Dell Networking Configuration Guide for the C9000 Series Version 9.9(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide................................................................................................. 36 Audience..............................................................................................................................................36 Conventions........................................................................................................................................ 36 Related Documents...............................................................
Upgrading the Dell Networking OS....................................................................................................59 4 Switch Management.......................................................................................... 60 Configuring Privilege Levels............................................................................................................... 60 Creating a Custom Privilege Level.......................................................................................
Using Telnet to Access Another Network Device..............................................................................79 Lock CONFIGURATION Mode........................................................................................................... 80 Viewing the Configuration Lock Status........................................................................................ 81 Recovering from a Forgotten Password ......................................................................................
MAB in Single-host and Multi-Host Mode..................................................................................114 MAB in Multi-Supplicant Authentication Mode.......................................................................... 114 Configuring MAC Authentication Bypass....................................................................................115 Dynamic CoS with 802.1X.................................................................................................................
Configure a Route Map for Route Tagging................................................................................150 Continue Clause..........................................................................................................................150 Configuring a UDF ACL.....................................................................................................................150 Hot-Lock Behavior.........................................................................................
AS Number Migration.................................................................................................................. 192 BGP4 Management Information Base (MIB).............................................................................. 194 Important Points to Remember..................................................................................................194 Configuration Information..................................................................................................
Sample Configurations..................................................................................................................... 234 9 Content Addressable Memory (CAM)...........................................................244 CAM Allocation................................................................................................................................. 244 Test CAM Usage.............................................................................................................
DCB Map: Configuration Procedure.......................................................................................... 279 Important Points to Remember..................................................................................................279 Applying a DCB Map on a Port...................................................................................................280 Configuring PFC without a DCB Map.........................................................................................
Offline Diagnostics............................................................................................................................319 Running Port Extender Offline Diagnostics on the Switch........................................................319 Running Offline Diagnostics on a Standalone Switch...............................................................326 TRACE Logs...........................................................................................................................
Configure Secure DHCP...................................................................................................................378 Option 82.................................................................................................................................... 379 DHCP Snooping.......................................................................................................................... 379 Drop DHCP Packets on Snooped VLANs Only...............................................
Displaying FIP Snooping Information.............................................................................................. 402 FCoE Transit Configuration Example.............................................................................................. 408 16 FIPS Cryptography......................................................................................... 410 Configuration Tasks...............................................................................................................
19 GARP VLAN Registration Protocol (GVRP)................................................ 433 Important Points to Remember....................................................................................................... 433 Configure GVRP................................................................................................................................434 Related Configuration Tasks......................................................................................................
Viewing IGMP Groups.......................................................................................................................453 Enabling IGMP Immediate-Leave.....................................................................................................453 IGMP Snooping................................................................................................................................. 453 IGMP Snooping Implementation Information.................................................
10/40 Gbps Interfaces in Port Channels....................................................................................479 Configuration Tasks for Port Channel Interfaces......................................................................480 Creating a Port Channel.............................................................................................................480 Adding a Physical Interface to a Port Channel..........................................................................
Configuring IPSec ............................................................................................................................508 24 IPv4 Routing................................................................................................... 509 IP Addresses......................................................................................................................................509 Implementation Information......................................................................
IPv6 Neighbor Discovery of MTU Packets..................................................................................531 Configuring the IPv6 Recursive DNS Server...............................................................................531 Secure Shell (SSH) Over an IPv6 Transport......................................................................................533 Configuration Tasks for IPv6.........................................................................................................
27 iSCSI Optimization.........................................................................................568 iSCSI Optimization Overview........................................................................................................... 568 Default iSCSI Optimization Values................................................................................................... 570 iSCSI Optimization Prerequisites..........................................................................................
mac learning-limit no-station-move......................................................................................... 597 Learning Limit Violation Actions.................................................................................................597 Setting Station Move Violation Actions......................................................................................598 Recovering from Learning Limit and Station Move Violations..................................................
Configure Multicast Source Discovery Protocol............................................................................. 634 Related Configuration Tasks...................................................................................................... 634 Enable MSDP.....................................................................................................................................638 Manage the Source-Active Cache.........................................................................
Router 1 Running-ConfigurationRouter 2 Running-ConfigurationRouter 3 RunningConfigurationExample Running-Configuration........................................................................ 668 Debugging and Verifying MSTP Configurations...............................................................................671 33 Multicast Features..........................................................................................674 Enabling IP Multicast......................................................
Setting OSPF Adjacency with Cisco Routers............................................................................. 703 Configuration Information............................................................................................................... 704 Configuration Task List for OSPFv2 (OSPF for IPv4)..................................................................704 Sample Configurations for OSPFv2................................................................................................
Send Multicast Traffic..................................................................................................................745 Configuring PIM-SSM....................................................................................................................... 746 Related Configuration Tasks.......................................................................................................746 Enable PIM-SM..................................................................................
Manually Upgrading the OS Image.............................................................................................779 De-provisioning a Port Extender...................................................................................................... 781 Troubleshooting a Port Extender..................................................................................................... 781 Supported Features...........................................................................................
Determining the Affect of a Port on the Power Budget............................................................ 811 Managing Power Priorities.......................................................................................................... 812 Configuring Power Management on the PE — Class and Static Mode.................................... 812 Allocate PoE Power to Powered Devices to a Connected PE Interface...................................
Create Policy Maps..................................................................................................................... 852 DSCP Color Maps............................................................................................................................. 856 Creating a DSCP Color Map....................................................................................................... 856 Displaying DSCP Color Maps....................................................................
48 Rapid Spanning Tree Protocol (RSTP)....................................................... 888 Protocol Overview............................................................................................................................888 Configuring Rapid Spanning Tree....................................................................................................888 Related Configuration Tasks......................................................................................................
Configuring When to Re-generate an SSH Key ........................................................................930 Configuring the SSH Server Cipher List......................................................................................931 Configuring the HMAC Algorithm for the SSH Server............................................................... 931 Configuring the SSH Server Cipher List.....................................................................................
sFlow Show Commands................................................................................................................... 957 Displaying Show sFlow Global................................................................................................... 958 Displaying Show sFlow on an Interface..................................................................................... 958 Displaying Show sFlow on a Line Card..............................................................................
Managing Overload on Startup........................................................................................................984 Enabling and Disabling a Port using SNMP......................................................................................985 Fetch Dynamic MAC Entries using SNMP........................................................................................985 Deriving Interface Indices............................................................................................
Time and Date................................................................................................................................. 1015 Configuration Task List .............................................................................................................1015 Setting the Time and Date for the Switch Software Clock......................................................1015 Setting the Timezone............................................................................................
60 VLT Proxy Gateway..................................................................................... 1043 Proxy Gateway in VLT Domains..................................................................................................... 1043 Guidelines for Enabling the VLT Proxy Gateway..................................................................... 1044 Enabling the VLT Proxy Gateway.............................................................................................
VLT and IGMP Snooping.................................................................................................................1073 VLT and Stacking.............................................................................................................................1073 VLT IPv6...........................................................................................................................................1073 VLT Port Delayed Restoration...............................................
Associating the VLT LAG or VLT VLAN in a PVLAN.................................................................. 1107 Proxy ARP Capability on VLT Peer Nodes...................................................................................... 1108 Working of Proxy ARP for VLT Peer Nodes..............................................................................1108 VLT Nodes as Rendezvous Points for Multicast Resiliency...........................................................
1 About this Guide This Configuration guide provides information about how to use and configure the software features supported in the Dell Networking operating system (OS) on a C9010 switch and C1048P port extender. You can configure each feature by entering commands from the C9010 console. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
Configuration Fundamentals 2 The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell Networking OS CLI is divided into three major mode levels: • • • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
MAC ACCESS-LIST LINE AUXILLIARY CONSOLE VIRTUAL TERMINAL LLDP LLDP MANAGEMENT INTERFACE MONITOR SESSION MULTIPLE SPANNING TREE OPENFLOW INSTANCE PVST PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP GRUB Navigating CLI Modes The Dell Networking OS prompt changes to indicate the CLI mode.
CLI Command Mode Prompt Access Command • From every mode except EXEC and EXEC Privilege, enter the exit command. NOTE: Access all the following modes from CONFIGURATION mode.
CLI Command Mode Prompt Access Command PREFIX-LIST Dell(conf-nprefixl)# ip prefix-list RAPID SPANNING TREE Dell(config-rstp)# protocol spanning-tree rstp REDIRECT Dell(conf-redirect-list)# ip redirect-list ROUTE-MAP Dell(config-route-map)# route-map ROUTER BGP Dell(conf-router_bgp)# router bgp BGP ADDRESS-FAMILY Dell(conf-router_bgp_af)# address-family {ipv4 multicast | ipv6 unicast} (for IPv4) (ROUTER BGP Mode) Dell(confrouterZ_bgpv6_af)# (for IPv6) ROUTER ISIS Dell(conf-router_isis)#
CLI Command Mode Prompt Access Command LLDP MANAGEMENT INTERFACE Dell(conf-lldp-mgmtIf)# management-interface (LLDP Mode) LINE Dell(config-line-console) or Dell(config-line-vty) line console orline vty MONITOR SESSION Dell(conf-mon-sesssessionID)# monitor session OPENFLOW INSTANCE Dell(conf-of-instance-ofid)# openflow of-instance PORT-EXTENDER CONFIGURATION Dell(conf-pe-0)# interface (INTERFACE modes) PORT-CHANNEL FAILOVERGROUP Dell(conf-po-failovergrp)# port-channel failovergroup PRIORI
down TenGigabitEthernet down TenGigabitEthernet down TenGigabitEthernet down TenGigabitEthernet down 0/3 unassigned NO Manual administratively down 0/4 unassigned NO Manual administratively down 0/5 unassigned NO Manual administratively down 0/6 unassigned NO Manual administratively down Dell#show version Dell Real Time Operating System Software Dell Operating System Version: 2.0 Dell Application Software Version: E9.9(0.0) Copyright (c) 1999-2015 by Dell Inc. All Rights Reserved.
interface TenGigabitEthernet 4/17 ip address 192.168.10.1/24 no shutdown Dell(conf-if-te-4/17)#no ip address Dell(conf-if-te-4/17)#show config ! interface TenGigabitEthernet 4/17 no ip address no shutdown Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
• The BACKSPACE and DELETE keys erase the previous letter. • Key combinations are available to move quickly across the command line. The following table describes these short-cut key combinations. Short-Cut Key Combination Action CNTL-A Moves the cursor to the beginning of the command line. CNTL-B Moves the cursor back one character. CNTL-D Deletes character at cursor. CNTL-E Moves the cursor to the end of the line. CNTL-F Moves the cursor forward one character. CNTL-I Completes a keyword.
Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case sub-option. The grep command accepts an ignore-case sub-option that forces the search to case-insensitive.
244 74 30 30 3 3 10000 10000 0.00% 0.00% 0.00% 0.00% 0.00% 0.00% 0 0 sh sh Example of the find Keyword The find keyword displays the output of the show command beginning from the first occurrence of specified text. The following example shows this command used in combination with the show processes command. Dell#show processes cpu cp | find system 0 72900 7290 10000 17.79% 17.93% 538 42710 4271 10000 6.52% 7.74% 535 50600 5060 10000 3.56% 3.61% 720 290 29 10000 0.20% 0.07% 614 250 25 10000 0.00% 0.
• On the system that telnets into the switch, this message appears: % Warning: The following users are currently configuring the system: User "" on line console0 • On the system that is connected over the console, this message appears: % Warning: User "" on line vty0 "10.11.130.
Getting Started 3 This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the switch console port to a terminal server. 2. Connect the other end of the cable to the DTE terminal server. 3.
the mount-point to which you want to load the system. The /f10/mnt/nfsdirectory is the root of all mount-points. To mount an NFS file system, perform the following steps: Table 3. Mounting an NFS File System File Operation Syntax To mount an NFS file system: mount nfs rhost:path mount-point username password The foreign file system remains mounted as long as the device is up and does not reboot.
Password to login remote host: ! Example of Copying to NFS Mount Dell#copy flash://test.txt nfsmount:// Destination file name [test.txt]: ! 15 bytes successfully copied Dell#copy flash://ashu/capture.txt.pcap nfsmount:// Destination file name [test.txt]: ! 15 bytes successfully copied Dell#copy flash://ashu/capture.txt.pcap nfsmount://username/snoop.pcap ! 24 bytes successfully copied Dell# Dell#copy tftp://10.16.127.
• You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well. Accessing the System Remotely Configuring the system remotely is a three-step process: 1. Configure an IP address for the management port. Configure the Management Port IP Address 2. Configure a management route with a default gateway. Configure a Management Route 3. Configure a username and password.
Configuring a Username and Password To access the system remotely, you must configure a system username and password. • Configure a username and password to access the system remotely. CONFIGURATION mode username username password [encryption-type] password – encryption-type: specifies how you are inputting the password, is 0 by default, and is not required. * 0 is for inputting the password in clear text. * 7 is for inputting a password that is already encrypted using a Type 7 hash.
File Storage The Dell Networking OS can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default, but can be configured to store files elsewhere. To view file system information, use the following command. • View information about each file system.
Location For a remote file location: TFTP server For a remote file location: SCP server source-file-url Syntax destination-file-url Syntax | hostname}/filepath/ filename | hostname}/ filepath/ filename copy tftp://{hostip | hostname}/filepath/ filename tftp://{hostip | hostname}/filepath/ filename copy scp://{hostip | hostname}/filepath/ filename scp://{hostip | hostname}/filepath/ filename Important Points to Remember • You may not copy a file from one remote system to another.
• Save the running-configuration to a TFTP server. EXEC Privilege mode • copy running-config tftp://{hostip | hostname}/ filepath/filename Save the running-configuration to an SCP server. EXEC Privilege mode copy running-config scp://{hostip | hostname}/ filepath/filename NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
5 6 7 8 9 10 11 12 13 drwx drwx drwx d--drwx -rwx -rwx -rwx -rwx 12288 28672 4096 4096 4096 23495 25350 33901 32267 May May May May May May May Jul Aug 20 20 20 20 20 21 20 29 07 2015 2015 2015 2015 2015 2015 2015 2015 2015 10:45:42 10:45:42 10:45:42 10:45:44 10:45:44 10:53:00 16:22:44 01:48:08 14:45:26 +00:00 +00:00 +00:00 +00:00 +00:00 +00:00 +00:00 +00:00 +00:00 CRASH_LOG_DIR CORE_DUMP_DIR DEFAULT_DIAG_REPORT_DIR ADMIN_DIR RUNTIME_PATCH_DIR 0521_6unit.cfg 0520_6unit.cfg backup1 startup-config.
Upgrading the Dell Networking OS To upgrade the Dell Networking operating system on the switch, refer to the Release Notes for the software version you want to load.
4 Switch Management This chapter describes the switch management tasks supported on the switch. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1. Level Description Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
Example of EXEC Privilege Commands The configuration in the following example creates privilege level 3. This level: removes the resequence command from EXEC mode by requiring a minimum of privilege level 4 moves the capture bgp-pdu max-buffer-size command from EXEC Privilege to EXEC mode by requiring a minimum privilege level 3, which is the configured level for VTY 0 allows access to CONFIGURATION mode with the banner command allows access to INTERFACE and LINE modes are allowed with no commands.
console Primary terminal line vty Virtual terminal Dell(conf)#line vty 0 Dell(config-line-vty)#? exit Exit from line configuration mode Dell(config-line-vty)# Applying a Privilege Level to a Username To set the user privilege level, use the following command. • Configure a privilege level for a user. CONFIGURATION mode username username privilege level Applying a Privilege Level to a Terminal Line To set a privilege level for a terminal line, use the following command.
no logging console Audit and Security Logs This section describes how to configure, display, and clear audit and security logs. The following is the configuration task list for audit and security logs: • Enabling Audit and Security Logs • Displaying Audit and Security Logs • Clearing Audit Logs Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network.
• The network administrator and network operator user roles can view system events. NOTE: If extended logging is disabled, you can only view system events, regardless of RBAC user role. Example of Enabling Audit and Security Logs Dell(conf)#logging extended Displaying Audit and Security Logs To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs.
Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Pre-requisites To configure a secure connection from the switch to the syslog server: 1. On the switch, enable the SSH server Dell(conf)#ip ssh server enable 2.
10.16.131.141 and the listening port is 5140 ssh -R 5140:10.156.166.48:5141 admin@10.16.131.141 -nNf 3. Configure logging to a local host. locahost is “127.0.0.1” or “::1”. If you do not, the system displays an error when you attempt to enable role-based only AAA authorization. Dell(conf)# logging localhost tcp port Dell(conf)#logging 127.0.0.1 tcp 5140 Track Login Activity Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events.
Example of Configuring Login Activity Tracking The following example enables login activity tracking. The system stores the login activity details for the last 30 days. Dell(config)#login statistics enable The following example enables login activity tracking and configures the system to store the login activity details for 12 days. Dell(config)#login statistics enable Dell(config)#login statistics time-period 12 Display Login Statistics To view the login statistics, use the show login statistics command.
User: admin Last login time: Mon Feb 16 04:40:00 2015 Last login location: Line vty0 ( 10.14.1.97 ) Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 11 day(s): 3 ------------------------------------------------------------------ Limit Concurrent Login Sessions Dell Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines.
Example of Clearing Existing Sessions When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions: $ telnet 10.11.178.14 Trying 10.11.178.14... Connected to 10.11.178.14. Escape character is '^]'. Login: admin Password: Current sessions for user admin: Line Location 2 vty 0 10.14.1.97 3 vty 1 10.14.1.
• Secure Connection to a Syslog Server Disabling System Logging By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands. • Disable all logging except on the console. CONFIGURATION mode • no logging on Disable logging to the logging buffer. CONFIGURATION mode • no logging buffer Disable logging to terminal lines.
Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
To specify the system logging settings, use the following commands. • Specify the minimum severity level for logging to the logging buffer. CONFIGURATION mode • logging buffered level Specify the minimum severity level for logging to the console. CONFIGURATION mode • logging console level Specify the minimum severity level for logging to terminal lines. CONFIGURATION mode • logging monitor level Specify the minimum severity level for logging to a syslog server.
– cron (for system scheduler messages) – daemon (for system daemons) – kern (for kernel messages) – local0 (for local use) – local1 (for local use) – local2 (for local use) – local3 (for local use) – local4 (for local use) – local5 (for local use) – local6 (for local use) – local7 (for local use) – lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system use) – sys10 (system use) – sys11 (system use) – sys12 (system use) – sys13 (system use) –
line {console 0 | vty number [end-number] | aux 0} Configure the following parameters for the virtual terminal lines: • number: the range is from zero (0) to 8. • end-number: the range is from 1 to 8. You can configure multiple virtual terminals at one time by entering a number and an end-number. 2. Configure a level and set the maximum number of messages to print.
NOTE: To transmit large files, Dell Networking recommends configuring the switch as an FTP server. Configuration Task List for File Transfer Services The configuration tasks for file transfer services are: • Enable FTP Server (mandatory) • Configure FTP Server Parameters (optional) • Configure FTP Client Parameters (optional) Enabling the FTP Server To enable the system as an FTP server, use the following command.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode. Configuring FTP Client Parameters To configure FTP client parameters, use the following commands. • Specify an FTP interface source. CONFIGURATION mode ip ftp source-interface interface Enter the following keywords and slot/port or number information: – For a loopback interface, enter the keyword loopback then a number between 0 and 16383.
ip access-class access-list Example of an ACL that Permits Terminal Access To view the configuration, use the show config command in LINE mode. Dell(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 Dell(config-std-nacl)#line vty 0 Dell(config-line-vty)#show config line vty 0 access-class myvtyacl Configuring Login Authentication for Terminal Lines You can use any combination of up to six authentication methods to authenticate a user on a terminal line.
Example of Terminal Line Authentication In the following example, VTY lines 0-2 use a single authentication method, line.
• Telnet to a device with an IPv4 or IPv6 address. EXEC Privilege telnet [ip-address] If you do not enter an IP address, the system enters a Telnet dialog that prompts you for one. Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported. Example of the telnet Command for Device Access Dell# telnet 10.11.80.203 Trying 10.11.80.203... Connected to 10.11.80.203. Exit character is '^]'.
Viewing the Configuration Lock Status If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode. You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
CONFIGURATION mode enable {secret | password} 6. Save the change in the running configuration to the startup configuration. EXEC Privilege mode copy running-config startup-config Ignoring the Startup Configuration and Booting from the Factory-Default Configuration If you do not want to do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the C9000 series factory-default configuration.
BOOT_USER# boot change secondary BOOT_USER# boot change default 5. Reboot the chassis. BOOT_USER mode reload Restoring Factory-Default Settings When you restore factory-default settings on a switch, the existing NVRAM settings, startup configuration, and all configured settings are deleted. To restore the factory-default settings, enter the restore factory-defaults {chassis | domain | linecard | pe | rpm } command in EXEC Privilege mode. CAUTION: There is no undo for this command.
• If the primary boot line is A: and the A: partition contains a valid image, the primary boot line is set to A:, the secondary boot line is set to B: (if B: also contains a valid image), and default boot line is set to a Null String. • If the primary boot line is B: and the B: partition contains a valid image, the primary boot line is set to B:, the secondary boot line is set to A: (if A: also contains a valid image), and default boot line is set to a Null string.
file name Server IP address BOOT_USER # 4. : : FTOS-SI-9-5-0-169.bin 10.16.127.35 Assign an IP address and network mask to the Management Ethernet interface. BOOT_USER # interface management ethernet ip address ip_address_with_mask For example, 10.16.150.106/16. 5. Assign an IP address as the default gateway for the system. default-gateway gateway_ip_address For example, 10.16.150.254. 6. The environment variables are auto saved. 7. Reload the system.
To validate the software image on the flash drive after the image has been transferred to the system, but before the image has been installed, use the verify {md5 | sha256} [ flash://]img-file [hash-value] command in EXEC mode. • md5: MD5 message-digest algorithm • sha256: SHA256 Secure Hash Algorithm • flash: (Optional) Specifies the flash drive. The default is to use the flash drive. You can just enter the image file name. • hash-value: (Optional). Specify the relevant hash published on i-Support.
– RPM1 control processor: rmp 1 (CP) – RPM1 route processor: rmp 1 (RP) – RPM1 line-card processor: linecard 11 • The rows linecard 0 through linecard 9 list the system images for each line card installed in chassis slots 0 to 9.
Manually Resetting the System Image on a C9010 Component If the image running on the RPM CP does not match the image on a C9010 component, you can manually recover from the mismatch as follows: 1. Log in to the virtual console of the C9010 component as described in Logging in to the Virtual Console of a C9010 Component. 2. Display the boot variables that you need to configure so that the component boots from the RPM CP image by entering the show bootvar command at the BOOT_USER# prompt. show bootvar 3.
• The TFTP file path is tftp://host-ip-addr/filepath. Configuring C9010 Components to Boot from the RPM CP Image By reconfiguring boot variables and resetting a component, you should be able to resolve most issues resulting from mismatched system images. To display the boot variables for a C9010 component that you need to configure so that a component boots with the RPM CP image, enter the show bootvar command at the BOOT_USER# prompt.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. • The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server. 4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAPMethod). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.
• Re-Authenticating a Port • Configuring Timeouts • Configuring a Guest VLAN • Configuring an Authentication-Fail VLAN Important Points to Remember • The system supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MSCHAPv2 with PEAP. • All platforms support only RADIUS as the authentication server. • If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured. • 802.
Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication 802.
NOTE: You must enabled dot1x authentication globaly as well as in interface mode on which supplicant is connected. Examples of Verifying that 802.1X is Enabled Globally or on an Interface Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold text show that 802.1x has been enabled. By default, ports are not authorized.
Re-Auth Interval: Max-EAP-Req: Host Mode: Auth PAE State: Backend State: 3600 seconds 2 SINGLE_HOST Initialize Initialize Dell#show int peGigE 255/0/2 peGigE 255/0/2 is up, line protocol is down(802.
802.1x profile information ----------------------------Dot1x Profile test Profile MACs 00:00:00:00:01:11 Configuring MAC addresses for a do1x Profile To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses. • Configure a list of MAC addresses for a dot1x profile. DOT1X PROFILE CONFIG (conf-dot1x-profile) mac mac-address mac-address — Enter the keyword mac and type up to the 48– bit MAC addresses using the nn:nn:nn:nn:nn:nn format.
802.
Critical VLAN Critical VLAN id: Re-Authentication: Untagged VLAN id: Guest VLAN: Guest VLAN id: Auth-Fail VLAN: Auth-Fail VLAN id: Auth-Fail Max-Attempts: Mac-Auth-Bypass: Mac-Auth-Bypass Only: Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Host Mode: Auth PAE State: Backend State: Enable 300 Disable 400 Enable 100 Disable NONE NONE Enable Enable 3 seconds 60 seconds 2 30 seconds 30 seconds 3600 seconds 2 SINGLE_HOST Authenticated Idle Configuring R
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period. NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
Forcibly Authorizing or Unauthorizing a Port IEEE 802.1X requires that a port can be manually placed into any of three states: • ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is same as disabling 802.1X on the port. • ForceUnauthorized — an unauthorized state.
Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
Configuring Dynamic VLAN Assignment with Port Authentication On the switch, 802.1X authentication supports dynamic VLAN assignment. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Networking system 2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3.
Figure 7. Dynamic VLAN Assignment 1. Configure 8021.x globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration inDynamic VLAN Assignment with Port Authentication). 2. Make the interface a switchport so that it can be assigned to a VLAN. 3. Create the VLAN to which the interface will be assigned. 4. Connect the supplicant to the port configured for 802.1X. 5.
for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed access the network without compromising network security. The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.
Auth PAE State: Backend State: Initialize Initialize Configuring an Authentication-Fail VLAN If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time. NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication.
Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 03:21:48 View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode. Example of Viewing Configured Authentication 802.
Example of Viewing Configured Server Timeouts The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts. Dell(conf-if-Te-0/0)#dot1x port-control force-authorized Dell(conf-if-Te-0/0)#do show dot1x interface TenGigabitEthernet 0/0 802.
Figure 8. Single-Host Authentication Mode When multiple end users are connected to a single authenticator port, single-host mode authentication does not authenticate all end users, and all but one are denied access to the network. For these cases, the Dell Networking OS supports multi-host mode authentication. Figure 9. Multi-Host Authentication Mode 110 802.
When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored. However, because the authenticator expects the possibility of multiple responses, no system log is generated. After the first supplicant is authenticated, all end users connected to the authorized port are allowed to access the network.
Configuring Single-Host Authentication To enable single-host authentication on a port, enter the dot1x host-mode single-host command in Interface mode. Dell(conf-if-te-2/1)# dot1x host-mode single-host Dell(conf-if-te-2/1)# do show dot1x interface tengigabitethernet 2/1 802.
authorized-MAC-to-VLAN mapping table per port. Then, the system can tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries. Configuring Multi-Supplicant Authentication To enable multi-supplicant authentication on a port, enter the dot1x host-mode multi-auth command in Interface mode. To return to the default single-host authentication mode, enter the no dot1x host-mode command. To verify the currently configured authentication mode, enter the show dot1x interface command.
MAC Authentication Bypass MAC authentication bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X — like IP phones, printers, and IP fax machines — still need connectivity to the network. The guest VLAN provides one way to access the network.
to the Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants that 802.1X can authenticate on a single port in multi-authentication mode. If a supplicant that has been authenticated using MAB starts to speak EAPoL, the switch re-authenticates that supplicant using 802.1X first, while keeping the MAC authorized through the re-authentication process.
Guest VLAN: Guest VLAN id: Auth-Fail VLAN: Auth-Fail VLAN id: Auth-Fail Max-Attempts: Critical VLAN: Critical VLAN id: Mac-Auth-Bypass: Mac-Auth-Bypass Only: Static-MAB: Static-MAB Profile: Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Host Mode: Auth PAE State: Backend State: Disable NONE Disable NONE NONE Disable NONE Enable Disable Disable NONE 30 seconds 60 seconds 2 30 seconds 30 seconds 3600 seconds 2 SINGLE_HOST Authenticated Idle Dynamic Co
• In accordance with port-based QoS, incoming dot1p values can be mapped to only four priority values: 0, 2, 4, and 6. If the RADIUS server returns any other dot1p value (1, 3, 5, or 7), the value is not used and frames are forwarded on egress queue 0 without changing the incoming dot1p value. The example shows how dynamic CoS remaps (or does not remap) the dot1p priority in 802.
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. • Access control lists (ACLs), Ingress IP and MAC ACLs , and Egress IP and MAC ACLs are supported on the system. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the system assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands. Ingress and egress Hot Lock ACLs allow you to append or delete new rules into an existing ACL (already written into CAM) without disrupting traffic flow.
Parameters • line card — Enter the linecard keyword and one of the following options: – linecard number (from 0 to 11) and then the port-set keyword and number. – All to specify all line card numbers and then the port-set keyword and number. • stack-unit stack-unit-number — Enter the keyword stack-unit and then the stack unit number. The range is 0–7. • pe pe–id — Enter the keyword pe and then the port-extender ID.
The default CAM allocation settings for ingress ACL and QoS regions are the following: L2Acl : Ipv4Acl : Ipv6Acl : Ipv4Qos : L2Qos : L2PT : IpMacAcl : VmanQos : EcfmAcl : FcoeAcl : iscsiOptAcl : ipv4pbr : vrfv4Acl : Openflow : fedgovacl : nlbclusteracl: 5 4 0 2 1 0 0 0 0 0 0 0 0 0 0 0 Select the CAM allocation for Layer 2, IPv4, and IPv6 ACLs, Layer 2 and Layer 3 (IPv4) QoS, Layer 2 Protocol Tunneling (L2PT), IP and MAC source address validation for DHCP, and Policy-based Routing (PBR).
-- Chassis PE Cam ACL -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 5 Ipv4Acl : 2 Ipv6Acl : 2 Ipv4Qos : 2 L2Qos : 1 IpMacAcl : 0 Dell(conf)#cam-acl-pe ? default Reset PE CAM ACL entries to default setting l2acl Set L2-ACL entries Dell(conf)#cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2 Allocating CAM for Egress ACLs on the Port Extender To allocate Content Addressable Memory (CAM) for egress ACLs on the port extender.
3. Reload the system. EXEC Privilege mode reload Examples of Allocating CAM for Egress ACLs on the Port Extender The following example displays the current CAM ACL settings for each egress region and configures the egress CAM settings.
ACL Optimization If an access list contains duplicate entries, the system deletes one entry to conserve CAM space. Standard and extended ACLs take up the same amount of CAM space. A single ACL rule uses two CAM entries whether it is identified as a standard or extended ACL.
• Implementing the required rules uses a significant number of CAM entries per TCP/UDP entry. • For an IP ACL, the system always applies implicit deny. You do not have to configure it. • For an IP ACL, the system applies implicit permit for second and subsequent fragment just prior to the implicit deny. • If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments. • Loopback interfaces do not support ACLs using the IP fragment option.
Example of Permitting All Packets from a Specified Host In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp host 10.1.1.
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. To view the rules of a particular ACL configured on a particular interface, use the show ip accounting access-list ACL-name interface interface command in EXEC Privilege mode. Examples of Using a Standard IP ACL The following example shows viewing the rules of a specific ACL on an interface.
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. The following example shows a standard IP ACL in which the system assigns the sequence numbers. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number).
ip access-list extended access-list-name 2. Configure a drop or forward filter. CONFIG-EXT-NACL mode seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] When you use the log keyword, the CP logs details about the packets that match.
Dell(config-ext-nacl)#show confi ! ip access-list extended dilling seq 5 permit tcp 12.1.0.0 0.0.255.255 any seq 15 deny ip host 112.45.0.0 any log Dell(config-ext-nacl)# Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. Filters are assigned in multiples of five.
Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply: • When the system routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them. • When the system switches the packets, the egress L3 ACL does not filter the packet.
Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The VLAN member interfaces, on which the ACL in an ACL VLAN group is applied, function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs on which hierarchical filtering is performed. • You can add only one ACL to an interface at a time.
You can create up to eight different ACL VLAN groups. 2. Add a description. ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode description description 3. Apply an egress IP ACL. ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode ip access-group access-list-name out implicit-permit 4. Specify the VLAN members in the ACL VLAN group. ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode member vlan vlan-range 5. Verify the currently configured ACL VLAN groups on the switch.
To allocate the number of FP blocks for ACL VLAN optimization, enter the cam-acl-vlan vlanaclopt <0-2> command. After you configure ACL VLAN CAM, reboot the switch to enable CAM allocation for ACL VLAN optimization. To display the number of FP blocks currently allocated to different ACL VLAN services, enter the show cam-acl-vlan command. To display the amount of CAM space currently used and available for Layer 2 and Layer 3 ACLs on the switch, enter the show cam-usage command.
ip access-group nimule in no shutdown Dell(conf-if)# To filter traffic on Telnet sessions, use only standard ACLs in the access-class command. Applying Ingress ACLs on the Port Extender Ingress ACLs are applied to port extender interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
Counting ACL Hits You can view the number of packets matching the ACL by using the count option when creating ACL entries. 1. Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter. 2. Apply the ACL as an inbound or outbound ACL on an interface. Refer to Applying an IP ACL. 3. show ip accounting access-list EXEC Privilege mode View the number of packets matching the ACL. IP Prefix Lists IP prefix lists are supported to control routing policy.
Configuration Task List for Prefix Lists To configure a prefix list, use commands in PREFIX LIST, ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Create the prefix list in PREFIX LIST mode and assign that list to commands in ROUTER RIP, ROUTER OSPF and ROUTER BGP modes. The following list includes the configuration tasks for prefix lists, as described in the following sections.
seq 20 permit 0.0.0.0/0 le 32 Dell(conf-nprefixl)# NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded. To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
• Show a table of summarized information about configured Prefix lists. EXEC Privilege mode show ip prefix-list summary [prefix-name] Examples of the show ip prefix-list Commands The following example shows the show ip prefix-list detail command. Dell>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.
