Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N2200-ON, N3000ON, and N3100-ON Switches User’s Configuration Guide Version 6.6.
Notes and Cautions

NOTE: A NOTE indicates important information that helps you make better use of your computer.

CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.

Information in this publication is subject to change without notice.
Copyright © 2019 Dell EMC Inc. All rights reserved. Reproduction of these materials in any manner whatsoever without the written permission of Dell Inc. is strictly forbidden. This product is protected by U.
Contents

1 Introduction; About This Document; Audience; Document Conventions; Additional Documentation; 2 Switch Feature Overview; System Management Features; Log Messages
Single IP Management; Nonstop Forwarding on the Stack; Hot Add/Delete and Firmware Synchronization; Security Features; Configurable Access and Authentication Profiles; TACACS+ Client; RADIUS Support; Strong Password Enforcement; SSH/SSL
Legacy (Reduced Capacitor) Detection; Classification; Port Start Up; Disconnect Detection; IC Thermal Monitoring; Overload Detection and Port Shutdown; Over-Temperature Protection; 4-Pair Ports; IEEE 802.3bt Capability
Connectivity Fault Management (IEEE 802.1ag); Cisco Protocol Filtering; DHCP Layer-2 Relay; Virtual Local Area Network Supported Features; VLAN Support; Port-Based VLANs; MAC-based VLAN; IP Subnet-based VLAN
Open Shortest Path First (OSPF); Border Gateway Protocol (BGP); Virtual Routing and Forwarding (VRF); BOOTP/DHCP Relay Agent; IP Helper and DHCP Relay; Routing Information Protocol; Router Discovery; Routing Table
Protocol Independent Multicast—Dense Mode; Protocol Independent Multicast—Sparse Mode; Protocol Independent Multicast—Source Specific Multicast; Protocol Independent Multicast IPv6 Support; MLD/MLDv2 (RFC2710/RFC3810); 3 Hardware Overview; Dell EMC Networking N1100-ON Series Switch Hardware; N1100-ON Series Front Panel
Power Consumption for N2100-ON Series PoE Switches; Dell EMC Networking N2200-ON Series Switch Hardware; N2200-ON Series Front Panel; N2200-ON Series Rear Panel; N2200X-ON Series Switch Ports; N2200-ON Series Console Port; N2200-ON Series USB Port; N2200-ON Series Reset Button; N2200-ON Series Port and System LEDs
Understanding the Device View; Using the Device View Port Features; Using the Device View Switch Locator Feature; 5 Using the Command-Line Interface; Accessing the Switch Through the CLI; Console Connection; Telnet Connection; Understanding Command Modes; Entering CLI Commands
Default Network Information; Configuring Basic Network Information (Web); Out-of-Band Interface; IP Interface Configuration (Default VLAN IP Address); Route Entry Configuration (Switch Default Gateway); Domain Name Server; Default Domain Name; Host Name Mapping; Dynamic Host Name Mapping
Removing a Switch from the Stack; What is Stacking Standby?; How is the Firmware Updated on the Stack?; What is Nonstop Forwarding?; Switch Stack MAC Addressing and Stack Design Considerations; NSF Network Design Considerations; Why is Stacking Needed?; Default Stacking Values
NSF and the Storage Access Network; NSF and Routed Access; 9 Authentication, Authorization, and Accounting; AAA Introduction; Methods; Method Lists; Access Lines
What is IEEE 802.1X?; What are Authentication Host Modes?; What is MAC Authentication Bypass?; What are the 802.1X Port Authentication Modes?; What is the Role of 802.1X in VLAN Assignment?; What is Monitor Mode?; How Does the Authentication Server Assign DiffServ Policy or ACLs?
Monitoring System Information and Configuring Logging (Web); Device Information; System Health; System Resources; Unit Power Usage History; Integrated Cable Test for Copper Cables; Optical Transceiver Diagnostics; Log Global Settings; RAM Log; Log File
What Are SDM Templates?; How Does SNTP Work?; Why is the System Time Needed?; What Configuration Is Required for Plug-In Modules?; Default General System Information; Configuring General System Settings (Web); System Information; CLI Banner; SDM Template Preference; Clock; SNTP Global Settings
Configuring SNTP; Configuring the Time Manually; 12 SNMP; SNMP Overview; What Is SNMP?; What Are SNMP Traps?; Why Is SNMP Needed?; Default SNMP Values; Configuring SNMP (Web)
13 Images and File Management; Image and File Management Overview; What Files Can Be Managed?; Why Is File Management Needed?; What Methods Are Supported for File Management?; What Factors Should Be Considered When Managing Files?; Managing Images and Files (Web); File System
What Files Does USB Auto Configuration Use?; How Does USB Auto Configuration Use the Files on the USB Device?; What Is the Setup File Format?; What Is the DHCP Auto Configuration Process?; Monitoring and Completing the DHCP Auto Configuration Process; What Are the Dependencies for DHCP Auto Configuration?
Why is Traffic Monitoring Needed?; Default Traffic Monitoring Values; Monitoring Switch Traffic (Web); sFlow Agent Summary; sFlow Receiver Configuration; sFlow Sampler Configuration; sFlow Poll Configuration; Interface Statistics; Etherlike Statistics; GVRP Statistics; EAP Statistics; Utilization Summary
Configuring RMON; Configuring Remote Capture; Configuring RSPAN; 16 iSCSI Optimization; iSCSI Optimization Overview; What Does iSCSI Optimization Do?; What Occurs When iSCSI Optimization Is Enabled or Disabled?
What Physical Port Characteristics Can Be Configured?; Auto-Negotiation; Maximum Transmission Unit; What is Link Dependency?; What Interface Types are Supported?; What is Interface Configuration Mode?; What Are the Green Ethernet Features?; Switchport Modes; Default Port Values
Denial of Service; 19 Access Control Lists; ACL Overview; ACL Counters; What Are IP ACLs?
IPv6 ACL Rule Configuration; ACL Binding Configuration; Time Range Configuration; Configuring ACLs (CLI); Configuring an IPv4 ACL; ACL Configuration Examples; Basic Rules; Internal System ACLs
GVRP Parameters; Protocol Group; Adding a Protocol Group; Double VLAN Global Configuration; Double VLAN Interface Configuration; Voice VLAN; Configuring VLANs (CLI); Creating a VLAN; Configuring VLAN Settings for a LAG; Configuring Double VLAN Tagging
MSTP with Multiple Forwarding Paths; MSTP and VLAN IDs; What are the Optional STP Features?; RSTP-PV; DirectLink Rapid Convergence; IndirectLink Rapid Convergence Feature; Interoperability Between STP-PV and RSTP-PV Modes; Interoperability With IEEE Spanning Tree Protocols; Configuration Examples; Default STP Values
22 Discovering Network Devices; Device Discovery Overview; What Is ISDP?; What is IPDT?; What is LLDP?; What is LLDP-MED?
Device Discovery Configuration Examples; Configuring ISDP; Configuring LLDP; Configuring IPDT; 23 Port-Based Traffic Control; Port-Based Traffic Control Overview; What is Flow Control?; What is Storm Control?; What is Error Recovery?
What Are the Multicast Bridging Features?; What Is L2 Multicast Traffic?; What Is IGMP Snooping?; What Is MLD Snooping?; What Is Multicast VLAN Registration?; When Are Layer-3 Multicast Features Required?; What Are GARP and GMRP?; Snooping Switch Restrictions; MAC Address-Based Multicast Group
MVR Statistics; GARP Timers; GMRP Parameters; MFDB GMRP Table; Configuring L2 Multicast Features (CLI); Configuring Layer-2 Multicasting; Configuring IGMP Snooping on VLANs; Configuring IGMP Snooping Querier
Dot1ag L2 Traceroute; Dot1ag Statistics; Dot1ag L2 Traceroute Cache; Configuring Dot1ag (CLI); Configuring Dot1ag Global Settings and Creating Domains; Configuring MEP Information; Dot1ag Ping and Traceroute; Dot1ag Configuration Example; 26 Ethernet Ring Protection
ERPS Subrings; Topology Change Notification; Protection Switching Triggers; Without R-APS Virtual Channel; With R-APS Virtual Channel; Ring Failure Detection; 27 Snooping and Inspecting Traffic; Traffic Snooping and Inspection Overview
DAI ACL Configuration; DAI ACL Rule Configuration; DAI Statistics; Configuring Traffic Snooping and Inspection (CLI); Configuring DHCP Snooping; Configuring IP Source Guard; Configuring Dynamic ARP Inspection; Traffic Snooping and Inspection Configuration Examples
A Complete MLAG Example; 29 MAC Addressing and Forwarding; MAC Address Table Overview; What Information Is in the MAC Address Table?; How Is the Address Table Populated?; How Is the MAC Address Table Maintained Across a Stack?; Default MAC Address Table Values; Managing the MAC Address Table (Web); Static Address Table
DHCP Server Reset Configuration; DHCP Server Statistics; Configuring the DHCP Server (CLI); Configuring a Dynamic Address Pool; Configuring a Static Address Pool; Monitoring DHCP Server Information; DHCP Server Configuration Examples; Configuring a Dynamic Address Pool; Configuring a Static Address Pool
Configuring IP Routing Features (CLI); Configuring Global IP Routing Settings; Configuring ARP Settings; Configuring Router Discovery (IRDP); Configuring Route Table Entries and Route Preferences; IP Routing Configuration Example
33 Layer-2 and Layer-3 Relay Features; L2 and L3 Relay Overview; What Is L2 DHCP Relay?; What Is L3 DHCP Relay?; What Is the IP Helper Feature?; Default L2/L3 Relay Values; Configuring L2 and L3 Relay Features (Web); L2 DHCP Relay Global Configuration
Stub Router; LSA Pacing; Flood Blocking; MTU; OSPFv3 MIB Support; Default OSPF Values; Configuring OSPF Features (Web); OSPF Configuration; OSPF Area Configuration
OSPFv3 Virtual Link Configuration; OSPFv3 Virtual Link Summary; OSPFv3 Route Redistribution Configuration; OSPFv3 Route Redistribution Summary; NSF OSPFv3 Configuration; Configuring OSPF Features (CLI); Configuring Global OSPF Settings; Configuring OSPF Interface Settings; Configuring Stub Areas and NSSAs
35 VRF; VRF Resource Sharing; VRF ARP Entries; VRF Route Entries; 36 RIP; RIP Overview; What Is Split Horizon?; RIP Configuration
What Is VRRP Preemption?; What Is VRRP Accept Mode?; What Are VRRP Route and Interface Tracking?; VRRP and OSPF Interoperability; Default VRRP Values; Configuring VRRP Features (Web); VRRP Configuration
Authentication; Outbound Update Groups; Resolving Interface Routes; Originating BGP Routes; Equal Cost Multipath (ECMP); BGP Next-Hop Resolution; Routing Policy; Inbound Policy
Campus Network MP-BGP and OSPF Configuration; Configuring MP-eBGP and Extended Communities; 39 Bidirectional Forwarding Detection; Overview; BFD Operational Modes; Asynchronous Mode; Demand Mode; Echo Function; Limitations
DHCPv6 Client Parameters; DHCPv6 Client Statistics; IPv6 Router Entry Configuration; IPv6 Route Table; IPv6 Route Preferences; Configured IPv6 Routes; Configuring IPv6 Routing Features (CLI); Configuring Global IP Routing Settings; Configuring IPv6 Interface Settings
DHCPv6 Statistics; Configuring the DHCPv6 Server and Relay (CLI); Configuring Global DHCP Server and Relay Agent Settings; Configuring a DHCPv6 Pool for Stateless Server Support; Configuring a DHCPv6 Pool for Specific Hosts
Configuring DiffServ (CLI); DiffServ Configuration (Global); DiffServ Class Configuration for IPv4; DiffServ Class Configuration for IPv6; DiffServ Protocol Matching; DiffServ Policy Creation
Mapping Table Configuration; Interface Configuration; Interface Queue Configuration; Interface Queue Drop Precedence Configuration; Configuring CoS (CLI); Mapping Table Configuration; CoS Interface Configuration Commands; Interface Queue Configuration
What Is IP Multicast Traffic?; Multicast Addressing; What Multicast Protocols Does the Switch Support?; What Are the Multicast Protocol Roles?; When Is L3 Multicast Required on the Switch?; What Is the Multicast Routing Table?; What Is IGMP?; What Is MLD?
Configuring MLD and MLD Proxy (Web); MLD Global Configuration; MLD Routing Interface Configuration; MLD Routing Interface Summary; MLD Routing Interface Cache Information; MLD Routing Interface Source List Information; MLD Traffic; MLD Proxy Configuration; MLD Proxy Configuration Summary
Configuring and Viewing MLD; Configuring and Viewing MLD Proxy; Configuring and Viewing PIM-DM for IPv4 Multicast Routing; Configuring and Viewing PIM-DM for IPv6 Multicast Routing; Configuring and Viewing PIM-SM for IPv4 Multicast Routing; Configuring and Viewing PIM-SM for IPv6 Multicast Routing
Usage Scenarios; OpenFlow Hybrid; Eligible Interfaces; Example Configuration; Interaction with Other Switch Functions; OpenSSL; IP Stack; LAGs
Index
1 Introduction

The switches in the N-Series are stackable Layer-2 and Layer-3 switches. These switches include the following features:
• 1U form factor, rack-mountable chassis design.
• Support for all data-communication requirements for a multi-layer switch, including Layer-2 switching, IPv4 routing, IPv6 routing, IP multicast, quality of service, security, and system management features.
• High availability with automatic failover and checkpointing of dynamic state.
examples or text may vary from the allowed range on any particular switch due to product limitations. Refer to the Feature Limits and Platform Constants section located in the Appendix of this document for range limits relevant to a particular switch model.

Audience
This guide is for network administrators in charge of managing one or more Dell EMC Networking N-Series switches.
Additional Documentation
The following documents for the Dell EMC Networking N-Series switches are available at www.dell.com/support:
• Getting Started Guide—provides information about the switch models in the series, including front and back panel features. It also describes the installation and initial configuration procedures.
• CLI Reference Guide—provides information about the command-line interface (CLI) commands used to configure and manage the switch.
2 Switch Feature Overview

This section describes the switch user-configurable software features.
NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download.
System Management Features

Multiple Management Options
Any of the following methods can be used to manage the switch:
• Use a web browser to access the Dell EMC OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages. Dell EMC Networking N-Series switches support HTTP and HTTPS over IPv4 or IPv6.
• Use a Telnet client, SSH client, or a direct console connection to access the CLI.
For information about configuring system time settings, see "Managing General System Settings" on page 431.

Log Messages
The switch maintains in-memory log messages as well as persistent logs. Remote logging can be configured so that the switch sends log messages to a remote syslog server. The switch can also be configured to email log messages to a configured SMTP server. This allows the administrator to receive the log message in a specified e-mail account.
Dell EMC Networking N-Series switches include an integrated DHCP server that can deliver host-specific configuration information to hosts on the network. The switch DHCP server allows the configuration of IPv4 address pools (scopes), and when a host’s DHCP client requests an address, the switch DHCP server automatically assigns the host an address from the pool. For information about configuring the DHCP server settings, see "DHCP Server Settings" on page 1125.
File Management
Files, such as configuration files and system images, can be uploaded and downloaded using HTTP (web only), TFTP, Secure FTP (SFTP), or Secure Copy (SCP). Configuration file uploads from the switch to a server are a good way to back up the switch configuration. A configuration file can also be downloaded from a server to the switch to restore the switch to the configuration in the downloaded file.
NOTE: Automatic migration of the startup configuration to the next version of firmware from the current and previous versions of firmware is supported; the syntax is automatically updated when it is read into the running-config. Check the release notes to determine if any parts of the configuration cannot be migrated. Save the running-config to maintain the updated syntax. Migration of configuration is not assured on a firmware downgrade.
CDP Interoperability Through ISDP
Industry Standard Discovery Protocol (ISDP) allows the Dell EMC Networking N-Series switch to interoperate with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is a proprietary Layer-2 network protocol which inter-operates with Cisco network equipment and is used to share information between neighboring devices (routers, bridges, access servers, and switches). For information about configuring ISDP settings, see "Discovering Network Devices" on page 881.
N2000 and N2100-ON Series switches have two fixed mini-SAS stacking connectors at the rear. Any unit may be the stack master. The mixed stacking image name is N2000N2100Stdv6.5.1.X.itb. Dell EMC Networking N2100-ON and N2000 switch series firmware is also available without mixed stacking capabilities. These images are named as follows:
N2100Stdv6.5.1.X.stk - N2100 only stack
N2000Stdv6.5.1.X.
Master Failover with Transparent Transition
The stacking feature supports a standby or backup unit that assumes the stack master role if the stack master fails. As soon as a stack master failure is detected, the standby unit initializes the control plane and enables all other stack units with the current configuration. The standby unit maintains a synchronized copy of the running configuration for the stack.
Security Features

Configurable Access and Authentication Profiles
Rules can be configured to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. The user can also be required to be authenticated locally or by an external server, such as a RADIUS server. For information about configuring access and authentication profiles, see "Authentication, Authorization, and Accounting" on page 253.
RADIUS Support
The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32 named authentication and accounting RADIUS servers. The switch also supports configuration of multiple RADIUS Attributes and accepts RADIUS COA termination requests. The switch can also be configured to accept RADIUS-assigned VLANs, ACLs and DiffServ Policies. For information about configuring RADIUS client settings, see "Authentication, Authorization, and Accounting" on page 253.
Port Protection
A port may be put into the error-disabled state for any of the following reasons:
• BPDU Storm: By default, if Spanning Tree Protocol (STP) bridge protocol data units (BPDUs) are received at a rate of 15 pps or greater for three consecutive seconds on a port, the port will be error-disabled. The threshold is not configurable.
• ICMP storms: Ports on which ICMP storms are detected are error-disabled. The rate limit and burst sizes are configurable separately for IPv4 and IPv6.
• PML: Interfaces on which the port security violation action is configured to shut down the interface are error-disabled when a violation occurs.
• Loop Protect: Loop protection diagnostically disables ports on which a loop is detected. A log message may be issued when a port is disabled by Loop Protection.
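The two rate-based error-disable triggers above can be reproduced on per-second counters to see exactly when a port would be shut down. The following is an added example, not code from Dell EMC or this guide: the BPDU rule uses the fixed numbers the guide states (15 pps for three consecutive seconds), while the ICMP storm check is modeled as a token bucket with a configurable rate and burst, which is an assumption about the mechanism since the guide only says those two values are configurable. The per-second counts are constructed sample data.

```python
from typing import List, Optional

# Values stated in the guide for the BPDU storm trigger (not configurable on the switch).
BPDU_PPS_THRESHOLD = 15
BPDU_CONSECUTIVE_SECONDS = 3


def bpdu_storm_errdisable_second(per_second_bpdus: List[int],
                                 threshold: int = BPDU_PPS_THRESHOLD,
                                 consecutive: int = BPDU_CONSECUTIVE_SECONDS) -> Optional[int]:
    """Return the 1-based second at which a port enters error-disabled, or None.

    per_second_bpdus[i] is the number of BPDUs received on the port during
    one-second interval i. A second below the threshold resets the streak, so
    only *consecutive* over-threshold seconds trip the port.
    """
    streak = 0
    for second, count in enumerate(per_second_bpdus, start=1):
        streak = streak + 1 if count >= threshold else 0
        if streak >= consecutive:
            return second
    return None


def icmp_storm_errdisable_second(per_second_icmp: List[int],
                                 rate: int, burst: int) -> Optional[int]:
    """Token-bucket model (assumption) of the configurable ICMP rate/burst limit.

    The bucket holds at most `burst` tokens and refills by `rate` tokens each
    second. The first second in which more ICMP packets arrive than tokens are
    available is treated as a storm and the port is error-disabled.
    """
    tokens = burst
    for second, count in enumerate(per_second_icmp, start=1):
        tokens = min(burst, tokens + rate)
        if count > tokens:
            return second
        tokens -= count
    return None


def errdisable_report(port: str, bpdus: List[int], icmp: List[int],
                      icmp_rate: int, icmp_burst: int) -> List[str]:
    """Produce syslog-style lines (constructed format) for whatever tripped the port."""
    lines = []
    s = bpdu_storm_errdisable_second(bpdus)
    if s is not None:
        lines.append(f"{port}: BPDU storm (>= {BPDU_PPS_THRESHOLD} pps for "
                     f"{BPDU_CONSECUTIVE_SECONDS} s) - error-disabled at second {s}")
    s = icmp_storm_errdisable_second(icmp, icmp_rate, icmp_burst)
    if s is not None:
        lines.append(f"{port}: ICMP storm (rate {icmp_rate}, burst {icmp_burst}) "
                     f"- error-disabled at second {s}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a port that sees a BPDU burst interrupted after two
    # seconds, then a sustained one, plus a moderate ICMP stream.
    sample_bpdus = [20, 20, 10, 20, 20, 20]
    sample_icmp = [15, 15, 15]
    for line in errdisable_report("Gi1/0/7", sample_bpdus, sample_icmp, icmp_rate=10, icmp_burst=20):
        print(line)
```

Run as a script it prints one line per trigger; the functions return the second at which the port would be disabled so the same logic can be reused against counters exported from the switch.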
supported; however, the switch will transport encrypted packets, such as PEAP or EAP-TLS packets, between the supplicant and authentication server in support of mutual authentication and privacy. For information about configuring IEEE 802.1X settings, see "IEEE 802.1X" on page 318.

MAC-Based 802.1X Authentication
MAC-based authentication allows multiple supplicants connected to the same port to each authenticate individually.
Port Security
The port security feature limits access on a port to users with specific MAC addresses. These addresses are manually defined or learned on that port. When a frame is seen on a locked port, and the frame source MAC address is not tied to that port, the protection mechanism is invoked. For information about configuring port security, see "Port and System Security" on page 663.
IP Source Guard (IPSG)
IP source guard (IPSG) is a security feature that filters IP packets based on a source identifier. The source identifier is either the source IP address alone, or the source IP address and source MAC address pair, as found in the local DHCP snooping database. IPSG depends on DHCP snooping to associate IP addresses with MAC addresses. For information about configuring IPSG, see "Snooping and Inspecting Traffic" on page 1009.
For information about configuring IPSG, see "Port-Based Traffic Control" on page 907.
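As an added example (not the switch's own code), the following Python models the IPSG decision described above: a DHCP snooping binding table keyed by ingress port, a selectable source ID of either the source IP or the source IP/MAC pair, and a filter that drops packets whose source does not match a binding on that port. The binding listing format, the interface names, the packet records, and the pass-through of DHCP packets sourced from 0.0.0.0 are assumptions for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding database (or a static entry)."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Packet:
    port: str      # ingress interface
    vlan: int
    src_mac: str
    src_ip: str


def parse_bindings(text):
    """Parse a constructed 'MAC IP VLAN PORT' listing into Binding objects.

    The column layout is an assumption for this example, not the format of
    the switch's own binding-table display."""
    bindings = []
    for line in text.strip().splitlines():
        mac, ip, vlan, port = line.split()
        bindings.append(Binding(mac.lower(), ip, int(vlan), port))
    return bindings


class IpSourceGuard:
    """source_id='ip' matches the source IP only; 'ip-mac' also requires the
    source MAC to match the binding, which is the stronger check."""

    def __init__(self, bindings, source_id="ip"):
        if source_id not in ("ip", "ip-mac"):
            raise ValueError("source_id must be 'ip' or 'ip-mac'")
        self.source_id = source_id
        self.by_port = {}
        for b in bindings:
            self.by_port.setdefault(b.port, []).append(b)
        self.enabled_ports = set()

    def enable(self, port):
        self.enabled_ports.add(port)

    def permit(self, pkt):
        if pkt.port not in self.enabled_ports:
            return True                 # not an IPSG-protected port
        if pkt.src_ip == "0.0.0.0":     # assumption: let DHCP DISCOVER/REQUEST
            return True                 # through so the client can get a lease
        for b in self.by_port.get(pkt.port, ()):
            if b.vlan != pkt.vlan or b.ip != pkt.src_ip:
                continue
            if self.source_id == "ip" or b.mac == pkt.src_mac.lower():
                return True
        return False

    def filter(self, packets):
        """Returns (permitted, dropped) lists in arrival order."""
        permitted, dropped = [], []
        for pkt in packets:
            (permitted if self.permit(pkt) else dropped).append(pkt)
        return permitted, dropped


# Constructed snooping database for the demonstration.
SAMPLE_BINDINGS = """
00:11:22:33:44:55 10.1.1.10 10 Gi1/0/1
00:11:22:33:44:66 10.1.1.11 10 Gi1/0/2
"""

if __name__ == "__main__":
    guard = IpSourceGuard(parse_bindings(SAMPLE_BINDINGS), source_id="ip-mac")
    guard.enable("Gi1/0/1")
    spoof = Packet("Gi1/0/1", 10, "00:11:22:33:44:55", "10.1.1.11")
    print(guard.permit(spoof))   # False: leased to the host on Gi1/0/2
```

The ip-mac mode is the one to prefer where it is available: with an IP-only source ID, a host that clones a neighbour's leased address but keeps its own MAC gets through, which the example makes visible by running the same spoofed packet through both modes.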
Green Technology Features

For information about configuring Green Technology features, see "Port Characteristics" on page 631.

Energy Detect Mode
When Energy Detect mode is enabled and the port link is down, the PHY automatically powers down for a short period of time and then wakes up periodically to check for link pulses. This mode reduces power consumption on the port when no link partner is present. Energy Detect is proprietary and operates independently from EEE.
Power over Ethernet (PoE) Features

Dell EMC Networking PoE switches implement IEEE 802.3af and IEEE 802.3at functionality as well as detection of legacy (capacitor) and pre-standard PDs. IEEE 802.3bt capability is also supported on the N2200 models. Additional protections, such as short-circuit and dV/dT protection at start-up, are also supported.

PD Detection
The PD detection feature detects a valid AF or AT load, as specified in the AF/AT standards.
• In AF mode, the classification mechanism is based on a single event, and the device is classified as a Type 1 PD.
• In AT mode, the classification mechanism is based on two events as defined in IEEE 802.3at-2009, and the device is classified as a Type 1 or a Type 2 PD.

Port Start Up
Upon successful detection and classification, power is applied to the load using a controlled start-up mechanism.
4-Pair Ports
To deliver more than 30 W to the PD, 4-pair powering is used. 4-pair powering uses all eight Registered Jack-45 (RJ-45) wires for delivering power. It is implemented with two separate front-ends, each capable of delivering maximum AT power, enabling delivery of 60 W over four pairs. The two front-ends drive separate pairs and are connected together inside the PD.
IEEE 802.3bt Capability
The Dell Networking N2224PX-ON/N2248PX-ON switches implement IEEE 802.3bt Type 3 power sourcing equipment (PSE) capability and can negotiate power capabilities with the powered device via LLDP. IEEE 802.3bt support allows 2-pair Class 0-4, 4-pair Class 0-4, and 4-pair Class 5-6 power. There are two modes of operation, determined by the power inline detection configuration.
Table 2-1. Switch PoE Capabilities

Technology             Maximum Power (at PSE)
PoE (802.3af)          15.4W
PoE+ (802.3at)         30W
PoE 60W (four-pair)    60W
802.3bt Type 3         60W
802.3bt Type 4         99W

Table 2-2.
Table 2-3. IEEE 802.3bt Class Power Limits and Margin (Continued)

Class  Limit  Margin
3      15.4W  +6%
4      30W    +6%
5      45W    +6%
6      60W    +6%
7      75W    +6%
8      90W    +6%

Table 2-4. IEEE 802.3at Class Power Limits and Margin

Class              Limit  Margin
0                  16.4W  +5%
1                  5W     +5%
2                  8W     +5%
3                  16.4W  +5%
4                  32W    +5%
4-pair class 4 AT  64W    +5%

For information about configuring PoE Plus features, see "Managing General System Settings" on page 431.
Table 2-5. PoE Plus Key Features (Continued)

Feature                        Description
Per-Port Power Prioritization  Provides the ability to assign a priority to each PoE port. When the power budget of the PoE switch has been exhausted, the higher-priority ports are given preference over the lower-priority ports. Lower-priority ports are automatically stopped from supplying power in order to provide power to higher-priority ports.
Per-Port Power Limit           Configurable power limit for each PoE-Plus port.
PoE 60W Support
PoE 60W allows power to be supplied to Class 4 powered devices that require up to 60 watts. PoE 60W power must be configured manually. Class D or better cabling is required for feeds in excess of 30 watts; CAT 5E cabling normally meets this requirement. PoE-capable switches that are connected to another PSE supplying power will stop supplying power on the affected ports. PSE capability should be disabled when connecting Dell EMC PoE-enabled ports to other PSE equipment.
Dynamic Power Management
In this mode, power is allocated based upon the detected PD class signature:

Available Power = Power Limit of the Sources – Total Allocated Power

The total allocated power is calculated as the sum of the power consumed by each port. Dynamic mode does not reserve power for the port (the port power limit is 0). Dynamic power management ignores LLDP-MED packets sent by the powered device; do not configure the powered device to send LLDP-MED packets in this mode.
Table 2-6. Class-based Power Management

Class  Usage               AF/AT Device (Watts)  BT Device (Watts)  PD Type
0      Default             15.4                  4                  Type 1 (802.3af)
1      Optional            4                     4                  Type 1 (802.3af)
2      Optional            7                     7                  Type 1 (802.3af)
3      Optional            15.4                  15.4               Type 1 (802.3af)
4      802.3at or 802.3bt  30                    30                 Type 2 (802.3at)
5      802.3bt             NA                    45                 Type 3 (802.3bt)
6      802.3bt             NA                    60                 Type 3 (802.3bt)

In four-pair mode, for classes 0-4, twice the power listed in Table 2-6 above is delivered. Classes 5 and 6 may be two-, three-, or four-pair powered.
The power management mode is configured using the power inline management command. The guard band is calculated by the switch as shown below. The user-defined threshold power limit can be found with the show power inline detailed command, and is configured with the power inline usage-threshold command. Threshold Power is reduced by the guard band when powering up a port.
PoE Plus Default Settings

Table 2-7 shows the default PoE settings for the Dell EMC Networking PoE-capable switches.

Table 2-7. PoE Plus Default Settings

Feature                        Default
Global Usage Threshold         90%
Per-Port Admin Status          Auto
Per-Port Power Prioritization  Enabled (globally); per-port priority is Low
Per-Port Power Limit           None
Power Management Mode          Dynamic
Power Detection Mode           802.3at+legacy (802.
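The budget arithmetic spread across the prioritization feature (Table 2-5), the Dynamic Power Management formula, the class table (Table 2-6), the usage threshold, and the 90% default (Table 2-7) can be exercised in one place. The following Python is an added example written for this page, not Dell firmware code: it allocates per-class power from Table 2-6 against a usage-threshold budget and sheds lower-priority ports when a higher-priority port cannot otherwise be powered. The priority level names, the guard band value, the choice to shed the lowest-priority ports first, and the use of class-based rather than measured-consumption allocation are assumptions for the demonstration; the switch's own guard-band formula is not reproduced.

```python
# Per-class allocation in watts from Table 2-6 (two-pair figures; the BT
# column is used for classes 5 and 6, which have no AF/AT value).
CLASS_WATTS = {0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0, 5: 45.0, 6: 60.0}

# Assumed priority encoding for this example (lower rank wins).
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


def class_power(pd_class, four_pair=False):
    """Table 2-6: four-pair mode delivers twice the listed power for classes 0-4."""
    watts = CLASS_WATTS[pd_class]
    return watts * 2 if four_pair and pd_class <= 4 else watts


class PoeBudget:
    """Class-based allocation against a usage threshold, with priority pre-emption.

    threshold power = PSU watts * usage_threshold / 100 (default 90%, Table 2-7).
    `guard_band` is subtracted from available power when powering up a port;
    its value is an assumption here (the switch computes its own)."""

    def __init__(self, psu_watts, usage_threshold=90, guard_band=0.0):
        self.threshold_watts = psu_watts * usage_threshold / 100.0
        self.guard_band = guard_band
        self.ports = {}  # port -> (priority, allocated watts)

    def allocated(self):
        return sum(w for _, w in self.ports.values())

    def available(self):
        # Available Power = Power Limit of the Sources - Total Allocated Power
        return self.threshold_watts - self.allocated()

    def request(self, port, pd_class, priority="low", four_pair=False):
        """Try to power `port`. Returns (granted, list_of_ports_shed)."""
        need = class_power(pd_class, four_pair) + self.guard_band
        if need <= self.available():
            self.ports[port] = (priority, need - self.guard_band)
            return True, []
        # Budget exhausted: shed strictly lower-priority ports, lowest
        # priority first, until the new port fits. Equal or higher priority
        # ports are never shed for a newcomer.
        victims = sorted(
            ((p, pr, w) for p, (pr, w) in self.ports.items()
             if PRIORITY_RANK[pr] > PRIORITY_RANK[priority]),
            key=lambda t: PRIORITY_RANK[t[1]], reverse=True)
        shed, freed = [], 0.0
        for p, _, w in victims:
            if need <= self.available() + freed:
                break
            freed += w
            shed.append(p)
        if need > self.available() + freed:
            return False, []            # cannot fit even after shedding
        for p in shed:
            del self.ports[p]
        self.ports[port] = (priority, need - self.guard_band)
        return True, shed


if __name__ == "__main__":
    # Constructed scenario: a 100 W supply at the default 90% threshold.
    budget = PoeBudget(100, usage_threshold=90)
    for port in ("Gi1/0/1", "Gi1/0/2", "Gi1/0/3"):
        budget.request(port, 4)                    # three Class 4 phones
    print(budget.request("Gi1/0/4", 3, priority="high"))   # (True, ['Gi1/0/1'])
    print(budget.request("Gi1/0/5", 4))                    # (False, [])
```

On the switch the corresponding knobs are power inline management (the mode), power inline usage-threshold (the threshold), and show power inline detailed (to read back the threshold power), as described above.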
Switching Features Flow Control Support (IEEE 802.3x) Flow control enables lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets for a limited period of time. Transmissions are temporarily halted to prevent buffer overflows. For information about configuring flow control, see "Port-Based Traffic Control" on page 907.
Back Pressure Support On half-duplex links, a receiver may prevent buffer overflows by jamming the link so that it is unavailable for additional traffic. On full-duplex links, a receiver may send a PAUSE frame indicating that the transmitter should cease transmission of frames for a specified period. NOTE: Dell EMC Networking N2000/N2100-ON/N3000E-ON/N3100-ON Series switches do not support half-duplex operation.
Port Mirroring Port mirroring mirrors network traffic by forwarding copies of incoming and outgoing packets from multiple source ports to a monitoring port. Source ports may be VLANs, Ethernet interfaces, port-channels, or the CPU port. The switch also supports flow-based mirroring, which allows copying certain types of traffic to a single destination port using an ACL. This provides flexibility—instead of mirroring all ingress or egress traffic on a port the switch can mirror a subset of that traffic.
For information about configuring LLDP settings, see "Discovering Network Devices" on page 881.

Link Layer Discovery Protocol (LLDP) for Media Endpoint Devices
The Link Layer Discovery Protocol for Media Endpoint Devices (LLDP-MED) provides an extension to the LLDP standard for network configuration and policy, device location, and Power over Ethernet. For information about configuring LLDP-MED settings, see "Discovering Network Devices" on page 881.
Connectivity Fault Management (IEEE 802.1ag)
NOTE: This feature is available on the Dell EMC Networking N1500/N2200 Series switches only.
The Connectivity Fault Management (CFM) feature, also known as Dot1ag, supports service-level Operations, Administration, and Management (OAM). CFM is the OAM protocol provision for end-to-end service-layer instances in carrier networks.
Virtual Local Area Network Supported Features For information about configuring VLAN features see "VLANs" on page 745. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Incoming packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents. Transmitted packets are forwarded tagged or untagged based upon the configuration of the egress port.
Voice VLAN The Voice VLAN feature enables switch ports to carry voice traffic with a configured QoS and to optionally authenticate phones on the network. This allows preferential treatment of voice traffic over data traffic transiting the switch. Voice VLAN is the preferred solution for enterprises wishing to deploy VoIP services in their network. GARP and GVRP Support The switch supports the Generic Attribute Registration Protocol (GARP).
The Double VLAN feature (IEEE 802.1QinQ) allows the use of a second tag on network traffic. The additional tag helps differentiate between customers in the Metropolitan Area Networks (MAN) while preserving individual customer’s VLAN identification when they enter their own 802.1Q domain.
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Spanning Tree Protocol" on page 829. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of Layer-2 switches that allows bridges to automatically prevent and resolve Layer-2 forwarding loops.
Bridge Protocol Data Unit (BPDU) Guard
Spanning Tree BPDU Guard disables a port on which a BPDU is received, so that a newly attached device cannot join the existing STP topology. Devices that were not originally part of the spanning tree are therefore not allowed to influence the STP topology.

BPDU Filtering
When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
Link Aggregation Features For information about configuring link aggregation (port-channel) features, see "Link Aggregation" on page 1045. Link Aggregation Up to eight ports can combine to form a single Link Aggregation Group (LAG). This enables fault tolerance protection from physical link disruption, higher bandwidth connections and improved bandwidth granularity. LAGs are formed from similarly configured physical links; i.e.
of-order frames. Devices unable to buffer the requisite number of frames will show excessive frame discard. Configuring copper and fiber ports together in an aggregation group is not recommended. Logically, port channels are distinct from the member ports. This means that configuration of the port channel affects the operational characteristics of the member ports, not the configured characteristics.
Routing Features NOTE: The N1100-ON Series switches do not support routing. Address Resolution Protocol (ARP) Table Management Static ARP entries can be created, and many settings for the dynamic ARP table can be managed, such as age time for entries, retries, and cache size. The ARP table supports routing by caching MAC addresses corresponding to the IP addresses of attached stations. For information about managing the ARP table, see "IP Routing" on page 1149.
Open Shortest Path First (OSPF) NOTE: This feature is not available on Dell EMC Networking N1100-ON or N1500 Series switches. Open Shortest Path First (OSPF) is a dynamic routing protocol commonly used within medium-to-large enterprise networks. OSPF is an interior gateway protocol (IGP) that operates within a single autonomous system. For information about configuring OSPF, see "OSPF and OSPFv3" on page 1219.
BOOTP/DHCP Relay Agent
The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Layer-2 and Layer-3 Relay Features" on page 1191.

IP Helper and DHCP Relay
The IP Helper and DHCP Relay features provide the ability to relay various protocols to servers on a different subnet.
Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
IPv6 Routing Features NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches. IPv6 Configuration The switch supports IPv6, the next generation of the Internet Protocol. IPv6 can be globally enabled on the switch and settings such as the IPv6 hop limit and ICMPv6 rate limit error interval can be configured. The administrator can also control whether IPv6 is enabled on a specific interface.
For information about configuring DHCPv6 settings, see "DHCPv6 Server Settings" on page 1467. Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
Internet Small Computer System Interface (iSCSI) Optimization The iSCSI Optimization feature helps network administrators track iSCSI traffic between iSCSI initiator and target systems. This is accomplished by monitoring, or snooping traffic to detect packets used by iSCSI stations in establishing iSCSI sessions and connections. Data from these exchanges may optionally be used to create classification rules to assign the traffic between the stations to a configured traffic class.
IGMP Snooping Querier When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, an IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network Layer-2 switched only, the IGMP Snooping Querier can perform the query functions of a Layer-3 multicast router.
Layer-3 Multicast Features
For information about configuring Layer-3 (L3) multicast features, see "IPv4 and IPv6 Multicast" on page 1559.
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches.

Distance Vector Multicast Routing Protocol
Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe packets with all DVMRP-enabled routers, establishing two-way neighboring relationships and building a neighbor table.
Protocol Independent Multicast—Sparse Mode
Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic to multicast groups that may span wide area networks, and where bandwidth is a constraint. PIM-SM uses shared trees by default and switches to source-based trees for efficiency; a configurable data threshold rate determines when to switch between the two trees.
3 Hardware Overview This section provides an overview of the switch hardware.
The Dell EMC Networking N1124-ON front panel provides 24 10/100/1000BASE-T Ethernet RJ-45 ports capable of full-duplex and half-duplex operation, and four SFP+ ports. The N1124P-ON supports six PoE+ or 12 PoE ports on Gigabit Ethernet ports 5-16. Dell EMC-qualified SFP+ transceivers are sold separately. The Dell EMC Networking N1148-ON front panel provides 48 10/100/1000BASE-T Ethernet RJ-45 ports capable of full-duplex and half-duplex operation, and four SFP+ ports.
The console port is separately configurable and can be run as an asynchronous link from 1200 baud to 115,200 baud. The Dell EMC CLI supports changing only the speed of the console port. The defaults are 115,200 baud, 8 data bits, no parity, 1 stop bit, and no flow control. USB Port The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The Dell EMC Networking N-Series switch can read or write to a flash drive with a single partition formatted as FAT-32.
N1100-ON Series Power Supply
The internal power supply wattage for the Dell EMC Networking N1100-ON switches is as follows:
• N1108T-ON: 24W
• N1108P-ON: 80W
• N1124T-ON: 40W
• N1124P-ON: 250W
• N1148T-ON: 60W
• N1148P-ON: 500W
For information about power consumption for the N1100-ON PoE switches, see "Power Consumption for N1100-ON Series PoE Switches" on page 116.

N1100-ON Series Ventilation System
The N1108T-ON, N1124T-ON, and N1148T-ON switches are fanless.
Figure 3-3. 100/1000/10000BASE-T Port LEDs (callouts: Link/SPD; Activity on non-PoE models; PoE/Activity on PoE models)

Table 3-1 shows the 100/1000/10000BASE-T port LED definitions.

Table 3-1. 100/1000/10000BASE-T Port LED Definitions

LED                                 Color        Definition
Link/SPD LED                        Off          There is no link.
                                    Solid amber  The port is operating at 10/100 Mbps.
                                    Solid green  The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)  Off          There is no current transmit/receive activity.
Table 3-2. SFP Port LED Definitions (N1108-ON Only)

LED                       Color           Definition
Link/SPD LED (Left LED)   Off             There is no link.
                          Solid green     The port is operating at 1 Gbps.
Activity LED (Right LED)  Off             There is no current transmit/receive activity.
                          Blinking green  The port is actively transmitting/receiving.

Table 3-3. SFP+ Port LED Definitions (N1124-ON and N1148-ON Only)

LED                               Color        Definition
Link/SPD LED (Left bi-color LED)  Off          There is no link.
                                  Solid green
                                  Solid amber
System LEDs
The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-5 shows the System LED definitions for the Dell EMC Networking N1100-ON switches.

Table 3-5. System LED Definitions

LED     Color           Definition
Status  Solid green     Normal operation.
        Blinking green  The switch is booting.
        Solid amber     A critical system error has occurred.
        Blinking amber  A noncritical system error occurred (fan or power supply failure).
Power Consumption for N1100-ON Series PoE Switches
Table 3-6 describes the power consumption for the N1100-ON Series PoE switches. The PoE power budget is 60W for the N1108P-ON, 185W for the N1124P-ON, and 370W for the N1148P-ON.

Table 3-6. Power Consumption for N1100-ON Series PoE Switches

Model      Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Maximum Steady Power (W)
N1108P-ON  100V/60Hz      Main PSU                    0.95                                    88.64
           110V/60Hz      Main PSU                    0.87                                    88.43
           120V/60Hz      Main PSU                    0.80                                    88.
N1100-ON Series Wall Installation To mount the switch on a wall: 1 Make sure that the mounting location meets the following requirements: • The surface of the wall must be capable of supporting the switch. • Allow at least two inches (5.1 cm) space on the sides for proper ventilation and five inches (12.7 cm) at the back for power cable clearance. • The location must be ventilated to prevent heat buildup.
5 Place the switch on the wall in the location where the switch is being installed. 6 On the wall, mark the locations where the screws to hold the switch must be prepared. 7 On the marked locations, drill the holes and place all plugs (not provided) in the holes. 8 Secure the switch to the wall with screws (not provided). Make sure that the ventilation holes are not obstructed.
Dell EMC Networking N1500 Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N1500 Series switches.
Figure 3-6. Dell EMC Networking N1524P Close-up
The Dell EMC Networking N1524 front panel has status LEDs for over-temperature alarm (left), internal power (middle), and status (right) on the top row. The bottom row of status LEDs displays, from left to right, the Stack Master, redundant power supply (RPS) status, and fan alarm status. The Dell EMC Networking N1524P front panel, shown in Figure 3-6, has status LEDs for over-temperature alarm, internal power, and status on the top row.
The front-panel switch ports have the following characteristics:
• The switch automatically detects the difference between crossed and straight-through cables on RJ-45 ports and automatically chooses the MDI or MDIX configuration to match the other end.
• SFP+ ports support Dell EMC-qualified transceivers utilizing 10GBASE-SR, 10GBASE-LR, 10GBASE-CR, or 1000BASE-X technologies.
USB Port The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The Dell EMC Networking N-Series switch can read or write to a flash drive with a single partition formatted as FAT-32. Use a USB flash drive to copy switch configuration files and images between the USB flash drive and the switch. The USB flash drive may be used to move and copy configuration files and images from one switch to other switches in the network.
Figure 3-7. Dell EMC Networking N1500 Series Back Panel (callouts: Fan Vents, AC Power Receptacle)

Power Supplies
Dell EMC Networking N1524 and N1548
The Dell EMC Networking N1524 and N1548 Series switches have an internal 100-watt power supply. The additional redundant power supply (Dell EMC Networking RPS720) provides 180 watts of power and gives full redundancy for the switch.
N1500 Series LED Definitions This section describes the LEDs on the front and back panels of the switch. Port LEDs Each port on a Dell EMC Networking N1500 Series switch includes two LEDs. One LED is on the left side of the port, and the second LED is on the right side of the port. This section describes the LEDs on the switch ports. 100/1000/10000BASE-T Port LEDs Each 100/1000/10000BASE-T port has two LEDs. Figure 3-8 illustrates the 100/1000/10000BASE-T port LEDs. Figure 3-8.
Stacking Port LEDs

Table 3-8. Stacking Port LED Definitions

LED           Color           Definition
Link LED      Off             There is no link.
              Solid green     The port is actively transmitting/receiving.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.

Console Port LEDs

Table 3-9. Console Port LED Definitions

LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
Table 3-10. System LED Definitions (Continued)

LED                        Color        Definition
RPS (on non-PoE switches)  Off          There is no redundant power supply (RPS).
                           Solid green  Power to the RPS is on.
                           Solid red    An RPS is detected but it is not receiving power.
EPS (on PoE switches)      Off          There is no external power supply (EPS).
                           Solid green  Power to the EPS is on.
                           Solid red    An EPS is detected but it is not receiving power.
Fan
Stack Master
Temp
Stack No.
Table 3-11. Power Consumption

Model                       Input Voltage  Power Supply Configuration  Max Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N1548P  100V           Main PSU+EPS PSU            17.1                                1719.0
                            110V           Main PSU+EPS PSU            15.5                                1704.0
                            120V           Main PSU+EPS PSU            14.1                                1690.0
                            220V           Main PSU+EPS PSU            7.5                                 1642.4
                            240V           Main PSU+EPS PSU            6.9                                 1647.0

The PoE power budget for each interface is controlled by the switch firmware.
N2000 Series Front Panel
The Dell EMC Networking N2000 Series front panel includes the following features:
• Switch Ports
• Console Port
• USB Port
• Reset Button
• SFP+ Ports
• Port and System LEDs
• Stack Master LED and Stack Number Display
The following images show the front panels of the switch models in the Dell EMC Networking N2000 Series.
Figure 3-9.
Figure 3-10. Dell EMC Networking N2024/N2048 Close-up The Dell EMC Networking N2024/N2048 front panel, shown in Figure 3-10, has status LEDs for over-temperature alarm (left), internal power (middle), and status (right) on the top row. The bottom row of status LEDs displays, from left to right, the Stack Master, redundant power supply (RPS) status, and fan alarm status. The Dell EMC Networking N2024P/N2048P front panel has status LEDs for over-temperature alarm, internal power and status on the top row.
The front-panel switch ports have the following characteristics: • The switch automatically detects the difference between crossed and straight-through cables on RJ-45 ports and automatically chooses the MDI or MDIX configuration to match the other end. • SFP+ ports support Dell EMC-qualified transceivers. The default behavior is to log a message and generate an SNMP trap on insertion or removal of an optic that is not qualified by Dell.
the switch. The USB flash drive may be used to move and copy configuration files and images from one switch to other switches in the network. The system does not support the deletion of files on USB flash drives. The USB port does not support any other type of USB device. Reset Button The reset button is accessed through the pinhole and enables performing a hard reset on the switch. To use the reset button, insert an unbent paper clip or similar tool into the pinhole.
Figure 3-11. Dell EMC Networking N2000 Series Back Panel (callouts: Fan Vents, AC Power Receptacle)
Figure 3-12. Dell EMC Networking N2024P/N2048P Back Panel
The term mini-SAS refers to the stacking port cable connections shown in Figure 3-13. See "Stacking" on page 215 for information on using the mini-SAS ports to connect switches.
Figure 3-13.
NOTE: PoE power is dynamically allocated. Not all ports will require the full PoE+ power. CAUTION: Remove the power cable from the power supplies prior to removing the power supply module itself. Power must not be connected prior to insertion in the chassis. Ventilation System Two internal fans cool the Dell EMC Networking N2000 Series switches. Information Tag The back panel includes a slide-out label panel that contains system information, such as the Service Tag, MAC address, and so on.
Table 3-13 shows the 100/1000/10000BASE-T port LED definitions.

Table 3-13. 100/1000/10000BASE-T Port LED Definitions

LED                                 Color           Definition
Link/SPD LED                        Off             There is no link.
                                    Solid yellow    The port is operating at 10/100 Mbps.
                                    Solid green     The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)  Off             There is no current transmit/receive activity.
                                    Blinking green  The port is actively transmitting/receiving.
Console Port LEDs

Table 3-15. Console Port LED Definitions

LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.

System LEDs
The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-16 shows the System LED definitions for the Dell EMC Networking N2000 Series switches.

Table 3-16. System LED Definitions

LED     Color        Definition
Status  Solid green  Normal operation.
Table 3-16. System LED Definitions (Continued)

LED           Color        Definition
Fan           Solid green  The fan is powered and is operating at the expected RPM.
              Solid red    A fan failure has occurred.
Stack Master  Off          The switch is not stack master.
              Solid green  The switch is master for the stack.
Temp          Solid green  The switch is operating below the threshold temperature.
              Solid red    The switch temperature exceeds the threshold of 75°C.
Stack No.     –            Switch ID within the stack.
The PoE power budget for each interface is controlled by the switch firmware. The administrator can limit the power supplied on a port or prioritize power to some ports over others. Table 3-18 shows power budget data.

Table 3-18. Dell EMC Networking N2000 Series PoE Power Budget Limit

Model Name | One PSU: Max. PSU Output, PoE+ Power Ability, Turn-on Limitation | Two PSUs: Max.
Dell EMC Networking N2100-ON Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N2128PX-ON switch. N2100-ON Series Front Panel All N2128PX-ON PoE models are 1U, rack-mountable switches. The Dell EMC Networking N2128PX-ON front panel provides 24 10/100/1000BASE-T Ethernet RJ-45 ports and four 2.5G NBASE-T Ethernet RJ-45 ports that support auto-negotiation for speed, flow control, and duplex.
To remain consistent with prior N-Series devices, CLI and GUI port references will be non-consecutive when the port type changes. Ports labeled 1-28 on the front panel will be referred to in the UI as Gi1/0/X (where X =1 to 28), ports labeled 29-30 on the front panel will be referred to in the UI as Te1/0/Y (where Y= 1 to 2) and ports labeled 31-32 on the rear panel will be referred to as Tw1/1/W (where W=1 to 2).
Port and System LEDs The front panel contains light emitting diodes (LEDs) that indicate the status of port links, power supplies, fans, stacking, and the overall system status. See "N2100-ON Series LED Definitions" on page 140 for more information. Stack Master LED and Stack Number Display When a switch within a stack is the master unit, the Stack Master LED is solid green. If the Stack Master LED is off, the stack member is not the master unit. The Stack No.
Port LEDs Each port on a Dell EMC Networking N2100-ON Series switch includes two LEDs. One LED is on the left side of the port, and the second LED is on the right side of the port. This section describes the LEDs on the switch ports. Each 100/1000/10000BASE-T port has two LEDs. Figure 3-16 illustrates the 100/1000/10000BASE-T port LEDs. Figure 3-16. 100/1000/10000BASE-T Port LEDs Link/SPD Activity Table 3-19 shows the 100/1000/10000BASE-T port LED definitions. Table 3-19.
Table 3-20. 2500BASE-T Port LED Definitions

LED                                    Color           Definition
Link/SPD LED (Left bi-color LED)       Off             There is no link.
                                       Solid green     The port is operating at 2.5 Gbps.
                                       Solid amber     The port is operating at 100 Mbps or 1 Gbps.
Activity/PoE LED (Right bi-color LED)  Off             There is no current transmit/receive activity, and PoE power is off.
                                       Blinking green  The port is actively transmitting/receiving, and PoE power is off.

Table 3-21.
Stacking Port LEDs

Table 3-23. Stacking Port LED Definitions

LED           Color           Definition
Link LED      Off             There is no link.
              Solid green     The port is actively transmitting/receiving.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.

Console Port LEDs

Table 3-24. Console Port LED Definitions

LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
Table 3-25. System LED Definitions (Continued)

LED                    Color        Definition
EPS (on PoE switches)  Off          There is no external power supply (EPS).
                       Solid green  Power to the EPS is on.
                       Solid red    An EPS is detected but it is not receiving power.
Fan                    Solid green  The fan is powered and is operating at the expected RPM.
                       Solid red    A fan failure has occurred.
Stack Master           Off          The switch is not stack master.
                       Solid green  The switch is master for the stack.
Temp                   Solid green  The switch is operating below the threshold temperature.
Table 3-27 shows power consumption data for the PoE-enabled N2128PX-ON switch when the power budget is 800W for the MPS.

Table 3-27. Power Consumption

Model                           Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N2128PX-ON  100V/60Hz      MPS                         9.92                                    986.5
                                110V/60Hz      MPS                         8.93                                    975.7
                                120V/60Hz      MPS                         8.01                                    955.4
                                220V/50Hz      MPS                         4.44                                    945.4
                                240V/50Hz      MPS                         4.08                                    951.
The PoE power budget for each interface is controlled by the switch firmware. The administrator can limit the power supplied on a port or prioritize power to some ports over others. Table 3-29 shows power budget data.

Table 3-29. Dell EMC Networking N2100-ON Series PoE Power Budget Limit

Model Name | One PSU: Max. PSU Output, PoE+ Power Ability, Turn-on Limitation | Two PSUs: Max.
Dell EMC Networking N2200-ON Series Switch Hardware
This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N2200 Series switches.

N2200-ON Series Front Panel
The Dell EMC Networking N2224X-ON/N2224PX-ON/N2248X-ON/N2248PX-ON switch front panels include the following features:
• 24 or 48 RJ-45 10/100/1000/2500BASE-T ports
• Four SFP28 10G/25GBASE-X ports
• Two QSFP 40G stacking ports
• RJ-45 and Type-B micro USB 3.
Figure 3-18. Dell EMC Networking N2248PX Switch (Rear Panel) N2200X-ON Series Switch Ports The Dell EMC Networking N2200X-ON Series front panel provides 24 or 48 10/100/1000/2500BASE-T Ethernet RJ-45 ports that support auto-negotiation for speed, flow control, and duplex. Dell EMC Networking N2200X-ON Series switch front panel 2.5G ports operate in full-duplex at all speeds or half-duplex at 10/100 Mbps speeds.
N2200-ON SFP28 ports may be configured to operate using SFP+ transceivers using the speed 10000 command for fiber media or the speed auto 10000 command for copper media. All four SFP28 ports must be configured to operate at the same speed. A mix of SFP+ and SFP28 transceivers or speeds is not supported. The switch UI does not enforce this restriction. N2200-ON Series Console Port The console port provides serial communication capabilities, which allows communication using RS-232 protocol.
N2200-ON Series USB Port

The Type-A, female USB port supports a USB 3.0-compliant flash memory drive. The Dell EMC Networking N-Series switch can read or write to a flash drive with a single partition formatted as FAT-32. Use a USB flash drive to copy switch configuration files and images between the USB flash drive and the switch. The USB flash drive may be used to move and copy configuration files and images to other switches in the network.
The Dell EMC Networking N2224PX-ON switches have a field-replaceable 1050-watt power supply (DPS-1050 AC) feeding up to 16x30W PoE and 2x60W devices at full power (712W). The Dell EMC Networking N2248PX-ON switches have an internal 1050W power supply (DPS-1050 AC) feeding up to 16x30W PoE devices and 1Xx60W at full power (624W). In both PoE models, additional field-replaceable 1050W, 1300W, or 1600W power supplies are available to support redundancy or to supply full front-panel demand.
Table 3-30 shows power budget data.

Table 3-30. Dell EMC Networking N2200PX-ON Series PoE Power Budget Limit

Model Name                      One PSU                                                        Two PSUs (2x1050W)
                                PoE Power Budget  Power Turn-on Limitation                     PoE Power Budget  Power Turn-on Limitation
Dell EMC Networking N2224PX-ON  712W              The power budget is 712W. The switch can     1567W             The power budget is 1567W. The switch can
                                                  power all 16x30W and 3x60W ports.                              power all 16x30W and 8x60W ports at full power.
Table 3-31 shows the 100/1000/10000BASE-T port LED definitions.

Table 3-31. 100/1000/10000BASE-T Port LED Definitions

LED                                 Color           Definition
Link/SPD LED                        Off             There is no link.
                                    Solid yellow    The port is operating at 10/100 Mbps.
                                    Solid green     The port is operating at 1000 Mbps.
Activity/PoE LED (on PoE switches)  Off             There is no current transmit/receive activity and PoE power is off.
                                    Blinking green  The port is actively transmitting/receiving and PoE power is off.

Table 3-32.
Table 3-33. SFP+ Port LED Definitions

LED                                     Color           Definition
Link/SPD LED (Left bi-color LED)        Off             There is no link.
                                        Solid green     The port is operating at 10 Gbps.
                                        Solid amber     The port is operating at 1 Gbps.
Activity LED (Right single-color LED)   Off             There is no current transmit/receive activity.
                                        Blinking green  The port is actively transmitting/receiving.

Table 3-34. QSFP Port LED Definitions

LED                                     Color           Definition
Link/SPD LED (Left single-color LED)    Off             There is no link.
                                        Solid green
Console Port LEDs

Table 3-36. Console Port LED Definitions

LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.

System LEDs

The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-37 shows the System LED definitions for the Dell EMC Networking N2200 switches.

Table 3-37. N2200-ON Series System LED Definitions

LED     Color        Definition
Status  Solid green  Normal operation.
Table 3-37. N2200-ON Series System LED Definitions (Continued)

LED        Color        Definition
Temp       Solid green  The switch is operating below the threshold temperature.
           Solid red    The switch temperature exceeds the threshold of 75°C.
Stack No.  –            Switch ID within the stack.
Dell EMC Networking N3100-ON Series Switch Hardware

N3100-ON Series Front Panel

All N3132PX-ON models are 1U, rack-mountable switches. The N3132PX-ON front panel provides twenty-four 10/100/1000BASE-T Ethernet RJ-45 ports and eight 5G NBASE-T Ethernet RJ-45 ports that support auto-negotiation for speed, flow control, and duplex. NBASE-T interfaces require auto-negotiation to be enabled. They will not operate correctly in fixed-speed mode.
Console Port

The console port provides serial communication capabilities, which allows communication using the RS-232 protocol. The serial port provides a direct connection to the switch and allows access to the CLI from a console terminal connected to the port through the provided serial cable (with RJ-45 YOST to female DB-9 connectors). The console port is separately configurable and can be run as an asynchronous link from 1200 baud to 115,200 baud. The Dell EMC CLI only supports changing the speed.
Stack Master LED and Stack Number Display

When a switch within a stack is the master unit, the Stack Master LED is solid green. If the Stack Master LED is off, the stack member is not the master unit. The Stack No. panel displays the unit number for the stack member. If a switch is not part of a stack (in other words, it is a stack of one switch), the Stack Master LED is illuminated, and the unit number is displayed.
Port LEDs

Each 100/1000/10000BASE-T port has two LEDs. Figure 3-22 illustrates the 100/1000/10000BASE-T port LEDs.

Figure 3-22. 100/1000/10000BASE-T Port LEDs (labels: Link/SPD, Activity)

Table 3-38, Table 3-39, and Table 3-40 show the port LED definitions.

Table 3-38. 100/1000/10000BASE-T Port LED Definitions

LED           Color         Definition
Link/SPD LED  Off           There is no link.
              Solid yellow  The port is operating at 10/100 Mbps.
              Solid green   The port is operating at 1000 Mbps.
Table 3-39. 50000BASE-T Port LED Definitions

LED                                   Color           Definition
Link/SPD LED (Left bi-color LED)      Off             There is no link.
                                      Solid green     The port is operating at 2.5/5 Gbps.
                                      Solid amber     The port is operating at 100 Mbps or 1 Gbps.
Activity/PoE LED (Right bi-color LED) Off             There is no current transmit/receive activity and PoE power is off.
                                      Blinking green  The port is actively transmitting/receiving and PoE power is off.

Table 3-40.
Module Bay LEDs

The following tables describe the purpose of each of the module bay LEDs when a QSFP or a Stacking module is installed.

Table 3-41. QSFP Module LED Definitions

LED           Color           Definition
Link/SPD LED  Off             There is no link.
              Solid green     The port is operating at 40 Gbps.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.

Table 3-42.
Table 3-44. Console Port LED Definitions

LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.

System LEDs

The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-45 shows the System LED definitions for the Dell EMC Networking N3132PX-ON Series switches.

Table 3-45. System LED Definitions

LED     Color        Definition
Status  Solid green  Normal operation.
Power Consumption for N3100-ON Series PoE Switches

Table 3-46 shows power consumption data for the PoE-enabled N3132PX-ON switch when the power budget is 500W for one 715W power supply.

Table 3-46. Power Consumption

Model                           Input Voltage  Power Supply Configuration  Max. Steady Current Consumption (A)  Max. Steady Power (W)
Dell EMC Networking N3132PX-ON  100V/60Hz      One 715W                    6.47A                                647.3W
                                110V/60Hz      One 715W                    5.79A                                636.1W
                                120V/60Hz      One 715W                    5.12A                                611.9W
                                220V/50Hz      One 715W                    2.85A                                621.
Table 3-48 shows power consumption data for the PoE-enabled N3132PX-ON switch when the power budget is 750W for one 1100W power supply.

Table 3-48. Power Consumption

Model                           Input Voltage  Power Supply Configuration  Max. Steady Current Consumption (A)  Max. Steady Power (W)
Dell EMC Networking N3132PX-ON  100V/60Hz      One 1100W                   9.41A                                937.1W
                                110V/60Hz      One 1100W                   8.48A                                929.7W
                                120V/60Hz      One 1100W                   7.69A                                918.3W
                                220V/50Hz      One 1100W                   4.16A                                904.3W
                                240V/50Hz      One 1100W                   3.81A                                902.
Table 3-50 shows power consumption data for the PoE-enabled N3132PX-ON switch when the power budget is 1440W for one 1100W power supply + one 715W power supply.

Table 3-50. Power Consumption

Model                           Input Voltage  Power Supply Configuration  Max. Steady Current Consumption (A)  Max. Steady Power (W)
Dell EMC Networking N3132PX-ON  100V/60Hz      1100W + 715W                17.51A                               1748W
                                110V/60Hz      1100W + 715W                15.7A                                1722.3W
                                120V/60Hz      1100W + 715W                14.36A                               1704.2W
                                220V/50Hz      1100W + 715W                7.63A                                1663.
Switch MAC Addresses

The switch allocates MAC addresses from the Vital Product Data information stored locally in flash. MAC addresses are used as follows:

Table 3-52.
Power Supplies:

Unit  Description  Status    Average Power (Watts)  Current Power (Watts)  Since Date/Time
----  -----------  --------  ---------------------  ---------------------  -------------------
1     System       OK        42.0                   43.4
1     Main         OK        N/A                    N/A                    04/06/2001 16:36:16
1     Secondary    No Power  N/A                    N/A                    01/01/1970 00:00:00

USB Port Power Status:
----------------------
Device Not Present

console#show ip interface out-of-band
IP Address.....................................
Subnet Mask....................................
Default Gateway........................
4 Using Dell EMC OpenManage Switch Administrator

This section describes how to use the Dell EMC OpenManage Switch Administrator application.
Starting the Application

To access the Dell EMC OpenManage Switch Administrator and log on to the switch:
1 Open a web browser.
2 Enter the IP address of the switch in the address bar and press Enter. For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information" on page 189.
3 When the Login window displays, enter a username and password. Passwords and usernames are both case sensitive and alphanumeric.

Figure 4-1.

4 Click Submit.
5 The Dell EMC OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 400.
Figure 4-2.
Using the Switch Administrator Buttons and Links

Table 4-2 describes the buttons and links available from the Dell EMC OpenManage Switch Administrator interface.

Table 4-2. Button and Link Descriptions

Button or Link  Description
Support         Opens the Dell Support page at www.dell.com/support.
About           Contains the version and build number and Dell copyright information.
Log Out         Logs out of the application and returns to the login screen.
Save            Saves the running configuration to the startup configuration.
Defining Fields

User-defined fields can contain 1–159 characters, unless otherwise noted on the Dell EMC OpenManage Switch Administrator web page. All characters may be used except for the following:
• \
• /
• :
• *
• ?
• <
• >
• |

Understanding the Device View

The Device View shows various information about the switch. This graphic appears on the Dell EMC OpenManage Switch Administrator Home page, which is the page that displays after a successful login.
Using the Device View Switch Locator Feature The Device View graphic includes a Locate button and a drop-down menu of timer settings. When the user clicks Locate, the switch locator LED blinks for the number of seconds selected from the timer menu. The blinking LED can help the administrator or a technician near the switch identify the physical location of the switch within a room or rack full of switches.
5 Using the Command-Line Interface

This section describes how to use the Command-Line Interface (CLI) on Dell EMC Networking N-Series switches. The topics covered in this section include:
• Accessing the Switch Through the CLI
• Understanding Command Modes
• Entering CLI Commands

Accessing the Switch Through the CLI

The CLI provides a text-based way to manage and monitor the Dell EMC Networking N-Series switches.
NOTE: For a stack of switches, be sure to connect to the console port on the Master switch. The Master LED is illuminated on the stack Master. Alternatively, use the connect command to access the console session.

2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console.
To connect to the switch using Telnet, the switch must have an IP address, and the switch and management station must have network connectivity. Any Telnet client on the management station can be used to connect to the switch. A Telnet session can also be initiated from the Dell EMC OpenManage Switch Administrator. For more information, see "Initiating a Telnet Session from the Web Interface" on page 439.

Understanding Command Modes

The CLI groups commands into modes according to the command function.
Table 5-1 describes how to navigate between CLI command modes and lists the prompt that displays in each mode.

Table 5-1. Command Mode Overview

Command Mode     Access Method                                                                         Prompt    Exit Method
User Exec        The user is automatically in User Exec mode unless the user is defined as a          console>  logout
                 privileged user.
Privileged Exec  From User Exec mode, enter the enable command.                                        console#  Use the exit command, or press Ctrl-Z to return to User Exec mode.
Entering CLI Commands

The switch CLI provides several techniques to help users enter commands.

Using the Question Mark to Get Help

Enter a question mark (?) at the command prompt to display the commands available in the current mode.

console(config-vlan)#?
exit        To exit from the mode.
help        Display help for various special keys.
ip          Configure IP parameters.
ipv6        Configure IPv6 parameters.
protocol    Configure the Protocols associated with particular Group Ids.
vlan        Create a new VLAN or delete an existing VLAN.
Using Command Completion

The CLI can complete partially entered commands when the or key are pressed.

console#show run
console#show running-config

If the characters entered are not enough for the switch to identify a single matching command, continue entering characters until the switch can uniquely identify the command. Use the question mark (?) to display the available commands matching the characters already entered.
Understanding Error Messages

If a command is entered and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages.

Table 5-2. CLI Error Messages

Message Text                             Description
% Invalid input detected at '^' marker.  Indicates that an incorrect or unavailable command was entered. The caret (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.
6 Default Settings

This section describes the default settings for many of the software features on the Dell EMC Networking N-Series switches.

Table 6-1. Default Settings

Feature          Default
IP address       DHCP on OOB interface, if equipped. DHCP on VLAN 1 if no OOB interface.
Subnet mask      None
Default gateway  None
DHCP client      Enabled on out-of-band (OOB) interface or VLAN 1 if no OOB interface.
Table 6-1. Default Settings (Continued)

Feature                          Default
DNS                              Enabled (No servers configured)
SNMP                             Enabled (SNMPv1)
SNMP Traps                       Enabled
Auto Configuration               Enabled
Auto Save                        Disabled
Stacking                         Enabled
Nonstop Forwarding on the Stack  Enabled
sFlow                            Disabled
ISDP                             Enabled (Versions 1 and 2)
RMON                             Enabled
TACACS+                          Not configured
RADIUS                           Not configured
SSH/SSL                          Disabled
Telnet                           Enabled
Denial of Service Protection     Disabled
Captive Portal                   Disabled
IEEE 802.
Table 6-1.
Table 6-1. Default Settings (Continued)

Feature               Default
Link Aggregation      No LAGs configured
LACP System Priority  1
Routing Mode          Disabled
OSPF Admin Mode       Disabled
OSPF Router ID        0.0.0.
7 Setting the IP Address and Other Basic Network Information

This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway.
Table 7-1. Basic Network Information (Continued)

Feature                          Description
Default Gateway                  Typically a router interface that is directly connected to the switch and is in the same subnet. The switch sends IP packets to the default gateway when it does not recognize the destination IP address in a packet.
DHCP Client                      Requests network information from a DHCP server on the network.
Domain Name System (DNS) Server  Translates hostnames into IP addresses.
server on the network, the TFTP server must be identified. If configuring the switch to use a DNS server to resolve hostnames into IP addresses, it is possible to enter the hostname of the TFTP server instead of the IP address. It is often easier to remember a hostname than an IP address, and if the IP address is dynamically assigned, it might change from time to time.

How Is Basic Network Information Configured?

A console-port connection is required to perform the initial switch configuration.
recommended that the port be connected only to a physically isolated, secure management network. The OOB port is a Layer-3 interface that uses an internal, non-user-configurable VLAN. The out-of-band port is a logical management interface. The IP stack's routing table contains both IPv4/IPv6 routes associated with these management interfaces and IPv4/IPv6 routes associated with routing interfaces.
The administrator can assign an IPv4 address or an IPv6 address to the OOB management port and to any VLAN. By default, all ports (other than the OOB port) are members of VLAN 1. If an IP address is assigned to VLAN 1, it is possible to connect to the switch management interface by using any of the front-panel switch ports. Assignment of an IP address to a VLAN associated with a front-panel interface is required to manage the Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches.
Default Network Information

NOTE: Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, and N2200-ON Series switches do not have an out-of-band interface.

By default, no network information is configured. The DHCP client is enabled on the OOB interface by default on Dell EMC Networking N3000E-ON and N3100-ON Series switches. The DHCP client is enabled on VLAN 1 by default on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, and N2200-ON Series switches.
Configuring Basic Network Information (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

Out-of-Band Interface

NOTE: Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches do not have an out-of-band interface.
Figure 7-1. Out of Band Interface

To enable the DHCP client and allow a DHCP server on your network to automatically assign the network information to the OOB interface, select DHCP from the Protocol menu. If the network information is statically assigned, ensure that the Protocol menu is set to None.
Figure 7-2. IP Interface Configuration (Default VLAN)

Assigning Network Information to the Default VLAN

To assign an IP address and subnet mask to the default VLAN:
1 From the Interface menu, select VLAN 1.
2 From the Routing Mode field, select Enable.
3 From the IP Address Configuration Method field, specify whether to assign a static IP address (Manual) or use DHCP for automatic address assignment.
Route Entry Configuration (Switch Default Gateway)

Use the Route Entry Configuration page to configure the default gateway for the switch. The default VLAN uses the switch default gateway as its default gateway. The switch default gateway must not be on the same subnet as the OOB management port, as the OOB management port cannot route packets received on the front-panel ports. To display the Route Entry Configuration page, click Routing > Router > Route Entry Configuration in the navigation panel.
Configuring a Default Gateway for the Switch

To configure the switch default gateway:
1 Open the Route Entry Configuration page.
2 From the Route Type field, select Default.

Figure 7-4. Default Route Configuration (Default VLAN)

3 In the Next Hop IP Address field, enter the IP address of the default gateway.
4 Click Apply.

For more information about configuring routes, see "IP Routing" on page 1149.
Domain Name Server

Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System > IP Addressing > Domain Name Server in the navigation panel.

Figure 7-5. DNS Server

To configure DNS server information, click the Add link and enter the IP address of the DNS server in the available field.

Figure 7-6.
Default Domain Name

Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System > IP Addressing > Default Domain Name in the navigation panel.

Figure 7-7.
Host Name Mapping

Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System > IP Addressing > Host Name Mapping.

Figure 7-8. Host Name Mapping

To map a host name to an IP address, click the Add link, type the name of the host and its IP address in the appropriate fields, and then click Apply.

Figure 7-9.
Dynamic Host Name Mapping

Use the Dynamic Host Name Mapping page to view dynamic host entries the switch has learned. The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to look up the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
Configuring Basic Network Information (CLI) This section provides information about the commands used for configuring basic network information on the Dell EMC Networking N-Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command                                Purpose
ipv6 address dhcp                      Enable the DHCPv6 client.
CTRL + Z                               Exit to Privileged Exec mode.
show ip interface vlan 1               Display network information for VLAN 1.

Managing DHCP Leases

Use the following commands to manage and troubleshoot DHCP leases on the switch.

Command                                Purpose
show dhcp lease interface [interface]  Display IPv4 addresses leased from a DHCP server.
Configuring Static Network Information on the OOB Port NOTE: Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches do not have an out-of-band interface. Use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. If no default gateway is configured, then the zero subnet (0.0.0.0) is used.
NOTE: The out-of-band port also supports IPv6 address assignment, including IPv6 auto-configuration and an IPv6 DHCP client. Configuring Static Network Information on the Default VLAN Use the following commands to configure a static IP address, subnet mask, and default gateway on the default VLAN. Alternatively, a DHCP server may be used to obtain a network address. The switch also supports IPv6 address auto-configuration.
Command                        Purpose
ip default-gateway ip_address  Configure the IPv4 default gateway. Only one IPv4 gateway may be configured per switch.
ipv6 gateway ip_address        Configure the default gateway for IPv6. Only one IPv6 gateway may be configured per switch.
exit                           Exit to Privileged Exec mode.
show ip interface vlan 10      Verify the network information for VLAN 10.
show ipv6 interface vlan 10    Verify IPv6 network information for VLAN 10.
Command                     Purpose
CTRL + Z                    Exit to Privileged Exec mode.
show ip interface vlan 1    Verify the network information for VLAN 1.
show ipv6 interface vlan 1  Verify the IPv6 network information for VLAN 1.
show hosts                  Verify the configured network information and view the dynamic host mappings.
show ip address-conflict    View the status information corresponding to the last detected address conflict.
clear ip address-conflict-  Clear the address conflict detection status in the switch.
Basic Network Information Configuration Examples

Configuring Network Information Using the OOB Port

In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures Dell EMC Networking N3000E-ON and N3100-ON Series switches to obtain information from a DHCP server on the management network and creates the administrative user with read/write access.
3 Configure the DNS servers, default domain name, and static host mapping.

console(config)#ip name-server 10.27.138.20 10.27.138.21
console(config)#ip domain-name sunny.dell.com
console(config)#ip host admin-laptop 10.27.65.103
console(config)#exit

4 View the network information that the DHCP server on the network dynamically assigned to the switch.

console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask...................... 255.255.255.0
Default Gateway..........
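Verifying the addresses that DHCP handed to the OOB port is a manual step above; an administrator auditing many switches will want to do it programmatically. The following Python example is added here and is not part of the guide or of any Dell tooling: it parses the dotted-leader layout of "show ip interface" output (as captured from a terminal session) and applies two consistency checks taken from this chapter, namely that the OOB default gateway is on the OOB subnet and that the switch default gateway used by the front-panel VLANs is not on the OOB subnet, since the OOB port cannot route front-panel traffic. The sample output and the gateway values are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample in the dotted-leader layout of "show ip interface
# out-of-band"; the Default Gateway value is an assumed example.
SAMPLE_OOB_OUTPUT = """\
console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask...................... 255.255.255.0
Default Gateway.................. 10.27.22.1
"""

# A field line is "<name><dots>[ <value>]"; prompt and blank lines do not match.
_FIELD_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z0-9 /()-]*?)\.{2,}\s*(?P<value>.*)$")


def parse_show_ip_interface(text):
    """Return {field name: value} parsed from dotted-leader show output."""
    fields = {}
    for line in text.splitlines():
        match = _FIELD_RE.match(line.strip())
        if match:
            fields[match.group("name").strip()] = match.group("value").strip()
    return fields


def interface_network(fields):
    """Subnet of the interface, built from its IP Address and Subnet Mask fields."""
    iface = ipaddress.ip_interface(f"{fields['IP Address']}/{fields['Subnet Mask']}")
    return iface.network


def audit_oob(oob_fields, switch_default_gateway):
    """Return a list of findings (empty when the OOB configuration is consistent).

    Checks applied, both taken from the chapter's text:
      * the OOB default gateway should be on the OOB subnet (a directly
        connected router);
      * the switch default gateway used by the front-panel VLANs must not be
        on the OOB subnet, because the OOB port does not route front-panel
        traffic.
    """
    findings = []
    oob_net = interface_network(oob_fields)
    oob_gw = oob_fields.get("Default Gateway", "")
    if oob_gw and ipaddress.ip_address(oob_gw) not in oob_net:
        findings.append(f"OOB default gateway {oob_gw} is not on the OOB subnet {oob_net}")
    if ipaddress.ip_address(switch_default_gateway) in oob_net:
        findings.append(
            f"switch default gateway {switch_default_gateway} lies on the OOB subnet "
            f"{oob_net}; front-panel traffic cannot be routed through the OOB port"
        )
    return findings


if __name__ == "__main__":
    parsed = parse_show_ip_interface(SAMPLE_OOB_OUTPUT)
    print(parsed)
    # Assumed data-plane default gateway for the demonstration.
    for finding in audit_oob(parsed, "10.27.65.1"):
        print("FINDING:", finding)
```

The parser is deliberately tolerant of the varying number of leader dots, so the same function handles the longer "show ip interface vlan 1" listing (Active State, IP MTU, Bandwidth and so on) that appears later in this chapter.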
Configuring Network Information Using the Serial Interface In this example, the administrator configures a Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON Series switch via the serial interface while using the same DHCP server and address configuration as given in the previous example. 1 Connect a front-panel port (e.g., gi1/0/24) to the management network.
Forward Net Directed Broadcasts........... Disable
Proxy ARP.................................. Enable
Local Proxy ARP........................... Disable
Active State............................... Active
MAC Address........................ 001E.C9DE.B77A
Encapsulation Type....................... Ethernet
IP MTU....................................... 1500
Bandwidth.............................. 10000 kbps
Destination Unreachables.................. Enabled
ICMP Redirects............................
8 Stacking

This chapter describes how to configure and manage a stack of switches. The topics covered in this chapter include:
• Stacking Overview
• Default Stacking Values
• Managing and Monitoring the Stack (Web)
• Managing the Stack (CLI)
• Stacking and NSF Usage Scenarios

Stacking Overview

The Dell EMC Networking N2100-ON, N2200, and N3100-ON Series switches include a stacking feature that allows up to 12 switches to operate as a single unit.
Dell EMC Networking N3000E-ON Series switches stack with other Dell EMC Networking N3000E-ON Series switches and Dell EMC Networking N3100-ON Series switches, using the optional stacking module. Beginning with the 6.5.1 release, any stack containing any N3000E-ON Series switch (other than the N3000E-ON) is limited to a maximum of eight units. Dell EMC Networking N1500 Series switches stack with other N1500 Series switches using the 10G SFP+ front-panel ports.
Dell EMC Networking N2100-ON Series switches have two fixed stacking ports in the rear that accept mini-SAS cables. Dell EMC Networking N3100-ON Series switches support an optional 2x21G or 2x40G stacking module in the rear slot. Additional stacking connections can be made between adjacent switch units to increase the stacking bandwidth provided that all redundant stacking links have the same port speed.
• The switch Control Plane is active only on the master. The Control Plane is a software layer that manages system and hardware configuration and runs the network control protocols to set system configuration and state.
• The switch Data Plane is active on all units in the stack, including the master. The Data Plane is the set of hardware components that forward data packets without intervention from a control CPU.
Figure 8-1. Connecting a Stack of Switches (units labeled Unit 1, Unit 2, Unit 3)

The stack in Figure 8-1 has the following physical connections between the switches:
• The lower stacking port on Unit 1 is connected to the upper stacking port on Unit 2.
• The lower stacking port on Unit 2 is connected to the upper stacking port on Unit 3.
• The lower stacking port on Unit 3 is connected to the upper stacking port on Unit 1.
Dell EMC Networking N1100-ON and N1500 Series switches do not stack with different Dell EMC Networking Series switches or other Dell EMC Networking switches. Dell EMC Networking N1124T-ON/N1148T-ON/N1124P-ON/N1148P-ON Series switches only stack with other Dell EMC Networking N1124T-ON/N1148T-ON/N1124P-ON/N1148P-ON Series switches. Dell EMC Networking N1108T-ON/N1108P-ON switches do not stack. Dell EMC Networking N1500 Series switches only stack with other Dell EMC Networking N1500 Series switches.
If the entire stack is powered OFF and ON again, the unit that was the stack master before the reboot will remain the stack master after the stack resumes operation. The unit number for the switch can be manually configured. To avoid unit-number conflicts, one of the following scenarios takes place when a new member is added to the stack:
• If the switch has a unit number that is already in use, then the unit that is added to the stack changes its configured unit number to the lowest unassigned unit number.
If a new switch is added to a stack of switches that are powered and running and already have an elected stack master, the newly added switch becomes a stack member rather than the stack master. Use the boot auto-copy-sw command on the stack master to enable automatic firmware upgrade of newly added switches. If a firmware mismatch is detected, the newly added switch does not fully join the stack and holds until it is upgraded to the same firmware version as the master switch.
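The two join rules above (unit-number conflict resolution and the firmware-mismatch hold) are easy to misread when planning a stack expansion. The following Python model is an added example, not code from the guide or from the switch firmware: it simulates a switch joining a powered, running stack with an elected master, assigning the lowest unassigned unit number on a conflict, enforcing the 12-unit limit stated in the overview, and reporting whether the switch fully joins or is held pending an upgrade, which happens automatically only when boot auto-copy-sw is enabled on the master. The stack dictionary layout, the firmware version strings and the return tuple are conventions chosen for this example.

```python
MAX_STACK_UNITS = 12  # stacking limit stated in the stacking overview


def assign_unit_number(in_use, configured):
    """Unit number a joining switch ends up with.

    If its configured number is free it keeps it; otherwise it takes the
    lowest unassigned number, as the chapter describes for a new member
    joining a running stack.
    """
    if len(in_use) >= MAX_STACK_UNITS:
        raise ValueError("stack already holds the maximum number of units")
    if configured not in in_use:
        return configured
    for candidate in range(1, MAX_STACK_UNITS + 1):
        if candidate not in in_use:
            return candidate
    raise ValueError("no free unit number")  # unreachable after the size check


def join_stack(stack, new_switch):
    """Simulate a switch joining a powered, running stack with an elected master.

    stack:      {"master_unit": int, "units": {unit_no: firmware}, "auto_copy_sw": bool}
                (assumed layout for this example)
    new_switch: {"configured_unit": int, "firmware": str}
    Returns (unit_number, role, firmware_running, fully_joined).

    The joining switch never becomes master. On a firmware mismatch it holds
    and does not fully join unless the master has boot auto-copy-sw enabled,
    in which case it is brought to the master's image and then joins.
    """
    unit = assign_unit_number(set(stack["units"]), new_switch["configured_unit"])
    master_fw = stack["units"][stack["master_unit"]]
    if new_switch["firmware"] == master_fw:
        stack["units"][unit] = master_fw
        return unit, "member", master_fw, True
    if stack["auto_copy_sw"]:
        stack["units"][unit] = master_fw          # image copied from the master
        return unit, "member", master_fw, True
    # Held: the unit is not recorded as an operational stack member.
    return unit, "member", new_switch["firmware"], False


if __name__ == "__main__":
    # Constructed stack: units 1 and 2 running the same (assumed) image.
    demo = {"master_unit": 1, "units": {1: "6.6.0", 2: "6.6.0"}, "auto_copy_sw": False}
    print(join_stack(demo, {"configured_unit": 2, "firmware": "6.6.0"}))  # conflict -> unit 3
    print(join_stack(demo, {"configured_unit": 9, "firmware": "6.5.1"}))  # mismatch -> held
    demo["auto_copy_sw"] = True
    print(join_stack(demo, {"configured_unit": 9, "firmware": "6.5.1"}))  # upgraded, joins
```

Because a held unit is not counted as an operational member, rerunning the join after enabling boot auto-copy-sw on the master lets it take the same unit number and complete the join.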
master. No changes or configuration are applied to the other stack members; however, the dynamic protocols will try to reconverge as the topology could change because of the failed unit. If you remove a unit and plan to renumber the stack, issue a no member unit command in Stack Configuration mode to delete the removed switch from the configured stack member information.
Operational state synchronization also occurs:
• when the running configuration is saved to the startup configuration on the stack master.
• when the standby unit changes.

What is Nonstop Forwarding?

Networking devices, such as the Dell EMC Networking N-Series switches, are often described in terms of three semi-independent functions called the forwarding plane, the control plane, and the management plane. The forwarding plane forwards data packets and is implemented in hardware.
back-off mechanism to reduce the load on the switch. In this case, the stack master will attempt resynchronization no more often than once every 120 seconds. The show nsf command output includes information about when the next running-config synchronization will occur. Initiating a Failover The NSF feature allows the administrator to initiate a failover using the initiate failover command.
The NSF checkpoint service allows the stack master to communicate startup configuration data to the standby unit in the stack. When the stack selects a standby unit, the checkpoint service notifies applications to start a complete checkpoint. After the initial checkpoint is done, applications checkpoint changes to their data every 120 seconds. NOTE: The switch cannot guarantee that a standby unit has exactly the same data that the stack master has when it fails.
Table 8-1. Applications that Checkpoint Data

Application  Checkpointed Data
SIM          The system's MAC addresses. System up time. IP address, network mask, default gateway on each management interface, DHCPv6 acquired IPv6 address.
Voice VLAN   VoIP phones identified by CDP or DHCP (not LLDP)

Switch Stack MAC Addressing and Stack Design Considerations

The switch stack uses the MAC addresses assigned to the stack master.

NOTE: Each switch is assigned four consecutive MAC addresses.
To prevent a LAG from going down, configure LAGs with members on multiple units within the stack, when possible. If a stack unit fails, the system can continue to forward on the remaining members of the stack. If the switch stack performs VLAN routing, another way to take advantage of NSF is to configure multiple “best paths” to the same destination on different stack members.
ports in the rear of the switch. The N3100-ON supports a pluggable stacking module in the rear. Stacking on Ethernet ports is not supported. The fixed stacking ports show as TwentyGigabitStacking and are abbreviated Tw. NSF is enabled by default. NSF can be disabled to redirect the CPU resources consumed by data checkpointing; however, this is ill-advised, as checkpointing consumes almost no switch resources.
Managing and Monitoring the Stack (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000E-ON, and N3100-ON Series switches. For details about the fields on a page, click the help link at the top of the Dell EMC OpenManage Switch Administrator web page. NOTE: Changes made on the Stacking configuration pages take effect only after the device is reset.
Changing the ID or Switch Type for a Stack Member To change the switch ID or type: 1 Open the Unit Configuration page. 2 Click Add to display the Add Unit page. For the N30xx series switches, stack size is limited to 8. Figure 8-3. Add Remote Log Server Settings 3 Specify the switch ID, and select the model number of the switch. 4 Click Apply. Stack Summary Use the Stack Summary page to view a summary of switches participating in the stack.
Stack Firmware Synchronization Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System Stack Management Stack Firmware Synchronization in the navigation panel. Figure 8-5.
Supported Switches Use the Supported Switches page to view information about each switch type that can be a member of the stack. To display the Supported Switches page, click System Stack Management Supported Switches in the navigation panel. Figure 8-6.
Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. NOTE: By default the ports are configured to operate as Ethernet ports.
Stack Port Counters Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System Stack Management Stack Port Counters in the navigation panel. Figure 8-8. Stack Port Counters Stack Port Diagnostics The Stack Port Diagnostics page is intended for Field Application Engineers (FAEs) only.
NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. To configure NSF on a stack that uses OSPF or OSPFv3, see "NSF OSPF Configuration" on page 1246 and "NSF OSPFv3 Configuration" on page 1263.
Checkpoint Statistics Use the Checkpoint Statistics page to view information about checkpoint messages generated by the stack master. To display the Checkpoint Statistics page, click System Stack Management Checkpoint Statistics in the navigation panel. Figure 8-10.
Managing the Stack (CLI) This section provides information about the commands for managing the stack and viewing information about the switch stack. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring Stack Member, Stack Port, SFS and NSF Settings Use the following commands to configure stacking and SFS settings.
Command          Purpose
member unit SID  Add a switch to the stack and specify the model of the new stack member.
                 • unit - The switch unit ID
                 • SID - The index into the database of the supported switch types, indicating the type of the switch being preconfigured.

NOTE: Member configuration displayed in the running config may be learned from the physical stack. Member configuration is not automatically saved in the startup configuration. Save the configuration to retain the current member settings.
NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. Additional NSF commands are available in OSPF and OSPFv3 command modes. For more information, see "NSF OSPF Configuration" on page 1246 and "NSF OSPFv3 Configuration" on page 1263 Viewing and Clearing Stacking and NSF Information Use the following commands to view stacking information and to clear NSF statistics.
Connecting to the Management Console from a Stack Member From the CLI Unavailable prompt, use the following command to connect the console session to the local unit.

Command         Purpose
connect [unit]  Connect the console on the remote unit to the local unit.

Stacking and NSF Usage Scenarios Only a few settings are available to control the stacking configuration, such as the designation of the standby unit or enabling/disabling NSF.
Figure 8-11. Basic Stack Failover

When all four units are up and running, the show switch CLI command gives the following output:

console#show switch

SW  Management    Standby    Preconfig  Plugged-in  Switch  Code
    Status        Status     Model ID   Model ID    Status  Version
--- ------------  ---------  ---------  ----------  ------  --------
1   Stack Member  Opr Stby   N3048      N3048       OK      6.0.0.0
2   Stack Member             N3048      N3048       OK      6.0.0.0
3   Mgmt Switch              N3048      N3048       OK      6.0.0.0
4   Stack Member             N3048      N3048       OK      6.0.0.0
When the failed unit resumes normal operation, the previous configuration that exists for that unit is reapplied by the stack master. To permanently remove the unit from the stack, enter into Stack Config Mode and use the member command, as the following example shows.
The following is the output on Dell EMC Networking N1500 Series switches:

console#show supported switchtype

SID  Switch Model ID
---  ---------------
1    N1524
2    N1524P
3    N1548
4    N1548P

2 Preconfigure the switch (SID = 2, an N1524P) as member number 2 in the stack.

console#configure
console(config)#stack
console(config-stack)#member 2 2
console(config-stack)#exit
console(config)#exit

3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations.
NSF in the Data Center Figure 8-12 illustrates a data center scenario, where the stack of two Dell EMC Networking N-Series switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG. The two LAGs and link between AS1 and AS2 are members of the same VLAN. Spanning tree is enabled on the VLAN.
NSF and VoIP Figure 8-13 shows how NSF maintains existing voice calls during a stack master failure. Assume the top unit is the stack master. When the stack master fails, the call from phone A (whose port is on the failed unit) is immediately disconnected. The call from phone B, attached to a surviving unit, continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member. If phone B has learned VLAN or priority parameters through LLDP-MED, it continues to use those parameters.
NSF and DHCP Snooping Figure 8-14 illustrates a Layer-2 access switch running DHCP snooping. DHCP snooping only accepts DHCP server messages on ports configured as trusted ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through. Thus, DHCP snooping does not miss any new bindings during a failover.
Figure 8-15. NSF and a Storage Area Network When the stack master fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array. The hardware forwards the packets to establish this new session, but assuming the session is established before the control plane is restarted on the backup unit, the new session receives no priority treatment in the hardware.
NSF and Routed Access Figure 8-16 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is the stack master. Figure 8-16. NSF and Routed Access If the stack master fails, its link to the aggregation router is removed from the LAG.
JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles Layer-3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles Layer-3 multicast hardware tables.
9 Authentication, Authorization, and Accounting Dell EMC Networking N-Series Switches This chapter describes how to control access to the switch management interface using authentication and authorization. These services can also be used to restrict or allow network access when used in conjunction with IEEE 802.1x. It also describes how to record this access using accounting. Together the three services are referred to by the acronym AAA.
error, the next method in the list is tried. This continues until all methods in the list have been attempted. If no method can perform the service, then the service fails. A method may return an error due to lack of network access, misconfiguration of a server, and other reasons. If there is no error, the method returns success if the user is allowed access to the service and failure if the user is not.
Methods that never return an error cannot be followed by any other methods in a method list. • The enable method uses the enable password. If there is no enable password defined, then the enable method will return an error. • The ias method is a special method that is only used for 802.1X. It uses an internal database (separate from the local user database) that acts like an 802.1X authentication server. This method never returns an error. It will always authenticate or deny a user.
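The evaluation rules above are easy to get wrong in practice: a method that returns a failure (for example, RADIUS rejecting the user) ends the list; it does not fall through to the next method. Only an error does that. The following Python model is an added example, not part of the Dell documentation or switch software; it shows the error-versus-failure distinction together with the rule that a method which never returns an error must be last in a list. The user accounts, the server reachability flags and the assumption that the local method never returns an error are constructed for the example.

```python
ERROR, SUCCESS, FAIL = "error", "success", "fail"

# Methods that can never return ERROR. 'ias' and 'none' are stated in the text;
# treating 'local' the same way is an assumption of this example.
NEVER_ERRORS = {"ias", "none", "local"}

def validate_method_list(methods):
    """Reject a list in which a never-error method is followed by another method:
    the later methods could never be reached."""
    for i, name in enumerate(methods[:-1]):
        if name in NEVER_ERRORS:
            raise ValueError(f"'{name}' never returns an error, so '{methods[i + 1]}' could never run")
    return True

# Stub methods. 'env' carries constructed server state and user databases.
def radius(user, password, env):
    if not env["radius_reachable"]:
        return ERROR                                   # no server reachable: try the next method
    return SUCCESS if env["radius_users"].get(user) == password else FAIL

def enable(user, password, env):
    if env.get("enable_password") is None:
        return ERROR                                   # no enable password defined
    return SUCCESS if password == env["enable_password"] else FAIL

def local(user, password, env):
    return SUCCESS if env["local_users"].get(user) == password else FAIL

def none(user, password, env):
    return SUCCESS

METHODS = {"radius": radius, "enable": enable, "local": local, "none": none}

def evaluate(methods, user, password, env):
    """Walk the list: ERROR moves to the next method, SUCCESS or FAIL is final.
    Returns (result, deciding method) or (FAIL, None) if every method errored."""
    validate_method_list(methods)
    for name in methods:
        result = METHODS[name](user, password, env)
        if result != ERROR:
            return result, name
    return FAIL, None

def demo():
    """Constructed scenario showing the difference between ERROR and FAIL."""
    env = {"radius_reachable": False, "radius_users": {"ops": "r4d1us"},
           "local_users": {"admin": "paSS1&word2"}, "enable_password": None}
    unreachable = evaluate(["radius", "local"], "admin", "paSS1&word2", env)   # falls through to local
    env["radius_reachable"] = True
    rejected = evaluate(["radius", "local"], "admin", "paSS1&word2", env)      # RADIUS FAIL is final
    no_enable = evaluate(["enable", "local"], "admin", "paSS1&word2", env)     # enable errors, local decides
    return unreachable, rejected, no_enable
```

The second result in demo() is the one that surprises administrators: once RADIUS is reachable and rejects the account, the local database is never consulted, so "radius local" is a fallback for server outages, not for accounts the server does not know.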
Table 9-2. Default Method Lists (Continued)

AAA Service (type)        List Name        List Methods
Authorization (commands)  dfltCmdAuthList  none
Accounting (exec)         dfltExecList     tacacs (start-stop)
Accounting (commands)     dfltCmdList      tacacs (stop-only)

Access Lines There are five access lines: console, Telnet, SSH, HTTP, and HTTPS. HTTP and HTTPS are not configured using AAA method lists. Instead, the authentication list for HTTP and HTTPS is configured directly (authorization and accounting are not supported).
the message (and can send back some proof that it has done so), then the response proves that the user must possess the private key matching the configured public key, and the user is authenticated without giving a username/password. The public key method is implemented in the Dell EMC Networking N-Series switch itself rather than on an external server. If the user does not present a public key, it is not considered an error and authentication continues with challenge-response (password) authentication.
Table 9-3.
Authentication Authentication is the process of validating a user's identity. During the authentication process, only identity validation is done. There is no determination made of which switch services the user is allowed to access. This is true even when RADIUS is used for authentication; RADIUS cannot perform separate transactions for authentication and authorization. However, the RADIUS server can provide attributes during the authentication process that are used in the authorization process.
Authentication Manager Overview The Authentication Manager supports the hierarchical configuration of host authentication methods on an interface. Use of the Authentication Manager is optional, but it is recommended when using multiple types of authentication on an interface, e.g., Captive Portal in conjunction with MAB or IEEE 802.1X. Dell switches support the following host authentication methods: • IEEE 802.
By default, all ports on Dell switches use a method list containing, in order, 802.1x and MAB. Dell switches restrict the configuration such that no method is allowed to follow the Captive Portal method, if configured. The authentication manager controls only the order in which the authentication methods are executed.
authenticated client is removed and the authentication process begins again from the first method in the order. If 802.1X has a lower priority than the authenticated method, then the client is not removed and the 802.1X frames are ignored. If the administrator changes the priority of the methods, then all the users who are authenticated using a lower-priority method are forced to reauthenticate.
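The order and priority rules above can be modelled for one port. The following Python class is an added example, not Dell code. It assumes that the priority defaults to the configured order and that a priority change forces reauthentication of every host whose method is no longer the top-priority one; the MAC addresses are constructed.

```python
class PortAuthManager:
    """One port's Authentication Manager state. 'order' is the sequence tried for a new
    host; 'priority' (highest first) decides whether 802.1X may pre-empt a host that
    another method already authenticated. Default priority follows the order (assumed)."""

    def __init__(self, order, priority=None):
        self.order = list(order)
        self.priority = list(priority) if priority else list(order)
        self.sessions = {}            # client MAC -> method that authenticated it

    def rank(self, method):
        return self.priority.index(method)

    def next_method(self, failed=None):
        """First method in the order, or the one after a method that just failed (None if exhausted)."""
        if failed is None:
            return self.order[0]
        i = self.order.index(failed) + 1
        return self.order[i] if i < len(self.order) else None

    def authenticated(self, mac, method):
        self.sessions[mac] = method

    def on_eapol(self, mac):
        """Effect of 802.1X frames arriving from a host on this port."""
        current = self.sessions.get(mac)
        if current is None or current == "dot1x":
            return "process"           # ordinary 802.1X processing
        if self.rank("dot1x") < self.rank(current):
            del self.sessions[mac]     # higher-priority 802.1X: client removed,
            return "restart"           # authentication starts again from order[0]
        return "ignore"                # lower-priority 802.1X: frames ignored, session kept

    def set_priority(self, priority):
        """Apply a new priority; hosts authenticated by a method that is no longer the
        top priority are removed and must reauthenticate (assumed interpretation)."""
        self.priority = list(priority)
        forced = [mac for mac, m in self.sessions.items() if m != self.priority[0]]
        for mac in forced:
            del self.sessions[mac]
        return forced

def demo():
    """Constructed scenario: order/priority mab, dot1x; then dot1x is made top priority."""
    port = PortAuthManager(["mab", "dot1x"])
    port.authenticated("00:11:22:33:44:55", "mab")          # e.g. a printer admitted by MAB
    ignored = port.on_eapol("00:11:22:33:44:55")            # EAPOL from that host is ignored
    port.authenticated("66:77:88:99:aa:bb", "dot1x")
    forced = port.set_priority(["dot1x", "mab"])            # MAB-authenticated hosts must reauthenticate
    port.authenticated("00:11:22:33:44:55", "mab")
    restarted = port.on_eapol("00:11:22:33:44:55")          # now 802.1X pre-empts the MAB session
    return ignored, forced, restarted, port.next_method("mab")
```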
A typical use case is a wireless access point which is connected to an access-controlled port of a NAS. Once the access point is authenticated by the NAS, the wireless clients connected to the access point also authenticate using the switch resources. The access point must be configured to transparently pass EAPOL traffic. Voice VLAN access is supported in Multi-Auth mode. MAB access is supported in Multi-Auth mode. Multi-Auth mode does not support RADIUS VLAN assignment in switchport access mode.
MAB is not supported for Multi-Domain-Multi-Host mode. The switch does not enforce this restriction. Multi-Domain Mode Multi-Domain mode supports authentication of a single data host and a single voice device. Each host that successfully authenticates is allowed network access. Once the host limit is reached, additional host authentications are rejected. A typical use case is an IP phone connected to a NAS port and a laptop connected to the hub port of the IP phone.
3 Enable authentication and globally enable 802.1x client authentication via RADIUS:

console(config)#authentication enable
console(config)#aaa authentication dot1x default radius
console(config)#dot1x system-auth-control

4 On the interface, set the port to access mode, assign a PVID, enable Multi-Domain mode, enable MAB, and set the order of authentication to 802.1X followed by MAC authentication. Configure the switch to send CHAP attributes to the RADIUS server.
console(config-auth-radius)#usage 802.1x
console(config-auth-radius)#exit

2 Create the VLANs. VLAN 2 is the secure data VLAN; VLAN 202 is the critical data VLAN; VLAN 10 is the voice VLAN.

console(config)#vlan 2,202,10
console(config-vlan2,202,10)#exit

3 Enable authentication and globally enable 802.1x client authentication via RADIUS. Globally enable Voice VLAN.
Configuration Example—MAB Client This example shows how to configure a MAB client on interface Gi1/0/2 using the IAS database for authentication.

1 Enter global configuration mode and create VLAN 3.

console#configure
console(config)#vlan 3
console(config-vlan3)#exit

2 Enable the authentication manager and globally enable 802.1x.

console(config)#authentication enable
console(config)#dot1x system-auth-control

3 Set IEEE 802.1x to use the local IAS user database.
console(config-if-Gi1/0/1)#show authentication interface gi1/0/2

Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Disabled
VLAN Assignment Mode.............. Disabled
Monitor Mode...................... Disabled

Port      Admin Mode  Oper Mode   Reauth Control
--------- ----------- ----------- --------------
Gi1/0/2   auto        Authorized  FALSE

Quiet Period...................................
Transmit Period................................
Maximum Requests...............................
Using RADIUS The RADIUS client on the switch supports multiple RADIUS servers. When multiple authentication servers are configured, they can help provide redundancy. One server can be designated as the primary and the other(s) will function as backup server(s). The switch attempts to use the primary server first. If the primary server does not respond, the switch attempts to use the backup servers. A priority value can be configured to determine the order in which the backup servers are contacted.
As a user attempts to connect to the switch management interface, the switch first detects the contact and prompts the user for a name and password. The switch encrypts the supplied information, and a RADIUS client transports the request to a preconfigured RADIUS server. Figure 9-1.
Which RADIUS Attributes Does the Switch Support? Table 9-6 lists the RADIUS attributes that the switch supports and indicates whether the 802.1X feature, User Manager feature, or Captive Portal feature supports the attribute. The RADIUS administrator must configure these attributes on the RADIUS server(s) when utilizing the switch RADIUS service and may also need to enable processing of the specific attribute on the switch.
Table 9-6. Supported RADIUS Attributes (Continued)

Type  RADIUS Attribute Name  802.1X      User Manager  Captive Portal
30    Called-Station-ID      Yes         No            No
31    Calling-Station-ID     Yes         No            Yes
32    NAS-Identifier         Yes         Yes           No
40    Acct-Status-Type       Acct. only  Yes           No
41    Acct-Delay-Time        Acct. only  No            No
42    Acct-Input-Octets      Yes         No            No
43    Acct-Output-Octets     Yes         No            No
44    Acct-Session-ID        Acct.
• SERVICE-TYPE The Service-Type attribute may be validated in the Access-Accept packet received from the RADIUS server. Only the Login-User(1), Administrative-User(6), and Call-Check(10) values are considered valid for Service-Type in the Access-Accept message returned from the RADIUS server. • SESSION-TIMEOUT Session time-out value for the session (in seconds). Used by both 802.1x and Captive Portal. • TERMINATION-ACTION Indication as to the action taken when the service is completed.
  – subscriber:command=disable-host-port (COA only)
• FILTER-ID Name of an existing ACL or DiffServ policy for this user. Names ending with an ".in" suffix are ACLs.
• FRAMED-IP-ADDRESS The IP address assigned to the host accessing the network. Cached and transmitted in accounting packets.
• FRAMED-IPv6-ADDRESS The IPv6 address assigned to the host accessing the network. Cached and transmitted in accounting packets.
Figure 9-2 shows an example of access management using TACACS+. Figure 9-2. Basic TACACS+ Topology (a management host on the management network reaching a Dell EMC Networking N-Series switch, which uses a primary and a backup TACACS+ server). The TACACS+ server list can be configured with one or more hosts defined via their network IP addresses. Each can be assigned a priority to determine the order in which the TACACS+ client will contact the servers.
Table 9-7. Supported TACACS+ Attributes

Attribute Name  Exec Authorization  Command Authorization  Accounting
cmd             both (optional)     sent                   sent
cmd-arg                             sent
elapsed-time                                               sent
priv-lvl        received
protocol        sent
roles           both (optional)
service=shell   both                sent                   sent
start-time                                                 sent
stop-time                                                  sent

Dynamic ACL Overview NOTE: This feature is only supported in 802.1X-enabled configurations.
of filtering any matching ingress traffic, regardless of which authentication session actually instantiated the DACL. Do not apply both DACLs and DiffServ policies on a port at the same time. NOTE: 802.1X port-control auto mode ports are restricted to a single data device and a single voice device by default (host mode multi-domain multihost). This restriction is enforced by implicitly filtering incoming traffic based upon the MAC address of the authenticating client. DACLs contained in an 802.
Request contains both Filter-ID (11) and AVPair (26) attributes). No Acct-Start packet is sent and an EAP-Failure is sent to the 802.1X client. Dynamic ACLs using the Filter-ID syntax are always enabled. Filter-ID syntax: Named ACL - a printable character string of the form <acl-name>.in, for example Filter-id="test_static.in".
The VSA av-pair is coded as follows: Attribute 26, Vendor ID 9, Vendor subtype 1 (the Cisco-AVPair VSA, written 009/001 below). Predefined ACL Selection Send the vendor proprietary VSA (009/001) AV-pair (26) attribute syntax from the RADIUS server in the Access-Accept message to select an ACL that is already configured on the switch, but is not necessarily associated to the authenticating interface. The ACL must be preconfigured on the switch. The extended-access-control-list-name is the name or number of an existing ACL.
Dynamic ACL Creation Send the vendor proprietary VSA (009/001) AV-pair (26) attribute syntax from the RADIUS server in the Access-Accept message to create an ACL that does not exist on the switch. The ACL need not be statically preconfigured on the switch prior to RADIUS creating the ACL, associating the ACL to the port, and authorizing the port. All statically configured ACLs on a port are disassociated from the port prior to configuring the dynamic ACL.
Either traffic-class av-pairs or multiple ip:inacl/ipv6:inacl av-pairs may be present in the RADIUS message, but not both. If both are present, or if there are syntax errors in the received ACLs (other than duplicate rules), the ACL rules are not applied, the RADIUS Access-Accept is treated as an Access-Reject, and a WARN log message "Interface X/X/X not authorized" is issued.
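A RADIUS administrator has to produce exactly the attribute mix the switch accepts. The following Python is an added example and not Dell code: it encodes the Filter-ID and Cisco-AVPair (VSA 009/001) attributes of an Access-Accept, decodes them again, and applies the acceptance rules given above for Filter-ID, for mixing Filter-ID with AV-pairs, and for mixing traffic-class with inacl AV-pairs. The ACL rule text inside the av-pairs and the key name ip:traffic-class are assumptions; the switch's own ACL rule grammar is not reproduced, only the av-pair framing is checked.

```python
import re
import struct

FILTER_ID, VSA = 11, 26            # IETF attribute numbers
CISCO_VENDOR, CISCO_AVPAIR = 9, 1  # VSA 009/001 = Cisco-AVPair

# Accepted av-pair keys. "ip:inacl"/"ipv6:inacl" come from the text;
# "ip:traffic-class" is an assumed spelling for the traffic-class av-pair.
AVPAIR_RE = re.compile(r"^(ip:inacl|ipv6:inacl|ip:traffic-class)#(\d+)=(.+)$")

def attr(atype, value):
    """Encode one RADIUS attribute TLV (type, length, value)."""
    return bytes([atype, 2 + len(value)]) + value

def cisco_avpair(text):
    """Encode a Cisco-AVPair as a Vendor-Specific attribute (type 26, vendor 9, subtype 1)."""
    return attr(VSA, struct.pack("!I", CISCO_VENDOR) + attr(CISCO_AVPAIR, text.encode()))

def parse_attrs(data):
    """Decode attributes into (type, vendor, subtype, value); vendor/subtype are None for non-VSAs."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        value = data[i + 2:i + alen]
        if atype == VSA:
            vendor, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):
                stype, slen = value[j], value[j + 1]
                out.append((atype, vendor, stype, value[j + 2:j + slen]))
                j += slen
        else:
            out.append((atype, None, None, value))
        i += alen
    return out

def decide(attrs):
    """Apply the acceptance rules from the text to a decoded Access-Accept."""
    filter_ids = [v.decode() for t, _, _, v in attrs if t == FILTER_ID]
    avpairs = [v.decode() for t, ven, st, v in attrs
               if t == VSA and ven == CISCO_VENDOR and st == CISCO_AVPAIR]
    if filter_ids and avpairs:
        return ("reject", "Filter-ID and AVPair both present")      # EAP-Failure, no Acct-Start
    if filter_ids:
        name = filter_ids[0]
        return ("accept", "acl" if name.endswith(".in") else "diffserv", name)
    inacl, tclass, seen = [], [], set()
    for pair in avpairs:
        m = AVPAIR_RE.match(pair)
        if not m:
            return ("reject", f"syntax error in av-pair: {pair}")   # treated as Access-Reject
        key, seq, rule = m.group(1), int(m.group(2)), m.group(3)
        if (key, seq, rule) in seen:
            continue                                                # duplicate rules are tolerated
        seen.add((key, seq, rule))
        (tclass if key == "ip:traffic-class" else inacl).append((key, seq, rule))
    if inacl and tclass:
        return ("reject", "traffic-class and inacl av-pairs both present")
    if not inacl and not tclass:
        return ("accept", "no-dacl", None)
    return ("accept", "dacl", sorted(inacl or tclass, key=lambda r: r[1]))
```

decide() returns the outcome together with the reason, so the same function can be used to lint a RADIUS server's reply templates before they reach a production switch.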
administrator can override the port configuration and add a manually configured ACL. If the administrator adds an ACL, only the DACL is removed when the session ends. The switch alters a dynamic ACL IP address filter configured with the any keyword for the source IP address. IP source addresses in the DACL are rewritten to use the supplicant IP address if available.
are processed after authentication if the device is authorized on the port. In the examples below, it is assumed that the default configuration of authorization—that is, no authorization—is used.
8 Enable password strength checking:

console(config)#passwords strength-check

9 Create a user with the name "admin" and password "paSS1&word2". This user is enabled for privilege level 15.
RADIUS Authentication Example Use the following configuration to require RADIUS authentication to support administrator login over a Telnet connection:

1 Create a login authentication list called "rad" that contains the method radius. If this method returns an error, the user will fail to log in:

console#config
console(config)#aaa authentication login "rad" radius

2 Create an enable authentication list called "raden" that contains the method radius.
ACL Using Authentication Manager to Configure MAB with RADIUS Server The following is a relatively complex example of using an ACL to control access to Gi1/0/1, using the Authentication Manager to configure MAB in conjunction with a RADIUS server.
console(config)#radius server auth 172.25.129.229
console(config-auth-radius)#name Default-Radius-Server
console(config-auth-radius)#primary
console(config-auth-radius)#usage authmgr
console(config-auth-radius)#key "dellSecret"
console(config-auth-radius)#exit

10 Configure the management interface and bypass 802.
console(config-if-Gi1/0/22)#authentication order dot1x mab
console(config-if-Gi1/0/22)#exit

Combined RADIUS, CoA, MAB and 802.1x Example The following example configures RADIUS in conjunction with IEEE 802.1X to provide network access to switch clients.

1 Enable 802.1x:

console#config
console(config)#dot1x system-auth-control
console(config)#authentication enable

2 Configure 802.
session can be issued by the RADIUS server. This means that if the RADIUS server terminates the host session and subsequently refuses to authorize the host, the host is denied access to the network:

console(config)#interface Gi1/0/7
console(config-if-Gi1/0/7)#authentication host-mode multi-auth
console(config-if-Gi1/0/7)#authentication order dot1x
console(config-if-Gi1/0/7)#exit

10 Configure Gi1/0/6 to allow connected hosts access to network resources, regardless of RADIUS configuration.
4 Configure the second RADIUS server for host authentication/network access, located at 10.130.191.90, with a shared secret. This server is a secondary RADIUS server:

console(config)#radius server auth 10.130.191.90
console(config-auth-radius)#name Default-RADIUS-Server
console(config-auth-radius)#key "shared secret"
console(config-auth-radius)#exit

5 Configure the third RADIUS server for host authentication/network access, located at 10.130.191.91, with a shared secret.
3 The following command is the first step in defining a TACACS+ server at IP address 1.2.3.4. The result of this command is to place the user in tacacs-server mode to allow further configuration of the server:

console(config)#tacacs-server host 1.2.3.4

4 Define the shared secret. This must be the same as the shared secret defined on the TACACS+ server:

console(config-tacacs)#key "secret"
console(config-tacacs)#exit

5 Enter the configuration mode for the Telnet line.
This configuration requires entering a public key, which can be generated by a tool such as PuTTYgen. Be sure to generate the correct type of key. In this case, we use an RSA key with the SSH-2 version of the protocol.

Switch Configuration

1 Create a switch administrator:

console#config
console(config)#username "admin" password f4d77eb781360c5711ecf3700a7af623 privilege 15 encrypted

2 Set the login and enable methods for line to NOAUTH.
8 The following three lines enable the SSH server, configure it to use public key authentication, and specify use of the SSH-2 protocol.
PUTTY Configuration Main Screen On the following screen, the IP address of the switch is configured and SSH is selected as the secure login protocol.
On the next screen, PUTTY is configured to use SSH-2 only. This is an optional step that accelerates the login process.
The following screen is the key to the configuration. It is set to display the authentication banner, disable authentication with Pageant, disable keyboard-interactive authentication (unless desired), disable attempted changes of user name, and select the private key file used to authenticate with the switch.
The following screen configures the user name to be sent to the switch. A user name is always required. Alternatively, leave Auto-login name blank and the system will prompt for a user name.
After configuring PuTTY, be sure to save the configuration. The following screen shows the result of the login process. The user name is entered automatically and the switch confirms that public key authentication occurs. Authenticating with a Public Key from Linux The following example configures the switch to allow administrative access without a password for Linux users with correctly configured SSH clients. Dell EMC Networking SSH is configured to require a password on administrator accounts.
Substitute the login ID of the switch administrator for the User admin parameter above, and set the correct path to your account for the IdentityFile parameter.
Also, ensure that the private key ~/.ssh/id_rsa is not readable by others by executing the chmod 0600 ~/.ssh/id_rsa command in Linux. Authentication will fail if the file is readable by others. The command string to log into the switch (substituting the correct IP address) from a Linux account is: ssh -2 -i ~/.ssh/id_rsa -F ~/.ssh/ssh_config 10.27.21.70 Authenticating Without a Public Key When authenticating without the public key, the switch prompts for the user name and password.
console#config
console(config)#username mylogin password XXXXXXXX privilege 15

2 Enter the externally generated key:

console(config)#crypto key pubkey-chain ssh

3 Associate the key with the newly added user login:

console(config-pubkey-chain)#user-key mylogin dsa

4 Add the externally generated key. All of the key information is entered between double quotes.
Authorization Authorization is used to determine which services the user is allowed to access. For example, the authorization process may assign a user’s privilege level, which determines the set of commands the user can execute. There are three kinds of authorization: commands, exec, and network. • Commands: Command authorization determines which CLI commands the user is authorized to execute.
Administrative Profiles The Administrative Profiles feature allows the network administrator to define a list of rules that control the CLI commands available to a user. These rules are collected in a “profile.” The rules in a profile can define the set of commands, or a command mode, to which a user is permitted or denied access. Within a profile, rule numbers determine the order in which the rules are applied.
Table 9-9. Default Administrative Profiles

Name              Description
network-admin     Allows access to all commands.
network-security  Allows access to network security features such as 802.1X, Voice VLAN, Dynamic ARP Inspection and IP Source Guard.
router-admin      Allows access to Layer 3 features such as IPv4 Routing, IPv6 Routing, OSPF, RIP, etc.
multicast-admin   Allows access to multicast features at all layers; this includes L2, IPv4 and IPv6 multicast, IGMP, IGMP Snooping, etc.
With the users that were previously configured, the guest user will still log into user Exec mode, since the guest user only has privilege level 1 (the default). The admin user will be able to login directly to Privileged Exec mode since his privilege level was configured as 15.
The RADIUS server should be configured such that it will send the Cisco AV Pair attribute with the “roles” value. For example: shell:roles=router-admin The above example attribute gives the user access to the commands permitted by the router-admin profile. RADIUS Change of Authorization Dell EMC Networking N-Series switches support the Change of Authorization Disconnect-Request and COA-Request per RFC 5176.
42 – Disconnect-NAK A CoA Disconnect-Request terminates the session without disabling the switch port. Instead, a CoA Disconnect-Request termination causes reinitialization of the authenticator state machine for the specified host. A CoA bounce host port request disables the port for 10 seconds. The bounce host port is requested using the proprietary AVPair subscriber:command= bounce-host-port.
• NAS-Port (IETF attribute #5)
• Framed-IP-Address (IETF attribute #8)
• Calling-Station-ID (IETF attribute #31)
• Acct-Session-ID (IETF attribute #44)
• Message-Authenticator (IETF attribute #80)
• Error-Cause (IETF attribute #101)

A CoA NAK message is not sent for all CoA requests with a key mismatch. The message is sent only for the first three requests for a client. After that, all the packets from that client are dropped.
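The Disconnect-Request handling described above, including the Message-Authenticator check and the behaviour of answering only the first three requests with a bad shared secret, is shown below as a Python model. It is an added example and not Dell code: the session identifiers, client addresses and shared secret are constructed, and the packet codes and authenticator computations follow RFC 5176 (the Message-Authenticator is computed with the authenticator field and its own value zeroed, then the Request Authenticator is computed over the finished packet).

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 packet codes
CALLING_STATION_ID, ACCT_SESSION_ID = 31, 44                        # attributes from the list above
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
SESSION_CONTEXT_NOT_FOUND = 503                                     # RFC 5176 Error-Cause value

def attr(atype, value):
    """Encode one RADIUS attribute TLV."""
    return bytes([atype, 2 + len(value)]) + value

def split_attrs(body):
    """Decode a TLV sequence into (type, value) pairs."""
    out, i = [], 0
    while i < len(body):
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out

def build_disconnect_request(secret, ident, attrs):
    """Disconnect-Request as sent by the RADIUS server. Message-Authenticator = HMAC-MD5(secret)
    over the packet with a zeroed authenticator field and zeroed MA value; the Request
    Authenticator = MD5(header + 16 zero octets + final attributes + secret)."""
    placeholder = attrs + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(placeholder))
    ma = hmac.new(secret, header + bytes(16) + placeholder, hashlib.md5).digest()
    body = attrs + attr(MESSAGE_AUTHENTICATOR, ma)
    req_auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + req_auth + body

def verify(secret, packet):
    """Switch-side check of both authenticators; False on any mismatch or a missing MA."""
    header, req_auth, body = packet[:4], packet[4:20], packet[20:]
    if not hmac.compare_digest(hashlib.md5(header + bytes(16) + body + secret).digest(), req_auth):
        return False
    attrs = split_attrs(body)
    ma = next((v for t, v in attrs if t == MESSAGE_AUTHENTICATOR), None)
    if ma is None:
        return False
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    return hmac.compare_digest(hmac.new(secret, header + bytes(16) + zeroed, hashlib.md5).digest(), ma)

class DynamicAuthServer:
    """Models the switch's handling of Disconnect-Requests from a configured CoA client."""
    NAK_LIMIT = 3   # key-mismatch NAKs sent per client before its packets are dropped

    def __init__(self, secret, session_ids):
        self.secret = secret
        self.sessions = set(session_ids)   # active Acct-Session-Id values (constructed)
        self.mismatches = {}               # client address -> bad-key requests seen

    def handle(self, client, packet):
        if not verify(self.secret, packet):
            n = self.mismatches.get(client, 0) + 1
            self.mismatches[client] = n
            return "NAK" if n <= self.NAK_LIMIT else "DROP"
        attrs = dict(split_attrs(packet[20:]))
        sid = attrs.get(ACCT_SESSION_ID, b"").decode()
        if sid in self.sessions:
            self.sessions.discard(sid)     # session terminated; the port itself stays enabled
            return "ACK"
        return "NAK"                       # would carry Error-Cause 503, Session Context Not Found
```

A server that gets no reply after three attempts with a wrong secret is not seeing packet loss; the switch has stopped answering that client, so check the key on both sides before retrying.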
RADIUS COA Example with Telnet and SSH The following example configures telnet and SSH clients in conjunction with RADIUS CoA.

1 Configure a login list named "login-list" that uses RADIUS as the only method:

console#config
console(config)#aaa authentication login "login-list" radius

2 Enable RADIUS COA:

console(config)#aaa server radius dynamic-author

3 Enable the switch RADIUS client connecting to the RADIUS server at 10.130.191.89:

console(config-radius-da)#client 10.130.191.
console(config-ssh)#exit

9 Enable the SSH server (the telnet server is enabled by default):

console(config)#ip ssh server
TACACS Authorization TACACS+ Authorization Example—Direct Login to Privileged Exec Mode Apply the following configuration to use TACACS+ for authorization, such that a user can enter Privileged Exec mode directly:

1 Create an exec authorization method list called "tacex" which contains the method tacacs.

console#config
console(config)#aaa authorization exec "tacex" tacacs

2 Assign the tacex exec authorization method list to be used for users accessing the switch via Telnet.
The above attribute gives the user access to the commands permitted by the router-admin profile.
NOTE: If the priv-lvl attribute is also supplied, the user can also be placed directly into Privileged Exec mode.
TACACS+ Authorization Example—Custom Administrative Profile
This example creates a custom profile that allows the user to control user access to the switch by configuring an administrative profile that only allows access to AAA-related commands.
console(admin-profile)#rule 88 permit command "^password .*"
console(admin-profile)#rule 87 permit command "^username .*"
console(admin-profile)#rule 86 permit command "^show user.*"
console(admin-profile)#rule 85 permit command "^radius server .*"
console(admin-profile)#rule 84 permit command "^tacacs-server .*"
3 Enter rule number permit mode mode-name to allow all commands in the named mode.
TACACS+ Authorization Example—Per-command Authorization An alternative method for command authorization is to use the TACACS+ feature of per-command authorization. With this feature, every time the user enters a command, a request is sent to the TACACS+ server to ask if the user is permitted to execute that command. Exec authorization does not need to be configured to use per-command authorization.
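The per-command authorization exchange described above (and the anchored permit patterns of the custom administrative profile example before it), as an added Python example of the TACACS+ (RFC 8907) AUTHOR REQUEST and REPLY. This is not Dell code: the shared key, session ID, user name, port, remote address and permit patterns are constructed, and the "permit if any anchored pattern matches the command line" policy is this demo's, not a statement of how the switch evaluates its own profiles.

```python
"""Added example, not Dell code: TACACS+ (RFC 8907) per-command authorization exchange.

Key, session ID, user, port, address and permit patterns are constructed for the
demo; the permit policy is the demo's own, not the switch's profile evaluation.
"""
import hashlib
import re
import struct

TAC_VERSION, TYPE_AUTHOR = 0xC0, 0x02          # major 0xC, minor 0; packet type AUTHOR
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10
HEADER = struct.Struct("!BBBBII")              # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 s4.5: pad_1 = MD5(session_id, key, version, seq_no); pad_n adds pad_n-1."""
    seed = struct.pack("!I", session_id) + key + bytes([TAC_VERSION, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, seq_no):
    """Body XOR pad. Symmetric: the same call recovers the cleartext. Not encryption."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def packet(body, session_id, key, seq_no):
    header = HEADER.pack(TAC_VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def unpack(pkt, key):
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(pkt[:12])
    if version != TAC_VERSION or ptype != TYPE_AUTHOR or length != len(pkt) - 12:
        raise ValueError("bad TACACS+ header")
    return session_id, obfuscate(pkt[12:], session_id, key, seq_no)


def build_author_request(session_id, key, user, port, rem_addr, args):
    """AUTHOR REQUEST (seq 1, RFC 8907 s6.1): args carry service=shell, cmd=..., cmd-arg=..."""
    enc = [a.encode() for a in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(enc))
    body = fixed + bytes(len(a) for a in enc) + user.encode() + port.encode() + rem_addr.encode()
    return packet(body + b"".join(enc), session_id, key, 1)


def parse_author_request(pkt, key):
    """Server side: (session_id, user, args)."""
    session_id, body = unpack(pkt, key)
    _m, _priv, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens, off = body[8:8 + argc], 8 + argc
    user = body[off:off + ulen].decode()
    off += ulen + plen + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return session_id, user, args


def build_author_reply(session_id, key, status, server_msg=""):
    """AUTHOR REPLY (seq 2, RFC 8907 s6.2): PASS_ADD permits, FAIL denies."""
    msg = server_msg.encode()
    return packet(struct.pack("!BBHH", status, 0, len(msg), 0) + msg, session_id, key, 2)


def parse_author_reply(pkt, key):
    _sid, body = unpack(pkt, key)
    status, argc, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6 + argc:6 + argc + msg_len].decode()


def command_line(args):
    """Rebuild the typed line from cmd and cmd-arg values, dropping the trailing <cr>."""
    words = [a.split("=", 1)[1] for a in args if a.startswith(("cmd=", "cmd-arg="))]
    return " ".join(w for w in words if w != "<cr>")


def authorize_command(request_pkt, key, permit_patterns):
    """Demo policy: permit when any pattern (anchored, as in the profile rules) matches."""
    session_id, user, args = parse_author_request(request_pkt, key)
    line = command_line(args)
    ok = any(re.match(p, line) for p in permit_patterns)
    msg = "" if ok else f"{user}: '{line}' not permitted"
    return build_author_reply(session_id, key, STATUS_PASS_ADD if ok else STATUS_FAIL, msg)
```

Two points worth taking from the exchange: every command the operator types crosses the network as a separate request, and the body protection is an MD5-derived keystream keyed only on the shared key and header fields, so anyone holding the key and a capture can read every command and reply. Use a distinct key per switch, and keep the TACACS+ path on a management network rather than relying on the obfuscation.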
Accounting
Accounting is used to record security events, such as a user logging in or executing a command. Accounting records may be sent upon completion of an event (stop-only) or at both the beginning and end of an event (start-stop). There are three types of accounting: commands, Dot1x, and exec.
• Commands—Sends accounting records for command execution.
• Dot1x—Sends accounting records for network access.
• Exec—Sends accounting records for management access (logins).
• Acct-Terminate-Cause (49)
• Class (25)
• Acct-Authentic (45)
• Acct-Session-Time (46)
• Acct-Input-Octets (42)
• Acct-Output-Octets (43)
• Acct-Input-Gigawords (52)
• Acct-Output-Gigawords (53)
• Framed-IPv6-Address (168)
• Acct-Delay-Time (41)
• Acct-Session-Id (44)
• NAS-Port-Id (87)
Some of the attributes above are sent only if they were received from the RADIUS server during the Access-Request exchange, for example Class.
• NAS-Port-Id (87)
The Framed-IP-Address or Framed-IPv6-Address attribute is sent only if available. Only one of NAS-IP-Address or NAS-Identifier is sent in an Accounting Start record.
IEEE 802.1X What is IEEE 802.1X? The IEEE 802.1X standard provides a means of preventing unauthorized access by supplicants (clients) to the services the switch offers, such as access to the LAN. The 802.1X network has three components: • Supplicant — The client connected to the authenticated port that requests access to the network. • Authenticator — The network device that prevents network access prior to authentication.
As shown in Figure 9-3, the Dell EMC Networking switch is the authenticator and ensures that the supplicant (a PC) attached to an 802.1X-controlled port is authenticated by an authentication server (a RADIUS server). The result of the authentication process determines whether the supplicant is authorized to access network services on that controlled port. Dell EMC Networking N-Series switches support 802.1X authentication using a remote RADIUS server or the local Internal Authentication Server (IAS).
The port security feature can be used to limit access on ports configured in auto mode. To limit access to an IP phone plus laptop configuration using Voice VLAN, set the port security limit to 3, because many IP phones also use the data VLAN during power-up. For more information on port security, see "Port and System Security" on page 663. NOTE: Only Auto mode uses 802.1X and RADIUS to authenticate. Force-authorized and Force-unauthorized modes are manual overrides.
are segregated into separate VLANs. The RADIUS server attribute vendor proprietary AVPair device-traffic-class=voice is used to identify the voice client. Multi-Domain-Multi-Host Mode In multi-domain-multi-host mode, one voice device and one data device may authenticate on a port. However, once the data device is authenticated, access is authorized on the data VLAN to any connected device.
• Retries – resends the EAP Request packet up to three times
• Considers the client to be an 802.1X-unaware client (if it does not receive an EAP response packet from that client)
The NAS sends a request to the authentication server with the MAC address of the client in hexadecimal format as the username and the MD5 hash of the MAC address as the password.
By default, MAB clients are authenticated to the authentication server using EAP-MD5. MAB clients may optionally be configured to use CHAP or PAP to authenticate the MAB device.
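How the MAB credentials described above are derived from the client's MAC address, and what the authenticator puts on the wire for each of the three methods (EAP-MD5, CHAP, PAP), as an added Python example. This is not Dell code; the MAC address, RADIUS shared secret, Request Authenticator and challenge are constructed, and the exact username and password formatting the switch emits is configurable, so the forms used here (lower-case hex MAC, MD5 hex digest of it as the password) are assumptions.

```python
"""Added example, not Dell code: MAB credential derivation and the per-method response.

MAC, secret, Request Authenticator and challenge are constructed for the demo;
the username/password formats are assumptions (the switch's are configurable).
"""
import hashlib
import re


def mab_identity(mac, sep=""):
    """Username: the 48-bit MAC as 12 lower-case hex digits, joined by `sep` if given."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def mab_password(mac):
    """Password: MD5 of the MAC address (hex digest), as the text describes."""
    return hashlib.md5(mab_identity(mac).encode()).hexdigest().encode()


def md5_challenge_response(ident, password, challenge):
    """EAP-MD5 (RFC 3748 s5.4) and CHAP (RFC 1994 s4.1): MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def hide_user_password(password, secret, request_authenticator):
    """PAP: RFC 2865 s5.2 User-Password hiding, 16-byte blocks chained through MD5."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_user_password(hidden, secret, request_authenticator):
    """Server side of RFC 2865 s5.2; strips the zero padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ b for h, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mab_access_request_fields(mac, method, ident=1, challenge=b"", secret=b"",
                              request_authenticator=b""):
    """The authentication-bearing fields of the Access-Request for a MAB client."""
    user, password = mab_identity(mac), mab_password(mac)
    if method in ("eap-md5", "chap"):
        return {"User-Name": user, "response": md5_challenge_response(ident, password, challenge)}
    if method == "pap":
        hidden = hide_user_password(password, secret, request_authenticator)
        return {"User-Name": user, "User-Password": hidden}
    raise ValueError("unknown MAB method: " + method)
```

Whatever the method, every input to the credential is derived from the MAC address, so any host that spoofs the MAC produces the same response to the same challenge. MAB identifies a device; it does not authenticate it. Treat MAB-authorized ports as untrusted (restricted VLAN, port security limits, no access to sensitive segments).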
• The host attempts to authenticate but fails because it lacks certain security credentials. • The host does not try to authenticate at all (802.1X unaware). Three separate VLANs can be configured on the switch to handle a host depending on whether the host authenticates, fails the authentication, or does not attempt authentication. The RADIUS server informs the switch of the selected VLAN as part of the authentication.
Dynamic VLAN Creation If RADIUS-assigned VLANs are enabled through the Authorization Network RADIUS configuration option, the RADIUS server is expected to include the VLAN ID in the 802.1X tunnel attributes of its response message to the switch. If dynamic VLAN creation is enabled on the switch and the RADIUS-assigned VLAN does not exist, the assigned VLAN is created dynamically and the port PVID or native VLAN is set to the RADIUS-assigned VLAN ID.
Guest VLAN The Guest VLAN feature provides a mechanism to allow users access to a guest VLAN. For example, the administrator might provide a guest VLAN to visitors and contractors to permit network access that allows visitors to connect to external network resources, such as the Internet, with no ability to access information on the internal LAN. As an example, on a port configured in auto authentication mode (authentication port-control auto) and connected to a client that does not support 802.
Additional hosts may authenticate on a switchport trunk (or general) mode port configured in authentication host-mode multi-auth and contain a VLAN assignment. If the Access-Accept contains a VLAN assignment, the VLAN assignment is honored for the client. Client packets must be tagged with the assigned VLAN to be forwarded. What is Monitor Mode? The monitor mode is a special mode that can be enabled in conjunction with 802.1X authentication.
Table 9-11. IEEE 802.1X Monitor Mode Behavior (Continued)
Columns: Case, Sub-case. Cases listed on this page: RADIUS/IAS Failure; RADIUS Timeout; Critical Voice VLAN; 802.
Table 9-11. IEEE 802.1X Monitor Mode Behavior (Continued)
Case: Port/Client Delete. Sub-case: Guest VLAN ID authenticated through Dot1Q on Guest VLAN. Regular 802.1X: Port State: Deny. 802.1X Monitor Mode: Port State: Permit; VLAN: Default PVID of the port.
How Does the Authentication Server Assign DiffServ Policy or ACLs?
The Dell EMC Networking N-Series switches allow the external 802.1X Authenticator or RADIUS server to assign ACL or DiffServ policies to users that authenticate to the switch.
Default 802.1X Values
Table 9-12 lists the default values for the 802.1X features.
Table 9-12. Default Port-Based Security Values
Feature: Description
Global 802.1X status: Disabled
802.1X authentication method: None
Per-port 802.
Configuring IEEE 802.1X (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IEEE 802.1X features and Port Security on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000E-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Dot1x Authentication Use the Dot1x Authentication page to configure the 802.
3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings to change for all ports that are selected for editing. Figure 9-5. Configure Dot1x Settings 5 Click Apply. To reauthenticate a port: 1 Open the Dot1x Authentication page. 2 Click Show All. The Dot1x Authentication Table displays. 3 Check Edit to select the Unit/Port to re-authenticate. 4 Check Re-authenticate Now. 5 Click Apply. The authentication process is restarted on the specified port.
5 To re-authenticate immediately, check Re-authenticate Now for all ports to be re-authenticated. 6 Click Apply. The authentication process is restarted on the specified ports (either immediately or periodically). To change the administrative port control: 1 Open the Dot1x Authentication page. 2 Click Show All. The Dot1x Authentication Table displays. 3 Scroll to the right side of the table and select the Edit check box for each port to configure.
Port Access Control Configuration Use the Port Access Control Configuration page to globally enable or disable RADIUS-assigned VLANs and to enable Monitor Mode to help troubleshoot 802.1X configuration issues. NOTE: The VLAN Assignment Mode field is the same as the Admin Mode field on the System Management Security Authorization Network RADIUS page.
Figure 9-8. Port Access Control History Log Internal Authentication Server Users Configuration Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries. To display the Internal Authentication Server Users Configuration page, click System Management Security Internal Authentication Server Users Configuration in the navigation panel. Figure 9-9.
Figure 9-10. Adding an IAS User 4 Click Apply. To view the Internal Authentication Server Users Table page, click Show All. To delete an IAS user: 1 Open the Internal Authentication Server Users Configuration page. 2 From the User menu, select the user to remove. 3 Select the Remove check box. Figure 9-11. Removing an IAS User 4 Click Apply. Configuring IEEE 802.1X (CLI) This section provides information about commands you use to configure 802.1X and Port Security settings.
Configuring Basic 802.1X Authentication Settings
Use the following commands to enable and configure 802.1X authentication on the switch.
Command: Purpose
configure: Enter Global Configuration mode.
aaa authentication dot1x default method1: Specify the authentication method to use to authenticate 802.1X clients that connect to the switch. method1—The method keyword can be radius, none, or ias.
authentication monitor: Globally enable 802.1X Monitor Mode, which is used to troubleshoot 802.1X configuration issues (see "What is Monitor Mode?" and the NOTE below). This command does not by itself enable 802.1X authentication.
Command: Purpose
authentication port-control {force-authorized | force-unauthorized | auto}: Specify the authentication mode for the port.
NOTE: For standard 802.1X implementations in which one client is connected to one port, use the authentication port-control auto command to enable 802.1X authentication on the port.
• auto — Enables 802.1X authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.
NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the authentication monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show authentication authentication-history {interface | all} [failed-auth-only] [detail] command. To clear the history, use the clear authentication authentication-history command in Privileged Exec mode. Configuring Additional 802.1X Interface Settings Use the following commands to configure 802.
Command: Purpose
dot1x max-req count: Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP) Request frame other than Request/Identity to the client, when no response is received, before restarting the authentication process.
dot1x max-reauth-req count: Set the maximum number of times that the switch sends an EAP-Request/Identity frame to the client with no response before restarting the authentication process.
Command Purpose interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command. For example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12. authentication event no- Specify the guest VLAN.
Configuring Internal Authentication Server Users Use the following commands to add users to the IAS database and to use the database for 802.1X authentication. Command Purpose configure Enter Global Configuration mode. aaa ias-user username user Add a user to the IAS user database. This command also changes the mode to the IAS User Config mode. password password [encrypted] Configure the password associated with the user. CTRL + Z Exit to Privileged Exec mode.
The switch uses an authentication server with an IP address of 10.10.10.10 to authenticate clients. Port 7 is connected to a printer in the unsecured area. The printer is an 802.1X unaware client, so Port 7 is configured to authenticate with MAB. NOTE: The printer requires an entry in the client database that uses the printer MAC address as the username. An IP phone is directly connected to Port 8, and a PC is connected to the IP phone.
Figure 9-12. 802.1X Example (physically unsecured devices: clients on Ports 1 and 3, printer on Port 7; physically secured devices: clients on Port 8, LAN server on Port 9, authentication server (RADIUS), LAN uplink on Port 24; all attached to the Dell EMC Networking N-Series switch)
The following example shows how to configure the example shown in Figure 9-12.
1 Configure the RADIUS server IP address and a global shared secret (secret).
console#configure
console(config)#radius server auth 10.10.10.
3 Configure ports 9 and 24 to be in the Authorized state, which allows the devices connected to these ports to access the switch services without authentication.
console(config)#interface range Gi1/0/9,Gi1/0/24
console(config-if)#authentication port-control force-authorized
console(config-if)#exit
4 Configure Port 7 to allow a single device with 802.1X or MAB. By default, EAP-MD5 authentication is used.
transmits it to the RADIUS server. If the RADIUS server grants access, the system sets the 802.1X port state of the interface to authorized and the supplicants are able to access network resources.
console#show authentication clients all
Interface......................................
User Name......................................
Supp MAC Address...............................
Session Time...................................
Filter Id......................................
DACL Name.........................
Gi1/0/1   auto              Authorized  FALSE  3600
Gi1/0/2   auto              N/A         FALSE  3600
Gi1/0/3   auto              Authorized  FALSE  3600
Gi1/0/4   auto              N/A         FALSE  3600
Gi1/0/5   auto              N/A         FALSE  3600
Gi1/0/6   auto              N/A         FALSE  3600
Gi1/0/7   auto              Authorized  FALSE  3600
Gi1/0/8   auto              N/A         FALSE  3600
Gi1/0/9   force-authorized  Authorized  FALSE  3600
Gi1/0/10  force-authorized  Authorized  FALSE  3600
Gi1/0/11  auto              N/A         FALSE  3600
10 View 802.1X information about Port 8.
console#show authentication interface Gi1/0/8
Authentication Manager Status..................
Controlling Authentication-Based VLAN Assignment The network in this example uses three VLANs to control access to network resources. When a client connects to the network, it is assigned to a particular VLAN based on one of the following events: • It attempts to contact the 802.1X server and is authenticated. • It attempts to contact the 802.1X server and fails to authenticate. • It does not attempt to contact the 802.1X server.
To configure the switch: 1 Create the VLANs and configure the VLAN names. console(config)#vlan 100 console(config-vlan100)#name Authorized console(config-vlan100)#exit console(config)#vlan 200 console(config-vlan200)#name Unauthorized console(config-vlan200)#exit console(config)#vlan 300 console(config-vlan300)#name Guest console(config-vlan300)#exit 2 Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.
console(config-if)#authentication host-mode multi-auth 8 Enable periodic reauthentication of the client on the ports and set the number of seconds to wait between reauthentication attempts to 300 seconds. Reauthentication is enabled to increase security by verifying that another device is not spoofing the MAC address of the indirectly connected devices.
Allowing Dynamic Creation of RADIUS-Assigned VLANs The network in this example uses a RADIUS server to provide VLAN assignments to hosts that connect to the switch. In this example, the VLANs are not configured on the switch. Instead, the switch is configured to allow the dynamic creation of VLANs when a RADIUS-assigned VLAN does not already exist on the switch. In this example, Ports 1–23 are configured as downlink, or access, ports, and Port 24 is the trunk port.
console(config)#interface range Gi1/0/1-23 7 Set the downlink ports to access mode because each downlink port connects to a single host that belongs to a single VLAN. Set the port-control mode to auto (the default) to allow assignment of the dynamically created VLANs to the host-connected port. Allow a single host to authenticate on each port.
Filter-id (11) = “internet_access” If it is desired that an existing ACL be configured, include the following attribute in the RADIUS server configuration: Filter-ID(11) = "Existing_ACL.in" • The ACL or DiffServ policy specified in the attribute must already be configured on the switch, and the ACL names must be identical to the one sent by the RADIUS server with an ".in" suffix. For information about configuring a DiffServ policy, see "DiffServ Configuration Examples" on page 1513.
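Decoding the Access-Accept attributes that carry a RADIUS-assigned VLAN (the RFC 2868 tunnel attributes named under "Dynamic VLAN Creation" above) and a Filter-Id policy, then applying the checks this section describes (VLAN must exist unless dynamic VLAN creation is enabled; a Filter-Id with the ".in" suffix must name an ACL already configured on the switch), as an added Python example. This is not Dell code: the attribute bytes, the VLAN table and the ACL and policy names are constructed for the demo, and the reading of an un-suffixed Filter-Id as a DiffServ policy name follows the "internet_access" example above.

```python
"""Added example, not Dell code: decode RADIUS VLAN and Filter-Id assignments.

Attribute bytes, VLAN table and ACL/policy names are constructed here. Tag
handling follows RFC 2868 s3.6: a leading octet of 0x00..0x1F is a tag.
"""

FILTER_ID, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 11, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6


def attr(atype, value):
    """Type, Length, Value encoding of one attribute."""
    return bytes([atype, len(value) + 2]) + value


def tagged_int(tag, n):
    """Tagged integer value: one tag octet followed by a 24-bit integer."""
    return bytes([tag]) + n.to_bytes(3, "big")


def iter_attrs(body):
    """Yield (type, value) pairs; stops at the first malformed length."""
    off = 0
    while off + 2 <= len(body) and body[off + 1] >= 2:
        yield body[off], body[off + 2:off + body[off + 1]]
        off += body[off + 1]


def split_tag(value):
    """Strip the RFC 2868 tag octet when present; 0 means untagged."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(body):
    """VLAN ID from a consistent Tunnel-Type=VLAN / Medium=802 / Group-ID triple, else None."""
    tunnels = {}
    for atype, value in iter_attrs(body):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = split_tag(value)
            tunnels.setdefault(tag, {})[atype] = payload   # attributes grouped by tag
    for parts in tunnels.values():
        group = parts.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (int.from_bytes(parts.get(TUNNEL_TYPE, b""), "big") == TUNNEL_TYPE_VLAN
                and int.from_bytes(parts.get(TUNNEL_MEDIUM_TYPE, b""), "big") == TUNNEL_MEDIUM_802
                and group.isdigit() and 1 <= int(group) <= 4094):
            return int(group)
    return None


def apply_vlan(vid, existing_vlans, dynamic_creation):
    """('assign'|'create'|'refuse'|'none', vlan): the outcomes the text describes."""
    if vid is None:
        return "none", None
    if vid in existing_vlans:
        return "assign", vid
    if dynamic_creation:
        existing_vlans.add(vid)              # port PVID / native VLAN set to the new VLAN
        return "create", vid
    return "refuse", None


def policy_from_accept(body, configured_acls, configured_policies):
    """Resolve Filter-Id: 'name.in' is inbound ACL 'name'; otherwise a DiffServ policy name."""
    for atype, value in iter_attrs(body):
        if atype == FILTER_ID:
            name = value.decode("ascii", "replace")
            if name.endswith(".in"):
                acl = name[:-3]
                return ("acl", acl) if acl in configured_acls else None
            return ("diffserv", name) if name in configured_policies else None
    return None
```

Grouping the three tunnel attributes by tag before comparing them matters: a server that returns attributes for more than one tunnel, or a proxy that mixes tagged and untagged forms, can otherwise be read as assigning a VLAN the policy never intended. Refusing an unknown VLAN when dynamic creation is off, and refusing a Filter-Id that names nothing configured, keeps a misconfigured RADIUS profile from silently landing a client in the default VLAN with no policy.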
To configure the switch: 1 Configure the DiffServ traffic class that matches SSH traffic. console#configure console(config)#class-map match-all cl-ssh console(config-classmap)#match dstl4port 22 console(config-classmap)#exit 2 Configure the DiffServ traffic class that matches HTTP traffic. console(config)#class-map match-all cl-http console(config-classmap)#match dstl4port 80 console(config-classmap)#exit 3 Configure the DiffServ policy.
console(config)#interface range Gi1/0/1-23 console(config-if)#authentication host-mode single-host 9 Set the ports to access mode (default VLAN 1). Enable the policy on the ports. console(config-if)#switchport mode access console(config-if)#service-policy in con-pol console(config-if)#exit console(config)#exit Captive Portal This section describes how to configure the Captive Portal feature.
accept the terms of use. The network administrator can also configure the CP feature to redirect the user to another web page after successful authentication, for example a company home page. CP is supported in IPv4 networks only. Figure 9-13.
Is Captive Portal Dependent on Any Other Feature? If security procedures require RADIUS authentication, the administrator must configure the RADIUS server information on the switch (see "Using RADIUS" on page 269). The RADIUS administrator must also configure the RADIUS attributes for CP users on the RADIUS server. For information about the RADIUS attributes to configure, see Table 9-15.
the network. If traps are enabled, the switch also writes a message to the trap log when the event occurs. To enable the CP traps, see "Configuring SNMP Notifications (Traps and Informs)" on page 501. What Factors Should Be Considered When Designing and Configuring a Captive Portal? Before enabling the CP feature, decide what type (or types) of authentication will be supported.
Figure 9-14. Customized Captive Portal Welcome Screen How Does Captive Portal Work? When a port is enabled for CP, all the traffic coming onto the port from the unverified clients is dropped except for the ARP, DHCP, NetBIOS, and DNS packets. These packets are forwarded by the switch so that the unverified clients can get an IP address and are able to resolve host or domain names.
• Logout Page — If the user logout mode is enabled, this page displays in a pop-up window after the user successfully authenticates. This window contains the logout button. • Logout Success Page — If the user logout mode is enabled, this page displays after a user clicks the logout button and successfully deauthenticates. Understanding User Logout Mode The User Logout Mode feature allows a user who successfully authenticates to the network through the CP to explicitly deauthenticate from the network.
Captive Portal and DNS CP allows unauthenticated users access to DNS services on TCP and UDP destination port 53. CP inspects all DNS traffic to ensure that it conforms with the DNS protocol (RFC 1035/1996). CP checks the format of DNS messages and discards packets that do not conform to the minimum standards.
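A model of the pre-authentication behaviour described in "How Does Captive Portal Work?" and in this section (only ARP, DHCP, NetBIOS and DNS forwarded for unverified clients, with DNS messages checked for protocol conformance), as an added Python example. This is not Dell code and does not reproduce the switch's own checks: the frames are constructed for the demo (no IP or UDP checksums are computed or verified), and the conformance rules are a minimal reading of RFC 1035 section 4.1 for client queries.

```python
"""Added example, not Dell code: pre-auth classifier plus minimal DNS conformance check.

Constructed demo frames carry no IP/UDP checksums; the classifier does not verify them.
"""
import struct

ETH_IP, ETH_ARP, PROTO_TCP,PROTO_UDP = 0x0800, 0x0806, 6, 17
DHCP_PORTS, NETBIOS_PORTS, DNS_PORT = {67, 68}, {137, 138, 139}, 53


def read_name(msg, off):
    """Parse an uncompressed domain name; return the next offset or -1 on violation."""
    total = 0
    while True:
        if off >= len(msg):
            return -1
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 or n > 63 or off + 1 + n > len(msg):   # pointer or oversize label
            return -1
        total += n + 1
        if total > 255:
            return -1
        off += 1 + n


def dns_conforms(msg):
    """Accept a client query only: QR=0, opcode QUERY, one question, optional OPT, no slack."""
    if len(msg) < 12:
        return False, "short-header"
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000:
        return False, "response-bit-set"
    if (flags >> 11) & 0xF != 0:
        return False, "opcode"
    if qd != 1 or an or ns or ar > 1:
        return False, "section-counts"
    off = read_name(msg, 12)
    if off < 0 or off + 4 > len(msg):
        return False, "question"
    off += 4                                   # QTYPE, QCLASS
    if ar:                                     # EDNS0 OPT pseudo-record (RFC 6891)
        off = read_name(msg, off)
        if off < 0 or off + 10 > len(msg):
            return False, "additional"
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    if off != len(msg):
        return False, "trailing-bytes"
    return True, "ok"


def preauth_allow(frame):
    """Return (forward, reason) for one Ethernet frame from an unverified client."""
    if len(frame) < 14:
        return False, "runt"
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETH_ARP:
        return True, "arp"
    if etype != ETH_IP:
        return False, "non-ip"
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False, "bad-ipv4"
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(l4) < 8:
        return False, "blocked"
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == PROTO_UDP and {sport, dport} & DHCP_PORTS:
        return True, "dhcp"
    if {sport, dport} & NETBIOS_PORTS:
        return True, "netbios"
    if dport == DNS_PORT:
        if proto == PROTO_UDP:
            payload = l4[8:]
        else:
            payload = l4[(l4[12] >> 4) * 4:]
            if not payload:
                return True, "dns-tcp-control"   # SYN/ACK segments carry no message
            if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
                return False, "dns-tcp-length"
            payload = payload[2:]
        ok, why = dns_conforms(payload)
        return ok, "dns" if ok else "dns-" + why
    return False, "blocked"


def build_frame(proto, sport, dport, payload):
    """Constructed demo frame: Ethernet + IPv4 (no checksum) + UDP or TCP header."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 0, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])) + l4
    return bytes(6) + bytes(6) + struct.pack("!H", ETH_IP) + ip


def dns_query(name, qtype=1):
    """Constructed well-formed query for `name`, QCLASS IN."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)
```

The structural check rejects malformed messages, but it cannot tell a legitimate lookup from a well-formed query that encodes data in its labels, so DNS remains a usable exfiltration and tunnelling channel from the pre-authentication state; restricting unverified clients to the resolvers the portal needs, and rate-limiting their queries, is the practical complement to this filter.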
Table 9-13. Captive Portal Status Values (Continued)
Status Value: Description. Browser Action.
RADIUS_WIP: RADIUS validation is in progress. The browser action is the same as for the WIP status.
Success: Authentication succeeded. Displays either the customized welcome page or an external URL.
Denied: The user has failed to enter credentials that match the expected configuration.
Default Captive Portal Behavior and Settings CP is disabled by default. If you enable CP, no interfaces are associated with the default CP. After you associate an interface with the CP and globally enable the CP feature, a user who connects to the switch through that interface is presented with the CP Welcome screen shown in Figure 9-15. Figure 9-15.
Table 9-14. Default Captive Portal Values
Feature: Value
Configured Captive Portals: 1
Captive Portal Name: Default
Protocol Mode: HTTP
Verification Mode: Guest
URL Redirect Mode: Off
User Group: 1-Default
Session Timeout: 86400 seconds
Local Users: None configured
Interface associations: None
Interface status: Not blocked
If the CP is blocked, users cannot gain access to the network through the CP.
Configuring Captive Portal (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring CP settings on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000E-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Figure 9-17. Captive Portal Configuration From the Captive Portal Configuration page, click Add to create a new CP instance. Figure 9-18. Add Captive Portal Configuration From the Captive Portal Configuration page, click Summary to view summary information about the CP instances configured on the switch.
Figure 9-19. Captive Portal Summary Customizing a Captive Portal The procedures in this section customize the pages that the user sees when he or she attempts to connect to (and log off of) a network through the CP. These procedures configure the English version of the Default Captive Portal. To configure the switch: 1 From the Captive Portal Configuration page click the (English) tab. The settings for the Authentication Page display, and the links to the CP customization appear.
3 Make sure Download is selected in the Available Images menu, and click Browse. 4 Browse to the directory where the image to be downloaded is located and select the image. 5 Click Apply to download the selected file to the switch. 6 To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link.
Figure 9-21. Captive Portal Authentication Page 7 Select the branding image to use and customize other page components such as the font for all text the page displays, the page title, and the acceptance use policy. 8 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear.
9 Click the Logout Page link to configure the page that contains the logout window. NOTE: The Logout Page settings can be configured only if the User Logout Mode is selected on the Configuration page. The User Logout Mode allows an authenticated client to deauthenticate from the network. Figure 9-22. Captive Portal Logout Page 10 Customize the look and feel of the Logout Page, such as the page title and logout instructions.
13 Customize the look and feel of the Logout Page, such as the background image and successful logout message. 14 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear. Local User A portal can be configured to accommodate guest users and authorized users. Guest users do not have assigned user names and passwords.
Figure 9-24. Local User Configuration From the Local User page, click Add to add a new user to the local database. Figure 9-25. Add Local User From the Local User page, click Show All to view summary information about the local users configured in the local database. Figure 9-26.
To delete a configured user from the database, select the Remove check box associated with the user and click Apply. Configuring Users in a Remote RADIUS Server Authorization of CP clients by a remote RADIUS server can also be used. All users must be added to the RADIUS server. The local database does not share any information with the remote RADIUS database. Table 9-15 indicates the RADIUS attributes you use to configure authorized CP clients.
User Group Local Users can be assigned to User Groups. If the Verification Mode is Local or RADIUS, a User Group is assigned to a CP Configuration. All users who belong to the group are permitted to access the network through this portal. The User Group list is the same for all CP configurations on the switch. To display the User Group page, click System Captive Portal User Group. Figure 9-27. User Group From the User Group page, click Add to configure a new user group. Figure 9-28.
Figure 9-29. Captive Portal User Group Summary To delete a configured group, select the Remove check box associated with the group and click Apply. Interface Association Using the Interface Association page, a configured CP can be associated with specific interfaces. The CP feature only runs on the interfaces that you specify. A CP can have multiple interfaces associated with it, but an interface can be associated to only one CP at a time.
NOTE: When you associate an interface with a CP, the interface is disabled in the Interface List. Each interface can be associated with only one CP at a time. Captive Portal Global Status The Captive Portal Global Status page contains a variety of information about the CP feature, including information about the CP activity and interfaces. To display the Global Status page, click System Captive Portal Status Global Status. Figure 9-31.
Figure 9-32. Captive Portal Activation and Activity Status NOTE: Use the Block and Unblock buttons to control the blocked status. If the CP is blocked, users cannot gain access to the network through the CP. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks. Interface Activation Status The Interface Activation Status page shows information for every interface assigned to a CP instance.
Interface Capability Status The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the CP to clients connected on this interface. The list of services is determined by the interface capabilities.
Figure 9-35. Client Summary To force the CP to disconnect an authenticated client, select the Remove check box next to the client MAC address and click Apply. To disconnect all clients from all CPs, click Delete All. Client Detail The Client page shows detailed information about each client connected to the network through a CP. To display the Client page, click System Captive Portal Client Connection Status Client. Figure 9-36.
Figure 9-37. Interface - Client Status Captive Portal Client Status Use the Client Status page to view clients that are authenticated to a specific CP configuration. To display the Client Status page, click System Captive Portal Client Connection Status Client Status. Figure 9-38.
Configuring Captive Portal (CLI) This section provides information about the commands you use to create and configure Captive Portal (CP) settings. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global Captive Portal Settings Use the following commands to configure global CP settings. Command Purpose configure Enter global configuration mode.
Command Purpose CTRL + Z Exit to Privileged Exec mode. show captive-portal [status] View the CP administrative and operational status. Use the status keyword to view additional global CP information and summary information about all configured CP instances. Creating and Configuring a Captive Portal Use the following commands to create a CP instance and configure its settings. Command Purpose configure Enter global configuration mode. captive-portal Enter Captive Portal mode.
Command Purpose user-logout (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is clear or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example by reaching the idle timeout or session timeout values.
Command Purpose block (Optional) Block all traffic for a CP configuration. If the CP is blocked, users cannot gain access to the network through the CP. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks. CTRL + Z Exit to Privileged Exec mode. show captive-portal configuration cp-id [status | interface] View summary information about a CP instance. • cp-id — The CP instance (Range: 1–10).
Command Purpose user group group-id [name name] Configure a group. Each CP that requires authentication has a group associated with it. Only the users who are members of that group can be authenticated if they connect to the CP. • group-id — Group ID (Range: 1–10). • name — Group name (Range: 1–32 characters). user user-id name name Create a new user for the local user authentication database. • user-id — User ID (Range: 1–128). • name — user name (Range: 1–32 characters).
Command: Purpose
clear captive portal users: (Optional) Delete all CP user entries from the local database.
Managing Captive Portal Clients
Use the following commands to view and manage clients that are connected to a CP.
Command: Purpose
show captive-portal configuration [cp-id] client status: Display information about the clients authenticated to all CP configurations or to a specific configuration. cp-id — The CP instance (Range: 1–10).
Captive Portal Configuration Example The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. For legal reasons, visitors and guests must agree to the resort's acceptable use policy to gain network access. Additionally, network access from the conference rooms must be authenticated. The person who rents the conference room space receives a list of username and password combinations upon arrival.
1. If a RADIUS server is selected for authentication, configure the RADIUS server settings on the switch. 2. If authentication is required, configure the user groups to associate with each CP. 3. Create (add) the CPs. 4. Configure the CP settings for each CP, such as the verification mode. 5. Associate interfaces with the CP instances. 6. Download the branding images, such as the company logo, to the switch.
Detailed Configuration Procedures
Use the following steps to perform the CP configuration:
1. Configure the RADIUS server information on the switch. In this example, the RADIUS server IP address is 192.168.2.188, and the RADIUS server group name is luxury-radius.
console#configure
console(config)#radius server 192.168.12.182
console(config-auth-radius)#name luxury-radius
console(config-auth-radius)#exit
2. Configure the CP groups.
console(config-CP 4)#interface te1/0/18
...
console(config-CP 4)#interface te1/0/40
console(config-CP 4)#exit
6. Use the web interface to customize the CP pages that are presented to users when they attempt to connect to the network.
NOTE: CP page customization is supported only through the web interface. For information about customizing the CP pages, see "Customizing a Captive Portal" on page 367.
7. Add the Conference users to the local database.
In Case Of Problems in Captive Portal Deployment When configuring captive portal, many administrators will find that the web browsers or hosts are not able to reach the captive portal web page. This is most often due to network issues as opposed to issues with the captive portal service. When deploying captive portal, first ensure that web clients on the internal network can reach the external network by disabling captive portal entirely and verifying connectivity.
10 Monitoring and Logging System Information
Dell EMC Networking N-Series Switches
This chapter provides information about the features used for monitoring the switch, including logging, cable tests, and email alerting.
Why Is System Information Needed? The information the switch provides can help the switch administrator troubleshoot issues that might be affecting system performance. The cable diagnostics tests help the administrator troubleshoot problems with the physical connections to the switch. Auditing access to the switch and the activities an administrator performed while managing the switch can help provide security and accountability.
What Are the Severity Levels?
The severity of the messages to be logged for each local or remote log file can be specified. Each severity level is identified by a name and a number. Table 10-1 provides information about the severity levels.
Table 10-1. Log Message Severity
Severity Keyword   Severity Level   Description
emergencies        0                The switch is unusable.
alerts             1                Action must be taken immediately.
critical           2                The switch is experiencing critical conditions.
To view the log messages in the system startup and operational log files, the log files must be downloaded to an administrative host. The startup log files are named slogX.txt and the operation log files are named ologX.txt. When enabled, the system stores the startup and operation log files for the last three switch boots.
• Timestamp—This is the system up time. For systems that use SNTP, this is UTC. When time zones are enabled, local time will be used.
• Host IP address or Host Name—This is the IP address of the local system, if known.
• Stack Member—This is the assigned stack member number which originated the message. For the Dell EMC Networking switches, the stack ID number may range from 1 to 12. The number 1 is used for systems without stacking ability.
• Message — Contains the text of the log message.
While RFC 5424 is enabled, the logging output will appear as follows. RFC 5424 may be enabled using the logging protocol command.
<189>1 2013-06-13T23:24:15.652+5:30Z 10.130.185.84 TRAPMGR trapTask traputil.
Default Log Settings System logging is enabled, and messages are sent to the console (severity level: warning and above) and RAM log (severity level: informational and above). Switch auditing is enabled. CLI command logging, Web logging, and SNMP logging are disabled. By default, no messages are sent to the log file that is stored in flash, and no remote log servers are defined. Email alerting is disabled, and no recipient email address is configured. Additionally, no mail server is defined.
Monitoring System Information and Configuring Logging (Web) This section provides information about the OpenManage Switch Administrator pages to use to monitor system information and configure logging on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000E-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Figure 10-2. Stack View For more information about the device view features, see "Understanding the Device View" on page 174.
System Health Use the Health page to view status information about the switch power and ventilation sources. To display the Health page, click System General Health in the navigation panel. Figure 10-3.
System Resources Use the System Resources page to view information about memory usage and task utilization. To display the System Resources page, click System General System Resources in the navigation panel. Figure 10-4.
Unit Power Usage History Use the Unit Power Usage History page to view information about switch power consumption. To display the Unit Power Usage History page, click System General Unit Power Usage History in the navigation panel. Figure 10-5.
Integrated Cable Test for Copper Cables Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred. The tests use Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested.
To view a summary of all integrated cable tests performed, click the Results link.
Figure 10-7. Integrated Cable Test Results
Optical Transceiver Diagnostics
Use the Transceiver Diagnostics page to perform tests on fiber optic cables. To display the Transceiver Diagnostics page, click System Diagnostics Transceiver Diagnostics in the navigation panel.
NOTE: Optical transceiver diagnostics can be performed only when the link is present.
Figure 10-8. Transceiver Diagnostics
To view a summary of all optical transceiver diagnostics tests performed, click the Results link.
Figure 10-9. Transceiver Diagnostics Results
Log Global Settings
Use the Global Settings page to enable logging globally and to enable other types of logging. The severity of messages that are logged to the console, RAM log, and flash-based log file can also be specified.
The Severity table lists log messages from the highest severity (Emergency) to the lowest (Debug). When a severity level is selected, all higher levels are automatically selected. To prevent log messages from being sent to the console, RAM log, or flash log file, clear all check boxes in the Severity column. To display the Global Settings page, click System Logs Global Settings in the navigation panel. Figure 10-10.
Figure 10-11.
Log File
The Log File contains information about specific log entries, including the time the log was entered, the log severity, and a description of the log. To display the Log File, click System Logs Log File in the navigation panel.
Figure 10-12. Log File
SYSLOG Server
Use the Remote Log Server page to view and configure the available SYSLOG servers, to define new SYSLOG servers, and to set the severity of the log events sent to the SYSLOG server.
Figure 10-13. Remote Log Server
Adding a New Remote Log Server
To add a SYSLOG server:
1 Open the Remote Log Server page.
2 Click Add to display the Add Remote Log Server page.
3 Specify the IP address or hostname of the remote server.
4 Define the UDP Port and Description fields.
Figure 10-14. Add Remote Log Server
5 Select the severity of the messages to send to the remote server.
NOTE: When a severity level is selected, all higher (numerically lower) severity levels are automatically selected.
6 Click Apply.
Click the Show All link to view or remove remote log servers configured on the system.
Figure 10-15.
Email Alert Global Configuration
Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts. To display the Email Alert Global Configuration page, click System Email Alerts Email Alert Global Configuration in the navigation panel.
Figure 10-16.
Figure 10-17. Email Alert Mail Server Configuration
Adding a Mail Server
To add a mail server:
1 Open the Email Alert Mail Server Configuration page.
2 Click Add to display the Email Alert Mail Server Add page.
3 Specify the hostname of the mail server.
Figure 10-18. Add Mail Server
4 Click Apply.
5 If desired, click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server.
Figure 10-19. Show All Mail Servers
Email Alert Subject Configuration
Use the Email Alert Subject Configuration page to configure the subject line for email alerts that are sent by the switch. The subject for the message severity and entry status can be customized. To display the Email Alert Subject Configuration page, click System Email Alerts Email Alert Subject Configuration in the navigation panel.
Figure 10-20.
Email Alert To Address Configuration Use the Email Alert To Address Configuration page to specify where the email alerts are sent. Multiple recipients can be configured and different message severity levels can be associated with different recipient addresses. To display the Email Alert To Address Configuration page, click System Email Alerts Email Alert To Address Configuration in the navigation panel. Figure 10-22.
Figure 10-24.
Monitoring System Information and Configuring Logging (CLI) This section provides information about the commands used for configuring features for monitoring on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000E-ON, and N3100-ON Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command / Purpose
test copper-port tdr interface
  Perform the Time Domain Reflectometry (TDR) test to diagnose the quality and characteristics of a copper cable attached to the specified port. SFP, SFP+, and QSFP cables with passive copper assemblies are not capable of performing TDR tests.
  CAUTION: Issuing the test copper-port tdr command will bring the interface down.
  NOTE: To ensure accurate measurements, disable all Green Ethernet modes (EEE and energy-detect mode) on the port before running the test.
Configuring Local Logging
Use the following commands to configure the type of messages that are logged and where the messages are logged locally.
Command / Purpose
configure
  Enter Global Configuration mode.
logging on
  Globally enable logging.
logging audit
  Enable switch auditing.
logging cli-command
  Enable CLI command logging.
logging monitor
  Enable logging to stations other than the console.
logging web-session
  Enable logging of the switch management Web page visits.
Command / Purpose
CTRL + Z
  Exit to Privileged Exec mode.
show logging
  Display the state of logging and the SYSLOG messages stored in the internal buffer.
show logging file
  View information about the flash (persistent) log file.
clear logging
  Clear messages from the logging buffer.

Configuring Remote Logging
Use the following commands to define a remote server to which the switch sends log messages.
Command / Purpose
configure
  Enter Global Configuration mode.
Configuring Mail Server Settings
Use the following commands to configure information about the mail server (SMTP host) on the network that will initially receive the email alerts from the switch and relay them to the correct recipient.
Command / Purpose
configure
  Enter Global Configuration mode.
mail-server ip-address
  Specify the IP address of the SMTP server on the network and enter the configuration mode for the mail server.
Configuring Email Alerts for Log Messages
Use the following commands to configure email alerts so that log messages are sent to the specified address.
Command / Purpose
configure
  Enter Global Configuration mode.
logging email [severity]
  Enable email alerting and determine which non-critical log messages should be emailed. Use logging email with no parameter to enable email logging. Including the severity value sets the lowest severity for which log messages are emailed.
Command / Purpose
logging email test message-type {urgent | non-urgent | both} message-body body
  Send a test email to the configured recipient to verify that the feature is properly configured.
CTRL + Z
  Exit to Privileged Exec mode.
show logging email config
  View the configured settings for email alerts.
show logging email statistics
  View information about the number of emails sent and the time they were sent.
clear logging email statistics
  Clear the email alerting statistics.
Logging Configuration Examples
This section contains the following examples:
• Configuring Local and Remote Logging
• Configuring Email Alerting
Configuring Local and Remote Logging
This example shows how to enable switch auditing and CLI command logging. Log messages with a severity level of Notification (level 5) and above are sent to the RAM (buffered) log. Emergency, Critical, and Alert (level 2) log messages are written to the log file on the flash drive.
4 Verify the remote log server configuration.
console#show syslog-servers

IP/IPv6 Address/Hostname  Port  Severity   Description    Transport Type  Authentication  Certificate Index
------------------------  ----  ---------  -------------  --------------  --------------  -----------------
192.168.2.10              514   debugging  Syslog Server  UDP

5 Verify the local logging configuration and view the log messages stored in the buffer (RAM log).
console#show logging
Logging is enabled
Logging protocol version: 0
Source Interface........
<189> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_netlink.c(551) 11 %% NOTE Unable to add the entry to /etc/iproute2/rt_protos.
<186> Oct 18 07:09:12 0.0.0.0-1 General[fp_main_task]: bootos.c(191) 10 %% CRIT Event(0xaaaaaaaa)
<189> Oct 18 07:09:12 0.0.0.0-1 BSP[fp_main_task]: bootos.c(175) 9 %% NOTE BSP initialization complete, starting switch firmware.
<190> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_crash.c(1297) 8 %% INFO Oldest crashlog (5) will be deleted if another crash happens.
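The log lines above use the switch's legacy framing, and the log message format section earlier in this chapter shows the RFC 5424 framing that the logging protocol command enables. As an added example (not code from the guide or from Dell), the following Python parses both framings, decodes the PRI value into facility and severity, maps the severity to the keywords of Table 10-1, and applies the threshold rule the Global Settings page describes (a selected level receives that level and every numerically lower one). The three legacy lines are copied from the show logging output above; the debug-level line and the RFC 5424 line are constructed, and the interface name Gi1/0/1 in them is a placeholder.

```python
"""Parse Dell N-Series syslog output (legacy and RFC 5424 framing) and apply a
per-destination severity threshold.  Added example, not Dell's code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Severity keywords as the guide's Table 10-1 names them (levels 0-2 are shown
# there; 3-7 are the remaining standard syslog levels, using the keywords the
# guide uses elsewhere, e.g. "debugging").
SEVERITY_KEYWORDS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
KEYWORD_LEVELS = {name: level for level, name in SEVERITY_KEYWORDS.items()}

# Legacy framing: "<PRI> Mon DD hh:mm:ss host-unit COMPONENT[task]: file(line) seq %% TAG text"
LEGACY_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+?)-(?P<unit>\d+) "
    r"(?P<component>\S+)\[(?P<task>[^\]]+)\]: "
    r"(?P<file>\S+)\((?P<line>\d+)\) (?P<seq>\d+) %% (?P<tag>\w+) (?P<text>.*)$"
)
# RFC 5424 framing: "<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]"
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<text>.*))?$"
)


@dataclass
class LogEvent:
    framing: str          # "legacy" or "rfc5424"
    facility: int
    severity: int
    keyword: str          # Table 10-1 keyword for the severity
    host: str
    unit: Optional[int]   # stack member (legacy framing only)
    source: str           # component/task or app/procid
    text: str


def decode_pri(pri: int) -> tuple[int, int]:
    """Split the syslog PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for either framing, or None if the line matches neither."""
    m = RFC5424_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        return LogEvent("rfc5424", facility, severity, SEVERITY_KEYWORDS[severity],
                        m["host"], None, f'{m["app"]}/{m["proc"]}', m["text"] or "")
    m = LEGACY_RE.match(line)
    if m:
        facility, severity = decode_pri(int(m["pri"]))
        return LogEvent("legacy", facility, severity, SEVERITY_KEYWORDS[severity],
                        m["host"], int(m["unit"]), f'{m["component"]}/{m["task"]}', m["text"])
    return None


def accepted(event: LogEvent, threshold: str) -> bool:
    """A destination configured at `threshold` receives that level and every
    higher (numerically lower) severity."""
    return event.severity <= KEYWORD_LEVELS[threshold]


def filter_lines(lines, threshold: str) -> list[LogEvent]:
    """Keep the parsable lines a destination at `threshold` would store."""
    return [ev for ev in map(parse_line, lines) if ev is not None and accepted(ev, threshold)]


SAMPLE_LINES = [
    # Copied from the guide's show logging output (legacy framing).
    "<189> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_netlink.c(551) 11 %% NOTE Unable to add the entry to /etc/iproute2/rt_protos.",
    "<186> Oct 18 07:09:12 0.0.0.0-1 General[fp_main_task]: bootos.c(191) 10 %% CRIT Event(0xaaaaaaaa)",
    "<190> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_crash.c(1297) 8 %% INFO Oldest crashlog (5) will be deleted if another crash happens.",
    # Constructed: a debug-level line (PRI 191 = local7.debug) and an RFC 5424 line.
    "<191> Oct 18 07:09:13 0.0.0.0-1 DHCP[dhcpTask]: dhcp_client.c(88) 12 %% DBG Discover sent on VLAN 1",
    "<189>1 2013-06-13T23:24:15.652Z 10.130.185.84 TRAPMGR trapTask traputil - Link Up: interface Gi1/0/1",
]

if __name__ == "__main__":
    # Default settings from the chapter: console at warnings, RAM log at informational.
    for dest, level in (("console", "warnings"), ("RAM log", "informational")):
        kept = filter_lines(SAMPLE_LINES, level)
        print(f"{dest} ({level}): {len(kept)} of {len(SAMPLE_LINES)} lines")
        for ev in kept:
            print(f"  [{ev.keyword}] {ev.host} unit={ev.unit} {ev.source}: {ev.text}")
```

The PRI values in the output above decode to facility 23 (local7) with severities 5, 2, 5 and 6, which is why a console left at its default of warnings shows only the CRIT line while the RAM log at informational keeps all of them.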
Configuring Email Alerting The commands in this example define the SMTP server to use for sending email alerts. The mail server does not require authentication and uses the standard TCP port for SMTP, port 25, which are the default values. Only Emergency messages (severity level 0) will be sent immediately as individual emails, and messages with a severity of alert, critical, and error (levels 1-3) will be sent in a single email every 120 minutes.
2 Configure the username and password that the switch must use to authenticate with the mail server.
console(Mail-Server)#username switchN3048
console(Mail-Server)#password passwordN3048
console(Mail-Server)#exit
3 Configure emergencies and alerts to be sent immediately, and all other messages to be sent in a single email every 120 minutes.
Email Alert Non Urgent Severity Level.......... 3
Email Alert Trap Severity Level................ 6
Email Alert Notification Period................ 120 min
Email Alert To Address Table:
For Msg Type..........................1
Address1..............................administrator@dell.com
For Msg Type..........................2
Address1..............................administrator@dell.com
Email Alert Subject Table :
For Msg Type 1, subject is............LOG MESSAGES - EMERGENCY
For Msg Type 2, subject is....
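To make the delivery rules of this example concrete, the following Python models them: messages at or above the urgent severity are mailed at once, messages at or above the non-urgent severity are batched and mailed once per notification period, and anything less severe is never mailed. This is an added example, not code from the guide or from Dell; the thresholds (urgent 0, non-urgent 3) and the 120-minute period are the values this example configures, and the event sequence and message texts are constructed.

```python
"""Model the switch's email-alert delivery rules.  Added example, not Dell's code."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AlertEmail:
    msg_type: str          # "urgent" or "non-urgent"
    sent_at: datetime
    lines: list[str]       # log message texts carried in the email body


@dataclass
class EmailAlerter:
    urgent_level: int = 0                          # emergencies only (example text)
    non_urgent_level: int = 3                      # alerts, critical, errors
    period: timedelta = timedelta(minutes=120)     # notification period
    pending: list[str] = field(default_factory=list)
    period_start: Optional[datetime] = None
    sent: list[AlertEmail] = field(default_factory=list)

    def log(self, severity: int, text: str, now: datetime) -> None:
        """Classify one log message by severity (0 is the most severe)."""
        self.tick(now)
        if severity <= self.urgent_level:
            self.sent.append(AlertEmail("urgent", now, [text]))      # sent immediately
        elif severity <= self.non_urgent_level:
            if not self.pending:
                self.period_start = now     # the period starts with the first queued message
            self.pending.append(text)
        # anything less severe than non_urgent_level is not emailed at all

    def tick(self, now: datetime) -> None:
        """Flush the non-urgent batch once the notification period has elapsed."""
        if self.pending and self.period_start is not None and now - self.period_start >= self.period:
            self.sent.append(AlertEmail("non-urgent", now, list(self.pending)))
            self.pending.clear()
            self.period_start = None


def simulate() -> EmailAlerter:
    """Constructed event sequence that exercises each delivery path."""
    t0 = datetime(2013, 6, 13, 23, 24)
    a = EmailAlerter()
    a.log(0, "System unusable: watchdog reset", t0)                        # urgent, mailed at once
    a.log(2, "Event(0xaaaaaaaa)", t0 + timedelta(minutes=1))                # queued
    a.log(3, "PoE overload on port Gi1/0/5", t0 + timedelta(minutes=30))   # queued
    a.log(5, "Link Up: interface Gi1/0/1", t0 + timedelta(minutes=31))     # never mailed
    a.tick(t0 + timedelta(minutes=60))                                      # period not over yet
    a.tick(t0 + timedelta(minutes=121))                                     # batch goes out
    return a


if __name__ == "__main__":
    for mail in simulate().sent:
        print(mail.sent_at.isoformat(), mail.msg_type, mail.lines)
```

Step 3 of this example configures alerts to be sent immediately as well; that variant is EmailAlerter(urgent_level=1), with the same batching for the remaining non-urgent levels.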
11 Managing General System Settings
Dell EMC Networking N-Series Switches
This chapter describes how to set system information, such as the hostname, and time settings, and how to select the Switch Database Management (SDM) template to use on the switch. For PoE-capable switches (a P appears in the model name), this chapter also describes how to configure the Power over Ethernet (PoE) settings.
Table 11-1. System Information (Continued)
Feature        Description
CLI Banner     Displays a message upon connecting to the switch or logging on to the switch by using the CLI.
SDM Template   Determines the maximum resources a switch or router can use for various features. For more information, see "What Are SDM Templates?" on page 433.
The switch can obtain the time from a Simple Network Time Protocol (SNTP) server, or the time can be set manually.
The Banner can provide information about the switch status. For example, if multiple users connect to the switch, the message of the day (MOTD) banner might alert everyone who connects to the switch about a scheduled switch image upgrade. What Are SDM Templates? An SDM template is a description of the maximum resources a switch or router can use for various features.
Table 11-3.
SDM Template Configuration Guidelines When the switch is configured to use an SDM template that is not currently in use, the switch must be reloaded for the configuration to take effect. NOTE: If a unit is attached to a stack and its template does not match the stack's template, then the new unit will automatically reboot using the template used by the management unit. To avoid the automatic reboot, you may first set the template to the template used by the management unit.
Requesting the time from a unicast SNTP server is more secure. Use this method if you know the IP address of the SNTP server on your network. If you allow the switch to receive SNTP broadcasts, any clock synchronization information is accepted, even if it has not been requested by the device. This method is less secure than polling a specified SNTP server. To increase security, authentication can be required between the configured SNTP server and the SNTP client on the switch.
Configuring General System Settings (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring general system settings on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Initiating a Telnet Session from the Web Interface
NOTE: The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions. Initiating this feature from any browser running on a Linux operating system is not supported.
To launch a Telnet session:
1 From the System General System Information page, click the Telnet link.
2 Click the Telnet button.
Figure 11-2. Telnet
3 Select the Telnet client, and click OK.
Figure 11-3.
The selected Telnet client launches and connects to the switch CLI. Figure 11-4.
CLI Banner Use the CLI Banner page to configure a message for the switch to display when a user connects to the switch by using the CLI. Different banners can be configured for various CLI modes and access methods. To display the CLI Banner page, click System General CLI Banner in the navigation panel. Figure 11-5.
SDM Template Preference Use the SDM Template Preference page to view information about template resource settings and to select the template that the switch uses. If a new SDM template is selected for the switch to use, the switch must be rebooted before the template is applied. To display the SDM Template Preference page, click System General SDM Template Preference in the navigation panel. Figure 11-6.
Clock If the switch is not configured to obtain the system time from an SNTP server, the date and time can be manually set on the switch using the Clock page. The Clock page also displays information about the time settings configured on the switch. To display the Clock page, click System Time Synchronization Clock in the navigation panel. Figure 11-7. Clock NOTE: The system time cannot be set manually if the SNTP client is enabled.
SNTP Global Settings Use the SNTP Global Settings page to enable or disable the SNTP client, configure whether and how often the client sends SNTP requests, and determine whether the switch can receive SNTP broadcasts. To display the SNTP Global Settings page, click System Time Synchronization SNTP Global Settings in the navigation panel. Figure 11-8.
SNTP Authentication Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID. NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Figure 11-10. Add Authentication Key
3 Enter a numerical encryption key ID and an authentication key in the appropriate fields.
4 If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box. If the check box is clear, the key is untrusted and cannot be used for authentication.
5 Click Apply. The SNTP authentication key is added, and the device is updated.
To view all configured authentication keys, click the Show All link. The Authentication Key Table displays.
SNTP Server Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers. To display the SNTP Server page, click System Time Synchronization SNTP Server in the navigation panel. If no servers have been configured, the fields in the following image are not displayed. Figure 11-12.
Figure 11-13. Add SNTP Server
3 In the SNTP Server field, enter the IP address or host name for the new SNTP server.
4 Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS).
5 If authentication is required between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use. To define a new encryption key, see "Adding an SNTP Authentication Key" on page 445.
To view all configured SNTP servers, click the Show All link. The SNTP Server Table displays. The SNTP Server Table page can also be used to remove or edit existing SNTP servers. Figure 11-14.
Summer Time Configuration Use the Summer Time Configuration page to configure summer time (daylight saving time) settings. To display the Summer Time Configuration page, click System Time Synchronization Summer Time Configuration in the navigation panel. Figure 11-15. Summer Time Configuration NOTE: The fields on the Summer Time Configuration page change when the Recurring check box is selected or cleared.
Time Zone Configuration Use the Time Zone Configuration to configure time zone information, including the amount time the local time is offset from UTC and the acronym that represents the local time zone. To display the Time Zone Configuration page, click System Time Synchronization Time Zone Configuration in the navigation panel. Figure 11-16.
Card Configuration Use the Card Configuration page to control the administrative status of the rear-panel expansion slots (Slot 1 or Slot 2), if present, and to configure the plug-in module to use in the slot. To display the Card Configuration page, click Switching Slots Card Configuration in the navigation panel. Figure 11-17.
Slot Summary Use the Slot Summary page to view information about the expansion slot status. To display the Slot Summary page, click Switching Slots Summary in the navigation panel. Figure 11-18.
Supported Cards Use the Supported Cards page to view information about the supported plug-in modules for the switch. To display the Supported Cards page, click Switching Slots Supported Cards in the navigation panel. Figure 11-19.
Power Over Ethernet Global Configuration (Dell EMC Networking N1108P-ON/N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON, N2224PX-ON, N2248PX-ON, and N3024P/N3048P/N3132PX-ON Only) Use the PoE Global Configuration page to configure the PoE settings for the switch. To display the PoE Global Configuration page, click System General Power over Ethernet Global Configuration in the navigation panel. Figure 11-20.
Power Over Ethernet Unit Configuration (Dell EMC Networking N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON, N2224PX-ON/N2248PX-ON, and N3024P/N3048P/N3132PX-ON Only) Use the PoE Unit Configuration page to configure the PoE settings for switch stack members. This page is not available on the N1108P-ON switch because it does not support stacking. To display the PoE Unit Configuration page, click System General Power over Ethernet Unit Configuration in the navigation panel. Figure 11-21.
Power Over Ethernet Interface Configuration (Dell EMC Networking N1108P-ON/N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON, N2224PX-ON/N2248PX-ON, and N3024P/N3048P/N3132PX-ON Only) Use the PoE Interface Configuration page to configure the per-port PoE settings. This page also provides access to the PoE Counters table and PoE Port Table. The PoE Port table allows viewing and configuring PoE settings for multiple ports on the same page.
To view PoE statistics for each port, click Counters.
Figure 10-23. PoE Counters Table
To view the PoE Port Table, click Show All.
Figure 10-24. PoE Port Table
If you change any settings for one or more ports on the PoE Port Table page, click Apply to update the switch with the new settings.
Configuring System Settings (CLI) This section provides information about the commands used for configuring system information and time settings on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring the Banner
Use the following commands to configure the MOTD, login, or User Exec banner. The switch supports the following banner messages:
• MOTD—Displays when a user connects to the switch.
• Login—Displays after the MOTD banner and before the login prompt.
• Exec—Displays immediately after the user logs on to the switch.
Command / Purpose
configure
  Enter Global Configuration mode.
Managing the SDM Template
Use the following commands to set the SDM template preference and to view information about the available SDM templates.
Command / Purpose
configure
  Enter Global Configuration mode.
sdm prefer {dual-ipv4-and-ipv6 default | ipv4-routing {data-center | default}}
  Select the SDM template to apply to the switch after the next boot.
CTRL + Z
  Exit to Privileged Exec mode.
show sdm prefer [template]
  View information about the SDM template the switch is currently using.
Command / Purpose
sntp trusted-key key_id
  Specify the authentication key the SNTP server must include in SNTP packets that it sends to the switch. The key_id number must be an encryption key ID defined in the previous step.
sntp authenticate
  Require authentication for communication with the SNTP server. A trusted key must be configured before this command is executed.
sntp server {ip_address |
  Define the SNTP server.
Setting the System Time and Date Manually
Use the following commands to configure the time and date, time zone, and summer time settings.
Command / Purpose
clock set {hh:mm:ss} | {mm/dd/yyyy}
  Configure the time and date. Enter the time first and then the date, or the date and then the time.
  • hh:mm:ss — Time in hours (24-hour format, from 01-24), minutes (00-59), and seconds (00-59).
  • mm/dd/yyyy — Two-digit month (1-12), two-digit date of the month (01-31), and four-digit year.
Command / Purpose
clock summer-time date {date month | month date} year hh:mm {date month | month date} year hh:mm [offset offset] [zone acronym]
  Use this command if the summer time does not start and end every year according to a recurring pattern. Enter the month and then the date, or the date and then the month.
  • date — Day of the month. (Range: 1-31.)
  • month — Month. (Range: The first three letters by name.)
  • hh:mm — Time in 24-hour format in hours and minutes.
Viewing Slot Information
Use the following commands to view information about Slot 0 and its support.
Command / Purpose
show slot
  Display status information about the expansion slots.
show supported cardtype
  Display information about the modules the switch supports.
Command / Purpose
power inline detection [unit unit-id] {dot3at | dot3at+legacy-only | dot3bt | dot3bt+legacy}
  Set the power-management mode for the switch or the specified stack unit.
  • dot3at—IEEE 802.3at detection scheme is used.
  • dot3at+legacy-only—IEEE 802.3at 4-point detection scheme is used and, when it fails to detect a connected PD, legacy capacitive detection is used.
  • dot3bt—IEEE 802.3bt detection scheme is used. N2200PX-ON switch only.
  • dot3bt+legacy—A modified IEEE 802.
General System Settings Configuration Examples
This section contains the following examples:
• Configuring System and Banner Information
• Configuring SNTP
• Configuring the Time Manually
Configuring System and Banner Information
In this example, an administrator configures the following system information:
• System name: N2048
• System contact: Jane Doe
• System location: RTP100
• Asset tag: 006429
The administrator then configures the MOTD banner to alert other switch administrators of the c
System Location: RTP100
Burned In MAC Address: 001E.C9AA.AA07
System Object ID: 1.3.6.1.4.1.674.10895.3035
System Model ID: N2048
Machine Type: Dell EMC Networking N2048

Temperature Sensors:
Unit  Temperature (Celsius)  Status
----  ---------------------  ------
1     43                     OK

Power Supplies:
Unit  Description  Status  Source
----  -----------  ------  ------
1     Main         OK      AC
1     Secondary    Error   DC

5 View additional information about the system.
Figure 11-25.
Configuring SNTP The commands in this example configure the switch to poll an SNTP server to synchronize the time. Additionally, the SNTP sessions between the client and server must be authenticated. To configure the switch: 1 Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.
4 View the SNTP status on the switch.
console#show sntp status
Client Mode:       Unicast
Last Update Time:  MAR 01 09:12:43 2010

Unicast servers:
Server           Status        Last response
---------------  ------------  --------------------
192.168.10.
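What the authentication configured in this example buys is illustrated by the following Python, an added example that is not code from the guide or from Dell: a server reply is accepted only when it carries a MAC made with a key whose ID is in the trusted-key set (the sntp trusted-key and sntp authenticate commands), an unauthenticated reply is accepted only when authentication is not required (the broadcast case the chapter calls less secure), and a reply whose timestamp has been altered in transit fails the digest check. The MAC layout assumed here is the RFC 5905 symmetric-key scheme (4-byte key ID followed by MD5 over key and 48-byte header); the guide does not state which digest the switch uses, so that is an assumption. Key IDs, key values and the timestamp are constructed.

```python
"""SNTP reply verification with trusted keys.  Added example, not Dell's code.
Assumes the RFC 5905 symmetric-key MAC (key ID + MD5(key || header))."""
from __future__ import annotations

import hashlib
import hmac
import struct
from typing import Optional

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01
MAC_LEN = 4 + 16                # key ID + MD5 digest


def build_sntp_response(key_id: Optional[int], key: Optional[bytes],
                        unix_time: int = 1372116255) -> bytes:
    """Server side: a mode-4 reply with the transmit timestamp set, plus a MAC
    when a key is given (an unauthenticated or broadcast reply carries none)."""
    header = bytearray(NTP_HEADER_LEN)
    header[0] = (0 << 6) | (4 << 3) | 4                  # LI=0, VN=4, Mode=4 (server)
    header[1] = 2                                         # stratum 2
    struct.pack_into("!II", header, 40, unix_time + NTP_EPOCH_OFFSET, 0)   # transmit timestamp
    if key_id is None or key is None:
        return bytes(header)
    digest = hashlib.md5(key + bytes(header)).digest()
    return bytes(header) + struct.pack("!I", key_id) + digest


def verify_sntp_response(packet: bytes, keys: dict[int, bytes], trusted_ids: set[int],
                         authenticate: bool = True) -> tuple[bool, str]:
    """Client side: `keys` mirrors the configured authentication keys, `trusted_ids`
    the trusted-key set, and `authenticate` whether authentication is required."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "rejected: packet shorter than NTP header"
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not mac:
        if authenticate:
            return False, "rejected: authentication required but no MAC present"
        return True, "accepted without authentication (any source is trusted)"
    if len(mac) != MAC_LEN:
        return False, "rejected: unexpected MAC length"
    key_id = struct.unpack("!I", mac[:4])[0]
    if key_id not in trusted_ids:
        return False, f"rejected: key ID {key_id} is not a trusted key"
    key = keys.get(key_id)
    if key is None:
        return False, f"rejected: no key configured for ID {key_id}"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, mac[4:]):
        return False, "rejected: digest mismatch (wrong key or altered packet)"
    return True, f"accepted: authenticated with trusted key {key_id}"


def transmit_time(packet: bytes) -> int:
    """Unix time carried in the reply's transmit timestamp."""
    return struct.unpack_from("!I", packet, 40)[0] - NTP_EPOCH_OFFSET


# Constructed key material: ID 10 is trusted, ID 11 is configured but not trusted.
KEYS = {10: b"constructed-key-ten", 11: b"constructed-key-eleven"}
TRUSTED = {10}


def demo() -> dict[str, bool]:
    """Outcome of each case the chapter describes."""
    good = build_sntp_response(10, KEYS[10])
    untrusted = build_sntp_response(11, KEYS[11])
    altered = bytearray(good)
    altered[40] ^= 0x80                      # flip a bit of the transmit timestamp in transit
    broadcast = build_sntp_response(None, None)
    return {
        "trusted_key": verify_sntp_response(good, KEYS, TRUSTED)[0],
        "untrusted_key": verify_sntp_response(untrusted, KEYS, TRUSTED)[0],
        "altered_timestamp": verify_sntp_response(bytes(altered), KEYS, TRUSTED)[0],
        "broadcast_with_auth": verify_sntp_response(broadcast, KEYS, TRUSTED)[0],
        "broadcast_without_auth": verify_sntp_response(broadcast, KEYS, TRUSTED, authenticate=False)[0],
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'accepted' if ok else 'rejected'}")
```

The untrusted-key case is the one the Add Authentication Key steps describe: a key that exists but has the Trusted Key box clear cannot authenticate a server, even though the digest itself would verify.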
Configuring the Time Manually
The commands in this example manually set the system time and date. The time zone is set to Eastern Standard Time (EST), which has an offset of -5 hours. Summer time is enabled and uses the preconfigured United States settings. To configure the switch:
1 Configure the time zone offset and acronym.
console#configure
console(config)#clock timezone -5 zone EST
2 Configure the summer time (daylight saving time) to use the preconfigured settings for the United States.
12 SNMP
Dell EMC Networking N-Series Switches
The topics covered in this chapter include:
• SNMP Overview
• Default SNMP Values
• Configuring SNMP (Web)
• Configuring SNMP (CLI)
• SNMP Configuration Examples
SNMP Overview
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The Dell EMC Networking N-Series switches support SNMP version 1, SNMP version 2, and SNMP version 3. Dell EMC Networking switches support SNMP over both IPv4 and IPv6.
The SNMP agent maintains a list of variables that are used to manage the switch. The variables are defined in the MIB. The MIB presents the variables controlled by the agent. The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agent are controlled by access strings. SNMP v3 also applies access control and a new traps mechanism to SNMPv1 and SNMPv2 PDUs.
Various features can be configured on the switch to generate SNMP traps that inform the NMS about events or problems that occur on the switch. Traps generated by the switch can also be viewed locally by using the web-based interface or CLI.

Why Is SNMP Needed?

Some network administrators prefer to use SNMP as the switch management interface. Settings that you view and configure by using the web-based Dell EMC OpenManage Switch Administrator and the CLI are also available by using SNMP.
Table 12-1. SNMP Defaults

Parameter              Default Value
QoS traps              Enabled
Multicast traps        Disabled
Captive Portal traps   Disabled
OSPF traps             Disabled

Table 12-2 describes the two views that are defined by default.

Table 12-2. SNMP Default Views

View Name      OID Subtree          View Type
Default        iso                  Included
               snmpVacmMIB          Excluded
               usmUser              Excluded
               snmpCommunityTable   Excluded
DefaultSuper   iso                  Included

By default, three groups are defined. Table 12-3 describes the groups.
Configuring SNMP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
SNMP View Settings

Use the SNMP View Settings page to create views that define which features of the device are accessible and which are blocked. A view can be created that includes or excludes OIDs corresponding to interfaces. To display the View Settings page, click System > SNMP > View Settings in the navigation panel.

Figure 12-2. SNMP View Settings

Adding an SNMP View

To add a view:
1 Open the View Settings page.
2 Click Add.
Figure 12-3. Add View

3 Specify a name for the view and a valid SNMP OID string.
4 Select the view type.
5 Click Apply.

The SNMP view is added, and the device is updated. Click Show All to view information about configured SNMP Views.
Access Control Group

Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects. To display the Access Control Group page, click System > SNMP > Access Control in the navigation panel.

Figure 12-4. SNMP Access Control Group

Adding an SNMP Group

To add a group:
1 Open the Access Control Configuration page.
2 Click Add.
Figure 12-5. Add Access Control Group

3 Specify a name for the group.
4 Select a security model and level.
5 Define the context prefix and the operation.
6 Click Apply to update the switch.

Click Show All to view information about existing access control configurations.
SNMPv3 User Security Model (USM)

Use the User Security Model page to assign system users to SNMP groups and to define the user authentication method.

NOTE: The Local User Database page under Management Security can also be used for configuring SNMPv3 settings for users. For more information, see "Authentication, Authorization, and Accounting" on page 253.

To display the User Security Model page, click System > SNMP > User Security Model in the navigation panel.

Figure 12-6.
Figure 12-7. Add Local Users

3 Define the relevant fields.
4 Click Apply to update the switch.

Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.

Adding Remote SNMPv3 Users to a USM

To add remote users:
1 Open the SNMPv3 User Security Model page.
2 Click Add Remote User.
Figure 12-8. Add Remote Users

3 Define the relevant fields.
4 Click Apply to update the switch.

Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Communities

Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page. When the community names are changed, access rights are also changed. SNMP Communities are defined only for SNMP v1 and SNMP v2. To display the Communities page, click System > SNMP > Communities in the navigation panel.

Figure 12-9. SNMP Communities

Adding SNMP Communities

To add a community:
1 Open the Communities page.
2 Click Add.
Figure 12-10. Add SNMPv1,2 Community

3 Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch.
4 Select the access mode.
5 Click Apply to update the switch.

Click Show All to view the communities that have already been configured.
Notification Filter

Use the Notification Filter page to set filtering traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications. To display the Notification Filter page, click System > SNMP > Notification Filters in the navigation panel.

Figure 12-11. SNMP Notification Filter

Adding a Notification Filter

To add a filter:
1 Open the Notification Filter page.
2 Click Add. The Add Filter page displays:

Figure 12-12.
3 Specify the name of the filter and the OID for the filter.
4 Choose whether to send (include) traps or informs to the trap recipient or prevent the switch from sending (exclude) the traps or informs.
5 Click Apply to update the switch.

Click Show All to view information about the filters that have already been configured.

Notification Recipients

Use the Notification Recipients page to view information for defining filters that determine whether traps are sent to specific users, and the trap type sent.
Figure 12-13. SNMP Notification Recipient

Adding a Notification Recipient

To add a recipient:
1 Open the Notification Recipient page.
2 Click Add.
Figure 12-14. Add Notification Recipient

3 Specify the IP address or hostname of the host to receive notifications.
4 Select whether to send traps or informs to the specified recipient.
5 Define the relevant fields for the SNMP version you use.
6 Configure information about the port on the recipient.
7 Click Apply to update the switch.

Click Show All to view information about the recipients that have already been configured.
To access the Trap Flags page, click Statistics/RMON > Trap Manager > Trap Flags in the navigation panel.

Figure 12-15. Trap Flags

OSPFv2 Trap Flags

The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
Figure 12-16. OSPFv2 Trap Flags

OSPFv3 Trap Flags

The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log. To access the OSPFv3 Trap Flags page, click Statistics/RMON > Trap Manager > OSPFv3 Trap Flags in the navigation panel.
Figure 12-17. OSPFv3 Trap Flags

Trap Log

The Trap Log page is used to view entries that have been written to the trap log. To access the Trap Log page, click Statistics/RMON > Trap Manager > Trap Log in the navigation panel.
Figure 12-18. Trap Logs

Click Clear to delete all entries from the trap log.
Configuring SNMP (CLI)

This section provides information about the commands you use to manage and view SNMP features on the switch. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.

Configuring the SNMPv3 Engine ID

To use SNMPv3, the switch must have an engine ID configured.
Command: snmp-server engineID local {engineid-string | default}
Purpose: Configure the SNMPv3 Engine ID.
• engineid-string — The character string that identifies the engine ID. The engine ID is a concatenated hexadecimal string. Each byte in the character string consists of two hexadecimal digits. Each byte can be separated by a period or colon. (Range: 6-32 characters)
• default — The engineID is created automatically, based on the device MAC address.

Command: exit
Purpose: Exit to Privileged Exec mode.
Command: snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify view-name]} [context view-name] [read view-name] [write view-name]
Purpose: Specify the identity string of the receiver and set the receiver timeout value.
• groupname — Specifies the name of the group. (Range: 1-30 characters.)
• v1 — Indicates the SNMP Version 1 security model.
• v2 — Indicates the SNMP Version 2 security model.
• v3 — Indicates the SNMP Version 3 security model.
Command: snmp-server user username groupname [remote engineid-string] [{auth-md5 password | auth-sha password | auth-md5-key md5-key | auth-sha
Purpose: Configure a new SNMPv3 user.
• username — Specifies the name of the user on the host that connects to the agent. (Range: 1-32 characters.)
• groupname — Specifies the name of the group to which the user belongs. (Range: 1-32 characters.)
• engineid-string — Specifies the engine ID of the remote SNMP entity to which the user belongs.
Command: show snmp group [group_name]
Purpose: View SNMP group configuration information.

Command: show snmp user [user_name]
Purpose: View SNMP user configuration information.

Configuring Communities

Use the following commands to configure access rights for SNMPv1 and SNMPv2.

Command: configure
Purpose: Enter Global Configuration mode.

Command: snmp-server community
Purpose: Configure the community string and specify access criteria for the community.
Command: snmp-server community-group community-string group-name [ipaddress ip-address ipmask]
Purpose: Map the internal security name for SNMP v1 and SNMP v2 security models to the group name.
• community-string — Community string that acts like a password and permits access to the SNMP protocol. (Range: 1-20 characters)
• group-name — Name of a previously defined group. The group defines the objects available to the community.
Configuring SNMP Notifications (Traps and Informs)

Use the following commands to allow the switch to send SNMP traps and to configure which traps are sent.

Command: configure
Purpose: Enter Global Configuration mode.

Command: snmp-server enable traps [acl | all | auto-copy-sw | bgp state-changes limited | buffers | captive-portal cp-type | cpu | dot1q | dvrmp | link | portsecurity
Purpose: Specify the traps to enable. The captive portal, OSPF and OSPFv3 traps include several different traps that can be enabled.
Command: snmp-server host host-addr [informs [timeout seconds] [retries retries] | traps version {1 | 2}]] community-string [udp
Purpose: For SNMPv1 and SNMPv2, identify the system to receive SNMP traps or informs.
• host-addr — Specifies the IP address of the host (targeted recipient) or the name of the host. (Range: 1-158 characters.)
Command: snmp-server v3-host {ipaddress | hostname} username {traps | informs} [noauth | auth | priv] [timeout seconds] [retries retries] [udpport port] [filter filtername]
Purpose: For SNMPv3, identify the system to receive SNMP traps or informs.
• ip-address — Specifies the IP address of the host (targeted recipient).
• hostname — Specifies the name of the host. (Range: 1-158 characters.)
• username — Specifies the user name used to generate the notification. (Range: 1-25 characters.
SNMP Configuration Examples

This section contains the following examples:
• Configuring SNMPv1 and SNMPv2
• Configuring SNMPv3

Configuring SNMPv1 and SNMPv2

This example shows how to complete a basic SNMPv1/v2 configuration. The commands enable read-only access from any host to all objects on the switch using the community string public, and enable read-write access from any host to all objects on the switch using the community string private.
Community-String   Group Name     IP Address   IP Mask
----------------   ------------   ----------   -------
private            DefaultWrite   All          All
public             DefaultRead    All          All

Traps are enabled.
Authentication trap is enabled.
read-write MIB access privileges are configured individually, and are then combined into a community-group which is configured for subnet 10.85.234.0/24.

NOTE: The community name may need to be escaped if attempting to use it in a shell environment with tools like snmpstatus or snmpwalk.

1 Create a view with write access to the private MIB.

console#configure
console(config)#snmp-server view MyWriteView private included

2 Create a view with read access to the entire SNMP MIB except the community table.
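The access decision the two SNMPv1/v2 examples above configure (community string, optional source subnet, group, then the group's view), as an added example that is not Dell's code. The public and private rows mirror the show snmp output above, the view rows mirror Table 12-2 with the standard OIDs for those subtrees, the view assignments of DefaultRead and DefaultWrite are assumed (Table 12-3 is not on this page), and the ops-rw community and all source addresses are constructed.

```python
"""SNMPv1/v2c access decision modelled on the switch's community, group and
view tables (added example, not Dell code). The Default view excludes the
VACM, USM and community tables, so a read-only poller cannot enumerate
users or community strings over SNMP itself.
"""
import ipaddress

# Standard OIDs behind the subtree names used in Table 12-2.
OID = {
    "iso": "1",
    "snmpVacmMIB": "1.3.6.1.6.3.16",
    "usmUser": "1.3.6.1.6.3.15.1.2",
    "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",
}

# view name -> [(subtree OID, included?)], as in Table 12-2.
VIEWS = {
    "Default": [(OID["iso"], True), (OID["snmpVacmMIB"], False),
                (OID["usmUser"], False), (OID["snmpCommunityTable"], False)],
    "DefaultSuper": [(OID["iso"], True)],
}

# group name -> (read view, write view). Assumed assignments for the two
# built-in groups that public and private map to in the basic example.
GROUPS = {
    "DefaultRead": ("Default", None),
    "DefaultWrite": ("Default", "Default"),
}

# community string -> (group, ip, mask); "All" means any source address.
COMMUNITIES = {
    "public": ("DefaultRead", "All", "All"),
    "private": ("DefaultWrite", "All", "All"),
    # constructed: a write community restricted to 10.85.234.0/24, the way
    # the second example scopes its community-group to that subnet
    "ops-rw": ("DefaultWrite", "10.85.234.0", "255.255.255.0"),
}


def _oid_tuple(oid):
    return tuple(int(x) for x in oid.strip(".").split("."))


def oid_in_view(view, oid):
    """VACM rule: the longest matching subtree decides include/exclude;
    an OID under no configured subtree is outside the view."""
    target = _oid_tuple(oid)
    best = None  # (prefix length, included?)
    for subtree, included in VIEWS[view]:
        sub = _oid_tuple(subtree)
        if target[:len(sub)] == sub and (best is None or len(sub) > best[0]):
            best = (len(sub), included)
    return best is not None and best[1]


def community_group(community, source_ip):
    """Group granted to source_ip using community, or None if rejected."""
    entry = COMMUNITIES.get(community)
    if entry is None:
        return None
    group, ip, mask = entry
    if ip != "All":
        net = ipaddress.IPv4Network((ip, mask), strict=False)
        if ipaddress.IPv4Address(source_ip) not in net:
            return None
    return group


def check_access(community, source_ip, oid, write=False):
    """True if community, source subnet and the group's view allow the op."""
    group = community_group(community, source_ip)
    if group is None:
        return False
    read_view, write_view = GROUPS[group]
    view = write_view if write else read_view
    return view is not None and oid_in_view(view, oid)
```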
console(config)#snmp-server group group_snmpv3 v3 auth read view_snmpv3 write view_snmpv3

3 Create the user admin, assign the user to the group, and specify the authentication credentials.

console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey

4 Specify the IP address of the host where traps are to be sent. Packet authentication using MD5-SHA is enabled for the traps.

console(config)#snmp-server v3-host 192.168.3.
Version 3 notifications

Target Addr.   Type   Username   Security   UDP    Filter   TO    Retries
                                 Level      Port   Name     Sec
------------   ----   --------   --------   ----   ------   ---   -------
192.168.3.35   Trap   admin      Auth-NoP   162             15    3

System Contact:
System Location:
Source Interface:
SNMP trap Client Source Interface..............
Name    Group Name     Auth Meth   Priv Meth   Remote Engine ID
-----   ------------   ---------   ---------   ----------------------
admin   group_snmpv3   MD5                     800002a203001ec9aaaa07
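A parser for the engine ID string format accepted by snmp-server engineID local (pairs of hex digits, optionally separated by periods or colons, 6-32 characters) and a decoder for the MAC-derived default, applied to the 800002a203001ec9aaaa07 value in the show snmp user output above. Added example, not Dell code; the RFC 3411 layout and the IANA enterprise number 674 (assigned to Dell) are standard facts, the rest is assumed helper code.

```python
"""Parse and decode a Dell N-Series SNMPv3 engine ID (added example, not
Dell code). A MAC-derived default ID is sent in clear in every SNMPv3
discovery exchange, so decoding it shows exactly what a listener learns.
"""
import re

# RFC 3411 SnmpEngineID format byte (octet 5) when the high bit of octet 1
# is set; 3 is the MAC-address form the switch's default uses.
FORMAT_NAMES = {1: "IPv4", 2: "IPv6", 3: "MAC", 4: "text", 5: "octets"}


def parse_engine_id(text):
    """Normalise an engine ID string to bytes; raise ValueError if invalid."""
    cleaned = text.replace(".", "").replace(":", "")
    if not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("engine ID must be hexadecimal")
    if len(cleaned) % 2:
        raise ValueError("engine ID must be whole bytes (two hex digits each)")
    if not 6 <= len(cleaned) <= 32:
        raise ValueError("engine ID must be 6-32 hex characters")
    return bytes.fromhex(cleaned)


def decode_engine_id(raw):
    """Describe an engine ID: enterprise number and, for RFC 3411 IDs, the
    format byte and the identifying data (MAC, IPv4 or text)."""
    info = {"hex": raw.hex(), "rfc3411": bool(raw[0] & 0x80)}
    if len(raw) < 4:
        return info  # too short to carry an enterprise number
    info["enterprise"] = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
    if not info["rfc3411"] or len(raw) < 5:
        return info
    fmt = raw[4]
    info["format"] = FORMAT_NAMES.get(fmt, "reserved")
    body = raw[5:]
    if fmt == 3 and len(body) == 6:
        info["mac"] = ":".join(f"{b:02x}" for b in body)
    elif fmt == 1 and len(body) == 4:
        info["ipv4"] = ".".join(str(b) for b in body)
    elif fmt == 4:
        info["text"] = body.decode("ascii", "replace")
    return info
```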
13 Images and File Management

This chapter describes how to upload, download, and copy files, such as firmware images and configuration files, on the switch.
Table 13-1. Files to Manage

File             Action                   Description
image            Download, Upload, Copy   Firmware for the switch. The switch can maintain two images: the active image and the backup image.
startup-config   Download, Upload, Copy   Contains the software configuration that loads during the boot process.
running-config   Download, Upload, Copy   Contains the current switch configuration. This file may be loaded by the stack standby unit during master failover.
Table 13-1. Files to Manage (continued)

File: SSH certificate files (Not supported on Dell EMC Networking N1500 switches)
Action: Download
Description: Contains information to encrypt, authenticate, and validate HTTPS sessions. The switch supports the following files for SSL:
• SSL Trusted Root (or Intermediary) Certificate File (PEM Encoded) [CA.pem]
• SSH Server Certificate File (PEM Encoded) [ssl_cert.pem]
• SSH Diffie-Hellman Weak Encryption Key File (PEM Encoded) [sslt_key.
Advvv.stk
AdvLitev.stk

The Dell EMC Networking N-Series firmware releases for mixed stacking environments are named as follows:
• N2000N2100Stdv.itb - N2000/N2100 mixed stack firmware
• N3000E-ONN3100Advv.itb - N3000E-ON/N3100-ON mixed stack firmware

Where the switch name is:
• N3100 — Dell EMC Networking N3100-ON Series switch firmware for N3132PX-ON.
Version number   Description
                 Denotes the build number.
                 Denotes a scheduled maintenance release of the firmware.
                 Denotes a minor release of the firmware.
                 Denotes a major release of the firmware.

• Major release numbers start at 6.
• Minor release numbers start at 0.
• Maintenance release numbers start at 0.
• Web release build numbers start at 1. A build number of 0 indicates a factory build, which should be upgraded using a web release build from www.dell.com/support.

Examples:
• N1500v6.2.5.0.
Configuration scripts, which are text files that contain CLI commands, can also be created.

NOTE: You must use the CLI to manage configuration scripts. The configuration scripting feature is not available from the web interface.

When you apply (run) a configuration script on the switch, the commands in the script are executed in the order in which they are written as if you were typing them into the CLI. The commands that are executed in the configuration script are added to the running-config file.
• SFTP
• SCP
• FTP
• HTTP (Web only)
• HTTPS (Web only)

Files can also be copied between the file system on the internal flash and a USB flash drive that is connected to the external USB port.

NOTE: The use of SFTP, SCP or HTTPS may require RSA/DSA keys to be generated prior to use.
switch. The PHY firmware may be updated to the firmware version supported by the switch firmware during the boot process or, in the case of switches that support the hot swap of cards, when the card is inserted into the switch.

Editing and Downloading Configuration Files

Each configuration file contains a list of executable CLI commands. The commands must be complete and in a logical order, as if you were entering them by using the switch CLI.
line, and all input following this character to the end of the line is ignored. Any line in the file that begins with the “!” character is recognized as a comment line and ignored by the parser.
Managing Files on a Stack Image files downloaded to the master unit of a stack are automatically downloaded to all stack members. If you activate the backup image on the master, it is activated on all units as well so that when you reload the stack, all units use the same image. The running-config, startup-config, and backup-config files, as well as all keys and certificates are synchronized across the stack when the running-config file is saved to the startup-config file.
Managing Images and Files (Web)

This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

File System

Use the File System page to view a list of the files on the device and to modify the image file descriptions.
Active Images

Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch. On the Dell EMC Networking N-Series switches, the images are named active and backup. To display the Active Images page, click System > File Management > Active Images in the navigation panel.

Figure 13-2.
USB Flash Drive Use the USB Flash Drive page to view information about a USB flash drive connected to the USB port on the front panel of the switch. The page also displays information about the files stored on the USB flash drive. A USB flash drive must be un-mounted by the operator before removing it from the switch. If a new USB flash drive is installed without un-mounting the previous drive, the new flash drive may not be recognized.
File Download

Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII) files from a remote server to the switch. To display the File Download page, click System > File Management > File Download in the navigation panel.

Figure 13-4. File Download

Downloading Files

To download a file to the switch:
1 Open the File Download page.
2 Select the type of file to download to the switch.
3 Select the transfer mode.
4 To download using HTTP, click Choose Files and select the file to download, then click Apply.
5 To download using any method other than HTTP, enter the IP address of the server that contains the file to download, the name of the file and the path on the server where it is located. For SFTP and SCP, provide the user name and password.
6 Click Apply to begin the download.
File Upload

Use the File Upload: Detail page to upload configuration (ASCII), image (binary), IAS user, operational log, and startup log files from the switch to a remote server. To display the File Upload: Detail page, click System > File Management > File Upload in the navigation panel.

Figure 13-6. File Upload

Uploading Files

To upload a file from the switch to a remote system:
1 Open the File Upload page.
2 Select the type of file to download to the remote server.
3 Select the transfer mode.
4 To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file.

Figure 13-7. File Upload

5 To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file. For SFTP and SCP, provide the user name and password.
6 Click Apply to begin the upload.

NOTE: For some file uploads and methods, the page refreshes and a transfer status field appears to indicate the number of bytes transferred.
Copy Files

Use the Copy Files page to:
• Copy the active firmware image to one or all members of a stack.
• Copy the running, startup, or backup configuration file to the startup or backup configuration file.
• Restore the running configuration to the factory default settings.

To display the Copy Files page, click System > File Management > Copy Files in the navigation panel.

Figure 13-8.
Managing Images and Files (CLI)

This section provides information about the commands you use to upload, download, and copy files to and from the Dell EMC Networking N-Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. It also describes the commands that control the Auto Configuration feature.
Downloading and Activating a New Image (TFTP)

Use the following commands to download a new firmware image to the switch and to make it the active image. This example shows how to use TFTP to download the image.

Command: copy tftp://{ip-address|hostname}/path/filename {active | backup}
Purpose: Use TFTP to download the firmware image at the specified source to the non-active image. If the image file is in the TFTP file system root (download path), you do not need to specify the path in the command.
Managing Files in Internal Flash

Use the following commands to copy, rename, delete and list the files in the internal flash.

Command: dir [filepath]
Purpose: List the files in the flash file system.

Command: copy flash://filename usb://filename
Purpose: Copy a file from the internal flash to a USB flash drive. Use the dir command to see a list of the files that can be copied from the internal flash. Make sure a flash drive has been inserted in the USB port on the front panel before executing the command.
Managing Files on a USB Flash Device Use the following commands to manage files that are on a USB device that is plugged into the USB flash port on the front panel of the switch.
Uploading a Configuration File (SCP)

Use the following commands to upload a configuration file from the switch to a remote system by using SCP.

Command: copy file scp://user@{ip-
Purpose: Copy a file from the switch using SCP.
Managing Configuration Scripts (SFTP)

Use the following commands to download a configuration script from a remote system to the switch, validate the script, and activate it.

NOTE: The startup-config and backup-config files are essentially configuration scripts and can be validated and applied by using the commands in this section.

Command: copy sftp://user@{ipaddress|hostname}/path
Purpose: Downloads the specified script from the remote server to the switch.
SCP Server

The switch supports an SCP server that allows file transfers to be initiated remotely. The SCP server is capable of accepting pushed files from an external host over the in-band or out-of-band interface. The SCP server shares the key and certificate configuration with the SSH server. To configure security/passwords for the SCP server, follow the same steps as for configuring security/passwords for the SSH server and additionally enable the SCP server.
File and Image Management Configuration Examples

This section contains the following examples:
• Upgrading the Firmware
• Managing Configuration Scripts

Upgrading the Firmware

This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system.
• TFTP server IP address: 10.27.65.103
• File path: \image
• File name: dell_0308.
Figure 13-9. Image Path

3 View information about the current image.

console#show version
Machine Description.......
System Model ID...........
Machine Type..............
Serial Number.............
Manufacturer..............
Burned In MAC Address.....
System Object ID..........
SOC Version...............
HW Version................
CPLD Version..............
Boot Version..............
Image File................
Software Capability.......

unit    active
-----   ----------
1       6.5.0.2
2       6.5.0.
Use either the active or backup keyword to select the specified image to replace (which takes effect only after a reboot). In the following example, the active image is replaced.

console#copy tftp://10.27.65.103/images/N2100v6.5.0.2.stk active
Transfer Mode.............................. TFTP
Server IP Address.......................... 10.27.65.103
Source File Path........................... images/
Source Filename............................ N2100v6.5.0.2.stk
Data Type..................................
This operation may take a few minutes. Management interfaces will not be available during this time.
Are you sure you want to save? (y/n)y
Configuration Saved!

8 Reset the switch to boot the system with the new image.

console#reload
Are you sure you want to continue? (y/n)y
Reloading all switches...

Managing Configuration Scripts

This example shows how to create a configuration script that adds three hostname-to-IP address mappings to the host table.
2 Save the file with an *.scr extension and copy it to the appropriate directory on your TFTP server.
3 Download the file from the TFTP server to the switch.

console#copy tftp://10.27.65.103/labhost.scr script labhost.scr
Transfer Mode.................................. TFTP
Server IP Address.............................. 10.27.65.103
Source File Path............................... ./
Source Filename................................ labhost.scr
Data Type......................................
ip host labpc2 192.168.3.58
ip host labpc3 192.168.3.59
Configuration script 'labhost.scr' applied.

6 Verify that the script was successfully applied.

console#show hosts
Host name: jmclendon
Default domain: rtp.dell.com
Name/address lookup is enabled
DNS source interface :Default
Name servers (Preference order): 192.168.3.20, 192.168.3.21

Configured host name-to-address mapping:
Host                       Addresses
------------------------   -----------------------------------
labpc1                     192.168.3.56
labpc2                     192.168.3.58
labpc3                     192.168.
Mode................................... Binary
Data Type.............................. Code
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y

3 Copy the running-config to the USB flash drive.

console#copy running-config usb://rc_backup.scr
Mode............................. Binary
Data Type........................ Config Script
Source Filename.................. temp-config.
14 DHCP and USB Auto-Configuration

The topics covered in this chapter include:
• Auto Configuration Overview
• What Are the Dependencies for DHCP Auto Configuration?
• Default Auto Configuration Values
• Managing Auto Configuration (Web)
• Managing Auto Configuration (CLI)
• Auto Configuration Example

Auto Configuration Overview

The Auto Configuration feature can automatically update the firmware image and obtain configuration information when the switch bo
NOTE: Neither USB Configuration nor Auto Install is invoked if a saved startup configuration file is on the switch.

What Is USB Auto Configuration?

The USB Auto Configuration feature can be used to configure or upgrade one or more switches that have not been previously configured, such as when new switches are deployed, and it is desirable to record the IP/MAC address pairs along with the configuration and firmware version on a USB key for recovery purposes.
The Auto Configuration feature first searches the USB device for a file with a *.setup extension. If only one .setup file is present, the switch uses the file. When multiple *.setup files are present, the switch uses only the dellswitch.setup file. If no dellswitch.setup file is available, the switch checks for a file with a *.text configuration file and a *.stk image file. If multiple .text files exist, the switch uses the dellswitch.text file. If only a *.stk file is present, the switch checks the .
If the *.setup file configuration line contains an IP address but no configuration or image file names, the management IP address will be assigned, and then the feature will search the USB device for files with the .text and .stk extensions, which indicates that all switches will be using the same configuration file and/or image on the USB device. This method allows different IP addresses to be assigned, but the same configuration file or image is downloaded to multiple switches.
Image File

If the Auto Configuration process includes a switch image upgrade, the name of the image file may optionally be included in the *.setup file if it is desired to assign a specific image to a specific set of switches. If it is desired to use a single image for all switches being upgraded, it is not necessary to include the image file name in the .setup file as long as it is present on the USB device. The specified image file should exist on the USB device.
1 Assignment or configuration of an IP address for the switch
2 Assignment of a TFTP server
3 Obtaining image, network and host configuration files for the switch from a TFTP server

Auto Configuration is successful when an image or configuration file is downloaded to the switch or stack master from a TFTP server and processed.

NOTE: The downloaded configuration file is not automatically saved to startup-config.
After an IP address is assigned to the switch, if a hostname is not already assigned, Auto Configuration issues a DNS request for the corresponding hostname. This hostname is also displayed as the CLI prompt (as in response to the hostname command).

Obtaining Other Dynamic Information

The following information is also processed if returned by a BOOTP or DHCP server:
• Name of a host configuration file (boot-file-name) to be downloaded from the TFTP server.
Obtaining the Switch Firmware Image Auto Configuration attempts to download an image configuration file from a TFTP server only if no startup configuration file was found in the internal flash or a USB drive. A saved configuration with Auto Configuration enabled will not cause Auto Configuration to run. The network DHCP server may return a DHCP OFFER message with option 125 sub-option 5.
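Decoding the DHCP option the paragraph above relies on, as an added example that is not Dell's code: option 125 is the Vendor-Identifying Vendor-Specific Information option (RFC 3925), and the function below extracts its sub-option 5, which this chapter describes as naming the file that identifies the firmware image. The sample bytes are constructed, and the enterprise number 674 is only a placeholder (the page does not say which enterprise number the server is expected to use), so substitute the value your DHCP server is configured with.

```python
"""Parse DHCP option 125 (RFC 3925) and pull out sub-option 5 (added
example, not Dell code). Useful when auditing DHCP offers on a switch
management segment: it shows which image-info file a server is handing
to freshly booted, unconfigured switches.
"""
import struct

ENTERPRISE_PLACEHOLDER = 674  # assumed/placeholder; use the site's real value
IMAGE_INFO_SUBOPT = 5          # sub-option 5 per this chapter


def parse_option_125(data):
    """Return {enterprise: {subopt_code: value_bytes}} from option 125 data.

    Each enterprise block is enterprise-number(4) data-len(1) followed by
    sub-options encoded as code(1) len(1) value. Malformed input raises
    ValueError rather than silently returning a partial result.
    """
    result = {}
    pos = 0
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated enterprise header")
        ent, dlen = struct.unpack_from("!IB", data, pos)
        pos += 5
        block = data[pos:pos + dlen]
        if len(block) != dlen:
            raise ValueError("enterprise block shorter than its data-len")
        pos += dlen
        subs = result.setdefault(ent, {})
        i = 0
        while i < len(block):
            if i + 2 > len(block):
                raise ValueError("truncated sub-option header")
            code, slen = block[i], block[i + 1]
            val = block[i + 2:i + 2 + slen]
            if len(val) != slen:
                raise ValueError("truncated sub-option value")
            subs[code] = val
            i += 2 + slen
    return result


def image_info_filename(option_data, enterprise=ENTERPRISE_PLACEHOLDER):
    """Filename from sub-option 5, or None if the offer does not carry it."""
    subs = parse_option_125(option_data).get(enterprise, {})
    val = subs.get(IMAGE_INFO_SUBOPT)
    return val.decode("ascii") if val is not None else None


def build_option_125(enterprise, subopts):
    """Encode {code: value_bytes} as option 125 data (used to build samples)."""
    body = b"".join(bytes([c, len(v)]) + v for c, v in subopts.items())
    return struct.pack("!IB", enterprise, len(body)) + body


# Constructed sample offer payload naming N2100-image.txt as the image-info file.
SAMPLE_OPTION_125 = build_option_125(ENTERPRISE_PLACEHOLDER,
                                     {IMAGE_INFO_SUBOPT: b"N2100-image.txt"})
```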
• The path or filename of the image on the TFTP server does not match the information specified in the file identified in DHCP option 125 sub-option 5.
• The downloaded image is the same as the current image.
• The validation checks, such as a valid CRC checksum, fail.

If the download or installation was unsuccessful, a message is logged.

NOTE: In a stack of switches, the downloaded image is pushed to all members attached to the stack at the time of download.
configuration file with the name dell-net.cfg. The switch unicasts or broadcasts TFTP requests for a network configuration file in the same manner as it attempts to download a host-specific configuration file. The network configuration file consists of a set of IP address-to-hostname mappings, using the command ip host hostname address. The switch finds its own IP address, as learned from the DHCP server, in the configuration file and extracts its hostname from the matching command.
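The hostname lookup described above, together with the configuration-script comment rule from the previous chapter (a "!" starts a comment that runs to the end of the line), as an added example that is not Dell's code. The sample dell-net.cfg is constructed from the lab hosts used in the configuration-script example earlier; the parser treats the file as a script of ip host hostname address commands and returns the name whose address equals the one the switch received from DHCP.

```python
"""Resolve a switch's hostname from a network configuration file
(dell-net.cfg) the way Auto Configuration does (added example, not Dell
code): parse the script, keep the `ip host` commands, match the IP the
switch learned from DHCP.
"""
import ipaddress

# Constructed sample dell-net.cfg, not from a real deployment.
SAMPLE_NET_CFG = """\
! dell-net.cfg - constructed sample
ip host labpc1 192.168.3.56
ip host labpc2 192.168.3.58   ! text after '!' is ignored to end of line
ip host labpc3 192.168.3.59
snmp-server community public ro
"""


def script_lines(text):
    """Yield executable lines: drop '!' comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()
        if line:
            yield line


def host_mappings(text):
    """Return {address: hostname} from the `ip host hostname address`
    commands in a script; other commands are skipped."""
    mappings = {}
    for line in script_lines(text):
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ip", "host"]:
            name, addr = parts[2], parts[3]
            ipaddress.ip_address(addr)  # reject a malformed address early
            if addr in mappings and mappings[addr] != name:
                raise ValueError(f"conflicting names for {addr}")
            mappings[addr] = name
    return mappings


def hostname_for(text, my_ip):
    """Hostname the switch would adopt, or None when its IP is not listed."""
    return host_mappings(text).get(my_ip)
```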
Table 14-1. Configuration File Possibilities

4   host.cfg   Default config file   Yes

Table 14-2 displays the determining factors for issuing unicast or broadcast TFTP requests.

Table 14-2.
CLI, this is performed by issuing a write command or copy running-config startup-config command and should be done after validating the contents of saved configuration. If the downloaded configuration is not saved to the startup-config, the configuration will be reloaded by the switch every time the DHCP lease expires.

Stopping and Restarting the Auto Configuration Process

The Auto Configuration process can be terminated at any time before the image or configuration file is downloaded.
• An image file and a text file containing the image file name for the switch must be available from a TFTP server if a firmware update is desired.
• A configuration file (a default file such as host.cfg or a specific path/file name using DHCP option 67 boot-file-name) for the switch must be available from a TFTP server if a configuration update is desired from a specific file on the TFTP server. DHCP option 67 may contain a path name in addition to the file name.
Default Auto Configuration Values

Table 14-3 describes the Auto Configuration defaults.

Table 14-3. Auto Configuration Defaults

Feature            Default    Description
Auto Install Mode  Enabled    When the switch boots and no saved configuration is found, Auto Configuration automatically begins.
Retry Count        3          When the DHCP or BootP server returns information about the TFTP server and a DHCP option 67 boot-filename, the switch makes three unicast TFTP requests for the specified file.
Managing Auto Configuration (Web)

This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Managing Auto Configuration (CLI)

This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Auto Configuration Example

A network administrator is deploying three Dell EMC Networking N-Series switches and wants to quickly and automatically install a specific version of switch firmware and a common configuration file that configures basic settings such as VLAN creation and membership, RADIUS server settings, and 802.1X information. The configuration file also contains the command boot host auto-save so that the downloaded configuration is automatically saved to the startup config.
4 Create a setup file named dellswitch.setup. The setup file contains the following lines:

192.168.0.1 255.255.255.0 switchA.txt N2000v6.1.0.1.stk
192.168.0.2 255.255.255.0 switchB.txt N2000v6.2.0.1.stk
192.168.0.3 255.255.255.0 switchC.txt N2000v6.2.0.1.stk

5 Copy the dellswitch.setup file to the USB device.
6 Connect the USB device to Switch A.
7 Insert the USB device into the USB port on the front panel of Switch A.
8 Power on Switch A.
1 Create a default config file for the switches named host.cfg. The host.cfg file contains the path and name of the image file on the TFTP server (option 125, sub-option 5). For information about creating configuration files, see Images and File Management.
2 Upload the host.cfg file to the TFTP server.
3 Upload the image file to the TFTP server.
Easy Firmware Upgrade/Downgrade via USB

If a USB device is detected during bootup and there is switch firmware on the USB device (and no .setup files and no .text files), and the switch has no saved startup config file, then the latest version of firmware on the USB device is checked against the active firmware version on the switch. If a newer image version is found on the USB device, the image is copied to the switch backup and the switch reloads using the new firmware version.
15 Monitoring Switch Traffic

Dell EMC Networking N-Series Switches

This chapter describes sFlow features, Remote Monitoring (RMON), and Port Mirroring features. The topics covered in this chapter include:
• Traffic Monitoring Overview
• Default Traffic Monitoring Values
• Monitoring Switch Traffic (Web)
• Monitoring Switch Traffic (CLI)
• Traffic Monitoring Examples

Traffic Monitoring Overview

The switch maintains statistics about network traffic that it handles.
from monitored devices. sFlow datagrams forward sampled traffic statistics to the sFlow Collector for analysis. Up to eight different sFlow receivers can be specified to which the switch sends sFlow datagrams.

Figure 15-1. sFlow Architecture

The advantages of using sFlow are:
• It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
• Minimal memory/CPU is required.
sFlow Sampling

The sFlow Agent in the Dell EMC Networking software uses two forms of sampling:
• Statistical packet-based sampling of switched or routed Packet Flows
• Time-based sampling of counters

Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual Data Sources within an sFlow Agent. Both types of samples are combined in sFlow datagrams. Packet Flow Sampling creates a steady, but random, stream of sFlow datagrams that are sent to the sFlow Collector.
• When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer; the mean of the sequence of random integers used over time is the Sampling Rate.

Counter Sampling

The primary objective of Counter Sampling is to efficiently and periodically export counters associated with Data Sources. A maximum Sampling Interval is assigned to each sFlow instance associated with a Data Source.
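The two sampling mechanisms above, shown as an added Python example (not code from the guide or from the Dell EMC sFlow agent): a packet-flow sampler that resets its skip counter to a random integer whose mean is the Sampling Rate, and a counter sampler driven by a polling interval. The uniform distribution on [1, 2×rate−1] is one valid way to get that mean and is an assumption of the example, as are the packets it constructs; each flow sample carries the sampling rate and sample pool so a collector can scale the samples back up to an estimate of total traffic.

```python
import random
from typing import Callable, Dict, Optional


class PacketFlowSampler:
    """Statistical packet-based sampling for one sFlow data source.

    After each sample the skip counter is reset to a random integer; the mean of
    those integers over time equals the configured Sampling Rate, so on average one
    packet in `sampling_rate` is sampled without a fixed, predictable period.
    """

    def __init__(self, sampling_rate: int, rng: Optional[random.Random] = None):
        if sampling_rate < 1:
            raise ValueError("sampling rate must be at least 1")
        self.sampling_rate = sampling_rate
        self.rng = rng or random.Random()
        self.total_packets = 0      # sample pool: every packet seen on this data source
        self.sample_count = 0
        self.skip = self._next_skip()

    def _next_skip(self) -> int:
        # Uniform on [1, 2*rate-1] has mean == rate (an assumption; any distribution
        # with that mean would do).
        return self.rng.randint(1, 2 * self.sampling_rate - 1)

    def observe(self, packet: bytes) -> Optional[Dict[str, object]]:
        """Account one packet; return a flow-sample record if this packet was picked."""
        self.total_packets += 1
        self.skip -= 1
        if self.skip > 0:
            return None
        self.skip = self._next_skip()
        self.sample_count += 1
        return {
            "sequence": self.sample_count,
            "sampling_rate": self.sampling_rate,
            "sample_pool": self.total_packets,   # lets the collector scale samples up
            "header": packet[:128],              # only a header slice is exported
        }

    def estimated_packets(self) -> int:
        """What a collector would estimate from the samples alone."""
        return self.sample_count * self.sampling_rate


class CounterSampler:
    """Time-based counter polling for one data source."""

    def __init__(self, interval_s: int):
        if interval_s < 1:
            raise ValueError("polling interval must be at least 1 second")
        self.interval = interval_s
        self.last_poll: Optional[float] = None

    def poll(self, now_s: float, read_counters: Callable[[], Dict[str, int]]) -> Optional[Dict[str, int]]:
        """Return a counter sample if the interval has elapsed since the last one."""
        if self.last_poll is not None and now_s - self.last_poll < self.interval:
            return None
        self.last_poll = now_s
        return read_counters()


def simulate_flow_sampling(n_packets: int, sampling_rate: int, seed: int = 7) -> Dict[str, int]:
    """Run constructed packets through a sampler; report actual versus estimated counts."""
    sampler = PacketFlowSampler(sampling_rate, random.Random(seed))
    samples = 0
    for i in range(n_packets):
        # Constructed packet: a 64-byte payload whose first byte changes
        if sampler.observe(bytes([i % 256]) * 64) is not None:
            samples += 1
    return {"packets": sampler.total_packets, "samples": samples,
            "estimated": sampler.estimated_packets()}
```

Running simulate_flow_sampling(100000, 100) yields close to 1000 samples, and the collector's estimate (samples × rate) lands near the true 100000 packets; a sampling rate of 1 samples every packet.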
• Specify the network management system IP address or permit management access from all IP addresses.

For more information about configuring SNMP, see "SNMP" on page 473.

The RMON agent in the switch supports the following groups:
• Group 1—Statistics. Contains cumulative traffic and error statistics.
• Group 2—History. Generates reports from periodic traffic sampling that are useful for analyzing trends.
• Group 3—Alarm. Enables the definition and setting of thresholds for various counters.
in spanning tree, IGMP/MLD snooping, or GVRP; do not learn MAC addresses (learned MAC addresses are purged); do not participate in routing (route entries are purged); and do not utilize any static filter configuration. Incoming packets are dropped. Probe ports “lose” their VLAN membership, i.e. they do not forward/flood packets based on VLAN membership. Changing VLAN membership does not affect a probe port until the port is removed from probe status.
The packet that is mirrored to the destination port is normally in the same format as the original packet on the wire, except as noted in the following section: Port Mirroring Behaviors. This means that the mirrored packet is VLAN tagged or untagged as it was received/transmitted on the source port. Destinations include physical interfaces and RSPAN VLANs. Mirrored traffic is subject to the same QoS constraints as normal traffic.
• When port mirroring is enabled, all MAC address entries associated with destination ports are purged. This prevents transmitting packets out of the port that are not seen on the mirrored port. If spanning tree is enabled, this is treated as a topology change.
• The spanning tree protocol is disabled on destination ports such that frames are always received from or transmitted out of the port as soon as the port is up (spanning tree status is forwarding and role is disabled).
processing stage. This means that on egress, packets may not appear as they do on the wire if processing such as VLAN or CoS value rewriting is programmed.

RSPAN

Administrators should consider reserving a few VLANs across the network for the exclusive use of RSPAN. The RSPAN VLANs should only be configured on the reflector interfaces (generally the uplink/transit/downlink interface). Each RSPAN session must use a unique reflector port, destination port, and RSPAN VLAN.
The reflector port must be configured as the only member of the RSPAN VLAN on the source switch. The source interface must be configured as the only member of the RSPAN VLAN on the destination switch. Configuring a source that mirrors to the RSPAN VLAN on the destination switch is not supported. RSPAN intermediate switches may also be configured with multiple source ports feeding into an existing RSPAN VLAN.
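The RSPAN placement rules above lend themselves to an automated configuration check. The following is an added Python example, not code from the guide or from the switch: a small model of a switch's VLAN membership and monitor sessions, with a checker that reports sessions sharing a reflector port, destination port or RSPAN VLAN, an RSPAN VLAN that has more members than the reflector port (source switch) or the incoming source interface (destination switch), a VLAN missing remote-span, and a destination switch that tries to mirror into the RSPAN VLAN. The switch models, port names and VLAN 723 are constructed to follow the guide's later example; treating the destination switch's "source interface" as the uplink carrying the RSPAN VLAN in is the example's interpretation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RspanSession:
    session_id: int
    rspan_vlan: int
    source: Optional[str] = None       # monitored port (source switch) or the uplink that
                                       # carries the RSPAN VLAN in (destination switch)
    reflector: Optional[str] = None    # reflector port (source switch only)
    destination: Optional[str] = None  # probe port (destination switch only)


@dataclass
class SwitchModel:
    name: str
    role: str                              # "source" or "destination"
    vlan_members: Dict[int, Set[str]]      # VLAN id -> interfaces that are members of it
    remote_span_vlans: Set[int]            # VLANs configured with remote-span
    sessions: List[RspanSession] = field(default_factory=list)


def check_rspan(sw: SwitchModel) -> List[str]:
    """Return a list of findings; an empty list means the RSPAN layout is consistent."""
    findings: List[str] = []
    used: Dict[str, Dict[object, int]] = {"reflector": {}, "destination": {}, "rspan_vlan": {}}
    for s in sw.sessions:
        # Each session needs its own reflector port, destination port and RSPAN VLAN.
        for attr, table in used.items():
            value = getattr(s, attr)
            if value is None:
                continue
            if value in table:
                findings.append(f"{sw.name}: session {s.session_id} reuses {attr} "
                                f"{value} already used by session {table[value]}")
            else:
                table[value] = s.session_id
        # MAC learning must be off on the RSPAN VLAN (remote-span).
        if s.rspan_vlan not in sw.remote_span_vlans:
            findings.append(f"{sw.name}: VLAN {s.rspan_vlan} is not configured as remote-span")
        members = sw.vlan_members.get(s.rspan_vlan, set())
        if sw.role == "source":
            if s.reflector is None:
                findings.append(f"{sw.name}: session {s.session_id} has no reflector port")
            elif members != {s.reflector}:
                findings.append(f"{sw.name}: RSPAN VLAN {s.rspan_vlan} members {sorted(members)} "
                                f"must be exactly the reflector port {s.reflector}")
        elif sw.role == "destination":
            if s.reflector is not None:
                findings.append(f"{sw.name}: session {s.session_id} mirrors into the RSPAN VLAN "
                                f"on the destination switch, which is not supported")
            if s.source is None:
                findings.append(f"{sw.name}: session {s.session_id} has no source interface")
            elif members != {s.source}:
                findings.append(f"{sw.name}: RSPAN VLAN {s.rspan_vlan} members {sorted(members)} "
                                f"must be exactly the source interface {s.source}")
        else:
            findings.append(f"{sw.name}: unknown role {sw.role!r}")
    return findings


# Constructed switches modelled on the guide's later example (VLAN 723 as RSPAN VLAN).
GOOD_SOURCE = SwitchModel("src-sw", "source",
    vlan_members={1: {"gi1/0/3", "te1/0/1"}, 723: {"te1/0/24"}},
    remote_span_vlans={723},
    sessions=[RspanSession(1, 723, source="gi1/0/3", reflector="te1/0/24")])

# Two mistakes: a second port left in VLAN 723, and remote-span not set on it.
BAD_SOURCE = SwitchModel("src-sw", "source",
    vlan_members={723: {"te1/0/24", "te1/0/23"}},
    remote_span_vlans=set(),
    sessions=[RspanSession(1, 723, source="gi1/0/3", reflector="te1/0/24")])

GOOD_DEST = SwitchModel("dst-sw", "destination",
    vlan_members={723: {"te1/0/1"}},
    remote_span_vlans={723},
    sessions=[RspanSession(1, 723, source="te1/0/1", destination="gi1/0/1")])
```

check_rspan(GOOD_SOURCE) and check_rspan(GOOD_DEST) return no findings, while check_rspan(BAD_SOURCE) reports both the extra VLAN member and the missing remote-span setting, the two conditions that would leak mirrored traffic or re-enable MAC learning on the transit VLAN.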
Why is Traffic Monitoring Needed?

Monitoring the traffic that the switch handles, as well as monitoring all traffic in the network, can help provide information about network performance and utilization. This information can be useful in network planning and resource allocation. Information about traffic flows can also help troubleshoot problems in the network.

Default Traffic Monitoring Values

The sFlow agent is enabled by default, but sampling and polling are disabled on all ports.
Monitoring Switch Traffic (Web)

This section provides information about the OpenManage Switch Administrator pages to use to monitor network traffic on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

sFlow Agent Summary

Use the sFlow Agent Summary page to view information about the sFlow MIB and the sFlow Agent IP address.
sFlow Receiver Configuration

Use the sFlow Receiver Configuration page to configure settings for the sFlow receiver to which the switch sends sFlow datagrams. Up to eight sFlow receivers can be configured to receive datagrams. To display the Receiver Configuration page, click System → sFlow → Receiver Configuration in the navigation panel.

Figure 15-3. sFlow Receiver Configuration

Click Show All to view information about configured sFlow receivers.

sFlow Sampler Configuration

Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports. To display the Sampler Configuration page, click System → sFlow → Sampler Configuration in the navigation panel.

Figure 15-4. sFlow Sampler Configuration

Click Show All to view information about configured sampler data sources.

sFlow Poll Configuration

Use the sFlow Poll Configuration page to configure how often a port should collect counter samples. To display the Poll Configuration page, click System → sFlow → Poll Configuration in the navigation panel.

Figure 15-5. sFlow Poll Configuration

Click Show All to view information about the ports configured to collect counter samples.
Interface Statistics

Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical. To display the page, click Statistics/RMON → Table Views → Interface Statistics in the navigation panel.

Figure 15-6.

Etherlike Statistics

Use the Etherlike Statistics page to display interface statistics. To display the page, click Statistics/RMON → Table Views → Etherlike Statistics in the navigation panel.

Figure 15-7.

GVRP Statistics

Use the GVRP Statistics page to display switch statistics for GVRP. To display the page, click Statistics/RMON → Table Views → GVRP Statistics in the navigation panel.

Figure 15-8.

EAP Statistics

Use the EAP Statistics page to display information about EAP packets received on a specific port. For more information about EAP, see "Port and System Security" on page 663. To display the EAP Statistics page, click Statistics/RMON → Table Views → EAP Statistics in the navigation panel.

Figure 15-9.

Utilization Summary

Use the Utilization Summary page to display interface utilization statistics. To display the page, click Statistics/RMON → Table Views → Utilization Summary in the navigation panel.

Figure 15-10.

Counter Summary

Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages. To display the page, click Statistics/RMON → Table Views → Counter Summary in the navigation panel.

Figure 15-11.

Switchport Statistics

Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs. To display the page, click Statistics/RMON → Table Views → Switchport Statistics in the navigation panel.

Figure 15-12.
RMON Statistics

Use the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch. To display the page, click Statistics/RMON → RMON → Statistics in the navigation panel.

Figure 15-13. RMON Statistics

RMON History Control Statistics

Use the RMON History Control page to maintain a history of statistics on each port. To display the page, click Statistics/RMON → RMON → History Control in the navigation panel.

Figure 15-14. RMON History Control

Adding a History Control Entry

To add an entry:
1 Open the RMON History Control page.
2 Click Add. The Add History Entry page displays.

Figure 15-15. Add History Entry

3 Select the port or LAG on which you want to maintain a history of statistics.
4 Specify an owner, the number of historical buckets to keep, and the sampling interval.
5 Click Apply to add the entry to the RMON History Control Table.

To view configured history entries, click the Show All tab. The RMON History Control Table displays. Configured history entries can be removed using this page.

RMON History Table

Use the RMON History Table page to display interface-specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To display the RMON History Table page, click Statistics/RMON → RMON → History Table in the navigation panel.

Figure 15-16.
RMON Event Control

Use the RMON Events Control page to define RMON events. Events are used by RMON alarms to force some action when a threshold is crossed for a particular RMON counter. The event information can be stored in a log and/or sent as a trap to a trap receiver. To display the page, click Statistics/RMON → RMON → Event Control in the navigation panel.

Figure 15-17. RMON Event Control

Adding an RMON Event

To add an event:
1 Open the RMON Event Control page.
2 Click Add.

Figure 15-18. Add an Event Entry

3 If the event sends an SNMP trap, specify the SNMP community to receive the trap.
4 Optionally, provide a description of the event and the name of the event owner.
5 Select an event type.
6 Click Apply. The event is added to the RMON Event Table, and the device is updated.

Viewing, Modifying, or Removing an RMON Event

To manage an event:
1 Open the RMON Event Control page.
2 Click Show All to display the Event Control Table page.

RMON Event Log

Use the RMON Event Log page to display a list of RMON events. To display the page, click Statistics/RMON → RMON → Events Log in the navigation panel.

Figure 15-19.

RMON Alarms

Use the RMON Alarms page to set network alarms. Alarms occur when certain thresholds are crossed for the configured RMON counters. The alarm triggers an event to occur. The events can be configured as part of the RMON Events group. For more information about events, see "RMON Event Log" on page 591. To display the page, click Statistics/RMON → RMON → Alarms in the navigation panel.

Figure 15-20.

Adding an Alarm Table Entry

To add an alarm:
1. Open the RMON Alarms page.
2. Click Add. The Add an Alarm Entry page displays.

Figure 15-21. Add an Alarm Entry

3. Complete the fields on this page as needed. Use the help menu to learn more information about the data required for each field.
4. Click Apply. The RMON alarm is added, and the device is updated.

To view configured alarm entries, click the Show All tab. The Alarms Table displays. Configured alarms can be removed using this page.
Port Statistics

Use the Port Statistics page to chart port-related statistics on a graph. To display the page, click Statistics/RMON → Charts → Port Statistics in the navigation panel.

Figure 15-22. Port Statistics

To chart port statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.

LAG Statistics

Use the LAG Statistics page to chart LAG-related statistics on a graph. To display the page, click Statistics/RMON → Charts → LAG Statistics in the navigation panel.

Figure 15-23. LAG Statistics

To chart LAG statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.

Port Mirroring

Use the Port Mirroring page to create a mirroring session in which all traffic that is sent or received (or both) on one or more source ports is mirrored to a destination port. To display the Port Mirroring page, click Switching → Ports → Traffic Mirroring → Port Mirroring in the navigation panel.

Figure 15-24. Port Mirroring

Configuring a Port Mirror Session

To configure port mirroring:
1 Open the Port Mirroring page.
2 Click Add. The Add Source Port page displays.

Figure 15-25. Add Source Port

5 Click Apply.
6 Repeat the previous steps to add additional source ports.
7 Click Port Mirroring to return to the Port Mirroring page.
8 Enable the administrative mode and specify the destination port.

Figure 15-26. Configure Additional Port Mirroring Settings

9 Click Apply.
Monitoring Switch Traffic (CLI) This section provides information about the commands you use to manage traffic monitoring features on the switch and to view information about switch traffic. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command Purpose

sflow rcvr-index polling if_type if_number poll-interval
    Enable a new sFlow poller instance on an interface range.
    • rcvr-index — The sFlow Receiver associated with the poller (Range: 1–8).
    • if_type if_number — The list of interfaces to poll. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te); for example, te1/0/3-5 enables polling on ports 3, 4, and 5.
    • poll-interval — The sFlow instance polling interval.
Command Purpose

sflow rcvr-index sampling sampling-rate [size]
    Enable a new sFlow sampler instance for the interface.

show sflow agent
    View information about the switch sFlow agent.

show sflow index destination
    View information about a configured sFlow receiver.

show sflow index polling
    View information about the configured sFlow poller instances for the specified receiver.

show sflow index sampling
    View information about the configured sFlow sampler instances for the specified receiver.
Command Purpose

rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [startup direction] [owner string]
    Add an alarm entry.
    • number — The alarm index. (Range: 1–65535)
    • variable — A fully qualified SNMP object identifier that resolves to a particular instance of a MIB object.
    • interval — The interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
Command Purpose

rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds]
    Enable an RMON MIB history statistics group on the interface.
    NOTE: You must configure RMON alarms and events before RMON collection history is able to display.
    • index — The requested statistics index group. (Range: 1–65535)
    • ownername — Records the RMON statistics group owner name. If unspecified, the name is an empty string.
Command Purpose

show interfaces traffic [interface-id]
    Display the current TX and RX queue congestion and congestion discards.

Configuring Port Mirroring

Use the following commands in Privileged Exec mode to configure a port mirroring session.

Command Purpose

configure
    Enter Global Configuration mode.

monitor session session_number source interface {interface-id} [rx | tx | both]
    Configure a source (monitored) port or CPU interface for a monitor session.
Configuring RSPAN

RSPAN is an extension of port mirroring that operates across multiple switches. Mirrored traffic is tagged with the RSPAN VLAN and is flooded in the RSPAN VLAN. This allows considerable flexibility in the placement of probe ports. Use the following commands in Privileged Exec mode to configure RSPAN. Remember to assign VLANs to physical interfaces (steps not shown).

Configuring RSPAN (Source Switch)

Command Purpose

configure
    Enter Global Configuration mode.
Command Purpose

monitor session session-number destination {interface interface-id | remote vlan rspan-vlan-id reflector-port interface-id}
    Configure a local RSPAN reflector port on the source switch. The reflector port should be configured as a trunk port.

monitor session session_number mode
    Enable the administrative mode for the configured port mirroring session to start sending the traffic from the source port to the destination (probe) port.

exit
    Exit to Privileged Exec mode.
Command Purpose

monitor session session_id source remote vlan vlan_id
    Configure a source RSPAN VLAN on the destination switch.

monitor session session_id destination interface interface
    Configure the destination port on the RSPAN destination switch.

monitor session session_id mode
    Enable the monitor session.

Configuring RSPAN (Filtering Traffic)

Command Purpose

configure
    Enter Global Configuration mode.

vlan vlan-id
    Create a VLAN.

remote-span
    Configure the VLAN as an RSPAN VLAN.
Command Purpose

interface Te1/0/1
    Enter Interface Configuration mode for interface Te1/0/1 (the source interface).

switchport mode trunk
    Configure the source as a trunk port (multiple VLANs).

switchport trunk allowed vlan remove vlan-id
    Remove the RSPAN VLAN from the source port.

exit
    Exit to Global Configuration mode.

interface Te1/0/24
    Enter Interface Configuration mode for interface Te1/0/24 (the RSPAN reflector port).
Traffic Monitoring Examples

This section contains the following examples:
• Showing Interface Traffic
• Configuring sFlow
• Configuring RMON
• Configuring Remote Capture
• Configuring RSPAN

Showing Interface Traffic

Use the show interfaces utilization and show interfaces traffic commands to display information about interface traffic and internal packet buffer usage. The following are examples of the output of these commands.
console#show interfaces utilization

Port      Load Interval   Oper.
-------   -------------
Gi1/0/1   300
Gi1/0/2   300
Gi1/0/3   300
Gi1/0/4   300
Gi1/0/5   300
Gi1/0/6   300
Gi1/0/7   300
Gi1/0/8   300
Receiver Index.................... 1
Owner String...................... receiver1
Time out.......................... 99994
IP Address:....................... 192.168.30.
Address Type......................
Port..............................
Datagram Version..................
Maximum Datagram Size.............
Configuring RMON

This example generates a trap and creates a log entry when the number of inbound packets that are undeliverable due to errors increases by 20 or more. First, an RMON event is created. Then, the alarm is created. The event (event 1) generates a trap and creates a log entry. The alarm is configured for the MIB object ifInErrors (OID: 1.3.6.1.2.1.2.2.1.14.1). The OID is the variable.
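How the alarm above behaves over successive samples is easier to see in code. The following is an added Python example, not code from the guide or from the switch, modelling the rmon alarm and rmon event semantics from the CLI table earlier in this chapter: absolute versus delta sampling, rising and falling thresholds, the startup direction that governs the first sample, and the hysteresis that stops a rising event from repeating until the value has fallen back to the falling threshold. The ifInErrors readings, the falling threshold of 1 and the trap community name are constructed; the Counter32 wrap handling is the example's own addition.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

COUNTER32_WRAP = 1 << 32


@dataclass
class RmonEvent:
    number: int
    description: str
    log: bool = True                      # write an entry to the RMON event log
    trap_community: Optional[str] = None  # if set, also send an SNMP trap to this community


@dataclass
class RmonAlarm:
    """One rmon alarm entry; sample() is called once every `interval` seconds."""
    number: int
    variable: str          # MIB instance to watch, e.g. ifInErrors.1 (OID 1.3.6.1.2.1.2.2.1.14.1)
    interval: int
    sample_type: str       # "absolute" compares the reading; "delta" compares the change
    rising_threshold: int
    rising_event: Optional[int]
    falling_threshold: int
    falling_event: Optional[int]
    startup: str = "rising"   # which crossing may fire on the first sample
    _last_raw: Optional[int] = field(default=None, init=False, repr=False)
    _last_value: Optional[int] = field(default=None, init=False, repr=False)
    _rising_armed: bool = field(default=True, init=False, repr=False)
    _falling_armed: bool = field(default=True, init=False, repr=False)

    def __post_init__(self):
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be absolute or delta")
        if self.startup not in ("rising", "falling", "rising-falling"):
            raise ValueError("startup must be rising, falling or rising-falling")
        if self.falling_threshold > self.rising_threshold:
            raise ValueError("falling threshold must not exceed rising threshold")

    def sample(self, raw: int) -> Optional[Tuple[str, int, Optional[int]]]:
        """Feed one counter reading; return (direction, value, event number) on a crossing."""
        if self.sample_type == "delta":
            if self._last_raw is None:          # a delta needs two readings
                self._last_raw = raw
                return None
            value = raw - self._last_raw
            if value < 0:                       # Counter32 wrapped between readings
                value += COUNTER32_WRAP
            self._last_raw = raw
        else:
            value = raw
        prev, self._last_value = self._last_value, value
        fired = None
        if prev is None:
            # First comparable sample: only the startup direction may fire.
            if value >= self.rising_threshold and self.startup != "falling":
                fired = ("rising", value, self.rising_event)
            elif value <= self.falling_threshold and self.startup != "rising":
                fired = ("falling", value, self.falling_event)
        elif value >= self.rising_threshold and prev < self.rising_threshold and self._rising_armed:
            fired = ("rising", value, self.rising_event)
        elif value <= self.falling_threshold and prev > self.falling_threshold and self._falling_armed:
            fired = ("falling", value, self.falling_event)
        # Hysteresis: a rising crossing cannot fire again until the value has come back
        # down to the falling threshold, and vice versa.
        if fired is not None:
            if fired[0] == "rising":
                self._rising_armed = False
            else:
                self._falling_armed = False
        if value <= self.falling_threshold:
            self._rising_armed = True
        if value >= self.rising_threshold:
            self._falling_armed = True
        return fired


def run_alarm(alarm: RmonAlarm, events: Dict[int, RmonEvent], readings: List[int]) -> List[dict]:
    """Apply successive readings and return the event actions (log/trap) they produce."""
    actions = []
    for i, raw in enumerate(readings):
        fired = alarm.sample(raw)
        if fired is None:
            continue
        direction, value, event_number = fired
        event = events.get(event_number)
        if event is None:       # crossing bound to no event: nothing to log or trap
            continue
        actions.append({"sample": i, "alarm": alarm.number, "variable": alarm.variable,
                        "direction": direction, "value": value, "event": event.number,
                        "log": event.log, "trap": event.trap_community})
    return actions


# Constructed scenario following the guide: event 1 logs and traps; alarm 1 samples the
# change in ifInErrors.1 every 30 s and fires event 1 when it rises by 20 or more.
EVENTS = {1: RmonEvent(1, "inbound errors rising", log=True, trap_community="rmon-traps")}


def demo() -> List[dict]:
    alarm = RmonAlarm(1, "ifInErrors.1", 30, "delta",
                      rising_threshold=20, rising_event=1,
                      falling_threshold=1, falling_event=None, startup="rising")
    readings = [100, 105, 130, 131, 131, 160]     # constructed ifInErrors readings, 30 s apart
    return run_alarm(alarm, EVENTS, readings)
```

demo() produces two actions, for the deltas of 25 and 29; the delta of 1 in between re-arms the alarm but, having no event bound to the falling threshold, logs nothing, which is the quiet behaviour the guide's trap-on-rising configuration is after.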
Configuring Remote Capture

This example configures the switch to mirror packets transmitted and received by the switch CPU to a Wireshark client. This is useful to diagnose switch behavior and to determine if an attached device is sending properly formatted packets with correct information to the switch, or just to monitor traffic sent to the switch CPU. The capture feature can also be configured to capture to a local file in pcap format or to capture to an in-memory buffer (text format).
5 On the Capture Options dialog, click Manage Interfaces.
6 Add a new interface by giving the switch IP address and the default remote port (2002). First, select the Remote Interfaces tab and click Add. 7 Enter the switch IP address and port (2002). Choose Null authentication (default).
8 Click OK to accept the entry. 9 On the Add new interfaces dialog, click Apply and then click Close.
10 From the Wireshark:Capture Options dialog, select the remote switch and click Start.

Remote Capture Caveats

Remote capture over an in-band port also captures the capture packets themselves as they are transmitted to the Wireshark client. Therefore, when using remote capture over an in-band port, it is best to configure remote capture to capture only received packets, to configure remote capture to operate over the out-of-band port, or to configure local capture to capture to the in-memory buffer or a local pcap file.
Configuring RSPAN

RSPAN supports the transport of mirrored packets across the network to a remote switch. Ports may be configured as source ports, intermediate ports, or destination ports.

RSPAN Source Switch

This example mirrors interface gi1/0/3 to VLAN 723. VLAN 723 is the selected transit VLAN. Administrators should reserve a VLAN as the RSPAN VLAN when designing their network. The source switch requires a reflector port to carry packets to the transit switch.
RSPAN cannot use the CPU as a mirror source. Instead, configure remote capture to view packets sent to or from the switch CPU.

RSPAN Transit Switch

The following is an example of an RSPAN transit switch configuration. The RSPAN VLAN should be configured as a remote-span in order to disable MAC learning on the VLAN. In this case, the transit switch ports are configured as trunk ports (members of all VLANs) and may be used by other traffic.
3 Configure a mirroring session with the remote VLAN 723 as the source and interface gi1/0/1 as the destination port:

console(config)#monitor session 1 source remote vlan 723
console(config)#monitor session 1 destination interface gi1/0/1

4 Enable the mirroring session:

console(config)#monitor session 1 mode
16 iSCSI Optimization

Dell EMC Networking N2000, N2100-ON, N3000E-ON, and N3100-ON Series Switches

NOTE: This feature is not available on the Dell EMC Networking N1100-ON or N1500 Series switches.

This chapter describes how to configure Internet Small Computer System Interface (iSCSI) optimization, which enables special quality of service (QoS) treatment for iSCSI traffic.
The preferential treatment of iSCSI traffic needs to be balanced against the needs of other critical data in the network.

What Occurs When iSCSI Optimization Is Enabled or Disabled?

The iSCSI feature is enabled on all ports by default. When iSCSI is enabled on the switch, the following actions occur:
• Flow control is globally enabled, if it is not already enabled.
• iSCSI LLDP monitoring starts to automatically detect Dell EqualLogic arrays.
When iSCSI CoS mode is enabled, iSCSI login sessions up to the switch limits are tracked, and data packets for those sessions are given the configured CoS treatment. iSCSI sessions in excess of the switch limits are not given the configured CoS treatment; therefore, it is not advisable to exceed the iSCSI session limit. Multiple connections within a session are counted against the session limit, even though they show in the session table as a single session.
If no iSCSI traffic is detected for a session for a configurable aging period, the session data is cleared.

How Does iSCSI Optimization Interact With Dell EqualLogic and Compellent Arrays?

The iSCSI feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic (EQL) or Compellent SAN storage arrays and automatically reconfigure the switch to enhance storage traffic flows.
Default iSCSI Optimization Values

Table 16-1 shows the default values for the iSCSI optimization feature.

Table 16-1. iSCSI Optimization Defaults

Parameter                          Default Value
iSCSI optimization global status   Enabled
iSCSI CoS mode                     Disabled
Jumbo frames                       Disabled
Spanning tree portfast             Disabled
Unicast storm control              Disabled
Classification                     iSCSI packets are classified by VLAN instead of by DSCP values.
VLAN priority tag                  iSCSI flows are assigned by default the highest 802.
Configuring iSCSI Optimization (Web)

This section provides information about the OpenManage Switch Administrator pages to use to configure the iSCSI features on Dell EMC Networking N2000, N2100-ON, N3000-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

iSCSI Global Configuration

Use the Global Configuration page to configure QoS treatment for packets where the iSCSI protocol is detected.
Configuring iSCSI Optimization (CLI)

This section provides information about the commands used for configuring iSCSI settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.

Command Purpose

configure
    Enter Global Configuration mode. iSCSI optimization is enabled by default.
iSCSI Optimization Configuration Examples

iSCSI optimization is enabled by default. The following procedure illustrates the configuration steps required if configuring iSCSI manually.

Configuring iSCSI Optimization Between Servers and a Disk Array

Figure 16-2 illustrates a stack of three Dell EMC Networking N-Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets).
The following commands show how to configure the iSCSI example depicted in Figure 16-2. Remember that iSCSI optimization is enabled by default.

1 Set the system MTU to 9216 to enable the use of jumbo frames.

console#config
console(config)#system jumbo mtu 9216

2 Optionally configure the switch to associate CoS queue 5 with detected iSCSI session traffic.
17 Port Characteristics

Dell EMC Networking N-Series Switches

This chapter describes how to configure physical switch port characteristics, including settings such as administrative status and maximum frame size. This chapter also describes the link dependency feature.
Table 17-1. Port Characteristics

Feature             Description
Speed               Specifies the transmission rate for frames.
Duplex mode         Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time (half) or both directions simultaneously (both).
Maximum frame size  Indicates the maximum frame size that can be handled by the port.
Auto-Negotiation Dell EMC Networking N-Series switches implement IEEE 802.3 autonegotiation for 1000BASE-T, 1000BASE-X, NBASE-T and 10GBASE-T based copper interfaces. 1000BASE-X fiber interfaces also implement autonegotiation. Auto-negotiation is required to be present and enabled for 1000BASE-T, NBASE-T, and 10GBASE-T copper interfaces in order for a clock master to be selected.
a VLAN header) to 9216 bytes. Dell EMC Networking N-Series switches assume that all packets are in Ethernet format. Any device connecting to the same broadcast domain must support the same MTU. Dell EMC Networking N-Series switches do not fragment L2 or L3 forwarded traffic. Received frames larger than the system MTU are discarded. The switch will not transmit a frame larger than the system MTU. Packets originated by the switch are fragmented based upon path MTU discovery.
Link Action

The link action specifies the action that the group members will take when the dependent port is down. The group members can transition to the same state as the dependent port, or they can transition to the opposite state. In other words, if the link action is down and the dependent port goes down, the member ports will go down as well. Conversely, when the link action is up and the dependent link goes down, the group member ports are enabled (brought up).
What Interface Types are Supported? The physical ports on the switch include the out-of-band (OOB) interface (Dell EMC Networking N3000-ON and N3100-ON Series only) and Ethernet switch ports. The OOB interface supports a limited set of features and is for switch management only. The Ethernet switch ports support many logical features that are often supported by logical interfaces.
To enter Interface Configuration mode for a physical switch port, the following information is required:
• Type — For physical switch ports, the type is Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports or 10-Gigabit Ethernet (tengigabitethernet or te) for 10,000 Mbps Ethernet ports.
• Stack member number — The unit number within the stack. The range is 1–12. The default unit number for a switch that has not been in a stack is 1.
For many features, a range of interfaces can be specified. When you enter Interface Configuration mode for multiple interfaces, the commands you execute apply to all interfaces specified in the range. To enter Interface Configuration mode for a range of interfaces, include the keyword range and specify the interfaces to configure.
NOTE: Cable diagnostics may give misleading results if green mode is enabled on the port. Disable green mode prior to running any cable diagnostics.
Switchport Modes
Each port on the Dell EMC Networking N-Series switches can be configured to be in one of the following modes:
• Access — Access ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags. Access ports support a single VLAN (the PVID).
allow additional VLANs (Voice VLAN, MVRP, GVRP) to pass traffic. Administrators can restrict the VLAN membership of general mode ports, and may configure VLANs that do not exist on the switch. General mode ports may be configured to accept only tagged traffic, or only untagged traffic, or both. When ingress filtering is enabled, the frame is dropped if the port is not a member of the VLAN identified by the VLAN ID in the tag. If ingress filtering is disabled, all tagged frames are forwarded.
Table 17-3. Default Port Values
Feature               Description
Duplex mode           Full-duplex
Flow control          Enabled (RX only)
Maximum frame size    1518
Energy Detect mode    Enabled
EEE mode              Enabled
Link Dependency       None configured
Switchport mode       Access
The settings in Table 17-4 show recommended port settings by port type.
Table 17-4. Recommended Port Settings
Port            Settings
1000M Copper    Auto-Neg (100,1000), Full-duplex
2.
Configuring Port Characteristics (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring port characteristics on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Port Configuration Use the Port Configuration page to define port parameters.
Configuring Multiple Ports To configure port settings on multiple ports: 1 Open the Port Configuration page. 2 Click Show All to display the Port Configuration Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings. 5 Click Apply. Figure 17-2. Configure Port Settings 6 Select the Copy Parameters From check box, and select the port with the settings to apply to other ports.
Figure 17-3. Copy Port Settings 8 Click Apply.
Link Dependency Configuration Use the Link Dependency Configuration page to create link dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Configuration page, click Switching Link Dependency Configuration in the navigation panel. Figure 17-4. Link Dependency Configuration Creating a Link Dependency Group To create link dependencies: 1 Open the Link Dependency Configuration page.
Figure 17-5. Link Dependency Group Configuration 6 Click Apply. The Link Dependency settings for the group are modified, and the device is updated.
Link Dependency Summary Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. The page displays the groups whether they have been configured or not. To display the Link Dependency Summary page, click Switching Link Dependency Link Dependency Summary in the navigation panel. Figure 17-6. Link Dependency Summary To configure a group, click the Modify link associated with the ID of the group to configure.
Port Green Ethernet Configuration Use the Green Ethernet Configuration page to enable or disable energysaving modes on each port. To display the Green Ethernet Configuration page, click System Green Ethernet Green Ethernet Configuration in the navigation panel. Figure 17-7.
Port Green Ethernet Statistics Use the Green Ethernet Statistics page to view information about per-port energy savings. To display the Green Ethernet Statistics page, click System Green Ethernet Green Ethernet Statistics in the navigation panel. Figure 17-8.
To view a summary of energy savings for the switch and all ports, click Summary. Figure 17-9. Green Ethernet Statistics Summary To view a chart that shows the estimated per-port energy savings, click Chart. Figure 17-10.
Port Green Ethernet LPI History Use the Green Ethernet LPI History page to view data about the amount of time the switch has spent in low-power idle (LPI) mode. To display the Green Ethernet LPI History page, click System Green Ethernet Green Ethernet LPI History in the navigation panel. Figure 17-11.
Configuring Port Characteristics (CLI)
This section provides information about the commands used for configuring port characteristics. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Port Settings
Use the following commands to configure various port settings.
Command: configure
Purpose: Enter Global Configuration mode.
Command: speed {10 | 100 | 1000 | 10000 | auto [100 | 1000 | 2500 | 5000 | 10000]}
Purpose: Configure the speed of a given Ethernet interface or allow the interface to automatically detect the speed. If you use the 100, 1000, 2500, 5000, or 10000 keywords with the auto keyword, the port auto-negotiates only at the specified speeds. Setting the speed without the auto keyword forces the speed to the single selected value and disables auto-negotiation.
Configuring Link Dependencies
Use the following commands to configure ports that are dependent on the state of other ports.
Command: configure
Purpose: Enter Global Configuration mode.
Command: link-dependency group group_id
Purpose: Enter the link-dependency mode to configure a link-dependency group.
Command: add interface
Purpose: Add member ports to the group. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Configuring Green Features
Use the following commands to configure and monitor energy-saving features for the ports and the switch. EEE capability requires auto-negotiation to be enabled.
Command: configure
Purpose: Enter Global Configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command.
Port Configuration Examples
This section contains the following examples:
• Configuring Port Settings
• Configuring Link Dependency Groups
Configuring Port Settings
The commands in this example specify the speed for port 1 (GigabitEthernet 1/0/1) and change the system MTU size. To configure the switch:
1 Enter Interface Configuration mode for port 1.
console#configure
console(config)#interface gigabitEthernet 1/0/1
2 Change the speed settings for the port.
Configuring Link Dependency Groups
The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down. When port 4 returns to the up state, port 3 is brought back up. In Group 2, port 6 is dependent on port-channel (LAG) 1, and the link action is up. If port-channel 1 goes down, port 6 is brought up.
with the voice VLAN on ports configured for voice VLAN. When configuring an interface as an access mode port, the interface is automatically made a member of VLAN 1 by default and removed from all other VLAN memberships. Each interface can be configured separately, or a range of interfaces can be configured with the same settings.
Command: configure
Purpose: Enter global configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface.
created VLANs. Trunk ports can be removed from membership in specific VLANs, including VLANs that are not yet configured on the switch. By default, the native VLAN for a trunk port is VLAN 1.
Command: configure
Purpose: Enter global configuration mode.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Command: switchport trunk {allowed vlan vlan-list | native vlan vlan-id}
Purpose: Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode.
• allowed vlan-list — Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. Separate non-consecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
Configuring a Port in General Mode Use the following commands to configure an interface with full 802.1q support and configure the VLAN membership information for the interface. General mode allows the configuration of the full range of VLAN tagging, including configuring a port with no default or native VLAN. In general, it is recommended that operators use either trunk or access mode as their default behaviors better match operator expectations.
Command: switchport general pvid vlan-id
Purpose: (Optional) Set the port VLAN ID. Untagged traffic that enters the switch through this port is tagged with the PVID. vlan-id — PVID. The selected PVID assignment must be to an existing VLAN. (Range: 1–4093). Entering a PVID value does not remove the previous PVID value from the list of allowed VLANs.
Command: switchport general acceptable-frame-type tagged-only
Purpose: (Optional) Specifies that the port will only accept tagged frames.
18 Port and System Security
This chapter describes how to configure port-based and system security features, which control access to the network through the switch ports, and the denial of service (DoS) feature. The topics covered in this chapter include:
• Port Security
• Denial of Service
Port Security
Port Security is used to enable security on a per-port basis.
Two methods are used to implement Port Security: dynamic locking and static locking. Static locking further has an optional sticky mode. Dynamic locking implements a first arrival mechanism for MAC locking. The administrator specifies how many dynamic addresses may be learned on the locked port. If the limit has not been reached, then a packet with an unknown source MAC address is learned and forwarded normally. If the MAC address limit has been reached, the packet is discarded.
the difference is that all sticky addresses for an interface are removed from the running-config when the interface is taken out of sticky mode. Static addresses must be removed from the running-config individually. Sticky MAC addresses appear in the running-config in the following form:
switchport port-security mac-address sticky 0011.2233.4455 vlan 33
Statically locked MAC addresses appear in the running-config in the following form:
switchport port-security mac-address 0011.2233.
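The locking behaviour described above (first-arrival learning up to the configured limit, discard once the limit is reached, static entries that persist, sticky entries that disappear together when sticky mode is turned off) is small enough to model end to end. The following Python is an added illustration written for this guide, not Dell firmware or CLI code; the class and method names (PortSecurity, receive, set_sticky, running_config) and the sample MAC addresses are constructed. Two modelling assumptions are labelled in the code: sticky-learned addresses count against the dynamic limit, and leaving sticky mode simply forgets them.

```python
"""Port-security MAC locking, modelled in Python (added illustration, not Dell code)."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    """Port-security state for one locked interface (hypothetical model)."""
    max_dynamic: int                                   # dynamic address limit set by the admin
    sticky: bool = False                               # sticky mode on/off
    static: dict = field(default_factory=dict)         # mac -> vlan, configured statically
    sticky_addrs: dict = field(default_factory=dict)   # mac -> vlan, learned while sticky
    dynamic: dict = field(default_factory=dict)        # mac -> vlan, learned, not in config
    violations: int = 0                                # frames discarded from unknown MACs

    def _known(self, mac: str) -> bool:
        return mac in self.static or mac in self.sticky_addrs or mac in self.dynamic

    def receive(self, src_mac: str, vlan: int) -> str:
        """Return 'forward' or 'discard' for a frame arriving with this source MAC."""
        if self._known(src_mac):
            return "forward"                           # known address: forwarded normally
        # Assumption: sticky-learned addresses count against the dynamic limit.
        learned = len(self.dynamic) + len(self.sticky_addrs)
        if learned < self.max_dynamic:
            # First arrival: learn the address (sticky or dynamic) and forward the frame.
            (self.sticky_addrs if self.sticky else self.dynamic)[src_mac] = vlan
            return "forward"
        # Limit reached: an unknown source MAC is a violation and the frame is dropped.
        self.violations += 1
        return "discard"

    def add_static(self, mac: str, vlan: int) -> None:
        self.static[mac] = vlan

    def remove_static(self, mac: str) -> None:
        """Static addresses leave the configuration one at a time."""
        self.static.pop(mac, None)

    def set_sticky(self, enabled: bool) -> None:
        """Leaving sticky mode removes every sticky address; static ones stay.
        Assumption: the model forgets them rather than demoting them."""
        self.sticky = enabled
        if not enabled:
            self.sticky_addrs.clear()

    def running_config(self) -> list:
        """Lines in the form the running-config uses for sticky and static MACs."""
        lines = [f"switchport port-security mac-address sticky {m} vlan {v}"
                 for m, v in self.sticky_addrs.items()]
        lines += [f"switchport port-security mac-address {m} vlan {v}"
                  for m, v in self.static.items()]
        return lines


def demo() -> dict:
    """Walk through learning, a violation, and leaving sticky mode (constructed MACs)."""
    ps = PortSecurity(max_dynamic=2, sticky=True)
    ps.add_static("0011.2233.aaaa", 33)
    results = [ps.receive("0011.2233.4455", 33),   # learned as sticky
               ps.receive("0011.2233.4466", 33),   # learned as sticky
               ps.receive("0011.2233.4477", 33),   # limit reached: discarded
               ps.receive("0011.2233.aaaa", 33)]   # static: always forwarded
    before = ps.running_config()
    ps.set_sticky(False)
    after = ps.running_config()
    return {"results": results, "violations": ps.violations,
            "config_before": before, "config_after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The violation counter is the value a practitioner would poll (the show port-security violation output on the real switch) to spot a port where an unexpected device, or a flood of spoofed source addresses, has hit the limit.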
To display the Port Security page, click Switching Network Security Port Security in the navigation panel. Figure 18-1. Network Security Port Security Configuring Port Security Settings on Multiple Ports To configure port security on multiple ports: 1 Open the Port Security page. 2 Click Show All to display the Port Security Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings for all ports that are selected for editing.
Figure 18-2. Configure Port Security Settings 5 Click Apply.
Configuring Port Security (CLI)
Use the following commands to enable port security on an interface to limit the number of source MAC addresses that can be learned.
Command: configure
Purpose: Enter Global Configuration mode.
Command: switchport port-security
Purpose: Enable port-security administrative mode. Port security must be enabled globally in order to operate on any interfaces.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface.
Command: show port-security [interface-id | all | dynamic interface-id | static interface-id | violation interface-id]
Purpose: View port security settings on all interfaces or the specified interface. Use the dynamic keyword to display learned MAC addresses and the static keyword to display configured MAC addresses.
Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks. DoS protection is disabled by default. To display the Denial of Service page, click System Management Security Denial of Service in the navigation panel. Figure 18-3.
19 Access Control Lists
This chapter describes how to configure Access Control Lists (ACLs), including IPv4, IPv6, and MAC ACLs. This chapter also describes how to configure time ranges that can be applied to any of the ACL types. The topics covered in this chapter include:
• ACL Overview
• ACL Configuration Details
• Policy-Based Routing
• Configuring ACLs (Web)
• Configuring ACLs (CLI)
• ACL Configuration Examples
Depending on whether an ingress or egress ACL is applied to a port, when the traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria configured in its rules, in list order, to the fields in a packet or frame to check for matching conditions. The ACL processes the traffic based on the actions contained in the rules. ACLs are organized into access groups. Access groups are numbered in priority (lowest number has highest priority).
ACLs may be used to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs contain packet match criteria based on Layer-2 fields in Ethernet frames. IP ACLs contain packet match criteria based on Layer-3 and Layer-4 fields in the packet. Dell EMC Networking N-Series switches support both IPv4 and IPv6 ACLs and support ACLs applied to up to 24 VLAN interfaces.
ACL Counters
Matching rules in an ACL are counted. The counts may be displayed using the show ip access-list or show mac access-list commands.
MAC access list actions include CoS queue assignment, logging, mirroring, and redirection to another port, as well as the usual permit and deny actions. It is possible to configure MAC access groups in conjunction with IP access groups on the same interface. MAC ACLs can be configured on a VLAN interface as well as a physical interface or port channel. What Are IP ACLs? IP ACLs contain filters for layers 3 and 4 on IPv4 or IPv6 traffic.
• Log — perform the logging action on the matching packet as described below. • Mirror — forward a copy of the matching packet to the designated interface. The original packet continues to be forwarded to its original destination. • Redirect — forward the matching packet to the designated interface. The original destination of the packet is ignored. • Rate limit — forward matching packets that do not exceed the rate limit. Drop packets exceeding the rate limit.
What Is the ACL Mirror Function? ACL mirroring provides the ability to send a copy of traffic that matches a permit rule to a specific physical port or LAG. Using ACLs to mirror traffic is called flow-based mirroring, since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated out of another interface.
NOTE: Adding a conflicting periodic time range to an absolute time range will cause the time range to become inactive. For example, consider an absolute time range from 8:00 AM Tuesday March 1st 2011 to 10 PM Tuesday March 1st 2011. Adding a periodic entry using the 'weekend' keyword will cause the time-range to become inactive because Tuesdays are not on the weekend. A named time range can contain up to 10 configured time ranges. Only one absolute time range can be configured per time range.
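The interaction in the NOTE (an absolute entry and a periodic entry that never overlap, leaving the named time range permanently inactive) is easy to get wrong when reviewing a configuration, so here is an added Python model of the activity check. It is an illustration written for this guide, not Dell firmware code; TimeRange, add_absolute, add_periodic and is_active are hypothetical names. It assumes the range is active only when the absolute entry (if present) and at least one periodic entry (if any are present) both cover the instant, that periodic entries start and end on the same day, and it models the day keywords listed in DAY_KEYWORDS (the page itself mentions only 'weekend').

```python
"""Time-range activity check, modelled in Python (added illustration, not Dell code)."""
from datetime import datetime, time

# datetime.weekday() numbering: Monday = 0 ... Sunday = 6. Keyword set is an assumption.
DAY_KEYWORDS = {
    "daily": {0, 1, 2, 3, 4, 5, 6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}
MAX_ENTRIES = 10          # a named time range holds up to 10 entries


class TimeRange:
    """One named time range: at most one absolute entry plus periodic entries."""

    def __init__(self, name: str):
        self.name = name
        self.absolute = None          # (start, end) datetimes, or None
        self.periodic = []            # list of (set of weekdays, start time, end time)

    def _entry_count(self) -> int:
        return len(self.periodic) + (1 if self.absolute is not None else 0)

    def add_absolute(self, start: datetime, end: datetime) -> None:
        if self.absolute is not None:
            raise ValueError("only one absolute entry is allowed per time range")
        if self._entry_count() >= MAX_ENTRIES:
            raise ValueError("time range already holds 10 entries")
        self.absolute = (start, end)

    def add_periodic(self, days: str, start: time, end: time) -> None:
        """Same-day periodic entry, e.g. ('weekend', 00:00, 23:59) (model simplification)."""
        if self._entry_count() >= MAX_ENTRIES:
            raise ValueError("time range already holds 10 entries")
        self.periodic.append((DAY_KEYWORDS[days], start, end))

    def is_active(self, now: datetime) -> bool:
        """Active when inside the absolute window (if any) AND some periodic entry (if any)."""
        if self.absolute is not None:
            start, end = self.absolute
            if not (start <= now <= end):
                return False
        if self.periodic:
            clock = now.time()
            return any(now.weekday() in days and s <= clock <= e
                       for days, s, e in self.periodic)
        return True


def note_example() -> tuple:
    """The NOTE's scenario: Tuesday 1 March 2011 08:00 to 22:00, then a 'weekend' entry."""
    tr = TimeRange("example")
    tr.add_absolute(datetime(2011, 3, 1, 8, 0), datetime(2011, 3, 1, 22, 0))
    noon_tuesday = datetime(2011, 3, 1, 12, 0)
    before = tr.is_active(noon_tuesday)              # inside the absolute window
    tr.add_periodic("weekend", time(0, 0), time(23, 59))
    after = tr.is_active(noon_tuesday)               # Tuesday is not a weekend day
    return before, after


if __name__ == "__main__":
    print(note_example())
```

A rule bound to a time range that is never active is, in effect, absent, which matters most when the rule is a deny: the traffic it was meant to block simply falls through to the next rule.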
supports a fixed number of matching criteria (values and masks). Slices operate in parallel to perform the configured matching operations. An ACL with a different offset requires the use of a new hardware slice but multiple matching values can be specified for a single slice (e.g., an IPv4 destination address with a 32-bit mask is 192.168.21.1 or 192.168.12.3).
Table 19-1.
Table 19-2. ACL Software Limits (Continued) Limitation Dell EMC Dell EMC Dell EMC Networking Networking Networking N1100 Series N1500 Series N2000/ N2100ON/N2200-ON Series Dell EMC Networking N3000-ON/ N3100-ON Series 1021 ing., 253 378 ing., 253 Maximum ACL egr. Rules per Interface egr. and Direction (IPv6) 1023 ing., 509 egr. 1021 ing.
• The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Once a packet has matched a rule, the corresponding action is taken and no further attempts to match the packet are made. Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny all the system supplies at the end of the last configured access group. • Egress (out) ACLs only affect switched/routed traffic.
ACL Configuration Details How Are ACLs Configured? To configure ACLs, follow these steps: 1 Create an IP or MAC ACL by specifying a name. 2 Add new rules to the ACL. 3 Configure the match criteria for the rules. 4 Apply the ACL to one or more interfaces. Editing Access Lists When editing access lists, entries are added in the order specified by the rule sequence number. It is recommended that rule sequence number indices be separated by a fixed offset (e.g., 10).
frame should also specify a source or destination MAC address wherever possible. Likewise, MAC ACLs that specify a source MAC address should specify an EtherType to avoid interfering with control-plane traffic. In general, any rule that specifies matching on an upper-layer protocol field should also include matching constraints on as many of the lower-layer fields as possible.
Table 19-4. Common IP Protocol Numbers (Continued)
IP Protocol Number    Protocol
0x02                  IGMP
0x06                  TCP
0x08                  EGP
0x09                  IGP
0x11                  UDP
Using IP and MAC Address Masks
Masks are used with IP and MAC addresses to specify what should be considered in the address for a match. Masks are expanded internally into a bit mask and are applied bit-wise in the hardware even though they are entered in decimal or hexadecimal format. Masks need not have contiguous 0 or 1 bits.
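The three points this chapter keeps returning to (rules are tried in sequence order and the first match wins, access groups on an interface are evaluated lowest sequence number first with an implicit deny all after the last one, and address masks are applied bit-wise so they need not be contiguous) can be put together in one small evaluator. The Python below is an added example for this guide, not Dell firmware code; Rule, AccessGroup, Packet, evaluate and the sample addresses are constructed. It assumes the mask is a wildcard mask as in the srcip srcmask syntax, with a 1 bit meaning "do not care", and models only protocol, addresses and a single eq destination port.

```python
"""ACL first-match evaluation with wildcard masks (added illustration, not Dell code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(value: str, pattern: str, mask: str) -> bool:
    """Bit-wise match: only the bits where the mask is 0 must be equal.
    Assumption: wildcard semantics (1 = don't care), applied bit-wise, so the
    mask may be non-contiguous exactly as the chapter says."""
    v, p, m = (int(IPv4Address(x)) for x in (value, pattern, mask))
    return (v & ~m & 0xFFFFFFFF) == (p & ~m & 0xFFFFFFFF)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None    # Layer-4 destination port, if any


@dataclass
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    proto: str                     # "ip" matches any IP protocol
    src: str
    src_mask: str
    dst: str
    dst_mask: str
    dport: Optional[int] = None    # "eq dport" match when set
    hits: int = 0                  # the counter shown by show ip access-list

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return (wildcard_match(pkt.src, self.src, self.src_mask)
                and wildcard_match(pkt.dst, self.dst, self.dst_mask))


@dataclass
class AccessGroup:
    name: str
    seq: int                       # lower number = higher priority on the interface
    rules: list = field(default_factory=list)


def evaluate(groups: list, pkt: Packet) -> tuple:
    """Return (action, label). First matching rule wins and bumps its counter;
    a packet matching nothing falls into the implicit deny all that follows the
    last configured access group on the interface."""
    for group in sorted(groups, key=lambda g: g.seq):
        for rule in sorted(group.rules, key=lambda r: r.seq):
            if rule.matches(pkt):
                rule.hits += 1
                return rule.action, f"{group.name}/{rule.seq}"
    return "deny", "implicit-deny-all"


ANY = ("0.0.0.0", "255.255.255.255")   # the `any` keyword as pattern + wildcard mask


def build_example_groups() -> list:
    """Constructed sample policy for one interface (hypothetical addresses)."""
    mgmt = AccessGroup("mgmt-acl", seq=10, rules=[
        # Deny Telnet to the constructed management address before the broad permit,
        # otherwise rule 20 would match first and the deny would never be reached.
        Rule(10, "deny", "tcp", *ANY, "10.0.0.1", "0.0.0.0", dport=23),
        Rule(20, "permit", "ip", "10.1.0.0", "0.0.255.255", *ANY),
    ])
    web = AccessGroup("web-acl", seq=20, rules=[
        # Non-contiguous mask 0.0.255.0: any third octet, host octet must be 5.
        Rule(10, "permit", "tcp", "10.9.0.5", "0.0.255.0", *ANY, dport=80),
    ])
    return [mgmt, web]


if __name__ == "__main__":
    groups = build_example_groups()
    for pkt in (Packet("10.1.5.9", "10.0.0.1", "tcp", 23),
                Packet("10.1.5.9", "10.2.2.2", "tcp", 23),
                Packet("10.9.77.5", "10.2.2.2", "tcp", 80),
                Packet("10.9.77.6", "10.2.2.2", "tcp", 80)):
        print(pkt, "->", evaluate(groups, pkt))
```

Reading the hit counters after a test flow is the quickest way to confirm that a deny placed ahead of a broad permit is actually the rule being matched; a counter that stays at zero on a rule you expected to fire usually means an earlier rule is shadowing it.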
Policy-Based Routing In contemporary inter-networks, network administrators often need to implement packet forwarding/routing according to specific organizational policies. Policy-Based Routing (PBR) exactly fits this purpose. Policy-Based Routing provides a flexible mechanism to implement solutions where organizational constraints dictate that traffic be routed through specific network paths. PBR does not affect route redistribution that occurs via routing protocols. PBR is a true routing policy solution.
Additional match criteria may be configured by the administrator if desired. Since a route-map is configured in the context of a routing VLAN, a VLAN tag is automatically added to the match criteria without the need for the administrator to specify the VLAN ID. Route-Map Processing An incoming packet is matched against the criteria in the 'match' terms specified in each route-map in the policy. The 'match' terms (clauses) must refer to one or more MAC or IPv4 access-groups or a packet length.
• For a permit route-map, if the decision reached in the above step is deny, then PBR does not apply any action that is specified in set term(s) in the route-map statement. In this situation, the counter for this match statement is not incremented. The processing logic terminates, and the packet goes through the standard destination-based routing logic.
• List of default next-hop IP addresses — The set ip default next-hop command checks the list of destination IP addresses in the routing table and, if there is no explicit route for the packet's destination address in the routing table, the next-hop destinations are evaluated, and packets are routed to the first-available next hop. Packets that do not match are routed using the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.
In the last column of the table (Optimized), a Yes entry means the rule is never processed in hardware because the action, if any, is to fall through to the next match criteria. The system optimizes out deny ACL match clauses and never processes them in the system hardware. Counters for these match clauses will always show 0. ACLs and Policy Interaction Within this paragraph, the word policy refers to both DiffServ Policy and Policy Based Routing.
Policy Action (VLAN) ACL Action (Interface) Result set ip precedence deny deny mirror both redirect both (see Note 1) rate limit both deny deny (see Note 2) mirror mirror redirect redirect rate limit deny deny deny mirror both redirect both (see Note 1) rate limit both set interface null0 set ip next-hop (default) 1. In the case of redirect ACL action, both the redirect and policy actions are honored, if possible.
No Implicit “deny all” Rule When an access-group is configured on an interface, an implicit rule of “deny all” is applied to the last access-group on the interface. Since PBR processing occurs after normal ACL processing, when a “permit” route-map associated ACL is applied to an interface, the implicit “deny all” rule is not applied. When match rules in an ACL associated with a route-map are successful, packets are considered as candidates for routing according to the rules specified in the route-map.
PBR Associated ACLs and DiffServ Policies Processed After User-defined ACLs Each ACL in an access-group is associated with a sequence number indicating the order in which the ACL is processed by the hardware. Likewise, a route-map may have multiple statements with different sequence numbers associated with each ACL entry.
ACL Resource Sharing
An ACL rule contains match and action attributes. For example, an ACL rule may have a match clause on source IP address and action attributes independent of PBR such as queue assignment as shown below:
console#config
console(config)#ip access-list example-1
console(config-ip-acl)#permit ip 1.1.1.1 0.0.0.
Figure 19-1. IP ACL Configuration Adding an IPv4 ACL To add an IPv4 ACL: 1 Open the IP ACL Configuration page. 2 Click Add to display the Add IP ACL page. 3 Specify an ACL name. Figure 19-2. Add IP ACL 4 Click Apply. Removing IPv4 ACLs To delete an IPv4 ACL: 1 From the IP ACL Name menu on the IP ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply.
Viewing IPv4 ACLs To view configured ACLs, click Show All from the IP ACL Configuration page. Figure 19-3.
IP ACL Rule Configuration Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, rules can be used to assign traffic to a particular queue, filter on some traffic, change a VLAN tag, and/or redirect the traffic to a particular port. NOTE: There is an implicit deny all rule at the end of an ACL list.
Figure 19-4. IP ACL - Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
MAC ACL Configuration Use the MAC ACL Configuration page to define a MAC-based ACL. To display the MAC ACL Configuration page, click Switching Network Security Access Control Lists MAC Access Control Lists Configuration in the navigation panel. Figure 19-5. MAC ACL Configuration Adding a MAC ACL To add a MAC ACL: 1 Open the MAC ACL Configuration page. 2 Click Add to display the Add MAC ACL page. 3 Specify an ACL name. Figure 19-6. Add MAC ACL 4 Click Apply.
1 From the MAC ACL Name menu on the MAC ACL Configuration page, select the ACL to rename or remove. 2 To rename the ACL, select the Rename checkbox and enter a new name in the associated field. 3 To remove the ACL, select the Remove checkbox. 4 Click Apply. Viewing MAC ACLs To view configured ACLs, click Show All from the MAC ACL Configuration page. Figure 19-7.
MAC ACL Rule Configuration Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default deny all rule is the last rule of every list. To display the MAC ACL Rule Configuration page, click Switching Network Security Access Control Lists MAC Access Control Lists Rule Configuration in the navigation panel. Figure 19-8.
IPv6 ACL Configuration Use the IPv6 ACL Configuration page to add or remove IPv6 ACLs. To display the IPv6 ACL Configuration page, click Switching Network Security Access Control Lists IPv6 Access Control Lists IPv6 ACL Configuration in the navigation panel. Figure 19-9. IPv6 ACL Configuration Adding an IPv6 ACL To add an IPv6 ACL: 1 Open the IPv6 ACL Configuration page. 2 Click Add to display the Add IPv6 ACL page. 3 Specify an ACL name. Figure 19-10. Add IPv6 ACL 4 Click Apply.
1 From the IPv6 ACL Name menu on the IPv6 ACL Configuration page, select the ACL to rename or remove. a To rename the ACL, select the Rename checkbox and enter a new name in the associated field b To delete the ACL, select the Remove checkbox. 2 Click Apply. Viewing IPv6 ACLs To view configured ACLs, click Show All from the IPv6 ACL Configuration page. The IPv6 ACL Table page displays. Figure 19-11.
Figure 19-12. IPv6 ACL - Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
ACL Binding Configuration When an ACL is bound to an interface, all the rules that have been defined are applied to the selected interface. Use the ACL Binding Configuration page to assign ACL lists to ACL Priorities and Interfaces. From the web interface, the ACLs rules can be configured in the ingress or egress direction so that they implement security rules for packets entering or exiting the port. ACLs can be applied to any physical (including 10 Gb) interface, LAG, or routing port.
Time Range Configuration Use the Time Range Configuration page to define time ranges to associate with ACL rules. To display the Time Range Configuration page, click System Time Synchronization Time Range Configuration in the navigation panel. The following image shows the page after at least one time range has been added. Otherwise, the page indicates that no time ranges are configured, and the time range configuration fields are not displayed. Figure 19-14.
Figure 19-15. Add a Time Range 3 Click Apply. 4 Click Detail to return to the Time Range Configuration page. 5 In the Time Range Name field, select the name of the time range to configure. 6 Specify an ID for the time range. Up to 10 different time range entries can be configured to include in the named range. However, only one absolute time entry is allowed per time range. 7 Configure the values for the time range entry. 8 Click Apply.
Configuring ACLs (CLI) This section provides guidelines for the commands you use to create and configure ACLs. For a complete description of the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring an IPv4 ACL Use the following commands to create an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
Command Purpose [sequence-number] {deny | permit} {{ipv4protocol | 0-255 | every} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | ack] [+urg | -urg] [established]] [icmptype icmp-type [icmpcode icmp-code] | icmpmessage icmp-messag
– When range is specified, TCP or UDP ACL rule matches only if the Layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal or greater than the starting port. The starting port, ending port, and all ports in between will be part of the Layer-4 port range.
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established] — Specifies that the IP/TCP/UDP ACL rule matches on the TCP flags.
– Ack – Acknowledgement bit
– Fin – Finished bit
– Psh – Push bit
– Rst – Reset bit
– Syn – Synchronize bit
– Urg – Urgent bit
– When “+” is specified, a match occurs if the specified flag is set in the TCP header.
• igmp-type igmp-type—When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type (i.e., a number from 0 to 255).
• fragments—Specifies the rule matches packets that are non-initial fragments (fragment bit asserted). Not valid for rules that match L4 information such as TCP port number since that information is carried in the initial packet. This keyword is also not valid for IPv6 packets since they should never be fragmented.
Command: interface interface
Purpose: (Optional) Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command. For example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
Command: ip access-group name direction seqnum
Purpose: Bind the specified ACL to an interface.
Configuring a MAC ACL
Use the following commands to create a MAC ACL, configure rules for the ACL, and bind the ACL to an interface.
Command: configure
Purpose: Enter global configuration mode.
Command: mac access-list extended name
Purpose: Create a named MAC ACL. This command also enters MAC Access List Configuration mode. If a MAC ACL with this name already exists, this command enters the mode to update the existing ACL.
Command: [sequence-number] {deny | permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu} [{ethertypekey | 0x0600-0xFFFF}] [vlan eq 0-4095] [cos 0-7] [secondary-vlan eq 0-4095] [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} interface] [rate-limit rate burst-size]
Purpose: Specify the rules (match conditions) for the MAC access list.
• sequence-number — Identifies the order of application of the permit/deny statement.
• log—Specifies that this rule is to be logged.
• time-range time-range-name—Allows imposing a time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately.
Command: mac access-group name direction seqnum
Purpose: Bind the specified MAC ACL to an interface. NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode.
• name — Access list name. (Range: Valid MAC access-list name up to 31 characters in length)
• direction — Direction of the ACL. (Range: In or out. Default is in.)
• seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295. Default is 1.
Configuring an IPv6 ACL Use the following commands to create an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface. Command Purpose configure Enter global configuration mode. ipv6 access-list name Create an extended IPv6 ACL. This command also enters IPv6 Access List Configuration mode. If an IPv6 ACL with this name already exists, this command enters the mode to update the existing ACL.
Command: [sequence-number] {deny | permit} {ipv6protocol | number | every} {source-ipv6prefix/prefix-length | any | host source-ipv6address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {destination-ipv6prefix/prefix-length | any | host destination-ipv6address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [establis
Purpose (continued):
– When eq is specified, the IPv6 ACL rule matches only if the Layer-4 port number is equal to the specified port number or portkey.
– When lt is specified, the IPv6 ACL rule matches if the Layer-4 destination port number is less than the specified port number or portkey. It is equivalent to specifying the range as 0 to .
• destination ipv6 prefix — IPv6 prefix in IPv6 global address format.
Command: ipv6 traffic-filter name direction [sequence seqnum]
Purpose: Bind the specified IPv6 ACL to an interface.
NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode.
• name — Access list name. (Range: Valid IPv6 access-list name up to 31 characters in length)
• direction — Direction of the ACL. (Range: in or out. Default is in.)
• seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. (Range: 1–4294967295.)
Command: periodic {days-of-the-week time} to {[days-of-the-week] time}
Purpose: Configure a recurring time entry for the named time range.
• days-of-the-week — The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect.
ACL Configuration Examples
This section contains the following examples:
• "Basic Rules" on page 722
• "Internal System ACLs" on page 723
• "Complete ACL Example" on page 724
• "Advanced Examples" on page 728
• "Policy-Based Routing Examples" on page 740
NOTE: None of these ACL rules are applicable to the OOB interface.
Basic Rules
• Inbound rule allowing all packets, sequenced after all other rules.
• Inbound rule allowing access FROM hosts with IP addresses ranging from 10.0.46.0 to 10.0.47.254:
permit ip 10.0.46.0 0.0.1.255 any
• Inbound rule allowing access TO hosts with IP addresses ranging from 10.0.48.0 to 10.0.49.254:
permit ip any 10.0.48.0 0.0.1.255
As the last rule in an administrator-defined list, the narrower scope of this inbound rule has no effect other than to possibly interfere with switch management access or router operations.
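To check what a wildcard-mask rule actually covers before binding it, the following added example (not from the Dell guide) evaluates rules in the "permit ip source wildcard destination wildcard" form shown above, in order, with the implicit deny-all that follows the last administrator-defined rule. The rule text and addresses come from the Basic Rules; the evaluator itself is illustrative code.

```python
import ipaddress
from typing import List, Tuple

# Added example, not taken from the Dell guide: evaluate IPv4 ACL rules written
# with the "address wildcard" notation used above. In a wildcard mask a 1 bit
# means "don't care" and a 0 bit means "must match" (the inverse of a subnet
# mask), so 10.0.46.0 0.0.1.255 covers 10.0.46.0 through 10.0.47.255.

ALL_ONES = 0xFFFFFFFF


def wildcard_match(address: str, base: str, wildcard: str) -> bool:
    """True if address matches base/wildcard. A base of 'any' matches every address."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))  # bits the rule checks
    return (a & care) == (b & care)


def wildcard_range(base: str, wildcard: str) -> Tuple[str, str]:
    """Lowest and highest address a contiguous wildcard covers.

    For 10.0.46.0 0.0.1.255 this is 10.0.46.0 .. 10.0.47.255; the last address
    is the broadcast of that /23, which is why the text quotes hosts up to .254.
    """
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    low = b & (ALL_ONES ^ w)
    high = low | w
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "any", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_rule(line: str) -> Tuple[str, str, Tuple[str, str], Tuple[str, str]]:
    """Parse '<permit|deny> <protocol> <src> <dst>' into its parts (port options are ignored)."""
    tokens = line.split()
    action, protocol = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    src_base, src_wc, i = _parse_endpoint(tokens, 2)
    dst_base, dst_wc, _ = _parse_endpoint(tokens, i)
    return action, protocol, (src_base, src_wc), (dst_base, dst_wc)


def evaluate(acl: List[str], src: str, dst: str) -> str:
    """Apply the rules in order; the first match decides.

    No match means deny: that is the implicit deny-all that sits after the
    last administrator-defined rule of every ACL.
    """
    for line in acl:
        action, _proto, (sb, sw), (db, dw) = parse_rule(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# The two "Basic Rules" from the text, in order.
BASIC_RULES = [
    "permit ip 10.0.46.0 0.0.1.255 any",
    "permit ip any 10.0.48.0 0.0.1.255",
]

if __name__ == "__main__":
    print(wildcard_range("10.0.46.0", "0.0.1.255"))          # ('10.0.46.0', '10.0.47.255')
    print(evaluate(BASIC_RULES, "10.0.47.200", "192.0.2.9"))  # permit (first rule)
    print(evaluate(BASIC_RULES, "192.0.2.9", "10.0.50.1"))    # deny (implicit)
```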
Complete ACL Example The following example is a complete inbound ACL that allows access for hosts connected to gi1/0/1 with IP address in 10.1.1.x range to send IP packets to 192.168.0.X hosts on gi1/0/2. IP packets not from 10.1.1.x addresses or not addressed to 192.168.0.x hosts are dropped. Packets with protocols other than IP, DNS, ARP, or ICMP are dropped. Allowing ICMP supports the 10.1.1.x hosts in reliably receiving and initiating TCP connections and pinging through the switch.
console(config-if-gi1/0/2)#exit
Consider the following inbound rules that allow Telnet connections and UDP traffic from the 192.168.0.x network to host 10.1.1.23:
ip access-list Host10-1-1-23
! Permit Telnet traffic from 192.168.0.X network to host 10.1.1.23:
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 eq telnet
! Permit TCP traffic from 192.168.0.X network to host 10.1.1.23:
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23
! Permit UDP traffic from 192.168.0.X network to host 10.1.1.23:
permit udp 192.
packets with either the RST or ACK bits set (logical OR). Flags that are neither set nor cleared in the rule are not checked in the ACL (don't care or wildcard).
console(config)#ip access-list flags-demo
console(config-ip-acl)#permit tcp any any flag ?
established
Enter a TCP Flag (+fin, -fin, +syn, -syn, +rst, -rst, +psh, -psh, +ack, -ack, +urg, -urg, established). Enter a flag (+|-) only once.
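The flag semantics just described (+flag must be set, -flag must be clear, unmentioned flags are wildcards, established is RST or ACK) are easy to get wrong when reading a rule, so here is an added example (not from the Dell guide) that models a rule's flag option against a TCP flag byte. The flag names and the "only once" restriction come from the CLI help text above; the functions are illustrative.

```python
from typing import Dict, Tuple

# Added example, not taken from the Dell guide: model how the "flag" option of
# an IP ACL rule matches a TCP segment's flag byte. "+x" requires x set, "-x"
# requires x clear, flags not mentioned are not checked, and "established"
# matches when RST or ACK is set (logical OR).

TCP_FLAG_BITS: Dict[str, int] = {
    "fin": 0x01, "syn": 0x02, "rst": 0x04,
    "psh": 0x08, "ack": 0x10, "urg": 0x20,
}
ESTABLISHED_MASK = TCP_FLAG_BITS["rst"] | TCP_FLAG_BITS["ack"]


def parse_flag_spec(spec: str) -> Tuple[int, int, bool]:
    """Parse e.g. '+syn -ack' or 'established' into (set_mask, clear_mask, established).

    Each flag may be given only once, as the CLI help text requires.
    """
    set_mask = clear_mask = 0
    established = False
    seen = set()
    for token in spec.split():
        if token == "established":
            established = True
            continue
        sign, name = token[:1], token[1:]
        if sign not in ("+", "-") or name not in TCP_FLAG_BITS:
            raise ValueError(f"bad flag token: {token!r}")
        if name in seen:
            raise ValueError(f"flag {name!r} given more than once")
        seen.add(name)
        if sign == "+":
            set_mask |= TCP_FLAG_BITS[name]
        else:
            clear_mask |= TCP_FLAG_BITS[name]
    return set_mask, clear_mask, established


def spec_is_valid(spec: str) -> bool:
    """True if the CLI would accept this flag specification."""
    try:
        parse_flag_spec(spec)
        return True
    except ValueError:
        return False


def flags_match(spec: str, tcp_flags: int) -> bool:
    """True if a segment with the given TCP flag byte matches the rule's flag spec."""
    set_mask, clear_mask, established = parse_flag_spec(spec)
    if tcp_flags & set_mask != set_mask:      # a flag required set is missing
        return False
    if tcp_flags & clear_mask:                # a flag required clear is present
        return False
    if established and not (tcp_flags & ESTABLISHED_MASK):
        return False                          # neither RST nor ACK set
    return True


if __name__ == "__main__":
    # A bare SYN (connection request) versus a SYN+ACK (reply).
    print(flags_match("+syn -ack", 0x02), flags_match("+syn -ack", 0x12))  # True False
    print(flags_match("established", 0x02))                                # False
```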
console(config-ip-acl)#permit tcp 10.1.1.0 0.0.0.255 eq ?
<0-65535> Enter the Layer 4 port number in the range 0 to 65535.
Enter a keyword { domain | echo | ftp | ftp-data | http | smtp | snmp | telnet | tftp | www | bgp | pop2 | pop3 | ntp | rip | time | who }.
To bind an access-list to an interface, use the access-group command. The in parameter specifies that the ACL is applied to ingress packets.
Advanced Examples
Configuring a Time-Based ACL
The following example configures an ACL that denies HTTP traffic from 8:00 pm to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100. The ACL permits VLAN 100 members to browse the Internet only during lunch and after hours. To configure the switch:
1 Create a time range called work-hours.
console#show ip access-lists web-limit IP ACL Name: web-limit Rule Number: 1000 Action......................................... Match All...................................... Protocol....................................... Source IP Address.............................. Destination IP Address......................... Destination Layer 4 Operator................... Destination L4 Port Keyword.................... ACL Hit Count..................................
Allow FTP Traffic Only to an FTP Server This ACL limits traffic from a router to a directly connected FTP server (172.16.0.5) on gi1/0/11. Notice that this is an “out” or egress ACL. Traffic to the router from the FTP server is not affected by this rule. Traffic from the router to the FTP server is limited to ICMP and packets destined to the FTP ports. There is no need to add permit rules for all the protocols the router can send to the host (e.g., ARP, ICMP, LLDP, etc.
Block Incoming Pings and Responses This example configures an ingress ACL that blocks incoming pings and ping responses. Since packets generated by the CPU are not affected by ACLs, to block pinging from the switch we add a rule to block the ping responses on ingress.
Assign Ingress Packets to a CoS Queue Assign a range of source or destination TCP ports to CoS queue 3 to provide elevated service. Two rules are necessary to handle packets that have source or destination ports outside the range.
Schedule Forwarding of Packets to a Different Port This ACL Layer-2 forwards matching packets to a different port based on a time schedule. This is not equivalent to Policy-Based Forwarding, as the TTL in the packet is not decremented, nor is a new destination MAC address written into the packet. The access-group policy is globally configured on all switch interfaces.
Rate limit WWW traffic (ACL) This example creates an ACL to rate-limit WWW traffic ingressing the switch on te1/0/1. Initial and established values require tuning for local traffic patterns and link speeds. Note that this ACL applies to traffic sent to the switch IP address as well as traffic forwarded by the switch (in rule). Permit rules with a rate-limit parameter do not require a following deny rule as matching packets exceeding the rate limit are discarded. Compare this with the example above.
console(config-ip-acl)#permit tcp any any eq 22 flag established rate-limit 1024 128
console(config-ip-acl)#permit tcp any any eq telnet rate-limit 12 2
console(config-ip-acl)#permit tcp any any eq 22 rate-limit 12 2
console(config-ip-acl)#2147483647 permit every
console(config-ip-acl)#exit
console(config)#ip access-group rate-limit-inband-mgmt controlplane
The following commands block fragmented traffic from being sent to the CPU:
console#config
console(config)#ip access-list no-frag-inband-mgmt
console(c
Expedite DSCP(EF) Traffic/Limit Background Traffic By default (with no CoS or DSCP configuration), packets are assigned to User Priority 1/CoS queue 0 (see the output from show classofservice trust and show classofservice dot1p-mapping). When incast occurs (multiple ports sending to a single output port at a rate greater than can be accommodated), the switch buffer capacity can be exhausted.
3 Match source MAC 001E.C9XX.XXXX. Rate limit to 100 Kbps with a burst of 32 Kbytes:
console(config-mac-access-list)#permit 001E.C900.0000 0000.00FF.
A Consolidated DoS Example This example includes some ACL rules to consider to reduce DoS attacks on the switch. It does not represent a complete DoS suite. A firewall with deep packet inspection capabilities should be used for true DoS protection. NOTE: The rate limits below should be adjusted to match the expected rates of traffic coming to the CPU.
console(config)#ip access-group squelch-dos-attacks controlplane
9 Further limit inbound traffic on in-band management ports. Allow only VLAN 99 SSH and TFTP; no Telnet, HTTP, HTTPS, or SNMP. The management access list actions are performed by the switch firmware in addition to the access list actions performed by the switching silicon, e.g., squelch-dos-attacks.
Policy-Based Routing Examples
Route-Map with Scheduled Redirection of RFC 1918 Addresses to a Different Next Hop
1 Create a time range named "work-hours" from 7:30 AM to 6:00 PM:
console#config
console(config)#time-range work-hours
console(config-time-range)#periodic weekdays 07:30 to 18:00
console(config-time-range)#exit
2 Define an IP ACL named "subnet-172-16" and permit all accesses on the subnet during the work-hours time range:
console(config)#ip access-list subnet-172-16
console(config-ip-acl)#pe
Complete Example of Policy-Based Routing on VLAN Routing Interfaces
In this example, a Layer-3 router with four VLAN routing interfaces (VLAN 10, VLAN 20, VLAN 30 and VLAN 40) is configured. Each of these interfaces is connected to Layer-2 switches. Traffic sent to host 2.2.2.2 from host 1.1.1.2 on VLAN interface 10 is normally routed over VLAN interface 20.
console(config-if-gi1/0/2)#exit
console(config)#interface gi 1/0/4
console(config-if-gi1/0/4)#switchport mode trunk
console(config-if-gi1/0/4)#switchport trunk allowed vlan remove 1
console(config-if-gi1/0/4)#switchport trunk native vlan 20
console(config-if-gi1/0/4)#exit
console(config)#interface gi1/0/22
console(config-if-gi1/0/22)#switchport mode trunk
console(config-if-gi1/0/22)#switch trunk allowed vlan remove 1
console(config-if-gi1/0/22)#switch trunk native vlan 30
console(config-if-gi1/0/22)#exit
co
5 Configure Policy Routing. To policy-route such traffic to VLAN routing interface 30, the following additional steps should be performed:
a Create an access-list matching all incoming IP traffic from host 1.1.1.1 destined to host 2.2.2.2:
console(config)#ip access-list Match-ip-1_1_1_2-to-2_2_2_2
console(config-ip-acl)#permit ip host 1.1.1.2 host 2.2.2.
20 VLANs (Dell EMC Networking N-Series Switches)
This chapter describes how to configure VLANs, including port-based VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs, and Voice VLANs. The topics covered in this chapter include:
• VLAN Overview
• Default VLAN Behavior
• Configuring VLANs (Web)
• Configuring VLANs (CLI)
• VLAN Configuration Examples
VLAN Overview
By default, all ports on Dell EMC Networking N-Series switches are in the same broadcast domain (VLAN 1).
sensitive traffic, like voice traffic, has priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access. When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN.
Figure 20-1. Simple VLAN Topology (a router and a switch serving Engineering VLAN 100, Tech Pubs VLAN 200 and Payroll VLAN 300)
In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.
Table 20-1 provides an overview of the types of VLANs that can be used to logically divide the network.
Table 20-1. VLAN Assignment
VLAN Assignment: Port-based (Static)
Description: This is the most common way to assign hosts to VLANs. The port where the traffic enters the switch determines the VLAN membership. Trunk ports are automatically members of all VLANs, unless specifically configured otherwise.
VLAN Assignment: IP Subnet
Description: Hosts are assigned to a VLAN based on their IP address.
NOTE: A stack of switches behaves as a single switch, so VLAN tagging is not required for packets traversing different stack members. Tagging may be required when a single port supports multiple devices that are members of different VLANs. For example, a single port might be connected to an IP phone, a PC, and a printer (the PC and printer are connected via ports on the IP phone).
The operation of GVRP relies upon the services provided by the Generic Attribute Registration Protocol (GARP). GVRP can create up to 1024 VLANs. For information about GARP timers, see "What Are GARP and GMRP?" on page 932. Double-VLAN Tagging For trunk ports, which are ports that connect one switch to another switch, the Dell EMC Networking N-Series switches support double-VLAN tagging as an option. This feature allows service providers to connect to Virtual Metropolitan Area Networks (VMANs).
Figure 20-2. Double VLAN Tagging Network Example Voice VLAN The Voice VLAN feature enables switch ports to carry voice traffic from IP phones with an administrator-defined priority. When multiple devices, such as a PC and an IP phone, are connected to the same port, the port can be configured to use one VLAN for voice traffic and another VLAN for data traffic. Multiple IP phones per port are supported.
The Voice VLAN feature can be enabled on a per-port basis. Voice VLAN supports a configurable Voice VLAN DSCP or IEEE 802.1p value. This value is transmitted by LLDP when the LLDPDU is transmitted, if LLDP has been enabled on the port, the DSCP/802.1p value is configured, and the LLDP network policy TLV has not been suppressed for the port. LLDP-MED is enabled by default on all ports. Voice VLAN is supported on ports configured in access mode or in general mode.
Some VoIP phones contain full support for IEEE 802.1X. For each VoIP device to authenticate independently of the data device, configure the port in access or general mode, add the Voice VLAN to the port and configure the port to use multi-domain or multi-domain-multi-host authentication. With both types of authentication, voice packets are identified by the MAC address of the phone.
• DHCP vendor-specific option 176 for Avaya VoIP phones
• LLDP-MED for many VoIP phones
• For ports configured for 802.1X or MAB authentication, an Access-Accept received from the AAA service with a vendor-proprietary VSA device-traffic-class = voice identifies the device as a VoIP device. DHCP/ISDP/CDP/LLDP information is not used to identify VoIP devices for assignment to the Voice VLAN.
NOTE: By default, ISDP is enabled globally and per-interface on the switch.
voice data coming from the VoIP phone is tagged with VLAN 0 (or the configured Voice VLAN) and with the configured priority; regular data arriving on the switch is given the default priority of the port, and the voice traffic is received with the operator-configured priority from the IP phone. By default, the switch is configured to trust the 802.1p priority for traffic received from any device, including IP phones.
Voice VLAN when a RADIUS server becomes reachable. Configuring a RADIUS server with a deadtime of 0 (default) effectively disables features such as critical Voice VLAN as the configured server is always marked live. Use the authentication event server dead action authorize voice command to enable critical Voice VLAN treatment on an interface. A non-zero dead time must be configured on all RADIUS servers for the servers to be marked dead so a device can be placed into the critical Voice VLAN.
Private VLANs Private VLANs partition a standard VLAN domain into two or more subdomains. Each subdomain is defined by a primary VLAN and a secondary VLAN. The primary VLAN ID is the same for all subdomains that belong to a particular private VLAN instance. The secondary VLAN ID differentiates the subdomains from each other and provides Layer-2 isolation between ports on the same private VLAN.
Private VLAN Usage Scenarios Private VLANs are typically implemented in a DMZ for security reasons. Servers in a DMZ are generally not allowed to communicate with each other but they must communicate to a router, through which they are connected to the users. Such servers are connected to host ports, and the routers are attached to promiscuous ports. Then, if one of the servers is compromised, the intruder cannot use it to attack another server in the same network segment.
Figure 20-3. Private VLAN Domain (router R1 attached to SW1 port TE1/1/1; hosts H-A, H-B and H-C on SW1 ports Gi1/0/10, Gi1/0/11 and Gi1/0/12; hosts H-D and H-E on SW2 ports Gi2/0/10 and Gi2/0/11)
Promiscuous Ports
An endpoint connected to a promiscuous port is allowed to communicate with any endpoint within the private VLAN. Multiple promiscuous ports can be defined for a single private VLAN domain. In the configuration shown in Figure 20-3, the port connected from SW1 to R1 (TE1/1/1) is configured as a promiscuous port.
Community Ports An endpoint connected to a community port is allowed to communicate with the endpoints within a community and can also communicate with any configured promiscuous port. The endpoints that belong to one community cannot communicate with endpoints that belong to a different community, or with endpoints connected to isolated ports. Private VLAN Operation in the Switch Stack and Inter-switch Environment The Private VLAN feature is supported in a stacked switch environment.
Table 20-2. Forwarding Rules for Traffic in Primary VLAN
From \ To        promiscuous  community 1  community 2  isolated  stack (trunk)
promiscuous      allow        allow        allow        allow     allow
community 1      N/A          N/A          N/A          N/A       N/A
community 2      N/A          N/A          N/A          N/A       N/A
isolated         N/A          N/A          N/A          N/A       N/A
stack (trunk)    allow        allow        allow        allow     allow
Table 20-3.
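As a way to sanity-check a planned private VLAN layout against the port-type rules above (promiscuous, community and isolated ports, plus the stack trunk row of Table 20-2), here is an added example that is not part of the Dell guide. The host names and community numbers are constructed for illustration, and treating the stack trunk as carrying every secondary VLAN is an assumption stated in the code.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example, not taken from the Dell guide: a small model of which endpoints
# may exchange frames inside one private VLAN domain, following the port-type
# rules described above and the stack (trunk) row of Table 20-2. The host and
# port names are constructed; they do not reproduce the figure's wiring.


@dataclass(frozen=True)
class PvlanPort:
    name: str
    kind: str                        # "promiscuous", "community", "isolated" or "trunk"
    community: Optional[int] = None  # which community VLAN; community ports only


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """True if a frame entering on src may be delivered out of dst.

    Promiscuous ports talk to everyone. Community ports reach their own
    community and the promiscuous ports. Isolated ports reach only the
    promiscuous ports. The inter-switch (stack) trunk is assumed here to
    carry every secondary VLAN so that frames reach promiscuous ports on
    other stack members, mirroring the "allow" row and column for
    stack (trunk) in Table 20-2.
    """
    if "promiscuous" in (src.kind, dst.kind) or "trunk" in (src.kind, dst.kind):
        return True
    if src.kind == "community" and dst.kind == "community":
        return src.community == dst.community   # same community only
    return False  # isolated<->isolated, isolated<->community, community<->isolated


def reachable_from(src: PvlanPort, ports: List[PvlanPort]) -> List[str]:
    """Names of the other ports that src can send to, sorted for stable output."""
    return sorted(p.name for p in ports if p is not src and can_forward(src, p))


# Constructed DMZ: a router on a promiscuous port, two web servers in
# community 1, a database server in community 2, and two servers that must
# not talk to anything but the router, on isolated ports.
ROUTER = PvlanPort("R1", "promiscuous")
WEB1 = PvlanPort("web1", "community", 1)
WEB2 = PvlanPort("web2", "community", 1)
DB1 = PvlanPort("db1", "community", 2)
MAIL = PvlanPort("mail", "isolated")
DNS = PvlanPort("dns", "isolated")
DMZ = [ROUTER, WEB1, WEB2, DB1, MAIL, DNS]

if __name__ == "__main__":
    for port in DMZ:
        print(f"{port.name:>5} -> {reachable_from(port, DMZ)}")
```

If a compromised host on an isolated port shows up as reaching anything other than the promiscuous ports in this model, the port type in the plan is wrong.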
Limitations and Recommendations
• Only a single isolated VLAN can be associated with a primary VLAN. Multiple community VLANs can be associated with a primary VLAN.
• Do not configure access ports using the VLANs participating in any of the private VLANs.
• Multiple primary VLANs may be configured. Each primary VLAN must be unique and each defines a separate private VLAN domain. The operator must take care to use only the secondary VLANs associated with the primary VLAN of a domain.
Private VLAN Configuration Example See "Configuring a Private VLAN" on page 813. Additional VLAN Features The Dell EMC Networking N-Series switches also support the following VLANs and VLAN-related features: • VLAN routing interfaces — See "Routing Interfaces" on page 1175. • Guest VLAN — See "Port and System Security" on page 663.
Default VLAN Behavior One VLAN is configured on the Dell EMC Networking N-Series switches by default. The VLAN ID is 1, and all ports are included in the VLAN as access ports, which are untagged. This means when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag. If a device sends a tagged frame to a port with a VLAN ID other than 1, the frame is dropped.
Table 20-6 shows the default values or maximum values for VLAN features.
Table 20-6. Additional VLAN Default and Maximum Values
Feature: Default VLAN
Value: VLAN 1
Feature: VLAN Name
Value: No VLAN name is configured except for VLAN 1, whose name "default" cannot be changed.
Feature: VLAN Range
Value: 2–4093
Feature: Switchport mode
Value: Access
Feature: Double-VLAN tagging
Value: Disabled. If double-VLAN tagging is enabled, the default EtherType value is 802.
Configuring VLANs (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLANs on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. VLAN Membership Use the VLAN Membership page to create VLANs and define VLAN groups stored in the VLAN membership table.
Table 20-7. VLAN Port Membership Definitions
Port Control: F
Definition: Forbidden: indicates that the interface is forbidden from becoming a member of the VLAN. This setting is primarily for GVRP, which enables dynamic VLAN assignment.
Port Control: Blank
Definition: Blank: the interface is not a VLAN member. Packets in this VLAN are not forwarded on this interface.
To perform additional port configuration, such as making the port a trunk port, use the Port Settings page.
Figure 20-4.
Figure 20-5. Add VLAN
4 Click Apply.
Configuring Ports as VLAN Members
To add member ports to a VLAN:
1 Open the VLAN Membership page.
2 From the Show VLAN menu, select the VLAN to which you want to assign ports.
3 In the Static row of the VLAN Membership table, click the blank field to assign the port as an untagged member. Figure 20-6 shows Gigabit Ethernet ports 8–10 being added to VLAN 300.
Figure 20-6. Add Ports to VLAN
4 Click Apply.
5 Verify that the ports have been added to the VLAN.
In Figure 20-7, the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN. Figure 20-7.
VLAN Port Settings Use the VLAN Port Settings page to add ports to an existing VLAN and to configure settings for the port. If you select Trunk or Access as the Port VLAN Mode, some of the fields are not configurable because of the requirements for that mode. NOTE: Ports can be added to a VLAN through the table on the VLAN Membership page or through the PVID field on the Port Settings page. The PVID is the VLAN that untagged received packets are assigned to.
Figure 20-9. VLAN Settings for All Ports
VLAN LAG Settings
Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG. To display the LAG Settings page, click Switching > VLAN > LAG Settings in the navigation panel.
Figure 20-10. VLAN LAG Settings
From the LAG Settings page, click Show All to see the current VLAN settings for all LAGs. To change the settings for one or more LAGs, click the Edit option for a port and select or enter new values.
Figure 20-11.
Bind MAC to VLAN
Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries. To display the Bind MAC to VLAN page, click Switching > VLAN > Bind MAC to VLAN in the navigation panel.
Figure 20-12. Bind MAC to VLAN
From the Bind MAC to VLAN page, click Show All to see the MAC addresses that are mapped to VLANs.
To display the Bind IP Subnet to VLAN page, click Switching > VLAN > Bind IP Subnet to VLAN in the navigation panel.
Figure 20-14. Bind IP Subnet to VLAN
From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets that are mapped to VLANs. From this page, settings can be changed for one or more entries or entries can be removed.
Figure 20-15.
GVRP Parameters
Use the GVRP Parameters page to enable GVRP globally and configure the port settings. To display the GVRP Parameters page, click Switching > VLAN > GVRP Parameters in the navigation panel.
Figure 20-16. GVRP Parameters
From the GVRP Parameters page, click Show All to see the GVRP configuration for all ports. From this page, settings can be changed for one or more entries.
NOTE: Per-port and per-LAG GVRP Statistics are available from the Statistics/RMON page.
Figure 20-17.
Protocol Group
Use the Protocol Group page to configure which EtherTypes go to which VLANs, and then enable certain ports to use these settings. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. Protocol-based VLANs are not compatible with STP-PV/RSTP-PV. Ensure that the spanning tree protocol is set to something other than one of the per-VLAN protocols.
Adding a Protocol Group
To add a protocol group:
1 Open the Protocol Group page.
2 Click Add to display the Add Protocol Group page.
3 Create a name for the group and associate a VLAN with the group.
Figure 20-19. Add Protocol Group
4 Click Apply.
5 Click Protocol Group to return to the main Protocol Group page.
6 From the Group ID field, select the group to configure.
7 In the Protocol Settings table, select the protocol and interfaces to associate with the protocol-based VLAN.
Figure 20-20. Configure Protocol Group
8 Click Apply.
9 Click Show All to see the protocol-based VLANs and their members.
Figure 20-21.
Double VLAN Global Configuration
Use the Double VLAN Global Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Global Configuration page, click Switching > VLAN > Double VLAN Global Configuration in the navigation panel.
Figure 20-22.
Double VLAN Interface Configuration
Use the Double VLAN Interface Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Interface Configuration page, click Switching > VLAN > Double VLAN Interface Configuration in the navigation panel.
Figure 20-23.
Figure 20-24.
Voice VLAN
Use the Voice VLAN Configuration page to configure and view Voice VLAN settings that apply to the entire system and to specific interfaces. To display the page, click Switching > VLAN > Voice VLAN Configuration in the navigation panel.
Figure 20-25. Voice VLAN Configuration
NOTE: IEEE 802.1X must be enabled on the switch before you disable IP phone authentication.
Configuring VLANs (CLI)
This section provides information about the commands you use to create and configure VLANs. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Creating a VLAN
Use the following commands to configure a VLAN and associate a name with the VLAN.
Command: configure
Purpose: Enter global configuration mode.
Configuring VLAN Settings for a LAG
The VLAN mode and membership settings you configure for a port are also valid for a LAG (port-channel). Use the following commands to configure the VLAN mode for a LAG. Once the switchport mode settings are specified for a LAG, other VLAN membership settings can be specified that are valid for the switchport mode.
Command: configure
Purpose: Enter global configuration mode.
Configuring Double VLAN Tagging
Dell EMC Networking N-Series switches use switchport dot1q-tunnel mode to configure an interface as a customer edge (CE) interface. The dot1q-tunnel mode is an overlay on switchport access mode. In particular, configuring the access mode PVID sets the outer dot1q-tunnel VLAN ID. Changing the switchport mode on a CE port to access, general, or trunk effectively disables tunneling on the interface. CE interfaces can be physical ports or port-channels.
DVLAN CE interfaces must be configured for tagging (dot1q-tunnel mode) for double tags to be observed on frames egressing the service provider (SP) interface. The DVLAN SP interface should be configured to accept tagged frames for the DVLAN or outer VLAN (trunk or general mode). Ensure that the native (access mode) VLAN on the customer edge (CE) port is set to the DVLAN ID. MAC address learning on DVLAN enabled ports occurs on the DVLAN CE port's native VLAN.
Command: spanning-tree guard root
Purpose: (Optional) Disable the ability of the CE port to become spanning tree root.
Command: spanning-tree tcnguard
Purpose: (Optional) Ignore topology changes received from CE ports.
Command: exit
Purpose: Exit to global configuration mode.
Command: CTRL + Z
Purpose: Exit to Privileged Exec mode.
Command: switchport trunk allowed vlan 100
Purpose: Only allow VLAN 100 packets on the interface.
Command: switchport trunk native vlan 100
Purpose: Configure untagged packets to be members of VLAN 100.
Configuring MAC-Based VLANs
Use the following commands to associate a MAC address with a configured VLAN. The VLAN does not need to be configured on the system to associate a MAC address with it.
Command: vlan association mac mac-address
Purpose: Associate a MAC address with a VLAN.
Command: CTRL + Z
Purpose: Exit to Privileged Exec mode.
Command: show vlan association mac [mac-address]
Purpose: Display the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.
• mac-address — MAC address to associate. (Range: Any MAC address in the format xxxx.xxxx.
Configuring IP-Based VLANs Use the following commands to associate an IP subnet with a configured VLAN. The VLAN does not need to be configured on the system to associate an IP subnet with it. However, the subnet VLAN must be configured on a port in order for the system to map packets matching the IP address to the subnet VLAN and to learn the associated MAC address on the subnet VLAN so that packets addressed to the associated IP address are forwarded properly.
Command: exit
Purpose: Exit to Global Config mode.
Command: CTRL + Z
Purpose: Exit to Privileged Exec mode.
Command: show vlan association subnet [ip-address ip-mask]
Purpose: Display the VLAN associated with a specific configured IP address and netmask. If no IP address and netmask are specified, the VLAN associations of all the configured IP subnets are displayed.
Configuring a Protocol-Based VLAN Use the following commands to create and name a protocol group, and associate VLANs with the protocol group. When you create a protocol group, the switch automatically assigns it a unique group ID number. The group ID is used for both configuration and script generation to identify the group in subsequent commands. A protocol group may have more than one interface associated with it, but each interface and protocol combination can be associated with one group only.
Command: exit
Purpose: Exit to Global Config mode.
Command: show port protocol all
Purpose: Obtain the group ID for the newly configured group.
Command: configure
Purpose: Enter global configuration mode.
Command: vlan protocol group add protocol groupid ethertype protocol
Purpose: Add any EtherType protocol to the protocol-based VLAN groups identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can be associated with one group only.
Command: protocol group groupid vlanid
Purpose: Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed.
• groupid — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command. To see the group ID associated with the name of a protocol group, use the show port protocol all command.
• vlanid — A valid VLAN ID.
Configuring GVRP
Use the following commands to enable GVRP on the switch and on an interface, and to configure various GVRP settings.
Command: configure
Purpose: Enter global configuration mode.
Command: gvrp enable
Purpose: Enable GVRP on the switch.
Command: interface interface-id
Purpose: Enter interface configuration mode for the specified port or LAG. The interface-id parameter includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 3.
Command: vlan makestatic vlan-id
Purpose: (Optional) Change a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined). vlan-id — Valid VLAN ID. Range is 2-4093.
Command: CTRL + Z
Purpose: Exit to Privileged Exec mode.
Command: show gvrp configuration
Purpose: Display GVRP configuration information. Timer values are displayed. Other data shows whether GVRP is enabled and which ports are running GVRP.
Configuring Voice VLANs
Use the following commands to enable the Voice VLAN feature on the switch and on an interface.
Command: configure
Purpose: Enter global configuration mode.
Command: switchport voice vlan
Purpose: Enable the Voice VLAN capability on the switch.
Command: interface interface
Purpose: Enter interface configuration mode for the specified interface. interface — Specific interface, such as gi1/0/8. A range of interfaces can be specified using the interface range command.
Command Purpose switchport voice vlan {vlanid | dot1p priority | none | untagged | data priority {trust | untrust} | overrideauthentication| dscp value} Enable the Voice VLAN capability on the interface. • vlanid —The Voice VLAN ID. This VLAN ID is sent to IP phones via LLDP. • priority —The IEEE 802.1p priority sent to IP phones on the port. This value is transmitted to the IP phone via LLDP. The switch must be configured locally to give packets using the transmitted priority the appropriate QoS.
Configuring a Voice VLAN (Extended Example) The commands in this example create a VLAN for voice traffic with a VLAN ID of 25 using an IP phone that does not support 802.1X authentication. Port gi1/0/10 is set to an 802.1Q VLAN. Next, Voice VLAN is enabled on the port with the Voice VLAN ID set to 25. Finally, Voice VLAN authentication is disabled on port gi1/0/10 because the phone connected to that port does not support 802.1X authentication. All other devices connected to the port are required to use 802.
console#configure
console(config)#vlan 25
console(config-vlan25)#exit
2 Globally enable the Voice VLAN feature on the switch.
console(config)#switchport voice vlan
3 Configure a rate-limiting ACL to ensure that the Voice VLAN does not present a denial-of-service threat. A G.711 voice stream generates 64 Kbps, which translates to 80 bytes of uncompressed voice every 10 ms. Overhead adds 40 bytes, so the phone will generate 100 packets of 120 bytes every second per voice stream, or about 96 Kbps.
console(config-if-Gi1/0/10)#authentication port-control auto
console(config-if-Gi1/0/10)#authentication host-mode multihost
5 Enable the Voice VLAN feature on the interface.
console(config-if-Gi1/0/10)#switchport voice vlan 25
6 Disable authentication for the Voice VLAN on the port. This step is required only if the voice phone does not support port-based authentication. MAB is not enabled on this port, as other devices such as a PC will still authenticate using 802.1X.
8 Map 802.1p priority 5 onto internal CoS queue 2. This is the switch default mapping.
console(config-if-Gi1/0/10)#classofservice dot1p-mapping 5 2
9 Rate limit incoming IEEE 802.1p priority 5 traffic.
console(config-if-Gi1/0/10)#mac access-group dot1p-5-limit in
Steps 6–8 are required to be configured on all ports that carry voice traffic end-to-end, including the switch ports connected to other switches and the ports on other switches that will carry voice traffic.
Assign CoS for Voice Packets via Policy
The following example configures a DiffServ policy that remarks the CoS value in voice packets and assigns the voice packets to an internal queue for expedited service. The policy can be assigned to an interface using the service-policy command.
1 Create the Voice VLAN in Global Configuration mode.
vlan 100
exit
2 Create a class map that matches the Voice VLAN.
Figure 20-26. Network Topology for LAG with RPVST and Voice VLAN MLAG Primary Peer Configuration 1 Configure the MLAG primary switch. Keepalives are disabled on the peer links (optional). The four peer-links are placed in port-channel 3. Port-channel 1 is the northbound (partner 1) MLAG interface in VPC 1 and port-channel 4 is the southbound (partner 2) interface in VPC 4. Finally, VPC is enabled and the VPC domain is set to 1.
console(config-if-Te1/0/2)#channel-group 3 mode active
console(config-if-Te1/0/2)#no keepalive
console(config-if-Te1/0/2)#exit
console(config)#interface Te1/0/3
console(config-if-Te1/0/3)#channel-group 3 mode active
console(config-if-Te1/0/3)#no keepalive
console(config-if-Te1/0/3)#exit
console(config)#interface Te1/0/4
console(config-if-Te1/0/4)#channel-group 3 mode active
console(config-if-Te1/0/4)#no keepalive
console(config-if-Te1/0/4)#exit
console(config)#interface Te1/0/19
console(config-if-Te1/0/19)#
console(config-if)#no keepalive
console(config-if)#exit
3 Configure spanning-tree mode as RPVST.
console(config)#spanning-tree mode rapid-pvst
4 Create VLAN 2 for voice traffic.
console(config)#vlan 2
console(config)#exit
5 Enable Voice VLAN globally.
console(config)#voice vlan
6 Configure CoS queue 2 as strict. By default, the VoIP phone sends voice traffic with 802.1p priority 5, which is mapped to CoS queue 2 by default.
console(config)#interface Te1/0/24
console(config-if-Te1/0/24)#channel-group 1 mode active
console(config-if-Te1/0/24)#no keepalive
console(config-if-Te1/0/24)#exit
console(config)#interface port-channel 1
console(config-if-Po1)#vpc 1
console(config-if-Po1)#switchport mode trunk
console(config-if-Po1)#exit
console(config)#interface port-channel 3
console(config-if-Po3)#vpc peer-link
console(config-if-Po3)#switchport mode trunk
console(config-if-Po3)#exit
console(config)#interface port-channel 4
console(conf
MLAG Partner Switch Configuration 1 Configure partner switch 1 with a port-channel connected to the MLAG aware switches.
console(config)#vlan 2
console(config-vlan-2)#exit
5 Enable Voice VLAN globally.
console(config)#voice vlan
6 Configure the VoIP phone connected port as follows:
console(config)#interface Gi2/0/11
console(config-if-Gi2/0/11)#switchport mode access
console(config-if-Gi2/0/11)#voice vlan 2
console(config-if-Gi2/0/11)#exit
7 Configure CoS queue 2 as strict. By default, the VoIP phone sends voice traffic with 802.1p priority 5, which is mapped to egress queue 2 by default.
console(config)#cos-queue strict 2
8 Configure an ACL to rate-limit the voice traffic in case of DoS attacks and apply the ACL on the phone-connected interfaces. The administrator should consider whether to apply this configuration on all perimeter ports.
To ensure that CoS queue 4 packets are always transmitted first, CoS queue 4 could be made a strict-priority queue. In this case, it would be prudent to rate limit CoS queue 4 traffic.
1 Create an access list that permits all traffic and assign it to CoS queue 4.
console#config
console(config)#ip access-list voice-vlan
console(config-ip-acl)#permit every assign-queue 4
console(config-ip-acl)#exit
2 Assign the access list to VLAN 25. The access-group is given sequence number 100.
console(config)#interface te1/1/1
console(config-if-Te1/1/1)#switchport mode private-vlan promiscuous
console(config-if-Te1/1/1)#switchport private-vlan mapping 100 101-102
console(config-if-Te1/1/1)#exit
4 Assign the community VLAN ports:
console(config)#interface gi1/0/11
console(config-if-Gi1/0/11)#switchport mode private-vlan host
console(config-if-Gi1/0/11)#switchport private-vlan host-association 100 101
console(config-if-Gi1/0/11)#interface gi1/0/12
console(config-if-Gi1/0/12)#switchport mode private
console(config)#show vlan

VLAN   Name       Ports                             Type
-----  ---------  --------------------------------  --------
1      default    Po1-128, Gi1/0/1-10, Gi1/0/13-24  Default
100    VLAN0100   Te1/1/1, Gi1/0/11-12              Static
101    VLAN0101   Gi1/0/11                          Static
102    VLAN0102   Gi1/0/12                          Static

Configuring Inter-Switch Private VLANs
This is an example of configuring transport of private VLANs across multiple switches using a trunk port. Configuration of the private VLAN on other ports is included for clarity.
VLAN Configuration Examples This section contains the following examples: • Configuring VLANs Using the Dell EMC OpenManage Switch Administrator • Configuring VLANs Using the CLI • Configuring a Voice VLAN (Extended Example) NOTE: For an example that shows how to use a RADIUS server to provide VLAN information, see "Controlling Authentication-Based VLAN Assignment" on page 348.
Figure 20-27 shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts. One switch has an uplink port that connects it to a Layer-3 device and the rest of the corporate network. Figure 20-27.
Table 20-9 shows the port assignments on the switches.

Table 20-9. Switch Port Connections

Switch    Port/LAG            Function
Switch 1  1                   Connects to Switch 2
          2–15                Host ports for Payroll
          16–20               Host ports for Marketing
          LAG1 (ports 21–24)  Connects to Payroll server
Switch 2  1                   Connects to Switch 1
          2–10                Host ports for Marketing
          11–30               Host ports for Engineering
          LAG1 (ports 35–39)  Connects to file server
          LAG2 (ports 40–44)  Uplink to router
Figure 20-28. Add VLANs
e Repeat steps b–d to create VLANs 300 (Sales) and 400 (Payroll).
2 Assign ports 16–20 to the Marketing VLAN.
a From the Switching > VLAN > VLAN Membership page, select 200-Marketing from the Show VLAN field.
b In the Static row, click the space for ports 16–20 so the U (untagged) displays for each port.
Figure 20-29. VLAN Membership - VLAN 200
3 Click Apply.
4 Assign ports 2–15 and LAG1 to the Payroll VLAN.
a From the Switching > VLAN > VLAN Membership page, select 400-Payroll from the Show VLAN field.
b In the Static row, click the space for ports 2–15 and LAG 1 so the U (untagged) displays for each port, and then click Apply.
5. Configure LAG 1 to be in general mode and specify that the LAG will accept tagged or untagged frames, but that untagged frames will be transmitted tagged with PVID 400.
a. From the Switching > VLAN > LAG Settings page, make sure Po1 is selected.
b.
Figure 20-31. Trunk Port Configuration
7 From the Switching > VLAN > VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN. Figure 20-32 shows VLAN 200, in which port 1 is a tagged member, and ports 13–16 are untagged members.
Figure 20-32. Trunk Port Configuration
8 Configure the MAC-based VLAN information.
a Go to the Switching > VLAN > Bind MAC to VLAN page.
b In the MAC Address field, enter a valid MAC address, for example 00:1C:23:55:E9:8B.
Figure 20-33. Trunk Port Configuration
e Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department.
9 To save the configuration so that it persists across a system reset, use the following steps:
a Go to the System > File Management > Copy Files page.
b Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination.
c Click Apply.
c. Click Apply. 3. Configure port 1 as a trunk port. 4. Configure LAG2 as a trunk port. 5. Assign ports 2–10 to VLAN 200 as untagged (U) members. 6. Assign ports 11–30 to VLAN 100 as untagged (U) members. 7. Assign LAG1 to VLAN 100 and 200 as a tagged (T) member. 8. Assign port 1 and LAG2 to VLAN 100, VLAN 200, VLAN 300, and VLAN 400 as a tagged (T) member. 9. Configure the MAC-based VLAN information. 10. If desired, copy the running configuration to the startup configuration.
Configuring VLANs Using the CLI This example shows how to perform the same configuration by using CLI commands. Configure the VLANs and Ports on Switch 1 Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch. To configure Switch 1: 1. Create VLANs 200 (Marketing), 300 (Sales), and 400 (Payroll), and associate the VLAN ID with the appropriate name.
4. Assign LAG1 to the Payroll VLAN and specify that frames will always be transmitted untagged with a VLAN ID of 400. By default, all VLANs are members of a trunk port. VLAN 200 and 300 frames will be transmitted tagged. This port is removed from VLAN 1 membership.
console(config)#interface port-channel 1
console(config-if-Po1)#switchport mode trunk
console(config-if-Po1)#switchport trunk native vlan 400
console(config-if-Po1)#exit
5.
8. View the VLAN settings.
console#show vlan

VLAN   Name       Ports                            Type
-----  ---------  -------------------------------  --------
1      Default    Po1-12, Te1/0/2-15, Te1/0/21-24  Default
200    Marketing  Te1/0/1, Te1/0/16-20             Static
300    Sales      Te1/0/1                          Static
400    Payroll    Te1/0/1-15                       Static

9. View the VLAN membership information for a port.
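Checking VLAN membership by eye across a `show vlan` listing is where trunk and native-VLAN mistakes slip through. The following Python script is an added example written for this guide, not Dell code: it parses a constructed `show vlan` listing modelled on the Switch 1 output above, expands interface ranges such as Te1/0/2-15 and Po1-12, inverts the table into a port-to-VLAN map, and lets an administrator assert that a port is in exactly the VLANs the plan in Table 20-9 calls for. The sample text and the function names are assumptions made for the example.

```python
"""Parse Dell EMC N-Series `show vlan` output into a port -> VLAN map."""
import re
from collections import defaultdict

# Constructed sample, modelled on the Switch 1 `show vlan` listing above.
SAMPLE_SHOW_VLAN = """\
VLAN   Name       Ports                            Type
-----  ---------  -------------------------------  --------
1      Default    Po1-12, Te1/0/2-15, Te1/0/21-24  Default
200    Marketing  Te1/0/1, Te1/0/16-20             Static
300    Sales      Te1/0/1                          Static
400    Payroll    Te1/0/1-15                       Static
"""

# Interface token: type prefix, optional unit/slot path, first port, optional last port.
RANGE_RE = re.compile(r"^([A-Za-z]+)((?:\d+/)*)(\d+)(?:-(\d+))?$")
# VLAN row: id, name, port list (lazy), membership type.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(.*?)\s+(Default|Static|Dynamic)\s*$")


def expand_range(token):
    """'Te1/0/2-4' -> ['Te1/0/2', 'Te1/0/3', 'Te1/0/4']; 'Po3' -> ['Po3']."""
    m = RANGE_RE.match(token.strip())
    if not m:
        raise ValueError(f"unrecognised interface token: {token!r}")
    prefix, path, first, last = m.groups()
    last = last or first
    return [f"{prefix}{path}{n}" for n in range(int(first), int(last) + 1)]


def parse_show_vlan(text):
    """Return {vlan_id: {'name': ..., 'type': ..., 'ports': [...]}}."""
    vlans = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # header, separator or blank line
            continue
        vid, name, ports, vtype = m.groups()
        port_list = []
        for tok in ports.split(","):
            if tok.strip():
                port_list.extend(expand_range(tok))
        vlans[int(vid)] = {"name": name, "type": vtype, "ports": port_list}
    return vlans


def port_membership(vlans):
    """Invert the VLAN table into {port: sorted VLAN IDs}."""
    membership = defaultdict(list)
    for vid, info in vlans.items():
        for port in info["ports"]:
            membership[port].append(vid)
    return {port: sorted(ids) for port, ids in membership.items()}


def check_port(vlans, port, expected):
    """True when `port` belongs to exactly the VLANs in `expected`."""
    return port_membership(vlans).get(port, []) == sorted(expected)


if __name__ == "__main__":
    table = parse_show_vlan(SAMPLE_SHOW_VLAN)
    for port, ids in sorted(port_membership(table).items()):
        print(f"{port:<10} {ids}")
    # The trunk port should carry the three department VLANs and nothing else.
    print("Te1/0/1 ok:", check_port(table, "Te1/0/1", [200, 300, 400]))
```

Run against a real switch, the listing would be captured with `show vlan` and pasted in place of the constructed sample; the expected sets come from the port plan, so a port that unexpectedly remains in VLAN 1 (the default) shows up as a failed check rather than being overlooked.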
Configure the VLANs and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1. For more information about specific procedures, see the details and figures in the previous section. To configure Switch 2: 1. Create the Engineering, Marketing, Sales, and Payroll VLANs.
VLANs
Spanning Tree Protocol 21 Dell EMC Networking N-Series Switches This chapter describes how to configure the Spanning Tree Protocol (STP) settings on the switch. The topics covered in this chapter include: • STP Overview • RSTP-PV • Default STP Values • Configuring Spanning Tree (Web) • Configuring Spanning Tree (CLI) • STP Configuration Examples STP Overview STP is a Layer-2 protocol that provides a tree topology for switches on a bridged LAN.
transitioning of the port to Forwarding). The difference between RSTP and the traditional STP (IEEE 802.1d) is the ability to recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications. MSTP is compatible with both RSTP and STP. It behaves appropriately when connected to STP and RSTP bridges.
How Does MSTP Operate in the Network?
In the following diagram of a small 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops.
Figure 21-1. Small Bridged Network
Assume that Switch A is elected to be the Root Bridge and that Port 1 on Switch B and on Switch C is calculated to be the root port for those bridges; Port 2 on Switch B and Switch C would then be placed into the Blocking state. This creates a loop-free topology.
Figure 21-2 shows the logical single STP network topology. Figure 21-2. Single STP Topology For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from Switch B will have to traverse a path through Switch A before arriving at Switch C. If the Port 2 on Switch B and Switch C could be used, these inefficiencies could be eliminated.
The logical representation of the MSTP environment for these three switches is shown in Figure 21-3. Figure 21-3.
In order for MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs (shown in Figure 21-3 with a *). This is necessary with MSTP to allow the formation of Regions made up of all switches that exchange the same MST Configuration Identifier.
MSTP with Multiple Forwarding Paths Consider the physical topology shown in Figure 21-4. It might be assumed that MSTI 2 and MSTI 3 would follow the most direct path for VLANs 20 and 30. However, using the default path costs, this is not the case. MSTI operates without considering the VLAN membership of the ports. This results in unexpected behavior if the active topology of an MSTI depends on a port that is not a member of the VLAN assigned to the MSTI and the port is selected as root port.
MSTP and VLAN IDs MSTP allows VLAN 4094 to be configured in the MD5 digest of an MSTI region for compatibility purposes. However, the switch reserves VLAN 4094 internally for use in stacking and will drop received packets tagged with VLAN 4094.
If BPDU filtering is configured globally on the switch, the feature is automatically enabled on all operational PortFast-enabled ports. These ports are typically connected to hosts that drop BPDUs. However, if an operational edge port receives a BPDU, the BPDU filtering feature disables PortFast and allows the port to participate in the spanning tree calculation. Enabling BPDU filtering on a specific port prevents the port from sending BPDUs and allows the port to drop any BPDUs it receives.
Enabling loop guard prevents such accidental loops. When a port is no longer receiving BPDUs and the max age timer expires, the port is moved to a loop-inconsistent blocking state. In the loop-inconsistent blocking state, traffic is not forwarded, so the port behaves as if it is in the blocking state; that is, it discards received traffic, does not learn MAC addresses, and is not part of the active topology. The port will remain in this state until it receives a BPDU.
STP-PV is the IEEE 802.1s (STP) standard implemented per VLAN. The STP-PV-related state machine, roles, and timers are similar to those defined for STP. STP-PV does not have the DirectLink Rapid Convergence (DRC) or IndirectLink Rapid Convergence (IRC) features enabled by default. These features can be enabled by the switch administrator. STP-PV/RSTP-PV are not compatible with protocol-based VLANs. Ensure that ports enabled for per-VLAN spanning tree are not configured for protocol-based VLAN capability.
DirectLink Rapid Convergence
The DirectLink Rapid Convergence (DRC) feature is designed for an access-layer switch that has redundant blocked uplinks. It operates on ports blocked by spanning tree. DRC can be configured for the entire switch; it cannot be enabled for individual VLANs. The DRC feature is based on the concept of an uplink group. An uplink group consists of all the ports that provide a path to the root bridge (the root port and any blocked ports).
by default. Delaying the switchover allows the connected port to go through the listening and learning states while the switch is still transmitting packets on the original uplink. The optimal behavior is to keep the current uplink active and hold the new port in the blocked state for twice the forwarding delay.
IndirectLink Rapid Convergence Feature To handle indirect link failure, the STP standard requires that a switch passively wait for “max_age” seconds once a topology change has been detected. IndirectLink Rapid Convergence (IRC) handles these failures in two phases: • Rapid detection of an indirect link failure. Tracking the inferior BPDUs that a designated bridge detects when it transmits a direct link failure indicates that a failure has occurred elsewhere in the network.
on ports that should have a path to the root. The port where the switch received the inferior BPDU is excluded because it already failed; self-looped and designated ports are eliminated as they do not have a path to the root. Figure 21-5. IRC Flow Upon receiving a negative RLQ response on a port, the port has lost connection to the root and the switch ages-out its BPDU. If all other nondesignated ports received a negative answer, the switch has lost the root and restarts the STP calculation.
Interoperability Between STP-PV and RSTP-PV Modes STP-PV is derived from 802.1D and RSTP-PV is derived from 802.1w. The fallback mechanism is the same as between a standard 802.1D switch and a standard 802.1w switch. When a lower protocol version BPDU is received on a switch that runs a higher protocol version, the latter falls back to the lower version after its migration delay timer expires.
RSTP-PV region and the MSTP region, the RSTP-PV switch sends VLAN1 BPDUs in IEEE standard format, so they can be interpreted by the MSTP peers. Similarly, the RSTP-PV switch processes incoming MSTP BPDUs as though they were BPDUs for the VLAN 1 RSTP-PV instance.
Figure 21-7. RSTP-PV and RSTP Interoperability SW3 sends IEEE STP BPDUs to the IEEE multicast MAC address as untagged frames. These BPDUs are processed by the VLAN 1 STP instance on the RSTP-PV switch as part of the VLAN 1 STP instance. The RSTP-PV side sends IEEE STP BPDUs corresponding to the VLAN 1 STP to the IEEE MAC address as untagged frames across the link. At the same time, SSTP BPDUs are sent as untagged frames. IEEE switches simply flood the SSTP BPDUs throughout VLAN 1.
The VLAN 1 STP instances of SW1 and SW2 are joined with the STP instance running in SW3. VLANs 2 and 3 consider the path across SW3 as another segment linking SW1 and SW2, and their SSTP information is multicast across SW3. The bridge priority of SW1 and SW2 for the VLAN 1 instance is 32769 (bridge priority + VLAN identifier). The bridge priority of SW3 is 32768, per the IEEE 802.1w standard.
• The MSTP domain contains the root bridge for ALL VLANs. This implies that the CIST Root Bridge ID is configured to be better than any RSTP-PV STP root Bridge ID. If there is only one MSTP region connected to the RSTP-PV domain, then all boundary ports on the virtual-bridge will be unblocked and used by RSTP-PV. This is the only supported topology, as the administrator can manipulate uplink costs on the RSTP-PV side and obtain optimal traffic engineering results.
• The alternative is that the RSTP-PV domain contains the root bridges for ALL VLANs. This is only true if all RSTP-PV root bridges’ Bridge IDs for all VLANs are better than the MSTP CIST Root Bridge ID. This is not a supported topology, because all MSTIs map to the CIST on the border link, and it is not possible to load-balance the MSTIs as they enter the RSTP-PV domain. The Dell EMC Networking RSTP-PV implementation does not support the second option.
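The supported topology above comes down to a bridge-ID comparison: the MSTP CIST root's ID must be numerically lower (better) than the root ID every RSTP-PV VLAN instance advertises, and a per-VLAN instance advertises its configured priority plus the VLAN ID (32768 + 1 = 32769 for VLAN 1, as noted for SW1 and SW2 above). The following Python functions are an added example, not Dell code, that model the IDs as (priority, MAC) pairs and check the rule before a planned priority change is pushed to either domain; the sample priorities and MAC addresses are constructed.

```python
"""Bridge-ID comparison for the RSTP-PV / MSTP boundary rule."""

PRIORITY_STEP = 4096  # configurable priorities are multiples of 4096


def _norm_mac(mac):
    """Canonical lowercase MAC so tuple comparison matches the numeric 8-byte ID."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def pvst_bridge_id(priority, vlan_id, mac):
    """Bridge ID a per-VLAN instance advertises: priority + VLAN ID, then MAC."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4093:
        raise ValueError("VLAN ID out of range")
    return (priority + vlan_id, _norm_mac(mac))


def mstp_cist_bridge_id(priority, mac):
    """CIST bridge ID: the system ID extension for the CIST is 0."""
    if priority % PRIORITY_STEP or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    return (priority, _norm_mac(mac))


def mstp_root_for_all_vlans(cist_id, pvst_ids):
    """True when the CIST root beats the RSTP-PV root of every VLAN (supported topology)."""
    return all(cist_id < pv_id for pv_id in pvst_ids.values())


def vlans_rooted_in_pvst(cist_id, pvst_ids):
    """VLANs whose RSTP-PV root would win against the CIST root (the unsupported case)."""
    return sorted(v for v, pv_id in pvst_ids.items() if pv_id < cist_id)


if __name__ == "__main__":
    # Constructed values: MSTP region at priority 4096, RSTP-PV switches at the default.
    cist = mstp_cist_bridge_id(4096, "00:11:22:33:44:55")
    pv = {v: pvst_bridge_id(32768, v, "00:aa:bb:cc:dd:ee") for v in (1, 2, 3)}
    print("supported:", mstp_root_for_all_vlans(cist, pv))
    pv[2] = pvst_bridge_id(0, 2, "00:aa:bb:cc:dd:ee")  # someone lowers VLAN 2 on the PV side
    print("VLANs now rooted in RSTP-PV:", vlans_rooted_in_pvst(cist, pv))
```

The second scenario in the block is the one the guide says is unsupported: lowering the RSTP-PV priority for a single VLAN below the CIST root's value is enough to move that VLAN's root into the RSTP-PV domain, so a priority change on either side should be checked against the other domain's root ID first.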
Default STP Values Spanning tree is globally enabled on the switch and on all ports and LAGs. Table 21-1 summarizes the default values for STP. Table 21-1.
Configuring Spanning Tree (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring STP settings on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. STP Global Settings The STP Global Settings page contains fields for enabling STP on the switch.
Figure 21-9.
STP Port Settings
Use the STP Port Settings page to assign STP properties to individual ports. To display the STP Port Settings page, click Switching > Spanning Tree > STP Port Settings in the navigation panel.
Figure 21-10.
Configuring STP Settings for Multiple Ports To configure STP settings for multiple ports: 1 Open the STP Port Settings page. 2 Click Show All to display the STP Port Table. Figure 21-11. Configure STP Port Settings 3 For each port to configure, select the check box in the Edit column in the row associated with the port. 4 Select the desired settings. 5 Click Apply.
STP LAG Settings
Use the STP LAG Settings page to assign STP aggregating ports parameters. To display the STP LAG Settings page, click Switching > Spanning Tree > STP LAG Settings in the navigation panel.
Figure 21-12. STP LAG Settings
Configuring STP Settings for Multiple LAGs
To configure STP settings on multiple LAGs:
1 Open the STP LAG Settings page.
2 Click Show All to display the STP LAG Table.
Figure 21-13. Configure STP LAG Settings
3 For each LAG to configure, select the check box in the Edit column in the row associated with the LAG.
4 Select the desired settings.
5 Click Apply.
Rapid Spanning Tree
Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops. To display the Rapid Spanning Tree page, click Switching > Spanning Tree > Rapid Spanning Tree in the navigation panel.
Figure 21-14.
To view RSTP Settings for all interfaces, click the Show All link. The Rapid Spanning Tree Table displays. Figure 21-15.
MSTP Settings
The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. MSTP is compatible with both RSTP and STP; an MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge. To display the MSTP Settings page, click Switching > Spanning Tree > MSTP Settings in the navigation panel.
Figure 21-16.
Viewing and Modifying the Instance ID for Multiple VLANs To configure MSTP settings for multiple VLANS: 1 Open the MSTP Settings page. 2 Click Show All to display the MSTP Settings Table. Figure 21-17. Configure MSTP Settings 3 For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN. 4 Update the Instance ID settings for the selected VLANs. 5 Click Apply.
MSTP Interface Settings
Use the MSTP Interface Settings page to assign MSTP settings to specific interfaces. To display the MSTP Interface Settings page, click Switching > Spanning Tree > MSTP Interface Settings in the navigation panel.
Figure 21-18. MSTP Interface Settings
Configuring MSTP Settings for Multiple Interfaces
To configure MSTP settings for multiple interfaces:
1 Open the MSTP Interface Settings page.
2 Click Show All to display the MSTP Interface Table.
PVST/RPVST Global Configuration
Use the PVST/RPVST Global Configuration page to enable or disable the global per-VLAN spanning tree (PVST) and per-VLAN rapid spanning tree (RPVST) features on the switch. To display the PVST/RPVST Global Configuration page, click Switching > Spanning Tree > PVST Global Configuration in the navigation panel.
Figure 21-19.
PVST/RPVST VLAN Configuration
Use the PVST/RPVST VLAN Configuration page to configure the PVST/RPVST settings for VLANs that are enabled for PVST/RPVST. To display the PVST/RPVST VLAN Configuration page, click Switching > Spanning Tree > PVST VLAN Configuration in the navigation panel.
Figure 21-20. PVST/RPVST VLAN Configuration
Enabling a VLAN for PVST/RPVST
To enable PVST/RPVST on a VLAN:
1 Open the PVST/RPVST VLAN Configuration page.
2 Click Add to display the PVST/RPVST VLAN Configuration: Add page.
Figure 21-21. PVST/RPVST VLAN Configuration: Add Only VLANS with the PVST/RPVST feature disabled appear in the list. 4 Click Apply. Viewing VLAN PVST/RPVST Settings To view PVST/RPVST settings for each VLAN, click the Show All link. The PVST/RPVST VLAN Configuration: Show All page displays. Figure 21-22.
PVST/RPVST Interface Configuration
Use the PVST/RPVST Interface Configuration page to configure the PVST/RPVST settings for an interface. To display the PVST/RPVST Interface Configuration page, click Switching > Spanning Tree > PVST Interface Configuration in the navigation panel.
Figure 21-23.
PVST/RPVST Statistics
Use the PVST/RPVST Statistics page to configure the PVST/RPVST settings for an interface. To display the PVST/RPVST Statistics page, click Switching > Spanning Tree > PVST Statistics in the navigation panel.
Figure 21-24.
Configuring Spanning Tree (CLI)
This section provides information about the commands used for configuring STP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global STP Bridge Settings
Use the following commands to configure the global STP settings for the switch, such as the priority and timers.
show spanning-tree [detail [active | blockedports | instance instance-id]]: View information about spanning tree and the spanning tree configuration on the switch.
Configuring Optional STP Features
Use the following commands to configure the optional STP features on the switch or on specific interfaces.
configure: Enter global configuration mode.
spanning-tree guard {root | loop | none}: Enable loop guard or root guard (or disable both) on the interface.
spanning-tree tcnguard: Prevent the port from propagating topology change notifications.
CTRL + Z: Exit to Privileged Exec mode.
show spanning-tree summary: View various spanning tree settings and parameters for the switch.
Configuring STP Interface Settings
Use the following commands to configure the STP settings for a specific interface.
show spanning-tree interface: View spanning tree configuration information for the specified port or LAG (port-channel).
Configuring MSTP Switch Settings
Use the following commands to configure MSTP settings for the switch.
configure: Enter global configuration mode.
spanning-tree mst configuration: Enable configuring an MST region by entering the multiple spanning tree (MST) mode.
name string: Define the MST configuration name.
Configuring MSTP Interface Settings
Use the following commands to configure MSTP settings for the switch.
configure: Enter global configuration mode.
interface interface: Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 4. A range of interfaces can be specified using the interface range command.
STP Configuration Examples This section contains the following examples: • STP Configuration Example • MSTP Configuration Example • RSTP-PV Access Switch Configuration Example STP Configuration Example This example shows a LAN with four switches. On each switch, ports 1, 2, and 3 connect to other switches, and ports 4–20 connect to hosts (in Figure 21-25, each PC represents 17 host systems).
Figure 21-25. STP Example Network Diagram Of the four switches in Figure 21-25, the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed. For these reasons, the administrator selects it as the root bridge for the spanning tree. The administrator configures Switch A with the highest priority and uses the default priority values for Switch B, Switch C, and Switch D.
The administrator also configures Port Fast BPDU filtering and Loop Guard to extend STP’s capability to prevent network loops. For all other STP settings, the administrator uses the default STP values. To configure the switch:
1 Connect to Switch A and configure the priority to be higher (a lower value) than the other switches, which use the default value of 32768.
console#config
console(config)#spanning-tree priority 8192
2 Configure ports 4–20 to be in Port Fast mode.
Figure 21-26. MSTP Configuration Example To make multiple switches be part of the same MSTP region, make sure the STP operational mode for all switches is MSTP. Also, make sure the MST region name and revision level are the same for all switches in the region. To configure the switches: 1 Create VLAN 10 (Switch A and Switch B) and VLAN 20 (all switches).
4 Create MST instance 20 and associate it with VLAN 20.
console(config-mst)#instance 20 add vlan 20
5 Change the region name and revision number so that all the bridges that want to be part of the same region can form the region. This step is required for MST to operate properly.
RSTP-PV Access Switch Configuration Example
In this configuration, all 1G ports are presumed to be connected to host machines, and the two 10G uplink ports are connected to an aggregation-layer switch with a total Layer-2 network diameter of 4. The aggregation-layer switch can be a single switch or multiple switches, running either RSTP-PV or MSTP. For fastest convergence during failover scenarios, it is recommended that the uplink switches be configured in RSTP-PV mode.
console(config)#interface range gi1/0/37-48
console(config-if)#switchport access vlan 4
console(config-if)#exit
RSTP-PV Aggregation-Layer Switch Configuration Example
In this configuration example, two aggregation-layer switches are configured. Ports 1–4 are configured in a LAG connecting the two aggregation-layer switches. Ports 12–24 are configured as down-links to twelve access-layer switches configured as in the previous example. Down-links to the access-layer switches have physical diversity; there is one downlink to each of the twelve access-layer switches from each of the paired aggregation-layer switches.
console(config-if-fo1/0/1-2)#channel-group 1 mode active
console(config-if-fo1/0/1-2)#exit
8 Configure peer switch links:
console(config)#interface range te1/0/1-4
console(config-if-te1/0/1-4)#channel-group 2 mode active
console(config-if-te1/0/1-4)#exit
9 Configure the uplinks into a port channel:
console(config)#interface port-channel 1
console(config-if-port-channel 1)#switchport mode trunk
console(config-if-port-channel 1)#exit
10 Configure the peer links into a port channel and prefer to go to the c
22 Discovering Network Devices Dell EMC Networking N-Series Switches This chapter describes the Industry Standard Discovery Protocol (ISDP) feature and the Link Layer Discovery Protocol (LLDP) feature, including LLDP for Media Endpoint Devices (LLDP-MED).
ARP traffic. Periodically, IPDT sends an ARP request to each attached host. This enables IPDT to track the state of the host more accurately than DHCP snooping.
What is LLDP?
LLDP is a standardized discovery protocol defined by IEEE 802.1AB. It allows stations residing on an 802 LAN to advertise major capabilities, physical descriptions, and management information to physically adjacent devices, allowing a network management system (NMS) to access and display this information.
ISDP interoperates with the Cisco-proprietary CDP protocol and is most effective in an environment that contains many Cisco devices. IPDT is used to track the state of the attached hosts and maintain up-to-date MAC/IPv4 address bindings. The MAC/IPv4 bindings are used to populate the RADIUS Framed-IP-Address attribute transmitted in RADIUS Access-Request packets and to update the source IP address in Dynamic ACLs.
Table 22-2. LLDP Defaults
Parameter                          Default Value
Transmit Mode                      Enabled on all ports
Receive Mode                       Enabled on all ports
Transmit Interval                  30 seconds
Hold Multiplier                    4
Reinitialization Delay             2 seconds
Notification Interval              5 seconds
Transmit Management Information    Disabled
Notification Mode                  Disabled
Included TLVs                      0 — Port Description
                                   1 — System Name
                                   4 — Port PVID or Native VLAN
Table 22-3 summarizes the default values for LLDP-MED.
Table 22-3.
Table 22-4. IPDT Defaults
Parameter          Default Value
IPDT Mode          Disabled
ARP Probes         Enabled
Probe Interval     30 seconds
Probe Count        3 missed probes
Probe Delay        30 seconds
Probe Source IP    0.0.0.0
Device Maximum     Unlimited
Configuring ISDP and LLDP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ISDP and LLDP/LLDP-MED on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches.
Figure 22-1.
ISDP Neighbor Table
The ISDP Neighbor Table page enables viewing information about other devices the switch has discovered through the ISDP. To access the ISDP Neighbor Table page, click System → ISDP → Neighbor Table in the navigation panel.
Figure 22-2.
ISDP Interface Configuration The ISDP Interface Configuration page enables configuring the ISDP settings for each interface. If ISDP is enabled on an interface, it must also be enabled globally in order for the interface to transmit ISDP packets. If the ISDP mode on the ISDP Global Configuration page is disabled, the interface will not transmit ISDP packets, regardless of the mode configured on the interface.
ISDP Statistics
The ISDP Statistics page enables viewing information about the ISDP packets sent and received by the switch. To access the ISDP Statistics page, click System → ISDP → Statistics in the navigation panel.
Figure 22-5.
LLDP Configuration
Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here. To display the LLDP Configuration page, click Switching → LLDP → Configuration in the navigation panel.
Figure 22-6.
To view the LLDP Interface Settings Table, click Show All. The LLDP Interface Settings Table page enables viewing and editing information about the LLDP settings for multiple interfaces. Figure 22-7.
LLDP Statistics
Use the LLDP Statistics page to view LLDP-related statistics. To display the LLDP Statistics page, click Switching → LLDP → Statistics in the navigation panel.
Figure 22-8.
LLDP Connections
Use the LLDP Connections page to view the list of ports with LLDP enabled. Basic connection details are displayed. To display the LLDP Connections page, click Switching → LLDP → Connections in the navigation panel.
Figure 22-9.
To view additional information about a device connected to a port that has been discovered through LLDP, click the port number in the Local Interface table (it is a hyperlink), or click Details and select the port with the connected device.
Figure 22-10. LLDP Connection Detail
LLDP-MED Global Configuration
Use the LLDP-MED Global Configuration page to change or view the LLDP-MED parameters that affect the entire system.
LLDP-MED Interface Configuration
Use the LLDP-MED Interface Configuration page to specify LLDP-MED parameters that affect a specific interface. To display the LLDP-MED Interface Configuration page, click Switching → LLDP → LLDP-MED Interface Configuration in the navigation panel.
Figure 22-12. LLDP-MED Interface Configuration
To view the LLDP-MED Interface Summary table, click Show All.
Figure 22-13.
LLDP-MED Local Device Information
Use the LLDP-MED Local Device Information page to view the advertised LLDP local data for each port. To display the LLDP-MED Local Device Information page, click Switching → LLDP → LLDP-MED Local Device Information in the navigation panel.
Figure 22-14. LLDP-MED Local Device Information
LLDP-MED Remote Device Information
Use the LLDP-MED Remote Device Information page to view the LLDP data advertised by remote devices.
Configuring ISDP and LLDP (CLI)
This section provides information about the commands you use to manage and view the device discovery protocol features on the switch. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global ISDP Settings
Use the following commands to configure ISDP settings that affect the entire switch.
Enabling ISDP on a Port
Use the following commands to enable ISDP on a port.
Command    Purpose
configure
    Enter Global Configuration mode.
interface interface
    Enter interface configuration mode for the specified interface.
isdp enable
    Administratively enable ISDP on the switch.
exit
    Exit to Global Config mode.
exit
    Exit to Privileged Exec mode.
show isdp interface all
    View the ISDP mode on all interfaces.
Configuring Global LLDP Settings
Use the following commands to configure LLDP settings that affect the entire switch.
Command    Purpose
configure
    Enter Global Configuration mode.
lldp notification-interval interval
    Specify how often, in seconds, the switch should send remote data change notifications.
lldp timers [interval transmit-interval] [hold
    Configure the timing for local data transmission on ports enabled for LLDP.
Command    Purpose
lldp tlv-select [management-address] [port-description] [port-vlan] [system-capabilities] [system-description] [system-name]
    Specify which optional type-length-value settings (TLVs) in the 802.1AB basic management set will be transmitted in the LLDP PDUs.
    • management-address — Include the LLDP management address TLV.
    • port-description — Include the LLDP port description TLV.
    • port-vlan — Include the LLDP port VLAN TLV.
    • system-capabilities — Include the LLDP system capabilities TLV.
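To make the TLV selection concrete, the following added example (not code from the Dell guide) builds a constructed LLDPDU carrying the basic management TLVs and the 802.1 Port VLAN ID TLV, parses it the way a neighbor would, and reports which optional TLVs were included. The system name, port name, chassis MAC and the 192.0.2.10 management address are made-up sample values.

```python
import struct
from typing import Dict, List, Optional, Tuple

# TLV type numbers from IEEE 802.1AB. Types 4-8 are the optional basic
# management TLVs chosen with "lldp tlv-select"; the port-vlan keyword maps
# to an IEEE 802.1 organizationally specific TLV (type 127).
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port Description", 5: "System Name", 6: "System Description",
    7: "System Capabilities", 8: "Management Address",
    127: "Organizationally Specific",
}
OUI_8021 = b"\x00\x80\xc2"   # IEEE 802.1 OUI carried by the Port VLAN ID TLV


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu: bytes) -> List[Tuple[int, bytes]]:
    """Split an LLDPDU into (type, value) pairs, rejecting truncated TLVs."""
    tlvs: List[Tuple[int, bytes]] = []
    offset = 0
    while offset + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError("truncated TLV at offset %d" % (offset - 2))
        tlvs.append((tlv_type, pdu[offset:offset + length]))
        offset += length
        if tlv_type == 0:          # End of LLDPDU closes the list
            return tlvs
    raise ValueError("missing End of LLDPDU TLV")


def decode_mgmt_address(value: bytes) -> str:
    """Management Address TLV: [addr string len][subtype][address]..."""
    addr_len, subtype = value[0], value[1]
    addr = value[2:1 + addr_len]
    if subtype == 1 and len(addr) == 4:   # IANA address family 1 = IPv4
        return ".".join(str(b) for b in addr)
    return addr.hex()


def decode_port_vlan(value: bytes) -> Optional[int]:
    """Return the PVID from an 802.1 Port VLAN ID TLV (subtype 1), else None."""
    if len(value) >= 6 and value[:3] == OUI_8021 and value[3] == 1:
        return struct.unpack_from("!H", value, 4)[0]
    return None


def summarize(pdu: bytes) -> Dict[str, object]:
    """What a neighbor learns from one LLDPDU, plus the optional TLVs seen."""
    info: Dict[str, object] = {}
    optional: List[str] = []
    for tlv_type, value in parse_lldpdu(pdu):
        if tlv_type == 3:
            info["ttl"] = struct.unpack("!H", value)[0]
        elif tlv_type == 4:
            info["port_description"] = value.decode("utf-8", "replace")
        elif tlv_type == 5:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == 8:
            info["management_address"] = decode_mgmt_address(value)
        elif tlv_type == 127:
            pvid = decode_port_vlan(value)
            if pvid is not None:
                info["port_vlan"] = pvid
        if tlv_type in (4, 5, 6, 7, 8):
            optional.append(TLV_NAMES[tlv_type])
    info["optional_tlvs"] = optional
    # Transmit Management Information is Disabled by default (Table 22-2),
    # so a management address TLV on a user-facing port is worth noticing.
    info["discloses_management_address"] = "management_address" in info
    return info


# Constructed sample LLDPDU (names, MAC and address are made up): TTL 120
# matches the default 30 s transmit interval x hold multiplier 4.
SAMPLE_LLDPDU = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("001ec9aabbcc")),         # chassis: MAC
    build_tlv(2, b"\x05Te1/0/1"),                                   # port: ifname
    build_tlv(3, struct.pack("!H", 120)),                           # TTL
    build_tlv(4, b"Uplink to aggregation"),                         # port descr
    build_tlv(5, b"access-sw-01"),                                  # system name
    build_tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10])               # mgmt IPv4
              + b"\x02" + struct.pack("!I", 1) + b"\x00"),           # ifIndex 1
    build_tlv(127, OUI_8021 + b"\x01" + struct.pack("!H", 100)),    # PVID 100
    build_tlv(0, b""),                                              # end
])

if __name__ == "__main__":
    for key, val in sorted(summarize(SAMPLE_LLDPDU).items()):
        print("%-30s %s" % (key, val))
```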
Configuring LLDP-MED Settings
Use the following commands to configure LLDP-MED settings that affect the entire switch.
Command    Purpose
configure
    Enter Global Configuration mode.
lldp med faststartrepeatcount count
    Specifies the number of LLDP PDUs that will be transmitted when the protocol is enabled.
interface interface
    Enter interface configuration mode for the specified Ethernet interface.
lldp med
    Enable LLDP-MED on the interface.
Viewing LLDP-MED Information
Use the following commands to view information about the LLDP-MED Protocol Data Units (PDUs) that are sent and have been received.
Command    Purpose
show lldp med local-device detail interface
    View LLDP information advertised by the specified port.
show lldp remote-device {all | interface | detail}
    View LLDP-MED information received by all ports or by the specified port. Include the keyword detail to see additional information.
Hold Time................................60
Version 2 Advertisements.................Enabled
Neighbors table time since last change...00 days 00:00:00
Device ID................................none
Device ID format capability..............Serial Number, Host Name
Device ID format.........................
7 View global LLDP settings on the switch.
console#show lldp
LLDP Global Configuration
Transmit Interval..................... 60 seconds
Transmit Hold Multiplier.............. 5
Reinit Delay.......................... 3 seconds
Notification Interval................. 5 seconds
8 View summary information about the LLDP configuration on port 1/0/1.
Configuring IPDT
This example shows how to configure IPDT for operation on the switch.
1 Enable DHCP snooping and IPDT. IPDT relies on DHCP snooping and ARP probes to populate its bindings table. The DHCP server is reachable from interface Te1/0/1.
23 Port-Based Traffic Control
This chapter describes how to configure features that provide traffic control through filtering the type of traffic or limiting the speed or amount of traffic on a per-port basis. The features this section describes include flow control, storm control, protected ports, and Link Local Protocol Filtering (LLPF), which is also known as Cisco Protocol Filtering.
Table 23-1. Port-Based Traffic Control Features
Feature    Description
LLPF       Filters proprietary protocols that should not normally be relayed by a bridge.
What is Flow Control?
IEEE 802.3 Annex 31B flow control allows nodes that transmit at slower speeds to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets. Transmissions are temporarily halted to prevent buffer overflows.
PPS versus an absolute rate in Kbps. For example, if the configured limit is 10% on a 1 Gbps link, this is converted to ~25000 PPS, and this PPS limit is set in the hardware. What are Protected Ports? The switch supports up to three separate groups of protected ports. Traffic can flow between protected ports belonging to different groups, but not within the same group. A port can belong to only one protected port group. You must remove an interface from one group before adding it to another group.
The LLPF feature can be configured per-port to block any combination (or all) of the following PDUs:
• Industry Standard Discovery Protocol (ISDP)
• VLAN Trunking Protocol (VTP)
• Dynamic Trunking Protocol (DTP)
• UniDirectional Link Detection (UDLD)
• Port Aggregation Protocol (PAgP)
• Shared Spanning Tree Protocol (SSTP)
Access Control Lists (ACLs) and LLPF can exist on the same interface. However, the ACL rules override the LLPF rules when there is a conflict.
What is Loop Protection? Dell EMC Networking implements a subset of the Configuration Testing Protocol (CTP) for the detection of network loops. The Configuration Testing Protocol is part of the original Ethernet specification. It does not appear in the IEEE 802 standard.
Default Port-Based Traffic Control Values
Table 23-2 lists the default values for the port-based traffic control features that this chapter describes.
Table 23-2. Default Port-Based Traffic Control Values
Feature            Default
Flow control       Enabled
Storm control      Disabled
Protected ports    None
LLPF               UDLD is blocked by default.
Configuring Port-Based Traffic Control (Web)
This section provides information about the OpenManage Switch Administrator pages to use to control port-based traffic on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Flow Control (Global Port Parameters)
Use the Global Parameters page for ports to enable or disable flow control support on the switch.
Storm Control
Use the Storm Control page to enable and configure the storm control feature. To display the Storm Control interface, click Switching → Ports → Storm Control in the navigation menu.
Figure 23-2. Storm Control
Configuring Storm Control Settings on Multiple Ports
To configure storm control on multiple ports:
1 Open the Storm Control page.
2 Click Show All to display the Storm Control Settings Table.
3 In the Ports list, select the check box in the Edit column for the port to configure.
Figure 23-3. Storm Control 5 Click Apply.
Protected Port Configuration
Use the Protected Port Configuration page to prevent ports in the same protected ports group from being able to see each other’s traffic. To display the Protected Port Configuration page, click Switching → Ports → Protected Port Configuration in the navigation menu.
Figure 23-4. Protected Port Configuration
Configuring Protected Ports
To configure protected ports:
1 Open the Protected Ports page.
2 Click Add to display the Add Protected Group page.
3 Select a group (0–2).
6 Click Protected Port Configuration to return to the main page.
7 Select the port to add to the group.
8 Select the protected port group ID.
Figure 23-6. Add Protected Ports
9 Click Apply.
10 To view protected port group membership information, click Show All.
Figure 23-7. View Protected Port Information
11 To remove a port from a protected port group, select the Remove check box associated with the port and click Apply.
LLPF Configuration
Use the LLPF Interface Configuration page to filter out various proprietary protocol data units (PDUs) and/or ISDP if problems occur with these protocols running on standards-based switches. To display the LLPF Interface Configuration page, click Switching → Network Security → Proprietary Protocol Filtering → LLPF Interface Configuration in the navigation menu.
Figure 23-8. LLPF Interface Configuration
To view the protocol types that have been blocked for an interface, click Show All.
Configuring Port-Based Traffic Control (CLI)
This section provides information about the commands used for configuring port-based traffic control settings. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Flow Control and Storm Control
Use the following commands to configure the flow control and storm control features.
Command    Purpose
storm-control unicast [level rate]
    Enable unknown unicast storm recovery mode on the interface and (optionally) set the threshold. rate — threshold as percentage of port speed. The percentage is converted to a PacketsPerSecond value based on a 512 byte average packet size.
CTRL + Z
    Exit to Privileged Exec mode.
show interfaces detail interface
    Display detailed information about the specified interface, including the flow control status.
show storm-control
    View whether 802.
Configuring LLPF
NOTE: LLPF is not supported on the N1500 Series switches.
Use the following commands to configure LLPF settings. Most of these protocols (other than CDP and UDLD) are obsolete and may cause excessive CPU usage.
Command    Purpose
configure
    Enter global configuration mode.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Port-Based Traffic Control Configuration Example
The commands in this example configure storm control, LLPF, and protected port settings for various interfaces on the switch. The storm control configuration in this example sets thresholds on the switch so that if broadcast traffic occupies more than 10% of the bandwidth on any physical port, the interface blocks the broadcast traffic until the measured amount of this traffic drops below the threshold.
5 Verify the configuration.
console#show storm-control te1/0/1
        Bcast   Bcast   Mcast   Mcast   Ucast   Ucast
Intf    Mode    Level   Mode    Level   Mode    Level
------- ------- ------- ------- ------- ------- -------
Te1/0/1 Enable  10      Enable  5       Disable 5
console#show service-acl interface te1/0/1
Protocol         Mode
---------------  ----------
CDP              Disabled
VTP              Enabled
DTP              Disabled
UDLD             Disabled
PAGP             Enabled
SSTP             Disabled
ALL              Disabled
console#show switchport protected 0
Name.........................................
24 Layer-2 Multicast Features
This chapter describes the Layer-2 (L2) multicast features on the Dell EMC Networking N-Series switches. The features this chapter describes include bridge multicast flooding and forwarding, Internet Group Management Protocol (IGMP) snooping, Multicast Listener Discovery (MLD) snooping, and Multicast VLAN Registration (MVR).
desirable as it reduces the network load by sending packets only to other hosts/switches/routers that have indicated an interest in receiving the multicast. If L2 snooping is not enabled, multicast packets are flooded in the ingress VLAN.
What Are the Multicast Bridging Features?
The Dell EMC Networking N-Series switches support multicast forwarding and multicast flooding.
What Is L2 Multicast Traffic?
L3 IP multicast traffic is traffic that is destined to a host group. Host groups are identified by class D IPv4 addresses, which range from 224.0.1.0 to 239.255.255.255, or by FF0x:: or FF3x:: IPv6 addresses. In contrast to L3 multicast traffic, Layer-2 multicast traffic is identified by the MAC address, i.e., the range 01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff for IPv4 multicast traffic or 33:33:xx:xx:xx:xx for IPv6 multicast traffic.
Group addresses that fall into the reserved range 224.0.0.x are never pruned by IGMP snooping—they are always flooded to all ports in the VLAN. Note that this flooding is based on the IP address, not the corresponding 01-00-5e-00-00-xx MAC address. When a multicast router is discovered (or locally configured on the switch), its interface is added to the interface distribution list for all multicast groups in the VLAN.
• Unregistered multicast traffic may be flooded in the VLAN by a user configuration option. NOTE: It is strongly recommended that operators enable MLD snooping if IGMP snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table. Not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv3. NOTE: IGMP snooping (and IGMP querier) validates IGMP packets.
associated with a multicast router or host that has indicated an interest in receiving a particular multicast group. In IPv6, MLD snooping performs a similar function. With MLD snooping, IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data instead of being flooded to all ports in a VLAN. This list is constructed in the MFDB by snooping IPv6 multicast control packets. MLD snooping floods multicast data packets until a multicast router port has been identified.
NOTE: It is strongly recommended that users enable IGMP snooping if MLD snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table, and not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv2.
Enabling MVR and IGMP Snooping on the Same Interface
MVR and IGMP snooping operate independently and can both be enabled on an interface. When both MVR and IGMP snooping are enabled, MVR listens to the IGMP join and report messages for static multicast group information, and IGMP snooping manages dynamic multicast groups.
When Are Layer-3 Multicast Features Required?
In addition to L2 multicast features, the switch supports IPv4 and IPv6 multicast features.
• GARP Multicast Registration Protocol (GMRP) to help control the flooding of multicast traffic by keeping track of group membership information. GVRP and GMRP use the same set of GARP Timers to specify the amount of time to wait before transmitting various GARP messages. GMRP is similar to IGMP snooping in its purpose, but IGMP snooping is more widely used.
Snooping Switch Restrictions
MAC Address-Based Multicast Group
The L2 multicast forwarding table consists of the Multicast group MAC address filtering entries. For IPv4 multicast groups, 16 IP multicast group addresses map to the same multicast MAC address. For example, 224.1.1.1 and 225.1.1.1 map to the MAC address 01:00:5E:01:01:01, and IP addresses in the range [224-239].3.3.3 map to 01:00:5E:03:03:03. As a result, if a host requests 225.1.1.1, then it might receive the multicast traffic of group 226.1.
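The MAC aliasing described above, worked through in an added Python example that is not part of the Dell guide: it maps IPv4 and IPv6 groups to their MAC addresses, enumerates every IPv4 group that shares one MAC, and applies the 224.0.0.x always-flood rule by IP address rather than by MAC. It goes one step beyond the text: the mapping drops the high bit of the second octet as well as the low four bits of the first, so the full alias set is 32 groups (224.129.1.1 also shares the MAC of 224.1.1.1), not only the 16 [224-239] variants listed.

```python
import ipaddress
from typing import List


def ipv4_multicast_mac(group: str) -> str:
    """Map an IPv4 group to its L2 address: 01:00:5e plus the low 23 bits.

    The 1110 prefix is implied and the next 5 bits (bits 23-27) are dropped,
    which is why several groups share one entry in a MAC-based MFDB.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv4 multicast group" % group)
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def ipv6_multicast_mac(group: str) -> str:
    """Map an IPv6 group to its L2 address: 33:33 plus the low 32 bits."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv6 multicast group" % group)
    low32 = (int(addr) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join("%02x" % b for b in low32)


def ipv4_mac_aliases(group: str) -> List[str]:
    """Every IPv4 group that maps to the same MAC as `group` (32 in total)."""
    base = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    # 0xE0000000 restores the 1110 prefix; `dropped` fills bits 23-27.
    return [str(ipaddress.IPv4Address(0xE0000000 | (dropped << 23) | base))
            for dropped in range(32)]


def always_flooded(group: str) -> bool:
    """224.0.0.x is never pruned by IGMP snooping. The check is on the IP
    address, so 225.0.0.1, which shares the MAC, does not get the exemption."""
    return ipaddress.IPv4Address(group) in ipaddress.IPv4Network("224.0.0.0/24")


def may_leak_to(requested: str, other: str) -> bool:
    """True when a host joining `requested` on a MAC-based snooping switch
    would also receive traffic sent to `other`."""
    return (requested != other
            and ipv4_multicast_mac(requested) == ipv4_multicast_mac(other))


if __name__ == "__main__":
    for g in ("224.1.1.1", "225.1.1.1", "224.129.1.1", "239.3.3.3"):
        print(g, "->", ipv4_multicast_mac(g))
    print("ff02::1 ->", ipv6_multicast_mac("ff02::1"))
    print("aliases of 224.1.1.1:", ", ".join(ipv4_mac_aliases("224.1.1.1")))
    print("224.0.0.251 always flooded:", always_flooded("224.0.0.251"))
    print("225.0.0.251 always flooded:", always_flooded("225.0.0.251"))
    print("225.1.1.1 may leak 226.1.1.1:", may_leak_to("225.1.1.1", "226.1.1.1"))
```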
Default L2 Multicast Values Details about the L2 multicast are in Table 24-1. Table 24-1.
Configuring L2 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 multicast features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Bridge Multicast Group
Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables and reflect the manner in which each is joined to the Multicast group. To display the Bridge Multicast Group page, click Switching → Multicast Support → Bridge Multicast Group in the navigation menu.
Figure 24-2.
Table 24-2 contains definitions for port/LAG IGMP management settings.
Table 24-2. Port/LAG IGMP Management Settings
Port Control    Definition
D    Dynamic: Indicates that the port/LAG was dynamically joined to the Multicast group (displays in the Current row).
S    Static: Attaches the port to the Multicast group as a static member in the Static row. Displays in the Current row once Apply is clicked.
F    Forbidden: Indicates that the port/LAG is forbidden entry into the Multicast group in the Static row.
4 In the Bridge Multicast Group tables, assign a setting by clicking in the Static row for a specific port/LAG. Each click toggles between S, F, and blank (not a member).
5 Click Apply. The bridge multicast address is assigned to the multicast group, ports/LAGs are assigned to the group (with the Current rows being updated with the Static settings), and the switch is updated.
Removing a Bridge Multicast Group
To delete a bridge multicast group:
1 Open the Bridge Multicast Group page.
MFDB Summary
Use the MFDB Summary page to view all entries in the multicast forwarding database. To access this page, click Switching → Multicast Support → MFDB Summary in the navigation panel.
Figure 24-4.
MRouter Status
Use the MRouter Status page to display the status of dynamically learned multicast router interfaces. To access this page, click Switching → Multicast Support → MRouter Status in the navigation panel.
Figure 24-5.
General IGMP Snooping
Use the General IGMP snooping page to configure IGMP snooping settings on specific VLANs. To display the General IGMP snooping page, click Switching → Multicast Support → IGMP Snooping → General in the navigation menu.
Figure 24-6. General IGMP Snooping
Modifying IGMP Snooping Settings for VLANs
To modify the IGMP snooping settings:
1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
2 Select the Edit checkbox for each VLAN to modify.
Figure 24-7. Edit IGMP Snooping Settings
3 Edit the IGMP snooping fields as needed.
4 Click Apply. The IGMP snooping settings are modified, and the device is updated.
Copying IGMP Snooping Settings to Multiple VLANs
To copy IGMP snooping settings:
1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
2 Select the Copy Parameters From checkbox.
3 Select a VLAN to use as the source of the desired parameters.
Figure 24-8. Copy IGMP Snooping Settings 5 Click Apply. The IGMP snooping settings are modified, and the device is updated.
Global Querier Configuration
Use the Global Querier Configuration page to configure IGMP snooping querier settings, such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN. To display the Global Querier Configuration page, click Switching → Multicast Support → IGMP Snooping → Global Querier Configuration in the navigation menu.
Figure 24-9.
VLAN Querier
Use the VLAN Querier page to specify the IGMP snooping querier settings for individual VLANs. To display the VLAN Querier page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier in the navigation menu.
Figure 24-10. VLAN Querier
Adding a New VLAN and Configuring its VLAN Querier Settings
To configure a VLAN querier:
1 From the VLAN Querier page, click Add. The page refreshes, and the Add VLAN page displays.
Figure 24-11.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated. To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All. Figure 24-12.
VLAN Querier Status
Use the VLAN Querier Status page to view the IGMP snooping querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier Status in the navigation menu.
Figure 24-13.
MFDB IGMP Snooping Table
Use the MFDB IGMP Snooping Table page to view the multicast forwarding database (MFDB) IGMP Snooping Table and Forbidden Ports settings for individual VLANs. To display the MFDB IGMP Snooping Table page, click Switching → Multicast Support → IGMP Snooping → MFDB IGMP Snooping Table in the navigation menu.
Figure 24-14.
MLD Snooping General
Use the MLD Snooping General page to add MLD members. To access this page, click Switching → Multicast Support → MLD Snooping → General in the navigation panel.
Figure 24-15. MLD Snooping General
Modifying MLD Snooping Settings for VLANs
To configure MLD snooping:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
Figure 24-16. MLD Snooping Table 2 Select the Edit checkbox for each VLAN to modify. 3 Edit the MLD snooping fields as needed. 4 Click Apply. The MLD snooping settings are modified, and the device is updated.
Copying MLD Snooping Settings to VLANs To copy MLD snooping settings: 1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays. 2 Select the Copy Parameters From checkbox. 3 Select a VLAN to use as the source of the desired parameters. 4 Select the Copy To checkbox for the VLANs that these parameters will be copied to. 5 Click Apply. The MLD snooping settings are modified, and the device is updated.
MLD Snooping VLAN Querier
Use the MLD Snooping VLAN Querier page to specify the MLD snooping querier settings for individual VLANs. To display the MLD Snooping VLAN Querier page, click Switching → Multicast Support → MLD Snooping → VLAN Querier in the navigation menu.
Figure 24-18. MLD Snooping VLAN Querier
Adding a New VLAN and Configuring its MLD Snooping VLAN Querier Settings
To configure an MLD snooping VLAN querier:
1 From the VLAN Querier page, click Add.
2 Enter the VLAN ID and, if desired, an optional VLAN name. 3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu. 4 Specify the VLAN querier settings. 5 Click Apply. The VLAN Querier settings are modified, and the device is updated. To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All. Figure 24-20.
MLD Snooping VLAN Querier Status
Use the VLAN Querier Status page to view the MLD snooping querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → MLD Snooping → VLAN Querier Status in the navigation menu.
Figure 24-21.
MFDB MLD Snooping Table
Use the MFDB MLD Snooping Table page to view the MFDB MLD snooping table settings for individual VLANs. To display the MFDB MLD Snooping Table page, click Switching → Multicast Support → MLD Snooping → MFDB MLD Snooping Table in the navigation menu.
Figure 24-22.
MVR Global Configuration
Use the MVR Global Configuration page to enable the MVR feature and configure global parameters. To display the MVR Global Configuration page, click Switching → MVR Configuration → Global Configuration in the navigation panel.
Figure 24-23.
MVR Members
Use the MVR Members page to view and configure MVR group members. To display the MVR Members page, click Switching → MVR Configuration → MVR Members in the navigation panel.
Figure 24-24. MVR Members
Adding an MVR Membership Group
To add an MVR membership group:
1 From the MVR Membership page, click Add. The MVR Add Group page displays.
Figure 24-25. MVR Member Group
2 Specify the MVR group IP multicast address.
3 Click Apply.
Figure 24-26. MVR Interface Configuration To view a summary of the MVR interface configuration, click Show All. Figure 24-27. MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group: 1 From the MVR Interface page, click Add. Figure 24-28.
2 Select the interface to add to the MVR group. 3 Specify the MVR group IP multicast address. 4 Click Apply. Removing an Interface from an MVR Group To remove an interface from an MVR group: 1 From the MVR Interface page, click Remove. Figure 24-29. MVR - Remove from Group 2 Select the interface to remove from an MVR group. 3 Specify the IP multicast address of the MVR group. 4 Click Apply.
MVR Statistics
Use the MVR Statistics page to view MVR statistics on the switch. To display the MVR Statistics page, click Switching → MVR Configuration → MVR Statistics in the navigation panel.
Figure 24-30.
GARP Timers
The Timers page contains fields for setting the GARP timers used by GVRP and GMRP on the switch. To display the Timers page, click Switching → GARP → Timers in the navigation panel.
Figure 24-31. GARP Timers
Configuring GARP Timer Settings for Multiple Ports
To configure GARP timers on multiple ports:
1 Open the Timers page.
2 Click Show All to display the GARP Timers Table.
Figure 24-32. GARP Timers Table
3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port.
4 Specify the desired timer values.
5 Click Apply.
Copying GARP Timer Settings From One Port to Others To copy GARP timer settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field. 3 Click Apply to copy the settings.
Figure 24-34. GMRP Port Configuration Table 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying Settings From One Port or LAG to Others To copy GMRP settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field. 3 Click Apply to copy the settings.
Configuring L2 Multicast Features (CLI)
This section provides information about the commands used for configuring L2 multicast settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Layer-2 Multicasting
Use the following commands to configure MAC address table features.
Command    Purpose
configure
    Enter global configuration mode.
Command    Purpose
show mac address-table multicast [vlan vlan-id] [address mac-multicast-address | ip-multicast-address] [format ip | mac]
    View entries in the multicast MAC address table. The show mac address-table multicast command shows only multicast addresses. Multicast addresses are shown along with unicast addresses if the multicast keyword is not used.
Configuring IGMP Snooping on VLANs
Use the following commands to configure IGMP snooping settings on VLANs.
Command    Purpose
ip igmp snooping vlan vlan-id mcrtexpiretime seconds
    Specify the multicast router time-out value to associate with a VLAN. This command sets the number of seconds to wait to age out an automatically-learned multicast router port.
interface teX/Y/Z
switchport mode trunk
ip igmp snooping vlan vlan-id mrouter
    Identify an interface as an mrouter interface. IGMP snooping floods all multicast in the VLAN until an mrouter has either been detected or configured.
Command Purpose ip igmp snooping querier Set the IGMP version of the query that the switch sends version version periodically. The version range is 1–2. ip igmp snooping querier Enable the IGMP snooping querier on the specified vlan-id VLAN. ip igmp snooping querier Allow the IGMP snooping querier to participate in the election participate vlan- querier election process when it discovers the presence of id another querier in the VLAN.
Command / Purpose
ipv6 mld snooping vlan-id last-listener-query-interval seconds
    Specify the leave time-out value for the VLAN. If an MLD report for a multicast group is not received within the number of seconds configured with this command after an MLD leave was received from a specific interface, the current port is deleted from the VLAN member list of that multicast group.
ipv6 mld snooping vlan vlan-id immediate-leave
    Enables MLD snooping immediate-leave mode on the specified VLAN.
ipv6 mld snooping querier election participate vlan-id
    Allow the MLD snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries. If the snooping querier wins the election, then it continues sending periodic queries.
mvr querytime time
    Set the MVR query response time. The value for time is in units of tenths of a second. This is the time to wait for a response to the query sent after receiving a leave message and before removing the port from the group.
mvr mode {compatible | dynamic}
    Specify the MVR mode of operation.
mvr group mcast-address
    Add an MVR membership group.
Configuring GARP Timers and GMRP
Use the following commands to configure the GARP timers and to control the GMRP administrative mode on the switch and per-interface.
Command / Purpose
configure
    Enter global configuration mode.
gmrp enable
    Enable GMRP globally on the switch.
interface interface
    Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Case Study on a Real-World Network Topology
Multicast Snooping Case Study
Figure 24-36 shows the topology that the scenarios in this case study use.
Figure 24-36. Case Study Topology
The topology in Figure 24-36 includes the following elements:
• Snooping Switches: D1, D2, D3 with IGMP snooping enabled on VLANs 10, 20
• Multicast Router: D4 with PIM-SM enabled on VLANs 10, 20
• Multicast Listeners: Client A-G
• Multicast Sources: Server A – 239.20.30.40, Server B – 239.20.30.
• Subnets: VLAN 10 – 192.168.10.x, VLAN 20 – 192.168.20.x
• Mrouter ports: D3 – 1/0/20, D2 – PortChannel1, D1 – 1/0/15
Snooping Within a Subnet
In the example network topology, the multicast source and listeners are in the same subnet, VLAN 20 – 192.168.20.x/24. D4 sends periodic queries on VLANs 10 and 20, and these queries are forwarded to D1, D2, and D3 via trunk links. Snooping switches D1, D2, and D3 flood these queries in VLANs 10 and 20 to clients G, F, and D, respectively.
4 Client D will receive the multicast stream from Server B because it is forwarded by D1 to D3 and then to D4 because D4 is a multicast router. Because the multicast stream is present on D3, a L2 forwarding entry is created on D3, where 239.20.30.42 is not a registered group.
5 Client F does not receive the multicast stream because it did not respond to queries from D4.
Snooping Switch Interaction with a Multicast Router
In the example network topology, consider Client B and Server A.
2 A multicast forwarding entry is created on D2 VLAN 20, 239.20.30.40 – 1/0/20, PortChannel1.
3 The Client F report message is forwarded to D3-PortChannel1 (multicast router attached port).
4 A multicast forwarding entry is created on D3 VLAN 20, 239.20.30.40 – PortChannel1, 1/0/20.
5 The Client F report message is forwarded to D4 via D3 – 1/0/20 (multicast router attached port).
6 An IP multicast routing entry is created on D4 VLAN 10 – VLAN 20 with the Layer-3 outgoing port list as VLAN 20 – 1/0/20.
Multicast Source and Listener connected to Multicast Router via intermediate snooping switches and are part of different routing VLANs: Server B and Client E
Clients E, B, and C are on the same subnet, VLAN 10 – 192.168.10.70/24. Server B is in a different subnet, VLAN 20 – 192.168.20.70/24.
1 Client E sends a report for 239.20.30.42.
2 A multicast forwarding entry is created on D2 VLAN 10, 239.20.30.42 – 1/0/2, PortChannel 1.
3 The report from Client E is forwarded to D3 via D2 – PortChannel 1.
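The forwarding decisions walked through in the case study (a report creates a group entry that includes the mrouter port; an unregistered group is sent to the mrouter port only; everything floods until an mrouter is known) can be modelled in a few lines. The following Python is an added example, not code from the Dell guide or the switch firmware; the port names and group addresses are constructed to match switch D2, VLAN 20, above, and the IP-to-MAC mapping function illustrates the format ip | mac view of the multicast MAC address table:

```python
# Added example (not part of the Dell guide): a small model of the Layer-2
# forwarding decisions an IGMP snooping switch makes, following the case
# study above. Port names and group addresses are constructed.
from dataclasses import dataclass, field


def ip_to_multicast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its Layer-2 MAC address (RFC 1112):
    01:00:5e followed by the low 23 bits of the group, so 32 groups share one MAC."""
    a, b, c, d = (int(x) for x in ip.split("."))
    if not 224 <= a <= 239:
        raise ValueError("not an IPv4 multicast address: %s" % ip)
    return "01:00:5e:%02x:%02x:%02x" % (b & 0x7F, c, d)


@dataclass
class SnoopingVlan:
    """Snooping state for one VLAN on one switch."""
    vlan_id: int
    ports: set                                    # all ports in the VLAN
    mrouter_ports: set = field(default_factory=set)
    groups: dict = field(default_factory=dict)    # group -> set of member ports

    def learn_mrouter(self, port: str) -> None:
        """A query seen on a port (or a static mrouter config) marks it router-attached."""
        self.mrouter_ports.add(port)

    def report(self, group: str, port: str) -> None:
        """IGMP membership report: the port joins the group's forwarding entry."""
        self.groups.setdefault(group, set()).add(port)

    def leave(self, group: str, port: str) -> None:
        """IGMP leave with immediate-leave semantics; empty entries are removed."""
        members = self.groups.get(group)
        if members is None:
            return
        members.discard(port)
        if not members:
            del self.groups[group]

    def egress_ports(self, group: str, ingress_port: str) -> set:
        """Ports that receive a data frame for `group` arriving on `ingress_port`.

        Registered group: members plus mrouter ports (so the router can route it on).
        Unregistered group: mrouter ports only, or flood the VLAN while no mrouter
        has been detected or configured."""
        if group in self.groups:
            out = self.groups[group] | self.mrouter_ports
        elif self.mrouter_ports:
            out = set(self.mrouter_ports)
        else:
            out = set(self.ports)
        return out - {ingress_port}


def case_study_d2() -> SnoopingVlan:
    """Constructed instance of switch D2, VLAN 20, from the case study:
    mrouter port PortChannel1, Client F on 1/0/20 reporting 239.20.30.40."""
    d2 = SnoopingVlan(20, ports={"1/0/2", "1/0/20", "PortChannel1"})
    d2.learn_mrouter("PortChannel1")
    d2.report("239.20.30.40", "1/0/20")
    return d2
```

With the D2 instance, a frame for 239.20.30.40 arriving on 1/0/2 goes to 1/0/20 and PortChannel1, while a frame for the unregistered group 239.20.30.42 goes to PortChannel1 only, which is why Client F in step 5 above never sees Server B's stream.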
25 Connectivity Fault Management
N1500/N2200 Switches
This chapter describes how to configure the Connectivity Fault Management feature, which is specified in IEEE 802.1ag (IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management). This protocol, also known as Dot1ag, enables the detection and isolation of connectivity faults at the service level for traffic that is bridged over a metropolitan Ethernet LAN.
How Does Dot1ag Work Across a Carrier Network?
A typical metropolitan area network comprises operator, service provider, and customer networks. To suit this business model, CFM relies on a functional model of hierarchical maintenance domains (MDs). These domains are assigned a unique MD level. There is a maximum of 8 levels, which can be nested but cannot overlap. Each organization can have its own maintenance domain. The MD level limits administrator access to the appropriate domain.
never intersect. The operator transparently passes frames from the customer and provider, and the customer does not see the operator frames. Multiple levels within a domain (say, operator) are supported for flexibility.
What Entities Make Up a Maintenance Domain?
Dot1ag defines three primary entities that make up the maintenance domain: Maintenance End Points (MEPs), Maintenance Intermediate Points (MIPs), and Maintenance Associations (MAs).
Figure 25-2. Maintenance Endpoints and Intermediate Points
Maintenance Associations
An MA is a logical connection between one or more MEPs that enables monitoring a particular service instance. Each MA is associated with a unique SVLAN ID. An MA is identified by a maintenance association ID. All MEPs in the MA are assigned the maintenance identifier (MAID) for the association. An MD consists of one or more MAs at the same domain level.
Figure 25-3. Provider View for Service Level OAM
What is the Administrator's Role?
On the switch, the administrator configures the customer-level maintenance domains, associations, and endpoints used to participate in Dot1ag services with other switches connected through the provider network. The administrator can also use utilities to troubleshoot connectivity faults when reported via SNMP traps. All the domains within the customer domain should use different domain levels.
Troubleshooting Tasks
In the event of a connectivity loss between MEPs, the administrator can perform path discovery, similar to traceroute, from one MEP to any MEP or MIP in a maintenance domain using Link Trace Messages (LTMs). The connectivity loss is narrowed down using path discovery and is verified using Loop-back Messages (LBMs), which are similar to ping operations in IP networks.
Configuring Dot1ag (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Dot1ag features on a Dell EMC Networking N4000 switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Dot1ag Global Configuration
Use the Global Configuration page to enable and disable the Dot1ag admin mode and to configure the time after which inactive RMEP messages are removed from the MEP database.
Figure 25-5. Dot1ag MD Configuration
Dot1ag MA Configuration
Use the MA Configuration page to associate a maintenance domain level with one or more VLAN IDs, provide a name for each maintenance association (MA), and to set the interval between continuity check messages sent by MEPs for the MA. To display the page, click Switching > Dot1ag > MA Configuration in the tree view.
Figure 25-6.
To add an MA, click the Add link at the top of the page.
Dot1ag MEP Configuration
Use the MEP Configuration page to define switch ports as Maintenance End Points. MEPs are configured per domain and per VLAN. To display the page, click Switching > Dot1ag > MEP Configuration in the tree view.
Figure 25-7.
To add a MEP, click the Add link at the top of the page. A VLAN must be associated with the selected domain before you configure a MEP to be used within an MA (see the MA Configuration page).
Dot1ag MIP Configuration
Use the MIP Configuration page to define a switch port as an intermediate bridge for a selected domain. To display the page, click Switching > Dot1ag > MIP Configuration in the tree view.
Figure 25-8.
Dot1ag RMEP Summary
Use the RMEP Summary page to view information on remote MEPs that the switch has learned through CFM PDU exchanges with MEPs on the switch. To display the page, click Switching > Dot1ag > RMEP Summary in the tree view.
Figure 25-9.
Dot1ag L2 Ping
Use the L2 Ping page to generate a loopback message from a specified MEP. The MEP can be identified by the MEP ID or by its MAC address. To display the page, click Switching > Dot1ag > L2 Ping in the tree view.
Figure 25-10. Dot1ag L2 Ping
Dot1ag L2 Traceroute
Use the L2 Traceroute page to generate a Link Trace message from a specified MEP. The MEP can be specified by the MAC address, or by the remote MEP ID. To display the page, click Switching > Dot1ag > L2 Traceroute in the tree view.
Figure 25-11. Dot1ag L2 Traceroute
Dot1ag L2 Traceroute Cache
Use the L2 Traceroute Cache page to view link traces retained in the link trace database. To display the page, click Switching > Dot1ag > L2 Traceroute Cache in the tree view.
Figure 25-12. Dot1ag L2 Traceroute Cache
Dot1ag Statistics
Use the Statistics page to view Dot1ag information for a selected domain and VLAN ID. To display the page, click Switching > Dot1ag > Statistics in the tree view.
Figure 25-13.
Configuring Dot1ag (CLI)
This section provides information about the commands used for configuring Dot1ag settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Dot1ag Global Settings and Creating Domains
Use the following commands to configure CFM settings and to view global status and domain information.
Configuring MEP Information
Use the following commands to configure the mode and view related settings.
CLI Command / Description
configure
    Enter global configuration mode.
interface interface
    Enter Interface Config mode for the specified interface, where interface is replaced by gigabitethernet unit/slot/port or tengigabitethernet unit/slot/port.
ethernet cfm mep enable level level vlan vlan-id mpid mep-id
    Define the port as a maintenance endpoint (MEP) and associate it with an SVLAN in a domain.
Dot1ag Ping and Traceroute
Use the following commands to help identify and troubleshoot Ethernet CFM settings.
CLI Command / Description
ping ethernet cfm mac mac-addr
    Generate a loopback message from the MEP with the specified MAC address.
ping ethernet cfm remote-mpid mep-id
    Generate a loopback message from the MEP with the specified MEP ID.
traceroute ethernet cfm mac mac-addr
    Generate a Link Trace message from the MEP with the specified MAC address.
Dot1ag Configuration Example
In the following example, the switch at the customer site is part of a Metro Ethernet network that is bridged to remote sites through a provider network. A service VLAN (SVID 200) identifies a particular set of customer traffic on the provider network.
Figure 25-14.
2 Configure port 1/0/5 as an MEP for service VLAN 200 so that the port can exchange CFM PDUs with its counterpart MEPs on the customer network. The port is first configured as a MEP with MEP ID 20 on domain level 6 for VLAN 200. Then the port is enabled and activated as a MEP.
26 Ethernet Ring Protection
Dell EMC Networking N1500, N2200 Series Switches
Ethernet Ring Protection (ERP) is a highly reliable and stable protection switching mechanism for Ethernet layer network rings. Ethernet rings allow a wide range of economical multipoint connectivity topologies due to their reduced number of links. The Ethernet Ring Protection feature is based on the ITU-T G.8032 (08/15), Corrigendum 1 (08/17) standard.
Figure 26-1. Ethernet Ring Protection
The ring protection architecture uses the R-APS protocol to coordinate ring protection actions within an Ethernet ring. When a failure is detected on a ring port, the node detecting the failure will generate an R-APS Signal Fail (SF) message in both directions. This message notifies the other ring nodes of the failure and causes a protection switch to occur. The RPL nodes (owner and neighbor) unblock the RPL link.
Ethernet Ring Protection Switching Port Role
Ethernet Ring Protection Switching (ERPS) defines three port roles: the RPL owner port, the RPL neighbor port, and the Normal port. Under normal conditions, the RPL is blocked (not used for data traffic), thus preventing loops. The ports at each end of the RPL are called RPL owner and RPL neighbor.
RPL Owner Port
It is the RPL owner that provides the main control for protection switching.
to the ERP control process for local processing and also forward the received R-APS to the next node if the next hop port is not blocked. When a node receives its own generated R-APS message, it drops the R-APS message. The node that actually generates the R-APS messages will always send messages over both of its ring ports regardless of whether or not the R-APS channels are blocked on its ring ports.
Ethernet Ring Protection Timers
The following timers are used by the ERP control process to reduce protection switching occurrences.
Hold-off
When a link failure or defect occurs, the event will not be reported immediately to protection switching if the configured hold-off timer value is non-zero. Instead, the hold-off timer will be started. Upon the expiry of the hold-off timer, the ERP control process checks whether a defect still exists along the trail that started the timer.
Revertive and Non-Revertive Operation Modes
ERP defines two operation modes: Revertive and Non-Revertive.
Revertive
In revertive mode, when failures in the link are removed, the traffic channel is restored to the working transport entity and the RPL is blocked. When revertive operations are used, the ring will not revert back immediately. Reversion does not start until the Wait-To-Restore (WTR) timer has expired.
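The protection behaviour described in this chapter (the RPL blocked in the idle state, the failed link blocked and the RPL unblocked on Signal Fail, and the two recovery modes) reduces to one invariant: the unblocked links must always form a loop-free spanning tree of the ring. The Python below is an added example written to show that invariant, not the switch's ERP implementation; node names, link names and the four-node ring are constructed, and timers (hold-off, WTR) are represented only by the order in which the methods are called:

```python
# Added example (not the switch's implementation): a model of G.8032-style
# ring protection switching showing the RPL block, Signal Fail handling,
# and revertive vs. non-revertive recovery. Node and link names are constructed.
from collections import deque


class EthernetRing:
    """Ring of nodes joined by ring links; in the idle state only the RPL is
    blocked, so the ring is loop-free but every node stays reachable."""

    def __init__(self, nodes, rpl):
        self.nodes = list(nodes)
        n = len(self.nodes)
        if n < 3:
            raise ValueError("a ring needs at least three nodes")
        self.links = [frozenset((self.nodes[i], self.nodes[(i + 1) % n])) for i in range(n)]
        self.rpl = frozenset(rpl)
        if self.rpl not in self.links:
            raise ValueError("RPL must be one of the ring links")
        self.failed = set()
        self.blocked = {self.rpl}   # idle state: RPL owner/neighbor block the RPL

    def signal_fail(self, link):
        """Nodes adjacent to the failed link block it and send R-APS(SF) in both
        directions; on receipt the RPL owner and neighbor unblock the RPL."""
        link = frozenset(link)
        self.failed.add(link)
        self.blocked.add(link)
        self.blocked.discard(self.rpl)

    def fail_cleared(self, link, revertive=True):
        """Failure repaired. Revertive: once the WTR timer expires, traffic returns
        to the working entity and the RPL is blocked again. Non-revertive: the
        repaired link stays blocked and the RPL keeps carrying traffic."""
        link = frozenset(link)
        self.failed.discard(link)
        if revertive:
            self.blocked.discard(link)
            self.blocked.add(self.rpl)

    def active_links(self):
        """Links currently carrying data traffic."""
        return [l for l in self.links if l not in self.blocked and l not in self.failed]

    def is_loop_free_and_connected(self):
        """Invariant a healthy ring keeps: the active links reach every node
        (connected) using exactly n-1 links (no loop)."""
        active = self.active_links()
        adj = {node: set() for node in self.nodes}
        for link in active:
            a, b = tuple(link)
            adj[a].add(b)
            adj[b].add(a)
        seen, queue = {self.nodes[0]}, deque([self.nodes[0]])
        while queue:
            for nb in adj[queue.popleft()]:
                if nb not in seen:
                    seen.add(nb)
                    queue.append(nb)
        return len(seen) == len(self.nodes) and len(active) == len(self.nodes) - 1
```

The last assertion in the usage, two simultaneous failures, shows the limit of the mechanism: a single ring survives one link failure, and a second concurrent failure partitions it regardless of RPL placement, which is the design reason for the multi-ring and sub-ring topologies discussed next.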
Figure 26-2 shows a multi-ring topology. Here the major ring is fully formed, while the sub-ring connects to the major ring at interconnection nodes. The sub-ring is not fully formed; it is a partial ring in the shape of a C and it does not control the link on the major ring. Below are the two implementation options for the R-APS control channel of the sub-ring.
Without R-APS Virtual Channel
R-APS PDU processing on the sub-ring terminates at the interconnection nodes.
• The incoming R-APS message requests a protection switch.
Ring Failure Detection
Protection switching on the ring node occurs when a Continuity Check Message (CCM) fault is reported on one of the ring links or when a physical layer failure condition is reported to the ERP control process. The Ethernet layer connectivity of ring links is periodically monitored using down Maintenance Entity Endpoints (MEPs). OAM reports a CCM fault when it does not receive the expected CCM for 3.
27 Snooping and Inspecting Traffic
Dell EMC Networking N-Series Switches
This chapter describes Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI), which are Layer-2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network.
What Is DHCP Snooping?
Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:
• Ensure that only authorized DHCP clients are able to utilize the network.
• On untrusted DHCP client interfaces, the switch may be configured to drop DHCP packets with a source MAC address that does not match the client hardware address.
How Is the DHCP Snooping Bindings Database Populated?
The DHCP snooping application uses DHCP messages to build and maintain the bindings database. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received).
Figure 27-1. DHCP Binding (state diagram: No Binding, Tentative Binding, and Complete Binding, with transitions on Discover, Request, ACK, NACK, Decline, and Release)
The binding database includes data for clients only on untrusted ports.
DHCP Snooping and VLANs
DHCP snooping forwards valid DHCP client messages received on nonrouting VLANs. The message is forwarded on all trusted interfaces in the VLAN. DHCP snooping can be configured on switching VLANs and routing VLANs.
If DHCP relay co-exists with DHCP snooping, DHCP client messages are sent to DHCP relay for further processing. To prevent DHCP packets from being used as a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on interfaces. DHCP rate limiting can be configured on both trusted and untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately.
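The binding life cycle in Figure 27-1, together with the trusted-port and MAC-verification rules above, can be written out as a small state machine. The following Python is an added example and not the switch's code: the port names, MAC and IP addresses are constructed, and the rule that a RELEASE or DECLINE is accepted only from the port the binding was learned on is an assumption about typical snooping behaviour, not a statement from this guide:

```python
# Added example (not the switch's code): a model of how the DHCP snooping
# binding database is built from the messages in Figure 27-1, with the
# MAC-verification and trusted-port rules described above. Ports, MAC and
# IP values are constructed; the RELEASE/DECLINE port check is an assumption.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    ip: Optional[str] = None      # learned from the server's ACK
    state: str = "tentative"      # "tentative" -> "complete" on ACK


class DhcpSnooping:
    """Snooping state for a switch; bindings are kept for untrusted ports only."""

    def __init__(self, trusted_ports, verify_mac=True):
        self.trusted = set(trusted_ports)
        self.verify_mac = verify_mac
        self.bindings: Dict[Tuple[int, str], Binding] = {}

    def client_message(self, kind, vlan, port, src_mac, chaddr):
        """Handle DISCOVER/REQUEST/DECLINE/RELEASE from a client-facing port.
        Returns "forward" or "drop"."""
        if port in self.trusted:
            return "forward"                 # trusted ports are neither bound nor checked
        if self.verify_mac and src_mac.lower() != chaddr.lower():
            return "drop"                    # Ethernet source must match client hardware address
        key = (vlan, chaddr.lower())
        if kind in ("DISCOVER", "REQUEST"):
            if key not in self.bindings:
                self.bindings[key] = Binding(chaddr.lower(), vlan, port)
            return "forward"                 # tentative binding ties the client to the port
        if kind in ("DECLINE", "RELEASE"):
            bound = self.bindings.get(key)
            if bound is None or bound.port != port:
                return "drop"                # assumption: only the bound port may release/decline
            del self.bindings[key]           # back to "no binding"
            return "forward"
        return "forward"

    def server_message(self, kind, vlan, port, chaddr, yiaddr=None):
        """Handle OFFER/ACK/NAK. Server replies are accepted on trusted ports only."""
        if port not in self.trusted:
            return "drop"                    # a DHCP server behind an access port is not allowed
        key = (vlan, chaddr.lower())
        bound = self.bindings.get(key)
        if bound is not None:
            if kind == "ACK":
                bound.ip, bound.state = yiaddr, "complete"
            elif kind == "NAK":
                del self.bindings[key]
        return "forward"

    def lookup(self, vlan, mac):
        """Binding for a client, or None when the client has none."""
        return self.bindings.get((vlan, mac.lower()))
```

The completed bindings are what IPSG and DAI later consult, so a client that never completed the exchange through a trusted port (or whose frames carried a mismatched source MAC) has nothing in the table and its traffic is filtered by those features.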
What Is IP Source Guard? IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.
What is Dynamic ARP Inspection?
NOTE: Dynamic ARP Inspection (DAI) is not supported on the N1100 Series switches.
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station's IP address to its own MAC address.
re-enable the port. DAI rate limiting cannot be enabled on trusted interfaces. Use the no ip arp inspection limit command to disable diagnostic disabling of untrusted ports due to DAI.
Why Is Traffic Snooping and Inspection Necessary?
DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks.
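IPSG and DAI both reduce to a per-packet lookup against the snooping bindings (and, for DAI, any ARP ACL). The Python below is an added example, not the switch's implementation: the binding table, the ARP ACL entry, the port names and addresses are all constructed, and the order of checks (ARP ACL first, then the binding table, with the Ethernet source compared against the ARP sender MAC) is an assumption about a typical DAI pipeline rather than a statement from this guide:

```python
# Added example (not the switch's code): the per-packet checks that IP Source
# Guard and Dynamic ARP Inspection apply, using a DHCP snooping binding table
# and an ARP ACL as the sources of truth. All addresses, ports and rules are
# constructed, and the ACL-before-bindings order is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class SnoopBinding:
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed binding table, as DHCP snooping or static bindings would populate it.
BINDINGS = {
    SnoopBinding("192.168.100.10", "00:11:22:33:44:55", 100, "Gi1/0/5"),
    SnoopBinding("192.168.100.11", "00:11:22:33:44:66", 100, "Gi1/0/6"),
}

# Constructed ARP ACL for a host that never uses DHCP (the gateway), equivalent
# to a "permit ip host 192.168.100.1 mac host 00:aa:bb:cc:dd:01" rule.
ARP_ACL = {("192.168.100.1", "00:aa:bb:cc:dd:01")}

# Uplink toward the DHCP server and router: trusted for both snooping and DAI.
TRUSTED_PORTS = {"Po1"}


def ipsg_permit(port, vlan, src_ip, src_mac, filter_mac=True):
    """IPSG: an IP packet on an IPSG-enabled port passes only if its source IP
    (and, when port security is used, its source MAC) matches a binding on that port."""
    for b in BINDINGS:
        if b.port == port and b.vlan == vlan and b.ip == src_ip:
            if not filter_mac or b.mac == src_mac.lower():
                return True
    return False


def dai_permit(port, vlan, sender_ip, sender_mac, eth_src_mac, validate_src_mac=True):
    """DAI: ARP packets on untrusted ports must carry a sender IP/MAC pair that an
    ARP ACL permits or that exists in the binding table; anything else is dropped,
    which stops a forged IP-to-MAC mapping from poisoning neighbours' caches."""
    if port in TRUSTED_PORTS:
        return True
    sender_mac = sender_mac.lower()
    if validate_src_mac and sender_mac != eth_src_mac.lower():
        return False                      # ARP sender MAC must equal the Ethernet source
    if (sender_ip, sender_mac) in ARP_ACL:
        return True
    return any(b.vlan == vlan and b.ip == sender_ip and b.mac == sender_mac
               for b in BINDINGS)
```

In the checks below, the host on Gi1/0/6 claiming its neighbour's address 192.168.100.10 is refused by both features, while the gateway, which has no DHCP binding, is admitted through the ARP ACL entry; this is the reason the guide pairs ARP ACLs with DAI for statically addressed hosts.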
Table 27-1.
Configuring Traffic Snooping and Inspection (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DHCP snooping, IPSG, and DAI features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
DHCP Snooping Interface Configuration
Use the DHCP Snooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs. To access the DHCP Snooping Interface Configuration page, click Switching > DHCP Snooping > Interface Configuration in the navigation panel.
Figure 27-3.
To view a summary of the DHCP snooping configuration for all interfaces, click Show All.
Figure 27-4.
DHCP Snooping VLAN Configuration
Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN. To access the DHCP Snooping VLAN Configuration page, click Switching > DHCP Snooping > VLAN Configuration in the navigation panel.
Figure 27-5. DHCP Snooping VLAN Configuration
To view a summary of the DHCP snooping status for all VLANs, click Show All.
Figure 27-6.
DHCP Snooping Persistent Configuration
Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. The bindings database can be stored locally on the switch or on a remote system somewhere else in the network. The switch must be able to reach the IP address of the remote system to send bindings to a remote database.
DHCP Snooping Static Bindings Configuration
Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database. To access the DHCP Snooping Static Bindings Configuration page, click Switching > DHCP Snooping > Static Bindings Configuration in the navigation panel.
Figure 27-8. DHCP Snooping Static Bindings Configuration
To view a summary of the DHCP snooping status for all VLANs, click Show All.
Figure 27-9.
DHCP Snooping Dynamic Bindings Summary
The DHCP Snooping Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports. To access the DHCP Snooping Dynamic Bindings Summary page, click Switching > DHCP Snooping > Dynamic Bindings Summary in the navigation panel.
Figure 27-10.
DHCP Snooping Statistics
The DHCP Snooping Statistics page displays DHCP snooping interface statistics. To access the DHCP Snooping Statistics page, click Switching > DHCP Snooping > Statistics in the navigation panel.
Figure 27-11.
IPSG Interface Configuration
Use the IPSG Interface Configuration page to configure IPSG on an interface. To access the IPSG Interface Configuration page, click Switching > IP Source Guard > IPSG Interface Configuration in the navigation panel.
Figure 27-12. IPSG Interface Configuration
IPSG Binding Configuration
Use the IPSG Binding Configuration page to configure static IPSG bindings; the configured bindings are listed on the IPSG Binding Summary page.
IPSG Binding Summary
The IPSG Binding Summary page displays the IPSG static binding list and the IPSG dynamic binding list (the static bindings are those configured on the Binding Configuration page). To access the IPSG Binding Summary page, click Switching > IP Source Guard > IPSG Binding Summary in the navigation panel.
Figure 27-14.
DAI Global Configuration
Use the DAI Configuration page to configure global DAI settings. To display the DAI Configuration page, click Switching > Dynamic ARP Inspection > Global Configuration in the navigation panel.
Figure 27-15.
DAI Interface Configuration
Use the DAI Interface Configuration page to select the DAI interface for which information is to be displayed or configured. To display the DAI Interface Configuration page, click Switching > Dynamic ARP Inspection > Interface Configuration in the navigation panel.
Figure 27-16. Dynamic ARP Inspection Interface Configuration
To view a summary of the DAI status for all interfaces, click Show All.
Figure 27-17.
DAI VLAN Configuration
Use the DAI VLAN Configuration page to select the VLANs for which information is to be displayed or configured. To display the DAI VLAN Configuration page, click Switching > Dynamic ARP Inspection > VLAN Configuration in the navigation panel.
Figure 27-18. Dynamic ARP Inspection VLAN Configuration
To view a summary of the DAI status for all VLANs, click Show All.
Figure 27-19.
DAI ACL Configuration
Use the DAI ACL Configuration page to add or remove ARP ACLs. To display the DAI ACL Configuration page, click Switching > Dynamic ARP Inspection > ACL Configuration in the navigation panel.
Figure 27-20. Dynamic ARP Inspection ACL Configuration
To view a summary of the ARP ACLs that have been created, click Show All.
Figure 27-21. Dynamic ARP Inspection ACL Summary
To remove an ARP ACL, select the Remove checkbox associated with the ACL and click Apply.
Figure 27-22. Dynamic ARP Inspection Rule Configuration
To view a summary of the ARP ACL rules that have been created, click Show All.
Figure 27-23. Dynamic ARP Inspection ACL Rule Summary
To remove an ARP ACL rule, select the Remove checkbox associated with the rule and click Apply.
DAI Statistics
Use the DAI Statistics page to display the statistics per VLAN. To display the DAI Statistics page, click Switching > Dynamic ARP Inspection > Statistics in the navigation panel.
Figure 27-24.
Configuring Traffic Snooping and Inspection (CLI)
This section provides information about the commands used for configuring DHCP snooping, IPSG, and DAI settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring DHCP Snooping
Use the following commands to configure and view DHCP snooping settings.
Command / Purpose
ip dhcp snooping database write-delay seconds
    Configure the interval, in seconds, at which the DHCP snooping database will be stored in persistent storage. The number of seconds can range from 15–86400.
interface interface
    Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. For a LAG, the interface type is port-channel.
clear ip dhcp snooping bindings
    Clear the DHCP snooping bindings for an interface.
Configuring IP Source Guard
Use the following commands to configure IPSG settings on the switch.
Command / Purpose
configure
    Enter global configuration mode.
interface interface
    Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. For a LAG, the interface type is port-channel.
show ip verify interface interface
    View IPSG parameters for a specific port or LAG. The interface parameter includes the interface type (gigabitethernet, tengigabitethernet, or port-channel) and number.
show ip verify source [interface interface]
    View IPSG bindings configured on the switch or on a specific port or LAG.
show ip source binding
    View IPSG bindings.
Configuring Dynamic ARP Inspection
Use the following commands to configure DAI settings on the switch.
Command / Purpose
remark string
    Configure a remark for the ACL.
permit ip host sender-ip mac host sender-mac
    Configure a rule for a valid IP address and MAC address combination used in ARP packet validation.
    • sender-ip — Valid IP address used by a host.
    • sender-mac — Valid MAC address in combination with the above sender-ip used by a host.
exit
    Exit to Global Config mode.
show ip arp inspection vlan [vlan-list]
    View the Dynamic ARP Inspection configuration on the specified VLAN(s). This command also displays the global configuration values for source MAC validation, destination MAC validation, and invalid IP validation.
show ip arp inspection statistics [vlan vlan-list]
    View the statistics of the ARP packets processed by Dynamic ARP Inspection for the switch or for the specified VLAN(s).
Traffic Snooping and Inspection Configuration Examples
This section contains the following examples:
• Configuring DHCP Snooping
• Configuring IPSG
Configuring DHCP Snooping
In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second.
To configure the switch:
1 Enable DHCP snooping on VLAN 100.
    console#config
    console(config)#ip dhcp snooping vlan 100
2 Configure LAG 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted by default.
Configuring IPSG
This example builds on the previous example and uses the same topology shown in Figure 27-25. In this configuration example, IP source guard is enabled on ports 1-20. DHCP snooping must also be enabled on these ports. Additionally, because the ports use IP source guard with source IP and MAC address filtering, port security must be enabled on the ports as well.
To configure the switch:
1 Enter interface configuration mode for the host ports and enable IPSG.
28 Link Aggregation
Dell EMC Networking N-Series Switches
This chapter describes how to create and configure link aggregation groups (LAGs), which are also known as port-channels. The topics covered in this chapter include:
• Link Aggregation
• Multi-Switch LAG (MLAG)
• Configuring Link Aggregation (Web)
• Configuring Link Aggregation (CLI)
Link Aggregation Overview
Link Aggregation allows one or more full-duplex Ethernet links of the same speed to be aggregated together to form a LAG.
Figure 28-1 shows an example of a switch in the wiring closet connected to a switch in the data center by a LAG that consists of four physical 10 Gbps links. The LAG provides full-duplex bandwidth of 40 Gbps between the two switches.
Figure 28-1. LAG Configuration
LAGs can be configured on stand-alone or stacked switches. In a stack of switches, the LAG can consist of ports on a single unit or across multiple stack members.
and thus cause undesirable network behavior. Both static and dynamic LAGs (via LACP) can detect physical link failures within the LAG and continue forwarding traffic through the other connected links within that same LAG. LACP can also detect switch or port failures that do not result in loss of link. This provides a more resilient LAG. Best practices suggest using dynamic link aggregation instead of static link aggregation.
• Excellent load balancing performance.
How Do LAGs Interact with Other Features?
From a system perspective, a LAG is treated just as a physical port, with the same configuration parameters (administrative enable/disable, spanning tree port priority, path cost) as any other physical port.
VLAN
When members are added to a LAG, they are removed from all existing VLAN membership.
• Each member of the LAG must be running at the same speed and must be in full-duplex mode.
• The port cannot be a mirrored port.
The following are the interface restrictions:
• The configured speed of a LAG member cannot be changed.
• An interface can be a member of only one LAG.
Default Link Aggregation Values
The LAGs on the switch are created by default, but no ports are members. Table 28-1 summarizes the default values for Link Aggregation.
Table 28-1.
Configuring Link Aggregation (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring LAGs on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. LAG Configuration Use the LAG Configuration page to set the name and administrative status (up/down) of a LAG.
To view or edit settings for multiple LAGs, click Show All. LACP Parameters Dynamic link aggregation is initiated and maintained by the periodic exchanges of LACP PDUs. Use the LACP Parameters page to configure LACP LAGs. To display the LACP Parameters page, click Switching Link Aggregation LACP Parameters in the navigation panel.
Figure 28-3. LACP Parameters Configuring LACP Parameters for Multiple Ports To configure LACP settings: 1 Open the LACP Parameters page. 2 Click Show All. The LACP Parameters Table page displays.
Figure 28-4. LACP Parameters Table 3 Select the Edit check box associated with each port to configure. 4 Specify the LACP port priority and LACP timeout for each port. 5 Click Apply. LAG Membership Your switch supports 48 LAGs per system, and eight ports per LAG. Use the LAG Membership page to assign ports to static and dynamic LAGs. To display the LAG Membership page, click Switching Link Aggregation LAG Membership in the navigation panel.
Figure 28-5. LAG Membership Adding a Port to a Static LAG To add a static LAG member: 1 Open the LAG Membership page. 2 Click in the LAG row on the desired port and enter the number of the LAG to which the port should be added. For example, the following figure shows ports Gi1-Gi4 being added to LAG 1, and ports Gi5-Gi8 being added to LAG 2. 3 Click Apply. The port is assigned to the selected LAG, and the device is updated.
LAG Hash Configuration

Use the LAG Hash Configuration page to set the traffic distribution mode on the LAG. The hash type can be set for each LAG. To display the LAG Hash Configuration page, click Switching → Link Aggregation → LAG Hash Configuration in the navigation panel.

Figure 28-6. LAG Hash Configuration

LAG Hash Summary

The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type.
Configuring Link Aggregation (CLI)

This section provides information about the commands used for configuring link aggregation settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.

Configuring LAG Characteristics

Use the following commands to configure a few of the available LAG characteristics.
Configuring Link Aggregation Groups

Use the following commands to add ports as LAG members and to configure the LAG hashing mode.

Command                Purpose
configure              Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example interface tengigabitethernet 1/0/3. A range of ports can be specified using the interface range command.
Command                Purpose
hashing-mode mode      Set the hashing algorithm on the LAG. The mode value is a number from 1 to 7.
Command                      Purpose
interface gi1/0/1            Enter physical interface configuration mode for a member of the desired LAG. A range of physical interfaces can be specified using the interface range command. For example, interface range gi1-3,10 configures Gigabit Ethernet interfaces 1, 2, 3, and 10.
lacp port-priority value     Set the Link Aggregation Control Protocol priority for the port or range of ports. The priority value range is 1–65535.
Link Aggregation Configuration Examples

This section contains the following examples:
• Configuring Dynamic LAGs
• Configuring Static LAGs

NOTE: The examples in this section show the configuration of only one switch. Because LAGs involve physical links between two switches, the LAG settings and member ports must be configured on both switches.

Configuring Dynamic LAGs

The commands in this example show how to configure a dynamic LAG on a switch.
3 View information about LAG 1.
3 View information about LAG 2.
Multi-Switch LAG (MLAG)

NOTE: This feature is not available on the Dell EMC Networking N1100-ON and N1500 Series switches.

Overview

In a typical Layer-2 network, the Spanning Tree Protocol (STP) is deployed to avoid packet storms due to loops in the network. To perform this function, STP sets ports into either a forwarding state or a blocking state. Ports in the blocking state do not carry traffic. In the case of a topology change, STP reconverges to a new loop-free network and updates the port states.
Deployment Scenarios

MLAG is intended to support higher bandwidth utilization in scenarios where a redundant Layer-2 network is desired. In such scenarios the effects of STP on link utilization are profound. Large percentages of links do not carry data because they are blocked and only a single path through the network carries traffic.

Figure 28-8. STP Blocking

MLAG reduces some of the bandwidth shortcomings of STP in a Layer-2 network.
Figure 28-9.
Definitions

Refer to Figure 28-10 for the definitions that follow.

Figure 28-10. MLAG Components

MLAG switches: MLAG aware switches running Dell EMC Networking Series switch firmware. No more than two MLAG aware switches can pair to form one end of the LAG. Stacked switches do not support MLAGs. In the above figure, SW1 and SW2 are MLAG peer switches. These two switches form a single logical end point for the MLAG from the perspective of switch A.
switches. Port-channel limitations and capabilities like min-links and maximum number of ports supported per LAG also apply to MLAG interfaces. MLAG member ports: Ports on the peer MLAG switches that are part of the MLAG interface (P1 on SW1 and S1 on SW2). Non-redundant ports: Ports on either of the peer switches that are not part of the MLAG (ports P4 and S4). MLAG interfaces and non-redundant ports cannot be members of the same VLAN, i.e.
– LACP parameters
  • Actor parameters
  • Admin key
  • Collector max-delay
  • Partner parameters

2 STP

The default STP mode for Dell EMC Networking N-Series switches is RSTP. VLANs cannot be configured to contain both MLAG ports and non-MLAG (non-redundant) ports. RSTP, MSTP, and STP-PV/RSTP-PV are supported with MLAG. The following STP configuration parameters must be identical on both MLAG peers.
– MTU
– Bandwidth
– VLAN configuration

The administrator should also ensure that the following are identical before enabling MLAG:
– FDB entry aging timers
– Static MAC entries
– ACL configuration

4 Interface Configuration
– PFC configuration
– CoS queue assignments

5 VLAN configuration in an L2 topology
– MLAG VLANs must span the MLAG topology and be configured on both MLAG peers. This means that every MLAG VLAN must connect to two partner LAGs.
Operation in the Network

Below is a sample MLAG topology and discussion:

Figure 28-11. Example MLAG Topology

In Figure 28-11:
1 VLAN 10 spans the MLAG network.
2 P and S are MLAG-aware peer devices. P stands for primary and S stands for secondary. The roles are elected after the DUTs exchange keep-alive messages. The two devices are connected with a peer-link {P3/P4–S3/S4}. Ports P1, S1 are members of MLAG1 and ports P2, S2 are members of MLAG2.
3 A port-channel must be configured as the peer-link.
Supported topologies and the way traffic is handled in these topologies are explained in the following sections. The MLAG component uses the keep-alive protocol to select a primary and a secondary device. The primary switch owns the MLAG member ports on the secondary device. It handles the control plane functionality of supported protocols for the MLAG member ports on the secondary.

Peer-Link

The peer-link is crucial for MLAG operation. The peer-link must be configured on a port-channel interface.
MLAG switch and traffic must egress through selected ports on the MLAG peer. These filters block incoming traffic on all VLANs configured on the peer link, not just those configured as part of an MLAG. Therefore, there is no connectivity between non-redundant ports across the peer-link.

Control Plane Election in MLAG Switches

The MLAG component uses the keep-alive protocol running on the peer link to select a primary and a secondary switch. The keep-alive protocol is mandatory.
DCPDP and Peer Link Failures

DCPDP is intended to provide a secondary layer of protection against peer link failures. If the peer-link goes down while the DCPDP protocol is enabled and remains up, the MLAG links on the MLAG secondary peer are disabled. The primary switch continues to forward traffic and, if LACP is enabled, send LACPDUs using the system MAC of the MLAG. Spanning tree reconvergence on the partner devices is avoided.
configured in a unique MST instance not shared with the MLAG domain. If the VLAN assigned to the redundant link is also configured on the peer link, traffic on that VLAN is blocked by MLAG. To configure the redundant link to be forwarding for the redundant MST instance, the link cost needs to be reduced in order for it to become the root port.
console(config-vpc 1)#role 10
console(config-vpc 1)#exit

Modifications to priority and timeout interval are effective only before the keep-alive protocol is enabled. Once enabled, MLAG switches contest in an election to select the primary and secondary switch. The election is non-preemptive. If configured, the system virtual MAC address MUST be the same on both of the MLAG peers.

3 Configure the peer-link. On each MLAG peer:
• Configure a port-channel as the peer-link for the MLAG devices.
4 Configure DCPDP (optional):
  a Configure a VLAN routing interface and assign a local IP address (different from the peer address).
  b Configure the peer-switch IP address (the destination IP address).
  c If needed, configure the UDP port number to send and receive the protocol messages.
  d Configure the source IP address.
  e Enable the protocol. The protocol starts running if MLAG is globally enabled.
to the primary switch for handling. FDB entries learned on MLAG interfaces are synced between the two devices.
3 Reboot the primary VPC device (VP). During the reboot, devices that are dual attached to the VPC MLAG pair detect the link loss and start forwarding the traffic towards the secondary VPC switch (VS).
4 While the VPC primary switch (VP) reboots, the secondary switch (VS) becomes the primary and forwards the traffic.
5 After the primary switch (VP) reboot is complete, it assumes the role of the secondary switch.
assigned, but MLAG VLANs cannot be used to route across MLAG or non-redundant VLANs, as the MLAG feature does not correlate failures in one VLAN with another VLAN to unblock packets crossing the MLAG peer-link.

Recommended Layer-3 Connectivity

The topology shown in Figure 28-12 uses the MLAG switches as Layer-2 switches. All VLANs traverse the MLAG topology from the top switches/routers to the bottom switches/routers. The LAGs for each VLAN host are in a separate VPC.
Alternative Recommended Layer-3 Connectivity

The loop-free topology shown in Figure 28-13 uses the MLAG switches as Layer-2 switches in an EOR role. The single VLAN traverses the MLAG topology from the top router to the bottom storage and servers. Multiple VLANs in different VPCs may be used to isolate clusters of storage/servers from each other.
Layer-3 VLAN Termination on MLAG Not Supported

In the “two-armed” fully routed scenario shown in Figure 28-14, both the routed network and the switched network are in the MLAG. Switched traffic to and from the upstream network is automatically unblocked over the peer-link when an MLAG link fails.
In the scenario shown in Figure 28-15 (similar to the previous scenario), the downstream router is not configured with a port-channel and uses ECMP or some other load sharing scheme to send packets to routed MLAG peers. MLAG cannot react appropriately to a link failure on the upstream router because the VLANs are routed across the MLAG peers. MLAG cannot logically connect the failure on VLAN 30 with non-redundant VLAN 20. Consequently, MLAG does not unblock VLAN 20 from traversing the peer link.
required to handle the case where a link from the router to one of the MLAG peers fails. Static routes must be added to the primary and secondary MLAG peers to route traffic addressed to the connected router across the backup routed link in the case of a failure of an MLAG link to the router.
Virtual Router Redundancy Protocol

If VRRP is enabled on a VLAN that has an MLAG port as its member, both VRRP routers become VRRP masters operationally in the VLAN. This is to allow load balancing of the northbound Layer-3 traffic on the MLAG. Since the peer-link is a member of the same routing VLANs as all MLAGs, both the primary and secondary MLAG routers see VRRP advertisements sent by the other router.
transmitted with the source MAC address as the physical MAC address and not the virtual MAC address. In the example in Figure 28-17, if the virtual MAC address is used as the source MAC address in the ARP from P to A, then S will consume the packet, as it is operationally a VRRP master too. The packet is forwarded to P if the physical MAC address is used. Note that the VLANs connecting A and B to the MLAG peers are extended to R1. P and S do not actually route packets.
Routing is not supported across multiple MLAGs (i.e., in two-tier topology). This is a fundamental limitation of MLAG, which is intended as a replacement for other, less efficient Layer-2 topologies. Should a multi-tier Layer-3 topology be desired, other well established and well understood techniques, such as ECMP and redundant router pairs, will allow a Layer-3 routed network to utilize bandwidth efficiently. Layer-3 routing is capable of routing packets around failed links and failed routers.
• On a failover from the primary MLAG peer to the secondary MLAG peer, the ports are made members of the secondary MLAG peer switch's spanning tree and spanning tree reconvergence may occur. The forwarding database and ARP cache are flushed and relearned.
• MLAG (VPC) status only shows correctly on the primary MLAG peer and does not show correctly on the secondary MLAG peer. Status is not forwarded from the primary MLAG peer to the secondary MLAG peer.
work properly; e.g., port mirroring for an MLAG link must be configured on both MLAG peer switches to capture the conversation from the MLAG partner switch. • A Yes entry indicates that the feature may be configured on an MLAG VLAN and will synchronize state across the MLAG peers. The configuration for features marked Yes must be identical on both switches. MLAG does not synchronize configuration with the MLAG peer.
Table 28-2. MLAG State Synchronization Per Feature (Continued)

Components                  MLAG State Synchronization Support
DOT1S                       Yes
Loop Guard                  No
FDB                         Yes
MACLOCK                     No
DVLAN                       No
DOT1AB                      No
IP Subnet-based VLANs       N/A
MACVLAN                     N/A
Protected Port              No
DHCP Snooping               No
IP Source Guard             No
Dynamic ARP Inspection      No
Auto-Negotiation            N/A
L2-Relay                    No
MRP                         No
MMRP                        No
MVRP                        No
DOT1AS                      No
802.
Basic Configuration Example

This example shows the configuration of the two MLAG peers and a single MLAG partner in the simplest possible configuration. No MLAG peer priorities are configured, nor is UDLD enabled on the peer-link. DCPDP is not enabled. The default spanning tree configuration is used and spanning-tree is disabled on the peer link. A system MAC address is assigned to both MLAG peers. The system virtual MAC address is used in the spanning-tree BPDUs and LACPDUs.
MLAG-Peer-A(config-if-Po2)#vpc 1
MLAG-Peer-A(config-if-Po2)#exit
MLAG-Peer-A(config)#snmp-server engineid local 800002a203001ec9dec52b
MLAG-Peer-A(config)#snmp-server agent boot count 2
MLAG-Peer-A(config)#feature vpc
MLAG-Peer-A(config)#vpc domain 3
MLAG-Peer-A(config-vpc 3)#system-mac 0011.2233.
MLAG Peer B Current Configuration:
• System Description “Dell EMC Networking N3024F, 6.0.0.0, Linux 3.6.5858bcf6e”
• System Software Version 6.0.0.
MLAG-Peer-B(config)#exit

MLAG Partner Current Configuration:
• System Description “Dell EMC Networking N2048, 6.0.0.0, Linux 3.6.5858bcf6e”
• System Software Version 6.0.0.
Status Reporting

The status outputs of the various VPC commands are self-explanatory. Both the configured and operational status is shown in the outputs. Additional commands are shown below that may be useful in troubleshooting MLAG configuration or operational issues. All of the commands below are run on the MLAG primary switch except as noted otherwise.

MLAG-Peer-A(config)#show vpc brief
VPC admin status...............................
Keep-alive admin status........................
LAG-SW(config)#show vpc role

Self
----
Keep-alive admin status........................ Disabled
Keep-alive operational status.................. Disabled
Priority....................................... 100
System MAC address............................. 001E.C9DE.B777
Time-out....................................... 5
VPC admin status............................... Disabled
VPC role....................................... None

Peer
----
Priority....................................... 0
VPC role..................
MLAG-Peer-A(config)#show interfaces status po2

Port      Description
Channel
-------   -----------------------------
Po2

Operational State.............................. Up
Admin Mode..................................... Enabled
Port Channel Flap Count........................
MLAG-Peer-B#show vpc statistics peer-link
Peer link control messages transmitted.........
Peer link control messages Tx errors...........
Peer link control messages Tx timeout..........
Peer link control messages ACK transmitted.....
Peer link control messages ACK Tx errors.......
Peer link control messages received............
Peer link data messages transmitted............
A Complete MLAG Example

The following example configures eight VLANs (10–17) across two VPCs. VPC 1 is connected to a Dell EMC Networking N2048 over two links (gi1/0/23-24) over port-channel 2 on each MLAG peer. Interfaces Te1/0/1-2 on each MLAG peer connect to each other on port-channel 1 utilizing LACP. UDLD is enabled on the two MLAG peer-links and the timers are configured to the minimum values. DCPDP is enabled on VLAN 100 (interface gi1/0/8 on each MLAG peer).
MLAG-Peer-A(config-if-vlan100)#ip address 192.168.0.1 255.255.255.
MLAG-Peer-A(config-if-Te1/0/2)#exit
MLAG-Peer-A(config)#interface port-channel 1
MLAG-Peer-A(config-if-Po1)#description “MLAG-Peer-Link”
MLAG-Peer-A(config-if-Po1)#switchport mode trunk
MLAG-Peer-A(config-if-Po1)#switchport trunk allowed vlan 1-99,101-4093
MLAG-Peer-A(config-if-Po1)#vpc peer-link
MLAG-Peer-A(config-if-Po1)#spanning-tree mst 2 cost 50000
MLAG-Peer-A(config-if-Po1)#exit
MLAG-Peer-A(config)#interface port-channel 2
MLAG-Peer-A(config-if-Po2)#switchport mode trunk
MLAG-Peer-A(config-if-Po2)#swit
MLAG Peer B Configuration

Current Configuration:
• System Description “Dell EMC Networking N3024F, 6.0.0.0, Linux 3.6.5858bcf6e”
• System Software Version 6.0.0.
MLAG-Peer-B(config-if-Gi1/0/23)#description “MLAG-Partner-Link”
MLAG-Peer-B(config-if-Gi1/0/23)#exit
MLAG-Peer-B(config)#interface Gi1/0/24
MLAG-Peer-B(config-if-Gi1/0/24)#channel-group 2 mode active
MLAG-Peer-B(config-if-Gi1/0/24)#description “MLAG-Partner-Link”
MLAG-Peer-B(config-if-Gi1/0/24)#exit
MLAG-Peer-B(config)#interface Te1/0/1
MLAG-Peer-B(config-if-Te1/0/1)#channel-group 1 mode active
MLAG-Peer-B(config-if-Te1/0/1)#description “MLAG-Peer-Link”
MLAG-Peer-B(config-if-Te1/0/1)#udld enable
MLAG-Peer-B
MLAG-Peer-B(config)#snmp-server engineid local 800002a203001ec9dec513
MLAG-Peer-B(config)#snmp-server agent boot count 3
MLAG-Peer-B(config)#feature vpc
MLAG-Peer-B(config)#vpc domain 1
MLAG-Peer-B(config-vpc 1)#peer-keepalive enable
MLAG-Peer-B(config-vpc 1)#peer-keepalive destination 192.168.0.1 source 192.168.0.
LAG-SW(config-if-Gi1/0/3)#channel-group 1 mode active
LAG-SW(config-if-Gi1/0/3)#exit
LAG-SW(config)#interface Gi1/0/4
LAG-SW(config-if-Gi1/0/4)#channel-group 1 mode active
LAG-SW(config-if-Gi1/0/4)#exit
LAG-SW(config)#interface port-channel 1
LAG-SW(config-if-Po1)#switchport mode trunk
LAG-SW(config-if-Po1)#exit
LAG-SW(config)#snmp-server engineid local 800002a203001ec9deb777
LAG-SW(config)#snmp-server agent boot count 3
LAG-SW(config)#exit

Cisco 3750 MLAG Partner Configuration

Current configuration: 1913
vlan internal allocation policy ascending
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface Gi
ip classless
ip http server
ip http secure-server
control-plane
line con 0
line vty 5 15
end
Status Reporting

The following shows the status of various components of the switches in the above configuration. The switch prompts identify the switch on which the status is shown. To obtain accurate status, the commands below are run on the primary MLAG switch unless noted otherwise.

Spanning Tree Status

Old-Iron-3750#show spanning-tree
MST0
  Spanning tree enabled protocol mstp
  Root ID    Priority    32768
             Address     0013.c4bd.
LAG-SW#show spanning-tree
Spanning tree Enabled
BPDU flooding Disabled
Portfast BPDU filtering Disabled
mode mst
CST Regional Root: 80:00:00:1E:C9:DE:B7:77
Regional Root Path Cost: 0
###### MST 0 Vlan Mapped: 1
ROOT ID    Priority 32768
           Address 0013.C4BD.F080
           Path Cost 5000
           Root Port Po1
           Hello Time 2 Sec  Max Age 20 sec  Forward Delay 15 sec
Bridge Max Hops 20
Bridge ID  Priority 32768
           Address 001E.C9DE.
(Per-interface rows Gi1/0/24–Gi1/0/48, Te1/0/1–2, Tw1/0/1–2 and Po1–Po43 follow, each with State Enabled; the remaining columns are truncated in the source.)
Hello Time 2 Sec  Max Age 20 sec  Forward Delay 15 sec  TxHoldCount 6 sec

Name       State
---------  --------
(Per-interface rows Gi1/0/1–Gi1/0/24, Te1/0/1–2, Tw1/0/1–2 and Po1–Po4 follow, each with State Enabled; the remaining columns are truncated in the source.)
MLAG Status

MLAG-Peer-A#show vpc brief
VPC config Mode................................ Enabled
Keepalive config mode.......................... Enabled
VPC operational Mode........................... Enabled
Self Role...................................... Primary
Peer Role...................................... Secondary
Peer detection................................. Peer detected, Operational

VPC Peer-Link details
-----------------
Interface...................................... Po1
Peer link status........
VPC id# 2
----------
Interface...................................... Po3
Configured Vlans............................... 1,10,11,12,13,14,15,16,17
VPC Interface State............................ Active

MLAG-Peer-A#show vpc 1
VPC id# 1
----------------
Config mode.................................... Enabled
Operational mode............................... Enabled
Port channel...................................
MLAG-Peer-A#show vpc peer-keepalive
Peer IP address................................ 192.168.0.2
Source IP address.............................. 192.168.0.1
UDP port....................................... 50000
Peer detection................................. Enabled
Peer detection operational status.............. Up
Peer is detected............................... TRUE

MLAG-Peer-A#show vpc statistics peer-keepalive
Total transmitted..............................
Tx successful................................
29 MAC Addressing and Forwarding

Dell EMC Networking N-Series Switches

Dell EMC Networking N-Series switches implement a MAC Learning Bridge in compliance with IEEE 802.1Q. The N-Series switches implement independent VLAN learning (IVL).
Static addresses are configured by the administrator and added to the table. Dynamic addresses are learned by examining information in the Ethernet frame. When a frame arrives on a port, the switch looks at the frame header to learn the source MAC address of the frame, then adds the address, VLAN ID, and the ingress port to the MAC address table. The address table is constantly updated as new addresses are learned, and unused addresses age out.
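The learning-bridge behaviour just described, modelled as an added Python example (not Dell firmware code): the table is keyed on (VLAN, MAC) because of IVL, static entries are administrator-configured and never age, and dynamic entries that are not refreshed age out. Port names, MAC addresses and timings are constructed for the demonstration.

```python
"""Independent VLAN learning (IVL) MAC address table, modelled in Python.

Added example, not Dell firmware code. A frame's source MAC is learned against
its VLAN and ingress port; static entries override learning and never age;
dynamic entries expire after the aging interval.
"""
from __future__ import annotations
from dataclasses import dataclass

FLOOD = "FLOOD"  # destination unknown in this VLAN: flood within the VLAN
DROP = "DROP"    # destination lives on the ingress port: filter the frame


@dataclass
class Entry:
    port: str
    static: bool
    last_seen: float  # seconds; unused for static entries


class IvlMacTable:
    def __init__(self, aging_seconds: float = 300.0):
        self.aging_seconds = aging_seconds
        self.entries: dict[tuple[int, str], Entry] = {}

    @staticmethod
    def _key(vlan: int, mac: str) -> tuple[int, str]:
        # IVL keys the table on (VLAN, MAC): the same MAC may legitimately be
        # learned on different ports in different VLANs.
        return (vlan, mac.lower())

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        """Administrator-configured entry; blocks learning and never ages."""
        self.entries[self._key(vlan, mac)] = Entry(port, True, 0.0)

    def learn(self, vlan: int, src_mac: str, ingress_port: str, now: float) -> bool:
        """Learn or refresh a dynamic entry; False if a static entry blocks it."""
        key = self._key(vlan, src_mac)
        current = self.entries.get(key)
        if current is not None and current.static:
            return False
        self.entries[key] = Entry(ingress_port, False, now)
        return True

    def lookup(self, vlan: int, dst_mac: str, ingress_port: str) -> str:
        """Forwarding decision for a frame: egress port, FLOOD or DROP."""
        entry = self.entries.get(self._key(vlan, dst_mac))
        if entry is None:
            return FLOOD
        if entry.port == ingress_port:
            return DROP
        return entry.port

    def process_frame(self, vlan: int, src_mac: str, dst_mac: str,
                      ingress_port: str, now: float) -> str:
        """Source learning followed by destination lookup, as the bridge does
        for every received frame."""
        self.learn(vlan, src_mac, ingress_port, now)
        return self.lookup(vlan, dst_mac, ingress_port)

    def age_out(self, now: float) -> list[tuple[int, str]]:
        """Remove dynamic entries not refreshed within the aging interval."""
        expired = [k for k, e in self.entries.items()
                   if not e.static and now - e.last_seen >= self.aging_seconds]
        for k in expired:
            del self.entries[k]
        return expired

    def count(self) -> int:
        return len(self.entries)


if __name__ == "__main__":
    table = IvlMacTable(aging_seconds=300)
    # Constructed traffic: the same MAC appears as different stations in VLAN 10
    # (port Gi1/0/1) and VLAN 20 (port Gi1/0/2); IVL keeps both entries apart.
    table.process_frame(10, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "Gi1/0/1", 0)
    table.process_frame(20, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "Gi1/0/2", 0)
    print(table.lookup(10, "00:11:22:33:44:55", "Gi1/0/5"))  # Gi1/0/1
    print(table.lookup(20, "00:11:22:33:44:55", "Gi1/0/5"))  # Gi1/0/2
    print(table.age_out(400))  # both dynamic entries have aged out
```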
Managing the MAC Address Table (Web)

This section provides information about the OpenManage Switch Administrator pages to use to manage the MAC address table on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click Help at the top of the Dell EMC OpenManage Switch Administrator web page.
Figure 29-2. Adding Static MAC Address

3 Select the interface to associate with the static address.
4 Specify the MAC address and an associated VLAN ID.
5 Click Apply. The new static address is added to the Static MAC Address Table, and the device is updated.
Global Address Table

The Global Address Table page contains fields for querying information in the MAC address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports. The Global Address Table also contains information about the type of MAC address, i.e. Static, Learned, or Other.
Managing the MAC Address Table (CLI)

This section provides information about the commands you use to manage the MAC address table on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command                                                                     Purpose
show mac address-table {vlan vlan | interface interface [vlan vlan-id]}     View information about the MAC addresses that have been configured or learned on the switch, a specific VLAN, or an interface (Ethernet port or LAG/port-channel).
show mac address-table count [{vlan vlan-id | interface interface}]         View information about the number of addresses that have been configured or learned on the switch, a specific VLAN, or an interface (Ethernet port or LAG/port-channel).
30 DHCP Server Settings

Dell EMC Networking N2000, N2100-ON, N2200-ON, N3000E-ON, and N3100-ON Series Switches

This chapter describes how to configure the switch to dynamically assign network information to hosts by using the Dynamic Host Configuration Protocol (DHCP).

NOTE: The DHCP server is not available on the Dell EMC Networking N1500 Series switch.
Dell EMC Networking N-Series switches support a DHCP client for obtaining the switch address from the network, an IPv4 DHCP server for serving IPv4 addresses to DHCP clients in the network, Layer-2 and Layer-3 DHCP relay for relaying IPv4 address assignments from network-based DHCP servers to clients in the same or different subnets, and DHCP snooping for protecting the switch and DHCP clients from certain security risks.
What are DHCP Options?

DHCP options are collections of data with type codes that indicate how the options should be used. Options can specify information that is required for the DHCP protocol, IP stack configuration parameters for the client, information allowing the client to rendezvous with DHCP servers, and so on. When a client broadcasts a request for information, the request includes the option codes that correspond to the information the client wants the DHCP server to supply.
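The option layout described above, as an added Python example (not Dell firmware code): it parses the TLV-encoded options field of a client message, reads the parameter request list (option 55) that names the codes the client wants, and serialises the reply options a server would return for them. The DISCOVER bytes, the option values and the pool name are constructed for the demonstration.

```python
"""DHCP options as a TLV stream (RFC 2132 layout), parsed and built in Python.

Added example, not Dell firmware code. Each option is a one-byte code, a
one-byte length and that many data bytes; PAD (0) and END (255) are a single
byte. Option 55, the parameter request list, carries the codes the client
wants the server to supply.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_HOSTNAME, OPT_LEASE_TIME, OPT_MSG_TYPE = 12, 51, 53
OPT_PARAM_REQUEST, OPT_CLIENT_ID = 55, 61


class DhcpOptionError(ValueError):
    pass


def parse_options(data: bytes) -> dict:
    """Return {code: raw value bytes}; raise on truncated or malformed input."""
    if not data.startswith(MAGIC_COOKIE):
        raise DhcpOptionError("missing DHCP magic cookie")
    options = {}
    i = len(MAGIC_COOKIE)
    while i < len(data):
        code = data[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return options
        if i + 1 >= len(data):
            raise DhcpOptionError("option %d has no length byte" % code)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:          # length field points past the buffer
            raise DhcpOptionError("option %d length %d runs past end" % (code, length))
        # RFC 3396: a code that appears more than once has its data concatenated
        options[code] = options.get(code, b"") + value
        i += 2 + length
    raise DhcpOptionError("options not terminated by END")


def decode_ipv4_list(value: bytes) -> list:
    if len(value) == 0 or len(value) % 4:
        raise DhcpOptionError("address list length %d is not a multiple of 4" % len(value))
    return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]


def decode_option(code: int, value: bytes):
    """Typed view of the options this example cares about; others stay raw."""
    if code == OPT_MSG_TYPE:
        return value[0]
    if code in (OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS):
        return decode_ipv4_list(value)
    if code == OPT_LEASE_TIME:
        return struct.unpack("!I", value)[0]
    if code == OPT_PARAM_REQUEST:
        return list(value)
    if code == OPT_HOSTNAME:
        return value.decode("ascii", "replace")
    if code == OPT_CLIENT_ID:
        return value.hex(":")
    return value


def build_reply_options(requested: list, offered: dict) -> bytes:
    """Serialise the requested options the server can supply, in request order."""
    out = bytearray(MAGIC_COOKIE)
    for code in requested:
        value = offered.get(code)
        if value is None or len(value) > 255:
            continue                      # not configured, or would need RFC 3396 splitting
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def answer_discover(discover: bytes, offered: dict) -> bytes:
    """Parse a client's options and build reply options for what it asked for."""
    requested = decode_option(OPT_PARAM_REQUEST,
                              parse_options(discover).get(OPT_PARAM_REQUEST, b""))
    return build_reply_options(requested, offered)


# Constructed DISCOVER options: message type 1, hostname, parameter request list
SAMPLE_DISCOVER = (MAGIC_COOKIE
                   + bytes([OPT_MSG_TYPE, 1, 1])
                   + bytes([OPT_HOSTNAME, 8]) + b"LabHost1"
                   + bytes([OPT_PARAM_REQUEST, 4, OPT_SUBNET_MASK, OPT_ROUTER,
                            OPT_DNS, OPT_LEASE_TIME])
                   + bytes([OPT_END]))

# Constructed values a pool like the "Engineering" example in this chapter offers
ENGINEERING_POOL = {
    OPT_SUBNET_MASK: ipaddress.IPv4Address("255.255.255.0").packed,
    OPT_ROUTER: ipaddress.IPv4Address("192.168.5.1").packed,
    OPT_DNS: (ipaddress.IPv4Address("192.168.1.5").packed
              + ipaddress.IPv4Address("192.168.2.5").packed),
    OPT_LEASE_TIME: struct.pack("!I", 60 * 86400),   # the 60-day maximum lease
}
```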
Default DHCP Server Values

By default, the DHCP server is disabled, and no address pools are configured. You must create at least one address pool and enable the DHCP server to allow the switch to dynamically assign network information to hosts with DHCP clients that broadcast requests. The DHCP server can lease a maximum of 256 addresses. The Dell EMC Networking DHCP server does not offer infinite leases. The maximum lease time offered is 60 days, which corresponds to an infinite setting in the UI.
Configuring the DHCP Server (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCP server on a Dell EMC Networking N-Series switch. For details about the fields on a page, click Help at the top of the Dell EMC OpenManage Switch Administrator web page.

DHCP Server Network Properties

Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools.
Adding Excluded Addresses

To exclude an address:
1 Open the Network Properties page.
2 Click Add Excluded Addresses to display the Add Excluded Addresses page.
3 In the From field, enter the first IP address to exclude from any configured address pool.
4 If the address in the From field is the only address to exclude, or if the excluded addresses are non-contiguous, leave the To field as the default value of 0.0.0.0. Otherwise, enter the last IP address to exclude from a contiguous range of IP addresses.
Deleting Excluded Addresses

To remove an excluded address:
1 Open the Network Properties page.
2 Click Delete Excluded Addresses to display the Delete Excluded Addresses page.
3 Select the check box next to the address or address range to delete.

Figure 30-4. Delete Excluded Addresses

4 Click Apply.

Address Pool

Use the Address Pool page to create the pools of IP addresses and other network information that can be assigned by the server.
Figure 30-5. Address Pool

Adding a Network Pool

To create and configure a network pool:
1 Open the Address Pool page.
2 Click Add Network Pool to display the Add Network Pool page.
3 Assign a name to the pool and complete the desired fields. In Figure 30-6, the network pool name is Engineering, and the address pool contains all IP addresses in the 192.168.5.0 subnet, which means a client that receives an address from the DHCP server might lease an address in the range of 192.168.5.1 to 192.168.5.254.
Figure 30-6. Add Network Pool

The Engineering pool also configures clients to use 192.168.5.1 as the default gateway IP address and 192.168.1.5 and 192.168.2.5 as the primary and secondary DNS servers.

NOTE: The IP address 192.168.5.1 should be added to the global list of excluded addresses so that it is not leased to a client.

4 Click Apply.

Adding a Static Pool

To create and configure a static pool of IP addresses:
1 Open the Address Pool page.
In Figure 30-7, the Static pool name is Lab, and the name of the client in the pool is LabHost1. The client’s MAC address is mapped to the IP address 192.168.11.54, the default gateway is 192.168.11.1, and the DNS servers the client will use have IP addresses of 192.168.5.100 and 192.168.2.5.

Figure 30-7. Add Static Pool

4 Click Apply.
Address Pool Options

Use the Address Pool Options page to view manually configured options. Options can be defined when an address pool is created or can be added to existing address pools. To display the Address Pool Options page, click Routing → IP → DHCP Server → Address Pool Options in the navigation panel.

Figure 30-8. Address Pool Options

Defining DHCP Options

To configure DHCP options:
1 Open the Address Pool page.
2 Select the Add Options check box.
Figure 30-9. Add DHCP Option

5 Click Apply.
6 To verify that the option has been added to the address pool, open the Address Pool Options page.
Figure 30-10. View Address Pool Options

DHCP Bindings

Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server. To display the DHCP Bindings page, click Routing → IP → DHCP Server → DHCP Bindings in the navigation panel.

Figure 30-11. DHCP Bindings

DHCP Server Reset Configuration

Use the Reset Configuration page to clear the client bindings for one or more clients.
To display the Reset Configuration page, click Routing → IP → DHCP Server → Reset Configuration in the navigation panel.

Figure 30-12. Reset DHCP Bindings

DHCP Server Conflicts Information

Use the Conflicts Information page to view information about clients that have leased an IP address that is already in use on the network. To display the Conflicts Information page, click Routing → IP → DHCP Server → Conflicts Information in the navigation panel.

Figure 30-13.
DHCP Server Statistics

Use the Server Statistics page to view general DHCP server statistics, messages received from DHCP clients, and messages sent to DHCP clients. To display the Server Statistics page, click Routing → IP → DHCP Server → Server Statistics in the navigation panel.

Figure 30-14.
Configuring the DHCP Server (CLI)
This section provides information about the commands used for configuring and monitoring the DHCP server and address pools. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global DHCP Server Settings
Use the following commands to configure settings for the DHCP server.
Configuring a Dynamic Address Pool
Use the following commands to create an address pool with network information that is dynamically assigned to hosts with DHCP clients that request the information.
Command    Purpose
configure    Enter Global Configuration mode.
ip dhcp pool name    Create a DHCP address pool and enter DHCP pool configuration mode.
network network-ip [mask | prefix-length]    Configure the subnet number and mask for a DHCP address pool.
Configuring a Static Address Pool
Use the following commands to create a static address pool and specify the network information for the pool. The network information configured in the static address pool is assigned only to the host with the hardware address or client identifier that matches the information configured in the static pool.
Command    Purpose
configure    Enter Global Configuration mode.
ip dhcp pool name    Create a DHCP address pool and enter DHCP pool configuration mode.
Command    Purpose
lease {days [hours] [minutes] | infinite}    Specify the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client.
• days — Days the lease is valid (Range 0–59, Default is 1). The hours and minutes can optionally be specified after the days.
• infinite — 60 day lease. The Dell EMC Networking DHCP server does not offer infinite leases. A setting of infinite corresponds to 60 days.
default-router address1 [address2....
Command    Purpose
clear ip dhcp conflict {address | *}    Clear an address conflict from the DHCP Server database. Use * to clear all conflicts.
show ip dhcp server statistics    View DHCP server statistics.
clear ip dhcp server statistics    Reset all DHCP server statistics to zero.
5 Specify the domain name to be assigned to clients that lease an address from this pool.
console(config-dhcp-pool)#domain-name engineering.dell.com
console(config-dhcp-pool)#exit
6 In Global Configuration mode, add the addresses to exclude from the pool. Clients will not be assigned these IP addresses.
console(config)#ip dhcp excluded-address 192.168.5.1 192.168.5.20
console(config)#ip dhcp excluded-address 192.168.5.100
7 Enable the DHCP server on the switch.
Configuring a Static Address Pool
The commands in this example create an address pool that assigns the address 192.168.2.10 to the host with a MAC address of 00:1C:23:55:E9:F3. When this host sends a DHCP message requesting network information, the switch will offer the information configured in this example, which includes a custom DHCP option to assign the SMTP server IP address.
Lease Time........................ 1 days 0 hrs 0 mins
DNS Servers....................... 192.168.2.101
Default Routers................... 192.168.2.1
Domain Name....................... executive.dell.com
Option............................ 69 ip 192.168.1.
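The pool rules described in this section (excluded addresses are never offered, a static pool binds one hardware address to one address, an address found in use elsewhere is recorded as a conflict, and an "infinite" lease is really 60 days) can be modelled in a few lines. The following Python is an added example written for this guide, not the switch firmware; the pool network, the excluded ranges and the MAC address are taken from the CLI examples above, while the class and function names and the extra client MAC addresses are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Set

MAX_LEASE_DAYS = 60  # the switch caps an "infinite" lease at 60 days


def lease_seconds(days: int = 1, hours: int = 0, minutes: int = 0,
                  infinite: bool = False) -> int:
    """Lease length in seconds for the CLI form: lease {days [hours] [minutes] | infinite}."""
    if infinite:
        return MAX_LEASE_DAYS * 86400
    if not 0 <= days <= 59:
        raise ValueError("days must be in the range 0-59")
    return days * 86400 + hours * 3600 + minutes * 60


class DhcpServer:
    """Hypothetical model of address selection; not the switch's implementation."""

    def __init__(self) -> None:
        self.pools: List[ipaddress.IPv4Network] = []          # dynamic pool networks
        self.excluded: Set[ipaddress.IPv4Address] = set()     # ip dhcp excluded-address
        self.static: Dict[str, ipaddress.IPv4Address] = {}    # hardware address -> fixed address
        self.bindings: Dict[str, ipaddress.IPv4Address] = {}  # active leases (DHCP Bindings page)
        self.conflicts: Set[ipaddress.IPv4Address] = set()    # addresses seen in use on the network

    def add_pool(self, network: str) -> None:
        self.pools.append(ipaddress.IPv4Network(network))

    def exclude(self, low: str, high: Optional[str] = None) -> None:
        """Exclude a single address or an inclusive range, as the CLI does."""
        lo = ipaddress.IPv4Address(low)
        hi = ipaddress.IPv4Address(high) if high else lo
        for n in range(int(lo), int(hi) + 1):
            self.excluded.add(ipaddress.IPv4Address(n))

    def add_static(self, mac: str, address: str) -> None:
        self.static[mac.lower()] = ipaddress.IPv4Address(address)

    def mark_conflict(self, address: str) -> None:
        """Record an address already in use elsewhere; it is withdrawn from any lease."""
        addr = ipaddress.IPv4Address(address)
        self.conflicts.add(addr)
        for mac, bound in list(self.bindings.items()):
            if bound == addr:
                del self.bindings[mac]

    def offer(self, mac: str) -> Optional[ipaddress.IPv4Address]:
        """Return the address this client is offered, or None if the pool is exhausted."""
        mac = mac.lower()
        if mac in self.bindings:          # renewing client keeps its lease
            return self.bindings[mac]
        if mac in self.static:            # static pool entry wins over dynamic allocation
            self.bindings[mac] = self.static[mac]
            return self.static[mac]
        in_use = set(self.bindings.values()) | set(self.static.values())
        for net in self.pools:
            for host in net.hosts():
                if host in self.excluded or host in in_use or host in self.conflicts:
                    continue
                self.bindings[mac] = host
                return host
        return None

    def release(self, mac: str) -> None:
        self.bindings.pop(mac.lower(), None)


def example_server() -> DhcpServer:
    """Server configured like the CLI examples above (values from the guide)."""
    srv = DhcpServer()
    srv.add_pool("192.168.5.0/24")
    srv.exclude("192.168.5.1", "192.168.5.20")
    srv.exclude("192.168.5.100")
    srv.add_static("00:1C:23:55:E9:F3", "192.168.2.10")
    return srv
```

Running `example_server().offer("aa:bb:cc:00:00:01")` yields 192.168.5.21, the first address after the excluded range; the host with the static entry always receives 192.168.2.10 regardless of the dynamic pool.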
31 IP Routing
Dell EMC Networking N1500, N2000, N2100-ON, N2200-ON, N3000-ON, N3100-ON Series Switches
NOTE: Dell EMC Networking N1100-ON Series switches do not support IP routing.
This chapter describes how to configure routing on the switch, including global routing settings, Address Resolution Protocol (ARP), router discovery, and static routes.
Table 31-1. IP Routing Features (Continued)
Feature    Description
Default gateway    The switch supports a single default gateway. A manually configured default gateway is preferred over a default gateway learned from a DHCP server.
ARP table    The switch maintains an ARP table that maps an IP address to a MAC address. Static ARP entries can be created in the table and various ARP table settings can be managed, such as the aging time of dynamically-learned entries.
Default IP Routing Values Table 31-2 shows the default values for the IP routing features this chapter describes. Table 31-2.
Table 31-2. IP Routing Defaults (Continued)
Parameter    Default Value
Route Preference Values    Preference values are as follows:
• Local—0
• Static—1
• OSPF Intra—110
• OSPF Inter—110
• OSPF External—110
• RIP—120
IP Path MTU and Path MTU Discovery
The IP stack maintains an IP MTU for each route in its routing table. Conceptually, the route’s path MTU defaults to the IP MTU of the outgoing interface. The IP MTU of an interface is set automatically based upon the switch MTU.
ARP Table The router maintains an ARP table that associates a MAC address (Link layer address) and outgoing port with an IP address and VLAN (Network layer address). The ARP table is dynamically updated with the station MAC address and outgoing port information for directly attached subnets. ARP entries are associated with the VLAN (subnet) on which the IP address or route is known. The router broadcasts an ARP request in the associated VLAN for any unknown MAC address to which it needs to route packets.
Configuring IP Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv4 routing features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. IP Configuration Use the Configuration page to configure routing parameters for the switch as opposed to an interface.
IP Statistics
The IP statistics reported on the Statistics page are as specified in RFC 1213. To display the page, click Routing > IP > Statistics in the navigation panel.
Figure 31-2.
ARP Create
Use the Create page to add a static ARP entry to the Address Resolution Protocol table. To display the page, click Routing > ARP > Create in the navigation panel.
Figure 31-3.
ARP Table Configuration
Use the Table Configuration page to change the configuration parameters for the Address Resolution Protocol Table. This page can also display the contents of the table. To display the page, click Routing > ARP > Table Configuration in the navigation panel.
Figure 31-4.
Router Discovery Configuration
Use the Configuration page to enter or change router discovery parameters. To display the page, click Routing > Router Discovery > Configuration in the navigation panel.
Figure 31-5.
Router Discovery Status
Use the Status page to display router discovery data for each interface. To display the page, click Routing > Router Discovery > Status in the navigation panel.
Figure 31-6.
Route Table
Use the Route Table page to display the contents of the routing table. To display the page, click Routing > Router > Route Table in the navigation panel.
Figure 31-7.
Best Routes Table
Use the Best Routes Table page to display the best routes from the routing table. To display the page, click Routing > Router > Best Routes Table in the navigation panel.
Figure 31-8.
Route Entry Configuration
Use the Route Entry Configuration page to add new and configure router routes. To display the page, click Routing > Router > Route Entry Configuration in the navigation panel.
Figure 31-9. Route Entry Configuration
Adding a Route and Configuring Route Preference
To configure routing table entries:
1 Open the Route Entry Configuration page.
Figure 31-10.
2 Next to Route Type, use the drop-down box to add a Default, Static, or Static Reject route. The fields to configure are different for each route type.
• Default — Enter the default gateway address in the Next Hop IP Address field.
• Static — Enter values for Network Address, Subnet Mask, Next Hop IP Address, and Preference.
• Static Reject — Enter values for Network Address, Subnet Mask, and Preference.
3 Click Apply. The new route is added to the routing table.
Configured Routes
Use the Configured Routes page to display the routes that have been manually configured.
NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped.
To display the page, click Routing > Router > Configured Routes in the navigation panel.
Figure 31-11. Configured Routes
To remove a configured route, select the check box in the Remove column of the route to delete, and click Apply.
Route Preferences Configuration
Use the Route Preferences Configuration page to configure the default preference for each protocol (for example 60 for static routes). These values are arbitrary values that range from 1 to 255, and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. To display the page, click Routing > Router > Route Preferences Configuration in the navigation panel.
Figure 31-12.
Configuring IP Routing Features (CLI)
This section provides information about the commands used for configuring IPv4 routing on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global IP Routing Settings
Use the following commands to configure various global IP routing settings for the switch.
Configuring ARP Settings
Use the following commands to configure static ARP entries in the ARP cache and to specify the settings for the ARP cache.
Command    Purpose
configure    Enter global configuration mode.
arp ip-address hardware-address    Create a static ARP entry in the ARP table.
• ip-address — IP address of a device on a subnet attached to an existing routing interface.
• hardware-address — A unicast MAC address for that device.
arp timeout seconds    Configure the ARP entry ageout time.
Configuring Router Discovery (IRDP)
Use the following commands to configure IRDP settings.
Command    Purpose
configure    Enter global configuration mode.
interface interface    Enter interface configuration mode for the specified VLAN routing interface. The interface variable includes the interface type (vlan) and number, for example vlan 100.
ip irdp    Enable IRDP on the interface.
ip irdp address ip-address    Configure the address that the interface uses to send the router discovery advertisements.
Configuring Route Table Entries and Route Preferences
Use the following commands to configure route table entries and route preferences.
Command    Purpose
configure    Enter global configuration mode.
ip route default nextHopIp [preference]    Configure the default route.
• nextHopIp — IP address of the next hop router.
• preference — Specifies the preference value (administrative distance) of an individual static route.
Command    Purpose
show ip route [ip-address [mask | prefix-length]]    View the routing table.
• ip-address — Specifies the network for which the route is to be displayed and displays the best matching route for the address.
• mask — Subnet mask of the IP address.
• prefix-length — Length of prefix, in bits. Must be preceded with a forward slash (‘/’). (Range: 0-32 bits)
show ip route summary    View summary information about the routing table.
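The route selection that `show ip route ip-address` and the Best Routes Table page report (longest prefix first, then lowest route preference, with a static reject route sending traffic to Null0) is shown below as an added Python example written for this guide; it is not the switch's routing code. The preference values come from Table 31-2 and the addresses from the IP Routing Configuration Example that follows; the RIP and static reject routes, and all function and class names, are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Default route preference (administrative distance) per protocol, from Table 31-2.
DEFAULT_PREFERENCE = {
    "local": 0, "static": 1,
    "ospf-intra": 110, "ospf-inter": 110, "ospf-external": 110,
    "rip": 120,
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    next_hop: Optional[str]            # None models the Null0 interface of a static reject route
    preference: Optional[int] = None   # explicit preference, otherwise the protocol default
    metric: int = 0

    @property
    def effective_preference(self) -> int:
        if self.preference is not None:
            if not 1 <= self.preference <= 255:
                raise ValueError("preference must be 1-255")
            return self.preference
        return DEFAULT_PREFERENCE[self.protocol]

    @property
    def is_reject(self) -> bool:
        return self.next_hop is None


def route(prefix: str, protocol: str, next_hop: Optional[str],
          preference: Optional[int] = None, metric: int = 0) -> Route:
    """Convenience constructor so callers need not import ipaddress."""
    return Route(ipaddress.IPv4Network(prefix), protocol, next_hop, preference, metric)


def best_routes(table: List[Route]) -> List[Route]:
    """One winner per prefix: lowest preference, then lowest metric (Best Routes Table)."""
    winners: Dict[ipaddress.IPv4Network, Route] = {}
    for r in table:
        cur = winners.get(r.prefix)
        if cur is None or (r.effective_preference, r.metric) < (cur.effective_preference, cur.metric):
            winners[r.prefix] = r
    return sorted(winners.values(),
                  key=lambda r: (r.prefix.prefixlen, int(r.prefix.network_address)),
                  reverse=True)


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over the best routes; None if nothing matches, not even a default."""
    dst = ipaddress.IPv4Address(destination)
    matches = [r for r in best_routes(table) if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def forward(table: List[Route], destination: str) -> str:
    """Where a packet goes: a next hop, 'drop (Null0)' for a reject route, or 'unroutable'."""
    r = lookup(table, destination)
    if r is None:
        return "unroutable"
    if r.is_reject:
        return "drop (Null0)"
    return r.next_hop


def example_table() -> List[Route]:
    """Switch A from the configuration example below, plus two constructed routes."""
    return [
        route("192.168.10.0/24", "local", "vlan 10"),
        route("192.168.20.0/24", "local", "vlan 20"),
        route("192.168.30.0/24", "static", "192.168.20.25"),             # static route to the VLAN 30 subnet
        route("192.168.30.0/24", "rip", "192.168.20.99", metric=3),      # constructed: same prefix via RIP
        route("0.0.0.0/0", "static", "192.168.20.25"),                   # default route
        route("10.66.0.0/16", "static", None),                           # constructed: static reject (Null0)
    ]
```

With the default preferences the static route to 192.168.30.0/24 (preference 1) wins over the RIP route (120) for the same prefix; raising the static preference above 120 on the Route Preferences Configuration page makes the RIP route the best route instead.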
IP Routing Configuration Example In this example, the Dell EMC Networking N-Series switches are Layer-3 switches with VLAN routing interfaces. VLAN routing is configured on Dell EMC Networking N-Series Switch A and Dell EMC Networking N-Series Switch B. This allows the host in VLAN 10 to communicate with the server in VLAN 30. A static route to the VLAN 30 subnet is configured on Switch A.
Configuring Dell EMC Networking N-Series Switch A
To configure Switch A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 10. This command also enables IP routing on the VLAN.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.10 255.255.255.0
console(config-if-vlan10)#exit
3 Assign an IP address to VLAN 20.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.20 255.
Configuring Dell EMC Networking N-Series Switch B
To configure Switch B:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 20. This command also enables IP routing on the VLAN.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.25 255.255.255.0
console(config-if-vlan20)#exit
3 Assign an IP address to VLAN 30. This command also enables IP routing on the VLAN.
32 Routing Interfaces
Dell EMC Networking N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON Series Switches
This chapter describes the routing (Layer-3) interfaces the Dell EMC Networking N-Series switches support, which includes VLAN routing interfaces, loopback interfaces, and tunnel interfaces.
interfaces make it possible to transmit traffic between VLANs while still containing broadcast traffic within VLAN boundaries. The configuration of VLAN routing interfaces makes inter-VLAN routing possible. For each VLAN routing interface a static IP address can be assigned, or a network DHCP server can assign a dynamic IP address.
services such as Telnet and SSH. In this way, the IP address on a loopback behaves identically to any of the local addresses of the VLAN routing interfaces in terms of the processing of incoming packets. What Are Tunnel Interfaces? Tunnels are a mechanism for transporting a packet across a network so that it can be evaluated at a remote location or tunnel endpoint. The tunnel, effectively, hides the packet from the network used to transport the packet to the endpoint.
Why Are Routing Interfaces Needed? The routing interfaces this chapter describes have very different applications and uses, as this section describes. If you use the switch as a Layer-2 device that handles switching only, routing interface configuration is not required. When the switch is used as a Layer-2 device, it typically connects to an external Layer-3 device that handles the routing functions. VLAN Routing VLAN routing is required when the switch is used as a Layer-3 device.
Loopback Interfaces When packets are sent to the loopback IP address, the network should be able to deliver the packets as long as any physical interface on the switch is up. There are many cases where you need to send traffic to a switch, such as in switch management. The loopback interface IP address is a good choice for communicating with the switch in these cases because the loopback interface cannot go down when the switch is powered on and operational.
Default Routing Interface Values
By default, no routing interfaces are configured. When you create a VLAN, no IP address is configured, and DHCP is disabled. After you configure an IP address on a VLAN or loopback interface, the VLAN interface is available for Layer-3 routing (if enabled), is capable of resolving ARP requests and responding to pings, and has the default configuration shown in Table 32-1.
Configuring Routing Interfaces (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLAN routing interfaces, loopback interfaces, and tunnels on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. IP Interface Configuration Use the IP Interface Configuration page to update IP interface data for this switch.
DHCP Lease Parameters
Use the DHCP Lease Parameters page to view information about the network information automatically assigned to an interface by the DHCP server. To display the page, click Routing > IP > DHCP Lease Parameters in the navigation panel.
Figure 32-3. DHCP Lease Parameters
VLAN Routing Summary
Use the VLAN Routing Summary page to view summary information about VLAN routing interfaces configured on the switch.
Figure 32-4. VLAN Routing Summary
Tunnel Configuration
Use the Tunnels Configuration page to create, configure, or delete a tunnel. To display the page, click Routing > Tunnels > Configuration in the navigation panel.
Figure 32-5.
Tunnels Summary
Use the Tunnels Summary page to display a summary of configured tunnels. To display the page, click Routing > Tunnels > Summary in the navigation panel.
Figure 32-6.
Loopbacks Configuration
Use the Loopbacks Configuration page to create, configure, or remove loopback interfaces. A secondary address for a loopback can also be set up or deleted. To display the page, click Routing > Loopback Interfaces > Loopback Interfaces Configuration in the navigation panel.
Figure 32-7.
Loopbacks Summary
Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch. To display the page, click Routing > Loopback Interfaces > Loopback Interfaces Summary in the navigation panel.
Figure 32-8.
Configuring Routing Interfaces (CLI) This section provides information about the commands used for configuring VLAN routing interfaces, loopbacks, and tunnels on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command    Purpose
bandwidth size    Set the configured bandwidth on this interface to communicate the speed of the interface to higher level protocols. OSPF uses the bandwidth value to compute link cost. The range is 1–10000000.
ip unreachables    Allow the switch to send ICMP Destination Unreachable messages in response to packets received on the interface.
ip redirects    Allow the switch to send ICMP Redirect messages in response to packets received on the interface.
exit    Exit to Global Config mode.
Configuring Loopback Interfaces
Use the following commands to configure a loopback interface.
Command    Purpose
configure    Enter Global Configuration mode.
interface loopback loopback-id    Create the loopback interface and enter Interface Configuration mode for the specified loopback interface.
ip address ip_address subnet_mask [secondary]    Configure a static IP address and subnet mask. Use the secondary keyword to specify that the address is a secondary IP address.
CTRL + Z    Exit to Privileged Exec mode.
Configuring Tunnels
Use the following commands to configure a tunnel interface.
NOTE: For information about configuring the IPv6 interface characteristics for a tunnel, see "IPv6 Routing" on page 1439.
Command    Purpose
configure    Enter Global Configuration mode.
interface tunnel tunnel-id    Create the tunnel interface and enter Interface Configuration mode for the specified tunnel.
tunnel mode ipv6ip [6to4]    Specify the mode of the tunnel. If you use the 6to4 keyword, the tunnel is an automatic tunnel.
33 Layer-2 and Layer-3 Relay Features
Dell EMC Networking N-Series Switches
NOTE: Dell EMC Networking N1100-ON Series switches do not support the L3 relay feature.
This chapter describes how to configure the Layer-2 (L2) DHCP relay, Layer-3 (L3) DHCP relay, and IP Helper features on Dell EMC Networking N-Series switches.
relay agent can be used to add the information that the DHCP server needs to perform its role in address and configuration assignment. The information added by the L2 relay agent can include location and identification information that can assist the DHCP server in applying policies such as service offerings or address assignment. Before it relays DHCP requests from clients, the switch can add a Circuit ID and a Remote ID.
The administrator globally enables DHCP relay and configures DHCP relay on the end-user ports of each switch as follows:
console(config)#dhcp l2relay
console(config)#interface range gi1/0/1-24
console(config-if)#dhcp l2relay
console(config-if)#exit
Then, the administrator configures the remote-id and circuit-id:
console(config)#dhcp l2relay circuit-id vlan 10,20
console(config)#dhcp l2relay remote-id "Switch A" vlan 10,20
Finally, the administrator configures the uplink for DHCP relay and sets the interfa
subclass "Pool1" "Switch A" "Gi1/0/1";
subclass "Pool1" "Switch A" "Gi1/0/2";
subclass "Pool1" "Switch A" "Gi1/0/3";
class "Pool2" {
    match option agent.remote-id;
    match option agent.circuit-id;
}
subclass "Pool2" "Switch B" "Gi1/0/1";
subclass "Pool2" "Switch B" "Gi1/0/2";
subclass "Pool2" "Switch B" "Gi1/0/3";
shared-network Public {
    subnet 10.1.222.0 netmask 255.255.254.0 {
        pool {
            deny members of "Pool1";
            deny members of "Pool2";
            option routers 10.1.222.1;
            option subnet-mask 255.255.254.
            option domain-name-servers 10.1.218.3,10.1.219.3;
            default-lease-time 21600;
            max-lease-time 43200;
        }
    }
}
}
What Is L3 DHCP Relay?
Network infrastructure devices can be used to relay packets between a DHCP client and server on different subnets. Such a device, a Layer-3 relay agent, is often a router or L3 switch. The L3 relay agent must have an IP interface on the client subnets and, if it does not have an IP interface on the server’s subnet, it should be able to route traffic toward the server’s subnet.
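The Circuit ID and Remote ID that the L2 relay inserts, and that the dhcpd classes above match on, travel in DHCP Option 82 (Relay Agent Information, RFC 3046) as sub-options 1 and 2. The following Python builds, inserts and decodes that option so the relationship between the switch-side configuration and the server-side `subclass` lines can be seen on the wire. It is an added example written for this guide, not the switch firmware or ISC dhcpd code; the sub-option values ("Switch A", "Gi1/0/1") mirror the example above, the client option bytes are constructed, and the function names are assumptions. Following RFC 3046 section 2.1.1, the insert step refuses a client packet that already carries Option 82, which is what a relay should do on an untrusted client port.

```python
from typing import Dict, Iterator, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2

# Constructed client options field (after the magic cookie): message type DISCOVER
# and a parameter request list for subnet mask, router and DNS servers.
CLIENT_OPTIONS = bytes([53, 1, 1, 55, 3, 1, 3, 6, OPT_END])

# Server-side classification mirroring the dhcpd subclass lines above:
# (remote-id, circuit-id) -> class name.
SUBCLASSES = {
    ("Switch A", "Gi1/0/1"): "Pool1", ("Switch A", "Gi1/0/2"): "Pool1", ("Switch A", "Gi1/0/3"): "Pool1",
    ("Switch B", "Gi1/0/1"): "Pool2", ("Switch B", "Gi1/0/2"): "Pool2", ("Switch B", "Gi1/0/3"): "Pool2",
}


def _tlv_walk(raw: bytes, top_level: bool) -> Iterator[Tuple[int, bytes]]:
    """Yield (code, value) from a TLV byte string; raise ValueError on truncation.
    Pad (0) and End (255) are single bytes only at the top-level option list."""
    i = 0
    while i < len(raw):
        code = raw[i]
        if top_level and code == OPT_PAD:
            i += 1
            continue
        if top_level and code == OPT_END:
            return
        if i + 1 >= len(raw):
            raise ValueError("truncated TLV header at offset %d" % i)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d declares %d bytes, only %d present" % (code, length, len(value)))
        yield code, value
        i += 2 + length


def parse_options(options: bytes) -> Dict[int, bytes]:
    return dict(_tlv_walk(options, top_level=True))


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode Option 82 with sub-option 1 (Circuit ID) and sub-option 2 (Remote ID)."""
    for name, value in (("circuit-id", circuit_id), ("remote-id", remote_id)):
        if not 1 <= len(value) <= 255:
            raise ValueError("%s must be 1-255 bytes" % name)
    body = (bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(body) > 255:
        raise ValueError("Option 82 body exceeds 255 bytes")
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def insert_option82(options: bytes, circuit_id: bytes, remote_id: bytes) -> bytes:
    """Relay side: append Option 82 to a client's options before forwarding upstream."""
    if OPT_RELAY_AGENT in parse_options(options):
        # A client on an untrusted port must not supply its own relay information.
        raise ValueError("client packet already carries Option 82; drop it")
    kept = b"".join(bytes([c, len(v)]) + v for c, v in _tlv_walk(options, top_level=True))
    return kept + build_option82(circuit_id, remote_id) + bytes([OPT_END])


def relay_identity(options: bytes) -> Optional[Tuple[str, str]]:
    """Server side: return (circuit_id, remote_id) as text, or None if Option 82 is absent."""
    opts = parse_options(options)
    if OPT_RELAY_AGENT not in opts:
        return None
    subs = dict(_tlv_walk(opts[OPT_RELAY_AGENT], top_level=False))
    return (subs.get(SUBOPT_CIRCUIT_ID, b"").decode("ascii", "replace"),
            subs.get(SUBOPT_REMOTE_ID, b"").decode("ascii", "replace"))


def classify(options: bytes) -> Optional[str]:
    """Map a relayed packet to a dhcpd class the way the subclass lines above do."""
    ident = relay_identity(options)
    if ident is None:
        return None
    circuit_id, remote_id = ident
    return SUBCLASSES.get((remote_id, circuit_id))
```

A packet from port Gi1/0/1 of Switch A, after `insert_option82(CLIENT_OPTIONS, b"Gi1/0/1", b"Switch A")`, classifies as Pool1 and is therefore denied the Public pool by the `deny members of "Pool1"` line; a packet with no Option 82, or with an unknown pair, classifies as None.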
What Is the IP Helper Feature? The IP Helper feature provides the ability for a router to unicast-forward configured UDP broadcast packets to a particular IP address (including DHCP packets). This allows applications to reach servers on non-local subnets. This is possible even when the application is designed to assume a server is always on a local subnet or when the application uses broadcast packets to reach the server (with the limited broadcast address 255.255.255.
Table 33-1. Default Ports - UDP Port Numbers Implied By Wildcard
Protocol    UDP Port Number
IEN-116 Name Service    42
DNS    53
NetBIOS Name Server    137
NetBIOS Datagram Server    138
TACACS Server    49
Time Service    37
DHCP    67
Trivial File Transfer Protocol    69
The system limits the total number of relay entries to four times the maximum number of routing interfaces (512 relay entries).
addresses. Otherwise, the relay agent verifies that there is a global configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. NOTE: If the packet matches a discard relay entry on the ingress interface, the packet is not forwarded, regardless of the global configuration.
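The lookup order just described (an interface discard entry first, then interface entries for the destination port, then the global entries, otherwise no relay) is easy to get wrong when several entries overlap, so here it is as an added Python model written for this guide rather than the switch's own code. The wildcard port set comes from Table 33-1 and the interface entries from the Relay Agent Configuration Example later in this chapter; the discard entry on VLAN 30, the global server 192.168.40.36 and all class and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# UDP ports covered by a default-set (wildcard) entry, from Table 33-1.
DEFAULT_SET_PORTS = {42, 53, 137, 138, 49, 37, 67, 69}
DISCARD = "discard"
MAX_RELAY_ENTRIES = 512  # four times the maximum number of routing interfaces


@dataclass(frozen=True)
class HelperEntry:
    port: Optional[int]   # None = default set of protocols
    target: str           # server IP address, or DISCARD (interface entries only)

    def matches(self, dst_port: int) -> bool:
        return self.port == dst_port or (self.port is None and dst_port in DEFAULT_SET_PORTS)


class RelayAgent:
    """Hypothetical model of the L3 relay (IP helper) lookup order."""

    def __init__(self) -> None:
        self.global_entries: List[HelperEntry] = []
        self.interface_entries: Dict[str, List[HelperEntry]] = {}

    def _count(self) -> int:
        return len(self.global_entries) + sum(len(v) for v in self.interface_entries.values())

    def _check_limit(self) -> None:
        if self._count() >= MAX_RELAY_ENTRIES:
            raise ValueError("relay entry limit of %d reached" % MAX_RELAY_ENTRIES)

    def add_global(self, target: str, port: Optional[int] = None) -> None:
        """ip helper-address in global configuration mode."""
        if target == DISCARD:
            raise ValueError("discard is only valid on an interface")
        self._check_limit()
        self.global_entries.append(HelperEntry(port, target))

    def add_interface(self, iface: str, target: str, port: Optional[int] = None) -> None:
        """ip helper-address {server-address | discard} on a VLAN routing interface."""
        self._check_limit()
        self.interface_entries.setdefault(iface, []).append(HelperEntry(port, target))

    def relay_targets(self, ingress_iface: str, dst_port: int) -> List[str]:
        """Unicast destinations for a UDP broadcast received on ingress_iface.
        An empty list means the packet is not relayed."""
        on_iface = [e for e in self.interface_entries.get(ingress_iface, []) if e.matches(dst_port)]
        if any(e.target == DISCARD for e in on_iface):
            return []  # a discard entry on the ingress interface wins over everything
        if on_iface:
            return [e.target for e in on_iface]  # interface entries take precedence
        return [e.target for e in self.global_entries if e.matches(dst_port)]


def example_agent() -> RelayAgent:
    """Configured like the Relay Agent Configuration Example (IPs from the guide)."""
    a = RelayAgent()
    a.add_interface("vlan 10", "192.168.40.35", 67)   # dhcp
    a.add_interface("vlan 10", "192.168.40.35", 53)   # domain
    a.add_interface("vlan 20", "192.168.23.1", 162)   # SNMP traps
    a.add_interface("vlan 30", DISCARD, 69)           # constructed: discard TFTP on VLAN 30
    a.add_global("192.168.40.36")                     # constructed: default set to a second server
    return a
```

In this configuration a TFTP broadcast on VLAN 30 is dropped even though the global default-set entry would otherwise relay port 69, while a DHCP broadcast on VLAN 20, which has no interface entry for port 67, falls through to the global server.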
Table 33-2 shows the most common protocols and their UDP port numbers and names that are relayed. Table 33-2.
Default L2/L3 Relay Values By default L2 DHCP relay is disabled. L3 relay (UDP) is enabled, but no UDP destination ports or server addresses are defined on the switch or on any interfaces. Table 33-3.
Configuring L2 and L3 Relay Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 and L3 relay features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
L2 DHCP Relay Global Configuration
Use this page to enable or disable the switch to act as a DHCP Relay agent.
L2 DHCP Relay Interface Configuration
Use this page to enable L2 DHCP relay on individual ports.
NOTE: L2 DHCP relay must also be enabled globally on the switch.
To access this page, click Switching > DHCP Relay > Interface Configuration in the navigation panel.
Figure 33-2. DHCP Relay Interface Configuration
To view a summary of the L2 DHCP relay configuration on all ports and LAGs, click Show All.
Figure 33-3.
L2 DHCP Relay Interface Statistics
Use this page to display statistics on DHCP Relay requests received on a selected port. To access this page, click Switching > DHCP Relay > Interface Statistics in the navigation panel.
Figure 33-4.
L2 DHCP Relay VLAN Configuration
Use this page to enable and configure DHCP Relay on specific VLANs. To access this page, click Switching > DHCP Relay > VLAN Configuration in the navigation panel.
Figure 33-5. DHCP Relay VLAN Configuration
To view a summary of the L2 DHCP relay configuration on all VLANs, click Show All.
Figure 33-6. DHCP Relay VLAN Summary
DHCP Relay Agent Configuration
Use the Configuration page to configure and display a DHCP relay agent.
Figure 33-7.
IP Helper (L3 DHCP Relay) Global Configuration
NOTE: The IP Helper feature is not supported on the Dell EMC Networking N1100-ON Series switches.
Use the Global Configuration page to add, show, or delete UDP Relay and Helper IP configuration. To display the page, click Routing > IP Helper > Global Configuration in the navigation panel.
Figure 33-8. IP Helper Global Configuration
Adding an IP Helper Entry
To configure an IP helper entry:
1. Open the IP Helper Global Configuration page.
2.
Figure 33-9. Add Helper IP Address 3. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols. NOTE: If the DefaultSet option is specified, the device by default forwards UDP Broadcast packets for the following services: IEN-116 Name Service (port 42), DNS (port 53), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), TACACS Server (Port 49), and Time Service (port 37).
IP Helper (L3 DHCP Relay) Interface Configuration
Use the Interface Configuration page to add, show, or delete UDP Relay and Helper IP configuration for a specific interface. To display the page, click Routing > IP Helper > Interface Configuration in the navigation panel.
Figure 33-10. IP Helper Interface Configuration
Adding an IP Helper Entry to an Interface
To add an IP helper entry to an interface:
1. Open the IP Helper Interface Configuration page.
2.
Figure 33-11. Add Helper IP Address 3. Select the interface to use for the relay. 4. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols.
IP Helper Statistics
Use the Statistics page to view UDP Relay Statistics for the switch. To display the page, click Routing > IP Helper > Statistics in the navigation panel.
Figure 33-12.
Configuring L2 and L3 Relay Features (CLI) This section provides information about the commands used for configuring L2 and L3 relay features on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring L2 DHCP Relay Use the following commands to configure switch and interface L2 DHCP relay settings.
Command    Purpose
dhcp l2relay remote-id remoteId vlan vlan-list    Enable setting the DHCP Option 82 Remote ID for a VLAN. When enabled, the supplied string is used for the Remote ID in DHCP Option 82. The remoteId variable is a string to be used as the remote ID in the Option 82 (Range: 1 - 128 characters).
exit    Exit to Privileged Exec mode.
show dhcp l2relay all    View L2 DHCP relay settings on the switch.
Configuring L3 Relay (IP Helper) Settings
Use the following commands to configure switch and interface L3 DHCP relay and IP helper settings.
NOTE: The IP Helper feature is not supported on the Dell EMC Networking N1100-ON Series switches.
Command    Purpose
configure    Enter global configuration mode.
ip helper enable    Use this command to enable the IP helper feature. It is enabled by default.
Command    Purpose
ip helper-address {server-address | discard} [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time]    Configure the relay of certain UDP broadcast packets received on the VLAN routing interface(s). This command takes precedence over an ip helper-address command given in global configuration mode. Specify one of the protocols defined in the command or the UDP port number.
Relay Agent Configuration Example
The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols.
Figure 33-13. L3 Relay Network Diagram
This example assumes that multiple VLAN routing interfaces have been created, and configured with IP addresses. To configure the switch:
1 Relay DHCP packets received on VLAN 10 to 192.168.40.35
console#config
console(config)#interface vlan 10
console(config-if-vlan10)#ip helper-address 192.168.40.
console(config-if-vlan10)#ip helper-address 192.168.40.35 domain
console(config-if-vlan10)#exit
3 Relay SNMP traps (port 162) received on VLAN 20 to 192.168.23.1
console(config)#interface vlan 20
console(config-if-vlan20)#ip helper-address 192.168.23.
34 OSPF and OSPFv3
Dell EMC Networking N2000, N2100-ON, N3000E-ON, N3100-ON Series Switches
This chapter describes how to configure Open Shortest Path First (OSPF) and OSPFv3. OSPF is a dynamic routing protocol for IPv4 networks, and OSPFv3 is used to route traffic in IPv6 networks. The protocols are configured separately within the software, but their functionality is largely similar for IPv4 and IPv6 networks.
NOTE: In this chapter references to OSPF apply to OSPFv2 and OSPFv3 unless otherwise noted.
OSPF Overview OSPF is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network. Dell EMC Networking N-Series switches support two dynamic routing protocols: OSPF and Routing Information Protocol (RIP). Unlike RIP, OSPF is a link-state protocol. Larger networks typically use the OSPF protocol instead of RIP. What Are OSPF Areas and Other OSPF Topology Features? The top level of the hierarchy of an OSPF network is known as an OSPF domain. The domain can be divided into areas.
What Are OSPF Routers and LSAs? When a Dell EMC Networking N-Series switch is configured to use OSPF for dynamic routing, it is considered to be an OSPF router. OSPF routers keep track of the state of the various links they send data to. Routers exchange OSPF link state advertisements (LSAs) with other routers. External LSAs provide information on static routes or routes learned from other routing protocols. OSPF defines various router types: • Backbone routers have an interface in Area 0.
OSPF Feature Details
This section provides details on the following OSPF features:
• Stub Router
• Static Area Range Cost
• LSA Pacing
• Flood Blocking
Stub Router
RFC 3137 introduced stub router behavior to OSPFv2. As a stub, a router can inform other routers that it is not available to forward data packets.
begin in stub router mode when OSPF is globally enabled. If the operator wants to avoid routing transients when he enables or configures OSPF, he can manually set OSPF in stub router mode. If OSPF is in startup stub router mode and encounters a resource limitation that would normally cause OSPF to become a stub router, OSPF cancels the timer to exit startup stub router and remains in stub router mode until the network administrator takes action.
Static Area Range Cost This feature allows a network operator to configure a fixed OSPF cost that is always advertised when an area range is active. This feature applies to both OSPFv2 and OSPFv3. An OSPF domain can be divided into areas to limit the processing required on each router. Area Border Routers (ABRs) advertise reachability across area boundaries. It is common to summarize the set of prefixes that an ABR advertises across an area boundary.
LSA Pacing OSPF refreshes each self-originated LSA every 30 minutes. Because a router tends to originate many LSAs at the same time, either at startup or when adjacencies are formed or when routes are first learned, LSA refreshes tend to be grouped. Further, Area Border Routers (ABRs) attached to the same area tend to originate summary LSAs into the area at the same time. This behavior leads to periodic bursts of LS Update packets.
Flood Blocking OSPF is a link state routing protocol. Routers describe their local environment in Link State Advertisements (LSAs), which are distributed throughout an area or OSPF domain. Through this process, each router learns enough information to compute a set of routes consistent with the routes computed by all other routers. Normally, OSPF floods an LSA on all interfaces within the LSA's flooding scope. Flooding ensures that all routers receive all LSAs.
Flood blocking cannot be enabled on virtual interfaces. While the feature could be allowed on virtual interfaces, it is less likely to be used on a virtual interface, since virtual interfaces are created specifically to allow flooding between two backbone routers. So the option of flood blocking on virtual interfaces is not supported. See "Configuring Flood Blocking" on page 1303 for a configuration example.
• ospfv3AreaNssaTranslatorEvents
• ospfv3AreaTEEnabled
• Ospfv3HostEntry
• Ospfv3IfEntry
• ospfv3IfDemandNbrProbe
• ospfv3IfDemandNbrProbeRetransLimit
• ospfv3IfDemandNbrProbeInterval
• ospfv3VirtIfLinkScopeLsaCount
• ospfv3VirtIfLinkLsaCksumSum
• Ospfv3CfgNbrEntry
• Ospfv3AreaAggregateEntry
• ospfv3VirtLinkLsdbTable
• ospfv3NssaTranslatorStatusChange
• ospfv3RestartStatusChange
• ospfv3NbrRestartHelperStatusChange
• ospfv3VirtNbrRestartHelperStatusChange

Default OSPF Values
Table 34-1.
Table 34-2 shows the per-interface default values for OSPF and OSPFv3. Table 34-2.
Configuring OSPF Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPF features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings.
OSPF Area Configuration
The Area Configuration page lets you create a stub area or NSSA configuration once you have enabled OSPF on an interface through Routing > OSPF > Interface Configuration. At least one interface must have OSPF enabled for this web page to display. To display the page, click Routing > OSPF > Area Configuration in the navigation panel. If a stub area has been created, the fields in the Stub Area Information section are available.

Configuring an OSPF Stub Area
To configure the area as an OSPF stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area.
Figure 34-3. OSPF Stub Area Configuration
Use the Delete Stub Area button to remove the stub area.

Configuring an OSPF Not-So-Stubby Area
To configure the area as an OSPF not-so-stubby area (NSSA), click NSSA Create. The page refreshes and displays additional fields that are specific to the NSSA.
Figure 34-4. OSPF NSSA Configuration
Use the NSSA Delete button to remove the NSSA.

OSPF Stub Area Summary
The Stub Area Summary page displays OSPF stub area details. To display the page, click Routing > OSPF > Stub Area Summary in the navigation panel.
Figure 34-5.

OSPF Area Range Configuration
Use the Area Range Configuration page to configure and display an area range for a specified NSSA. To display the page, click Routing > OSPF > Area Range Configuration in the navigation panel.
Figure 34-6.

OSPF Interface Statistics
Use the Interface Statistics page to display statistics for the selected interface. The information is displayed only if OSPF is enabled. To display the page, click Routing > OSPF > Interface Statistics in the navigation panel.
Figure 34-7.

OSPF Interface Configuration
Use the Interface Configuration page to configure an OSPF interface. To display the page, click Routing > OSPF > Interface Configuration in the navigation panel.
Figure 34-8.

OSPF Neighbor Table
Use the Neighbor Table page to display the OSPF neighbor table. When a particular neighbor ID is specified, detailed information about that neighbor is shown. The information is displayed only if OSPF is enabled. To display the page, click Routing > OSPF > Neighbor Table in the navigation panel.
Figure 34-9.

OSPF Neighbor Configuration
Use the Neighbor Configuration page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is shown. The information is displayed only if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click Routing > OSPF > Neighbor Configuration in the navigation panel.
Figure 34-10.

OSPF Link State Database
Use the Link State Database page to display OSPF link state, external LSDB table, and AS opaque LSDB table information. To display the page, click Routing > OSPF > Link State Database in the navigation panel.
Figure 34-11. OSPF Link State Database

OSPF Virtual Link Configuration
Use the Virtual Link Configuration page to create or configure virtual interface information for a specific area and neighbor. A valid OSPF area must be configured before this page can be displayed.
Figure 34-12. OSPF Virtual Link Creation
After you create a virtual link, additional fields display, as Figure 34-13 shows.
Figure 34-13.

OSPF Virtual Link Summary
Use the Virtual Link Summary page to display all of the configured virtual links. To display the page, click Routing > OSPF > Virtual Link Summary in the navigation panel.
Figure 34-14.

OSPF Route Redistribution Configuration
Use the Route Redistribution Configuration page to configure redistribution into OSPF of routes learned through other protocols. Routes learned from all available protocols, or from selected protocols, can be redistributed. To display the page, click Routing > OSPF > Route Redistribution Configuration in the navigation panel.
Figure 34-15.

OSPF Route Redistribution Summary
Use the Route Redistribution Summary page to display the OSPF route redistribution configuration. To display the page, click Routing > OSPF > Route Redistribution Summary in the navigation panel.
Figure 34-16.

NSF OSPF Configuration
Use the NSF OSPF Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPF feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 224 in the Stacking chapter. To display the page, click Routing > OSPF > NSF OSPF Configuration in the navigation panel.
Figure 34-17.
Configuring OSPFv3 Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPFv3 features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch. To display the page, click IPv6 OSPFv3 Configuration in the navigation panel. Figure 34-18.
To display the page, click IPv6 > OSPFv3 > Area Configuration in the navigation panel.
Figure 34-19.

Configuring an OSPFv3 Stub Area
To configure the area as an OSPFv3 stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area.
Figure 34-20. OSPFv3 Stub Area Configuration
Use the Delete Stub Area button to remove the stub area.

Configuring an OSPFv3 Not-So-Stubby Area
To configure the area as an OSPFv3 not-so-stubby area (NSSA), click Create NSSA. The page refreshes and displays additional fields that are specific to the NSSA.
Figure 34-21. OSPFv3 NSSA Configuration
Use the Delete NSSA button to remove the NSSA.

OSPFv3 Stub Area Summary
Use the Stub Area Summary page to display OSPFv3 stub area details. To display the page, click IPv6 > OSPFv3 > Stub Area Summary in the navigation panel.
Figure 34-22.

OSPFv3 Area Range Configuration
Use the Area Range Configuration page to configure OSPFv3 area ranges. To display the page, click IPv6 > OSPFv3 > Area Range Configuration in the navigation panel.
Figure 34-23.

OSPFv3 Interface Configuration
Use the Interface Configuration page to create and configure OSPFv3 interfaces. To display the page, click IPv6 > OSPFv3 > Interface Configuration in the navigation panel.
Figure 34-24.

OSPFv3 Interface Statistics
Use the Interface Statistics page to display OSPFv3 interface statistics. Information is displayed only if OSPFv3 is enabled. To display the page, click IPv6 > OSPFv3 > Interface Statistics in the navigation panel.
Figure 34-25.

OSPFv3 Neighbors
Use the Neighbors page to display the OSPFv3 neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is shown. Neighbor information is displayed only if OSPFv3 is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click IPv6 > OSPFv3 > Neighbors in the navigation panel.
Figure 34-26.

OSPFv3 Neighbor Table
Use the Neighbor Table page to display the OSPFv3 neighbor table. When a particular neighbor ID is specified, detailed information about that neighbor is shown. The neighbor table is displayed only if OSPFv3 is enabled. To display the page, click IPv6 > OSPFv3 > Neighbor Table in the navigation panel.
Figure 34-27.

OSPFv3 Link State Database
Use the Link State Database page to display the link state and external LSA databases. The OSPFv3 Link State Database page displays external LSDB table information in addition to OSPFv3 link state information. To display the page, click IPv6 > OSPFv3 > Link State Database in the navigation panel.
Figure 34-28.

OSPFv3 Virtual Link Configuration
Use the Virtual Link Configuration page to define a new virtual link or configure an existing one. To display this page, a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page. To display the page, click IPv6 > OSPFv3 > Virtual Link Configuration in the navigation panel.
Figure 34-29.
After you create a virtual link, additional fields display, as Figure 34-30 shows.
Figure 34-30.

OSPFv3 Virtual Link Summary
Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID. To display the page, click IPv6 > OSPFv3 > Virtual Link Summary in the navigation panel.
Figure 34-31.

OSPFv3 Route Redistribution Configuration
Use the Route Redistribution Configuration page to configure route redistribution. To display the page, click IPv6 > OSPFv3 > Route Redistribution Configuration in the navigation panel.
Figure 34-32.

OSPFv3 Route Redistribution Summary
Use the Route Redistribution Summary page to display route redistribution settings by source. To display the page, click IPv6 > OSPFv3 > Route Redistribution Summary in the navigation panel.
Figure 34-33.

NSF OSPFv3 Configuration
Use the NSF OSPFv3 Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPFv3 feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 224 in the Stacking chapter. To display the page, click Routing > OSPFv3 > NSF OSPFv3 Configuration in the navigation panel.
Figure 34-34.
Configuring OSPF Features (CLI) This section provides information about the commands used for configuring and viewing OSPF settings on the switch. This section does not describe all available show commands. For more information about all available OSPF commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command / Purpose
default-information originate [always] [metric metric-value] [metric-type type-value]: Control the advertisement of default routes.
• always: Normally, OSPF originates a default route only if a default route is redistributed into OSPF (and default-information originate is configured). When the always option is configured, OSPF originates a default route even if no default route is redistributed.
• metric-value: The metric (or preference) value of the default route.
Command / Purpose
passive-interface default: Configure OSPF interfaces as passive by default. This command overrides any interface-level passive mode settings. OSPF does not form adjacencies on passive interfaces but does advertise attached networks as stub networks.
timers spf delay-time hold-time: Specify the SPF delay and hold time.
• delay-time: SPF delay time. (Range: 0–65535 seconds)
• hold-time: SPF hold time. (Range: 0–65535 seconds)
exit: Exit to Global Configuration mode.
Configuring OSPF Interface Settings
Use the following commands to configure per-interface OSPF settings.
Command / Purpose
configure: Enter Global Configuration mode.
interface vlan vlan-id: Enter Interface Configuration mode for the specified VLAN.
ip ospf area area-id [secondaries none]: Enable OSPFv2 on the interface and set the area ID of the interface. This command supersedes the effect of the network area command.
Command / Purpose
ip ospf dead-interval seconds: Set the OSPF dead interval for the interface. The seconds variable is the number of seconds a router waits without seeing a neighbor router's Hello packets before declaring that neighbor down (Range: 1–65535). This value must be the same on all routers attached to a network, or adjacencies will not form, and it should be a multiple of the hello interval.
ip ospf transmit-delay seconds: Set the OSPF transmit delay for the interface.
Command / Purpose
exit: Exit to Global Configuration mode.
router ospf: Enter OSPF configuration mode.
passive-interface vlan vlan-id: Make an interface passive to prevent OSPF from forming an adjacency on it. OSPF advertises networks attached to passive interfaces as stub networks.
network ip-address wildcard-mask area area-id: Enable OSPFv2 on interfaces whose primary IP address matches this command, and make the interface a member of the specified area.
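The requirement that hello and dead intervals agree on every router attached to a network (stated for both the ip ospf and the ipv6 ospf interface commands in this chapter) is easy to violate when several switches are configured by hand. The following Python check is an added example, not code from the Dell EMC guide: it parses interface vlan blocks written in the style of this chapter's configuration examples, groups interfaces by subnet, and reports any timer mismatch or a dead interval that is not a multiple of the hello interval. The three configurations are constructed for the example, and the 10 s hello / 40 s dead values applied to interfaces that set neither are the example's assumed defaults.

```python
"""Check OSPF hello/dead interval consistency across routers on a shared subnet.

Added example, not code from the Dell EMC guide. Routers on the same network
must agree on hello-interval and dead-interval or the adjacency never forms.
The check parses `interface vlan` blocks, groups interfaces by the subnet of
their `ip address`, and reports mismatches. The configuration texts below are
constructed in the style of the guide's examples; DEFAULT_HELLO/DEFAULT_DEAD
are assumed defaults for interfaces that do not set the timers.
"""
import ipaddress
import re
from collections import defaultdict

DEFAULT_HELLO = 10  # assumed default hello-interval, seconds
DEFAULT_DEAD = 40   # assumed default dead-interval, seconds


def parse_vlan_interfaces(config_text):
    """Return {vlan: {"network": IPv4Network, "hello": int, "dead": int}}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface vlan (\d+)$", line)
        if m:
            current = {"hello": DEFAULT_HELLO, "dead": DEFAULT_DEAD, "network": None}
            interfaces[int(m.group(1))] = current
            continue
        if current is None:
            continue
        if line == "exit":
            current = None
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)):
            current["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif (m := re.match(r"ip ospf hello-interval (\d+)$", line)):
            current["hello"] = int(m.group(1))
        elif (m := re.match(r"ip ospf dead-interval (\d+)$", line)):
            current["dead"] = int(m.group(1))
    # Only interfaces with an address can carry OSPF; drop the rest.
    return {v: i for v, i in interfaces.items() if i["network"] is not None}


def check_timers(configs):
    """configs: {router_name: config_text}. Returns a list of problem strings."""
    by_subnet = defaultdict(list)
    problems = []
    for router, text in configs.items():
        for vlan, intf in parse_vlan_interfaces(text).items():
            hello, dead = intf["hello"], intf["dead"]
            if dead <= hello or dead % hello != 0:
                problems.append(f"{router} vlan {vlan}: dead {dead} is not a multiple of hello {hello}")
            by_subnet[intf["network"]].append((router, vlan, hello, dead))
    for subnet, members in by_subnet.items():
        if len({(h, d) for _, _, h, d in members}) > 1:
            detail = ", ".join(f"{r} vlan {v} hello={h} dead={d}" for r, v, h, d in members)
            problems.append(f"{subnet}: hello/dead mismatch ({detail})")
    return problems


# Constructed configs: R0 and R1 agree on 172.21.1.0/24; R2 was left at the
# assumed defaults on 172.21.2.0/24 and so will never form an adjacency with R0.
CONFIGS = {
    "R0": """
interface vlan 101
 ip address 172.21.1.10 255.255.255.0
 ip ospf hello-interval 1
 ip ospf dead-interval 4
exit
interface vlan 102
 ip address 172.21.2.10 255.255.255.0
 ip ospf hello-interval 1
 ip ospf dead-interval 4
exit
""",
    "R1": """
interface vlan 101
 ip address 172.21.1.1 255.255.255.0
 ip ospf hello-interval 1
 ip ospf dead-interval 4
exit
""",
    "R2": """
interface vlan 102
 ip address 172.21.2.2 255.255.255.0
exit
""",
}

if __name__ == "__main__":
    for problem in check_timers(CONFIGS):
        print(problem)
```

Feed it the running configurations of every router on a segment (for example, collected with show running-config) and an empty result means the timers cannot be the reason an adjacency is stuck in Init or Down.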
Command / Purpose
area area-id default-cost integer: Configure the metric value (default cost) for the type 3 summary LSA sent into the stub area. (Range: 1–16777215)
area area-id nssa: Create an NSSA for the specified area ID.
area area-id nssa no-summary: Configure the NSSA so that summary LSAs are not advertised into the NSSA.
area area-id nssa: Configure the translator role of the NSSA.
Configuring Virtual Links
Use the following commands to configure OSPF virtual links.
Command / Purpose
configure: Enter Global Configuration mode.
router ospf: Enter OSPF configuration mode.
area area-id virtual-link neighbor-id: Create the OSPF virtual interface for the specified area ID and neighbor router. The neighbor-id variable is the router ID of the neighboring router, written in dotted-decimal IP address form.
Command / Purpose
area area-id virtual-link neighbor-id hello-interval seconds: Set the OSPF hello interval for the virtual link. The seconds variable is the number of seconds to wait between Hello packets sent from the virtual interface. (Range: 1–65535)
area area-id virtual-link neighbor-id dead-interval seconds: Set the OSPF dead interval for the virtual link. The seconds variable is the number of seconds to wait without Hello packets before the virtual interface is assumed to be dead.
Configuring OSPF Area Range Settings
Use the following commands to configure an OSPF area range.
Command / Purpose
configure: Enter Global Configuration mode.
router ospf: Enter OSPF configuration mode.
area area-id range ip-address mask {summarylink | nssaexternallink} [advertise | not-advertise]: Configure a summary prefix for routes learned in a given area.
• area-id: Identifies the OSPF area to configure. (Range: IP address or decimal from 0–4294967295)
• ip-address: IP address.
Command / Purpose
distribute-list accesslistname out {bgp | rip | static | connected}: Specify the access list used to filter routes received from the source protocol. The ACL must already exist on the switch. For information about the commands used for configuring ACLs, see "Configuring ACLs (CLI)" on page 707.
• accesslistname: The name used to identify an existing ACL.
• bgp: Apply the specified access list when BGP is the source protocol.
Command / Purpose
show ip ospf: View OSPF configuration and status information, including route redistribution information.

Configuring NSF Settings for OSPF
Use the following commands to configure the non-stop forwarding settings for OSPF.
Command / Purpose
configure: Enter Global Configuration mode.
router ospf: Enter OSPF configuration mode.
nsf [ietf] helper strict-lsa-checking: Require that an OSPF helpful neighbor exit helper mode whenever a topology change occurs.
Configuring OSPFv3 Features (CLI)
This section provides information about the commands used for configuring OSPFv3 settings on the switch. For more information about the commands and about additional show commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global OSPFv3 Settings
Use the following commands to configure various global OSPFv3 settings for the switch.
Command / Purpose
distance ospf {external | inter-area | intra-area} distance: Set the preference values of OSPFv3 route types in the router. The range for the distance variable is 1–255. Lower route preference values are preferred when determining the best route.
enable: Enable OSPFv3.
exit-overflow-interval seconds: Specify the exit overflow interval for OSPFv3 as defined in RFC 1765.
Configuring OSPFv3 Interface Settings
Use the following commands to configure per-interface OSPFv3 settings.
Command / Purpose
configure: Enter Global Configuration mode.
interface vlan vlan-id: Enter Interface Configuration mode for the specified VLAN.
ipv6 ospf areaid area-id: Enable OSPFv3 on the interface and set the area ID of the interface. This command supersedes the effect of the network area command.
Command / Purpose
ipv6 ospf dead-interval seconds: Set the OSPFv3 dead interval for the interface. The seconds variable is the number of seconds a router waits without seeing a neighbor router's Hello packets before declaring that neighbor down (Range: 1–65535). This value must be the same on all routers attached to a network, or adjacencies will not form, and it should be a multiple of the hello interval.
ipv6 ospf transmit-delay seconds: Set the OSPFv3 transmit delay for the interface.
Command / Purpose
show ipv6 ospf interface [interface-type interface-number]: View summary information for all OSPFv3 interfaces configured on the switch or for the specified routing interface.
show ipv6 ospf interface stats interface-type interface-number: View per-interface OSPFv3 statistics.

Configuring Stub Areas and NSSAs
Use the following commands to configure OSPFv3 stub areas and NSSAs.
Command / Purpose
configure: Enter Global Configuration mode.
ipv6 router ospf: Enter OSPFv3 configuration mode.
Command / Purpose
area area-id nssa [no-redistribution] [default-information-originate: Create and configure an NSSA for the specified area ID.
• metric-value: Specifies the metric of the default route advertised to the NSSA.
Configuring Virtual Links
Use the following commands to configure OSPFv3 virtual links.
Command / Purpose
configure: Enter Global Configuration mode.
ipv6 router ospf: Enter OSPFv3 configuration mode.
area area-id virtual-link neighbor-id: Create the OSPFv3 virtual interface for the specified area ID and neighbor router. The neighbor-id variable is the router ID of the neighboring router, written in dotted-decimal IP address form.
Configuring an OSPFv3 Area Range
Use the following commands to configure an OSPFv3 area range.
Command / Purpose
configure: Enter Global Configuration mode.
ipv6 router ospf: Enter OSPFv3 configuration mode.
area area-id range ipv6-prefix/prefix-length {summarylink |: Configure a summary prefix for routes learned in a given area.
• area-id: Identifies the OSPFv3 area to configure.
Configuring OSPFv3 Route Redistribution Settings
Use the following commands to configure OSPFv3 route redistribution settings.
Command / Purpose
configure: Enter Global Configuration mode.
ipv6 router ospf: Enter OSPFv3 configuration mode.
redistribute {bgp | static | connected} [metric metric] [metric-type {1 |: Configure OSPFv3 to allow redistribution of routes from the specified source protocol or router.
• bgp: Specifies BGP as the source protocol.
Configuring NSF Settings for OSPFv3
Use the following commands to configure the non-stop forwarding settings for OSPFv3.
Command / Purpose
configure: Enter Global Configuration mode.
ipv6 router ospf: Enter OSPFv3 configuration mode.
nsf [ietf] helper strict-lsa-checking: Require that an OSPFv3 helpful neighbor exit helper mode whenever a topology change occurs. Use the ietf keyword to distinguish the IETF standard implementation of graceful restart from other implementations.
OSPF Configuration Examples This section contains the following examples: • Configuring an OSPF Border Router and Setting Interface Costs • Configuring Stub and NSSA Areas for OSPF and OSPFv3 • Configuring a Virtual Link for OSPF and OSPFv3 Configuring an OSPF Border Router and Setting Interface Costs This example shows how to configure the Dell EMC Networking N-Series switch as an OSPF border router.
To configure Border Router A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Create VLANs 70, 80, and 90 and assign them to interfaces.
5 Configure the OSPF area ID, priority, and cost for each interface.
NOTE: OSPF is globally enabled by default. To make it operational on the router, you configure OSPF for particular interfaces and identify which area the interface is associated with.
console(config)#interface vlan 70
console(config-if-vlan70)#ip ospf area 0.0.0.
Configuring Stub and NSSA Areas for OSPF and OSPFv3 In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area. NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do not interact). This example configures both protocols simultaneously. Figure 34-36 illustrates this example OSPF configuration. Figure 34-36.
Switch A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS.
To configure Switch A:
1 Globally enable IPv6 and IPv4 routing:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ip routing
2 Create VLANs 6 and 12 and assign them to interfaces.
To configure Switch B:
1 Configure IPv6 and IPv4 routing. The static routes are included for illustration only. Redistributed static routes, like routes redistributed from other protocols, are not injected into stub areas such as Area 1:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ipv6 route 3000:44:44::/64 3000:2:3::210:18ff:fe82:c14
console(config)#ip route 10.23.67.0 255.255.255.0 10.2.3.3
2 Create VLANs 5, 10, and 17.
console(config)#router ospf
console(config-router)#router-id 2.2.2.2
console(config-router)#area 0.0.0.1 stub
console(config-router)#area 0.0.0.1 stub no-summary
console(config-router)#area 0.0.0.2 nssa
5 For IPv4: Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 2, respectively.
console(config-router)#network 10.1.2.0 0.0.0.255 area 0.0.0.1
console(config-router)#network 10.2.3.
Figure 34-37. OSPF Configuration—Virtual Link
Switch B is an ABR that directly connects Area 0 to Area 1. Note that in the previous example, Switch B connected to a stub area and an NSSA. Virtual links cannot be created across stub areas or NSSAs. The following commands define a virtual link that traverses Area 1 to Switch C (5.5.5.5).
To configure Switch B:
1 Configure the virtual link to Switch C for IPv4.
console#configure
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 5.
Switch C is an ABR that provides a virtual link from the remote Area 2 in the AS to Area 0. The following commands define a virtual link that traverses Area 1 to Switch B (2.2.2.2).
To configure Switch C:
1 For IPv4, assign the router ID, create the virtual link to Switch B, and associate the VLAN routing interfaces with the appropriate areas.
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 2.2.2.
Interconnecting an IPv4 Backbone and Local IPv6 Network In Figure 34-38, two Dell EMC Networking L3 switches are connected as shown in the diagram. The VLAN 15 routing interface on both switches connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes. OSPF allows device 1 and device 2 to learn routes to each other (from the 20.20.20.x network to the 10.10.10.x network and vice versa).
4 Set the OSPFv3 router ID.
console(config)#ipv6 router ospf
console(config-rtr)#router-id 1.1.1.1
console(config-rtr)#exit
5 Configure the IPv4 address and OSPF area for VLAN 15.
console(config)#interface vlan 15
console(config-if-vlan15)#ip address 20.20.20.1 255.255.255.0
console(config-if-vlan15)#ip ospf area 0.0.0.0
console(config-if-vlan15)#exit
6 Configure the IPv6 address and OSPFv3 information for VLAN 2.
To configure Switch B:
1 Create the VLANs.
console(config)#vlan 2,15
console(config-vlan2,15)#interface te1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#interface gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 2
2 Enable IPv4 and IPv6 routing on the switch.
console(config)#ip routing
console(config)#ipv6 unicast-routing
3 Set the OSPF router ID.
console(config)#router ospf
console(config-router)#router-id 2.2.2.
8 Configure the loopback interface. The switch uses the loopback IP address as the OSPF and OSPFv3 router ID.
console(config)#interface loopback 0
console(config-if-loopback0)#ip address 2.2.2.2 255.255.255.0
console(config-if-loopback0)#exit
console(config)#exit

Configuring the Static Area Range Cost
Figure 34-39 shows a topology for the configuration that follows.
Figure 34-39. Static Area Range Cost Example Topology
1 Configure R0.
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 1
area 1 range 172.21.0.0 255.255.0.0 summarylink
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 1
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit
4 R3 config:
terminal length 0
config
ip routing
router ospf
router-id 3.3.3.3
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
vlan 103
exit
interface vlan 103
ip address 172.21.1.1 255.255.255.
Discussion
With no area range cost specified, the range uses auto cost:

(ABR-R0) #show ip ospf range 1
Prefix       Subnet Mask    Type  Action     Cost  Active
172.21.0.0   255.255.0.0    S     Advertise  Auto  Y

(ABR-R0) #show ip ospf database summary
Network Summary States (Area 0.0.0.0)
LS Age: 644
LS options: (E-Bit)
LS Type: Network Summary LSA
LS Id: 172.21.0.0 (network prefix)
Advertising Router: 10.10.10.10
LS Seq Number: 0x80000002
Checksum: 0x8ee1
Length: 28
Network Mask: 255.255.0.
LS Seq Number: 0x80000003
Checksum: 0x78f8
Length: 28
Network Mask: 255.255.0.0
Metric: 0

The cost can be set to the maximum value, 16,777,215, which is LSInfinity. Because RFC 2328 does not allow a type 3 summary LSA to be originated with this metric, the existing summary LSA is flushed from the domain, and the individual component routes are not advertised in its place. Setting the range cost to LSInfinity is therefore a way to withdraw a summary entirely rather than to make it expensive.

Configuring Flood Blocking
Figure 34-40 shows an example topology for flood blocking. The configuration follows.
Figure 34-40.
router-id 10.10.10.10
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
exit
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit
4 Configure R3:
terminal length 0
config
ip routing
router ospf
router-id 3.3.3.3
network 172.21.0.0 0.0.255.
Discussion
With flood blocking disabled on all interfaces, a type 3 summary LSA sent from R3 to R0 causes R0 to forward the LSA on its interface to R1. Enabling flood blocking on R0's interface to R1 inhibits this behavior:

(R0)(config-if-vlan101)#ip ospf database-filter all out

A trace on the R0-R1 link then shows the LSA being flooded from R1 to R0 instead, since R1 received the LSA via R2. Flood blocking therefore reduces LS Update traffic on the blocked interface, but it does not withhold the LSA from a neighbor that has another path to the rest of the area; the link-state databases still converge.
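To make the discussion above concrete, the following Python simulation is an added example, not code from the Dell EMC guide. It reads the topology from the configurations above as R3-R0, R0-R1 (R0's VLAN 101), R0-R2 and R1-R2 (an assumption, since the figure is not reproduced here), floods one LSA from R3 with and without database-filter on R0's interface to R1, and records which neighbor each router learned the LSA from and every LS Update transmission that occurred.

```python
"""Flooding with and without `ip ospf database-filter all out`.

Added example, not code from the Dell EMC guide. The topology is taken from
the flood-blocking configuration above as this example reads it (assumed):
R3-R0, R0-R1 (R0's vlan 101), R0-R2 and R1-R2. Each router floods a newly
received LSA out of every interface except the one it arrived on and except
interfaces with database-filter configured; a router that already has the
LSA only acknowledges it. The function records who delivered the LSA to
each router and every LS Update transmission, in order.
"""
from collections import deque

# Constructed links (undirected).
LINKS = {("R3", "R0"), ("R0", "R1"), ("R0", "R2"), ("R1", "R2")}


def neighbors(router):
    """Sorted neighbor list, so the flooding order is deterministic."""
    out = set()
    for a, b in LINKS:
        if a == router:
            out.add(b)
        elif b == router:
            out.add(a)
    return sorted(out)


def flood(origin, blocked=frozenset()):
    """Flood one LSA originated by `origin`.

    blocked: set of (router, neighbor) pairs on which `router` has
    `ip ospf database-filter all out` configured toward `neighbor`.
    Returns ({router: learned_from}, [(sender, receiver), ...]).
    """
    learned = {origin: None}
    sent = []
    queue = deque([(origin, None)])  # (router holding the LSA, interface it arrived on)
    while queue:
        router, came_from = queue.popleft()
        for nbr in neighbors(router):
            if nbr == came_from or (router, nbr) in blocked:
                continue  # never flood back the way it came; honour database-filter
            sent.append((router, nbr))
            if nbr not in learned:
                learned[nbr] = router  # new to nbr: install and flood onward
                queue.append((nbr, router))
            # else: nbr already has the LSA and only acknowledges it
    return learned, sent


if __name__ == "__main__":
    print("no filter:  ", flood("R3"))
    print("R0->R1 filtered:", flood("R3", blocked={("R0", "R1")}))
```

With the filter in place the transmission list still contains (R1, R0): R1 learned the LSA from R2 and floods it toward R0 exactly as the trace in the discussion shows, and R0, which already holds the LSA, simply acknowledges it.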
Configuring OSPF VRFs Dell EMC Networking VRF is an implementation of Virtual Routing and Forwarding (VRF) for OSPF for IPv4 networks. Virtual Routing and Forwarding allows multiple independent instances for the forwarding plane to exist simultaneously. Refer to "VRF" on page 1311 for more information. VRF configuration follows the same steps as configuration for the default routing instance with two additional steps: creating the VRF instance and associating VLANs to the instance.
console(config-if-vlan100)#ip address 192.168.0.1 /24
Put the VLAN interface into the VRF:
console(config-if-vlan100)#ip vrf forwarding red
console(config-if-vlan100)#exit
Routing interface moved from Default router instance to red router instance.
Enable OSPF on the VRF, assign a network, and set the router ID for the VRF:
console(config)#router ospf vrf red
console(Config-router-vrf-red)#network 192.168.0.0 0.0.0.255 area 0
console(Config-router-vrf-red)#router-id 192.168.0.
Number of Active Areas......................... stub, 0 nssa)
ABR Status.....................................
ASBR Status....................................
Stub Router Status.............................
External LSDB Overflow.........................
External LSA Count.............................
External LSA Checksum..........................
AS_OPAQUE LSA Count............................
AS_OPAQUE LSA Checksum.........................
New LSAs Originated............................
LSAs Received.....
35 VRF
Dell EMC Networking N3000E-ON, N3100-ON Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, or N2200-ON Series switches.
Virtual Routing and Forwarding (VRF) allows multiple independent instances of the forwarding plane to exist simultaneously. (The terms VRF, VRF instance, and virtual forwarding instance all refer to the same thing.) VRF allows the administrator to segment the network without incurring the costs of multiple routers.
VRF Resource Sharing
Hardware resources such as routes and ARP entries are shared between VRFs. If one VRF allocates the maximum number of routes supported by the system, no VRF will be able to add a new route.
VRF ARP Entries
ARP entries cannot be reserved per VRF instance, because the system purges the least recently used ARP entry automatically. The maximum number of static ARP entries is enforced on a per-VRF-instance basis.
VRF Route Entries
Routes are shared among the VRF instances.
First, create the VLAN instances associated to the VRF. It is recommended that a VLAN numbering scheme be developed to allow for future growth and to assist in the easy recognition of which VLANs are associated to which VRFs.
Use the show ip ospf vrf command to view the configuration of the VRF:

console(config)#show ip ospf vrf red
Router ID......................................
OSPF Admin Mode................................
RFC 1583 Compatibility.........................
External LSDB Limit............................
Exit Overflow Interval.........................
Spf Delay Time.................................
Spf Hold Time..................................
Flood Pacing Interval..........................
NSF Support....................................
NSF Restart Interval...........................
NSF Restart Status.............................
NSF Restart Age................................
NSF Restart Exit Reason........................
NSF Helper Support.............................
NSF Helper Strict LSA Checking.................
RIP 36 Dell EMC Networking N2000, N2100-ON, N2200-ON, N3000E-ON, and N3100-ON Series Switches NOTE: Dell EMC Networking N1100-ON/N1500 Series switches do not support RIP. This chapter describes how to configure Routing Information Protocol (RIP) on the switch. RIP is a dynamic routing protocol for IPv4 networks.
RIP uses hop count, which is the number of routers an IP packet must pass through, to calculate the best route for a packet. A route with a low hop count is preferred over a route with a higher hop count. A directly-connected route has a hop-count of 0. With RIP, the maximum number of hops from source to destination is 15. Packets with a hop count greater than 15 are dropped because the destination network is considered unreachable.
Default RIP Values

RIP is globally enabled by default. To make it operational on the router, you configure and enable RIP for particular VLAN routing interfaces. Table 36-1 shows the global default values for RIP.

Table 36-1. RIP Global Defaults

Parameter                      Default Value
Admin Mode                     Enabled
Split Horizon Mode             Simple
Auto Summary Mode              Disabled
Host Routes Accept Mode        Enabled
Default Information Originate  Disabled
Default Metric                 None configured
Route Redistribution           Disabled for all sources.
Configuring RIP Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring RIP features on Dell EMC Networking N2000, N2100-ON, N2200-ON, and N3100-ON. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. RIP Configuration Use the Configuration page to enable and configure or disable RIP in Global mode.
RIP Interface Configuration Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface. To display the page, click Routing RIP Interface Configuration in the navigation panel. Figure 36-2.
RIP Interface Summary Use the Interface Summary page to display RIP configuration status on an interface. To display the page, click Routing RIP Interface Summary in the navigation panel. Figure 36-3.
RIP Route Redistribution Configuration Use the Route Redistribution Configuration page to configure the RIP Route Redistribution parameters. The allowable values for each field are displayed next to the field. If an invalid value is entered, an alert message is displayed with the list of all the valid values. To display the page, click Routing RIP Route Redistribution Configuration in the navigation panel. Figure 36-4.
RIP Route Redistribution Summary Use the Route Redistribution Summary page to display Route Redistribution configurations. To display the page, click Routing RIP Route Redistribution Summary in the navigation panel. Figure 36-5.
Configuring RIP Features (CLI) This section provides information about the commands used for configuring RIP settings on the switch. For more information about the commands, refer to the Dell EMC Networking N2000, N2100-ON, N2200-ON, N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global RIP Settings Use the following commands to configure various global RIP settings for the switch. NOTE: RIP is enabled by default. The Global RIP Settings are optional.
Configuring RIP Interface Settings

Use the following commands to configure per-interface RIP settings.

Command / Purpose

configure
    Enter global configuration mode.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ip rip
    Enable RIP on the interface.
ip rip send version {rip1 | rip1c | rip2 | none}
    Configure the interface to allow RIP control packets of the specified version(s) to be sent.
Configuring Route Redistribution Settings

Use the following commands to configure an OSPF area range and to configure route redistribution settings.

Command / Purpose

configure
    Enter global configuration mode.
router rip
    Enter RIP configuration mode.
distribute-list accesslistname out {bgp | ospf | static | connected}
    Specify the access list to filter routes received from the source protocol. The ACL must already exist on the switch.
Command / Purpose

redistribute ospf [metric metric] [match [internal] [external 1] [external 2] [nssa-external 1] [nssa-external 2]]
    Configure RIP to redistribute routes from OSPF.
    • ospf — Specifies OSPF as the source protocol.
    • metric — Specifies the metric to use when redistributing the route. Range: 1-15.
    • internal — Adds internal matches to any match types presently being redistributed.
RIP Configuration Example

This example includes four Dell EMC Networking N-Series switches that use RIP to determine network topology and route information. The commands in this example configure Switch A shown in Figure 36-6.

Figure 36-6. RIP Network Diagram

To configure the switch:

1 Enable routing on the switch
console#config
console(config)#ip routing
2 Create VLANs 10, 20, and 30.
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#ip rip
console(config-if-vlan10)#ip rip receive version both
console(config-if-vlan10)#ip rip send version rip2
console(config-if-vlan10)#exit
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.1 255.255.255.
console#show ip rip interface brief

Interface  IP Address
---------  ------------
Vl1        0.0.0.0
Vl10       192.168.10.1
Vl20       192.168.10.1
Vl30       192.168.10.
VRRP 37 Dell EMC Networking N-Series Switches This chapter describes how to configure Virtual Routing Redundancy Protocol (VRRP) on the switch. VRRP can help create redundancy on networks in which end-stations are statically configured with the default gateway IP address.
be configured. A given port may appear as more than one virtual router to the network, also, more than one port on a switch may be configured as a virtual router. With VRRP, a virtual router is associated with one or more IP addresses that serve as default gateways. In the event that the VRRP router controlling these IP addresses (formally known as the master) fails, the group of IP addresses and the default forwarding role is taken over by a Backup VRRP router.
What Is VRRP Accept Mode? The accept mode allows the switch to respond to pings (ICMP Echo Requests) sent to the VRRP virtual IP address. The VRRP specification (RFC 3768 and RFC 5798) indicates that a router may accept IP packets sent to the virtual router IP address only if the router is the address owner. In practice, this restriction makes it more difficult to troubleshoot network connectivity problems.
With standard VRRP, the backup router takes over only if the master router goes down. With VRRP interface tracking, if a tracked interface goes down on the VRRP master, the priority decrement value is subtracted from the router priority. If the master router priority becomes less than the priority on the backup router, the backup router takes over. If the tracked interface comes back up, the value of the priority decrement is added back to the current router priority.
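The tracking rules in this section, as an added Python example that is not code from the Dell guide: it models a two-router VRID with the priority decrement, backup takeover and preempt behaviour described above. Router names, addresses, Router A's priority of 200 and the interface decrement of 20 are assumed; Router B's priority of 195 and the default decrement of 10 match the chapter's later tracking example.

```python
"""VRRP master election with interface and route tracking.

Added example, not Dell's code.  It models the tracking rules described
above: a tracked object going down subtracts its priority decrement from
the router priority, the backup takes over once the master's priority is
lower than its own, the decrement is added back when the object comes up,
and preempt mode decides whether the higher-priority router then regains
mastership.  Router names, addresses, the Router A priority and the
interface decrement are constructed; Router B's priority of 195 and the
default decrement of 10 match this chapter's tracking example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_DECREMENT = 10          # default priority decrement on this platform


@dataclass
class VrrpRouter:
    name: str
    address: IPv4Address        # primary address on the VRRP VLAN interface
    configured_priority: int
    preempt: bool = True        # platform default: preempt enabled
    alive: bool = True
    tracked: dict = field(default_factory=dict)   # tracked object -> decrement
    down: set = field(default_factory=set)        # tracked objects that are down

    def track(self, obj, decrement=DEFAULT_DECREMENT):
        """Counterpart of 'vrrp <vrid> track ip route ...' / 'track interface ...'."""
        self.tracked[obj] = decrement

    def set_tracked(self, obj, is_up):
        """Record a tracked route becoming (un)reachable or an interface going up/down."""
        if obj not in self.tracked:
            raise KeyError(f"{obj} is not tracked by {self.name}")
        if is_up:
            self.down.discard(obj)
        else:
            self.down.add(obj)

    @property
    def priority(self):
        """Effective priority: the configured value minus the decrement of
        every tracked object that is currently down, floored at 1."""
        lost = sum(dec for obj, dec in self.tracked.items() if obj in self.down)
        return max(1, self.configured_priority - lost)


class VrrpGroup:
    """One virtual router (VRID) shared by the routers on a VLAN."""

    def __init__(self, vrid, routers):
        self.vrid = vrid
        self.routers = routers
        self.master = None

    def _best(self):
        # Highest effective priority wins; a tie goes to the higher primary
        # IP address (RFC 5798 section 6.4).  A failed router never wins.
        return max((r for r in self.routers if r.alive),
                   key=lambda r: (r.priority, r.address))

    def evaluate(self):
        """Re-run the election after a failure or tracking event and return
        the master.  A live master is displaced only by a router whose
        effective priority is strictly higher and which has preempt enabled;
        with preempt disabled a recovered router waits as backup until the
        master actually fails."""
        best = self._best()
        if self.master is None or not self.master.alive:
            self.master = best
        elif (best is not self.master and best.preempt
              and best.priority > self.master.priority):
            self.master = best
        return self.master


def tracking_scenario(router_a_preempt=True):
    """Walk the chapter's tracking example and return the master after each event."""
    a = VrrpRouter("Router A", IPv4Address("192.168.10.1"), 200,   # 200 is assumed
                   preempt=router_a_preempt)
    b = VrrpRouter("Router B", IPv4Address("192.168.10.2"), 195)
    a.track("ip route 192.168.200.0/24")           # default decrement of 10
    a.track("interface vlan 25", decrement=20)     # decrement of 20 is assumed
    group = VrrpGroup(10, [a, b])
    masters = [group.evaluate().name]              # 200 > 195: A is master
    a.set_tracked("ip route 192.168.200.0/24", False)   # A falls to 190 < 195
    masters.append(group.evaluate().name)
    a.set_tracked("ip route 192.168.200.0/24", True)    # A back to 200
    masters.append(group.evaluate().name)               # regains only with preempt
    a.set_tracked("interface vlan 25", False)           # A falls to 180
    masters.append(group.evaluate().name)
    a.alive = False                                     # A fails outright
    masters.append(group.evaluate().name)
    return masters


if __name__ == "__main__":
    print("preempt on: ", tracking_scenario())
    print("preempt off:", tracking_scenario(router_a_preempt=False))
```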
Default VRRP Values Table 37-1 shows the global default values for VRRP. Table 37-1.
Configuring VRRP Features (Web) This section provides information about the VRRP pages for configuring and monitoring VRRP features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC VRRP Configuration web page. VRRP Configuration Use the Configuration page to enable or disable the administrative status of a virtual router.
VRRP Virtual Router Status Use the Router Status page to display virtual router status. To display the page, click Routing VRRP Router Status in the navigation panel. Figure 37-2.
VRRP Virtual Router Statistics Use the Router Statistics page to display statistics for a specified virtual router. To display the page, click Routing VRRP Router Statistics in the navigation panel. Figure 37-3.
VRRP Router Configuration Use the Configuration page to configure a virtual router. To display the page, click Routing VRRP Router Configuration Configuration in the navigation panel. Figure 37-4.
VRRP Route Tracking Configuration Use the Route Tracking Configuration page to view routes that are tracked by VRRP and to add new tracked routes. To display the page, click Routing VRRP Router Configuration Route Tracking Configuration in the navigation panel. Figure 37-5. VRRP Route Tracking Configuration Configuring VRRP Route Tracking To configure VRRP route tracking: 1 From the Route Tracking Configuration page, click Add. The Add Route Tracking page displays. Figure 37-6.
2 Select the virtual router ID and VLAN routing interface that will track the route.
3 Specify the destination network address (track route prefix) for the route to track. Use dotted decimal format, for example 192.168.10.0.
4 Specify the prefix length for the tracked route.
5 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked route becomes unreachable.
6 Click Apply to update the switch.
VRRP Interface Tracking Configuration Use the Interface Tracking Configuration page to view interfaces that are tracked by VRRP and to add new tracked interfaces. To display the page, click Routing VRRP Router Configuration Interface Tracking Configuration in the navigation panel. Figure 37-7. VRRP Interface Tracking Configuration Configuring VRRP Interface Tracking To configure VRRP interface tracking: 1 From the Interface Tracking Configuration page, click Add.
Figure 37-8. VRRP Interface Tracking Configuration
2 Select the virtual router ID and VLAN routing interface that will track the interface.
3 Specify the interface to track.
4 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked interface goes down.
5 Click Apply to update the switch.
Configuring VRRP Features (CLI) This section provides information about the commands used for configuring VRRP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring VRRP Settings Use the following commands to configure switch and interface VRRP settings. This set of commands also describes how to configure VRRP interface and route tracking.
Command / Purpose

vrrp vr-id timers {learn | advertise seconds}
    Configure the VRRP timer settings. Use the keyword learn to enable VRRP to learn the advertisement timer interval of the master router. Use the keyword advertise to set the frequency, in seconds, that an interface on the specified virtual router sends a virtual router advertisement.
vrrp vr-id authentication {none | simple key}
    Set the authorization details value for the virtual router configured on a specified interface.
VRRP Configuration Example

This section contains the following VRRP examples:
• VRRP with Load Sharing
• Troubleshooting VRRP
• VRRP with Route and Interface Tracking
• Configuring VRRP in a VRF

VRRP with Load Sharing

In Figure 37-9, two L3 Dell EMC Networking N-Series switches are performing the routing for network clients. Router A is the default gateway for some clients, and Router B is the default gateway for other clients. Figure 37-9.
This example configures two VRRP groups on each router. Router A is the VRRP master for the VRRP group with VRID 10 and the backup for VRID 20. Router B is the VRRP master for VRID 20 and the backup for VRID 10. If Router A fails, Router B will become the master of VRID 10 and will use the virtual IP address 192.168.10.1. Traffic from the clients configured to use Router A as the default gateway will be handled by Router B. To configure Router A: 1 Enable routing for the switch.
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup
10 Enable the VRRP groups on the interface.
console(config-if-vlan10)#vrrp 10 mode
console(config-if-vlan10)#vrrp 20 mode
console(config-if-vlan10)#exit
console(config)#exit
The only difference between the Router A and Router B configurations is the IP address assigned to VLAN 10. On Router B, the IP address of VLAN 10 is 192.168.10.2.
8 Specify the IP address that the virtual router function will use. The router is the virtual IP address owner of this address, so the priority value is 255 by default.
console(config-if-vlan10)#vrrp 20 ip 192.168.10.1
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup
10 Enable the VRRP groups on the interface.
VRRP with Route and Interface Tracking In Figure 37-10, the VRRP priorities are configured so that Router A is the VRRP master, and Router B is the VRRP backup. Router A forwards IP traffic from clients to the external network through the VLAN 25 routing interface. The clients are configured to use the virtual IP address 192.168.10.15 as the default gateway. Figure 37-10.
To configure Router A:
1 Enable routing for the switch.
console#config
console(config)#ip routing
2 Create and configure the VLAN routing interface to use as the default gateway for network clients. This example assumes all other routing interfaces, such as the interface to the external network, have been configured.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#exit
3 Enable VRRP for the switch.
10 Track the route to the 192.168.200.0 network. If it becomes unavailable, the priority of VRID 10 on Router A is decreased by 10, which is the default decrement priority value.
console(config-if-vlan10)#vrrp 10 track ip route 192.168.200.0/24
console(config-if-vlan10)#exit
Router B is the backup router for VRID 10. The configured priority is 195.
7 Enable preempt mode so that the router can regain its position as VRRP master if its priority is greater than the priority of the backup router.
console(config-if-vlan10)#vrrp 10 preempt
8 Enable the VRRP groups on the interface.
console(config-if-vlan10)#vrrp 10 mode
console(config-if-vlan10)#exit
console(config)#exit

Configuring VRRP in a VRF

In this example, a VRRP master is configured in VRF red-1. Interface gi1/0/1 on each of the VRRP peers is connected to the other switch.
10 Set the VRRP priority and accept pings:
console(config-if-vlan10)#vrrp 1 priority 1
console(config-if-vlan10)#vrrp 1 accept-mode
console(config-if-vlan10)#exit
11 Configure the physical interface as a VLAN 10 member:
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 10
console(config-if-Gi1/0/1)#exit
The following steps configure the companion VRRP peer:
1 Create a VLAN:
console#configure
console(config)#vlan 10
console(config-vlan)#exit
2 Create a VRF and ena
console(config-if-vlan10)#vrrp 1 priority 2
console(config-if-vlan10)#vrrp 1 accept-mode
console(config-if-vlan10)#exit
11 Configure the physical interface as a VLAN 10 member:
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 10
console(config-if-Gi1/0/1)#exit
For VRRP to become active, other interfaces need to be enabled for VLAN 10 such that the VRRP peers are able to establish connectivity to each other over those interfaces as well as over Gi1/0/1.
38 BGP Dell EMC Networking N3000E-ON, N3100-ON Series Switches NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON and N2200-ON Series switches. Border Gateway Protocol (BGP) is a standardized exterior gateway path-vector or distance-vector protocol. BGP makes routing decisions based upon paths and network policies configured by the administrator.
Table 38-1. BGP-Related Terms

Term  Definition
RTO   Routing Table Object. The common routing table, or "RIB," which collects routes from all sources (local, static, dynamic) and determines the most preferred route to each destination.
TCP   Transmission Control Protocol

Overview

BGP operates by establishing adjacencies (connections) with other BGP peers (routers). BGP peers are configured manually.
Dell EMC Networking BGP supports the following RFCs in whole or in part as indicated:
• RFC 1997 – BGP Communities Attribute
• RFC 2385 – Protection of BGP Sessions via the TCP MD5 Signature Option
• RFC 2545 – Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
• RFC 2918 – Route Refresh Capability for BGP-4
• RFC 4271 – A Border Gateway Protocol 4 (BGP-4)
• RFC 4273 – Definitions of Managed Objects for BGP-4
• RFC 4456 – BGP Route Reflection: An Alternative to Full Mesh Interna
Routing must be enabled to enable Dell EMC Networking BGP. Both the AS number and the router ID are required to be configured. Enabling of BGP is automatic when the AS number and router ID are configured. The no enable command may be used to temporarily disable BGP without removing the BGP configuration. Autonomous Systems Dell EMC Networking BGP supports both exterior routing (eBGP) between autonomous systems (inter-AS) and interior routing within an AS (iBGP).
decision process applies outbound policy to routes in the local RIB and determines the status of aggregate routes. Active aggregates and individual routes that pass outbound policy are placed in an Adj-RIB-Out specific to each update group, and UPDATE messages are sent to communicate the routes to neighbors. Figure 38-1.
5 Prefer the route with the lower MED. By default, MEDs are compared for routes from any AS, but a configuration option limits comparison of MEDs to the same AS. A route with no MED is considered to have a MED of 0.
Dell EMC Networking BGP sets the AS_PATH path attribute in compliance with RFC 4271. Dell EMC Networking BGP does require that paths from external peers include the configured AS number of the peer as the first AS in the path. Dell EMC Networking BGP enforces a configurable limit to the length of the AS_PATH attribute in received paths. Paths that exceed the limit are discarded.
that other routers select for each destination. An inbound route map can override the default local preference. LOCAL_PREF is never included in paths sent to external peers. If the user changes the default local preference while BGP is running, BGP automatically initiates an immediate soft inbound reset for all external peers, updates the local preference for all locally-originated routes, and re-computes routes.
BGP Finite State Machine (FSM) Dell EMC Networking BGP supports all mandatory FSM session attributes and the following optional session attributes (RFC 4271 section 8): • AllowAutomaticStart — Connections are automatically restarted after an error closes a connection. An adjacency to an external peer in the IDLE state is automatically started if the routing interface to that peer comes up.
Dell EMC Networking BGP supports manual start and stop events. A manual start event occurs when the user first configures a peer (neighbor remote-as) or administratively enables a peer (no neighbor shutdown). A manual stop event occurs when the user administratively disables a neighbor (neighbor shutdown). Of the optional events in RFC 4271 section 8.1.2 - 8.1.
Detecting Loss of Adjacency Dell EMC Networking optionally drops an adjacency with an external peer when the routing interface to that peer goes down. This behavior can be enabled globally or on specific interfaces using the bgp fast-external-fallover and ip bgp fast-external-fallover commands. BGP accomplishes this behavior by listening to router events.
the adjacency to the unreachable neighbor is no longer ESTABLISHED, and if an UPDATE is sent to the neighbor's update group, BGP does not try to send to the failed neighbor. When the failed adjacency is reestablished, BGP resends all routing information to the neighbor. Both internal and external fallover should happen within a second of the loss of reachability. Enabling fast fallover should relax the need to set a short hold time and send KEEPALIVE messages rapidly.
peer session (if the network administrator activates IPv6 on the peer session) and in an IPv6 update group for an IPv6 peer session. Such a configuration is probably a misconfiguration. BGP will send IPv6 NLRI to the neighbor twice. BGP assigns peers to update groups automatically. The Dell EMC Networking UI has no configuration associated with update groups and the UI does report update group membership. Removing Private AS Numbers An organization may use private AS numbers internally.
Session parameters that may be configured in a template are as follows:

Table 38-2. Configurable Session Parameters in BGP Peer Templates

Parameter               Description
allowas-in              Configure to accept routes with my ASN in the as-path.
connect-retry-interval  Configure the connection retry interval for the peer.
description             Configure a description for the peer.
ebgp-multihop           Configure to allow non-directly-connected eBGP neighbors.
fall-over               Configure fast fall-over.
local-as                Configure local-as.
Table 38-3. Family Session Parameters in BGP Peer Templates—Configurable Per-Address

Parameter               Description
remove-private-as       Remove private ASNs from AS_PATH when sending to inheriting peers.
route-map               Configure a route map for the peer.
route-reflector-client  Configure a peer as a route reflector client.
send-community          Configure this peer to send BGP communities.

Resolving Interface Routes

In Dell EMC Networking, the next hop of a route is always a set of next-hop IP addresses.
routes. Delay and hold timers limit how often phase 2 of the decision process runs. This phase 2 dampening limits route origination, as does IP event dampening when interface flaps would otherwise cause rapid origination. BGP originates a default route to all neighbors if the default-information originate command is given and the default route is among the routes BGP redistributes.
• origin
• MED
• IGP distance to the BGP next hop

Dell EMC Networking BGP does not require ECMP next hops to be in a common AS. This behavior is enabled by default. To disable this behavior, use the no bgp always-compare-med command. When advertising to neighbors, BGP always advertises the single best path to each destination prefix, even if BGP has an ECMP route to a destination. NOTE: The maximum ECMP width is limited by the chosen SDM template.
A BGP NEXT_HOP can resolve to an ECMP IGP route. When BGP is configured to allow ECMP iBGP routes, the BGP NEXT_HOP resolves to multiple next hops. BGP retains up to the number of resolved next hops allowed for an iBGP route. For example, in Figure 38-2, R4 receives an iBGP route from internal peer R1. The BGP NEXT_HOP of this path resolves to an ECMP OSPF route through R2 and R3.
Figure 38-3. Combining iBGP Routes Address Aggregation Dell EMC Networking BGP supports address aggregation. The network administrator can configure up to 128 aggregate addresses. BGP compares active prefixes in the local RIB to the set of aggregate addresses. To be considered a match for an aggregate address, a prefix must be more specific (i.e., have a longer prefix length) than the aggregate address.
adds a discard route to RTO with prefix and network mask equal to those defined for the aggregate address. Aggregate addresses apply to both locally-originated routes and routes learned from peers. Address aggregation is done prior to application of outbound policy. Thus, an active aggregate may be advertised to a neighbor, even if the outbound policy to the neighbor filters all of the aggregate's more specific routes (but permits the aggregate itself).
• If the individual routes have communities and the aggregate does not have the ATOMIC_AGGREGATE attribute set, the aggregate is advertised with the union of the communities from the individual routes. If the aggregate carries the ATOMIC_AGGREGATE attribute, the aggregate is advertised with no communities. Dell EMC Networking BGP never aggregates paths with unknown attributes.
Inbound Policy An inbound policy is a policy applied to UPDATE messages received from peers.
When processing list terms, a match for any term indicates a match and processing stops. Routing Policy Changes When the user makes a routing policy configuration change, Dell EMC Networking BGP automatically applies the new policy. Like any other configuration change, routing policy changes are immediately saved in the running configuration, as soon as the user enters the command.
At startup, when the saved configuration is applied, there could potentially be a lot of churn to outbound update groups and filtering of routing information. This startup churn is avoided by keeping BGP globally disabled until after the entire configuration is applied and the status of all routing interfaces is known. BGP Timers Dell EMC Networking BGP supports the five mandatory timers described in RFC 4271 section 10.
Communities

Dell EMC Networking BGP supports BGP standard communities as defined in RFC 1997. Dell EMC Networking supports community lists for matching routes based on community, and supports matching and setting communities in route maps. Dell EMC Networking BGP recognizes and honors the following well-known communities (RFC 1997):
• NO_EXPORT — A route carrying this community is not advertised to external peers.
• NO_ADVERTISE — A route carrying this community is not advertised to any peer.
in this state, BGP periodically checks if there is space available in the BGP routing table, and if so, runs phase 2. When space becomes available in the BGP routing table, these routes are added. RTO Full Condition If BGP computes a new route but the routing table does not accept the route because it is full, BGP flags the route as one not added to RTO. BGP periodically tries to add these routes to RTO. BGP will continue to advertise the best routes to neighbors, even if they are not added to RTO.
For this reason, if a route reflector client has an outbound neighbor route map configured, the set statements in the route map are ignored. VRF Support Dell EMC Networking switches that support BGP and VRFs also support BGP in conjunction with OSPF or statically routed VRFs. When configured in a VRF, the single instance of BGP runs independent sessions to neighbors in the VRF and forwards independently.
Extended Community Attribute Structure Each Extended Community attribute has a community type code of 16 and is encoded into an 8-octet value. The first 2 octets are the attribute type and the remaining 6 octets contain the value of attribute. The values from 0 through 0x7FFF are assigned by IANA and values from 0x8000 through 0xFFFF are vendor-specific.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Global Administrator (cont.)  |       Local Administrator     |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

The value of the high-order octet of this extended type is either 0x01 or 0x41. The low-order octet of this extended type is used to indicate sub-types.
Route Origin Community Attribute The Route Origin Community attribute identifies one or more routers that advertise routes via BGP. The attribute is transitive across Autonomous System boundaries. The Route Origin Community attribute is used to prevent routing loops when BGP speakers are multi-homed to another site and that site uses the AS-Override feature.
If two VRFs use the same IPv4 address prefix, the router translates these into unique VPN-IPv4 address prefixes by prepending the RD (configured per VRF) to the address. The purpose of the RD is to allow the router to install unique routes with an identical IPv4 address prefix. The structuring of the RD provides no semantics. When BGP compares two such addresses, it ignores the RD structure completely and compares it as a 12-byte entity. It is recommended that each VPN within a site utilize a unique RD.
A VRF may be configured to associate all the routes that belong to the VRF with a particular Route Target attribute. Dell EMC Networking allows a finer selection of routes with the use of Export and Import maps. Export and Import maps provide greater flexibility, allowing the administrator to associate some routes of a VRF with a particular Route Target attribute and other routes with a different Route Target attribute.
In order for two BGP speakers to exchange labeled VPN-IPv4 NLRI, they must use the BGP Capabilities Advertisement (in the OPEN message) to ensure that they both are capable of properly processing VPN-IPv4 NLRI. This is done by using capability code 1 (multiprotocol BGP), with an AFI of 1 and an SAFI of 128. The VPNv4 NLRI is encoded as specified in the above sections, where the prefix consists of an 8-byte RD followed by an IPv4 prefix.
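The encodings described in this section (the 8-octet Extended Community with its 0x01/0x41 IPv4-address-specific type, the Route Distinguisher, and the 12-byte VPN-IPv4 address that BGP compares as an opaque entity), as an added Python example that is not code from the Dell guide: sub-type and RD type codes are taken from RFC 4360 and RFC 4364, and the addresses, ASNs and VRF names are constructed sample input.

```python
"""BGP extended communities, route distinguishers and VPN-IPv4 addresses.

Added example, not Dell's code.  It encodes and decodes the 8-octet
structures described above: an Extended Community (2-octet type with a
6-octet value; high-order type octet 0x01 or 0x41 for the IPv4-address-
specific form, low-order octet the sub-type), a Route Distinguisher, and
the 12-byte VPN-IPv4 address (RD + IPv4 prefix) that BGP compares as an
opaque entity.  The sub-type and RD type codes come from RFC 4360 and
RFC 4364; the addresses, ASNs and VRF names are constructed sample input.
"""
import struct
from ipaddress import IPv4Address

# High-order type octet (RFC 4360): the low 6 bits select the type and bit
# 0x40 marks the community non-transitive, so 0x01 is the transitive
# IPv4-address-specific form and 0x41 the non-transitive one.
TYPE_MASK = 0x3F
TYPE_2OCTET_AS = 0x00
TYPE_IPV4_ADDR = 0x01
NON_TRANSITIVE = 0x40
# Low-order sub-type octet (RFC 4360)
SUBTYPE_ROUTE_TARGET = 0x02
SUBTYPE_ROUTE_ORIGIN = 0x03


def encode_ext_community(subtype, gadm, ladm, transitive=True):
    """Build one 8-octet Extended Community.

    gadm is the Global Administrator: an IPv4 address (4-octet GA, 2-octet
    LA) or a 2-octet ASN given as a string (2-octet GA, 4-octet LA)."""
    high = TYPE_IPV4_ADDR if "." in gadm else TYPE_2OCTET_AS
    if not transitive:
        high |= NON_TRANSITIVE
    if "." in gadm:
        if not 0 <= ladm <= 0xFFFF:
            raise ValueError("IPv4-specific Local Administrator is 2 octets")
        return bytes([high, subtype]) + IPv4Address(gadm).packed + struct.pack("!H", ladm)
    asn = int(gadm)
    if not (0 <= asn <= 0xFFFF and 0 <= ladm <= 0xFFFFFFFF):
        raise ValueError("2-octet ASN form needs a 16-bit ASN and a 32-bit LA")
    return bytes([high, subtype]) + struct.pack("!HI", asn, ladm)


def decode_ext_community(octets):
    """Parse one 8-octet Extended Community into its fields."""
    if len(octets) != 8:
        raise ValueError("an Extended Community is exactly 8 octets")
    high, subtype = octets[0], octets[1]
    base = high & TYPE_MASK
    if base == TYPE_IPV4_ADDR:
        gadm = str(IPv4Address(octets[2:6]))          # Global Administrator
        ladm = struct.unpack("!H", octets[6:8])[0]     # Local Administrator
    elif base == TYPE_2OCTET_AS:
        asn, ladm = struct.unpack("!HI", octets[2:8])
        gadm = str(asn)
    else:
        raise ValueError(f"unsupported Extended Community type 0x{high:02x}")
    return {"type": high, "transitive": not high & NON_TRANSITIVE,
            "subtype": subtype, "global_admin": gadm, "local_admin": ladm,
            "text": f"{gadm}:{ladm}"}


def encode_rd(admin, number):
    """8-octet Route Distinguisher (RFC 4364): type 1 for an IPv4 address
    administrator, type 0 for a 2-octet ASN administrator."""
    if "." in admin:
        return struct.pack("!H", 1) + IPv4Address(admin).packed + struct.pack("!H", number)
    return struct.pack("!HHI", 0, int(admin), number)


def decode_rd(rd):
    """Render an RD as administrator:number text (types 0, 1 and 2)."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, number = struct.unpack("!HI", rd[2:8])
        return f"{asn}:{number}"
    if rd_type == 1:
        return f"{IPv4Address(rd[2:6])}:{struct.unpack('!H', rd[6:8])[0]}"
    if rd_type == 2:                                   # 4-octet ASN administrator
        asn, number = struct.unpack("!IH", rd[2:8])
        return f"{asn}:{number}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpn_ipv4_address(rd, prefix):
    """12-byte VPN-IPv4 address: the RD prepended to the IPv4 prefix.  BGP
    treats the whole value as opaque bytes, so two VRFs may carry the same
    IPv4 prefix as long as their RDs differ."""
    return rd + IPv4Address(prefix).packed


def vrfs_importing(route_ext_comms, vrf_import_rts):
    """Return the VRFs whose import Route Targets match any Route Target
    carried by the route (the import-map style selection described above)."""
    carried = {c["text"] for c in map(decode_ext_community, route_ext_comms)
               if c["subtype"] == SUBTYPE_ROUTE_TARGET}
    return sorted(v for v, rts in vrf_import_rts.items() if carried & set(rts))


if __name__ == "__main__":
    # Constructed sample: VRFs red and blue both use 10.1.1.0/24.
    red = vpn_ipv4_address(encode_rd("65001", 10), "10.1.1.0")
    blue = vpn_ipv4_address(encode_rd("65001", 20), "10.1.1.0")
    print(len(red), red != blue, decode_rd(red[:8]), decode_rd(blue[:8]))
    rt = encode_ext_community(SUBTYPE_ROUTE_TARGET, "192.0.2.1", 100)
    print(rt.hex(), decode_ext_community(rt))
```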
IPv6 prefixes can be originated through route redistribution or a network command. Both can be configured with a route map to set path attributes. BGP can also originate an IPv6 default route. Default-origination can be neighbor-specific. IPv6 routes can be filtered using prefix lists, route maps with community lists, and using AS path access lists. BGP can compute IPv6 routes with up to 16 ECMP next hops.
the NEXT_HOP to one of its own global addresses before forwarding routes from an external peer with a link local address (or the implementation must do this automatically). A primary consideration in using link-local addresses is the user interface. With IPv4 addresses and global IPv6 addresses, the user interface simply identifies the neighbor by IP address:

router bgp 1
 neighbor 10.1.1.1 remote-as 100
 neighbor 10.1.1.
configuration of the specific neighbors is time-consuming and error-prone, and where security concerns are lessened due to the closed nature of the network. Configuration includes the address range on which to listen and, optionally, a peer template from which the neighbor's properties may be inherited. Because Dell EMC Networking routing is configured on routed VLANs, it is required that dynamic neighbor peering never be configured on a multiaccess VLAN.
R3(config)#router bgp 5500
R3(config-router)#bgp log-neighbor-changes
7 The router ID is required.
R3(config-router)#bgp router-id 11.11.11.11
8 Set the listen range to the local routed interface subnet and use template T1.
R3(config-router)#bgp listen range 192.168.100.0/24 inherit peer T1
9 Configure template T1 to indicate an IGP peer.
Network Address of Next Hop When advertising IPv6 routes, the Network Address of Next Hop field in MP_REACH_NLRI is set according to RFC 2545. Under conditions specified in this RFC, both a global and a link local next-hop address may be included. The primary purpose of the global address is an address that can be readvertised to internal peers. The primary purpose of the link local address is for use as the next hop of routes.
Alternatively, the network administrator can configure inbound policy on the receiver to set IPv6 next hops.

BGP Limitations

Dell EMC Networking BGP does not support configuration via the Web interface. Dell EMC Networking supports the following RFCs with the exceptions listed in Table 38-4:

Table 38-4. BGP Limitations

Description / Source / Compliance

Description: A BGP speaker MUST be able to support the disabling advertisement of third party NEXT_HOP attributes in order to handle imperfectly bridged media.
Table 38-4. BGP Limitations (Continued)
Description: Dell EMC Networking BGP can only be configured through the CLI. SNMP support is limited to the standard MIB, which primarily provides status reporting, and a proprietary MIB which provides additional status variables. Configuration through SNMP is not supported.
Source: Dell EMC Networking requirement
Compliance: –
Description: BGP may learn the maximum number of routes supported by each Dell EMC Networking N-Series switch.
BGP Configuration Examples
This section includes the following configuration examples:
• Enabling BGP
• BGP Example
• Network Example
• BGP Redistribution of OSPF Example
• Configuring the Multi-Exit Discriminator in BGP Advertised Routes
• Configuring Communities in BGP
• Configuring a Route Reflector
• Campus Network MP-BGP and OSPF Configuration
• Configuring MP-eBGP and Extended Communities

Enabling BGP
The following are rules to remember when enabling BGP:
• IP routing must be enable
BGP Example
This example configures iBGP between two routers in the same AS, each using its own loopback address as the update source.

Router A Configuration
On a router, a loopback interface is created and assigned an IP address. The router ID is assigned (the same IPv4 address as the loopback interface) and the IPv4 address of the neighbor (the Router B IP address) is assigned. Finally, the neighbor's update source is assigned to the local loopback interface.
Network Example The following configuration uses the network command to inject received iBGP routes into the BGP routing table. The network mask allows subnetting and super-netting. An alternative to the network command is to use the redistribute command. Interface Gi1/0/1 is configured as a member of VLAN 10, VLAN 10 is assigned an IP address, IP routing is enabled, and BGP router 65001 is created with a router ID of 129.168.1.254. A static subnet route 129.168.0.X is created for VLAN 10.
BGP Redistribution of OSPF Example The following configuration uses the redistribute command to inject received eBGP routes into the BGP routing table. Interface Te1/0/1 is configured in trunk mode with a native VLAN 10 and VLAN 10 is assigned an IP address with a /30 subnet. BGP fast fallover is enabled for VLAN 10. IP routing is enabled and a default route is configured that points to the neighbor router. BGP router 3434 is created with a router ID of 172.16.64.1. An eBGP neighbor 216.31.219.
Configuring the Multi-Exit Discriminator in BGP Advertised Routes The following example configures an egress routing policy that sets the metric for matching routes. In the example, VLAN 10 is created, followed by an access list matching directly connected source address 5.5.5.x for which the metric will be injected into the advertised routes. A route map “Inject-MED” is created. This route map sets the match criteria as ACL MED-Hosts and configures the metric for matching routes to be 100.
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#network 129.168.0.0 mask 255.255.0.0 route-map Inject-MED
console(config-router)#redistribute connected
console(config-router)#exit

Configuring Communities in BGP
The following example configures an egress routing policy that sets the community attribute for matching routes. In the example, VLAN 10 is created, followed by an access list Comm-Hosts matching directly connected source address 5.5.5.
console(config-if-loopback0)#ip address 129.168.1.254 /24
console(config-if-loopback0)#exit
console(config)#ip routing
console(config)#router bgp 65001
console(config-router)#bgp router-id 129.168.1.254
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#neighbor 129.168.0.254 send-community
console(config-router)#neighbor 129.168.0.
This iBGP neighbor is designated a route reflector client. Other iBGP neighbors can be configured as route reflector clients in order to reduce the explosion of neighbor configuration required to implement a full mesh iBGP network.
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#neighbor 129.168.0.254 update-source loopback 0
console(config-router)#neighbor 129.168.0.
Campus Network MP-BGP and OSPF Configuration Consider the topology below, which is a subset of what might be found on a small campus. This network services three customers (Red, Green, and Blue). The Internet connection to the outside world is hosted in router S1. Router S2 hosts the Red and Green network. Router S3 hosts the Red and Blue network. A common service is supplied over the 192.168.99.1/24 network. Figure 38-4.
Four VRFs are created on S1. Each VRF is assigned a unique route distinguisher (RD). The RDs utilized here are taken from the private ASN address space. Three of the VRFs are assigned to the Red, Green, and Blue networks and the last VRF is utilized for the common service. We use a loopback on S1 to emulate the common service network instead of a VLAN and physical interface. The VRF configuration on the loopback is identical to the case of a VLAN and physical interface.
6 Create VRF Red, import the common service, and export the Red network.
S1(config)#ip vrf Red
S1(config-ip-vrf-Red)#rd 65000:1
S1(config-ip-vrf-Red)#route-target export 65000:1
S1(config-ip-vrf-Red)#route-target import 65000:99
S1(config-ip-vrf-Red)#exit
7 Create VRF Shared, import the Red and Green network, and export the common service.
12 Associate the Red VRF with a VLAN routed interface.
S1(config)#interface vlan 16
S1(config-if-vlan16)#ip vrf forwarding Red
S1(config-if-vlan16)#ip address 172.16.0.1 255.255.255.0
S1(config-if-vlan16)#exit
13 Associate the Green VRF with a VLAN routed interface.
S1(config)#interface vlan 17
S1(config-if-vlan17)#ip vrf forwarding Green
S1(config-if-vlan17)#ip address 172.17.0.1 255.255.255.0
S1(config-if-vlan17)#exit
14 Associate the Blue VRF with a VLAN routed interface.
Next, configure OSPF to exchange routes with the other routers. OSPF runs in the VRFs and area 0 is used within each VRF. Each VRF is configured to redistribute BGP subnets advertised by S1.
1 Configure router Blue.
S1(config)#router ospf vrf "Blue"
2 A router ID is required.
S1(config-router-vrf-Blue)#router-id 172.18.0.1
3 Configure network as 'don't care'. A non-zero IP address is required.
S1(config-router-vrf-Blue)#network 172.18.0.0 255.255.255.255 area 0
4 Redistribute BGP subnets.
Next, assign the VRF associated VLANs to the interfaces connected to the rest of the Red, Green, and Blue networks:
1 Configure the S1-S2 trunk.
S1(config)#interface Gi1/0/13
S1(config-if-Gi1/0/13)#switchport mode trunk
S1(config-if-Gi1/0/13)#switchport trunk allowed vlan 1,16-17
S1(config-if-Gi1/0/13)#exit
2 Configure the S1-S3 trunk.
7 Emulate a network in the Green VRF. The loopback network can be replaced with a VLAN-routed interface.
S2(config)#interface loopback 17
S2(config-if-loopback17)#ip vrf forwarding Green
S2(config-if-loopback17)#ip address 172.17.2.1 255.255.255.0
S2(config-if-loopback17)#exit
8 Create a VLAN routed interface to router S1 for VRF Red.
S2(config)#interface vlan 16
S2(config-if-vlan16)#ip vrf forwarding Red
S2(config-if-vlan16)#ip address 172.16.0.2 255.255.255.
4 Enable routing.
S3(config)#ip routing
5 Emulate the Red network using a loopback.
S3(config)#interface loopback 16
S3(config-if-loopback16)#ip vrf forwarding Red
S3(config-if-loopback16)#ip address 172.16.3.1 255.255.255.0
S3(config-if-loopback16)#exit
6 Emulate the Blue network using a loopback.
S3(config)#interface loopback 18
S3(config-if-loopback18)#ip vrf forwarding Blue
S3(config-if-loopback18)#ip address 172.18.3.1 255.255.255.0
S3(config-if-loopback18)#exit
7 Assign VLANs to the VRFs.
This is a very simple OSPF configuration for each of the routers. In this case, a loopback is used to emulate an OSPF connected interface. If an actual VLAN-routed interface is used, declare it a passive interface in the OSPF configuration. For router S2, VRF Green and Red are configured.
1 Create an OSPF instance for VRF Green.
S2(config)#router ospf vrf "Green"
2 Router ID is required.
S2(config-router-vrf-Green)#router-id 172.17.0.99
3 Network is all 'don't care'.
OSPF on S3 is configured similarly to S2 with VRF Red and Blue:
1 Create OSPF sessions in each VRF. Assign area 0. Router ID assignment is required.
S3(config)#router ospf vrf "Blue"
S3(config-router-vrf-Blue)#router-id 172.18.0.99
S3(config-router-vrf-Blue)#network 172.18.0.0 255.255.255.255 area 0
S3(config-router-vrf-Blue)#exit
S3(config)#router ospf vrf "Red"
S3(config-router-vrf-Red)#router-id 172.16.0.98
S3(config-router-vrf-Red)#network 172.16.0.0 255.255.255.
The VRFs should all have full connectivity.
S1#show ip route vrf Red
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel S - Static
             B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
             S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *172.16.0.0/24
C *172.16.1.0/30
O *172.16.2.0/24
O *172.
To provision MP-BGP to distribute routes for the shared service, on S1 configure a loopback to emulate the common service network:
1 Set a loopback for the BGP router.
S1(config)#interface loopback 0
S1(config-if-loopback0)#ip address 192.0.2.1 255.255.255.255
S1(config-if-loopback0)#exit
Next, configure a BGP router and allow route redistribution to occur. Configuration of the router ID is required.
2 Configure a BGP router.
Verify that BGP maintains routes for each of the VRFs. The common service VRF "Shared" is exported via the route-target 65000:99 and imported into the Red and Green VRFs.
S1(config-router)#show ip bgp vpnv4 all
BGP table version is 0, local router ID is 192.0.2.1
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network
------------------
Route Distinguisher
*>i 172.18.0.
The best routes are placed into the route table in each of the VRFs. VRF Blue does not import or export any routes and does not have access to the common services.
S1#show ip route vrf Blue
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel S - Static
             B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
             S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *172.18.0.0/24
C *172.18.1.0/30
O *172.18.3.0/24
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C    *172.16.0.0/24 [0/0] directly connected,
O    *172.16.1.0/30 [110/11] via 172.16.0.1,
O    *172.16.2.0/24 [110/11] via 172.16.0.2,
C    *172.16.3.0/24 [0/0] directly connected,
O E2 *192.168.99.0/24 [110/1] via 172.16.0.
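The route-target import/export relationships in this design can be checked offline before they are pushed to S1. The following Python script is an added example, not part of the guide or Dell's software: it models each VRF's rd and route-target configuration, resolves which prefixes each VRF ends up with, and audits the result against the intended tenant separation. The Red and Shared values are taken from the steps above; the Green and Blue RD/RT values (65000:2, 65000:3) and the per-VRF prefixes are constructed for the example.

```python
"""Route-target import/export resolution for a VRF design (added example, not Dell code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Vrf:
    """One VRF as configured with 'ip vrf', 'rd' and 'route-target export/import'."""
    name: str
    rd: str
    export_rt: Set[str] = field(default_factory=set)
    import_rt: Set[str] = field(default_factory=set)
    prefixes: Set[str] = field(default_factory=set)   # routes originated inside the VRF


@dataclass
class Vpnv4Route:
    """A route as it appears in the MP-BGP VPNv4 table: RD + prefix + attached RTs."""
    rd: str
    prefix: str
    route_targets: frozenset
    origin_vrf: str


def export_to_vpnv4(vrfs: List[Vrf]) -> List[Vpnv4Route]:
    """Each VRF exports its local prefixes tagged with its export route-targets.
    A VRF with no 'route-target export' contributes nothing to the VPNv4 table."""
    table: List[Vpnv4Route] = []
    for vrf in vrfs:
        if not vrf.export_rt:
            continue
        for prefix in sorted(vrf.prefixes):
            table.append(Vpnv4Route(vrf.rd, prefix, frozenset(vrf.export_rt), vrf.name))
    return table


def resolve_vrf_tables(vrfs: List[Vrf]) -> Dict[str, Dict[str, str]]:
    """Build each VRF's route table: its local prefixes plus every VPNv4 route that
    carries at least one RT the VRF imports. Returns {vrf: {prefix: source_vrf}}."""
    vpnv4 = export_to_vpnv4(vrfs)
    tables: Dict[str, Dict[str, str]] = {}
    for vrf in vrfs:
        table = {p: vrf.name for p in vrf.prefixes}
        for route in vpnv4:
            if route.origin_vrf != vrf.name and route.route_targets & vrf.import_rt:
                table.setdefault(route.prefix, route.origin_vrf)
        tables[vrf.name] = table
    return tables


def audit_leaks(vrfs: List[Vrf], allowed: Set[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (destination_vrf, source_vrf, prefix) for every imported route whose
    (destination, source) pair is not in the allowed set. An empty list means the
    RT policy isolates the tenants exactly as intended."""
    violations = []
    for dst, table in resolve_vrf_tables(vrfs).items():
        for prefix, src in sorted(table.items()):
            if src != dst and (dst, src) not in allowed:
                violations.append((dst, src, prefix))
    return violations


def campus_vrfs() -> List[Vrf]:
    """The S1 design from the example. Red and Shared values follow the configuration
    steps; Green's and Blue's RD/RT values (65000:2, 65000:3) and the prefixes are
    constructed here because the page does not show all of them."""
    return [
        Vrf("Red", "65000:1", {"65000:1"}, {"65000:99"},
            {"172.16.0.0/24", "172.16.2.0/24", "172.16.3.0/24"}),
        Vrf("Green", "65000:2", {"65000:2"}, {"65000:99"},
            {"172.17.0.0/24", "172.17.2.0/24"}),
        Vrf("Blue", "65000:3", set(), set(),             # no import/export at all
            {"172.18.0.0/24", "172.18.3.0/24"}),
        Vrf("Shared", "65000:99", {"65000:99"}, {"65000:1", "65000:2"},
            {"192.168.99.0/24"}),
    ]


# Intended policy: only Red and Green may reach the common service, and the
# common service may reach back to Red and Green. Everything else is a leak.
ALLOWED = {("Red", "Shared"), ("Green", "Shared"), ("Shared", "Red"), ("Shared", "Green")}

if __name__ == "__main__":
    for name, table in resolve_vrf_tables(campus_vrfs()).items():
        print(f"{name:7} {sorted(table)}")
    print("leaks:", audit_leaks(campus_vrfs(), ALLOWED))
```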
Configuring MP-eBGP and Extended Communities
In this configuration, router R1 is connected to router R2 (via VLAN 100 on Gi1/0/13) and router R3 (via VLAN 200 on Gi1/0/16). Router R1 (AS 5500) and R2 (AS 6500) communicate via MP-eBGP. Routers R1 and R3 are both in AS 5500 and form an iBGP relationship. R3's purpose in this configuration is to show that routes received from R2 are redistributed within the IGP and to inject routes into the IGP.
R1(config-if-Gi1/0/16)#switchport access vlan 200
R1(config-if-Gi1/0/16)#exit
7 Configure the BGP router.
R1(config)#router bgp 5500
R1(config-router)#bgp log-neighbor-changes
8 Configure the router ID.
R1(config-router)#bgp router-id 10.10.10.10
9 This router advertises the 192.168.100.0/24 network.
R1(config-router)#network 192.168.100.0 mask 255.255.255.0
10 Redistribute connected routes (10.10.10.10/32).
R1(config-router)#redistribute connected
11 Configure the R2 neighbor.
3 Disable domain lookup and enable IP routing.
R2(config)#no ip domain-lookup
R2(config)#ip routing
4 Create a loopback for the BGP router.
R2(config)#interface loopback 0
R2(config-if-loopback0)#ip address 20.20.20.20 255.255.255.255
R2(config-if-loopback0)#exit
5 Create a loopback to emulate a subnet in the VRF. This could be assigned to a real VLAN.
R2(config)#interface loopback 1
R2(config-if-loopback1)#ip vrf forwarding WAN
R2(config-if-loopback1)#ip address 30.30.30.30 255.255.255.
R2(config-router-af)#redistribute static
R2(config-router-af)#exit
13 Advertise the VPNv4 routes (30.30.30.0/24). These routes are transmitted with the extended community attribute (2020:1).
R2(config-router)#address-family vpnv4 unicast
R2(config-router-af)#neighbor 172.16.10.1 send-community both
R2(config-router-af)#neighbor 172.16.10.1 activate
R2(config-router-af)#exit
R2(config-router)#exit
R2(config)#exit

Router R3 Configuration
1 Configure a VLAN for connection to R1.
R3(config-router)#neighbor 192.168.100.10 remote-as 5500
9 Redistribute connected and static routes.
R3(config-router)#redistribute connected
R3(config-router)#redistribute static
R3(config-router)#exit
R3(config)#exit
R3#exit

Discussion
Verify that the routes on R2 are being distributed to R1 and R3. This shows the R2 BGP and routing tables.
B *192.168.100.0/24 [20/0] via 172.16.10.1, Vl100
This is the resulting R1 routing table.
R1#show ip route
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel S - Static
             B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
             E1 - OSPF External Type 1, E2 - OSPF External Type 2
             N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
             S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *10.
   20.20.20.20/32     172.16.10.2     6500 ?
   30.30.30.0/24      172.16.10.2     6500 ?
Use the routes option to display routes received from R2.
R1#show ip bgp neighbors 172.16.10.2 routes
Local router ID is 10.10.10.10
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network            Next Hop          Metric     LocPref
------------------   ----------------  ---------- ---------
   172.16.10.0/24     172.16.10.2
   20.20.20.20/32     172.16.10.2
   30.30.30.0/24      172.16.10.
BGP
39 Bidirectional Forwarding Detection
Dell EMC Networking N3000E-ON, N3100-ON Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON and N2200X-ON Series switches.
Bidirectional Forwarding Detection (BFD) provides a lightweight fast failure detection mechanism to verify bidirectional connectivity between forwarding engines, which may be a single hop or multiple hops away from each other.
periodically and, if one stops receiving peer packets within the detection time limit, it considers the bidirectional path to have failed. It then notifies the application protocol of this failure. BFD allows each device to estimate how quickly it can send and receive BFD packets to agree with its neighbor upon how fast detection of failure may be performed. BFD operates between two devices on top of any underlying data protocol (network layer, link layer, tunnels, etc.
Demand mode is advantageous in cases when the overhead of a periodic protocol appears burdensome on a device, e.g., a router with a large number of BFD sessions running. Dell EMC Networking BFD does not support demand mode. Echo Function Echo mode is an auxiliary operation that may be used with either BFD mode. When the echo function is active, a stream of BFD echo packets is transmitted in such a way that the other system loops them back through its forwarding path.
BFD Example This example configures BFD for a BGP peer session. BFD is only supported in conjunction with BGP. The BGP configuration is taken from BGP Redistribution of OSPF Example in the BGP Configuration Examples section and is not explained further here. The fast-external-fallover is not enabled in this example, as BFD will provide failure detection. 1 Enable the BFD feature.
console(config-router)#neighbor 216.31.219.19 remote-as 200
console(config-router)#redistribute static
console(config-router)#redistribute ospf match external 1
console(config-router)#redistribute ospf match external 2
3 Enable a BFD session on the BGP peer link:
console(config-router)#neighbor 216.31.219.
Bidirectional Forwarding Detection
40 Unicast Reverse Path Forwarding
Dell EMC Networking N3000-ON, N3100-ON Series Switches
The Unicast Reverse Path Forwarding (uRPF) feature verifies that an incoming packet has a path that is consistent with the local routing table. It does so by doing a reverse check — that is, the source IP address look up is done in the routing table and the reachability of the path determines if the packet is forwarded or dropped.
uRPF validation may be enabled for VLAN routing interfaces and 6to4 tunnels. uRPF validation operates on both IPv4 and IPv6 packets. For ECMP routes, only loose mode validation is performed. Strict uRPF validation is useful only in networks with symmetric paths where IP datagrams to the destination and from the destination traverse the same routing interfaces. If the network has asymmetric paths then strict uRPF validation will always fail.
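To make the strict/loose distinction and the asymmetric-path failure concrete, the following Python model is an added example (not Dell code). It runs uRPF validation over a small constructed routing table with IPv4 and IPv6 routes, an ECMP prefix and a reject route, and it assumes, as most implementations do, that a source covered only by a null/reject route fails even the loose check.

```python
"""Model of unicast RPF strict and loose validation (added example, not Dell code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                   # IPv4 or IPv6 prefix in CIDR notation
    interfaces: Tuple[str, ...]   # egress interface(s); more than one means ECMP
    reject: bool = False          # static route with next hop "null"


def longest_match(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix lookup of addr; None when no route of the same family covers it."""
    ip = ipaddress.ip_address(addr)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.ip_network(route.prefix)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def urpf_check(table: List[Route], src: str, ingress_if: str, mode: str) -> Tuple[bool, str]:
    """Validate the source address of a packet that arrived on ingress_if.

    loose:  pass if the routing table has a usable route back to the source. A source
            covered only by a reject (null) route is treated as unreachable; this is an
            assumption of the model, not something the guide states.
    strict: additionally require that the route back to the source leaves via the very
            interface the packet came in on. For an ECMP route only the loose check is
            performed, as the guide states.
    """
    if mode not in ("strict", "loose"):
        raise ValueError("mode must be 'strict' or 'loose'")
    route = longest_match(table, src)
    if route is None:
        return False, "drop: no route back to source"
    if route.reject:
        return False, "drop: source falls under a reject route"
    if mode == "loose" or len(route.interfaces) > 1:
        return True, "forward: source is reachable (loose check)"
    if ingress_if in route.interfaces:
        return True, "forward: source reachable via ingress interface (strict check)"
    return False, (f"drop: strict check failed, source reachable via "
                   f"{route.interfaces[0]} but packet arrived on {ingress_if}")


def evaluate(table: List[Route], packets, mode: str):
    """Run urpf_check over (src, ingress_if) pairs; return [(src, accepted, reason)]."""
    return [(src, *urpf_check(table, src, iface, mode)) for src, iface in packets]


# Constructed routing table: two access VLANs, one ECMP prefix reachable via both,
# an IPv6 prefix, and a reject route for a range that must never appear as a source.
ROUTING_TABLE = [
    Route("10.1.0.0/24", ("vlan10",)),
    Route("10.2.0.0/24", ("vlan20",)),
    Route("10.3.0.0/24", ("vlan10", "vlan20")),     # ECMP: loose check only
    Route("2001:db8:10::/48", ("vlan10",)),
    Route("192.0.2.0/24", (), reject=True),          # static route with next hop null
]

# Constructed packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("10.1.0.5", "vlan10"),        # legitimate, symmetric path
    ("10.2.0.9", "vlan10"),        # asymmetric path (or spoofed): route points at vlan20
    ("10.3.0.7", "vlan20"),        # ECMP prefix: strict mode falls back to loose
    ("198.51.100.1", "vlan10"),    # no route at all: fails both modes
    ("192.0.2.4", "vlan10"),       # reject route: fails both modes
    ("2001:db8:10::1", "vlan10"),  # IPv6 source, symmetric
    ("2001:db8:20::1", "vlan10"),  # IPv6 source with no route
]

if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} ---")
        for src, ok, why in evaluate(ROUTING_TABLE, SAMPLE_PACKETS, mode):
            print(f"{src:18} {'PASS' if ok else 'FAIL':4} {why}")
```

The second packet is the asymmetric case the text warns about: with strict validation it is dropped even though the source is perfectly routable, while loose validation lets it through.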
41 IPv6 Routing
Dell EMC Networking N3000E-ON, N3100-ON Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, and N2200-ON Series switches.
This chapter describes how to configure general IPv6 routing information on the switch, including global routing settings and IPv6 static routes.
On the Dell EMC Networking N3000-ON and N3100-ON Series switches, IPv6 coexists with IPv4. As with IPv4, IPv6 routing can be enabled on loopback and VLAN interfaces. Each L3 routing interface can be used for IPv4, IPv6, or both. IP protocols running over L3 (for example, UDP and TCP) are common to both IPv4 and IPv6. How Does IPv6 Compare with IPv4? There are many conceptual similarities between IPv4 and IPv6 network operation.
Neighbor Discovery (ND) protocol is the IPv6 replacement for Address Resolution Protocol (ARP) in IPv4. The IPv6 Neighbor Discovery protocol is described in detail in RFC7048. Dell EMC Networking IPv6 supports neighbor advertise and solicit, duplicate address detection, and unreachability detection. Router advertisement is part of the Neighbor Discovery process and is required for IPv6.
Default IPv6 Routing Values IPv6 is disabled by default on the switch and on all interfaces. Table 41-1 shows the default values for the IP routing features this chapter describes. Table 41-1.
Table 41-2.
Configuring IPv6 Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv6 unicast routing features on a Dell EMC Networking N3000-ON and N3100-ON Series switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Interface Configuration Use the Interface Configuration page to configure IPv6 interface parameters. This page has been updated to include the IPv6 Destination Unreachables field. To display the page, click Routing IPv6 Interface Configuration in the navigation panel. Figure 41-2.
Interface Summary Use the Interface Summary page to display settings for all IPv6 interfaces. To display the page, click Routing IPv6 Interface Summary in the navigation panel. Figure 41-3.
IPv6 Statistics Use the IPv6 Statistics page to display IPv6 traffic statistics for one or all interfaces. To display the page, click Routing IPv6 IPv6 Statistics in the navigation panel. Figure 41-4.
IPv6 Neighbor Table Use the IPv6 Neighbor Table page to display IPv6 neighbor details for a specified interface. To display the page, click IPv6 IPv6 Neighbor Table in the navigation panel. Figure 41-5.
DHCPv6 Client Parameters Use the DHCPv6 Client Parameters page to view information about the network information automatically assigned to an interface by the DHCPv6 server. This page displays information only if the DHCPv6 client has been enabled on an IPv6 routing interface. To display the page, click Routing IPv6 DHCPv6 Client Lease Parameters in the navigation panel. Figure 41-6.
DHCPv6 Client Statistics Use the DHCPv6 Client Statistics page to view information about DHCPv6 packets received and transmitted on a DHCPv6 client interface. To display the page, click Routing IPv6 DHCPv6 Client Statistics in the navigation panel. Figure 41-7.
IPv6 Route Entry Configuration
Use the IPv6 Route Entry Configuration page to configure information for IPv6 routes. To display the page, click Routing IPv6 IPv6 Routes IPv6 Route Entry Configuration in the navigation panel. Figure 41-8.
IPv6 Route Table Use the IPv6 Route Table page to display all active IPv6 routes and their settings. To display the page, click Routing IPv6 IPv6 Routes IPv6 Route Table in the navigation panel. Figure 41-9.
IPv6 Route Preferences Use the IPv6 Route Preferences page to configure the default preference for each protocol. These values are arbitrary values in the range of 1 to 255 and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. The best route to a destination is chosen by selecting the route with the lowest preference value.
Configured IPv6 Routes Use the Configured IPv6 Routes page to display selected IPv6 routes. NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped. To display the page, click Routing IPv6 IPv6 Routes Configured IPv6 Routes in the navigation panel. Figure 41-11.
Configuring IPv6 Routing Features (CLI)
This section provides information about the commands used for configuring IPv6 routing on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global IP Routing Settings
Use the following commands to configure various global IP routing settings for the switch.
Configuring IPv6 Interface Settings
Use the following commands to configure IPv6 settings for VLAN, tunnel, or loopback interfaces.
Command: configure
Purpose: Enter Global Configuration mode.
Command: interface {vlan | tunnel | loopback} interface-id
Purpose: Enter Interface Configuration mode for the specified VLAN, tunnel, or loopback interface.
Command: ipv6 enable
Purpose: Enable IPv6 on the interface. Configuring an IPv6 address will automatically enable IPv6 on the interface.
Configuring IPv6 Neighbor Discovery
Use the following commands to configure IPv6 Neighbor Discovery settings.
Command: ipv6 nd prefix ipv6-prefix/prefix-length [{valid-lifetime | infinite} {preferred-lifetime | infinite}] [no-autoconfig] [off-link]
Purpose: Configure parameters associated with network prefixes that the router advertises in its Neighbor Discovery advertisements.
• ipv6-prefix—IPv6 network prefix.
• prefix-length—IPv6 network prefix length.
• valid-lifetime—Valid lifetime of the router in seconds.
Command: ipv6 nd ns-interval milliseconds
Purpose: Set the interval between router advertisements for advertised neighbor solicitations. The range is 1000 to 4294967295 milliseconds.
Command: ipv6 nd other-config-flag
Purpose: Set the other stateful configuration flag in router advertisements sent from the interface.
Command: ipv6 nd managed-config-flag
Purpose: Set the managed address configuration flag in router advertisements. When the value is true, end nodes use DHCPv6.
Configuring IPv6 Route Table Entries and Route Preferences
Use the following commands to configure IPv6 static routes.
Command: configure
Purpose: Enter Global Configuration mode.
Command: ipv6 route ipv6-prefix/prefix-length {next-hop-address | interface-type interface-number} [preference] [track ]
Purpose: Configure a static route. Use the keyword null instead of the next hop router IP address to configure a static reject route.
Command: ipv6 route distance integer
Purpose: Set the default distance (preference) for static IPv6 routes. Lower route preference values are preferred when determining the best route. The default distance (preference) for static routes is 1.
Command: exit
Purpose: Exit to Global Config mode.
IPv6 Show Commands
Use the following commands in Privileged Exec mode to view IPv6 configuration status and related data.
Command: show sdm prefer
Purpose: Show the currently active SDM template.
Command: show sdm prefer dual-ipv4-and-ipv6 default
Purpose: Show parameters for the SDM template.
Command: show ipv6 dhcp interface vlan vlan-id
Purpose: View information about the DHCPv6 lease acquired by the specified interface.
IPv6 Static Reject and Discard Routes
A statically configured route with a next hop of “null” causes any packet matching the route to disappear from the network. This type of route is called a “Discard” route if the router returns an ICMP “network unreachable” message, or a “Reject” route if no ICMP message is returned. The Dell EMC Networking N-Series switches support “Reject” routes, where any packets matching the route network prefix silently disappear.
• ipv6 route 2001::/16 null 254
• ipv6 route 2002::/16 null 254
These address ranges are reserved and not reachable in the Internet. If for some reason you have local networks in this range, a more specific route will have precedence. Another use for the Reject route is to prevent internal hosts from communicating with specific addresses or ranges of addresses. The effect is the same as an outgoing access-list with a “deny” statement.
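The precedence rules above (a more specific route overrides the /16 reject route, and among routes to the same prefix the lower preference wins, as the route preference commands earlier in this chapter describe) can be worked through in code. The following Python model is an added example, not part of the guide: the two /16 reject routes are the ones listed above, while the 2001:db8:100::/48 local prefix, its OSPF-learned duplicate, the 3fff:1::/48 block and the default route are constructed for the example.

```python
"""IPv6 forwarding decision with static reject routes and route preferences (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ipv6Route:
    prefix: str
    next_hop: Optional[str]   # None models the "null" next hop of a static reject route
    preference: int           # route preference (distance); lower wins among equal prefixes
    source: str = "static"


def best_route(table: List[Ipv6Route], dst: str) -> Optional[Ipv6Route]:
    """Longest prefix match first; among routes to the same prefix the lowest
    preference value is chosen, as the route preference commands describe."""
    ip = ipaddress.IPv6Address(dst)
    best: Optional[Ipv6Route] = None
    best_len = -1
    for route in table:
        net = ipaddress.IPv6Network(route.prefix)
        if ip not in net:
            continue
        if net.prefixlen > best_len or (
            net.prefixlen == best_len and route.preference < best.preference
        ):
            best, best_len = route, net.prefixlen
    return best


def forward(table: List[Ipv6Route], dst: str) -> Tuple[str, Optional[str]]:
    """Return ("forward", next_hop); ("reject", None) when a reject route silently
    discards the packet; or ("no-route", None) when nothing in the table matches."""
    route = best_route(table, dst)
    if route is None:
        return "no-route", None
    if route.next_hop is None:
        return "reject", None
    return "forward", route.next_hop


# Constructed table. The two /16 reject routes are the ones from the text
# (preference 254); the remaining entries are invented for the example.
TABLE = [
    Ipv6Route("2001::/16", None, 254),                        # ipv6 route 2001::/16 null 254
    Ipv6Route("2002::/16", None, 254),                        # ipv6 route 2002::/16 null 254
    Ipv6Route("2001:db8:100::/48", "fe80::1", 1),             # local network inside 2001::/16
    Ipv6Route("2001:db8:100::/48", "fe80::2", 110, "ospf"),   # same prefix learned via OSPF
    Ipv6Route("3fff:1::/48", None, 1),                        # keep internal hosts off this range
    Ipv6Route("::/0", "2001:db8::1", 1),                      # default route to the upstream
]

if __name__ == "__main__":
    for dst in ("2001:db8:100::10", "2001:1234::1", "2002:c000:201::1",
                "3fff:1::5", "3fff:2::1"):
        print(f"{dst:20} -> {forward(TABLE, dst)}")
```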
access mode, meaning untagged incoming and outgoing packets are processed on VLAN 10. RA-Guard is enabled on interface Gi1/0/1 and then the configuration is verified with the show command.
console(config-if-Gi1/0/1)#ipv6 nd raguard attach-policy
console(config-if-Gi1/0/1)#show ipv6 nd raguard policy

Ipv6 RA-Guard Configured Interfaces

Interface        Role
---------------  -------
Gi1/0/1          Host
IPv6 Routing
42 DHCPv6 Server Settings
Dell EMC Networking N2000, N2100-ON, N3000E-ON, N3100-ON Series Switches
NOTE: The DHCPv6 Server is not available on the Dell EMC Networking N1100-ON and N1500 Series switches.
This chapter describes how to configure the switch to dynamically assign network information to IPv6 hosts by using the Dynamic Host Configuration Protocol for IPv6 (DHCPv6).
What Is a DHCPv6 Pool?
DHCPv6 pools specify the information that the DHCPv6 server distributes to DHCPv6 clients. These pools are shared between multiple interfaces over which DHCPv6 server capabilities are configured.

What Is a Stateless Server?
DHCPv6 incorporates the notion of a stateless server, where DHCPv6 is not used for IP address assignment to a client; rather, it provides other networking information such as DNS or NTP information.
Figure 42-1. DHCPv6 Prefix Delegation Scenario In Figure 42-1, the Dell EMC Networking switch acts as the Prefix Delegation (PD) server and defines one or more general prefixes to allocate and assign addresses to hosts that may be utilizing IPv6 auto-address configuration or acting as DHCPv6 clients. DHCPv6 clients may request multiple IPv6 prefixes. Also, DHCPv6 clients may request specific IPv6 prefixes.
Configuring the DHCPv6 Server and Relay (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCPv6 server on a Dell EMC Networking N2000, N2100-ON, N3000-ON, and N3100-ON Series switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. DHCPv6 Global Configuration Use the Global Configuration page to configure DHCPv6 global parameters.
DHCPv6 Pool Configuration Use the Pool Configuration page to set up a pool of DHCPv6 parameters for DHCPv6 clients. The pool is identified with a pool name and contains IPv6 addresses and domain names of DNS servers. To display the page, click Routing IPv6 DHCPv6 Pool Configuration in the navigation panel. Figure 42-3 shows the page when no pools have been created. After a pool has been created, additional fields display. Figure 42-3.
Figure 42-4. Pool Configuration 4 From the DNS Server Address menu, select an existing DNS Server Address to associate with this pool, or select Add and specify a new server to add. 5 From the Domain Name menu, select an existing domain name to associate with this pool, or select Add and specify a new domain name. 6 Click Apply.
Prefix Delegation Configuration Use the Prefix Delegation Configuration page to configure a delegated prefix for a pool. At least one pool must be created using DHCPv6 Pool Configuration before a delegated prefix can be configured. To display the page, click Routing IPv6 DHCPv6 Prefix Delegation Configuration in the navigation panel. Figure 42-5.
DHCPv6 Pool Summary Use the Pool Summary page to display settings for all DHCPv6 Pools. At least one pool must be created using DHCPv6 Pool Configuration before the Pool Summary displays. To display the page, click Routing IPv6 DHCPv6 Pool Summary in the navigation panel. Figure 42-6.
DHCPv6 Interface Configuration Use the DHCPv6 Interface Configuration page to configure a DHCPv6 interface. To display the page, click Routing IPv6 DHCPv6 Interface Configuration in the navigation panel. The fields that display on the page depend on the selected interface mode. Figure 42-7. DHCPv6 Interface Configuration Figure 42-8 shows the screen when the selected interface mode is Server. Figure 42-8.
Figure 42-9.
DHCPv6 Server Bindings Summary Use the Server Bindings Summary page to display all DHCPv6 server bindings. To display the page, click Routing IPv6 DHCPv6 Bindings Summary in the navigation panel. Figure 42-10.
DHCPv6 Statistics Use the DHCPv6 Statistics page to display DHCPv6 statistics for one or all interfaces. To display the page, click Routing IPv6 DHCPv6 Statistics in the navigation panel. Figure 42-11.
Configuring the DHCPv6 Server and Relay (CLI) This section provides information about the commands used for configuring and monitoring the DHCP server and address pools. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global DHCP Server and Relay Agent Settings Use the following commands to configure settings for the DHCPv6 server.
Command: domain-name domain
Purpose: Set up to five DNS domain names to provide to a DHCPv6 client by the DHCPv6 server.
Command: CTRL + Z
Purpose: Exit to Privileged Exec mode.
Command: show ipv6 dhcp pool [name]
Purpose: View the settings for all DHCPv6 pools or for the specified pool.

Configuring a DHCPv6 Pool for Specific Hosts
Use the following commands to create a pool and/or configure pool parameters for specific DHCPv6 clients.
Command: configure
Purpose: Enter Global Configuration mode.
Configuring DHCPv6 Interface Information Use the following commands to configure an interface as a DHCPv6 server or a DHCPv6 relay agent. The server and relay functionality are mutually exclusive. In other words, a VLAN routing interface may be configured as a DHCPv6 server or a DHCPv6 relay agent, but not both. Configuring an interface in DHCP relay mode overwrites DHCP server mode and vice-versa. An IP interface configured in relay mode cannot be configured as a DHCP client (ip address dhcp).
Command: ipv6 dhcp relay {destination relay-address [interface vlan vlan-id] | interface vlan vlan-id} | remote-id {duid-ifid | user-defined-string}
Purpose: Configure the interface for DHCPv6 relay functionality.
• destination — Keyword that sets the relay server IPv6 address.
• relay-address — An IPv6 address of a DHCPv6 relay server.
• interface — Sets the relay server interface.
• vlan-id — A valid VLAN ID.
Command: show ipv6 dhcp binding [address]
Purpose: View the current binding information in the DHCP server database. Specify the IP address to view a specific binding.
Command: show ipv6 dhcp statistics
Purpose: View DHCPv6 server and relay agent statistics.
Command: clear ipv6 dhcp statistics
Purpose: Reset all DHCPv6 server and relay agent statistics to zero.
DHCPv6 Configuration Examples This section contains the following examples: • Configuring a DHCPv6 Stateless Server • Configuring the DHCPv6 Server for Prefix Delegation • Configuring an Interface as a DHCPv6 Relay Agent Configuring a DHCPv6 Stateless Server This example configures a DHCPv6 pool that will provide information for the DHCPv6 server to distribute to DHCPv6 clients that are members of VLAN 100.
console(config-if-vlan100)#ipv6 nd other-config-flag
console(config-if-vlan100)#exit
Configuring the DHCPv6 Server for Prefix Delegation
In this example, VLAN routing interface 200 is configured to delegate specific prefixes to certain DHCPv6 clients. The prefix-to-DUID mapping is defined within the DHCPv6 pool. To configure the switch:
1 Create the DHCPv6 pool and specify the domain name and DNS server information.
console(config)#ipv6 dhcp pool my-pool2
console(config-dhcp6s-pool)#domain-name dell.
1 Create VLAN 300 and define its IPv6 address.
console(config)#interface vlan 300
console(config-if-vlan300)#ipv6 address 2001:DB8:03a::14/64
2 Configure the interface as a DHCPv6 relay agent and specify the IPv6 address of the relay server. The command also specifies that the route to the server is through the VLAN 100 routing interface.
Differentiated Services 43 Dell EMC Networking N-Series Switches This chapter describes how to configure the Differentiated Services (DiffServ) feature. DiffServ enables traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
How Does DiffServ Functionality Vary Based on the Role of the Switch? How you configure DiffServ support in Dell EMC Networking N-Series switch software varies depending on the role of the switch in your network: • Edge device: An edge device handles ingress traffic, flowing towards the core of the network, and egress traffic, flowing away from the core. An edge device segregates inbound traffic into a small set of traffic classes, and is responsible for determining a packet’s classification.
Dell EMC Networking N-Series switch software supports the Traffic Conditioning Policy type, which is associated with an inbound traffic class and specifies the actions to be performed on packets meeting the class rules:
• Marking the packet with a given DSCP, IP precedence, or CoS value. Traffic to be processed by the DiffServ feature requires an IP header if the system uses IP Precedence or IP DSCP marking.
• Policing packets by dropping or re-marking those that exceed the class's assigned data rate.
parallel at once, and the priority of the ACL is used to implement the conceptual match process. There are no counters instantiated for ACLs referred to by a class-map. An ACL that is used in a class-map match term itself has one or more permit and/or deny rules. The incoming packet is matched sequentially against the permit rules in each ACL in the match list, in order, and a match/no match decision is reached.
Table 43-1.
Configuring DiffServ (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DiffServ features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Class Configuration Use the DiffServ Class Configuration page to add a new DiffServ class name, or to rename or delete an existing class. To display the page, click Quality of Service Differentiated Services Class Configuration in the navigation panel. Figure 43-2. DiffServ Class Configuration Adding a DiffServ Class To add a DiffServ class: 1 From the DiffServ Class Configuration page, click Add to display the Add Class page. Figure 43-3.
3 Click Apply to add the new class. 4 To view a summary of the classes configured on the switch, click Show All. Figure 43-4. View DiffServ Class Summary Class Criteria Use the DiffServ Class Criteria page to define the criteria to associate with a DiffServ class. As packets are received, these DiffServ classes are used to identify packets. To display the page, click Quality of Service Differentiated Services Class Criteria in the navigation panel.
Figure 43-5.
Policy Configuration Use the DiffServ Policy Configuration page to associate a collection of classes with one or more policy statements. To display the page, click Quality of Service Differentiated Services Policy Configuration in the navigation panel. Figure 43-6. DiffServ Policy Configuration Adding a New Policy Name To add a policy: 1 From the DiffServ Policy Configuration page, click Add to display the Add Policy page.
Figure 43-7. Add DiffServ Policy 2 Enter the new Policy Name. 3 Click Apply to save the new policy. 4 To view a summary of the policies configured on the switch, click Show All. Figure 43-8.
Policy Class Definition Use the DiffServ Policy Class Definition page to associate a class to a policy, and to define attributes for that policy-class instance. To display the page, click Quality of Service Differentiated Services Policy Class Definition in the navigation panel. Figure 43-9. DiffServ Policy Class Definition To view a summary of the policy attributes, click Show All.
Figure 43-10. Policy Class Definition Packet Marking Traffic Condition Follow these steps to have packets that match the class criteria for this policy marked with either an IP DSCP, IP precedence, or CoS value: 1 Select Marking from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page. The Packet Marking page displays. Figure 43-11. Policy Class Definition - Attributes 2 Select IP DSCP, IP Precedence, or Class of Service to mark for this policy-class.
Policing Traffic Condition Follow these steps to perform policing on the packets that match this policy class: 1 Select Policing from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page to display the DiffServ Policy Policing page. Figure 43-12. Policy Class Definition - Policing The DiffServ Policy - Policing page displays the Policy Name, Class Name, and Policing Style.
Service Configuration Use the DiffServ Service Configuration page to activate a policy on a port. To display the page, click Quality of Service Differentiated Services Service Configuration in the navigation panel. Figure 43-13. DiffServ Service Configuration To view a summary of the services configured on the switch, click Show All. Figure 43-14.
Service Detailed Statistics Use the DiffServ Service Detailed Statistics page to display packet details for a particular port and class. To display the page, click Quality of Service Differentiated Services Service Detailed Statistics in the navigation panel. Figure 43-15.
Flow-Based Mirroring Use the Flow-Based Mirroring page to create a mirroring session in which the traffic that matches the specified policy and member class is mirrored to a destination port. To display the Flow-Based Mirroring page, click Switching Ports Traffic Mirroring Flow-Based Mirroring in the navigation panel. Figure 43-16.
Configuring DiffServ (CLI) This section provides information about the commands used for configuring DiffServ settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. DiffServ Configuration (Global) Use the following commands to configure the global DiffServ mode and view related settings.
DiffServ Class Configuration for IPv4
Use the following commands to configure DiffServ classes for IPv4 and view related information.
CLI Command / Description
configure
    Enter global configuration mode.
class-map [match-all | match-any] class-map-name
    Define a new DiffServ class and enter Class-Map Configuration mode for the specified class. The match-all parameter indicates that all match criteria must match. The match-any parameter indicates that at least one match criterion must match.
CLI Command / Description
match ip dscp
    Add to the specified class definition a match condition based on the value of the IP DiffServ Code Point (DSCP) field in a packet.
match ip precedence
    Add to the specified class definition a match condition based on the value of the IP Precedence field in a packet.
match ip tos
    Add to the specified class definition a match condition based on the value of the IP TOS field in a packet.
CLI Command / Description
match [any]
    Configure the match condition for the class-map. Match any indicates that at least one match criterion must match. This configuration does not affect the processing of access-groups.
match class-map
    Add to the specified class definition the set of match conditions defined for another class.
match dstip6
    Add to the specified class definition a match condition based on the destination IPv6 address of a packet.
DiffServ Protocol Matching
DiffServ may be configured to match on protocols other than IPv4 or IPv6. Use the following commands to specify L2 or other match criteria.
CLI Command / Description
match cos
    Add to the specified class definition a match condition for the Class of Service value.
match destination-address mac
    Add to the specified class definition a match condition based on the destination MAC address of a packet.
DiffServ Policy Creation
Use the following commands to configure DiffServ policies and view related information.
CLI Command / Description
configure
    Enter global configuration mode.
policy-map policy-name in
    Create a new DiffServ policy for ingress traffic and enter Policy Map Configuration mode for the policy.
exit
    Exit to Privileged Exec mode.
show policy-map
    Display all configuration information for the specified policy.
CLI Command / Description
police-simple {datarate burstsize conform-action {drop | set-cos-transmit cos | set-prec-transmit prec | set-dscp-transmit dscpval | transmit} [violate-action {drop | set-cos-transmit cos | set-prec-transmit prec | set-dscp-transmit dscpval | transmit}]}
    Establish the traffic policing style for the specified class. The simple form of the police command uses a single data rate and burst size, resulting in two outcomes: conform and nonconform.
CLI Command / Description
mirror interface | redirect interface
    Use mirror to mirror all packets for the associated traffic stream that matches the defined class to the specified destination port or LAG. Use redirect to specify that all incoming packets for the associated traffic stream are redirected to the specified destination port or LAG.
exit
    Exit to Policy-Map Config mode.
exit
    Exit to Global Config mode.
exit
    Exit to Privileged Exec mode.
DiffServ Service Configuration
Beginning in Privileged Exec mode, use the following commands to associate a policy with an interface and view related information.
CLI Command / Description
configure
    Enter Global Configuration mode.
interface interface-id
    Enter Interface Configuration mode for the desired interface.
service-policy {in | out} policy-map-name
    Attach a policy to an interface in the inbound or outbound direction.
DiffServ Configuration Examples This section contains the following examples: • Providing Subnets Equal Access to External Network • DiffServ for VoIP Providing Subnets Equal Access to External Network This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.
The following commands show how to configure the DiffServ example depicted in Figure 43-17.
1 Enable DiffServ operation for the switch.
console#config
console(config)#diffserv
2 Create a DiffServ class of type all for each of the departments, and name them. Also, define the match criteria (source IP address) for the new classes.
console(config)#class-map match-all finance_dept
console(config-classmap)#match srcip 172.16.10.0 255.255.255.
console(config-policy-map)#class development_dept
console(config-policy-classmap)#assign-queue 4
console(config-policy-classmap)#exit
console(config-policy-map)#exit
4 Attach the defined policy to 10-Gigabit Ethernet interfaces 1/0/1 through 1/0/4 in the inbound direction.
console(config)#interface tengigabitethernet 1/0/1
console(config-if-Te1/0/1)#service-policy in internet_access
console(config-if-Te1/0/1)#exit
console(config)#interface tengigabitethernet 1/0/2
console(config-if-Te1/0/2)#service-policy i
ip access-list ten-one-subnet
1000 permit ip 10.1.0.0 0.0.255.255 any
exit
ip access-list ten-two-subnet
1000 permit ip 10.2.0.0 0.0.255.255 any
exit
Create a class map (ten-subnet) using the match-any attribute to allow matching of both access-lists. The choice of using one access list with multiple permit clauses is also possible.
class-map match-any ten-subnet
match access-group name ten-one-subnet
match access-group name ten-two-subnet
exit
Create a policy map (p1) and include the matching class.
cos-queue random-detect 2
Apply the policy to an interface. Incoming traffic on this interface will be matched against the policy. Matching packets will be assigned to CoS queue 2 and policed per the above.
interface Te1/0/1
service-policy in p1
exit
DiffServ for VoIP
One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital.
Figure 43-18. DiffServ VoIP Example Network Diagram The following commands show how to configure the DiffServ example depicted in Figure 43-18. 1 Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.
2 Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets. The class type match-all indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match.
WRED NOTE: WRED is not supported on the Dell EMC Networking N1500 Series switch. WRED Processing Traffic ingressing the switch can be assigned to one of four drop probabilities based on a set of matching criteria. There are three drop probabilities for TCP traffic (green, yellow, and red) and one drop probability for non-TCP traffic (all colors). Users may configure the congestion thresholds at which packets queued for transmission are dropped for each color.
Exponential Weighting Constant The degree of congestion is determined by sampling the egress queue depth and calculating an average queue size. The exponential weighting constant smooths the result of the average queue depth calculation by the function: average depth = (previous queue depth * (1-1/2^n)) + (current queue depth * 1/2^n) The average queue depth is used to select the drop probability for packets queued for egress.
• Packets that are pre-colored yellow and exceed the PIR will be colored red. This does not apply to the simple algorithm since there is no yellow precoloring. • Packets that are pre-colored red remain colored red. Refer to RFC 2697 and RFC 2698 for further detail on color-aware and colorblind processing.
them as a result of exceeding the meter. Pre-colored packets are not re-colored to green or yellow by the meter. Yellow packets may be colored red as a result of exceeding the meter. Refer to RFC 2697 for further details. Two-Rate Meter Implementation The police-two-rate algorithm implements a two-rate Three-Color Marker (trTCM) per RFC 2698. The trTCM algorithm is useful in situations where a peak rate needs to be enforced separately from a committed rate.
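The single-rate and two-rate meters described above, as an added worked example that is not part of this guide or the switch software: a Python model of the police-simple style (one bucket, conform or violate) and of the RFC 2698 trTCM behind police-two-rate, in both color-blind and color-aware modes. Rates are in kbit/s and burst sizes in kbytes, the units the guide uses; the packet train, the bucket sizes and the timing are constructed for the illustration, and the hardware's token granularity is not modelled.

```python
"""Model of the two policing styles described in this chapter (added example, not switch code).

police-simple   : one token bucket (CIR/CBS), two outcomes: conform (green) or violate (red).
police-two-rate : RFC 2698 trTCM. Bucket C enforces CIR/CBS, bucket P enforces PIR/PBS,
                  three outcomes (green/yellow/red), color-blind or color-aware.
Rates are kbit/s and burst sizes are kbytes, as in the guide. Packet sizes are bytes.
"""

GREEN, YELLOW, RED = "green", "yellow", "red"


class TokenBucket:
    """Bucket of byte tokens refilled at `rate_kbps`, capped at `burst_kbytes`."""

    def __init__(self, rate_kbps, burst_kbytes):
        self.bytes_per_sec = rate_kbps * 1000 / 8
        self.capacity = burst_kbytes * 1000
        self.tokens = float(self.capacity)     # buckets start full (RFC 2698, section 2)
        self.last = 0.0

    def refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.bytes_per_sec)
        self.last = now

    def has(self, nbytes):
        return self.tokens >= nbytes

    def take(self, nbytes):
        self.tokens -= nbytes


class SimpleMeter:
    """police-simple: packets that fit the CIR/CBS bucket conform; everything else violates."""

    def __init__(self, cir_kbps, cbs_kbytes):
        self.c = TokenBucket(cir_kbps, cbs_kbytes)

    def meter(self, now, nbytes):
        self.c.refill(now)
        if self.c.has(nbytes):
            self.c.take(nbytes)
            return GREEN
        return RED


class TwoRateMeter:
    """police-two-rate (trTCM). With color_aware=True a pre-colored packet is never promoted."""

    def __init__(self, cir_kbps, cbs_kbytes, pir_kbps, pbs_kbytes, color_aware=False):
        if pir_kbps < cir_kbps:
            raise ValueError("PIR must be >= CIR")
        self.c = TokenBucket(cir_kbps, cbs_kbytes)
        self.p = TokenBucket(pir_kbps, pbs_kbytes)
        self.color_aware = color_aware

    def meter(self, now, nbytes, precolor=GREEN):
        self.c.refill(now)
        self.p.refill(now)
        if self.color_aware and precolor == RED:
            return RED                          # red stays red, no tokens consumed
        if not self.p.has(nbytes):
            return RED                          # exceeds PIR/PBS
        if (self.color_aware and precolor == YELLOW) or not self.c.has(nbytes):
            self.p.take(nbytes)                 # within PIR but beyond CIR, or pre-colored yellow
            return YELLOW
        self.p.take(nbytes)
        self.c.take(nbytes)
        return GREEN


def run_two_rate(color_aware=False):
    """Constructed train: five 1500-byte packets at t=0, two more at t=1 s, all pre-colored
    green. CIR 8 kbit/s (1000 B/s), CBS 3 kB, PIR 16 kbit/s (2000 B/s), PBS 6 kB."""
    m = TwoRateMeter(8, 3, 16, 6, color_aware)
    train = [(0.0, 1500)] * 5 + [(1.0, 1500)] * 2
    return [m.meter(t, n, GREEN) for t, n in train]


def run_precolored(color_aware):
    """Same meter, fresh buckets: one red, one yellow and one green pre-colored packet at t=0."""
    m = TwoRateMeter(8, 3, 16, 6, color_aware)
    return [m.meter(0.0, 1500, c) for c in (RED, YELLOW, GREEN)]


def run_simple():
    """police-simple with CIR 8 kbit/s, CBS 3 kB: four 1500-byte packets back to back."""
    m = SimpleMeter(8, 3)
    return [m.meter(0.0, 1500) for _ in range(4)]


if __name__ == "__main__":
    print("trTCM color-blind :", run_two_rate(False))
    print("trTCM color-aware :", run_two_rate(True))
    print("pre-colored blind :", run_precolored(False))
    print("pre-colored aware :", run_precolored(True))
    print("police-simple     :", run_simple())
```

The pre-colored run is the one worth studying: in color-blind mode the same three packets come out green, green, yellow because the meter ignores what an upstream device marked, while in color-aware mode the red packet stays red without consuming tokens and the yellow packet stays yellow, which is exactly the "never re-colored to green or yellow" rule stated above.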
Class-of-Service 44 Dell EMC Networking N-Series Switches This chapter describes how to configure the Class-of-Service (CoS) feature. The CoS queuing feature lets you directly configure certain aspects of switch queuing. This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required. The priority of a packet arriving at an interface can be used to steer the packet to the appropriate outbound CoS queue through a mapping table.
Each ingress port on the switch has a default priority value (set by configuring VLAN Port Priority in the Switching sub-menu) that determines the egress queue its traffic gets forwarded to. Packets that arrive without a VLAN user priority, or packets from ports you’ve identified as “untrusted,” get forwarded according to this default. What Are Trusted and Untrusted Port Modes? Ports can be configured in “trusted” mode or “untrusted” mode with respect to ingress traffic.
How Are Traffic Queues Configured? The switch CoS queues may be configured to selectively service packets queued for transmission in a pre-defined manner when an interface is congested. If an interface is not congested, packets are transmitted in FIFO order. The switch supports 7 queues. By default, the switch selects packets in higher numbered queues more often than lower numbered queues while still ensuring fairness as described below.
that the system can respond to bursts in traffic. Setting the minimum bandwidth percentages such that they sum to 100% effectively sets the scheduler such that sharing of bandwidth is disabled, and all queues, including strict priority queues, are serviced according to their minimum bandwidth configuration during congestion.
• Simple Random Early Detection (SRED): drops packets queued for transmission on an interface selectively, based on their drop precedence level. For each of three drop precedence levels on each SRED-enabled interface queue, the following parameters can be configured: – Minimum Threshold: A percentage of the interface queue size below which no packets of the selected drop precedence level are dropped.
Table 44-1.
Configuring CoS (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring CoS features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Mapping Table Configuration Use the Mapping Table Configuration page to define how class of service is assigned to a packet.
To display the Queue Mapping Table for the selected Trust Mode, click the Show All link at the top of the page. The following figure shows the queue mapping table when CoS (802.1p) is selected as the Trust Mode. Figure 44-2.
Interface Configuration Use the Interface Configuration page to define the interface shaping rate for egress packets on an interface and the decay exponent for WRED queues defined on the interface. Each interface CoS parameter can be configured globally or per-port. A global configuration change is applied to all interfaces in the system. To display the Interface Configuration page, click Quality of Service Class of Service Interface Configuration in the navigation panel. Figure 44-3.
Interface Queue Configuration Use the Interface Queue Configuration page to configure egress queues on interfaces. The settings you configure control the amount of bandwidth the queue uses, the scheduling method, and the queue management method. The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per-port. A global configuration change is applied to the same queue ID on all ports in the system.
To access the Interface Queue Status page, click the Show All link at the top of the page. Interface Queue Drop Precedence Configuration Use the Interface Queue Drop Precedence Configuration page to configure thresholds and scaling values for each of four drop precedence levels on a WRED-enabled interface queue. The settings you configure control the minimum and maximum thresholds and a drop probability scaling factor for the selected drop precedence level.
Figure 44-5. Interface Queue Drop Precedence Configuration To access the Interface Queue Drop Precedence Status page, click the Show All link at the top of the page.
Configuring CoS (CLI) This section provides information about the commands used for configuring CoS settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. The interface mode commands shown in this section may also be used in Global Configuration mode to configure CoS for all interfaces.
CLI Command / Description
show classofservice ip-dscp-mapping
    Display the current IP DSCP mapping to internal traffic classes for a specific interface.
show classofservice trust
    Display the current trust mode setting for a specific interface.

CoS Interface Configuration Commands
Use the following commands to configure the traffic shaping and WRED exponent values for an interface.
CLI Command / Description
configure
    Enter Global Configuration mode.
CLI Command / Description
configure
    Enter Global Configuration mode.
interface interface
    Enter Interface Configuration mode, where interface is replaced by gigabitethernet unit/slot/port, tengigabitethernet unit/slot/port, or port-channel port-channel-number.
cos-queue min-bandwidth bw
    Specify the minimum transmission bandwidth (range: 0-100% in 1% increments) for each interface queue. The sum of the configured minimum bandwidths should be less than 100% to allow for buffering of bursty traffic.
Configuring Interface Queue Drop Probability Use the following commands to configure characteristics of the drop probability and view related settings. The drop probability supports configuration in the range of 0 to 10%, and the discrete values 25%, 50%, and 75%. Values not listed are truncated to the next lower value in hardware. Not all switches support all colors (or non-TCP thresholds) or thresholds. Drop probability settings also vary among the switch families.
CoS Configuration Example Figure 44-6 illustrates the network operation as it relates to CoS mapping and queue configuration. Four packets arrive at the ingress port te1/0/10 in the order A, B, C, and D. Port te1/0/10 is configured to trust the 802.1p field of the packet, which serves to direct packets A, B, and D to their respective queues on the egress port. These three packets utilize the 802.1p to CoS Mapping Table for port te1/0/10. In this example, the 802.
Continuing this example, the egress port te1/0/8 is configured for strict priority on queue 4, and a weighted scheduling scheme is configured for queues 3-0. Assuming queue 3 has a higher minimum bandwidth than queue 1 (relative bandwidth values are shown as a percentage, with 0% indicating the bandwidth is shared according to the default weighting), the queue service order, when congested, is 4 followed by 3 followed by 1.
classes generally use the default WRR scheduling mode as opposed to strict priority, to avoid starving other traffic. For example, the following commands assign 802.1p user priority 4 to CoS queue 4 and reserves 50% of the scheduler time slices to CoS queue 4. This implies that, when the switch is congested, the scheduler will service CoS queue 4 fifty percent of the time to the exclusion of all other CoS queues, including higher-priority CoS queues.
Explicit Congestion Notification Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal congestion by dropping packets. A Random Early Discard scheme provides earlier notification than tail drop. ECN marks congested packets that would otherwise have been dropped and expects an ECN-capable receiver to signal congestion back to the transmitter, without the need to retransmit the packet that would have been dropped.
example, N1500 series) cannot support ECN. The network operator can configure any CoS queue to operate in ECN marking mode and can configure different discard thresholds for each color. Enabling ECN in Microsoft Windows On many current Windows implementations, ECN capability is enabled via the netsh command as follows: netsh int tcp set global ecncapability=enabled The capability can be verified with the command netsh int tcp show global. An example is shown below: C:\Users\jmclendo>Netsh int tcp set glob
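The exponential weighting constant formula in the WRED Processing section, the per-color threshold parameters, and the ECN marking behaviour described just above, as one added worked example that is not part of this guide or the switch software: a Python model of a single egress queue running WRED with an optional ECN marking mode. Its assumptions are stated in the header comment: the drop probability ramps linearly from 0 at min-thresh to the configured ceiling at max-thresh (the guide says the rate rises between the thresholds but does not give the curve), every packet at or above max-thresh or arriving at a full queue is dropped, and in ECN mode an ECT-marked packet that WRED would have dropped inside the ramp is marked CE and queued instead (RFC 3168 recommends dropping rather than marking once the average exceeds the maximum threshold). The queue size, profile and arrival pattern are constructed.

```python
"""WRED/ECN model for one CoS queue (added example, not switch code).

average depth = previous * (1 - 1/2^n) + current * 1/2^n   (the guide's formula, n = weighting constant)
Per color profile: (min_pct, max_pct, max_prob). Assumption: the drop probability rises linearly
from 0 at min-thresh to max_prob at max-thresh; at or above max-thresh, or when the queue is
full, every packet is dropped (RFC 3168 recommends dropping rather than marking there). In ECN
mode an ECT packet selected for early drop inside the ramp is marked CE and queued instead.
"""
import random

GREEN, YELLOW, RED = "green", "yellow", "red"
ACCEPT, DROP, MARK_CE = "accept", "drop", "mark-ce"


def ewma_depth(avg_prev, current, n):
    """Exponentially weighted average queue depth with weighting constant n."""
    w = 1.0 / (1 << n)
    return avg_prev * (1.0 - w) + current * w


def drop_probability(avg_depth, queue_size, min_pct, max_pct, max_prob):
    """Early-drop probability for one drop-precedence profile (linear ramp assumed)."""
    lo = queue_size * min_pct / 100.0
    hi = queue_size * max_pct / 100.0
    if avg_depth < lo:
        return 0.0
    if avg_depth >= hi:
        return 1.0
    return max_prob * (avg_depth - lo) / (hi - lo)


class WredQueue:
    def __init__(self, size, exponent, profiles, ecn=False, seed=1):
        self.size = size            # queue capacity in packets
        self.n = exponent           # exponential weighting constant
        self.profiles = profiles    # color -> (min_pct, max_pct, max_prob)
        self.ecn = ecn
        self.depth = 0
        self.avg = 0.0
        self.rng = random.Random(seed)   # seeded so runs are reproducible

    def enqueue(self, color, ect=False):
        """Return ACCEPT, DROP or MARK_CE for an arriving packet of the given color."""
        self.avg = ewma_depth(self.avg, self.depth, self.n)
        p = drop_probability(self.avg, self.size, *self.profiles[color])
        if p >= 1.0 or self.depth >= self.size:
            return DROP                          # above max-thresh, or tail drop
        if self.rng.random() < p:
            if self.ecn and ect:
                self.depth += 1                  # congestion signalled without losing the packet
                return MARK_CE
            return DROP
        self.depth += 1
        return ACCEPT

    def dequeue(self, count=1):
        self.depth = max(0, self.depth - count)


def simulate(ecn, packets=300, preload=90):
    """Constructed load: a 100-packet queue already 90 deep, one green ECT packet arriving per
    packet serviced, so the average depth sits in the 50-100% WRED region of a profile with a
    10% ceiling. Returns the count of each outcome."""
    q = WredQueue(size=100, exponent=0, profiles={GREEN: (50, 100, 0.10)}, ecn=ecn)
    q.depth = preload
    counts = {ACCEPT: 0, DROP: 0, MARK_CE: 0}
    for _ in range(packets):
        counts[q.enqueue(GREEN, ect=True)] += 1
        q.dequeue(1)
    return counts


if __name__ == "__main__":
    print("n=2, average 80, sample 40 ->", ewma_depth(80, 40, 2))
    print("p at 75% depth, 50-100% / 10% profile ->", drop_probability(75, 100, 50, 100, 0.10))
    print("WRED only:", simulate(ecn=False))
    print("WRED+ECN :", simulate(ecn=True))
```

Running both simulations side by side shows the operational difference that matters when you enable ECN on a queue: with plain WRED the early drops pull the queue depth down and cost retransmissions, whereas with ECN the same packets are delivered marked CE and the queue depth holds steady, so the receiver, not a lost segment, carries the congestion signal back to the sender. A larger weighting constant smooths the average over more samples and makes the queue slower to react to short bursts.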
Example 1: SLA Configuration
The following example configures a simple meter and a trTCM meter in support of a network SLA. The SLA classes are segregated by CoS class as described in the comments.
1 Define a class-map so that all traffic will be in the set of traffic “cos-any”.
console#config
console(config)#class-map match-all cos-any ipv4
console(config-classmap)#match any
console(config-classmap)#exit
2 Define a class-map such that all traffic with a CoS value of 1 will be in the set of traffic “cos1.
6 Create a simple policer in color blind mode. Packets within the committed information rate (CIR) and committed burst size (CBS) are assigned drop precedence green. Packets that exceed the CIR (in Kbps) or CBS (in Kbytes) are colored red. Both the conform and violate actions are set to transmit, as WRED is used to drop packets when congested.
• TCP packets with rates higher than the PIR/PBS or which belong to neither class CoS 1 or class CoS 2 violate the rate (red). These packets will be dropped randomly at an increasing rate between 0 and 10% when the outgoing interface is congested between 50 and 100%. • Non-TCP packets in CoS queue 0 or 1 will be dropped randomly at an increasing rate between 0 and 15% when the outgoing interface is congested between 50 and 100%.
console(config)#interface Te1/0/22
console(config-if-Te1/0/22)#service-policy in simple-policy
console(config-if-Te1/0/22)#exit
console(config)#interface Te1/0/23
console(config-if-Te1/0/23)#service-policy in two-rate-policy
console(config-if-Te1/0/23)#exit
Example 2: Long-Lived Congestion The following example enables WRED discard for non-color-aware traffic. Since a color-aware policer is not enabled, all traffic is treated as if it were colored “green.” This means that only the “green” TCP and non-TCP WRED thresholds are active. Since the default CoS queue is 1, this example is suitable as a starting point for configuring WRED on a switch using the default settings.
In the first line of the configuration below, the first integer after the min-thresh keyword configures green-colored, congestion-enabled TCP packets in CoS queues 0 and 1 that exceed the WRED threshold (13%, approximately 38 Kbytes) to be marked as Congestion Experienced. The first integer after the max-thresh parameter configures the upper threshold for green-colored TCP packets to the same value as the min-thresh threshold.
Auto VoIP 45 Dell EMC Networking N1500, N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON Series Switches Voice over Internet Protocol (VoIP) allows you to make telephone calls using a computer network over a data network like the Internet. With the increased prominence of delay-sensitive applications (voice, video, and other multimedia applications) deployed in networks today, proper QoS configuration will ensure high-quality application performance.
Auto VoIP supports a limited number of active sessions, since it makes use of the switch CPU to classify traffic. It is preferable to use the Voice VLAN feature in larger enterprise environments, as it uses the switching silicon to classify voice traffic onto a VLAN. Auto VoIP is incompatible with Voice VLAN and should not be enabled on switches on which Voice VLAN is enabled. How Does Auto VoIP Use ACLs? Auto VoIP utilizes ACLs from the global system pool.
Configuring Auto VoIP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Auto VoIP features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Auto VoIP Global Configuration Use the Global Configuration page to enable or disable Auto VoIP on all interfaces.
Figure 45-2. Auto VoIP Interface Configuration To display summary Auto VoIP configuration information for all interfaces, click the Show All link at the top of the page. Figure 45-3.
Configuring Auto VoIP (CLI) This section provides information about the commands used for configuring Auto VoIP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support. Mapping Table Configuration Use the following commands to enable Auto VoIP and view its configuration. CLI Command Description configure Enter Global Configuration mode.
IPv4 and IPv6 Multicast 46 Dell EMC Networking N3000E-ON, N3100-ON Series Switches NOTE: This feature is available only on Dell EMC Networking N3000-ON and N3100-ON Series switches. This chapter describes how to configure and monitor Layer-3 (L3) multicast features for IPv4 and IPv6, including global IP and IPv6 multicast features as well as multicast protocols, including IGMP, DVMRP, and PIM for IPv4 and MLD and PIM for IPv6.
recipient host. The IP routing protocols can route multicast traffic, but the IP multicast protocols handle the multicast traffic more efficiently with better use of network bandwidth. Applications that often send multicast traffic include video or audio conferencing, Whiteboard tools, stock distribution tickers, and IP-based television (IP/TV). What Is IP Multicast Traffic? IP multicast traffic is traffic that is destined to a host group.
239.0.0.0/8 is the administratively (locally) scoped IPv4 multicast address range. Use addresses from this block for local/intra-domain multicast data traffic; they must not be forwarded across the domain boundary. See RFC 2365 for further information. 233.0.0.0/8 is the GLOP IPv4 public address range and is suitable for inter-domain multicast data traffic. See RFC 2770 (later replaced by RFC 3180) for further information. 232.0.0.0/8 is the PIM-SSM IPv4 public address space and is suitable for inter-domain data traffic. See RFC 4608 for further information.
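The address ranges listed above, as an added worked example that is not part of this guide or the switch software: Python helpers that classify an IPv4 group into the ranges the chapter names, decode the AS number a GLOP group encodes in its second and third octets, and decide whether a group may legitimately cross an administrative domain boundary. It goes a little beyond the text in two places, both standard behaviour: the RFC 2365 sub-scopes inside 239/8 (239.255/16 local, 239.192/14 organization-local), the RFC 4291 scope field of an IPv6 multicast address, and the RFC 1112 mapping of an IPv4 group onto an Ethernet destination of 01:00:5e plus the low 23 bits, which is why 32 different groups share one MAC address on a VLAN. Only the standard library is used; the sample addresses and AS 64496 (a documentation AS number) are constructed.

```python
"""IPv4/IPv6 multicast address checks (added example, not switch code).

Ranges from the chapter: 224.0.0.0/24 link-local control, 232/8 SSM, 233/8 GLOP, 239/8
administratively scoped. GLOP carries a 16-bit AS number in octets 2 and 3 (RFC 2770 / RFC 3180).
RFC 2365 sub-scopes, the RFC 4291 IPv6 scope nibble and the RFC 1112 IPv4-to-MAC mapping are
added for completeness.
"""
import ipaddress

LINK_LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")
SSM = ipaddress.ip_network("232.0.0.0/8")
GLOP = ipaddress.ip_network("233.0.0.0/8")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")
ORG_LOCAL = ipaddress.ip_network("239.192.0.0/14")
LOCAL = ipaddress.ip_network("239.255.0.0/16")

IPV6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def glop_as(addr):
    """AS number embedded in a 233.X.Y.0/24 GLOP group."""
    ip = ipaddress.IPv4Address(addr)
    if ip not in GLOP:
        raise ValueError(f"{addr} is not in 233.0.0.0/8")
    b = ip.packed
    return (b[1] << 8) | b[2]


def glop_block_for_as(asn):
    """The /24 GLOP block an AS may use for its inter-domain groups."""
    if not 0 < asn < 65536:
        raise ValueError("GLOP covers 16-bit AS numbers only")
    return ipaddress.ip_network(f"233.{asn >> 8}.{asn & 0xFF}.0/24")


def classify_ipv4_group(addr):
    """Name the range an IPv4 group belongs to."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    if ip in LINK_LOCAL_CONTROL:
        return "link-local control (never forwarded)"
    if ip in SSM:
        return "source-specific multicast"
    if ip in GLOP:
        return f"GLOP, AS {glop_as(ip)}"
    if ip in LOCAL:
        return "administratively scoped, local"
    if ip in ORG_LOCAL:
        return "administratively scoped, organization-local"
    if ip in ADMIN_SCOPED:
        return "administratively scoped"
    return "global any-source multicast"


def may_cross_domain_boundary(addr):
    """Boundary filter: only globally meaningful groups may leave the administrative domain."""
    ip = ipaddress.IPv4Address(addr)
    return ip.is_multicast and ip not in LINK_LOCAL_CONTROL and ip not in ADMIN_SCOPED


def ipv4_group_mac(addr):
    """Ethernet destination for an IPv4 group: 01:00:5e + the low 23 bits of the address."""
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    mac = 0x01005E000000 | low23
    return ":".join(f"{(mac >> s) & 0xFF:02x}" for s in range(40, -1, -8))


def ipv6_group_scope(addr):
    """(scope name, transient flag) for an IPv6 multicast address."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    flags, scope = ip.packed[1] >> 4, ip.packed[1] & 0xF
    return IPV6_SCOPES.get(scope, f"scope {scope:x}"), bool(flags & 0x1)


if __name__ == "__main__":
    for g in ("224.0.0.5", "232.1.1.1", "233.251.240.7", "239.255.1.1", "239.193.0.1", "224.1.1.1"):
        print(g, "->", classify_ipv4_group(g), "| crosses boundary:", may_cross_domain_boundary(g),
              "| MAC", ipv4_group_mac(g))
    print("AS 64496 GLOP block:", glop_block_for_as(64496))
    print("ff02::1 ->", ipv6_group_scope("ff02::1"), " ff15::1 ->", ipv6_group_scope("ff15::1"))
```

The boundary check is the piece to carry into a border-router ACL: 239/8 and 224.0.0.0/24 traffic arriving on an inter-domain link is either a misconfiguration or an attempt to inject into a scoped group. The MAC mapping explains a second operational point, that 224.1.1.1, 225.1.1.1 and 224.129.1.1 all reach the same 01:00:5e:01:01:01 address, so Layer-2 forwarding alone cannot separate them and IGMP snooping or Layer-3 filtering is needed.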
What Are the Multicast Protocol Roles? Hosts must have a way to identify their interest in joining any particular multicast group, and routers must have a way to collect and maintain group memberships. These functions are handled by the IGMP protocol in IPv4. In the IPv6 domain, multicast routers use the Multicast Listener Discovery (MLD) protocol to maintain group membership information.
contain two ports, one on each connecting switch. A VLAN carrying multicast traffic should never traverse a multicast router, as ingress multicast traffic is Layer-2-switched across the VLAN, defeating the purpose of the multicast router. Determining Which Multicast Protocols to Enable IGMP is required on any multicast router that serves IPv4 hosts. IGMP is not required on inter-router links. MLD is required on any router that serves IPv6 hosts. MLD is not required on inter-router links.
What Is IGMP? The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts, L3 switches, and routers) to report their IP multicast group memberships to any neighboring multicast routers. The Dell EMC Networking N-Series switch performs the multicast router role of the IGMP protocol, which means it collects the membership information needed by the active multicast routing protocol. IGMP is automatically enabled when PIM or DVMRP are enabled via the CLI.
What Is MLD? Multicast Listener Discovery (MLD) protocol enables IPv6 routers to discover the presence of multicast listeners, the hosts that wish to receive the multicast data packets, on its directly-attached interfaces. The protocol specifically discovers which multicast addresses are of interest to its neighboring nodes and provides this information to the active multicast routing protocol that makes decisions on the flow of multicast data packets.
Using PIM-SM as the Multicast Routing Protocol PIM-SM is used to efficiently route multicast traffic to multicast groups that may span wide area networks and where bandwidth is constrained. PIM-SM uses shared trees by default and implements source-based trees for efficiency. PIM-SM assumes that no hosts want the multicast traffic unless they specifically ask for it.
PIM-SM Protocol Operation This section describes the workings of PIM-SM protocol per RFC 4601. The protocol operates essentially in three phases, as explained in the following sections. Phase-1: RP Tree Figure 46-1. PIM-SM Shared Tree Join • In this example, an active receiver (attached to leaf router at the bottom of the drawing) has joined multicast group “G”.
Phase-2: Register Stop Figure 46-2. PIM-SM Sender Registration—Part 1 • As soon as an active source for group G sends a packet, the designated router (DR) that is attached to this source is responsible for “Registering” this source with the RP and requesting the RP to build a tree back to that router. • To do this, the source router encapsulates the multicast data from the source in a special PIM-SM message, called the Register message, and unicasts that data to the RP.
Figure 46-3. PIM-SM Sender Registration—Part 2 • As soon as the SPT is built from the Source router to the RP, multicast traffic begins to flow unencapsulated from source S to the RP. • Once this is complete, the RP Router will send a “Register Stop” message to the first-hop router to tell it to stop sending the encapsulated data to the RP.
Phase 3: Shortest Path Tree Figure 46-4. PIM-SM SPT—Part 1 • PIM-SM has the capability for last-hop routers (i.e., routers with directly connected group members) to switch to the Shortest-Path Tree and bypass the RP. This switchover is based upon an implementation-specific function called SwitchToSptDesired(S,G) in the standard and generally takes a number of seconds to switch to the SPT.
Figure 46-5. PIM-SM SPT—Part 2 • Finally, special (S, G) RP-bit Prune messages are sent up the Shared Tree to prune off this (S, G) traffic from the Shared Tree. If this were not done, (S, G) traffic would continue flowing down the Shared Tree resulting in duplicate (S, G) packets arriving at the receiver.
Figure 46-6. PIM-SM SPT—Part 3 • At this point, (S, G) traffic is now flowing directly from the first-hop router to the last-hop router and from there to the receiver.
Figure 46-7. PIM-SM SPT—Part 4 • At this point, the RP no longer needs the flow of (S, G) traffic since all branches of the Shared Tree (in this case there is only one) have pruned off the flow of (S, G) traffic. • As a result, the RP will send (S, G) Prunes back toward the source to shut off the flow of the now unnecessary (S, G) traffic to the RP. NOTE: This will occur if the RP has received an (S, G) RP-bit Prune on all interfaces on the Shared Tree.
Figure 46-8. PIM-SM SPT—Part 5 • As a result of the SPT-Switchover, (S, G) traffic is now flowing only from the first-hop router to the last-hop router and from there to the receiver. Notice that traffic is no longer flowing to the RP. The PIM standard requires support for multi-hop RP in that a router running PIM can act as an RP even if it is multiple router hops away from the multicast source.
• Limiting the number of packets sent to the RP by the first-hop router. When a multicast data source (S) starts sending data destined for a multicast group (G), the first-hop router receives these packets and traps them to its local CPU. A Dell EMC Networking first-hop router immediately blocks further data packets in the stream and prevents them from reaching the CPU.
leads to significantly faster response times for receiving the full multicast stream directly from the first-hop router (as opposed to the typical bandwidth-limited stream traversing the RP). Using PIM-DM as the Multicast Routing Protocol Unlike PIM-SM, PIM-DM creates source-based shortest-path distribution trees that make use of reverse-path forwarding (RPF). PIM-DM assumes that when a sender starts sending data, all downstream routers and hosts want to receive a multicast datagram.
NOTE: In addition to DVMRP, the switch supports the Protocol-Independent Multicast (PIM) sparse-mode (PIM-SM) and dense-mode (PIM-DM) routing protocols. Only one multicast routing protocol can be operational on the switch at any time. If you enable DVMRP, PIM must be disabled. Similarly, if PIM is enabled, DVMRP must be disabled. DVMRP exchanges probe packets with all of its DVMRP-enabled neighbor routers, establishes two-way neighbor relationships, and builds a neighbor table.
DVMRP is best suited for small networks where the majority of hosts request a given multicast traffic stream. DVMRP is similar to PIM-DM in that it floods multicast packets throughout the network and prunes branches where the multicast traffic is not desired. DVMRP was developed before PIM-DM, and it has several limitations that do not exist with PIM-DM. You might use DVMRP as the multicast routing protocol if it has already been widely deployed within the network.
Default L3 Multicast Values IP and IPv6 multicast is disabled by default. Table 46-2 shows the default values for L3 multicast and the multicast protocols. Table 46-2.
Configuring General IPv4 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the L3 multicast features that are not protocol-specific on Dell EMC Networking N3000-ON and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Multicast Interface Configuration Use the Interface Configuration page to configure the TTL threshold of a multicast interface. At least one VLAN routing interface must be configured on the switch before fields display on this page. To display the page, click IPv4 Multicast → Multicast → Interface Configuration in the navigation panel. Figure 46-10.
Multicast Route Table Use the Route Table page to view information about the multicast routes in the IPv4 multicast routing table. To display the page, click IPv4 Multicast → Multicast → Multicast Route Table in the navigation panel. Figure 46-11. Multicast Route Table
Multicast Admin Boundary Configuration The definition of an administratively scoped boundary is a way to stop the ingress and egress of multicast traffic for a given range of multicast addresses on a given routing interface. Use the Admin Boundary Configuration page to configure a new or existing administratively scoped boundary. To see this page, you must have configured a valid routing interface and multicast.
Multicast Admin Boundary Summary Use the Admin Boundary Summary page to display existing administratively scoped boundaries. To display the page, click IPv4 Multicast → Multicast → Admin Boundary Summary in the navigation panel. Figure 46-13. Multicast Admin Boundary Summary Multicast Static MRoute Configuration Use the Static MRoute Configuration page to configure a new static entry in the Mroute table or to modify an existing entry.
Multicast Static MRoute Summary Use the Static MRoute Summary page to display static routes and their configurations. To display the page, click IPv4 Multicast → Multicast → Static MRoute Summary in the navigation panel. Figure 46-15.
Configuring IPv6 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IPv6 multicast features that are not protocol-specific on Dell EMC Networking N3000-ON and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Configuring IGMP and IGMP Proxy (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IGMP and IGMP proxy features on Dell EMC Networking N3000-ON and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. IGMP Global Configuration Use the Global Configuration page to set IGMP on the system to active or inactive.
IGMP Interface Configuration Use the Interface Configuration page to configure and/or display router interface parameters. At least one valid routing interface must be configured before this page can be accessed to configure IP Multicast IGMP. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Interface Configuration in the navigation panel. Figure 46-18.
IGMP Interface Summary Use the Interface Summary page to display IGMP routing parameters and data. You must configure at least one IGMP router interface to access this page. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Interface Summary in the navigation panel. Figure 46-19. IGMP Interface Summary IGMP Cache Information Use the Cache Information page to display cache parameters and data for an IP multicast group address.
Figure 46-20. IGMP Cache Information IGMP Interface Source List Information Use the Source List Information page to display detailed membership information for an interface. Group membership reports must have been received on the selected interface for data to be displayed. To display the page, click IPv4 Multicast → IGMP → Routing Interface → Source List Information in the navigation panel. Figure 46-21.
IGMP Proxy Interface Configuration The IGMP Proxy is used by IGMP Router (IPv4 system) to enable the system to issue IGMP host messages on behalf of hosts that the system discovered through standard IGMP router interfaces. Thus, this feature acts as proxy to all hosts residing on its router interfaces. Use the Interface Configuration page to configure IGMP proxy for a VLAN interface.
IGMP Proxy Configuration Summary Use the Configuration Summary page to display proxy interface configurations by interface. You must have configured at least one VLAN routing interface before data displays on this page. To display the page, click IPv4 Multicast → IGMP → Proxy Interface → Configuration Summary in the navigation panel. Figure 46-23.
IGMP Proxy Interface Membership Info Use the Interface Membership Info page to display interface membership data for a specific IP multicast group address. At least one VLAN routing interface must be configured for this page to display interface membership information, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, no data displays on this page.
Detailed IGMP Proxy Interface Membership Information Use the Interface Membership Info Detailed page to display detailed interface membership data. At least one VLAN routing interface must be configured before detailed interface membership information can be displayed, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, then no data can be displayed.
Configuring MLD and MLD Proxy (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the MLD and MLD proxy features on Dell EMC Networking N3000-ON and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. MLD Global Configuration Use the Global Configuration page to administratively enable and disable the MLD service.
MLD Routing Interface Configuration Use the Interface Configuration page to enable selected IPv6 router interfaces to discover the presence of multicast listeners, the nodes that wish to receive the multicast data packets, on their directly attached interfaces. To access this page, click IPv6 Multicast → MLD → Routing Interface → Interface Configuration in the navigation panel. Figure 46-27.
MLD Routing Interface Summary Use the Interface Summary page to display information and statistics on a selected MLD-enabled interface. You must configure at least one IGMP VLAN routing interface to access this page. To access this page, click IPv6 Multicast → MLD → Routing Interface → Interface Summary in the navigation panel. Figure 46-28.
Figure 46-29. MLD Routing Interface Cache Information MLD Routing Interface Source List Information The Interface Source List Information page displays detailed membership information for an interface. You must configure at least one MLD VLAN routing interface to access this page. Also, group membership reports must have been received on the selected interface in order for data to be displayed here.
MLD Traffic The MLD Traffic page displays summary statistics on the MLD messages sent to and from the router. To access this page, click IPv6 Multicast → MLD → Routing Interface → MLD Traffic in the navigation panel. Figure 46-31.
MLD Proxy Configuration When you configure an interface in MLD proxy mode, it acts as a proxy multicast host that sends MLD membership reports on one VLAN interface for MLD Membership reports received on all other MLD-enabled VLAN routing interfaces. Use the Interface Configuration page to enable and disable ports as MLD proxy interfaces. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Interface Configuration in the navigation panel. Figure 46-32.
MLD Proxy Configuration Summary Use the Configuration Summary page to view configuration and statistics on MLD proxy-enabled interfaces. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Configuration Summary in the navigation panel. Figure 46-33.
MLD Proxy Interface Membership Information The Interface Membership Information page lists each IP multicast group for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Interface Membership Info in the navigation panel. Figure 46-34.
Detailed MLD Proxy Interface Membership Information The Interface Membership Information Detailed page provides additional information about the IP multicast groups for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast → MLD → Proxy Interface → Interface Membership Info Detailed in the navigation panel. Figure 46-35.
Configuring PIM for IPv4 and IPv6 (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring PIM-SM and PIM-DM for IPv4 and IPv6 multicast routing on Dell EMC Networking N3000-ON and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. NOTE: The OpenManage Switch Administrator pages for configuring IPv4 multicast routing and IPv6 multicast routing are very similar.
PIM Global Status Use the Global Status page to view the administrative status of PIM-DM or PIM-SM on the switch. To display the page, click IPv4 Multicast → PIM → Global Status or IPv6 Multicast → PIM → Global Status in the navigation panel. Figure 46-37.
PIM Interface Configuration Use the Interface Configuration page to configure specific VLAN routing interfaces with PIM. To display the page, click IPv4 Multicast → PIM → Interface Configuration or IPv6 Multicast → PIM → Interface Configuration in the navigation panel. Figure 46-38.
PIM Interface Summary Use the Interface Summary page to display a PIM-enabled VLAN routing interface and its settings. To display the page, click IPv4 Multicast → PIM → Interface Summary or IPv6 Multicast → PIM → Interface Summary in the navigation panel. Figure 46-39.
Candidate RP Configuration The Candidate RP is configured on the Add Candidate RP page. Use the Candidate RP Configuration page to display and delete the configured rendezvous points (RPs) for each port using PIM. To access the page, click IPv4 Multicast → PIM → Candidate RP Configuration or IPv6 Multicast → PIM → Candidate RP Configuration. Figure 46-40.
3 Select the VLAN interface for which the Candidate RP is to be configured.
4 Enter the group address transmitted in Candidate-RP-Advertisements.
5 Enter the prefix length transmitted in Candidate-RP-Advertisements to fully identify the scope of the group which the router supports if elected as a Rendezvous Point.
6 Click Apply Changes. The new Candidate RP is added, and the device is updated.
Static RP Configuration Use the Static RP Configuration page to display or remove the configured RP. The page also allows adding new static RPs by clicking the Add button. Only one RP address can be used at a time within a PIM domain. If the PIM domain uses the BSR to dynamically learn the RP, configuring a static RP is not required. However, the static RP can be configured to override any dynamically learned RP from the BSR.
Figure 46-43. Add Static RP
3 Enter the IP address of the RP for the group range.
4 Enter the group address of the RP.
5 Enter the group mask of the RP.
6 Check the Override option to configure the static RP to override the dynamic (candidate) RPs learned for the same group ranges.
7 Click Apply. The new Static RP is added, and the device is updated.
SSM Range Configuration Use this page to display or remove the Source Specific Multicast (SSM) group IP address and group mask for the PIM router. To display the page, click IPv4 Multicast → PIM → SSM Range Configuration or IPv6 Multicast → PIM → SSM Range Configuration. Figure 46-44. SSM Range Configuration Adding an SSM Range To add the Source-Specific Multicast (SSM) Group IP Address and Group Mask (IPv4) or Prefix Length (IPv6) for the PIM router:
1 Open the SSM Range Configuration page.
2 Click Add.
Figure 46-45. Add SSM Range
3 Click the Add Default SSM Range check box to add the default SSM Range. The default SSM Range is 232.0.0.0/8 for IPv4 multicast and ff3x::/32 for IPv6 multicast.
4 Enter the SSM Group IP Address.
5 Enter the SSM Group Mask (IPv4) or SSM Prefix Length (IPv6).
6 Click Apply. The new SSM Range is added, and the device is updated.
BSR Candidate Configuration Use this page to configure information to be used if the interface is selected as a bootstrap router. To display the page, click IPv4 Multicast → PIM → BSR Candidate Configuration or IPv6 Multicast → PIM → BSR Candidate Configuration. Figure 46-46.
BSR Candidate Summary Use this page to display information about the configured BSR candidates. To display this page, click IPv4 Multicast → PIM → BSR Candidate Summary or IPv6 Multicast → PIM → BSR Elected Summary. Figure 46-47.
Configuring DVMRP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DVMRP on Dell EMC Networking N3000-ON and N3100-ON Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. DVMRP Global Configuration Use the Global Configuration page to configure global DVMRP settings. It is strongly recommended that IGMP be enabled on any switch on which DVMRP is enabled.
DVMRP Interface Configuration Use the Interface Configuration page to configure a DVMRP VLAN routing interface. You must configure at least one router interface before you configure a DVMRP interface. Otherwise you see a message telling you that no router interfaces are available, and the configuration screen is not displayed. It is strongly recommended that IGMP be enabled on any interface on which DVMRP is enabled. This ensures that the multicast router behaves as expected.
DVMRP Configuration Summary Use the Configuration Summary page to display the DVMRP configuration and data for a selected interface. At least one VLAN routing interface must be configured before data can be displayed for a DVMRP interface. Otherwise, a message displays that no VLAN router interfaces are available, and the configuration summary screen is not displayed. To display the page, click IPv4 Multicast → DVMRP → Configuration Summary in the navigation panel. Figure 46-50.
DVMRP Next Hop Summary Use the Next Hop Summary page to display the next hop summary by Source IP. To display the page, click IPv4 Multicast → DVMRP → Next Hop Summary in the navigation panel. Figure 46-51.
DVMRP Prune Summary Use the Prune Summary page to display the prune summary by Group IP. To display the page, click IPv4 Multicast → DVMRP → Prune Summary in the navigation panel. Figure 46-52. DVMRP Prune Summary DVMRP Route Summary Use the Route Summary page to display the DVMRP route summary. To display the page, click IPv4 Multicast → DVMRP → Route Summary in the navigation panel. Figure 46-53.
Configuring L3 Multicast Features (CLI) This section provides information about the commands used for configuring general IPv4 multicast settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N2200-ON, and N3100-ON Series Switches CLI Reference Guide at www.dell.com/support.
Command Purpose
ip multicast ttl-threshold ttlvalue
    Apply a Time to Live (TTL) value to the VLAN interface. The ttlvalue is the TTL threshold which is applied to the multicast data packets forwarded through the interface.
exit
    Exit to Global Config mode.
exit
    Exit to Privileged Exec mode.
show ip multicast
    View system-wide multicast information.
show ip mcast boundary {vlan vlan-id | all}
    View all the configured administratively scoped multicast boundaries.
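The two per-interface filters in the table above, the TTL threshold (ip multicast ttl-threshold) and the administratively scoped boundary (ip mcast boundary, configured from the Admin Boundary Configuration page), are easier to reason about as a forwarding decision. The following Python model is an added example and is not Dell EMC code. The interface names, group addresses and packets are constructed; the TTL rule (a packet must carry a TTL greater than the interface threshold to be forwarded out of that interface) and the restriction of boundary ranges to the 239.0.0.0/8 administratively scoped block are assumptions of this example, not statements from the guide.

```python
# Added example (not Dell EMC code): a reference model of the per-interface
# multicast filters discussed in this chapter. Names, addresses and the exact
# TTL/boundary semantics below are assumptions for illustration.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# RFC 2365 administratively scoped IPv4 block (assumption: boundaries must lie inside it)
ADMIN_SCOPED = IPv4Network("239.0.0.0/8")


@dataclass
class MulticastInterface:
    """Per-VLAN-interface settings modelled on ip multicast ttl-threshold / ip mcast boundary."""
    name: str
    ttl_threshold: int = 1                      # assumption: a default threshold of 1
    boundaries: List[IPv4Network] = field(default_factory=list)

    def add_boundary(self, group_range: str) -> None:
        """Block a group range on this interface in both directions."""
        net = IPv4Network(group_range, strict=False)
        if not net.subnet_of(ADMIN_SCOPED):
            raise ValueError(f"{net} is not an administratively scoped range")
        self.boundaries.append(net)

    def boundary_for(self, group: str) -> Optional[IPv4Network]:
        """Return the configured boundary that covers `group`, if any."""
        addr = IPv4Address(group)
        for net in self.boundaries:
            if addr in net:
                return net
        return None


def multicast_decision(iface: MulticastInterface, direction: str, group: str, ttl: int) -> str:
    """Return 'forward' or 'drop:<reason>' for a packet to `group` crossing `iface`."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    if not IPv4Address(group).is_multicast:
        return "drop:not-multicast"
    # An administrative boundary stops the range on ingress and on egress.
    hit = iface.boundary_for(group)
    if hit is not None:
        return f"drop:boundary {hit}"
    # The TTL threshold applies to packets being forwarded out of the interface
    # (assumption: the packet TTL must exceed the threshold to leave).
    if direction == "egress" and ttl <= iface.ttl_threshold:
        return f"drop:ttl {ttl} <= threshold {iface.ttl_threshold}"
    return "forward"


Packet = Tuple[str, str, str, int]   # (interface, direction, group, ttl)


def demo() -> List[Tuple[Packet, str]]:
    """Constructed scenario: vlan10 faces the campus core, vlan20 is a site-local segment."""
    core = MulticastInterface("vlan10", ttl_threshold=16)
    core.add_boundary("239.255.0.0/16")          # site-local scope must not cross the core link
    site = MulticastInterface("vlan20")
    ifaces = {"vlan10": core, "vlan20": site}
    packets: List[Packet] = [
        ("vlan10", "egress", "239.255.1.1", 64),   # stopped by the boundary on the way out
        ("vlan10", "ingress", "239.255.1.1", 64),  # and on the way in
        ("vlan10", "egress", "239.9.1.1", 8),      # TTL too low for the core-facing threshold
        ("vlan10", "egress", "239.9.1.1", 64),     # forwarded
        ("vlan20", "egress", "239.255.1.1", 64),   # no boundary on the site interface
    ]
    return [(p, multicast_decision(ifaces[p[0]], p[1], p[2], p[3])) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in demo():
        print(pkt, "->", verdict)
```

The boundary check runs before the TTL check because a boundary is meant to contain a scope regardless of how far a packet could otherwise travel; the TTL threshold only limits how deep into the network a stream propagates.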
Configuring and Viewing IPv6 Multicast Route Information Use the following commands to configure static IPv6 multicast routes on the switch and to view IPv6 multicast table information.
Command Purpose
configure
    Enter global configuration mode.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
ip pim sparse-mode
    Enable PIM/IGMP. Multicast routing is not operationally enabled until IGMP or MLD is enabled.
Create a static multicast route for a source range.
Configuring and Viewing IGMP Use the following commands to configure IGMP on the switch and on VLAN routing interfaces and to view IGMP information.
Command Purpose
configure
    Enter global configuration mode.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
ip pim sparse-mode
    Enable PIM/IGMP on the switch. IGMP is implicitly enabled with PIM.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ip igmp version version
    Set the version of IGMP for an interface.
Command Purpose
ip igmp last-member-query-interval tenthsofseconds
    Configure the Maximum Response Time inserted in Group-Specific Queries which are sent in response to Leave Group messages. The range is 0–255 tenths of a second.
ip igmp last-member-query-count count
    Set the number of Group-Specific Queries sent before the router assumes that there are no local members on the interface. The range for count is 1–20.
CTRL + Z
    Exit to Privileged Exec mode.
show ip igmp
    View system-wide IGMP information.
Configuring and Viewing IGMP Proxy Use the following commands to configure the upstream VLAN routing interface as an IGMP proxy. The IGMP proxy issues host messages on behalf of the hosts that have been discovered on IGMP-enabled interfaces. The upstream interface is the interface closest to the root multicast router, which should be running IGMP. NOTE: Configure only the upstream interface as the IGMP proxy. IGMP should be enabled on all downstream interfaces.
Configuring and Viewing MLD Use the following commands to configure MLD on the switch and on VLAN routing interfaces and to view MLD information.
Command Purpose
configure
    Enter global configuration mode.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
ipv6 pim sparse-mode
    Enable PIM/MLD on the switch.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ipv6 mld version version
    Set the version of MLD for an interface. The version variable can be 1 or 2.
Command Purpose
show ipv6 mld interface stats [vlan vlan-id]
    View MLD statistics for all interfaces or for the specified interface.
show ipv6 mld groups [interface vlan vlan-id]
    View the registered multicast groups on the interface.
show ipv6 mld membership
    View the list of interfaces that have registered in any multicast group.
Configuring and Viewing MLD Proxy Use the following commands to configure the upstream VLAN routing interface as an MLD proxy.
Command Purpose
show ipv6 mld host-proxy interface
    View a detailed list of the host interface status parameters. This command displays information only when MLD Proxy is operational.
show ipv6 mld host-proxy groups
    View a table of information about multicast groups that MLD Proxy reported. This command displays information only when MLD Proxy is operational.
Configuring and Viewing PIM-DM for IPv6 Multicast Routing Use the following commands to configure PIM-DM for IPv6 multicast routing on the switch and on VLAN routing interfaces and to view PIM-DM information.
Command Purpose
configure
    Enter global configuration mode.
ipv6 unicast-routing
    Enable IPv6 routing. IPv6 routing is required for the operation of PIM.
ipv6 pim dense-mode
    Enable PIM-DM on the switch. Enabling IPv6 PIM enables MLD.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
Configuring and Viewing PIM-SM for IPv4 Multicast Routing Use the following commands to configure PIM-SM for IPv4 multicast routing on the switch and on VLAN routing interfaces and to view PIM-SM information.
Command Purpose
configure
    Enter global configuration mode.
ip routing
    Enable IP routing. Routing is required for PIM operation.
ip pim sparse-mode
    Enable PIM-SM as the multicast routing protocol on the switch. This command also enables IGMP.
Command Purpose
ip pim rp-candidate vlan vlan-id group-address group-mask [interval interval]
    Configure the router to advertise itself to the BSR router as a PIM candidate Rendezvous Point (RP) for a specific multicast group range.
    • vlan-id — A valid VLAN ID.
    • group-address — Group IP address supported by RP.
    • group-mask — Group subnet mask for group address.
    • interval — (Optional) Indicates the RP candidate advertisement interval. The range is from 1 to 16383 seconds.
Command Purpose
show ip pim interface vlan vlan-id
    View the PIM information for the specified interface.
show ip pim neighbor [interface vlan vlan-id | all]
    View a summary or all the details of the multicast table.
show ip pim rp-hash groupaddr
    View the RP router being selected for the specified multicast group address from the set of active RP routers. The RP router for the group is selected by using a hash algorithm.
Command Purpose
ipv6 pim bsr-candidate vlan vlan-id hash-mask-length [priority] [interval interval]
    Configure the switch to announce its candidacy as a bootstrap router (BSR).
    • vlan-id — A valid VLAN ID.
    • hash-mask-length — The length of a mask that is to be ANDed with the group address before the hash function is called. All groups with the same seed hash correspond to the same RP. For example, if this value is 24, only the first 24 bits of the group addresses matter.
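The effect of hash-mask-length described in the bullet above, and the hash-based RP choice that show ip pim rp-hash reports, can be reproduced with a few lines. The following Python example is added here and is not Dell EMC code; it implements the RP hash from RFC 4601 section 4.7.2 for IPv4 groups and the RFC's selection order (longest matching group range, then lowest priority value, then highest hash value, then highest RP address). The candidate RP addresses, their group ranges and the priority field (with 192 as the assumed default) are constructed for the example; the switch's actual hash implementation is not shown in this guide.

```python
# Added example (not Dell EMC code): RP selection for an IPv4 group with the
# RFC 4601 hash, showing why groups that share their leading hash-mask-length
# bits always map to the same RP. Candidate values below are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List


@dataclass(frozen=True)
class CandidateRP:
    """A candidate RP as it would be learned from the BSR (constructed data)."""
    address: str          # C(i) in RFC 4601
    group_range: str      # group prefix the RP is advertised for
    priority: int = 192   # lower wins; 192 assumed as the default


def rp_hash_value(group: str, hash_mask_length: int, rp_address: str) -> int:
    """Value(G, M, C(i)) from RFC 4601 section 4.7.2.

    M keeps only the leading hash_mask_length bits of G, so every group in the
    same hash_mask_length-bit prefix produces the same value for a given RP.
    """
    if not 0 <= hash_mask_length <= 32:
        raise ValueError("hash-mask-length must be 0..32")
    mask = (0xFFFFFFFF << (32 - hash_mask_length)) & 0xFFFFFFFF
    g = int(IPv4Address(group)) & mask
    c = int(IPv4Address(rp_address))
    inner = (1103515245 * g + 12345) ^ c
    return (1103515245 * inner + 12345) % (1 << 31)


def select_rp(group: str, candidates: List[CandidateRP], hash_mask_length: int) -> CandidateRP:
    """RFC 4601 RP choice: longest prefix, lowest priority, highest hash, highest address."""
    addr = IPv4Address(group)
    matching = [c for c in candidates if addr in IPv4Network(c.group_range)]
    if not matching:
        raise LookupError(f"no candidate RP covers {group}")
    best_len = max(IPv4Network(c.group_range).prefixlen for c in matching)
    matching = [c for c in matching if IPv4Network(c.group_range).prefixlen == best_len]
    best_pri = min(c.priority for c in matching)
    matching = [c for c in matching if c.priority == best_pri]
    return max(matching, key=lambda c: (rp_hash_value(group, hash_mask_length, c.address),
                                        int(IPv4Address(c.address))))


# Constructed candidate set: two RPs advertising the same range.
CANDIDATES = [
    CandidateRP("192.168.10.4", "239.9.0.0/16"),
    CandidateRP("192.168.20.4", "239.9.0.0/16"),
]


def rp_for_groups(groups: List[str], hash_mask_length: int) -> Dict[str, str]:
    """Map each group to the address of the RP selected for it."""
    return {g: select_rp(g, CANDIDATES, hash_mask_length).address for g in groups}


if __name__ == "__main__":
    groups = ["239.9.1.1", "239.9.1.200", "239.9.2.1"]
    # With a 24-bit mask the first two groups share a /24 and must land on one RP;
    # with a 32-bit mask every group is hashed individually.
    print("hash-mask-length 24:", rp_for_groups(groups, 24))
    print("hash-mask-length 32:", rp_for_groups(groups, 32))
```

A longer hash-mask-length spreads groups across the candidate RPs more evenly; a shorter one keeps whole prefixes on a single RP, which is what you want when related groups should share one tree.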
Command Purpose
ipv6 enable
    Enable IPv6 on the VLAN.
ipv6 pim hello-interval seconds
    Specify the number of seconds (range: 0–65535) to wait between sending PIM hello messages on the interface.
ipv6 pim bsr-border
    Prevent bootstrap router (BSR) messages from being sent or received through the interface.
ipv6 pim dr-priority priority
    Set the priority value for which a router is elected as the designated router (DR). The election priority range is 0–2147483647.
Configuring and Viewing DVMRP Information Use the following commands to configure DVMRP on the switch and on VLAN routing interfaces and to view DVMRP information.
Command Purpose
configure
    Enter global configuration mode.
ip dvmrp
    Enable DVMRP on the switch. This command also enables IGMP.
ip routing
    Enable IP routing on the switch. IP routing is required for DVMRP.
ip multicast-routing
    Enable IP multicast.
L3 Multicast Configuration Examples This section contains the following configuration examples: • Configuring Multicast VLAN Routing With IGMP and PIM-SM • Configuring DVMRP Configuring Multicast VLAN Routing With IGMP and PIM-SM This example describes how to configure a Dell EMC Networking N-Series switch with two VLAN routing interfaces that route IP multicast traffic between the VLANs. PIM and IGMP are enabled on the switch and interfaces to manage the multicast routing.
Figure 46-54. IPv4 Multicast VLAN Routing In addition to multicast configuration, this example includes commands to configure STP and OSPF on L3 Switch A. STP is configured on the ports that connect the switch to other switches. OSPF is configured to route unicast traffic between the VLANs, and PIM is enabled to route multicast traffic between the two VLANs. Since IGMP snooping is enabled by default on all VLANs, no commands to enable it appear in the example below.
console#configure
console(config)#vlan 10,20
console(config-vlan10,20)#exit
2 Configure ports 23 and 24 as trunk ports.
8 Globally enable IP multicast, IGMP, and PIM-SM on the switch.
console(config)#ip multicast-routing
console(config)#ip pim sparse-mode
9 Configure VLAN 10 as the RP and specify the range of multicast groups for PIM-SM to control. The 239.9.x.x address is chosen as it is a locally administered address that maps to MAC addresses that do not conflict with control plane protocols.
console(config)#ip pim rp-address 192.168.10.4 239.9.0.0 255.255.0.
Configuring DVMRP The following example configures two DVMRP interfaces on the switch to enable inter-VLAN multicast routing. To configure the switch:
1 Globally enable IP routing and IP multicast.
console#configure
console(config)#ip routing
console(config)#ip multicast-routing
2 Globally enable DVMRP and IGMP so that this L3 switch can manage group membership information for its directly-connected hosts.
47 Multiple Registration Protocol Dell EMC Networking N3000E-ON and N3100-ON Series Switches NOTE: Support for MMRP/MVRP is available on the N3100-ON and N3000E-ON models when utilizing the Advanced firmware. Overview Multiple Registration Protocol (MRP) is a suite of protocols for reserving resources in the network to facilitate configuration of the network. MRP uses the following protocols: • Multiple VLAN Registration Protocol (MVRP) — Replaces the role of GVRP in dynamic VLAN creation.
MRP propagates the attribute registrations throughout the AVB network. AVB network participants are aware of all other participants and their attribute registrations. VLAN bridges that do not support MRP forward received MRPDUs on all ports that are in forwarding state. MRP implements as many MRP Attribute Protocol (MAP) contexts as there are MSTP instances. Within each MAP context, one participant is created for each bridge port and for each MRP application (MMRP, MSRP or MVRP).
• The port where the request is received is dynamically added to the set of ports that participate in the requested VLAN. • For a bridge, the MVRP request is propagated to all other ports that are in the forwarding state in at least one instance of a Multiple Spanning Tree context. The port of a bridge that receives an MVRP request converts the Join Request into a Join Indication, and an MVRP attribute is registered on these ports.
This allows end stations that are sources of frames destined for a Group to suppress the transmission of such frames if their registered Group membership and Group service requirement information indicates that there are no valid recipients of those frames reachable via the networks to which they are attached.
console(config)#mvrp periodic state machine
console(config)#mmrp global
console(config)#mmrp periodic state machine
6 Use commands such as the following, among others, to verify the configuration and operation of the various protocols.
48 OpenFlow Dell EMC Networking N2000, N2100-ON, N2200-ON, N3000E-ON, N3100-ON Series Switches Dell EMC Networking OpenFlow Hybrid Overview The following acronyms are used in this chapter.
Table 48-1. OpenFlow Acronyms
Acronym Definition
ICAP
    Ingress Content Aware Processor. This is a hardware flow matching table. The term ICAP is used synonymously with IFP.
IFP
    Ingress Field Processor. The IFP is a hardware flow matching table.
OVS
    Open vSwitch
VCAP
    VLAN Content Aware Processor.
Dell EMC Networking partially supports the OpenFlow 1.0 and OpenFlow 1.3 standards. The Dell EMC Networking OpenFlow Hybrid switch contains OpenFlow agent version 2.3.0 from the Open vSwitch (OVS) project. The Open vSwitch code is licensed under the Apache 2 license. The OpenFlow agent has been validated with the Helium release of OpenDaylight (ODL). The OpenFlow 1.0 standard supports a single-table data forwarding path.
If the address is assigned automatically and the interface with the assigned address goes down, the switch selects another active interface if one is available. Dell EMC Networking OpenFlow Hybrid becomes operationally disabled and re-enabled when a new IP address is selected. If the address is assigned statically, the OpenFlow feature comes up only when a switch interface with the matching IP address becomes active. Automatic IP address selection is done in the following order of preference.
Interaction with OpenFlow Controllers Dell EMC Networking OpenFlow Hybrid implements a subset of the OpenFlow 1.0 protocol and a subset of the OpenFlow 1.3 protocol. Dell EMC Networking OpenFlow Hybrid also implements certain enhancements to the OpenFlow protocol to optimize it for the Data Center environment and to make it compatible with Open vSwitch. Dell EMC Networking OpenFlow Hybrid interacts with any OpenFlow controller that supports OpenFlow 1.0 or the OpenFlow 1.3 standards.
actions are automatically assumed to be OpenFlow ports, so the switch disables ingress and egress filtering on those ports and allows the ports to receive and transmit traffic for any VLAN. This change in the ingress and egress filtering behavior may affect how the switch handles non-OpenFlow traffic on those ports. 2 The switch supports only one bridge instance. 3 In OpenFlow 1.0 mode, the switch supports several backup OpenFlow controllers.
missing port and modifies the flow when the port becomes available. This behavior can cause a flow to be added with no egress ports, which causes packets matching the flow to be dropped. 10 When the switch loses connection to the OpenFlow controller it continues to forward traffic using the flows previously programmed by the controller. When the switch reconnects to the controller, it keeps using the previously programmed flows until the OpenFlow controller tells it otherwise.
Dell EMC Networking OpenFlow Hybrid adds flows into one of the following hardware tables: the VLAN Field Processor or the Ingress Field Processor. The Ingress Field Processor is subdivided into two different hardware tables: the "MAC Forwarding Table" and the "OpenFlow 1.0 Rule Table". The hardware table to which the flow is added depends on the flow table identifier specified in the OFPT_FLOW_MOD message. The flows are added, modified, and removed using the OFPT_FLOW_MOD message.
Table 48-2. Flow Table Identifiers (Continued)
ID | Usage | Description
25 | MAC Forwarding Table | IFP table containing multicast and unicast DA-MAC-based forwarding rules.
26–31 | Reserved | Unused
32–255 | Unsupported | The enhanced OpenFlow 1.0 protocol only supports table IDs 0 to 31.

When using multiple hardware tables, it is possible to set up the hardware so that, for example, the MAC Forwarding Table and OpenFlow 1.0 Rule Table match the same packet.
Refer to "Limitations, Restrictions, and Assumptions" on page 1693 for the list of known interferences. This section includes the following topics: • "OpenFlow 1.
OpenFlow 1.0 Rule Table The OpenFlow 1.0 rule table implements many of the OpenFlow match criteria and actions defined in the OpenFlow 1.0 standard. The table is implemented in the Ingress Field Processor using slices configured in the intra-slice double-wide mode. This means that the number of rules in each IFP slice is divided in half to provide the necessary rule width. The following sections describe the match criteria and actions supported by the OpenFlow 1.0 table. • OpenFlow 1.
Table 48-3. Supported OpenFlow Match Criteria (Continued) Match Field Description Ethernet Type The EtherType in Ethernet V2 tagged and untagged packets. VLAN ID The VLAN Identifier field in the VLAN header. The valid range for the VLAN ID is 1 to 4094. Note that all packets are classified into a VLAN when they are processed by the OpenFlow 1.0 classifier. The packets that entered the switch without a tag are assigned a VLAN either by the ingress port PVID or by the Source MAC VLAN Assignment Table.
Table 48-3. Supported OpenFlow Match Criteria (Continued) Match Field Description IP Destination Address The 4-byte IP destination address in IPv4 packets. Only packets with EtherType 0x0800 can match to the IP Destination Address field. The OpenFlow controller is not required to explicitly set up the Ethernet Type match field. The Ethernet Type field may be wildcarded and the switch can still match IPv4 packets. The switch supports subnet masking for the IP Destination Address.
• OpenFlow 1.0 Actions The switch supports single-port and multi-port forwarding actions as well as some optional packet modifications actions. Table 48-4 defines the supported and unsupported forwarding actions. Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions Forwarding Action Description Forward— Physical Port The switch can redirect traffic to one or more ports. A valid port can be a physical port or a LAG.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions (Continued) Forwarding Action Description Forward— NORMAL This is a supported forwarding action. "NORMAL" reserved port can be either the only action in the list, or can be specified along with the "CONTROLLER" port. No packet modifications are allowed when this action is specified. The packet is forwarded according to normal Layer-2 or Layer-3 tables.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions (Continued)
Forwarding Action | Description
Modify Field | The switch supports modifying certain fields in the packet. The feature can be used to give higher priority to certain packets by modifying the 802.1p and DSCP fields. The feature can also be used to implement policy-based routing. The packet modifications can be applied to both single-port and multi-port flows.
Source MAC VLAN Assignment Table The Source MAC VLAN Assignment table matches on SA MAC, VLAN, and Input Port. Dell EMC Networking OpenFlow Hybrid checks the 'wildcards' field in the ofp_match structure and returns an error if any of the bits other than OFPFW_IN_PORT, OFPFW_DL_VLAN, or OFPFW_DL_SRC are set to 0. If the OpenFlow Controller specifies an unsupported action, the switch rejects the flow with an error. Table 48-5.
MAC Forwarding Table
The MAC Forwarding table matches on DA MAC, SA MAC, VLAN, and Input Port. Dell EMC Networking OpenFlow Hybrid checks the 'wildcards' field in the ofp_match structure and returns an error if any of the bits other than OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, or OFPFW_DL_DST are set to 0. The special VLAN designator 0xFFFF, which indicates that an entry should match untagged traffic, cannot be used as a match criterion for the VLAN ID field dl_vlan. Table 48-6.
Table 48-6. MAC Forwarding Table Match Criteria (Continued)
Name: Local — Multicast
Description: Match on any MAC address with the multicast bit enabled. All other bits in the destination MAC are implicitly masked.
Match Criteria: dl_vlan — Valid VLAN ID; dl_dst — 01:00:00:00:00:00 (special MAC address); in_port — Valid physical port or LAG; dl_src — Wildcard
Actions: Action Type — OFPAT_OUTPUT (can be repeated) • port — Valid physical port or LAG.
Table 48-6. MAC Forwarding Table Match Criteria (Continued)
Name: Controller — VLAN
Description: Match traffic for a specific VLAN and send the packet to the OpenFlow Controller.
Match Criteria: dl_vlan — Valid VLAN ID; dl_dst — Wildcard; in_port — Wildcard; dl_src — Wildcard
Actions: Action Type — OFPAT_OUTPUT (can be specified only one time) • port — OFPP_CONTROLLER (0xfffd) • max_len — An integer from 0 to 9216.
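The wildcard and action rules stated for the Source MAC VLAN Assignment Table, the MAC Forwarding Table, and the NORMAL/CONTROLLER forwarding actions above can be applied on the controller side before a flow is sent, so that a rejected OFPT_FLOW_MOD shows up as a clear reason rather than as a terse switch error. The following is an added example, not code from the Dell EMC guide or from Open vSwitch. The OFPFW_*, OFPP_* and 0xFFFF values are the OpenFlow 1.0 protocol constants; the table masks, the function names, and the dictionary layout used for actions are this example's own assumptions.

```python
# OpenFlow 1.0 ofp_flow_wildcards bits: a SET bit means the field is wildcarded,
# a CLEARED bit means the flow matches on that field.
OFPFW_IN_PORT = 1 << 0
OFPFW_DL_VLAN = 1 << 1
OFPFW_DL_SRC = 1 << 2
OFPFW_DL_DST = 1 << 3
OFPFW_DL_TYPE = 1 << 4
OFPFW_NW_PROTO = 1 << 5
OFPFW_TP_SRC = 1 << 6
OFPFW_TP_DST = 1 << 7
OFPFW_NW_SRC_ALL = 32 << 8     # 6-bit prefix-length fields; >= 32 means fully wildcarded
OFPFW_NW_DST_ALL = 32 << 14
OFPFW_DL_VLAN_PCP = 1 << 20
OFPFW_NW_TOS = 1 << 21
OFPFW_ALL = (1 << 22) - 1

# OpenFlow 1.0 reserved port numbers and the "untagged" VLAN designator
OFPP_NORMAL = 0xfffa
OFPP_CONTROLLER = 0xfffd
OFP_VLAN_NONE = 0xffff

# Fields each hardware table may match on (bits that are allowed to be cleared).
# Example's own names; the field sets come from the table descriptions above.
SRC_MAC_VLAN_TABLE = OFPFW_IN_PORT | OFPFW_DL_VLAN | OFPFW_DL_SRC          # SA MAC, VLAN, in_port
MAC_FWD_TABLE = SRC_MAC_VLAN_TABLE | OFPFW_DL_DST                        # + DA MAC


def wildcards_matching(*match_bits):
    """Start from 'everything wildcarded' and clear the bits of the fields matched on."""
    wildcards = OFPFW_ALL
    for bit in match_bits:
        wildcards &= ~bit
    return wildcards


def check_wildcards(wildcards, allowed_match_bits):
    """None if the flow only matches on fields the table supports, else a reason string."""
    cleared = (~wildcards) & OFPFW_ALL
    unsupported = cleared & ~allowed_match_bits
    if unsupported:
        return "match on unsupported fields (wildcard bits 0x%06x)" % unsupported
    return None


def check_actions(actions):
    """actions: list of dicts such as {"type": "OUTPUT", "port": 5},
    {"type": "OUTPUT", "port": OFPP_CONTROLLER, "max_len": 128}, {"type": "SET_VLAN_ID", "vid": 10}.
    Returns the list of rule violations for the NORMAL and CONTROLLER reserved ports."""
    errors = []
    outputs = [a for a in actions if a["type"] == "OUTPUT"]
    ports = [a["port"] for a in outputs]
    modifications = [a["type"] for a in actions if a["type"] != "OUTPUT"]
    if OFPP_NORMAL in ports:
        others = [p for p in ports if p != OFPP_NORMAL]
        if others and others != [OFPP_CONTROLLER]:
            errors.append("NORMAL must be the only action or be paired only with CONTROLLER")
        if modifications:
            errors.append("no packet modifications allowed with NORMAL: %s" % ", ".join(modifications))
    for a in outputs:
        if a["port"] == OFPP_CONTROLLER and not 0 <= a.get("max_len", 0) <= 9216:
            errors.append("max_len %d is outside 0..9216" % a["max_len"])
    return errors


def validate_flow(wildcards, dl_vlan, actions, table):
    """Collect every reason the switch would reject this flow; [] means acceptable."""
    errors = []
    reason = check_wildcards(wildcards, table)
    if reason:
        errors.append(reason)
    # dl_vlan only matters when the VLAN field is actually matched on (bit cleared)
    if not wildcards & OFPFW_DL_VLAN and dl_vlan == OFP_VLAN_NONE:
        errors.append("0xFFFF (untagged designator) cannot be used as a dl_vlan match value")
    errors.extend(check_actions(actions))
    return errors


if __name__ == "__main__":
    # Constructed flow: match VLAN 100 + in_port + DA MAC, output to port 5
    w = wildcards_matching(OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_DST)
    print(validate_flow(w, 100, [{"type": "OUTPUT", "port": 5}], MAC_FWD_TABLE))
    print(validate_flow(w, 100, [{"type": "OUTPUT", "port": 5}], SRC_MAC_VLAN_TABLE))
```

The same `check_wildcards` call with `SRC_MAC_VLAN_TABLE` fails for a flow that matches on the destination MAC, because that table does not carry a DA MAC field; the MAC Forwarding Table accepts it.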
Flow Addition and Modification Error Messages If the switch detects a problem with a newly added flow, or is unable to add or modify a flow due to lack of hardware resources, the switch generates an error message in response to the ofproto_class Flow Put function and generates a syslog message with a text string representing the error type. Table 48-7 lists the syslog messages that can be generated by the switch in response to the flow modification requests.
Flow Status and Statistics The OpenFlow Controller uses the OFPT_STATS_REQUEST message with the type OFPST_FLOW to request flow status and statistics. The switch supports all flow match criteria in the OFPT_STATS_REQUEST defined by the OpenFlow 1.0 standard. The switch supports packet and byte counters for the OpenFlow 1.0 Rule Table and the MAC Forwarding Table. The OFPT_STATS_REPLY message includes the flow match criteria and actions. OpenFlow 1.
Flow Match Fields
The available match fields for Policy ACL Flow Table flow entry types are as described in the following tables.

Table 48-8. Policy ACL Flow Table Layer 2 Match Fields
Field | Bits | Maskable | Optional | Description or Prerequisite
IN_PORT | 32 | No | Yes | Physical or logical ingress port.
ETH_SRC | 48 | Yes | Yes | Ethernet source MAC
ETH_DST | 48 | Yes | Yes | Ethernet destination MAC
ETH_TYPE | 16 | No | Yes | Any value except 0x86dd.
Table 48-9. Policy ACL Flow Table IPv4 Match Fields (Continued)
Field | Bits | Maskable | Optional | Description or Prerequisite
VLAN_PCP | 3 | No | Yes | 802.1p priority field from VLAN tag. Always has a value; it is zero if the packet did not have a VLAN tag.
Table 48-10. Policy ACL Flow Table IPv6 Match Fields
Field | Bits | Maskable | Optional | Description
IN_PORT | 32 | No | Yes | Physical or logical ingress port.
ETH_SRC | 48 | Yes | Yes | Ethernet source MAC
ETH_DST | 48 | Yes | Yes | Ethernet destination MAC
ETH_TYPE | 16 | No | Yes | Must be 0x86dd
VLAN_VID | 16 | Yes | Yes | VLAN ID. Cannot be masked for a VLAN bridging rule that redirects to a different L2 output group. Only applicable to VLAN flow entry types.
VLAN_PCP | 3 | No | Yes | 802.
Table 48-10. Policy ACL Flow Table IPv6 Match Fields (Continued)
Field | Bits | Maskable | Optional | Description
TCP_DST | 16 | No | Yes | If EtherType = 0x86dd and IP_PROTO = 6
UDP_DST | 16 | No | Yes | If EtherType = 0x86dd and IP_PROTO = 17
SCTP_DST | 16 | No | Yes | If EtherType = 0x86dd and IP_PROTO = 132
ICMPv6_CODE | 8 | No | Yes | If EtherType = 0x86dd and IP_PROTO = 58

Notes:

The following table lists OpenFlow 1.3 match criteria that are NOT supported. Table 48-11.
Table 48-11. Match Criteria Not Supported (Continued)
Field | Description
IPV6_ND_TLL | Target link-layer for ND.
IPV6_EXTHDR | IPv6 Extension Header pseudo-field

Action Set
Actions
The Policy ACL Flow Table action set supports the actions listed in Table 48-12.

Table 48-12. Policy ACL Flow Table Flow Entry Action Set
Name | Argument | Description
Group | Group | Sets output group entry for processing the packet after this table.
Counters and Flow Expiration
The Policy ACL Flow Table counters are listed in Table 48-13.

Table 48-13. Policy ACL Flow Table Counters
Name | Bits | Type | Description
Active Entries | 32 | Table | Reference count of the number of active entries in the table.
Duration (sec) | 32 | Per-entry | Seconds since this flow entry was installed
Received Packets | 64 | Per-entry | Number of packets that hit this flow entry.
Received Bytes | 64 | Per-entry | Number of bytes that hit this flow entry.
Group Table
The group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding packets. Different types of groups are provided to represent different abstractions such as multicasting or multipathing. Each group is composed of a set of group buckets, and each group bucket contains the set of actions to be applied before forwarding to the port. Group buckets can also forward to other groups, enabling groups to be chained together.
• The “All” group type creates an IPMC replication group that points to one or more next hops. Depending on the SA/DA/VLAN modification actions, the next hops may be added to the IPMC group as routed or switched. (L3 Multicast group entry)
• The “Select” group type creates an ECMP group object which points to one or more next hops. (L3 ECMP group entry)
• The OpenFlow fast failover group type is unsupported.
The following sections provide additional details on each of these group types.
Table 48-15. Unicast Bucket Actions (Continued)
Field | Argument | Description
Set Field | MAC_DST | Write the next hop destination MAC. Optional.
Set Field | MAC_SRC | Write the source MAC corresponding to the L3 output interface. Optional.
Set Field | VLAN-id | Write the VLAN ID corresponding to the L3 output interface. Optional.
• Counters
The L3 Unicast group entry counters are as shown in Table 48-16. Table 48-16.
All (L3 Multicast) Group Type L3 Multicast group entries are of OpenFlow ALL type. The action buckets describe the interfaces to which multicast packet replicas are forwarded. Figure 48-2 illustrates L3 Multicast group entries. Figure 48-2. L3 Multicast Group Entry Usage IP multicast packets are forwarded differently depending on whether they are switched or routed. Packets must be switched in the VLAN in which they came, and cannot be output to IN_PORT.
For replication of IP packets, at least one of (MAC-Src, MAC-dest and VLAN-ID) should be valid. L2 multicast is supported. It is done using IPMC L2 replication when all of the (MAC-Src, MAC-dest, VLAN-ID) action bucket fields are left empty. So an "All (L3 Multicast) Group" can have a mix of buckets, some with L3 replication and some with L2 replication. To use L2 multicast, the user should not qualify the IP fields in the flow match criteria.
An L3 ECMP Group entry can be specified as a routing target instead of an L3 Unicast Group entry. Selection of an action bucket for forwarding a particular packet is hardware specific.
• Action Buckets
The action buckets contain the single value listed in Table 48-19.

Table 48-19. L3 ECMP Group Entry Bucket Actions
Field | Argument | Description
Group | Group-id | May chain to an L3 Unicast Group.
• Counters
The L3 ECMP group entry counters are as shown in Table 48-20. Table 48-20.
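The group-type rules spread over the preceding sections (fast failover unsupported; an "All" bucket with all of MAC-Src, MAC-dest and VLAN-ID empty is switched with L2 replication, otherwise routed; a "Select" bucket carries only a group id that chains to an L3 Unicast group) fit in a small consistency check that a controller application can run on a group table before pushing it. This is an added example, not code from the Dell EMC guide; the group dictionary layout, the "L3_UNICAST" label for the unicast group entry, and the function names are this example's own assumptions.

```python
# Group types the text says the switch accepts; OpenFlow fast failover is not among them.
SUPPORTED_TYPES = {"ALL", "SELECT", "L3_UNICAST"}


def all_bucket_mode(bucket):
    """Classify one bucket of an "All" (L3 multicast) group.
    All three of mac_src / mac_dst / vlan_id left empty -> replica is switched (L2 replication);
    at least one of them set -> replica is routed (L3 replication)."""
    fields = (bucket.get("mac_src"), bucket.get("mac_dst"), bucket.get("vlan_id"))
    return "L2" if all(f is None for f in fields) else "L3"


def replication_plan(group):
    """For an ALL group, list (output interface, replication mode) per bucket."""
    return [(b["port"], all_bucket_mode(b)) for b in group["buckets"]]


def validate_group_table(groups):
    """groups: {group_id: {"type": ..., "buckets": [bucket, ...]}}.
    Returns a list of problems; [] means the table is consistent with the rules above."""
    problems = []
    for gid, group in groups.items():
        gtype = group["type"]
        if gtype not in SUPPORTED_TYPES:
            problems.append("group %d: type %s is unsupported" % (gid, gtype))
            continue
        if gtype == "SELECT":
            # ECMP buckets carry exactly one value, a group id, chaining to an L3 Unicast entry
            for i, bucket in enumerate(group["buckets"]):
                target = groups.get(bucket.get("group"))
                if set(bucket) != {"group"} or target is None or target["type"] != "L3_UNICAST":
                    problems.append("group %d bucket %d: must contain only a group id "
                                    "that references an L3 Unicast group" % (gid, i))
        elif gtype == "ALL":
            # every replica needs an interface to be forwarded on
            for i, bucket in enumerate(group["buckets"]):
                if "port" not in bucket:
                    problems.append("group %d bucket %d: ALL bucket has no output interface" % (gid, i))
    return problems


# Constructed sample table: a unicast next hop, an ECMP group over it, a multicast group
# mixing routed and switched replicas, an unsupported fast-failover group, and an ECMP
# bucket that wrongly chains to the multicast group.
SAMPLE_GROUPS = {
    1: {"type": "L3_UNICAST", "buckets": [{"port": 5, "mac_dst": "00:11:22:33:44:55",
                                          "mac_src": "00:aa:bb:cc:dd:ee", "vlan_id": 10}]},
    2: {"type": "SELECT", "buckets": [{"group": 1}, {"group": 1}]},
    3: {"type": "ALL", "buckets": [{"port": 7, "vlan_id": 20, "mac_src": "00:aa:bb:cc:dd:ee",
                                    "mac_dst": "01:00:5e:01:01:01"},
                                   {"port": 8}]},
    4: {"type": "FF", "buckets": []},
    5: {"type": "SELECT", "buckets": [{"group": 3}]},
}

if __name__ == "__main__":
    for problem in validate_group_table(SAMPLE_GROUPS):
        print(problem)
    print(replication_plan(SAMPLE_GROUPS[3]))
```

Bucket 0 of group 3 is routed because it rewrites the MACs and VLAN; bucket 1 is switched in the ingress VLAN because none of those fields is set, which is the L2-multicast case the text describes.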
The desc field in the message contains port information. This field of type ofp_port contains the following elements: 1 port_no — Set to the MIB-2 ifIndex field for the port. 2 hw_addr — All ports in the switch have the same MAC address. The switch reports the lowest MAC assigned to the unit. This address is typically printed on the MAC address label on the switch. 3 name — A unit/slot/port designation for physical ports and LAGs. The LAGs are also identified with the symbolic name lag-.
The queue configuration reply message of type ofp_queue_get_config_reply includes an array of ofp_packet_queue structures. For each interface, the queues are numbered 0 to 7, with queue 7 representing the highest priority queue. The port queues do not have any queue properties. The OpenFlow Controller requests queue statistics using the OFPT_STATS_REQUEST message with type OFPST_QUEUE. Dell EMC Networking OpenFlow Hybrid reports the tx_bytes, tx_packets, and tx_errors statistics for each queue.
To accommodate the scenario where the Flow Controller removes many flows and quickly adds many new flows, the OpenFlow flow database is twice the size of the hardware database. The extra headroom provides enough space to buffer the new flows before the old flows are removed from the hardware. If the OpenFlow Controller adds a flow with the same match criteria as an existing flow, Dell EMC Networking OpenFlow Hybrid treats the new flow as a flow modification action.
Interaction between Flows and VLANs The OpenFlow Controller can add flows for any VLAN ID. The VLANs for which flows are added are created in the Dell EMC Networking OpenFlow Hybrid VLAN database as dynamic VLANs if they are not already configured on the switch. Learning is enabled on the dynamic VLAN. The switch never adds ports to OpenFlow dynamic VLANs, but instead disables ingress and egress filtering on the ports on which the OpenFlow flows are installed.
For the switch to receive the untagged traffic and map it to the appropriate VLAN, the OpenFlow controller can install a flow that maps the incoming MAC address to the VLAN. This is done with the flow type "Phase-1Untagged-MAC" and action OFPAT_SET_VLAN_ID (see "Source MAC VLAN Assignment Table" on page 1664).
If an unknown interface is used in the match criteria for a new flow, the flow is held in the application table until the interface is attached. Dell EMC Networking OpenFlow Hybrid does not generate any error for the flow. Once the interface is attached, the flow is added to the hardware. If the flow is already installed and the interface in the match criteria goes away, the flow is removed from the hardware.
Collect Port and Queue Status and Statistics The OpenFlow Controller can collect status and statistics for ports and queues. When ports are created, Dell EMC Networking OpenFlow Hybrid sends an OFPT_PORT_STATUS message to the OpenFlow Controller. The status message is triggered by creation of entries in the Physical Port Table. The same tables are used for reporting port status information. The port status is updated by a separate task that periodically polls the status for all physical ports.
OpenFlow Hybrid The operation of the OpenFlow switch in a network largely depends on the functionality of the OpenFlow controller. The OpenFlow feature is a powerful tool that enables the OpenFlow controller to forward packets in the network without regard to the Layer-2 forwarding database and the IPv4 routing tables. Refer to the OpenFlow Controller documentation to understand how the switch behaves in the customer network.
Interaction with Other Switch Functions The Dell EMC Networking OpenFlow Hybrid component interacts with multiple Dell EMC Networking switch components by either communicating with these components or sharing common resources with the components. The following sections describe these interactions. OpenSSL The OpenFlow component establishes SSL connections to the OpenFlow controllers and OpenFlow Managers.
LAGs When physical ports become LAG members, the flows installed by the OpenFlow Controller on these ports are removed from the hardware and the flows that are installed for the LAG are activated for the new LAG member port. The reverse action takes place when the ports are removed from the LAG. Ports The OpenFlow component installs flows in the hardware and removes flows from the hardware as ports become attached and detached or join and leave the LAG.
IP Routing, IP Multicast, and Layer-2 Multicast
The OpenFlow component uses the same hardware resources as the routing and IP multicast components. Namely, the OpenFlow component uses the Next-Hop entries and Multicast Group entries in the hardware. When these shared resources are exhausted, the Dell EMC Networking OpenFlow Hybrid feature gracefully handles the resulting out-of-resources errors.
Port Mirroring
The OpenFlow component is not active on probe ports.
Limitations, Restrictions, and Assumptions
The following OpenFlow features are not supported:
1 Flow installation in the MAC Forwarding table.
2 Uplink Rate Limiting, including the flow installation in the Uplink Rate Limiter Table, traffic rate control, the rate limiter table, and the rate limiter statistics.
3 OpenFlow functionality currently interoperates with the Open vSwitch command line utility ovs-ofctl 2.3.0. Higher versions may have interoperability issues.
OpenFlow Configuration Example
This example enables OpenFlow 1.3 on the switch and configures a connection to a controller at IPv4 address 172.16.0.3 over TCP port 3435 using no encryption on the out-of-band interface. This example presumes the out-of-band interface has obtained an IP address on the 172.16.0.X subnet.

console(config)#openflow
WARNING! OpenFlow does not operate on stack members. Enable OpenFlow on stand-alone switches only.
console(config-of-switch)#protocol-version 1.
49 Dell EMC Networking Python Support
Dell EMC Networking switches support installation and execution of Python applications. Python applications that are to be executed on the switch must be developed and tested offline to the maximum degree possible. The switch does not offer interactive shell access for development of Python scripts, nor does the Dell EMC Networking switch come with all of the normal Python “batteries included” modules. A list of the included packages is in the example below.
Copy the resulting file to the switch using the copy command with the application keyword. The application may be a single script, or it may be a collection of scripts in a compressed or uncompressed tarball. Applications are copied to the user-apps directory. If a single file is downloaded, the destination file name is the same as the source file name (if the optional destination file name is not given). If a tarball is downloaded, the original file names within the archive are retained.
console(config)#application install app
console(config)#show application

OpEN application table contains 2 entries.

Name             StartOnBoot  AutoRestart  CPU Sharing  Max Memory
---------------- -----------  -----------  -----------  ----------
SupportAssist    Yes          Yes          0            0
app              No           No           0            0

CAUTION: The application install command has an auto-restart parameter. Do NOT use this parameter while debugging or on any short-lived application. The switch does NOT limit restarts and attempts to restart a failed application immediately.
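Because the switch does not limit restarts, it is worth being able to see at a glance which installed applications have AutoRestart set. The following added example (not code from the Dell EMC guide) parses the `show application` table into records using the dashed separator line to locate the columns, then lists the applications that would be restarted automatically. The sample output is constructed to match the table shown above; the function names are this example's own.

```python
import re

# Constructed sample of the "show application" output shown above.
SAMPLE_SHOW_APPLICATION = """\
OpEN application table contains 2 entries.

Name             StartOnBoot  AutoRestart  CPU Sharing  Max Memory
---------------- -----------  -----------  -----------  ----------
SupportAssist    Yes          Yes          0            0
app              No           No           0            0
"""


def _column_spans(dash_line):
    """Character ranges of each run of dashes; these define the column boundaries."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", dash_line)]


def parse_show_application(text):
    """Turn the CLI table into a list of {column name: value} dicts.
    Header names such as "CPU Sharing" contain spaces, so columns are cut by the
    dash-line positions rather than by splitting on whitespace."""
    lines = text.splitlines()
    dash_idx = None
    for i, line in enumerate(lines):
        if "-" in line and re.fullmatch(r"[-\s]+", line):
            dash_idx = i
            break
    if dash_idx is None or dash_idx == 0:
        raise ValueError("no column separator line found")
    spans = _column_spans(lines[dash_idx])
    header = lines[dash_idx - 1]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in lines[dash_idx + 1:]:
        if not line.strip():
            continue
        rows.append({name: line[s:e].strip() for name, (s, e) in zip(names, spans)})
    return rows


def apps_with_auto_restart(rows):
    """Names of applications the switch will restart on failure without limit."""
    return [r["Name"] for r in rows if r.get("AutoRestart") == "Yes"]


if __name__ == "__main__":
    apps = parse_show_application(SAMPLE_SHOW_APPLICATION)
    print(apps)
    print("auto-restart:", apps_with_auto_restart(apps))
```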
OpEN OpENUtil OpEN_py Queue SimpleHTTPServer SimpleXMLRPCServer SocketServer StringIO UserDict UserList UserString _LWPCookieJar _MozillaCookieJar _OpEN __builtin__ __future__ _abcoll _ast _bisect _codecs _codecs_cn _codecs_hk _codecs_iso2022 _codecs_jp _codecs_kr _codecs_tw _collections _csv _ctypes _ctypes_test _elementtree _functools _heapq _hotshot _io _json _locale _lsprof _md5 _multibytecodec _multiprocessing _osx_support _pyio _random _sha _sha256 cProfile cStringIO calendar cgi cgitb chunk cm
_sha512 _socket _sre _ssl _strptime _struct _symtable _sysconfigdata _testcapi _threading_local _warnings _weakref _weakrefset abc aifc antigravity anydbm argparse array ast asynchat asyncore atexit audiodev functools future_builtins gc genericpath getopt getpass gettext glob grp gzip hashlib heapq hmac hotshot htmlentitydefs htmllib httplib ihooks imaplib imghdr imp importlib imputil inspect platform plistlib popen2 poplib posix posixfile posixpath pprint profile pstats pty pwd py_compile pyclbr pydoc py
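Since the switch ships only the modules in the list above and offers no interactive shell, the cheapest place to catch a missing dependency is offline, before the application is copied to the switch. The following added example (not code from the Dell EMC guide) walks a script's import statements with the standard `ast` module and reports any top-level module that is not in a known-available set. The set below is a constructed subset of the list above plus `sys` and `telnetlib`, which the guide's own telnet script imports; extend it from the full list for real use. The sample application text and the function names are this example's own.

```python
import ast

# Constructed subset of the modules the guide lists as present on the switch
# (plus sys and telnetlib, used by the guide's telnet script). Extend from the full list.
SWITCH_MODULES = {
    "OpEN", "OpENUtil", "OpEN_py", "Queue", "SimpleHTTPServer", "SimpleXMLRPCServer",
    "SocketServer", "StringIO", "abc", "anydbm", "argparse", "array", "ast", "asynchat",
    "asyncore", "atexit", "calendar", "cgi", "cProfile", "cStringIO", "functools", "gc",
    "getopt", "getpass", "gettext", "glob", "grp", "gzip", "hashlib", "heapq", "hmac",
    "httplib", "imaplib", "imp", "importlib", "inspect", "platform", "poplib", "posixpath",
    "pprint", "profile", "pstats", "pwd", "pydoc", "sys", "telnetlib",
}


def imported_modules(source):
    """Top-level module names imported anywhere in the source ("import a.b" -> "a").
    Relative imports refer to the application's own package and are ignored.
    ast.parse must accept the script's syntax, so run this checker under the
    same major Python version the script is written for."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.level == 0:
                names.add(node.module.split(".")[0])
    return names


def missing_modules(source, available=SWITCH_MODULES):
    """Sorted list of imported modules that are not in the known-available set."""
    return sorted(imported_modules(source) - set(available))


# Constructed sample application; requests and paramiko are not on the switch's list.
SAMPLE_APP = '''
import sys, telnetlib
import hashlib
import requests
from paramiko import SSHClient
from . import helpers   # relative import: part of the app itself, not checked

def main():
    print(hashlib.sha256(b"status").hexdigest())
'''

if __name__ == "__main__":
    print("not available on the switch:", missing_modules(SAMPLE_APP))
```

Absence from the set only means the module is not in the known list; a module that the switch does provide but that the list above does not show (several C-level modules appear only with a leading underscore) will be reported until it is added to the set.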
import sys
import telnetlib   # needed by main() below; the module is on the switch's list

HOST = '127.0.0.1'
PORT = 23
LOGIN_STRING = "Login:"
PASSWORD_STRING = "Password:"
TERMINAL_LEN_ZERO = "terminal length 0\n"
TERMINAL_MONITOR = "terminal monitor\n"
ENABLE_STRING = "enable\n"
CONFIG_STRING = "configure\n"
USERNAME = 'admin'
PASSWORD = 'password'
ENABLE_PASSWORD = ''
TIMEOUT = 3

def do_terminal_settings(tn):
    # Enable log output on the session and disable paging so prompts are reliable
    tn.write(TERMINAL_MONITOR)
    tn.read_until("#")
    tn.write(TERMINAL_LEN_ZERO)
    tn.read_until("#")

def do_login(tn):
    print "TN object created\n"
    tn.

def main():
    telnet = telnetlib.Telnet(HOST,PORT)
    do_login(telnet)
    do_terminal_settings(telnet)
    do_config(telnet)
    telnet.close()
    sys.
A Appendix The topics covered in this appendix include: • Feature Limits and Platform Constants • System Process Definitions • SupportAssist Feature Limits and Platform Constants Table A-1 lists the feature limits and Table A-2 lists the platform constants for the Dell EMC Networking N-Series switches. Certain platform constants may be adjusted by selecting a different SDM template. For example, the Dell EMC Networking N3000E-ON Series switches support 16-wide ECMP using a non-default template.
Table A-1.
Table A-1. Feature Limits (Continued)
Feature | N1100-ON Series | N1500 Series | N2000/N2100-ON/N2200-ON Series | N3000-ON/N3100-ON Series
802.
Table A-1. Feature Limits (Continued)
Feature | N1100-ON Series | N1500 Series | N2000/N2100-ON/N2200-ON Series | N3000-ON/N3100-ON Series
Stacking features
Max physical units per stack | 4 | 4 | 8/12 | 12
Max physical slots per unit | 1 | 1 | 3 | 3
Max physical ports per slot | 52 | 52 | 52 | 52
Max physical ports per unit | 56 | 56 | 56 | 56
Max physical ports per stack | 224 | 224 | 424/636 | 448/672
Max active stack ports per unit | 4 | 4 | 2 | 2
Table A-2.
Table A-2. Platform Constants (Continued)
Feature | N1100-ON Series | N1500 Series | N2000/N2100-ON/N2200-ON Series | N3000-ON/N3100-ON Series
Number of VLANs 512 512 4096 4096 4093 4093 4093 4093 7 7 7 7 1152 1152 1696/1696/2496 2496 32 32 64 64 Number of LAGs (max.
System Process Definitions The following process/thread definitions are intended to assist the end user in troubleshooting switch issues. Only the most often seen threads/processes are listed here. Other processes or threads may be seen occasionally but are not a cause for concern. Table A-3. System Process Definitions Name Task Summary aclClusterTask ACL tasks aclEventTask aclLogTask ARP Timer ARP tasks autoInstTask Auto Install task - USB, etc.
Table A-3. System Process Definitions (Continued) Name Task Summary Dot1s transport task Spanning Tree tasks dot1s_helper_task dot1s_task dot1s_timer_task dot1xTask 802.
Table A-3. System Process Definitions (Continued) Name Task Summary hapiBpduTxTask High Level API - SDK Integration Layer hapiL2AsyncTask hapiL2FlushTask hapiL3AsyncTask hapiLinkStatusTask hapiMcAsyncTask hapiRxTask hapiTxTask hpcBroadRpcTask SDK Remote messaging task.
Table A-3. System Process Definitions (Continued) Name Task Summary simPts_task System Interface Manager (time zone, system name, service port config, file transfers, ...
Table A-3. System Process Definitions (Continued) Name Task Summary TransferTask TFTP Processing trapTask Trap handler tRipTask RIP Routing tRtrDiscProcessingTask Router Discovery packet processing usbFlashDriveTask USB Flash driver processing umCfgUpdateTask Stack Management: Unit Manager tasks umWorkerTask unitMgrTask USL Worker Task USL Message processing (primarily MAC address table CLI commands) UtilTask Mgmt.
SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 6.3 or later and the SupportAssist Package to be installed on the Dell EMC Networking device. SupportAssist is enabled by default on all Dell EMC Networking switches.
SupportAssist operates by periodically reporting switch identity (service tag and serial number), configuration, logs, status, and diagnostic information to an external SupportAssist server operated by Dell, Inc. Information is logged periodically on the SupportAssist server. It is recommended that Dell EMC Networking customers utilizing SupportAssist configure the appropriate contact information using the contact-person and contact-company commands in Support-Assist Configuration mode.
of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity. If you do not consent to the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist.
Index Numerics 802.x - see IEEE802.x for all related standards A AAA, 253 access lines, 257 access profiles, 66 accounting, 315 ACLs Auto-VoIP usage, 1554 binding configuration, 704 CLI configuration, 707 configuration steps, 682 counters, 673 defined, 671 examples, 722 iSCSI usage, 623 limitations, 677 logging, 676 preventing false matches, 682 supported types, 71 time based, 71 web-based configuration, 693 ACLs. See also IP ACL, IPv6 ACL, and MAC ACL. active images, 522 address table.
configuration file, 551 image, 550 IP address, obtaining, 548 example, 559 files, managing, 554 IP address lookup, 545 MAC address lookup, 545 setup file, 547 stopping, 554 using a USB device, 559 web-based configuration, 557 auto image download DHCP, 560 USB, 559 auto install. See auto configuration.
bridge multicast group table, 938 bridge table, 1117 broadcast storm control. See storm control.
N1500, 121 N2000, 130 copy, files, 528 CoS CLI configuration, 1537 configuration example, 1541 defaults, 1529 defined, 1525 iSCSI and, 622 queue management methods, 1528 traffic queues, 1527 traffic shaping, 1526 trusted mode ports, 1526 untrusted mode ports, 1526 web-based configuration, 1531 D DAI defaults, 1016 optional features, 1015 purpose, 1016 understanding, 1015 data center DHCP snooping and, 1041 NSF and, 245 SDM template, 433 date, setting, 463 daylight saving time, 432 DCBx, 91 default gateway,
web-based configuration, 1129 DHCP snooping, 72, 1127 bindings database, 1011 defaults, 1016 example, 1041 logging, 1012 purpose, 1016 understanding, 1010 VLANs, 1012 DHCPv6, 1467 client, 1449-1450 defined, 103 examples, 1484 pool, 1468 pool configuration for stateless server support, 1479 prefix delegation, 1468 relay agent, configuring, 1485 relay agent, understanding, 1468 stateless server configuring, 1484 stateless server, understanding, 1468 understanding, 1467 DHCPv6 relay CLI configuration, 1479 def
dynamic VLAN creation, 351 E EAP statistics, 581 eBGP, 1362 ECMP with BGP, 1374 email alerting, 428 log messages, 423 statistics, 416 enable authentication, 259 Energy Detect mode, 74, 632 Energy Efficient Ethernet, 74 energy savings, port, 632 EqualLogic and iSCSI, 624 error messages, CLI, 183 error-disabled state, 68 Etherlike statistics, 579 EtherType numbers, common, 683 exec authorization, 302 file management, 61 CLI, 529 considerations, 517 copying, 528 purpose, 513 supported protocols, 516 web-base
G GARP, 93, 932 general mode switchport configuration, 661 GMRP, 932 green Ethernet, 632, 638 asset tag, 431 system contact, 431 system location, 431 system name, 431 IDSP defaults, 883 head of line blocking prevention, 87 IEEE 802.1ag administrator, 985 carrier network, 982, 1003 configuration (CLI), 995 configuration (web), 987 defaults, 986 defining domains and ports, 985 example, 998 MEPs and MIPs, 983 troubleshooting tasks, 986 understanding, 981, 1002 health, system, 402 IEEE 802.
IEEE 802.3x. See flow control.
flow detection, 622 information tracking, 623 servers and a disk array, 628 understanding, 621 using, 621 web-based configuration, 626 web-based configuration, 1581 IPv4 routing template, 433 IPv6 ACL configuration, 701 compared to IPv4, 1440 DHCP client, 1449-1450 DHCPv6, 103 interface configuration, 1440 management, 60 OSPFv3, 103 routes, 103 static reject and discard routes, 1462 tunnel, 102 ISDP CDP and, 63 CLI configuration, 897 configuring, 898 enabling, 898 example, 902 understanding, 881 web-based
MLAG, 98 purpose, 1046 static and dynamic, 1046 statistics, 595 STP and, 1048 threshold, minimum links, 1056 understanding, 1045 web-based configuration, 1050 languages, captive portal, 360 LED 100/1000/10000Base-T port, 124, 133, 160 SFP port, 124, 133, 160 system, 114, 125, 134, 143, 154, 162 link aggregation group. See LAG.
M mirroring, flow-based, 1503 MAC ACL understanding, 673 MLAG, 98, 1063 MAC address table and port security, 1014 contents, 1118 defaults, 1118 defined, 1117 dynamic, 1121 managing, CLI, 1122 populating, 1117 stacking, 1118 web-based management, 1119 MAC multicast support, 105 MAC port locking, 665 MAC-based VLAN, 748 mail server adding, 414 configuring, 422 email alert, 413 management access control using TACACS+, 274 in-band and out-of-band, 191 MD5, 436 MDI/MDIX, auto, 87 MEP, configuring, 996 MIB, S
IGMP snooping, 105 IPv6, 1587 layer 2, 105 configuring (CLI), 968 configuring (web), 937 defaults, 935 understanding, 925 when to use, 932 layer 3, 107 configuring (CLI), 1622 configuring general features (web), 1581 defaults, 1579 examples, 1638 understanding, 1559 when to use, 1562 MAC layer, 105 MLD snooping, 106 protocols roles, 1562 supported, 1561 VLAN Routing with IGMP and PIM-SM, 1638 multicast bridging, 926, 968 multicast routing table, 1563 multicast snooping, 976 multicast VLAN registration, 106,
OOB port IP address, 206 ONIE, 138 OOB port, 195 DHCP client, 204 OpenManage Switch Administrator, about, 169 optical transceiver diagnostics, 406 OSPF, 100 areas, 1220 border router, 1286 CLI configuration, 1264 defaults, 1228 difference from OSPFv3, 1221 examples, 1286 flood blocking, 1226, 1303 LSA pacing, 1225 NSSA, 1289 static area range cost, 1224, 1298 stub area, 1289 stub routers, 1222 topology, 1220 trap flags, 491 understanding, 1220 web-based configuration, 1231 OSPFv3, 103 CLI configuration, 12
CLI configuration, 652 web-based configuration, 642 configuration examples, 656 configuring multiple, 643 defaults, 640 defined, 631 device view features, 174 locking, 665 power saving, 638 protected, 72, 916, 920 statistics, 594 traffic control, 907 USB N1500, 122 N2000, 130 port control, 333 port fast, STP, 836 port-based VLAN, 748 port-channel. See LAG.
supported attributes, 271 understanding, 269 RAM log, 408 real-time clock, 432 redirect, ACL, 675 relay agent DHCP, 1191 relay agent, DHCPv6, 1468 remote logging, 421 RIP, 101 CLI configuration, 1325 defaults, 1319 determining route information, 1317 example, 1329 supported versions, 1318 understanding, 1317 web-based configuration, 1320 RMON, 63 CLI management, 598 defaults, 573 example, 611 understanding, 566 web-based configuration, 574 route reflection, 1405 BGP, 1384 router discovery, 101, 1168 router,
understanding, 433 security port-based CLI configuration, 336 defaults, 330, 665 examples, 342 web-based configuration, 331 setup file format, auto configuration, 547 sFlow, 62 CLI management, 598 defaults, 573 example, 609 understanding, 563 web-based management, 574 SFP port LEDs N1500, 124 N2000, 133 N3000E-ON, 160 SFTP, managing files, 534 slots, 437 SNMP CLI configuration, 495 defaults, 475 examples, 504 MIB, 473 purpose, 475 traps, 474 understanding, 473 uploading files, 520 web-based configuration, 4
file management, 520 firmware synchronization, 223 firmware update, 223 MAC address table, 1118 MAC addresses, 227 NSF and, 65 NSF usage scenario, 241 preconfiguration, 243 purpose, 228 removing a switch, 222 standby, 223 web-based configuration, 230 static reject route, 1150 statistics Etherlike, 579 IPv6, 1447 storage arrays and iSCSI, 624 storage arrays, Compellent, 624 storm control configuring, 919 default, 912 example, 922 understanding, 908 STP classic, 829 CLI configuration, 866 defaults, 850 define
configuration options, 67 connecting to the switch, 178 TFTP, image download, 530 tiered authentication, 260 time management, 58 setting in system, 472 time zone, 451 uploading files, 526 USB auto configuration example, 559 files, 544-545 understanding, 544 USB flash drive, example, 541 time domain reflectometry, 405 USB port N1500, 122 N2000, 130 time range, 720 user security model, SNMP, 474 time-based ACLs, 676 users authenticated, 333 captive portal, 371 IAS database, 329 traffic monitoring, 563
guest, 93, 326, 350-351 IP subnet-based, 92 MAC-based, 92, 748 port-based, 92, 748 private, 757, 813 protocol-based, 92, 748 RADIUS-assigned, 351 routing, 99 routing interfaces, 1175, 1187 static, 748 support, 92 switchport modes, 639 trunk port, 658 understanding, 745 voice, 93, 754 voice traffic, 752 voice, example, 801 voice, understanding, 751 web-based configuration, 766 VLAN priority tag and iSCSI, 623 VLAN routing, 1175, 1178 VLAN tagging, 748 voice traffic, identifying, 752 sharing routes and ARP e
Index