Dell Networking Configuration Guide for the C9000 Series Version 9.10(0.
Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
1 About this Guide

This configuration guide provides information about how to use and configure the software features supported in the Dell Networking operating system (OS) on a C9010 switch and C1048P port extender. You can configure each feature by entering commands from the C9010 console. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
2 Configuration Fundamentals

The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
You can set user access rights to commands and command modes using privilege levels. For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter.

The Dell Networking OS CLI is divided into three major mode levels:
• EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level.
GRUB CONSOLE VIRTUAL TERMINAL LLDP LLDP MANAGEMENT INTERFACE MONITOR SESSION MULTIPLE SPANNING TREE OPENFLOW INSTANCE PVST PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP

Navigating CLI Modes

The Dell Networking OS prompt changes to indicate the CLI mode.
| CLI Command Mode | Prompt | Access Command |
|---|---|---|
| Configuration Terminal Batch | Dell(conf-b)# | config terminal batch |
| DOT1X PROFILE | dell(conf-dot1x-profile)# | dot1x |
| AS-PATH ACL | Dell(config-as-path)# | ip as-path access-list |
| 10 Gigabit Ethernet Interface | Dell(conf-if-te-0/0)# | interface (INTERFACE modes) |
| 40 Gigabit Ethernet Interface | Dell(conf-if-fo-0/0)# | interface (INTERFACE modes) |
| Interface Range | Dell(conf-if-range)# | interface (INTERFACE modes) |
| Loopback Interface | Dell(conf-if-lo-0)# | interface (INTERFA |
| CLI Command Mode | Prompt | Access Command |
|---|---|---|
| ROUTER ISIS | Dell(conf-router_isis)# | router isis |
| ISIS ADDRESS-FAMILY | Dell(conf-router_isis-af_ipv6)# | address-family ipv6 unicast (ROUTER ISIS Mode) |
| ROUTER OSPF | Dell(conf-router_ospf)# | router ospf |
| ROUTER OSPFV3 | Dell(conf-ipv6router_ospf)# | ipv6 router ospf |
| ROUTER RIP | Dell(conf-router_rip)# | router rip |
| SPANNING TREE | Dell(config-span)# | protocol spanning-tree 0 |
| TRACE-LIST | Dell(conf-trace-acl)# | ip trace-list |
| CLASS-MAP | Dell(config-class-map)# | class-map |
Example of Changing Command Modes

Dell(conf)#protocol spanning-tree 0
Dell(config-span)#

The do Command

Use the do command to enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on) without having to return to EXEC mode. The following examples show how to use the do command in CONFIGURATION mode.
Dell(conf-if-te-4/17)#show config
!
interface TenGigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-te-4/17)#no ip address
Dell(conf-if-te-4/17)#show config
!
interface TenGigabitEthernet 4/17
 no ip address
 no shutdown

Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.
| Short-Cut Key Combination | Action |
|---|---|
| CNTL-A | Moves the cursor to the beginning of the command line. |
| CNTL-B | Moves the cursor back one character. |
| CNTL-D | Deletes character at cursor. |
| CNTL-E | Moves the cursor to the end of the line. |
| CNTL-F | Moves the cursor forward one character. |
| CNTL-I | Completes a keyword. |
| CNTL-K | Deletes all characters from the cursor to the end of the command line. |
| CNTL-L | Re-enters the previous command. |
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show processes command.

Dell#show processes cpu cp | grep system
0 72000 7200 10000 17.97% 17.81% 17.96% 0 system

NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks.
74 30 3 10000 0.00% 0.00% 0.00% 0 sh
30 60 6 10000 0.00% 0.00% 0.00% 0 mount_mfs
25 1720 172 10000 0.00% 0.00% 0.00% 0 mount_mfs

The display command displays additional configuration information.

The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.

The save command copies the output to a file for future reference.
3 Getting Started

This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Serial Console

The RJ-45 network management port is located on the left side of the RPM as you face the chassis. Use a supported RJ-45 cable for a network connection.

Figure 1. RJ-45 Console Port
1. RJ-45 Console Port

Accessing the Console Port

To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.

1 Install an RJ-45 copper cable into the console port.
| Console Port Signal | RJ-45 to RJ-45 Rollover Cable RJ-45 Pinout | RJ-45 to RJ-45 Rollover Cable RJ-45 Pinout | RJ-45 to DB-9 Adapter DB-9 Pin | Terminal Server Device Signal |
|---|---|---|---|---|
| GND | 4 | 5 | 5 | GND |
| GND | 5 | 4 | 5 | GND |
| RxD | 6 | 3 | 3 | TxD |
| NC | 7 | 2 | 4 | DTR |
| CTS | 8 | 1 | 7 | RTS |

Mounting an NFS File System

This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!.!
44250499 bytes successfully copied
Dell#
Dell#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.c
User name to login remote host: username

Example of Logging in to Copy from NFS Mount

Dell#copy nfsmount://test flash:
Destination file name [test]: test2
!
5592 bytes successfully copied
Dell#
Dell#copy nfsmount://test.txt ftp://10.16.127.35
Destination file name [test.
Accessing the System Remotely

You can configure the system so that you can access it remotely by Telnet or SSH.
• The switch has a dedicated management port and a management routing table that is separate from the IP routing table.
• You can also manage all Dell Networking products in-band via the front-end data ports, through interfaces that are assigned an IP address.

Accessing the System Remotely

Configuring the system remotely is a three-step process:
1. Configure an IP address for the management port.
– mask: a subnet mask in /prefix-length format (/ xx).
– gateway: the next hop for network traffic originating from the management port.

Configuring a Username and Password

To access the system remotely, you must configure a system username and password.
• Configure a username and password to access the system remotely.
CONFIGURATION mode
username username password [encryption-type] password
– encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
File Storage

The Dell Networking OS can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default, but can be configured to store files elsewhere. To view file system information, use the following command.
• View information about each file system.
Location source-file-url Syntax destination-file-url Syntax SCP server

Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
• The usbflash command is supported on the device. Refer to your system’s Release Notes for a list of approved USB vendors.
Configure the Overload Bit for a Startup Scenario

For information about setting the router overload bit for a specific period of time after a switch reload is implemented, refer to the Intermediate System to Intermediate System (IS-IS) section in the Dell Networking OS Command Line Reference Guide.

Viewing Files

You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands.
• View a list of files on the internal flash.
Changes in Configuration Files

Configuration files have three commented lines at the beginning of the file, as shown in the following example, to help you track the last time any user made a change to the file, which user made the changes, and when the file was last saved to the startup-configuration.
4 Switch Management

This chapter describes the switch management tasks supported on the switch.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.

| Level | Description |
|---|---|
| Level 0 | Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit. |
Allowing Access to CONFIGURATION Mode Commands

To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user who enters CONFIGURATION mode remains at their privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.201
[telnet output omitted]
Dell#show priv
Current privilege level is 3.
Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
• Configure privilege level for a terminal line.
LINE mode
privilege level level

NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.

Configuring Logging

The Dell Networking operating system tracks changes in the system using event and error messages.
CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.

Audit Logs

The audit log contains configuration events and information. The types of information in this log consist of the following:
• User logins to the switch.
• System events for network issues or system issues.
• Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change.
Example of the show logging Command for Security

For information about the logging extended command, see Enabling Audit and Security Logs.

Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )

Clearing Audit Logs

To clear audit logs, use the clear logging auditlog command in EXEC mode. When RBAC is enabled, only the system administrator user role can issue this command.
Pre-requisites

To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the switch, using the following syntax:
ssh -R :: user@remote_host -nNf

In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
Track Login Activity

Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts time-period days command.

Dell# show login statistics unsuccessful-attempts time-period 15
There were 0 unsuccessful login attempt(s) for user admin in last 15 day(s).

The following is sample output of the show login statistics unsuccessful-attempts user login-id command.

Dell# show login statistics unsuccessful-attempts user admin
There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s).
Example of Enabling the System to Clear Existing Sessions

The following example enables you to clear your existing login sessions.

Dell(config)#login concurrent-session clear-line enable

Example of Clearing Existing Sessions

When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:

$ telnet 10.11.178.14
Trying 10.11.178.14...
Connected to 10.11.178.14.
Escape character is '^]'.
• Secure Connection to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
• Disable all logging except on the console.
CONFIGURATION mode
no logging on
• Disable logging to the logging buffer.
CONFIGURATION mode
no logging buffer
• Disable logging to terminal lines.
Display the Logging Buffer and the Logging Configuration

To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
• Specify the minimum severity level for logging to a syslog server.
CONFIGURATION mode
logging trap level
• Specify the minimum severity level for logging to the syslog history table.
CONFIGURATION mode
logging history level
• Specify the size of the logging buffer.
CONFIGURATION mode
logging buffered size

NOTE: When you decrease the buffer size, the operating system deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
– sys11 (system use)
– sys12 (system use)
– sys13 (system use)
– sys14 (system use)
– syslog (for syslog messages)
– user (for user programs)
– uucp (UNIX to UNIX copy protocol)

Example of the show running-config logging Command

To view non-default settings, use the show running-config logging command in EXEC mode.
• Add timestamp to syslog messages.
CONFIGURATION mode
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
– You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC.
– uptime: To view time since last boot. If you do not specify a parameter, the system configures uptime.
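The following Python example is added here and is not part of the Dell guide or of Dell Networking OS. It parses show logging output in the two timestamp styles that appear in this guide (datetime and uptime) and reports logins from outside an assumed management subnet, configuration-change messages, and uptime-stamped lines, which cannot be lined up with other log sources by wall-clock time. MGMT_NETS, the second sample line, and the function names are assumptions; timestamps with the msec or show-timezone options are not handled and such lines are returned as unparsed.

```python
import re
from ipaddress import ip_address, ip_network

# Lines 1 and 3 are the sample messages printed in this guide;
# line 2 is constructed for the example.
SAMPLE_LOG = """\
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Jun 10 04:25:02: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user netops on line vty1 ( 192.0.2.77 )
3d23h35m: %SYSTEM-P:CP %SYS-5-CONFIG_I: Configured from console by console
"""

# Assumption: the subnet administrators are expected to log in from.
MGMT_NETS = ["10.14.1.0/24"]

# <timestamp>: %<origin> %<FACILITY>-<severity>-<MNEMONIC>: <text>
LINE_RE = re.compile(
    r"^(?:(?P<datetime>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r"|(?P<uptime>(?:\d+[wdhms])+))"
    r":\s+%(?P<origin>\S+)\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s*"
    r"(?P<text>.*)$"
)
# The source address in parentheses is treated as optional.
LOGIN_RE = re.compile(
    r"Login successful for user (?P<user>\S+) on line (?P<line>\S+)"
    r"(?:\s*\(\s*(?P<src>[^\s)]+)\s*\))?"
)


def parse_line(line):
    """Return the message fields as a dict, or None if the line is not a log message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["ts_kind"] = "datetime" if rec["datetime"] else "uptime"
    return rec


def audit(log_text, mgmt_nets=MGMT_NETS):
    """Return (findings, unparsed) for a block of show logging output."""
    nets = [ip_network(n) for n in mgmt_nets]
    findings, unparsed = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            # Keep what could not be parsed so nothing is dropped silently.
            unparsed.append(raw)
            continue
        if rec["ts_kind"] == "uptime":
            # Time since boot only: no wall-clock time to correlate on.
            findings.append(("uptime_timestamp", rec["mnemonic"]))
        if rec["mnemonic"] == "LOGIN_SUCCESS":
            m = LOGIN_RE.search(rec["text"])
            if m is None:
                unparsed.append(raw)
                continue
            src = m.group("src")
            if src is None:
                continue  # no source address recorded on this line
            try:
                inside = any(ip_address(src) in n for n in nets)
            except ValueError:
                inside = False  # not an IP address: report it
            if not inside:
                findings.append(
                    ("login_outside_mgmt", m.group("user"), m.group("line"), src)
                )
        elif rec["mnemonic"] == "CONFIG_I":
            findings.append(("config_change", rec["text"]))
    return findings, unparsed


if __name__ == "__main__":
    found, skipped = audit(SAMPLE_LOG)
    for item in found:
        print(item)
    print("unparsed lines:", len(skipped))
```
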
Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands.
• Specify the directory for users using FTP to reach the system.
CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
• Specify a user name for all FTP users and configure either a plain text or encrypted password.
Terminal Lines
You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port. The virtual terminal lines (VTYs) connect you through a remote session to the system.
Denying and Permitting Access to a Terminal Line
Dell Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6]
2 Apply the method list from Step 1 to a terminal line.
CONFIGURATION mode
login authentication {method-list-name | default}
3 If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
Using Telnet to Access Another Network Device
To Telnet to another device, use the following commands.
NOTE: The system allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime.
• Telnet to a device with an IPv4 or IPv6 address.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %SYSTEM-P:CP %SYS-5-CONFIG_I: Configured from console by console
Dell#config
! Locks configuration mode exclusively.
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration
If you do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the C9000 series factory-default configuration. To boot up with the factory-default configuration:
1 Log onto the system using the console.
2 Power-cycle the chassis by disconnecting and then reconnecting the power cord.
CAUTION: There is no undo for this command.
Important Point to Remember
• After the restore is complete, a switch reloads immediately.
The following example shows how the restore factory-defaults command restores a switch to its factory default settings.
Dell# restore factory-defaults chassis nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing *
* persistent settings (stacking, fanout, etc.
• The tftpboot command does not work after you perform a reset bootvar because the management IP address, network mask, and gateway IP address are all reset to NULL.
In case the system fails to reload the image from a flash partition, follow these steps:
1. Power-cycle the chassis (pull the power cord and reinsert it).
2. When prompted by the system, press the Esc key to abort the boot process. You are placed in the boot-line interface (BLI) at the BOOT_USER # prompt.
Press any key
3.
confidence that the local copy is exactly the same as the published software image. This validation procedure, and the verify {md5 | sha256} command to support it, can prevent the installation of corrupted or modified images. The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on i-Support.
• Column A: lists the system images stored in flash partition A: for each RPM component.
• Column B: lists the system images stored in partition B:.
Manually Resetting the System Image on a C9010 Component
If the image running on the RPM CP does not match the image on a C9010 component, you can manually recover from the mismatch as follows:
1. Log in to the virtual console of the C9010 component as described in Logging in to the Virtual Console of a C9010 Component.
2. Display the boot variables that you need to configure so that the component boots from the RPM CP image by entering the show bootvar command at the BOOT_USER# prompt.
Configuring C9010 Components to Boot from the RPM CP Image
By reconfiguring boot variables and resetting a component, you should be able to resolve most issues resulting from mismatched system images. To display the boot variables for a C9010 component that you need to configure so that a component boots with the RPM CP image, enter the show bootvar command at the BOOT_USER# prompt.
5 802.1X
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
• The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally.
NOTE: The switch places 802.1X-enabled ports in the unauthorized state by default.
Topics:
• The Port-Authentication Process
• Configuring 802.1X
• Important Points to Remember
• Enabling 802.
Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame.
Figure 4. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
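The following added example (not from the Dell guide or Dell Networking OS) parses the attribute TLVs of a RADIUS Access-Request, reassembles an EAP packet split across several Type 79 attributes, and verifies the Message-Authenticator attribute (Type 80, HMAC-MD5 keyed with the shared secret) that RFC 3579 requires alongside EAP-Message. The shared secret, MAC address, identity and packet bytes are constructed sample values, all function names are hypothetical, and attribute 80 is not described on this page.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # Type value given on this page
MESSAGE_AUTHENTICATOR = 80  # RFC 3579; assumption, not described on this page
ACCESS_REQUEST = 1


def eap_identity_response(ident, identity):
    """Constructed EAP-Response/Identity packet (EAP Code 2, Type 1)."""
    return struct.pack("!BBH", 2, ident, 5 + len(identity)) + b"\x01" + identity


def build_access_request(secret, ident, eap, extra_attrs=(), with_authenticator=True):
    """Build a constructed Access-Request carrying `eap` (sample data only)."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in extra_attrs)
    # An attribute value holds at most 253 bytes, so long EAP packets are split.
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    if with_authenticator:
        attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    packet = bytearray(header + bytes(range(16)) + attrs)  # fixed sample authenticator
    if with_authenticator:
        # HMAC-MD5 over the whole packet with the attribute value still zeroed.
        packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def parse_attributes(packet):
    """Return (code, [(type, value_offset, value), ...]); raise ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, pos + 2, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def extract_eap(packet, secret):
    """Reassemble the EAP packet after verifying Message-Authenticator."""
    _code, attrs = parse_attributes(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    eap = b"".join(v for t, _o, v in attrs if t == EAP_MESSAGE)
    if not eap:
        raise ValueError("no EAP-Message attribute")
    found = [(o, v) for t, o, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][1]) != 16:
        raise ValueError("EAP-Message without a valid Message-Authenticator")
    offset, received = found[0]
    zeroed = bytearray(packet[:length])
    zeroed[offset:offset + 16] = bytes(16)
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, received):
        raise ValueError("Message-Authenticator mismatch")
    return eap


# Constructed sample: 345-byte EAP identity response, split over two attributes.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_EAP = eap_identity_response(7, b"user@example.test" * 20)
SAMPLE_PACKET = build_access_request(
    SAMPLE_SECRET, 42, SAMPLE_EAP, [(31, b"00-11-22-33-44-55")])

if __name__ == "__main__":
    code, attrs = parse_attributes(SAMPLE_PACKET)
    print("code", code, "attribute types", [t for t, _o, _v in attrs])
    print("EAP bytes recovered:", len(extract_eap(SAMPLE_PACKET, SAMPLE_SECRET)))
```

A packet that carries EAP-Message without a verifiable Message-Authenticator is rejected before any EAP bytes are handed on.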
RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X
Enable 802.1X globally.
Figure 6. 802.1X Enabled
1 Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3 Enable 802.1X on the supplicant interface only.
INTERFACE mode
dot1x authentication
NOTE: You must enable dot1x authentication globally as well as in INTERFACE mode on the interface to which the supplicant is connected.
Examples of Verifying that 802.
The bold text shows that 802.1X has been enabled. By default, ports are not authorized.
Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
no ip address
dot1x authentication
no shutdown
!
Dell#
View 802.1X configuration information for an interface using the show dot1x interface command. The bold lines show that 802.1X is enabled and that all ports are unauthorized by default.
Dell#show dot1x interface TenGigabitEthernet 2/1
802.
DHCP Client-ID :3417eb00aa12
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit, Mode auto
Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 20:06:07
Queueing strategy: fifo
Input Statistics:
10760802379 packets, 688691353132 bytes
10760802177 64-byte pkts, 203 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
203 Multicasts, 0 Broadcasts, 10760802177 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 o
Example of Configuring a List of MAC Addresses for a dot1x Profile
The following example configures 2 MAC addresses and then displays these addresses.
Configuring Critical VLAN
By default, critical-VLAN is not configured. If authentication fails because the authentication server is not reachable, the user session is authenticated under the critical VLAN. To configure a critical VLAN for users or devices when the authentication server is not reachable, use the following command.
• Enable critical VLAN for users or devices.
INTERFACE mode
dot1x critical-vlan [{vlan-id}]
Specify a VLAN interface identifier to be configured as a critical VLAN. The VLAN ID range is 1–4094.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 (1 year)
The default is 30.
• Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
INTERFACE mode
dot1x max-eap-req number
The range is from 1 to 10. The default is 2.
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network.
Re-Authenticating a Port
You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to reauthenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
1. The host sends a dot1x packet to the Dell Networking system.
2. The system forwards a RADIUS REQUEST packet containing the host MAC address and ingress port number.
3. The RADIUS server authenticates the request and returns a RADIUS ACCEPT message with the VLAN assignment using Tunnel-Private-Group-ID.
The illustration shows the configuration before connecting the end user device in black and blue text, and after connecting the device in red text.
If the supplicant fails to authenticate for a specified number of times, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication.
You can configure the maximum number of times the authenticator re-attempts authentication after a failure (3 by default), after which the port is placed in the Authentication-fail VLAN.
Dot1x Status: Enable
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Enabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Timeou
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Multi-Host Authentication
By default, 802.
When multiple end users are connected to a single authenticator port, single-host mode authentication does not authenticate all end users, and all but one are denied access to the network. For these cases, the Dell Networking OS supports multi-host mode authentication.
Figure 9. Multi-Host Authentication Mode
When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored.
802.
Multi-Supplicant Authentication
802.1X multi-supplicant authentication enables multiple devices on a single authenticator port to access the network by authenticating each device. In addition, multi-supplicant authentication uses dynamic MAC-based VLAN assignment to place devices on different VLANs.
Untagged VLAN id: 400
Auth PAE State: Authenticated
Backend State: Idle
Restricting Multi-Supplicant Authentication
To restrict the number of devices that 802.1X can authenticate on a port in multi-supplicant (multi-auth) mode, enter the dot1x max-supplicants number command in Interface mode. By default, the maximum number of multi-supplicant devices is 128.
MAB in Multi-Supplicant Authentication Mode
Multi-supplicant authentication (multi-auth) mode is similar to other 802.1X modes in that the switch first attempts to authenticate a supplicant using 802.1X. 802.1X times out if the supplicant does not respond to the Request Identity frame. Then, if MAB authentication is enabled, the switch tries to authenticate every MAC it learns on the port, up to 128 MACs, which is the maximum number of supplicants that 802.
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Dynamic CoS with 802.
5 6 7 • 1 2 4 5 2 4 0 0 2
The priority of untagged packets is assigned according to the remapped value of priority 0 traffic in the RADIUS-based table. For example, in the following remapping table, untagged packets are tagged with priority 2:
Dell#show dot1x cos-mapping interface TenGigabitethernet 2/3
802.1Xp CoS remap table on Te 2/3:
----------------------------
Dot1p   Remapped Dot1p
0       2
1       6
2       5
3       4
4       3
5       2
6       1
7       0
• After being re-tagged by dynamic CoS for 802.
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), Ingress IP and MAC ACLs, and Egress IP and MAC ACLs are supported on the system.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Destination TCP port number
• Source UDP port number
• Destination UDP port number
For more information about ACL options, refer to the Dell Networking OS Command Reference Guide.
For extended ACL, TCP, and UDP filters, you can match criteria on specific or ranges of TCP or UDP ports. For extended ACL TCP filters, you can also match criteria on established TCP sessions. When creating an access list, the sequence of the filters is important.
Parameters
• line card — Enter the linecard keyword and one of the following options:
– linecard number (from 0 to 11) and then the port-set keyword and number.
– All to specify all line card numbers and then the port-set keyword and number.
• stack-unit stack-unit-number — Enter the keyword stack-unit and then the stack unit number. The range is 0–7.
• pe pe–id — Enter the keyword pe and then the port-extender ID.
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
nlbclusteracl: 0
Select the CAM allocation for Layer 2, IPv4, and IPv6 ACLs, Layer 2 and Layer 3 (IPv4) QoS, Layer 2 Protocol Tunneling (L2PT), IP and MAC source address validation for DHCP, and Policy-based Routing (PBR). Save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings to take effect. The total amount of space allowed is 12 FP Blocks.
Allocating CAM for Egress ACLs on the Port Extender
You can re-allocate Content Addressable Memory (CAM) space for egress ACLs on the port extender by using the cam-acl-egress-pe command in CONFIGURATION mode. The default CAM allocation settings for the three egress ACL and QoS regions on a switch are:
• L2 ACL (l2acl): 1
• L3 ACL (ipv4acl): 1
• IPv6 L3 ACL (ipv6acl): 2
The total egress CAM ACL space must equal 4 memory blocks.
ipv4pbr 2
cam-acl-pe l2acl 3 ipv4acl 2 ipv6acl 2 ipv4qos 2 l2qos 1 ipmacacl 2
cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
Implementing ACLs
You can assign one IP ACL per physical or VLAN interface. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended.
Dell(conf)#ip access-list standard acl2
Dell(config-std-nacl)#permit 20.1.1.
Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.
A standard IP ACL uses the source IP address as its match criterion.
1 Enter IP ACCESS LIST mode by naming a standard IP access list.
CONFIGURATION mode
ip access-list standard access-listname
2 Configure a drop or forward filter.
CONFIG-STD-NACL mode
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
ip access-list standard access-list-name
2 Configure a drop or forward IP ACL filter.
CONFIG-STD-NACL mode
{deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
The following example shows a standard IP ACL in which the system assigns the sequence numbers.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configuring Filters Without a Sequence Number
If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. Filters are assigned in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands:
• Configure a deny or permit filter to examine IP packets.
Table 6. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              L3 ACL denies.
Deny              Permit            L3 ACL permits.
Permit            Deny              L3 ACL denies.
Permit            Permit            L3 ACL permits.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
• If you do not attach an ACL to any of the ports, the FP entries are deleted. Similarly, when the same ACL is applied on a set of ports, only one set of entries is installed in the FP, thereby effectively saving CAM space. The optimization is enabled only if you specify the optimized option with the ip access-group command. This option is not valid for VLAN and LAG interfaces. NOTE: Port-based CAM Optimization is supported only on LM/LP front panel interfaces and is not available on PeGigE interfaces.
1,1000
Dell#
Allocating ACL VLAN CAM
CAM optimization for ACL VLAN groups is not enabled by default. You must allocate blocks of ACL VLAN CAM to enable ACL CAM optimization by using the cam-acl-vlan command. By default, 0 blocks of CAM are allocated for VLAN services in the VLAN Content Aware Processor (VCAP), an application that modifies VLAN settings before forwarding packets on member interfaces.
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
Example of Viewing ACLs Applied to an Interface
Dell(conf-if)#show conf
!
interface TengigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
Dell(conf-if)#
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify ingress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL entries.
1 Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter.
2 Apply the ACL as an inbound or outbound ACL on an interface. Refer to Applying an IP ACL.
3 View the number of packets matching the ACL.
EXEC Privilege mode
show ip accounting access-list
IP Prefix Lists
IP prefix lists are supported to control routing policy.
The following list includes the configuration tasks for prefix lists, as described in the following sections.
• Configuring a prefix list
• Use a prefix list for route redistribution
For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command Line Reference Guide.
Creating a Prefix List
To create a prefix list, use the following commands.
1 Create a prefix list and assign it a unique name. You are in PREFIX LIST mode.
Creating a Prefix List Without a Sequence Number
To create a filter without a specified sequence number, use the following commands.
1 Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
2 Create a prefix list filter with a deny or permit action.
CONFIG-NPREFIXL mode
{deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.0/24 (hit count: 0)
seq 6 deny 200.200.1.0/24 (hit count: 0)
seq 7 deny 200.200.2.0/24 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
The following example shows the show ip prefix-list summary command.
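As an added illustration (not Dell code), the sketch below evaluates routes against the filter_ospf list shown above and reports entries that can never match because an earlier entry already covers them. It assumes the conventional prefix-list semantics: lowest sequence number first, first match wins, exact prefix-length match when neither ge nor le is given, and an implicit deny when nothing matches; the function names are hypothetical.

```python
import ipaddress

# (sequence, action, prefix, ge, le) copied from the filter_ospf output above.
FILTER_OSPF = [
    (5, "deny", "100.100.1.0/24", None, None),
    (6, "deny", "200.200.1.0/24", None, None),
    (7, "deny", "200.200.2.0/24", None, None),
    (10, "permit", "0.0.0.0/0", None, 32),
]


def length_range(prefix, ge, le):
    """Return (network, min_len, max_len) of the route lengths an entry accepts."""
    net = ipaddress.ip_network(prefix)
    if ge is None and le is None:
        return net, net.prefixlen, net.prefixlen      # exact match only
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else net.max_prefixlen
    return net, max(low, net.prefixlen), high


def entry_matches(route, prefix, ge, le):
    """True if `route` falls inside the entry's prefix and length window."""
    net, low, high = length_range(prefix, ge, le)
    route = ipaddress.ip_network(route)
    return route.subnet_of(net) and low <= route.prefixlen <= high


def evaluate(prefix_list, route):
    """Return (action, sequence) of the first matching entry."""
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda e: e[0]):
        if entry_matches(route, prefix, ge, le):
            return action, seq
    return "deny", None   # assumed implicit deny when no entry matches


def shadowed_entries(prefix_list):
    """List (sequence, shadowing_sequence) for entries that can never match."""
    entries = sorted(prefix_list, key=lambda e: e[0])
    result = []
    for j, (seq_j, _act, prefix_j, ge_j, le_j) in enumerate(entries):
        net_j, low_j, high_j = length_range(prefix_j, ge_j, le_j)
        for seq_i, _act_i, prefix_i, ge_i, le_i in entries[:j]:
            net_i, low_i, high_i = length_range(prefix_i, ge_i, le_i)
            if net_j.subnet_of(net_i) and low_i <= low_j and high_j <= high_i:
                result.append((seq_j, seq_i))
                break
    return result


if __name__ == "__main__":
    for route in ("100.100.1.0/24", "100.100.1.128/25", "10.0.0.0/8"):
        print(route, evaluate(FILTER_OSPF, route))
    # A deny appended after "permit 0.0.0.0/0 le 32" is dead configuration.
    print(shadowed_entries(FILTER_OSPF + [(12, "deny", "10.0.0.0/8", None, None)]))
```

Under these semantics the /25 inside a denied /24 is permitted by seq 10, because seq 5 matches only the exact /24; denying the more-specifics as well requires an le bound on the deny entry.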
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
CONFIG-ROUTER-OSPF mode
distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to incoming routes. You can specify which type of routes are affected. If you enter the name of a non-existent prefix list, all routes are forwarded.
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
Dell# end
Dell# resequence access-list ipv4 test 2 2
Dell# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.1
remark 6 this remark has no corresponding rule
remark 8 this remark corresponds to permit ip any host 1.1.1.2
seq 8 permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.3
seq 12 permit ip any host 1.1.1.
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command.
• Create a route map and assign it a unique name. The optional permit and deny keywords are the action of the route map.
The following example shows a route map with multiple instances. The show config command displays only the configuration of the current route map instance. To view all instances of a specific route map, use the show route-map command.
Configuring Match Routes
To configure match criterion for a route map, use the following commands.
• Match routes with the same AS-PATH numbers.
CONFIG-ROUTE-MAP mode
match as-path as-path-name
• Match routes with COMMUNITY list attributes in their path.
CONFIG-ROUTE-MAP mode
match community community-list-name [exact]
• Match routes whose next hop is a specific interface.
match origin {egp | igp | incomplete}
• Match routes specified as internal or external to OSPF, ISIS level-1, ISIS level-2, or locally generated.
CONFIG-ROUTE-MAP mode
match route-type {external [type-1 | type-2] | internal | level-1 | level-2 | local }
• Match routes with a specific tag.
CONFIG-ROUTE-MAP mode
match tag tag-value
To create route map instances, use these commands.
CONFIG-ROUTE-MAP mode
set tag tag-value
• Specify a value as the route’s weight.
CONFIG-ROUTE-MAP mode
set weight value
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command.
!
set tag 34
Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found. The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map “test” module 10, module 30 is processed.
key description udf-id id packetbase PacketBase offset bytes length bytes
Dell(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2
6 View the UDF TCAM configuration.
CONFIGURATION-UDF TCAM mode
show config
Dell(conf-udf-tcam)#show config
!
udf-tcam ipnip seq 1
key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2
Dell(conf-udf-tcam)#
7 Configure the match criteria for the packet type in which UDF offset bytes are parsed.
Hot-Lock Behavior
Dell Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic. Existing entries are simply shuffled to accommodate new entries. Hot-Lock IP ACLs allow you to append rules to and delete rules from an access control list (ACL) that is already written to CAM. This behavior is enabled by default and is available for both standard and extended ACLs on ingress and egress.
7 Bidirectional Forwarding Detection (BFD)
BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 10. BFD in IPv4 Packet Format
Field             Description
Diagnostic Code   The reason that the last session failed.
State             The current local session state. Refer to BFD Sessions.
Flag              A bit that indicates packet function.
Field                 Description
Detection Multiplier  The number of packets that must be missed in order to declare a session down.
Length                The entire length of the BFD packet.
My Discriminator      A random number generated by the local system to identify the session.
Your Discriminator    A random number generated by the remote system to identify the session.
Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode
If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time.
NOTE: The Dell Networking OS supports Asynchronous mode only.
A session can have four states: Administratively Down, Down, Init, and Up.
Administratively Down
The local system does not participate in a particular session.
state change or change in a session parameter, the passive system sends a final response indicating the state change. After this, periodic control packets are exchanged. Figure 11.
Session State Changes
The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init.
Figure 12.
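An added example, not taken from the Dell guide: it decodes the mandatory 24-byte section of a BFD control packet into the fields listed under BFD Packet Format, applies the RFC 5880 reception checks that cause a packet to be discarded, and steps the session state machine through the three-way handshake, including the Down to Init transition described above. The RFC 5880 bit layout, the microsecond interval units, and all function names and sample discriminators are assumptions not stated on this page.

```python
import struct

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
STATE_CODES = {name: code for code, name in STATES.items()}


def build_control(state, my_disc, your_disc, mult=3, interval_us=200_000, diag=0):
    """Build a constructed BFD control packet (version 1, no authentication)."""
    byte0 = (1 << 5) | (diag & 0x1F)      # Vers (3 bits) | Diagnostic Code (5 bits)
    byte1 = STATE_CODES[state] << 6       # State (2 bits) | P F C A D M flag bits
    return struct.pack("!BBBBIIIII", byte0, byte1, mult, 24,
                       my_disc, your_disc, interval_us, interval_us, 0)


def parse_control(payload):
    """Decode and validate a control packet; ValueError means 'discard'."""
    if len(payload) < 24:
        raise ValueError("shorter than the mandatory section")
    (byte0, byte1, mult, length, my_disc, your_disc,
     tx_us, rx_us, _echo_us) = struct.unpack("!BBBBIIIII", payload[:24])
    pkt = {
        "version": byte0 >> 5, "diag": byte0 & 0x1F,
        "state": STATES[byte1 >> 6], "flags": byte1 & 0x3F,
        "detect_mult": mult, "length": length,
        "my_disc": my_disc, "your_disc": your_disc,
        "tx_ms": tx_us // 1000, "rx_ms": rx_us // 1000,
    }
    auth_present = bool(byte1 & 0x04)
    if pkt["version"] != 1:
        raise ValueError("unsupported version")
    if length < (26 if auth_present else 24) or length > len(payload):
        raise ValueError("bad Length field")
    if mult == 0:
        raise ValueError("Detection Multiplier is zero")
    if byte1 & 0x01:
        raise ValueError("Multipoint bit set")
    if my_disc == 0:
        raise ValueError("My Discriminator is zero")
    if your_disc == 0 and pkt["state"] not in ("Down", "AdminDown"):
        raise ValueError("Your Discriminator is zero in state " + pkt["state"])
    return pkt


def next_state(local, received):
    """Local session state after receiving a packet reporting `received`."""
    if local == "AdminDown":
        return local                      # not participating in the session
    if received == "AdminDown":
        return "Down"
    if local == "Down":
        return {"Down": "Init", "Init": "Up"}.get(received, "Down")
    if local == "Init":
        return "Up" if received in ("Init", "Up") else "Init"
    return "Down" if received == "Down" else "Up"   # local is Up


def handshake():
    """Trace (A, B) session states while A and B bring a session up."""
    a, b = "Down", "Down"
    trace = [(a, b)]
    b = next_state(b, parse_control(build_control(a, 0x11, 0))["state"])
    trace.append((a, b))
    a = next_state(a, parse_control(build_control(b, 0x22, 0x11))["state"])
    trace.append((a, b))
    b = next_state(b, parse_control(build_control(a, 0x11, 0x22))["state"])
    trace.append((a, b))
    return trace


if __name__ == "__main__":
    print(parse_control(build_control("Down", 0x11, 0)))
    print(handshake())
```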
• Configure BFD for IS-IS
• Configure BFD for BGP
• Configure BFD for VRRP
• Configuring Protocol Liveness
Configure BFD for Static Routes
Configuring BFD for static routes is supported on the switch. BFD offers systems a link state detection mechanism for static routes. With BFD, systems are notified to remove static routes from the routing table as soon as the link state change occurs, rather than waiting until packets fail to reach their next hop.
R1(conf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
2.2.2.1    2.2.2.2     Te 4/24    Up     200     200     4     R
To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
Changing Static Route Session Parameters
BFD sessions are configured with default intervals and a default role.
Configure BFD for OSPF
When using BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change occurred.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 14. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1 Up 200 200 3 O
* 2.2.3.1 2.2.3.2 Te 2/2 Up 200 200 3 O
Changing OSPFv3 Session Parameters
Configure BFD sessions with default intervals and a default role.
Configure BFD for OSPFv3 BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Related Configuration Tasks • Changing OSPFv3 Session Parameters • Disabling BFD for OSPFv3 Changing OSPFv3 Session Parameters Configure BFD sessions with default intervals and a default role.
Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
• Establish sessions with all OSPFv3 neighbors.
ROUTER-OSPFv3 mode
bfd all-neighbors
• Establish sessions with OSPFv3 neighbors on a single interface.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 15. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1 Up 200 200 3 I
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Configure BFD for BGP In a BGP core network, BFD provides rapid detection of communication failures in BGP fast-forwarding paths between internal BGP (iBGP) and external BGP (eBGP) peers for faster network reconvergence. BFD for BGP is supported on 1GE, 10GE, 40GE, port-channel, and VLAN interfaces. BFD for BGP does not support IPv6 and the BGP multihop feature. Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1.
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command) BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (COPP) framework to avoid BFD packets drops due to queue congestion.
Disabling BFD for BGP You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs. • Disable a BFD for BGP session with a specified neighbor.
• Check to see if BFD is enabled for BGP connections.
EXEC Privilege mode
show ip bgp summary
• Displays routing information exchanged with BGP neighbors, including BFD for BGP sessions.
EXEC Privilege mode
show ip bgp neighbors [ip-address]
Examples of the BFD show Commands
The following example shows verifying a BGP configuration.
R2# show running-config bgp
!
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.
Number of packets received from neighbor: 4762
Number of packets sent to neighbor: 4490
Number of state changes: 2
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 5
Session Discriminator: 10
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.
The bold line shows the message displayed when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 200 Min_rx 200 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
1.1.1.2 2.2.2.2 3.3.3.
Neighbor is using BGP neighbor mode BFD configuration
Peer active in peer-group outbound optimization
...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.4, remote AS 1, external link
Member of peer-group pg1 for session parameters
BGP version 4, remote router ID 12.0.0.4
BGP state ESTABLISHED, in this state for 00:05:33
...
Neighbor is using BGP peer-group mode BFD configuration
Peer active in peer-group outbound optimization
...
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 17. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.5.1 2.2.5.2 Te 4/25 Down 1000 1000 3 V
To view session state information, use the show vrrp command. The following example shows viewing VRRP session state information. The bold line shows the VRRP BFD session.
R1(conf-if-te-4/25)#do show vrrp
-----------------
TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.
• Disable all VRRP sessions in a VRRP group.
VRRP mode
bfd disable
• Disable a particular VRRP session on an interface.
INTERFACE mode
no vrrp bfd neighbor ip-address
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state.
8 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
because they provide connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, hence the term Transit AS. When BGP operates inside an AS (AS1 or AS2, as seen in the following illustration), it is referred to as Internal BGP (IBGP, Interior Border Gateway Protocol). When BGP operates between ASs (AS1 and AS2), it is called External BGP (EBGP, Exterior Border Gateway Protocol).
four routers connected in a full mesh have three peers each, six routers have five peers each, and eight routers in full mesh have seven peers each. Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
To illustrate how these rules affect routing, refer to the following illustration and the following steps. Routers B, C, D, E, and G are members of the same AS (AS100). These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector. Routers E and H are client peers of Router D; Routers B and C are nonclient peers of Router D.
Figure 20. BGP Router Rules
1. Router B receives an advertisement from Router A through eBGP.
Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
a Routes originated via the network or redistribute commands are preferred over routes originated with the aggregate-address command.
4. Prefer the path with the shortest AS_PATH (unless the bgp bestpath as-path ignore command is configured, then AS_PATH is not considered). The following criteria apply:
a An AS_SET has a path length of 1, no matter how many ASs are in the set.
b A path with no AS_PATH configured has a path length of 0.
Local Preference
Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route. Local preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. For this example, assume that the local preference (LOCAL_PREF) is the only attribute applied.
NOTE: The MEDs are advertised across both links, so if a link goes down, AS 1 still has connectivity to AS300 and AS400.
Figure 23. Multi-Exit Discriminators
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Origin Type    Description
IGP    Indicates the prefix originated from information learned through an interior gateway protocol.
Example of Viewing AS Paths Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount Metric 0x4014154 0 3 18508 0x4013914 0 3 18508 0x5166d6c 0 3 18508 0x5e62df4 0 2 18508 0x3a1814c 0 26 18508 0x567ea9c 0 75 18508 0x6cc1294 0 2 18508 0x6cc18d4 0 1 18508 0x5982e44 0 162 18508 0x67d4a14 0 2 18508 0x559972c 0 31 18508 0x59cd3b4 0 2 18508 0x7128114 0 10 18508 0x536a914 0 3 18508 0x2ffe884 0 1 18508 Path 701 3549 19421 i 701 7018 14990 i 209 4637 1221 9249 9249 i 701 17302 i 209 22291 i 209 3356 2529 i 20
Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. Use the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
Traditional Format    DOT Format
65001    0.65001
65536    1.0
100000    1.34464
4294967295    65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.
AS4 Number Representation
Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
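Converting between the three notations, for example to normalize AS paths from devices that display them differently before comparing logs. This is an added example, not Dell code: the function names are made up for illustration, the asdot and asdot+ rules follow RFC 5396, and the mixed-notation path is a constructed sample.

```python
MAX_ASN = 0xFFFFFFFF          # largest 4-byte AS number


def _is_number(text: str) -> bool:
    return text.isascii() and text.isdigit()


def parse_asn(text: str) -> int:
    """Accept asplain ("100000") or dotted ("1.34464") and return the integer."""
    text = text.strip()
    if "." in text:
        high_s, _, low_s = text.partition(".")
        if not (_is_number(high_s) and _is_number(low_s)):
            raise ValueError(f"malformed dotted AS number: {text!r}")
        high, low = int(high_s), int(low_s)
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"each half must be 0-65535: {text!r}")
        return (high << 16) | low
    if not _is_number(text):
        raise ValueError(f"malformed AS number: {text!r}")
    asn = int(text)
    if asn > MAX_ASN:
        raise ValueError(f"AS number out of 4-byte range: {text!r}")
    return asn


def format_asn(asn: int, notation: str = "asplain") -> str:
    """Render an AS number as asplain, asdot+ (always dotted) or asdot."""
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of 4-byte range: {asn}")
    dotted = f"{asn >> 16}.{asn & 0xFFFF}"
    if notation == "asplain":
        return str(asn)
    if notation == "asdot+":
        return dotted
    if notation == "asdot":
        # 2-byte values stay plain; only values above 65535 are dotted
        return str(asn) if asn <= 0xFFFF else dotted
    raise ValueError(f"unknown notation: {notation!r}")


def normalize_path(path: str, notation: str = "asplain") -> str:
    """Rewrite every AS number in an AS path; origin codes (i, e, ?) pass through."""
    out = []
    for token in path.split():
        out.append(token if token in ("i", "e", "?") else format_asn(parse_asn(token), notation))
    return " ".join(out)


if __name__ == "__main__":
    for value in (65536, 100000, 4294967295):
        print(value, format_asn(value, "asdot+"), format_asn(value, "asdot"))
    # Constructed sample path mixing asplain and dotted values
    print(normalize_path("18508 1.34464 0.701 i"))
```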
behavior to happen by allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned. Figure 24. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the SNMP query response. • The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used. • Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero. • 4-byte ASN is supported. The f10BgpM2AsPath4byteEntry table contains 4-byte ASN-related parameters based on the configuration.
Item    Default
Distance    external distance = 20, internal distance = 200, local distance = 200
Timers    keepalive = 60 seconds, holdtime = 180 seconds
Add-path    Disabled
Enabling BGP
By default, BGP is not enabled on the system. The Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer. In BGP, routers with an established TCP connection are called neighbors or peers.
CONFIG-ROUTER-BGP mode
address-family {ipv4 | ipv6}
Use this command to enter BGP for IPv6 mode (CONF-ROUTER_BGPv6_AF).
2 Add a neighbor as a remote AS.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group name} remote-as as-number
• peer-group name: 16 characters
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format)
Formats: IP Address A.B.C.D
You must Configure Peer Groups before assigning it a remote AS.
3 Enable the BGP neighbor.
192.168.10.1 65123 0 0 0 0 0 never Active
192.168.12.2 65123 0 0 0 0 0 never Active
R2#
For the router’s identifier, the system uses the highest IP address of the Loopback interfaces configured. Because Loopback interfaces are virtual, they cannot go down, thus preventing changes in the router ID. If you do not configure Loopback interfaces, the highest IP address of any interface is used as the router ID.
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list ISP1in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.9 remote-as 65192
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.
Examples of the bgp asnotation Commands
The following example shows the bgp asnotation asplain command.
Dell(conf-router_bgp)#bgp asnotation asplain
Dell(conf-router_bgp)#sho conf
!
router bgp 100
bgp four-octet-as-support
neighbor 172.30.1.250 remote-as 18508
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.
neighbor peer-group-name no shutdown
By default, all peer groups are disabled.
3 Create a BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor ip-address remote-as as-number
4 Enable the neighbor.
CONFIG-ROUTER-BGP mode
neighbor ip-address no shutdown
5 Add an enabled neighbor to the peer group.
CONFIG-ROUTER-BGP mode
neighbor ip-address peer-group peer-group-name
6 Add a neighbor as a remote AS.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group name} remote-as as-number
Formats: IP Address A.B.C.
!
router bgp 45
bgp fast-external-fallover
bgp log-neighbor-changes
neighbor zanzibar peer-group
neighbor zanzibar shutdown
neighbor 10.1.1.1 remote-as 65535
neighbor 10.1.1.1 shutdown
neighbor 10.14.8.60 remote-as 18505
neighbor 10.14.8.60 no shutdown
Dell(conf-router_bgp)#
To enable a peer group, use the neighbor peer-group-name no shutdown command in CONFIGURATION ROUTER BGP mode (shown in bold).
10.68.183.1 10.68.184.1 10.68.185.1 Dell> Configuring BGP Fast Fail-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fail-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails.
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
'Connection Reset' Sent : 5 Recv: 0
Local host: 200.200.200.200, Local port: 65519
Foreign host: 100.100.100.100, Foreign port: 179
Dell#
To verify that fast fail-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
The peer group responds to OPEN messages sent on this subnet. 3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown 4 Create and specify a remote peer for BGP neighbor. CONFIG-ROUTER-BGP mode neighbor peer-group-name remote-as as-number Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED. After the peer group is ESTABLISHED, the peer group is the same as any other peer group.
neighbor 192.168.12.2 update-source Loopback 0
neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#
Allowing an AS Number to Appear in its Own AS Path
This command allows you to set the number of times a particular AS number can occur in the AS path. The allow-as feature permits a BGP speaker to allow the ASN to be present for a specified number of times in the update received from the peer, even if that ASN matches its own.
With the graceful restart feature, the system enables the receiving/restarting mode by default. In Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability when they restart. This option provides support for remote peers for their graceful restart without supporting the feature itself. You can implement BGP graceful restart either by neighbor or by BGP peer-group. For more information, refer to the Dell Networking OS Command Line Interface Reference Guide.
exit
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5 Use a configured AS-PATH ACL for route filtering and manipulation.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes.
Example of the show ip bgp paths Command
To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
Regular Expression    Definition
* (asterisk)    Matches 0 or more sequences of the immediately previous character or pattern.
+ (plus)    Matches 1 or more sequences of the immediately previous character or pattern.
? (question)    Matches 0 or 1 sequence of the immediately previous character or pattern.
Redistributing Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode. • Include, directly connected or user-configured (static) routes in BGP.
NOTE: The path-count parameter controls the number of paths that are advertised, not the number of paths that are received.
Configuring IP Community Lists
Multiple methods of manipulating routing attributes are supported in the Dell Networking OS. One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that is defined for a group of destinations. You can assign a COMMUNITY attribute to BGP routers by using an IP community list.
deny 705:112
deny 14551:112
deny 701:667
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
Dell#
Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1 Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2 Two types of extended communities are supported.
Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1 Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
route-map map-name [permit | deny] [sequence-number] 2 Configure a set filter to delete all COMMUNITY numbers in the IP community list. CONFIG-ROUTE-MAP mode set comm-list community-list-name delete OR set community {community-number | local-as | no-advertise | no-export | none} Configure a community list by denying or permitting specific community numbers or types of community.
*>i 6.14.0.0/15 205.171.0.16 100 0 209 7170 1455 i
*>i 6.133.0.0/21 205.171.0.16 100 0 209 7170 1455 i
*>i 6.151.0.0/16 205.171.0.16 100 0 209 7170 1455 i
--More--
Changing MED Attributes
By default, the system uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands.
• Enable MED comparison in the paths from neighbors with different ASs.
4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
– weight: the range is from 0 to 65535.
To view BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Enabling Multipath
By default, the system supports one path to a destination. You can enable multipath to allow up to 16 parallel paths to a destination.
NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector.
To allow more than one path, use the following command.
• le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3 Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5 Filter routes based on the criteria in the configured prefix list.
5 Filter routes based on the criteria in the configured route map. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • map-name: enter the name of a configured route map. • in: apply the route map to inbound routes. • out: apply the route map to outbound routes.
Configuring BGP Route Reflectors BGP route reflectors are intended for ASs with a large mesh; they reduce the amount of BGP control traffic. NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector. With route reflection configured properly, IBGP routers are not fully meshed within a cluster but all receive routing information.
*> 9.2.0.0/16 10.114.8.33 0 18508 701 i
*> 9.141.128.0/24 10.114.8.33 0 18508 701 7018 2686 ?
Dell#
Configuring BGP Confederations
Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving many IBGP peering sessions per router.
To configure route flap dampening parameters, set dampening parameters using a route map, clear information on route dampening and return suppressed routes to active state, view statistics on route flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands. • Enable route dampening.
bgp non-deterministic-med NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode. Examples of Working with Route Dampening To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. The following example shows how to configure values to reuse or restart a route.
neighbors {ip-address | peer-group-name} timers keepalive holdtime
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
– holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
• Configure timer values for all neighbors.
BGP stores all the updates received by the neighbor but does not reset the peer-session. Entering this command starts the storage of updates, which is required to do inbound soft reconfiguration. Outbound BGP soft reconfiguration does not require inbound soft reconfiguration to be enabled.
Example of Soft-Reconfiguration of a BGP Neighbor
The example enables inbound soft reconfiguration for the neighbor 10.108.1.1.
In the Dell Networking OS, MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group. The default is IPv4 Unicast routes. When you configure a peer to support IPv4 multicast, the system takes the following actions:
• Send a capacity advertisement to the peer in the BGP Open message specifying IPv4 multicast as a supported AFI/SAFI (Subsequent Address Family Identifier).
debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
• View information about BGP notifications received from or sent to neighbors.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out]
• View information about BGP updates and filter by prefix name.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name]
• Enable soft-reconfiguration debug.
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known attribute
Notification History
'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0
'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:26:02 ago
ffffffff ffffffff ffffffff ffffffff 00160303 03010000
Last notifi
ffffffff ffffffff ffffffff ffffffff 00290104 000100b4 14141401 0c020a01 04000100 01020080 00000000
PDU[2] : len 19, captured 00:34:51 ago
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[3] : len 19, captured 00:34:50 ago
ffffffff ffffffff ffffffff ffffffff 00130400
PDU[4] : len 19, captured 00:34:20 ago
ffffffff ffffffff ffffffff ffffffff 00130400
[. . .]
With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs.
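Decoding the captured PDU and notification hex dumps shown in the show output on this page, which is useful when reviewing why a session reset. This is an added example, not Dell code: the message layout follows RFC 4271 and the capability encoding RFC 5492, the function names are made up for illustration, and the capability names are the ones printed in the show ip bgp neighbors output.

```python
import ipaddress
import struct

MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}
CAPABILITIES = {1: "MULTIPROTO_EXT", 2: "ROUTE_REFRESH", 128: "CISCO_ROUTE_REFRESH"}


def _capabilities(params: bytes) -> list:
    """Walk the OPEN optional parameters and list the capabilities offered."""
    caps, i = [], 0
    while i + 2 <= len(params):
        ptype, plen = params[i], params[i + 1]
        value = params[i + 2:i + 2 + plen]
        if len(value) != plen:
            raise ValueError("optional parameter runs past the OPEN message")
        if ptype == 2:                               # parameter type 2 = Capabilities
            j = 0
            while j + 2 <= len(value):
                code, clen = value[j], value[j + 1]
                if j + 2 + clen > len(value):
                    raise ValueError("capability runs past its parameter")
                caps.append(CAPABILITIES.get(code, f"cap-{code}"))
                j += 2 + clen
        i += 2 + plen
    return caps


def decode_pdu(hexdump: str) -> dict:
    """Decode one BGP message from a space-separated hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 19:
        raise ValueError("dump is shorter than the 19-byte BGP header")
    if raw[:16] != b"\xff" * 16:
        raise ValueError("marker is not all ones")
    length, mtype = struct.unpack("!HB", raw[16:19])
    if not 19 <= length <= 4096 or length > len(raw):
        raise ValueError(f"header length {length} does not fit the dump")
    body = raw[19:length]                            # drops the dump's zero padding
    msg = {"type": MSG_TYPES.get(mtype, f"unknown({mtype})"), "length": length}
    if mtype == 1:
        if len(body) < 10:
            raise ValueError("OPEN message too short")
        version, my_as, hold, bgp_id, opt_len = struct.unpack("!BHH4sB", body[:10])
        if len(body) - 10 != opt_len:
            raise ValueError("optional parameter length does not match the message")
        msg.update(version=version, my_as=my_as, hold_time=hold,
                   bgp_id=str(ipaddress.IPv4Address(bgp_id)),
                   capabilities=_capabilities(body[10:]))
    elif mtype == 3:
        if len(body) < 2:
            raise ValueError("NOTIFICATION message too short")
        msg.update(error=ERROR_CODES.get(body[0], f"code-{body[0]}"),
                   subcode=body[1], data=body[2:].hex())
    elif mtype == 4 and body:
        raise ValueError("KEEPALIVE must be exactly 19 bytes")
    return msg


# Hex dumps copied from the show output on this page
SAMPLES = [
    "ffffffff ffffffff ffffffff ffffffff 00290104 000100b4 14141401 0c020a01 04000100 01020080 00000000",
    "ffffffff ffffffff ffffffff ffffffff 00130400",
    "ffffffff ffffffff ffffffff ffffffff 00160303 03010000",
    "ffffffff ffffffff ffffffff ffffffff 00150306 00000000",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_pdu(sample))
```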
The following illustration shows the configurations described on the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peers groups with each other.
Figure 25. Sample Configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 192.168.128.3 remote 100
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
network 192.168.128.0/24
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.
router bgp 99
bgp router-id 192.168.128.2
network 192.168.128.0/24
bgp graceful-restart
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.3 update-source Loopback 0
neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.
network 192.168.128.0/24
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 update-source Loopback 0
neighbor 192.168.128.1 no shutdown
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
Hold time is 180, keepalive interval is 60 seconds
Received 23 messages, 0 in queue
2 opens, 0 notifications, 2 updates
19 keepalives, 0 route refresh requests
Sent 24 messages, 0 in queue
2 opens, 1 notifications, 2 updates
19 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 5 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised t
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
network 192.168.128.0/24
neighbor AAA peer-group
neighbor AAA no shutdown
neighbor BBB peer-group
neighbor BBB no shutdown
neighbor 192.168.128.1 remote-as 99
neighbor 192.168.128.1 peer-group CCC
neighbor 192.
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
192.168.128.1 99 93 192.168.128.
Last notification (len 21) received 00:12:01 ago
  ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.2, Local port: 65464
Foreign host: 192.168.128.1, Foreign port: 179

BGP neighbor is 192.168.128.3, remote AS 100, external link
  Member of peer-group BBB for session parameters
  BGP version 4, remote router ID 192.168.128.
9 Content Addressable Memory (CAM)

CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
EcfmAcl  : 0
Openflow : 0

-- linecard 1 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 5
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0

-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 5
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0

The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10).
Test CAM Usage

The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0

-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 6
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0

View CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command from EXEC Privilege mode.
l2-ipv4-inacl    Enable CAM profile with 32K L2 and 28K IPv4 ingress ACL
unified-default  Enable default unified CAM profile
Dell(conf)#cam-profile default microcode ?
default          Enable default microcode
lag-hash-align   Enable microcode with LAG hash align
lag-hash-mpls    Enable microcode with LAG hash MPLS
Dell(conf)#cam-profile default microcode default
Dell(conf)#cam-ipv4flow ?
default          Reset IPv4flow CAM entries to default setting
multicast-fib    Set multicast FIB entries
Dell(conf)#cam-l2acl ?
default          Reset L2-ACL
Table 10.
10 Control Plane Policing (CoPP)

Control plane policing (CoPP) protects the switch’s routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
• Queues 7 to 13 process packets destined to the Route Processor CPU.
• Queues 14 to 20 process packets destined to the line-card CPU.
15  LP/LM  —  1  100
16  LP/LM  Trace Flow, Station Move, Source Miss  1200  100
17  LP/LM  BFD, ACL LOGGING  1200  1000
18  LP/LM  —  7000  1000
19  LP/LM  FRRP, Hyperpull  800  7000
20  LP/LM  LP/LM SFLOW  5000  1000

NOTE: In the line-card CPU, some queues have no protocol traffic mapped to them. These rows appear blank in the preceding table.

CoPP Example

The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch.
The following illustration shows the difference between using CoPP and not using CoPP on a switch.

Figure 27. CoPP Versus Non-CoPP Operation

Configure Control Plane Policing

You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic.

Configuring CoPP for Protocols

This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic.
  CONFIGURATION mode
  mac access-list extended name cpu-qos
  permit {arp | frrp | gvrp | isis | lacp | lldp | stp}

2 Create a Layer 3 extended ACL for specified protocol traffic.
  CONFIGURATION mode
  ip access-list extended name cpu-qos
  permit {bgp | dhcp | dhcp-relay | ftp | icmp | igmp | msdp | ntp | ospf | pim | rip | ssh | telnet | vrrp}

3 Create an IPv6 ACL for specified protocol traffic.
Dell(conf-ipv6-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-vrrp cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit vrrp
Dell(conf-ipv6-acl-cpuqos)#exit

Example of Creating a QoS Rate-Limiting Input Policy

Dell(conf)#qos-policy-in rate_limit_200k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#qos-policy-in rate_limit_400k cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 400 50 peak 600 50
Dell(conf-in-qos-policy-cpuqos)#exit
Dell(conf)#q
  rate-police [rate-kbps] [burst-kbytes] peak [rate-kbps] [burst-kbytes]

2 Create an input policy-map to assign the QoS rate-limit policy to a control-plane queue.
  CONFIGURATION mode
  policy-map-input name cpu-qos
  service-queue queue-number qos-policy name

  On the switch, the range of queue-number values is from 0 to 20.
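The per-queue steps above, as an added example that is not part of the Dell guide: a Python audit of CoPP configuration text written in the command forms this chapter shows. The sample configuration, its policy names and the peak-versus-committed sanity check are constructed for illustration; the queue ranges (0 to 6 Control Processor, 7 to 13 Route Processor, 14 to 20 line-card CPU) are the ones this chapter states.

```python
import re

# Constructed sample, using the qos-policy-in / rate-police / policy-map-input /
# service-queue forms from this chapter. Three entries are deliberately wrong.
SAMPLE_CONFIG = """\
qos-policy-in rate_limit_200k cpu-qos
 rate-police 200 40 peak 500 40
qos-policy-in rate_limit_400k cpu-qos
 rate-police 400 50 peak 600 50
qos-policy-in rate_limit_bad cpu-qos
 rate-police 800 40 peak 500 40
policy-map-input CoPP_queues cpu-qos
 service-queue 2 qos-policy rate_limit_200k
 service-queue 9 qos-policy rate_limit_400k
 service-queue 17 qos-policy rate_limit_bad
 service-queue 21 qos-policy rate_limit_200k
 service-queue 5 qos-policy rate_limit_missing
"""

POLICY_RE = re.compile(r"^qos-policy-in\s+(\S+)\s+cpu-qos$")
# Only the fully specified rate-police form used in the chapter's examples.
RATE_RE = re.compile(r"^rate-police\s+(\d+)\s+(\d+)\s+peak\s+(\d+)\s+(\d+)$")
MAP_RE = re.compile(r"^policy-map-input\s+(\S+)\s+cpu-qos$")
QUEUE_RE = re.compile(r"^service-queue\s+(\d+)\s+qos-policy\s+(\S+)$")


def cpu_for_queue(queue):
    """Map a control-plane queue number to the CPU that services it."""
    if 0 <= queue <= 6:
        return "CP"   # Control Processor
    if 7 <= queue <= 13:
        return "RP"   # Route Processor
    if 14 <= queue <= 20:
        return "LP"   # line-card CPU
    return None       # outside the 0-20 range the switch accepts


def parse_copp(text):
    """Return (policies, bindings) parsed from CoPP configuration text."""
    policies = {}   # policy name -> rate dict, or None if no rate-police line
    bindings = []   # (policy-map name, queue number, qos-policy name)
    context = (None, None)
    for raw in text.splitlines():
        line = raw.strip()
        if m := POLICY_RE.match(line):
            context = ("policy", m.group(1))
            policies.setdefault(m.group(1), None)
        elif m := MAP_RE.match(line):
            context = ("map", m.group(1))
        elif (m := RATE_RE.match(line)) and context[0] == "policy":
            rate, burst, peak, peak_burst = (int(v) for v in m.groups())
            policies[context[1]] = {"rate_kbps": rate, "burst_kb": burst,
                                    "peak_kbps": peak, "peak_burst_kb": peak_burst}
        elif (m := QUEUE_RE.match(line)) and context[0] == "map":
            bindings.append((context[1], int(m.group(1)), m.group(2)))
    return policies, bindings


def audit_copp(text):
    """Return (findings, effective, default_rate_queues) for a CoPP config."""
    policies, bindings = parse_copp(text)
    findings, effective = [], {}
    for name, rates in policies.items():
        if rates is None:
            findings.append(f"policy {name}: no rate-police statement")
        elif rates["peak_kbps"] < rates["rate_kbps"]:
            # Sanity check added for this example, not a rule quoted from the guide.
            findings.append(f"policy {name}: peak {rates['peak_kbps']} kbps is "
                            f"below committed {rates['rate_kbps']} kbps")
    for pmap, queue, policy in bindings:
        cpu = cpu_for_queue(queue)
        if cpu is None:
            findings.append(f"{pmap}: service-queue {queue} is outside 0-20")
        elif policy not in policies:
            findings.append(f"{pmap}: service-queue {queue} references "
                            f"undefined policy {policy}")
        else:
            if queue in effective:
                findings.append(f"{pmap}: service-queue {queue} bound more than once")
            effective[queue] = (cpu, policy, policies[policy])
    # Queues with no explicit policy keep the system default rate limit.
    default_rate_queues = {
        cpu: [q for q in range(21) if cpu_for_queue(q) == cpu and q not in effective]
        for cpu in ("CP", "RP", "LP")
    }
    return findings, effective, default_rate_queues


if __name__ == "__main__":
    findings, effective, defaults = audit_copp(SAMPLE_CONFIG)
    for queue, (cpu, policy, rates) in sorted(effective.items()):
        print(f"Q{queue:<2} {cpu}  {policy}  {rates['rate_kbps']}/{rates['peak_kbps']} kbps")
    for finding in findings:
        print("FINDING:", finding)
    print("queues left at default rates:", defaults)
```

Compare the resulting table with the rates the switch reports from show cpu-queue rate all before relying on it.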
Displaying CoPP Configuration

The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation.

Viewing Queue Rates

To view the rates that are currently applied on each control-plane queue, use the show cpu-queue rate [all | queueid id | range from-queue to-queue] command.
Protocol  Destination Mac        EtherType  Queue        EgPort  Rate (kbps)
--------  ---------------        ---------  -----        ------  -----------
ARP       any                    0x0806     Q1/Q8/Q2/Q9  CP/RP   100
FRRP      01:01:e8:00:00:10/11   any        Q19          LP      300
LACP      01:80:c2:00:00:02      0x8809     Q13          RP      500
LLDP      any                    0x88cc     Q6           CP      500
GVRP      01:80:c2:00:00:21      any        Q12          RP      200
STP       01:80:c2:00:00:00      any        Q13          RP      150
ISIS      01:80:c2:00:00:14/15   any        Q13          RP      500
          09:00:2b:00:00:04/05   any        Q13          RP      500

Viewing IPv4 Protocol-Queue Mapping

To view the queues to which IPv4 protocol traffic is assigned, us
VLT CTRL - CP CPU        Q3      CP     2000  2000  3000  3000
VLT CTRL - CP & RP CPU   Q3/Q10  CP/RP  2000  2000  3000  3000
VLT IPM PDU              Q3/Q10  CP/RP  500   500   3000  3000
L3 LOCAL TERMINATED      Q3      CP     400   400   5000  5000
Dell#

Viewing Complete Protocol-Queue Mapping

To view the queues to which all protocol traffic is assigned, use the show protocol-queue-mapping command.
MULTICAST CATCH ALL    Q7   RP  200   200   500   500
ACL LOGGING            Q17  LP  200   200   1000  1000
L3 HEADER ERROR/TTL0   Q0   CP  200   200   500   500
IP OPTION/TTL1         Q0   CP  100   100   500   500
VLAN L3 MTU FAIL       Q0   CP  200   200   500   500
Physical L3 MTU FAIL   Q0   CP  200   200   500   500
SOURCE MISS            Q16  LP  200   200   500   500
STATION MOVE           Q16  LP  200   200   500   500
SFLOW_EGRESS           Q20  LP  5000  5000  3000  3000
SFLOW_INGRESS          Q20  LP  5000  5000  3000  3000

Troubleshooting CoPP Operation

To troubleshoot CoPP operation, use the debug commands described in this section.
Troubleshooting CPU Packet Loss

To troubleshoot the reason for CPU packet loss, you can display statistics about system flows on the central switch (aggregated CoPP) or on a specified set of switch ports by entering the show hardware system-flow [cp-switch | linecard slot-id portset port-pipe] command. The number of hits for each system flow is also displayed.
EID 0x000002fc: gid=0xa,
  slice=9, slice_idx=0x4, part =0 prio=0x2fc, flags=0x10202, Installed, Enabled
  tcam: color_indep=0,
  Stage
  InPorts
    DATA=0x0000000000000000000000000000000000000000000000000000222222222222
    MASK=0x0000000000000000000000000000000000000000000000000000222222222223
  DstMac
    Offset: 88 Width: 48
    DATA=0x00000180 c2000021
    MASK=0x0000ffff ffffffff
  action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)}
  action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)}
iSCSI FCoE SFLOW HYPERPULL OPENFLOW L2 DST HIT/BROADCAST VLT TTL1/TRACEFLOW/TTL0/STATION MOVE/TTL1 /IP OPTION/L3 MTU FAIL/SOURCE MISS v6 ICMP NS 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

Dell#show control-traffic protocol pe 0 stack-unit 0 portset 0 counters
Protocol                                          RxBytes  TxBytes  Drops
--------                                          -------  -------  -----
STP/ARP/ICMP(v4/v6)/IGMP/MLD/NTP/FTP/TELNET/SSH   0        0        0
PE CSP/PE-CB LLDP                                 26157    26157    0
LLDP/LACP/8021x                                   0        0        0
Dell#clear control-traffic protocol pe 0 stack-unit 0 portset 0 counters
Dell
v6 ICMP BGP OSPF RIP VRRP ICMP IGMP PIM MSDP BFD ON PHYSICAL PORTS BFD ON LOGICAL PORTS 802.
Viewing Per-Queue CoPP Counters

To view per-queue counters of CoPP rate-limited traffic, use the show control-traffic queue {all | queue-id queue-number} counters command. The range of queue-number values is from 0 to 20. The twenty-one control-plane queues are divided into groups of seven queues for the Route Processor, Control Processor, and line-card CPUs as follows:

• Queues 0 to 6 process packets destined to the Control Processor CPU.
11 Data Center Bridging (DCB)

Topics:
• Enabling Data Center Bridging
• Ethernet Enhancements in Data Center Bridging
• QoS dot1p Traffic Classification and Queue Assignment
• SNMP Support for PFC and Buffer Statistics Tracking
• DCB Maps and its Attributes
• Data Center Bridging: Default Configuration
• Configuration Notes: PFC and ETS in a DCB Map
• Configuring Priority-Based Flow Control
• Configuring Enhanced Transmission Selection
• Configure a DCBx Operation
• Verifying the DCB Co
dcb-map linecard 0 backplane all
dcb-map linecard all backplane all

NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.

Ethernet Enhancements in Data Center Bridging

The following section describes DCB.
• 802.1Qau — Congestion Notification
• Data Center Bridging Exchange (DCBx) protocol

NOTE: Dell Networking OS supports only the PFC, ETS, and DCBx features in data center bridging.

Priority-Based Flow Control

In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
  – PFC uses DCB MIB IEEE 802.1azd2.5 and PFC MIB IEEE 802.1bb-d2.2.
• A dynamic threshold handles intermittent traffic bursts and varies based on the number of PFC priorities contending for buffers, while a static threshold places an upper limit on the transmit time of a queue after receiving a message to pause a specified priority. PFC traffic is paused only after surpassing both static and dynamic thresholds for the priority specified for the port.
• By default, PFC is enabled when you enable DCB.
  – PFC enabled or disabled
  – No bandwidth limit or no ETS processing
• ETS uses the DCB MIB IEEE 802.1azd2.5.

Data Center Bridging Exchange Protocol (DCBx)

By default, the data center bridging exchange (DCBx) protocol is disabled; ETS is also disabled. DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices.
QoS dot1p Traffic Classification and Queue Assignment

The following section describes QoS dot1P traffic classification and assignments. DCB supports PFC, ETS, and DCBx to handle converged Ethernet traffic that is assigned to an egress queue according to the following QoS methods:

Honor dot1p
  You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
SNMP monitoring of PFC and BST counters and statistics is supported. The enhancement is made on the F10-FPSTATS MIB, with additional tables to display the PFC and BST counters and statistics. The following new tables are supported in the F10-FPSTATS MIB:

• fpEgrQBuffSnapshotTable
• fpIngPgBuffSnapshotTable
• fpStatsPerPgTable
• pfcPerPrioTable

fpEgrQBuffSnapshotTable
  This table fetches the BST statistics at Egress Port with respect to the buffer used.
Important Points to Remember

• If you remove a dot1p priority-to-priority group mapping from a DCB map (no priority pgid command), the PFC and ETS parameters revert to their default values on the interfaces on which the DCB map is applied. By default, PFC is not applied on specific 802.1p priorities; ETS assigns equal bandwidth to each 802.1p priority. As a result, PFC and lossless port queues are disabled on 802.
Step  Task  Command  Command Mode

is already configured for lossless queues (pfc no-drop queues command).

Configuring PFC without a DCB Map

In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic.

Table 16.
Table 17. Configuring Lossless Queues

Step 1  Task: Enter INTERFACE Configuration mode.
        Command: interface {tengigabitEthernet slot/port | fortygigabitEthernet slot}
        Command Mode: CONFIGURATION
        port-number is a port number from 0 to 23.
Step 2  Task: Open a DCB map and enter DCB map configuration mode.
        Command: dcb-map name
        Command Mode: INTERFACE
Step 3  Task: Disable PFC.
        Command: no pfc mode on
        Command Mode: DCB MAP
Step 4  Task: Return to interface configuration mode.
• The PFC memory buffer supports up to 2 lossless queues per port on all PFC enabled ports.
• PFC and ETS are globally enabled by default.

The default dot1p priority-queue assignments are applied as follows:

Dell(conf)#do show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue          : 1 0 2 3 4 5 6 7
Dell(conf)#
Dell(conf)#dcb enable pfc-queues ?
<1-4> Number of PFC lossless queues(default=2)

NOTE: In Egress queue assignment (8 queues).
• For PFC to be applied, the configured priority traffic must be supported by a PFC peer (as detected by DCBx).
• If you apply a DCB map with PFC disabled (pfc off), you can enable link-level flow control on the interface using the flowcontrol rx on tx on command. To delete the DCB map, first disable link-level flow control. PFC is then automatically enabled on the interface because an interface is PFC-enabled by default, when DCB is enabled.
ETS Prerequisites and Restrictions

On the switch, ETS is enabled by default on Ethernet ports with equal bandwidth assigned to each 802.1p priority, when DCB is enabled. You can change the default ETS configuration only by using a DCB map.
priority-group group-num {bandwidth bandwidth | strict-priority} [[committed | peak] bandwidth [burst-size] [peak | committed] bandwidth [burst-size]] pfc {on | off}

The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50. The range is from 0 to 10000.
NOTE: Dell Networking OS Behavior: By default, no lossless queues are configured on a port. A limit of 4 lossless queues is supported on a port. If the amount of priority traffic that you configure to be paused exceeds the 4 lossless queues, an error message displays. The pfc-dot1p priorities configured on a given interface need not be the same across the system, as long as the total number of lossless queues configured on all the ports does not exceed the maximum number of lossless queues configured globally.
Dell Networking OS Behavior: A priority group consists of 802.1p priority values that are grouped for similar bandwidth allocation and scheduling, and that share latency and loss requirements. All 802.1p priorities mapped to the same queue must be in the same priority group. Configure all 802.1p priorities in priority groups associated with an ETS output policy. You can assign each dot1p priority to only one priority group. By default, all 802.
Prerequisite: For DCBx, enable LLDP on all DCB devices.

DCBx Operation

DCBx performs the following operations:
• Discovers DCB configuration (such as PFC and ETS) in a peer device.
• Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch. Mis-configuration detection is feature-specific because some DCB features support asymmetric configuration.
  – On a DCBx port in an auto-downstream role, all PFC, application priority, ETS recommend, and ETS configuration TLVs are enabled.

Configuration source
  The port is configured to serve as a source of configuration information on the switch. Peer DCB configurations received on the port are propagated to other DCBx auto-configured ports. If the peer configuration is compatible with a port configuration, DCBx is enabled on the port.
Configuration Source Election

When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch.
• If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, DCBx marks the port as DCBx-enabled.
• The peer times out.
• Multiple peers are detected on the link.

If you configure a DCBx port to operate with a specific version (the DCBx version {cee | cin | ieee-v2.5} command in Configuring DCBx), DCBx operations are performed according to the configured version, including fast and slow transmit timers and message formats. If a DCBx frame with a different version is received, a syslog message is generated and the peer version is recorded in the peer status table.
2. Associate above class-maps to Queues
   Queue assignment to be based on the below table.

   Table 18. Queue Assignment
   Internal-priority : 0 1 2 3 4 5 6 7
   Queue             : 1 0 2 3 4 5 6 7

3. Dot1p->Queue Mapping Configuration is retained at the default value.
   Default dot1p-queue mapping is,
   Dell#show qos dot1p-queue-mapping
   Dot1p Priority : 0 1 2 3 4 5 6 7
   Queue          : 2 0 1 3 4 5 6 7

4. Interface Configurations on server connected ports.
   a Enable DCB globally.
DCBx Example

The following figure shows how to use DCBx. The device is connected to third-party, top-of-rack (ToR) switches through 40GbE or 10GbE uplinks. The ToR switches are part of a Fibre Channel storage network. The ports connected to the server with CNA are configured as auto-downstream ports.

Figure 31.
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables the advertisement of ETS Configuration TLVs.
• ets-reco: enables the advertisement of ETS Recommend TLVs.
• pfc: enables the advertisement of PFC TLVs.

The default is that all PFC and ETS TLVs are advertised.

NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco.
4 Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role.
  PROTOCOL LLDP mode
  [no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
  • ets-conf: enables transmission of ETS Configuration TLVs.
  • ets-reco: enables transmission of ETS Recommend TLVs.
  • pfc: enables transmission of PFC TLVs.

  NOTE: You can configure the transmission of more than one TLV type at a time.
DCBx Error Messages

The following syslog messages appear when an error in DCBx operation occurs.

LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command  Output

To clear PFC TLV counters, use the clear pfc counters interface port-type slot/port command.

show interface port-type slot/port pfc statistics
  Displays counters for the PFC frames received and transmitted (by dot1p priority class) on an interface. You can use the show interface pfc statistics command even without enabling DCB on the system.
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quantams
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8

Dell# show interfaces tengigabitethernet 1/4 pfc detail
Interface TenGigabitEthernet 1/4
Admin mode is on
Admin is enabled
Remote i
Fields  Description

  • Recommend: Remote PFC configuration parameters were received from peer.
  • Internally propagated: PFC configuration parameters were received from configuration source.

PFC DCBx Oper status
  Operational status for exchange of PFC configuration on local port: match (up) or mismatch (down).
Interface TenGigabitEthernet 1/3
Max Supported TC Groups is 3
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
TC-grp  Priority#  Bandwidth  TSA
------------------------------------------------
0
1       0,1,2      100%       ETS
2       3          0 %        SP
3       4,5,6,7    0 %        SP
4
5
6
7
Remote Parameters :
-------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#  Bandwidth  TSA
------------------------------------------------
0
1       0,1,2      100%       ETS
2       3          0 %        S
6          12%        ETS
7          12%        ETS
Remote Parameters:
-------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#        Bandwidth  TSA
0       0,1,2,3,4,5,6,7  100%       ETS
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS
Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkt
1                        0%         ETS
2                        0%         ETS
3                        0%         ETS
4                        0%         ETS
5                        0%         ETS
6                        0%         ETS
7                        0%         ETS
Priority#  Bandwidth  TSA
0          13%        ETS
1          13%        ETS
2          13%        ETS
3          13%        ETS
4          12%        ETS
5          12%        ETS
6          12%        ETS
7          12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

Dell#show interfaces fortyGige 0/36 ets detail
Interface fortyGigE 0/36
Max Supporte
The following table describes the show interface ets detail command fields.

Table 21. show interface ets detail Command Description

Field  Description
Interface: Interface type with stack-unit, linecard, and port number. The port type can be ten gigabit or forty gigabit.
Maximum Supported TC: Maximum number of priority groups supported.
Number of Traffic Classes: Number of 802.1p priorities currently configured.
Admin mode: ETS mode: on or off.
The following example shows the show linecard 2 port-set 0 backplane all ets details command.
Sequence Number: 1
Acknowledgment Number: 1
Protocol State: In-Sync
Peer DCBx Status:
----------------
DCBx Operational Version is 0
DCBx Max Version Supported is 0
Sequence Number: 1
Acknowledgment Number: 1
Total DCBx Frames transmitted 994
Total DCBx Frames received 646
Total DCBx Frame errors 0
Total DCBx Frames unrecognized 0

The following table describes the show interface DCBx detail command fields.

Table 22.
Field  Description
Peer DCBx Status: Acknowledgment Number: Acknowledgement number transmitted in Control TLVs received from peer device.
Total DCBx Frames transmitted: Number of DCBx frames sent from local port.
Total DCBx Frames received: Number of DCBx frames received from remote peer port.
Total DCBx Frame errors: Number of DCBx frames with errors received.
Total DCBx Frames unrecognized: Number of unrecognizable DCBx frames received.

Performing PFC Using DSCP Bits Instead of 802.
• One lossless queue is used.

Figure 32. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic

QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame  Priority Group Assignment
5                                  LAN
6                                  LAN
7                                  LAN

The following describes the priority group-bandwidth assignment.

PFC and ETS Configuration Command Examples

The following examples show PFC and ETS configuration commands to manage your data center traffic.
Priority group 3 Assigns traffic to two priority queues with 50% of the link bandwidth and strict-priority scheduling. In this example, the configured ETS bandwidth allocation and scheduler behavior is as follows: Therefore, in this example, scheduling traffic to priority group 1 (mapped to one strict-priority queue) takes precedence over scheduling traffic to priority group 3 (mapped to two strict-priority queues).
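A pre-check for the DCB map rules this chapter states, added here as an example and not taken from the Dell guide: group numbers 0 to 7, bandwidth 1 to 100%, each dot1p priority in exactly one priority group, priorities that share a queue kept in the same group, and the lossless-queue limit (default 2, at most 4). The dictionary layout, the function name validate_dcb_map, both sample maps and the shared-queue mapping are constructed for illustration.

```python
# Default assignment printed by "show qos dot1p-queue-mapping" in this chapter.
DEFAULT_DOT1P_TO_QUEUE = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}

# Constructed sample: LAN, IPC and SAN groups, with PFC on for SAN only.
GOOD_MAP = {
    0: {"priorities": [0, 1, 2, 5, 6, 7], "bandwidth": 50, "strict": False, "pfc": False},
    1: {"priorities": [4], "bandwidth": None, "strict": True, "pfc": False},
    2: {"priorities": [3], "bandwidth": 50, "strict": False, "pfc": True},
}

# Constructed sample with four mistakes, checked against a constructed
# dot1p-to-queue mapping in which priorities 0 and 1 share queue 0.
SHARED_QUEUE_MAPPING = {0: 0, 1: 0, 2: 1, 3: 2, 4: 3, 5: 4, 6: 5, 7: 6}
BAD_MAP = {
    0: {"priorities": [0, 2, 5, 6, 7], "bandwidth": 60, "strict": False, "pfc": False},
    1: {"priorities": [1, 3, 4], "bandwidth": 40, "strict": False, "pfc": True},
    2: {"priorities": [3], "bandwidth": 0, "strict": False, "pfc": True},
}


def validate_dcb_map(groups, dot1p_to_queue=None, max_lossless_queues=2):
    """Return (problems, lossless_queues) for a priority-group layout."""
    dot1p_to_queue = dot1p_to_queue or DEFAULT_DOT1P_TO_QUEUE
    problems = []
    if not 1 <= max_lossless_queues <= 4:
        problems.append("pfc-queues value must be between 1 and 4")

    owner = {}  # dot1p priority -> priority group that first claimed it
    for gid, grp in sorted(groups.items()):
        if not 0 <= gid <= 7:
            problems.append(f"priority-group {gid}: group number outside 0-7")
        if not grp["strict"] and not 1 <= (grp["bandwidth"] or 0) <= 100:
            problems.append(f"priority-group {gid}: bandwidth must be 1-100%")
        for prio in grp["priorities"]:
            if not 0 <= prio <= 7:
                problems.append(f"priority-group {gid}: dot1p {prio} outside 0-7")
            elif prio in owner:
                problems.append(f"dot1p {prio}: assigned to groups {owner[prio]} and {gid}")
            else:
                owner[prio] = gid

    missing = [p for p in range(8) if p not in owner]
    if missing:
        problems.append(f"dot1p priorities not in any priority group: {missing}")

    # Priorities that land in the same egress queue must share a priority group.
    groups_by_queue = {}
    for prio, gid in owner.items():
        groups_by_queue.setdefault(dot1p_to_queue[prio], set()).add(gid)
    for queue, gids in sorted(groups_by_queue.items()):
        if len(gids) > 1:
            problems.append(f"queue {queue}: carries priorities from groups {sorted(gids)}")

    # Every queue that carries a PFC-enabled priority consumes a lossless queue.
    lossless = sorted({dot1p_to_queue[p] for p, g in owner.items() if groups[g]["pfc"]})
    if len(lossless) > max_lossless_queues:
        problems.append(f"{len(lossless)} lossless queues {lossless} exceed the "
                        f"limit of {max_lossless_queues}")
    return problems, lossless


if __name__ == "__main__":
    for label, dcb_map, mapping in (("good", GOOD_MAP, None),
                                    ("bad", BAD_MAP, SHARED_QUEUE_MAPPING)):
        problems, lossless = validate_dcb_map(dcb_map, mapping)
        print(label, "lossless queues:", lossless)
        for problem in problems:
            print("  PROBLEM:", problem)
```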
Buffer Sizes for Lossless or PFC Packets

You can configure up to a maximum of 4 lossless (PFC) queues. By configuring 4 lossless queues, you can configure 4 different priorities and assign a particular priority to each application that your network is used to process. For example, you can assign a higher priority for time-sensitive applications and a lower priority for other services, such as file transfers.
  CONFIGURATION mode
  dcb-buffer-threshold dcb-buffer-threshold

5 DCB-BUFFER-THRESHOLD mode
  priority 0 buffer-size 52 pause-threshold 16 resume-offset 10 shared-threshold-weight 7

6 Assign the DCB policy to the DCB buffer threshold profile on the backplane.
  CONFIGURATION mode
  dcb-policy buffer-threshold linecard {linecard-number | all} port-set {port-pipe | all} backplane all dcb-policy-name

7 Assign the DCB policy to the DCB buffer threshold profile on interfaces.
12 Debugging and Diagnostics

This chapter describes the debugging and diagnostics tasks you can perform on the switch.
• where pe-id is a port-extender group ID number from 0 to 255
• stack-unit unit-number is a PE stack-unit number from 0 to 7

Dell#diag pe 0 stack-unit 0

A warning is displayed with a CLI prompt asking you to click Yes or No.

Dell#diag pe 0 stack-unit 0 level0 ?
Warning - PE-Unit 0 at PEID 0 will go offline to run the diagnostics. Offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
to shut directly connected ports
Proceed with PE diag [confirm yes/no]:yes
Dell#
Jul 30 12:59:39: %RPM0-P:CP %BRM-5-PE_UNIT_DOWN: PE:255 Unit:2 Unit MAC:f8:b1:56:00:02:d1 is operationally down.
001 - FAN Controller Get Speed Test ................................ PASS
fanControllerSpeedGet ....................................... PASS
fanStatusMonitor ............................................ PASS
flashAccess ................................................. PASS
gpioAccess .................................................. PASS
hotswapControllerAccess ..................................... PASS
macAccess ................................................... PASS
Starting test: oneGAccess ......
032 - One Gig PHY Access Test ...................................... PASS
033 - One Gig PHY Access Test ...................................... PASS
034 - One Gig PHY Access Test ...................................... PASS
035 - One Gig PHY Access Test ...................................... PASS
036 - One Gig PHY Access Test ...................................... PASS
037 - One Gig PHY Access Test ...................................... PASS
038 - One Gig PHY Access Test ......................................
psuStatusMonitor ............................................ PASS
psuTemp ..................................................... PASS
rtcPresence ................................................. PASS
sfpPlusEepromAccess ......................................... PASS
Starting test: sfpPlusPresence ......
000 - SFP+ Presence Test ........................................... PASS
001 - SFP+ Presence Test ........................................... PASS
sfpPlusPresence ..........................................
LEVEL 2 DIAGNOSTIC
snakeOneGMac ................................................
snakeOneGPhy ................................................
snakeSfpPlusMac .............................................
snakeSfpPlusPhy .............................................
snakeStackMac ...............................................
snakeStackPhy ...............................................
  EXEC Privilege mode
  offline system
  offline linecard linecard_number

  The following message displays.

  Warning - offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics. The "reload" command is required for normal operation after the offline command is issued.
  Proceed with Offline [confirm yes/no]:

  NOTE: You cannot enter this command in the standby unit.

3 Confirm offline status.
The following example verifies the offline/online status of a switch.

Dell#show chassis brief
Chassis Type : C9010
Chassis Mode : 1.
Apr 26 Apr 26 2d3h4m 2d3h4m Apr 26 2d3h4m Apr 26 2d3h4m 2d3h7m Apr 26 2d3h7m 22:33:07: %RPM0-P:CP %IPC-2-STATUS: target line card 10 not responding 22:33:07: %RPM0-P:CP %CHMGR-2-LINECARD_DOWN: Major alarm: linecard 10 down - IPC timeout : Diagnostic test results are stored on file: flash:/TestReport-LP-5.txt : Diagnostic test results are stored on file: flash:/TestReport-LP-4.
LEVEL 0 DIAGNOSTIC
Starting test: bcm56854AccessTest ......
+ Access Test for unit 0 : PASSED
bcm56854AccessTest .......................................... PASS
biosVerGetTest .............................................. PASS
boardRevisionTest ........................................... PASS
cpldAccessTest .............................................. PASS
Starting test: CpuGbeLinkStatusTest ......
+ GbE1 Link Status UP
+ GbE2 Link Status DOWN
CpuGbeLinkStatusTest ........................................
average current temperature is 50.7
maximum peak temperature is 89.4
spiFlashAccessTest ..........................................
Starting test: udfLinkStatus ......
ERROR: Unit 0 xe port 26 is DOWN
udfLinkStatus ...............................................
xeLinkSpeedTest .............................................
Starting test: xeLinkStatusTest ......
Iteration 24 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 25 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 26 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 27 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 28 - File System Check passed
/dev/rwd0k: 3 files, 20398 free (10199 clusters)
Iteration 29 - File System Check passed
/dev/rwd0k: 3 files, 20398
Stop reason : after completion
------ Failed tests (level, times) ------
CpuGbeLinkStatusTest (0, 1)
hgLinkStatusTest (0, 1)
i2cTest (0, 1)
opticEepromTest (0, 1)
opticPresenceTest (0, 1)
udfLinkStatus (0, 1)
xeLinkStatusTest (0, 1)
ipcTrafficTest (2, 1)

Example of a Test Log for Control Processor

Dell#show file flash://TestReport-CP-unit.
LM Slot6 Not Present
LM Slot7 Not Present
LM Slot8 Not Present
LM Slot9 Not Present
Peer RPM Not Present
lmPresenceTest ..............................................
Starting test: masterSlaveTest ......RPM is Master
masterSlaveTest .............................................
Starting test: mgmtLinkStatusTest ......
+ GbE0 Link Status UP
mgmtLinkStatusTest ..........................................
mgmtPhyAccessTest ...........................................
Starting test: pcieScanTest ......
Starting test: udfAccessTest ...... + Access Test for unit 0 : PASSED udfAccessTest ............................................... PASS Starting test: usbTest ...... -USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED usbTest ..................................................... FAIL LEVEL 1 DIAGNOSTIC cpldRWTest .................................................. PASS extCPLDRWTest ............................................... PASS fanCntrlAccessTest .........................................
psuEepromAccessTest ......................................... rtcTest ..................................................... sataSsdTest ................................................. Starting test: ssdFlashFileSystemStressTest ......
Iteration 34 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 35 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 36 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 37 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 38 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 39 - File System Check passed /dev/rwd0k: 3 files, 20398
psuFanSpeedTest (0, 1)
psuFanStatusTest (0, 1)
psuPresenceTest (0, 1)
psuShowTempTest (0, 1)
psuStatusTest (0, 1)
psuVoltageTest (0, 1)
usbTest (0, 1)
fanCntrlSpeedTest (1, 1)
i2cTest (1, 1)
psuEepromAccessTest (1, 1)
udfLinkStatusTest (1, 1)
usbTest (1, 1)
ipcPingTrafficTest (2, 1)
The following example shows the show diag linecard detail command.
ERROR: Unit 0 hg port 31 is DOWN ERROR: Unit 0 hg port 32 is DOWN hgLinkStatusTest ............................................ FAIL Starting test: i2cTest ......
opticPhyTest ................................................ rtcTest ..................................................... sataSsdTest ................................................. Starting test: ssdFlashFileSystemStressTest ......
Iteration 34 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 35 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 36 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 37 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 38 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 39 - File System Check passed /dev/rwd0k: 3 files, 20398
Board: C9010 Dell Networking ================================================= CP unit is currently offline. CP unit alllevels diag issued at Sun Apr 26, 2015 10:32:01 PM. Current diag status : Card diags are done. Duration of execution (Total) : 4 min 0 sec. Diagnostic test results located: flash:/TestReport-CP-unit.
LM Slot8 Not Present LM Slot9 Not Present Peer RPM Not Present lmPresenceTest .............................................. Starting test: masterSlaveTest ......RPM is Master masterSlaveTest ............................................. Starting test: mgmtLinkStatusTest ...... + GbE0 Link Status UP mgmtLinkStatusTest .......................................... mgmtPhyAccessTest ........................................... Starting test: pcieScanTest ...... 21 PCI devices installed out of 21 pcieScanTest ....
udfAccessTest ............................................... PASS Starting test: usbTest ...... -USB "/dev/rsd0d" is not plugged/mounted/formatted; test SKIPPED usbTest ..................................................... FAIL LEVEL 1 DIAGNOSTIC cpldRWTest .................................................. PASS extCPLDRWTest ............................................... PASS fanCntrlAccessTest .......................................... PASS Starting test: fanCntrlSpeedTest ......
sataSsdTest ................................................. PASS Starting test: ssdFlashFileSystemStressTest ......
Iteration 35 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 36 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 37 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 38 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 39 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 40 - File System Check passed /dev/rwd0k: 3 files, 20398
psuPresenceTest (0, 1)
psuShowTempTest (0, 1)
psuStatusTest (0, 1)
psuVoltageTest (0, 1)
usbTest (0, 1)
fanCntrlSpeedTest (1, 1)
i2cTest (1, 1)
psuEepromAccessTest (1, 1)
udfLinkStatusTest (1, 1)
usbTest (1, 1)
ipcPingTrafficTest (2, 1)
TRACE Logs
In addition to the syslog buffer, the system buffers trace messages, which various software tasks write continuously to report hardware and software events and status information.
Last Restart Reason If a switch restarted for some reason (automatically or manually), the show rpm slot-id and show linecard slot-id command outputs include the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes. Table 23. RPM Restart Causes and Reasons Causes Displayed Reasons Power cycle of the chassis normal power-cycle Reload normal power-cycle Table 24.
• Display input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
show hardware party-bus {port { slot-id} | all} statistics
• Display the ingress and egress internal packet-drop counters, MAC drop counters, and FP packet drops for the line card on a per port basis.
show hardware linecard slot-id drops unit unit-number port {port-number}
• Use the command output to troubleshoot a line card and port-pipe unit that may experience internal drops.
show hardware {cp | linecard slot-id} bp-link-state
show hg-link-bundle-distribution {cp | linecard slot-id} npuUnit unit-number hg-port-channel channel-num
Troubleshoot a flap or fault condition on a HiGig backplane link by displaying the internal ports that are mapped to backplane links for control or data traffic and the status of backplane links. In the show hardware bp-link-state command output, 1 indicates that a backplane link is up; 0 indicates that a link is down.
To display information of hardware components of control bridge only, use the show environment all command. Dell#show environment all Display Power Supply Status To monitor the operational status of a power supply, use the show environment pem command. Use the command output to verify the operation of installed power supplies. The current operational status (up or down), power supply type, fan status and speed, and power usage are displayed.
0 2 up up 5256 up 5292 Speed in RPM Display Transceiver Type To monitor the types of transceivers installed in switch ports, use the show inventory media command.
QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP QSFP 168 168 168 168 168 168 168 168 168 168 168 168 168 168 168 168 168 Connector = 0x07 Transceiver Code = 0x02 0x00 0x00 0x00 0x00 0x00 0x00 0x00 Encoding = 0x05 Length(SFM) Km = 0x0a Length(OM3) 2m = 0x00 Length(OM2) 1m = 0x00 Length(OM1) 1m = 0x00 Length(Copper) 1m = 0x00 Vendor Rev = X Laser Wavelength = 1301.
--------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown linecard0 78 99 84 105 110 --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown RPM0 35 40 43 48 NA --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown PEid100/Stack0 60 65 72 75 105 Dell# NOTE: When the threshold is met, the system shuts down.
Example of Displaying Temperature threshold Values for Linecards and RPM Dell#show alarm threshold -- Temperature Limits (deg C) ---------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown linecard0 78 99 84 105 110 --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown RPM0 35 40 43 48 NA --------------------------------------------------------------------------Minor Off Minor Major Off Major
The following examples display over-temperature event messages. Note that although the minimum speed for system fans is 40% of full speed, the corresponding power-supply fan speed is 60% of full speed.
Displaying Drop Counters To display drop counters, use the show hardware linecard drops commands. • Identify the line card, port pipe, and port that is experiencing internal drops. • show hardware linecard {0–2} drops [unit {0–3} [port {1–104}]] Display drop counters.
To display input and output statistics on the party bus, which carries inter-process communication traffic between CPUs use the show hardware party-bus port {{0-7}|all} statistics command.
tx_excess_cols = 0 tx_deferred = 0 tx_discarded = 0 Party Bus Receive Counters for port 0: Rx Octets = 251640594 Rx Undersize Packets = 0 Rx Oversize Packets = 0 Rx Pause Packets = 0 Rx 64 Octet Packets = 122688 Rx 65to127octets Packets = 246245 Rx 128to255octets Packets = 441 Rx 256to511octets Packets = 3816 Rx 512to1023octets Packets = 3247 Rx 1024toMaxoctets Packets = 150599 Rx Jabbers = 0 Rx align errors = 0 Rx fcs errors = 0 Rx good octets = 251640594 Rx Drop pkts = 0 Rx Unicast Packets = 333370 Rx Mul
Accessing Application Core Dumps Core dumps for an application crash are enabled by default. On the system, core dumps are generated and stored in the local flash of the system’s Control Processor CPU. To access an application core-dump file, you must perform an FTP to the Control Processor CPU flash directory where the application core dump is stored in the following formats: • An application core dump generated from CP of the RPM: f10Ch_rpm<0/1>_cp__.acore.
• Kernel mini core dump from RP CPU: f10Ch_rpm<0/1>_rp_.kcore.mini.txt
• Kernel mini core dump from LP CPU: f10Ch_lp_.kcore.mini.txt
• The Kernel mini core dump generated from the LM: f10Ch_lp_.kcore.mini.txt
The panic string contains key information regarding the crash. Several panic string types exist, and they are displayed in regular English text to enable easier understanding of the crash cause.
The tcpdump command has a finite run process. When you enable the command, it runs until the capture-duration timer and/or the packet-count counter threshold is met. If you do not set a threshold, the system uses a default of a 5-minute capture duration and/or a single 1k file as the stopping point for the dump. You can use the capture-duration timer and the packet-count counter at the same time. The TCP dump stops when the first of the thresholds is met.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
The following table lists common DHCP options.
Option Number and Description
Subnet Mask: Option 1. Specifies the client’s subnet mask.
Router: Option 3. Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server: Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name: Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database. End Option 255 Signals the last option in the DHCP packet. Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers.
DHCPNAK A server sends this message to the client if it is not able to fulfill a DHCPREQUEST; for example, if the requested address is already in use. In this case, the client starts the configuration process over by sending a DHCPDISCOVER. Figure 34. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046.
Table 25. DHCP Server Responsibilities DHCP Server Responsibility Description Address Storage and Management DHCP servers are the owners of the addresses used by DHCP clients. The server stores the addresses and manages their use, keeping track of which addresses have been allocated and which are still available. Configuration Parameter Storage and Management DHCP servers also store and maintain other parameters that are sent to clients when requested.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell system to be a DHCP server is a three-step process: 1. Configuring the Server for Automatic Address Allocation 2. Specifying a Default Gateway 3. Enable the system to be a DHCP server (no disable command).
Configure a Method of Hostname Resolution Dell Networking systems are capable of providing DHCP clients with parameters for two methods of hostname resolution— using DNS or NetBIOS WINS. Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1 Create a domain. DHCP Mode domain-name name 2 Specify in order of preference the DNS servers that are available to a DHCP client.
host address 3 Specify the client hardware address. DHCP hardware-address hardware-address type • hardware-address: the client MAC address. • type: the protocol of the hardware platform. The default protocol is Ethernet. Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server.
NOTE: DHCP Relay is not available on Layer 2 interfaces and VLANs. Figure 35. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to: • track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks. • associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent. • assign IP addresses according to the relay agent.
• DHCP Snooping is supported only for spanned VLANs. • Source address validation is not supported for VPLAG interfaces on VLT. • Port Extender does not support DHCP server. Prerequisites for DHCP Snooping • DHCP Snooping should be enabled globally on both VLT peers. • The same Remote ID string and Remote ID host name should be configured on both VLT peers. • To enable DHCP Secondary subnet feature in VLT, ensure that the secondary IP address subnet is the same in both VLT peers.
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
• Display the contents of the binding table.
EXEC Privilege mode
show ip dhcp snooping
Example of the show ip dhcp snooping Command
View the DHCP snooping statistics with the show ip dhcp snooping command.
Dell#show ip dhcp snooping
IP DHCP Snooping : Enabled.
IP DHCP Snooping Mac Verification : Disabled.
IP DHCP Relay Information-option : Disabled.
IP DHCP Relay Trust Downstream :
Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
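The check described above can be illustrated in Python. This is an added example, not Dell Networking OS code: it parses an ARP frame and forwards it only when the sender IP and MAC match a binding for the ingress VLAN. The binding-table layout, the function names and every address are assumptions constructed for the illustration.

```python
import struct

ARP_ETHERTYPE = 0x0806

# Constructed DHCP snooping bindings: (VLAN, client IP) -> client MAC.
# The layout and all values are assumptions made for this example.
BINDINGS = {
    (10, "10.0.0.1"): "02:00:00:00:00:01",   # gateway
    (10, "10.0.0.50"): "02:00:00:00:00:50",  # DHCP client
}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build an untagged Ethernet frame carrying an ARP reply (sample input only)."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    spa = bytes(int(p) for p in sender_ip.split("."))
    tpa = bytes(int(p) for p in target_ip.split("."))
    eth = tha + sha + struct.pack("!H", ARP_ETHERTYPE)
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, oper=2 (reply)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame):
    """Extract the ARP sender fields; raise ValueError on anything unexpected."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ARP_ETHERTYPE:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {
        "oper": oper,
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
    }


def inspect_arp(frame, vlan, bindings=BINDINGS):
    """Return (forward, reason). Requests and replies are checked the same way,
    so a reply that answers no request gets no special treatment."""
    try:
        arp = parse_arp(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    bound_mac = bindings.get((vlan, arp["sender_ip"]))
    if bound_mac is None:
        return False, "no binding for sender IP in this VLAN"
    if bound_mac != arp["sender_mac"]:
        return False, "sender MAC does not match binding"
    return True, "sender IP/MAC match binding"


if __name__ == "__main__":
    # Constructed frames: a reply from the bound client, and a reply that
    # claims the gateway IP from a MAC that has no such binding.
    legit = build_arp_reply("02:00:00:00:00:50", "10.0.0.50",
                            "02:00:00:00:00:01", "10.0.0.1")
    forged = build_arp_reply("02:00:00:00:00:66", "10.0.0.1",
                             "02:00:00:00:00:50", "10.0.0.50")
    print(inspect_arp(legit, 10))
    print(inspect_arp(forged, 10))
```

Statically addressed hosts have no DHCP binding, so in this model their ARP frames are dropped unless an entry is added for them.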
Configuring Dynamic ARP Inspection To enable dynamic ARP inspection, use the following commands. 1 Enable DHCP snooping. 2 Validate ARP frames against the DHCP snooping binding table. INTERFACE VLAN mode arp inspection Examples of Viewing the ARP Information To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV). Table 26. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. The system ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
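The comparison that DHCP MAC SAV performs can be sketched in Python. This is an added example, not Dell Networking OS code: it extracts CHADDR from the BOOTP header of a client DHCP packet and compares it with the Ethernet source MAC, only on snooped VLANs. The VLAN set, function names and addresses are constructed assumptions; IP fragments and checksums are not handled.

```python
import struct

SNOOPED_VLANS = {10, 20}      # assumption: VLANs with DHCP snooping enabled
BOOTP_FIXED_LEN = 236         # fixed BOOTP header length, before the options
CHADDR_OFFSET = 28            # offset of CHADDR inside the BOOTP header


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_dhcp_discover(src_mac, chaddr):
    """Build an untagged Ethernet/IPv4/UDP DHCPDISCOVER (sample input only)."""
    bootp = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,            # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops
        0x12345678, 0, 0x8000, # xid, secs, flags (broadcast)
        b"", b"", b"", b"",    # ciaddr, yiaddr, siaddr, giaddr (zero-padded)
        mac_bytes(chaddr), b"", b"",
    )
    options = b"\x63\x82\x53\x63" + b"\x35\x01\x01" + b"\xff"  # cookie, type, end
    payload = bootp + options
    udp = struct.pack("!HHHH", 68, 67, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload),
                     0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    eth = b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + udp + payload


def extract_chaddr(frame):
    """Return (source MAC, CHADDR) for a client DHCP packet, else None."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14] >> 4 != 4 or ihl < 20 or frame[14 + 9] != 17:
        return None                      # not IPv4/UDP
    udp_off = 14 + ihl
    if len(frame) < udp_off + 8 + BOOTP_FIXED_LEN:
        return None                      # truncated BOOTP header
    _sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if dport != 67:
        return None                      # not addressed to a DHCP server
    bootp = frame[udp_off + 8:]
    hlen = bootp[2]
    if bootp[1] != 1 or hlen != 6:
        return None                      # only Ethernet hardware addresses
    return frame[6:12], bootp[CHADDR_OFFSET:CHADDR_OFFSET + hlen]


def dhcp_mac_sav(frame, vlan, snooped_vlans=SNOOPED_VLANS):
    """Return 'forward' or 'drop' for one ingress frame."""
    if vlan not in snooped_vlans:
        return "forward"                 # the check applies to snooped VLANs only
    fields = extract_chaddr(frame)
    if fields is None:
        return "forward"                 # not a client DHCP packet
    src_mac, chaddr = fields
    return "forward" if src_mac == chaddr else "drop"


if __name__ == "__main__":
    good = build_dhcp_discover("02:00:00:00:00:50", "02:00:00:00:00:50")
    bad = build_dhcp_discover("02:00:00:00:00:50", "02:00:00:00:00:99")
    print(dhcp_mac_sav(good, 10), dhcp_mac_sav(bad, 10), dhcp_mac_sav(bad, 30))
```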
Total cam count 2 deny vlan 10 count (0 packets) deny vlan 20 count (0 packets) The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
14 Equal Cost Multi-Path (ECMP) Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
• Specify the hash algorithm seed. CONFIGURATION mode. hash-algorithm seed value [linecard slot-id] [port-set number] The range is from 0 to 4095. Link Bundle Monitoring Link bundle monitoring allows the system to monitor the use of multiple links for an uneven distribution. A global default threshold of 60% is the usage percentage for the bundle; when the system reaches this threshold, it begins monitoring the configured ECMP groups for uneven distribution.
Creating an ECMP Group Bundle Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link bundle (as opposed to a single link within the bundle) exceeds 60%. 1 Create a user-defined ECMP group bundle. CONFIGURATION mode ecmp-group ecmp-group-id The range is from 1 to 64. 2 Add interfaces to the ECMP group bundle.
BGP Multipath Operation with Link Bandwidth BGP Link Bandwidth (LB) is a way to tell BGP to load-share in an unequal or weighted fashion. LB is an optional, non-transitive Extended Community that indicates the cost of the (external) link in bytes per second. LB is similar to the MED attribute and cannot extend beyond the neighboring AS. The following network diagram depicts a scenario where a 10Gbps link connects the routers R2 and R4 and a 40Gbps link connects the routers R3 and R5: Figure 36.
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 no shutdown
neighbor 4.4.4.2 remote-as 2
neighbor 4.4.4.2 dmzlink-bw
neighbor 4.4.4.2 no shutdown
neighbor 5.5.5.2 remote-as 2
neighbor 5.5.5.2 dmzlink-bw
neighbor 5.5.5.2 no shutdown
R3#
interface tengigabitethernet 1/1
ip address 1.1.1.3/24
no shutdown
interface fortyGigE 1/48
ip address 3.3.3.1/24
no shut
router bgp 1
maximum-paths ebgp 2
bgp dmzlink-bw
neighbor 1.1.1.1 remote-as 1
neighbor 1.1.1.1 no shutdown
neighbor 3.3.3.2 remote-as 2
neighbor 3.3.3.
Weighted ECMP for Static Routes Dell Networking OS also supports Weighted ECMP for static routes. You can configure weights corresponding to the paths for a static destination. If all configured paths have weights, traffic distribution is performed using the Weighted ECMP method, with the RTM passing these weights to the FIB. If all configured paths do not have weights, regular ECMP is used to determine traffic paths.
15 FCoE Transit The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces.
• Allow transit Ethernet bridges to efficiently monitor FIP frames passing between FCoE end-devices and an FCF. To dynamically configure ACLs on the bridge to only permit traffic authorized by the FCF, use the FIP snooping data. FIP enables FCoE devices to discover one another, initialize and maintain virtual links over an Ethernet network, and access storage devices in a storage area network (SAN).
FIP Function Description Logout On receiving a FLOGO packet, FSB deletes all existing sessions from the ENode to the FCF. Figure 37. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF.
core switch. The switch operates as a lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the FCF switch. Figure 38. FIP Snooping on a Core Switch The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions: • Allocate CAM resources for FCoE. • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
FIP Snooping in a Switch Stack FIP snooping supports switch stacking as follows: • A switch stack configuration is synchronized with the standby stack unit. • Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages. • In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
• A switch can support a maximum eight FIP snooping VLANs. Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN. • You can configure multiple FCF-trusted interfaces in a VLAN. • When you disable FIP snooping: – ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed. – The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature.
Configure a Port for a Bridge-to-Bridge Link If a switch port is connected to another FIP snooping bridge, configure the FCoE-Trusted Port mode for bridge-bridge links. Initially, all FCoE traffic is blocked. Only FIP frames with the ALL_FCF_MAC and ALL_ENODE_MAC values in their headers are allowed to pass. After the switch learns the MAC address of a connected FCF, it allows FIP frames destined to or received from the FCF MAC address.
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
• The maximum number of FCoE VLANs supported on the switch is eight.
• The maximum number of FIP snooping sessions (including NPIV sessions) supported per ENode server is 16.
• Links to other FIP snooping bridges on a FIP snooping-enabled port (bridge-to-bridge links) are not supported on the switch.
Displaying FIP Snooping Information Use the following show commands to display information on FIP snooping. Table 29. Displaying FIP Snooping Information Command Output show fip-snooping sessions [interface vlan vlan-id] Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
Table 30. show fip-snooping sessions Command Description Field Description ENode MAC MAC address of the ENode. ENode Interface Slot/ port number of the interface connected to the ENode. FCF MAC MAC address of the FCF. FCF Interface Slot/ port number of the interface to which the FCF is connected. VLAN VLAN ID number used by the session. FCoE MAC MAC address of the FCoE session assigned by the FCF. FC-ID Fibre Channel ID assigned by the FCF. Port WWPN Worldwide port name of the CNA port.
Table 32. show fip-snooping fcf Command Description Field Description FCF MAC MAC address of the FCF. FCF Interface Slot/port number of the interface to which the FCF is connected. VLAN VLAN ID number used by the session. FC-MAP FC-Map value advertised by the FCF. ENode Interface Slot/number of the interface connected to the ENode. FKA_ADV_PERIOD Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted. No of ENodes Number of ENodes connected to the FCF.
The following example shows the show fip-snooping statistics port-channel command.
Field Description Number of FLOGI Rejects Number of FIP FLOGI reject frames received on the interface. Number of FDISC Accepts Number of FIP FDISC accept frames received on the interface. Number of FDISC Rejects Number of FIP FDISC reject frames received on the interface. Number of FLOGO Accepts Number of FIP FLOGO accept frames received on the interface. Number of FLOGO Rejects Number of FIP FLOGO reject frames received on the interface.
FCoE Transit Configuration Example The following illustration shows a core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 39. Configuration Example: FIP Snooping on a Core Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Enabling an FC-MAP Value on a VLAN
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
16 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
System MAC : 00:01:e8:8a:ff:0c Reload Type : normal-reload [Next boot : normal-reload] -- Unit 0 -Unit Type Status Next Boot Required Type Current Type Master priority Hardware Rev Num Ports Up Time Dell Version Jumbo Capable POE Capable FIPS Mode Burned In MAC No Of MACs ... : : : : : : : : : : : : : : : Management Unit online online C9010 - 48-port GE/TE/FG (SE) C9010 - 48-port GE/TE/FG (SE) 0 3.
17 Flex Hash and Optimized Boot-Up This chapter describes the Flex Hash and fast-boot enhancements. Topics: • Flex Hash Capability Overview • Configuring the Flex Hash Mechanism • LACP Fast Switchover • Configuring LACP Fast Switchover • LACP • RDMA Over Converged Ethernet (RoCE) Overview • Sample Configurations • Preserving 802.
When load balancing RRoCE packets using flex hash is enabled, the show ip flow command is disabled. Similarly, when the show ip flow command is in use (ingress port-based load balancing is disabled), the hashing of RRoCE packets is disabled. Flex hash APIs do not mask out unwanted byte values after extraction of the data from the Layer 4 headers for the offset value.
the RoCE and the IP networks and sends the RoCE frames over the IP network. RRoCE transmission results in the encapsulation of RoCE packets in IP packets. RRoCE packets are received and transmitted on specific interfaces called lite-subinterfaces. These interfaces are similar to the normal Layer 3 physical interfaces except for the extra provisioning that they offer to enable the VLAN ID for encapsulation. You can configure a physical interface or a Layer 3 Port Channel interface as a lite subinterface.
Sample Configurations Figure 40.
no spanning-tree ! protocol lldp dcbx port-role auto-downstream no shutdown ! interface fortyGigE 0/33 Description “To C9010s” no ip address mtu 9216 ! port-channel-protocol LACP port-channel 1 mode active ! protocol lldp no advertise dcbx-tlv ets-reco dcbx port-role auto-upstream no shutdown C9010 1 and C9010 2, VLT, RoCE, and iSCSI ! dcb-map converged Description DCB map for C9010 interlinks priority-group 0 bandwidth 30 pfc off priority-group 1 bandwidth 40 pfc on priority-group 2 bandwidth 30 pfc on pri
C9010 2 vlt domain 2 peer-link port-channel 128 back-up destination interface Port-channel 128 no ip address mtu 9216 channel-member fortyGigE 1/4 no shutdown interface fortyGigE 1/4 no ip address mtu 9216 dcb-map Converged protocol lldp no shutdown Description from MXL B1 Switch no ip address mtu 9216 dcb-map RoCE ! port-channel-protocol LACP port-channel 50 mode active ! protocol lldp no shutdown ! interface TenGigabitEthernet 0/28 Description EQL Array - iSCSI no ip address mtu 9216 p
protocol lldp
no shutdown
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
All the frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard to determine the VLAN to which the frames or traffic are relevant or associated. Such frames are encapsulated with the 802.1Q tags. If a single VLAN is configured in a network topology, all the traffic packets contain the same dot1q tag, which is the tag value of the 802.1Q header.
18 Force10 Resilient Ring Protocol (FRRP) Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node. Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring.
Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
Important FRRP Concepts The following table lists some important FRRP concepts. Concept Explanation Ring ID Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch. Control VLAN Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
FRRP Configuration These are the tasks to configure FRRP. • Creating the FRRP Group • Configuring the Control VLAN – Configure Primary and Secondary ports • Configuring and Adding the Member VLANs – Configure Primary and Secondary ports Other FRRP related commands are: • Clearing the FRRP Counters • Viewing the FRRP Configuration • Viewing the FRRP Information Creating the FRRP Group Create the FRRP group on each switch in the ring. To create the FRRP group, use the command.
CONFIG-INT-VLAN mode. tagged interface slot/ port {range} Interface: • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port. 3 Assign the Primary and Secondary ports and the control VLAN for the ports on the ring. CONFIG-FRRP mode.
VLAN ID: the range is from 1 to 4094. 2 Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode. tagged interface slot/port {range} Interface: 3 • Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Clearing the FRRP Counters
To clear the FRRP counters, use one of the following commands.
• Clear the counters associated with this Ring ID. EXEC PRIVILEGED mode. clear frrp ring-id Ring ID: the range is from 1 to 255.
• Clear the counters associated with all FRRP groups. EXEC PRIVILEGED mode. clear frrp
Viewing the FRRP Configuration
To view the configuration for the FRRP group, use the following command.
• Show the configuration for this FRRP group. CONFIG-FRRP mode.
• You can configure FRRP on Layer 2 interfaces only. • Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP. – When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface. • The maximum number of rings allowed on a chassis is 255. Sample Configuration and Topology The following example shows a basic FRRP topology.
Example of R3 TRANSIT
interface TengigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14 control-vlan 101
 member-vlan 201
 mode transit
 no disable
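The following Python check is an added example, not Dell's code. It parses a configuration excerpt in the format of the R3 TRANSIT sample and flags violations of the FRRP rules stated in this chapter: ring ports in Layer 2 mode and tagged in the control and member VLANs, a control VLAN used for nothing else, and Spanning Tree disabled on ring ports. The function names and the stp_global parameter are assumptions of this example, as is treating no spanning-tree as the per-interface disable command.

```python
import re
IF_RE = r"(TenGigabitEthernet|fortyGigE)\s+(\S+)"

def expand(if_type, spec):
    """('TengigabitEthernet', '3/14,21') -> both ports; also accepts Slot/Port-Port."""
    slot, _, rest = spec.partition("/")
    ports = set()
    for part in rest.split(","):
        lo, _, hi = part.partition("-")
        for n in range(int(lo), int(hi or lo) + 1):
            ports.add((if_type.lower(), f"{slot}/{n}"))
    return ports

def parse(text):
    """Split a running-config excerpt into physical, VLAN and FRRP stanzas."""
    phys, vlans, rings = {}, {}, {}
    kind, cur = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            continue
        if m := re.fullmatch("interface " + IF_RE, line, re.I):
            kind, cur = "phys", phys.setdefault((m[1].lower(), m[2]), set())
        elif m := re.fullmatch(r"interface Vlan (\d+)", line, re.I):
            kind, cur = "vlan", vlans.setdefault(int(m[1]), set())
        elif m := re.fullmatch(r"protocol frrp (\d+)", line, re.I):
            ring = {"ports": {}, "control": None, "members": set()}
            kind, cur = "ring", rings.setdefault(int(m[1]), ring)
        elif kind == "phys":
            cur.add(line.lower())            # keep every sub-command of the port
        elif kind == "vlan":
            if m := re.fullmatch("tagged " + IF_RE, line, re.I):
                cur.update(expand(m[1], m[2]))
        elif kind == "ring":
            if m := re.fullmatch(rf"interface primary {IF_RE} secondary {IF_RE} control-vlan (\d+)", line, re.I):
                cur["ports"] = {"primary": (m[1].lower(), m[2]),
                                "secondary": (m[3].lower(), m[4])}
                cur["control"] = int(m[5])
            elif m := re.fullmatch(r"member-vlan (\d+)", line, re.I):
                cur["members"].add(int(m[1]))
    return phys, vlans, rings

def audit(text, stp_global=False):
    """Return findings; stp_global says whether Spanning Tree is enabled globally."""
    phys, vlans, rings = parse(text)
    findings, control_of = [], {}
    for rid, ring in sorted(rings.items()):
        cv = ring["control"]
        if cv is None:
            findings.append(f"frrp {rid}: no primary/secondary/control-vlan line")
            continue
        if cv in control_of:
            findings.append(f"frrp {rid}: control VLAN {cv} also used by frrp {control_of[cv]}")
        control_of.setdefault(cv, rid)
        for role, port in sorted(ring["ports"].items()):
            name, lines = " ".join(port), phys.get(port, set())
            if "switchport" not in lines:
                findings.append(f"frrp {rid}: {role} {name} is not in Layer 2 mode")
            if stp_global and "no spanning-tree" not in lines:
                findings.append(f"frrp {rid}: {role} {name} still runs Spanning Tree")
            for vid in sorted({cv} | ring["members"]):
                if port not in vlans.get(vid, set()):
                    findings.append(f"frrp {rid}: {role} {name} is not tagged in VLAN {vid}")
    for rid, ring in sorted(rings.items()):
        for vid in sorted(ring["members"] & set(control_of)):
            findings.append(f"frrp {rid}: member VLAN {vid} is a control VLAN")
    return findings

R3_TRANSIT = """\
interface TengigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TengigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary TengigabitEthernet 3/21 secondary TengigabitEthernet 3/14 control-vlan 101
 member-vlan 201
 mode transit
 no disable
"""  # the R3 TRANSIT sample from this page

if __name__ == "__main__":
    print(audit(R3_TRANSIT) or "no findings")
```

Pass stp_global=True when Spanning Tree is enabled globally on the switch; the sample then yields one finding per ring port because neither interface stanza disables it.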
19 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 41. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2.
• Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command. • Enable GVRP on a Layer 2 interface.
Dell(conf-if-te-1/21)#show conf ! interface TenGigabitEthernet 1/21 no ip address switchport gvrp enable gvrp registration fixed 34-35 gvrp registration forbidden 45-46 no shutdown Dell(conf-if-te-1/21)# Configure a GARP Timer Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings. • Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times.
20 High Availability (HA) High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
card in the C9010 chassis. For more information about how to install an RPM or line card in the C9010, see the C9010 Getting Started Guide or C9010 Installation Guide. RPM Online Insertion Dell Networking systems can function with only one RPM. If you insert a second RPM, it comes online as the standby RPM. To display the status of installed RPMs, enter the show rpm all command.
Replacing a Line Card To replace a line card with a line card of the same type, you can remove the old card and insert a new card without any additional configuration. To replace a line card with a different card type, remove the card and then remove the existing line-card configuration for the slot using the command no linecard slot-id provision.
• Link aggregation control protocol (LACP)
• Link layer discovery protocol (LLDP)
• Spanning tree protocol (STP)
Graceful Restart
Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets.
• Kernel core dump — the central component of an OS that manages system processors and memory allocation and makes these facilities available to applications. A kernel core dump is the contents of the memory the kernel uses at the time of an exception. • Application core dump — the contents of the memory allocated to a failed application at the time of an exception. System Log Event messages provide system administrators diagnostics and auditing information.
Link to Peer: Up -- PEER RPM Status ------------------------------------------------RPM State: Standby RPM SW Version: 1-0(0-4095) -- Control Plane Redundancy Configuration ------------------------------------------------Primary RPM: rpm0 Auto Data Sync: Full Failover Type: Hot Failover Auto reboot RPM: Enabled Auto failover limit: 3 times in 60 minutes -- Control Plane Failover Record ------------------------------------------------Failover Count: 0 Last failover timestamp: None Last failover Reason: Non
Specifying an Auto-Failover Limit When a non-recoverable fatal error is detected, an automatic failover occurs. However, the Dell Networking OS is configured to auto-failover only three times within any 60-minute period. You may specify a different auto-failover count. To re-enable the auto-failover-limit with its default parameters, use the redundancy auto-failover-limit command without parameters. • Set a different auto-failover count.
21 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 42. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
• Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevent traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Related Configuration Tasks • Viewing IGMP Enabled Interfaces • Selecting an IGMP Version • Viewing IGMP Groups • Adjusting Timers • Configuring a Static IGMP Group • Preventing a Host from Joining a Group • Enabling IGMP Immediate-Leave • IGMP Snooping • Fast Convergence after MSTP Topology Changes • Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP.
Internet address is 1.1.1.1/24 IGMP is enabled on interface IGMP query interval is 60 seconds IGMP querier timeout is 125 seconds IGMP max query response time is 10 seconds IGMP last member query response interval is 1000 ms IGMP immediate-leave is disabled IGMP activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves IGMP querying router is 1.1.1.
IGMP Snooping Implementation Information
• IGMP snooping uses IP multicast addresses, not MAC addresses.
• IGMP snooping reacts to spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) topology changes by sending a general query on the interface that transitions to the forwarding state.
• If IGMP snooping is enabled on a PIM-enabled VLAN interface, data packets using the router as a Layer 2 hop may be dropped.
Example of Configuration Output After Removing a Group-Port Association Dell(conf-if-vl-100)#show config ! interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown Dell(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately.
The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet. When enabled, IGMP snooping querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members. Adjusting the Last Member Query Interval To adjust the last member query interval, use the following command.
22 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them on the switch. • 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
• Port Extender Interfaces • VLAN Interfaces • Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Displaying Traffic Statistics on HiGig Ports • Link Bundle Monitoring • Monitoring HiGig Link Bundles • Non Dell-Qualified Transceivers • Splitting QSFP Ports to SFP+ Ports • Configuring wavelength for 10–Gigabit SFP+ optics • Link Dampening • Using Ethernet Pause Frames f
To configure a C9010 port, specify the interface with the command syntax: interface {TenGigabitEthernet | fortyGigE} slot/port-number • The slot is a chassis slot number from 0 to 11. • port-number is a linecard port number from 0 to 23 or an RPM port number from 0 to 3. NOTE: For slots 10 and 11, the port number is from 0 to 3 only. On the C9010, port interface numbers are written above the ports.
On the 1/10GbE SFP+ line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 50. 1/10GbE RJ-45 Port Numbering On the 1/10GbE RJ-45 line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 51. C1048P Port Numbering On a C1048P port extender, 10/100/1000BASE-T ports on the front panel are numbered from 1 to 48. • Odd-numbered ports 1-47 are on top; even-numbered ports 2-48 are on the bottom. • A yellow PE port number indicates that the port is PoE-enabled.
Interface Types The following table describes different interface types. Table 35. Types of Interfaces Interface Type Modes Possible Default Mode Requires Creation Default State Physical L2, L3 Unset No Shutdown (disabled) NOTE: For the port extender interface only L2 is supported.
Hardware is DellEth, address is 34:17:eb:01:dc:27 Current address is 34:17:eb:01:dc:27 Pluggable media present, SFP+ type is 10GBASE-ACU15M Medium is MultiRate Interface index is 2098692 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :3417eb01dc27 MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit Flowcontrol rx off tx off ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 07:40:05 Queueing strategy: fifo Input Statistics: 8748 packets, 153
Time since last interface status change: 1d18h47m The following example displays the port extender interface configuration: Dell(conf)#interface peGigE 0/0/1 Dell(conf-if-pegi-0/0/1)#show config ! interface peGigE 0/0/1 switchport no shutdown Dell(conf-if-pegi-0/0/1)# The following example displays the status of interfaces: Dell#sho interfaces status | no-more Port Description Status Speed Fo 0/0 Down 40000 Fo 0/4 Down 40000 Fo 0/8 Down 40000 Fo 0/12 Down 40000 Fo 0/16 Down 40000 Fo 0/20 Down 40000 Te 2/0 D
Resetting an Interface to its Factory Default State You can reset any configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps: 1 View the configurations applied on an interface.
no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface. Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system. Line card interfaces support Layer 2 and Layer 3 traffic over 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces.
NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed. 6 Optionally, set full- or half-duplex. INTERFACE mode duplex {half | full} 7 Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8 Verify configuration changes.
Type of Interface | Possible Modes | Requires Creation | Default State
Null interface | N/A | No | Enabled
Port Channel | Layer 2, Layer 3 | Yes | Shutdown (disabled)
VLAN | Layer 2, Layer 3 | Yes, except for the default VLAN. | No shutdown (active for Layer 2); Shutdown (disabled for Layer 3)
Configuring Layer 2 (Data Link) Mode
Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode.
3 traffic from passing through the interface. Layer 2 traffic is unaffected by the shutdown command. One of the interfaces in the system must be in Layer 3 mode before you configure or enter a Layer 3 protocol mode (for example, OSPF). • Enable Layer 3 on an individual interface INTERFACE mode • ip address Enable the interface.
Broadcast address is 1.1.49.255 Address determined by config file MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains.
Management Interfaces The switch supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system. Configuring a Dedicated Management Interface The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Input 791 packets, 62913 bytes, 775 multicast Received 0 errors, 0 discarded Output 21 packets, 3300 bytes, 20 multicast Output 0 errors, 0 invalid protocol Time since last interface status change: 00:06:03 Unless you configure the management route command, you can only access the Management interface from the local LAN. To access the Management interface from another LAN, configure the management route command to point to the Management interface.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination ----------C 6.1.1.0/24 C 10.1.1.0/24 *S 0.0.0.0/0 00:01:12 Dell# Gateway ------Direct, Fo 2/12 Direct, Vl 10 via 6.1.1.
• Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24). – secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Example of a Configuration for a VLAN Participating in an OSPF Process interface Vlan 10 ip address 1.1.1.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
• Port Channel Definition and Standards
• Port Channel Benefits
• Port Channel Implementation
• Configuration Tasks for Port Channel Interfaces
Port Channel Definition and Standards
Link aggregation is defined by IEEE 802.
interface speed that the first channel member sets. That first interface may be the first interface that is physically brought up or was physically operating when interfaces were added to the port channel. For example, if the first operational interface in the port channel is a 10–Gigabit Ethernet interface, all interfaces at 40Gbps are kept up, and all 10/40 GbE interfaces that are not set to 10000 speed or auto negotiate are disabled.
You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists. Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. You can add any physical interface to a port channel if the interface configuration is minimal.
LAG 1 Mode L2 Status up Uptime 00:15:36 Ports Te 0/0 Te 0/1 Te 1/12 Te 1/13 (Up) (Up) (Up) (Up) The following example is for a L2 port channel with port extender interfaces.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, the system recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1 Remove the interface from the first port channel.
Dell(conf-if-po-1)#minimum-links 5 Dell(conf-if-po-1)# Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands. • Add the port channel to the VLAN as a tagged interface.
• Disable a port channel. shutdown When you disable a port channel, all interfaces within the port channel are operationally down also.
Load Balancing Through Port Channels
The system uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among equal-cost multipath (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing.
Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Multiple-Range The following is an example of multiple range. Dell(conf)#interface range tengigabitethernet 0/5 - 10 , tengigabitethernet 0/1 , vlan 1 Dell(conf-if-range-te-0/5-10,te-0/1,vl-1)# Exclude Duplicate Entries The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Also, you can associate a static multicast MAC address with one or more VLANs and port interfaces by using the mac-address-table static multicast-mac-address vlan vlan-id output-range interface command.
Defining Interface Range Macros
You can define an interface-range macro to automatically select a range of interfaces for configuration. Before you can use the macro keyword in the interface-range macro command string, define the macro. To define an interface-range macro, use the following command.
– For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/pe-stack-unit-id/port-number information.
Example of the monitor interface Command
The information displays in a continuous run, refreshing every 2 seconds by default. To manage the output, use the following keys.
NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic. To test and display TDR results, use the following commands. 1 To test for cable faults on the TenGigabitEthernet EXEC Privilege mode tdr-cable-test tengigabitethernet slot/port Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message. 2 Displays TDR test results.
show running-config ecmp-group
You can also enable link bundle monitoring on port channels, as in the following configuration:
interface Port-channel 111
 no ip address
 switchport
 no shutdown
 link-bundle-monitor enable
To view the links that are being monitored, use the show link-bundle-distribution command.
• %STKUNIT0-M:CP %SWMGR-5-HG-BUNDLE_UNEVEN_DISTRIBUTION: Found uneven distribution in hg-port-channel 0/5/0
• %STKUNIT0-M:CP %SWMGR-5-HG-BUNDLE_UNEVEN_DISTRIBUTION_ALARM_CLEAR: Uneven distribution in hg-port-channel 0/5/0 got cleared
Guidelines for Monitoring HiGig Link-Bundles
When configuring HiGig link-bundle monitoring on the backplane, follow these guidelines: • By default, the capability to monitor the traffic distribution in a HiGig link bundle on a line-card or SFM NPU is disabled.
CONFIGURATION mode Dell(conf)#hg-link-bundle-monitor trigger-threshold percentage 3 Specify the interval (in seconds) when HiGig link-bundle monitoring is performed. CONFIGURATION mode Dell(conf)#hg-link-bundle-monitor rate-interval seconds 4 Enable SNMP trap generation for HiGig link-bundle monitoring. CONFIGURATION mode Dell(conf)#snmp-server enable traps hg-lbm 5 Display the traffic utilization of member links in a HiGig link bundle (port channel).
Non-qualified pluggable media present, QSFP type is 40GBASE-SR4 Wavelength is 850nm No power Interface index is 2103813 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :3417ebf225c6 MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 40000 Mbit Splitting QSFP Ports to SFP+ Ports The switch supports splitting a single 40G QSFP port into four 10G SFP+ ports using a supported breakout cable.
NOTE: Trident2 chip sets do not work at 1G speeds with auto-negotiation enabled. As a result, when you peer any device using SFP, the link does not come up if auto-negotiation is enabled. Therefore, you must disable auto-negotiation on platforms that currently use Trident2 chip sets (9000 series). This limitation applies only when you convert QSFP to SFP using the QSA. This constraint does not apply for QSFP to SFP+ conversions using the QSA.
show config
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes a state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of re-converging. Flapping, therefore, puts the status of the entire network at risk of transient loops and black holes.
To view link dampening on a port extender interface. Dell(conf-if-range-pegi-255/1/36-37)#do show interface Interface PeGi 255/1/36 PeGi 255/1/37 Supp State Up Up Flaps Penalty Half-Life Reuse Suppress Max-Sup 0 0 0 0 200 200 800 800 100 100 20 20 To view a dampening summary for the entire system, use the show interfaces dampening summary command from EXEC Privilege mode. Dell# show interfaces dampening summary 20 interfaces are configured with dampening. 3 interfaces are currently suppressed.
Transmission Media MTU Range (in bytes) Ethernet The MTU range is from 594 to 9216, with a default of 1554. The IP MTU automatically configures. Using Ethernet Pause Frames for Flow Control Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
The pause is started when either the packet pointer or the buffer threshold is met (whichever is met first). When the discard threshold is met, packets are dropped. The pause ends when both the packet pointer and the buffer threshold fall below 50% of the threshold settings. The discard threshold defines when the interface starts dropping the packet on the interface. This may be necessary when a connected device doesn’t honor the flow control frame sent by the switch.
Table 37. Layer 2 Overhead
Layer 2 Overhead | Difference Between Link MTU and IP MTU
Ethernet (untagged) | 18 bytes
VLAN Tag | 22 bytes
Untagged Packet with VLAN-Stack Header | 22 bytes
Tagged Packet with VLAN-Stack Header | 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows. Port Channels: • All members must have the same link MTU value and the same IP MTU value.
Example of the negotiation auto Command Dell(conf)# int tengig 0/0 Dell(conf-if-te-0/1)#neg auto Dell(conf-if-te-0/1)# ? end Exit from configuration mode exit Exit from autoneg configuration mode mode Specify autoneg mode no Negate a command or set its defaults show Show autoneg configuration information Dell(conf-if-te-0/1)#mode ? forced-master Force port to master mode forced-slave Force port to slave mode Dell(conf-if-te-0/1)# For details about the speed, duplex, and negotiation auto commands, refer to t
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 1d23h42m
Dynamic Counters
By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB. For the remaining applications, the system automatically turns on counting when you enable the application and turns it off when you disable the application.
– (OPTIONAL) To clear unknown source address (SA) drop counters when you configure the MAC learning limit on the interface, enter the keywords learning-limit. Example of the clear counters Command When you enter this command, confirm that you want to clear the interface counters for the specified interface.
23 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
transform-set myXform-set
session-key inbound esp 256 auth encrypt
session-key outbound esp 257 auth encrypt
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.
24 IPv4 Routing IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
NOTE: 31-bit subnet masks (/31, or 255.255.255.254), as defined by RFC 3021, are supported. This feature allows you to save two more IP addresses on point-to-point links than 30-bit masks. The system also supports RFC 3021 with ARP. Configuration Tasks for IP Addresses The following describes the tasks associated with IP address configuration.
ip address 10.11.1.1/24
no shutdown
!
Dell(conf-if)#
Dell(conf-if)#show conf
!
interface TengigabitEthernet 0/0
ip address 10.11.1.1/24
no shutdown
!
Dell(conf-if)#
Configuring Static Routes
A static route is an IP address that you manually configure and that a routing protocol, such as open shortest path first (OSPF), does not learn. Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static IP addresses as necessary.
The system installs a next hop that is on the directly connected subnet of the current IP address on the interface (for example, if interface gig 0/0 is on the 172.31.5.0 subnet, the system installs the static route). The system also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet. For example, if gig 0/0 has an IP address on subnet 2.2.2.0 and if 172.31.5.43 recursively resolves to 2.2.2.
Name server, Domain name, and Domain list are VRF specific. The maximum number of Name servers and Domain lists per VRF is six.
Enabling Dynamic Resolution of Host Names
By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands.
• Enable dynamic resolution of host names.
CONFIGURATION mode
ip domain-lookup
• Specify up to six name servers.
CONFIGURATION mode
ip name-server ip-address [ip-address2 ...
Configuring DNS with Traceroute
To configure your switch to perform DNS with traceroute, use the following commands.
• Enable dynamic resolution of host names.
CONFIGURATION mode
ip domain-lookup
• Specify up to six name servers.
CONFIGURATION mode
ip name-server ip-address [ip-address2 ... ip-address6]
The order you entered the servers determines the order of their use.
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
Internet 10.1.2.4 17 08:00:20:b7:bd:32 Ma 1/0 - CP
Dell#
Configuring ARP Inspection Trust
Use the arp-inspection-trust command to specify a port or an interface as trusted so that ARP frames are not validated against the binding table. By default, this feature is disabled.
• Enable ARP learning via gratuitous ARP.
clear arp-cache [interface | ip ip-address] [no-refresh] – ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. – no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM. Or to specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address. – For a port channel interface, enter the keywords port-channel then a number.
ARP Learning via ARP Request The system learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 52.
arp retries number
The default is 5. The range is from 1 to 20.
• Set the exponential timer for resending unresolved ARPs.
CONFIGURATION mode
arp backoff-time
The default is 30. The range is from 1 to 3600.
For information about the arp backoff-time command, see Configuring the Timer for Resending Unresolved ARPs.
• Display all ARP entries learned via gratuitous ARP.
25 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Prefix Advertisement — Routers use “Router Advertisement” messages to announce the network prefix. Hosts then use their interface-identifier MAC address to generate their own valid IPv6 address. • Duplicate Address Detection (DAD) — Before configuring its IPv6 address, an IPv6 host node device checks whether that address is used anywhere on the network using this mechanism.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 54. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Next Header (8 bits) The Next Header field identifies the next header’s type. If an Extension header is used, this field contains the type of Extension header (as shown in the following table). If the next header is a transmission control protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination. The value is 1 if it can change; the value is 0 if it cannot change.
another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way. In IPv6, every interface, whether using static or dynamic address assignments, also receives a link-local address automatically in the fe80::/64 subnet. IPv6 Implementation on the Dell Networking OS The Dell Networking OS supports both IPv4 and IPv6 and both versions may be used simultaneously in your system.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location ISIS for IPv6 support for distribute lists and administrative distance 8.3.11 Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. OSPF for IPv6 (OSPFv3) 8.3.11 Equal Cost Multipath for IPv6 8.3.11 OSPFv3 in the Dell Networking OS Command Line Reference Guide. IPv6 Services and Management Telnet client over IPv6 (outbound Telnet) 8.3.
ICMPv6 ICMP for IPv6 (ICMPv6) combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The implementation of ICMPv6 is based on RFC 4443. ICMPv6 uses two message types: • Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node.
NOTE: To avoid problems with network discovery, Dell Networking recommends configuring the static route last or assigning an IPv6 address to the interface and assigning an address to the peer (the forwarding router’s address) less than 10 seconds apart. With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary processing by uninterested nodes.
• prefix addresses • multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed. Example for Configuring an IPv6 Recursive DNS Server The following example configures a RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND advertised hop limit is 64
IPv6 hop limit for originated packets is 64
ND dns-server address is 1000::1 with lifetime of 1 seconds
ND dns-server addr
• L3 ACL (ipv4acl): 6 • L2 ACL(l2acl): 5 • IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings. • Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount. CONFIGURATION mode cam-acl { ipv6acl } When not selecting the default option, enter all of the profiles listed and a range for each.
Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command. NOTE: After you configure a static IPv6 route (the ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor does not display in the show ipv6 route command output. • Set up IPv6 static routes.
• snmp-server community ipv6 • snmp-server community access-list-name ipv6 • snmp-server group ipv6 • snmp-server group access-list-name ipv6 Displaying IPv6 Information To view a specified IPv6 configuration, use the show ipv6 command. • List the IPv6 show options.
Link Local address: fe80::201:e8ff:fe8b:386e
Global Unicast address(es):
Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64
Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64
Virtual-IP IPv6 address is not set
Received Prefix(es):
400::/64 onlink autoconfig
Valid lifetime: 2592000, Preferred lifetime: 604800
Advertised by: fe80::201:e8ff:fe8b:3166
412::/64 onlink autoconfig
Valid lifetime: 2592000, Preferred lifetime: 604800
Advertised by: fe80::201:e8ff:fe8b:3166
Global Anycast addres
B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
Gateway of last resort is not set
Destination Dist/Metric, Gateway, Last Change
----------------------------------------------------
C 600::/64 [0/0] Direct, Te 0/24, 00:34:42
C 601::/64 [0/0] Di
– ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
26 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 57.
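The address layout above, as an added example that is not part of the Dell guide: a Python parser that splits a NET into area address, system ID and N-selector, plus a check over a set of routers. The 8-to-20-byte length bound and the requirement that system IDs be unique are standard IS-IS assumptions not stated on this page; the router names r1 to r4 and the NETs other than the two taken from the guide are constructed.

```python
import re
from collections import defaultdict

SYSTEM_ID_LEN = 6   # bytes; the guide describes this part as the router's MAC address


def _dotted(raw, first):
    """Hex-encode bytes with dots: `first` bytes in the leading group, then two-byte groups."""
    head, tail = raw[:first].hex(), raw[first:].hex()
    groups = [head] + [tail[i:i + 4] for i in range(0, len(tail), 4)]
    return ".".join(g for g in groups if g)


def parse_net(net):
    """Split an ISO-style NET into its area address, system ID and N-selector."""
    digits = net.replace(".", "")
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", digits):
        raise ValueError(f"{net}: not a whole number of hexadecimal bytes")
    raw = bytes.fromhex(digits)
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"{net}: a NET is 8 to 20 bytes long, got {len(raw)}")
    # Parse from the right: the selector is the last byte, the system ID the six before it.
    area = raw[:-(SYSTEM_ID_LEN + 1)]
    system_id = raw[-(SYSTEM_ID_LEN + 1):-1]
    selector = raw[-1]
    if selector != 0:
        raise ValueError(f"{net}: N-selector must be 00, got {selector:02x}")
    return {
        "afi": f"{area[0]:02x}",            # first byte of the area address
        "area": _dotted(area, 1),
        "system_id": _dotted(system_id, 2),
        "n_selector": selector,
    }


def audit_nets(inventory):
    """Return a sorted list of problems found in a {router_name: NET} mapping."""
    problems, owners = [], defaultdict(list)
    for name, net in inventory.items():
        try:
            owners[parse_net(net)["system_id"]].append(name)
        except ValueError as err:
            problems.append(f"{name}: {err}")
    for system_id, names in owners.items():
        if len(names) > 1:
            problems.append(f"system ID {system_id} reused by {', '.join(sorted(names))}")
    return sorted(problems)


# Constructed inventory. r1 is the NET from the address-format illustration and r2 the
# NET from the guide's sample configuration; r3 and r4 are made up to trigger findings.
SAMPLE_INVENTORY = {
    "r1": "47.0005.0001.000c.000a.4321.00",
    "r2": "34.0000.0000.AAAA.00",
    "r3": "47.0005.0002.000c.000a.4321.00",   # same system ID as r1, different area
    "r4": "47.0005.0001.000c.000a.4322.01",   # non-zero N-selector
}

if __name__ == "__main__":
    print(parse_net(SAMPLE_INVENTORY["r1"]))
    for line in audit_nets(SAMPLE_INVENTORY):
        print(line)
```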
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
Implementation Information IS-IS implementation supports one instance of IS-IS and six areas. You can configure the system as a Level 1 router, a Level 2 router, or a Level 1-2 router. For IPv6, the IPv4 implementation has been expanded to include two new type-length-values (TLVs) in the PDU that carry information required for IPv6 routing. The new TLVs are IPv6 Reachability and IPv6 Interface Address. A new IPv6 protocol identifier has also been included in the supported TLVs.
NOTE: When using the IS-IS routing protocol to exchange IPv6 routing information and to determine destination reachability, you can route IPv6 along with IPv4 while using a single intra-domain routing protocol. The configuration commands allow you to enable and disable IPv6 routing and to configure or remove IPv6 prefixes on links. Except where identified, the commands described in this chapter apply to both IPv4 and IPv6 versions of IS-IS.
Enter the keyword interface then the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
• For a port channel, enter the keywords port-channel then a number.
• For a SONET interface, enter the keyword sonet then the slot/port information.
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Use this command for IPv6 route computation only when you enable multi-topology. If using single-topology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4 Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
graceful-restart t3 {adjacency | manual seconds}
– adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value accordingly if you have configured this option.
– manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 Dell# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. • Set interval between LSP generation.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#
Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
• Assign an IS-IS metric.
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure IS-IS operating level for a router.
ROUTER ISIS mode
is-type {level-1 | level-1-2 | level-2-only}
Default is level-1-2.
• Change the IS-type for the IS-IS process.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/ port information. – For a VLAN, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or the system does not install the route in the routing table.
Applying IPv6 Routes To apply prefix lists to incoming or outgoing IPv6 routes, use the following commands. NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use ROUTER ISIS mode, previously shown. • Apply a configured prefix list to all incoming IPv6 IS-IS routes.
Configure the following parameters:
– level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
– metric-value: the range is from 0 to 16777215. The default is 0.
– metric-type: choose either external or internal. The default is internal.
– map-name: enter the name of a configured route map.
• Include specific OSPF routes in IS-IS.
ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode. Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers.
LSPID            LSP Seq Num   LSP Checksum
B233.00-00       0x00000003    0x07BF
eljefe.00-00 *   0x0000000A    0xF963
eljefe.01-00 *   0x00000001    0x68DF
eljefe.02-00 *   0x00000001    0x2E7F
Force10.00-00    0x00000002    0xD1A7
IS-IS Level-2 Link State Database
LSPID            LSP Seq Num   LSP Checksum
B233.00-00       0x00000006    0xC38A
eljefe.00-00 *   0x0000000E    0x53BF
eljefe.01-00 *   0x00000001    0x68DF
eljefe.02-00 *   0x00000001    0x2E7F
Force10.
To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command. IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Table 41. Metric Value When the Metric Style Changes
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
wide | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide | transition | truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
Moving to transition and then to another metric style produces different results.
Table 42. Metric Value when the Metric Style Changes Multiple Times
Beginning Metric Style | Next Metric Style | Resulting Metric Value | Next Metric Style | Final Metric Value
wide | transition | truncated value | wide | original value is recovered
wide transition | transition | truncated value | wide transition | original value is recovered
wide | transition | truncated value | narrow | default value (10).
Sample Configurations The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. NOTE: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
interface TenGigabitEthernet 3/17
ip address 24.3.1.1/24
ipv6 address 24:3::1/76
ip router isis
ipv6 router isis
no shutdown
Dell (conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
metric-style wide level-1
metric-style wide level-2
net 34.0000.0000.AAAA.00
Dell (conf-router_isis)#
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
ipv6 address 24:3::1/76
ipv6 router isis
no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
net 34.0000.0000.
27 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
• Auto-detection of EqualLogic storage arrays — the switch detects any active EqualLogic array directly attached to its ports. • Manual configuration to detect Compellent storage arrays where auto-detection is not supported. • Automatic configuration of switch ports after detection of storage arrays. • If you configure flow-control, iSCSI uses the current configuration.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 44. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting iSCSI CoS mode (802.1p priority queue mapping) iSCSI CoS Packet classification When you enable iSCSI, iSCSI packets are queued based on dot1p, instead of DSCP values. VLAN priority tag iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
iscsi enable
3 Save the configuration on the switch.
EXEC Privilege mode
write memory
4 Reload the switch.
EXEC Privilege mode
reload
After the switch is reloaded, DCB/DCBx and iSCSI monitoring are enabled.
5 (Optional) Configure the iSCSI target ports and optionally the IP addresses on which iSCSI communication is monitored.
CONFIGURATION mode
[no] iscsi target port tcp-port-1 [tcp-port-2...
LLDP CONFIGURATION mode or INTERFACE LLDP CONFIGURATION mode [no] advertise dcbx-app-tlv iscsi. You can send iSCSI TLVs either globally or on a specified interface. The interface configuration takes priority over global configuration. The default is Enabled. 9 (Optional) Configures the advertised priority bitmap in iSCSI application TLVs. LLDP CONFIGURATION mode [no] iscsi priority-bits. The default is 4 (0x10 in the bitmap). 10 (Optional) Configures the auto-detection of Compellent arrays on a port.
Maximum number of connections is 256
-----------------------------------------------
iSCSI Targets and TCP Ports:
-----------------------------------------------
TCP Port Target IP Address
3260
860
The following example shows the show iscsi session command.
VLT PEER1
Dell#show iscsi session
Session 0:
----------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.
• iSCSI session snooping is enabled. • iSCSI LLDP monitoring starts to automatically detect EqualLogic arrays. The following message displays when you enable iSCSI on a switch and describes the configuration changes that are automatically performed: %SYSTEM:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces.
• Up Time
If no iSCSI traffic is detected for a session during a user-configurable aging period, the session data is cleared. If more than 256 simultaneous sessions are logged continuously, the following message displays indicating the queue rate limit has been reached:
%Z9500LC48:1 %ACL_AGENT-3-ISCSI_OPT_MAX_SESS_LIMIT_REACHED: Monitored iSCSI sessions reached maximum limit
NOTE: If you are using EqualLogic or Compellent storage arrays, more than 256 simultaneous iSCSI sessions are possible.
The following message displays the first time you use the iscsi profile-compellent command to configure a port connected to a Dell Compellent storage array and describes the configuration changes that are automatically performed: %SYSTEM:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
LACP Modes Three LACP configuration modes are supported — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state. A port in Active state also automatically initiates negotiations with other ports by initiating LACP packets.
LACP Configuration Tasks
The following configuration tasks apply to LACP.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
• Configuring Shared LAG State Tracking
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
• Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
• Create a dynamic port channel (LAG).
Dell(conf)#interface Tengigabitethernet 4/15 Dell(conf-if-te-4/15)#no shutdown Dell(conf-if-te-4/15)#port-channel-protocol lacp Dell(conf-if-te-4/15-lacp)#port-channel 32 mode active ...
• Debug LACP, including configuration and events. EXEC mode [no] debug lacp [config | events | pdu [in | out | [interface [in | out]]]] Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG.
To view the failover group configuration, use the show running-configuration po-failover-group command. R2#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time. Figure 61.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state. LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 62. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
132 Multicasts, 0 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics
136 packets, 16718 bytes, 0 underruns
0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
136 Multicasts, 0 Broadcasts, 0 Unicasts
0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info
Figure 64.
Figure 65.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
no ip address
switchport
no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TengigabitEthernet 3/21
no ip address
!
port-ch
The following figure illustrates inspecting a LAG Port on BRAVO Using the show interface Command. Figure 66.
The following figure illustrates inspecting LAG 10 Using the show interfaces port-channel Command. Figure 67.
The following figure illustrates inspecting the LAG Status Using the show lacp command. Figure 68. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode.
29 Layer 2
This chapter describes the Layer 2 features supported on the switch.
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
Setting the MAC Learning Limit To set a MAC learning limit on an interface, use the following command. • Specify the number of MAC addresses that the system can learn off a Layer 2 interface. INTERFACE mode mac learning-limit address_limit Three options are available with the mac learning-limit command: – dynamic – no-station-move – station-move NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface. For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface.
• Shut down the second port to learn the MAC address.
INTERFACE mode
station-move-violation shutdown-offending
• Shut down both the first and second port to learn the MAC address.
INTERFACE mode
station-move-violation shutdown-both
• Display a list of all of the interfaces configured with MAC learning limit or station move violation.
If you don’t use any option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs. NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
NOTE: If you have configured the no mac-address-table station-move refresh-arp command, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 70.
Apply all other configurations to each interface in the redundant pair such that their configurations are identical, so that transition to the backup interface in the event of a failure is transparent to the rest of the network. Figure 71. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command.
Important Points about Configuring Redundant Pairs • You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface. • The active or backup interface may not be a member of a LAG. • The active and standby do not have to be of the same type (1G, 10G, and so on). • You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2
Dell(conf-if-po-1)#
Dell#
Dell#show interfaces switchport backup
Interface        Status    Paired Interface   Status
Port-channel 1   Active    Port-channel 2     Standby
Port-channel 2   Standby   Port-channel 1     Active
Dell#
Dell(conf-if-po-1)#switchport backup interface tengigabitethernet 0/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WA
FEFD State Changes FEFD has two operational modes: Normal and Aggressive. When a far-end failure is detected on an FEFD-enabled interface: • If the interface is in normal FEFD mode, no user intervention is required to reset the interface; it automatically resets to an FEFD operational state. • If the interface is in aggressive FEFD mode, manual intervention is required to reset the interface.
Configuring FEFD You can configure FEFD on all interfaces from CONFIGURATION mode or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Configure two or more connected interfaces for Layer 2 or Layer 3 traffic. INTERFACE mode switchport ip address ip address 2 Activate the ports.
INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration, which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1 Set up two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2 Activate the necessary ports administratively.
2w1d22h: %SYSTEM-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1
2w1d22h : FEFD state on Te 4/0 changed from Bi-directional to Unknown
The following example shows the debug fefd packets command.
30 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 46. Type, Length, Value (TLV) Types
Type   TLV             Description
0      End of LLDPDU   Marks the end of an LLDPDU.
1      Chassis ID      An administratively assigned name that identifies the LLDP agent.
2      Port ID         An administratively assigned name that identifies a port through which TLVs are sent and received.
3      Time to Live    An administratively assigned name that identifies a port through which TLVs are sent and received.
Management TLVs A management TLV is an optional TLV subtype. This kind of TLV contains essential management information about the sender. Organizationally Specific TLVs A professional organization or a vendor can define organizationally specific TLVs. They have two mandatory fields (as shown in the following illustration) in addition to the basic TLV fields. Figure 75. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.
Type TLV Description 127 Port and Protocol VLAN ID On Dell Networking systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode). 127 Protocol Identity Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV.
TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • transmitting an LLDP-MED capability TLV to endpoint devices • storing the information that endpoint devices advertise The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 48.
Type SubType TLV Description 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device. 127 9 Inventory — Manufacturer Name Indicates the manufacturer of the LLDP-MED device. 127 10 Inventory — Model Name Indicates the model of the LLDP-MED device. 127 11 Inventory — Asset ID Indicates a user specified device number to manage inventory.
Value    Device Type
2        Endpoint Class 2
3        Endpoint Class 3
4        Network Connectivity
5–255    Reserved
LLDP-MED Network Policies TLV
A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations.
Type Application Description 8 Video Signaling Specify this application type only if video control packets use a separate network policy than video data. 9–255 Reserved — Figure 77. LLDP-MED Policies TLV Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device.
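The TLV layout described in this chapter, as an added Python example (not Dell code): it walks an LLDPDU, names basic and organizationally specific TLVs by OUI and subtype, and lists the optional TLVs that disclose inventory detail to any adjacent device. The sample LLDPDU is constructed; the 7-bit type / 9-bit length header, the three OUIs and LLDP-MED inventory subtypes 5 to 7 come from IEEE 802.1AB and TIA-1057 rather than from this page.

```python
import struct

# OUIs of the organizationally specific TLV families (type 127) named in this chapter.
OUI_NAMES = {
    bytes.fromhex("0080c2"): "IEEE 802.1",
    bytes.fromhex("00120f"): "IEEE 802.3",
    bytes.fromhex("0012bb"): "TIA LLDP-MED",
}
BASIC_TLVS = {0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time to Live",
              4: "Port Description", 5: "System Name", 6: "System Description",
              7: "System Capabilities", 8: "Management Address"}
# Optional TLVs that hand naming, software and addressing detail to a neighbor.
DISCLOSING_BASIC = {4, 5, 6, 8}
MED_OUI = bytes.fromhex("0012bb")
MED_INVENTORY_SUBTYPES = range(5, 12)  # hardware revision through asset ID


class LLDPParseError(ValueError):
    """Raised when an LLDPDU is truncated or structurally invalid."""


def parse_tlvs(lldpdu):
    """Yield (type, value) per TLV. Header = 7-bit type followed by 9-bit length."""
    offset = 0
    while offset < len(lldpdu):
        if offset + 2 > len(lldpdu):
            raise LLDPParseError("truncated TLV header")
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(lldpdu):
            raise LLDPParseError(f"TLV type {tlv_type} claims {length} bytes past end")
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length
        if tlv_type == 0:          # End of LLDPDU: ignore any padding after it
            return
    raise LLDPParseError("missing End of LLDPDU TLV")


def describe(tlv_type, value):
    """Human-readable name; type 127 is resolved through its OUI and subtype."""
    if tlv_type == 127:
        if len(value) < 4:
            raise LLDPParseError("type 127 TLV shorter than OUI + subtype")
        org = OUI_NAMES.get(value[:3], "OUI " + value[:3].hex("-"))
        return f"{org} subtype {value[3]}"
    return BASIC_TLVS.get(tlv_type, f"reserved type {tlv_type}")


def audit(lldpdu):
    """Return the advertised TLVs that go beyond the mandatory identification set."""
    findings = []
    for tlv_type, value in parse_tlvs(lldpdu):
        name = describe(tlv_type, value)
        if tlv_type in DISCLOSING_BASIC:
            findings.append(name)
        elif (tlv_type == 127 and value[:3] == MED_OUI
              and value[3] in MED_INVENTORY_SUBTYPES):
            findings.append(name)
    return findings


def tlv(tlv_type, value):
    """Encode one TLV (helper used only to build the constructed sample)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU, not captured from a real device.
SAMPLE = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("020000000001")),   # chassis ID, subtype 4 = MAC
    tlv(2, b"\x05" + b"Te 1/21"),                      # port ID, subtype 5 = ifname
    tlv(3, struct.pack("!H", 120)),                    # TTL in seconds
    tlv(5, b"R1"),
    tlv(6, b"constructed system description"),
    tlv(127, bytes.fromhex("0080c2") + b"\x01" + struct.pack("!H", 100)),
    tlv(127, MED_OUI + b"\x08" + b"SN-PLACEHOLDER"),   # LLDP-MED serial number
    tlv(0, b""),
])

if __name__ == "__main__":
    for t, v in parse_tlvs(SAMPLE):
        print(f"{t:3d}  {describe(t, v)}")
    print("discloses:", audit(SAMPLE))
```

Comparing the `audit` result for a port against the `advertise` lines in its LLDP configuration shows whether an edge-facing interface announces more than intended.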
• Configuring LLDPDU Intervals
• Configuring Transmit and Receive Mode
• Configuring a Time to Live
• Debugging LLDP
Important Points to Remember
• LLDP is enabled by default.
• Dell Networking systems support up to eight neighbors per interface.
• Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000.
R1(conf-lldp)#?
advertise     Advertise TLVs
disable       Disable LLDP protocol globally
end           Exit from configuration mode
exit          Exit from LLDP configuration mode
hello         LLDP hello configuration
mode          LLDP mode configuration (default = rx and tx)
multiplier    LLDP multiplier configuration
no            Negate a command or set its defaults
show          Show LLDP configuration
Enabling LLDP
LLDP is disabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs.
protocol lldp 2 Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3 Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs.
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 79. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
Viewing Information Advertised by Adjacent LLDP Agents
To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
• Display brief information about adjacent devices.
show lldp neighbors
• Display all of the information that neighbors are advertising.
• Configure a non-default transmit interval.
R1(conf-lldp)#mode ?
rx    Rx only
tx    Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf
 no disable
R1(conf-lldp)#
Debugging LLDP
You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
• View a readable version of the TLVs.
debug lldp brief
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
debug lldp detail
Figure 80. The debug lldp detail Command — LLDPDU Packet Dissection
Relevant Management Objects
The system supports all IEEE 802.1AB MIB objects.
Table 52. LLDP Configuration MIB Objects
MIB Object Category   LLDP Variable   LLDP MIB Object               Description
LLDP Configuration    adminStatus     lldpPortConfigAdminStatus     Whether you enable the local LLDP agent for transmit, receive, or both.
                      msgTxHold       lldpMessageTxHoldMultiplier   Multiplier value.
                      msgTxInterval   lldpMessageTxInterval         Transmit Interval value.
                      rxInfoTTL       lldpRxInfoTTL                 Time to live for received TLVs.
                      txInfoTTL       lldpTxInfoTTL                 Time to live for transmitted TLVs.
TLV Type 4 5 6 7 8 TLV Name Port Description System Name System Description System Capabilities Management Address TLV Variable port description system name system description system capabilities enabled capabilities management address length management address subtype management address interface numbering subtype interface number OID System LLDP MIB Object Remote lldpRemPortId Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local
TLV Type   TLV Name    TLV Variable       System   LLDP MIB Object
                                          Remote   lldpXdot1RemProtoVlanEnabled
                       PPVID              Local    lldpXdot1LocProtoVlanId
                                          Remote   lldpXdot1RemProtoVlanId
127        VLAN Name   VID                Local    lldpXdot1LocVlanId
                                          Remote   lldpXdot1RemVlanId
                       VLAN name length   Local    lldpXdot1LocVlanName
                                          Remote   lldpXdot1RemVlanName
                       VLAN name          Local    lldpXdot1LocVlanName
                                          Remote   lldpXdot1RemVlanName
Table 55.
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object L2 Priority Local lldpXMedLocMediaPolicyPriority Remote lldpXMedRemMediaPolicyPriority Local lldpXMedLocMediaPolicyDscp Remote lldpXMedRemMediaPolicyDscp Local lldpXMedLocLocationSubtype Remote lldpXMedRemLocationSubtype Local lldpXMedLocLocationInfo Remote lldpXMedRemLocationInfo Local lldpXMedLocXPoEDeviceType Remote lldpXMedRemXPoEDeviceType Local lldpXMedLocXPoEPSEPowerSource DSCP Value 3 Location Iden
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object lldpXMedRemXPoEPDPowerReq
31 Multicast Source Discovery Protocol (MSDP) This chapter describes how to configure and use the multicast source discovery protocol (MSDP). Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 82.
With Anycast RP, all the RPs are configured to be MSDP peers of each other. When a source registers with one RP, an SA message is sent to the other RPs informing them that there is an active source for a particular multicast group. The result is that each RP is aware of the active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP.
• MSDP Sample Configurations Figure 83. Configuring Interfaces for MSDP Figure 84.
Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Example of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
Example of the show ip msdp sa-cache Command
R3#show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr    SourceAddr   RPAddr        LearnedFrom   Expire   UpTime
239.0.0.1    10.11.4.2    192.168.0.1   192.168.0.1   76       00:10:44
Limiting the Source-Active Cache
Set the upper limit of the number of active sources that the system caches. The default active source limit is 500K messages.
• In Scenario 3, RP3 is configured as a default MSDP peer for RP1 and so the RPF check is disregarded for RP3.
• In Scenario 4, RP1 has a default peer plus an access list. The list permits RP4 so the RPF check is disregarded for active sources from it, but RP5 (and all others because of the implicit deny all) are subject to the RPF check and fail, so those active sources are rejected. Figure 87. MSDP Default Peer, Scenario 1 Figure 88.
Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
CONFIGURATION mode ip msdp cache-rejected-sa 2 Prevent the system from caching local SA entries based on source and group using an extended ACL. CONFIGURATION mode ip msdp redistribute list Example of Verifying the System is not Caching Local Sources When you apply this filter, the SA cache is not affected immediately. When sources that are denied by the ACL time out, they are not refreshed. Until they time out, they continue to reside in the cache.
R3(conf)#
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
 Local Addr: 0.0.0.0(639) Connect Source: Lo 0
 State: Listening Up/Down Time: 00:01:19
 Timers: KeepAlive 30 sec, Hold time 75 sec
 SourceActive packet count (in/out): 0/0
 SAs learned from this peer: 0
 SA Filtering:
 Input (S,G) filter: myremotefilter
 Output (S,G) filter: none
Preventing MSDP from Advertising a Local Source
To prevent MSDP from advertising a local source, use the following command.
Terminating a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. • Terminate the TCP connection with a peer. CONFIGURATION mode ip msdp shutdown Example of Verifying that the Peering State is Disabled After the relationship is terminated, the peering state of the terminator is SHUTDOWN, while the peering state of the peer is INACTIVE.
 Local Addr: 0.0.0.0(0) Connect Source: Lo 0
 State: Inactive Up/Down Time: 00:00:04
 Timers: KeepAlive 30 sec, Hold time 75 sec
 SourceActive packet count (in/out): 0/0
 SAs learned from this peer: 0
 SA Filtering:
 Input (S,G) filter: myremotefilter
 Output (S,G) filter: none
Debugging MSDP
To debug MSDP, use the following command.
• Display the information exchanged between peers.
3. RPs use MSDP to peer with each other using a unique address. Figure 91. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP: 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
The following shows an R2 configuration for MSDP with Anycast RP.
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface TenGigabitEthernet 0/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
MSDP Sample Configuration: R2 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.2 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 update-source Loopback 0
 neighbor 192.168.0.3 no shutdown
!
ip route 192.168.0.3/32 10.11.0.32
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 0/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 0/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.4/32 area 0
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview In contrast, PVST+ allows a spanning tree instance for each VLAN.
• Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • MSTP Sample Configurations • Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 56. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .
• Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • Debugging and Verifying MSTP Configurations • Prevent Network Disruptions with BPDU Guard • Enabling SNMP Traps for Root Elections and Topology Changes Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands.
Examples of Creating and Viewing MSTP Instances
The following example shows using the msti command.
Dell(conf)#protocol spanning-tree mstp
Dell(conf-mstp)#msti 1 vlan 100
Dell(conf-mstp)#msti 2 vlan 200-300
Dell(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
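One way to check the requirement that every bridge in the region carries the same VLAN-to-instance mapping, as an added Python example (not Dell code): it parses the `MSTI n VLAN ...` lines from saved `show config` output and reports the VLANs that bridges map differently. The two configs are constructed from the mappings shown in this chapter; treating unmapped VLANs as instance 0 follows the MSTP standard and is an assumption about how you want gaps reported.

```python
import re

# Matches the mapping lines as they appear in "show config", e.g. "MSTI 2 VLAN 200-300".
MSTI_VLAN = re.compile(r"^msti\s+(\d+)\s+vlan\s+([\d,\- ]+)$", re.IGNORECASE)


def expand_vlans(spec):
    """Expand a VLAN list such as '200-300' or '200,300' into a set of IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(low, high + 1))
    return vlans


def vlan_to_instance(config_text):
    """Return {vlan: msti} for the 'protocol spanning-tree mstp' block of one bridge."""
    mapping, in_mstp = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.lower() == "protocol spanning-tree mstp":
            in_mstp = True
        elif line == "!":                      # "!" closes a config block
            in_mstp = False
        elif in_mstp:
            match = MSTI_VLAN.match(line)
            if not match:
                continue                       # e.g. "no disable", bridge-priority lines
            instance = int(match.group(1))
            for vlan in expand_vlans(match.group(2)):
                if mapping.setdefault(vlan, instance) != instance:
                    raise ValueError(
                        f"VLAN {vlan} mapped to MSTI {mapping[vlan]} and {instance}")
    return mapping


def mismatched_vlans(configs):
    """configs: {bridge: config text}. Return {vlan: {bridge: instance}} where they differ.

    A VLAN missing from a bridge's mapping is reported as instance 0.
    """
    maps = {name: vlan_to_instance(text) for name, text in configs.items()}
    diff = {}
    for vlan in sorted(set().union(*maps.values())):
        seen = {name: m.get(vlan, 0) for name, m in maps.items()}
        if len(set(seen.values())) > 1:
            diff[vlan] = seen
    return diff


def as_ranges(vlans):
    """Collapse VLAN IDs into compact range notation for a report line."""
    spans, start, prev = [], None, None
    for vlan in sorted(vlans):
        if start is None:
            start = prev = vlan
        elif vlan == prev + 1:
            prev = vlan
        else:
            spans.append((start, prev))
            start = prev = vlan
    if start is not None:
        spans.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)


# Constructed sample configs: R1 maps the range 200-300, R2 only VLANs 200 and 300.
SAMPLE_CONFIGS = {
    "R1": "!\nprotocol spanning-tree mstp\n no disable\n"
          " MSTI 1 VLAN 100\n MSTI 2 VLAN 200-300\n!\n",
    "R2": "!\nprotocol spanning-tree mstp\n no disable\n"
          " MSTI 1 VLAN 100\n MSTI 2 VLAN 200,300\n!\n",
}

if __name__ == "__main__":
    diff = mismatched_vlans(SAMPLE_CONFIGS)
    print("VLANs mapped inconsistently:", as_ranges(diff) or "none")
```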
msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768. Example of Assigning and Verifying the Root Bridge Priority By default, the simple configuration shown previously yields the same forwarding path for both MSTIs. The following example shows how R3 is assigned bridge priority 0 for MSTI 2, which elects a different root bridge than MSTI 2.
Dell(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI   VID
1      100
2      200-300
Modifying Global Parameters
The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
• Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
Example of the forward-delay Parameter To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
To view the current values for these interface parameters, use the show config command from INTERFACE mode. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode, an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
To view the enable status of this feature, use the show running-config spanning-tree mstp command from EXEC Privilege mode. MSTP Sample Configurations The running-configurations support the topology shown in the following illustration. The configurations are from Dell Networking OS systems. Figure 93. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1.
no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3.
3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
(Step 3)
interface vlan 100
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 200
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 300
tagged 1/0/31
tagged 1/0/32
exit
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
EXEC Privilege mode
debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
The following example shows viewing the debug log (a successful MSTP configuration).
Dell#debug spanning-tree mstp bpdu
MSTP debug bpdu is ON
Dell#
4w0d4h : MSTP: Sending BPDU on Te 2/21 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.
33 Multicast Features The Dell Networking OS supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Topics: • Enabling IP Multicast • Implementation Information • First Packet Forwarding for Lossless Multicast • Multicast Policies Enabling IP Multicast Before enabling any multicast protocols, you must enable IP multicast routing. • Enable multicast routing.
• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. • Multicast is not supported on secondary IP addresses. • Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing. First Packet Forwarding for Lossless Multicast All initial multicast packets are forwarded to receivers to achieve lossless multicast.
• Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range is from 1 to 16000. The default is 4000. NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may be superseded by this hardware space limitation.
entry is created only for group 239.0.0.1. VLAN 300 has no access list limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table.
Figure 94. Preventing a Host from Joining a Group
Table 58. Preventing a Host from Joining a Group — Description
Location   Description
1/21
• Interface GigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.1/24
• no shutdown
1/31
• Interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.
Location   Description
2/1
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.1/24
• no shutdown

• Interface GigabitEthernet 3/1
• ip pim sparse-mode
• ip address 10.11.5.1/24
• no shutdown
3/11
• Interface GigabitEthernet 3/11
• ip pim sparse-mode
• ip address 10.11.13.
• Limit the rate at which new groups can be joined. INTERFACE mode ip igmp group-join-limit To view the enable status of this feature, use the show ip igmp interface command from EXEC Privilege mode. Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in protocol independent multicast (PIM).
but no outgoing interfaces are listed. R2 has no filter, so it is allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions.
Figure 95. Preventing a Source from Transmitting to a Group
Table 59. Preventing a Source from Transmitting to a Group — Description
Location   Description
1/21
• Interface GigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.
Location   Description
2/1
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.1/24
• no shutdown

• Interface GigabitEthernet 3/1
• ip pim sparse-mode
• ip address 10.11.5.1/24
• no shutdown
3/11
• Interface GigabitEthernet 3/11
• ip pim sparse-mode
• ip address 10.11.13.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
the default route in each router changes, the mastership of the VRRP group is automatically reassigned to the router with the better metric. Figure 96. Object Tracking Example When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the tracked route is part of a VRF. The next-hop address is not part of the definition of the tracked object.
CONFIGURATION mode
track resolution {ip route | ipv6 route} {isis resolution-value | ospf resolution-value}
The range of resolution values is:
• ISIS routes - 1 to 1000. The default is 1.
• OSPF routes - 1 to 1592. The default is 1.
2 Configure object tracking on the metric of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name]
Valid object IDs are from 1 to 65535.
Dell(conf)#track 10 ip route 3.1.1.0/24 metric threshold vrf vrf1
The following example configures object tracking on the metric threshold of an IPv6 route.
Dell(conf)#track 8 ipv6 route 2::/64 metric threshold
Dell(conf-track-8)#threshold metric up 30
Dell(conf-track-8)#threshold metric down 40
Track Route Reachability
If you configure the reachability of an IP route entry as a tracked object, the UP/DOWN state of the route is determined by the entry of the next-hop address in the ARP cache.
Examples of IPv4 and IPv6 Tracking Route Reachability
The following example configures object tracking on the reachability of an IPv4 route.
Dell(conf)#track 104 ip route 10.0.0.0/8 reachability
Dell(conf-track-104)#delay up 20 down 10
Dell(conf-track-104)#end
Dell#show track 104
Track 104
IP route 10.0.0.0/8 reachability
Reachability is Down (route not in route table)
2 changes, last change 00:02:49
Tracked by:
Dell#configure
Dell(conf)#track 4 ip route 3.1.1.
Object Tracking Configuration You can configure three types of object tracking for a client. • Track Layer 2 Interfaces • Track Layer 3 Interfaces • Track IPv4 and IPv6 Routes For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide. Tracking a Layer 2 Interface You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
Example of Configuring Object Tracking
Dell(conf)#track 100 interface tengigabitethernet 7/1/1 line-protocol
Dell(conf-track-100)#delay up 20
Dell(conf-track-100)#description San Jose data center
Dell(conf-track-100)#end
Dell#show track 100
Track 100
Interface TenGigabitEthernet 7/1/1 line-protocol
Description: San Jose data center
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
The text string can be up to 80 characters. 4 (Optional) Display the tracking configuration and the tracked object’s status. EXEC Privilege mode show track object-id Examples of Configuring Object Tracking for an IPv4 or IPv6 Interface Example of configuring object tracking for an IPv4 interface.
Track 3
IPv6 route 2050::/64 reachability
Reachability is Up (STATIC)
5 changes, last change 00:02:16
First-hop interface is GigabitEthernet 13/2
Tracked by:
VRRP GigabitEthernet 7/30 IPv6 VRID 1
Track 4
Interface GigabitEthernet 13/4 ip routing
IP routing is Up
3 changes, last change 00:03:30
Tracked by:
Example of the show track brief command.
Router# show track brief
ResId Resource Parameter State LastChange
1 IP route reachability 10.16.0.0/16
Example of the show track resolution command.
35 Open Shortest Path First (OSPFv2 and OSPFv3) This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 97. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. An OSPF backbone is responsible for distributing routing information between areas.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
The following example shows different router designations. Figure 98. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
Autonomous System Border Router (ASBR)
The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gateway protocol (IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
• Cost is a numbered rating 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail. When a router fails and the cost is assessed, a new priority number results. Figure 99. Priority and Cost Examples OSPF Implementation The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes.
Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. The system allows you to accept and originate LSAs as soon as they are available to speed up route information propagation. NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
The following example shows no change in the updated packets (shown in bold). ACKs 2 (shown in bold) is printed only for ACK packets. 00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c 00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.
Dell(conf-if-te-2/2)#
In the following example, the dead interval is set at 4x the hello interval (shown in bold).
Dell (conf-if-te-2/2)#ip ospf dead-interval 20
Dell (conf-if-te-2/2)#do show ip os int te 1/3
TengigabitEthernet 2/2 is up, line protocol is up
Internet Address 20.0.0.1/24, Area 0
Process ID 10, Router ID 1.1.1.2, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State DR, Priority 1
Designated Router (ID) 1.1.1.2, Interface address 30.0.0.1
Backup Designated Router (ID) 1.1.1.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1 Assign an IP address to an interface.
clear ip ospf process-id
• View the current OSPFv2 status.
EXEC mode
show ip ospf process-id
Example of Viewing the Current OSPFv2 Status
Dell#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.10
Supports only single TOS (TOS0) routes
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
Dell#
Enabling Multi-Process OSPF (OSPFv2, IPv4 Only)
Multi-process OSPF allows multiple OSPFv2 processes on a single router.
When configuring the network command, configure a network address and mask that is a superset of the IP subnet configured on the Layer-3 interface for OSPFv2 to use. You can assign the area in the following step by a number or with an IP interface address. • Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area. CONFIG-ROUTER-OSPF-id mode network ip-address mask area area-id The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:04 Neighbor Count is 0, Adjacent neighbor count is 0 TengigabitEthernet 12/21 is up, line protocol is up Internet Address 10.2.3.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2 Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.
Process ID is the ID assigned when configuring OSPFv2 globally. 4 Configure the area as a stub area. CONFIG-ROUTER-OSPF-id mode area area-id stub [no-summary] Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area. Example of the show ip ospf database database-summary Command To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode.
Entering the physical interface type, slot, and number enables passive interface on only the identified interface. – For a 10–Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface te 2/1). – For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/port information (for example, passive-interface fo 2/3).
When disabled, the parameter is set at 0. NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support. Examples of Enabling Fast-Convergence In the following examples, Convergence Level shows the fast-converge parameter setting and Min LSA origination shows the LSA parameters (shown in bold).
CONFIG-INTERFACE mode
ip ospf hello-interval seconds
– seconds: the range is from 1 to 65535 (the default is 10 seconds).
The hello interval must be the same on all routers in the OSPF network.
• Use the MD5 algorithm to produce a message digest or key, which is sent instead of the key.
CONFIG-INTERFACE mode
ip ospf message-digest-key keyid md5 key
– keyid: the range is from 1 to 255.
– Key: a character string.
NOTE: Be sure to write down or otherwise record the key.
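How the message digest configured with ip ospf message-digest-key is derived and checked, following RFC 2328 Appendix D. This Python is an added example, not Dell Networking OS code; the key string, the Hello field values, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTYPE_CRYPTO = 2                       # RFC 2328: AuType 2 = cryptographic auth
HDR = struct.Struct("!BBH4s4sHHHBBI")   # 24-byte OSPFv2 header, auth field split out
DIGEST_LEN = 16                         # MD5 output size


def pad_key(key: bytes) -> bytes:
    """The shared secret is used as a 16-byte value, zero-padded if shorter."""
    if not 1 <= len(key) <= 16:
        raise ValueError("OSPFv2 MD5 key must be 1 to 16 bytes")
    return key.ljust(16, b"\x00")


def build_hello(router_id, area_id, key_id, key, seq, hello=10, dead=40):
    """Return header + Hello body + digest, i.e. the bytes sent on the wire."""
    body = struct.pack(
        "!4sHBBI4s4s",
        ipaddress.IPv4Address("255.255.255.0").packed,  # constructed network mask
        hello, 0x02, 1, dead,                           # interval, options, priority, dead
        bytes(4), bytes(4),                             # no DR/BDR elected yet
    )
    header = HDR.pack(
        2, 1, HDR.size + len(body),                     # version, type 1 (Hello), length
        ipaddress.IPv4Address(router_id).packed,
        ipaddress.IPv4Address(area_id).packed,
        0,                                              # checksum unused with AuType 2
        AUTYPE_CRYPTO,
        0, key_id, DIGEST_LEN,                          # reserved, key ID, digest length
        seq,                                            # cryptographic sequence number
    )
    # The key is appended only as hash input; the digest takes its place on the wire.
    digest = hashlib.md5(header + body + pad_key(key)).digest()
    return header + body + digest


def verify(packet, keys, last_seq):
    """Receiver-side check. Returns (verdict, sequence number to remember)."""
    if len(packet) < HDR.size + DIGEST_LEN:
        return "too short", last_seq
    (_ver, _type, length, _rid, _aid, _cksum, autype,
     _zero, key_id, auth_len, seq) = HDR.unpack_from(packet)
    if autype != AUTYPE_CRYPTO or auth_len != DIGEST_LEN:
        return "not MD5-authenticated", last_seq
    if length + auth_len != len(packet):
        return "length mismatch", last_seq
    key = keys.get(key_id)
    if key is None:
        return "unknown key id", last_seq
    expected = hashlib.md5(bytes(packet[:length]) + pad_key(key)).digest()
    if not hmac.compare_digest(expected, bytes(packet[length:])):
        return "bad digest", last_seq
    if seq < last_seq:                  # replayed or reordered packet
        return "stale sequence number", last_seq
    return "accepted", seq
```

Both neighbors must hold the same key under the same keyid, which is why a mismatch in either value shows up as a rejected packet rather than as an adjacency.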
Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 45 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 10.1.2.100 Backup Designated Router (ID) 10.1.2.100, Interface address 0.0.0.
Applying Prefix Lists
To apply prefix lists to incoming or outgoing OSPF routes, use the following commands.
• Apply a configured prefix list to incoming OSPF routes.
CONFIG-ROUTER-OSPF-id mode
distribute-list prefix-list-name in [interface]
• Assign a configured prefix list to outgoing OSPF routes.
CONFIG-ROUTER-OSPF-id mode
distribute-list prefix-list-name out [connected | isis | rip | static]
Redistributing Routes
You can add routes from other routing instances or protocols to the OSPF process.
• Is the OSPF process active on the interface?
• Are adjacencies established correctly?
• Are the interfaces configured for Layer 3 correctly?
• Is the router in the correct area type?
• Have the routes been included in the OSPF database?
• Have the OSPF routes been included in the routing table (not just the OSPF database)?
Some useful troubleshooting commands are:
• show interfaces
• show protocols
• debug IP OSPF events and/or packets
• show neighbors
• show routes
To help troublesh
!
router ospf 4
 router-id 4.4.4.4
 network 4.4.4.0/28 area 1
!
router ospf 5
!
router ospf 6
!
router ospf 7
 mib-binding
!
router ospf 8
!
ipv6 router ospf 999
 default-information originate always
 router-id 10.10.10.10
Dell#
Sample Configurations for OSPFv2
The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI.
!
interface TengigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TengigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TengigabitEthernet 3/1
 ip address 10.1.13.
The OSPFv3 ipv6 ospf area command enables OSPFv3 on the interface and places the interface in an area. With OSPFv2, two commands are required to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPF on an interface. NOTE: The OSPFv2 network area command enables OSPF on multiple interfaces with the single command. Use the OSPFv3 ipv6 ospf area command on each interface that runs OSPFv3.
– process-id: the process ID number assigned.
– area-id: the area ID for this interface.
Assigning OSPFv3 Process ID and Router ID Globally
To assign, disable, or reset OSPFv3 globally, use the following commands.
• Enable the OSPFv3 process globally and enter OSPFv3 mode.
CONFIGURATION mode
ipv6 router ospf {process ID}
The range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
CONF-IPV6-ROUTER-OSPF mode
router-id {number}
– number: the IPv4 address. The format is A.B.C.D.
• Disable OSPF.
CONFIGURATION mode
no ipv6 router ospf process-id
• Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf process
Configuring the Cost of OSPFv3 Routes
Change in bandwidth directly affects the cost of OSPF routes.
• Explicitly specify the cost of sending a packet on an interface.
INTERFACE mode
ipv6 ospf interface-cost
– interface-cost: The range is from 1 to 65535. Default cost is based on the bandwidth.
– For a port channel, enter the keywords port-channel then a number from 1 to 255 (for example, passive-interface po 100).
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface ten 2/3).
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information (for example, passive-interface ten 2/4).
OSPFv3 Authentication Using IPsec
OSPFv3 uses IP security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers. IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer. IPsec supports two encryption modes: transport and tunnel.
• In an OSPFv3 authentication policy: – AH is used to authenticate OSPFv3 headers and certain fields in IPv6 headers and extension headers. – MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported. • In an OSPFv3 encryption policy: – Both encryption and authentication are used. – IPsec security associations (SAs) are supported only in Transport mode (Tunnel mode is not supported).
show crypto ipsec sa ipv6 Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands. Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
– key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
– authentication-algorithm: specifies the authentication algorithm to use for encryption. The valid values are MD5 or SHA1.
– key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted).
Outbound AH SPI : 500 (0x1F4)
Inbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Outbound AH Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e
Transform set : ah-md5-hmac
Crypto IPSec client security policy data
Policy name : OSPFv3-0-501
Policy refcount : 1
Inbound ESP SPI : 501 (0x1F5)
Outbound ESP SPI : 501 (0x1F5)
Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
Outbound ESP Auth Key : bbdd96e6e
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide examples of typical troubleshooting checks.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094 (for example, passive-interface vlan 2222). The system supports up to 4094 VLANs.
36 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 101.
Dell Networking Term                       IEEE Specification
Multiple Spanning Tree Protocol (MSTP)     802.1s
Per-VLAN Spanning Tree Plus (PVST+)        Third Party
Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs.
disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
INTERFACE mode
no spanning-tree pvst
Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
• Assign a bridge priority. PROTOCOL PVST mode vlan bridge-priority The range is from 0 to 61440. The default is 32768. Example of the show spanning-tree pvst vlan Command To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode. Dell(conf)#do show spanning-tree pvst vlan 100 VLAN 100 Root Identifier has priority 4096, Address 0001.e80d.
NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
PROTOCOL PVST mode
vlan max-age
The range is from 6 to 40. The default is 20 seconds.
The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command.
The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
Enabling PVST+ Extend System ID In the following example, ports P1 and P2 are untagged members of different VLANs. These ports are untagged because the hub is VLAN unaware. There is no data loop in this scenario; however, you can employ PVST+ to avoid potential misconfigurations. If you enable PVST+ on the Dell Networking switch in this network, P1 and P2 receive BPDUs from each other.
!
interface TengigabitEthernet 1/32
 no ip address
 switchport
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface Tengigabit
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 300 bridge-priority 4096
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
1. After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group. The interface on which the join message was received becomes the outgoing interface associated with the (*,G) entry. 2. The last-hop DR sends a PIM Join message to the RP.
Configuring PIM-SM
Configuring PIM-SM is a three-step process.
1. Enable multicast routing (refer to the following step).
2. Select a rendezvous point.
3. Enable PIM-SM on an interface.
Enable multicast routing.
CONFIGURATION mode
ip multicast-routing
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
127.87.50.5 Te 1/13 00:03:08/00:01:37 v2 1 / S
Dell#
To display the PIM routing table, use the show ip pim tib command from EXEC privilege mode.
Dell#show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.
Dell#sh run pim ! ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface. The following command is applied to the subsequent inbound and outbound updates. Timeout removes existing BSR advertisements.
• Create multicast boundaries and domains by filtering inbound and outbound BSR messages per interface.
ip pim bsr-border
• Remove candidate RP advertisements.
38 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SSM
Configuring PIM-SSM is a two-step process.
1. Configure PIM-SM.
2. Enable PIM-SSM for a range of addresses.
Related Configuration Tasks
• Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1 Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2 Enter the ip pim ssm-range command and specify the ACL you created.
To display the source to which a group is mapped, use the show ip igmp ssm-map [group] command. If you use the group option, the command displays the group-to-source mapping even if the group is not currently in the IGMP group table. If you do not specify the group option, the display is a list of groups currently in the IGMP group table that has a group-to-source mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command.
39 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
next-hops and/or Tunnel Interfaces in this case).
Create a Rule for a Redirect-list
Use the following command in CONFIGURATION REDIRECT-LIST mode to set the rules for the redirect list. You can enter the command multiple times and create a sequence of redirect rules. Use the seq nn redirect version of the command to organize your rules.
Table 63. Create a Rule for a Redirect-list
Command Syntax Command Mode Purpose
{seq sequence-number} REDIRECT Configure a rule for the redirect list.
• lt = less than
• range = inclusive range of ports (you must specify two ports for the port command parameter.)
source ip-address or any or host ip-address (Optional) — Source’s IP address or host from which the packets were sent.
mask (Optional) — network mask /prefix format (/x).
any (Optional) — Specifies that all traffic is subject to the filter.
destination mask — IP address of the network or host to which the packets are sent. FORMAT: A.B.C.
<0-255> An IP protocol number
icmp Internet Control Message Protocol
ip Any Internet Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
Dell(conf-redirect-list)#redirect 3.3.3.3 ip ?
A.B.C.D Source address
any Any source host
host A single source host
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ?
Mask A.B.C.D or /nn Mask in dotted decimal or in
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 ?
A.B.C.
Ineffective PBR Exception due to Low Sequence Number
ip redirect-list rcl0
 seq 5 redirect 2.2.2.2 ip any any
 seq 10 permit ip host 3.3.3.3 any
To ensure that the permit statement or PBR exception is effective, use a lower sequence number, as shown below:
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
Apply a Redirect-list to an Interface using a Redirect-group
IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces.
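Before a redirect list is applied to an interface, the ordering problem shown above (a permit exception placed after a broader redirect rule) can be checked offline. The following Python is an added example, not Dell Networking OS code; it assumes rules are evaluated first-match in ascending sequence order, as the two listings imply, and handles only ip rules whose operands are any, host, or a prefix. The function names and the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# The two orderings of redirect list rcl0 discussed above.
INEFFECTIVE = """
ip redirect-list rcl0
 seq 5 redirect 2.2.2.2 ip any any
 seq 10 permit ip host 3.3.3.3 any
"""
EFFECTIVE = """
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
"""


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "redirect <next-hop>"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/nn' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_redirect_list(text):
    """Return the list's rules sorted by sequence number."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "seq":
            continue                 # list name, description, '!' separators
        seq, kind, rest = int(tokens[1]), tokens[2], tokens[3:]
        if kind == "redirect":
            action = "redirect " + rest.pop(0)
        elif kind == "permit":
            action = "permit"
        else:
            raise ValueError(f"seq {seq}: unsupported action {kind!r}")
        if rest.pop(0) != "ip":
            raise ValueError(f"seq {seq}: only 'ip' rules are handled here")
        src = take_addr(rest)
        dst = take_addr(rest)
        rules.append(Rule(seq, action, src, dst))
    return sorted(rules, key=lambda r: r.seq)


def first_match(rules, src, dst):
    """Return (seq, action) of the first rule matching a packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.seq, rule.action
    return None, "no match"


def shadowed_rules(rules):
    """Return (shadowed_seq, covering_seq) for rules that can never match."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                findings.append((later.seq, earlier.seq))
                break
    return findings
```

Running shadowed_rules over a list before it is committed flags a PBR exception that an earlier, broader rule has already consumed.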
Table 65. Viewing the Redirect-list Configuration Command Syntax Command Mode Purpose show ip redirect-list redirect-list-name EXEC View the redirect list configuration and the associated interfaces. show cam pbr EXEC View the redirect list entries programmed in the CAM. show cam-usage List the redirect list configuration using the show ip redirect-list redirect-list-name command. The non-contiguous mask is displayed in dotted format (x.x.x.x). The contiguous mask is displayed in /x format.
N/A NA 06081 0 N/A TCP 0x10 00:00:00:00:00:09 8/1 0 40 234.234.234.234 255.234.234.234 222.222.222.222/24
Sample Configuration
The following configuration is an example for setting up a PBR. These are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP Addresses, Interfaces, Names, etc.
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any
 seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any
 seq 15 permit ip any any
Assign Redirect-List GOLD to Interface 2/11
EDGE_ROUTER(conf)#int Te 2/11/1
EDGE_ROUTER(conf-if-Te-2/11/1)#ip add 192.168.3.
1 Interface ip routing Tunnel 1
2 Interface ipv6 routing Tunnel 2
3 IP Host reachability 42.1.1.2/32
4 IP Host reachability 43.1.1.
ResId Resource Parameter State LastChange
1 Interface ip routing Tunnel 1 Up 00:00:00
2 Interface ipv6 routing Tunnel 2 Up 00:00:00
Dell#
Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#ip redirect-list explicit_tunnel
Dell(conf-redirect-list)#redirect tunnel 1 track
Dell(conf-redirect-list)#redirect tunnel 1 track
Dell(conf-redirect-list)#redirect tunnel 1 track
Dell(conf-redirect-list)#redirect tunnel 2 track
Dell(conf-redirect-list)#redir
40 Port Extenders (PEs) The C9010 switch supports the IEEE 802.1BR fabric protocol to expand the port density of the chassis, using C1048P port extenders. In this deployment, the C9010 operates as a controlling bridge for the C1048P. The C1048P functions as a remote line card that is physically connected to, and provisioned by, a C9010 over 10GbE links according to the IEEE 802.1BR standard. IEEE 802.1BR The IEEE 802.
802.1BR Terms and Definitions The 802.1BR protocol uses the following terms to describe the operation of a controlling bridge and attached port extenders. 802.1BR Term Definition Cascade port A port on a controlling bridge or bridge port extender that connects to an upstream port. In the case of the connection between two bridge port extenders, the cascade port is the port closest to the controlling bridge. Controlling bridge A bridge that supports one or more bridge port extenders.
Dell(conf)# pe provision pe-id • pe-id is a port-extender ID number from 0 to 255. You must enter a pe-id value; there is no default. After you provision a PE, you can manage the PE by entering the pe pe-id command; for example: Dell(conf)# pe 0 Dell(conf-pe-0)# show config NOTE: Dell Networking OS recommends that before you configure the cascade ports on the parent control bridge, ensure that the cascade ports have a default port configuration with no L2 and L3 configuration.
Dell(conf-pe-10)# show config
pe provision 10
 cascade interface TenGigabitEthernet 1/0,12
 stack-unit 0 type C1048P
Dell# do show pe brief
-- Port Extenders Information --
------------------------------------------------
PE-id Status Stack-size Type System-MAC
------------------------------------------------
10 online 1 C1048P 00:01:02:03:11:01
NOTE: If the status of a port extender is not online, communication with the attached C9010 was unsuccessful, possibly due to a mismatch in software version (SVM) or anoth
feature extended-bridge
!
pe provision 10
 cascade interface TenGigabitEthernet 1/0
 stack-unit 0 type C1048P
 stack-unit 0 priority 1
!
pe provision 20
 cascade interface TenGigabitEthernet 1/12
Dell# show pe brief
- Port Extenders Information -
---------------------------------------------------------
PE-id Status Stack-size Type System-MAC
---------------------------------------------------------
10 online 1 C1048P a0:68:00:3f:92:bc
20 offline 1 C1048P 00:00:00:00:00:00
Dell#show pe errors
PE-id: 10 PE MAC: a0
online. In the following example, PE 10 is provisioned to connect only to cascade port 1/12. However, the second uplink port on the PE is also cabled to cascade port 1/0. As a result, port 1/0 is not included in the auto-LAG although it is discovered as an LLDP neighbor.
Displaying PE Status To verify the operational status of a C1048P attached to a C9010, enter any of the show commands in this section. In the command output, online indicates that a C1048P is up; offline indicates that a C1048P is down.
0 1 absent NA NA -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -----------------------------------------------------------------------------------0 0 up up 8888 up 9056 Speed in RPM For more information about verifying the PE configuration, see Displaying PE Stack Information. Resetting a Port Extender To reload a PE, enter the reset command. • reset pe pe-id stack-unit pe-stack-unit-id EXEC Privilege – pe-id is a port-extender ID number from 0 to 255.
Po 1 Pe-Loop Shutdown PEloop-disable Po 100 Pe-Loop Shutdown PEloop-disable 5 To display the reason why the line protocol is down on a PE port or port channel, enter the show interface command. EXEC mode Dell(conf-if-po-1)#do show interface port-channel 1 Port-channel 1 is up, line protocol is down(Pe Loop Detection) Upgrading a Port Extender You can update the Dell Networking operating system (OS) on a port extender manually as needed or allow it to be automatically updated by the controlling bridge.
reset pe {0-255} [stack-unit {0-7}] Dell# Dell#reset pe Resetting PE will reload the entire PE STACK. Continue? [yes/no]: yes 3 Verify the OS image upgrade. EXEC Privilege mode show os-version Dell# Dell#show os-version RELEASE IMAGE INFORMATION : --------------------------------------------------------------------Platform Version Size ReleaseTime C-Series:C9000 9.9(0.
PE FPGA IMAGE INFORMATION : --------------------------------------------------------------------FPGA Name Version CPLD 16 PE PoE-CONTROLLER IMAGE INFORMATION --------------------------------------------------------------------Type Version PoE Controller 2.65 De-provisioning a Port Extender To remove the provisioned configuration from a PE, follow one of the de-provisioning procedures in this section.
homing setup. The following figure shows PE dual homing, where the C1048P port extenders are dual-homed to a pair of C9010 switches.
Figure 105. Dual Homing — Sample Topology
In the preceding illustration, Port Extender PE 1 is connected to System A and Port Extender PE 2 is connected to System B. PE 3 is connected to both A and B. When systems A and B are connected to each other and configured as VLT peers, you can configure PE 1, PE 2, and PE 3 from either system.
Systems with Port Extender The following diagram illustrates PE 1 connected to System A and PE 2 connected to System B. Figure 106. Systems with Port Extender — Before setting up Dual Homing You can connect System A and System B and configure them as VLT peers as follows: 1 Ensure that System A and System B are upgraded to OS 9.10(0.). Ensure that PE IDs of PE 1 and PE 2 are different. The IDs should be unique and cannot overlap during the configuration.
5 Add VLTi for the election to happen between the systems.
6 System A and System B become VLT peers after the election of primary and secondary VLT units.
7 The PE connected to the primary is online and the PE connected to the secondary remains offline.
8 Import the configurations of peer systems in both primary and secondary CBs by using the import peer-config command.
PE Configuration: Local Status: Present, Remote Status: Present -----------------------------------------------------------------------Stack-id Status Reason Type UnitMac No.
3 Remove the disconnected interface (Te 0/1) from the configuration mode of PE 1 in System A. The configuration would be already available in System A and needs to be removed. PE CONFIGURATION (BATCH mode) no cascade interface interface slot/port Dell# no cascade interface TenGigabitEthernet 0/1 4 Configure the cascade interface of the System B through the batch mode of System A and commit the configuration.
Build Path: /sites/eqx/work/swbuild01_1/patch02/E9-9-0/SW/SRC Dell Networking OS uptime is 10 minute(s) System image file is "system://A" System Type: C9010 Control Processor: Intel Rangeley with 2 Gbytes (2127536128 bytes) of memory, core(s) 4. Route Processor: Intel Rangeley with 2 Gbytes (2127536128 bytes) of memory, core(s) 4. 16G bytes of boot flash memory. 2 Route Processor Module. 1 24-port TE/GE 2 4-port TE/GE 32 Ten GigabitEthernet/IEEE 802.
Linecard3 Linecard4 Linecard5 Linecard6 Linecard7 Linecard8 Linecard9 Linecard10 Linecard11 PE (0/0) PE (0/1) Boot Boot Boot Boot Boot Boot Boot Boot Boot Boot Boot Flash Flash Flash Flash Flash Flash Flash Flash Flash Flash Flash 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.16 3.3.1.7 3.3.1.7 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.18 3.3.1.7 3.3.1.
Apr 3 05:47:20: %RPM1-P:CP %DOWNLOAD-6-UPGRADE_PROGRESS: PE 200 firmware auto sync is in progress. Apr 3 05:47:21: %RPM1-P:CP %BRM-5-PE_UNIT_DOWN: PE:200 Unit:2 Unit MAC:f8:b1:56:00:02:8a is operationally down. Apr 3 05:47:22: %RPM1-P:CP %BRM-5-BRM_LOG_PE_UNIT_VALIDATE_ERROR: PE:200 Unit:2 is in error: SW and CAM ACL Validation error state.
not programmed? Apr 3 00:41:00: %PE200-UNIT2-M:CP %CHMGR-5-CHMCANNOTDO: Unable to read chassis mfg eeprom not programmed? Apr 3 00:41:01: %PE200-UNIT2-M:CP %CHMGR-5-STACKUNIT_DETECTED: stack-unit 2 present Apr 3 00:41:01: %PE200-UNIT2-M:CP %CHMGR-5-CHECKIN: Checkin from stack-unit 2 (type C1048P, 52 ports) Apr 3 00:41:01: %PE200-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 60 % of the full speed Apr 3 00:41:01: %PE200-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 75 % of the full spee
Supported Features
• Because PE interfaces only support Layer 2 mode, you cannot configure an IP address or Layer 3 protocol features on them.
• A port extender supports the following L2 protocols on PE ports: NOTE: The only Layer 3 feature supported on PE ports is L3 VLANs – 802.
41 Port Extender (PE) Stacking You can stack up to eight C1048P port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. Stacking is not supported on C9010 switches. To set up a PE stack, follow the installation procedure in the Dell Networking C1048P Getting Started Guide or Dell Networking C1048P Installation Guide. Each C1048P has 48 user ports, two uplink ports, and two stack-ports.
• You power down the stack master.
• A failover of the master switch occurs.
• You disconnect the master switch from the stack.
NOTE: If a stack unit does not boot up at the same time as the other units, it does not participate in the election process, because the master and standby have already been elected. A unit that boots up late joins as a member, even if it has a higher priority configured.
feature extended-bridge
2 Enter Port-Extender Configuration mode to provision a PE stack by using the PE ID. A Cascade LAG (port channel) is automatically created, once PE is provisioned or created.
CONFIGURATION mode
pe provision pe-id
• pe-id is a port-extender ID number from 0 to 255.
3 Configure the cascade ports on the C9010 which are attached to PE stack units.
0 1 2 online online online - C1048P C1048P C1048P a0:68:00:3f:92:bc 6c:c0:00:11:22:33 34:17:eb:00:bb:09 52 52 52 Example of Dual Homed PE Stack Dell(conf-b)#pe provision 2 Dell(conf-b-pe-2)#cascade interface TenGigabitEthernet 0/0 Dell(conf-b-pe-2)#cascade interface TenGigabitEthernet 1/4 peer Dell(conf-b)#commit Dell(conf-b)#end Dell# show pe 2 Codes: A - Active, I - Inactive Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch SVM - Software Version Mismatch, UE - Unknown Error Offline Reason: U
After the new unit loads and the parent C9010 discovers it, the preconfigured software settings download from the C9010. The new unit functions as part of the stack. Renumbering a Stack Unit By default, the number of a PE stack unit is 0. After you create and power on a PE stack, the units automatically number from 0 to 7, starting at 0. To change the default or automatically assigned stack unit number, use the pe renumber command.
Managing PE Stack Redundancy To manage the master and standby redundancy in a PE stack, use the following commands. • Reset the current management unit and make the standby unit the new master unit. EXEC Privilege mode redundancy force-failover pe pe-id pe-id — port extender identifier. The range is 0 through 255. The following example shows the redundancy force-failover pe command. Dell#redundancy force-failover pe 3 • A new standby is elected.
Last failover timestamp: Last failover Reason: Last failover type: None None None -- Last Data Block Sync Record: ------------------------------------------------stack-unit Config: succeeded Jun 30 2015 15:26:47 Runtime Event Log: succeeded Jun 30 2015 15:26:47 Running Config: succeeded Jun 30 2015 15:26:47 Removing a Unit from a PE Stack In a PE stack, the parent C9010 synchronizes the software configuration on all stack units.
Displaying PE Stack Information To display information about a PE stack configuration, enter the following show commands in EXEC Privilege mode. • Display information about PE stack units connected to the C9010, including the discovery status.
--------------------------------------------------------------
1 0 up up 9056 up 8888
2 0 up up 9056 up 9230
3 0 up up 10000 up 9795
Speed in RPM
• Display information about a specified PE stack unit, including status, unit type, and MAC address.
Dell#show pe 255 system stack-unit 2
-- Unit 2 --
Unit Type : Management Unit
Status : online
Next Boot : online
Required Type : C1048P - 48-port GE
Current Type : C1048P - 48-port GE
Master priority : 0
Hardware Rev : 5.
show pe pe-id system stack-ports topology
Dell#show pe 255 system stack-ports topology
Topology: Ring
Interface Connection
--------------------
1/1 3/1
1/2 2/1
2/1 1/2
2/2 3/2
3/1 1/1
3/2 2/2
Locating the Port Extender
• Use the location-led command to locate a PE by toggling its LED off and on.
EXEC Privilege mode
location-led pe pe-id stack-unit unit-number
The following example turns on the green blinking light on the main PSU LED on port extender 0 stack unit 5.
Splitting a Daisy-Chained PE Stack If you split a PE stack in a daisy-chain topology into two sub-stacks and each sub-stack has a PE uplink to the controlling bridge, the C9010 detects the stack split and generates an alarm. System administrator intervention is required to diagnose and correct the split condition; for example, check cable connections or reboot stack units to reactivate each PE stack.
42 Port Monitoring Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques: • Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Example of Viewing a Monitoring Session Given these parameters, the following illustration shows the possible port monitoring configurations on the switch. Figure 110. Port Monitoring Configurations Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs.
Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/1 direction tx
Dell(conf-mon-sess-300)#do show mon session
SessionID Source Destination Direction Mode Type
--------- ------ ----------- --------- ------
0 Te 0/13 Te 0/1 rx interface Port-based
10 Te 0/14 Te 0/2 rx interface Port-based
20 Te 0/15 Te 0/3 rx interface Port-based
30 Te 0/16 Te 0/37 rx interface Port-based
300 Te 0/17 Te 0/1 tx interface Port-based
Dell(conf-mon-sess-300)#
Example of Configuring Another Monitoring Session with a Pr
source interface interface | range — Specify the port or list of ports to be monitored. Enter one of the following keywords and slot/port information:
• For a 10–Gigabit Ethernet interface, enter the keyword TenGigabitEthernet, then the slot/port information.
• For a 40–Gigabit Ethernet interface, enter the keyword fortyGigE, then the slot/port information.
• For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the PEID/Unit/Port/ information.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic). Figure 111. Port Monitoring Example Remote Port Mirroring Local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router.
Remote Port Mirroring Example Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles. Each source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle with a blue border).
• BPDU monitoring is not required to use remote port mirroring.
• A remote port mirroring session mirrors monitored traffic by prefixing the reserved VLAN tag to monitored packets so that they are copied to the reserved VLAN.
• Mirrored traffic is transported across the network using 802.1Q-in-802.1Q tunneling. The source address, destination address and original VLAN ID of the mirrored packet are preserved with the tagged VLAN header. Untagged source packets are tagged with the reserved VLAN ID.
• A destination port for remote port mirroring cannot be used as a source port, including the session in which the port functions as the destination port. • A destination port cannot be used in any spanning tree instance. • The reserved VLAN used to transport mirrored traffic must be a L2 VLAN. L3 VLANs are not supported.
(rx), egress (tx), or both ingress and egress traffic to be monitored. 7 no disable Enter the no disable command to activate the RPM session.
Dell(conf-if-te-0/0)#no shutdown Dell(conf-if-te-0/0)#exit Dell(conf)#interface te 0/1 Dell(conf-if-te-0/1)#switchport Dell(conf-if-te-0/1)#no shutdown Dell(conf-if-te-0/1)#exit Dell(conf)#interface te 0/2 Dell(conf-if-te-0/2)#switchport Dell(conf-if-te-0/2)#no shutdown Dell(conf-if-te-0/2)#exit Dell(conf)#interface vlan 10 Dell(conf-if-vl-10)#mode remote-port-mirroring Dell(conf-if-vl-10)#tagged te 0/0 Dell(conf-if-vl-10)#exit Dell(conf)#inte vlan 20 Dell(conf-if-vl-20)#mode remote-port-mirroring Dell(conf
tagged Port-channel 2 mac access-group mac2 out no shutdown 4. Create an RPM session (In the following example, port-channels 1 and 2 are LACP). Dell(conf)#monitor session 1 type rpm Dell(conf-mon-sess-1)#source port-channel 1 destination remote-vlan 10 dir rx Dell(conf-mon-sess-1)#no disable 5. Verify the port-channel configuration.
multiple source statements in an ERPM monitoring session.
5 erpm source-ip-address dest-ip-address
Specify the source IP address and the destination IP address to which encapsulated mirrored traffic is sent.
6 flow-based enable
Specify ERPM to be performed on a flow-by-flow basis or if you configure a VLAN source interface. Enter no flow-based disable to disable flow-based ERPM.
7 no disable
Enter the no disable command to activate the ERPM session.
seq 10 permit any any count monitor Dell(config-ext-macl)# Dell(config-ext-macl)#do sh run int vlan 100 ! interface Vlan 100 no ip address tagged peGigE 3/0/1 mac access-group test in shutdown Dell(config-ext-macl)#
43 Power over Ethernet (PoE) The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to the attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P port-extender (PE); PoE is not supported on the C9010 switches. PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
Configuring PoE or PoE+ Configuring PoE or PoE+ is a two-step process: 1. Connect the IEEE 802.3af/802.3at-compliant powered device directly to a port. 2. Enable PoE or PoE+ on the port extender. Enabling PoE or PoE+ on a Port By default, PoE or PoE+ are disabled. Configuration tasks for PoE include: • Enabling PoE and managing the inline power supplied to the port extender ports using the power inline mode command. To manage inline power in a port extender, use Configure Class or Static mode.
Manage Ports using Power Priority and the Power Budget
The allocation and return of power on ports depends on the total inline power available in the system and the power priority calculation.
Determining the Power Priority for a Port
The Dell Networking OS uses a sophisticated port prioritization algorithm to determine which ports receive power so that the PoE and PoE+ ports are powered up and down deterministically.
Managing Power Priorities
PoE or PoE+ enabled port extender ports have power access priorities based first on the configured priority and then on their port number. By default, priority follows the port number: lower port numbers have higher priority than higher port numbers. You can augment the default prioritization using the [no] power inline {[max_milliwatts] | priority {critical | high | low}} command, where critical is the highest priority and low is the lowest priority.
Example: Configuring Power Management Static Mode on the Port Extender
The following example configures the power management to Static mode on the port extender 0 on stack unit 0.
Dell(conf)#power inline mode pe 0 stack-unit 0 static
Example: Displaying PoE Power Allocation on a Port Extender
The following example displays the PoE power allocation on a specified port extender, using the show power inline {pe pe-id stack-unit unit number | interface interface } command in EXEC and EXEC Privilege mode.
NOTE: When you use the power inline max_milliwatts command, avoid allocating more power than necessary to a port, because allocated power is unavailable to other ports regardless of whether it is consumed. Typical IP phones use 3 to 10 Watts.
The power inline command has the following parameters:
• max_milliwatts — (OPTIONAL) Specify the maximum inline power that is allocated to a powered device connected to the interface. The range is from 440 to 30000 mW.
------------ ------------ ------------ ------- ------ -------- ------
PeGi 255/0/1 30.00/21.40 21.50 4 2 low 0
Example of Configuring Port Extender Interfaces with a Maximum Power of 15000 and 5000 mW
The following example sets the maximum allocated power to 15000 mW on interface peGigE 0/0/1 and 5000 mW on interface peGigE 0/0/2. Interface peGigE 0/0/3 is not configured. The default value of 30000 mW is the maximum power that you can allocate to a device.
The following example sets the global threshold limit for the PoE power budget to 99 percent on port extender 0 on stack unit 0.
4. PD requested power value — Dell Networking OS uses this value for power allocation.
5. PSE allocated power value — Dell Networking OS uses this value to check whether the PD is in sync with the PSE.
To enable the system or an interface to advertise the IEEE 802.3 power-via-mdi TLV, which carries its power negotiation capabilities to the powered devices using LLDP, use the advertise dot3-tlv power-via-mdi command. You can configure this command either on a specific interface or globally.
Deploying Voice Over IP (VoIP) For a complete list of all PoE commands, see the Dell Networking OS Command Line Reference Guide. Current VoIP phones follow the same basic boot and operations process: 1. Wait for an LLDP from the Ethernet switch. 2. Obtain an IP address from a dynamic host configuration protocol (DHCP) server. 3. Send an LLDP-MED frame to the switch. 4. Wait for an LLDP-MED frame from the switch and read the Network Policy TLV to get the VLAN ID, Layer 2 priority, and DSCP value. 5.
description "Voice VLAN" no ip address tagged PeGigGE 0/6/10-11,22-23,46-47 shutdown ! interface Vlan 300 description "Voice Signaling VLAN" no ip address tagged PeGigGE 0/6/10-11,22-23,46-47 shutdown Configuring LLDP-MED for an Office VoIP Deployment VoIP deployments may optionally use LLDP-MED. LLDP-MED advertises VLAN, dot1P, and DSCP configurations on the switch so that you do not need to manually configure every phone with this information.
Dell#show run qos-policy-output ! qos-policy-output VoIP_Q scheduler strict Honoring the Incoming dot1p Value If you know that traffic originating from the phone is tagged with a dot1p value of 5, you can make the associated queue a strict-priority queue, as shown in the following example.
To classify VoIP traffic and apply QoS policies for an office VoIP deployment, use the following commands: 1 Create three standard or extended access-lists, one each for voice, voice signaling, and PC data, and place each in its own match-any class-map. CONFIGURATION mode or CLASS-MAP mode ip access-list or class-map match-any 2 Create an input policy-map containing all three class-maps and assign each class-map a different service queue.
!
qos-policy-output signalling
bandwidth-weight 64
Dell#sh run policy-map-output
!
policy-map-output BW
service-queue 1 qos-policy data
service-queue 2 qos-policy signalling
Dell#sh run | grep strict-p
strict-priority unicast 3
Dell#sh run int gi 0/6/10
!
interface GigabitEthernet 0/6/10
description "IP Phone X"
no ip address
portmode hybrid
switchport
service-policy input phone-pc
power inline
no shutdown
Dell#sh run int gi 0/6/2
!
interface GigabitEthernet 0/6/2
description "Uplink to C9000"
no ip address
Suspending Power Delivery on the Port Extender
You can temporarily disable and then restore power on the port extender. For information about how to restore power to the port extender, see Restoring Power Delivery on the PE.
To disable inline power on the port extender, use the following command. When you use this command, the inline power to all the ports on the port extender is disabled.
• Disable inline power on the port extender.
Power Management Mode: Static Interface Inline Power Inline Power Class Device PoE Port LLDP Max / Alloc Consumed Type Priority Support (Watts) (Watts) ----------------------- ------------ ------- ------ -------- -----PeGi 0/0/0 30.00/0.00 0.00 NO_PD critical 0 Monitor the Power Budget The power budget is the amount of power available from the installed PSUs minus the power required to operate the port extender.
• If all the lower priority ports combined cannot meet the power requirements of the newly enabled port, the command is accepted but power on the lower priority ports is not terminated and power is not supplied to the port. The second result is true even if a powered device is not connected to the port. You can allocate power to a port, thus subtracting it from the power budget and making it unavailable to other ports, but that power is not consumed.
NOTE: After device detection, the Class value received via 802.3 Power via MDI takes precedence and displays here.
Device Type Displays whether the device is Type 1 or Type 2. NOTE: After device detection, the Type value received via 802.3 Power via MDI takes precedence and displays here.
PoE Port Priority Displays the priority assigned for the port (the default is low). See Allocating PoE Power on an Interface. NOTE: You can configure the priority, or it is received via 802.3 Power via MDI.
Field Description
Inline Power Allocated (Watts) Total power allocated to the ports.
Inline Power Consumed (Watts) Total power that connected devices consume.
Inline Power Remaining (Watts) Difference between the available power and the allocated power.
44 Private VLANs (PVLAN)
Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN. PVLAN port types include: • Host port — in the context of a private VLAN, is a port in a secondary VLAN.
• Display primary-secondary VLAN mapping.
EXEC mode or EXEC Privilege mode
show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
INTERFACE
switchport mode private-vlan {host | promiscuous | trunk}
NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs.
Dell#conf Dell(conf)#interface TengigabitEthernet 2/1 Dell(conf-if-te-2/1)#switchport mode private-vlan promiscuous Dell(conf)#interface TengigabitEthernet 2/2 Dell(conf-if-te-2/2)#switchport mode private-vlan host Dell(conf)#interface TengigabitEthernet 2/3 Dell(conf-if-te-2/3)#switchport mode private-vlan trunk Dell(conf)#interface TengigabitEthernet 2/2 Dell(conf-if-te-2/2)#switchport mode private-vlan host Dell(conf)#interface port-channel 10 Dell(conf-if-po-10)#switchport mode private-vlan promiscuous
7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs. INTERFACE VLAN mode ip local-proxy-arp NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped. Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN.
INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN. Example of Configuring Private VLAN Members The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 115. Sample Private VLAN Topology The following configuration is based on the example diagram: • Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• Te 0/3 is a promiscuous port and Te 0/25 is a PVLAN trunk port, assigned to the primary VLAN 4000.
• Te 0/4-6 are host ports. Te 0/4 and Te 0/5 are assigned to the community VLAN 4001, while Te 0/6 is assigned to the isolated VLAN 4003.
The result is that:
• The S50V ports would have the same intra-switch communication characteristics as described for the C300.
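The forwarding rules this chapter states for promiscuous, community and isolated ports can be checked against a port-role table before the configuration is applied. The following Python model is an added example, not Dell Networking code: it covers Layer 2 forwarding only, uses the port assignments listed for the two switches in the sample topology, and assumes a PVLAN trunk port behaves like a promiscuous port for local reachability. The Port type and all function names are hypothetical.

```python
from dataclasses import dataclass
from itertools import combinations

# VLAN roles from the page's example: primary 4000, community 4001, isolated 4003.
VLAN_TYPES = {4000: "primary", 4001: "community", 4003: "isolated"}
MODES = ("promiscuous", "trunk", "host")


@dataclass(frozen=True)
class Port:  # hypothetical helper type, not a Dell OS construct
    name: str
    mode: str  # one of MODES
    vlan: int  # primary VLAN for promiscuous/trunk ports, secondary VLAN for hosts


# Port roles as listed for the two switches in the sample topology.
SWITCH_A = [
    Port("Te 0/0", "promiscuous", 4000),
    Port("Te 0/25", "trunk", 4000),
    Port("Te 0/24", "host", 4003),
    Port("Te 0/47", "host", 4003),
]
SWITCH_B = [
    Port("Te 0/3", "promiscuous", 4000),
    Port("Te 0/25", "trunk", 4000),
    Port("Te 0/4", "host", 4001),
    Port("Te 0/5", "host", 4001),
    Port("Te 0/6", "host", 4003),
]


def validate(ports, vlan_types=VLAN_TYPES):
    """Return a list of role/VLAN inconsistencies (empty when consistent)."""
    errors = []
    for p in ports:
        kind = vlan_types.get(p.vlan)
        if p.mode not in MODES:
            errors.append(f"{p.name}: unknown PVLAN mode {p.mode!r}")
        elif kind is None:
            errors.append(f"{p.name}: VLAN {p.vlan} is not in the private VLAN")
        elif p.mode == "host" and kind == "primary":
            errors.append(f"{p.name}: host port must be in a secondary VLAN")
        elif p.mode != "host" and kind != "primary":
            errors.append(f"{p.name}: {p.mode} port must be in the primary VLAN")
    # The page states that a primary VLAN has one or more promiscuous ports.
    if not any(p.mode == "promiscuous" for p in ports):
        errors.append("primary VLAN has no promiscuous port")
    return errors


def can_forward(src, dst, vlan_types=VLAN_TYPES):
    """True when a Layer 2 frame received on src may be sent out of dst."""
    if src == dst:
        return False
    # Promiscuous ports (and, by assumption, trunk ports) exchange traffic
    # with every port in the private VLAN.
    if src.mode != "host" or dst.mode != "host":
        return True
    # Host to host: allowed only inside the same community VLAN. Two ports in
    # the isolated VLAN share a VLAN ID but still cannot reach each other.
    return src.vlan == dst.vlan and vlan_types.get(src.vlan) == "community"


def host_pairs(ports, vlan_types=VLAN_TYPES):
    """Pairs of host ports with direct Layer 2 reachability."""
    hosts = [p for p in ports if p.mode == "host"]
    return [(a.name, b.name) for a, b in combinations(hosts, 2)
            if can_forward(a, b, vlan_types)]


def exposed_ports(ports, must_be_isolated, vlan_types=VLAN_TYPES):
    """Ports named in must_be_isolated that another host port can reach."""
    wanted = set(must_be_isolated)
    exposed = set()
    for pair in host_pairs(ports, vlan_types):
        exposed |= wanted.intersection(pair)
    return sorted(exposed)


if __name__ == "__main__":
    for label, ports in (("switch A", SWITCH_A), ("switch B", SWITCH_B)):
        print(label, "errors:", validate(ports))
        print(label, "host pairs with direct L2 reachability:", host_pairs(ports))
    # Te 0/5 sits in the community VLAN, so it is reported; Te 0/6 is not.
    print("exposed:", exposed_ports(SWITCH_B, ["Te 0/5", "Te 0/6"]))
```

Running the audit against the intended isolation list after every change to secondary VLAN membership catches a host port that was moved from the isolated VLAN into a community VLAN.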
------- --------- --------- ------ -----------
4000 Primary Yes Te 0/3,25
4001 Community Yes Te 0/4-5
4003 Isolated Yes Te 0/6
The following example shows the show vlan private-vlan mapping command.
Dell#show vlan private-vlan mapping
Private Vlan:
Primary : 4000
Isolated : 4003
Community : 4001
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column.
The following example shows the VLAN status.
45 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 116.
• SNMP Support for Buffer Statistics Tracking Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Dell(conf-if)#end Dell# Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
Dell(conf-if)#end
Dell#
Configuring Port-Based Rate Shaping
Rate shaping buffers, rather than drops, traffic exceeding the specified rate until the buffer is exhausted. If any stream exceeds the configured bandwidth on a continuous basis, it can consume all of the buffer space that is allocated to the port.
• Apply rate shaping to outgoing traffic on a port.
INTERFACE mode
rate shape
• Apply rate shaping to a queue.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 117. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map.
1 Create a match-any class map.
CONFIGURATION mode
class-map match-any class-map-name
2 Create a match-all class map.
CONFIGURATION mode
class-map match-all class-map-name
3 Specify your match criteria.
CLASS MAP mode
match {ip | ipv6 | ip-any}
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL.
4 Link the class-map to a queue.
Use Step 1 or Step 2 to start creating a Layer 2 class map.
1 Create a match-any class map.
CONFIGURATION mode
class-map match-any
2 Create a match-all class map.
CONFIGURATION mode
class-map match-all
3 Specify your match criteria.
CLASS MAP mode
match mac
After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID.
4 Link the class-map to a queue.
Applying DSCP and VLAN Match Criteria on a Service Queue You can configure Layer 3 class maps which contain both a Layer 3 Differentiated Services Code Point (DSCP) and IP VLAN IDs as match criteria to filter incoming packets on a service queue on the switch. To configure a Layer 3 class map to classify traffic according to both an IP VLAN ID and DSCP value, use the match ip vlan vlan-id command in class-map input configuration mode.
When class-maps with overlapping ACL rules are applied to different queues, use the keyword order to process ACL rules in the desired order. ACL rules with lower order numbers (order numbers closer to 0) are applied before rules with higher order numbers so that packets are matched as you intended. • Specify the order in which you want to apply ACL rules using the keyword order. order The order can range from 0 to 254. By default, all ACL rules have an order of 254.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. • Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Example of Setting a DSCP Value for Egress Packets Dell#config Dell(conf)#qos-policy-input my-input-qos-policy Dell(conf-qos-policy-in)#set ip-dscp 34 % Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b). Dell(conf-qos-policy-in)#show config ! qos-policy-input my-input-qos-policy set ip-dscp 34 Dell(conf-qos-policy-in)#end Dell# Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command.
rate-shape {kbps | pps} peak-rate {burst-kbps | burst-packets} [committed {kbps | pps} committed-rate {burst-kbps | burst-packets}] In a QoS output policy, you can configure rate-shaping on egress traffic: • In either kilobits per second (kbps) or packets per second (pps) • By specifying peak rate and the peak burst, and (optionally) committed rate and committed burst size You must configure the peak rate and peak burst size using the same value: kilobits or packets per second.
wred For more information, refer to Applying a WRED Profile to Traffic. Create Policy Maps There are two types of policy maps: input and output. Creating Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1 Create a Layer 3 input policy map. CONFIGURATION mode policy-map-input Create a Layer 2 input policy map by entering the policy-map-input layer2 command.
Table 73.
• Layer 2 or Layer 3 service policies supersede dot1p service classes. • Create service classes. INTERFACE mode service-class dynamic dot1p Guaranteeing Bandwidth to dot1p-Based Service Queues To guarantee bandwidth to dot1p-based service queues, use the following command. Apply this command in the same way as the bandwidth-percentage command in an output QoS policy (refer to Allocating Bandwidth to Queue).
Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. • Apply an output QoS policy to queues. INTERFACE mode service-queue Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. • Specify an aggregate QoS policy. POLICY-MAP-OUT mode policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command.
• A DSCP value cannot be in both the yellow and red lists. Setting the red or yellow list with any DSCP value that is already in the other list results in an error and no update to that DSCP list is made. • Each color map can only have one list of DSCP values for each color; any DSCP values previously listed for that color that are not in the new DSCP list are colored green.
Display a specific DSCP color map. Dell# show qos dscp-color-map mapTWO Dscp-color-map mapTWO yellow 16,55 Displaying a DSCP Color Policy Configuration To display the DSCP color policy configuration for one or all interfaces, use the show qos dscp-color-policy {summary [interface] | detail {interface}} command in EXEC mode. summary: Displays summary information about a color policy on one or more interfaces.
• Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations. CONFIGURATION mode qos-rate-adjust overhead-bytes For example, to include the Preamble and SFD, enter qos-rate-adjust 8. For variable length overhead fields, know the number of bytes you want to include. The default is disabled. The range is from 1 to 31.
detection” part of WRED. If the maximum threshold, for example, 2000KB, is reached, all incoming packets are dropped until the buffer space consumes less than 2000KB of the specified traffic. Figure 118. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 75.
threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify on which traffic the system applies the profile. The system assigns a color-coded drop precedence — red, yellow, or green — to each packet based on the fourth bit of the 6-bit DSCP field in the packet header before queuing it. • If the fourth DSCP bit is 0, the packet is marked as green. • If the fourth DSCP bit is 1, the packet is marked as yellow (except for DSCP 63, which is marked as red).
Yellow Out of Profile 51300 0 The following shows the show qos statistics output on the port extender.
• If queued packets exceed the maximum threshold, they are dropped. ECN Packet Classification When ECN for WRED is enabled on an interface, non-ECN-capable packets are marked as green-profiled traffic and are subject to early WRED drops. For example, TCP-acks, OAM, and ICMP ping packets are non-ECN-capable. However, it is not desirable for these packets to be WRED-dropped.
policy-map-input ecn_0_pmap service-queue 0 class-map ecn_0_cmap Applying the policy map “ecn_0_pmap” marks all incoming packets with the ECN field set to 0 for “yellow” handling on queue 0 (default queue). Example: Color-marking non-ECN Packets in Different Traffic Classes The following examples both show how to mark non-ECN packets for “yellow” handling when packets with DSCP 40 egress on queue 2 and packets with DSCP 50 egress on queue 3.
policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Using A Configurable Weight for WRED and ECN The switch supports a user-configurable weight that determines the average queue size used in WRED and Explicit Congestion Notification (ECN) operation on front-end I/O and backplane interfaces.
the maximum drop-rate percentage for yellow and green profiles. You can configure these parameters for both front-end and backplane ports. Global Service-Pools for WRED with ECN You can enable WRED with ECN to work with global service-pools. Global service pools that function as shared buffers are accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. The switch supports four global service-pools in the egress direction.
Queue Configuration Service-Pool Configuration WRED Threshold Relationship Q threshold = Q-T Service-pool threshold = SP-T Expected Functionality SP-T < Q-T Same as above but ECN marking starts above SP-T. Configuring a Weight for WRED and ECN Operation You can configure a WRED weight to customize WRED and ECN operation on a front-end or backplane interface.
Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policy-map consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receiving a CAM full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
SNMP Support for Buffer Statistics Tracking SNMP support for buffer statistics tracking (BST) counters is implemented in the F10-FPSTATS MIB. BST counters allow you to better monitor system resources and allocate buffer memory. BST counters include the Max Use Count statistic, which provides the maximum counter value over a period of time. In the F10-FPSTATS MIB, the following tables display BST counters: • fpEgrQBuffSnapshotTable: Retrieves BST statistics from the egress port used in a buffer.
46 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter. Topics: • Protocol Overview • Implementation Information • Configuration Information Protocol Overview RIP is the oldest interior gateway protocol.
Implementation Information The Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the default values for RIP parameters on the switch. Table 77.
Enabling RIP Globally By default, RIP is disabled on the switch. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. • Include directly connected or user-configured (static) routes in RIP.
The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface (TengigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2 (shown in bold).
ROUTER RIP mode default-information originate [always] [metric value] [route-map route-map-name] – always: Enter the keyword always to always generate a default route. – value: The range is from 1 to 16. – route-map-name: The name of a configured route map. To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
– offset: the range is from 0 to 16. – interface: the type, slot, and number of an interface. To view the configuration changes, use the show config command in ROUTER RIP mode. Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command. • debug ip rip [interface | database | events | trigger] EXEC privilege mode Enable debugging of RIP.
RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Example of Configuring RIPv2 on Core 2 Core2(conf-if-te-2/31)# Core2(conf-if-te-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
----------- ------- ----------- ----------C 10.11.10.0/24 Direct, Te 2/11 C 10.11.20.0/24 Direct, Te 2/31 R 10.11.30.0/24 via 10.11.20.1, Te 2/31 C 10.200.10.0/24 Direct, Te 2/41 C 10.300.10.0/24 Direct, Te 2/42 R 192.168.1.0/24 via 10.11.20.1, Te 2/31 R 192.168.2.0/24 via 10.11.20.1, Te 2/31 Core2# R 192.168.1.0/24 via 10.11.20.1, Te 2/31 R 192.168.2.0/24 via 10.11.20.
Core 3 RIP Output The examples in this section show the Core 3 RIP output.
• To display Core 3 RIP database, use the show ip rip database command.
• To display Core 3 RIP setup, use the show ip route command.
• To display Core 3 RIP activity, use the show ip protocols command.
Examples of the show ip Command with Core 3 Output To view learned RIP routes on Core 3, use the show ip rip database command. Core3#show ip rip database Total number of routes in RIP database: 7 10.11.10.0/24 [120/1] via 10.11.20.
TenGigabitEthernet 3/11 2 2 TenGigabitEthernet 3/44 2 2 TenGigabitEthernet 3/43 2 2 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.2 120 00:00:22 Distance: (default is 120) Core3# RIP Configuration Summary Examples of Viewing the RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2. ! interface TengigabitEthernet ip address 10.11.10.
router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
47 Remote Monitoring (RMON) Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
Configuring an RMON Event To add an event in the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode. • Add an event in the RMON event table. CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
Configuring the RMON Collection History To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in INTERFACE CONFIGURATION mode. • Configure the RMON MIB history group of statistics collection. CONFIGURATION INTERFACE (config-if) mode [no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value.
48 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview The Dell Networking OS supports three other versions of spanning tree, as shown in the following table. Table 78.
RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire Layer 2 network, which can cause a network-wide flush of learned media access control (MAC) and address resolution protocol (ARP) addresses, requiring these addresses to be re-learned.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands.
no disable Dell(conf-rstp)# Figure 120. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.379, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 5 The port is not in the Edge port mode Port 380 (TengigabitEthernet 2/4) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.380 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
The following table displays the default values for RSTP. Table 79. RSTP Default Values
RSTP Parameter                                               Default Value
Forward Delay                                                15 seconds
Hello Time                                                   2 seconds
Max Age                                                      20 seconds
Port Cost: 10-Gigabit Ethernet interfaces                    2000
Port Cost: Port Channel with 10-Gigabit Ethernet interfaces  1800
Port Priority                                                128
To change these parameters, use the following commands. • Change the forward-delay parameter. PROTOCOL SPANNING TREE RSTP mode forward-delay seconds The range is from 4 to 30.
Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port. Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
interface hardware to be shut down when it receives a BPDU. When only bpduguard is implemented, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in Spanning Tree. CAUTION: Configure EdgePort only on links connecting to an end station.
Example of Verifying Hello-Time Interval Dell(conf-rstp)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e811.2233 Root Bridge hello time 50 ms, max age 20, forward delay 15 Bridge ID Priority 0, Address 0001.e811.2233 We are the root Configured hello time 50 ms, max age 20, forward delay 15 NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second.
49 Security This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
for greater flexibility in assigning permissions for each command to each role and as a result, it is easier and much more efficient to administer user rights. If a user’s role matches one of the allowed user roles for that command, then command authorization is granted. A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC model.
4. Specify authorization method list (RADIUS, TACACS+, or Local). You must at least specify local authorization. For consistency, the best practice is to define the same authorization method list across all lines, in the same order of comparison; for example VTY and console port. You could also use the default authorization method list to apply to all the LINES (console port, VTY). If you do not, the following error is displayed when you attempt to enable role-based only AAA authorization.
sysadmin Exec Config Interface Line Router IP Route-map Protocol MAC User Roles This section describes how to create a new user role and configure command permissions and contains the following topics. • Creating a New User Role • Modifying Command Permissions for Roles • Adding and Deleting Users from a Role Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization.
netoperator netadmin secadmin sysadmin myrole secadmin Exec Exec Exec Exec Config Config Config Config Interface Router IP Route-map Protocol MAC Line Interface Line Router IP Route-map Protocol MAC. Line Modifying Command Permissions for Roles You can modify (add or delete) command permissions for newly created user roles and system defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command command in Configuration mode.
The following example allows the security administrator (secadmin) to only access 10-Gigabit Ethernet interfaces and then shows that the secadmin, highlighted in bold, can now access Interface mode. However, the secadmin can only access 10-Gigabit Ethernet interfaces.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. Dell(conf)#username john password 0 password role secadmin The following example deletes a user role.
level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization. Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
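The requirements stated in this section (at least local authorization, the same authorization method list on every line, and no enable, line, or none methods under role-based only authorization) can be checked offline against a saved configuration. The following is an added example, not part of the Dell guide: the configuration fragment is constructed, and the `aaa authorization exec` definition lines and the `legacy` list name are assumptions about how the lists would appear in a running configuration.

```python
import re

# Constructed running-config fragment; "ucraaa" is the list name used in the guide,
# "legacy" is a hypothetical second list added to trigger findings.
SAMPLE_CONFIG = """\
aaa authentication login ucraaa local
aaa authorization exec ucraaa local
aaa authorization exec legacy tacacs+ none
!
line console 0
 login authentication ucraaa
 authorization exec ucraaa
line vty 0
 login authentication ucraaa
 authorization exec ucraaa
line vty 1
 login authentication ucraaa
 authorization exec legacy
line vty 2
 login authentication ucraaa
!
"""

# Methods the guide says are unavailable with role-based only AAA authorization.
FORBIDDEN_ROLE_ONLY = {"enable", "line", "none"}


def parse(config):
    """Return (lists, lines): list name -> methods, and line -> applied list or None."""
    lists, lines, current = {}, {}, None
    for raw in config.splitlines():
        text = raw.strip()
        indented = raw.startswith(" ")
        m = re.match(r"aaa authorization exec (\S+)\s+(.+)$", text)
        if m and not indented:
            lists[m.group(1)] = m.group(2).split()
            current = None
            continue
        m = re.match(r"line (console|vty) (\d+)$", text)
        if m and not indented:
            current = f"{m.group(1)} {m.group(2)}"
            lines[current] = None
            continue
        m = re.match(r"authorization exec (\S+)$", text)
        if m and indented and current:
            lines[current] = m.group(1)
            continue
        if text and not indented:
            current = None  # any other top-level statement closes the line block
    return lists, lines


def audit(config):
    """Return a list of findings; an empty list means the checks passed."""
    lists, lines = parse(config)
    findings, used = [], set()
    for line, name in lines.items():
        # A line with no explicit list falls back to the default list, if one exists.
        effective = name or ("default" if "default" in lists else None)
        if effective is None:
            findings.append(f"line {line}: no authorization exec list and no default list")
        elif effective not in lists:
            findings.append(f"line {line}: list '{effective}' is not defined")
        else:
            used.add(effective)
    if len(used) > 1:
        findings.append("lines use different authorization lists: " + ", ".join(sorted(used)))
    for name in sorted(used):
        methods = lists[name]
        if "local" not in methods:
            findings.append(f"list '{name}': local authorization is missing")
        bad = [m for m in methods if m in FORBIDDEN_ROLE_ONLY]
        if bad:
            findings.append(f"list '{name}': {', '.join(bad)} not available with role-based only authorization")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```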
 accounting commands role netadmin ucraaa
line vty 6
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 7
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 8
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 9
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
!
Configuring TACACS+ and RADIUS VSA Attr
Role Accounting This section describes how to configure role accounting and how to display active sessions for roles. This section consists of the following topics: • Configuring AAA Accounting for Roles • Applying an Accounting Method to a Role • Displaying Active Accounting Sessions for Roles Configuring AAA Accounting for Roles To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.
Display Information About User Roles This section describes how to display information about user roles. This section consists of the following topics: • Displaying User Roles • Displaying Information About Roles Logged into the Switch • Displaying Active Accounting Sessions for Roles Displaying User Roles To display user roles using the show userrole command in EXEC Privilege mode, use the show userroles and show users commands in EXEC privilege mode.
  Line         User    Role       Privilege  Host(s)  Location
  0 console 0  admin   sysadmin   15         idle
*3 vty 1      sec1    secadmin   14         idle     172.31.1.4
  4 vty 2      ml1     netadmin   12         idle     172.31.1.5
AAA Accounting Accounting, authentication, and authorization (AAA) accounting is part of the AAA security model. For details about commands related to AAA security, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
– tacacs+: designate the security service. The system supports only TACACS+. Example Dell(conf)#aaa accounting dot1x default start-stop tacacs+ Dell(conf)# tacacs-server host server-address key key Suppressing AAA Accounting for Null Username Sessions When you activate AAA accounting, the system issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL.
Monitoring AAA Accounting The system does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. The system evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, the system applies the next method list until the user either passes or fails the authentication. If the user fails a method list, the system does not apply the next method list.
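The evaluation order described above decides when a fallback method is actually reached, which is easy to misjudge when reviewing a method list. The following model is an added example, not Dell code: it reads "method list" in the last two sentences as the individual methods within one list (an assumption), treats the `none` method as granting access without a check (an assumption), and uses constructed users and responder functions.

```python
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"  # method answered: credentials valid
    REJECT = "reject"  # method answered: credentials invalid
    ERROR = "error"    # method did not respond or returned an error


MAX_METHODS = 5  # the guide allows up to five methods in one list


def evaluate(method_list, responders, user, password):
    """Return (granted, trace) for one login attempt against a method list."""
    if not 1 <= len(method_list) <= MAX_METHODS:
        raise ValueError("a method list holds one to five methods")
    trace = []
    for method in method_list:
        if method == "none":
            # Assumption: 'none' performs no check, so reaching it grants access.
            trace.append((method, Outcome.ACCEPT))
            return True, trace
        outcome = responders[method](user, password)
        trace.append((method, outcome))
        if outcome is Outcome.ACCEPT:
            return True, trace
        if outcome is Outcome.REJECT:
            return False, trace  # a failed login stops here; no fallback
        # Outcome.ERROR: move on to the next method
    return False, trace


def review(method_list):
    """Flag list shapes worth questioning (the policy is this example's own)."""
    findings = []
    if "none" in method_list:
        findings.append("'none' grants access whenever every earlier method errors out")
        if method_list[-1] != "none":
            findings.append("methods listed after 'none' are never reached")
    if "local" not in method_list:
        findings.append("no 'local' method: a server outage leaves no checked fallback")
    return findings


# Constructed responders standing in for real back ends.
LOCAL_USERS = {"admin": "constructed-secret"}


def local_db(user, password):
    return Outcome.ACCEPT if LOCAL_USERS.get(user) == password else Outcome.REJECT


def tacacs_up(user, password):
    ok = (user, password) == ("alice", "constructed-pw")
    return Outcome.ACCEPT if ok else Outcome.REJECT


def server_down(user, password):
    return Outcome.ERROR


if __name__ == "__main__":
    up = {"tacacs+": tacacs_up, "local": local_db}
    down = {"tacacs+": server_down, "radius": server_down, "local": local_db}
    # Server reachable and rejects: the local account is never consulted.
    print(evaluate(["tacacs+", "local"], up, "admin", "constructed-secret"))
    # Server unreachable: evaluation falls through to the local database.
    print(evaluate(["tacacs+", "local"], down, "admin", "constructed-secret"))
    # Both servers unreachable and the list ends in 'none': access is granted.
    print(evaluate(["radius", "tacacs+", "none"], down, "anyone", "wrong"))
    print(review(["radius", "tacacs+", "none"]))
```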
CONFIGURATION mode aaa authentication enable {method-list-name | default} method1 [... method4] – default: uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. – method-list-name: character string used to name the list of enable authentication methods activated when a user logs in. – method1 [... method4]: any of the following: RADIUS, TACACS, enable, line, none. If you do not set the default list, only the local enable is checked.
Therefore, the RADIUS server must have an entry for this username. AAA Authorization The system enables AAA new-model by default. You can set authorization to be either local or remote. Different combinations of authentication and authorization yield different results. By default, the system sets both to local. Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network.
Configuring a Username and Password In the Dell Networking OS, you can assign a specific username to limit user access to the system. To configure a username and password, use the following command. • Assign a user name and password. CONFIGURATION mode username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level] Configure the optional and required parameters: – name: Enter a text string up to 63 characters long.
stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed. Enabling the service obscure-passwords command displays asterisks instead of the encrypted passwords and keys. This command prevents a user from reading these passwords and keys by obscuring this information with asterisks. Password obscuring masks the password and keys for display only but does not change the contents of the file.
• password: enter a string up to 25 characters long. To change only the password for the enable command, configure only the password parameter. 3 Configure level and commands for a mode or reset a command’s level. CONFIGURATION mode privilege mode {level level command | reset command} Configure the following required and optional parameters: • mode: enter a keyword for the modes (exec, configure, interface, line, route-map, or router) • level level: the range is from 0 to 15.
enable          Turn on privileged commands
exit            Exit from the EXEC
no              Negate a command
show            Show running system information
terminal        Set terminal line parameters
traceroute      Trace route to destination
Dell#confi
Dell(conf)#?
end             Exit from Configuration mode
exit            Exit from Configuration mode
no              Reset a command
snmp-server     Modify SNMP parameters
Dell(conf)#
Specifying LINE Mode Password and Privilege You can specify a password authentication of all users on different terminal lines.
Resetting a Password To reset a password on the switch, follow the procedure in Recovering from a Forgotten Password on the switch. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
ACL Configuration Information The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this. RADIUS can specify an ACL for the user if both of the following are true: • If an ACL is absent. • If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.
Defining a AAA Method List to be Used for RADIUS To configure RADIUS to authenticate or authorize users on the system, create a AAA method list. Default method lists do not need to be explicitly applied to the line, so they are not mandatory. To create a method list, use the following commands. • Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the RADIUS authentication method.
– retransmit retries: the range is from 0 to 100. Default is 3. – timeout seconds: the range is from 0 to 1000. Default is 5 seconds. – key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host. If you do not configure these optional parameters, the global default values for all RADIUS hosts are applied.
Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius TACACS+ The system supports terminal access controller access control system (TACACS+) client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration task for TACACS+ functions.
4 Assign the method-list to the terminal line. LINE mode login authentication {method-list-name | default} Example of a Failed Authentication To view the configuration, use the show config in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, the system employs the second method (or third method, if necessary) automatically.
TACACS+ Remote Authentication and Authorization The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes. If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets this access class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch the access class from the server.
freebsd2# telnet 2200:2200:2200:2200:2200::2202 Trying 2200:2200:2200:2200:2200::2202... Connected to 2200:2200:2200:2200:2200::2202. Escape character is '^]'. Login: admin Password: Dell# Command Authorization The AAA command authorization feature configures the system to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
• ip ssh server version {1|2} Display SSH connection information. EXEC Privilege mode show ip ssh Specifying an SSH Version The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : enabled. SSH server version : v1 and v2. SSH server vrf : default. SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc, 3des-cbc.
• ip ssh hostbased-authentication enable: enable host-based authentication for the SSHv2 server. • ip ssh key-size: configure the size of the server-generated RSA SSHv1 key. • ip ssh password-authentication enable: enable password authentication for the SSH server. • ip ssh pub-key-file: specify the file the host-based authentication uses. • ip ssh rhostsfile: specify the rhost file the host-based authorization uses.
The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes.
Dell(conf)#ip ssh rekey volume 4096

Configuring the SSH Server Cipher List
To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode.
cipher-list: Enter a space-delimited list of ciphers the SSH server will support. The following ciphers are available.
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256,hmac-sha1,hmac-sha1-96.

Example of Configuring a HMAC Algorithm
The following example shows you how to configure a HMAC algorithm list.
Dell(conf)# ip ssh server mac hmac-sha1-96

Configuring the HMAC Algorithm for the SSH Client
To configure the HMAC algorithm for the SSH client, use the ip ssh mac hmac-algorithm command in CONFIGURATION mode.
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.

Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr

Configuring the SSH Client Cipher List
To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.
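A check for captured show ip ssh output, added here as an example and not Dell code: it parses the fields shown in the SSH version example, flags SSHv1, CBC-mode ciphers and 3des-cbc, and builds the ip ssh server commands that keep only the remaining ciphers. The weak/acceptable classification, the function names and the HMAC check are this example's assumptions; the sample output is constructed from the example on this page.

```python
import re

# Constructed sample: the 'show ip ssh' output from this page's example,
# with the cipher list wrapped across two lines as a terminal would wrap it.
SAMPLE_SHOW_IP_SSH = """\
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,
 3des-cbc.
"""

# One field is "SSH server <name> : <value>." and may span wrapped lines.
FIELD_RE = re.compile(
    r"SSH server[ \t]*(\w*)[ \t]*:\s*(.*?)\.\s*(?=SSH server|\Z)", re.DOTALL
)


def parse_show_ip_ssh(output):
    """Return {field: value}; the unnamed first field is stored as 'state'."""
    fields = {}
    for match in FIELD_RE.finditer(output):
        fields[match.group(1) or "state"] = " ".join(match.group(2).split())
    return fields


def weak_cipher_reason(name):
    """Reason a cipher is flagged, or None (classification is an assumption)."""
    if name.startswith("3des"):
        return "3DES uses a 64-bit block; long sessions hit the birthday bound"
    if name.endswith("-cbc"):
        return "CBC mode in SSH is exposed to plaintext-recovery attacks; use CTR"
    return None


def weak_mac_reason(name):
    """Reason an HMAC name is flagged, or None (classification is an assumption)."""
    if "md5" in name:
        return "MD5-based MAC"
    if name.endswith("-96"):
        return "MAC tag truncated to 96 bits"
    return None


def audit_show_ip_ssh(output):
    """Return (findings, fix_commands) for one 'show ip ssh' capture."""
    fields = parse_show_ip_ssh(output)
    findings, fixes = [], []

    # The running state is what matters: in this page's example the output
    # still reports "v1 and v2" after 'ip ssh server version 2' was entered.
    if "1" in re.findall(r"v(\d)", fields.get("version", "")):
        findings.append(("version", "v1", "SSHv1 is obsolete and should be off"))
        fixes.append("ip ssh server version 2")

    ciphers = [c for c in re.split(r"[,\s]+", fields.get("ciphers", "")) if c]
    keep = []
    for cipher in ciphers:
        reason = weak_cipher_reason(cipher)
        if reason:
            findings.append(("cipher", cipher, reason))
        else:
            keep.append(cipher)
    if keep and len(keep) != len(ciphers):
        # The cipher-list argument is space-delimited, as described above.
        fixes.append("ip ssh server cipher " + " ".join(keep))
    return findings, fixes


if __name__ == "__main__":
    found, commands = audit_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    for kind, value, reason in found:
        print(f"[{kind}] {value}: {reason}")
    print("\n".join(commands))
    # FIPS-mode default HMAC list quoted on this page.
    for mac in "hmac-sha2-256,hmac-sha1,hmac-sha1-96".split(","):
        print(mac, "->", weak_mac_reason(mac) or "ok")
```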
• When you enable all the three authentication methods, password authentication is the backup method when the RSA method fails. • The files known_hosts and known_hosts2 are generated when a user tries to SSH using version 1 or version 2, respectively. Enabling SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Networking system. This setup is the simplest method of authentication and uses SSH version 1.
Configuring Host-Based SSH Authentication Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands. 1 Configure RSA Authentication. Refer to Using RSA Authentication of SSH. 2 Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file. cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts Refer to the first example.
Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command. • SSH from the chassis to the SSH client. ssh ip_address Example of Client-Based SSH Authentication Dell#ssh 10.16.127.
Authentication Method VTY access-class support? Username access-class support? Remote authorization support? RADIUS YES NO YES The system provides several ways to configure access classes for VTY lines, including: • VTY Line Local Authentication and Authorization • VTY Line Remote Authentication and Authorization VTY Line Local Authentication and Authorization The system retrieves the access class from the local database. To use this feature: 1. Create a username. 2. Enter a password. 3.
following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt. The example uses TACACS+ as the authentication mechanism.

Example of Configuring VTY Authorization Based on Access Class Retrieved from the Line (Per Network Address)
Dell(conf)#ip access-list standard deny10
Dell(conf-ext-nacl)#permit 10.0.0.0/8
Dell(conf-ext-nacl)#deny any
Dell(conf)#
Dell(conf)#aaa authentication login tacacsmethod tacacs+
Dell(conf)#tacacs-server host 256.1.1.
50 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
network. At the egress edge, the provider removes the S-Tag, so that the customer receives the frame in its original condition, as shown in the following illustration. Figure 121. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-stack-enabled VLAN.
Configure VLAN Stacking
Configuring VLAN-Stacking is a three-step process.
1. Creating Access and Trunk Ports
2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports).
3. Enabling VLAN-Stacking for a VLAN.
vlan-stack trunk
no shutdown

Enable VLAN-Stacking for a VLAN
To enable VLAN-Stacking for a VLAN, use the following command.
• Enable VLAN-Stacking for the VLAN.
INTERFACE VLAN mode
vlan-stack compatible

Example of Viewing VLAN Stack Member Status
To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
portmode hybrid
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID is 0x8100.
2 Add the port to an 802.1Q VLAN as tagged or untagged.
ports : Te 1/47 (MT), Te 2/1(MU), Te 2/25(MT), Te 2/26(MT), Te 2/27(MU) Dell#debug member port tengigabitethernet 1/47 vlan id : 603 (MT), 100(T), 101(NU) VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 122.
Figure 123.
Figure 124. Single and Double-Tag TPID Mismatch

VLAN Stacking Packet Drop Precedence
VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.

Enabling Drop Eligibility
Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
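The TPID-mismatch behaviour and the DEI bit described above, as an added example that is not taken from the Dell guide: a small parser that shows how a port interprets the same double-tagged frame depending on the TPID it expects, and where the DEI bit sits in the S-Tag. The 0x88A8 value is the IEEE 802.1ad S-Tag TPID (this page only quotes 0x8100); the frame, MAC addresses and function names are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100   # C-Tag TPID, the value quoted on this page
TPID_8021AD = 0x88A8  # S-Tag TPID from IEEE 802.1ad (assumption: not on this page)


def make_frame(tags, ethertype=0x0800, payload=b"\x00" * 46):
    """Build a constructed frame. tags = [(tpid, pcp, dei, vid), ...], outer first."""
    frame = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")  # dst, src
    for tpid, pcp, dei, vid in tags:
        # Tag = 2-byte TPID + 2-byte TCI (3-bit PCP, 1-bit DEI/CFI, 12-bit VLAN ID).
        frame += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tag(frame, offset, expected_tpid):
    """Return (tag, next_offset) if a tag with expected_tpid starts at offset."""
    if len(frame) < offset + 6:  # tag plus the EtherType that must follow it
        return None, offset
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    if tpid != expected_tpid:
        return None, offset
    tag = {"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}
    return tag, offset + 4


def classify(frame, port_tpid, inner_tpid=TPID_8021Q):
    """Describe how a port that expects port_tpid as the outer TPID sees the frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    outer, offset = parse_tag(frame, 12, port_tpid)
    if outer is None:
        # TPID mismatch: the two bytes are read as an EtherType, so the frame is
        # handled as untagged and the VLAN separation carried in the tag is lost.
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        return {"seen_as": "untagged", "outer": None, "inner": None,
                "ethertype": ethertype}
    inner, offset = parse_tag(frame, offset, inner_tpid)
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"seen_as": "double-tagged" if inner else "single-tagged",
            "outer": outer, "inner": inner, "ethertype": ethertype}


if __name__ == "__main__":
    # Customer VLAN 10 carried inside provider VLAN 100, S-Tag marked drop eligible.
    stacked = make_frame([(TPID_8021AD, 5, 1, 100), (TPID_8021Q, 3, 0, 10)])
    for tpid in (TPID_8021AD, TPID_8021Q):
        print(hex(tpid), classify(stacked, tpid))
```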
Table 81. Drop Eligibility Behavior
Ingress | Egress | DEI Disabled | DEI Enabled
Normal Port | Normal Port | Retain CFI | Set CFI to 0.
Trunk Port | Trunk Port | Retain inner tag CFI. Retain outer tag CFI | Retain inner tag CFI. Set outer tag CFI to 0.
Access Port | Trunk Port | Retain inner tag CFI. Set outer tag CFI to 0 | Retain inner tag CFI. Set outer tag CFI to 0

To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
• Option 2: Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. For example, if frames with C-Tag dot1p values 0, 6, and 7 are mapped to an S-Tag dot1p value 0, all such frames are sent to the queue associated with the S-Tag 802.1p value 0. This option requires two different CAM entries, each in a different Layer 2 ACL FP block.
cam-acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number ecfmacl number {vman-qos | vman-qos-dual-fp} number • vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp. • vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. This method requires twice as many CAM entries as vman-qos and FP blocks in multiples of 2.
consumed and later dropped because the intermediate network itself might be using spanning tree (shown in the following illustration). Figure 126. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region.
Dell Networking OS Behavior: The L2PT MAC address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge. Figure 127. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile.
EXEC Privilege mode
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp

Specifying a Destination MAC Address for BPDUs
By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
51 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured. Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. • Dell Networking recommends the sFlow Collector be connected to the Dell Networking chassis through a line card port rather than the management Ethernet port. • Only egress sampling is supported.
Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled. The second bold lines indicate sFlow is enabled on linecards Te 1/16 and Te 1/17.
Displaying Show sFlow on a Line Card To view sFlow statistics on a specified line card, use the following command. • Display sFlow configuration information and statistics on the specified interface.
Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared. This is as per sFlow version 5 draft.
Global extended information enabled: none 0 collectors configured 0 UDP packets exported 0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Important Points to Remember • If the IP source address is learned via IGP, srcAS and srcPeerAS are zero. • The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP.
52 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Implementation Information The following describes SNMP implementation information. • The Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571. • The system supports up to 16 trap receivers. • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via SNMP sets.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, password and privacy privileges. You can configure a maximum of 32 users even if they are in different groups. Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security on the switch.
snmp-server view view-name oid-tree {included | excluded}
NOTE: To give a user read and write view privileges, repeat this step for each privilege type.
• Configure the user with an authorization password (password privileges only).
CONFIGURATION mode
snmp-server user name group-name 3 noauth auth md5 auth-password
• Configure an SNMP group (password privileges only).
CONFIGURATION mode
snmp-server group groupname {oid-tree} auth read name write name
• Configure an SNMPv3 view.
Examples of Reading Managed Object Values
In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays.
> snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16
> snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0
The following example shows reading the value of the next managed object.
> snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.
• (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
CONFIGURATION mode
snmp-server location text
You may use up to 55 characters. The default is None.
• (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
CONFIGURATION mode
snmpset -v version -c community agent-ip sysContact.
• {{high | low} cpu-utilization-threshold-percentage} — Enter a percentage value to configure the high or low threshold level for the time in which a switch CPU can be used. The percentage of CPU use ranges from 0 to 100. Defaults – High CPU utilization threshold: 1 min = 85%, 5 min = 80% – Low CPU utilization threshold: 1 min = 75%, 5 min = 70% NOTE: A threshold level of 0 disables Syslog and SNMP traps. • Configure the high or low CPU utilization threshold for SNMP traps.
• lp — Enter the keyword lp to configure the linecard processor memory utilization threshold time. The range of switch slot IDs is from 0 to 2.
• pe — Enter the keyword pe to configure the CPU memory utilization time for all PEs that are configured in the system.
• all — Enter the keyword all to configure the memory utilization threshold on all switch CPUs: Control Processor, Route Processor, PE, and line cards.
• Dell Networking enterpriseSpecific environment traps — fan, supply, and temperature. • Dell Networking enterpriseSpecific protocol traps — bgp, ecfm, stp, and xstp. To configure the system to send SNMP notifications, use the following commands. 1 Configure the Dell Networking system to send notifications to an SNMP server. CONFIGURATION mode snmp-server host ip-address [traps | informs] [version 1 | 2c |3] [community-string] To send trap messages, enter the keyword traps.
ecfm     Enable ECFM state change traps
ecmp     Enable ecmp traps
entity   Enable entity change traps
envmon   Enable SNMP environmental monitor traps
ets      Enable ets traps
fips     Enable FIP Snooping state change traps
hg-lbm   Enable higig Link Bundle Monitoring traps
isis     Enable ISIS adjacency change traps
lacp     Enable LACP state change traps
pfc      Enable pfc traps
snmp     Enable SNMP traps
stp      Enable STP traps
vlt      Enable VLT traps
vrrp     Enable VRRP state change traps
xstp     Enable 802.1s, 802.
Address 0001.e801.fc35.
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 11/38 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Te 11/38 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
%SPANMGR-5-MSTP_TOPOLOGY_CHANGE: Topology change BridgeAddr: 0001.e801.
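Detection logic for the root-change messages above, added here as an example and not part of the Dell guide: it parses the NEW_ROOT_PORT message and raises an alert when the new root bridge is not one the operator expects. The allowlist of expected root MAC addresses and the function names are assumptions of this example; only the MSTP message form shown on this page is known, and the sample log is constructed from those lines.

```python
import re

# Constructed sample: the SPANMGR messages quoted on this page, one per line.
SAMPLE_LOG = """\
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 11/38 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Te 11/38 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
"""


def _bid(name):
    """Regex for a bridge ID printed as priority:xxxx.xxxx.xxxx."""
    return (rf"(?P<{name}_prio>\d+):"
            rf"(?P<{name}_mac>(?:[0-9a-fA-F]{{4}}\.){{2}}[0-9a-fA-F]{{4}})")


ROOT_CHANGE = re.compile(
    r"%SPANMGR-\d-(?P<proto>[A-Z]+)_NEW_ROOT_PORT: .*?root changed to port "
    r"(?P<port>\S+ \S+) for instance (?P<inst>\d+)\. My Bridge ID: " + _bid("me")
    + r" Old Root: " + _bid("old") + r" New Root: " + _bid("new")
)


def detect_root_changes(log_text, expected_roots):
    """Return one alert per root change whose new root is not in expected_roots.

    expected_roots is a set of MAC addresses (xxxx.xxxx.xxxx) of the bridges
    that are allowed to be root; it is supplied by the operator.
    """
    allowed = {mac.lower() for mac in expected_roots}
    alerts = []
    for line in log_text.splitlines():
        m = ROOT_CHANGE.search(line)
        if not m:
            continue
        old = (int(m["old_prio"]), m["old_mac"].lower())
        new = (int(m["new_prio"]), m["new_mac"].lower())
        if new[1] in allowed:
            continue
        # The lowest bridge ID wins the election: priority first, then MAC.
        if new[0] < old[0]:
            reason = "lower priority"
        elif new[0] == old[0] and new[1] < old[1]:
            reason = "lower MAC at equal priority"
        else:
            reason = "previous root no longer advertised"
        alerts.append({
            "protocol": m["proto"],
            "instance": int(m["inst"]),
            # Port on which the superior BPDU arrived; a candidate for review
            # against the root guard settings described in the STP chapter.
            "port": m["port"],
            "old_root": f"{old[0]}:{old[1]}",
            "new_root": f"{new[0]}:{new[1]}",
            "reason": reason,
            "local_switch_lost_root": m["me_mac"].lower() == old[1] != new[1],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_root_changes(SAMPLE_LOG, {"0001.e801.fc35"}):
        print(alert)
```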
Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to send an SNMP trap if an audit processing failure occurs due to loss of connectivity with the syslog server. If a connectivity failure occurs on a syslog server that is configured for reliable transmission, an SNMP trap is sent and a message is displayed on the console.
Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client. • copy the running-config file to the startup-config file • copy configuration files from the Dell Networking system to a server • copy configuration files from a server to the Dell Networking system You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object | OID | Object Values | Description
copyDestFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 | 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp | Specifies the location of destination file. If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copyDestFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.7 | Path (if the file is not in the default directory) and filename. | Specifies the name of destination file.
copyServerAddress | .1.3.6.1.4.1.6027.3.5.1.1.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index i object-value. To view more information, use the following options in the snmpset command. • -c: View the community, either public or private. • -m: View the MIB files for the SNMP command. • -r: Number of retries using the option • -t: View the timeout. • -v: View the SNMP version (either 1, 2, 2d, or 3). The following examples show the snmpset command to copy a configuration.
The following example shows copying configuration files from a UNIX machine using the OID.
>snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.8 = INTEGER: 2

Copying the Startup-Config Files to the Server via FTP
To copy the startup-config to the server via FTP from the UNIX machine, use the following command.
filename copyDestFileType.index i 3 copyServerAddress.index a server-ip-address copyUserName.index s server-login-id copyUserPassword.index s server-login-password Example of Copying a Binary File From the Server to the Startup-Configuration via FTP > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.10 i 1 copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.10 s /home/myfilename copyServerAddress.10 a 172.16.1.56 copyUserName.10 s mylogin copyUserPassword.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index. Examples of Getting a MIB Object Value The following examples show the snmpget command to obtain a MIB object value. These examples assume that: • the server OS is UNIX • you are using SNMP version 2c • the community name is public • the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command.
MTU 1554 bytes, IP MTU 1500 bytes LineSpeed auto Displaying the Ports in a VLAN The system identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command. Add Tagged and Untagged Ports to a VLAN The value dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members. All VLAN members that are not in dot1qVlanStaticUntaggedPorts are tagged.
Managing Overload on Startup If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS reload is implemented, use the following command. • Set the amount of time after an IS-IS reload is performed before ingress traffic is allowed at startup.
Fetch Dynamic MAC Entries using SNMP
Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.
NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.1d itself does not define them. As a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address query.
Example of Fetching MAC Addresses Learned on a Port-Channel Using SNMP Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
For example, the interface index 51528196 for the FortyGigE 0/4 port is 0000 0011 0001 0010 0100 0010 0000 0100 in binary format as shown in the following figure. Figure 129. Interface Index Number Assigned to FortyGigE 0/4 Port In this example, if you start from the least significant bit on the right: • The first 14 bits (00001000000010) identify a line card. • The next 4 bits (1001) identify a 40-Gigabit Ethernet interface. • The next 12 bits (000011000100) identify slot 0 and port 4.
status inactive

Example of Viewing Changed Interface State for Monitored Ports
Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state Te 0/0"
2010-02-10 14:22:39 10.16.130.4 [10.16.130.4]:
SNMPv2-MIB::sysUpTime.
53 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
To view the storm control configuration, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
• Configure the packets per second of broadcast traffic allowed on an interface (ingress only).
INTERFACE mode
storm-control broadcast packets_per_second in
• Configure the packets per second of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only.
INTERFACE mode
storm-control multicast packets_per_second in
• Shut down the port if it receives the PFC/LLFC packets more than the configured rate.
54 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
Related Configuration Tasks • Adding an Interface to the Spanning Tree Group • Modifying Global Parameters • Modifying Interface STP Parameters • Enabling PortFast • Prevent Network Disruptions with BPDU Guard • STP Root Guard • Enabling SNMP Traps for Root Elections and Topology Changes Important Points to Remember • STP is disabled by default. • The Dell Networking OS supports only one spanning tree instance (0).
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 130. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE switchport 3 Enable the interface.
Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#

Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default.
Examples of Verifying and Viewing Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command. Modifying Global Parameters You can modify the spanning tree parameters.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
• Enable PortFast on an interface. INTERFACE mode spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] Example of Verifying PortFast is Enabled on an Interface To verify that PortFast is enabled on a port, use the show spanning-tree command from EXEC Privilege mode or the show config command from INTERFACE mode. Dell Networking recommends using the show config command.
– Disabling global spanning tree (the no spanning-tree in CONFIGURATION mode).
Figure 132. Enabling BPDU Guard
Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
• is used on edgeports and blocks all traffic on edgeport if it receives a BPDU.
• drops the BPDU after it reaches the Route Processor and generates a console message.
Dell(conf-if-te-0/7)#do show ip int br te 0/7 Interface IP-Address OK Method Status Protocol TenGigabitEthernet 0/7 unassigned YES Manual up up Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
the BPDU is ignored and the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge. Figure 133. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
– 0: enables root guard on an STP-enabled port assigned to instance 0. – mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer. Figure 134. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis.
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard. • Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it.
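An offline check for the guard combinations described in this chapter, added here as an example and not Dell code: it walks the interface stanzas of a saved configuration and reports PortFast ports without BPDU guard, BPDU guard combined with loop guard, and root guard combined with loop guard. The portfast, bpduguard and rootguard keywords come from the commands on this page; the loopguard keyword, the one-space stanza indentation and the finding codes are assumptions of this example, and the sample configuration is constructed.

```python
import re

# Constructed running-config excerpt using the stanza layout of 'show config'.
SAMPLE_CONFIG = """\
!
interface TenGigabitEthernet 0/7
 no ip address
 switchport
 spanning-tree 0 portfast bpduguard shutdown-on-violation
 no shutdown
!
interface TenGigabitEthernet 0/8
 no ip address
 switchport
 spanning-tree 0 portfast
 no shutdown
!
interface TenGigabitEthernet 0/9
 switchport
 spanning-tree 0 portfast bpduguard
 spanning-tree 0 loopguard
 no shutdown
!
interface TenGigabitEthernet 0/10
 switchport
 spanning-tree 0 rootguard
 spanning-tree 0 loopguard
 no shutdown
!
"""

# spanning-tree {0 | mstp | rstp | pvst} <keywords...>
STP_LINE = re.compile(r"^spanning-tree\s+(?:0|mstp|rstp|pvst)\s+(.+)$")

REASONS = {
    "PORTFAST_WITHOUT_BPDUGUARD":
        "edge port forwards immediately but still accepts BPDUs",
    "BPDUGUARD_WITH_LOOPGUARD":
        "port stays in a blocking state and passes no traffic",
    "ROOTGUARD_WITH_LOOPGUARD":
        "rejected by the CLI; the two guards cannot share a port",
}


def parse_interfaces(config):
    """Map interface name -> set of spanning-tree keywords configured on it."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = set()
        elif line == "!":
            current = None  # '!' closes the stanza
        elif current is not None:
            match = STP_LINE.match(line)
            if match:
                interfaces[current].update(match.group(1).split())
    return interfaces


def audit_stp_guards(config):
    """Return [(interface, finding_code), ...] in configuration order."""
    findings = []
    for name, keywords in parse_interfaces(config).items():
        if "portfast" in keywords and "bpduguard" not in keywords:
            findings.append((name, "PORTFAST_WITHOUT_BPDUGUARD"))
        if "bpduguard" in keywords and "loopguard" in keywords:
            findings.append((name, "BPDUGUARD_WITH_LOOPGUARD"))
        if "rootguard" in keywords and "loopguard" in keywords:
            findings.append((name, "ROOTGUARD_WITH_LOOPGUARD"))
    return findings


if __name__ == "__main__":
    for interface, code in audit_stp_guards(SAMPLE_CONFIG):
        print(f"{interface}: {code} ({REASONS[code]})")
```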
55 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see Dell Networking Open Automation guide. Figure 135.
• Configuring SupportAssist Person • Configuring SupportAssist Server • Viewing SupportAssist Configuration Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry.
involve international transfers of data from you to Dell and/or to Dells affiliates, subcontractors or business partners. When making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer} start now Dell#support-assist activity full-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
SUPPORTASSIST ACTIVITY mode action-manifest show {all} Dell(conf-supportassist-act-full-transfer)#action-manifest show all Dell(conf-supportassist-act-full-transfer)# 6 Enable a specific SupportAssist activity. SUPPORTASSIST ACTIVITY mode [no] enable Dell(conf-supportassist-act-full-transfer)#enable Dell(conf-supportassist-act-full-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
[no] contact-person [first ] last Dell(conf-supportassist)#contact-person first john last doe Dell(conf-supportassist-pers-john_doe)# 2 Configure the email addresses to reach the contact person. SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] Dell(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com Dell(conf-supportassist-pers-john_doe)# 3 Configure phone numbers of the contact person.
[no] enable
Dell(conf-supportassist-serv-default)#enable
Dell(conf-supportassist-serv-default)#

4 Configure the URL to reach the SupportAssist remote server.
SUPPORTASSIST SERVER mode
[no] url uniform-resource-locator
Dell(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
Dell(conf-supportassist-serv-default)#

Viewing SupportAssist Configuration

To view the SupportAssist configurations, use the following commands.
show eula-consent {support-assist | other feature}

Dell#show eula-consent
SupportAssist EULA has been: Accepted
Additional information about the SupportAssist EULA is as follows:
By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
56 System Time and Date

System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI.

Topics:
• Network Time Protocol
• Time and Date

Network Time Protocol

The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
which to synchronize and serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network.

Protocol Overview

The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
Enabling NTP

NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources.

• Specify the NTP server to which the Dell Networking system synchronizes.
To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled. (The show config command displays only non-default configuration information.)

Configuring a Source IP Address for NTP Packets

By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface’s IP address to be included in all NTP packets.
• number: the range is from 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
• key: enter a text string. This text string is encrypted.

3 Define a trusted key.
CONFIGURATION mode
ntp trusted-key number
Configure a number from 1 to 4294967295. The number must be the same as the number used in the ntp authentication-key command.

4 Configure an NTP server.
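The key-number rule in the steps above can be checked against a saved running-config. The following is an added example, not part of the Dell guide: it reports authentication keys that are not trusted, trusted keys that were never defined, and servers that would synchronize without a usable key. The ntp authenticate line, the md5 keyword and the key option on ntp server lines are assumed syntax that this page does not show, and the sample configuration is constructed.

```python
import re

KEY_MIN, KEY_MAX = 1, 4294967295  # key-number range given in the guide

# Constructed sample, not output from a real switch.
# Assumed syntax: "ntp authenticate", "md5 7 <string>", "ntp server <addr> key <n>".
SAMPLE_CONFIG = """\
ntp authenticate
ntp authentication-key 10 md5 7 0123456789abcdef
ntp authentication-key 20 md5 7 fedcba9876543210
ntp trusted-key 10
ntp trusted-key 30
ntp server 192.0.2.10 key 10
ntp server 192.0.2.11 key 20
ntp server 192.0.2.12
"""

AUTH_KEY_RE = re.compile(r"^ntp authentication-key (\d+)\b")
TRUSTED_RE = re.compile(r"^ntp trusted-key (\d+)\s*$")
SERVER_RE = re.compile(r"^ntp server (\S+)(?:.*?\bkey (\d+))?")


def audit_ntp_auth(config_text):
    """Return a sorted list of (finding, subject) tuples for NTP authentication gaps."""
    defined, trusted, servers = set(), set(), []
    auth_enabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            auth_enabled = True
        elif (m := AUTH_KEY_RE.match(line)):
            defined.add(int(m.group(1)))
        elif (m := TRUSTED_RE.match(line)):
            trusted.add(int(m.group(1)))
        elif (m := SERVER_RE.match(line)):
            key = int(m.group(2)) if m.group(2) else None
            servers.append((m.group(1), key))

    findings = []
    if not auth_enabled:
        findings.append(("auth-not-enabled", "global"))
    for number in defined | trusted:
        if not KEY_MIN <= number <= KEY_MAX:
            findings.append(("key-out-of-range", str(number)))
    # The guide requires the same number in both commands: report each mismatch.
    for number in defined - trusted:
        findings.append(("key-defined-not-trusted", str(number)))
    for number in trusted - defined:
        findings.append(("trusted-key-undefined", str(number)))
    usable = defined & trusted
    for address, key in servers:
        if key is None:
            findings.append(("server-without-key", address))
        elif key not in usable:
            findings.append(("server-key-unusable", f"{address} key {key}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit_ntp_auth(SAMPLE_CONFIG):
        print(f"{finding}: {subject}")
```
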
version - NTP version 3 leap NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Setting the Time and Date for the Switch Software Clock

You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. To set the software clock, use the following command.

• Set the system software clock to the current time and date.
Set Daylight Saving Time

The system supports setting the system to daylight saving time once or on a recurring basis every year.

Setting Daylight Saving Time Once

Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. To set the clock for daylight saving time once, use the following command.

• Set the clock to the appropriate timezone and daylight saving time.
– start-week: (OPTIONAL) Enter one of the following as the week that daylight saving begins and then enter values for start-day through end-time:
  * week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
  * first: Enter the keyword first to start daylight saving time in the first week of the month.
  * last: Enter the keyword last to start daylight saving time in the last week of the month.
CONFIGURATION mode
ntp offset-threshold threshold-value
The range for threshold-value is from 0 to 999.
57 Tunneling

Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
no ip address
ipv6 address 2::1/64
tunnel destination 90.1.1.1
tunnel source 60.1.1.1
tunnel mode ipv6ip
no shutdown

The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):

Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.
Configuring Tunnel allow-remote Decapsulation

You can configure an IPv4 or IPv6 address or prefix whose tunneled packets are accepted for decapsulation.

• If no allow-remote entries are configured, tunneled packets from any remote peer address are accepted.
• Up to eight allow-remote entries can be configured on any particular multipoint receive-only tunnel.

The following sample configuration shows how to configure a tunnel allow-remote address.
the switch CPU for the receive-only tunnel. The tunnel interface can function as an unnumbered interface with no IPv4/IPv6 address assigned.

Guidelines for Configuring Multipoint Receive-Only Tunnels

• You can configure up to eight remote end-points for a multipoint receive-only tunnel. The maximum number of remote end-points supported for all multipoint receive-only tunnels on the switch depends on the hardware table size to set up termination.
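The allow-remote rule described above (no entries means packets from any remote peer are decapsulated, and at most eight entries per tunnel) can be audited from a saved configuration. The following is an added example, not part of the Dell guide; the tunnel mode ipip decapsulate-any and tunnel allow-remote line formats are assumed syntax that this page does not show, and the sample configuration is constructed.

```python
import ipaddress

MAX_ALLOW_REMOTE = 8  # per-tunnel limit stated in the guide
OPEN_DECAP = "no allow-remote entries: tunneled packets from any remote peer are accepted"

# Constructed running-config excerpt, not output from a real switch.
# Assumed syntax: "tunnel mode ipip decapsulate-any" marks a multipoint
# receive-only tunnel; "tunnel allow-remote <addr-or-prefix>" permits one peer.
SAMPLE_CONFIG = """\
interface Tunnel 1
 ip address 10.1.1.1/24
 tunnel source 198.51.100.1
 tunnel mode ipip decapsulate-any
 no shutdown
!
interface Tunnel 2
 tunnel source 198.51.100.2
 tunnel mode ipip decapsulate-any
 tunnel allow-remote 203.0.113.7
 tunnel allow-remote 2001:db8:40::/64
 no shutdown
!
interface Tunnel 3
 tunnel source 198.51.100.3
 tunnel destination 203.0.113.9
 tunnel mode ipip
 no shutdown
"""


def parse_tunnels(config_text):
    """Collect mode and allow-remote entries for each 'interface Tunnel' stanza."""
    tunnels, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new stanza
            current = None
            if line.lower().startswith("interface tunnel "):
                current = line.split(None, 1)[1]
                tunnels[current] = {"receive_only": False, "allow": []}
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["tunnel", "mode"] and words[-1] == "decapsulate-any":
            tunnels[current]["receive_only"] = True
        elif words[:2] == ["tunnel", "allow-remote"] and len(words) >= 3:
            tunnels[current]["allow"].append(words[2])
    return tunnels


def audit_allow_remote(config_text):
    """Map each receive-only tunnel to its findings (empty list = restricted)."""
    report = {}
    for name, tun in parse_tunnels(config_text).items():
        if not tun["receive_only"]:
            continue  # allow-remote applies only to receive-only tunnels
        findings = []
        for entry in tun["allow"]:
            try:
                ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(f"unparseable allow-remote entry: {entry}")
        count = len(tun["allow"])
        if count == 0:
            findings.append(OPEN_DECAP)
        elif count > MAX_ALLOW_REMOTE:
            findings.append(
                f"{count} allow-remote entries exceed the limit of {MAX_ALLOW_REMOTE}"
            )
        report[name] = findings
    return report


if __name__ == "__main__":
    for tunnel, findings in audit_allow_remote(SAMPLE_CONFIG).items():
        print(tunnel, "->", findings or "restricted to configured peers")
```
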
58 Upgrade Procedures

For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version.

Upgrade Overview

To upgrade system software on the switch, follow these general steps:
1. Identify the boot and system images currently stored on the switch (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command.
2.
59 Uplink Failure Detection (UFD)

Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link.

Feature Description

A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
• In Step C, UFD on S1 disables the link to the server. The server then stops using the link to S1 and switches to using its link to S2 to send traffic upstream to R1.

Figure 137. Uplink Failure Detection

How Uplink Failure Detection Works

UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group.
protection or recovery procedures they have in place to establish alternate connectivity paths, as shown in the following illustration.

Figure 138. Uplink Failure Detection Example

If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state.
– If you assign a port channel as an upstream interface, the port channel interface enters a Link-Down state when the number of port-channel member interfaces in a Link-Up state drops below the configured minimum number of members parameter.
• If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with a UFD Disabled error.
NOTE: Downstream interfaces in an uplink-state group are put into a Link-Down state with a UFD-Disabled error message only when all upstream interfaces in the group go down.

To revert to the default setting, use the no downstream disable links command.

4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
Example of Syslog Messages Before and After Entering the clear ufd-disable uplink-state-group Command

The following example shows the Syslog messages that display when you clear the UFD-Disabled state from all disabled downstream interfaces in an uplink-state group by using the clear ufd-disable uplink-state-group groupid command. All downstream interfaces return to an operationally up state.
– Port channel: enter port-channel {1-512}.
• If a downstream interface in an uplink-state group is disabled (Oper Down state) by uplink-state tracking because an upstream port is down, the message error-disabled[UFD] displays in the output.

Display the current configuration of all uplink-state groups or a specified group.
Queueing strategy: fifo
Input Statistics:
  0 packets, 0 bytes
  0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
  0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
  0 Multicasts, 0 Broadcasts
  0 runts, 0 giants, 0 throttles
  0 CRC, 0 overrun, 0 discarded
Output Statistics:
  0 packets, 0 bytes, 0 underruns
  0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
  0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
  0 Multicasts, 0 Broadcasts, 0 Unicasts
  0 throttles, 0 discarded,
Dell(conf-uplink-state-group-3)# show config
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TengigabitEthernet 0/1-2,5,9,11-12
 upstream TengigabitEthernet 0/3-4
Dell(conf-uplink-state-group-3)#
Dell(conf-uplink-state-group-3)#exit
Dell(conf)#exit
Dell#
00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console
Dell# show running-config uplink-state-group
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstrea
60 Virtual LANs (VLANs)

Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN

When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
VLANs and Port Tagging

To add an interface to a VLAN, the interface must be in Layer 2 mode. After you place an interface in Layer 2 mode, the interface is automatically placed in the Default VLAN. The system supports IEEE 802.1Q tagging at the interface level to filter traffic. When you enable tagging, a tag header is added to the frame after the destination and source MAC addresses. That information is preserved as the frame moves through the network.
Assigning an IP Address to a VLAN

VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.

NOTE: You cannot assign an IP address to the Default VLAN (VLAN 1).
[tagged | untagged]

Creating a Port-Based VLAN

To configure a port-based VLAN, create the VLAN and then add physical interfaces or port channel (LAG) interfaces to the VLAN.

NOTE: The Default VLAN (VLAN 1) is part of the system startup configuration and does not require configuration.

A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up. As shown in the following example, VLAN 1 is inactive because it does not contain any interfaces.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands.

1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
CONFIGURATION mode
interface vlan vlan-id

2 Enable an interface to include the IEEE 802.1Q tag header.
Moving Untagged Interfaces

To move untagged interfaces from the Default VLAN to another VLAN, use the following commands.

1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
CONFIGURATION mode
interface vlan vlan-id

2 Configure an interface as untagged.
INTERFACE mode
untagged interface
This command is available only in VLAN interfaces.
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode.
61 VLT Proxy Gateway

The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to an L3 end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration.
information about the eVLT, see the Virtual Link Trunking (VLT) chapter. The core or Layer 3 routers C and D in the local VLT Domain and C1 and D1 in the remote VLT Domain are then part of a Layer 3 cloud.

Figure 140. VLT Proxy Gateway — Topology 1

Guidelines for Enabling the VLT Proxy Gateway

Keep the following points in mind when you enable this functionality:
1. The proxy gateway is supported only for VLT; for example, across a VLT domain.
2.
routing protocols are enabled and both DCs come in the same subnet, there is no route asymmetry dynamically. But if you configure the static route on one DC and not on the other, there is asymmetry.
8. If the port-channel specified in the proxy-gateway command is not a VLT LAG, the configuration is rejected by the CLI. The VLT LAG cannot be configured as a legacy LAG when it is part of a proxy-gateway.
9. You cannot change the LLDP port channel interface to a legacy LAG when you enable the proxy gateway.
The LLDP organizational TLV passes local destination MAC address information to peer VLT domain devices so they can act as the proxy gateway.
Sample Scenario for VLT Proxy Gateway

Figure 141. VLT Proxy Gateway — Topology 2

1. The above figure (Topology 2) shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method.
Static Proxy Configuration Method

Dell(conf-vlt-domain)#proxy-gateway static
Dell(conf-vlt-domain-pxy-gw-static)#remote-mac-address 01:23:45:67:89:ab exclude-vlan 10

Dynamic Proxy Configuration Method

Dell(conf-vlt-domain)#proxy-gateway lldp
Dell(conf-vlt-domain-pxy-gw-lldp)#peer-domain-link port-channel 1 exclude-vlan 10

5.
VLT DOMAIN PROXY GW LLDP mode
Dell(conf-vlt-domain-proxy-gw-lldp)#peer-domain-link port-channel interface exclude-vlan vlan-range

4 Display the VLT proxy gateway configuration.
62 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.

VRF Overview

VRF improves functionality by allowing network paths to be segmented without using multiple devices.
VRF uses interfaces to distinguish routes for different VRF instances. Interfaces in a VRF can be either physical (Ethernet port or port channel) or logical (VLANs). You can configure identical or overlapping IP subnets on different interfaces if each interface belongs to a different VRF instance. Figure 142.
VRF supports some routing protocols only on the default VRF (default-vrf) instance. Table 1 displays the software features supported in VRF and whether they are supported on all VRF instances or only the default VRF.

Table 89.

Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
Configuration rollback for commands introduced or modified | Yes | No
LLDP protocol on the port | Yes | No
802.
Feature/Capability | Support Status for Default VRF | Support Status for Non-default VRF
Support for storm-control (broadcast and unknown-unicast) | Yes | No
sFlow | Yes | No
VRRP on physical and logical interfaces | Yes | Yes
VRRPV3 | Yes | Yes
Secondary IP Addresses | Yes | No
Following IPv6 capabilities No
Basic | Yes | No
OSPFv3 | Yes | Yes
IS-IS | Yes | Yes
BGP | Yes | Yes
ACL | Yes | No
Multicast | Yes | No
NDP | Yes | Yes
RAD | Yes | Yes
Ingress/Egress Storm-Control (per-interface/global) | Yes | No
DHCP DHCP requ
Table 90. Load VRF CAM

Step | Task | Command Syntax | Command Mode
1 | Load CAM memory for the VRF feature. | feature vrf | CONFIGURATION

After you load VRF CAM, CLI parameters that allow you to configure non-default VRFs are made available on the system.

Creating a Non-Default VRF Instance

VRF is enabled by default on the switch and supports up to 512 VRF instances: 1 to 512 and the default VRF (0).

Table 91.
Task | Command Syntax | Command Mode
Assign an IPv4 address to the interface. NOTE: You can assign either an IPv4 or an IPv6 address but not both. | ip address 10.1.1.1/24 | INTERFACE CONFIGURATION
Assign an IPv6 address to the interface. NOTE: You can also auto configure an IPv6 address using the ipv6 address autoconfig command. | ipv6 address 1::1 | INTERFACE CONFIGURATION

View VRF Instance Information

To display information about VRF configuration, enter the show ip vrf command.
Task | Command Syntax | Command Mode
Create VRF | ip vrf vrf1 | CONFIGURATION
Assign the VRF to an interface | ip vrf forwarding vrf1 | VRF CONFIGURATION
Assign an IP address to the interface | ip address 10.1.1.1/24 no shutdown
Configure the VRRP group and virtual IP address
View VRRP command output for the VRF vrf1

Configuring Management VRF

You can assign a management interface to a management VRF.

Task | Command Syntax | Command Mode
Create a management VRF.
This command indicates that packets that are destined to x.x.x.x/s.s.s.s are reachable through nh.nh.nh.nh in the default VRF table. That is, the routes to x.x.x.x/s.s.s.s are leaked from the default VRF routing table into the non-default VRF routing table.

The following example illustrates how route leaking between two VRFs can be performed:

interface TenGigabitEthernet 0/9
 ip vrf forwarding VRF1
 ip address 120.0.0.1/24
interface TenGigabitEthernet 0/10
 ip vrf forwarding VRF2
 ip address 140.0.0.
Sample VRF Configuration

The following configuration illustrates a typical VRF set-up.

Figure 143. Setup OSPF and Static Routes

Figure 144.
The following example relates to the configuration shown in Figure 1 and Figure 2.

Router 1

Router 2

The following shows the output of the show commands on Router 1.

Router 1

The following shows the output of the show commands on Router 2.
While importing these routes into VRF-blue, you can further specify match conditions at the import end to define the filtering criteria based on which the routes are imported into VRF-blue. You can define a route-map import_ospf_protocol and then specify the match criteria as OSPF using the match source-protocol ospf command. You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map.
Configuring Route Leaking without Filtering Criteria

You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF. For leaking IPv6 routes, use the ipv6 route-export tag command. This action exposes source VRF's routes (IPv4 or IPv6 depending on the command that you use) to various other VRFs. The destinations or target VRFs then import these IPv4 or IPv6 routes using the ip route-import tag or the ipv6 route-import tag command respectively.
 ip route-export 3:3
 ip route-import 1:1
!
ip vrf VRF-Green
!
ip vrf VRF-shared
 ip route-export 1:1
 ip route-import 2:2
 ip route-import 3:3

Show routing tables of all the VRFs (without any route-export and route-import tags being configured)

Show routing tables of VRFs (after route-export and route-import tags are configured).
63 Virtual Link Trunking (VLT)

Virtual link trunking (VLT) is supported on Dell Networking OS.

Overview

VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP).

Figure 145. Example of VLT Deployment

VLT on Core Switches

You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
• VLT peer device — One of a pair of devices that are connected with the special port channel known as the VLT interconnect (VLTi). VLT peer switches have independent management planes. A VLT interconnect between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peer switches. The VLT interconnect uses either 10G or 40G user ports on the chassis. A separate backup link maintains heartbeat messages across an out-of-band (OOB) management network.
– A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices.
– Each VLT domain has a unique MAC address that you can configure using the system-mac command. If you do not specify a MAC address, VLT uses the primary peer’s MAC address by default.
– ARP tables are synchronized between the VLT peer nodes.
– VLT peer switches operate as separate chassis with independent control and data planes for devices attached on non-VLT ports.
• VLT backup link
– In the backup link between peer switches, heartbeat messages are exchanged between the two chassis for health checks. The default time interval between heartbeat messages over the backup link is 1 second. You can configure this interval. The range is from 1 to 5 seconds. DSCP marking on heartbeat messages is CS6.
• Software features not supported with VLT
– In a VLT domain, the following software features are not supported on non-VLT ports: 802.1x, DHCP snooping, and FRRP.
• VLT and VRRP interoperability
– In a VLT domain, VRRP interoperates with virtual link trunks that carry traffic to and from access devices (see Overview). The VLT peers belong to the same VRRP group and are assigned master and backup roles. Each peer actively forwards L3 traffic, reducing the traffic flow over the VLT interconnect.
RSTP and VLT

VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire layer 2 network, which can cause a network-wide flush of learned MAC and ARP addresses, requiring these addresses to be re-learned. However, enabling RSTP can detect potential loops caused by non-system issues such as cabling errors or incorrect configurations.
VLT and Stacking

You cannot enable stacking on switches configured for VLT operation. If you enable stacking on a Dell Networking switch on which you want to enable VLT, you must first remove the unit from the existing stack. After you remove the unit, you can configure VLT on the switch.

VLT IPv6

The following features have been enhanced to support VLT on IPv6:
• VLT Sync — Entries learned on the VLT interface are synced on both VLT peers.
PIM-Sparse Mode Support on VLT

The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources.

Figure 146.
To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode command. Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are Spanned, the multicast route table is synced between the VLT peers.
NOTE: The peer-routing and peer-routing-timeout commands are supported on both IPv4 and IPv6 to enable L3 VLT peer routing and configure the delay after which peer routing is disabled.

Configuring VLT Unicast

To enable and configure VLT unicast, follow these steps.

1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id

2 Enable peer-routing.
VLT DOMAIN mode
peer-routing

3 Configure the peer-routing timeout.
Configuring VLT Multicast

To enable and configure VLT multicast, follow these steps.

1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id

2 Enable peer-routing.
VLT DOMAIN mode
peer-routing

3 Configure the multicast peer-routing timeout.
VLT DOMAIN mode
multicast peer-routing—timeout value
value: Specify a value (in seconds) from 1 to 1200.

4 Configure a PIM-SM compatible VLT node as a designated router (DR).
Preventing Forwarding Loops in a VLT Domain

During the bootup of VLT peer switches, a forwarding loop may occur until the VLT configurations are applied on each switch and the primary/secondary roles are determined. To prevent the interfaces in the VLT interconnect trunk and RSTP-enabled VLT ports from entering a Forwarding state and creating a traffic loop in a VLT domain, take the following steps.
Configuring VLT

VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. To configure VLT, use the following procedure.

Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
Enabling VLT and Creating a VLT Domain

To enable VLT and create a VLT domain:

1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id
The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain.
Configuring a VLT Backup Link

To configure a VLT backup link, use the following command.

1 Specify the management interface to be used for the backup link through an out-of-band management network.
CONFIGURATION mode
interface managementethernet slot/port
Enter the slot (0-1) and the port (0).

2 Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
Reconfiguring the Default VLT Settings (Optional)

To reconfigure the default VLT settings, use the following commands.

1 Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.

2 (Optional) When you create a VLT domain on a switch, the system automatically creates a VLT-system MAC address used for internal system operations.
3 Place the interface in Layer 2 mode.
INTERFACE PORT-CHANNEL mode
switchport

4 Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• 1-Gigabit Ethernet: enter gigabitethernet slot/port.
• 10-Gigabit Ethernet: enter tengigabitethernet slot/port.
• 40-Gigabit Ethernet: Enter fortyGigE slot/port.

5 Ensure that the port channel is active.
The range is from 1 to 4094.

Configuring Enhanced VLT (eVLT) (Optional)

To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands.

1 Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
7 When you create a VLT domain on a switch, the system automatically assigns a unique unit ID (0 or 1) to each peer switch.
VLT DOMAIN CONFIGURATION mode
unit-id {0 | 1}
The unit IDs are used for internal system operations. To explicitly configure the default values on each peer switch, use the unit-id command. Configure a different unit ID (0 or 1) on each peer switch.
To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration.

VLT Sample Configuration

To review a sample VLT configuration setup, study these steps.

1 Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
VLT DOMAIN mode
vlt domain domain-id

2 Configure the VLTi between VLT peer 1 and VLT peer 2.

3 You can configure LACP/static LAG between the peer units (not shown).
Example of Configuring VLT

In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.

NOTE: If you use a third-party ToR unit, Dell Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers.

Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
Dell-2#show running-config interface port-channel 2
!
interface Port-channel 2
 no ip address
 switchport
 vlt-peer-lag port-channel 2
 no shutdown

Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel

   LAG  Mode  Status  Uptime    Ports
L  2    L2L3  up      03:33:14  Te 0/40 (Up)

In the ToR unit, configure LACP on the physical ports.
Verify that the VLT LAG is up in both VLT peer units.

Dell-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel

   LAG  Mode  Status  Uptime    Ports
L  2    L2L3  up      03:43:24  Te 0/40 (Up)

Dell-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel

   LAG  Mode  Status  Uptime    Ports
L  2    L2L3  up      03:33:31  Te 0/18 (Up)

eVLT Configuration Example

The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains.
Configure eVLT on Peer 1.

Domain_1_Peer1(conf)#interface port-channel 100
Domain_1_Peer1(conf-if-po-100)# switchport
Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer1(conf-if-po-100)# no shutdown

Add links to the eVLT port-channel on Peer 1.
Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer4#no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.12
Domain_2_Peer4(conf-vlt-domain)# system-mac mac-address 00:0b:00:0b:00:0b
Domain_2_Peer4(conf-vlt-domain)# unit-id 1
Configure eVLT on Peer 4.
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation.
EXEC mode
show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
UDP Port: 34998
HeartBeat Messages Sent: 1026
HeartBeat Messages Received: 1025
Dell_VLTpeer2# show vlt backup-link
VLT Backup Link
----------------
Destination: 10.11.200.20
Peer HeartBeat status: Up
HeartBeat Timer Interval: 1
HeartBeat Timeout: 3
UDP Port: 34998
HeartBeat Messages Sent: 1030
HeartBeat Messages Received: 1014
The following example shows the show vlt brief command.
The following example shows the show vlt role command.
Name PortID Prio Cost Sts Cost Bridge ID PortID
---------- -------- ---- ------- --------- ------- -----------------
Po 1 128.2 128 200000 DIS 800 4096 0001.e88a.d656 128.2
Po 3 128.4 128 200000 DIS 800 4096 0001.e88a.d656 128.4
Po 4 128.5 128 200000 DIS 800 4096 0001.e88a.d656 128.5
Po 100 128.101 128 800 FWD(VLTi) 800 0 0001.e88a.dff8 128.101
Po 110 128.111 128 00 FWD(vlt) 800 4096 0001.e88a.d656 128.111
Po 111 128.112 128 200000 DIS(vlt) 800 4096 0001.e88a.d656 128.112
Po 120 128.
Dell_VLTpeer1(conf-if-po-110)#no shutdown
Dell_VLTpeer1(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer1(conf-if-po-110)#end
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch)
On an access device, verify the port-channel connection to a VLT domain.
Dell_TORswitch(conf)# show running-config interface port-channel 11
!
interface Port-channel 11
 no ip address
 switchport
 channel-member fortyGigE 1/18,22
 no shutdown
Troubleshooting VLT
To help troubleshoot different VLT issues that may occur, use the following information.
Description: System MAC mismatch
  Behavior at Peer Up: A syslog error message and an SNMP trap are generated.
  Behavior During Run Time: A syslog error message and an SNMP trap are generated.
  Action to Take: Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.
Description: Unit ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up. The VLTi is forced to a down state.
  Behavior During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state.
The association of PVLAN with the VLT LAG must also be identical. After the VLT LAG is configured to be a member of either the primary or secondary PVLAN (which is associated with the primary), ICL becomes an automatic member of that PVLAN on both switches. This association helps the PVLAN data flow received on one VLT peer for a VLT LAG to be transmitted on that VLT LAG from the peer. You can associate either a VLT VLAN or a VLT LAG to a PVLAN.
mode of operation and the primary to secondary association of the VLT nodes is determined on both the VLT peers. MAC synchronization is performed for the VLT LAGs only if the VLT LAG and primary-secondary VLT peer mapping are symmetrical. The PVLAN mode of VLT LAGs on one peer is validated against the PVLAN mode of VLT LAGs on the other peer. MAC addresses that are learned on that VLT LAG are synchronized between the peers only if the PVLAN mode on both the peers is identical.
ARP requests received on ICLs are not proxied, even if they are received with a secondary VLAN tag. This behavior change occurs because the node from which the ARP request was forwarded would have replied with its MAC address, and the current node discards the ARP request.
VLT LAG Mode Peer1 PVLAN Mode of VLT VLAN Peer2 Access Access Access Access ICL VLAN Membership Mac Synchronization Peer1 Peer2 - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PV
5 To configure the VLT interconnect, repeat Steps 1–4 on the VLT peer switch.
6 Enter VLT-domain configuration mode for a specified VLT domain.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
7 Enter the port-channel number that acts as the interconnect trunk.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
The range is from 1 to 128.
private-vlan mode primary
8 Map secondary VLANs to the selected primary VLAN.
INTERFACE VLAN mode
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
• Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
• Specified with this command even before they have been created.
• Amended by specifying the new secondary VLAN to be added to the list.
The IP address of the VLT node VLAN interface is synchronized with the VLT peer over ICL when the VLT peers are up. Whenever an IP address is added or deleted, this updated information is synchronized with the VLT peer. IP address synchronization occurs regardless of the VLAN administrative state. IP address addition and deletion serve as the trigger events for synchronization. When a VLAN state is down, the VLT peer might perform a proxy ARP operation for the IP addresses of that VLAN interface.
or synchronized multicast outgoing interface (OIF) maps after a peer node failure, use the timeout value that you configured through the multicast peer-routing timeout value command. You can configure an optimal time for a VLT node to retain synced multicast routes or synced multicast outgoing interface (OIF), after a VLT peer node failure, through the multicast peer-routing-timeout command in VLT DOMAIN mode.
!
interface Port-channel 10
 no ip address
 switchport
 vlan-stack access
 vlt-peer-lag port-channel 10
 no shutdown
Dell#
Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)#vlt-peer-lag port-channel 20
Dell(conf-if-po-20)#vlan-stack trunk
Dell(conf-if-po-20)#no shutdown
Dell#show running-config interface port-channel 20
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
Dell#
Configure VLAN as VLAN-Stack VLAN and ad
Dell#show running-config interface port-channel 10
!
interface Port-channel 10
 no ip address
 switchport
 vlan-stack access
 vlt-peer-lag port-channel 10
 no shutdown
Dell#
Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)#vlt-peer-lag port-channel 20
Dell(conf-if-po-20)#vlan-stack trunk
Dell(conf-if-po-20)#no shutdown
Dell#show running-config interface port-channel 20
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shut
64 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS.
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3. VRRP is supported on “all types” of interfaces, including physical, VLAN, port-channel, and port extender interfaces. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
For more detailed information about VRRP, refer to RFC 2338, Virtual Router Redundancy Protocol.
Figure 148. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocols (IGPs) to converge or update routing tables.
Table 96. Recommended VRRP Advertise Intervals on the Switch
Total VRRP Groups        Recommended Advertise Interval   Groups/Interface
Less than 250            1 second                         12
Between 250 and 450      2–3 seconds                      24
Between 450 and 600      3–4 seconds                      36
Between 600 and 800      4 seconds                        48
Between 800 and 1000     5 seconds                        84
Between 1000 and 1200    7 seconds                        100
Between 1200 and 1500    8 seconds                        120
VRRP Configuration
By default, VRRP is not configured.
• Delete a VRRP group.
INTERFACE mode
no vrrp-group vrid
Examples of Configuring and Verifying a VRRP Configuration
The following example shows configuring a VRRP configuration.
Dell(conf)#int te 1/1
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#
The following example shows verifying a VRRP configuration.
Dell(conf-if-te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
1. Set the backup switches to VRRP version both.
Dell_backup_switch1(conf-if-te-0/1-vrid-100)#version both
Dell_backup_switch2(conf-if-te-0/2-vrid-100)#version both
2. Set the master switch to VRRP protocol version 3.
Dell_master_switch(conf-if-te-0/1-vrid-100)#version 3
3. Set the backup switches to version 3.
The following example shows how to verify a virtual IP address configuration.
NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
Dell(conf-if-te-1/1/1)#show conf
!
interface TenGigabitEthernet 1/1/1
 ip address 10.10.10.1/24
!
 vrrp-group 111
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.
Examples of the priority Command
Dell(conf-if-te-1/2/1)#vrrp-group 111
Dell(conf-if-te-1/2/1-vrid-111)#priority 125
To verify the VRRP group priority, use the show vrrp command.
Dell>show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.
  virtual-address 10.10.10.3
  virtual-address 10.10.10.10
Disabling Preempt
The preempt command is enabled by default. The command forces the system to change the MASTER router if another router with a higher priority comes online. Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt.
NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled.
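The show vrrp output from every router in a group can be compared to confirm the preempt rule in the NOTE above and to spot a group that is misbehaving. The following is an added example, not code from Dell or from this guide: the two outputs are constructed, it assumes all outputs come from routers on the same LAN, and the bad-packet and single-Master checks are additional sanity checks chosen for the example.

```python
import re
from collections import defaultdict

# Constructed 'show vrrp' output from two routers on one LAN, laid out like
# the examples in this guide (the counters and the FALSE value are made up).
R2 = """\
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
"""
R3 = """\
-----------------
TenGigabitEthernet 3/21, VRID: 99, Net: 10.1.1.2
State: Backup, Priority: 100, Master: 10.1.1.1
Hold Down: 0 sec, Preempt: FALSE, AdvInt: 1 sec
Adv rcvd: 698, Bad pkts rcvd: 4, Adv sent: 0, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:63
"""

GROUP_RE = re.compile(
    r"^\S+ \S+, (?:(?P<family>IPv[46]) )?VRID: (?P<vrid>\d+),.*?"
    r"State: (?P<state>\w+),.*?Preempt: (?P<preempt>TRUE|FALSE),.*?"
    r"Bad pkts rcvd: (?P<bad>\d+),.*?"
    r"Virtual MAC address:\s*(?P<vmac>[0-9a-fA-F:]{17})",
    re.S | re.M)

def parse_show_vrrp(text):
    """Yield one dict per VRRP group block in 'show vrrp' output."""
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        m = GROUP_RE.search(chunk)
        if m:
            g = m.groupdict()
            g["family"] = g["family"] or "IPv4"
            g["vrid"], g["bad"] = int(g["vrid"]), int(g["bad"])
            yield g

def audit(outputs):
    """outputs maps router name -> 'show vrrp' text; returns sorted findings."""
    findings, groups = [], defaultdict(list)
    for router, text in outputs.items():
        for g in parse_show_vrrp(text):
            groups[(g["family"], g["vrid"])].append((router, g))
            # RFC 3768 / RFC 5798 virtual MAC: 00:00:5e:00:01:VRID (IPv4)
            # or 00:00:5e:00:02:VRID (IPv6).
            octet = "01" if g["family"] == "IPv4" else "02"
            expected = "00:00:5e:00:%s:%02x" % (octet, g["vrid"])
            if g["vmac"].lower() != expected:
                findings.append(f"{router} VRID {g['vrid']}: virtual MAC is not {expected}")
            if g["bad"]:
                findings.append(f"{router} VRID {g['vrid']}: {g['bad']} bad packets received")
    for (family, vrid), members in groups.items():
        if len({g["preempt"] for _, g in members}) > 1:
            findings.append(f"VRID {vrid}: preempt setting differs between routers")
        masters = sum(g["state"] == "Master" for _, g in members)
        if masters != 1:
            findings.append(f"VRID {vrid}: {masters} routers report Master state")
    return sorted(findings)
```

A non-zero bad-packet counter on a group whose peers show none is worth a closer look, because authentication is not available on VRRPv3 and the outputs in this guide show Authentication: (none).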
To change the advertisement interval in seconds or centisecs, use the following commands. A centisec is 1/100 of a second.
• Change the advertisement interval setting.
INTERFACE-VRID mode
advertise-interval seconds
The range is from 1 to 255 seconds.
The default is 1 second.
• For VRRPv3, change the advertisement centisecs interval setting.
INTERFACE-VRID mode
advertise-interval centisecs centisecs
The range is from 25 to 4075 centisecs in units of 25 centisecs.
The default is 100 centisecs.
• Set the delay time for VRRP initialization on an individual interface.
INTERFACE mode
vrrp delay minimum seconds
This time is the gap between an interface coming up and being operational, and VRRP enabling.
The seconds range is from 0 to 900.
The default is 0.
• Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
INTERFACE mode
vrrp delay reload seconds
This time is the gap between system boot up completion and VRRP enabling.
Tracking an Interface
To track an interface, use the following commands.
NOTE: The sum of all the costs for all tracked interfaces must be less than the configured priority of the VRRP group.
• Monitor an interface and, optionally, set a value to be subtracted from the interface’s VRRP group priority.
INTERFACE-VRID mode
track interface [priority-cost cost]
The cost range is from 1 to 254.
The default is 10.
• (Optional) Display the configuration.
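The numeric limits stated above (tracked costs summing to less than the group priority, cost from 1 to 254, advertise interval from 1 to 255 seconds or from 25 to 4075 centisecs in steps of 25) can be checked against a planned configuration before it is applied. The following is an added example, not code from Dell or from this guide; the configuration fragment and interface names are constructed, and a default priority of 100 is assumed when a group sets none.

```python
import re

# Constructed running-config fragment (not from a real device). The command
# forms follow the syntax given in this guide; the interface names are made up.
SAMPLE = """\
interface TenGigabitEthernet 1/1
 ip address 10.10.10.1/24
 vrrp-group 111
  priority 125
  advertise-interval centisecs 110
  track TenGigabitEthernet 1/2 priority-cost 100
  track TenGigabitEthernet 1/3 priority-cost 30
  virtual-address 10.10.10.10
 no shutdown
"""

DEFAULT_PRIORITY = 100  # assumption: default VRRP priority when none is set
DEFAULT_COST = 10       # default priority-cost stated in the guide

def parse_groups(config):
    """Return one dict per vrrp-group stanza found in the configuration."""
    groups, cur = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = None
        elif m := re.match(r"vrrp-group (\d+)$", line):
            cur = {"vrid": int(m.group(1)), "priority": DEFAULT_PRIORITY,
                   "costs": [], "adv": None}
            groups.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"priority (\d+)$", line):
            cur["priority"] = int(m.group(1))
        elif m := re.match(r"advertise-interval (centisecs )?(\d+)$", line):
            cur["adv"] = ("centisecs" if m.group(1) else "seconds", int(m.group(2)))
        elif m := re.match(r"track \S+ \S+(?: priority-cost (\d+))?$", line):
            cur["costs"].append(int(m.group(1)) if m.group(1) else DEFAULT_COST)
    return groups

def validate(config):
    """Check each group against the limits the guide states."""
    findings = []
    for g in parse_groups(config):
        tag = f"vrrp-group {g['vrid']}"
        for cost in g["costs"]:
            if not 1 <= cost <= 254:
                findings.append(f"{tag}: priority-cost {cost} is outside 1-254")
        total = sum(g["costs"])
        if total >= g["priority"]:
            findings.append(f"{tag}: tracked costs total {total}, "
                            f"not less than priority {g['priority']}")
        if g["adv"]:
            unit, value = g["adv"]
            if unit == "seconds" and not 1 <= value <= 255:
                findings.append(f"{tag}: advertise-interval {value} s is outside 1-255")
            if unit == "centisecs" and (not 25 <= value <= 4075 or value % 25):
                findings.append(f"{tag}: advertise-interval {value} centisecs "
                                "is not 25-4075 in steps of 25")
    return findings
```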
First-hop interface is GigabitEthernet 1/3
Tracked by:
VRRP GigabitEthernet 1/8 IPv6 VRID 1
The following example shows verifying the VRRP status.
ON the MASTER
==========
Dell#show vrrp
-----------------
TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1
VRF: 0 default
State: Master, Priority: 100, Master: 1.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 36, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 1.
support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes. The VRRP topology was created using the CLI configuration shown in the following example.
Figure 149. VRRP for IPv4 Topology
Example of Configuring VRRP for IPv4
Router 2
R2(conf)#int te 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#
Router 3
R3(conf)#int te 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.2/24
R3(conf-if-te-3/21)#vrrp-group 99
R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
10.1.1.3
Authentication: (none)
Figure 150. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address.
Example of Configuring VRRP for IPv6
Router 2 and Router 3
Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-te-0/0-vrid-10)#virtual-address 1::10
R2(conf-if-te-0/0-vrid-10)#no shutdown
R2(conf-if-te-0/0)#show config
interface TenGigabitEthernet 0/0
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-0/0)#end
ON MASTER
==========
Dell#show vrrp
-----------------
TenGigabitEthernet 0/1, IPv4 VRID: 1, Version: 2, Net: 1.1.1.1
VRF: 0 default
State: Master, Priority: 100, Master: 1.1.1.
Virtual MAC address: 00:00:5e:00:02:0a
VRRP in a VRF Configuration
The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios.
• Multiple VRFs on physical interfaces running VRRP.
• Multiple VRFs on VLAN interfaces running VRRP.
To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration.
VRRP in a VRF: Non-VLAN Scenario
The following example shows how to enable VRRP in a non-VLAN.
There is no requirement for the virtual IP and node IP addresses to be the same in VRF-1 and VRF-2; similarly, there is no requirement for the IP addresses to be different. In VRF-3, the node IP addresses and subnet are unique. Figure 151.
S1(conf-if-te-2/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-2/3-vrid-105)#priority 255
S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.
!
S1(conf-if-te-2/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.5/24
S1(conf-if-vl-100)#tagged tengigabitethernet 2/4
S1(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-vl-100-vrid-101)#priority 100
S1(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.
S2(conf-if-vl-300-vrid-101)#virtual-address 20.1.1.5
S2(conf-if-vl-300)#no shutdown
Displaying VRRP in a VRF Configuration
To display information on a VRRP group that is configured on an interface that belongs to a VRF instance, use the following commands.
• Display information on a VRRP group that is configured on an interface that belongs to a VRF instance.
show running-config track [interface interface]
• Display information on VRRP groups configured on interfaces that belong to a VRF instance.
65 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
MTU 9,252 bytes
RFC and I-D Compliance
The C9000 series supports the following standards. The standards are grouped by related protocol.
General Internet Protocols
The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols.
Table 97.
RFC# Full Name
2796 BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP)
2842 Capabilities Advertisement with BGP-4
2858 Multiprotocol Extensions for BGP-4
2918 Route Refresh Capability for BGP-4
3065 Autonomous System Confederations for BGP
4360 BGP Extended Communities Attribute
4893 BGP Support for Four-octet AS Number Space
5396 Textual Representation of Autonomous System (AS) Numbers
draft-ietf-idr-bgp4-20 A Border Gateway Protocol 4 (BGP-4)
draft-ietf-idrrestart- 0
General IPv6 Protocols
The following table lists the Dell Networking OS support on the C9000 series for general IPv6 protocols.
Table 100.
RFC# Full Name
5308 Routing IPv6 with IS-IS
draft-ietf-isis-igp-p2p-over-lan-06 Point-to-point operation over LAN in link-state routing protocols
draft-kaplan-isis-ext-eth-02 Extended Ethernet Frame Size Support
Network Management
The following table lists the Dell Networking OS support on the C9000 Series for network management protocol.
Table 102.
RFC# Full Name
radiusAuthClientMalformedAccessResponses
radiusAuthClientUnknownTypes
radiusAuthClientPacketsDropped
2698 A Two Rate Three Color Marker
3635 Definitions of Managed Objects for the Ethernet-like Interface Types
2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol
2819 Remote Network Monitoring Management Information Base: Ethernet Statistics
RFC# Full Name
IEEE 802.1AB Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components.
IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB)
IEEE 802.1AB The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information.
Multicast
The following table lists the Dell Networking OS support per platform for Multicast protocol.
Table 103. Multicast
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale
1112 Host Extensions for IP Multicasting 7.8.1 7.7.1 √ 8.1.1
2236 Internet Group Management Protocol, Version 2 7.8.1 7.7.1 √ 8.1.1
2710 Multicast Listener Discovery (MLD) for IPv6 √ 8.2.1
3376 Internet Group Management Protocol, Version 3 7.7.1 √ 8.1.1
3569 An Overview of Source- 7.8.
Open Shortest Path First (OSPF)
The following table lists the Dell Networking OS support on the C9000 Series for OSPF protocol.
Table 104.