Example of Viewing Configured Prefix Lists (ROUTER RIP mode) To view the configuration, use the show config command in ROUTER RIP mode, or the show running-config rip command in EXEC mode. Dell(conf-router_rip)#show config ! router rip distribute-list prefix juba out network 10.0.0.0 Dell(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands. • Enter OSPF mode.
the second table. In the same example, apply resequencing if more than two rules must be placed between rules 7 and 10. You can resequence IPv4 and IPv6 ACLs, prefixes, and MAC ACLs. No CAM writes happen as a result of resequencing, so there is no packet loss; the behavior is similar Hot-lock ACLs. NOTE: ACL resequencing does not affect the rules, remarks, or order in which they are applied. Resequencing merely renumbers the rules so that you can place new rules within the list as needed. Table 7.
remark 4 XYZ remark 5 this remark corresponds to permit any host 1.1.1.1 seq 5 permit ip any host 1.1.1.1 remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 Dell# end Dell# resequence access-list ipv4 test 2 2 Dell# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists; however, where the packet or traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not redistributed. Implementation Information The implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all traffic matches the route map and the set command applies.
Examples of Working with Route Maps The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed. To view the configuration, use the show config command in ROUTE-MAP mode. The following example shows viewing a configured route-map.
To delete a route map, use the no route-map map-name command in CONFIGURATION mode. Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. • match commands search for a certain criterion in the routes. • set commands change the characteristics of routes, either adding something or specifying a level. When there are multiple match commands with the same parameter under one instance of route-map, the system does a match between all of those match commands.
• match as-path as-path-name Match routes with COMMUNITY list attributes in their path. CONFIG-ROUTE-MAP mode • match community community-list-name [exact] Match routes whose next hop is a specific interface. CONFIG-ROUTE-MAP mode match interface interface The parameters are: • – For a loopback interface, enter the keyword loopback then a number between zero (0) and 16383. – For a port channel interface, enter the keywords port-channel then a number.
• Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated. CONFIG-ROUTE-MAP mode • match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local } Match routes with a specific tag. CONFIG-ROUTE-MAP mode match tag tag-value To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low.
CONFIG-ROUTE-MAP mode • set origin {egp | igp | incomplete} Specify a tag for the redistributed routes. CONFIG-ROUTE-MAP mode • set tag tag-value Specify a value as the route’s weight. CONFIG-ROUTE-MAP mode set weight value To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.
Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
CONFIGURATION mode cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number [vman-qos | vman-dual-qos number] ecfmacl number [nlbclusteracl number] ipv4pbr number }openflow number | fcoe number} [ipv4udfenable] [iscsioptacl number] [vrfv4acl number] Dell(conf)#cam-acl l2acl 1 ipv4acl 8 ipv6acl 2 ipv4qos 0 l2qos 2 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 ipv4udfenable 3. View the currently configured CAM allocation.
udf-tcam ipnip seq 1 match l2ethertype ipv4 ipprotocol 4 vlantag any Dell(conf-udf-tcam)# 9. Create a UDF qualifier to assign values to UDF IDs. CONFIGURATION-UDF TCAM mode udf-qualifier-value name Dell(conf-udf-tcam)# udf-qualifier-value ipnip_val1 10. Assign a value to a UDF ID. CONFIGURATION-UDF-Qualifier-Value Profile mode udf-id 1-12 value mask Dell(conf-udf-tcam-qual-val)#udf-id 1 aa ff 11. Associate the UDF qualifier value with a UDF packet profile in an IP access list.
7 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
NOTE: A session state change from Up to Down is the only state change that triggers a link state change in the routing protocol client. BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 10. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state.
Field Description system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer to BFD Sessions). NOTE: The Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear. Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet.
BFD Sessions BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles: Active The active system initiates the BFD session. Both systems can be active for the same session. Passive The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
handshake. Now the discriminator values have been exchanged and the transmit intervals have been negotiated. 4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established. However, because both members must send a control packet — that requires a response — anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 12. Session State Changes Important Points to Remember • On the switch, the system supports 128 sessions at 200 minimum transmit and receive intervals with a multiplier of 3, and 64 sessions at 100 minimum transmit and receive intervals with a multiplier of 4. • Enable BFD on both ends of a link. • Demand mode, authentication, and the Echo function are not supported.
• Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Static Routes Configuring BFD for static routes is supported on the switch. BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop. Configuring BFD for static routes is a three-step process: 1.
R1(conf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 2.2.2.2 Te 4/24 Up 200 200 4 R To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information. Changing Static Route Session Parameters BFD sessions are configured with default intervals and a default role.
agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change occurred. NOTE: If you enable BFD after OSPF with a large number (more than 100) of OSPF neighbors on a VLAN port-channel and if the VLAN has more than one port-channel, BFD does not come up immediately. (This behavior occurs only if you enable BFD after connections with all OSPF neighbors are fully established.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 14. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
ip ospf bfd all-neighbors Example of Verifying Sessions with OSPF Neighbors To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 200 200 3 O 2.2.3.
• no bfd all-neighbors Disable BFD sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors disable Configure BFD for OSPFv3 BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors.
• Disable BFD sessions with all OSPFv3 neighbors. ROUTER-OSPFv3 mode • no bfd all-neighbors Disable BFD sessions with OSPFv3 neighbors on a single interface. INTERFACE mode ipv6 ospf bfd all-neighbors disable Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state.
Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 15. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode • bfd all-neighbors Establish sessions with IS-IS neighbors on a single interface.
The bold line shows that IS-IS BFD sessions are enabled. R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 200 200 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role.
isis bfd all-neighbors disable Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature. Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1.
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor: • By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command). • By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peergroup-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
neighbor {ip-address | peer-group-name} bfd NOTES: 6. • When you establish a BFD session with a specified BGP neighbor or peer group using the neighbor bfd command, the default BFD session parameters are used (interval: 200 milliseconds, min_rx: 200 milliseconds, multiplier: 3 packets, and role: active).
Displaying BFD for BGP Information You can display related information for BFD for BGP. To display information about BFD for BGP sessions on a router, use the following commands and refer to the following examples. • Verify a BFD for BGP configuration. EXEC Privilege mode show running-config bgp • Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-byline listing of established BFD adjacencies is displayed.
The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets). R2# show bfd neighbors detail Session Discriminator: 9 Neighbor Discriminator: 10 Local Addr: 1.1.1.3 Local MAC Addr: 00:01:e8:66:da:33 Remote Addr: 1.1.1.
Protocol BGP Messages: Registration De-registration Init Up Down Admin Down : : : : : : 5 4 0 6 0 2 Interface TenGigabitEthernet 6/1 Protocol BGP Messages: Registration De-registration Init Up Down Admin Down : : : : : : 5 4 0 6 0 2 Interface TenGigabitEthernet 6/2 Protocol BGP Messages: Registration De-registration Init Up Down Admin Down : : : : : : 1 0 0 1 0 2 The following example shows viewing BFD summary information.
Last read 00:00:30, last write 00:00:30 Hold time is 180, keepalive interval is 60 seconds Received 8 messages, 0 in queue 1 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Sent 9 messages, 0 in queue 2 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_R
agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process: 1. Enable BFD globally. 2. Establish VRRP BFD sessions with all VRRP-participating neighbors. 3. On the master router, establish a VRRP BFD sessions with the backup routers. Refer to Establishing Sessions with All VRRP Neighbors. Related Configuration Tasks • Changing VRRP Session Parameters.
Establishing VRRP Sessions on VRRP Neighbors The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session the backup router. To establish a session with a particular VRRP neighbor, use the following command. • Establish a session with a particular VRRP neighbor.
To change parameters for all VRRP sessions or for a particular VRRP session, use the following commands. • Change parameters for all VRRP sessions. INTERFACE mode • vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] Change parameters for a particular VRRP session.
Border Gateway Protocol IPv4 (BGPv4) 8 This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 18. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Because BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision. • If a route was received from a nonclient peer, reflect the route to all client peers. • If the route was received from a client peer, reflect the route to all nonclient and all client peers.
• Local Preference • Multi-Exit Discriminators (MEDs) • Origin • AS Path • Next Hop Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp nondeterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time.
Figure 21. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. 4. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command.
c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths. 8. Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains. 9. The system deems the paths as equal and does not perform steps 9 through 11, if the following criteria is met: a. the IBGP multipath or EBGP multipath are configured (the maximum-path command).
and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B. Figure 22. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria.
Figure 23. Multi-Exit Discriminators Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE. Origin Type Description IGP Indicates the prefix originated from information learned through an interior gateway protocol. EGP Indicates the prefix originated from information learned from an EGP protocol, which NGP replaced. INCOMPLETE Indicates that the prefix originated from an unknown source.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP The following sections describe how BGP is implemented on the switch. Additional Path (Add-Path) Support The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker withdraws its path from its local RIB and recalculates a new best path.
Ignore Router-ID for Some Best-Path Calculations You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers The 4-Byte (32-bit) format is supported to configure autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
• All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI and when displayed in the show commands outputs. • AS Numbers larger than 65535 is represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10. ASDOT representation combines the ASPLAIN and ASDOT+ representations.
Example of the Running Configuration When AS Notation is Disabled AS NOTATION DISABLED Dell(conf-router_bgp)#no bgp asnotation Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 24. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB. • To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Networking recommends setting the timeout and retry count values to a relatively higher number. For example, t = 60 or r = 5. • To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public.
Table 9. BGP Default Values Item Default BGP Neighbor Adjacency changes All BGP neighbor changes are logged.
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system. NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically. a. Enable 4-Byte support for the BGP process. NOTE: This command is OPTIONAL. Enable if you want to use 4-Byte AS numbers or if you support AS4 number representation.
To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode. The first example shows the summary with a 2-byte AS number displayed (in bold); the second example shows that the summary with a 4-byte AS number using the show ip bgp summary command (displays a 4–byte AS number in bold). R2#show ip bgp summary BGP router identifier 192.168.10.
The third line of the show ip bgp neighbors output contains the BGP State. If anything other than ESTABLISHED is listed, the neighbor is not exchanging information and routes. For more information about using the show ip bgp neighbors command, refer to the Dell Nettworking OS Command Line Interface Reference Guide. NOTE: The showconfig command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command. Dell#show ip bgp neighbors BGP neighbor is 10.114.8.
neighbor neighbor neighbor neighbor neighbor neighbor neighbor neighbor neighbor neighbor neighbor R2# 10.10.21.1 no shutdown 10.10.32.3 remote-as 65123 10.10.32.3 no shutdown 100.10.92.9 remote-as 65192 100.10.92.9 no shutdown 192.168.10.1 remote-as 65123 192.168.10.1 update-source Loopback 0 192.168.10.1 no shutdown 192.168.12.2 remote-as 65123 192.168.12.2 update-source Loopback 0 192.168.12.
Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command. Dell(conf-router_bgp)#bgp asnotation asplain Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.
NOTE: Sample Configurations for enabling peer groups are found at the end of this chapter. 1. Create a peer group by assigning a name to it. CONFIG-ROUTERBGP mode neighbor peer-group-name peer-group 2. Enable the peer group. CONFIG-ROUTERBGP mode neighbor peer-group-name no shutdown By default, all peer groups are disabled. 3. Create a BGP neighbor. CONFIG-ROUTERBGP mode neighbor ip-address remote-as as-number 4. Enable the neighbor. CONFIG-ROUTERBGP mode neighbor ip-address no shutdown 5.
• • • • • • neighbor neighbor neighbor neighbor neighbor neighbor distribute-list out filter-list out next-hop-self route-map out route-reflector-client send-community A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates.
Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.1 10.68.171.1 10.68.172.1 10.68.173.1 10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 10.68.179.1 10.68.180.
Examples of Verifying that Fast Fail-Over is Enabled To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast fail-over is disabled by default, it appears only if it has been enabled (shown in bold). Dell#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.
For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* Dell# router bgp neighbor neighbor neighbor neighbor neighbor neighbor neighbor Dell# 65517 test peer-group test fail-over test no shutdown 100.100.100.100 remote-as 65517 100.100.100.100 fail-over 100.100.100.100 update-source Loopback 0 100.100.100.
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group. For more information about peer groups, refer to Configure Peer Groups. Maintaining Existing AS Numbers During an AS Migration The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration.
neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)# Allowing an AS Number to Appear in its Own AS Path This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of times in the update received from the peer, even if that ASN matches its own. The AS-PATH loop is detected if the local ASN is present more than the specified number of times in the command.
With the graceful restart feature, the system enables the receiving/restarting mode by default. In Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability when they restart. This option provides support for remote peers for their graceful restart without supporting the feature itself. You can implement BGP graceful restart either by neighbor or by BGP peer-group. For more information, refer to the Dell Networking OS Command Line Interface Reference Guide.
{deny | permit} filter parameter This is the filter that is used to match the AS-path. The entries can be any format, letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters. 3. Return to CONFIGURATION mode. AS-PATH ACL mode exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expressions as Filters Regular expressions are used to filter AS paths or community lists. A regular expression is a special character used to define a pattern that is then compared with an input string. For an AS-path access list, as shown in the previous commands, if the AS path matches the regular expression in the access list, the route matches the access list. The following lists the regular expressions accepted in the Dell Networking OS.
neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown Dell(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in Dell(conf-router_bgp)#ex Dell(conf)#ip as-path access-list Eagle Dell(config-as-path)#deny 32$ Dell(config-as-path)#ex Dell(conf)#router bgp 99 Dell(conf-router_bgp)#neighbor AAA filter-list Eagle in Dell(conf-router_bgp)#show conf ! router bgp 99 neighbor AAA peer-group neighbor AAA filter-list Eaglein neighbor AAA no shutdown neighbor 10.155.15.
redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id: the range is from 1 to 65535. – match external: the range is from 1 or 2. – match internal – metric-type: external or internal. – map-name: name of a configured route map. Enabling Additional Paths The add-path feature is disabled by default.
The system also supports BGP Extended Communities as described in RFC 4360 — BGP Extended Communities Attribute. To configure an IP community list, use these commands. 1. Create a community list and enter COMMUNITY-LIST mode. CONFIGURATION mode ip community-list community-list-name 2. Configure a community list by denying or permitting specific community numbers or types of community.
Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1. Create a extended community list and enter the EXTCOMMUNITY-LIST mode. CONFIGURATION mode ip extcommunity-list extcommunity-list-name 2. Two types of extended communities are supported.
Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group. 1. Enter ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
Dell>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network * i 3.0.0.0/8 *>i 4.2.49.12/30 * i 4.21.132.0/23 *>i 4.24.118.16/30 *>i 4.24.145.0/30 *>i 4.24.187.12/30 *>i 4.24.202.0/30 *>i 4.25.88.0/30 *>i 6.1.0.0/16 *>i 6.2.0.0/22 *>i 6.3.0.0/18 *>i 6.4.0.0/16 *>i 6.5.0.0/19 *>i 6.8.0.0/20 *>i 6.9.0.0/20 *>i 6.10.0.0/15 *>i 6.14.0.0/15 *>i 6.133.0.
CONFIG-ROUTER-BGP mode bgp default local-preference value – value: the range is from 0 to 4294967295. The default is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map. 1. Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
set next-hop ip-address Changing the WEIGHT Attribute To change how the WEIGHT attribute is used, enter the first command. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address. • Assign a weight to the neighbor connection. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} weight weight – weight: the range is from 0 to 65535. • The default is 0. Sets weight for the route.
• prefix lists (using the neighbor distribute-list command) • AS-PATH ACLs (using the neighbor filter-list command) • route maps (using the neighbor route-map command) Prior to filtering BGP routes, create the prefix list, AS-PATH ACL, or route map. For configuration information about prefix lists, AS-PATH ACLs, and route maps, refer to Access Control Lists (ACLs).
configure a prefix list filter to permit all routes. For example, you could have the following filter as the last filter in your prefix list permit 0.0.0.0/0 le 32). • After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. To view the BGP configuration, use the show config command in ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode.
ip as-path access-list as-path-name 2. Create a AS-PATH ACL filter with a deny or permit action. AS-PATH ACL mode {deny | permit} as-regular-expression 3. Return to CONFIGURATION mode. AS-PATH ACL exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Filter routes based on the criteria in the configured route map.
• Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-reflector-client When you enable a route reflector, the system automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode.
• Specifies the confederation ID. CONFIG-ROUTER-BGP mode bgp confederation identifier as-number • – as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). Specifies which confederation sub-AS are peers. CONFIG-ROUTER-BGP mode bgp confederation peers as-number [... as-number] – as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
bgp dampening [half-life | reuse | suppress max-suppress-time] [route-map map-name] Enter the following optional parameters to configure route dampening parameters: – half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the halflife period expires. The default is 15 minutes. – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value.
• Change the best path selection method to non-deterministic. Change the best path selection method to non-deterministic. CONFIG-ROUTER-BGP mode bgp non-deterministic-med NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.
Changing BGP Timers To configure BGP timers, use either or both of the following commands. Timer values configured with the neighbor timers command override the timer values configured with the timers bgp command.
To use soft reconfiguration (or soft reset) without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the open message sent when the peers establish a TCP session. To determine whether a BGP router supports this capability, use the show ip bgp neighbors command. If a router supports the route refresh capability, the following message displays: Received route refresh capability from peer.
Match a Clause with a Continue Clause The continue feature can exist without a match clause. Without a match clause, the continue clause executes and jumps to the specified route-map entry. With a match clause and a continue clause, the match clause executes first and the continue clause next in a specified route map entry. The continue clause launches only after a successful match.
• Enables support for the IPv4 multicast family on the BGP node. CONFIG-ROUTER-BGP mode • address family ipv4 multicast Enable IPv4 multicast support on a BGP neighbor/peer group. CONFIG-ROUTER-BGP-AF (Address Family) mode neighbor [ip-address | peer-group-name] activate BGP Regular Expression Optimization The system optimizes processing time when using regular expressions by caching and re-using regular expression evaluated results, at the expense of some memory in RP1 processor.
• Enable soft-reconfiguration debug. EXEC Privilege mode debug ip bgp {ip-address | peer-group-name} soft-reconfiguration To enhance debugging of soft reconfig, use the bgp soft-reconfig-backup command only when route-refresh is not negotiated to avoid the peer from resending messages. In-BGP is shown using the show ip protocols command. The system displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode.
Last reset 00:00:12, due to Missing well known attribute Notification History 'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:26:02 ago ffffffff ffffffff ffffffff ffffffff 00160303 03010000 Last notification (len 21) received 00:26:20 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Last PDU (len 41) received 00:26:02 ago that caused notification to be issued ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201
Outgoing packet capture enabled for BGP neighbor 20.20.20.
Figure 25. Sample Configurations Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int tengig 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TenGigabitEthernet 1/21 ip address 10.0.1.
no shutdown R1(conf-if-te-1/31)#router bgp 99 R1(conf-router_bgp)#network 192.168.128.0/24 R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R1(conf-router_bgp)#neighbor 192.168.128.2 no shut R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R1(conf-router_bgp)#neighbor 192.168.128.3 no shut R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0 R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.
R2(conf-if-te-2/31)#router bgp 99 R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R2(conf-router_bgp)#neighbor 192.168.128.1 no shut R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R2(conf-router_bgp)#neighbor 192.168.128.3 no shut R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0 R2(conf-router_bgp)#show config ! router bgp 99 bgp router-id 192.168.128.2 network 192.168.128.
no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.1 no shut R3(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R3(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.2 no shut R3(conf-router_bgp)#neighbor 192.168.128.
neighbor 192.168.128.3 update-source Loopback 0 neighbor 192.168.128.3 no shutdown R1# R1#show ip bgp summary BGP router identifier 192.168.128.
Received 30 messages, 0 in queue 4 opens, 2 notifications, 4 updates 20 keepalives, 0 route refresh requests Sent 29 messages, 0 in queue 4 opens, 1 notifications, 4 updates 20 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Up
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.1 99 140 136 2 0 (0) 00:11:24 1 192.168.128.3 100 138 140 2 0 (0) 00:18:31 1 R2#show ip bgp neighbor BGP neighbor is 192.168.128.1, remote AS 99, internal link Member of peer-group AAA for session parameters BGP version 4, remote router ID 192.168.128.
85 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1,
Minimum time before advertisements start is 0 seconds Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes adverti
Content Addressable Memory (CAM) 9 CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe. CAM Allocation CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 12 FP blocks.
L2Acl Ipv4Acl Ipv6Acl Ipv4Qos L2Qos L2PT IpMacAcl VmanQos EcfmAcl Openflow : : : : : : : : : : 5 4 0 2 1 0 0 0 0 0 -- linecard 2 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 5 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Test CAM Usage The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
EcfmAcl Openflow : : 0 0 -- linecard 1 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 -- linecard 2 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 0 Openflow : 0 View CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow
| --More-- | IN-L3-SysFlow | 2878 | 44 | 2834 Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or CONFIGURATION mode, as shown in the following example.
• If an IP header is not found after the fifth label, hashing is based on the MPLS labels. • If the packet has more than five MPLS labels, hashing is based on the source and destination MAC address. To enable this type of hashing, use the default CAM profile with the microcode lag-hash-mpls.
Dell(conf)#hardware forwarding-table mode scaled-l3-hosts Hardware forwarding-table mode is changed. Save the configuration and reload to take effect. Dell(conf)#end Dell#write mem ! 01:13:36: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default Dell(conf)# Dell(conf)#end Dell#01:13:44: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console Dell# 2. Display the hardware forwarding table mode in the current boot and in the next boot.
Control Plane Policing (CoPP) 10 Control plane policing (CoPP) protects the switch’s routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
-------ARP FRRP LACP LLDP GVRP STP ISIS ----------------------any 0x0806 01:01:e8:00:00:10/11 any 01:80:c2:00:00:02 0x8809 any 0x88cc 01:80:c2:00:00:21 any 01:80:c2:00:00:00 any 01:80:c2:00:00:14/15 any 09:00:2b:00:00:04/05 any --------------------Q1/Q8/Q2/Q9 CP/RP 100 Q19 LP 300 Q13 RP 500 Q6 CP 500 Q12 RP 200 Q13 RP 150 Q13 RP 500 Q13 RP 500 The protocols mapped to each CPU queue and the default rate limit applied to the 7 CPU queues for the Route Processor, Control Processor, and line cards are as fol
Table 13. Queues 14 to 20 Process Packets Destined to the line-card CPU Service Queue CPU Type Protocols Mapped to Control Processor Queues Rate Limit (in kbps) Burst (in kbps) 14 LP/LM — 1 4000 15 LP/LM — 1 100 16 LP/LM Trace Flow, Station Move, Source Miss 1200 100 17 LP/LM BFD, ACL LOGGING 1200 1000 18 LP/LM — 7000 1000 19 LP/LM FRRP, Hyperpull 800 7000 20 LP/LM LP/LM SFLOW 5000 1000 NOTE: In the line-card CPU, some queues have no protocol traffic mapped to them.
Figure 27. CoPP Versus Non-CoPP Operation Configure Control Plane Policing You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic. Configuring CoPP for Protocols This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic.
For complete information about creating ACL rules and QoS policies, see Access Control Lists (ACLs) and Quality of Service (QoS). 1. Create a Layer 2 extended ACL for specified protocol traffic. CONFIGURATION mode mac access-list extended name cpu-qos permit {arp | frrp | gvrp | isis | lacp | lldp | stp} 2. Create a Layer 3 extended ACL for specified protocol traffic.
Examples of Configuring CoPP for Protocols Example of Creating an IP/IPv6/MAC Extended ACL to Select Protocol Traffic Dell(conf)#ip access-list extended ospf cpu-qos Dell(conf-ip-acl-cpuqos)#permit ospf Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#ip access-list extended bgp cpu-qos Dell(conf-ip-acl-cpuqos)#permit bgp Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#mac access-list extended lacp cpu-qos Dell(conf-mac-acl-cpuqos)#permit lacp Dell(conf-mac-acl-cpuqos)#exit Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos De
Example of Applying a Protocol-Based Rate Limit to Control Plane Traffic Dell(conf)#control-plane-cpuqos Dell(conf-control-cpuqos)#service-policy rate-limit-protocols egressFP_rate_policy Dell(conf-control-cpuqos)#exit Configuring CoPP for CPU Queues This section describes how to create a queue-based CoPP service policy and apply it to control plane traffic. Controlling traffic on the CPU queues of the control plane does not require ACL rules; only QoS ratelimiting policies are used.
Dell(conf-qos-policy-in)#rate-police 3000 40 peak 500 40 Dell(conf-qos-policy-in)#exit Dell(conf)#qos-policy-input cpuq_2 cpu-qos Dell(conf-qos-policy-in)#rate-police 5000 80 peak 600 50 Dell(conf-qos-policy-in)#exit Example of Assigning a QoS Policy to a CPU Queue Dell(conf)#policy-map-input cpuq_rate_policy cpu-qos Dell(conf-qos-policy-in)#service-queue 5 qos-policy cpuq_1 Dell(conf-qos-policy-in)#service-queue 6 qos-policy cpuq_2 Dell(conf-qos-policy-in)#service-queue 7 qos-policy cpuq_1 Example of Apply
Service-Queue -------------Q8 Q9 Q10 Q11 Q12 Rate (kbps) ----------600 600 3200 2600 2300 Burst (kb) ---------1000 1000 1000 6000 Viewing MAC Protocol-Queue Mapping To view the queues to which MAC protocol traffic is assigned, use the show mac protocol-queuemapping command.
VRRP any any _ Q13 RP 400 Viewing IPv6 Protocol-Queue Mapping To view the queues to which IPv6 protocol traffic is assigned, use the show ipv6 protocol-queuemapping command.
Burst(kb) -----------------------STP Q13 RP 1000 LLDP Q6 CP 1000 PVST Q12 RP 1000 LACP Q13 RP 1000 ARP Q1/Q8/Q2/Q9 CP/RP 800 GVRP Q12 RP 1000 FRRP Q19 LP 1000 ECFM Q13 RP 1000 ISIS Q13 RP 3000 L2PT Q13 RP 1000 v6 BGP Q13 RP 2000 v6 OSPF Q13 RP 2000 v6 VRRP Q13 RP 2000 MLD Q12 RP 500 v6 MULTICAST CATCH ALL Q7 RP 500 IPv6 DHCP Q6 CP 2000 v6 RAGUARD Q16 LP 1000 v6 ICMP NA Q2/Q9 CP/RP 1000 v6 ICMP RA Q2/Q9 CP/RP 1000 v6 ICMP NS Q1/Q8 CP/RP 1000 v6 ICMP RS Q1/Q8 CP/RP 1000 v6 ICMP Q4 CP 2000 BGP Q13 RP 2000 OSPF
3000 802.
500 SFLOW_EGRESS 3000 SFLOW_INGRESS 3000 Q20 LP 5000 5000 3000 Q20 LP 5000 5000 3000 Troubleshooting CoPP Operation To troubleshoot CoPP operation, use the debug commands described in this section. Enabling CPU Traffic Statistics During high-traffic network conditions, you may want to manually enable the collection of CPU traffic statistics by entering the debug cpu-traffic-stats command. Statistic collection begins as soon as you enter the command, not when the system boots up.
Troubleshooting CPU Packet Loss To troubleshoot the reason for CPU packet loss, you can display statistics about system flows on the central switch (aggregated CoPP) or on a specified set of switch ports by entering the show hardware system-flow[cp-switch | linecard slot-id portset port-pipe] command. The number of hits for each system flow is also displayed.
InPorts DATA=0x0000000000000000000000000000000000000000000000000000222222222222 MASK=0x0000000000000000000000000000000000000000000000000000222222222223 DstMac Offset: 88 Width: 48 DATA=0x00000180 c2000002 MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=3(0x3), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, param0=1(0x1), param1=4(0x4),
0 PVST 0 LACP 0 GVRP 0 ARP RESP/ARP REQ 0 802.
0 SFLOW HYPERPULL 0 OPENFLOW 0 L2 DST HIT/BROADCAST 0 VLT TTL1/TRACEFLOW/TTL0/STATION MOVE/TTL1 /IP OPTION/L3 MTU FAIL/SOURCE MISS 0 v6 ICMP NS 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Dell#show control-traffic protocol pe 0 stack-unit 0 portset 0 counters Protocol RxBytes TxBytes Drops ----------------------STP/ARP/ICMP(v4/v6)/IGMP/MLD/NTP/FTP/TELNET/SSH 0 0 0 PE CSP/PE-CB LLDP 26157 26157 0 LLDP/LACP/8021x 0 0 0 Dell#clear control-traffic protocol pe 0 stack-unit 0 portset 0 counters Dell#show control-traf
LACP 0 ARP REQ 0 ARP RESP 0 GVRP 0 FRRP 0 ECFM 0 ISIS 0 L2PT 0 v6 BGP 0 v6 OSPF 0 v6 VRRP 0 MLD 0 v6 MULTICAST CATCH ALL 0 IPv6 DHCP 0 v6 RAGUARD 0 v6 ICMP NA 0 v6 ICMP RA 0 v6 ICMP NS 0 v6 ICMP RS 0 v6 ICMP 0 BGP 0 OSPF 0 RIP 0 VRRP 0 ICMP 0 IGMP 0 PIM 0 MSDP 0 BFD ON PHYSICAL PORTS 0 BFD ON LOGICAL PORTS 0 802.
DHCP RELAY 0 DHCP 0 NTP 0 FTP 0 TELNET 0 SSH 0 VLT GARP 0 VLT CTRL - CP CPU 0 VLT CTRL - RP CPU 0 VLT CTRL - CP & RP CPU 0 VLT CTRL - HA 0 VLT CTRL 0 VLT IPM PDU 0 VLT ARP RESP 0 VLT TTL1 0 HYPERPULL 0 OPENFLOW 0 FEFD 0 TRACEFLOW 0 FCoE 0 L3 LOCAL TERMINATED 0 L3 UNKNOWN/UNRESOLVED ARP 0 L2 DST HIT/BROADCAST 0 MULTICAST CATCH ALL 0 ACL LOGGING 0 L3 HEADER ERROR/TTL0 0 IP OPTION/TTL1 0 VLAN L3 MTU FAIL 0 Physical L3 MTU FAIL 0 SOURCE MISS 0 STATION MOVE 0 TX UNICAST ENTRY 0 Control Plane Policing (CoPP) 0
TX MULTICAST ENTRY 0 TX INTER SPINE ENTRY 0 DROP ENTRY 0 CP bound IPC 0 RP bound IPC 0 ECP bound IPC 0 SFLOW_EGRESS 0 SFLOW_INGRESS 0 0 0 0 0 0 847344 847344 9180 9180 34484 34484 0 0 0 0 0 To clear the per-protocol counters of rate-limited control-plane traffic at the aggregated (switch) or line card and port set level, use the clear control-traffic protocol [cp—switch | linecard {0– 2} portset {0–3}] counters command; for example: Dell#clear control-traffic protocol linecard 1 portset 2
Q10 Q11 Q12 Q13 Q14 Q15 Q16 Q17 Q18 Q19 Q20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 To clear the per-queue counters of rate-limited traffic at the aggregated (switch) or individual queue level, use the clear control-traffic queue {all | queue-id queue-number} counters command; for example: Dell#show control-traffic queue queue-id 6 counters Queue-ID RxBytes TxBytes Drops ------------------------Q6 24016 24016 0 Dell#clear control-traffic queue queue-id 6 counters Dell#show cont
11 Data Center Bridging (DCB) Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network. By default, DCB is disabled. It must be enabled to support CEE. NOTE: DCB is not supported on the Port Extender (PE) ports and cascade ports. For information about PE ports, see Interface Types and Port Extenders.
• Priority-based flow control (PFC) • Enhanced transmission selection (ETS) NOTE: DCB is not supported on the Port Extender ports and Cascade ports. DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic.
• Data Center Bridging Exchange (DCBx) protocol NOTE: Dell Networking OS supports only the PFC, ETS, and DCBx features in data center bridging. Priority-Based Flow Control In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.
• During DCBx negotiation with a remote peer: – DCBx communicates with the remote peer by LLDP TLV to determine current policies, such as PFC support and ETS bandwidth allocation. – If DCBx negotiation is not successful (for example, a version or TLV mismatch), DCBx is disabled and PFC or ETS cannot be enabled. – PFC uses DCB MIB IEEE 802.1azd2.5 and PFC MIB IEEE 802.1bb-d2.2.
Table 14. ETS Traffic Groupings Traffic Groupings Description Group ID A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.. Group bandwidth Percentage of available bandwidth allocated to a priority group. Group transmission selection algorithm (TSA) Type of queue scheduling a priority group uses. In Dell Networking OS, ETS is implemented as follows: • ETS supports groups of 802.
Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 30. DCB PFC and ETS Traffic Handling QoS dot1p Traffic Classification and Queue Assignment The following section describes QoS dot1P traffic classification and assignments.
For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table.
fpStatsPerPgTable This table fetches the Allocated Min cells, Shared cells and Headroom cells per Priority Group, the mode in which the buffer cells are allocated - Static or Dynamic and the Used Min Cells, Shared cells and Headroom cells per Priority Group. The table fetches a value of 0 if the mode of allocation is Static and a value of 1 if the mode of allocation is Dynamic. This table is indexed by stack-unit number, port number and priority group number.
ETS settings, and apply the new map to the interfaces to override the previous DCB map settings. Then, delete the original dot1p priority-priority group mapping. The maximum number of priority groups is 3. If you delete the dot1p priority-priority group mapping (no priority pgid command) before you apply the new DCB map, the default PFC and ETS parameters are applied on the interfaces. This change may create a DCB mismatch with peer DCB devices and interrupt network operation.
Configuring PFC without a DCB Map In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic. Table 16.
Table 17. Configuring Lossless Queues Step Task Command Command Mode 1 interface {tengigabitEthernet slot/port | fortygigabitEthernet slot} CONFIGURATION Enter INTERFACE Configuration mode. port-number is a port number from 0 to 23. 2 Open a DCB map and enter DCB map configuration mode. dcb-map name INTERFACE 3 Disable PFC. no pfc mode on DCB MAP 4 Return to interface configuration mode.
