Dell Configuration Guide for the S4810 System 9.14(1.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your product. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2018 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents 1 About this Guide...........................................................................................................................................35 Audience........................................................................................................................................................................... 35 Conventions.....................................................................................................................................................
Upgrading Dell EMC Networking OS............................................................................................................................ 59 Verify Software Images Before Installation...................................................................................................................59 Using HTTP for File Transfers........................................................................................................................................ 60 4 Management...........
Setting Timeout for EXEC Privilege Mode................................................................................................................... 82 Using Telnet to get to Another Network Device..........................................................................................................82 Lock CONFIGURATION Mode....................................................................................................................................... 83 Viewing the Configuration Lock Status.
7 Access Control Lists (ACLs)........................................................................................................................113 IP Access Control Lists (ACLs)......................................................................................................................................114 CAM Usage................................................................................................................................................................
BFD Packet Format..................................................................................................................................................146 BFD Sessions............................................................................................................................................................ 147 BFD Three-Way Handshake....................................................................................................................................
Configuring Passive Peering...................................................................................................................................202 Maintaining Existing AS Numbers During an AS Migration................................................................................ 203 Allowing an AS Number to Appear in its Own AS Path...................................................................................... 204 Enabling Graceful Restart.............................................
CAM Optimization......................................................................................................................................................... 246 Troubleshoot CAM Profiling.......................................................................................................................................... 247 QoS CAM Region Limitation...................................................................................................................................
DCBx Operation....................................................................................................................................................... 279 DCBx Port Roles...................................................................................................................................................... 280 DCB Configuration Exchange.................................................................................................................................
DHCP MAC Source Address Validation................................................................................................................ 325 Enabling IP+MAC Source Address Validation.......................................................................................................325 Viewing the Number of SAV Dropped Packets....................................................................................................326 Clearing the Number of SAV Dropped Packets..........................
Important FRRP Concepts..................................................................................................................................... 352 Implementing FRRP.......................................................................................................................................................353 FRRP Configuration......................................................................................................................................................
IGMP Implementation Information...............................................................................................................................372 IGMP Protocol Overview.............................................................................................................................................. 372 IGMP Version 2........................................................................................................................................................
Configuring Layer 3 (Network) Mode...................................................................................................................400 Configuring Layer 3 (Interface) Mode................................................................................................................... 401 Egress Interface Selection (EIS)..................................................................................................................................402 Important Points to Remember.........
Using Ethernet Pause Frames for Flow Control........................................................................................................ 429 Enabling Pause Frames........................................................................................................................................... 429 Configure the MTU Size on an Interface....................................................................................................................430 Port-Pipes..........................
Configure UDP Helper............................................................................................................................................. 451 Important Points to Remember............................................................................................................................. 452 Enabling UDP Helper.....................................................................................................................................................
Monitoring iSCSI Traffic Flows............................................................................................................................... 479 Application of Quality of Service to iSCSI Traffic Flows......................................................................................479 Information Monitored in iSCSI Traffic Flows.......................................................................................................
Setting the LACP Long Timeout............................................................................................................................ 512 Monitoring and Debugging LACP...........................................................................................................................512 Shared LAG State Tracking...........................................................................................................................................
Enabling LLDP................................................................................................................................................................546 Disabling and Undoing LLDP.................................................................................................................................. 547 Enabling LLDP on Management Ports........................................................................................................................
Configuring Anycast RP............................................................................................................................................... 580 Reducing Source-Active Message Flooding......................................................................................................... 581 Specifying the RP Address Used in SA Messages............................................................................................... 581 MSDP Sample Configurations......................
Tracking a Layer 3 Interface.................................................................................................................................... 621 Track an IPv4/IPv6 Route...................................................................................................................................... 623 Displaying Tracked Objects...........................................................................................................................................
Configuration Task List for Policy-based Routing......................................................................................................669 PBR Exceptions (Permit)........................................................................................................................................670 Create a Redirect List..............................................................................................................................................
Decapsulation of ERPM packets at the Destination IP/ Analyzer..................................................................... 707 Port Monitoring on VLT.................................................................................................................................................707 VLT Non-fail over Scenario.....................................................................................................................................708 VLT Fail-over Scenario.....................
Displaying a DSCP Color Policy Configuration .................................................................................................... 746 Enabling QoS Rate Adjustment.................................................................................................................................... 747 Enabling Strict-Priority Queueing.................................................................................................................................
Important Points to Remember....................................................................................................................................783 RSTP and VLT.......................................................................................................................................................... 784 Configuring Interfaces for Layer 2 Mode....................................................................................................................
VTY Line Remote Authentication and Authorization...........................................................................................822 VTY MAC-SA Filter Support.................................................................................................................................. 823 Support for Change of Authorization and Disconnect Messages packets............................................................ 823 Change of Authorization (CoA) packets........................................
Honoring the Incoming DEI Value.......................................................................................................................... 859 Marking Egress Packets with a DEI Value............................................................................................................ 859 Dynamic Mode CoS for VLAN Stacking.....................................................................................................................860 Mapping C-Tag to S-Tag dot1p Values............
Copy Configuration Files Using SNMP....................................................................................................................... 884 Copying a Configuration File.................................................................................................................................. 886 Copying Configuration Files via SNMP.................................................................................................................
Stack Management Roles....................................................................................................................................... 913 Stack Master Election..............................................................................................................................................914 Virtual IP....................................................................................................................................................................
Prevent Network Disruptions with BPDU Guard.................................................................................................944 Selecting STP Root....................................................................................................................................................... 946 STP Root Guard.............................................................................................................................................................
How Uplink Failure Detection Works........................................................................................................................... 975 UFD and NIC Teaming................................................................................................................................................... 976 Important Points to Remember....................................................................................................................................
VLT Port Delayed Restoration...............................................................................................................................1007 PIM-Sparse Mode Support on VLT..................................................................................................................... 1008 VLT Routing ............................................................................................................................................................1010 Non-VLT ARP Sync..........
Assigning a Front-end Port to a Management VRF.......................................................................................... 1055 View VRF Instance Information............................................................................................................................1055 Assigning an OSPF Process to a VRF Instance................................................................................................. 1056 Configuring VRRP on a VRF Instance................................
Verifying Server certificates.................................................................................................................................. 1102 Verifying Client Certificates................................................................................................................................... 1102 Event logging.................................................................................................................................................................
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S4810 platform is available with Dell EMC Networking OS version 8.3.7.0 and beyond. S4810 stacking is supported with Dell EMC Networking OS version 8.3.7.1 and beyond.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell EMC Networking OS CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE SUPPORTASSIST TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP uBoot Navigating CLI Modes The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode Prompt Access Command Interface Group DellEMC(conf-if-group)# interface(INTERFACE modes) Interface Range DellEMC(conf-if-range)# interface (INTERFACE modes) Loopback Interface DellEMC(conf-if-lo-0)# interface (INTERFACE modes) Management Ethernet Interface DellEMC(conf-if-ma-0/0)# interface (INTERFACE modes) Null Interface DellEMC(conf-if-nu-0)# interface (INTERFACE modes) Port-channel Interface DellEMC(conf-if-po-1)# interface (INTERFACE modes) Tunnel Interface DellEM
CLI Command Mode Prompt Access Command SPANNING TREE DellEMC(config-span)# protocol spanning-tree 0 TRACE-LIST DellEMC(conf-trace-acl)# ip trace-list CLASS-MAP DellEMC(config-class-map)# class-map CONTROL-PLANE DellEMC(conf-control-cpuqos)# control-plane-cpuqos DHCP DellEMC(config-dhcp)# ip dhcp server DHCP POOL DellEMC(config-dhcp-pool-name)# pool (DHCP Mode) ECMP DellEMC(conf-ecmp-group-ecmpgroup-id)# ecmp-group EIS DellEMC(conf-mgmt-eis)# management egress-interfaceselection FRR
The do Command You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on.) without having to return to EXEC mode by preceding the EXEC mode command with the do command. The following example shows the output of the do command.
interface TenGigabitEthernet 2/17 no ip address no shutdown Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree. Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command: • To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Short-Cut Key Combination Action CNTL-K Deletes all characters from the cursor to the end of the command line. CNTL-L Re-enters the previous command. CNTL-N Return to more recent commands in the history buffer after recalling commands with CTRL-P or the UP arrow key. CNTL-P Recalls commands, beginning with the last command. CNTL-R Re-enters the previous command. CNTL-U Deletes the line. CNTL-W Deletes the previous word. CNTL-X Deletes the line.
NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks. The except keyword displays text that does not match the specified text. The following example shows this command used in combination with the show system brief command.
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and system then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access The device has two management ports available for system access: a serial RS-232 /RJ-45 console port and an out-of-band (OOB) Ethernet port to manage the switch with an IP address. Serial Console The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the I/O side of the chassis. Figure 1.
Table 2.
• To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed. • If you issue an interactive command in the SSH session, the behavior may not really be interactive.
interface ManagementEthernet slot/port 2 Assign an IP address to the interface. INTERFACE mode ip address ip-address/mask 3 • ip-address: an address in dotted-decimal format (A.B.C.D). • mask: a subnet mask in /prefix-length format (/ xx). Enable the interface. INTERFACE mode no shutdown Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely.
◦ 8 — input the password that is already encrypted using sha256–based encryption method. – password: Enter the password string for the user. – dynamic-salt: Generates an additional random input to password encryption process whenever the password is configured. – privilege level: Assign a privilege levels to the user. The range is from 0 to 15. – role role-name: Assign a role name for the user.
Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. NOTE: For a detailed description of the copy command, refer to the Dell EMC Networking OS Command Reference. • To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
Before executing any CLI command to perform file operations, you must first mount the NFS file system to a mount-point on the device. Since multiple mount-points exist on a device, it is mandatory to specify the mount-point to which you want to load the system. The /f10/mnt/nfs directory is the root of all mount-points. To mount an NFS file system, perform the following steps: Table 4.
15 bytes successfully copied DellEMC#copy flash://test/capture.txt.pcap nfsmount:/// Destination file name [test.txt]: ! 15 bytes successfully copied DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.pcap ! 24 bytes successfully copied DellEMC# DellEMC#copy tftp://10.16.127.35/username/dv-maa-test ? flash: Copy to local file system ([flash://]filepath) nfsmount: Copy to nfs mount file system (nfsmount:///filepath) running-config remote host: Destination file name [test.
Configure the Overload Bit for a Startup Scenario For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system. Viewing Files You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands. • View a list of files on the internal flash.
! Version 9.4(0.0) ! Last configuration change at Tue Mar 11 21:33:56 2014 by admin ! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default !
Uncompressed Compressed ! ! interface TenGigabitEthernet 1/4 interface group Vlan 2 , Vlan 100 no ip address no ip address shutdown no shutdown ! ! interface TenGigabitEthernet 1/10 interface group Vlan 3 – 5 no ip address tagged te 1/1 shutdown no ip address ! shutdown interface TenGigabitEthernet 1/34 ! ip address 2.1.1.1/16 interface Vlan 1000 shutdown ip address 1.1.1.
Uncompressed Compressed interface Vlan 100 no ip address no shutdown ! interface Vlan 1000 ip address 1.1.1.1/16 no shutdown Uncompressed config size – 52 lines write memory compressed The write memory compressed CLI will write the operating configuration to the startup-config file in the compressed mode. In stacking scenario, it will also take care of syncing it to all the standby and member units.
• Change the default directory. EXEC Privilege mode cd directory Enabling Software Features on Devices Using a Command Option The capability to activate software applications or components on a device using a command is supported on this platform. Starting with Release 9.4(0.0), you can enable or disable specific software features or applications that need to run on a device by using a command attribute in the CLI interface.
Upgrading Dell EMC Networking OS To upgrade Dell EMC Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
MD5 DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459 SHA256 DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933 Using HTTP for File Transfers Stating with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. To transfer files to an external server, use the copy source-file-url http://host[:port]/file-path command.
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Creating a Custom Privilege Level Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by: • restricting access to an EXEC mode command • moving commands from EXEC Privilege to EXEC mode • restricting access A user can access all commands at his privilege level and below.
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4 • • moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0 allows access to CONFIGURATION mode with the banner command • allows access to INTERFACE tengigabitethernet and LINE modes are allowed with no commands • Remove a command from the list of available commands in EXEC mode.
exit Exit from configuration mode interface Select an interface to configure line Configure a terminal line linecard Set line card type DellEMC(conf)#interface ? fastethernet Fast Ethernet interface gigabitethernet Gigabit Ethernet interface loopback Loopback interface managementethernet Management Ethernet interface null Null interface port-channel Port-channel interface range Configure interface range sonet SONET interface tengigabitethernet TenGigabit Ethernet interface vlan VLAN interface DellEMC(conf)#
• the internal buffer • console and terminal lines • any configured syslog servers To disable logging, use the following commands. • Disable all logging except on the console. CONFIGURATION mode no logging on • Disable logging to the logging buffer. CONFIGURATION mode no logging buffer • Disable logging to terminal lines. CONFIGURATION mode no logging monitor • Disable console logging.
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles. The types of information in this log consist of the following: • Establishment of secure traffic flows, such as SSH. • Violations on secure flows or certificate issues. • Adding and deleting of users.
Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Figure 2.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization. DellEMC(conf)# logging localhost tcp port DellEMC(conf)#logging 127.0.0.1 tcp 5140 Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Example of Configuring Login Activity Tracking The following example enables login activity tracking. The system stores the login activity details for the last 30 days. DellEMC(config)#login statistics enable The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
Last login time: 13:18:42 UTC Tue Mar 22 2016 Last login location: Line vty0 ( 10.16.127.145 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2 Example of the show login statistics user user-id command The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Configuring Concurrent Session Limit To configure concurrent session limit, follow this procedure: • Limit the number of concurrent sessions for all users. CONFIGURATION mode login concurrent-session limit number-of-sessions Example of Configuring Concurrent Session Limit The following example limits the permitted number of concurrent login sessions to 4.
3 vty 1 10.14.1.97 4 vty 2 10.14.1.97 5 vty 3 10.14.1.97 Kill existing session? [line number/Enter to cancel]: Enabling Secured CLI Mode The secured CLI mode prevents the users from enhancing the permissions or promoting the privilege levels. • Enter the following command to enable the secured CLI mode: CONFIGURATION Mode secure-cli enable After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled.
Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP. • Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
• Specify the size of the logging buffer. CONFIGURATION mode logging buffered size • NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. Specify the number of messages that Dell EMC Networking OS saves to its logging history table.
To view any changes made, use the show running-config logging command in EXEC privilege mode. Configuring a UNIX Logging Facility Level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command. • Specify one of the following parameters.
Synchronizing Log Messages You can configure Dell EMC Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. 1 Enter LINE mode.
File Transfer Services With Dell EMC Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces. The FTP and TFTP services are enhanced to support the VRF-aware functionality.
• The default is the internal flash directory. Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode ftp-server username username password [encryption-type] password Configure the following optional and required parameters: – username: enter a text string. – encryption-type: enter 0 for plain text or 7 for encrypted text. – password: enter a text string.
Denying and Permitting Access to a Terminal Line Dell EMC Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines. • • • • Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic. You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
access-class testv6deny ipv6 ! Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell EMC Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated.
Setting Timeout for EXEC Privilege Mode EXEC timeout is a basic security feature that returns Dell EMC Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set timeout, use the following commands. • Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the timeout period to 0. LINE mode • exec-timeout minutes [seconds] Return to the default timeout values.
login: admin DellEMC# Lock CONFIGURATION Mode Dell EMC Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of lockst: auto and manual. • Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set autolock, every time a user is in CONFIGURATION mode, all other users are denied access.
hit any key NOTE: You must enter the CLI commands. The system rejects them if they are copied and pasted. 4 Set the system parameters to ignore the startup configuration file when the system reloads. uBoot mode setenv stconfigignore true 5 To save the changes, use the saveenv command. uBoot mode saveenv 6 Reload the system. uBoot mode reset 7 Copy startup-config.bak to the running config. EXEC Privilege mode copy flash://startup-config.
5 To save the changes, use the saveenv command. uBoot mode saveenv 6 Reload the system. uBoot mode reset 7 Configure a new enable password. CONFIGURATION mode enable {password | secret | sha256–password} 8 Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a mis-specified location.
Restoring the Factory Default Settings Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all configured settings such as, stacking or fanout. To restore the factory default settings, use the restore factory-defaults stack-unit {stack—unit—number | all} {clear-all | nvram | bootvar} command in EXEC Privilege mode. CAUTION: There is no undo for this command.
(during bootup) press any key 3 Assign the new location to the Dell EMC Networking OS image it uses when the system reloads. uBoot mode => setenv primary_boot f10boot Boot variable (f10boot) can take the following values: 4 • flash0 — to boot from flash partition A. • flash1 — to boot from flash partition B. • tftp://server-ip/image-file-name — to boot from the network. Assign an IP address to the Management Ethernet interface. uBoot mode => setenv ipaddr ip_address For example, 10.16.150.105.
Dell EMC Networking OS Image Verification Dell EMC Networking OS comes with the OS image verification and the startup configuration verification features. When enabled, these features check the integrity of The OS image and the startup configuration that the system uses while the system reboots and loads only if they are intact. Important Points to Remember • The OS image verification feature is disabled by default on the Dell EMC Networking OS.
EXEC Privilege upgrade system DellEMC# upgrade system tftp://10.16.127.35/FTOS-SE-9.11.0.1 A: Hash Value: e42e2548783c2d5db239ea2fa9de4232 !!!!!!!!!!!!!!... Startup Configuration Verification Dell EMC Networking OS comes with startup configuration verification feature. When enabled, it checks the integrity of the startup configuration that the system uses while the system reboots and loads only if it is intact.
verified boot hash startup—config hash-value NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system. After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload. DellEMC# verified boot hash startup—config 619A8C1B7A2BC9692A221E2151B9DA9E Configuring the root User Password For added security, you can change the root user password.
Enter an encryption type for the boot password. – 0 directs the system to store the password as clear text. – 7 directs the system to store the password with a dynamic salt.
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
Figure 4. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
• Configuring the Static MAB and MAB Profile • Configuring Critical VLAN Port-Authentication Process The authentication process begins when the authenticator senses that a link status has changed from down to up: 1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame. 2 The supplicant responds with its identity in an EAP Response Identity frame.
Figure 6. EAP Over RADIUS RADIUS Attributes for 802.1X Support Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X Enable 802.1X globally. Figure 7. 802.1X Enabled 1 Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2 Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3 Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Examples of Verifying that 802.1X is Enabled Globally and on an Interface Verify that 802.
In the following example, the bold lines show that 802.1X is enabled. DellEMC#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface TenGigabitEthernet 2/1 no ip address dot1x authentication no shutdown ! DellEMC# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. DellEMC#show dot1x interface TenGigabitEthernet 2/1/ 802.
mac 00:50:56:aa:01:11 DellEMC(conf-dot1x-profile)# DellEMC(conf-dot1x-profile)#exit DellEMC(conf)# Configuring Request Identity Re-Transmissions When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator retransmits can be configured.
• • after 90 seconds and a maximum of 10 times for an unresponsive supplicant re-transmits an EAP Request Identity frame The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions. DellEMC(conf-if-range-Te-2/1)#dot1x tx-period 90 DellEMC(conf-if-range-Te-2/1)#dot1x max-eap-req 10 DellEMC(conf-if-range-Te-2/1)#dot1x quiet-period 120 DellEMC#show dot1x interface TenGigabitEthernet 2/1 802.
Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Auth Type: Auth PAE State: Backend State: Auth PAE State: Backend State: 90 seconds 120 seconds 2 30 seconds 30 seconds 3600 seconds 10 SINGLE_HOST Initialize Initialize Initialize Initialize Re-Authenticating a Port You can configure the authenticator for periodic re-authentication.
Auth PAE State: Backend State: Initialize Initialize Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response. To terminate the authentication process, use the following commands: • Terminate the authentication process due to an unresponsive supplicant.
Configuring Dynamic VLAN Assignment with Port Authentication Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID.
5 Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated.
Example of Configuring Maximum Authentication Attempts DellEMC(conf-if-Te-2/1)#dot1x guest-vlan 200 DellEMC(conf-if-Te 2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown DellEMC(conf-if-Te-2/1)# DellEMC(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 DellEMC(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown DellEMC(con
Example of Configuring and Displaying a dot1x Profile DellEMC(conf)#dot1x profile test DellEMC(conf-dot1x-profile)# DellEMC#show dot1x profile 802.1x profile information ----------------------------Dot1x Profile test Profile MACs 00:00:00:00:01:11 Configuring the Static MAB and MAB Profile Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static mab. To enable static MAB and configure a static MAB profile, use the following commands.
Configuring Critical VLAN By default, critical-VLAN is not configured. If authentication fails because of a server which is not reachable, user session is authenticated under critical-VLAN. To configure a critical-VLAN for users or devices when authenticating server is not reachable, use the following command. • Enable critical VLAN for users or devices INTERFACE mode dot1x critical-vlan [{vlan-id}] Specify a VLAN interface identifier to be configured as a critical VLAN. The VLAN ID range is 1– 4094.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
• The ACL VLAN group is deleted and it does not contain VLAN members. • The ACL is applied or removed from a group and the ACL group does not contain a VLAN member. • The description of the ACL group is added or removed. Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The interfaces where you apply the ACL VLAN group function as restricted interfaces.
acl-vlan-group {group name} 2 Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode description description 3 Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4 Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
CONFIGURATION mode cam-acl-vlan vlanaclopt <0-2> 4 View the number of FP blocks that is allocated for the different VLAN services. EXEC Privilege mode DellEMC#show cam-usage switch Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|============|============|============= 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 Codes: * - cam usage is above 90%.
| | IN-L3 ECMP GRP | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL 2 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL 3 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL Codes: * - cam usage is above 90%.
• To allocate the number of FP blocks for VLAN iSCSI counters, use the cam-acl-vlan vlaniscsi <0-2> command. • To allocate the number of FP blocks for ACL VLAN optimization, use the cam-acl-vlan vlanaclopt <0-2> command. To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default. You must also allocate the slices for CAM optimization.
7 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Topics: • IP Access Control Lists (ACLs) • Important Points to Remember • IP Fragment Handling • Configure a Standard IP ACL • Configure an Extended IP ACL • Configure Layer 2 and Layer 3 ACLs • Assign an IP ACL to an Interface • Applying an IP ACL • Configure Ingress ACLs • Configure Egress ACLs • IP Prefix Lists • ACL Remarks • ACL Resequencing • Route Maps • Logging of ACL Processes • Flow-Based Monitoring IP Access Control Lists (ACLs) In Dell EMC Networking switch/router
CAM Usage The following section describes CAM allocation and CAM optimization. • User Configurable CAM Allocation • CAM Optimization User Configurable CAM Allocation Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule which is inserted or prepended or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the proginal counter values are retained after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected.
DellEMC(config-std-nacl)#exit DellEMC(conf)#class-map match-all cmap1 DellEMC(conf-class-map)#match ip access-group acl1 DellEMC(conf-class-map)#exit DellEMC(conf)#class-map match-all cmap2 DellEMC(conf-class-map)#match ip access-group acl2 DellEMC(conf-class-map)#exit DellEMC(conf)#policy-map-input pmap DellEMC(conf-policy-map-in)#service-queue 7 class-map cmap1 DellEMC(conf-policy-map-in)#service-queue 4 class-map cmap2 DellEMC(conf-policy-map-in)#exit DellEMC(conf)#interface te 10/1 DellEMC(conf-if-te-10
Configured Route Map Examples The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode.
Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. • match commands search for a certain criterion in the routes. • set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, Dell EMC Networking OS does a match between all of those match commands.
• Match routes whose next hop is a specific interface. CONFIG-ROUTE-MAP mode match interface interface The parameters are: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a port channel interface, enter the keywords port-channel then a number.
To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low. Set commands do not require a corresponding match command. Configuring Set Conditions To configure a set condition, use the following commands. • Add an AS-PATH number to the beginning of the AS-PATH. CONFIG-ROUTE-MAP mode set as-path prepend as-number [...
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Continue Clause Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map “test” module 10, module 30 is processed.
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32 DellEMC(conf-ext-nacl) Layer 4 ACL Rules Examples The following examples show the ACL commands for Layer 4 packet filtering. Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3 information in the ACL line, the packet's FO is checked. • If a packet's FO > 0, the packet is permitted. • If a packet's FO = 0, the next ACL entry is processed.
A standard IP ACL uses the source IP address as its match criterion. 1 Enter IP ACCESS LIST mode by naming a standard IP access list. CONFIGURATION mode ip access-list standard access-listname 2 Configure a drop or forward filter. CONFIG-STD-NACL mode seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments] NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
ip access-list standard access-list-name 2 Configure a drop or forward IP ACL filter. CONFIG-STD-NACL mode {deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator [portnumber ] [count [byte]] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let Dell EMC Networking OS assign a sequence number based on the order in which the filters are configured. Dell EMC Networking OS assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
• L2 egress access list If a rule is simply appended, existing counters are not affected. Table 7. L2 and L3 Filtering on Switched Packets L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Deny L3 ACL denies. Deny Permit L3 ACL permits. Permit Deny L3 ACL denies. Permit Permit L3 ACL permits. NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
ip access-list [standard | extended] name To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show runningconfig command in EXEC mode. Example of Viewing ACLs Applied to an Interface DellEMC(conf-if)#show conf ! interface TenGigabitEthernet 1/1 ip address 10.2.1.100 255.255.255.0 ip access-group nimule in no shutdown DellEMC(conf-if)# To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. Implementation Information In Dell EMC Networking OS, prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists.
ip prefix-list juba seq 12 deny 134.23.0.0/16 seq 15 deny 120.0.0.0/8 le 16 seq 20 permit 0.0.0.0/0 le 32 DellEMC(conf-nprefixl)# NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Examples of the show ip prefix-list Command The following example shows the show ip prefix-list detail command. DellEMC>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.
network 10.0.0.0 DellEMC(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. • Enter OSPF mode. CONFIGURATION mode • router ospf Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
ip access-list {extended | standard} access-list-name ipv6 access-list {extended | standard} access-list-name 2 Define the ACL rule. CONFIG-EXT-NACL mode or CONFIG-STD-NACL seq sequence-number {permit | deny} options 3 Write a remark. CONFIG-EXT-NACL mode or CONFIG-STD-NACL remark [remark-number] remark-text The remark number is optional.
ACL Resequencing ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. To order new rules using the current numbering scheme, use resequencing whenever there is no opportunity. For example, the following table contains some rules that are numbered in increments of 1.
ip access-list extended test remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 DellEMC# end DellEMC# resequence access-list ipv4 test 2 2 DellEMC# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists; however, where the packet or traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not redistributed. The implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all traffic matches the route map and the set command applies. Logging of ACL Processes This functionality is supported on the S4810 platform.
Guidelines for Configuring ACL Logging This functionality is supported on the S4810 platform. Keep the following points in mind when you configure logging of ACL activities: • During initialization, the ACL logging application tags the ACL rule indices for which a match condition exists as being in-use, which ensures that the same rule indices are not reused by ACL logging again.
IPv6 ACLs, and standard and extended MAC ACLs. Configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs that are associated with egress interfaces. CONFIG-STD-NACL mode seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [interval minutes]] Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only the specified traffic instead of all traffic on the interface.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function. You cannot apply the same ACL to an interface or a monitoring session context simultaneously. The port mirroring application maintains a database that contains all monitoring sessions (including port monitor sessions).
CONFIGURATION mode ip access-list For more information, see Access Control Lists (ACLs). 3 Apply the ACL to the monitored port. INTERFACE mode ip access-group access-list Example of the flow-based enable Command To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode.
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 9. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time. NOTE: Dell EMC Networking OS supports Asynchronous mode only. A session can have four states: Administratively Down, Down, Init, and Up. State Description Administratively Down The local system does not participate in a particular session.
Figure 10.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
• Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Example of Viewing Session Parameters R1(conf-if-te-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-te-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
Configuring BFD for static routes is a three-step process: 1 Enable BFD globally. 2 Configure static routes on both routers on the system (either local or remote). 3 Configure an IP route to connect BFD on the static routes using the ip route bfd command.
Establishing Static Route Sessions on Specific Neighbors You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list. When you establish a BFD session using the ip route bfd command, all the next-hop neighbors in the static route become part of the BFD session. Starting with Dell EMC Networking OS release 9.11.0.0, you can enable BFD sessions on specific next-hop neighbors.
CONFIGURATION mode ip route bfd [prefix-list prefix-list-name] interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command. Disabling BFD for Static Routes If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors for the Default VRF BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Enable BFD globally.
INTERFACE mode ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 O 2.2.3.
B C I O O3 R M V VT * * * * * * - BGP CLI ISIS OSPF OSPFv3 Static Route (RTM) MPLS VRRP Vxlan Tunnel LocalAddr 1.0.1.1 3.3.3.3 3.3.3.3 3.3.3.3 3.3.3.3 3.3.3.3 RemoteAddr 1.0.1.2 192.168.122.135 192.168.122.136 192.168.122.137 192.168.122.138 192.168.122.
ip ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command. Disabling BFD for OSPF If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state.
