Dell Networking Configuration Guide for the C9000 Series Version 9.10(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
1 About this Guide This Configuration guide provides information about how to use and configure the software features supported in the Dell Networking operating system (OS) on a C9010 switch and C1048P port extender. You can configure each feature by entering commands from the C9010 console. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
Related Documents
For more information about the Dell Networking C9000 Series, refer to the following documents:
• Dell Networking C9010 Getting Started Guide
• Dell Networking C9010 Installation Guide
• Dell Networking C1048P Getting Started Guide
• Dell Networking C1048P Installation Guide
• Dell Networking C9000 Series Command Line Reference Guide
• Dell Networking C9000 Series Release Notes
2 Configuration Fundamentals The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
Password:
Dell>
CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode, except for EXEC mode commands with a preceding do command (refer to the do Command section). You can set user access rights to commands and command modes using privilege levels. For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter.
GRUB DHCP DHCP POOL ECMP-GROUP EXTENDED COMMUNITY FRRP INTERFACE GIGABIT ETHERNET 10 GIGABIT ETHERNET 40 GIGABIT ETHERNET INTERFACE RANGE LOOPBACK MANAGEMENT ETHERNET NULL PORT-CHANNEL TUNNEL VLAN VRRP IP IPv6 IP COMMUNITY-LIST IP ACCESS-LIST STANDARD ACCESS-LIST EXTENDED ACCESS-LIST MAC ACCESS-LIST LINE AUXILLIARY CONSOLE VIRTUAL TERMINAL LLDP LLDP MANAGEMENT INTERFACE MONITOR SESSION MULTIPLE SPANNING TREE OPENFLOW INSTANCE PVST PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POL
Navigating CLI Modes The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode                                       Prompt                      Access Command
PE 1-Gigabit Ethernet interface (on a port extender)   Dell(conf-if-pegi-0/0/0)#   interface (INTERFACE modes)
Port-channel Interface                                 Dell(conf-if-po-0)#         interface (INTERFACE modes)
Tunnel Interface                                       Dell(conf-if-tu-0)#         interface (INTERFACE modes)
VLAN Interface                                         Dell(conf-if-vl-0)#         interface (INTERFACE modes)
STANDARD ACCESS-LIST                                   Dell(config-std-nacl)#      ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIST                                   Dell(config-ext-nacl)#      ip access-lis
CLI Command Mode   Prompt                                         Access Command
ROUTER RIP         Dell(conf-router_rip)#                         router rip
SPANNING TREE      Dell(config-span)#                             protocol spanning-tree 0
TRACE-LIST         Dell(conf-trace-acl)#                          ip trace-list
CLASS-MAP          Dell(config-class-map)#                        class-map
CONTROL-PLANE      Dell(conf-control-cpuqos)#                     control-plane-cpuqos
DCB POLICY         Dell(conf-dcb-in)# (for input policy)          dcb-input for input policy
                   Dell(conf-dcb-out)# (for output policy)        dcb-output for output policy
DHCP               Dell(config-dhcp)#                             ip dhcp server
DHCP POOL
CLI Command Mode     Prompt                                                      Access Command
VRRP                 Dell(conf-if-interfacetype-slot/port-vrid-vrrpgroup-id)#    vrrp-group
UPLINK STATE GROUP   Dell(conf-uplink-stategroup-groupID)#                       uplink-state-group

The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
3 24-port TE/GE (VG) 4 6-port TE/FG (VG) 2 4-port TE/GE (VG) 208 Ten GigabitEthernet/IEEE 802.3 in10 Forty GigabitEthernet/IEEE 802.3 interface(s) Dell# Dell(conf)#do show running-config interface tengigabitethernet 0/0 ! interface TenGigabitEthernet 0/0 no ip address shutdown Dell(conf)# Undoing Commands When you enter a command, the command line is added to the running configuration file (running-config).
clock        Manage the system clock
configure    Configuring from terminal
copy         Copy from one file to another
debug        Debug functions
--More--
• Entering ? after a partial keyword lists all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map
clock
Dell(conf)#cl
• Entering [space]? after a keyword lists all of the keywords that can follow the specified keyword.
Short-Cut Key Combination   Action
CNTL-P                      Recalls commands, beginning with the last command.
CNTL-R                      Re-enters the previous command.
CNTL-U                      Deletes the line.
CNTL-W                      Deletes the previous word.
CNTL-X                      Deletes the line.
CNTL-Z                      Ends continuous scrolling of command outputs.
Esc B                       Moves the cursor back one word.
Esc F                       Moves the cursor forward one word.
Esc D                       Deletes all characters from the cursor to the end of the word.
The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show processes command. Dell#show processes cpu cp | grep system 0 72000 7200 10000 0 system 17.97% 17.81% 17.96% NOTE: Dell Networking OS accepts a space or no space before and after the pipe. To filter a phrase with spaces, underscores, or ranges, enclose the phrase with double quotation marks. The except keyword displays text that does not match the specified text.
3 Getting Started This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Serial Console
The RJ-45 network management port is located on the left side of the RPM as you face the chassis. Use a supported RJ-45 cable for a network connection.
Figure 1. RJ-45 Console Port (callout 1: RJ-45 Console Port)
Accessing the Console Port
To access the console port, follow these steps:
For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1 Install an RJ-45 copper cable into the console port.
Table 2. Pin Assignments Between the Console and a DTE Terminal Server
Console Port   RJ-45 to RJ-45 Rollover Cable   RJ-45 to RJ-45 Rollover Cable   RJ-45 to DB-9 Adapter   Terminal Server Device
Signal         RJ-45 Pinout                    RJ-45 Pinout                    DB-9 Pin                Signal
RTS            1                               8                               8                       CTS
NC             2                               7                               6                       DSR
TxD            3                               6                               2                       RxD
GND            4                               5                               5                       GND
GND            5                               4                               5                       GND
RxD            6                               3                               3                       TxD
NC             7                               2                               4                       DTR
CTS            8                               1                               7                       RTS

Mounting an NFS File System
This feature enables you to quickly access data on an NFS mounted file system.
Table 4. Forming a copy Command Location source-file-url Syntax destination-file-url Syntax For a remote file location: copy nfsmount://{}/filepath/filename} username:password tftp://{hostip | hostname}/filepath/ filename NFS File System Important Points to Remember • You cannot copy a file from one remote system to another. • You cannot copy a file from one location to the same location.
running-config remote host: Destination file name [test.c]: ! 225 bytes successfully copied Dell# Default Configuration Although a version of the Dell Networking OS is pre-loaded on the switch, the system is not configured when you power up the first time (except for the default hostname, which is Dell). You must configure the system using the CLI. Configuring a Host Name The host name appears in the prompt. The default host name is Dell.
3 Configure a username and password.
  Configure a Username and Password

Configure the Management Port IP Address
To access the system remotely, assign IP addresses to the management ports.
NOTE: Assign an IP address to the management port.
1 Enter INTERFACE mode for the Management port for RPM 0 (RPM 0 is in slot 10).
  CONFIGURATION mode
  interface ManagementEthernet 0/0
  For RPM 1 (RPM 1 is in slot 11), configure its Management port:
  interface ManagementEthernet 1/0
2 Assign an IP address to the interface.
CONFIGURATION mode
username username password [encryption-type] password
• encryption-type: specifies how you are inputting the password, is 0 by default, and is not required.
  • 0 is for inputting the password in clear text.
  • 7 is for inputting a password that is already encrypted using a Type 7 hash. Obtain the encrypted password from the configuration of another Dell Networking system.
Configuring the Enable Password
Access EXEC Privilege mode using the enable command.
File Storage The Dell Networking OS can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default, but can be configured to store files elsewhere. To view file system information, use the following command. • View information about each file system.
Table 5.
• Save the running-configuration to the startup-configuration on the system.
  EXEC Privilege mode
  copy running-config startup-config
• Save the running-configuration to an FTP server.
  EXEC Privilege mode
  copy running-config ftp://username:password@{hostip | hostname}/filepath/filename
• Save the running-configuration to a TFTP server.
  EXEC Privilege mode
  copy running-config tftp://{hostip | hostname}/filepath/filename
• Save the running-configuration to an SCP server.
• View the startup-configuration. EXEC Privilege mode show startup-config Example of the dir Command The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Viewing Command History The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file. To view the command-history trace, use the show command-history command.
4 Switch Management This chapter describes the switch management tasks supported on the switch. Configuring Privilege Levels Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1. Level Description Level 0 Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Moving a Command from EXEC Privilege Mode to EXEC Mode To move a command from EXEC Privilege to EXEC mode for a privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify the privilege level of the user or terminal line and specify all keywords in the command to which you want to allow access. Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode.
CONFIGURATION mode
privilege exec level level configure
• Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command.
  CONFIGURATION mode
  privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
• Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
  CONFIGURATION mode
  privilege {configure |interface | line | route-map | router} level level {command ||...
loopback managementethernet peGigE null port-channel range tengigabitethernet vlan Loopback interface Management Ethernet interface PE Gigabit Ethernet interface Null interface Port-channel interface Configure interface range TenGigabit Ethernet interface VLAN interface Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#? end Exit from configuration mode exit Exit from interface configuration mode Dell(conf-if-te-1/1)#exit Dell(conf)#line ? aux Auxiliary line console Primary terminal line vt
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
  CONFIGURATION mode
  no logging monitor
• Disable console logging.
• Users making configuration changes. The switch logs who made the configuration changes and the date and time of the change. However, each specific change on the configuration is not logged. Only that the configuration was modified is logged with the user ID, date, and time of the change. • Uncontrolled shutdown. Security Logs The security log contains security events and information. RBAC restricts access to audit and security logs based on the CLI sessions’ user roles.
Example of the show logging Command for Security
For information about the logging extended command, see Enabling Audit and Security Logs.
Dell#show logging
Jun 10 04:23:40: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server.
  Dell(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the switch, using the following syntax:
  ssh -R :: user@remote_host -nNf
  In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
3 Configure logging to a local host. localhost is “127.0.0.1” or “::1”. If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
  Dell(conf)# logging localhost tcp port
  Dell(conf)#logging 127.0.0.1 tcp 5140
Track Login Activity
Dell Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events.
Example of Configuring Login Activity Tracking
The following example enables login activity tracking. The system stores the login activity details for the last 30 days.
Dell(config)#login statistics enable
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
Dell(config)#login statistics enable
Dell(config)#login statistics time-period 12
Display Login Statistics
To view the login statistics, use the show login statistics command.
Last login location: Line vty0 ( 10.16.127.145 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 2
----------------------------------------------------------------------------------------------------------------------------------
User: admin3
Last login time: 13:18:42 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
Limit Concurrent Login Sessions Dell Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions. By default, you can use all 10 VTY lines, one console line, and one auxiliary line.
Example of Enabling the System to Clear Existing Sessions
The following example enables you to clear your existing login sessions.
Dell(config)#login concurrent-session clear-line enable
Example of Clearing Existing Sessions
When you try to log in, the following message appears with all your existing concurrent sessions, providing an option to close any one of the existing sessions:
$ telnet 10.11.178.14
Trying 10.11.178.14...
Connected to 10.11.178.14.
Escape character is '^]'.
• Send System Messages to a Syslog Server
• Change System Logging Settings
• Display the Logging Buffer and the Logging Configuration
• Configure a UNIX Logging Facility Level
• Enable Timestamp on Syslog Messages
• Synchronize Log Messages
• Audit and Security Logs
• Configuring Logging Format
• Secure Connection to a Syslog Server
Disabling System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog server
logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}}
Configuring a UNIX System as a Syslog Server
To configure a UNIX System as a syslog server, use the following command.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
• Add line on a 4.1 BSD UNIX system.
  local7.debugging /var/log/ftos.log
• Add line on a 5.7 SunOS UNIX system.
  local7.debugging /var/adm/ftos.
Jan 21 02:56:54: %SYSTEM:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 2/3
--More--
To view any changes made, use the show running-config logging command in EXEC privilege mode, as shown in the example for Configure a UNIX Logging Facility Level.
Changing System Logging Settings
You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configure a UNIX Logging Facility Level. Configuring a UNIX Logging Facility Level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command. • Specify one of the following parameters.
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.4
Dell#
Synchronizing Log Messages
You can configure the Dell Networking OS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear.
CONFIGURATION mode service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime] Specify the following optional parameters: • You can add the keyword localtime to include the localtime, msec, and show-timezone. If you do not add the keyword localtime, the time is UTC. • uptime: To view time since last boot. If you do not specify a parameter, the system configures uptime. To view the configuration, use the show running-config logging command in EXEC privilege mode.
Example of Viewing FTP Configuration
Dell#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
Dell#
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters. To specify the system logging settings, use the following commands.
• Specify the directory for users using FTP to reach the system.
  CONFIGURATION mode
  ftp-server topdir dir
  The default is the internal flash directory.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
• Configure a password.
  CONFIGURATION mode
  ip ftp password password
• Enter a username to use on the FTP client.
  CONFIGURATION mode
  ip ftp username name
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.
line vty 0
access-class myvtyacl
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, the system prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable Prompt for the enable password.
line vty 2
password myvtypassword
login authentication myvtymethodlist
Dell(config-line-vty)#
Setting Time Out of EXEC Privilege Mode
EXEC time-out is a basic security feature that returns the system to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
If you do not enter an IP address, the system enters a Telnet dialog that prompts you for one. Enter an IPv4 address in dotted decimal format (A.B.C.D). Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported.
Example of the telnet Command for Device Access
Dell# telnet 10.11.80.203
Trying 10.11.80.203...
Connected to 10.11.80.203.
Exit character is '^]'.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
Dell(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %SYSTEM-P:CP %SYS-5-CONFIG_I: Configured from console by console
Dell#config
! Locks configuration mode exclusively.
EXEC Privilege mode
copy running-config startup-config
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration
If you do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the C9000 series factory-default configuration. To boot up with the factory-default configuration:
1 Log onto the system using the console.
BOOT_USER mode
BOOT_USER# boot change secondary
BOOT_USER# boot change default
5 Reboot the chassis.
BOOT_USER mode
reload
Restoring Factory-Default Settings
When you restore factory-default settings on a switch, the existing NVRAM settings, startup configuration, and all configured settings are deleted. To restore the factory-default settings, enter the restore factory-defaults {chassis | domain | linecard | pe | rpm } command in EXEC Privilege mode.
CAUTION: There is no undo for this command.
Restoring Factory-Default Boot Environment Variables
The Boot line determines the location of the image that is used to boot up the switch after restoring factory-default settings. Ideally, these locations contain valid images, which the switch uses to boot up. When you restore factory-default settings, you can either use a flash boot procedure or a network boot procedure to boot the switch.
To boot from flash partition A:
BOOT_USER # boot change primary
boot device : flash
file name : systema
BOOT_USER #
To boot from flash partition B:
BOOT_USER # boot change primary
boot device : flash
file name : systemb
BOOT_USER #
To boot from the network:
BOOT_USER # boot change primary
boot device : tftp
file name : FTOS-SI-9-5-0-169.bin
Server IP address : 10.16.127.35
BOOT_USER #
4 Assign an IP address and network mask to the Management Ethernet interface.
The verify {md5 | sha256} command calculates and displays the hash of any file on the specified local flash drive. You can compare the displayed hash against the appropriate hash published on iSupport. Optionally, you can include the published hash in the verify {md5 | sha256} command, which then displays whether it matches the calculated hash of the indicated file. To validate a software image:
1 Download the Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server.
Verifying System Images on C9010 Components Each C9010 RPM contains three components: Control Processor (CP), Route Processor (RP), and line-card processor (LP). Each RPM component has a separate system image stored in the A: and B: flash partitions. In addition, each installed C9010 line card has a separate image stored in partitions A: and B:. To display the system images currently stored for all C9010 components, enter the show boot system all command.
C9000-9.9.0.0.bin {A: | B:} command. For information about this upgrade procedure, see the C9010 and C1048P Release Notes. By upgrading all C9010 components at the same time, you ensure that all system images match. However, sometimes the loaded system images do not match as a result of booting off a system image stored on a network server or installing an additional line card or RPM. When system images on C9010 components do not match, the RPM CP may not be able to manage them.
Logging in to the Virtual Console of a C9010 Component You must log in to the virtual console of a C9010 component in order to re-configure its boot variables. By default, you log in to a C9010 console port, which is identified as RPM0 CP or RPM1 CP. • To log in to the RPM RP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type r. • To log in to the RPM LP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type l.
========================================
boot device : ftp
file name : force10/rd/tgtimg/runtime/RP.bin
Management Etherenet IP address : 127.10.10.11 Mask : 255.240.0.0
Server IP address : 127.10.10.10
Default Gateway IP address : 127.10.10.
5 802.1X
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames.
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
server and the supplicant. The authenticator also changes the status of the port based on the results of the authentication process. The Dell Networking switch is the authenticator. • The authentication-server selects the authentication method, verifies the information the supplicant provides, and grants it network access privileges. Ports can be in one of two states: • Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port.
4 The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
Figure 5. EAP Over RADIUS
RADIUS Attributes for 802.1 Support
Dell Networking systems include the following RADIUS attributes in all 802.
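The EAP-in-RADIUS encapsulation described above can be inspected offline when troubleshooting or auditing captured authenticator traffic. The following Python sketch is an added example, not Dell code: it walks the RADIUS TLV attributes, reassembles the EAP packet from the type 79 attributes, and checks the RFC 3579 Message-Authenticator (attribute 80, HMAC-MD5) of an Access-Request. The shared secret, identity and sample packet are constructed for the example.

```python
import hashlib
import hmac
import struct

EAP_MESSAGE = 79            # RADIUS attribute type that carries EAP (value given above)
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 integrity attribute (not named on this page)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1


def parse_radius(packet):
    """Return (code, identifier, attributes, raw); attributes are (type, value, value_offset)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("RADIUS length field out of range")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((a_type, packet[pos + 2:pos + a_len], pos + 2))
        pos += a_len
    return code, ident, attrs, packet[:length]


def extract_eap(attrs):
    """Reassemble the EAP packet from every EAP-Message attribute, in order."""
    eap = b"".join(value for a_type, value, _ in attrs if a_type == EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no complete EAP packet present")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length does not match the reassembled data")
    has_type = code in (1, 2) and length > 4   # only Request/Response carry a Type
    return {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "type": eap[4] if has_type else None,
        "data": eap[5:] if has_type else b"",
    }


def message_authenticator_ok(raw, attrs, secret):
    """Check the HMAC-MD5 Message-Authenticator of an Access-Request."""
    found = [(value, off) for a_type, value, off in attrs
             if a_type == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    # The HMAC covers the whole packet with the attribute value set to 16 zero bytes.
    zeroed = raw[:off] + b"\x00" * 16 + raw[off + 16:]
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), value)


def build_access_request(ident, authenticator, eap, secret):
    """Constructed sample packet: EAP split into EAP-Message attributes of at most 253 bytes."""
    body = b"".join(
        bytes([EAP_MESSAGE, 2 + len(eap[i:i + 253])]) + eap[i:i + 253]
        for i in range(0, len(eap), 253)
    )
    body += bytes([MESSAGE_AUTHENTICATOR, 18]) + b"\x00" * 16
    packet = struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()


# Constructed test data: shared secret, identity and authenticator are placeholders.
SECRET = b"example-shared-secret"
IDENTITY = b"lab-supplicant@example.test/" + b"x" * 270
EAP_RESPONSE_IDENTITY = (
    struct.pack("!BBHB", 2, 7, 5 + len(IDENTITY), EAP_TYPE_IDENTITY) + IDENTITY
)
SAMPLE_REQUEST = build_access_request(42, bytes(range(16)), EAP_RESPONSE_IDENTITY, SECRET)

if __name__ == "__main__":
    _, _, attributes, raw_packet = parse_radius(SAMPLE_REQUEST)
    print(extract_eap(attributes)["code"],
          message_authenticator_ok(raw_packet, attributes, SECRET))
```

The Message-Authenticator check here applies to Access-Request packets only; replies from the authentication server are computed over the Request Authenticator of the matching request instead.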
• Configuring MAC addresses for a dot1x Profile
• Configuring static MAB and MAB profile
• Enabling Critical-VLAN
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Configuring a Quiet Period after a Failed Authentication
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN
Important Points to Remember
• The system supports 802.
Enabling 802.1X
Enable 802.1X globally.
Figure 6. 802.1X Enabled
1 Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3 Enable 802.1X on the supplicant interface only. 802.
INTERFACE mode
dot1x authentication
NOTE: You must enable dot1x authentication globally as well as in INTERFACE mode on the interface to which the supplicant is connected.
Examples of Verifying that 802.1X is Enabled Globally or on an Interface
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold text shows that 802.1x has been enabled. By default, ports are not authorized.
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Dell#show int peGigE 255/0/2
peGigE 255/0/2 is up, line protocol is down(802.
Example of Configuring and Displaying a dot1x Profile
Dell(conf)#dot1x profile test
Dell(conf-dot1x-profile)#
Dell#show dot1x profile
802.1x profile information
----------------------------
Dot1x Profile test
Profile MACs 00:00:00:00:01:11
Configuring MAC addresses for a dot1x Profile
To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses.
• Configure a list of MAC addresses for a dot1x profile.
Enter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.
Example of Static MAB and MAB Profile for an Interface
Dell(conf-if-Te-2/1)#dot1x static-mab profile sample
Dell(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 21
switchport
dot1x static-mab profile sample
no shutdown
Dell(conf-if-Te 2/1))#show dot1x interface TenGigabitEthernet 2/1
802.
Example of Configuring a Critical VLAN for an Interface
Dell(conf-if-Te-2/1)#dot1x critical-vlan 300
Dell(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
switchport
dot1x critical-vlan 300
no shutdown
Dell#show dot1x interface tengigabitethernet 2/1
802.
dot1x tx-period number
The range is from 1 to 65535 (1 year). The default is 30.
• Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
  INTERFACE mode
  dot1x max-eap-req number
  The range is from 1 to 10. The default is 2.
The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
802.1x information on Te 2/1:
-----------------------------
Dot1x Status: Enable
Port Control: AUTO
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Disable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize
Re-Authenticating a Port
You can configure the authenticator for periodic re-authentication.
Port Control: FORCE_AUTHORIZED
Port Auth Status: UNAUTHORIZED
Re-Authentication: Enable
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Auth PAE State: Initialize
Backend State: Initialize
Configuring Dynamic VLAN Assignment with Port Authentication
On the switch, 802.
The illustration shows the configuration before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 7. Dynamic VLAN Assignment
1 Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN. If the supplicant fails to authenticate for a specified number of times, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network.
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
203 Multicasts, 0 Broadcasts, 10760802177 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
2285 packets, 146240 bytes, 0 underruns
2285 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
1983 Multicasts, 0 Broadcasts, 302 Unicasts
0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
Input 76.
The default is 30.
• Terminate the authentication process due to an unresponsive authentication server.
  INTERFACE mode
  dot1x server-timeout seconds
  The range is from 1 to 300. The default is 30.
Example of Viewing Configured Server Timeouts
The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts.
frames. When a port is authorized, the authenticated supplicant MAC address is associated with the port, and traffic from any other source MACs is dropped. Figure 8. Single-Host Authentication Mode 802.
When multiple end users are connected to a single authenticator port, single-host mode authentication does not authenticate all end users, and all but one are denied access to the network. For these cases, the Dell Networking OS supports multi-host mode authentication. Figure 9. Multi-Host Authentication Mode When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored.
Configuring Multi-Host Authentication
To enable multi-host authentication on a port, enter the dot1x host-mode multi-host command in Interface mode. To return to the default single-host authentication mode, enter the no dot1x host-mode command. To verify the currently configured authentication mode, enter the show dot1x interface command.
Dell(conf-if-te-2/1)# dot1x host-mode multi-host
Dell(conf-if-te-2/1)# do show dot1x interface tengigabitethernet 2/1
802.
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Connecting
Backend State: Idle
Multi-Supplicant Authentication
Port Control: AUTO
Re-Authentication: Disable
Guest VLAN: Disable
Guest VLAN id: NONE
Auth-Fail VLAN: Disable
Auth-Fail VLAN id: NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Disable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: MULTI_AUT
Max-Supplicants:
their MAC address, and places them into a VLAN different from the VLAN in which unknown devices are placed. For an 802.1X-incapable device, 802.1X times out if the device does not respond to the Request Identity frame. If MAB is enabled, the port is then put into learning state and waits indefinitely until the device sends a packet. Once its MAC is learned, it is sent for authentication to the RADIUS server (as both the username and password, in hexadecimal format without any colons).
Configuring MAC Authentication Bypass
To configure MAB in multi-supplicant authentication mode:
1 Configure the following attributes on a RADIUS Server:
• Attribute 1—User-name: Use the supplicant MAC address in hex format without any colons. For example, enter 10:34:AA:33:44:F8 as 1034AA3344F8.
• Attribute 2—Password: Use the supplicant MAC address, but encrypted in MD5.
• Attribute 4—NAS-IP-Address: IPv4 address of the switch that is used to communicate with the RADIUS server.
Auth-Fail Max-Attempts: NONE
Critical VLAN: Disable
Critical VLAN id: NONE
Mac-Auth-Bypass: Enable
Mac-Auth-Bypass Only: Disable
Static-MAB: Disable
Static-MAB Profile: NONE
Tx Period: 30 seconds
Quiet Period: 60 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 2
Host Mode: SINGLE_HOST
Auth PAE State: Authenticated
Backend State: Idle
Dynamic CoS with 802.
frames are forwarded on egress queue 0 without changing the incoming dot1p value. The example shows how dynamic CoS remaps (or does not remap) the dot1p priority in 802.
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), Ingress IP and MAC ACLs, and Egress IP and MAC ACLs are supported on the system.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
IP Access Control Lists (ACLs)
You can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
The CAM space is allotted in filter processor (FP) blocks. The total amount of space allowed is 12 FP Blocks. System flow requires four blocks; these blocks cannot be reallocated. The ipv4acl profile range is from 0 to 8. When configuring space for ipv6acl, the total number of Blocks must equal 12. The ipv6acl allocation must be a factor of 2 (2, 4). If allocation values are not entered for the CAM regions, the value is 0.
User-Configurable CAM Allocation User-configurable content-addressable memory (CAM) allows you to specify the amount of memory space that you want to allocate for ACLs. To allocate ACL CAM, use the cam-acl command in CONFIGURATION mode. For information about how to allocate CAM for ACL VLANs, see Allocating ACL VLAN CAM. The CAM space is allotted in filter processor (FP) blocks. The total amount of space allowed is 12 FP Blocks. System flow requires four blocks; these blocks cannot be reallocated.
new settings to take effect. The total amount of space allowed is 12 FP Blocks. System flow requires four blocks; these blocks cannot be reallocated. The ipv4acl profile range is from 0 to 8. Ranges for the CAM profiles are from 1 to 10, except for the ipv6acl profile which is from 0 to 4. The ipv6acl allocation must be a factor of 2 (2, 4). If allocation values are not entered for the CAM regions, the value is 0. 1 Enter a CAM allocation action to perform on ingress ACLs.
Allocating CAM for Egress ACLs on the Port Extender
You can re-allocate content-addressable memory (CAM) space for egress ACLs on the port extender by using the cam-acl-egress-pe command in CONFIGURATION mode. The default CAM allocation settings for the three egress ACL and QoS regions on a switch are:
• L2 ACL (l2acl): 1
• L3 ACL (ipv4acl): 1
• IPv6 L3 ACL (ipv6acl): 2
The total egress CAM ACL space must equal 4 memory blocks.
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 1
Ipv4Acl : 1
Ipv6Acl : 2
Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
The following example displays the running configuration for the configured CAM ACLs.
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore (without the keyword order), packets within the range 20.
• For an IP ACL, the system always applies implicit deny. You do not have to configure it.
• For an IP ACL, the system applies implicit permit for second and subsequent fragment just prior to the implicit deny.
• If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.
• Loopback interfaces do not support ACLs using the IP fragment option.
Example of Permitting All Packets from a Specified Host In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted. All others are denied. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp host 10.1.1.
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five. When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. The following example shows a standard IP ACL in which the system assigns the sequence numbers. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number).
ip access-list extended access-list-name
2 Configure a drop or forward filter.
CONFIG-EXT-NACL mode
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match.
Dell(config-ext-nacl)#show confi
!
ip access-list extended dilling
seq 5 permit tcp 12.1.0.0 0.0.255.255 any
seq 15 deny ip host 112.45.0.0 any log
Dell(config-ext-nacl)#
Configuring Filters Without a Sequence Number
If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. Filters are assigned in multiples of five.
Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply: • When the system routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them. • When the system switches the packets, the egress L3 ACL does not filter the packet.
Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The VLAN member interfaces, on which the ACL in an ACL VLAN group is applied, function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs on which hierarchical filtering is performed. • You can add only one ACL to an interface at a time.
CONFIGURATION mode
acl-vlan-group group-name
You can create up to eight different ACL VLAN groups.
2 Add a description.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
description description
3 Apply an egress IP ACL.
ACL-VLAN-GROUP CONFIGURATION (conf-acl-vl-grp) mode
ip access-group access-list-name out implicit-permit
4 Specify the VLAN members in the ACL VLAN group.
vlan {vlanaclopt | vlaniscsi | vlanopenflow} command allows you to allocate filter processor (FP) blocks of memory for ACL VLAN services: iSCSI counters, Open Flow, and ACL VLAN optimization. You can configure CAM allocation for only two of these VLAN services at a time. You can allocate from 0 to 2 FP blocks for each VLAN service. To allocate the number of FP blocks for ACL VLAN optimization, enter the cam-acl-vlan vlanaclopt <0-2> command.
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
Example of Viewing ACLs Applied to an Interface
Dell(conf-if)#show conf
!
interface TengigabitEthernet 0/0
ip address 10.2.1.100 255.255.255.0
ip access-group nimule in
no shutdown
Dell(conf-if)#
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation. To restrict egress traffic, use an egress ACL. For example, when denial of service (DoS) attack traffic is isolated to a specific interface, you can apply an egress ACL to block the flow from exiting the box, thus protecting downstream devices. To create an egress ACL, use the ip access-group command in EXEC Privilege mode.
3 Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic. CONFIG-NACL mode permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} count Dell Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
Implementation Information
Prefix lists are used in processing routes for routing protocols (for example, routing information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]).
Example of Assigning Sequence Numbers to Filters If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix list. To permit the default route only, enter permit 0.0.0.0/0. The following example shows how the seq command orders the filters according to the sequence number assigned.
!
ip prefix-list awe
 seq 5 permit 123.23.0.0/16
 seq 10 deny 133.0.0.0/8
Dell(conf-nprefixl)#
To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence number of the filter you want to delete, then use the no seq sequence-number command in PREFIX LIST mode.
Viewing Prefix Lists
To view all configured prefix lists, use the following commands.
• Show detailed information about configured prefix lists.
• Enter RIP mode.
CONFIGURATION mode
router rip
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded.
CONFIG-ROUTER-RIP mode
distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to outgoing routes. You can specify an interface or type of route. If you enter the name of a non-existent prefix list, all routes are forwarded.
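Because a distribute-list that names a nonexistent prefix list forwards all routes, a mistyped name silently removes the filter. The following added example (not part of the Dell guide) audits a saved running-config for such dangling references; the sample config is constructed, and the indented-stanza layout and the function name find_dangling_prefix_lists are assumptions.

```python
import re

# Constructed running-config excerpt in the layout of this guide's examples.
# Assumption: stanza members are indented and "!" separates stanzas.
# "awe" is defined; "awee" (a typo) and "to-core" are referenced but undefined.
SAMPLE_CONFIG = """\
!
ip prefix-list awe
 seq 5 permit 123.23.0.0/16
 seq 10 deny 133.0.0.0/8
!
router rip
 distribute-list prefix awee in
 distribute-list prefix awe out
!
router ospf 34
 network 10.2.1.1 255.255.255.255 area 0.0.0.1
 distribute-list prefix awe in
 distribute-list prefix to-core out
!
"""

DEFINE_RE = re.compile(r"^ip prefix-list\s+(\S+)")
APPLY_RE = re.compile(r"^\s+distribute-list prefix\s+(\S+)\s+(in|out)\b")


def find_dangling_prefix_lists(config_text):
    """Return (line_no, stanza, name, direction) for every distribute-list
    that names a prefix list with no 'ip prefix-list' definition."""
    defined = set()
    references = []
    stanza = None
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if not line.strip() or line.strip() == "!":
            stanza = None                      # "!" closes the current stanza
            continue
        if not line[0].isspace():              # top-level line opens a stanza
            stanza = line.strip()
            match = DEFINE_RE.match(line)
            if match:
                defined.add(match.group(1))
            continue
        match = APPLY_RE.match(line)
        if match and stanza and stanza.startswith("router "):
            references.append((line_no, stanza, match.group(1), match.group(2)))
    # Compare only after the whole file is read: a definition may follow its use.
    return [ref for ref in references if ref[2] not in defined]


if __name__ == "__main__":
    for line_no, stanza, name, direction in find_dangling_prefix_lists(SAMPLE_CONFIG):
        print(f"line {line_no}: {stanza}: prefix list '{name}' ({direction}) "
              "is not defined, so all routes are forwarded")
```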
Dell(conf-router_ospf)#show config
!
router ospf 34
 network 10.2.1.1 255.255.255.255 area 0.0.0.1
 distribute-list prefix awe in
Dell(conf-router_ospf)#
ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. Use resequencing whenever the current numbering scheme leaves no opportunity to order new rules as needed.
EXEC mode
resequence access-list {ipv4 | ipv6 | mac} {access-list-name StartingSeqNum Step-to-Increment}
• IPv4 or IPv6 prefix-list
EXEC mode
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}
Examples of Resequencing ACLs When Remarks and Rules Have the Same Number or Different Numbers
The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2.
Dell# end Dell# resequence access-list ipv4 test 2 2 Dell# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.2 seq 8 permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.3 seq 12 permit ip any host 1.1.1.
Configuration Task List for Route Maps Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
route-map zakho, permit, sequence 20 Match clauses: interface TengigabitEthernet 0/1 Set clauses: tag 35 level stub-area Dell# To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.
In the next example, there is a match only if a route has both of the specified characteristics. In this example, there is a match only if the route has a tag value of 1000 and a metric value of 2000. Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map.
• For a VLAN, enter the keyword vlan then a number from 1 to 4094.
• Match destination routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode
match ip address prefix-list-name
• Match destination routes specified in a prefix list (IPv6).
CONFIG-ROUTE-MAP mode
match ipv6 address prefix-list-name
• Match next-hop routes specified in a prefix list (IPv4).
Configuring Set Conditions
To configure a set condition, use the following commands.
• Add an AS-PATH number to the beginning of the AS-PATH.
CONFIG-ROUTE-MAP mode
set as-path prepend as-number [... as-number]
• Generate a tag to be added to redistributed routes.
CONFIG-ROUTE-MAP mode
set automatic-tag
• Specify an OSPF area or ISIS level for redistributed routes.
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low. Set commands do not require a corresponding match command. Configure a Route Map for Route Redistribution Route maps on their own cannot affect traffic and must be included in different commands to affect routing traffic.
Example of the redistribute Command Using a Route Tag
!
router rip
 redistribute ospf 34 metric 1 route-map torip
!
route-map torip permit 10
 match route-type internal
 set tag 34
!
Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found.
EXEC mode EXEC Privilege mode show cam-acl 4 Create a UDF packet format in the UDF TCAM table. CONFIGURATION mode udf-tcam name seq number Dell(conf)#udf-tcam ipnip seq 1 5 Configure a UDF ID to parse packet headers using the specified number of offset and required bytes. CONFIGURATION-UDF TCAM mode key description udf-id id packetbase PacketBase offset bytes length bytes Dell(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2 6 View the UDF TCAM configuration.
udf-id 1-12 value mask
Dell(conf-udf-tcam-qual-val)#udf-id 1 aa ff
11 Associate the UDF qualifier value with a UDF packet profile in an IP access list.
CONFIGURATION-STANDARD-ACCESS-LIST mode
CONFIGURATION-EXTENDED-ACCESS-LIST mode
permit ip {source mask | any | host ip-address} {destination mask | any | host ip-address} udf-pkt-format name udf-qualifier-value name
Dell(config-ext-nacl)#permit ip any any udf-pkt-format ipinip udf-qualifier-value ipnip_val1
12 View the UDF TCAM configuration.
7 Bidirectional Forwarding Detection (BFD)
BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
NOTE: The Dell Networking OS does not support multi-hop BFD sessions. If a system does not receive a control packet within an agreed-upon amount of time, the BFD agent changes the session state to Down. It then notifies the BFD manager of the change and sends a control packet to the neighbor that indicates the state change (though it might not be received if the link or receiving interface is faulty).
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 10. BFD in IPv4 Packet Format
Field              Description
Diagnostic Code    The reason that the last session failed.
State              The current local session state. Refer to BFD Sessions.
Flag               A bit that indicates packet function.
Field Description system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer to BFD Sessions). NOTE: The Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear. Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet.
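To make the field table concrete, the following added example (not part of the Dell guide) parses the 24-byte mandatory section of a BFD control packet as laid out in RFC 5880 and flags values a monitoring tool should not see from a peer running this OS, including the four flag bits the NOTE above says are always clear. The sample packets are constructed, and all function and constant names are assumptions.

```python
import struct

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
# Flag bits in the second byte, below the 2-bit State field (RFC 5880 layout).
FLAGS = (("poll", 0x20), ("final", 0x10), ("cpi", 0x08),
         ("auth", 0x04), ("demand", 0x02), ("multipoint", 0x01))
# Per the NOTE above, this OS never sets these bits.
BITS_THIS_OS_KEEPS_CLEAR = ("cpi", "auth", "demand", "multipoint")
MANDATORY_LEN = 24


def parse_bfd_control(payload):
    """Decode the mandatory section of a BFD control packet (UDP payload)."""
    if len(payload) < MANDATORY_LEN:
        raise ValueError("shorter than the 24-byte mandatory section")
    (b0, b1, mult, length, my_disc, your_disc,
     min_tx, min_rx, min_echo_rx) = struct.unpack("!BBBBIIIII", payload[:24])
    return {
        "version": b0 >> 5,
        "diag": b0 & 0x1F,
        "state": STATES[b1 >> 6],
        "flags": {name: bool(b1 & bit) for name, bit in FLAGS},
        "detect_mult": mult,
        "length": length,
        "my_disc": my_disc,
        "your_disc": your_disc,
        "desired_min_tx_us": min_tx,       # intervals are in microseconds
        "required_min_rx_us": min_rx,
        "required_min_echo_rx_us": min_echo_rx,
        "payload_len": len(payload),
    }


def check_bfd_control(pkt):
    """Return a list of issue codes; an empty list means nothing unexpected."""
    issues = []
    if pkt["version"] != 1:
        issues.append("bad-version")
    min_len = 26 if pkt["flags"]["auth"] else MANDATORY_LEN
    if pkt["length"] < min_len or pkt["length"] > pkt["payload_len"]:
        issues.append("bad-length")
    if pkt["detect_mult"] == 0:
        issues.append("zero-detect-mult")
    if pkt["my_disc"] == 0:
        issues.append("zero-my-discriminator")
    if pkt["your_disc"] == 0 and pkt["state"] in ("Init", "Up"):
        issues.append("zero-your-discriminator")
    for name in BITS_THIS_OS_KEEPS_CLEAR:
        if pkt["flags"][name]:
            issues.append("unexpected-flag:" + name)
    return issues


def detection_time_ms(pkt, local_required_min_rx_us):
    """Asynchronous-mode detection time: the peer's Detection Multiplier times
    the larger of our required receive interval and its desired transmit one."""
    interval_us = max(local_required_min_rx_us, pkt["desired_min_tx_us"])
    return pkt["detect_mult"] * interval_us / 1000


def build_sample(state, flag_bits, mult, my_disc, your_disc, tx_us, rx_us):
    """Build a constructed control packet (version 1, diag 0, length 24)."""
    return struct.pack("!BBBBIIIII", 1 << 5, (state << 6) | flag_bits, mult,
                       24, my_disc, your_disc, tx_us, rx_us, 0)


# Constructed samples: an Up packet with 200 ms timers and multiplier 3, and a
# packet that sets the authentication bit and carries no Your Discriminator.
GOOD = build_sample(3, 0x00, 3, 11, 10, 200000, 200000)
SUSPECT = build_sample(3, 0x04, 3, 11, 0, 200000, 200000)

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("suspect", SUSPECT)):
        pkt = parse_bfd_control(raw)
        print(label, pkt["state"], check_bfd_control(pkt))
```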
BFD Sessions BFD must be enabled on both sides of a link in order to establish a session. The two participating systems can assume either of two roles: Active The active system initiates the BFD session. Both systems can be active for the same session. Passive The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
2 When the passive system receives any of these control packets, it changes its session state to Init and sends a response that indicates its state change. The response includes its session ID in the My Discriminator field and the session ID of the remote system in the Your Discriminator field. 3 The active system receives the response from the passive system and changes its session state to Up. It then sends a control packet indicating this state change.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 12.
Configure BFD This section contains the following procedures. • Configure BFD for Static Routes • Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness Configure BFD for Static Routes Configuring BFD for static routes is supported on the switch. BFD offers systems a link state detection mechanism for static routes.
Establishing Sessions for Static Routes Sessions are established for all neighbors that are the next hop of a static route. Figure 13. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route. CONFIGURATION mode ip route bfd Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes, use the show bfd neighbors command.
To change parameters for static route sessions, use the following command.
• Change parameters for all static route sessions.
CONFIGURATION mode
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
Disabling BFD for Static Routes
If you disable BFD, all static route BFD sessions are torn down.
Related Configuration Tasks • Changing OSPF Session Parameters • Disabling BFD for OSPF Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 14.
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Establish sessions with all OSPF neighbors.
ROUTER-OSPF mode
bfd all-neighbors
• Establish sessions with OSPF neighbors on a single interface.
INTERFACE mode
ip ospf bfd all-neighbors
Example of Verifying Sessions with OSPF Neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
Disabling BFD for OSPFv3 If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPFv3 neighbors.
bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for OSPFv3 sessions on a single interface.
INTERFACE mode
ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
Disabling BFD for OSPFv3
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state.
on the line card notifies the BFD manager, which in turn notifies the IS-IS protocol that a link state change occurred. Configuring BFD for IS-IS is a two-step process: 1 Enable BFD globally. 2 Establish sessions for all or particular IS-IS neighbors.
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
INTERFACE mode
isis bfd all-neighbors
Example of Verifying Sessions with IS-IS Neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows that IS-IS BFD sessions are enabled.
Disabling BFD for IS-IS If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all IS-IS neighbors.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 16.
session (other routing protocols) about the failure. It then depends on the individual routing protocols that use the BGP link to determine the appropriate response to the failure condition. The typical response is to terminate the peering session for the routing protocol and reconverge by bypassing the failed neighboring router. A log message is generated whenever BFD detects a failure condition.
1 Enable BFD globally.
• Disable a BFD for BGP session with a specified neighbor.
ROUTER BGP mode
neighbor {ip-address | peer-group-name} bfd disable
• Remove the disabled state of a BFD for BGP session with a specified neighbor.
ROUTER BGP mode
no neighbor {ip-address | peer-group-name} bfd disable
Use BFD in a BGP Peer Group
You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
EXEC Privilege mode
show ip bgp neighbors [ip-address]
Examples of the BFD show Commands
The following example shows verifying a BGP configuration.
R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 no shutdown
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 no shutdown
 neighbor 3.3.3.2 remote-as 1
 neighbor 3.3.3.2 no shutdown
 bfd all-neighbors
The following example shows viewing all BFD neighbors.
Statistics: Number of packets received from neighbor: 4762 Number of packets sent to neighbor: 4490 Number of state changes: 2 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discriminator: 11 Local Addr: 2.2.2.3 Local MAC Addr: 00:01:e8:66:da:34 Remote Addr: 2.2.2.
De-registration : 0
Init : 0
Up : 1
Down : 0
Admin Down : 2
The following example shows viewing BFD summary information. The bold line shows the message displayed when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 200 Min_rx 200 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
1.1.1.
Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0 Prefixes advertised 0, denied 0, withdrawn 0 from peer Connections established 1; dropped 0 Last reset never Local host: 2.2.2.3, Local port: 63805 Foreign host: 2.2.2.2, Foreign port: 179 E1200i_ExaScale# R2# show ip bgp neighbors 2.2.2.3 BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 17. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
Examples of Viewing VRRP Sessions
To view the established sessions, use the show bfd neighbors command. The following example shows viewing sessions with VRRP neighbors. The bold line shows that VRRP BFD sessions are enabled.
R1(conf-if-te-4/25)#vrrp bfd all-neighbors
R1(conf-if-te-4/25)#do show bfd neighbor
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
  LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.5.1 2.2.5.
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Verifying BFD Sessions with BGP Neighbors Using the show bfd neighbors command example in Displaying BFD for BGP Information. Disabling BFD for VRRP If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state.
8 Border Gateway Protocol IPv4 (BGPv4)
This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
• multihomed AS — is one that maintains connections to more than one other AS. This group allows the AS to remain connected to the Internet in the event of a complete failure of one of their connections. However, this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple example of this group is seen in the following illustration. • stub AS — is one that is connected to only one other AS.
in “full mesh.” As seen in the illustration below, four routers connected in a full mesh have three peers each, six routers have five peers each, and eight routers in full mesh have seven peers each. Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor. Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
proper peers. If the peers are members of a peer group, however, the information can be sent to one place and then passed on to the peers within the group.
Route Reflectors
Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules.
NOTE: Do not use route reflectors (RRs) in the forwarding path. In iBGP, hierarchical RRs maintaining forwarding plane RRs could create routing loops.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers.
Communities BGP communities are sets of routes with one or more common attributes. Communities are a way to assign common attributes to multiple routes at the same time. BGP Attributes Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
The following illustration shows the decisions BGP goes through to select the best path. The list following the illustration details the path selection criteria.
Figure 21. BGP Best Path Selection
Best Path Selection Details
1 Prefer the path with the largest WEIGHT attribute.
2 Prefer the path with the largest LOCAL_PREF attribute.
3 Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command.
a This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths. b If you entered the bgp always-compare-med command, MEDs are compared for all paths. c Paths with no MED are treated as “worst” and assigned a MED of 4294967295. 7 Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
Local Preference
Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route. Local preference (LOCAL_PREF) is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. For this example, assume that the local preference (LOCAL_PREF) is the only attribute applied.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In the following illustration, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised to AS100 routers so they know which is the preferred path.
In the Dell Networking OS, these origin codes appear as shown in the following example. The question mark (?) indicates an origin code of INCOMPLETE (shown in bold). The lower case letter (i) indicates an origin code of IGP (shown in bold). Example of Viewing Origin Codes Dell#show ip bgp BGP table version is 0, local router ID is 10.101.15.
The system allows you to set the next hop attribute in the CLI. Setting the next hop attribute lets you determine a router as the next hop for a BGP neighbor. Multiprotocol BGP Multiprotocol extensions for BGP (MBGP) is defined in IETF RFC 2858. MBGP allows different types of address families to be distributed in parallel. MBGP allows information about the topology of the IP multicast-capable routers to be exchanged separately from the topology of normal IPv4 and IPv6 unicast routers.
When configuring this functionality:
• If the redistribute command does not have metric configured and the BGP peer outbound route-map does have metric-type internal configured, BGP advertises the IGP cost as MED.
• If the redistribute command has metric configured (route-map set metric or redistribute route-type metric) and the BGP peer outbound route-map has metric-type internal configured, BGP advertises the metric configured in the redistribute command as MED.
Traditional Format    DOT Format
65001                 0.65501
65536                 1.0
100000                1.34464
4294967295            65535.65535
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command.
AS4 Number Representation
Multiple representations of 4-byte AS numbers (asplain, asdot+, and asdot) are supported.
router bgp 100
 bgp asnotation asdot
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
AS Number Migration With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress. When migrating one AS to another, perhaps combining ASs, an eBGP network may lose its routing to an iBGP if the ASN changes. Migration can be difficult as all the iBGP and eBGP peers of the migrating network must be updated to maintain network reachability.
C’s configuration. Local-AS allows this behavior to happen by allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned. Figure 24. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer.
3 Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that update passed through a router in AS 200 before it reached Router B.
BGP4 Management Information Base (MIB)
The FORCE10-BGP4-V2-MIB enhances support for the BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.
• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector clients are not in a full mesh if you enable BGP client-2-client reflection and that the BGP speaker acting as reflector advertises routes learned from one client to another client. If disabled, it is assumed that clients are in a full mesh and there is no need to advertise prefixes to the other clients. • High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB.
By default, the system compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled). NOTE: All newly configured neighbors and peer groups are disabled. To enable a neighbor or peer group, enter the neighbor {ip-address | peer-group-name} no shutdown command. The following table displays the default values for BGP in the Dell Networking OS. Table 9.
interface directly connected to the router. First, the BGP process determines if all internal BGP peers are reachable, then it determines which peers outside the AS are reachable. NOTE: Sample Configurations for enabling BGP routers are found at the end of this chapter. 1 Assign an AS number and enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
3 Enable the BGP neighbor. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} no shutdown Examples of the show ip bgp summary Command (2-Byte and 4–Byte AS number) NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode. To view the BGP configuration, enter show config in CONFIGURATION ROUTER BGP mode. To view the BGP status, use the show ip bgp summary command in EXEC Privilege mode.
To view the status of BGP neighbors, use the show ip bgp neighbors command in EXEC Privilege mode as shown in the first example. For BGP neighbor configuration information, use the show running-config bgp command in EXEC Privilege mode as shown in the second example. The following example displays two neighbors: one is an external BGP neighbor and the second one is an internal BGP neighbor.
The following example shows verifying the BGP configuration. R2#show running-config bgp ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.
• Enable ASDOT AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot+
Examples of the bgp asnotation Commands
The following example shows the bgp asnotation asplain command.
Dell(conf-router_bgp)#bgp asnotation asplain
Dell(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.
Configuring Peer Groups
To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy. A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it.
To add an internal BGP (IBGP) neighbor, configure the as-number parameter with the same BGP as-number configured in the router bgp as-number command.
Examples of Working with Peer Groups
After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group. When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
neighbor 10.14.8.60 no shutdown Dell(conf-router_bgp)# To disable a peer group, use the neighbor peer-group-name shutdown command in CONFIGURATION ROUTER BGP mode. The configuration of the peer group is maintained, but it is not applied to the peer group members. When you disable a peer group, all the peers within the peer group that are in the ESTABLISHED state move to the IDLE state.
When you enable fail-over, BGP tracks IP reachability to the peer remote address and the peer local address. Whenever either address becomes unreachable (for example, no active route exists in the routing table for peer IPv6 destinations/local address), BGP brings down the session with the peer. The BGP fast fail-over feature is configured on a per-neighbor or peer-group basis and is disabled by default. To enable the BGP fast fail-over feature, use the following command.
'Connection Reset' Sent : 5 Recv: 0 Local host: 200.200.200.200, Local port: 65519 Foreign host: 100.100.100.100, Foreign port: 179 Dell# To verify that fast fail-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold).
neighbor peer-group-name subnet subnet-number mask The peer group responds to OPEN messages sent on this subnet. 3 Enable the peer group. CONFIG-ROUTER-BGP mode neighbor peer-group-name no shutdown 4 Create and specify a remote peer for BGP neighbor. CONFIG-ROUTER-BGP mode neighbor peer-group-name remote-as as-number Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.
neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 allowas-in 9 neighbor 192.168.12.
Filtering on an AS-Path Attribute
You can use the BGP attribute, AS_PATH, to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an AS, the ASN is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing. By identifying certain ASNs in the AS_PATH, you can permit or deny routes based on the numbers in their AS_PATH. AS-PATH ACLs use regular expressions to search AS_PATH values.
Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount 0x4014154 0 3 0x4013914 0 3 0x5166d6c 0 3 0x5e62df4 0 2 0x3a1814c 0 26 0x567ea9c 0 75 0x6cc1294 0 2 0x6cc18d4 0 1 0x5982e44 0 162 0x67d4a14 0 2 0x559972c 0 31 0x59cd3b4 0 2 0x7128114 0 10 0x536a914 0 3 0x2ffe884 0 1 0x2ff7284 0 99 0x2ff7ec4 0 4 0x2ff8544 0 3 0x736c144 0 1 0x3b8d224 0 10 0x5eb1e44 0 1 0x5cd891c 0 9 --More-- Metric Path 18508 701 3549 19421 i 18508 701 7018 14990 i 18508 209 4637 1221 9249 9249 i 18508 701 17302 i 18508 209 22291
Regular Expression    Definition
- (hyphen)            Used within brackets to specify a range of AS or community numbers.
_ (underscore)        Matches a ^, a $, a comma, a space, or a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. You can precede or follow numerals enclosed by underscores by any of the characters listed.
| (pipe)              Matches characters on either side of the metacharacter; logical OR.
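The following Python sketch is an added example, not part of the Dell documentation. It evaluates an AS-PATH ACL the way the definitions above describe, and shows why an expression without underscores also catches a longer ASN that merely contains the digits. The sample paths use private-use ASNs and are constructed; first-match evaluation, the implicit deny for unmatched paths, and the treatment of "_" inside brackets are assumptions.

```python
import re

# Per the definitions above, "_" matches start of string, end of string,
# a comma, a space, "{" or "}".
UNDERSCORE = r"(?:^|$|[ ,{}])"


def translate(as_regex):
    """Rewrite a router-style AS_PATH expression as a Python regular expression."""
    out, in_brackets = [], False
    for ch in as_regex:
        if ch == "[":
            in_brackets = True
        elif ch == "]":
            in_brackets = False
        # Assumption: "_" only acts as a delimiter outside a bracket expression.
        out.append(UNDERSCORE if ch == "_" and not in_brackets else ch)
    return "".join(out)


def evaluate_as_path_acl(acl, as_path):
    """Return the action of the first entry whose expression matches as_path."""
    for action, as_regex in acl:
        if re.search(translate(as_regex), as_path):
            return action
    return "deny"  # Assumption: a path that matches no entry is denied.


def permitted(acl, paths):
    """Return the paths the ACL permits, in their original order."""
    return [p for p in paths if evaluate_as_path_acl(acl, p) == "permit"]


# Constructed AS_PATH strings (private-use ASNs only).
SAMPLE_PATHS = [
    "64600 64512 64650",       # transits AS 64512
    "64600 4200064512 64650",  # transits AS 4200064512, which contains "64512"
    "64600 {64601,64603}",     # ends in an AS_SET
    "64700 64602",             # learned from a different neighbor AS
]

# Intent of both ACLs: reject anything that transits AS 64512 and accept
# the remaining routes whose first AS is 64600.
LOOSE_ACL = [("deny", "64512"), ("permit", "^64600_")]
STRICT_ACL = [("deny", "_64512_"), ("permit", "^64600_")]

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE_ACL), ("strict", STRICT_ACL)):
        print(name, permitted(acl, SAMPLE_PATHS))
```

The loose ACL silently drops the route through AS 4200064512; enclosing the ASN in underscores limits the match to the whole number.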
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
• Include directly connected or user-configured (static) routes in BGP.
To allow multiple paths sent to peers, use the following commands.
1 Allow the advertisement of multiple paths for the same address prefix without the new paths replacing any previous ones.
CONFIG-ROUTER-BGP mode
bgp add-path {send | both} path-count count bgp add-path receive
The range is from 2 to 64.
2 Allow the specified neighbor/peer group to send/receive multiple path advertisements.
• community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system. • local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED. • no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE. • no-export: routes with the COMMUNITY attribute of NO_EXPORT. • quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list. • regexp: then a regular expression.
• soo: route origin or site-of-origin.
Matching extended communities against a regular expression is also supported. Match against a regular expression using the following keyword.
• regexp: regular expression.
Example of the show ip extcommunity-lists Command
To set or modify an extended community attribute, use the set extcommunity {rt | soo} {ASN:NN | IPADDR:NN} command.
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format)
5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
3 • community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system. • local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED and are not sent to EBGP peers. • no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE and are not advertised. • no-export: routes with the COMMUNITY attribute of NO_EXPORT. • none: remove the COMMUNITY attribute. • additive: add the communities to already existing communities.
Changing MED Attributes
By default, the system uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands.
• Enable MED comparison in the paths from neighbors with different ASs.
CONFIG-ROUTER-BGP mode
bgp always-compare-med
By default, this comparison is not performed.
Change the bestpath MED selection.
3 Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
CONFIG-ROUTE-MAP mode
set weight weight
• weight: the range is from 0 to 65535.
To view BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Enabling Multipath
By default, the system supports one path to a destination. You can enable multipath to allow up to 16 parallel paths to a destination.
NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector.
To filter routes using prefix lists, use the following commands.
1 Create a prefix list and assign it a name.
CONFIGURATION mode
ip prefix-list prefix-name
2 Create multiple prefix list filters with a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} {any | ip-prefix [ge | le] }
• ge: minimum prefix length to be matched.
• le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
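The following Python sketch is an added example, not part of the Dell documentation. It parses entries in the seq syntax shown above and evaluates received IPv4 prefixes against them, to show how ge and le decide whether a more-specific announcement of a permitted prefix is accepted. The sample entries and routes are constructed; the numeric argument after ge and le, lowest-sequence-first evaluation, and the implicit deny for unmatched routes are assumptions.

```python
import ipaddress


def parse_entry(line):
    """Parse 'seq N {deny|permit} {any | ip-prefix [ge X] [le Y]}'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "seq" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a prefix-list entry: {line!r}")
    seq, action = int(tok[1]), tok[2]
    if tok[3] == "any":
        if len(tok) != 4:
            raise ValueError(f"'any' takes no ge/le bounds: {line!r}")
        return seq, action, ipaddress.IPv4Network("0.0.0.0/0"), 0, 32
    net = ipaddress.IPv4Network(tok[3])  # rejects prefixes with host bits set
    opts = tok[4:]
    if len(opts) % 2:
        raise ValueError(f"ge/le needs a length: {line!r}")
    bounds = {}
    for key, val in zip(opts[::2], opts[1::2]):
        if key not in ("ge", "le") or key in bounds:
            raise ValueError(f"unexpected option {key!r}: {line!r}")
        bounds[key] = int(val)
    if not bounds:
        lo = hi = net.prefixlen          # no ge/le: exact-length match only
    else:
        lo = bounds.get("ge", net.prefixlen)
        hi = bounds.get("le", 32)
    if not net.prefixlen <= lo <= hi <= 32:
        raise ValueError(f"inconsistent ge/le bounds: {line!r}")
    return seq, action, net, lo, hi


def evaluate_prefix_list(entries, route):
    """Return 'permit' or 'deny' for one received IPv4 prefix."""
    prefix = ipaddress.IPv4Network(route)
    for _seq, action, net, lo, hi in sorted(entries, key=lambda e: e[0]):
        if prefix.subnet_of(net) and lo <= prefix.prefixlen <= hi:
            return action
    return "deny"  # Assumption: a route matching no entry is denied.


# Constructed prefix list: block 10.0.0.0/8 and everything inside it, accept
# 203.0.113.0/24 only as announced, accept /25 and /26 parts of 198.51.100.0/24.
PREFIX_LIST = [parse_entry(line) for line in (
    "seq 5 deny 10.0.0.0/8 le 32",
    "seq 10 permit 203.0.113.0/24",
    "seq 15 permit 198.51.100.0/24 ge 25 le 26",
)]

if __name__ == "__main__":
    for route in ("10.1.2.0/24", "203.0.113.0/24", "203.0.113.128/25",
                  "198.51.100.64/26", "198.51.100.16/28"):
        print(route, evaluate_prefix_list(PREFIX_LIST, route))
```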
Filtering BGP Routes Using Route Maps
To filter routes using a route map, use these commands.
1 Create a route map and assign it a name.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2 Create multiple route map filters with a match or set action.
CONFIG-ROUTE-MAP mode
{match | set}
For information about configuring route maps, refer to Access Control Lists (ACLs).
3 Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4 Enter ROUTER BGP mode.
ip as-path access-list as-path-name
2 Create an AS-PATH ACL filter with a deny or permit action.
AS-PATH ACL mode
{deny | permit} as-regular-expression
3 Return to CONFIGURATION mode.
AS-PATH ACL
exit
4 Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5 Filter routes based on the criteria in the configured route map.
• Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-reflector-client When you enable a route reflector, the system automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode.
sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands.
• Specifies the confederation ID.
CONFIG-ROUTER-BGP mode
bgp confederation identifier as-number
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
• Specifies which confederation sub-AS are peers.
CONFIG-ROUTER-BGP mode
bgp confederation peers as-number [...
flapping, or change the path selection from the default mode (deterministic) to non-deterministic, use the following commands.
• Enable route dampening.
CONFIG-ROUTER-BGP mode
bgp dampening [half-life | reuse | suppress max-suppress-time] [route-map mapname]
Enter the following optional parameters to configure route dampening parameters:
• half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased.
• order in which they arrived (starting with the most recent). Furthermore, in non-deterministic mode, the software may not compare MED attributes though the paths are from the same AS. Change the best path selection method to non-deterministic.
Changing BGP Timers
To configure BGP timers, use either or both of the following commands. Timer values configured with the neighbor timers command override the timer values configured with the timers bgp command.
command, the replay and update process is triggered only if a route-refresh request is not negotiated with the peer. If the request is indeed negotiated (after execution of clear ip bgp soft in), BGP sends a route-refresh request to the neighbor and receives all of the peer’s updates. To use soft reconfiguration (or soft reset) without preconfiguration, both BGP peers must support the soft route refresh capability, which is advertised in the open message sent when the peers establish a TCP session.
Route Map Continue
The BGP route map continue feature, continue [sequence-number], (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If you do not specify a sequence number, the continue feature moves to the next sequence number (also known as an “implied continue”). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
• Send a capability advertisement to the peer in the BGP Open message specifying IPv4 multicast as a supported AFI/SAFI (Subsequent Address Family Identifier).
• If the corresponding capability is received in the peer’s Open message, BGP marks the peer as supporting the AFI/SAFI.
• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
• View information about BGP KEEPALIVE messages.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
• View information about BGP notifications received from or sent to neighbors.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out]
• View information about BGP updates and filter by prefix name.
3 opens, 1 notifications, 1394 updates 6 keepalives, 0 route refresh requests Sent 48 messages, 0 in queue 3 opens, 2 notifications, 0 updates 43 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFR
• The max buffer size is reduced. (This may cause PDUs to be cleared depending on the buffer space consumed and the new limit.) Examples of Capturing PDUs To change the maximum buffer size, use the capture bgp-pdu max-buffer-size command. To view the captured PDUs, use the show capture bgp-pdu neighbor command. Dell#show capture bgp-pdu neighbor 20.20.20.2 Incoming packet capture enabled for BGP neighbor 20.20.20.
PDU Counters
Additional counters for various types of PDUs that are sent and received from neighbors are also supported. These are seen in the output of the show ip bgp neighbor command.
Sample Configurations
The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
The following illustration shows the configurations described in the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.
Figure 25. Sample Configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.
R1(conf-if-te-1/31)#ip address 10.0.3.31/24 R1(conf-if-te-1/31)#no shutdown R1(conf-if-te-1/31)#show config ! interface TenGigabitEthernet 1/31 ip address 10.0.3.31/24 no shutdown R1(conf-if-te-1/31)#router bgp 99 R1(conf-router_bgp)#network 192.168.128.0/24 R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99 R1(conf-router_bgp)#neighbor 192.168.128.2 no shut R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0 R1(conf-router_bgp)#neighbor 192.168.128.
R2(conf-if-te-2/31)#no shutdown R2(conf-if-te-2/31)#show config ! interface TenGigabitEthernet 2/31 ip address 10.0.2.2/24 no shutdown R2(conf-if-te-2/31)# R2(conf-if-te-2/31)#router bgp 99 R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R2(conf-router_bgp)#neighbor 192.168.128.1 no shut R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R2(conf-router_bgp)#neighbor 192.168.128.
R3(conf-if-lo-0)#int tengig 3/21 R3(conf-if-te-3/21)#ip address 10.0.2.3/24 R3(conf-if-te-3/21)#no shutdown R3(conf-if-te-3/21)#show config ! interface TenGigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.1 no shut R3(conf-router_bgp)#neighbor 192.168.128.
neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 peer-group AAA neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 peer-group BBB neighbor 192.168.128.3 update-source Loopback 0 neighbor 192.168.128.3 no shutdown R1# R1#show ip bgp summary BGP router identifier 192.168.128.
ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.1, Local port: 179 Foreign host: 192.168.128.2, Foreign port: 65464 BGP neighbor is 192.168.128.3, remote AS 100, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
R2# R2#show ip bgp summary BGP router identifier 192.168.128.2, local AS number 99 BGP table version is 2, main routing table version 2 1 network entrie(s) using 132 bytes of memory 3 paths using 204 bytes of memory BGP-RIB over all using 207 bytes of memory 2 BGP path attribute entrie(s) using 128 bytes of memory 2 BGP AS-PATH entrie(s) using 90 bytes of memory 2 neighbor(s) using 9216 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 192.168.128.
BGP neighbor is 192.168.128.1, remote AS 99, external link Member of peer-group BBB for session parameters BGP version 4, remote router ID 192.168.128.
BGP version 4, remote router ID 192.168.128.
9 Content Addressable Memory (CAM)
CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
L2Acl : 5
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
Openflow : 0
-- linecard 1 --
Current Settings(in block sizes) 1 block = 256 entries
L2Acl : 5
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
Openflow : 0
-- linecard 2 --
Current Settings(in block sizes) 1 block = 256 entries
L2Acl : 5
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
Openflow : 0
The ipv6acl and vman-dua
NOTE: If the allocation values are not entered for the CAM regions, the value is 0.
3 Verify that the new settings will be written to the CAM on the next boot.
EXEC Privilege mode
show cam-acl
4 Reload the system.
EXEC Privilege mode
reload
Test CAM Usage
The test cam-usage command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
Openflow : 0
-- linecard 0 --
Current Settings(in block sizes) 1 block = 256 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
Openflow : 0
-- linecard 1 --
Current Settings(in block sizes) 1 block = 256 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EcfmAcl : 0
Openflow : 0
-- linecard 2 --
Current Settings(in block sizes) 1 block = 256 entries
L2Acl : 6
Ipv4Acl :
| | | | | | | | | | | | | 1 | | | | | --More-- | | | | | | | | | | | | | 1 | | | | | IN-L3 FIB IN-L3-SysFlow IN-L3-TrcList IN-L3-McastFib IN-L3-Qos IN-L3-PBR IN-V6 ACL IN-V6 FIB IN-V6-SysFlow IN-V6-McastFib OUT-L2 ACL OUT-L3 ACL OUT-V6 ACL IN-L2 ACL IN-L2 FIB IN-L3 ACL IN-L3 FIB IN-L3-SysFlow | | | | | | | | | | | | | | | | | | 262141 2878 1024 9215 8192 1024 0 0 0 0 1024 1024 0 320 32768 12288 262141 2878 | | | | | | | | | | | | | | | | | | 14 45 0 0 0 0 0 0 0 0 0 0 0 0 1136 2 14 44 | | | | | | | |
CAM Optimization The cam-optimization command allows you to optimize CAM utilization for QoS entries by minimizing the amount of required policy-map CAM space. When you enable this command, if a Policy Map containing classification rules (ACL and/or dscp/ ipprecedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only 1 FP entry is used). When you disable this command, the system behaves as described in this chapter.
several UFT modes to extract the forwarding tables, as required. By default, Dell Networking OS initializes the table sizes to UFT mode 2 profile, since it provides a reasonable shared memory for all the tables. The other supported UFT modes are scaled-l3-hosts (UFT mode 3) and scaled-l3-routes (UFT mode 4). Table 10.
show hardware forwarding-table mode
Dell#show hardware forwarding-table mode
                    Current Settings    Next Boot Settings
Mode              : Default             scaled-l3-routes
L2 MAC Entries    : 160K                32K
L3 Host Entries   : 144K                16K
L3 Route Entries  : 16K                 128K
Dell#
10 Control Plane Policing (CoPP)
Control plane policing (CoPP) protects the switch’s routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
Queue-based Control Plane Policing
When configuring a queue-based CoPP policy, take into account that there are twenty-one CP queues divided into groups of 7 queues for the Route Processor, Control Processor, and line-card CPUs:
• Queues 0 to 6 process packets destined to the Control Processor CPU.
• Queues 7 to 13 process packets destined to the Route Processor CPU.
• Queues 14 to 20 process packets destined to the line-card CPU.
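The following Python sketch is an added example, not part of the Dell documentation. It compares two captures of the show control-traffic queue counters output (Queue-ID, RxBytes, TxBytes, Drops columns) and reports which queues dropped traffic in between, labelled with the CPU group from the list above. Both captures are constructed; treating a Drops value lower than the earlier one as a cleared counter is an assumption of this example.

```python
import re

# One data row of the counters table: Queue-ID, RxBytes, TxBytes, Drops.
ROW = re.compile(r"^Q(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def cpu_for_queue(qid):
    """Map a CP queue number to the CPU it feeds, using the grouping above."""
    if 0 <= qid <= 6:
        return "Control Processor"
    if 7 <= qid <= 13:
        return "Route Processor"
    if 14 <= qid <= 20:
        return "line-card"
    raise ValueError(f"queue {qid} is outside 0-20")


def parse_counters(text):
    """Return {queue-id: {'rx', 'tx', 'drops'}}; header and rule lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            qid, rx, tx, drops = (int(g) for g in m.groups())
            rows[qid] = {"rx": rx, "tx": tx, "drops": drops}
    return rows


def new_drops(before, after):
    """List (queue, cpu, drops added) for queues that dropped between captures."""
    findings = []
    for qid in sorted(after):
        cur = after[qid]["drops"]
        prev = before.get(qid, {"drops": 0})["drops"]
        # Assumption: a lower value means the counters were cleared in
        # between, so the current value is all that was added since.
        delta = cur - prev if cur >= prev else cur
        if delta > 0:
            findings.append((qid, cpu_for_queue(qid), delta))
    return findings


# Constructed captures, taken some minutes apart.
SNAPSHOT_1 = """
Queue-ID  RxBytes  TxBytes  Drops
---------------------------------
Q6        24016    24016    0
Q7        1200     1200     0
Q13       90500    88000    40
Q16       5000     5000     12
"""

SNAPSHOT_2 = """
Queue-ID  RxBytes  TxBytes  Drops
---------------------------------
Q6        30020    30020    0
Q7        910000   400000   7300
Q13       95000    92500    40
Q16       300      300      3
"""

if __name__ == "__main__":
    for qid, cpu, delta in new_drops(parse_counters(SNAPSHOT_1),
                                     parse_counters(SNAPSHOT_2)):
        print(f"Q{qid} ({cpu} CPU): {delta} new drops")
```

Q13 is not reported because its drop count did not change between captures; only queues that are being rate limited now appear in the result.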
8   RP  ARP Request, ICMPv6 NS, ICMPv6 RS, L3 Broadcast Mac DA  600  1000
9   RP  ARP Request, ICMPv6 NS, ICMPv6 RS, L3 Broadcast Mac DA  600  1000
10  RP  VLT IPM PDU, VLT Control  3200  1000
11  RP  Logical BFD  2600  6000
12  RP  PVST, GVRP, IGMP, PIM, MLD, MSDP, FCoE, Open Flow  2300  3000
13  RP  STP, LACP, ECFM, L2PT, ISIS, ISISv6, IPv4/IPv6 BGP, IPv4/IPv6 OSPF, RIP, IPv4/IPv6 VRRP  1800  3000
Table 13.
CoPP Example
The illustrations in this section show the benefit of using CoPP compared to not using CoPP on a switch. The following illustration shows how CoPP rate limits protocol traffic destined to the control-plane CPU.
Figure 26. Control Plane Policing
NOTE: On the system, CoPP does not convert the input rate of control-plane traffic from kilobits per second (kbps) to packets per second (pps) as on other Dell Networking switches.
The following illustration shows the difference between using CoPP and not using CoPP on a switch. Figure 27.
Configure Control Plane Policing
You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the systemwide configuration for filtering and rate limiting control-plane traffic.
Configuring CoPP for Protocols
This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic. To create a protocol-based CoPP service policy, you must first create a Layer 2, Layer 3, and/or an IPv6 ACL rule for specified protocol traffic.
CONFIGURATION mode policy-map-input name cpu-qos class-map name qos-policy name 7 Enter Control Plane configuration mode. CONFIGURATION mode control-plane-cpuqos 8 Apply the QoS input policy-map that configures rate limiting on specified protocol traffic on the control plane.
Dell(conf-class-map-cpuqos)#match ip access-group bgp Dell(conf-class-map-cpuqos)#exit Dell(conf)#class-map match-any class_lacp cpu-qos Dell(conf-class-map-cpuqos)#match mac access-group lacp Dell(conf-class-map-cpuqos)#exit Dell(conf)#class-map match-any class-ipv6-icmp cpu-qos Dell(conf-class-map-cpuqos)#match ipv6 access-group ipv6-icmp Dell(conf-class-map-cpuqos)#exit Example of Associating a QoS Class Map with a QoS Rate-Limit Policy Dell(conf)#policy-map-input egressFP_rate_policy cpu-qos Dell(conf-p
For information about the default rate limits applied to the seven CPU queues for the Route Processor, Control Processor, and line cards, refer to CoPP Implementation. 3 Enter Control Plane configuration mode. CONFIGURATION mode control-plane-cpuqos 4 Apply the QoS input policy-map with queue-based rate limiting on control plane traffic.
Q3 Q4 Q5 Q6 Q7 Q8 Q9 Q10 Q11 Q12 Q13 Q14 Q15 Q16 Q17 Q18 Q19 Q20 2000 300 300 1200 800 600 600 3200 2600 2300 1800 1 1 1200 1200 7000 800 5000 Dell#show cpu-queue rate queue-id 8 Service-Queue Rate (kbps) -----------------------Q8 600 Dell#show cpu-queue rate range 8 12 Service-Queue Rate (kbps) -----------------------Q8 600 Q9 600 Q10 3200 Q11 2600 Q12 2300 5000 2000 2000 3000 1000 1000 1000 1000 6000 3000 3000 4000 100 100 1000 1000 7000 1000 Burst (kb) ---------1000 Burst (kb) ---------1000 1000 100
150 ISIS 500 01:80:c2:00:00:14/15 any Q13 RP 09:00:2b:00:00:04/05 any Q13 RP 500 Viewing IPv4 Protocol-Queue Mapping To view the queues to which IPv4 protocol traffic is assigned, use the show ip protocol-queue-mapping command.
NTP 2000 FTP 3000 TELNET 2000 SSH 2000 VLT GARP 3000 VLT CTRL - CP CPU 3000 VLT CTRL - CP & RP CPU 3000 VLT IPM PDU 3000 L3 LOCAL TERMINATED 5000 Dell# Q3 CP 200 200 2000 Q3 CP 400 400 3000 Q3 CP 400 400 2000 Q3 CP 400 400 2000 Q3/Q10 CP/RP 500 500 3000 Q3 CP 2000 2000 3000 Q3/Q10 CP/RP 2000 2000 3000 Q3/Q10 CP/RP 500 500 3000 Q3 CP 400 400 5000 Viewing Complete Protocol-Queue Mapping To view the queues to which all protocol traffic is assigned, use the show pro
2000 v6 RAGUARD 1000 v6 ICMP NA 1000 v6 ICMP RA 1000 v6 ICMP NS 1000 v6 ICMP RS 1000 v6 ICMP 2000 BGP 2000 OSPF 2000 RIP 1000 VRRP 2000 ICMP 2000 IGMP 2000 PIM 2000 MSDP 2000 BFD 3000 802.
1000 OPENFLOW Q5 1000 FEFD Q6 1000 TRACEFLOW Q16 500 FCoE Q12 2000 L3 LOCAL TERMINATED Q3 5000 L3 UNKNOWN/UNRESOLVED ARP Q7 3000 L2 DST HIT/BROADCAST Q1/Q8 500 MULTICAST CATCH ALL Q7 500 ACL LOGGING Q17 1000 L3 HEADER ERROR/TTL0 Q0 500 IP OPTION/TTL1 Q0 500 VLAN L3 MTU FAIL Q0 500 Physical L3 MTU FAIL Q0 500 SOURCE MISS Q16 500 STATION MOVE Q16 500 SFLOW_EGRESS Q20 3000 SFLOW_INGRESS Q20 3000 CP 300 300 1000 CP 150 150 1000 LP 200 200 500 RP 300 300 2000 CP 400 400 5000 RP 200 200 30
NOTE: You must manually enable the collection of CPU traffic statistics with the debug cpu-traffic-stats command before the statistics display in show cpu-traffic-stats output. It is recommended that when you finish CoPP troubleshooting, you disable the collection of CPU traffic statistics by entering the no debug cpu-traffic-stats command.
Viewing CPU Traffic Statistics
To view the statistics collected on CPU traffic, use the show cpu-traffic-stats [cp | rp | all] command.
MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, param0=1(0x1), param1=1(0x1), param2=0(0), param3=0(0)} policer= statistics={stat id 1 slice = 9 idx=0 entries=1}{Packets} ################ FP Entry for redirecting LLDP BPDU to RSM ################ EID 0x000002ff: gid=0xa, slice=9, sli
DATA=0x0000000000000000000000000000000000000000000000000000222222222222 MASK=0x0000000000000000000000000000000000000000000000000000222222222223 DstMac Offset: 88 Width: 48 DATA=0x00000180 c2000021 MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=4(0x4), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, param0=1(0x1), param1=5(0x5), param2=
v6 ICMP NA v6 RA Guard/v6 ICMP RA v6 ICMP/ICMP MLD MSDP FTP/TELNET/SSH/L3 LOCAL TERMINATED L3 UNKNOWN/UNRESOLVED ARP iSCSI FCoE SFLOW HYPERPULL OPENFLOW L2 DST HIT/BROADCAST VLT TTL1/TRACEFLOW/TTL0/STATION MOVE/TTL1 /IP OPTION/L3 MTU FAIL/SOURCE MISS v6 ICMP NS 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Dell#show control-traffic protocol pe 0 stack-unit 0 portset 0 counters Protocol RxBytes TxBytes ------------------STP/ARP/ICMP(v4/v6)/IGMP/MLD/NTP/FTP/T
0 LACP 0 ARP REQ 0 ARP RESP 0 GVRP 0 FRRP 0 ECFM 0 ISIS 0 L2PT 0 v6 BGP 0 v6 OSPF 0 v6 VRRP 0 MLD 0 v6 MULTICAST CATCH ALL 0 IPv6 DHCP 0 v6 RAGUARD 0 v6 ICMP NA 0 v6 ICMP RA 0 v6 ICMP NS 0 v6 ICMP RS 0 v6 ICMP 0 BGP 0 OSPF 0 RIP 0 VRRP 0 ICMP 0 IGMP 0 PIM 0 MSDP 0 BFD ON PHYSICAL PORTS 0 BFD ON LOGICAL PORTS 0 802.
0 DHCP RELAY 0 DHCP 0 NTP 0 FTP 0 TELNET 0 SSH 0 VLT GARP 0 VLT CTRL - CP CPU 0 VLT CTRL - RP CPU 0 VLT CTRL - CP & RP CPU 0 VLT CTRL - HA 0 VLT CTRL 0 VLT IPM PDU 0 VLT ARP RESP 0 VLT TTL1 0 HYPERPULL 0 OPENFLOW 0 FEFD 0 TRACEFLOW 0 FCoE 0 L3 LOCAL TERMINATED 0 L3 UNKNOWN/UNRESOLVED ARP 0 L2 DST HIT/BROADCAST 0 MULTICAST CATCH ALL 0 ACL LOGGING 0 L3 HEADER ERROR/TTL0 0 IP OPTION/TTL1 0 VLAN L3 MTU FAIL 0 Physical L3 MTU FAIL 0 SOURCE MISS 0 STATION MOVE 0 TX UNICAST ENTRY 0 0 0 0 0 0 0 0 0 0 0
0 TX MULTICAST ENTRY 0 TX INTER SPINE ENTRY 0 DROP ENTRY 0 CP bound IPC 0 RP bound IPC 0 ECP bound IPC 0 SFLOW_EGRESS 0 SFLOW_INGRESS 0 0 0 0 0 0 847344 847344 9180 9180 34484 34484 0 0 0 0 0
To clear the per-protocol counters of rate-limited control-plane traffic at the aggregated (switch) or line card and port set level, use the clear control-traffic protocol [cp-switch | linecard {0–2} portset {0–3}] counters command; for example:
Dell#clear control-traffic protocol linecard 1 portset 2
Q7 Q8 Q9 Q10 Q11 Q12 Q13 Q14 Q15 Q16 Q17 Q18 Q19 Q20 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 To clear the per-queue counters of rate-limited traffic at the aggregated (switch) or individual queue level, use the clear control-traffic queue {all | queue-id queue-number} counters command; for example: Dell#show control-traffic queue queue-id 6 counters Queue-ID RxBytes TxBytes Drops ------------------------Q6 24016 24016 0 Dell#clear control-traffic queue queue-i
11 Data Center Bridging (DCB)
Topics:
• Enabling Data Center Bridging
• Ethernet Enhancements in Data Center Bridging
• QoS dot1p Traffic Classification and Queue Assignment
• SNMP Support for PFC and Buffer Statistics Tracking
• DCB Maps and its Attributes
• Data Center Bridging: Default Configuration
• Configuration Notes: PFC and ETS in a DCB Map
• Configuring Priority-Based Flow Control
• Configuring Enhanced Transmission Selection
• Configure a DCBx Operation
• Verifying the DCB Co
dcb enable
By default, PFC is enabled for 2 lossless queues when you use the dcb enable command. To configure 3-4 lossless queues, use the following syntax:
Dell(conf)#dcb enable pfc-queues ?
<1-4> Number of PFC lossless queues(default=2)
dcb-map linecard 0 backplane all
dcb-map linecard all backplane all
NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.
sensitive to latency. Ethernet functions as a best-effort network that may drop packets in case of network congestion. IP networks rely on transport protocols (for example, TCP) for reliable data transmission with the associated cost of greater processing overhead and performance impact. Storage traffic Storage traffic based on Fibre Channel media uses the Small Computer System Interface (SCSI) protocol for data transfer.
The following illustration shows how PFC handles traffic congestion by pausing the transmission of incoming traffic with dot1p priority 4. Figure 28. Illustration of Traffic Congestion The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4. In the Dell Networking OS, PFC is implemented as follows: • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Enhanced Transmission Selection Enhanced transmission selection (ETS) supports optimized bandwidth allocation between traffic types in multiprotocol (Ethernet, FCoE, SCSI) links. By default, ETS is disabled. ETS allows you to divide traffic according to its 802.1p priority into different priority groups (traffic classes) and configure bandwidth allocation and queue scheduling for each group to ensure that each traffic type is correctly prioritized and receives its required bandwidth.
• PFC enabled or disabled
• No bandwidth limit or no ETS processing
ETS uses the DCB MIB IEEE 802.1azd2.5.
Data Center Bridging Exchange Protocol (DCBx)
By default, the data center bridging exchange (DCBx) protocol is disabled; ETS is also disabled. DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices.
Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 30. DCB PFC and ETS Traffic Handling QoS dot1p Traffic Classification and Queue Assignment The following section describes QoS dot1P traffic classification and assignments.
NOTE: Dell Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS. However, Dell Networking does recommend using Ingress traffic classification using the service-class dynamic dot1p command (honor dot1p) on all DCB-enabled interfaces.
• fpIngPgBuffSnapshotTable
• fpStatsPerPgTable
• pfcPerPrioTable
fpEgrQBuffSnapshotTable: This table fetches the BST statistics at Egress Port with respect to the buffer used. This table displays the Snapshot of the Buffer cells used by Unicast and Multicast Data and Control Queues.
fpIngPgBuffSnapshotTable: This table fetches the BST statistics at the Ingress Port with respect to the Shared Cells and the Headroom cells used per Priority Group.
Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
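The following Python sketch is an added example, not Dell code. It expands a priority-pgid line into its priority groups and checks the rule this guide states for priority groups (all priorities that map to the same queue must be in the same priority group) against the dot1p-to-queue mapping printed by show dot1p-queue-mapping. The function names are hypothetical, the eight-value form is taken from the example above, and the queue mapping is the sample output shown in this guide.

```python
from collections import defaultdict

# Sample output copied from this guide's "show dot1p-queue-mapping" example.
QUEUE_OUTPUT = """\
Dot1p Priority: 0 1 2 3 4 5 6 7
Queue : 0 0 0 1 2 3 3 3
"""


def parse_priority_pgid(command):
    """Parse 'priority-pgid g0 ... g7' into {priority_group: [dot1p, ...]}."""
    tokens = command.split()
    if not tokens or tokens[0] != "priority-pgid":
        raise ValueError("expected a priority-pgid command")
    groups = tokens[1:]
    if len(groups) != 8:
        raise ValueError("expected 8 group numbers, one per dot1p priority 0-7")
    mapping = defaultdict(list)
    for dot1p, text in enumerate(groups):
        if not text.isdigit() or int(text) > 7:
            raise ValueError(f"priority group {text!r} is outside the range 0-7")
        mapping[int(text)].append(dot1p)
    return dict(mapping)


def parse_dot1p_queue_mapping(output):
    """Parse the two-row mapping output into {dot1p: queue}."""
    rows = {}
    for line in output.splitlines():
        label, sep, values = line.partition(":")
        key = label.strip().lower()
        if sep and key in ("dot1p priority", "queue"):
            rows[key] = [int(v) for v in values.split()]
    priorities, queues = rows["dot1p priority"], rows["queue"]
    if len(priorities) != len(queues):
        raise ValueError("priority and queue rows differ in length")
    return dict(zip(priorities, queues))


def queue_conflicts(pgid_command, queue_output):
    """Return {queue: {priority_group: [dot1p, ...]}} for every queue whose
    dot1p priorities are spread over more than one priority group."""
    group_of = {p: g
                for g, ps in parse_priority_pgid(pgid_command).items()
                for p in ps}
    queue_of = parse_dot1p_queue_mapping(queue_output)
    per_queue = defaultdict(lambda: defaultdict(list))
    for dot1p, queue in sorted(queue_of.items()):
        per_queue[queue][group_of[dot1p]].append(dot1p)
    return {q: dict(gs) for q, gs in per_queue.items() if len(gs) > 1}


if __name__ == "__main__":
    good = "priority-pgid 0 0 0 1 2 4 4 4"   # the example from this guide
    bad = "priority-pgid 0 0 1 1 2 4 4 4"    # constructed: splits queue 0
    for cmd in (good, bad):
        print(cmd)
        print("  groups   :", parse_priority_pgid(cmd))
        print("  conflicts:", queue_conflicts(cmd, QUEUE_OUTPUT) or "none")
```
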
Step Task Command Command Mode fortygigabitEthernet slot/port}
2 Apply the DCB map on the Ethernet port to configure it with the PFC and ETS settings in the map.
INTERFACE mode
dcb-map name
For example:
Dell# interface tengigabitEthernet 1/1
Dell(config-if-te-1/1)# dcb-map SAN_A_dcb_map1
Repeat Steps 1 and 2 to apply a DCB map to more than one port.
Configuring Lossless Queues DCB also supports the manual configuration of lossless queues on an interface after you disable PFC mode in a DCB map and apply the map on the interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed, but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the no-drop egress queues.
Step Task Command Command Mode You cannot configure PFC no-drop queues on an interface on which a DCB map with PFC enabled has been applied, or which is already configured for PFC using the pfc priority command. Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3 Default: No lossless queues are configured. Applying a DCB Map on a Line Card On the C9010, DCB is supported per-line card.
Dell(conf)# Dell(conf)#dcb enable pfc-queues ? <1-4> Number of PFC lossless queues(default=2) <1-4> Number of PFC lossless queues(default=2) NOTE: In Egress queue assignment (8 queues). PFC is not applied on specific dot1p priorities. ETS: Equal bandwidth is assigned to each port queue and each dot1p priority in a priority group. To configure PFC and ETS parameters on an interface, you must specify the PFC mode, the ETS bandwidth allocation for a priority group, and the 802.
• To remove a DCB map, including the PFC configuration it contains, use the no dcb map command in Interface configuration mode. • To disable PFC operation on an interface, use the no pfc mode on command in DCB-Map configuration mode. • Traffic may be interrupted when you reconfigure PFC no-drop priorities in a DCB map or re-apply the DCB map to an interface. • For PFC to be applied, the configured priority traffic must be supported by a PFC peer (as detected by DCBx).
• Dell Networking OS supports hierarchical scheduling on an interface. The control traffic on Dell Networking OS is redirected to control queues as higher priority traffic with strict priority scheduling. After the control queues drain out, the remaining data traffic is scheduled to queues according to the bandwidth and scheduler configuration in the DCB map. The available bandwidth calculated by the ETS algorithm is equal to the link bandwidth after scheduling non-ETS higher-priority traffic.
• If you configure more than one priority group as strict priority, the higher numbered priority queue is given preference when scheduling data traffic. Configuring Priority-Based Flow Control Priority-Based Flow Control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB.
Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7. Dell Networking OS Behavior: As soon as you apply a DCB policy with PFC enabled on an interface, DCBx starts exchanging information with PFC-enabled peers. The IEEE802.
It is the user's responsibility to have symmetric PFC configurations on the interfaces involved in a particular PFC-enabled traffic-flow to obtain lossless behavior.
Configuring Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.
Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7. Dell Networking OS Behavior: A priority group consists of 802.
priority scheduling (strict-priority command). The priority group for strict-priority scheduling (scheduler strict command.
Configure a DCBx Operation
DCB devices use the data center bridging exchange protocol (DCBx) to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP).
the configuration to other auto-upstream and auto-downstream ports. A port that receives an internally propagated configuration overwrites its local configuration with the new parameter values.
Manual The port is configured to operate only with administrator-configured settings and does not auto-configure with DCB settings received from a DCBx peer or from an internally propagated configuration from the configuration source. If you enable DCBx, ports in Manual mode advertise their configurations to peer devices but do not accept or propagate internal or external configurations.
Configuration Source Election When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch. • If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, the DCBx marks the port as DCBx-enabled.
Auto-Detection and Manual Configuration of the DCBx Version When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port automatically detects the DCBx version on a peer port. Legacy CIN and CEE versions are supported in addition to the standard IEEE version 2.5 DCBx. A DCBx port detects a peer version after receiving a valid frame for that version.
The packets that come in with packet-dot1p 2 alone will use Q1 (as per dot1p to Queue classification – Table 2) on the egress port. • When Peer sends a PFC message for Priority 2, based on above PRIO2COS table (TABLE 2), Queue 1 is halted. • Queue 1 starts buffering the packets with Dot1p 2. This causes PG6 buffer counter to increase on the ingress, since P-dot1p 2 is mapped to PG6. • As the PG6 watermark threshold is reached, PFC will be generated for dot1p 2.
DCBx Example The following figure shows how to use DCBx. The device is connected to third-party, top-of-rack (ToR) switches through 40GbE or 10GBE uplinks. The ToR switches are part of a Fibre Channel storage network. The ports connected to the server with CNA are configured as auto-downstream ports. Figure 31.
DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter).
• If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
• auto-upstream: configures the port to receive a peer configuration. The configuration source is elected from auto-upstream ports.
• auto-downstream: configures the port to accept the internally propagated DCB configuration from a configuration source.
• config-source: configures the port to serve as the configuration source on the switch.
• manual: configures the port to operate only on administrator-configured DCB parameters.
configure
2 Enter LLDP Configuration mode to enable DCBx operation.
CONFIGURATION mode
[no] protocol lldp
3 Configure the DCBx version used on all interfaces not already configured to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
• auto: configures all ports to operate using the DCBx version received from a peer.
• cee: configures a port to use CEE (Intel 1.01).
• cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
• ieee-v2.
[no] fcoe priority-bits priority-bitmap The priority-bitmap range is from 1 to FF. The default is 0x8. 7 Configure the iSCSI priority advertised for the iSCSI protocol in Application Priority TLVs. PROTOCOL LLDP mode [no] iscsi priority-bits priority-bitmap The priority-bitmap range is from 1 to FF. The default is 0x10. DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs.
• mgmt: enables traces for DCBx management frames. • resource: enables traces for DCBx system resource frames. • sem: enables traces for the DCBx state machine. • tlv: enables traces for DCBx TLVs. Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 19. Displaying DCB Configurations Command Output show dot1p-queue mapping Displays the current 802.1p priority-queue mapping.
Examples of the show Commands The following example shows the show dot1p-queue mapping command. Dell(conf)# show dot1p-queue-mapping Dot1p Priority: 0 1 2 3 4 5 6 7 Queue : 0 0 0 1 2 3 3 3 The following example shows the show dcb command.
Oper status is recommended PFC DCBx Oper status is Up State Machine Type is Feature TLV Tx Status is enabled PFC Link Delay 45556 pause quanta Application Priority TLV Parameters : -------------------------------------FCOE TLV Tx Status is disabled ISCSI TLV Tx Status is disabled Local FCOE PriorityMap is 0x8 Local ISCSI PriorityMap is 0x10 Remote FCOE PriorityMap is 0x8 Remote ISCSI PriorityMap is 0x8 0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts The following table de
Fields Description PFC DCBx Oper status Operational status for exchange of PFC configuration on local port: match (up) or mismatch (down). State Machine Type Type of state machine used for DCBx exchanges of PFC parameters: • • Feature: for legacy DCBx versions Symmetric: for an IEEE version TLV Tx Status Status of PFC TLV advertisements: enabled or disabled. PFC Link Delay Link delay (in quanta) used to pause specified priority traffic.
Te 0/2 P4 0 0 0
Te 0/2 P5 0 0 0
Te 0/2 P6 0 0 0
Te 0/2 P7 0 0 0
The following example shows the show interface ets summary command.
Admin is enabled TC-grp Priority# Bandwidth TSA 0 0,1,2,3,4,5,6,7 100% ETS 1 0% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Priority# Bandwidth TSA 0 13% ETS 1 13% ETS 2 13% ETS 3 13% ETS 4 12% ETS 5 12% ETS 6 12% ETS 7 12% ETS Remote Parameters: ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# Bandwidth TSA 0 0,1,2,3,4,5,6,7 100% ETS 1 0% ETS 2 0% ETS 3 0% ETS 4 0% ETS 5 0% ETS 6 0% ETS 7 0% ETS Priority# Bandwidth TSA 0 13% ETS 1 13%
1 2 3 4 5 6 7 Priority# Bandwidth TSA 0 1 2 3 4 5 6 7 Remote Parameters: ------------------Remote is disabled Local Parameters : -----------------Local is enabled TC-grp Priority# 0 0,1,2,3,4,5,6,7 1 2 3 4 5 6 7 0% 0% 0% 0% 0% 0% 0% ETS ETS ETS ETS ETS ETS ETS 13% 13% 13% 13% 12% 12% 12% 12% ETS ETS ETS ETS ETS ETS ETS ETS Bandwidth 100% 0% 0% 0% 0% 0% 0% 0% TSA ETS ETS ETS ETS ETS ETS ETS ETS Priority# Bandwidth 0 13% 1 13% 2 13% 3 13% 4 12% 5 12% 6 12% 7 12% Oper status is init Conf TLV Tx Status i
1 2 3 4 5 6 7 3 50 - - - - ETS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Remote Parameters : ------------------Remote is disabled Local Parameters : -----------------Local is enabled PG-grp Priority# BW-% BW-COMMITTED BW-PEAK TSA % Rate(Mbps) Burst(KB) Rate(Mpbs) Burst(KB) ---------------------------------------------------------0 0,1,2,4,5,6,7 50 400 100 4000 400 ETS 1 3 50 - - ETS 2 - - - - 3 - - - - 4 - - - - 5 - - - - 6 - - - - 7 - - - - Oper status is init Conf TLV Tx Status is d
Field Description Willing bit received in ETS TLVs from the remote peer is included. Local Parameters ETS configuration on local port, including Admin mode (enabled when a valid TLV is received from a peer), priority groups, assigned dot1p priorities, and bandwidth allocation. Operational status (local port) Port state for current operational ETS configuration: • • • Init: Local ETS configuration parameters were exchanged with peer.
Admin Parameters: -------------------Admin is enabled PG-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,4,5,6,7 50 % ETS 1 3 50 % 2 3 4 5 6 7 - ETS - Dell# show interface tengigabit 2/12 dcbx details E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS Recommendation TLV enabled r-ETS Recommendation TLV disabled P-PFC Configuration TLV enabled p-PFC Configuration TLV disabled F-Application priority for FCOE enabled f-Application Priority for FCOE disab
----------------DCBx Operational Version is 0 DCBx Max Version Supported is 0 Sequence Number: 1 Acknowledgment Number: 1 Protocol State: In-Sync Peer DCBx Status: ---------------DCBx Operational Version is 0 DCBx Max Version Supported is 0 Sequence Number: 1 Acknowledgment Number: 1 Total DCBx Frames transmitted 994 Total DCBx Frames received 646 Total DCBx Frame errors 0 Total DCBx Frames unrecognized 0 The following table describes the show interface DCBx detail command fields. Table 22.
Field Description Local DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs. Local DCBx Status: Protocol State Current operational state of DCBx protocol: ACK or IN-SYNC. Peer DCBx Status: DCBx Operational Version DCBx version advertised in Control TLVs received from peer device. Peer DCBx Status: DCBx Max Version Supported Highest DCBx version supported in Control TLVs received from peer device.
PRIORITY to PG mapping (PRIO2PG) is on the ingress for each port. By default, all priorities are mapped to PG7. A priority for which PFC has to be generated is assigned to a PG other than PG7 (say PG6), and a buffer watermark is set on PG6 so as to generate PFC. On ingress, the buffers are accounted for on a per-PG basis and indicate the number of packets that have ingressed on this port PG but are still queued up in the egress pipeline. However, there is no direct mapping between the PG and Queue.
• One lossless queue is used. Figure 32. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in the Incoming Frame Priority Group Assignment 1 LAN 2 LAN 3 SAN 4 IPC 5 LAN 6 LAN 7 LAN The following describes the priority group-bandwidth assignment. PFC and ETS Configuration Command Examples The following examples show PFC and ETS configuration commands to manage your data center traffic.
Using PFC and ETS to Manage Converged Ethernet Traffic
Using PFC and ETS to manage converged ethernet traffic:
dcb-map linecard all backplane all dcb-map-name
Hierarchical Scheduling in ETS Output Policies
ETS supports up to three levels of hierarchical scheduling. For example, you can apply ETS output policies with the following configurations:
Priority group 1: Assigns traffic to one priority queue with 20% of the link bandwidth and strict-priority scheduling.
Priority-Based Flow Control Using Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p priority traffic to the transmitting device.
The default behavior causes up to a maximum of 6.6 MB to be used for PFC-related traffic. The remaining approximate space of 1 MB can be used by lossy traffic. You can allocate all the remaining 1 MB to lossless PFC queues. If you allocate in such a way, the performance of lossy traffic is reduced and degraded. Although you can allocate a maximum buffer size, it is used only if a PFC priority is configured and applied on the interface.
CONFIGURATION mode dcb-buffer-threshold dcb-buffer-threshold 5 DCB-BUFFER-THRESHOLD mode priority 0 buffer-size 52 pause-threshold 16 resume-offset 10 shared-thresholdweight 7 6 Assign the DCB policy to the DCB buffer threshold profile on the backplane. CONFIGURATION mode dcb-policy buffer-threshold linecard {linecard-number | all} port-set {portpipe | all} backplane all dcb-policy-name 7 Assign the DCB policy to the DCB buffer threshold profile on interfaces.
12 Debugging and Diagnostics This chapter describes the debugging and diagnostics tasks you can perform on the switch.
Running Port Extender Offline Diagnostics on the Switch
To run port extender offline diagnostics on the switch:
1 Start the diagnostics on the unit.
EXEC Privilege Mode
diag pe pe-id stack-unit unit-number
Specify the port extender ID and stack unit ID, where:
• pe-id is a port-extender group ID number from 0 to 255
• stack-unit unit-number is a PE stack-unit number from 0 to 7
Dell#diag pe 0 stack-unit 0
A warning is displayed with a CLI prompt asking you to click Yes or No.
The file-name refers to the file name that is displayed in the show diag pe command. In this case, TestReport-SU-0-PE-0-20150312_045748.txt
show file flash://DEFAULT_DIAG_REPORT_DIR/TestReport-SU-0-PE-0-20150312_045748.txt
Diagnostic results are stored to a file in the flash using the filename format: flash://DEFAULT_DIAG_REPORT_DIR/TestReport-SU--PE-.txt
Dell#00:20:26 : Diagnostic test results are stored on flash://DEFAULT_DIAG_REPORT_DIR/TestReport-SU-0-PE-0-20150312_045748.
Dell#dir
Directory of flash:/default_diag_report_dir
1 drwx 16384 Mar 25 2015 14:26:10 +00:00 .
2 drwx 8192 Jan 01 1980 00:00:00 +00:00 ..
3 -rwx 97377 Jul 30 2015 07:52:04 +00:00 TestReport-SU-0-PE-10-20150730_075149.txt
The following example shows retrieving the diagnostics report for PE
Dell#show file TestReport-SU-2-PE-255-20150730_131431.
Starting test: usbAccess ...... -USB "/dev/rsd0c" is not plugged/mounted/formatted; test SKIPPED ERROR: USB Access Test is not done usbAccess ................................................... FAIL usbPowerEnable .............................................. PASS usbStatus ................................................... PASS LEVEL 1 DIAGNOSTIC flashRW ..................................................... PASS Starting test: oneGPhyExtLink ...... 001 - One Gig PHY Link Test ............................
snakeOneGMac ................................................ snakeOneGPhy ................................................ snakeSfpPlusMac ............................................. snakeSfpPlusPhy ............................................. snakeStackMac ............................................... snakeStackPhy ...............................................
Running Offline Diagnostics on a Standalone Switch
To run offline diagnostics on a Standalone Switch:
1 Shut down the directly connected port extender ports before you run offline diagnostics.
2 Place the entire system or particular linecard in offline state.
EXEC Privilege mode
offline system
offline linecard linecard_number
The following message displays.
Warning - offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics.
issued. Proceed with Offline [confirm yes/no]:yes % Error: linecard 0 is not present. % Error: linecard 2 is not present. % Error: linecard 3 is not present. % Error: linecard 6 is not present. % Error: linecard 7 is not present. % Error: linecard 8 is not present. % Error: linecard 9 is not present. Apr 26 22:26:17: %RPM0-P:CP %CHMGR-2-LINECARD_DOWN: linecard 4 down - linecard offline % Error: linecard 11 is not present.
--------------------------------------------------------------0 0 up up 7943 up 7992 up 7975 up 8008 0 1 up up 7975 up 8008 up 7992 up 7975 0 2 up up 7959 up 7959 up 7959 up 7975 Speed in RPM The following example runs offline diagnostics on a standalone switch Dell#diag system Warning - diagnostic execution will cause multiple link flaps on the peer side advisable to shut directly connected ports Proceed with Diags [confirm yes/no]: yes % Error: Invalid command - card is not present.
ERROR: Unit 0 hg port 30 is DOWN ERROR: Unit 0 hg port 31 is DOWN ERROR: Unit 0 hg port 32 is DOWN hgLinkStatusTest ............................................ FAIL Starting test: i2cTest ......
ERROR: Unit 0 xe ERROR: Unit 0 xe ERROR: Unit 0 xe xeLinkStatusTest port 13 is DOWN port 17 is DOWN port 21 is DOWN ............................................ FAIL LEVEL 1 DIAGNOSTIC i2cTest ..................................................... opticPhyTest ................................................ rtcTest ..................................................... sataSsdTest ................................................. Starting test: ssdFlashFileSystemStressTest ......
Failed : 8 Aborted : 0 Elapsed time : 00H:01M:01S Stop reason : after completion ------ Failed tests (level, times) -----CpuGbeLinkStatusTest (0, 1) hgLinkStatusTest (0, 1) i2cTest (0, 1) opticEepromTest (0, 1) opticPresenceTest (0, 1) udfLinkStatus (0, 1) xeLinkStatusTest (0, 1) ipcTrafficTest (2, 1) Example of a Test Log for Control Processor Dell#show file flash://TestReport-CP-unit.
ERROR: ioctl: "lm7" op(1)=READ WITH STOP bus=24 address=0x49 offset=0 length=1 ERROR: ioctl: "lm8" op(1)=READ WITH STOP bus=25 address=0x4a offset=0 length=1 ERROR: ioctl: "lm9" op(1)=READ WITH STOP bus=26 address=0x4b offset=0 length=1 i2cTest ..................................................... FAIL interruptStatusTest ......................................... PASS Starting test: lmPresenceTest ......
Starting test: showTemperature ...... +Board First Thermal Monitor Sensor[0] is 38.0 C +Board First Thermal Monitor Sensor[1] is 33.0 C +Board First Thermal Monitor Sensor[2] is 31.0 C +Board First Thermal Monitor Sensor[3] is 38.0 C +Board First Thermal Monitor Sensor[4] is 34.0 C +Board Second Thermal Monitor Sensor[0] is 40.0 C +Board Second Thermal Monitor Sensor[1] is 45.0 C +Board Second Thermal Monitor Sensor[2] is 36.0 C +Board Second Thermal Monitor Sensor[3] is 34.
ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 2 Controller Speed Test FAIL ERROR: Tray[2] fan[3] speed 56% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 3 Controller Speed Test FAIL fanCntrlSpeedTest ........................................... FAIL fanTrayEepromAccessTest ..................................... PASS Starting test: i2cTest ......
Iteration 50 - File System Check passed Completed 50 iterations No issues found in SD Flash (/dev/wd0k) SD Flash File System Stress Test is Passed ssdFlashFileSystemStressTest ................................ PASS Starting test: udfLinkStatusTest ......
linecard is currently offline. linecard alllevels diag issued at Sun Apr 26, 2015 10:32:01 PM. Current diag status : Card diags are done. Duration of execution (Total) : 1 min 13 sec. Diagnostic test results located: flash:/TestReport-LP-4.
ERROR: optic:21 is not present opticEepromTest ............................................. FAIL opticPhyTest ................................................ PASS Starting test: opticPresenceTest ...... ERROR: optic:1 is not present ERROR: optic:5 is not present ERROR: optic:9 is not present ERROR: optic:13 is not present ERROR: optic:17 is not present ERROR: optic:21 is not present opticPresenceTest ........................................... FAIL Starting test: pcieScanTest ......
The following example shows the show diag in control processor command. Dell#show diag cp unit detail Diag status of CP unit: -------------------------------------------------------------------------Board: C9010 Dell Networking ================================================= CP unit is currently offline. CP unit alllevels diag issued at Sun Apr 26, 2015 10:32:01 PM. Current diag status : Card diags are done. Duration of execution (Total) : 4 min 0 sec.
ERROR: ioctl: "lm6" op(1)=READ WITH STOP bus=23 address=0x48 offset=0 ERROR: ioctl: "lm7" op(1)=READ WITH STOP bus=24 address=0x49 offset=0 ERROR: ioctl: "lm8" op(1)=READ WITH STOP bus=25 address=0x4a offset=0 ERROR: ioctl: "lm9" op(1)=READ WITH STOP bus=26 address=0x4b offset=0 i2cTest ..................................................... FAIL interruptStatusTest ......................................... PASS Starting test: lmPresenceTest ......
sataSsdTest ................................................. PASS Starting test: showTemperature ...... +Board First Thermal Monitor Sensor[0] is 38.0 C +Board First Thermal Monitor Sensor[1] is 33.0 C +Board First Thermal Monitor Sensor[2] is 31.0 C +Board First Thermal Monitor Sensor[3] is 38.0 C +Board First Thermal Monitor Sensor[4] is 34.0 C +Board Second Thermal Monitor Sensor[0] is 40.0 C +Board Second Thermal Monitor Sensor[1] is 45.0 C +Board Second Thermal Monitor Sensor[2] is 36.
ERROR: Tray[2] fan[2] speed 56% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 2 Controller Speed Test FAIL ERROR: Tray[2] fan[3] speed 56% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 3 Controller Speed Test FAIL fanCntrlSpeedTest ........................................... FAIL fanTrayEepromAccessTest ..................................... PASS Starting test: i2cTest ......
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 50 - File System Check passed Completed 50 iterations No issues found in SD Flash (/dev/wd0k) SD Flash File System Stress Test is Passed ssdFlashFileSystemStressTest ................................ PASS Starting test: udfLinkStatusTest ......
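The test reports shown in this chapter run to hundreds of lines, so the following Python sketch (an added example, not Dell code) reduces a report to its failed tests, the diagnostic level each ran at, and the ERROR lines that precede each result. The function names are hypothetical; the sample report is constructed from line formats seen in the reports above, and the "LEVEL 0 DIAGNOSTIC" header and the failing step 002 are assumptions made for the sample.

```python
import re

LEVEL_RE = re.compile(r"^LEVEL (\d+) DIAGNOSTIC$")
START_RE = re.compile(r"^Starting test: (\S+) \.+$")
RESULT_RE = re.compile(r"^(\S+) \.{3,} (PASS|FAIL)$")
STEP_RE = re.compile(r"^(\d{3}) - (.+?) \.{3,} (PASS|FAIL)$")

# Constructed sample in the format of the TestReport files shown in this chapter.
SAMPLE_REPORT = """
LEVEL 0 DIAGNOSTIC
Starting test: usbAccess ......
-USB "/dev/rsd0c" is not plugged/mounted/formatted; test SKIPPED
ERROR: USB Access Test is not done
usbAccess ................................................... FAIL
usbPowerEnable .............................................. PASS
Starting test: opticPresenceTest ......
ERROR: optic:1 is not present
ERROR: optic:5 is not present
opticPresenceTest ........................................... FAIL
LEVEL 1 DIAGNOSTIC
flashRW ..................................................... PASS
Starting test: oneGPhyExtLink ......
001 - One Gig PHY Link Test ...................................... PASS
002 - One Gig PHY Link Test ...................................... FAIL
oneGPhyExtLink .............................................. FAIL
"""


def parse_report(text):
    """Return one dict per test result: test, level, status, errors."""
    level = None          # unknown until a LEVEL header is seen
    pending = []          # ERROR lines and failed steps since the last result
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LEVEL_RE.match(line)
        if match:
            level = int(match.group(1))
            continue
        if START_RE.match(line):
            pending = []
            continue
        if line.startswith("ERROR:"):
            pending.append(line[len("ERROR:"):].strip())
            continue
        match = STEP_RE.match(line)
        if match:
            if match.group(3) == "FAIL":
                pending.append(f"step {match.group(1)} ({match.group(2)}) failed")
            continue
        match = RESULT_RE.match(line)
        if match:
            results.append({"test": match.group(1), "level": level,
                            "status": match.group(2), "errors": pending})
            pending = []
    return results


def failed_tests(text):
    """Return [(level, test, errors)] for every test that ended in FAIL."""
    return [(r["level"], r["test"], r["errors"])
            for r in parse_report(text) if r["status"] == "FAIL"]


def absent_hardware_only(errors):
    """Heuristic (an assumption of this example): True when every error only
    reports a component as 'not present', e.g. an empty optic slot."""
    return bool(errors) and all("is not present" in e for e in errors)


if __name__ == "__main__":
    for level, test, errors in failed_tests(SAMPLE_REPORT):
        note = " (absent hardware only)" if absent_hardware_only(errors) else ""
        print(f"level {level}: {test} FAIL{note}")
        for error in errors:
            print(f"    {error}")
```
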
TRACE Logs In addition to the syslog buffer, to report hardware and software events and status information, the system buffers trace messages which are continuously written by various software tasks. Each TRACE message provides the date, time, and name of the system process. All messages are stored in a ring buffer that you can save to a file either manually or automatically after failover.
Last Restart Reason
If a switch restarted for some reason (automatically or manually), the show rpm slot-id and show linecard slot-id command outputs include the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes.
Table 23. RPM Restart Causes and Reasons
Causes | Displayed Reasons
Power cycle of the chassis | normal power-cycle
Reload | normal power-cycle
Table 24.
• Display Hardware Buffer Configurations, Counters.
• show hardware {linecard <0-11> | pe <1-255> stack-unit <0-7>} buffer unit <0-0> port buffer-info
Display the modular packet buffers details per unit and the mode of allocation.
• show hardware linecard slot-id buffer unit unit-number} total-buffer
Display the forwarding plane statistics containing the packet buffer usage per port per line card.
• show hardware ip in-acl pe pe-id stack-unit unit-number port-set number { counters | }
Display FP entries created for layer 2 for the PE interface(s) to which the egress ACL configurations are applied.
• show hardware mac eg-acl pe pe-id stack-unit unit-number port-set number {counters | }
Display FP entries created for layer 2 for the PE interface(s) to which the ingress ACL configurations are applied.
Environmental Monitoring The system components use environmental monitoring hardware to detect transmit power readings, receive power readings, and temperature updates. To receive periodic power updates, use the enable optic-info-update interval command. The output in the following example displays the environment status of the RPM.
Display Power Supply Status To monitor the operational status of a power supply, use the show environment pem command. Use the command output to verify the operation of installed power supplies. The current operational status (up or down), power supply type, fan status and speed, and power usage are displayed. A switch power supply is sometimes referred to as a power entry module (PEM).
Display Fan Status To monitor the status of fan operation, use the show environment fan command. The command output displays the operational status of each fan, including tray status, and speed of each fan.
2 2 40 44 QSFP 40GBASE-SR4 7503825H006J Media not present or accessible Yes To display more detailed information about the transceiver type, wavelength, and power reception on a switch port, use the show interfaces command. Dell#show interfaces fortyGigE 2/16 fortyGigE 2/16 is down, line protocol is down Hardware is DellForce10Eth, address is 00:02:e5:c1:00:c2 Current address is 00:02:e5:c1:00:c2 Pluggable media present, QSFP type is 40GBASE-SR4 Wavelength is 850nm QSFP receive power reading is 0.
QSFP 168 Voltage High Warning threshold QSFP 168 Bias High Warning threshold QSFP 168 RX Power High Warning threshold QSFP 168 Temp Low Warning threshold QSFP 168 Voltage Low Warning threshold QSFP 168 Bias Low Warning threshold QSFP 168 RX Power Low Warning threshold =================================== QSFP 168 Temperature QSFP 168 Voltage QSFP 168 TX1 Bias Current QSFP 168 TX2 Bias Current QSFP 168 TX3 Bias Current QSFP 168 TX4 Bias Current QSFP 168 RX1 Power QSFP 168 RX2 Power QSFP 168 RX3 Power QSFP 168
Troubleshoot an Over-Temperature Condition To troubleshoot an over-temperature condition, determine the sensor(s) that triggered the over-temperature alarm by displaying the current temperature levels and the historical logs of the temperature threshold-crossing events. The RPM has CP and LP cards whose sensor temperatures are monitored. The line card's sensor is monitored as well. The show alarm threshold command provides the temperature threshold values for the line cards and the RPM.
-- Temperature Limits (deg C) ---------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown linecard0 78 99 84 105 110 --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown RPM0 35 40 43 48 NA --------------------------------------------------------------------------Minor Off Minor Major Off Major Shutdown PEid100/Stack0 60 65 72 75 105 To display current temperature of line sensors, use the sh
When a temperature threshold is crossed (either below or above the pre-configured value), the system logs an event that contains information about the time when the event occurred, the type of event (minor, major, or shutdown), the current temperature of the sensor, and the identity of the sensor. The system also logs events when the fan speeds change (increase or decrease) as a result of changes in sensor temperature. To display the event log, use the show logging command.
• show hardware layer3 qos linecard {0-2} port-set {0-3} • show hardware ipv6 {e.g.
22 23 0 0 0 0 23 24 0 0 0 0 24 25 0 0 0 0 28 29 0 0 0 0 32 33 0 0 0 0 36 37 0 0 0 0 40 41 0 0 0 0 44 45 0 0 0 0 Internal 50 0 0 0 0 Internal 51 0 0 0 0 Internal 52 0 0 0 0 Internal 53 0 0 0 0 Internal 54 0 0 0 0 Internal 55 0 0 0 0 Internal 56 0 0 0 0 Internal 57 0 0 0 0 Internal 58 0 0 0 0 Internal 59 0 0 0 0 Internal 60 0 0 0 0 Internal 61 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Displaying
TR 255 byte frames = 1363 TR 511 byte frames = 1934 TR 1023 byte frames = 18 TR MAX Byte frames = 6202 TR MGV Frames = 0 Bytes Transmitted = 0 Frames Transmitted = 125183 Mcast Frames Transmitted = 0 Bcast Frames Transmitted = 4 Pause Frames Transmitted = 0 Deferred Transmits = 0 Excessive Deferred Transmits = 0 TX single collisions = 0 TX multiple collisions = 0 TX late collisions = 0 TX Excessive collisions = 0 TX total collisions = 0 TX Drops = 0 TX Jabber = 0 TX FCS errors = 0 TX Control frames = 0 TX o
tx_deferred = 0 tx_discarded = 0 Party Bus Receive Counters for port 0: Rx Octets = 251640594 Rx Undersize Packets = 0 Rx Oversize Packets = 0 Rx Pause Packets = 0 Rx 64 Octet Packets = 122688 Rx 65to127octets Packets = 246245 Rx 128to255octets Packets = 441 Rx 256to511octets Packets = 3816 Rx 512to1023octets Packets = 3247 Rx 1024toMaxoctets Packets = 150599 Rx Jabbers = 0 Rx align errors = 0 Rx fcs errors = 0 Rx good octets = 251640594 Rx Drop pkts = 0 Rx Unicast Packets = 333370 Rx Multicast Packets = 19
Accessing Application Core Dumps Core dumps for an application crash are enabled by default. On the system, core dumps are generated and stored in the local flash of the system’s Control Processor CPU. To access an application core-dump file, you must perform an FTP to the Control Processor CPU flash directory where the application core dump is stored in the following formats: • An application core dump generated from CP of the RPM: f10Ch_rpm<0/1>_cp__.acore.
Mini Core Dumps Dell Networking OS supports mini core dumps for kernel crashes. The mini core dump applies to Master units. Kernel mini core dumps are always enabled. The mini core dumps contain the stack space and some other very minimal information that can be used to debug a crash. These files are small files and are written into flash until space is exhausted. When the flash is full, the write process is stopped. A mini core dump contains critical information in the event of a crash.
timestamp is a text string in the format: yyyyddmmhhmmss (YearDayMonthHourMinuteSecond). To disable the full kernel and other core dumps, enter the no logging coredump command. Kernel full core dump names on the RPMs use the following formats: • Kernel full core dump generated from CP of the RPMs f10Ch_rpm<0/1>_cp_.kcore.gz • Kernel full core dump from RP application • Kernel full core dump from LP application f10Ch_rpm<0/1>_rp_.kcore.
Accessing Port Extender Core and Mini Core Dumps For port extenders (PE), the application core dump and the mini core dump of the port extenders are uploaded to the controller bridge’s flash in the directory /flash/CORE_DUMP_DIR. The format of a PE application core uploaded to the CB is as follows: f10pe___Stk.acore.gz The format of a mini core dump uploaded to the CB is as follows: f10pe_ StkUnit_.kcore.mini.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
specify the parameters that they require, and the server sends only those parameters. Some common options are shown in the following illustration. Figure 33. DHCP packet Format The following table lists common DHCP options. Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway.
Option Number and Description Clients use this option to tell the server which parameters they require. It is a series of octets where each octet is a DHCP option code. Renewal Time Option 58 Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with the original server. Rebinding Time Option 59 Specifies the amount of time after the IP address is granted that the client attempts to renew its lease with any server, if the original server does not respond.
There are additional messages that are used in case the DHCP negotiation deviates from the process previously described and shown in the illustration below. DHCPDECLINE A client sends this message to the server in response to a DHCPACK if the configuration parameters are unacceptable; for example, if the offered address is already in use. In this case, the client starts the configuration process over by sending a DHCPDISCOVER.
subnet mask that you give to each pool. For example, if all pools were configured for a /24 mask, the total would be 40000/253 (approximately 158). If the subnet is increased, more pools can be configured. The maximum subnet that can be configured for a single pool is /17. The system displays an error message for configurations that exceed the allocated memory. • The switch supports 4K DHCP Snooping entries. • All platforms support Dynamic ARP Inspection on 16 VLANs per system.
Configuring the Server for Automatic Address Allocation Automatic address allocation is an address assignment method by which the DHCP server leases an IP address to a client from a pool of available addresses. An address pool is a range of IP addresses that the DHCP server may assign. The subnet number indexes the address pools. To create an address pool, follow these steps. 1 Access the DHCP server CLI context. CONFIGURATION mode ip dhcp server 2 Create an address pool and give it a name.
• Creating Manual Binding Entries • Debugging the DHCP Server • Using DHCP Clear Commands Excluding Addresses from the Address Pool The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients. You must specify the IP address that the DHCP server should not assign to clients. To exclude an address, follow this step. • Exclude an address range from DHCP assignment. The exclusion applies to all configured pools.
Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1 Create a domain. DHCP Mode domain-name name 2 Specify in order of preference the DNS servers that are available to a DHCP client.
pool name 2 Specify the client IP address. DHCP host address 3 Specify the client hardware address. DHCP hardware-address hardware-address type • hardware-address: the client MAC address. • type: the protocol of the hardware platform. The default protocol is Ethernet. Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server.
You can configure an interface on the Dell Networking system to relay the DHCP messages to a specific DHCP server using the ip helper-address command from INTERFACE mode, as shown in the following illustration. Specify multiple DHCP servers by using the ip helper-address command multiple times. When you configure the ip helper-address command, the system listens for DHCP broadcast messages on port 67.
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int gig 1/3 GigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
• ip route for 0.0.0.0 takes precedence if it is present or added later. • Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output. • Management routes added by DHCP are automatically reinstalled if you configure a static IP route with the ip route command that replaces a management route added by the DHCP client.
DHCP Server A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from another DHCP server. Virtual Router Redundancy Protocol (VRRP) Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group. Doing so guarantees that this router becomes the VRRP group owner.
The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client. To insert Option 82 into DHCP packets, follow this step. • Insert Option 82 into DHCP packets.
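The option encoding described in this chapter, including the relay agent's removal of Option 82 from a server response, is shown in the following added example. It is not Dell Networking code: the option and sub-option numbers come from RFC 2132 and RFC 3046 (Option 55 is the parameter request list), and the function names, the sample DHCPACK options field, the circuit ID, and the remote ID are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])  # precedes the options field (RFC 2131)
PAD, END = 0, 255
OPT_SUBNET_MASK, OPT_ROUTER = 1, 3
OPT_PARAM_REQUEST_LIST = 55
OPT_RENEWAL_TIME, OPT_REBINDING_TIME = 58, 59
OPT_RELAY_AGENT_INFO = 82
SUBOPTION_NAMES = {1: "circuit-id", 2: "remote-id"}  # RFC 3046


class MalformedOptions(ValueError):
    """The options field is truncated or is not terminated by END."""


def _tlvs(data, has_pad_end):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if has_pad_end and code == PAD:      # PAD is a single octet, no length
            i += 1
            continue
        if has_pad_end and code == END:
            return
        if i + 1 >= len(data):
            raise MalformedOptions(f"option {code}: length octet missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise MalformedOptions(f"option {code}: value truncated")
        yield code, value
        i += 2 + length
    if has_pad_end:
        raise MalformedOptions("END option (255) not found")


def parse_options(field):
    """Return the options as a list of (code, raw value) in wire order."""
    if field[:4] != MAGIC_COOKIE:
        raise MalformedOptions("magic cookie missing")
    return list(_tlvs(field[4:], has_pad_end=True))


def decode(code, value):
    """Decode the options this chapter lists; other options stay raw bytes."""
    if code == OPT_SUBNET_MASK:
        return str(ipaddress.IPv4Address(value))
    if code == OPT_ROUTER:                   # one or more 4-octet addresses
        return [str(ipaddress.IPv4Address(value[i:i + 4]))
                for i in range(0, len(value), 4)]
    if code == OPT_PARAM_REQUEST_LIST:       # each octet is an option code
        return list(value)
    if code in (OPT_RENEWAL_TIME, OPT_REBINDING_TIME):
        return struct.unpack("!I", value)[0]  # seconds, 32-bit big-endian
    if code == OPT_RELAY_AGENT_INFO:         # nested sub-options, no PAD/END
        return {SUBOPTION_NAMES.get(c, c): v
                for c, v in _tlvs(value, has_pad_end=False)}
    return value


def strip_option82(field):
    """Rebuild the options field without Option 82, as a relay agent does
    before forwarding a server response to the client."""
    kept = [(c, v) for c, v in parse_options(field) if c != OPT_RELAY_AGENT_INFO]
    body = b"".join(bytes([c, len(v)]) + v for c, v in kept)
    return MAGIC_COOKIE + body + bytes([END])


def _opt(code, value):
    return bytes([code, len(value)]) + value


# Constructed sample: options field of a DHCPACK as the relay agent receives it.
SAMPLE_ACK = (
    MAGIC_COOKIE
    + _opt(53, b"\x05")                                  # message type: ACK
    + _opt(OPT_SUBNET_MASK, bytes([255, 255, 255, 0]))
    + _opt(OPT_ROUTER, bytes([10, 11, 0, 1]))
    + _opt(OPT_RENEWAL_TIME, struct.pack("!I", 43200))
    + _opt(OPT_REBINDING_TIME, struct.pack("!I", 75600))
    + _opt(OPT_RELAY_AGENT_INFO,
           _opt(1, b"Te 0/1") + _opt(2, bytes.fromhex("020000000001")))
    + bytes([END])
)

if __name__ == "__main__":
    for code, value in parse_options(SAMPLE_ACK):
        print(code, decode(code, value))
    print("after strip:", [c for c, _ in parse_options(strip_option82(SAMPLE_ACK))])
```

A field that is cut short or lacks the END option raises MalformedOptions instead of being partially accepted, which is the behaviour you want from any tool that inspects relayed DHCP traffic.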
Restrictions for DHCP Snooping • DHCP Snooping is supported only for port extender interfaces connected to the VLT peers. • DHCP server must be connected to the VLT peers only using VLT Port-channel. • DHCP Snooping is supported only for spanned VLANs. • Source address validation is not supported for VPLAG interfaces on VLT. • Port Extender does not support DHCP server. Prerequisites for DHCP Snooping • DHCP Snooping should be enabled globally on both VLT peers.
Clearing the Binding Table To clear the binding table, use the following command. • Delete all of the entries in the binding table. EXEC Privilege mode clear ip dhcp snooping binding Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping Example of the show ip dhcp snooping Command View the DHCP snooping statistics with the show ip dhcp snooping command.
so that the DHCP snooping table can decrease in size. After the table usage falls below the maximum limit of 4000 entries, new IP address assignments are allowed. To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping binding table created using the ACK packets from the trusted port.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI. SystemFlow has 102 entries by default.
Valid ARP Replies Invalid ARP Requests Invalid ARP Replies Dell# : 1000 : 1000 : 0 Bypassing the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multiswitch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default. To bypass the ARP inspection, use the following command. • Specify an interface as trusted so that ARPs are not validated against the binding table.
impersonating a legitimate client, the source address appears on the wrong ingress port and the system drops the packet. If the IP address is fake, the address is not on the list of permissible addresses for the port and the packet is dropped. Similarly, if the IP address does not belong to the permissible VLAN, the packet is dropped. To enable IP source address validation, use the following command.
cam-acl l2acl 2 Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config 3 Reload the system. EXEC Privilege reload 4 Enable IP+MAC SAV. INTERFACE mode ip dhcp source-address-validation ipmac 5 Enable IP source address validation with VLAN option. INTERFACE mode ip dhcp source-address-validation ipmac vlan vlan-id The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface.
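The following added example models how the snooping binding table drives dynamic ARP inspection and source address validation as described in this chapter. It is a simplified model, not Dell Networking code: the class and method names, port names, addresses, and lease times are constructed, the table limit is lowered to 2 in the demo to show the full-table case, and the ARP check is assumed to match on sender IP, MAC, and VLAN.

```python
from dataclasses import dataclass

MAX_BINDINGS = 4000  # binding-table limit quoted in the text


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    expires: int  # absolute time, in seconds


class SnoopingModel:
    def __init__(self, dhcp_trusted, arp_trusted=(), max_bindings=MAX_BINDINGS):
        self.dhcp_trusted = set(dhcp_trusted)  # ports that face DHCP servers
        self.arp_trusted = set(arp_trusted)    # ports that skip ARP inspection
        self.max_bindings = max_bindings
        self.table = {}                        # client IP -> Binding
        self.sav_drops = {}                    # ingress port -> discard counter

    def expire(self, now):
        """Remove bindings whose lease has run out so the table can shrink."""
        self.table = {ip: b for ip, b in self.table.items() if b.expires > now}

    def on_ack(self, ingress, ip, mac, vlan, client_port, lease, now):
        """Learn a binding only from a DHCPACK seen on a trusted port."""
        if ingress not in self.dhcp_trusted:
            return "ignored"
        self.expire(now)
        if ip not in self.table and len(self.table) >= self.max_bindings:
            return "table-full"                # no new assignment until space frees
        self.table[ip] = Binding(ip, mac, vlan, client_port, now + lease)
        return "learned"

    def arp_ok(self, port, vlan, sender_ip, sender_mac):
        """Dynamic ARP inspection: trusted ports bypass the table check."""
        if port in self.arp_trusted:
            return True
        b = self.table.get(sender_ip)
        return b is not None and (b.mac, b.vlan) == (sender_mac, vlan)

    def sav(self, port, vlan, src_ip, src_mac, check_mac=False, check_vlan=False):
        """Source address validation; check_mac models the ipmac option and
        check_vlan models the vlan option."""
        b = self.table.get(src_ip)
        if b is None:
            reason = "ip-not-bound"
        elif b.port != port:
            reason = "wrong-port"
        elif check_mac and b.mac != src_mac:
            reason = "mac-mismatch"
        elif check_vlan and b.vlan != vlan:
            reason = "wrong-vlan"
        else:
            return True, "permit"
        self.sav_drops[port] = self.sav_drops.get(port, 0) + 1
        return False, reason


# Constructed sample data: three clients behind untrusted ports, uplink Po 10.
MAC_A, MAC_C, MAC_D = "02:00:00:00:00:0a", "02:00:00:00:00:0c", "02:00:00:00:00:0d"


def demo():
    sw = SnoopingModel(dhcp_trusted={"Po 10"}, arp_trusted={"Po 10"}, max_bindings=2)
    r = {}
    r["rogue_ack"] = sw.on_ack("Te 0/2", "10.11.0.66", MAC_D, 10, "Te 0/3", 3600, 0)
    r["ack_a"] = sw.on_ack("Po 10", "10.11.0.10", MAC_A, 10, "Te 0/1", 3600, 0)
    r["ack_c"] = sw.on_ack("Po 10", "10.11.0.11", MAC_C, 10, "Te 0/2", 60, 0)
    r["ack_d_full"] = sw.on_ack("Po 10", "10.11.0.12", MAC_D, 10, "Te 0/3", 3600, 30)
    r["ack_d_retry"] = sw.on_ack("Po 10", "10.11.0.12", MAC_D, 10, "Te 0/3", 3600, 100)
    r["sav_legit"] = sw.sav("Te 0/1", 10, "10.11.0.10", MAC_A, check_mac=True)
    r["sav_wrong_port"] = sw.sav("Te 0/3", 10, "10.11.0.10", MAC_D)
    r["sav_fake_ip"] = sw.sav("Te 0/3", 10, "10.11.0.99", MAC_D)
    r["sav_mac"] = sw.sav("Te 0/1", 10, "10.11.0.10", MAC_D, check_mac=True)
    r["sav_vlan"] = sw.sav("Te 0/1", 20, "10.11.0.10", MAC_A, True, True)
    r["arp_legit"] = sw.arp_ok("Te 0/1", 10, "10.11.0.10", MAC_A)
    r["arp_spoof"] = sw.arp_ok("Te 0/3", 10, "10.11.0.10", MAC_D)
    r["arp_trusted"] = sw.arp_ok("Po 10", 10, "10.11.0.1", MAC_D)
    r["drops"] = dict(sw.sav_drops)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```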
Clearing the Number of SAV Dropped Packets To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discard-counters command. Dell>clear ip dhcp snooping source-address-validation discard-counters To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
14 Equal Cost Multi-Path (ECMP) Equal cost multi-path (ECMP) supports multiple paths in next-hop packet forwarding to a destination device. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Enabling Deterministic ECMP Next Hop Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order that the protocols and interfaces came up.
The system provides a command line interface (CLI)-based solution for modifying the hash seed to ensure that on each configured system, the ECMP selection is the same. When configured, the same seed is set for ECMP, LAG, and NH, and is used for incoming traffic only. NOTE: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs. NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed.
Managing ECMP Group Paths To manage ECMP group paths, you can configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command. NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
Modifying the ECMP Group Threshold You can customize the threshold percentage for monitoring ECMP group bundles. To customize the ECMP group bundle threshold and to view the changes, use the following commands. • Modify the threshold for monitoring ECMP group bundles. CONFIGURATION mode link-bundle-distribution trigger-threshold {percent} The range is from 1 to 90%. The default is 60%. • Display details for an ECMP group bundle.
The following network diagram depicts a scenario where a 10Gbps link connects the routers R2 and R4 and a 40Gbps link connects the routers R3 and R5: Figure 36. Sample BGP Link Bandwidth Configuration In this scenario, there is an additional 40Gbps link that is sometimes activated between the routers R2 and R5.
neighbor 1.1.1.1 no shutdown neighbor 4.4.4.2 remote-as 2 neighbor 4.4.4.2 dmzlink-bw neighbor 4.4.4.2 no shutdown neighbor 5.5.5.2 remote-as 2 neighbor 5.5.5.2 dmzlink-bw neighbor 5.5.5.2 no shutdown R3# interface tengigabitethernet 1/1 ip address 1.1.1.3/24 no shutdown interface fortyGigE 1/48 ip address 3.3.3.1/24 no shut router bgp 1 maximum-paths ebgp 2 bgp dmzlink-bw neighbor 1.1.1.1 remote-as 1 neighbor 1.1.1.1 no shutdown neighbor 3.3.3.2 remote-as 2 neighbor 3.3.3.2 dmzlink-bw neighbor 3.3.3.
Dynamic Re-calculation of Link Bandwidth The link cost associated with a port channel interface (LAG) changes whenever a member is added or deleted. Continuous link flapping results in the re-calculation of the link costs. This behaviour also causes unnecessary processing overhead on the device as it advertises these changed link costs to its peers and updates its RTM whenever there is a change in the member status.
ECMP Support in L3 Host and LPM Tables The L3 host and Longest Prefix Match (LPM) tables provide ECMP next-hop forwarding for destination addresses. You can program IPv6 /128 and IPv4 /32 route prefixes to be stored in the L3 host table and move IPv6 /128 and IPv4 /32 route prefixes between the host table and the LPM route table. By default, IPv4 route prefixes are installed only in the LPM table and IPv6/128 route prefixes are installed only in the L3 host table.
15 FCoE Transit The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces.
To ensure similar Fibre Channel robustness and security with FCoE in an Ethernet cloud network, FIP establishes virtual point-to-point links between FCoE end-devices (server ENodes and target storage devices) and FCoE forwarders (FCFs) over transit FCoE-enabled bridges. Ethernet bridges commonly provide ACLs that can emulate a point-to-point link by providing the traffic enforcement required to create a Fibre Channel-level of robustness.
FIP Function Description Logout On receiving a FLOGO packet, FSB deletes all existing sessions from the ENode to the FCF. Figure 37. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF.
Dynamic ACL generation on the switch operating as a FIP snooping bridge functions as follows: Port-based ACLs These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs. FCoE-generated ACLs These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
between the ToR switch and a core switch. The switch operates as a lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the FCF switch. Figure 38. FIP Snooping on a Core Switch The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions: • Allocate CAM resources for FCoE.
• To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge Port modes. • To ensure that they are operationally active, check FIP snooping-enabled VLANs. • Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
• create the VLANs on the switch which handles FCoE traffic (use the interface vlan command). • configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames (use the portmode hybrid command). • configure tagged VLAN membership on each FIP snooping port that sends and receives FCoE traffic and has links with an FCF, ENode server, or another FIP snooping bridge (use the tagged port-type slot/port command).
Enable FIP Snooping on VLANs You can enable FIP snooping globally on a switch on all VLANs or on a specified VLAN. When you enable FIP snooping on VLANs: • FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs. • FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped.
Impact on Other Software Features When you enable FIP snooping on a switch, other software features are impacted. The following table lists the impact of FIP snooping. Table 28. Impact of Enabling FIP Snooping Impact Description MAC address learning MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode.
Configuring FIP Snooping You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN. By default, FIP snooping is disabled. To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these steps. 1 Configure FCoE. To configure FCoE transit, refer to the FCoE Transit Configuration Example. NOTE: DCB/DCBx is enabled when either of these configurations is applied. 2 Save the configuration on the switch. EXEC Privilege mode.
Displaying FIP Snooping Information Use the following show commands to display information on FIP snooping. Table 29. Displaying FIP Snooping Information Command Output show fip-snooping sessions [interface vlan vlan-id] Displays information on FIP-snooped sessions on all VLANs or a specified VLAN, including the ENode interface and MAC address, the FCF interface and MAC address, VLAN ID, FCoE MAC address and FCoE session ID number (FC-ID), worldwide node name (WWNN) and the worldwide port name (WWPN).
aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 FCoE MAC 0e:fc:00:01:00:01 0e:fc:00:01:00:02 0e:fc:00:01:00:03 0e:fc:00:01:00:04 0e:fc:00:01:00:05 Te Te Te Te 0/42 0/42 0/42 0/42 FC-ID 01:00:01 01:00:02 01:00:03 01:00:04 01:00:05 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 Te Te Te Te Port WWPN 31:00:0e:fc:00:00:00:00 41:00:0e:fc:00:00:00:00 41:00:0e:fc:00:00:00:01 41:00:0e:fc:00:00:00:02 41:00:0e:fc:00:00:00:03 0/43 0/43 0/43 0/43 100 100 100 100
Table 31. show fip-snooping enode Command Description Field Description ENode MAC MAC address of the ENode. ENode Interface Slot/ port number of the interface connected to the ENode. FCF MAC MAC address of the FCF. VLAN VLAN ID number used by the session. FC-ID Fibre Channel session ID assigned by the FCF. The following example shows the show fip-snooping fcf command. Dell# show fip-snooping fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
Number of Unicast Discovery Advertisement Number of FLOGI Accepts Number of FLOGI Rejects Number of FDISC Accepts Number of FDISC Rejects Number of FLOGO Accepts Number of FLOGO Rejects Number of CVL Number of FCF Discovery Timeouts Number of VN Port Session Timeouts Number of Session failures due to Hardware Config Dell(conf)# :2 :2 :0 :16 :0 :0 :0 :0 :0 :0 :0 Dell# show fip-snooping statistics int tengigabitethernet 0/11 Number of Vlan Requests :1 Number of Vlan Notifications :0 Number of Multicast Disc
Table 33. show fip-snooping statistics Command Descriptions Field Description Number of VLAN Requests Number of FIP-snooped VLAN request frames received on the interface. Number of VLAN Notifications Number of FIP-snooped VLAN notification frames received on the interface. Number of Multicast Discovery Solicits Number of FIP-snooped multicast discovery solicit frames received on the interface.
Field Description Number of FCF Discovery Timeouts Number of FCF discovery timeouts that occurred on the interface. Number of VN Port Session Timeouts Number of VN port session timeouts that occurred on the interface. Number of Session failures due to Hardware Config Number of session failures due to hardware configuration that occurred on the interface. The following example shows the show fip-snooping system command.
FCoE Transit Configuration Example The following illustration shows a core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 39. Configuration Example: FIP Snooping on a Core Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
The following example shows how to configure FIP snooping on FCoE VLAN 10, on an FCF-facing port (0/50), on an ENode server-facing port (0/1), and to configure the FIP snooping ports as tagged members of the FCoE VLAN enabled for FIP snooping.
16 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a nonregulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Preparing the System Before you enable FIPS mode, Dell Networking recommends making the following changes to your system. 1 Disable the Telnet server (only use secure shell [SSH] to access the system). 2 Disable the FTP server (only use secure copy [SCP] to transfer files to and from the system). 3 Attach a secure, standalone host to the console port for the FIPS configuration to use. Enabling FIPS Mode To enable or disable FIPS mode, use the console port.
Generating Host-Keys The following describes host-key generation. When you enable or disable FIPS mode, the system deletes the current public/private host-key pair, terminates any SSH sessions that are in progress (deleting all the per-session encryption key information), enables/tests FIPS mode, generates new host-keys, and re-enables the SSH server (assuming it was enabled before enabling FIPS).
Disabling FIPS Mode The following describes disabling FIPS mode. When you disable FIPS mode, the following changes occur: • The SSH server disables. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close. • Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage. • FIPS mode disables. • The SSH server re-enables. • The Telnet server re-enables (if it is present in the configuration).
17 Flex Hash and Optimized Boot-Up This chapter describes the Flex Hash and fast-boot enhancements. Topics: • Flex Hash Capability Overview • Configuring the Flex Hash Mechanism • LACP Fast Switchover • Configuring LACP Fast Switchover • LACP • RDMA Over Converged Ethernet (RoCE) Overview • Sample Configurations • Preserving 802.
Configuring the Flex Hash Mechanism The flex hash functionality enables you to configure a packet search key and matches packets based on the search key. When a packet matches the search key, two 16-bit hash fields are extracted from the start of the L4 header and provided as inputs (bins 2 and 3) for RTAG7 hash computation. You must specify the offset of hash fields from the start of the L4 header, which contains a flow identification field.
Configuring LACP Fast Switchover To configure the optimized booting time functionality, perform the following step: • The lacp fast-switchover command applies to dynamic port-channel interfaces only. When applied on a static port-channel, this command has no effect. If you configure the optimized booting-time capability and perform a reload of the system, the LACP application sends PDUs across all the active LACP links immediately.
To provide lossless service for RRoCE, the QoS service policy must be configured in the ingress and egress directions on lite subinterfaces. A normal Layer 3 physical interface processes only untagged packets and makes routing decisions based on the default Layer 3 VLAN ID (4095). To enable routing of RRoCE packets, the VLAN ID is mapped to the default VLAN ID of 4095 using VLAN translation.
Sample Configurations Figure 40.
iscsi enable ! interface TenGigabitEthernet 0/1 Description Link to RoCE Adapter no ip address mtu 12000 portmode hybrid switchport no spanning-tree ! protocol lldp dcbx port-role auto-downstream no shutdown ! interface fortyGigE 0/33 Description “To C9010s” no ip address mtu 12000 ! port-channel-protocol LACP port-channel 1 mode active ! protocol lldp no advertise dcbx-tlv ets-reco dcbx port-role auto-upstream no shutdown C9010 1 and C9010 2, VLT, RoCE, and iSCSI ! dcb-map converged Description DCB map for
Description VLTi to other switch C9010 1 vlt domain 2 peer-link port-channel 128 back-up destination interface Port-channel 128 no ip address mtu 12000 channel-member fortyGigE 1/4 no shutdown interface fortyGigE 1/4 no ip address mtu 12000 dcb-map Converged protocol lldp no shutdown C9010 2 vlt domain 2 peer-link port-channel 128 back-up destination interface Port-channel 128 no ip address mtu 12000 channel-member fortyGigE 1/4 no shutdown interface fortyGigE 1/4 no
protocol lldp no shutdown ! interface TenGigabitEthernet 0/18 Description SOFS-RDMA no ip address mtu 12000 portmode hybrid switchport no spanning-tree dcb-map RoCE ! protocol lldp no shutdown ! interface TenGigabitEthernet 0/22 Description SOFS- iSCSI no ip address mtu 12000 portmode hybrid switchport spanning-tree rstp edge-port spanning-tree 0 portfast dcb-map iSCSI ! protocol lldp no shutdown Preserving 802.
associated with a physical/Port-channel interface. Normal VLANs and VLAN encapsulation can exist simultaneously and any non-unicast traffic received on a normal VLAN is not flooded using lite subinterfaces whose encapsulation VLAN ID matches with that of the normal VLAN ID. You can use the encapsulation dot1q vlan-id command in INTERFACE mode to configure lite subinterfaces.
18 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Each Transit node is also configured with a Primary port and a Secondary port on the ring, but the port distinction is ignored as long as the node is configured as a Transit node. If the ring is complete, the Master node logically blocks all data traffic in the transmit and receive directions on the Secondary port to prevent a loop. If the Master node detects a break in the ring, it unblocks its Secondary port and allows data traffic to be transmitted and received through it.
During the time between the Transit node detecting that its link is restored and the Master node detecting that the ring is restored, the Master node’s Secondary port is still forwarding traffic. This can create a temporary loop in the topology. To prevent this, the Transit node places all the ring ports transiting the newly restored port into a temporary blocked state. The Transit node remembers which port has been temporarily blocked and places it into a pre- forwarding state.
• Topology Change RHF: triggered updates; processed at all nodes. Implementing FRRP • FRRP is media and speed independent. • FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. • You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP. • All ring ports must be Layer 2 ports. This is required for both Master and Transit nodes.
Concept Explanation port transitions through this state during ring bring-up. All ports transition through this state when a port comes up. Ring Protocol Timers Ring Status • Pre-Forwarding State — A transition state before moving to the Forward state. Control traffic is forwarded but data traffic is blocked. The Master node Secondary port transitions through this state during ring bring-up. All ports transition through this state when a port comes up.
• Clearing the FRRP Counters
• Viewing the FRRP Configuration
• Viewing the FRRP Information
Creating the FRRP Group
Create the FRRP group on each switch in the ring. To create the FRRP group, use the following command.
• Create the FRRP group with this Ring ID.
CONFIGURATION mode
protocol frrp ring-id
Ring ID: the range is from 1 to 255.
Configuring the Control VLAN
Control and member VLANs are configured normally for Layer 2. Their status as control or member is determined by the FRRP group commands.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port. 3 Assign the Primary and Secondary ports and the control VLAN for the ports on the ring. CONFIG-FRRP mode.
interface vlan vlan-id VLAN ID: the range is from 1 to 4094. 2 Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode. tagged interface slot/port {range} Interface: • Slot/Port, range: Slot and Port ID for the interface. The range is entered Slot/Port-Port. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
timer {hello-interval|dead-interval} milliseconds
• Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
• Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
Clearing the FRRP Counters
To clear the FRRP counters, use one of the following commands.
• Clear the counters associated with this Ring ID.
EXEC Privilege mode
clear frrp ring-id
Ring ID: the range is from 1 to 255.
• Clear the counters associated with all FRRP groups.
Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • Each Control Ring must use a unique VLAN ID. • Only two interfaces on a switch can be Members of the same control VLAN. • There can be only one Master node for any FRRP group. • You can configure FRRP on Layer 2 interfaces only. • Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
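The configuration checks above, applied to saved running-configs, as an added example (not part of the Dell guide or Dell software). The finding names, the sample configs, the reading of a global "protocol spanning-tree" block with "no disable" as STP being enabled, and the "mode master" keyword (by analogy with the guide's "mode transit") are assumptions.

```python
import re

RING_RE = re.compile(r"interface primary (\S+) (\S+) secondary (\S+) (\S+) control-vlan (\d+)", re.I)

def parse_blocks(config):
    """Group a running-config into {top-level line: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.strip() in ("", "!"):
            continue
        if raw[0].isspace() and current:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks

def expand_ports(kind, spec):
    """'2/14,31' or '2/2-13' -> {('tengigabitethernet', '2/14'), ...}."""
    slot, sep, ports = spec.rpartition("/")
    bounds = [part.partition("-") for part in ports.split(",")]
    return {(kind.lower(), f"{slot}{sep}{p}")
            for lo, _, hi in bounds for p in range(int(lo), int(hi or lo) + 1)}

def audit_switch(name, config):
    """Return (findings, {ring_id: mode}) for one switch's running-config."""
    blocks = parse_blocks(config)
    # Assumption: a "protocol spanning-tree ..." block with "no disable" = STP on globally.
    stp_global = any(h.lower().startswith("protocol spanning-tree") and "no disable" in sub
                     for h, sub in blocks.items())
    ifaces, vlans, rings = {}, {}, {}
    for header, sub in blocks.items():
        words = header.lower().split()
        if len(words) != 3:
            continue
        if words[:2] == ["protocol", "frrp"]:
            rings[int(words[2])] = sub
        elif words[:2] == ["interface", "vlan"]:
            tagged = [c.split() for c in sub if c.lower().startswith(("tagged ", "untagged "))]
            vlans[int(words[2])] = set().union(*(expand_ports(t[1], t[2]) for t in tagged))
        elif words[0] == "interface":
            ifaces[(words[1], words[2])] = sub
    findings, modes, seen_cvlans = [], {}, set()
    for ring, sub in rings.items():
        for line in sub:
            if line.lower().startswith("mode "):
                modes[ring] = line.split()[1].lower()
            r = RING_RE.fullmatch(line)
            if not r:
                continue
            cvlan = int(r.group(5))
            if cvlan in seen_cvlans:            # each control ring needs a unique VLAN ID
                findings.append((name, ring, "CONTROL_VLAN_REUSED"))
            seen_cvlans.add(cvlan)
            if len(vlans.get(cvlan, ())) > 2:   # only two interfaces per control VLAN
                findings.append((name, ring, "CONTROL_VLAN_MEMBERS"))
            for kind, ident in (r.group(1, 2), r.group(3, 4)):
                cmds = ifaces.get((kind.lower(), ident), [])
                if "switchport" not in cmds or any(c.startswith("ip address") for c in cmds):
                    findings.append((name, ring, "NOT_LAYER2 " + ident))
                if stp_global and "no spanning-tree" not in cmds:
                    findings.append((name, ring, "STP_ON_RING_PORT " + ident))
    return findings, modes

def audit_ring(configs):
    """Audit each switch, then flag any ring ID with more than one Master."""
    findings, masters = [], {}
    # "mode master" is assumed here, by analogy with the page's "mode transit".
    for name, config in configs.items():
        local, modes = audit_switch(name, config)
        findings += local
        for ring in (r for r, mode in modes.items() if mode == "master"):
            masters.setdefault(ring, []).append(name)
    return findings + [(",".join(names), ring, "MULTIPLE_MASTERS")
                       for ring, names in masters.items() if len(names) > 1]

# Constructed input, abridged from the page's "Example of R2 TRANSIT".
SAMPLE_R2 = """\
interface TengigabitEthernet 2/14
 no ip address
 switchport
!
interface TengigabitEthernet 2/31
 no ip address
 switchport
!
interface Vlan 101
 tagged TengigabitEthernet 2/14,31
!
protocol frrp 101
 interface primary TengigabitEthernet 2/14 secondary TengigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable
"""
# Constructed misconfiguration: STP enabled globally, 2/14 not in Layer 2
# mode, and a third port tagged into control VLAN 101.
BAD_R3 = ("protocol spanning-tree rstp\n no disable\n!\n"
          + SAMPLE_R2.replace(" switchport\n", "", 1).replace("2/14,31", "2/14,31-32"))
```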
Example of R2 TRANSIT
interface TengigabitEthernet 2/14
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TengigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tagged TengigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary TengigabitEthernet 2/14 secondary TengigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable
Example of R3 TRANSIT
interface
19 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Topics: • Configure GVRP • Enabling GVRP Globally • Enabling GVRP on a Layer 2 Interface • Configure GVRP Registration • Configure a GARP Timer Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 41.
Basic GVRP configuration is a two-step process: 1 Enabling GVRP Globally 2 Enabling GVRP on a Layer 2 Interface Related Configuration Tasks • Configure GVRP Registration • Configure a GARP Timer Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch.
switchport
gvrp enable
no shutdown
To inspect the interface configuration, use the show config command from INTERFACE mode or use the show gvrp interface command in EXEC or EXEC Privilege mode.
Configure GVRP Registration
Configure GVRP registration. There are two GVRP registration modes:
• Fixed Registration Mode — Configuring a port in fixed registration mode allows for manual creation and registration of VLANs, prevents VLAN deregistration, and registers all VLANs known on other ports on the port.
information is de-registered. The Leave timer must be greater than or equal to 3x the Join timer. The default is 600ms. • LeaveAll — After startup, a GARP device globally starts a LeaveAll timer. After expiration of this interval, it sends out a LeaveAll message so that other GARP devices can re-register all relevant attribute information. The device then restarts the LeaveAll timer to begin a new cycle. The LeaveAll timer must be greater than or equal to 5x of the Leave timer. The default is 10000ms.
20 High Availability (HA) High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
High Availability in a PE Stack A port extender (PE) stack has a master and standby management unit that provide redundancy in a similar way to redundant route processor modules (RPMs). If the master stack unit fails or is removed, the standby unit becomes the stack manager. The stack elects a new standby unit and resets the failed master unit. The failed master becomes online as a member unit; the remaining members remain online.
3 4 5 6 7 8 Linecard Linecard Linecard Linecard Linecard Linecard online online online online online online 9 Linecard online 10 Linecard 1-0(0-4095) 4 11 Linecard 1-0(0-4095) 4 online C9000-RPM-2.56T C9000-RPM-2.56T online C9000-RPM-2.56T C9000-RPM-2.
Current Type : C9000LC0640 - 6-port TE/FG Hardware Rev : 4.0 Num Ports : 24 Up Time : 0 sec Dell Networking OS Version : 1-0(0-4079) Jumbo Capable : yes POE Capable : Not supported Max Required Power : 125 Boot Flash : 3.3.1.15 Boot Selector : 3.3.0.
Graceful Restart Graceful restart (also known as non-stop forwarding) is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change.
• Crash Log — contains trace messages that relate to IPC and IRC timeouts and task crashes on linecards and are stored under the directory CRASH_LOG_DIR. Core Dumps A core dump is the contents of RAM a program uses at the time of a software exception and identifies the cause of the exception. There are two types of core dumps: application and kernel.
Control-Plane Failover Control-plane failover is the process of the standby RPM becoming the primary RPM. The system automatically fails over to the standby RPM when: 1 Communication is lost between the standby and primary RPM. 2 You remove the primary RPM. You can perform a manual failover by entering the redundancy force-failover rpm command. To display the reason for the last control-plane failover on the chassis, enter the show redundancy command in EXEC Privilege mode.
RPM Synchronization Data between the primary (management) and standby RPMs is synchronized immediately after bootup. After the two RPMs have performed an initial full synchronization (block sync), the system automatically updates only changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the version of the Dell Networking OS.
Disabling Auto-Reboot To disable auto-reboot, use the following command. • Prevent a failed stack unit from rebooting after a failover.
21 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
IGMP Protocol Overview IGMP has three versions. Version 3 obsoletes and is backwards-compatible with version 2; version 2 obsoletes version 1. IGMP Version 2 IGMP version 2 improves on version 1 by specifying IGMP Leave messages, which allows hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1 One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
are sent to the all IGMP version 3-capable multicast routers address 224.0.0.22, as shown in the second illustration.
Figure 43. IGMP Version 3 Packet Structure
Figure 44. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
cannot record the include request. There are no other interested hosts, so the request is recorded. At this point, the multicast routing protocol prunes the tree to all but the specified sources. 3 The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts.
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries.
1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Configure IGMP Configuring IGMP is a two-step process. 1 Enable multicast routing using the ip multicast-routing command. 2 Enable a multicast routing protocol.
Selecting an IGMP Version The Dell Networking OS enables IGMP version 2 by default, which supports version 1 and 2 hosts, but is not compatible with version 3 on the same subnet. If hosts require IGMP version 3, you can switch to IGMP version 3. To switch to version 3, use the following command. • Switch to a different IGMP version.
Enabling IGMP Immediate-Leave
If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
Configuring IGMP Snooping
Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands. There is no specific configuration needed for IGMP snooping with virtual link trunking (VLT). For information about VLT configurations, refer to Virtual Link Trunking (VLT).
• Enable IGMP snooping on a switch.
CONFIGURATION mode
ip igmp snooping enable
• View the configuration.
CONFIGURATION mode
show running-config
• Disable snooping on a VLAN.
interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown Dell(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately. The system does not forward the frames on mrouter ports, even if they are present.
• Configure the switch to be the querier for a VLAN by first assigning an IP address to the VLAN interface. INTERFACE VLAN mode ip igmp snooping querier IGMP snooping querier does not start if there is a statically configured multicast router interface in the VLAN. The switch may lose the querier election if it does not have the lowest IP address of all potential queriers on the subnet.
Designating a Multicast Router Interface
To designate an interface as a multicast router interface, use the following command. The system can also listen to incoming IGMP general queries and designate the receiving interfaces as multicast router interfaces when the frames have a non-zero IP source address. All IGMP control packets and IP multicast data traffic originating from receivers are forwarded to multicast router interfaces.
22 Interfaces This chapter describes interface types, both physical and logical, and how to configure them on the switch. • 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
• Interface Types • View Basic Interface Information • Resetting an Interface to its Factory Default State • Enabling a Physical Interface • Physical Interfaces • Egress Interface Selection (EIS) • Management Interfaces • Port Extender Interfaces • VLAN Interfaces • Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Displaying Traffic Statistics on HiGig Ports • Link
Port Numbering On the C9010, linecard slots are numbered 0 to 9. The RPM slots are numbered 10 and 11. NOTE: If the C9010 operates with only one RPM, you can install the RPM in either slot 10 (the top RPM slot labeled R0) or slot 11 (the bottom RPM slot labeled R1). If you install two RPMs, by default, the RPM in slot 10 is the primary management unit and the RPM in slot 11 is the standby.
On the C9010, port interface numbers are written above the ports. The following examples show port numbering on C9010 line cards (40GbE QSFP+, 1/10GbE SFP+, and 1/10GbE RJ-45). Figure 48. 40GbE QSFP+ Port Numbering On the 6-Port 40GbE QSFP+ line card, ports are numbered from 0 to 5 and operate by default in 40GbE mode. If you use a breakout cable, each port can operate in 10G mode. 40GbE ports are numbered in multiples of four, starting with zero; for example, 0, 4, 8, 12, and so on.
On the 1/10GbE SFP+ line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 50. 1/10GbE RJ-45 Port Numbering On the 1/10GbE RJ-45 line card, ports are numbered from 0 to 23 and operate in 1/10G mode. Figure 51. C1048P Port Numbering On a C1048P port extender, 10/100/1000BASE-T ports on the front panel are numbered from 1 to 48. • Odd-numbered ports 1-47 are on top; even-numbered ports 2-48 are on the bottom. • A yellow PE port number indicates that the port is PoE-enabled.
Interface Types The following table describes different interface types. Table 35. Types of Interfaces Interface Type Modes Possible Default Mode Requires Creation Default State Physical L2, L3 Unset No Shutdown (disabled) NOTE: For the port extender interface only L2 is supported.
This command has options to display the interface status, IP and MAC addresses, and multiple counters for the amount and type of traffic passing through the interface. If you configured a port channel interface, this command lists the interfaces configured in the port channel. NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C. The system returns you to the command prompt.
Pluggable media not present Interface index is 804323335 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :6cc000430991 MTU 1554 bytes, IP MTU 1500 bytes LineSpeed auto, Mode auto Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 1d18h43m Queueing strategy: fifo Input Statistics: 0 packets, 0 bytes 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Mult
To view which interfaces are enabled for Layer 3 data transmission, use the show ip interfaces brief command in EXEC Privilege mode. In the following example, TengigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
Resetting an Interface to its Factory Default State You can reset any configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps: 1 View the configurations applied on an interface.
Enabling a Physical Interface After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface {slot/port | pe-id/stack-unit/port} command. 1 Enter the keyword interface then the type of interface and slot/port information. CONFIGURATION mode interface interface • For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
• For ports directly attached to the chassis you can have a maximum of 4 sessions per port pipe. Refer to Port Numbering Convention for the exact port location on switch line cards. Setting the Speed and Duplex Mode of Ethernet Interfaces To discover whether the remote and local interface requires manual speed synchronization, and to manually synchronize them if necessary, use the following command sequence. 1 Determine the local interface status. Refer to the following example.
Example of the show interfaces status Command to View Link Status NOTE: The show interfaces status command displays link status, but not administrative status. For both link and administrative status, use the show ip interface command. In the previous example, several ports display “Auto” in the Speed field. In the following example, the speed of port 1/1 is set to 100Mb and then its auto-negotiation is disabled.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. • Enable Layer 2 data transmissions through an individual interface.
INTERFACE mode
ip address
• Enable the interface.
INTERFACE mode
no shutdown
Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface
If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
Dell>show ip int vlan 58 Vlan 58 is up, line protocol is up Internet address is 1.1.49.1/24 Broadcast address is 1.1.49.255 Address determined by config file MTU is 1554 bytes Inbound access list is not set Proxy ARP is enabled Split Horizon is enabled Poison Reverse is disabled ICMP redirects are not sent ICMP unreachables are not sent Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains.
EIS mode application {all | application-type} NOTE: If you configure SNMP as the management application for EIS and you add a default management route, when you perform an SNMP walk and check the debugging logs for the source and destination IPs, the SNMP agent uses the destination address of incoming SNMP packets as the source address for outgoing SNMP responses for security. Management Interfaces The switch supports the Management Ethernet interface as well as the standard interface on any port.
• across a platform must be in the same subnet. • must not match the virtual IP address and must not be in the same subnet as the virtual IP. Viewing Two Global IPv6 Addresses Dell#show interfaces managementethernet 0/0 ManagementEthernet 0/0 is up, line protocol is up Hardware is DellEth, address is 00:01:e8:a0:bf:f3 Current address is 00:01:e8:a0:bf:f3 Pluggable media not present Interface index is 302006472 Internet address is 10.16.130.
• Configure an IP address.
INTERFACE mode
ip address
• Enable the interface.
INTERFACE mode
no shutdown
• The interface is the management interface.
INTERFACE mode
description
Example of the show interface and show ip route Commands
To display the configuration for a given port, use the show interface command in EXEC Privilege mode, as shown in the following example. To display the routing table, use the show ip route command in EXEC Privilege mode.
After the initial C1048P software provisioning is performed, you can configure L2 features on the C1048P by entering CLI commands on a C9010. C1048P interfaces are identified in the command syntax:
interface peGigE pe-id/pe-stack-unit-id/port-number
• pe-id is a port-extender group ID number from 0 to 255.
• pe-stack-unit-id is a PE stack-unit number from 0 to 7.
• port-number is a port number from 1 to 48 (see Port Numbering).
! tagged TenGigabitEthernet 2/2-13 tagged TenGigabitEthernet 5/0 ip ospf authentication-key force10 ip ospf cost 1 ip ospf dead-interval 60 ip ospf hello-interval 15 no shutdown Loopback Interfaces A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability.
Port Channel Interfaces Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics: • Port Channel Definition and Standards • Port Channel Benefits • Port Channel Implementation • Configuration Tasks for Port Channel Interfaces Port Channel Definition and Standards Link aggregation is defined by IEEE 802.
Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across line card resets and chassis reloads. A physical interface can belong to only one port channel at a time. Each port channel must contain interfaces of the same interface type/speed. Port channels can contain a mix of 10 or 40 Gigabit Ethernet interfaces.
Creating a Port Channel You can create up to 128 port channels with 16 port members per group on the switch. To configure a port channel, use the following commands. 1 Create a port channel. CONFIGURATION mode interface port-channel id-number 2 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown After you enable the port channel, you can place it in Layer 2 or Layer 3 mode.
To add a physical interface to a port, use the following commands. 1 Add the interface to a port channel. INTERFACE PORT-CHANNEL mode channel-member interface The interface variable is the physical interface type and slot/port information or port extender (PE) type and pe-id/unit-number/port-id information. 2 Double check that the interface was added to the port channel.
ARP type: ARPA, ARP Timeout 04:00:00 Queueing strategy: fifo Input Statistics: 729669643 packets, 95294971809 bytes 3845 64-byte pkts, 669214494 over 64-byte pkts, 5671532 over 127-byte pkts 11129708 over 255-byte pkts, 22140735 over 511-byte pkts, 21509325 over 1023byte pkts 119637 Multicasts, 0 Broadcasts, 729549906 Unicasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 126213191 packets, 100268791824 bytes, 0 underruns 3933 64-byte pkts, 5197951 over 64-byte pkts, 112053
no channel-member interface 2 Change to the second port channel INTERFACE mode. INTERFACE PORT-CHANNEL mode interface port-channel id number 3 Add the interface to the second port channel. INTERFACE PORT-CHANNEL mode channel-member interface Example of Moving an Interface to a New Port Channel The following example shows moving the TengigabitEthernet 1/8 interface from port channel 4 to port channel 3.
Adding or Removing a Port Channel from a VLAN As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands. • Add the port channel to the VLAN as a tagged interface.
• secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
Deleting or Disabling a Port Channel
To delete or disable a port channel, use the following commands.
• Delete a port channel.
CONFIGURATION mode
no interface portchannel channel-number
• Disable a port channel.
shutdown
When you disable a port channel, all interfaces within the port channel are operationally down also.
For more information about algorithm choices, refer to the command details in the IP Routing chapter of the Dell Networking OS Command Reference Guide. Change to another algorithm. • CONFIGURATION mode hash-algorithm ecmp {crc-upper} | {dest-ip} | {lsb} Example of the hash-algorithm Command Dell(conf)#hash-algorithm ecmp xor1 lag crc16 Dell(conf)# The hash-algorithm command is specific to ECMP group. The default ECMP hash configuration is crclower.
The show configuration command is also available under Interface Range mode. This command allows you to display the running configuration only for interfaces that are part of interface range. Bulk Configuration Examples Use the interface range command for bulk configuration. • Create a Single-Range • Create a Multiple-Range • Exclude Duplicate Entries • Exclude a Smaller Port Range • Overlap Port Ranges • Commas • Add Ranges Create a Single-Range The following is an example of a single range.
Overlap Port Ranges The following is an example showing how the interface-range prompt extends a port range from the smallest start port number to the largest end port number when port ranges overlap. Dell(conf)#inte ra te 2/1 - 11 , te 2/1 - 23 Dell(conf-if-range-te-2/1-23)# Commas The following is an example of how to use commas to add different interface types to the range.
id} [ , {vlan vlan_ID - vlan_ID} {{tengigabitethernet | fortyGigE} slot/port port} |{peGigE pe-id/unit-id/port-id}] Define the Interface Range The following example shows how to define an interface-range macro named “test” to select 10-Gigabit Ethernet interfaces 5/1 through 5/4. Dell(config)# define interface-range test tengigabitethernet 5/1 - 4 Choosing an Interface-Range Macro To use an interface-range macro, use the following command.
• m — Change mode • l — Page up • T — Increase refresh interval (by 1 second) • t — Decrease refresh interval (by 1 second) • c — Clear screen • a — Page down • q — Quit Dell#monitor interface te 3/1 FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic. To test and display TDR results, use the following commands. 1 To test for cable faults on the TenGigabitEthernet EXEC Privilege mode tdr-cable-test tengigabitethernet slot/port Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message. 2 Displays TDR test results.
Link Bundle Monitoring Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time. A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances.
Monitoring HiGig Link Bundles You can monitor the HiGig link bundles that transmit data between internal backplane ports on line-card (leaf) and switch fabric module (SFM - spine) network processing units (NPUs) and generate a system log message or SNMP trap when traffic distribution in a link bundle is uneven. Each NPU is a Trident chip. On the switch, backplane port channels operate as HiGig link bundles to transmit data traffic between linecard and SFM NPUs. There are 11 line-card and 2 SFM NPUs.
Guidelines for Monitoring HiGig Link-Bundles When configuring HiGig link-bundle monitoring on the backplane, follow these guidelines: • By default, the capability to monitor the traffic distribution in a HiGig link bundle on a line-card or SFM NPU is disabled. • Each line-card NPU uses two HiGig link bundles for its backplane links to connect each SFM (spine) NPU.
Enabling HiGig Link-Bundle Monitoring To enable the monitoring of HiGig link bundles, follow these steps. 1 Enable the monitoring of traffic distribution on the member links in a HiGig link bundle (port-channel). CONFIGURATION mode Dell(conf)#hg-link-bundle-monitor {sfm npu-id hg-port-channel hg-port-channelid | slot slot npuUnit npu-id hg-port-channel 0} enable 2 Specify the trigger threshold for HiGig link-bundle monitoring.
If you use any of the cables or adapters in the preceding list that is not Dell-qualified, the Dell Networking OS detects it and makes it operational.
• The range of port numbers on a 40G port to be split is 0 to 20. To verify port splitting, use the show system linecard {0–11} fanout {count | configure} command. • The quad port must be in a default configuration before you can split it into 4x10G ports. The 40G port is lost in the configuration when the port is split; be sure that the port is also removed from other L2/L3 feature configurations.
Important Points to Remember • Before using the QSA to convert a 40 Gigabit Ethernet port to a 10 Gigabit SFP or SFP+ port, you must enable 40 G to 4*10 fan-out mode on the device. • When you insert a QSA into a 40 Gigabit port, you can use only the first 10 Gigabit port in the fan-out mode to plug-in SFP or SFP+ cables. The remaining three 10 Gigabit ports are perceived to be in Link Down state and are unusable. • You cannot use QSFP optical cables in a QSA setup.
wavelength 1529.0 The wavelength range is from 1528.3 nm to 1568.77 nm. • Verify configuration changes. INTERFACE mode show config Link Dampening Interface state changes occur when interfaces are administratively brought up or down or if an interface state changes. Every time an interface changes a state or flaps, routing protocols are notified of the status of the routes that are affected by the change in state. These protocols go through the momentous task of re-converging.
Examples of the show interfaces dampening Commands
R1(conf-if-te-1/1)#show config
!
interface TengigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
R1(conf-if-te-1/1)#exit
To view the link dampening configuration on an interface, use the show config command. To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
Port Pipes A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port set. The system has 10 switch cards and each card has only one port pipe and 48 ports in each. • For ports connected through the port extender, you can have a maximum of 4 sessions system.
If a port is over-subscribed, Ethernet Pause Frame flow control does not ensure no-loss behavior. Restriction: Ethernet Pause Frame flow control is not supported if PFC is enabled on an interface. Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off. INTERFACE mode. flowcontrol rx [off | on] tx [off | on] Where: rx on: Processes the received flow control frames on this port. rx off: Ignores the received flow control frames on this port.
Enabling Pause Frames Enable Ethernet pause frames flow control on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior. NOTE: Changes in the flow-control values may not be reflected automatically in the show interface output. As a workaround, apply the new settings, execute shut then no shut on the interface, and then check the running-config of the port. NOTE: If you disable rx flow control, Dell Networking recommends rebooting the system.
Table 37. Layer 2 Overhead
Layer 2 Overhead | Difference Between Link MTU and IP MTU
Ethernet (untagged) | 18 bytes
VLAN Tag | 22 bytes
Untagged Packet with VLAN-Stack Header | 22 bytes
Tagged Packet with VLAN-Stack Header | 26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows. Port Channels: • All members must have the same link MTU value and the same IP MTU value.
For 10/100/1000 Ethernet interfaces, the negotiation auto command is tied to the speed command. Auto-negotiation is always enabled when the speed command is set to 1000 or auto. Set Auto-Negotiation Options The negotiation auto command provides a mode option for configuring an individual port to forced master/ forced slave once auto-negotiation is enabled. CAUTION: Ensure that only one end of the node is configured as forced-master and the other is configured as forced-slave.
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs. Dell#show interfaces switchport Name: TengigabitEthernet 4/0 802.1QTagged: True Vlan membership: Vlan 2 Name: TengigabitEthernet 4/1 802.1QTagged: True Vlan membership: Vlan 2 Name: TengigabitEthernet 4/2 802.
Input 0 IP Packets, 0 Vlans 0 MPLS 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles 0 CRC, 0 IP Checksum, 0 overrun, 0 discarded 0 packets output, 0 bytes, 0 underruns Output 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 IP Packets, 0 Vlans, 0 MPLS 0 throttles, 0 discarded Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.
• Egress ACLs • ILM • IP FLOW • IP ACL • IP FIB • L2 ACL • L2 FIB Clearing Interface Counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters any SNMP program captures. To clear the counters, use the following command. • Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones.
23 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
Configuring IPSec The following sample configuration shows how to configure FTP and telnet for IPSec. 1 Define the transform set. CONFIGURATION mode crypto ipsec transform-set myXform-seta esp-authentication md5 esp-encryption des 2 Define the crypto policy.
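A defender's check for the transform set defined in step 1, as an added example that is not part of the Dell guide: it scans configuration text for crypto ipsec transform-set lines and flags the DES and MD5 values used in the sample above. The configuration text is constructed, and the values sha1 and 3des on its second line are assumptions about the CLI used only as sample input.

```python
import re
from typing import NamedTuple

# Values flagged as weak, keyed by the transform-set keyword they follow.
# "md5" and "des" are the values in the guide's sample configuration;
# extend this table to match your own cryptographic policy.
WEAK = {
    "esp-authentication": {"md5": "MD5-based authentication is deprecated"},
    "esp-encryption": {"des": "DES has a 56-bit key and is brute-forceable"},
}

TRANSFORM_RE = re.compile(
    r"^\s*crypto\s+ipsec\s+transform-set\s+(\S+)\s*(.*)$", re.IGNORECASE
)


class Finding(NamedTuple):
    line_no: int
    name: str
    keyword: str
    value: str
    reason: str


def parse_transform_sets(config_text):
    """Yield (line_no, name, {keyword: value}) for each transform-set line."""
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = TRANSFORM_RE.match(line)
        if not match:
            continue
        tokens = match.group(2).split()
        if len(tokens) % 2:
            tokens.append("")  # trailing keyword with no value
        yield line_no, match.group(1), dict(zip(tokens[0::2], tokens[1::2]))


def audit(config_text):
    """Return a Finding for every weak algorithm in a transform set."""
    findings = []
    for line_no, name, pairs in parse_transform_sets(config_text):
        for keyword, value in pairs.items():
            reason = WEAK.get(keyword.lower(), {}).get(value.lower())
            if reason:
                findings.append(
                    Finding(line_no, name, keyword.lower(), value.lower(), reason)
                )
    return findings


# Constructed sample input. The second line's values (sha1, 3des) are
# assumed keyword values, not taken from the guide; they are not flagged
# by the table above.
SAMPLE_CONFIG = """\
! constructed sample, not taken from a real device
crypto ipsec transform-set myXform-seta esp-authentication md5 esp-encryption des
crypto ipsec transform-set otherXform esp-authentication sha1 esp-encryption 3des
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.name}: {f.keyword} {f.value}: {f.reason}")
```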
24 IPv4 Routing IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
Implementation Information You can configure any IP address as a static route except IP addresses already assigned to interfaces. NOTE: 31-bit subnet masks (/31, or 255.255.255.254), as defined by RFC 3021, are supported. This feature allows you to save two more IP addresses on point-to-point links than 30-bit masks. The system also supports RFC 3021 with ARP. Configuration Tasks for IP Addresses The following describes the tasks associated with IP address configuration.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. 2 Enable the interface. INTERFACE mode no shutdown 3 Configure a primary IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] • ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24). • secondary: add the keyword secondary if the IP address is the interface’s backup IP address.
• mask: enter a mask in slash prefix-length format (/X). • interface: enter an interface type then the slot/port information. • distance: the range is from 1 to 255. (optional) • permanent: keep the static route in the routing table (if you use the interface option) even if you disable the interface with the route. (optional) • tag tag-value: the range is from 1 to 4294967295.
Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exist for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. • Assign a static route to point to the management interface or forwarding router.
In a dual stack setup, the system sends both A (for IPv4 — RFC 1035) and AAAA (for IPv6 — RFC 3596) record requests to a DNS server even if you configure only the ip name-server command. Name server, Domain name, and Domain list are VRF specific. The maximum number of Name servers and Domain lists per VRF is six. Enabling Dynamic Resolution of Host Names By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands. • Enable dynamic resolution of host names.
dynamically learnt host and IP addresses. If the system cannot resolve the domain, it tries the domain name assigned to the local system. If that does not resolve the partial domain, the system searches the list of domains configured. To configure a domain name or a list of domain names, use the following commands. • Enter up to 63 characters to configure one domain name. CONFIGURATION mode ip domain-name name • Enter up to 63 characters to configure names to complete unqualified host names.
TTL Hostname Probe1 Probe2 Probe3
1 10.11.199.190 001.000 ms 001.000 ms 002.000 ms
2 gwegress-sjc-02.force10networks.com (10.11.30.126) 005.000 ms 001.000 ms 001.000 ms
3 fw-sjc-01.force10networks.com (10.11.127.254) 000.000 ms 000.000 ms 000.000 ms
4 www.dell.com (10.11.84.18) 000.000 ms 000.000 ms 000.000 ms
Dell#
ARP
The system uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP.
• Configure an IP address and MAC address mapping for an interface. CONFIGURATION mode arp ip-address mac-address interface • ip-address: IP address in dotted decimal format (A.B.C.D). • mac-address: MAC address in nnnn.nnnn.nnnn format. • interface: enter the interface type. • For the Management interface, enter the keyword ManagementEthernet then the slot/port information. The slot range is from 0 to 1 and the port range is 0.
arp-inpsecton-trust Dell(conf)#int peGigE 0/0/0 Dell(conf-if-pegi-0/0/0)# arp-inpsection-trust Configuring ARP Timeout Use the arp backoff-time command to set the exponential timer for resending unresolved ARPs. • Set the exponential timer for resending unresolved ARPs. CONFIGURATION Mode arp backoff-time seconds / minutes Enter the number of seconds an ARP entry is black-holed. The range is from 1 to 3600. The default is 30 minutes. Enter the number of minutes an ARP entry is black-holed.
• no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM. Or to specify which dynamic ARP entries you want to delete, use this option with interface or ip ip-address. • For a port channel interface, enter the keywords port-channel then a number. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
ARP Learning via ARP Request The system learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 52.
Configuring ARP Retries The number of ARP retries is user-configurable. The default backoff interval remains at 20 seconds. To set and display ARP retries, use the following commands. • Set the number of ARP retries. CONFIGURATION mode arp retries number The default is 5. The range is from 1 to 20. • Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. The range is from 1 to 3600.
For a complete listing of all commands related to ICMP, refer to the Dell Networking OS Command Line Reference Guide. Enabling ICMP Unreachable Messages By default, ICMP unreachable messages are disabled. When enabled, ICMP unreachable messages are created and sent out all interfaces. To disable and re-enable ICMP unreachable messages, use the following commands. • To disable ICMP unreachable messages.
25 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
IPv6 Headers The IPv6 header has a fixed length of 40 bytes. This fixed length provides 16 bytes each for source and destination information and 8 bytes for general header information. The IPv6 header includes the following fields:
• Version (4 bits)
• Traffic Class (8 bits)
• Flow Label (20 bits)
• Payload Length (16 bits)
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for extension headers.
classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion. Flow Label (20 bits) The Flow Label field identifies packets requiring special treatment in order to manage real-time data traffic. The sending router can label sequences of IPv6 packets so that forwarding routers can process packets within the same flow without needing to reprocess each packet’s header separately.
Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field and uses seconds rather than hops. Each time the packet moves through a forwarding router, this field decrements by 1. If a router receives a packet with a Hop Limit of 1, it decrements it to 0 (zero). The router discards the packet and sends an ICMPv6 message back to the sending router indicating that the Hop Limit was exceeded in transit.
This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero). • Options (size varies) This field can contain one or more options. The first byte of the field identifies the Option type, and directs the router how to handle the option. 00 Skip and continue processing. 01 Discard the packet.
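A parser for the 40-byte fixed header and the Hop-by-Hop Options header described above, as an added example that is not part of the Dell guide. The sample packet is constructed, and the option-type actions 10 and 11 are taken from RFC 8200 rather than from this page.

```python
import ipaddress
import struct

# What a node does with an option it does not recognize, selected by the two
# high-order bits of the option type. 00 and 01 are listed in the guide;
# 10 and 11 are taken from RFC 8200.
UNRECOGNIZED_ACTION = {
    0b00: "skip and continue processing",
    0b01: "discard the packet",
    0b10: "discard and send ICMPv6 Parameter Problem",
    0b11: "discard and send ICMPv6 Parameter Problem unless destination is multicast",
}

HOP_BY_HOP = 0  # Next Header value announcing a Hop-by-Hop Options header


def parse_fixed_header(packet: bytes) -> dict:
    """Decode the 40-byte fixed IPv6 header."""
    if len(packet) < 40:
        raise ValueError("IPv6 fixed header needs 40 bytes")
    word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError("Version field is not 6")
    return {
        "version": word >> 28,                  # 4 bits
        "traffic_class": (word >> 20) & 0xFF,   # 8 bits
        "flow_label": word & 0xFFFFF,           # 20 bits
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
    }


def parse_hop_by_hop(ext: bytes) -> dict:
    """Decode a Hop-by-Hop Options header that starts at ext[0]."""
    if len(ext) < 2:
        raise ValueError("Hop-by-Hop header needs at least 2 bytes")
    next_header, hdr_ext_len = ext[0], ext[1]
    total = (hdr_ext_len + 1) * 8  # length field excludes the first 8 bytes
    if len(ext) < total:
        raise ValueError("Hop-by-Hop header is truncated")
    options, i = [], 2
    while i < total:
        opt_type = ext[i]
        action = UNRECOGNIZED_ACTION[opt_type >> 6]
        if opt_type == 0:  # Pad1 is a single byte with no length field
            options.append({"type": 0, "action": action, "data": b""})
            i += 1
            continue
        if i + 1 >= total:
            raise ValueError("option length byte is missing")
        end = i + 2 + ext[i + 1]
        if end > total:
            raise ValueError("option overruns the header")
        options.append({"type": opt_type, "action": action, "data": ext[i + 2:end]})
        i = end
    return {"next_header": next_header, "length": total, "options": options}


def parse_packet(packet: bytes) -> dict:
    """Decode the fixed header and, if present, the Hop-by-Hop header."""
    fixed = parse_fixed_header(packet)
    payload = packet[40:40 + fixed["payload_length"]]
    if len(payload) < fixed["payload_length"]:
        raise ValueError("packet is shorter than its Payload Length")
    if fixed["next_header"] == HOP_BY_HOP:
        fixed["hop_by_hop"] = parse_hop_by_hop(payload)
    return fixed


# Constructed sample: flow label 0x12345, hop limit 64, and a Hop-by-Hop
# header carrying a Router Alert option (type 5) followed by PadN (type 1).
SAMPLE_PACKET = (
    struct.pack("!IHBB", 0x60012345, 8, HOP_BY_HOP, 64)
    + ipaddress.IPv6Address("2001:db8::1").packed
    + ipaddress.IPv6Address("2001:db8::2").packed
    + bytes([58, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])
)

if __name__ == "__main__":
    print(parse_packet(SAMPLE_PACKET))
```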
For example, 2001:0db8:1234::/48 stands for the network with addresses 2001:0db8:1234:0000:0000:0000:0000:0000 through 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff. Link-local Addresses Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are usually generated automatically by the operating system's IP layer for each network interface.
Feature and Functionality | Dell Networking OS Release Introduction | Documentation and Chapter Location
IPv6 stateless autoconfiguration | 8.3.11 | Stateless Autoconfiguration
IPv6 MTU path discovery | 8.3.11 | Path MTU Discovery
IPv6 ICMPv6 | 8.3.11 | ICMPv6
IPv6 ping | 8.3.11 | ICMPv6
IPv6 traceroute | 8.3.11 | ICMPv6
IPv6 SNMP | 8.3.11 | IPv6 Routing
Static routing | 8.3.11 | Assigning a Static IPv6 Route
Route redistribution | 8.3.
Feature and Functionality | Dell Networking OS Release Introduction | Documentation and Chapter Location
 | | Control and Monitoring in the Dell Networking OS Command Line Reference Guide.
Secure Shell (SSH) client support over IPv6 (outbound SSH) Layer 3 only | 8.3.11 | Secure Shell (SSH) Over an IPv6 Transport
Secure Shell (SSH) server support over IPv6 (inbound SSH) Layer 3 only | 8.3.11 | Secure Shell (SSH) Over an IPv6 Transport
IPv6 Access Control Lists | 8.3.
ICMPv6 ICMP for IPv6 (ICMPv6) combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The implementation of ICMPv6 is based on RFC 4443. ICMPv6 uses two message types: • Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node.
messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280. Greater MTU settings increase processing efficiency because each packet carries more data while protocol overheads (for example, headers) or underlying per-packet delays remain fixed. Figure 55.
a multicast address with the unicast address used as the last 24 bits. Other hosts on the link do not participate in the process, greatly increasing network bandwidth efficiency. Figure 56. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate.
• link local addresses • loopback addresses • prefix addresses • multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed. Example for Configuring an IPv6 Recursive DNS Server The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
IPV6 is enabled
Link Local address: fe80::201:e8ff:fe8b:7570
Global Unicast address(es):
  1212::12, subnet is 1212::/64 (MANUAL)
  Remaining lifetime: infinite
Global Anycast address(es):
Joined Group address(es):
  ff02::1
  ff02::2
  ff02::1:ff00:12
  ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is
Configuration Tasks for IPv6 The following are configuration tasks for the IPv6 protocol.
• Adjusting Your CAM-Profile
• Assigning an IPv6 Address to an Interface
• Assigning a Static IPv6 Route
• Configuring Telnet with IPv6
• SNMP over IPv6
• Showing IPv6 Information
• Clearing IPv6 Routes
Adjusting Your CAM Profile Although adjusting your CAM profile is not a mandatory step, if you plan to implement IPv6 ACLs, Dell Networking recommends that you adjust your CAM settings.
• Provides information on FP groups allocated for the egress acl. CONFIGURATION mode show cam-acl-egress Allocate at least one group for L2ACL and IPv4 ACL. The total number of groups is 4. Assigning an IPv6 Address to an Interface Essentially, IPv6 is enabled on a switch simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully.
• tag: route tag Enter the keyword interface then the type of interface and slot/port information: • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a loopback interface, enter the keyword loopback then the loopback number. • For a port-channel interface, enter the keywords port-channel then the port-channel number.
Displaying IPv6 Information To view a specified IPv6 configuration, use the show ipv6 command. • List the IPv6 show options.
IPV6 is enabled
Stateless address autoconfiguration is enabled
Link Local address: fe80::201:e8ff:fe8b:386e
Global Unicast address(es):
  Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64
  Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64
Virtual-IP IPv6 address is not set
Received Prefix(es):
  400::/64 onlink autoconfig
  Valid lifetime: 2592000, Preferred lifetime: 604800
  Advertised by: fe80::201:e8ff:fe8b:3166
  412::/64 onlink autoconfig
  Valid lifetime: 2592000, Preferred lifetime: 60480
Route Source    Active Routes    Non-active Routes
connected       5                0
static          0                0
Total           5                0
Dell#show ipv6 route
Codes: C - connected, L - local, S - static, R - RIP,
B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated,
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
Gateway of last resort is not set
Desti
shutdown Dell# Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} • *: all routes. • ipv6 address: the format is x:x:x:x::x. • mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
26 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
This brief overview is not intended to provide a complete understanding of IS-IS; for that, consult the documents listed in Multi-Topology IS-IS. IS-IS Addressing IS-IS PDUs require ISO-style addressing called network entity title (NET). For those familiar with name-to-network service mapping point (NSAP) addresses, the composition of the NET is identical to an NSAP address, except the last byte is always 0. The NET is composed of the IS-IS area address, system ID, and N-selector.
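Splitting a NET into the three parts named above, as an added example that is not part of the Dell guide. The sample NETs are constructed; the 6-byte system ID and the 1 to 13 byte area address are the standard ISO sizes, not values stated on this page.

```python
SYSTEM_ID_LEN = 6   # bytes (standard size, assumed here)
NSEL_LEN = 1        # the N-selector is the last byte


def _group(hex_str: str, first: int) -> str:
    """Join hex digits with dots: an optional leading group, then 4-digit groups."""
    parts = [hex_str[:first]] if first else []
    parts += [hex_str[i:i + 4] for i in range(first, len(hex_str), 4)]
    return ".".join(parts)


def parse_net(net: str) -> dict:
    """Split a dotted-hex NET into area address, system ID and N-selector."""
    try:
        raw = bytes.fromhex(net.strip().replace(".", ""))
    except ValueError:
        raise ValueError("NET must be an even number of hex digits") from None
    # Shortest NET: 1-byte area + system ID + N-selector; longest: 13-byte area.
    if not 1 + SYSTEM_ID_LEN + NSEL_LEN <= len(raw) <= 13 + SYSTEM_ID_LEN + NSEL_LEN:
        raise ValueError("NET must be 8 to 20 bytes long")
    area = raw[:-(SYSTEM_ID_LEN + NSEL_LEN)]
    system_id = raw[-(SYSTEM_ID_LEN + NSEL_LEN):-NSEL_LEN]
    n_selector = raw[-1]
    if n_selector != 0:
        raise ValueError("the last byte of a NET must be 00")
    return {
        "area_address": _group(area.hex(), 2),   # first byte printed on its own
        "system_id": _group(system_id.hex(), 0),
        "n_selector": f"{n_selector:02x}",
    }


if __name__ == "__main__":
    # Constructed sample NET.
    print(parse_net("47.0004.004d.0001.eeee.eeee.eeee.00"))
```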
You must implement a wide metric-style globally on the autonomous system (AS) to run multi-topology IS-IS for IPv6 because the Type, Length, Value (TLVs) used to advertise IPv6 information in link-state packets (LSPs) are defined to use only extended metrics. The multi-topology ID is shown in the first octet of the IS-IS packet. Certain MT topologies are assigned to serve predetermined purposes: • MT ID #0: Equivalent to the “standard” topology. • MT ID #1: Reserved for IPv4 in-band management purposes.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
new IPv6 protocol identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports. An MT ID is added to the extended IS reachability TLV type 22.
NOTE: When using the IS-IS routing protocol to exchange IPv6 routing information and to determine destination reachability, you can route IPv6 along with IPv4 while using a single intra-domain routing protocol. The configuration commands allow you to enable and disable IPv6 routing and to configure or remove IPv6 prefixes on links. Except where identified, the commands described in this chapter apply to both IPv4 and IPv6 versions of ISIS.
Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, see IS-IS Addressing. 3 Enter the interface configuration mode. CONFIGURATION mode interface interface Enter the keyword interface then the type of interface and slot/port information: 4 • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
Examples of IS-IS Configuration Information The default IS type is level-1-2. To change the IS type to Level 1 only or Level 2 only, use the is-type command in ROUTER ISIS mode. To view the IS-IS configuration, enter the show isis protocol command in EXEC Privilege mode or the show config command in ROUTER ISIS mode. Dell#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.
Configuring Multi-Topology IS-IS (MT IS-IS) To configure multi-topology IS-IS (MT IS-IS), use the following commands. 1 Enable multi-topology IS-IS for IPv6. ROUTER ISIS AF IPV6 mode multi-topology [transition] Enter the keyword transition to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode.
The range is from 1 to 120 minutes. The default is 5 minutes. • Enable the graceful restart maximum wait time before a restarting peer comes up. ROUTER-ISIS mode graceful-restart restart-wait seconds When implementing this command, be sure to set the t3 timer to adjacency on the restarting router. The range is from 1 to 120 minutes. The default is 30 seconds. • Configure the time that the graceful restart timer T1 defines for a restarting router to use for each interface.
To view all graceful restart-related configurations, use the show isis graceful-restart detail command in EXEC Privilege mode.
Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary. To change the defaults, use any or all of the following commands. • Set interval between LSP generation. ROUTER ISIS mode lsp-gen-interval [level-1 | level-2] seconds • seconds: the range is from 0 to 120.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Example of Viewing IS-IS Metric Types Dell#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
Metric Style | Correct Value Range
wide transition | 0 to 16777215
narrow transition | 0 to 63
transition | 0 to 63
To view the interface’s current metric, use the show config command in INTERFACE mode or the show isis interface command in EXEC Privilege mode. Configuring the Distance of a Route To configure the distance for a route, use the following command. • Configure the distance for a route. ROUTER ISIS mode distance Changing the IS-Type To change the IS-type, use the following commands.
eljefe.02-00 *    0x00000001    0x2E7F    1113    0/0/0
Force10.00-00     0x00000002    0xD1A7    1102    0/0/0
IS-IS Level-2 Link State Database
LSPID             LSP Seq Num   LSP Checksum   LSP Holdtime   ATT/P/OL
B233.00-00        0x00000006    0xC38A         1124           0/0/0
eljefe.00-00 *    0x0000000D    0x51C6         1129           0/0/0
eljefe.01-00 *    0x00000001    0x68DF         1122           0/0/0
eljefe.02-00 *    0x00000001    0x2E7F         1113           0/0/0
Force10.00-00     0x00000004    0xCDA9         1107           0/0/0
Dell#
Controlling Routing Updates To control the source of IS-IS route information, use the following command.
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information. • For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383. • For a port channel, enter the keywords port-channel then a number. • For a SONET interface, enter the keyword sonet then the slot/port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
ROUTER ISIS-AF IPV6 mode distribute-list prefix-list-name out [bgp as-number | connected | ospf processid | rip | static] You can configure one of the optional parameters: • connected: for directly connected routes. • ospf process-id: for OSPF routes only. • rip: for RIP routes only. • static: for user-configured routes. • bgp: for BGP routes only. • Deny RTM download for pre-existing redistributed IPv6 routes.
• process-id: the range is from 1 to 65535.
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric value: the range is from 0 to 16777215. The default is 0.
• match external: the value is 1 or 2.
• match internal
• metric-type: external or internal.
• map-name: enter the name of a configured route map.

Redistributing IPv6 Routes
To add routes from other routing instances or protocols, use the following commands.
Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers. However, if you want the routers in the level to communicate with each other, configure them with the same password. To configure a simple text password, use the following commands.
Example of Viewing the Overload Bit Setting When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2. Dell#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
• interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes.
  EXEC Privilege mode
  debug isis spf-triggers
• View sent and received LSPs.
Metric Style        Correct Value Range for the isis metric Command
wide                0 to 16777215
narrow              0 to 63
wide transition     0 to 16777215
narrow transition   0 to 63
transition          0 to 63

Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.

Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value narrow wide original value narrow transition original value narrow narrow transition original value narrow wide transition original value transition wide original value transition narrow original value transition narrow original value transition wide transition original value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value n
Beginning Metric Style Next Metric Style Resulting Metric Value Next Metric Style Final Metric Value wide transition truncated value narrow default value (10). A message is sent to the logging buffer wide transition transition truncated value narrow transition default value (10). A message is sent to the logging buffer Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 43.
Sample Configurations
The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations.
NOTE: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing are being used.
You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
also enable the ip router isis command. In router isis configuration mode, enable multitopology transition under address-family ipv6 unicast. Figure 58. IPv6 IS-IS Sample Topography IS-IS Sample Configuration — Congruent Topology IS-IS Sample Configuration — Multi-topology IS-IS Sample Configuration — Multi-topology Transition The following is a sample configuration for enabling IPv6 IS-IS. Dell(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ip address 24.3.1.
Dell(conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.00 ! address-family ipv6 unicast multi-topology exit-address-family Dell (conf-router_isis)# Dell(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell(conf-if-te-3/17)# Dell(conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
27 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
Ethernet network using the data center bridging exchange protocol (DCBx) through stacked and/or nonstacked Ethernet switches. iSCSI session monitoring over virtual link trunking (VLT) synchronizes the iSCSI session information between the VLT peers, allowing session information to be available in both the VLT peers. You can enable or disable iSCSI when you configure VLT.
ensure that iSCSI traffic in these sessions receives priority treatment when forwarded on stacked switch hardware. Figure 59.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 44. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting iSCSI CoS mode (802.1p priority queue mapping) iSCSI CoS Packet classification When you enable iSCSI, iSCSI packets are queued based on dot1p, instead of DSCP values. VLAN priority tag iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
cam-acl l2acl 3 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vmanqos 0 ecfmacl 0 iscsioptacl 2 NOTE: Content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled: • session monitoring • aging • class of service You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and the show iscsi command displays this information.
6 (Optional) Set the QoS policy that is applied to the iSCSI flows.
CONFIGURATION mode
[no] iscsi cos {enable | disable | dot1p vlan-priority-value [remark] | dscp dscp-value [remark]}
• enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with a dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dot1p priority 4 without remark.
Displaying iSCSI Optimization Information
To display information on iSCSI optimization, use the following show commands.
• Display the currently configured iSCSI settings.
  show iscsi
• Display information on active iSCSI sessions on the switch.
  show iscsi session
• Display detailed information on active iSCSI sessions on the switch. To display detailed information on a specified iSCSI session, enter the session’s iSCSI ID.
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000

VLT PEER2
Session 0:
-----------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000

The following example shows the show iscsi session detailed command.
The following message displays when you enable iSCSI on a switch and describes the configuration changes that are automatically performed:
%SYSTEM:CP %IFMGR-5-IFM_ISCSI_ENABLE: iSCSI has been enabled causing flow control to be enabled on all interfaces. EQL detection and enabling iscsi profile-compellent on an interface may cause some automatic configurations to occur like jumbo frames on all ports and no storm control and spanning tree portfast on the port of detection.
Information Monitored in iSCSI Traffic Flows iSCSI optimization examines the following data in packets and uses the data to track the session and create the classifier entries that enable QoS treatment.
Detection and Auto-Configuration for Dell EqualLogic Arrays The iSCSI optimization feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The switch uses the link layer discovery protocol (LLDP) to discover Dell EqualLogic devices on the network. LLDP is enabled by default. For more information about LLDP, refer to Link Layer Discovery Protocol (LLDP).
• MTU is set to 1200 for all interfaces on all ports and port-channels, if it is not already enabled. • Spanning-tree portfast is enabled on the interface. • Unicast storm control is disabled on the interface. Enter the iscsi profile-compellent command in INTERFACE Configuration mode; for example: Dell(conf-if-te-o/50)# iscsi profile-compellent Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode.
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems.
• If a physical interface is a part of a dynamic LAG, it cannot be added as a member of a static LAG. The channel-member tengigabitethernet x/y command is rejected in the static LAG interface for that physical interface. • A dynamic LAG can be created with any type of configuration. • There is a difference between the shutdown and no interface port-channel commands: • The shutdown command on LAG “xyz” disables the LAG and retains the user commands.
INTERFACE mode
[no] port-channel-protocol lacp
The default is LACP disabled. This command creates context.
• Configure LACP mode.
  LACP mode
  [no] port-channel number mode [active | passive | off]
  • number: cannot statically contain any links.
  The default is LACP active.
• Configure port priority.
  LACP mode
  [no] lacp port-priority priority-value
  The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768.
Examples of Configuring a LAG Interface
The following example shows configuring a LAG interface.
Dell(conf)#interface port-channel 32
Dell(conf-if-po-32)#no shutdown
Dell(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
Dell(conf)#interface vlan 10
Dell(conf-if-vl-10)#tagged port-channel 32

Configuring the LAG Interfaces as Dynamic
After creating a LAG, configure the dynamic LAG interfaces.
timeout value to be 30 seconds. Invoking the longer timeout might prevent the LAG from flapping if the remote system is up but temporarily unable to transmit PDUs due to a system interruption. NOTE: The 30-second timeout is available for dynamic LAG interfaces only. You can enter the lacp long-timeout command for static LAGs, but it has no effect. To configure LACP long timeout, use the following command. • Set the LACP timeout value to 30 seconds.
Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2. Traffic is equally distributed between LAGs 1 and 2.
group number port-channel number port-channel number

Examples of Configuring and Viewing LAGs
In the following example, LAGs 1 and 2 have been placed into the same failover group.
R2#config
R2(conf)#port-channel failover-group
R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2
To view the failover group configuration, use the show running-configuration po-failover-group command.
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo
NOTE: The set of console messages shown above appears only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Configure a LAG on ALPHA
The following example creates a LAG on ALPHA.

Example of Configuring a LAG
Alpha(conf)#interface port-channel 10
Alpha(conf-if-po-10)#no ip address
Alpha(conf-if-po-10)#switchport
Alpha(conf-if-po-10)#no shutdown
Alpha(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Alpha(conf-if-po-10)#

Example of Viewing a LAG Port Configuration
The following example inspects a LAG port configuration on ALPHA.
Output 00.00 Mbits/sec,0 packets/sec, 0.00% of line-rate Time since last interface status change: 00:02:14 Figure 63.
interface TengigabitEthernet 2/31
 no ip address

Summary of the LAG Configuration on Bravo
Bravo(conf-if-te-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-
The following figure illustrates inspecting a LAG Port on BRAVO Using the show interface Command. Figure 66.
The following figure illustrates inspecting LAG 10 Using the show interfaces port-channel Command. Figure 67.
The following figure illustrates inspecting the LAG Status Using the show lacp command. Figure 68. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode.
29 Layer 2
This chapter describes the Layer 2 features supported on the switch.

Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table

Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Specify an aging time.
  CONFIGURATION mode
  mac-address-table aging-time seconds
  The range is from 10 to 1000000.

Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
  CONFIGURATION mode
  mac-address-table static

Displaying the MAC Address Table
To display the MAC address table, use the following command.
• mac learning-limit mac-address-sticky
• mac learning-limit station-move
• Learning Limit Violation Actions
• Setting Station Move Violation Actions
• Recovering from Learning Limit and Station Move Violations

Dell Networking OS Behavior: When configuring the MAC learning limit on a port or VLAN, the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If you enable sticky MAC, the specified port retains any dynamically-learned addresses and prevents them from being transferred or learned on other ports. Up to 1000 sticky entries are supported on a port. If you configure mac-learning-limit and you enabled sticky MAC, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
show mac learning-limit

Learning Limit Violation Actions
Learning limit violation actions are user-configurable. To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received, use one of the following options with the mac learning-limit command.
• Generate a system log message when the MAC learning limit is exceeded.
Recovering from Learning Limit and Station Move Violations After a learning-limit or station-move violation shuts down an interface, you must manually reset it. To reset the learning limit, use the following commands. NOTE: Alternatively, you can reset the interface by shutting it down using the shutdown command and then re-enabling it using the no shutdown command. • Reset interfaces in the ERR_Disabled state caused by a learning limit violation or station move violation.
NIC Teaming NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together. In this case, if the primary NIC fails, traffic switches to the secondary NIC because they are represented by the same set of addresses. Figure 69.
NOTE: If you have configured the no mac-address-table station-move refresh-arp command, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 70.
Apply all other configurations to each interface in the redundant pair such that their configurations are identical, so that transition to the backup interface in the event of a failure is transparent to the rest of the network.
Figure 71. Configuring Redundant Layer 2 Pairs without Spanning Tree
You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command.
To ensure that existing network applications see no difference when a primary interface in a redundant pair transitions to the backup interface, be sure to apply identical configurations of other traffic parameters to each interface. If you remove an interface in a redundant link (remove the line card of a physical interface or delete a port channel with the no interface port-channel command), the redundant pair configuration is also removed.
00:24:55: %SYSTEM-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive: Vl 1
00:24:55: %SYSTEM-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 3/42
00:24:55: %SYSTEM-P:CP %IFMGR-5-ACTIVE: Changed Vlan interface state to active: Vl 1
00:24:55: %SYSTEM-P:CP %IFMGR-5-STATE_STBY_ACT: Changed interface state from standby to active: Te 3/42
Dell(conf-if-te-3/41)#do show ip int brief | find 3/41
TengigabitEthernet 3/41 unassigned NO Manual administratively down down
TengigabitEthernet 3/42
Far-End Failure Detection Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration. Figure 72.
FEFD State Changes FEFD has two operational modes: Normal and Aggressive. When a far-end failure is detected on an FEFD-enabled interface: • If the interface is in normal FEFD mode, no user intervention is required to reset the interface; it automatically resets to an FEFD operational state. • If the interface is in aggressive FEFD mode, manual intervention is required to reset the interface.
Local Event Mode Local State Remote State Local Admin Status Local Protocol Status Remote Admin Status Remote Protocol Status Link Failure Unknown Unknown Up Down Up Down Aggressive Important Points to Remember • FEFD is supported only on physical Ethernet interfaces, except the management interface. • FEFD is not supported on copper Ethernet and Fibre Channel ports. FEFD is supported only on fiber Ethernet ports. • FEFD is not supported on port extender (PE) ports.
Te 1/0   Normal   3   Bi-directional
Te 1/1   Normal   3   Admin Shutdown
Te 1/2   Normal   3   Admin Shutdown
Te 1/3   Normal   3   Admin Shutdown
Dell#show run fefd
!
fefd-global mode normal
fefd-global interval 3

Enabling FEFD on an Interface
To enable, change, or disable FEFD on an interface, use the following commands.
• Enable FEFD on a per interface basis.
  INTERFACE mode
  fefd
• Change the FEFD mode.
  INTERFACE mode
  fefd [mode {aggressive | normal}]
• Disable FEFD protocol on one interface.
no shutdown
Dell(conf-if-te-1/0)#do show fefd | grep 1/0
Te 1/0 Normal 3 Unknown

Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command.
• Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
  EXEC Privilege mode
  debug fefd events
• Provide output for each packet transmission over the FEFD enabled connection.
30 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs. You can configure the inclusion of individual Optional TLVs.

Table 46. Type, Length, Value (TLV) Types
Type   TLV              Description
0      End of LLDPDU    Marks the end of an LLDPDU.
1      Chassis ID       An administratively assigned name that identifies the LLDP agent.
2      Port ID          An administratively assigned name that identifies a port through which TLVs are sent and received.
Management TLVs
A management TLV is a sub-type of optional TLV. This kind of TLV contains essential management information about the sender.

Organizationally Specific TLVs
A professional organization or a vendor can define organizationally specific TLVs. They have two mandatory fields (as shown in the following illustration) in addition to the basic TLV fields.
Figure 75. Organizationally Specific TLV

IEEE Organizationally Specific TLVs
Eight TLV types have been defined by the IEEE 802.1 and 802.
Type TLV Description 127 Port-VLAN ID On Dell Networking systems, indicates the untagged VLAN to which a port belongs. 127 Port and Protocol VLAN ID On Dell Networking systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode). 127 Protocol Identity Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV.
TIA-1057 (LLDP-MED) Overview Link layer discovery protocol — media endpoint discovery (LLDP-MED) as defined by ANSI/ TIA-1057— provides additional organizationally specific TLVs so that endpoint devices and network connectivity devices can advertise their characteristics and configuration information; the OUI for the Telecommunications Industry Association (TIA) is 00-12-BB.
Type SubType TLV Description 127 3 Location Identification Indicates that the physical location of the device expressed in one of three possible formats: • • • 127 4 Inventory Management TLVs Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs.
LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV. • The value of the LLDP-MED capabilities field in the TLV is a 2–octet bitmap, each bit represents an LLDP-MED capability (as shown in the following table). • The possible values of the LLDP-MED device type are shown in the following.
LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations. LLDP-MED network policies TLV include: • VLAN ID • VLAN tagged or untagged status • Layer 2 priority • DSCP value An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined.
Type Application Description 7 Streaming Video Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video. 8 Video Signaling Specify this application type only if video control packets use a separate network policy than video data. 9–255 Reserved — Figure 77.
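The TLV layout described in this chapter, as an added Python example (not Dell code): it walks an LLDPDU, checks the mandatory TLVs, splits type-127 TLVs into OUI and subtype, and decodes an LLDP-MED network policy. The 7-bit type / 9-bit length header, the ID subtypes, the IEEE OUIs and the network policy bit layout are taken from IEEE 802.1AB and ANSI/TIA-1057 rather than from this page, and the sample frame is constructed.

```python
import struct

# TIA's OUI (00-12-BB) is stated on this page; the IEEE 802.1 and 802.3 OUIs
# come from IEEE 802.1AB and are an addition to the page.
OUI_NAMES = {
    bytes.fromhex("0012bb"): "TIA",
    bytes.fromhex("0080c2"): "IEEE 802.1",
    bytes.fromhex("00120f"): "IEEE 802.3",
}
MANDATORY_ORDER = (1, 2, 3)  # Chassis ID, Port ID, Time To Live


class LLDPError(ValueError):
    """Raised for an LLDPDU that does not follow the TLV layout."""


def tlv(tlv_type, value):
    """Build one TLV: 7-bit type and 9-bit length packed into two octets."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise LLDPError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu):
    """Yield (type, value) pairs up to the End of LLDPDU TLV (type 0)."""
    offset = 0
    while offset + 2 <= len(pdu):
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            # Never trust the advertised length: it must fit in the frame.
            raise LLDPError(f"TLV type {tlv_type} claims {length} octets, "
                            f"{len(pdu) - offset} remain")
        if tlv_type == 0:
            return
        yield tlv_type, pdu[offset:offset + length]
        offset += length
    raise LLDPError("no End of LLDPDU TLV found")


def parse_org_specific(value):
    """Type 127: OUI (3 octets) and subtype (1 octet) precede the payload."""
    if len(value) < 4:
        raise LLDPError("organizationally specific TLV shorter than 4 octets")
    oui = value[:3]
    name = OUI_NAMES.get(oui, "-".join(f"{b:02X}" for b in oui))
    return {"oui": name, "subtype": value[3], "info": value[4:]}


def parse_med_network_policy(info):
    """Application type, then 24 bits: U(1) T(1) X(1) VLAN ID(12)
    Layer 2 priority(3) DSCP(6)."""
    if len(info) != 4:
        raise LLDPError("network policy payload must be 4 octets")
    bits = int.from_bytes(info[1:], "big")
    return {
        "application_type": info[0],
        "tagged": bool((bits >> 22) & 1),
        "vlan_id": (bits >> 9) & 0xFFF,
        "l2_priority": (bits >> 6) & 0x7,
        "dscp": bits & 0x3F,
    }


def parse_lldpdu(pdu):
    """Return what a neighbor learns from one LLDPDU."""
    tlvs = list(iter_tlvs(pdu))
    if tuple(t for t, _ in tlvs[:3]) != MANDATORY_ORDER or len(tlvs[2][1]) != 2:
        raise LLDPError("LLDPDU must begin with Chassis ID, Port ID and a 2-octet TTL")
    result = {
        "chassis_id": tlvs[0][1][1:],   # first octet is the ID subtype
        "port_id": tlvs[1][1][1:],
        "ttl": struct.unpack("!H", tlvs[2][1])[0],
        "org_specific": [],
        "optional_types": [],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type != 127:
            result["optional_types"].append(tlv_type)
            continue
        org = parse_org_specific(value)
        if org["oui"] == "TIA" and org["subtype"] == 2:   # LLDP-MED network policy
            org["policy"] = parse_med_network_policy(org["info"])
        result["org_specific"].append(org)
    return result


# Constructed sample frame (not captured traffic): tagged VLAN 10, priority 5, DSCP 46.
POLICY = ((1 << 22) | (10 << 9) | (5 << 6) | 46).to_bytes(3, "big")
SAMPLE_LLDPDU = b"".join([
    tlv(1, b"\x04" + bytes.fromhex("001122334455")),   # Chassis ID, MAC address subtype
    tlv(2, b"\x05" + b"Te 1/31"),                       # Port ID, interface name subtype
    tlv(3, struct.pack("!H", 120)),                     # TTL of 120 seconds
    tlv(5, b"R1"),                                      # System Name (optional TLV)
    tlv(127, bytes.fromhex("0012bb") + b"\x02\x01" + POLICY),           # MED policy, Voice
    tlv(127, bytes.fromhex("0080c2") + b"\x01" + struct.pack("!H", 1)),  # Port-VLAN ID 1
    tlv(0, b""),
])

if __name__ == "__main__":
    for key, val in parse_lldpdu(SAMPLE_LLDPDU).items():
        print(key, val)
```

Everything the parser returns is readable by any device on the link, which is a reason to advertise only the optional TLVs a port actually needs.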
Configure LLDP Configuring LLDP is a two-step process. 1 Enable LLDP globally. 2 Advertise TLVs out of an interface. Related Configuration Tasks • • • • • • Viewing the LLDP Configuration Viewing Information Advertised by Adjacent LLDP Agents Configuring LLDPDU Intervals Configuring Transmit and Receive Mode Configuring a Time to Live Debugging LLDP Important Points to Remember • • • • • LLDP is enabled by default. Dell Networking systems support up to eight neighbors per interface.
Example of the protocol lldp Command (CONFIGURATION Level) R1(conf)#protocol lldp R1(conf-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol globally end Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode configuration (default = rx and tx) multiplier LLDP multiplier configuration no Negate a command or set its defaults show Show LLDP configuration R1(conf-lldp)#exit R1(conf)#interface tengigabitethernet 1/31 R1(conf-if-te-1/31)#prot
Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface. disable To undo an LLDP configuration, precede the relevant command with the keyword no. Enabling LLDP on Management Ports LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command. 1 Enter Protocol LLDP mode. CONFIGURATION mode protocol lldp 2 Enable LLDP.
Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs. • If you configure an interface, only the interface sends LLDPDUs with the specified TLVs. • If you configure LLDP both globally and at interface level, the interface level configuration overrides the global configuration. To advertise TLVs, use the following commands. 1 Enter LLDP mode.
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 79. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
R1(conf-if-te-1/31)#protocol lldp
R1(conf-if-te-1/31-lldp)#show config
!
protocol lldp
R1(conf-if-te-1/31-lldp)#

Viewing Information Advertised by Adjacent LLDP Agents
To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
• Display brief information about adjacent devices.
  show lldp neighbors
• Display all of the information that neighbors are advertising.
99-Build Time: Thu Aug 9 01:05:51 PDT 2007 Existing System Capabilities: Repeater Bridge Router Enabled System Capabilities: Repeater Bridge Router Remote Port Vlan ID: 1 Port and Protocol Vlan ID: 1, Capability: Supported, Status: Enabled --------------------------------------------------------------------------======================================================================== Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds.
Configuring Transmit and Receive Mode
After you enable LLDP, the switch transmits and receives LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands.
• Transmit only.
  CONFIGURATION mode or INTERFACE mode
  mode tx
• Receive only.
  CONFIGURATION mode or INTERFACE mode
  mode rx
• Return to the default setting.
Configuring a Time to Live
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds.
• Adjust the TTL value.
  CONFIGURATION mode or INTERFACE mode.
  multiplier
• Return to the default multiplier value.
  CONFIGURATION mode or INTERFACE mode.
• View a readable version of the TLVs.
  debug lldp brief
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
  debug lldp detail
Figure 80. The debug lldp detail Command — LLDPDU Packet Dissection

Relevant Management Objects
The system supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
• received and transmitted TLVs
• the LLDP configuration on the local agent
• IEEE 802.
Table 52. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether you enable the local LLDP agent for transmit, receive, or both. msgTxHold lldpMessageTxHoldMultiplier Multiplier value. msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs.
Table 53.
TLV Type TLV Name TLV Variable System LLDP MIB Object interface numbering subtype Local lldpLocManAddrIfSub type Remote lldpRemManAddrIfSu btype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOID interface number OID Table 54. LLDP 802.
Table 55.
TLV Sub-Type TLV Name TLV Variable 3 Location Data Format Local Location Identifier Location ID Data 4 Extended Power via MDI Power Device Type Power Source System LLDP-MED MIB Object lldpXMedLocLocation Subtype Remote lldpXMedRemLocatio nSubtype Local lldpXMedLocLocation Info Remote lldpXMedRemLocatio nInfo Local lldpXMedLocXPoEDe viceType Remote lldpXMedRemXPoED eviceType Local lldpXMedLocXPoEPS EPowerSource lldpXMedLocXPoEPD PowerSource Remote lldpXMedRemXPoEPS EPowerSource lldpX
31 Multicast Source Discovery Protocol (MSDP) This chapter describes how to configure and use the multicast source discovery protocol (MSDP). Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
3 When an MSDP peer receives an SA message, it determines if there are any group members within the domain interested in any of the advertised sources. If there are, the receiving RP sends a join message to the originating RP, creating a shortest path tree (SPT) to the source. Figure 81.
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 82.
Anycast RP
Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback addresses are configured with a 32-bit mask, making each a host address.
Related Configuration Tasks The following lists related MSDP configuration tasks.
• MSDP Sample Configurations Figure 83. Configuring Interfaces for MSDP Figure 84.
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1 Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2 Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
Example of Configuring and Viewing MSDP
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Viewing the Source-Active Cache
To view the source-active cache, use the following command.
• View the SA cache.
EXEC Privilege mode
show ip msdp sa-cache
Example of the show ip msdp sa-cache Command
R3#show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr   SourceAddr   RPAddr        LearnedFrom   Expire   UpTime
239.0.0.1   10.11.4.2    192.168.0.1   192.168.0.1   76       00:10:44
Limiting the Source-Active Cache
Set the upper limit of the number of active sources that the system caches.
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
CONFIGURATION mode
ip msdp cache-rejected-sa
Accept Source-Active Messages that Fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check.
• In Scenario 4, RP1 has a default peer plus an access list. The list permits RP4 so the RPF check is disregarded for active sources from it, but RP5 (and all others because of the implicit deny all) are subject to the RPF check and fail, so those active sources are rejected. Figure 87. MSDP Default Peer, Scenario 1 Figure 88.
Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
CONFIGURATION mode
ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
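The default-peer rule above can be modelled as a small decision function. The following is an added example, not Dell Networking OS code: it shows which SA messages skip the RPF check with and without a list, and flags default peers that have no list at all. The peer and RP addresses, the sample SA messages and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Acl = List[Tuple[str, str]]  # ordered (action, prefix) rules on the originating RP


@dataclass(frozen=True)
class SourceActive:
    peer: str       # MSDP peer that forwarded the SA message
    origin_rp: str  # RP that originated the SA
    source: str
    group: str
    rpf_ok: bool    # outcome of the normal RPF check for this SA


def acl_permits(acl: Acl, origin_rp: str) -> bool:
    """First matching rule wins; an implicit deny all ends every list."""
    addr = ip_address(origin_rp)
    for action, prefix in acl:
        if addr in ip_network(prefix):
            return action == "permit"
    return False


def evaluate(sa: SourceActive,
             default_peers: Dict[str, Optional[Acl]]) -> Tuple[bool, str]:
    """Return (accepted, reason) for one SA message."""
    if sa.peer in default_peers:
        acl = default_peers[sa.peer]
        if acl is None:
            return True, "default peer without list: RPF check skipped"
        if acl_permits(acl, sa.origin_rp):
            return True, "default-peer list permits origin RP: RPF check skipped"
    # Everything else, including RPs the list denies, gets the normal check.
    if sa.rpf_ok:
        return True, "RPF check passed"
    return False, "RPF check failed"


def process(messages, default_peers):
    """Split SA messages into the SA cache and the rejected-SA cache."""
    sa_cache, rejected = [], []
    for sa in messages:
        accepted, reason = evaluate(sa, default_peers)
        (sa_cache if accepted else rejected).append((sa, reason))
    return sa_cache, rejected


def unrestricted_default_peers(default_peers):
    """Default peers with no list: every SA they forward bypasses RPF."""
    return sorted(p for p, acl in default_peers.items() if acl is None)


# Constructed sample data (documentation addresses, not from the guide).
PEER, OTHER_PEER = "192.0.2.2", "192.0.2.3"
RP4, RP5 = "192.0.2.4", "192.0.2.5"
SCENARIO_4 = {PEER: [("permit", "192.0.2.4/32")]}  # default peer plus list
NO_LIST = {PEER: None}                             # default peer, no list
MESSAGES = [
    SourceActive(PEER, RP4, "10.11.4.2", "239.0.0.1", rpf_ok=False),
    SourceActive(PEER, RP5, "10.11.5.2", "239.0.0.2", rpf_ok=False),
    SourceActive(OTHER_PEER, RP5, "10.11.5.3", "239.0.0.3", rpf_ok=True),
]

if __name__ == "__main__":
    for label, cfg in (("list", SCENARIO_4), ("no list", NO_LIST)):
        cache, rejected = process(MESSAGES, cfg)
        print(label, "accepted:", len(cache), "rejected:", len(rejected))
        print(" default peers without a list:", unrestricted_default_peers(cfg))
```

Running the same messages through both configurations shows the difference a list makes: without one, every SA the default peer forwards enters the cache unchecked.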
The default limit is 100K. If the total number of sources received from the peer is already larger than the limit when this configuration is applied, those sources are not discarded. To enforce the limit in such a situation, first clear the SA cache. Preventing MSDP from Caching a Local Source You can prevent MSDP from caching an active source based on source and/or group. Because the source is not cached, it is not advertised to remote RPs.
Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache. CONFIGURATION mode ip msdp cache-rejected-sa 2 Prevent the system from caching remote sources learned from a specific peer based on source and group.
Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command. • Prevent an RP from advertising a source in the SA cache. CONFIGURATION mode ip msdp sa-filter list in peer list ext-acl Example of Verifying the System is not Advertising Local Sources In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
Terminating a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
• Terminate the TCP connection with a peer.
CONFIGURATION mode
ip msdp shutdown
Example of Verifying that the Peering State is Disabled
After the relationship is terminated, the peering state of the terminator is SHUTDOWN, while the peering state of the peer is INACTIVE.
Local Addr: 192.168.0.3(639) Connect Source: Lo 0
State: Established Up/Down Time: 00:04:26
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 5/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none
R3(conf)#do clear ip msdp peer 192.168.0.1
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.
less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions. • lack of scalable register decapsulation: With only a single RP per group, all joins are sent to that RP regardless of the topological distance between the RP, sources, and receivers, and data is transmitted to the RP until the SPT switch threshold is reached.
Configuring Anycast RP To configure anycast RP: 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3 In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
Specifying the RP Address Used in SA Messages The default originator-id is the address of the RP that created the message. In the case of Anycast RP, there are multiple RPs all with the same address. To use the (unique) address of another interface as the originator-id, use the following command. • Use the address of another interface as the originator-id instead of the RP address.
! interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.22/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.
router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.22 remote-as 100 neighbor 192.168.0.22 ebgp-multihop 255 neighbor 192.168.0.22 update-source Loopback 0 neighbor 192.168.0.22 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.11 connect-source Loopback 0 ip msdp peer 192.168.0.22 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.22 ! ip route 192.168.0.
! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R2 Running-Config ip multicast-routing ! interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.
ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.
no shutdown ! interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.2/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.
redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.1 connect-source Loopback 0 ! ip route 192.168.0.2/32 10.11.0.23 MSDP Sample Configuration: R4 Running-Config ip multicast-routing ! interface TenGigabitEthernet 0/21 ip pim sparse-mode ip address 10.11.5.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview In contrast, PVST+ allows a spanning tree instance for each VLAN.
Topics: • Spanning Tree Variations • Configure Multiple Spanning Tree Protocol • Enable Multiple Spanning Tree Globally • Adding and Removing Interfaces • Creating Multiple Spanning Tree Instances • Influencing MSTP Root Selection • Interoperate with Non-Dell Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • MSTP Sample Configurations • Debuggin
Configure Multiple Spanning Tree Protocol
Configuring multiple spanning tree is a four-step process.
1 Configure interfaces for Layer 2.
2 Place the interfaces in VLANs.
3 Enable the multiple spanning tree protocol.
4 Create multiple spanning tree instances and map VLANs to them.
Related Configuration Tasks
The following are the related configuration tasks for MSTP.
PROTOCOL MSTP mode
no disable
Example of Verifying MSTP is Enabled
To verify that MSTP is enabled, use the show config command in PROTOCOL MSTP mode.
Dell(conf)#protocol spanning-tree mstp
Dell(config-mstp)#show config
!
protocol spanning-tree mstp
 no disable
Dell#
Adding and Removing Interfaces
To add and remove interfaces, use the following commands. To add an interface to the MSTP topology, configure it for Layer 2 and add it to a VLAN.
MSTI 1 VLAN 100 MSTI 2 VLAN 200-300 All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768. Example of Assigning and Verifying the Root Bridge Priority By default, the simple configuration shown previously yields the same forwarding path for both MSTIs. The following example shows how R3 is assigned bridge priority 0 for MSTI 2, which elects a different root bridge than MSTI 2.
Changing the Region Name or Revision
To change the region name or revision, use the following commands.
• Change the region name.
PROTOCOL MSTP mode
name name
• Change the region revision number.
PROTOCOL MSTP mode
revision number
Example of the name Command
To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
The default is 15 seconds.
2 Change the hello-time parameter.
PROTOCOL MSTP mode
hello-time seconds
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
3 Change the max-age parameter.
PROTOCOL MSTP mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
4 Change the max-hops parameter.
PROTOCOL MSTP mode
max-hops number
The range is from 1 to 40.
Modifying the Interface Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port. • Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode, an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-onviolation option causes the interface hardware to be shut down when it receives a BPDU.
no shutdown Dell(conf-if-te-3/41)# Flush MAC Addresses after a Topology Change The system has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the tc-flush-standard command, which flushes MAC addresses after every topology change notification.
Router 1 Running-Configuration
This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
!
(Step 2)
interface TenGigabitEthernet 2/11
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 2/11,31
 no shutdown
Router 3 Running-Configuration
This example uses the f
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
Example Running-Configuration
This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
tagged 1/0/32
exit
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
EXEC Privilege mode
debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
debug spanning-tree mstp events
Examples of Viewing MSTP Information
To ensure all the necessary parameters match (region name, region version, and VLAN to instance mapping), examine your individual routers.
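The parameter comparison described above can be automated across saved running-configs. The following is an added example, not part of the Dell guide: it parses the protocol spanning-tree mstp stanza of each bridge and reports differences in region name, revision and VLAN-to-instance mapping against a reference bridge. The region name REGION-A, the bridge labels and the sample configs are constructed; treating VLANs without an MSTI line as instance 0 is an assumption based on standard MSTP behaviour.

```python
import re


def expand_vlans(spec):
    """'200,300' -> {200, 300}; '200-300' -> {200, 201, ..., 300}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            low, high = (int(n) for n in part.split("-", 1))
            vlans.update(range(low, high + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_mstp(config):
    """Extract name, revision and VLAN-to-MSTI map from a running-config."""
    region = {"name": None, "revision": None, "vlan_to_msti": {}}
    in_stanza = False
    for raw in config.splitlines():
        line = raw.strip()
        if not in_stanza:
            in_stanza = line.lower() == "protocol spanning-tree mstp"
            continue
        if line == "!" or (line and not raw[0].isspace()):
            break  # the stanza ends at '!' or the next top-level command
        if m := re.fullmatch(r"name\s+(.+)", line):
            region["name"] = m.group(1)
        elif m := re.fullmatch(r"revision\s+(\d+)", line):
            region["revision"] = int(m.group(1))
        elif m := re.fullmatch(r"msti\s+(\d+)\s+vlan\s+([\d,\s-]+)", line, re.I):
            for vlan in expand_vlans(m.group(2)):
                region["vlan_to_msti"][vlan] = int(m.group(1))
    return region


def region_mismatches(configs, reference):
    """Compare every bridge with the reference; {} means it matches."""
    ref = parse_mstp(configs[reference])
    report = {}
    for bridge, text in configs.items():
        if bridge == reference:
            continue
        got = parse_mstp(text)
        diff = {}
        for key in ("name", "revision"):
            if got[key] != ref[key]:
                diff[key] = (ref[key], got[key])
        # Assumption: a VLAN with no MSTI line belongs to instance 0.
        vlans = set(ref["vlan_to_msti"]) | set(got["vlan_to_msti"])
        changed = sorted(v for v in vlans
                         if ref["vlan_to_msti"].get(v, 0)
                         != got["vlan_to_msti"].get(v, 0))
        if changed:
            diff["vlans"] = changed
        report[bridge] = diff
    return report


# Constructed sample configs; only the MSTP stanza matters to the parser.
TEMPLATE = """\
protocol spanning-tree mstp
 no disable
 name REGION-A
 revision {rev}
 MSTI 1 VLAN 100
 MSTI 2 VLAN {vlans}
!
interface Vlan 100
 no ip address
"""
CONFIGS = {
    "R1": TEMPLATE.format(rev=123, vlans="200,300"),
    "R2": TEMPLATE.format(rev=123, vlans="300, 200"),
    "R3": TEMPLATE.format(rev=123, vlans="200-300"),  # range, not a pair
    "R4": TEMPLATE.format(rev=124, vlans="200,300"),
}

if __name__ == "__main__":
    for bridge, diff in region_mismatches(CONFIGS, "R1").items():
        print(bridge, "matches R1" if not diff else diff)
```

The R3 case shows how close 200,300 and 200-300 look in a config while differing in 99 VLAN mappings.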
The following example shows viewing the debug log (a successful MSTP configuration). Dell#debug spanning-tree mstp bpdu MSTP debug bpdu is ON Dell# 4w0d4h : MSTP: Sending BPDU on Te 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.
33 Multicast Features The Dell Networking OS supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Topics: • Enabling IP Multicast • Implementation Information • First Packet Forwarding for Lossless Multicast • Multicast Policies Enabling IP Multicast Before enabling any multicast protocols, you must enable IP multicast routing. • Enable multicast routing.
Protocol | Ethernet Address
OSPF | 01:00:5e:00:00:05, 01:00:5e:00:00:06
RIP | 01:00:5e:00:00:09
NTP | 01:00:5e:00:01:01
VRRP | 01:00:5e:00:00:12
PIM-SM | 01:00:5e:00:00:0d
• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.
• Preventing a Source from Registering with the RP
• Preventing a PIM Router from Processing a Join
Limiting the Number of Multicast Routes
When the limit on the total number of multicast routes on a system is reached, Dell Networking OS does not process any IGMP or multicast listener discovery protocol (MLD) joins to PIM — though it still processes leave messages — until the number of entries decreases below 95% of the limit.
ip igmp access-group access-list-name
Dell Networking OS Behavior: Do not enter the ip igmp access-group command before creating the access-list. If you do, after entering your first deny rule, the system clears the multicast routing table and relearns all groups, even those not covered by the rules in the access-list, because there is an implicit deny all rule at the end of all access-lists. Therefore, configuring an IGMP join request filter in this order might result in data loss.
limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table. Figure 94. Preventing a Host from Joining a Group Table 58. Preventing a Host from Joining a Group — Description Location 1/21 Description • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.
Location Description
• no shutdown
1/31
• Interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.1/24
• no shutdown
2/1
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.
Location Description
Receiver 2
• Interface VLAN 400
• ip pim sparse-mode
• ip address 10.11.4.1/24
• untagged GigabitEthernet 1/2
• ip igmp access-group igmpjoinfilR2G2
• no shutdown
Rate Limiting IGMP Join Requests
If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built into IGMP so that their membership is delayed rather than permanently denied.
allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions. Figure 95. Preventing a Source from Transmitting to a Group Table 59. Preventing a Source from Transmitting to a Group — Description Location 1/21 Description • • • Interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.
Location Description
• no shutdown
1/31
• Interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.1/24
• no shutdown
2/1
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.
Location Description
• ip pim sparse-mode
• ip address 10.11.4.1/24
• untagged GigabitEthernet 1/2
• no shutdown
Preventing a PIM Router from Processing a Join
To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.
NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Later, if network conditions change and the cost of the default route in each router changes, the mastership of the VRRP group is automatically reassigned to the router with the better metric.
Figure 96. Object Tracking Example
When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
Track Layer 3 Interfaces
You can create an object that tracks the Layer 3 state (IPv4 or IPv6 routing status) of an interface.
• The Layer 3 status of an interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IP address.
• The Layer 3 status of an interface goes DOWN when its Layer 2 status goes down or the IP address is removed from the routing table.
Track IPv4 and IPv6 Routes
You can create an object that tracks an IPv4 or IPv6 route entry in the routing table.
• For intermediate system to intermediate system (ISIS), you can set the resolution in the range from 1 to 1000, where the default is 10.
• For OSPF, you can set the resolution in the range from 1 to 1592, where the default is 1.
• The resolution value used to map static routes is not configurable. By default, Dell Networking OS assigns a metric of 0 to static routes.
• The resolution value used to map routing information protocol (RIP) routes is not configurable.
description text
The text string can be up to 80 characters.
5 (Optional) Configure the metric threshold for the UP and/or DOWN routing status to be tracked for the specified route.
OBJECT TRACKING mode
threshold metric {[up number] [down number]}
The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold.
The default DOWN threshold is 255. The routing state is DOWN if the scaled route metric is greater than or equal to the DOWN threshold.
Tracking Route Reachability Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1 Configure object tracking on the reachability of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/ prefix-len} reachability [vrf vrf-name] Valid object IDs are from 1 to 65535.
Tracked by: Dell#configure Dell(conf)#track 4 ip route 3.1.1.0/24 reachability vrf vrf1 The following example configures object tracking on the reachability of an IPv6 route.
• Track Layer 3 Interfaces • Track IPv4 and IPv6 Routes For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide. Tracking a Layer 2 Interface You can create an object that tracks the line-protocol state of a Layer 2 interface and monitors its operational status (UP or DOWN).
show track object-id
Example of Configuring Object Tracking
Dell(conf)#track 100 interface tengigabitethernet 7/1/1 line-protocol
Dell(conf-track-100)#delay up 20
Dell(conf-track-100)#description San Jose data center
Dell(conf-track-100)#end
Dell#show track 100
Track 100
Interface TenGigabitEthernet 7/1/1 line-protocol
Description: San Jose data center
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface.
OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 3 (Optional) Identify the tracked object with a text description. OBJECT TRACKING mode description text The text string can be up to 80 characters. 4 (Optional) Display the tracking configuration and the tracked object’s status.
• show track [object-id [brief] | interface [brief] [vrf vrf-name] | ip route [brief] [vrf vrf-name] | resolution | vrf vrf-name [brief] | brief] Display the tracking configuration of a specified object or all objects that are currently configured on the router. show running-config track [object-id] Example of the show track command. Dell#show track Track 1 IP route 23.0.0.
Track 5 IP route 192.168.0.0/24 reachability, Vrf: red Reachability is Up (CONNECTED) 3 changes, last change 00:02:39 First-hop interface is GigabitEthernet 13/4 Example of Viewing the object tracking configuration. Dell#show running-config track track 1 ip route 23.0.0.0/8 reachability track 2 ipv6 route 2040::/64 metric threshold delay down 3 delay up 5 threshold metric up 200 track 3 ipv6 route 2050::/64 reachability track 4 interface GigabitEthernet 13/4 ip routing track 5 ip route 192.168.0.
35 Open Shortest Path First (OSPFv2 and OSPFv3) This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
Autonomous System (AS) Areas OSPF operates in a type of hierarchy. The largest entity within the hierarchy is the autonomous system (AS), which is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS (interior gateway) routing protocol, although it is capable of receiving routes from and sending routes to other ASs. You can divide an AS into a number of areas, which are groups of contiguous networks and attached hosts.
Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
The following example shows different router designations. Figure 98. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.
Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
Link-State Advertisements (LSAs) A link-state advertisement (LSA) communicates the router’s local routing topology to all other local routers in the same area. The LSA types supported by Dell Networking are defined as follows: • Type 1: Router LSA — The router lists links to other routers or networks in the same area. Type 1 LSAs are flooded across their own area only. The link-state ID of the Type 1 LSA is the originating router ID.
require reduced intervals for LSA transmission and acceptance. Throttling timers allow for these improved convergence times. The LSA throttling timers are configured in milliseconds, with the interval time increasing exponentially until a maximum time has been reached. If the maximum time is reached, the system continues to transmit at the max-interval until twice the max-interval time has passed. At that point, the system reverts to the start-interval timer and the cycle begins again.
• Cost is a numbered rating 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail. When a router fails and the cost is assessed, a new priority number results. Figure 99. Priority and Cost Examples OSPF Implementation The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes.
• Network (type 2) • Network Summary (type 3) • AS Boundary (type 4) • LSA(type 5) • External LSA (type 7) • Link LSA, OSPFv3 only (type 8) • Opaque Link-Local (type 9) • Grace LSA, OSPFv3 only (type 11) Fast Convergence (OSPFv2, IPv4 Only) Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time.
RFC-2328 Compliant OSPF Flooding In OSPF, flooding is the most resource-consuming task. The flooding algorithm described in RFC 2328 requires that OSPF flood LSAs on all interfaces, as governed by LSA’s flooding scope (refer to Section 13 of the RFC.) When multiple direct links connect two routers, the RFC 2328 flooding algorithm generates significant redundant information across all links.
Number of area in this router is 1, normal 0 stub 0 nssa 1 --More-- OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
Configuration Information The interfaces must be in Layer 3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface. NOTE: By default, OSPF is disabled.
Enabling OSPFv2 To enable Layer 3 routing, assign an IP address to an interface (physical or Loopback). By default, OSPF, similar to all routing protocols, is disabled. You must configure at least one interface for Layer 3 before enabling OSPFv2 globally. If implementing multi-process OSPF, create an equal number of Layer 3 enabled interfaces and OSPF process IDs. For example, if you create four OSPFv2 process IDs, you must have four interfaces with Layer 3 enabled. 1 Assign an IP address to an interface.
• Disable OSPF.
CONFIGURATION mode
no router ospf process-id
• Reset the OSPFv2 process.
EXEC Privilege mode
clear ip ospf process-id
• View the current OSPFv2 status.
EXEC mode
show ip ospf process-id
Example of Viewing the Current OSPFv2 Status
Dell#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.
If you try to enable more OSPF processes than available Layer 3 interfaces, the following message displays: Dell(conf)#router ospf 1 % Error: No router ID available. Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0).
Dell(conf-if-te-4/44)#no shutdown
Dell(conf-if-te-4/44)#ex
Dell(conf)#router ospf 1
Dell(conf-router_ospf-1)#network 1.2.3.4/24 area 0
Dell(conf-router_ospf-1)#network 10.10.10.10/24 area 1
Dell(conf-router_ospf-1)#network 20.20.20.20/24 area 2
Dell(conf-router_ospf-1)#
Dell#
Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting.
To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode.
Adjacent with neighbor 10.168.253.3 (Backup Designated Router)
Loopback 0 is up, line protocol is up
Internet Address 10.168.253.2/32, Area 0.0.0.1
Process ID 1, Router ID 10.168.253.2, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host.
Dell#
Configuring Stub Areas
OSPF supports different types of LSAs to help reduce the amount of router processing within the areas.
To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode.
Configuring LSA Throttling Timers
Configured link-state advertisement (LSA) timers replace the standard transmit and acceptance times for LSAs. The LSA throttling timers are configured in milliseconds. The interval time increases exponentially until a maximum time is reached. If the maximum time is reached, the system continues to transmit at the maximum interval.
To enable both receiving and sending routing updates, use the no passive-interface interface command.
Example of Viewing Passive Interfaces
When you configure a passive interface, the show ip ospf process-id interface command adds the words passive interface to indicate that the hello packets are not transmitted on that interface (shown in bold).
Dell#show ip ospf 34 int
TengigabitEthernet 0/0 is up, line protocol is down
Internet Address 10.1.2.100/24, Area 1.1.1.1
Process ID 34, Router ID 10.1.2.
NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support. Examples of Enabling Fast-Convergence In the following examples, Convergence Level shows the fast-converge parameter setting and Min LSA origination shows the LSA parameters (shown in bold). The following example shows the fast-converge command.
  • seconds: the range is from 1 to 65535 (the default is 40 seconds).
  The dead interval must be four times the hello interval.
  The dead interval must be the same on all routers in the OSPF network.
• Change the time interval between hello-packet transmission.
  CONFIG-INTERFACE mode
  ip ospf hello-interval seconds
  • seconds: the range is from 1 to 65535 (the default is 10 seconds).
  The hello interval must be the same on all routers in the OSPF network.
The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration.
Dell(conf-if)#ip ospf cost 45
Dell(conf-if)#show config
!
interface TengigabitEthernet 0/0
 ip address 10.1.2.100 255.255.255.0
 no shutdown
 ip ospf cost 45
Dell(conf-if)#end
Dell#show ip ospf 34 interface
TengigabitEthernet 0/0 is up, line protocol is up
Internet Address 10.1.2.100/24, Area 2.2.2.2
Process ID 34, Router ID 10.1.2.
• Create a prefix list and assign it a unique name.
  CONFIGURATION mode
  ip prefix-list prefix-name
  You are in PREFIX LIST mode.
• Create a prefix list with a sequence number and a deny or permit action.
  CONFIG-PREFIX LIST mode
  seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
  The optional parameters are:
  • ge min-prefix-length: is the minimum prefix length to match (from 0 to 32).
  • le max-prefix-length: is the maximum prefix length to match (from 0 to 32).
• metric-type metric-type: 1 for OSPF external route type 1. 2 for OSPF external route type 2.
• route-map map-name: enter a name of a configured route map.
• tag tag-value: the range is from 0 to 4294967295.
Example of Viewing OSPF Configuration after Redistributing Routes
To view the current OSPF configuration, use the show running-config ospf command in EXEC mode or the show config command in ROUTER OSPF mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
 network 10.1.2.32 0.0.0.255 area 2.2.
• View the summary information for the OSPF database.
  EXEC Privilege mode
  show ip ospf database
• View the configuration of OSPF neighbors connected to the local router.
  EXEC Privilege mode
  show ip ospf neighbor
• View the LSAs currently in the queue.
  EXEC Privilege mode
  show ip ospf timers rate-limit
• View debug messages.
Sample Configurations for OSPFv2
The following configurations are examples for enabling OSPFv2. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
Basic OSPFv2 Router Topology
The following illustration is a sample basic OSPFv2 topology.
Figure 100.
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TengigabitEthernet 3/1
 ip address 10.1.13.3/24
 no shutdown
!
interface TengigabitEthernet 3/2
 ip address 10.2.13.3/24
 no shutdown
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.
Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch. The configuration options of OSPFv3 are the same as those options for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process. Define areas as stub or totally stubby.
  ipv6 address ipv6 address
  IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128.
2 Bring up the interface.
  CONF-INT-type slot/port mode
  no shutdown
Assigning Area ID on an Interface
To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
• Disable OSPF.
  CONFIGURATION mode
  no ipv6 router ospf process-id
• Reset the OSPFv3 process.
  EXEC Privilege mode
  clear ipv6 ospf process
Assigning OSPFv3 Process ID and Router ID to a VRF
To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
Configuring the Cost of OSPFv3 Routes
Change in bandwidth directly affects the cost of OSPF routes.
• Explicitly specify the cost of sending a packet on an interface.
  INTERFACE mode
  ipv6 ospf interface-cost
  • interface-cost: The range is from 1 to 65535. Default cost is based on the bandwidth.
• Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information (for example, passive-interface ten 2/3).
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information (for example, passive-interface ten 2/4).
• For a VLAN, enter the keyword vlan then a number from 1 to 4094 (for example, passive-interface vlan 2222).
To enable both receiving and sending routing updates, use the no passive-interface interface command.
• metric metric-value: The range is from 0 to 4294967295.
• metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
• route-map map-name: enter a name of a configured route map.
OSPFv3 Authentication Using IPsec
OSPFv3 uses IP security (IPsec) to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers.
OSPFv3 Authentication Using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
• To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
Configuring IPsec Authentication on an Interface
To configure, remove, or display IPsec authentication on an interface, use the following commands.
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
• Enable IPsec encryption for OSPFv3 packets on an IPv6-based interface.
  INTERFACE mode
  ipv6 ospf encryption {null | ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key}
  • null: causes an encryption policy configured for the area to not be inherited on the interface.
  • ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295.
• Enable IPSec authentication for OSPFv3 packets in an area.
  CONF-IPV6-ROUTER-OSPF mode
  area-id authentication ipsec spi number {MD5 | SHA1} [key-encryption-type] key
  • area area-id: specifies the area for which OSPFv3 traffic is to be authenticated. For area-id, enter a number or an IPv6 prefix.
  • spi number: is the SPI value. The range is from 256 to 4294967295.
  • MD5 | SHA1: specifies the authentication type: message digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1).
  • key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. The required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192.
  • key-encryption-type: (optional) specifies if the key is encrypted. Valid values: 0 (key is not encrypted) or 7 (key is encrypted).
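The SPI range and the per-cipher key lengths listed above can be checked before a configuration is pushed to a switch. The following Python linter is an added example, not Dell Networking code; the lower-case algorithm keywords (3des, des, aes-cbc, md5, sha1), the treatment of an omitted key type as 0, and the DES and MD5 warnings are assumptions of this example, and the sample configuration is constructed.

```python
import re

# Hex-digit key lengths from the guide, as (non-encrypted, encrypted) pairs.
# AES-CBC has two pairs because the guide lists AES-128 and AES-192 separately.
ESP_KEY_LENGTHS = {
    "3des": [(48, 96)],
    "des": [(16, 32)],
    "aes-cbc": [(32, 64), (48, 96)],
}
AUTH_ALGORITHMS = {"md5", "sha1"}
SPI_MIN, SPI_MAX = 256, 4294967295  # SPI range stated in the guide
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def _take_key(tokens, what):
    """Consume an optional key type (0 or 7) and the key that follows it."""
    key_type = 0  # assumption: an omitted type means the key is not encrypted
    if tokens and tokens[0] in ("0", "7"):
        key_type = int(tokens.pop(0))
    if not tokens:
        raise ValueError(f"{what} key is missing")
    return key_type, tokens.pop(0)


def lint_encryption_line(line):
    """Return 'ERROR: ...' and 'WARN: ...' findings for one interface command."""
    tokens = line.split()
    if tokens[:3] != ["ipv6", "ospf", "encryption"]:
        return ["ERROR: not an 'ipv6 ospf encryption' command"]
    rest = tokens[3:]
    if rest == ["null"]:
        return []  # area policy is not inherited here; nothing to validate
    if len(rest) < 5 or rest[:2] != ["ipsec", "spi"] or rest[3] != "esp":
        return ["ERROR: expected 'ipsec spi <number> esp <algorithm> ...'"]

    findings = []
    spi = rest[2]
    if not (spi.isascii() and spi.isdigit() and SPI_MIN <= int(spi) <= SPI_MAX):
        findings.append(f"ERROR: SPI {spi} is outside {SPI_MIN}-{SPI_MAX}")

    body = rest[4:]
    cipher = body.pop(0).lower()
    try:
        enc_type, enc_key = _take_key(body, "cipher")
        if not body:
            raise ValueError("authentication algorithm is missing")
        auth_alg = body.pop(0).lower()
        _auth_type, auth_key = _take_key(body, "authentication")
    except ValueError as exc:
        return findings + [f"ERROR: {exc}"]

    if cipher not in ESP_KEY_LENGTHS:
        findings.append(f"ERROR: no key length known for cipher '{cipher}'")
    else:
        column = 0 if enc_type == 0 else 1
        allowed = [pair[column] for pair in ESP_KEY_LENGTHS[cipher]]
        if len(enc_key) not in allowed:
            findings.append(f"ERROR: {cipher} key type {enc_type} needs "
                            f"{allowed} hex digits, got {len(enc_key)}")
    if auth_alg not in AUTH_ALGORITHMS:
        findings.append(f"ERROR: unknown authentication algorithm '{auth_alg}'")
    for label, key in (("cipher", enc_key), ("authentication", auth_key)):
        if not HEX_RE.fullmatch(key):
            findings.append(f"ERROR: {label} key is not hexadecimal")
    if body:
        findings.append(f"ERROR: unexpected trailing tokens {body}")
    # Algorithm-strength warnings are this example's addition, not the guide's.
    if cipher == "des":
        findings.append("WARN: DES uses a 56-bit key; prefer 3DES or AES-CBC")
    if auth_alg == "md5":
        findings.append("WARN: MD5 is a legacy digest; prefer SHA1 of the two")
    return findings


def lint_config(text):
    """Map each interface name to the findings for its encryption commands."""
    report, interface = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            interface = line[len("interface "):]
        elif line.startswith("ipv6 ospf encryption") and interface:
            report.setdefault(interface, []).extend(lint_encryption_line(line))
    return report


# Constructed sample configuration with constructed key strings.
KEY48 = "123456789a123456789b123456789c123456789d12345678"
KEY32 = "123456789a123456789b123456789c12"
SAMPLE_CONFIG = f"""
interface TenGigabitEthernet 0/1
 ipv6 ospf encryption ipsec spi 502 esp 3des {KEY48} md5 {KEY32}
interface TenGigabitEthernet 0/2
 ipv6 ospf encryption ipsec spi 100 esp des {KEY48} md5 {KEY32}
interface TenGigabitEthernet 0/3
 ipv6 ospf encryption null
"""

if __name__ == "__main__":
    for name, findings in lint_config(SAMPLE_CONFIG).items():
        print(name, findings or "OK")
```

Authentication key lengths are not checked because this part of the guide does not list them.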
Policy refcount          : 1
Inbound ESP SPI          : 502 (0x1F6)
Outbound ESP SPI         : 502 (0x1F6)
Inbound ESP Auth Key     : 123456789a123456789b123456789c12
Outbound ESP Auth Key    : 123456789a123456789b123456789c12
Inbound ESP Cipher Key   : 123456789a123456789b123456789c123456789d12345678
Outbound ESP Cipher Key  : 123456789a123456789b123456789c123456789d12345678
Transform set            : esp-3des esp-md5-hmac

Crypto IPSec client security policy data
Policy name              : OSPFv3-1-500
Policy refcount          : 2
Inbound AH SPI           : 500 (0x1F4)
Outbound AH
Interface: TenGigabitEthernet 0/1
Link Local address: fe80::201:e8ff:fe40:4d11
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
outbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSP
  show ipv6 route summary
• View the summary information for the OSPFv3 database.
  EXEC Privilege mode
  show ipv6 ospf database
• View the configuration of OSPFv3 neighbors.
  EXEC Privilege mode
  show ipv6 ospf neighbor
• View debug messages for all OSPFv3 interfaces.
  EXEC Privilege mode
  debug ipv6 ospf [event | packet] {type slot/port}
  • event: View OSPF event messages.
  • packet: View OSPF packets.
36 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Protocol Overview
A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 101.
The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.
Table 60. Spanning Tree Versions Supported
Dell Networking Term                      IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.1s
Per-VLAN Spanning Tree Plus (PVST+)       Third Party
Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
Enabling PVST+
When you enable PVST+, the system instantiates STP on each active VLAN.
1 Enter PVST context.
  PROTOCOL PVST mode
  protocol spanning-tree pvst
2 Enable PVST+.
  PROTOCOL PVST mode
  no disable
Disabling PVST+
To disable PVST+ globally or on an interface, use the following commands.
• Disable PVST+ globally.
  PROTOCOL PVST mode
  disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
Influencing PVST+ Root Selection
As shown in the previous PVST+ illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TengigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing.
Figure 102.
  vlan bridge-priority
  The range is from 0 to 61440. The default is 32768.
Example of the show spanning-tree pvst vlan Command
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.b6d6
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 4096, Address 0001.e80d.
  The default is 15 seconds.
• Change the hello-time parameter.
  PROTOCOL PVST mode
  vlan hello-time
  NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time.
  The range is from 1 to 10.
  The default is 2 seconds.
• Change the max-age parameter.
  PROTOCOL PVST mode
  vlan max-age
  The range is from 6 to 40.
  The default is 20 seconds.
The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command.
NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell Networking systems in a multi-vendor network, verify that the costs are values you intended.
To change the port cost or port priority of an interface, use the following commands.
• Change the port cost of an interface.
  INTERFACE mode
  spanning-tree pvst vlan cost.
  The range is from 0 to 200000.
• When you add a physical port to a port channel already in an Error Disable state, the new member port is also disabled in the hardware.
• When you remove a physical port from a port channel in an Error Disable state, the Error Disabled state is cleared on this physical port (the physical port is enabled in the hardware).
• The reset linecard command does not clear the Error Disabled state of the port or the hardware Disabled state. The interface continues to be disabled in the hardware.
To keep both ports in a Forwarding state, use extend system ID. Extend system ID augments the bridge ID with a VLAN ID to differentiate BPDUs on each VLAN so that PVST+ does not detect a loop and both ports can remain in a Forwarding state.
Figure 103. PVST+ with Extend System ID
• Augment the bridge ID with the VLAN ID.
 no shutdown
!
interface TengigabitEthernet 1/32
 no ip address
 switchport
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interfac
 no shutdown
!
interface TengigabitEthernet 3/22
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 300 bridge-priority 4096
37 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
Requesting Multicast Traffic
A host requesting multicast traffic for a particular group sends an Internet group management protocol (IGMP) Join message to its gateway router. The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic.
1 After receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group.
receiving the first multicast packet from a particular source, the last-hop DR sends a PIM Join message to the source to create an SPT to it. 4 There are two paths, then, between the receiver and the source, a direct SPT and an RPT.
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1 Enable multicast routing on the system.
  CONFIGURATION mode
  ip multicast-routing
2 Enable PIM-Sparse mode.
  INTERFACE mode
  ip pim sparse-mode
Examples of Viewing PIM-SM Information
To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode.
show ip pim interface
Address Interface Ver/ Mode
1.1.1.1 Te 1/0 v2/S
2.1.1.1 Te 11/0 v2/S
5.1.1.1 Vl 10 v2/S
6.1.1.
(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
 Incoming interface: TenGigabitEthernet 1/11, RPF neighbor 0.0.0.0
 Outgoing interface list:
  TenGigabitEthernet 0/11
  TenGigabitEthernet 0/12
  TenGigabitEthernet 1/13
--More--
Configuring S,G Expiry Timers
By default, S, G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G]). When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes.
!
ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4
Overriding Bootstrap Router Updates
PIM-SM routers must know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. Use the following command if you have configured a static RP for a group.
  EXEC Privilege mode
  show ip pim interface
Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet. Create multicast boundaries and domains by filtering inbound and outbound bootstrap router (BSR) messages per interface.
38 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Important Points to Remember
• The default SSM range is 232/8 always. Applying an SSM range does not overwrite the default range. Both the default range and SSM range are effective even when the default range is not added to the SSM ACL.
• Extended ACLs cannot be used for configuring SSM range. Be sure to create the ACL first and then apply it to the SSM range.
• The default range is always supported, so range can never be smaller than the default.
R1(conf)#do show ip pim ssm-range
Group Address / MaskLen
239.0.0.2 / 32
Use PIM-SSM with IGMP Version 2 Hosts
PIM-SSM requires receivers that support IGMP version 3. You can employ PIM-SSM even when receivers support only IGMP version 1 or version 2 by translating (*,G) entries to (S,G) entries. Translate (*,G) entries to (S,G) entries using the ip igmp ssm-map acl source command from CONFIGURATION mode. In a standard access list, specify the groups or the group ranges that you want to map to a source.
Member Ports: Te 1/1
239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.2
R1(conf)#do show ip igmp ssm-map
IGMP Connected Group Membership
Group Address Interface Mode Uptime Expires
239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:36 Never
Member Ports: Te 1/1
R1(conf)#do show ip igmp ssm-map 239.0.0.2
SSM Map Information
Group : 239.0.0.2
Source(s) : 10.11.5.2
R1(conf)#do show ip igmp groups detail
Interface Group Uptime Expires Router mode Last reporter Last reporter mode Last report Group source Source address 10.
39 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
interface user needs to provide tunnel id mandatory. If the user instead provides the tunnel destination IP as the next hop, it is treated as an IPv4 next hop and not a tunnel next hop.
PBR with Multiple Tracking Option: Policy-based routing with the multiple tracking option extends and introduces the capabilities of object tracking to verify the next hop IP address before forwarding the traffic to the next hop. The verification method is made transparent to the user.
• Create a Rule for a Redirect-list
• Create a Track-id list. For complete tracking information, refer to Object Tracking chapter.
• Apply a Redirect-list to an Interface using a Redirect-group
Create a Redirect List
Use the following command in CONFIGURATION mode:
Table 62. Create a Redirect List
Command Syntax                          Command Mode     Purpose
ip redirect-list redirect-list-name     CONFIGURATION    Create a redirect list by entering the list name.
sequence-number (Optional) — Configures a rule with an assigned sequence number for the redirect list. Enter a number from 1 to 65535. track — keyword to enable tracking. track is used to track the object-id for a host reachability track object. Enter a number from 1 to 500. The track object should correspond to the host tracking of the forwarding router’s IP address configured in this rule.
port number
fin      Match on the fin bit
gt       Match only packets with a greater port number
lt       Match only packets with a lower port number
neq      Match only packets not on a given port number
psh      Match on the psh bit
range    Match only packets in the range of port numbers
rst      Match on the rst bit
syn      Match on the syn bit
urg      Match on the urg bit
<cr>
Dell(conf-redirect-list)#redirect 1.1.1.
any Any destination host host A single destination host Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1 Mask A.B.C.D or /nn Mask in dotted decimal or in format Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1 Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1 Dell(conf-redirect-list)#do show ip redirect-list ? slash /32 ? /32 IP redirect-list xyz: Defined as: seq 5 redirect 3.3.3.3 ip host 222.1.1.1 host 77.1.1.
Ineffective PBR Exception due to Low Sequence Number
ip redirect-list rcl0
 seq 5 redirect 2.2.2.2 ip any any
 seq 10 permit ip host 3.3.3.3 any
To ensure that the permit statement (the PBR exception) is effective, give it a lower sequence number than the redirect rule, as shown below:
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
Apply a Redirect-list to an Interface using a Redirect-group
IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces.
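The sequence-number problem shown under "Ineffective PBR Exception due to Low Sequence Number" can be detected mechanically in a saved configuration. The following Python check is an added example, not Dell Networking code: it parses `seq` rules as they appear in `show config` output and reports any rule that an earlier, broader rule already covers. It assumes rules are evaluated in ascending sequence order, as the guide's example implies, and handles only the `any`, `host A.B.C.D` and `A.B.C.D/nn` address forms.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "seq action proto src dst qualifiers")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D/nn' or 'A.B.C.D /nn' at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if "/" in tok:
        return ipaddress.ip_network(tok, strict=False), i + 1
    if i + 1 < len(tokens) and tokens[i + 1].startswith("/"):
        return ipaddress.ip_network(tok + tokens[i + 1], strict=False), i + 2
    raise ValueError(f"unsupported address form: {tok}")


def parse_rule(line):
    """Return a Rule for a 'seq N redirect|permit ...' line, else None."""
    t = line.split(",")[0].split()  # drop any ', Next-hop reachable ...' status
    if len(t) < 3 or t[0] != "seq" or t[2] not in ("redirect", "permit"):
        return None  # list header, description, prompt, and so on
    seq, action, i = int(t[1]), t[2], 3
    if action == "redirect":
        i += 2 if t[i] == "tunnel" else 1  # next hop: A.B.C.D or 'tunnel N'
        if t[i] == "track":
            i += 2                         # optional 'track <object-id>'
    proto = t[i]
    src, i = _parse_addr(t, i + 1)
    dst, i = _parse_addr(t, i)
    return Rule(seq, action, proto, src, dst, tuple(t[i:]))


def parse_list(text):
    """Parse every rule in a redirect-list and order it by sequence number."""
    rules = [parse_rule(line) for line in text.splitlines()]
    return sorted((r for r in rules if r), key=lambda r: r.seq)


def covers(earlier, later):
    """True when every packet matching 'later' already matches 'earlier'."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    # A rule with port or flag qualifiers is never treated as covering
    # another rule: that is conservative, so it cannot raise false alarms.
    return (proto_ok and not earlier.qualifiers
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst))


def find_shadowed(rules):
    """Return (shadowed_seq, covering_seq, kind) for each rule that cannot match."""
    findings = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if covers(earlier, later):
                kind = ("exception-ineffective"
                        if (earlier.action, later.action) == ("redirect", "permit")
                        else "unreachable")
                findings.append((later.seq, earlier.seq, kind))
                break
    return findings


# The two rcl0 lists are the guide's own; TRACKED uses rules shown in its
# tracking example under a constructed list name.
BROKEN = """ip redirect-list rcl0
 seq 5 redirect 2.2.2.2 ip any any
 seq 10 permit ip host 3.3.3.3 any"""
FIXED = """ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any"""
TRACKED = """ip redirect-list tracked
 seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24
 seq 10 redirect 42.1.1.2 track 3 tcp any any"""

if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED), ("TRACKED", TRACKED)):
        print(name, find_shadowed(parse_list(text)))
```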
In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell Networking OS has the capability to support multiple groups on an interface for backup purposes.
Show Redirect List Configuration
To view the redirect list configuration, use the following command in EXEC mode:
Table 65.
seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.222/24 eq 40 ack, Next-hop reachable (via Te 2/1/1), Applied interfaces: Te 2/2/1
NOTE: If the redirect-list is applied to an interface, the output of the show ip redirect-list redirect-list-name command displays reachability status for the specified next-hop.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.
EDGE_ROUTER(conf-if-Te-2/11/1)#end
EDGE_ROUTER(conf-redirect-list)#end
EDGE_ROUTER#
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
 seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
 seq 10 redirect 10.99.99.254 ip 192.168.2.
Dell(conf)#int TenGigabitEthernet 2/28
Dell(conf-if-te-2/28)#ip redirect-group redirect_list_with_track
Dell(conf-if-te-2/28)#end
Verify the Applied Redirect Rules:
Dell#show ip redirect-list redirect_list_with_track
IP redirect-list redirect_list_with_track
Defined as:
 seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24, Track 3 [up], Next-hop reachable (via Vl 20)
 seq 10 redirect 42.1.1.2 track 3 tcp any any, Track 3 [up], Next-hop reachable (via Vl 20)
 seq 15 redirect 42.1.1.
ResId  Resource                Parameter  State  LastChange
1      Interface ip routing    Tunnel 1   Up     00:00:00
2      Interface ipv6 routing  Tunnel 2   Up     00:00:00
Dell#
Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#ip redirect-list explicit_tunnel
Dell(conf-redirect-list)#redirect tunnel 1 track
Dell(conf-redirect-list)#redirect tunnel 1 track
Dell(conf-redirect-list)#redirect tunnel 1 track 144.144.144.
40 Port Extenders (PEs) The C9010 switch supports the IEEE 802.1BR fabric protocol to expand the port density of the chassis, using C1048P port extenders. In this deployment, the C9010 operates as a controlling bridge for the C1048P. The C1048P functions as a remote line card that is physically connected to, and provisioned by, a C9010 over 10GbE links according to the IEEE 802.1BR standard.
IEEE 802.1BR The IEEE 802.1BR protocol allows a controlling bridge to use IEEE LAN technologies to discover and manage port extenders. The following illustration shows how a controlling bridge connects through an automatically established port channel (auto-LAG) to an uplink port on one or more port extenders. Figure 104.
802.1BR Terms and Definitions
The 802.1BR protocol uses the following terms to describe the operation of a controlling bridge and attached port extenders.
802.1BR Term         Definition
Cascade port         A port on a controlling bridge or bridge port extender that connects to an upstream port. In the case of the connection between two bridge port extenders, the cascade port is the port closest to the controlling bridge.
Controlling bridge   A bridge that supports one or more bridge port extenders.
Provisioning a Port Extender You can provision a port extender (PE) with an initial software configuration before or after you install and power on the PE. To provision a PE, start from the control bridge console and enter the following commands. If you enter the commands before you install the PE with a parent control bridge, the pre-configured software settings are downloaded to the PE when you attach it to a control bridge port and power up the PE.
NOTE: Provisioning a PE automatically creates a link aggregation group (LAG or port channel) on the controlling bridge. The generated auto-LAG number is from 257 to 513. All cascade ports configured on the control bridge to connect to the PE become member ports of the auto-LAG.
3 (Optional) Provision a C1048P for port-extender stacking.
  You can pre-provision a C1048P so that the parent C9010 dynamically discovers and automatically provisions the PE as a stack unit.
Dell# show pe 10
Codes: A - Active, I - Inactive
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error
        ISE - IPC Setup Error, CVE - Card Validation Error
PE-ID assigned: 10
Status: online
System Mac: 00:01:02:03:11:01
PE Up Time: 00:01:06
PE Discovery Status: Provisioned
PE User Configured Cascade Ports: Te 1/0(A),Te 1/12(A)
Cascade LAG: Po 268(Up)
---------------------------
pe provision 20 cascade interface TenGigabitEthernet 1/12
Dell# show pe brief
- Port Extenders Information
----------------------------------------------------------
PE-id Status Stack-size Type System-MAC
---------------------------------------------------------
10 online 1 C1048P a0:68:00:3f:92:bc
20 offline 1 C1048P 00:00:00:00:00:00
Dell#show pe errors
PE-id: 10
PE MAC: a0:68:00:3f:92:bc
Interface Errors:
TenGigabitEthernet 1/12 - Error State
• You may connect two PEs to a parent C9010 but only provisio
• You may connect a PE to a parent C9010 using both uplink ports but provision the PE with only the cascade port attached to one of the uplink ports. In this case, the auto-LAG is created with only the provisioned cascade port when the PE comes online. In the following example, PE 10 is provisioned to connect only to cascade port 1/12. However, the second uplink port on the PE is also cabled to cascade port 1/0.
Managing a Port Extender
Manage the PEs connected to a parent C9010 through a Telnet session. You can display PE operational status and current stack configuration or reset the PE.
Starting a Telnet Session
To manage a standalone port extender or a PE stack, start a Telnet session with the PE or the master unit in the stack using the connect pe command.
• connect pe pe-id
  EXEC Privilege
  • pe-id is a port-extender ID number from 0 to 255.
0 error SVM C1048P 00:00:00:00:00:00 52
Dell#show pe 10 statistics
PE-ID: 10
PE-CSP Tx Message: 4
PE-CSP Rx Message: 2
ECP Tx: 5
ECP Rx Ack: 5
ECP Dropped: 0
ECP Rx: 3
ECP Tx Ack: 3
Dell#show pe 10 system brief
Stack MAC : a0:68:00:3f:92:bc
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
-----------------------------------------------------------------------------------
0 Management online C1048P C1048P 9-9(0-5) 52
1 Member not present
2 Standby not present C1048P
3 Member not present C
Preventing Loops on Port Extender Ports
You can specify the threshold value and a time interval for the maximum number of station moves to prevent loops on a port extender (PE) port. When the number of station moves for a specified MAC address exceeds the configured threshold value in the configured time, a loop is detected on the PE ports.
  EXEC mode
Dell(conf-if-po-1)#do show interface port-channel 1
Port-channel 1 is up, line protocol is down(Pe Loop Detection)
Upgrading a Port Extender
You can update the Dell Networking operating system (OS) on a port extender manually as needed or allow it to be automatically updated by the controlling bridge.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
PE (255) Image upgraded successfully.
2 After the upgrade is successful, reload the PE or PE stack. To reload a PE stack, enter the stack-unit number of the master unit.
  EXEC Privilege mode
  reset pe {0-255} [stack-unit {0-7}]
Dell#
Dell#reset pe
Resetting PE will reload the entire PE STACK. Continue? [yes/no]: yes
3 Verify the OS image upgrade.
RPM  0  IAP          3.2
RPM  1  FPGA 1       2.14
RPM  1  CPLD         2.6
RPM  1  FPGA 2       2.0
RPM  1  Backup FPGA  2.0
RPM  1  IAP          3.2

PE RELEASE IMAGE INFORMATION :
---------------------------------------------------------------------
Platform         Version   Size      ReleaseTime
C-Series:C1048P  9.9(0.0)  27132051  Sep 4 2015 09:59:54

PE BOOT IMAGE INFORMATION :
---------------------------------------------------------------------
Type        Version  Target  Checksum
boot flash  3.3.1.
copy                    Copy from one file to another
delete                  Delete a file
diag                    Run diagnosis
dir                     List files on a filesystem
disable                 Turn off privileged commands
enable                  Turn on privileged commands
exit                    Exit from the EXEC
format                  Format a filesystem
hostname                Set system's network name
no                      Reset a command
offline                 Take a PE stack unit offline
online                  Bring a PE stack unit online
power-cycle             Power-cycle the unit(s)
pwd                     Display current working directory
reload                  PE Halt and perform a col
rename
reset
show
telnet-peer-stack-unit
upgrade
In the preceding illustration, Port Extender PE 1 is connected to System A and Port Extender PE 2 is connected to System B. PE 3 is connected to both A and B. When the systems A and B are connected to each other and made as VLT peers, you can configure PE 1, PE 2, and PE 3 from either of the systems. System A is the primary controlling bridge and System B is the secondary. When the primary system goes down, the secondary system acts as primary and controls the PEs.
Systems with Port Extender

The following diagram illustrates PE 1 connected to System A and PE 2 connected to System B.

Figure 106. Systems with Port Extender — Before setting up Dual Homing

You can connect System A and System B and configure them as VLT peers as follows:

1 Ensure that System A and System B are upgraded to OS 9.10(0.). Ensure that PE IDs of PE 1 and PE 2 are different. The IDs should be unique and cannot overlap during the configuration.
NOTE: The system MAC and unit ID are mandatory configurations; dual homing does not function properly without them.

NOTE: After saving the configurations to the startup-config, reload the system with unit ID 1. This reload is mandatory; proceed with further configurations only after reloading the system.

5 Add VLTi for the election to happen between the systems.

6 System A and system B become VLT peers after the election of primary and secondary VLT units.
Dell#show pe 1
Codes: A - Active, I - Inactive
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error
                ISE - IPC Setup Error, CVE - Card Validation Error
PE-ID assigned: 1
Status: online
System Mac: f8:b1:56:6e:20:07
PE Up Time: 00:17:15
PE Discovery Status: Provisioned
PE User Configured Cascade Ports: Te 0/0(A)
Cascade LAG: Po 258, Local Status: Up, Remote Status: Up
PE Confi
Standalone System

You can connect a standalone system to a system that already has a PE to make it dual homed. In the following illustration, PE 1 is connected to System A and System B is a standalone.

Figure 108. Standalone System and System with PE — Before setting up Dual Homing

To convert the above system into a dual homing setup, perform the following:

1 Repeat the steps 1 to 6 from Systems with Port Extender.
Once the cascade interfaces are configured, the PE starts functioning in a dual homing setup as shown in the following diagram:

Figure 109. Standalone System and System with PE — After setting up Dual Homing

You can configure PE 1 from both System A and System B.

Upgrading to OS 9.10(0.0)

To upgrade the Dell Networking OS 9.9(0.0) to OS 9.10(0.0):
• Upgrade the bootflash of the devices to 3.3.1.18 in OS 9.10.0.0.
• Upgrade the system-image in the Controlling Bridge (CB).
16G bytes of boot flash memory. 2 Route Processor Module. 1 24-port TE/GE 2 4-port TE/GE 32 Ten GigabitEthernet/IEEE 802.
Linecard2   Boot Flash  3.3.1.16  3.3.1.18
Linecard3   Boot Flash  3.3.1.16  3.3.1.18
Linecard4   Boot Flash  3.3.1.16  3.3.1.18
Linecard5   Boot Flash  3.3.1.16  3.3.1.18
Linecard6   Boot Flash  3.3.1.16  3.3.1.18
Linecard7   Boot Flash  3.3.1.16  3.3.1.18
Linecard8   Boot Flash  3.3.1.16  3.3.1.18
Linecard9   Boot Flash  3.3.1.16  3.3.1.18
Linecard10  Boot Flash  3.3.1.16  3.3.1.18
Linecard11  Boot Flash  3.3.1.16  3.3.1.18
PE (0/0)    Boot Flash  3.3.1.7   3.3.1.7
PE (0/1)    Boot Flash  3.3.1.7   3.3.1.
The above procedure brings up the devices in Dell Networking OS 9.10(0.0). To get a dual homing setup, you need to have a VLT domain running in two systems with the same OS version. Refer to Setting up Dual Homing. When you upgrade a standalone system to OS 10.0(0.0) and then connect a PE later, there might be a mismatch between the versions.
Apr 3 05:52:52: %RPM1-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Po 458
Apr 3 05:54:35: %RPM1-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 0/22
Apr 3 05:54:35: %RPM1-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 0/23
Apr 3 05:54:35: %RPM1-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/22
Apr 3 05:54:35: %RPM1-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/23
Apr 3 05:54:35: %RPM1-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up:
Apr 3 00:41:03: %PE200-UNIT2-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Po 257
Apr 3 00:41:03: %PE200-C1048P:2 %IFAGT-5-INSERT_OPTICS_PLUS: Optics SFP+ inserted in slot 2 port 1
Apr 3 00:41:03: %PE200-C1048P:2 %IFAGT-5-UNSUP_OPTICS: Non-qualified optics in slot 2 port 2
Apr 3 00:41:03: %PE200-UNIT2-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 2/1
Apr 3 00:41:03: %PE200-UNIT2-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 2/2
Apr 3 00:41:23: %PE200-UNIT2-M:CP %IFM
• LAGs
• LLDP
• Loop detection and MAC Learning Limit

A port extender does not support:
• DCB
• FEFD
• GVRP
• FRRP
• Sticky MAC
• STP Edge port support on PE interfaces
• VLAN stacking
• VLT
41 Port Extender (PE) Stacking

You can stack up to eight C1048P port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. Stacking is not supported on C9010 switches.

To set up a PE stack, follow the installation procedure in the Dell Networking C1048P Getting Started Guide or Dell Networking C1048P Installation Guide.

Each C1048P has 48 user ports, two uplink ports, and two stack-ports.
Although the master and standby units are automatically selected by MAC address, you can configure PE priorities to specify which units are assigned the master and standby roles.

Stack Master Election

When a PE stack reloads and all stack units come up, all units participate in the stack master election. The master and standby units are chosen based on the priority or MAC address. The stack takes the MAC address of the master unit.

• Unit priority — The range is from 1 to 14.
Important Points to Remember

• You can stack up to eight C1048P port extenders.
• You cannot stack C1048P port extenders with other system types.
• Set up a C1048P stack by using the dedicated stacking ports on the back panel.
• Dell Networking recommends using a ring topology for a PE stack.
• All stack units must have the same version of Dell Networking OS.
• When you restore the factory-default settings on all units in a stack, the units are placed in standalone mode.
4
• interface interface-type specifies a C9010 10-Gigabit Ethernet interface. The only supported value is TenGigabitEthernet slot/port-range.
• slot/port-range specifies a C9010 10GbE port, including slot number and either a single port number, a port range, or a combination of both for auto-LAG configuration.
• The range of slot numbers is from 0 to 9 for linecard slots. The range of port numbers is from 0 to 23.
Dell(conf-b)#commit
Dell(conf-b)#end
Dell# show pe 2
Codes: A - Active, I - Inactive
Reason: CTM - Card Type Mismatch, CAM - CAM ACL Mismatch
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, ICE - IPC CP Error, IRE - IPC RP Error
                ISE - IPC Setup Error, CVE - CHM Validation Error
PE-ID assigned: 2
Status: online
System Mac: a0:68:00:3f:92:bc
PE Up Time: 14:06:37
PE Discovery Status: Provisioned
PE User Configured Cascade Ports: Te 0/0(A)
Cascade LAG: Po 258, Local S
Renumbering a Stack Unit

By default, the number of a PE stack unit is 0. After you create and power on a PE stack, the units automatically number from 0 to 7, starting at 0. To change the default or automatically assigned stack unit number, use the pe renumber command.

NOTE: You can renumber a unit only when it is online and if no unit with the new stack-unit number is online.

• Configure a stack-unit number.
• priority — The unit with the numerically highest priority is elected the master management unit; the unit with the second highest priority is the standby unit. The range is from 1 to 14. There is no default.

Dell(conf)#pe 2
Dell(conf-pe-2)#stack-unit 0 priority 14
Dell(conf-pe-2)#stack-unit 1 priority 13

Managing PE Stack Redundancy

To manage the master and standby redundancy in a PE stack, use the following commands.

• Reset the current management unit and make the standby unit the new master unit.
pe State:               Standby
Peer pe stack unit ID:  2
pe SW Version:          1-0(0-4074)

-- pe Redundancy Configuration --
-------------------------------------------------
Primary pe:           mgmt-id 0
Auto Data Sync:       Full
Failover Type:        Hot Failover
Auto reboot pe:       Disabled
Auto failover limit:  3 times in 60 minutes

-- pe Failover Record --
-------------------------------------------------
Failover Count:           0
Last failover timestamp:  None
Last failover Reason:     None
Last failover type:       None

-- Last Data Block Sync Record: --
--------------------
0  Management  online       C1048P  C1048P  1-0(0-4149)  52
1  Member      not present
2  Member      not present
3  Standby     online       C1048P  C1048P  1-0(0-4149)  52
4  Member      not present
5  Member      not present
6  Member      not present
7  Member      not present

Verifying a PE Stack Master and Standby

The Status LED on the front panel of a PE stack unit identifies the unit’s role in the stack.
• Off indicates that the unit is a stack member.
• Off also indicates that the unit is stack standby.
show pe pe-id system brief

Dell#show pe 255 system brief
Stack MAC : f8:b1:56:62:61:08
-- Stack Info --
Unit  UnitType    Status       ReqTyp  CurTyp  Version   Ports
----------------------------------------------------------------------------
0     Member      not present
1     Member      online       C1048P  C1048P  9-9(0-8)  52
2     Management  online       C1048P  C1048P  9-9(0-8)  52
3     Standby     online       C1048P  C1048P  9-9(0-8)  52
4     Member      not present
5     Member      not present
6     Member      not present
7     Member      not present
-- Power Supplies --
Unit Bay Status Type FanStatu
Piece Part ID  : TW-0J9K8D-28298-499-0001
PPID Revision  : X01
Service Tag    : CL73Z01
Expr Svc Code  : 274 031 203 69
Auto Reboot    : enabled
Burned In MAC  : f8:b1:56:00:02:d1
No Of MACs     : 66

-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
-------------------------------------------------------------
2     0    up      AC    NA         NA
2     1    up      DC    NA         NA

-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
------------------------------------------------------------
2     0    up          up    9056   up    9056
Speed in RPM

• Display the
location-led pe pe-id stack-unit unit-number

The following example turns on the green blinking light on the main PSU LED on port extender 0 stack unit 5.

Dell#location-led pe 0 stack-unit 5 on

The following example disables the location-led feature on the PE stack-unit 5.

Dell#location-led pe 0 stack-unit 5 off

Troubleshooting a PE Stack

To troubleshoot the operation of a PE stack, use the following tasks.
42 Port Monitoring

Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic.

The Dell Networking OS supports the following mirroring techniques:
• Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Example of Viewing a Monitoring Session

Given these parameters, the following illustration shows the possible port monitoring configurations on the switch.

Figure 110. Port Monitoring Configurations

Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs.
Examples of Port Monitoring

In the following examples of port monitoring, the four source ports 0/13, 0/14, 0/15, and 0/16 belong to the same port pipe and mirror traffic to four different destinations (0/1, 0/2, 0/3, and 0/37). You cannot add another destination on the same port pipe in a monitoring session because a maximum number of four destination ports are supported on the same port pipe.
EXEC Privilege mode show running-config monitor session 2 Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example. MONITOR SESSION mode monitor session [session-ID] source interface | range destination interface direction {rx | tx | both} 3 Specify the source and destination port and direction of traffic, as shown in the following example.
flow-based enable — Specify flow-based enable for mirroring on a flow-by-flow basis and also for VLAN as source.

destination interface — Enter one of the following keywords and slot/port information.

NOTE: You cannot configure cascade ports as a destination port.

• For a 10–Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40–Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic).

Figure 111. Port Monitoring Example

Remote Port Mirroring

Local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/router.
peGigE              PE Gigabit Ethernet interface
port-channel        Port-channel interface
range               Configure interface range
remote vlan         Remote-Port-Mirroing vlan
tengigabitethernet  TenGigabit Ethernet interface
vlan                VLAN Monitoring

Remote Port Mirroring Example

Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN.
Configuring Remote Port Mirroring

Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• You can use the default VLAN and native VLANs as a source VLAN.
• You cannot configure the dedicated VLAN used to transport mirrored traffic as a source VLAN.
• Egressing remote-vlan packets are rate limited to a default value of 100 Mbps.

In a destination session used for remote port mirroring:
• Maximum number of destination sessions supported on a switch: 64
• Maximum number of ports supported in a destination session: 64.
• You can configure any port as a destination port.
To display the current configuration of the reserved VLAN, enter the show vlan command.
Dell(conf-if-vl-20)#mode remote-port-mirroring
Dell(conf-if-vl-20)#tagged te 0/6
Dell(conf-if-vl-20)#exit
Dell(conf)#monitor session 2 type rpm
Dell(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx
Dell(conf-mon-sess-2)#no disable
Dell(conf-mon-sess-2)#exit
Dell(conf)#mac access-list standard mac_acl
Dell(config-std-macl)#permit 00:00:00:00:11:22 count monitor
Dell(config-std-macl)#exit
Dell(conf)#interface vlan 100
Dell(conf-if-vl-100)#mac access-group mac_acl in
Dell(conf-if-vl-100)#exi
Dell(conf-if-vl-10)#tagged te 0/0
Dell(conf-if-vl-10)#exit
Dell(conf)#inte vlan 20
Dell(conf-if-vl-20)#mode remote-port-mirroring
Dell(conf-if-vl-20)#tagged te 0/1
Dell(conf-if-vl-20)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged te 0/2
Dell(conf-if-vl-30)#exit
Dell(conf)#monitor session 1 type rpm
Dell(conf-mon-sess-1)#source remote-vlan 10 dest te 0/3
Dell(conf-mon-sess-1)#exit
Dell(conf)#monitor session 2 type rpm
Dell(conf-mon-sess-2)#source
rx 5 Dell(conf-mon-sess-1)#no disable Verify the port-channel configuration.
Monitoring-Session configuration mode. The session number needs to be unique and not already defined.

3 source {interface | range } direction {rx | tx | both}

Specify the source port or range of ports. Specify the ingress (rx), egress (tx), or both ingress and egress traffic to be monitored. You can enter multiple source statements in an ERPM monitoring session.
The following example shows you how to configure a source as a physical interface only for ERPM.

Dell(conf)#monitor session 3 type erpm
Dell(conf-mon-sess-3)#source vlan 100 dir rx
Dell(conf-mon-sess-3)# erpm source-ip 1.1.1.1 dest-ip 100.1.1.2
Dell(conf-mon-sess-3)# flow-based enable
Dell(conf-mon-sess-3)# no disable

The following example configures the port extender ports so that they are tagged and untagged members of VLAN 100.
43 Power over Ethernet (PoE)

The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to the attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P port-extender (PE); PoE is not supported on the C9010 switches.

PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
• Advertising the Extended Power through MDI
• Advertising Extended Power Through dot3–TLVs
• Detecting Legacy Devices and Allocating Power
• Deploying Voice Over IP (VoIP)
• Managing PoE on the Port Extender

Configuring PoE or PoE+

Configuring PoE or PoE+ is a two-step process:
1 Connect the IEEE 802.3af/802.3at-compliant powered device directly to a port.
2 Enable PoE or PoE+ on the port extender.

Enabling PoE or PoE+ on a Port

By default, PoE or PoE+ are disabled.
• Displaying PoE Power Allocation to Power Devices

For a complete listing of all PoE commands, see the Dell Networking OS Command Line Reference Guide.

Manage Ports using Power Priority and the Power Budget

The allocation and return of power-on ports depends on the total inline power available in the system and the power priority calculation.
Determining the Effect of a Port on the Power Budget

The PoE and PoE+ power budget is affected differently depending on how you enable PoE and PoE+ and whether a device is connected. The following lists these differences.

1 When you configure a port as power inline without setting the max_milliwatts power limit option, the Dell Networking OS does not allocate any power to the port unless a device is connected and there is no limit to the amount of power consumed by the powered device.
Configuring Power Management on the PE — Class and Static Mode

By default, PoE or PoE+ are disabled. To manage the inline power supplied to the port extender ports, use the power inline mode command in Configuration mode. The mode configuration applies to all the ports on the port extender.

To manage the inline power in a port extender, you can configure Class or Static mode. This command has the following parameters.
Total Inline Power Consumed: 0W
Remaining inline power Available :841W
Power Management Mode : Static

Interface   Inline Power  Inline Power  Class   Device  PoE Port  LLDP
            Max / Alloc   Consumed              Type    Priority  Support
            (Watts)       (Watts)
----------  -----------   -----------   ------  ------  -------   ------
PeGi 0/0/0  30.00/0.00    0.
The power inline command has the following parameters:

• max_milliwatts — (OPTIONAL) Specify the maximum inline power that is allocated to a powered device connected to the interface. The range is from 440 to 30000 mW. When you do not configure a power value, the system uses the default value (30000 mW).

NOTE: The max_milliwatts option only works when you use Static Management mode. When you enable Class mode, the max_milliwatts option has no effect on the interface.
Power Reserved for inline Power:   1612W
Total Inline Power Consumed:       21W
Remaining inline power Available:  1580W
Power Management Mode:             Class

Interface      Inline Power  Inline Power
               Max / Alloc   Consumed
               (Watts)       (Watts)
-------------  ------------  ------------
PeGi 255/0/1   30.00/21.40   21.
Setting the Threshold Limit for the PoE Power Budget

To set the global threshold limit of the total power available for PoE on the port extender, use the power budget global-threshold pe pe-id stack-unit unit-number threshold-value command in Configuration mode. This command has the following parameters.

• pe pe-id — Enter the keyword PE and specify the port extender ID. The range is from 0 to 255.
When you enable the advertise med power-via-mdi command in CONFIGURATION mode, advertisement is enabled for all the interfaces. To enable advertisement for a specific interface, use INTERFACE Configuration mode.

NOTE: If you also configure LLDP to use the 802.3 TLV format, 802.3 overrides the advertise med power-via-mdi settings. For more information, see Advertising Extended Power Through dot3–TLVs.

Parameters

power-via-mdi — Enter the keyword power-via-mdi to advertise IEEE 802.
extender to allocate less power to the endpoint, while making more power available to other port extender ports. By default, advertising extended power through dot3–TLVs is disabled.

NOTE: The port extender performs Layer 2 classification and participates in LLDP power negotiation only when in Class mode. To use this feature, configure PoE in power management Class mode. For information about Class mode, see Enabling PoE/PoE+ on a Port.

• Configure the system or an interface to advertise IEEE 802.
The following example shows detecting and allocating power to legacy devices on the port extender.

Dell(conf)#power inline legacy pe 0 stack-unit 0

Deploying Voice Over IP (VoIP)

For a complete list of all PoE commands, see the Dell Networking OS Command Line Reference Guide.

Current VoIP phones follow the same basic boot and operations process:
1 Wait for an LLDP from the Ethernet switch.
2 Obtain an IP address from a dynamic host configuration protocol (DHCP) server.
interface PeGigGE 0/6/10
 no ip address
 portmode hybrid
 switchport
!
 power inline
 no shutdown
!
interface Vlan 100
 description "Data VLAN"
 no ip address
 untagged PeGigGE 0/6/10-11,22-23,46-47
 shutdown
!
interface Vlan 200
 description "Voice VLAN"
 no ip address
 tagged PeGigGE 0/6/10-11,22-23,46-47
 shutdown
!
interface Vlan 300
 description "Voice Signaling VLAN"
 no ip address
 tagged PeGigGE 0/6/10-11,22-23,46-47
 shutdown

Configuring LLDP-MED for an Office VoIP Deployment

VoIP deployments may optionally use LL
Configuring QoS for an Office VoIP Deployment

There are several ways you can use quality of service (QoS) to map ingress phone and PC traffic to give them each a different quality of service.

Honoring the Incoming DSCP Value

If you know that traffic originating from the phone is tagged with the DSCP value of 46 (EF), you can make the associated queue a strict-priority queue, as shown in the following example.
Classifying VoIP Traffic and Applying QoS Policies

You can avoid congestion and give precedence to voice and signaling traffic by classifying traffic based on the subnet and using strict priority and bandwidth weights on egress, as outlined in the following steps. The following figure depicts the topology and configuration for a C9000 system.

Figure 114.
CONFIGURATION mode or QOS-POLICY-IN mode
qos-policy-out or bandwidth-weight

4 Create an output policy map containing both QoS policies and assign them to different service queues.
CONFIGURATION mode or POLICY-MAP-OUT mode
policy-map-out or service-queue

5 Assign a strict priority to unicast traffic in queue 3.
CONFIGURATION mode
strict-priority

6 Apply the input policy map you created in Step 2 to the interface connected to the phone.
strict-priority unicast 3

Dell#sh run int gi 0/6/10
!
interface GigabitEthernet 0/6/10
 description "IP Phone X"
 no ip address
 portmode hybrid
 switchport
 service-policy input phone-pc
 power inline
 no shutdown

Dell#sh run int gi 0/6/2
!
interface GigabitEthernet 0/6/2
 description "Uplink to C9000"
 no ip address
 switchport
 service-policy output BW
 no shutdown

Managing PoE on the Port Extender

This section describes how to manage PoE on the port extender.
Suspending Power Delivery on the Port Extender

You can temporarily disable and then restore power on the port extender. For information about how to restore power to the port extender, see Restoring Power Delivery on the PE.

To disable inline power on the port extender, use the following command. When you use this command, the inline power to all the ports on the port extender is disabled.

• Disable inline power on the port extender.
The following example disables power delivery on the port extender.
The following table shows the maximum number of ports that you can configure for PoE and PoE+ based on the number of PSUs available.

NOTE: The table assumes a maximum of 30 W for PoE+ and 15.4 W for PoE.

Table 68.
Power Management Mode: Static

Interface   Inline Power   Inline Power  Class  Device  PoE Port  LLDP
            Max / Alloc    Consumed             Type    Priority  Support
            (Watts)        (Watts)
---------   -------------  ------------  -----  ------  --------  -------
PeGi 2/1/2  30.00 / 15.00  15.00         4      2       Low       PowViaMDI

Table 69. show power inline Field Description

Field      Description
Interface  Displays the linecard slot and port number.
Displaying Power Consumption on the Port Extender

To display detailed inline power consumption on a port extender, use the following command. For more information on monitoring power budget, see Monitoring the Power Budget.

• Display detailed information about inline power consumption on the port extender.
  EXEC mode
  show power detail {pe pe-id stack-unit unit-number}
  • pe pe-id — Enter the keyword pe and the port extender ID. The range is from 0 to 255.
Field Description Inline Power Remaining (Watts) Difference between the available power and the allocated power.
44 Private VLANs (PVLAN)

Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
  • A community VLAN can only contain ports configured as host.
• Isolated VLAN — a type of secondary VLAN in a primary VLAN:
  • Ports in an isolated VLAN cannot talk directly to each other.
  • Ports in an isolated VLAN can only communicate with promiscuous ports in the primary VLAN.
  • An isolated VLAN can only contain ports configured as host.
• Primary VLAN — the base VLAN of a PVLAN:
  • A switch can have one or more primary VLANs, and it can have none.
NOTE: Even after you disable ip-local-proxy-arp (no ip-local-proxy-arp) in a secondary VLAN, Layer 3 communication may happen between some secondary VLAN hosts, until the address resolution protocol (ARP) timeout happens on those secondary VLAN hosts.

• Set the mode of the selected VLAN to community, isolated, or primary.
  INTERFACE VLAN mode
  [no] private-vlan mode {community | isolated | primary}

Map secondary VLANs to the selected primary VLAN.
Creating PVLAN ports

PVLAN ports are those that will be assigned to the PVLAN.

1 Access INTERFACE mode for the port that you want to assign to a PVLAN.
CONFIGURATION mode
interface interface

2 Enable the port.
INTERFACE mode
no shutdown

3 Set the port in Layer 2 mode.
INTERFACE mode
switchport

4 Select the PVLAN mode.
Creating a Primary VLAN

A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs.

1 Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
CONFIGURATION mode
interface vlan vlan-id

2 Enable the VLAN.
NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped.

Creating a Community VLAN

A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN.

1 Access INTERFACE VLAN mode for the VLAN that you want to make a community VLAN.
CONFIGURATION mode
interface vlan vlan-id

2 Enable the VLAN.
4 Add one or more host ports to the VLAN.
INTERFACE VLAN mode
tagged interface or untagged interface

You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add ports defined as host to the VLAN.

Example of Configuring Private VLAN Members

The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
Private VLAN Configuration Example

The following example shows a private VLAN topology.

Figure 115. Sample Private VLAN Topology

The following configuration is based on the example diagram:
• Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
• All the ports in the secondary VLANs (both community and isolated VLANs) can only communicate with ports in the other secondary VLANs of that PVLAN over Layer 3, and only when the ip local-proxyarp command is invoked in the primary VLAN.
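The Layer 2 isolation rules in this chapter can be checked against a planned port assignment before it is deployed. The following is an added example, not Dell Networking OS code: the class and method names are hypothetical, the model treats trunk ports like promiscuous ports for reachability, and community VLAN 4001 with ports Te 0/4 and Te 0/5 is constructed for the example (VLANs 4000 and 4003 and the other ports come from the topology above).

```python
from itertools import combinations

PROMISCUOUS, HOST, TRUNK = "promiscuous", "host", "trunk"
PRIMARY, COMMUNITY, ISOLATED = "primary", "community", "isolated"


class PrivateVlan:
    """One primary VLAN with its secondary VLANs and member ports (hypothetical model)."""

    def __init__(self, primary_id):
        self.vlans = {primary_id: PRIMARY}   # vlan id -> PVLAN mode
        self.ports = {}                      # port name -> (port mode, vlan id)

    def add_secondary(self, vlan_id, mode):
        if mode not in (COMMUNITY, ISOLATED):
            raise ValueError("a secondary VLAN is either community or isolated")
        self.vlans[vlan_id] = mode

    def add_port(self, name, port_mode, vlan_id):
        if vlan_id not in self.vlans:
            raise ValueError(f"VLAN {vlan_id} is not part of this PVLAN")
        self.ports[name] = (port_mode, vlan_id)

    def violations(self):
        """Secondary (community or isolated) VLANs may contain host ports only."""
        found = []
        for name, (port_mode, vlan_id) in sorted(self.ports.items()):
            vlan_mode = self.vlans[vlan_id]
            if vlan_mode != PRIMARY and port_mode != HOST:
                found.append(f"{name}: {port_mode} port in {vlan_mode} VLAN {vlan_id}")
        return found

    def l2_reachable(self, a, b):
        """True if ports a and b can exchange frames directly at Layer 2."""
        mode_a, vlan_a = self.ports[a]
        mode_b, vlan_b = self.ports[b]
        # Promiscuous ports reach every port; trunk ports are assumed to do the same.
        if mode_a != HOST or mode_b != HOST:
            return True
        # Two host ports talk only inside the same community VLAN.
        return vlan_a == vlan_b and self.vlans[vlan_a] == COMMUNITY

    def host_pairs(self):
        """All host-to-host pairs that bypass isolation, for review against intent."""
        hosts = sorted(n for n, (mode, _) in self.ports.items() if mode == HOST)
        return [(a, b) for a, b in combinations(hosts, 2) if self.l2_reachable(a, b)]


def sample_topology():
    pvlan = PrivateVlan(4000)
    pvlan.add_secondary(4003, ISOLATED)
    pvlan.add_secondary(4001, COMMUNITY)          # constructed for the example
    pvlan.add_port("Te 0/0", PROMISCUOUS, 4000)
    pvlan.add_port("Te 0/25", TRUNK, 4000)
    pvlan.add_port("Te 0/24", HOST, 4003)
    pvlan.add_port("Te 0/47", HOST, 4003)
    pvlan.add_port("Te 0/4", HOST, 4001)          # constructed for the example
    pvlan.add_port("Te 0/5", HOST, 4001)          # constructed for the example
    return pvlan


if __name__ == "__main__":
    topo = sample_topology()
    print("membership violations:", topo.violations())
    print("host pairs with direct Layer 2 reachability:", topo.host_pairs())
```

Any pair returned by host_pairs() that was meant to be isolated indicates a port placed in the wrong secondary VLAN.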
• The following examples show the results of using this command without the command options in the topology diagram previously shown.

Display the primary-secondary VLAN mapping. The following example shows the output from the S50V.

show vlan private-vlan mapping

This command is specific to the PVLAN feature.

Examples of Viewing a Private VLAN

The show arp and show vlan commands are revised to display PVLAN data. The following example shows viewing a private VLAN for a C300 system.
 no shutdown
!
interface TengigabitEthernet 0/4
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown
!
interface TengigabitEthernet 0/5
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown
!
interface TengigabitEthernet 0/6
 no ip address
 switchport
 switchport mode private-vlan host
 no shutdown
!
interface TengigabitEthernet 0/25
 no ip address
 switchport
 switchport mode private-vlan trunk
 no shutdown
!
interface Vlan 4000
 private-vlan mode primary
 private-vlan mapping secon
45 Quality of Service (QoS)

This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.

Figure 116.
• Enabling Strict-Priority Queueing
• Weighted Random Early Detection
• Explicit Congestion Notification
• Using A Configurable Weight for WRED and ECN
• Pre-Calculating Available QoS CAM Space
• SNMP Support for Buffer Statistics Tracking

Implementation Information

The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Packet Dot1p on Ingress    Packet Queue Number on C9000 Series
3                          3
4                          4
5                          5
6                          6
7                          7
• Change the priority of incoming traffic on the interface.
dot1p-priority
Example of Configuring a dot1p Priority on an Interface
Dell#config
Dell(conf)#interface tengigabitethernet 1/2
Dell(conf-if)#switchport
Dell(conf-if)#dot1p-priority 1
Dell(conf-if)#end
Dell#
Honoring dot1p Priorities on Ingress Traffic
By default, the system does not honor dot1p priorities on ingress traffic.
dotp or trust dot1p. When priority-tagged frames ingress a tagged port, the frames are dropped because, for a tagged port, the default VLAN is 0.
Dell Networking OS Behavior: Hybrid ports can receive untagged, tagged, and priority-tagged frames. The rate metering calculation might be inaccurate for untagged ports because an internal assumption is made that all frames are treated as tagged. Internally, the ASIC adds a 4-byte tag to received untagged frames.
Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 117. Constructing Policy-Based QoS Configurations
Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, the system matches packets against match criteria in the order that you configure them.
Creating a Layer 3 Class Map A Layer 3 class map differentiates ingress packets based on the DSCP value, IP precedence, VLANs, or characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using layer 3 class-maps. You can specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map. NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
The following example matches IPv6 traffic with a DSCP value of 40.
Dell(conf)# class-map match-all test
Dell(conf-class-map)# match ipv6 dscp 40
The following example matches IPv4 and IPv6 traffic with a precedence value of 3.
Dell(conf)# class-map match-any test1
Dell(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command.
CONFIGURATION mode
Dell(conf)# interface fo 0/0
INTERFACE mode
Dell(conf-if-fo-0/0)# ip address 90.1.1.1/16
2 Configure a Layer 2 QoS policy with Layer 2 (Dot1p or source MAC-based) match criteria.
CONFIGURATION mode
Dell(conf)# policy-map-input l2p layer2
3 Apply the Layer 2 policy on a Layer 3 interface.
QOS-POLICY-IN mode
Dell(conf-qos-policy-in)#set ip-dscp 5
6 Create an input policy map.
CONFIGURATION mode
Dell(conf)#policy-map-input pp_policmap
7 Create a service queue to associate the class map and QoS policy map.
policy-map-input PolicyMapIn
 service-queue 1 class-map ClassAF1 qos-policy QosPolicyIn-1
 service-queue 2 class-map ClassAF2 qos-policy QosPolicyIn-2
Dell#show running-config class-map
!
class-map match-any ClassAF1
 match ip access-group AF1-FB1 set-ip-dscp 10
 match ip access-group AF1-FB2 set-ip-dscp 12
 match ip dscp 10 set-ip-dscp 14
 match ipv6 dscp 20 set-ip-dscp 14
!
class-map match-all ClassAF2
 match ip access-group AF2
 match ip dscp 18
Dell#show running-config ACL
!
ip access-list extended AF1-FB1
 seq
Creating an Input QoS Policy
To create an input QoS policy, use the following steps.
1 Create a Layer 3 input QoS policy.
CONFIGURATION mode
qos-policy-input
Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command.
QOS-POLICY-IN mode
set mac-dot1p
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1 Create an output QoS policy.
CONFIGURATION mode
qos-policy-output
2 After you configure an output QoS policy, do one or more of the following:
• Strict-Priority Queuing
• Configuring Policy-Based Rate Shaping
• Allocating Bandwidth to Queue
• Specifying WRED Drop Precedence
Strict-Priority Queuing
You can configure strict-priority queueing in an output QoS policy.
rate, it is considered to be green-colored or coded. When the transmitted traffic falls below the committed rate, the bandwidth, which is not used by any traffic that is traversing the network, is aggregated to form the committed burst size. Traffic is considered to be green-colored up to the point at which the unused bandwidth does not exceed the committed burst size. Allocating Bandwidth to Queue The switch schedules packets for egress based on Deficit Round Robin (DRR).
Create Policy Maps
There are two types of policy maps: input and output.
Creating Input Policy Maps
There are two types of input policy-maps: Layer 3 and Layer 2.
1 Create a Layer 3 input policy map.
CONFIGURATION mode
policy-map-input
Create a Layer 2 input policy map by entering the policy-map-input layer2 command.
Table 73.
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
• All dot1p traffic is mapped to Queue 0 unless you enable service-class dynamic dot1p on an interface or globally.
policy-map-output
2 After you create an output policy map, do one or more of the following:
• Applying an Output QoS Policy to a Queue
• Specifying an Aggregate QoS Policy
• Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
Creating a DSCP Color Map
You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic. The system uses this information to classify input traffic on an interface based on the DSCP value of each packet and assigns it an initial drop precedence of green, yellow, or red. The default setting for each DSCP value (0-63) is green (low drop precedence).
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence, and set the DSCP values to 9,10,11,13,15,16.
Dell(conf)# qos dscp-color-map bat-enclave-map
Dell(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16
Dell(conf-dscp-color-map)# exit
Assign the color map, bat-enclave-map, to interface te 0/11.
Display summary information about a color policy for a specific interface.
Enabling Strict-Priority Queueing
In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command.
• Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing.
example, 2000KB, is reached, all incoming packets are dropped until the buffer space consumes less than 2000KB of the specified traffic. Figure 118. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 75.
CONFIGURATION mode
wred
2 Specify the minimum and maximum threshold values.
WRED mode
threshold
Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify on which traffic the system applies the profile. The system assigns a color-coded drop precedence — red, yellow, or green — to each packet based on the fourth bit of the 6-bit DSCP field in the packet header before queuing it.
• If the fourth DSCP bit is 0, the packet is marked as green.
Displaying WRED Drop Statistics
To display WRED drop statistics, use the following command.
• Display the number of packets that the WRED profile drops.
EXEC Privilege mode
show qos statistics
Examples of the show qos statistics Commands
The following shows the show qos statistics output.
Dell# show qos statistics wred-profile
Interface Te 0/49
Drop-statistic    Dropped Pkts
Green             51624
Yellow            51300
Out of Profile    0
The following shows the show qos statistics output on the port extender.
Explicit Congestion Notification
Explicit Congestion Notification (ECN) enhances and extends WRED functionality by marking packets for later transmission instead of dropping them when a threshold value is exceeded. Use ECN for WRED to reduce the packet transmission rate in a congested, heavily-loaded network. While WRED drops packets to indicate congestion, ECN marks packets instead of dropping them when the average queue length exceeds the threshold value.
• match ip dscp
• match ip precedence
• match ip vlan
By default, all packets are marked for green handling if the rate-police and trust-diffserv commands are not used in an ingress policy map. All packets marked for red handling or “violate” are dropped. In the class map, in addition to color-marking matching packets for yellow handling, you can also configure a DSCP value for matching packets.
Example: Color-marking non-ECN Packets in Different Traffic Classes
The following examples both show how to mark non-ECN packets for “yellow” handling when packets with DSCP 40 egress on queue 2 and packets with DSCP 50 egress on queue 3. Non-ECN-capable packets have the ECN field in their packet headers set to 0.
match ip access-group dscp_50_ecn
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
Using A Configurable Weight for WRED and ECN
The switch supports a user-configurable weight that determines the average queue size used in WRED and Explicit Congestion Notification (ECN) operation on front-end I/O and backplane interfaces.
The average queue size is computed using the last calculated average-queue size and the current queue size. The following is the formula to calculate the average queue size:
average-queue-size (t+1) = average-queue-size (t) + (current-queue-length - average-queue-size (t))/2^N
where t is the time or the current instant at which average queue size is measured, t+1 is the next calculation of the average queue size, and N is the weight factor.
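The following Python script is an added illustration, not part of the Dell guide: it applies the formula above to a constructed series of queue-depth samples and shows how the weight factor N decides whether a short burst ever pushes the average past a WRED minimum threshold. The sample values, the starting average and the KB unit are assumptions; the threshold value 300 is borrowed from the threshold min 300 max 400 example in this chapter.

```python
"""Added example: effect of the WRED/ECN weight factor N on the average queue size."""
from typing import Dict, Iterable, List, Optional, Tuple


def average_queue_series(samples: Iterable[float], weight: int,
                         initial_avg: float = 0.0) -> List[float]:
    """Apply avg(t+1) = avg(t) + (current - avg(t)) / 2^N to every sample."""
    if weight < 0:
        raise ValueError("weight factor N must be >= 0")
    avg = initial_avg
    series = []
    for current in samples:
        avg = avg + (current - avg) / (2 ** weight)
        series.append(avg)
    return series


def first_crossing(series: List[float], threshold: float) -> Optional[int]:
    """Index of the first sample whose average exceeds the threshold, else None."""
    for index, avg in enumerate(series):
        if avg > threshold:
            return index
    return None


# Constructed queue-depth samples: steady 100, a five-sample burst to 500,
# then back to 100. Unit assumed to be KB.
SAMPLES = [100] * 10 + [500] * 5 + [100] * 10

# Minimum threshold taken from "threshold min 300 max 400" in this chapter.
MIN_THRESHOLD = 300


def burst_report(weights=(0, 1, 2, 3)) -> Dict[int, Tuple[Optional[int], float]]:
    """For each N: (index where the average first exceeds MIN_THRESHOLD, peak average)."""
    report = {}
    for n in weights:
        series = average_queue_series(SAMPLES, n, initial_avg=100.0)
        report[n] = (first_crossing(series, MIN_THRESHOLD), max(series))
    return report


if __name__ == "__main__":
    for n, (index, peak) in burst_report().items():
        print(f"N={n}: first sample above min threshold = {index}, "
              f"peak average = {peak:.2f} KB")
```

With N=0 the average equals the instantaneous queue length and crosses the threshold on the first burst sample; with N=3 the same burst never moves the average above 300, so WRED and ECN would not react to it.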
Table 76.
Dell(conf-wred)#wred thresh-2
Dell(conf-wred)#threshold min 300 max 400 max-drop-rate 80
3 Associate a service class for each WRED profile, and assign the WRED profile to specific queues on backplane ports.
• test cam-usage service-policy input policy-map linecard {0–2} number port-set number
• test cam-usage service-policy input policy-map linecard {0–2} all
The output of this command, shown in the following example, displays:
• The estimated number of CAM entries the policy-map will consume.
• Whether or not the policy-map can be applied.
• The number of interfaces in a port-pipe to which the policy-map can be applied.
• fpEgrQBuffSnapshotTable: Retrieves BST statistics from the egress port used in a buffer. This table displays a snapshot of the buffer cells used by unicast and multicast data and control queues.
• fpIngPgBuffSnapshotTable: Retrieves BST statistics from the ingress port for the shared and headroom cells used in a priority group. The snapshot of the ingress shared cells and the ingress headroom cells used for each priority group are displayed in this table when PFC is enabled.
46 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter.
Topics:
• Protocol Overview
• Implementation Information
• Configuration Information
Protocol Overview
RIP is the oldest interior gateway protocol.
RIPv2
RIPv2 adds support for subnet fields in the RIP routing updates, thus qualifying it as a classless routing protocol. The RIPv2 message format includes entries for route tags, subnet masks, and next hop addresses. Another enhancement included in RIPv2 is multicasting for route updates on IP multicast address 224.0.0.9.
Configuration Task List The following is the configuration task list for RIP.
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Dell#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
8.0.0.0/8 auto-summary
12.0.0.
ROUTER RIP mode
neighbor ip-address
You can use this command multiple times to exchange RIP information with as many RIP networks as you want.
• Disable a specific interface from sending or receiving RIP routing information.
ROUTER RIP mode
passive-interface interface
Assigning a Prefix List to RIP Routes
Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes.
redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name]
Configure the following parameters:
• process-id: the range is from 1 to 65535.
• metric: the range is from 0 to 16.
• map-name: the name of a configured route map.
To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
TengigabitEthernet Routing for Networks: 10.0.0.0 0/0 2 Routing Information Sources: Gateway Distance 2 Last Update Distance: (default is 120) Dell# To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example.
• route-map-name: The name of a configured route map.
To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
Summarize Routes
Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the auto-summary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary.
• prefix-list-name: the name of an established Prefix list to determine which incoming routes are modified.
• offset: the range is from 0 to 16.
• interface: the type, slot, and number of an interface.
To view the configuration changes, use the show config command in ROUTER RIP mode.
Debugging RIP
The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command.
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Example of Configuring RIPv2 on Core 2
Core2(conf-if-te-2/31)#
Core2(conf-if-te-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
> - non-active route, + - summary route
Gateway of last resort is not set
  Destination       Gateway                  Dist/Metric Last Change
  -----------       -------                  ----------- -----------
C 10.11.10.0/24     Direct, Te 2/11
C 10.11.20.0/24     Direct, Te 2/31
R 10.11.30.0/24     via 10.11.20.1, Te 2/31
C 10.200.10.0/24    Direct, Te 2/41
C 10.300.10.0/24    Direct, Te 2/42
R 192.168.1.0/24    via 10.11.20.1, Te 2/31
R 192.168.2.0/24    via 10.11.20.1, Te 2/31
Core2#
R 192.168.1.0/24 via 10.11.20.1, Te 2/31
R 192.168.2.0/24 via 10.11.20.
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.2.0
 version 2
Core3(conf-router_rip)#
Core 3 RIP Output
The examples in this section show the Core 3 RIP output.
• To display Core 3 RIP database, use the show ip rip database command.
• To display Core 3 RIP setup, use the show ip route command.
• To display Core 3 RIP activity, use the show ip protocols command.
To view the RIP configuration activity on Core 3, use the show ip protocols command.
The following example shows viewing the RIP configuration on Core 3.
!
interface TengigabitEthernet 3/11
 ip address 10.11.30.1/24
 no shutdown
!
interface TengigabitEthernet 3/21
 ip address 10.11.20.1/24
 no shutdown
!
interface TengigabitEthernet 3/43
 ip address 192.168.1.1/24
 no shutdown
!
interface TengigabitEthernet 3/44
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
47 Remote Monitoring (RMON)
Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
NOTE: A network management system (NMS) should be ready to interpret a down interface and plot the interface performance graph accordingly.
• Line Card Down — The same as Interface Down (see previous).
• Chassis Down — When a chassis goes down, all sampled data is lost. But the RMON configurations are saved in the configuration file. The sampling process continues after the chassis returns to operation.
• owner string: (Optional) specifies an owner for the alarm; this setting is the alarmOwner object in the alarmTable of the RMON MIB. Default is a null-terminated string.
Example of the rmon alarm Command
To disable the alarm, use the no form of the command.
The following example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the RMON collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
CONFIGURATION INTERFACE (config-if) mode
[no] rmon collection statistics {controlEntry integer} [owner ownername]
• controlEntry: specifies the RMON group of statistics using a value.
• integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
• seconds: (Optional) the number of seconds in each polling cycle. The range is from 5 to 3,600 seconds. The default is 1,800 (as defined in RFC-2819).
Example of the rmon collection history Command
To remove a specified RMON history group of statistics collection, use the no form of this command.
48 Rapid Spanning Tree Protocol (RSTP)
The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
Protocol Overview
The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.
Table 78.
Important Points to Remember
• RSTP is disabled by default on the switch.
• The system supports only one Rapid Spanning Tree (RST) instance.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
• Adding a group of ports to a range of VLANs sends multiple messages to the RSTP task; avoid using the range command.
INTERFACE mode
switchport
3 Enable the interface.
INTERFACE mode
no shutdown
Example of Verifying an Interface is in Layer 2 Mode and Enabled
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. The bold lines indicate that the interface is in Layer 2 mode.
no disable
Dell(conf-rstp)#
Figure 120. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.378, designated path cost 0
Number of transitions to forwarding state 1
BPDU : sent 121, received 2
The port is not in the Edge port mode
Port 379 (TengigabitEthernet 2/3) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.379
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
no spanning-tree 0
Modifying Global Parameters
You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group.
• Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
• Hello-time — the time interval in which the bridge sends RSTP BPDUs.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
PROTOCOL SPANNING TREE RSTP mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
The range is from 0 to 15. The default is 128.
To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Influencing RSTP Root Selection
RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command.
• Assign a number as the bridge priority or designate it as the primary or secondary root.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
• When you remove a physical port from a port channel in the Error Disable state, the error disabled state is cleared on this physical port (the physical port is enabled in the hardware).
• The reset linecard command does not clear the Error Disabled state of the port or the hardware disabled state. The interface continues to be disabled in the hardware.
The range is from 50 to 950 milliseconds.
Example of Verifying Hello-Time Interval
Dell(conf-rstp)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 0, Address 0001.e811.2233
Root Bridge hello time 50 ms, max age 20, forward delay 15
Bridge ID Priority 0, Address 0001.e811.2233
We are the root
Configured hello time 50 ms, max age 20, forward delay 15
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second.
49 Security
This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
Overview of RBAC
With Role-Based Access Control (RBAC), access and authorization are controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions, and through those roles users acquire the permissions to perform their associated job function. Each user can be assigned only a single role. Many users can have the same role. The Dell Networking OS supports the constrained RBAC model.
1 Locally define a system administrator user role. This gives you access to log in with full permissions even if network connectivity to remote authentication servers is not available.
2 Configure login authentication on the console. This ensures that all users are properly identified through authentication no matter the access point. If you do not configure login authentication on the console, the system displays an error when you attempt to enable role-based only AAA authorization.
System-Defined RBAC User Roles
By default, the Dell Networking OS provides 4 system defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system defined roles.
The system defined user roles are as follows:
• Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information.
defined roles. Otherwise you would have to create a user role’s command permissions from scratch. You then restrict commands or add commands to that role. For more information about this topic, see Modifying Command Permissions for Roles. NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles.
myrole secadmin Exec Config Line
Modifying Command Permissions for Roles
You can modify (add or delete) command permissions for newly created user roles and system defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command command in Configuration mode.
NOTE: You cannot modify system administrator command permissions. If you add or delete command permissions using the role command, those changes only apply to the specific user role.
Example: Allow Security Administrator to Access Only 10-Gigabit Ethernet Interfaces
The following example allows the security administrator (secadmin) to only access 10-Gigabit Ethernet interfaces and then shows that the secadmin, highlighted in bold, can now access Interface mode. However, the secadmin can only access 10-Gigabit Ethernet interfaces.
In the following example the command protocol permissions are reset to their original setting for one or more of the system-defined roles and any roles that inherited permissions from them.
Dell(conf)#role configure reset protocol
Adding and Deleting Users from a Role
To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode.
To configure AAA authentication, use the aaa authentication command in CONFIGURATION mode.
aaa authentication login {method-list-name | default} method [… method4]
Configure AAA Authorization for Roles
Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those commands.
 authorization exec ucraaa
 accounting commands role netadmin
line vty 1
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 2
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 3
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 4
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin
line vty 5
 login authentication ucraaa
 authorization exe
The format to create a Dell Networking OS AV pair for privilege level is shell:priv-lvl=<number> where number is a value between 0 and 15.
Force10-avpair= "shell:priv-lvl=15"
Example for Creating an AVP Pair for System Defined or User-Defined Role
The following section shows you how to create an AV pair to allow a user to log in from a network access server and have access to commands based on the user’s role.
The following example applies the accounting default method to the user role secadmin (security administrator).
Dell(conf-vty-0)# accounting commands role secadmin default
Displaying Active Accounting Sessions for Roles
To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
Displaying Role Permissions Assigned to a Command
To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and/or permission level.
As with authentication and authorization, you must configure AAA accounting by defining a named list of accounting methods and then applying that list to various virtual terminal line (VTY) lines.
Configuration Task List for AAA Accounting
The following sections present the AAA accounting configuration tasks.
Suppressing AAA Accounting for Null Username Sessions
When you activate AAA accounting, the system issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is a user who comes in on a line where the AAA authentication login method-list none command is applied. To prevent accounting records from being generated for sessions that do not have usernames associated with them, use the following command.
Monitoring AAA Accounting
The system does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command.
• Step through all active sessions and print all the accounting records for the actively accounted functions.
• Enabling AAA Authentication—RADIUS
For a complete list of all commands related to login authentication, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
Configure Login Authentication for Terminal Lines
You can assign up to five authentication methods to a method list. The system evaluates the methods in the order in which you enter them in each list.
NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
You can create multiple method lists and assign them to different terminal lines.
Enabling AAA Authentication
To enable AAA authentication, use the following command.
• Enable AAA authentication.
CONFIGURATION mode
aaa authentication enable {method-list-name | default} method1 [...
The following example shows enabling local authentication for console and remote authentication for the VTY lines.
Dell(config)# aaa authentication enable mymethodlist radius tacacs
Dell(config)# line vty 0 9
Dell(config-line-vty)# enable authentication mymethodlist
Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
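The method-list rules described above (methods are evaluated in order, none does not authenticate users and is recommended only as a backup, and none and enable do not work with SSH) can be checked mechanically against a saved running-config. The following Python script is an added example, not part of the Dell guide. Its sample configuration is constructed; the list names labaccess, oob, fallback and missinglist are invented; and it assumes that SSH sessions arrive on VTY lines and that line sub-commands are indented as in show running-config output.

```python
"""Added example: audit AAA method lists and terminal-line bindings."""
import re

# Constructed sample in the command syntax shown in this chapter.
SAMPLE_CONFIG = """\
aaa authentication login default radius local
aaa authentication login ucraaa radius local
aaa authentication login labaccess none
aaa authentication login oob none local
aaa authentication login fallback radius none
aaa authentication enable mymethodlist radius tacacs
!
line console 0
 login authentication oob
line vty 0 4
 login authentication ucraaa
 enable authentication mymethodlist
line vty 5 7
 login authentication labaccess
line vty 8 9
 login authentication missinglist
"""

AAA_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
LINE_RE = re.compile(r"^line (console|vty) (\d+)(?: (\d+))?$")
BIND_RE = re.compile(r"^(login|enable) authentication (\S+)$")


def parse(config):
    """Return ({(kind, name): [methods]}, [(line_label, kind, list_name)])."""
    method_lists, bindings, current_line = {}, [], None
    for raw in config.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indented = raw[:1].isspace()
        m = AAA_RE.match(text)
        if m:
            method_lists[(m.group(1), m.group(2))] = m.group(3).split()
            current_line = None
            continue
        m = LINE_RE.match(text)
        if m:
            kind, first, last = m.groups()
            current_line = f"{kind} {first}" + (f"-{last}" if last else "")
            continue
        m = BIND_RE.match(text)
        if m and current_line and indented:
            bindings.append((current_line, m.group(1), m.group(2)))
        elif not indented:
            current_line = None  # another top-level command ends the line block
    return method_lists, bindings


def audit(config):
    """Return sorted findings as (code, subject) tuples."""
    method_lists, bindings = parse(config)
    findings = set()
    for (kind, name), methods in method_lists.items():
        subject = f"{kind} list {name}"
        if methods == ["none"]:
            findings.add(("NONE_ONLY", subject))        # never authenticates
        elif "none" in methods[:-1]:
            findings.add(("NONE_NOT_LAST", subject))    # not used as a backup
        elif methods[-1] == "none":
            findings.add(("NONE_FALLBACK", subject))    # backup use: review
    for line_label, kind, name in bindings:
        subject = f"{line_label} -> {kind} list {name}"
        methods = method_lists.get((kind, name))
        if methods is None:
            findings.add(("UNDEFINED_LIST", subject))
        elif (kind == "login" and line_label.startswith("vty")
              and set(methods) <= {"none", "enable"}):
            # none and enable do not work with SSH (see the NOTE above)
            findings.add(("NO_SSH_CAPABLE_METHOD", subject))
    return sorted(findings)


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code:22} {subject}")
```

NONE_FALLBACK matches the backup use that the guide allows and is reported only so that each unauthenticated fallback is a deliberate decision.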
After you configure other privilege levels, enter those levels by adding the level parameter after the enable command or by configuring a user name or password that corresponds to the privilege level. For more information about configuring user names, refer to Configuring a Username and Password. By default, commands in the Dell Networking OS are assigned to different privilege levels. You can access those commands only if you have access to that privilege level.
Configuring the Enable Password Command To configure the Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, the system requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
Example of Obscuring Password and Keys

Dell(config)# service obscure-passwords

Configuring Custom Privilege Levels

In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible in different privilege levels. Within the Dell Networking OS, commands have certain privilege levels. With the privilege command, you can change the default level or you can reset their privilege level back to the default.
• level level: the range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
• command: a CLI keyword (up to five keywords allowed).
• reset: return the command to its default privilege mode.

Examples of Custom Privilege Level Commands

To view the configuration, use the show running-config command in EXEC Privilege mode. The following example shows a configuration to allow a user john to view only EXEC mode commands and all snmp-server commands.
Dell#confi
Dell(conf)#?
end           Exit from Configuration mode
exit          Exit from Configuration mode
no            Reset a command
snmp-server   Modify SNMP parameters
Dell(conf)#

Specifying LINE Mode Password and Privilege

You can specify a password authentication of all users on different terminal lines. The user’s privilege level is the same as the privilege level assigned to the terminal line, unless a more specific privilege level is assigned to the user.
Resetting a Password

To reset a password on the switch, follow the procedure in Recovering from a Forgotten Password on the switch.

RADIUS

Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
Idle Time

Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies the idle-time allowed for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following happen:
• The administrator changes the idle-time of the line on which the user has logged in.
• Defining a AAA Method List to be Used for RADIUS (mandatory)
• Applying the Method List to Terminal Lines (mandatory except when using default lists)
• Specifying a RADIUS Server Host (mandatory)
• Setting Global Communication Parameters for all RADIUS Server Hosts (optional)
• Monitoring RADIUS (optional)

For a complete listing of supported RADIUS commands, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
• To use the method list.
CONFIGURATION mode
authorization exec methodlist

Specifying a RADIUS Server Host

When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout.
To specify a RADIUS server host and configure its communication parameters, use the following command.
• Enter the host name or IP address of the RADIUS server host.
• Set a time interval after which a RADIUS host server is declared dead.
CONFIGURATION mode
radius-server deadtime seconds
• seconds: the range is from 0 to 2147483647. The default is 0 seconds.
• Configure a key for all RADIUS communications between the system and RADIUS server hosts.
CONFIGURATION mode
radius-server key [encryption-type] key
• encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text.
• key: enter a string. The key can be up to 42 characters long.
• TACACS+ Remote Authentication and Authorization
• Specifying a TACACS+ Server Host

For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell Networking OS Command Reference Guide.

Choosing TACACS+ as the Authentication Method

One of the available login authentication methods is TACACS+, in which the user’s name and password are sent for authentication to the specified TACACS hosts.
!
aaa authentication enable default tacacs+ enable
aaa authentication enable LOCAL enable tacacs+
aaa authentication login default tacacs+ local
aaa authentication login LOCAL local tacacs+
aaa authorization exec default tacacs+ none
aaa authorization commands 1 default tacacs+ none
aaa authorization commands 15 default tacacs+ none
aaa accounting exec default start-stop tacacs+
aaa accounting commands 1 default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
Dell(conf)#
Dell(conf)#
When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host

Dell#
Dell(conf)#
Dell(conf)#ip access-list standard deny10
Dell(conf-std-nacl)#permit 10.0.0.0/8
Dell(conf-std-nacl)#deny any
Dell(conf)#
Dell(conf)#aaa authentication login tacacsmethod tacacs+
Dell(conf)#aaa authentication exec tacacsauthorization tacacs+
Dell(conf)#tacacs-server host 25.1.1.
Login: admin
Password:
Dell#

Command Authorization

The AAA command authorization feature configures the system to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D).
• Configure the Dell Networking system as an SCP/SSH server.
CONFIGURATION mode
ip ssh server {enable | port port-number}
• Configure the Dell Networking system as an SSH server that uses only version 1 or 2.
CONFIGURATION mode
ip ssh server version {1|2}
• Display SSH connection information.
CONFIGURATION mode
copy scp: flash:
4 On Switch 2, in response to prompts, enter the path to the desired file and enter the port number specified in Step 1.
EXEC Privilege mode

Example of Using SCP to Copy from an SSH Server on Another Switch

Other SSH-related commands include:
• crypto key generate: generate keys for the SSH server.
• debug ip ssh: enables collecting SSH debug information.
• ip scp topdir: identify a location for files used in secure copy transfer.
To remove the generated RSA host keys and zeroize the key storage location, use the crypto key zeroize rsa command in CONFIGURATION mode.

Dell(conf)#crypto key zeroize rsa

Configuring When to Re-generate an SSH Key

You can configure the time-based or volume-based rekey threshold for an SSH session. If both threshold types are configured, the session rekeys when either one of the thresholds is reached.
Example of Configuring a Cipher List

The following example shows you how to configure a cipher list.

Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr

Configuring the HMAC Algorithm for the SSH Server

To configure the HMAC algorithm for the SSH server, use the ip ssh server mac hmac-algorithm command in CONFIGURATION mode.

hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server.

The following HMAC algorithms are available:
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256

The default list of HMAC algorithm is in the following order:
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96

When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256, hmac-sha1, hmac-sha1-96.
The following example shows you how to configure a cipher list.

Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr

Configuring the SSH Client Cipher List

To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.

cipher-list: Enter a space-delimited list of ciphers the SSH Client supports. The following ciphers are available.
• The files known_hosts and known_hosts2 are generated when a user tries to SSH using version 1 or version 2, respectively.

Enabling SSH Authentication by Password

Authenticate an SSH client by prompting for a password when attempting to connect to the Dell Networking system. This setup is the simplest method of authentication and uses SSH version 1.
To enable SSH password authentication, use the following command.
• Enable SSH password authentication.
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.

Configuring Host-Based SSH Authentication

Authenticate a particular host. This method uses SSH version 2.
To configure host-based authentication, use the following commands.
1 Configure RSA Authentication. Refer to Using RSA Authentication of SSH.
2 Create shosts by copying the public RSA key to the file shosts in the directory .
The following example shows creating rhosts.

admin@Unix_client# ls
id_rsa id_rsa.pub rhosts shosts
admin@Unix_client# cat rhosts
10.16.127.201 admin

Using Client-Based SSH Authentication

To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled.
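The AAA and SSH server settings described above can be checked offline against a saved running-config. The following is an added example, not code from Dell or from this guide: the rule names, the sample configuration, and the policy of flagging CBC-mode ciphers and MD5-based MACs are assumptions made for the illustration.

```python
import re

# Policy choices made by this example, not Dell defaults:
WEAK_MACS = {"hmac-md5", "hmac-md5-96"}  # the two MACs absent from the FIPS default list
WEAK_CIPHER_SUFFIX = "-cbc"              # assumption: policy allows CTR-mode ciphers only

# Constructed running-config excerpt that uses only commands shown in this guide.
SAMPLE_CONFIG = """\
aaa authentication login default tacacs+ local
aaa authentication login CONSOLE none
aaa authentication enable default tacacs+ enable
radius-server key 0 ExampleSharedSecret
ip ssh server enable
ip ssh server version 1
ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr
"""


def audit(config):
    """Return (line_number, rule, detail) findings; line_number 0 means the whole config."""
    findings = []
    ssh_enabled = False
    mac_list_set = False
    for num, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()

        # 'none' never authenticates the user; the guide recommends it only as a backup.
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", line)
        if m:
            methods = m.group(3).split()
            if methods[0] == "none":
                findings.append((num, "aaa-none-primary", f"method list {m.group(2)}"))
            elif "none" in methods:
                findings.append((num, "aaa-none-backup", f"method list {m.group(2)}"))
            continue

        # Type 0 keeps the RADIUS shared key as plain text (type 7 encrypts it).
        if re.match(r"radius-server key 0 \S", line):
            findings.append((num, "radius-key-plaintext", "key value not echoed"))
            continue

        if line == "ip ssh server enable":
            ssh_enabled = True
        elif line == "ip ssh server version 1":
            findings.append((num, "ssh-v1", "server restricted to SSH version 1"))
        elif line.startswith("ip ssh server cipher "):
            weak = [c for c in line.split()[4:] if c.endswith(WEAK_CIPHER_SUFFIX)]
            if weak:
                findings.append((num, "ssh-weak-cipher", " ".join(weak)))
        elif line.startswith("ip ssh server mac "):
            mac_list_set = True
            weak = [a for a in line.split()[4:] if a in WEAK_MACS]
            if weak:
                findings.append((num, "ssh-weak-mac", " ".join(weak)))

    # With no explicit MAC list the default order applies, and outside FIPS mode
    # (which this example does not detect) that list ends with the two MD5 MACs.
    if ssh_enabled and not mac_list_set:
        findings.append((0, "ssh-default-macs", "hmac-md5 hmac-md5-96"))
    return findings


if __name__ == "__main__":
    for line_number, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {line_number}: {rule}: {detail}")
```

The aaa-none-backup rule is informational, because a trailing none is the placement the guide itself recommends.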
VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 80.
NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication. The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No access class is configured for the VTY line. It defaults from the local database. NOTE: For more information, refer to Access Control Lists (ACLs).
VTY MAC-SA Filter Support

The system supports MAC access lists which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address. To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
50 Service Provider Bridging

Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS.

VLAN Stacking

VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
forward the frame traffic across its network. At the egress edge, the provider removes the S-Tag, so that the customer receives the frame in its original condition, as shown in the following illustration.

Figure 121. VLAN Stacking in a Service Provider Network

Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-stack-enabled VLAN.
• This limitation becomes relevant if you enable the port as a multi-purpose port (carrying single-tagged and double-tagged traffic).
• When the LP ports are present in RPM 10 and 11, VLAN stacking is supported.
• VLAN stacking is supported on C9010 ports but not on peGigE ports.

Configure VLAN Stacking

Configuring VLAN-Stacking is a three-step process.
1 Creating Access and Trunk Ports
2 Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports).
3 Enabling VLAN-Stacking for a VLAN.
Dell#show run interface te 2/0
!
interface TenGigabitEthernet 2/0
 no ip address
 switchport
 vlan-stack access
 no shutdown
Dell#show run interface te 2/12
!
interface TenGigabitEthernet 2/12
 no ip address
 switchport
 vlan-stack trunk
 no shutdown

Enable VLAN-Stacking for a VLAN

To enable VLAN-Stacking for a VLAN, use the following command.
• Enable VLAN-Stacking for the VLAN.
The default is 9100. To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. The system displays the S-Tag TPID only if it is a non-default value.

Configuring Options for Trunk Ports

802.1ad trunk ports may also be tagged members of a VLAN so that they can carry single and double-tagged traffic. You can enable trunk ports to carry untagged, single-tagged, and double-tagged VLAN traffic by making the trunk port a hybrid port.
    NUM    Status     Description    Q Ports
*   1      Inactive
    100    Inactive                  U Te 0/1
    101    Inactive                  T Te 0/1
    103    Inactive                  M Te 0/1

Debugging VLAN Stacking

To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
debug member

Example of Debugging a VLAN and its Ports

The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
VLAN Stacking

The default TPID for the outer VLAN tag is 0x9100. The system allows you to configure both bytes of the 2-byte TPID. Previous versions allowed you to configure the first byte only, and thus, the systems did not differentiate between TPIDs with a common first byte. For example, 0x8100 and any other TPID beginning with 0x81 were treated as the same TPID, as shown in the following illustration. The system differentiates between 0x9100 and 0x91XY, as shown in the following illustration.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 122.
Figure 123.
Figure 124. Single and Double-Tag TPID Mismatch

VLAN Stacking Packet Drop Precedence

VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
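The TPID matching and the DEI bit described above can be seen by parsing a double-tagged frame. The following is an added example, not Dell code: the frame bytes are constructed, the function names are hypothetical, and treating a TPID mismatch as "no S-Tag recognized" is a simplified model of the behavior the guide describes. The first_byte_only flag models the earlier releases that compared only the first TPID byte.

```python
import struct

DEFAULT_S_TPID = 0x9100  # default outer-tag (S-Tag) TPID stated in this guide
C_TPID = 0x8100          # IEEE 802.1Q TPID of the customer tag (C-Tag)


def parse_tci(tci):
    """Split the 16-bit tag control field: 3-bit priority, 1-bit DEI/CFI, 12-bit VLAN ID."""
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def build_frame(s_tpid, s_pcp, s_dei, s_vid, c_pcp, c_vid):
    """Build a constructed double-tagged frame (addresses and payload are made up)."""
    dst = bytes.fromhex("01005e000001")
    src = bytes.fromhex("020000000001")
    s_tci = (s_pcp << 13) | (s_dei << 12) | s_vid
    c_tci = (c_pcp << 13) | c_vid
    tags = struct.pack("!HHHHH", s_tpid, s_tci, C_TPID, c_tci, 0x0800)
    return dst + src + tags + bytes(46)


def classify(frame, port_tpid=DEFAULT_S_TPID, first_byte_only=False):
    """Report how a port configured with port_tpid would see the frame's tags.

    first_byte_only=True models the older behavior in which TPIDs sharing a
    first byte were treated as the same TPID.
    """
    if len(frame) < 16:
        raise ValueError("frame too short to carry a VLAN tag")
    outer_type, outer_tci = struct.unpack_from("!HH", frame, 12)
    if first_byte_only:
        matched = (outer_type >> 8) == (port_tpid >> 8)
    else:
        matched = outer_type == port_tpid
    if not matched:
        # Mismatched TPID: the port cannot tell this frame from untagged traffic.
        return {"seen_as": "untagged", "s_tag": None, "c_tag": None}

    result = {"seen_as": "single-tagged", "s_tag": parse_tci(outer_tci), "c_tag": None}
    if len(frame) >= 20:
        inner_type, inner_tci = struct.unpack_from("!HH", frame, 16)
        if inner_type == C_TPID:
            result["seen_as"] = "double-tagged"
            result["c_tag"] = parse_tci(inner_tci)
    return result


if __name__ == "__main__":
    good = build_frame(0x9100, s_pcp=5, s_dei=1, s_vid=100, c_pcp=3, c_vid=10)
    odd = build_frame(0x9188, s_pcp=5, s_dei=1, s_vid=100, c_pcp=3, c_vid=10)
    print("0x9100 frame:", classify(good))
    print("0x9188 frame, both bytes compared:", classify(odd))
    print("0x9188 frame, first byte only:", classify(odd, first_byte_only=True))
```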
Enabling Drop Eligibility

Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to the following table.

Table 81. Drop Eligibility Behavior

Ingress        Egress         DEI Disabled            DEI Enabled
Normal Port    Normal Port    Retain CFI              Set CFI to 0.
Trunk Port     Trunk Port     Retain inner tag CFI    Retain inner tag CFI.
Dell#show interface dei-honor
Default Drop precedence: Green
Interface   CFI/DEI   Drop precedence
---------------------------------------
Te 0/1      0         Green
Te 0/1      1         Yellow
Te 1/9      1         Red
Te 1/40     0         Yellow

Marking Egress Packets with a DEI Value

On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value.
To mark egress packets, use the following command.
Dynamic Mode CoS for VLAN Stacking

One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to an S-Tag 802.1p value.

Figure 125.
Examples of QoS Interface Configuration and Rate Policing

policy-map-input in layer2
 service-queue 3 class-map a qos-policy 3
!
class-map match-any a layer2
 match mac access-group a
!
mac access-list standard a
 seq 5 permit any
!
qos-policy-input 3 layer2
 rate-police 40

Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3.
EXEC Privilege mode
copy running-config startup-config
reload
3 Map C-Tag dot1p values to a S-Tag dot1p value.
INTERFACE mode
vlan-stack dot1p-mapping c-tag-dot1p values sp-tag-dot1p value
Separate C-Tag values by commas. Dashed ranges are permitted.
Dynamic Mode CoS overrides any Layer 2 QoS configuration in case of conflicts.
NOTE: Because dot1p-mapping marks and queues packets, the only remaining applicable QoS configuration is rate metering. You may use Rate Shaping or Rate Policing.
traverse the intermediate network might be consumed and later dropped because the intermediate network itself might be using spanning tree (shown in the following illustration).

Figure 126. VLAN Stacking without L2PT

You might need to transport control traffic transparently through the intermediate network to the other region.
Dell Networking OS Behavior: The L2PT MAC address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge.

Figure 127. VLAN Stacking with L2PT

Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling

To enable Layer 2 protocol tunneling, use the following command.
1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
EXEC Privilege mode
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs the VLAN.
For details about this command, refer to CAM Allocation.
2 Save the running-config to the startup-config.
EXEC Privilege mode
copy running-config startup-config
3 Reload the system.
EXEC Privilege mode
reload
4 Set a maximum rate at which the BPDUs are processed for L2PT.
VLAN STACKING mode
protocol-tunnel rate-limit
The default is: no rate limiting. The range is from 64 to 320 kbps.

Debugging Layer 2 Protocol Tunneling

To debug Layer 2 protocol tunneling, use the following command.
Provider backbone bridging through IEEE 802.1ad eliminates the need for tunneling BPDUs with L2PT and increases the reliability of provider bridge networks as the network core need only learn the MAC addresses of core switches, as opposed to all MAC addresses received from attached customer devices. • Use the Provider Bridge Group address as the destination MAC address in BPDUs. The xstp keyword applies this functionality to STP, RSTP, and MSTP; this functionality is not available for PVST+.
51 sFlow

sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
Implementation Information

Dell Networking sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based on all the ports in that port-pipe. If you do not enable sFlow on any port specifically, the global sampling rate is downloaded to that port and is used to calculate the port-pipe’s lowest sampling rate. This design supports the possibility that sFlow might be configured on that port in the future. Back-off is triggered based on the port-pipe’s hardware sampling rate.
• Enable sFlow globally.
CONFIGURATION mode
[no] sflow enable

Enabling and Disabling sFlow on an Interface

By default, sFlow is disabled on all interfaces. This CLI is supported on physical ports and link aggregation group (LAG) ports.
To enable sFlow on a specific interface, use the following command.
• Enable sFlow on an interface.
INTERFACE mode
[no] sflow enable
To disable sFlow on an interface, use the no version of this command.
77 UDP packets exported
0 UDP packets dropped
165 sFlow samples collected
69 sFlow samples dropped due to sub-sampling
Linecard 1 Port set 0 H/W sampling rate 8192
 Te 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1
 Te 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2

Displaying Show sFlow on an Interface

To view sFlow information on a specific interface, use the following command.
• Display sFlow configuration information and statistics on a specific interface.
Samples rcvd from h/w              :165
Samples dropped for sub-sampling   :69
Total UDP packets exported         :77
UDP packets exported via RP        :77
UDP packets dropped                :

Configuring Specify Collectors

The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
• Identify sFlow collectors to which sFlow datagrams are forwarded.
Back-Off Mechanism

If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling rate (halves the number of samples per second) for all interfaces. The back-off mechanism continues to double the sampling rate until the CPU condition is cleared. This is as per sFlow version 5 draft.
Collector IP addr: 10.10.10.3, Agent IP addr: 10.10.0.
IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description routing protocols, and for cases where is source is reachable over ECMP. BGP BGP Exported Exported Extended gateway data is packed.
52 Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.

NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB). MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.
• Manage VLANs Using SNMP
• Enabling and Disabling a Port using SNMP
• Fetch Dynamic MAC Entries using SNMP
• Deriving Interface Indices
• Monitor Port-channels

Important Points to Remember
• Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications. If you experience a timeout with these values, increase the timeout value to greater than 3 seconds, and increase the retry value to greater than 2 seconds on your SNMP server.
Example of Creating an SNMP Community

To view your SNMP configuration, use the show running-config snmp command from EXEC Privilege mode.

Dell(conf)#snmp-server community my-snmp-community ro
22:31:23: %SYSTEM-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
snmp-server view view-name 3 noauth {included | excluded}
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
Examples of Reading Managed Object Values

In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays.

> snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16
> snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0

The following example shows reading the value of the next managed object.

> snmpgetnext -v 2c -c mycommunity 10.11.131.161 .1.
• (From a Dell Networking system) Identify the system manager along with this person’s contact information (for example, an email address or phone number).
CONFIGURATION mode
snmp-server contact text
You may use up to 55 characters. The default is None.
• (From a Dell Networking system) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
CONFIGURATION mode
snmp-server location text
You may use up to 55 characters. The default is None.
Use the util-threshold cpu command to configure the high or low CPU utilization threshold for SNMP traps. Use the show util-threshold cpu command to display the configured values of CPU utilization thresholds.

Parameters
• cpu-utilization-time — Enter one of the following values to configure the threshold level for the time in which a switch CPU can be used:
  • 5 sec
  • 1 min
  • 5 min
• cp — Enter the keyword cp to configure the CPU utilization time for the Control Processor CPU.
RP LP LP LP LP LP LP LP LP LP LP LP LP PE 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 2 3 4 5 6 7 8 9 10 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 85 85 85 85 85 85 85 85 85 85 85 85 85 85 75 75 75 75 75 75 75 75 75 75 75 75 75 75 80 80 80 80 80 80 80 80 80 80 80 80 80 80 70 70 70 70 70 70 70 70 70 70 70 70 70 70

Configuring Threshold Memory Utilization for SNMP Traps

When the total memory utilization for a CPU exceeds the configured high/low threshold for a given time, a threshold notification is sent as an SNMP trap.
CONFIGURATION mode
util-threshold memory {5 sec | 1 min | 5 min} {cp |rp | lp | pe | all} {high {0-100} | low {0-100}}

Example of Configuring CPU Utilization Threshold

To display the configured values of memory utilization thresholds, use the show util-threshold memory command from CONFIGURATION mode.
snmp-server host ip-address [traps | informs] [version 1 | 2c |3] [communitystring]
To send trap messages, enter the keyword traps. To send informational messages, enter the keyword informs. To send the SNMP version to use for notification messages, enter the keyword version. To identify the SNMPv1 community string, enter the name of the community-string.
2 Specify which traps the Dell Networking system sends to the trap receiver.
The following traps are available.
temperature is within threshold of %dC)
MAJOR_TEMP: Major alarm: chassis temperature high (%s temperature reaches or exceeds threshold of %dC)
MAJOR_TEMP_CLR: Major alarm cleared: chassis temperature lower (%s %d temperature is within threshold of %dC)
envmon fan
FAN_TRAY_BAD: Major alarm: fantray %d is missing or down
FAN_TRAY_OK: Major alarm cleared: fan tray %d present
FAN_BAD: Minor alarm: some fans in fan tray %d are down
FAN_OK: Minor alarm cleared: all fans in fan tray %d are good
vlt
Enable VLT trap
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 6 Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1489568) 4:08:15.68,SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
Table 83. List of Syslog Server MIBS that have read access
MIB Object: dF10SysLogTraps
OID: 1.3.6.1.4.1.6027.3.30.1.1
Object Values: 1 = reachable, 2 = unreachable
Description: Specifies whether the syslog server is reachable or unreachable.

The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost:

DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38 SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.1 SNMPv2-SMI::enterprises.
MIB Object OID Object Values 2 = running-config Description • 3 = startup-config • copySrcFileLocation 1 = flash . 1.3.6.1.4.1.6027.3.5.1.1.1.1. 2 = slot0 3 3 = tftp If copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash. If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName. Specifies the location of source file.
MIB Object OID Object Values Description 4 = ftp copyServerAddress, copyUserName, and copyUserPassword. 5 = scp copyDestFileName . Path (if the file is not in Specifies the name of 1.3.6.1.4.1.6027.3.5.1.1.1.1. the default directory) and destination file. 7 filename. copyServerAddress . IP Address of the server. 1.3.6.1.4.1.6027.3.5.1.1.1.1. 8 The IP address of the server. . Username for the server. 1.3.6.1.4.1.6027.3.5.1.1.1.1. 9 Username for the FTP, TFTP, or SCP server. .
• index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears. In this case, increment the index value and enter the command again.
Error in packet.
Reason: notWritable (that object does not support modification)
Failed object: FTOS-COPY-CONFIG-MIB::copySrcFileType.101
• To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
Copying the Startup-Config Files to the Running-Config

To copy the startup-config to the running-config from a UNIX machine, use the following command.
• Copy the startup-config to the running-config from a UNIX machine.
snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2

Examples of Copying Configuration Files from a UNIX Machine

The following example shows copying configuration files from a UNIX machine using the object name.
FTOS-COPY-CONFIG-MIB::copyUserName.110 = STRING: mylogin
FTOS-COPY-CONFIG-MIB::copyUserPassword.110 = STRING: mypass

Copying the Startup-Config Files to the Server via TFTP

To copy the startup-config to the server via TFTP from the UNIX machine, use the following command.
NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory.
• Copy the startup-config to the server via TFTP from the UNIX machine.
snmpset -v 2c -c public -m .
Additional MIB Objects to View Copy Statistics Dell Networking provides more MIB objects to view copy statistics, as shown in the following table. Table 85. Additional MIB Objects for Copying Configuration Files via SNMP MIB Object OID Values copyState 1= running . 1.3.6.1.4.1.6027.3.5.1.1.1.1. 2 = successful 11 Description Specifies the state of the copy operation. 3 = failed copyTimeStarted . Time value 1.3.6.1.4.1.6027.3.5.1.1.1.1.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address [OID.index | mib-object.index]
index: the index value used in the snmpset command used to complete the copy operation.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index.

Examples of Getting a MIB Object Value

The following examples show the snmpget command to obtain a MIB object value.
Assigning a VLAN Alias

Write a character string to the dot1qVlanStaticName object to assign a name to a VLAN.

Example of Assigning a VLAN Alias using SNMP

[Unix system output]
> snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN"
SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
F10-ISIS-MIB::f10IsisSysOloadV6WaitForBgp
To enable overload bit for IPv4 set 1.3.6.1.4.1.6027.3.18.1.1 and IPv6 set 1.3.6.1.4.1.6027.3.18.1.4
To set time to wait set 1.3.6.1.4.1.6027.3.18.1.2 and 1.3.6.1.4.1.6027.3.18.1.5 respectively
To set time to wait till bgp session are up set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6

Enabling and Disabling a Port using SNMP

To enable and disable a port using SNMP, use the following commands.
1 Create an SNMP community on the Dell system.
Fetch Dynamic MAC Entries using SNMP
Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.1d itself does not define them. As a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address query.
Example of Fetching MAC Addresses Learned on a Non-default VLAN Using SNMP In the following example, TenGigabitEthernet 1/21 is moved to VLAN 1000, a non-default VLAN. To fetch the MAC addresses learned on non-default VLANs, use the object dot1qTpFdbTable. The instance number is the VLAN number concatenated with the decimal conversion of the MAC address.
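The instance numbering described above can be checked offline. The following is an added example, not part of the Dell guide: it builds the dot1qTpFdbPort instance OID from a VLAN and a MAC address, parses numeric snmpwalk lines back into (VLAN, MAC, port), and flags MAC addresses that are not on an expected list for the VLAN. The column OID is the standard Q-BRIDGE-MIB value; the function names, the sample walk lines and the expected-MAC list are constructed for illustration.

```python
import re

# dot1qTpFdbPort column of dot1qTpFdbTable (standard Q-BRIDGE-MIB).
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"


def mac_to_octets(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or Dell-style aabb.ccdd.eeff."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(digits[i:i + 2], 16) for i in range(0, 12, 2)]


def fdb_instance_oid(vlan, mac):
    """Instance = VLAN number followed by the six MAC octets in decimal."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN out of range: {vlan}")
    index = [vlan] + mac_to_octets(mac)
    return DOT1Q_TP_FDB_PORT + "." + ".".join(str(n) for n in index)


def parse_walk_line(line):
    """Return (vlan, mac, port) for a dot1qTpFdbPort row, else None."""
    m = re.match(r"\s*\.?([0-9.]+)\s*=\s*INTEGER:\s*(\d+)\s*$", line)
    if not m:
        return None
    oid, port = m.group(1), int(m.group(2))
    prefix = DOT1Q_TP_FDB_PORT + "."
    if not oid.startswith(prefix):
        return None
    parts = oid[len(prefix):].split(".")
    if len(parts) != 7 or not all(p.isdigit() for p in parts):
        return None
    vlan, octets = int(parts[0]), [int(p) for p in parts[1:]]
    if any(o > 255 for o in octets):
        return None
    return vlan, ":".join(f"{o:02x}" for o in octets), port


def unexpected_macs(walk_lines, expected):
    """List FDB rows whose MAC is not in the expected set for its VLAN."""
    findings = []
    for line in walk_lines:
        entry = parse_walk_line(line)
        if entry is None:
            continue
        vlan, mac, _port = entry
        if mac not in expected.get(vlan, set()):
            findings.append(entry)
    return findings


# Constructed sample input (numeric OID output format), not captured from a device.
SAMPLE_WALK = [
    ".1.3.6.1.2.1.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 118",
    ".1.3.6.1.2.1.17.7.1.2.2.1.2.1000.2.0.94.16.32.48 = INTEGER: 118",
    ".1.3.6.1.2.1.1.3.0 = Timeticks: (8500842) 23:36:48.42",
]
EXPECTED = {1000: {"00:01:e8:06:95:ac"}}

if __name__ == "__main__":
    print(fdb_instance_oid(1000, "0001.e806.95ac"))
    for vlan, mac, port in unexpected_macs(SAMPLE_WALK, EXPECTED):
        print(f"unexpected MAC {mac} on VLAN {vlan}, port index {port}")
```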
The interface index is a binary number with bits that indicate the slot number, port number, interface type, and card type of the interface. The system converts this binary index number to decimal, and displays it in the show command output. Figure 128. Example of Assigning Interface Index Numbers Starting from the least significant bit (LSB) in the preceding figure: • The first 14 bits represent the card type of a physical interface or the interface number of a logical interface.
• The next 12 bits (000011000100) identify slot 0 and port 4.
• The next bit (0) identifies a physical interface.
• The last bit is always 0, which means that it is unused.
NOTE: The interface index does not change if the interface reloads or fails over.
Monitor Port-Channels
To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode.
IF-MIB::ifIndex.33865785 = INTEGER: 33865785 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Te 0/0" 2010-02-10 14:22:39 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42 SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Po 1" 2010-02-10 14:22:40 10.16.130.4 [10.16.130.
53 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. To view the storm control broadcast configuration, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
Configuring Storm Control from INTERFACE Mode To configure storm control, use the following command. From INTERFACE mode: • You can only configure storm control for ingress traffic. • If you configure storm control from both INTERFACE and CONFIGURATION mode, the INTERFACE mode configurations override the CONFIGURATION mode configurations. • The storm control is calculated in packets per second. • Configure storm control.
CONFIGURATION mode • storm-control multicast packets_per_second in Configure the packets per second of unknown-unicast traffic allowed in or out of the network.
54 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
Dell Networking Term IEEE Specification Per-VLAN Spanning Tree Plus (PVST+) Third Party Configure Spanning Tree Configuring spanning tree is a two-step process.
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.
Figure 130. Example of Configuring Interfaces for Layer 2 Mode
To configure and enable the interfaces for Layer 2, use the following command.
1 If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2 Place the interface in Layer 2 mode.
switchport
3 Enable the interface.
INTERFACE mode
no shutdown
Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#
Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default.
• Bridges block a redundant path by disabling one of the link ports. Figure 131. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1 Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2 Enable STP. PROTOCOL SPANNING TREE mode no disable Examples of Verifying and Viewing Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command. Modifying Global Parameters You can modify the spanning tree parameters.
The range is from 4 to 30. The default is 15 seconds.
• Change the hello-time parameter (the BPDU transmission interval).
PROTOCOL SPANNING TREE mode
hello-time seconds
NOTE: With large configurations (especially those with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology).
The range is from 0 to 15. The default is 8. To view the current values for interface parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Enabling PortFast The PortFast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
Preventing Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
• Disabling global spanning tree (the no spanning-tree in CONFIGURATION mode).
Figure 132. Enabling BPDU Guard
Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard:
• is used on edgeports and blocks all traffic on edgeport if it receives a BPDU.
• drops the BPDU after it reaches the Route Processor and generates a console message.
---------- -------- ---- ------- --- ------- -------------------Te 0/6 128.263 128 20000 FWD 20000 32768 0001.e805.fb07 128.653 Te 0/7 128.264 128 20000 EDS 20000 32768 0001.e85d.0e90 128.264 Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ---------- ------ -------- ---- ------- --- ---------------Te 0/6 Root 128.263 128 20000 FWD 20000 P2P No Te 0/7 ErrDis 128.
Because any switch in an STP network with a lower priority can become the root bridge, the forwarding topology may not be stable. The location of the root bridge can change, resulting in unpredictable network behavior. The STP root guard feature ensures that the position of the root bridge does not change. Root Guard Scenario For example, as shown in the following illustration (STP topology 1, upper left) Switch A is the root bridge in the network core.
Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface.
snmp-server enable traps xstp STP Loop Guard The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port does not receive BPDUs. When an STP blocking port does not receive BPDUs, it transitions to a Forwarding state.
As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state. If you disable STP loop guard on a port in a Loop-Inconsistent state, the port transitions to an STP blocking state and restarts the max-age timer. Figure 134. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis.
• Spanning Tree Protocol (STP) • Rapid Spanning Tree Protocol (RSTP) • Multiple Spanning Tree Protocol (MSTP) • Per-VLAN Spanning Tree Plus (PVST+) • You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard.
Name      Instance  Sts          Guard type
--------- --------  ---------    ----------
Te 0/1    0         INCON(Root)  Rootguard
Te 0/2    0         LIS          Loopguard
Te 0/3    0         EDS (Shut)   Bpduguard
55 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see Dell Networking Open Automation guide. Figure 135.
Topics: • Configuring SupportAssist Using a Configuration Wizard • Configuring SupportAssist Manually • Configuring SupportAssist Activity • Configuring SupportAssist Company • Configuring SupportAssist Person • Configuring SupportAssist Server • Viewing SupportAssist Configuration Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist.
the information for providing recommendations to improve your IT infrastructure.
contact-person [first ] last Dell(conf)#support-assist Dell(conf-supportassist)#contact-person first john last doe Dell(conf-supportassist-pers-john_doe)# 5 (Optional) Configure the name of the remote SupportAssist Server and move to SupportAssist Server mode.
action-manifest get tftp | ftp | flash
Dell(conf-supportassist-act-full-transfer)#action-manifest get tftp://10.0.0.1/ test file
Dell(conf-supportassist-act-full-transfer)#
The custom action-manifest file is a JSON file. Syntax of the custom action-manifest file:
{
"show command-1" : "xml tag-1",
"show command-2" : "xml tag-2",
"show command-3" : "xml tag-3",
...
}
[no] enable Dell(conf-supportassist-act-full-transfer)#enable Dell(conf-supportassist-act-full-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company. SupportAssist Company configurations are optional for the SupportAssist service. To configure SupportAssist company, use the following commands. 1 Configure the contact information for the company.
Configuring SupportAssist Person SupportAssist Person mode allows you to configure name, email addresses, phone, method and time zone for contacting the person. SupportAssist Person configurations are optional for the SupportAssist service. To configure SupportAssist person, use the following commands. 1 Configure the contact name for an individual.
Configuring SupportAssist Server SupportAssist Server mode allows you to configure server name and the means of reaching the server. By default, a SupportAssist server URL has been configured on the device. Configuring a URL to reach the SupportAssist remote server should be done only under the direction of Dell SupportChange. To configure SupportAssist server, use the following commands. 1 Configure the name of the remote SupportAssist Server and move to SupportAssist Server mode.
show support-assist status
Dell#show support-assist status
SupportAssist Service: Installed
EULA: Accepted
Server: default
Enabled: Yes
URL: https://stor.g3.ph.dell.com
Service status: Enabled
Server: chennai
Enabled: Yes
URL: http://10.16.148.19/
Activity        State    Last Start                Last Success
-------------   -------  ------------------------  ------------------------
full-transfer   Success  Aug 10 2015 11:15:26 PST  Aug 10 2015 11:15:28 PST
2 Display the current configuration and changes from the default values.
may include but is not limited to configuration information, user supplied contact information, names of data volumes, IP addresses, access control lists, diagnostics & performance information, network configuration information, host/server configuration & performance information and related data (Collected Data) and transmits this information to Dell. By downloading SupportAssist and agreeing to be bound by these terms and the Dell end user license agreement, available at: www.dell.
56 System Time and Date System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI. Topics: • Network Time Protocol • Time and Date Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
also definitive maximum error bounds, so that the user interface can determine not only the time, but the quality of the time as well. In what may be the most common client/server model, a client sends an NTP message to one or more servers and processes the replies as received. The server interchanges addresses and ports, overwrites certain fields in the message, recalculates the checksum and returns the message immediately.
each peer is able to select the best time from possibly several other clocks, update the local clock, and estimate its accuracy. Figure 136. NTP Fields Implementation Information Dell Networking systems can only be an NTP client. Configure the Network Time Protocol Configuring NTP is a one-step process.
Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell Networking system synchronizes.
Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, the system drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources. NTP authentication begins when the first NTP packet is created following the configuration of keys. NTP authentication in Dell Networking OS uses the message digest 5 (MD5) algorithm and the key is embedded in the synchronization packet that is sent to an NTP time source.
5 • hostname : Enter the keyword hostname to see the IP address or host name of the remote device. • ipv4-address : Enter an IPv4 address in dotted decimal format (A.B.C.D). • ipv6-address : Enter an IPv6 address in the format 0000:0000:0000:0000:0000:0000:0000:0000. Elision of zeros is supported. • key keyid : Configure a text string as the key exchanged between the NTP server and the client. • prefer: Enter the keyword prefer to set this NTP server as the preferred server.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
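In standard NTP symmetric-key authentication (RFC 5905), the packet carries a key ID and an MD5 digest computed over the shared key followed by the NTP header. The following added example, which is not Dell Networking OS code, builds such a packet and shows the receiver-side checks: missing authenticator, untrusted key ID, and digest mismatch. The NTP version number, key ID, key value and function names are assumptions chosen for illustration, and extension fields are not handled.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48          # fixed NTP header
MAC_LEN = 4 + 16             # 32-bit key ID + 128-bit MD5 digest


def build_client_header(transmit_ts, version=4):
    """Minimal client-mode header; version 4 is an assumption for this example."""
    li_vn_mode = (0 << 6) | (version << 3) | 3   # LI=0, Mode=3 (client)
    return struct.pack(
        "!BBbbIII4Q",
        li_vn_mode, 0, 6, -20,    # stratum, poll, precision
        0, 0, 0,                  # root delay, root dispersion, reference ID
        0, 0, 0, transmit_ts,     # reference, origin, receive, transmit timestamps
    )


def sign_packet(header, key_id, key):
    """Append key ID and MD5(key || header) to the header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("header must be 48 bytes")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_packet(packet, trusted_keys):
    """Return 'ok', 'unauthenticated', 'untrusted-key' or 'bad-digest'."""
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return "unauthenticated"
    header = packet[:NTP_HEADER_LEN]
    (key_id,) = struct.unpack_from("!I", packet, NTP_HEADER_LEN)
    received = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return "untrusted-key"
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return "ok" if hmac.compare_digest(expected, received) else "bad-digest"


# Constructed values for the demonstration.
SAMPLE_KEY_ID = 1
SAMPLE_KEY = b"constructed-ntp-key"
SAMPLE_TRANSMIT_TS = 0xE0A1B2C300000000

if __name__ == "__main__":
    pkt = sign_packet(build_client_header(SAMPLE_TRANSMIT_TS), SAMPLE_KEY_ID, SAMPLE_KEY)
    trusted = {SAMPLE_KEY_ID: SAMPLE_KEY}
    print(verify_packet(pkt, trusted))                        # signed by a trusted key
    print(verify_packet(bytes([pkt[0] ^ 1]) + pkt[1:], trusted))  # header altered in transit
    print(verify_packet(pkt[:NTP_HEADER_LEN], trusted))       # authenticator stripped
```

MD5 in this construction only authenticates the time source to holders of the shared key; it does not encrypt the packet, so the key itself must be protected in the device configuration.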
Time and Date You can set the time and date in the Dell Networking OS using the CLI. Configuration Task List This section describes configuring the time and date settings.
Setting the Timezone Universal time coordinated (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean time. When determining system time, include the differentiator between UTC and your local timezone. For example, San Jose, CA is the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command. • Set the clock to the appropriate timezone.
• start-year: enter a four-digit number as the year. The range is from 1993 to 2035.
• start-time: enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm.
• end-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• end-day: enter the number of the day. The range is from 1 to 31.
• end-week: If you entered a start-week, enter one of the following as the week that daylight saving ends:
• week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
• first: Enter the keyword first to start daylight saving time in the first week of the month.
• last: Enter the keyword last to start daylight saving time in the last week of the month.
• end-month: Enter the name of one of the 12 months in English.
Configuring a Custom-defined Period for NTP time Synchronization You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure. • Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
57 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPV6IP mode (IPv4 tunnel carries IPv6 traffic only): Dell(conf)#interface tunnel 2 Dell(conf-if-tu-2)#tunnel source 60.1.1.1 Dell(conf-if-tu-2)#tunnel destination 90.1.1.1 Dell(conf-if-tu-2)#tunnel mode ipv6ip Dell(conf-if-tu-2)#ipv6 address 2::1/64 Dell(conf-if-tu-2)#no shutdown Dell(conf-if-tu-2)#show config ! interface Tunnel 2 no ip address ipv6 address 2::1/64 tunnel destination 90.1.1.1 tunnel source 60.1.1.
The following sample configuration shows how to use the tunnel interface configuration commands. Dell(conf-if-te-0/0)#show config ! interface TenGigabitEthernet 0/0 ip address 20.1.1.1/24 ipv6 address 20:1::1/64 no shutdown Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#ip unnumbered tengigabitethernet 0/0 Dell(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 0/0 Dell(conf-if-tu-1)#tunnel source 40.1.1.
Configuring Tunnel source anylocal Decapsulation The tunnel source anylocal command allows a multipoint receive-only tunnel to decapsulate tunnel packets addressed to any IPv4 or IPv6 (depending on the tunnel mode) address configured on the switch that is operationally UP. The source anylocal parameters can be used for packet decapsulation instead of the ip address or interface (tunnel allow-remote command), but only on multipoint receive-only mode tunnels.
• The IP MTU configured on the physical interface determines how multiple nested encapsulated packets are handled in a multipoint receive-only tunnel. • Control-plane packets received on a multipoint receive-only tunnel are destined to the local IP address and routed to the CPU after decapsulation. A response to these packets from the switch is only possible if the route to the sender does not pass through a receive-only tunnel.
58 Upgrade Procedures For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version. Upgrade Overview To upgrade system software on the switch, follow these general steps: 1 Identify the boot and system images currently stored on the switch (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command.
• When booting from the local flash, boot up with an image stored in the same partition: A or B. A firmware upgrade includes upgrades for the system image, BIOS, and bootcode. Use the upgrade command to upgrade the switch firmware by downloading an image from a network server or from the local flash. This image contains independent images for the CPUs: Control Processor (CP), Route Processor (RP), and line-card processor (LP).
59 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
• In Step C, UFD on S1 disables the link to the server. The server then stops using the link to S1 and switches to using its link to S2 to send traffic upstream to R1. Figure 137. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group.
An enabled uplink-state group tracks the state of all assigned upstream interfaces. Failure on an upstream interface results in the automatic disabling of downstream interfaces in the uplink-state group. As a result, downstream devices can execute the protection or recovery procedures they have in place to establish alternate connectivity paths, as shown in the following illustration. Figure 138.
Important Points to Remember
When you configure UFD, the following conditions apply.
• You can configure up to 16 uplink-state groups. By default, no uplink-state groups are created.
• An uplink-state group is considered to be operationally up if it has at least one upstream interface in the Link-Up state.
• An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state.
To delete an uplink-state group, use the no uplink-state-group group-id command. 2 Assign a port or port-channel to the uplink-state group as an upstream or downstream interface.
6 (Optional) Disable upstream-link tracking without deleting the uplink-state group.
UPLINK-STATE-GROUP mode
no enable
By default, upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command.
Clearing a UFD-Disabled Interface
You can manually bring up a downstream interface in an uplink-state group that UFD disabled and that is in a UFD-Disabled Error state.
disabled: Fo 1/12 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/0 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/4 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/8 02:36:43: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 1/12 02:37:29: %SYSTEM-P:CP %IFMGR-5-ASTATE_DN: down: Te 0/47 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: 0/47 02:37:29 : UFD: Group:3, UplinkState: DOWN 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: down: Group 3 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_DN: disabled: Fo 1/0 02:37:29: %SYSTEM-P:CP %IFMGR-5-OSTATE_D
• • 10-Gigabit Ethernet: enter tengigabitethernet slot/port. • 10-Gigabit Ethernet: enter tengigabitethernet slot/port. • Port channel: enter port-channel {1-512}. If a downstream interface in an uplink-state group is disabled (Oper Down state) by uplink-state tracking because an upstream port is down, the message error-disabled[UFD] displays in the output. Display the current configuration of all uplink-state groups or a specified group.
The following example shows viewing the uplink state group interface status for an S50 system.
Sample Configuration: Uplink Failure Detection
The following example shows a sample configuration of UFD on a switch/router, configured as follows.
• Configure uplink-state group 3.
• Add downstream links Tengigabitethernet 0/1, 0/2, 0/5, 0/9, 0/11, and 0/12.
• Configure two downstream links to be disabled if an upstream link fails.
• Add upstream links Tengigabitethernet 0/3 and 0/4.
• Add a text description for the group.
• Verify the configuration with various show commands.
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 0/3(Up) Te 0/4(Dwn)
Downstream Interfaces : Te 0/1(Dis) Te 0/2(Dwn) Te 0/5(Dwn) Te 0/9(Dwn) Te 0/11(Dwn) Te 0/12(Dwn)
60 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
those interfaces. Different VLANs can communicate between each other by means of IP routing. Because traffic is only broadcast or flooded to the interfaces within a VLAN, the VLAN conserves bandwidth. Finally, you can have multiple VLANs configured on one switch, thus segmenting the device. Interfaces within a port-based VLAN must be in Layer 2 mode and can be tagged or untagged in the VLAN ID. VLANs and Port Tagging To add an interface to a VLAN, the interface must be in Layer 2 mode.
Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
Configuring Native VLANs
Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up. As shown in the following example, VLAN 1 is inactive because it does not contain any interfaces. The other VLANs contain enabled interfaces and are active. NOTE: In a VLAN, the shutdown command stops Layer 3 (routed) traffic only. Layer 2 traffic continues to pass through the VLAN. If the VLAN is not a routed VLAN (that is, configured with an IP address), the shutdown command has no effect on VLAN traffic.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands. 1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2 Enable an interface to include the IEEE 802.1Q tag header.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1 Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
NUM * 1 2 3 4 Dell# Status Q Inactive Active T T Active T T Active U Ports Po1(Te 0/0-1) Te 2/0 Po1(Te 0/0-1) Te 2/1 Te 2/2 The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode.
61 VLT Proxy Gateway
The Virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a L3 end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration.
core or Layer 3 routers C and D in local VLT Domain and C1 and D1 in the remote VLT Domain are then part of a Layer 3 cloud. Figure 140. VLT Proxy Gateway — Topology 1 Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable this functionality: 1 The proxy gateway is supported only for VLT; for example, across VLT domain.
5 The connection between DCs can only be a L3 VLT in eVLT format. For more information, refer to the eVLT Configuration Example.
6 Trace route across DCs may show extra hops.
7 You must maintain route symmetry across the VLT domains to ensure no traffic drops. When the routing table across DCs is not symmetrical, there is a possibility of a routing miss by a DC that does not have the route for the L3 traffic.
• LLDP has a limited TLV size. As a result, information that is carried by this new TLV is limited to only one or two MAC addresses. • You must ensure proper configuration and physical setup on all related systems. LLDP Organizational TLV for Proxy Gateway Define a new organizational TLV : • LLDP defines an organizationally specific TLV (type 127) with an organizationally unique identifier (0x0001E8) and organizationally defined subtype (0x01) for sending or receiving this information.
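The TLV identifiers given above (type 127, OUI 0x0001E8, subtype 0x01) are enough to pick the proxy gateway TLV out of a received LLDPDU. The following added example, not taken from the Dell guide, walks the standard LLDP TLV framing (7-bit type, 9-bit length) and returns the information bytes of matching TLVs, rejecting truncated input. The layout of the information field is not described on this page, so it is returned as opaque bytes; the sample LLDPDU and its payload are constructed.

```python
import struct

ORG_SPECIFIC = 127
END_OF_LLDPDU = 0
PROXY_GW_OUI = bytes.fromhex("0001e8")   # OUI stated in the guide
PROXY_GW_SUBTYPE = 0x01                  # subtype stated in the guide


def iter_tlvs(lldpdu):
    """Yield (type, value) for each TLV; raise ValueError on truncated input."""
    offset = 0
    while offset < len(lldpdu):
        if len(lldpdu) - offset < 2:
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", lldpdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} overruns the LLDPDU")
        yield tlv_type, lldpdu[offset:offset + length]
        offset += length
        if tlv_type == END_OF_LLDPDU:
            return


def proxy_gateway_tlvs(lldpdu):
    """Return the information bytes of every OUI 00-01-E8 / subtype 1 TLV."""
    found = []
    for tlv_type, value in iter_tlvs(lldpdu):
        if tlv_type != ORG_SPECIFIC:
            continue
        if len(value) < 4:
            raise ValueError("organizational TLV shorter than OUI + subtype")
        if value[:3] == PROXY_GW_OUI and value[3] == PROXY_GW_SUBTYPE:
            found.append(value[4:])
    return found


def make_tlv(tlv_type, value):
    """Encode one TLV (used only to build the constructed sample)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed payload; its internal layout is not defined on this page.
SAMPLE_INFO = bytes.fromhex("0001e88b1a2c")


def sample_lldpdu():
    """Constructed LLDPDU: mandatory TLVs, two organizational TLVs, end marker."""
    return b"".join([
        make_tlv(1, b"\x04" + bytes.fromhex("0001e8261db7")),   # chassis ID (MAC)
        make_tlv(2, b"\x05" + b"Te 0/1"),                        # port ID (name)
        make_tlv(3, struct.pack("!H", 120)),                     # TTL
        make_tlv(ORG_SPECIFIC, PROXY_GW_OUI + b"\x01" + SAMPLE_INFO),
        make_tlv(ORG_SPECIFIC, bytes.fromhex("0080c2") + b"\x01" + b"\x00\x64"),
        make_tlv(END_OF_LLDPDU, b""),
    ])


if __name__ == "__main__":
    for info in proxy_gateway_tlvs(sample_lldpdu()):
        print("proxy gateway TLV info:", info.hex())
```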
Sample Configurations for LLDP VLT Proxy Gateway Apply the following configurations in the Core L3 Routers C and D in the local VLT domain and C1 and D1 in the remote VLT domain: 1 Configure proxy-gateway lldp in VLT Domain CONFIG mode. 2 Configure peer-domain-link port-channel in VLT Domain Proxy Gateway LLDP mode. The VLT port channel is the one that connects the remote VLT domain.
Sample Scenario for VLT Proxy Gateway Figure 141. VLT Proxy Gateway — Topology 2 1 The above figure (Topology 2) shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method.
2 ICL shut – Assume the ICL between C1 and D1 is shut. If D1 is the secondary VLT peer, one half of the inter-DC link goes down. After VM motion, if a packet reaches D2 with the destination MAC address of D1, it may be dropped. This behavior applies only in the LLDP configuration; in the static configuration, the packet is forwarded. 3 Any L3 packet, when it gets an L3 hit and is routed because of this feature, has a TTL decrement as expected.
4 Display the VLT proxy gateway configuration. EXEC mode Dell#show vlt-proxy-gateway Configuring an LLDP VLT Proxy Gateway You can configure a proxy gateway in a VLT domain to locally route packets destined to a L3 endpoint in another VLT domain. To configure an LLDP proxy gateway: 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-Domain Configuration mode. CONFIGURATION mode Dell(conf)#vlt domain domain-id 2 Configure the LLDP proxy gateway.
62 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
VRF uses interfaces to distinguish routes for different VRF instances. Interfaces in a VRF can be either physical (Ethernet port or port channel) or logical (VLANs). You can configure identical or overlapping IP subnets on different interfaces if each interface belongs to a different VRF instance. Figure 142.
• VLAN interfaces • Loopback interfaces VRF supports route redistribution between routing protocols (including static routes) only when the routes are within the same VRF. Dell Networking OS uses both the VRF name and VRF ID to manage VRF instances. The VRF name and VRF ID number are assigned using the ip vrf command. The VRF ID is displayed in show ip vrf command output. The VRF ID is not exchanged between routers. VRF IDs are local to a router.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF NOTE: ACLs supported on all VRF VLAN ports. IPv4 ACLs are supported on non-default VRFs also. IPv6 ACLs are supported on default-VRF only. PBR supported on default-VRF only. QoS not supported on VLANs.
DHCP DHCP requests are not forwarded across VRF instances. The DHCP client and server must be on the same VRF instance. VRF Configuration The VRF configuration tasks are: 1 Enabling VRF in Configuration Mode 2 Creating a Non-Default VRF 3 Assign an Interface to a VRF You can also: • View VRF Instance Information • Connect an OSPF Process to a VRF Instance • Configure VRRP on a VRF Load VRF CAM VRF is enabled by default on the switch.
Table 91. Creating a Non-Default VRF Instance Task Command Syntax Command Mode Create a non-default VRF instance by specifying a name and VRF ID number, and enter VRF configuration mode. ip vrf vrf-name vrf-id VRF ID range: 1 to 512 and 0 (default VRF) CONFIGURATION Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
Task Command Syntax Command Mode
NOTE: Before assigning a front-end port to a management VRF, ensure that no IP address is configured on the interface.
Task: Assign an IPv4 address to the interface. NOTE: You can assign either an IPv4 or an IPv6 address but not both. Command Syntax: ip address 10.1.1.1/24 Command Mode: INTERFACE CONFIGURATION
Task: Assign an IPv6 address to the interface. NOTE: You can also auto configure an IPv6 address using the ipv6 address autoconfig command. Command Syntax: ipv6 address 1::1 Command Mode: INTERFACE CONFIGURATION
Task Command Syntax Command Mode instance. process-id range: 0-65535 Once the OSPF process and the VRF are tied together, the OSPF Process ID cannot be used again in the system. Configuring VRRP on a VRF Instance You can configure the VRRP feature on interfaces that belong to a VRF instance. In a virtualized network that consists of multiple VRFs, various overlay networks can exist on a shared physical infrastructure.
Task Command Syntax Command Mode
Task: Configure a static route that points to a management interface. Command Syntax: management route ipaddress mask managementethernet or management route ipv6address prefix-length managementethernet Command Mode: CONFIGURATION
NOTE: You can also have the management route point to a front-end port in case of the management VRF. For example: management route 2::/64 te 0/0.
Sample VRF Configuration The following configuration illustrates a typical VRF set-up. Figure 143. Setup OSPF and Static Routes Figure 144.
The following example relates to the configuration shown in Figure 1 and Figure 2. Router 1 Router 2 The following shows the output of the show commands on Router 1. Router 1 The following shows the output of the show commands on Router 2.
You can use the match source-protocol or match ip-address commands to specify matching criteria for importing or exporting routes between VRFs. NOTE: You must use the match source-protocol or match ip-address commands in conjunction with the route-map command to be able to define the match criteria for route leaking. Consider a scenario where you have created two VRF tables VRF-red and VRF-blue. VRF-red exports routes with the export_ospfbgp_protocol route-map to VRF-blue.
When you import routes into VRF-blue using the route-map import_ospf_protocol, only OSPF routes are imported into VRF-blue. Even though VRF-red has leaked both OSPF as well as BGP routes to be shared with other VRFs, this command imports only OSPF routes into VRF-blue. 9 Configure the import target in the source VRF for reverse communication with the destination VRF.
If the target VRF contains the same prefix (either a sourced route or a route leaked from some other VRF), the leak for that particular prefix fails and an error log is generated. Manual intervention is required to clear the unneeded prefixes. The source route takes priority over the leaked route, and the leaked route is deleted. Consider a scenario where you have created four VRF tables VRF-red, VRF-blue, VRF-Green, and VRF-shared.
ip route-import ip route-import 2:2 3:3 Show routing tables of all the VRFs (without any route-export and route-import tags being configured) Show routing tables of VRFs (after route-export and route-import tags are configured). Important Points to Remember • If the target VRF contains the same prefix as either the sourced or leaked route from some other VRF, then route leaking for that particular prefix fails and the following error-log is thrown.
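Before applying route-export and route-import tags, the leak rule above can be evaluated offline to see which prefixes would cross a VRF boundary and which leaks would fail. The following is an added example, not code from this guide: it models each VRF with one export tag, a list of import tags and its locally sourced routes, and applies the rule that a leak fails when the target VRF already holds the prefix. The VRF names come from the scenario above; the tags, prefixes, the processing order and the assumption that only locally sourced routes are exported are constructed for illustration.

```python
import ipaddress


def plan_leaks(vrfs):
    """Return (leaked, failed) for a set of VRF definitions.

    vrfs maps a VRF name to {"export": tag or None, "import": [tags],
    "routes": [locally sourced prefixes]}.
    leaked: list of (target_vrf, prefix, source_vrf)
    failed: list of (target_vrf, prefix, source_vrf, vrf_already_holding_prefix)
    """
    # Each table starts with the VRF's own sourced routes.
    tables = {
        name: {ipaddress.ip_network(p): name for p in cfg["routes"]}
        for name, cfg in vrfs.items()
    }
    leaked, failed = [], []
    for src, cfg in vrfs.items():
        tag = cfg.get("export")
        if tag is None:
            continue
        for dst, dst_cfg in vrfs.items():
            if dst == src or tag not in dst_cfg.get("import", ()):
                continue
            for prefix in cfg["routes"]:          # only sourced routes are exported
                net = ipaddress.ip_network(prefix)
                holder = tables[dst].get(net)
                if holder is not None:
                    # Same prefix already sourced or leaked in the target: leak fails.
                    failed.append((dst, str(net), src, holder))
                else:
                    tables[dst][net] = src
                    leaked.append((dst, str(net), src))
    return leaked, failed


def isolated_vrfs(vrfs, leaked):
    """VRFs that neither receive nor contribute any leaked route."""
    touched = {dst for dst, _, _ in leaked} | {src for _, _, src in leaked}
    return sorted(set(vrfs) - touched)


# Constructed sample: tags and prefixes are illustrative, not from the guide.
SAMPLE_VRFS = {
    "VRF-red": {"export": "2:2", "import": ["1:1"],
                "routes": ["10.1.0.0/24", "192.168.50.0/24"]},
    "VRF-blue": {"export": "3:3", "import": ["1:1"],
                 "routes": ["10.2.0.0/24"]},
    "VRF-Green": {"export": None, "import": [],
                  "routes": ["10.3.0.0/24"]},
    "VRF-shared": {"export": "1:1", "import": ["2:2", "3:3"],
                   "routes": ["10.9.0.0/24", "192.168.50.0/24"]},
}

if __name__ == "__main__":
    leaked, failed = plan_leaks(SAMPLE_VRFS)
    for dst, prefix, src in leaked:
        print("leak  %-15s %s -> %s" % (prefix, src, dst))
    for dst, prefix, src, holder in failed:
        print("FAIL  %-15s %s -> %s (already held via %s)" % (prefix, src, dst, holder))
    print("isolated:", isolated_vrfs(SAMPLE_VRFS, leaked))
```

The `failed` list corresponds to the prefixes that would need manual cleanup, and `isolated_vrfs` confirms which VRFs stay fully separated after the tags are applied.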
63 Virtual Link Trunking (VLT) Virtual link trunking (VLT) is supported on Dell Networking OS. Overview VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology. To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP). Figure 145. Example of VLT Deployment VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
• If the DHCP server is located on the ToR and the VLTi (ICL) is down due to a failed link when a VLT node is rebooted in BMP mode, it is not able to reach the DHCP server, resulting in BMP failure. • If the source is connected to an orphan (non-spanned, non-VLT) port in a VLT peer, the receiver is connected to a VLT (spanned) port-channel, and the VLT port-channel link between the VLT peer connected to the source and TOR is down, traffic is duplicated due to route inconsistency between peers.
• A VLT interconnect over 1G ports is not supported. • The port channel must be in Default mode (not Switchport mode) to have VLTi recognize it. • The system automatically includes the required VLANs in VLTi. You do not need to manually select VLANs. • VLT peer switches operate as separate chassis with independent control and data planes for devices attached to non-VLT ports.
• In case of dual RPM, configure the virtual IP address as the backup link. This is needed so that the backup link won't flap during RPM failover scenarios. See Configuring a Virtual IP Address. Virtual link trunks (VLTs) between access devices and VLT peer switches • To connect servers and access switches with VLT peer switches, you use a VLT port channel, as shown in Overview.
• Ingress and egress QoS policies applied on VLT ports must be the same on both VLT peers. • You should apply the same ingress and egress QoS policies on VLTi (ICL) member ports to handle failed links. Software features not supported with VLT • In a VLT domain, the following software features are not supported on non-VLT ports: 802.1x, DHCP snooping, and FRRP.
Primary and Secondary VLT Peers Primary and secondary VLT peers are supported to prevent issues when connectivity between peers is lost on the switch. You can elect or configure the Primary Peer. By default, the peer with the lowest MAC address is selected as the Primary Peer. You can configure another peer as the Primary Peer using the VLT primary-priority command. If the VLTi link fails, the status of the remote VLT Primary Peer is checked using the backup link.
VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) crosses threshold. Bandwidth usage (80 ) When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
VLT IPv6 The following features have been enhanced to support VLT on IPv6: • VLT Sync — Entries learned on the VLT interface are synced on both VLT peers. • Non-VLT Sync — Entries learned on non-VLT interfaces are synced on both VLT peers. • Tunneling — Control information is associated with tunnel traffic so that the appropriate VLT peer can mirror the ingress port as the VLT interface rather than pointing to the VLT peer’s VLTi link.
PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 146.
On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Spanned VLANs Any VLAN configured on both VLT peer nodes is referred to as a Spanned VLAN. The VLT Interconnect (VLTi) port is automatically added as a member of the Spanned VLAN. As a result, any adjacent router connected to at least one VLT node on a Spanned VLAN subnet is directly reachable from both VLT peer nodes at the routing level. VLT Unicast Routing VLT unicast routing locally routes packets destined for the L3 endpoint of the VLT peer. This method avoids suboptimal routing.
peer-routing-timeout value value: Specify a value (in seconds) from 1 to 65535. VLT Multicast Routing VLT Multicast Routing provides resiliency to multicast routed traffic during the multicast routing protocol convergence period after a VLT link or VLT peer fails using the least intrusive method (PIM) and does not alter current protocol behavior. Unlike VLT Unicast Routing, a normal multicast routing protocol does not exchange multicast routes between VLT peers.
vlt domain domain-id 2 Enable peer-routing. VLT DOMAIN mode peer-routing 3 Configure the multicast peer-routing timeout. VLT DOMAIN mode multicast peer-routing—timeout value value: Specify a value (in seconds) from 1 to 1200. 4 Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router. 5 Configure a PIM-enabled external neighboring router as a rendezvous point (RP).
Configure both ends of the VLT interconnect trunk with identical RSTP configurations. When you enable VLT, the show spanning-tree rstp brief command output displays VLT information (refer to Verifying a VLT Configuration). Preventing Forwarding Loops in a VLT Domain During the bootup of VLT peer switches, a forwarding loop may occur until the VLT configurations are applied on each switch and the primary/secondary roles are determined.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 0 Configuring VLT VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. To configure VLT, use the following procedure.
3 Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: • 1-Gigabit Ethernet: Enter gigabitethernet slot/port. • 10-Gigabit Ethernet: Enter tengigabitethernet slot/port. • 40-Gigabit Ethernet: Enter fortyGigE slot/port. 4 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 5 Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect.
process, use the primary-priority command. Enter a lower value on the primary peer and a higher value on the secondary peer. VLT DOMAIN CONFIGURATION mode primary-priority value The priority values are from 1 to 65535. The default is 32768. If the primary peer fails, the secondary peer (with the higher priority) takes the primary role. If the primary peer (with the lower priority) later comes back online, it is assigned the secondary role (there is no preemption).
back-up destination {ip address ipv4-address/mask | ipv6 address ipv6-address/mask}
Dell(conf-vlt-domain)#back-up destination ?
A.B.C.D IP address for VLT backup link
ipv6 Configure IPv6 address for VLT backup link
IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) of the VLT peer’s management interface. 5 Repeat Steps 1 – 4 on the VLT peer switch. To set the amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time.
system-mac mac-address mac-address To explicitly configure the default MAC address for the domain by entering a new MAC address, use the system-mac command. The format is aaaa.bbbb.cccc. Also, reconfigure the same MAC address on the VLT peer switch. Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots.
interface: specify one of the following interface types: • 1-Gigabit Ethernet: enter gigabitethernet slot/port. • 10-Gigabit Ethernet: enter tengigabitethernet slot/port. • 40-Gigabit Ethernet: Enter fortyGigE slot/port. 5 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 6 Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device.
The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1 Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
system-mac mac-address mac-address To explicitly configure the default MAC address for the domain by entering a new MAC address, use the system-mac command. The format is aaaa.bbbb.cccc. Also reconfigure the same MAC address on the VLT peer switch. Use this command to minimize the time required for the VLT system to synchronize the default MAC address of the VLT domain on both peer switches when one peer switch reboots.
INTERFACE mode port-channel-protocol lacp 14 Configure the LACP port channel mode. INTERFACE mode port-channel number mode [active] 15 Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 16 Repeat steps 1 through 15 for the VLT peer node in Domain 1. 17 Repeat steps 1 through 15 for the first VLT node in Domain 2. 18 Repeat steps 1 through 15 for the VLT peer node in Domain 2.
8 Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9 Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. EXEC Privilege mode show running-config entity 10 Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. EXEC mode or EXEC Privilege mode show interfaces interface 11 In the top of rack unit, configure LACP in the physical ports.
1 Configure the peer 2 management ip/ interface ip for which connectivity is present in VLT peer 1. 2 Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 2. Dell-2#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.58 Dell-2# show interfaces managementethernet 0/0 Internet address is 10.11.206.43/16 Dell-4#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.
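The requirement that both peers carry the same VLT domain, a VLT interconnect and a backup destination pointing at each other's management address can be verified from saved show output. The following is an added example, not code from this guide: it parses text in the format of the show running-config vlt and show interfaces managementethernet output above and lists mismatches between two peers. The peer names, addresses and MAC value in the sample are constructed; the system-mac line format in the running configuration is an assumption based on the command syntax given in this chapter.

```python
import ipaddress
import re

# Running-config lines of interest, in the form shown by "show running-config vlt".
_PATTERNS = {
    "domain": r"vlt domain (\d+)",
    "peer_link": r"peer-link port-channel (\d+)",
    "backup": r"back-up destination (?:ipv6 )?(\S+)",
    "system_mac": r"system-mac mac-address (\S+)",   # assumed line format
}


def parse_vlt(running_config):
    """Extract the VLT settings from 'show running-config vlt' text."""
    cfg = dict.fromkeys(_PATTERNS)
    for raw in running_config.splitlines():
        line = raw.strip()
        for key, pattern in _PATTERNS.items():
            match = re.fullmatch(pattern, line)
            if match:
                cfg[key] = match.group(1)
    return cfg


def parse_mgmt_ip(show_interface):
    """Return the address from an 'Internet address is A.B.C.D/len' line, or None."""
    match = re.search(r"Internet address is (\S+)/\d+", show_interface)
    return _ip(match.group(1)) if match else None


def _ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _norm_mac(mac):
    return None if mac is None else re.sub(r"[^0-9a-f]", "", mac.lower())


def audit_pair(a, b):
    """Compare two peers; each is {'name', 'vlt', 'mgmt'} with captured text."""
    findings = []
    ca, cb = parse_vlt(a["vlt"]), parse_vlt(b["vlt"])
    if ca["domain"] is None or cb["domain"] is None:
        findings.append("VLT domain is not configured on both peers")
    elif ca["domain"] != cb["domain"]:
        findings.append("domain ID differs: %s vs %s" % (ca["domain"], cb["domain"]))
    for peer, cfg in ((a, ca), (b, cb)):
        if cfg["peer_link"] is None:
            findings.append("%s: no peer-link port-channel (VLTi)" % peer["name"])
    for local, cfg, remote in ((a, ca, b), (b, cb, a)):
        expected = parse_mgmt_ip(remote["mgmt"])
        if cfg["backup"] is None:
            findings.append("%s: no back-up destination" % local["name"])
        elif expected is None or _ip(cfg["backup"]) != expected:
            findings.append("%s: back-up destination %s is not %s's management address %s"
                            % (local["name"], cfg["backup"], remote["name"], expected))
    if _norm_mac(ca["system_mac"]) != _norm_mac(cb["system_mac"]):
        findings.append("system-mac differs: %s vs %s" % (ca["system_mac"], cb["system_mac"]))
    return findings


# Constructed sample captures (addresses from the documentation range).
PEER1 = {
    "name": "peer1",
    "vlt": "!\nvlt domain 5\n peer-link port-channel 1\n"
           " back-up destination 192.0.2.58\n"
           " system-mac mac-address 0000.5e00.5301\n",
    "mgmt": "Internet address is 192.0.2.43/24",
}
PEER2_GOOD = {
    "name": "peer2",
    "vlt": "!\nvlt domain 5\n peer-link port-channel 1\n"
           " back-up destination 192.0.2.43\n"
           " system-mac mac-address 0000.5e00.5301\n",
    "mgmt": "Internet address is 192.0.2.58/24",
}
PEER2_BAD = {
    "name": "peer2",
    "vlt": "!\nvlt domain 6\n back-up destination 192.0.2.44\n",
    "mgmt": "Internet address is 192.0.2.58/24",
}

if __name__ == "__main__":
    for finding in audit_pair(PEER1, PEER2_BAD):
        print(finding)
```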
In the ToR unit, configure LACP on the physical ports.
Dell-4#show interfaces port-channel 2 brief Codes: L - LACP Port-channel LAG L 2 Mode L2L3 Status up Uptime 03:33:31 Ports Te 0/18 (Up) eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 first, then configure Peer 2.
Configure eVLT on Peer 1. Domain_1_Peer1(conf)#interface port-channel 100 Domain_1_Peer1(conf-if-po-100)# switchport Domain_1_Peer1(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer1(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 1.
Domain_2_Peer3(conf-if-range-te-0/16-17)# port-channel 100 mode active Domain_2_Peer3(conf-if-range-te-0/16-17)# no shutdown Next, configure the VLT domain and VLTi on Peer 4. Domain_2_Peer4#configure Domain_2_Peer4(conf)#interface port-channel 1 Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer4#no shutdown Domain_2_Peer4(conf)#vlt domain 200 Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1 Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
Repeat these steps on VLT Peer Node 2. VLT_Peer2(conf)#ip multicast-routing VLT_Peer2(conf)#interface vlan 4001 VLT_Peer2(conf-if-vl-4001)#ip address 140.0.0.
• Display the current status of a port or port-channel interface used in the VLT domain. EXEC mode show interfaces interface • interface: specify one of the following interface types: • Fast Ethernet: enter fastethernet slot/port. • 1-Gigabit Ethernet: enter gigabitethernet slot/port. • 10-Gigabit Ethernet: enter tengigabitethernet slot/port. • Port channel: enter port-channel {1-128}.
Role: Primary
Role Priority: 32768
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local Unit Id: 1
Version: 5(1)
Local System MAC address: 00:01:e8:8a:e7:e7
Remote System MAC address: 00:01:e8:8a:e9:70
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version: 5(1)
Delay-Restore timer: 90 seconds
The following example shows the show vlt detail command.
peer-link port-channel 60 back-up destination 10.11.200.20 The following example shows the show vlt statistics command.
Po Po Po Po Po 4 100 110 111 120 128.5 128.101 128.111 128.112 128.121 128 128 128 128 128 200000 800 00 200000 2000 DIS 0 FWD(VLTi)0 FWD(vlt) 0 DIS(vlt) 0 FWD(vlt) 0 0 0 0 0 0 0001.e88a.dff8 0001.e88a.dff8 0001.e88a.dff8 0001.e88a.dff8 0001.e88a.dff8 128.5 128.101 128.111 128.112 128.
NUM Status Description Q Ports 10 Active U Po110(Fo 0/52) T Po100(Fo 0/56,60) Configuring Virtual Link Trunking (VLT Peer 2) Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi). Dell_VLTpeer2(conf)#vlt domain 999 Dell_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23 Dell_VLTpeer2(conf-vlt-domain)#exit Configure the backup link.
Verifying a Port-Channel Connection to a VLT Domain (From an Attached Access Switch) On an access device, verify the port-channel connection to a VLT domain. Dell_TORswitch(conf)# show running-config interface port-channel 11 ! interface Port-channel 11 no ip address switchport channel-member fortyGigE 1/18,22 no shutdown Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information.
Description Behavior at Peer Up Behavior During Run Time Action to Take brief commands to view the VLT port channel status information. All VLT port channels go down on both VLT peers. A syslog error message is generated. No traffic is passed on the port channels. Spanning tree mismatch at port level A syslog error message is generated. A one-time informational syslog message is generated. Correct the spanning tree configuration on the ports.
Reconfiguring Stacked Switches as VLT To convert switches that have been stacked to VLT peers, use the following procedure. 1 Remove the current configuration from the switches. You will need to split the configuration up for each switch. 2 Copy the files to the flash memory of the appropriate switch. 3 Copy the files on the flash drive to the startup-config. 4 Reset the stacking ports to user ports for both switches. 5 Reload the stack and confirm the new configurations have been applied.
Keep the following points in mind when you configure VLT nodes in a PVLAN: • Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode. • You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port modes when you include the VLT LAG in a PVLAN. The VLT LAG settings must be the same on both the peers. • If you configure a VLT LAG as a trunk port, you can associate that LAG to be a member of a normal VLAN or a PVLAN.
mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur. Whenever a change occurs in the VLAN mode of one of the peers, this modification is synchronized with the other peers.
• The ARP request is not received on the ICL. Under such conditions, the IP stack performs the following operations: • The ARP reply is sent with the MAC address of the primary VLAN. • The ARP request packet originates on the primary VLAN for the intended destination IP address. ARP requests received on ICLs are not proxied, even if they are received with a secondary VLAN tag.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer1 Primary Yes Yes - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuou Trunk s Primary Normal No No Promiscuou Trunk s Primary Primary Yes No Access Secondary (Community) Secondary (Community) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) Yes Yes - Primary VLAN X Yes Yes Secondary (Isolated) Sec
security functionalities to be achieved. This section contains the following topics that describe how to configure a VLT VLAN or a VLT LAG (VLTi link) and assign that VLT interface to a PVLAN. Creating a VLT LAG or a VLT VLAN 1 Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode CONFIGURATION mode interface port-channel id-number.
VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number peer-down-vlan vlan interface number The range is from 1 to 4094. Associating the VLT LAG or VLT VLAN in a PVLAN 1 Access INTERFACE mode for the port that you want to assign to a PVLAN. CONFIGURATION mode interface interface 2 Enable the port. INTERFACE mode no shutdown 3 Set the port in Layer 2 mode. INTERFACE mode switchport 4 Select the PVLAN mode.
The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. Proxy ARP Capability on VLT Peer Nodes The proxy ARP functionality is supported on VLT peer nodes. A proxy ARP-enabled device answers the ARP requests that are destined for another host or router.
Working of Proxy ARP for VLT Peer Nodes Proxy ARP is enabled only when peer routing is enabled on both the VLT peers. If peer routing is disabled on one of the VLT peers, proxy ARP is not performed when the ICL link goes down. Proxy ARP is performed only when the VLT peer's MAC address is installed in the database. Proxy ARP is stopped when the VLT peer's MAC address is removed from the ARP database because of the peer routing timer expiry.
VLT Nodes as Rendezvous Points for Multicast Resiliency You can configure virtual link trunking (VLT) peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. PIM uses a VLT node as the RP to distribute multicast traffic to a multicast group. Messages to join the multicast group (Join messages) and data are sent towards the RP, so that receivers can discover who the senders are and begin receiving traffic destined for the multicast group.
Configuring VLAN-Stack over VLT To configure VLAN-stack over VLT, follow these steps. 1 Configure the VLT LAG as VLAN-stack access or trunk mode on both the peers. INTERFACE PORT-CHANNEL mode vlan-stack {access | trunk} 2 Configure VLAN as VLAN-stack compatible on both the peers. INTERFACE VLAN mode vlan-stack compatible 3 Add the VLT LAG as a member to the VLAN-stack on both the peers. INTERFACE VLAN mode member port-channel port-channel ID 4 Verify the VLAN-stack configurations.
Dell#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown Dell# Dell(conf)#interface port-channel 20 Dell(conf-if-po-20)#switchport Dell(conf-if-po-20)#vlt-peer-lag port-channel 20 Dell(conf-if-po-20)#vlan-stack trunk Dell(conf-if-po-20)#no shutdown Dell#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switchport vlan-stack trunk vlt-peer-lag port-channel 20 no shut
unit-id 1 Dell# Configure VLT LAG as VLAN-Stack Access or Trunk Port Dell(conf)#interface port-channel 10 Dell(conf-if-po-10)#switchport Dell(conf-if-po-10)#vlt-peer-lag port-channel 10 Dell(conf-if-po-10)#vlan-stack access Dell(conf-if-po-10)#no shutdown Dell#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown Dell# Dell(conf)#interface port-channel 20 Dell(conf-if-po-20)#switchport Dell(conf-if-po-20)
64 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is supported on Dell Networking OS. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3. VRRP is supported on “all types” of interfaces, including physical, VLAN, port-channel, and port extender interfaces. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
For more detailed information about VRRP, refer to RFC 2338, Virtual Router Redundancy Protocol. Figure 148. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocols (IGPs) to converge or update routing tables.
Up to 255 VRRP groups are supported on the switch. The total number of VRRP groups per system should be less than 512. The following recommendations shown may vary depending on various factors like address resolution protocol (ARP) broadcasts, IP broadcasts, or spanning tree protocol (STP) before changing the advertisement interval.
• Tracking a Metric Threshold • Tracking Route Reachability For a complete listing of all commands related to VRRP, refer to Dell Networking OS Command Line Reference Guide. Creating a Virtual Router To enable VRRP, create a virtual router. In the Dell Networking Operating System, the virtual router identifier (VRID) identifies a VRRP group. To enable or delete a virtual router, use the following commands. • Create a virtual router for that interface with a VRID.
Example: Configuring VRRP to Use Version 3 The following example configures the IPv4 VRRP 100 group to use VRRP protocol version 3. Dell(conf-if-te-0/0)# vrrp-group 100 Dell (conf-if-te-0/0-vrid-100)#version ? 2 VRRPv2 3 VRRPv3 both Interoperable, send VRRPv3 receive both Dell(conf-if-te-0/0-vrid-100)#version 3 You can use the version both command in INTERFACE mode to migrate from VRRPv2 to VRRPv3.
multiple IP subnets configured on the interface, Dell Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group. • For example, an interface (on which you enable VRRP) contains a primary IP address of 50.1.1.1/24 and a secondary IP address of 60.1.1.1/24. The VRRP group (VRID 1) must contain virtual addresses belonging to either subnet 50.1.1.0/24 or subnet 60.1.1.0/24, but not from both subnets (though the system allows the same).
The following example shows the same VRRP group (VRID 111) configured on multiple interfaces on different subnets.

Dell#show vrrp
-----------------
TenGigabitEthernet 1/1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 2343, Gratuitous ARP sent: 5
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
-----------------
TenGigabitEthernet 1/2/1, VRID: 111, Net: 10.10.2.1
State: Master, Priority: 125, Master: 10.10.2.
Disabling Preempt

The preempt command is enabled by default. The command forces the system to change the MASTER router if another router with a higher priority comes online. Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt.

NOTE: You must configure all virtual routers in the VRRP group the same: you must configure all with preempt enabled or configure all with preempt disabled.
If you are configured for VRRP version 2, the timer values must be in multiples of whole seconds. For example, a timer value of 3 seconds or 300 centisecs is valid, and the two are equivalent. However, a timer value of 50 centisecs is invalid because it is not a multiple of 1 second. If you are using VRRP version 3, you must configure the timer values in multiples of 25 centisecs. To change the advertisement interval in seconds or centisecs, use the following command. A centisec is 1/100 of a second.
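A check built on the preempt NOTE and the timer rule above, as an added example that is not part of the Dell guide: it parses `show vrrp` output captured from each router and reports groups whose peers disagree on preempt, whose AdvInt is not a valid multiple for the group's version, or that show Authentication: (none). The captures are constructed, the function names are hypothetical, and treating a header with no Version field as VRRPv2 is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed `show vrrp` captures from two routers, in the layout this guide prints.
SAMPLE = {
    "R2": """TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Authentication: (none)
""",
    "R3": """TenGigabitEthernet 3/21, VRID: 99, Net: 10.1.1.2
State: Backup, Priority: 100, Master: 10.1.1.1
Hold Down: 0 sec, Preempt: FALSE, AdvInt: 1 sec
Authentication: (none)
TenGigabitEthernet 1/0, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6b:1845
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 110 centisec
""",
}

HEADER = re.compile(r"^-*(\S+ [\d/]+), (?:IPv6 )?VRID: (\d+)(?:, Version: (\d))?", re.M)
FIELDS = re.compile(r", Master: (\S+).*?Preempt: (\w+), AdvInt: (\d+) (sec|centisec)", re.S)

def parse(router, text):
    """Yield one record per VRRP group in a router's `show vrrp` output."""
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        body = text[h.end():heads[i + 1].start() if i + 1 < len(heads) else len(text)]
        master, preempt, n, unit = FIELDS.search(body).groups()
        yield {"where": f"{router} {h.group(1)} VRID {h.group(2)}",
               "group": (int(h.group(2)), master),   # peers share VRID and master
               "version": int(h.group(3) or 2),      # assumption: no Version field means v2
               "preempt": preempt == "TRUE", "adv_cs": int(n) * (100 if unit == "sec" else 1),
               "auth_none": "Authentication: (none)" in body}

def audit(captures):
    """Return findings: bad timer multiple, no authentication, preempt mismatch."""
    findings, preempt = [], defaultdict(set)
    for router, text in captures.items():
        for g in parse(router, text):
            step = 100 if g["version"] == 2 else 25   # centisecs: whole seconds vs 25
            if g["adv_cs"] % step:
                findings.append(f"{g['where']}: AdvInt {g['adv_cs']} centisec is not a multiple of {step}")
            if g["auth_none"]:
                findings.append(f"{g['where']}: Authentication: (none)")
            preempt[g["group"]].add(g["preempt"])
    findings += [f"VRID {v} (master {m}): preempt differs between routers"
                 for (v, m), seen in preempt.items() if len(seen) > 1]
    return findings
```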
NOTE: When you reload a node that contains VRRP configuration and is enabled for VLT, Dell Networking recommends that you configure the reload timer by using the vrrp delay reload command to ensure that VRRP is functional. Otherwise, when you reload a VLT node configured for VRRP, the local destination address is not seen on the reloaded node causing suboptimal routing. Set the delay timer on individual interfaces. The delay timer is supported on all physical interfaces, VLANs, and LAGs.
For a virtual group, you can track the line-protocol state or the routing status of any of the following interfaces with the interface interface parameter:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port.
• For a 40-Gigabit Ethernet: enter fortyGigE slot/port.
• For a port extender 1-Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/stackunit-number/port-number.
The following example shows how to verify tracking using the show conf command.

Dell(conf-if-te-1/1/1-vrid-111)#show conf
!
vrrp-group 111
advertise-interval 10
authentication-type simple 7 387a7f2df5969da4
no preempt
priority 255
track TenGigabitEthernet 1/2/1
virtual-address 10.10.10.1
virtual-address 10.10.10.2
virtual-address 10.10.10.3
virtual-address 10.10.10.
Virtual IP address: 1.1.1.100
Authentication: (none)
Dell#

Tracking states for 2 resource Ids:
2 - Up IPv6 route, 2040::/64, priority-cost 20, 00:02:11
3 - Up IPv6 route, 2050::/64, priority-cost 30, 00:02:11

The following example shows verifying the VRRP configuration on an interface.
you make the necessary changes. The VRRP topology was created using the CLI configuration shown in the following example.

Figure 149. VRRP for IPv4 Topology

Example of Configuring VRRP for IPv4

Router 2
R2(conf)#int te 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
ip address 10.1.1.
vrrp-group 99
priority 200
virtual-address 10.1.1.3
no shutdown
R2(conf-if-te-2/31)#end
R2#show vrrp
-----------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#

Router 3
R3(conf)#int te 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.
10.1.1.3
Authentication: (none)

Figure 150. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address.

Example of Configuring VRRP for IPv6 Router 2 and Router 3

Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
The virtual IPv6 address you configure must be the same as the IPv6 subnet to which the interface belongs. Although R2 and R3 have the same default priority (100), R2 is elected master in the VRRPv3 group because the TenGigE 0/0 interface has a higher IPv6 address than the TenGigE 1/0 interface on R3.
R3(conf-if-te-1/0)#show config
interface TenGigabitEthernet 1/0
ipv6 address 1::2/64
vrrp-group 10
priority 100
virtual-address fe80::10
virtual-address 1::10
no shutdown
R3(conf-if-te-1/0)#end
R3#show vrrp
-----------------
TenGigabitEthernet 1/0, IPv6 VRID: 10, Version: 3, Net: fe80::201:e8ff:fe6b:1845
VRF: 0 default
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts
the same in VRF-1 and VRF-2; similarly, there is no requirement for the IP addresses to be different. In VRF-3, the node IP addresses and subnet are unique.

Figure 151. VRRP in a VRF: Non-VLAN Example

Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN)

Switch-1
S1(conf)#ip vrf default-vrf 0
!
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface TenGigabitEthernet 2/1
S1(conf-if-te-2/1)#ip vrf forwarding VRF-1
S1(conf-if-te-2/1)#ip address 10.10.1.
S1(conf-if-te-12/2-vrid-101)#priority 100
S1(conf-if-te-12/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-12/2)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 2/3
S1(conf-if-te-2/3)#ip vrf forwarding VRF-3
S1(conf-if-te-2/3)#ip address 20.1.1.5/24
S1(conf-if-te-2/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-2/3-vrid-105)#priority 255
S1(conf-if-te-2/3-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
S2(conf-if-vl-100)#ip address 10.10.1.2/24
S2(conf-if-vl-100)#tagged tengigabitethernet 2/4
S2(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-vl-100-vrid-101)#priority 255
S2(conf-if-vl-100-vrid-101)#virtual-address 10.10.1.2
S2(conf-if-vl-100)#no shutdown
!
S2(conf-if-te-2/4)#interface vlan 200
S2(conf-if-vl-200)#ip vrf forwarding VRF-2
S2(conf-if-vl-200)#ip address 10.10.1.
00:00:5e:00:01:04 Virtual IP address: 192.168.0.
65 Standards Compliance

This chapter describes standards compliance for Dell Networking products.

NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
802.3z Gigabit Ethernet (1000BASE-X)
ANSI/TIA-1057 LLDP-MED
Force10 FRRP (Force10 Redundant Ring Protocol)
Force10 PVST+
SFF-8431 SFP+ Direct Attach Cable (10GSFP+Cu)
MTU 9,252 bytes

RFC and I-D Compliance

The C9000 series supports the following standards. The standards are grouped by related protocol.

General Internet Protocols

The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols.

Table 97.
RFC#   Full Name
draft-ietf-bfd-base-03   Bidirectional Forwarding Detection

Border Gateway Protocol (BGP)

The following table lists the Dell Networking OS support on the C9000 Series for BGP protocols.

Table 98.
RFC#   Full Name
1042   A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
1191   Path MTU Discovery
1305   Network Time Protocol (Version 3) Specification, Implementation and Analysis
1519   Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy
1542   Clarifications and Extensions for the Bootstrap Protocol
1812   Requirements for IP Version 4 Routers
2131   Dynamic Host Configuration Protocol
2338   Virtual Router Redundancy Protocol (VRRP)
3021   Using 3
Intermediate System to Intermediate System (IS-IS)

The following table lists the Dell Networking OS support on the C9000 Series for IS-IS protocol.

Table 101.
RFC#   Full Name
1212   Concise MIB Definitions
1215   A Convention for Defining Traps for use with the SNMP
1493   Definitions of Managed Objects for Bridges [except for the dot1dTpLearnedEntryDiscards object]
1724   RIP Version 2 MIB Extension
1850   OSPF Version 2 Management Information Base
1901   Introduction to Community-based SNMPv2
2011   SNMPv2 Management Information Base for the Internet Protocol using SMIv2
2012   SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
RFC#   Full Name
3635   Definitions of Managed Objects for the Ethernet-like Interface Types
2674   Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
2787   Definitions of Managed Objects for the Virtual Router Redundancy Protocol
2819   Remote Network Monitoring Management Information Base: Ethernet Statistics Table, Ethernet History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table
2863   The Interfaces Group MIB
2865
RFC#   Full Name
draft-ietf-netmod-interfaces-cfg-03   Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature.
IEEE 802.1AB   Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components.
IEEE 802.1AB   The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information. (LLDP DOT1 MIB and LLDP DOT3 MIB)
IEEE 802.
RFC#   Full Name
FORCE10-SMI   Force10 Structure of Management Information
FORCE10-SYSTEM-COMPONENT-MIB   Force10 System Component MIB (enables the user to view CAM usage information)
FORCE10-TC-MIB   Force10 Textual Convention
FORCE10-TRAP-ALARM-MIB   Force10 Trap Alarm MIB

Multicast

The following table lists the Dell Networking OS support per platform for Multicast protocol.

Table 103.
RFC# Full Name S-Series C-Series E-Series TeraScale E-Series ExaScale Mode (PIM-DM): Protocol Specification (Revised) 4541 Considerations for 7.6.1 Internet Group (IGMPv1/v2) Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches 7.6.1 (IGMPv1/v2) √ IGMPv1/v2/v3, MLDv1 Snooping 8.2.1 IGMPv1/v2/ v3, MLDv1 Snooping draft-ietf-pim sm-v2-new- 05 Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised) 7.7.1 √ IPv4/ IPv6 8.2.
Routing Information Protocol (RIP)

The following table lists the Dell Networking OS support on the C9000 Series for RIP protocol.

Table 105. Routing Information Protocol (RIP)

RFC#   Full Name
1058   Routing Information Protocol
2453   RIP Version
4191   Default Router Preferences and More-Specific Routes

MIB Location

You can find Dell Networking MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.