NOTE: On the C9010, linecard 10 and linecard 11 correspond to RPM0 and RPM1 respectively. To enable DCB across C9010 line cards, apply a DCB map on all installed line cards (linecard 0–9) and RPMs (linecard 10–11). NOTE: If the DCB map you apply to the backplane ports of C9010 RPMs (linecard 10–11) configures two or more priority groups, you must increase the size of the PFC shared and total buffers (dcb pfc-shared-buffer-size and dcb pfc-total-buffer-size commands).
peer devices. PFC allows network administrators to create zero-loss links for SAN traffic that requires nodrop service, while at the same time retaining packet-drop congestion management for LAN traffic. On the switch, PFC is enabled on Ethernet ports (pfc mode on command). You can configure PFC parameters using a DCB map or the pfc priority command in Interface configuration mode. For more information, see Configuring Priority-Based Flow Control.
802.1p priority class to configure different treatment for traffics with different bandwidth, latency, and best-effort needs. When you configure ETS in a DCB map: • The DCB map associates a priority group with a PFC operational mode (on or off) and an ETS scheduling and bandwidth allocation. You can apply a DCB map on multiple egress ports. • Use the ETS configuration associated with 802.1p priority traffic in a DCB map in DCBx negotiation with ETS peers.
• ETS is not supported on PE ports and C9010 cascade ports (member ports in the C9010 LAG created to connect to an attached C1048P). Priority-Group Configuration Notes When you configure priority groups in a DCB map: • • • • A priority group consists of 802.1p priority values that are grouped together for similar bandwidth allocation and scheduling, and that share the same latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group.
3. Specify the dot1p priority-to-priority group mapping for each priority. priority-pgid dot1p0_group_num dot1p1_group_num ...dot1p7_group_num Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number.
Any pfc-dot1p priorities configured on a given interface need not be the same across the system, until the total lossless queues configured on all the ports does not exceed the maximum lossless queues configured globally. For example, one of the Te/Fo interfaces can have pfc-dot1p priorities as 2 and 3. Whereas, the other Te/Fo interface(s) can have its pfc-dot1p priorities as 4 and 5.
Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7. Dell Networking OS Behavior: A priority group consists of 802.
strict-priority scheduling (strict-priority command). The priority group for strict-priority scheduling (scheduler strict command. Configure a DCBx Operation DCB devices use data center bridging exchange protocol (DCBx) to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP) protocol.
• If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled. • If the received peer configuration is not compatible with the currently configured port configuration, the link with the DCBx peer port is disabled and a syslog message for an incompatible configuration is generated. The network administrator must then reconfigure the peer device so that it advertises a compatible DCB configuration.
configured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration. On a DCBx port in a manual role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled. When making a configuration change to a DCBx port in a Manual role, Dell Networking recommends shutting down the interface using the shutdown command, change the configuration, then re-activate the interface using the no shutdown command. The default for the DCBx port role is manual.
• and the DCBx frame error counter is incremented. Although DCBx is operationally disabled, the port keeps the peer link up and continues to exchange DCBx packets. If a compatible peer configuration is later received, DCBx is enabled on the port. If there is no configuration source, a port may elect itself as the configuration source. A port may become the configuration source if the following conditions exist: – – – – – No other port is the configuration source. The port role is auto-upstream.
configured version, including fast and slow transmit timers and message formats. If a DCBx frame with a different version is received, a syslog message is generated and the peer version is recorded in the peer status table. If the frame cannot be processed, it is discarded and the discard counter is incremented. NOTE: Because DCBx TLV processing is best effort, it is possible that CIN frames may be processed when DCBx is configured to operate in CEE mode and vice versa.
class-map match-any dscp-pfc-2 match ip dscp 20-25,30-35 2. Associate above class-maps to Queues Queue assignment to be based on the below table. Table 18. o Queues Queue Assignment 3. Internal- 0 priority 1 2 3 4 5 6 7 Queue 0 2 3 4 5 6 7 1 Dot1p->Queue Mapping Configuration is retained at the default value. Default dot1p-queue mapping is, Dell#show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 6 7 Queue :2 0 1 3 4 5 6 4. 7 Interface Configurations on server connected ports.
Figure 31. DCBx Sample Topology DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
Configuring DCBx To configure DCBx, follow these steps. For DCBx, to advertise DCBx TLVs to peers, enable LLDP. For more information, see Link Layer Discovery Protocol (LLDP). Configure DCBx operation at the interface level on a switch or globally on the switch. 1. Configure ToR- and FCF-facing interfaces as auto-upstream ports. 2. Configure server-facing interfaces as auto-downstream ports. 3. Configure a port to operate in a configuration-source role. 4. Configure ports to operate in a manual role.
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc] • ets-conf: enables the advertisement of ETS Configuration TLVs. • ets-reco: enables the advertisement of ETS Recommend TLVs. • pfc enables: the advertisement of PFC TLVs. The default is All PFC and ETS TLVs are advertised. NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco.
• cee: configures a port to use CEE (Intel 1.01). cin configures a port to use Cisco-Intel-Nuova (DCBx 1.0). • ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5). The default is Auto. NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3). 4. Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role.
The default is 0x10. DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs. LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 19. Displaying DCB Configurations Command Output show dot1p-queue mapping Displays the current 802.1p priority-queue mapping. show dcb linecard unit-number Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. You can optionally specify the linecard. The range for line card is from 0 to 11.
linecard Total Buffer PFC Total Buffer PFC Shared Buffer PFC Available Buffer PP (KB) (KB) (KB) (KB) ----------------------------------------------------------------------------2 0 11210 7488 2496 4992 The following example shows the output of the show qos dcb-map test command.
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts The following table describes the show interface pfc summary command fields. Table 20. show interface pfc summary Command Description Fields Description Interface Interface type with stack-unit, linecard, and port number. Admin mode is on; Admin is enabled PFC Admin mode is on or off with a list of the configured PFC priorities .
Fields Description PFC Link Delay Link delay (in quanta) used to pause specified priority traffic. Application Priority TLV: FCOE TLV Tx Status Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: ISCSI TLV Tx Status Status of ISCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled.
Admin Parameters : -----------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 1 0,1,2 100% ETS 2 3 0 % SP 3 4,5,6,7 0 % SP 4 5 6 7 Remote Parameters : ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 1 0,1,2 100% ETS 2 3 0 % SP 3 4,5,6,7 0 % SP 4 5 6 7 Oper status is init ETS DCBx Oper status is Down State Machine Type is Asymmetric C
3 13% ETS 4 12% ETS 5 12% ETS 6 12% ETS 7 12% ETS Remote Parameters: ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# Bandwidth TSA 0 0,1,2,3,4,5,6,7 100% ETS 1 0% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Priority# Bandwidth TSA 0 13% ETS 1 13% ETS 2 13% ETS 3 13% ETS 4 12% ETS 5 12% ETS 6 12% ETS 7 12% ETS Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf
5 6 7 Remote Parameters: ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# 0 0,1,2,3,4,5,6,7 1 2 3 4 5 6 7 12% 12% 12% ETS ETS ETS Bandwidth 100% 0% 0% 0% 0% 0% 0% 0% TSA ETS ETS ETS ETS ETS ETS ETS ETS Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV 0 Input Traffic Class TLV Pkts, 0 Output Traffi
Local is enabled PG-grp Priority# BW-% BW-COMMITTED BW-PEAK TSA % Rate(Mbps) Burst(KB) Rate(Mpbs) Burst(KB) ---------------------------------------------------------0 0,1,2,4,5,6,7 50 400 100 4000 400 ETS 1 3 50 - - ETS 2 - - - - 3 - - - - 4 - - - - 5 - - - - 6 - - - - 7 - - - - Oper status is init Conf TLV Tx Status is disabled Traffic Class TLV Tx Status is disabled 0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts 0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error
Field Description • Internally propagated: ETS configuration parameters were received from configuration source. ETS DCBx Oper status Operational status of ETS configuration on local port: match or mismatch. State Machine Type Type of state machine used for DCBx exchanges of ETS parameters: • • Feature: for legacy DCBx versions Asymmetric: for an IEEE version Conf TLV Tx Status Status of ETS Configuration TLV advertisements: enabled or disabled.
E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled F-Application priority for FCOE enabled f-Application Priority for FCOE disabled I-Application priority for iSCSI enabled i-Application Priority for iSCSI disabled ----------------------------------------------------------------------------------Interface TenGigabitEthernet 2/12 Remote Mac Address 00:01:e8:8a:df:a
Acknowledgment Number: 1 Total DCBx Frames transmitted 994 Total DCBx Frames received 646 Total DCBx Frame errors 0 Total DCBx Frames unrecognized 0 The following table describes the show interface DCBx detail command fields. Table 22. show interface DCBx detail Command Description Field Description Interface Interface type with chassis slot and port number. Port-Role Configured DCBx port role: auto-upstream, autodownstream, config-source, or manual.
Field Description Peer DCBx Status: Sequence Number Sequence number transmitted in Control TLVs received from peer device. Peer DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs received from peer device. Total DCBx Frames transmitted Number of DCBx frames sent from local port. Total DCBx Frames received Number of DCBx frames received from remote peer port. Total DCBx Frame errors Number of DCBx frames with errors received.
Using PFC and ETS to Manage Data Center Traffic The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: • Incoming SAN traffic is configured for priority-based flow control. • Outbound LAN, IPC, and SAN traffic is mapped into three ETS priority groups and configured for enhanced traffic selection (bandwidth allocation and scheduling). • One lossless queue is used. Figure 32.
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
Using PFC and ETS to Manage Converged Ethernet Traffic Using PFC and ETS to manage converged ethernet traffic: dcb-map linecard all backplane all dcb-map-name Hierarchical Scheduling in ETS Output Policies ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations: Priority group 1 Assigns traffic to one priority queue with 20% of the link bandwidth and strictpriority scheduling.
Pause and Resume of Traffic The pause message is used by the sending device to inform the receiving device about a congested, heavily-loaded traffic state that has been identified. When the interface of a sending device transmits a pause frame, the recipient acknowledges this frame by temporarily halting the transmission of data packets. The sending device requests the recipient to restart the transmission of data traffic when the congestion eases and reduces.
Configuring the Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps: 1. Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces. CONFIGURATION mode dcb enable 2. Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported.
dcb pfc-total-buffer-size buffer-size linecard {linecard-number | all} Line card number range is from 0 to 2. 9. Configuring global shared buffer size on linecards.
Debugging and Diagnostics 12 This chapter describes the debugging and diagnostics tasks you can perform on the switch. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. You can run offline diagnostics from the switch or port extender. Important Points to Remember • Diagnostics only test connectivity, not the entire data path. • Diagnostic results are stored on the flash of the switch on which you performed the diagnostics.
A warning is displayed with a CLI prompt asking you to click Yes or No. Dell#diag pe 0 stack-unit 0 level0 ? Warning - PE-Unit 0 at PEID 0 will go offline to run the diagnostics. Offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics. PE unit will be automatically reloaded once the diagnostics tests are completed.
PE unit will be automatically reloaded once the diagnostics tests are completed. Warning - The diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports Proceed with PE diag [confirm yes/no]:yes Dell# Jul 30 12:59:39: %RPM0-P:CP %BRM-5-PE_UNIT_DOWN: PE:255 Unit:2 Unit MAC:f8:b1:56:00:02:d1 is operationally down.
Part Number Part Number Revision SW Version NetBsd Version ----- NA NA 1-0(0-4237) 1-0(0-4237) Available free memory: 694,554,624 bytes LEVEL 0 DIAGNOSTIC boardRevision ............................................... PASS cpldAccess .................................................. PASS cpuType ..................................................... PASS Starting test: fanControllerSpeedGet ...... 000 - FAN Controller Get Speed Test ................................
021 - One Gig PHY Access Test ...................................... PASS 022 - One Gig PHY Access Test ...................................... PASS 023 - One Gig PHY Access Test ...................................... PASS 024 - One Gig PHY Access Test ...................................... PASS 025 - One Gig PHY Access Test ...................................... PASS 026 - One Gig PHY Access Test ...................................... PASS 027 - One Gig PHY Access Test ......................................
002 - POE Manager Presence Test .................................... PASS 003 - POE Manager Presence Test .................................... PASS 004 - POE Manager Presence Test .................................... PASS 005 - POE Manager Presence Test .................................... PASS poeManagerPresence .......................................... PASS Starting test: poeManagerTemp ...... 000 - POE Manager Temperature Test ................................. PASS 001 - POE Manager Temperature Test ...
007 - One Gig PHY Link Test ........................................ PASS 008 - One Gig PHY Link Test ........................................ PASS 009 - One Gig PHY Link Test ........................................ PASS 010 - One Gig PHY Link Test ........................................ PASS 011 - One Gig PHY Link Test ........................................ PASS 012 - One Gig PHY Link Test ........................................ PASS 013 - One Gig PHY Link Test ........................................
The following example shows how to run offline diagnostics for PE in Debug mode. NOTE: Dell Networking highly recommends reloading the system after running the offline diagnostics in Debug mode on the switch.
EXEC Privilege Mode diag system diag linecard linecard_number A warning is displayed with a CLI prompt asking you to click Yes or No Dell#diag system Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports Proceed with Diags [confirm yes/no]: 5. View the results of the diagnostic tests. EXEC Privilege Mode show file flash://TestReport-CP-unit.txt show file flash://TestReport-LP-linecard-number.
- 1 2 3 4 5 6 7 8 9 10 Linecard Linecard Linecard Linecard Linecard Linecard Linecard Linecard Linecard Linecard card problem unknown not present not present offline C9000LC0640 C9000LC0640 1-0(0-4854) 24 offline C9000LC0640 C9000LC0640 1-0(0-4854) 24 not present not present not present not present card problem C9000-RPM-2.56T C9000-RPM-2.
unit 2d3h3m : Approximate time to complete the Diags (all levels)... 10 Mins Apr 26 22:33:07: %RPM0-P:CP %IPC-2-STATUS: target line card 10 not responding Apr 26 22:33:07: %RPM0-P:CP %CHMGR-2-LINECARD_DOWN: Major alarm: linecard 10 down - IPC timeout 2d3h4m : Diagnostic test results are stored on file: flash:/TestReport-LP-5.txt 2d3h4m : Diagnostic test results are stored on file: flash:/TestReport-LP-4.
CpuType PPID PPID Rev Service Tag Part Number Part Number Revision LM CPLD LM extended CPLD SW Version ---------- LM CN0CYFF2779314A60021 X00 15YQG02 0CYFF2 X00 31 30 1-0(0-4854) Available free memory: 1,664,086,016 bytes LEVEL 0 DIAGNOSTIC Starting test: bcm56854AccessTest ...... + Access Test for unit 0 : PASSED bcm56854AccessTest .......................................... PASS biosVerGetTest .............................................. PASS boardRevisionTest .........................................
pcieScanTest ................................................ PASS rtcTest ..................................................... PASS sataSsdTest ................................................. PASS Starting test: showTemperature ...... +Board First Thermal Monitor Sensor[0] is 42.0 C +Board First Thermal Monitor Sensor[1] is 37.0 C +Board First Thermal Monitor Sensor[2] is 36.0 C +Board First Thermal Monitor Sensor[3] is 37.0 C CPU Temp 31 c DDR Temperature 35 c showTemperature ..........................
/dev/rwd0k: 3 files, 20398 Iteration 10 - File System /dev/rwd0k: 3 files, 20398 Iteration 11 - File System /dev/rwd0k: 3 files, 20398 Iteration 12 - File System /dev/rwd0k: 3 files, 20398 Iteration 13 - File System /dev/rwd0k: 3 files, 20398 Iteration 14 - File System /dev/rwd0k: 3 files, 20398 Iteration 15 - File System /dev/rwd0k: 3 files, 20398 Iteration 16 - File System /dev/rwd0k: 3 files, 20398 Iteration 17 - File System /dev/rwd0k: 3 files, 20398 Iteration 18 - File System /dev/rwd0k: 3 files, 20398
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 42 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 43 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 44 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 45 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 46 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 47 - Fil
Available free memory: 1,357,742,080 bytes LEVEL 0 DIAGNOSTIC biosVerGetTest .............................................. PASS boardRevisionTest ........................................... PASS Starting test: cpldAccessTest ......CPLD Major Ver 3 Minor Ver 3 cpldAccessTest .............................................. PASS Starting test: cpuGELinkStatusTest ...... + GbE1 Link Status UP + GbE2 Link Status DOWN + GbE3 Link Status UP cpuGELinkStatusTest .........................................
PSU[0] Current Test FAIL PSU[1] Current Test FAIL PSU[2] Current Test FAIL psuCurrentTest .............................................. FAIL Starting test: psuFanAirFlowDirectionTest ...... PSU[0] Fan Air Flow Test FAIL PSU[1] Fan Air Flow Test FAIL PSU[2] Fan Air Flow Test FAIL psuFanAirFlowDirectionTest .................................. FAIL Starting test: psuFanSpeedTest ...... PSU[0] Fan Speed Test FAIL PSU[1] Fan Speed Test FAIL PSU[2] Fan Speed Test FAIL psuFanSpeedTest .............................
cpldRWTest .................................................. PASS extCPLDRWTest ............................................... PASS fanCntrlAccessTest .......................................... PASS Starting test: fanCntrlSpeedTest ......
PSU [1] Eeprom Access Test FAIL PSU [2] Eeprom Access Test FAIL psuEepromAccessTest ......................................... rtcTest ..................................................... sataSsdTest ................................................. Starting test: ssdFlashFileSystemStressTest ......
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 30 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 31 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 32 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 33 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 34 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 35 - Fil
ipcPingTrafficTest ..........................................
Available free memory: 1,664,086,016 bytes LEVEL 0 DIAGNOSTIC Starting test: bcm56854AccessTest ...... + Access Test for unit 0 : PASSED bcm56854AccessTest .......................................... PASS biosVerGetTest .............................................. PASS boardRevisionTest ........................................... PASS cpldAccessTest .............................................. PASS Starting test: CpuGbeLinkStatusTest ......
showTemperature ............................................. PASS slotInfoTest ................................................ PASS Starting test: spiFlashAccessTest ......temperature monitor 0: current= 49.8, peak= 86.1 temperature monitor 1: current= 50.9, peak= 86.1 temperature monitor 2: current= 51.4, peak= 87.8 temperature monitor 3: current= 52.0, peak= 87.8 temperature monitor 4: current= 50.3, peak= 87.8 temperature monitor 5: current= 49.8, peak= 87.8 temperature monitor 6: current= 50.
/dev/rwd0k: 3 files, 20398 Iteration 15 - File System /dev/rwd0k: 3 files, 20398 Iteration 16 - File System /dev/rwd0k: 3 files, 20398 Iteration 17 - File System /dev/rwd0k: 3 files, 20398 Iteration 18 - File System /dev/rwd0k: 3 files, 20398 Iteration 19 - File System /dev/rwd0k: 3 files, 20398 Iteration 20 - File System /dev/rwd0k: 3 files, 20398 Iteration 21 - File System /dev/rwd0k: 3 files, 20398 Iteration 22 - File System /dev/rwd0k: 3 files, 20398 Iteration 23 - File System /dev/rwd0k: 3 files, 20398
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 47 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 48 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 49 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 50 - File System Check passed Completed 50 iterations No issues found in SD Flash (/dev/wd0k) SD Flash File System Stress Test is Passed ssdFlashFileSystemStressTest ....................
PPID PPID Rev Service Tag Part Number Part Number Revision RPM CPLD RPM extended CPLD SW Version --------- CN0CKKCP7793149U0047 X00 154RG02 0CKKCP X00 33 32 1-0(0-4854) Available free memory: 1,357,742,080 bytes LEVEL 0 DIAGNOSTIC biosVerGetTest .............................................. PASS boardRevisionTest ........................................... PASS Starting test: cpldAccessTest ......CPLD Major Ver 3 Minor Ver 3 cpldAccessTest ..............................................
Starting test: mgmtLinkStatusTest ...... + GbE0 Link Status UP mgmtLinkStatusTest .......................................... mgmtPhyAccessTest ........................................... Starting test: pcieScanTest ...... 21 PCI devices installed out of 21 pcieScanTest ................................................ Starting test: psuCurrentTest ...... PSU[0] Current Test FAIL PSU[1] Current Test FAIL PSU[2] Current Test FAIL psuCurrentTest ..............................................
+ Access Test for unit 0 : PASSED udfAccessTest ............................................... PASS Starting test: usbTest ...... -USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED usbTest ..................................................... FAIL LEVEL 1 DIAGNOSTIC cpldRWTest .................................................. PASS extCPLDRWTest ............................................... PASS fanCntrlAccessTest ..........................................
ERROR: ioctl: "lm8" op(1)=READ WITH STOP bus=25 address=0x4a offset=0 length=1 ERROR: ioctl: "lm9" op(1)=READ WITH STOP bus=26 address=0x4b offset=0 length=1 i2cTest ..................................................... FAIL Starting test: interruptStatusRegister ......SMC_SUS0_STA1 Interrupt Status : PASS interruptStatusRegister ..................................... PASS Starting test: psuEepromAccessTest ......
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 26 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 27 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 28 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 29 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 30 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 31 - Fil
udfLinkStatusTest ........................................... FAIL Starting test: usbTest ...... -USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED usbTest ..................................................... FAIL LEVEL 2 DIAGNOSTIC ipcPingTrafficTest ..........................................
Parameters • rp — Enter the keyword rp to upload a trace log from the Route Processor CPU. • linecard slot-id — Enter the linecard slot-id parameters to specify the line-card CPU whose trace log you want to upload. • hw-trace — Enter the keyword hw-trace to upload the hardware trace log from the specified CPU. • sw-trace — Enter the keyword sw-trace to upload the software trace log from the specified CPU. • pe pe–id — Enter the keyword pe and port extender ID. Range is 0– 255.
show hardware linecard slot—id cpu data-plane statistics • The command output provides details about the packet types entering the CPU to see whether CPUbound traffic is internal (IPC traffic) or network control traffic, which the CPU must process. Display internal status and driver-level CPU port statistics of the Control Processor and Route Processor.
• Display the internal statistics for each port-pipe (unit) on per port basis. • show hardware linecard slot—id unit unit-number port-stats [detail] Display the line-card internal registers for each port-pipe. • show hardware linecard slot—id unit unit-number register Display the tables from the bShell through the CLI without going into the bShell. • show hardware linecard slot—id unit unit-number table-dump {table-name} Display hardware statistics from the specified port extender and stack-unit.
show hg-link-bundle—distribution {cp | linecard slot—id} npuUnit unit-number hg-port-channel channel-num Troubleshoot a flap or fault condition on a HiGig backplane link by displaying the internal ports that are mapped to backplane links for control or data traffic and the status of backplane links. In the show hardware bp-link-state command output, 1 indicates that a backplane link is up; 0 indicates the a link is down.
Displaying Port Extender Environment Information To display environment details for each port extender, use the show environment pe pe-id command. Dell#show environment pe pe-id To display information of hardware components of control bridge only, use the show environment all command. Dell#show environment all Display Power Supply Status To monitor the operational status of a power supply, use the show environment pem command. Use the command output to verify the operation of installed power supplies.
0 0 2 3 Total power: down up AC AC up up 1312 18880 0.0 643.0 1309.0 W Display Fan Status To monitor the status of fan operation, use the show environment fan command. The command output displays the operational status of each fan, including tray status, and speed of each fan.
Yes 2 2 2 2 Yes 2 28 32 36 40 44 QSFP Media not present or accessible Media not present or accessible Media not present or accessible 40GBASE-SR4 7503825H006J Media not present or accessible To display more detailed information about the transceiver type, wavelength, and power reception on a switch port, use the show interfaces command.
QSFP 168 Voltage Low Alarm threshold QSFP 168 Bias Low Alarm threshold QSFP 168 RX Power Low Alarm threshold =================================== QSFP 168 Temp High Warning threshold QSFP 168 Voltage High Warning threshold QSFP 168 Bias High Warning threshold QSFP 168 RX Power High Warning threshold QSFP 168 Temp Low Warning threshold QSFP 168 Voltage Low Warning threshold QSFP 168 Bias Low Warning threshold QSFP 168 RX Power Low Warning threshold =================================== QSFP 168 Temperature QSFP
Troubleshoot an Over-Temperature Condition To troubleshoot an over-temperature condition, determine the sensor(s) that triggered the overtemperature alarm by displaying the current temperature levels and the historical logs of the temperature threshold-crossing events. The RPM has CP and LP card whose sensor temperature are monitored. Similarly the Linecard’s sensor is monitored as well. The “show alarm threshold” provides the temperature threshold values for Linecards and RPM.
--------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown linecard0 78 99 84 105 110 --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown RPM0 35 40 43 48 NA --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown PEid100/Stack0 60 65 72 75 105 To display current temperature of line sensors, use the show environment thermal-sensors
When a temperature threshold is crossed (either below or above the pre-configured value), the system logs an event that contains information about the time when the event occurred, the type of event (minor, major, or shutdown), the current temperature of the sensor, and the identity of the sensor. The system also logs events when the fan speeds change (increase or decrease) as a result of changes in sensor temperature. To display the event log, use the show logging command.
• show hardware layer3 qos linecard {0-2} port—set {0-3} • show hardware ipv6 {e.g.
23 24 0 0 0 0 24 25 0 0 0 0 28 29 0 0 0 0 32 33 0 0 0 0 36 37 0 0 0 0 40 41 0 0 0 0 44 45 0 0 0 0 Internal 50 0 0 0 0 Internal 51 0 0 0 0 Internal 52 0 0 0 0 Internal 53 0 0 0 0 Internal 54 0 0 0 0 Internal 55 0 0 0 0 Internal 56 0 0 0 0 Internal 57 0 0 0 0 Internal 58 0 0 0 0 Internal 59 0 0 0 0 Internal 60 0 0 0 0 Internal 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Displaying Dataplane Statistics T
TR MGV Frames = 0 Bytes Transmitted = 0 Frames Transmitted = 125183 Mcast Frames Transmitted = 0 Bcast Frames Transmitted = 4 Pause Frames Transmitted = 0 Deferred Transmits = 0 Excessive Deferred Transmits = 0 TX single collisions = 0 TX multiple collisions = 0 TX late collisions = 0 TX Excessive collisions = 0 TX total collisions = 0 TX Drops = 0 TX Jabber = 0 TX FCS errors = 0 TX Control frames = 0 TX oversize frames = 0 TX undersize frames = 0 TX fragments = 0 Bytes received = 0 Frames received = 2868 B
Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Rx Undersize Packets = 0 Oversize Packets = 0 Pause Packets = 0 64 Octet Packets = 122688 65to127octets Packets = 246245 128to255octets Packets = 441 256to511octets Packets = 3816 512to1023octets Packets = 3247 1024toMaxoctets Packets = 150599 Jabbers = 0 align errors = 0 fcs errors = 0 good octets = 251640594 Drop pkts = 0 Unicast Packets = 333370 Multicast Packets = 193621 Broadcast Packets = 45 Source Address Changes = 3 Fragments = 0 Jum
file, you must perform an FTP to the Control Processor CPU flash directory where the application core dump is stored in the following formats: • An application core dump generated from CP of the RPM: f10Ch_rpm<0/1>_cp__.acore.gz • An application core dump from RP application: f10Ch_rpm<0/1>_rp__.acore.gz • An application core dump from LP application: f10Ch_lp__.acore.
A mini core dump contains critical information in the event of a crash. Mini core dump files are located in flash://CORE_DUMP_DIR directory. The kernel mini core filename in the RPM has the following formats: • Kernel mini core dump generated from CP of the RPMs: f10Ch_rpm<0/1>_cp_.kcore.mini.txt • Kernel mini cored ump from RP CPU: f10Ch_rpm<0/1>_rp_.kcore.mini.txt • Kernel mini core dump from LP CPU: f10Ch_lp_.kcore.mini.
• Kernel full core dump from LP application f10Ch_lp_.kcore.gz Enabling TCP Dumps A TCP dump captures CPU-bound control-plane traffic to improve troubleshooting and system manageability. You can perform a TCP dump on the Control Processor (CP) and Route Processor (RP) CPUs. When you enable TCP dumps, a dump captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, to FTP, SCP, or TFTP.
Dynamic Host Configuration Protocol (DHCP) 13 DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Identifiers a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server. The MD field identifies if a DHCP discovery message was sent by BMP at bootup (MD=BMP) or the ip address dhcp command (MD=INT) in Interface configuration mode or Active Fabric Manager (AFM). L2 DHCP Snooping Option 82 End Option 255 Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database.
Figure 34. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configure the System to be a DHCP Server A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The following table lists the key responsibilities of DHCP servers. Table 25. DHCP Server Responsibilities DHCP Server Responsibility Description Address Storage and Management DHCP servers are the owners of the addresses used by DHCP clients.
3. Specify the range of IP addresses from which the DHCP server may assign addresses. DHCP mode network network/prefix-length • network: the subnet address. • prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31. 4. Display the current pool configuration.
Specifying a Default Gateway The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step. • Specify default gateway(s) for the clients on the subnet, in order of preference. DHCP Mode default-router address Configure a Method of Hostname Resolution Dell Networking systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS.
Manual bindings can be considered single-host address pools. There is no limit on the number of manual bindings, but you can only configure one manual binding per host. NOTE: The system does not prevent you from using a network IP as a host IP; be sure to not use a network IP as a host IP. 1. Create an address pool. DHCP mode pool name 2. Specify the client IP address. DHCP host address 3. Specify the client hardware address.
following illustration. Specify multiple DHCP servers by using the ip helper-address command multiple times. When you configure the ip helper-address command, the system listens for DHCP broadcast messages on port 67. The system rewrites packets received from the client and forwards them via unicast to the DHCP servers; the system rewrites the destination IP address and writes its own address as the relay device.
Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
• • Management routes added by the DHCP client have higher precedence over the same statically configured management route. Static routes are not removed from the running configuration if a dynamically acquired management route added by the DHCP client overwrites a static management route. Management routes added by the DHCP client are not added to the running configuration.
• • • • Option 82 DHCP Snooping Dynamic ARP Inspection Source Address Validation Option 82 RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and is comprised of two sub-options, circuit ID and remote ID. Circuit ID This is the interface on which the client-originated message is received. Remote ID This identifies the host from which the message is received.
packet arrived on the correct port. Packets that do not pass this check are forwarded to the server for validation. This checkpoint prevents an attacker from spoofing a client and declining or releasing the real client’s address. Server-originated packets (DHCPOFFER, DHCPACK, and DHCPNACK) that arrive on a not trusted port are also dropped. This checkpoint prevents an attacker from acting as an imposter as a DHCP server to facilitate a man-in-the-middle attack.
clear ip dhcp snooping binding Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command.
10.1.1.252 10.1.1.253 10.1.1.254 00:00:4d:57:e6:f6 00:00:4d:57:f8:e8 00:00:4d:69:e8:f2 172800 172740 172740 D D D Vl 10 Vl 10 Vl 10 Te 0/1 Te 0/3 Te 0/50 Total number of Entries in the table : 4 Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI. SystemFlow has 102 entries by default.
Invalid ARP Replies Dell# : 0 Bypassing the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default. To bypass the ARP inspection, use the following command. • Specify an interface as trusted so that ARPs are not validated against the binding table.
NOTE: If you enable IP source guard using the ip dhcp source-address-validation command and if there are more entries in the current DHCP snooping binding table than the available CAM space, SAV may not be applied to all entries. To ensure that SAV is applied correctly to all entries, enable the ip dhcp source-address-validation command before adding entries to the binding table. • Enable IP source address validation.
4. Enable IP+MAC SAV. INTERFACE mode ip dhcp source-address-validation ipmac 5. Enable IP source address validation with VLAN option. INTERFACE mode ip dhcp source-address-validation ipmac vlan vlan-id The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
Equal Cost Multi-Path (ECMP) 14 Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting. To configure the hash algorithm seed, use the following command. • Specify the hash algorithm seed. CONFIGURATION mode.
• ip ecmp-group maximum-paths {2-64} Enable ECMP group path management. CONFIGURATION mode. ip ecmp-group path-fallback Example of the ip ecmp-group maximum-paths Command Dell(conf)#ip ecmp-group maximum-paths 3 User configuration has been changed. Save the configuration and reload to take effect Dell(conf)# Creating an ECMP Group Bundle Within each ECMP group, you can specify an interface.
The range is from 1 to 64. Viewing an ECMP Group NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6... 1022) and are for information only. You can configure ecmp-group with id 2 for link bundle monitoring.
mechanism results in load sharing of traffic corresponding to path X across both the available paths in a 4:1 ratio. The following example shows the configuration in each router shown in Figure 1: R1# interface vlan 10 ip address 1.1.1.1/24 no shut router bgp 1 maximum-paths ibgp 2 bgp dmzlink-bw neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 1.1.1.3 remote-as 1 neighbor 1.1.1.3 no shutdown R2# interface tengigbitethernet 1/1 ip address 1.1.1.
neighbor 4.4.4.1 remote-as 1 neighbor 4.4.4.1 dmzlink-bw neighbor 4.4.4.1 no shutdown R5# interface tengigbitethernet 1/1 Ip address 5.5.5.2/24 no shut interface fortGigE 1/48 ip address 3.3.3.2/24 no shut router bgp 2 maximum-paths ebgp 2 bgp dmzlink-bw neighbor 5.5.5.1 remote-as 1 neighbor 5.5.5.1 dmzlink-bw neighbor 5.5.5.1 no shutdown neighbor 3.3.3.1 remote-as 1 neighbor 3.3.3.
Dell(conf)#ip route vrf test 1.1.1.0/24 4.4.4.2 weight 100 Dell(conf)#ip route vrf test 1.1.1.0/24 6.6.6.2 weight 200 Dell(conf)# Dell(conf)# Dell#show running-config | grep route ip route vrf test 1.1.1.0/24 4.4.4.2 weight 100 ip route vrf test 1.1.1.0/24 6.6.6.2 weight 200 ECMP Support in L3 Host and LPM Tables The L3 host and Longest Prefix Match (LPM) tables provide ECMP next-hop forwarding for destination addresses.