The following example shows the show bfd neighbors command output for default VRF. DellEMC#show bfd neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF O3 - OSPFv3 R - Static Route (RTM) M - MPLS V - VRRP VT - Vxlan Tunnel LocalAddr * 1.1.1.1 RemoteAddr 1.1.1.2 Interface Te 1/1 State Rx-int Tx-int Mult Clients Up 200 200 3 O * 2.1.1.1 2.1.1.
Ad Dn B C I O O3 R M V VT - Admin Down BGP CLI ISIS OSPF OSPFv3 Static Route (RTM) MPLS VRRP Vxlan Tunnel LocalAddr Clients * 10.1.1.1 511 O RemoteAddr Interface State Rx-int Tx-int Mult VRF 10.1.1.2 Vl 100 Up 150 150 3 * 11.1.1.1 511 O 11.1.1.2 Vl 101 Up 150 150 3 * 12.1.1.1 511 O 12.1.1.2 Vl 102 Up 150 150 3 * 13.1.1.1 511 O 13.1.1.
Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPFv3 neighbors.
Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 14. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode • bfd all-neighbors Establish sessions with IS-IS neighbors on a single interface.
Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 15.
Prerequisites Before configuring BFD for BGP, you must first configure the following settings: • Configure BGP on the routers that you want to interconnect. Establishing Sessions with BGP Neighbors for Default VRF To establish sessions with either IPv6 or IPv4 BGP neighbors for the default VRF, follow these steps: 1 Enable BFD globally. CONFIGURATION mode bfd enable 2 Specify the AS number and enter ROUTER BGP configuration mode.
DellEMC(conf-router_bgp)#address-family ipv6 unicast DellEMC(conf-router_bgpv6_af)#neighbor 20::2 activate DellEMC(conf-router_bgpv6_af)#exit DellEMC(conf-router_bgp)#bfd all-neighbors DellEMC(conf-router_bgp)#show config ! router bgp 1 neighbor 10.1.1.2 remote-as 2 neighbor 10.1.1.
9 Activate the neighbor in IPv6 address family. CONFIG-ROUTERBGPv6_ADDRESSFAMILY mode neighbor ipv6-address activate 10 Configure parameters for a BFD session established with all neighbors discovered by BGP. Or establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters. CONFIG-ROUTERBGP mode bfd all-neighbors DellEMC(conf)#router bgp 1 DellEMC(conf-router_bgp)#address-family ipv4 vrf vrf1 DellEMC(conf-router_bgp_af)#neighbor 10.1.1.
Use BFD in a BGP Peer Group You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode). Members of the peer group may have BFD: • Explicitly enabled (the neighbor ip-address bfd command) • Explicitly disabled (the neighbor ip-address bfd disable command) • Inherited (neither explicitly enabled or disabled) according to the current BFD configuration of the peer group.
neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors The following example shows viewing all BFD neighbors. R2# show bfd neighbors * - Active session role Ad Dn - Admin Down B - BGP C - CLI I - ISIS O - OSPF R - Static Route (RTM) M - MPLS V - VRRP LocalAddr * 1.1.1.3 * 2.2.2.3 * 3.3.3.3 RemoteAddr 1.1.1.2 2.2.2.2 3.3.3.
Actual parameters: TX: 200ms, RX: 200ms, Multiplier: 3 Role: Active Delete session on Down: True Client Registered: BGP Uptime: 00:02:22 Statistics: Number of packets received from neighbor: 1428 Number of packets sent to neighbor: 1428 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 The following example shows viewing BFD summary information.
BGP table version 0, neighbor version 0 Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0 Prefixes advertised 0, denied 0, withdrawn 0 from peer Connections established 1; dropped 0 Last reset never Local host: 2.2.2.3, Local port: 63805 Foreign host: 2.2.2.2, Foreign port: 179 E1200i_R2# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 16. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
The bold line shows that VRRP BFD sessions are enabled. DellEMC(conf-if-te-4/25)#vrrp bfd all-neighbors DellEMC(conf-if-te-4/25)#do show bfd neighbor * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) V - VRRP LocalAddr * 2.2.5.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.5.2 Te 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session.
To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or for a particular VRRP session on an interface, use the following commands. • Disable all VRRP sessions on an interface. INTERFACE mode • no vrrp bfd all-neighbors Disable all VRRP sessions in a VRRP group. VRRP mode • bfd disable Disable a particular VRRP session on an interface.
00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Up for neighbor 2.2.2.2 on interface Te 4/24 (diag: 0) The following example shows hexadecimal output from the debug bfd packet command. RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Te 4/24 TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Received packet for session with neighbor 2.
Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes, use the show bfd neighbors command. R1(conf)#ip route 2.2.3.0/24 2.2.2.2 R1(conf)#ip route bfd R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.
• BFD sessions created using any one IP prefix list are active at any given point in time. If a new prefix list is assigned, then BFD sessions corresponding to the older (existing) prefix list are replaced with the newer ones. • Each time a prefix list is modified, only addition or deletion of new entries in that prefix list are processed for BFD session establishment or tear down.
9 BGP IP version 4 (BGPv4) Overview This section provides a general description of BGPv4 as it is supported in the Dell EMC Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol (EGP) that transmits interdomain routing information within and between autonomous systems (AS). An AS is an network managed by a single entity or administration.
• stub AS — is one that is connected to only one other AS. • transit AS — is one that provides connections through itself to separate networks. For example, in the following illustration, Router 1 can use Router 2 (the transit AS) to connect to Router 4. Internet service providers (ISPs) are always transit ASs, because they provide connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, so thus the term Transit AS.
Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are called neighbors or peers. A local device does not identify a BGP peer automatically. You have to manually configure the connections between BGP running devices.
of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another. State Description Idle BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer. Connect In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful.
Figure 20. BGP Router Rules 1 Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2 Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in the order in which they arrive. This method can lead to Dell EMC Networking OS choosing different best paths from a set of paths, depending on the order in which they were received from the neighbors because MED may or may not get compared between the adjacent paths.
c Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7 Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths. 8 Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains.
Figure 22. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 23. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
MBGP uses either an IPv4 address configured on the interface (which is used to establish the IPv6 session) or a stable IPv4 address that is available in the box as the next-hop address. As a result, while advertising an IPv6 network, exchange of IPv4 routes does not lead to martian next-hop message logs. NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP.
Ignore Router-ID in Best-Path Calculation You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath routerid ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the decimal format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10. Dynamic AS Number Notation Application Dell EMC Networking OS applies the ASN notation type change dynamically to the running-config statements.
DellEMC(conf-router_bgp)#sho conf ! router bgp 100 neighbor 172.30.1.250 local-as 65057 DellEMC(conf-router_bgp)#do show ip bgp BGP table version is 28093, local router ID is 172.30.1.57 AS Number Migration With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress.
3 Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that update passed through a router in AS 200 before it reached Router B. BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.
• Multiple BPG process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer. • Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the SNMP query response. • The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used. • Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero. • 4-byte ASN is supported.
Item Default reuse = 750 suppress = 2000 max-suppress-time = 60 minutes external distance = 20 Distance internal distance = 200 local distance = 200 keepalive = 60 seconds Timers holdtime = 180 seconds Add-path Disabled Enabling BGP By default, BGP is disabled on the system. Dell EMC Networking OS supports one autonomous system (AS) and assigns the AS number (ASN).
• ipv6-address: IPv6 address of the neighbor • peer-group name: Name of the peer group. It can contain 16 characters. • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format) NOTE: Neighbors that are defined using the neighbor remote-as command in the CONFIGURATION-ROUTER-BGP mode exchange IPv4 unicast address prefixes only. 3 Enable the BGP neighbor.
The following example displays two neighbors: one is an external internal BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is an external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State. If anything other than ESTABLISHED is listed, the neighbor is not exchanging information and routes.
• Enable ASPLAIN AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asplain • NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display. Enable ASDOT AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot • Enable ASDOT+ AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot+ Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command output.
Configuring Peer Groups To configure a peer group, use the following commands. 1 Enter the router configuration mode and the AS number. CONFIG mode router bgp as-number 2 Create a peer group by assigning a name to it. CONFIG-ROUTER-BGP mode neighbor peer-group-name peer-group 3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown By default, all peer groups are disabled. 4 Create a BGP neighbor.
• neighbor advertisement-interval • neighbor distribute-list out • neighbor filter-list out • neighbor next-hop-self • neighbor route-map out • neighbor route-reflector-client • neighbor send-community A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates.
Configuring BGP Fast Fall-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address.
Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 52, neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dropped 5 Last reset 00:19:37, due to Reset by peer Notification History 'Connection Reset' Sent : 5 Recv: 0 Local host: 20.20.20.2, Local port: 65519 Foreign host: 10.10.10.
Enter the limit keyword to restrict the number of sessions accepted. 2 Assign a subnet to the peer group. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6–address | peer-group-name} subnet subnet-number mask The peer group responds to OPEN messages sent on this subnet. 3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6–address | peer-group-name} no shutdown 4 Create and specify a remote peer for BGP neighbor.
neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.
Enabling Graceful Restart Use this feature to lessen the negative effects of a BGP restart. Dell EMC Networking OS advertises support for this feature to BGP neighbors through a capability advertisement. You can enable graceful restart by router and/or by peer or peer group. NOTE: By default, BGP graceful restart is disabled. The default role for BGP is as a receiving or restarting peer.
DellEMC(conf-router_bgp)# bgp graceful-restart DellEMC(conf-router_bgp)# exit The above example configuration shows how to enable the BGP graceful restart. If you enter this command after the BGP session is established, you must restart the session for the BGP graceful restart capability to be exchanged with the BGP neighbor. Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled.
You can use the no shutdown all command in the ROUTER BGP mode to re-enable all the BGP interface. You can also enable or disable BGP neighbors corresponding to the IPv4 unicast or multicast groups and the IPv6 unicast groups.
Filtering on an AS-Path Attribute You can use the BGP attribute, AS_PATH, to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an AS, the ASN is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing. By identifying certain ASN in the AS_PATH, you can permit or deny routes based on the number in its AS_PATH. AS-PATH ACLs use regular expressions to search AS_PATH values.
0x559972c 0x59cd3b4 0x7128114 0x536a914 0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 0 0 0 0 31 2 10 3 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 209 209 209 209 701 701 209 701 701 209 701 209 18756 i 7018 15227 i 3356 13845 i 701 6347 7781 i 3561 9116 21350 i 1239 577 855 ? 3561 4755 17426 i 5743 2648 i 209 568 721 1494 i 701 2019 i 8584 16158 i 6453 4759 i Regular Expressions as Filters Regula
Example of Using Regular Expression to Filter AS Paths DellEMC(config)#router bgp 99 DellEMC(conf-router_bgp)#neigh AAA peer-group DellEMC(conf-router_bgp)#neigh AAA no shut DellEMC(conf-router_bgp)#show conf ! router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown DellEMC(conf-router_bgp)#neigh 10.155.15.
– level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2. – metric value: The value is from 0 to 16777215. The default is 0. • – route-map map-name: Specify the name of a configured route map to be consulted before adding the ISIS route. Include specific OSPF routes into BGP.
Example configuration for enabling additional paths DellEMC# configure terminal DellEMC(conf)# router bgp 400 DellEMC(conf-router_bgp)# neighbor 10.10.10.1 remote-as 500 DellEMC(conf-router_bgp)# bgp add-path both 2 DellEMC(conf-router_bgp)# address-family ipv4 multicast DellEMC(conf-router_bgp_af)# neighbor 10.10.10.1 activate DellEMC(conf-router_bgp_af)# neighbor 10.10.10.
deny 701:20 deny 702:20 deny 703:20 deny 704:20 deny 705:20 deny 14551:20 deny 701:112 deny 702:112 deny 703:112 deny 704:112 deny 705:112 deny 14551:112 deny 701:667 deny 702:667 deny 703:667 deny 704:666 deny 705:666 deny 14551:666 DellEMC# Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1 Create a extended community list and enter the EXTCOMMUNITY-LIST mode.
deny 703:667 deny 704:666 deny 705:666 deny 14551:666 DellEMC# Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1 Enter the ROUTE-MAP mode and assign a name to a route map.
Manipulating the COMMUNITY Attribute A COMMUNITY attribute indicates that all the routes with that attribute belong to the same community grouping. In addition to permitting or denying routes based on the values of the COMMUNITY attributes, you can manipulate the COMMUNITY attribute value and send the COMMUNITY attribute with the route information. By default, Dell EMC Networking OS does not send the COMMUNITY attribute to a BGP neighbor or a peer group.
CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address | peer-group-name} route-map map-name {in | out} Example of the show ip bgp community Command To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. To view BGP routes matching a certain community number or a pre-defined BGP community, use the show ip bgp community command in EXEC Privilege mode.
Changing the LOCAL_PREFERENCE Attribute In Dell EMC Networking OS, you can change the value of the LOCAL_PREFERENCE attribute, so that the preferred path can be changed. To change the default values of this attribute for all routes received by the router, use the following command. • Change the LOCAL_PREF value. CONFIG-ROUTER-BGP mode bgp default local-preference value value: the range is from 0 to 4294967295. The default is 100.
Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Assign a weight to the neighbor connection. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address | peer-group-name} weight weight • weight: the range is from 0 to 65535. The default is 0. Sets weight for the route.
DellEMC(conf-router_bgp)# maximum-paths ibgp 5 DellEMC(conf-router_bgp)# exit In the above example configuration, the maximum number of parallel internal BGP routes is set to 5, so that only 5 routes can be installed in a routing table. The show ip bgp network command includes multipath information for that network. Filtering BGP Routes Filtering routes allows you to implement BGP policies.
5 Filter routes based on the criteria in the configured route map. CONFIG-ROUTER-BGP mode neighbor {ip-address | ipv6-address | peer-group-name} route-map map-name {in | out} Configure the following parameters: • ip-address or ipv6-address or peer-group-name: enter the neighbor’s IPv4 or IPv6 address or the peer group’s name. • map-name: enter the name of a configured route map. • in: apply the route map to inbound routes. • out: apply the route map to outbound routes.
• ip-address or ip-address or peer-group-name: enter the neighbor’s IPv4 or IPv6 address or the peer group’s name. • as-path-name: enter the name of a configured AS-PATH ACL. • in: apply the AS-PATH ACL map to inbound routes. • out: apply the AS-PATH ACL to outbound routes.
automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode. All clients must be fully meshed before you disable route reflection. To view a route reflector configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp in EXEC Privilege mode.
Enabling Route Flap Dampening When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices. A flap is when a route: • is withdrawn • is readvertised after being withdrawn • has an attribute change The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, you may configure penalties (a numeric value) for routes that flap.
• – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed). The default is 750. – suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
BGP table version is 855562, main routing table version 780266 122836 network entrie(s) and 221664 paths using 29697640 bytes of memory 34298 BGP path attribute entrie(s) using 1920688 bytes of memory 29577 BGP AS-PATH entrie(s) using 1384403 bytes of memory 184 BGP community entrie(s) using 7616 bytes of memory Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths Neighbor AS MsgRcvd MsgSent TblVer 10.114.8.34 18508 82883 79977 780266 10.114.8.
In the above example configuration, the BGP timers are set with keepalive time as 80 seconds with which the system sends keepalive messages to the BGP peer and holdtime as 120 seconds with which the system waits for a message from the BGP peer before concluding that the peer is dead. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show runningconfig bgp command in EXEC Privilege mode.
– peer-group-name: Clears all members of the specified peer group. – dampening: Clears all the flap dampening information. – flap-statistics: Clears the flap statistics information. Example of Soft-reconfigration of a BGP Neighbor The example enables inbound soft-reconfiguration for the neighbor 10.108.1.1. All updates received from this neighbor are stored unmodified, regardless of the inbound policy.
CONFIGURATION Mode router bgp as-number 2 Shut down the BGP neighbors corresponding to the IPv6 unicast groups using the following command: ROUTER-BGP Mode shutdown address-family-ipv6-unicast When you configure BGP, you must explicitly enable the BGP neighbors using the following commands: neighbor {ip-address | peer-group name} remote-as as-number neighbor {ip-address | peer-group-name} no shutdown For more information on enabling BGP, see Enabling BGP.
Set a Clause with a Continue Clause If the route-map entry contains sets with the continue clause, the set actions operation is performed first followed by the continue clause jump to the specified route map entry. • If a set actions operation occurs in the first route map entry and then the same set action occurs with a different value in a subsequent route map entry, the last set of actions overrides the previous set of actions with the same set command.
To enable BGP to pick the next hop IPv6 address automatically for IPv6 prefix advertised over an IPv4 neighbor, use the following commands. • Enable the system to pick the next hop IPv6 address dynamically for IPv6 prefix advertised over an IPv4 neighbor. ROUTER-BGP mode mode neighbor {ip–address | peer-group-name} auto-local-address Enter either the neighbor IP address or the name of the peer group. NOTE: If outbound policy is applied along with auto-local-address enabled, then policy takes precedence.
address-family ipv6 unicast neighbor 10.1.1.1 activate exit-address-family ! Following is the show ip bgp ipv6 unicast command output for the above configuration. DellEMC# show ip bgp ipv6 unicast BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0 BGP local router ID is 1.1.1.
• debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name] Enable soft-reconfiguration debug. EXEC Privilege mode debug ip bgp {ip-address | peer-group-name} soft-reconfiguration To enhance debugging of soft reconfig, use the bgp soft-reconfig-backup command only when route-refresh is not negotiated to avoid the peer from resending messages. In-BGP is shown using the show ip protocols command. Dell EMC Networking OS displays debug messages on the console.
'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:26:02 ago ffffffff ffffffff ffffffff ffffffff 00160303 03010000 Last notification (len 21) received 00:26:20 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Last PDU (len 41) received 00:26:02 ago that caused notification to be issued ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201 00024003 04141414 0218c0a8 01000000 Local host: 1.1.1.
The following example shows how to view space requirements for storing all the PDUs. With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs. DellEMC(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.250 Incoming packet capture enabled for BGP neighbor 172.30.1.250 Available buffer size 29165743, 192991 packet(s) captured using 11794257 bytes [. . .] DellEMC(conf-router_bgp)#do sho ip bg s BGP router identifier 172.30.1.
Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int te 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TengigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-te-1/21)#int te 1/31 R1(conf-if-te-1/31)#ip address 10.0.3.
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.
! interface TengigabitEthernet 3/11 ip address 10.0.3.33/24 no shutdown R3(conf-if-lo-0)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.0.2.3/24 R3(conf-if-te-3/21)#no shutdown R3(conf-if-te-3/21)#show config ! interface TengigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.
MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 2; dropped 1 Last reset 00:00:57, due to user reset Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago fffffff
2 neighbor(s) using 9216 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.1 99 140 136 2 0 (0) 00:11:24 1 192.168.128.3 100 138 140 2 0 (0) 00:18:31 1 Example of Enabling Peer Groups (Router 3) R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.
Last read 00:00:45, last write 00:00:44 Hold time is 180, keepalive interval is 60 seconds Received 138 messages, 0 in queue 7 opens, 2 notifications, 7 updates 122 keepalives, 0 route refresh requests Sent 140 messages, 0 in queue 240 BGP IP version 4 (BGPv4) Overview
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies. CAM Allocation CAM Allocation for Ingress To allocate the space for regions such has L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode.
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports upto 256 CAM entries. Select 1 to configure 128 entries. Select 2 to configure 256 entries.
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0. 3 Execute write memory and verify that the new settings are written to the CAM on the next boot. EXEC Privilege mode show cam-acl 4 Reload the system. EXEC Privilege mode reload Test CAM Usage To determine whether sufficient CAM space is available to enable a service-policy, use the test-cam-usage command.
VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 DellEMC(conf)# Example of Viewing CAM-ACL Settings NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 DellEMC# View CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4 and IPv6 Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode The following output shows CAM blocks usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space: Example of the show cam-usage Command DellE
cam-threshold threshold {default | threshold-percent} The range of threshold value is from 1 to 100. The default threshold value is 90 percent. • Assign the silence period for syslog warning. CONFIGURATION mode cam-threshold threshold {default | threshold-percent} silence-period {default | silenceperiod-value} The range of silence period is from 0 to 65535. The default is 0 seconds.
Troubleshoot CAM Profiling The following section describes CAM profiling troubleshooting. QoS CAM Region Limitation To store QoS service policies, the default CAM profile allocates a partition within the IPv4Flow region. If the QoS CAM space is exceeded, a message similar to the following displays.
11 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffics according to the ACL.
CONTROL-PLANE mode service-policy rate-limit-protocols Examples of Configuring CoPP for Different Protocols The following example shows creating the IP/IPv6/MAC extended ACL.
DellEMC(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k DellEMC(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k DellEMC(conf-policy-map-in-cpuqos)#exit The following example shows creating the control plane service policy.
The following example shows creating the control plane service policy. DellEMC#conf DellEMC(conf)#control-plane DellEMC(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy CoPP for OSPFv3 Packets You can create an IPv6 ACL for control-plane traffic policing for OSPFv3, in addition to the CoPP support for VRRP, BGP, and ICMP. You can use the ipv6 access-list name cpu-qos permit ospfv3 command to allow CoPP traffic for OSPFv3.
As part of enhancements, CPU queues are increased from 8 to 12 on CPU port. However, the front-end port and the backplane ports support only 8 queues. As a result, when packets are transmitted to the local CPU, the CPU uses Q0-Q11 queues. The control packets that are tunneled to the master unit are isolated from the data queues and the control queues in the backplane links. Control traffic must be sent over the control queues Q4-Q7 on higig links.
• NDP Packets in VLT peer routing enable – VLT peer routing enable cases each VLT node will have route entry for link local address of both self and peer VLT node. Peer VLT link local entry will have egress port as ICL link. And Actual link local address will have entry to CopyToCpu. But NDP packets destined to peer VLT node needs to be taken to CPU and tunneled to the peer VLT node..
unicast packets. This CLI knob to turn off the catch-all route is of use in networks where the user does not want to generate Destination Unreachable messages and have the CPU queue’s bandwidth available for higher priority control-plane traffic. Configuring CoPP for OSPFv3 You can create an IPv6 ACL for control-plane traffic policing for OSPFv3, in addition to the CoPP support for VRRPv3, BGPv6, and ICMPv6.
Viewing Queue Rates Example of Viewing Queue Rates DellEMC#show cpu-queue rate cp Service-Queue Rate (PPS) -------------- ----------Q0 1300 Q1 300 Q2 300 Q3 300 Q4 2000 Q5 400 Q6 400 Q7 1100 DellEMC# Example of Viewing Queue Mapping To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
DellEMC# 258 Control Plane Policing (CoPP)
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
DCB-enabled network is required in a data center. The Dell EMC Networking switches that support a unified fabric and consolidate multiple network infrastructures use a single input/output (I/O) device called a converged network adapter (CNA). A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
Figure 29. Illustration of Traffic Congestion The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4. In the Dell EMC Networking OS, PFC is implemented as follows: • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Figure 30. Enhanced Transmission Selection The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission. Table 15. ETS Traffic Groupings Traffic Groupings Description Group ID A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.. Group bandwidth Percentage of available bandwidth allocated to a priority group.
PFC parameters PFC Configuration TLV and Application Priority Configuration TLV. ETS parameters ETS Configuration TLV and ETS Recommendation TLV. Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 31. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network.
dcb enable 2 Set PFC buffering on the DCB stack unit. CONFIGURATION mode DellEMC(conf)#dcb enable pfc-queues NOTE: To save the pfc buffering configuration changes, save the configuration and reboot the system. NOTE: Dell EMC Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.
If you delete the dot1p priority-priority group mapping (no priority pgid command) before you apply the new DCB map, the default PFC and ETS parameters are applied on the interfaces. This change may create a DCB mismatch with peer DCB devices and interrupt network operation. QoS dot1p Traffic Classification and Queue Assignment The following section describes QoS dot1P traffic classification and assignments.
dot1p Value in the Incoming Frame Egress Queue Assignment 4 4 5 5 6 6 7 7 Data Center Bridging: Default Configuration Before you configure PFC and ETS on a switch see the priority group setting taken into account the following default settings: DCB is enabled. PFC and ETS are globally enabled by default.
The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50. The range is from 0 to 40000. The pfc on command enables priority-based flow control. 3 Specify the dot1p priority-to-priority group mapping for each priority. priority-pgid dot1p0_group_num dot1p1_group_num ...
The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues. Ingress dot1p traffic from PFC-enabled interfaces is automatically mapped to the no-drop egress queues. 1 Enter INTERFACE Configuration mode. CONFIGURATION mode interface interface-type 2 Configure the port queues that will still function as no-drop queues for lossless traffic.
input policy with PFC profile is configured or unconfigured on an interface or a range of interfaces not receiving any traffic, interfaces with PFC settings that receive appropriate PFC-enabled traffic (unicast, mixed-frame-size traffic) display incremental values in the CRC and discards counters. (These ingress interfaces receiving pfc-enabled traffic have an egress interface that has a compatible PFC configuration). NOTE: DCB maps are supported only on physical Ethernet interfaces.
Table 16. DCB Map to an Ethernet Port Step Task Command Command Mode 1 Enter interface configuration mode on an Ethernet port. interface interface-type } CONFIGURATION 2 Apply the DCB map on the Ethernet port to configure it with the PFC and ETS settings in the map; for example: dcb-map name INTERFACE DellEMC# interface tengigabitEthernet 1/1 DellEMC(config-if-te-1/1)# dcb-map SAN_A_dcb_map1 Repeat Steps 1 and 2 to apply a DCB map to more than one port.
Although the system contains 9 MB of space for shared buffers, a minimum guaranteed buffer is provided to all the internal and external ports in the system for both unicast and multicast traffic. This minimum guaranteed buffer reduces the total available shared buffer to 7,787 KB. This shared buffer can be used for lossy and lossless traffic. The default behavior causes up to a maximum of 6.6 MB to be used for PFC-related traffic. The remaining approximate space of 1 MB can be used by lossy traffic.
Example: Port A —> Port B Port C —> Port B PFC no-drop queues are configured for queues 1, 2 on Port B. PFC capability is enabled on priorities 3, 4 on PORT A and C. Port B acting as Egress During the congestion, [traffic pump on priorities 3 and 4 from PORT A and PORT C is at full line rate], PORT A and C send out the PFCs to rate the traffic limit. Egress drops are not observed on Port B since traffic flow on priorities is mapped to loss less queues.
Step Task Command Command Mode You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has been applied, or which is already configured for PFC using the pfc priority command. Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3 Default: No lossless queues are configured. Behavior of Tagged Packets The below is example for enabling PFC for priority 2 for tagged packets.
Table 19. Queue Assignments 3 4 Internalpriority 0 1 2 3 4 5 6 7 Queue 0 0 0 1 2 3 3 3 Dot1p->Queue Mapping Configuration is retained at the default value. Default dot1p-queue mapping is, DellEMC#show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 6 Queue : 0 0 0 1 2 3 3 7 3 Default dot1p-queue mapping is, DellEMC#show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 6 Queue : 2 0 1 3 4 5 6 7 7 Interface Configurations on server connected ports. a Enable DCB globally.
Creating an ETS Priority Group An ETS priority group specifies the range of 802.1p priority traffic to which a QoS output policy with ETS settings is applied on an egress interface. 1 Configure a DCB Map. CONFIGURATION mode dcb-map dcb-map-name The dcb-map-name variable can have a maximum of 32 characters. 2 Create an ETS priority group. CONFIGURATION mode priority-group group-num {bandwidth bandwidth | strict-priority} pfc off The range for priority group is from 0 to 7. Set the bandwidth in percentage.
By default, all 802.1p priorities are grouped in priority group 0 and 100% of the port bandwidth is assigned to priority group 0. The complete bandwidth is equally assigned to each priority class so that each class has 12 to 13%. The maximum number of priority groups supported in ETS output policies on an interface is equal to the number of data queues (8)on the port. The 802.1p priorities in a priority group can map to multiple queues.
The default is none. 3 Repeat Step 2 to configure bandwidth percentages for other priority queues on the port. QoS OUTPUT POLICY mode Dell(conf-qos-policy-out)#bandwidth-percentage 100 4 Exit QoS Output Policy Configuration mode. QoS OUTPUT POLICY mode Dell(conf-if-te-0/1)#exit 5 Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port 6 Apply the QoS output policy with the bandwidth percentage for specified priority queues to an egress interface.
• ETS configuration error: If an error occurs in an ETS configuration, the configuration is ignored and the scheduler and bandwidth allocation settings are reset to the ETS default value: 100% of available bandwidth is allocated to priority group 0 and the bandwidth is equally assigned to each dot1p priority. If an error occurs when a port receives a peer’s ETS configuration, the port’s configuration resets to the ETS configuration in the previously configured DCB map.
Strict-priority groups: • If priority group 3 has free bandwidth, it is distributed as follows: 20% of the free bandwidth to priority group 1 and 30% of the free bandwidth to priority group 2. • If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20+ 30)%.
• Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch. Mis-configuration detection is feature-specific because some DCB features support asymmetric configuration. • Reconfigures a peer device with the DCB configuration from its configuration source if the peer device is willing to accept configuration.
not stored in the switch’s running configuration. On a DCBx port that is the configuration source, all PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled. Manual The port is configured to operate only with administrator-configured settings and does not auto-configure with DCB settings received from a DCBx peer or from an internally propagated configuration from the configuration source.
the peer link up and continues to exchange DCBx packets. If a compatible peer configuration is later received, DCBx is enabled on the port. • If there is no configuration source, a port may elect itself as the configuration source. A port may become the configuration source if the following conditions exist: – No other port is the configuration source. – The port role is auto-upstream. – The port is enabled with link up and DCBx enabled. – The port has performed a DCBx exchange with a DCBx peer.
NOTE: Because DCBx TLV processing is best effort, it is possible that CIN frames may be processed when DCBx is configured to operate in CEE mode and vice versa. In this case, the unrecognized TLVs cause the unrecognized TLV counter to increment, but the frame is processed and is not discarded. Legacy DCBx (CIN and CEE) supports the DCBx control state machine that is defined to maintain the sequence number and acknowledge the number sent in the DCBx control TLVs.
Configuring DCBx To configure DCBx, follow these steps. For DCBx, to advertise DCBx TLVs to peers, enable LLDP. For more information, refer to Link Layer Discovery Protocol (LLDP). Configure DCBx operation at the interface level on a switch or globally on the switch. To configure the S4810 system for DCBx operation in a data center network, you must: 1 Configure ToR- and FCF-facing interfaces as auto-upstream ports. 2 Configure server-facing interfaces as auto-downstream ports.
• pfc enables: the advertisement of PFC TLVs. The default is All PFC and ETS TLVs are advertised. NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv etsconf ets-reco. You can enable ETS recommend TLVs (ets-reco) only if you enable ETS configuration TLVs (etsconf). To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-tlv pfc ets-reco.
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc] • ets-conf: enables transmission of ETS Configuration TLVs. • ets-reco: enables transmission of ETS Recommend TLVs. • pfc: enables transmission of PFC TLVs. NOTE: You can configure the transmission of more than one TLV type at a time. You can only enable ETS recommend TLVs (ets-reco) if you enable ETS configuration TLVs (ets-conf).
DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs. LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface. DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command Output show interface port-type pfc {summary | detail} Displays the PFC configuration applied to ingress traffic on an interface, including priorities and link delay. To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command. show interface port-type pfc statistics Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface. You can use the show interface pfc statistics command even without enabling DCB on the system.
The following example shows the show interfaces pfc summary command.
Fields Description Local is enabled DCBx operational status (enabled or disabled) with a list of the configured PFC priorities Operational status (local port) DCBx operational status (enabled or disabled) with a list of the configured PFC priorities. Port state for current operational PFC configuration: • • • Init: Local PFC configuration parameters were exchanged with peer. Recommend: Remote PFC configuration parameters were received from peer.
Te Te Te Te Te 1/1 1/1 1/1 1/1 1/1 P3 P4 P5 P6 P7 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 The following example shows the show interface ets summary command.
0 1 2 3 4 5 6 7 0,1,2,3,4,5,6,7 Priority# Bandwidth TSA 0 1 2 3 4 5 6 7 Remote Parameters: ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# 0 0,1,2,3,4,5,6,7 1 2 3 4 5 6 7 100% 0% 0% 0% 0% 0% 0% 0% ETS ETS ETS ETS ETS ETS ETS ETS 13% 13% 13% 13% 12% 12% 12% 12% ETS ETS ETS ETS ETS ETS ETS ETS Bandwidth 100% 0% 0% 0% 0% 0% 0% 0% TSA ETS ETS ETS ETS ETS ETS ETS ETS Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status
Field Description Remote Parameters ETS configuration on remote peer port, including Admin mode (enabled if a valid TLV was received or disabled), priority groups, assigned dot1p priorities, and bandwidth allocation. If the ETS Admin mode is enabled on the remote port for DCBx exchange, the Willing bit received in ETS TLVs from the remote peer is included.
-------------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3,4,5,6,7 100% ETS 1 2 3 4 5 6 7 8 Stack unit 1 stack port all Max Supported TC Groups is 4 Number of Traffic Classes is 1 Admin mode is on Admin Parameters: -------------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3,4,5,6,7 100% ETS 1 2 3 4 5 6 7 8 The following example shows the show interface DCBx detail command (IEEE).
Interface TenGigabitEthernet 1/14 Remote Mac Address 00:01:e8:8a:df:a0 Port Role is Auto-Upstream DCBx Operational Status is Enabled Is Configuration Source? FALSE Local DCBx Compatibility mode is CEE Local DCBx Configured mode is CEE Peer Operating version is CEE Local DCBx TLVs Transmitted: ErPFi Local DCBx Status ----------------DCBx Operational Version is 0 DCBx Max Version Supported is 0 Sequence Number: 1 Acknowledgment Number: 1 Protocol State: In-Sync Peer DCBx Status: ---------------DCBx Operationa
Field Description Local DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs. Local DCBx Status: Protocol State Current operational state of DCBx protocol: ACK or IN-SYNC. Peer DCBx Status: DCBx Operational Version DCBx version advertised in Control TLVs received from peer device. Peer DCBx Status: DCBx Max Version Supported Highest DCBx version supported in Control TLVs received from peer device.
dot1p Value in the Incoming Frame Egress Queue Assignment 3 1 4 2 5 3 6 3 7 3 dot1p Value in the Incoming Frame Egress Queue Assignment 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 Configuring the Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps: 1 Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces.
For each priority, you can specify the shared buffer threshold limit, the ingress buffer size, buffer limit for pausing the acceptance of packets, and the buffer offset limit for resuming the acceptance of received packets.
Figure 33. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame Priority Group Assignment 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment. Priority Group Bandwidth Assignment IPC 5% SAN 50% LAN 45% PFC and ETS Configuration Command Examples The following examples show PFC and ETS configuration commands to manage your data center traffic.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
The following table lists common DHCP options. Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description User Port Stacking Option 230 Set the stacking option variable to provide DHCP server stack-port detail when the DHCP offer is set. End Option 255 Signals the last option in the DHCP packet. Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1 The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers.
Implementation Information The following describes DHCP implementation. • Dell EMC Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell EMC Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configuring the Server for Automatic Address Allocation Automatic address allocation is an address assignment method by which the DHCP server leases an IP address to a client from a pool of available addresses. An address pool is a range of IP addresses that the DHCP server may assign. The subnet number indexes the address pools. To create an address pool, follow these steps. 1 Access the DHCP server CLI context. CONFIGURATION mode ip dhcp server 2 Create an address pool and give it a name.
Excluding Addresses from the Address Pool The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients. You must specify the IP address that the DHCP server should not assign to clients. To exclude an address, follow this step. • Exclude an address range from DHCP assignment. The exclusion applies to all configured pools. DHCP mode excluded-address Specifying an Address Lease Time To specify an address lease time, use the following command.
Using NetBIOS WINS for Address Resolution Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid. 1 Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
Using DHCP Clear Commands To clear DHCP binding entries, address conflicts, and server counters, use the following commands. • Clear DHCP binding entries for the entire binding table. EXEC Privilege mode. clear ip dhcp binding • Clear a DHCP binding entry for an individual IP address. EXEC Privilege mode. clear ip dhcp binding ip address Configure the System to be a Relay Agent DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Figure 36. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int tengigabitethernet 1/3 TenGigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell EMC Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
To manually configure a static IP address on an interface, use the ip address command. A prompt displays to release an existing dynamically acquired IP address. If you confirm, the ability to receive a DHCP server-assigned IP address is removed. To enable acquiring a dynamic IP address from a DHCP server on an interface configured with a static IP address, use the ip address dhcp command. A prompt displays to confirm the IP address reconfiguration.
server are in the same or different subnets. The management default route is deleted if the management IP address is released like other DHCP client management routes. • ip route for 0.0.0.0 takes precedence if it is present or added later. • Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output.
• An entry in the DHCP snooping table is not added for a DHCP client interface. DHCP Server A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from another DHCP server. Virtual Router Redundancy Protocol (VRRP) Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group.
Example configuration of global DHCP relay source IPv4 or IPv6 interface Following is the sample configuration to configure loopback interface with IPv4 and IPv6 address in CONFIGURATION MODE. Dell(conf)# interface loopback 1 Dell(conf-if-lo-1)# ip vrf forwarding vrf1 Dell(conf-if-lo-1)# ip address 1.1.1.
IPv6 configuration, and two different loopback interfaces (loopback 2 and 3). DHCP relay forwards packets using the loopback 2 interface with IPv4 and IPv6 addresses ((2.2.2.2/32 and 2::2/128) from Vlan 2. The same way, the relay uses IPv4 and IPv6 addresses (3.3.3.3/32 and 3::3/128) of loopback 3 interface from Vlan 3. Dell(conf)# interface Vlan 2 Dell(conf-if-vl-2)# ip vrf forwarding vrf1 Dell(conf-if-vl-2)# ip address 2.0.0.
• assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorized relay agent. The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client.
DHCP Snooping for a Multi-Tenant Host You can configure the DHCP snooping feature such that multiple IP addresses are expected for the same MAC address. You can use the ip dhcp snooping command multiple times to map the same MAC address with different IP addresses. This configuration is also used for dynamic ARP inspection (DAI) and source address validation (SAV). The DAI and SAV tables reflect the same entries in the DHCP snooping binding table.
CONFIGURATION mode ipv6 dhcp snooping vlan vlan-id Adding a Static Entry in the Binding Table To add a static entry in the binding table, use the following command. • Add a static entry in the binding table. EXEC Privilege mode ip dhcp snooping binding mac mac-address vlan-id vlan-id ip ip-address interface interfacetype interface-number lease lease-value If multiple IP addresses are expected for the same MAC address, repeat this step for all IP addresses.
show ip dhcp snooping • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping binding Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command. DellEMC#show ip dhcp snooping IP IP IP IP DHCP DHCP DHCP DHCP Snooping Snooping Mac Verification Relay Information-option Relay Trust Downstream : : : : Enabled. Disabled. Disabled. Disabled.
The following example shows a sample output of the show ip dhcp snooping binding command for a device connected to one of the VLT peers only (orphaned). The physical interface is the one that is directly connected to the VLT peer. DellEMC#show ip dhcp snooping binding Codes : S - Static D - Dynamic IP Address MAC Address Expires(Sec) Type VLAN Interface ========================================================================= 10.1.1.100 00:00:a0:00:00:00 39735 S Vl 200 Te 1/4 10.1.1.
Configuring the DHCP secondary-subnet DHCP Secondary subnet feature is an extended feature of DHCP relay agent. After enabling DHCP Relay Secondary Subnet, relay agent tries to get IP Address from secondary IP Address subnet pool, only when relay agent fails to get IP Address through primary IP Address. 1 To enable all the DHCP relay secondary — subnet interfaces.
Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command. DellEMC#show arp inspection statistics Dynamic ARP Inspection (DAI) Statistics --------------------------------------Valid ARP Requests : 0 Valid ARP Replies : 1000 Invalid ARP Requests : 1000 Invalid ARP Replies : 0 DellEMC# Configuring dynamic ARP inspection-limit To configure dynamic ARP inspection rate limit on a port, perform the following task. 1 Enter into global configuration mode.
Source Address Validation Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV). Table 25. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell EMC Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
Viewing the Number of SAV Dropped Packets The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets.
14 Equal Cost Multi-Path (ECMP) This chapter describes configuring ECMP. This chapter describes configuring ECMP. Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command. • Change the ExaScale hash-algorithm for LAG, ECMP, and NH-ECMP to match TeraScale. CONFIGURATION mode.
NOTE: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs. NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting.
NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system. • Configure the maximum number of paths per ECMP group. CONFIGURATION mode. ip ecmp-group maximum-paths {2-64} • Enable ECMP group path management. CONFIGURATION mode. ip ecmp-group path-fallback Example of the ip ecmp-group maximum-paths Command DellEMC(conf)#ip ecmp-group maximum-paths 3 User configuration has been changed.
show link-bundle-distribution ecmp-group ecmp-group-id The range is from 1 to 64. Viewing an ECMP Group NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring.
15 FIP Snooping The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF). The following table lists the FIP functions. Table 26.
FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB). On a FIP snooping bridge, ACLs are created dynamically as FIP login frames are processed.
Figure 38. FIP Snooping on a Dell EMC Networking Switch The following sections describe how to configure the FIP snooping feature on a switch: • Allocate CAM resources for FCoE. • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis. • To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses.
FIP Snooping in a Switch Stack FIP snooping supports switch stacking as follows: • A switch stack configuration is synchronized with the standby stack unit. • Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages. • In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
• You can configure multiple FCF-trusted interfaces in a VLAN. • When you disable FIP snooping: – ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed. – The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature. • You must apply the CAM-ACL space for the FCoE region before enabling the FIP-Snooping feature.
Enable FIP Snooping on VLANs You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN. When you enable FIP snooping on VLANs: • FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs. • FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
Table 27. Impact of Enabling FIP Snooping Impact Description MAC address learning MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode. MTU auto-configuration MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
4 Enable the FCoE transit feature on a switch. CONFIGURATION mode. feature fip-snooping 5 Enable FIP snooping on all VLANs or on a specified VLAN. CONFIGURATION mode or VLAN INTERFACE mode. fip-snooping enable 6 Configure the port for bridge-to-FCF links. INTERFACE mode or CONFIGURATION mode fip-snooping port-mode fcf NOTE: To disable the FCoE transit feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fip-snooping or no fip-snooping enable.
Examples of the show fip-snooping Commands The following example shows the show fip-snooping sessions command.
Table 30. show fip-snooping enode Command Description Field Description ENode MAC MAC address of the ENode. ENode Interface Slot/port number of the interface connected to the ENode. FCF MAC MAC address of the FCF. VLAN VLAN ID number used by the session. FC-ID Fibre Channel session ID assigned by the FCF. The following example shows the show fip-snooping fcf command. DellEMC# show fip-snooping fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
Number of Session failures due to Hardware Config :0 DellEMC(conf)# DellEMC# show fip-snooping statistics int tengigabitethernet 1/11 Number of Vlan Requests :1 Number of Vlan Notifications :0 Number of Multicast Discovery Solicits :1 Number of Unicast Discovery Solicits :0 Number of FLOGI :1 Number of FDISC :16 Number of FLOGO :0 Number of Enode Keep Alive :4416 Number of VN Port Keep Alive :3136 Number of Multicast Discovery Advertisement :0 Number of Unicast Discovery Advertisement :0 Number of FLOGI Acc
Field Description Number of Unicast Discovery Solicits Number of FIP-snooped unicast discovery solicit frames received on the interface. Number of FLOGI Number of FIP-snooped FLOGI request frames received on the interface. Number of FDISC Number of FIP-snooped FDISC request frames received on the interface. Number of FLOGO Number of FIP-snooped FLOGO frames received on the interface. Number of ENode Keep Alives Number of FIP-snooped ENode keep-alive frames received on the interface.
FCoE Transit Configuration Example The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 39. Configuration Example: FIP Snooping on a Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port DellEMC(conf)# interface tengigabitethernet 1/1 DellEMC(conf-if-te-1/1)# portmode hybrid DellEMC(conf-if-te-1/1)# switchport DellEMC(conf-if-te-1/1)# protocol lldp DellEMC(conf-if-te-1/1-lldp)# dcbx port-role auto-downstream NOTE: A port is enabled by default for bridge-ENode links.
16 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Examples of the show fips status and show system Commands The following example shows the show fips status command. DellEMC#show fips status FIPS Mode : Enabled for the system using the show system command. The following example shows the show system command.
17 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
• One Master node per ring — all other nodes are Transit. • Each node has two member interfaces — primary and secondary. • There is no limit to the number of nodes on a ring. • Master node ring port states — blocking, pre-forwarding, forwarding, and disabled. • Transit node ring port states — blocking, pre-forwarding, forwarding, and disabled. • STP disabled on ring interfaces. • Master node secondary port is in blocking state during Normal operation.
Concept Explanation • Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval. • Topology Change RHF (TCRHF) — These frames contains ring status, keepalive, and the control and member VLAN hash. The TCRHF is processed at each node of the ring.
Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports.
CONFIG-FRRP mode. no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
no disable Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500). – Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
show frrp summary Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • • • • • • Each Control Ring must use a unique VLAN ID. Only two interfaces on a switch can be Members of the same control VLAN. There can be only one Master node for any FRRP group. You can configure FRRP on Layer 2 interfaces only. Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
no shutdown ! interface Vlan 101 no ip address tagged TenGigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged TenGigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary TenGigabitEthernet 2/14 secondary TenGigabitEthernet 2/31 control-vlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface TenGigabitEthernet 3/14 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/21 no ip address switchport no shutdown ! interface Vlan 10
Figure 41. FRRP Ring Connecting VLT Devices You can also configure an FRRP ring where both the VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per VLAN or VLAN group basis enabling the configuration to spawn across different set of VLANs.
In the FRRP ring R2, the primary interface for VLT Node1 (transit node) is the VLTi. P1 is the secondary interface, which is an orphan port that is participating in the FRRP ring topology. V1 is the control VLAN through which the RFHs are exchanged indicating the health of the nodes and the FRRP ring itself. In addition to the control VLAN, multiple member VLANS are configured (for example, M11 through Mn) that carry the data traffic across the FRRP rings.
18 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
• RPM Redundancy Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 43.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP DellEMC(conf)#protocol gvrp DellEMC(config-gvrp)#no disable DellEMC(config-gvrp)#show config ! protocol gvrp no disable DellEMC(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
Based on the configuration in the following example, the interface is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
• RPM Synchronization GARP VLAN Registration Protocol (GVRP) 365
19 High Availability (HA) High availability (HA) is supported on Dell EMC Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell EMC Networking OS release. Table 33. Boot Code Requirements Component Boot Code S4810 1 2.0.
Example of the show redundancy Command DellEMC#show redundancy -- Stack-unit Status ------------------------------------------------Mgmt ID: 0 Stack-unit ID: 0 Stack-unit Redundancy Role: Primary Stack-unit State: Active Stack-unit SW Version: 9.6(0.
Example of the redundancy force-failover stack-unit Command Dell#redundancy force-failover stack-unit System configuration has been modified. Save? [yes/no]: yes Proceed with Stack-unit hot failover [confirm yes/no]:yes Dell# Specifying an Auto-Failover Limit When a non-recoverable fatal error is detected, an automatic failover occurs. However, Dell EMC Networking OS is configured to auto-failover only three times within any 60 minute period and you cannot change that.
Status Required Type : not present : S4810 - 52-port GE/TE/FG (SE) Dell# Dell(conf)#interface tengigabitethernet 1/0 Dell(conf-if-te-1/0)# Removing a Provisioned Logical Stack Unit To remove the line card configuration, use the following command.
Software Resiliency During normal operations, Dell EMC Networking OS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest. Software Component Health Monitoring On each of the line cards and the stack unit, there are a number of software components.
System Log Event messages provide system administrators diagnostics and auditing information. Dell EMC Networking OS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server. For more information about event messages and configurable options, refer to Management. Hot-Lock Behavior Dell EMC Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic.
20 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
leaves a multicast group by sending an IGMP message to its IGMP Querier. The querier is the router that surveys a subnet for multicast receivers and processes survey responses to populate the multicast routing table. IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 44.
3 Any remaining hosts respond to the query according to the delay timer mechanism (refer to Adjusting Query and Response Timers). If no hosts respond (because there are none remaining in the group), the querier waits a specified period and sends another query. If it still receives no response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2.
Figure 46. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 47. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 48. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled IPv4 interfaces. EXEC Privilege mode show ip igmp interface • View IGMP-enabled IPv6 interfaces. EXEC Privilege mode show ipv6 mld interface Example of the show ip igmp interface Command DellEMC#show ip igmp interface TenGigabitEthernet 3/10 Inbound IGMP access group is not set Internet address is 165.87.34.
Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. • View both learned and statically configured IGMP groups. EXEC Privilege mode show ip igmp groups show ipv6 mld groups Example of the show ip igmp groups Command DellEMC# show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface 225.1.1.1 TenGigabitEthernet 1/1 225.1.2.
• Adjust the maximum response time. INTERFACE mode ip igmp query-max-resp-time • Adjust the maximum amount of time that the querier waits, for an IPv6 query response, before taking further action. Interface mode ipv6 mld query-max-response-time • Adjust the last member query interval. INTERFACE mode ip igmp last-member-query-interval • Adjust the amount of time the querier waits, for the initial query response, before sending the next IPv6 query.
Figure 49. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 34. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
• View the configuration. CONFIGURATION mode show running-config • Disable snooping on a VLAN.
no ip igmp snooping flood Specifying a Port as Connected to a Multicast Router To statically specify or view a port in a VLAN, use the following commands. • Statically specify a port in a VLAN as connected to a multicast router. INTERFACE VLAN mode ip igmp snooping mrouter • View the ports that are connected to multicast routers. EXEC Privilege mode. show ip igmp snooping mrouter Configuring the Switch as Querier To configure the switch as a querier, use the following command.
Fast Convergence after MSTP Topology Changes When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Table 35.
When the feature is enabled using the management egress-interface-selection command, the following events are performed: • The CLI prompt changes to the EIS mode. • In this mode, you can run the application and no application commands • Applications can be configured or unconfigured as management applications using the application or no application command. All configured applications are considered as management applications and the rest of them as non-management applications.
Handling of Switch-Initiated Traffic When the control processor (CP) initiates a control packet, the following processing occurs: • TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call which is called as part of the connect system call or in the ip_output function.
• If route lookup in the EIS routing table fails or if the management port is down, then packets are dropped. The management application drop counter is incremented. • Whenever IP address is assigned to the management port, it is stored in a global variable in the IP stack, which is used for comparison with the source IP address of the packet. • Rest of the response traffic is handled as per existing behavior by doing route lookup in the default routing table.
Traffic type / Application type Switch initiated traffic Switch-destined traffic only. No change in the existing behavior.
Table 37.
Table 38.
• Designate an interface as a multicast router interface.
21 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces. NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to error-disabled state.
• Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Non Dell-Qualified Transceivers • Splitting QSFP Ports to SFP+ Ports • Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port • Configuring wavelength for 10–Gigabit SFP+ optics • Link Dampening • Link Bundle Monitoring • Using Ethernet Pause Frames for Flow Control • Configure the MTU Size on an Interface • Port-Pipes
NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C and Dell EMC Networking OS returns to the command prompt. NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query. Examples of the show Commands The following example shows the configuration and status information for one interface.
interface TenGigabitEthernet no ip address shutdown ! interface TenGigabitEthernet no ip address shutdown ! interface TenGigabitEthernet no ip address shutdown ! interface TenGigabitEthernet no ip address shutdown 2/6 2/7 2/8 2/9 Resetting an Interface to its Factory Default State You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps: 1 View the configurations applied on an interface.
interface interface 2 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Enable the interface. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
Type of Interface Possible Modes Requires Creation Default State Loopback Layer 3 Yes No shutdown (enabled) Null interface N/A No Enabled Port Channel Layer 2 Yes Shutdown (disabled) Yes, except for the default VLAN.
through the interface. Layer 2 traffic is unaffected by the shutdown command. One of the interfaces in the system must be in Layer 3 mode before you configure or enter a Layer 3 protocol mode (for example, OSPF). • Enable Layer 3 on an individual interface INTERFACE mode • ip address ip-address Enable the interface.
MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent IP unicast RPF check is not supported Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports.
Management Interfaces The system supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system. Configuring Management Interfaces The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Input 791 packets, 62913 bytes, 775 multicast Received 0 errors, 0 discarded Output 21 packets, 3300 bytes, 20 multicast Output 0 errors, 0 invalid protocol Time since last interface status change: 00:06:03 If there are two RPMs on the system, configure each Management interface with a different IP address. Unless you configure the management route command, you can only access the Management interface from the local LAN.
Description: This is the Managment Interface Hardware is DellEMCEth, address is 00:01:e8:cc:cc:ce Current address is 00:01:e8:cc:cc:ce Pluggable media not present Interface index is 46449666 Internet address is 10.11.131.
! no shutdown Loopback Interfaces A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands. • Enter a number as the Loopback interface.
Port Channel Definition and Standards Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface—a link aggregation group (LAG) or port channel. A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE 802.3ad. In Dell EMC Networking OS, a LAG is referred to as a port channel interface. A port channel provides redundancy by aggregating physical interfaces into one logical interface.
Interfaces in Port Channels When interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. Then, the software checks the first interface listed in the port channel configuration. If you enabled that interface, its speed configuration becomes the common speed of the port channel.
You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists. Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type.
Hardware address is 00:01:e8:01:46:fa Internet address is 1.1.120.
interface port-channel id number 3 Add the interface to the second port channel. INTERFACE PORT-CHANNEL mode channel-member interface Example of Moving an Interface to a New Port Channel The following example shows moving an interface from port channel 4 to port channel 3.
• Add the port channel to the VLAN as an untagged interface. INTERFACE VLAN mode untagged port-channel id number • An interface without tagging enabled can belong to only one VLAN. Remove the port channel with tagging enabled from the VLAN. INTERFACE VLAN mode no tagged port-channel id number or no untagged port-channel id number • Identify which port channels are members of VLANs.
• Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). – secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Deleting or Disabling a Port Channel To delete or disable a port channel, use the following commands. • Delete a port channel.
pipe | hg-seed seed-value stack-unit | lag {checksum | crc | xor} [number] nh-ecmp {checksum | crc | xor}[number] stack—unit number ip-sa-mask value ip-da-mask value | seed seed-value } • For more information about algorithm choices, refer to the command details in the IP Routing chapter of the Dell EMC Networking OS Command Reference Guide. Change to another algorithm.
The show configuration command is also available under Interface Range mode. This command allows you to display the running configuration only for interfaces that are part of interface range. You can avoid specifying spaces between the range of interfaces, separated by commas, that you configure by using the interface range command. For example, if you enter a list of interface ranges, such as interface range fo 2/0-1,te 10/0,te 3/0,fo 0/0, this configuration is considered valid.
Exclude a Smaller Port Range The following is an example show how the smaller of two port ranges is omitted in the interface-range prompt.
Choosing an Interface-Range Macro To use an interface-range macro, use the following command. • Selects the interfaces range to be configured using the values saved in a named interface-range macro. CONFIGURATION mode interface range macro name Example of Using a Macro to Change the Interface Range Configuration Mode The following example shows how to change to the interface-range configuration mode using the interface-range macro named “test.
Error statistics: Input underruns: Input giants: Input throttles: Input CRC: Input IP checksum: Input overrun: Output underruns: Output throttles: m l T q - 0 0 0 0 0 0 0 0 Change mode Page up Increase refresh interval Quit 0 0 0 0 0 0 0 0 pps pps pps pps pps pps pps pps 0 0 0 0 0 0 0 0 c - Clear screen a - Page down t - Decrease refresh interval q DellEMC# Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell EMC Networking switches.
The following command output displays that the interface is in error-disabled state: DellEMC#show interfaces fortyGigE 1/50 fortyGigE 1/50 is up, line protocol is down(error-disabled[Transceiver Unsupported]) Hardware is DellEMCEth, address is 34:17:eb:f2:25:c6 Current address is 34:17:eb:f2:25:c6 Non-qualified pluggable media present, QSFP type is 40GBASE-SR4 Wavelength is 850nm No power Interface index is 2103813 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :3417ebf225
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA). QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling. Using this adapter, you can effectively use a QSFP or QSFP+ module to connect to a lower-end switch or server that uses an SFP or SFP+ based module.
• QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
NOTE: In the following show interfaces tengigbitethernet transceiver commands, the ports 5,6, and 7 are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell Networking OS still perceives these ports as valid and the output shows that pluggable media (optical cables) is inserted into these ports. This is a software limitation for this release.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$ Dell#show interfaces tengigabitethernet 0/0 tengigabitethernet 0/0 is up, line protocol is up Hardware is DellEth, address is 90:b1:1c:f4:9a:fa Current address is 90:b1:1c:f4:9a:fa Pluggable media present, SFP+ type is 10GBASE-SX Interface index is 35012865 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :90b11cf49afa MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit Dell#show interfaces tengigabitethernet
LineSpeed 1000 Mbit Dell#show interfaces tengigabitethernet 0/8 TenGigabitEthernet 0/0 is up, line protocol is up Hardware is DellEth, address is 90:b1:1c:f4:9a:fa Current address is 90:b1:1c:f4:9a:fa Pluggable media present, QSFP type is 4x10GBASE-CR1-3M …….. LineSpeed 10000 Mbit The show inventory command shows the following output: NOTE: In the following show inventory media command output, the port numbers 1, 2, 3, 5, 6, and 7 ports are actually inactive.
You configure link dampening using the dampening [[[[half-life] [reuse-threshold]] [suppress-threshold]] [max-suppress-time]] command on the interface. Following is the detailed explanation of interface state change events: • suppress-threshold— The suppress threshold is a value that triggers a flapping interface to dampen. The system adds penalty when the interface state goes up and down.
