Dell Configuration Guide for the S6010–ON System 9.14.2.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents 1 About this Guide...........................................................................................................................................37 Audience............................................................................................................................................................................37 Conventions.....................................................................................................................................................
Configuring Privilege Levels........................................................................................................................................... 58 Creating a Custom Privilege Level........................................................................................................................... 59 Removing a Command from EXEC Mode..............................................................................................................
Restoring Factory Default Environment Variables................................................................................................. 80 Viewing the Reason for Last System Reboot............................................................................................................... 81 Disabling Syslog Messages for SNMP Authentication Failure Events....................................................................... 81 5 802.1X.............................................................
Applying Egress Layer 3 ACLs (Control-Plane).................................................................................................... 108 IP Prefix Lists.................................................................................................................................................................. 108 Implementation Information....................................................................................................................................
BGP global and address family configuration........................................................................................................163 Implement BGP with Dell EMC Networking OS...................................................................................................164 Configuration Information........................................................................................................................................167 Basic BGP configuration tasks.......................
Test CAM Usage............................................................................................................................................................ 225 View CAM Profiles.........................................................................................................................................................225 View CAM-ACL Settings..............................................................................................................................................
PFC and ETS Configuration Examples........................................................................................................................ 251 Using PFC to Manage Converged Ethernet Traffic...................................................................................................252 Operations on Untagged Packets................................................................................................................................
DHCP Relay When DHCP Server and Client are in Different VRFs........................................................................ 283 Configuring Route Leaking between VRFs on DHCP Relay Agent................................................................... 284 Non-default VRF configuration for DHCPv6 helper address...................................................................................285 Configuring DHCP relay source interface................................................................
Configure a Port for a Bridge-to-FCF Link...........................................................................................................308 Impact on Other Software Features..................................................................................................................... 308 FIP Snooping Restrictions...................................................................................................................................... 309 Configuring FIP Snooping.................
Example Scenario.................................................................................................................................................... 332 Important Points to Remember..............................................................................................................................333 17 GARP VLAN Registration Protocol (GVRP).............................................................................................. 334 Important Points to Remember.................
19 Interfaces................................................................................................................................................. 358 Basic Interface Configuration.......................................................................................................................................358 Advanced Interface Configuration...............................................................................................................................358 Interface Types...
Define the Interface Range.....................................................................................................................................377 Choosing an Interface-Range Macro.....................................................................................................................377 Monitoring and Maintaining Interfaces........................................................................................................................ 377 Maintenance Using TDR............
Enabling Dynamic Resolution of Host Names.............................................................................................................401 Specifying the Local System Domain and a List of Domains.................................................................................... 401 Configuring DNS with Traceroute................................................................................................................................402 ARP...............................................
Adjusting Your CAM-Profile.....................................................................................................................................421 Assigning an IPv6 Address to an Interface........................................................................................................... 422 Assigning a Static IPv6 Route................................................................................................................................ 423 Configuring Telnet with IPv6......
Setting the Overload Bit......................................................................................................................................... 454 Debugging IS-IS....................................................................................................................................................... 455 IS-IS Metric Styles.........................................................................................................................................................
Configuring FEFD.................................................................................................................................................... 482 Enabling FEFD on an Interface...............................................................................................................................483 Debugging FEFD......................................................................................................................................................
Protocol Overview...........................................................................................................................................................511 Anycast RP......................................................................................................................................................................512 Implementation Information..................................................................................................................................
Implementation Information....................................................................................................................................538 Configure Multiple Spanning Tree Protocol................................................................................................................538 Related Configuration Tasks...................................................................................................................................
Disable MLD Snooping.............................................................................................................................................571 Configure the switch as a querier...........................................................................................................................571 Specify port as connected to multicast router..................................................................................................... 571 Enable Snooping Explicit Tracking...
Configuring Stub Areas...........................................................................................................................................609 Configuring Passive-Interface................................................................................................................................609 Redistributing Routes..............................................................................................................................................
Enabling RP to Server Specific Multicast Groups............................................................................................... 643 38 Port Monitoring....................................................................................................................................... 644 Important Points to Remember................................................................................................................................... 644 Port Monitoring............................
Create a QoS Policy.................................................................................................................................................675 DSCP Color Maps.................................................................................................................................................... 677 Create Policy Maps..................................................................................................................................................
Configuring Rapid Spanning Tree................................................................................................................................. 710 Related Configuration Tasks....................................................................................................................................710 Important Points to Remember.................................................................................................................................... 710 RSTP and VLT.......
Telnet............................................................................................................................................................................... 762 VTY Line and Access-Class Configuration................................................................................................................. 762 VTY Line Local Authentication and Authorization...............................................................................................
47 sFlow........................................................................................................................................................797 Overview......................................................................................................................................................................... 797 Implementation Information..........................................................................................................................................
Viewing the Reason for Last System Reboot Using SNMP............................................................................... 819 MIB Support for Power Monitoring............................................................................................................................. 819 MIB Support to Display the Available Memory Size on Flash...................................................................................820 Viewing the Available Flash Memory Size...............................
Stack Master Election.............................................................................................................................................845 Virtual IP................................................................................................................................................................... 845 Failover Roles..........................................................................................................................................................
Modifying Global Parameters....................................................................................................................................... 865 Modifying Interface STP Parameters..........................................................................................................................866 Enabling PortFast...........................................................................................................................................................
Configuring Tunnel source anylocal Decapsulation....................................................................................................894 Guidelines for Configuring Multipoint Receive-Only Tunnels................................................................................... 894 Multipoint Receive-Only Tunnels................................................................................................................................. 894 55 Uplink Failure Detection (UFD)................
PIM-Sparse Mode Support on VLT........................................................................................................................921 VLT Routing .............................................................................................................................................................923 Non-VLT ARP Sync................................................................................................................................................. 926 RSTP Configuration.
59 VLT Proxy Gateway..................................................................................................................................975 Proxy Gateway in VLT Domains................................................................................................................................... 975 Guidelines for Enabling the VLT Proxy Gateway.................................................................................................. 976 Enable VLT Proxy Gateway......................
Configuring NSX-based VxLAN on VLT Peer Devices...................................................................................... 1008 Configuring VLT for NSX-based VxLAN............................................................................................................. 1009 Configuring and Controlling VXLAN from the NSX Controller GUI.................................................................. 1014 61 Virtual Routing and Forwarding (VRF)...................................................
Troubleshoot an Over-temperature Condition.................................................................................................... 1057 Recognize an Under-Voltage Condition...............................................................................................................1057 Troubleshoot an Under-Voltage Condition.......................................................................................................... 1057 Buffer Tuning................................................
Configuring Revocation Behavior........................................................................................................................ 1085 Configuring OSCP responder preference........................................................................................................... 1085 Verifying certificates....................................................................................................................................................1085 Verifying Server certificates.
1 About this Guide
This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. Though this guide contains information about protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell EMC Networking systems.
2 Configuration Fundamentals
The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
The Dell EMC Networking OS CLI is divided into three major mode levels:
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted.
CLI Command Mode | Prompt | Access Command
10 Gigabit Ethernet Interface | | interface (INTERFACE modes)
40 Gigabit Ethernet Interface | | interface (INTERFACE modes)
Interface Group | DellEMC(conf-if-group)# | interface (INTERFACE modes)
Interface Range | DellEMC(conf-if-range)# | interface (INTERFACE modes)
Loopback Interface | DellEMC(conf-if-lo-0)# | interface (INTERFACE modes)
Management Ethernet Interface | | interface (INTERFACE modes)
Null Interface | DellEMC(conf-if-nu-0)# | interface (INTERFACE modes)
Port-ch
CLI Command Mode | Prompt | Access Command
ROUTER OSPFV3 | DellEMC(conf-ipv6router_ospf)# | ipv6 router ospf
ROUTER RIP | DellEMC(conf-router_rip)# | router rip
SPANNING TREE | DellEMC(config-span)# | protocol spanning-tree 0
TRACE-LIST | DellEMC(conf-trace-acl)# | ip trace-list
CLASS-MAP | DellEMC(config-class-map)# | class-map
CONTROL-PLANE | DellEMC(conf-control-cpuqos)# | control-plane-cpuqos
DHCP | DellEMC(config-dhcp)# | ip dhcp server
DHCP POOL | DellEMC(config-dhcp-pool-name)# | pool (DHCP Mode)
ECMP | DellEMC
The do Command
You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode by preceding the EXEC mode command with the do command. The following example shows the output of the do command.
Undoing Commands
When you enter a command, the command line is added to the running configuration file (running-config).
Short-Cut Key Combination | Action
CNTL-A | Moves the cursor to the beginning of the command line.
CNTL-B | Moves the cursor back one character.
CNTL-D | Deletes the character at the cursor.
CNTL-E | Moves the cursor to the end of the line.
CNTL-F | Moves the cursor forward one character.
CNTL-I | Completes a keyword.
CNTL-K | Deletes all characters from the cursor to the end of the command line.
CNTL-L | Re-enters the previous command.
The grep command displays only the lines containing the specified text. The following example shows this command used in combination with the show system brief command.
Example of the grep Keyword
DellEMC(conf)#do show system brief | grep 0
0 not present
NOTE: Dell EMC Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
The except keyword displays text that does not match the specified text.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access
Serial Console
Figure 1. RJ-45 Console Port (callouts: 1 RS-232 console port; 2 USB port)
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1 Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2 Connect the other end of the cable to the DTE terminal server.
Table 2.
Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
1 Enter INTERFACE mode for the Management port.
  CONFIGURATION mode
  interface ManagementEthernet slot/port
2 Assign an IP address to the interface.
  INTERFACE mode
  ip address ip-address/mask
  • ip-address: an address in dotted-decimal format (A.B.C.D).
  • mask: a subnet mask in /prefix-length format (/xx).
3 Enable the interface.
– secret: Specify a secret string for a user.
– sha256-password: Uses the sha256-based encryption method for the password.
– encryption-type: Enter the encryption type for securing a user password. There are four encryption types.
  ◦ 0 — input the password in clear text.
  ◦ 5 — input a password that is already encrypted using the MD5 encryption method.
  ◦ 7 — input a password that is already encrypted using the DES encryption method. Obtain the encrypted password from the configuration file of another device.
  ◦ 8 — input a password that is already encrypted using the sha256-based encryption method. Obtain the encrypted password from the configuration file of another device.
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.
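An added audit script (not Dell code) that scans a saved configuration for username lines and reports which of the four encryption types above each account uses, flagging type 0 because the credential then sits in the configuration in clear text. The username line shape it matches (username NAME {password | secret | sha256-password} [TYPE] VALUE [privilege LEVEL]) is assumed from the command reference rather than quoted on this page, the default privilege level of 1 is assumed from the EXEC mode description, and the configuration lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Encryption types as documented for the username command above.
ENCRYPTION_TYPES = {
    "0": "clear text",
    "5": "MD5",
    "7": "DES",
    "8": "sha256-based",
}

# Assumed line shape (from the command reference, not quoted on this page):
#   username NAME {password | secret | sha256-password} [ENCRYPTION-TYPE] VALUE [privilege LEVEL] ...
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+.*?"
    r"(?P<keyword>password|secret|sha256-password)\s+"
    r"(?:(?P<etype>[0578])\s+)?(?P<value>\S+)"
)
PRIVILEGE_RE = re.compile(r"\bprivilege\s+(?P<level>\d+)\b")

# Constructed sample running-config lines (not captured from a real switch).
SAMPLE_CONFIG = """\
!
username admin password 0 Plaintext123 privilege 15
username ops password 7 0123456789abcdef privilege 2
username svc secret 5 $1$abcd$xyzxyzxyzxyz privilege 3
username auditor sha256-password 8 $5$abcd$hashhashhash
!
"""


@dataclass
class UserEntry:
    name: str
    keyword: str          # password, secret or sha256-password
    encryption: str       # human-readable encryption type
    privilege: int        # assumed to be 1 when the line carries no privilege keyword
    findings: List[str] = field(default_factory=list)


def audit_usernames(config_text: str) -> List[UserEntry]:
    """Return one entry per username line, with findings a reviewer should act on."""
    entries: List[UserEntry] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = USERNAME_RE.match(line)
        if m is None:
            continue
        priv = PRIVILEGE_RE.search(line)
        level = int(priv.group("level")) if priv else 1
        etype = m.group("etype")
        entry = UserEntry(
            name=m.group("name"),
            keyword=m.group("keyword"),
            encryption=ENCRYPTION_TYPES.get(etype, "unknown") if etype else "not given",
            privilege=level,
        )
        if etype is None:
            entry.findings.append("no encryption type given on the line")
        elif etype == "0":
            entry.findings.append("credential appears in clear text in the configuration")
            if level == 15:
                entry.findings.append("clear-text credential for an unrestricted (level 15) account")
        entries.append(entry)
    return entries


def cleartext_users(entries: List[UserEntry]) -> List[str]:
    """Names of accounts whose password is stored with encryption type 0."""
    return [e.name for e in entries if e.encryption == "clear text"]


if __name__ == "__main__":
    for e in audit_usernames(SAMPLE_CONFIG):
        flag = "; ".join(e.findings) or "ok"
        print(f"{e.name:<10} {e.keyword:<16} {e.encryption:<12} priv {e.privilege:<3} {flag}")
```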
Mounting an NFS File System
This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using the supported file commands. This feature allows an NFS mounted device to be recognized as a file system. This file system is visible on the device and you can execute all file commands that are available on conventional file systems such as a Flash file system.
DellEMC#
DellEMC#copy nfsmount:///test.txt ftp://10.16.127.35
Destination file name [test.txt]:
User name to login remote host: username
Password to login remote host:
!
Example of Copying to NFS Mount
DellEMC#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.pcap nfsmount:///username/snoop.
Configure the Overload Bit for a Startup Scenario
For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system.
Viewing Files
You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.
• View a list of files on the internal flash.
! Version 9.4(0.0)
! Last configuration change at Tue Mar 11 21:33:56 2014 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default
!
Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
Example 3: service timestamps log uptime
DellEMC(conf)#service timestamps log uptime
Example 4: no service timestamps log
DellEMC(conf)#no service timestamps log
DellEMC# show command-history
- Repeated 1 time.
[1d0h26m]: CMD-(CLI):[configure]by default from console
- Repeated 1 time.
When you specify the management VRF, the copy operation that is used to transfer files to and from an HTTP server utilizes the VRF table corresponding to the Management VRF to look up the destination. When you specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server.
MD5
DellEMC# verify md5 flash:file-name
SHA256
DellEMC# verify sha256 flash://file-name
Examples: Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Getting Started 57
4 Management
This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Creating a Custom Privilege Level
Custom privilege levels start with the default EXEC mode command set. You can then customize privilege levels 2-14 by:
• restricting access to an EXEC mode command
• moving commands from EXEC Privilege to EXEC mode
• restricting access
A user can access all commands at his privilege level and below.
• removes the resequence command from EXEC mode by requiring a minimum of privilege level 4
• moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level of 3, which is the configured level for VTY 0
• allows access to CONFIGURATION mode with the banner command
• allows access to INTERFACE tengigabitethernet and LINE modes, with no commands
• Remove a command from the list of available commands in EXEC mode.
Configuring Logging
The Dell EMC Networking OS tracks changes in the system using event and error messages. By default, Dell EMC Networking OS logs these messages on:
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
• Uncontrolled shutdown.
Security Logs
The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions' user roles. The types of information in this log consist of the following:
• Establishment of secure traffic flows, such as SSH.
• Violations on secure flows or certificate issues.
• Adding and deleting of users.
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in EXEC mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
DellEMC# clear logging auditlog
Configuring Logging Format
To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
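A collector that receives from switches running both logging versions has to accept both header shapes. The following added example (not Dell code) normalises RFC 3164 (version 0) and RFC 5424 (version 1) lines into one record, decodes the PRI field into the facility and severity names this guide uses, applies the at-or-below severity filter described under Synchronizing Log Messages, and pulls user names out of failed-login messages. The sample lines and the message wording are constructed, not captured switch output.

```python
import re
from typing import Dict, List, Optional

# Standard syslog severity names (0 = emergencies ... 7 = debugging), the same
# names this guide uses for logging severity levels.
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]
# Facility numbers 16-23 are local0-local7; anything else is reported numerically.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}

# Header sent with "logging version 0" (RFC 3164):
#   <PRI>Mmm dd hh:mm:ss HOST MESSAGE
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Header sent with "logging version 1" (RFC 5424):
#   <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA [MESSAGE]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$"
)

# Constructed sample lines (not captured from a Dell switch; the message text is
# illustrative). Lines 1-2 use the version 0 header, lines 3-4 the version 1 header.
SAMPLE_LINES = [
    "<190>May 17 15:42:42 DellEMC Login successful for user admin on line vty0",
    "<189>May 17 15:43:10 DellEMC Configured from console by admin",
    "<190>1 2019-05-17T15:44:01Z DellEMC - - - - Login successful for user ops on line vty1",
    "<187>1 2019-05-17T15:45:30Z DellEMC - - - - Login failed for user admin on line vty0",
]


def parse_syslog(line: str) -> Optional[Dict[str, object]]:
    """Normalise one RFC 3164 or RFC 5424 line; None if the header is unrecognised."""
    m = RFC5424_RE.match(line)
    version = 1
    if m is None:
        m = RFC3164_RE.match(line)
        version = 0
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None                      # PRI is facility*8 + severity, at most 23*8+7
    facility, severity = divmod(pri, 8)
    return {
        "version": version,
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "message": (m.group("msg") or "").strip(),
    }


def parse_all(lines: List[str]) -> List[Dict[str, object]]:
    return [r for r in (parse_syslog(ln) for ln in lines) if r is not None]


def at_or_below(records, level_name: str):
    """Keep messages whose severity is at or below level_name; a lower number is
    more severe, so "notifications" keeps levels 0-5 and drops 6-7."""
    limit = SEVERITIES.index(level_name)
    return [r for r in records if r["severity"] <= limit]


# Matches the constructed failed-login wording used in SAMPLE_LINES.
FAILED_LOGIN_RE = re.compile(r"Login failed for user (?P<user>\S+)")


def failed_login_users(records) -> List[str]:
    """User names taken from failed-login messages, in arrival order."""
    users = []
    for r in records:
        m = FAILED_LOGIN_RE.search(str(r["message"]))
        if m:
            users.append(m.group("user"))
    return users


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(f"v{rec['version']} {rec['facility']:<7} {rec['severity_name']:<13} "
              f"{rec['host']} {rec['message']}")
```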
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server:
  DellEMC(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax:
  ssh -R :: user@remote_host -nNf
In the following example the syslog server IP address is 10.156.166.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
– Add the following line on a 4.1 BSD UNIX system.
  local7.debugging /var/log/ftos.log
– Add the following line on a 5.7 SunOS UNIX system.
  local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.
Track Login Activity
Dell EMC Networking OS enables you to track the login activity of users and view successful and unsuccessful login events.
Display Login Statistics
To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
DellEMC#show login statistics
-----------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
Example of the show login statistics user user-id Command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
DellEMC# show login statistics user admin
-----------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
CONFIGURATION mode
login concurrent-session limit number-of-sessions
Example of Configuring Concurrent Session Limit
The following example limits the permitted number of concurrent login sessions to 4.
DellEMC(config)#login concurrent-session limit 4
Enabling the System to Clear Existing Sessions
To enable the system to clear existing login sessions, follow this procedure:
• Use the following command.
Maximum concurrent sessions for the user reached.
Current sessions for user admin:
Line Location
2 vty 0 10.14.1.97
3 vty 1 10.14.1.97
4 vty 2 10.14.1.97
5 vty 3 10.14.1.97
Kill existing session? [line number/Enter to cancel]:
Enabling Secured CLI Mode
The secured CLI mode prevents users from raising their permissions or promoting their privilege levels.
NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
• Specify the number of messages that Dell EMC Networking OS saves to its logging history table.
  CONFIGURATION mode
  logging history size size
To view the logging buffer and configuration, use the show logging command in EXEC Privilege mode, as shown in the example for Display the Logging Buffer and the Logging Configuration.
Configuring a UNIX Logging Facility Level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command. • Specify one of the following parameters.
Synchronizing Log Messages You can configure Dell EMC Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system. 1 Enter LINE mode.
Example 1: Default configuration
service timestamps log datetime or service timestamps log datetime localtime
DellEMC(conf)#service timestamps log datetime
DellEMC#show clock
15:42:42.804 IST Fri May 17 2019
Example 2: service timestamps log datetime utc
DellEMC(conf)#service timestamps log datetime utc
DellEMC#show clock
15:47:05.661 IST Fri May 17 2019
Example 3: service timestamps log uptime
DellEMC(conf)#service timestamps log uptime
DellEMC#show clock
15:51:47.
For more information about FTP, refer to RFC 959, File Transfer Protocol. FTP carries credentials and file contents in cleartext (RFC 959 defines no encryption), so enable the FTP server only where the management network is trusted.
NOTE: To transmit large files, Dell EMC Networking recommends configuring the switch as an FTP server.
Configuration Task List for File Transfer Services
The configuration tasks for file transfer services are:
• Enable FTP Server (mandatory)
• Configure FTP Server Parameters (optional)
• Configure FTP Client Parameters (optional)
Enabling the FTP Server
To enable the system as an FTP server, use the following command.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode. Configuring FTP Client Parameters To configure FTP client parameters, use the following commands. • Enter the following keywords and the interface information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• Apply an ACL to a VTY line.
LINE mode
access-class access-list-name [ipv4 | ipv6]
NOTE: If you already have configured a generic IP ACL on a terminal line, then you cannot further apply IPv4 or IPv6 specific filtering on top of this configuration. Similarly, if you have configured either IPv4 or IPv6 specific filtering on a terminal line, you cannot apply a generic IP ACL on top of this configuration.
none: Do not authenticate the user.
radius: Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.
1 Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
Example of Setting the Timeout Period for EXEC Privilege Mode
The following example shows how to set the timeout period and how to view the configuration using the show config command from LINE mode. A timeout of 0 disables the timer, so sessions on that line never expire on their own; use a nonzero value on any line that is reachable from the network.
DellEMC(conf)#line con 0
DellEMC(config-line-console)#exec-timeout 0
DellEMC(config-line-console)#show config
line console 0
 exec-timeout 0 0
DellEMC(config-line-console)#
Using Telnet to get to Another Network Device
To telnet to another device, use the following commands.
Viewing the Configuration Lock Status If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode. You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Important Points to Remember
• The Chassis remains in boot prompt if none of the partitions contain valid images.
• To enable TFTP boot after restoring factory default settings, you must stop the boot process in BLI.
Viewing the Reason for Last System Reboot
You can view the reason for the last system reboot.
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
Figure 4. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
Port-Authentication Process The authentication process begins when the authenticator senses that a link status has changed from down to up: 1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame. 2 The supplicant responds with its identity in an EAP Response Identity frame.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-Station-Id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: the physical port type of the NAS port. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X
Enable 802.1X globally.
Figure 7. 802.1X Enabled
1 Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3 Enable 802.1X on the interface. Enable it only on interfaces that face supplicants.
INTERFACE mode
dot1x authentication
Examples of Verifying that 802.1X is Enabled Globally and on an Interface
Verify that 802.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits for 10 times. Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default. You can configure this period.
Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds by default, and you can configure this interval. You can configure the maximum number of re-authentications as well.
Configuring Dynamic VLAN Assignment with Port Authentication
Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID.
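The two RADIUS messages involved in this exchange, the Access-Request the authenticator sends (carrying attributes 31, 41 and 61, as listed under RADIUS Attributes for 802.1X Support) and the Access-Accept that carries attribute 81 for the VLAN assignment, as an added Python example. This is not Dell EMC Networking OS code and does not show how the switch encodes its packets; it follows the wire formats of RFC 2865, RFC 2868 (tagged tunnel attributes), RFC 3579 (Message-Authenticator) and RFC 3580 (VLAN assignment). The shared secret, user name, MAC address, port index and packets are constructed for the example.

```python
"""Added example (not Dell EMC Networking OS code): build the RADIUS
Access-Request an 802.1X authenticator sends, carrying attributes 31, 41 and
61 as the guide lists, and read the VLAN out of an Access-Accept carrying
Tunnel-Private-Group-ID (81). Encodings follow RFC 2865, RFC 2868 (tagged
tunnel attributes), RFC 3579 (Message-Authenticator) and RFC 3580 (VLAN
assignment). Secret, user name, MAC address and packets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE, NAS_PORT = 1, 31, 41, 61
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE = 64, 65, 79
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
NAS_PORT_TYPE_ETHERNET = 15                    # value the guide says is sent
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6    # RFC 3580 VLAN assignment

def _avp(atype, value):
    """One attribute as Type, Length, Value (RFC 2865 section 5)."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(secret, ident, username, supplicant_mac, port, eap_msg,
                         authenticator=None):
    """Access-Request for a supplicant on a physical port. The last attribute is
    a Message-Authenticator, HMAC-MD5 over the packet with that attribute zeroed,
    which RFC 3579 requires whenever EAP-Message is present."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_avp(USER_NAME, username.encode())
             + _avp(CALLING_STATION_ID, supplicant_mac.encode())
             + _avp(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET)
             + _avp(NAS_PORT, port)
             + _avp(EAP_MESSAGE, eap_msg)
             + _avp(MESSAGE_AUTHENTICATOR, bytes(16)))
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs
    return pkt[:-16] + hmac.new(secret, pkt, "md5").digest()

def parse(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]); reject
    length fields that disagree with the packet instead of reading past them."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs

def message_authenticator_ok(secret, packet):
    """Check the Message-Authenticator before trusting any attribute."""
    pos = 20
    for atype, value in parse(packet)[3]:
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), value)
        pos += 2 + len(value)
    return False

def sample_access_accept(secret, ident, request_authenticator, vlan):
    """Constructed server reply assigning `vlan`. Its Response Authenticator is
    MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    attrs = (_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)        # encodes as tag 0 + 3 value octets
             + _avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
             + _avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def response_authenticator_ok(secret, reply, request_authenticator):
    """The authenticator must verify this before acting on an Access-Accept."""
    expect = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expect, reply[4:20])

def vlan_from_access_accept(reply):
    """VLAN ID from attribute 81, or None unless the reply is an Access-Accept
    whose Tunnel-Type is VLAN (13) and Tunnel-Medium-Type is IEEE 802 (6)."""
    code, _, _, attrs = parse(reply)
    if code != ACCESS_ACCEPT:
        return None
    ttype = tmedium = group = None
    for atype, value in attrs:
        if atype == TUNNEL_TYPE and len(value) == 4:
            ttype = int.from_bytes(value[1:], "big")    # RFC 2868: tag octet + 3 value octets
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            tmedium = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            group = value[1:] if value and value[0] <= 0x1F else value   # strip tag octet
    if ttype != TUNNEL_TYPE_VLAN or tmedium != TUNNEL_MEDIUM_802 or not group:
        return None
    try:
        vlan = int(group.decode("ascii"))
    except ValueError:
        return None
    return vlan if 1 <= vlan <= 4094 else None
```

Build a request with build_access_request(secret, 7, "alice", "00-11-22-33-44-55", 1, eap_identity_response), feed its authenticator (bytes 4..20) to sample_access_accept, and vlan_from_access_accept returns the assigned VLAN only after response_authenticator_ok has confirmed the reply came from a server holding the shared secret; a reply whose tunnel attributes do not describe an 802.1Q VLAN yields None rather than a guessed VLAN.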
5 Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated.
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter covers IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
Topics:
• IP Access Control Lists (ACLs)
• Important Points to Remember
• IP Fragment Handling
• Configure a Standard IP ACL
• Configure an Extended IP ACL
• Configure Layer 2 and Layer 3 ACLs
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Flow-Based Monitoring
• Configuring IP Mirror Access Group
IP Access Control Lists (ACLs)
In Dell EMC Networking swi
CAM Usage
The following section describes CAM allocation and CAM optimization.
• User Configurable CAM Allocation
• CAM Optimization
User Configurable CAM Allocation
Allocate space for IPv6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.
In Dell EMC Networking OS versions prior to 9.13(0.0), the system does not install any of your ACL rules if the available CAM space is less than what your set of ACL rules requires. Effective with Dell EMC Networking OS version 9.13(0.0), the system installs your ACL rules until all the allocated CAM memory is used; rules beyond that point are not installed. If there is no implicit permit in your rule, Dell EMC Networking OS ensures that an implicit deny is installed at the end of your rule, so traffic that only an uninstalled rule would have permitted is dropped. When an ACL approaches the CAM limit, confirm that every rule you intended is actually installed.
• When a match is found, the route is accepted and no more route-map sequences are processed.
– If a continue clause is included in the route-map sequence, the next or a specified route-map sequence is processed after a match is found.
Configuration Task List for Route Maps
Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
Match clauses:
Set clauses:
route-map dilling, permit, sequence 15
Match clauses:
  interface Loopback 23
Set clauses:
  tag 3444
DellEMC#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands.
• match commands search for a certain criterion in the routes.
• set commands change the characteristics of routes, either adding something or specifying a level.
• Match routes with the same AS-PATH numbers.
CONFIG-ROUTE-MAP mode
match as-path as-path-name
• Match routes with COMMUNITY list attributes in their path.
CONFIG-ROUTE-MAP mode
match community community-list-name [exact]
• Match routes whose next hop is a specific interface.
CONFIG-ROUTE-MAP mode
match interface interface
The parameters are:
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local } • Match routes with a specific tag. CONFIG-ROUTE-MAP mode match tag tag-value To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low. Set commands do not require a corresponding match command. Configuring Set Conditions To configure a set condition, use the following commands.
• Specify a value as the route’s weight. CONFIG-ROUTE-MAP mode set weight value To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Continue Clause
Normally, when a match is found, set clauses are executed and the route is accepted; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map “test” module 10, module 30 is processed.
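The module-by-module evaluation described above, including what continue changes about it, as an added Python example. This is not Dell EMC Networking OS code and is not how the OS stores route maps; the route-map "test" with modules 10, 20 and 30, the match and set attributes, and the routes are constructed to mirror the text (a match in module 10 continues at module 30, skipping module 20). Set clauses from every matched permit module are applied, later ones overriding earlier ones for the same attribute; that accumulation is an assumption of the example, not a statement from the guide.

```python
"""Added example (not Dell EMC Networking OS code): a route-map evaluator that
shows the continue behaviour. Sequences are tried in numeric order and a route
matches a sequence only if it satisfies every match clause there. On a permit
match the set clauses are applied and evaluation stops, unless the sequence
carries continue, in which case the next sequence (or the one named) is tried
as well; a deny match rejects the route, and a route matching no sequence hits
the implicit deny. A sequence with no match clause matches every route.
The map "test" below is a constructed stand-in for the guide's example."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: str
    interface: str
    tag: int = 0
    weight: int = 0


@dataclass
class Sequence:
    number: int
    action: str = "permit"                     # permit | deny
    match: dict = field(default_factory=dict)  # attribute -> required value
    set: dict = field(default_factory=dict)    # attribute -> new value
    continue_to: Optional[int] = None          # None: stop; 0: next sequence; N: sequence N


def evaluate(route_map, route):
    """Return (accepted, matched sequence numbers). Set clauses of every matched
    permit sequence are applied to `route` in place, later ones overriding
    earlier ones for the same attribute (an assumption of this example)."""
    seqs = sorted(route_map, key=lambda s: s.number)
    matched, i = [], 0
    while i < len(seqs):
        s = seqs[i]
        if not all(getattr(route, attr) == want for attr, want in s.match.items()):
            i += 1
            continue
        matched.append(s.number)
        if s.action == "deny":
            return False, matched
        for attr, value in s.set.items():
            setattr(route, attr, value)
        if s.continue_to is None:
            return True, matched
        if s.continue_to == 0:
            i += 1
        else:
            later = [j for j, x in enumerate(seqs) if x.number == s.continue_to and j > i]
            if not later:                      # continue to a missing or earlier sequence: stop
                return True, matched
            i = later[0]
    return (True, matched) if matched else (False, matched)


# Constructed route-map "test": a match in module 10 continues at module 30.
TEST = [
    Sequence(10, match={"tag": 10}, set={"weight": 50}, continue_to=30),
    Sequence(20, match={"interface": "Loopback 23"}, set={"tag": 3444}),
    Sequence(30, set={"weight": 100}),
]

if __name__ == "__main__":
    r = Route("10.0.0.0/8", "TenGigabitEthernet 1/1/1", tag=10)
    print(evaluate(TEST, r), r)   # (True, [10, 30]) and weight 100
```

A route tagged 10 matches module 10, is carried on to module 30 by the continue clause, and leaves with module 30's weight; a route on Loopback 23 matches module 20 and stops there; against a map with no catch-all module, a route matching nothing is rejected by the implicit deny.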
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32
DellEMC(conf-ext-nacl)
Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet’s L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.
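The fragment-offset decision just described, run over a small ACL, as an added Python example. This is not Dell EMC Networking OS code and not the switch's CAM logic; it models only the case the text covers (an L3-only line with the fragments keyword) plus ordinary L3 matching, the count keyword and the implicit deny. Port operators are not modelled, and the rules, addresses and packets are constructed.

```python
"""Added example (not Dell EMC Networking OS code): evaluate packets against
extended IP ACL lines written the way the guide shows them, applying the
fragment rule from the text: a line that carries only L3 fields plus the
`fragments` keyword is checked against the packet's fragment offset (FO) once
its L3 fields match, permits the packet when FO > 0, and hands a first
fragment (FO = 0) to the next entry. Lines without `fragments` match on L3
fields regardless of FO, and a packet matching no line hits the implicit deny.
Port operators are not modelled; rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    seq: int
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fragments: bool = False       # match non-initial fragments only
    count: bool = False           # keep a hit counter, as the count keyword does
    hits: int = 0


def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D/len"""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line):
    """seq N {permit|deny} {ip|tcp|udp|icmp} SRC DST [count] [fragments]"""
    t = line.split()
    if len(t) < 6 or t[0] != "seq" or t[2] not in ("permit", "deny"):
        raise ValueError("unrecognised ACL line: " + line)
    rest = t[4:]
    src, dst = _addr(rest), _addr(rest)
    unknown = set(rest) - {"count", "fragments"}
    if unknown:
        raise ValueError("unsupported keywords %s in: %s" % (sorted(unknown), line))
    return Rule(int(t[1]), t[2], t[3], src, dst, "fragments" in rest, "count" in rest)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    frag_offset: int = 0          # IP header Fragment Offset; 0 for a first fragment


def evaluate(rules, pkt):
    """Return (action, seq) for the first line that decides the packet;
    seq is None when the implicit deny at the end of the list applies."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in sorted(rules, key=lambda r: r.seq):
        l3_match = r.proto in ("ip", pkt.proto) and s in r.src and d in r.dst
        if not l3_match:
            continue
        if r.fragments and pkt.frag_offset == 0:
            continue              # FO = 0: this line does not decide; try the next entry
        if r.count:
            r.hits += 1
        return r.action, r.seq
    return "deny", None


# Constructed ACL: the fragments line sits above a TCP deny for the same host.
ACL = [parse_rule(l) for l in (
    "seq 5 permit ip any host 10.1.1.1 fragments count",
    "seq 10 deny tcp any host 10.1.1.1 count",
    "seq 15 permit ip any 10.1.1.0/24",
)]

if __name__ == "__main__":
    for p in (Packet("192.0.2.5", "10.1.1.1", "tcp", frag_offset=3),   # non-initial fragment
              Packet("192.0.2.5", "10.1.1.1", "tcp"),                  # first fragment or whole packet
              Packet("192.0.2.5", "10.1.1.7", "udp"),
              Packet("192.0.2.5", "10.2.0.1", "udp")):
        print(p, "->", evaluate(ACL, p))
```

The run shows the point of the rule: a non-initial TCP fragment to 10.1.1.1 is permitted by seq 5 even though seq 10 denies TCP to that host, because seq 5 decides on L3 fields and FO alone; the first fragment falls through seq 5 and is denied by seq 10. Keep that in mind when a permit line with the fragments keyword sits above a deny.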
A standard IP ACL uses the source IP address as its match criterion.
1 Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-list-name
2 Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [dscp] [order] [monitor [session-id]] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
ip access-list standard access-list-name 2 Configure a drop or forward IP ACL filter. CONFIG-STD-NACL mode {deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator [portnumber ] [count [byte]] [order] [monitor [session-id]] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let Dell EMC Networking OS assign a sequence number based on the order in which the filters are configured. Dell EMC Networking OS assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
• L2 egress access list
If a rule is simply appended, existing counters are not affected.
Table 6. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              L3 ACL denies.
Deny              Permit            L3 ACL permits.
Permit            Deny              L3 ACL denies.
Permit            Permit            L3 ACL permits.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
ip access-list [standard | extended] name
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
Example of Viewing ACLs Applied to an Interface
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL entries.
1 Create an ACL that uses rules with the count option.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
Implementation Information In Dell EMC Networking OS, prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists. Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes.
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
DellEMC(conf-nprefixl)#
NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any earlier criteria in the prefix list are permitted; without it, the implicit deny at the end of the list rejects them.
To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
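How the list Juba above decides individual routes, as an added Python example. This is not Dell EMC Networking OS code; it implements the conventional prefix-list matching rule (without ge/le a route must have exactly the entry's mask length, ge alone allows lengths up to the address width, and the first matching entry in sequence order decides) and the implicit deny described in the note. The second list and the routes are constructed.

```python
"""Added example (not Dell EMC Networking OS code): evaluate routes against
prefix-list entries in the syntax shown above, seq N {permit|deny} A.B.C.D/len
[ge G] [le L]. Entries are tried in sequence order; the first whose prefix
covers the route and whose length bounds admit the route's mask length decides
it, and a route matching no entry hits the implicit deny. Matching follows the
conventional rule: without ge/le a route must have exactly the entry's length,
and ge alone allows lengths up to the address width. Entries and routes below
are constructed."""
import ipaddress


def parse_entry(line):
    """Return dict(seq, action, net, lo, hi) for one prefix-list line."""
    t = line.split()
    if len(t) < 4 or t[0] != "seq" or t[2] not in ("permit", "deny"):
        raise ValueError("unrecognised prefix-list line: " + line)
    net = ipaddress.ip_network(t[3], strict=False)
    width = net.max_prefixlen
    ge = le = None
    for key, val in zip(t[4::2], t[5::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
        else:
            raise ValueError("unknown keyword %s in: %s" % (key, line))
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (width if ge is not None else net.prefixlen)
    if not net.prefixlen <= lo <= hi <= width:
        raise ValueError("need len <= ge <= le <= %d in: %s" % (width, line))
    return dict(seq=int(t[1]), action=t[2], net=net, lo=lo, hi=hi)


def entry_matches(entry, route):
    """True when the route's leading bits equal the entry's prefix and its
    mask length lies within the entry's [lo, hi] range."""
    net = entry["net"]
    if route.version != net.version or route.prefixlen < net.prefixlen:
        return False
    return (route.supernet(new_prefix=net.prefixlen) == net
            and entry["lo"] <= route.prefixlen <= entry["hi"])


def evaluate(prefix_list, route):
    """Return (action, seq); seq is None for the implicit deny."""
    route = ipaddress.ip_network(route, strict=False)
    for e in sorted(prefix_list, key=lambda e: e["seq"]):
        if entry_matches(e, route):
            return e["action"], e["seq"]
    return "deny", None


# The list Juba from the guide's example, and a constructed list with no permit-all line.
JUBA = [parse_entry(l) for l in (
    "seq 12 deny 134.23.0.0/16",
    "seq 15 deny 120.0.0.0/8 le 16",
    "seq 20 permit 0.0.0.0/0 le 32",
)]
STRICT = [parse_entry("seq 5 permit 10.0.0.0/8 ge 24 le 24")]   # only /24s inside 10/8

if __name__ == "__main__":
    for r in ("134.23.0.0/16", "134.23.5.0/24", "120.1.0.0/16", "120.1.2.0/24"):
        print("juba", r, "->", evaluate(JUBA, r))
    for r in ("10.5.6.0/24", "10.5.0.0/16", "192.0.2.0/24"):
        print("strict", r, "->", evaluate(STRICT, r))
```

Against Juba, 134.23.0.0/16 is denied by seq 12 but 134.23.5.0/24 is not (seq 12 has no le, so it matches the /16 only) and falls to the permit-all at seq 20; 120.1.0.0/16 is denied by seq 15 while 120.1.2.0/24 exceeds its le 16 and is permitted. Against the list without a permit-all line, anything but a /24 inside 10.0.0.0/8 hits the implicit deny.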
Examples of the show ip prefix-list Command
The following example shows the show ip prefix-list detail command.
DellEMC>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
 seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
 seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
 seq 5 deny 100.100.1.
network 10.0.0.0
DellEMC(conf-router_rip)#router ospf 34
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode.
CONFIGURATION mode
router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded, so a misspelled list name silently leaves the routes unfiltered; verify the name against show ip prefix-list after applying it.
ip access-list {extended | standard} access-list-name
ipv6 access-list {extended | standard} access-list-name
2 Define the ACL rule.
CONFIG-EXT-NACL mode or CONFIG-STD-NACL mode
seq sequence-number {permit | deny} options
3 Write a remark.
CONFIG-EXT-NACL mode or CONFIG-STD-NACL mode
remark [remark-number] remark-text
The remark number is optional.
ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. Use resequencing whenever the current numbering scheme leaves no room to insert a new rule at the position you want. For example, the following table contains some rules that are numbered in increments of 1.
ip access-list extended test
 remark 4 XYZ
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.1
 remark 9 ABC
 remark 10 this remark corresponds to permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.2
 seq 15 permit ip any host 1.1.1.3
 seq 20 permit ip any host 1.1.1.4
DellEMC# end
DellEMC# resequence access-list ipv4 test 2 2
DellEMC# show running-config acl
!
ip access-list extended test
 remark 2 XYZ
 remark 4 this remark corresponds to permit any host 1.1.1.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists, where the non-matching packet or route is dropped, in route maps a route that does not match any of the route-map conditions is simply not redistributed. The implementation of route maps allows route maps with no match or no set commands. When there is no match command, all routes match the route map and the set command applies.
If you configure the flow-based enable command and do not apply an ACL on the source port or the monitored port, both flow-based monitoring and port mirroring do not function. You cannot apply the same ACL to an interface or a monitoring session context simultaneously. The port mirroring application maintains a database that contains all monitoring sessions (including port monitor sessions).
Configuring IP Mirror Access Group To configure an IP mirror access group on an interface, use the following commands: 1 Allocate CAM profile for IPv4 ACL.
7 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 9. BFD in IPv4 Packet Format
Field and Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Detection Multiplier: The number of packets that must be missed in order to declare a session down.
Length: The entire length of the BFD packet.
My Discriminator: A random number generated by the local system to identify the session.
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode: If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time.
NOTE: Dell EMC Networking OS supports Asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
Administratively Down: The local system does not participate in a particular session.
Figure 10.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
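The control-packet fields tabulated under BFD Packet Format and the state changes described here, as an added Python example. This is not Dell EMC Networking OS code and does not show the switch's BFD agent; it encodes and validates the 24-octet control packet and applies the transition rules of RFC 5880 (section 6.8.6), under which a Down session that receives Down moves to Init, as the text says. Discriminators, the 200 ms timers and the two-router exchange are constructed.

```python
"""Added example (not Dell EMC Networking OS code): encode and validate the
24-octet BFD control packet whose fields are listed above, and apply the
session state changes the text describes (a Down session that receives Down
moves to Init, and so on) using the transition rules of RFC 5880 section
6.8.6. Discriminators, timers and the two-router exchange are constructed."""
import struct

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATE_NAME = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}
DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN, DIAG_ADMIN_DOWN = 1, 3, 7
FLAG_A, FLAG_M = 0x04, 0x01                  # Authentication present, Multipoint
HDR = struct.Struct("!BBBBIIIII")            # vers|diag, sta|flags, mult, length, 5 x uint32

def encode(state, my_disc, your_disc, tx_us, rx_us, mult=3, diag=0, flags=0):
    """One control packet without an authentication section; intervals in microseconds."""
    if not 1 <= mult <= 255 or my_disc == 0:
        raise ValueError("Detect Mult must be 1..255 and My Discriminator nonzero")
    return HDR.pack((1 << 5) | (diag & 0x1F), (state << 6) | (flags & 0x3F),
                    mult, HDR.size, my_disc, your_disc, tx_us, rx_us, 0)

def decode(packet):
    """Parse a control packet, raising ValueError for each condition under which
    RFC 5880 section 6.8.6 says the packet must be discarded."""
    if len(packet) < HDR.size:
        raise ValueError("shorter than 24 octets")
    b0, b1, mult, length, my, your, tx, rx, echo = HDR.unpack_from(packet)
    version, diag, state, flags = b0 >> 5, b0 & 0x1F, b1 >> 6, b1 & 0x3F
    if version != 1:
        raise ValueError("version %d is not 1" % version)
    if length > len(packet) or length < HDR.size + (2 if flags & FLAG_A else 0):
        raise ValueError("Length %d inconsistent with packet" % length)
    if mult == 0 or my == 0 or flags & FLAG_M:
        raise ValueError("zero Detect Mult, zero My Discriminator or Multipoint set")
    if your == 0 and state not in (DOWN, ADMIN_DOWN):
        raise ValueError("Your Discriminator zero with state %s" % STATE_NAME[state])
    return dict(diag=diag, state=state, flags=flags, mult=mult, my_disc=my,
                your_disc=your, tx_us=tx, rx_us=rx, echo_us=echo)

def next_state(local, remote):
    """Local state after a packet carrying `remote` state arrives."""
    if local == ADMIN_DOWN:                   # packets are ignored while AdminDown
        return ADMIN_DOWN
    if remote == ADMIN_DOWN:
        return DOWN
    if local == DOWN:
        return {DOWN: INIT, INIT: UP}.get(remote, DOWN)   # Up received: stay Down
    if local == INIT:
        return INIT if remote == DOWN else UP
    return DOWN if remote == DOWN else UP     # local Up

class Session:
    """One asynchronous-mode session, the only mode the guide says the OS supports."""
    def __init__(self, my_disc, tx_us=200_000, rx_us=200_000, mult=3):
        self.my_disc, self.tx_us, self.rx_us, self.mult = my_disc, tx_us, rx_us, mult
        self.state, self.diag, self.remote_disc = DOWN, 0, 0
        self.remote_tx_us, self.remote_mult = 0, 0

    def packet(self):
        """The control packet this end transmits in its current state."""
        return encode(self.state, self.my_disc, self.remote_disc,
                      self.tx_us, self.rx_us, self.mult, self.diag)

    def receive(self, packet):
        p = decode(packet)
        if p["your_disc"] not in (0, self.my_disc):      # demultiplex on Your Discriminator
            raise ValueError("packet belongs to another session")
        self.remote_disc, self.remote_tx_us, self.remote_mult = p["my_disc"], p["tx_us"], p["mult"]
        new = next_state(self.state, p["state"])
        if new == DOWN and self.state != DOWN:
            self.diag = DIAG_NEIGHBOR_DOWN
        self.state = new
        return STATE_NAME[new]

    def detection_time_us(self):
        """Silence after which the session is declared down (RFC 5880 section 6.8.4)."""
        return self.remote_mult * max(self.rx_us, self.remote_tx_us)

    def detection_timer_expired(self):
        if self.state != ADMIN_DOWN:
            self.state, self.diag = DOWN, DIAG_DETECT_EXPIRED
        return STATE_NAME[self.state]

    def admin_down(self):
        """What disabling BFD amounts to: announce AdminDown once, then stop sending."""
        self.state, self.diag = ADMIN_DOWN, DIAG_ADMIN_DOWN
        return self.packet()

def three_way_handshake(a, b):
    """Constructed exchange between two routers starting Down; returns the states seen."""
    return [b.receive(a.packet()),     # b: Down, Down received  -> Init
            a.receive(b.packet()),     # a: Down, Init received  -> Up
            b.receive(a.packet())]     # b: Init, Up received    -> Up
```

With both ends at 200 ms and a multiplier of 3, detection_time_us() returns 600000, which is the silence the guide's default session tolerates before declaring Down; decode() rejects packets with a wrong version, a zero Detect Mult or the Multipoint bit set rather than letting them move the state machine, and admin_down() produces the final AdminDown packet that the disabling procedures in this chapter say is sent before a session is torn down.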
Configure BFD
This section contains the following procedures.
• Configure BFD for Static Routes
• Configure BFD for OSPF
• Configure BFD for OSPFv3
• Configure BFD for IS-IS
• Configure BFD for BGP
• Configure BFD for VRRP
• Configuring Protocol Liveness
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Viewing Physical Port Session Parameters BFD sessions are configured with default intervals and a default role (active). Dell EMC Networking recommends maintaining the default values. To view session parameters, use the show bfd neighbors detail command. Example of Viewing Session Parameters Disabling and Re-Enabling BFD BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes for Default VRF Sessions are established for all neighbors that are the next hop of a static route on the default VRF. Figure 12. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route.
The following example shows that sessions are created for static routes for the default VRF.
Dell#show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr   RemoteAddr   Interface   State  Rx-int  Tx-int  Mult  Clients
* 11.1.1.1    11.1.1.2     Te 1/1/1    Up     200     200     3     R
* 21.1.1.1    21.1.1.2     Vl 100      Up     200     200     3     R
* 31.1.1.1    31.1.1.
• Deny – The deny option prevents BFD sessions from getting created for the specified prefix list or prefix list range. For more information on prefix lists, see IP Prefix Lists.
To enable BFD sessions on specific neighbors, perform the following steps:
Enter the following command to enable BFD sessions on specific next-hop neighbors:
CONFIGURATION mode
ip route bfd prefix-list prefix-list-name
The BFD session is established for the next-hop neighbors that are specified in the prefix list.
no ip route bfd [prefix-list prefix-list-name] [interval interval min_rx min_rx multiplier value role {active | passive}] Configure BFD for IPv6 Static Routes BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop. Configuring BFD for IPv6 static routes is a three-step process: 1 Enable BFD globally.
ipv6 route bfd prefix-list p6_le
ipv6 route bfd vrf vrf1
ipv6 route bfd vrf vrf2
ipv6 route bfd vrf vrf1 prefix-list p6_le
The following example shows that sessions are created for static routes for the default VRF.
To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information Configure BFD for OSPF When you use BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change has occurred.
Establishing Sessions with OSPF Neighbors for the Default VRF BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Enable BFD globally.
INTERFACE mode
ip ospf bfd all-neighbors
Example of Verifying Sessions with OSPF Neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
Establishing Sessions with OSPF Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, follow this procedure:
• Enable BFD globally.
CONFIGURATION mode
bfd enable
• Establish sessions with all OSPF neighbors in a specific VRF.
* 7.1.1.1     7.1.1.2      Te 1/21/1   Up     200     200     3     O
The following example shows the show bfd vrf neighbors command output for a nondefault VRF.
show bfd vrf VRF_blue neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr   RemoteAddr   Interface   State  Rx-int  Tx-int  Mult  VRF  Clients
* 5.1.1.1     5.1.1.2      Po 30       Up     200     200     3     255  O
* 6.1.1.1     6.1.1.2      Vl 30       Up     200     200     3     255  O
* 7.1.1.1     7.1.1.
Actual parameters: TX: 200ms, RX: 200ms, Multiplier: 3
Role: Active
Delete session on Down: True
VRF: VRF_blue
Client Registered: OSPF
Uptime: 00:00:15
Statistics:
 Number of packets received from neighbor: 78
 Number of packets sent to neighbor: 78
 Number of state changes: 1
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 4
Session Discriminator: 6
Neighbor Discriminator: 1
Local Addr: 7.1.1.1
Local MAC Addr: 00:a0:c9:00:00:02
Remote Addr: 7.1.1.
Disabling BFD for OSPF If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPF neighbors.
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr   RemoteAddr   Interface   State  Rx-int  Tx-int  Mult  Clients
* 1.1.1.1     1.1.1.2      Te 1/21/3   Up     200     200     3     O
* 2.1.1.1     2.1.1.
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr   RemoteAddr   Interface   State  Rx-int  Tx-int  Mult  VRF  Clients
* 10.1.1.1    10.1.1.2     Vl 100      Up     150     150     3     511  O
* 11.1.1.1    11.1.1.2     Vl 101      Up     150     150     3     511  O
* 12.1.1.1    12.1.1.2     Vl 102      Up     150     150     3     511  O
* 13.1.1.1    13.1.1.
To disable BFD sessions, use the following commands.
• Disable BFD sessions with all OSPFv3 neighbors.
ROUTER-OSPFv3 mode
no bfd all-neighbors
• Disable BFD sessions with OSPFv3 neighbors on a single interface.
INTERFACE mode
ipv6 ospf bfd all-neighbors disable
Configure BFD for IS-IS
When using BFD with IS-IS, the IS-IS protocol registers with the BFD manager on the RPM. BFD sessions are then established with all neighboring interfaces participating in IS-IS.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface. If you change a parameter globally, the change affects all IS-IS neighbors sessions.
Figure 15. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
• Configure BGP on the routers that you want to interconnect.
Establishing Sessions with BGP Neighbors for Default VRF
To establish sessions with either IPv6 or IPv4 BGP neighbors for the default VRF, follow these steps:
1 Enable BFD globally.
CONFIGURATION mode
bfd enable
2 Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3 Add a BGP neighbor or peer group in a remote AS.
 neighbor 10.1.1.2 remote-as 2
 neighbor 10.1.1.2 no shutdown
 neighbor 20::2 remote-as 2
 neighbor 20::2 no shutdown
 bfd all-neighbors
 !
 address-family ipv6 unicast
  neighbor 20::2 activate
 exit-address-family
DellEMC(conf-router_bgp)#
Establishing Sessions with BGP Neighbors for Nondefault VRF
To establish sessions with either IPv6 or IPv4 BGP neighbors for nondefault VRFs, follow these steps:
1 Enable BFD globally.
CONFIG-ROUTERBGP mode
bfd all-neighbors
DellEMC(conf)#router bgp 1
DellEMC(conf-router_bgp)#address-family ipv4 vrf vrf1
DellEMC(conf-router_bgp_af)#neighbor 10.1.1.2 remote-as 2
DellEMC(conf-router_bgp_af)#neighbor 10.1.1.
EXEC Privilege mode
show bfd neighbors [interface] [detail]
• Check whether BFD is enabled for BGP connections.
EXEC Privilege mode
show ip bgp summary
• Display routing information exchanged with BGP neighbors, including BFD for BGP sessions.
EXEC Privilege mode
show ip bgp neighbors [ip-address]
Examples of Verifying BGP Information
The following example shows verifying a BGP configuration.
R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.
BGP state ESTABLISHED, in this state for 00:05:33
Last read 00:00:30, last write 00:00:30
Hold time is 180, keepalive interval is 60 seconds
Received 8 messages, 0 in queue
 1 opens, 0 notifications, 0 updates
 7 keepalives, 0 route refresh requests
Sent 9 messages, 0 in queue
 2 opens, 0 notifications, 0 updates
 7 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast
2 Establish VRRP BFD sessions with all VRRP-participating neighbors.
3 On the master router, establish VRRP BFD sessions with the backup routers. Refer to Establishing Sessions with All VRRP Neighbors.
Related Configuration Tasks
• Changing VRRP Session Parameters.
• Disabling BFD for VRRP.

Establishing Sessions with All VRRP Neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.
Figure 16.
INTERFACE mode
vrrp bfd neighbor ip-address

Examples of Viewing VRRP Sessions
To view the established sessions, use the show bfd neighbors command. The bold line shows that VRRP BFD sessions are enabled.
To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session.

Changing VRRP Session Parameters
BFD sessions are configured with default intervals and a default role.
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state.
To enable protocol liveness, use the following command.
• Enable Protocol Liveness.
8 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, hence the term Transit AS. The devices within an AS (AS1 or AS2, as seen in the following illustration) exchange routing information using Internal BGP (IBGP), whereas devices in different ASs communicate using External BGP (EBGP). IBGP provides routers inside the AS with the knowledge to reach routers external to the AS.
Figure 18. BGP Routers in Full Mesh
The number of peering sessions each BGP speaker must maintain increases exponentially. Network management quickly becomes impossible.

AS4 Number Representation
Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): <high-order 16 bits>.<low-order 16 bits>. Some examples are shown in the following table.
• All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI and when displayed in the show command outputs.
• AS numbers larger than 65535 are represented using ASDOT notation as <high-order 16 bits>.<low-order 16 bits>.
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
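The three notations described above, worked through in Python as an added example (this is not Dell EMC Networking OS code): convert a 32-bit AS number to asplain, asdot and asdot+, and parse any of the three back to a value. The rule that asdot uses plain decimal up to 65535 and the dotted form above it follows the text; the assumption that asdot+ always writes high.low, even for values below 65536, is mine.

```python
import re

MAX_AS = 2**32 - 1          # largest 4-byte AS number (asdot+ 65535.65535)
_DOTTED = re.compile(r"^(\d{1,5})\.(\d{1,5})$")


def _check_range(asn: int) -> None:
    if not 0 <= asn <= MAX_AS:
        raise ValueError(f"AS number out of 32-bit range: {asn}")


def to_asplain(asn: int) -> str:
    """asplain: the full 32-bit value as one decimal integer."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """asdot+: always <high 16 bits>.<low 16 bits>, e.g. 65057 -> '0.65057' (assumption)."""
    _check_range(asn)
    high, low = divmod(asn, 65536)
    return f"{high}.{low}"


def to_asdot(asn: int) -> str:
    """asdot: plain decimal for 0..65535, dotted form (as in asdot+) above that."""
    _check_range(asn)
    return str(asn) if asn <= 65535 else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept asplain, asdot or asdot+ text and return the 32-bit value.

    'X.Y' means X*65536 + Y in both dotted notations; a bare decimal is
    asplain, so '65536' is AS 65536 (asdot '1.0'), never 65536.0.
    """
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted word exceeds 16 bits: {text!r}")
        return high * 65536 + low
    if not text.isdigit():
        raise ValueError(f"not an AS number: {text!r}")
    asn = int(text)
    _check_range(asn)
    return asn


def is_four_byte(asn: int) -> bool:
    """True when the value needs the 4-Byte AS feature (does not fit in 16 bits)."""
    _check_range(asn)
    return asn > 65535


if __name__ == "__main__":
    # Constructed sample values: the local-as from the snippet above, 2^16, and the maximum.
    for value in (65057, 65536, 4294967295):
        print(value, to_asplain(value), to_asdot(value), to_asdot_plus(value))
```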
Establish a Session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
• Next Hop
NOTE: There is no hard-coded limit on the number of attributes supported in BGP; the maximum is bounded only by other constraints such as the packet size.

Communities
BGP communities are sets of routes with one or more common attributes. Communities are a way to assign common attributes to multiple routes at the same time.
NOTE: Duplicate communities are not rejected.
Best Path Selection Details
1 Prefer the path with the largest WEIGHT attribute.
2 Prefer the path with the largest LOCAL_PREF attribute.
3 Prefer the path that was locally originated via a network command, redistribute command or aggregate-address command.
a Routes originated via the network or redistribute commands are preferred over routes originated with the aggregate-address command.
Weight
The weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight is preferred. The route with the highest weight is installed in the IP routing table.

Local Preference
Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In the following illustration, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised to AS100 routers so they know which is the preferred path.
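The selection steps listed above, carried out in Python as an added illustration (not Dell EMC Networking OS code): WEIGHT, then LOCAL_PREF, then local origination (network/redistribute ahead of aggregate-address), followed by the standard shortest-AS_PATH and lowest-MED comparisons, which this page does not spell out and which are my assumption. The sample paths reproduce the AS200 MED example: the T1 exit carries MED 100 and the OC3 exit MED 50.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Lower rank is preferred: network/redistribute, then aggregate-address, then learned.
_ORIGIN_RANK = {"network": 0, "redistribute": 0, "aggregate": 1, "learned": 2}


@dataclass
class Path:
    name: str
    as_path: List[int] = field(default_factory=list)  # first element = neighbouring AS
    weight: int = 0            # local to the router, never advertised
    local_pref: int = 100      # AS-wide degree of preference, higher wins
    origin_kind: str = "learned"
    med: Optional[int] = None  # None = no MED attribute; treated as 0 (most preferred) here


def prefer(a: Path, b: Path) -> Path:
    """Return the better of two paths, applying the steps in order."""
    if a.weight != b.weight:                     # 1 largest WEIGHT
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:             # 2 largest LOCAL_PREF
        return a if a.local_pref > b.local_pref else b
    ra, rb = _ORIGIN_RANK[a.origin_kind], _ORIGIN_RANK[b.origin_kind]
    if ra != rb:                                 # 3 locally originated, network/redistribute first
        return a if ra < rb else b
    if len(a.as_path) != len(b.as_path):         # shortest AS_PATH (standard step, assumed)
        return a if len(a.as_path) < len(b.as_path) else b
    # MED is only comparable between paths received from the same neighbouring AS
    # (standard BGP rule, assumed here): the lower MED wins, as in the OC3/T1 example.
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0]:
        ma, mb = a.med or 0, b.med or 0
        if ma != mb:
            return a if ma < mb else b
    return a                                     # full tie: keep the path already held


def select_best(paths: List[Path]) -> Path:
    if not paths:
        raise ValueError("no paths to compare")
    best = paths[0]
    for candidate in paths[1:]:
        best = prefer(best, candidate)
    return best


def med_example() -> str:
    """AS100's view of the two AS200 exit points; constructed sample data."""
    via_t1 = Path("via-T1", as_path=[200], med=100)
    via_oc3 = Path("via-OC3", as_path=[200], med=50)
    return select_best([via_t1, via_oc3]).name


if __name__ == "__main__":
    print("preferred exit:", med_example())
```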
   Network         Next Hop       Metric  LocPrf  Weight  Path
*> 7.0.0.0/29      10.114.8.33    0       0       18508   ?
*> 7.0.0.0/30      10.114.8.33    0       0       18508   ?
*> 9.2.0.0/16      10.114.8.33    10      0       18508   701 i

AS Path
The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to an EBGP neighbor.
NOTE: Any update that contains the AS path number 0 is valid.
The AS path is shown in the following example.
NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP. Therefore, you cannot redistribute multiprotocol BGP routes into BGP.

MBGP for IPv4 Multicast
The PIM feature uses IPv4 multicast routing for data distribution. MBGP provides a link dedicated to multicast traffic. MBGP also allows unicast routing separate from the multicast routing.
DellEMC(conf-router_bgp)#neighbor 2001::1 no shutdown
DellEMC(conf-router_bgp)#address-family ipv4 multicast
DellEMC(conf-router_bgp_af)#neighbor 20.20.20.1 activate
DellEMC(conf-router_bgp_af)#exit
DellEMC(conf-router_bgp)#address-family ipv6 unicast
DellEMC(conf-router_bgpv6_af)#neighbor 2001::1 activate
DellEMC(conf-router_bgpv6_af)#exit

BGP global configuration default values
By default, BGP is disabled. The following table displays the default values for BGP on Dell EMC Networking OS.
Table 8.
Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Figure 22. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
• Unknown optional transitive attributes within a given path attribute (PA) are assigned indices in order. These indices correspond to the f10BgpM2PathAttrUnknownIndex field in the f10BgpM2PathAttrUnknownEntry table. • Negotiation of multiple instances of the same capability is not supported. F10BgpM2PeerCapAnnouncedIndex and f10BgpM2PeerCapReceivedIndex are ignored in the peer capability lookup.
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)
The following are not yet supported:
• auto-summarization (the default is no auto-summary)
• synchronization (the default is no synchronization)

Basic BGP configuration tasks
The following sections describe how to configure a basic BGP network and the basic configuration tasks that are required for BGP to be up and running.
below configuration example, no address family is configured, so the routing information for the IPv4 unicast address family is advertised by default.
1 Assign an AS number and enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
The following example shows the show ip bgp summary command output.
R2#show ip bgp summary
BGP router identifier 1.1.1.1, local 65535
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 40960 bytes of memory
Neighbor    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.1  20  0        0        0       0    0     00:00:00  0
For the router’s identifier, Dell EMC Networking OS uses the highest IP address of the Loopback interfaces configured.
Enabling four-byte autonomous system numbers
You can enable 4-byte support for configuring autonomous system numbers (ASN). To enable 4-byte support for the BGP process, use the following command.
NOTE: When creating BGP confederations, all the routers in the confederation must be either 4-byte or 2-byte identified routers. You cannot mix them.
• Enable 4-byte support for the BGP process.
Example of changing BGP router ID
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.1
The following is sample output of the show ip bgp ipv4 multicast summary command.
DellEMC# show ip bgp summary
BGP router identifier 1.1.1.1, local AS number 400
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 8192 bytes of memory
Neighbor 20.20.20.
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.250 route-map rmap1 in
 neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
 neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i
The following example shows the bgp asnotation asdot command output.
CONFIG-ROUTER-BGP mode
address-family ipv4 [multicast | vrf vrf-name]
multicast — Specifies the IPv4 multicast address family.
vrf vrf-name — Specifies the name of the VRF instance associated with the IPv4 address-family configuration.
• Enable the neighbor to exchange prefixes for the IPv4 unicast address family.
Example-Configuring BGP routing between peers
Example of enabling BGP in Router A
The following is an example of enabling BGP configuration in router A.
RouterA# configure terminal
RouterA(conf)# router bgp 40000
RouterA(conf-router_bgp)# bgp router-id 10.1.1.99
RouterA(conf-router_bgp)# timers bgp 80 130
RouterA(conf-router_bgp)# neighbor 192.168.1.
• Create a peer group by assigning it a name.
• Add members (neighbors) to the peer group.
Configuration rules in a peer group:
• You must create a peer group before adding neighbors to it.
• If you remove any configuration parameter from a peer group, the removal applies to all the neighbors configured under that peer group.
• If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
• peer-group-name: 16 characters.
• as-number: the range is from 0 to 65535 (2-Byte) or 1 to 4294967295 | 0.1 to 65535.65535 (4-Byte) or 0.1 to 65535.65535 (Dotted format).
To add an external BGP (EBGP) neighbor, configure the as-number parameter with a number different from the BGP as-number configured in the router bgp as-number command.
neighbor 2001::1 peer-group zanzibar DellEMC# To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION-ROUTER-BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members. When you disable a peer group, all the peers within the peer group that are in the ESTABLISHED state move to the IDLE state. To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege mode, as shown in the following example.
Example of Enabling BGP (Router 1)
Example of Enabling BGP (Router 2)
Example of Enabling BGP (Router 3)
Example of Enabling Peer Groups (Router 1)
conf
R1(conf)#router bgp 99
R1(conf-router_bgp)# network 192.168.128.0/24
R1(conf-router_bgp)# neighbor AAA peer-group
R1(conf-router_bgp)# neighbor AAA no shutdown
R1(conf-router_bgp)# neighbor BBB peer-group
R1(conf-router_bgp)# neighbor BBB no shutdown
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA
R1(conf-router_bgp)# neighbor 192.168.128.
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.1, local AS number 99
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 96 bytes of memory
2 BGP AS-PATH entrie(s) using 74 bytes of memory
2 neighbor(s) using 8672 bytes of memory
Neighbor       AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor       AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1  99  93       99       1       0    (0)   00:00:15  1
192.168.128.
– *: Clears all peers.
– neighbor-address: Clears the IPv4 or IPv6 neighbor with this IP address.
– as-number: Clears all peers in the specified AS.
– peer-group-name: Clears all members of the specified peer group.

Example of Soft-reconfiguration of a BGP Neighbor
The example enables inbound soft-reconfiguration for the neighbor 10.108.1.1. All updates received from this neighbor are stored unmodified, regardless of the inbound policy.
 redistribute connected
 exit-address-family
!
DellEMC(conf-router_bgp)#do clear ip bgp 20.1.1.2 soft in
May 8 15:28:11 : BGP: 20.1.1.2 sending ROUTE_REFRESH AFI/SAFI (1/1)
May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56
May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.
Table 10.
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0/24
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#
The following is sample output of the show ip bgp command.
DellEMC# show ip bgp
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
BGP local router ID is 30.30.30.
Filtering BGP
The following section describes the methods used to filter the updates received from BGP neighbors. BGP updates can be filtered by:
• Filtering using IP prefix lists
• Filtering using route maps
• Filtering using AS-PATH information
• Filtering using community lists

Regular Expressions as Filters
Regular expressions are used to filter AS paths or community lists.
Example of Using Regular Expression to Filter AS Paths
DellEMC(config)#router bgp 99
DellEMC(conf-router_bgp)#neigh AAA peer-group
DellEMC(conf-router_bgp)#neigh AAA no shut
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.
Filtering BGP using IP prefix lists
An IP prefix list contains a list of networks. When you apply an IP prefix list to a BGP neighbor, you send or receive only the routes whose destination is in the IP prefix list. Filtering BGP routes based on IP prefix lists involves the following steps:
• Create a prefix list. Steps 1 to 3 in the following configuration commands show how to create a prefix list.
• Apply the created prefix list to a BGP neighbor.
DellEMC(conf)# seq 10 permit 10.10.10.0/24 ge 32
DellEMC(conf)#exit
DellEMC(conf)# router bgp
DellEMC(conf-router_bgp)#neighbor 10.10.10.2 distribute-list route10 out
The commands show the configuration of an IP prefix list named route10, which permits routes to network 10.10.10.0/24. The neighbor command configures the router to use IP prefix list route10 to determine which routes are distributed to the neighbor 10.10.10.2. So the routes from the 10.10.10.1/24 network are distributed to neighbor 10.10.10.
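An added Python model (not Dell EMC Networking OS code) of how prefix-list entries are evaluated, including the ge and le length qualifiers, using the entry from the example above as constructed input. It makes visible what the example glosses over: with ge 32, only /32 host routes inside 10.10.10.0/24 match, while the /24 itself is matched only by an entry without qualifiers (or one whose length window includes 24).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str               # "permit" or "deny"
    prefix: IPv4Net
    ge: Optional[int] = None  # minimum prefix length the route may have
    le: Optional[int] = None  # maximum prefix length the route may have

    def matches(self, route: IPv4Net) -> bool:
        # The route must lie inside the entry's prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must fall in the ge/le window. With neither
        # qualifier only the exact length matches; 'ge N' alone means N..32.
        low = self.ge if self.ge is not None else self.prefix.prefixlen
        if self.le is not None:
            high = self.le
        else:
            high = 32 if self.ge is not None else self.prefix.prefixlen
        return low <= route.prefixlen <= high


def parse_entry(line: str) -> PrefixEntry:
    """Parse 'seq 10 permit 10.10.10.0/24 ge 32' style text into an entry."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "seq" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised prefix-list entry: {line!r}")
    kwargs = {"seq": int(tok[1]), "action": tok[2],
              "prefix": IPv4Net(tok[3], strict=False)}
    for key, val in zip(tok[4::2], tok[5::2]):
        if key not in ("ge", "le") or not 0 <= int(val) <= 32:
            raise ValueError(f"bad qualifier {key} {val} in {line!r}")
        kwargs[key] = int(val)
    return PrefixEntry(**kwargs)


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """The first matching entry (by sequence number) decides; unmatched routes are denied."""
    net = IPv4Net(route, strict=False)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action
    return "deny"   # implicit deny at the end of every prefix list


# Constructed sample lists: the page's entry, and the same prefix without 'ge 32'.
WITH_GE = [parse_entry("seq 10 permit 10.10.10.0/24 ge 32")]
EXACT = [parse_entry("seq 10 permit 10.10.10.0/24")]

if __name__ == "__main__":
    for route in ("10.10.10.0/24", "10.10.10.7/32", "10.10.11.0/24"):
        print(route, "ge 32:", evaluate(WITH_GE, route), " exact:", evaluate(EXACT, route))
```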
In the above example, a route map named route1 is created with a permit clause. Within the route map, a set clause prepends an AS number to the AS path. This configuration adds the configured AS number to the AS-Path of each route. The configured route map is applied to the outbound routes of the neighbor 10.10.10.1. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Filtering Routes with Community Lists
To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group.
DellEMC(conf)# exit
DellEMC#
In the above example, a BGP neighbor in AS 400 is added and the route map called route2 is applied to inbound routes from the BGP neighbor at 10.10.10.1. The route map route2 is created with a permit clause that matches the route’s community attribute against community list 1. Community list 1 permits routes with a community attribute of 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
fall-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dr
When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, Dell EMC Networking OS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor. To work around this, change the BGP configuration or change the order of the peer group configuration. You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265.
• Bring the secondary RPM online as the primary and re-open sessions with all peers operating in No Shutdown mode.
• Defer best path selection for a certain amount of time. This helps optimize path selection and results in fewer updates being sent out.
To enable graceful restart, use the following command.
bgp graceful-restart [restart-time seconds] [stale-path-time seconds] [role receiver-only]
To return to the default, use the no bgp graceful-restart command.
ROUTER BGP or CONF-ROUTER_BGPv6_AF mode
redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name]
Configure the following parameters:
– isis: Indicate that you are redistributing ISIS routes into BGP.
– level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2.
– metric value: The value is from 0 to 16777215. The default is 0.
– route-map map-name: Specify the name of a configured route map to be consulted before adding the ISIS route.
• path-count: Indicate that the system sends multiple paths to peers. The range is from 2 to 64.
2 Allow the specified neighbor or peer group to send or receive multiple path advertisements.
CONFIG-ROUTER-BGP or CONFIG-ROUTER-BGP-AF mode
neighbor [ip-address | ipv6-address | peer-group-name] add-path [send | receive | both] path-count
NOTE: The path-count parameter controls the number of paths that are advertised, not the number of paths that are received.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list.
• regexp: then a regular expression.
 deny 701:20
 deny 702:20
 deny 703:20
 deny 704:20
 deny 705:20
 deny 14551:20
 deny 701:112
 deny 702:112
 deny 703:112
 deny 704:112
 deny 705:112
 deny 14551:112
 deny 701:667
 deny 702:667
 deny 703:667
 deny 704:666
 deny 705:666
 deny 14551:666
DellEMC#

Configure BGP attributes
The following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE.
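A Python model, added here and not Dell EMC Networking OS code, of matching a standard community list against a route's COMMUNITY attribute: entries take AS:NN values, plain 32-bit numbers, the well-known keywords listed above, or a regular expression, and the first matching entry decides. The well-known values (NO_EXPORT 0xFFFFFF01, NO_ADVERTISE 0xFFFFFF02, NO_EXPORT_SUBCONFED 0xFFFFFF03) are those of RFC 1997; the sample list reproduces the deny entries shown above and adds a final permit-all entry, which is my addition.

```python
import re
from typing import Callable, FrozenSet, Iterable, List, Tuple

# RFC 1997 well-known communities, keyed by the CLI keywords used above.
WELL_KNOWN = {"no-export": 0xFFFFFF01, "no-advertise": 0xFFFFFF02, "local-AS": 0xFFFFFF03}
_WELL_KNOWN_NAMES = {v: k for k, v in WELL_KNOWN.items()}
_AS_NN = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def parse_community(text: str) -> int:
    """'AS:NN', a plain 32-bit decimal, or a well-known keyword -> 32-bit value."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    m = _AS_NN.match(text)
    if m:
        asn, nn = int(m.group(1)), int(m.group(2))
        if asn > 65535 or nn > 65535:
            raise ValueError(f"community word exceeds 16 bits: {text!r}")
        return (asn << 16) | nn
    if text.isdigit() and int(text) <= 0xFFFFFFFF:
        return int(text)
    raise ValueError(f"not a community: {text!r}")


def format_community(value: int) -> str:
    """Render as the keyword or the 'AS:NN' form seen in show output (100 -> '0:100')."""
    return _WELL_KNOWN_NAMES.get(value, f"{value >> 16}:{value & 0xFFFF}")


Matcher = Callable[[FrozenSet[int]], bool]


class CommunityList:
    """Ordered permit/deny entries; the first match decides, otherwise deny."""

    def __init__(self) -> None:
        self.entries: List[Tuple[str, Matcher]] = []

    def add(self, action: str, *communities: str) -> None:
        """Value entry: matches a route carrying ALL the listed communities."""
        wanted = frozenset(parse_community(c) for c in communities)
        self.entries.append((action, lambda have: wanted <= have))

    def add_regexp(self, action: str, pattern: str) -> None:
        """Regexp entry: matched against the route's communities rendered as text."""
        rx = re.compile(pattern)

        def matches(have: FrozenSet[int]) -> bool:
            text = " ".join(sorted(format_community(c) for c in have))
            return rx.search(text) is not None

        self.entries.append((action, matches))

    def evaluate(self, route_communities: Iterable[str]) -> str:
        # A set absorbs duplicate communities, which the text says are not rejected.
        have = frozenset(parse_community(c) for c in route_communities)
        for action, matches in self.entries:
            if matches(have):
                return action
        return "deny"   # implicit deny at the end of the list


def example_list() -> CommunityList:
    """Constructed sample: the deny entries from the show output above, then permit the rest."""
    cl = CommunityList()
    for nn in (20, 112):
        for asn in (701, 702, 703, 704, 705, 14551):
            cl.add("deny", f"{asn}:{nn}")
    for asn, nn in ((701, 667), (702, 667), (703, 667), (704, 666), (705, 666), (14551, 666)):
        cl.add("deny", f"{asn}:{nn}")
    cl.add_regexp("permit", ".*")      # my addition: let everything not listed through
    return cl


if __name__ == "__main__":
    for attr in (["702:112"], ["64801:100", "no-export"], []):
        print(attr, "->", example_list().evaluate(attr))
```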
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} send-community [extended | standard]
extended: Sends the extended community attribute to a BGP neighbor or peer group.
standard: Sends the standard community attribute to a BGP neighbor or peer group.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network             Next Hop        Metric
* i 3.0.0.0/8           195.171.0.16
*>i 4.2.49.12/30        195.171.0.16
* i 4.21.132.0/23       195.171.0.
*>i 4.24.118.16/30
*>i 4.24.145.0/30
*>i 4.24.187.12/30
*>i 4.24.202.0/30
*>i 4.25.88.0/30
*>i 6.1.0.0/16
*>i 6.2.0.0/22
*>i 6.3.0.0/18
*>i 6.4.0.0/16
*>i 6.5.0.0/19
*>i 6.8.0.0/20
*>i 6.9.0.0/20
*>i 6.10.0.0/15
*>i 6.14.0.0/15
*>i 6.133.0.0/21
*>i 6.151.0.0/16
--More--
CONFIG-ROUTE-MAP mode
set local-preference value
3 Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5 Apply the route-map to the neighbor or peer group’s incoming or outgoing routes.
Changing the WEIGHT Attribute
To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address.
• Assign a weight to the neighbor connection.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} weight weight
weight: the range is from 0 to 65535. The default is 0.
• Set the weight for the route.
DellEMC(conf-router_bgp)# maximum-paths ibgp 5
DellEMC(conf-router_bgp)# exit
In the above example configuration, the maximum number of parallel internal BGP routes is set to 5, so that at most 5 such routes can be installed in the routing table. The show ip bgp network command includes multipath information for that network.

Route Reflectors
Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules.
NOTE: Do not use route reflectors (RRs) in the forwarding path.
To configure a route reflector, use the following commands.
• Assign a cluster ID or an IP address to a route reflector cluster.
CONFIG-ROUTER-BGP mode
bgp cluster-id ip-address | number
– ip-address: IP address as the route reflector cluster ID.
– number: A route reflector cluster ID as a number from 1 to 4294967295.
• You can have multiple clusters in an AS. When a BGP cluster contains only one route reflector, the cluster ID is the route reflector’s router ID.
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands. • Enable route dampening.
bgp non-deterministic-med
NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.

Examples of Configuring a Route and Viewing the Number of Dampened Routes
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
• The new keepalive value is the lower of one-third of the new holdtime value and the configured keepalive value.
• Configure timer values for a BGP neighbor or peer group.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} timers keepalive holdtime
– keepalive: Time interval, in seconds, between keepalive messages sent to the neighbor routers. The range is from 1 to 65535. The default is 60 seconds.
timers bgp extended idle holdtime
idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.

Enabling or disabling BGP neighbors
You can enable or disable all the configured BGP neighbors using the shutdown all command in ROUTER BGP mode.
When you configure BGP, you must explicitly enable the BGP neighbors using the following commands:
neighbor {ip-address | peer-group-name} remote-as as-number
neighbor {ip-address | peer-group-name} no shutdown
For more information on enabling BGP, see Enabling BGP.
When you use the shutdown all command in global configuration mode, this command takes precedence over the shutdown address-family-ipv4-unicast, shutdown address-family-ipv4-multicast, and shutdown address-family-ipv6-unicast commands.
Configuring BGP Confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
neighbor ip-address no shutdown
• Specify the number of prefixes that can be received from a neighbor.
CONFIG-ROUTER-BGP-AF mode
neighbor {ip-address | ipv6-address | peer-group-name} maximum-prefix maximum [threshold] [warning-only]

Example of configuring both IPv4 and IPv6 VRF address families
The following are the sample steps performed to configure a VRF, and VRF address families for IPv4 (unicast and multicast) and IPv6.
Maintaining Existing AS Numbers During an AS Migration
The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration. When you complete your migration, be sure to reconfigure your routers with the new information and disable this feature.
• Allow external routes from this neighbor.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} local-as as-number [no prepend]
– peer-group-name: 16 characters.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} allowas-in number
– peer-group-name: 16 characters.
– number: 1 through 10.
Format: IP address: A.B.C.D and IPv6 address: X:X:X:X::X.
You must configure peer groups before assigning them to an AS.

Example of Viewing AS Numbers in AS Paths
The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allowas-in 9).
• If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
Most Dell EMC Networking OS BGP IPv4 unicast commands are extended to support the IPv4 multicast RIB using extra options to the command. For a detailed description of the MBGP commands, refer to the Dell EMC Networking OS Command Line Interface Reference Guide.

MBGP support for IPv6
MBGP supports IPv6 with the same features and functionality as IPv4 BGP.
Neighbor  AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
2001::1   200  0        0        0       0    0     00:00:00  0
DellEMC#

Example-Configuring IPv4 and IPv6 neighbors
The following example configurations show how to enable BGP and set up some peers under the IPv4 and IPv6 address families. To adapt them to your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
Neighbor    AS   MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
20.20.20.2  200  10       20       0       0    0     00:06:11  0
30.30.30.1  20   0        0        0       0    0     00:00:00  0
2001::2     200  40       45       0       0    0     00:03:14  0
The same output is displayed when using the show ip bgp ipv4 unicast summary command.
The following is sample output of the show ip bgp ipv4 multicast summary command.
R1# show ip bgp ipv4 multicast summary
BGP router identifier 1.1.1.
20.20.20.1  10  10  20  0  0  0  00:06:11  0
R2#
The following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.
R2#show ip bgp ipv6 unicast summary
BGP router identifier 2.2.2.2, local AS number 200
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
2 neighbor(s) using 24576 bytes of memory
Neighbor 20.20.20.
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.1
DellEMC(conf-router_bgp)# address-family ipv6 unicast
DellEMC(conf-router_bgpv6_af)# neighbor 10.1.1.2 activate
DellEMC(conf-router_bgpv6_af)# exit
Configuring the auto-local-address for a neighbor dynamically picks the local BGP interface IPv6 address (2001::1/64) as the next hop for all the updates sent over an IPv4 neighbor configured under the IPv6 address family. If the auto-local-address is not configured, the IPv4-mapped IPv6 address (10.1.1.1) is used as the next hop.
BGP Regular Expression Optimization
Dell EMC Networking OS optimizes processing time when using regular expressions by caching and re-using regular expression evaluation results, at the expense of some memory in the RP1 processor. BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affecting BGP routing convergence.
To disable a specific debug command, use the keyword no then the debug command. For example, to disable debugging of BGP updates, use no debug ip bgp updates command. To disable all BGP debugging, use the no debug ip bgp command. To disable all debugging, use the undebug all command. Storing Last and Bad PDUs Dell EMC Networking OS stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per peer basis.
PDU Counters Dell EMC Networking OS supports additional counters for various types of PDUs sent and received from neighbors. These are seen in the output of the show ip bgp neighbor command.
9 Content Addressable Memory (CAM)
CAM is a type of memory that stores information in the form of a lookup table. On Dell EMC Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.

CAM Allocation
CAM Allocation for Ingress
To allocate the space for regions such as L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode.
The following additional CAM allocation settings are supported.
Table 12. Additional Default CAM Allocation Settings
Additional CAM Allocation Setting    Default
FCoE ACL (fcoeacl)                   0
ISCSI Opt ACL (iscsioptacl)          0
You must enter the ipv6acl and vman-dual-qos allocations as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
reload
Test CAM Usage
To determine whether sufficient CAM space is available to enable a service-policy, use the test cam-usage command. To verify the actual CAM space required, create a class map with all required ACL rules, then run the test cam-usage command in EXEC Privilege mode. The Status column in the command output indicates whether or not you can enable the policy.
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4 and IPv6 Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode. The following output shows CAM block usage for Layer 2 and Layer 3 ACLs and other processes that use CAM space:
Example of the show cam-usage Command
DellEMC#show cam-usage
Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|======
The range of the silence period is from 0 to 65535. The default is 0 seconds. NOTE: If you delete an FP in a CAM region that is assigned a threshold, a syslog warning appears even during the silence period. The system triggers syslog during the following events: • Re-configuring the CAM threshold • Adding or deleting an ACL rule Example of Syslog message on CAM usage The following table shows a few possible scenarios in which the syslog message appears on re-configuring the CAM usage threshold value.
• Use the eg-default CAM profile in a chassis that has only EG Series line cards. If this profile is used in a chassis with non-EG line cards, the non-EG line cards enter a problem state. • Before moving a card to a new chassis, change the CAM profile on a card to match the new system profile. • After installing a secondary RPM into a chassis, copy the running-configuration to the startup-configuration. • Change to the default profile if downgrading to a Dell EMC Networking OS version earlier than 6.
Table 14. UFT Modes — Table Size
UFT Mode | L2 MAC Table Size | L3 Host Table Size | L3 LPM Table Size
Default | 160K | 144K | 16K
Scaled-l3-hosts | 96K | 208K | 16K
Scaled-l3-routes | 32K | 16K | 128K
Configuring UFT Modes
To configure the Unified Forwarding Table (UFT) modes, follow these steps.
1 Select a mode to initialize the maximum scalability size for the L2 MAC table, L3 Host table, or L3 Route table.
10 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type.
permit {arp | frrp | gvrp | isis | lacp | lldp | stp} 2 Create a Layer 3 extended ACL for control-plane traffic policing for a particular protocol. CONFIGURATION mode ip access-list extended name cpu-qos permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | mcast-catch-all | msdp | ntp | ospf | pim | ip | ssh | telnet | vrrp} 3 Create an IPv6 ACL for control-plane traffic policing for a particular protocol.
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
CONFIGURATION mode qos-policy-input name cpu-qos 2 Create an input policy-map to assign the QoS policy to the desired service queues. CONFIGURATION mode policy-map-input name cpu-qos service-queue queue-number qos-policy name 3 Enter Control Plane mode. CONFIGURATION mode control-plane-cpuqos 4 Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
Example of Viewing Queue Mapping for MAC Protocols To view the queue mapping for IPv6 protocols, use the show ipv6 protocol-queue-mapping command.
11 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic. Through network consolidation, DCB results in reduced operational cost, simplified management, and easy scalability by avoiding the need to deploy separate application-specific networks.
Figure 29. Illustration of Traffic Congestion The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4. In the Dell EMC Networking OS, PFC is implemented as follows: • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Figure 30. Enhanced Transmission Selection The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.
Table 15. ETS Traffic Groupings
Traffic Groupings | Description
Group ID | A 4-bit identifier assigned to each priority group. The range is 0 to 7 (configurable); 8 to 14 are reserved; and 15.0 to 15.7 is the strict priority group.
Group bandwidth | Percentage of available bandwidth allocated to a priority group.
ETS parameters ETS Configuration TLV and ETS Recommendation TLV. Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 31. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. DCB is disabled by default. It must be enabled to support CEE.
DCB Maps and its Attributes This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. DCB Map: Configuration Procedure A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
The default dot1p priority-queue assignments are applied as follows:
DellEMC(conf)#do show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue : 0 0 0 1 2 3 3 3
DellEMC(conf)#
PFC is not applied on specific dot1p priorities. ETS: Equal bandwidth is assigned to each port queue and each dot1p priority in a priority group. To configure PFC and ETS parameters on an interface, you must specify the PFC mode, the ETS bandwidth allocation for a priority group, and the 802.
Dell EMC Networking OS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE802.1Qbb, CEE, and CIN versions of PFC Type, Length, Value (TLV) are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices. NOTE: You cannot enable PFC and link-level flow control at the same time on an interface.
The default: No lossless queues are configured. NOTE: Dell EMC Networking OS Behavior: By default, no lossless queues are configured on a port. A limit of two lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the two lossless queues, an error message displays. It is the user’s responsibility to have symmetric PFC configurations on the interfaces involved in a particular PFC-enabled traffic flow to obtain lossless behavior.
• When you apply a DCB map, an error message is displayed if link-level flow control is already enabled on an interface. You cannot enable PFC and link-level flow control at the same time on an interface. • In a switch stack, configure all stacked ports with the same PFC configuration. • Dell EMC Networking OS allows you to change the default dot1p priority-queue assignments only if the change satisfies the following requirements in DCB maps already applied to the interfaces: • All 802.
Configuring PFC without a DCB Map In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic. Table 17.
PFC on priority level. Queue : 0 0 0 1 2 3 3 3 -> On Egress interface[Port B] we used no-drop queues. Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the no-drop egress queues. When configuring lossless queues on a port interface, consider the following points: • By default, no lossless queues are configured on a port. • A limit of two lossless queues is supported on a port.
halting the transmission of data packets. The sending device requests the recipient to restart the transmission of data traffic when the congestion eases and reduces. The time period that is specified in the pause frame defines the duration for which the flow of data packets is halted. When the time period elapses, the transmission restarts. When a device sends a pause frame to another device, the time for which the sending of packets from the other device must be stopped is contained in the pause frame.
Packets that come in with packet-dot1p 2 alone use Q1 (as per the dot1p-to-queue classification in Table 2) on the egress port. • When the peer sends a PFC message for Priority 2, based on the PRIO2COS table above (Table 2), Queue 1 is halted. • Queue 1 starts buffering the packets with dot1p 2. This causes the PG6 buffer counter to increase on the ingress, since P-dot1p 2 is mapped to PG6. • As the PG6 watermark threshold is reached, PFC is generated for dot1p 2.
SNMP Support for PFC and Buffer Statistics Tracking Buffer Statistics Tracking (BST) feature provides a mechanism to aid in Resource Monitoring and Tuning of Buffer Allocation. The Max Use Count mode provides the maximum value of the counters accumulated over a period of time. Priority Flow Control (PFC) provides a link level flow control mechanism, which is controlled independently for each frame priority. The goal of this mechanism is to ensure zero loss under congestion in DCB networks.
On ingress, buffers are accounted on a per-PG basis and indicate the number of packets that have entered this port’s PG but are still queued in the egress pipeline. However, there is no direct mapping between the PG and the queue. A packet is assigned an internal priority on the ingress pipeline based on the queue to which it is destined. This internal-priority-to-queue mapping has been modified and enhanced as follows for the device: Table 20.
Using PFC to Manage Converged Ethernet Traffic To use PFC for managing converged Ethernet traffic, use the following command: dcb-map stack-unit all dcb-map-name Operations on Untagged Packets The following is an example of enabling PFC for priority 2 for tagged packets. Priority (packet dot1p) 2 is mapped to PG6 by the PRIO2PG setting. All other priorities for which PFC is not enabled are mapped to the default PG (PG7).
NOTE: The IEEE 802.1Qaz, CEE, and CIN versions of ETS are supported. Creating an ETS Priority Group An ETS priority group specifies the range of 802.1p priority traffic to which a QoS output policy with ETS settings is applied on an egress interface. 1 Configure a DCB Map. CONFIGURATION mode dcb-map dcb-map-name The dcb-map-name variable can have a maximum of 32 characters. 2 Create an ETS priority group.
By default, all 802.1p priorities are grouped in priority group 0 and 100% of the port bandwidth is assigned to priority group 0. The complete bandwidth is equally assigned to each priority class so that each class has 12 to 13%. The maximum number of priority groups supported in ETS output policies on an interface is equal to the number of data queues (4) (8) on the port. The 802.1p priorities in a priority group can map to multiple queues.
Dell(conf-qos-policy-out)#bandwidth-percentage 100 The default is none. 3 Repeat Step 2 to configure bandwidth percentages for other priority queues on the port. QoS OUTPUT POLICY mode Dell(conf-qos-policy-out)#bandwidth-percentage 100 4 Exit QoS Output Policy Configuration mode. QoS OUTPUT POLICY mode Dell(conf-if-te-0/1)#exit 5 Enter INTERFACE Configuration mode.
• Scheduling of priority traffic: dot1p priority traffic on the switch is scheduled to the current queue mapping. dot1p priorities within the same queue must have the same traffic properties and scheduling method.
Unused bandwidth usage: Strict-priority groups: Normally, if there is no traffic or unused bandwidth for a priority group, the bandwidth allocated to the group is distributed to the other priority groups according to the bandwidth percentage allocated to each group.
• Discovers DCB configuration (such as PFC and ETS) in a peer device. • Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch. Mis-configuration detection is feature-specific because some DCB features support asymmetric configuration. • Reconfigures a peer device with the DCB configuration from its configuration source if the peer device is willing to accept configuration.
not stored in the switch’s running configuration. On a DCBx port that is the configuration source, all PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled. Manual The port is configured to operate only with administrator-configured settings and does not auto-configure with DCB settings received from a DCBx peer or from an internally propagated configuration from the configuration source.
the peer link up and continues to exchange DCBx packets. If a compatible peer configuration is later received, DCBx is enabled on the port. • If there is no configuration source, a port may elect itself as the configuration source. A port may become the configuration source if the following conditions exist: – No other port is the configuration source. – The port role is auto-upstream. – The port is enabled with link up and DCBx enabled. – The port has performed a DCBx exchange with a DCBx peer.
NOTE: Because DCBx TLV processing is best effort, it is possible that CIN frames may be processed when DCBx is configured to operate in CEE mode and vice versa. In this case, the unrecognized TLVs cause the unrecognized TLV counter to increment, but the frame is processed and is not discarded. Legacy DCBx (CIN and CEE) supports the DCBx control state machine that is defined to maintain the sequence number and acknowledge the number sent in the DCBx control TLVs.
1 Configure ToR- and FCF-facing interfaces as auto-upstream ports. 2 Configure server-facing interfaces as auto-downstream ports. 3 Configure a port to operate in a configuration-source role. 4 Configure ports to operate in a manual role. 1 Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port 2 Enter LLDP Configuration mode to enable DCBx operation.
6 On manual ports only: Configure the Application Priority TLVs advertised on the interface to DCBx peers. PROTOCOL LLDP mode [no] advertise DCBx-appln-tlv {fcoe | iscsi} • fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled to advertise FCoE and iSCSI.
The default is All TLV types are enabled. 5 Configure the Application Priority TLVs that advertise on unconfigured interfaces with a manual port-role. PROTOCOL LLDP mode [no] advertise DCBx-appln-tlv {fcoe | iscsi} • fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI.
– all: enables all DCBx debugging operations. – auto-detect-timer: enables traces for DCBx auto-detect timers. – config-exchng: enables traces for DCBx configuration exchanges. – fail: enables traces for DCBx failures. – mgmt: enables traces for DCBx management frames. – resource: enables traces for DCBx system resource frames. – sem: enables traces for the DCBx state machine. – tlv: enables traces for DCBx TLVs.
The following example shows the show qos priority-groups command.
DellEMC#show qos priority-groups
priority-group ipc
priority-list 4
set-pgid 2
The following example shows the output of the show qos dcb-map test command.
DellEMC#show qos dcb-map test
----------------------
State :Complete PfcMode:ON
-------------------
PG:0 TSA:ETS BW:50 PFC:OFF Priorities:0 1 2 5 6 7
PG:1 TSA:ETS BW:50 Priorities:3 4 PFC:ON
The following example shows the show interfaces pfc summary command.
Field | Description
• Feature: for legacy DCBx versions • Symmetric: for an IEEE version
TLV Tx Status | Status of PFC TLV advertisements: enabled or disabled.
PFC Link Delay | Link delay (in quanta) used to pause specified priority traffic.
Application Priority TLV: FCOE TLV Tx Status | Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled.
Field | Description
Admin mode is enabled on the remote port for DCBx exchange, the Willing bit received in ETS TLVs from the remote peer is included.
Local Parameters | ETS configuration on local port, including Admin mode (enabled when a valid TLV is received from a peer), priority groups, assigned dot1p priorities, and bandwidth allocation.
Operational status (local port) | Port state for current operational ETS configuration: • Init: Local ETS configuration parameters were exchanged with peer.
Field | Description
Local DCBx Configured mode | DCBx version configured on the port: CEE, CIN, IEEE v2.5, or Auto (port auto-configures to use the DCBx version received from a peer).
Peer Operating version | DCBx version that the peer uses to exchange DCB parameters.
Local DCBx TLVs Transmitted | Transmission status (enabled or disabled) of advertised DCB TLVs (see TLV code at the top of the show command output).
Local DCBx Status: DCBx Operational Version | DCBx version advertised in Control TLVs.
Configuring the Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps: 1 Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces. CONFIGURATION mode dcb enable 2 Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported.
Sample DCB Configuration The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: • Incoming SAN traffic is configured for priority-based flow control. • Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling). • One lossless queue is used. Figure 33.
dot1p Value in the Incoming Frame | Priority Group Assignment
0 | LAN
1 | LAN
2 | LAN
3 | SAN
4 | IPC
5 | LAN
6 | LAN
7 | LAN
The following describes the priority group-bandwidth assignment.
Priority Group | Bandwidth Assignment
IPC | 5%
SAN | 50%
LAN | 45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
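The bandwidth-sharing behaviour this chapter describes for ETS priority groups, worked through in Python on the IPC/SAN/LAN sample assignment above (an added example, not Dell EMC Networking OS code; the round-based redistribution arithmetic, the link speed and the offered loads are assumptions):

```python
"""ETS bandwidth sharing modelled in Python (constructed example, not Dell EMC code).

Each priority group is guaranteed its configured percentage of the link. When a
group offers less traffic than its share, the unused bandwidth is redistributed
to the groups that still have demand, in proportion to their configured
percentages, as the guide describes for non-strict priority groups. The
round-based arithmetic below is an assumption about how that sharing converges.
"""

# Priority-group bandwidth assignment from the sample configuration above.
SAMPLE_GROUPS = {"IPC": 5, "SAN": 50, "LAN": 45}


def ets_allocate(groups, demand, link_gbps):
    """Return {group: allocated Gbps} for one scheduling interval.

    groups:    {name: configured bandwidth percentage}; must sum to 100
    demand:    {name: offered load in Gbps} (missing groups offer 0)
    link_gbps: link capacity in Gbps
    """
    if sum(groups.values()) != 100:
        raise ValueError("ETS bandwidth percentages must sum to 100")
    alloc = {g: 0.0 for g in groups}
    remaining = {g: float(demand.get(g, 0.0)) for g in groups}
    spare = float(link_gbps)
    # Each round hands the spare bandwidth to the still-unsatisfied groups in
    # proportion to their percentages. A group that needs less than its share
    # takes only what it needs, and the surplus is shared again next round.
    while spare > 1e-9:
        unsatisfied = [g for g in groups if remaining[g] > 1e-9]
        if not unsatisfied:
            break
        weight_total = sum(groups[g] for g in unsatisfied)
        round_spare = spare
        for g in unsatisfied:
            share = round_spare * groups[g] / weight_total
            grant = min(share, remaining[g])
            alloc[g] += grant
            remaining[g] -= grant
            spare -= grant
    return {g: round(v, 6) for g, v in alloc.items()}


def sample_allocations(link_gbps=10):
    """Three constructed load patterns on the sample groups of this section."""
    return {
        # every group saturates its share: 0.5 / 5.0 / 4.5 Gbps
        "all_busy": ets_allocate(SAMPLE_GROUPS, {"IPC": 10, "SAN": 10, "LAN": 10}, link_gbps),
        # IPC idle: its 5% is split between SAN and LAN in the ratio 50:45
        "ipc_idle": ets_allocate(SAMPLE_GROUPS, {"SAN": 10, "LAN": 10}, link_gbps),
        # SAN needs only 2 Gbps: its surplus is split between IPC and LAN in the ratio 5:45
        "san_light": ets_allocate(SAMPLE_GROUPS, {"IPC": 1, "SAN": 2, "LAN": 10}, link_gbps),
    }


if __name__ == "__main__":
    for name, alloc in sample_allocations().items():
        print(name, alloc)
```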
12 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Figure 34. DHCP Packet Format
The following table lists common DHCP options.
Option | Number and Description
Subnet Mask | Option 1. Specifies the client’s subnet mask.
Router | Option 3. Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server | Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name | Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option | Number and Description
Rebinding Time | Option 59. Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with any server, if the original server does not respond.
Vendor Class Identifier | Option 60. Identifies a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server.
L2 DHCP Snooping | Option 82.
Figure 35. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell EMC Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell EMC Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
DHCP Server Responsibilities Description keeping track of which addresses have been allocated and which are still available. Configuration Parameter Storage and Management DHCP servers also store and maintain other parameters that are sent to clients when requested. These parameters specify in detail how a client is to operate. Lease Management DHCP servers use leases to allocate addresses to clients for a limited time.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need.
Configure a Method of Hostname Resolution Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS. Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1 Create a domain. DHCP domain-name name 2 Specify in order of preference the DNS servers that are available to a DHCP client.
DHCP host—address address 3 Specify the client hardware address. DHCP hardware-address hardware-address type • hardware-address: the client MAC address. • type: the protocol of the hardware platform. The default protocol is Ethernet. Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server.
Configuring the DHCP Client System This section describes how to configure and view an interface as a DHCP client to receive an IP address. Dell EMC Networking OS Behavior: The ip address dhcp command enables DHCP server-assigned dynamic addresses on an interface. The setting persists after a switch reboot. To stop DHCP transactions and save the dynamically acquired IP address, use the shutdown command on the interface.
4 Acquire a new IP address with renewed lease time from a DHCP server. EXEC Privilege mode renew dhcp interface type slot/port To display DHCP client information, use the following show commands in EXEC Privilege mode. • To display statistics about DHCP client interfaces, use the show ip dhcp client statistics interface type slot/port command. • To clear DHCP client statistics on a specified or on all interfaces, use the clear ip dhcp client statistics {all | interface type slot/port} command.
VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
Configuring Route Leaking between VRFs on DHCP Relay Agent To configure route leaking between VRFs on DHCP relay agent, include the configuration similar to the following along with your DHCP relay configuration on your system.
Non-default VRF configuration for DHCPv6 helper address The ipv6 helper-address command is enhanced to provide support for configuring VRF for DHCPv6 relay helper address. To forward DHCP packets between DHCP client and server if they are from different VRFs, you should configure route leak using route map between the VRFs. For more information on configuring route leak across VRF, see DHCP Relay when DHCP Server and Client are in Different VRFs.
mode level, it is applied globally. So, all the DHCP packets will be relayed or forwarded through the configured L3 interface (loopback 1) using the IPv4 (1.1.1.1/32) and IPv6 addresses (1::1/128) of the loopback configuration. Interface level DHCP relay source IPv4 or IPv6 configuration You can configure interface specific DHCP relay source IPv4 or IPv6 configuration.
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Dell(conf-if-vl-4)# ip dhcp relay source-interface loopback 3
Dell(conf-if-vl-4)# ipv6 dhcp relay source-interface loopback 3
In the following configuration, the DHCP relay source interface is not configured on the VLAN interface, so the DHCP relay uses the configured global DHCP relay source interface to forward packets from the DHCP client to the server.
• Default Agent Circuit ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned-out, the PortStr is represented as mainPort:subPort.
• Default Agent Remote ID is the system MAC address (in binary format).
The following example shows the format of the Circuit ID - 723:0:1:1
Table 27. Circuit ID Format
VLAN ID | LAG ID | Slot ID | Port Str
723 | 0 | 1 | 1
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server.
• Default Agent Interface ID is constructed in the format VLANID:LagID:SlotID:PortStr. When the port is fanned-out, the PortStr is represented as mainPort:subPort.
• Default Agent Remote ID is the system MAC address of the relay agent that adds Option 37 (in binary format).
DHCP Snooping
DHCP snooping is a feature that protects networks from spoofing. It acts as a firewall between the DHCP server and DHCP clients. DHCP snooping places the ports either in trusted or non-trusted mode.
Enabling DHCP Snooping To enable DHCP snooping, use the following commands. 1 Enable DHCP snooping globally. CONFIGURATION mode ip dhcp snooping 2 Specify ports connected to DHCP servers as trusted. INTERFACE mode INTERFACE PORT EXTENDER mode ip dhcp snooping trust 3 Enable DHCP snooping on a VLAN. CONFIGURATION mode ip dhcp snooping vlan name Enabling IPv6 DHCP Snooping To enable IPv6 DHCP snooping, use the following commands. 1 Enable IPv6 DHCP snooping globally.
Adding a Static IPV6 DHCP Snooping Binding Table To add a static entry in the snooping database, use the following command. • Add a static entry in the snooping binding table. EXEC Privilege mode ipv6 dhcp snooping binding mac address vlan-id vlan-id ipv6 ipv6-address interface interfacetype | interface-number lease value Clearing the Binding Table To clear the binding table, use the following command. • Delete all of the entries in the binding table.
The following example shows a sample output of the show ip dhcp snooping binding command for a device connected to both the VLT peers. The Po 10 interface is the VLT port channel connected to a ToR switch or an end device.
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address MAC Address Expires(Sec) Type VLAN Interface
=========================================================================
10.1.1.10 00:00:a0:00:00:00 39735 S Vl 200 Po 10
10.1.1.
Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease in size.
arp inspection Examples of Viewing the ARP Information To view entries in the ARP database, use the show arp inspection database command. To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Source Address Validation Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV). Table 28. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell EMC Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
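The snooping checks this chapter describes (the Option 82 Circuit ID format, DHCP MAC source address validation and IP source address validation against the binding table), modelled in Python on constructed packets; an added example, not Dell EMC Networking OS code, and the helper names, sample client MAC, relay MAC and binding entry are assumptions:

```python
"""DHCP snooping checks modelled in Python (constructed example, not Dell EMC code).

Shows, on constructed sample data, the checks this chapter describes:
  * DHCP MAC source address validation: frame source MAC must equal CHADDR
  * IP source address validation: packets from untrusted ports pass only if
    (IP, MAC, VLAN, interface) matches a snooping binding-table entry
  * Option 82 Agent Circuit ID in the guide's VLANID:LagID:SlotID:PortStr form
Only the BOOTP/DHCP payload is parsed; the caller supplies the frame's source
MAC, VLAN and ingress interface. The helper names are this example's own.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie


def parse_dhcp(payload):
    """Return (chaddr, {option code: raw value}); ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = payload[2]
    if hlen > 16:
        raise ValueError("bad hlen")
    chaddr = payload[28:28 + hlen]
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255:                    # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return chaddr, options


def parse_option82(raw):
    """Split Relay Agent Information into sub-options (1 = Circuit ID, 2 = Remote ID)."""
    subs, i = {}, 0
    while i + 2 <= len(raw):
        sub, length = raw[i], raw[i + 1]
        subs[sub] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return subs


def circuit_id(vlan_id, lag_id, slot_id, port_str):
    """Default Agent Circuit ID format documented above: VLANID:LagID:SlotID:PortStr."""
    return "%d:%d:%d:%s" % (vlan_id, lag_id, slot_id, port_str)


def mac_sav_ok(src_mac, payload):
    """DHCP MAC SAV: accept only if the frame's source MAC equals CHADDR."""
    chaddr, _ = parse_dhcp(payload)
    return chaddr == src_mac


def ip_sav_ok(binding_table, src_ip, src_mac, vlan, interface):
    """IP SAV: accept an IP packet only if it matches a binding-table entry."""
    return (src_ip, src_mac, vlan, interface) in binding_table


def build_dhcp_discover(chaddr, option82=None):
    """Construct a minimal DHCPDISCOVER payload (sample data for this example)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(chaddr), 0, 0x3903F326,
                      0, 0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    opts = b"\x35\x01\x01"                                      # option 53: DHCPDISCOVER
    if option82 is not None:
        opts += bytes([82, len(option82)]) + option82
    return hdr + DHCP_MAGIC + opts + b"\xff"


def sample_checks():
    """Run the checks on constructed data; values mirror the binding example above."""
    client_mac = bytes.fromhex("0000a0000000")
    relay_mac = bytes.fromhex("0001e88b1234")                  # constructed relay MAC
    cid = circuit_id(723, 0, 1, "1").encode()
    opt82 = bytes([1, len(cid)]) + cid + bytes([2, len(relay_mac)]) + relay_mac
    pkt = build_dhcp_discover(client_mac, opt82)
    chaddr, opts = parse_dhcp(pkt)
    binding = {("10.1.1.10", client_mac, 200, "Po 10")}        # one snooping entry
    return {
        "chaddr_hex": chaddr.hex(),
        "circuit_id": parse_option82(opts[82])[1].decode(),
        "mac_sav_genuine": mac_sav_ok(client_mac, pkt),
        "mac_sav_forged": mac_sav_ok(bytes.fromhex("0000a0000001"), pkt),
        "ip_sav_bound": ip_sav_ok(binding, "10.1.1.10", client_mac, 200, "Po 10"),
        "ip_sav_spoofed": ip_sav_ok(binding, "10.1.1.11", client_mac, 200, "Po 10"),
    }
```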
Viewing the Number of SAV Dropped Packets The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets. The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
13 Equal Cost Multi-Path (ECMP) This chapter describes configuring ECMP. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
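A model of the seed effect described above, as an added example (not the Dell EMC hash algorithm; the keyed hash, the sample next hops, flows and chassis MACs are all assumptions):

```python
"""Why a per-chassis ECMP hash seed changes next-hop selection (constructed model).

The guide states that the hash is seeded with the lower 12 bits of the chassis
MAC, so two chassis can pick different next hops for the same flow even though
deterministic ECMP sorts the next hops identically. This model reproduces the
effect with a generic keyed hash; the real hardware hash is not modelled, and
the function names and sample addresses are this example's own.
"""
import hashlib


def chassis_default_seed(chassis_mac):
    """Seed as the guide describes it: the lower 12 bits of the chassis MAC."""
    return int(chassis_mac.replace(":", ""), 16) & 0xFFF


def select_next_hop(flow, next_hops, seed):
    """Pick a next hop for a flow tuple from the deterministically sorted hop list."""
    hops = sorted(next_hops)                     # deterministic ECMP ordering
    key = ("%d|%s" % (seed, "|".join(str(f) for f in flow))).encode()
    digest = hashlib.sha256(key).digest()
    return hops[int.from_bytes(digest[:4], "big") % len(hops)]


def flows_placed_differently(flows, next_hops, seed_a, seed_b):
    """Count flows that two chassis with seeds seed_a and seed_b send to different hops."""
    return sum(1 for f in flows
               if select_next_hop(f, next_hops, seed_a)
               != select_next_hop(f, next_hops, seed_b))


# Constructed sample: four equal-cost next hops and 200 TCP flows to one server.
SAMPLE_HOPS = ["10.0.0.5", "10.0.0.2", "10.0.0.4", "10.0.0.3"]
SAMPLE_FLOWS = [("192.0.2.%d" % i, "198.51.100.7", 40000 + i, 443, 6)
                for i in range(1, 201)]


def sample_comparison(configured_seed=7):
    """Default seeds (from two different chassis MACs) versus one configured seed."""
    seed_a = chassis_default_seed("00:01:e8:8b:12:34")   # constructed MACs
    seed_b = chassis_default_seed("00:01:e8:8b:56:78")
    return {
        # chassis-derived seeds: some flows land on different hops per chassis
        "default_seeds_differ": flows_placed_differently(
            SAMPLE_FLOWS, SAMPLE_HOPS, seed_a, seed_b),
        # the same configured seed on both chassis: identical placement
        "configured_seed_differ": flows_placed_differently(
            SAMPLE_FLOWS, SAMPLE_HOPS, configured_seed, configured_seed),
    }
```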
Example of the ip ecmp-group maximum-paths Command
DellEMC(conf)#ip ecmp-group maximum-paths 3
User configuration has been changed. Save the configuration and reload to take effect
DellEMC(conf)#
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link bundle (as opposed to a single link within the bundle) exceeds 60%.
Viewing an ECMP Group NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring.
14 FIP Snooping The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF). The following table lists the FIP functions. Table 29.
FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB). On a FIP snooping bridge, ACLs are created dynamically as FIP login frames are processed.
Figure 37. FIP Snooping on a Dell EMC Networking Switch The following sections describe how to configure the FIP snooping feature on a switch: • Allocate CAM resources for FCoE. • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis. • Set the FCoE MAC address prefix (FC-MAP) value that the FCF uses; after a server logs in successfully, the FCF assigns the FCoE end-device (server ENode or storage device) a MAC address built from this prefix.
FIP Snooping in a Switch Stack FIP snooping supports switch stacking as follows: • A switch stack configuration is synchronized with the standby stack unit. • Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages. • In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
• You can configure multiple FCF-trusted interfaces in a VLAN. • When you disable FIP snooping: – ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed. – The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature. • To support FIP snooping and allocate the CAM ACL space it needs, use the cam-acl l2acl 4 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 fcoeacl 2 command.
• You must configure at least one interface for FCF (FCoE Forwarder) mode on a FIP snooping-enabled VLAN. You can configure multiple FCF trusted interfaces in a VLAN. • A maximum of eight VLANS are supported for FIP snooping on the switch. When enabled globally, FIP snooping processes FIP packets in traffic only from the first eight incoming VLANs. When enabled on a per-VLAN basis, FIP snooping is supported on up to eight VLANs.
Impact on STP: If you enable an STP protocol (STP, RSTP, PVSTP, or MSTP) on the switch and ports enter a blocking state, the corresponding port-based ACLs are deleted when the state change occurs. If a port is enabled for FIP snooping in ENode or FCF mode, the ENode/FCF MAC-based ACLs are deleted. FIP Snooping Restrictions The following restrictions apply when you configure FIP snooping. • The maximum number of FCoE VLANs supported on the switch is eight.
fip-snooping port-mode fcf NOTE: To disable the FCoE transit feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fip-snooping or no fip-snooping enable. Displaying FIP Snooping Information Use the following show commands to display information on FIP snooping. Table 31.
Field: Description
FCF Interface: Slot/port number of the interface to which the FCF is connected.
VLAN: VLAN ID number used by the session.
FCoE MAC: MAC address of the FCoE session assigned by the FCF.
FC-ID: Fibre Channel ID assigned by the FCF.
Port WWPN: Worldwide port name of the CNA port.
Port WWNN: Worldwide node name of the CNA port.
The following example shows the show fip-snooping config command.
Field: Description
FKA_ADV_PERIOD: Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes: Number of ENodes connected to the FCF.
FC-ID: Fibre Channel session ID assigned by the FCF.
The following example shows the show fip-snooping statistics interface vlan command (VLAN and port). The following example shows the show fip-snooping statistics port-channel command.
Field: Description
Number of VN Port Keep Alives: Number of FIP-snooped VN port keep-alive frames received on the interface.
Number of Multicast Discovery Advertisements: Number of FIP-snooped multicast discovery advertisements received on the interface.
Number of Unicast Discovery Advertisements: Number of FIP-snooped unicast discovery advertisements received on the interface.
Number of FLOGI Accepts: Number of FIP FLOGI accept frames received on the interface.
FCoE Transit Configuration Example The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 38. Configuration Example: FIP Snooping on a Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port NOTE: A port is enabled by default for bridge-ENode links. Example of Configuring the FCF-Facing Port Example of Configuring FIP Snooping Ports as Tagged Members of the FCoE VLAN After FIP packets are exchanged between the ENode and the switch, a FIP snooping session is established. ACLs are dynamically generated for FIP snooping on the FIP snooping bridge/switch.
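The following Python model shows the dynamic ACL behavior described under FIP Snooping on Ethernet Bridges and in the configuration example above. It is an added example, not Dell EMC Networking OS code: the port names, MACs, VLAN, FC-ID and timings are constructed, and the keep-alive multiplier used for ageing is an assumption of the example (FC-BB-5 uses 2.5 x FKA_ADV_PERIOD). What it reproduces is the rule the chapter states: a snooped FLOGI Accept from an FCF-trusted port creates a session entry and installs an ACL that permits FCoE frames from the ENode-facing port only when their source MAC is the fabric-provided MAC (FC-MAP followed by FC-ID) the FCF assigned and their destination is that FCF; FCoE frames with any other source MAC, or from any other port, are dropped, and the ACL is removed when the session logs out or its keep-alives stop.

```python
"""Model of the dynamic ACLs a FIP snooping bridge (FSB) installs.

Added example, not Dell EMC Networking OS code. Only the behaviour described
in this chapter is modelled; frame parsing is replaced by event calls.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_FIP = 0x8914     # FIP has its own EtherType (FC-BB-5)
ETHERTYPE_FCOE = 0x8906    # FCoE data frames (FC-BB-5)
DEFAULT_FC_MAP = 0x0EFC00  # default FC-MAP prefix


def fpma(fc_map: int, fc_id: int) -> str:
    """Fabric-provided MAC address: 24-bit FC-MAP followed by the 24-bit FC-ID."""
    raw = ((fc_map & 0xFFFFFF) << 24) | (fc_id & 0xFFFFFF)
    return ":".join(f"{(raw >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


@dataclass
class Session:
    enode_port: str
    fcf_port: str
    vlan: int
    fcf_mac: str
    fcoe_mac: str
    fc_id: int
    last_keepalive: float   # seconds


@dataclass
class FipSnoopingBridge:
    fc_map: int = DEFAULT_FC_MAP
    fcf_ports: Set[str] = field(default_factory=set)            # fip-snooping port-mode fcf
    sessions: Dict[str, Session] = field(default_factory=dict)  # keyed by FCoE MAC
    acl: Set[Tuple[str, str, str]] = field(default_factory=set)  # (ingress port, src MAC, dst MAC) permits

    def on_flogi_accept(self, fcf_port: str, enode_port: str, vlan: int,
                        fcf_mac: str, fc_id: int, now: float) -> Optional[str]:
        """Snooped FLOGI Accept arriving from the FCF side: create session, install ACL."""
        if fcf_port not in self.fcf_ports:
            return None   # a login acceptance from a non-FCF-trusted port is not honoured
        mac = fpma(self.fc_map, fc_id)
        self.sessions[mac] = Session(enode_port, fcf_port, vlan, fcf_mac, mac, fc_id, now)
        self.acl.add((enode_port, mac, fcf_mac))
        return mac

    def on_vn_port_keepalive(self, fcoe_mac: str, now: float) -> bool:
        """Snooped VN_Port keep-alive refreshes the session entry."""
        session = self.sessions.get(fcoe_mac)
        if session is None:
            return False
        session.last_keepalive = now
        return True

    def on_logo(self, fcoe_mac: str) -> bool:
        """Logout (or ageing) removes the session and its ACL entry."""
        session = self.sessions.pop(fcoe_mac, None)
        if session is None:
            return False
        self.acl.discard((session.enode_port, session.fcoe_mac, session.fcf_mac))
        return True

    def expire(self, now: float, fka_adv_period_ms: int, missed: float = 2.5) -> List[str]:
        """Age out sessions whose keep-alives stopped (multiplier is an assumption)."""
        timeout_s = fka_adv_period_ms * missed / 1000.0
        stale = [mac for mac, s in self.sessions.items() if now - s.last_keepalive > timeout_s]
        for mac in stale:
            self.on_logo(mac)
        return stale

    def forward(self, ingress_port: str, ethertype: int, src_mac: str, dst_mac: str) -> str:
        """ACL decision for a frame entering the bridge on the given port."""
        if ethertype == ETHERTYPE_FIP:
            return "permit"   # FIP frames are handed to the snooping logic itself
        if ethertype != ETHERTYPE_FCOE:
            return "permit"   # non-FCoE traffic is not governed by FIP snooping ACLs
        if ingress_port in self.fcf_ports:
            return "permit"   # FCF-trusted port
        return "permit" if (ingress_port, src_mac, dst_mac) in self.acl else "deny"
```

Running the sequence in the test below against a bridge with Te 1/1 configured as the FCF-facing port shows a spoofed source MAC and a frame from the wrong ENode port both denied, and the legitimate session denied again once its keep-alives stop.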
15 Flex Hash and Optimized Boot-Up This chapter describes the Flex Hash and fast-boot enhancements. Topics: • Flex Hash Capability Overview • Configuring the Flex Hash Mechanism • Configuring Fast Boot and LACP Fast Switchover • Optimizing the Boot Time • Interoperation of Applications with Fast Boot and System States • RDMA Over Converged Ethernet (RoCE) Overview • Preserving 802.
When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
adjacency settings) is learned and installed before the traffic resumes. In a typical network scenario, a traffic disconnection of 150 seconds or more usually occurs. When you employ the optimized booting functionality, the traffic outage duration is reduced drastically.
Interoperation of Applications with Fast Boot and System States This functionality is supported on the platform. The following sections describe the application behavior when fast boot functionality is enabled: LACP and IPv4 Routing Prior to the system restart, the system implements the following changes when you perform a fast boot: The system saves all dynamic ARP entries to a database on the flash drive.
BGP Graceful Restart When the system contains one or more BGP peerings configured for BGP graceful restart, fast boot performs the following actions: • A closure of the TCP sessions is performed on all sockets corresponding to BGP sessions on which Graceful Restart has been negotiated. This behavior is to force the peer to perform the helper role so that any routes advertised by the restarting system are retained and the peering session will not go down due to BGP Hold timeout.
Changes to BGP Multipath When the system becomes active after a fast-boot restart, a change has been made to the BGP multipath and ECMP behavior. The system delays the computation and installation of additional paths to a destination into the BGP routing information base (RIB) and forwarding table for a certain period of time.
enabled, the packets comprise TCP and UDP packets and they can be marked with DSCP code points. Multicast is not supported in that network. RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces. These interfaces are similar to the normal Layer 3 physical interfaces except for the extra provisioning that they offer to enable the VLAN ID for encapsulation. You can configure a physical interface or a Layer 3 Port Channel interface as a lite subinterface.
16 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202. Figure 39.
• STP disabled on ring interfaces. • Master node secondary port is in blocking state during Normal operation. • Ring health frames (RHF) – Hello RHF: sent at 500ms (hello interval); Only the Master node transmits and processes these. – Topology Change RHF: triggered updates; processed at all nodes. Important FRRP Concepts The following table lists some important FRRP concepts.
Concept Explanation number, on any topology change to ensure that all Transit nodes receive it. There is no periodic transmission of TCRHFs. The TCRHFs are sent on triggered events of ring failure or ring restoration only. Implementing FRRP • FRRP is media and speed independent. • FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. • You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP.
Be sure to follow these guidelines: • All VLANs must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports. • All ports on the ring must use the same VLAN ID for the control VLAN. • You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring. • Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports).
Configuring and Adding the Member VLANs Control and member VLANs are configured normally for Layer 2. Their status as Control or Member is determined by the FRRP group commands. For more information about configuring VLANs in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines: • All VLANs must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval to 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500). – Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
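The following Python model ties the timer ranges above to the Ring Checking behavior described earlier in the chapter. It is an added example, not Dell EMC Networking OS code: validate_timer enforces the ranges and 50 ms granularity of the timer command, check_timer_pair flags a Dead-Interval that does not follow the 3 x Hello-Interval guidance, and simulate_master models the Master node, which sends a ring health frame (RHF) every hello interval, resets its fail-period timer when the RHF returns on its secondary port, declares the ring failed and unblocks the secondary port when no RHF has arrived for a full dead interval, and returns the secondary port to blocking (Normal operation) when RHFs resume. The RHF return times are constructed; the restoration step is the complement of the blocking-during-Normal rule given under FRRP behavior.

```python
"""FRRP timer validation and a Master-node ring-health simulation.

Added example, not Dell EMC Networking OS code. Times are in milliseconds
and the RHF arrival pattern is constructed for the illustration.
"""
from typing import Dict, List, Tuple

TIMER_RANGES_MS: Dict[str, Tuple[int, int]] = {
    "hello-interval": (50, 2000),   # default 500
    "dead-interval": (50, 6000),    # default 1500
}
TIMER_STEP_MS = 50


def validate_timer(kind: str, milliseconds: int) -> int:
    """Mirror the CLI check for: timer {hello-interval|dead-interval} milliseconds."""
    low, high = TIMER_RANGES_MS[kind]
    if not low <= milliseconds <= high or milliseconds % TIMER_STEP_MS:
        raise ValueError(f"{kind} must be {low}-{high} ms in increments of {TIMER_STEP_MS}")
    return milliseconds


def check_timer_pair(hello_ms: int, dead_ms: int) -> List[str]:
    """Problems with a hello/dead pair; an empty list means the pair follows the NOTE."""
    problems: List[str] = []
    if dead_ms <= hello_ms:
        problems.append("dead-interval must exceed hello-interval, or a single lost RHF fails the ring")
    elif dead_ms != 3 * hello_ms:
        problems.append(f"dead-interval {dead_ms} is not 3 x hello-interval ({3 * hello_ms})")
    return problems


def simulate_master(hello_ms: int, dead_ms: int, rhf_arrivals_ms: List[int],
                    end_ms: int) -> Tuple[List[Tuple[int, str]], str]:
    """Run the Master node's fail-period timer against RHF return times.

    Returns the state transitions as (time, state) and the final state of the
    secondary port ("blocking" in Normal operation, "forwarding" after failure).
    """
    validate_timer("hello-interval", hello_ms)
    validate_timer("dead-interval", dead_ms)
    arrivals = set(rhf_arrivals_ms)
    state = "NORMAL"          # secondary port blocking
    last_rhf_ms = 0           # fail-period timer started at ring bring-up
    transitions: List[Tuple[int, str]] = []
    for now in range(0, end_ms + 1):
        if now in arrivals:
            last_rhf_ms = now          # RHF returned on the secondary port: reset timer
            if state == "FAILED":
                state = "NORMAL"       # ring restored: block the secondary port again
                transitions.append((now, state))
        elif state == "NORMAL" and now - last_rhf_ms >= dead_ms:
            state = "FAILED"           # no RHF for a whole dead interval: unblock secondary
            transitions.append((now, state))
    secondary = "blocking" if state == "NORMAL" else "forwarding"
    return transitions, secondary


def ring_with_cut(hello_ms: int, cut_at_ms: int, restore_at_ms: int, end_ms: int) -> List[int]:
    """Constructed RHF return times: one per hello interval, none while the ring is cut."""
    return [t for t in range(hello_ms, end_ms + 1, hello_ms) if not cut_at_ms <= t < restore_at_ms]


if __name__ == "__main__":
    arrivals = ring_with_cut(500, 5001, 9000, 10000)
    print(check_timer_pair(500, 1500), simulate_master(500, 1500, arrivals, 10000))
```

With the defaults (500 ms hello, 1500 ms dead) a ring cut just after the 5000 ms RHF is declared failed at 6500 ms, three missed hellos later, and the first RHF to return at 9000 ms puts the secondary port back into blocking.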
show frrp summary Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • Each Control Ring must use a unique VLAN ID. • Only two interfaces on a switch can be Members of the same control VLAN. • There can be only one Master node for any FRRP group. • You can configure FRRP on Layer 2 interfaces only.
Figure 40. FRRP Ring Connecting VLT Devices You can also configure an FRRP ring where both the VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or VLAN-group basis, which lets the configuration span different sets of VLANs.
In the FRRP ring R2, the primary interface for VLT Node1 (transit node) is the VLTi. P1 is the secondary interface, which is an orphan port that is participating in the FRRP ring topology. V1 is the control VLAN through which the RHFs are exchanged indicating the health of the nodes and the FRRP ring itself. In addition to the control VLAN, multiple member VLANs are configured (for example, M11 through Mn) that carry the data traffic across the FRRP rings.
17 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 42.
Enabling GVRP Globally To enable GVRP globally, use the following commands. • Enter PROTOCOL GVRP mode. CONFIGURATION mode protocol gvrp • Enable GVRP for the entire switch. PROTOCOL GVRP mode no disable Example of Configuring GVRP DellEMC(conf)#protocol gvrp DellEMC(config-gvrp)#no disable DellEMC(config-gvrp)#show config ! protocol gvrp no disable DellEMC(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms. • Leave — When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is de-registered.
18 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 43. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1 One router on a subnet is elected as the querier.
still receives no response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
Figure 45. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 46. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 47. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following commands. • View IGMP-enabled IPv4 interfaces. EXEC Privilege mode show ip igmp interface • View IGMP-enabled IPv6 interfaces.
Group Address   Interface   Mode    Uptime     Expires    Last Reporter
Ff08::12        Vlan 10     MLDv2   00:00:12   00:02:05   1::2
Adjusting Timers The following sections describe viewing and adjusting timers. To view the current value of all IGMP timers, use the following command. • View the current value of all IGMP timers. EXEC Privilege mode show ip igmp interface For more information, refer to the example shown in Viewing IGMP Enabled Interfaces.
ipv6 mld last-member-query-interval Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it retransmits the query, up to the querier robustness value. If there is still no response, it removes the group from the outgoing interface for the subnet.
CONFIGURATION mode show running-config • Disable snooping on a VLAN.
no ip igmp snooping flood Specifying a Port as Connected to a Multicast Router To statically specify or view a port in a VLAN, use the following commands. • Statically specify a port in a VLAN as connected to a multicast router. INTERFACE VLAN mode ip igmp snooping mrouter • View the ports that are connected to multicast routers. EXEC Privilege mode. show ip igmp snooping mrouter Configuring the Switch as Querier To configure the switch as a querier, use the following command.
Fast Convergence after MSTP Topology Changes When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Table 36.
When the feature is enabled using the management egress-interface-selection command, the following events are performed: • The CLI prompt changes to the EIS mode. • In this mode, applications can be configured or unconfigured as management applications using the application or no application command. All configured applications are considered management applications and the rest are non-management applications.
Handling of Switch-Initiated Traffic When the control processor (CP) initiates a control packet, the following processing occurs: • TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call which is called as part of the connect system call or in the ip_output function.
• If the route lookup in the EIS routing table fails or if the management port is down, the packets are dropped and the management application drop counter is incremented. • Whenever an IP address is assigned to the management port, it is stored in a global variable in the IP stack, which is used for comparison with the source IP address of the packet. • The rest of the response traffic is handled as per existing behavior by doing a route lookup in the default routing table.
Traffic type / Application type Switch initiated traffic Switch-destined traffic only. No change in the existing behavior.
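The following Python model applies the rules listed under Handling of Switch-Initiated Traffic. It is an added example, not Dell EMC Networking OS code: the destination TCP/UDP port identifies the application; for an application configured as a management application the route lookup is done in the EIS routing table and the packet is dropped, with the management application drop counter incremented, when that lookup fails or the management port is down; all other switch-initiated traffic uses the default routing table, and response traffic whose source IP is the management port address also takes the EIS path. The application-to-port map, the route tables and all addresses are assumptions of the example (the guide names the EIS-compatible applications but does not list the ports it matches).

```python
"""Egress interface selection (EIS) decision for switch-initiated traffic.

Added example, not Dell EMC Networking OS code. Models the classification,
lookup and drop rules described in the guide; ports and addresses are assumed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed well-known ports for the EIS-compatible applications named in this guide.
APPLICATION_PORTS: Dict[str, int] = {
    "ftp": 21, "ssh": 22, "telnet": 23, "tacacs": 49, "dns": 53, "tftp": 69,
    "ntp": 123, "snmp": 161, "syslog": 514, "radius": 1812, "sflow": 6343,
}

Route = Tuple[str, str]   # (prefix, next hop)


@dataclass
class EisState:
    enabled: bool = True
    management_apps: Set[str] = field(default_factory=set)   # "application <name>" in EIS mode
    mgmt_port_up: bool = True
    mgmt_ip: Optional[str] = None   # stored when an address is assigned to the management port
    eis_routes: List[Route] = field(default_factory=list)
    default_routes: List[Route] = field(default_factory=list)
    mgmt_app_drops: int = 0         # management application drop counter


def longest_prefix_match(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the next hop of the most specific matching prefix, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return None if best is None else best[1]


def application_for_port(port: int) -> Optional[str]:
    """Classify a CP-originated packet by the destination port taken from sockaddr."""
    for name, app_port in APPLICATION_PORTS.items():
        if app_port == port:
            return name
    return None


def _via_eis(state: EisState, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Management path: EIS table only, with no fallback to the default table."""
    if not state.mgmt_port_up:
        state.mgmt_app_drops += 1
        return ("drop", None)
    nexthop = longest_prefix_match(state.eis_routes, dst_ip)
    if nexthop is None:
        state.mgmt_app_drops += 1
        return ("drop", None)
    return ("eis", nexthop)


def select_egress(state: EisState, dst_ip: str, dst_port: int) -> Tuple[str, Optional[str]]:
    """Switch-initiated packet: (table used, next hop) or ("drop", None)."""
    app = application_for_port(dst_port)
    if state.enabled and app is not None and app in state.management_apps:
        return _via_eis(state, dst_ip)
    return ("default", longest_prefix_match(state.default_routes, dst_ip))


def select_response_egress(state: EisState, src_ip: str, dst_ip: str) -> Tuple[str, Optional[str]]:
    """Response traffic: a source equal to the management port address takes the EIS path."""
    if state.enabled and state.mgmt_ip is not None and src_ip == state.mgmt_ip:
        return _via_eis(state, dst_ip)
    return ("default", longest_prefix_match(state.default_routes, dst_ip))
```

The test below configures syslog and tacacs as management applications with a default route in the EIS table: syslog to a host that the default table would reach via a more specific route still leaves through the management port, NTP is not a management application and takes the default table, and a down management port or a missing EIS route drops the management packet rather than leaking it out a front-panel port.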
Table 38.
Table 39.
• Designate an interface as a multicast router interface.
19 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to error-disabled state.
• Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Non Dell-Qualified Transceivers • Splitting 40G Ports without Reload • Splitting QSFP Ports to SFP+ Ports • Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port • Link Dampening • Link Bundle Monitoring • Using Ethernet Pause Frames for Flow Control • Configure the MTU Size on an Interface • Port-Pipes • Auto-Negotiation on Ethernet Inter
This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel. NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C and Dell EMC Networking OS returns to the command prompt.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. 2 Enable the interface. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface. Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch.
show interface transceiver
QSFP 0 Serial ID Base Fields
QSFP 0 Id = 0x0d
QSFP 0 Ext Id = 0x00
QSFP 0 Connector = 0x0c
QSFP 0 Transceiver Code = 0x04 0x00 0x00 0x00 0x00 0x00 0x00 0x00
QSFP 0 Encoding = 0x05
QSFP 0 Length(SFM) Km = 0x00
QSFP 0 Length(OM3) 2m = 0x32
QSFP 0 Length(OM2) 1m = 0x00
QSFP 0 Length(OM1) 1m = 0x00
QSFP 0 Length(Copper) 1m = 0x00
QSFP 0 Vendor Rev = 0
Overview of Layer Modes On all systems running Dell EMC Networking OS, you can place physical interfaces, port channels, and VLANs
switchport no shutdown DellEMC(conf-if)# Configuring Layer 2 (Interface) Mode To configure an interface in Layer 2 mode, use the following commands. • Enable the interface. INTERFACE mode no shutdown • Place the interface in Layer 2 (switching) mode. INTERFACE mode switchport To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode. Configuring Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode.
INTERFACE mode ip address ip-address mask [secondary] The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. Example of the show ip interface Command You can only configure one primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface.
Configuring an automatic recovery for an Err-disabled interface To configure automatic Err-disabled recovery of an interface and the time-out interval, use the following commands. 1 Configure automatic recovery of an interface from the Err-disabled state based on the cause. CONFIGURATION mode errdisable recovery cause {bpduguard | fefd | maclearnlimit | arp-inspection} NOTE: Configure this command before the interface moves to the Err-disabled state. Otherwise, the recovery action is not performed.
• Due to protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table). Configuring EIS EIS is compatible with the following protocols: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. To enable and configure EIS, use the following commands: 1 Enter EIS mode. CONFIGURATION mode management egress-interface-selection 2 Configure which applications use EIS.
INTERFACE mode ip address ip-address mask • Enable the interface. INTERFACE mode no shutdown • Add a description identifying the interface as the management interface. INTERFACE mode description Example of the show interface and show ip route Commands To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
interface loopback number • The range is from 0 to 16383. View Loopback interface configurations. EXEC mode show interface loopback number • Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the commands supported on physical interfaces are also supported on a Loopback interface. Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface.
Port Channel Benefits A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface. For example, you configure one IP address for the group and that IP address is used for all routed traffic on the port channel. Port Channel Implementation Dell EMC Networking OS supports static and dynamic port channels.
Dell EMC Networking OS brings up the interfaces that are set to auto negotiate so that their speed is identical to the speed of the first channel member in the port channel. Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
NOTE: A logical port channel interface cannot have flow control. Flow control can only be present on the physical interfaces if they are part of a port channel. NOTE: To configure the MTU, use the mtu command from INTERFACE mode. To view the interface’s configuration, enter INTERFACE mode for that interface and use the show config command or from EXEC Privilege mode, use the show running-config interface interface command.
3 Add the interface to the second port channel. INTERFACE PORT-CHANNEL mode channel-member interface Example of Moving an Interface to a New Port Channel The following example shows moving an interface from port channel 4 to port channel 3. Configuring the Minimum Oper Up Links in a Port Channel You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status.
EXEC Privilege mode show vlan Configuring VLAN Tags for Member Interfaces To configure and verify VLAN tags for individual members of a port channel, perform the following: 1 Configure VLAN membership on individual ports INTERFACE mode DellEMC(conf-if)#vlan tagged 2,3-4 2 Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface INTERFACE mode DellEMC(conf-if)#switchport 3 Verify the manually configured VLAN membership (show interfaces switchport
Load Balancing Through Port Channels Dell EMC Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among Equal Cost Multi-path (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link. In packet-based hashing, the packets of a single flow can be distributed across the LAG members rather than all using one link.
The interface range prompt offers the interface (with slot and port information) for valid interfaces. The maximum size of an interface range prompt is 32. If the prompt size exceeds this maximum, it displays (...) at the end of the output. NOTE: Non-existing interfaces are excluded from the interface range prompt. NOTE: When creating an interface range, interfaces appear in the order they were entered and are not sorted. The show range command is available under Interface Range mode.
Create a Single-Range The following is an example of a single range. Example of the interface range Command (Single Range) Create a Multiple-Range The following is an example of multiple range. Example of the interface range Command (Multiple Ranges) Exclude Duplicate Entries The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Define the Interface Range The following example shows how to define an interface-range macro named “test” to select Ten Gigabit Ethernet interfaces 5/1 through 5/4. Example of the define interface-range Command for Macros Choosing an Interface-Range Macro To use an interface-range macro, use the following command. • Selects the interfaces range to be configured using the values saved in a named interface-range macro.
TDR is useful for troubleshooting an interface that is not establishing a link; that is, when the link is flapping or not coming up. TDR is not intended to be used on an interface that is passing traffic. When a TDR test is run on a physical cable, it is important to shut down the port on the far end of the cable. Otherwise, it may lead to incorrect test results. NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic.
• When a non-supported profile release is upgraded to a supported profile release, the fan-out configured ports get automatically included in the profile. In fan-out mode, if a system is upgraded with 25 or 26 ports, only 24 ports get upgraded to fan-out mode. The rest of the ports are put to default 40G mode. • In stacking, configure profile first before provisioning for new units. Otherwise it is mandatory to reload for profile to take effect.
NOTE: When you split a 40G port (such as fo 1/4) into four 10G ports, the 40G interface configuration is still available in the startup configuration when you save the running configuration by using the write memory command. When a reload of the system occurs, the 40G interface configuration is not applicable because the 40G ports are split into four 10G ports after the reload operation. While the reload is in progress, you might see error messages when the configuration file is being loaded.
• When you insert a QSA into a 40 Gigabit port, you can use only the first 10 Gigabit port in the fan-out mode to plug-in SFP or SFP+ cables. The remaining three 10 Gigabit ports are perceived to be in Link Down state and are unusable. • You cannot use QSFP Optical cables on the same port where QSA is used. • When you remove the QSA module alone from a 40 Gigabit port, without connecting any SFP or SFP+ cables; Dell Networking OS does not generate any event.
NOTE: suppress-threshold should be greater than reuse-threshold. max-suppress-time should be at least 4 times half-life. Link dampening: • reduces processing on the CPUs by reducing excessive interface flapping. • improves network stability by penalizing misbehaving interfaces and redirecting traffic. • improves convergence times and stability throughout the network by isolating failures so that disturbances are not propagated.
Figure 48. Interface State Change Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty of 1024 is added. In the above example, the first flap (flap 1) raises the penalty to 1024. The accumulated penalty then decays exponentially based on the configured half-life, which is 10 seconds in the example.
accumulated. When the accumulated penalty exceeds the configured suppress threshold (2400), the interface is set to the Error-Disabled state. After the third flap (flap 3), the interface stops flapping. The accumulated penalty then decays exponentially, and when it falls below the configured reuse threshold (300), the interface is unsuppressed and its state changes to “up”.
Enabling Link Dampening
To enable link dampening, use the following command.
• Enable link dampening.
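The penalty model described above (a fixed penalty per flap, exponential decay by half-life, a suppress threshold and a reuse threshold), worked as an added simulation. This is example code written for this guide, not Dell EMC Networking OS code: it uses the values quoted in the text (1024 per flap, 10-second half-life, 2400 and 300) and constructed flap schedules, and the consistency checks in validate_thresholds implement the two rules from the NOTE above.

```python
"""Simulation of the link dampening penalty model described above.

Added example, not Dell EMC Networking OS code. It uses the values quoted in
the text (1024 penalty per flap, 10-second half-life, suppress threshold
2400, reuse threshold 300); the flap schedules below are constructed.
"""

PENALTY_PER_FLAP = 1024    # added each time the interface goes down
HALF_LIFE_S = 10           # seconds for the accumulated penalty to halve
SUPPRESS_THRESHOLD = 2400  # exceeding this puts the interface in Error-Disabled
REUSE_THRESHOLD = 300      # falling below this unsuppresses the interface


def validate_thresholds(suppress, reuse, max_suppress_s, half_life_s):
    """Check the two constraints given in the NOTE above.

    Returns a list of violation messages (empty when the settings are consistent).
    """
    problems = []
    if suppress <= reuse:
        problems.append("suppress-threshold must be greater than reuse-threshold")
    if max_suppress_s < 4 * half_life_s:
        problems.append("max-suppress-time must be at least 4 times half-life")
    return problems


def decay(penalty, elapsed_s, half_life_s=HALF_LIFE_S):
    """Exponential decay: the penalty halves every half_life_s seconds."""
    return penalty * 0.5 ** (elapsed_s / half_life_s)


def simulate(flap_times, horizon_s, suppress=SUPPRESS_THRESHOLD,
             reuse=REUSE_THRESHOLD, half_life_s=HALF_LIFE_S):
    """Step through time one second at a time.

    flap_times: integer seconds at which the interface goes down.
    Returns a list of (t, penalty, state), state being "up" or "error-disabled".
    """
    pending = sorted(flap_times)
    penalty = 0.0
    suppressed = False
    timeline = []
    for t in range(horizon_s + 1):
        if t > 0:
            penalty = decay(penalty, 1, half_life_s)
        # every flap that happens at this instant adds the fixed penalty
        while pending and pending[0] <= t:
            pending.pop(0)
            penalty += PENALTY_PER_FLAP
        if not suppressed and penalty > suppress:
            suppressed = True          # crossed the suppress threshold
        elif suppressed and penalty < reuse:
            suppressed = False         # decayed below the reuse threshold
        timeline.append((t, round(penalty, 1),
                         "error-disabled" if suppressed else "up"))
    return timeline


def state_transitions(timeline):
    """Return (t, new_state) for each change of the interface state."""
    transitions, previous = [], "up"
    for t, _, state in timeline:
        if state != previous:
            transitions.append((t, state))
            previous = state
    return transitions


if __name__ == "__main__":
    # Constructed schedule: three flaps three seconds apart push the penalty past 2400;
    # the same three flaps five seconds apart never reach it.
    for t, penalty, state in simulate([0, 3, 6], 40):
        if t % 5 == 0 or t in (3, 6):
            print(f"t={t:3d}s penalty={penalty:7.1f} state={state}")
    print(state_transitions(simulate([0, 3, 6], 60)))
    print(state_transitions(simulate([0, 5, 10], 60)))
```

The two schedules show why the half-life matters: three flaps three seconds apart accumulate to about 2531 and disable the port at the third flap, after which it takes 31 seconds of decay to drop under 300, while the same three flaps spaced five seconds apart peak at about 2260 and never cross the suppress threshold.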
Transmission Media MTU Range (in bytes): 576-9398 = IP MTU. The IP MTU is configured automatically.
Link Bundle Monitoring
Monitoring linked LAG bundles allows the traffic distribution across the links in a bundle to be monitored for unfair distribution at any given time. A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances. Any deviation within that time generates a Syslog message and an alarm event.
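The monitoring rule just stated (60% threshold, 15-second intervals, three consecutive instances) as an added detector over constructed per-member counters. This is example code written for this guide, not Dell EMC Networking OS code; reading the 60% threshold as a member's share of the bundle's total traffic in the interval is an assumption, since the text does not define the base of the percentage, and the log line format is constructed rather than a real Dell EMC message.

```python
"""Detector modelled on the link bundle monitoring rule described above:
a member link that carries more than the 60% threshold in each of three
consecutive 15-second intervals raises a Syslog/alarm event.

Added example, not Dell EMC Networking OS code. The per-member byte counts
are constructed, and reading the threshold as "share of the bundle's total
traffic in the interval" is an assumption. The log format is constructed.
"""

THRESHOLD_PCT = 60      # acceptable share of bundle traffic on one member
INTERVAL_S = 15         # sampling interval
CONSECUTIVE = 3         # intervals in a row before an alarm is raised


def member_shares(sample):
    """Percentage of the bundle's traffic carried by each member in one interval."""
    total = sum(sample.values())
    if total == 0:
        return {member: 0.0 for member in sample}
    return {member: 100.0 * count / total for member, count in sample.items()}


def detect_unfair_distribution(samples, threshold_pct=THRESHOLD_PCT,
                               consecutive=CONSECUTIVE):
    """samples: one {member: bytes} dict per interval, oldest first.

    Returns (interval_index, member, share_pct) for each member whose share
    exceeded the threshold in `consecutive` intervals in a row. One alarm is
    raised per streak; the streak resets once the member drops back under.
    """
    streak = {}
    alarms = []
    for idx, sample in enumerate(samples):
        for member, share in member_shares(sample).items():
            if share > threshold_pct:
                streak[member] = streak.get(member, 0) + 1
            else:
                streak[member] = 0
            if streak[member] == consecutive:
                alarms.append((idx, member, round(share, 1)))
    return alarms


def syslog_line(lag, alarm, interval_s=INTERVAL_S):
    """Render an alarm as a log line (constructed format, not a Dell EMC message)."""
    idx, member, share = alarm
    return (f"%LAGMON-4-UNFAIR_DISTRIBUTION: {lag} member {member} carried {share}% "
            f"of bundle traffic for {CONSECUTIVE * interval_s}s ending at interval {idx}")


def sample_intervals():
    """Constructed counters for Po 10 with two members, five 15-second intervals.

    Intervals 1-3 put 70% of the traffic on Te 1/1; intervals 0 and 4 are balanced.
    """
    return [
        {"Te 1/1": 500_000, "Te 1/2": 500_000},
        {"Te 1/1": 700_000, "Te 1/2": 300_000},
        {"Te 1/1": 700_000, "Te 1/2": 300_000},
        {"Te 1/1": 700_000, "Te 1/2": 300_000},
        {"Te 1/1": 500_000, "Te 1/2": 500_000},
    ]


if __name__ == "__main__":
    for alarm in detect_unfair_distribution(sample_intervals()):
        print(syslog_line("Po 10", alarm))
```

Only the third over-threshold interval produces an alarm; a two-interval excursion is treated as transient and clears the streak when the distribution returns under the threshold.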
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off.
INTERFACE mode
flowcontrol rx [off | on] tx [off | on]| [monitor session-ID]
Where:
– rx on: processes the flow control frames received on this port.
– rx off: ignores the flow control frames received on this port.
– tx on: sends flow control frames from this port to the connected device when a higher rate of traffic is received.
The following table lists the various Layer 2 overheads found in Dell EMC Networking OS and the number of bytes.
Table 42. Layer 2 Overhead
Layer 2 Overhead                                Difference Between Link MTU and IP MTU
Ethernet (untagged)                             18 bytes
VLAN Tag                                        22 bytes
Untagged Packet with VLAN-Stack Header          22 bytes
Tagged Packet with VLAN-Stack Header            26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Setting the Speed of Ethernet Interfaces
To discover whether the remote and local interfaces require manual speed synchronization, and to manually synchronize them if necessary, use the following command sequence.
1 Determine the local interface status. Refer to the following example.
EXEC Privilege mode
show interfaces [interface | stack-unit stack-unit-number] status
2 Determine the remote interface status.
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port as forced master or forced slave once autonegotiation is enabled.
CAUTION: Ensure that only one end of the link is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between the auto-neg-error and forced-master/slave states.
• Configure the number of seconds of traffic statistics to display in the show interfaces output.
INTERFACE mode
rate-interval
Example of the rate-interval Command
The bold lines show the default value of 299 seconds, the change to a rate interval of 100, and the new rate interval set to 100.
Configuring the Traffic Sampling Size Globally
You can configure the traffic sampling size for an interface in the global configuration mode. All LAG members inherit the rate interval configuration from the LAG.
Output 100.00 Mbits/sec, 4636111 packets/sec, 10.
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or for selected ones. Without an interface specified, the command clears all interface counters.
The following is the sample output:
DellEMC#write memory compressed
!
Jul 30 08:50:26: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
copy compressed-config
Copy one file, after optimizing and reducing the size of the configuration file, to another location. Dell EMC Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).
• ARP reply packets
• GVRP traffic redirects
• LACP traffic redirects
• Common VLT control frames
2 Packets are dropped due to user-defined ACLs.
3 Multicast traffic with a TTL value of 1.
4 Multicast traffic that is not part of any group or special group that has to be processed by the CPU.
5 In addition to the above protocols, the filter processor rule also drops Yellow and Red packets if QoS is configured on the system.
20 IPv4 Routing
The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in Dell EMC Networking OS.
• Configurations Using UDP Helper
• UDP Helper with Broadcast-All Addresses
• UDP Helper with Subnet Broadcast Addresses
• UDP Helper with Configured Broadcast Addresses
• UDP Helper with No Configured Broadcast Addresses
• Troubleshooting UDP Helper
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
2 Enable the interface.
Dell EMC Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
• When the interface goes down, Dell EMC Networking OS withdraws the route.
• When the interface comes up, Dell EMC Networking OS re-installs the route.
• When the recursive resolution is “broken,” Dell EMC Networking OS withdraws the route.
Example of the show ip management-route Command
To view the configured static routes for the management port, use the show ip management-route command in EXEC privilege mode.
DellEMC#show ip management-route
Destination        Gateway
-----------        -------
10.16.0.0/16       ManagementEthernet 1/1
172.16.1.0/24      10.16.151.
it is discarded. In such cases, you can configure Internet Control Message Protocol (ICMP) unreachable messages to be sent to the transmitting device.
Configuring the ICMP Source Interface
You can enable the ICMP error and unreachable messages to contain the configured IP address of the source device instead of the previous hop's IP address.
INTERFACE mode
ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses. This feature simplifies commands such as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
EMC Networking OS cannot resolve the domain, it tries the domain name assigned to the local system. If that does not resolve the partial domain, Dell EMC Networking OS searches the list of configured domains. To configure a domain name or a list of domain names, use the following commands.
• Enter up to 63 characters to configure one domain name.
CONFIGURATION mode
ip domain-name name
• Enter up to 63 characters to configure names to complete unqualified host names.
ARP
Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables end stations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping MAC addresses to their corresponding IP addresses. This table is called the ARP cache, and dynamically learned addresses are removed after a defined period of time.
Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in INTERFACE mode. To re-enable Proxy ARP, use the following command.
• Re-enable Proxy ARP.
INTERFACE mode
ip proxy-arp
To check whether Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled, because only non-default information is displayed in the show config command output.
ARP Learning via ARP Request
In Dell EMC Networking OS versions prior to 8.3.1.0, Dell EMC Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated.
Figure 49.
arp retries number
The default is 5. The range is from 1 to 20.
• Set the exponential timer for resending unresolved ARPs.
CONFIGURATION mode
arp backoff-time
The default is 30. The range is from 1 to 3600.
• Display all ARP entries learned via gratuitous ARP.
host an ICMP redirect message with the better route. The gateway router routes the packet to its destination, and the host sends subsequent packets to that particular destination through the correct router. Dell EMC Networking OS supports both ICMP and ICMPv6 redirect messages. The following diagram depicts a topology in which ICMP redirect messages are useful.
Figure 51. ICMP Redirect
Host H is connected to the same Ethernet segment as SW1 and SW2.
UDP Helper
User datagram protocol (UDP) helper allows you to direct the forwarding of IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses.
Configure UDP Helper
To configure Dell EMC Networking OS to direct UDP broadcasts, enable UDP helper and specify the UDP ports for which traffic is forwarded.
1 Packet 1 is dropped at ingress if you did not configure a UDP helper address.
2 If you enable UDP helper (using the ip udp-helper udp-port command), and the UDP destination port of the packet matches the configured UDP port, the system changes the destination address to the configured broadcast address 1.1.255.255 and routes the packet to VLANs 100 and 101.
UDP Helper with Configured Broadcast Addresses
Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLANs 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2 2017-08-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90 Packet 0.0.0.0:68 -> 255.255.255.
21 IPv6 Routing
Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 to allow for constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6 and of Dell EMC Networking support for IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space
The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it also allows the use of a hierarchical address space structure to optimize global addressing.
Stateless Autoconfiguration
When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Flow Label (20 bits)
• Payload Length (16 bits)
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header, or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
Payload Length (16 bits)
The Payload Length field specifies the length of the packet payload, that is, the data following the IPv6 header. The IPv6 Payload Length includes only the data following the header, not the header itself. The 2-byte Payload Length limit means that the maximum packet payload is 64 KB. However, the Jumbogram option type extension header supports larger packet sizes when required.
Next Header (8 bits)
The Next Header field identifies the next header’s type.
Source Address (128 bits)
The Source Address field contains the IPv6 address of the packet originator.
Destination Address (128 bits)
The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router.
Extension Header Fields
Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
10 Discard the packet and send an ICMP Parameter Problem Code 2 message to the packet’s Source IP Address identifying the unknown option type.
11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address.
The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination.
the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to configure each computer on the network individually. In IPv6, every interface, whether using static or dynamic address assignment, also automatically receives a link-local address in the fe80::/64 subnet.
Figure 56. Path MTU discovery process
IPv6 Neighbor Discovery
The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages to determine relationships between neighboring nodes.
Figure 57. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
You can set the MTU advertised through RA packets to incoming routers without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets if that is what is set with the mtu command.
Debugging IPv6 RDNSS Information Sent to the Host
To verify that the IPv6 RDNSS information sent to the host is configured correctly, use the debug ipv6 nd command in EXEC Privilege mode.
Example of Debugging IPv6 RDNSS Information Sent to the Host
The following example debugs IPv6 RDNSS information sent to the host. The last three lines indicate that the IPv6 RDNSS information was configured correctly.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as an even number (2, 4, 6, 8, 10). All other profile allocations can use either even- or odd-numbered ranges.
• Enter the IPv6 address for the device.
CONFIG-INTERFACE mode
ipv6 address ipv6-address/mask
– ipv6-address: x:x:x:x::x
– mask: the prefix length, from 0 to 128
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing.
Assigning a Static IPv6 Route
To configure IPv6 static routes, use the ipv6 route command.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
SNMP over IPv6
You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running Dell EMC Networking OS IPv6. The Dell EMC Networking OS SNMP-server commands have been extended to support IPv6.
– For a brief summary of IPv6 status and configuration, enter the keyword brief.
– For all IPv6 configured interfaces, enter the keyword configured.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
– To display information about Open Shortest Path First (OSPF) routes, enter ospf.
– To display information about Routing Information Protocol (RIP) routes, enter rip.
– To display information about static IPv6 routes, enter static.
– To display information about an IPv6 prefix list, enter list and the prefix-list name.
Examples of the show ipv6 route Commands
The following example shows the show ipv6 route summary command.
Disabling ND Entry Timeout When a peer system warmboots or performs an ISSU, the ND entries in the local system may time out resulting in traffic loss. You can configure the system to keep the learnt neighbor discovery entries stateless so that the ND entries do not time out.
managed-config-flag {on | off}
7 Enable verification of the sender IPv6 address in inspected messages from the authorized device source access list.
POLICY LIST CONFIGURATION mode
match ra {ipv6-access-list name | ipv6-prefix-list name | mac-access-list name}
8 Enable verification of the advertised other configuration parameter.
POLICY LIST CONFIGURATION mode
other-config-flag {on | off}
9 Enable verification of the advertised default router preference value.
 reachable-time 540
 retrans-timer 101
 router-preference maximum medium
 trusted-port
DellEMC(conf-ra_guard_policy_list)#
Configuring IPv6 RA Guard on an Interface
To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps:
1 Configure the terminal to enter the Interface mode.
CONFIGURATION mode
interface interface-type slot/port
2 Apply the IPv6 RA guard to a specific interface.
22 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets.
• iSCSI DCBx TLVs are supported.
Monitoring iSCSI Traffic Flows
The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use the well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
If more than 256 simultaneous sessions are logged continuously, the following message displays, indicating that the queue rate limit has been reached:
%STKUNIT2-M:CP %iSCSI-5-ISCSI_OPT_MAX_SESS_EXCEEDED: New iSCSI Session Ignored: ISID 400001370000 InitiatorName - iqn.1991-05.com.microsoft:dt-brcd-cna-2 TargetName iqn.2001-05.com.equallogic:4-52aed6-b90d9446c-162466364804fa49-wj-v1 TSIH - 0"
NOTE: If you are using EqualLogic or Compellent storage arrays, more than 256 simultaneous iSCSI sessions are possible.
including jumbo frames and flow control on all ports; no storm control and spanning-tree portfast to be enabled on the port of detection. After you execute the iscsi profile-compellent command, the following actions occur:
• Jumbo frame size is set to the maximum for all interfaces on all ports and port-channels, if it is not already enabled.
• Spanning-tree portfast is enabled on the interface.
• Unicast storm control is disabled on the interface.
Default iSCSI Optimization Values
The following table lists the default values for the iSCSI optimization feature.
Table 43. iSCSI Optimization Defaults
Parameter                                         Default Value
iSCSI Optimization global setting                 Disabled.
iSCSI CoS mode (802.1p priority queue mapping)    dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
CONFIGURATION mode
iscsi enable
3 For a DCB environment: Configure iSCSI Optimization.
EXEC Privilege mode
iSCSI configuration: copy CONFIG_TEMPLATE/iSCSI_DCB_Config running-config
The configuration files are stored in the flash memory in the CONFIG_TEMPLATE file.
NOTE: DCB/DCBx is enabled when you apply the iSCSI configuration in step 3. If you manually apply the iSCSI configuration by following steps 1 and 2, enable link layer discovery protocol (LLDP) before enabling iSCSI in step 2.
• dscp dscp-value: specifies the DSCP value assigned to incoming packets in an iSCSI session. The range is from 0 to 63. The default is: the DSCP value in ingress packets is not changed.
• remark: marks incoming iSCSI packets with the configured dot1p or DSCP value when they egress the switch. The default is: the dot1p and DSCP values in egress packets are not changed.
8 (Optional) Set the aging time for iSCSI session monitoring.
CONFIGURATION mode
[no] iscsi aging time time
------------------------------------------------
iSCSI Targets and TCP Ports:
------------------------------------------------
TCP Port    Target IP Address
3260
860
The following example shows the show iscsi session command.
VLT PEER1
DellEMC#show iscsi session
Session 0:
----------------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.
23 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI).
• system address — the router’s MAC address.
• N-selector — this is always 0.
The following illustration is an example of the ISO-style address, showing the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0.
Figure 59.
Interface Support
MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces.
Adjacencies
Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
IPv6 Reachability and IPv6 Interface Address. A new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds the following TLVs:
• MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP.
• MT Intermediate Systems TLV — appears for every topology a node supports.
Configuration Tasks for IS-IS
The following describes the configuration tasks for IS-IS.
• Enabling IS-IS
• Configure Multi-Topology IS-IS (MT IS-IS)
• Configuring IS-IS Graceful Restart
• Changing LSP Attributes
• Configuring the IS-IS Metric Style
• Configuring IS-IS Cost
• Changing the IS-Type
• Controlling Routing Updates
• Configuring Authentication Passwords
• Setting the Overload Bit
• Debugging IS-IS
Enabling IS-IS
By default, IS-IS is not enabled.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
4 Enter an IPv4 address.
INTERFACE mode
ip address ip-address mask
Assign an IP address and mask to the interface.
IS-IS: LSP checksum errors received : 0
IS-IS: LSP authentication failures : 0
DellEMC#
You can assign more NET addresses, but the System ID portion of the NET address must remain the same. Dell EMC Networking OS supports up to six area addresses. Some address considerations are:
• In order to be neighbors, configure Level 1 routers with at least one common area address.
• A Level 2 router becomes a neighbor with another Level 2 router regardless of the area address configured.
• Configure the time during which a graceful restart attempt is prevented.
ROUTER-ISIS mode
graceful-restart interval minutes
The range is from 1 to 120 minutes. The default is 5 minutes.
• Enable the graceful restart maximum wait time before a restarting peer comes up.
ROUTER-ISIS mode
graceful-restart restart-wait seconds
When implementing this command, be sure to set the t3 timer to adjacency on the restarting router. The range is from 1 to 120 minutes. The default is 30 seconds.
To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode.
Changing LSP Attributes
IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands.
Configuring the IS-IS Metric Style
All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure the narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure the wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
isis metric default-metric [level-1 | level-2]
– default-metric: the range is from 0 to 63 if the metric style is narrow, narrow-transition, or transition. The range is from 0 to 16777215 if the metric style is wide or wide transition.
• Assign a metric for an IPv6 link or interface.
INTERFACE mode
isis ipv6 metric default-metric [level-1 | level-2]
– default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2}
To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information. If you do not change the IS-type, the default value (level-1-2) is not displayed. The default is Level 1-2 router.
Example of the show isis database Command to View Level 1-2 Link State Databases
Applying IPv4 Routes
To apply prefix lists to incoming or outgoing IPv4 routes, use the following commands.
NOTE: These commands apply to IPv4 IS-IS only. To apply prefix lists to IPv6 routes, use ADDRESS-FAMILY IPV6 mode, shown later.
• Apply a configured prefix list to all incoming IPv4 IS-IS routes.
– For a port channel interface, enter the keywords port-channel then a number.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
• Apply a configured prefix list to all outgoing IPv6 IS-IS routes.
ROUTER ISIS-AF IPV6 mode
distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static]
You can configure one of the optional parameters:
– connected: for directly connected routes.
– ospf process-id: for OSPF routes only.
– rip: for RIP routes only.
– metric value: the range is from 0 to 16777215. The default is 0.
– match external: the value is 1 or 2.
– match internal
– metric-type: external or internal.
– map-name: enter the name of a configured route map.
Redistributing IPv6 Routes
To add routes from other routing instances or protocols, use the following commands.
NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, shown previously.
ROUTER ISIS mode
area-password [hmac-md5] password
The Dell OS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs.
• Set the authentication password for a routing domain.
ROUTER ISIS mode
domain-password [encryption-type | hmac-md5] password
The Dell OS supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs.
Debugging IS-IS
To debug IS-IS processes, use the following commands.
• View all IS-IS information.
EXEC Privilege mode
debug isis
• View information on all adjacency-related activity (for example, hello packets that are sent and received).
EXEC Privilege mode
debug isis adj-packets [interface]
To view specific information, enter the following optional parameter:
– interface: enter the type of interface and slot/port information to view IS-IS information on that interface only.
IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Table 46. Metric Value When the Metric Style Changes
Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
wide                     narrow               default value (10) if the original value is greater than 63. A message is sent to the console.
wide                     transition           truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
Moving to transition and then to another metric style produces different results.
Table 47.
Level-1 Metric Style   Level-2 Metric Style   Resulting Metric Value
wide transition        narrow                 truncated value
wide transition        narrow transition      truncated value
wide transition        transition             truncated value
Sample Configurations
The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
• IS-IS Sample Configuration — Congruent Topology
• IS-IS Sample Configuration — Multi-topology
• IS-IS Sample Configuration — Multi-topology Transition
The following is a sample configuration for enabling IPv6 IS-IS.
24 Link Aggregation Control Protocol (LACP)
A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
Introduction to Dynamic LAGs and LACP
A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
LACP Modes Dell EMC Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
The default is 32768.
LACP Configuration Tasks
The following configuration tasks apply to LACP.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
• Configuring Shared LAG State Tracking
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
• Create a dynamic port channel (LAG).
1 second. You can configure the default timeout value to be 30 seconds. Invoking the longer timeout might prevent the LAG from flapping if the remote system is up but temporarily unable to transmit PDUs due to a system interruption. NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect. To configure LACP long timeout, use the following command. • Set the LACP timeout value to 30 seconds.
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). Dell EMC Networking OS has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
• 2d1h45m: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 To view the status of a failover group member, use the show interface port-channel command. NOTE: The set of console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link).
! Alpha(conf-if-po-10)# Example of Viewing a LAG Port Configuration The following example inspects a LAG port configuration on ALPHA. Figure 64.
Figure 65.
Figure 66.
Figure 67.
Figure 68.
Figure 69. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
25 Layer 2
This chapter describes the Layer 2 features supported on the device.
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in Dell EMC Networking OS version 8.3.1.0 is different from versions 8.2.1.
When you enable sticky MAC on an interface, dynamically learned MAC addresses do not age, even if you enabled mac-learning-limit dynamic. If you configured mac-learning-limit and mac-learning-limit dynamic and then disable sticky MAC, dynamically learned MAC addresses age normally. mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface.
• Generate a system log message indicating a station move. INTERFACE mode: station-move-violation log
• Shut down the first port to learn the MAC address. INTERFACE mode: station-move-violation shutdown-original
• Shut down the second port to learn the MAC address. INTERFACE mode: station-move-violation shutdown-offending
• Shut down both the first and second port to learn the MAC address. INTERFACE mode
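The learning-limit, station-move and sticky behaviour described above is easiest to reason about as a small state machine. The following is an added example written for this page, not Dell EMC Networking OS code: MacTable models a per-port learning limit, a station-move permit, the four station-move-violation actions and sticky entries that aging skips. Two modelling assumptions are made explicit in the comments: the violation action is taken from the port that first learned the MAC, and a port that does not permit station moves keeps the original binding. The MAC/port events are constructed for the example.

```python
"""Per-port MAC learning limit, station moves and sticky entries.

Added example (not Dell EMC Networking OS code). Assumptions: the violation
action is the one configured on the port that first learned the MAC, and a
port without station-move permit keeps the original binding. Events below
are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class PortConfig:
    learning_limit: Optional[int] = None   # mac learning-limit <n>; None = unlimited
    station_move: bool = False             # mac learning-limit station-move
    violation: str = "log"                 # log | shutdown-original | shutdown-offending | shutdown-both
    sticky: bool = False                   # sticky MAC: learned entries do not age


@dataclass
class MacTable:
    ports: Dict[str, PortConfig]
    entries: Dict[str, str] = field(default_factory=dict)   # MAC -> owning port
    sticky: Set[str] = field(default_factory=set)            # MACs exempt from aging
    shutdown: Set[str] = field(default_factory=set)          # ports shut by a violation
    log: List[str] = field(default_factory=list)

    def _learned_on(self, port: str) -> int:
        return sum(1 for p in self.entries.values() if p == port)

    def learn(self, mac: str, port: str) -> bool:
        """Process a frame with source `mac` arriving on `port`; True if accepted."""
        if port in self.shutdown:
            return False
        owner = self.entries.get(mac)
        if owner == port:
            return True
        if owner is not None:
            original = self.ports[owner]
            if not original.station_move:
                # assumption: the violation action comes from the first-learning port
                return self._violation(mac, owner, port, original.violation)
            # permitted station move: fall through and learn on the new port
        cfg = self.ports[port]
        if cfg.learning_limit is not None and self._learned_on(port) >= cfg.learning_limit:
            self.log.append(f"{port}: learning limit {cfg.learning_limit} reached, {mac} not learned")
            return False
        self.entries[mac] = port
        self.sticky.discard(mac)
        if cfg.sticky:
            self.sticky.add(mac)
        return True

    def _violation(self, mac: str, original: str, offending: str, action: str) -> bool:
        self.log.append(f"station move violation: {mac} learned on {original}, seen on {offending} ({action})")
        if action in ("shutdown-original", "shutdown-both"):
            self.shutdown.add(original)
        if action in ("shutdown-offending", "shutdown-both"):
            self.shutdown.add(offending)
        return False

    def age_out(self, macs: Iterable[str]) -> None:
        """Aging-timer expiry for `macs`; sticky entries are never removed."""
        for mac in list(macs):
            if mac not in self.sticky:
                self.entries.pop(mac, None)


def demo() -> MacTable:
    table = MacTable(ports={
        "Te 1/1/1": PortConfig(learning_limit=2, violation="shutdown-offending", sticky=True),
        "Te 1/2/1": PortConfig(learning_limit=2, station_move=True),
        "Te 1/3/1": PortConfig(),
    })
    events = [  # constructed: two hosts, one extra host, one roaming host, one spoofer
        ("00:11:22:33:44:01", "Te 1/1/1"),
        ("00:11:22:33:44:02", "Te 1/1/1"),
        ("00:11:22:33:44:03", "Te 1/1/1"),   # third address: over the limit, dropped
        ("00:11:22:33:44:10", "Te 1/2/1"),
        ("00:11:22:33:44:10", "Te 1/3/1"),   # 1/2/1 permits station moves: entry moves
        ("00:11:22:33:44:01", "Te 1/3/1"),   # 1/1/1 does not: violation, 1/3/1 is shut down
    ]
    for mac, port in events:
        table.learn(mac, port)
    table.age_out(["00:11:22:33:44:01", "00:11:22:33:44:10"])   # timer expiry
    return table


if __name__ == "__main__":
    t = demo()
    print(t.entries, t.shutdown, *t.log, sep="\n")
```

Running the script shows the sticky entry surviving the aging pass while the roaming host's entry is removed, and the spoofed address shutting down the offending port rather than the port the legitimate host sits on.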
• Enable the port security feature. CONFIGURATION mode mac port-security NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
Figure 71. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 72. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Important Points about Configuring Redundant Pairs • You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface. • The active or backup interface can be a LAG, but it cannot be a member port of a LAG. • The active and standby do not have to be of the same type (1G, 10G, and so on).
FEFD State Changes FEFD has two operational modes, Normal and Aggressive. When you enable Normal mode on an interface and a far-end failure is detected, no intervention is required to reset the interface to bring it back to an FEFD operational state. When you enable Aggressive mode on an interface in the same state, manual intervention is required to reset the interface.
• Enable FEFD globally on all interfaces. CONFIGURATION mode: fefd-global
To report interval frequency and mode adjustments, use the following commands.
1 Set up two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode: ip address ip-address, or switchport
2 Enable the necessary ports administratively. INTERFACE mode: no shutdown
3 Enable fefd globally.
3 INTERFACE mode fefd {disable | interval | mode} Example of Viewing FEFD Configuration Debugging FEFD To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command. • Display output whenever events occur that initiate or disrupt an FEFD enabled connection. EXEC Privilege mode debug fefd events • Provide output for each packet transmission over the FEFD enabled connection.
26 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 50. Type, Length, Value (TLV) Types
Type | TLV | Description
0 | End of LLDPDU | Marks the end of a LLDPDU.
1 | Chassis ID | An administratively assigned name that identifies the LLDP agent.
2 | Port ID | An administratively assigned name that identifies a port through which TLVs are sent and received.
3 | Time to Live | The number of seconds for which the receiving agent treats the information in this LLDPDU as valid; a value of 0 tells the receiver to discard the information it holds for this port.
Figure 76. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell EMC Networking system to advertise any or all of these TLVs. Table 51. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. Dell EMC Networking OS does not currently support this TLV.
Type TLV Description in the Dell EMC Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDPMED implementation. 127 Power via MDI Dell EMC Networking supports the LLDPMED protocol, which recommends that Power via MDI TLV be not implemented, and therefore Dell EMC Networking implements Extended Power via MDI TLV only.
Table 52. TIA-1057 (LLDP-MED) Organizationally Specific TLVs
Type | SubType | TLV | Description
127 | 1 | LLDP-MED Capabilities | Indicates whether the transmitting device supports LLDP-MED, what LLDP-MED TLVs it supports, and the LLDP device class.
127 | 2 | Network Policy | Indicates the application type, VLAN ID, Layer 2 Priority, and DSCP value.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• The value of the LLDP-MED capabilities field in the TLV is a 2-octet bitmap; each bit represents an LLDP-MED capability (as shown in the following table).
• The possible values of the LLDP-MED device type are shown in the following.
• VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell EMC Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
• LLDP is not hitless. LLDP Compatibility • Spanning tree and force10 ring protocol “blocked” ports allow LLDPDUs. • 802.1X controlled ports do not allow LLDPDUs until the connected device is authenticated. CONFIGURATION versus INTERFACE Configurations All LLDP configuration commands are available in PROTOCOL LLDP mode, which is a sub-mode of the CONFIGURATION mode and INTERFACE mode. • Configurations made at the CONFIGURATION level are global; that is, they affect all interfaces on the system.
3 Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP on Management Ports To disable or undo LLDP on management ports, use the following command. 1 Enter Protocol LLDP mode. CONFIGURATION mode. protocol lldp 2 Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3 Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no.
– video-conferencing – video-signaling – voice – voice-signaling In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 80. Configuring LLDP Storing and Viewing Unrecognized LLDP TLVs Dell EMC Networking OS provides support to store unrecognized (reserved and organizational specific) LLDP TLVs. Also, support is extended to retrieve the stored unrecognized TLVs using SNMP.
The software assigns a temporary identification index to each unrecognized organizationally specific LLDP TLV when it receives more than one TLV with the same OUI and subtype but different organizationally defined information strings.
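To make the TLV types in Table 50, the organizationally specific TLVs of Table 51 and the unrecognized-TLV store concrete, the following is an added example written for this page, not Dell EMC Networking OS code. It parses an LLDPDU byte string according to IEEE 802.1AB, splits type-127 TLVs into OUI and subtype, and sets aside the TLVs it does not recognise (reserved types 9 to 126 and organizationally specific TLVs from unknown OUIs). Every length field is checked against the buffer before use, since LLDP is unauthenticated and any station on the segment can send a malformed frame. The sample LLDPDU and the builder helpers are constructed for the example; the private OUI in it is not a real assignment.

```python
"""LLDPDU TLV parser.

Added example (not Dell EMC Networking OS code). Walks the TLV chain of an
LLDPDU (IEEE 802.1AB), decodes the basic TLVs, splits organizationally
specific TLVs into OUI + subtype and keeps unrecognized TLVs separately.
The sample LLDPDU at the bottom is constructed.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TIME_TO_LIVE, ORG_SPECIFIC = 0, 1, 2, 3, 127
# Basic TLV types this parser decodes (IEEE 802.1AB).
BASIC_TYPES = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID",
               3: "Time to Live", 4: "Port Description", 5: "System Name",
               6: "System Description", 7: "System Capabilities",
               8: "Management Address"}
# OUIs whose organizationally specific TLVs count as recognized here.
IEEE_8021_OUI = bytes.fromhex("0080c2")    # IEEE 802.1 / 802.3 TLVs
TIA_LLDPMED_OUI = bytes.fromhex("0012bb")  # TIA-1057 LLDP-MED TLVs


class LldpError(ValueError):
    """Raised for a malformed LLDPDU; the caller should drop the frame."""


@dataclass
class Tlv:
    tlv_type: int
    value: bytes                    # type 127: information string after OUI + subtype
    oui: Optional[bytes] = None     # type 127 only
    subtype: Optional[int] = None   # type 127 only


@dataclass
class Lldpdu:
    chassis_id: bytes = b""
    port_id: bytes = b""
    ttl: int = 0
    recognized: List[Tlv] = field(default_factory=list)
    unrecognized: List[Tlv] = field(default_factory=list)


def parse_lldpdu(data: bytes) -> Lldpdu:
    """Parse the LLDPDU that follows the Ethernet header (ethertype 0x88CC)."""
    pdu, off, index = Lldpdu(), 0, 0
    while True:
        if off + 2 > len(data):
            raise LldpError("truncated TLV header at offset %d" % off)
        header = struct.unpack("!H", data[off:off + 2])[0]
        tlv_type, tlv_len = header >> 9, header & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if off + tlv_len > len(data):   # bounds check before slicing
            raise LldpError("TLV type %d length %d overruns the LLDPDU" % (tlv_type, tlv_len))
        value = data[off:off + tlv_len]
        off += tlv_len
        # 802.1AB fixes the first three TLVs: Chassis ID, Port ID, Time to Live.
        if index < 3 and tlv_type != (CHASSIS_ID, PORT_ID, TIME_TO_LIVE)[index]:
            raise LldpError("TLV %d must be type %d, got %d" % (index, index + 1, tlv_type))
        index += 1
        if tlv_type == END_OF_LLDPDU:
            if tlv_len != 0:
                raise LldpError("End of LLDPDU TLV must be empty")
            return pdu
        if tlv_type == ORG_SPECIFIC:
            if tlv_len < 4:
                raise LldpError("organizationally specific TLV shorter than OUI + subtype")
            tlv = Tlv(ORG_SPECIFIC, value[4:], oui=value[:3], subtype=value[3])
            bucket = pdu.recognized if tlv.oui in (IEEE_8021_OUI, TIA_LLDPMED_OUI) else pdu.unrecognized
            bucket.append(tlv)
        elif tlv_type in BASIC_TYPES:
            if tlv_type == TIME_TO_LIVE and tlv_len != 2:
                raise LldpError("Time to Live TLV must be 2 octets")
            pdu.recognized.append(Tlv(tlv_type, value))
            if tlv_type == CHASSIS_ID:
                pdu.chassis_id = value
            elif tlv_type == PORT_ID:
                pdu.port_id = value
            elif tlv_type == TIME_TO_LIVE:
                pdu.ttl = struct.unpack("!H", value)[0]
        else:
            pdu.unrecognized.append(Tlv(tlv_type, value))   # reserved types 9-126


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (helper for building the constructed sample)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def org_tlv(oui: bytes, subtype: int, info: bytes) -> bytes:
    return tlv(ORG_SPECIFIC, oui + bytes([subtype]) + info)


# Constructed sample: a neighbour advertising basic, 802.1 and unknown TLVs.
SAMPLE_LLDPDU = (
    tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("4c7625f4ab02"))  # subtype 4 = MAC address
    + tlv(PORT_ID, b"\x05fortyGigE 1/1/1")                     # subtype 5 = interface name
    + tlv(TIME_TO_LIVE, struct.pack("!H", 300))
    + tlv(5, b"R2")                                            # System Name
    + org_tlv(IEEE_8021_OUI, 1, struct.pack("!H", 10))         # 802.1 Port VLAN ID = 10
    + org_tlv(bytes.fromhex("000166"), 127, b"\x00\x01")       # unknown OUI: unrecognized
    + tlv(9, b"\xde\xad")                                      # reserved type 9: unrecognized
    + tlv(END_OF_LLDPDU, b"")
)


def is_well_formed(data: bytes) -> bool:
    try:
        parse_lldpdu(data)
        return True
    except LldpError:
        return False


if __name__ == "__main__":
    pdu = parse_lldpdu(SAMPLE_LLDPDU)
    print("TTL", pdu.ttl, "recognized", len(pdu.recognized), "unrecognized",
          [(t.tlv_type, t.oui.hex() if t.oui else None, t.subtype) for t in pdu.unrecognized])
```

The unrecognized list corresponds to the OrgUnknownTLVList/UnknownTLVList counters in the show lldp neighbors detail output shown later in this chapter; a frame that fails any bounds check is rejected whole rather than partially processed.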
show lldp neighbors detail Examples of Viewing Information Advertised by Neighbors Example of Viewing Brief Information Advertised by Neighbors The length of the LLDP neighbors (Remote host) name is truncated if it is above 15 characters.
Example of Viewing Detailed Information Advertised by Neighbors DellEMC(conf)#do show lldp neighbors detail ======================================================================== Local Interface FortyGigE 1/1/1 has 2 neighbors Total Frames Out: 3 Total Frames In: 8 Total Neighbor information Age outs: 0 Total Multiple Neighbors Detected: 0 Total Frames Discarded: 0 Total In Error Frames: 0 Total Unrecognized TLVs: 960 Total TLVs Discarded: 16 Next packet will be sent after 9 seconds The neighbors are give
Locally assigned remote Neighbor Index: 1 Remote TTL: 300 Information valid for next 201 seconds Time since last information change of this neighbor: 00:01:39 UnknownTLVList: OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119, --------------------------------------------------------------------------Remote Chassis ID Subtype: Mac address (4) Remote Chassis ID: 4c:76:25:f4:ab:02 Remote Por
advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring LLDP Notification Interval This implementation has been introduced to adhere to the IEEE 802.1AB standard. This implementation allows a user to configure the LLDP notification interval between 5 (default) and 3600 seconds. NOTE: Before implementation of this feature, notification messages were not throttled.
CONFIGURATION mode or INTERFACE mode no mode Example of Configuring a Single Mode R1(conf)#protocol lldp R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#mode ? rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size adverti
advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable R1(conf-lldp)#no multiplier R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Debugging LLDP You can view the TLVs that your system is sending and receiving.
The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
LLDP Variable | LLDP MIB Object | Description
statsFramesInTotal | lldpStatsRxPortFramesTotal | Total number of LLDP frames received through the port.
statsFramesOutTotal | lldpStatsTxPortFramesTotal | Total number of LLDP frames transmitted through the port.
statsTLVsDiscardedTotal | lldpStatsRxPortTLVsDiscardedTotal | Total number of TLVs received then discarded.
statsTLVsUnrecognizedTotal | lldpStatsRxPortTLVsUnrecognizedTotal | Total number of all TLVs the local agent does not recognize.
TLV Variable | System | LLDP MIB Object
interface numbering subtype | Local | lldpLocManAddrIfSubtype
interface numbering subtype | Remote | lldpRemManAddrIfSubtype
interface number | Local | lldpLocManAddrIfId
interface number | Remote | lldpRemManAddrIfId
OID | Local | lldpLocManAddrOID
OID | Remote | lldpRemManAddrOID
Table 58. LLDP 802.
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
(continued) | | Enable LLDP-MED; LLDP-MED Class Type | Remote | lldpXMedRemConfigTLVsTx
2 | Network Policy | Application Type, Unknown Policy Flag, Tagged Flag, VLAN ID, L2 Priority, DSCP Value | |
3 | Location Identifier | Location Data Format, Location ID Data | |
4 | Extended Power via MDI | Power Device Type, Power Source | |
MIB objects (continued): Local lldpXMedLocDeviceClass, Remote lldpXMedRemDeviceClass, Local lldpXMedLocMediaPolicyAppType, Remote lldpXMedRem
Sub-type 4, Extended Power via MDI (continued)
TLV Variable | System | LLDP-MED MIB Object
Power Source | Local | lldpXMedLocXPoEPDPowerSource
Power Source | Remote | lldpXMedRemXPoEPSEPowerSource, lldpXMedRemXPoEPDPowerSource
Power Priority | Local | lldpXMedLocXPoEPDPowerPriority, lldpXMedLocXPoEPSEPortPDPriority
Power Priority | Remote | lldpXMedRemXPoEPSEPowerPriority, lldpXMedRemXPoEPDPowerPriority
Power Value | Local | lldpXMedLocXPoEPSEPortPowerAv, lldpXMedLocXPoEPDPowerReq
Power Value | Remote | lldpXMedRemXPoEPSEPowerAv, lldpXMedRemXPoEPDPowerReq
27 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With Multicast NLB mode, the data forwards to all the servers based on the port specified using the following Layer 2 multicast command in CONFIGURATION MODE: mac-address-table static multicast vlan output-range , Limitations of the NLB Feature The following limitations apply to switches on which you configure NLB: • The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
CONFIGURATION mode ip vlan-flooding Some ARP table entries may have been resolved from ARP packets whose Ethernet source MAC address differed from the sender MAC address carried inside the ARP payload. Unicast data traffic is flooded only for packets that use those ARP entries.
28 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
An RP advertises each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 83.
active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP. Receivers join toward the new RP and connectivity is maintained. Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process.
Figure 84.
Figure 85.
Figure 86.
Figure 87. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Examples of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
R3(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
show ip msdp sa-limit If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in Dell EMC Networking OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 88.
Figure 89.
Figure 90. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
GroupAddr    SourceAddr   RPAddr       LearnedFrom  Expire  UpTime
229.0.50.2   24.0.50.2    200.0.0.50   10.0.50.2    73      00:13:49
229.0.50.3   24.0.50.3    200.0.0.50   10.0.50.2    73      00:13:49
229.0.50.4   24.0.50.4    200.0.0.50   10.0.50.2    73      00:13:49
DellEMC#show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr   RPAddr      LearnedFrom
00:33:18  229.0.50.64  24.0.50.64   200.0.1.50  10.0.50.
00:33:18  229.0.50.65  24.0.50.65   200.0.1.50
00:33:18  229.0.50.66  24.0.50.66   200.0.1.50
R1_E600(conf)#do show ip msdp sa-cache R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
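The SA message format from the protocol overview, the sa-limit behaviour (existing entries are not discarded when the limit is applied) and the SA filter with its rejected-SA cache above all come together in the following added example. It is written for this page and is not Dell EMC Networking OS code: parse_sa_message() decodes the SA TLV of RFC 3618 section 12.2 with every length validated before it is used, and SaCache applies an inbound filter (a list of permit/deny rules matched on group then source, with the implicit deny of an access list) followed by a source-active limit, keeping rejected entries with a reason. The rule tuple shape, the SA message bytes and the access list are this example's own constructions.

```python
"""MSDP source-active (SA) handling with an SA filter and an SA limit.

Added example (not Dell EMC Networking OS code). The SA message, the access
list and the (action, group, source) rule shape are constructed for it.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

SA_TYPE = 1          # TLV type of an SA message (RFC 3618)
SA_ENTRY_LEN = 12    # Reserved(3) + Sprefix Len(1) + Group(4) + Source(4)


@dataclass(frozen=True)
class SaEntry:
    rp: str
    group: str
    source: str


def parse_sa_message(data: bytes) -> List[SaEntry]:
    """Decode one SA TLV. Lengths are validated before any slice is taken."""
    if len(data) < 8:
        raise ValueError("SA message shorter than its fixed header")
    tlv_type, length, count = struct.unpack("!BHB", data[:4])
    if tlv_type != SA_TYPE:
        raise ValueError("not an SA TLV (type %d)" % tlv_type)
    if length > len(data) or length < 8 + SA_ENTRY_LEN * count:
        raise ValueError("length %d inconsistent with %d entries" % (length, count))
    rp = str(ipaddress.IPv4Address(data[4:8]))
    entries, off = [], 8
    for _ in range(count):
        _reserved, prefix_len, group, source = struct.unpack(
            "!3sB4s4s", data[off:off + SA_ENTRY_LEN])
        if prefix_len != 32:   # RFC 3618: Sprefix Len is always 32
            raise ValueError("unexpected source prefix length %d" % prefix_len)
        entries.append(SaEntry(rp, str(ipaddress.IPv4Address(group)),
                               str(ipaddress.IPv4Address(source))))
        off += SA_ENTRY_LEN
    return entries   # bytes after `off` would be an encapsulated data packet


def build_sa_message(rp: str, pairs: Sequence[Tuple[str, str]]) -> bytes:
    """Encode (group, source) pairs from one RP as an SA TLV without encapsulated data."""
    body = b"".join(b"\x00\x00\x00\x20" + ipaddress.IPv4Address(g).packed
                    + ipaddress.IPv4Address(s).packed for g, s in pairs)
    return (struct.pack("!BHB", SA_TYPE, 8 + len(body), len(pairs))
            + ipaddress.IPv4Address(rp).packed + body)


def is_valid_sa(data: bytes) -> bool:
    try:
        parse_sa_message(data)
        return True
    except ValueError:
        return False


AclRule = Tuple[str, str, str]   # (action, group prefix, source prefix): this example's shape


@dataclass
class SaCache:
    limit: Optional[int] = None                               # ip msdp sa-limit
    sa_filter: List[AclRule] = field(default_factory=list)    # ip msdp sa-filter in ... list
    active: Dict[Tuple[str, str], SaEntry] = field(default_factory=dict)             # key (source, group)
    rejected: Dict[Tuple[str, str], Tuple[SaEntry, str]] = field(default_factory=dict)

    def _permitted(self, e: SaEntry) -> bool:
        if not self.sa_filter:
            return True
        for action, group, source in self.sa_filter:
            if (ipaddress.IPv4Address(e.group) in ipaddress.IPv4Network(group)
                    and ipaddress.IPv4Address(e.source) in ipaddress.IPv4Network(source)):
                return action == "permit"
        return False   # implicit deny at the end of the list

    def learn(self, entries: Sequence[SaEntry]) -> None:
        for e in entries:
            key = (e.source, e.group)
            if key in self.active:
                self.active[key] = e      # refresh: existing entries survive a lowered limit
                continue
            if not self._permitted(e):
                self.rejected[key] = (e, "SA filter")
            elif self.limit is not None and len(self.active) >= self.limit:
                self.rejected[key] = (e, "SA limit")
            else:
                self.active[key] = e

    def clear(self) -> None:              # clear ip msdp sa-cache
        self.active.clear()
        self.rejected.clear()


# Constructed sample: an RP in a remote domain announcing four sources.
SAMPLE_SA = build_sa_message("200.0.0.50", [
    ("229.0.50.2", "24.0.50.2"), ("229.0.50.3", "24.0.50.3"),
    ("229.0.50.4", "24.0.50.4"), ("239.0.0.1", "10.11.4.2")])


def demo() -> SaCache:
    cache = SaCache(limit=3, sa_filter=[
        ("deny", "239.0.0.1/32", "10.11.4.2/32"),   # like: deny ip host 239.0.0.1 host 10.11.4.2
        ("permit", "224.0.0.0/4", "0.0.0.0/0")])
    cache.learn(parse_sa_message(SAMPLE_SA))
    return cache


if __name__ == "__main__":
    c = demo()
    print("active:", sorted(c.active))
    print("rejected:", {k: reason for k, (_, reason) in c.rejected.items()})
```

Lowering `limit` after the cache is populated leaves the three active entries in place, exactly the situation in which the text above recommends clear ip msdp sa-cache; only a source not yet cached is then refused with the reason "SA limit".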
Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires. [Router 1] R1(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.3 list mylocalfilter R1(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.
Output (S,G) filter: none [Router 1] R1(conf)#do show ip msdp peer Peer Addr: 192.168.0.3 Local Addr: 0.0.0.0(0) Connect Source: Lo 0 State: Inactive Up/Down Time: 00:00:03 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics.
Input (S,G) filter: none
Output (S,G) filter: none
03:17:10 : MSDP-0: Peer 192.168.0.3, rcvd Keepalive msg
03:17:27 : MSDP-0: Peer 192.168.0.3, sent Source Active msg
MSDP with Anycast RP
Anycast RP uses MSDP with PIM-SM so that more than one RP can be active for the same group-to-RP mapping.
Figure 91. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
MSDP Sample Configuration: R4 Running-Config
32 Multicast Listener Discovery Protocol Dell Networking OS Supports Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
The remainder of the Query format carries Source Address [1] through Source Address [N]. Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
The Version 2 report format carries the Multicast Address, Source Address [1] through Source Address [N], and Auxiliary Data.
ipv6 mld query-interval Reducing Host Response Burstiness General Queries contain a Query Response Interval value, which is the amount of time the host has to respond to a general query. Hosts set a timer to a random number less than the Query Response Interval upon receiving a general query, and send a report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness.
ipv6 mld explicit-tracking Reducing Leave Latency Leave latency is the amount of time after the last host leaves the MLD group before the router stops forwarding traffic for that group. Latency is introduced because the router attempts several times to determine whether there are any remaining members before stopping traffic for the group. The Querier sends a Multicast-Address-Specific Query upon receiving a Done message to ascertain whether there are any remaining receivers for a group.
30 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Adding and Removing Interfaces
• Creating Multiple Spanning Tree Instances
• Influencing MSTP Root Selection
• Interoperate with Non-Dell Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell EMC Networking OS
Related Configuration Tasks The following are the related configuration tasks for MSTP.
• spanning-tree 0 To remove an interface from the MSTP topology, use the no spanning-tree 0 command. Creating Multiple Spanning Tree Instances To create multiple spanning tree instances, use the following command. A single MSTI provides no more benefit than RSTP. To take full advantage of MSTP, create multiple MSTIs and map VLANs to them. • Create an MSTI. PROTOCOL MSTP mode msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI.
Example of Assigning and Verifying the Root Bridge Priority By default, the simple configuration shown previously yields the same forwarding path for both MSTIs. The following example shows how R3 is assigned bridge priority 0 for MSTI 2, which elects a different root bridge for MSTI 2 than for MSTI 1. To view the bridge priority, use the show config command from PROTOCOL MSTP mode. R3(conf-mstp)#msti 2 bridge-priority 0 1d2h51m: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: MSTP root changed for instance 2.
Modifying Global Parameters The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. • Hello-time — the time interval in which the bridge sends MSTP bridge protocol data units (BPDUs).
Example of the forward-delay Parameter To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
For the default, refer to the default values shown in the table. 2 Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16. The default is 128. To view the current values for these interface parameters, use the show config command from INTERFACE mode. Setting STP path cost as constant You can set the path cost to be constant for a port-channel regardless of the operational status of the port-channel member ports.
◦ Disable the shutdown-on-violation command on the interface (using the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). ◦ Disable spanning tree on the interface (using the no spanning-tree command in INTERFACE mode). ◦ Disable global spanning tree (using the no spanning-tree command in CONFIGURATION mode). Example of Enabling an EdgePort on an Interface To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
Router 2 Running-Configuration This example uses the following steps: 1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology. 3 Create VLANs mapped to MSTP instances and tag interfaces to the VLANs. Router 3 Running-Configuration This example uses the following steps: 1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs. 2 Assign Layer-2 interfaces to the MSTP topology.
interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debug and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode debug spanning-tree mstp bpdu • Display MSTP-triggered topology change messages. EXEC Privilege mode debug spanning-tree mstp events Examples of Viewing MSTP Configurations To ensure all the necessary parameters match (region name, region version, and VLAN to instance mapping), examine your individual routers.
31 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol: Ethernet Address
OSPF: 01:00:5e:00:00:05, 01:00:5e:00:00:06
RIP: 01:00:5e:00:00:09
NTP: 01:00:5e:00:01:01
VRRP: 01:00:5e:00:00:12
PIM-SM: 01:00:5e:00:00:0d
• The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. • Multicast is not supported on secondary IP addresses. • If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
NOTE: The Dell EMC Networking OS waits at least 30 seconds between stopping and starting IGMP join processing. You may experience this delay when manipulating the limit after it is reached. When the multicast route limit is reached, the following displays:
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark.
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.
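The two PIM_TIB_LIMIT messages above are the only signal the switch gives that multicast route learning has stopped. The following is an added example (not code from the Dell guide) of detection logic that picks these messages out of a syslog feed and reports how often the limit was hit and whether the system is still at the limit. The log excerpt is constructed from the message format shown above; the unrelated line and its %EXAMPLE mnemonic are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog excerpt (not captured from a real system), modelled on the
# PIM_TIB_LIMIT lines quoted in the guide. The %EXAMPLE line is a placeholder for noise.
SAMPLE_LOG = """\
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark.
3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin.
3w1d14h: %RPM0-P:RP2 %EXAMPLE-6-PLACEHOLDER: unrelated message that the parser must ignore
3w1d14h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark.
"""

# Layout of the quoted lines: <uptime>: %<source> %<FACILITY>-<severity>-<MNEMONIC>: <message>
LINE_RE = re.compile(
    r"^(?P<uptime>\S+):\s+%(?P<source>\S+)\s+"
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<msg>.*)$"
)


@dataclass
class TibEvent:
    uptime: str
    kind: str  # "limit_reached" or "below_watermark"


def parse_pim_tib_events(log_text: str) -> List[TibEvent]:
    """Return the PIM TIB limit transitions found in a block of syslog text."""
    events: List[TibEvent] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("mnemonic") != "PIM_TIB_LIMIT":
            continue
        msg = m.group("msg")
        # Match on the message prefix: the "limit reached" text also mentions the
        # low watermark, so a plain substring test for "below low watermark" is ambiguous.
        if msg.startswith("PIM TIB limit reached"):
            events.append(TibEvent(m.group("uptime"), "limit_reached"))
        elif msg.startswith("PIM TIB below low watermark"):
            events.append(TibEvent(m.group("uptime"), "below_watermark"))
    return events


def summarize(events: List[TibEvent]) -> Dict[str, object]:
    """Count limit hits and report whether the last transition left the TIB at its limit."""
    reached = sum(1 for e in events if e.kind == "limit_reached")
    at_limit = bool(events) and events[-1].kind == "limit_reached"
    return {"limit_reached_count": reached, "currently_at_limit": at_limit}


if __name__ == "__main__":
    found = parse_pim_tib_events(SAMPLE_LOG)
    for ev in found:
        print(ev.uptime, ev.kind)
    print(summarize(found))
```

A single limit_reached followed by below_watermark is the expected behaviour of the guard; a high limit_reached_count, or currently_at_limit staying true, means either the configured limit is too low for the multicast state the network legitimately carries or an unexpected number of PIM entries is being created, and in both cases the new routes that were refused are the ones to account for.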
Figure 94. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 62. Preventing a Host from Joining a Group — Description
Location 1/21/1: interface TenGigabitEthernet 1/21/1; ip pim sparse-mode; ip address 10.11.12.1/24; no shutdown
Location 1/31/1: interface TenGigabitEthernet 1/21/1; ip pim sparse-mode; ip address 10.11.13.
(continued) no shutdown
Location 2/1/1: interface TenGigabitEthernet 2/1/1; ip pim sparse-mode; ip address 10.11.1.1/24; no shutdown
Location 2/11/1: interface TenGigabitEthernet 1/21/1; ip pim sparse-mode; ip address 10.11.12.2/24; no shutdown
Location 2/31/1: interface TenGigabitEthernet 1/21/1; ip pim sparse-mode; ip address 10.11.23.1/24; no shutdown
Location 3/1/1: interface TenGigabitEthernet 1/21/1; ip pim sparse-mode; ip address 10.11.5.
Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in PIM. INTERFACE mode ip pim neighbor-filter Setting a Threshold for Switching to the SPT The functionality to specify a threshold for switchover to the shortest path trees (SPTs) is available on the system.
Figure 95. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 64. Preventing a Source from Transmitting to a Group — Description
Location 1/21/1: interface TenGigabitEthernet 1/21/1; ip pim sparse-mode; ip address 10.11.12.1/24; no shutdown
Location 1/31/1: interface TenGigabitEthernet 1/31/1; ip pim sparse-mode; ip address 10.11.13.
(continued) no shutdown
Location 2/1/1: interface TenGigabitEthernet 2/1/1; ip pim sparse-mode; ip address 10.11.1.1/24; no shutdown
Location 2/11/1: interface TenGigabitEthernet 2/11/1; ip pim sparse-mode; ip address 10.11.12.2/24; no shutdown
Location 2/31/1: interface TenGigabitEthernet 2/31; ip pim sparse-mode; ip address 10.11.23.1/24; no shutdown
Location 3/1/1: interface TenGigabitEthernet 3/1/1; ip pim sparse-mode; ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell EMC Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Important Points to Remember • Destination address of the mtrace query message can be either a unicast or a multicast address. NOTE: When you use mtrace to trace a specific multicast group, the query is sent with the group's address as the destination. Retries of the query use the unicast address of the receiver. • When you issue an mtrace without specifying a group address (weak mtrace), the destination address is considered as the unicast address of the receiver.
– Forwarding code — error code as present in the response blocks – Source Network/Mask — source mask Example of the mtrace Command to View the Network Path The following is an example of tracing a multicast route. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort. Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via group 226.0.0.
The response data block filled in by the last-hop router contains a Forwarding code field. Forwarding code can be added at any node and is not restricted to the last hop router. This field is used to record error codes before forwarding the response to the next neighbor in the path towards the source. In a response data packet, the following error codes are supported: Table 66.
Scenario Output -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source. The output displays the destination and the first hop (-1) as 0 to indicate any PIM enabled interface on the node. R1>mtrace 103.103.103.3 1.1.1.1 226.0.0.3 Type Ctrl-C to abort.
Scenario Output 103.103.103.0/24 -3 2.2.2.1 PIM 103.103.103.0/24 -4 103.103.103.3 --> Source ----------------------------------------------------------------- You can issue the mtrace command by providing the source and multicast information. However, if the multicast group is a shared group (*,G), then mtrace traces the path of the shared tree until it reaches the RP. The source mask field reflects the shared tree that is being used to trace the path.
Scenario Output -3 10.10.10.1 PIM No route default ----------------------------------------------------------------- If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated. R1>mtrace 6.6.6.6 4.4.4.5 Type Ctrl-C to abort.
Scenario Output -3 2.2.2.1 PIM 99.99.0.0/16 -4 * * * * ----------------------------------------------------------------- If there is no response for mtrace even after switching to expanded hop search, the command displays an error message. R1>mtrace 99.99.99.99 1.1.1.1 Type Ctrl-C to abort. While traversing the path from source to destination, if the mtrace packet exhausts the maximum buffer size of the packet, then NO SPACE error is displayed in the output.
Scenario Output scenario, a corresponding error message is displayed.
|Hop| OIF IP |Proto| Forwarding Code |Source Network/Mask|
0 4.4.4.5 --> Destination
-1 4.4.4.4 PIM 6.6.6.0/24
-2 20.20.20.2 PIM 6.6.6.0/24
-3 10.10.10.1 PIM Wrong interface 6.6.6.0/24
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
32 Multicast Listener Discovery Protocol Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Joining a Multicast Group The Querier periodically sends a General Query to the all-nodes multicast address FF02::1. A host that wants to join a multicast group responds to the general query with a report that contains the group address; the report is also addressed to the group (in the IPv6 Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group.
[Packet layout diagram: Source Address [1] through Source Address [N]] Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Packet layout diagram: Multicast Address, Source Address [1] through Source Address [N], Auxiliary Data]
ipv6 mld query-interval Reducing Host Response Burstiness General Queries contain a Query Response Interval value, which is the amount of time the host has to respond to a general query. Hosts set a timer to a random number less than the Query Response Interval upon receiving a general query, and send a report when the timer expires. Increasing this value spreads host responses over a greater period of time, and so reduces response burstiness.
ipv6 mld last-member-query-interval Displaying MLD groups table Display MLD groups. Group information can be filtered. To display MLD groups, use the following command: EXEC Privilege show ipv6 mld groups
Dell#show ipv6 mld groups
Total Number of Groups: 1
MLD Connected Group Membership
Group Address Interface Mode Uptime Expires Last Reporter
Ff08::12 Vlan 10 MLDv2 00:00:12 00:02:05 1::2
Displaying MLD Interfaces Display MLD interfaces.
ipv6 mld snooping enable Disable MLD Snooping When MLD is enabled globally, it is by default enabled on all the VLANs. To disable MLD snooping on a VLAN, use the following command: INTERFACE VLAN Mode no ipv6 mld snooping NOTE: Under the default configuration, there is no need to configure ipv6 mld snooping for any VLAN. Configure the switch as a querier Hosts that do not support unsolicited reporting wait for a general query before sending a membership report.
Enable Snooping Explicit Tracking The switch can be a querier, and therefore also has an option of updating the group table through explicit-tracking. Whether the switch is the querier or not, if snooping is enabled, the switch tracks all the MLD joins. It has a separate explicit tracking table which contains group, source, interface, VLAN, and reporter details.
33 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 96. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
To configure object tracking on the status of a Layer 2 interface, use the following commands. 1 Configure object tracking on the line-protocol state of a Layer 2 interface. CONFIGURATION mode track object-id interface interface line-protocol Valid object IDs are from 1 to 500. 2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0.
To configure object tracking on the routing status of a Layer 3 interface, use the following commands. 1 Configure object tracking on the routing status of an IPv4 or IPv6 interface. CONFIGURATION mode track object-id interface interface {ip routing | ipv6 routing} Valid object IDs are from 1 to 500. 2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
a route tracked for its reachability, an attempt is made to regenerate the ARP cache entry to see if the next-hop address appears before considering the route DOWN. • By comparing the threshold for a route’s metric with current entries in the route table. The UP/DOWN state of the tracked route is determined by the threshold for the current value of the route metric in the routing table.
OBJECT TRACKING mode description text The text string can be up to 80 characters. 4 (Optional) Display the tracking configuration and the tracked object’s status. EXEC Privilege mode show track object-id Examples of IPv4 and IPv6 Tracking Route Reachability The following example configures object tracking on the reachability of an IPv4 route: DellEMC(conf)#track 104 ip route 10.0.0.
The refresh interval range is from 0 to 60 seconds. The default is 60 seconds. Examples of IPv4 and IPv6 Tracking Route Reachability The following example shows how to change the refresh interval for tracking the reachability of the next-hop: DellEMC#configure DellEMC(conf)#track reachability refresh 20 For example, consider that the next-hop address is changed and the track reachability is checked after the set refresh interval (20 seconds).
threshold metric {[up number] [down number]} The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold. The default DOWN threshold is 255. The routing state is DOWN if the scaled route metric is greater than or equal to the DOWN threshold. 6 (Optional) Display the tracking configuration.
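The UP/DOWN thresholds above and the up/down delay timers described under Set Tracking Delays interact: the thresholds decide the raw state of the object, and the timer decides whether a client such as VRRP ever hears about a change. The following is an added example (a model written for this page, not code from Dell EMC Networking OS) that implements those rules as a small state machine driven by an explicit clock, so you can see which transitions reach the client and which are swallowed. It takes the already scaled route metric as input; the scaling itself and the real timer implementation are outside the model.

```python
class TrackedRouteMetric:
    """Model of a tracked route with metric thresholds and up/down notification delays.

    Thresholds (guide defaults 254/255) decide the raw UP/DOWN state; the delay for the
    new state decides when the client is notified. If the raw state flaps back before
    the delay expires, the timer is cancelled and the client is not notified.
    """

    def __init__(self, up_threshold=254, down_threshold=255, delay_up=0, delay_down=0):
        if up_threshold >= down_threshold:
            raise ValueError("UP threshold must be below DOWN threshold")
        self.up_threshold = up_threshold
        self.down_threshold = down_threshold
        self.delay = {"UP": delay_up, "DOWN": delay_down}
        self.raw_state = "DOWN"      # state implied by the most recent metric
        self.client_state = "DOWN"   # state last reported to the client
        self.pending = None          # (new_state, time_to_notify) or None
        self.notifications = []      # (time, state) pairs delivered to the client

    def state_for_metric(self, metric):
        if metric <= self.up_threshold:
            return "UP"
        if metric >= self.down_threshold:
            return "DOWN"
        return self.raw_state  # between the thresholds: hold the current state

    def observe(self, metric, now):
        """Feed a new scaled metric at time `now`; returns the state the client sees."""
        new_state = self.state_for_metric(metric)
        if new_state != self.raw_state:
            self.raw_state = new_state
            if new_state == self.client_state:
                # Flapped back before the timer expired: cancel, client never notified.
                self.pending = None
            else:
                self.pending = (new_state, now + self.delay[new_state])
        return self.tick(now)

    def tick(self, now):
        """Advance the clock; deliver a pending notification whose delay has expired."""
        if self.pending is not None and now >= self.pending[1]:
            state, fire_time = self.pending
            self.client_state = state
            self.notifications.append((fire_time, state))
            self.pending = None
        return self.client_state


def run_scenario():
    """Constructed timeline: a short metric spike is absorbed by a 10-second down delay,
    a sustained one is reported. Returns the notifications the client received."""
    tracker = TrackedRouteMetric(delay_down=10)
    tracker.observe(10, now=0)     # metric below UP threshold: UP reported at once (delay_up=0)
    tracker.observe(255, now=5)    # metric at DOWN threshold: down timer starts, fires at 15
    tracker.observe(10, now=8)     # recovers before 15: timer cancelled, no DOWN sent
    tracker.observe(255, now=20)   # goes down again: timer fires at 30
    tracker.tick(25)
    tracker.tick(30)
    return tracker.notifications


if __name__ == "__main__":
    print(run_scenario())
```

With the default thresholds there is no band between UP and DOWN, so hysteresis comes only from the delay timers; setting a gap such as up 100 / down 200 makes a metric that drifts between the two values hold its previous state, which is the knob to use when a route's metric is noisy but the client (for example a VRRP priority) should not flap with it.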
IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf Command Example of Viewing Object Tracking Configuration
34 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Areas allow you to further organize your routers within the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 97. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.
• A not-so-stubby area (NSSA) can import AS external route information and send it to the backbone. It cannot receive external AS information from the backbone or other areas. • Totally stubby areas are referred to as no summary areas in the Dell EMC Networking OS. Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important.
Figure 98. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gateway protocol (non-IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
Figure 99. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
Graceful Restart When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. Dell EMC Networking OS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
The following example shows no change in the updated packets (shown in bold). ACKs 2 (shown in bold) is printed only for ACK packets.
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000
LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c
LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c
00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.
In the following example, the dead interval is set at 4x the hello interval (shown in bold). Configuration Information The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode.
! router ospf 1 timers spf 2 5 msec DellEMC(conf-router_ospf-1)# DellEMC(conf-router_ospf-1)#end DellEMC# For a complete list of the OSPF commands, refer to the OSPF section in the Dell EMC Networking OS Command Line Reference Guide document. Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally.
CONFIG-ROUTER-OSPF-id mode router-id ip address • Disable OSPF. CONFIGURATION mode no router ospf process-id • Reset the OSPFv2 process. EXEC Privilege mode clear ip ospf process-id • View the current OSPFv2 status. EXEC mode show ip ospf process-id Example of Viewing the Current OSPFv2 Status DellEMC#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.
NOTE: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5. In the example below, an IP address is assigned to an interface and an OSPFv2 area is defined that includes the IP address of a Layer 3 interface. The first bold lines assign an IP address to a Layer 3 interface, and the no shutdown command ensures that the interface is UP. The second bold line assigns the IP address of an interface to an area.
Area ID is the number or IP address assigned when creating the area. Example of the show ip ospf database database-summary Command To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode. DellEMC#show ip ospf 34 database database-summary OSPF Router with ID (10.1.2.100) (Process ID 34) Area ID Router Network S-Net S-ASBR Type-7 Subtotal 2.2.2.2 1 0 0 0 0 1 3.3.3.
To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level. CONFIG-ROUTER-OSPF-id mode fast-convergence {number} The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set at 0. NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements.
• Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds – seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval. The dead interval must be the same on all routers in the OSPF network. • Change the time interval between hello-packet transmission.
The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration. Enabling OSPFv2 Authentication To enable or change various OSPF authentication parameters, use the following commands. • Set a clear text authentication scheme on the interface. CONFIG-INTERFACE mode ip ospf authentication-key key Configure a key that is a text string no longer than eight characters. • All neighboring routers must share the password to exchange OSPF information.
CONFIG-ROUTER-OSPF-id mode graceful-restart helper-reject router-id • Planned-only — the OSPFv2 router supports graceful-restart for planned restarts only. A planned restart is when you manually enter a fail-over command to force the primary RPM over to the secondary RPM. During a planned restart, OSPF sends out a Grace LSA before the system switches over to the secondary RPM. OSPF is also notified that a planned restart is happening.
• Create a prefix list with a sequence number and a deny or permit action. CONFIG-PREFIX-LIST mode seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: – ge min-prefix-length: the minimum prefix length to match (from 0 to 32). – le max-prefix-length: the maximum prefix length to match (from 0 to 32). For configuration information about prefix lists, refer to Access Control Lists (ACLs).
distribute-list dilling in DellEMC(conf-router_ospf)# Troubleshooting OSPFv2 Use the information in this section to troubleshoot OSPFv2 operation on the switch. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process. NOTE: The following tasks are not comprehensive; they provide some examples of typical troubleshooting checks.
If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords: – event: view OSPF event messages. – packet: view OSPF packet information. – spf: view SPF information. – database-timers rate-limit: view the LSAs currently in the queue. Example of Viewing OSPF Configuration DellEMC#show run ospf ! router ospf 4 router-id 4.4.4.4 network 4.4.4.
OSPF Area 0 — Te 1/1 and 1/2 OSPF Area 0 — Te 3/1 and 3/2 OSPF Area 0 — Te 2/1 and 2/2 OSPFv3 NSSA NSSA (Not-So-Stubby-Area) is a stub area that does not support Type-5 LSAs, but supports Type-7 LSAs to forward external links. Initially ASBR (Autonomous System Border Router) forwards the external links through Type-7 LSAs to the Area Border Router (ABR) of NSSA, which in turn converts them into Type-5 LSAs and forwards them to the rest of the OSPF domain.
timers spf delay holdtime NOTE: To set the interval time between the reception of topology changes and calculation of SPF in milliseconds, use the timers spf delay holdtime msec command.
IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2 Bring up the interface. CONF-INT-type slot/port mode no shutdown Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router.
Assigning OSPFv3 Process ID and Router ID to a VRF To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands. • Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} The process ID range is from 0 to 65535. • Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address. The format is A.B.C.D.
Interface: identifies the specific interface that is passive. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a port channel interface, enter the keywords port-channel then a number. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Enabling OSPFv3 Graceful Restart Follow the procedure in this section to configure graceful restart for OSPFv3. By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA.
• Display the graceful-restart configuration for OSPFv2 and OSPFv3 (shown in the following example). EXEC Privilege mode show run ospf • Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example). EXEC Privilege mode show ipv6 ospf database grace-lsa • Display the currently configured OSPFv3 parameters for graceful restart (shown in the following example).
OSPFv3 Authentication Using IPsec OSPFv3 uses IPsec to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the internet engineering task force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel. • Transport mode — encrypts only the data portion (payload) of each packet, but leaves the header untouched.
• Manual key configuration is supported in an authentication or encryption policy (dynamic key configuration using the internet key exchange [IKE] protocol is not supported). • In an OSPFv3 authentication policy: – AH is used to authenticate OSPFv3 headers and certain fields in IPv6 headers and extension headers. – MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported. • In an OSPFv3 encryption policy: – Both encryption and authentication are used.
• show crypto ipsec policy Display the security associations set up for OSPFv3 interfaces in authentication policies. show crypto ipsec sa ipv6 Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands.
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
– key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192. – key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
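The key lengths above are easy to get wrong when keys are generated outside the switch, and a wrong-length key is rejected only when the command is entered. The following is an added example (not code from the Dell guide) of a pre-flight check that validates an ESP key against the per-algorithm hex-digit lengths listed in the text. It pairs the shorter length of each pair with key-encryption-type 0 and the longer one with type 7, which is an interpretation of the text that matches the native key sizes of the algorithms (DES 8 bytes, 3DES and AES-192 24 bytes, AES-128 16 bytes); the algorithm names used as dictionary keys are this example's own labels, not CLI keywords.

```python
import re
from typing import Tuple

# Required key length in hex digits, taken from the guide: (key-encryption-type 0, type 7).
# Pairing the shorter value with type 0 is this example's interpretation of the text.
KEY_HEX_DIGITS = {
    "des": (16, 32),
    "3des": (48, 96),
    "aes-cbc-128": (32, 64),
    "aes-cbc-192": (48, 96),
}

# DES and 3DES are legacy ciphers; the check accepts them but says so in the result.
LEGACY_ALGORITHMS = {"des", "3des"}

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def validate_esp_key(algorithm: str, key: str, key_encryption_type: int = 0) -> Tuple[bool, str]:
    """Check an ESP key string before it is pushed in an ipsec/area encryption command.

    Returns (ok, reason). The key must be hex digits of exactly the length the guide
    lists for the algorithm and key-encryption-type (0 = plaintext key, 7 = encrypted key).
    """
    alg = algorithm.lower()
    if alg not in KEY_HEX_DIGITS:
        return False, f"unknown algorithm label {algorithm!r}"
    if key_encryption_type not in (0, 7):
        return False, f"key-encryption-type must be 0 or 7, got {key_encryption_type}"
    if not HEX_RE.fullmatch(key):
        return False, "key must consist of hex digits only"
    expected = KEY_HEX_DIGITS[alg][0 if key_encryption_type == 0 else 1]
    if len(key) != expected:
        return False, (f"{alg} with key-encryption-type {key_encryption_type} needs "
                       f"{expected} hex digits, got {len(key)}")
    note = " (legacy cipher)" if alg in LEGACY_ALGORITHMS else ""
    return True, "ok" + note


if __name__ == "__main__":
    # Constructed keys: all-zero strings of the right and wrong lengths, for illustration only.
    for alg, key, typ in [("aes-cbc-128", "0" * 32, 0), ("aes-cbc-192", "0" * 32, 0),
                          ("3des", "0" * 96, 7), ("des", "0" * 16, 0)]:
        print(alg, typ, validate_esp_key(alg, key, typ))
```

Because the same key must be configured on every neighbouring OSPFv3 router, running this check on the generated key once, before distribution, avoids a partial rollout where some interfaces accept the key and others reject it.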
Crypto IPSec client security policy data
Policy name : OSPFv3-1-500
Policy refcount : 2
Inbound AH SPI : 500 (0x1F4)
Outbound AH SPI : 500 (0x1F4)
Inbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key
• View the summary information for the OSPFv3 database. EXEC Privilege mode show ipv6 ospf [vrf vrf-name] database • View the configuration of OSPFv3 neighbors. EXEC Privilege mode show ipv6 ospf [vrf vrf-name] neighbor • View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [vrf vrf-name] [event | packet] {type slot/port} – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
snmpwalk -c ospf1 -v2c 10.16.133.129 1.3.6.1.2.1.191.1.1 SNMPv2-SMI::mib-2.191.1.1.1.0 = Gauge32: 336860180 SNMPv2-SMI::mib-2.191.1.1.2.0 = INTEGER: 1 SNMPv2-SMI::mib-2.191.1.1.3.0 = INTEGER: 3 SNMPv2-SMI::mib-2.191.1.1.4.0 = INTEGER: 1 SNMPv2-SMI::mib-2.191.1.1.5.0 = INTEGER: 2 SNMPv2-SMI::mib-2.191.1.1.6.0 = Gauge32: 0 SNMPv2-SMI::mib-2.191.1.1.7.0 = Gauge32: 0 SNMPv2-SMI::mib-2.191.1.1.8.0 = Counter32: 10088 SNMPv2-SMI::mib-2.191.1.1.9.0 = Counter32: 10076 SNMPv2-SMI::mib-2.191.1.1.10.
35 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Destination port • TCP Flags After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following: • Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next-hop. • If the specified next-hops are not reachable, the normal routing table is used to forward the traffic.
In the following redirect list, the permit statement is never applied, because the preceding redirect entry already covers all source and destination IP addresses.
ip redirect-list rcl0
 seq 5 redirect 2.2.2.2 ip any any
 seq 10 permit ip host 3.3.3.3 any
To ensure that the permit statement (the PBR exception) is effective, give it a lower sequence number than the redirect entry, as shown:
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
Create a Redirect List
To create a redirect list, use the following commands.
• source ip-address or any or host ip-address is the source IP address.
  – FORMAT: A.B.C.D/NN, or ANY or HOST IP address
• destination ip-address or any or host ip-address is the destination IP address.
  – FORMAT: A.B.C.D/NN, or ANY or HOST IP address
To delete a rule, use the no redirect command.
 seq 20 redirect 10.1.1.3 ip 20.1.1.0/24 any
DellEMC(conf-redirect-list)#
NOTE: Starting with Dell EMC Networking OS version 9.4(0.0), the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy is supported on a router. A recursive route is a route for which the immediate next-hop address is learned dynamically through a routing protocol and acquired through a route lookup in the routing table.
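The two rules stated above (entries are evaluated in ascending sequence order, and a redirect next hop is used only when it is reachable) are what make the ordering of the permit exception matter. The following Python model is an added example, not Dell EMC Networking OS code: it evaluates a redirect list the way the text describes and shows both orderings of rcl0 from the example, with constructed packets and a constructed set of reachable next hops.

```python
"""Redirect-list evaluation as the text describes it: entries are tried in
ascending sequence order and the first matching entry decides; a
'redirect' entry forwards to its next hop only when that next hop is
reachable, otherwise (and for a 'permit' entry, the PBR exception) the
normal routing table is used.  Added example, not Dell EMC Networking OS
code; the rule and packet values are constructed from the rcl0 example."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Entry:
    seq: int
    action: str          # "redirect" or "permit"
    proto: str           # "ip" matches every IP protocol; else "tcp", "udp", ...
    src: str             # "any", "host A.B.C.D" or "A.B.C.D/NN"
    dst: str
    next_hop: str = ""   # only meaningful for "redirect"


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def decide(entries, packet, reachable_next_hops):
    """Return the forwarding decision for one packet.

    ("redirect", next_hop)     -> sent to the policy next hop
    ("permit", seq)            -> PBR exception hit, normal routing
    ("routing-table", reason)  -> no entry matched, or next hop unreachable
    """
    for e in sorted(entries, key=lambda x: x.seq):      # lowest seq first
        if not (e.proto == "ip" or e.proto == packet["proto"]):
            continue
        if not (_match_addr(e.src, packet["src"]) and _match_addr(e.dst, packet["dst"])):
            continue
        if e.action == "permit":
            return ("permit", e.seq)
        if e.next_hop in reachable_next_hops:
            return ("redirect", e.next_hop)
        return ("routing-table", f"next-hop {e.next_hop} unreachable")
    return ("routing-table", "no match")


# The two orderings of rcl0 from the text.
RCL0_PERMIT_SHADOWED = [
    Entry(5, "redirect", "ip", "any", "any", "2.2.2.2"),
    Entry(10, "permit", "ip", "host 3.3.3.3", "any"),
]
RCL0_PERMIT_FIRST = [
    Entry(10, "permit", "ip", "host 3.3.3.3", "any"),
    Entry(15, "redirect", "ip", "any", "any", "2.2.2.2"),
]

# Constructed packets: one from the excepted host, one from elsewhere.
PKT_FROM_EXCEPTED_HOST = {"proto": "tcp", "src": "3.3.3.3", "dst": "10.0.0.1"}
PKT_FROM_OTHER_HOST = {"proto": "udp", "src": "4.4.4.4", "dst": "10.0.0.1"}


def compare_orderings(reachable=frozenset({"2.2.2.2"})):
    """Decisions for the excepted host under both orderings of rcl0."""
    return {
        "permit_shadowed": decide(RCL0_PERMIT_SHADOWED, PKT_FROM_EXCEPTED_HOST, reachable),
        "permit_first": decide(RCL0_PERMIT_FIRST, PKT_FROM_EXCEPTED_HOST, reachable),
    }


if __name__ == "__main__":
    print(compare_orderings())
    # next hop 2.2.2.2 unreachable: traffic falls back to the routing table
    print(decide(RCL0_PERMIT_FIRST, PKT_FROM_OTHER_HOST, set()))
```

With the permit entry at seq 10 behind the redirect at seq 5, traffic from host 3.3.3.3 is redirected to 2.2.2.2 and the exception never fires; with the permit at seq 10 ahead of the redirect at seq 15, the same traffic is handed to normal routing. The reachability check also shows the fallback the text describes when the next hop is down.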
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell EMC Networking OS has the capability to support multiple groups on an interface for backup purposes.
Show Redirect List Configuration
To view the redirect list configuration, use the following commands.
1 View the redirect list configuration and the associated interfaces.
Create the Redirect-List GOLD
Assign Redirect-List GOLD to Interface 2/11
View Redirect-List GOLD
Creating a PBR list using Explicit Track Objects for Redirect IPs
Create Track Objects to track the Redirect IPs:
DellEMC#configure terminal
DellEMC(conf)#track 3 ip host 42.1.1.2 reachability
DellEMC(conf-track-3)#probe icmp
DellEMC(conf-track-3)#track 4 ip host 43.1.1.
DellEMC(conf-redirect-list)#redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144
DellEMC(conf-redirect-list)#end
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                Parameter
1      Interface ip routing    Tunnel 1
2      Interface ipv6 routing  Tunnel 2
3      IP Host reachability    42.1.1.2/32
4      IP Host reachability    43.1.1.
Create Track Objects to track the Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#track 1 interface tunnel 1 ip routing
DellEMC(conf-track-1)#exit
DellEMC(conf)#track 2 interface tunnel 2 ipv6 routing
DellEMC(conf-track-2)#end
Verify the Status of the Track Objects (Up/Down):
DellEMC#show track brief
ResId  Resource                Parameter  State  LastChange
1      Interface ip routing    Tunnel 1   Up     00:00:00
2      Interface ipv6 routing  Tunnel 2   Up     00:00:00
DellEMC#
Create a Redirect-list with Track Objects pertaining
36 PIM Sparse-Mode (PIM-SM)
Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM dense mode, which forwards multicast traffic to all subnets until it receives a request to stop.
Implementation Information
The following information is necessary for implementing PIM-SM.
Refuse Multicast Traffic
A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP.
1 After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
  CONFIGURATION mode
  {ip | ipv6} multicast-routing [vrf vrf-name]
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
• Configuring S,G Expiry Timers
• Configuring a Static Rendezvous Point
• Configuring a Designated Router
• Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1 Enable IPv4 or IPv6 multicast routing on the system.
To display PIM neighbors for each interface, use the show {ip | ipv6} pim neighbor [detail] command in EXEC Privilege mode. The following is an example of show ip pim neighbor command output:
DellEMC#show
Neighbor Address
127.87.5.5
127.87.3.5
127.87.50.
FortyGigE 1/11/1
FortyGigE 1/12/1
FortyGigE 1/13/1
Configuring S,G Expiry Timers
You can configure a global expiry time (for all [S,G] entries). By default, [S,G] entries expire in 210 seconds. When you create, delete, or update an expiry time, the changes are applied when the keepalive timer refreshes.
To configure a global expiry time, use the following command.
• Enable the global expiry timer for S,G entries.
 no shutdown
DellEMC#show running-configuration pim
!
ipv6 pim rp-address 2111:dddd:0eee::22/64 group-address 2111:dddd:0eee::22/128
Overriding Bootstrap Router Updates
PIM-SM routers must know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
router with the greatest priority value is the DR. If the priority value is the same for two routers, the router with the greatest IPv4 or IPv6 address is the DR. By default, the DR priority value is 192, so the IP address determines the DR.
• Assign a DR priority value.
  INTERFACE mode
  {ip | ipv6} pim dr-priority priority-value
• Change the interval at which a router sends hello messages.
  INTERFACE mode
  {ip | ipv6} pim query-interval seconds
• Display the current value of these parameters.
            Mode  Count  Intvl  Prio
Fo 1/3/1    v2/S  1      30     1
  Address : fe80::201:e8ff:fe02:140f
  DR : this router
Fo 1/11/1   v2/S  0      30     1
  Address : fe80::201:e8ff:fe02:1417
  DR : this router
Dell#
Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
To enable BSR election for IPv4 or IPv6, perform the following steps:
1 Enter the following IPv4 or IPv6 command to make a PIM router a BSR candidate:
  CONFIGURATION
  ip pim bsr-candidate
  ipv6 pim bsr-candidate
2 Enter the following IPv4 or IPv6 command to make a PIM router an RP candidate:
  CONFIGURATION
  ip pim rp-candidate
  ipv6 pim rp-candidate
3 Display IPv4 or IPv6 Bootstrap Router information.
37 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
2 Enable PIM-SSM for a range of addresses.
Related Configuration Tasks
• Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1 Create an ACL that uses permit rules to specify what range of addresses should use SSM.
  CONFIGURATION mode
  ip access-list standard name
2 Enter the ip pim ssm-range command and specify the ACL you created.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface   Mode   Uptime   Expires
239.0.0.
Some routers within the domain are configured to be C-RPs. Other routers are configured to be Bootstrap Router candidates (C-BSRs); one router is elected the BSR for the domain, and the BSR is responsible for forwarding BSMs containing RP-set information to other routers. The RP election process is as follows:
1 C-BSRs flood their candidacy throughout the domain in a BSM. Each message contains a BSR priority value, and the C-BSR with the highest priority value becomes the BSR.
Example:
DellEMC#show ipv6 pim bsr-router
PIMv2 Bootstrap information
  BSR address: 200::1 (?)
  BSR Priority: 0, Hash mask length: 126
  Expires: 00:01:43
This system is a candidate BSR
  Candidate BSR address: 100::1, priority: 0, hash mask length: 126
  Next Cand_RP_advertisement in 00:00:25
  RP: 100::1(Lo 0)
DellEMC#
Enabling RP to Serve Specific Multicast Groups
When you configure an RP candidate, its advertisement is sent to the entire multicast address range and the group-to-RP mapping is advertised for the
38 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic.
Mirroring is used for monitoring ingress, egress, or both ingress and egress traffic on specific ports. This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
• A single MD can be monitored on a maximum of 4 MG ports.
Port Monitoring
Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session.
  CONFIGURATION mode
  monitor session
  monitor session type rpm/erpm
  type is an optional keyword, required only for rpm and erpm.
3 Specify the source and destination port and direction of traffic, as shown in the following example.
  MONITOR SESSION mode
  source
Example of Viewing Port Monitoring Configuration
To display information on currently configured port-monitoring sessions, use the show monitor session command from EXEC Privilege mode.
Figure 102.
show run monitor session
DellEMC#show run monitor session
!
monitor multicast-queue 7
DellEMC#
Enabling Flow-Based Monitoring
Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists.
NOTE: Flow-based monitoring is supported for known unicast egress traffic.
Remote port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a time-saving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• You cannot configure the dedicated VLAN used to transport mirrored traffic as a source VLAN.
• Egressing remote-vlan packets are rate limited to a default value of 100 Mbps. To change the mirroring rate, configure rate-limit within the RPM session.
In a destination session used for remote port mirroring:
• Maximum number of destination sessions supported on a switch: 64
• Maximum number of ports supported in a destination session: 64
• You can configure any port as a destination port.
Configuring a RSPAN VLAN for RPM
Following are the steps for configuring a RSPAN VLAN for RPM. You must repeat the following steps on the source, intermediate, and destination switches.
1 Enter global configuration mode.
  EXEC mode
  configure terminal
2 Create a VLAN to transport mirrored traffic in RPM.
  CONFIGURATION mode
  interface vlan vlan-id
3 Configure the RSPAN VLAN to be used to transport mirrored traffic in RPM.
Configuring a destination session
Following are the steps for configuring a destination session on a switch. You can repeat these steps on other destination switches to configure additional destination ports for this RPM session.
1 Configure the destination session for RPM.
  CONFIGURATION mode
  monitor session session-id
2 Associate the Layer 2 VLAN used to transport monitored traffic with this destination session.
Following is a sample configuration of RPM on an intermediate switch.
Configuring Remote Port Mirroring on a destination switch
Following is a sample configuration of RPM on a destination switch.
Configuration Example of Remote Port Mirroring with flow-based enabled
This example provides a sample configuration of remote port mirroring with flow-based monitoring enabled.
Encapsulated Remote Port Monitoring
Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session.
NOTE: When configuring ERPM, follow these guidelines:
• The Dell EMC Networking OS supports ERPM source sessions only. Encapsulated packets terminate at the destination IP address or at the analyzer.
The next example shows the configuration of an ERPM session in which VLAN 11 is monitored as the source interface and a MAC ACL filters the monitored ingress traffic.
ERPM Behavior on a typical Dell EMC Networking OS
The Dell EMC Networking OS is designed to support only the encapsulation of the data received or transmitted at the specified source port (Port A). An ERPM destination session, that is, decapsulation of the ERPM packets at the destination switch, is not supported.
Figure 105.
– The header that gets attached to the packet is 38 bytes long. In the case of a packet with an L3 VLAN, it is 42 bytes long. The original payload (the original mirrored data) starts from the 39th byte in a given ERPM packet. The first 38/42 bytes of the header need to be ignored or chopped off.
– Some tools support options to edit the capture file. You can make use of such features (for example, editcap) to chop off the ERPM header and save the result to a new trace file. This new file (i.e.
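Because the switch never decapsulates ERPM traffic, the analyzer side has to remove the header itself. The following Python is an added example, not Dell EMC Networking OS or editcap code. It assumes the 38/42-byte header stated above is an outer Ethernet header (14 bytes, plus 4 for an 802.1Q tag), a 20-byte IPv4 header and a 4-byte GRE header, and parses those headers rather than hard-coding the offset, so IPv4 options or optional GRE fields would also be skipped correctly; the sample frames and addresses are constructed.

```python
"""Strip the ERPM encapsulation from a captured frame so that the mirrored
frame can be analysed on its own (what the text does with editcap).  The
page states a 38-byte header, or 42 bytes when the outer frame is VLAN
tagged; this matches an outer Ethernet header (14 bytes, +4 for an 802.1Q
tag), a 20-byte IPv4 header and a 4-byte GRE header, which is the layout
assumed here.  Added example, not Dell EMC Networking OS or editcap code;
the sample frames are constructed."""
import struct

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558   # transparent Ethernet bridging: GRE payload is a frame


def erpm_header_length(frame: bytes) -> int:
    """Number of leading bytes to discard before the mirrored frame starts.

    Parses the outer headers instead of hard-coding 38/42, so an outer VLAN
    tag, IPv4 options or optional GRE fields are all accounted for."""
    off = 12                                         # skip outer dst/src MAC
    ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype == ETHERTYPE_VLAN:                  # 802.1Q tag: 4 more bytes
        ethertype = struct.unpack_from("!H", frame, off + 2)[0]
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[off] & 0x0F) * 4                    # IPv4 header length
    if frame[off + 9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 payload is not GRE")
    off += ihl
    gre_flags = struct.unpack_from("!H", frame, off)[0]
    gre_len = 4                                      # flags/version + protocol
    if gre_flags & 0x8000:
        gre_len += 4                                 # checksum + reserved1
    if gre_flags & 0x2000:
        gre_len += 4                                 # key
    if gre_flags & 0x1000:
        gre_len += 4                                 # sequence number
    return off + gre_len


def strip_erpm(frame: bytes) -> bytes:
    """Return the original (mirrored) frame carried inside an ERPM packet."""
    return frame[erpm_header_length(frame):]


# Constructed inner frame: the frame as seen on the monitored source port.
INNER_FRAME = (bytes.fromhex("0001e8000002") + bytes.fromhex("0001e8000001")
               + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
               + b"mirrored payload")


def build_erpm_sample(vlan_tagged: bool) -> bytes:
    """Wrap INNER_FRAME the way the page describes (constructed addresses)."""
    outer = bytes.fromhex("0001e8aaaaaa") + bytes.fromhex("0001e8bbbbbb")
    if vlan_tagged:
        outer += struct.pack("!HH", ETHERTYPE_VLAN, 11)   # VLAN 11, priority 0
    outer += struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 4 + len(INNER_FRAME)
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64,
                       IPPROTO_GRE, 0, bytes([10, 1, 1, 1]), bytes([10, 1, 1, 2]))
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)       # no optional GRE fields
    return outer + ipv4 + gre + INNER_FRAME


if __name__ == "__main__":
    for tagged in (False, True):
        pkt = build_erpm_sample(tagged)
        print("tagged" if tagged else "untagged", erpm_header_length(pkt),
              strip_erpm(pkt) == INNER_FRAME)
```

For the untagged sample the computed header length is 38 and for the tagged one 42, matching the figures in the text; the mirrored frame recovered from either is byte-for-byte the constructed inner frame.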
VLT Non-failover Scenario
Consider a scenario where port monitoring is configured to mirror traffic on a VLT device's port or LAG to a destination port on some other device (TOR) on the network. When there is no failover to the VLT peer, the VLTi link (ICL LAG) also receives the mirrored traffic, because the VLTi link is added as an implicit member of the RPM VLAN. As a result, the mirrored traffic also reaches the peer VLT device, affecting the VLTi link's bandwidth usage.
Scenario: Mirroring using Intermediate VLT device
  In this scenario, the VLT device acts as the intermediate device in remote mirroring. The TOR switch contains the source-RPM configurations that enable mirroring of the VLT LAG (of the TOR switch) to any orphan port in the VLT device. The packet analyzer is connected through the VLT device, but not directly to the VLT device.
RPM Restriction: No restrictions apply.
Recommended Solution: None.
39 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Protocol Overview
PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Table 71. Spanning Tree Variations Dell EMC Networking OS Supports
Dell EMC Networking Term                  IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.1s
Per-VLAN Spanning Tree Plus (PVST+)       Third Party
Implementation Information
• The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.
  no disable
Disabling PVST+
To disable PVST+ globally or on an interface, use the following commands.
• Disable PVST+ globally.
  PROTOCOL PVST mode
  disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
  INTERFACE mode
  no spanning-tree pvst
Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 107. Load Balancing with PVST+
The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command.
• Assign a bridge priority.
• Hello-time — the time interval in which the bridge sends bridge protocol data units (BPDUs).
• Max-age — the length of time the bridge maintains configuration information before it refreshes that information by recomputing the PVST+ topology.
To change PVST+ parameters on the root bridge, use the following commands.
• Change the forward-delay parameter.
  PROTOCOL PVST mode
  vlan forward-delay
  The range is from 4 to 30. The default is 15 seconds.
• Change the hello-time parameter.
Port Cost                                          Default Value
40-Gigabit Ethernet interfaces                     1400
50-Gigabit Ethernet interfaces                     1200
100-Gigabit Ethernet interfaces                    200
Port Channel with 100 Mb/s Ethernet interfaces     180000
Port Channel with 1-Gigabit Ethernet interfaces    18000
Port Channel with 10-Gigabit Ethernet interfaces   1800
Port Channel with 25-Gigabit Ethernet interfaces   1200
Port Channel with 50-Gigabit Ethernet interfaces   200
Port Channel with 100-Gigabit Ethernet interfaces  180
NOTE: The Dell EMC Networking OS impl
The EdgePort status of each interface is given in the output of the show spanning-tree pvst command, as previously shown.
Dell EMC Networking OS Behavior: Regarding the bpduguard shutdown-on-violation command behavior:
• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
• When you add a physical port to a port channel already in an Error Disable state, the new member port is also disabled in the hardware.
• Augment the bridge ID with the VLAN ID.
  PROTOCOL PVST mode
  extend system-id
Example of Viewing the Extend System ID in a PVST+ Configuration
DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32773, Address 0001.e832.73f7
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
40 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 73.
Feature                                    Direction
Create Policy Maps                         Ingress + Egress
Create Input Policy Maps                   Ingress
Honor DSCP Values on Ingress Packets       Ingress
Honoring dot1p Values on Ingress Packets   Ingress
Create Output Policy Maps                  Egress
Specify an Aggregate QoS Policy            Egress
Create Output Policy Maps                  Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection            Egress
Create WRED Profiles                       Egress
Figure 109.
• Policy-Based QoS Configurations
• Enabling QoS Rate Adjustment
• Enabling Strict-Priority Queueing
• Queue Classification Requirements for PFC Functionality
• Support for marking dot1p value in L3 Input Qos Policy
• Weighted Random Early Detection
• Pre-Calculating Available QoS CAM Space
• Specifying Policy-Based Rate Shaping in Packets Per Second
• Configuring Policy-Based Rate Shaping
• Configuring Weights and ECN for WRED
• Configuring WRED and ECN Attributes
• Guidelines for Co
Example of Configuring a dot1p Priority on an Interface
Honoring dot1p Priorities on Ingress Traffic
By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces.
Dell EMC Networking OS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size. Rate shaping on tagged ports is slightly greater than the configured rate, and rate shaping on untagged ports is slightly less than the configured rate. Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell EMC Networking OS matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL.
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL. Use Step 1 or Step 2 to start creating a Layer 2 class map.
1 Create a match-any class map.
  CONFIGURATION mode
  class-map match-any
2 Create a match-all class map.
Displaying Configured Class Maps and Match Criteria
To display all class-maps or a specific class map, use the following command.
Dell EMC Networking OS Behavior: An explicit "deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. In the following example, traffic is classified in two Queues, 1 and 2. Class-map ClassAF1 is "match any," and ClassAF2 is "match all".
Create a QoS Policy
There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values.
• Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Constraints
The systems supporting this feature should use only the default global dot1p to queue mapping configuration as described in Dot1p to Queue Mapping Requirement.
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1 Create an output QoS policy.
Queue   Default Bandwidth Percentage for 4-Queue System   Default Bandwidth Percentage for 8-Queue System
7       -                                                 50%
NOTE: The system supports data queues. When you assign a percentage to one queue, note that this change also affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell EMC Networking recommends evaluating your bandwidth requirements for all other queues as well.
• If you configure a DSCP color map on an interface that does not exist, or you delete a DSCP color map that is configured on an interface, that interface uses an all-green color policy.
To create a DSCP color map:
1 Create the color-aware map (QoS DSCP color map).
  CONFIGURATION mode
  qos dscp-color-map color-map-name
2 Create the color-aware map profile.
  DSCP-COLOR-MAP
  dscp {yellow | red} {list-dscp-values}
3 Apply the map profile to the interface.
Displaying a DSCP Color Policy Configuration
To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode.
summary: Displays summary information about a color policy on one or more interfaces.
detail: Displays detailed color policy information on an interface.
interface: Enter the name of the interface that has the color policy configured.
Applying an Input QoS Policy to an Input Policy Map
To apply an input QoS policy to an input policy map, use the following command.
• Apply an input QoS policy to an input policy map.
  POLICY-MAP-IN mode
  policy-service-queue qos-policy
Honoring DSCP Values on Ingress Packets
Dell EMC Networking OS provides the ability to honor DSCP values on ingress packets using the Trust DSCP feature.
dot1p   Queue ID
6       6
7       7
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
• Enable the trust dot1p feature.
  POLICY-MAP-IN mode
  trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
Creating Output Policy Maps
1 Create an output policy map.
  CONFIGURATION mode
  policy-map-output
2 After you create an output policy map, do one or more of the following:
  Applying an Output QoS Policy to a Queue
  Specifying an Aggregate QoS Policy
  Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
• Source MAC address: 6 bytes
• Ethernet Type/Length: 2 bytes
• Payload: (variable)
• Cyclic redundancy check (CRC): 4 bytes
• Inter-frame gap (IFG): (variable)
You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment. QoS rate adjustment is disabled by default.
• Specify the number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations.
to be applied in switch B as well, and when queue 1 gets congested, PFC is generated for priority 2. Switch A, on receiving PFC frames with priority 2, stops scheduling queue 1. Now suppose a tagged packet with VLAN dot1p 5 ingresses on switch A, and that the tagged packet also has a DSCP in the range 0-7. These packets match the class map and are queued on queue 1 on both switches.
space for other types. You can apply a WRED profile to a policy-map so that specified traffic can be prevented from consuming too much of the BTM resources. WRED uses a profile to specify minimum and maximum threshold values. The minimum threshold is the allotted buffer space for specified traffic, for example, 1000 KB on egress.
• DP values of 110 and 100, 101 map to yellow; all other values map to green.
• If you do not configure Dell EMC Networking OS to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence.
• Assign a WRED profile to either yellow or green traffic.
  QOS-POLICY-OUT mode
  wred
Displaying Default and Configured WRED Profiles
To display the default and configured WRED profiles, use the following command.
Test the policy-map size against the CAM space for a specific port-pipe or all port-pipes using these commands:
• test cam-usage service-policy input policy-map { } number port-set number
• test cam-usage service-policy input policy-map { } all
The output of this command, shown in the following example, displays:
• The estimated number of CAM entries the policy-map will consume.
• Whether or not the policy-map can be applied.
You can use the rate-shape pps peak-rate burst-packets command in the QoS Policy Out Configuration mode to configure the peak rate and burst size as a measure of pps. Alternatively, you can use the rate shape kbps peak-rate burst-KB command to configure the peak rate and peak burst size as a measure of bytes.
Using ECN, the packets are marked for transmission at a later time after the network recovers from the heavy traffic state to an optimal load. In this manner, enhanced performance and throughput are achieved. Also, the devices can respond to congestion before a queue overflows and packets are dropped, enabling improved queue management. When a packet reaches the device with ECN enabled for WRED, the average queue size is computed. To measure the average queue size, a weight factor is used.
Queue Configuration | Service-Pool Configuration | Threshold Relationship (Q threshold = Q-T, service pool threshold = SP-T) | Expected Functionality
1 0 | 0 X | X          | Queue based WRED, No ECN marking
1 0 | 1 X | Q-T < SP-T | Queue based WRED, No ECN marking
1 0 | 1 X | SP-T < Q-T | SP based WRED, No ECN marking
1 1 | 0 X | X          | Queue-based ECN marking above queue threshold.
1 1 | 1 X | Q-T < SP-T | ECN marking to shared buffer limits of the service-pool and then packets are tail dropped.
1 1 | 1 X | SP-T < Q-T | Same as above but ECN marking starts above SP-T.
Guidelines for Configuring ECN for Classifying and Color-Marking Packets
Keep the following points in mind while configuring the marking and mapping of incoming packets using ECN fields in IPv4 headers:
• Currently Dell EMC Networking OS supports matching only the following TCP flags:
  – ACK
  – FIN
  – SYN
  – PSH
  – RST
  – URG
  In the existing software, ECE/CWR TCP flag qualifiers are not supported.
Classifying Incoming Packets Using ECN and Color-Marking Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded. If you configure ECN for WRED, devices employ this functionality of ECN to mark the packets and reduce the rate of sending packets in a congested, heavily-loaded network.
Until Release 9.3(0.0), ACLs support classification based on the following TCP flags:
• ACK
• FIN
• SYN
• PSH
• RST
• URG
You can now use the ecn match qualifier along with the above TCP flags for classification.
 seq 5 permit any dscp 50
!
ip access-list standard dscp_40
 seq 5 permit any dscp 40
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50
!
policy-map-input pmap_dscp_40_50
 servi
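The WRED/ECN mechanism explained in the preceding subsections (an average queue size computed with a weight factor, marking instead of dropping once a threshold is exceeded, tail drop above the maximum) and the ecn 0 qualifier used in the class maps above fit together in one model. The following Python is an added example, not Dell EMC Networking OS code: it keeps a WRED queue with ECN marking and colours packets the way class_dscp_40 and class_dscp_50 do. The thresholds, weight, maximum drop probability and packet stream are constructed values, and the queue stores only each packet's TOS byte.

```python
"""WRED with ECN marking and ECN-aware colouring, following the text: an
exponentially weighted average queue size is kept (the weight factor is
'weight'), nothing is dropped below the minimum threshold, between the
thresholds packets are dropped with a probability rising to max_p, and
above the maximum threshold packets are tail dropped.  With ECN on, an
ECN-capable packet (ECT set in the IP header) is marked CE in the drop
band instead of being dropped; a non-ECT packet cannot be marked, so it is
dropped, and it is also the packet an ACL 'ecn 0' qualifier selects for
yellow colouring.  Added example, not Dell EMC Networking OS code;
thresholds, weight and the packet stream are constructed."""
import random

ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0, 1, 2, 3


def color_for(tos: int, yellow_dscps=(40, 50)):
    """Colour a packet the way the class maps above do: DSCP 40/50 with
    ECN == 0 is set yellow, DSCP 40/50 otherwise stays green (the default),
    and anything else does not match the class at all (None)."""
    dscp, ecn = tos >> 2, tos & 0x3
    if dscp not in yellow_dscps:
        return None
    return "yellow" if ecn == ECN_NOT_ECT else "green"


class WredEcnQueue:
    def __init__(self, min_th, max_th, max_p, weight, ecn=True, rand=None):
        self.min_th, self.max_th, self.max_p, self.weight = min_th, max_th, max_p, weight
        self.ecn = ecn
        self.rand = rand or random.Random(1).random   # deterministic by default
        self.avg = 0.0
        self.queue = []                                # TOS byte of each packet
        self.admitted = self.dropped = self.marked = 0

    def drop_probability(self, avg: float) -> float:
        if avg < self.min_th:
            return 0.0
        if avg >= self.max_th:
            return 1.0
        return self.max_p * (avg - self.min_th) / (self.max_th - self.min_th)

    def enqueue(self, tos: int) -> str:
        # average queue size: EWMA of the instantaneous depth with the weight factor
        self.avg = (1 - self.weight) * self.avg + self.weight * len(self.queue)
        if self.avg >= self.max_th:                    # above max: tail drop, ECN or not
            self.dropped += 1
            return "dropped"
        p = self.drop_probability(self.avg)
        if p > 0 and self.rand() < p:
            if self.ecn and (tos & 0x3) in (ECN_ECT0, ECN_ECT1):
                self.queue.append((tos & 0xFC) | ECN_CE)  # mark CE instead of dropping
                self.marked += 1
                return "marked"
            self.dropped += 1                          # non-ECT: cannot be marked
            return "dropped"
        self.queue.append(tos)
        self.admitted += 1
        return "admitted"

    def dequeue(self):
        return self.queue.pop(0) if self.queue else None


def simulate(n_packets=40, drain_every=3):
    """Constructed burst: alternate ECT and non-ECT DSCP 40 packets into a
    slowly draining queue and report what happened to them."""
    q = WredEcnQueue(min_th=4, max_th=12, max_p=0.5, weight=0.25)
    for i in range(n_packets):
        tos = (40 << 2) | (ECN_ECT0 if i % 2 == 0 else ECN_NOT_ECT)
        q.enqueue(tos)
        if i % drain_every == drain_every - 1:
            q.dequeue()
    return {"admitted": q.admitted, "dropped": q.dropped, "marked": q.marked,
            "ce_in_queue": sum(1 for t in q.queue if t & 0x3 == ECN_CE)}


if __name__ == "__main__":
    print(simulate())
```

Passing rand=lambda: 0.0 makes the drop decision deterministic, which is convenient for checking the band logic by hand: with min_th=2, max_th=4, max_p=1.0 and weight=1.0 the fourth packet sees an average of 3 and is marked if it is ECT but dropped if it is non-ECT, and once the average reaches 4 every packet is tail dropped regardless of ECN, which is the "ECN marking ... and then packets are tail dropped" row of the table above.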
To apply a Layer 2 policy on a Layer 3 interface:
1 Configure an interface with an IP address or a VLAN sub-interface.
  CONFIGURATION mode
  DellEMC(conf)# interface fo 1/49/1
  INTERFACE mode
  DellEMC(conf-if-fo-1/49/1)# ip address 90.1.1.1/16
2 Configure a Layer 2 QoS policy with Layer 2 (dot1p or source MAC-based) match criteria.
  CONFIGURATION mode
  DellEMC(conf)# policy-map-input l2p layer2
3 Apply the Layer 2 policy on a Layer 3 interface.
Enabling Buffer Statistics Tracking
You can enable the tracking of statistical values of buffer spaces at a global level. The buffer statistics tracking utility operates in the max use count mode, which enables the collection of maximum values of counters. To configure the buffer statistics tracking utility, perform the following step:
1 Enable the buffer statistics tracking utility and enter the Buffer Statistics Snapshot configuration mode.
41 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm.
RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Implementation Information Dell EMC Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell EMC Networking OS. Table 78.
Enabling RIP Globally By default, RIP is not enabled in Dell EMC Networking OS. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process on Dell EMC Networking OS. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary
192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
192.162.3.0/24 auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
Configure RIP on Interfaces
When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. • Include directly connected or user-configured (static) routes in RIP.
The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface () participating in the RIP process is also set to send and receive RIPv2 (shown in bold). To view the routing protocols configuration, use the show ip protocols command in EXEC mode. To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax.
Exercise caution when applying an offset command to routers on a broadcast network, because the router using the offset command modifies RIP advertisements before sending them out. The distance command also allows you to manipulate route metrics. To assign different weights to routes so that the ones with the lower weight or administrative distance assigned are preferred, use the distance command. To set route metrics, use the following commands.
RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names. The examples are divided into the following groups of command sequences: • Configuring RIPv2 on Core 2 • Core 2 RIP Output • RIP Configuration on Core 3 • Core 3 RIP Output • RIP Configuration Summary Figure 112.
RIP Configuration on Core3
The following example shows how to configure RIPv2 on a host named Core3.
Example of Configuring RIPv2 on Core3
Core3(conf)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.0
Core3(conf-router_rip)#network 10.11.30.0
Core3(conf-router_rip)#network 10.11.20.0
Core3(conf-router_rip)#show config
!
router rip
network 10.0.0.0
network 192.168.1.0
network 192.168.2.
42 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table. – log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or logand-trap. Default is no log.
[no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
43 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.
• Dell EMC Networking OS supports only one Rapid Spanning Tree (RST) instance.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task; avoid using the range command. When using the range command, Dell EMC Networking recommends limiting the range to five ports and 40 VLANs.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands.
Figure 113. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. To confirm that a port is participating in RSTP, use the show spanning-tree rstp brief command from EXEC privilege mode. Adding and Removing Interfaces To add and remove interfaces, use the following commands.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively affect network performance. The following table displays the default values for RSTP. Table 80.
Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively. snmp-server enable traps xstp Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535. The lower the number assigned, the more likely this bridge becomes the root bridge. The default is 32768. Entries must be multiples of 4096. Example of the bridge-priority Command A console message appears when a new root bridge has been assigned.
Configuring Fast Hellos for Link State Detection To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
44 Software-Defined Networking (SDN) The Dell EMC Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
45 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
Enabling AAA Accounting The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command. • Enable AAA accounting and create a record for monitoring the accounting function.
System accounting can use only the default method list. Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
NAS receives the accounting request from the supplicant and sends the RADIUS request packet to the accounting server after successful authentication. The RADIUS Accounting request contains a RADIUS Acct-Status-Type as Start or Stop to update the supplicant session to the accounting server. NOTE: In RADIUS accounting, fallback behavior among RADIUS and TACACS servers is not supported as the RADIUS accounting feature is not available in Dell EMC Networking OS version earlier than 9.14.1.5.
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "2d6c5beef615d18fa21bbde29411f6d5"
Timestamp = 1557508935
MAB START record: Fri May 10 23:30:21 2019
User-Name = "001122334455"
Called-Station-Id = "00-11-33-44-77-88"
Calling-Station-Id = "00-11-22-33-44-55"
NAS-IP-Address = 10.16.133.
RADIUS Attribute code   RADIUS Attribute    Description
61                      NAS-Port-Type       ASYNC - for console session. VIRTUAL - for telnet/SSH session.
Accounting Attributes
40                      Acct-Status-Type    START
44                      Acct-Session-Id     CLI Session-Id - To match start and stop session requests.
Table 82. RADIUS Accounting Stop Record Attributes for CLI user
RADIUS Attribute code   RADIUS Attribute    Description
4                       NAS-IP-Address      IPv4 address of the NAS.
95                      NAS-IPv6-Address    IPv6 address of the NAS.
RADIUS Attribute code   RADIUS Attribute    Description
95                      NAS-IPv6-Address    IPv6 address of the NAS.
Session Identification Attributes
1                       User-Name           User name / Supplicant MAC Address (for MAB).
5                       NAS-Port            Port on which session is terminated.
6                       Service-Type        Framed (2) for EAP / Call check (10) for MAB.
8                       Framed-IP-Address   IPv4 address of supplicant.
168                     Framed-IPV6-Address IPv6 address of supplicant.
30                      Called-Station-Id   Switch MAC Address.
31                      Calling-Station-Id  Supplicant MAC Address.
RADIUS Attribute code   RADIUS Attribute    Description
61                      NAS-Port-Type       Ethernet
NOTE: During administrator-initiated reload and system failover events, the accounting Stop records for the 802.1x authorized supplicants are not sent to the RADIUS server.
Table 86. Use cases for dot1x supplicant to trigger RADIUS Accounting Start/Stop records
dot1x event                         Accounting type   Attributes
Dot1x user authentication success   Start             Start record attributes for dot1x supplicant.
AAA Authentication Dell EMC Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access.
If you configure the enable sha256-password command, it overrules both the enable secret and enable password commands.
• line: use the password you defined using the password command in LINE mode.
• local: use the username/password database defined in the local configuration.
• none: no authentication.
• radius: use the RADIUS servers configured with the radius-server host command.
• tacacs+: use the TACACS+ servers configured with the tacacs-server host command.
2 Enter LINE mode.
tacacs-server host x.x.x.x key some-password
Examples of the enable commands for RADIUS
To get enable authentication from the RADIUS server and use TACACS as a backup, issue the following commands. The following example shows enabling authentication from the RADIUS server.
DellEMC(config)# aaa authentication enable default radius tacacs
The RADIUS and TACACS servers must be set up properly for this.
DellEMC(config)# radius-server host x.x.x.x key
DellEMC(config)# tacacs-server host x.x.x.
Example:
DellEMC(config)#aaa authentication login vty_auth_list radius
Force all logged-in users to re-authenticate (y/n)?
3 You are prompted to force the users to re-authenticate whenever there is a change in the RADIUS server list.
CONFIGURATION mode
radius-server host IP Address
Example:
DellEMC(config)#radius-server host 192.100.0.12
Force all logged-in users to re-authenticate (y/n)?
DellEMC(config)#no radius-server host 192.100.0.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In Dell EMC Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in Dell EMC Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in Dell EMC Networking OS.
username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level][secret] Configure the optional and required parameters: – name: Enter a text string up to 63 characters long. – access-class access-list-name: Enter the name of a configured IP ACL. – nopassword: Do not require the user to enter a password. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. – privilege level The range is from 0 to 15.
CONFIGURATION mode
username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password Secret]
Configure the optional and required parameters:
2
• name: Enter a text string up to 63 characters (maximum) long.
• access-class access-list-name: Restrict access by access-class.
• privilege level: The range is from 0 to 15.
• nopassword: No password is required for the user to log in.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
DellEMC(conf)#privilege config level 8 snmp-server
DellEMC(conf)#end
DellEMC#show running-config
Current Configuration ...
!
hostname Force10
!
enable password level 8 notjohn
enable password Force10
!
username admin password 0 admin
username john password 0 john privilege 8
!
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed.
Configure the following optional and required parameters: – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a text string up to 32 characters long. To view the password configured for a terminal, use the show config command in LINE mode. Enabling and Disabling Privilege Levels To enable and disable privilege levels, use the following commands. • Set a user’s security level.
• ACL Configuration Information
• Auto-Command
• Privilege Levels
After gaining authorization for the first time, you may configure these attributes. NOTE: RADIUS authentication/authorization is done for every login. There is no difference between first-time login and subsequent logins. Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies the idle time allowed for a user during a session before timeout.
Configuration Task List for RADIUS To authenticate users using RADIUS, you must specify at least one RADIUS server for the system to communicate with, and configure RADIUS as one of your authentication methods. The following list includes the configuration tasks for RADIUS.
login authentication {method-list-name | default}
This procedure is mandatory if you are not using default lists.
• Use the method list.
CONFIGURATION mode
authorization exec methodlist
Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command.
CONFIGURATION mode
radius-server key [encryption-type] key
– encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text.
– key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.
• Configure the number of times Dell EMC Networking OS retransmits RADIUS requests.
CONFIGURATION mode
radius-server retransmit retries
– retries: the range is from 0 to 100. Default is 3 retries.
CONFIGURATION mode
aaa radius auth-method mschapv2
3 Establish a host address and password.
CONFIGURATION mode
radius-server host H key K
4 Log in to the switch using the console, Telnet, or SSH with a valid user role. When 1-factor authentication is used, the authentication succeeds and you can access the switch. When two-factor authentication is used, the system prompts you to enter a one-time password as a second step of authentication.
Attributes In Disconnect message requests and CoA-Request packets, certain attributes are used to uniquely identify the NAS as well as user sessions on the NAS. The combination of NAS and session identification attributes included in a CoA-request or a disconnect-message request must match at least one session in order for a request to be successful; otherwise, a disconnect-Nak or CoA-Nak is sent.
Attribute code   Attribute   Description
                             • v=6027 (Force10); Vendor-Type=1 (Force10-av-pair); Length = value
Table 91. DM Attributes
Attribute code   Attribute               Description
1                User-Name (Mandatory)   Name of the user associated with one or more sessions.
Mandatory attributes The following tables describe the mandatory attributes for various message types: Table 92.
Table 94. CoA EAP/MAB Bounce Port
Radius Attribute code   Radius Attribute   Description                                                                                          Mandatory
NAS Identification Attributes
4                       NAS-IP-Address     IPv4 address of the NAS.                                                                             No
95                      NAS-IPv6-Address   IPv6 address of the NAS.                                                                             No
Session Identification Attributes
5                       NAS-Port           Port on which session is terminated                                                                  Yes
Authorization Attributes
26                      Vendor-Specific    t=26(vendor-specific);l=length;vendor-identification attribute;Length=value; Data="cmd=bounce-host-port"   Yes
Table 95.
Error-cause Values It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem. It may be included within CoA-Nak and Disconnect-Nak packets. The following table describes various error causes for the CoA and DM requests: Table 97.
NOTE: The Invalid Attribute Value Error-Cause is applicable to the following scenarios:
– if the CoA request contains an incorrect Vendor-Specific attribute value.
– if the CoA request contains incorrect NAS-port or calling-station-id values.
• rejects a CoA-Request containing a NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak; Error-Cause value is “NAS Identification Mismatch” (403).
Disconnect Message Processing This section lists various actions that the NAS performs during DM processing. The following activities are performed by NAS: • responds with DM-Nak, if no matching session is found in NAS for the session identification attributes in DM; Error-Cause value is “Session Context Not Found” (503). • responds with DM-Nak for any internal processing error in NAS; Error-Cause value is “Resources Unavailable” (506).
client-key encryption-type key Dell(conf-dynamic-auth#)client-key 7 password Disconnecting administrative users logged in through RADIUS Dell EMC Networking OS enables you to configure disconnect messages (DMs) to disconnect RADIUS administrative users who are logged in through an AAA interface. Before disconnecting an administrative user using the disconnect messages, ensure that the following prerequisites are satisfied: • Shared key is configured in NAS for DAC.
NAS disables the authentication port that is hosting the session and re-enables it after 10 seconds. All user sessions connected to this authentication port are affected. Dell(conf#)radius dynamic-auth Dell(conf-dynamic-auth#)coa-bounce-port NAS takes the following actions whenever port-bounce is triggered: • validates the CoA request and the session identification attributes. • sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attributes.
• sends-ACK if user is configured with forced-authorization. Terminating the 802.1x user session Dell EMC Networking OS provides RADIUS extension commands that terminate the 802.1x user session. When this request is initiated, the NAS disconnects the 802.1x user session without disabling the physical port that authenticated the current session. Before terminating the 802.1x user session, ensure that the following prerequisites are satisfied: • Shared key is configured in NAS for DAC.
NAS administratively shuts down the 802.1x enabled port that is hosting the session. You can re-enable this port only through a non-RADIUS mechanism or through a bounce-port request.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-disable-port
NAS takes the following actions:
• validates the CoA request and the session identification attributes.
• sends a CoA-Nak with an error-cause of 402 (missing attribute), if the CoA request does not contain the NAS-port attribute.
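The following Python model, added here and not code from Dell EMC Networking OS, shows how the NAS-side checks described above for Disconnect Message processing and for CoA bounce-port requests fit together: NAS identification attributes must name this NAS (403), the session identification attributes carried by the request must select at least one session (503), a bounce-port request must carry NAS-Port (402), and any internal failure yields 506. The session table, addresses, and requests are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Error-Cause values the guide lists for CoA-Nak and Disconnect-Nak replies
ERR_MISSING_ATTRIBUTE = 402       # request lacks a required attribute (NAS-Port)
ERR_NAS_ID_MISMATCH = 403         # NAS-IP-Address / NAS-IPv6-Address is not this NAS
ERR_SESSION_NOT_FOUND = 503       # no session matches the identification attributes
ERR_RESOURCES_UNAVAILABLE = 506   # internal processing error in the NAS

NAS_ID_ATTRS = ("NAS-IP-Address", "NAS-IPv6-Address")
# Session identification attributes a DM/CoA request may carry (from the guide's tables)
SESSION_ID_ATTRS = ("User-Name", "NAS-Port", "Calling-Station-Id", "Acct-Session-Id")

Request = Dict[str, str]   # attribute name -> value (constructed, not wire format)


@dataclass
class Session:
    """One 802.1x/MAB session held by the NAS (constructed sample data)."""
    user_name: str
    nas_port: str
    calling_station_id: str
    acct_session_id: str

    def attrs(self) -> Request:
        return {"User-Name": self.user_name, "NAS-Port": self.nas_port,
                "Calling-Station-Id": self.calling_station_id,
                "Acct-Session-Id": self.acct_session_id}


class Nas:
    def __init__(self, addresses: List[str], sessions: List[Session]) -> None:
        self.addresses = set(addresses)      # this NAS's own IPv4/IPv6 addresses
        self.sessions = list(sessions)
        self.bounced_ports: List[str] = []   # ports the NAS disabled and re-enabled

    def _check_nas_identity(self, req: Request) -> Optional[int]:
        # A NAS identification attribute, when present, must name this NAS
        for attr in NAS_ID_ATTRS:
            if attr in req and req[attr] not in self.addresses:
                return ERR_NAS_ID_MISMATCH
        return None

    def _matching_sessions(self, req: Request) -> List[Session]:
        # Every session identification attribute the request carries must match,
        # and the combination must select at least one session
        keys = [a for a in SESSION_ID_ATTRS if a in req]
        if not keys:
            return []
        return [s for s in self.sessions if all(s.attrs()[k] == req[k] for k in keys)]

    def disconnect(self, req: Request) -> Tuple[str, Optional[int]]:
        """Disconnect-Message handling: returns ('DM-ACK'|'DM-NAK', Error-Cause)."""
        try:
            err = self._check_nas_identity(req)
            if err is not None:
                return "DM-NAK", err
            victims = self._matching_sessions(req)
            if not victims:
                return "DM-NAK", ERR_SESSION_NOT_FOUND
            for s in victims:
                self.sessions.remove(s)      # terminate the matched sessions only
            return "DM-ACK", None
        except Exception:                     # any internal processing error
            return "DM-NAK", ERR_RESOURCES_UNAVAILABLE

    def coa_bounce_port(self, req: Request) -> Tuple[str, Optional[int]]:
        """CoA bounce-port (cmd=bounce-host-port): returns ('CoA-ACK'|'CoA-NAK', Error-Cause)."""
        try:
            if "NAS-Port" not in req:
                return "CoA-NAK", ERR_MISSING_ATTRIBUTE
            err = self._check_nas_identity(req)
            if err is not None:
                return "CoA-NAK", err
            if not self._matching_sessions(req):
                return "CoA-NAK", ERR_SESSION_NOT_FOUND
            port = req["NAS-Port"]
            # Bouncing the port affects every session on that port, not only the matched one
            self.sessions = [s for s in self.sessions if s.nas_port != port]
            self.bounced_ports.append(port)
            return "CoA-ACK", None
        except Exception:
            return "CoA-NAK", ERR_RESOURCES_UNAVAILABLE


def sample_nas() -> Nas:
    """Constructed session table: two sessions on Te 1/1 (one MAB), one on Te 1/2."""
    return Nas(["10.16.133.1"], [
        Session("alice", "Te 1/1", "00-11-22-33-44-55", "0001"),
        Session("001122334455", "Te 1/1", "00-11-22-33-44-56", "0002"),
        Session("bob", "Te 1/2", "00-11-22-33-44-57", "0003"),
    ])


if __name__ == "__main__":
    nas = sample_nas()
    print(nas.disconnect({"NAS-IP-Address": "10.0.0.9", "User-Name": "alice"}))  # ('DM-NAK', 403)
    print(nas.coa_bounce_port({"User-Name": "alice"}))                             # ('CoA-NAK', 402)
    print(nas.coa_bounce_port({"NAS-Port": "Te 1/1", "User-Name": "alice"}))       # ('CoA-ACK', None)
```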
NAS considers the new replay protection window value from the next window period. The range is from 1 to 10 minutes. The default is 5 minutes.
Dell(conf-dynamic-auth#)replay-prot-window 10
Rate-limiting RADIUS packets NAS enables you to allow or reject RADIUS dynamic authorization packets based on the rate-limiting value that you specify. NAS lets you configure the number of RADIUS dynamic authorization packets allowed per minute. The default value is 30 packets per minute.
To select TACACS+ as the login authentication method, use the following commands.
1 Configure a TACACS+ server host.
CONFIGURATION mode
tacacs-server host {ip-address | host}
Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts.
2 Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
Monitoring TACACS+ To view information on TACACS+ transactions, use the following command. • View TACACS+ transactions to troubleshoot problems. EXEC Privilege mode debug tacacs+ TACACS+ Remote Authentication The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes.
To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode. To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D).
• SSH V2 is enabled by default on all the modes.
• Display SSH connection information.
EXEC Privilege mode
show ip ssh
Specifying an SSH Version The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
DellEMC(conf)#ip ssh server version 2
DellEMC(conf)#do show ip ssh
SSH server : enabled.
Other SSH-related commands include:
• crypto key generate : generate keys for the SSH server.
• debug ip ssh : enables collecting SSH debug information.
• ip scp topdir : identify a location for files used in secure copy transfer.
• ip ssh authentication-retries : configure the maximum number of attempts that should be used to authenticate a user.
• ip ssh connection-rate-limit : configure the maximum number of incoming SSH connections per minute.
The following example configures the time-based rekey threshold for an SSH session to 30 minutes. DellEMC(conf)#ip ssh rekey time 30 The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes. DellEMC(conf)#ip ssh rekey volume 4096 Configuring the SSH Server Key Exchange Algorithm To configure the key exchange algorithm for the SSH server, use the ip ssh server kex key-exchange-algorithm command in CONFIGURATION mode.
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256,hmac-sha1,hmac-sha1-96.
Example of Configuring an HMAC Algorithm The following example shows you how to configure an HMAC algorithm list.
DellEMC(conf)# ip ssh server mac hmac-sha1-96
Configuring the SSH Server Cipher List To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode.
Example of DNS Configuration in SSH Server Connections To view the status of DNS in the SSH server configuration, use the show running-config ip ssh command from EXEC mode.
DellEMC#show running-config ip ssh
!
ip ssh server dns enable
ip ssh hostbased-authentication enable
no ip ssh password-authentication enable
ip ssh server enable
Secure Shell Authentication Secure Shell (SSH) is enabled by default using the SSH Password Authentication method.
ip ssh rsa-authentication enable
5 Install the user’s public key for RSA authentication in SSH.
EXEC Privilege Mode
ip ssh rsa-authentication username username my-authorized-keys flash://public_key
If you provide the username, the Dell EMC Networking OS installs the public key for that specific user. If no user is associated with the current logged-in session, the system displays the following error message.
ssh_host_rsa_key.pub ssh_config ssh_host_dsa_key ssh_host_key ssh_host_rsa_key
admin@Unix_client# cat ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk=
admin@Unix_client# ls
id_rsa id_rsa.pub shosts
admin@Unix_client# cat shosts
10.16.127.
Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config. To enable or disable the Telnet daemon, use the [no] ip telnet server enable command.
The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No access class is configured for the VTY line. It defaults from the local database.
Role-Based Access Control With Role-Based Access Control (RBAC), access and authorization are controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions, and through those roles users acquire the permissions to perform their associated job function.
For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs. Privilege-or-Role Mode versus Role-only Mode By default, the system provides access to commands determined by the user’s role or by the user’s privilege level. The user’s role takes precedence over a user’s privilege level.
authorization exec test
line vty 1
login authentication test
authorization exec test
To enable role-based only AAA authorization, enter the following command in Configuration mode:
DellEMC(conf)#aaa authorization role-only
System-Defined RBAC User Roles By default, the Dell EMC Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles. NOTE: You cannot delete any system-defined roles.
NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles. Important Points to Remember Consider the following when creating a user role: • Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names. Only the system administrator, security administrator, and roles inherited from these can use the "role" command to modify command permissions.
When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword, followed by the command to which you are controlling access. The following output displays the modes available for the role command.
The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
Examples of Applying a Method List The following configuration example applies a method list: TACACS+, RADIUS and local:
!
radius-server host 10.16.150.203 key
!
tacacs-server host 10.16.150.203 key
!
aaa authentication login ucraaa tacacs+ radius local
aaa authorization exec ucraaa tacacs+ radius local
aaa accounting commands role netadmin ucraaa start-stop tacacs+
!
The following configuration example applies a method list other than default to each VTY line.
Configuring TACACS+ and RADIUS VSA Attributes for RBAC For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell EMC Networking vendor-ID is 6027, and the supported option is an attribute of type string, which is titled “Force10-avpair”.
The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a secadmin user role. DellEMC(conf)#aaa accounting command role secadmin default start-stop tacacs+ Applying an Accounting Method to a Role To apply an accounting method list to a role executed by a user with that user role, use the accounting command in LINE mode.
Displaying Role Permissions Assigned to a Command To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and/or permission level.
Handling Access-Challenge Message To provide a two-step verification in addition to the username and password, NAS prompts for additional information. An Access-Challenge request is sent from the RADIUS server to NAS. The RADIUS server returns one of the following responses: • Access-Challenge—If the user credentials are valid, the NAS server receives an Access-Challenge request from the RADIUS server. • Access-Accept—NAS validates the username and password.
Configuring the System to Drop Certain ICMP Reply Messages You can configure the Dell EMC Networking OS to drop ICMP reply messages. When you configure the drop icmp command, the system drops the ICMP reply messages from the front end and management interfaces. By default, the Dell EMC Networking OS responds to all the ICMP messages. • Drop the ICMP or ICMPv6 message type. drop {icmp | icmp6} CONFIGURATION mode.
Table 100.
Important Points to Remember
• The OS image verification feature is disabled by default on the Dell EMC Networking OS.
• The OS image verification feature is supported for images stored in the local system only.
• The OS image verification feature is not supported when the fastboot or the warmboot features are enabled on the system.
• If OS image verification fails after a reload, the system does not load the startup configuration.
Startup Configuration Verification
Dell EMC Networking OS comes with a startup configuration verification feature. When enabled, it checks the integrity of the startup configuration that the system uses while the system reboots, and loads it only if it is intact.
Important Points to Remember
• The startup configuration verification feature is disabled by default on the Dell EMC Networking OS.
• The feature is supported for startup configuration files stored in the local system only.
After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload.
DellEMC# verified boot hash startup-config 619A8C1B7A2BC9692A221E2151B9DA9E
Configuring the root User Password
For added security, you can change the root user password. If you configure the secure-cli command on the system, the Dell EMC Networking OS resets any previously-configured root access password without displaying any warning message.
– 7 directs the system to store the password with a dynamic salt.
When you configure the root access password, ensure that your password meets the following criteria:
– A minimum of eight characters in length
– A minimum of one lower case letter (a to z)
– A minimum of one upper case letter (A to Z)
– A minimum of one numeric character (0 to 9)
– A minimum of one special character including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~")
If you enable the boot access password, the system prompts for a passwor
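The five criteria above can be checked before a password is ever typed at the device. The following Python checker is an added example, not code from the Dell guide; it implements exactly the listed rules, with the special-character set taken verbatim from the guide (the space counts as a special character), and the sample passwords are constructed.

```python
"""Checker for the root-password criteria listed in this section.

Added example; not code from the Dell guide. Only the five stated criteria
are enforced; nothing is assumed about characters outside the listed classes.
"""
import string

# The guide's special-character set is the ASCII punctuation set plus the space.
SPECIAL_CHARS = frozenset(" " + string.punctuation)


def check_root_password(candidate):
    """Return the list of criteria the candidate fails; an empty list means it is acceptable."""
    failures = []
    if len(candidate) < 8:
        failures.append("a minimum of eight characters in length")
    if not any(c in string.ascii_lowercase for c in candidate):
        failures.append("a minimum of one lower case letter (a to z)")
    if not any(c in string.ascii_uppercase for c in candidate):
        failures.append("a minimum of one upper case letter (A to Z)")
    if not any(c in string.digits for c in candidate):
        failures.append("a minimum of one numeric character (0 to 9)")
    if not any(c in SPECIAL_CHARS for c in candidate):
        failures.append("a minimum of one special character (a space counts)")
    return failures


def is_acceptable(candidate):
    """True when the candidate satisfies every listed criterion."""
    return not check_root_password(candidate)
```

Run the checker over a candidate before using it in the root access password command; a non-empty result names every rule that still has to be satisfied.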
46 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell EMC Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 114. VLAN Stacking in a Service Provider Network
Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
3 Enabling VLAN-Stacking for a VLAN.
Related Configuration Tasks
• Configuring the Protocol Type Value for the Outer VLAN Tag
• Configuring Dell EMC Networking OS Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell EMC Networking OS displays the S-Tag TPID only if it is a non-default value.
VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
Figure 115.
Figure 116.
Figure 117. Single and Double-Tag TPID Mismatch
VLAN Stacking Packet Drop Precedence
VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
Enabling Drop Eligibility
Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
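The S-Tag TPID, the 0x8100 inner TPID, the TPID-mismatch case of Figure 117 and the DEI bit can all be seen in a few bytes of header. The Python parser and builder below is an added example (not code from the Dell guide or from Dell EMC Networking OS); it defaults the S-Tag TPID to the guide's 0x9100, keeps the inner C-Tag TPID at 0x8100 as 802.1Q requires, and the MAC addresses and payload in the usage are constructed.

```python
"""Parse and build single- and double-tagged (Q-in-Q) Ethernet headers.

Added example, not from the Dell guide. The S-Tag TPID defaults to 0x9100
(the guide's default vlan-stack protocol-type); the C-Tag TPID is 0x8100.
"""
import struct

C_TAG_TPID = 0x8100
DEFAULT_S_TAG_TPID = 0x9100


def _tag(tpid, pcp, dei, vid):
    """One 4-byte VLAN tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("bad tag field")
    return struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)


def build_frame(dst, src, ethertype, payload, c_tag=None, s_tag=None,
                s_tag_tpid=DEFAULT_S_TAG_TPID):
    """Return dst|src|[S-Tag]|[C-Tag]|ethertype|payload.

    c_tag and s_tag are (pcp, dei, vid) tuples or None. An S-Tag alone models a
    customer frame that arrived untagged on an access port.
    """
    if len(dst) != 6 or len(src) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    hdr = dst + src
    if s_tag is not None:
        hdr += _tag(s_tag_tpid, *s_tag)
    if c_tag is not None:
        hdr += _tag(C_TAG_TPID, *c_tag)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame, s_tag_tpid=DEFAULT_S_TAG_TPID):
    """Return (tags, ethertype, payload) as a bridge using s_tag_tpid would read them.

    tags is outermost first; an outer TPID that matches neither the configured
    S-Tag TPID nor 0x8100 is treated as the payload ethertype, which is exactly
    the mismatch case: the next hop then sees an untagged frame of unknown type.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, tags = 12, []
    while len(tags) < 2:
        if offset + 2 > len(frame):
            raise ValueError("truncated header")
        tpid = struct.unpack("!H", frame[offset:offset + 2])[0]
        if tpid == s_tag_tpid and not tags:
            kind = "S-Tag"
        elif tpid == C_TAG_TPID:
            kind = "C-Tag"
        else:
            break
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
        tags.append({"kind": kind, "tpid": tpid, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        offset += 4
    if offset + 2 > len(frame):
        raise ValueError("truncated header")
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return tags, ethertype, frame[offset + 2:]


def next_hop_view(frame, local_tpid, next_hop_tpid):
    """Compare how this node and a next hop with another S-Tag TPID read the frame.

    Returns (tags seen locally, tags seen by next hop, ethertype the next hop sees).
    """
    local, _, _ = parse_tags(frame, local_tpid)
    remote, ethertype, _ = parse_tags(frame, next_hop_tpid)
    return len(local), len(remote), ethertype


# Constructed sample: customer VLAN 100, provider VLAN 2000 with DEI set.
SAMPLE = build_frame(b"\x01\x00\x5e\x00\x00\x01", b"\x00\x11\x22\x33\x44\x55",
                     0x0800, b"\x45" + b"\x00" * 19, c_tag=(5, 0, 100), s_tag=(3, 1, 2000))
```

A next hop configured for 0x88A8 reads the 0x9100 outer tag as the frame's ethertype and finds no VLAN tags at all, which is why the guide insists the outer TPID match the next-hop system; the `dei` field of the outer tag is the bit that the drop-precedence section below maps or marks.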
Table 101. Drop Eligibility Behavior
Ingress      Egress       DEI Disabled                                   DEI Enabled
Normal Port  Normal Port  Retain CFI                                     Set CFI to 0
Trunk Port   Trunk Port   Retain inner tag CFI; retain outer tag CFI     Retain inner tag CFI; set outer tag CFI to 0
Access Port  Trunk Port   Retain inner tag CFI; set outer tag CFI to 0   Retain inner tag CFI; set outer tag CFI to 0
To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
dei mark {green | yellow} {0 | 1}
Example of Viewing DEI-Marking Configuration
To display the DEI-marking configuration, use the show interface dei-mark [interface slot/port] command in EXEC Privilege mode.
Dynamic Mode CoS for VLAN Stacking
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.
mac access-list standard a
seq 5 permit any
!
qos-policy-input 3 layer2
rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
Figure 119. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 120. VLAN Stacking with L2PT
Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following command.
1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling
To debug Layer 2 protocol tunneling, use the following command.
• Display debugging information for L2PT.
EXEC Privilege mode
debug protocol-tunnel
Provider Backbone Bridging
IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
47 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
hardware sampling rate is backed-off from 512 to 1024. Port 1 is unaffected and keeps its configured sampling rate of 16384.
• If the interface is up and no sampling rate is configured on the port, the default sampling rate is calculated based on the line speed.
• If the interface is shut down, the sampling rate is set using the global sampling rate.
If you did not enable any extended information, the show output displays the following (shown in bold).
DellEMC#show sflow
sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
Enabling and Disabling sFlow on an Interface
By default, sFlow is disabled on all interfaces.
• Displaying Show sFlow on an Interface
• Displaying Show sFlow on a Line Card
Displaying Show sFlow Global
To view sFlow statistics, use the following command.
• Display sFlow configuration information and statistics.
EXEC mode
show sflow
Example of Viewing sFlow Configuration (Global)
The first bold line indicates sFlow is globally enabled.
Samples rcvd from h/w           :0
Total UDP packets exported      :0
UDP packets exported via RPM    :0
UDP packets dropped             :36
Configuring Specify Collectors
The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
• Identify sFlow collectors to which sFlow datagrams are forwarded.
sFlow on LAG ports
When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port.
Enabling Extended sFlow
Extended sFlow packs additional information in the sFlow datagram depending on the type of sampled packet. The platform supports extended-switch information processing only. You can enable the following options:
• extended-switch — 802.1Q VLAN ID and 802.
Table 102. Extended Gateway Summary IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description static/connected/IGP static/connected/IGP — — Extended gateway data is not exported because there is no AS information. static/connected/IGP BGP 0 Exported src_as and src_peer_as are zero because there is no AS information for IGP. BGP static/connected/IGP — — Exported Exported Prior to Dell EMC Networking OS version 7.8.1.
48 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Troubleshooting SNMP Operation
• Transceiver Monitoring
• Configuring SNMP context name
Protocol Overview
Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
To enable security for SNMP packets transferred between the server and the client, use the snmp-server user username group groupname 3 auth authentication-type auth-password priv aes128 priv-password command to specify that the AES-CFB 128 encryption algorithm is to be used.
Important Points to Remember
• Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications. If you experience a timeout with these values, increase the timeout value to greater than 3 seconds, and increase the retry value to greater than 2 seconds on your SNMP server.
• User ACLs override group ACLs.
Set up SNMP
As previously stated, Dell EMC Networking OS supports SNMP version 1 and version 2, which are community-based security models.
• auth — password privileges. Select this option to set up a user with password authentication.
• priv — password and privacy privileges. Select this option to set up a user with password and privacy privileges.
To set up user-based security (SNMPv3), use the following commands.
• Configure the user with view privileges only (no password or privacy privileges).
Enable SNMPv3 traps
You must configure the notify option for SNMPv3 traps to work.
• Configure SNMPv3 traps.
CONFIGURATION mode
snmp-server group group-name {oid-tree} priv read name write name notify name
Enter the keyword notify then a name (a string of up to 20 characters long) as the notify view name.
• Configure an SNMPv3 view for notify.
Writing Managed Object Values
You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object.
• To write or write-over the value of a managed object.
snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance} syntax value
Example of Writing the Value of a Managed Object
> snmpset -v 2c -c mycommunity 10.11.
The default is None.
Subscribing to Managed Object Value Updates using SNMP
By default, the Dell EMC Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.
Dell EMC Networking OS supports the following three sets of traps:
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
• Enable a subset of SNMP traps.
snmp-server enable traps
NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options.
NOTE: You must configure the notify option for SNMPv3 traps to work.
"REACHABLE: Syslog server 10.11.226.121 (port: 9140) is reachable"
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 2
Following is the sample audit log message that other syslog servers that are reachable receive:
Oct 21 05:26:04: dv-fedgov-s4810-6: %EVL-6-REACHABLE:Syslog server 10.11.226.121 (port: 9140) is reachable
Copy Configuration Files Using SNMP
To do the following, use SNMP from a remote client.
MIB Object / OID / Object Values / Description
• copyDestFileLocation / .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 / 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp / Specifies the location of the destination file. If copyDestFileType is a binary, you must specify copyDestFileLocation and copyDestFileName. If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
• copyDestFileName / .1.3.6.1.4.1.6027.3.5.1.1.1.1.
• index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears. In this case, increment the index value and enter the command again.
Error in packet.
Reason: notWritable (that object does not support modification)
Failed object: FTOS-COPY-CONFIG-MIB::copySrcFileType.101
• To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2
Examples of Copying Configuration Files from a UNIX Machine
The following example shows how to copy configuration files from a UNIX machine using the object name.
> snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.7 i 3 copyDestFileType.7 i 2
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
FTOS-COPY-CONFIG-MIB::copyDestFileType.
copyDestFileName.4 s /home/myfilename copyServerAddress.4 a 11.11.11.11
Copy a Binary File to the Startup-Configuration
To copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP, use the following command.
• Copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.
MIB Object / OID / Values / Description
copy. The state is set to active when the copy is completed.
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mibobject.index]
index: the index value used in the snmpset command used to complete the copy operation.
NOTE: You can use the entire OID rather than the object name.
Viewing the Reason for Last System Reboot Using SNMP
• To view the reason for the last system reboot using SNMP, you can use any one of the applicable SNMP commands. The following example shows sample output of the snmpwalk command to view the last reset reason.
[DellEMC ~]$ snmpwalk -c public -v 2c 10.16.133.172 1.3.6.1.4.1.6027.3.26.1.4.3.1.7
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.stack.1.1 = STRING: Reboot by Software
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.stack.2.
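Walk output like the above is only useful to a monitoring pipeline once it is parsed, and the reset reason is a natural thing to alert on when it is not the reboot an operator expected. The Python below is an added example, not code from the Dell guide; it parses net-snmp's "<oid> = <TYPE>: <value>" line format in general (quoted and unquoted STRING, INTEGER with enum labels such as runningConfig(3), Counter64, Hex-STRING, and untyped "= 1" lines as they appear in later outputs on this page) and then extracts the per-unit reset reason. Reading the unit number from the ".stack.<unit>.<cpu>" suffix of the named OID is an assumption based on the line shown; the unit-2 line in the sample is constructed.

```python
"""Parser for net-snmp walk output, applied to dellNetProcessorResetReason.

Added example, not from the Dell guide. The ".stack.<unit>.<cpu>" index
convention is assumed from the named OID shown on the page.
"""
import re

_VARBIND = re.compile(
    r"^\s*(?P<oid>\S+)\s*=\s*(?:(?P<type>[A-Za-z0-9-]+):\s*)?(?P<value>.*?)\s*$")
_INT_TYPES = {"INTEGER", "Counter32", "Counter64", "Gauge32", "Unsigned32", "Timeticks"}


def parse_varbind(line):
    """Return (oid, printed type or None, value converted according to that type)."""
    m = _VARBIND.match(line)
    if not m:
        raise ValueError("not a varbind line: %r" % line)
    oid, typ, raw = m.group("oid"), m.group("type"), m.group("value")
    if typ in _INT_TYPES:
        # INTEGER may carry an enum label, e.g. runningConfig(3); Timeticks prints (ticks) first.
        num = re.search(r"\((-?\d+)\)", raw)
        value = int(num.group(1)) if num else int(raw.split()[0])
    elif typ == "STRING":
        value = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    elif typ == "Hex-STRING":
        value = bytes.fromhex(raw.replace(" ", ""))
    else:
        value = raw          # OID, IpAddress, and untyped "= 1" lines stay as text
    return oid, typ, value


def reset_reasons(lines):
    """Map stack-unit number -> last reset reason from dellNetProcessorResetReason rows."""
    reasons = {}
    for line in lines:
        if not line.strip():
            continue
        oid, _typ, value = parse_varbind(line)
        if "dellNetProcessorResetReason" not in oid:
            continue
        parts = oid.split(".")
        # Named form ends in .stack.<unit>.<cpu>; otherwise assume the unit is second to last.
        unit = int(parts[parts.index("stack") + 1]) if "stack" in parts else int(parts[-2])
        reasons[unit] = value
    return reasons


def unexpected_reasons(reasons, expected=("Reboot by Software",)):
    """Units whose last reset was not one of the reasons the operator expects to see."""
    return {unit: why for unit, why in reasons.items() if why not in expected}


# Constructed sample walk: the unit-1 line is the one shown in the guide; unit 2 is made up.
SAMPLE_WALK = """\
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.stack.1.1 = STRING: Reboot by Software
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.stack.2.1 = STRING: "Power cycle"
""".splitlines()
```

Feed the parser the raw snmpwalk text; `unexpected_reasons` is the hook for a monitoring rule, with the expected set supplied by whoever knows what reboots were scheduled.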
MIB Support to Display the Available Memory Size on Flash
Dell EMC Networking provides more MIB objects to display the available memory size on flash memory. The following table lists the MIB object that contains the available memory size on flash memory.
Table 109. MIB Objects for Displaying the Available Memory Size on Flash via SNMP
MIB Object / OID / Description
chStackUnitFlashUsageUtil / 1.3.6.1.4.1.6027.3.10.1.2.9.1.6 / Contains flash memory usage in percentage.
MIB Object / OID / Description
chSysCoresProcess / 1.3.6.1.4.1.6027.3.10.1.2.10.1.5 / Contains information that includes the process names that generated each core file.
Viewing the Software Core Files Generated by the System
• To view the software core files generated by the system, use the following command.
snmpwalk -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.10
enterprises.6027.3.10.1.2.10.1.1.1.1 = 1
enterprises.6027.3.10.1.2.10.1.1.1.2 = 2
enterprises.6027.3.10.1.2.10.1.1.1.
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.4.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.5.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.6.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.7.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.8.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.9.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.10.2107012 = Counter64: 0
SNMPv2-SMI::enterprises.6027.3.27.1.3.1.11.
Viewing the Available Partitions on Flash
• To view the available partitions on flash using SNMP, use the following command:
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.4.1.6027.3.26.1.4.8
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.1 = STRING: "tmpfs"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.2 = STRING: "/dev/wd0i"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.3 = STRING: "mfs:477"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.2.4 = STRING: "/dev/wd0e"
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.1 = INTEGER: 40960
.1.3.6.1.4.1.6027.3.26.1.4.8.1.3.
MIB Support to Display Egress Queue Statistics
Dell EMC Networking OS provides MIB objects to display the information of the packets transmitted or dropped per unicast or multicast egress queue. The following table lists the related MIB objects:
Table 113. MIB Objects to display egress queue statistics
MIB Object / OID / Description
dellNetFpEgrQTxPacketsRate / 1.3.6.1.4.1.6027.3.27.1.20.1.6 / Rate of packets transmitted per unicast/multicast egress queue.
dellNetFpEgrQTxBytesRate / 1.3.6.1.4.1.6027.3.27.1.
INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.0.24.0.0.0.0 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.70.70.70.2.32.1.4.70.70.70.2.1.4.70.70.70.2 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.80.80.80.0.24.1.4.10.1.1.1.1.4.10.1.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.1.32.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.30.1.1.2.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.70.70.70.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.
MIB Support for entAliasMappingTable
Dell EMC Networking provides a method to map the physical interface to its corresponding ifindex value. The entAliasMappingTable table contains zero or more rows, representing the logical entity mapping and physical component to external MIB identifiers. The following table lists the related MIB objects:
Table 115. MIB Objects for entAliasMappingTable
MIB Object / OID / Description
entAliasMappingTable / 1.3.6.1.2.1.47.1.3.
MIB Object / OID / Description
dot3adAgg / 1.2.840.10006.300.43.1.1
dot3adAggTable / 1.2.840.10006.300.43.1.1.1 / Contains information about every Aggregator that is associated with a system.
dot3adAggEntry / 1.2.840.10006.300.43.1.1.1.1 / Contains a list of Aggregator parameters, indexed by the ifIndex of the Aggregator.
dot3adAggMACAddress / 1.2.840.10006.300.43.1.1.1.1.1 / Contains a six-octet read-only value carrying the individual MAC address assigned to the Aggregator.
dot3adAggActorSystemPriority / 1.2.840.10006.
MIB Object / OID / Description
dot3adAggPortListPorts / 1.2.840.10006.300.43.1.1.2.1.1 / Contains a complete set of ports currently associated with the Aggregator.
Viewing the LAG MIB
• To view the LAG MIB generated by the system, use the following command.
snmpbulkget -v 2c -c LagMIB 10.16.148.157 1.2.840.10006.300.43.1.1.1.1.1
iso.2.840.10006.300.43.1.1.1.1.1.1258356224
iso.2.840.10006.300.43.1.1.1.1.1.1258356736
iso.2.840.10006.300.43.1.1.1.1.2.1258356224
iso.2.840.10006.300.43.1.1.1.1.2.1258356736
iso.2.
iso.0.8802.1.1.2.1.4.1.1.6.0.3161605.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.4209668.6 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.4210181.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.9437185.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.7.0.2113029.2 = STRING: "fortyGigE 1/50"
iso.0.8802.1.1.2.1.4.1.1.7.0.3161092.6 = STRING: "TenGigabitEthernEt 0/39"
iso.0.8802.1.1.2.1.4.1.1.7.0.3161605.2 = STRING: "fortyGigE 1/49"
iso.0.8802.1.1.2.1.4.1.1.7.0.4209668.6 = STRING: "TenGigabitEthernEt 0/40"
iso.0.8802.1.1.2.1.4.
Viewing the Details of Organizational Specific Unrecognized LLDP TLVs
• To view the information of organizational specific unrecognized LLDP TLVs using SNMP, use the following commands.
snmpwalk -v2c -c public 10.16.150.83 1.0.8802.1.1.2.1.4.4.1.4
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.1.133
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.2.134
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.3.135
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.4.136
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.5.
MIB Support for LLDP Notification Interval
Dell EMC Networking provides objects for controlling the transmission of LLDP notification messages. The following table lists the related MIB objects:
Table 119. MIB Objects for LLDP Notification Interval
MIB Object / OID / Description
lldpNotificationInterval / 1.0.8802.1.1.2.1.1.5 / This object controls the transmission of LLDP notifications.
SNMP Walk Output
snmpwalk -c public -v 2c 10.16.132.55 1.0.8802.1.1.2.1.1.5
.1.0.8802.1.1.2.1.1.5.
MIB support for interface level port security
The MIB table dellNetPortSecIfConfigTable is used to configure the port security feature (MAC address learning limit) on an interface.
NOTE: Port Security is not supported in VLT port channels.
The following table shows the MIB objects of the table dellNetPortSecIfConfigTable. The OID of the MIB table is 1.3.6.1.4.1.6027.3.31.1.2.1.
Table 121.
To configure dellNetPortSecIfSecureMacLimit as 100 on an interface whose ifIndex is 2101252, use the following command.
snmpset -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.1.1.3.2101252 i 100
To remove the dellNetPortSecIfSecureMacLimit configuration on an interface whose ifIndex is 2101252, use the following command.
snmpset -v 2c -c public 10.16.129.26 1.3.6.1.4.1.6027.3.31.1.2.1.1.3.
MIB objects for configuring MAC addresses
This section describes the MIB table dellNetPortSecSecureMacAddrTable, which contains the MAC database of the system. The table is indexed by the following parameters:
• MAC Address (an octet string of length 6, with the MAC address in decimal as the value)
• VLAN ID
Table 123. MIB Objects for configuring MAC addresses
MIB Object / OID / Access or Permission / Description
dellNetSecureMacIfIndex / 1.3.6.1.4.1.6027.3.31.1.3.1.1.
Fetch Dynamic MAC Entries using SNMP
Dell EMC Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.
NOTE: The 802.1q Q-BRIDGE MIB defines VLANs with regard to 802.1d, as 802.1d itself does not define them. As a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address queries.
You can use the show interfaces command to view the interface index.
MIB Objects for Viewing the System Image on Flash Partitions
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 125. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object / OID / Description / MIB
chSysSwInPartitionAImgVers / 1.3.6.1.4.1.6027.3.10.1.2.8.1.
• snmp context context2
• timers bgp 30 90
• neighbor 30.1.1.1 remote-as 200
• neighbor 30.1.1.1 no shutdown
• exit-address-family
To map the context to a VRF instance for SNMPv3, follow these steps:
1 Create a community and map a VRF to it.
2 Create a context and map the context and community to a community map.
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.2.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.4.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.5.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.1.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.3.1.2.0.1.30.1.1.2.1.30.1.1.
Troubleshooting SNMP Operation
When you use SNMP to retrieve management data from an SNMP agent on a Dell EMC Networking router, take into account the following behavior.
• When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed. To correctly display this information under ICMP statistics, use the show ip traffic command.
Field (OID) / Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7 / Serial Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8 / Transmit Power Lane1
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.9 / Transmit Power Lane2
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.10 / Transmit Power Lane3
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.11 / Transmit Power Lane4
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.12 / Receive Power Lane1
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
49 Stacking
Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports. The stack becomes manageable as a single switch through the stack management unit.
• Switch removal
If the master switch goes offline, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby.
Stack Master Election
The stack elects a master and standby unit at bootup time based on two criteria.
• Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0.
After the former master switch recovers, despite having a higher priority or MAC address, it does not recover its master role but instead takes the next available role. To view failover details, use the show redundancy command. MAC Addressing on Stacks The stack has three MAC addresses: the chassis MAC, interface MAC, and null interface MAC. All interfaces in the stack use the interface MAC address of the management unit, and the chassis MAC for the stack is the master’s chassis MAC.
Example of Stack Manager Redundancy Management Access on Stacks You can access the stack via the console port or VTY line. • Console access — You may access the stack through the console port of the master unit (stack manager) only. Similar to a standby RPM, the console port of the standby unit does not provide management capability; only a limited number of commands are available. Member units provide a limited set of commands.
• Add Units to an Existing Stack
• Split a Stack
Create a Stack
Stack Group/Port Numbers
By default, each unit in Standalone mode is numbered stack-unit .
Enabling Front End Port Stacking
To enable the front ports on a unit for stacking, use the following commands.
NOTE: You can stack a maximum of eight 10G stack ports.
1 Assign a stack group for each unit.
CONFIGURATION mode
stack-unit id stack-group id
Begin with the first port on the management unit.
stack-unit stack-unit-number renumber stack-unit-number
Renumbering causes the unit to reboot. The stack-unit default for all new units is stack-unit .
4 Configure the switch priority for each unit to make management unit selection deterministic.
CONFIGURATION mode
stack-unit stack-unit-number priority priority
5 Connect the units using stacking cables.
NOTE: The device does not require special stacking cables. The cables used to connect the data ports are sufficient.
Manually Assigning a New Unit to an Existing Stack
To manually assign a new unit a position in an existing stack, use the following steps.
1 On the stack, determine the next available stack-unit number, and the management priority of the management unit.
EXEC Privilege mode
show system brief or show system stack-unit
2 On the new unit, number it the next available stack-unit number.
7 Reload the switch.
EXEC Privilege mode
reload
Dell EMC Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
8 If a standalone switch already has stack groups configured, attach cables to connect the ports already configured as stack groups on the switch to one or more switches in the stack.
• Creating a Virtual Stack Unit in a Stack
• Displaying Information About a Stack
• Influencing Management Unit Selection on a Stack
• Managing Redundancy on a Stack
• Resetting a Unit on a Stack
• Recover from Stack Link Flaps
Assigning Unit Numbers to Units in a Stack
Each unit in the stack has a stack number that is assigned either by you or by Dell EMC Networking OS. Stack numbers are stored in NVRAM and are preserved upon reload.
• Assign a stack-number to a unit.
Examples of the show system Commands Display information about a switch stack using the show system command. The following is an example of the show system command to view the stack details. The following is an example of the show system brief command to view the stack summary information. The following example shows the show system stack-ports command.
Resetting a Unit on a Stack You may reset any stack unit except for the master management unit, as shown in the following message. % Error: Reset of master unit is not allowed. To reset a unit on a stack, use the following commands. • Reload a stack-unit. EXEC Privilege mode reset stack-unit unit-number • Reload a member unit, from the unit itself. EXEC Privilege mode reset-self • Reset a stack-unit when the unit is in a problem state.
Removing a Unit from a Stack The running-configuration and startup-configuration are synchronized on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit. You may do this at any time, whether the unit is powered or unpowered, online or offline.
In the following example, a stack-port on the master flaps. The remote member, Member 2, displays a console message, and the master and standby display KERN-2-INT messages. To re-enable the downed stack-port, power cycle the offending unit. Example of Console Messages About Flapping Link Recover from a Card Problem State on a Stack If a unit added to a stack has a different Dell EMC Networking OS version, the unit does not come online and Dell EMC Networking OS cites a card problem error.
50 Storm Control Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic. To view the storm control configuration, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
INTERFACE mode storm-control broadcast packets_per_second in • Configure the packets per second of multicast traffic allowed on a C-Series or S-Series interface (ingress only) network only. INTERFACE mode storm-control multicast packets_per_second in • Shut down the port if it receives PFC/LLFC packets at more than the configured rate. INTERFACE mode storm-control pfc-llfc pps in shutdown NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets.
Restore Queue Drop State You can restore a queue drop triggered by storm control PFC detection to the normal state. Once the storm control PFC is detected on a port or priority, you can activate the queue drop action. You can restore the dropped queue to the normal state under the following conditions. • You can restore the queue after a particular period of time. Use the queue-drop backoff-force polling-count command to remove the queue-drop state after the specified number of polling cycles is complete.
51 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
Configure Spanning Tree Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 121. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following commands. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE mode switchport 3 Enable the interface.
Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default. When you enable STP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the Spanning Tree topology. • Only one path from any bridge to any other bridge participating in STP is enabled.
To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
DellEMC(conf)#protocol spanning-tree 0
DellEMC(config-span)#show config
!
protocol spanning-tree 0
 no disable
DellEMC#
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
The range is from 4 to 30. • The default is 15 seconds. Change the hello-time parameter (the BPDU transmission interval). PROTOCOL SPANNING TREE mode hello-time seconds NOTE: With large configurations (especially those with more ports) Dell EMC Networking recommends increasing the hello-time. The range is from 1 to 10. • The default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology).
To view the current values for interface parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Enabling PortFast The PortFast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. Interfaces forward frames by default until they receive a BPDU that indicates that they should behave otherwise; they do not go through the Learning and Listening states.
– Disable the shutdown-on-violation option on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). Figure 123. Enabling BPDU Guard Dell EMC Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
bridge-priority {priority-value | primary | secondary} – priority-value: the range is from 0 to 65535. The lower the number assigned, the more likely this bridge becomes the root bridge. The primary option specifies a bridge priority of 8192. The secondary option specifies a bridge priority of 16384. The default is 32768. Example of Viewing STP Root Information To view only the root information, use the show spanning-tree root command from EXEC privilege mode.
Figure 124. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
– mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode. To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.
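As an added illustration (not code from the guide or from Dell EMC Networking OS), the following Python models the bridge-ID comparison behind bridge-priority and the PortFast BPDU guard and root guard handling of a received BPDU described above. Bridge MACs, priorities and port names are constructed, and the guard semantics are the generic STP ones, not a reproduction of the OS implementation.

```python
"""Bridge-ID comparison behind `bridge-priority`, plus PortFast BPDU guard and
root guard handling of a received BPDU.

Assumptions (not taken from the guide): bridge ID = 16-bit priority followed by
the 48-bit bridge MAC, lowest wins; a PortFast port with BPDU guard is blocked on
any BPDU, or error-disabled with shutdown-on-violation; a root guard port that
receives a BPDU advertising a root ID lower than the current root is put into a
root-inconsistent (blocking) state. MACs and names are constructed samples.
"""
from dataclasses import dataclass

# Values of the bridge-priority keywords documented above.
PRIMARY_PRIORITY = 8192
SECONDARY_PRIORITY = 16384
DEFAULT_PRIORITY = 32768


def bridge_id(priority, mac):
    """64-bit bridge ID: priority in the high 16 bits, MAC in the low 48."""
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority must be 0..65535")
    return (priority << 48) | int(mac.replace(":", ""), 16)


def elect_root(bridges):
    """bridges: iterable of (name, priority, mac). Returns the name of the
    bridge with the numerically lowest bridge ID, i.e. the root."""
    return min(bridges, key=lambda b: bridge_id(b[1], b[2]))[0]


@dataclass
class Port:
    name: str
    portfast: bool = False
    bpduguard: bool = False
    shutdown_on_violation: bool = False
    rootguard: bool = False
    state: str = "forwarding"


def receive_bpdu(port, current_root_id, advertised_root_id):
    """Apply the guards to one received BPDU and return the port's new state."""
    if port.portfast and port.bpduguard:
        # An edge port should never see a BPDU; BPDU guard reacts to any of them.
        port.state = "err-disabled" if port.shutdown_on_violation else "blocking"
    elif port.rootguard and advertised_root_id < current_root_id:
        # A superior BPDU would move the root; root guard blocks the port instead.
        port.state = "root-inconsistent"
    return port.state


if __name__ == "__main__":
    lan = [("core-1", PRIMARY_PRIORITY, "00:01:e8:00:00:01"),
           ("core-2", SECONDARY_PRIORITY, "00:01:e8:00:00:02"),
           ("access", DEFAULT_PRIORITY, "00:01:e8:00:00:03")]
    print("root:", elect_root(lan))
    edge = Port("Te 0/1", portfast=True, bpduguard=True, shutdown_on_violation=True)
    print(edge.name, receive_bpdu(edge, bridge_id(PRIMARY_PRIORITY, "00:01:e8:00:00:01"),
                                  bridge_id(0, "00:01:e8:00:00:99")))
```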
As shown in the following illustration (STP topology 2, upper right), a loop can also be created if the forwarding port on Switch B becomes busy and does not forward BPDUs within the configured forward-delay time. As a result, the blocking port on Switch C transitions to a forwarding state, and both Switch A and Switch C transmit traffic to Switch B (STP topology 2, lower right).
• Loop guard is supported on any STP-enabled port or port-channel interface. • Loop guard is supported on a port or port-channel in any spanning tree mode: – Spanning Tree Protocol (STP) – Rapid Spanning Tree Protocol (RSTP) – Multiple Spanning Tree Protocol (MSTP) – Per-VLAN Spanning Tree Plus (PVST+) • You cannot enable root guard and loop guard at the same time on an STP port.
52 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see the Dell EMC Networking Open Automation Guide. Figure 126.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer | core-transfer} start now DellEMC#support-assist activity full-transfer start now DellEMC#support-assist activity core-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity.
action-manifest remove DellEMC(conf-supportassist-act-full-transfer)#action-manifest remove custom_file1.json DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-event-transfer)#action-manifest remove custom_event_file1.json DellEMC(conf-supportassist-act-event-transfer)# 6 Enable a specific SupportAssist activity. By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
Configuring SupportAssist Person SupportAssist Person mode allows you to configure name, email addresses, phone, method and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands. 1 Configure the contact name for an individual.
[no] server server-name DellEMC(conf-supportassist)#server default DellEMC(conf-supportassist-serv-default)# 2 Configure a proxy for reaching the SupportAssist remote server. SUPPORTASSIST SERVER mode [no] proxy-ip-address {ipv4-address | ipv6-address} port port-number [ username userid password [encryption-type] password ] DellEMC(conf-supportassist-serv-default)#proxy-ip-address 10.0.0.
show running-config support-assist
DellEMC# show running-config support-assist
!
support-assist
enable all
!
activity event-transfer
enable
action-manifest install default
!
activity core-transfer
enable
!
contact-company name Dell street-address F lane , Sector 30 address city Brussels state HeadState country Belgium postalcode S328J3
!
contact-person first Fred last Nash email-address primary des@sed.com alternate sed@dol.
53 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set system times and dates and maintain them through NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell EMC Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell EMC Networking OS to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell EMC Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell EMC Networking system synchronizes.
Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell EMC Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
To configure NTP authentication, use the following commands. 1 Enable NTP authentication. CONFIGURATION mode ntp authenticate 2 Set an authentication key. CONFIGURATION mode ntp authentication-key number {md5 | sha1} key Configure the following parameters: • number: the range is from 1 to 65534. This number must be the same as the number in the ntp trusted-key command. • key: enter a text string. This text string is encrypted. 3 Define a trusted key.
ntp server 10.16.127.144
Dell EMC (conf)#
Dell EMC#show ntp associations
    remote         vrf-Id  ref clock      st  when  poll  reach  delay    offset   disp
====================================================================================
LOCAL(0)            0     .LOCL.          7    7    16     7    0.000    0.000   0.002
10.16.127.86        0     10.16.127.26    5    3    16     7    0.498  361.760   0.184
10.16.127.144       0     10.16.127.26    5    1    16     7    0.492  359.171   0.219
10.16.127.44        0     10.16.127.26    5    5    16     7    0.498  355.501   0.
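To show what the authentication-key and trusted-key settings above actually protect, here is an added Python example (not code from the guide or from Dell EMC Networking OS) that builds the RFC 5905 symmetric-key MAC over an NTP header and verifies it the way a receiving switch would. The key IDs, key strings and the assumption that no NTP extension fields are present are mine.

```python
"""Symmetric-key NTP authentication, as set up with the ntp authenticate,
ntp authentication-key and ntp trusted-key commands.

Added illustration, not Dell EMC Networking OS code. It follows the RFC 5905
MAC layout: 48-byte NTP header, then a 4-byte key ID, then the digest of
key || header (16 bytes for MD5, 20 for SHA-1). It assumes no NTP extension
fields are present. Key IDs and key strings are constructed sample values.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
DIGEST_LEN = {"md5": 16, "sha1": 20}

# Constructed key table, the equivalent of:
#   ntp authentication-key 1 md5 s6010-sample-key
#   ntp authentication-key 2 sha1 second-sample-key
KEY_TABLE = {
    1: ("md5", b"s6010-sample-key"),
    2: ("sha1", b"second-sample-key"),
}
# Key IDs named with `ntp trusted-key`; key 2 is defined but deliberately not trusted.
TRUSTED_KEYS = {1}


def ntp_digest(algo, key, header):
    """Digest over key || header, the way the NTP reference implementation builds the MAC."""
    h = hashlib.new(algo)
    h.update(key)
    h.update(header)
    return h.digest()


def build_client_header():
    """Minimal NTPv4 client header: LI=0, VN=4, Mode=3, all timestamps zero."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return struct.pack("!BBbb", first_byte, 0, 0, 0) + bytes(NTP_HEADER_LEN - 4)


def sign_packet(header, key_id):
    """Append key ID and digest to a header using the given key."""
    algo, key = KEY_TABLE[key_id]
    return header + struct.pack("!I", key_id) + ntp_digest(algo, key, header)


def verify_packet(packet):
    """Return (accepted, reason) for a received packet, mirroring the checks a
    receiver applies: MAC present, key ID known, key ID trusted, digest matches."""
    if len(packet) < NTP_HEADER_LEN + 4:
        return False, "no MAC present"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])
    mac = packet[NTP_HEADER_LEN + 4:]
    if key_id not in KEY_TABLE:
        return False, "unknown key id %d" % key_id
    if key_id not in TRUSTED_KEYS:
        return False, "key id %d is not trusted" % key_id
    algo, key = KEY_TABLE[key_id]
    if len(mac) != DIGEST_LEN[algo]:
        return False, "digest length mismatch"
    expected = ntp_digest(algo, key, header)
    # Constant-time comparison; a plain == leaks timing information on mismatches.
    if not hmac.compare_digest(expected, mac):
        return False, "digest mismatch"
    return True, "authenticated"


if __name__ == "__main__":
    good = sign_packet(build_client_header(), 1)
    print(verify_packet(good))
    tampered = bytearray(good)
    tampered[1] ^= 0x01  # flip a bit in the stratum field
    print(verify_packet(bytes(tampered)))
```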
Configuring NTP control key password The Network Time Protocol daemon (NTPD) design uses NTPQ to configure NTPD. NTP control key supports encrypted and unencrypted password options. The ntp control-key-passwd command authenticates NTPQ packets. The default control-key-passwd authenticates the NTPQ packets until the user changes the control key using the ntp control-key-passwd command. To configure the NTP control key password, use the following command. Configure the NTP control key password.
Setting the Timezone Coordinated Universal Time (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean Time. When determining system time, include the differentiator between UTC and your local timezone. For example, San Jose, CA is in the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command. • Set the clock to the appropriate timezone.
– offset: (OPTIONAL) enter the number of minutes to add during the summer-time period. The range is from 1 to 1440. The default is 60 minutes. Example of the clock summer-time Command Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
last Week number to start DellEMC(conf)#clock summer-time pacific recurring DellEMC(conf)#02:10:57: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "Summer time starts 00:00:00 Pacific Tue Mar 14 2017 ; Summer time ends 00:00:00 pacific Tue Nov 7 2017" to "Summer time starts 02:00:00 Pacific Tue Mar 14 2017;Summer time ends 02:00:00 pacific Tue Nov 7 2017" System Time and Date 891
54 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
interface Tunnel 2
no ip address
ipv6 address 2::1/64
tunnel destination 90.1.1.1
tunnel source 60.1.1.1
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.
tunnel source 40.1.1.1
tunnel allow-remote 40.1.1.2
tunnel mode ipip decapsulate-any
no shutdown
Configuring Tunnel source anylocal Decapsulation The tunnel source anylocal command allows a multipoint receive-only tunnel to decapsulate tunnel packets addressed to any IPv4 or IPv6 (depending on the tunnel mode) address configured on the switch that is operationally UP.
55 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 128. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 129. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number, which is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error. The order in which downstream ports are disabled is from the lowest numbered port to the highest.
UPLINK-STATE-GROUP mode downstream auto-recover By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5 (Optional) Enter a text description of the uplink-state group. UPLINK-STATE-GROUP mode description text The maximum length is 80 alphanumeric characters. 6 (Optional) Disable upstream-link tracking without deleting the uplink-state group.
– group-id: The values are from 1 to 16. – detail: displays additional status information on the upstream and downstream interfaces in each group. • Display the current status of a port or port-channel interface assigned to an uplink-state group. EXEC mode show interfaces interface interface specifies one of the following interface types: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
56 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
57 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
• Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size.
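An added example, not code from the guide or from Dell EMC Networking OS, that builds and parses the 802.1Q tag header described above and flags frames that, with the tag, exceed the untagged 1,518-byte maximum; MAC addresses and payloads are constructed.

```python
"""Build and parse IEEE 802.1Q-tagged Ethernet frames.

Added illustration, not Dell EMC Networking OS code. The 4-byte tag sits after
the source MAC: TPID 0x8100 and a 2-byte TCI holding a 3-bit priority (PCP), a
1-bit DEI and the 12-bit VLAN ID. Of the 4,096 VID values, 0 and 4095 are the
two reserved ones. MAC addresses and payloads below are constructed samples.
"""
import struct

TPID_8021Q = 0x8100
VID_RESERVED = (0, 4095)      # 0 = priority-tagged only, 4095 = reserved
MAX_UNTAGGED_FRAME = 1518     # IEEE 802.3 maximum, including the 4-byte FCS
FCS_LEN = 4


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(b):
    return ":".join("%02x" % x for x in b)


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0, dei=0):
    """Return a frame without FCS; tagged when vid is given, untagged otherwise."""
    head = mac_to_bytes(dst) + mac_to_bytes(src)
    if vid is not None:
        if vid in VID_RESERVED or not 0 <= vid <= 4095:
            raise ValueError("VLAN ID %r is reserved or out of range" % vid)
        tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Decode dst, src, optional tag fields, ethertype and payload (no FCS)."""
    dst, src = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    (tpid,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "vid": None, "pcp": None, "dei": None}
    if tpid == TPID_8021Q:
        # Tag present: the real EtherType follows the TCI.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(vid=tci & 0x0FFF, dei=(tci >> 12) & 1, pcp=tci >> 13)
        body = frame[18:]
    else:
        ethertype, body = tpid, frame[14:]
    info["ethertype"] = ethertype
    info["payload"] = body
    return info


def exceeds_untagged_max(frame):
    """True when the frame plus FCS is larger than a strict 802.3 device accepts."""
    return len(frame) + FCS_LEN > MAX_UNTAGGED_FRAME


if __name__ == "__main__":
    full = build_frame("00:01:e8:00:00:01", "00:01:e8:00:00:02", 0x0800, bytes(1500), vid=30)
    print(parse_frame(full)["vid"], len(full), exceeds_untagged_max(full))
```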
notes whether the interface is tagged (T) or untagged (U). For more information about this command, refer to the Layer 2 chapter of the Dell EMC Networking OS Command Reference Guide. To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands. 1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode. Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
4 Add the interface to a tagged or untagged VLAN. VLAN INTERFACE mode [tagged | untagged] Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured.
58 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is a Dell EMC technology that provides two Dell EMC switches the ability to function as a single switch. VLT allows physical links between two Dell EMC switches to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). As a result, the two physical switches appear as a single switch to the connected devices.
Figure 132. VLT providing multipath VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain.
Figure 133. Example of VLT Deployment VLT offers the following benefits: • Allows a single device to use a LAG across two upstream devices. • Eliminates STP-blocked ports. • Provides a loop-free topology. • Uses all available uplink bandwidth. • Provides fast convergence if either the link or a device fails. • Optimized forwarding with virtual router redundancy protocol (VRRP). • Provides link-level resiliency. • Assures high availability. • Active-Active load sharing with VRRP.
VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the connectivity between the VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
Layer-2 Traffic in VLT Domains In a VLT domain, the MAC address of any host connected to the VLT peers is synchronized between the VLT nodes. In the following example, VLAN 10 is spanned across three VLT domains. Figure 134. Layer-2 Traffic in VLT Domains If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2.
30  a0:00:a1:00:00:07  Dynamic  (N) Po 11  Active
30  a0:00:a1:00:00:08  Dynamic  (N) Po 11  Active
30  a0:00:a1:00:00:09  Dynamic  (N) Po 11  Active
30  a0:00:a1:00:00:0a  Dynamic  (N) Po 11  Active
30  a0:00:a1:00:00:0b  Dynamic  (N) Po 11  Active
30  a0:00:a1:00:00:0c  Dynamic  Po 11  Active
VLT-10-PEER-2#show vlt statistics mac
VLT MAC Statistics
-------------------
L2 Info Pkts sent:0, L2 Mac-sync Pkts Sent:7
L2 Info Pkts Rcvd:0, L2 Mac-sync Pkts Rcvd:9
L2 Reg Request sent:0
L2 Reg Request rcvd:0
L2 Reg Response sent:0
L2
Figure 135. VLT on Core Switches The aggregation layer is mostly in the L2/L3 switching/routing layer. For better resiliency in the aggregation, Dell EMC Networking recommends running the internal gateway protocol (IGP) on the VLTi VLAN to synchronize the L3 routing table across the two nodes on a VLT system. Enhanced VLT Enhanced VLT (eVLT) refers to the ability to connect two VLT domains.
Figure 136. Enhanced VLT Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember
• You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
• VLT port channel interfaces must be switch ports.
• If you include RSTP on the system, configure it before VLT.
• BMP uses untagged dynamic host configuration protocol (DHCP) packets to communicate with the DHCP server. • To disable this feature on VLT and port channels, use the no lacp ungroup member-independent {vlt | port-channel} command under the configuration mode. • When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
– The port channel must be in Default mode (not Switchport mode) to have VLTi recognize it. – The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs. – VLT peer switches operate as separate chassis with independent control and data planes for devices attached to non-VLT ports. – Port-channel link aggregation (LAG) across the ports in the VLT interconnect is required; individual ports are not supported.
• In one possible topology, a switch uses the BMP feature to receive its IP address, configuration files, and boot image from a DHCP server that connects to the switch through the VLT domain. In the port-channel used by the switch to connect to the VLT domain, configure the port interfaces on each VLT peer as hybrid ports before adding them to the port channel (see Connecting a VLT Domain to an Attached Access Device (Switch or Server)).
channel. This mechanism ensures reachability and provides loop management. If the VLT interconnect fails, the VLT software on the primary switch checks the status of the remote peer using the backup link. If the remote peer is up, the secondary switch disables all VLT ports on its device to prevent loops.
VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 ) When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
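As an added example for the monitoring side (not code from the guide or from Dell EMC Networking OS), the following Python parses Dell EMC Networking OS syslog lines and extracts the VLTi bandwidth threshold crossings. The message-format pattern is inferred from the two messages quoted in this guide, and the sample lines are constructed from them.

```python
"""Parse Dell EMC Networking OS syslog lines and flag VLTi (ICL) bandwidth
threshold crossings.

The format pattern below,
%<unit>-<role>:<process> %<FACILITY>-<severity>-<MNEMONIC>: <text>,
is inferred from the two messages quoted in this guide; the sample lines are
constructed from them. Not code from the guide or the OS.
"""
import re

SYSLOG_RE = re.compile(
    r"^%(?P<unit>[A-Z0-9]+)-(?P<role>[A-Z]):(?P<process>[A-Z0-9]+)\s+"
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9][A-Z0-9 _-]*?):\s+"
    r"(?P<text>.*)$"
)

# Text of the VLT-LAG-ICL message: port-channel number and the usage figure.
ICL_RE = re.compile(
    r"VLT-ICL-LAG \(portchannel (?P<po>\d+)\) crosses threshold\. "
    r"Bandwidth usage \((?P<usage>\d+)"
)

# Constructed samples, taken from the messages quoted in this guide.
SAMPLE_LINES = [
    "%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of "
    "VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )",
    "%RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "
    "\"Summer time starts 00:00:00 Pacific Tue Mar 14 2017 ; Summer time ends "
    "00:00:00 pacific Tue Nov 7 2017\" to \"Summer time starts 02:00:00 Pacific "
    "Tue Mar 14 2017;Summer time ends 02:00:00 pacific Tue Nov 7 2017\"",
]


def parse_syslog(line):
    """Return the message fields as a dict, or None if the line is not in the
    Dell EMC Networking OS format."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def icl_threshold_events(lines, threshold=80):
    """Return (port_channel, usage_percent) for every VLTi threshold crossing
    at or above `threshold`. The match is on facility and mnemonic, not on
    severity: the OS logs this at severity 6 (informational), so a collector
    that only forwards severity 0-4 would drop a saturated VLT interconnect."""
    events = []
    for line in lines:
        msg = parse_syslog(line)
        if msg is None or msg["facility"] != "VLTMGR" or msg["mnemonic"] != "VLT-LAG-ICL":
            continue
        m = ICL_RE.search(msg["text"])
        if m and int(m.group("usage")) >= threshold:
            events.append((int(m.group("po")), int(m.group("usage"))))
    return events


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line)["facility"], parse_syslog(line)["mnemonic"])
    print(icl_threshold_events(SAMPLE_LINES))
```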
The delay-restore feature waits for all saved configurations to be applied, then starts a configurable timer. After the timer expires, the VLT ports are enabled one-by-one in a controlled manner. The delay between bringing up each VLT port-channel is proportional to the number of physical members in the port-channel. The default is 90 seconds. To change the duration of the configurable timer, use the delay-restore command.
Figure 137. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
Figure 138. Packets without peer routing enabled If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing. Figure 139. Packets with peer routing enabled Benefits of Peer Routing • Avoids sub-optimal routing • Reduces latency by avoiding another hop in the traffic path.
• You can reduce the number of VLTi port channel members based on your specific design. With peer routing, you need not configure VRRP for the participating VLANs. As both VLT nodes act as a gateway for their peer, irrespective of the gateway IP address, the traffic flows upstream without any latency. There is no limitation on the number of VLANs. VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer.
The advantages of syncing the multicast routes between VLT peers are: • VLT resiliency — After a VLT link or peer failure, if the traffic hashes to the VLT peer, the traffic continues to be routed using multicast until the PIM protocol detects the failure and adjusts the multicast distribution tree. • Optimal routing — The VLT peer that receives the incoming traffic can directly route traffic to all downstream routers connected on VLT ports.
NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, see Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Configure RSTP on VLT peers to prevent forwarding loops—VLT peer 1 (primary)
Dell_VLTpeer1(conf)#protocol spanning-tree rstp
Dell_VLTpeer1(conf-rstp)#no disable
Dell_VLTpeer1(conf-rstp)#bridge-priority 4096
Configure RSTP on VLT peers to prevent forwarding loops—VLT peer 2 (secondary)
Dell_VLTpeer2(conf)#protocol spanning-tree rstp
Dell_VLTpeer2(conf-rstp)#no disable
Dell_VLTpeer2(conf-rstp)#bridge-priority 8192
NOTE: When you remove the VLT configuration, RSTP is recommended as a backup solution to avoid
CONFIGURATION mode
interface port-channel id-number
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2 Remove any IP address from the interface if already present.
INTERFACE PORT-CHANNEL mode
no ip address
3 Add one or more port interfaces to the port channel.
You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
3 Configure the port channel to be used as the VLT interconnect between VLT peers in the domain.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
4 Enable peer routing.
VLT DOMAIN CONFIGURATION mode
peer-routing
If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
4 Repeat Steps 1 to 4 on the VLT peer switch.
To set an amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time. For more information, refer to VLT Port Delayed Restoration.
Configuring a VLT Port Delay Period
To configure a VLT port delay period, use the following commands.
1 Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
VLT DOMAIN CONFIGURATION mode unit-id {0 | 1} To explicitly configure the default values on each peer switch, use the unit-id command. Configure a different unit ID (0 or 1) on each peer switch. Unit IDs are used for internal system operations. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots.
To configure the VLAN where a VLT peer forwards received packets over the VLTi from an adjacent VLT peer that is down, use the peerdown-vlan parameter. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi. Using this configuration ensures the DHCP discover packets are forwarded to the VLAN that has the DHCP server. Configuring a VLT VLAN Peer-Down (Optional) To configure a VLT VLAN peer-down, use the following commands.
5 Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
VLT DOMAIN CONFIGURATION mode
back-up destination ip-address [interval seconds]
You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
6 When you create a VLT domain on a switch, Dell EMC Networking OS automatically creates a VLT-system MAC address used for internal system operations.
13 Enable LACP on the LAN port.
INTERFACE mode
port-channel-protocol lacp
14 Configure the LACP port channel mode.
INTERFACE mode
port-channel number mode [active]
15 Ensure that the interface is active.
MANAGEMENT INTERFACE mode
no shutdown
16 Enable peer routing.
VLT DOMAIN CONFIGURATION mode
peer-routing
If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
17 Repeat steps 1 through 16 for the VLT peer node in Domain 1.
8 Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9 Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. EXEC Privilege mode show running-config entity 10 Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. EXEC mode or EXEC Privilege mode show interfaces interface 11 In the top of rack unit, configure LACP in the physical ports.
Role                           : Secondary
Role Priority                  : 32768
ICL Link Status                : Up
HeartBeat Status               : Up
VLT Peer Status                : Up
Version                        : 6(3)
Local System MAC address       : 00:01:e8:8a:e9:91
Remote System MAC address      : 00:01:e8:8a:e9:76
Remote system version          : 6(3)
Delay-Restore timer            : 90 seconds
Delay-Restore Abort Threshold  : 60 seconds
Peer-Routing                   : Disabled
Peer-Routing-Timeout timer     : 0 seconds
Multicast peer-routing timeout : 150 seconds
DellEMC#
Verify that the VLT LAG is up in the VLT peer unit.
• OSPF is configured in Dell-1, Dell-2, and R1 switches.
• Dell-1 is configured as the root bridge.
• Dell-1 is configured as the VLT primary.
• As the Router ID of Dell-1 is the highest in the topology (highest loopback address of 172.17.1.1), Dell-1 is the OSPF Designated Router.
• As the Router ID of Dell-2 is the second highest in the topology (172.16.1.1), Dell-2 is the OSPF Backup Designated Router.
Figure 140.
800  Active  Client-VLAN    V  Po10 (Te 0/0-1)
900  Active  Client-VLAN-2  V  Po10 (Te 0/0-1)
V  Po10 (Te 0/0-1)
The following is the configuration of the interfaces:
DellEMC#1#sh run int ma0/0
interface ManagementEthernet 0/0
 description Used_for_VLT_Keepalive
 ip address 10.10.10.1/24
 no shutdown
(The management interfaces are part of a default VRF and are isolated from the switch's data plane.)
In Dell-1, te 0/0 and te 0/1 are used for VLTi.
Port channel 2 connects the access switch A1.
DellEMC#1#sh run int po2
interface Port-channel 2
 description port-channel_to_access_switch_A1
 no ip address
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
 description OSPF PEERING VLAN
 ip address 192.168.20.
----------------
Destination                 : 10.10.10.2
Peer HeartBeat status       : Up
Destination VRF             : default
HeartBeat Timer Interval    : 1
HeartBeat Timeout           : 3
UDP Port                    : 34998
HeartBeat Messages Sent     : 4
HeartBeat Messages Received : 5
Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
Verify if peer routing has populated the CAM table with the correct information using the show cam mac command.
 no ip address
 no shutdown
The following example shows that te 0/0 and te 0/1 are included in port channel 10. Also note that the configuration on the VLTi links does not contain the switchport command.
Dell-2#sh run int po10
interface Port-channel 10
 description VLTi Port-Channel
 no ip address
 channel-member TenGigabitEthernet 0/0-1
 no shutdown
Te 0/4 connects to the access switch A1.
 tagged Port-channel 2
 no shutdown
The following output shows that Dell-2 is configured with VLT domain 1. The peer-link port-channel command makes port channel 10 the VLTi link. The peer-routing command enables peer routing between the VLT peers in VLT domain 1. The IP address configured with the back-up destination command is the management IP address of the VLT peer (Dell-1). A priority value of 55000 makes Dell-2 the secondary VLT peer, because the peer with the lower primary-priority value becomes primary.
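The settings that must agree (or deliberately differ) between the two peers are easy to get wrong by hand, and a mismatch only shows up once the domain is up. The following script is an added example, not Dell code: it parses the vlt domain block of each peer's running configuration and reports the inconsistencies discussed in this chapter. The two configuration excerpts are constructed to follow the command syntax used above, and the role-election rule in expected_roles (lower primary-priority wins, lower system MAC breaks a tie) is this example's assumption.

```python
"""Cross-check the 'vlt domain' blocks of two VLT peers.

Added example, not Dell code.  PEER1_CFG and PEER2_CFG are constructed
running-config excerpts; the election rule in expected_roles is assumed."""
import re

DEFAULT_PRIORITY = 32768  # value shown as Role Priority when primary-priority is unset

_FIELDS = {
    "peer_link": re.compile(r"peer-link port-channel (\d+)$"),
    "backup_dest": re.compile(r"back-up destination (\S+)"),
    "priority": re.compile(r"primary-priority (\d+)$"),
    "unit_id": re.compile(r"unit-id ([01])$"),
}

# Constructed excerpts, laid out like 'show running-config vlt' output.
PEER1_CFG = """\
!
vlt domain 1
 peer-link port-channel 10
 back-up destination 10.10.10.2
 unit-id 0
 peer-routing
!
"""

PEER2_CFG = """\
!
vlt domain 1
 peer-link port-channel 10
 back-up destination 10.10.10.1 interval 1
 primary-priority 55000
 unit-id 1
 peer-routing
!
"""


def parse_vlt_domain(running_config):
    """Return the settings of the first 'vlt domain' block as a dict."""
    cfg = {"peer_routing": False, "priority": DEFAULT_PRIORITY}
    in_block = False
    for line in running_config.splitlines():
        stripped = line.strip()
        if stripped.startswith("vlt domain "):
            cfg["domain"] = int(stripped.split()[2])
            in_block = True
            continue
        if not in_block:
            continue
        if stripped and not line.startswith(" "):
            break  # an unindented line ends the block
        if stripped == "peer-routing":
            cfg["peer_routing"] = True
            continue
        for key, rx in _FIELDS.items():
            m = rx.match(stripped)
            if m:
                cfg[key] = m.group(1) if key == "backup_dest" else int(m.group(1))
    return cfg


def check_peers(cfg_a, mgmt_a, cfg_b, mgmt_b):
    """List inconsistencies between two peers; an empty list means consistent.
    mgmt_a/mgmt_b are the management IPs each peer's back-up destination must name."""
    problems = []
    if cfg_a.get("domain") != cfg_b.get("domain"):
        problems.append("VLT domain ID differs")
    if cfg_a.get("peer_link") != cfg_b.get("peer_link"):
        problems.append("peer-link port-channel number differs")
    if cfg_a.get("unit_id") is None or cfg_a.get("unit_id") == cfg_b.get("unit_id"):
        problems.append("unit-id must be 0 on one peer and 1 on the other")
    if cfg_a.get("backup_dest") != mgmt_b or cfg_b.get("backup_dest") != mgmt_a:
        problems.append("back-up destination is not the other peer's management IP")
    if cfg_a["peer_routing"] != cfg_b["peer_routing"]:
        problems.append("peer-routing is enabled on only one peer")
    return problems


def expected_roles(cfg_a, mac_a, cfg_b, mac_b):
    """Assumed election rule: lower primary-priority wins, lower system MAC breaks a tie."""
    if (cfg_a["priority"], mac_a.lower()) < (cfg_b["priority"], mac_b.lower()):
        return "primary", "secondary"
    return "secondary", "primary"


if __name__ == "__main__":
    a, b = parse_vlt_domain(PEER1_CFG), parse_vlt_domain(PEER2_CFG)
    print(check_peers(a, "10.10.10.1", b, "10.10.10.2") or "peers consistent")
    print(expected_roles(a, "00:01:e8:8a:e9:91", b, "00:01:e8:8a:e9:76"))
```

Run it against the two captured configurations before bringing the VLTi up; the back-up destination check in particular catches the common mistake of pointing the heartbeat at a switch's own management address rather than its peer's.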
 network 192.168.8.0/24 area 0
 network 192.168.9.0/24 area 0
 network 172.16.1.0/24 area 0
 network 192.168.20.0/29 area 0
 passive-interface default
 no passive-interface vlan 20
While the passive-interface default command prevents all interfaces from establishing an OSPF neighborship, the no passive-interface vlan 20 command allows the interface for VLAN 20, the OSPF peering VLAN, to establish OSPF adjacencies. The following output displays that Dell-1 forms neighborship with Dell-2 and R1.
!
interface Loopback4
 ip address 4.4.4.2 255.255.255.0
R1#show run int port-channel 1
interface Port-channel1
 switchport
 ip address 192.168.20.3 255.255.255.248
R1#show run | find router
router ospf 1
 router-id 172.15.1.1
 passive-interface default
 no passive-interface Port-channel1
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 4.4.4.0 0.0.0.255 area 0
(The above subnets correspond to loopback interfaces lo2, lo3 and lo4.
This default route is configured for testing purposes, as described in the next section. The access switch (A1) is used to generate ICMP test pings to a loopback interface on CR1. This default route points to DellEMC#2's VLAN 800 SVI interface. It is in place to ensure that routed test traffic carries DellEMC#2's MAC address as the destination address in the Ethernet frame header. When A1 sends a packet to R1, the VLT peers act as the default gateway for each other.
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
In Domain 2, configure the VLT domain and VLTi on Peer 3. Configure eVLT on Peer 3.
Domain_2_Peer3(conf)#interface port-channel 100
Domain_2_Peer3(conf-if-po-100)# switchport
Domain_2_Peer3(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_2_Peer3(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 3.
VLT_Peer2(conf-if-vl-4001)#ip igmp snooping mrouter interface port-channel 128
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation.
EXEC mode
show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
----------------
Destination                 : 10.11.200.18
Peer HeartBeat status       : Up
HeartBeat Timer Interval    : 1
HeartBeat Timeout           : 3
UDP Port                    : 34998
HeartBeat Messages Sent     : 1026
HeartBeat Messages Received : 1025
Dell_VLTpeer2# show vlt backup-link
VLT Backup Link
----------------
Destination                 : 10.11.200.20
Peer HeartBeat status       : Up
HeartBeat Timer Interval    : 1
HeartBeat Timeout           : 3
UDP Port                    : 34998
HeartBeat Messages Sent     : 1030
HeartBeat Messages Received : 1014
The following example shows the show vlt brief command.
Local System MAC address    : 00:01:e8:8a:df:bc
Local System Role Priority  : 32768
Dell_VLTpeer2# show vlt role
VLT Role
----------
VLT Role                    : Secondary
System MAC address          : 00:01:e8:8a:df:bc
System Role Priority        : 32768
Local System MAC address    : 00:01:e8:8a:df:e6
Local System Role Priority  : 32768
The following example shows the show running-config vlt command.
Dell_VLTpeer1# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.
Interface  PortID   Prio  Cost    Sts       Cost  Designated Bridge     PortID
Po 111     128.112  128   200000  DIS(vlt)  800   4096 0001.e88a.d656   128.112
Po 120     128.121  128   2000    FWD(vlt)  800   4096 0001.e88a.d656   128.121
Dell_VLTpeer2# show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
 Root ID Priority 0, Address 0001.e88a.dff8
 Root Bridge hello time 2, max age 20, forward delay 15
 Bridge ID Priority 0, Address 0001.e88a.
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) On an access device, verify the port-channel connection to a VLT domain. Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information. NOTE: For information on VLT Failure mode timing and its impact, contact your Dell EMC Networking representative. Table 129.
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
Version ID mismatch | A syslog error message and an SNMP trap are generated. | A syslog error message and an SNMP trap are generated. | Verify that the Dell EMC Networking OS software versions on the VLT peers are compatible. For more information, refer to the Release Notes for this release.
VLT LAG ID is not configured on one VLT peer | A syslog error message is generated. The peer with the VLT configured remains active. | |
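The conditions in this table, together with the ICL and heartbeat states in show vlt brief and show vlt backup-link, are what an operator polls for. The following script is an added example, not Dell code: it parses captured output laid out like the examples in this chapter and returns a list of findings. The two sample outputs are constructed, and the severity given to each condition is this example's own judgement, with the split-brain warning reflecting general VLT behaviour (a peer that loses both the VLTi and the backup heartbeat cannot tell a link failure from a peer failure).

```python
"""Flag VLT failure conditions from captured show command output.

Added example, not Dell code.  SHOW_VLT_BRIEF and SHOW_VLT_BACKUP are
constructed samples in the layout this chapter shows."""

SHOW_VLT_BRIEF = """\
VLT Domain Brief
------------------
Domain ID                      : 1
Role                           : Secondary
Role Priority                  : 32768
ICL Link Status                : Up
HeartBeat Status               : Up
VLT Peer Status                : Up
Version                        : 6(3)
Local System MAC address       : 00:01:e8:8a:e9:91
Remote System MAC address      : 00:01:e8:8a:e9:76
Remote system version          : 6(3)
Delay-Restore timer            : 90 seconds
Delay-Restore Abort Threshold  : 60 seconds
Peer-Routing                   : Disabled
Peer-Routing-Timeout timer     : 0 seconds
Multicast peer-routing timeout : 150 seconds
"""

SHOW_VLT_BACKUP = """\
VLT Backup Link
----------------
Destination                    : 10.10.10.2
Peer HeartBeat status          : Up
Destination VRF                : default
HeartBeat Timer Interval       : 1
HeartBeat Timeout              : 3
UDP Port                       : 34998
HeartBeat Messages Sent        : 4
HeartBeat Messages Received    : 5
"""


def parse_show(text):
    """Turn 'key : value' lines into a dict.  Splitting on the first colon only
    keeps MAC addresses and IP addresses in the value intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def with_field(text, key, value):
    """Copy of the output with one field's value replaced (to simulate a failure)."""
    out = []
    for line in text.splitlines():
        key_part, sep, _ = line.partition(":")
        if sep and key_part.strip() == key:
            line = "%s: %s" % (key_part, value)
        out.append(line)
    return "\n".join(out)


def vlt_health(brief_text, backup_text):
    """Return (severity, message) findings; an empty list means nothing to report."""
    brief, backup = parse_show(brief_text), parse_show(backup_text)
    findings = []
    icl_up = brief.get("ICL Link Status") == "Up"
    hb_up = (brief.get("HeartBeat Status") == "Up"
             and backup.get("Peer HeartBeat status") == "Up")
    if not icl_up and not hb_up:
        findings.append(("CRITICAL", "VLTi and backup heartbeat are both down: the peers "
                         "cannot tell a link failure from a peer failure and may both "
                         "act as primary"))
    elif not icl_up:
        findings.append(("CRITICAL", "VLTi (ICL) is down; only the backup heartbeat keeps "
                         "the peers aware of each other"))
    elif not hb_up:
        findings.append(("WARNING", "backup heartbeat is down; check the management link "
                         "and the back-up destination address"))
    if brief.get("VLT Peer Status") != "Up":
        findings.append(("CRITICAL", "VLT peer status is not Up"))
    if brief.get("Version") != brief.get("Remote system version"):
        findings.append(("WARNING", "version ID mismatch between peers (%s vs %s); check "
                         "release-note compatibility"
                         % (brief.get("Version"), brief.get("Remote system version"))))
    if brief.get("Peer-Routing") != "Enabled":
        findings.append(("INFO", "peer routing disabled: proxy ARP and the VLT proxy "
                         "gateway require peer-routing on both peers"))
    return findings


if __name__ == "__main__":
    for severity, message in vlt_health(SHOW_VLT_BRIEF, SHOW_VLT_BACKUP):
        print(severity, message)
```

Feed it the two outputs from each peer on a schedule; a CRITICAL from both peers at once, each still reporting itself as Primary, is the dual-primary condition to act on first.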
Keep the following points in mind when you configure VLT nodes in a PVLAN: • Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode. • You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port modes when you include the VLT LAG in a PVLAN. The VLT LAG settings must be the same on both the peers. If you configure a VLT LAG as a trunk port, you can associate that LAG to be a member of a normal VLAN or a PVLAN.
PVLAN Operations When One VLT Peer is Down
When a VLT port moves to the Admin or Operationally Down state on only one of the VLT nodes, the VLT LAG is still considered to be up. All the PVLAN MAC entries that correspond to the operationally down VLT LAG are maintained as synchronized entries in the device. These MAC entries are removed when the peer VLT LAG also becomes inactive or a change in PVLAN configuration occurs.
Table 130.
VLT LAG Mode (Peer1 | Peer2) | PVLAN Mode of VLT VLAN (Peer1 | Peer2) | ICL VLAN Membership | MAC Synchronization
- | - | Primary VLAN Y | Primary VLAN X | No | No
Promiscuous | Access | Primary | Secondary | No | No
Trunk | Access | Primary/Normal | Secondary | No | No
Configuring a VLT VLAN or LAG in a PVLAN
You can configure the VLT peers or nodes in a private VLAN (PVLAN).
7 Enter the port-channel number that acts as the interconnect trunk. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 8 (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
• Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Proxy ARP Capability on VLT Peer Nodes The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for the other router in a VLT domain. The local host forwards the traffic to the proxy ARP-enabled device, which in turn transmits the packets to the destination. By default, proxy ARP is enabled.
When a VLT node detects peer up, it does not perform proxy ARP for the peer IP addresses. IP address synchronization occurs again between the VLT peers. Proxy ARP is enabled only if you enable peer routing on both the VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable proxy ARP.
INTERFACE PORT-CHANNEL mode
vlan-stack {access | trunk}
2 Configure the VLAN as VLAN-stack compatible on both the peers.
INTERFACE VLAN mode
vlan-stack compatible
3 Add the VLT LAG as a member of the VLAN stack on both the peers.
INTERFACE VLAN mode
member port-channel port-channel-id
4 Verify the VLAN-stack configurations.
DellEMC#show running-config interface port-channel 20
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
DellEMC#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as Members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-sta
hashing in the ToR switch, it is routed there instead of being forwarded to node1. This processing occurs because of the match (hit) for the entry in the TCAM of VLT node2.
Synchronization of IPv6 ND Entries in a VLT Domain
Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT IPv6 VLAN and neighbor discovery protocol monitor (NDPM) entries are synchronized between the VLT nodes.
Unit2 is linked to a node, Node C. When an NS traverses from Unit2 to Node B(ToR) and a corresponding NA reaches Unit1 because of LAG hashing, this NA is tunneled to Unit 2 along with some control information. The control information present in the tunneled NA packet is processed in such a way so that the ingress port is marked as the link from Node B to Unit 2 rather than pointing to ICL link through which tunneled NA arrived. Figure 142.
Figure 143. Sample Configuration of IPv6 Peer Routing in a VLT Domain Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL.
Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
Non-VLT host to Non-VLT host traffic flow
When a VLT node receives traffic from a non-VLT host destined for another non-VLT host, it performs a neighbor-entry lookup and routes the traffic over the ICL interface. If the traffic reaches the wrong VLT peer, that peer routes it over the ICL.
Router Solicitation
When a VLT node receives a router solicitation on a VLT or non-VLT interface, it consumes the packet and sends an RA back on the interface it was received on. A VLT node drops an RS message received over the ICL interface.
ToR
1 Enable BFD globally.
TOR(conf)# bfd enable
2 Configure a VLT peer LAG.
3 Configure the port channel for the VLT interconnect on a ToR.
TOR(conf)# interface port-channel 10
TOR(conf-if-po-111)# no ip address
TOR(conf-if-po-111)# switchport
TOR(conf-if-po-111)# no shutdown
4 Configure a VLAN.
TOR(conf)#interface vlan 100
TOR(conf-if-vl-100)#ip address 100.1.1.
4 Configure a VLT peer LAG.
VLT_Primary(conf)#interface port-channel 10
VLT_Primary(conf-if-po-10)#no ip address
VLT_Primary(conf-if-po-10)#switchport
VLT_Primary(conf-if-po-10)#vlt-peer-lag port-channel 10
VLT_Primary(conf-if-po-10)#no shutdown
5 Configure a VLAN.
VLT_Primary(conf)#interface vlan 100
VLT_Primary(conf-if-vl-100)#ip address 100.1.1.1/24
VLT_Primary(conf-if-vl-100)#tagged port-channel 10
VLT_Primary(conf-if-vl-100)#no shutdown
VLT_Primary(conf-if-vl-100)#exit
6 Enable BFD over OSPF.
ICL Link Status                : Up
HeartBeat Status               : Up
VLT Peer Status                : Up
Version                        : 6(9)
Local System MAC address       : f4:8e:38:6a:97:3f
Remote System MAC address      : 00:e6:e2:f5:5c:15
Remote system version          : 6(9)
Delay-Restore timer            : 90 seconds
Delay-Restore Abort Threshold  : 60 seconds
Peer-Routing                   : Enabled
Peer-Routing-Timeout timer     : 0 seconds
Multicast peer-routing timeout : 150 seconds
• To verify that the VLTi (ICL) link is up on the VLT secondary peer, use the show vlt brief command.
Static VXLAN Configuration in a VLT setup
Configuration steps are covered below:
1 Both Gateway VTEPs need VLT configured.
• ICL port configuration
interface Port-channel 1
 no ip address
 channel-member TenGigabitEthernet 0/4-5
 no shutdown
• VLT Domain Configuration
vlt domain 100
 peer-link port-channel 1
 back-up destination 10.11.70.
2 Configure the loopback interface and VXLAN instances on both the peers.
• VXLAN Instance Configuration
vxlan-instance 1 static
 local-vtep-ip 14.14.14.14
 no shutdown
 vni-profile test
  vnid 200
 remote-vtep-ip 3.3.3.3 vni-profile test
• VLT Access port configuration
interface TengigabitEthernet 0/12
 port-channel-protocol lacp
  port-channel 30 mode active
interface Port-channel 30
 no ip address
 vxlan-instance 1
 switchport
 vlt-peer-lag port-channel 30
 no shutdown
59 VLT Proxy Gateway
The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 144. Sample Configuration for a VLT Proxy Gateway
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; that is, between VLT domains.
• You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• You cannot change the VLT LAG to a legacy LAG when it is part of a proxy gateway.
• You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway.
• Dell EMC Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links.
• The virtual router redundancy protocol (VRRP) and IPv6 routing are not supported.
• Private VLANs (PVLANs) are not supported.
• You must configure the interface proxy gateway LLDP to enable or disable a proxy-gateway LLDP TLV on specific interfaces. • The interface is typically a VLT port-channel that connects to a remote VLT domain. • The new proxy gateway TLV is carried on the physical links under the port channel only. • You must have at least one link connection to each unit of the VLT domain. Following are the prerequisites for Proxy Gateway LLDP configuration: • You must globally enable LLDP.
LLDP VLT Proxy Gateway in a Square VLT Topology
Figure 145. Sample Configuration for a VLT Proxy Gateway
The preceding figure shows a sample square VLT proxy gateway topology. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. Without a proxy gateway, this causes sub-optimal routing.
• Any L3 packet that gets an L3 hit and is routed has its time to live (TTL) decremented as expected.
• You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 146. VLT Proxy Gateway Sample Topology
VLT Domain Configuration
Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using VLT LAG Po 50. To know how to configure the interfaces in VLT domains, see the Configuring VLT section.
Dell-1 VLT Configuration
vlt domain 120
 peer-link port-channel 120
 back-up destination 10.1.1.
 switchport
 no spanning-tree
 vlt-peer-lag port-channel 50
 no shutdown
Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.
VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2.
interface Vlan 100
 description OSPF Peering VLAN to Dell-2
 ip address 10.10.100.1/30
 ip ospf network point-to-point
 no shutdown
VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
The following output shows that Dell-1 forms OSPF neighborship with Dell-2.
Dell-2#sh ip ospf nei
Neighbor ID  Pri  State    Dead Time  Address      Interface  Area
4.4.4.4      1    FULL/ -  00:00:33   10.10.100.1  Vl 100     0
Dell-3 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.
The following output shows that Dell-4 and VLT domain 120 form OSPF neighborship with Dell-3.
Dell-3#sh ip ospf nei
!
Neighbor ID  Pri  State    Dead Time  Address      Interface  Area
4.4.4.4      1    FULL/ -  00:00:33   10.10.101.1  Vl 101     0
1.1.1.1      1    FULL/ -  00:00:34   10.10.102.2  Vl 102     0
Dell-4 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.
60 Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS.
Overview
The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology wherein the data traffic from virtualized servers is transparently transported over an existing legacy network.
Figure 147. VXLAN Gateway
NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
• VXLAN Service nodes for BFD • Static Virtual Extensible LAN (VXLAN) • Preserving 802.1 p value across VXLAN tunnels • VXLAN Scenario • Routing in and out of VXLAN tunnels • NSX Controller-based VXLAN for VLT Components of VXLAN network VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network and this overlay is termed as a VXLAN segment.
• Binds the port and VLAN to logical networks based on messages from the NVP.
• Binds MACs to the VTEP and logical network based on messages from the NVP.
• Advertises MACs learnt on south-facing VXLAN-capable ports to the NVP client.
VXLAN Hypervisor: the VTEP that connects the virtual machines (VMs) to the underlay (legacy) physical network infrastructure.
Service Node (SN): another VTEP, but one that is fully managed by the controller.
Components of VXLAN Frame Format
Some of the important fields of the VXLAN frame format are described below.
Outer Ethernet Header: The outer Ethernet header consists of the following components:
• Destination Address: Generally, the MAC address of the first-hop router when the remote VTEP is on a different subnet.
• Source Address: The source MAC address of the router that routes the packet.
Outer IP Header:
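To make the frame layout concrete, the following script is an added example, not Dell code: it builds a VXLAN-encapsulated frame (outer Ethernet with an optional 802.1Q tag, outer IPv4, UDP to port 4789, the 8-byte VXLAN header with the 24-bit VNI, then the untouched inner frame) and parses one back, rejecting what a VTEP must drop. The layout follows RFC 7348 rather than any switch-specific behaviour; the inner frame, addresses, VNI and the choice of source-port hash are constructed sample values. The outer 802.1Q tag carries the inner frame's 802.1p value, which is how priority survives the tunnel on a VLAN-tagged network port.

```python
"""Build and parse a VXLAN frame (RFC 7348 layout).

Added example, not Dell code.  SAMPLE_INNER, the VTEP addresses and the
VNI below are constructed values."""
import struct
import zlib

VXLAN_UDP_PORT = 4789
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IP_PROTO_UDP = 17
VXLAN_FLAG_I = 0x08  # "VNI present"; the other flag bits are reserved


def _mac(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def _ipv4_checksum(header):
    """RFC 1071 one's-complement checksum; evaluates to 0 over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def frame_pcp(frame):
    """802.1p priority of an 802.1Q-tagged frame, or None if untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] >> 13


def vxlan_encap(inner, vni, src_mac, dst_mac, src_ip, dst_ip, outer_vlan=None):
    """Encapsulate an Ethernet frame.  With outer_vlan set, the outer 802.1Q tag
    carries the inner frame's 802.1p value so the underlay can queue on it."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)  # flags+reserved, VNI+reserved
    # Source port derived from the inner headers gives ECMP/LAG entropy in the underlay.
    src_port = 0xC000 | (zlib.crc32(inner[:14]) & 0x3FFF)
    udp_len = 8 + len(vxlan_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         IP_PROTO_UDP, 0, _ip(src_ip), _ip(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth = _mac(dst_mac) + _mac(src_mac)
    if outer_vlan is not None:
        pcp = frame_pcp(inner) or 0
        eth += struct.pack("!HH", ETHERTYPE_8021Q, (pcp << 13) | outer_vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp_hdr + vxlan_hdr + inner


def vxlan_decap(packet):
    """Validate the outer headers; return VNI, outer PCP, endpoints and inner frame.
    Raises ValueError for anything a receiving VTEP should drop."""
    off = 12
    (ethertype,) = struct.unpack("!H", packet[off:off + 2])
    off += 2
    outer_pcp = None
    if ethertype == ETHERTYPE_8021Q:
        tci, ethertype = struct.unpack("!HH", packet[off:off + 4])
        off += 4
        outer_pcp = tci >> 13
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[off] & 0x0F) * 4
    ip_hdr = packet[off:off + ihl]
    if packet[off] >> 4 != 4 or ihl < 20 or _ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad outer IPv4 header")
    if ip_hdr[9] != IP_PROTO_UDP:
        raise ValueError("outer packet is not UDP")
    off += ihl
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[off:off + 8])
    off += 8
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN UDP port")
    flags_word, vni_word = struct.unpack("!II", packet[off:off + 8])
    off += 8
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")  # RFC 7348: the receiver MUST drop
    return {
        "vni": vni_word >> 8,
        "outer_pcp": outer_pcp,
        "src_ip": ".".join(str(b) for b in ip_hdr[12:16]),
        "dst_ip": ".".join(str(b) for b in ip_hdr[16:20]),
        "src_port": src_port,
        "inner": packet[off:off + udp_len - 16],
    }


def is_valid_vxlan(packet):
    try:
        vxlan_decap(packet)
        return True
    except (ValueError, struct.error):
        return False


# Constructed inner frame: 802.1Q-tagged (PCP 5, VLAN 20) with a dummy IPv4 payload.
SAMPLE_INNER = (_mac("00:00:bb:00:00:00") + _mac("00:00:00:cc:00:00")
                + struct.pack("!HH", ETHERTYPE_8021Q, (5 << 13) | 20)
                + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed inner IPv4 payload")
```

Note that nothing in the outer headers authenticates the tunnel: any host that can reach a VTEP's IP on UDP 4789 can inject frames into a VNI, which is why the underlay between VTEPs must be filtered or otherwise trusted.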
• Supports only 4 remote VTEPs through a single interface in a broadcast domain.
– When a fifth remote VTEP is configured that is reachable via the same network port, traffic destined to the fifth remote VTEP flows to the first remote VTEP configured via that network port. If any of the first four remote VTEPs configured via the same network port is removed, traffic flow to the fifth remote VTEP is not restored.
To create service node, the required fields are the IP address and SSL certificate of the server. The Service node is responsible for broadcast/unknown unicast/multicast traffic replication. The following is the snapshot of the user interface for the creation of service node: Select Home > Networking and Security > Service Definition > Hardware Devices. Under Hardware Devices, click the Add button. The Add hardware Device window opens.
3 Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK. Figure 151. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4 Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 152. Create Logical Switch 5 Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 153. Specify Hardware Port In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.
Figure 154. Create Logical Switch Port 6 (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration windows opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.
Figure 155. Edit VXLAN BFD Configuration
NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
Configuring and Controlling VXLAN from Nuage Controller GUI
The Dell EMC Networking OS supports the Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI by adding a hardware device to the Nuage controller and authenticating the device.
1 Under the Infrastructure tab, add a datacenter gateway.
Figure 156. Add Data center Gateway 2 Create port-to-VLAN mappings. Figure 157. Port-to-VLAN mappings 3 Under the Networks tab, create an L2 domain. Under the L2 domain, create a logical network (VNI) and add access ports of the VTEP in the logical network. Figure 158.
Configuring VxLAN Gateway To configure the VxLAN gateway on the switch, follow these steps: 1 Connecting to NVP controller 2 Advertising VXLAN access ports to controller Connecting to an NVP Controller To connect to an NVP controller, use the following commands. 1 Enable the VXLAN feature. CONFIGURATION mode feature vxlan You must configure feature VXLAN to configure vxlan-instance. 2 Create a VXLAN instance that connects to the controller.
Advertising VXLAN Access Ports to Controller To advertise the access ports to the controller, use the following command. In INTERFACE mode, vxlan-instance command configures a VXLAN-Access Port into a VXLAN-instance. INTERFACE mode vxlan-instance NOTE: In NSX-based VXLAN environment, the removal of a port specific to virtual network binding from a VTEP clears all remote MAC address entries of the virtual network in remote VTEP node.
The following example shows the show vxlan vxlan-instance physical-locator command.
Instance : 1
Tunnel : count 3
 4.3.3.3 : vxlan_over_ipv4 (up)
 6.6.6.2 : vxlan_over_ipv4 (up)
 6.6.6.3 : vxlan_over_ipv4 (up)
The following example shows the show vxlan vxlan-instance unicast-mac-local command.
* 3.3.3.3  192.168.122.138  Te 1/38  Up  1000  1000  3  VT
* 3.3.3.3  192.168.122.139  Te 1/42  Up  1000  1000  3  VT
Static Virtual Extensible LAN (VXLAN)
When you create a Virtual Extensible LAN (VXLAN), you normally need a Network Virtualization Platform (NVP) controller to configure and control it. When you create a VXLAN instance in static mode, you configure the VXLAN from the CLI instead of through the controller.
INTERFACE mode
vxlan-instance Instance ID
9 Associate a VNID with the VLAN.
INTERFACE VLAN mode
vxlan-vnid VNID
Displaying Static VXLAN Configurations
To display the static VXLAN configurations, use the following commands.
Examples of the show vxlan-instance Command
The following example displays the basic configuration details.
DellEMC# show vxlan vxlan-instance 1
Instance : 1
Mode : Static
Admin State : Up
Local vtep ip : 101.101.101.
Preserving 802.1p value across VXLAN tunnels
802.1p QoS marking preservation is supported over the VXLAN tunnel: the 802.1p priority of the inner frame is carried in the outer header across the VXLAN tunnel to the remote VTEP (VXLAN tunnel endpoint), and packets egress into the correct queue based on the priority value. If that queue is congested, the system generates a pause. The network (tunnel-facing) port must be a VLAN member, because the priority is carried in the 802.1Q tag of the VXLAN outer header.
Physical Loopback for VXLAN RIOT
The following topology shows how VXLAN RIOT can be achieved using physical loopbacks. Two port-channels, a VXLAN loopback port-channel and a non-VXLAN loopback port-channel, are created in the device. The interfaces at one end of the physical loopback cable are added as members of the non-VXLAN loopback port-channel (P2/P6) and the interfaces at the other end as members of the VXLAN loopback port-channel (P3/P7).
Internal Loopback for VXLAN RIOT The following topology shows how VXLAN RIOT can be achieved using an internal loopback port channel. Internal loopback port-channel is formed by adding the free ports in the device as a member to the vxlan loopback port-channel. There is no need for non-vxlan loopback port-channel in this scenario. • When you ping for 10.1.2.1 (Vlan 20’s IP on R2) from R1, the packet would get to P1 on VTEP 1 with Vlan 10, and try to get routed out of P2 on Vlan 20.
• Any frame ingressing on a VXLAN loopback port is not allowed to egress out of a VXLAN access port. • Any frame ingressing on a Non-VXLAN loopback port is not allowed to egress out of a VXLAN access port. • Any frame ingressing on a Non-VXLAN loopback port is not allowed to egress out of a VXLAN loopback port. Routing protocols and other control protocols are not supported over VXLAN tunnel (with the exception of VRRP). Admin VRRP is not supported over VXLAN tunnel.
In this topology, P2 and P3 in VTEP 1 are VLT port-channels with corresponding VLT peer LAGs being P2 and P3 in VTEP 2. Similarly, P6 and P7 in VTEP 3 are VLT port-channels with corresponding VLT peer LAGs being P6 and P7 in VTEP 4. NOTE: P2, P3, P6, and P7 can be a single port or multi-port port-channels that are VLT port-channels. NOTE: The VLT VXLAN configuration for RIOT deviates from the standard VLT behavior when these physical loopbacks are provisioned as VLT port-channels.
Figure 160. Controller-based VXLAN for VLT Providing Redundancy Important Points to Remember • The VLT peer port channel number must be the same on both VLT peers. • Before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration. • BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from the NSX controller.
Configuring BFD and UFD for VXLAN For controller-based VXLAN, you can optionally configure BFD and UFD for more resiliency. To configure BFD and UFD, follow these steps: 1 Enable BFD globally. CONFIGURATION mode bfd enable 2 Create an uplink-state group. CONFIGURATION mode uplink-state-group group-id group-id: values are from 1 to 16. 3 Assign a VLT port channel to the uplink-state group as an upstream link.
peer-ovsdbserver-ip ovsdb-IP-address The peer OVSDB server is the peer VLT device. 6 Enter the fail mode. VxLAN INSTANCE mode fail-mode secure 7 Enable the VxLAN instance. VxLAN INSTANCE mode no shutdown NOTE: Dell EMC Networking recommends the non-secure fail mode if you are configuring VxLAN for a VLT setup and use a physical L3 link for peer OVSDB connectivity. Also, using the controller-connected IP address for peer OVSDB connectivity leads to a double failure when the connected link fails.
unit-id NOTE: For controller-based VxLAN, the VLT unit ID is mandatory. 8 Repeat these steps on the VLT peer switch. VLT configuration: DellEMC#show runn vlt ! vlt domain 100 peer-link port-channel 1 back-up destination 38.0.0.
Admin State     : enabled
Controller Type : Nsx
Management IP   : 10.16.140.36
Gateway IP      : 4.3.3.3
MAX Backoff     : 8000
Controller 1    : 10.16.140.181:6640 ssl
Managers        : 10.16.140.181:6640 ssl (connected)
                  10.16.140.182:6640 ssl (connected)
                  10.16.140.
Fail Mode       :
Port List       : Te 1/21
                  Po 10
DellEMC#show vxlan vxlan-instance 1 physical-locator
Instance : 1
Tunnel : count 1
6.6.6.2 : vxlan_over_ipv4 (up)
DellEMC#
DellEMC#
DellEMC#show vxlan vxlan-instance 1 unicast-mac-local
Total Local Mac Count: 1
VNI    MAC                PORT     VLAN
5000   00:00:00:cc:00:00  Te 1/21  20
DellEMC#
DellEMC#show vxlan vxlan-instance 1 unicast-mac-remote
Total Remote Mac Count: 1
VNI    MAC                TUNNEL
5000   00:00:bb:00:00:00  4.3.3.
Mode            : Controller
Admin State     : enabled
Controller Type : Nsx
Management IP   : 10.16.140.37
Gateway IP      : 4.3.3.3
MAX Backoff     : 8000
Controller 1    : 10.16.140.181:6640 ssl
Managers        : 10.16.140.181:6640 ssl (connected via vltPeer)
                  10.16.140.182:6640 ssl (connected via vltPeer)
                  10.16.140.
Fail Mode       :
Port List       : Te 1/21
                  Po 10
DellEMC#show cam mac stack-unit 1 port-set 0
VlanId  Mac Address        Region    Interface
500     14:18:77:0a:53:82  STATIC    Po 1
500     ff:ff:ff:ff:ff:ff  STATIC    00001
28674   00:00:00:cc:00:00  DYNAMIC   0x80000001(vxlan)
28674   00:00:bb:00:00:00  DYNAMIC   0x80000006(vxlan)
0       ff:ff:ff:ff:ff:ff  STATIC    00001
1       00:01:e8:8b:7a:6e  DYNAMIC   Po 11
20      00:00:00:cc:00:00  STATIC    Po 1
0       00:10:18:ff:ff:ff  STATIC    Invalid
500     34:17:eb:37:11:02  DYNAMIC   Po 1
0       f4:8e:38:2b:3e:87  LOCAL_DA  00001
0       f4:8e:38:2b:3e:87  LOCAL_DA  00001
0       14:18:77:0a:53:82  LO
Select Home > Networking and Security > Service Definition > Hardware Devices. Under Hardware Devices, click the Add button. The Add Hardware Device window opens. Enter a name, copy the generated certificate of the VTEP to the Certificate box, and click OK. Figure 161. Create VXLAN Gateway To create a VXLAN L2 Gateway, the IP address of the Gateway is required.
Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK. Figure 163. Add Service Node or Replicator NOTE: Ensure L3 reachability between the VTEP and the replicator. 4 Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure.
Figure 164. Create Logical Switch 5 Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 165. Specify Hardware Port In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.
Figure 166. Create Logical Switch Port 6 (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.
Figure 167. Edit VXLAN BFD Configuration NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
61 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 168. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
If the next-hop IP in a static route VRF statement is VRRP IP of another VRF, this static route does not get installed on the VRRP master. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. NOTE: To configure a router ID in a non-default VRF, configure at least one IP address in both the default as well as the nondefault VRF. Table 131.
Feature/Capability   Support Status for Default VRF   Support Status for Non-default VRF
OSPFv3               Yes                              Yes
IS-IS                Yes                              Yes
BGP                  Yes                              Yes
ACL                  Yes                              No
Multicast            No                               No
NDP                  Yes                              Yes
RAD                  Yes                              Yes
DHCP                 DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance.
Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them.
Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. See the Open Shortest Path First (OSPFv2) chapter for complete OSPF configuration information. Assign an OSPF process to a VRF instance. Return to CONFIGURATION mode to enable the OSPF process. The OSPF Process ID is the identifying number assigned to the OSPF process, and the Router ID is the IP address associated with the OSPF process.
ip vrf management 2 Assign a management port to a management VRF.
Figure 169.
Figure 170. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 Router 2 The following shows the output of the show commands on Router 1. Router 1 The following shows the output of the show commands on Router 2. Router 2 Route Leaking VRFs Static routes can be used to redistribute routes between non-default to default/non-default VRF and vice-versa. You can configure route leaking between two VRFs using the following command: ip route vrf x.x.
This command indicates that packets that are destined to x.x.x.x/s.s.s.s are reachable through nh.nh.nh.nh in the default VRF table. Meaning, the routes to x.x.x.x/s.s.s.s are leaked from the default VRF routing table into the non-default VRF routing table. NOTE: The Dell EMC Networking OS supports route leaking only for transit traffic. If the system receives a packet on one VRF which is destined to another VRF, the packet is routed to that destination.
ip vrf vrf-shared interface interface-type slot/port ip vrf forwarding vrf-shared ip address ip-address mask A non-default VRF named VRF-Shared is created and the interface 1/4 is assigned to this VRF. 2 Configure the export target in the source VRF: ip route-export 1:1 3 Configure VRF-red. ip vrf vrf-red interface interface-type slot/port ip vrf forwarding VRF-red ip address ip-address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
The show run output for the above configuration is as follows:
ip vrf VRF-Red
 ip route-export 2:2
 ip route-import 1:1
!
ip vrf VRF-Blue
 ip route-export 3:3
 ip route-import 1:1
!
ip vrf VRF-Green
!
ip vrf VRF-shared
 ip route-export 1:1
 ip route-import 2:2
 ip route-import 3:3
Show routing tables of all the VRFs (without any route-export and route-import tags being configured). Show routing tables of the VRFs (after route-export and route-import tags are configured).
You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map. For a reply communication, VRF-blue is configured with a route-export tag. This value is then configured as route-import tag on the VRF-Red.
! this action exports only the OSPF and BGP routes to other VRFs
!
ip vrf vrf-Blue
 ip route-export 2:2
 ip route-import 1:1 import_ospf_protocol
! this action accepts only OSPF routes from VRF-red even though both OSPF as well as BGP routes are shared
The show VRF commands display the following output: Important Points to Remember • Only Active routes are eligible for leaking. For example, if VRF-A has two routes from BGP and OSPF, in which the BGP route is not active.
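The tag-based leaking described above (a source VRF stamps an export tag on its routes, a target VRF imports every route carrying a tag it lists, an import route-map may admit only some protocols, and only active routes leak) can be modelled in a few lines. The block below is an added example, not Dell EMC Networking OS code; the VRF names follow the configuration above, while the prefixes, next hops and the "shadowed" inactive OSPF route are constructed sample data.

```python
"""Model of VRF route leaking with route-export / route-import tags.

Added example; it is not Dell EMC Networking OS code. It mirrors the behaviour
the chapter describes: a VRF tags the routes it exports, another VRF imports
every route carrying a tag it lists, an optional per-import filter (the
import_ospf_protocol route-map in the text) admits only some protocols, and
only active routes are eligible to leak. Prefixes and next hops are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str           # e.g. "172.16.0.0/24"
    next_hop: str
    protocol: str         # "ospf", "bgp", "static", "connected"
    active: bool = True   # an inactive route (e.g. shadowed by a better one) never leaks


@dataclass
class Vrf:
    name: str
    routes: list[Route] = field(default_factory=list)
    route_export: Optional[str] = None                  # tag stamped on exported routes
    route_import: dict = field(default_factory=dict)    # tag -> set of allowed protocols, None = all


def exported_routes(vrf: Vrf) -> list[tuple[str, Route]]:
    """Routes a VRF offers to other VRFs, each paired with its export tag."""
    if vrf.route_export is None:
        return []
    return [(vrf.route_export, r) for r in vrf.routes if r.active]


def leaked_table(target: Vrf, vrfs: list[Vrf]) -> list[Route]:
    """The target VRF's table after importing from every other VRF."""
    table = list(target.routes)
    for src in vrfs:
        if src is target:
            continue
        for tag, route in exported_routes(src):
            if tag not in target.route_import:
                continue                                  # target does not import this tag
            allowed = target.route_import[tag]
            if allowed is not None and route.protocol not in allowed:
                continue                                  # filtered by the import route-map
            table.append(route)
    return table


def build_sample() -> dict[str, Vrf]:
    """Constructed topology matching the VRF names in the show run output above."""
    shared = Vrf("VRF-shared", [
        Route("172.16.0.0/24", "10.0.0.1", "ospf"),
        Route("172.16.1.0/24", "10.0.0.1", "bgp"),
        Route("172.16.1.0/24", "10.0.0.9", "ospf", active=False),   # shadowed: must not leak
    ], route_export="1:1", route_import={"2:2": None, "3:3": None})
    red = Vrf("VRF-Red", [Route("10.2.0.0/24", "10.2.0.1", "connected")],
              route_export="2:2", route_import={"1:1": None})
    # VRF-Blue imports 1:1 through an OSPF-only filter, like import_ospf_protocol above
    blue = Vrf("VRF-Blue", [Route("10.3.0.0/24", "10.3.0.1", "connected")],
               route_export="3:3", route_import={"1:1": {"ospf"}})
    green = Vrf("VRF-Green", [Route("10.4.0.0/24", "10.4.0.1", "connected")])
    return {v.name: v for v in (shared, red, blue, green)}


def leaked_prefixes(name: str) -> list[str]:
    """Sorted active prefixes in the named VRF after leaking is applied."""
    vrfs = build_sample()
    table = leaked_table(vrfs[name], list(vrfs.values()))
    return sorted(r.prefix for r in table if r.active)


if __name__ == "__main__":
    for vrf_name in build_sample():
        print(vrf_name, leaked_prefixes(vrf_name))
```

VRF-Blue ends up with only the OSPF prefix from VRF-shared, VRF-Red with both the OSPF and the active BGP prefix, and neither receives the inactive OSPF copy of 172.16.1.0/24, which is the "only active routes are eligible" rule in action.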
62 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 171. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
NOTE: In a VLT environment, the VRRP configuration acts as active-active, and if a route is not present on one of the VRRP nodes, packets to that destination are dropped on that VRRP node. Table 133.
• NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group. INTERFACE mode no vrrp-group vrid Examples of Configuring and Verifying VRRP The following examples show how to configure VRRP. The following examples show how to verify the VRRP configuration.
You can configure up to 12 virtual IP addresses on a single VRRP group (VRID). The following rules apply to virtual IP addresses: • The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell EMC Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group.
INTERFACE-VRID mode priority priority The range is from 1 to 255. The default is 100. Examples of the priority Command To verify the VRRP group priority, use the show vrrp command. Configuring VRRP Authentication Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, Dell EMC Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.
Examples of Disabling Preempt Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting. The following example shows how to disable preempt using the no preempt command. The following example shows how to verify preempt is disabled using the show conf command.
Track an Interface or Object You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost). If the tracked interface’s state goes up, the VRRP group’s priority increases by 10.
• (Optional) Display the configuration of tracked objects in VRRP groups on a specified interface. EXEC mode or EXEC Privilege mode show running-config interface interface Examples of Configuring and Viewing the track Command The following example shows how to configure tracking using the track command. The following example shows how to verify tracking using the show conf command. The following example shows verifying the tracking status. The following example shows verifying the VRRP status.
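The priority arithmetic and election behaviour described in this chapter (priority 1 to 255 with a default of 100, each tracked interface or object that goes down subtracting its cost, default 10, preempt enabled by default, and a master that keeps its role on a priority tie even against a higher address) can be exercised with a small simulation. The block below is an added example written for this guide, not Dell EMC Networking OS code; router names, addresses, priorities and the tracked objects are constructed, and the floor of 1 on the effective priority is an assumption.

```python
"""Simulation of VRRP priority tracking and MASTER election.

Added example, not Dell EMC Networking OS code. Modelled rules: priority is
1-255 (default 100); every tracked interface or object that is down subtracts
its cost (default 10); the highest effective priority wins, ties broken by the
highest IP address; a router with preempt enabled (the default) takes over only
when its effective priority is strictly higher than the incumbent's, so equal
priorities leave the current MASTER in place. Router data is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

DEFAULT_PRIORITY = 100
DEFAULT_COST = 10
MIN_PRIORITY = 1      # assumption: the effective priority never drops below 1


@dataclass
class Tracked:
    """An interface or object a VRRP group tracks, with its cost."""
    name: str
    up: bool = True
    cost: int = DEFAULT_COST


@dataclass
class VrrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = True
    tracked: list[Tracked] = field(default_factory=list)

    def effective_priority(self) -> int:
        """Configured priority minus the cost of every tracked item that is down."""
        penalty = sum(t.cost for t in self.tracked if not t.up)
        return max(MIN_PRIORITY, self.priority - penalty)


def elect_master(routers: list[VrrpRouter], current_master: Optional[str] = None) -> str:
    """Return the name of the router that should hold the MASTER role.

    current_master names the incumbent; it keeps the role unless some router
    with preempt enabled has a strictly higher effective priority, or the
    incumbent has disappeared from the group.
    """
    ranked = sorted(routers,
                    key=lambda r: (r.effective_priority(), int(ip_address(r.ip))),
                    reverse=True)
    best = ranked[0]
    incumbent = next((r for r in routers if r.name == current_master), None)
    if incumbent is None:
        return best.name
    if best.preempt and best.effective_priority() > incumbent.effective_priority():
        return best.name
    return incumbent.name


def scenario() -> dict[str, str]:
    """Walk a constructed three-router group through tracking and preempt events."""
    uplink = Tracked("uplink-to-core")
    r1 = VrrpRouter("R1", "10.1.1.1", priority=120, tracked=[uplink])
    r2 = VrrpRouter("R2", "10.1.1.2", priority=105)
    r3 = VrrpRouter("R3", "10.1.1.3", priority=105)    # same priority as R2, higher address
    group = [r1, r2, r3]
    result = {}
    result["initial"] = elect_master(group)                        # R1: 120 beats 105
    uplink.up = False                                              # R1 falls to 110
    result["uplink_down"] = elect_master(group, "R1")              # R1 still highest
    r1.tracked.append(Tracked("server-vlan", up=False, cost=20))   # R1 falls to 90
    result["two_tracks_down"] = elect_master(group, "R1")          # R3: tie with R2, higher address
    for t in r1.tracked:
        t.up = True                                                # R1 back to 120
    result["recovered_preempt"] = elect_master(group, "R3")        # R1 preempts
    r1.preempt = False
    result["recovered_no_preempt"] = elect_master(group, "R3")     # R3 keeps the role
    result["tie_keeps_master"] = elect_master([r2, r3], "R2")      # equal priority: incumbent stays
    return result


if __name__ == "__main__":
    for event, master in scenario().items():
        print(f"{event:22s} MASTER = {master}")
```

The "tie_keeps_master" step reproduces the note in the sample configurations: R3 has the higher address but does not displace R2 while their priorities are equal, and "recovered_no_preempt" shows that disabling preempt on R1 leaves R3 as MASTER even after R1's tracked objects come back up.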
Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. Figure 173. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3.
VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands. VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN.
Figure 174. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Example of Configuring VRRP in a VRF on Switch-2 (Non-VLAN Configuration) VLAN Scenario In another scenario, to connect to the LAN, VRF-1, VRF-2, and VRF-3 use a single physical interface with multiple tagged VLANs (instead of separate physical interfaces). In this case, you configure three VLANs: VLAN-100, VLAN-200, and VLAN-300. Each VLAN is a member of one VRF.
Consider an example VRRP for IPv6 configuration in which the IPv6 VRRP group consists of two routers. Figure 175. VRRP for IPv6 Topology NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
Proxy Gateway with VRRP VLT proxy gateway solves the inefficient traffic trombone problem when VLANs are extended between data centers and when VMs are migrated between the two DCs. Starting from Dell EMC Networking OS 9.14.0.0, VRRP provides a much simpler method to solve the traffic trombone problem. This is achieved by configuring the same VRRP group ID on the extended L3 VLANs; VRRP stays active-active across all four VLT nodes even though they are in two different VLT domains.
• The core routers C1 and D1 in local VLT Domain along with C2 and D2 in the remote VLT Domain are part of a Layer 3 cloud. • The core routers C1, D1, C2, D2 are in a VRRP group with the same vrrp-group ID. When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed through the default gateway. The following examples show sample configurations of the core routers.
back-up destination 10.16.140.5
system-mac mac-address 00:00:aa:00:00:00
unit-id 1
peer-routing
interface port-channel 128
 channel-member ten 1/1/1
 channel-member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.3/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
 no shutdown
int vlan 100
 ip address 100.1.1.4/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
63 Debugging and Diagnostics This chapter describes debugging and diagnostics for the device. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
EXEC Privilege mode show system brief 3 Start diagnostics on the unit. diag stack-unit stack-unit-number When the tests are complete, the system displays the following message and automatically reboots the unit. DellEMC#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt Diags completed...
Example of the show interfaces transceiver Command
DellEMC#show interfaces fortyGigE 1/52 transceiver
QSFP 52 Serial ID Base Fields
QSFP 52 Id =
QSFP 52 Ext Id =
QSFP 52 Connector =
QSFP 52 Transceiver Code =
QSFP 52 Encoding =
QSFP 52 Length(SFM) Km =
QSFP 52 Length(OM3) 2m =
QSFP 52 Length(OM2) 1m =
QSFP 52 Length(OM1) 1m =
QSFP 52 Length(Copper) 1m =
QSFP 52 Vendor Rev =
QSFP 52 Laser Wavelength =
QSFP 52 CheckCodeBase =
QSFP 52 Serial ID Extended Fields
QSFP 52 BR max =
When the system detects a genuine over-temperature condition, it powers off the card. To recognize this condition, look for the following system messages: CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature high (temperature reaches or exceeds threshold of [value]C) CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is [value]C; approaching shutdown threshold of [value]C To view the programmed alarm thresholds levels, including the shutdown value, use the show alarms threshold command.
Table 134. SNMP Traps and OIDs
OID String                         OID Name               Description
.1.3.6.1.4.1.6027.3.10.1.2.5.1.6   chSysPortXfpRecvPower  Receiving Power: OID displays the receiving power of the connected optics.
.1.3.6.1.4.1.6027.3.10.1.2.5.1.8   chSysPortXfpTxPower    Transmitting power: OID displays the transmitting power of the connected optics.
.1.3.6.1.4.1.6027.3.10.1.2.5.1.    chSysPortXfpRecvTemp   Temperature: OID displays the temperature of the connected optics.
Similarly, when you configure buffer-profile global, you cannot apply a buffer profile on any single interface. A message similar to the following displays: % Error: Global pre-defined buffer profile already applied. Failed to apply user-defined buffer profile on interface Te 1/1. Please remove global pre-defined buffer profile. To apply a predefined buffer profile, use the following command: • Apply one of the predefined buffer profiles for all port pipes in the system.
Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs. The command output in the following example has been augmented, providing detailed RX/ TX packet statistics on a per-queue basis.
1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
A mini core dump contains critical information in the event of a crash. Mini core dump files are located in flash:/ (root dir). The application mini core filename format is f10StkUnit..acore.mini.txt. The kernel mini core filename format is f10StkUnit.kcore.mini.txt. The following are sample filenames. When a member or standby unit crashes, the mini core file is uploaded to the master unit.
64 Standards Compliance This chapter describes standards compliance for Dell EMC Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 9,216 bytes RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 135.
RFC#  Full Name  S-Series  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
            9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
            9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2474  Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers  7.7.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2615  PPP over SONET/SDH  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2698  A Two Rate Three Color Marker  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.
General IPv4 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv4 protocols. Table 136. General IPv4 Protocols
RFC#  Full Name  S-Series  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
791   Internet Protocol  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
            7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
826   An Ethernet Address Resolution Protocol  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.
General IPv6 Protocols The following table lists the Dell EMC Networking OS support per platform for general IPv6 protocols. Table 137. General IPv6 Protocols
RFC#  Full Name  S-Series  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
1886  DNS Extensions to support IP version 6  7.8.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
1981  Path MTU Discovery for IP version 6 (Partial)  7.8.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.
Border Gateway Protocol (BGP) The following table lists the Dell EMC Networking OS support per platform for BGP protocols. Table 138. Border Gateway Protocol (BGP)
RFC#  Full Name  S-Series/Z-Series  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
1997  BGP Communities Attribute  7.8.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2385  Protection of BGP Sessions via the TCP MD5 Signature Option  7.8.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2439  BGP Route Flap Damping  7.8.
Open Shortest Path First (OSPF) The following table lists the Dell EMC Networking OS support per platform for the OSPF protocol. Table 139. Open Shortest Path First (OSPF)
RFC#  Full Name  S-Series/Z-Series  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
1587  The OSPF Not-So-Stubby Area (NSSA) Option  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2154  OSPF with Digital Signatures  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
2370  The OSPF Opaque LSA Option  7.6.1  9.8(0.
RFC#  Full Name  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
3784  Intermediate System to Intermediate System (IS-IS) Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS)  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
5120  MT-ISIS: Multi Topology (MT) Routing in Intermediate System to Intermediate Systems (ISISs)  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
5306  Restart Signaling for IS-IS  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.
Multicast The following table lists the Dell EMC Networking OS support per platform for the Multicast protocol. Table 142. Multicast
RFC#  Full Name  S-Series  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
1112  Host Extensions for IP Multicasting  7.8.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
2236  Internet Group Management Protocol, Version 2  7.8.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.10(0.1)  9.10(0.1)
3376  Internet Group Management Protocol, Version 3  7.8.1  9.8(0.0P2)  9.8(0.
RFC#  Full Name  S4810  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
      dot1dTpLearnedEntryDiscards object]  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
1724  RIP Version 2 MIB Extension
1850  OSPF Version 2 Management Information Base  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
1901  Introduction to Community-based SNMPv2  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
2011  SNMPv2 Management Information Base for the Internet Protocol using SMIv2  7.6.1  9.8(0.
RFC#  Full Name  S4810  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
      Internet-standard Network Management Framework
2578  Structure of Management Information Version 2 (SMIv2)  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
2579  Textual Conventions for SMIv2  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
2580  Conformance Statements for SMIv2  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.
RFC#  Full Name  S4810  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
      Network Management Protocol (SNMP)
3418  Management Information Base (MIB) for the Simple Network Management Protocol (SNMP)  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
3434  Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits)  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
3580  IEEE 802.
RFC#  Full Name  S4810  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
            9.2(0.0)  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
      isisISAdjIPAddrTable isisISAdjProtSuppTable
draft-ietf-netmod-interfaces-cfg-03  Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature.
IEEE 802.1AB  Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components.  7.7.1  9.8(0.0P2)  9.8(0.
RFC#  Full Name  S4810  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
            9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
            7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
            7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
FORCE10-CHASSIS-MIB  Force10 E-Series Enterprise Chassis MIB  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
FORCE10-COPY-CONFIG-MIB  Force10 File Copy MIB (supporting SNMP SET operation)  7.7.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.
RFC#  Full Name  S4810  S3048–ON  S4048–ON  Z9100–ON  S4048T-ON  S6010–ON
FORCE10-TC-MIB  Force10 Textual Convention  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
FORCE10-TRAPALARM-MIB  Force10 Trap Alarm MIB  7.6.1  9.8(0.0P2)  9.8(0.0P5)  9.8(1.0)  9.8(1.0)  9.8(1.0)
ONENT-MIB
MIB Location You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/Documentation.
65 X.509v3 Dell EMC Networking OS supports X.509v3 standards. Topics: • Introduction to X.509v3 certificates • X.509v3 support in Dell EMC Networking OS • Information about installing CA certificates • Information about Creating Certificate Signing Requests (CSR) • Information about installing trusted certificates • Transport layer security (TLS) • Online Certificate Status Protocol (OCSP) • Verifying certificates • Event logging Introduction to X.509v3 certificates X.
1 An entity or organization that wants a digital certificate requests one through a CSR. 2 To request a digital certificate through a CSR, a key pair is generated and the CSR is signed using the secret private key. The CSR contains information identifying the applicant and the applicant's public key. This public key is used to verify the signature of the CSR and the Distinguished Name (DN). 3 This CSR is sent to a Certificate Authority (CA).
The Root CA generates a private key and a self-signed CA certificate. The Intermediate CA generates a private key and a Certificate Signing Request (CSR). Using its private key, the root CA signs the intermediate CA’s CSR generating a CA certificate for the Intermediate CA. This intermediate CA can then sign certificates for hosts in the network and also for further intermediate CAs.
During the initial TLS protocol negotiation, both participating parties also check whether the other's certificate has been revoked by the CA. To do this check, the devices query the CA's designated OCSP responder on the network. The OCSP responder information is included in the presented certificate (the Intermediate CA inserts it upon signing), or it may be statically configured on the host. Information about installing CA certificates Dell EMC Networking OS enables you to download and install X.
If you do not specify the cert-file option, the system prompts you to enter metadata information related to the CSR as follows: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields there will be a default value; if you enter '.', the field will be left blank.
NOTE: The command contains multiple options with the Common Name being a required field and blanks being filled in for unspecified fields. Information about installing trusted certificates Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to the TLS server implementations that require client authentication such as Syslog.
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS compression is disabled by default. TLS session resumption is also supported to reduce the processor and traffic overhead of public key cryptographic operations and handshake traffic. The maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable, with a default of 1 hour.
NOTE: If you have an IPv6 address in the URL, then enclose this address in square brackets. For example, http://[1100::203]:6514. Configuring OCSP behavior You can configure how the OCSP requests and responses are signed when the CA or the device contacts the OCSP responders. To configure this behavior, follow this step: In CONFIGURATION mode, enter the following command: crypto x509 ocsp {[nonce] [sign-request]} Both the nonce and sign-request parameters are optional.
Verifying Server certificates Verifying server certificates is mandatory in the TLS protocol. As a result, all TLS-enabled applications require certificate verification, including Syslog servers. The system checks the Server certificates against installed CA certificates. NOTE: As part of the certificate verification, the hostname or IP address of the server is verified against the hostname or IP address specified in the application.
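The note above says the hostname or IP address of the server is checked against the identity configured in the application (for example the Syslog server address), which is the server identity step that follows chain validation. The block below is an added example, not Dell EMC Networking OS code, of how such a check is commonly done once the certificate's subjectAltName has been parsed: a DNS name must match a dNSName entry exactly (case-insensitively) or through a wildcard confined to the leftmost label, while an IP address matches only an iPAddress entry, never a dNSName string. The SAN list and the identities tested are constructed sample data.

```python
"""Server identity check against a certificate's subjectAltName entries.

Added example, not Dell EMC Networking OS code. It assumes the SAN extension
has already been parsed into (type, value) pairs and applies the usual rules:
dNSName entries match exactly, ignoring case and a trailing dot, or through a
single wildcard that must be the entire leftmost label and must cover exactly
one label; an IP address matches only an iPAddress entry. The SAN list is
constructed.
"""
from __future__ import annotations

from ipaddress import ip_address


def _dns_name_matches(pattern: str, name: str) -> bool:
    """Match one configured hostname against one dNSName pattern."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # the wildcard must be the whole leftmost label, be the only wildcard,
    # and leave at least two fixed labels (so "*.net" is rejected)
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(n_labels):
        return False        # a wildcard stands for exactly one label, never several
    return n_labels[0] != "" and p_labels[1:] == n_labels[1:]


def server_identity_matches(configured: str, san_entries: list[tuple[str, str]]) -> bool:
    """True if the identity the application was configured with is in the SAN list."""
    try:
        ip = ip_address(configured.strip("[]"))    # IPv6 literals may be written in brackets
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            # an IP identity is only ever satisfied by an iPAddress entry
            if kind == "iPAddress" and ip_address(value) == ip:
                return True
        elif kind == "dNSName" and _dns_name_matches(value, configured):
            return True
    return False


# constructed: what a parsed subjectAltName extension of a log server might yield
SAMPLE_SAN = [
    ("dNSName", "syslog.example.net"),
    ("dNSName", "*.logs.example.net"),
    ("iPAddress", "192.0.2.10"),
    ("iPAddress", "2001:db8::10"),
]


if __name__ == "__main__":
    for identity in ("syslog.example.net", "collector.logs.example.net",
                     "a.b.logs.example.net", "192.0.2.10", "[2001:db8::10]"):
        print(f"{identity:28s} {server_identity_matches(identity, SAMPLE_SAN)}")
```

The last assertion in the check list is the one that matters for the IP-address case in the note: a certificate that carries "192.0.2.10" only as a dNSName string does not authenticate a server configured by that address.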