15 FCoE Transit The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces. Fibre Channel over Ethernet FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN) and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
requirement for point-to-point connections by creating a unique virtual link for each connection between an FCoE end-device and an FCF via a transit switch. FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF).
Figure 37. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network. The top-of-rack (ToR) switch operates as an FCF for FCoE traffic. Converged LAN and SAN traffic is transmitted between the ToR switch and an core switch. The switch operates as a lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the FCF switch. Figure 38.
• To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses. The FC-MAP value is used in the ACLs installed in bridge-to-bridge links on the switch. • To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge Port modes.
• configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames (use the portmode hybrid command). • configure tagged VLAN membership on each FIP snooping port that sends and receives FCoE traffic and has links with an FCF, ENode server, or another FIP snooping bridge (use the tagged port-type slot/port command). The default VLAN membership of the port must continue to operate with untagged frames.
Enable FIP Snooping on VLANs You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN. When you enable FIP snooping on VLANs: • FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs. • FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
Table 28. Impact of Enabling FIP Snooping Impact Description MAC address learning MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on serverfacing ports in ENode mode. MTU auto-configuration MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these steps. 1. Configure FCoE. To configure FCoE transit, refer to the FCoE Transit Configuration Example NOTE: DCB/DCBx is enabled when either of these configurations is applied. 2. Save the configuration on the switch. EXEC Privilege mode. write memory 3. Reload the switch to enable the configuration. EXEC Privilege mode. reload After the switch is reloaded, DCB/DCBx is enabled. 4.
Command Output show fip-snooping enode [enode-mac enode-mac-address] Displays information on the ENodes in FIPsnooped sessions, including the ENode interface and MAC address, FCF MAC address, VLAN ID and FC-ID. show fip-snooping fcf [fcf-mac fcf-mac- Displays information on the FCFs in FIP-snooped address] sessions, including the FCF interface and MAC address, FCF interface, VLAN ID, FC-MAP value, FKA advertisement period, and number of ENodes connected.
Table 30. show fip-snooping sessions Command Description Field Description ENode MAC MAC address of the ENode. ENode Interface Slot/ port number of the interface connected to the ENode. FCF MAC MAC address of the FCF. FCF Interface Slot/ port number of the interface to which the FCF is connected. VLAN VLAN ID number used by the session. FCoE MAC MAC address of the FCoE session assigned by the FCF. FC-ID Fibre Channel ID assigned by the FCF. Port WWPN Worldwide port name of the CNA port.
The following example shows the show fip-snooping fcf command. Dell# show fip-snooping fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No. of Enodes ------------------- ---- ------------------- ------------54:7f:ee:37:34:40 Po 22 100 0e:fc:00 4000 2 The following table describes the show fip-snooping fcf command fields. Table 32. show fip-snooping fcf Command Description Field Description FCF MAC MAC address of the FCF.
Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number of of of of of of of of of of of of of of of of of of Unicast Discovery Solicits FLOGI FDISC FLOGO Enode Keep Alive VN Port Keep Alive Multicast Discovery Advertisement Unicast Discovery Advertisement FLOGI Accepts FLOGI Rejects FDISC Accepts FDISC Rejects FLOGO Accepts FLOGO Rejects CVL FCF Discovery Timeouts VN Port Session Timeouts Session failures due to Hardware Config :0 :1
Field Description Number of FLOGI Number of FIP-snooped FLOGI request frames received on the interface. Number of FDISC Number of FIP-snooped FDISC request frames received on the interface. Number of FLOGO Number of FIP-snooped FLOGO frames received on the interface. Number of ENode Keep Alives Number of FIP-snooped ENode keep-alive frames received on the interface. Number of VN Port Keep Alives Number of FIP-snooped VN port keep-alive frames received on the interface.
The following example shows the show fip-snooping vlan command. Dell# show fip-snooping vlan * = Default VLAN VLAN ---*1 100 FC-MAP -----0X0EFC00 FCFs ---1 Enodes -----2 Sessions -------17 FCoE Transit Configuration Example The following illustration shows an core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 39.
The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC configuration on both ports is synchronized. For more information about how to configure DCBx and PFC on a port, refer to the Data Center Bridging (DCB) chapter. The following example shows how to configure FIP snooping on FCoE VLAN 10, on an FCF-facing port (0/50), on an ENode server-facing port (0/1), and to configure the FIP snooping ports as tagged members of the FCoE VLAN enabled for FIP snooping.
16 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Monitoring FIPS Mode Status To view the status of the current FIPS mode (enabled/disabled), use the following commands. • Use either command to view the status of the current FIPS mode. show fips status show system Example of the show fips status and show system Commands Dell#show fips status FIPS Mode : Enabled for the system using the show system command.
CONFIGURATION mode no fips mode enable The following Warning message displays: WARNING: Disabling FIPS mode will close all SSH/Telnet connections, restart those servers, and destroy all configured host keys.
Flex Hash and Optimized Boot-Up 17 This chapter describes the Flex Hash and fast-boot enhancements. Flex Hash Capability Overview The flex hash functionality enables you to configure a packet search key and matches packets based on the search key. When a packet matches the search key, two 16-bit hash fields are extracted from the start of the L4 header and provided as inputs (bins 2 and 3) for RTAG7 hash computation.
When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value. 2.
• The local system moves to the ‘collecting’ and ‘distributing’ states on the port in a single step without waiting for the partner to set the ‘collecting’ bit. RDMA Over Converged Ethernet (RoCE) Overview Remote direct memory access (RDMA) is a technology that a virtual machine (VM) uses to directly transfer information to the memory of another VM, thus enabling VMs to be connected to storage networks.
RRoCE traffic. For normal IP or data traffic that is not RRoCE-enabled, the packets comprise TCP and UDP packets and they can be marked with DSCP code points. Multicast is not supported in that network. Sample Configurations Figure 40.
! interface TenGigabitEthernet 0/1 Description Link to RoCE Adapter no ip address mtu 12000 portmode hybrid switchport no spanning-tree ! protocol lldp dcbx port-role auto-downstream no shutdown ! interface fortyGigE 0/33 Description “To C9010s” no ip address mtu 12000 ! port-channel-protocol LACP port-channel 1 mode active ! protocol lldp no advertise dcbx-tlv ets-reco dcbx port-role auto-upstream no shutdown C9010 1 and C9010 2, VLT, RoCE, and iSCSI ! dcb enable iscsi enable ! dcb-map converged Descriptio
Description VLTi to other switch C9010 1 vlt domain 2 peer-link port-channel 128 back-up destination interface Port-channel 128 no ip address mtu 12000 channel-member fortyGigE 1/4 no shutdown interface fortyGigE 1/4 no ip address mtu 12000 dcb-map Converged protocol lldp no shutdown C9010 2 vlt domain 2 peer-link port-channel 128 back-up destination interface Port-channel 128 no ip address mtu 12000 channel-member fortyGigE 1/4 no shutdown interface fortyGigE 1/4 no
protocol lldp no shutdown ! interface TenGigabitEthernet 0/18 Description SOFS-RDMA no ip address mtu 12000 portmode hybrid switchport no spanning-tree dcb-map RoCE ! protocol lldp no shutdown ! interface TenGigabitEthernet 0/22 Description SOFS- iSCSI no ip address mtu 12000 portmode hybrid switchport spanning-tree rstp edge-port spanning-tree 0 portfast dcb-map iSCSI ! protocol lldp no shutdown Preserving 802.
You can use the encapsulation dot1q vlan-id command in INTERFACE mode to configure lite subinterfaces.
18 Force10 Resilient Ring Protocol (FRRP) Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
Multiple FRRP Rings Up to 255 rings are allowed per system and multiple rings can be run on one system. More than the recommended number of rings may cause interface instability. You can configure multiple rings with a single switch connection; a single ring can have multiple FRRP groups; multiple rings can be connected with a common link. Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology.
• The control VLAN is not used to carry any data traffic; it carries only RHFs. • The control VLAN cannot have members that are not ring ports. • If multiple rings share one or more member VLANs, they cannot share any links between them. • Member VLANs across multiple rings are not supported in Master nodes. • Each ring has only one Master node; all others are transit nodes. Attention: The port extender does not support FRRP.
Concept Explanation Ring Status The state of the FRRP ring. During initialization/configuration, the default ring status is Ring-down (disabled). The Primary and Secondary interfaces, control VLAN, and Master and Transit node information must be configured for the ring to be up. • Ring-Up — Ring is up and operational. • Ring-Down — Ring is broken or not set up. Ring Health-Check The Master node generates two types of RHFs.
Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports.
4. Configure the Master node. CONFIG-FRRP mode. mode master 5. Identify the Member VLANs for this FRRP group. CONFIG-FRRP mode. member-vlan vlan-id {range} VLAN-ID, Range: VLAN IDs for the ring’s member VLANS. 6. Enable FRRP. CONFIG-FRRP mode. no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands.
Interface: • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port. VLAN ID: Identification number of the Control VLAN. 4. Configure a Transit node. CONFIG-FRRP mode. mode transit 5. Identify the Member VLANs for this FRRP group. CONFIG-FRRP mode.
Viewing the FRRP Configuration To view the configuration for the FRRP group, use the following command. • Show the configuration for this FRRP group. CONFIG-FRRP mode. show configuration Viewing the FRRP Information To view general FRRP information, use one of the following commands. • Show the information for the identified FRRP group. EXEC or EXEC PRIVELEGED mode. show frrp ring-id • Ring ID: the range is from 1 to 255. Show the state of all FRRP groups. EXEC or EXEC PRIVELEGED mode.
no shutdown ! interface TengigabitEthernet 1/34 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TengigabitEthernet 1/24,34 no shutdown ! interface Vlan 201 no ip address tagged TengigabitEthernet 1/24,34 no shutdown ! protocol frrp 101 interface primary TengigabitEthernet 1/24 secondary TengigabitEthernet 1/34 control-vlan 101 member-vlan 201 mode master no disable Example of R2 TRANSIT interface TengigabitEthernet 2/14 no ip address switchport no shutdown ! interface Tengigab
! interface Vlan 101 no ip address tagged TengigabitEthernet 3/14,21 no shutdown ! interface Vlan 201 no ip address tagged TengigabitEthernet 3/14,21 no shutdown ! protocol frrp 101 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14 control-vlan 101 member-vlan 201 mode transit no disable 432 Force10 Resilient Ring Protocol (FRRP)
19 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 41. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
not be unconfigured when it receives a Leave PDU. Therefore, the registration mode on that interface is FIXED. • Forbidden Mode — Disables the port to dynamically register VLANs and to propagate VLAN information except information about VLAN 1. A port with forbidden registration type thus allows only VLAN 1 to pass through even though the PDU carries information for more VLANs.
LeaveAll Timer Dell(conf)# 5000 The system displays this message if an attempt is made to configure an invalid GARP timer: Dell(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer.
20 High Availability (HA) High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. High Availability on Chassis The primary RPM (Route Processor Module) performs the routing, switching, and control operations while the standby RPM monitors the primary RPM. If the primary RPM fails, the standby RPM can assume control of the system without requiring a chassis reboot.
RPM Online Insertion Dell Networking systems can function with only one RPM. If you insert a second RPM, it comes online as the standby RPM. To display the status of installed RPMs, enter the show rpm all command.
-- Linecard 3 -Status Required Type : not present : C9000LC2410G - 24-port TE/GE Replacing a Line Card To replace a line card with a line card of the same type, you can remove the old card and insert a new card without any additional configuration. To replace a line card with a different card type, remove the card and then remove the existing line-card configuration for the slot using the command no linecard slot-id provision.
For example, if you configure hitless open shortest path first (OSPF) over hitless the link aggregation control protocol (LACP) link aggregation groups (LAGs), both features work seamlessly to deliver a hitless OSPF-LACP result. However, to achieve a hitless result, if the hitless behavior involves multiple protocols, all protocols must be hitless. For example, if OSPF is hitless but bidirectional forwarding detection (BFD) is not, OSPF operates in hitless mode and BFD flaps upon a control-plane failover.
Failure and Event Logging Dell Networking systems provide multiple options for logging failures and events. Trace Log To track the execution of a program, developers interlace messages with software code. These messages are called trace messages and are primarily used for debugging and to provide lowerlevel information than event messages, which system administrators use. Dell Networking OS retains trace messages for hardware and software and stores them in files (logs) on the internal flash.
redundancy disableauto-reboot pe all Prevents all the PEs from automatically rebooting when the switch fails. redundancy disableauto-reboot pe id stack-unit Prevents all the PEs in a stack from automatically rebooting when the switch fails. redundancy disableauto-reboot Prevents the system from automatically rebooting when the switch fails. show redundancy Displays the current redundancy configuration.
Runtime Event Log: Running Config: succeeded succeeded Jun 26 2015 22:56:16 Jun 26 2015 22:56:16 RPM Synchronization Data between the primary (management) and standby RPMs is synchronized immediately after bootup. After the two RPMs have performed an initial full synchronization (block sync), the system automatically updates only changed data (incremental sync).
• Prevent a failed stack unit from rebooting after a failover.
Internet Group Management Protocol (IGMP) 21 Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 42. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicastsystems address 224.0.0.1) a general query to all hosts on the subnet. 2.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. • To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Figure 44. IGMP Version 3–Capable Multicast Routers Address Structure Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 45. Membership Reports: Joining and Filtering Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Figure 46. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1. Enable multicast routing using the ip multicast-routing command. 2. Enable a multicast routing protocol.
• Fast Convergence after MSTP Topology Changes • Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command. • View IGMP-enabled interfaces.
IGMP version is 3 Dell(conf-if-te-1/13)# Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. • View both learned and statically configured IGMP groups. EXEC Privilege mode show ip igmp groups Example of the show ip igmp groups Command Dell#show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Last Reporter 225.1.1.1 TenGigabitEthernet 1/0 1.1.1.2 225.1.1.2 TenGigabitEthernet 1/0 1.1.1.
If you enable IGMP snooping on a VLT unit, IGMP snooping dynamically learned groups and multicast router ports are made to learn on the peer by explicitly tunneling the received IGMP control packets. IGMP Snooping Implementation Information • IGMP snooping uses IP multicast addresses not MAC addresses. • IGMP snooping reacts to spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) topology changes by sending a general query on the interface that transitions to the forwarding state.
• View the configuration. INTERFACE VLAN mode show config Example of Configuration Output After Removing a Group-Port Association Dell(conf-if-vl-100)#show config ! interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown Dell(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN.
• Configure the switch to be the querier for a VLAN by first assigning an IP address to the VLAN interface. INTERFACE VLAN mode ip igmp snooping querier IGMP snooping querier does not start if there is a statically configured multicast router interface in the VLAN. The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet.
ip igmp snooping mrouter interface Internet Group Management Protocol (IGMP) 457
Interfaces 22 This chapter describes interface types, both physical and logical, and how to configure them on the switch. • 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
Port Numbering On the C9010, linecard slots are numbered 0 to 9. The RPM slots are numbered 10 and 11. NOTE: If the C9010 operates with only one RPM, you can install the RPM in either slot 10 (the top RPM slot labeled R0) or slot 11 (the bottom RPM slot labeled R1). If you install two RPMs, by default, the RPM in slot 10 is the primary management unit and the RPM in slot 11 is the standby.
Figure 48. 40GbE QSFP+ Port Numbering On the 6-Port 40GbE QSFP+ line card, ports are numbered from 0 to 5 and operate by default in 40GbE mode. If you use a breakout cable, each port can operate in 10G mode. 40GbE ports are numbered in multiples of four, starting with zero; for example, 0, 4, 8, 12, and so on. When you install a breakout cable, the resulting four 10GbE ports are numbered with the remaining numbers.
On the 1/10GbE RJ-45 line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 51. C1048P Port Numbering On a C1048P port extender, 10/100/1000BASE-T ports on the front panel are numbered from 1 to 48. • Odd-numbered ports 1-47 are on top; even-numbered ports 2-48 are on the bottom. • A yellow PE port number indicates that the port is PoE-enabled. • The two 10GbE SFP+ ports, which are used only for uplinks to an attached C9010, are numbered 1 and 2.
Interface Type Modes Possible Default Mode Requires Creation Default State Loopback L3 L3 Yes No Shutdown (enabled) Null N/A N/A No Enabled Port Channel L2, L3 L3 Yes Shutdown (disabled) VLAN L2, L3 L2 Yes (except default) L2 - Shutdown (disabled) NOTE: The VLAN range is 1 – 4094. VLAN 4092 and VLAN 4093 are reserved VLANs. You cannot configure these VLANs. L3 - No Shutdown (enabled) View Basic Interface Information To view basic interface information, use the following command.
Medium is MultiRate Interface index is 2098692 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :3417eb01dc27 MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 07:40:05 Queueing strategy: fifo Input Statistics: 8748 packets, 1539208 bytes 0 64-byte pkts, 0 over 64-byte pkts, 8748 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 87
0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
Te 6/5 Te 6/6 Te 6/7 Te 6/8 Te 6/9 Te 6/10 Te 6/11 Te 6/12 Te 6/13 Te 6/14 Te 6/15 Te 6/16 Te 6/17 Te 6/18 Te 6/19 Te 6/20 Te 6/21 Te 6/22 Te 6/23 Fo 9/0 Fo 9/4 Fo 9/8 Fo 9/12 Fo 9/16 Fo 9/20 Te 10/0 Te 10/1 Te 10/2 Te 10/3 Te 11/0 Te 11/1 Te 11/2 Te 11/3 PeGi 255/1/1 PeGi 255/1/2 PeGi 255/1/3 PeGi 255/1/4 PeGi 255/1/5 PeGi 255/1/6 PeGi 255/1/7 PeGi 255/1/8 PeGi 255/1/9 PeGi 255/1/10 PeGi 255/1/11 PeGi 255/1/12 PeGi 255/1/13 PeGi 255/1/14 PeGi 255/1/15 PeGi 255/1/16 PeGi 255/1/17 PeGi 255/1/18 PeGi 255/1/19
PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi 466 255/1/32 255/1/33 255/1/34 255/1/35 255/1/36 255/1/37 255/1/38 255/1/39 255/1/40 255/1/41 255/1/42 255/1/43 255/1/44 255/1/45 255/1/46 255/1/47 255/1/48 255/2/1 255/2/2 255/2/3 255/2/4 2
PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi PeGi 255/2/48 255/3/1 255/3/2 255/3/3 255/3/4 255/3/5 255/3/6 255/3/7 255/3/8 255/3/9 255/3/10 255/3/11 255/3/12 255/3/13 255/3/14 255/3/15 255/3/16 255/3/17 255/3/18 255/3/19 255/3/20 255/3/21 255/3/22 255/3/23 255/3/24 255/3/25 255/3/26 255/3/27 255/3/28 255/3/29 255/3
TengigabitEthernet 1/7 TengigabitEthernet 1/8 unassigned unassigned NO NO Manual Manual administratively down administratively down down down To view only configured interfaces, use the show interfaces configured command in the EXEC Privilege mode. To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the line cards. Dell#show running Current Configuration ...
3. Verify the configuration. INTERFACE mode show config Dell(conf-if-te-1/5)#show config ! interface TenGigabitEthernet 1/5 no ip address shutdown All the applied configurations are removed and the interface is set to the factory default state. Enabling a Physical Interface After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface {slot/port | pe-id/stack-unit/port} command. 1.
Port Pipes A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port set. The system has 10 switch cards and each card has only one port pipe and 48 ports in each. • For ports connected through the port extender, you can have a maximum of 4 sessions system.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. • Enable Layer 2 data transmissions through an individual interface.
INTERFACE mode no shutdown Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only. Dell(conf-if)#show config ! interface TengigabitEthernet 1/2 no ip address switchport no shutdown Dell(conf-if)#ip address 10.
MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports.
Management Interfaces The switch supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system. Configuring a Dedicated Management Interface The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Global IPv6 address: 1::1/ Global IPv6 address: 2::1/64 Virtual-IP is not set Virtual-IP IPv6 address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode full duplex ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:06:14 Queueing strategy: fifo Input 791 packets, 62913 bytes, 775 multicast Received 0 errors, 0 discarded Output 21 packets, 3300 bytes, 20 multicast Output 0 errors, 0 invalid protocol Time since last interface status change: 00:06:03 Unless
Example of the show interface and show ip route Commands To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
For information about how to install a PE and set up a PE stack, see the C1048P Getting Started Guide and C1048P Installation Guide. VLAN Interfaces VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. The supported VLAN range is 1 – 4094. For more information about VLANs and Layer 2, refer to Layer 2 and Virtual LANs (VLANs).
• Enter a number as the Loopback interface. CONFIGURATION mode interface loopback number • The range is from 0 to 16383. View Loopback interface configurations. EXEC mode • show interface loopback number Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the commands supported on physical interfaces are also supported on a Loopback interface. Null Interfaces The Null interface is another virtual interface. There is only one Null interface.
Port Channel Benefits A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface. For example, you configure one IP address for the group and that IP address is used for all routed traffic on the port channel. With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links.
configuration becomes the common speed of the port channel. If the other interfaces configured in that port channel are configured with a different speed, the system disables them. Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
• • mtu ip mtu (if the interface is on a Jumbo-enabled by default) NOTE: A logical port channel interface cannot have flow control. Flow control can only be present on the physical interfaces if they are part of a port channel. NOTE: The switch supports jumbo frames by default (the default maximum transmission unit (MTU) is 9216 bytes). To configure the MTU, use the mtu command from INTERFACE mode.
The following example is for a L2 port channel with port extender interfaces.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, the system recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1. Remove the interface from the first port channel.
Example of Configuring the Minimum Oper Up Links in a Port Channel Dell#config t Dell(conf)#int po 1 Dell(conf-if-po-1)#minimum-links 5 Dell(conf-if-po-1)# Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
– secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Deleting or Disabling a Port Channel To delete or disable a port channel, use the following commands. • Delete a port channel. CONFIGURATION mode • no interface portchannel channel-number Disable a port channel. shutdown When you disable a port channel, all interfaces within the port channel are operationally down also.
• Change to another algorithm. CONFIGURATION mode hash-algorithm ecmp {crc-upper} | {dest-ip} | {lsb} Example of the hash-algorithm Command Dell(conf)#hash-algorithm ecmp xor1 lag crc16 Dell(conf)# The hash-algorithm command is specific to ECMP group. The default ECMP hash configuration is crclower. This command takes the lower 32 bits of the hash key to compute the egress port. Other options for ECMP hash-algorithms are: • crc-upper — uses the upper 32 bits of the hash key to compute the egress port.
• Create a Multiple-Range • Exclude Duplicate Entries • Exclude a Smaller Port Range • Overlap Port Ranges • Commas • Add Ranges Create a Single-Range The following is an example of a single range. Dell(config)# interface range tengigabitethernet 0/1 - 23 Dell(config-if-range-te-0/1-23)# no shutdown Dell(config-if-range-te-0/1-23)# The following is an example of single range on PE ports.
Dell(conf-if-range-te-1/1-2,te-5/1-23)# ` Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range. Dell(conf)#int range te5/1-23 , te1/1 - 2 Dell(conf-if-range-te-1/1-2,te-5/1-23)#interface range vlan 2 - 100 , Port 1 25 Dell(conf-if-range-vl-2-100,po-1-25)# Interface Range Enhancements Inserting a space between comma-separated interfaces and interface ranges in interface range command syntax is no longer required.
Example of Using a Macro to Change the Interface Range Configuration Mode The following example shows how to change to the interface-range configuration mode using the interface-range macro named “test.” Dell(config)# interface range macro test Dell(config-if)# Monitoring and Maintaining Interfaces Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on.
Over 1023B packets: Error statistics: Input underruns: Input giants: Input throttles: Input CRC: Input IP checksum: Input overrun: Output underruns: Output throttles: m l T q - 0 0 pps 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Change mode Page up Increase refresh interval Quit pps pps pps pps pps pps pps pps c - Clear screen a - Page down t - Decrease refresh interval q Dell# Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers.
Displaying Traffic Statistics on HiGig Ports You can verify the buffer usage and queue counters for high-Gigabit Ethernet (HiGig) ports and link bundles (port channels). The buffer counters supported for front-end ports are extended to HiGig backplane ports. You can display the queue statistics and buffer counters for backplane line-card (leaf) and switch fabric module (SFM - spine) NPU port queues on a switch using the show commands described in this section.
To view the links that are being monitored, use the show link-bundle-distribution command.
• %STKUNIT0-M:CP %SWMGR-5-HG-BUNDLE_UNEVEN_DISTRIBUTION: Found uneven distribution in hg-port-channel 0/5/0 • %STKUNIT0-M:CP %SWMGR-5-HG-BUNDLE_UNEVEN_DISTRIBUTION_ALARM_CLEAR: Uneven distribution in hg-port-channel 0/5/0 got cleared Guidelines for Monitoring HiGig Link-Bundles When configuring HiGig link-bundle monitoring on the backplane, follow these guidelines: • By default, the capability to monitor the traffic distribution in a HiGig link bundle on a line-card or SFM NPU is disabled.
Enabling HiGig Link-Bundle Monitoring To enable the monitoring of HiGig link bundles, follow these steps. 1. Enable the monitoring of traffic distribution on the member links in a HiGig link bundle (portchannel). CONFIGURATION mode Dell(conf)#hg-link-bundle-monitor {sfm npu-id hg-port—channel hg-port— channel-id | slot slot npuUnit npu-id hg-port—channel 0} enable 2. Specify the trigger threshold for HiGig link-bundle monitoring.
The system supports the following types of transceivers only if they are Dell-qualified: • LR4 • SR4 • LM4 • PSM4 • PSM4-LR If you use any of the transceivers in the preceding list that is not Dell-qualified, Dell Networking OS places the interface in error-disabled (operationally down) state.
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA). QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling. Using this adapter, you can effectively use a QSFP or QSFP+ module to connect to a lower-end switch or server that uses an SFP or SFP+ based module.
• The QSA module does not have a designated EEPROM. To recognize a QSA, Dell Networking OS reads the EEPROM corresponding to a SFP+ or SFP module that is plugged into QSA. The access location of this EEPROM is different from the EEPROM location of the QSFP+ module. • The diagnostics application is capable of detecting insertion or removal of both the QSA as well as the SFP+ or SFP optical cables plugged into the QSA.
Enabling Link Dampening To enable link dampening, use the following command. • Enable link dampening. INTERFACE mode dampening Examples of the show interfaces dampening Commands R1(conf-if-te-1/1)#show config ! interface TengigabitEthernet 1/1 ip address 10.10.19.1/24 dampening 1 2 3 4 no shutdown R1(conf-if-te-1/1)#exit To view the link dampening configuration on an interface, use the show config command.
Dell# show interfaces dampening TengigabitEthernet0/0 Interface State Flaps Penalty Half-Life Reuse Suppress Te 0/1 Up 0 0 20 500 1500 Max-Sup 300 Port Pipes A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port set. The system has 10 switch cards and each card has only one port pipe and 48 ports in each.
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off. INTERFACE mode. flowcontrol rx [off | on] tx [off | on] Where: rx on: Processes the received flow control frames on this port. rx off: Ignores the received flow control frames on this port. tx on: Sends control frames from this port to the connected device when a higher rate of traffic is received.
The flow control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes. To enable pause frames, use the following command. • Control how the system responds to and generates 802.3x pause frames on 10 Gigabit line cards. INTERFACE mode flowcontrol rx [off | on] tx [off | on] [threshold {<1-2047> <1-2013> <1-2013>}] – rx on: enter the keywords rx on to process the received flow control frames on this port.
• All members must have the same link MTU value and the same IP MTU value. • The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU 2000, the port channel’s MTU values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU. VLANs: • All members of a VLAN must have the same IP MTU value. • Members can have different Link MTU values.
no Negate a command or set its defaults show Show autoneg configuration information Dell(conf-if-te-0/1)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode Dell(conf-if-te-0/1)# For details about the speed, duplex, and negotiation auto commands, refer to the Interfaces chapter of the Dell Networking OS Command Reference Guide.
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 100 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
– For the management interface, enter the keyword ManagementEthernet 0/0. The slot number is 0; the port number is 0. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Internet Protocol Security (IPSec) 23 Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
Configuring IPSec The following sample configuration shows how to configure FTP and telnet for IPSec. 1. Define the transform set. CONFIGURATION mode crypto ipsec transform-set myXform-seta esp-authentication md5 espencryption des 2. Define the crypto policy.
IPv4 Routing 24 IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• • Configuring Static Routes (optional) Configure Static Routes for the Management Interface (optional) For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Reference Guide. Assigning IP Addresses to an Interface Assign primary and secondary IP addresses to physical or logical (for example, [virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface.
no shutdown ! Dell(conf-if)# Dell(conf-if)#show conf ! interface TengigabitEthernet 0/0 ip address 10.11.1.1/24 no shutdown ! Dell(conf-if)# Configuring Static Routes A static route is an IP address that you manually configure and that the routing protocol does not learn, such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary.
S 6.1.2.14/32 S 6.1.2.15/32 S 6.1.2.16/32 S 6.1.2.17/32 S 11.1.1.0/24 Direct, Lo 0 --More-- via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, via 6.1.20.2, Direct, Nu 0 Te Te Te Te 5/0 5/0 5/0 5/0 1/0 1/0 1/0 1/0 0/0 00:02:30 00:02:30 00:02:30 00:02:30 00:02:30 The system installs a next hop that is on the directly connected subnet of current IP address on the interface (for example, if interface gig 0/0 is on 172.31.5.0 subnet, the system installs the static route).
To view the configuration, use the show config command in INTERFACE mode. Resolution of Host Names Domain name service (DNS) maps host names to IP addresses. This feature simplifies such commands as Telnet and FTP by allowing you to enter a name instead of an IP address. Dynamic resolution of host names is disabled by default. Unless you enable the feature, the system resolves only host names entered into the host table with the ip host command.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, the system can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. The system searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
Dell#traceroute www.force10networks.com Translating "www.force10networks.com"...domain server (10.11.0.1) [OK] Type Ctrl-C to abort. ---------------------------------------------------------------------Tracing the route to www.force10networks.com (10.11.84.18), 30 hops max, 40 byte packets ---------------------------------------------------------------------TTL Hostname Probe1 Probe2 Probe3 1 10.11.199.190 001.000 ms 001.000 ms 002.000 ms 2 gwegress-sjc-02.force10networks.com (10.11.30.126) 005.000 ms 001.
Configuring Static ARP Entries ARP dynamically maps the MAC and IP addresses, and while most network host support dynamic mapping, you can configure an ARP entry (called a static ARP) for the ARP cache. To configure a static ARP entry, use the following command. • Configure an IP address and MAC address mapping for an interface. CONFIGURATION mode arp ip-address mac-address interface – ip-address: IP address in dotted decimal format (A.B.C.D). – mac-address: MAC address in nnnn.nnnn.nnnn format.
INTERFACE PORT-CHANNEL Mode INTERFACE PORT EXTENDER Mode arp-inpsecton-trust Dell(conf)#int peGigE 0/0/0 Dell(conf-if-pegi-0/0/0)# arp-inpsection-trust Configuring ARP Timeout Use the arp backoff-timer command for setting the exponential timer for resending unresolved ARPs. • Set the exponential timer for resending unresolved ARPs. CONFIGURATION Mode arp backoff-time seconds / minutes Enter the number of seconds an ARP entry is black-holed. The range is from 1 to 3600. The default is 30 minutes.
– no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM. Or to specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address. – For a port channel interface, enter the keywords port-channel then a number. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Figure 52. ARP Learning via ARP Request When you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 53. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
arp backoff-time The default is 30. The range is from 1 to 3600. • For information about the arp backoff-time command, see Configuring the Timer for Resending Unresolved ARPs. Display all ARP entries learned via gratuitous ARP. EXEC Privilege mode show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply).
IPv6 Routing 25 Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
NOTE: The system provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address. However, received ND messages are not used to create an IPv6 address.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 54. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value Description 0 Hop-by-Hop option header 4 IPv4 6 TCP 8 Exterior Gateway Protocol (EGP) 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.
Extension headers are processed in the order in which they appear in the packet header. Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
All the addresses in the following list are all valid and equivalent. • 2001:0db8:0000:0000:0000:0000:1428:57ab • 2001:0db8:0000:0000:0000::1428:57ab • 2001:0db8:0:0:0:0:1428:57ab • 2001:0db8:0:0::1428:57ab • 2001:0db8::1428:57ab • 2001:db8::1428:57ab IPv6 networks are written using classless inter-domain routing (CIDR) notation.
Table 38. Dell Networking OS versions and platforms with IPv6 support Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Basic IPv6 Commands 8.3.11 IPv6 Basic Commands in the Dell Networking OS Command Line Reference Guide. IPv6 address types: Unicast 8.3.11 Extended Address Space IPv6 neighbor discovery 8.3.11 IPv6 Neighbor Discovery IPv6 stateless autoconfiguration 8.3.11 Stateless Autoconfiguration IPv6 MTU path discovery 8.3.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. OSPF for IPv6 (OSPFv3) 8.3.11 Equal Cost Multipath for IPv6 8.3.11 OSPFv3 in the Dell Networking OS Command Line Reference Guide. IPv6 Services and Management Telnet client over IPv6 (outbound Telnet) 8.3.11 Configuring Telnet with IPv6 Telnet server over IPv6 (inbound Telnet) 8.3.
• Use the show cam-ipv6 extended-prefix command to display the currently configured number of IPv6 /65-/128 prefixes that can be stored in LPM CAM Partition 1 and the number that are supported after the next switch reboot. ICMPv6 ICMP for IPv6 (ICMPv6) combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The implementation of ICMPv6 is based on RFC 4443.
Figure 55. Path MTU Discovery Process IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes.
Figure 56. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Example for Configuring an IPv6 Recursive DNS Server The following example configures a RDNNS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
DAD is enabled, number of DAD attempts: 3 ND reachable time is 20120 milliseconds ND base reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 198 to 600 seconds ND router advertisements live for 1800 seconds ND advertised hop limit is 64 IPv6 hop limit for originated packets is 64 ND dns-server address is 1000::1 with lifetime of 1 seconds ND dns-server address is 3000::1 with lifetime
Adjusting Your CAM Profile Although adjusting your CAM profile is not a mandatory step, if you plan to implement IPv6 ACLs, Dell Networking recommends that you adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10).