Figure 50. Interface State Change Consider an interface periodically flaps as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), the penalty is added to 1024. And, the accumulated penalty will exponentially decay based on the set half-life, which is set as 10 seconds in the above example.
accumulated. When the accumulated penalty exceeds the configured suppress threshold (2400), the interface state is set to Error-Disabled state. After the flap (flap 3), the interface flap stops. Then, the accumulated penalty decays exponentially and when it reaches below the set reuse threshold (300), the interface is unsuppressed and the interface state changes to “up” state. Enabling Link Dampening To enable link dampening, use the following command. • Enable link dampening.
Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command. • show interfaces dampening • show interfaces dampening summary • show interfaces interface slot/port Configure MTU Size on an Interface In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation.
link-bundle-distribution trigger-threshold DellEMC(conf)#link-bundle-distribution trigger-threshold • View the link bundle monitoring status. show link-bundle-distribution Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell EMC Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it.
The flow control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes. To enable pause frames, use the following command. • Control how the system responds to and generates 802.3x pause frames on the Ethernet ports. INTERFACE mode flowcontrol {rx [off | on] tx [off | on] [negotiate] } – rx on: enter the keywords rx on to process the received flow control frames on this port.
For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500. The VLAN’s Link MTU cannot be higher than 1518 bytes and its IP MTU cannot be higher than 1500 bytes. Port-Pipes A port pipe is a Dell EMC Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port-set.
INTERFACE mode duplex {half | full} 7 Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8 Verify configuration changes. INTERFACE mode show config Example of the show interfaces status Command to View Link Status NOTE: The show interfaces status command displays link status, but not administrative status. For both link and administrative status, use the show ip interface command.
Example of the negotiation auto Command DellEMC(conf)# int tengigabitethernet 1/1 DellEMC(conf-if-te-1/1)#neg auto DellEMC(conf-if-te-1/1-autoneg)# ? end Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode no Negate a command or set its defaults show Show autoneg configuration information DellEMC(conf-if-te-1/1-autoneg)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode DellEMC(conf-if-te-1/1-autoneg)# For details about the speed
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs. Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds.
0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 100 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 1d23h42m Configuring the Traffic Sampling Size Globally You can configure the traffic sampling size for an interface in the global configuration mode.
Output 100.00 Mbits/sec, 4636111 packets/sec, 10.
Clearing Interface Counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters any SNMP program captures. To clear the counters, use the following the command. • Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters.
22 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
transform-set myXform-set session-key inbound esp 256 auth encrypt session-key outbound esp 257 auth encrypt match 0 tcp a::1 /128 0 a::2 /128 23 match 1 tcp a::1 /128 23 a::2 /128 0 match 2 tcp a::1 /128 0 a::2 /128 21 match 3 tcp a::1 /128 21 a::2 /128 0 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0 3 Apply the crypto policy to management traffic.
23 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
• UDP Helper with Broadcast-All Addresses • UDP Helper with Subnet Broadcast Addresses • UDP Helper with Configured Broadcast Addresses • UDP Helper with No Configured Broadcast Addresses • Troubleshooting UDP Helper IP Addresses Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported.
2 • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Enable the interface. INTERFACE mode no shutdown 3 Configure a primary IP address and mask on the interface.
– tag tag-value: the range is from 1 to 4294967295. (optional) Example of the show ip route static Command To view the configured routes, use the show ip route static command. DellEMC#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.4/32 via 6.1.20.2, S 6.1.2.5/32 via 6.1.20.2, S 6.1.2.6/32 via 6.1.20.2, S 6.1.2.7/32 via 6.1.20.2, S 6.1.2.8/32 via 6.1.20.2, S 6.1.2.9/32 via 6.1.20.
IPv4 Path MTU Discovery Overview The size of the packet that can be sent across each hop in the network path without being fragmented is called the path maximum transmission unit (PMTU). This value might vary for the same route between two devices, mainly over a public network, depending on the network load and speed, and it is not a consistent value. The MTU size can also be different for various types of traffic sent from one host to the same endpoint.
source-interface interface commands in Configuration mode to enable the ICMP error messages to be sent with the source interface IP address. This functionality is supported on loopback, VLAN, port channel, and physical interfaces for IPv4 and IPv6 messages. feature is not supported on tunnel interfaces. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported for tunnel interfaces.
In a dual stack setup, the system sends both A ( for IPv4 — RFC 1035) and AAAA ( for IPv6 — RFC 3596) record requests to a DNS server even if you configure only the ip name-server command. The following sections describe DNS and the resolution of host names. • • • Enabling Dynamic Resolution of Host Names Specifying the Local System Domain and a List of Domains Configuring DNS with Traceroute Name server, Domain name, and Domain list are VRF specific.
• Enter up to 63 characters to configure names to complete unqualified host names. CONFIGURATION mode ip domain-list name Configure this command up to six times to specify a list of possible domain names. Dell EMC Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted. Configuring DNS with Traceroute To configure your switch to perform DNS with traceroute, use the following commands. • Enable dynamic resolution of host names.
In Dell EMC Networking OS, Proxy ARP enables hosts with knowledge of the network to accept and forward packets from hosts that contain no knowledge of the network. Proxy ARP makes it possible for hosts to be ignorant of the network, including subnetting. For more information about Proxy ARP, refer to RFC 925, Multi-LAN Address Resolution, and RFC 1027, Using ARP to Implement Transparent Subnet Gateways.
To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output. Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. • Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
Figure 51. ARP Learning via ARP Request Beginning with Dell EMC Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 52. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
CONFIGURATION mode arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet.
Important Points to Remember • The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface. • The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper. • You may specify a maximum of 16 UDP ports.
2 If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If you do not configure an IP broadcast address (using the ip udp-broadcast-address command) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
2017-08-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6 2017-08-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2 2017-08-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90 Packet 0.0.0.0:68 -> 255.255.255.
24 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Flow Label (20 bits) • Payload Length (16 bits) • Next Header (8 bits) • Hop Limit (8 bits) • Source Address (128 bits) • Destination Address (128 bits) IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
Next Header (8 bits) The Next Header field identifies the next header’s type. If an Extension header is used, this field contains the type of Extension header (as shown in the following table). If the next header is a transmission control protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers do not severely impact performance.
10 Discard the packet and send an ICMP Parameter Problem Code 2 message to the packet’s Source IP Address identifying the unknown option type. 11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination.
the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way. In IPv6, every interface, whether using static or dynamic address assignments, also receives a local-link address automatically in the fe80::/64 subnet.
Feature and Functionality Dell EMC Networking OS Release Introduction Documentation and Chapter Location S4810 IS-IS for IPv6 support for redistribution 8.3.10 Intermediate System to Intermediate System IPv6 IS-IS in the Dell EMC Networking OS Command Line Reference Guide. ISIS for IPv6 support for distribute lists and administrative distance 8.3.10 OSPF for IPv6 (OSPFv3) 9.1(0.0) Equal Cost Multipath for IPv6 8.3.
• Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node. These messages include Destination Unreachable, Packet Too Big, Time Exceeded and Parameter Problem messages. • Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages.
NOTE: To avoid problems with network discovery, Dell EMC Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary processing by uninterested nodes.
lifetime to use the RDNSS address does not expire. A value of 0 indicates to the host that the RDNSS address should not be used. You must specify a lifetime using the lifetime or infinite parameter. The DNS server address does not allow the following: • link local addresses • loopback addresses • prefix addresses • multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 1/1.
Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol. • Adjusting Your CAM-Profile • Assigning an IPv6 Address to an Interface • Assigning a Static IPv6 Route • Configuring Telnet with IPv6 • SNMP over IPv6 • Showing IPv6 Information • Clearing IPv6 Routes Adjusting Your CAM-Profile Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks.
The total number of groups is 4. Assigning an IPv6 Address to an Interface Essentially, IPv6 is enabled in Dell EMC Networking OS simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully. To assign an IPv6 address to an interface, use the ipv6 address command.
Configuring Telnet with IPv6 The Telnet client and server in Dell EMC Networking OS supports IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router. NOTE: Telnet to link local addresses is supported on the system. • Enter the IPv6 Address for the device. EXEC mode or EXEC Privileged mode telnet [vrf vrf-name] ipv6 address – ipv6 address: x:x:x:x::x – mask: prefix length is from 0 to 128.
prefix-list route rpf DellEMC# List IPv6 prefix lists IPv6 routing information RPF table Displaying an IPv6 Interface Information To view the IPv6 configuration for a specific interface, use the following command. • Show the currently running configuration for the specified interface. EXEC mode show ipv6 interface interface {slot/port} Enter the keyword interface then the type of interface and slot/port information: – For all brief summary of IPv6 status and configuration, enter the keyword brief.
show ipv6 route [vrf vrf-name] type The following keywords are available: – To display information about a network, enter ipv6 address (X:X:X:X::X). – To display information about a host, enter hostname. – To display information about all IPv6 routes (including non-active routes), enter all. – To display information about all connected IPv6 routes, enter connected. – To display information about brief summary of all IPv6 routes, enter summary.
Showing the Running-Configuration for an Interface To view the configuration for any interface, use the following command. • Show the currently running configuration for the specified interface. EXEC mode show running-config interface type {slot/port} Enter the keyword interface then the type of interface and slot/port information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
INTERFACE no ipv6 nd disable-reachable-timer The following example shows how to disable the ND timer. DellEMC(conf-if-fo-1/1/1)#ipv6 nd disable-reachable-timer Configuring IPv6 RA Guard The IPv6 Router Advertisement (RA) guard allows you to block or reject the unwanted router advertisement guard messages that arrive at the network device platform. To configure the IPv6 RA guard, perform the following steps: 1 Configure the terminal to enter the Global Configuration mode.
router-preference maximum {high | low | medium} 10 Set the router lifetime. POLICY LIST CONFIGURATION mode router—lifetime value The router lifetime range is from 0 to 9,000 seconds. 11 Apply the policy to trusted ports. POLICY LIST CONFIGURATION mode trusted-port 12 Set the maximum transmission unit (MTU) value. POLICY LIST CONFIGURATION mode mtu value 13 Set the advertised reachability time.
INTERFACE mode ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vland 2, vlan 3.....]] 3 Display the configurations applied on all the RA guard policies or a specific RA guard policy. EXEC Privilege mode show ipv6 nd ra-guard policy policy-name The policy name string can be up to 140 characters.
25 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets. • iSCSI DCBx TLVs are supported.
Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
If more than 256 simultaneous sessions are logged continuously, the following message displays indicating the queue rate limit has been reached: %STKUNIT2-M:CP %iSCSI-5-ISCSI_OPT_MAX_SESS_EXCEEDED: New iSCSI Session Ignored: ISID 400001370000 InitiatorName - iqn.1991-05.com.microsoft:dt-brcd-cna-2 TargetName iqn.2001-05.com.equallogic:4-52aed6-b90d9446c-162466364804fa49-wj-v1 TSIH - 0" NOTE: If you are using EqualLogic or Compellent storage arrays, more than 256 simultaneous iSCSI sessions are possible.
including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection. After you execute the iscsi profile-compellent command, the following actions occur: • Jumbo frame size is set to the maximum for all interfaces on all ports and port-channels, if it is not already enabled. • Spanning-tree portfast is enabled on the interface. • Unicast storm control is disabled on the interface.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 43. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting Disabled on the S4810, S4820T, S3048–ON, S4048–ON, and S3100 series. iSCSI CoS mode (802.1p priority queue mapping) dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
NOTE: Content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled: • session monitoring • aging • class of service You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and this information the show iscsi command displays this information. 2 For a non-DCB environment: Enable iSCSI.
[no] iscsi cos {enable | disable | dot1p vlan-priority-value [remark] | dscp dscp-value [remark]} • enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with a dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dotp1 priority 4 without remark. • disable: disables the application of preferential QoS treatment to iSCSI frames.
show run iscsi Examples of the show iscsi Commands The following example shows the show iscsi command. DellEMC#show iscsi iSCSI is enabled iSCSI session monitoring is disabled iSCSI COS : dot1p is 4 no-remark Session aging time: 10 Maximum number of connections is 256 -----------------------------------------------iSCSI Targets and TCP Ports: -----------------------------------------------TCP Port Target IP Address 3260 860 The following example shows the show iscsi session command.
26 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 60.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, portchannel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
IPv6 Reachability and IPv6 Interface Address. Also, a new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports.
Configuration Tasks for IS-IS The following describes the configuration tasks for IS-IS. • Enabling IS-IS • Configure Multi-Topology IS-IS (MT IS-IS) • Configuring IS-IS Graceful Restart • Changing LSP Attributes • Configuring the IS-IS Metric Style • Configuring IS-IS Cost • Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debugging IS-IS Enabling IS-IS By default, IS-IS is not enabled.
4 • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Enter an IPv4 Address. INTERFACE mode ip address ip-address mask Assign an IP address and mask to the interface.
Accept wide metrics: DellEMC# none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4 Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215. Configuring IS-IS Graceful Restart To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings. • Enable graceful restart on ISIS processes.
– adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value so if user has configured this option. – manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds. Examples of the show isis graceful-restart detail Command NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP.
LSP Interval: 33 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 DellEMC# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115 Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: DellEMC# level-1-2 level-1-2 none none Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. • Assign an IS-IS metric.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} • Default is level-1-2. Change the IS-type for the IS-IS process.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or Dell EMC Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
• Apply a configured prefix list to all incoming IPv6 IS-IS routes. ROUTER ISIS-AF IPV6 mode distribute-list prefix-list-name in [interface] Enter the type of interface and the interface information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
ROUTER ISIS mode redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id the range is from 1 to 65535. – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric value the range is from 0 to 16777215. The default is 0. – match external the range is from 1 or 2.
Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers. However, if you want the routers in the level to communicate with each other, configure them with the same password. To configure a simple text password, use the following commands.
eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.00-00 0x00000002 0xD1A7 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000006 0xC38A eljefe.00-00 * 0x0000000E 0x53BF eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command. IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Table 46. Metric Value When the Metric Style Changes Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value wide narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value commands and is used if you change back to transition metric style. Moving to transition and then to another metric style produces different results. Table 47.
Level-1 Metric Style Level-2 Metric Style Resulting Metric Value wide transition narrow truncated value wide transition narrow transition truncated value wide transition transition truncated value Sample Configurations The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
IS-IS Sample Configuration — Congruent Topology IS-IS Sample Configuration — Multi-topology IS-IS Sample Configuration — Multi-topology Transition The following is a sample configuration for enabling IPv6 IS-IS. DellEMC(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ip address 24.3.1.
27 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
LACP Modes Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP. • Creating a LAG • Configuring the LAG Interfaces as Dynamic • Setting the LACP Long Timeout • Monitoring and Debugging LACP • Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. • Create a dynamic port channel (LAG).
DellEMC(conf)#interface TenGigabitethernet 4/15 DellEMC(conf-if-te-4/15)#no shutdown DellEMC(conf-if-te-4/15)#port-channel-protocol lacp DellEMC(conf-if-te-4/15-lacp)#port-channel 32 mode active ...
• Debug LACP, including configuration and events. EXEC mode [no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]] Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
Example of LAGs in the Same Failover Group DellEMC#config DellEMC(conf)#port-channel failover-group DellEMC(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2 To view the failover group configuration, use the show running-configuration po-failover-group command. DellEMC#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group.
Important Points about Shared LAG State Tracking The following is more information about shared LAG state tracking. • • • • • This feature is available for static and dynamic LAGs. Only a LAG can be a member of a failover group. You can configure shared LAG state tracking on one side of a link or on both sides. If a LAG that is part of a failover group is deleted, the failover group is deleted. If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
Port is part of Port-channel 10 Hardware is DellEMCEth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface Index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts,
Figure 65.
Figure 66.
Figure 67.
Summary of the LAG Configuration on Bravo Bravo(conf-if-te-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-3/21)#port-channel-protocol lacp Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active Bravo(
Figure 68.
Figure 69.
Figure 70. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
28 Layer 2 This chapter describes the Layer 2 features supported on the device. Manage the MAC Address Table You can perform the following management tasks in the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in Dell EMC Networking OS version 8.3.1.0 is different from versions 8.2.1.
When you enable sticky mac on an interface, dynamically-learned MAC addresses do not age, even if you enabled mac-learninglimit dynamic. If you configured mac-learning-limit and mac-learning-limit dynamic and you disabled sticky MAC, any dynamically-learned MAC addresses ages. mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface.
Setting Station Move Violation Actions no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move. INTERFACE mode station-move-violation log • Shut down the first port to learn the MAC address.
Disabling MAC Address Learning on the System You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs. To disable source MAC address learning from LACP and LLDP BPDUs, follow this procedure: • Disable source MAC address learning from LACP BPDUs. CONFIGURATION mode mac-address-table disable-learning lacp • Disable source MAC address learning from LLDP BPDUs. CONFIGURATION mode mac-address-table disable-learning lldp • Disable source MAC address learning from LACP and LLDP BPDUs.
Figure 71. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
following illustration). The redundant pairs feature allows you to create redundant links in networks that do not use STP by configuring backup interfaces for the interfaces on either side of the primary link. NOTE: For more information about STP, refer to Spanning Tree Protocol (STP). Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to Up state.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
1 L2 up 00:08:33 Te 1/1 (Up) 2 L2 up 00:00:02 Te 2/1 (Up) DellEMC#configure DellEMC(conf)#interface port-channel 1 DellEMC(conf-if-po-1)#switchport backup interface port-channel 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2 DellEMC(conf-if-po-1)# DellEMC# DellEMC#show
In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
Configuring FEFD You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • Enable FEFD globally on all interfaces. CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
fefd [mode {aggressive | normal}] • Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1 2w1d22h : FEFD state on Te 4/1 changed from Bi-directional to Unknown DellEMC#debug fefd packets DellEMC#2w1d22h : FEFD packet sent via interface Te 1/1 Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Te 1/1) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Te 4/1) Sender hold time -- 3 (second) 2w1d22h : FEFD packet received on interface Te 4/1 Sender state -- Bi-directional Sender
29 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 50. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of a LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 77. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell EMC Networking system to advertise any or all of these TLVs. Table 51. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. Dell EMC Networking OS does not currently support this TLV.
Type TLV Description in the Dell EMC Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDPMED implementation. 127 Power via MDI Dell EMC Networking supports the LLDPMED protocol, which recommends that Power via MDI TLV be not implemented, and therefore Dell EMC Networking implements Extended Power via MDI TLV only.
Table 52. TIA-1057 (LLDP-MED) Organizationally Specific TLVs Type SubType TLV Description 127 1 LLDP-MED Capabilities Indicates: • • • whether the transmitting device supports LLDP-MED what LLDP-MED TLVs it supports LLDP device class 127 2 Network Policy Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV. • • The value of the LLDP-MED capabilities field in the TLV is a 2–octet bitmap, each bit represents an LLDP-MED capability (as shown in the following table). The possible values of the LLDP-MED device type are shown in the following.
• VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell EMC Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
• LLDP is not hitless. LLDP Compatibility • Spanning tree and force10 ring protocol “blocked” ports allow LLDPDUs. • 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated. CONFIGURATION versus INTERFACE Configurations All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of the CONFIGURATION mode and INTERFACE mode. • Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface. disable To undo an LLDP configuration, precede the relevant command with the keyword no. Enabling LLDP on Management Ports LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command. 1 Enter Protocol LLDP mode. CONFIGURATION mode protocol lldp 2 Enter LLDP management-interface mode.
To advertise TLVs, use the following commands. 1 Enter LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2 Advertise one or more TLVs. PROTOCOL LLDP mode advertise {dcbx-appln-tlv | dcbx-tlv | dot3-tlv | interface-port-desc | management-tlv | med } Include the keyword for each TLV you want to advertise. • For management TLVs: system-capabilities, system-description. • For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id vlan-name. • For 802.3 TLVs: max-frame-size.
Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
Example of Viewing Detailed Information Advertised by Neighbors DellEMC(conf)#do show lldp neighbors detail ======================================================================== Local Interface TenGigabitEthernet 1/1 has 2 neighbors Total Frames Out: 3 Total Frames In: 8 Total Neighbor information Age outs: 0 Total Multiple Neighbors Detected: 0 Total Frames Discarded: 0 Total In Error Frames: 0 Total Unrecognized TLVs: 960 Total TLVs Discarded: 16 Next packet will be sent after 9 seconds The neighbors a
Locally assigned remote Neighbor Index: 1 Remote TTL: 300 Information valid for next 201 seconds Time since last information change of this neighbor: 00:01:39 UnknownTLVList: OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119, --------------------------------------------------------------------------Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 4c:76:25:f4:ab:02 Remote Por
protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring Transmit and Receive Mode After you enable LLDP, the system transmits and receives LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands. • Transmit only. CONFIGURATION mode or INTERFACE mode mode tx • Receive only.
• Adjust the TTL value. CONFIGURATION mode or INTERFACE mode. multiplier • Return to the default multiplier value. CONFIGURATION mode or INTERFACE mode.
Figure 82. The debug lldp detail Command — LLDPDU Packet Dissection Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
• received and transmitted LLDP-MED TLVs Table 56. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether you enable the local LLDP agent for transmit, receive, or both. msgTxHold lldpMessageTxHoldMultiplier Multiplier value. msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs.
TLV Type 4 TLV Name Port Description 5 System Name 6 System Description 7 System Capabilities 8 Management Address TLV Variable System LLDP MIB Object port ID Local lldpLocPortId Remote lldpRemPortId Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local lldpLocSysDesc Remote lldpRemSysDesc Local lldpLocSysCapSupported Remote lldpRemSysCapSupported Local lldpLocSysCapEnabled Remote lldpRemSysCapEnabled Local lldpLocManAddrLen R
TLV Type TLV Name TLV Variable PPVID 127 VLAN Name VID VLAN name length VLAN name System LLDP MIB Object Remote lldpXdot1RemProtoVlanEna bled Local lldpXdot1LocProtoVlanId Remote lldpXdot1RemProtoVlanId Local lldpXdot1LocVlanId Remote lldpXdot1RemVlanId Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Table 59.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object L2 Priority Local lldpXMedLocMediaPolicyPri ority Remote lldpXMedRemMediaPolicyP riority Local lldpXMedLocMediaPolicyDs cp Remote lldpXMedRemMediaPolicyD scp Local lldpXMedLocLocationSubty pe Remote lldpXMedRemLocationSubt ype Local lldpXMedLocLocationInfo Remote lldpXMedRemLocationInfo Local lldpXMedLocXPoEDeviceTy pe Remote lldpXMedRemXPoEDeviceT ype Local lldpXMedLocXPoEPSEPow erSource DSCP Value 3 Location Identi
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object lldpXMedRemXPoEPDPow erReq Link Layer Discovery Protocol (LLDP) 559
30 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With Multicast NLB mode, the data forwards to all the servers based on the port specified using the following Layer 2 multicast command in CONFIGURATION MODE: mac-address-table static multicast vlan output-range , Limitations of the NLB Feature The following limitations apply to switches on which you configure NLB: • The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
CONFIGURATION mode ip vlan-flooding There might be some ARP table entries that are resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
31 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 84.
active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP. Receivers join toward the new RP and connectivity is maintained. Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process.
Figure 85.
Figure 86.
Figure 87.
Figure 88. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Examples of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
R3(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
show ip msdp sa-limit If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in Dell EMC Networking OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 89.
Figure 90.
Figure 91. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr 229.0.50.2 229.0.50.3 229.0.50.4 SourceAddr 24.0.50.2 24.0.50.3 24.0.50.4 RPAddr 200.0.0.50 200.0.0.50 200.0.0.50 LearnedFrom 10.0.50.2 10.0.50.2 10.0.50.2 DellEMC#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.50 Expire 73 73 73 UpTime 00:13:49 00:13:49 00:13:49 LearnedFrom 10.0.50.
R1_E600(conf)#do show ip msdp sa-cache R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires. [Router 1] R1(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.3 list mylocalfilter R1(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none [Router 1] R1(conf)#do show ip msdp peer Peer Addr: 192.168.0.3 Local Addr: 0.0.0.0(0) Connect Source: Lo 0 State: Inactive Up/Down Time: 00:00:03 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics.
03:17:10 : MSDP-0: Peer 192.168.0.3, 03:17:27 : MSDP-0: Peer 192.168.0.3, Input (S,G) filter: none Output (S,G) filter: none rcvd Keepalive msg sent Source Active msg MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping.
Figure 92. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
interface Loopback 1 ip address 192.168.0.11/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.
The following example shows an R3 configuration for MSDP with Anycast RP. ip multicast-routing ! interface TenGigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface TenGigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R2 Running-Config ip multicast-routing ! interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.
ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 1/1 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Adding and Removing Interfaces • Creating Multiple Spanning Tree Instances • Influencing MSTP Root Selection • Interoperate with Non-Dell Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • MSTP Sample Configurations • Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell EMC Networking OS supports four variations of spanning
Related Configuration Tasks The following are the related configuration tasks for MSTP.
• spanning-tree 0 To remove an interface from the MSTP topology, use the no spanning-tree 0 command. Creating Multiple Spanning Tree Instances To create multiple spanning tree instances, use the following command. A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP, create multiple MSTIs and map VLANs to them. • Create an MSTI. PROTOCOL MSTP mode msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI.
Port path cost 20000, Port priority 128, Port Identifier 128.384 Designated root has priority 32768, address 0001.e806.953e Designated bridge has priority 32768, address 0001.e809.c24a Designated port id is 128.
Changing the Region Name or Revision To change the region name or revision, use the following commands. • Change the region name. PROTOCOL MSTP mode name name • Change the region revision number. PROTOCOL MSTP mode revision number Example of the name Command To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
NOTE: With large configurations (especially those configurations with more ports) Dell EMC Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3 Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4 Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40. The default is 20.
Port Cost Default Value 25-Gigabit Ethernet interfaces 1700 40-Gigabit Ethernet interfaces 1400 50-Gigabit Ethernet interfaces 1200 100-Gigabit Ethernet interfaces 200 Port Channel with 100 Mb/s Ethernet interfaces 180000 Port Channel with 1-Gigabit Ethernet interfaces 18000 Port Channel with 10-Gigabit Ethernet interfaces 1800 Port Channel with 25-Gigabit Ethernet interfaces 1200 Port Channel with 50-Gigabit Ethernet interfaces 200 Port Channel with 100-Gigabit Ethernet interfaces 180
– If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. – When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware. – When you remove a physical port from a port channel in the Error Disable state, the error disabled state is cleared on this physical port (the physical port is enabled in the hardware).
Figure 94. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1 Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology. 3 Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1 Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology. 3 Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
MSTI 2 VLAN 200,300 ! (Step 2) interface TenGigabitEthernet 3/11 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/21 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown SFTOS Example Running-Configuration This example uses the following steps: 1 Enable
interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode • debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
DellEMC# 4w0d4h : MSTP: Sending BPDU on Te 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470 Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: Tahiti, Rev: 123, Int Root Path Cost: 0 Rem Hops: 20, Bridge Id: 32768:0001.e806.953e 4w0d4h : INST 1: Flags: 0x6e, Reg Root: 32768:0001.e806.
33 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol Ethernet Address OSPF 01:00:5e:00:00:05 01:00:5e:00:00:06 RIP 01:00:5e:00:00:09 NTP 01:00:5e:00:01:01 VRRP 01:00:5e:00:00:12 PIM-SM 01:00:5e:00:00:0d • The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. • Multicast is not supported on secondary IP addresses. • If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
• Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range is from 1 to 16000. The default is 4000. NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit is reached using the ip multicast-limit command.
Figure 95. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 62. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in PIM. INTERFACE mode ip pim neighbor-filter Preventing a Source from Registering with the RP To prevent the PIM source DR from sending register packets to route processor (RP) for the specified multicast source and group, use the following command.
Figure 96. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 63. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell EMC Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Important Points to Remember • Destination address of the mtrace query message can be either a unicast or a multicast address. NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver. • When you issue an mtrace without specifying a group address (weak mtrace), the destination address is considered as the unicast address of the receiver.
– Forwarding code — error code as present in the response blocks – Source Network/Mask — source mask Example of the mtrace Command to View the Network Path The following is an example of tracing a multicast route. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort. Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. Forwarding code can be added at any node and is not restricted to the last hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported: Table 65.
Scenario Output -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM enabled interface on the node. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort.
Scenario Output 103.103.103.0/24 -3 2.2.2.1 PIM 103.103.103.0/24 -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
Scenario Output -3 10.10.10.1 PIM No route default ----------------------------------------------------------------- If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated. R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
Scenario Output -3 2.2.2.1 PIM 99.99.0.0/16 -4 * * * * ----------------------------------------------------------------- If there is no response for mtrace even after switching to expanded hop search, the command displays an error message. R1>mtrace 99.99.99.99 1.1.1.1 Type Ctrl-C to abort. While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Scenario Output scenario, a corresponding error message is displayed. ---------------------------------------------------------------|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask| ---------------------------------------------------------------0 4.4.4.5 --> Destination -1 4.4.4.4 PIM 6.6.6.0/24 -2 20.20.20.2 PIM 6.6.6.0/24 -3 10.10.10.1 PIM Wrong interface 6.6.6.0/24 ----------------------------------------------------------------R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 97. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
To configure object tracking on the status of a Layer 2 interface, use the following commands. 1 Configure object tracking on the line-protocol state of a Layer 2 interface. CONFIGURATION mode track object-id interface interface line-protocol Valid object IDs are from 1 to 500. 2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0.
