryption method.
• enable secret is stored in the running/startup configuration using a stronger, MD5 encryption method.
Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
Note: See the FTOS Command Line Reference Guide for a detailed description of the copy command.
Table 3-2.
• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location shown in Table 3-2.
• The usbflash and rpm0usbflash commands are supported on E-Series ExaScale systems. Refer to your system’s Release Notes for a list of approved USB vendors.
• The usbflash command is supported on Z9000. Refer to your system’s Release Notes for a list of approved USB vendors.
The following text is an example of using the copy command to save a file to an FTP server.
  FTOS#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.
Task: Save the running-configuration to the startup-configuration on the internal flash of the primary RPM.
  Command Syntax: copy running-config startup-config
Task: Save the running-configuration to the internal flash on an RPM.
  Command Syntax: copy running-config rpm{0|1}flash://filename
Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
View Files
File information and content can only be viewed on local file systems.
To view a list of files on the internal or external Flash:
Step 1: View a list of files on the internal flash of an RPM.
  Command Syntax: dir flash:
  Command Mode: EXEC Privilege
Step 1: View a list of files on the external flash of an RPM.
  Command Syntax: dir slot:
  Command Mode: EXEC Privilege
The output of the command dir also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in the example below.
View Configuration Files Configuration files have three commented lines at the beginning of the file, as shown in the example below, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
To change the default storage location:
Task: Change the default directory.
  Command Syntax: cd directory
  Command Mode: EXEC Privilege
In the example below, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash.
4 Management
Management is supported on platforms: e c s z
This chapter explains the different protocols or services used to manage the Dell Force10 system including:
• Configure Privilege Levels
• Configure Logging
• File Transfer Services
• Terminal Lines
• Lock CONFIGURATION mode
• Recovering from a Forgotten Password on the S4810
• Recovering from a Failed Start on the S4810
Configure Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
Removing a command from EXEC mode
Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, followed by the first keyword of each command to be restricted.
Task: Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all keywords in the command.
  Command Syntax: privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
  Command Mode: CONFIGURATION
Task: Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
  Command Syntax: privilege {configure | interface | line | route-map | router} level level {command ||...
Note: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
Configure Logging
FTOS tracks changes in the system using event and error messages. By default, FTOS logs these messages on:
• the internal buffer
• console and terminal lines, and
• any configured syslog servers
Disable Logging
To disable logging:
Task: Disable all logging except on the console.
Disable System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, console, and syslog servers. Enable and disable system logging using the following commands:
Task: Disable all logging except on the console.
  Command Syntax: no logging on
  Command Mode: CONFIGURATION
Task: Disable logging to the logging buffer.
  Command Syntax: no logging buffer
  Command Mode: CONFIGURATION
Task: Disable logging to terminal lines.
Change System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged.
Task: Specify the minimum severity level for logging to the logging buffer.
  syslog logging: enabled
      Console logging: level Debugging
      Monitor logging: level Debugging
      Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
      Trap logging: level Informational
  %IRC-6-IRC_COMMUP: Link to peer RPM is up
  %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
To configure a UNIX logging facility level, use the following command in the CONFIGURATION mode:
  Command Syntax: logging facility [facility-type]
  Command Mode: CONFIGURATION
  Purpose: Specify one of the following parameters.
Synchronize log messages
You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
To view the configuration, use the show running-config logging command in the EXEC privilege mode. To disable time stamping on syslog messages, enter no service timestamps [log | debug].
File Transfer Services
With FTOS, you can configure the system to transfer files over the network using File Transfer Protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on VLAN interfaces.
To configure FTP server parameters, use any or all of the following commands in the CONFIGURATION mode:
Command Syntax: ftp-server topdir dir
  Command Mode: CONFIGURATION
  Purpose: Specify the directory for users using FTP to reach the system. The default is the internal flash directory.
Command Syntax: ftp-server username username password [encryption-type]
  Command Mode: CONFIGURATION
  Purpose: Specify a user name for all FTP users and configure either a plain text or encrypted password.
Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles. The terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the Console port in the RPMs. The virtual terminal lines (VTY) connect you through Telnet to the system. The auxiliary line (aux) connects secondary devices such as modems.
• enable—Prompt for the enable password.
• line—Prompt for the password you assigned to the terminal line. You must configure a password for the terminal line to which you assign a method list that contains the line authentication method. Configure a password using the command password from LINE mode.
• local—Prompt for the system username and password.
• none—Do not authenticate the user.
Time out of EXEC Privilege Mode
EXEC timeout is a basic security feature that returns FTOS to the EXEC mode after a period of inactivity on terminal lines. To change the timeout period or disable EXEC timeout:
Task: Set the number of minutes and seconds. Default: 10 minutes on console, 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0.
  Command Syntax: exec-timeout minutes [seconds]
  Command Mode: LINE
Task: Return to the default timeout values.
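The settings described in this section and in Configure the Enable Password, Configure Logging and the username command are easy to leave weak in a saved configuration. The Python script below is an added example, not part of the guide: it parses a constructed FTOS running-config excerpt and flags enable password used without enable secret, clear-text (type 0) user passwords, no logging on / no logging buffer, and exec-timeout 0 on a line. The guide states default timeouts only for console and VTY; treating an aux line like VTY is this example's assumption.

```python
"""Audit an FTOS running-config for weak settings described in this chapter
(added example; the sample config below is constructed, not device output)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_TIMEOUT_SECONDS = {"console": 600, "vty": 1800}  # guide defaults: 10 min console, 30 min VTY

SAMPLE_CONFIG = """\
enable password 7 0a1b2c3d4e5f
username admin password 0 Adm1nClearText
username ops password 7 1b2c3d4e5f60
username guest password GuestClearText
no logging on
no logging buffer
line console 0
 exec-timeout 0
line vty 0 9
 exec-timeout 30
line vty 10 15
"""

USER_RE = re.compile(r"^username (\S+) password(?: (\d))? (\S+)$")
TIMEOUT_RE = re.compile(r"^exec-timeout (\d+)(?: (\d+))?$")


@dataclass
class LineConfig:
    # exec-timeout in seconds; None = default applies, 0 = timeout disabled.
    exec_timeout: Optional[int] = None


@dataclass
class ConfigModel:
    enable_password: bool = False
    enable_secret: bool = False
    users: Dict[str, str] = field(default_factory=dict)  # user -> encryption type
    logging_on: bool = True
    logging_buffer: bool = True
    lines: Dict[str, LineConfig] = field(default_factory=dict)


def parse_config(text: str) -> ConfigModel:
    """Parse the subset of FTOS configuration that the audit needs."""
    model = ConfigModel()
    current_line: Optional[str] = None  # the 'line ...' block being read
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if raw.startswith(" ") and current_line is not None:
            m = TIMEOUT_RE.match(stripped)  # indented command inside a LINE block
            if m:
                minutes, seconds = int(m.group(1)), int(m.group(2) or 0)
                model.lines[current_line].exec_timeout = minutes * 60 + seconds
            continue
        current_line = None
        if stripped.startswith("line "):
            current_line = stripped[len("line "):]
            model.lines[current_line] = LineConfig()
        elif stripped.startswith("enable password"):
            model.enable_password = True
        elif stripped.startswith("enable secret"):
            model.enable_secret = True
        elif stripped == "no logging on":
            model.logging_on = False
        elif stripped == "no logging buffer":
            model.logging_buffer = False
        else:
            m = USER_RE.match(stripped)
            if m:  # encryption-type is optional and defaults to 0 (clear text)
                model.users[m.group(1)] = m.group(2) or "0"
    return model


def effective_timeout_seconds(line_name: str, line: LineConfig) -> int:
    """Configured exec-timeout, or the guide's default for that line type (aux assumed like VTY)."""
    if line.exec_timeout is not None:
        return line.exec_timeout
    return DEFAULT_TIMEOUT_SECONDS.get(line_name.split()[0], DEFAULT_TIMEOUT_SECONDS["vty"])


def audit(text: str) -> List[str]:
    """One finding per weak setting; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings: List[str] = []
    if cfg.enable_password and not cfg.enable_secret:
        findings.append("enable password: weaker DES method in use; configure 'enable secret' (MD5)")
    elif not (cfg.enable_password or cfg.enable_secret):
        findings.append("enable: no enable password or secret; EXEC Privilege is unrestricted")
    for user, etype in sorted(cfg.users.items()):
        if etype == "0":
            findings.append(f"username {user}: password entered as clear text (type 0)")
    if not cfg.logging_on:
        findings.append("logging: 'no logging on' disables all logging except the console")
    elif not cfg.logging_buffer:
        findings.append("logging: 'no logging buffer' disables the internal log buffer")
    for name, line in cfg.lines.items():
        if effective_timeout_seconds(name, line) == 0:
            findings.append(f"line {name}: exec-timeout 0 disables the inactivity timeout")
    return findings
```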
  Login: admin
  Password:
  FTOS>exit
  FTOS#telnet 2200:2200:2200:2200:2200::2201
  Trying 2200:2200:2200:2200:2200::2201...
  Connected to 2200:2200:2200:2200:2200::2201.
  Exit character is '^]'.
  FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
  login: admin
  FTOS#
Lock CONFIGURATION mode
FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock.
Note: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.
Step 9: Save the running-config.
  Command Syntax: copy running-config startup-config
  Command Mode: EXEC Privilege
Step 10: Set the system parameters to use the startup configuration file when the system reloads.
  Command Syntax: setenv stconfigignore false
  Command Mode: uBoot
Step 11: Save the running-config.
Step 3: Assign the new location to the FTOS image to be used when the system reloads.
  Command Syntax: setenv [primary_image f10boot location | secondary_image f10boot location | default_image f10boot location]
  Command Mode: uBoot
Step 4: Assign an IP address to the Management Ethernet interface.
  Command Syntax: setenv ipaddre address
  Command Mode: uBoot
Step 6: Assign an IP address as the default gateway for the system.
  Command Syntax: setenv gatewayip address
  Command Mode: uBoot
Step 7: Reload the system.
5 802.1ag
802.1ag is available only on platform: s
Ethernet Operations, Administration, and Maintenance (OAM) is a set of tools used to install, monitor, troubleshoot and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas:
1. Service Layer OAM: IEEE 802.1ag Connectivity Fault Management (CFM)
2. Link Layer OAM: IEEE 802.3ah OAM
3.
There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks. With these tools, you can identify, isolate, and repair faults quickly and easily, which reduces operational cost of running the network. OAM also increases availability and reduces mean time to recovery, which allows for tighter service level agreements, resulting in increased revenue for the service provider.
These roles define the relationships between all devices so that each device can monitor the layers under its responsibility. Maintenance points drop all lower-level frames and forward all higher-level frames.
Implementation Information
• Since the S-Series has a single MAC address for all physical/LAG interfaces, only one MEP is allowed per MA (per VLAN or per MD level).
Configure CFM
Configuring CFM is a five-step process:
1. Configure the ecfmacl CAM region using the cam-acl command. Refer to Configure Ingress Layer 2 ACL Sub-partitions.
2. Enable Ethernet CFM.
3. Create a Maintenance Domain.
4. Create a Maintenance Association.
5. Create Maintenance Points.
6.
Enable Ethernet CFM
Task: Spawn the CFM process. No CFM configuration is allowed until the CFM process is spawned.
    Command: ethernet cfm
    Mode: CONFIGURATION
Task: Disable Ethernet CFM without stopping the CFM process.
    Command: disable
    Mode: ETHERNET CFM

Create a Maintenance Domain
Connectivity Fault Management (CFM) divides a network into hierarchical maintenance domains, as shown in the illustration in Maintenance Domains.
Step 1: Create a maintenance domain.
Create a Maintenance Association
A Maintenance Association (MA) is a subdivision of an MD that contains all managed entities corresponding to a single end-to-end service, typically a VLAN. An MA is associated with a VLAN ID.
Task: Create a maintenance association.
    Command: service name vlan vlan-id
    Mode: ECFM DOMAIN

Create Maintenance Points
Domains are comprised of logical entities called Maintenance Points.
FTOS#show ethernet cfm maintenance-points local mep
------------------------------------------------------------------------------
MPID  Domain Name  MA Name  Level  VLAN  Type  Dir   Port     MAC                CCM-Status
------------------------------------------------------------------------------
100   cfm0         test0    7      10    MEP   DOWN  Gi 4/10  00:01:e8:59:23:45  Enabled
200   cfm1         test1    6      20    MEP   DOWN  Gi 4/10  00:01:e8:59:23:45  Enabled
300   cfm2         test2    5      30    MEP   DOWN  Gi 4/10  00:01:e8:59:23:45  Enabled
• MIP Database (MIP-DB): Every MIP must maintain a database of all other MEPs in the MA that have announced their presence via CCM.
Task: Display the MEP Database.
MEPs and MIPs filter CCMs from higher and lower domain levels as described in Table 5-1, "Continuity Check Message Processing," in 802.1ag. Table 5-1.
Enable Cross-checking
Task: Enable cross-checking.
    Command: mep cross-check enable
    Mode: ETHERNET CFM
    Default: Disabled
Task: Start the cross-check operation for an MEP.
    Command: mep cross-check mep-id
    Mode: ETHERNET CFM
Task: Configure the amount of time the system waits for a remote MEP to come up before the cross-check operation is started.
Link trace messages carry a unicast target address (the MAC address of an MIP or MEP) inside a multicast frame. The destination group address is based on the MD level of the transmitting MEP (01:80:C2:00:00:3[8 to F]). Each MP on the path to the target MAC address replies to the LTM with an LTR and relays the LTM towards the target MAC until the target MAC is reached or the TTL equals 0.
Task: Send a Linktrace message.
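The two rules stated above, level filtering at a maintenance point (lower-level frames dropped, higher-level frames forwarded) and the derivation of the LTM group address from the MD level, together with the LTM relay behaviour, as an added Python model. This is not FTOS code and not from the guide; the function names, the sample MP path and the simplified TTL handling are constructed here for illustration.

```python
# Added example: CFM level filtering and linktrace modelled in Python.
# Not FTOS code; helper names, the sample path and the TTL handling are
# constructed for illustration.

LTM_GROUP_BASE = 0x0180C2000038   # 01:80:C2:00:00:38 is the LTM group MAC for MD level 0


def ltm_group_address(md_level: int) -> str:
    """Return the LTM destination group MAC for an MD level (0-7).

    The chapter gives the range 01:80:C2:00:00:3[8 to F]; the last
    nibble is 8 plus the MD level.
    """
    if not 0 <= md_level <= 7:
        raise ValueError("MD level must be 0..7")
    raw = (LTM_GROUP_BASE + md_level).to_bytes(6, "big")
    return ":".join(f"{b:02x}" for b in raw)


def md_level_from_group_address(mac: str) -> int:
    """Inverse of ltm_group_address: recover the sender's MD level."""
    level = int(mac.replace(":", ""), 16) - LTM_GROUP_BASE
    if not 0 <= level <= 7:
        raise ValueError(f"{mac} is not an LTM group address")
    return level


def mp_action(mp_level: int, frame_level: int) -> str:
    """What a maintenance point does with a CFM frame of a given level:
    lower-level frames are dropped, higher-level frames are forwarded
    transparently, same-level frames are processed locally."""
    if frame_level < mp_level:
        return "drop"
    if frame_level > mp_level:
        return "forward"
    return "process"


def linktrace(path, target_mac, ttl):
    """Simplified LTM relay along an ordered list of MP MAC addresses.

    Each MP that receives the LTM with a non-zero TTL answers with an
    LTR and relays the LTM (TTL decremented) toward the target; relaying
    stops when the target replies or the TTL reaches 0.  Returns the
    list of MACs that sent an LTR, in order.
    """
    replies = []
    for mac in path:
        if ttl == 0:
            break
        replies.append(mac)
        if mac == target_mac:
            break
        ttl -= 1
    return replies


# Constructed sample: four MPs between the sender and the target.
SAMPLE_PATH = ["00:01:e8:00:00:01", "00:01:e8:00:00:02",
               "00:01:e8:00:00:03", "00:01:e8:00:00:04"]
```

A practical use of `md_level_from_group_address` is checking a captured LTM: if the group address does not decode to the MD level you expect on that segment, the frame came from a MEP configured at the wrong level, which is exactly the kind of leakage that level filtering exists to contain.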
Enable CFM SNMP Traps
Task: Enable SNMP trap messages for Ethernet CFM.
    Command: snmp-server enable traps ecfm
    Mode: CONFIGURATION
A trap is sent only when one of the five highest-priority defects occurs, as shown in Table 5-2, "ECFM SNMP Traps," in 802.1ag. Table 5-2.
Display Ethernet CFM Statistics
Task: Display MEP CCM statistics.
    Command: show ethernet cfm statistics [domain {name | level} vlan-id vlan-id mpid mpid]
    Mode: EXEC Privilege
FTOS# show ethernet cfm statistics
Domain Name: Customer
Domain Level: 7
MA Name: My_MA
MPID: 300
CCMs:
  Transmitted:
LTRs:
  Unexpected Rcvd:
LBRs:
  Received:
  Received Bad MSDU:
  Transmitted:
Task: Display CFM statistics by port.
6 802.1X

802.1X is supported on platforms: ecsz

Protocol Overview
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge.
[Figure: RADIUS packet format. Header fields: Code, Identifier, Length. Codes: 1 Access-Request, 2 Access-Accept, 3 Access-Reject, 11 Access-Challenge. Attributes shown: Message-Authenticator attribute; EAP-Message attribute (Type 79, Length, EAP-Method Data carrying the supplicant-requested credentials).]

RADIUS Attributes for 802.1X Support
Dell Force10 systems include the following RADIUS attributes in all 802.
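The Access-Request the authenticator builds in step 3 carries the supplicant's EAP response as an EAP-Message attribute, and an authentication server should refuse it unless its Message-Authenticator checks out. The following added Python example (not FTOS code and not from the guide) parses a RADIUS packet, names its code using the four codes listed in the figure, reassembles the EAP-Message attribute and verifies the Message-Authenticator. The attribute numbers (79 for EAP-Message, 80 for Message-Authenticator) and the HMAC-MD5 construction are taken from RFC 2869; the shared secret, the sample EAP Response/Identity and the `build_access_request` helper are constructed here.

```python
# Added example, not FTOS code: parse a RADIUS packet, name its code,
# extract the EAP-Message attribute and verify the Message-Authenticator.
# Attribute numbers and the HMAC-MD5 rule follow RFC 2869; the shared
# secret and the sample packet are constructed for the demonstration.
import hashlib
import hmac
import os
import struct

CODES = {1: "Access-Request", 2: "Access-Accept",
         3: "Access-Reject", 11: "Access-Challenge"}
EAP_MESSAGE = 79
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def parse_attributes(data: bytes):
    """Return [(type, value), ...] from the TLV attribute area."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def parse_packet(packet: bytes) -> dict:
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    return {"code": CODES.get(code, f"code {code}"), "id": ident,
            "authenticator": packet[4:HEADER_LEN],
            "attributes": parse_attributes(packet[HEADER_LEN:])}


def eap_message(packet: bytes) -> bytes:
    """Reassemble the EAP payload (RFC 2869 allows several fragments)."""
    return b"".join(v for t, v in parse_packet(packet)["attributes"]
                    if t == EAP_MESSAGE)


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """HMAC-MD5 keyed with the shared secret over the whole packet with
    the Message-Authenticator value replaced by 16 zero octets
    (RFC 2869 section 5.14).  Returns False if the attribute is absent,
    which for a packet carrying EAP-Message is itself a failure."""
    i = HEADER_LEN
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2:
            return False
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            claimed = packet[i + 2:i + 18]
            zeroed = packet[:i + 2] + b"\x00" * 16 + packet[i + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(claimed, expected)
        i += alen
    return False


def build_access_request(secret: bytes, eap_payload: bytes,
                         ident: int = 1, request_auth: bytes = None) -> bytes:
    """Constructed sample: an Access-Request carrying one EAP-Message
    and a correctly computed Message-Authenticator."""
    request_auth = request_auth or os.urandom(16)
    eap_attr = bytes([EAP_MESSAGE, 2 + len(eap_payload)]) + eap_payload
    ma_attr = bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    length = HEADER_LEN + len(eap_attr) + len(ma_attr)
    packet = struct.pack("!BBH", 1, ident, length) + request_auth + eap_attr + ma_attr
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    ma_pos = HEADER_LEN + len(eap_attr) + 2      # first byte of the zeroed value
    return packet[:ma_pos] + mac + packet[ma_pos + 16:]


# Constructed sample: EAP Response/Identity for user "alice"
# (code 2 Response, id 1, length 10, type 1 Identity).
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_EAP = b"\x02\x01\x00\x0a\x01alice"
```

The check uses `hmac.compare_digest` so that a forged packet cannot be distinguished from a valid one by timing the comparison, and it treats a missing Message-Authenticator as a failure, since the EAP-Message attribute must be accompanied by one.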
Important Points to Remember
• FTOS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• All platforms support only RADIUS as the authentication server.
• If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
• 802.1X is not supported on port-channels or port-channel members.

Enabling 802.1X
802.1X must be enabled globally. To enable 802.
 no ip address
 dot1x authentication
 no shutdown
!
FTOS#
View 802.1X configuration information for an interface using the command show dot1x interface, as shown in the example below.
FTOS#show dot1x interface TenGigabitEthernet 2/1
802.
To configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame:
Step 1: Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
802.1x information on Te 2/1:
-----------------------------
Dot1x Status:        Enable
Port Control:        AUTO
Port Auth Status:    UNAUTHORIZED
Re-Authentication:   Disable
Untagged VLAN id:    None
Tx Period:           90 seconds
Quiet Period:        120 seconds
ReAuth Max:          2
Supplicant Timeout:  30 seconds
Server Timeout:      30 seconds
Re-Auth Interval:    3600 seconds
Max-EAP-Req:         10
Auth Type:           SINGLE_HOST
Auth PAE State:      Initialize
Backend State:       Initialize

Forcibly Authorizing or Unauthorizing a Port
IEEE 802.
To configure a maximum number of re-authentications:
Step 1: Configure the maximum number of times that the supplicant can be reauthenticated.
    Command: dot1x reauth-max number
    Mode: INTERFACE
    Range: 1-10
    Default: 2
FTOS(conf-if-Te-0/0)#dot1x reauthentication interval 7200
FTOS(conf-if-Te-0/0)#dot1x reauth-max 10
FTOS(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0
802.
To terminate the authentication process due to an unresponsive authentication server:
Step 1: Terminate the authentication process due to an unresponsive authentication server.
    Command: dot1x server-timeout seconds
    Mode: INTERFACE
    Range: 1-300
    Default: 30
The example below shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds.
Dynamic VLAN Assignment with Port Authentication
FTOS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID.
Guest and Authentication-fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data. Note: Ports cannot be dynamically assigned to the default VLAN.
Configuring an Authentication-fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time (30 seconds by default, see Configuring a Quiet Period after a Failed Authentication). You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Auth-Fail VLAN id:       100
Auth-Fail Max-Attempts:  5
Tx Period:               90 seconds
Quiet Period:            120 seconds
ReAuth Max:              10
Supplicant Timeout:      15 seconds
Server Timeout:          15 seconds
Re-Auth Interval:        7200 seconds
Max-EAP-Req:             10
Auth Type:               SINGLE_HOST
Auth PAE State:          Initialize
Backend State:           Initialize
802.
7 Access Control Lists (ACLs)

This chapter describes the Access Control Lists (ACLs), prefix lists, and route-maps.
Access Control Lists (ACLs) are supported on platforms: ecsz
Ingress IP and MAC ACLs are supported on platforms: e c s z
Egress IP and MAC ACLs are supported on platforms: e s z

Overview
At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses.
• Configuring ACLs to Loopback
  • Applying an ACL on Loopback Interfaces
• IP Prefix Lists
• ACL Resequencing
• Route Maps

IP Access Control Lists (ACLs)
In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address of the packet.
CAM Profiling
CAM optimization is supported on platforms: et
The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP rules with port range options might require more than one CAM entry.
• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
The ipv6acl allocation must be entered as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges. You must save the new CAM settings to the startup-config (write-mem or copy run start) and then reload the system for the new settings to take effect.
Implementing ACLs on FTOS One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL. If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM.

IP fragments ACL examples
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.
FTOS(conf-ext-nacl)
Note the following when configuring ACLs with the fragments keyword. When an ACL filters packets, it looks at the Fragment Offset (FO) to determine whether or not the packet is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is dealing with the fragments of the original packet.
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number. When you use the log keyword, the CP processor logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy because it has to log these packets' details.
To configure a filter without a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode:
Step 1: ip access-list standard
    Mode: CONFIGURATION
    Purpose: Create a standard IP ACL and assign it a unique name.
Next step, in CONFIG-STD-NACL mode: Configure a drop or forward IP ACL filter.
    • log and monitor options are supported on E-Series only.
Configure an extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Since traffic passes through the filter in the order of the filter’s sequence, you can configure the extended IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter. Note: On E-Series ExaScale systems, TCP ACL flags are not supported in an extended ACL with IPv6 microcode.
TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode:
Step 1: ip access-list extended
    Mode: CONFIGURATION
    Purpose: Create an extended IP ACL and assign it a unique name.
Next step, in CONFIG-EXT-NACL mode: Configure an extended IP ACL filter for TCP packets.
    • log and monitor options are supported on E-Series only.
The following example illustrates how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order.
FTOS(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log
FTOS(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
FTOS(config-ext-nacl)#show confi
!
ip access-list extended dilling
 seq 5 permit tcp 12.1.0.0 0.0.255.255 any
 seq 15 deny ip host 112.45.0.
FTOS(config-ext-nacl)#show config
!
ip access-list extended nimule
 seq 5 deny tcp host 123.55.34.0 any
 seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0
FTOS(config-ext-nacl)#
To view all configured IP ACLs and the number of packets processed through the ACL, use the show ip accounting access-list command in the EXEC Privilege mode, as shown in the first example in Configure a standard IP ACL.
Table 7-2. L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior | L3 ACL Behavior | Decision on Targeted Traffic
Permit          | Deny            | Denied by L3 ACL
Permit          | Permit          | Permitted by L3 ACL
Note: If an interface is configured as a vlan-stack access port, the packets are filtered by an L2 ACL only. The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features (such as trace-list, PBR, and QoS) are applied accordingly to the permitted traffic.
Step 3: ip access-group access-list-name {in | out} [implicit-permit] [vlan vlan-range]
    Mode: INTERFACE
    Purpose: Apply an IP ACL to traffic entering or exiting an interface.
    • out: configure the ACL to filter outgoing traffic. This keyword is supported only on E-Series.
Note: The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specifications on entries allowed per ACL.
Configuring Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs to each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. To create an ingress ACL, use the ip access-group command in the EXEC Privilege mode as shown below.
To create an egress ACL, use the ip access-group command in the EXEC Privilege mode as shown in the example below.
FTOS Behavior: VRRP hellos and IGMP packets are not affected when egress ACL filtering for CPU traffic is enabled. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address.
To apply ACLs on loopback, use the ip access-group command in the INTERFACE mode as shown in the example below.
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8
• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8 le 12
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20
The following rules apply to prefix lists:
• A prefix list without any permit or deny filters allows all routes.
Step 2: seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
    Mode: CONFIG-NPREFIXL
    Purpose: Create a prefix list with a sequence number and a deny or permit action. The optional parameters are:
    • ge min-prefix-length: the minimum prefix length to be matched (0 to 32).
    • le max-prefix-length: the maximum prefix length to be matched (0 to 32).
Step 2: {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
    Mode: CONFIG-NPREFIXL
    Purpose: Create a prefix list filter with a deny or permit action. The optional parameters are:
    • ge min-prefix-length: the minimum prefix length to be matched (0 to 32).
    • le max-prefix-length: the maximum prefix length to be matched (0 to 32).
The example below illustrates a prefix list in which the sequence numbers were assigned by the software.
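The ge/le semantics described above, applied to candidate routes, as an added Python example (not FTOS code and not from the guide). It implements the rules the chapter states: an entry without ge/le matches the exact prefix and length; ge/le bound the matched length to routes inside the entry's prefix; an empty list allows all routes. First-match evaluation in sequence order and the implicit deny at the end of a non-empty list are assumed from standard prefix-list behaviour. The sample list, built from the four patterns above, and the test routes are constructed here.

```python
# Added example, not FTOS code: evaluate IPv4 prefix-list entries with
# ge/le against candidate routes.  Exact-match, ge/le bounds and
# empty-list-permits come from the chapter; first-match order and the
# implicit deny are assumed standard behaviour.  Sample list constructed.
import ipaddress


def parse_entry(text: str) -> dict:
    """Parse 'seq 5 permit 10.0.0.0/8 ge 8 le 12' into a dict."""
    tokens = text.split()
    if len(tokens) < 4 or tokens[0] != "seq" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"bad prefix-list entry: {text!r}")
    entry = {"seq": int(tokens[1]), "action": tokens[2],
             "prefix": ipaddress.ip_network(tokens[3], strict=False),
             "ge": None, "le": None}
    for key, value in zip(tokens[4::2], tokens[5::2]):
        if key not in ("ge", "le"):
            raise ValueError(f"unknown option {key!r}")
        entry[key] = int(value)
    return entry


def entry_matches(entry: dict, route) -> bool:
    net = entry["prefix"]
    if entry["ge"] is None and entry["le"] is None:
        return route == net                     # exact prefix and length
    if not route.subnet_of(net):                # must lie inside the entry prefix
        return False
    lo = entry["ge"] if entry["ge"] is not None else net.prefixlen
    hi = entry["le"] if entry["le"] is not None else 32
    if lo < net.prefixlen or lo > hi or hi > 32:
        raise ValueError("ge/le must satisfy prefixlen <= ge <= le <= 32")
    return lo <= route.prefixlen <= hi


def evaluate(prefix_list, route):
    """Return (action, matching_seq).  Entries are tried in sequence
    order; an empty list permits everything; no match means deny."""
    route = ipaddress.ip_network(route, strict=False)
    entries = sorted((parse_entry(e) for e in prefix_list), key=lambda e: e["seq"])
    if not entries:
        return "permit", None
    for entry in entries:
        if entry_matches(entry, route):
            return entry["action"], entry["seq"]
    return "deny", None


# Constructed sample list built from the four patterns in the chapter.
SAMPLE_LIST = [
    "seq 5 deny 0.0.0.0/0 ge 8 le 8",       # deny only /8 prefixes
    "seq 10 permit 10.0.0.0/8 ge 8 le 12",  # /8 to /12 inside 10/8 (the /8 itself is caught by seq 5)
    "seq 15 permit 192.168.0.0/16 ge 20",   # /20 and longer inside 192.168/16
    "seq 20 deny 172.16.0.0/12 le 24",      # /12 to /24 inside 172.16/12
]
```

Running `evaluate(SAMPLE_LIST, "10.1.1.0/24")` returns a deny with no matching sequence: the /24 is inside 10/8 but longer than the `le 12` bound, so it falls through every entry to the implicit deny. That fall-through is the case to watch when a redistribution filter unexpectedly drops routes.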
FTOS>
FTOS>show ip prefix summary
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
FTOS>

Use a prefix list for route redistribution
To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution command.
Command: distribute-list prefix-list-name in [interface]
    Mode: CONFIG-ROUTER-OSPF
    Purpose: Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
Command: distribute-list prefix-list-name out [connected | rip | static]
    Mode: CONFIG-ROUTER-OSPF
    Purpose: Apply a configured prefix list to outgoing routes. You can specify which type of routes are affected.
Table 7-3. ACL Resequencing Example (Insert New Rules)
seq 7 permit any host 1.1.1.3
seq 10 permit any host 1.1.1.4

Table 7-4. ACL Resequencing Example (Resequenced)
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4

Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs.
!
ip access-list extended test
 remark 2 XYZ
 remark 4 this remark corresponds to permit any host 1.1.1.1
 seq 4 permit ip any host 1.1.1.1
 remark 6 this remark has no corresponding rule
 remark 8 this remark corresponds to permit ip any host 1.1.1.2
 seq 8 permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.3
 seq 12 permit ip any host 1.1.1.4
Remarks and rules that originally have the same sequence number have the same sequence number after the resequence command is applied.
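The renumbering rule just stated, including the remark handling, as an added Python model (not FTOS code and not from the guide). Distinct original sequence numbers are renumbered start, start+step, ... in ascending order; a remark and a rule that share an original number keep sharing the new one, and a remark with no rule keeps a slot of its own. The `resequence` function name and the sample ACL text, which reproduces the listing above when resequenced from 2 in steps of 2, are constructed here.

```python
# Added example, not FTOS code: renumber an ACL's rules and remarks the
# way the chapter describes resequencing.  Sample ACL text is constructed.
import re

ENTRY = re.compile(r"^(remark|seq)\s+(\d+)\s+(.*)$")


def parse_acl(lines):
    """Turn 'remark N text' / 'seq N rule' lines into (kind, N, rest)."""
    entries = []
    for line in lines:
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        kind, seq, rest = m.groups()
        entries.append((kind, int(seq), rest))
    return entries


def resequence(lines, start=5, step=5):
    """Assign start, start+step, ... to the distinct original sequence
    numbers in ascending order.  A remark and a rule that share an
    original number share the new one; a remark without a rule keeps a
    slot of its own.  Listing order within a number is preserved."""
    if start < 0 or step <= 0:
        raise ValueError("start must be >= 0 and step >= 1")
    entries = parse_acl(lines)
    mapping = {old: start + i * step
               for i, old in enumerate(sorted({seq for _, seq, _ in entries}))}
    ordered = sorted(entries, key=lambda e: e[1])   # stable: remark stays before its rule
    return [f"{kind} {mapping[seq]} {rest}" for kind, seq, rest in ordered]


# Constructed sample: the same ACL as the listing above, before it was
# resequenced with start 2 and step 2.
SAMPLE_ACL = [
    "remark 1 XYZ",
    "remark 3 this remark corresponds to permit any host 1.1.1.1",
    "seq 3 permit ip any host 1.1.1.1",
    "remark 4 this remark has no corresponding rule",
    "remark 9 this remark corresponds to permit ip any host 1.1.1.2",
    "seq 9 permit ip any host 1.1.1.2",
    "seq 10 permit ip any host 1.1.1.3",
    "seq 25 permit ip any host 1.1.1.4",
]

# Constructed sample matching Table 7-3 before resequencing to 5/10/15/20.
TABLE_7_3 = [
    "seq 5 permit any host 1.1.1.1",
    "seq 6 permit any host 1.1.1.2",
    "seq 7 permit any host 1.1.1.3",
    "seq 10 permit any host 1.1.1.4",
]
```

Because the mapping is built from the set of distinct numbers rather than from the entry count, an orphan remark consumes exactly one slot and a remark/rule pair consumes one slot together, which is what keeps remarks attached to the rule they describe after renumbering.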
Route Maps
Route-maps are supported on platforms: ces z
Like ACLs and prefix lists, route maps are composed of a series of commands that contain a matching criterion and an action, yet route maps can change the packets meeting the criterion. ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric.
Create a route map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values.
FTOS#show route-map
route-map zakho, permit, sequence 20
  Match clauses:
    interface GigabitEthernet 0/1
  Set clauses:
    tag 35
    level stub-area
FTOS#
The following text shows an example of a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
FTOS(config-route-map)#match metric 2000
In the above route-map, a route is matched only if it has both of the characteristics specified in the route-map: the route must have a tag value of 1000 and a metric value of 2000. Only then is there a match. Also, if there are different instances of the same route-map, it is sufficient for a permit match to occur in any instance of that route-map.
Command: match interface interface
    Mode: CONFIG-ROUTE-MAP
    Purpose: Match routes whose next hop is a specific interface. The parameters are:
    • For a Fast Ethernet interface, enter the keyword FastEthernet followed by the slot/port information.
    • For a 1-Gigabit Ethernet interface, enter the keyword gigabitEthernet followed by the slot/port information.
    • For a loopback interface, enter the keyword loopback followed by a number between zero (0) and 16383.
Command: match tag tag-value
    Mode: CONFIG-ROUTE-MAP
    Purpose: Match routes with a specific tag.
To configure a set condition, use any or all of the following commands in the ROUTE-MAP mode:
Command: set as-path prepend as-number [... as-number]
    Mode: CONFIG-ROUTE-MAP
    Purpose: Add an AS-PATH number to the beginning of the AS-PATH.
Command: set automatic-tag
    Mode: CONFIG-ROUTE-MAP
    Purpose: Generate a tag to be added to redistributed routes.
Route maps add to that redistribution capability by allowing you to match specific routes and set or change more attributes when redistributing those routes. In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF.
Note: If the continue clause is configured without specifying a module, the next sequential module is processed.
8 Bidirectional Forwarding Detection (BFD)

Bidirectional Forwarding Detection (BFD) is supported only on platforms: e c z

Protocol Overview
Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism.
How BFD Works
Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals.
Note: FTOS does not support multi-hop BFD sessions.
[Figure: BFD control packet carried in an Ethernet/IP/UDP frame. Labels recoverable from the figure: Preamble, Start Frame Delimiter, Destination MAC, Source MAC, Ethernet Type (0x888e); Version (4), IHL, TOS, Total Length, Flags, Frag Offset, TTL (255), Protocol, Header Checksum, Dest IP Addr, Options, Padding; Source Port, destination port 3784, Checksum; UDP packet payload: Version (1), Diag Code, State, Detect Mult, My Discriminator, Your Discriminator (random number generated by the remote system to identify a session), Required Min RX Interval, Required Min Echo RX Interval (the minimum interval between Echo packets), Auth Type.]
Table 8-1. BFD Packet Fields
Field           | Description
Diagnostic Code | The reason that the last session failed.
State           | The current local session state. See BFD sessions.
Flag            | A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response.
• Active—The active system initiates the BFD session. Both systems can be active for the same session.
• Passive—The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
A BFD session has two modes:
• Asynchronous mode—In Asynchronous mode, both systems send periodic control messages at an agreed upon interval to indicate that their session status is Up.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change. After this, periodic control packets are exchanged.
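The handshake described above, with the active/passive roles and the detection timer, as an added Python model. This is not FTOS code and not from the guide: the state transitions (Down to Init to Up, and back to Down when the peer reports Down or goes silent for Detect Mult times the agreed interval) follow RFC 5880, while the `Session` and `ControlPacket` classes, the timings and the `run_handshake` driver are constructed here. A passive system stays silent until it has heard from the peer, an active one sends while still Down, and any state change triggers an immediate packet regardless of the transmit interval, as the text notes.

```python
# Added example, not FTOS code: a minimal BFD session model showing the
# three-way handshake (Down -> Init -> Up) and the detection timer.
# State rules follow RFC 5880; class names, timings and the driver are
# constructed for illustration.
from dataclasses import dataclass, field

DOWN, INIT, UP, ADMIN_DOWN = "Down", "Init", "Up", "AdminDown"


@dataclass
class ControlPacket:
    state: str
    my_disc: int
    your_disc: int
    desired_min_tx_ms: int
    required_min_rx_ms: int
    detect_mult: int


@dataclass
class Session:
    name: str
    disc: int                      # My Discriminator
    role: str = "active"           # "active" or "passive"
    state: str = DOWN
    remote_disc: int = 0           # learned from the peer's My Discriminator
    desired_min_tx_ms: int = 100
    required_min_rx_ms: int = 100
    detect_mult: int = 3
    detection_time_ms: int = 0
    history: list = field(default_factory=list)

    def wants_to_transmit(self) -> bool:
        """A passive system stays silent until it has heard from the peer."""
        return self.role == "active" or self.remote_disc != 0

    def packet(self) -> ControlPacket:
        return ControlPacket(self.state, self.disc, self.remote_disc,
                             self.desired_min_tx_ms, self.required_min_rx_ms,
                             self.detect_mult)

    def receive(self, pkt: ControlPacket) -> bool:
        """Apply the RFC 5880 state rules; return True on a state change."""
        if pkt.your_disc not in (0, self.disc):
            return False               # not addressed to this session
        self.remote_disc = pkt.my_disc
        # Detection time: peer's multiplier times the slower of the two intervals.
        self.detection_time_ms = pkt.detect_mult * max(
            self.required_min_rx_ms, pkt.desired_min_tx_ms)
        old = self.state
        if pkt.state == ADMIN_DOWN:
            self.state = DOWN
        elif self.state == DOWN:
            if pkt.state == DOWN:
                self.state = INIT
            elif pkt.state == INIT:
                self.state = UP
        elif self.state == INIT:
            if pkt.state in (INIT, UP):
                self.state = UP
        elif pkt.state == DOWN:        # local Up, peer reports Down
            self.state = DOWN
        if old != self.state:
            self.history.append((old, self.state))
        return old != self.state

    def timeout(self, silent_ms: int) -> bool:
        """Peer silent for silent_ms: declare the session Down once the
        detection time has elapsed."""
        if self.state != DOWN and silent_ms >= self.detection_time_ms:
            self.history.append((self.state, DOWN))
            self.state = DOWN
            return True
        return False


def run_handshake(a: Session, b: Session, max_rounds: int = 6):
    """Drive both sides until Up/Up.  A state change triggers an immediate
    packet regardless of the transmit interval, as the chapter notes."""
    for _ in range(max_rounds):
        if a.state == UP and b.state == UP:
            break
        if a.wants_to_transmit():
            b.receive(a.packet())
        if b.wants_to_transmit():
            a.receive(b.packet())
    return a.state, b.state
```

Two consequences worth seeing in the model: with both sides passive no session ever forms, which is why at least one router must be configured active; and with the defaults of 100 ms intervals and a multiplier of 3 the detection time is 300 ms, so a peer that stops answering is declared Down on the third missed packet.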
Important Points to Remember
• BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM.
• FTOS supports a maximum of 100 sessions per BFD agent on C-Series and E-Series. Each linecard processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard (plus, on the E-Series, 100 BFD sessions on RP2, which handles LAG and VLANs).
2. Establish a session with a next-hop neighbor.
Related configuration tasks
• Viewing physical port session parameters.
• Disabling and re-enabling BFD.

Enabling BFD globally
BFD must be enabled globally on both routers, as shown in the illustration in Establishing a session on physical ports. To enable BFD globally:
Step 1: Enable BFD globally.
[Figure: R1 (ACTIVE role) on interface 2/1 connected to R2 (ACTIVE role) on interface 4/24.]
R1:
FTOS(config)# bfd enable
FTOS(config)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.1
R2:
FTOS(config)# bfd enable
FTOS(config)# interface gigabitethernet 4/24
FTOS(conf-if-gi-2/1)# ip address 2.2.2.1/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
  Number of packets received from neighbor: 4092
  Number of packets sent to neighbor: 4093
  Number of state changes: 1
  Number of messages from IFA about port state change: 0
  Number of messages communicated b/w Manager and Agent: 7

Disabling and re-enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Configuring BFD for static routes is a three-step process:
1. Enabling BFD globally.
2. On the local system, establish a session with the next hop of a static route. Refer to Configuring BFD for Static Routes.
3. On the remote system, establish a session with the physical port that is the origin of the static route. Refer to Establishing a session on physical ports.
Related configuration tasks
• Changing static route session parameters.
• Disabling BFD for static routes.
I - ISIS  O - OSPF  R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
2.2.2.1    2.2.2.2     Gi 4/24    Up     100     100     4     R
View detailed session information using the command show bfd neighbors detail, as shown in the example in Verifying BFD sessions with BGP neighbors using show bfd neighbors detail.

Changing static route session parameters
BFD sessions are configured with default intervals and a default role.
Configuring BFD for OSPF is a two-step process:
1. Enabling BFD globally.
2. Establishing sessions with OSPF neighbors.
Related configuration tasks
• Changing OSPF session parameters.
• Disabling BFD for OSPF.

Establishing sessions with OSPF neighbors
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the full state.
To establish BFD for all OSPF neighbors on a single interface:
Step 1: Establish sessions with all OSPF neighbors on a single interface.
    Command: ip ospf bfd all-neighbors
    Mode: INTERFACE
View the established sessions using the command show bfd neighbors, as shown in the example below.
Disabling BFD for OSPF
If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
Figure 8-2. Establishing Sessions with IS-IS Neighbors
FTOS(conf)# router isis
FTOS(conf-router_isis)# net 02.1921.6800.2002.00
FTOS(conf-router_isis)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)#ip address 2.2.2.2/24
FTOS(config-if-gi-2/1)# ip router isis
FTOS(config-if-gi-2/1)# exit
FTOS(conf)# router isis
FTOS(conf-router_isis)# bfd all-neighbors
FTOS(conf-router_isis)# interface gigabitethernet 2/2
FTOS(conf-if-gi-2/2)#ip address 2.2.3.
Changing IS-IS session parameters
BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface; if you change a parameter globally, the change affects all IS-IS neighbor sessions.
To disable BFD sessions with all IS-IS neighbors out of an interface:
Step 1: Disable BFD sessions with all IS-IS neighbors out of an interface.
    Command: isis bfd all-neighbors disable
    Mode: INTERFACE

Configuring BFD for BGP
BFD for BGP is only supported on platforms: cez
In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence.
[Figure: Router 1 and Router 2 (interfaces 1/1 and 2/2, addresses 2.2.4.3 and 2.2.4.2) connected by an Exterior BGP session between AS 1 and AS 2, each with Interior BGP sessions inside its AS.]
AS 1:
FTOS(conf)# bfd enable
FTOS(conf)# router bgp 1
FTOS(conf-router-bgp)# neighbor 2.2.4.3 remote-as 2
FTOS(conf-router-bgp)# neighbor 2.2.4.3 no shutdown
FTOS(conf-router-bgp)# bfd all-neighbors interval 200 min_rx 200 multiplier 6 role active
OR
FTOS(conf-router-bgp)# neighbor 2.2.4.3 bfd
AS 2:
FTOS(conf)# bfd enable
FTOS(conf)# router bgp 2
FTOS(conf-router-bgp)# neighbor 2.2.
As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure. It is then up to the individual routing protocols that use the BGP link to determine the appropriate response to the failure condition.
To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
Verifying a BFD for BGP Configuration

  R2# show running-config bgp
  !
  router bgp 2
   neighbor 1.1.1.2 remote-as 1
   neighbor 1.1.1.2 no shutdown
   neighbor 2.2.2.2 remote-as 1
   neighbor 2.2.2.2 no shutdown
   neighbor 3.3.3.2 remote-as 1
   neighbor 3.3.3.
  Delete session on Down: True
  Client Registered: BGP
  Uptime: 00:07:55
  Statistics:
    Number of packets received from neighbor: 4762
    Number of packets sent to neighbor: 4490
    Number of state changes: 2
    Number of messages from IFA about port state change: 0
    Number of messages communicated b/w Manager and Agent: 5
  Session Discriminator: 10
  Neighbor Discriminator: 11
  Local Addr: 2.2.2.3
  Local MAC Addr: 00:01:e8:66:da:34
  Remote Addr: 2.2.2.
  Protocol BGP Messages:
    Registration : 5
    De-registration : 4
    Init : 0   Up : 6   Down : 0   Admin Down : 2
  Interface TenGigabitEthernet 6/2
  Protocol BGP Messages:
    Registration : 1
    De-registration : 0
    Init : 0   Up : 1   Down : 0   Admin Down : 2

Displaying BFD for BGP status

  R2# show ip bgp summary
  BGP router identifier 10.0.0.
Configuring BFD for VRRP

BFD for VRRP is only supported on platforms: e c

When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.

Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally.
[Figure: BFD for VRRP. Virtual IP address 2.2.5.4; R1 is BACKUP and R2 is MASTER, connected over ports 2/3 and 4/25; a host with IP address 2.2.5.3 uses gateway 2.2.5.1.]

  FTOS(config-if-range-gi-4/25)# ip address 2.2.5.1/24
  FTOS(config-if-range-gi-4/25)# no shutdown
  FTOS(config-if-range-gi-4/25)# vrrp-group 1
  FTOS(config-if-range-gi-4/25)# virtual-address 2.2.5.4
  FTOS(config-if-range-gi-4/25)# vrrp bfd all-neighbors
  FTOS(config-if-range-gi-4/25)# vrrp bfd neighbor 2.2.5.2

  FTOS(conf-if-gi-2/3)#ip address 2.2.5.
  C - CLI   I - ISIS   O - OSPF   R - Static Route (RTM)   V - VRRP
  LocalAddr    RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
  * 2.2.5.1    2.2.5.2      Gi 4/25     Down    1000     1000     3      V

Session state information is also shown in the show vrrp command output, as shown in the following example.

  R1(conf-if-gi-4/25)#do show vrrp
  -----------------
  GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
  State: Backup, Priority: 1, Master: 2.2.5.
View session parameters using the command show bfd neighbors detail, as shown in the example in Verifying BFD sessions with BGP neighbors using show bfd neighbors detail.

Disabling BFD for VRRP

If any or all VRRP sessions are disabled, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state (Message 3).
Related configuration tasks
• Establishing sessions with OSPF neighbors.

Establishing sessions with VLAN neighbors

To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the illustration below. The session parameters do not need to match.

[Figure: R1 port 4/25 and R2 port 2/3 joined through VLAN 200.]

  FTOS(config-if-gi-4/25)# switchport
  FTOS(config-if-gi-4/25)# no shutdown
  FTOS(config-if-gi-4/25)# interface vlan 200
  FTOS(config-if-vl-200)# ip address 2.2.3.
Configuring BFD for port-channels is a two-step process:
1. Enabling BFD globally.
2. Establishing sessions on port-channels.

Related configuration tasks
• Disabling BFD for port-channels.

Establishing sessions on port-channels

To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the example below. The session parameters do not need to match.
Configuring Protocol Liveness Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message 3).
  20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0
  00 01 86 a0 00 00 00 00
  00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24

The output for the command debug bfd event is the same as the log messages that appear on the console by default.
9 Border Gateway Protocol

Platforms support BGP according to the following table:

  FTOS version                       Platform support
  IPv4: 8.3.11.2   IPv6: 9.0.0.0     Z9000
  8.3.7.0                            S4810
  8.1.1.0                            E-Series ExaScale
  7.8.1.0                            S-Series
  7.7.1.0                            C-Series
  pre-7.7.1.0                        E-Series TeraScale

This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Force10 Operating System (FTOS).
A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to remain connected to the internet in the event of a complete failure of one of its connections. However, this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple example of this is seen in Figure 9-1. A stub AS is one that is connected to only one other AS. A transit AS is one that provides connections through itself to separate networks.
Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh”. This is a topology that has every router directly connected to every other router. Each BGP router within an AS must have iBGP sessions with all other BGP routers in the AS. For example, a BGP network within an AS needs to be in “full mesh.
Establishing a session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route Reflectors

Route Reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules.

Note: Route Reflectors (RRs) should not be used in the forwarding path. In iBGP, hierarchical RRs maintaining forwarding-plane RRs could create routing loops.

Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
Confederations

Communities

BGP communities are sets of routes with one or more common attributes. This is a way to assign common attributes to multiple routes at the same time.

BGP Attributes

Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
Note: In 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error will result if the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command are configured at the same time.
Best Path selection details

1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command or aggregate-address command.
   • Routes originated with the network or redistribute commands are preferred over routes originated with the aggregate-address command.
4.
11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path). For paths containing a Route Reflector (RR) attribute, the originator ID is substituted for the router ID.
12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without a cluster ID length are set to a 0 cluster ID length.
13.
[Figure 9-5. LOCAL_PREF Example: Router A in AS 100 reaches AS 200 (Routers B, C) over a T1 link and AS 300 (Routers D, E, F) over an OC3 link; Local Preference is set to 100 on one path and 200 on the other.]

Multi-Exit Discriminators (MEDs)

If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can be used to assign a preference to a preferred path.
[Figure 9-6. MED Route Example: Router A in AS 100 connects to AS 200 (Routers B, C, D, E) over a T1 link with MED set to 100 and over an OC3 link with MED set to 50.]

Note: With FTOS Release 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it will overwrite the IGP MED.
Figure 9-7. Origin attribute reported

  FTOS#show ip bgp
  BGP table version is 0, local router ID is 10.101.15.13
  Status codes: s suppressed, d damped, h history, * valid, > best
  Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network
  Origin codes: i - IGP, e - EGP, ? - incomplete
     Network          Next Hop        Metric LocPrf Weight Path
  *> 7.0.0.0/29       10.114.8.33          0             0 18508 ?
  *> 7.0.0.0/30       10.114.8.33          0             0 18508 ?
  *> 9.2.0.0/16       10.114.8.
Next Hop

The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS. It can also be set when advertising routes within an AS.
Advertise IGP cost as MED for redistributed routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. FTOS 8.3.1.0 and later support configuring the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
4-Byte AS Numbers

FTOS Version 7.7.1 and later support the 4-Byte (32-bit) format when configuring Autonomous System Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet. The behavior of a 4-Byte BGP speaker toward a peer differs depending on whether the peer is a 4-Byte or a 2-Byte BGP speaker.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): .. Some examples are shown in Table 9-2.

All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as well as when displayed in the show command outputs. AS Numbers larger than 65535 are represented using ASDOT notation as ..
Figure 9-9. Dynamic changes of the bgp asnotation command in the show running config

ASDOT
  FTOS(conf-router_bgp)#bgp asnotation asdot
  FTOS(conf-router_bgp)#show conf
  !
  router bgp 100
   bgp asnotation asdot
   bgp four-octet-as-support
   neighbor 172.30.1.250 local-as 65057
Figure 9-10. Dynamic changes when the bgp asnotation command is disabled in the show running config

AS NOTATION DISABLED
  FTOS(conf-router_bgp)#no bgp asnotation
  FTOS(conf-router_bgp)#sho conf
  !
  router bgp 100
   bgp four-octet-as-support
   neighbor 172.30.1.250 local-as 65057
[Figure 9-11. Local-AS Scenario. Before Migration: Router A (AS 100), Router B (AS 200), Router C (AS 300). After Migration, with Local-AS enabled: Router A (AS 100), Router B now in AS 100 with Local AS 200, Router C (AS 300).]

When you complete your migration, and you have reconfigured your network with the new information, you must disable this feature. If the “no prepend” option is used, the local-as will not be prepended to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances FTOS BGP Management Information Base (MIB) support with many new SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com. Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation.
• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector clients are not in a full mesh if BGP client-2-client reflection is enabled and that the BGP speaker acting as reflector will advertise routes learned from one client to another client. If disabled, it is assumed that clients are in a full mesh, and there is no need to advertise prefixes to the other clients.
BGP Configuration To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor. Defaults By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled). Note: In FTOS, all newly configured neighbors and peer groups are disabled.
In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be connected physically to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router. First, the BGP process determines if all internal BGP peers are reachable, and then it determines which peers outside the AS are reachable.
You must Configure Peer Groups before assigning it a remote AS.

Step 3. Command Syntax: neighbor {ip-address | peer-group-name} no shutdown. Command Mode: CONFIG-ROUTER-BGP. Purpose: Enable the BGP neighbor.

Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode. Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration.
Figure 9-13. Command example: show ip bgp summary (4-Byte AS Number displayed)

  R2#show ip bgp summary
  BGP router identifier 192.168.10.2, local AS number 48735.    <- 4-Byte AS Number
Figure 9-14. Command example: show ip bgp neighbors

  FTOS#show ip bgp neighbors
  BGP neighbor is 10.114.8.60, remote AS 18508, external link    <- External BGP neighbor
    BGP version 4, remote router ID 10.20.20.
Figure 9-15. Command example: show running-config bgp

  R2#show running-config bgp
  !
  router bgp 65123
   bgp router-id 192.168.10.2
   network 10.10.21.0/24
   network 10.10.32.0/24
   network 100.10.92.0/24
   network 192.168.10.0/24
   bgp four-octet-as-support
   neighbor 10.10.21.1 remote-as 65123
   neighbor 10.10.21.1 filter-list ISP1in
   neighbor 10.10.21.1 no shutdown
   neighbor 10.10.32.3 remote-as 65123
   neighbor 10.10.32.3 no shutdown
   neighbor 100.10.92.9 remote-as 65192
   neighbor 100.10.92.9 no shutdown
   neighbor 192.168.10.
Only one form of AS Number Representation is supported at a time. You cannot combine the types of representations within an AS.

Task: Enable ASPLAIN AS Number representation (Figure 9-16). Command Syntax: bgp asnotation asplain. Command Mode: CONFIG-ROUTER-BGP.
Note: ASPLAIN is the default method FTOS uses and does not appear in the configuration display.

Task: Enable ASDOT AS Number representation.
Figure 9-18. Command example and output: bgp asnotation asdot+

  FTOS(conf-router_bgp)#bgp asnotation asdot+
  FTOS(conf-router_bgp)#sho conf
  !
  router bgp 100
   bgp asnotation asdot+
   bgp four-octet-as-support
   neighbor 172.30.1.250 remote-as 18508
   neighbor 172.30.1.250 local-as 65057
   neighbor 172.30.1.250 route-map rmap1 in
   neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
   neighbor 172.30.1.
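The three AS number representations described above (ASPLAIN, ASDOT, ASDOT+), as an added stand-alone example that is not FTOS code: it parses an ASN written in any notation into its 32-bit value, renders it back in a chosen notation, and checks whether a set of configured ASN strings mixes notations, which the text says is not allowed within one AS. The range limits and the 0xFFFF word split are taken from the text; the function names are this example's own.

```python
"""ASN notation conversion for the asplain / asdot / asdot+ forms.
Added example, not FTOS code.

Rules as the text states them:
  asplain  every ASN is one decimal number in 0..4294967295
  asdot    ASNs 0..65535 stay decimal; larger ones become high.low
  asdot+   every ASN is written high.low, even when high is 0
where high is the upper 16 bits and low the lower 16 bits.
"""

MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF
NOTATIONS = ("asplain", "asdot", "asdot+")


def parse_asn(text: str) -> int:
    """Parse an ASN written in any of the three notations into its 32-bit value.

    Each dotted word is range-checked so that a typo such as 1.70000 raises
    instead of silently aliasing a different AS.
    """
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"dotted ASN word out of range: {text}")
        return (high << 16) | low
    value = int(text)
    if not (0 <= value <= MAX_4BYTE):
        raise ValueError(f"ASN out of range: {text}")
    return value


def format_asn(value: int, notation: str = "asplain") -> str:
    """Render a 32-bit ASN in the requested notation."""
    if not (0 <= value <= MAX_4BYTE):
        raise ValueError(f"ASN out of range: {value}")
    high, low = value >> 16, value & MAX_2BYTE
    if notation == "asplain":
        return str(value)
    if notation == "asdot":
        # Small ASNs keep their plain decimal form; only 4-byte ASNs are dotted.
        return str(value) if value <= MAX_2BYTE else f"{high}.{low}"
    if notation == "asdot+":
        return f"{high}.{low}"
    raise ValueError(f"unknown notation: {notation}")


def conforms(text: str, notation: str) -> bool:
    """True when the string is exactly how its value is written in that notation."""
    try:
        return format_asn(parse_asn(text), notation) == text.strip()
    except ValueError:
        return False


def mixed_notations(asn_strings) -> bool:
    """True when no single notation accounts for every ASN string in the list.

    Note that "65057" satisfies both asplain and asdot, so a list of small
    plain ASNs is never reported as mixed.
    """
    return not any(all(conforms(s, n) for s in asn_strings) for n in NOTATIONS)


if __name__ == "__main__":
    # Constructed sample values, including the local-as 65057 from the figure above.
    for asn in ("65057", "1.10", "0.65057", "4294967295"):
        v = parse_asn(asn)
        print(asn, "->", v, {n: format_asn(v, n) for n in NOTATIONS})
    print("mixed:", mixed_notations(["0.65057", "70000"]))
```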
Step 5. Command Syntax: neighbor ip-address peer-group peer-group-name. Command Mode: CONFIG-ROUTER-BGP. Purpose: Add an enabled neighbor to the peer group.

Step 6. Command Syntax: neighbor {ip-address | peer-group name} remote-as as-number. Command Mode: CONFIG-ROUTER-BGP. Purpose: Add a neighbor as a remote AS. Formats:
  • IP Address: A.B.C.D
  • Peer-Group Name: 16 characters
  • AS-number: 0-65535 (2-Byte) or 1-4294967295 | 0.1-65535.65535 (4-Byte) or 0.1-65535.
Figure 9-19. Command example: show config (creating peer-group)

  FTOS(conf-router_bgp)#neighbor zanzibar peer-group
  Configuring neighbor zanzibar
  FTOS(conf-router_bgp)#show conf
  !
  router bgp 45
   bgp fast-external-fallover
   bgp log-neighbor-changes
   neighbor zanzibar peer-group
   neighbor zanzibar shutdown
   neighbor 10.1.1.1 remote-as 65535
   neighbor 10.1.1.1 shutdown
   neighbor 10.14.8.60 remote-as 18505
   neighbor 10.14.8.
Figure 9-21. Command example: show ip bgp peer-group

  FTOS>show ip bgp peer-group
  Peer-group zanzibar, remote AS 65535
    BGP version 4
    Minimum time between advertisement runs is 5 seconds
    For address family: IPv4 Unicast
    BGP neighbor is zanzibar, peer-group internal,
    Number of peers in this group 26
    Peer-group members (* - outbound optimized):
      10.68.160.1
      10.68.161.1
      10.68.162.1
      10.68.163.1
      10.68.164.1
      10.68.165.1
      10.68.166.1
      10.68.167.1
      10.68.168.1
      10.68.169.1
      10.68.170.
BGP fast fall-over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When fall-over is enabled, BGP tracks IP reachability to the peer remote address and the peer local address.
Figure 9-22. Command example: show ip bgp neighbors

  FTOS#sh ip bgp neighbors
  BGP neighbor is 100.100.100.100, remote AS 65517, internal link
    Member of peer-group test for session parameters
    BGP version 4, remote router ID 30.30.30.
Figure 9-23. Command example: show ip bgp peer-group

  FTOS#sh ip bgp peer-group
  Peer-group test
    Fall-over enabled
    BGP version 4
    Minimum time between advertisement runs is 5 seconds
    For address family: IPv4 Unicast
    BGP neighbor is test
    Number of peers in this group 1
    Peer-group members (* - outbound optimized):
      100.100.100.100*
  FTOS#
  router bgp 65517
   neighbor test peer-group
   neighbor test fall-over                 <- Fast Fall-Over Indicator
   neighbor test no shutdown
   neighbor 100.100.100.
Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode, to configure passive peering.

Step 1. Command Syntax: neighbor peer-group-name peer-group passive limit. Command Mode: CONFIG-ROUTER-BGP. Purpose: Configure a peer group that does not initiate TCP connections with other peers. Enter the limit keyword to restrict the number of sessions accepted.
Disable this feature using the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.

Figure 9-24. Local-as information shown

  R2(conf-router_bgp)#show conf
  !
  router bgp 65123
   bgp router-id 192.168.10.2
   network 10.10.21.0/24
   network 10.10.32.0/24
   network 100.10.92.0/24
   network 192.168.10.0/24
   bgp four-octet-as-support
   neighbor 10.10.21.1 remote-as 65123
   neighbor 10.10.21.1 filter-list Laura in
   neighbor 10.10.21.1 no shutdown
   neighbor 10.10.32.3 remote-as 65123
   neighbor 10.10.32.
Figure 9-25. Allowas-in information shown

  R2(conf-router_bgp)#show conf
  !
  router bgp 65123
   bgp router-id 192.168.10.2
   network 10.10.21.0/24
   network 10.10.32.0/24
   network 100.10.92.0/24
   network 192.168.10.0/24
   bgp four-octet-as-support
   neighbor 10.10.21.1 remote-as 65123
   neighbor 10.10.21.1 filter-list Laura in
   neighbor 10.10.21.1 no shutdown
   neighbor 10.10.32.3 remote-as 65123
   neighbor 10.10.32.3 no shutdown
   neighbor 100.10.92.9 remote-as 65192
   neighbor 100.10.92.
• Save all FIB and CAM entries on the line card and continue forwarding traffic while the secondary RPM is coming online.
• Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic.
• Bring the secondary RPM online as the primary and re-open sessions with all peers operating in “no shutdown” mode.
Command Syntax: neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds]. Command Mode: CONFIG-ROUTER-BGP. Purpose: Set the maximum time to retain the restarting neighbor’s or peer-group’s stale paths. Default is 360 seconds.

Filter on an AS-Path attribute

The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an AS-PATH ACL to filter a specific AS_PATH value.

Step 1. Command Syntax: ip as-path access-list as-path-name. Command Mode: CONFIGURATION. Purpose: Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode.

Step 2. Command Syntax: {deny | permit} filter parameter. Command Mode: CONFIG-AS-PATH. Purpose: Enter the parameter to match BGP AS-PATH for filtering. This is the filter that will be used to match the AS-path.
Figure 9-27. Filtering with Regular Expression

  FTOS(config)#router bgp 99
  FTOS(conf-router_bgp)#neigh AAA peer-group
  FTOS(conf-router_bgp)#neigh AAA no shut
  FTOS(conf-router_bgp)#show conf
  !
  router bgp 99
   neighbor AAA peer-group
   neighbor AAA no shutdown
   neighbor 10.155.15.2 remote-as 32
   neighbor 10.155.15.2 shutdown
  FTOS(conf-router_bgp)#neigh 10.155.15.
Table 9-4. Regular Expressions

  Regular Expression   Definition
  + (plus)             Matches 1 or more sequences of the immediately previous character or pattern.
  ? (question)         Matches 0 or 1 sequence of the immediately previous character or pattern.
Command Syntax: redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]. Command Mode: ROUTER BGP or CONF-ROUTER_BGPv6_AF. Purpose: Include specific OSPF routes in IS-IS. Configure the following parameters:
  • process-id range: 1 to 65535
  • match external range: 1 or 2
  • match internal
  • metric-type: external or internal
  • map-name: name of a configured route map
• All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS.
• All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
• All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.
Step 2. Command Syntax: {permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE}. Command Mode: CONFIG-COMMUNITYLIST. Purpose: Two types of extended communities are supported. Filter routes based on the type of extended communities they carry using one of the following keywords:
  • rt: Route Target
  • soo: Route Origin or Site-of-Origin
Matching extended communities against a regular expression is also supported.
To use an IP Community list or Extended Community List to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. Use these commands in the following sequence, starting in the CONFIGURATION mode.

Step 1. Command Syntax: route-map map-name [permit | deny] [sequence-number]. Command Mode: CONFIGURATION. Purpose: Enter the ROUTE-MAP mode and assign a name to a route map.
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
Figure 9-29. Command example: show ip bgp community (Partial)

  FTOS>show ip bgp community
  BGP table version is 3762622, local router ID is 10.114.8.48
  Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
  Origin codes: i - IGP, e - EGP, ? - incomplete
      Network          Next Hop       Metric LocPrf Weight Path
  * i 3.0.0.0/8        195.171.0.16          100      0 209 701 80 i
  *>i 4.2.49.12/30     195.171.0.16          100      0 209 i
  * i 4.21.132.0/23    195.171.0.16          100      0 209 6461 16422 i
  *>i 4.24.118.16/30   195.
Change MED attribute

By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used.

Command Syntax: bgp always-compare-med. Command Mode: CONFIG-ROUTER-BGP. Purpose: Enable MED comparison in the paths from neighbors with different ASs. By default, this comparison is not performed.
Step 2. Command Syntax: set local-preference value. Command Mode: CONFIG-ROUTE-MAP. Purpose: Change the LOCAL_PREF value for routes meeting the criteria of this route map.

Step 3. Command Syntax: exit. Command Mode: CONFIG-ROUTE-MAP. Purpose: Return to the CONFIGURATION mode.

Step 4. Command Syntax: router bgp as-number. Command Mode: CONFIGURATION. Purpose: Enter the ROUTER BGP mode.

Step 5. Command Syntax: neighbor {ip-address | peer-group-name} route-map map-name {in | out}. Command Mode: CONFIG-ROUTER-BGP. Purpose: Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
Use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode to view the BGP configuration. You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address:

Command Syntax: set weight weight. Command Mode: CONFIG-ROUTE-MAP. Purpose: Sets weight for the route.
• AS-PATH ACLs (using the neighbor filter-list command)
• route maps (using the neighbor route-map command)

Prior to filtering BGP routes, you must create the prefix list, AS-PATH ACL, or route map to be used. Refer to Chapter 6, “Access Control Lists (ACLs),” on page 89 for configuration information on prefix lists, AS-PATH ACLs, and route maps.
To view the BGP configuration, use the show config command in the ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode.

Use these commands in the following sequence, starting in the CONFIGURATION mode, to filter routes using a route map.
Step 5. Command Syntax: neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}. Command Mode: CONFIG-ROUTER-BGP. Purpose: Filter routes based on the criteria in the configured route map. Configure the following parameters:
  • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
  • as-path-name: enter the name of a configured AS-PATH ACL.
  • in: apply the AS-PATH ACL to inbound routes.
  • out: apply the AS-PATH ACL to outbound routes.
When you enable a route reflector, FTOS automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode. All clients should be fully meshed before you disable route reflection.

Aggregate routes

FTOS provides multiple ways to aggregate routes in the BGP routing table.
Configure BGP confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving a large number of IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
When dampening is applied to a route, its path is described by one of the following terms:
• history entry: an entry that stores information on a downed route
• dampened path: a path that is no longer advertised
• penalized path: a path that is assigned a penalty

The CLI example below shows configuring values to start reusing or restarting a route, as well as their default values.

Figure 9-31.
To view the BGP configuration, use show config in the CONFIGURATION ROUTER BGP mode or show running-config bgp in EXEC Privilege mode.

To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode:

Command Syntax: set dampening half-life reuse suppress max-suppress-time. Command Mode: CONFIG-ROUTE-MAP. Purpose: Enter the following optional parameters to configure route dampening parameters:
  • half-life range: 1 to 45.
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode.

Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to the active state.

Command Syntax: clear ip bgp dampening [ip-address mask]. Command Mode: EXEC Privilege. Purpose: Clear all information or only information on a specific route.
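The route dampening parameters named above (half-life, reuse, suppress, max-suppress-time), worked through as an added example that is not FTOS code: it applies the standard flap-dampening arithmetic to a constructed sequence of flaps and reports when a route is suppressed and when it becomes reusable. Assumptions, not taken from this page: each flap adds a penalty of 1000, the penalty halves every half-life minutes, and the default values 15/750/2000/60 are assumed for illustration.

```python
"""Route-flap dampening arithmetic for the set dampening parameters.
Added example, not FTOS code.  Times and half-life are in minutes.

Assumptions (not stated on this page):
  - a flap adds FLAP_PENALTY to the route's penalty
  - the penalty decays exponentially, halving every half-life minutes
  - the defaults used below are illustrative values
"""
import math

FLAP_PENALTY = 1000.0  # assumption: penalty added per flap


class DampenedRoute:
    """Tracks the penalty and suppressed/reusable state of one BGP path."""

    def __init__(self, half_life=15, reuse=750, suppress=2000, max_suppress=60):
        if not 1 <= half_life <= 45:  # range given for half-life in the text
            raise ValueError("half-life must be between 1 and 45 minutes")
        if reuse >= suppress:
            raise ValueError("reuse limit must be below the suppress limit")
        self.half_life = float(half_life)
        self.reuse = float(reuse)
        self.suppress = float(suppress)
        self.max_suppress = float(max_suppress)
        # Largest penalty that can decay below reuse within max_suppress minutes.
        # Penalties are capped here so a route is never suppressed for longer.
        self.ceiling = self.reuse * 2 ** (self.max_suppress / self.half_life)
        self.penalty = 0.0
        self.suppressed = False
        self.last_update = 0.0

    def _decay_to(self, now: float) -> None:
        """Bring the penalty forward to time 'now' and release the route if it
        has decayed below the reuse limit."""
        elapsed = now - self.last_update
        if elapsed < 0:
            raise ValueError("events must be supplied in time order")
        self.penalty *= 2 ** (-elapsed / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, now: float):
        """Record a flap at time 'now'; returns (penalty, suppressed)."""
        self._decay_to(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.penalty, self.suppressed

    def state_at(self, now: float):
        """Returns (penalty rounded to 2 places, suppressed) at time 'now'."""
        self._decay_to(now)
        return round(self.penalty, 2), self.suppressed

    def minutes_until_reuse(self) -> float:
        """Minutes from the last update until the penalty drops below reuse."""
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def simulate(flap_times, check_time, **params):
    """Replay a constructed flap sequence and report the state at check_time."""
    route = DampenedRoute(**params)
    for t in flap_times:
        route.flap(t)
    return route.state_at(check_time)


if __name__ == "__main__":
    r = DampenedRoute()
    for t in (0, 1, 2):  # constructed: three flaps one minute apart
        penalty, suppressed = r.flap(t)
        print(f"t={t:>2} min  penalty={penalty:8.2f}  suppressed={suppressed}")
    print(f"reusable in about {r.minutes_until_reuse():.1f} min")
    print("state at t=32:", r.state_at(32))
```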
Change BGP timers

Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers.

Command Syntax: neighbor {ip-address | peer-group-name} timers keepalive holdtime. Command Mode: CONFIG-ROUTER-BGP. Purpose: Configure timer values for a BGP neighbor or peer group.
  • keepalive range: 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. (Default: 60 seconds)
  • holdtime range: 3 to 65536.
Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection using BGP soft reconfiguration.

Command Syntax: clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]. Command Mode: EXEC Privilege. Purpose: Clear all information or only specific details.
Route map continue The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
MBGP Configuration

MBGP for IPv4 Multicast is supported on platforms: e t c
MBGP for IPv6 unicast is supported on platforms: c e t s z
MBGP is not supported on the E-Series ExaScale (ex) platform.

Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing.
BGP Regular Expression Optimization

BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence. Also, show bgp commands that get filtered through regular expressions can take a lot of CPU cycles, especially when the database is large.
Use no debug ip bgp to disable all BGP debugging. Use undebug all to disable all debugging.

Storing Last and Bad PDUs

FTOS stores the last notification sent/received, and the last bad PDU received, on a per-peer basis. The last bad PDU is the one that causes a notification to be issued. These PDUs are shown in the output of the command show ip bgp neighbor, as shown in Figure 9-34.

Figure 9-34.
Capturing PDUs

Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu neighbor direction. Disable capturing using the no form of this command. The maximum buffer size can be set between 40 MB (the default) and 100 MB. The capture buffers are cyclic: when the limit is reached, the system overwrites the oldest PDUs as new ones are received for a given neighbor or direction.
• New PDUs are captured and there is no more space to store them.
• The max buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space consumed and the new limit.)

With a full Internet feed (205K) captured, approximately 11.8 MB is required to store all of the PDUs, as shown in Figure 9-36.

Figure 9-36. Required Memory for Captured PDUs

FTOS(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.
Figure 9-37 is a graphic illustration of the configurations shown on the following pages. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.

Figure 9-37. Sample Configuration Illustration [figure: AS 99 with physical and virtual links; peer groups AAA and BBB; GigE 1/21 10.0.1.21/24, GigE 2/11 10.0.1.22/24, GigE 1/31 10.0.3.31/24; Loopback 1 192.168.128.1/24; Loopback 1 192.168.128.]
Figure 9-38. Enable BGP - Router 1

R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
 ip address 10.0.1.
Figure 9-39. Enable BGP - Router 2

R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.2/24
 no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.22/24
R2(conf-if-gi-2/11)#no shutdown
R2(conf-if-gi-2/11)#show config
!
interface GigabitEthernet 2/11
 ip address 10.0.1.22/24
 no shutdown
R2(conf-if-gi-2/11)#int gig 2/31
R2(conf-if-gi-2/31)#ip address 10.0.2.
Figure 9-40. Enable BGP - Router 3

R3# conf
R3(conf)#
R3(conf)#int loop 0
R3(conf-if-lo-0)#ip address 192.168.128.3/24
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.3/24
 no shutdown
R3(conf-if-lo-0)#int gig 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.33/24
R3(conf-if-gi-3/11)#no shutdown
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
 ip address 10.0.3.
Figure 9-41. Enable Peer Group - Router 1

R1#conf
R1(conf)#router bgp 99
R1(conf-router_bgp)# network 192.168.128.0/24
R1(conf-router_bgp)# neighbor AAA peer-group
R1(conf-router_bgp)# neighbor AAA no shutdown
R1(conf-router_bgp)# neighbor BBB peer-group
R1(conf-router_bgp)# neighbor BBB no shutdown
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA
R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB
R1(conf-router_bgp)#
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.
Figure 9-42.
Figure 9-43. Enable Peer Groups - Router 2

R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.
Figure 9-44. Enable Peer Group - Router 3

R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.
Figure 9-45.
10 Bare Metal Provisioning 3.0 (BMP 3.0)

Bare Metal Provisioning 3.0 (BMP 3.0) is included as part of the FTOS image. It is supported on platforms: z.

Overview

Bare Metal Provisioning (BMP) is a feature that improves the operational efficiency of the system by automatically loading pre-defined configurations and FTOS images using standard protocols such as DHCP and common file transfer mechanisms. Bare Metal Provisioning:
• reduces the time to install and configure the network device.
• Pre-configuration Scripts
• Post-configuration Scripts
• Auto-execution Scripts
• Configuration Tasks
• Script Examples

Prerequisites

Before you use BMP 3.0 to auto-configure a supported Dell Force10 switch, you must first configure:
• An external Dynamic Host Configuration Protocol (DHCP) server (required) - a network device offering configuration parameters
• File Server (required) - a network device for storing and servicing files.
1. Current (new) FTOS build image.
2. Configuration file or pre-configuration script (ZSH, TCL, or Expect script).
3. A list of checksums for all these components.

Note: The configuration file is used to maintain normal BMP functionality when a pre-configuration script is not sent.

Preparing BMP DHCP Server

DHCP Configuration

You must first configure a DHCP server before you can use BMP mode on a switch. Configure the DHCP server with the set of parameters described below for each client switch.
• 230 User port stacking

Note: BMP will eventually exit when the timeout occurs.

DHCP Retry Mechanism

BMP requests a different DHCP offer in the following scenarios:
• If the command reload-type config-scr-download enable is enabled, the DHCP offer specifies both the boot image and the configuration file. If either download is successful, BMP will not request another DHCP offer.
option configfile "ftp://admin:admin@30.0.0.1/pt-s4810-12";              # FTP URL with IP address
option configfile "http://Guest-1/pt-s4810-12";                          # HTTP URL with DNS
option configfile "pt-s4810-12";                                         # TFTP
##### bootfile-name could be given in the following way
option bootfile-name "ftp://admin:admin@Guest-1/FTOS-SE-8.3.10.1.bin";   # FTP URL with DNS
option bootfile-name "http://30.0.0.1/FTOS-SE-8.3.10.1.bin";             # HTTP URL with IP address
option bootfile-name "tftp://30.0.0.1/FTOS-SE-8.3.10.1.
BMP mode is the default boot mode configured for a new system arriving from Dell Force10. This mode obtains the FTOS image and configuration file from a network source (DHCP and file servers). Use Normal mode to boot the switch up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned.
Normal Mode When reloaded in Normal mode, the switch boots up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned. If the management IP address is not present in the start-up configuration file, no IP address will be assigned to the management interface. You can connect to the management port with an IP address on the same network and log in to the system through a telnet or SSH session.
Post-configuration Scripts

In BMP 3.0, after the pre-configuration script has completed and the configuration is loaded, you can run a post-configuration script if one is present in the configuration file. Use the post-configuration script to check the status of configured ports or protocols, which can then be sent as a status report to a central repository for your network administrators.
Configuration Tasks

When the system boots up in BMP mode, all ports, including management ports, are placed in L3 mode in a no shut state. The system acts as a DHCP client on these ports for a period of time (dhcp-timeout). This allows the system time to send out a DHCP DISCOVER on all the interface-up ports to the DHCP server in order to obtain its IP address, boot image filename and configuration file from the DHCP server.
• Set up a DHCP server.
System boot and set-up behavior in BMP Mode

1. System begins boot up process in BMP mode (default mode).
2. The system sends DHCP Discover on all the interface-up ports.
• If there is a mismatch between the build images, the system upgrades to the downloaded version and reloads.
Reload without a DHCP Server Offer

If a switch is configured to reload in BMP mode and the DHCP server cannot be reached, the system keeps on sending DISCOVER messages.

00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/50.
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/51.
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
2. The system receives a DHCP offer from a DHCP server with the following parameters:

13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP config file NIL.
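The offer above names the DHCP server and the file-server locations the switch will load its image and configuration from, in the same URL forms the DHCP configuration section lists (ftp://user:pass@host/file, http://host/file, tftp://host/file, or a bare name for TFTP). The following is an added example, not Dell Force10 code: it parses the %JUMPSTART-5-BOOT_OFFER lines, classifies the image and config references, and reports offers that point at hosts outside a constructed allowlist. It assumes that a bare file name is fetched from the TFTP server the offer announces ("DHCP tftp IP ...").

```python
"""Audit an FTOS BMP boot offer from JUMPSTART syslog lines.

Added example for this chapter; not Dell Force10 code. The log format follows
the BOOT_OFFER lines shown in the chapter; the allowlist is a constructed
policy. Assumption: a bare file name (no scheme) is fetched over TFTP from the
server announced in the "DHCP tftp IP" line of the same offer.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}): %(?P<unit>STKUNIT\d+-M):CP "
    r"%JUMPSTART-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): ?(?P<msg>.*)$"
)
ACQUIRED_RE = re.compile(
    r"DHCP acquired IP (?P<ip>\S+) mask (?P<mask>\S+) server IP (?P<server>\S+?)\.?$"
)
TFTP_RE = re.compile(r"DHCP tftp IP (?P<tftp>\S+) sname")
FILE_RE = re.compile(r"DHCP (?P<kind>image|config) file (?P<ref>\S+?)\.?$")


@dataclass
class BootOffer:
    acquired_ip: Optional[str] = None
    mask: Optional[str] = None
    dhcp_server: Optional[str] = None
    tftp_server: Optional[str] = None
    image: Optional[str] = None
    config: Optional[str] = None


@dataclass
class FileRef:
    scheme: str
    host: Optional[str]
    path: str
    embedded_credentials: bool


def parse_boot_offer(log_text: str) -> BootOffer:
    """Collect the fields of one DHCP offer from JUMPSTART log lines.
    DISCOVER and other JUMPSTART messages are skipped; "NIL" becomes None."""
    offer = BootOffer()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("mnemonic") != "BOOT_OFFER":
            continue
        msg = m.group("msg")
        a, t, f = ACQUIRED_RE.match(msg), TFTP_RE.match(msg), FILE_RE.match(msg)
        if a:
            offer.acquired_ip, offer.mask, offer.dhcp_server = a.group("ip", "mask", "server")
        elif t:
            offer.tftp_server = None if t.group("tftp") == "NIL" else t.group("tftp")
        elif f:
            value = None if f.group("ref") == "NIL" else f.group("ref")
            if f.group("kind") == "image":
                offer.image = value
            else:
                offer.config = value
    return offer


def classify_file_ref(ref: str, tftp_server: Optional[str]) -> FileRef:
    """Classify a BMP file reference. A bare name is a TFTP fetch whose host,
    by the assumption above, is the offer's announced TFTP server."""
    if "://" not in ref:
        return FileRef("tftp", tftp_server, ref, False)
    parts = urlsplit(ref)
    return FileRef(parts.scheme.lower(), parts.hostname, parts.path,
                   parts.username is not None)


def audit_offer(offer: BootOffer, allowed_hosts: Set[str]) -> List[str]:
    """Findings: DHCP or file servers outside the allowlist, and file URLs
    that carry a username/password (as the FTP form in the DHCP section does)."""
    findings: List[str] = []
    if offer.dhcp_server and offer.dhcp_server not in allowed_hosts:
        findings.append(f"DHCP offer from unlisted server {offer.dhcp_server}")
    for kind, ref in (("image", offer.image), ("config", offer.config)):
        if ref is None:
            continue
        fr = classify_file_ref(ref, offer.tftp_server)
        if fr.host is None or fr.host not in allowed_hosts:
            findings.append(f"{kind} file {ref} served from unlisted host {fr.host}")
        if fr.embedded_credentials:
            findings.append(f"{kind} file URL embeds a username and password")
    return findings


# Constructed sample: the offer lines from this chapter, preceded by one
# DISCOVER line that the parser ignores.
SAMPLE_LOG = """\
00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin.
13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP config file NIL.
"""

if __name__ == "__main__":
    offer = parse_boot_offer(SAMPLE_LOG)
    # Constructed allowlist with only the DHCP server, so the image host is reported.
    for finding in audit_offer(offer, {"10.16.134.207"}):
        print(finding)
```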
b. If the build image versions are different, the system stores the downloaded build image in the local Flash and loads the build image from the Flash. This process is repeated until the build image versions match.
3. The pre-configuration script is downloaded instead of the configuration file.
4. The pre-configuration script is run before applying the start-up configuration file.
5. The pre-configuration script can run FTOS CLI configuration commands through the utility named "F10do".
6. When the pre-configuration script completes, the start-up configuration file will be automatically applied.
Script Examples

Auto-execution Script - Normal mode

FTOS#show reload-type
Reload-Type : normal-reload [Next boot : normal-reload]
FTOS#show file flash://autoexec
#! /usr/bin/tclsh
puts [ exec f10do "show version" ]
puts [ exec date ]
puts "this is Autoexec script"
FTOS#
FTOS#
FTOS#reload
System configuration has been modified.
The following line indicates the start of the auto-execution script.

00:00:16: %STKUNIT1-M:CP %JUMPSTART-5-AUTOEXEC_START:
00:00:19: %STKUNIT1-M:CP %CHMGR-5-CHECKIN: Checkin from Stack unit 1 (type S4810, 64 ports)
00:00:20: %STKUNIT1-M:CP %CHMGR-0-PS_UP: Power supply 0 in unit 1 is up
00:00:20: %STKUNIT1-M:CP %CHMGR-5-STACKUNITUP: Stack unit 1 is up
00:00:21: %STKUNIT1-M:CP %CHMGR-5-SYSTEM_READY: System ready
00:00:21: %STKUNIT1-M:CP %RAM-5-STACK_STATE: Stack unit 1 is in Active State.
The following line indicates the successful completion of the auto-execution script.

00:00:49: %STKUNIT1-M:CP %JUMPSTART-5-AUTOEXEC_SUCCESS: The AutoExec Script execution returned Success.

The following line indicates that the configuration file is loaded into the switch.
Pre-configuration Script - BMP Mode

#! /usr/bin/expect
#/DELL-FORCE10
# Execute F10do and Print
proc print_f10do {cmd_str} {
    set str [exec f10do "$cmd_str"]
    set tmp_str [string map {\n \r\n} $str ]
    puts $tmp_str
}
set ftp_ip "20.0.0.1"
set ftp_username "lab"
set ftp_passwd "lab"
set config_file "s4810-10-startup-config"
set post_conf "s4810-10-post-config.exp"
puts "Executing Pre-Config Script !!!!\r\n"
exec rm -rf "$config_file"
exec rm -rf "$post_conf"
puts "Downloading Startup Config and P
after 5000
puts "Download Complete !!!\r\n"
if {[file exists $config_file]} {
    puts "Config File: $config_file downloaded successfully\r\n"
} else {
    puts "ERROR: Config File: $config_file - Not Found\r\n"
}
if {[file exists $post_conf]} {
    puts "Post Config Script: $post_conf downloaded successfully\r\n"
} else {
    puts "ERROR: Post Config Script: $post_conf - Not Found\r\n"
}
# Copy Config to Startup Config
print_f10do "show version"
after 5000
print_f10do "copy flash://$c
11 Content Addressable Memory (CAM)

Content Addressable Memory (CAM) is supported on platforms: et c s.

• Content Addressable Memory
• CAM Profiles
• Microcode
• CAM Profiling for ACLs
• When to Use CAM Profiling
• Differences Between EtherScale and TeraScale
• Important Points to Remember
• Select CAM Profiles
• CAM Allocation
• Test CAM Usage
• View CAM Profiles
• View CAM-ACL settings
• Configure IPv4Flow Sub-partitions
• Configure Ingress Layer 2 ACL Sub-partitions
• Retur
• Either ExaScale 10G or 40G CAM line cards can be used in a system.

CAM Profiles

Dell Force10 systems partition each CAM module so that it can store the different types of information. The size of each partition is specified in the CAM profile. A CAM profile is stored on every card, including each RPM. The same profile must be on every line card and RPM in the chassis.
Table 11-1. CAM Profile Descriptions

CAM Profile: ipv4-64k-ipv6
Description: Provides IPv6 functionality; an alternate to ipv6-extacl that redistributes CAM space from the IPv4FIB to IPv4Flow and IPv6FIB. Available Microcodes: ipv6-extacl

The size of CAM partitions is measured in entries. Table 11-1 shows the number of entries available in each partition for all CAM profiles.
Table 11-3. Microcode Descriptions

Microcode: default
Description: Distributes CAM space for a typical deployment.

Microcode: lag-hash-align
Description: For applications that require the same hashing for bi-directional traffic (for example, VoIP call or P2P file sharing). For port-channels, this microcode maps both directions of a bi-directional flow to the same output link.

Microcode: lag-hash-mpls
Description: For hashing based on MPLS labels (up to five labels deep).
You can re-configure the amount of space, in percentage, allocated to each sub-partition. As with the IPv4Flow partition, you can configure the Layer 2 ACL partition from EXEC Privilege mode or CONFIGURATION mode. The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that the selected CAM profile allocates to the Layer 2 ACL partition. FTOS requires that you specify the amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%.
Example: EF Line Card with EG Chassis Profile (Card Problem)

R1#show linecard 1 brief
-- Line card 1 --
Status          : card problem - mismatch cam profile
Next Boot       : online
Required Type   : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Current Type    : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Hardware Rev    : Base - 1.1 PP0 - 1.1 PP1 - 1.1
Num Ports       : 48
Up Time         : 0 sec
FTOS Version    : 7.6.1.
Jumbo Capable   :
Important Points to Remember

• CAM Profiling is available on the E-Series TeraScale with FTOS versions 6.3.1.1 and later.
• All line cards within a single system must have the same CAM profile; this profile must match the system CAM profile (the profile on the primary RPM).
• FTOS automatically reconfigures the CAM profile on line cards and the secondary RPM to match the system CAM profile by saving the correct profile on the card and then rebooting it.
Step 3. Verify that the new CAM profile will be written to the CAM on the next boot. Command: show cam-profile summary. Mode: EXEC Privilege.
Step 4. Reload the system. Command: reload. Mode: EXEC Privilege.

CAM Allocation

User Configurable CAM Allocations is available on platforms: c s.

Allocate space for IPv4 ACLs and QoS regions, and IPv6 ACLs and QoS regions, on the C-Series and S-Series by using the cam-acl command in CONFIGURATION mode.
To configure the IPv4 and IPv6 ACLs and QoS regions on the entire system:

Step 1. Select a cam-acl action. Command: cam-acl [default | l2acl]. Mode: CONFIGURATION.
Note: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate space for the ACLs and QoS regions.
Step 2. Enter the number of FP blocks for each region.
Note: If allocation values are not entered for the CAM regions, the value is 0.
Ipv4Qos      : 2
L2Qos        : 2
L2PT         : 1
IpMacAcl     : 2
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
-- Line card 0 --
Current Settings(in block sizes)
L2Acl        : 2
Ipv4Acl      : 2
Ipv6Acl      : 2
Ipv4Qos      : 2
L2Qos        : 2
L2PT         : 1
IpMacAcl     : 2
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
-- Line card 6 --
Current Settings(in block sizes)
L2Acl        : 2
Ipv4Acl      : 2
Ipv6Acl      : 2
Ipv4Qos      : 2
L2Qos        : 2
L2PT         : 1
IpMacAcl     : 2
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0

The default values for the show cam-acl command are:

FTOS#show cam-acl
-- Chassi
L2Acl        : 4
Ipv4Acl      : 4
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 1
L2PT         : 0
IpMacAcl     : 0
VmanQos      : 0
VmanDualQos  : 0
EcfmAcl      : 0
FcoeAcl      : 0
iscsiOptAcl  : 2
FTOS#

View CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the command show cam-usage from EXEC Privilege mode, as shown in the following example.
The IPv4Flow CAM partitions have sub-partitions for several types of information. Table 11-5 lists the types of information stored in this partition and the number of entries that FTOS allocates to each type. Table 11-5.
FTOS(conf)#cam-ipv4flow default
FTOS#copy running-config startup-config
File with same name already exist.
Configure Ingress Layer 2 ACL Sub-partitions

IPv4Flow sub-partitions are supported on platform: e.

The Ingress Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 11-6 lists the sub-partition and the percentage of the Ingress Layer 2 ACL CAM partition that FTOS allocates to each by default.

Table 11-6.
To re-allocate CAM space within the Ingress Layer 2 ACL partition on the entire system, follow these steps, as shown in the following example:

Step 1. Re-allocate CAM space within the Ingress Layer 2 ACL partition. Command: cam-l2acl. Mode: CONFIGURATION.
Step 2. Save the running-configuration. Command: copy running-config startup-config. Mode: EXEC Privilege.
Step 3. Verify that FTOS will write the new CAM configuration to the CAM on the next boot.
Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or from CONFIGURATION mode, as shown in the following example.
• When MPLS IP packets are received, FTOS looks up to 5 labels deep for the IP header.
• When an IP header is present, hashing is based on the IP 3-tuple (source IP address, destination IP address, and IP protocol).
• If an IP header is not found after the 5th label, hashing is based on the MPLS labels.
• If the packet has more than 5 MPLS labels, hashing is based on the source and destination MAC address.
• Change to the default profile if downgrading to an FTOS version earlier than 6.3.1.1.
• Use the CONFIGURATION mode commands so that the profile is changed throughout the system.
• Use the EXEC Privilege mode commands to match the profile of a component to the profile of the target system.

QoS CAM Region Limitation

The default CAM profile allocates a partition within the IPv4Flow region to store QoS service policies.
12 Control Plane Policing (CoPP)

Control Plane Policing (CoPP) is supported on platforms: z.

Overview

Control Plane Policing (CoPP) uses ACL rules and QoS policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, and rate-limits traffic to an acceptable level.
[Figure: Protocol to Queue Classification, No CoPP Rules. Packets from the front-end ports are classified into CPU software queues Q0 to Q7 (Q6: ICMP PING at 400 PPS; Q7: STP at 1100 PPS, ingress flow entries), pass hardware queue rate limiting, and reach the CPU processes (OSPF, LACP, STP, ICMP, etc.). The flood hits the CPU at 1100 PPS and ICMP fails.]

Q7 receives STP at 1100 pps due to a network storm/loop. The CPU is hit with the entire 1100 pps and the PING attempt fails intermittently.
The CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies. Configure CoPP for protocols This section lists the commands necessary to create and enable the service-policies for CoPP. Refer to Access Control Lists (ACLs) and Quality of Service (QoS) for complete information about creating ACLs and QoS rules.
Match QoS Class Map to QoS Policy

FTOS(conf)#policy-map-input egressFP_rate_policy cpu-qos
FTOS(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k
FTOS(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k
FTOS(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
FTOS(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k
FTOS(conf-policy-map-in-cpuqos)#exit

Create Control Plane Service Policy

FTOS(conf)#control-plane-cpu
FTOS# Use the show mac protocol-queue-mapping command to view the queue mapping for the MAC protocols.
13 Data Center Bridging (DCB) The data center bridging (DCB) features are supported on the .
For example, instead of deploying an Ethernet network for LAN traffic, additional storage area networks (SANs) to ensure lossless fiber-channel traffic, and a separate InfiniBand network for high-performance inter-processor computing within server clusters, only one DCB-enabled network is required in a data center.
PFC enhances the existing 802.3x pause and 802.1p priority capabilities to enable flow control based on 802.1p priorities (classes of service). Instead of stopping all traffic on a link (as performed by the traditional Ethernet pause mechanism), PFC pauses traffic on a link according to the 802.1p priority set on a traffic type. You can create lossless flows for storage and server traffic while allowing for loss in case of LAN traffic congestion on the same physical interface.
Enhanced Transmission Selection

Enhanced transmission selection (ETS) supports optimized bandwidth allocation between traffic types in multiprotocol (Ethernet, FCoE, SCSI) links. ETS allows you to divide traffic according to its 802.1p priority into different priority groups (traffic classes) and configure bandwidth allocation and queue scheduling for each group to ensure that each traffic type is correctly prioritized and receives its required bandwidth.
• Bandwidth allocated by the ETS algorithm is made available after strict-priority groups are serviced.
• If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups.
• For ETS traffic selection, an algorithm is applied to priority groups using:
  • Strict-priority shaping
  • ETS shaping

Credit-based shaping is not supported. ETS uses the DCB MIB IEEE 802.1azd2.5.
Figure 13-3. DCB PFC and ETS Traffic Handling

Enabling Data Center Bridging

Data center bridging (DCB) is automatically configured when FCoE or iSCSI Optimization are configured. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
Task: Set PFC buffering on the DCB stack unit. Command: dcb stack-unit all pfc-buffering pfc-ports 64 pfc-queues 2. Mode: CONFIGURATION.
Note: Save the configuration and reboot the system to save the PFC buffering configuration changes.

FTOS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces (refer to Ethernet Pause Frames on page 469).
Table 13-1. dot1p Priority-Queue Assignment

dot1p Value in Incoming Frame | Egress Queue Assignment
0 | 0
1 | 0
2 | 0
3 | 1
4 | 2
5 | 3
6 | 3
7 | 3

Configuring Priority-Based Flow Control

Priority-based flow control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when DCB is enabled.
Step 3. Configure the CoS traffic to be stopped for the specified delay. Command: pfc priority priority-range. Mode: DCB INPUT POLICY.
Enter the 802.1p values of the frames to be paused. Range: 0-7. Default: None. Maximum number of lossless queues supported on the switch: 2. Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 1,3,5-7.
FTOS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE802.1Qbb, CEE and CIN versions of PFC TLV are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices. By applying a DCB input policy with PFC enabled, you enable PFC operation on ingress port traffic.
A DCB input policy for PFC applied to an interface may become invalid if dot1p-queue mapping is reconfigured (refer to Create Input Policy Maps in Chapter 38, Quality of Service (QoS)). This situation occurs when the new dot1p-queue assignment exceeds the maximum number (2) of lossless queues supported globally on the switch. In this case, all PFC configurations received from PFC-enabled peers are removed and re-synchronized with the peer devices.
FTOS Behavior: By default, no lossless queues are configured on a port. A limit of two lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the two lossless queues, an error message is displayed. You must reconfigure the input policy using a smaller number of PFC priorities.
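Whether a pfc priority list fits the two-lossless-queue limit depends on how many distinct egress queues the listed dot1p values map to, which is why a reconfigured dot1p-queue mapping can invalidate a policy that was previously accepted. The following is an added example, not FTOS code: it parses the pfc priority syntax, maps the priorities through Table 13-1, and reports whether the policy stays within the limit; REMAPPED_EXAMPLE is a constructed alternative mapping used only to show the reconfiguration case.

```python
"""Check a DCB input policy's PFC priority list against Table 13-1 and the
two-lossless-queue limit described in this chapter.

Added example, not FTOS code. DOT1P_TO_QUEUE reproduces Table 13-1;
REMAPPED_EXAMPLE is a constructed dot1p-queue assignment used to show how a
remapping can push a previously valid policy over the limit.
"""
from typing import Dict, List, Set

# Table 13-1: dot1p value in the incoming frame -> egress queue.
DOT1P_TO_QUEUE: Dict[int, int] = {0: 0, 1: 0, 2: 0, 3: 1, 4: 2, 5: 3, 6: 3, 7: 3}
# Maximum number of lossless queues supported on the switch (from the chapter).
MAX_LOSSLESS_QUEUES = 2
# Constructed mapping that spreads the high priorities over more queues.
REMAPPED_EXAMPLE: Dict[int, int] = {0: 0, 1: 0, 2: 0, 3: 1, 4: 2, 5: 3, 6: 4, 7: 5}


def parse_priority_list(spec: str) -> List[int]:
    """Parse the pfc priority argument: comma-separated values and dash
    ranges, e.g. "1,3,5-7" -> [1, 3, 5, 6, 7]. Rejects values outside 0-7."""
    result: Set[int] = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty element in priority list")
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range {token!r}")
            values = range(lo, hi + 1)
        else:
            values = range(int(token), int(token) + 1)
        for v in values:
            if not 0 <= v <= 7:
                raise ValueError(f"dot1p priority {v} is outside 0-7")
            result.add(v)
    return sorted(result)


def lossless_queues(priorities: List[int],
                    mapping: Dict[int, int] = DOT1P_TO_QUEUE) -> List[int]:
    """Egress queues that become lossless when these priorities are paused."""
    return sorted({mapping[p] for p in priorities})


def validate_pfc_policy(spec: str,
                        mapping: Dict[int, int] = DOT1P_TO_QUEUE) -> dict:
    """Return the parsed priorities, the queues they pause, and whether the
    policy stays within MAX_LOSSLESS_QUEUES (otherwise FTOS reports an error,
    per the FTOS Behavior note above)."""
    priorities = parse_priority_list(spec)
    queues = lossless_queues(priorities, mapping)
    return {
        "priorities": priorities,
        "queues": queues,
        "valid": len(queues) <= MAX_LOSSLESS_QUEUES,
    }


if __name__ == "__main__":
    # The chapter's syntax example "1,3,5-7" touches queues 0, 1 and 3 under
    # Table 13-1, one more than the limit; "3,4" touches queues 1 and 2.
    for spec in ("1,3,5-7", "3,4", "4,5-7"):
        print(spec, validate_pfc_policy(spec))
    # The same "4,5-7" policy under the constructed remapping spans four queues.
    print("4,5-7 (remapped)", validate_pfc_policy("4,5-7", REMAPPED_EXAMPLE))
```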
DCB and Switch Stacking Caveats for the S4820T

The following is a list of behaviors and limitations regarding the use of DCB over S4820T ports involved in switch stacking:
• You can enable DCB only on 40 Gig (QSFP+) ports.
• DCB is not supported over any of the 48 RJ-45 10 Gig ports while they are configured in stacking mode.
• You cannot configure stacking on any of the 48 RJ-45 10 Gig ports if DCB is enabled on any of the 40 Gig stacking ports.
• When allocating bandwidth or configuring a queue scheduler for dot1p priorities in a priority group on a DCBx CIN interface, take into account the CIN bandwidth allocation (Configuring Bandwidth Allocation for DCBx CIN) and dot1p-queue mapping (Table 13-1).
Step 3. (Optional) Configure the bandwidth percentage allocated to priority traffic in port queues. Command: bandwidth-percentage percentage. Mode: POLICY-MAP-OUT-ETS.
Percentage range: 1 to 100% in units of 1%. The sum of bandwidth percentages assigned to dot1p priorities/queues in a priority group should be 100%. Default: None.
Command: exit. Mode: POLICY-MAP-OUT-ETS.
Note: If you configure bandwidth allocation, you cannot configure a scheduling method in Step 2.
FTOS Behavior: Traffic in priority groups is assigned to strict-queue or WERR scheduling in an ETS output policy and is managed using the ETS bandwidth-assignment algorithm. FTOS de-queues all frames of strict-priority traffic before servicing any other queues. A queue with strict-priority traffic can starve other queues in the same port. ETS-assigned bandwidth allocation and scheduling apply only to data queues, not to control queues.
Creating an ETS Priority Group

An ETS priority group specifies the range of 802.1p priority traffic to which a QoS output policy with ETS settings is applied on an egress interface. You can associate a priority group to more than one ETS output policy on different interfaces. To create a priority group for ETS, follow these steps:

Step 1. Create an ETS priority group to use with an ETS output policy. Maximum: 32 characters.
Applying an ETS Output Policy for a Priority Group to an Interface

To apply ETS on egress port traffic, you must associate a priority group with an ETS output policy which has scheduling and bandwidth configuration in a DCB output policy, and then apply the output policy to an interface. To apply ETS on egress port traffic, follow these steps:

Step 1. Create a DCB output policy to associate an ETS configuration with priority traffic.
FTOS Behavior: Create a DCB output policy to associate a priority group with an ETS output policy with scheduling and bandwidth configuration. You can apply a DCB output policy on multiple egress ports. The ETS configuration associated with 802.1p priority traffic in a DCB output policy is used in DCBx negotiation with ETS peers. When you apply an ETS output policy to an interface, ETS-configured scheduling and bandwidth allocation take precedence over any configured settings in the QoS output policies.
- The priority group for strict-priority scheduling (scheduler strict command; Creating a QoS ETS Output Policy)

If you configure only the priority group in an ETS output policy or only the dot1p priority for strict-priority scheduling, the flow is handled with group strict priority.
Applying DCB Policies in a Switch Stack

Note: The S4820T does not support DCB on any of the 48 RJ-45 10 Gigabit stacking links.

You can apply a DCB input policy with PFC configuration to all stacked ports in a switch stack or on a stacked switch. You can apply different DCB input policies to different stacked switches.

Task: Apply the specified DCB input policy on all ports of the switch stack or a single stacked switch.
Configuring DCBx Operation

The data center bridging exchange protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP). DCBx can detect the misconfiguration of a peer DCB device and, optionally, configure peer DCB devices with DCB feature settings to ensure consistent operation in a data center network.
• When an auto-upstream port (besides the configuration source) receives and overwrites its configuration with internally propagated information, one of the following actions is taken:
  • If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
Default DCBx port role: Manual.

Note: On a DCBx port, application priority TLV advertisements are handled as follows:
- The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port.
- On auto-upstream and auto-downstream ports:
  - If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
• The port is enabled with link up and DCBx enabled.
• The port has performed a DCBx exchange with a DCBx peer.
• The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange.

A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
If you configure a DCBx port to operate with a specific version (dcbx version {cee | cin | ieee-v2.5} command in the DCBx Configuration Procedure), DCBx operations are performed according to the configured version, including fast and slow transmit timers and message formats. If a DCBx frame with a different version is received, a syslog message is generated and the peer version is recorded in the peer status table.
Figure 13-4.
DCBx Prerequisites and Restrictions

The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• DCBx requires LLDP in both send (TX) and receive (RX) mode to be enabled on a port interface (protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter).
• If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
Step | Task | Command | Command Mode
3 | Configure the DCBx version used on the interface, where:
  • auto configures the port to operate using the DCBx version received from a peer.
  • cee configures the port to use CEE (Intel 1.01).
  • cin configures the port to use Cisco-Intel-Nuova (DCBx 1.0).
  • ieee-v2.5 configures the port to use IEEE 802.1Qaz (Draft 2.5).
  Default: Auto. | [no] dcbx version {auto | cee | cin | ieee-v2.5} |
Step | Task | Command | Command Mode
6 | On manual ports only: Configure the Application Priority TLVs advertised on the interface to DCBx peers, where:
  • fcoe enables the advertisement of FCoE in Application Priority TLVs.
  • iscsi enables the advertisement of iSCSI in Application Priority TLVs.
  Default: Application Priority TLVs are enabled to advertise FCoE and iSCSI. | |
Step | Task | Command | Command Mode
4 | Configure the PFC and ETS TLVs to be advertised on unconfigured interfaces with a manual port role, where:
  • ets-conf enables transmission of ETS Configuration TLVs.
  • ets-reco enables transmission of ETS Recommendation TLVs.
  • pfc enables transmission of PFC TLVs. | |
DCBx Error Messages

An error in DCBx operation is reported with the following syslog messages:
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
Verifying DCB Configuration

Use the show commands in Table 13-2 to display DCB configurations.

Table 13-2. Displaying DCB Configurations
Command | Output
show dot1p-queue mapping | Displays the current 802.1p priority-queue mapping.
show dcb [stack-unit unit-number] | Displays data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. Range: 0 to 5.
Figure 13-7. show qos dcb-input Command Example
FTOS(conf)# show qos dcb-input
dcb-input pfc-profile
  pfc link-delay 32
  pfc priority 0-1
dcb-input pfc-profile1
  no pfc mode on
  pfc priority 6-7

Figure 13-8. show qos dcb-output Command Example
FTOS# show qos dcb-output
dcb-output ets
  priority-group san qos-policy san
  priority-group ipc qos-policy ipc
  priority-group lan qos-policy lan

Figure 13-9.
Figure 13-10.
Table 13-3. show interface pfc summary Command Description
Field | Description
Remote is enabled, Priority list | Operational status (enabled or disabled) of the peer device for DCBx exchange of PFC configuration, with a list of the configured PFC priorities.
Remote Willing Status is enabled | Willing status of the peer device for DCBx exchange (Willing bit received in the PFC TLV): enabled or disabled.
Table 13-3. show interface pfc summary Command Description (continued)
Field | Description
PFC TLV Statistics: Pause Rx pkts |

Figure 13-11.
Figure 13-12.
FTOS(conf)# show interfaces tengigabitethernet 0/0 ets detail
Interface TenGigabitEthernet 0/0
Max Supported TC Groups is 4
Number of Traffic Classes is 8
Admin mode is on

Admin Parameters :
------------------
Admin is enabled
TC-grp  Priority#          Bandwidth  TSA
0       0,1,2,3,4,5,6,7    100%       ETS
1                          0%         ETS
2                          0%         ETS
3                          0%         ETS
4                          0%         ETS
5                          0%         ETS
6                          0%         ETS
7                          0%         ETS

Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS

Remote Parameters:
------------------
Remote is disabled

Local
Figure 13-13.
Table 13-4. show interface ets detail Command Description
Field | Description
Interface | Interface type with stack-unit and port number.
Max Supported TC Group | Maximum number of priority groups supported.
Number of Traffic Classes | Number of 802.1p priorities currently configured.
Admin mode | ETS mode: on or off. When on, the scheduling and bandwidth allocation configured in an ETS output policy or received in a DCBx TLV from a peer can take effect on an interface.
Figure 13-14.
Figure 13-16.
Figure 13-17.
Table 13-5. show interface dcbx detail Command Description
Field | Description
Local DCBx Compatibility mode | DCBx version accepted in a DCB configuration as compatible. In auto-upstream mode, a port can only receive a DCBx version supported on the remote peer.
Local DCBx Configured mode | DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (the port auto-configures to use the DCBx version received from a peer).
PFC and ETS Configuration Examples

This section contains examples of how to configure and apply DCB input and output policies on an interface.

Using PFC and ETS to Manage Data Center Traffic

In the following example:
• Incoming SAN traffic is configured for priority-based flow control.
• Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling).
Figure 13-18. Example: PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic

QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in Table 13-6. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
Table 13-6. Example: dot1p-Queue Assignment
dot1p Value in Incoming Frame | Queue Assignment
0 | 0
1 | 0
2 | 0
3 | 1
4 | 2
5 | 3
6 | 3
7 | 3

Lossless SAN traffic with dot1p priority 3 is assigned to queue 1. Other traffic types are assigned the 802.1p priorities shown in Table 13-7 and the bandwidth allocations shown in Table 13-8.

Table 13-7. Example: dot1p-priority class group Assignment
dot1p Value in Incoming Frame |

Table 13-8.
Figure 13-19.
Figure 13-20.
Hierarchical Scheduling in ETS Output Policies

ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
• Priority group 1 assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
• Priority group 2 assigns traffic to one priority queue with 30% of the link bandwidth.
14 S-Series Debugging and Diagnostics

The chapter contains the following major sections:
• Offline diagnostics
• Trace logs
• Last restart reason
• show hardware commands
• Environmental monitoring
• Buffer tuning
• Troubleshooting packet loss
• Application core dumps
• Mini core dumps
• TCP dumps

Offline diagnostics

The offline diagnostics test suite is useful for isolating faults and debugging hardware.
Important Points to Remember
• You can only perform offline diagnostics on an offline standalone unit or an offline member unit of a stack of three or more. You cannot perform diagnostics on the management or standby unit in a stack of two or more (Message 1).

Message 1 Offline Diagnostics on Master/Standby
Error Running Diagnostics on master/standby unit is not allowed on stack.

• Perform offline diagnostics on one stack member at a time.
Figure 14-2. Verifying the Offline/Online Status of an S-Series Stack Unit
FTOS#show system brief | no-more
Stack MAC : 00:01:e8:d6:02:39

-- Stack Info --
Unit  UnitType    Status   ReqTyp  CurTyp  Version     Ports
---------------------------------------------------------------------------
0     Standby     online   S25V    S25V    4.7.7.220   28
1     Management  offline  S50N    S50N    4.7.7.220   52
2     Member      online   S25P    S25P    4.7.7.
Figure 14-3. Running Offline Diagnostics on an S-Series Standalone Unit
FTOS#diag stack-unit 1 alllevels
Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
00:03:35: %S50N:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1
00:03:35 : Approximate time to complete these Diags ...
4. View the results of the diagnostic tests using the command show file flash:// from EXEC Privilege mode, as shown in Figure 14-5.

Figure 14-5. Viewing the Results of Offline Diagnostics on a Standalone Unit
FTOS#show file flash://TestReport-SU-0.txt
**********************************S-Series Diagnostics********************
Stack Unit Board Serial Number : DL267160098
CPU Version : MPC8541, Version: 1.1
PLD Version : 5
Diag image based on build : E_MAIN4.7.7.206
Stack Unit Board Voltage levels - 3.
Auto Save on Crash or Rollover

Exception information for master or standby units is stored in the flash:/TRACE_LOG_DIR directory. This directory contains files that save trace information when there has been a task crash or timeout. On a master unit, the TRACE_LOG_DIR files can be reached by FTP or by using the show file command from the flash://TRACE_LOG_DIR directory.
show hardware commands Note: The show hardware command tree is supported on the S4810 and Z9000. The show hardware command tree consists of EXEC Privilege commands used with the S4810 system. These commands display information from a hardware sub-component and from hardware-based feature tables. Table 14-3 lists the show hardware commands available as of the latest FTOS version on the S4810.
Table 14-3. show hardware Commands
Command | Description
show hardware stack-unit {0-11} unit {0-1} ipmc-replication | View the Multicast IPMC replication table from the bShell.
show hardware stack-unit {0-11} unit {0-1} port-stats [detail] | View the internal statistics for each port-pipe (unit) on a per-port basis.
show hardware stack-unit {0-11} unit {0-1} register | View the stack-unit internal registers for each port-pipe.
To view the programmed alarm threshold levels, including the shutdown value, execute the show alarms threshold command shown in Figure 14-7.

Figure 14-7. show alarms threshold Command Example
FTOS#show alarms threshold
-- Temperature Limits (deg C) --
---------------------------------------------------------------
           Minor  Minor Off  Major  Major Off  Shutdown
Linecard   75     70         80     77         85
RPM        65     60         75     70         80
FTOS#

Troubleshoot an over-temperature condition

To troubleshoot an over-temperature condition:
1.
Troubleshoot an under-voltage condition

To troubleshoot an under-voltage condition, check that the correct number of power supplies are installed and their Status LEDs are lit.

The SNMP traps and OIDs in Table 14-4 provide information on S-Series environmental monitoring hardware and hardware components.

Table 14-4. SNMP Traps and OIDs
OID String | OID Name | Description
 | chSysPortXfpRecvPower | OID to display the receiving power of the connected optics.
Table 14-5 describes the type and number of ASICs per platform.

Table 14-5. ASICs by Platform
Hardware | FP | CSF
S50N, S50V | 2 | 0
S25V, S25P, S25N | 1 | 0

You can tune buffers at three locations, as shown in Figure 14-8.
1. CSF – Output queues going from the CSF.
2. FP Uplink – Output queues going from the FP to the CSF IDP links.
3. Front-End Link – Output queues going from the FP to the front-end PHY.

All ports support eight queues, 4 for data traffic and 4 for control traffic. All 8 queues are tunable.
Figure 14-8. Buffer Tuning Points (CSF unit, IDP switch links, FP unit and front-end links to the PHYs; tuning points 1, 2 and 3 as listed above)

Deciding to tune buffers

Dell Force10 recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces).
Buffer tuning commands

Task | Command | Command Mode
Define a buffer profile for the FP queues. | buffer-profile fp fsqueue | CONFIGURATION
Define a buffer profile for the CSF queues. | buffer-profile csf csqueue | CONFIGURATION
Change the dedicated buffers on a physical 1G interface. | buffer dedicated | BUFFER PROFILE
Change the maximum amount of dynamic buffers an interface can request. | buffer dynamic | BUFFER PROFILE
Change the number of packet-pointers per queue. | |
Figure 14-9. Display the Default Buffer Profile
FTOS#show buffer-profile detail interface gigabitethernet 0/1
Interface Gi 0/1
Buffer-profile
Dynamic buffer 194.88 (Kilobytes)
Queue#  Dedicated Buffer (Kilobytes)  Buffer Packets
0       2.50                          256
1       2.50                          256
2       2.50                          256
3       2.50                          256
4       9.38                          256
5       9.38                          256
6       9.38                          256
7       9.38                          256

Figure 14-10.
Using a pre-defined buffer profile

FTOS provides two pre-defined buffer profiles, one for single-queue (non-QoS) applications and one for four-queue (QoS) applications.

Task | Command | Command Mode
Apply one of the two pre-defined buffer profiles for all port pipes in the system. | buffer-profile global [1Q|4Q] | CONFIGURATION

You must reload the system for the global buffer profile to take effect (Message 5).
Figure 14-11.
Figure 14-12.
Figure 14-13.
Figure 14-14.
Displaying Stack Port Statistics

The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface, as shown in Figure 14-16.

Figure 14-16.
Application core dumps

Application core dumps are disabled by default. A core dump file can be very large. Due to memory requirements, the file can only be sent directly to an FTP server; it is not stored on the local flash. Enable full application core dumps with the following:

Task | Command Syntax | Command Mode
Enable RPM core dumps and specify the shutdown mode. | logging coredump server | CONFIGURATION

Undo this command using no logging coredump server.
Figure 14-19.
Task | Command Syntax | Command Mode
Enable a TCP dump for CPU-bound traffic. | |
15 Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is available on platforms: e c s z

This chapter contains the following sections:
• Protocol Overview
• Implementation Information
• Configuration Tasks
• Configure the System to be a DHCP Server
• Configure the System to be a Relay Agent
• Configure the System for User Port Stacking
• Configure Secure DHCP

Protocol Overview

Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that dyn
DHCP Packet Format and Options

DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV) format; many options are specified in RFC 2132.
Assigning an IP Address using DHCP

When a client joins a network:
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
Implementation Information
• The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046.
• IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature, and as such you cannot apply ACLs to an interface which has IP Source Address Validation enabled.
A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The key responsibilities of DHCP servers are:
1. Address Storage and Management: DHCP servers are the owners of the addresses used by DHCP clients. The server stores the addresses and manages their use, keeping track of which addresses have been allocated and which are still available.
2.
Create an IP Address Pool

An address pool is a range of IP addresses that may be assigned by the DHCP server. Address pools are indexed by subnet number. To create an address pool:

Step | Task | Command Syntax | Command Mode
1 | Access the DHCP server CLI context. | ip dhcp server | CONFIGURATION
2 | Create an address pool and give it a name. | pool name | DHCP
3 | Specify the range of IP addresses from which the DHCP server may assign addresses. • network is the subnet address. | |
Specify an Address Lease Time

Task | Command Syntax | Command Mode
Specify an address lease time for the addresses in a pool. Default: 24 hours | lease {days [hours] [minutes] | infinite} | DHCP

Specify a Default Gateway

The IP address of the default router should be on the same subnet as the client.

Task | Command Syntax | Command Mode
Specify default gateway(s) for the clients on the subnet, in order of preference. | |
Configure a Method of Hostname Resolution

Dell Force10 systems are capable of providing DHCP clients with parameters for two methods of hostname resolution.

Address Resolution using DNS

A domain is a group of networks. DHCP clients query DNS servers when they need to correlate host names to IP addresses.

Step | Task | Command Syntax | Command Mode
1 | Create a domain. | |
To create a manual binding:

Step | Task | Command Syntax | Command Mode
1 | Create an address pool. | pool name | DHCP
2 | Specify the client IP address. | host address | DHCP
3 | Specify the client hardware address. • hardware-address is the client MAC address. • type is the protocol of the hardware platform. The default protocol is Ethernet. | hardware-address hardware-address type | DHCP

Debug DHCP server

Task | Command Syntax | Command Mode
Display debug information for the DHCP server. | |
Note: DHCP Relay is not available on Layer 2 interfaces and VLANs.

Figure (DHCP relay): a DHCP Relay Device sits between the client and DHCP Server 10.11.2.5. Broadcast leg: Source IP 10.11.1.5, Destination IP 255.255.255.255, Source Port 67, Destination Port 68. Unicast leg: Source IP 10.11.1.5, Destination IP 10.11.0.3, Source Port 67, Destination Port 68.

When ip helper-address is configured, the system listens for DHCP broadcast messages on port 67.
Configure the System for User Port Stacking

When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when the units are connected.

Configure Secure DHCP

The following feature is available on platforms: c es z (except where noted).

DHCP as defined by RFC 2131 provides no authentication or security mechanisms.
The relay agent strips Option 82 from DHCP responses before forwarding them to the client.

Task | Command Syntax | Command Mode
Insert Option 82 into DHCP packets. For routers between the relay agent and the DHCP server, enter the trust-downstream option. | ip dhcp relay information-option [trust-downstream] | CONFIGURATION
Manually reset the remote ID for Option 82. | |
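The packet format and TLV option encoding described in DHCP Packet Format and Options, and the relay-agent Option 82 handling described above, as an added example in Python. This is not FTOS code and does not come from this guide. It builds constructed DHCPDISCOVER and DHCPOFFER packets, parses the RFC 2132 option area with explicit length checks, and shows a relay inserting giaddr and Option 82 (circuit-id and remote-id sub-options, RFC 3046) on the way to the server, stripping Option 82 on the way back to the client, and dropping a client packet that already carries a forged Option 82 unless trust-downstream is set. The interface name Gi0/2, the remote-id switch-1, the addresses, and the drop-unless-trusted rule are this example's assumptions, modelled on the trust-downstream description above and on RFC 3046 section 2.1.1.

```python
import struct

# BOOTP fixed header (236 bytes) + 4-byte magic cookie, then RFC 2132 TLV options.
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2          # RFC 3046 Option 82 sub-options
BOOTREQUEST, BOOTREPLY = 1, 2
DHCPDISCOVER, DHCPOFFER = 1, 2


def serialize_options(opts):
    """Encode {code: value}; an Option 82 value given as {sub-code: bytes} is nested."""
    out = bytearray()
    for code, val in opts.items():
        if isinstance(val, dict):
            val = b"".join(bytes([s, len(v)]) + v for s, v in val.items())
        out += bytes([code, len(val)]) + val
    return bytes(out) + bytes([OPT_END])


def parse_tlvs(data, nested=False):
    """Walk a TLV area; each length is checked against the buffer before it is used."""
    out, i = {}, 0
    while i < len(data):
        code = data[i]
        if not nested and code == OPT_PAD:
            i += 1
            continue
        if not nested and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length %d overruns buffer" % (code, length))
        out[code] = parse_tlvs(value, nested=True) if (code == OPT_RELAY_AGENT and not nested) else value
        i += 2 + length
    return out


def parse_options(pkt):
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (no magic cookie)")
    return parse_tlvs(pkt[240:])


def build_packet(op, chaddr, yiaddr, giaddr, options):
    """Minimal constructed DHCP packet; options is a list of (code, value)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0x8000,      # htype Ethernet, hlen 6, xid, broadcast flag
                         b"\0" * 4, yiaddr, b"\0" * 4, giaddr,     # ciaddr, yiaddr, siaddr, giaddr
                         chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + serialize_options(dict(options))


def relay_to_server(pkt, relay_ip, circuit_id, remote_id, trust_downstream=False):
    """Client -> server direction. Returns the packet to forward, or None to drop it."""
    opts = parse_options(pkt)
    if OPT_RELAY_AGENT in opts and not trust_downstream:
        return None                     # Option 82 from an untrusted downstream: drop (RFC 3046 2.1.1)
    if pkt[24:28] == b"\0" * 4:
        pkt = pkt[:24] + relay_ip + pkt[28:]   # the first relay on the path fills in giaddr
    if OPT_RELAY_AGENT not in opts:
        opts[OPT_RELAY_AGENT] = {SUB_CIRCUIT_ID: circuit_id, SUB_REMOTE_ID: remote_id}
    return pkt[:240] + serialize_options(opts)


def relay_to_client(pkt):
    """Server -> client direction: Option 82 is for the relay and server only."""
    opts = parse_options(pkt)
    opts.pop(OPT_RELAY_AGENT, None)
    return pkt[:240] + serialize_options(opts)


def demo():
    client_mac = bytes.fromhex("00004d57f250")
    relay_ip = bytes([10, 11, 1, 5])
    discover = build_packet(BOOTREQUEST, client_mac, b"\0" * 4, b"\0" * 4,
                            [(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    upstream = relay_to_server(discover, relay_ip, b"Gi0/2", b"switch-1")
    seen_by_server = parse_options(upstream)
    # The server echoes Option 82 unchanged in its reply (RFC 3046 section 2.2).
    offer = build_packet(BOOTREPLY, client_mac, bytes([10, 11, 1, 20]), relay_ip,
                         [(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                          (OPT_RELAY_AGENT, seen_by_server[OPT_RELAY_AGENT])])
    downstream = relay_to_client(offer)
    # A client that forges its own Option 82 to claim a different circuit (port).
    forged = build_packet(BOOTREQUEST, client_mac, b"\0" * 4, b"\0" * 4,
                          [(OPT_MSG_TYPE, bytes([DHCPDISCOVER])),
                           (OPT_RELAY_AGENT, {SUB_CIRCUIT_ID: b"Gi0/24"})])
    trusted = relay_to_server(forged, relay_ip, b"Gi0/2", b"switch-1", trust_downstream=True)
    return {
        "giaddr": ".".join(str(b) for b in upstream[24:28]),
        "server_circuit_id": seen_by_server[OPT_RELAY_AGENT][SUB_CIRCUIT_ID],
        "server_remote_id": seen_by_server[OPT_RELAY_AGENT][SUB_REMOTE_ID],
        "client_sees_option82": OPT_RELAY_AGENT in parse_options(downstream),
        "forged_dropped": relay_to_server(forged, relay_ip, b"Gi0/2", b"switch-1") is None,
        "forged_kept_when_trusted": parse_options(trusted)[OPT_RELAY_AGENT][SUB_CIRCUIT_ID],
    }


if __name__ == "__main__":
    print(demo())
```

The length checks in parse_tlvs are the part worth copying: a length byte that runs past the end of the datagram is the classic way a malformed option crashes a naive parser, and a relay that parses before it inserts must survive it. The forged case also shows why trust-downstream should only be enabled on the router side of a relay, never on a client-facing interface.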
Enable DHCP Snooping

Step | Task | Command Syntax | Command Mode
1 | Enable DHCP Snooping globally. | ip dhcp snooping | CONFIGURATION
2 | Specify ports connected to DHCP servers as trusted. | ip dhcp snooping trust | INTERFACE
3 | Enable DHCP Snooping on a VLAN. | ip dhcp snooping vlan | CONFIGURATION

Add a static entry in the binding table

Task | Command Syntax | Command Mode
Add a static entry in the binding table. | |
View the DHCP Snooping statistics with the show ip dhcp snooping command.

FTOS#show ip dhcp snooping
IP DHCP Snooping                    : Enabled.
IP DHCP Snooping Mac Verification   : Disabled.
IP DHCP Relay Information-option    : Disabled.
IP DHCP Relay Trust Downstream      : Disabled.
View the number of entries in the table with the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port.

FTOS#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address    MAC Address        Expires(Sec)  Type  VLAN   Interface
========================================================================
10.1.1.251    00:00:4d:57:f2:50  172800        D     Vl 10  Gi 0/2
10.1.1.252    00:00:4d:57:e6:f6  172800        D     Vl 10  Gi 0/1
10.1.1.
• denial of service: an attacker can send fraudulent ARP messages to a client to associate a false MAC address with the gateway address, which would blackhole all internet-bound packets from the client.

Note: DAI uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system.
Use the show arp inspection statistics command to see how many valid and invalid ARP packets have been processed.

FTOS#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
---------------------------------------
Valid ARP Requests    : 0
Valid ARP Replies     : 1000
Invalid ARP Requests  : 1000
Invalid ARP Replies   : 0
FTOS#

Bypass the ARP Inspection

You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments.
The DHCP binding table associates addresses assigned by the DHCP servers with the port on which the requesting client is attached. When IP Source Address Validation is enabled on a port, the system verifies that the source IP address is one that is associated with the incoming port. If an attacker is impersonating a legitimate client, the source address appears on the wrong ingress port and the system drops the packet.
Step | Task | Command Syntax | Command Mode
4 | Enable IP+MAC Source Address Validation. | ip dhcp source-address-validation ipmac | INTERFACE

FTOS creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.

Task | Command Syntax | Command Mode
Display the IP+MAC ACL for an interface or for the entire system. | |
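The enforcement logic that DHCP Snooping, Dynamic ARP Inspection and IP Source Address Validation share, as an added Python example covering the three sections above (Enable DHCP Snooping, DAI, and IP Source Address Validation). It is not FTOS code: FTOS realises the same checks as CAM entries and internally generated ACLs, while this model keeps a binding table in a dictionary. Server messages arriving on untrusted ports are dropped, a binding is created only from a DHCPACK that arrives on a trusted port and matches a request seen earlier, MAC verification compares the frame source MAC with chaddr, and the binding table then decides whether an IP packet or an ARP message on an untrusted port is allowed. The port names, addresses and the constructed message dictionaries are this example's assumptions, loosely based on the show ip dhcp snooping binding output above.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    expires: int          # seconds, as in the show ip dhcp snooping binding output


class SnoopingSwitch:
    def __init__(self, trusted_ports, snooped_vlans):
        self.trusted = set(trusted_ports)     # ip dhcp snooping trust / arp inspection trust
        self.vlans = set(snooped_vlans)       # ip dhcp snooping vlan
        self.bindings = {}                    # (vlan, ip) -> Binding
        self.pending = {}                     # (vlan, client MAC) -> port the request arrived on
        self.drops = []
        self.arp_stats = Counter()

    def add_static(self, ip, mac, vlan, port):
        """Static binding for a host that never uses DHCP (the gateway, a server)."""
        self.bindings[(vlan, ip)] = Binding(ip, mac, vlan, port, expires=0)

    def _drop(self, reason, port):
        self.drops.append((reason, port))
        return "dropped"

    def on_dhcp(self, msg, port, vlan, src_mac):
        """msg is a constructed stand-in for a DHCP packet: type, chaddr and, for ACKs, yiaddr/lease."""
        if vlan not in self.vlans:
            return "forwarded"                       # snooping not enabled on this VLAN
        if msg["type"] in ("OFFER", "ACK", "NAK"):   # server-originated messages
            if port not in self.trusted:
                return self._drop("server-message-on-untrusted-port", port)
            if msg["type"] == "ACK":
                client_port = self.pending.pop((vlan, msg["chaddr"]), None)
                if client_port is not None:
                    self.bindings[(vlan, msg["yiaddr"])] = Binding(
                        msg["yiaddr"], msg["chaddr"], vlan, client_port, msg["lease"])
            return "forwarded"
        if port not in self.trusted and src_mac != msg["chaddr"]:
            return self._drop("mac-verification", port)   # chaddr must match the frame source MAC
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, msg["chaddr"])] = port
        return "forwarded"

    def check_ip(self, vlan, port, src_ip, src_mac, mode="ip"):
        """IP Source Address Validation: the source must be bound to this very port;
        mode 'ipmac' additionally pins the source MAC (the ipmac form of the command)."""
        if port in self.trusted:
            return True
        b = self.bindings.get((vlan, src_ip))
        ok = b is not None and b.port == port and (mode == "ip" or b.mac == src_mac)
        if not ok:
            self._drop("source-address-validation", port)
        return ok

    def check_arp(self, vlan, port, sender_ip, sender_mac):
        """Dynamic ARP Inspection: sender IP/MAC must match a binding; trusted ports bypass."""
        if port in self.trusted:
            self.arp_stats["valid"] += 1
            return True
        b = self.bindings.get((vlan, sender_ip))
        ok = b is not None and b.mac == sender_mac
        self.arp_stats["valid" if ok else "invalid"] += 1
        if not ok:
            self._drop("arp-inspection", port)
        return ok


def demo():
    sw = SnoopingSwitch(trusted_ports={"Gi0/24"}, snooped_vlans={10})
    victim, attacker, gateway = "00:00:4d:57:f2:50", "de:ad:be:ef:00:01", "00:01:e8:d6:02:39"
    sw.add_static("10.1.1.1", gateway, 10, "Gi0/24")
    # Legitimate client on Gi0/1 obtains 10.1.1.251 from the server behind trusted Gi0/24.
    sw.on_dhcp({"type": "DISCOVER", "chaddr": victim}, "Gi0/1", 10, victim)
    sw.on_dhcp({"type": "ACK", "chaddr": victim, "yiaddr": "10.1.1.251", "lease": 172800},
               "Gi0/24", 10, "00:00:4d:00:00:01")
    return {
        "rogue_server": sw.on_dhcp({"type": "OFFER", "chaddr": victim, "yiaddr": "10.1.1.99", "lease": 60},
                                   "Gi0/3", 10, attacker),
        "mac_verify": sw.on_dhcp({"type": "DISCOVER", "chaddr": victim}, "Gi0/3", 10, attacker),
        "binding_port": sw.bindings[(10, "10.1.1.251")].port,
        "ipsg_legit": sw.check_ip(10, "Gi0/1", "10.1.1.251", victim),
        "ipsg_wrong_port": sw.check_ip(10, "Gi0/3", "10.1.1.251", attacker),
        "ipsg_ipmac_mismatch": sw.check_ip(10, "Gi0/1", "10.1.1.251", attacker, mode="ipmac"),
        "dai_legit": sw.check_arp(10, "Gi0/1", "10.1.1.251", victim),
        "dai_gateway_poison": sw.check_arp(10, "Gi0/3", "10.1.1.1", attacker),
        "dai_stats": dict(sw.arp_stats),
    }


if __name__ == "__main__":
    print(demo())
```

The static gateway binding is the detail practitioners most often miss: without it DAI has no record for 10.1.1.1, so the attacker's gratuitous ARP for the gateway is compared against nothing and, depending on the platform's default for unknown senders, may pass. With the static entry it is an invalid reply, which is the counter the show arp inspection statistics output above reports.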
16 Equal Cost Multi-Path (ECMP)

Equal Cost Multi-Path (ECMP) is supported on platforms: e c s

ECMP for Flow-based Affinity

ECMP for Flow-based Affinity is available on platforms e and

The hashing algorithms on E-Series TeraScale and E-Series ExaScale are different. Hashing on ExaScale is based on CRC, checksum, or XOR, and the algorithm on TeraScale is based on checksum only.
FTOS Behavior: In FTOS versions prior to 8.2.1.2, the ExaScale default hash-algorithm is 0. Beginning with version 8.2.1.2, the default hash-algorithm is 24.

Deterministic ECMP Next Hop

Deterministic ECMP Next Hop arranges all ECMPs in order before writing them into the CAM. For example, suppose the RTM learns 8 ECMPs in the order that the protocols and interfaces came up. In this case, the FIB and CAM sort them so that the ECMPs are always arranged in the same order, regardless of the order in which they were learned.
In the illustration below, Core Router 1 is an E-Series TeraScale and Core Router 2 is an E-Series ExaScale. They have similar configurations and have routes for prefix P with two possible next-hops. When Deterministic ECMP is enabled and the hash algorithm and seed are configured the same, each flow is consistently sent to the same next hop even though they are routed through two different chassis.
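Why the sort step matters, as an added Python example (not FTOS code, and not the ASIC's hash). Two routers hold the same four equal-cost next hops but learned them in different orders; a flow hash indexes the list, so in learning order the same flow lands on different next hops on each chassis, while sorting the list first (the "arranged in order" step described above) makes the pick identical as long as the hash algorithm and seed match. The CRC-32-based hash, seed value 24, the flows and the next-hop addresses are this example's assumptions; the real hash-algorithm numbers in FTOS select hardware functions that this code does not reproduce.

```python
import ipaddress
import zlib


def flow_hash(src, dst, proto, sport, dport, seed):
    """Stand-in for the ASIC hash: CRC-32 over the 5-tuple, started from the configured seed."""
    key = (ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
           + bytes([proto]) + sport.to_bytes(2, "big") + dport.to_bytes(2, "big"))
    return zlib.crc32(key, seed)


def pick_next_hop(flow, next_hops, seed, deterministic):
    """next_hops is the list in the order the RTM learned it. Deterministic mode sorts it
    before indexing, which is what writing the ECMPs to the CAM 'in order' achieves."""
    if deterministic:
        table = sorted(next_hops, key=lambda ip: ipaddress.ip_address(ip))
    else:
        table = list(next_hops)
    return table[flow_hash(*flow, seed) % len(table)]


def agreement(flows, table_a, table_b, seed_a, seed_b, deterministic):
    """How many flows both routers send to the same next hop."""
    return sum(pick_next_hop(f, table_a, seed_a, deterministic)
               == pick_next_hop(f, table_b, seed_b, deterministic) for f in flows)


def demo():
    # 64 constructed TCP flows to port 443 from distinct sources.
    flows = [("192.168.1.%d" % (i + 1), "10.20.0.%d" % (i % 7 + 1), 6, 40000 + i, 443)
             for i in range(64)]
    # Core Router 1 learned the four next hops as its protocols and interfaces came up ...
    router1 = ["10.0.0.2", "10.0.0.6", "10.0.0.10", "10.0.0.14"]
    # ... Core Router 2 learned the same set in another order (every position differs).
    router2 = ["10.0.0.14", "10.0.0.2", "10.0.0.6", "10.0.0.10"]
    seed = 24
    return {
        "flows": len(flows),
        "learning_order": agreement(flows, router1, router2, seed, seed, deterministic=False),
        "deterministic": agreement(flows, router1, router2, seed, seed, deterministic=True),
        "deterministic_seed_mismatch": agreement(flows, router1, router2, seed, 7, deterministic=True),
    }


if __name__ == "__main__":
    print(demo())
```

Because router2's list is a full rotation of router1's, no index maps to the same address, so in learning order the two routers agree on zero flows; after sorting they agree on all of them. The last result shows the caveat the text attaches to the feature: with different seeds the picks generally diverge again even though both tables are sorted, so seed and algorithm have to be configured identically on every chassis in the path.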
Enable link bundle monitoring using the ecmp-group command.

Note: An ecmp-group index is generated automatically for each unique ecmp-group when the user configures multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6 ... 1022) and are for information only.
17 Enabling FIPS Cryptography FIPS Cryptography is supported on the following platforms: z This chapter describes how to enable FIPS cryptography requirements on the Dell Force10 S4810 platform. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
To enable FIPS mode:

Task | Command Syntax | Command Mode
Enable FIPS mode from a console port. | fips mode enable | CONFIG

When FIPS mode is enabled, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
Monitoring FIPS Mode Status

The status of the current FIPS mode (Enabled/Disabled) can be viewed directly using either the show fips status command or the show system command, as shown below.

FTOS#show fips status
FIPS Mode : Enabled

The FIPS mode status is also displayed for the system using the show system command.
18 FIP Snooping

FIP snooping is supported on the following platforms: z

This chapter describes the FIP snooping concepts and configuration procedures:
• Fibre Channel over Ethernet
• Ensuring Robustness in a Converged Ethernet Network
• FIP Snooping on Ethernet Bridges
• FIP Snooping in a Switch Stack
• Configuring FIP Snooping
• Displaying FIP Snooping Information
• FIP Snooping Configuration Example

Fibre Channel over Ethernet

Fibre Channel over Ethernet (FCoE) provides a converged Ethernet network th
To ensure similar Fibre Channel robustness and security with FCoE in an Ethernet cloud network, the Fibre Channel over Ethernet initialization protocol (FIP) establishes virtual point-to-point links between FCoE end-devices (server ENodes and target storage devices) and FCoE forwarders (FCFs) over transit FCoE-enabled bridges.
Figure 18-1. FIP discovery and login between an ENode and an FCF

FIP Snooping on Ethernet Bridges

In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
• Port-based ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links.
• Port-based ACLs take precedence over global ACLs.
• FCoE-generated ACLs take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.

Figure 18-2 shows a switch used as a FIP snooping bridge in a converged Ethernet network.
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions:
• Allocate CAM resources for FCoE (optional in FTOS version 9.1(0.0)).
• Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
Enabling the FIP Snooping Feature

Note: FIP Snooping is disabled by default. To enable this feature, you must follow the Configuration Procedure.

As soon as you enable the FIP snooping feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied. The FCoE database is populated when the switch connects to a converged network adapter (CNA) or FCF port and compatible DCB configurations are synchronized.
Configuring a Port for a Bridge-to-Bridge Link

If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-to-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it allows FIP frames destined to or received from the FCF MAC address.
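The enforcement sequence described in the FIP Snooping on Ethernet Bridges and port-mode sections above, as an added Python model of a FIP snooping bridge. It is not FTOS code and reproduces none of FTOS's ACL programming; it shows the decisions the ACLs encode: before login only FIP frames to the ALL_FCF_MAC / ALL_ENODE_MAC group addresses pass, an FCF is learned from an advertisement on an FCF-facing port, a session is created from the FCF's FLOGI/FDISC accept using the fabric-provided MAC (FC-MAP followed by the assigned FC-ID), FCoE data is then permitted only from that FPMA on the port that logged in, and a clear-virtual-links message tears the session down. The FIP ethertype 0x8914, FCoE ethertype 0x8906, group MACs and operation codes are from FC-BB-5; the port names, MACs, FC-ID, the frame dictionaries, the decision to treat an FCF advertisement arriving on a server-facing port as rogue, and the simplification that a CVL clears every session of that FCF on the VLAN are this example's assumptions (bridge-to-bridge trusted ports are not modelled).

```python
FIP_ETHERTYPE, FCOE_ETHERTYPE = 0x8914, 0x8906
ALL_ENODE_MAC, ALL_FCF_MAC = "01:10:18:01:00:01", "01:10:18:01:00:02"
# (operation code, subcode) pairs from FC-BB-5 used below
SOLICITATION, ADVERTISEMENT = (1, 1), (1, 2)
LS_REQUEST, LS_REPLY = (2, 1), (2, 2)        # FLOGI/FDISC/LOGO carried as FIP link services
CLEAR_VLINKS = (3, 2)


def mac_str(value):
    return ":".join("%02x" % ((value >> shift) & 0xff) for shift in range(40, -1, -8))


class FipSnoopingBridge:
    def __init__(self, fc_map=0x0EFC00):
        self.fc_map = fc_map          # default FC-MAP; fip-snooping fc-map overrides it per VLAN
        self.port_mode = {}           # port -> "fcf" (FCF-facing); anything else is ENode-facing
        self.fcf_ports = {}           # FCF MAC -> port it was learned on
        self.pending = {}             # (vlan, ENode MAC) -> ENode port while a login is in flight
        self.sessions = {}            # (vlan, FPMA) -> {"enode_port", "fcf_mac"}
        self.denied = []

    def set_port_mode(self, port, mode):
        self.port_mode[port] = mode

    def fpma(self, fc_id):
        """Fabric-provided MAC: 24-bit FC-MAP followed by the 24-bit FC-ID the FCF assigned."""
        return mac_str((self.fc_map << 24) | fc_id)

    def _deny(self, reason, port):
        self.denied.append((reason, port))
        return "deny"

    def handle(self, frame, port, vlan):
        mode = self.port_mode.get(port, "enode")
        if frame["et"] == FIP_ETHERTYPE:
            return self._handle_fip(frame, port, vlan, mode)
        if frame["et"] == FCOE_ETHERTYPE:
            return self._handle_fcoe(frame, port, vlan, mode)
        return "permit"               # non-FCoE traffic is outside FIP snooping's scope

    def _handle_fip(self, f, port, vlan, mode):
        kind = (f["op"], f["sub"])
        if kind == ADVERTISEMENT:
            if mode != "fcf":
                return self._deny("fcf-advertisement-on-enode-port", port)
            self.fcf_ports[f["src"]] = port
            return "permit"
        if f["dst"] == ALL_FCF_MAC:
            return "permit"           # solicitations and keep-alives to all FCFs always pass
        if self.fcf_ports.get(f["src"]) == port:          # frame from a learned FCF
            if kind == LS_REPLY and f.get("accept"):
                enode_port = self.pending.pop((vlan, f["dst"]), None)
                if enode_port is None:
                    return self._deny("login-accept-without-request", port)
                self.sessions[(vlan, self.fpma(f["fcid"]))] = {"enode_port": enode_port,
                                                               "fcf_mac": f["src"]}
            elif kind == CLEAR_VLINKS:
                for key in [k for k, s in self.sessions.items()
                            if k[0] == vlan and s["fcf_mac"] == f["src"]]:
                    del self.sessions[key]
            return "permit"
        if f["dst"] in self.fcf_ports:                     # ENode talking to a learned FCF
            if kind == LS_REQUEST:
                self.pending[(vlan, f["src"])] = port
            return "permit"
        return self._deny("fip-to-unknown-fcf", port)

    def _handle_fcoe(self, f, port, vlan, mode):
        if mode != "fcf":             # ENode-facing: source must be a logged-in FPMA on this port
            s = self.sessions.get((vlan, f["src"]))
            if s is None or s["enode_port"] != port or s["fcf_mac"] != f["dst"]:
                return self._deny("fcoe-without-login", port)
            return "permit"
        s = self.sessions.get((vlan, f["dst"]))           # FCF-facing: destination must be logged in
        if s is None or s["fcf_mac"] != f["src"]:
            return self._deny("fcoe-to-unknown-enode", port)
        return "permit"


def demo():
    br = FipSnoopingBridge()
    br.set_port_mode("Te0/1", "fcf")
    fcf, enode, vlan = "00:05:73:aa:bb:01", "00:1b:21:cc:dd:01", 10
    adv = {"et": FIP_ETHERTYPE, "op": 1, "sub": 2, "src": fcf, "dst": ALL_ENODE_MAC}
    r = {}
    r["rogue_fcf"] = br.handle(adv, "Te0/2", vlan)          # FCF advertisement from a server port
    r["advertisement"] = br.handle(adv, "Te0/1", vlan)
    r["solicitation"] = br.handle({"et": FIP_ETHERTYPE, "op": 1, "sub": 1, "src": enode,
                                   "dst": ALL_FCF_MAC}, "Te0/2", vlan)
    r["flogi"] = br.handle({"et": FIP_ETHERTYPE, "op": 2, "sub": 1, "src": enode, "dst": fcf},
                           "Te0/2", vlan)
    r["flogi_accept"] = br.handle({"et": FIP_ETHERTYPE, "op": 2, "sub": 2, "src": fcf, "dst": enode,
                                   "accept": True, "fcid": 0x010203}, "Te0/1", vlan)
    fpma = br.fpma(0x010203)
    r["fpma"] = fpma
    r["data"] = br.handle({"et": FCOE_ETHERTYPE, "src": fpma, "dst": fcf}, "Te0/2", vlan)
    r["forged_fcid"] = br.handle({"et": FCOE_ETHERTYPE, "src": br.fpma(0x010204), "dst": fcf},
                                 "Te0/2", vlan)
    r["stolen_fpma_other_port"] = br.handle({"et": FCOE_ETHERTYPE, "src": fpma, "dst": fcf},
                                            "Te0/3", vlan)
    r["cvl"] = br.handle({"et": FIP_ETHERTYPE, "op": 3, "sub": 2, "src": fcf, "dst": enode},
                         "Te0/1", vlan)
    r["data_after_cvl"] = br.handle({"et": FCOE_ETHERTYPE, "src": fpma, "dst": fcf}, "Te0/2", vlan)
    return r


if __name__ == "__main__":
    print(demo())
```

The two denied FCoE frames are the point of the feature: an ENode cannot claim an FC-ID it was never assigned, and a host on another port cannot reuse a neighbour's FPMA, because the ACL is keyed on both the fabric-provided MAC and the port that performed the login. The FPMA 0e:fc:00:01:02:03 also shows why the fip-snooping fc-map value configured on the bridge must match the FCF's: a bridge with a different FC-MAP computes a different expected source MAC and denies legitimate traffic.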
• VLAN membership:
  • You must create the VLANs on the switch which handles FCoE traffic (interface vlan command).
  • You must configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames (portmode hybrid command).
Displaying FIP Snooping Information

Use the show commands in Table 18-1 to display information on FIP snooping.

Table 18-1.
Table 18-2. show fip-snooping sessions Command Description
Field | Description
ENode MAC | MAC address of the ENode.
ENode Interface | Slot/port number of the interface connected to the ENode.
FCF MAC | MAC address of the FCF.
FCF Interface | Slot/port number of the interface to which the FCF is connected.
VLAN | VLAN ID number used by the session.
FCoE MAC | MAC address of the FCoE session assigned by the FCF.
FC-ID | Fibre Channel ID assigned by the FCF.
Table 18-4. show fip-snooping fcf Command Description
Field | Description
FCF MAC | MAC address of the FCF.
FCF Interface | Slot/port number of the interface to which the FCF is connected.
VLAN | VLAN ID number used by the session.
FC-MAP | FC-Map value advertised by the FCF.
ENode Interface | Slot/port number of the interface connected to the ENode.
FKA_ADV_PERIOD | Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes | Number of ENodes connected to the FCF.
Figure 18-7.
Figure 18-8.
Table 18-5. show fip-snooping statistics Command Descriptions
Field | Description
Number of FDISC Rejects | Number of FIP FDISC reject frames received on the interface.
Number of FLOGO Accepts | Number of FIP FLOGO accept frames received on the interface.
Number of FLOGO Rejects | Number of FIP FLOGO reject frames received on the interface.
Number of CVLs | Number of FIP clear virtual link frames received on the interface.
Figure 18-11. Configuration Example: FIP Snooping on an S4810 Switch

In Figure 18-11, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch. On the FIP snooping bridge, DCBx is configured as follows:
• A server-facing port is configured for DCBx in an auto-downstream role.
• An FCF-facing port is configured for DCBx in an auto-upstream or configuration-source role.
Figure 18-12. FIP Snooping Configuration Example

Enable the FIP snooping feature on the switch (FIP snooping bridge):
FTOS(conf)# feature fip-snooping

Enable FIP snooping on FCoE VLAN 10:
FTOS(conf)# interface vlan 10
FTOS(conf-if-vl-10)# fip-snooping enable

Enable an FC-MAP value on VLAN 10:
FTOS(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01

Note: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
19 Force10 Resilient Ring Protocol (FRRP) Force10 Resilient Ring Protocol (FRRP) is supported on platforms: e cs z Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses.
A Virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
During the time between the Transit node detecting that its link is restored and the Master node detecting that the ring is restored, the Master node’s Secondary port is still forwarding traffic. This can create a temporary loop in the topology. To prevent this, the Transit node places all the ring ports transiting the newly restored port into a temporary blocked state. The Transit node remembers which port has been temporarily blocked and places it into a pre-forwarding state.
• Ring Health Frames (RHF)
  • Hello RHF — Sent at 500ms (hello interval) — Transmitted and processed by Master node only
  • Topology Change RHF — Triggered updates — Processed at all nodes
Important FRRP Concepts
Table 19-1, "FRRP Components," in Force10 Resilient Ring Protocol (FRRP) lists some important FRRP concepts.
Table 19-1. FRRP Components
Concept: Explanation
Ring ID: Each ring has a unique 8-bit ring ID through which the ring is identified (e.g.
Table 19-1. FRRP Components (continued)
Concept: Explanation
Ring Status: The state of the FRRP ring. During initialization/configuration, the default ring status is Ring-down (disabled). The Primary and Secondary interfaces, Control VLAN, and Master and Transit node information must be configured for the ring to be up.
• Ring-Up: Ring is up and operational
• Ring-Down: Ring is broken or not set up
Ring Health-check Frame (RHF): Two types of RHFs are generated by the Master node.
• Configure Primary and Secondary ports
• Configure the Master node
• Configure a Transit node
• Set FRRP Timers (optional)
• Enable FRRP
Other FRRP related commands are:
• Clear FRRP counters
Create the FRRP group
The FRRP group must be created on each switch in the ring. Use the commands in the following sequence to create the FRRP group.
Step 2. tagged interface slot/port {range} (CONFIG-INT-VLAN): Tag the specified interface or range of interfaces to this VLAN. Interface:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
Be sure to follow these guidelines:
• All VLANs must be in Layer 2 mode.
• Control VLAN ports must be tagged.
• Member VLAN ports except the Primary/Secondary interface can be tagged or untagged.
The Control VLAN must be the same for all nodes on the ring. Use the commands in the following sequence, on all of the Transit switches in the ring, to create the Member VLANs for this FRRP group.
Step 4. mode transit (CONFIG-FRRP): Configure a Transit node.
Step 5. member-vlan vlan-id {range} (CONFIG-FRRP): Identify the Member VLANs for this FRRP group. VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs.
Step 6. no disable (CONFIG-FRRP): Enable this FRRP group on this switch.
Set FRRP Timers
Step 1. timer (CONFIG-FRRP): Enter the desired intervals for Hello-Interval or Dead-Interval times.
Show FRRP information
Use one of the following commands to show general FRRP information.
show frrp ring-id (EXEC or EXEC PRIVILEGED): Show the information for the identified FRRP group. Ring ID: 1-255
show frrp summary (EXEC or EXEC PRIVILEGED): Show the state of all FRRP groups.
no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101
 member-vlan 201
 mode master
 no disable
R2 TRANSIT
interface GigabitEthernet 2/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tagged Gigabi
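The Master node's ring health check described in this chapter (Hello RHFs sent every hello interval out the Primary port and expected back on the Secondary port; Secondary port blocked while the ring is whole, unblocked when the ring is declared down) can be modelled as a small state machine. The following Python class is an added example, not FTOS code or Dell's FRRP implementation; it keeps only the Master-node timer logic. The 500 ms hello interval is the page's default; the 1500 ms dead interval used here is an assumed value, since the page only says the Dead-Interval is configurable with the timer command.

```python
"""Simplified FRRP Master-node ring health model (added example, not FTOS code)."""


class FrrpMaster:
    """Tracks ring status from Hello RHFs looping back to the Secondary port."""

    def __init__(self, hello_ms: int = 500, dead_ms: int = 1500) -> None:
        if dead_ms <= hello_ms:
            raise ValueError("dead interval must be longer than the hello interval")
        self.hello_ms = hello_ms          # page default: 500 ms
        self.dead_ms = dead_ms            # assumed value; set with the timer command
        self.ring_up = False              # page: default ring status is Ring-down
        self.secondary_blocked = False    # ring down: the Secondary port forwards
        self.last_hello_rx = None         # ms timestamp of the last RHF seen on Secondary
        self.events = []                  # (time_ms, description) audit trail

    def receive_hello(self, t_ms: int) -> None:
        """A Hello RHF that went around the ring arrived on the Secondary port."""
        self.last_hello_rx = t_ms
        if not self.ring_up:
            self.ring_up = True
            # The ring is whole again, so the Secondary port is blocked to break the loop.
            self.secondary_blocked = True
            self.events.append((t_ms, "Ring-Up: Secondary port blocked"))

    def tick(self, t_ms: int) -> None:
        """Dead-interval check run by the Master's timer."""
        if self.ring_up and t_ms - self.last_hello_rx >= self.dead_ms:
            self.ring_up = False
            # No RHF for a full dead interval: the ring is broken somewhere, so the
            # Secondary port is unblocked to restore connectivity around the break.
            self.secondary_blocked = False
            self.events.append((t_ms, "Ring-Down: Secondary port unblocked"))

    def status(self) -> str:
        return "Ring-Up" if self.ring_up else "Ring-Down"


def simulate(hello_times, tick_times, hello_ms=500, dead_ms=1500):
    """Replay RHF arrivals and timer ticks in time order; returns the event list."""
    master = FrrpMaster(hello_ms, dead_ms)
    schedule = sorted([(t, "hello") for t in hello_times] + [(t, "tick") for t in tick_times])
    for t, kind in schedule:
        (master.receive_hello if kind == "hello" else master.tick)(t)
    return master.events


if __name__ == "__main__":
    # Constructed timeline: hellos loop back at 500 ms steps, then the ring breaks at ~1.5 s.
    for when, what in simulate([500, 1000, 1500], [0, 2000, 2500, 3000, 3500]):
        print(f"{when:5d} ms  {what}")
```

Two conclusions the model makes visible: a Dead-Interval shorter than or equal to the hello interval can never hold the ring up, and detection of a break takes up to one full dead interval, during which the Master still blocks its Secondary port.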
20 GARP VLAN Registration Protocol (GVRP)
GARP VLAN Registration Protocol (GVRP) is supported on platforms: e c s z
Protocol Overview
Typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN Registration Protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
• On the E-Series, C-Series, and non-S60/S55/S4810 S-Series, Per-VLAN Spanning Tree (PVST+) or MSTP and GVRP cannot be enabled at the same time, as shown in the example below. If Spanning Tree and GVRP are both required, implement RSTP. The S60, S55, and S4810 systems do support enabling GVRP and MSTP at the same time.
FTOS(conf)#protocol spanning-tree pvst
FTOS(conf-pvst)#no disable
% Error: GVRP running. Cannot enable PVST.
Basic GVRP configuration is a 2-step process:
1. Enabling GVRP Globally.
2. Enabling GVRP on a Layer 2 Interface.
Related Configuration Tasks
• Configuring GVRP Registration
• Configuring a GARP Timer
Enabling GVRP Globally
Enable GVRP for the entire switch using the command gvrp enable in CONFIGURATION mode, as shown in the following example. Use the show gvrp brief command to inspect the global configuration.
Configuring GVRP Registration
• Fixed Registration Mode: Configuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN de-registration, and registers all VLANs known on other ports on the port. For example, if an interface is statically configured via the CLI to belong to a VLAN, it should not be un-configured when it receives a Leave PDU. So, the registration mode on that interface is FIXED.
• LeaveAll: Upon startup, a GARP device globally starts a LeaveAll timer. Upon expiration of this interval, it will send out a LeaveAll message so that other GARP devices can re-register all relevant attribute information. The device then restarts the LeaveAll timer to begin a new cycle. The LeaveAll timer must be greater than or equal to 5 times the Leave timer. The FTOS default is 10000ms.
21 High Availability High Availability (HA) is supported on platforms: c e s Note: High Availability is not supported on the S60 system. High availability is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this FTOS release. Component Boot Code E-Series TeraScale RPM 2.4.
Component Redundancy
Dell Force10 systems eliminate single points of failure by providing dedicated or load-balanced redundancy for each component.
RPM Redundancy
The current version of FTOS supports 1+1 hitless Route Processor Module (RPM) redundancy. The primary RPM performs all routing, switching, and control operations while the standby RPM monitors the primary RPM.
Version compatibility between RPMs In general, the two RPMs should have the same FTOS version. However, FTOS tolerates some degree of difference between the two versions, as described in Table 21-1, "System Behavior with RPMs with Mismatched FTOS Versions," in High Availability. View the configuration loaded on each RPM using the command show redundancy, as shown in the example in Automatic and manual RPM failover . Table 21-1.
Automatic and manual RPM failover
RPM failover is the process of the standby RPM becoming the primary RPM. FTOS fails over to the standby RPM when:
1. Communication is lost between the standby and primary RPMs
2. You request a failover via the CLI
3. You remove the primary RPM
Use the command show redundancy from EXEC Privilege mode to display the reason for the last failover.
C-Series RPMs have one CPU: Control Processor (CP). The CP on the RPM communicates with the LP via IPC. Like the E-Series, the CP monitors the health status of the other processors by sending a heartbeat message. If any CPU fails to acknowledge a consecutive number of heartbeat messages, or the CP itself fails to send heartbeat messages (IPC timeout), the primary RPM requests a failover to the standby RPM, and FTOS displays a message similar to Message 4.
Table 21-2. Failover Behaviors
Platform: e
Failover Trigger: RP IPC timeout for a non-task crash reason on the primary RPM
Failover Behavior: CP on primary RPM detects the RP IPC timeout and notifies standby RPM. Standby RPM initiates a failover. FTOS saves an RP application core dump, RP IPC-related system status, a CP trace log record, and the CP IPC-related system status. Then the new primary RPM reboots the failed RPM.
RPM synchronization Data between the two RPMs is synchronized immediately after bootup. Once the two RPMs have done an initial full synchronization (block sync), thereafter FTOS only updates changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the FTOS version.
Specify an Auto-failover Limit
When a non-recoverable fatal error is detected, an automatic failover occurs. However, FTOS is configured to auto-failover only three times within any 60 minute period. You may specify a different auto-failover count and period using the command redundancy auto-failover-limit. To re-enable the auto-failover-limit with its default parameters, in CONFIGURATION mode, use the redundancy auto-failover-limit command without parameters.
On the C-Series, when a secondary RPM with a logical SFM is inserted or removed, the system must add or remove the backplane links to the switch fabric trunk. Any time such links are changed, traffic is disrupted. Use the command redundancy sfm standby to avoid any traffic disruption when the secondary RPM is inserted. When this command is executed, the logical SFM on the standby RPM is immediately taken offline, and the SFM state set as standby. Use the command show sfm all to see SFM status information.
Pre-configure a line card slot
You may also pre-configure an empty line card slot with a logical line card using the command linecard from CONFIGURATION mode. After creating the logical line card, you can configure the interfaces on the line card as if it were present, as shown in the example below.
FTOS(conf)#do show linecard 0
-- Line card 0 -
Status : not present
FTOS(conf)#int gig 0/0
^
% Error: No card configured in slot at "^" marker.
-- Line cards -
Slot Status NxtBoot ReqTyp CurTyp Version Ports
---------------------------------------------------------------------------
0 online online E48VB E48VB 7-5-1-71 48
[output omitted]
Hitless Behavior
Hitless Behavior is supported only on platforms: c e
Hitless behavior is supported on S4810 with FTOS 8.3.12.0 and later or the E-Series ExaScale ex with FTOS 8.2.1.0 and later. Hitless is a protocol-based system behavior that makes an RPM failover on the local system transparent to remote systems.
Graceful Restart
Graceful Restart is supported on platforms: e c s
Graceful restart (also called non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change.
• For ExaScale, the RPM alone periodically sends out test frames that loop back through the SFM. The loopback health check determines the overall status of the backplane and can identify a faulty SFM. If three consecutive RPM loopbacks fail, then the software initiates a fault isolation procedure that sequentially disables one SFM at a time and performs the same loopback test.
Trace Log
Developers interlace messages with software code to track the execution of a program. These messages are called trace messages; they are primarily used for debugging and provide lower level information than event messages, which are primarily used by system administrators. FTOS retains executed trace messages for hardware and software and stores them in files (logs) on the internal flash.
• Hot-lock IP ACLs (supported on E-Series, C-Series, and S-Series) allow you to append rules to and delete rules from an Access Control List that is already written to CAM. This behavior is enabled by default and is available for both standard and extended ACLs on ingress and egress. For information on configuring ACLs, see Access Control Lists (ACLs).
Configure Cache Boot
Cache Boot is supported on platforms: c e
Cache Boot is supported on E-Series ExaScale ex with FTOS 8.2.1.0 and later.
FTOS Behavior: On E-Series ExaScale, the SFM auto upgrade feature is not supported with cacheboot. If you attempt an SFM auto upgrade, you must reload the chassis to recover.
The Dell Force10 system has the ability to boot the chassis using a cached FTOS image.
Power Status : AC Voltage : ok Serial Number : FX000017082 --More-- 2. The cache boot feature requires at least the boot code versions in Table 21-5, "Boot Code Requirements for Cache Boot," in High Availability. Use show rpm and show linecard commands to verify that you have the proper version. Table 21-5. Boot Code Requirements for Cache Boot Component Boot Code E-Series TeraScale RPM 2.4.2.1 E-Series TeraScale Line Card 2.3.2.1 E-Series ExaScale RPM 2.5.0.3 E-Series ExaScale Line Card 2.9.0.
linecard 4 invalid
linecard 5 is not present. 6.5.1.8
Note: [b] : booted [n] : next boot
Upgrade cache boot image(4.7.5.427) for all cards [yes/no]: yes
cache boot image downloading in progress...
!!!!!!!!!!!!!!!!!!!!!
cache boot upgrade in progress. Please do NOT power off the card.
Note: Updating Flash Table of Contents...
Erasing TOC area...
SECONDARY IMAGE FILE = flash://FTOS-EF-7.7.1.0.bin
DEFAULT IMAGE FILE = flash://FTOS-EF-7.6.1.0.bin
LOCAL CONFIG FILE = variable does not exist
PRIMARY HOST CONFIG FILE = variable does not exist
SECONDARY HOST CONFIG FILE = variable does not exist
PRIMARY NETWORK CONFIG FILE = variable does not exist
SECONDARY NETWORK CONFIG FILE = variable does not exist
CURRENT IMAGE FILE = flash://FTOS-EF-7.7.1.0.
The restart time varies by process. In general, interface-related processes are hitless and can be restarted in seconds; if a restart is successful, traffic is not interrupted. Protocol tasks and line card processes are not hitless and take longer to restart. You can select which process may attempt to restart and the number of consecutive restart attempts before failover, but by default, every process fails over.
22 Internet Group Management Protocol (IGMP)
Internet Group Management Protocol (IGMP) is supported on platforms: e c s z
Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Internet Group Management Protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
To receive multicast traffic from a particular source, a host must join the multicast group to which the source is sending traffic. A host that is a member of a group is called a receiver. A host may join many groups, and may join or leave any group at any time. A host joins and leaves a multicast group by sending an IGMP message to its IGMP Querier.
2. The querier sends a Group-Specific Query to determine whether there are any remaining hosts in the group. There must be at least one receiver in a group on a subnet for a router to forward multicast traffic for that group to the subnet. 3. Any remaining hosts respond to the query according to the delay timer mechanism (see Adjusting Query and Response Timers). If no hosts respond (because there are none remaining in the group) the querier waits a specified period and sends another query.
[Figure: IGMP packet format. IPv4 header fields: Version (4), IHL, TOS (0xc0), Total Length, Flags, Frag Offset, TTL (1), Protocol (2), Header Checksum, Src IP Addr, Dest IP Addr (224.0.0. ; IGMP fields: Type, Reserved.]
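The figure's fixed field values (IP version 4, TOS 0xc0, TTL 1, protocol 2, a 224.0.0.x destination) are also the checks a receiver can apply to decide whether an IGMP message is well-formed and link-local. The following Python code is an added example, not FTOS code: it encodes an IGMPv2 General Query inside an IPv4 header with those values and parses such a packet back, verifying both the IP header checksum and the IGMP checksum and listing every deviation from the expected layout. Carrying the IPv4 Router Alert option (IHL 6) is an assumption of this example; the page's figure does not show the IHL value.

```python
"""Build and validate the IGMP-in-IPv4 layout from the figure (added example, not FTOS code)."""
import ipaddress
import struct

IGMP_PROTOCOL = 2
IGMP_MEMBERSHIP_QUERY = 0x11
ALL_SYSTEMS = "224.0.0.1"


def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071). Over data that already
    carries a correct checksum field the result is 0, which is how it is verified."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp_query(group: str = "0.0.0.0", max_resp_tenths: int = 100) -> bytes:
    """IGMPv2 query: Type 0x11, Max Response Time in 1/10 s, Checksum, Group Address."""
    body = struct.pack("!BBH4s", IGMP_MEMBERSHIP_QUERY, max_resp_tenths, 0,
                       ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


def build_ipv4_igmp_packet(src: str, payload: bytes, dst: str = ALL_SYSTEMS) -> bytes:
    """IPv4 header with the figure's values: Version 4, TOS 0xc0, TTL 1, Protocol 2."""
    ihl = 6                                 # 20-byte header + 4-byte Router Alert option (assumed)
    router_alert = b"\x94\x04\x00\x00"
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4 + len(payload),
                         0, 0, 1, IGMP_PROTOCOL, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + router_alert
    header = header[:10] + struct.pack("!H", ones_complement_checksum(header)) + header[12:]
    return header + payload


def parse_igmp_packet(pkt: bytes) -> dict:
    """Decode the IP and IGMP fields and report every deviation from the expected layout."""
    ver_ihl, tos, total_len, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    ihl = ver_ihl & 0x0F
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    igmp = pkt[ihl * 4:total_len]
    problems = []
    if ver_ihl >> 4 != 4:
        problems.append("IP version is not 4")
    if proto != IGMP_PROTOCOL:
        problems.append("IP protocol is not 2 (IGMP)")
    if ttl != 1:
        problems.append("TTL is not 1: IGMP must stay on the local link")
    if not dst.is_multicast:
        problems.append("destination is not a multicast address")
    if ones_complement_checksum(pkt[:ihl * 4]) != 0:
        problems.append("bad IP header checksum")
    if len(igmp) < 8 or ones_complement_checksum(igmp) != 0:
        problems.append("bad or truncated IGMP message")
    return {
        "tos": tos, "ttl": ttl, "src": str(src), "dst": str(dst),
        "type": igmp[0] if igmp else None,
        "max_resp_tenths": igmp[1] if len(igmp) > 1 else None,
        "group": str(ipaddress.IPv4Address(igmp[4:8])) if len(igmp) >= 8 else None,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample: a General Query from a querier at 10.87.3.1 (address from the page's example).
    packet = build_ipv4_igmp_packet("10.87.3.1", build_igmp_query())
    print(parse_igmp_packet(packet))
```

A General Query carries group 0.0.0.0; a Group-Specific Query (the second step in the leave procedure above) uses the same Type 0x11 with the group address filled in, and the parser handles both.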
[Figure: Membership Reports: Joining and Filtering. Panels: (1) group table on the Querier and Non-Querier (Interface 1/1, Multicast Group 224.1.1.1, Filter Mode Exclude/Include, Source Address None or 10.11.1.1, GMI timers; Interface 1/1, Source 10.11.1.2, GMI); (2) Change to Include report (Type 0x22, Number of Group Records 1, Record Type 3, Number of Sources 1, Multicast Address 224.1.1. ; (3) IGMP Group-and-Source Specific Query (Type 0x11, Group Address 244.1.1.1, Number of Sources 1, Source Address 10.11.1.1).]
[Figure: Membership Queries: Leaving and Staying. Panels: group table on the Querier and Non-Querier (Interface 1/1, Multicast Group 224.1.1.1, Filter Mode Include, Source Addresses 10.11.1.1 and 10.11.1.2 with LQMT timers; Interface 2/1, Multicast Group 224.2.2.2, Filter Mode Exclude, Source None, GMI); note: Non-querier builds identical table and waits Other Querier Present Interval to assume Querier role; IGMP Group-and-Source Specific Query (Type 0x11, Group Address 224.1.1.1, Number of Sources 2, Source Address 10.11.1.1, 10.11.1. ]
Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. View IGMP-enabled interfaces using the command show ip igmp interface in the EXEC Privilege mode. FTOS#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.
Viewing IGMP Groups
View both learned and statically configured IGMP groups using the command show ip igmp groups from EXEC Privilege mode.
FTOS(conf-if-gi-1/0)#do sho ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
224.1.1.1 GigabitEthernet 1/0 00:00:03 Never CLI
224.1.2.1 GigabitEthernet 1/0 00:56:55 00:01:22 1.1.1.
Adjusting the IGMP Querier Timeout Value If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet. 1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries. 2. When a router receives a query it compares the IP address of the interface on which it was received with the source IP address given in the query.
IGMP Snooping
Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only some interested hosts, which is a waste of bandwidth.
Enabling IGMP Immediate-leave Configure the switch to remove a group-port association upon receiving an IGMP Leave message using the command ip igmp fast-leave from INTERFACE VLAN mode. View the configuration using the command show config from INTERFACE VLAN mode, as shown in the example below.
• IGMP snooping Querier does not start if there is a statically configured multicast router interface in the VLAN.
• The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet.
• When enabled, IGMP snooping Querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members.
23 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with FTOS. 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms: e c s z SONET interfaces are only supported on platform e.
Input Statistics: 0 packets, 0 bytes 0 Vlans 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 3 packets, 192 bytes, 0 underruns 3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 3 Broadcasts, 0 Unicasts 0 Vlans, 0 throttles, 0 discarded, 0 co
no ip address
shutdown
!
interface GigabitEthernet 9/7
no ip address
shutdown
!
interface GigabitEthernet 9/8
no ip address
shutdown
!
interface GigabitEthernet 9/9
no ip address
shutdown
Enable a Physical Interface
After determining the type of physical interfaces available, the user may enter the INTERFACE mode by entering the command interface interface slot/port to enable and configure the interfaces.
Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on the Route Processor Module (RPM) of the C-Series and E-Series and on each unit of the S4810. It provides dedicated management access to the system. The other S-Series (non-S4810) systems supported by FTOS do not have this dedicated management interface, but you can use any Ethernet port configured with an IP address and route.
By default, VLANs are in Layer 2 mode. Table 23-1.
Configure Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode. Use the ip address command and no shutdown command in INTERFACE mode to enable Layer 3 mode on an individual interface. In all interface types except VLANs, the shutdown command prevents all traffic from passing through the interface. In VLANs, the shutdown command prevents Layer 3 traffic from passing through the interface. Layer 2 traffic is unaffected by the shutdown command.
You can only configure one (1) primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface. To view all interfaces with an IP address assigned, use the show ip interfaces brief command in the EXEC mode as shown in View Basic Interface Information. To view IP information on an interface in Layer 3 mode, use the show ip interface command in the EXEC Privilege mode as shown in the example below.
To configure a Management interface, use the following command in the CONFIGURATION mode:
interface Managementethernet interface (CONFIGURATION): Enter the slot and the port (0). On the E-Series and C-Series, dual RPMs can be in use. Slot range: C-Series, E-Series: 0-1; S4810: 0
To view the Primary RPM Management port, use the show interface Managementethernet command in the EXEC Privilege mode. If there are 2 RPMs, you cannot view information on that interface.
• Once the virtual IP address is removed, the system is accessible through the native IP address of the primary RPM’s management interface.
• Primary and secondary management interface IP and virtual IP must be in the same subnet.
Configure Management Interfaces on the S-Series
The user can manage the S-Series from any port. Configure an IP address for the port using the ip address command, and enable it using the command no shutdown.
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information on VLANs and Layer 2, refer to Layer 2 and Virtual LANs (VLAN).
Note: To monitor VLAN interfaces, use the Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213). Monitoring VLAN interfaces via SNMP is supported only on E-Series.
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Since this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode.
• Port channel definition and standards
• Port channel benefits
• Port channel implementation
• Configuration task list for port channel interfaces
Port channel definition and standards
Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface—a Link Aggregation Group (LAG) or port channel. A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE 802.3ad.
Note: If you are using either 10G ports or 40G ports, the Z9000 supports 8 members per LAG.
As soon as a port channel is configured, FTOS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into hardware in a predictable order based on the port ID, instead of in the order in which the ports come up.
Configuration task list for port channel interfaces To configure a port channel (LAG), you use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
You can add any physical interface to a port channel if the interface configuration is minimal. Only the following commands can be configured on an interface if it is a member of a port channel:
• description
• mtu
• ip mtu (if the interface is on a Jumbo-enabled by default.
Hardware address is 00:01:e8:01:46:fa Internet address is 1.1.120.
Reassign an interface to a new port channel
An interface can be a member of only one port channel. If the interface is a member of a port channel, you must remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, FTOS recalculates the hash algorithm for the port channel.
Configure the minimum oper up links in a port channel (LAG)
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status for the port channel to be considered to be in “oper up” status. Use the following command in the INTERFACE mode:
minimum-links number (INTERFACE): Enter the number of links in a LAG that must be in “oper up” status.
Assign an IP address to a port channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command in the INTERFACE mode:
ip address ip-address mask [secondary] (INTERFACE): Configure an IP address and mask on the interface.
• ip-address mask: enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24).
• IP destination address
• Protocol type
• TCP/UDP source port
• TCP/UDP destination port
Balancing may be applied to IPv4, switched IPv6, and non-IP traffic. For these traffic types, the IP-header-based hash and MAC-based hash may be applied to packets by using the following methods. Table 23-3.
Table 23-4. 5-tuple and 3-tuple Keys
Keys (5-tuple / 3-tuple):
TCP/UDP source port: X / -
TCP/UDP destination port: X / -
Note: For IPv6, only the first 32 bits (LSB) of IP Source Address and IP Destination Address are used for hash generation.
The following example shows the configuration and show command for packet-based hashing on the E-Series.
C-Series and S-Series load-balancing For LAG hashing on C-Series and S-Series, the source IP, destination IP, source TCP/UDP port, and destination TCP/UDP port are used for hash computation by default. For packets without a Layer 3 header, FTOS automatically uses load-balance mac source-dest-mac. IP hashing or MAC hashing should not be configured at the same time. If you configure an IP and MAC hashing scheme at the same time, the MAC hashing scheme takes precedence over the IP hashing scheme.
For the E-Series TeraScale and ExaScale, you can select one of 47 possible hash algorithms (16 on EtherScale).
hash-algorithm {algorithm-number} | {ecmp {checksum|crc|xor} [number]} lag {checksum|crc|xor][number]} nh-ecmp {[checksum|crc|xor] [number]}} | {linecard number ip-sa-mask value ip-da-mask value} (CONFIGURATION): Change the default (0) to another algorithm and apply it to ECMP, LAG hashing, or a particular line card.
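The difference between the 5-tuple and 3-tuple keys in Table 23-4, the xor/crc choices in the hash-algorithm command, and the IPv6 note above can be made concrete with a small flow-hash model. The Python below is an added example, not FTOS code: its hash functions are illustrative and are not the algorithms FTOS programs into hardware, and its IPv6 rule follows the page's note that only the low 32 bits of each address feed the hash (taken here as the last four bytes of the packed address). The member port names are constructed sample values.

```python
"""Flow-hash model for LAG member selection (added example, not FTOS code)."""
import ipaddress
import struct
import zlib


def ip_key(addr: str) -> bytes:
    """Bytes of the address that enter the hash: whole IPv4 address, or the low
    32 bits of an IPv6 address (the page's IPv6 note, interpreted as the last 4 bytes)."""
    return ipaddress.ip_address(addr).packed[-4:]


def flow_key(src: str, dst: str, proto: int, sport: int = 0, dport: int = 0,
             tuple_size: int = 5) -> bytes:
    """5-tuple: src IP, dst IP, protocol, L4 source and destination ports.
    3-tuple: the same without the ports, so all flows between two hosts share a key."""
    if tuple_size not in (3, 5):
        raise ValueError("tuple_size must be 3 or 5")
    key = ip_key(src) + ip_key(dst) + struct.pack("!B", proto)
    if tuple_size == 5:
        key += struct.pack("!HH", sport, dport)
    return key


def hash_xor(key: bytes) -> int:
    """Fold the key into 16 bits by XOR-ing its 16-bit words (illustrative 'xor')."""
    if len(key) % 2:
        key += b"\x00"
    h = 0
    for (word,) in struct.iter_unpack("!H", key):
        h ^= word
    return h


def hash_crc(key: bytes) -> int:
    """CRC-32 of the key truncated to 16 bits (illustrative 'crc')."""
    return zlib.crc32(key) & 0xFFFF


HASHES = {"xor": hash_xor, "crc": hash_crc}


def select_member(key: bytes, members: list, method: str = "crc") -> str:
    """Map a flow key onto one member of the ordered member-port list."""
    if not members:
        raise ValueError("LAG has no member ports")
    return members[HASHES[method](key) % len(members)]


def distribution(flows, members, method="crc", tuple_size=5) -> dict:
    """Count how many (src, dst, proto, sport, dport) flows land on each member."""
    counts = {m: 0 for m in members}
    for src, dst, proto, sport, dport in flows:
        key = flow_key(src, dst, proto, sport, dport, tuple_size)
        counts[select_member(key, members, method)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: 200 TCP flows between the same two hosts, differing only in source port.
    lag = ["TenGigabitEthernet 0/1", "TenGigabitEthernet 0/2",
           "TenGigabitEthernet 0/3", "TenGigabitEthernet 0/4"]
    flows = [("10.1.1.1", "10.2.2.2", 6, 40000 + i, 443) for i in range(200)]
    print("5-tuple:", distribution(flows, lag, "crc", 5))
    print("3-tuple:", distribution(flows, lag, "crc", 3))
```

The 3-tuple run shows the failure mode the choice of key creates: every flow between one pair of hosts collapses onto a single member, so one busy host pair can saturate one link while the others idle. The IPv6 rule has a similar effect for prefixes whose hosts differ only in the upper 96 bits.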
Bulk Configuration Bulk configuration enables you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
FTOS(config-ifrange-gi-5/1-23-te-1/1-2)# interface range Vlan 2 – 100 , Port 1 – 25 FTOS(config-if-range-gi-5/1-23-te-1/1-2-so-5/1-vl-2-100-po-1-25)# no shutdown FTOS(config-if-range)# Interface Range Macros The user can define an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface-range macro command string, you must define the macro.
Monitor and Maintain Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, etc.
monitor interface interface (EXEC Privilege): View the interface’s statistics.
Over 255B packets: 0 0 pps 0 Over 511B packets: 0 0 pps 0 Over 1023B packets: 0 0 pps 0 Input underruns: 0 0 pps 0 Error statistics: Input giants: 0 0 pps 0 Input throttles: 0 0 pps 0 Input CRC: 0 0 pps 0 Input IP checksum: 0 0 pps 0 Input overrun: 0 0 pps 0 Output underruns: 0 0 pps 0 Output throttles: 0 0 pps 0 m - Change mode c - Clear screen l - Page up a - Page down T - Increase refresh interval t - Decrease refresh interval q - Quit q FTOS# Maintenanc
To test the condition of cables on 10/100/1000 BASE-T modules, use the tdr-cable-test command:
Step 1. tdr-cable-test gigabitethernet / (EXEC Privilege): To test for cable faults on the GigabitEthernet cable.
• Between two ports, the user must not start the test on both ends of the cable.
• The user must enable the interface before starting the test.
• The port should be enabled to run the test or the test prints an error message.
Link Debounce Timer Link Debounce Timer is supported on platform e The Link Debounce Timer feature isolates upper layer protocols on Ethernet switches and routers from very short-term, possibly repetitive interface flaps often caused by network jitter on the DWDM equipment connecting the switch and other devices on a SONET ring. The Link Debounce Timer delays link change notifications, thus decreasing traffic loss due to network configuration. All interfaces have a built-in timer to manage traffic.
Show debounce times in an interface
show interface debounce [type] [slot/port] (EXEC Privilege): Show the debounce time for the specified interface. Enter the interface type keyword followed by the type of interface and slot/port information:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For a Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state, and these protocols go through the momentous task of re-converging. Flapping therefore puts the status of the entire network at risk of transient loops and black holes.
View the link dampening configuration on an interface using the command show config, or view dampening information on all or specific dampened interfaces using the command show interfaces dampening from EXEC Privilege mode, as shown in the following example.
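The guide describes dampening only in prose: a flapping interface is suppressed so that routing protocols stop re-converging on every transition. The simulator below is an added example, not code from the guide or from FTOS; it models the usual exponential-decay penalty scheme (each flap adds a penalty, the penalty halves every half-life, the interface is suppressed above a suppress threshold and released below a reuse threshold or after a maximum suppress time). The penalty and threshold values are assumptions chosen for the example, not figures from the guide.

```python
"""Link-dampening simulator (added example, not code from the FTOS guide).

Assumed parameters: penalty 1000 per flap, half-life 5 s, reuse 750,
suppress 2500, maximum suppress time 20 s.
"""

FLAP_PENALTY = 1000  # assumed penalty added per state change


class DampenedInterface:
    def __init__(self, half_life=5.0, reuse=750, suppress=2500, max_suppress=20.0):
        self.half_life = half_life        # seconds for the penalty to halve (assumed)
        self.reuse = reuse                # release suppression below this (assumed)
        self.suppress = suppress          # start suppression above this (assumed)
        self.max_suppress = max_suppress  # longest suppression allowed, seconds (assumed)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.suppressed_since = None
        self.notifications = []           # state changes actually passed to routing

    def _decay(self, now):
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def _update_suppression(self, now):
        if self.suppressed:
            expired = now - self.suppressed_since >= self.max_suppress
            if self.penalty < self.reuse or expired:
                self.suppressed = False
                self.suppressed_since = None
        elif self.penalty > self.suppress:
            self.suppressed = True
            self.suppressed_since = now

    def flap(self, now, state):
        """Record a link change ('up'/'down') at time now; True if it was suppressed."""
        self._decay(now)
        self.penalty += FLAP_PENALTY
        self._update_suppression(now)
        if not self.suppressed:
            self.notifications.append((now, state))
        return self.suppressed

    def poll(self, now):
        """Re-evaluate suppression at time now without a new flap."""
        self._decay(now)
        self._update_suppression(now)
        return self.suppressed


def simulate(flap_times, **params):
    """Feed alternating down/up flaps at the given times; return the interface."""
    iface = DampenedInterface(**params)
    for i, t in enumerate(flap_times):
        iface.flap(t, "down" if i % 2 == 0 else "up")
    return iface


if __name__ == "__main__":
    port = simulate([0.0, 1.0, 2.0])       # three flaps in two seconds
    print("suppressed after 3 flaps:", port.suppressed)
    print("notifications delivered:", port.notifications)
    print("still suppressed at t=5:", port.poll(5.0))
    print("still suppressed at t=12:", port.poll(12.0))
```

With these values the third flap inside two seconds pushes the penalty past the suppress threshold, so routing sees only the first two transitions; the interface is released around nine seconds later once the penalty has decayed below the reuse threshold.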
Configure MTU size on an Interface
The E-Series supports a link Maximum Transmission Unit (MTU) of 12000 bytes and maximum IP MTU of 9234 bytes. The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation. If the system determines that the IP packet must be fragmented as it leaves the interface, FTOS divides the packet into fragments no bigger than the size set in the ip mtu command.
Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time. The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames.
Enable Pause Frames
Note: On the C-Series and S-Series (non-S4810) platforms, Ethernet Pause Frames TX should be enabled only after consulting with the Dell Force10 Technical Assistance Center.
Note: Changes in the flow-control values may not be reflected automatically in the show interface output. As a workaround, apply the new settings, execute shut followed by no shut on the interface, and then check the running-config of the port.
Note: The S4810 supports only the rx control option.
Configure MTU Size on an Interface
If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422:
1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU
The MTU range is 592-12000, with a default of 1500.
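The two MTU rules above (link MTU must cover IP MTU plus the Layer 2 header; fragments never exceed the IP MTU) are easy to get wrong when tuning interfaces, so here is an added example (not code from the guide or from FTOS) that checks a link/IP MTU pair and shows how a packet is cut into fragments. The 22-byte VLAN overhead and the 592-12000 range come from the guide; the 18-byte untagged overhead (14-byte header plus 4-byte FCS) and the 20-byte IPv4 header are assumptions of this example.

```python
"""Link-MTU vs IP-MTU checker and IPv4 fragment sizing (added example, not FTOS code)."""

L2_OVERHEAD = {"untagged": 18, "vlan": 22}   # bytes; "vlan" per the guide, "untagged" assumed
LINK_MTU_MIN, LINK_MTU_MAX = 592, 12000        # link MTU range from the guide
IPV4_HEADER = 20                               # minimal IPv4 header, no options (assumed)


def min_link_mtu(ip_mtu: int, encap: str = "vlan") -> int:
    """Smallest link MTU that still carries a full IP MTU under the given encapsulation."""
    return ip_mtu + L2_OVERHEAD[encap]


def check_mtu(link_mtu: int, ip_mtu: int, encap: str = "vlan") -> list:
    """Return a list of problems with the pair; an empty list means the pair is consistent."""
    problems = []
    if not LINK_MTU_MIN <= link_mtu <= LINK_MTU_MAX:
        problems.append(f"link MTU {link_mtu} outside {LINK_MTU_MIN}-{LINK_MTU_MAX}")
    needed = min_link_mtu(ip_mtu, encap)
    if link_mtu < needed:
        problems.append(f"link MTU {link_mtu} < {needed} needed for IP MTU {ip_mtu} ({encap})")
    return problems


def fragment_sizes(total_len: int, ip_mtu: int) -> list:
    """Split an IPv4 packet of total_len bytes (header included) into fragment
    total lengths no larger than ip_mtu.  Every fragment but the last carries a
    payload that is a multiple of 8 bytes, as the fragment-offset field requires."""
    if total_len <= ip_mtu:
        return [total_len]                    # fits: no fragmentation needed
    payload = total_len - IPV4_HEADER
    per_fragment = (ip_mtu - IPV4_HEADER) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("ip mtu too small to carry any payload")
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(IPV4_HEADER + chunk)     # each fragment gets its own IP header
        payload -= chunk
    return sizes


if __name__ == "__main__":
    print(check_mtu(1422, 1400))              # [] : the guide's VLAN example is consistent
    print(check_mtu(1421, 1400))              # one byte short for the VLAN header
    print(fragment_sizes(4000, 1500))         # [1500, 1500, 1040]
```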
Port-pipes A port pipe is a Dell Force10 specific term for the hardware path that packets follow through a system. Port pipes travel through a collection of circuits (ASICs) built into line cards and RPMs on which various processing events for the packets occur. One or two port pipes process traffic for a given set of physical interfaces or a port-set. The E300 only supports one port pipe per slot.
Auto-Negotiation on Ethernet Interfaces
Setting speed and duplex mode of Ethernet Interfaces
By default, auto-negotiation of speed and duplex mode is enabled on 10/100/1000 Base-T Ethernet interfaces. Only 10GE interfaces do not support auto-negotiation. When using 10GE interfaces, verify that the settings on the connecting devices are set to no auto-negotiation. Note: Starting with FTOS 7.8.1.
Note: The show interfaces status command displays link status, but not administrative status. For link and administrative status, use show ip interface [interface | brief | linecard slot-number] [configuration].
FTOS#show ip interface configured
FTOS#show ip interface linecard 1 configured
FTOS#show ip interface gigabitEthernet 1 configured
FTOS#show ip interface br configured
FTOS#show ip interface br linecard 1 configured
FTOS#show ip interface br gigabitEthernet 1 configured
FTOS#show running-config interfaces configured
FTOS#show running-config interface gigabitEthernet 1 configured
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration in
Although any value between 30 and 299 seconds (the default) can be entered, software polling is done once every 15 seconds. So, for example, if you enter “19”, you will actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 100 seconds): Input 00.00 Mbits/sec, Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate 0 packets/sec, 0.
To clear the counters, use the following command in the EXEC Privilege mode:
Command Syntax: clear counters [interface] [vrrp [vrid] | learning-limit] (Command Mode: EXEC Privilege). Purpose: Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
24 IPv4 Routing
IPv4 Routing is supported on platforms: ecsz
FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS.
• IP Addresses
• Directed Broadcast
• Resolution of Host Names
• ARP
• ICMP
• UDP Helper
Table 24-1 lists the defaults for the IP addressing features described in this chapter. Table 24-1.
For more information on IP addressing, refer to RFC 791, Internet Protocol.
Implementation Information
In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces.
Note: FTOS versions 7.7.1.0 and later support 31-bit subnet masks (/31, or 255.255.255.254) as defined by RFC 3021. This feature allows you to save two more IP addresses on point-to-point links than 30-bit masks. FTOS supports RFC 3021 with ARP.
To assign an IP address to an interface, use these commands in the following sequence, starting in the CONFIGURATION mode:
Command Syntax: interface interface (Command Mode: CONFIGURATION). Purpose: Enter the keyword interface followed by the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For a Loopback interface, enter the keyword loopback followed by a number from 0 to 16383.
To view the configuration, use the show config command in the INTERFACE mode as shown in the example below or show ip interface in the EXEC privilege mode as shown in the second example.
FTOS(conf-if)#show conf
!
interface GigabitEthernet 0/0
 ip address 10.11.1.1/24
 no shutdown
!
FTOS(conf-if)#
FTOS#show ip int gi 0/8
GigabitEthernet 0/8 is up, line protocol is up
Internet address is 10.69.8.1/24
Broadcast address is 10.69.8.
To view the configured routes, use the show ip route static command. FTOS#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.4/32 via 6.1.20.2, S 6.1.2.5/32 via 6.1.20.2, S 6.1.2.6/32 via 6.1.20.2, S 6.1.2.7/32 via 6.1.20.2, S 6.1.2.8/32 via 6.1.20.2, S 6.1.2.9/32 via 6.1.20.2, S 6.1.2.10/32 via 6.1.20.2, S 6.1.2.11/32 via 6.1.20.2, S 6.1.2.12/32 via 6.1.20.2, S 6.1.2.13/32 via 6.1.20.
Command Syntax: management route ip-address mask {forwarding-router-address | ManagementEthernet slot/port} (Command Mode: CONFIGURATION). Purpose: Assign a static route to point to the management interface or forwarding router.
To view the configured static routes for the management port, use the show ip management-route command in the EXEC privilege mode.
Resolution of Host Names
Domain Name Service (DNS) maps host names to IP addresses. This feature simplifies such commands as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless the feature is enabled, the system resolves only host names entered into the host table with the ip host command.
Specify local system domain and a list of domains
If you enter a partial domain, FTOS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. FTOS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
The following text is an example output of DNS using the traceroute command. FTOS#traceroute www.force10networks.com Translating "www.force10networks.com"...domain server (10.11.0.1) [OK] Type Ctrl-C to abort. -----------------------------------------------------------------------------------------Tracing the route to www.force10networks.com (10.11.84.
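The lookup order described in the two sections above (host table first, then the name as given if it is fully qualified, otherwise each configured domain in turn, and nothing beyond the host table while dynamic resolution is disabled) is modelled in this added example. It is not code from the guide or from FTOS; the name-server answers are a constructed in-memory dictionary, and trying the bare partial name before the domain-completed names is an assumption of the example.

```python
"""Host-name resolution order from the FTOS guide (added example, not FTOS code)."""


class HostResolver:
    def __init__(self, host_table, search_domains, dns_records, dynamic_lookup=False):
        self.host_table = {k.lower(): v for k, v in host_table.items()}   # ip host entries
        self.search_domains = [d.lower() for d in search_domains]         # domain list
        self.dns_records = {k.lower(): v for k, v in dns_records.items()}  # constructed answers
        self.dynamic_lookup = dynamic_lookup                              # off by default

    def _query_server(self, fqdn):
        """Stand-in for a query to the configured name server."""
        return self.dns_records.get(fqdn.rstrip(".").lower())

    def candidates(self, name):
        """Names tried, in order.  A trailing dot marks an FQDN: no completion."""
        key = name.rstrip(".").lower()
        if name.endswith("."):
            return [key]
        return [key] + [f"{key}.{d}" for d in self.search_domains]   # bare name first (assumed)

    def resolve(self, name):
        key = name.rstrip(".").lower()
        if key in self.host_table:          # host table wins, even with lookups disabled
            return self.host_table[key]
        if not self.dynamic_lookup:
            return None                     # dynamic resolution not enabled
        for fqdn in self.candidates(name):
            ip = self._query_server(fqdn)
            if ip is not None:
                return ip
        return None


def demo_resolver(dynamic_lookup):
    """Constructed configuration: one static host, two search domains, three server records."""
    return HostResolver(
        host_table={"switch1": "10.0.0.1"},
        search_domains=["corp.example", "lab.example"],
        dns_records={"www.corp.example": "10.1.1.1",
                     "www.lab.example": "10.2.2.2",
                     "host.lab.example": "10.2.2.3"},
        dynamic_lookup=dynamic_lookup)


if __name__ == "__main__":
    off = demo_resolver(False)
    print(off.resolve("switch1"), off.resolve("www"))        # 10.0.0.1 None
    on = demo_resolver(True)
    print(on.resolve("www"), on.resolve("host"), on.resolve("www."))  # 10.1.1.1 10.2.2.3 None
```

Note the last case: "www." is fully qualified, so the domain list is never applied and the lookup fails, exactly the distinction the guide draws between a partial name and an FQDN.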
Configure static ARP entries
ARP dynamically maps the MAC and IP addresses, and while most network hosts support dynamic mapping, you can configure an ARP entry (called a static ARP) for the ARP cache. To configure a static ARP entry, use the following command in the CONFIGURATION mode:
Command Syntax: arp ip-address mac-address interface (Command Mode: CONFIGURATION). Purpose: Configure an IP address and MAC address mapping for an interface.
Clear ARP cache
To clear the ARP cache of dynamically learnt ARP information, use the following command in the EXEC privilege mode:
Command Syntax: clear arp-cache [interface | ip (Command Mode: EXEC privilege). Purpose: Clear the ARP caches for all interfaces or for a specific interface by entering the following information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
1. At time t=0 FTOS sends an ARP request for IP A.B.C.D
2. At time t=1 FTOS receives an ARP request for IP A.B.C.D
3. At time t=2 FTOS installs an ARP entry for A.B.C.D only on RP2.
Beginning with version 8.3.1.0, when a Gratuitous ARP is received, FTOS installs an ARP entry on all 3 CPUs.
Task: Enable ARP learning via gratuitous ARP. Command Syntax: arp learn-enable (Command Mode: CONFIGURATION).
ARP Learning via ARP Request
In FTOS versions prior to 8.3.1.
Configurable ARP Retries
In FTOS versions prior to 8.3.1.0, the number of ARP retries is set to 5 and is not configurable. After 5 retries, FTOS backs off for 20 seconds before it sends a new request. Beginning with FTOS version 8.3.1.0, the number of ARP retries is configurable. The default backoff interval remains at 20 seconds. On the S4810 platform, with FTOS version 8.3.8.0 and later, the time between ARP resend is configurable. This timer is an exponential backoff timer.
To reenable the creation of ICMP unreachable messages on the interface, use the following command in the INTERFACE mode:
Command Syntax: ip unreachable (Command Mode: INTERFACE). Purpose: Set FTOS to create and send ICMP unreachable messages on the interface.
To view if ICMP unreachable messages are sent on the interface, use the show config command in the INTERFACE mode. If it is not listed in the show config command output, it is enabled.
2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. Refer to Configuring a Broadcast Address.
Important Points to Remember about UDP Helper
• The existing command ip directed broadcast is rendered meaningless if UDP helper is enabled on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when UDP helper is enabled.
• You may specify a maximum of 16 UDP ports.
Configuring a Broadcast Address
Configure a broadcast address on an interface using the command ip udp-broadcast-address, as shown in the example below.
FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255
FTOS(conf-if-vl-100)#show config
!
interface Vlan 100
 ip address 1.1.0.1/24
 ip udp-broadcast-address 1.1.255.
1. Packet 1 is dropped at ingress if no UDP helper address is configured. 2. If UDP helper (using the command ip udp-helper udp-port) is enabled, and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101.
Troubleshooting UDP Helper
Display debugging information using the command debug ip udp-helper, as shown in the example below.
FTOS(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on Gi 5/0 with IP DA (0xffffffff) will be sent on Gi 5/1 Gi 5/2 Vlan 3
01:44:54: Pkt rcvd on Gi 7/0 is handed over for DHCP processing.
Use the command debug ip dhcp when using the IP helper and UDP helper on the same interface, as shown in the following example.
Packet 0.0.0.0:68 -> 255.255.255.
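The forwarding decision the UDP helper sections describe (drop a 255.255.255.255 packet at ingress when no helper is configured; when a helper port matches, rewrite the destination to each target VLAN's ip udp-broadcast-address and route it; at most 16 ports; keep the broadcast rate under 200 pps) is modelled in this added example. It is not code from the guide or from FTOS. VLANs 100 and 101 with broadcast 1.1.255.255 are taken from the guide's example; UDP port 67 and the fixed ingress-to-VLAN target mapping are assumptions of this model (FTOS derives the targets from its routing configuration).

```python
"""UDP helper forwarding decision (added example, not FTOS code)."""
from collections import deque

MAX_UDP_PORTS = 16          # limit stated in the guide
RATE_LIMIT_PPS = 200        # recommended ceiling stated in the guide
ALL_ONES = "255.255.255.255"


class UdpHelper:
    def __init__(self):
        self.udp_ports = {}          # ingress interface -> set of helper ports
        self.broadcast_addr = {}     # vlan -> ip udp-broadcast-address
        self.targets = {}            # ingress interface -> target VLANs (assumed mapping)
        self.recent = deque()        # timestamps of relayed packets, for the rate check

    def enable_udp_port(self, ingress, port):
        """ip udp-helper udp-port on an ingress interface, enforcing the 16-port limit."""
        ports = self.udp_ports.setdefault(ingress, set())
        if port not in ports and len(ports) >= MAX_UDP_PORTS:
            raise ValueError(f"{MAX_UDP_PORTS} UDP ports already configured on {ingress}")
        ports.add(port)

    def set_broadcast_address(self, vlan, addr):
        """ip udp-broadcast-address on the target VLAN."""
        self.broadcast_addr[vlan] = addr

    def set_targets(self, ingress, vlans):
        self.targets[ingress] = list(vlans)

    def relay(self, now, ingress, dst_ip, dst_port):
        """Return [(vlan, new_destination), ...]; an empty list means the packet is dropped."""
        if dst_ip != ALL_ONES or dst_port not in self.udp_ports.get(ingress, ()):
            return []
        out = [(vlan, self.broadcast_addr[vlan])
               for vlan in self.targets.get(ingress, [])
               if vlan in self.broadcast_addr]
        if out:
            self.recent.append(now)
        return out

    def rate_exceeded(self, now):
        """True if more than RATE_LIMIT_PPS packets were relayed in the last second."""
        while self.recent and now - self.recent[0] >= 1.0:
            self.recent.popleft()
        return len(self.recent) > RATE_LIMIT_PPS


def build_example_helper():
    """Helper for UDP port 67 on Gi 5/0 relaying to VLANs 100 and 101 (broadcast 1.1.255.255)."""
    h = UdpHelper()
    h.enable_udp_port("Gi 5/0", 67)
    for vlan in ("Vlan 100", "Vlan 101"):
        h.set_broadcast_address(vlan, "1.1.255.255")
    h.set_targets("Gi 5/0", ["Vlan 100", "Vlan 101"])
    return h


if __name__ == "__main__":
    h = build_example_helper()
    print(h.relay(0.0, "Gi 5/0", ALL_ONES, 67))   # relayed to both VLANs
    print(h.relay(0.0, "Gi 5/0", ALL_ONES, 68))   # [] : port not configured, dropped
```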
25 IPv6 Routing
IPv6 Routing is supported on platforms ecs
Note: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. See Table 25-2 to determine the FTOS version supporting which features and platforms.
IPv6 (Internet Protocol Version 6) is the successor to IPv4. Due to the extremely rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
• Stateless Autoconfiguration
• Header Format Simplification
• Improved Support for Options and Extensions
Extended Address Space
The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing.
IPv6 Headers
The IPv6 header has a fixed length of 40 bytes. This provides 16 bytes each for Source and Destination information and 8 bytes for general header information. The IPv6 header includes the following fields:
• Version (4 bits)
• Traffic Class (8 bits)
• Flow Label (20 bits)
• Payload Length (16 bits)
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for Extension Headers. Extension Headers are used only if necessary.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Note: This is not a comprehensive table of Next Header field values. Refer to the Internet Assigned Numbers Authority (IANA) web page at http://www.iana.org/assignments/ protocol-numbers for a complete and current listing. Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field and uses seconds rather than hops. Each time the packet moves through a forwarding router, this field decrements by 1.
Hop-by-Hop Options header
The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero) (Table 25-1). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
Addressing
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons (::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address.
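The header layout, the Next Header chain starting with Hop-by-Hop (value 0), the per-hop decrement of Hop Limit and the address shortening rule from the sections above are exercised by this added example. It is not code from the guide or from FTOS. The sample packet is constructed here (Traffic Class 0x10, Flow Label 0xABCDE, a Hop-by-Hop header carrying only a PadN option, then an ICMPv6 echo request); the extension-header numbers other than 0 (43 routing, 44 fragment, 51 AH, 60 destination options) and ICMPv6's value 58 are the standard IANA assignments. Python's ipaddress module also drops leading zeros inside a group, so the guide's 2001:0db8::1428:57ab comes out as 2001:db8::1428:57ab.

```python
"""IPv6 fixed-header parser with extension-header walk (added example, not FTOS code)."""
import ipaddress
import struct

HOP_BY_HOP = 0
ICMPV6 = 58
EXT_HEADER_LEN = {  # next-header value -> function(first two bytes of the header) -> length
    0: lambda h: (h[1] + 1) * 8,    # Hop-by-Hop Options
    43: lambda h: (h[1] + 1) * 8,   # Routing
    44: lambda h: 8,                # Fragment (fixed size)
    51: lambda h: (h[1] + 2) * 4,   # Authentication Header (length in 32-bit words minus 2)
    60: lambda h: (h[1] + 1) * 8,   # Destination Options
}


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    ext_chain, offset, nh = [], 40, next_hdr
    while nh in EXT_HEADER_LEN:               # follow the Next Header chain
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        ext_chain.append(nh)
        hdr_len = EXT_HEADER_LEN[nh](pkt[offset:offset + 2])
        nh, offset = pkt[offset], offset + hdr_len
    return {
        "version": 6,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),     # shortened form
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "ext_headers": ext_chain,
        "upper_layer": nh,                                # first non-extension Next Header
        "upper_layer_offset": offset,
        "has_hop_by_hop": HOP_BY_HOP in ext_chain,
    }


def forward(pkt: bytes):
    """Decrement Hop Limit as a forwarding router does; None means the packet is discarded."""
    hop_limit = pkt[7]
    if hop_limit <= 1:
        return None                            # would reach 0: drop (ICMPv6 Time Exceeded)
    return pkt[:7] + bytes([hop_limit - 1]) + pkt[8:]


def compress(addr: str) -> str:
    """2001:0db8:0000:0000:0000:0000:1428:57ab -> 2001:db8::1428:57ab"""
    return str(ipaddress.IPv6Address(addr))


def sample_packet(hop_limit: int = 64) -> bytes:
    """Constructed packet: IPv6 + Hop-by-Hop (PadN only) + ICMPv6 echo request."""
    hbh = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])            # next header 58, len 0, PadN(4)
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)   # echo request, checksum left 0
    word0 = (6 << 28) | (0x10 << 20) | 0xABCDE
    fixed = struct.pack("!IHBB", word0, len(hbh) + len(icmp), HOP_BY_HOP, hop_limit)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:0db8:0000:0000:0000:0000:1428:57ab").packed
    return fixed + src + dst + hbh + icmp


if __name__ == "__main__":
    info = parse_ipv6(sample_packet())
    print(info)
    print("hop limit after one hop:", forward(sample_packet())[7])
```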
case, a DHCP server is used, but it is specifically configured to always assign the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way.
Table 25-2. FTOS and IPv6 Feature Support (continued) Route redistribution 7.4.1 8.2.1 7.8.1 8.4.2 8.3.10.0 OSPF, IS-IS, and IPv6 BGP chapters in the FTOS Command Line Reference Guide Multiprotocol BGP extensions for IPv6 7.4.1 IPv6 BGP MD5 Authentication 8.2.1.0 IS-IS for IPv6 N/A 8.2.1 7.8.1 8.4.2 8.3.10.0 IPv6 BGP in the FTOS Command Line Reference Guide 8.2.1.0 8.2.1.0 8.4.2 8.3.10.0 IPv6 BGP in the FTOS Command Line Reference Guide N/A N/A N/A 8.3.10.
Table 25-2. FTOS and IPv6 Feature Support (continued) IPv6 Access Control 7.4.1 Lists 8.2.1 7.8.1 8.2.1.0 8.3.10.0 IPv6 Access Control Lists in the FTOS Command Line Reference Guide IPv6 Multicast PIM-SM for IPv6 7.4.1 8.2.1 8.4.2 8.4.2 N/A IPv6 Multicast in this chapter; IPv6 PIM in the FTOS Command Line Reference Guide PIM-SSM for IPv6 7.5.1 8.2.1 8.4.2 8.4.
Path MTU Discovery
IPv6 MTU Discovery is supported on platforms c e s z
Path MTU (Maximum Transmission Unit), in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
IPv6 Neighbor Discovery
IPv6 NDP is supported on platforms c e s
Neighbor Discovery Protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In lieu of ARP, NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes.
IPv6 Neighbor Discovery of MTU packets
With FTOS 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if ipv6 nd mtu is set to 1280, the interface will still pass 1500-byte packets, if that is what is set with the mtu command.
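How Path MTU Discovery and the advertised ND MTU interact is shown by this added example, which is not code from the guide or from FTOS. It walks a probe along a constructed path of link MTUs: each hop that cannot forward the probe answers with an ICMPv6 Type 2 Packet Too Big carrying its MTU, the source lowers its estimate and retries, and the 1280-byte IPv6 minimum is enforced. Starting the walk from the value advertised with ipv6 nd mtu instead of the interface MTU shows why a smaller advertised value can remove the Packet Too Big round trips entirely.

```python
"""Path MTU discovery walk-through (added example, not FTOS code)."""

IPV6_MIN_MTU = 1280          # minimum IPv6 link MTU, the value the guide recommends
ICMPV6_PACKET_TOO_BIG = 2    # ICMPv6 type used by Path MTU discovery per the guide


def discover_path_mtu(link_mtus, initial_mtu):
    """Return (path_mtu, messages) for a probe starting at initial_mtu.  Each message
    is (hop_index, icmpv6_type, reported_mtu) from a hop that could not forward it."""
    for mtu in link_mtus:
        if mtu < IPV6_MIN_MTU:
            raise ValueError(f"IPv6 links must carry at least {IPV6_MIN_MTU} bytes")
    pmtu, messages = initial_mtu, []
    while True:
        blocking = next(((hop, mtu) for hop, mtu in enumerate(link_mtus) if mtu < pmtu), None)
        if blocking is None:
            return pmtu, messages           # probe crossed every hop: this is the PMTU
        hop, mtu = blocking
        messages.append((hop, ICMPV6_PACKET_TOO_BIG, mtu))
        pmtu = mtu                           # source lowers its estimate and retries


if __name__ == "__main__":
    path = [1500, 1400, 1500, 1300]          # constructed per-hop link MTUs
    print(discover_path_mtu(path, 1500))     # (1300, [(1, 2, 1400), (3, 2, 1300)])
    print(discover_path_mtu(path, 1280))     # (1280, []) : RA advertised 1280, no probes fail
```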
SSH over an IPv6 Transport
IPv6 SSH is supported on platforms c e s
FTOS supports both inbound and outbound SSH sessions using IPv6 addressing. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. Refer to the Security Commands chapter in the FTOS Command Line Interface Reference document for SSH configuration details.
Figure 25-4. Command Example: show cam-profile summary (E-Series) FTOS#show cam-profile summary -- Chassis CAM Profile -: Current Settings : Next Boot Profile Name : IPV6-ExtACL : IPV6-ExtACL MicroCode Name : IPv6-ExtACL : IPv6-ExtACL -- Line card 1 -: Current Settings : Next Boot : IPV6-ExtACL : IPV6-ExtACL : IPv6-ExtACL : IPv6-ExtACL Profile Name MicroCode Name FTOS# Figure 25-5.
The default option sets the CAM Profile as follows:
• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
Save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings to take effect.
Command Syntax: cam-acl { ipv6acl } (Command Mode: CONFIGURATION). Purpose: Allocate space for IPV6 ACLs. Enter the CAM profile name followed by the amount to be allotted.
One of the existing IPv6 addresses must be deleted before a new IPv6 address can be configured.
Command Syntax: ipv6 address ipv6 address/mask (Command Mode: CONFIG-INTERFACE). Purpose: Enter the IPv6 Address for the device. ipv6 address: x:x:x:x::x; mask: prefix length 0 to 128.
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing earlier in this chapter.
Note: After you configure a static IPv6 route (ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor is not displayed in the show ipv6 route command output.
Telnet with IPv6
IPv6 Telnet is supported on platforms c e s
The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or an IPv6 Telnet connection can be initiated from the router.
Note: Telnet to link local addresses is not supported.
Command Syntax: telnet ipv6 address (Command Mode: EXEC or EXEC Privileged). Purpose: Enter the IPv6 Address for the device.
Show IPv6 Information
All of the following show commands are supported on platforms c e s
View specific IPv6 configuration with the following commands.
Show an IPv6 Interface
View the IPv6 configuration for a specific interface with the following command.
Command Syntax: show ipv6 interface (Command Mode: EXEC). Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information:
• For a brief summary of IPv6 status and configuration, enter the keyword brief.
• For all IPv6 configured interfaces, enter the keyword configured.
Show IPv6 Routes
View the global IPv6 routing information with the following command.
Command Syntax: show ipv6 route type (Command Mode: EXEC). Purpose: Show IPv6 routing information for the specified route type. Enter the keyword:
• To display information about a network, enter the ipv6 address (X:X:X:X::X).
• To display information about a host, enter the hostname.
• To display information about all IPv6 routes (including non-active routes), enter all.
Figure 25-8. Command Example: show ipv6 route summary
FTOS#show ipv6 route summary
Route Source   Active Routes   Non-active Routes
connected      5               0
static         0               0
Total          5               0
Figure 25-9 illustrates the show ipv6 route static command output. Figure 25-9.
Figure 25-10. Command Example: show running-config interface
FTOS#show run int gi 2/2
!
interface GigabitEthernet 2/2
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
FTOS#
Clear IPv6 Routes
Use the clear ipv6 route command to clear routes from the IPv6 routing table.
Command Syntax: clear ipv6 route {* | ipv6 address (Command Mode: EXEC). Purpose: Clear (refresh) all or specific routes from the IPv6 routing table.
26 iSCSI Optimization
iSCSI Optimization is supported on platform .
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• iSCSI QoS: A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause iSCSI packets to be dropped. iSCSI DCBX TLVs are supported.
Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is cleared. If more than 256 simultaneous sessions are logged continuously, the following message displays indicating the queue rate limit has been reached.
%STKUNIT2-M:CP %iSCSI-5-ISCSI_OPT_MAX_SESS_EXCEEDED: New iSCSI Session Ignored: ISID 400001370000 InitiatorName - iqn.1991-05.com.microsoft:dt-brcd-cna-2 TargetName iqn.2001-05.com.
Detection and Port Configuration for Dell Compellent Arrays
Switches support the iscsi profile-compellent command to configure a port connected to a Dell Compellent storage array. The command configures a port for the best iSCSI traffic conditions and must be entered in INTERFACE Configuration mode.
Enabling and Disabling iSCSI Optimization
Note: iSCSI monitoring is disabled by default. iSCSI auto-configuration and auto-detection is enabled by default. If iSCSI is enabled, flow control will be automatically enabled on all interfaces. To disable the flow control on all interfaces, enter the command “no flow control rx on tx off” and save the configuration.
Table 26-1. iSCSI Optimization: Default Parameters
Parameter: VLAN priority tag. Default Value: iSCSI flows are assigned by default to dot1p priority 4 without remark setting.
Parameter: DSCP. Default Value: None; user-configurable.
Parameter: Remark. Default Value: Not configured.
Parameter: iSCSI session aging time. Default Value: 10 minutes.
Parameter: iSCSI optimization target ports. Default Value: iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
Parameter: iSCSI session monitoring. Default Value: Disabled.
Step 4 (Optional): Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication will be monitored, where:
• tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens to requests. You can configure up to 16 target TCP ports on the switch in one command or multiple commands. Default: 860, 3260. Separate port numbers with a comma.
Step 9 (Optional): Enter interface configuration mode to configure the auto-detection of Compellent disk arrays. Command: interface port-type slot/port (Command Mode: CONFIGURATION).
Step 10 (Optional): Configure the auto-detection of Compellent arrays on a port. Default: Compellent disk arrays are not detected. Command: [no] iscsi profile-compellent (Command Mode: INTERFACE).
Displaying iSCSI Optimization Information
Use the show commands in Table 26-2 to display information on iSCSI optimization. Table 26-2.
Figure 26-3. show iscsi session Command Example
VLT PEER1
FTOS#show isci session
Session 0:
-----------------------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
VLT PEER2
Session 0:
-----------------------------------------------------------------------------------------
Target: iqn.2001-05.com.
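The session-monitoring behaviour this chapter describes (packets to or from TCP 3260 or 860 count as iSCSI, sessions are tracked and aged out after the 10-minute default, and past 256 simultaneous sessions a new one is ignored with an ISCSI_OPT_MAX_SESS_EXCEEDED message) is modelled in this added example, which is not code from the guide or from FTOS. The model keys sessions on the IP/port pairs of the flow; FTOS keys on the ISID and initiator/target names from the iSCSI login, which this example does not parse. All addresses in the demonstration are constructed.

```python
"""iSCSI session monitor model (added example, not FTOS code)."""

DEFAULT_TARGET_PORTS = {3260, 860}   # well-known iSCSI ports per the guide
MAX_SESSIONS = 256                   # limit per the guide
DEFAULT_AGING_SECONDS = 600          # 10-minute default aging time per Table 26-1


class IscsiMonitor:
    def __init__(self, target_ports=DEFAULT_TARGET_PORTS, max_sessions=MAX_SESSIONS,
                 aging=DEFAULT_AGING_SECONDS):
        self.target_ports = set(target_ports)
        self.max_sessions = max_sessions
        self.aging = aging
        self.sessions = {}   # (initiator ip, initiator port, target ip, target port) -> last seen
        self.log = []        # messages the switch would emit

    def classify(self, src_ip, src_port, dst_ip, dst_port):
        """Return the session key with the target side normalised, or None if not iSCSI."""
        if dst_port in self.target_ports:
            return (src_ip, src_port, dst_ip, dst_port)
        if src_port in self.target_ports:          # reply direction: target -> initiator
            return (dst_ip, dst_port, src_ip, src_port)
        return None

    def observe(self, now, src_ip, src_port, dst_ip, dst_port):
        """Account one trapped packet; return what happened to its session."""
        key = self.classify(src_ip, src_port, dst_ip, dst_port)
        if key is None:
            return "not-iscsi"
        if key in self.sessions:
            self.sessions[key] = now               # refresh the aging timer
            return "updated"
        if len(self.sessions) >= self.max_sessions:
            self.log.append("%iSCSI-5-ISCSI_OPT_MAX_SESS_EXCEEDED: New iSCSI Session Ignored: "
                            f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}")
            return "ignored"
        self.sessions[key] = now
        return "new"

    def expire(self, now):
        """Clear sessions idle for the aging period; return how many were removed."""
        stale = [k for k, seen in self.sessions.items() if now - seen >= self.aging]
        for k in stale:
            del self.sessions[k]
        return len(stale)


if __name__ == "__main__":
    m = IscsiMonitor()
    print(m.observe(0, "10.0.0.10", 50000, "10.0.0.20", 3260))   # new
    print(m.observe(1, "10.0.0.20", 3260, "10.0.0.10", 50000))   # updated (reply direction)
    print(m.observe(1, "10.0.0.10", 50001, "10.0.0.20", 443))    # not-iscsi
    print(m.expire(700), len(m.sessions))                        # 1 0
```

From an operations standpoint the 256-session ceiling is worth alerting on: once it is hit, new sessions still flow but stop receiving the QoS treatment, and the log line above is the only sign.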
27 Intermediate System to Intermediate System
Intermediate System to Intermediate System is supported on the following platforms: ez
IS-IS is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. It is supported on the with FTOS 8.3.10.0 and on the z platform with FTOS 9.0.0.0
Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
IS-IS is organized hierarchically into routing domains, and each router or system resides in at least one area. In IS-IS, routers are designated as Level 1, Level 2 or Level 1-2 systems. Level 1 routers only route traffic within an area, while Level 2 routers route traffic between areas. At its most basic, Level 1 systems route traffic within the area and any traffic destined for outside the area is sent to a Level 1-2 system.
Multi-Topology IS-IS
FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. E-Series ExaScale platform ex supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. S-Series platform supports Multi-Topology IS-IS with FTOS 8.3.10.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
Interface support
MT IS-IS is supported on physical Ethernet interfaces, physical Sonet interfaces, port-channel interfaces (static & dynamic using LACP), and VLAN interfaces.
Adjacencies
Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement Multi-Topology (MT) extensions. If a local router does not participate in certain MTs, it will not advertise those MT IDs in its IIHs and so will not include that neighbor within its LSPs.
• The T1 timer specifies the wait time before unacknowledged restart requests are generated. This is the interval before the system sends a Restart Request (an IIH with RR bit set in Restart TLV) until the CSNP is received from the helping router. The duration can be set to a specific amount of time (seconds) or a number of attempts.
• The T2 timer is the maximum time that the system will wait for LSP database synchronization. This timer applies to the database type (level-1, level-2 or both).
Table 27-1 displays the default values for IS-IS. Table 27-1.
• Set the overload bit on page 591
• Debug IS-IS on page 592
Enable IS-IS
By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are the same IS type.
Step 3: Enter the interface configuration mode. Enter the keyword interface followed by the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback followed by a number from 0 to 16383.
Figure 27-2. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
Configure Multi-Topology IS-IS (MT IS-IS)
Step 1: Enable Multi-Topology IS-IS for IPv6. Enter the transition keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in MT IS-IS IPv6 mode, users can remove the transition keyword on each router.
Command Syntax: graceful-restart restart-wait seconds (Command Mode: ROUTER-ISIS). Purpose: Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the t3 timer to adjacency on the restarting router when implementing this command.
Use the show isis graceful-restart detail command in EXEC Privilege mode to view all Graceful Restart related configuration. Figure 27-4.
Figure 27-5. Command Example: show isis interface
FTOS#show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
MTU 1497, Encapsulation SAP
Routing Protocol: IS-IS
Circuit Type: Level-1-2
Interface Index 0x62cc03a, Local circuit ID 1
Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01
Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10
Number of active level-1 adjacencies: 1
Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
Figure 27-6. Command Example: show running-config isis FTOS#show running-config isis ! router isis lsp-refresh-interval 902 net 47.0005.0001.000C.000A.4321.00 net 51.0005.0001.000C.000A.4321.00 FTOS# Configure IS-IS metric style and cost All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations. The possible cost varies depending on the metric style supported.
Figure 27-7. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
Table 27-3. Correct Value Range for the isis metric command Metric Style Correct Value Range narrow transition 0 to 63 transition 0 to 63 Configuring the distance of a route Configure the distance for a route using the distance command from ROUTER ISIS mode.
Figure 27-8. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num B233.00-00 0x00000003 eljefe.00-00 * 0x00000009 eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.00-00 0x00000002 IS-IS Level-2 Link State Database LSPID LSP Seq Num B233.00-00 0x00000006 eljefe.00-00 * 0x0000000D eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.
Configure the prefix list in the PREFIX LIST mode prior to assigning it to the IS-IS process. For configuration information on prefix lists, see Chapter 6, Access Control Lists (ACLs). IPv4 routes Use the following commands in ROUTER ISIS mode to apply prefix lists to incoming or outgoing IPv4 routes. Note: These commands apply to IPv4 IS-IS only.
IPv6 routes Use these commands in ADDRESS-FAMILY IPV6 mode to apply prefix lists to incoming or outgoing IPv6 routes. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes. Command Syntax Command Mode Purpose distribute-list prefix-list-name in [interface] ROUTER ISIS-AF IPV6 Apply a configured prefix list to all incoming IPv6 IS-IS routes.
Redistribute routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. Note: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution. IPv4 routes Use any of the following commands in ROUTER ISIS mode to add routes from other routing instances or protocols.
IPv6 routes Use any of these commands in ROUTER ISIS ADDRESS-FAMILY IPV6 mode to add routes from other routing instances or protocols. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes.
Use either or both of the commands in ROUTER ISIS mode to configure a simple text password. Command Syntax Command Mode Purpose area-password [hmac-md5] password ROUTER ISIS Configure authentication password for an area. FTOS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs. domain-password [encryption-type | hmac-md5] password ROUTER ISIS Set the authentication password for a routing domain.
Figure 27-9. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num B233.00-00 0x00000003 eljefe.00-00 * 0x0000000A eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.00-00 0x00000002 IS-IS Level-2 Link State Database LSPID LSP Seq Num B233.00-00 0x00000006 eljefe.00-00 * 0x0000000E eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.
Command Syntax Command Mode Purpose debug isis update-packets [interface] EXEC Privilege View sent and received LSPs. To view specific information, enter one of the following optional parameters: • interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. FTOS displays debug messages on the console. Use the show debugging command in EXEC Privilege mode to view which debugging commands are enabled.
For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. Table 27-4.
Table 27-5.
Leaking from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 27-7.
Sample Configuration The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Figure 27-10. IS-IS Sample Configuration - Congruent Topology FTOS(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ip address 24.3.1.1/24 ipv6 address 24:3::1/76 ip router isis ipv6 router isis no shutdown FTOS (conf-if-te-3/17)# FTOS (conf-router_isis)#show config ! router isis metric-style wide level-1 metric-style wide level-2 net 34.0000.0000.AAAA.00 FTOS (conf-router_isis)# Figure 27-11.
Figure 27-13.
28 Link Aggregation Control Protocol (LACP)
Link Aggregation Control Protocol (LACP) is supported on platforms: e cs
The major sections in the chapter are:
• Introduction to Dynamic LAGs and LACP
• LACP Configuration Tasks
• Shared LAG State Tracking
• Configure LACP as Hitless
• LACP Basic Configuration Example
Introduction to Dynamic LAGs and LACP
A Link Aggregation Group (LAG), referred to as a port channel by FTOS, can provide both load-sharing and port redundancy across line cards.
Important Points to Remember
• LACP enables you to add members to a port channel (LAG) as long as it has no static members. Conversely, if the LAG already contains a statically defined member (channel-member command), the port-channel mode command is not permitted.
• A static LAG cannot be created if a dynamic LAG using the selected number already exists.
LACP Configuration Commands If aggregated ports are configured with compatible LACP modes (Off, Active, Passive), LACP can automatically link them, as defined in IEEE 802.3, Section 43. The following commands configure LACP: Command Syntax Command Mode Purpose [no] lacp system-priority priority-value CONFIGURATION Configure the system priority.
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG as shown in the example below: FTOS(conf)#interface vlan 10 FTOS(conf-if-vl-10)#tagged port-channel 32 Configure the LAG interfaces as dynamic After creating a LAG, configure the dynamic LAG interfaces. The following example shows ports 3/15, 3/16, 4/15, and 4/16 added to LAG 32 in LACP mode with the command port-channel-protocol lacp.
To configure the LACP long timeout as shown in the example below: Step 1 Task Command Syntax Command Mode Set the LACP timeout value to 30 seconds. lacp long-timeout CONFIG-INT-PO FTOS(conf)# interface port-channel 32 FTOS(conf-if-po-32)#no shutdown FTOS(conf-if-po-32)#switchport FTOS(conf-if-po-32)#lacp long-timeout FTOS(conf-if-po-32)#end FTOS# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.
Shared LAG State Tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. In the following illustration, line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2, as shown. Traffic is equally distributed between LAGs 1 and 2. If LAG 1 fails, all traffic from R1 to R4 flows across LAG 2 only.
R2#config R2(conf)#port-channel failover-group R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2 View the failover group configuration using the show running-configuration po-failover-group command, as shown in the example below. R2#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 In the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down upon the failure.
Note: The set of console messages shown in Message 1 appears only if Shared LAG State Tracking is configured on that router (the feature can be configured on one or both sides of a link). For example, in the previous illustration, if Shared LAG State Tracking is configured on R2 only, then no messages appear on R4 regarding the state of LAGs in a failover group. Important Points about Shared LAG State Tracking
• This feature is available for static and dynamic LAGs.
The sections are:
• Configuring a LAG on ALPHA
• Summary of the configuration on ALPHA
• Summary of the configuration on BRAVO
[Figure: Port Channel 10 between ALPHA (Gig 2/31, Gig 2/32, Gig 2/33) and BRAVO (Gig 3/21, Gig 3/22, Gig 3/23)]
Configuring a LAG on ALPHA
Creating a LAG on ALPHA.
Shows the status of this physical interface, and shows it is part of port channel 10. Alpha#sh int gig 2/31 GigabitEthernet 2/31 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes Shows the speed of this physical interface.
Inspecting configuration of LAG 10 on ALPHA. Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Using the show lacp command to verify LAG 10 status on ALPHA. Alpha#sho lacp 10 Port-channel 10 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e806.953e Partner System ID: Priority 32768, Address 0001.e809.
Summary of the configuration on ALPHA.
Summary of the configuration on BRAVO.
Using the show INTERFACE command to inspect a LAG port on BRAVO. Shows the status of this interface. Also shows it is part of LAG 10. Bravo#show int gig 3/21 GigabitEthernet 3/21 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:09:c3:82 Current address is 00:01:e8:09:c3:82 Shows that this is a Layer 2 port.
Using the show interfaces port-channel command to inspect LAG 10. Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Using the show lacp command to inspect LAG status. FTOS#show lacp 10 Port-channel 10 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e809.c24a Partner System ID: Priority 32768, Address 0001.e806.
29 Layer 2
Layer 2 features are supported on platforms: ecsz
This chapter describes the following Layer 2 features:
• Managing the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Microsoft Clustering
• Configuring Redundant Pairs
• Restricting Layer 2 Flooding
• Far-end Failure Detection
Managing the MAC Address Table
FTOS provides the following management activities for the MAC address table:
• Clear the MAC Address Table
• Set the Aging Time for Dynamic Entries
• Configure a Static MAC Addre
Set the Aging Time for Dynamic Entries Learned MAC addresses are entered in the table as dynamic entries, which means that they are subject to aging. For any dynamic entry, if no packet arrives on the switch with the MAC address as the source or destination address within the timer period, the address is removed from the table. The default aging time is 1800 seconds. Task Command Syntax Command Mode Disable MAC address aging for all dynamic entries.
Display the MAC Address Table To display the contents of the MAC address table: Task Command Syntax Command Mode Display the contents of the MAC address table. • address displays the specified entry. • aging-time displays the configured aging-time. • count displays the number of dynamic and static entries for all VLANs, and the total number of entries. • dynamic displays only dynamic entries. • interface displays only entries for the specified interface. • static displays only static entries.
MAC Address Learning Limit is a method of port security on Layer 2 port-channel and physical interfaces, and VLANs. It enables you to set an upper limit on the number of MAC addresses that are learned on an interface/VLAN. After the limit is reached, the system drops all traffic from a device with an unlearned MAC address.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If sticky MAC is enabled, the specified port will retain any dynamically-learned addresses and prevent them from being transferred or learned on other ports. If mac-learning-limit is configured and sticky MAC is enabled, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
Station Move Violation Actions Station Move Violation Actions are supported only on platforms: S-Series (S25/S50) is the default behavior. You can configure the system to take an action if a station move occurs using one of the following options with the mac learning-limit command: no-station-move Task Command Syntax Command Mode Generate a system log message indicating a station move.
Per-VLAN MAC Learning Limit Per-VLAN MAC Learning Limit is available only on platform: e An individual MAC learning limit can be configured for each VLAN using Per-VLAN MAC Learning Limit. One application of Per-VLAN MAC Learning Limit is on access ports. In the following illustration, an Internet Exchange Point (IXP) connects multiple Internet Service Providers (ISPs). An IXP can provide several types of services to its customers including public and private peering.
(in the above example, this is Port 0/5 of the switch). To ensure the MAC address is disassociated with one port and re-associated with another port in the ARP table, you must configure the command mac-address-table station-move refresh-arp on the Dell Force10 switch at the time that NIC teaming is being configured on the server. Note: If this command is not configured, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 29-2.
Default Behavior When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration. If the active server sends a reply, the Dell Force10 switch learns the active server’s MAC address. If all servers reply, the switch registers only the last received ARP reply, and the switch learns one server’s actual MAC address (Figure 29-3); the virtual MAC address is never learned.
As shown in Figure 29-5, the server MAC address is given in the Ethernet frame header of the ARP reply, while the virtual MAC address representing the cluster is given in the payload. The vlan-flooding command directs the system to discover that there are different MAC addresses in an ARP reply and associate the virtual MAC address with the VLAN connected to the cluster. Then, all traffic destined for the cluster is flooded out of all member ports.
Configuring Redundant Pairs Configuring Redundant Pairs is supported on platforms: ecs Z Networks that employ switches that do not support Spanning Tree (STP) — for example, networks with Digital Subscriber Line Access Multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (Figure 29-6).
You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active UP state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Figure 29-7.
Restricting Layer 2 Flooding Restricting Layer 2 Flooding is supported only on platform: e When Layer 2 multicast traffic must be forwarded on a VLAN that has multiple ports with different speeds on the same port-pipe, forwarding is limited to the speed of the slowest port. Restricted Layer 2 Flooding prevents slower ports from lowering the throughput of multicast traffic on faster ports by restricting flooding to ports with a speed equal to or above a link speed you specify.
Far-end Failure Detection Far-end Failure Detection is supported on platforms e Z Far-end Failure Detection (FEFD) is a protocol that senses remote data link errors in a network. It responds by sending a unidirectional report that triggers an echoed response after a specified time interval. FEFD can be enabled globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration. Figure 29-10.
FEFD state changes FEFD has two operational modes, Normal and Aggressive. When Normal mode is enabled on an interface and a far-end failure is detected, no intervention is required to reset the interface to bring it back to an FEFD operational state. When Aggressive mode is enabled on an interface in the same state, manual intervention is required to reset the interface.
Important Points to Remember
• FEFD enabled ports are subject to an 8 to 10 second delay during an RPM failover before becoming operational.
• FEFD can be enabled globally or on a per interface basis.
• Interface FEFD configurations override global FEFD configurations.
• FTOS supports FEFD on physical Ethernet interfaces only, excluding the management interface.
Enable FEFD on an Interface Entering the command fefd in INTERFACE mode enables FEFD on a per interface basis. To change the FEFD mode, supplement the fefd command in INTERFACE mode by entering the command fefd [mode {aggressive | normal}]. To disable FEFD protocol on one interface, enter the command fefd disable in INTERFACE mode.
Figure 29-13.
30 Link Layer Discovery Protocol (LLDP)
Link Layer Discovery Protocol (LLDP) is supported only on platforms: ecs
This chapter contains the following sections:
• 802.1AB (LLDP) Overview
• TIA-1057 (LLDP-MED) Overview
• Configuring LLDP
802.1AB (LLDP) Overview Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.1AB—is a protocol that enables a LAN device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Figure 30-1. Type, Length, Value (TLV) Segment TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 30-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs.
Figure 30-2. LLDPDU Frame Optional TLVs FTOS supports the following optional TLVs:
• Management TLVs
• IEEE 802.1 and 802.3 Organizationally Specific TLVs
• TIA-1057 Organizationally Specific TLVs
Management TLVs A Management TLV is an Optional TLV sub-type. This kind of TLV contains essential management information about the sender. The five types are described in Table 30-2. Organizationally Specific TLVs Organizationally specific TLVs can be defined by a professional organization or a vendor.
IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups (Table 30-2) as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Force10 system to advertise any or all of these TLVs. Table 30-2. Optional TLV Types Type TLV Description Optional TLVs 4 Port description A user-defined alphanumeric string that describes the port. FTOS does not currently support this TLV.
TIA-1057 (LLDP-MED) Overview Link Layer Discovery Protocol—Media Endpoint Discovery (LLDP-MED) as defined by ANSI/TIA-1057—provides additional organizationally specific TLVs so that endpoint devices and network connectivity devices can advertise their characteristics and configuration information; the OUI for the Telecommunications Industry Association (TIA) is 00-12-BB.
Table 30-3.
Figure 30-4. LLDP-MED Capabilities TLV
Table 30-4. FTOS LLDP-MED Capabilities
Bit Position  TLV                          FTOS Support
0             LLDP-MED Capabilities        Yes
1             Network Policy               Yes
2             Location Identification      Yes
3             Extended Power via MDI-PSE   Yes
4             Extended Power via MDI-PD    No
5             Inventory                    No
6-15          reserved                     No
Table 30-5.
The application type is represented by an integer (the Type integer in Table 30-6), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED Network Policy TLV is generated for each application type that you specify with the FTOS CLI (Advertising TLVs on page 650).
Extended Power via MDI TLV The Extended Power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the Extended Power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device.
• Power Type: there are two possible power types: Power Sourcing Entity (PSE) or Power Device (PD). The Dell Force10 system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
Important Points to Remember
• LLDP is disabled by default.
• Dell Force10 systems support up to 8 neighbors per interface.
• Dell Force10 systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by 8 exceeds the maximum, the system will not configure more than 8000.
• INTERFACE level configurations override all CONFIGURATION level configurations.
• LLDP is not hitless.
Figure 30-7.
Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces.
• If you configure the system globally, all interfaces will send LLDPDUs with the specified TLVs.
• If you configure an interface, only the interface will send LLDPDUs with the specified TLVs.
If LLDP is configured both globally and at interface level, the interface level configuration overrides the global configuration.
Figure 30-8. Configuring LLDP Viewing the LLDP Configuration Display the LLDP configuration using the command show config in either the CONFIGURATION or INTERFACE mode, as shown in Figure 30-9 and Figure 30-10, respectively. Figure 30-9.
Figure 30-10.
Figure 30-12.
Figure 30-13.
Figure 30-14.
Figure 30-15.
FTOS# debug lldp interface gigabitethernet 1/2 packet detail tx FTOS#1w1d19h : Transmit timer blew off for local interface Gi 1/2 1w1d19h : Forming LLDP pkt to send out of interface Gi 1/2 1w1d19h : TLV: Chassis ID, Len: 7, Subtype: Mac address (4), Value: 00:01:e8:0d:b6:d6 1w1d19h : TLV: Port ID, Len: 20, Subtype: Interface name (5), Value: GigabitEthernet 1/2 1w1d19h : TLV: TTL, Len: 2, Value: 120 1w1d19h : TLV: SYS_DESC, Len: 207, Value:Dell Force10 Networks Real Time Operating System Software.
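The Chassis ID, Port ID and TTL TLVs in the debug output above can be rebuilt and checked byte for byte. This is an added Python example, not FTOS code: it encodes those three mandatory TLVs with the 7-bit type / 9-bit length header of Figure 30-1, frames them as an LLDPDU (Figure 30-2) using the IEEE 802.1AB EtherType 0x88CC and multicast address 01:80:C2:00:00:0E (constants not stated on this page), and decodes a frame back while rejecting truncated or out-of-order TLVs, the check a receiver should apply before trusting a neighbor's advertisement.

```python
"""Encode/decode the mandatory LLDP TLVs (Chassis ID, Port ID, TTL).

Added example, not FTOS code. Chassis MAC, port name and TTL come from the
debug output on this page; EtherType 0x88CC and the LLDP multicast MAC are
IEEE 802.1AB constants.
"""
import struct

# IEEE 802.1AB TLV type numbers and the subtypes seen in the debug output
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
CHASSIS_SUBTYPE_MAC = 4      # "Subtype: Mac address (4)"
PORT_SUBTYPE_IFNAME = 5      # "Subtype: Interface name (5)"
LLDP_MULTICAST_MAC = bytes.fromhex("0180c200000e")
LLDP_ETHERTYPE = 0x88CC


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """TLV header: 7-bit type followed by 9-bit length (Figure 30-1)."""
    if not 0 <= tlv_type <= 0x7F or len(value) > 0x1FF:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: str, port_name: str, ttl: int) -> bytes:
    """Mandatory TLVs in their required order, then End of LLDPDU."""
    mac = bytes.fromhex(chassis_mac.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("chassis MAC must be 6 bytes")
    return (encode_tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + mac)
            + encode_tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode("ascii"))
            + encode_tlv(TTL, struct.pack("!H", ttl))
            + encode_tlv(END_OF_LLDPDU, b""))


def build_frame(src_mac: str, lldpdu: bytes) -> bytes:
    """Ethernet II framing (Figure 30-2): LLDP multicast destination, EtherType 0x88CC."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return LLDP_MULTICAST_MAC + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu


def split_tlvs(payload: bytes):
    """Yield (type, length, value) up to End of LLDPDU; reject truncated TLVs."""
    off = 0
    while off + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(payload):
            raise ValueError(f"TLV type {tlv_type} claims {length} bytes, "
                             f"only {len(payload) - off} remain")
        yield tlv_type, length, payload[off:off + length]
        off += length
        if tlv_type == END_OF_LLDPDU:
            return
    raise ValueError("missing End of LLDPDU TLV")


def parse_frame(frame: bytes) -> dict:
    """Check framing, then decode the three mandatory TLVs in their required order."""
    if len(frame) < 14 or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        raise ValueError("not an LLDP frame")
    tlvs = list(split_tlvs(frame[14:]))
    if [t for t, _, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    (_, clen, chassis), (_, plen, port), (_, tlen, ttl) = tlvs[:3]
    if clen != 7 or chassis[0] != CHASSIS_SUBTYPE_MAC:
        raise ValueError("unsupported Chassis ID subtype or length")
    if plen < 2 or port[0] != PORT_SUBTYPE_IFNAME:
        raise ValueError("unsupported Port ID subtype or length")
    if tlen != 2:
        raise ValueError("TTL TLV must be 2 bytes")
    return {
        "chassis_id": ":".join(f"{b:02x}" for b in chassis[1:]),
        "port_id": port[1:].decode("ascii"),
        "ttl": struct.unpack("!H", ttl)[0],     # TTL 0 means the neighbor is withdrawing
        "tlv_lengths": (clen, plen, tlen),      # Len: 7, 20, 2 in the debug output
        "optional_tlv_count": len(tlvs) - 4,    # after the mandatory three, before End of LLDPDU
    }


def check_frame(frame: bytes) -> str:
    """'ok' or the rejection reason, in a form suitable for a syslog line."""
    try:
        parse_frame(frame)
        return "ok"
    except ValueError as exc:
        return f"rejected: {exc}"


def decode_page_example() -> dict:
    """Round-trip the TLV values shown in the debug lldp output above."""
    pdu = build_lldpdu("00:01:e8:0d:b6:d6", "GigabitEthernet 1/2", 120)
    return parse_frame(build_frame("00:01:e8:0d:b6:d6", pdu))


if __name__ == "__main__":
    print(decode_page_example())
    good = build_frame("00:01:e8:0d:b6:d6",
                       build_lldpdu("00:01:e8:0d:b6:d6", "GigabitEthernet 1/2", 120))
    print(check_frame(good), "|", check_frame(good[:-6]))  # the cut frame is rejected
```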
Table 30-7.
Table 30-8.
Table 30-9. LLDP 802.
Table 30-10.
31 Multicast Source Discovery Protocol (MSDP) Multicast Source Discovery Protocol (MSDP) is supported on platform e and . Protocol Overview Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP. Each RP peers with every other RP via TCP. Through this connection, peers advertise the sources in their domain. 1.
RPs advertise each (S,G) in their domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 31-2. MSDP SA Message Format [diagram: Source Port, Dest. Port (639), Seq. Number, Ack.; Type Code legend 1 to 7]
Configuring Multicast Source Discovery Protocol Configuring MSDP is a three-step process: 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Figure 31-5 and MSDP Sample Configurations on page 686 show the OSPF-BGP configuration used in this chapter for MSDP. Otherwise, see Chapter 34, Open Shortest Path First (OSPFv2) and Chapter 9, Border Gateway Protocol. 2. Configure PIM-SM within each EGP routing domain.
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
[Multicast Source Discovery Protocol (MSDP) topology diagram: PC 1 (10.11.3.2/24) on R1 1/1; R1 1/21 connects to R2 2/11]
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
router ospf 1
 network 192.168.0.1/32 area 0
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
R2_E300(conf)#do show run bgp
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 update-source Loopback 0
 neighbor 192.168.0.
[Topology diagram residue: R1 (RP1), R2, R3 and R4 (AS 200, RP2); PC 2 and PC 3 receive 239.0.0.1; PIM and IGMP links]
ip multicast-routing
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4
ip multicast-routing
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4
ip multicast-routing
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
PC 2 Source: 239.0.0.
R1_E600(conf)#do show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom Expire UpTime 239.0.0.1 10.11.4.2 192.168.0.1 local 95 16:49:25 (10.11.4.2, 239.0.0.1), uptime 1d16h, expires 00:03:12, flags: CTA Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.1.21 Outgoing interface list: GigabitEthernet 1/1 Forward/Sparse 22:26:37/Never (*, 239.0.0.1), uptime 22:26:37, expires 00:00:00, RP 192.168.0.
Enable MSDP Enable MSDP by peering RPs in different administrative domains. Step Task Command Syntax Command Mode 1 Enable MSDP. ip multicast-msdp CONFIGURATION 2 Peer PIM systems in different administrative domains. ip msdp peer connect-source CONFIGURATION Figure 31-7. Configuring an MSDP Peer R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.
• RPs can transmit SA messages periodically to prevent SA storms, and only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information.
View the Source-active Cache Task Command Syntax Command Mode View the SA cache. show ip msdp sa-cache EXEC Privilege Figure 31-9. Displaying the MSDP Source-active Cache R3_E600#show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr 239.0.0.1 10.11.4.2 192.168.0.
Task Command Syntax Command Mode Cache rejected sources. ip msdp cache-rejected-sa CONFIGURATION Accept Source-active Messages that fail the RPF Check A default peer is a peer from which active sources are accepted even though they fail the RPF check.
• the peer RP is unreachable, or because of an SA message format error.
In Scenario 1 of Figure 31-10, all MSDP peers are up.
Figure 31-10.
Task Command Syntax Command Mode Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check. ip msdp default-peer ip-address list CONFIGURATION Figure 31-11. Accepting Source-active Messages with FTOS(conf)#ip msdp peer 10.0.50.
Prevent MSDP from Caching a Local Source You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs. Task Command Syntax Command Mode OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache. ip msdp cache-rejected-sa CONFIGURATION Prevent the system from caching local SA entries based on source and group using an extended ACL.
Prevent MSDP from Caching a Remote Source Task Command Syntax Command Mode OPTIONAL: Cache sources that are denied by the SA filter in the rejected SA cache. ip msdp cache-rejected-sa CONFIGURATION Prevent the system from caching remote sources learned from a specific peer based on source and group. ip msdp sa-filter list out peer list ext-acl CONFIGURATION In Figure 31-14, R1 is advertising source 10.11.4.2.
Prevent MSDP from Advertising a Local Source Task Command Syntax Command Mode Prevent an RP from advertising a source in the SA cache. ip msdp sa-filter list in peer list ext-acl CONFIGURATION In Figure 31-14, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires. Figure 31-14. Preventing MSDP from Advertising a Local Source [Router 1] R1_E600(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.
Log Changes in Peership States Task Command Syntax Command Mode Log peership state changes. ip msdp log-adjacency-changes CONFIGURATION Terminate a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. Task Command Syntax Command Mode Terminate the TCP connection with a peer.
Clear Peer Statistics Task Command Syntax Command Mode Reset the TCP connection to the peer and clear all peer statistics. clear ip msdp peer peer-address CONFIGURATION Figure 31-16. Clearing Peer Statistics R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Debug MSDP Task Command Syntax Command Mode Display the information exchanged between peers. debug ip msdp CONFIGURATION Figure 31-17. Debugging MSDP R1_E600(conf)#do debug ip msdp All MSDP debugging has been turned on R1_E600(conf)#03:16:08 : MSDP-0: Peer 03:16:09 : MSDP-0: Peer 192.168.0.3, 03:16:27 : MSDP-0: Peer 192.168.0.3, 03:16:38 : MSDP-0: Peer 192.168.0.3, 03:16:39 : MSDP-0: Peer 192.168.0.3, 03:17:09 : MSDP-0: Peer 192.168.0.3, 03:17:10 : MSDP-0: Peer 192.
MSDP with Anycast RP (10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags: FTA Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0 Outgoing interface list: GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40 GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40 Figure 31-18. (topology diagram: Source, Receiver, R4, PIM, BGP, OSPF Area 0, AS X) (*, 239.0.0.1), uptime 00:00:23, expires 00:00:00, RP 192.168.0.
Reducing Source-active Message Flooding RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
Figure 31-19. R1 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.11/32 no shutdown ! router ospf 1 network 10.11.2.
Figure 31-20. R2 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.
Figure 31-21. R3 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
MSDP Sample Configurations The following figures show the running-configurations for the routers shown in Figure 31-5, Figure 31-4, Figure 31-5, and Figure 31-6. Figure 31-22. MSDP Sample Configuration: R1 Running-config ip multicast-routing ! interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.
Figure 31-23. MSDP Sample Configuration: R2 Running-config ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.
Figure 31-24. MSDP Sample Configuration: R3 Running-config ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown ! interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 0/0 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
Figure 31-25. MSDP Sample Configuration: R4 Running-config ip multicast-routing ! interface GigabitEthernet 4/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface GigabitEthernet 4/22 ip address 10.10.42.1/24 no shutdown ! interface GigabitEthernet 4/31 ip pim sparse-mode ip address 10.11.6.43/24 no shutdown ! interface Loopback 0 ip address 192.168.0.4/32 no shutdown ! router ospf 1 network 10.11.5.0/24 area 0 network 10.11.6.0/24 area 0 network 192.168.0.
32 Multiple Spanning Tree Protocol (MSTP) Multiple Spanning Tree Protocol (MSTP) is supported on platforms: ecsz Protocol Overview Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. In contrast, PVST+ allows a spanning tree instance for each VLAN.
FTOS supports three other variations of Spanning Tree, as shown in Table 44.
Table 32-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term | IEEE Specification
Spanning Tree Protocol | 802.1d
Rapid Spanning Tree Protocol | 802.1w
Multiple Spanning Tree Protocol | 802.1s
Per-VLAN Spanning Tree Plus | Third Party
Implementation Information The FTOS MSTP implementation is based on IEEE 802.
• Preventing Network Disruptions with BPDU Guard on page 1011
• SNMP Traps for Root Elections and Topology Changes on page 873
• Configuring Spanning Trees as Hitless on page 1017
Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP: Step Task Command Syntax Command Mode 1 Enter PROTOCOL MSTP mode. protocol spanning-tree mstp CONFIGURATION 2 Enable MSTP.
Create Multiple Spanning Tree Instances A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP you must create multiple MSTIs and map VLANs to them. Create an MSTI using the command msti from PROTOCOL MSTP mode. Specify the keyword vlan followed by the VLANs that you want to participate in the MSTI, as shown in Figure 32-3. Figure 32-3.
Influence MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it will become the root bridge. To change the bridge priority: Task Command Syntax Command Mode Assign a number as the bridge priority. A lower number increases the probability that the bridge becomes the root bridge.
For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly. The default values for name and revision will match on all Dell Force10 FTOS equipment. If you have non-FTOS equipment that will participate in MSTP, ensure that these values match on all the equipment. Note: Some non-FTOS equipment may implement a non-null default region name. SFTOS, for example, uses the Bridge ID, while others may use a MAC address.
To change MSTP parameters, use the following commands on the root bridge: Task Command Syntax Command Mode Change the forward-delay parameter. • Range: 4 to 30 • Default: 15 seconds forward-delay seconds PROTOCOL MSTP Change the hello-time parameter. Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time. Range: 1 to 10 Default: 2 seconds hello-time seconds PROTOCOL MSTP Change the max-age parameter.
Table 32-2 lists the default values for port cost by interface. Table 32-2.
To enable EdgePort on an interface, use the following command: Task Command Syntax Command Mode Enable EdgePort on an interface. spanning-tree mstp edge-port [bpduguard | shutdown-on-violation] INTERFACE Verify that EdgePort is enabled on a port using the command show config from the INTERFACE mode, as shown in Figure 32-8. FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior: 1 If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
MSTP Sample Configurations The running-configurations in Figure 32-10, Figure 32-11, and Figure 32-11 support the topology shown in Figure 32-9. The configurations are from FTOS systems. An S50 system using SFTOS, configured as shown in Figure 32-13, could be substituted for an FTOS router in this sample topology and MSTP would function as designed. Figure 32-9.
Figure 32-10.
Figure 32-11.
Figure 32-12.
Figure 32-13.
Figure 32-14. Displaying BPDUs and Events FTOS#debug spanning-tree mstp bpdu 1w1d17h : MSTP: Sending BPDU on Gi 1/31 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68 CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 20000 Regional Bridge Id: 32768:0001.e809.c24a, CIST Port Id: 128:384 Msg Age: 2, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: my-mstp-region, Rev: 0, Int Root Path Cost: 20000 Rem Hops: 19, Bridge Id: 32768:0001.e80d.
Figure 32-15. Sample Output for show running-configuration spanning-tree mstp command FTOS#show run spanning-tree mstp ! protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 Figure 32-16.
33 Multicast Features Multicast Features are supported on platforms: ecs This chapter contains the following sections:
• Enable IP Multicast on page 707
• Multicast with ECMP on page 708
• First Packet Forwarding for Lossless Multicast on page 709
• Multicast Policies on page 710
• Multicast Traceroute on page 717
FTOS supports the following multicast protocols:
• PIM Sparse-Mode (PIM-SM) on page 775
• Internet Group Management Protocol (IGMP) on page 457
• Multicast Source Discovery Protocol (MSDP) on
Multicast with ECMP Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal-cost links. When creating the shared tree, Protocol Independent Multicast (PIM) uses routes from all configured routing protocols to select the best route to the rendezvous point (RP). If there are multiple equal-cost paths, PIM selects the route with the least number of currently running multicast streams.
As the upper five bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.5 is a well-known IP address for OSPF that maps to the multicast MAC address 01:00:5e:00:00:05. However, 225.0.0.5, 226.0.0.5, etc., map to the same multicast MAC address. The Layer 2 FIB alone cannot differentiate multicast control traffic from multicast data traffic with the same address, so if you use IP address 225.0.0.
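The following Python is an added example, not code from the FTOS guide: it performs the IP-to-MAC translation described above, enumerates the 32 group addresses that share one MAC, and goes one step beyond the text by checking a planned set of groups for Layer 2 collisions with control addresses such as 224.0.0.5. The function names and the sample addressing plan are my own.

```python
import ipaddress
from collections import defaultdict

# 01:00:5e:00:00:00, the IANA-assigned prefix for IPv4 multicast MAC addresses.
MCAST_MAC_PREFIX = 0x01005E000000


def multicast_ip_to_mac(addr: str) -> str:
    """Map an IPv4 multicast address to its Ethernet MAC address.

    Only the low-order 23 bits of the IP address are copied into the MAC;
    the upper 5 bits of the 28-bit group ID are dropped, so 32 different
    groups share each MAC (224.0.0.5 -> 01:00:5e:00:00:05, and so does 225.0.0.5).
    """
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not in 224.0.0.0/4")
    mac = MCAST_MAC_PREFIX | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def colliding_groups(addr: str) -> list[str]:
    """Return all 32 IPv4 multicast groups whose MAC equals that of addr.

    The dropped bits are bits 23..27 of the address, so for 224.0.0.5 the
    colliding set is 224.0.0.5, 224.128.0.5, 225.0.0.5, 225.128.0.5, ..., 239.128.0.5.
    """
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not in 224.0.0.0/4")
    low23 = int(ip) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (high5 << 23) | low23))
            for high5 in range(32)]


def layer2_collisions(groups: list[str]) -> dict[str, list[str]]:
    """Group planned multicast addresses by MAC and keep only the MACs that
    more than one group maps to: these are the groups a Layer 2 FIB (or IGMP
    snooping keyed on the MAC) cannot tell apart."""
    by_mac: dict[str, list[str]] = defaultdict(list)
    for group in groups:
        by_mac[multicast_ip_to_mac(group)].append(group)
    return {mac: members for mac, members in by_mac.items() if len(members) > 1}


if __name__ == "__main__":
    # Constructed addressing plan: one data group that collides with the OSPF
    # AllSPFRouters control address at Layer 2, and one that does not.
    plan = ["224.0.0.5", "225.0.0.5", "239.1.1.1"]
    for group in plan:
        print(f"{group:>12} -> {multicast_ip_to_mac(group)}")
    print(layer2_collisions(plan))
```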
Multicast Policies FTOS offers parallel Multicast features for IPv4 and IPv6.
Note: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit might be superseded by this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit set by ip multicast-limit is reached. Prevent a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports.
ip igmp snooping enable interface Vlan 400 ip pim sparse-mode ip address 10.11.4.1/24 untagged GigabitEthernet 1/2 ip igmp access-group igmpjoinfilR2G2 no shutdown (*, 239.0.0.1), uptime 00:00:06, expires 00:00:00, RP 10.11.12.2, flags: SCJ Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.
Rate Limit IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined using the command ip igmp group-join-limit from INTERFACE mode. Hosts whose IGMP requests are denied will use the retry mechanism built into IGMP, so that their membership is delayed rather than permanently denied. View the enable status of this feature using the command show ip igmp interface from EXEC Privilege mode.
(10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:03:07, flags: CT Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2 Outgoing interface list: Vlan 300 Forward/Sparse 00:00:40/Never (*, 239.0.0.2), uptime 00:00:40, expires 00:00:00, RP 10.11.12.2, flags: SCJ Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.2 Outgoing interface list: Vlan 300 Forward/Sparse 00:00:40/Never (10.11.5.2, 239.0.0.
Prevent a PIM Router from Processing a Join Permit or deny PIM Join/Prune messages on an interface using an extended IP access list. Use the command ip pim join-filter to prevent the PIM-SM router from creating state based on multicast source and/or group. Note: Dell Force10 recommends that you do not use the ip pim join-filter command on an interface between a source and the RP router.
Prevent an IPv6 Neighbor from Forming an Adjacency Task Command Syntax Command Mode Prevent a router from participating in PIM.
Multicast Traceroute Multicast Traceroute is supported only on platform: e MTRACE is an IGMP-based tool that prints the network path that a multicast packet takes from a source to a destination, for a particular group. FTOS has mtrace client and mtrace transmit functionality.
• MTRACE Client—an mtrace client transmits mtrace queries and prints out the details of received responses.
34 Open Shortest Path First (OSPFv2 and OSPFv3) Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms c e s Z Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms c eZ OSPF for IPv4 is supported on the E-Series ExaScale platform with FTOS 8.1.1.0; OSPF for IPv6 is supported on E-Series ExaScale with FTOS version 8.2.1.0 and later.
Protocol Overview Open Shortest Path First (OSPF) routing is a link-state routing protocol that calls for the sending of Link-State Advertisements (LSAs) to all other routers within the same Autonomous System (AS) Areas. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm (Shortest Path First algorithm) to calculate the shortest path to each node.
Figure 34-1. Autonomous System Areas Area Types The Backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any Autonomous System (AS). All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
A Stub Area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. Note that all routers within an assigned Stub area must be configured as stubby, and not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. Stubby areas cannot be traversed by a virtual link.
Figure 34-2. OSPF Routing Examples Backbone Router (BR) A Backbone Router (BR) is part of the OSPF Backbone, Area 0. This includes all Area Border Routers (ABRs). It can also include any routers that connect only to the Backbone and another ABR, but are only part of Area 0, such as Router I in Figure 34-2 above.
Area Border Router (ABR) Within an AS, an Area Border Router (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An Area Border Router (ABR) takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to.
Link-State Advertisements (LSAs) A Link-State Advertisement (LSA) communicates the router’s local routing topology to all other local routers in the same area.
• OSPFv3 can treat LSAs as having link-local flooding scope, or store and flood them as if they are understood, while ignoring them in their own SPF algorithms.
• OSPFv2 always discards unknown LSA types.
For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the Link-State ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object to which this link connects. Depending on the type, the link ID has different meanings.
Figure 34-3. Priority and Costs Example Implementing OSPF with FTOS FTOS supports up to 10,000 OSPF routes. Within that 10,000 up to 8,000 routes can be designated as external and up to 2,000 designated as inter/intra area routes. FTOS version 7.8.1.0 and later support multiple OSPF processes (OSPF MP). The S-Series supports up to 16 processes simultaneously. The Z-Series supports up to three OSPF processes simultaneously. Prior to 7.8.1.0, FTOS supports 1 OSPFv2 and 1 OSPFv3 process ID per system.
• AS External (type 5)
• NSSA External (type 7)
• Opaque Link-local (type 9)
Graceful Restart Graceful Restart for OSPFv2 is supported on platforms cesz in Helper and Restart modes. Graceful Restart for OSPFv3 is supported on platforms et z in Helper and Restart modes. When a router goes down without a Graceful Restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes.
• OSPFv3 supports “helper-only” and “restarting-only” roles. The “helper-only” role is enabled by default. To enable the restarting role in addition to the “helper-only” role, you must configure a grace period. You reconfigure OSPFv3 graceful restart to a “restarting-only” role when you enable the helper-reject role on an interface. OSPFv3 supports the helper-reject role on a per-interface basis.
• The Z9000 supports up to 16 OSPFv2 processes. Each OSPFv2 process has a unique process ID and must have an associated Router ID. At least as many interfaces must be in Layer-3 mode as there are processes created. For example, if 5 OSPFv2 processes are created on a system, there must be at least 5 interfaces assigned in Layer-3 mode. Each OSPFv2 process is independent. If one process loses adjacency, the other processes continue to function.
Figure 34-4. Enabling RFC-2328 Compliant OSPF Flooding 00:10:41 : OSPF(1000:00): Printed only for ACK packets Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c 00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 100 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.
To ensure equal intervals between the routers, manually set the dead interval of the Dell Force10 router to match the Cisco configuration. Use the command ip ospf dead-interval in INTERFACE mode: Figure 34-6. Command Example: ip ospf intervals FTOS(conf)#int gi 2/2 FTOS(conf-if-gi-2/2)#ip ospf hello-interval 20 FTOS(conf-if-gi-2/2)#ip ospf dead-interval 80 Dead Interval Set at 4x Hello Interval FTOS(conf-if-gi-2/2)# Figure 34-7.
2. Enable OSPF globally. Assign network area and neighbors. 3. Add interfaces or configure other attributes.
Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process. Command Syntax Command Mode Usage router ospf process-id [vrf {vrf name}] CONFIGURATION Enable the OSPFv2 process globally. Range: 0-65535 vrf name: Enter the VRF keyword and instance name to tie the OSPF instance to the VRF.
Enable Multi-Process OSPF Multi-Process OSPF allows multiple OSPFv2 processes on a single router. For more information, see Multi-Process OSPF (OSPFv2, IPv4 only). Follow the same steps as above when configuring a single OSPF process. Repeat them as often as necessary for the desired number of processes. Once the process is created, all other configurations apply as usual. Step 1 Command Syntax Command Mode Usage ip address ip-address mask CONFIG-INTERFACE Assign an IP address to an interface.
In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting. Command Syntax Command Mode Usage router-id ip address CONFIG-ROUTER-OSPF-id Assign the Router ID for the OSPFv2 process. IP Address: A.B.C.D Use the no router ospf process-id command syntax in the CONFIGURATION mode to disable OSPF.
Enable OSPFv2 on interfaces Each interface must have OSPFv2 enabled on it. It must be configured for Layer 3 protocol and not be shutdown. OSPFv2 can also be assigned to a loopback interface as a virtual interface. OSPF functions and features such as MD5 Authentication, Grace Period, Authentication Wait Time, etc., are assigned on a per interface basis. Note: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
Figure 34-10. Command Example: show ip ospf process-id interface FTOS>show ip ospf 1 interface GigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Configure stub areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the Area Border Router (ABR) advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
Enable passive interfaces A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface will neither send nor receive routing updates, the network on that interface will still be included in OSPF updates sent via other interfaces. Use the following command in ROUTER OSPF mode to suppress an interface’s participation in OSPF.
Figure 34-13. Command Example: show ip ospf process-id interface FTOS#show ip ospf 34 int GigabitEthernet 0/0 is up, line protocol is down Internet Address 10.1.2.100/24, Area 1.1.1.1 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DOWN, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Figure 34-14 shows the convergence settings when fast-convergence is enabled and Figure 34-15 shows settings when fast-convergence is disabled. These displays appear with the show ip ospf command. Figure 34-14. Command Example: show ip ospf process-id (fast-convergence enabled) FTOS(conf-router_ospf-1)#fast-converge 2 FTOS(conf-router_ospf-1)#ex FTOS(conf)#ex FTOS#show ip ospf 1 Routing Process ospf 1 with ID 192.168.67.
Use any or all of the following commands in CONFIGURATION INTERFACE mode to change OSPFv2 parameters on the interfaces: Command Syntax Command Mode Usage ip ospf cost CONFIG-INTERFACE Change the cost associated with OSPF traffic on the interface. Cost: 1 to 65535 (default depends on the interface speed). ip ospf dead-interval seconds CONFIG-INTERFACE Change the time interval the router waits before declaring a neighbor dead. Seconds range: 1 to 65535.
Figure 34-16. Changing the OSPF Cost Value on an Interface FTOS(conf-if)#ip ospf cost 45 FTOS(conf-if)#show config ! interface GigabitEthernet 0/0 ip address 10.1.2.100 255.255.255.0 no shutdown The change is made on the interface and it is reflected in the OSPF configuration. ip ospf cost 45 FTOS(conf-if)#end FTOS#show ip ospf 34 interface GigabitEthernet 0/0 is up, line protocol is up Internet Address 10.1.2.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.
• helper-reject neighbors—the router ID of each restart router that does not receive assistance from the configured router.
• mode—the situation or situations that trigger a graceful restart.
• role—the role or roles the configured router can perform.
Note: By default, OSPFv2 graceful restart is disabled. You enable OSPFv2 graceful restart in CONFIGURATION ROUTER OSPF mode.
Figure 34-17. Command Example: show run ospf FTOS#show run ospf ! router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.0.2.0/24 area 0 Use the following command to disable OSPFv2 graceful-restart after you have enabled it. Command Syntax Command Mode Usage no graceful-restart grace-period CONFIG-ROUTER-OSPF-id Disable OSPFv2 graceful-restart.
Use the following command in CONFIGURATION ROUTER OSPF mode to configure virtual links. Command Syntax Command Mode Usage area area-id virtual-link router-id [hello-interval seconds | retransmit-interval seconds | transmit-delay seconds | dead-interval seconds | authentication-key key | message-digest-key keyid md5 key] CONFIG-ROUTER-OSPF-id Configure the optional parameters of a virtual link: • Area ID: assigned earlier (0-65535 or A.B.C.
Command Syntax Command Mode Usage seq sequence-number {deny |permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] CONFIG-PREFIX-LIST Create a prefix list with a sequence number and a deny or permit action. The optional parameters are: ge min-prefix-length: is the minimum prefix length to be matched (0 to 32). le max-prefix-length: is the maximum prefix length to be matched (0 to 32).
To view the current OSPF configuration, use the show running-config ospf command in the EXEC mode or the show config command in the ROUTER OSPF mode. Figure 34-19. Command Example: show config FTOS(conf-router_ospf)#show config ! router ospf 34 network 10.1.2.32 0.0.0.255 area 2.2.2.2 network 10.1.3.24 0.0.0.255 area 3.3.3.3 distribute-list dilling in FTOS(conf-router_ospf)# Troubleshooting OSPFv2 FTOS has several tools to make troubleshooting easier.
Use the show running-config ospf command to see the state of all the enabled OSPFv2 processes. Command Syntax Command Mode Usage show running-config ospf EXEC Privilege View the summary of all OSPF process IDs enabled on the router. Figure 34-20. Command Example: show running-config ospf FTOS#show run ospf ! router ospf 3 ! router ospf 4 router-id 4.4.4.4 network 4.4.4.0/28 area 1 ! router ospf 5 ! router ospf 6 ! router ospf 7 mib-binding ! router ospf 8 ! router ospf 90 area 2 virtual-link 4.4.4.
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process: Command Syntax Command Mode Usage debug ip ospf process-id [event | packet | spf] EXEC Privilege View debug messages. To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id. If you do not enter a process ID, the command applies to the first OSPF process.
Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc. Basic OSPFv2 Router Topology The following illustration is a sample basic OSPFv2 topology.
Configuration Task List for OSPFv3 (OSPF for IPv6) Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms ce The configuration options of OSPFv3 are the same as those for OSPFv2, but may be configured with differently labeled commands. Process IDs and areas need to be specified. Interfaces and addresses need to be included in the process. Areas can be defined as stub or totally stubby.
Enable IPv6 Unicast Routing Command Syntax Command Mode Usage ipv6 unicast routing CONFIGURATION Enables IPv6 unicast routing globally. Assign IPv6 addresses on an interface Command Syntax Command Mode Usage ipv6 address ipv6 address CONF-INT-type slot/port Assign IPv6 address to the interface. IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
Assign OSPFv3 Process ID and Router ID Globally Command Syntax Command Mode Usage ipv6 router ospf {process ID} CONFIGURATION Enable the OSPFv3 process globally and enter OSPFv3 mode. Range: 0-65535 router-id {number} CONF-IPV6-ROUTER-OSPF Assign the Router ID for this OSPFv3 process number: IPv4 address Format: A.B.C.D Note: The router-id for an OSPFv3 router is entered as an IPv4 IP address.
Configure Passive-Interface Use the following command to suppress the interface’s participation on an OSPFv3 interface. This command stops the router from sending updates on that interface. Command Syntax Command Mode Usage passive-interface {type slot/port} CONF-IPV6-ROUTER-OSPF Specify whether some or all of the interfaces will be passive. Interface identifies the specific interface that will be passive.
Redistribute routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process. Command Syntax Command Mode Usage redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] CONF-IPV6-ROUTER-OSPF Specify which routes will be redistributed into the OSPF process.
Enable OSPFv3 graceful restart Graceful Restart for OSPFv3 is supported on platforms et z. Refer to Graceful Restart for more information on the feature. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA.
To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands: Command Syntax Command Mode Usage show run ospf EXEC Privilege Display the graceful-restart configuration for OSPFv2 and OSPFv3 (Figure 34-23). show ipv6 ospf database grace-lsa EXEC Privilege Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (Figure 34-24).
Figure 34-24. Command Example: show ipv6 ospf database database-summary FTOS#show ipv6 ospf database database-summary ! OSPFv3 Router with ID (200.1.1.
OSPFv3 Authentication Using IPsec OSPFv3 Authentication Using IPsec is supported only on platforms: etz Starting in release 8.4.2.0, OSPFv3 uses the IP Security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer.
OSPFv3 Authentication Using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
To use IPsec, you configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security parameter index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is transparent to the user.
• Configuring IPsec Authentication for an OSPFv3 Area
• Configuring IPsec Encryption for an OSPFv3 Area
• Displaying OSPFv3 IPsec Security Policies
Configuring IPsec Authentication on an Interface
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
Configuring IPsec Encryption on an Interface
Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, you must first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
To remove an IPsec encryption policy from an interface, enter the no ipv6 ospf encryption ipsec spi number command. To remove null encryption on an interface so that the interface inherits the encryption policy configured for the OSPFv3 area, enter the no ipv6 ospf encryption null command. To display the configuration of IPsec encryption policies on the router, enter the show crypto ipsec policy command.
To display the configuration of IPsec authentication policies on the router, enter the show crypto ipsec policy command.
Configuring IPsec Encryption for an OSPFv3 Area
Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
Note that when you configure encryption with the area encryption command, you enable both IPsec encryption and authentication. When you enable authentication on an area with the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area with the area authentication command, you cannot use the area encryption command in the same area at the same time.
Figure 34-26. Command Example: show crypto ipsec policy
FTOS#show crypto ipsec policy
Crypto IPSec client security policy data
Policy name             : OSPFv3-1-502
Policy refcount         :
Inbound ESP SPI         :
Outbound ESP SPI        :
Inbound ESP Auth Key    :
Outbound ESP Auth Key   :
Inbound ESP Cipher Key  :
Outbound ESP Cipher Key :
Transform set           :
In this encryption policy, the keys are not encrypted.
To display the IPsec security associations (SAs) used on OSPFv3 interfaces, enter the following command:
Command Syntax: show crypto ipsec sa ipv6 [interface interface]
Command Mode: EXEC Privilege
Usage: Displays the security associations set up for OSPFv3 links by the IPsec authentication and encryption policies on the router.
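As an added illustration of the checks a practitioner would run against these policies (this is example code written for this guide, not FTOS software or FTOS output): the Python script below parses text laid out with the field names that show crypto ipsec policy prints, using a constructed sample, and reports SPIs outside 256-4294967295, an inbound/outbound SPI mismatch, an SPI reused by a second policy, keys that are not hex digits of the length the algorithm needs (RFC 4552 key sizes), and null encryption, which leaves OSPFv3 packets readable on the wire. The policy names, SPIs, keys and the esp-3des/esp-md5-hmac transform-set spelling are assumptions made for the example.

```python
import re

# Constructed sample in the shape of the field names that `show crypto ipsec policy`
# prints on the page; every value here is invented for this example.
SAMPLE_POLICIES = """\
Policy name             : OSPFv3-1-502
Policy refcount         : 1
Inbound ESP SPI         : 502
Outbound ESP SPI        : 502
Inbound ESP Auth Key    : 0123456789abcdef0123456789abcdef
Outbound ESP Auth Key   : 0123456789abcdef0123456789abcdef
Inbound ESP Cipher Key  : 0123456789abcdef0123456789abcdef0123456789abcdef
Outbound ESP Cipher Key : 0123456789abcdef0123456789abcdef0123456789abcdef
Transform set           : esp-3des esp-md5-hmac

Policy name             : OSPFv3-2-100
Policy refcount         : 1
Inbound ESP SPI         : 100
Outbound ESP SPI        : 101
Inbound ESP Auth Key    : abcd
Outbound ESP Auth Key   : abcd
Inbound ESP Cipher Key  :
Outbound ESP Cipher Key :
Transform set           : esp-null esp-sha1-hmac
"""

# Key sizes from RFC 4552: HMAC-MD5-96 uses a 128-bit key, HMAC-SHA1-96 a 160-bit key,
# 3DES-CBC a 192-bit key and AES-CBC a 128/192/256-bit key, all entered as hex digits.
AUTH_KEY_HEX = {"md5": {32}, "sha1": {40}}
CIPHER_KEY_HEX = {"3des": {48}, "aes": {32, 48, 64}, "null": {0}}
# SPI values 0-255 are reserved by the IPsec RFCs; the upper bound is the 32-bit field.
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF
HEX = re.compile(r"^[0-9a-fA-F]*$")


def parse_policies(text):
    """Split the show output into one dict of field -> value per policy block."""
    policies = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Policy name" in fields:
            policies.append(fields)
    return policies


def algorithms(transform_set):
    """Return (cipher, auth) from a transform string such as 'esp-3des esp-md5-hmac'
    (the transform-set spelling is an assumption of this example)."""
    cipher = auth = None
    for token in transform_set.lower().split():
        name = token.replace("esp-", "").replace("-hmac", "")
        if name in AUTH_KEY_HEX:
            auth = name
        else:
            cipher = name
    return cipher, auth


def hex_key_ok(key, sizes):
    return bool(HEX.match(key)) and len(key) in sizes


def audit(text):
    """Return {policy name: [findings]}; an empty list means the policy passed."""
    findings = {}
    owner_of_spi = {}
    for p in parse_policies(text):
        name = p["Policy name"]
        notes = findings.setdefault(name, [])
        cipher, auth = algorithms(p.get("Transform set", ""))
        spi_in = int(p.get("Inbound ESP SPI") or -1)
        spi_out = int(p.get("Outbound ESP SPI") or -1)
        if spi_in != spi_out:
            notes.append("inbound and outbound SPI differ (RFC 4552 manual keying uses one SA for both directions)")
        for spi in {spi_in, spi_out}:
            if not SPI_MIN <= spi <= SPI_MAX:
                notes.append(f"SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        if owner_of_spi.setdefault(spi_in, name) != name:
            notes.append(f"SPI {spi_in} already used by policy {owner_of_spi[spi_in]}")
        if cipher == "null":
            notes.append("null encryption: OSPFv3 packets are authenticated but sent in clear text")
        for field in ("Inbound ESP Auth Key", "Outbound ESP Auth Key"):
            if auth and not hex_key_ok(p.get(field, ""), AUTH_KEY_HEX[auth]):
                notes.append(f"{field}: expected {sorted(AUTH_KEY_HEX[auth])[0]} hex digits for {auth}")
        for field in ("Inbound ESP Cipher Key", "Outbound ESP Cipher Key"):
            if cipher in CIPHER_KEY_HEX and not hex_key_ok(p.get(field, ""), CIPHER_KEY_HEX[cipher]):
                notes.append(f"{field}: length does not match the {cipher} key size")
    return findings


if __name__ == "__main__":
    for policy, notes in audit(SAMPLE_POLICIES).items():
        print(policy, "OK" if not notes else "")
        for note in notes:
            print("  -", note)
```

Run against the sample, the first policy passes and the second collects six findings: the SPI mismatch, both SPIs in the reserved range, null encryption, and two SHA1 keys that are far too short. Because the keys themselves appear in the show output, treat a capture of that output with the same care as the running configuration.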
Figure 34-27.
Troubleshooting OSPFv3
FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt the OSPFv3 process. This is not a comprehensive list, just some examples of typical troubleshooting checks.
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv3 process:
Command Syntax: debug ipv6 ospf [event | packet]
Command Mode: EXEC Privilege
Usage: View debug messages for all OSPFv3 interfaces.
• event: View OSPFv3 event messages.
• packet: View OSPFv3 packets.
• For a Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information (e.g., passive-interface gi 2/1).
35 PIM Sparse-Mode (PIM-SM)
PIM Sparse-Mode (PIM-SM) is supported on platforms: e c s z
PIM Sparse-Mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only upon request, using a PIM Join message; this behavior is the opposite of PIM Dense-Mode, which forwards multicast traffic to all subnets until it receives a request to stop.
Implementation Information
• The Dell Force10 implementation of PIM-SM is based on the IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
Requesting Multicast Traffic
A host requesting multicast traffic for a particular group sends an IGMP Join message to its gateway router. The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic.
1. Upon receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group.
source, including the RP, create an (S,G) entry and list the interface on which the message was received as an outgoing interface, thus recreating a SPT to the source.
3. Once the RP starts receiving multicast traffic via the (S,G) entry, it unicasts a Register-Stop message to the first-hop DR so that the DR stops encapsulating multicast packets in PIM Register packets and unicasting them to the RP.
Enable PIM-SM
You must enable PIM-SM on each participating interface:
Step 1: Enable multicast routing on the system. Command: ip multicast-routing (CONFIGURATION mode)
Step 2: Enable PIM Sparse-Mode. Command: ip pim sparse-mode (INTERFACE mode)
Display which interfaces are enabled with PIM-SM using the command show ip pim interface from EXEC Privilege mode, as shown in Figure 35-1.
Figure 35-1.
Figure 35-3. Viewing the PIM Multicast Routing Table
FTOS#show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.
Step 3: Set the expiry time for a specific (S,G) entry (Figure 35-4). Command: ip pim sparse-mode sg-expiry-timer seconds sg-list access-list-name (CONFIGURATION mode). Range: 211-86400 seconds. Default: 210.
Note: The expiry time configuration is nullified, and the default global expiry time is used, if:
• an ACL is specified in the ip pim sparse-mode sg-expiry-timer command, but the ACL has not been created or is a standard ACL.
Override Bootstrap Router Updates
PIM-SM routers need to know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or from a static RP configuration. If you have configured a static RP for a group, use the override option with the command ip pim rp-address to override bootstrap router updates with your static RP configuration.
Create Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM Multicast Border Routers (PMBRs). PMBRs connect each PIM domain to the rest of the internet. To create multicast boundaries and domains, filter inbound and outbound Bootstrap Router (BSR) messages per interface with the ip pim bsr-border command.
Enable PIM-SM graceful restart (non-stop forwarding capability) using the command ip pim graceful-restart nsf from CONFIGURATION mode. There are two options with this command:
• the restart time, which is the time required by the Dell Force10 system to restart. The default value is 180 seconds.
• stale-entry-time, which is the maximum amount of time that the Dell Force10 system preserves entries from a restarting neighbor. The default value is 60 seconds.
36 Port Monitoring
Port Monitoring is supported on platforms: e c s z
Port Monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port Monitoring functionality differs between platforms, but the behavior is the same, with the exceptions highlighted below.
• The C-Series and S-Series may only have four destination ports per port-pipe. There is no limitation on the total number of monitoring sessions. Table 36-1 lists the maximum number of monitoring sessions per system. For the C-Series and S-Series, the total number of sessions is derived by consuming a unique destination port in each session, in each port-pipe.
Table 36-1.
On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3). Therefore, the E-Series TeraScale supports as many monitoring sessions as there are port-pipes in the system.
Message 2. Multiple Source-Destination Statements Error Message on E-Series TeraScale
% Error: Remove existing monitor configuration.
The number of source ports FTOS allows within a port-pipe is equal to the number of physical ports in the port-pipe (n). However, those n ports may only use four different destination ports (Message 5).
Figure 36-2.
Figure 36-4.
Configuring Port Monitoring
To configure port monitoring:
Step 1: Verify that the intended monitoring port has no configuration other than no shutdown, as shown in Figure 36-6. Command: show interface (EXEC Privilege mode)
Step 2: Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in Figure 36-6.
In the figure, host traffic enters on port 1/1 and server traffic on port 1/3; the sniffer is attached to port 1/2.
FTOS(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
 no ip address
 no shutdown
FTOS(conf)#monitor session 0
FTOS(conf-mon-sess-0)#source gig 1/1 destination gig 1/2 direction rx
Flow-based Monitoring
Flow-based Monitoring is supported only on platform: e
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface.
Figure 36-8. Configuring Flow-based Monitoring
FTOS(conf)#monitor session 0
FTOS(conf-mon-sess-0)#flow-based enable
FTOS(conf)#ip access-list ext testflow
FTOS(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor
FTOS(config-ext-nacl)#seq 10 permit ip 102.1.1.
37 Private VLANs (PVLAN)
The Private VLANs (PVLAN) feature is supported on platforms: c s z
For syntax details on the commands discussed in this chapter, see the Private VLANs Commands chapter in the FTOS Command Line Reference.
• Ports in a community VLAN can communicate with each other.
• Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN.
• A community VLAN can only contain ports configured as host.
Isolated VLAN: An isolated VLAN is a type of secondary VLAN in a primary VLAN:
• Ports in an isolated VLAN cannot talk directly to each other.
• Ports in an isolated VLAN can only communicate with promiscuous ports in the primary VLAN.
Private VLAN Commands
The commands dedicated to supporting the Private VLANs feature are:
Table 37-1. Private VLAN Commands
Task: Enable/disable Layer 3 communication between secondary VLANs. Command Syntax: [no] ip local-proxy-arp
Note: Even after ip local-proxy-arp is disabled (no ip local-proxy-arp) in a secondary VLAN, Layer 3 communication may continue between some secondary VLAN hosts until the ARP entries on those hosts time out.
Private VLAN Configuration Task List
The following sections contain the procedures that configure a private VLAN:
• Creating PVLAN ports
• Creating a Primary VLAN on page 797
• Creating a Community VLAN on page 798
• Creating an Isolated VLAN on page 798
Creating PVLAN ports
Private VLAN ports are those that will be assigned to the private VLAN (PVLAN).
Creating a Primary VLAN
A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs.
Step 1: interface vlan vlan-id (CONFIGURATION mode). Access the INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
Creating a Community VLAN
A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN.
Step 1: interface vlan vlan-id (CONFIGURATION mode). Access the INTERFACE VLAN mode for the VLAN that you want to make a community VLAN.
Step 2: no shutdown (INTERFACE VLAN mode). Enable the VLAN.
Figure 37-2.
The result is that:
• The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports.
• The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
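The reachability rules above, as an added Python model (example code written for this guide, not part of FTOS): it uses the VLAN numbers from this example (primary 4000, community 4001 and 4002, isolated 4003) with a constructed port assignment, answers which port pairs can exchange traffic, shows how enabling ip local-proxy-arp reopens Layer 3 paths between hosts that the PVLAN isolates at Layer 2 (the point of the note in Table 37-1), and checks that only host ports sit in secondary VLANs. The port names are assumptions.

```python
from itertools import combinations

# VLAN numbers follow the page's example; the port assignment below is constructed.
PRIMARY_VLAN = 4000
COMMUNITY_VLANS = {4001, 4002}
ISOLATED_VLANS = {4003}

# port -> (role, secondary VLAN); promiscuous ports belong to the primary VLAN only
PORTS = {
    "gi 1/1": ("promiscuous", None),
    "gi 1/2": ("host", 4001),
    "gi 1/3": ("host", 4001),
    "gi 1/4": ("host", 4002),
    "gi 1/5": ("host", 4003),
    "gi 1/6": ("host", 4003),
}


def validate(ports=PORTS):
    """Enforce the rule that secondary VLANs contain only host ports."""
    errors = []
    for port, (role, vlan) in ports.items():
        if vlan in COMMUNITY_VLANS | ISOLATED_VLANS and role != "host":
            errors.append(f"{port}: {role} port cannot be in secondary VLAN {vlan}")
        if vlan is None and role != "promiscuous":
            errors.append(f"{port}: host port must be in a secondary VLAN")
    return errors


def can_talk(src, dst, ports=PORTS, local_proxy_arp=False):
    """Layer 2 reachability between two PVLAN ports, plus the Layer 3 path that
    ip local-proxy-arp opens through the primary VLAN's router interface."""
    role_s, vlan_s = ports[src]
    role_d, vlan_d = ports[dst]
    if "promiscuous" in (role_s, role_d):
        return True                      # promiscuous ports reach everything
    if vlan_s != vlan_d:
        # different secondary VLANs never talk directly; the router can proxy
        # for them only when ip local-proxy-arp is enabled
        return local_proxy_arp
    if vlan_s in ISOLATED_VLANS:
        return local_proxy_arp           # isolated hosts are split even from each other
    return True                          # same community VLAN


def reachable_pairs(ports=PORTS, local_proxy_arp=False):
    """All unordered port pairs that can exchange traffic."""
    return sorted((a, b) for a, b in combinations(sorted(ports), 2)
                  if can_talk(a, b, ports, local_proxy_arp))


if __name__ == "__main__":
    print("config errors:", validate())
    print("Layer 2 only:", reachable_pairs())
    print("with ip local-proxy-arp:", reachable_pairs(local_proxy_arp=True))
```

With proxy ARP off, six pairs can talk: the promiscuous port with each of the five hosts, and the two hosts in community VLAN 4001. With ip local-proxy-arp on, all fifteen pairs can, which is why disabling it (and waiting for host ARP caches to expire, as the note says) is part of restoring isolation.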
• show vlan private-vlan mapping: Display the primary-secondary VLAN mapping. See the example output from the S50V in Figure 37-6.
Two show commands revised to display PVLAN data are:
• show arp (see the revised output in Figure 37-7)
• show vlan (see Figure 37-4)
Figure 37-5. show vlan private-vlan Example Output from C300
c300-1#show vlan private-vlan
Primary   Secondary   Type        Active
-------   ---------   ---------   ------
4000                  Primary     Yes
          4001        Community   Yes
          4002        Community   Yes
          4003        Isolated    Yes
Figure 37-8.
38 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN Spanning Tree Plus (PVST+) is supported on platforms: e c s z
Protocol Overview
Per-VLAN Spanning Tree Plus (PVST+) is a variation of Spanning Tree, developed by a third party, that allows you to configure a separate Spanning Tree instance for each VLAN. For more information on Spanning Tree, see Chapter 50, Spanning Tree Protocol (STP).
Figure 38-1.
Table 38-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term: Multiple Spanning Tree Protocol (MSTP); IEEE Specification: 802.1s
Dell Force10 Term: Per-VLAN Spanning Tree Plus (PVST+); IEEE Specification: Third Party
Implementation Information
• The FTOS implementation of PVST+ is based on IEEE Standard 802.1d.
• The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs (Table 38-2). Other implementations use IEEE 802.
Enable PVST+
When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally:
Step 1: Enter the PVST context. Command: protocol spanning-tree pvst (CONFIGURATION mode; places you in PROTOCOL PVST mode)
Step 2: Enable PVST+. Command: no disable (PROTOCOL PVST mode)
Disable PVST+
Disable PVST+ globally: disable (PROTOCOL PVST mode)
Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
Figure 38-3. Load Balancing with PVST+ (STI 1: VLAN 100, root R1; STI 2: VLAN 200, root R2; STI 3: VLAN 300, root R3; each root is configured with bridge-priority 4096 for the VLAN it roots, and the remaining ports of each instance are blocking or forwarding accordingly)
The bridge with the lowest bridge priority value is elected root. Since all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker.
Figure 38-4. Display the PVST+ Forwarding Topology
FTOS_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.b6d6
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 4096, Address 0001.e80d.b6d6
Configured hello time 2, max age 20, forward delay 15
We are the root of VLAN 100
Current root has priority 4096, Address 0001.e80d.
Change the max-age parameter. Range: 6 to 40. Default: 20 seconds. Command: vlan max-age (PROTOCOL PVST mode)
The values for global PVST+ parameters are given in the output of the command show spanning-tree pvst, as shown in Figure 38-4.
Modify Interface PVST+ Parameters
You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port:
• Port cost is a value that is based on the interface type.
Change the port priority of an interface. Range: 0 to 240, in increments of 16. Default: 128. Command: spanning-tree pvst vlan priority (INTERFACE mode)
The values for interface PVST+ parameters are given in the output of the command show spanning-tree pvst, as shown in Figure 38-4.
Configure an EdgePort
The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel that is already in the error-disabled state, the new member port is also disabled in the hardware.
In the figure, two untagged ports of one Dell Force10 system, P1 in VLAN 10 and P2 in VLAN 20, are connected through a VLAN-unaware hub, so each receives the other's BPDUs; P2 moves to blocking unless Extended System ID is enabled.
Task: Augment the Bridge ID with the VLAN ID. Command: extend system-id (PROTOCOL PVST mode)
FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.
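Added example (written for this guide, not FTOS code): a Python model of the bridge ID and root election described in this chapter, including the extended system ID, which adds the VLAN ID to the 4096-step priority and is why the output above shows Priority 32773 for VLAN 5. The topology follows Figure 38-3 (R1, R2 and R3 each root of one VLAN with bridge-priority 4096); the MAC addresses and the rogue bridge are invented. The rogue case is the security point: any device that sends BPDUs with a lower priority wins the election unless BPDU guard stops it at the edge.

```python
# Bridge priority is the high 16 bits of the bridge ID, the MAC the low 48.
# With extend system-id the 16-bit field is split: a 4-bit priority step
# (multiples of 4096) plus the 12-bit VLAN ID, which is why VLAN 5 shows as
# "Priority 32773" (32768 + 5) in the output above.
DEFAULT_PRIORITY = 32768


def bridge_id(priority, mac, vlan=None, extend_system_id=True):
    """Return the bridge identifier as a 64-bit integer; the lowest wins the election."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if extend_system_id:
        if vlan is None or not 1 <= vlan <= 4094:
            raise ValueError("extend system-id needs a VLAN ID")
        priority += vlan
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return (priority << 48) | mac_int


def split_priority(displayed):
    """Undo the extended system ID: 32773 -> (32768, 5)."""
    return displayed & 0xF000, displayed & 0x0FFF


def elect_root(bridges, vlan, extend_system_id=True):
    """bridges: name -> (mac, {vlan: configured priority}); returns the root's name.
    Bridges without a per-VLAN entry run at the default priority."""
    def ident(name):
        mac, priorities = bridges[name]
        return bridge_id(priorities.get(vlan, DEFAULT_PRIORITY), mac, vlan, extend_system_id)
    return min(bridges, key=ident)


# Constructed after Figure 38-3: each router is root of one VLAN by configuring
# bridge-priority 4096 there. The MAC addresses are invented for this example.
BRIDGES = {
    "R1": ("0001.e80d.b6d6", {100: 4096}),
    "R2": ("0001.e80d.c001", {200: 4096}),
    "R3": ("0001.e80d.d002", {300: 4096}),
}

if __name__ == "__main__":
    for vlan in (100, 200, 300, 400):
        print(f"VLAN {vlan}: root is {elect_root(BRIDGES, vlan)}")
    rogue = dict(BRIDGES, rogue=("00de.adbe.ef00", {100: 0}))
    print("with a priority-0 bridge on VLAN 100:", elect_root(rogue, 100))
```

For VLAN 400, where nobody is configured, all three run at 32768 + 400 and R1 wins on its lower MAC; a bridge announcing priority 0 takes VLAN 100 away from R1 immediately, which is the case bpduguard on EdgePorts exists to prevent.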
Figure 38-6.
Figure 38-7.
39 Quality of Service (QoS)
Quality of Service (QoS) is supported on platforms: e c s z
Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per port-pipe. Traffic is queued on ingress and egress. By default, on ingress, all data traffic is mapped to Queue 0, and all control traffic is mapped to Queue 7. On egress, control traffic is mapped across all eight queues.
Table 39-1.
Figure 39-1. Dell Force10 QoS Architecture (ingress packet processing: packet classification (ACL), marking (DiffServ, 802.1p, EXP), rate policing, buffers and class-based queues; switching; egress packet processing: rate limiting, buffers and class-based queues, congestion management (WFQ scheduling), traffic shaping,
congestion avoidance (WRED))
Implementation Information
The Dell Force10 QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
• Set dot1p Priorities for Incoming Traffic
• Configure Port-based Rate Policing
• Configure Port-based Rate Limiting
• Configure Port-based Rate Shaping
Set dot1p Priorities for Incoming Traffic
Change the priority of incoming traffic on the interface using the command dot1p-priority from INTERFACE mode, as shown in Figure 39-2. FTOS places traffic marked with a priority in a queue based on Table 39-2.
On the C-Series and S-Series you can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. See Mapping dot1p values to service queues on page 832. Note: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. Figure 39-3.
Figure 39-5.
Figure 39-7.
Policy-based QoS Configurations
Policy-based QoS configurations consist of the components shown in Figure 39-9.
Figure 39-9.
2. Once you create a class-map, FTOS places you in CLASS MAP mode. From this mode, specify your match criteria using the command match ip, as shown in Figure 39-10. Match-any class maps allow up to five ACLs, and match-all class-maps allow only one ACL. 3. After you specify your match criteria, link the class-map to a queue using the command service-queue from POLICY MAP mode, as shown in Figure 39-10. Figure 39-10.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 39-10. The order can range from 0 to 254. FTOS writes ACL rules with lower order numbers (order numbers closer to 0) to the CAM before rules with higher order numbers, so that packets are matched as you intended. By default, all ACL rules have an order of 254.
FTOS Behavior: An explicit "deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified into two queues, 1 and 2. Class-map ClassAF1 is "match any", and ClassAF2 is "match all".
Create a QoS Policy
There are two types of QoS policies: input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2.
• Layer 3 QoS input policies allow you to rate police and set a DSCP or dot1p value.
• Layer 2 QoS input policies allow you to rate police and set a dot1p value.
Set a DSCP value for egress packets based on ingress QoS classification, as shown in Figure 39-2. The 6 bits that are used for DSCP are also used to identify the queue in which traffic is buffered. When you set a DSCP value, FTOS displays an informational message advising you of the queue to which you should apply the QoS policy (using the command service-queue from POLICY-MAP-IN mode).
Allocate Bandwidth to Queue
The E-Series schedules unicast, multicast, and replication traffic for egress based on the Weighted Fair Queuing algorithm. The C-Series and S-Series schedule packets for egress based on Deficit Round Robin (DRR). Both strategies offer a guaranteed data rate. To allocate bandwidth to queues on the C-Series and S-Series, assign each queue a weight that is a power of two from 1 to 1024 (1, 2, 4, ..., 1024) using the command bandwidth-weight.
Specify WRED Drop Precedence
Specify WRED drop precedence is supported only on platform: e
Apply a WRED profile to yellow and/or green traffic using the command wred from QOS-POLICY-OUT mode. See Apply a WRED profile to traffic.
Create Policy Maps
There are two types of policy maps: input and output.
Create Input Policy Maps
There are two types of input policy-maps: Layer 3 and Layer 2.
1. Create a Layer 3 input policy map using the command policy-map-input from CONFIGURATION mode.
Table 39-5.
When using QoS service policies with multiple class maps, you can configure FTOS to use the incoming DSCP or dot1p marking as a secondary option for packet queuing in the event that no match occurs in the class maps. When class-maps are used, traffic is matched against each class-map sequentially from first to last. The sequence is based on the priority of the rules, as follows: 1. rules with lowest priority, or in the absence of a priority configuration, 2.
To enable fall back to trust diffserve or dot1p:
Task: Classify packets according to their DSCP value as a secondary option in case no match occurs against the configured class maps. Command: trust {diffserve | dot1p} fallback (POLICY-MAP-IN mode)
Mapping dot1p Values to Service Queues
Mapping dot1p values to service queues is available only on platforms: c s
On the C-Series and S-Series, all traffic is mapped by default to the same queue, Queue 0.
2. Once you create an output policy map, do one or more of the following: • • • Apply an output QoS policy to a queue Specify an aggregate QoS policy Apply an output policy map to an interface 3. Apply the policy map to an interface. See page 61. Apply an output QoS policy to a queue Apply an output QoS policy to queues using the command service-queue from INTERFACE mode. Specify an aggregate QoS policy Specify an aggregate QoS policy using the command policy-aggregate from POLICY-MAP-OUT mode.
QoS Rate Adjustment is disabled by default, and no qos-rate-adjust is listed in the running-configuration.
Task: Include a specified number of bytes of packet overhead in rate limiting, policing, and shaping calculations. For example, to include the Preamble and SFD, enter qos-rate-adjust 8. For variable-length overhead fields you must know the number of bytes you want to include.
Figure 39-13. Packet Drop Rate for WRED (no packets are dropped while buffer occupancy is below the minimum threshold; between the minimum and maximum thresholds the drop rate rises from 0 packets to all packets; above the maximum threshold all packets are dropped)
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 39-7. Pre-defined WRED Profiles (E-Series)
wred_drop: minimum threshold 0, maximum threshold 0
wred_ge_y: minimum threshold 1024, maximum threshold 2048
wred_ge_g: minimum threshold 2048, maximum threshold 4096
wred_teng_y: minimum threshold 4096, maximum threshold 8192
wred_teng_g: minimum threshold 8192, maximum threshold 16384
Table 39-8.
2. The command wred places you in WRED mode. From this mode, specify minimum and maximum threshold values using the command threshold.
Apply a WRED Profile to Traffic
Once you create a WRED profile, you must specify to which traffic FTOS should apply the profile. FTOS assigns a color (also called drop precedence), red, yellow, or green, to each packet based on its DSCP value before queuing it. DSCP is a 6-bit field.
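Added Python example (written for this guide, not FTOS code): the drop curve of Figure 39-13 applied to the pre-defined profiles of Table 39-7, with a small simulation showing that yellow traffic (wred_ge_y) is dropped before green (wred_ge_g) as the queue fills. The page shows no maximum-probability parameter, so the ramp is taken to reach "all packets" at the maximum threshold, as the figure draws it; that is an assumption about the curve's shape, and the queue-depth sequence is constructed.

```python
import random

# The page's E-Series pre-defined profiles (Table 39-7): (min threshold, max threshold).
PROFILES = {
    "wred_drop": (0, 0),
    "wred_ge_y": (1024, 2048),
    "wred_ge_g": (2048, 4096),
    "wred_teng_y": (4096, 8192),
    "wred_teng_g": (8192, 16384),
}


def drop_probability(queue_depth, profile, profiles=PROFILES):
    """Drop probability from Figure 39-13: 0 below the minimum threshold, rising
    linearly to 1.0 (all packets) at the maximum threshold, 1.0 above it.
    Many WRED implementations cap the ramp with a max-p parameter; the page shows
    no such parameter, so the ramp here reaches 1.0 (an assumption)."""
    lo, hi = profiles[profile]
    if queue_depth >= hi:
        return 1.0          # also covers wred_drop (0, 0): everything is discarded
    if queue_depth < lo:
        return 0.0
    return (queue_depth - lo) / (hi - lo)


def simulate(depths, profile, seed=1):
    """Count how many packets of one colour WRED drops over a sequence of queue
    depths; a fixed seed makes the comparison between colours repeatable."""
    rng = random.Random(seed)
    return sum(rng.random() < drop_probability(d, profile) for d in depths)


def compare_colours(depths, yellow="wred_ge_y", green="wred_ge_g", seed=1):
    """Yellow (lower-threshold) traffic is dropped at least as often as green,
    because at every depth its drop probability is the higher of the two."""
    return simulate(depths, yellow, seed), simulate(depths, green, seed)


if __name__ == "__main__":
    # Constructed queue-depth ramp from empty to the green maximum threshold.
    ramp = list(range(0, 4097, 64))
    y, g = compare_colours(ramp)
    print(f"yellow dropped {y} of {len(ramp)}, green dropped {g} of {len(ramp)}")
    print("wred_drop discards all:", simulate(ramp, "wred_drop") == len(ramp))
```

Between 1024 and 2048 buffered packets only yellow is being discarded; green starts at 2048, and by 4096 both profiles drop everything. The wred_drop profile, with both thresholds at 0, is the "discard all" profile.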
Display WRED Drop Statistics Display the number of packets FTOS dropped by WRED Profile using the command show qos statistics from EXEC Privilege mode. Figure 39-16.
Pre-calculating Available QoS CAM Space
Pre-calculating Available QoS CAM Space is supported on platforms: c e s
Before version 7.3.1 there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
• Exception indicates that the number of CAM entries required to write the policy-map to the CAM is greater than the number of available CAM entries, and therefore the policy-map cannot be applied to an interface in the specified port-pipe.
40 Routing Information Protocol (RIP)
Routing Information Protocol (RIP) is supported on platforms: e c s z
Routing Information Protocol (RIP) is based on a distance-vector algorithm: it tracks distances, or hop counts, to nearby routers when establishing network connections.
RIPv2
RIPv2 adds support for subnet fields in RIP routing updates, thus qualifying it as a classless routing protocol. The RIPv2 message format includes entries for route tags, subnet masks, and next-hop addresses. Another enhancement in RIPv2 is multicasting of route updates on IP multicast address 224.0.0.9.
• Summarize routes on page 848 (optional)
• Control route metrics on page 849 (optional)
• Debug RIP on page 849
For a complete listing of all commands related to RIP, refer to the FTOS Command Reference.
Enable RIP Globally
By default, RIP is not enabled in FTOS.
Figure 40-2. show ip rip database Command Example (Partial)
FTOS#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa
8.0.0.0/8 auto-summary
12.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa
12.
To control the source of RIP route information, use the following commands in ROUTER RIP mode:
neighbor ip-address (ROUTER RIP): Define a specific router with which the Dell Force10 system exchanges RIP information. You can use this command multiple times to exchange RIP information with as many RIP routers as you want.
passive-interface interface (ROUTER RIP): Stop a specific interface from sending or receiving RIP routing information.
redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name] (ROUTER RIP): Include specific OSPF routes in RIP. Configure the following parameters:
• process-id range: 1 to 65535
• metric range: 0 to 16
• map-name: name of a configured route map.
To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Figure 40-3.
Figure 40-5.
If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The command autosummary requires no other configuration commands. To disable automatic route summarization, in the ROUTER RIP mode, enter no autosummary. Note: If the ip split-horizon command is enabled on an interface, then the system does not advertise the summarized address.
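The discontiguous-subnet problem, as an added Python example (written for this guide, not FTOS code): classful summarization and the classful-boundary rule of RIPv2 auto-summary (a subnet is collapsed to its major network when advertised out of an interface that sits in a different major network), applied to route sets constructed after the Core 2 and Core 3 configurations in this chapter. That FTOS applies exactly this boundary rule is an assumption; the page states only that summarized addresses are advertised with autosummary and subnets without it.

```python
import ipaddress


def classful_network(prefix):
    """Return the classful (major) network that contains prefix: /8 for class A,
    /16 for class B, /24 for class C."""
    net = ipaddress.ip_network(prefix, strict=False)
    first = int(net.network_address) >> 24
    if first < 128:
        length = 8
    elif first < 192:
        length = 16
    elif first < 224:
        length = 24
    else:
        raise ValueError(f"{prefix} is not a class A/B/C unicast address")
    return ipaddress.ip_network(f"{net.network_address}/{length}", strict=False)


def advertised_routes(routes, out_interface_prefix, autosummary=True):
    """Routes RIP sends out of an interface. With auto-summary on, a subnet that
    belongs to a different major network than the interface is collapsed to its
    classful summary (the classful-boundary rule of RIPv2; assumed to match FTOS).
    With auto-summary off, every subnet is sent as is."""
    boundary = classful_network(out_interface_prefix)
    out = set()
    for route in routes:
        net = ipaddress.ip_network(route, strict=False)
        major = classful_network(route)
        if autosummary and major != boundary:
            out.add(str(major))
        else:
            out.add(str(net))
    return sorted(out)


# Constructed after the Core 2 / Core 3 example: both routers hold 10.11.x.0/24
# subnets and peer over 192.168.1.0/24, so the 10.0.0.0/8 network is discontiguous.
CORE2_ROUTES = ["10.11.10.0/24", "10.11.20.0/24", "10.200.10.0/24"]
CORE3_ROUTES = ["10.11.30.0/24", "10.11.20.0/24"]

if __name__ == "__main__":
    for name, routes in (("Core2", CORE2_ROUTES), ("Core3", CORE3_ROUTES)):
        print(name, "auto-summary on :", advertised_routes(routes, "192.168.1.1/24"))
        print(name, "auto-summary off:", advertised_routes(routes, "192.168.1.1/24", autosummary=False))
```

With auto-summary on, Core 2 and Core 3 both advertise the single route 10.0.0.0/8 across the 192.168.1.0/24 link, so a router learning from both cannot tell which 10.11.x.0 subnet lives behind which neighbour; with it off, the individual /24s are advertised and the subnets are reachable. Out of an interface that is itself inside 10.0.0.0/8, the subnets are sent unsummarized either way.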
To enable RIP debugging, use the following command in EXEC Privilege mode:
debug ip rip [interface | database | events | trigger] (EXEC Privilege): Enable debugging of RIP.
Figure 40-6 shows the confirmation when the debug function is enabled.
Figure 40-6. debug ip rip Command Example
FTOS#debug ip rip
RIP protocol debug is ON
FTOS#
To disable RIP debugging, use the no debug ip rip command.
Configuring RIPv2 on Core 2
Figure 40-8. Configuring RIPv2 on Core 2
Core2(conf-if-gi-2/31)#
Core2(conf-if-gi-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
network 10.0.0.
Figure 40-10.
RIP Configuration on Core 3
Figure 40-12. RIP Configuration on Core 3
Core3(conf-if-gi-3/21)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.0
Core3(conf-router_rip)#network 10.11.30.0
Core3(conf-router_rip)#network 10.11.20.0
Core3(conf-router_rip)#show config
!
router rip
network 10.0.0.0
network 192.168.1.0
network 192.168.2.
Figure 40-14.
RIP Configuration Summary
Figure 40-16. Summary of Core 2 RIP Configuration Using Output of show run Command
!
interface GigabitEthernet 2/11
 ip address 10.11.10.1/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip address 10.11.20.2/24
 no shutdown
!
interface GigabitEthernet 2/41
 ip address 10.200.10.1/24
 no shutdown
!
interface GigabitEthernet 2/42
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.0
Figure 40-17.
41 Remote Monitoring (RMON)
Remote Monitoring (RMON) is supported on platforms: e c s z
This chapter describes Remote Monitoring (RMON):
• Implementation on page 857
• Fault Recovery on page 858
Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Force10 Ethernet interfaces.
Fault Recovery

RMON provides the following fault recovery functions:

Interface Down—When an RMON-enabled interface goes down, monitoring continues. However, all data values are registered as 0xFFFFFFFF (32 bits) or 0xFFFFFFFFFFFFFFFF (64 bits). When the interface comes back up, RMON monitoring resumes.

Note: A Network Management System (NMS) should be ready to interpret a down interface and plot the interface performance graph accordingly.
Set rmon alarm

To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. To disable the alarm, use the no form of this command:

Command Syntax: [no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
Command Mode: CONFIGURATION
Purpose: Set an alarm on any MIB object. Use the no form of this command to disable the alarm.
Figure 41-1. rmon alarm Command Example
FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1

Figure callouts: 10 = Alarm Number; 1.3.6.1.2.1.2.2.1.20.1 = MIB Variable; 20 = Monitor Interval; 15 = Counter Value Limit; 1 = Triggered Event.

The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
Figure 41-2. rmon event Command Example
FTOS(conf)#rmon event 1 log trap eventtrap description "High ifOutErrors" owner nms1

The above configuration example creates RMON event number 1, with the description "High ifOutErrors", and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered, using the SNMP community string "eventtrap".
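The alarm and event rows from Figures 41-1 and 41-2, simulated as an added example (this is not FTOS code): it polls constructed ifOutErrors readings, applies the delta/absolute sample type and the rising and falling thresholds, and re-arms the alarm the way RMON does so a counter that stays high produces one event rather than one per poll. The re-arming rule and the event-number-less falling threshold behaviour are assumptions stated in the comments.

```python
"""Added example (not FTOS code): RMON alarm/event behaviour behind the
rmon alarm and rmon event commands, simulated in Python.

It polls constructed ifOutErrors counter values (MIB variable
1.3.6.1.2.1.2.2.1.20.1 from Figure 41-1), applies the delta/absolute
sample type and the thresholds, and uses the RMON re-arming rule: after
the rising threshold fires, the alarm does not fire for rising again
until the value has crossed the falling threshold, and vice versa.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RmonEvent:
    number: int
    description: str
    log: bool = False
    trap_community: Optional[str] = None   # community used for the SNMP trap

    def fire(self, alarm_number: int, value: int) -> list[str]:
        """Return the log line and/or trap that this event generates."""
        actions = []
        if self.log:
            actions.append(f"LOG: event {self.number} '{self.description}' "
                           f"(alarm {alarm_number}, value {value})")
        if self.trap_community:
            actions.append(f"TRAP community={self.trap_community}: "
                           f"event {self.number} '{self.description}'")
        return actions


@dataclass
class RmonAlarm:
    number: int
    variable: str                   # OID, e.g. 1.3.6.1.2.1.2.2.1.20.1
    interval: int                   # seconds between polls
    sample_type: str                # "delta" or "absolute"
    rising_threshold: int
    rising_event: Optional[int]     # event-number, None if omitted
    falling_threshold: int
    falling_event: Optional[int]
    owner: str = ""
    last_raw: Optional[int] = field(default=None, init=False)
    armed: str = field(default="both", init=False)  # both | rising | falling

    def sample(self, raw: int) -> Optional[tuple[str, Optional[int]]]:
        """Feed one polled value; return ("rising"|"falling", event) on a crossing."""
        if self.sample_type == "delta":
            if self.last_raw is None:
                self.last_raw = raw
                return None             # first poll only seeds the delta
            value, self.last_raw = raw - self.last_raw, raw
        elif self.sample_type == "absolute":
            value = raw
        else:
            raise ValueError("sample type must be delta or absolute")
        # Assumed RMON semantics: arm the opposite direction after a trip.
        if value >= self.rising_threshold and self.armed in ("both", "rising"):
            self.armed = "falling"
            return ("rising", self.rising_event)
        if value <= self.falling_threshold and self.armed in ("both", "falling"):
            self.armed = "rising"
            return ("falling", self.falling_event)
        return None


def run_alarm(alarm: RmonAlarm, events: dict[int, RmonEvent],
              polled_values: list[int]) -> list[str]:
    """Poll the variable through the alarm and collect the generated actions."""
    actions = []
    for raw in polled_values:
        hit = alarm.sample(raw)
        if hit is None:
            continue
        _direction, event_number = hit
        # A threshold without an event-number only re-arms the alarm.
        if event_number is not None and event_number in events:
            actions.extend(events[event_number].fire(alarm.number, raw))
    return actions


# Figures 41-1 and 41-2 as data: alarm 10 on ifOutErrors every 20 s, delta
# samples, rising 15 -> event 1, falling 0 with no event, owner nms1.
EVENTS = {1: RmonEvent(1, "High ifOutErrors", log=True, trap_community="eventtrap")}

# Constructed cumulative ifOutErrors readings, one per 20 s poll.
POLLED_IF_OUT_ERRORS = [0, 3, 30, 31, 31, 60]

if __name__ == "__main__":
    alarm_10 = RmonAlarm(10, "1.3.6.1.2.1.2.2.1.20.1", 20, "delta", 15, 1, 0, None, "nms1")
    for line in run_alarm(alarm_10, EVENTS, POLLED_IF_OUT_ERRORS):
        print(line)
```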
Configure RMON collection history

To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in interface configuration mode. To remove a specified RMON history group of statistics collection, use the no form of this command.
42 Rapid Spanning Tree Protocol (RSTP)

Rapid Spanning Tree Protocol (RSTP) is supported on platforms: ecsz

Protocol Overview

Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol—specified by IEEE 802.1w—that is essentially the same as Spanning-Tree Protocol (STP) but provides faster convergence and interoperability with switches configured with STP and MSTP. FTOS supports three other variations of Spanning Tree, as shown in Table 42-1.

Table 42-1.
• Configure an EdgePort on page 871
• Preventing Network Disruptions with BPDU Guard on page 1011
• Influence RSTP Root Selection on page 872
• Configuring Spanning Trees as Hitless on page 1017
• SNMP Traps for Root Elections and Topology Changes on page 873
• Fast Hellos for Link State Detection on page 873
• Flush MAC Addresses after a Topology Change on page 699

Important Points to Remember
• RSTP is disabled by default.
Configure Interfaces for Layer 2 Mode

All interfaces on all bridges that will participate in Rapid Spanning Tree must be in Layer 2 mode and enabled.

Figure 42-1.
Enable Rapid Spanning Tree Protocol Globally

Rapid Spanning Tree Protocol must be enabled globally on all participating bridges; it is not enabled by default. To enable Rapid Spanning Tree globally for all Layer 2 interfaces:

Step 1: Enter the PROTOCOL SPANNING TREE RSTP mode.
  Command Syntax: protocol spanning-tree rstp
  Command Mode: CONFIGURATION
Step 2: Enable Rapid Spanning Tree.
Figure 42-4. Rapid Spanning Tree Enabled Globally (topology diagram: root R1 with R2 and R3; one R1 port Forwarding, one Blocking; port labels not recoverable)

Port 684 (GigabitEthernet 4/43) is alternate Discarding
Port path cost 20000, Port priority 128, Port Identifier 128.684
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Figure 42-5. show spanning-tree rstp Command Example
FTOS#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.cbb4
Configured hello time 2, max age 20, forward delay 15, max hops 0
We are the root
Current root has priority 32768, Address 0001.e801.
Figure 42-6. show spanning-tree rstp brief Command Example
R3#show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32768, Address 0001.e801.cbb4
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32768, Address 0001.e80f.1dad
  Configured hello time 2, max age 20, forward delay 15

Interface                                          Designated
Name       PortID   Prio Cost    Sts Cost    Bridge ID            PortID
---------- -------- ---- ------- --- ------- -------------------- -------
Gi 3/1     128.
Table 42-2 displays the default values for RSTP.

Table 42-2.
• Port priority influences the likelihood that a port will be selected to be a forwarding port when several ports have the same port cost.

To change the port cost or priority of an interface, use the following commands:

Task: Change the port cost of an interface. Range: 0 to 65535. Default: see Table 42-2.
  Command Syntax: spanning-tree rstp cost cost
  Command Mode: INTERFACE
Task: Change the port priority of an interface.
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel that is already in the error-disabled state, the new member port is also disabled in the hardware.
Figure 42-8. bridge-priority Command Example
FTOS(conf-rstp)#bridge-priority 4096
04:27:59: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.88bd

Figure callouts: 32768:0001.e801.cbb4 = Old root bridge ID; 4096:0001.e80b.88bd = New root bridge ID.

SNMP Traps for Root Elections and Topology Changes

Enable SNMP traps for RSTP, MSTP, and PVST+ collectively using the command snmp-server enable traps xstp.
43 Software-Defined Networking (SDN)

Dell Networking operating software (FTOS) supports Software-Defined Networking (SDN). For more information, refer to the SDN Deployment Guide.
44 Security

Security features are supported on platforms: ecsz

This chapter discusses several ways to provide access security to the Dell Force10 system. Platform-specific features are identified by the c, e or s icons (as shown below).
• Enable AAA Accounting on page 878 (mandatory)
• Suppress AAA Accounting for null username sessions on page 878 (optional)
• Configure Accounting of EXEC and privilege-level command usage on page 879 (optional)
• Configure AAA Accounting for terminal lines on page 879 (optional)
• Monitor AAA Accounting on page 879 (optional)

Enable AAA Accounting

The aaa accounting command enables you to create a record for any or all of the accounting functions monitored.
Configure Accounting of EXEC and privilege-level command usage

The network access server monitors the accounting functions defined in the TACACS+ attribute/value (AV) pairs. In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
AAA Authentication

FTOS supports a distributed client/server system implemented through Authentication, Authorization, and Accounting (AAA) to help secure networks against unauthorized access. In the Dell Force10 implementation, the Dell Force10 system acts as a RADIUS or TACACS+ client and sends authentication requests to a central RADIUS or TACACS+ server that contains all user authentication and network service access information.
Configure AAA Authentication login methods

To configure an authentication method and method list, use these commands in the following sequence in CONFIGURATION mode:

Command Syntax: aaa authentication login {method-list-name | default} method1 [... method4]
Command Mode: CONFIGURATION
Purpose: Define an authentication method-list (method-list-name) or specify the default. The default method-list is applied to all terminal lines.
Enable AAA Authentication

To enable AAA authentication, use the following command in CONFIGURATION mode:

Command Syntax: aaa authentication enable {method-list-name | default} method1 [... method4]
Command Mode: CONFIGURATION
Purpose:
• default—Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
Server-side configuration

TACACS+: When using TACACS+, Dell Force10 sends an initial packet with service type SVC_ENABLE, and then a second packet with just the password. The TACACS server must have an entry for username $enable$.

RADIUS: When using RADIUS authentication, FTOS sends an authentication packet with the following:
Username: $enab15$
Password:
Therefore, the RADIUS server must have an entry for this username.

AAA Authorization

FTOS enables AAA new-model by default.
By default, commands in FTOS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level. For example, to reach the protocol spanning-tree command, you must log in to the router, enter the enable command for privilege level 15 (this is the default level for the command), and then enter CONFIGURATION mode. You can configure passwords to control access to the box and assign different privilege levels to users.
Configure the enable password command

To configure FTOS, you must use the enable command to enter EXEC Privilege level 15. After entering the command, FTOS requests that you enter a password. Privilege levels are not assigned to passwords; rather, passwords are assigned to a privilege level. A password for any privilege level can always be changed. To change to a different privilege level, enter the enable command followed by the privilege level.
To assign commands and passwords to a custom privilege level, you must be in privilege level 15 and use these commands in the following sequence in CONFIGURATION mode:

Command Syntax: username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password]
Command Mode: CONFIGURATION
Purpose: Assign a user name and password. Configure the optional and required parameters:
• name: Enter a text string (up to 63 characters).
Figure 44-2. Configuring a Custom Privilege Level
FTOS(conf)#username john privilege 8 password john
FTOS(conf)#enable password level 8 notjohn
FTOS(conf)#privilege exec level 8 configure
FTOS(conf)#privilege config level 8 snmp-server
FTOS(conf)#end
FTOS#show running-config
Current Configuration ...
To specify a password for the terminal line, use the following commands, in any order, in LINE mode:

Command Syntax: privilege level level
Command Mode: LINE
Purpose: Configure a custom privilege level for the terminal lines.
• level level range: 0 to 15. Levels 0, 1 and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.

Command Syntax: password [encryption-type] password
Command Mode: LINE
Purpose: Specify either a plain text or encrypted password.
RADIUS Authentication and Authorization

FTOS supports RADIUS for user authentication (text password) at login, and RADIUS can be specified as one of the login authentication methods in the aaa authentication login command. When configuring AAA authorization, you can limit the attributes of services available to a user. When authorization is enabled, the network access server uses configuration information from the user profile to issue the user's session.
Auto-command

You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. To do this, use the auto-command command. The auto-command is executed when the user is authenticated and before the prompt appears to the user.
Command Syntax: aaa authorization exec {method-list-name | default} radius tacacs+
Command Mode: CONFIGURATION
Purpose: Create a method list with RADIUS and TACACS+ as authorization methods. Typical order of methods: RADIUS, TACACS+, Local, None. If authorization is denied by RADIUS, the session ends (RADIUS should not be the last method specified).

Apply the method list to terminal lines

To enable RADIUS AAA login authentication for a method list, you must apply it to a terminal line.
To specify multiple RADIUS server hosts, configure the radius-server host command multiple times. If multiple RADIUS server hosts are configured, FTOS attempts to connect with them in the order in which they were configured. When FTOS attempts to authenticate a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject response.
To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode.

Monitor RADIUS

To view information on RADIUS transactions, use the following command in EXEC Privilege mode:

Command Syntax: debug radius
Command Mode: EXEC Privilege
Purpose: View RADIUS transactions to troubleshoot problems.

TACACS+

FTOS supports a Terminal Access Controller Access Control System (TACACS+) client, including support for login authentication.
To select TACACS+ as the login authentication method, use these commands in the following sequence in CONFIGURATION mode:

Step 1:
  Command Syntax: tacacs-server host {ip-address | host}
  Command Mode: CONFIGURATION
  Purpose: Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts.
Step 2:
  Command Syntax: aaa authentication login {method-list-name | default} tacacs+ [...
Figure 44-4.
Figure 44-5 demonstrates how to configure the access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt.

Figure 44-5.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.

freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
FTOS#
FTOS#

Command Authorization

The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
SCP is a remote file copy program that works with SSH and is supported by FTOS.

Note: The Windows-based WinSCP client software is not supported for secure copying between a PC and an FTOS-based system. Unix-based SCP client software is supported.
Figure 44-6. Specifying an SSH version
FTOS(conf)#ip ssh server version 2
FTOS(conf)#do show ip ssh
SSH server                 : disabled.
SSH server version         : v2.
Password Authentication    : enabled.
Hostbased Authentication   : disabled.
RSA Authentication         : disabled.

To disable SSH server functions, enter no ip ssh server enable.
• ip ssh hostbased-authentication enable: Enable hostbased-authentication for the SSHv2 server.
• ip ssh key-size: Configure the size of the server-generated RSA SSHv1 key.
• ip ssh password-authentication enable: Enable password authentication for the SSH server.
• ip ssh pub-key-file: Specify the file to be used for host-based authentication.
• ip ssh rhostsfile: Specify the rhost file to be used for host-based authorization.
Figure 44-8. Enabling SSH Password Authentication
FTOS(conf)#ip ssh server enable
% Please wait while SSH Daemon initializes ... done.
FTOS(conf)#ip ssh password-authentication enable
FTOS#sh ip ssh
SSH server                 : enabled.
Password Authentication    : enabled.
Hostbased Authentication   : disabled.
RSA Authentication         : disabled.

RSA Authentication of SSH

The following procedure authenticates an SSH client based on an RSA key using RSA authentication.
Step 2: Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file.
  Command Syntax: cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts

Figure 44-10. Creating shosts
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli        sshd_config         ssh_host_dsa_key.pub   ssh_host_rsa_key.pub
ssh_config    ssh_host_dsa_key    ssh_host_rsa_key       ssh_host_key.
Figure 44-12. Client-based SSH Authentication
FTOS#ssh 10.16.127.201 ?
-l     User name option
-p     SSH server port option (default 22)
-v     SSH protocol version

Troubleshooting SSH
• You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, Message 2 appears.
  Message 2 RSA Authentication Error
  %Error: No username set for this term.
• Host-based authentication must be enabled on the server (Dell Force10 system) and the client (Unix machine).
Trace Lists

The Trace Lists feature is supported only on the E-Series: e

You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
Creating a trace list

Trace lists filter and log traffic based on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. When configuring the Trace list filters, include the count and bytes parameters so that any hits to that filter are logged.
Step 2:
  Command Syntax: seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [established] [count [byte] | log]
  Command Mode: TRACE LIST
  Purpose: Configure a trace list filter for TCP packets.
  • source: An IP address as the source IP address for the filter to match.
Figure 44-13. Trace list Using seq Command Example
FTOS(config-trace-acl)#seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#seq 5 permit tcp 121.1.3.45 0.0.255.255 any
FTOS(config-trace-acl)#show conf
!
ip trace-list dilling
 seq 5 permit tcp 121.1.0.0 0.0.255.255 any
 seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#

If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
Command Syntax: {deny | permit} tcp {source mask | any | host
Command Mode: TRACE LIST
Purpose: Configure a deny or permit filter to examine TCP packets. Configure the following required and optional parameters:
• source: An IP address as the source IP address for the filter to match.
• mask: a network mask
• any: to match any IP source address
• host ip-address: to match IP addresses in a host.
• destination: An IP address as the destination IP address for the filter to match.
Figure 44-14. Trace List Example
FTOS(config-trace-acl)#deny tcp host 123.55.34.0 any
FTOS(config-trace-acl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
FTOS(config-trace-acl)#show config
!
ip trace-list nimule
 seq 5 deny tcp host 123.55.34.0 any
 seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0

To view all configured Trace lists and the number of packets processed through the Trace list, use the show ip accounting trace-list command (Figure 110) in EXEC Privilege mode.
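How a trace list evaluates packets, as an added example that is not FTOS code: it models the filters of Figures 44-13 and 44-14, with sequence-number ordering, first-match permit/deny, per-filter hit counting and logging, auto-assigned sequence numbers in steps of 5, and the wildcard-bit clearing that turns 121.1.3.45 0.0.255.255 into 121.1.0.0 in show config. The packets are constructed, and no implicit action for unmatched packets is assumed, since the text does not state one.

```python
"""Added example (not FTOS code): evaluating packets against a trace list.

Filters are tried in sequence-number order; the first match decides
permit/deny and bumps that filter's hit count; a filter added without
seq gets the next multiple of 5 (as in Figure 44-14); an address given
as "A.B.C.D wildcard" is stored with the wildcard bits cleared (as in
Figure 44-13). evaluate() returns None for an unmatched packet.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_address(spec: str) -> tuple[int, int]:
    """Turn 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into (addr, wildcard)."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF
    if len(parts) == 2 and parts[0] == "host":
        return _ip(parts[1]), 0
    if len(parts) == 2:
        addr, wildcard = _ip(parts[0]), _ip(parts[1])
        return addr & ~wildcard & 0xFFFFFFFF, wildcard   # clear don't-care bits
    raise ValueError(f"bad address spec: {spec!r}")


def matches(ip: str, addr: int, wildcard: int) -> bool:
    """Wildcard match: bits set in the wildcard are ignored."""
    return (_ip(ip) & ~wildcard & 0xFFFFFFFF) == addr


def _fmt(pair: tuple[int, int]) -> str:
    addr, wildcard = pair
    if wildcard == 0xFFFFFFFF:
        return "any"
    if wildcard == 0:
        return f"host {ipaddress.IPv4Address(addr)}"
    return f"{ipaddress.IPv4Address(addr)} {ipaddress.IPv4Address(wildcard)}"


@dataclass
class TraceFilter:
    seq: int
    action: str             # "permit" or "deny"
    protocol: str           # "ip" (matches any), "tcp" or "udp"
    src: tuple[int, int]
    dst: tuple[int, int]
    log: bool = False
    hits: int = 0

    def render(self) -> str:
        tail = " log" if self.log else ""
        return (f"seq {self.seq} {self.action} {self.protocol} "
                f"{_fmt(self.src)} {_fmt(self.dst)}{tail}")


@dataclass
class TraceList:
    name: str
    filters: list[TraceFilter] = field(default_factory=list)
    logged: list[str] = field(default_factory=list)

    def add(self, action: str, protocol: str, src: str, dst: str,
            seq: Optional[int] = None, log: bool = False) -> TraceFilter:
        if seq is None:   # auto numbering in steps of 5, as the figures show
            seq = (max((f.seq for f in self.filters), default=0) // 5 + 1) * 5
        flt = TraceFilter(seq, action, protocol,
                          parse_address(src), parse_address(dst), log)
        self.filters.append(flt)
        self.filters.sort(key=lambda f: f.seq)
        return flt

    def evaluate(self, src_ip: str, dst_ip: str,
                 protocol: str) -> Optional[tuple[int, str]]:
        """Return (seq, action) of the first matching filter, or None."""
        for flt in self.filters:
            if flt.protocol not in ("ip", protocol):
                continue
            if matches(src_ip, *flt.src) and matches(dst_ip, *flt.dst):
                flt.hits += 1
                if flt.log:
                    self.logged.append(f"{protocol} {src_ip} -> {dst_ip} "
                                       f"hit seq {flt.seq} ({flt.action})")
                return flt.seq, flt.action
        return None

    def show_config(self) -> str:
        lines = [f"ip trace-list {self.name}"]
        lines += [" " + f.render() for f in self.filters]
        return "\n".join(lines)


if __name__ == "__main__":
    nimule = TraceList("nimule")                       # Figure 44-14
    nimule.add("deny", "tcp", "host 123.55.34.0", "any")
    nimule.add("permit", "udp", "154.44.123.34 0.0.255.255", "host 34.6.0.0")
    print(nimule.show_config())
    print(nimule.evaluate("154.44.9.9", "34.6.0.0", "udp"))   # constructed packet
```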
VTY Line and Access-Class Configuration

Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use — line, local, or remote:

Table 44-1. VTY Access
Authentication Method | VTY access-class support? | Username access-class support? | Remote authorization support?
Line    | YES | NO  | NO
Local   | NO  | YES | NO
TACACS+ | YES | NO  | YES (with FTOS 5.2.1.0 and later)
RADIUS  | YES | NO  | YES (with FTOS 6.1.1.
Figure 44-16 shows how to allow or deny a Telnet connection to a user. Users see a login prompt, even if they cannot log in. No access class is configured for the VTY line; it defaults from the local database.

Figure 44-16.
To apply a MAC ACL on a VTY line, use the same access-class command as for IP ACLs (Figure 44-18). Figure 44-18 shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.

Figure 44-18.
45 Service Provider Bridging

Service Provider Bridging is supported on platforms: ecsz

This chapter contains the following major sections:
• VLAN Stacking
• VLAN Stacking Packet Drop Precedence
• Dynamic Mode CoS for VLAN Stacking
• Layer 2 Protocol Tunneling
• Provider Backbone Bridging

VLAN Stacking

VLAN Stacking is supported on platforms: cesz

VLAN Stacking, also called Q-in-Q, is defined in IEEE 802.1ad—Provider Bridges, which is an amendment to IEEE 802.1Q—Virtual Bridged Local Area Networks.
Figure 45-1. VLAN Stacking in a Service Provider Network (diagram: S-Tag fields PCP, TPID (0x9100), DEI, VID (VLAN 300); C-Tag fields PCP, TPID (0x8100), CFI (0), VID (VLAN Red); VLAN 100 tagged)
Create Access and Trunk Ports

An access port is a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. A trunk port is a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs. Physical ports and port-channels can be access or trunk ports.
Display the status and members of a VLAN using the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.

Figure 45-3.
Step 2: Add the port to a 802.1Q VLAN as tagged or untagged.
  Command Syntax: [tagged | untagged]
  Command Mode: INTERFACE VLAN

In Figure 45-4, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.

Figure 45-4.
Figure 45-5. Example of Output of debug member vlan and debug member port
FTOS# debug member vlan 603
vlan id : 603
ports : Gi 2/47 (MT), Gi 3/1(MU), Gi 3/25(MT), Gi 3/26(MT), Gi 3/27(MU)
FTOS#debug member port gigabitethernet 2/47
vlan id : 603 (MT), 100(T), 101(NU)
FTOS#

VLAN Stacking in Multi-vendor Networks

The first field in the VLAN tag is the Tag Protocol Identifier (TPID), which is two bytes.
Figure 45-6. TPID Mismatch and 0x8100 Match on the E-Series TeraScale (diagram: service provider network with R1-E-Series TeraScale, TPID 0x9100; VLAN GREEN, VLAN BLUE, Internet)

Figure 45-7. First-byte TPID Match on the E-Series ExaScale (diagram: R1-E-Series TeraScale TPID 0x9191 and R2-E-Series ExaScale TPID 0x9100 in the service provider network; VLANs GREEN, BLUE, RED, PURPLE across Building C and Building D; Internet)

Figure 45-8.

Table 45-1 details the outcome of matched and mis-matched TPIDs in a VLAN-stacking network with the E-Series.

Table 45-1.
You can configure the first eight bits of the TPID using the command vlan-stack protocol-type. The TPID on the C-Series and S-Series systems is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
Figure 45-10. Single and Double-tag First-byte TPID Match on C-Series and S-Series (diagram residue: R1-C-Series w/ FTOS <8.2.1.0 TPID: 0x8181; R2-C-Series w/ FTOS <8.2.1.0 TPID: 0x8181; R3-C-Series w/ FTOS >=8.2.1.; VLANs RED, GREEN, BLUE, PURPLE; DEFAULT VLAN)
Table 45-2 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series.

Table 45-2. C-Series and S-Series Behaviors for Mis-matched TPID
Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-8.2.1.0 | 8.2.1.
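The TPID rule stated above (an ingress frame whose outer TPID does not equal the system TPID is treated as untagged) applied to constructed double-tagged and customer-tagged frames, as an added example that is not FTOS code. It compares the full 16-bit TPID, which is an assumption; the C-Tag is recognised by TPID 0x8100 as in Figure 45-1.

```python
"""Added example (not FTOS code): parsing a Q-in-Q frame and classifying
it by the system TPID (vlan-stack protocol-type) rule described above.

The outer tag is an S-Tag only when its TPID equals the system TPID;
otherwise the frame is treated as untagged and the two bytes after SA
are read as a plain EtherType. The inner C-Tag is recognised by 0x8100.
Assumption: the whole 16-bit TPID is compared. Frames are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

C_TAG_TPID = 0x8100


@dataclass
class Tag:
    tpid: int
    pcp: int    # priority code point (dot1p)
    dei: int    # DEI in an S-Tag, CFI in a C-Tag
    vid: int


@dataclass
class Classification:
    kind: str                 # "double-tagged", "single-tagged" or "untagged"
    s_tag: Optional[Tag]      # the tag that matched the system TPID, if any
    c_tag: Optional[Tag]
    ethertype: int


def _tag_at(frame: bytes, offset: int) -> Tag:
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return Tag(tpid, pcp=tci >> 13, dei=(tci >> 12) & 1, vid=tci & 0x0FFF)


def build_frame(dst_hex: str, src_hex: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Assemble DA, SA, zero or more (tpid, pcp, dei, vid) tags, EtherType, payload."""
    out = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    for tpid, pcp, dei, vid in tags:
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return out + struct.pack("!H", ethertype) + payload


def classify(frame: bytes, system_tpid: int = 0x9100) -> Classification:
    """Classify an ingress frame according to the global system TPID."""
    offset = 12                                   # past DA and SA
    first = _tag_at(frame, offset)
    if first.tpid != system_tpid:
        # Mismatch: the rest of the frame is opaque payload, and the bytes
        # at offset 12 are read as the EtherType of an untagged frame.
        return Classification("untagged", None, None, first.tpid)
    offset += 4
    nxt = struct.unpack_from("!H", frame, offset)[0]
    if nxt == C_TAG_TPID:
        c_tag = _tag_at(frame, offset)
        offset += 4
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        return Classification("double-tagged", first, c_tag, ethertype)
    return Classification("single-tagged", first, None, nxt)


# Constructed frames. MACs are placeholders, payload is a stub IPv4 header.
PAYLOAD = bytes([0x45]) + bytes(19)
DOUBLE_TAGGED = build_frame("0001e801cbb4", "0001e80f1dad",
                            [(0x9100, 3, 1, 300), (0x8100, 0, 0, 100)],
                            0x0800, PAYLOAD)
CUSTOMER_TAGGED = build_frame("0001e801cbb4", "0001e80f1dad",
                              [(0x8100, 0, 0, 100)], 0x0800, PAYLOAD)

if __name__ == "__main__":
    print(classify(DOUBLE_TAGGED))                     # S-Tag 300 / C-Tag 100
    print(classify(CUSTOMER_TAGGED))                   # treated as untagged
    print(classify(CUSTOMER_TAGGED, system_tpid=0x8100))
```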
Enable Drop Eligibility

You must enable Drop Eligibility globally before you can honor or mark the DEI value.

Task: Make packets eligible for dropping based on their DEI value. By default, packets are colored green, and DEI is marked 0 on egress.
  Command Syntax: dei enable
  Command Mode: CONFIGURATION

When Drop Eligibility is enabled, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to Table 45-3.

Table 45-3.
FTOS#show interface dei-honor
Default Drop precedence: Green
Interface    CFI/DEI    Drop precedence
------------------------------------------------------------
Gi 0/1       0          Green
Gi 0/1       1          Yellow
Gi 8/9       1          Red
Gi 8/40      0          Yellow

Mark Egress Packets with a DEI Value

On egress, you can set the DEI value according to a different mapping than ingress (see Honor the Incoming DEI Value).
Figure 45-12. Statically and Dynamically Assigned dot1p for VLAN Stacking (diagram: an untagged frame receives an S-Tag with a statically-assigned dot1p; a C-tagged frame receives an S-Tag whose dot1p is mapped from the C-Tag dot1p)

When configuring Dynamic Mode CoS, you have two options:
a. mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p.
FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by the QoS configuration.
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly:

Task: Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
  • vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp.
  • vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
Figure 45-13. VLAN Stacking without L2PT (diagram: Building A and Building B each run spanning tree and connect through a service provider network configured with no spanning-tree; a BPDU with destination MAC address 01-80-C2-00-00-00 is marked X, that is, not carried across the provider network)

You might need to transport control traffic transparently through the intermediate network to the other region.
Figure 45-14.
Specify a Destination MAC Address for BPDUs

By default, FTOS uses a Dell Force10-unique MAC address for tunneling BPDUs. You can configure another value.

Task: Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
Debug Layer 2 Protocol Tunneling

Task: Display debugging information for L2PT.
  Command Syntax: debug protocol-tunnel
  Command Mode: EXEC Privilege

Provider Backbone Bridging

Provider Backbone Bridging is supported only on platforms: cs

IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider.
46 sFlow

Configuring sFlow is supported on platforms: ecsz

• Enable and Disable sFlow
• sFlow Show Commands
• Specify Collectors
• Polling Intervals
• Sampling Rate
• Back-off Mechanism
• sFlow on LAG ports
• Extended sFlow

Overview

FTOS supports sFlow version 5. sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high speed networks with many switches and routers.
Figure 46-1. sFlow Traffic Monitoring System (diagram: the sFlow Agent in the switch/router polls interface counters and takes flow samples from the switch ASIC, and sends sFlow datagrams to the sFlow Collector)

Implementation Information

The Dell Force10 sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe.
• FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount.
• Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
• The dropEvent counter, in the sFlow packet, will always be zero.
sFlow Show Commands

FTOS includes the following sFlow display commands:
• Show sFlow Globally
• Show sFlow on an Interface
• Show sFlow on a Line Card

Show sFlow Globally

Use the following command to view sFlow statistics:

Command Syntax: show sflow
Command Mode: EXEC
Purpose: Display sFlow configuration information and statistics.

Figure 46-2 is a sample output from the show sflow command:

Figure 46-2.
Figure 46-3. Command Example: show sflow interface
FTOS#show sflow interface gigabitethernet 1/16
Gi 1/16
Configured sampling rate            :8192
Actual sampling rate                :8192
Sub-sampling rate                   :2
Counter polling interval            :15
Samples rcvd from h/w               :33
Samples dropped for sub-sampling    :6

The configuration shown in Figure 46-2 is also displayed in the running configuration (Figure 46-4):

Figure 46-4.
Specify Collectors

The sflow collector command identifies the sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If two collectors are specified, the samples are sent to both.

Collection through the Management interface is supported on platform: e.
The sflow sample-rate command, when issued in CONFIGURATION mode, changes the default sampling rate. By default, the sampling rate of an interface is set to the same value as the current global default sampling rate. If the value entered is not a power of 2, the command generates an error message with the previous and next power-of-2 values. Select one of these two numbers and re-enter the command. (For more information on power-of-2 values, see Sub-sampling on page 941.
Back-off Mechanism

If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism is triggered, which doubles the sampling rate (halves the number of samples per second) for all interfaces. The back-off mechanism continues to double the sampling rate until the CPU condition is cleared. This is as per the sFlow version 5 draft.
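The two rules above, the power-of-2 check on sflow sample-rate and the binary back-off, modelled in Python as an added example (not FTOS code, and not the switch's actual error text). The CPU-overload check sequence and the maximum sampling rate are constructed assumptions.

```python
"""Added example (not FTOS code): the sflow sample-rate power-of-2 rule and
the binary back-off mechanism described above.

validate_sample_rate() rejects a non-power-of-2 rate and names the previous
and next power of 2, as the command's error message does. apply_backoff()
doubles the sampling rate of every interface once per CPU check that still
reports overload and stops at the first check that reports it cleared.
The CPU-check sequence and max_rate ceiling are assumptions.
"""
from typing import Optional


def validate_sample_rate(rate: int) -> tuple[bool, Optional[str]]:
    """Return (ok, message); rate must be a positive power of 2."""
    if rate < 1:
        return False, "sampling rate must be a positive integer"
    if rate & (rate - 1) == 0:
        return True, None
    lower = 1 << (rate.bit_length() - 1)   # largest power of 2 below rate
    upper = lower << 1                     # smallest power of 2 above rate
    return False, f"{rate} is not a power of 2; use {lower} or {upper}"


def samples_per_second(pps: float, rate: int) -> float:
    """Expected flow samples per second at pps packets/s and 1-in-rate sampling."""
    return pps / rate


def apply_backoff(rates: dict[str, int], cpu_overloaded: list[bool],
                  max_rate: int = 1 << 20) -> tuple[dict[str, int], int]:
    """Double every interface's sampling rate per overloaded check.

    Returns the resulting per-interface rates and the number of doublings.
    Rates are doubled for all interfaces together, as the text states.
    """
    current = dict(rates)
    doublings = 0
    for overloaded in cpu_overloaded:
        if not overloaded:
            break                          # CPU condition cleared
        current = {name: min(r * 2, max_rate) for name, r in current.items()}
        doublings += 1
    return current, doublings


if __name__ == "__main__":
    print(validate_sample_rate(8192))      # the rate from Figure 46-3
    print(validate_sample_rate(5000))      # not a power of 2
    # Constructed scenario: two interfaces, CPU overloaded on two checks.
    before = {"Gi 1/16": 256, "Gi 1/17": 1024}
    after, n = apply_backoff(before, [True, True, False])
    for name in before:
        print(name, before[name], "->", after[name],
              f"({samples_per_second(100_000, before[name]):.1f} -> "
              f"{samples_per_second(100_000, after[name]):.1f} samples/s)")
    print("doublings:", n)
```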
Figure 46-6. Confirming that Extended sFlow is Enabled
FTOS#show sflow
sFlow services are enabled
Extended sFlow settings
Global default sampling rate: 4096
Global default counter polling interval: 15
Global extended information enabled: gateway, router, switch
1 collectors configured
Collector IP addr: 10.10.10.3, Agent IP addr: 10.10.0.

Figure callout: "gateway, router, switch" shows that all 3 types are enabled.
Table 46-1. Extended Gateway Summary

IP SA                  IP DA                  srcAS and srcPeerAS   dstAS and dstPeerAS   Description
static/connected/IGP   static/connected/IGP   —                     —                     Extended gateway data is not exported because there is no AS information.
static/connected/IGP   BGP                    0                     Exported              src_as & src_peer_as are zero because there is no AS information for IGP.
BGP                    static/connected/IGP   —                     —                     Prior to FTOS version 7.8.1.0, extended gateway data is not exported because IP DA is not learned via BGP.
47 Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is supported on platforms: ecsz SNMP is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. Note: On Dell Force10 routers, standard and private SNMP MIBs are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
1. Create a community. See page 947.

Configuring SNMP version 3 requires you to configure SNMP users using one of three methods. See Setting Up User-based Security (SNMPv3).
Create a Community For SNMPv1 and SNMPv2, you must create a community to enable the community-based security in FTOS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
Figure 47-2. Select a User-based Security Type

FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ?
auth      Use the SNMPv3 authNoPriv Security Level
noauth    Use the SNMPv3 noAuthNoPriv Security Level
priv      Use the SNMPv3 authPriv Security Level
FTOS(conf)#snmp-server host 1.1.1.
Read Managed Object Values

You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell Force10 supports RFC 4001, Textual Conventions for Internet Network Addresses, which defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. In the following figure, the value “4” displays in the OID before the IP address for IPv4.
Figure 47-5. Reading the Value of Many Managed Objects at Once

> snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell Force10 Real Time Operating System Software
Dell Force10 Operating System Version: 1.0
Dell Force10 Application Software Version: E_MAIN4.7.6.350
Copyright (c) 1999-2007 by Dell Force10
Build Time: Mon May 12 14:02:22 PDT 2008
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6027.1.3.
Task                                                                                                                                                  Command                       Command Mode
Identify the physical location of the system. For example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1. You may use up to 55 characters. Default: None   snmp-server location text   CONFIGURATION

To configure the system from the management station using SNMP:

Task                                                                                                                                                  Command                       Command Mode
Identify the system manager along with this person’s contact information (e.g., E-mail address or phone number). You may use up to 55 characters.
Step   Task                                                                        Command Syntax              Command Mode
2      Specify which traps the Dell Force10 system sends to the trap receiver.    snmp-server enable traps    CONFIGURATION
       • Enable all Dell Force10 enterpriseSpecific and RFC-defined traps using the command snmp-server enable traps from CONFIGURATION mode.
       • Enable all of the RFC-defined traps using the command snmp-server enable traps snmp from CONFIGURATION mode.
3      Specify the interfaces out of which FTOS sends SNMP traps.
Table 47-2. Dell Force10 Enterprise-specific SNMP Traps

Command Option   Trap
MINOR_SFM: Minor alarm: No working standby SFM
MINOR_SFM_CLR: Minor alarm cleared: Working standby SFM present
TASK SUSPENDED: SUSPENDED - svce:%d - inst:%d - task:%s
RPM0-P:CP %CHMGR-2-CARD_PARITY_ERR
ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s
CPU_THRESHOLD: Cpu %s usage above threshold. Cpu5SecUsage (%d)
CPU_THRESHOLD_CLR: Cpu %s usage drops below threshold. Cpu5SecUsage (%d)
MEM_THRESHOLD: Memory %s usage above threshold.
Table 47-2. Dell Force10 Enterprise-specific SNMP Traps

Command Option   Trap
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1489568) 4:08:15.68, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
Table 47-3. MIB Objects for Copying Configuration Files via SNMP

MIB Object         OID                               Object Values                                               Description
copySrcFileName    .1.3.6.1.4.1.6027.3.5.1.1.1.1.4   Path (if file is not in current directory) and filename.   Specifies name of the file.
                                                                                                                 • If copySourceFileType is set to running-config or startup-config, copySrcFileName is not required.
copyDestFileType   .1.3.6.1.4.1.6027.3.5.1.1.1.1.
Step   Task                                                     Command Syntax   Command Mode
3      On the server, use the command snmpset as shown:
       snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value...
       • Every specified object must have an object value, which must be preceded by the keyword i. See Table 6 for ranges.
       • index must be unique to all previously executed snmpset commands.
Table 47-4. Copying Configuration Files via SNMP

Task
snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3

Figure 47-7 shows the command syntax using MIB object names. Figure 47-8 shows the same command using the object OIDs. In both cases, the object is followed by a unique index number.

Figure 47-7. Copying Configuration Files via SNMP using Object-Name Syntax

> snmpset -v 2c -r 0 -t 60 -c private -m ./f10-copy-config.
Table 47-4. Copying Configuration Files via SNMP

Task
• server-ip-address must be preceded by the keyword a.
• values for copyUsername and copyUserPassword must be preceded by the keyword s.

Figure 47-11. Copying Configuration Files via SNMP and FTP to a Remote Server

> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.11.11 copyUserName.
Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 47-5.

Table 47-5. MIB Objects for Copying Configuration Files via SNMP

MIB Object        OID                                Values                                    Description
copyState         .1.3.6.1.4.1.6027.3.5.1.1.1.1.11   1 = running, 2 = successful, 3 = failed   Specifies the state of the copy operation.
copyTimeStarted   .1.3.6.1.4.1.6027.3.5.1.1.1.1.12   Time value                                Specifies the point in the up-time clock that the copy operation started.
Figure 47-14 shows the command syntax using MIB object names, and Figure 47-15 shows the same command using the object OIDs. In both cases, the object is followed by the same index number used in the snmpset command.

Figure 47-14. Obtaining MIB Object Values for a Copy Operation using Object-name Syntax

> snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.110
FTOS-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.31

Figure 47-15.
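The copy-config procedure above has three rules that are easy to violate by hand: every object needs the right type keyword (i, a or s), the index must not repeat an earlier snmpset, and copyState has to be read back to learn whether the copy finished. The following is an added example, not the guide's or Dell's own code: a small Python builder that assembles the snmpset argument list from the object names in Tables 47-3 through 47-5 and Figure 47-11 and enforces those rules before anything is sent. The class and function names are this example's own; the object names and type letters are the ones the tables list.

```python
import ipaddress

# Added example (not the FTOS guide's own code). Object names and type letters
# come from Tables 47-3 through 47-5 and Figure 47-11; the class and function
# names are this example's own.

# Type keyword each copy-config object must carry in snmpset:
# i = integer, a = IP address, s = string.
COPY_OBJECT_TYPES = {
    "copySrcFileType": "i",
    "copyDestFileType": "i",
    "copySrcFileName": "s",
    "copyDestFileName": "s",
    "copyDestFileLocation": "i",
    "copyServerAddress": "a",
    "copyUserName": "s",
    "copyUserPassword": "s",
}

# copyState values from Table 47-5.
COPY_STATES = {1: "running", 2: "successful", 3: "failed"}


def format_value(kind: str, value) -> str:
    """Render a value for its type keyword, rejecting mismatches early."""
    if kind == "i":
        if not isinstance(value, int) or isinstance(value, bool):
            raise TypeError(f"integer object got {value!r}")
        return str(value)
    if kind == "a":
        return str(ipaddress.IPv4Address(value))  # raises ValueError on a bad address
    return str(value)


class CopyConfigRequests:
    """Builds snmpset argument lists for one agent and enforces the guide's
    rules: every object carries a typed value, and each request uses an index
    not used by any earlier request."""

    def __init__(self, host: str, community: str, version: str = "2c",
                 mib: str = "./f10-copy-config.mib"):
        self.host, self.community, self.version, self.mib = host, community, version, mib
        self._used_indexes = set()

    def build(self, index: int, varbinds: dict) -> list:
        if index in self._used_indexes:
            raise ValueError(f"index {index} was already used; choose a fresh one")
        if not varbinds:
            raise ValueError("a copy request needs at least one object")
        args = ["snmpset", "-v", self.version, "-c", self.community,
                "-m", self.mib, self.host]
        for name, value in varbinds.items():
            kind = COPY_OBJECT_TYPES.get(name)
            if kind is None:
                raise ValueError(f"{name} is not a copy-config object")
            args += [f"{name}.{index}", kind, format_value(kind, value)]
        self._used_indexes.add(index)
        return args


def copy_state_name(code: int) -> str:
    """Translate a copyState integer read back with snmpget into its meaning."""
    return COPY_STATES.get(code, f"unknown({code})")


if __name__ == "__main__":
    # Constructed request mirroring Figure 47-11 (addresses are the figure's).
    reqs = CopyConfigRequests("10.10.10.10", "private")
    print(" ".join(reqs.build(110, {
        "copySrcFileType": 2,
        "copyDestFileName": "/home/startup-config",
        "copyDestFileLocation": 4,
        "copyServerAddress": "11.11.11.11",
    })))
```

Note what this command line carries: with SNMPv2c the community string and any copyUserPassword value travel unencrypted, so the v3 security levels shown in Figure 47-2 are the appropriate choice for a write operation like this one.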
Figure 47-17. Assign a VLAN Alias using SNMP

[Unix system output]
> snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN"
SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
The table that the Dell Force10 system sends in response to the snmpget request is a table that contains hexadecimal (hex) pairs, each pair representing a group of eight ports.
• On the E-Series, 12 hex pairs represent a line card. Twelve pairs accommodate the greatest currently available line card port density, 96 ports.
• On the C-Series, 28 hex pairs represent a line card.
The value 40 is in the first set of 7 hex pairs, indicating that these ports are in Stack Unit 0. The hex value 40 is 0100 0000 in binary. As described above, the left-most position in the string represents Port 1. The next position from the left represents Port 2 and has a value of 1, indicating that Port 0/2 is in VLAN 10. The remaining positions are 0, so those ports are not in the VLAN.
In Figure 47-22, Port 0/2 is added as a tagged member of VLAN 10.

Figure 47-22. Adding Tagged Ports to a VLAN using SNMP

>snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
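Reading and writing the port-list string by eye is error-prone, and a mistaken bit adds a port to a VLAN silently. The following is an added example, not code from the FTOS guide: it decodes a port-list value into (unit, port) pairs using the layout the text gives (7 hex pairs per S-Series stack unit, left-most bit is Port 1), encodes a membership list back into the hex string an snmpset x value expects, and diffs two snmpget results so an unexpected membership change stands out. Function names are this example's own; the per-unit pair counts are the ones the text states for the S-, E- and C-Series.

```python
# Added example (not code from the FTOS guide): encodes and decodes the hex
# port-list strings returned and set for VLAN membership objects
# (Figure 47-22 and the text above). Function names are this example's own.

# Hex pairs per unit/line card as the text gives them: 7 on S-Series stack
# units, 12 on E-Series line cards, 28 on C-Series line cards.
PAIRS_PER_UNIT = {"S": 7, "E": 12, "C": 28}


def decode_port_list(hex_pairs: str, pairs_per_unit: int = 7) -> list:
    """Return (unit, port) tuples for every 1 bit. The left-most bit of each
    unit's block is Port 1, the next bit Port 2, and so on."""
    octets = bytes.fromhex(hex_pairs.replace(" ", ""))
    if len(octets) % pairs_per_unit:
        raise ValueError(f"{len(octets)} pairs is not a whole number of units")
    members = []
    for i, octet in enumerate(octets):
        unit, offset = divmod(i, pairs_per_unit)
        for bit in range(8):
            if octet & (0x80 >> bit):
                members.append((unit, offset * 8 + bit + 1))
    return members


def encode_port_list(members: list, units: int, pairs_per_unit: int = 7) -> str:
    """Inverse of decode_port_list: build the hex-pair string for a set of
    (unit, port) members, as an snmpset 'x' value expects."""
    octets = bytearray(units * pairs_per_unit)
    for unit, port in members:
        if not (0 <= unit < units and 1 <= port <= pairs_per_unit * 8):
            raise ValueError(f"port {unit}/{port} is outside the port list")
        index = unit * pairs_per_unit + (port - 1) // 8
        octets[index] |= 0x80 >> ((port - 1) % 8)
    return " ".join(f"{b:02X}" for b in octets)


def diff_port_lists(before: str, after: str, pairs_per_unit: int = 7) -> dict:
    """Report membership changes between two snmpget results; run this after an
    snmpset so an unintended added or removed port is visible."""
    old = set(decode_port_list(before, pairs_per_unit))
    new = set(decode_port_list(after, pairs_per_unit))
    return {"added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    # The single-unit value from the text: 40 in the first pair is Port 0/2.
    print(decode_port_list("40 00 00 00 00 00 00"))
    print(encode_port_list([(0, 2), (1, 48)], units=2))
```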
Enable and Disable a Port using SNMP

Step   Task                                                                                                   Command Syntax          Command Mode
1      Create an SNMP community on the Dell Force10 system.                                                   snmp-server community   CONFIGURATION
2      From the Dell Force10 system, identify the interface index of the port for which you want to change the admin status. Or, from the management system, use the snmpwalk command to identify the interface index.
Each object is composed of an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent. For example, the decimal equivalent of E8 is 232, and so the instance number for MAC address 00:01:e8:06:95:ac is .0.1.232.6.149.172. The value of dot1dTpFdbPort is the port number of the port on which the system learns the MAC address.
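The MAC-to-instance conversion above is what lets a script correlate forwarding-table entries with ports. The following is an added example, not code from the FTOS guide: it converts in both directions and extracts MAC-to-port entries from a dot1dTpFdbPort walk. The sample walk output is constructed for the example (not captured from a system); the numeric prefix mib-2.17.4.3.1.2 is the dot1dTpFdbPort column of the standard BRIDGE-MIB, which net-snmp prints in this form when the MIB file is not loaded.

```python
import re

# Added example (not code from the FTOS guide): converts between a MAC address
# and the instance suffix SNMP uses for dot1dTpFdb* objects, and pulls
# MAC-to-port entries out of snmpwalk output. The sample output below is
# constructed for the example; the OID prefix is dot1dTpFdbPort (BRIDGE-MIB).

DOT1D_TP_FDB_PORT_PREFIX = "SNMPv2-SMI::mib-2.17.4.3.1.2"


def mac_to_instance(mac: str) -> str:
    """00:01:e8:06:95:ac -> .0.1.232.6.149.172 (each hex pair as decimal)."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a six-octet MAC address")
    return "." + ".".join(str(int(o, 16)) for o in octets)


def instance_to_mac(instance: str) -> str:
    """Inverse: .0.1.232.6.149.172 -> 00:01:e8:06:95:ac."""
    parts = [int(p) for p in instance.strip(".").split(".")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"{instance!r} is not a MAC instance suffix")
    return ":".join(f"{p:02x}" for p in parts)


# One walk line: prefix, six decimal instance octets, then the port integer.
_FDB_LINE = re.compile(
    re.escape(DOT1D_TP_FDB_PORT_PREFIX) + r"((?:\.\d{1,3}){6}) = INTEGER: (\d+)$")


def parse_fdb_walk(text: str) -> dict:
    """Map MAC address -> learning port for every dot1dTpFdbPort line;
    lines for other columns (e.g. dot1dTpFdbStatus) are ignored."""
    table = {}
    for line in text.splitlines():
        m = _FDB_LINE.match(line.strip())
        if m:
            table[instance_to_mac(m.group(1))] = int(m.group(2))
    return table


# Constructed snmpwalk output (not captured from a real system).
SAMPLE_WALK = """\
SNMPv2-SMI::mib-2.17.4.3.1.2.0.1.232.6.149.172 = INTEGER: 34
SNMPv2-SMI::mib-2.17.4.3.1.2.0.0.0.0.0.1 = INTEGER: 2
SNMPv2-SMI::mib-2.17.4.3.1.3.0.1.232.6.149.172 = INTEGER: 3
"""

if __name__ == "__main__":
    print(mac_to_instance("00:01:e8:06:95:ac"))
    print(parse_fdb_walk(SAMPLE_WALK))
```

Keeping a periodic snapshot of this table is a cheap way to notice a MAC address moving to an unexpected port.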
Deriving Interface Indices

FTOS assigns an interface number to each (configured or unconfigured) physical and logical interface. Display the interface index number using the command show interface from EXEC Privilege mode, as shown in Figure 47-26.

Figure 47-26.
Figure 47-28. Binary Representation of Interface Index For interface indexing, slot and port numbering begins with the binary one. If the Dell Force10 system begins slot and port numbering from 0, then the binary 1 represents slot and port 0. For example, the index number in Figure 47-28 gives the binary 2 for the slot number, though interface GigabitEthernet 1/21 belongs to Slot 1. This is because the port for this example is on an E-Series which begins numbering slots from 0.
SNMPv2-SMI::enterprises.6027.3.2.1.1.6.1.4.1107755009.1 = INTEGER: 1   << Status active, 2 – status inactive
If we learn MAC addresses for the LAG, status will be shown for those as well.

dot3aCurAggVlanId
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggMacAddr
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
dot3aCurAggIndex
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.
48 Stacking Stacking is supported on the following platforms: s (S50/S25), Stacking is supported on the S4810 platform with FTOS version 8.3.7.1, version 8.3.10.2 and newer. Note: The S4810 commands accept Unit ID numbers 0-11, though the S4810 supports stacking up to 3 units only with FTOS version 8.3.7.1 and version 8.3.10.2. The S4810 supports stacking up to 6 units on FTOS version 8.3.12.0. The S55 supports stacking up to 8 units.
FTOS presents all of the units like line cards; for example, to access GigabitEthernet Port 1 on Stack Unit 0, enter interface gigabitethernet 0/1 from CONFIGURATION mode.

Stack Management Roles

The stack elects the management units for the stack management:
• Stack master: The primary management unit, also called the master unit.
• Standby: The secondary management unit.
• Stack units: Also called stack members, these are the remaining units in the stack.
• MAC address (in case of priority tie): The unit with the higher MAC value becomes the master unit.

The stack takes the MAC address of the master unit and retains it unless it is reloaded. To view which switch is the stack master, enter the show system command. Figure 48-1 shows sample output from an established stack.

A change in the stack master occurs when:
• You power down the stack master or bring the master switch offline.
• A failover of the master switch occurs.
Failover Roles

If the stack master fails (e.g., is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The distributed forwarding tables are retained during the failover, as is the stack MAC address. The lack of a standby unit triggers an election within the remaining units for a standby role.
Figure 48-2. Adding a Standalone with a Lower MAC Address to a Stack— Before (S50-type)

-------------------------------STANDALONE BEFORE CONNECTION---------------------------------
Standalone#show system brief
Stack MAC : 00:01:e8:d5:ef:81

-- Stack Info --
Unit   UnitType     Status   ReqTyp   CurTyp   Version   Ports
--------------------------------------------------------------------------
0      Management   online   S50V     S50V     7.8.1.
Figure 48-3. Adding a Standalone with a Lower MAC Address and Equal Priority to a Stack—After

-------------------------------STANDALONE AFTER CONNECTION---------------------------------
Standalone#%STKUNIT0-M:CP %POLLMGR-2-ALT_STACK_UNIT_STATE: Alternate Stack-unit is present
00:20:20: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 1 present
00:20:22: %STKUNIT0-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present
Going for reboot.
Figure 48-4. S4810 supported stacking topologies

High Availability on S-Series Stacks

S-Series stacks have master and standby management units analogous to Dell Force10 Route Processor Modules (Figure 48-5). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit. In such an event, or when the master unit is removed, the standby unit becomes the stack manager and FTOS elects a new standby unit.
Figure 48-5. S-Series Stack Manager Redundancy (S50-type system)

Stack#show redundancy
-- Stack-unit Status --
------------------------------------------------
Mgmt ID:                        0
Stack-unit ID:                  1
Stack-unit Redundancy Role:     Primary
Stack-unit State:               Active
Stack-unit SW Version:          7.8.1.0
Link to Peer:                   Up

-- PEER Stack-unit Status --
------------------------------------------------
Stack-unit State:               Standby
Peer stack-unit ID:             2
Stack-unit SW Version:          7.8.1.
Figure 48-6.
S-Series Stacking Installation Tasks
• Create an S-Series Stack
• Add Units to an Existing S-Series Stack
• Remove a Unit from an S-Series Stack
• Split an S-Series Stack

Create an S-Series Stack

Stacking is enabled on the S4810 using the front end ports. No configuration is allowed on front end ports used for stacking. Stacking can be made between 10G ports of two units or 40G ports of two units. The stack links between the two units will be grouped into a single LAG.
With FTOS 8.3.12.0, when a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the FTOS version. If the stack is running 8.3.12.0 and the new unit is running an earlier software version, the new unit is put into a card problem state.
• If the unit is running version 8.3.10.x, it is upgraded to use the same FTOS version as the stack, rebooted, and joins the stack.
Task                                                                                                                                                                                                   Command Syntax   Command Mode
Save the stacking configuration on the ports.                                                                                                                                                          write memory     EXEC Privilege
Reload the switch. FTOS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.   reload           EXEC Privilege

After the units are reloaded, the system reboots. The units come up in a stack after the reboot completes.
Step   Task                                                                                                Command Syntax        Command Mode
4      Configure the switch priority for each unit to make management unit selection deterministic.        stack-unit priority   CONFIGURATION
5      Assign a stack group for each unit. Begin with the first port on the management unit. Next, configure both ports on each subsequent unit. Finally, return to the management unit and configure the last port. (See the example below.)
Configure the first stack group on unit 1:
  stack-unit 1 stack-group 13
Configure the stack groups on unit 2:
  stack-unit 2 stack-group 14
  stack-unit 2 stack-group 15
Configure the stack groups on unit 3:
  stack-unit 3 stack-group 12
  stack-unit 3 stack-group 13
Configure the stack groups on unit 4:
  stack-unit 4 stack-group 13
  stack-unit 4 stack-group 14
Configure the final stack-group on unit 1 to complete the stack.
 9     Member   not present
 10    Member   not present

-- Power Supplies --
Unit   Bay   Status   Type      FanStatus
---------------------------------------------------------------------------
1      0     absent             absent
1      1     up       AC        up
2      0     down     UNKNOWN   down
2      1     up       AC        up
3      0     absent             absent
3      1     up       AC        up
4      0     absent             absent
4      1     up       AC        up

-- Fan Status --
Unit   Bay   TrayStatus   Fan0   Speed   Fan1   Speed
---------------------------------------------------------------------------
1      0     up           up     9360    up     9360
1      1     up           up     9360    up     9360
2      0     up           up     7680    up     7680
2      1     up           up     79
• by merging two stacks.

If you are adding units to an existing stack, you can either:
• allow FTOS to automatically assign the new unit a position in the stack, or
• manually determine each unit's position in the stack by configuring each unit to correspond with the stack before connecting it.

If you add a unit that has a stack number that conflicts with the stack, the stack assigns the first available stack number, as shown in the examples below.
 4     Member   not present
 5     Member   not present
 6     Member   not present
 7     Member   not present
 8     Member   not present
 9     Member   not present
 10    Member   not present
 11    Member   not present

Figure 48-9.
Step   Task                                                                                        Command Syntax                          Command Mode
5      Configure the ports on the added switch for stacking, where:                                stack-unit 0 stack-group group-number   CONFIGURATION
       stack-unit 0 defines the default ID unit-number in the initial configuration of a switch.
       stack-group group-number configures a port for stacking.
6      Save the stacking configuration on the ports.                                               write memory                            EXEC Privilege
7      Reload the switch.
Split an S-Series Stack

To split a stack, unplug the desired stacking cables. You may do this at any time, whether the stack is powered or unpowered, and the units are online or offline. Each portion of the split stack retains the startup and running configuration of the original stack. For a parent stack that is split into two child stacks, A and B, each with multiple units:
• If one of the new stacks receives the master and the standby management units, it is unaffected by the split.
Message 1 Renumbering the Stack Manager

Renumbering master unit will reload the stack.
WARNING: Interface configuration for current unit will be lost!
Proceed to renumber [confirm yes/no]: yes

Create a Virtual Stack Unit on an S-Series Stack

Use virtual stack units to configure ports on the stack before adding a new unit.

Task                           Command Syntax   Command Mode
Create a virtual stack unit.
Burned In MAC  : 00:01:e8:8a:df:e6
No Of MACs     : 3

-- Power Supplies --
Unit   Bay   Status   Type   FanStatus
--------------------------------------------------------------------------
0      0     absent          absent
0      1     up       AC     up

-- Fan Status --
Unit   Bay   TrayStatus   Fan0   Speed   Fan1   Speed
-------------------------------------------------------------------------------
0      0     up           up     6960    up     6960
0      1     up           up     6720    up     6720
Speed in RPM

-- Unit 1 --
Unit Type        : Member Unit
Status           : not present
Required Type    : S4810 - 52-port GE/TE/FG (SE)

-- Unit
 8     Member   not present
 9     Member   not present
 10    Member   not present
 11    Member   not present

Display information about an S4810 stack using the show system stack-ports command.
Manage Redundancy on an S-Series Stack

Task                                                                                                                                                                                  Command Syntax                         Command Mode
Reset the current management unit, and make the standby unit the new master unit. A new standby is elected. When the former stack master comes back online, it becomes a member unit.   redundancy force-failover stack-unit   EXEC Privilege
Prevent the stack master from rebooting after a failover. This command does not affect a forced failover, manual reset, or a stack-link disconnect.
Display Status of Stacking Ports

To display the status of the stacking ports, including the topology:

Task                          Command Syntax            Command Mode
Display the stacking ports.   show system stack-ports   EXEC Privilege

The following example shows four switches stacked together with two 40G links in a ring topology.
-- Power Supplies --
Unit   Bay   Status   Type   FanStatus
---------------------------------------------------------------------------
1      0     absent          absent
1      1     up       AC     up

-- Fan Status --
Unit   Bay   TrayStatus   Fan0   Speed   Fan1   Speed
---------------------------------------------------------------------------
1      0     up           up     7200    up     7200
1      1     up           up     7200    up     7440
Speed in RPM

The following example shows three switches stacked together
To remove a stack member from the stack, disconnect the stacking cables from the unit. You may do this at any time, whether the unit is powered or unpowered, online or offline. Note that if you remove a unit in the middle of the daisy chain stack, the stack will be split into multiple parts and each will form a new stack according to the stacking algorithm described throughout this chapter.

Figure 48-10.
After the units are reloaded, the system reboots. The units come up as standalone units after the reboot completes.
Unit   Bay   Status   Type   FanStatus
0      0     down     DC     down
0      1     up       DC     up
1      0     absent          absent
1      1     up       AC     up

-- Fan Status --
Unit   Bay   TrayStatus   Fan0   Speed   Fan1   Speed
-------------------------------------------------------------------------------
0      0     up           up     6960    up     6720
0      1     up           up     6720    up     6720
1      0     up           up     6960    up     6720
1      1     up           up     6720    up     6720
Speed in RPM
stack-1#

Recover from a Card Mismatch State on an S-Series Stack

A card mismatch occurs if the stack has a provision for the lowest available stack number which does not match the model of a newly added u
49 Storm Control

Storm Control is supported on platforms: e c s z
Storm Control for Multicast is supported on platforms: c s z

The storm control feature enables you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces.

FTOS Behavior: On the E-Series, FTOS supports broadcast control for Layer 3 traffic only. To control Layer 2 broadcast traffic, use the command storm-control unknown-unicast.
Configure storm control from CONFIGURATION mode

Configure storm control from CONFIGURATION mode using the command storm control. From CONFIGURATION mode you can configure storm control for ingress and egress traffic.
50 Spanning Tree Protocol (STP) Spanning Tree Protocol (STP) is supported on platforms: e c s z Protocol Overview Spanning Tree Protocol (STP) is a Layer 2 protocol—specified by IEEE 802.1d—that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and enables you to implement redundant paths, which can be activated upon the failure of active paths.
• Removing an Interface from the Spanning Tree Group
• Modifying Global Parameters
• Modifying Interface STP Parameters
• Enabling PortFast
• Preventing Network Disruptions with BPDU Guard
• STP Root Selection
• SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless

Important Points to Remember
• Spanning Tree Protocol (STP) is disabled by default.
• FTOS supports only one Spanning Tree instance (0).
Figure 50-1.
Enabling Spanning Tree Protocol Globally

Spanning Tree Protocol must be enabled globally; it is not enabled by default. To enable Spanning Tree globally for all Layer 2 interfaces:

Step   Task                                     Command Syntax             Command Mode
1      Enter the PROTOCOL SPANNING TREE mode.   protocol spanning-tree 0   CONFIGURATION
2      Enable Spanning Tree.
Figure 50-2. Spanning Tree Enabled Globally

[Topology diagram: R1 (root), R2 and R3; ports 1/1 to 1/4, 2/1 to 2/4 and 3/1 to 3/4; the link on 1/3 is Forwarding and the link on 1/4 is Blocking]

Port 290 (GigabitEthernet 2/4) is Blocking
Port path cost 4, Port priority 8, Port Identifier 8.290
Designated root has priority 32768, address 0001.e80d.2462
Designated bridge has priority 32768, address 0001.e80d.2462
Designated port id is 8.
Confirm that a port is participating in Spanning Tree using the show spanning-tree 0 brief command from EXEC privilege mode.

FTOS#show spanning-tree 0 brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32768, Address 0001.e80d.2462
  We are the root of the spanning tree
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32768, Address 0001.e80d.
Modifying Global Parameters You can modify Spanning Tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in Spanning Tree. Note: Dell Force10 recommends that only experienced network administrators change the Spanning Tree parameters. Poorly planned modification of the Spanning Tree parameters can negatively impact network performance. Table 50-2 displays the default values for Spanning Tree. Table 50-2.
View the current values for global parameters using the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.

Modifying Interface STP Parameters

You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port will be selected to be a forwarding port.
To enable PortFast on an interface:

Task                               Command Syntax                                                       Command Mode
Enable PortFast on an interface.   spanning-tree stp-id portfast [bpduguard [shutdown-on-violation]]   INTERFACE

Verify that PortFast is enabled on a port using the show spanning-tree command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in Figure 50-3.

Figure 50-3.
Note: Unless the shutdown-on-violation option is enabled, spanning-tree only drops packets after a BPDU violation; the physical interface remains up, as shown below.

FTOS(conf-if-gi-0/7)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32768, Address 0001.e805.fb07
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32768, Address 0001.e85d.
Figure 50-4. Enabling BPDU Guard

FTOS(conf-if-gi-3/41)# spanning-tree 0 portfast bpduguard shutdown-on-violation
FTOS(conf-if-gi-3/41)#show config
!
interface GigabitEthernet 3/41
 no ip address
 switchport
 spanning-tree 0 portfast bpduguard shutdown-on-violation
 no shutdown

[Diagram labels: port 3/41, Hub, Switch with Spanning Tree Enabled]

FTOS Behavior: BPDU Guard and BPDU filtering (refer to Removing an Interface from the Spanning Tree Group) both block BPDUs, but are two separate features.
Task                                                                                                                                                                                                                          Command Syntax   Command Mode
Assign a number as the bridge priority or designate it as the root or secondary root. priority-value range: 0 to 65535. The lower the number assigned, the more likely this bridge will become the root bridge. The default is 32768.
• The primary option specifies a bridge priority of 8192.
• The secondary option specifies a bridge priority of 16384.
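The priority rules in the table above, together with the root guard behavior described in the next paragraphs, decide which bridge wins an election and what a guarded port does when a better offer arrives. The following is an added example, not code from the FTOS guide: it computes the bridge ID ordering (lower priority wins, then the lower MAC breaks the tie), applies the 8192/16384 values the primary and secondary keywords set, and evaluates a received BPDU the way a root-guarded port would. Names are this example's own; MACs are written in the dotted form the show output uses.

```python
from dataclasses import dataclass

# Added example (not code from the FTOS guide): applies the bridge-priority
# rules above (lower wins; primary = 8192, secondary = 16384, default 32768)
# to pick a root bridge, and evaluates a received BPDU the way root guard
# treats it. Names are this example's own; MACs use the dotted form FTOS prints.

PRIORITY_DEFAULT = 32768
ROLE_PRIORITIES = {"primary": 8192, "secondary": 16384}


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str                          # e.g. "0001.e80d.2462"
    priority: int = PRIORITY_DEFAULT


def bridge_id(bridge: Bridge) -> tuple:
    """Comparison key: priority first, then the numeric MAC as tie-breaker.
    A smaller key is a 'better' (superior) bridge ID."""
    if not 0 <= bridge.priority <= 65535:
        raise ValueError(f"priority {bridge.priority} out of range 0..65535")
    return bridge.priority, int(bridge.mac.replace(".", ""), 16)


def with_role(bridge: Bridge, role: str) -> Bridge:
    """Return a copy carrying the priority the primary/secondary keywords set."""
    return Bridge(bridge.name, bridge.mac, ROLE_PRIORITIES[role])


def elect_root(bridges: list) -> Bridge:
    """The bridge with the lowest bridge ID becomes root."""
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=bridge_id)


def evaluate_bpdu(current_root: Bridge, advertised_root: Bridge, root_guard: bool) -> str:
    """How a port reacts to a BPDU that claims advertised_root is root:
    'no-change'         - the claim is not superior to the current root
    'new-root'          - superior and no guard: the topology re-converges
    'root-inconsistent' - superior but root guard blocks the port instead"""
    if bridge_id(advertised_root) >= bridge_id(current_root):
        return "no-change"
    return "root-inconsistent" if root_guard else "new-root"


if __name__ == "__main__":
    # Constructed bridges; A has the address from the show output above.
    a = Bridge("A", "0001.e80d.2462")
    b = Bridge("B", "0001.e85d.0001")
    c = Bridge("C", "0001.e8ff.0000")
    print(elect_root([a, b, c]).name)                       # A: lowest MAC at equal priority
    print(elect_root([a, b, with_role(c, "primary")]).name)  # C: priority 8192 wins
    rogue = Bridge("D", "0000.0000.0001")                    # a superior claim on an edge port
    print(evaluate_bpdu(a, rogue, root_guard=True))          # root-inconsistent
```

The last call is the case the guide describes for Switch C and device D: the port stays blocked rather than letting a device on an access port take over the root role.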
In STP topology 3 (Figure 50-6 lower middle), if the root guard feature is enabled on the STP port on Switch C that connects to device D, and device D sends a superior BPDU that would trigger the election of device D as the new root bridge, the BPDU is ignored and the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge. All incoming and outgoing traffic is blocked on an STP port in a root-inconsistent state.
Root Guard Configuration

You enable STP root guard on a per-port or per-port-channel basis.

FTOS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
Configuring Spanning Trees as Hitless Configuring Spanning Trees as Hitless is supported only on platforms: c e You can configure Spanning Tree (STP), Rapid Spanning Tree (RSTP), Multiple Spanning Tree (MSTP), and Per-Vlan Spanning Tree (PVST+) to be hitless (all or none must be configured as hitless). When configured as hitless, critical protocol state information is synchronized between RPMs so that RPM failover is seamless and no topology change is triggered.
As shown in STP topology 3 (Figure 50-8 bottom middle), after you enable loop guard on an STP port or port-channel on Switch C, if no BPDUs are received and the max-age timer expires, the port transitions from a blocked state to a loop-inconsistent state (instead of to a forwarding state). Loop guard blocks the STP port so that no traffic is transmitted and no loop is created.
Figure 50-8.
Loop Guard Configuration

You enable STP loop guard on a per-port or per-port channel basis.

FTOS Behavior: The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
Displaying STP Guard Configuration

To verify the STP guard configured on port or port-channel interfaces, enter the show spanning-tree 0 guard [interface interface] command. The example below shows an STP network (instance 0) in which:
• Root guard is enabled on a port that is in a root-inconsistent state.
• Loop guard is enabled on a port that is in a listening state.
• BPDU guard is enabled on a port that is shut down (Error Disabled state) after receiving a BPDU.
51 System Time and Date System Time and Date settings and Network Time Protocol are supported on platforms: ecsz System times and dates can be set and maintained through the Network Time Protocol (NTP). They are also set through FTOS CLIs and hardware settings.
• Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time.
• Dispersion represents the maximum error of the local clock relative to the reference clock.
Figure 51-1. NTP Fields

[Packet diagram: UDP header with Source Port (123), Destination Port (123), Length and Checksum, followed by the NTP Packet Payload. Payload fields shown: Status (Leap Indicator Code: 00: No Warning, 01: +1 second, 10: -1 second, 11: reserved), Type, Precision (Range: +32 to -32), Est. Error, Est.]
Enable NTP

NTP is disabled by default. To enable it, specify an NTP server to which the Dell Force10 system will synchronize. Enter the command multiple times to specify multiple servers. You may specify an unlimited number of servers at the expense of CPU resources.

Task                                                                          Command   Command Mode
Specify the NTP server to which the Dell Force10 system will synchronize.
Figure 51-4. Displaying the Calculated NTP Synchronization Variables

R5/R8(conf)#do show calendar
06:31:02 UTC Mon Mar 13 1989
R5/R8(conf)#ntp update-calendar 1
R5/R8(conf)#do show calendar
06:31:26 UTC Mon Mar 13 1989
R5/R8(conf)#do show calendar
12:24:11 UTC Thu Mar 12 2009

Configure NTP broadcasts

With FTOS, you can receive broadcasts of time information. You can set interfaces within the system to receive NTP information through broadcast.
To configure an IP address as the source address of NTP packets, use the following command in CONFIGURATION mode:

Command Syntax: ntp source interface
Command Mode: CONFIGURATION
Purpose: Enter the following keywords and slot/port or number information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For a loopback interface, enter the keyword loopback followed by a number between 0 and 16383.
Step 2: ntp authentication-key number md5 key (Command Mode: CONFIGURATION). Set an authentication key. Configure the following parameters:
• number: Range 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
• key: Enter a text string. This text string is stored in encrypted form in the configuration.
Step 3: ntp trusted-key number (Command Mode: CONFIGURATION). Define a trusted key. Configure a number from 1 to 4294967295. Only keys that are marked trusted are accepted when an NTP packet is authenticated.
Command Syntax: ntp server ip-address [key keyid] [prefer] [version number]
Command Mode: CONFIGURATION
Purpose: Configure an NTP server. Configure the IP address of a server and the following optional parameters:
• key keyid: Enter the number of the authentication key (defined with ntp authentication-key and listed with ntp trusted-key) used to authenticate exchanges between the NTP server and client.
• prefer: Enter the keyword to set this NTP server as the preferred server.
• version number: Enter a number 1 to 3 as the NTP version.
• Root Delay (sys.rootdelay, peer.rootdelay, pkt.rootdelay): This is a signed fixed-point number indicating the total roundtrip delay to the primary reference source at the root of the synchronization subnet, in seconds. Note that this variable can take on both positive and negative values, depending on clock precision and skew.
• Root Dispersion (sys.rootdispersion, peer.rootdispersion, pkt.
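The three authentication commands above (ntp authentication-key, ntp trusted-key and the key option of ntp server) and the header variables listed here, as an added Python example that is not part of this guide and not FTOS code. It assumes the NTPv3/v4 symmetric-key format, in which a 4-byte key ID and the 16-byte MD5 digest of the shared key prepended to the 48-byte header follow the header; the key numbers 1 and 2 and their secrets are made up, and only key 1 is marked trusted, so a packet authenticated with key 2 is rejected even though the digest would verify.

```python
import hashlib
import hmac
import struct
import time

# Added example (not FTOS code). Key numbers and secrets are made up and stand
# in for 'ntp authentication-key <number> md5 <key>' / 'ntp trusted-key <number>'.
AUTH_KEYS = {
    1: b"example-secret-one",
    2: b"example-secret-two",
}
TRUSTED_KEYS = {1}            # key 2 is configured but is not trusted

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
# LI/VN/Mode, stratum, poll, precision, root delay (signed 16.16 fixed point),
# root dispersion (unsigned 16.16), reference ID, four 64-bit timestamps.
HEADER_FMT = ">BBBbiIIQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 48 bytes
MAC_LEN = 4 + 16                           # key ID + MD5 digest (RFC 5905, 7.3)


def _ntp_timestamp(unix_seconds):
    return int((unix_seconds + NTP_EPOCH_OFFSET) * (1 << 32)) & ((1 << 64) - 1)


def build_packet(mode, key_id=None, version=3, root_delay_s=0.0,
                 root_dispersion_s=0.0, transmit_unix=None):
    """Build an NTP header (mode 3 = client, 4 = server) and, when key_id is
    given, append the MAC: 32-bit key ID followed by MD5(key || header)."""
    if transmit_unix is None:
        transmit_unix = time.time()
    li_vn_mode = (0 << 6) | (version << 3) | mode        # LI 00 = no warning
    header = struct.pack(HEADER_FMT, li_vn_mode, 0, 6, -20,
                         int(round(root_delay_s * 65536)),
                         int(round(root_dispersion_s * 65536)),
                         0, 0, 0, 0, _ntp_timestamp(transmit_unix))
    if key_id is None:
        return header
    digest = hashlib.md5(AUTH_KEYS[key_id] + header).digest()
    return header + struct.pack(">I", key_id) + digest


def parse_header(packet):
    """Decode the fields of Figure 51-1 and the root delay/dispersion variables."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 48-byte NTP header")
    (li_vn_mode, stratum, poll, precision, root_delay, root_disp,
     _ref_id, _ref, _org, _rcv, xmt) = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    return {
        "leap": li_vn_mode >> 6,                 # 00 no warning, 01 +1 s, 10 -1 s, 11 reserved
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "precision": precision,
        "root_delay": root_delay / 65536.0,      # signed: may be negative (sys.rootdelay)
        "root_dispersion": root_disp / 65536.0,
        "transmit_unix": xmt / float(1 << 32) - NTP_EPOCH_OFFSET,
    }


def verify_packet(packet):
    """Accept only packets carrying a MAC computed with a trusted key.
    Returns (accepted, reason)."""
    if len(packet) == HEADER_LEN:
        return False, "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return False, "malformed MAC"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack(">I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    mac = packet[HEADER_LEN + 4:]
    if key_id not in TRUSTED_KEYS:               # the 'ntp trusted-key' check
        return False, "key %d not trusted" % key_id
    key = AUTH_KEYS.get(key_id)
    if key is None:
        return False, "key %d not configured" % key_id
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "bad digest"
    return True, "ok"


if __name__ == "__main__":
    request = build_packet(3, key_id=1)
    print(verify_packet(request), parse_header(request)["mode"])
```

The trusted-key step is the one that matters operationally: a peer that knows a configured but untrusted key still cannot authenticate, which is how you retire a key without deleting it. Note that the MD5 scheme authenticates the header only after the fact; it does not hide it, and any replay protection comes from the timestamps, not from the digest.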
Set the time and date for the switch hardware clock

Command Syntax: calendar set time month day year
Command Mode: EXEC Privilege
Purpose: Set the hardware clock to the current time and date.
• time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm.
• month: Enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
Set the time and date for the switch software clock

You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots.

Command Syntax: clock set time month day year
Command Mode: EXEC Privilege
Purpose: Set the system software clock to the current time and date.
FTOS#conf
FTOS(conf)#clock timezone Pacific -8
FTOS(conf)#01:40:19: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"
FTOS#

Set daylight saving time

FTOS supports setting the system to daylight saving time once or on a recurring basis every year.
Set Daylight Saving Time Once

Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis.

Command Syntax: clock summer-time time-zone date start-month start-day start-year start-time end-month end-day end-year end-time [offset]
Command Mode: CONFIGURATION
Purpose: Set the clock to the appropriate timezone and daylight saving time.
• time-zone: Enter the three-letter name for the time zone. This name is displayed in the show clock output.
Set Recurring Daylight Saving Time

Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
• start-year: Enter a four-digit number as the year. Range: 1993 to 2035
• start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
• end-week: If you entered a start-week, enter one of the following as the week in which daylight saving time ends:
  • week-number: enter a number from 1-4 as the number of the week to end daylight saving time.
52 Uplink Failure Detection (UFD)

Uplink Failure Detection (UFD) is supported on the following platforms: s (S50 only), MXL,

Feature Description

Uplink Failure Detection (UFD) provides detection of the loss of upstream connectivity and, if used with NIC teaming, automatic recovery from a failed link. A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 52-1. Uplink Failure Detection

How Uplink Failure Detection Works

UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 52-2. Uplink Failure Detection Example

If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a link-down state. This number is user-configurable and is calculated by the ratio of upstream port bandwidth to downstream port bandwidth in the same uplink-state group.
Important Points to Remember

When you configure Uplink Failure Detection, the following conditions apply:
• You can configure up to sixteen uplink-state groups. By default, no uplink-state groups are created.
• An uplink-state group is considered to be operationally up if it has at least one upstream interface in the link-up state.
• An uplink-state group is considered to be operationally down if it has no upstream interfaces in the link-up state.
Configuring Uplink Failure Detection

To configure Uplink Failure Detection, follow these steps:

Step 1: uplink-state-group group-id. Creates an uplink-state group and enables the tracking of upstream links on the switch/router. Valid group-id values are 1 to 16. To delete an uplink-state group, enter the no uplink-state-group group-id command.
Step 5: description text (Command Mode: UPLINK-STATE-GROUP). (Optional) Enters a text description of the uplink-state group. Maximum length: 80 alphanumeric characters.
Step 6: no enable (Command Mode: UPLINK-STATE-GROUP). (Optional) Disables upstream-link tracking without deleting the uplink-state group. Default: Upstream-link tracking is automatically enabled in an uplink-state group.
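The behaviour described in this chapter (a group is operationally up while at least one upstream link is up, a configurable number of downstream links is forced down per failed uplink, all of them when every uplink is down, and clear ufd-disable brings them back), as an added Python model that is not FTOS code. It uses the interface names of the sample configuration in this chapter; the automatic recovery when all uplinks return and the default count derived from the upstream-to-downstream bandwidth ratio are assumptions made for the model.

```python
# Added example (not FTOS code): a model of an uplink-state group as described
# in this chapter. Interface names and bandwidths are constructed.

UFD_DISABLED = "ufd-disabled"   # hypothetical state label used only here


class UplinkStateGroup:
    """Tracks upstream links and forces downstream links down when they fail."""

    def __init__(self, group_id, upstream_bw_gbps=1.0, downstream_bw_gbps=1.0,
                 downstream_links_to_disable=None):
        if not 1 <= group_id <= 16:               # valid group-id values are 1 to 16
            raise ValueError("group-id must be between 1 and 16")
        self.group_id = group_id
        self.enabled = True                       # 'no enable' would set this False
        self.upstream = {}                        # interface -> link up?
        self.downstream = []                      # interfaces in configuration order
        self.ufd_disabled = set()                 # downstream interfaces forced down
        # Assumption: with no explicit count, derive it from the ratio of
        # upstream to downstream port bandwidth, as the chapter describes.
        if downstream_links_to_disable is None:
            downstream_links_to_disable = max(1, round(upstream_bw_gbps / downstream_bw_gbps))
        self.links_to_disable = downstream_links_to_disable   # an int, or "all"

    def add_upstream(self, name, link_up=True):
        self.upstream[name] = link_up
        self._recompute()

    def add_downstream(self, *names):
        self.downstream.extend(names)
        self._recompute()

    def operationally_up(self):
        """Up if at least one upstream interface is in the link-up state."""
        return any(self.upstream.values())

    def set_upstream_state(self, name, link_up):
        """Apply a link-state change on an upstream interface and re-evaluate."""
        if name not in self.upstream:
            raise KeyError("%s is not an upstream interface of group %d" % (name, self.group_id))
        self.upstream[name] = link_up
        self._recompute()

    def clear_ufd_disable(self):
        """Mirror of 'clear ufd-disable uplink-state-group <id>': every
        UFD-disabled downstream interface returns to the up state."""
        self.ufd_disabled.clear()

    def _recompute(self):
        if not self.enabled:
            return
        failed = [u for u, up in self.upstream.items() if not up]
        if not failed:
            # Every upstream link is up again: downstream links recover
            # (assumption: automatic recovery, no defer timer modelled).
            self.ufd_disabled.clear()
        elif not self.operationally_up() or self.links_to_disable == "all":
            # Group operationally down: all downstream links go down.
            self.ufd_disabled = set(self.downstream)
        else:
            # Partial failure: a configured number of downstream links per failed uplink.
            count = min(len(self.downstream), self.links_to_disable * len(failed))
            self.ufd_disabled = set(self.downstream[:count])

    def downstream_states(self):
        return {d: (UFD_DISABLED if d in self.ufd_disabled else "up") for d in self.downstream}


def sample_group():
    """Group 3 from the sample configuration: six downstream links, two
    upstream links, two downstream links disabled per failed uplink."""
    group = UplinkStateGroup(3, downstream_links_to_disable=2)
    for uplink in ("Gi 0/3", "Gi 0/4"):
        group.add_upstream(uplink)
    group.add_downstream("Gi 0/1", "Gi 0/2", "Gi 0/5", "Gi 0/9", "Gi 0/11", "Gi 0/12")
    return group


if __name__ == "__main__":
    g = sample_group()
    g.set_upstream_state("Gi 0/3", False)
    print(g.downstream_states())
```

The point to take from the model is which downstream ports get forced down on a partial failure: the first ones in configuration order, not the ones carrying the most traffic, so the order in which you add downstream links to the group decides which servers lose connectivity first.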
Message 1 shows the Syslog messages displayed when you clear the UFD-disabled state from all disabled downstream interfaces in an uplink-state group by entering the clear ufd-disable uplink-state-group group-id command. All downstream interfaces return to an operationally up state.
Displaying Uplink Failure Detection

To display information on the Uplink Failure Detection feature, enter any of the following show commands:

show uplink-state-group [group-id] [detail] (Command Mode: EXEC): Displays status information on a specified uplink-state group or all groups. Valid group-id values are 1 to 16.
Figure 52-3.
Figure 52-4.
Sample Configuration: Uplink Failure Detection

Figure 52-7 shows a sample configuration of Uplink Failure Detection on a switch/router in which you:
• Configure uplink-state group 3.
• Add downstream links Gigabitethernet 0/1, 0/2, 0/5, 0/9, 0/11, and 0/12.
• Configure two downstream links to be disabled if an upstream link fails.
• Add upstream links Gigabitethernet 0/3 and 0/4.
• Add a text description for the group.
• Verify the configuration with various show commands.

Figure 52-7.
53 Upgrade Procedures

Find the upgrade procedures

Go to the FTOS Release Notes for your system type to see all the requirements to upgrade to the desired FTOS version. Follow the procedures in the FTOS Release Notes for the software version you wish to upgrade to.

Get Help with upgrades

Direct any questions or concerns about FTOS Upgrade Procedures to the Dell Force10 Technical Support Center. You can reach Technical Support:
• On the Web: www.force10networks.
54 Virtual LANs (VLAN)

Virtual LANs (VLAN) are supported on platforms: e c s z

This section contains the following subsections:
• Default VLAN
• Port-Based VLANs
• VLANs and Port Tagging
• Configuration Task List for VLANs
• Enable Null VLAN as the Default VLAN

Virtual LANs, or VLANs, are a logical broadcast domain or logical grouping of interfaces in a LAN in which all data received is kept locally and broadcast to all members of the group.
Table 54-1 displays the defaults for VLANs in FTOS.

Table 54-1. VLAN Defaults on FTOS
Feature: Spanning Tree group ID. Default: All VLANs are part of Spanning Tree group 0.
Feature: Mode. Default: Layer 2 (no IP address is assigned).
Feature: Default VLAN ID. Default: VLAN 1.

Default VLAN

When interfaces are configured for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN.
Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, you must create another VLAN and place the interface into that VLAN. Alternatively, enter the no switchport command, and FTOS removes the interface from the Default VLAN. A tagged interface requires an additional step to remove it from Layer 2 mode. Since tagged interfaces can belong to multiple VLANs, you must remove the tagged interface from all VLANs, using the no tagged interface command.
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
• Tag Control Information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but 2 are reserved.

Note: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1518 bytes specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.
Use the show vlan command (Figure 54-3) in EXEC Privilege mode to view the configured VLANs.

Figure 54-3. show vlan Command Example
FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs

    NUM    Status    Q Ports
*   1      Inactive  U So 9/4-11
    2      Active    U Gi 0/1,18
    3      Active    U Gi 0/2,19
    4      Active    T Gi 0/3,20
    5      Active    U Po 1
                     U Gi 0/12
    6      Active    U So 9/0
FTOS#

A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up.
To tag frames leaving an interface in Layer 2 mode, you must assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use these commands in the following sequence:

Step 1: interface vlan vlan-id (Command Mode: CONFIGURATION). Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Step 2: tagged interface (Command Mode: INTERFACE). Enable an interface to include the IEEE 802.1Q tag header.
Use the untagged command to move untagged interfaces from the Default VLAN to another VLAN:

Step 1: interface vlan vlan-id (Command Mode: CONFIGURATION). Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Step 2: untagged interface (Command Mode: INTERFACE). Configure an interface as untagged. This command is available only in VLAN interfaces.
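What the tagged and untagged commands mean on the wire, as an added Python example that is not part of this guide and not FTOS code: it inserts the 802.1Q tag header described above on egress, classifies ingress frames (a tagged frame belongs to the VLAN in its tag, an untagged frame to the port's untagged VLAN), refuses the two reserved VLAN IDs, and shows a maximum-size frame growing past the 1518-byte limit. The MAC addresses and the sample frame are constructed, and the 4-byte FCS is a placeholder that a real switch would recompute.

```python
import struct

# Added example (not FTOS code): 802.1Q tagging and untagging as applied by
# 'tagged' and 'untagged' VLAN membership. Sample frame and VLANs are constructed.

TPID_8021Q = 0x8100
RESERVED_VLAN_IDS = {0, 4095}     # 4,096 possible values, 2 reserved
MAX_UNTAGGED_FRAME = 1518         # IEEE 802.3 maximum frame size, FCS included
ETH_HEADER_LEN = 14


def vlan_id_is_assignable(vid):
    """True for the 4,094 VLAN IDs a port can be a member of."""
    return isinstance(vid, int) and 0 <= vid <= 4095 and vid not in RESERVED_VLAN_IDS


def build_sample_frame(payload_len=1500, ethertype=0x0800):
    """Constructed untagged IPv4 frame: dst MAC, src MAC, EtherType, payload,
    and a 4-byte placeholder where the FCS would be."""
    dst = bytes.fromhex("001ec9aabbcc")
    src = bytes.fromhex("00123456789a")
    payload = bytes(payload_len)
    return dst + src + struct.pack(">H", ethertype) + payload + b"\x00" * 4


def tag_frame(frame, vlan_id, pcp=0):
    """Egress on a 'tagged' interface: insert the 4-byte 802.1Q header
    (TPID + TCI) between the source MAC and the original EtherType."""
    if not vlan_id_is_assignable(vlan_id):
        raise ValueError("VLAN ID %r is reserved or out of range" % (vlan_id,))
    if not 0 <= pcp <= 7 or len(frame) < ETH_HEADER_LEN:
        raise ValueError("bad priority or truncated frame")
    tci = (pcp << 13) | vlan_id            # PCP (3 bits) | DEI (1 bit) = 0 | VID (12 bits)
    return frame[:12] + struct.pack(">HH", TPID_8021Q, tci) + frame[12:]


def classify_ingress(frame, untagged_vlan):
    """Ingress classification: a tagged frame belongs to the VID in its tag,
    an untagged frame to the VLAN the port is an untagged member of.
    Returns (vlan_id, frame with any tag removed)."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("truncated frame")
    if struct.unpack(">H", frame[12:14])[0] != TPID_8021Q:
        return untagged_vlan, frame
    if len(frame) < ETH_HEADER_LEN + 4:
        raise ValueError("truncated 802.1Q header")
    vid = struct.unpack(">H", frame[14:16])[0] & 0x0FFF
    if not vlan_id_is_assignable(vid):
        # VID 0 (priority-tagged) and 4095 are reserved: drop rather than guess.
        raise ValueError("reserved VLAN ID %d in tag" % vid)
    return vid, frame[:12] + frame[16:]


def exceeds_untagged_max(frame):
    """True when the tag pushed the frame past the 1518-byte IEEE 802.3 limit."""
    return len(frame) > MAX_UNTAGGED_FRAME


if __name__ == "__main__":
    tagged = tag_frame(build_sample_frame(), 20, pcp=3)
    print(len(tagged), exceeds_untagged_max(tagged), classify_ingress(tagged, 1)[0])
```

A tagged frame built this way is 1522 bytes: exactly the size that the note above warns some non-compliant devices will drop, which is why a tagged port toward such a device silently loses only the largest frames.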
Assign an IP address to a VLAN

VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.

Note: An IP address cannot be assigned to the Default VLAN, which, by default, is VLAN 1.
Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. An untagged port must be connected to a VLAN-unaware station (one that does not understand VLAN tags), and a tagged port must be connected to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that a port can be connected to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
Enable Null VLAN as the Default VLAN

In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured.
55 Virtual Link Trunking (VLT)

Virtual Link Trunking (VLT) is supported on platforms: z

Overview

Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
Figure 55-1. Virtual Link Trunking (figure: two S4810 chassis form a VLT domain, joined by the Virtual Link Trunk Interconnect; each chassis has a Backup Link to the Management Network, and a Virtual Link Trunk connects the domain to a switch or server that supports LACP (802.3ad))

VLT peer devices have independent management planes. A chassis interconnect trunk between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peers.
Enhanced VLT An enhanced VLT (eVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT Domain ID numbers, connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per eVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
VLT domain - This domain includes both VLT peer devices, the VLT interconnect, and all of the port channels in the VLT connected to the attached devices. It is also associated to the configuration mode that must be used to assign VLT global parameters.
VLT peer device - One of a pair of devices that are connected with the special port channel known as the VLT interconnect (VLTi).
Configuration Notes

When you configure VLT, the following conditions apply:
• VLT domain:
  • A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel.
  • A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. The domain ID can be from 1 to 1000.
  • The VLT interconnect is used for data traffic only when there is a link failure that requires the VLTi to be used in order for data packets to reach their final destination.
  • Unknown, multicast and broadcast traffic can be flooded across the VLT interconnect.
  • MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG.
  • MAC addresses are the same on both VLT peer nodes.
  • The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only.
• Virtual link trunks (VLTs) between access devices and VLT peer switches:
  • To connect servers and access switches with VLT peer switches, you use a VLT port channel (see Figure 55-1). Up to 48 port-channels are supported; up to 8 member links are supported in each port channel between the VLT domain and an access device.
  • All system management protocols are supported on VLT ports, including SNMP, RMON, AAA, ACL, DNS, FTP, SSH, Syslog, NTP, RADIUS, SCP, TACACS+, Telnet, and LLDP.
  • Layer 3 VLAN connectivity between VLT peers is enabled by configuring a VLAN network interface for the same VLAN on both switches.
  • IGMP snooping is supported over VLT ports. The multicast forwarding state is synchronized on both VLT peer switches.
the network. In either case, upon recovery of the peer link or reestablishment of message forwarding across the interconnect trunk, the two VLT peers resynchronize any MAC addresses learned while communication was interrupted, and the VLT system continues normal data forwarding. If the primary chassis is rebooted, the secondary chassis takes on the operational role of the primary. When operation of the original, primary chassis is restored, it takes on the operational role of the secondary chassis.
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (Message 2) and an SNMP trap.

Message 2. Excessive VLTi Bandwidth Usage Drops Below Threshold Value
%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) reaches below threshold.
PIM-Sparse Mode Support on VLT The Designated Router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. The VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes will be elected as the PIM Designated Router.
If the VLT node elected as the designated router fails, traffic loss will occur until another VLT node is elected the designated router.

RSTP Configuration

The RSTP Spanning Tree protocol is supported in a VLT domain. Before you configure VLT on peer switches, you must configure the Rapid Spanning Tree Protocol (RSTP) in the network if it will be included in your configuration. RSTP is required for initial loop prevention during the VLT startup phase.
Sample RSTP Configuration Using Figure 55-1 as a sample VLT topology, the primary VLT switch will send BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
4. (Optional) Manually reconfigure default VLT settings, such as MAC address and VLT primary/secondary roles.
5. Connect the peer switches in a VLT domain to an attached access device (switch or server).

Configure a VLT interconnect

Step 1: Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
Use the delay-restore command at any time to set an amount of time, in seconds, to delay the system from restoring the VLT port. Refer to VLT Port Delayed Restoration for more information.

Configure a VLT port delay period

Step 1: Enter VLT-domain configuration mode for a specified VLT domain: vlt domain domain-id (Command Mode: CONFIGURATION). Range of domain IDs: 1 to 1000.
(Optional) Reconfigure default VLT settings

Step 4: (Optional) When you create a VLT domain on a switch, the FTOS software automatically assigns a unique unit ID (0 or 1) to each peer switch. The unit IDs are used for internal system operations. Use the unit-id command to explicitly configure the default values on each peer switch. You must configure a different unit ID (0 or 1) on each peer switch.
Use the peer-down-vlan parameter to configure the VLAN where a VLT peer will forward received packets over the VLTi from an adjacent VLT peer that is down. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi. Using this configuration ensures the DHCP discover packets are forwarded to the VLAN that has the DHCP server.
Step 5: Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages: back-up destination ip-address (Command Mode: VLT DOMAIN). You can optionally specify the time interval used to send hello messages. Range: 1 to 5 seconds.
(Optional) Configure Enhanced VLT (eVLT)

Step 11: Ensure that the port channel is active: no shutdown (Command Mode: INTERFACE PORT-CHANNEL).

Add links to the eVLT port.

Step 12: Configure a range of interfaces to bulk configure: interface range {port-channel id} (Command Mode: CONFIGURATION).
Step 13: Enable LACP on the LAN port: port-channel-protocol lacp (Command Mode: INTERFACE).
Step 14: Configure the LACP port channel mode: port-channel number mode [active] (Command Mode: INTERFACE).
Step 15: Ensure that the interface is active.
Step 5: show interfaces interface (Command Mode: EXEC, EXEC Privilege). Configure the peer 1 management IP / interface IP for which connectivity is present in VLT peer 1. Configure the VLT links between VLT peer 1 and VLT peer 2 to the top-of-rack unit.
Step 6: Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top-of-rack unit: show running-config entity (Command Mode: EXEC Privilege).
Step 7.
Configure the backup link between the VLT peer units.
1. Configure the peer 2 management IP / interface IP for which connectivity is present in VLT peer 1.
2. Configure the peer 1 management IP / interface IP for which connectivity is present in VLT peer 2.

s4810-2#show running-config vlt
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.58
s4810-2#
s4810-2#show interfaces managementethernet 0/0
Internet address is 10.11.206.
FTOS(conf)#show vlt brief
VLT Domain Brief
------------------
Domain ID:                  10
Role:                       Primary
Role Priority:              32768
ICL Link Status:            Up
HeartBeat Status:           Not Established
VLT Peer Status:            Up
Version:                    5(1)
Local System MAC address:   00:01:e8:8b:14:3c
Remote System MAC address:  00:01:e8:8b:15:20
Remote system version:      5 (1)
Delay-Restore timer:        90 seconds
FTOS#
FTOS(conf-if-vl-100)#show vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VL
------------  -----------  ------------  -----------
10            10           UP            UP
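An operator's health check over the show vlt brief output above and over the VLTi bandwidth syslog (Message 2), as an added Python example that is not FTOS code. The sample text reuses the values from the output above with constructed alignment; the check treats "Established" as the healthy HeartBeat Status (an assumption, since only the unhealthy value appears on this page) and flags the state shown above, where the VLTi is up but the backup link heartbeat is not, so the peers have no independent health check if the VLTi fails.

```python
import re

# Added example (not FTOS code): checks over 'show vlt brief' text and the
# VLTMGR bandwidth syslog. Sample output values come from the figure above;
# the column alignment is constructed.

SAMPLE_SHOW_VLT_BRIEF = """\
VLT Domain Brief
------------------
Domain ID:                  10
Role:                       Primary
Role Priority:              32768
ICL Link Status:            Up
HeartBeat Status:           Not Established
VLT Peer Status:            Up
Version:                    5(1)
Local System MAC address:   00:01:e8:8b:14:3c
Remote System MAC address:  00:01:e8:8b:15:20
Remote system version:      5 (1)
Delay-Restore timer:        90 seconds
"""

ICL_BANDWIDTH_RE = re.compile(
    r"%VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG "
    r"\(port-channel (\d+)\) (.*)$")


def parse_vlt_brief(text):
    """Turn 'Label: value' lines into a dict keyed by lower-case label."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            label, value = line.split(":", 1)   # MAC values contain ':' too
            fields[label.strip().lower()] = value.strip()
    return fields


def _norm_version(version):
    return re.sub(r"\s+", "", version)   # '5 (1)' and '5(1)' are the same version


def vlt_findings(fields):
    """Return the conditions an operator should act on; empty means healthy.
    Assumption: a healthy backup link reports 'HeartBeat Status: Established'."""
    findings = []
    if fields.get("role") not in ("Primary", "Secondary"):
        findings.append("role is %r: VLT domain not formed" % fields.get("role"))
    if fields.get("icl link status") != "Up":
        findings.append("VLTi (ICL) is down: peers cannot synchronize")
    if fields.get("vlt peer status") != "Up":
        findings.append("VLT peer is down")
    if fields.get("heartbeat status") != "Established":
        findings.append("backup-link heartbeat not established: "
                        "peer health checks are not running")
    local = fields.get("version", "")
    remote = fields.get("remote system version", "")
    if _norm_version(local) != _norm_version(remote):
        findings.append("version mismatch: local %s, remote %s" % (local, remote))
    return findings


def classify_icl_bandwidth_msg(line):
    """Parse the VLTMGR bandwidth syslog. 'below' is the Message 2 clearing
    event; any other wording under the same message ID is treated as the
    above-80% alert (its exact text is not reproduced on this page)."""
    match = ICL_BANDWIDTH_RE.search(line)
    if not match:
        return None
    return {"port_channel": int(match.group(1)),
            "state": "cleared" if "below" in match.group(2) else "above-threshold"}


if __name__ == "__main__":
    for finding in vlt_findings(parse_vlt_brief(SAMPLE_SHOW_VLT_BRIEF)):
        print("WARN:", finding)
```

Run the same parser against the output of both peers: the roles must be complementary (one Primary, one Secondary) and each side's Remote system version must equal the other side's Version, which a single-node check cannot confirm.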
eVLT Configuration Example

The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example there are two domains being configured. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4 as shown below. In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Domain_1_Peer1(conf-if-range-te-0/16-17)#no shutdown

Next, configure the VLT domain and VLTi on Peer 2:

Domain_1_Peer2#configure
Domain_1_Peer2(conf)#interface port-channel 1
Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer2(conf-if-po-1)#no shutdown
Domain_1_Peer2(conf)#vlt domain 200
Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1
Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)#peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)#back-up destination 10.18.130.
Verifying a VLT Configuration

To monitor the operation or verify the configuration of a VLT domain, enter any of the following show commands on the primary and secondary VLT switches:
• show vlt backup-link (Command Mode: EXEC): Displays information on backup link operation (see Figure 55-4).
• show vlt brief (Command Mode: EXEC): Displays general status information about VLT domains currently configured on the switch (see Figure 55-5).
Destination:
Peer HeartBeat status:
HeartBeat Timer Interval:
HeartBeat Timeout:
UDP Port:
HeartBeat Messages Sent:
HeartBeat Messages Received:

Figure 55-5. 10.11.200.
Figure 55-8. show running-config vlt Command Output on VLT peer switches
VLTpeer1#show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
VLTpeer2#show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20

Figure 55-9.
Figure 55-10. Configuring Virtual Link Trunking (VLT Peer 1)
! Enable VLT and create a VLT domain with a backup-link and interconnect (VLTi)
FTOS_VLTpeer1(conf)#vlt domain 999
FTOS_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35
FTOS_VLTpeer1(conf-vlt-domain)#exit
FTOS_VLTpeer1(conf)#interface ManagementEthernet 0/0
FTOS_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Figure 55-11. Configuring Virtual Link Trunking (VLT Peer 2)
! Enable VLT and create a VLT domain with a backup-link and VLT interconnect (VLTi)
FTOS_VLTpeer2(conf)#vlt domain 999
FTOS_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
FTOS_VLTpeer2(conf-vlt-domain)#exit
FTOS_VLTpeer2(conf)#interface ManagementEthernet 0/0
FTOS_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.
Troubleshooting VLT

Use the following information to help troubleshoot different VLT issues that may occur.

Note: For information on VLT failure mode timing and its impact, contact your Dell Force10 representative.

Description: Bandwidth monitoring
Behavior at Peer Up / During Run Time: A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
Description: Unit ID mismatch
Behavior at Peer Up: The VLT peer does not boot up. The VLTi is forced to a down state. The VLT domain will not be formed. The VLTi will be in a down state. A syslog error message is generated.
Behavior During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated.
Action to Take: Verify the unit ID is correct on both VLT peers. Unit ID numbers must be sequential on peer units; i.e.
56 Virtual Router Redundancy Protocol (VRRP)

Virtual Router Redundancy Protocol (VRRP) is supported on platforms: e c s z

This chapter covers the following information:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations

VRRP Overview

Virtual Router Redundancy Protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a LAN.
In Figure 56-1 below, Router A is configured as the MASTER router. It is configured with the IP address of the virtual router and sends any packets addressed to the virtual router through interface GigabitEthernet 1/1 to the Internet. As the BACKUP router, Router B is also configured with the IP address of the virtual router. If for any reason Router A becomes unavailable, VRRP elects a new MASTER Router. Router B assumes the duties of Router A and becomes the MASTER router.
VRRP Benefits

With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and they are not dependent on IGP protocols to converge or update routing tables.

VRRP Implementation

E-Series supports an unlimited total number of VRRP groups on the switch while supporting up to 255 VRRP groups on a single interface (Table 56-1).
Though FTOS on E-Series supports unlimited VRRP groups, default VRRP settings may affect the maximum number of groups that can be configured and work efficiently, because hardware throttles the VRRP advertisement packets reaching the RP2 processor on the E-Series, the CP on the C-Series, S4810, S55, and S60, or the FP on the S25/S50.
VRRP Configuration By default, VRRP is not configured.
Figure 56-3. Command Example Display: show config for the Interface
FTOS(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.1/24
 !
 vrrp-group 111
 no shutdown
FTOS(conf-if-gi-1/1)#
Note that the interface has an IP address and is enabled.

Assign Virtual IP addresses

Virtual routers contain virtual IP addresses configured for that VRRP Group (VRID).
Configure a Virtual IP address with these commands in the following sequence in INTERFACE mode.

Step 1: Configure a VRRP group: vrrp-group vrrp-id (Command Mode: INTERFACE). VRID Range: 1-255.
Step 2: Configure virtual IP addresses for this VRID: virtual-address ip-address1 [...ip-address12] (Command Mode: INTERFACE-VRID). Range: up to 12 addresses.

Figure 56-4. Command Example: virtual-address
FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.
Figure 56-6. Command Example Display: show vrrp
FTOS#show vrrp
------------------
GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.
Figure 56-8. Command Example Display: show vrrp
FTOS#show vrrp
------------------
GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
------------------
GigabitEthernet 1/2, VRID: 111, Net: 10.10.2.
Figure 56-9. Command Example: authentication-type
FTOS(conf-if-gi-1/1-vrid-111)#authentication-type ?
FTOS(conf-if-gi-1/1-vrid-111)#authentication-type simple 7 force10
(In the second command, 7 is the encryption type (encrypted) and force10 is the password.)

Figure 56-10. Command Example: show config in VRID mode with a Simple Password Configured
FTOS(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.
Figure 56-12. Command Example Display: show config in VRID mode
FTOS(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.
Figure 56-14. Command Example Display: advertise-interval in VRID mode
FTOS(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 advertise-interval 10
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10
FTOS(conf-if-gi-1/1-vrid-111)#

Track an Interface or Object

Set FTOS to monitor the state of any interface according to the Virtual group.
Note that you can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode). However, no changes in the VRRP group’s priority will occur until the tracked object is defined and determined to be down.
Figure 56-16. Command Example Display: track in VRID mode
FTOS(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
  advertise-interval 10
  authentication-type simple 7 387a7f2df5969da4
  no preempt
  priority 255
  track GigabitEthernet 1/2
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
  virtual-address 10.10.10.10
FTOS(conf-if-gi-1/1-vrid-111)#

Figure 56-17.
Figure 56-19. Command Example: show running-config interface
FTOS#show running-config interface gigabitethernet 7/30
interface GigabitEthernet 7/30
 no ip address
 ipv6 address 2007::30/64
 vrrp-ipv6-group 1
  track 2 priority-cost 20
  track 3 priority-cost 30
  virtual-address 2007::1
  virtual-address fe80::1
 no shutdown

VRRP initialization delay
VRRP initialization delay is supported on the only. When configured, VRRP is enabled immediately upon system reload or boot.
Sample Configurations

VRRP for IPv4 Configuration
The configuration in Figure 56-20 shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Figure 56-21. Configure VRRP for IPv4 Router 2
R2(conf)#int gi 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.1/24
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#priority 200
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
VRRP for IPv6 Configuration
Figure 56-22 shows an example of a VRRP for IPv6 configuration in which the IPv6 VRRP group consists of two routers. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Figure 56-23.
VRRP in VRF Configuration
The example in this section shows how to enable VRRP operation in a VRF virtualized network for the following scenarios:
• Multiple VRFs on physical interfaces running VRRP
• Multiple VRFs on VLAN interfaces running VRRP
To view a VRRP in VRF configuration, use the show commands described in Displaying a VRRP in VRF Configuration on page 1121.

Non-VLAN Scenario
Figure 56-24. VRRP in VRF: Non-VLAN Example (diagram; labels recovered: Switch-1, VRID 11, Node IP 10.10.1.)
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 run a VRRP group on each VRF instance so that every VRF has one master and one backup router. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
Figure 56-26. VRRP in VRF: Switch-2 Non-VLAN Configuration
Switch-2
S2(conf)#ip vrf default-vrf 0
!
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface GigabitEthernet 12/1
S2(conf-if-gi-12/1)#ip vrf forwarding VRF-1
S2(conf-if-gi-12/1)#ip address 10.10.1.2/24
S2(conf-if-gi-12/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
Figure 56-27. VRRP in VRF: Switch-1 VLAN Configuration
Switch-1
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface GigabitEthernet 12/4
S1(conf-if-gi-12/4)#no ip address
S1(conf-if-gi-12/4)#switchport
S1(conf-if-gi-12/4)#no shutdown
!
S1(conf-if-gi-12/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.
Figure 56-28. VRRP in VRF: Switch-2 VLAN Configuration
Switch-2
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface GigabitEthernet 12/4
S2(conf-if-gi-12/4)#no ip address
S2(conf-if-gi-12/4)#switchport
S2(conf-if-gi-12/4)#no shutdown
!
S2(conf-if-gi-12/4)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.
Displaying a VRRP in VRF Configuration
To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, enter the show running-config track [interface interface] command:

Figure 56-29. Command Example: show running-config track interface
FTOS#show running-config interface gigabitethernet 13/4
interface GigabitEthernet 13/4
 ip vrf forwarding red
 ip address 192.168.0.1/24
 vrrp-group 4
  virtual-address 192.168.0.
57 Standards Compliance

This appendix contains the following sections:
• IEEE Compliance
• RFC and I-D Compliance
• MIB Location

Note: Unless noted, when a standard cited here is listed as supported by FTOS, FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click on "Browse and search IETF documents", enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
• Force10 — PVST+
• SFF-8431 — SFP+ Direct Attach Cable (10GSFP+Cu)
• MTU — 9,252 bytes

RFC and I-D Compliance
The following standards are supported by FTOS, and are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard.
Note: Checkmarks in the E-Series column indicate that FTOS support was added before FTOS version 7.5.1.
General IPv4 Protocols (FTOS support, per platform; columns: s, c, et, ex, z)
RFC#   Full Name                                                    Versions
791    Internet Protocol                                            7.6.1 7.5.1 8.1.1
792    Internet Control Message Protocol                            7.6.1 7.5.1 8.1.1
826    An Ethernet Address Resolution Protocol                      7.6.1 7.5.1 8.1.1
1027   Using ARP to Implement Transparent Subnet Gateways           7.6.1 7.5.1 8.1.1
1035   Domain Names - Implementation and Specification (client)     7.6.1 7.5.1 8.1.
General IPv6 Protocols
RFC#   Full Name                                                                              Versions
2460   Internet Protocol, Version 6 (IPv6) Specification                                      7.8.1 7.8.1 8.2.1
2461   (Partial) Neighbor Discovery for IP Version 6 (IPv6)                                   7.8.1 7.8.1 8.2.1
2462   (Partial) IPv6 Stateless Address Autoconfiguration                                     7.8.1 7.8.1 8.2.1
2463   Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification   7.8.1 7.8.1 8.2.1
2464   Transmission of IPv6 Packets over Ethernet Networks                                    7.8.1 7.8.1 8.
Border Gateway Protocol (BGP)
draft-ietf-idr-bgp4-20      A Border Gateway Protocol 4 (BGP-4)       7.8.1 7.7.1 8.1.1
draft-ietf-idr-restart-06   Graceful Restart Mechanism for BGP        7.8.1 7.7.1 8.1.1

Open Shortest Path First (OSPF) (FTOS support, per platform; columns: s, c, et, ex, z)
RFC#   Full Name                                      Versions
1587   The OSPF Not-So-Stubby Area (NSSA) Option      7.6.1 7.5.1 8.1.1
2154   OSPF with Digital Signatures                   7.6.1 7.5.1 8.1.1
2328   OSPF Version 2                                 7.6.1 7.5.1 8.1.1
2370   The OSPF Opaque LSA Option                     7.6.
Intermediate System to Intermediate System (IS-IS)
5306                                  Restart Signaling for IS-IS
draft-ietf-isis-igp-p2p-over-lan-06   Point-to-point operation over LAN in link-state routing protocols
draft-ietf-isis-ipv6-06               Routing IPv6 with IS-IS
draft-kaplan-isis-ext-eth-02          Extended Ethernet Frame Size Support
Platform versions for these rows: 8.3.1 8.3.1 8.1.1 7.5.1 8.2.1 8.1.
Multiprotocol Label Switching (MPLS)
5036   LDP Specification                                                              8.3.1
5063   Extensions to GMPLS Resource Reservation Protocol (RSVP) Graceful Restart      8.3.1

Multicast (FTOS support, per platform; columns: s, c, et, ex, z)
RFC#   Full Name                                          Versions
1112   Host Extensions for IP Multicasting                7.8.1 7.7.1 8.1.1
2236   Internet Group Management Protocol, Version 2      7.8.1 7.7.1 8.1.1
2710   Multicast Listener Discovery (MLD) for IPv6        8.2.
Network Management (FTOS support, per platform; columns: s, c, et, ex, z)
RFC#   Full Name                                                                                Versions
       Structure and Identification of Management Information for TCP/IP-based Internets        7.6.1 7.5.1 8.1.1
1156   Management Information Base for Network Management of TCP/IP-based internets             7.6.1 7.5.1 8.1.1
1157   A Simple Network Management Protocol (SNMP)                                              7.6.1 7.5.1 8.1.1
1212   Concise MIB Definitions                                                                  7.6.1 7.5.1 8.1.1
1215   A Convention for Defining Traps for use with the SNMP                                    7.6.
Network Management (continued) (FTOS support, per platform; columns: s, c, et, ex, z)
RFC#   Full Name                                                                                                          Versions
       Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework      7.6.1 7.5.1 8.1.1
2578   Structure of Management Information Version 2 (SMIv2)                                                              7.6.1 7.5.1 8.1.1
2579   Textual Conventions for SMIv2                                                                                      7.6.1 7.5.1 8.1.1
2580   Conformance Statements for SMIv2                                                                                   7.6.1 7.5.1 8.1.
Network Management (continued) (FTOS support, per platform; columns: s, c, et, ex, z)
RFC#                    Full Name                                                                                                    Versions
5060                    Protocol Independent Multicast MIB                                                                           7.8.1 7.8.1 7.7.1 8.1.1
ANSI/TIA-1057           The LLDP Management Information Base extension module for TIA-TR41.4 Media Endpoint Discovery information   7.7.1 7.6.1 7.6.1 8.1.1
draft-grant-tacacs-02   The TACACS+ Protocol                                                                                         7.6.1 7.5.1 8.1.1
Platform versions (row truncated): 7.8.1 7.7.1 8.1.1 8.1.
Network Management (continued) (FTOS support, per platform; columns: s, c, et, ex, z)
MIB                        Full Name                                                                                                                                                                   Versions
FORCE10-CS-CHASSIS-MIB     Dell Force10 C-Series Enterprise Chassis MIB                                                                                                                                7.5.1
FORCE10-IF-EXTENSION-MIB   Dell Force10 Enterprise IF Extension MIB (extends the Interfaces portion of the MIB-2 (RFC 1213) by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output)   7.6.1 7.6.1 7.6.1 8.1.1
FORCE10-LINKAGG-MIB        Dell Force10 Enterprise Link Aggregation MIB                                                                                                                                7.6.1 7.5.1 8.1.1 8.
MIB Location
Dell Force10 MIBs are under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.
Index

Numerics
10/100/1000 Base-T Ethernet line card, auto negotiation 508
100/1000 Ethernet interfaces port channels 482
4-Byte AS Numbers 186
802.1AB 1123
802.1D 1123
802.1p 1123
802.1p/Q 1123
802.1Q 1123
802.1s 1123
802.1w 1123
802.1X 1123
802.3ab 1123
802.3ac 1123
802.3ad 1123
802.3ae 1123
802.3af 1123
802.3ak 1123
802.3i 1123
802.3u 1123
802.3x 1123
802.
forward delay 870, 1009
FRRP 419
FRRP Master Node 419
FRRP Transit Node 419
FTOS 727
FTP 61
  configuring client parameters 62
  configuring server parameters 62
  enabling server 61
  using VLANs 61

G
GARP VLAN Registration Protocol (GVRP) 431
grep option 37
grep pipe option 800
GVRP (GARP VLAN Registration Protocol) 431

H
Hash algorithm 491
hash algorithm, LAG 484, 486, 488
hashing algorithms for flows and fragments 488
hello time 870, 1009
host port 794
Hot Lock ACL 102
Hybrid ports 1058
hybrid ports 1061

I
LSPs 570

M
MAC hashing scheme 491
management interface 474
  accessing 477
  configuring a management interface 477
  configuring IP address 477
  definition 476
  IP address consideration 477
management interface, switch 473
max age 870, 1009
MBGP 236
Member VLAN (FRRP) 421
MIB Location 1134
minimum oper up links in a port channel 487
mirror, port 785, 1039
  remote port mirroring 1040
monitor interfaces 496
MSDP 663
MT IS-IS 571
MT IS-IS TLVs 573
MTU
  configuring MTU values for Port Channels 506
  configuring MTU valu
  debugging RIP 850
  default values 842
  default version 843
  disabling RIP 844
  ECMP paths supported 842
  enabling RIP 843
  route information 845
  setting route metrics 849
  summarizing routes 849
  timer values 842
  version 1 description 841
  version default on interfaces 842
RIP routes, maximum 842
RIPv1 841
RIPv2 842
root bridge 869, 1009
route maps
  configuring match commands 131
  configuring set commands 133
  creating 129
  creating multiple instances 129
  default action 129
  definition 128
  deleting 129, 130
  implementatio
remote authentication and authorization 895
remote authentication and authorization, 10.0.0.