You can configure up to two IPv6 addresses on management interfaces, allowing required default router support on the management port that is acting as host, per RFC 4861. Data ports support more than two IPv6 addresses. When you configure IPv6 addresses on multiple interfaces (the ipv6 address command) and verify the configuration (the show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. • Enter the IPv6 Address for the device.
Configuring Telnet with IPv6 The Telnet client and server on a switch supports IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router. • Enter the IPv6 Address for the device. EXEC mode or EXEC Privileged mode telnet ipv6 address – ipv6 address: x:x:x:x::x – mask: prefix length is from 0 to 128.
prefix-list route rpf Dell# List IPv6 prefix lists IPv6 routing information RPF table Displaying an IPv6 Configuration To view the IPv6 configuration for a specific interface, use the following command. • Display the currently running configuration for a specified interface. EXEC mode show ipv6 interface type {slot/port} Enter the keyword interface then the type of interface and slot/port information: – For all brief summary of IPv6 status and configuration, enter the keyword brief.
Displaying IPv6 Routes To view the global IPv6 routing information, use the following command. • Display IPv6 routing information for the specified route type. EXEC mode show ipv6 route type The following keywords are available: – To display information about a network, enter ipv6 address (X:X:X:X::X). – To display information about a host, enter hostname. – To display information about all IPv6 routes (including non-active routes), enter all.
L fe80::/10 [0/0] Direct, Nu 0, 00:34:42 Dell#show ipv6 route static Destination Dist/Metric, Gateway, Last Change ----------------------------------------------------S 8888:9999:5555:6666:1111:2222::/96 [1/0] via 2222:2222:3333:3333::1, Te 9/1, 00:03:16 S 9999:9999:9999:9999::/64 [1/0] via 8888:9999:5555:6666:1111:2222:3333:4444, 00:03:16 Displaying the Running Configuration for an Interface To view the configuration for any interface, use the following command.
Configuring IPv6 RA Guard The IPv6 Router Advertisement (RA) guard allows you to block or reject the unwanted router advertisement guard messages that arrive at the network device platform. To configure the IPv6 RA guard, perform the following steps: 1. Configure the terminal to enter the Global Configuration mode. EXEC Privilege mode configure terminal 2. Enable the IPv6 RA guard. CONFIGURATION mode ipv6 nd ra-guard enable 3. Create the policy.
POLICY LIST CONFIGURATION mode router-preference maximum {high | low | medium} 10. Set the router lifetime. POLICY LIST CONFIGURATION mode router—lifetime value The router lifetime range is from 0 to 9,000 seconds. 11. Apply the policy to trusted ports. POLICY LIST CONFIGURATION mode trusted-port 12. Set the maximum transmission unit (MTU) value. POLICY LIST CONFIGURATION mode mtu value The MTU range is from 1,280 to 11,982 bytes. 13. Set the advertised reachability time.
Intermediate System to Intermediate System 26 The intermediate system to intermediate system (IS-IS) protocol that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter. IS-IS Protocol Overview The IS-IS protocol, developed by the International Organization for Standardization (ISO), is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a. 4321 and the last byte is always 0. Figure 57.
area or domain are operating in multi-topology IPv6 mode, the topological restrictions of singletopology mode are no longer in effect. Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
• The T2 timer is the maximum time that the system waits for LSP database synchronization. This timer applies to the database type (level-1, level-2, or both). • The T3 timer sets the overall wait time after which the router determines that it has failed to achieve database synchronization (by setting the overload bit in its own LSP).
IS-IS Parameter Default Value Designated Router priority 64 Circuit Type Level 1 and Level 2 IS Type Level 1 and Level 2 Equal Cost Multi Paths 16 Configuration Information To use IS-IS, you must configure and enable IS-IS in two or three modes: CONFIGURATION ROUTER ISIS, CONFIGURATION INTERFACE, and ( when configuring for IPv6) ADDRESS-FAMILY mode.
To configure IS-IS globally, use the following commands. 1. Create an IS-IS routing process. CONFIGURATION mode router isis [tag] tag: (optional) identifies the name of the IS-IS process. 2. Configure an IS-IS network entity title (NET) for a routing process. ROUTER ISIS mode net network-entity-title Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, see IS-IS Addressing. 3. Enter the interface configuration mode.
6. Enable IS-IS on the IPv4 interface. ROUTER ISIS mode ip router isis [tag] If you configure a tag variable, it must be the same as the tag variable assigned in step 1. 7. Enable IS-IS on the IPv6 interface. ROUTER ISIS mode ipv6 router isis [tag] If you configure a tag variable, it must be the same as the tag variable assigned in step 1. Examples of IS-IS Configuration Information The default IS type is level-1-2.
IS-IS: LSP authentication failures : 0 Dell# You can assign more NET addresses, but the System ID portion of the NET address must remain the same. The system supports up to six area addresses. Some address considerations are: • In order to be neighbors, configure Level 1 routers with at least one common area address. • A Level 2 router becomes a neighbor with another Level 2 router regardless of the area address configured.
• Enable graceful restart on ISIS processes. ROUTER-ISIS mode • graceful-restart ietf Configure the time during which the graceful restart attempt is prevented. ROUTER-ISIS mode graceful-restart interval minutes The range is from 1 to 120 minutes. • The default is 5 minutes. Enable the graceful restart maximum wait time before a restarting peer comes up.
The default is 30 seconds. Example of the show isis graceful-restart detail and show isis interface Commands NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP. The 'overload' bit is an indication to the receiving router that database synchronization did not complete at the restarting router. To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 Dell# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. • Set interval between LSP generation.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
To view the interface’s current metric, use the show config command in INTERFACE mode or the show isis interface command in EXEC Privilege mode. Configuring the Distance of a Route To configure the distance for a route, use the following command. • Configure the distance for a route. ROUTER ISIS mode distance Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router.
Controlling Routing Updates To control the source of IS-IS route information, use the following command. • Disable a specific interface from sending or receiving IS-IS routing information. ROUTER ISIS mode passive-interface interface – For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. – For a port channel, enter the keywords port-channel then a number.
distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static] You can configure one of the optional parameters: – connected: for directly connected routes. – ospf process-id: for OSPF routes only. – rip: for RIP routes only. – static: for user-configured routes. • – bgp: for BGP routes only. Deny RTM download for pre-existing redistributed IPv4 routes.
• – bgp: for BGP routes only. Deny RTM download for pre-existing redistributed IPv6 routes. ROUTER ISIS-AF IPV6 mode distribute-list redistributed-override in Redistributing IPv4 Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process.
Redistributing IPv6 Routes To add routes from other routing instances or protocols, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use the ROUTER ISIS mode previously shown. • Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS.
area-password [hmac-md5] password Dell supports HMAC-MD5 authentication. • This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs. Set the authentication password for a routing domain. ROUTER ISIS mode domain-password [encryption-type | hmac-md5] password Dell supports both DES and HMAC-MD5 authentication methods. This password is inserted in Level 2 LSPs, Complete SNPs, and Partial SNPs.
B233.00-00 eljefe.00-00 * eljefe.01-00 * eljefe.02-00 * Force10.00-00 Dell# 0x00000006 0x0000000E 0x00000001 0x00000001 0x00000004 0xC38A 0x53BF 0x68DF 0x2E7F 0xCDA9 1110 1196 1108 1099 1093 0/0/0 0/0/1 0/0/0 0/0/0 0/0/0 Debugging IS-IS To debug IS-IS processes, use the following commands. • View all IS-IS information. EXEC Privilege mode • debug isis View information on all adjacency-related activity (for example, hello packets that are sent and received).
– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. The system displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Level-1 Metric Style Level-2 Metric Style Resulting Metric Value narrow narrow transition original value narrow transition original value wide narrow truncated value wide narrow transition truncated value wide wide transition original value wide transition truncated value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value transition wide original value t
• Multi-topology — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface. If you configure IPv4, also enable the router isis command. In router isis configuration mode, enable multi-topology under address-family ipv6 unicast. • Multi-topology Transition — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface.
Dell(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell(conf-if-te-3/17)# Dell(conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.00 ! address-family ipv6 unicast multi-topology exit-address-family Dell (conf-router_isis)# Dell(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell(conf-if-te-3/17)# Dell(conf-router_isis)#show config ! router isis net 34.
iSCSI Optimization 27 This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• iSCSI monitoring sessions — the switch monitors and tracks active iSCSI sessions in connections on the switch, including port information and iSCSI session information. • iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 44. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting iSCSI CoS mode (802.1p priority queue mapping) iSCSI CoS Packet classification When you enable iSCSI, iSCSI packets are queued based on dot1p, instead of DSCP values. VLAN priority tag iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
NOTE: Content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled: • session monitoring • aging • class of service You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and the show iscsi command displays this information. 2. For a non-DCB environment: Enable iSCSI. CONFIGURATION mode iscsi enable 3. For a DCB environment: Configure iSCSI Optimization.
• ip-address specifies the IP address of the iSCSI target. When you enter the no form of the command, and the TCP port you want to delete is one bound to a specific IP address, include the IP address value in the command. If multiple IP addresses are mapped to a single TCP port, use the no iscsi target port command to remove all IP addresses assigned to the TCP port number. To remove a single IP address from the TCP port, use the no iscsi target port ipaddress command. 7.
[no] iscsi profile-compellent. The default is: Compellent disk arrays are not detected. NOTE: The [no] iscsi profile-compellent. command is not supported on cascade interfaces or extended ports Displaying iSCSI Optimization Information To display information on iSCSI optimization, use the following show commands. • Display the currently configured iSCSI settings. • show iscsi Display information on active iSCSI sessions on the switch.
---------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010 Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg ISID: 400001370000 VLT PEER2 Session 0: ----------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011 iqn.1991-05.com.
The following message displays when you enable iSCSI on a switch and describes the configuration changes that are automatically performed: %SYSTEM:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces. EQL detection and enabling iscsi profile-compellent on an interface may cause some automatic configurations to occur like jumbo frames on all ports and no storm control and spanning tree port-fast on the port of detection.
• Initiator’s IQN (iSCSI qualified name) • Target’s IQN • Initiator’s TCP Port • Target’s TCP Port • Connection ID • Aging • Up Time If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is cleared.
The following syslog message is generated the first time an EqualLogic array is detected: %SYSTEM:CP %LLDP-5-LLDP_EQL_DETECTED: EqualLogic Storage Array detected on interface Te 1/ 43 • • • At the first detection of an EqualLogic array, an MTU of 12000 is enabled on all ports and portchannels (if it has not already been enabled). Spanning-tree portfast is enabled on the interface LLDP identifies. Unicast storm control is disabled on the interface LLDP identifies.
You can configure whether iSCSI frames are re-marked to contain the configured VLAN priority tag or IP DSCP when forwarded through the switch. NOTE: On a switch in which a large proportion of traffic is iSCSI, CoS queue assignments may interfere with other network control-plane traffic, such as ARP or LACP. Balance preferential treatment of iSCSI traffic against the needs of other critical data in the network.
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
– The shutdown command on LAG “xyz” disables the LAG and retains the user commands. However, the system does not allow the channel number “xyz” to be statically created. – The no interface port-channel channel-number command deletes the specified LAG, including a dynamically created LAG. This command removes all LACP-specific commands on the member interfaces. The interfaces are restored to a state that is ready to be configured.
– number: cannot statically contain any links. • The default is LACP active. Configure port priority. LACP mode [no] lacp port-priority priority-value The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768. LACP Configuration Tasks The following configuration tasks apply to LACP.
• Configure the dynamic LAG interfaces. CONFIGURATION mode port-channel-protocol lacp Example of the port-channel-protocol lacp Command Dell(conf)#interface Tengigabitethernet 3/15 Dell(conf-if-te-3/15)#no shutdown Dell(conf-if-te-3/15)#port-channel-protocol lacp Dell(conf-if-te-3/15-lacp)#port-channel 32 mode active ... Dell(conf)#interface Tengigabitethernet 3/16 Dell(conf-if-te-3/16)#no shutdown Dell(conf-if-te-3/16)#port-channel-protocol lacp Dell(conf-if-te-3/16-lacp)#port-channel 32 mode active ...
Partner System ID: Priority 32768, Address 0001.e801.
To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). the system has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
Figure 61. Configuring Shared LAG State Tracking The following are shared LAG state tracking console messages: • 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 1 • 2d1h45m: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2 To view the status of a failover group member, use the show interface port-channel command.
LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 62. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 132 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 136 Multicasts, 0 Broadcasts, 0 Unicasts 0 Vlans, 0 throttle
Figure 64.
Figure 65.
interface TengigabitEthernet 2/31 no ip address Summary of the LAG Configuration on Bravo Bravo(conf-if-te-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-3/21)#port-channel-protocol lacp Bravo(conf-if-
Figure 66.
Figure 67.
Figure 68. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 29 This chapter describes the Layer 2 features supported on the switch. Manage the MAC Address Table You can perform the following management tasks inr the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
The range is from 10 to 1000000. Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, a message is displayed: %E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list MacLimit on TengigabitEthernet 5/84 In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session.
To save all sticky MAC addresses into a configuration file that can be used as a startup configuration file, use the write config command. If the number of existing MAC addresses is fewer than the configured MAC learning limit, additional MAC addresses are converted to sticky MACs addresse on the port. To remove all sticky MAC addresses from the running configuration file, disable sticky MAC and enter the write config command.
Setting Station Move Violation Actions Station move violation actions are user-configurable. no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move.
NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together. In this case, if the primary NIC fails, traffic switches to the secondary NIC because they are represented by the same set of addresses. Figure 69.
Figure 70. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 71. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
3/42 00:24:55: %SYSTEM-P:CP %IFMGR-5-ACTIVE: Changed Vlan interface state to active: Vl 1 00:24:55: %SYSTEM-P:CP %IFMGR-5-STATE_STBY_ACT: Changed interface state from standby to active: Te 3/42 Dell(conf-if-te-3/41)#do show ip int brief | find 3/41 TengigabitEthernet 3/41 unassigned NO Manual administratively down down TengigabitEthernet 3/42 unassigned YES Manual up up [output omitted] Example of Configuring Redundant Pairs on a Port-Channel Dell#show interfaces port-channel brief Codes: L - LACP Port-chan
Figure 72. Configuring Far-End Failure Detection The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes: Normal and Aggressive.
4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals, the state changes to unknown. You can set each interval from 3 to 255 seconds. 5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
To report interval frequency and mode adjustments, use the following commands. 1. Configure two or more connected interfaces for Layer 2 or Layer 3 traffic. INTERFACE mode switchport ip address ip address 2. Activate the ports. INTEFACE mode no shutdown 3. Enable FEFD globally on the switch. CONFIGURATION mode fefd-global {interval | mode} Example of the show fefd Command To display information about the state of each interface, use the show fefd command in EXEC privilege mode.
Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1. Setup two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2. Activate the necessary ports administratively. INTERFACE mode no shutdown 3.
2w1d22h: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 4/0 2w1d22h: %SYSTEM-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1 2w1d22h : FEFD state on Te 4/0 changed from Bi-directional to Unknown The following example shows the debug fefd packets command.
Link Layer Discovery Protocol (LLDP) 30 This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 46. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 75. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 47. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. The Dell Networking OS does not currently support this TLV.
Type TLV Description 127 Protocol Identity Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV. 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the Dell Networking OS implementation of LLDP, but is available and mandatory (non-configurable) in the LLDP-MED implementation.
Regarding connected endpoint devices, LLDP-MED provides network connectivity devices with the ability to: • manage inventory • manage Power over Ethernet (PoE) • identify physical location • identify network policy LLDP-MED is designed for, but not limited to, VoIP endpoints. TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4).
Type SubType TLV Description None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs. 127 5 Inventory — Hardware Revision Indicates the hardware revision of the LLDPMED device. 127 6 Inventory — Firmware Revision Indicates the firmware revision of the LLDPMED device. 127 7 Inventory — Software Revision Indicates the software revision of the LLDPMED device. 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device.
Figure 76. LLDP-MED Capabilities TLV Table 49. LLDP-MED Capabilities Bit Position TLV Supported? 0 LLDP-MED Capabilities Yes 1 Network Policy Yes 2 Location Identification Yes 3 Extended Power via MDI-PSE Yes 4 Extended Power via MDI-PD No 5 Inventory No 6–15 reserved No Table 50.
NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets for which a connection is made. In this case, configure the signaling application. Table 51.
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
• Dell Networking systems support up to eight neighbors per interface. • Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000. • INTERFACE level configurations override all CONFIGURATION level configurations. • LLDP is not hitless. LLDP Compatibility • Spanning tree and force10 ring protocol “blocked” ports allow LLDPDUs. • 802.
no show Negate a command or set its defaults Show LLDP configuration Enabling LLDP LLDP is disabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2. Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP To disable or undo LLDP, use the following command.
management-interface 3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs.
Figure 79. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands. • Display brief information about adjacent devices. • show lldp neighbors Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command. • Configure a non-default transmit interval.
• Return to the default setting.
advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#multiplier ? <2-10> Multiplier (default=4) R1(conf-lldp)#multiplier 5 R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description multiplier 5 no disable R1(conf-lldp)#no multiplier R1(conf-lldp)#show
Figure 80. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects The system supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.1AB Organizationally Specific TLVs • received and transmitted LLDP-MED TLVs Table 52.
MIB Object Category Basic TLV Selection LLDP Variable LLDP MIB Object Description msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs. mibBasicTLVsTxEnable lldpPortConfigTLVsTxEnabl e Indicates which management TLVs are enabled for system ports.
Table 53.
TLV Type TLV Name TLV Variable System interface numbering Local subtype interface number OID LLDP MIB Object lldpLocManAddrIfSu btype Remote lldpRemManAddrIfS ubtype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOI D Table 54. LLDP 802.
Table 55.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object 3 Location Data Format Local lldpXMedLocLocatio nSubtype Remote lldpXMedRemLocati onSubtype Local lldpXMedLocLocatio nInfo Remote lldpXMedRemLocati onInfo Local lldpXMedLocXPoED eviceType Remote lldpXMedRemXPoED eviceType Local lldpXMedLocXPoEPS EPowerSource Location Identifier Location ID Data 4 Extended Power via MDI Power Device Type Power Source lldpXMedLocXPoEP DPowerSource Remote lldpXMedRemXPoEP SEPowerSource lld
Multicast Source Discovery Protocol (MSDP) 31 This chapter describes how to configure and use the multicast source discovery protocol (MSDP). Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 81. Multicast Source Discovery Protocol (MSDP) RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 82.
Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback address are configured with a 32-bit mask, making it a host address.
• Accept Source-Active Messages that Fail the RFP Check • Specifying Source-Active Messages • Limiting the Source-Active Cache • Preventing MSDP from Caching a Local Source • Preventing MSDP from Caching a Remote Source • Preventing MSDP from Advertising a Local Source • Terminating a Peership • Clearing Peer Statistics • Debugging MSDP • MSDP with Anycast RP • MSDP Sample Configurations Figure 83.
Figure 84.
Figure 85.
Figure 86. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains.
Example of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
Limiting the Source-Active Cache Set the upper limit of the number of active sources that the system caches. The default active source limit is 500K messages. When the total number of active sources reaches the specified limit, subsequent active sources are dropped even if they pass the reverse path forwarding (RPF) and policy check. To limit the number of sources that SA cache stores, use the following command. • Limit the number of sources that can be stored in the SA cache.
Figure 87.
Figure 88.
Figure 89.
Figure 90. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
Dell(conf)#ip access-list standard fifty Dell(conf)#seq 5 permit host 200.0.0.50 Dell#ip msdp sa-cache MSDP Source-Active Cache - 3 entries GroupAddr SourceAddr RPAddr LearnedFrom 229.0.50.2 24.0.50.2 200.0.0.50 10.0.50.2 229.0.50.3 24.0.50.3 200.0.0.50 10.0.50.2 229.0.50.4 24.0.50.4 200.0.0.50 10.0.50.2 Dell#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.
Example of Verifying the System is not Caching Local Sources When you apply this filter, the SA cache is not affected immediately. When sources that are denied by the ACL time out, they are not refreshed. Until they time out, they continue to reside in the cache. To apply the redistribute filter to entries already present in the SA cache, first clear the SA cache. You may optionally store denied sources in the rejected SA cache. R1(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.
R3(conf)#do show ip msdp sa-cache R3(conf)# R3(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 0.0.0.0(639) Connect Source: Lo 0 State: Listening Up/Down Time: 00:01:19 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command.
Logging Changes in Peership States To log changes in peership states, use the following command. • Log peership state changes. CONFIGURATION mode ip msdp log-adjacency-changes Terminating a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. • Terminate the TCP connection with a peer.
Example of the clear ip msdp peer Command and Verifying Statistics are Cleared R3(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.3(639) Connect Source: Lo 0 State: Established Up/Down Time: 00:04:26 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 5/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none R3(conf)#do clear ip msdp peer 192.168.0.1 R3(conf)#do show ip msdp peer Peer Addr: 192.168.0.
technique is less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions. • lack of scalable register decasulation: With only a single RP per group, all joins are sent to that RP regardless of the topological distance between the RP, sources, and receivers, and data is transmitted to the RP until the SPT switch threshold is reached.
Configuring Anycast RP To configure anycast RP: 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
CONFIGURATION mode ip msdp originator-id Example of an R1, R2, and R3 Configuration for MSDP with Anycast RP ip multicast-routing ! interface TenGigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface TenGigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.
interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.22/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.22/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.3 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.
neighbor 192.168.0.22 update-source Loopback 0 neighbor 192.168.0.22 no shutdown ! ip ip ip ip ! ip ip ! ip multicast-msdp msdp peer 192.168.0.11 connect-source Loopback 0 msdp peer 192.168.0.22 connect-source Loopback 0 msdp sa-filter out 192.168.0.22 route 192.168.0.1/32 10.11.0.23 route 192.168.0.22/32 10.11.0.23 pim rp-address 192.168.0.3 group-address 224.0.0.0/4 MSDP Sample Configurations The following examples show the running-configurations described in this chapter.
! interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.2/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.
! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.1 connect-source Loopback 0 ! ip route 192.168.0.2/32 10.11.0.23 MSDP Sample Configuration: R4 Running-Config ip multicast-routing ! interface TenGigabitEthernet 0/21 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface TenGigabitEthernet 0/22 ip address 10.10.42.
no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.2/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.3 update-source Loopback 0 neighbor 192.168.0.3 no shutdown ! ip route 192.168.0.3/32 10.11.0.32 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.
MSDP Sample Configuration: R4 Running-Config ip multicast-routing ! interface TenGigabitEthernet 0/21 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface TenGigabitEthernet 0/22 ip address 10.10.42.1/24 no shutdown ! interface TenGigabitEthernet 0/31 ip pim sparse-mode ip address 10.11.6.43/24 no shutdown ! interface Loopback 0 ip address 192.168.0.4/32 no shutdown ! router ospf 1 network 10.11.5.0/24 area 0 network 10.11.6.0/24 area 0 network 192.168.0.4/32 area 0 ! ip pim rp-address 192.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview In contrast, PVST+ allows a spanning tree instance for each VLAN.
Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 56. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • Within an MSTI, only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. 1. Enter PROTOCOL MSTP mode. CONFIGURATION mode protocol spanning-tree mstp 2.
Examples of Creating and Viewing MSTP Instances The following example shows using the msti command. Dell(conf)#protocol spanning-tree mstp Dell(conf-mstp)#msti 1 vlan 100 Dell(conf-mstp)#msti 2 vlan 200-300 Dell(conf-mstp)#show config ! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200-300 All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
NOTE: Some non-Dell equipment may implement a non-null default region name, such as the Bridge ID or a MAC address. Changing the Region Name or Revision To change the region name or revision, use the following commands. • Change the region name. PROTOCOL MSTP mode • name name Change the region revision number. PROTOCOL MSTP mode revision number Example of the name Command To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
The default is 15 seconds. 2. Change the hello-time parameter. PROTOCOL MSTP mode hello-time seconds NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4. Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40.
• Port priority influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost. The following lists the default values for port cost by interface. Table 57.
• Enable EdgePort on an interface. INTERFACE mode spanning-tree mstp edge-port [bpduguard | shutdown-on-violation] Dell Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior: – If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. – When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Figure 93. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 ! (Step 2) interface TenGigabitEthernet 3/11 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/21 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 3/11,21 no shutdown Example Running-Configuration This example
(Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • Display BPDUs. EXEC Privilege mode • debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
– Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others. The following example shows viewing an MSTP configuration. Dell#show run spanning-tree mstp ! protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 The following example shows viewing the debug log (a successful MSTP configuration).
INST 2: Flags: 0x70, Reg Root: 32768:0001.e8d5.
Multicast Features 33 The Dell Networking OS supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Enabling IP Multicast Before enabling any multicast protocols, you must enable IP multicast routing. • Enable multicast routing.
• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fennertraceroute-ipm. • Multicast is not supported on secondary IP addresses. • Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing. First Packet Forwarding for Lossless Multicast All initial multicast packets are forwarded to receivers to achieve lossless multicast.
be learnt until TIB level falls below low watermark. 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin. To limit the number of multicast routes, use the following command. • Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range if from 1 to 16000. The default is 4000. NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe.
Figure 94. Preventing a Host from Joining a Group Table 58. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Rate Limiting IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting that rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built-in to IGMP so that they’re membership is delayed rather than permanently denied. • Limit the rate at which new groups can be joined.
Figure 95. Preventing a Source from Transmitting to a Group Table 59. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • Interface GigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description • no shutdown 2/1 • • • • Interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface GigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
Object Tracking 34 IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Figure 96. Object Tracking Example When you configure a tracked object, such as an IPv4 or IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the tracked route is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Tracking a Metric Threshold Use the following commands to configure object tracking on the metric threshold of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1. (Optional) Reconfigure the default resolution value used by the specified protocol to scale the metric for IPv4 or IPv6 routes. CONFIGURATION mode track resolution {ip route | ipv6 route} {isis resolution-value | ospf resolution-value} The range of resolution values is: • 2. ISIS routes - 1 to 1000.
The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold. The defult DOWN threshold is 255. The routing state is DOWN if the scaled route metric is greater than or equal to the DOWN threshold. 6. (Optional) Display the tracking configuration. EXEC Privilege mode show track object-id Example of IPv4 and IPv 6 Tracking Metric Thresholds The following example configures object tracking on the metric threshold of an IPv4 route.
(Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs. 2. (Optional) Configure the time delay used before communicating a change in the status of a tracked route. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 3. (Optional) Identify the tracked object with a text description.
Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
A line-protocol object only tracks the link-level (UP/DOWN) status of a specified interface. When the linklevel status goes down, the tracked object status is DOWN; if the link-level status is up, the tracked object status is UP. To remove object tracking on a Layer 2 interface, use the no track object-id command. To configure object tracking on the status of a Layer 2 interface, use the following commands. 1. Configure object tracking on the line-protocol state of a Layer 2 interface.
• For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. For an IPv4 interface, a routing object only tracks the UP/DOWN status of the specified IPv4 interface (the track interface ip-routing command). • • The status of an IPv4 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
Dell(conf-track-101)#description NYC metro Dell(conf-track-101)#end Dell#show track 101 Track 101 Interface TenGigabitEthernet 7/2/1 ip routing Description: NYC metro Example of configuring object tracking for an IPv6 interface.
Tracked by: VRRP GigabitEthernet 7/30 IPv6 VRID 1 Track 4 Interface GigabitEthernet 13/4 ip routing IP routing is Up 3 changes, last change 00:03:30 Tracked by: Example of the show track brief command. Router# show track brief ResId State 1 Resource LastChange IP route reachability Parameter 10.16.0.0/16 Example of the show track resolution command. Dell#show track resolution IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf command.
Open Shortest Path First (OSPFv2 and OSPFv3) 35 This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
Areas allow you to further organize your routers within in the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 97. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.
In the previous example, Routers A, B, C, G, H, and I are the Backbone. • A stub area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. NOTE: Configure all routers within an assigned stub area as stubby, and not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. A virtual link cannot traverse stubby areas.
Figure 98. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
• Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number. • Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution.
Virtual Links In the case in which an area cannot be directly connected to Area 0, you must configure a virtual link between that area and Area 0. The two endpoints of a virtual link are ABRs, and you must configure the virtual link in both routers. The common non-backbone area to which the two routers belong is called a transit area. A virtual link specifies the transit area and the router ID of the other virtual endpoint (the other ABR).
OSPF Implementation The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Multiple OSPF processes (OSPF MP) are supported on OSPFv2 only; up to 32 simultaneous processes are supported. On OSPFv3, the system supports only one process at a time for all platforms. OSPFv2 and OSPFv3 can coexist on a switch, but you must configure them individually.
Processing SNMP and Sending SNMP Traps Though there are may be several OSPFv2 processes, only one process can process simple network management protocol (SNMP) requests and send SNMP traps. The mib-binding command identifies one of the OSPVFv2 processes as the process responsible for SNMP management. If you do not specify the mib-binding command, the first OSPFv2 process created manages the SNMP processes and traps. RFC-2328 Compliant OSPF Flooding In OSPF, flooding is the most resource-consuming task.
Supports only single TOS (TOS0) routes It is an Autonomous System Boundary Router It is Flooding according to RFC 2328 SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 1, normal 0 stub 0 nssa 1 --More-- OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases.
Configuration Information The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface. NOTE: By default, OSPF is disabled.
If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1. Assign an IP address to an interface. CONFIG-INTERFACE mode ip address ip-address mask The format is A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3.
EXEC Privilege mode • clear ip ospf process-id View the current OSPFv2 status. EXEC mode show ip ospf process-id Example of Viewing the Current OSPFv2 Status Dell#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.
Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0). Any area besides Area 0 can have any number ID assigned to it. The OSPFv2 process evaluates the network commands in the order they are configured.
Dell(conf-router_ospf-1)# Dell# Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting. To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode. OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command.
Loopback interface is treated as a stub Host. Dell# Configuring Stub Areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
Configuring LSA Throttling Timers Configured link-state advertisement (LSA) timers replace the standard transmit and acceptance times for LSAs. The LSA throttling timers are configured in milliseconds. The interval time increases exponentially until a maximum time is reached. If the maximum time is reached, the system continues to transmit at the maximum interval. If the system is stable for twice the maximum interval time, it reverts to the startinterval timer. The cycle repeats.
Example of Viewing Passive Interfaces When you configure a passive interface, the show ip ospf process-id interface command adds the words passive interface to indicate that the hello packets are not transmitted on that interface (shown in bold). Dell#show ip ospf 34 int TengigabitEthernet 0/0 is up, line protocol is down Internet Address 10.1.2.100/24, Area 1.1.1.1 Process ID 34, Router ID 10.1.2.
NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support. Examples of Enabling Fast-Convergence In the following examples, Convergence Level shows the fast-converge parameter setting and Min LSA origination shows the LSA parameters (shown in bold). The following example shows the fast-converge command.
• The dead interval must be the same on all routers in the OSPF network. Change the time interval between hello-packet transmission. CONFIG-INTERFACE mode ip ospf hello-interval seconds – seconds: the range is from 1 to 65535 (the default is 10 seconds). • The hello interval must be the same on all routers in the OSPF network. Use the MD5 algorithm to produce a message digest or key, which is sent instead of the key.
The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration. Dell(conf-if)#ip ospf cost 45 Dell(conf-if)#show config ! interface TengigabitEthernet 0/0 ip address 10.1.2.100 255.255.255.0 no shutdown ip ospf cost 45 Dell(conf-if)#end Dell#show ip ospf 34 interface TengigabitEthernet 0/0 is up, line protocol is up Internet Address 10.1.2.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.
• retransmit-interval — LSA retransmit interval • transmit-delay — LSA transmission delay • dead-interval — dead router detection time • authentication-key — authentication key • message-digest-key — MD5 authentication key To configure virtual links, use the following command. • Configure the optional parameters of a virtual link.
ip prefix-list prefix-name • You are in PREFIX LIST mode. Create a prefix list with a sequence number and a deny or permit action. CONFIG- PREFIX LIST mode seq sequence-number {deny |permit} ip-prefix [ge min-prefix-length] [le maxprefix-length] The optional parameters are: – ge min-prefix-length: is the minimum prefix length to match (from 0 to 32). – le max-prefix-length: is the maximum prefix length to match (from 0 to 32).
Example of Viewing OSPF Configuration after Redistributing Routes To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode. Dell(conf-router_ospf)#show config ! router ospf 34 network 10.1.2.32 0.0.0.255 area 2.2.2.2 network 10.1.3.24 0.0.0.255 area 3.3.3.3 distribute-list dilling in Dell(conf-router_ospf)# Troubleshooting OSPFv2 Use the information in this section to troubleshoot OSPFv2 operation on the switch.
• View the configuration of OSPF neighbors connected to the local router. EXEC Privilege mode • show ip ospf neighbor View the LSAs currently in the queue. EXEC Privilege mode • show ip ospf timers rate-limit View debug messages. EXEC Privilege mode debug ip ospf process-id [event | packet | spf | database-timers rate-limit] To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process.
Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes. Basic OSPFv2 Router Topology The following illustration is a sample basic OSPFv2 topology. Figure 100.
OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.0.23.0/24 area 0 ! interface Loopback 30 ip address 192.168.100.100/24 no shutdown ! interface TengigabitEthernet 3/1 ip address 10.1.13.3/24 no shutdown ! interface TengigabitEthernet 3/2 ip address 10.2.13.3/24 no shutdown OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.
NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3. All IPv6 addresses on an interface are included in the OSPFv3 process that is created on the interface. Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically.
ipv6 ospf process-id area area-id – process-id: the process ID number assigned. – area-id: the area ID for this interface. Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. • Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} • The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address.
– number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF. CONFIGURATION mode • no ipv6 router ospf process-id} Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process Configuring the Cost of OSPFv3 Routes Change in bandwidth directly affects the cost of OSPF routes. • Explicitly specify the cost of sending a packet on an interface.