For an IPv6 interface, a routing object only tracks the UP/DOWN status of the specified IPv6 interface (the track interface ipv6routing command). • The status of an IPv6 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IPv6 address. • The Layer 3 status of an IPv6 interface goes DOWN when its Layer 2 status goes down (for a Layer 3 VLAN, all VLAN ports must be down) or the IPv6 address is removed from the routing table.
Interface TenGigabitEthernet 7/11 ipv6 routing Description: Austin access point Track an IPv4/IPv6 Route You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/ IPv6 route.
Tracking Route Reachability Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1 Configure object tracking on the reachability of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name] Valid object IDs are from 1 to 500.
The following example configures object tracking on the reachability of an IPv6 route: DellEMC(conf)#track 105 ipv6 route 1234::/64 reachability DellEMC(conf-track-105)#delay down 5 DellEMC(conf-track-105)#description Headquarters DellEMC(conf-track-105)#end DellEMC#show track 105 Track 105 IPv6 route 1234::/64 reachability Description: Headquarters Reachability is Down (route not in route table) 2 changes, last change 00:03:03 Configuring track reachability refresh interval If there is no entry in ARP tab
2 • OSPF routes - 1 to 1592. The efault is 1. Configure object tracking on the metric of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name] Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format. Valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128.
The following example configures object tracking on the metric threshold of an IPv6 route: DellEMC(conf)#track 8 ipv6 route 2::/64 metric threshold DellEMC(conf-track-8)#threshold metric up 30 DellEMC(conf-track-8)#threshold metric down 40 Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands.
IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf Command DellEMC#show track vrf red Track 5 IP route 192.168.0.0/24 reachability, Vrf: red Reachability is Up (CONNECTED) 3 changes, last change 00:02:39 First-hop interface is TenGigabitEthernet 1/4 Example of Viewing Object Tracking Configuration DellEMC#show running-config track track 1 ip route 23.0.0.
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Areas allow you to further organize your routers within in the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 98. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.
• A not-so-stubby area (NSSA) can import AS external route information and send it to the backbone. It cannot receive external AS information from the backbone or other areas. • Totally stubby areas are referred to as no summary areas in the Dell EMC Networking OS. Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important.
Figure 99. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
Figure 100. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 16,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
Graceful Restart Graceful restart for OSPFv2 and OSPFv3 are supported on the S4810 platform in Helper and Restart modes. When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. Dell EMC Networking OS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Examples of Setting and Viewing a Dead Interval In the following example, the dead interval is set at 4x the hello interval (shown in bold). DellEMC(conf)#int tengigabitethernet 2/2 DellEMC(conf-if-te-2/2)#ip ospf hello-interval 20 Dell(conf-if-te-2/2)#ip ospf dead-interval 80 DellEMC(conf-if-te-2/2)# In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Troubleshooting OSPFv2 1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing. 2 Enable OSPF globally. Assign network area and neighbors. 3 Add interfaces or configure other attributes. 4 Set the time interval between when the switch receives a topology change and starts a shortest path first (SPF) calculation.
The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
If you are using a Loopback interface, refer to Loopback Interfaces. 2 Enable the interface. CONFIG-INTERFACE mode no shutdown 3 Return to CONFIGURATION mode to enable the OSPFv2 process globally. CONFIGURATION mode router ospf process-id [vrf] The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
The first bold lines assign an IP address to a Layer 3 interface, and theno shutdown command ensures that the interface is UP. The second bold line assigns the IP address of an interface to an area. Example of Enabling OSPFv2 and Assigning an Area to an Interface DellEMC#(conf)#int te 4/14 Dell(conf-if-te-4/14)#ip address 10.10.10.10/24 DellEMC(conf-if-te-4/14)#no shutdown DellEMC(conf-if-te-4/14)#ex DellEMC(conf)#router ospf 1 DellEMC(conf-router_ospf-1)#network 1.2.3.
Adjacent with neighbor 10.168.253.5 (Designated Router) Adjacent with neighbor 10.168.253.3 (Backup Designated Router) Loopback 0 is up, line protocol is up Internet Address 10.168.253.2/32, Area 0.0.0.1 Process ID 1, Router ID 10.168.253.2, Network Type LOOPBACK, Cost: 1 Loopback interface is treated as a stub Host. DellEMC# Configuring Stub Areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas.
Enabling Passive Interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces. To suppress the interface’s participation on an OSPF interface, use the following command. This command stops the router from sending updates on that interface.
Enabling Fast-Convergence The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
To change OSPFv2 parameters on the interfaces, use any or all of the following commands. • Change the cost associated with OSPF traffic on the interface. CONFIG-INTERFACE mode ip ospf cost • – cost: The range is from 1 to 65535 (the default depends on the interface speed). Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds – seconds: the range is from 1 to 65535 (the default is 40 seconds).
– seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network. Example of Changing and Verifying the cost Parameter and Viewing Interface Status To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface.
Enabling OSPFv2 Graceful Restart Graceful restart is enabled for the global OSPF process. The Dell EMC Networking implementation of OSPFv2 graceful restart enables you to specify: • grace period — the length of time the graceful restart process can last before OSPF terminates it. • helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router. • mode — the situation or situations that trigger a graceful restart.
For more information about OSPF graceful restart, refer to the Dell EMC Networking OS Command Line Reference Guide. Example of the show run ospf Command When you configure a graceful restart on an OSPFv2 router, the show run ospf command displays information similar to the following. DellEMC#show run ospf ! router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.
NOTE: Do not route iBGP routes to OSPF unless there are route-maps associated with the OSPF redistribution. To redistribute routes, use the following command. • Specify which routes are redistributed into OSPF process.
• show running-config ospf View the summary information of the IP routes. EXEC Privilege mode • show ip route summary View the summary information for the OSPF database. EXEC Privilege mode • show ip ospf database View the configuration of OSPF neighbors connected to the local router. EXEC Privilege mode • show ip ospf neighbor View the LSAs currently in the queue. EXEC Privilege mode • show ip ospf timers rate-limit View debug messages.
Figure 101. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Te 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface TenGigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface TenGigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface TenGigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface TenGigabitEthernet 2/2 ip address 10.2.22.2/24 no shutdown OSPFv3 NSSA NSSA (Not-So-Stubby-Area) is a stub area that does not support Type-5 LSAs, but supports Type-7 LSAs to forward external links.
NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. All IPv6 addresses on an interface are included in the OSPFv3 process that is created on the interface. Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically.
To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [referencebandwidth ref-bw] command. – ref-bw: The range is from 1 to 4294967. The default is 100 megabits per second. Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1 Assign an IPv6 address to the interface.
router-id {number} – number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF. CONFIGURATION mode no ipv6 router ospf process-id • Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process Assigning OSPFv3 Process ID and Router ID to a VRF To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands. • Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
– no-summary: use these keywords to prevent transmission in to the area of summary ASBR LSAs. – Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address. Configuring Passive-Interface To suppress the interface’s participation on an OSPFv3 interface, use the following command. This command stops the router from sending updates on that interface.
• Specify the information for the default route. CONF-IPV6-ROUTER-OSPF mode default-information originate [always [metric metric-value] [metric-type type-value]] [routemap map-name] Configure the following required and optional parameters: – always: indicate that default route information is always advertised. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
• Disable OSPFv3 graceful-restart. CONF-IPV6-ROUTER-OSPF mode no graceful-restart grace-period Displaying Graceful Restart To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands. • Display the graceful-restart configuration for OSPFv2 and OSPFv3 (shown in the following example). EXEC Privilege mode • show run ospf Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example).
LSA count Summary LSAs Rtr LSA Count Net LSA Count Inter Area Pfx LSA Count Inter Area Rtr LSA Count Group Mem LSA Count 12010 1 4 3 12000 0 0 The following example shows the show ipv6 ospf database grace-lsa command. DellEMC#show ipv6 ospf database grace-lsa ! Type-11 Grace LSA (Area 0) LS Age Link State ID Advertising Router LS Seq Number Checksum Length Associated Interface Restart Interval Restart Reason : : : : : : : : : 10 6.16.192.66 100.1.1.
You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent. OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
• Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface. INTERFACE mode ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key} – null: causes an authentication policy configured for the area to not be inherited on the interface. – ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295. – MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
• – key-authentication-type: (optional) specifies if the authentication key is encrypted. The valid values are 0 or 7. Remove an IPsec encryption policy from an interface. no ipv6 ospf encryption ipsec spi number • Remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area. no ipv6 ospf encryption null • Display the configuration of IPsec encryption policies on the router.
NOTE: When you configure encryption using the area encryption command, you enable both IPsec encryption and authentication. However, when you enable authentication on an area using the area authentication command, you do not enable encryption at the same time. If you have enabled IPsec authentication in an OSPFv3 area using the area authentication command, you cannot use the area encryption command in the area at the same time.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a port channel interface, enter the keywords port-channel then a number. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Examples of the show crypto ipsec Commands In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold). The following example shows the show crypto ipsec policy command.
STATUS : ACTIVE inbound esp sas outbound esp sas Interface: TenGigabitEthernet 1/2 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 The
show ipv6 route [vrf vrf-name] summary • View the summary information for the OSPFv3 database. EXEC Privilege mode show ipv6 ospf [vrf vrf-name] database • View the configuration of OSPFv3 neighbors. EXEC Privilege mode show ipv6 ospf [vrf vrf-name] neighbor • View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [vrf vrf-name] [event | packet] {type slot/port} – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
36 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Destination port • TCP Flags After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following: • Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next-hop. • If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
• Apply a Redirect-list to an Interface using a Redirect-group PBR Exceptions (Permit) To create an exception to a redirect list, use thepermit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell EMC Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries.
• number is the number in sequence to initiate this rule • ip-address is the Forwarding router’s address • tunnel is used to configure the tunnel settings • tunnel-id is used to redirect the traffic • track is used to track the object-id • track is to enable the tracking • FORMAT: A.B.C.
You can apply multiple rules to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in a redirect-list displays the correct method for applying multiple rules to one list. Example: Creating Multiple Rules for a Redirect-List DellEMC(conf)#ip redirect-list test DellEMC(conf-redirect-list)#seq 10 redirect 10.1.1.2 ip 20.1.1.0/24 any DellEMC(conf-redirect-list)#seq 15 redirect 10.1.1.3 ip 20.1.1.
Example: Applying a Redirect-list to an Interface DellEMC(conf-if-te-1/1)#ip redirect-group xyz DellEMC(conf-if-te-1/1)# Example: Applying a Redirect-list to an Interface DellEMC(conf-if-te-1/1)#ip redirect-group test DellEMC(conf-if-te-1/1)#ip redirect-group xyz DellEMC(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address ip redirect-group test ip redirect-group xyz shutdown DellEMC(conf-if-te-1/1)# DellEMC(conf-if-gi-1/1)#ip redirect-group test DellEMC(conf-if-gi-1/1)#ip redirect-g
seq 35 redirect 42.1.1.2 seq 40 redirect 43.1.1.2 seq 45 redirect 31.1.1.2 [up], Next-hop reachable [up], Next-hop reachable [up], Next-hop reachable [up], Next-hop reachable [up], Next-hop reachable [up], Next-hop reachable icmp host 8.8.8.8 any, Next-hop reachable (via Vl 20) tcp 155.55.2.0/24 222.22.2.0/24, Next-hop reachable (via Vl 30) track 200 ip 12.0.0.0 255.0.0.197 13.0.0.0 255.0.0.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23) seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23) seq 15 permit ip any any Applied interfaces: Te 2/11 EDGE_ROUTER# Creating a PBR list using Explicit Track Objects for Redirect IPs Create Track Objects to track the Redirect IPs: DellEMC#configure terminal DellEMC(conf)#track 3 ip host 42.1.1.
seq 20 redirect 42.1.1.2 track 3 udp any host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20) seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144, Track 4 [up], Next-hop reachable (via Vl 20) Applied interfaces: Te 2/28 DellEMC# Creating a PBR list using Explicit Track Objects for Tunnel Interfaces Creating steps for Tunnel Interfaces: DellEMC#configure terminal DellEMC(conf)#interface tunnel 1 DellEMC(conf-if-tu-1)#tunnel destination 40.1.1.
DellEMC(conf-if-te-2/28)#exit DellEMC(conf)#end Verify the Applied Redirect Rules: DellEMC#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32) seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32) seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information The following information is necessary for implementing PIM-SM.
Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1 After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
ip multicast-routing [vrf vrf-name] Related Configuration Tasks The following are related PIM-SM configuration tasks. • • • • Configuring S,G Expiry Timers Configuring a Static Rendezvous Point Configuring a Designated Router Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1 Enable IPv4 multicast routing on the system. CONFIGURATION mode ip multicast-routing [vrf vrf-name] 2 Enable PIM-Sparse mode.
Address 127.87.5.5 127.87.3.5 127.87.50.
To configure a global expiry time, use the following command. Enable global expiry timer for S, G entries. CONFIGURATION mode ip pim sparse-mode sg-expiry-timer seconds The range is from 211 to 86,400 seconds. The default is 210. NOTE: The global expiry time for all [S, G] entries can vary from 360 to 420 seconds. Configuring a Static Rendezvous Point The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root a group-specific tree; every group must have an RP.
with the greatest priority value is the DR. If the priority value is the same for two routers, then the router with the greatest IPv4 address is the DR. By default, the DR priority value is 192, so the IP address determines the DR. • Assign a DR priority value. INTERFACE mode ip pim dr-priority priority-value • Change the interval at which a router sends hello messages. INTERFACE mode • ip pim query-interval seconds Display the current value of these parameter.
Address : fe80::201:e8ff:fe02:140f DR : this router Te 1/11 v2/S 0 30 1 Address : fe80::201:e8ff:fe02:1417 DR : this router Dell# Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
2 Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1 Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2 Enter the ip pim ssm-range command and specify the ACL you created.
Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.
239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:07 Never Member Ports: Te 1/1 239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.2 R1(conf)#do show ip igmp ssm-map IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:36 Never Member Ports: Te 1/1 R1(conf)#do show ip igmp ssm-map 239.0.0.2 SSM Map Information Group : 239.0.0.2 Source(s) : 10.11.5.
2 In E-BSR, if the C-RP advertisements are not in synchronization with the standby, first few BCM C-RP advertisement might not have the complete list of RP mappings. Due to this, there is a possibility of RP mapping timeout and momentary traffic loss in the network. 3 If you configure a secondary VLT peer as an E-BSR and in case of ICL flap or failover, the VLT lag will be down resulting a BSM timeout in the PIM domain and a new BSR will be elected.
The Configured multicast group ranges are used by the BSR protocol to advertise the candidate RPs in the bootstrap messages. You can configure the multicast group ranges as a standard ACL list of multicast prefixes. You can then associate the configured group list with the RP candidate. NOTE: • If there is no multicast group list configured for the RP-candidate, the RP candidate will be advertised for all the multicast groups.
39 Port Monitoring Port monitoring (also referred to as mirroring ) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
Port Monitoring Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session.
No N/A DellEMC# N/A yes Example of Configuring Another Monitoring Session with a Previously Used Destination Port DellEMC(conf)#monitor session 300 DellEMC(conf-mon-sess-300)#source TenGig 1/17 destination TenGig 1/4 direction tx % Error: Exceeding max MG ports for this MD port pipe.
Dell EMC Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095. If the MD port is in a Layer 3 VLAN, the frames are tagged with the respective Layer 3 VLAN ID.
DellEMC(conf)#monitor session 1 DellEMC(conf-mon-sess-1)#source vl 40 dest ten 1/3 dir rx DellEMC(conf-mon-sess-1)#flow-based enable DellEMC(conf-mon-sess-1)#exit DellEMC(conf)#do show monitor session SessID Source Destination Dir Mode Source IP Dest IP Gre-Protocol FcMonitor ------ ------------------ ----------------------------- --------0 Te 1/1 Te 1/2 rx Port 0.0.0.0 0.0.0.0 A N/A No 0 Po 10 Te 1/2 rx Port 0.0.0.0 0.0.0.0 A N/A No 1 Vl 40 Te 1/3 rx Flow 0.0.0.0 0.0.0.
CONFIGURATION mode monitor session session-id 2 Enable flow-based monitoring for a monitoring session. MONITOR SESSION mode flow-based enable 3 Specify the source and destination port and direction of traffic. MONITOR SESSION mode source source—port destination destination-port direction rx 4 Define IP access-list rules that include the monitor keyword. For port monitoring, Dell EMC Networking OS only considers traffic matching rules with the monitor keyword.
---0 No ---- ----------Te 1/1 Te 1/2 N/A N/A --------rx yes interface Flow-based 0.0.0.0 0.0.0.0 0 0 Remote Port Mirroring While local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router, remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Figure 104. Remote Port Mirroring Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The L3 interface configuration should be blocked for RPM VLAN. • The member port of the reserved VLAN should have MTU and IPMTU value as MAX+4 (to hold the VLAN tag parameter). • To associate with source session, the reserved VLAN can have at max of only 4 member ports. • To associate with destination session, the reserved VLAN can have multiple member ports.
• A destination port cannot be used in any spanning tree instance. • The reserved VLAN used to transport mirrored traffic must be a L2 VLAN. L3 VLANs are not supported. • On a source switch on which you configure source ports for remote port mirroring, you can add only one port to the dedicated RPM VLAN which is used to transport mirrored traffic. You can configure multiple ports for the dedicated RPM VLAN on intermediate and destination switches.
Step Command Purpose 3 source Interface | Range Specify the port or list of ports that needs to be monitored 4 direction Specify rx, tx or both in case to monitor ingress/egress or both ingress and egress packets on the specified port.. 5 rpm source-ip dest-ip Specify the source ip address and the destination ip where the packet needs to be sent. 6 flow-based enable Specify flow-based enable for mirroring on a flow by flow basis and also for vlan as source.
DellEMC(conf)#monitor session 3 type rpm DellEMC(conf-mon-sess-3)#source port-channel 10 dest remote-vlan 30 dir both DellEMC(conf-mon-sess-3)#no disable DellEMC(conf-mon-sess-3)#exit DellEMC(conf)#end DellEMC# DellEMC#show monitor session SessID Source Destination ------ ---------------1 Te 1/5 remote-vlan 10 2 Vl 100 remote-vlan 20 3 Po 10 remote-vlan 30 DellEMC# Dir --rx rx both Mode ---Port Flow Port Source IP --------N/A N/A N/A Dest IP -------N/A N/A N/A Configuring the sample Source Remote Port
Configuring RSPAN Source Sessions to Avoid BPD Issues When ever you configure an RPM source session, you must ensure the following to avoid BPDU issues: 1 Enable control plane egress acl using the following command: mac control-plane egress-acl 2 Create an extended MAC access list and add a deny rule of (0x0180c2xxxxxx) packets using the following commands: mac access-list extended mac2 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count 3 Apply ACL on that RPM VLAN.
• You can configure the same port as both source and destination in an ERSPAN session. • You can configure TTL and TOS values in the IP header of the ERSPAN traffic. Configuration steps for ERPM To configure an ERPM session: Table 68. Configuration steps for ERPM Step Command Purpose 1 configure terminal Enter global configuration mode. 2 monitor session type erpm Specify a session ID and ERPM as the type of monitoring session, and enter the Monitoring-Session configuration mode.
The next example shows the configuration of an ERPM session in which VLAN 11 is monitored as the source interface and a MAC ACL filters the monitored ingress traffic.
Decapsulation of ERPM packets at the Destination IP/ Analyzer • In order to achieve the decapsulation of the original payload from the ERPM header. The below two methods are suggested : a Using Network Analyzer – Install any well-known Network Packet Analyzer tool which is open source and free to download. – Start capture of ERPM packets on the Sniffer and save it to the trace file (for example : erpmwithheader.pcap). – The Header that gets attached to the packet is 38 bytes long.
The port monitoring or mirroring function when applied to VLT devices works as expected except with some restrictions. You can configure RPM or ERPM monitoring between two VLT peers. As VLT devices are seen as a single device in the network, when a fail over occurs, the source or destination port on one of the VLT peers becomes inactive causing the monitoring session to fail. As a result, Dell EMC Networking OS does not allow local Port mirroring based monitoring to be configured between VLT peers.
Scenario RPM Restriction Recommended Solution Mirroring VLT LAG to Orphan Port — In this No restrictions apply. scenario, the VLT LAG is mirrored to an orphan port on the same VLT device. The packet analyzer is connected to the VLT device through the orphan port.. If the packet analyzer is directly connected to the VLT device, use local Port mirroring session instead of RPM.
Scenario RPM Restriction Mirroring with an interface or LAG as source No restrictions apply. and destination --- If the source and destination interface or LAG of a monitor session are same. 710 Port Monitoring Recommended Solution None.
40 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• Display primary-secondary VLAN mapping. EXEC mode or EXEC Privilege mode show vlan private-vlan mapping • Set the PVLAN mode of the selected port. INTERFACE switchport mode private-vlan {host | promiscuous | trunk} NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs. NOTE: The outputs of the show arp and show vlan commands provide PVLAN data.
The following example shows the switchport mode private-vlan command on a port and on a port channel.
6 (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs. INTERFACE VLAN mode ip local-proxy-arp NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped. Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN.
3 Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4 Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 106. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: • Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
In parallel, on S4810: • Te 1/3 is a promiscuous port and Te 1/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. • Te 1/4-6 are host ports. Te 1/4 and Te 1/5 are assigned to the community VLAN 4001, while Te 1/6 is assigned to the isolated VLAN 4003. The result is that: • The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
The following example shows using the show vlan private-vlan mapping command. S50-1#show vlan private-vlan mapping Private Vlan: Primary : 4000 Isolated : 4003 Community : 4001 NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column. The following example shows viewing the VLAN status.
41 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Table 70. Spanning Tree Variations Dell EMC Networking OS Supports Dell EMC Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.
no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode disable • Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 108. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TenGigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.b6:d6 Designated port id is 128.
Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
Figure 109. PVST+ with Extend System ID • Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id Example of Viewing the Extend System ID in a PVST+ Configuration DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
no ip address tagged TenGigabitEthernet 1/22,32 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/22,32 no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 Example of PVST+ Configuration (R2) interface TenGigabitEthernet 2/12 no ip address switchport no shutdown ! interface TenGigabitEthernet 2/32 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tag
protocol spanning-tree pvst no disable vlan 300 bridge-priority 4096 Per-VLAN Spanning Tree Plus (PVST+) 729
42 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 72.
Feature Direction Create Policy Maps Ingress + Egress Create Input Policy Maps Ingress Honor DSCP Values on Ingress Packets Ingress Honoring dot1p Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 110.
• Policy-Based QoS Configurations • DSCP Color Maps • Enabling QoS Rate Adjustment • Enabling Strict-Priority Queueing • Weighted Random Early Detection • Pre-Calculating Available QoS CAM Space • Configuring Weights and ECN for WRED • Configuring WRED and ECN Attributes • Guidelines for Configuring ECN for Classifying and Color-Marking Packets • Applying Layer 2 Match Criteria on a Layer 3 Interface • Applying DSCP and VLAN Match Criteria on a Service Queue • Classifying Incoming Pac
Table 73. dot1p-priority Values and Queue Numbers dot1p Queue Number 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 • Change the priority of incoming traffic on the interface.
When priority-tagged frames ingress an untagged port or hybrid port, the frames are classified to the default VLAN of the port and to a queue according to their dot1p priority if you configure service-class dynamic dotp or trust dot1p. When priority-tagged frames ingress a tagged port, the frames are dropped because, for a tagged port, the default VLAN is 0. Dell EMC Networking OS Behavior: Hybrid ports can receive untagged, tagged, and priority tagged frames.
Example of rate shape Command DellEMC#configure terminal DellEMC(conf)#interface tengigabitethernet 1/1 DellEMC(conf-if-te-1/1)#rate shape 500 50 DellEMC(conf-if-te-1/1)#end Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 111. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic.
Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using layer 3 class-maps. You may specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map. NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs. Use step 1 or step 2 to start creating a Layer 3 class map.
The following example matches the IPv6 traffic with a DSCP value of 40: DellEMC(conf)# class-map match-all test DellEMC(conf-class-map)# match ipv6 dscp 40 The following example matches the IPv4 and IPv6 traffic with a precedence value of 3: DellEMC(conf)# class-map match-any test1 DellEMC(conf-class-map)#match ip-any precedence 3 Creating a Layer 2 Class Map All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command.
The order can range from 0 to 254. By default, all ACL rules have an order of 255. Displaying Configured Class Maps and Match Criteria To display all class-maps or a specific class map, use the following command. Dell EMC Networking OS Behavior: An explicit “deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. In the following example, traffic is classified in two Queues, 1 and 2.
In the previous example, the ClassAF1 does not classify traffic as intended. Traffic matching the first match criteria is classified to Queue 1, but all other traffic is classified to Queue 0 as a result of CAM entry 20419. When you remove the explicit “deny any” rule from all three ACLs, the CAM reflects exactly the desired classification. The following example shows correct traffic classifications.
Configuring Policy-Based Rate Policing To configure policy-based rate policing, use the following command. • Configure rate police ingress traffic. QOS-POLICY-IN mode rate-police Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command. • Set a dscp or dot1p value for egress packets. QOS-POLICY-IN mode set mac-dot1p Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1 Create an output QoS policy.
Table 74. Default Bandwidth Weights Queue Default Bandwidth Percentage for 4– Queue System Default Bandwidth Percentage for 8– Queue System 0 6.67% 1% 1 13.33% 2% 2 26.67% 3% 3 53.33% 4% 4 - 5% 5 - 10% 6 - 25% 7 - 50% NOTE: The system supports 4 data queues. When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues.
Honoring DSCP Values on Ingress Packets Honoring dot1p Values on Ingress Packets 3 Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue. POLICY-MAP-IN mode service-queue Applying an Input QoS Policy to an Input Policy Map To apply an input QoS policy to an input policy map, use the following command.
Honoring dot1p Values on Ingress Packets Dell EMC Networking OS honors dot1p values on ingress packets with the Trust dot1p feature. The following table specifies the queue to which the classified traffic is sent based on the dot1p value. Table 76. Default dot1p to Queue Mapping dot1p Queue ID 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
Applying an Input Policy Map to an Interface To apply an input policy map to an interface, use the following command. You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. • You cannot apply a class-map and QoS policies to the same interface. • You cannot apply an input Layer 2 QoS policy on an interface you also configure with vlan-stack access.
Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command. • Apply an input policy map to an interface. INTERFACE mode service-policy output You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
3 Apply the map profile to the interface. CONFIG-INTERFACE mode qos dscp-color-policy color-map-name Example: Create a DSCP Color Map The following example creates a DSCP color map profile, color-awareness policy, and applies it to interface 1/11.
Display summary information about a color policy for one or more interfaces. DellEMC# show Interface TE 1/10 TE 1/11 qos dscp-color-policy summary dscp-color-map mapONE mapTWO Display summary information about a color policy for a specific interface.
Enabling Strict-Priority Queueing In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command. • Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing.
Figure 112. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 77. Pre-Defined WRED Profiles Default Profile Name Minimum Threshold Maximum Threshold Maximum Drop Rate wred_drop 0 0 100 wred_teng_y 467 4671 100 wred_teng_g 467 4671 50 wred_fortyg_y 467 4671 50 wred_fortyg_g 467 4671 25 Creating WRED Profiles To create WRED profiles, use the following commands. 1 Create a WRED profile.
Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic Dell EMC Networking OS should apply the profile. Dell EMC Networking OS assigns a color (also called drop precedence) — red, yellow, or green — to each packet based on it DSCP value before queuing it. DSCP is a 6–bit field. Dell EMC Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence. • DP values of 110 and 100, 101 map to yellow; all other values map to green.
DellEMC# Displaying egress–queue Statistics To display the number of transmitted and dropped packets and their rate on the egress queues of an interface, use the following command: • Display the number of packets and number of bytes on the egress-queue profile.
Specifically: • Available CAM — the available number of CAM entries in the specified CAM partition for the specified line card or stack-unit portpipe. • Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface. • Status — indicates whether the specified policy-map can be completely applied to an interface in the port-pipe.
You can enable WRED and ECN capabilities per queue for granularity. You can disable these functionality per queue, and you can also specify the minimum and maximum buffer thresholds for each color-coding of the packets. You can configure maximum drop rate percentage of yellow and green profiles. You can set up these parameters for both front-end and backplane ports. Global Service Pools With WRED and ECN Settings Support for global service pools is now available.
Configuring WRED and ECN Attributes The functionality to configure a weight factor for the WRED and ECN functionality for backplane ports is supported on the platform. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion. Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
– RST – URG In the existing software, ECE/CWR TCP flag qualifiers are not supported. • Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support Policer based coloring and this feature concurrently.
1 Classification of incoming traffic. 2 Specify the differentiated actions for different traffic class. 3 Attach the policy-map to the interface. Dell EMC Networking OS support different types of match qualifiers to classify the incoming traffic. Match qualifiers can be directly configured in the class-map command or it can be specified through one or more ACL which in turn specifies the combination of match qualifiers. Until Release 9.3(0.
You can now use the set-color yellow keyword with the match ip access-group command to mark the color of the traffic as ‘yellow’ would be added in the ‘match ip’ sequence of the class-map configuration. By default, all packets are considered as ‘green’ (without the rate-policer and trust-diffserve configuration) and hence support would be provided to mark the packets as ‘yellow’ alone will be provided. By default Dell EMC Networking OS drops all the ‘RED’ or ‘violate’ packets.
Approach with explicit ECN match qualifiers for ECN packets: ! ip access-list standard dscp_50_ecn seq 5 permit any dscp 50 ecn 1 seq 10 permit any dscp 50 ecn 2 seq 15 permit any dscp 50 ecn 3 ! ip access-list standard dscp_40_ecn seq 5 permit any dscp 40 ecn 1 seq 10 permit any dscp 40 ecn 2 seq 15 permit any dscp 40 ecn 3 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 mat
Applying DSCP and VLAN Match Criteria on a Service Queue You can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code Point (DSCP) and IP VLAN IDs as match criteria to filter incoming packets on a service queue on the switch. To configure a Layer 3 class map to classify traffic according to both an IP VLAN ID and DSCP value, use the match ip vlan vlan-id command in class-map input configuration mode.
Classifying Incoming Packets Using ECN and ColorMarking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
Similar to ‘dscp’ qualifier in the existing L3 ACL command, the ‘ecn’ qualifier can be used along with all other supported ACL match qualifiers such as SIP/DIP/TCP/UDP/SRC PORT/DST PORT/ ICMP. Until Release 9.3(0.0), ACL supports classification based on the below TCP flags: • ACK • FIN • SYN • PSH • RST • URG You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
– FIN – SYN – PSH – RST – URG In the existing software, ECE/CWR TCP flag qualifiers are not supported. • Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support Policer based coloring and this feature concurrently.
seq 5 permit any dscp 40 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 ! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-ma
DellEMC(conf)#buffer-stats-snapshot DellEMC(conf)#no disable Enable this utility to be able to configure the parameters for buffer statistics tracking. By default, buffer statistics tracking is disabled. 2 Enable the buffer statistics tracking utility and enter the Buffer Statistics Snapshot configuration mode. CONFIGURATION mode DellEMC(conf)#buffer-stats-snapshot DellEMC(conf)#no disable Enable this utility to be able to configure the parameters for buffer statistics tracking.
Q# TYPE Q# TOTAL BUFFERED CELLS --------------------------------------MCAST 3 0 Unit 1 unit: 3 port: 33 (interface Fo 1/176) --------------------------------------Q# TYPE Q# TOTAL BUFFERED CELLS --------------------------------------MCAST 3 0 Unit 1 unit: 3 port: 37 (interface Fo 1/180) --------------------------------------Q# TYPE Q# TOTAL BUFFERED CELLS --------------------------------------4 Use show hardware buffer-stats-snapshot resource interface interface{priority-group { id | all } | queue { ucast{
43 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Implementation Information Dell EMC Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell EMC Networking OS. Table 79.
Enabling RIP Globally By default, RIP is not enabled in Dell EMC Networking OS. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process on Dell EMC Networking OS. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4 192.162.3.0/24 auto-summary DellEMC#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49 160.160.0.0/16 auto-summary 2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 2.0.0.0/8 auto-summary 4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 4.0.0.0/8 auto-summary 8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49 8.0.0.0/8 auto-summary 12.0.0.
neighbor ip-address • You can use this command multiple times to exchange RIP information with as many RIP networks as you want. Disable a specific interface from sending or receiving RIP routing information. ROUTER RIP mode passive-interface interface Assigning a Prefix List to RIP Routes Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes.
redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [routemap map-name] Configure the following parameters: – process-id: the range is from 1 to 65535. – metric: the range is from 0 to 16. – map-name: the name of a configured route map. To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Distance: (default is 120) DellEMC# To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. DellEMC(conf-if)#ip rip send version 1 2 DellEMC(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out that interface.
If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The autosummary command requires no other configuration commands. To disable automatic route summarization, enter no autosummary in ROUTER RIP mode. NOTE: If you enable the ip split-horizon command on an interface, the system does not advertise the summarized address.
Example of the debug ip rip Command The following example shows the confirmation when you enable the debug function. DellEMC#debug ip rip RIP protocol debug is ON DellEMC# To disable RIP, use the no debug ip rip command. RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names.
Core 2 RIP Output The examples in the section show the core 2 RIP output. Examples of the show ip Commands to View Core 2 Information • To display Core 2 RIP database, use the show ip rip database command. • To display Core 2 RIP setup, use the show ip route command. • To display Core 2 RIP activity, use the show ip protocols command. The following example shows the show ip rip database command to view the learned RIP routes on Core 2.
Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send TenGigabitEthernet 2/4 2 2 TenGigabitEthernet 2/5 2 2 TenGigabitEthernet 2/3 2 2 TenGigabitEthernet 2/11 2 2 Routing for Networks: 10.300.10.0 10.200.10.0 10.11.20.0 10.11.10.
10.11.30.0/24 10.0.0.0/8 192.168.1.0/24 192.168.1.0/24 192.168.2.0/24 192.168.2.0/24 Core3# directly connected,TenGigabitEthernet 3/11 auto-summary directly connected,TenGigabitEthernet 3/23 auto-summary directly connected,TenGigabitEthernet 3/24 auto-summary The following command shows the show ip routes command to view the RIP setup on Core 3.
RIP Configuration Summary Examples of Viewing RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2. ! interface TenGigabitEthernet ip address 10.11.10.1/24 no shutdown ! interface TenGigabitEthernet ip address 10.11.20.2/24 no shutdown ! interface TenGigabitEthernet ip address 10.200.10.1/24 no shutdown ! interface TenGigabitEthernet ip address 10.250.10.1/24 no shutdown router rip version 2 10.200.10.0 10.300.10.0 10.11.10.0 10.11.20.
44 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table. – log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or logand-trap. Default is no log.
[no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
45 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanningtree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.
• Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell EMC Networking recommends limiting the range to five ports and 40 VLANs.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands.
Figure 114. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. DellEMC#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.379, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 5 The port is not in the Edge port mode Port 380 (TenGigabitEthernet 2/4) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.380 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
The following table displays the default values for RSTP. Table 81.
Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively. snmp-server enable traps xstp Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535. The lower the number assigned, the more likely this bridge becomes the root bridge. The default is 32768. Entries must be multiples of 4096. Example of the bridge-priority Command A console message appears when a new root bridge has been assigned.
interface TenGigabitEthernet 2/1 no ip address switchport spanning-tree rstp edge-port shutdown DellEMC(conf-if-te-2/1)# Configuring Fast Hellos for Link State Detection Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed. To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos.
46 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
47 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
Enabling AAA Accounting The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command. • Enable AAA accounting and create a record for monitoring the accounting function. CONFIGURATION mode aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+} The variables are: – system: sends accounting information of any other AAA configuration.
Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
NOTE: If a console user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server if the privilege level is configured for that user in RADIUS, whether you configure RADIUS authorization. NOTE: RADIUS and TACACS servers support VRF-awareness functionality. You can create RADIUS and TACACS groups and then map multiple servers to a group. The group to which you map multiple servers is bound to a single VRF.
3 Assign a method-list-name or the default list to the terminal line. LINE mode login authentication {method-list-name | default} To view the configuration, use the show config command in LINE mode or the show running-config in EXEC Privilege mode. NOTE: Dell EMC Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
The following example shows enabling local authentication for console and remote authentication for the VTY lines. DellEMC(config)# aaa authentication enable mymethodlist radius tacacs DellEMC(config)# line vty 0 9 DellEMC(config-line-vty)# enable authentication mymethodlist Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
Obscuring Passwords and Keys By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS, TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed.
After you configure other privilege levels, enter those levels by adding the level parameter after the enable command or by configuring a user name or password that corresponds to the privilege level. For more information about configuring user names, refer to Configuring a Username and Password. By default, commands in Dell EMC Networking OS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level.
Configuring the Enable Password Command To configure Dell EMC Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell EMC Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
• 2 Secret: Specify the secret for the user. Configure a password for privilege level. CONFIGURATION mode enable password [level level] [encryption-mode] password Configure the optional and required parameters: • level level: specify a level from 0 to 15. Level 15 includes all levels. • encryption-type: enter 0 for plain text or 7 for encrypted text. • password: enter a string up to 32 characters long. To change only the password for the enable command, configure only the password parameter.
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmpserver commands. apollo% telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'.
EXEC Privilege mode enable or enable privilege-level • If you do not enter a privilege level, Dell EMC Networking OS sets it to 15 by default. Move to a lower privilege level. EXEC Privilege mode disable level-number – level-number: The level-number you wish to set. If you enter disable without a level-number, your security level is 1. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following happens: • The administrator changes the idle-time of the line on which the user has logged in.
• Monitoring RADIUS (optional) For a complete listing of all Dell EMC Networking OS commands related to RADIUS, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide. NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication. However, if you have configured RADIUS authorization and have not configured authentication, a message is logged stating this.
Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the RADIUS server host.
• Configure the number of times Dell EMC Networking OS retransmits RADIUS requests. CONFIGURATION mode radius-server retransmit retries • – retries: the range is from 0 to 100. Default is 3 retries. Configure the time interval the system waits for a RADIUS server host response. CONFIGURATION mode radius-server timeout seconds – seconds: the range is from 0 to 1000. Default is 5 seconds.
4 Log in to switch using console or telnet or ssh with a valid user role. When 1-factor authentication is used, the authentication succeeds enabling you to access the switch. When two-factor authentication is used, the system prompts you to enter a one-time password as a second step of authentication. If a valid one-time password is supplied, the authentication succeeds enabling you to access the switch.
Example of a Failed Authentication To view the configuration, use the show config in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, Dell EMC Networking OS employs the second method (or third method, if necessary) automatically. The fallback to the second method would happen only if the authentication failure is due to a non-reachable server or invalid TACACS server key.
the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the system closes the Telnet session immediately. The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the user is found to be coming from the 10.0.0.
If rejected by the AAA server, the command is not added to the running config, and a message displays: 04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command authorization failed for user (denyall) on vty0 ( 10.11.9.209 ) Certain TACACS+ servers do not authenticate the device if you use the aaa authorization commands level default local tacacs+ command. To resolve the issue, use the aaa authorization commands level default tacacs+ local command.
Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. Vty Encryption HMAC DellEMC(conf)# Remote IP To disable SSH server functions, use the no ip ssh server enable command. Using SCP with SSH to Copy a Software Image To use secure copy (SCP) to copy a software image through an SSH connection from one switch to another, use the following commands. 1 On Switch 1, set the SSH port number ( port 22 by default).
Port number of the server [22]: 99 Source file name []: test.cfg User name to login remote host: admin Password to login remote host: Removing the RSA Host Keys and Zeroizing Storage Use the crypto key zeroize rsa command to delete the host key pairs, both the public and private key information for RSA 1 and or RSA 2 types. Note that when FIPS mode is enabled there is no RSA 1 key pair.
• diffie-hellman-group-exchange-sha1 • diffie-hellman-group1-sha1 • diffie-hellman-group14-sha1 When FIPS is enabled, the default is diffie-hellman-group14-sha1. Example of Configuring a Key Exchange Algorithm The following example shows you how to configure a key exchange algorithm.
The following HMAC algorithms are available: • hmac-md5 • hmac-md5-96 • hmac-sha1 • hmac-sha1-96 • hmac-sha2-256 The default list of HMAC algorithm is in the following order: • hmac-sha2-256 • hmac-sha1 • hmac-sha1-96 • hmac-md5 • hmac-md5-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256, hmac-sha1, hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list.
Configuring the SSH Client Cipher List To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode. cipher-list-: Enter a space-delimited list of ciphers the SSH Client supports. The following ciphers are available. • 3des-cbc • aes128-cbc • aes192-cbc • aes256-cbc • aes128-ctr • aes192-ctr • aes256-ctr The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. Vty Encryption HMAC Remote IP Using RSA Authentication of SSH The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2. 1 On the SSH client (Unix machine), generate an RSA key, as shown in the following example. 2 Copy the public key id_rsa.pub to the Dell EMC Networking system. 3 Disable password authentication if enabled.
CONFIGURATION mode or EXEC Privilege mode no ip ssh password-authentication or no ip ssh rsa-authentication 6 Enable host-based authentication. CONFIGURATION mode ip ssh hostbased-authentication enable 7 Bind shosts and rhosts to host-based authentication. CONFIGURATION mode ip ssh pub-key-file flash://filename or ip ssh rhostsfile flash://filename Examples of Creating shosts and rhosts The following example shows creating shosts.
Two Factor Authentication (2FA) Two factor authentication also known as 2FA, strengthens the login security by providing one time password (OTP) in addition to username and password. 2FA supports RADIUS authentications with Console, Telnet, and SSHv2. To perform 2FA, follow these steps: • When the Network access server (NAS) prompts for the username and password, provide the inputs. • If the credentials are valid: – RADIUS server sends a request to the SMS–OTP daemon to generate an OTP for the user.
Vty 2 4 * 5 DellEMC# Encryption aes128-cbc aes128-cbc aes128-cbc HMAC hmac-md5 hmac-md5 hmac-md5 Remote IP 10.16.127.141 10.16.127.141 10.16.127.141 SMS-OTP Mechanism A short message service one time password (SMS-OTP) is a free RADIUS module to implement two factor authentication. There are multiple 2FA mechanisms that can be deployed with the RADIUS. Mechanisms such as the Google authenticator do not rely on the Access-Challenge message and the SMS-OTP module rely on the Access-challenge message.
Authentication Method VTY access-class support? Username access-class support? Remote authorization support? TACACS+ YES NO YES (with version 5.2.1.0 and later) RADIUS YES NO YES (with version 6.1.1.0 and later) provides several ways to configure access classes for VTY lines, including: • VTY Line Local Authentication and Authorization • VTY Line Remote Authentication and Authorization VTY Line Local Authentication and Authorization retrieves the access class from the local database.
displaying the login prompt. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt. The example uses TACACS+ as the authentication mechanism. Example of Configuring VTY Authorization Based on Access Class Retrieved from the Line (Per Network Address) DellEMC(conf)#ip access-list standard deny10 DellEMC(conf-ext-nacl)#permit 10.0.0.
Change of Authorization (CoA) packets Using the CoA packets, the NAS can handle authorization of dot1x sessions by processing the following requests from the Dynamic Authorization Client (DAC): Re-authentication of the supplicant, Port disable, and Port bounce. The CoA packets constitute one message request (CoA request) and one of the following two possible responses: • Change of Authorization Acknowledgement (CoA-Ack) - If the authorization state change is successful, then NAS sends a CoA-Ack.
Table 85. Session Identification Attributes Attribute code Attribute Description 31 Calling-Station-Id (MAC Address) The link address from which session is connected. Table 86.
Radius Attribute code Radius Attribute Description Mandatory 26 Vendor-Specific t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=re-authenticate” Yes Description Mandatory Table 89. CoA EAP/MAB Disable Port Radius Attribute code Radius Attribute NAS Identification Attributes 4 NAS-IP-Address IPv4 address of the NAS. No 95 NAS-IPv6–Address IPv6 address of the NAS.
Radius Attribute code Radius Attribute Description Mandatory 26 Vendor-Specific t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=terminate-session” Yes Description Mandatory Table 92. DM AAA Session(s) disconnect Radius Attribute code Radius Attribute NAS Identification Attributes 4 NAS-IP-Address IPv4 address of the NAS. No 95 NAS-IPv6–Address IPv6 address of the NAS.
Serial Number Error-cause 6 Resource Unavailable(506) 7 Missing Attribute(402) Scenarios • Internal CoA or DM message processing errors. • CoA or DM request without Vendor-specific attribute or invalid Vendor-specific attribute. CoA with re-authenticate or terminate request not containing calling-station-id or NAS-Port attribute. CoA with disable-port or bounce-port request not containing NAS-Port attribute. DM request not containing user-name attribute.
– Source IP address – Source UDP port – Identifier – VRF ID • discards the packets, if length of the packet is shorter than the length field value. • discards the packets, if length of the packet is shorter than 20 or longer than 4096. • discards the packets, if request authenticator does not match the calculated MD5 checksum.
radius dynamic-auth 2 Enter the following command to configure DAC: client host-name Dell(conf-dynamic-auth#)client testhost Configuring the port number You can configure the port number on which the NAS receives CoA or DM requests. This setting enables you to specify an optional port number on which to receive CoA or DM requests. The default value is 3799.
• validates the DM request and the session identification attributes. • sends a DM-Nak with an error-cause of 402 (missing attribute), if the DM request does not contain the User-Name. • sends a DM-Ack, if it is able to successfully disconnect the admin user. • sends a DM-Nak with an error-cause value of 506 (resource unavailable), if it is not able to disconnect the admin user.
in the CoA request, NAS retrieves the supplicant connected to the interface. The EAP or MAB user sessions are re-authenticated and the NAS sends a CoA-Ack to the user, in case the re-authentication is successful. 1 Enter the following command to configure the dynamic authorization feature: radius dynamic-auth 2 Enter the following command to configure the re-authentication of 802.1x sessions: coa-reauthenticate NAS re-initiates the user authentication state.
• returns an error-cause value of 503 (session context not found), if it is not able to retrieve the session using the calling-station-id or NAS-port attribute or both. • sends a DM-Ack, if it is able to terminate the session. • sends a DM-Nak with an error-cause value of 506 (resource unavailable), if it is not able to apply changes to the existing session. • discards the packet, if simultaneous requests are received for the same NAS-port or calling-station-id, or both. Disabling 802.
RPM failover scenario This section describes how the NAS handles virtual IP failovers to the secondary RPM. • The NAS Route Processor Module (RPM) processes the RADIUS dynamic authorization message only if the role of RPM is active. • The NAS standby RPM processes the retransmitted CoA or DM messages without requiring a chassis reboot if primary RPM fails and standby becomes primary. Stack failover scenario This section describes the stack failover scenario.
da-rsp-timeout value Dell(conf-dynamic-auth#)da-rsp-timeout 20 Role-Based Access Control With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions and through those roles they acquire the permissions to perform their associated job function.
NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you will be automatically placed in EXEC Priv mode. For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs.
exec-timeout 0 0 line vty 0 login authentication test authorization exec test line vty 1 login authentication test authorization exec test To enable role-based only AAA authorization, enter the following command in Configuration mode: DellEMC(conf)#aaa authorization role-only System-Defined RBAC User Roles By default, the Dell EMC Networking OS provides 4 system defined user roles. You can create up to 8 additional user roles. NOTE: You cannot delete any system defined roles.
Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization. When you create a new user role, you can first inherit permissions from one of the system defined roles. Otherwise you would have to create a user role’s command permissions from scratch. You then restrict commands or add commands to that role NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles.
Modifying Command Permissions for Roles You can modify (add or delete) command permissions for newly created user roles and system defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command command in Configuration mode. NOTE: You cannot modify system administrator command permissions. If you add or delete command permissions using the role command, those changes only apply to the specific user role. They do not apply to other roles that have inheritance from that role.
DellEMC(conf)#show role mode configure interface Role access: netadmin, secadmin, sysadmin Example: Verify that the Security Administrator Can Access Interface Mode The following example shows that the secadmin role can now access Interface mode (highlighted in bold).
The following example deletes a user role. NOTE: If you already have a user ID that exists with a privilege level, you can add the user role to username that has a privilege DellEMC(conf)# no username john The following example adds a user, to the secadmin user role. DellEMC(conf)# username john role secadmin password 0 password AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
To configure AAA authorization, use the aaa authorization exec command in CONFIGURATION mode. The aaa authorization exec command determines which CLI mode the user will start in for their session; for example, Exec mode or Exec Privilege mode. For information about how to configure authentication for roles, see Configure AAA Authentication for Roles.
line vty 9 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin ucraaa ! Configuring TACACS+ and RADIUS VSA Attributes for RBAC For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell EMC Networking vendor-ID is 6027 and the supported option has attribute of type string, which is titled “Force10-avpair”.
Configuring AAA Accounting for Roles To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode. aaa accounting {system | exec | commands {level | role role-name}} {name | default} {start-stop | wait-start | stop-only} {tacacs+} Example of Configuring AAA Accounting for Roles The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a secadmin user role.
netadmin secadmin sysadmin testadmin netadmin Exec Exec Exec Exec Config Interface Line Router IP Routemap Protocol MAC Config Config Interface Line Router IP Routemap Protocol MAC Config Interface Line Router IP Routemap Protocol MAC Displaying Role Permissions Assigned to a Command To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and or permission level.
• If the credentials are invalid, the authentication fails. NOTE: 2FA does not support RADIUS authentications done with REST, Web UI, and OMI. Handling Access-Challenge Message To provide a two-step verification in addition to the username and password, NAS prompts for additional information. An Access-Challenge request is sent from the RADIUS server to NAS.
This module requires NAS for handling the access challenge from the RADIUS server. NAS sends the input OTP in an Access-Request to the RADIUS server, and the user authentication succeeds or fails depending upon the Access-Accept or Access-Reject response received at NAS from the RADIUS server. Configuring the System to Drop Certain ICMP Reply Messages You can configure the Dell EMC Networking OS to drop ICMP reply messages.
Table 95.
48 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 115. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
2 Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3 Enabling VLAN-Stacking for a VLAN. Related Configuration Tasks • Configuring the Protocol Type Value for the Outer VLAN Tag • Configuring Dell EMC Networking OS Options for Trunk Ports • Debugging VLAN Stacking • VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands.
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stackingenabled VLAN are marked with an M in column Q.
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID 0x8100. 2 Add the port to a 802.1Q VLAN as tagged or untagged. INTERFACE VLAN mode [tagged | untagged] Example of Configuring a Trunk Port as a Hybrid Port and Adding it to Stacked VLANs In the following example, TenGigabitEthernet 1/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
DellEMC#debug member port tengigabitethernet 2/4 vlan id : 603 (MT), 100(T), 101(NU) DellEMC# VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
Figure 116.
Figure 117.
Figure 118. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series. Table 96. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Honoring the Incoming DEI Value To honor the incoming DEI value, you must explicitly map the DEI bit to an Dell EMC Networking OS drop precedence. Precedence can have one of three colors. Precedence Description Green High-priority packets that are the least preferred to be dropped. Yellow Lower-priority packets that are treated as best-effort. Red Lowest-priority packets that are always dropped (regardless of congestion status).
Te 2/9 Te 2/10 Yellow Yellow 0 0 Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to a S-Tag 802.1p value. Figure 119.
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Dell EMC Networking OS Behavior: In Dell EMC Networking OS versions prior to 8.2.1.0, the MAC address that Dell EMC Networking systems use to overwrite the Bridge Group Address on ingress was non-configurable. The value of the L2PT MAC address was the Dell EMC Networking-unique MAC address, 01-01-e8-00-00-00.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2 Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3 Tunnel BPDUs the VLAN.
4 Set a maximum rate at which the RPM processes BPDUs for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.
49 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
hardware sampling rate is backed-off from 512 to 1024. Note that port 1 maintains its sampling rate of 16384; port 1 is unaffected because it maintains its configured sampling rate of 16384.: • If the interface states are up and the sampling rate is not configured on the port, the default sampling rate is calculated based on the line speed. • If the interface states are shut down, the sampling rate is set using the global sampling rate.
Examples of Verifying Extended sFlow The bold line shows that extended sFlow settings are enabled on all three types. DellEMC#show sflow sFlow services are enabled Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 20 Global default extended maximum header size: 128 bytes Global extended information enabled: none 1 collectors configured Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.
• To reset the maximum header size of a packet, use the following command [no] sflow max-header-size extended • View the maximum header size of a packet.
EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled. The second bold lines indicate sFlow is enabled on Te 1/16 and Te 1/17 DellEMC#show sflow sFlow services are enabled Global default sampling rate: 32768 Global default counter polling interval: 20 1 collectors configured Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
Displaying Show sFlow on a Stack-unit To view sFlow statistics on a specified Stack-unit, use the following command. • Display sFlow configuration information and statistics on the specified interface.
Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared. This is as per sFlow version 5 draft.
Global default sampling rate: 32768 Global default counter polling interval: 20 Global extended information enabled: none 0 collectors configured 0 UDP packets exported 0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Important Points to Remember • To export extended-gateway data, BGP must learn the IP destination address. • If the IP destination address is not learned via BGP the Dell EMC Networking system does not export extended-gateway data.
50 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB). MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.
In this example, for a specified user and a group, the AES128-CFB algorithm, the authentication password to enable the server to receive packets from the host, and the privacy password to encode the message contents are configured. SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled because SHA is then the only available authentication level.
Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications. If you experience a timeout with these values, increase the timeout value to greater than 3 seconds, and increase the retry value to greater than 2 seconds on your SNMP server. • User ACLs override group ACLs. Set up SNMP As previously stated, Dell EMC Networking OS supports SNMP version 1 and version 2 that are community-based security models.
• auth — password privileges. Select this option to set up a user with password authentication. • priv — password and privacy privileges. Select this option to set up a user with password and privacy privileges. To set up user-based security (SNMPv3), use the following commands. • Configure the user with view privileges only (no password or privacy privileges).
Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell EMC Networking supports RFC 4001, Textual Conventions for Internet Work Addresses that defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. There are several UNIX SNMP commands that read data. • Read the value of a single managed object.
Configuring Contact and Location Information using SNMP You may configure system contact and location information from the Dell EMC Networking system or from the management station using SNMP. To configure system contact and location information from the Dell EMC Networking system and from the management station using SNMP, use the following commands.
• • Dell EMC Networking enterpriseSpecific environment traps — fan, supply, and temperature. Dell EMC Networking enterpriseSpecific protocol traps — bgp, ecfm, stp, and xstp. To configure the system to send SNMP notifications, use the following commands. 1 Configure the Dell EMC Networking system to send notifications to an SNMP server. CONFIGURATION mode snmp-server host ip-address [traps | informs] [version 1 | 2c |3] [community-string] To send trap messages, enter the keyword traps.
CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
provider at Level 4 VLAN 3000 %ECFM-5-ECFM_REMOTE_ALARM: Remote CCM Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 %ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000 entity Enable entity change traps Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.06, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 4 Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.
The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38 SNMPv2-MIB::snmpTrapOID. 0 = OID: SNMPv2SMI::enterprises.6027.3.30.1.1.1 SNMPv2-SMI::enterprises.6027.3.30.1.1 = STRING: "NOT_REACHABLE: Syslog server 10.11.226.121 (port: 9140) is not reachable" SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
MIB Object OID Object Values Description 6 = usbflash copySrcFileName copyDestFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5 Path (if the file is not in the current directory) and filename. Specifies name of the file. 1 = Dell EMC Networking OS file Specifies the type of file to copy to. 2 = running-config 3 = startup-config • • • copyDestFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.
Copying a Configuration File To copy a configuration file, use the following commands. NOTE: In UNIX, enter the snmpset command for help using the following commands. Place the f10-copy-config.mib file in the directory from which you are executing the snmpset command or in the snmpset tool path. 1 Create an SNMP community string with read/write privileges. CONFIGURATION mode snmp-server community community-name rw 2 Copy the f10-copy-config.
The following example shows copying configuration files using MIB object names. > snmpset -v 2c -r 0 -t 60 -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.101 i 2 copyDestFileType.101 i 3 FTOS-COPY-CONFIG-MIB::copySrcFileType.101 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.101 = INTEGER: startupConfig(3) The following example shows copying configuration files using OIDs. > snmpset -v 2c -c public -m ./f10-copy-config.mib 10.10.10.10 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.
FTOS-COPY-CONFIG-MIB::copyUserName.110 = STRING: mylogin FTOS-COPY-CONFIG-MIB::copyUserPassword.110 = STRING: mypass Copying the Startup-Config Files to the Server via TFTP To copy the startup-config to the server via TFTP from the UNIX machine, use the following command. NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory. • Copy the startup-config to the server via TFTP from the UNIX machine. snmpset -v 2c -c public -m .
MIB Object OID Values Description copyTimeCompleted .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 Time value Specifies the point in the uptime clock that the copy operation completed. copyFailCause .1.3.6.1.4.1.6027.3.5.1.1.1.1.14 1 = bad filename Specifies the reason the copy request failed. 2 = copy in progress 3 = disk full 4 = file exists 5 = file not found 6 = timeout 7 = unknown copyEntryRowStatus .1.3.6.1.4.1.6027.3.5.1.1.1.1.15 Row status Specifies the state of the copy operation.