CONF-IPV6-ROUTER-OSPF mode passive-interface {type slot/port} Interface: identifies the specific interface that is passive. – For a port channel, enter the keywords port-channel then a number from 1 to 255 (for example, passive-interface po 100) – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface ten 2/3).
Configure the following required and optional parameters: – always: indicate that default route information is always advertised. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. – route-map map-name: enter a name of a configured route map. OSPFv3 Authentication Using IPsec OSPFv3 uses OSPFv3 authentication using IP security (IPsec) to provide authentication for OSPFv3 packets.
OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. • To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
ipv6 ospf encryption {null | ipsec spi number esp encryption-algorithm [keyencryption-type] key authentication-algorithm [key-authentication-type] key} – null: causes an encryption policy configured for the area to not be inherited on the interface. – ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295. – esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL.
area-id authentication ipsec spi number {MD5 | SHA1} [key-encryption-type] key – area area-id: specifies the area for which OSPFv3 traffic is to be authenticated. For area-id, enter a number or an IPv6 prefix. – spi number: is the SPI value. The range is from 256 to 4294967295. – MD5 | SHA1: specifies the authentication type: message digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). – key-encryption-type: (optional) specifies if the key is encrypted.
are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192. – key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted). – authentication-algorithm: specifies the authentication algorithm to use for encryption. The valid values are MD5 or SHA1. – key: specifies the text string used in authentication.
Outbound ESP SPI Inbound ESP Auth Key Outbound ESP Auth Key Inbound ESP Cipher Key Outbound ESP Cipher Key Transform set : : : : : : 502 (0x1F6) 123456789a123456789b123456789c12 123456789a123456789b123456789c12 123456789a123456789b123456789c123456789d12345678 123456789a123456789b123456789c123456789d12345678 esp-3des esp-md5-hmac Crypto IPSec client security policy data Policy name : OSPFv3-1-500 Policy refcount : 2 Inbound AH SPI : 500 (0x1F4) Outbound AH SPI : 500 (0x1F4) Inbound AH Key : bbdd96e6eb4828
IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3 operation on the switch.
• show ipv6 ospf database View the configuration of OSPFv3 neighbors. EXEC Privilege mode • show ipv6 ospf neighbor View debug messages for all OSPFv3 interfaces. EXEC Privilege mode debug ipv6 ospf [event | packet] {type slot/port} – event: View OSPF event messages. – packet: View OSPF packets. – For a 10–Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface te 2/1).
Per-VLAN Spanning Tree Plus (PVST+) 36 Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 101.
Table 60. Spanning Tree Versions Supported Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode • disable Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 102. Load Balancing with PVST+ The bridge with the bridge value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TengigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.
PROTOCOL PVST mode vlan max-age The range is from 6 to 40. The default is 20 seconds. The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command. Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type.
The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
PVST+ in Multi-Vendor Networks Some non-Dell Networking systems which have hybrid ports participating in PVST+ transmit two kinds of BPDUs: an 802.1D BPDU and an untagged PVST+ BPDU. Dell Networking systems do not expect PVST+ BPDU (tagged or untagged) on an untagged port. If this situation occurs, the system places the port in an Error-Disable state. This behavior might result in the network not converging.
Example of Viewing the Extend System ID in a PVST+ Configuration Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
interface Vlan 100 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! interface Vlan 300 no ip address tagged TengigabitEthernet 2/12,32 no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface TengigabitEthernet 3/12 no ip address switchport no shutdown ! interface TengigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIMDense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information The Dell Networking implementation of PIM-SM is based on IETF Internet Draft draft-ietf-pim-sm-v2new-05. • The maximum number of PIM interfaces is 95.
3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action. If a router between the host and the RP receives a PIM Join message for which it already has a (*,G) entry, the interface on which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP.
Configuring PIM-SSM Configuring PIM-SM is a three-step process. 1. Enable multicast routing (refer to the following step). 2. Select a rendezvous point. 3. Enable PIM-SM on an interface. Enable multicast routing. CONFIGURATION mode ip multicast-routing Related Configuration Tasks The following are related PIM-SM configuration tasks.
To display PIM neighbors for each interface, use the show ip pim neighbor command EXEC Privilege mode. Dell#show ip Neighbor Address 127.87.5.5 127.87.3.5 127.87.50.5 Dell# pim neighbor Interface Uptime/Expires Ver Te 0/11 Te 0/12 Te 1/13 v2 v2 v2 01:44:59/00:01:16 01:45:00/00:01:16 00:03:08/00:01:37 DR Prio/Mode 1 / S 1 / DR 1 / S To display the PIM routing table, use the show ip pim tib command from EXEC privilege mode.
To display the expiry time configuration, use the show running-configuration pim command from EXEC Privilege mode. Configuring a Static Rendezvous Point The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root a group-specific tree; every group must have an RP. • Identify an RP by the IP address of a PIM-enabled or Loopback interface. ip pim rp-address Example of Viewing an RP on a Loopback Interface Dell#sh run int loop0 ! interface Loopback 0 ip address 1.1.1.
Configuring a Designated Router Multiple PIM-SM routers might be connected to a single local area network (LAN) segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the designated router (DR). The DR is elected using hello messages. Each PIM router learns about its neighbors by periodically sending a hello message out of each PIM-enabled interface. Hello messages contain the IP address of the interface out of which it is sent and a DR priority value.
NOTE: – When NSF capability is disabled by configuration, the configured values for restart-time and stale-entry-time are reset to default values. – The restart-time and stale-entry-time options can be configured only when NSF is enabled on the system. – (option) restart-time: the time the Dell Networking system requires to restart. The default value is 120 seconds. – (option) stale-entry-time: the maximum amount of time that the Dell Networking system preserves entries from a restarting neighbor.
PIM Source-Specific Mode (PIM-SSM) 38 PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SMM Configuring PIM-SSM is a two-step process. 1. Configure PIM-SMM. 2. Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created.
• You may enter multiple ssm-map commands for different access lists. You may also enter multiple ssm-map commands for the same access list, as long as they use different source addresses. • When an extended ACL is associated with this command, an error message is displayed. If you apply an extended ACL before you create it, the system accepts the configuration, but when the ACL is later defined, the system ignores the ACL and the stated mapping has no effect.
Uptime 00:00:05 Expires Never Router mode INCLUDE Last reporter 10.11.4.2 Last reporter mode INCLUDE Last report received ALLOW Group source list Source address Uptime Expires 10.11.5.
Policy-based Routing (PBR) 39 Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
a tunnel interface user needs to provide tunnel id mandatory. Instead if user provides the tunnel destination IP as next hop, that would be treated as IPv4 next hop and not tunnel next hop. PBR with Multiple Tacking Option: Policy based routing with multiple tracking option extends and introduces the capabilities of object tracking to verify the next hop IP address before forwarding the traffic to the next hop. The verification method is made transparent to the user.
Use the following command in CONFIGURATION mode: Table 62. Create a Redirect List Command Syntax Command Mode ip redirect-list redirect-list- CONFIGURATION name Purpose Create a redirect list by entering the list name. Format: 16 characters Delete the redirect list with the no ip redirect-list command. The following example creates a redirect list by the name of “xyz.
correspond to the host tracking of the forwarding router’s IP address configured in this rule.
given port number psh range range of port numbers rst syn urg Match on the psh bit Match only packets in the Match on the rst bit Match on the syn bit Match on the urg bit cr Dell(conf-redirect-list)#redirect 1.1.1.
Dell(conf-redirect-list)#do show ip redirect-list IP redirect-list xyz: Defined as: seq 5 redirect 3.3.3.3 ip host 222.1.1.1 host 77.1.1.1 Applied interfaces: None Multiple rules can be applied to a single redirect-list. The rules are applied in ascending order, starting with the rule that has the lowest sequence number in a redirect-list displays the correct method for applying multiple rules to one list.
To ensure that the permit statement or PBR exception is effective, use a lower sequence number, as shown below: ip redirect-list rcl0 seq 10 permit ip host 3.3.3.3 any seq 15 redirect 2.2.2.2 ip any any Apply a Redirect-list to an Interface using a Redirect-group IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces.
Table 65. Viewing the Redirect-list Configuration Command Syntax Command Mode Purpose show ip redirect-list redirect-list-name EXEC View the redirect list configuration and the associated interfaces. show cam pbr View the redirect list entries programmed in the CAM. EXEC show cam-usage List the redirect list configuration using the show ip redirect-list redirect-list-name command. The noncontiguous mask is displayed in dotted format (x.x.x.x). The contiguous mask is displayed in /x format.
Showing CAM PBR Configuration Example : Dell#show cam pbr stack-unit 1 port-set 0 TCP Flag: Bit 5 - URG, Bit 4 - ACK, Bit 3 - PSH, Bit 2 - RST, Bit 1 - SYN, Bit 0 - FIN Cam Port VlanID Proto Tcp Src Dst SrcIp DstIp Next-hop Egress Index Flag Port Port MAC Port ---------------------------------------------------------------------------------------------------------------06080 0 N/A IP 0x0 0 0 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199 N/A NA 06081 0 N/A TCP 0x10 0 40 234.234.234.234 255.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved seq 10 redirect 10.99.99.254 ip 192.168.2.
Verify the Applied Redirect Rules: Dell#show ip redirect-list redirect_list_with_track IP redirect-list redirect_list_with_track Defined as: seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24, Track 3 [up], Next-hop reachable (via Vl 20) seq 10 redirect 42.1.1.2 track 3 tcp any any, Track 3 [up], Next-hop reachable (via Vl 20) seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Next-hop reachable (via Vl 20) seq 20 redirect 42.1.1.2 track 3 udp any host 144.
Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces: Dell#configure terminal Dell(conf)#ip redirect-list explicit_tunnel Dell(conf-redirect-list)#redirect tunnel 1 track 222.22.2.0/24 Dell(conf-redirect-list)#redirect tunnel 1 track Dell(conf-redirect-list)#redirect tunnel 1 track 144.144.144.144 Dell(conf-redirect-list)#redirect tunnel 2 track 222.22.2.0/24 Dell(conf-redirect-list)#redirect tunnel 2 track Dell(conf-redirect-list)#end Dell# 1 tcp 155.55.2.0/24 1 tcp any any 1 udp 155.
Port Extenders (PEs) 40 The C9010 switch supports the IEEE 802.1BR fabric protocol to expand the port density of the chassis, using C1048P port extenders. In this deployment, the C9010 operates as a controlling bridge for the C1048P. The C1048P functions as a remote line card that is physically connected to, and provisioned by, a C9010 over 10GbE links according to the IEEE 802.1BR standard. IEEE 802.1BR The IEEE 802.
Figure 104. Controlling Bridge with Port Extenders 1. Controlling Bridge (C9010) 2. Cascade ports on controlling bridge 3. 10GbE uplink ports on PEs 4. Standalone PE (C1048P) 5. PE stack 6. Cable connections in a ring topology 802.1BR Terms and Definitions The 802.1BR protocol uses the following terms to describe the operation of a controlling bridge and attached port extenders. 802.
802.1BR Term Definition Upstream port A port on a bridge port extender that connects to a cascade port. In the case of the connection between two bridge port extenders, the upstream port is the port furthest from the controlling bridge. Enabling the Port Extender Feature To use and configure a PE attached to a controlling bridge, such as the C9010, you must first enable the port-extender feature by entering the feature extended-bridge command.
• pe-id is a port-extender ID number from 0 to 255. You must enter a pe-id value; there is no default. After you provision a PE, you can manage the PE by entering the pe pe-id command; for example: Dell(conf)# pe 0 Dell(conf-pe-0)# show config NOTE: Dell Networking OS recommends that before you configure the cascade ports on the parent control bridge, ensure that the cascade ports have a default port configuration with no L2 and L3 configuration. 2.
Dell(conf-if-te-1/0,te-1/12)# no shutdown Dell(conf-if-te-1/0,te-1/12)# exit Dell(conf)# pe provision 10 Dell(conf-pe-10)# cascade interface tengigabitethernet 1/0,12 Dell(conf-pe-10)# show config pe provision 10 cascade interface TenGigabitEthernet 1/0,12 stack-unit 0 type C1048P Dell# do show pe brief -- Port Extenders Information ------------------------------------------------PE-id Status Stack-size Type System-MAC ------------------------------------------------10 online 1 C1048P 00:01:02:03:11:01 NOTE
LAG 268 A Mode N/A Status up Dell# Uptime 14:45:26 Ports Te 1/0 (Up) Te 1/12 (Up) PE Selection Logic After you provision port extenders and power them on, the PEs come online according to the selection logic in the scenarios described in this section. • You may provision cascade ports for different PEs but connect the cascade ports to the same PE. In this case, only the PE with lowest PE ID comes online. In the following example, both cascade ports 1/0 and 1/12 are cabled to the same PE.
Maximum number of PE Units allowed: 40 Current number of PE units in the system: 1 Codes: A - Active, I - Inactive Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 10 Status: online System Mac: 00:01:02:03:11:01 PE Up Time: 00:02:14 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 1/0
-----------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
PE Up Time: 00:00:00 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 0/0(A) Cascade LAG: Po 261(Up) -----------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
– pe-id is a port-extender ID number from 0 to 255. – pe-stack-unit-id is a PE stack-unit ID number from 0 to 7. Dell# reset pe 0 stack-unit 1 Preventing Loops on Port Extender Ports You can specify the threshold value and a time interval for the maximum number of station moves to prevent loops on a port extender (PE) port . When the number of station moves for a specified MAC address exceeds the configured threshold value in the configured time, a loop is detected on the PE ports.
Upgrading a Port Extender You can update the Dell Networking operating system (OS) on a port extender manually as needed or allow it to be automatically updated by the controlling bridge. Auto-Upgrade of the OS Image An automatic OS upgrade is performed when a discovered standalone PE or PE stack is running an outof-date or incompatible software version compared to the OS image running on the controlling bridge. In this case, no operator intervention is necessary.
reset pe {0-255} [stack-unit {0-7}] Dell# Dell#reset pe Resetting PE will reload the entire PE STACK. Continue? [yes/no]: yes 3. Verify the OS image upgrade. EXEC Privilege mode show os-version Dell# Dell#show os-version RELEASE IMAGE INFORMATION : --------------------------------------------------------------------Platform Version Size ReleaseTime C-Series:C9000 9.9(0.
Platform C-Series:C1048P Version 9.9(0.0) Size 27132051 Sep ReleaseTime 4 2015 09:59:54 PE BOOT IMAGE INFORMATION : --------------------------------------------------------------------Type Version Target Checksum boot flash 3.3.1.
pwd reload rename reset show telnet-peer-stack-unit upgrade Display current working directory PE Halt and perform a cold restart Rename a file Reset selected PE PE Show running system information Open a telnet connection to the peer stack-unit Upgrade subcommands Supported Features • Because PE interfaces only support Layer 2 mode, you cannot configure an IP address configuration and Layer 3 protocol features.
Port Extender (PE) Stacking 41 You can stack up to eight C1048P port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. Stacking is not supported on C9010 switches. To set up a PE stack, follow the installation procedure in the Dell Networking C1048P Getting Started Guide or Dell Networking C1048P Installation Guide. Each C1048P has 48 user ports, two uplink ports, and two stack-ports.
• MAC address (if there is a priority tie) — By default, the unit with the highest MAC value becomes the master unit if no priorities are configured. A change in the stack master occurs when: • You power down the stack master. • A failover of the master switch occurs. • You disconnect the master switch from the stack. NOTE: If a stack unit does not boot up at the same time as the other units, it does not participate in the election process.
Configuring a PE Stack Before you start, ensure that the PE stack units are cabled in a ring topology, powered on, and that one or more stack units are attached to a 10GbE port on the parent C9010. For detailed information, see the Dell Networking C1048P Getting Started Guide or Dell Networking C1048P Installation Guide. From a console attached to the C9010 or through a Telnet session to the C9010 management port: 1. Turn on support for the port-extender configuration on a C9010.
Dell(conf-if-range-te-0/0-1)# no shutdown Dell(conf-if-range-te-0/0-1)# end Dell# show pe 2 Codes: A - Active, I - Inactive Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - CHM Validation Error PE-ID assigned: 0 Status: online System Mac: a0:68:00:3f:92:bc PE Up Time: 14:06:37 PE Discovery Status: Provisioned PE User Configured Cascade Ports:
Renumbering the stack master triggers a stack reload, as shown in the following message. When the stack comes back online, the master unit remains the management unit. Renumbering management unit will reload the stack. WARNING: Interface configuration for current unit will be lost! Proceed[confirm yes/no]: yes Prioritizing Stack Units In a PE stack, by default, the stack unit with the highest MAC address is elected master; the stack unit with the second highest MAC address is elected standby.
– pe-id — port extender identifier. The range is from 0 to 255. The following example shows the redundancy reset-counter pe command. • Dell #redundancy reset-counter pe 0 Display redundancy information. EXEC Privilege mode show redundancy pe pe-id pe-id — Port-extender identifier of the master stack unit. The range is from to 255. The following example shows the show redundancy pe command.
Examples of Removing a PE Stack Member The following example shows the status of stack-unit 1 before it is removed from the PE stack.
Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error ISE - IPC Setup Error, CVE - Card Validation Error PE-ID assigned: 0 Status: online System Mac: a0:68:00:3f:92:bc PE Up Time: 14:13:03 PE Discovery Status: Provisioned PE User Configured Cascade Ports: Te 0/0(A),Te 2/22(A) Cascade LAG: Po 258(Up) ------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
• Display information about a specified PE stack unit, including status, unit type, and MAC address. Dell#show pe 255 system stack-unit 2 -- Unit 2 -Unit Type : Management Unit Status : online Next Boot : online Required Type : C1048P - 48-port GE Current Type : C1048P - 48-port GE Master priority : 0 Hardware Rev : 5.0 Num Ports : 52 Up Time : 1 hr, 36 min Dell Networking OS Version : 9-9(0-8) Jumbo Capable : yes POE Capable : yes FIPS Mode : disabled Boot Flash : 3.3.1.
• Display the type of stack topology (ring or daisy chain) and the stack-port connections on peer stackunits in the ring. The interface and connection values are in the format pe-id/stack-port. Enter the PE ID of the master unit.
Using PE Console Commands To debug an error condition in a PE stack, you can connect a console to the console port on the master unit and enter PE console commands. Contact Dell Networking support for assistance. The supported PE console commands are described in the C9000 Series Command-Line Reference Guide.
Port Monitoring 42 Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques: • Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Figure 105. Port Monitoring Configurations Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
pipe 0.
monitor session id type rpm — The id needs to be unique and not already defined in the box specifying type as rpm defines an RPM session. type is an optional keyword, required only for rpm and erpm. Specifies one of the following types: • rpm — Creates a remote port monitoring (rpm) session. • erpm — Creates an encapsulated remote port monitoring (erpm) session.
The following example monitors and displays information about port extender interface 255/0/0.
In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a userdefined, nonroutable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN. Each intermediate switch that participates in the transport of mirrored traffic must be configured with the reserved L2 VLAN.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The member port of the reserved VLAN should have MTU and IPMTU value as MAX+4 (to hold the VLAN tag parameter). • To associate with a source session, the reserved VLAN can have a maximum of 4 member ports. • To associate with a destination session, the reserved VLAN can have multiple member ports. • The reserved VLAN cannot have untagged ports. In the reserved L2 VLAN used for remote port mirroring: • MAC address learning in the reserved VLAN is automatically disabled.
• A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port. • A destination port cannot be used in any spanning tree instance. • The reserved VLAN used to transport mirrored traffic must be a L2 VLAN. L3 VLANs are not supported.
2 monitor session id type rpm 3 source {interface | range} Enter a source port or a range of source port destination interface direction {rx | interfaces to be monitored. Enter the destination port tx | both} interface. Specify ingress (rx), egress (tx), or both ingress and egress traffic to be monitored. 7 no disable Specify a unique session ID number and RPM as the session type, and enter Monitoring-Session configuration mode. Enter the no disable command to activate the RPM session.
Dell(conf-mon-sess-3)#no disable Dell(conf-mon-sess-3)#exit Dell(conf)#end Dell# Dell#show monitor session SessID Source Destination ------ ---------------1 Te 0/5 remote-vlan 10 2 Vl 100 remote-vlan 20 3 Po 10 remote-vlan 30 Dell# Dir --rx rx both Mode ---Port Port Port Source IP --------N/A N/A N/A Dest IP -------N/A N/A N/A Dell(conf)#interface te 0/0 Dell(conf-if-te-0/0)#switchport Dell(conf-if-te-0/0)#no shutdown Dell(conf-if-te-0/0)#exit Dell(conf)#interface te 0/1 Dell(conf-if-te-0/1)#switchport
Configuring RPM Source Sessions to Avoid BPD Issues When you configure an RPM source session, you can avoid BPDU issues by using the configuration: 1. Enable the MAC control-plane egress ACL. mac control-plane egress-acl 2. Create an extended MAC access list and add a deny rule for (0x0180c2xxxxxx) packets using the following commands: mac access-list extended mac2 seq 5 deny any 01:80:c2:00:00:00 00:00:00:ff:ff:ff count 3. Apply the extended MAC ACL on the RPM VLAN (VLAN 10 in the following example).
Encapsulated Remote-Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. NOTE: When configuring ERPM, follow these guidelines: • The Dell Networking OS supports ERPM source sessions only. Encapsulated packets terminate at the destination IP address or at the analyzer.
5 erpm source-ip-address dest-ipaddress Specify the source IP address and the destination IP address to which encapsulated mirrored traffic is sent. 6 flow-based enable Specify ERPM to be performed on a flowby-flow basis or if you configure a VLAN source interface. Enter no flow-based disable to disable flow-based ERPM. 7 no disable Enter the no disable command to activate the ERPM session. The following example shows a sample ERPM configuration.
only. You must also apply an access list to the VLAN with the rules that match with the keyword “monitor”.
43 Power over Ethernet (PoE) The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to the attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P port-extender (PE); PoE is not supported on the C9010 switches. PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
Configuring PoE or PoE+ Configuring PoE or PoE+ is a two-step process: 1. Connect the IEEE 802.3af/802.3at-compliant powered device directly to a port. 2. Enable PoE or PoE+ on the port extender. Enabling PoE or PoE+ on a Port By default, PoE or PoE+ are disabled. Configuration tasks for PoE include: • Enabling PoE and managing the inline power supplied to the port extender ports using the power inline mode command. To manage inline power in a port extender, use Configure Class or Static mode.
Manage Ports using Power Priority and the Power Budget The allocation and return of power-on ports depends on the total inline power available in the system and the power priority calculation. Determining the Power Priority for a Port The Dell Networking OS uses a sophisticated port prioritization algorithm to determine which ports receive power so that the PoE and PoE+ ports are powered up and down deterministically.
3. The max_milliwatts option has no effect on a port extender (PE) port when the PE port is configured to be in Class mode. Managing Power Priorities PoE or PoE+ enabled port extender ports have power access priorities based first on the priority configured and then on their port number.
and 30.0 W for PoE+. No dynamic PoE/PoE+ class detection performs on Static ports. The default Power Management mode is static. • pe pe-id — Specify the port extender ID. The range is from 0 to 255. • stack-unit unit-number — Specify the stack unit number of the port extender. The range is from 0 to 7. • Enable PoE and configure Power Management mode on a port extender.
1. Ports with low priority are shut down first. 2. Ports with a high priority are shut down second. 3. Ports with a critical priority are shut down third. NOTE: When you configure the ports with the same priority levels, the port number determines which port has the highest priority (port 1 has the highest priority; port 48 has the lowest priority). The ports with the higher interface numbers for inline power disable first. The ports with the lower interface numbers have the highest priority.
The following example sets the priority on interface peGigE 255/0/1 to critical.
Figure 107.
-------------------------------------------------------------------------------0/0 1000 150 0 99 841 0 0 841 Advertising the Extended Power through MDI The power device sends the following information in the LLDP-MED extended power-via-MDI TLV. 1. Power Requirement: Dell Networking OS uses it for power allocation 2. Power Priority — Critical, High, or Low: Dell Networking OS uses it for power priority calculation. 3. External Power Source: Dell Networking OS does not use this information. IEEE 802.
Advertising Extended Power Though dot3–TLVs The power device sends the following information in the IEEE 802.3 power-via-mdi TLV. 1. Power Class — Dell Networking OS honors and displays the power class in the show power inline command in EXEC mode (the PD-requested power value must be within the class max watts limit). 2. Type — Dell Networking OS uses type only when the type is Type1 or Type2 PD and displays the type in the show power inline command in EXEC mode.
Detecting Legacy Devices and Allocating Power To enable detection of legacy devices and allocation of inline power to the devices on a port extender, use the power inline legacy pe pe—id stack-unit unit-number command in Configuration mode. To disable detection of legacy devices, use the [no] power inline legacy pe pe-id stack-unitunit-number command. This command has the following parameters: • • pe pe-id — Specify the port extender ID. The range is from 0 to 255.
Creating VLANs for an Office VoIP Deployment The phone in the previous figure requires one tagged VLAN for VoIP service and one untagged VLAN for PC data, as shown in the following example. You can configure voice signaling on the voice VLAN but some implementations may need an extra tagged VLAN for this traffic.
Gi Gi 0/6/22 0.0.0.0 08:00:0f:22:7f:83 0/6/23 0.0.0.0 08:00:0f:23:de:a9 Configuring QoS for an Office VoIP Deployment There are several ways you can use quality of service (QoS) to map ingress phone and PC traffic to give them each a different quality of service. Honoring the Incoming DSCP Value If you know that traffic originating from the phone is tagged with the DSCP value of 46 (EF), you can make the associated queue a strict-priority queue, as shown in the following example.
Classifying VoIP Traffic and Applying QoS Policies You can avoid congestion and give precedence to voice and signaling traffic by classifying traffic based on the subnet and using strict priority and bandwidth weights on egress, as outlined in the following steps. The following figure depicts the topology and configuration for a C9000 system. Figure 109. PoE VoIP Traffic To classify VoIP traffic and apply QoS policies for an office VoIP deployment, use the following commands: 1.
CONFIGURATION mode or POLICY-MAP-OUT mode policy-map-out or service-queue 5. Assign a strict priority to unicast traffic in queue 3. CONFIGURATION mode strict-priority 6. Apply the input policy map you created in Step 2 to the interface connected to the phone. Apply the output policy map you created in Step 4 to the interface connected your desired next-hop router. INTERFACE mode service-policy Example of the sh run acl command. Dell#sh run acl ! ip access-list extended pc-subnet seq 5 permit ip 201.1.
no ip address portmode hybrid switchport service-policy input phone-pc power inline auto no shutdown Dell#sh run int gi 0/6/2 ! interface GigabitEthernet 0/6/2 description "Uplink to C9000" no ip address switchport service-policy output BW no shutdow Managing PoE on the Port Extender This section describes how to manage PoE on the port extender. Upgrading the PoE Controller To upgrade the PoE controller firmware on a port extender, use the following command.
• Disable inline power on the port extender. EXEC privilege mode power inline suspend pe pe-id stack-unit unit-number – pe pe-id — Specify the port extender ID. The range is from 0 to 255. – stack-unit unit-number — Specify the stack unit number of the port extender. The range is from 0 to 7.
(Watts) (Watts) ----------------------- -----------PeGi 0/0/0 30.00/0.00 0.00 ------- ------ -------- -----NO_PD critical 0 Monitor the Power Budget The power budget is the amount of power available from the installed PSUs minus the power required to operate the port extender. To help determine if power is available for additional PoE or PoE+ ports, use the show power inline and show power detail commands. For information about these commands, see Displaying PoE Power Allocation.
Enabling PoE or PoE+ on more ports than the power budget supports produces one of the following results: • If the newly PoE or PoE+ -enabled port has a lower priority, the command is accepted but power is not allocated to the port. In this case, the following message displays: %Warning: Insufficient power to enable. POE oper-status set to OFF for port.
Inline Power Max / Alloc Displays the maximum amount of power allowed for the port currently allocated to the port when sufficient power is available. When sufficient power is not available for a particular port, inline power is not supplied to that port. If you insert an extra power supply, or when the priority of the port is sufficiently increased, the PSU the allocated power to the port. Inline Power Consumed Displays the amount of power that the connected device consumes.
Power Power Power Power Power Power Power Power Available Consumed Consumed Threshold Available Allocated Consumed Remain (Watts) (Watts) (Watts) (%) (Watts) (Watts) (Watts) (Watts) -------------------------------------------------------------------------------0/0 1000 150 0 99 841 21 21 820 Table 70. show power detail Field Description Field Description Unit The stack member unit ID. Total Power Available (Watts) The total power available in the port extender.
Private VLANs (PVLAN) 44 Private VLANs (PVLANs) extend Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
– A primary VLAN has one or more secondary VLANs. – A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN. PVLAN port types include: • Host port — in the context of a private VLAN, is a port in a secondary VLAN.
• Display type and status of PVLAN interfaces. EXEC mode or EXEC Privilege mode • show interfaces private-vlan [interface interface] Display PVLANs and/or interfaces that are part of a PVLAN. EXEC mode or EXEC Privilege mode • show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] Display primary-secondary VLAN mapping. EXEC mode or EXEC Privilege mode • show vlan private-vlan mapping Set the PVLAN mode of the selected port.
switchport mode private-vlan {host | promiscuous | trunk} • host (isolated or community VLAN port) • promiscuous (intra-VLAN communication port) • trunk (inter-switch PVLAN hub port) Example of the switchport mode private-vlan Command For interface details, refer to Enabling a Physical Interface in the Interfaces chapter. NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. Conversely, you cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs.
The list of secondary VLANs can be: 5. • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-IDVLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Add promiscuous ports as tagged or untagged interfaces. INTERFACE VLAN mode tagged interface or untagged interface Add PVLAN trunk ports to the VLAN only as tagged interfaces.
You can enter the interfaces singly or in range format, either comma-delimited (slot/ port,port,port) or hyphenated (slot/ port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 110. Sample Private VLAN Topology The following configuration is based on the example diagram: • Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• All the ports in the secondary VLANs (both community and isolated VLANs) can only communicate with ports in the other secondary VLANs of that PVLAN over Layer 3, and only when the ip localproxy-arp command is invoked in the primary VLAN. NOTE: Even after you disable ip-local-proxy-arp (no ip-local-proxy-arp) in a secondary VLAN, Layer 3 communication may happen between some secondary VLAN hosts, until the ARP timeout happens on those secondary VLAN hosts.
show vlan private-vlan mapping This command is specific to the PVLAN feature. Examples of Viewing a Private VLANs The show arp and show vlan commands are revised to display PVLAN data. The following example shows viewing a private VLAN for a C300 system.
no ip address switchport switchport mode private-vlan host no shutdown ! interface TengigabitEthernet 0/5 no ip address switchport switchport mode private-vlan host no shutdown ! interface TengigabitEthernet 0/6 no ip address switchport switchport mode private-vlan host no shutdown ! interface TengigabitEthernet 0/25 no ip address switchport switchport mode private-vlan trunk no shutdown ! interface Vlan 4000 private-vlan mode primary private-vlan mapping secondary-vlan 4001-4003 no ip address tagged Tengi
Quality of Service (QoS) 45 This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 111. Dell Networking QoS Architecture Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
• RFC 2475, An Architecture for Differentiated Services • RFC 2597, Assured Forwarding PHB Group • RFC 2598, An Expedited Forwarding PHB You cannot configure port-based and policy-based QoS on the same interface. Port-Based QoS Configurations You can configure the following QoS features on an interface. NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same virtual local area network (VLAN).
Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Example of Configuring and Viewing Rate Policing The following example shows configuring rate policing. Dell#config t Dell(conf)#interface tengigabitethernet 1/2 Dell(conf-if)#rate police 100 40 peak 150 50 Dell(conf-if)#end Dell# Configuring Port-Based Rate Shaping Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 112. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value, IP precedence, VLANs, or characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using layer 3 class-maps. You can specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map. NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
The following example matches IPv6 traffic with a DSCP value of 40. Dell(conf)# class-map match-all test Dell(conf-class-map)# match ipv6 dscp 40 The following example matches IPv4 and IPv6 traffic with a precedence value of 3. Dell(conf)# class-map match-any test1 Dell(conf-class-map)#match ip-any precedence 3 Creating a Layer 2 Class Map All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command.
Dell(conf)# interface fo 0/0 INTERFACE mode Dell(conf-if-fo-0/0)# ip address 90.1.1.1/16 2. Configure a Layer 2 QoS policy with Layer 2 (Dot1p or source MAC-based) match criteria. CONFIGURATION mode Dell(conf)# policy-map-input l2p layer2 3. Apply the Layer 2 policy on a Layer 3 interface.
CONFIGURATION mode Dell(conf)#policy-map-input pp_policmap 7. Create a service queue to associate the class map and QoS policy map. POLICY-MAP mode Dell(conf-policy-map-in)#service-queue 0 class-map pp_classmap qos-policy pp_qospolicy Ordering ACL Rules When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
match ip access-group AF1-FB2 set-ip-dscp 12 match ip dscp 10 set-ip-dscp 14 match ipv6 dscp 20 set-ip-dscp 14 ! class-map match-all ClassAF2 match ip access-group AF2 match ip dscp 18 Dell#show running-config ACL ! ip access-list extended AF1-FB1 seq 5 permit ip host 23.64.0.2 any seq 10 deny ip any any ! ip access-list extended AF1-FB2 seq 5 permit ip host 23.64.0.3 any seq 10 deny ip any any ! ip access-list extended AF2 seq 5 permit ip host 23.64.0.
Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command. 2. After you create an input QoS policy, do one or more of the following: Configuring Policy-Based Rate Policing Setting a DSCP Value for Egress Packets Setting a dot1p Value for Egress Packets Configuring Policy-Based Rate Policing To configure policy-based rate policing, use the following command. • Configure rate police ingress traffic.
qos-policy-output 2. After you configure an output QoS policy, do one or more of the following: Strict-Priority Queuing Configuring Policy-Based Rate Shaping Allocating Bandwidth to Queue Specifying WRED Drop Precedence Strict-Priority Queuing You can configure strict-priority queueing in an output QoS policy. Strict-priority means that the system de-queues all packets from the assigned queue before servicing any other queues. Strict-priority queueing is performed using the Scheduler Strict feature.