The following command shows how to get a MIB object value using OID. > snmpget -v 2c -c private 10.11.131.140 .1.3.6.1.4.1.6027.3.5.1.1.1.1.13.110 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.13.110 = Timeticks: (1179831) 3:16:38.31 MIB Support for Power Monitoring Dell EMC Networking provides MIB objects to display the information for Power Monitoring. The OIDs specific to Power Monitoring are appended to the DellITaMIbs.
snmpget -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.9.1.6.1 enterprises.6027.3.10.1.2.9.1.5.1 = Gauge32: 24 The output above displays that 24% of the flash memory is used. MIB Support to Display the Software Core Files Generated by the System Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 105.
enterprises.6027.3.10.1.2.10.1.4.1.1 enterprises.6027.3.10.1.2.10.1.4.1.2 enterprises.6027.3.10.1.2.10.1.4.1.3 enterprises.6027.3.10.1.2.10.1.4.2.1 enterprises.6027.3.10.1.2.10.1.5.1.1 enterprises.6027.3.10.1.2.10.1.5.1.2 enterprises.6027.3.10.1.2.10.1.5.1.3 enterprises.6027.3.10.1.2.10.1.5.2.1 = = = = = = = = 0 1 1 0 "flashmntr" "l2mgr" "vrrp" Hex: 76 72 72 70 "sysd" Hex: 73 79 73 64 The output above displays that the software core files generated by the system.
• 33997973 is the count of green packet-drops (Green Drops). • 329629607 is the count of yellow packet-drops (Yellow Drops). • 31997973 is the count of red packet-drops (Out of Profile Drops). MIB Support to Display the Available Partitions on Flash Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk.
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.2.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.2.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.3.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.1 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.2 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.3 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.4 .1.3.6.1.4.1.6027.3.26.1.4.8.1.4.5 .1.3.6.1.4.1.6027.3.26.1.4.8.1.5.1 .1.3.6.1.4.1.6027.3.
Viewing the ECMP Group Count Information • To view the ECMP group count information generated by the system, use the following command. snmpwalk -c public -v 2c 10.16.151.191 1.3.6.1.4.1.6027.3.9 SNMPv2-SMI::enterprises.6027.3.9.1.1.1.2.1.1 = Counter64: 79 SNMPv2-SMI::enterprises.6027.3.9.1.1.1.2.1.2 = Counter64: 1 SNMPv2-SMI::enterprises.6027.3.9.1.3.0 = Gauge32: 18 SNMPv2-SMI::enterprises.6027.3.9.1.4.0 = Gauge32: 1 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.10.1.1.0.24.0.0.0.
STRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = HexSTRING: 4C 76 25 F4 AB 02 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.0.24.0.0.0.0 = "" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = "" SNMPv2-SMI::enterprises.6027.3.9.1.5.1.9.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.70.70.70.0.24.0.0.0.0 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.70.70.70.2.32.1.4.70.70.70.2.1.4.70.70.70.2 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.1 = Gauge32: 0 SNMPv2-SMI::enterprises.6027.3.9.1.5.1.11.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.
.1.3.6.1.2.1.47.1.3.2.1.2.13.0 .1.3.6.1.2.1.47.1.3.2.1.2.17.0 .1.3.6.1.2.1.47.1.3.2.1.2.21.0 .1.3.6.1.2.1.47.1.3.2.1.2.25.0 .1.3.6.1.2.1.47.1.3.2.1.2.29.0 .1.3.6.1.2.1.47.1.3.2.1.2.30.0 .1.3.6.1.2.1.47.1.3.2.1.2.31.0 = = = = = = = OID: OID: OID: OID: OID: OID: OID: .1.3.6.1.2.1.2.2.1.1.2098181 .1.3.6.1.2.1.2.2.1.1.2098693 .1.3.6.1.2.1.2.2.1.1.2099205 .1.3.6.1.2.1.2.2.1.1.2099717 .1.3.6.1.2.1.2.2.1.1.2100228 .1.3.6.1.2.1.2.2.1.1.2100356 .1.3.6.1.2.1.2.2.1.1.
MIB Object OID Description dot3adAggPartnerOperKey 1.2.840.10006.300.43.1.1.1.1.9 Contains the current operational value of the key for the Aggregator’s current protocol partner. dot3adAggCollectorMaxDelay 1.2.840.10006.300.43.1.1.1.1.10 Contains a 16–bit read–write attribute defining the maximum delay, in tens of microseconds, that may be imposed by the frame collector between receiving a frame from an Aggregator Parser, and either delivering the frame to its MAC Client or discarding the frame.
Table 112. Global MIB Objects for Port Security MIB Object OID Access or Permission Description dellNetGlobalPortSecurityMode 1.3.6.1.4.1.6027.3.31.1.1.1 read-write Enables or disables port security feature globally on the device. dellNetGlobalTotalSecureAddress 1.3.6.1.4.1.6027.3.31.1.1.2 read-only Displays the total number of MAC addresses learnt or configured in the device. dellNetGlobalClearSecureMacAd 1.3.6.1.4.1.6027.3.31.1.1.
MIB Object OID Access or Permission Description dellNetPortSecIfStickyEnable 1.3.6.1.4.1.6027.3.31.1.2.1.1.8 read-write Enables or disables sticky port security feature on this interface. dellNetPortSecIfClearSecureMa cAddresses 1.3.6.1.4.1.6027.3.31.1.2.1.1.9 read-write Deletes secure MAC addresses based on the specified type. dellNetPortSecIfResetViolationS 1.3.6.1.4.1.6027.3.31.1.2.1.1.10 tatus read-write Resets the violation status of an interface based on the specified type.
MIB Object OID Access or Permission Description dellNetPortSecSecureStaticMac AddrTable. Enabling and viewing SNMP for static MAC addresses You can enable and view SNMP for static MAC addresses using snmpset and snmpget command. Following example shows how to enable and view the static MAC addresses. To configure a static MAC address (00:00:00:00:11:11) on a vlan (100) on interface whose ifIndex is (2101252), use the following command. snmpset -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.2.1.
Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. Example of Creating a VLAN using SNMP > snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4 SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
The following example shows viewing VLAN ports using SNMP with no ports assigned. > snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
Example of Adding an Untagged Port to a VLAN using SNMP In the following example, Port 0/2 is added as an untagged member of VLAN 10. >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
Enabling and Disabling a Port using SNMP To enable and disable a port using SNMP, use the following commands. 1 Create an SNMP community on the Dell system. CONFIGURATION mode snmp-server community 2 From the Dell EMC Networking system, identify the interface index of the port for which you want to change the admin status. EXEC Privilege mode show interface Or, from the management system, use the snmpwwalk command to identify the interface index.
The value of dot1dTpFdbPort is the port number of the port off which the system learns the MAC address. In this case, of TenGigabitEthernet 1/21, the manager returns the integer 118.
MIB Objects for Viewing the System Image on Flash Partitions To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object. Table 117. MIB Objects for Viewing the System Image on Flash Partitions MIB Object OID Description MIB chSysSwInPartitionAImgVers 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 List the version string of the system image in Flash Partition A.
• timers bgp 30 90 • neighbor 30.1.1.1 remote-as 200 • neighbor 30.1.1.1 no shutdown • exit-address-family To map the context to a VRF instance for SNMPv3, follow these steps: 1 2 Create a community and map a VRF to it. Create a context and map the context and community, to a community map.
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.4.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.5.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.1.0.1.30.1.1.2.1.30.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.2.0.1.30.1.1.2.1.30.1.1.
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state Po 1" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500932) 23:36:49.32 SNMPv2-MIB::snmpTrapOID.0 = IF-MIB::linkUp IF-MIB::ifIndex.33865785 = INTEGER: 33865785 SNMPv2-SMI::enterprises. 6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Te 1/1" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500934) 23:36:49.
Table 118. SNMP OIDs for Transceiver Monitoring Field (OID) Description SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.1 Device Name SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.2 Port SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.3 Optics Present SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4 Optics Type SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5 Vendor Name SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6 Part Number SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7 Serial Number SNMPv2-SMI::enterprises.6027.3.11.
51 Stacking Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 0 to 11 and it supports stacking up to six units.
• Inter-switch stacking link failure • Switch insertion • Switch removal If the master switch goes off line, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby. Stack Master Election The stack elects a master and standby unit at bootup time based on two criteria. • Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0.
Virtual IP You can manage the stack using a single IP, known as a virtual IP, that is retained in the stack even after a failover. The virtual IP address is used to log in to the current master unit of the stack. Both IPv4 and IPv6 addresses are supported as virtual IPs. Use the following command to configure a virtual IP: Dell(conf)#virtual-ip {ip-address | ipv6–address | dhcp} Failover Roles If the stack master fails (for example, is powered off), it is removed from the stack topology.
Stack MAC : 00:01:e8:d5:f9:6f -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version --------------------------------------------------0 Standby online S4810 7.8.1.0 52 1 Management online S4810 7.8.1.
Supported Stacking Topologies The device supports stacking in a ring or a daisy chain topology. Dell EMC Networking recommends the ring topology when stacking the switches to provide redundant connectivity. Figure 122. Supported Stacking Topologies High Availability on Stacks Stacks have master and standby management units analogous to Dell EMC Networking route processor modules (RPM).
Example of Accessing Non-Master Units on a Stack via the Console Port -----------------CONSOLE ACCESS ON A STANDBY---------------------------Dell(standby)#? cd Change current directory clear Reset functions copy Copy from one file to another delete Delete a file dir List files on a filesystem disable Turn off privileged commands enable Turn on privileged commands exit Exit from the EXEC format Format a filesystem fsck Filesystem check utility pwd Display current working directory rename Rename a file reset
Stack Group/Port Numbers By default, each unit in Standalone mode is numbered stack-unit 0. A maximum of eight 10G stack links or two 40G stack links can be made between two units in a stack. The front end ports are divided into 16 stack groups, each with 40G of bandwidth. Stack groups 0 through 11 correspond to 10G stack groups with four ports each. Stack groups 12 to 15 are one 40G port each. The front end ports accommodate SFP, SFP+ and QSFP+.
Enabling Front End Port Stacking To enable the front ports on a unit for stacking, use the following commands. NOTE: After a port has been allocated for stacking, you can only use it for stacking. If stack-group 0 is allocated for stacking, you can use ports 0, 1, 2, and 3 for stacking but not for Ethernet anymore. If only port 0 is used for stacking, ports 1, 2, and 3 are spare; they cannot be used for Ethernet. NOTE: You can stack a maximum of eight 10G stack ports. 1 Assign a stack group for each unit.
CONFIGURATION mode stack-unit stack—unit—number priority priority 5 Assign a stack group for each unit. CONFIGURATION mode stack-unit stack-unit—id stack-group stack-group—id Begin with the first port on the management unit. Next, configure both ports on each subsequent unit. Finally, return to the management unit and configure the last port. (refer to the following example.) 6 Connect the units using stacking cables. NOTE: The device does not require special stacking cables.
Stack MAC : 00:01:e8:8c:53:32 Reload Type : normal-reload [Next boot : normal-reload] -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports --------------------------------------------------------------0 Member not present 1 Management online S4810 S4810 4810-8-3-12-1447 64 2 Standby online S4810 S4810 4810-8-3-12-1447 64 3 Member online S4810 S4810 4810-8-3-12-1447 64 4 Member online S4810 S4810 4810-8-3-12-1447 64 5 Member not present 6 Member not present 7 Member not present 8 Member not presen
Add Units to an Existing Stack You can add units to an existing stack in one of three ways. • By manually assigning a new unconfigured unit a position in an existing stack. • By adding a configured unit to an existing stack. • By merging two stacks.
2 3 4 5 6 7 8 9 10 11 Member Standby Member Member Member Member Member Member Member Member not present online not present not present not present not present not present not present not present not present S4810 S4810 8-3-7-13 64 The following example shows adding a stack unit with a conflicting stack number (after).
7 Reload the switch. EXEC Privilege mode reload Dell EMC Networking OS automatically assigns a number to the new unit and adds it as member switch in the stack. The new unit synchronizes its running and startup configurations with the stack. 8 If a standalone switch already has stack groups configured. Attach cables to connect the ports already configured as stack groups on the switch to one or more switches in the stack.
• Creating a Virtual Stack Unit in a Stack • Displaying Information About a Stack • Influencing Management Unit Selection on a Stack • Managing Redundancy on a Stack • Resetting a Unit on a Stack • Recover from Stack Link Flaps Assigning Unit Numbers to Units in an Stack Each unit in the stack has a stack number that is either assigned by you or Dell EMC Networking OS. Units are numbered from 0 to 11, however, you can only stack six S4810 units.
show system stack-ports [status | topology] Examples of the show system Commands Display information about a switch stack using the show system command. The following is an example of the show system command to view the stack details.
The following is an example of the show system brief command to view the stack summary information.
Managing Redundancy on a Stack Use the following commands to manage the redundancy on a stack. • Reset the current management unit and make the standby unit the new master unit. EXEC Privilege mode redundancy force-failover stack-unit • A new standby is elected. When the former stack master comes back online, it becomes a member unit. Prevent the stack master from rebooting after a failover.
Displaying the Status of Stacking Ports To display the status of the stacking ports, including the topology, use the following command. • Display the stacking ports.
1 1 up AC up -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------1 0 up up 7200 up 7200 1 1 up up 7200 up 7440 Speed in RP The following example shows three switches stacked together in a daisy chain topology.
0 1 2 3 Management Member Member Standby online S4810 online S4810 not present online S4810 S4810 S4810 8-3-7-13 64 8-3-7-13 64 S4810 8-3-7-13 64 The following example shows removing a stack member (after).
Recover from Stack Link Flaps Stack link integrity monitoring enables units to monitor their own stack ports and disable any stack port that flaps five times within 10 seconds. Dell EMC Networking OS displays console messages for the local and remote members of a flapping link, and on the primary (master) and standby management units as KERN-2-INT messages if the flapping port belongs to either of these units. In the following example, a stack-port on the master flaps.
-- Power Supplies -Unit Bay Status Type FanStatus -----------------------------------0 0 down DC down 0 1 up DC up 1 0 absent absent 1 1 up AC up -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------0 0 up up 9360 up 9360 0 1 up up 9600 up 9360 1 0 up up 6720 up 6720 1 1 up up 6960 up 6720 Speed in RPM stack-1# 934 Stacking
52 Storm Control Storm control allows you to control unknown-unicast, muticast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, muticast, and broadcast control for Layer 2 and Layer 3 traffic. Dell EMC Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
• Configure the packets per second of broadcast traffic allowed on an interface (ingress only). INTERFACE mode storm-control broadcast packets_per_second in • Configure the packets per second of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only. INTERFACE mode storm-control multicast packets_per_second in • Shut down the port if it receives the PFC/LLFC packets more than the configured rate.
53 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
Configure Spanning Tree Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 125. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE switchport 3 Enable the interface.
Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. DellEMC(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown DellEMC(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
no disable Examples of Verifying Spanning Tree Information To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
The range is from 1 to 10. • the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
CAUTION: Enable PortFast only on links connecting to an end station. PortFast can cause loops if it is enabled on an interface connected to a network. To enable PortFast on an interface, use the following command. • Enable PortFast on an interface.
– Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disabling global spanning tree (the no spanning-tree in CONFIGURATION mode). Figure 127. Enabling BPDU Guard Dell EMC Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. drops the BPDU after it reaches the RP and generates a console message.
---------- ------ -------- ---- ------- --- ---------------Te 1/6 Root 128.263 128 20000 FWD 20000 P2P No Te 1/7 ErrDis 128.264 128 20000 EDS 20000 P2P No DellEMC(conf-if-te-1/7)#do show ip interface brief tengigabitEthernet 1/7 Interface IP-Address OK Method Status Protocol TenGigabitEthernet 1/7 unassigned YES Manual up up Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge.
In STP topology 3 (shown in the lower middle), if you have enabled the root guard feature on the STP port on Switch C that connects to device D, and device D sends a superior BPDU that would trigger the election of device D as the new root bridge, the BPDU is ignored and the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge. Figure 128.
• Enable root guard on a port or port-channel interface. INTERFACE mode or INTERFACE PORT-CHANNEL mode spanning-tree {0 | mstp | rstp | pvst} rootguard – – – – 0: enables root guard on an STP-enabled port assigned to instance 0. mstp: enables root guard on an MSTP-enabled port. rstp: enables root guard on an RSTP-enabled port. pvst: enables root guard on a PVST-enabled port.
lower left), Switch C does not receive BPDUs from Switch B. When the max-age timer expires, the STP port on Switch C becomes unblocked and transitions to Forwarding state. A loop is created as both Switch A and Switch C transmit traffic to Switch B. As shown in the following illustration (STP topology 2, upper right), a loop can also be created if the forwarding port on Switch B becomes busy and does not forward BPDUs within the configured forward-delay time.
Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard: • Loop guard is supported on any STP-enabled port or port-channel interface.
Example of Viewing STP Guard Configuration DellEMC#show spanning-tree 0 guard Interface Name Instance Sts Guard type --------- -------- --------- ---------Te 1/1 0 INCON(Root) Rootguard Te 1/2 0 LIS Loopguard Te 1/3 0 EDS (Shut) Bpduguard Spanning Tree Protocol (STP) 951
54 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 130.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer | core-transfer} start now DellEMC#support-assist activity full-transfer start now DellEMC#support-assist activity core-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity.
action-manifest remove DellEMC(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.json DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-event-transfer)#action-manifest remove custom_event_file1.json DellEMC(conf-supportassist-act-event-transfer)# 6 Enable a specific SupportAssist activity. By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
Configuring SupportAssist Person SupportAssist Person mode allows you to configure name, email addresses, phone, method and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands. 1 Configure the contact name for an individual.
[no] server server-name DellEMC(conf-supportassist)#server default DellEMC(conf-supportassist-serv-default)# 2 Configure a proxy for reaching the SupportAssist remote server. SUPPORTASSIST SERVER mode [no] proxy-ip-address {ipv4-address | ipv6-address}port port-number [ username userid password [encryption-type] password ] DellEMC(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.
show running-config support-assist DellEMC# show running-config support-assist ! support-assist enable all ! activity event-transfer enable action-manifest install default ! activity core-transfer enable ! contact-company name Dell street-address F lane , Sector 30 address city Brussels state HeadState country Belgium postalcode S328J3 ! contact-person first Fred last Nash email-address primary des@sed.com alternate sed@dol.
55 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell EMC Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell EMC Networking OS to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell EMC Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell EMC Networking system synchronizes.
Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell EMC Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
To configure NTP authentication, use the following commands. 1 Enable NTP authentication. CONFIGURATION mode ntp authenticate 2 Set an authentication key. CONFIGURATION mode ntp authentication-key number {md5 | sha1} key Configure the following parameters: 3 • number: the range is from 1 to 65534. This number must be the same as the number in the ntp trusted-key command. • key: enter a text string. This text string is encrypted. Define a trusted key.
ntp server 10.16.127.144 Dell EMC (conf)# Dell EMC#show ntp associations remote vrf-Id ref clock st when poll reach delay offset disp ==================================================================================== LOCAL(0) 0 .LOCL. 7 7 16 7 0.000 0.000 0.002 10.16.127.86 0 10.16.127.26 5 3 16 7 0.498 361.760 0.184 10.16.127.144 0 10.16.127.26 5 1 16 7 0.492 359.171 0.219 10.16.127.44 0 10.16.127.26 5 5 16 7 0.498 355.501 0.
Dell EMC Networking OS Time and Date You can set the time and date using the Dell EMC Networking OS CLI. Configuration Task List The following is a configuration task list for configuring the time and date settings.
– offset: enter one of the following: ◦ a number from 1 to 23 as the number of hours in addition to UTC for the timezone. ◦ a minus sign (-) then a number from 1 to 23 as the number of hours.
Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command. To set a recurring daylight saving time, use the following command. • Set the clock to the appropriate timezone and adjust to daylight saving time every year.
first Week number to start last Week number to start DellEMC(conf)#clock summer-time pacific recurring DellEMC(conf)#02:10:57: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "Summer time starts 00:00:00 Pacific Tue Mar 14 2017 ; Summer time ends 00:00:00 pacific Tue Nov 7 2017" to "Summer time starts 02:00:00 Pacific Tue Mar 14 2017;Summer time ends 02:00:00 pacific Tue Nov 7 2017" System Time and Date 969
56 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): DellEMC(conf)#interface tunnel 3 DellEMC(conf-if-tu-3)#tunnel source 5::5 DellEMC(conf-if-tu-3)#tunnel destination 8::9 DellEMC(conf-if-tu-3)#tunnel mode ipv6 DellEMC(conf-if-tu-3)#ip address 3.1.1.
The following sample configuration shows how to use the interface tunnel configuration commands. DellEMC(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 ip address 20.1.1.1/24 ipv6 address 20:1::1/64 no shutdown DellEMC(conf)#interface tunnel 1 DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1 DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1 DellEMC(conf-if-tu-1)#tunnel source 40.1.1.
! interface Tunnel 1 ip address 1.1.1.1/24 ipv6 address 1abd::1/64 tunnel source anylocal tunnel allow-remote 40.1.1.
57 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 132. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 133. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• • • If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up. UPLINK-STATE-GROUP mode downstream auto-recover The default is auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5 (Optional) Enter a text description of the uplink-state group.
3/52 02:36:43: 3/56 02:36:43: 02:36:43: 02:36:43: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Fo %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/48 %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/52 %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Fo 3/56 02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/7 02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: T
– group-id: The values are from 1 to 16. Examples of Viewing UFD Information (S50) The following example shows viewing the uplink state group status.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 00:01:23 The following example shows viewing the UFD configuration.
DellEMC# 00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console DellEMC# show running-config uplink-state-group ! uplink-state-group 3 description Testing UFD feature downstream disable links 2 downstream TenGigabitEthernet 1/1-2,5,9,11-12 upstream TenGigabitEthernet 1/3-4 DellEMC# show uplink-state-group 3 Uplink State Group: 3 Status: Enabled, Up DellEMC# show uplink-state-group detail (Up): Interface up (Dwn): Interface down (Dis): Interface disabled Uplink State Group : 3 Status: E
58 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
59 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode. CONFIGURATION mode interface vlan vlan-id To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. Example of Verifying a Port-Based VLAN To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T Ports Po1(So 0/0-1) Te 1/1 Po1(So 0/0-1) Te 1/2 DellEMC#config DellEMC(conf)#interface vlan 4 DellEMC(conf-if-vlan)#tagged po 1 DellEMC(conf-if-vlan)#show conf ! interface Vlan 4 no ip address tagged Port-channel 1 DellEMC(conf-if-vlan)#end DellEMC#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T 4 Active T Ports Po1(So 0/0-1) Te 1/1 Po1(So 0/0-1) Te 1/2 Po1(So
Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 Status Active Active 3 Active Q U T T T T Ports Te 1/2 Po1(So 0/0-1) Te 1/3 Po1(So 0/0-1) Te 1/1 4 Inactive DellEMC#conf DellEMC(conf)#interface vlan 4 DellEMC(conf-if-vlan)#untagged tengigabitethernet 1/2 DellEMC(conf-if-vlan)#show config ! interface Vlan 4 no ip address untagged TenGigabitEthernet 1/2 DellEMC(conf-if-vlan)#end DellEMC#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 3 4 Status Q Inactive Active T T Active T T Active U Po
Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports. Physical and port-channel interfaces may be hybrid ports. Native VLAN is useful in deployments where a Layer 2 port can receive both tagged and untagged traffic on the same physical port. The classic example is connecting a voice-over-IP (VOIP) phone and a PC to the same port of the switch.
60 VLT Proxy Gateway The virtual link trucking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discover protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 135. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • Proxy gateway is supported only for VLT; for example, across a VLT domain. • You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• You cannot change the VLT LAG to a legacy LAG when it is part of proxy-gateway. • You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway. • Dell EMC Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links. • The virtual router redundancy (VRRP) protocol and IPv6 routing is not supported. • Private VLANs (PVLANs) are not supported.
• You must configure the interface proxy gateway LLDP to enable or disable a proxy-gateway LLDP TLV on specific interfaces. • The interface is typically a VLT port-channel that connects to a remote VLT domain. • The new proxy gateway TLV is carried on the physical links under the port channel only. • You must have at least one link connection to each unit of the VLT domain. Following are the prerequisites for Proxy Gateway LLDP configuration: • You must globally enable LLDP.
LLDP VLT Proxy Gateway in a Square VLT Topology Figure 136. Sample Configuration for a VLT Proxy Gateway • The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing.
• Any L3 packet, when it gets an L3 hit and is routed, it has a time to live (TTL) decrement as expected. • You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
61 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
Figure 138. VLT providing multipath VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain.
Figure 139. Example of VLT Deployment VLT offers the following benefits: • Allows a single device to use a LAG across two upstream devices. • Eliminates STP-blocked ports. • Provides a loop-free topology. • Uses all available uplink bandwidth. • Provides fast convergence if either the link or a device fails. • Optimized forwarding with virtual router redundancy protocol (VRRP). • Provides link-level resiliency. • Assures high availability. • Active-Active load sharing with VRRP.
VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks.
Figure 141. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• With peer routing, you need not use VRRP. • You can use routing protocols in a VLT domain or between VLT domains (eVLT). • VLT Proxy Gateway enables one VLT domain to act as the default gateway for its peer VLT domain in an eVLT topology. Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • You cannot enable stacking simultaneously with VLT.
– Sticky MAC is enabled on an orphan port in the primary or secondary peer – MACs are currently inactive If this scenario occurs, use the clear mac-address-table sticky all command on the primary or secondary peer to correctly sync the MAC addresses. • If you enable static ARP on only one VLT peer, entries may be overwritten during bulk sync.
– The port channel must be in Default mode (not Switchport mode) to have VLTi recognize it. – The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs. – VLT peer switches operate as separate chassis with independent control and data planes for devices attached to non-VLT ports. – Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported.
– VLT supports port-channel links with LACP between access switches and VLT peer switches. Dell EMC Networking recommends using static port channels on VLTi. – If VLTi connectivity with a peer is lost but the VLT backup connectivity indicates that the peer is still alive, the VLT ports on the Secondary peer are orphaned and are shut down.
– On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding. – When a VLT switch determines that a VLT port channel has failed (and that no other local port channels are available), the peer with the failed port channel notifies the remote peer that it no longer has an active port channel for a link.
VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 ) When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
The delay-restore feature waits for all saved configurations to be applied, then starts a configurable timer. After the timer expires, the VLT ports are enabled one-by-one in a controlled manner. The delay between bringing up each VLT port-channel is proportional to the number of physical members in the port-channel. The default is 90 seconds. To change the duration of the configurable timer, use the delay-restore command.
Figure 142. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
NOTE: The peer routing and peer-routing-timeout is applicable for both IPv6/ IPv4. Configuring VLT Unicast To enable and configure VLT unicast, follow these steps. 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id 2 Enable peer-routing. VLT DOMAIN mode peer-routing 3 Configure the peer-routing timeout. VLT DOMAIN mode peer-routing—timeout value value: Specify a value (in seconds) from 1 to 65535.
Configuring VLT Multicast To enable and configure VLT multicast, follow these steps. 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id 2 Enable peer-routing. VLT DOMAIN mode peer-routing 3 Configure the multicast peer-routing timeout. VLT DOMAIN mode multicast peer-routing—timeout value value: Specify a value (in seconds) from 1 to 1200. 4 Configure a PIM-SM compatible VLT node as a designated router (DR).
Preventing Forwarding Loops in a VLT Domain During the bootup of VLT peer switches, a forwarding loop may occur until the VLT configurations are applied on each switch and the primary/secondary roles are determined. To prevent the interfaces in the VLT interconnect trunk and RSTP-enabled VLT ports from entering a Forwarding state and creating a traffic loop in a VLT domain, take the following steps.
NOTE: When you remove the VLT configuration, RSTP is recommended as a backup solution to avoid spanning—tree loops. In this case, you can use the following RSTP default values: • hello–time: 2 seconds • forward–delay: 15 seconds • max–age: 20 There is no additional performance gain on VLT, if you configure the RSTP values other than the default values. Configuring VLT To configure VLT, use the following procedure.
interface: specify one of the following interface types: 4 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 5 Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect.
VLT DOMAIN CONFIGURATION mode primary-priority value The priority values are from 1 to 65535. The default is 32768. If the primary peer fails, the secondary peer (with the higher priority) takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption). 6 (Optional) Prevent a possible loop during the bootup of a VLT peer switch or a device that accesses the VLT domain.
CONFIGURATION mode vlt domain domain-id The range of domain IDs from 1 to 1000. 2 Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted. CONFIGURATION mode delay-restore delay-restore-time The range is from 1 to 1200. The default is 90 seconds. Reconfiguring the Default VLT Settings (Optional) To reconfigure the default VLT settings, use the following commands. 1 Enter VLT-domain configuration mode for a specified VLT domain.
Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands. On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain. 1 Configure the same port channel to be used to connect to an attached device and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number 2 Remove an IP address from the interface.
The range of domain IDs is from 1 to 1000. 2 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 3 Enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down. VLT DOMAIN CONFIGURATION mode peer-down-vlan vlan interface number Configuring Enhanced VLT (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure.
The format is aaaa.bbbb.cccc. Also reconfigure the same MAC address on the VLT peer switch. Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 7 When you create a VLT domain on a switch, Dell EMC Networking OS automatically assigns a unique unit ID (0 or 1) to each peer switch. To explicitly configure the default values on each peer switch, use the following command.
16 Enable peer routing. VLT DOMAIN CONFIGURATION mode peer-routing If you enable peer routing, a VLT node acts as the proxy gateway for its peer. 17 Repeat steps 1 through 16 for the VLT peer node in Domain 1. 18 Repeat steps 1 through 16 for the first VLT node in Domain 2. 19 Repeat steps 1 through 16 for the VLT peer node in Domain 2. To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration.
show running-config entity 12 Verify that VLT is running. EXEC mode show vlt brief or show vlt detail 13 Verify that the VLT LAG is running in both VLT peer units. EXEC mode or EXEC Privilege mode show interfaces interface Example of Configuring VLT In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.
2 Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. 3 In the Top of Rack unit, configure LACP in the physical ports (shown for VLT peer 1 only. Repeat steps for VLT peer 2. The bold vltpeer-lag port-channel 2 indicates that port-channel 2 is the port-channel id configured in VLT peer 2).
Role Role Priority ICL Link Status HeartBeat Status VLT Peer Status Version Local System MAC address Remote System MAC address Remote system version Delay-Restore timer Delay-Restore Abort Threshold Peer-Routing Peer-Routing-Timeout timer Multicast peer-routing timeout DellEMC# : : : : : : : : : : Secondary 32768 Up Up Up 6(3) 00:01:e8:8a:e9:91 00:01:e8:8a:e9:76 6(3) 90 seconds : : : : 60 seconds Disabled 0 seconds 150 seconds Verify that the VLT LAG is up in VLT peer unit.
Configure both ends of the VLT interconnect trunk with identical PVST+ configurations. When you enable VLT, the show spanningtree pvst brief command output displays VLT information. DellEMC#show spanning-tree pvst vlan 1000 brief VLAN 1000 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 90b1.1cf4.9b79 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 0, Address 90b1.1cf4.
eVLT Configuration Step Examples In Domain 1, configure the VLT domain and VLTi on Peer 1. Domain_1_Peer1#configure Domain_1_Peer1(conf)#interface port-channel 1 Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-9 Domain_1_Peer1(conf)#vlt domain 1000 Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1 Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Domain_2_Peer3(conf-vlt-domain)# system-mac mac-address 00:0b:00:0b:00:0b Domain_2_Peer3(conf-vlt-domain)# peer-routing Domain_2_Peer3(conf-vlt-domain)# unit-id 0 Configure eVLT on Peer 3. Domain_2_Peer3(conf)#interface port-channel 100 Domain_2_Peer3(conf-if-po-100)# switchport Domain_2_Peer3(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_2_Peer3(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 3.
The following example shows how to configure the VLTi port as a static multicast router port for the VLAN. VLT_Peer1(conf)#interface vlan 4001 VLT_Peer1(conf-if-vl-4001)#ip igmp snooping mrouter interface port-channel 128 VLT_Peer1(conf-if-vl-4001)#exit VLT_Peer1(conf)#end The following example shows how to repeat these steps on VLT Peer Node 2. VLT_Peer2(conf)#ip multicast-routing VLT_Peer2(conf)#interface vlan 4001 VLT_Peer2(conf-if-vl-4001)#ip address 140.0.0.
EXEC mode show interfaces interface – interface: specify one of the following interface types: ◦ For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. ◦ For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. ◦ For a port channel interface, enter the keywords port-channel then a number. Examples of the show vlt and show spanning-tree rstp Commands The following example shows the show vlt backup-link command.
Dell_VLTpeer2# show vlt detail Local LAG Id -----------2 100 Peer LAG Id ----------127 100 Local Status -----------UP UP Peer Status ----------UP UP Active VLANs ------------20, 30 10, 20, 30 The following example shows the show vlt role command.
The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt). Dell_VLTpeer1# show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e88a.dff8 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 4096, Address 0001.e88a.
Configure the VLT interconnect (VLTi). Dell_VLTpeer1(conf)#interface port-channel 100 Dell_VLTpeer1(conf-if-po-100)#no ip address Dell_VLTpeer1(conf-if-po-100)#channel-member fortyGigE 1/48,52 Dell_VLTpeer1(conf-if-po-100)#no shutdown Dell_VLTpeer1(conf-if-po-100)#exit Configure the port channel to an attached device.
Q: U - Untagged, T - Tagged x - Dot1x untagged, X - Dot1x tagged G - GVRP tagged, M - Vlan-stack, H - Hyperpull tagged NUM Status Description Q Ports 10 Active U Po110(Fo 1/48) T Po100(Fo 1/56,60) Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) On an access device, verify the port-channel connection to a VLT domain.
Description Behavior at Peer Up Behavior During Run Time Action to Take System MAC mismatch A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated. Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units. Unit ID mismatch The VLT peer does not boot up. The VLTi is forced to a down state. The VLT peer does not boot up. The VLTi is forced to a down state.
The association of PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured to be a member of either the primary or secondary PVLAN (which is associated with the primary), ICL becomes an automatic member of that PVLAN on both switches. This association helps the PVLAN data flow received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the peer. You can associate either a VLT VLAN or a VLT LAG to a PVLAN.
The PVLAN mode of VLT LAGs on one peer is validated against the PVLAN mode of VLT LAGs on the other peer. MAC addresses that are learned on that VLT LAG are synchronized between the peers only if the PVLAN mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur.
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN The following table illustrates the association of the VLTi link and PVLANs, and the MAC synchronization of VLT nodes in a PVLAN (for various modes of operations of the VLT peers): Table 122.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 Access Access Access Access ICL VLAN Membership Mac Synchronization Yes Yes Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Peer1 Peer2 - Primary VLAN X - Primary VLAN X Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PV
5 To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch. 6 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 7 Enter the port-channel number that acts as the interconnect trunk.
8 Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Proxy ARP Capability on VLT Peer Nodes The proxy ARP functionality is supported on VLT peer nodes.
The IP address of the VLT node VLAN interface is synchronized with the VLT peer over ICL when the VLT peers are up. Whenever you add or delete an IP address, this updated information is synchronized with the VLT peer. IP address synchronization occurs regardless of the VLAN administrative state. IP address addition and deletion serve as the trigger events for synchronization. When a VLAN state is down, the VLT peer might perform a proxy ARP operation for the IP addresses of that VLAN interface.
multicast outgoing interface (OIF), after a VLT peer node failure, using the multicast peer-routing-timeout command in VLT DOMAIN mode. Using the bootstrap router (BSR) mechanism, you can configure both the VLT nodes in a VLT domain as the candidate RP for the same group range. When an RP fails, the VLT peer automatically takes over the role of the RP. This phenomenon enables resiliency by the PIM BSR protocol. Configuring VLAN-Stack over VLT To configure VLAN-stack over VLT, follow these steps.
no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown DellEMC# DellEMC(conf)#interface port-channel 20 DellEMC(conf-if-po-20)#switchport DellEMC(conf-if-po-20)#vlt-peer-lag port-channel 20 DellEMC(conf-if-po-20)#vlan-stack trunk DellEMC(conf-if-po-20)#no shutdown DellEMC#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switchport vlan-stack trunk vlt-peer-lag port-channel 20 no shutdown DellEMC# Configure the VLAN as a VLAN-Stack VLAN and
vlt domain 1 peer-link port-channel 1 back-up destination 10.16.151.
NUM 50 Status Active Description DellEMC# Q M M V Ports Po10(Te 1/8) Po20(Te 1/20) Po1(Te 1/30-32) IPv6 Peer Routing in VLT Domains Overview VLT enables the physical links between two devices that are called VLT nodes or peers, and within a VLT domain, to be considered as a single logical link to external devices that are connected using LAG bundles to both the VLT peers.
• During failure cases, when a VLT node goes down and comes back up all the ND entries learned via VLT interface must synchronize to the peer VLT node. Synchronization of IPv6 ND Entries in a Non-VLT Domain Layer 3 VLT provides a higher resiliency at the Layer 3 forwarding level. Routed VLT allows you to replace VRRP with routed VLT to route the traffic from Layer 2 access nodes. With ND synchronization, both the VLT nodes perform Layer 3 forwarding on behalf of each other.
Figure 144. Sample Configuration of IPv6 Peer Routing in a VLT Domain Sample Configuration of IPv6 Peer Routing in a VLT Domain Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Figure 145. Sample Configuration of IPv6 Peer Routing in a VLT Domain Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL.
Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
Non-VLT host to Non-VLT host traffic flow When VLT node receives traffic from non-VLT host intended to the non-VLT host, it does neighbor entry lookup and routes traffic over ICL interface. If traffic reaches wrong VLT peer, it routes the traffic over ICL. Router Solicitation When VLT node receives router Solicitation on VLT interface/non-VLT interface it consumes the packets and will send RA back on the received interface. VLT node will drop the RS message if it is received over ICL interface.
62 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs.Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 146. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
If the next-hop IP in a static route VRF statement is VRRP IP of another VRF, this static route does not get installed on the VRRP master. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the nondefault VRF. Table 123.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF OSPFv3 Yes Yes IS-IS Yes Yes BGP Yes Yes ACL Yes No Multicast No No NDP Yes Yes RAD Yes Yes DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
show ip vrf [vrf-name] Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. See the Open Shortest Path First (OSPFv2) chapter for complete OSPF configuration information. Assign an OSPF process to a VRF instance . Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
Task Command Syntax Command Mode 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 43, Gratuitous ARP sent: 0 Virtual MAC address: 00:00:5e:00:01:0a Virtual IP address: 10.1.1.100 Authentication: (none) Configuring Management VRF You can assign a management interface to a management VRF. NOTE: The loopback interface cannot be added into the management VRF. 1 Create a management VRF.
Configuring a Static Route • Configure a static route that points to a management interface. CONFIGURATION management route ip-address mask managementethernet ormanagement route ipv6-address prefixlength managementethernet You can also have the management route to point to a front-end port in case of the management VRF. For example: management route 2::/64 tengigabitethernet 1/1. • Configure a static entry in the IPv6 neighbor discovery.
Figure 148. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 ip vrf blue 1 ! ip vrf orange 2 ! ip vrf green 3 ! interface TenGigabitEthernet no ip address switchport no shutdown ! interface TenGigabitEthernet ip vrf forwarding blue ip address 10.0.0.1/24 no shutdown ! interface TenGigabitEthernet ip vrf forwarding orange ip address 20.0.0.
ip vrf forwarding green ip address 30.0.0.1/24 no shutdown ! interface Vlan 128 ip vrf forwarding blue ip address 1.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.1 network 1.0.0.0/24 area 0 network 10.0.0.
ip address 2.0.0.2/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.2/24 tagged TenGigabitEthernet 3/1 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.2 network 11.0.0.0/24 area 0 network 1.0.0.0/24 area 0 passive-interface TenGigabitEthernet 2/1 ! router ospf 2 vrf orange router-id 2.0.0.2 network 21.0.0.0/24 area 0 network 2.0.0.0/24 area 0 passive-interface TenGigabitEthernet 2/2 ! ip route vrf green30.0.0.0/24 3.0.0.
DellEMC#show ip route vrf orange Codes: C - connected, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination ----------2.0.0.0/24 20.0.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway ----------------C 1.0.0.0/24 Direct, Vl 128 O 10.0.0.0/24 via 1.0.0.1, Vl 128 C 11.0.0.
The following example illustrates how route leaking between two VRFs can be performed: interface TenGigabitEthernet 1/9 ip vrf forwarding VRF1 ip address 120.0.0.1/24 interface TenGigabitEthernet 1/10 ip vrf forwarding VRF2 ip address 140.0.0.1/24 ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2 ip route vrf VRF2 40.0.0.0/16 120.0.0.
ip vrf vrf-shared interface interface-type slot/port ip vrf forwarding vrf-shared ip address ip—address mask A non-default VRF named VRF-Shared is created and the interface 1/4 is assigned to this VRF. 2 Configure the export target in the source VRF:. ip route-export 1:1 3 Configure VRF-red. ip vrf vrf-red interface-type slot/port ip vrf forwarding VRF-red ip address ip—address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
The show run output for the above configuration is as follows: ip vrf ip ip ! ip vrf ip ip ! ip vrf ! ip vrf ip ip ip VRF-Red route-export route-import 2:2 1:1 VRF-Blue route-export route-import 3:3 1:1 VRF-Green VRF-shared route-export route-import route-import 1:1 2:2 3:3 Show routing tables of all the VRFs (without any route-export and route-import tags being configured) DellEMC# show ip route vrf VRF-Red O 11.1.1.1/32 via 111.1.1.1 110/0 C 111.1.1.
DellEMC# show ip route vrf VRF-Shared O 11.1.1.1/32 via VRF-Red:111.1.1.1 110/0 C 111.1.1.0/24 Direct, VRF-Red:Te 1/11 0/0 O 22.2.2.2/32 via VRF-Blue:122.2.2.2 110/0 C 122.2.2.0/24 Direct, VRF-Blue:Te 1/22 0/0 O 44.4.4.4/32 via 144.4.4.4 110/0 00:00:11 C 144.4.4.
interface-type slot/port ip vrf forwarding VRF-red ip address ip—address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF. 2 Define a route-map export_ospfbgp_protocol. DellEMC(config)route-map export_ospfbgp_protocol permit 10 3 Define the matching criteria for the exported routes.
The show VRF commands displays the following output: DellEMC# show ip route vrf VRF-Blue C 122.2.2.0/24 Direct, Te 1/22 0/0 O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11 O 44.4.4.4/32 22:39:61 via vrf-red:144.4.4.4 0/0 00:32:36 << only OSPF and BGP leaked from VRF-red Important Points to Remember • Only Active routes are eligible for leaking. For example, if VRF-A has two routes from BGP and OSPF, in which the BGP route is not active. In this scenario, the OSPF route takes precedence over BGP.
63 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 149. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. NOTE: In a VLT environment, VRRP configuration acts as active-active and if route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node. Table 125.
The VRID range is from 1 to 255. • NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group. INTERFACE mode no vrrp-group vrid Examples of Configuring and Verifying VRRP The following examples how to configure VRRP. DellEMC(conf)#interface tengigabitethernet 1/1 DellEMC(conf-if-te-1/1)#vrrp-group 111 DellEMC(conf-if-te-1/1-vrid-111)# The following examples how to verify the VRRP configuration.
Example: Migrating an IPv4 VRRP Group from VRRPv2 to VRRPv3 NOTE: Carefully following this procedure, otherwise you might introduce dual master switches issues. To migrate an IPv4 VRRP Group from VRRPv2 to VRRPv3: 1 Set the backup switches to VRRP version to both. Dell_backup_switch1(conf-if-te-1/1-vrid-100)#version both Dell_backup_switch2(conf-if-te-1/2-vrid-100)#version both 2 Set the master switch to VRRP protocol version 3.
Examples of the Configuring and Verifying a Virtual IP Address The following example shows how to configure a virtual IP address. DellEMC(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.1 DellEMC(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.2 DellEMC(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.3 The following example shows how to verify a virtual IP address configuration. NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
• Configure the priority for the VRRP group. INTERFACE -VRID mode priority priority The range is from 1 to 255. The default is 100. Examples of the priority Command DellEMC(conf-if-te-1/2)#vrrp-group 111 DellEMC(conf-if-te-1/2-vrid-111)#priority 125 To verify the VRRP group priority, use the show vrrp command. Dellshow vrrp -----------------TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 VRF: 0 default State: Master, Priority: 255, Master: 10.10.10.
Examples of the authentication-type Command The bold section shows the encryption type (encrypted) and the password. DellEMC(conf-if-te-1/1-vrid-111)#authentication-type ? DellEMC(conf-if-te-1/1-vrid-111)#authentication-type simple 7 force10 The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password.
Changing the Advertisement Interval By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
Track an Interface or Object You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost). If the tracked interface’s state goes up, the VRRP group’s priority increases by 10.
• (Optional) Display the configuration of tracked objects in VRRP groups on a specified interface. EXEC mode or EXEC Privilege mode show running-config interface interface Examples of Configuring and Viewing the track Command The following example shows how to configure tracking using the track command. DellEMC(conf-if-te-1/1)#vrrp-group 111 DellEMC(conf-if-te-1/1-vrid-111)#track Tengigabitethernet 1/2 The following example shows how to verify tracking using the show conf command.
The following example shows verifying the VRRP configuration on an interface. DellEMC#show running-config interface tengigabitethernet 1/8 interface TenGigabitEthernet 1/8 no ip address ipv6 address 2007::30/64 vrrp-ipv6-group 1 track 2 priority-cost 20 track 3 priority-cost 30 virtual-address 2007::1 virtual-address fe80::1 no shutdown Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot.
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#interface tengigabitethernet 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
Figure 151. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-te-1/1-vrid-10)#virtual-address fe80::10 R2(conf-if-te-1/1-vrid-10)#virtual-address 1::10 R2(conf-if-te-1/1-vrid-10)#no shutdown R2(conf-if-te-1/1)#show config interface TenGigabitEthernet 1/1 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default State: Master, Priority: 100, Master: fe80::201:e8ff:
VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN. The following example shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 1/1 S1(conf-if-te-1/1)#ip vrf forwarding VRF-1 S1(conf-if-te-1/1)#ip address 10.10.1.5/24 S1(conf-if-te-1/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177. S1(conf-if-te-1/1-vrid-101)#priority 100 S1(conf-if-te-1/1-vrid-101)#virtual-address 10.10.1.2 S1(conf-if-te-1/1)#no shutdown ! S1(conf)#interface TenGigabitEthernet 1/2 S1(conf-if-te-1/2)#ip vrf forwarding VRF-2 S1(conf-if-te-1/2)#ip address 10.10.1.
! S2(conf)#interface TenGigabitEthernet 1/3 S2(conf-if-te-1/3)#ip vrf forwarding VRF-3 S2(conf-if-te-1/3)#ip address 20.1.1.6/24 S2(conf-if-te-1/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S2(conf-if-te-1/3-vrid-105)#priority 100 S2(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.
DellEMC#show vrrp vrf vrf1 vlan 400 -----------------Vlan 400, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 1 vrf1 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) DellEMC#show vrrp vrf vrf2 port-channel 1 -----------------Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.
S2(conf-if-vl-300)#no shutdown DellEMC#show vrrp vrf vrf1 vlan 400 -----------------Vlan 400, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 1 vrf1 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) Vlan 400, IPv4 VRID: 10, Version: 2, Net: 20.1.1.
Figure 153. VRRP for IPv6 Topology NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
NOTE: The virtual IPv6 address you configure should be the same as the IPv6 subnet to which the interface belongs.
Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80::255 DellEMC#show vrrp tengigabitethernet 2/8 TenGigabitEthernet 2/8, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed VRF: 0 default State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120 Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255
64 X.509v3 supports X.509v3 standards. Topics: • Introduction to X.509v3 certification • X.509v3 support in • Information about installing CA certificates • Information about Creating Certificate Signing Requests (CSR) • Information about installing trusted certificates • Transport layer security (TLS) • Online Certificate Status Protocol (OSCP) • Verifying certificates • Event logging Introduction to X.509v3 certification X.
1 An entity or organization that wants a digital certificate requests one through a CSR. 2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN). 3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the root CA signs the intermediate CA’s CSR generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
During the initial TLS protocol negotiation, both participating parties also check to see if the other’s certificate is revoked by the CA. To do this check, the devices query the CA’s designated OCSP responder on the network. The OCSP responder information is included in the presented certificate, the Intermediate CA inserts the info upon signing it, or it may be statically configured on the host. Information about installing CA certificates Dell EMC Networking OS enables you to download and install X.
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields. Information about installing trusted certificates Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to the TLS server implementations that require client authentication such as Syslog.
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS compression is disabled by default. TLS session resumption is also supported to reduce processor and traffic overhead due to public key cryptographic operations and handshake traffic. However, the maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable with a default of 1 hour.
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http:// [1100::203]:6514. Configuring OCSP behavior You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step: In CONFIGURATION mode, enter the following command: crypto x509 ocsp {[nonce] [sign-request]} Both the none and sign-request parameters are optional.
Verifying Server certificates Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates against installed CA certificates. NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IP address specified in the application.
65 Debugging and Diagnostics This chapter describes debugging and diagnostics for the device. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
EXEC Privilege mode show system brief 3 Start diagnostics on the unit. diag stack-unit stack-unit-number When the tests are complete, the system displays the following message and automatically reboots the unit. DellEMC#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt Diags completed...
4 5 6 7 8 9 10 11 Member Member Member Member Member Member Member Member not not not not not not not not present present present present present present present present -- Power Supplies -Unit Bay Status Type FanSpeed(rpm) --------------------------------------------------------------------------0 0 down UNKNOWN 0 0 1 up AC 14000 -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -----------------------------------------------------------------------------------0 0 up up 13466 up 13466 0 1 up up
Diag image based on build Stack Unit Board temperature Stack Unit Number : 9-4(0-89) : 50 Degree C : 1 **************************Stack Unit EEPROM INFO************************** **************MFG INFO******************* Data in Chassis Eeprom Vendor Id : Country Code : Date Code : Serial Number : Part Number : Product Revision : Product Order Number : Mfg Info is listed as...
NOTE: Non-management member units do not support this functionality. Last Restart Reason If the system restarts for some reason (automatically or manually), the show system command output includes the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes. Table 126.
• View the forwarding plane statistics containing the packet buffer statistics per COS per port. EXEC Privilege mode show hardware stack-unit {0-11} buffer unit {0-1} port {1-64} queue {0-14 | all} buffer-info • View input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
enable optic-info-update interval Example of the show interfaces transceiver Command DellEMC#show interfaces fortyGigE 1/52 transceiver QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP 52 52 52 52 52 52 52 52 52 52 52 52 52 52 52 52 52 52 52 52 Serial ID Base Fields Id = Ext Id = Connector = Transceiver Code = Encoding = Length(SFM) Km = Length(OM3) 2m = Length(OM2) 1m = Length(OM1) 1m = Length(Copper) 1m = Vendor Rev = Laser Wavelength = CheckCodeBase =
• If directly adjacent cards are normal temperature, suspect a faulty sensor. When the system detects a genuine over-temperature condition, it powers off the card.
Table 127. SNMP Traps and OIDs OID String OID Name Description chSysPortXfpRecvPower OID displays the receiving power of the connected optics. chSysPortXfpTxPower OID displays the transmitting power of the connected optics. chSysPortXfpRecvTemp OID displays the temperature of the connected optics. Receiving Power .1.3.6.1.4.1.6027.3.10.1.2.5.1.6 Transmitting power .1.3.6.1.4.1.6027.3.10.1.2.5.1.8 Temperature .1.3.6.1.4.1.6027.3.10.1.2.5.1.
Similarly, when you configure buffer-profile global, you cannot not apply a buffer profile on any single interface. A message similar to the following displays: % Error: Global pre-defined buffer profile already applied. Failed to apply user-defined buffer profile on interface Te 1/1. Please remove global pre-defined buffer profile. To apply a predefined buffer profile, use the following command: • Apply one of the predefined buffer profiles for all port pipes in the system.
Total IngMac Drops :0 Total Mmu Drops :0 Total EgMac Drops :0 Total Egress Drops :0 UNIT No: 1 Total Ingress Drops :0 Total IngMac Drops :0 Total Mmu Drops :0 Total EgMac Drops :0 Total Egress Drops :0 DellEMC#show hardware stack-unit 0 drops unit 0 Port# :Ingress Drops :IngMac Drops :Total Mmu Drops :EgMac Drops :Egress Drops 1 0 0 0 0 0 2 0 0 0 0 0 3 0 0 0 0 0 4 0 0 0 0 0 5 0 0 0 0 0 6 0 0 0 0 0 7 0 0 0 0 0 8 0 0 0 0 0 Example of show hardware drops interface interface DellEMC#show hardware drops interfac
INVALID VLAN CNTR Drops L2MC Drops PKT Drops of ANY Conditions Hg MacUnderflow TX Err PKT Counter --- Error counters--Internal Mac Transmit Errors Unknown Opcodes Internal Mac Receive Errors : : : : : 0 0 0 0 0 : 0 : 0 : 0 Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU.
txPkt(COS11) txPkt(UNIT0) :0 :0 Example of Viewing Party Bus Statistics DellEMC#sh hardware stack-unit 1 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX RX RX RX RX RX RX RX RX RX RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - Unicast Packet Counter Multicast Packet Counter Broadcast Frame Counter Byte Counter Control frame counter PAUSE frame counter Oversized frame counter Jabber frame counter VLAN tag frame counter Double VLAN tag frame counter RUNT frame counter Fragment counter VLAN tagged packets 64 Byte Frame Counter 64 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 t
RX RX RX RX RX RX RX RX RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - Broadcast Frame Counter Byte Counter Control frame counter PAUSE frame counter Oversized frame counter Jabber frame counter VLAN tag frame counter Double VLAN tag frame counter RUNT frame counter Fragment counter VLAN tagged packets 64 Byte Frame Counter 64 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter 1024 to 1518 Byte Frame Coun
RX - Fragment Counter RX - VLAN Tagged Packets RX - Ingress Dropped Packet RX - MTU Check Error Frame Counter RX - PFC Frame Priority 0 RX - PFC Frame Priority 1 RX - PFC Frame Priority 2 RX - PFC Frame Priority 3 RX - PFC Frame Priority 4 RX - PFC Frame Priority 5 RX - PFC Frame Priority 6 RX - PFC Frame Priority 7 RX - Debug Counter 0 RX - Debug Counter 1 RX - Debug Counter 2
10 11 12 13 -rw-rw-rw-rw- 156 156 156 156 Aug Aug Aug Aug 28 31 29 31 2009 2009 2009 2009 19:07:36 16:18:50 14:28:34 16:14:56 +00:00 +00:00 +00:00 +00:00 f10StkUnit0.frrp.acore.mini.txt f10StkUnit2.sysd.acore.mini.txt f10StkUnit0.ipm1.acore.mini.txt f10StkUnit0.acl.acore.mini.
66 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 12,000 bytes RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 128.
R F C # Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 24 Definition of 7.7.1 74 the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 26 PPP over 15 SONET/SDH 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 26 A Two Rate 9 Three Color 8 Marker 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.
General IPv4 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv4 protocols. Table 129. General IPv4 Protocols RF C# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 791 Internet Protocol 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 826 An Ethernet Address Resolution 7.6.1 Protocol 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
General IPv6 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv6 protocols. Table 130. General IPv6 Protocols RFC # Full Name S-Series 1886 DNS Extensions to support IP 7.8.1 version 6 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 1981 Path MTU Discovery for IP (Part version 6 ial) 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Border Gateway Protocol (BGP) The following table lists the Dell EMC Networking OS support per platform for BGP protocols. Table 131. Border Gateway Protocol (BGP) RFC# Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1997 BGP ComAmtturnibituitees 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2439 BGP Route Flap Damping 7.8.
Open Shortest Path First (OSPF) The following table lists the Dell EMC Networking OS support per platform for OSPF protocol. Table 132. Open Shortest Path First (OSPF) RFC # Full Name S-Series/ZSeries S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1587 The OSPF Not-SoStubby Area (NSSA) Option 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2154 OSPF with Digital Signatures 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 2370 The OSPF Opaque LSA Option 7.6.1 9.8(0.
RFC# Full Name S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 3784 Intermediate System to Intermediate System (IS-IS) Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 5120 MT-ISIS: Multi Topology (MT) 9.8(0.0P2) Routing in Intermediate System to Intermediate Systems (ISISs) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 5306 Restart Signaling for IS-IS 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.
Multicast The following table lists the Dell EMC Networking OS support per platform for Multicast protocol. Table 135. Multicast RFC# Full Name S-Series S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 1112 Host Extensions for IP Multicasting 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2236 Internet Group Management Protocol, Version 2 7.8.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.10(0.1) 9.10(0.1) 3376 Internet Group Management Protocol, Version 3 7.8.1 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) dot1dTpLearnedEntryDiscards object] 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 Management Information Base 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 1901 Introduction to Community-based SNMPv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 7.6.1 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON Internet-standard Network Management Framework 2578 Structure of Management Information Version 2 (SMIv2) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2579 Textual Conventions for SMIv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 2580 Conformance Statements for SMIv2 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON Network Management Protocol (SNMP) 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3434 Remote Monitoring MIB 7.6.1 Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 3580 IEEE 802.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.2(0.0) 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) isisISAdjIPAddrTable isisISAdjProtSuppTable draftietfnetmod interfac escfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. IEEE 802.1A B Management Information Base 7.7.1 module for LLDP configuration, statistics, local system data and remote systems data components. 9.8(0.0P2) 9.8(0.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 E-Series Enterprise 10Chassis MIB CHASS IS-MIB 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 File Copy MIB (supporting 7.7.1 10SNMP SET operation) COPYCONFI G-MIB 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.
RFC# Full Name S4810 S3048–ON S4048–ON Z9100–ON S4048T-ON S6010–ON FORCE Force10 Textual Convention 10-TCMIB 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) FORCE Force10 Trap Alarm MIB 10TRAPALARM -MIB 7.6.1 9.8(0.0P2) 9.8(0.0P5) 9.8(1.0) 9.8(1.0) 9.8(1.0) ONENT -MIB MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.