Allocating Bandwidth to Queue The switch schedules packets for egress based on Deficit Round Robin (DRR). This strategy offers a guaranteed data rate. Allocate bandwidth to queues only in terms of percentage in 4-queue and 8-queue systems. The following table shows the default bandwidth percentage for each queue. Table 72. Default Bandwidth Weights Queue Default Bandwidth Percentage for Default Bandwidth Percentage for 4–Queue System 8–Queue System 0 6.67% 1% 1 13.33% 2% 2 26.67% 3% 3 53.
Create a Layer 2 input policy map by entering the policy-map-input layer2 command. 2. After you create an input policy map, do one or more of the following: Applying a Class-Map or Input QoS Policy to a Queue Applying an Input QoS Policy to an Input Policy Map Honoring DSCP Values on Ingress Packets Guaranteeing Bandwidth to dot1p-Based Service Queues Honoring dot1p Values on Ingress Packets 3. Apply the input policy map to an interface.
DSCP/CP bit range (in hexadecimal) DSCP Definition Traditional IP Precedence Internal Queue ID DSCP/CP decimal range 000xxx BE (Best Effort) Best Effort 0 • 0–7 Enable the trust DSCP feature. POLICY-MAP-IN mode trust diffserv Honoring dot1p Values on Ingress Packets In an input QoS policy, you can configure the system to honor dot1p values on ingress packets using the Trust dot1p feature. The following table specifies the queue to which the classified traffic is sent based on the dot1p value.
Guaranteeing Bandwidth to dot1p-Based Service Queues To guarantee bandwidth to dot1p-based service queues, use the following command. Apply this command in the same way as the bandwidth-percentage command in an output QoS policy (refer to Allocating Bandwidth to Queue). The bandwidth-percentage command in QOSPOLICY-OUT mode supersedes the service-class bandwidth-percentage command. • Guarantee a minimum bandwidth to queues globally.
Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. • Specify an aggregate QoS policy. POLICY-MAP-OUT mode policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command. • Apply an input policy map to an interface. INTERFACE mode service-policy output You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it.
• If you configured a DSCP color map on an interface that does not exist or you delete a DSCP color map that is configured on an interface, that interface uses an all green color policy. To create a DSCP color map: 1. Create the color-aware map QoS DSCP color map. CONFIGURATION mode qos dscp-color-map color-map-name 2. Create the color aware map profile. DSCP-COLOR-MAP dscp {yellow | red} {list-dscp-values} 3. Apply the map profile to the interface.
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscpcolor-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
You can optionally include overhead fields in rate metering calculations by enabling QoS rate adjustment. QoS rate adjustment is disabled by default, and no qos-rate-adjust is listed in the runningconfiguration • Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations. CONFIGURATION mode qos-rate-adjust overhead-bytes For example, to include the Preamble and SFD, enter qos-rate-adjust 8.
WRED uses a profile to specify minimum and maximum threshold values. The minimum threshold is the allotted buffer space for specified traffic, for example, 1000KB on egress. If the 1000KB is consumed, packets are dropped randomly at an exponential rate until the maximum threshold is reached (as shown in the following illustration); this procedure is the “early detection” part of WRED.
Creating WRED Profiles To create WRED profiles, use the following commands. 1. Create a WRED profile. CONFIGURATION mode wred 2. Specify the minimum and maximum threshold values. WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify on which traffic the system applies the profile.
Displaying WRED Drop Statistics To display WRED drop statistics, use the following command. • Display the number of packets that the WRED profile drops. EXEC Privilege mode show qos statistics Examples of the show qos statistics Commands The following shows the show qos statistics output. Dell# show qos statitstics wred-profile WInterface Te 0/49 Drop-statistic Green Yellow Out of Profile Dropped Pkts 51624 51300 0 The following shows the show qos statistics output on the port extender.
congestion avoidance by allowing the switch to mark packets for later transmission rather than dropping them from a queue. ECN uses a two-bit ECN-specific field in the IP header to indicate if a packet is ECN-capable, if the endpoints in the transport protocol are ECN-capable, and if there is network congestion.
When you use ECN to classify and color-mark packets in an ingress class map, take into account: • When all matching packets are marked for yellow treatment, policer-based coloring is not supported at the same time. • If a single-rate two-color policer is configured at the same time as ECN-matched packets are set for yellow handling, by default all packets less than PIR are marked for “green” handling.
class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 The second example shows how to achieve the desired configuration by specifying ECN match criteria to classify ECN-capable packets: ip access-list standard dscp_
transmission and when the transmission rate is reduced on an interface during times of network congestion. For example, in a best-effort network topology that uses WRED with instantaneous ECN, data packets may be transmitted at a rate in which latency or throughput are not maintained at an effective, optimal level. Packets are dropped when the network experiences a large traffic load according to the configured WRED thresholds.
You can define WRED profiles and a weight on global service-pools for both lossy and lossless (PFC) service-pools. The following events occur when you configure WRED with ECN on a global service-pool: • If WRED/ECN is enabled on the global service-pool with threshold values and if it is not enabled on the queues, WRED/ECN are not effective based on global service-pool WRED thresholds. The queue on which traffic is scheduled must have WRED/ECN settings enabled for WRED to be valid for its traffic.
buffer memory that can be accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. 1. Configure the weight factor for computation of average-queue size. This weight value applies to front-end and backplane ports. QOS-POLICY-OUT mode Dell(conf-qos-policy-out)#wred weight number 2.
Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policymap consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receive a CAM full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
test cam-usage Example of the test cam-usage Command Dell# test cam-usage service-policy input pmap_l2 linecard 0 port-set 0 Linecard | Port-pipe | CAM Partition | Available CAM | Estimated CAM | Status =============================================================================== 0 0 L2ACL 500 200 Allowed(2) SNMP Support for Buffer Statistics Tracking SNMP support for buffer statistics tracking (BST) counters is implemented in the F10-FPSTATS MIB.
Routing Information Protocol (RIP) 46 The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2). These versions are documented in RFCs 1058 and 2453.
Implementation Information The Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the default values for RIP parameters on the switch. Table 77.
Enabling RIP Globally By default, RIP is disabled on the switch. To enable RIP globally, use the following commands. 1. Enter ROUTER RIP mode and enable the RIP process. CONFIGURATION mode router rip 2. Assign an IP network address as a RIP network to exchange routing information.
192.162.2.0/24 [120/1] via 29.10.10.12, 00:01:21, Fa 0/0 192.162.2.0/24 auto-summary 192.161.1.0/24 [120/1] via 29.10.10.12, 00:00:27, Fa 0/0 192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes.
• Assign a configured prefix list to all outgoing RIP routes. ROUTER RIP mode distribute-list prefix-list-name out To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode. Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process.
• ip rip receive version [1] [2] Set the RIP versions sent out on that interface. INTERFACE mode ip rip send version [1] [2] Examples of Setting the RIP Process To see whether the version command is configured, use the show config command in ROUTER RIP mode. To view the routing protocols configuration, use the show ip protocols command in EXEC mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2.
Interface FastEthernet 0/0 Routing for Networks: 10.0.0.0 Recv 2 Routing Information Sources: Gateway Distance Send 1 2 Last Update Distance: (default is 120) Dell# Generating a Default Route Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP.
Exercise caution when applying an offset command to routers on a broadcast network, as the router using the offset command is modifying RIP advertisements before sending out those advertisements. The distance command also allows you to manipulate route metrics. To assign different weights to routes so that the ones with the lower weight or administrative distance assigned are preferred, use the distance command. To set route matrixes, use the following commands.
RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names. The examples are divided into the following groups of command sequences: • Configuring RIPv2 on Core 2 • Core 2 RIP Output • RIP Configuration on Core 3 • Core 3 RIP Output • RIP Configuration Summary Figure 114.
To view the learned RIP routes on Core 2, use the show ip rip database command. Core2(conf-router_rip)#end 00:12:24: %SYSTEM-P:CP %SYS-5-CONFIG_I: Configured from console by console Core2#show ip rip database Total number of routes in RIP database: 7 10.11.30.0/24 [120/1] via 10.11.20.1, 00:00:03, TenGigabitEthernet 2/31 10.300.10.0/24 directly connected,TenGigabitEthernet 2/42 10.200.10.0/24 directly connected,TenGigabitEthernet 2/41 10.11.20.0/24 directly connected,TenGigabitEthernet 2/31 10.11.10.
TenGigabitEthernet TenGigabitEthernet TenGigabitEthernet TenGigabitEthernet Routing for Networks: 10.300.10.0 10.200.10.0 10.11.20.0 10.11.10.0 2/42 2/41 2/31 2/11 2 2 2 2 2 2 2 2 Routing Information Sources: Gateway Distance Last Update 10.11.20.1 120 00:00:12 Distance: (default is 120) Core2# RIP Configuration on Core3 The following example shows how to configure RIPv2 on a host named Core3.
192.168.2.0/24 192.168.2.0/24 Core3# directly connected,TenGigabitEthernet 3/44 auto-summary To view the RIP setup on Core 3, use the show ip routes command.
RIP Configuration Summary Examples of Viewing the RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2. ! interface TengigabitEthernet ip address 10.11.10.1/24 no shutdown ! interface TengigabitEthernet ip address 10.11.20.2/24 no shutdown ! interface TengigabitEthernet ip address 10.200.10.1/24 no shutdown ! interface TengigabitEthernet ip address 10.250.10.1/24 no shutdown router rip version 2 10.200.10.0 10.300.10.0 10.11.10.0 10.11.20.
47 Remote Monitoring (RMON) Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
• Platform Adaptation — RMON supports all Dell Networking chassis and all Dell Networking Ethernet interfaces. Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
increase of 15 or more (such as from 100000 to 100015). The alarm then triggers event number 1, which is configured with the RMON event command. Possible events include a log entry or an SNMP trap. If the 1.3.6.1.2.1.2.2.1.20.1 value changes to 0 (falling-threshold 0), the alarm is reset and can be triggered again. Dell(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.
– integer: a value from 1 to 65,535 that identifies the RMON Statistics Table. The value must be unique in the RMON Statistic Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. – ownername: (Optional) records the name of the owner of the RMON group of statistics. The default is a null-terminated string. Example of the rmon collection statistics Command To remove a specified RMON statistics collection, use the no form of this command.
Rapid Spanning Tree Protocol (RSTP) 48 The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).. Protocol Overview The Dell Networking OS supports three other versions of spanning tree, as shown in the following table. Table 78.
• • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP.
Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled.
Figure 115. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
The port is not in the Edge port mode Port 379 (TengigabitEthernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • • • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535.
– Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command). – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). To enable EdgePort on an interface, use the following command. • Enable EdgePort on an interface.
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond. hello times are encoded using values less than 256; the millisecond hello time equals (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not used.
Security 49 This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Role-Based Access Control With Role-Based Access Control (RBAC), access and authorization is controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID.
allows you to change permissions based on the role. You can modify the permissions specific to that command and/or command option. For more information, see Modifying Command Permissions for Roles . NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you will be automatically placed in EXEC Priv mode. For greater security, the ability to view event, audit, and security system log is associated with user roles.
For consistency, the best practice is to define the same authorization method list across all lines, in the same order of comparison; for example VTY and console port. You could also use the default authorization method list to apply to all the LINES (console port, VTY). If you do not, the following error is displayed when you attempt to enable role-based only AAA authorization. % Error: Exec authorization must be applied to more than one line to be useful, e.g. console and vty lines.
Role Modes netoperator netadmin Exec Config Interface Router IP Route-map Protocol MAC secadmin Exec Config Line sysadmin Exec Config Interface Line Router IP Route-map Protocol MAC User Roles This section describes how to create a new user role and configure command permissions and contains the following topics.
Example of Creating a User Role The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions. Create a new user role, myrole and inherit security administrator permissions. Dell(conf)#userrole myrole inherit secadmin Verify that the user role, myrole, has inherited the security administrator permissions. The output highlighted in bold indicates that the user role has successfully inherited the security administrator permissions.
The following example denies the netadmin role from using the show users command and then verifies that netadmin cannot access the show users command in exec mode. Note that the netadmin role is not listed in the Role access: secadmin,sysadmin, which means the netadmin cannot access the show users command.
The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
You can further restrict users’ permissions, using the aaa authorization command command in CONFIGURATION mode. aaa authorization command {method-list-name | default} method [… method4] Examples of Applying a Method List The following configuration example applies a method list: TACACS+, RADIUS and local: ! radius-server host 10.16.150.203 key ! tacacs-server host 10.16.150.
authorization exec ucraaa accounting commands role netadmin ucraaa line vty 9 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin ucraaa ! Configuring TACACS+ and RADIUS VSA Attributes for RBAC For RBAC and privilege levels, the Dell Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell Networking vendor-ID is 6027 and the supported option has attribute of type string, which is titled “Force10-avpair”.
• Applying an Accounting Method to a Role • Displaying Active Accounting Sessions for Roles Configuring AAA Accounting for Roles To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
• Displaying User Roles • Displaying Information About Roles Logged into the Switch • Displaying Active Accounting Sessions for Roles Displaying User Roles To display user roles using the show userrole command in EXEC Privilege mode, use the show userroles and show users commands in EXEC privilege mode.
4 vty 2 ml1 netadmin 12 idle 172.31.1.5 AAA Accounting Accounting, authentication, and authorization (AAA) accounting is part of the AAA security model. For details about commands related to AAA security, refer to the Security chapter in the Dell Networking OS Command Reference Guide. AAA accounting enables tracking of services that users are accessing and the amount of network resources being consumed by those services.
– tacacs+: designate the security service. The system supports only TACACS+. Example Dell(conf)#aaa accounting dot1x default start-stop tacacs+ Dell(conf)# tacacs-server host server-address key key Suppressing AAA Accounting for Null Username Sessions When you activate AAA accounting, the system issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL.
Monitoring AAA Accounting The system does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
For a complete list of all commands related to login authentication, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. The system evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, the system applies the next method list until the user either passes or fails the authentication.
Enabling AAA Authentication To enable AAA authentication, use the following command. • Enable AAA authentication. CONFIGURATION mode aaa authentication enable {method-list-name | default} method1 [... method4] – default: uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. – method-list-name: character string used to name the list of enable authentication methods activated when a user logs in. – method1 [...
Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server. • • TACACS+ — When using TACACS+, the switch sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS server must have an entry for username $enable$.
enable command. If you move between privilege levels, you are prompted for a password if you move to a higher privilege level. Configuration Task List for Privilege Levels The following list has the configuration tasks for privilege levels and passwords.
– level level: Specify a level from 0 to 15. Level 15 includes all levels. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. To change only the password for the enable command, configure only the password parameter. To view the configuration for the enable secret command, use the show running-config command in EXEC Privilege mode. In custom-configured privilege levels, the enable command is always available.
To assign commands and passwords to a custom privilege level, use the following commands. You must be in privilege level 15. 1. Assign a user name and password. CONFIGURATION mode username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password] Configure the optional and required parameters: 2. • name: enter a text string (up to 63 characters). • access-class access-list-name: enter the name of a configured IP ACL.
Line 2: All other users are assigned a password to access privilege level 8. Line 3: The configure command is assigned to privilege level 8 because it needs to reach CONFIGURATION mode where the snmp-server commands are located. Line 4: The snmp-server commands, in CONFIGURATION mode, are assigned to privilege level 8.
LINE mode privilege level level • – level level: The range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration. Specify either a plain text or encrypted password. LINE mode password [encryption-type] password Configure the following optional and required parameters: – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a text string up to 25 characters long.
If an error occurs in the transmission or reception of RADIUS packets, you can view the error by enabling the debug radius command. Transactions between the RADIUS server and the client are encrypted (the users’ passwords are not sent in plain text). RADIUS uses UDP as the transport protocol between the RADIUS server host and the client. For more information about RADIUS, refer to RFC 2865, Remote Authentication Dial-in User Service.
Auto-Command You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command command is executed when the user is authenticated and before the prompt appears to the user. • Automatically execute a command. auto-command Privilege Levels Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. • Set a privilege level.
• Create a method list with RADIUS and TACACS+ as authorization methods. CONFIGURATION mode aaa authorization exec {method-list-name | default} radius tacacs+ Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified). Applying the Method List to Terminal Lines To enable RADIUS AAA login authentication for a method list, apply it to a terminal line.
which they were configured. When the switch authenticates a user, the software connects with the RADIUS server hosts one at a time, until a RADIUS server host responds with an accept or reject response. If you want to change an optional parameter setting for a specific host, use the radius-server host command. To change the global communication settings to all RADIUS server hosts, refer to Setting Global Communication Parameters for all RADIUS Server Hosts.
EXEC Privilege mode debug radius TACACS+ The system supports terminal access controller access control system (TACACS+ client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration task for TACACS+ functions.
Example of a Failed Authentication To view the configuration, use the show config in LINE mode or the show running-config tacacs + command in EXEC Privilege mode. If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically. For example, if the TACACS+ server is reachable, but the server key is invalid, the system proceeds to the next authentication method.
username and password of the incoming user before it can fetch the access class from the server. A user, therefore, at least sees the login prompt. If the access class denies the connection, the system closes the Telnet session immediately. The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it.
To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode. To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command. freebsd2# telnet 2200:2200:2200:2200:2200::2202 Trying 2200:2200:2200:2200:2200::2202... Connected to 2200:2200:2200:2200:2200::2202. Escape character is '^]'.
EXEC Privilege mode ssh {hostname} [-l username | -p port-number | -v {1 | 2} • hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D). Configure the Dell Networking system as an SCP/SSH server. CONFIGURATION mode • ip ssh server {enable | port port-number} Configure the Dell Networking system as an SSH server that uses only version 1 or 2. CONFIGURATION mode • ip ssh server version {1|2} Display SSH connection information.
EXEC Privilege mode Example of Using SCP to Copy from an SSH Server on Another Switch Other SSH-related commands include: • crypto key generate: generate keys for the SSH server. • debug ip ssh: enables collecting SSH debug information. • ip scp topdir: identify a location for files used in secure copy transfer. • ip ssh authentication-retries: configure the maximum number of attempts that should be used to authenticate a user.
To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval] [volume rekey-limit] command. CONFIGURATION mode. Configure the following parameters: • rekey-interval: time-based rekey threshold for an SSH session. The range is from 10 to 1440 minutes. The default is 60 minutes. • rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 to megabytes. The default is 1024 megabytes.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server. The following HMAC algorithms are available: • hmac-md5 • hmac-md5-96 • hmac-sha1 • hmac-sha1-96 • hmac-sha2-256 • hmac-sha2-256-96 The default HMAC algorithms are the following: • hmac-md5 • hmac-md5-96 • hmac-sha1 • hmac-sha1-96 • hmac-sha2-256 • hmac-sha2-256-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96.
The following example shows you how to configure a cipher list. Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr Secure Shell Authentication Secure Shell (SSH) is disabled by default. Enable SSH using the ip ssh server enable command.
no ip ssh password-authentication enable 4. Enable RSA authentication in SSH. CONFIGURATION mode ip ssh rsa-authentication enable 5. Install user’s public key for RSA authentication in SSH. EXEC Privilege mode ip ssh rsa-authentication my-authorized-keys flash://public_key Example of Generating RSA Keys admin@Unix_client#ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/id_rsa already exists.
admin@Unix_client# ls moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub ssh_config ssh_host_dsa_key ssh_host_key ssh_host_rsa_key admin@Unix_client# cat ssh_host_rsa_key.pub ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/ AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= admin@Unix_client# ls id_rsa id_rsa.pub shosts admin@Unix_client# cat shosts 10.16.127.
Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config. To enable or disable the Telnet daemon, use the [no] ip telnet server enable command.
users identify themselves, the system retrieves the access class from the local database and applies it. (The system can then close the connection if a user is denied access.) NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication. The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No access class is configured for the VTY line.
To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
Service Provider Bridging 50 Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 116. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLANstack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-stack VLAN.
Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
! interface TenGigabitEthernet 2/12 no ip address switchport vlan-stack trunk no shutdown Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
To configure trunk ports, use the following commands. 1. Configure a trunk port to carry untagged, single-tagged, and double-tagged traffic by making it a hybrid port. INTERFACE mode portmode hybrid NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID 0x8100. 2. Add the port to a 802.1Q VLAN as tagged or untagged.
Example of Debugging a VLAN and its Ports The port notations are as follows: • • • • • MT — stacked trunk MU — stacked access port T — 802.1Q trunk port U — 802.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 117.
Figure 118.
Figure 119. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 81. Drop Eligibility Behavior Ingress Egress DEI Disabled DEI Enabled Normal Port Normal Port Retain CFI Set CFI to 0. Trunk Port Trunk Port Retain inner tag CFI Retain inner tag CFI. Retain outer tag CFI Set outer tag CFI to 0. Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0 Access Port Trunk Port To enable drop eligibility globally, use the following command. • Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
• • Option 1: Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking. Option 2: Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. For example, if frames with C-Tag dot1p values 0, 6, and 7 are mapped to an S-Tag dot1p value 0, all such frames are sent to the queue associated with the S-Tag 802.1p value 0.
service-policy input in layer2 no shutdown Mapping C-Tag to S-Tag dot1p Values To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands. 1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 121. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 122. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile 2. Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3. Tunnel BPDUs the VLAN. INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.
sFlow 51 sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. Overview The Dell Networking OS supports sFlow version 5. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows. • Time-based sampling of interface counters.
Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. • Dell Networking recommends the sFlow Collector be connected to the Dell Networking chassis through a line card port rather than the management Ethernet port. • Only egress sampling is supported. • The system exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets.
• Displaying Show sFlow on an Interface • Displaying Show sFlow on a Line Card Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled. The second bold lines indicate sFlow is enabled on linecards Te 1/16 and Te 1/17.
mtu 9252 ip mtu 9234 switchport sflow enable sflow sample-rate 8192 no shutdown Displaying Show sFlow on a Line Card To view sFlow statistics on a specified line card, use the following command. • Display sFlow configuration information and statistics on the specified interface.
– interval value: in seconds. The range is from 15 to 86400 seconds. The default is 20 seconds. Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared.
77 UDP packets exported 0 UDP packets dropped 165 sFlow samples collected 69 sFlow samples dropped due to sub-sampling Linecard 1 Port set 0 H/W sampling rate 8192 Gi 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1 Gi 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2 Linecard 3 Port set 1 H/W sampling rate 16384 Gi 3/40: configured rate 16384, actual rate 16384, sub-sampling rate 1 If you did not enable any extended information, the show output displays the following (sho
IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description routing protocols, and for cases where is source is reachable over ECMP. BGP 962 BGP Exported Exported Extended gateway data is packed.
52 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Configuring SNMP version 3 requires configuring SNMP users in one of three methods. Refer to Setting Up User-Based Security (SNMPv3).
To choose a name for the community you create, use the following command. • Choose a name for the community. CONFIGURATION mode snmp-server community name {ro | rw} Example of Creating an SNMP Community To view your SNMP configuration, use the show running-config snmp command from EXEC Privilege mode. Dell(conf)#snmp-server community my-snmp-community ro 22:31:23: %SYSTEM-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
• snmp-server group groupname {oid-tree} auth read name write name Configure an SNMPv3 view. CONFIGURATION mode snmp-server view view-name 3 noauth {included | excluded} NOTE: To give a user read and write privileges, repeat this step for each privilege type. • Configure an SNMP group (with password or privacy privileges). CONFIGURATION mode • snmp-server group group-name {oid-tree} priv read name write name Configure the user with a secure authorization password and privacy password.
Examples of Reading Managed Object Values In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays. > snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16 > snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0 The following example shows reading the value of the next managed object. > snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.
snmp-server contact text You may use up to 55 characters. • The default is None. (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1). CONFIGURATION mode snmp-server location text You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
Parameters • cpu-utilization-time — Enter one of the following values to configure the threshold level for the time in which a switch CPU can be used: – 5 sec – 1 min – 5 min • cp — Enter the keyword cp to configure the CPU utilization time for the Control Processor CPU. • rp — Enter the keyword rp to configure the CPU utilization time for the Route Processor CPU • lp — Enter the keyword lp to configure the line processor CPU utilization time. The range of switch slot IDs is from 0 to 2.
LP LP LP LP LP LP LP LP LP PE 3 4 5 6 7 8 9 10 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 85 85 85 85 85 85 85 85 85 85 75 75 75 75 75 75 75 75 75 75 80 80 80 80 80 80 80 80 80 80 70 70 70 70 70 70 70 70 70 70 Configuring Threshold Memory Utilization for SNMP Traps When the total memory utilization for a CPU exceeds the configured high/low threshold for a given time, a threshold notification is sent as an SNMP trap.
Example of Configuring CPU Utilization Threshold To display the configured values of memory utilization thresholds, use the show util-threshold memory command from CONFIGURATION mode.
To send the SNMP version to use for notification messages, enter the keyword version. To identify the SNMPv1 community string, enter the name of the community-string. 2. Specify which traps the Dell Networking system sends to the trap receiver. CONFIGURATION mode snmp-server enable traps Enable all Dell Networking enterprise-specific and RFC-defined traps using the snmp-server enable traps command from CONFIGURATION mode.
traps ets fips hg-lbm isis lacp pfc snmp traps stp vlt traps vrrp traps xstp traps Enable Enable Enable Enable Enable Enable Enable ets traps FIP Snooping state change traps higig Link Bundle Monitoring traps ISIS adjacency change traps LACP state change traps pfc traps SNMP Enable STP Enable VLT traps Enable VRRP state change Enable 802.1s, 802.
vlt Enable VLT traps. vrrp Enable VRRP state change traps xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35. %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 11/38 transitioned from Forwarding to Blocking state. %SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0. %SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Te 11/38 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.
SNMP OID %SYSTEM-P:CP %SNMP-4-RMON_FALLING_THRESHOLD: RMON falling threshold alarm from SNMP OID %SYSTEM-P:CP %SNMP-4-RMON_HC_RISING_THRESHOLD: RMON high-capacity rising threshold alarm from SNMP OID Copy config traps FILEMGR_COPY_CONFIG_TRAP: Copy-config from running-config to startup-config succeeded RMON traps %SYSTEM-P:CP %SNMP-4-RMON_RISING_THRESHOLD: RMON rising threshold alarm from SNMP OID %SYSTEM-P:CP %SNMP-4-RMON_FALLING_THRESHOLD: RMON falling threshold alarm from SNMP OID %SYSTE
STRING: "NOT_REACHABLE: Syslog server 10.11.226.121 (port: 9140) is not reachable" SNMPv2-SMI::enterprises. 6027.3.6.1.1.2.0 = INTEGER: 2 Following is the sample audit log message that other syslog servers that are reachable receive: Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.
MIB Object OID Object Values Description 3 = tftp is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. 4 = ftp 5 = scp 6 = usbflash copySrcFileName copyDestFileType . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.4 Path (if the file is not in the current directory) and filename. Specifies name of the file. . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.5 1 = Dell Networking OS file Specifies the type of file to copy to.
MIB Object OID Object Values copyUserName . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.9 Username for the server. Username for the FTP, TFTP, or SCP server. . 1.3.6.1.4.1.6027.3.5.1.1.1. 1.10 Password for the server. copyUserPassword Description • If you specify copyUserName, you must also specify copyUserPassword. Password for the FTP, TFTP, or SCP server. Copying a Configuration File To copy a configuration file, use the following commands.
The following examples show the snmpset command to copy a configuration. These examples assume that: • • • • the server OS is UNIX you are using SNMP version 2c the community name is public the file f10-copy-config.mib is in the current directory or in the snmpset tool path Copying Configuration Files via SNMP To copy the running-config to the startup-config from the UNIX machine, use the following command. • Copy the running-config to the startup-config from the UNIX machine.
Copying the Startup-Config Files to the Server via FTP To copy the startup-config to the server via FTP from the UNIX machine, use the following command. Copy the startup-config to the server via FTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileName.index s filepath/filename copyDestFileLocation.index i 4 copyServerAddress.index a server-ip-address copyUserName.index s server-login-id copyUserPassword.
s filepath/filename copyDestFileType.index i 3 copyServerAddress.index a server-ip-address copyUserName.index s server-login-id copyUserPassword.index s server-login-password Example of Copying a Binary File From the Server to the Startup-Configuration via FTP > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType. 10 i 1 copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.10 s /home/ myfilename copyServerAddress.10 a 172.16.1.56 copyUserName.
Obtaining a Value for MIB Objects To obtain a value for any of the MIB objects, use the following command. • Get a copy-config MIB object value. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mib-object.index] index: the index value used in the snmpset command used to complete the copy operation. NOTE: You can use the entire OID rather than the object name. Use the form: OID.index.
Assigning a VLAN Alias Write a character string to the dot1qVlanStaticName object to assign a name to a VLAN. Example of Assigning a VLAN Alias using SNMP [Unix system output] > snmpset -v2c -c mycommunity 10.11.131.185 . 1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Example of Adding a Tagged Port to a VLAN using SNMP In the following example, Port 0/2 is added as a tagged member of VLAN 10. >snmpset -v2c -c mycommunity 10.11.131.185 . 1.3.6.1.2.1.17.7.1.4.3.1.2.
and 1.3.6.1.4.1.6027.3.18.1.6 Enabling and Disabling a Port using SNMP To enable and disable a port using SNMP, use the following commands. 1. Create an SNMP community on the Dell system. CONFIGURATION mode snmp-server community 2. From the Dell Networking system, identify the interface index of the port for which you want to change the admin status. EXEC Privilege mode show interface Or, from the management system, use the snmpwwalk command to identify the interface index. 3.
Table 86. MIB Objects for Fetching Dynamic MAC Entries in the Forwarding Database MIB Object OID MIB Description dot1dTpFdbTable .1.3.6.1.2.1.17.4.3 Q-BRIDGE MIB List the learned unicast MAC addresses on the default VLAN. dot1qTpFdbTable .1.3.6.1.2.1.17.7.1.2. 2 Q-BRIDGE MIB List the learned unicast MAC addresses on nondefault VLANs. dot3aCurAggFdb Table .1.3.6.1.4.1.6027.3.2. 1.1.5 F10-LINKAGGREGATION -MIB List the learned MAC addresses of aggregated links (LAG).
-------------Query from Management Station--------------------->snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.4.1.6027.3.2.1.1.5 SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.1.1000.0.1.232.6.149.172.1 = 1000 SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.2.1000.0.1.232.6.149.172.1 = STRING: 00 01 E8 06 95 AC SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.3.1000.0.1.232.6.149.172.1 = SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.4.1000.0.1.232.6.149.172.
For example, the interface index 51528196 for the FortyGigE 0/4 port is 0000 0011 0001 0010 0100 0010 0000 0100 in binary format as shown in the following figure. Figure 124. Interface Index Number Assigned to FortyGigE 0/4 Port In this example, if you start from the least significant bit on the right: • The first 14 bits (00001000000010) identify a line card. • The next 4 bits (1001) identify a 40-Gigabit Ethernet interface. • The next 12 bits (000011000100) identify slot 0 and port 4.
Example of Viewing Status of Learned MAC Addresses If we learn MAC addresses for the LAG, status is shown for those as well. dot3aCurAggVlanId SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 00 00 00 01 dot3aCurAggIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 dot3aCurAggStatus SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.
Storm Control 53 Storm control allows you to control unknown-unicast, muticast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, muticast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. To view the storm control broadcast configuration show storm-control broadcast | multicast | unknown-unicast | pfc-llfc[interface] command.
• The storm control is calculated in packets per second. • Configure storm control. • INTERFACE mode Configure the packets per second of broadcast traffic allowed on an interface (ingress only). INTERFACE mode • storm-control broadcast packets_per_second in Configure the packets per second of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only.
54 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. Protocol Overview By eliminating loops, STP improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
• The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time. • All ports in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the spanning tree topology at the time you enable the protocol.
INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE switchport 3. Enable the interface. INTERFACE mode no shutdown Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Figure 126. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable Examples of Verifying and Viewing Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
spanning-tree 0 To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command. Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hellotime, and max-age and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters.
• the default is 2 seconds. Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. CAUTION: Enable PortFast only on links connecting to an end station. PortFast can cause loops if it is enabled on an interface connected to a network. To enable PortFast on an interface, use the following command.
• • • • • If the interface to be shut down is a port channel, all the member ports are disabled in the hardware. When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware. When you remove a physical port from a port channel in the Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware).
• disables spanning tree on an interface • drops all BPDUs at the line card without generating a console message Example of Blocked BPDUs Dell(conf-if-te-0/7)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e805.fb07 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e85d.0e90 Configured hello time 2, max age 20, forward delay 15 Interface Name PortID Prio ---------- -------Te 0/6 128.
Root Bridge hello time 2, max age 20, forward delay 15 Dell# STP Root Guard Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority (as determined by STP or set with the bridgepriority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root.
Figure 128. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
INTERFACE mode or INTERFACE PORT-CHANNEL mode spanning-tree {0 | mstp | rstp | pvst} rootguard – 0: enables root guard on an STP-enabled port assigned to instance 0. – mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer. Figure 129. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis.
– Multiple Spanning Tree Protocol (MSTP) – Per-VLAN Spanning Tree Plus (PVST+) • You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard.
Te 0/2 Te 0/3 0 0 LIS EDS (Shut) Spanning Tree Protocol (STP) Loopguard Bpduguard 1007
55 System Time and Date System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
time and adjust the local clock accordingly. In addition, the message includes information to calculate the expected timekeeping accuracy and reliability, as well as select the best from possibly several servers.
Configure the Network Time Protocol Configuring NTP is a one-step process. • Enabling NTP Related Configuration Tasks • Configuring NTP Broadcasts • Setting the Hardware Clock with the Time Derived from NTP • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times.
ntp broadcast client Example of Configuring NTP Broadcasts 2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.496884 Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, the system drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface.
Dell Networking OS Behavior: Dell Networking OS uses an encryption algorithm to store the authentication key that is different from previous Dell Networking OS versions; Dell Networking OS uses data encryption standard (DES) encryption to store the key in the startup-config when you enter the ntp authentication-key command.
ntp master To configure the ntp master enter the stratum number to identify the NTP Server’s hierarchy. Examples of Configuring and Viewing an NTP Configuration The following example shows configuring an NTP server. R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Time and Date You can set the time and date in the Dell Networking OS using the CLI. Configuration Task List This section describes configuring the time and date settings.
– timezone-name: enter the name of the timezone. Do not use spaces. – offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
00:00:00 pacific Sat Nov 7 2009" Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command. To set a recurring daylight saving time, use the following command.
Examples of Configuring and Viewing the Clock Summer-Time Recurring Option The following example shows using the clock summer-time recurring command.
Tunneling 56 Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode. You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
interface Tunnel 2 no ip address ipv6 address 2::1/64 tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.
ipv6 unnumbered TenGigabitEthernet 0/0 tunnel source 40.1.1.1 tunnel mode ipip decapsulate-any no shutdown Dell(conf-if-tu-1)# Configuring Tunnel allow-remote Decapsulation You can configure an IPv4 or IPV6 address or prefix whose tunneled packet will be accepted for decapsulation. • • If no allow-remote entries are configured, then tunneled packets from any remote peer address will be accepted. Upto eight allow-remote entries can be configured on any particular multipoint receive-only tunnel.
no shutdown Multipoint Receive-Only Tunnels A multipoint receive-only IP tunnel decapsulates packets from remote end-points and never forwards packets on the tunnel. You can configure an additional level of security on a receive-only IP tunnel by specifying a valid prefix or range of remote peers. The operational status of a multipoint receive-only tunnel interface always remains up.
Upgrade Procedures 57 For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version. Upgrade Overview To upgrade system software on the switch, follow these general steps: 1. Identify the boot and system images currently stored on the switch (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command. 2.
local flash. This image contains independent images for the CPUs: Control Processor (CP), Route Processor (RP), and line-card processor (LP). Each separate image runs on a different CPU and are unpacked and downloaded on the appropriate CPU via the party bus. You can use TFTP or FTP to copy images to the local storage of each CPU.
Uplink Failure Detection (UFD) 58 Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 131. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 132. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number and is calculated by the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
– An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state. No uplink-state tracking is performed when a group is disabled or in an Operationally Down state. • You can assign physical port or port-channel interfaces to an uplink-state group. – You can assign an interface to only one uplink-state group. Configure each interface assigned to an uplink-state group as either an upstream or downstream interface, but not both.
• Port channel: enter port-channel {1-512 | port-channel-range} Where port-range and port-channel-range specify a range of ports separated by a dash (-) and/or individual ports/port channels in any order; for example: upstream tengigabitethernet 1/1-2,5,9,11-12 downstream port-channel 1-3,5 • A comma is required to separate each port and port-range entry. To delete an interface from the group, use the no {upstream | downstream} interface command. 3.
Clearing a UFD-Disabled Interface You can manually bring up a downstream interface in an uplink-state group that UFD disabled and is in a UFD-Disabled Error state. To re-enable one or more disabled downstream interfaces and clear the UFD-Disabled Error state, use the following command. • Re-enable a downstream interface on the switch/router that is in a UFD-Disabled Error State so that it can send and receive traffic.
down: Te 0/47 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Te 0/47 02:37:29 : UFD: Group:3, UplinkState: DOWN 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: to down: Group 3 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: error-disabled: Fo 1/0 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: Fo 1/0 02:38:31 : UFD: Group:3, UplinkState: UP 02:38:31: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: to up: Group 3 02:38:53: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: UFD error-disabled: Fo 1/0 02:38:53: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: UFD error-disabl
• If a downstream interface in an uplink-state group is disabled (Oper Down state) by uplink-state tracking because an upstream port is down, the message error-disabled[UFD] displays in the output. Display the current configuration of all uplink-state groups or a specified group. EXEC mode or UPLINK-STATE-GROUP mode (For EXEC mode) show running-config uplink-state-group [group-id] (For UPLINK-STATE-GROUP mode) show configuration – group-id: The values are from 1 to 16.
Interface index is 280544512 Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode auto Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:25:46 Queueing strategy: fifo Input Statistics: 0 packets, 0 bytes 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Ou
• Add a text description for the group. • Verify the configuration with various show commands.
Virtual LANs (VLANs) 59 Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
command places the interface in Layer 2 mode and the show vlan command in EXEC privilege mode indicates that the interface is now part of the Default VLAN (VLAN 1). By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN. NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN.
VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. The system supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
• Disable the default VLAN, so that all ports belong to the Null VLAN until configured as a member of another VLAN. CONFIGURATION mode default-vlan disable Default: the default VLAN is enabled (no default-vlan disable). Assigning an IP Address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces.
NOTE: You cannot configure an existing switchport or port channel interface for Native VLAN. Interfaces must have no other Layer 2 or Layer 3 configurations when using the portmode hybrid command or a message similar to this displays: % Error: Port is in Layer-2 mode Te 5/6. To configure a port so that it can be a member of an untagged and tagged VLANs, use the following commands. 1. Remove any Layer 2 or Layer 3 configurations from the interface. INTERFACE mode 2.
Dell#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 3 4 5 6 Status Inactive Active Active Active Active Active Dell# Q U U U T U U U Ports Te 1/4-11 Te 0/1,18 Te 0/2,19 Te 0/3,20 Po 1 Te 0/12 Te 2/0 Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged.
Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T Ports Po1(Te 0/0-1) Te 2/0 Po1(Te 0/0-1) Te 2/1 Dell#config Dell(conf)#int vlan 4 Dell(conf-if-vlan)#tagged po 1 Dell(conf-if-vlan)#show conf ! interface Vlan 4 no ip address tagged Port-channel 1 Dell(conf-if-vlan)#end Dell#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T 4 Active T Dell# Ports Po1(Te 0/0-1) Te 3/0 Po1(Te 0/0-1) Te 3/1 Po1(Te 0/0-1) When you r
To determine interface status, use the show vlan command. Interface (te 2/2) is untagged and in the Default VLAN (vlan 1). In a port-based VLAN (vlan 4), use the untagged command to add the interface to that VLAN. The show vlan command output displays the interface’s changed status (te 2/2). Because the Default VLAN no longer contains any interfaces, it is listed as inactive.
VLT Proxy Gateway 60 The Virtual link trucking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a L3 end point in another VLT domain. Enable the VLT proxy gateway using the link layer discover protocol (LLDP) method or the static configuration.
Figure 134. VLT Proxy Gateway — Topology 1 Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable this functionality: 1. The proxy gateway is supported only for VLT; for example, across VLT domain. 2. To get full benefits out of proxy gateway, peer-routing is recommended 3.
the same subnet, there is no route asymmetry dynamically. But if you configure the static route on one DC and not on the other, there is asymmetry. 8. If the port-channel specified in theproxy-gateway command is not a VLT LAG, the configuration is rejected by the CLI. The VLT LAG cannot be configured as a legacy LAG when it is part of a proxygateway 9. You cannot change the LLDP port channel interface to a legacy LAG when you enable the proxy gateway. 10.
LLDP Organizational TLV for Proxy Gateway Define a new organizational TLV : • LLDP defines an organizationally specific TLV (type 127) with an organizationally unique identifier (0x0001E8) and organizationally defined subtype (0x01) for sending or receiving this information. • LLDP will uses the existing infrastructure and adds the new TLV, and sends and receives only on the configured ports.
2. Configure peer-domain-link port-channel in VLT Domain Proxy Gateway LLDP mode. The VLT port channel is the one that connects the remote VLT domain. Sample Configurations for Static VLT Proxy Gateway Apply the following configurations in the Core L3 Routers C and D in local VLT domain and C1 and D1 in the remote VLT domain: 1. Configure proxy-gateway static in VLT Domain CONFIG mode 2. Configure remote-mac-address in VLT Domain Proxy Gateway LLDP mode.
Sample Scenario for VLT Proxy Gateway Figure 135. VLT Proxy Gateway — Topology 2 1. The above figure (Topology 2) shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method.
2. ICL shut – Assume ICL between C1 and D1 is shut and if D1 is secondary VLT one half of the inter DC link goes down. After vm motion, if a packet reaches D2 with the destination MAC address of D1, it may be dropped. This behaviour is applicable only in the LLDP configuration; in the static configuration, the packet is forwarded. 3. Any L3 packet, when it gets an L3 hit and is routed because of this feature, has a TTL decrement as expected. 4.
4. Display the VLT proxy gateway configuration. EXEC mode Dell#show vlt-proxy-gateway Configuring an LLDP VLT Proxy Gateway You can configure a proxy gateway in a VLT domain to locally route packets destined to a L3 endpoint in another VLT domain. To configure an LLDP proxy gateway: 1. Enable VLT on a switch, then configure a VLT domain and enter VLT-Domain Configuration mode. CONFIGURATION mode Dell(conf)#vlt domain domain-id 2. Configure the LLDP proxy gateway.
Virtual Routing and Forwarding (VRF) 61 Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs.Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 136. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Dell Networking OS uses both the VRF name and VRF ID to manage VRF instances. The VRF name and VRF ID number are assigned using the ip vrf command. The VRF ID is displayed in show ip vrf command output. The VRF ID is not exchanged between routers. VRF IDs are local to a router. VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF. Table 89.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF NOTE: ACLs supported on all VRF VLAN ports. IPv4 ACLs are supported on nondefault-VRFs also. IPv6 ACLs are supported on defaultVRF only. PBR supported on default-VRF only. QoS not supported on VLANs.
DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance. VRF Configuration The VRF configuration tasks are: 1. Enabling VRF in Configuration Mode 2. Creating a Non-Default VRF 3. Assign an Interface to a VRF You can also: • View VRF Instance Information • Connect an OSPF Process to a VRF Instance • Configure VRRP on a VRF Load VRF CAM VRF is enabled by default on the switch.
NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs. If two interfaces are assigned to the same VRF, you cannot configure overlapping IP subnets or the same IP address on them. Table 92. Assigning an Interface to a VRF Task Command Syntax Command Mode Assign an interface to a VRF instance.
Task Command Syntax Display the interfaces assigned to show ip vrf [vrf-name] a VRF instance. To display information on all VRF instances (including the default VRF 0), do not enter a value for vrf-name. Command Mode EXEC Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. Refer to for complete OSPF configuration information. Assign an OSPF process to a VRF instance . Return to CONFIGURATION mode to enable the OSPF process.
Configuring Management VRF You can assign a management interface to a management VRF. Task Command Syntax Command Mode Create a management VRF. ip vrf management CONFIGURATION Assign a management port to a management VRF. interface management VRF MODE Configuring a Static Route To configure a static route, perform the following steps: Task Command Syntax Command Mode Configure a static route that points to a management interface.
The following example illustrates how route leaking between two VRFs can be performed: interface TenGigabitEthernet 0/9 ip vrf forwarding VRF1 ip address 120.0.0.1/24 interface TenGigabitEthernet 0/10 ip vrf forwarding VRF2 ip address 140.0.0.1/24 ip route vrf VRF1 20.0.0.0/16 140.0.0.2 vrf VRF2 ip route vrf VRF2 40.0.0.0/16 120.0.0.2 vrf VRF1 Sample VRF Configuration The following configuration illustrates a typical VRF set-up. Figure 137.
Figure 138. Setup VRF Interfaces The following example relates to the configuration shown in Figure1 and Figure 2. Router 1 ====================================================================== ============================ Router 2 ====================================================================== ================= The following shows the output of the show commands on Router 1.
The following shows the output of the show commands on Router 2. Router 2 Dynamic Route Leaking Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains. Inter-VRF Route Leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map. For a reply communication, VRF-blue is configured with a route-export tag. This value is then configured as route-import tag on the VRF-Red. To configure route leaking using filtering criteria, perform the following steps: 1. Configure VRF-red using the following command:ip vrf vrf-redip vrf forwarding vrfredip address x.x.x.x 255.x.x.
• • Even though the Target VRF-B has specified filtering options to match BGP, the BGP route is not leaked as that route is not active in the Source VRF. The export-target and import-target support only the match protocol and match prefix-list options. Other options that are configured in the route-maps are ignored. You can expose a unique set of routes from the Source VRF for Leaking to other VRFs.
4. Configure the import target in VRF-red.ip route-import 1:1 5. Configure the export target in VRF-red.ip route-export 2:2 6. Configure VRF-blue.ip vrf vrf-blue ip vrf forwarding vrf-blue ip address x.x.x.x 255.x.x.x A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it. 7. Configure the import target in VRF-blue.ip route-import 1:1 8. Configure the export target in VRF-blue.ip route-export 3:3 9. Configure VRF-green.
Virtual Link Trunking (VLT) 62 Virtual link trunking (VLT) is supported on Dell Networking OS. Overview VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
Figure 139. Example of VLT Deployment VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
• VLT domain — This domain includes both the VLT peer devices, VLT interconnect, and all of the port channels in the VLT connected to the attached devices. It is also associated to the configuration mode that you must use to assign VLT global parameters. • VLT peer device — One of a pair of devices that are connected with the special port channel known as the VLT interconnect (VLTi). VLT peer switches have independent management planes.
If this scenario occurs, use the clear mac-address-table sticky all command on the primary or secondary peer to correctly sync the MAC addresses. • If static ARP is enabled on only one VLT peer, entries may be overwritten during bulk sync. Configuration Notes VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. When you configure VLT, the following conditions apply.
– ARP entries configured across the VLTi are the same on both VLT peer nodes. – If you shut down the port channel used in the VLT interconnect on a peer switch in a VLT domain in which you did not configure a backup link, the switch’s role displays in the show vlt brief command output as Primary instead of Standalone. – When you change the default VLAN ID on a VLT peer switch, the VLT interconnect may flap.
• * In one possible topology, a switch uses the BMP feature to receive its IP address, configuration files, and boot image from a DHCP server that connects to the switch through the VLT domain. In the port-channel used by the switch to connect to the VLT domain, configure the port interfaces on each VLT peer as hybrid ports before adding them to the port channel (refer to Connecting a VLT Domain to an Attached Access Device (Switch or Server)).
– To verify that a VLT peer is consistently configured for either the master or backup role in all VRRP groups, use the show vrrp command on each peer. – Configure the same L3 routing (static and dynamic) on each peer so that the L3 reachability and routing tables are identical on both VLT peers. Both the VRRP master and backup peers must be able to locally forward L3 traffic in the same way.
RSTP and VLT VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire layer 2 network, which can cause a network-wide flush of learned MAC and ARP addresses, requiring these addresses to be re-learned. However, enabling RSTP can detect potential loops caused by non-system issues such as cabling errors or incorrect configurations.
interfaces in a dual RPM. A virtual management IP must be configured on the dual RPM VLT node to maintain uninterrupted VLT backup functionality. For more information, refer to “VLT backup link” section in the Configuration Notes VLT and IGMP Snooping When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk.
This delay in bringing up the VLT ports also applies when the VLTi link recovers from a failure that caused the VLT ports on the secondary VLT peer node to be disabled. PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 140.
VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed. In addition to being first-hop or last -hop routers, the peer node can also act as an intermediate router.
VLT Unicast Routing VLT unicast routing locally routes packets destined for the L3 endpoint of the VLT peer. This method avoids suboptimal routing. In VLT unicast routing, peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM. In case a VLT node is down, a timer that allows you to configure the amount of time needed for peer recovery provides resiliency. You can enable VLT unicast across multiple configurations using VLT links.
between the VLT peers. Only multicast routes configured with a Spanned VLAN IP as their IIF are synced between VLT peers. For multicast routes with a Spanned VLAN IIF, only OIFs configured with a Spanned VLAN IP interface are synced between VLT peers.
6. Configure the VLT VLAN routing metrics to prefer VLT VLAN interfaces over non-VLT VLAN interfaces. For more information, refer to Classify Traffic. 7. Configure symmetrical Layer 2 and Layer 3 configurations on both VLT peers for any spanned VLAN. Non-VLT ARP Sync Synchronization for non-ARP routing table entries is supported on the switch. ARP entries (including ND entries) learned on other ports are synced with the VLT peer to support station move scenarios.
bridge-priority Sample RSTP Configuration The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
Configuring a VLT Interconnect To configure a VLT interconnect, follow these steps. 1. Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2.
To disable VLT, use the no vlt domain command. NOTE: Do not use MAC addresses such as “reserved” or “multicast.” 2. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. VLT DOMAIN CONFIGURATION mode back-up destination {ipv4–address] | ipv6 ipv6–address [interval seconds]} You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 3.
Enter the slot (0-1) and the port (0). 2. Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface. MANAGEMENT INTERFACE mode {ip address ipv4-address/ mask | ipv6 address ipv6-address/ mask} This is the IP address that is configured on the VLT peer using the back-up destination command. 3. Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 4. Configure a VLT backup link using the back-up destination command.
CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2. (Optional) When you create a VLT domain on a switch, the system automatically creates a VLTsystem MAC address used for internal system operations. VLT DOMAIN CONFIGURATION mode system-mac mac-address mac-address To explicitly configure the default MAC address for the domain by entering a new MAC address, use the system-mac command. The format is aaaa.bbbb.cccc.
4. Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 5. • 1-Gigabit Ethernet: enter gigabitethernet slot/port. • 10-Gigabit Ethernet: enter tengigabitethernet slot/port. • 40-Gigabit Ethernet: Enter fortyGigE slot/port. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 6.
peer-link port-channel id-number peer-down-vlan vlan interface-number The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
system-mac mac-address mac-address To explicitly configure the default MAC address for the domain by entering a new MAC address, use the system-mac command. The format is aaaa.bbbb.cccc. Also reconfigure the same MAC address on the VLT peer switch. Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots. 7.
INTERFACE mode port-channel-protocol lacp 14. Configure the LACP port channel mode. INTERFACE mode port-channel number mode [active] 15. Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 16. Repeat steps 1 through 15 for the VLT peer node in Domain 1. 17. Repeat steps 1 through 15 for the first VLT node in Domain 2. 18. Repeat steps 1 through 15 for the VLT peer node in Domain 2.
9. Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. EXEC Privilege mode show running-config entity 10. Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. EXEC mode or EXEC Privilege mode show interfaces interface 11. In the top of rack unit, configure LACP in the physical ports. EXEC Privilege mode show running-config entity 12. Verify that VLT is running. EXEC mode show vlt brief or show vlt detail 13.
2. Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 2. Dell-2#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.58 Dell-2# show interfaces managementethernet 0/0 Internet address is 10.11.206.43/16 Dell-4#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.43 Dell-4#show running-config interface managementethernet 0/0 ip address 10.11.206.
interface TenGigabitEthernet 0/48 no ip address ! port-channel-protocol LACP port-channel 100 mode active no shutdown Dell-1#show running-config interface tengigabitethernet 0/50 ! interface TenGigabitEthernet 0/50 no ip address ! port-channel-protocol LACP port-channel 100 mode active no shutdown Dell-1#show running-config interface port-channel 100 ! interface Port-channel 100 no ip address switchport no shutdown Dell-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel L LAG 100 Mode L
LAG L 2 Mode L2L3 Status up Uptime 03:33:31 Ports Te 0/18 (Up) eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 fist, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2.
Domain_1_Peer1(conf-if-range-te-0/16-17)# port-channel 100 mode active Domain_1_Peer1(conf-if-range-te-0/16-17)# no shutdown Next, configure the VLT domain and VLTi on Peer 2.
Domain_2_Peer4(conf-vlt-domain)# Domain_2_Peer4(conf-vlt-domain)# Domain_2_Peer4(conf-vlt-domain)# Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1 back-up destination 10.18.130.12 system-mac mac-address 00:0b:00:0b:00:0b unit-id 1 Configure eVLT on Peer 4. Domain_2_Peer4(conf)#interface port-channel 100 Domain_2_Peer4(conf-if-po-100)# switchport Domain_2_Peer4(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_2_Peer4(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 4.
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches. • Display information on backup link operation. EXEC mode • show vlt backup-link Display general status information about VLT domains currently configured on the switch.
Examples of the show vlt and show spanning-tree rstp Commands The following example shows the show vlt backup-link command. Dell_VLTpeer1# show vlt backup-link VLT Backup Link ----------------Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.
The following example shows the show vlt detail command. Dell_VLTpeer1# show vlt detail Local LAG Id -----------100 127 Peer LAG Id ----------100 2 Local Status Peer Status Active VLANs ------------ ----------- ------------UP UP 10, 20, 30 UP UP 20, 30 Dell_VLTpeer2# show vlt detail Local LAG Id -----------2 100 Peer LAG Id ----------127 100 Local Status -----------UP UP Peer Status ----------UP UP Active VLANs ------------20, 30 10, 20, 30 The following example shows the show vlt role command.
Dell_VLTpeer2# show vlt statistics VLT Statistics ---------------HeartBeat Messages Sent: HeartBeat Messages Received: ICL Hello's Sent: ICL Hello's Received: 994 978 89 89 The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Configuring Virtual Link Trunking (VLT Peer 1) Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi). Dell_VLTpeer1(conf)#vlt domain 999 Dell_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35 Dell_VLTpeer1(conf-vlt-domain)#exit Configure the backup link. Dell_VLTpeer1(conf)#interface ManagementEthernet 0/0 Dell_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Dell_VLTpeer2(conf-if-ma-0/0)#no shutdown Dell_VLTpeer2(conf-if-ma-0/0)#exit Configure the VLT interconnect (VLTi). Dell_VLTpeer2(conf)#interface port-channel 100 Dell_VLTpeer2(conf-if-po-100)#no ip address Dell_VLTpeer2(conf-if-po-100)#channel-member fortyGigE 0/46,50 Dell_VLTpeer2(conf-if-po-100)#no shutdown Dell_VLTpeer2(conf-if-po-100)#exit Configure the port channel to an attached device.
Table 94. Troubleshooting VLT Description Behavior at Peer Up Behavior During Run Time Action to Take Bandwidth monitoring A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%. A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above its threshold. Depending on the traffic that is received, the traffic can be offloaded inVLTi. Domain ID mismatch The VLT peer does not boot up.
Description Behavior at Peer Up Behavior During Run Time Action to Take A syslog error message is generated. A syslog error message is generated. if Peer 1 is unit ID “0”, Peer 2 unit ID must be “1’. Version ID mismatch A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated. Verify the Dell Networking OS versions on the VLT peers is compatible. For more information, refer to the Release Notes for this release.
identified by a primary and secondary VLAN pair. With VLT being a Layer 2 redundancy mechanism, support for configuration of VLT nodes in a PVLAN enables Layer 2 security functionalities. To achieve maximum VLT resiliency, you should configure the PVLAN IDs and mappings to be identical on both the VLT peer nodes. The association of PVLAN with the VLT LAG must also be identical.
validated to cause the VLTi to be a member of that VLAN. Whenever a change in the VLAN mode on one of the peers occurs, the information is synchronized with the other peer and VLTi is either added or removed from the VLAN based on the validation of the VLAN parity. For VLT VLANs, the association between primary VLAN and secondary VLANs is examined on both the peers. Only if the association is identical on both the peers, VLTi is configured as a member of those VLANs.
port mode mismatches occur. Also, you can view these discrepancies if any occur by using the show vlt mismatch command. Interoperation of VLT Nodes in a PVLAN with ARP Requests When an ARP request is received, and the following conditions are applicable, the IP stack performs certain operations. • The VLAN on which the ARP request is received is a secondary VLAN (community or isolated VLAN).
VLT LAG Mode PVLAN Mode of VLT VLAN Peer1 Peer1 Peer2 - Secondary (Community) Access Promiscuo us Peer2 Access Promiscuo us ICL VLAN Membership Mac Synchronization - Secondary (Isolated) No No Secondary (Community) Secondary (Isolated) No No • • Yes Yes Primary X Primary X Primary Primary Yes Yes - Secondary (Community) - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuo us Trunk Primary Normal No No Promiscuo us Trunk
Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN). Because the VLT LAG interfaces are terminated on two different nodes, PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN. A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number The range is from 1 to 128. 8. (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number peer-down-vlan vlan interface number The range is from 1 to 4094. Associating the VLT LAG or VLT VLAN in a PVLAN 1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-IDVLAN-ID). • • Specified with this command even before they have been created. Amended by specifying the new secondary VLAN to be added to the list. Proxy ARP Capability on VLT Peer Nodes The proxy ARP functionality is supported on VLT peer nodes.
performed only when the VLT peer's MAC address is installed in the database. Proxy ARP is stopped when the VLT peer's MAC address is removed from the ARP database because of the peer routing timer expiry. The source hardware address in the ARP response contains the VLT peer MAC address. Proxy ARP is supported for both unicast and broadcast ARP requests. Control packets, other than ARP requests destined for the VLT peers that reach the undesired and incorrect VLT node, are dropped if the ICL link is down.
synchronized from the VLT peer, after the RP starts receiving multicast traffic via these routes, these (S, G) routes are considered valid and are downloaded to the device. Only (S, G) routes are used to forward the multicast traffic from the source to the receiver. You can configure VLT nodes, which function as RP, as Multicast Source Discovery Protocol (MSDP) peers in different domains. However, you cannot configure the VLT peers as MSDP peers in the same VLT domain.
Configure VLT domain Dell(conf)#vlt domain 1 Dell(conf-vlt-domain)#peer-link port-channel 1 Dell(conf-vlt-domain)#back-up destination 10.16.151.116 Dell(conf-vlt-domain)#primary-priority 100 Dell(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11 Dell(conf-vlt-domain)#unit-id 0 Dell(conf-vlt-domain)# Dell#show running-config vlt ! vlt domain 1 peer-link port-channel 1 back-up destination 10.16.151.
Dell(conf-if-vl-50-stack)#member port-channel 20 Dell#show running-config interface vlan 50 ! interface Vlan 50 vlan-stack compatible member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN Sample Configuration of VLAN-Stack Over VLT (Peer 2) Configure VLT domain Dell(conf)#vlt domain 1 Dell(conf-vlt-domain)#peer-link port-channel 1 Dell(conf-vlt-domain)#back-up destination 10.16.151.
no shutdown Dell# Configure the VLAN as VLAN-Stack VLAN and add the VLT LAG as members to the VLAN Dell(conf)#interface vlan 50 Dell(conf-if-vl-50)#vlan-stack compatible Dell(conf-if-vl-50-stack)#member port-channel 10 Dell(conf-if-vl-50-stack)#member port-channel 20 Dell(conf-if-vl-50-stack)# Dell#show running-config interface vlan 50 ! interface Vlan 50 vlan-stack compatible member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN V
Virtual Router Redundancy Protocol (VRRP) 63 Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3. VRRP is supported on “all types” of interfaces, including physical, VLAN, portchannel, and port extender interfaces. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 142. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
decreases based on the dynamics of the network, the advertisement intervals may increase or decrease accordingly. CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. Table 96.
Creating a Virtual Router To enable VRRP, create a virtual router. In the Dell Networking Operating System, the virtual router identifier (VRID) identifies a VRRP group. To enable or delete a virtual router, use the following commands. • Create a virtual router for that interface with a VRID. INTERFACE mode vrrp-group vrid The VRID range is from 1 to 255. • NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example. Delete a VRRP group.
3 VRRPv3 both Interoperable, send VRRPv3 receive both Dell(conf-if-te-0/0-vrid-100)#version 3 You can use the version both command in INTERFACE mode to migrate from VRRPv2 to VRRPv3. When you set the VRRP version to both, the switch sends only VRRPv3 advertisements but can receive VRRPv2 or VRRPv3 packets. To migrate an IPv4 VRRP group from VRRPv2 to VRRPv3: 1. Set the switches with the lowest priority to “both”. 2. Set the switch with the highest priority to version to 3. 3.
• • belonging to either subnet 50.1.1.0/24 or subnet 60.1.1.0/24, but not from both subnets (though the system allows the same). If the virtual IP address and the interface’s primary/secondary IP address are the same, the priority on that VRRP group MUST be set to 255. The interface then becomes the OWNER router of the VRRP group and the interface’s physical MAC address is changed to that of the owner VRRP group’s MAC address.
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10 Authentication: (none) -----------------TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 100, Master: 10.10.2.
-----------------TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.2.1 State: Master, Priority: 125, Master: 10.10.2.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 601, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.3 Authentication: (none) Configuring VRRP Authentication Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes.
Because preempt is enabled by default, disable the preempt function with the following command. • Prevent any BACKUP router with a higher priority from becoming the MASTER router. INTERFACE-VRID mode no preempt Examples of Disabling Preempt Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting. The following example shows how to disable preempt using the no preempt command.
advertise-interval seconds The range is from 1 to 255 seconds. • The default is 1 second. For VRRPv3, change the advertisement centisecs interval setting. INTERFACE-VRID mode advertise-interval centisecs centisecs The range is from 25 to 4075 centisecs in units of 25 centisecs. The default is 100 centisecs. Examples of the advertise-interval Command The following example shows how to change the advertise interval using the advertise-interval command.
• When an interface comes up and becomes operational, the system waits 300 seconds (5 minutes) to bring up VRRP on that interface. To set the delay time for VRRP initialization, use the following commands. • Set the delay time for VRRP initialization on an individual interface. INTERFACE mode vrrp delay minimum seconds This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. • The default is 0.
NOTE: You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode). However, no changes in the VRRP group’s priority occur until the tracked object is defined and determined to be down.
virtual-address 10.10.10.3 virtual-address 10.10.10.
no ip address ipv6 address 2007::30/64 vrrp-ipv6-group 1 track 2 priority-cost 20 track 3 priority-cost 30 virtual-address 2007::1 virtual-address fe80::1 no shutdown Sample Configurations Before you set up VRRP, review the following sample configurations. VRRP for an IPv4 Configuration The following configuration shows how to enable IPv4 VRRP. This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration.
Figure 143. VRRP for IPv4 Topology Example of Configuring VRRP for IPv4 Router 2 R2(conf)#int te 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 priority 200 virtual-address 10.1.1.
R2(conf-if-te-2/31)#end R2#show vrrp -----------------TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.
Figure 144. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. Example of Configuring VRRP for IPv6 Router 2 and Router 3 Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
Although R2 and R3 have the same default, priority (100), R2 is elected master in the VRRPv3 group because the TenGigE 0/0 interface has a higher IPv6 address than the TenGigE 1/0 interface on R3.
ipv6 address 1::2/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R3(conf-if-te-1/0)#end R3#show vrrp -----------------TenGigabitEthernet 1/0, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6b:1845 VRF: 0 default State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0 Virtual MAC address: 00:00:5e:00:02:0a VR
Figure 145. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Switch-1 S1(conf)#ip vrf default-vrf 0 ! S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 2/1 S1(conf-if-te-2/1)#ip vrf forwarding VRF-1 S1(conf-if-te-2/1)#ip address 10.10.1.5/24 S1(conf-if-te-12/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf)#interface TenGigabitEthernet 2/3 S1(conf-if-te-2/3)#ip vrf forwarding VRF-3 S1(conf-if-te-2/3)#ip address 20.1.1.5/24 S1(conf-if-te-2/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-2/3-vrid-105)#priority 255 S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.
VRRP in VRF: Switch-1 VLAN Configuration S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 2/4 S1(conf-if-te-2/4)#no ip address S1(conf-if-te-2/4)#switchport S1(conf-if-te-2/4)#no shutdown ! S1(conf-if-te-2/4)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.
S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.2 S2(conf-if-vl-100)#no shutdown ! S2(conf-if-te-2/4)#interface vlan 200 S2(conf-if-vl-200)#ip vrf forwarding VRF-2 S2(conf-if-vl-200)#ip address 10.10.1.2/24 S2(conf-if-vl-200)#tagged tengigabitethernet 2/4 S2(conf-if-vl-200)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 2 will be 178. S2(conf-if-vl-200-vrid-101)#priority 255 S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.
192.168.0.
Standards Compliance 64 This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu) MTU 9,252 bytes RFC and I-D Compliance The C9000 series supports the following standards. The standards are grouped by related protocol. General Internet Protocols The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols. Table 97.
Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support on the C9000 Series for BGP protocols. Table 98.
RFC# Full Name 1542 Clarifications and Extensions for the Bootstrap Protocol 1812 Requirements for IP Version 4 Routers 2131 Dynamic Host Configuration Protocol 2338 Virtual Router Redundancy Protocol (VRRP) 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links 3046 DHCP Relay Agent Information Option 3069 VLAN Aggregation for Efficient IP Address Allocation 3128 Protection Against a Variant of the Tiny Fragment Attack General IPv6 Protocols The following table lists the Dell Networking
Intermediate System to Intermediate System (IS-IS) The following table lists the Dell Networking OS support on the C9000 Series for IS-IS protocol. Table 101.
RFC# Full Name 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 Management Information Base 1901 Introduction to Community-based SNMPv2 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 2013 SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 2024 Definitions of Managed Objects for Data Link Switching using SMIv2 2096 IP Forwarding Table MIB 25
RFC# Full Name 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol 2819 Remote Network Monitoring Management Information Base: Ethernet Statistics Table, Ethernet History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table 2863 The Interfaces Group MIB 2865 Remote Authentication Dial In User Service (RADIUS) 3273 Remote Network Monitoring Management Information Base for High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Eth
RFC# Full Name interfacescfg-03 IEEE 802.1AB Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB) IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information.
RFC# Full Name FORCE10Force10 System Component MIB (enables the user to view CAM usage information) SYSTEMCOMPONENTMIB FORCE10-TCMIB Force10 Textual Convention FORCE10TRAP-ALARMMIB Force10 Trap Alarm MIB Multicast The following table lists the Dell Networking OS support per platform for Multicast protocol. Table 103. Multicast RFC# Full Name 1112 C-Series E-Series TeraScale E-Series ExaScale Host Extensions for 7.8.1 IP Multicasting 7.7.1 √ 8.1.1 2236 Internet Group 7.8.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale 4541 Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches 7.6.1 (IGMPv1/v2) 7.6.1 (IGMPv1/v2) √ IGMPv1/v2/v3, MLDv1 Snooping 8.2.1 IGMPv1/v2/ v3, MLDv1 Snooping 7.8.1 PIM-SM for IPv4 7.7.1 √ IPv4/ IPv6 8.2.
MIB Location You can find Dell Networking MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.
