FTOS Configuration Guide for the Z9000 System FTOS 9.0.0.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Information in this publication is subject to change without notice.
© 2012 Dell Force10. All rights reserved.
www.dell.com | support.dell.com
Contents (excerpt)
1 About this Guide (25); Objectives (25); Audience (25); Conventions
Configuration Task List for System Log Management (54); Disable System Logging (54); Send System Messages to a Syslog Server (55); Configure a Unix System as a Syslog Server (55); Change System Logging Settings
IP Access Control Lists (ACLs) (88); CAM Profiling, CAM Allocation, and CAM Optimization (88); Implementing ACLs on FTOS (91); IP Fragment Handling (92); Configure a standard IP ACL
Sessions and Peers (160); Route Reflectors (161); Confederations (162); BGP Attributes
10 Content Addressable Memory (CAM) (243); Content Addressable Memory (243); CAM Profiles (244); Microcode (246); CAM Profiling for ACLs
Specify a Default Gateway (277); Enable DHCP Server (277); Configure a Method of Hostname Resolution (278); Create Manual Binding Entries (278); Debug DHCP server
Configuring GVRP Registration (314); Configuring a GARP Timer (315); 16 Internet Group Management Protocol (IGMP) (317); IGMP Implementation Information (317); IGMP Protocol Overview
Port Channel Interfaces (341); Bulk Configuration (353); Interface Range (353); Bulk Configuration Examples
Configuration Task List for ICMP (389); UDP Helper (390); Configuring UDP Helper (390); Important Points to Remember about UDP Helper (391); Enabling UDP Helper
20 Intermediate System to Intermediate System (421); Protocol Overview (421); IS-IS Addressing (422); Multi-Topology IS-IS
mac learning-limit station-move (475); mac learning-limit no-station-move (475); Learning Limit Violation Actions (476); Station Move Violation Actions
24 Multicast Source Discovery Protocol (MSDP) (515); Protocol Overview (515); Anycast RP (517); Implementation Information
26 Multicast Features (559); Implementation Information (559); Enable IP Multicast (559); Multicast with ECMP
Configure a Static Rendezvous Point (608); Override Bootstrap Router Updates (609); Configure a Designated Router (609); Create Multicast Boundaries and Domains
PVST+ Extended System ID (646); PVST+ Sample Configurations (647); 33 Quality of Service (QoS) (651); Implementation Information (653); Port-based QoS Configurations
Configure Interfaces for Layer 2 Mode (700); Enable Rapid Spanning Tree Protocol Globally (702); Add and Remove Interfaces (705); Modify Global Parameters
Enable VLAN-Stacking for a VLAN (751); Configure the Protocol Type Value for the Outer VLAN Tag (752); FTOS Options for Trunk Ports (752); Debug VLAN Stacking (753); VLAN Stacking in Multi-vendor Networks
Important Points to Remember (782); Create a Community (782); Read Managed Object Values (783); Write Managed Object Values
Configuring Network Time Protocol (819); Enable NTP (820); Set the Hardware Clock with the Time Derived from NTP (821); Configure NTP broadcasts (821); Disable NTP on an interface
47 Virtual Router Redundancy Protocol (VRRP) (879); VRRP Overview (879); VRRP Benefits (881); VRRP Implementation
1 About this Guide
Objectives
This guide describes the protocols and features supported by the Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It supports the system platforms E-Series, C-Series, S-Series, and Z-Series. The Z9000 platform is available with FTOS version 8.3.11.0. Though this guide contains information on protocols, it is not intended to be a complete reference.
Conventions
This document uses the following conventions to describe command syntax:
Convention   Description
keyword      Keywords are in bold and should be entered in the CLI as listed.
parameter    Parameters are in italics and require a number or word to be entered in the CLI.
{X}          Keywords and parameters within braces must be entered in the CLI.
[X]          Keywords and parameters within brackets are optional.
2 Configuration Fundamentals
The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
CLI Modes
Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; see The do Command on page 32). You can set user access rights to commands and command modes using privilege levels; for more information on privilege levels and security options, refer to Chapter 9, Security, on page 627.
Figure 2-2.
Table 2-1. FTOS Command Modes
CLI Command Mode   Prompt        Access Command
EXEC               FTOS>         Access the router through the console or Telnet.
EXEC Privilege     FTOS#         From EXEC mode, enter the command enable. From any other mode, use the command end.
CONFIGURATION      FTOS(conf)#   From EXEC Privilege mode, enter the command configure. From every mode except EXEC and EXEC Privilege, enter the command exit.
Note: Access all of the following modes from CONFIGURATION mode.
INTERFACE modes
IP ACCESS-LIST
LINE
The do Command
Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command do. Figure 2-4 illustrates the do command.
Note: The following commands cannot be modified by the do command: enable, disable, exit, and configure.
Figure 2-4.
Obtaining Help
Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
• Enter ? at the prompt or after a keyword to list the keywords available in the current mode.
• ? after a prompt lists all of the available keywords. The output of this command is the same for the help command.
Figure 2-6.
• The UP and DOWN arrow keys display previously entered commands (see Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line, as described in Table 2-2.
Table 2-2. Short-Cut Keys and their Actions
Key Combination   Action
CNTL-A            Moves the cursor to the beginning of the command line.
CNTL-B            Moves the cursor back one character.
CNTL-D            Deletes character at cursor.
Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering, and it is case sensitive unless the ignore-case sub-option is implemented. Starting with FTOS 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive.
• find displays the output of the show command beginning from the first occurrence of specified text.
Figure 2-11 shows this command used in combination with the command show linecard all.
Figure 2-11.
3 Getting Started
This chapter contains the following major sections:
• Default Configuration on page 38
• Configure a Host Name on page 39
• Access the System Remotely on page 39
• Configure the Enable Password on page 41
• Configuration File Management on page 42
• File System Management on page 46
When you power up the switch, the system performs a Power-On Self Test (POST) during which the system LED is amber.
To access the console port, follow the procedures below. Refer to Table 3-1 for the console port pinout.
Step   Task
1      Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the Z9000 console port to a terminal server.
2      Connect the other end of the cable to the DTE terminal server.
Configure a Host Name
The host name appears in the prompt. The default host name is FTOS.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
To configure a host name:
Step   Task                      Command Syntax   Command Mode
1      Create a new host name.   hostname name    CONFIGURATION
Figure 3-1 illustrates the hostname command.
Figure 3-1.
Configure the Management Port IP Address
Assign IP addresses to the management ports in order to access the system remotely.
Note: Assign different IP addresses to each RPM's management port on the E-Series and C-Series platforms.
To configure the management port IP address:
Step   Task                                             Command Syntax                           Command Mode
1      Enter INTERFACE mode for the Management port.    interface ManagementEthernet slot/port   CONFIGURATION
2      Assign an IP address to the interface.
To configure a username and password:
Step   Task                                                                 Command Syntax                                          Command Mode
1      Configure a username and password to access the system remotely.    username username password [encryption-type] password   CONFIGURATION
encryption-type specifies how you are inputting the password, is 0 by default, and is not required.
• 0 is for inputting the password in clear text.
• 7 is for inputting a password that is already encrypted using a Type 7 hash.
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode. The E-Series TeraScale and ExaScale platform architectures use Compact Flash for the internal and external Flash memory. It has a space limitation but does not limit the number of files it can contain.
Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• The internal flash memories on the RPMs are synchronized whenever there is a change, but only if both RPMs are running the same version of FTOS.
• When copying to a server, a hostname can only be used if a DNS server is configured.
• The usbflash command is supported on Z9000. Refer to your system's Release Notes for a list of approved USB vendors.
Task                                                                    Command Syntax                                  Command Mode
Save the running-configuration to:
  the startup-configuration on the internal flash of the primary RPM    copy running-config startup-config
  the internal flash on an RPM                                          copy running-config rpm{0|1}flash://filename
Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
The output of the command dir also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in Figure 3-4. Figure 3-4.
Figure 3-5. Tracking Changes with Configuration Comments
FTOS#show running-config
Current Configuration ...
! Version 8.3.11.0
! Last configuration change at Thu Apr 3 23:06:28 2008 by admin
! Startup-config last updated at Thu Apr 3 23:06:55 2008 by admin
!
boot system stack-unit 0 primary flash://FTOS-ZB-8.3.11.0.bin
boot system stack-unit 0 secondary flash://FTOS-ZB-8.3.11.1.bin
boot system stack-unit 0 default system: A:
boot system gateway x.x.x.
Figure 3-7. Alternative Storage Location
FTOS#cd slot0:
FTOS#copy running-config test
FTOS#copy run test
!
7419 bytes successfully copied
FTOS#dir
Directory of slot0:
  1  drwx  32768  Jan 01 1980 00:00:00  .
  2  drwx    512  Jul 23 2007 00:38:44  ..
  3  ----      0  Jan 01 1970 00:00:00
  4  -rw-   7419  Jul 23 2007 20:44:40  test
  5  ----      0  Jan 01 1970 00:00:00
  6  ----      0  Jan 01 1970 00:00:00
  7  ----      0  Jan 01 1970 00:00:00
  8  ----      0  Jan 01 1970 00:00:00
  9  ----      0  Jan 01 1970 00:00:00
No File System Specified
4 Management
Management is supported on platforms: e c s z
This chapter explains the different protocols or services used to manage the Dell Force10 system, including:
• Configure Privilege Levels
• Configure Logging
• File Transfer Services
• Terminal Lines
• Lock CONFIGURATION mode
• Recovering from a Forgotten Password on the S4810 and Z9000
• Recovering from a Failed Start on the S4810 and Z9000
Configure Privilege Levels
Privilege levels restrict access to commands based on user or terminal line.
A user can access all commands at his privilege level and below.
Removing a command from EXEC mode
Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, followed by the first keyword of each command to be restricted.
The following table lists the configuration tasks you can use to customize a privilege level:
Task                                                                  Command Syntax                                         Command Mode
Remove a command from the list of available commands in EXEC mode.    privilege exec level level {command ||...|| command}   CONFIGURATION
Move a command from EXEC Privilege to EXEC mode.                      privilege exec level level {command ||...|| command}   CONFIGURATION
Allow access to CONFIGURATION mode.
Create a Custom Privilege Level
FTOS(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
FTOS(conf)#do telnet 10.11.80.201
[telnet output omitted]
FTOS#show priv
Current privilege level is 3.
Apply a Privilege Level to a Username
To set a privilege level for a user:
Task                                     Command Syntax                      Command Mode
Configure a privilege level for a user.  username username privilege level   CONFIGURATION
Apply a Privilege Level to a Terminal Line
To set a privilege level for a terminal line:
Task                                              Command Syntax   Command Mode
Configure a privilege level for a terminal line.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
Send System Messages to a Syslog Server
Send system messages to a syslog server by specifying the server with the following command:
Task                                                                                                                Command Syntax                    Command Mode
Specify the server to which you want to send system messages. You can configure up to eight syslog servers.          logging {ip-address | hostname}   CONFIGURATION
Configure a Unix System as a Syslog Server
Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.
Task                                                                         Command Syntax          Command Mode
Specify the size of the logging buffer.                                      logging buffered size   CONFIGURATION
Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
Specify the number of messages that FTOS saves to its logging history table.
show logging Command
FTOS#show logging
syslog logging: enabled
    Console logging: level Debugging
    Monitor logging: level Debugging
    Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
    Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
Configure a UNIX logging facility level
You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command in CONFIGURATION mode:
Command Syntax                     Command Mode    Purpose
logging facility [facility-type]   CONFIGURATION   Specify one of the following parameters.
Synchronize log messages You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
To have FTOS include a timestamp with the syslog message, use the following command syntax in CONFIGURATION mode:
Command Syntax                                                                              Command Mode    Purpose
service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]     CONFIGURATION   Add timestamp to syslog messages. Specify the following optional parameters:
• datetime: You can add the keyword localtime to include the localtime, msec, and show-timezone.
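The following fragment is an added example, not taken from the guide. It combines the logging commands from the sections above (logging, logging buffered, logging facility, service timestamps) into one CONFIGURATION-mode sequence that forwards timestamped messages to an external collector, and shows the matching collector-side line. The collector address, buffer size, facility and log file path are constructed values; the syslog.conf line is standard syslogd syntax and is an assumption about the collector, which this excerpt of the guide does not spell out.

```text
! FTOS side, CONFIGURATION mode. 192.0.2.50 is a constructed placeholder for the collector.
! Forward messages to the collector (up to eight servers may be listed with repeated logging commands).
logging 192.0.2.50
! Enlarge the local buffer so that messages survive a brief collector outage.
! Note from the guide: shrinking the buffer later discards everything already stored in it.
logging buffered 65536
! Tag messages with a dedicated UNIX facility so the collector can route them to their own file.
logging facility local6
! Include date, time, milliseconds and timezone so events can be correlated across devices.
service timestamps log datetime msec show-timezone
! Collector side: one line added to /etc/syslog.conf on the UNIX host (assumed syslogd syntax).
local6.*    /var/log/ftos.log
```

Verify the device side with show logging from EXEC mode: the output lists each destination and its severity level (the Trap logging line is the one that governs what reaches the syslog server), and the tail of the output shows the buffered messages in the %FACILITY-SEVERITY-MNEMONIC form that the collector will receive.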
Enable FTP server
To enable the system as an FTP server, use the following command in CONFIGURATION mode:
Command Syntax      Command Mode    Purpose
ftp-server enable   CONFIGURATION   Enable FTP on the system.
To view the FTP configuration, use the command show running-config ftp in EXEC Privilege mode.
Configure FTP client parameters
To configure FTP client parameters, use the following commands in CONFIGURATION mode:
Command Syntax                        Command Mode    Purpose
ip ftp source-interface interface     CONFIGURATION   Enter the following keywords and slot/port or number information:
• For a Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
To apply an IP ACL to a line:
Task                           Command Syntax                  Command Mode
Apply an ACL to a VTY line.    ip access-class access-list     LINE
To view the configuration, enter the show config command in LINE mode, as shown in Applying an Access List to a VTY Line.
Applying an Access List to a VTY Line
FTOS(config-std-nacl)#show config
!
ip access-list standard myvtyacl
  seq 5 permit host 10.11.0.
To configure authentication for a terminal line:
Step   Task                                                                                                                                                                   Command Syntax   Command Mode
1      Create an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local, and the default method list is empty.
To change the timeout period or disable EXEC timeout:
Task                                                                                                                                                  Command Syntax                   Command Mode
Set the number of minutes and seconds. Default: 10 minutes on console, 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0.    exec-timeout minutes [seconds]   LINE
Return to the default timeout values.                                                                                                                 no exec-timeout                  LINE
View the configuration using the command show config from LINE mode.
Lock CONFIGURATION mode
FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). Two types of locks can be set: auto and manual.
• Set an auto-lock using the command configuration mode exclusive auto from CONFIGURATION mode. When you set an auto-lock, every time a user is in CONFIGURATION mode all other users are denied access.
Viewing the Configuration Lock Status If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the command show configuration lock from EXEC Privilege mode. You can then send any user a message using the send command from EXEC Privilege mode. Alternatively you can clear any line using the command clear from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
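As an added example (not from the guide), the fragment below ties together the management-plane controls described in this chapter: a hashed enable secret (the enable {secret | password} choice from the password-recovery procedure), a restricted custom privilege level with a username bound to it, a standard ACL applied to the VTY lines with ip access-class, a short exec-timeout, and the automatic CONFIGURATION-mode lock. The host addresses, account name and placeholder secrets are constructed. Two syntax details are assumptions rather than text from this excerpt: that the VTY lines are entered with line vty 0 9, and that username accepts password and privilege in one command.

```text
! Added example; constructed values. Enter from CONFIGURATION mode.
! 1. Prefer enable secret (stored hashed) over enable password (stored as a reversible Type 7 string).
enable secret 0 Replace-Me-Secret
! 2. An operator account pinned to privilege level 3 (combined username form is an assumption).
username netops password 0 Replace-Me-Pass privilege 3
! 3. Level 3 may enter CONFIGURATION mode and only the interface sub-mode; everything else stays at
!    its default level, so a level-3 login cannot, for example, change line or AAA settings.
privilege exec level 3 configure
privilege configure level 3 interface
! 4. Only the two management hosts may open a VTY session; FTOS ACLs end with an implicit deny.
ip access-list standard MGMT-HOSTS
 seq 5 permit host 192.0.2.10
 seq 10 permit host 192.0.2.11
 exit
! 5. Bind the ACL to all VTY lines and drop idle sessions after five minutes ("line vty 0 9" assumed).
line vty 0 9
 ip access-class MGMT-HOSTS
 exec-timeout 5 0
 exit
! 6. One user in CONFIGURATION mode at a time, so concurrent edits cannot silently overwrite each other.
configuration mode exclusive auto
```

After logging in as the restricted account, show priv should report level 3 and the configure command should be accepted while commands left at higher levels are not; show config from LINE mode shows the access class and timeout, and show configuration lock from EXEC Privilege mode reports who currently holds the lock when a second operator is refused entry.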
Step   Task                       Command Syntax                        Command Mode
11     Save the running-config.   copy running-config startup-config    EXEC Privilege
If you forget your password on the Z9000, use the following process:
Step   Task                                                                               Command Syntax
1      Log onto the system via console.
2      Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3      Press Esc when prompted to abort the boot process.
Recovering from a Forgotten Enable Password on the S4810 and Z9000
If you forget the enable password on the S4810:
Step   Task                                                                                                               Command Syntax                   Command Mode
1      Log onto the system via console.
2      Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3      Press any key to abort the boot process. You enter uBoot immediately on the S4810, as indicated by the => prompt.   Press any key (during bootup)
Note: You must enter the CLI commands.
Step   Task                                             Command Syntax                        Command Mode
7      Configure a new enable password.                 enable {secret | password}            CONFIGURATION
8      Save the running-config to the startup-config.   copy running-config startup-config    EXEC Privilege
Recovering from a Failed Start on the S4810 and Z9000
A system that does not start correctly might be attempting to boot from a corrupted FTOS image or from a mis-specified location.
5 802.1X
802.1X is supported on platforms: e c s z
Protocol Overview
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 5-1.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge. The Access-Challenge is a request that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5.
Figure 5-3. RADIUS Frame Format
(Fields shown in the figure: Code; Identifier; Length; Message-Authenticator; Attribute Type (79) EAP-Message; Attribute Length; EAP-Method Data (Supplicant Requested Credentials). Range: 1-4. Codes: 1: Access-Request, 2: Access-Accept, 3: Access-Reject, 11: Access-Challenge.)
RADIUS Attributes for 802.1X Support
Dell Force10 systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Configuring 802.1X
Configuring 802.1X on a port is a two-step process:
1. Enable 802.1X globally. See page 75.
2. Enable 802.1X on an interface. See page 75.
Related Configuration Tasks
• Configuring Request Identity Re-transmissions on page 77
• Configuring Port-control on page 80
• Re-authenticating a Port on page 80
• Configuring Timeouts on page 81
• Configuring a Guest VLAN on page 84
• Configuring an Authentication-fail VLAN on page 84
Important Points to Remember
• FTOS supports 802.
Figure 5-4. Enabling 802.1X
To enable 802.1X:
Step   Task                                                              Command Syntax         Command Mode
1      Enable 802.1X globally.                                           dot1x authentication   CONFIGURATION
2      Enter INTERFACE mode on an interface or a range of interfaces.    interface [range]      INTERFACE
3      Enable 802.1X on an interface or a range of interfaces.           dot1x authentication   INTERFACE
Verify that 802.
View 802.1X configuration information for an interface using the command show dot1x interface, as shown in Figure 5-6.
Figure 5-6. Verifying 802.1X Interface Configuration
FTOS#show dot1x interface gigabitethernet 2/1
802.
To configure a maximum number of Request Identity re-transmissions:
Step   Task                                                                                                                               Command Syntax             Command Mode
1      Configure a maximum number of times that a Request Identity frame can be re-transmitted by the authenticator. Range: 1-10. Default: 2.   dot1x max-eap-req number   INTERFACE
Figure 5-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Figure 5-7. Configuring Request Identity Re-transmissions
FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90
FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10
FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120
FTOS#show dot1x interface gigabitethernet 2/1
802.
Figure 5-8. Configuring Port-control
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
Figure 5-9. Configuring a Reauthentication Period
FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200
FTOS(conf-if-gi-2/1)#dot1x reauth-max 10
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
Figure 5-10. Configuring a Timeout
FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized
FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
Figure 5-11. Dynamic VLAN Assignment with 802.1X Guest and Authentication-fail VLANs

Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it either in the VLAN for which the port is configured or in the VLAN that the authentication server indicates in the authentication data.
Note: Ports cannot be dynamically assigned to the default VLAN.
The Guest VLAN 802.1X extension addresses this limitation for devices that are not 802.1X capable, and the Authentication-fail VLAN 802.1X extension addresses this limitation for external users.
• If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN.
• If a port is already forwarding on the Guest VLAN when 802.
Figure 5-13. Configuring an Authentication-fail VLAN
FTOS(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5
FTOS(conf-if-gi-1/2)#show config
!
interface GigabitEthernet 1/2
 switchport
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
FTOS(conf-if-gi-1/2)#

View your configuration using the show config command from INTERFACE mode, as shown in Figure 5-12, or using the show dot1x interface command from EXEC Privilege mode, as shown in Figure 5-14.
Figure 5-14.
6 Access Control Lists (ACLs)

The Access Control Lists (ACLs) chapter also includes prefix lists and route maps.
ACLs are supported on platforms: e c s z
Ingress IP and MAC ACLs are supported on platforms: e c s z
Egress IP and MAC ACLs are supported on platforms: e z

Overview
At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix lists, and Route-maps.
• Configuring Ingress ACLs
• Configuring Egress ACLs
• Configuring ACLs to Loopback
  • Applying an ACL on Loopback Interfaces
• IP Prefix Lists
• ACL Resequencing
• Route Maps on page 113

IP Access Control Lists (ACLs)
In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
CAM optimization is supported on platforms: c s z

CAM Profiling
CAM Profiling is supported on platforms: e t
The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP rules with port range options might require more than one CAM entry.
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated.
The default CAM Allocation settings on a C-Series are:
• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
The ipv6acl allocation must be entered as a multiple of 2 (2, 4, 6, 8, or 10).
Implementing ACLs on FTOS One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL. If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended.
ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM.

IP fragments ACL examples
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule is never hit.
To log all denied packets and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following.
FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp any any fragment
FTOS(conf-ext-nacl)#permit udp any any fragment
FTOS(conf-ext-nacl)#deny ip any any log
FTOS(conf-ext-nacl)#
Note the following when configuring ACLs with the fragments keyword.
Step 2. seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments] (CONFIG-STD-NACL mode). Configure a drop or forward filter. The parameters are:
• log and monitor options are supported on E-Series only.
Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
To configure a filter without a specified sequence number, use these commands in the following sequence, starting in CONFIGURATION mode:
Step 1. ip access-list standard access-list-name (CONFIGURATION mode). Create a standard IP ACL and assign it a unique name.
Step 2. {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments] (CONFIG-STD-NACL mode). Configure a drop or forward IP ACL filter.
Configure an extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Since traffic passes through the filter in the order of the filter’s sequence, you can configure the extended IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to the filter. Note: On E-Series ExaScale systems, TCP ACL flags are not supported in an extended ACL with IPv6 microcode.
Step 2. seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments] (CONFIG-EXT-NACL mode). Configure an extended IP ACL filter for TCP packets.
• log and monitor options are supported on E-Series only. When you use the log keyword, the CP processor logs details about the packets that match.
Configure filters without sequence number
If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. FTOS assigns sequence numbers in multiples of 5.
Configuring Layer 2 and Layer 3 ACLs on an Interface
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply:
• The packets routed by FTOS are governed by the L3 ACL only, since they are not filtered against an L2 ACL.
• The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you can take ACL “ABCD” and apply it using the in keyword and it becomes an ingress access list. If you apply the same ACL using the out keyword, it becomes an egress access list. If you apply the same ACL to the loopback interface, it becomes a loopback access list.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL entries. E-Series supports packet and byte counts simultaneously. C-Series and S-Series support only one at any given time.
To view the number of packets matching an ACL that is applied to an interface:
Step 1. Create an ACL that uses rules with the count option.
Configuring Egress ACLs
Egress ACLs are supported on platforms: e z
Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs on physical interfaces protects the system infrastructure from attack—malicious and incidental—by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs to each interface and achieve the same results. Because they localize the target traffic, they are simpler to implement.
Egress Layer 3 ACL Lookup for Control-plane IP Traffic
By default, packets originated from the system are not filtered by egress ACLs. If you initiate a ping session from the system, for example, and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the offending rule is not actually installed in CAM. See also Loopback Interfaces in the Interfaces chapter.
Note: See also the section VTY Line Local Authentication and Authorization on page 746.

IP Prefix Lists
Prefix Lists are supported on platforms: c e s z
IP prefix lists control routing policy. An IP prefix list is a series of sequential filters, each containing a matching criterion (examine the IP route prefix) and an action (permit or deny) to process routes.
Configuration Task List for Prefix Lists To configure a prefix list, you must use commands in the PREFIX LIST, the ROUTER RIP, ROUTER OSPF, and ROUTER BGP modes. Basically, you create the prefix list in the PREFIX LIST mode, and assign that list to commands in the ROUTER RIP, ROUTER OSPF and ROUTER BGP modes.
Figure 6-13. Command Example: seq
FTOS(conf-nprefixl)#seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#seq 12 deny 134.23.0.0 /16
FTOS(conf-nprefixl)#seq 15 deny 120.23.14.0 /8 le 16
FTOS(conf-nprefixl)#show config
!
ip prefix-list juba
 seq 12 deny 134.23.0.0/16
 seq 15 deny 120.0.0.0/8 le 16
 seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#
Note that the last line in the prefix list juba contains a “permit all” statement.
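The prefix list juba above, evaluated the way the text describes (filters tried in seq order, first match decides, implicit deny at the end). This is an added example in Python, not FTOS code; it reproduces the show config ordering and the normalization of 120.23.14.0 /8 to 120.0.0.0/8, and the ge/le length-range rule it applies is the standard prefix-list semantics rather than something this page states.

```python
"""Evaluate an FTOS-style IP prefix list against candidate routes.
Added example; not FTOS code. Entries are tried in ascending seq order, the
first match decides, and a route matching no entry is denied (implicit deny).
Without ge/le an entry matches only the exact prefix length; `le N` widens
that to lengths up to N and `ge N` to lengths from N upwards."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

_ENTRY_RE = re.compile(
    r"^seq\s+(\d+)\s+(permit|deny)\s+(\S+?)\s*/\s*(\d+)"
    r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?\s*$")


@dataclass
class PrefixEntry:
    seq: int
    action: str
    network: ipaddress.IPv4Network   # host bits cleared, as show config displays it
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_bounds(self):
        """Prefix lengths this entry accepts: exact length unless ge/le widen it."""
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = self.network.max_prefixlen
        else:
            hi = self.network.prefixlen
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_bounds()
        return route.subnet_of(self.network) and lo <= route.prefixlen <= hi

    def render(self) -> str:
        text = f"seq {self.seq} {self.action} {self.network}"
        if self.ge is not None:
            text += f" ge {self.ge}"
        if self.le is not None:
            text += f" le {self.le}"
        return text


def parse_prefix_list(lines: List[str]) -> List[PrefixEntry]:
    """Parse `seq ...` lines as typed in PREFIX LIST mode, in any order."""
    entries = []
    for line in lines:
        m = _ENTRY_RE.match(line.strip())
        if not m:
            raise ValueError(f"cannot parse prefix-list entry: {line!r}")
        seq, action, addr, plen, ge, le = m.groups()
        # strict=False clears host bits, so 120.23.14.0 /8 is stored as 120.0.0.0/8
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        entries.append(PrefixEntry(int(seq), action, net,
                                   int(ge) if ge else None,
                                   int(le) if le else None))
    return sorted(entries, key=lambda e: e.seq)


def show_config(name: str, entries: List[PrefixEntry]) -> List[str]:
    """Render the list the way show config prints it: sorted by seq."""
    return [f"ip prefix-list {name}"] + [" " + e.render() for e in entries]


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """Return 'permit' or 'deny' for a route such as '134.23.5.0/24'."""
    target = ipaddress.ip_network(route, strict=False)
    for entry in entries:          # entries are already in seq order
        if entry.matches(target):
            return entry.action
    return "deny"                  # no entry matched: implicit deny


# The prefix list juba from Figure 6-13, entered in the same order as there.
JUBA = parse_prefix_list([
    "seq 20 permit 0.0.0.0/0 le 32",
    "seq 12 deny 134.23.0.0 /16",
    "seq 15 deny 120.23.14.0 /8 le 16",
])

if __name__ == "__main__":
    print("\n".join(show_config("juba", JUBA)))
    for r in ("134.23.0.0/16", "134.23.5.0/24", "120.16.0.0/12", "120.1.0.0/24"):
        print(f"{r:16} -> {evaluate(JUBA, r)}")
```

Note that seq 12 has no le keyword, so it denies only the exact prefix 134.23.0.0/16; the more specific 134.23.5.0/24 falls through to the permit-all entry.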
To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence number of the filter you want to delete; then use the no seq sequence-number command in PREFIX LIST mode.
To view all configured prefix lists, use either of the following commands in EXEC mode:
show ip prefix-list detail [prefix-name] (EXEC Privilege mode): Show detailed information about configured prefix lists.
To apply a filter to routes in RIP (RIP is supported on C-Series and E-Series), use either of the following commands in ROUTER RIP mode:
router rip (CONFIGURATION mode): Enter RIP mode.
distribute-list prefix-list-name in [interface] (CONFIG-ROUTER-RIP mode): Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a nonexistent prefix list, all routes are forwarded.
Figure 6-18. Command Example: show config in ROUTER OSPF Mode
FTOS(conf-router_ospf)#show config
!
router ospf 34
 network 10.2.1.1 255.255.255.255 area 0.0.0.1
 distribute-list prefix awe in
FTOS(conf-router_ospf)#

ACL Resequencing
ACL Resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order.
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the appropriate command in Table 6-5. You must specify the list name, starting number, and increment when using these commands.
Table 6-5.
Figure 6-20. Resequencing Remarks
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
 remark 4 XYZ
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.1
 remark 9 ABC
 remark 10 this remark corresponds to permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.2
 seq 15 permit ip any host 1.1.1.3
 seq 20 permit ip any host 1.1.1.
• When two or more match clauses within the same route-map sequence use different match commands, matching a packet against these clauses is a logical AND operation.
• If no match is found in a route-map sequence, the process moves to the next route-map sequence until a match is found or there are no more sequences.
• When a match is found, the packet is forwarded; no more route-map sequences are processed.
Figure 6-21. Command Example: show config in the ROUTE-MAP Mode
FTOS(config-route-map)#show config
!
route-map dilling permit 10
FTOS(config-route-map)#

You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order. FTOS processes the route maps with the lowest sequence number first. When a configured route map is applied to a command, like redistribute, traffic passes through all instances of that route map until a match is found.
Figure 6-24. Command Example: show route-map
FTOS#show route-map dilling
route-map dilling, permit, sequence 10
  Match clauses:
  Set clauses:
route-map dilling, permit, sequence 15
  Match clauses:
    interface Loopback 23
  Set clauses:
    tag 3444
FTOS#

To delete a route map, use the no route-map map-name command in CONFIGURATION mode.

Configure route map filters
Within ROUTE-MAP mode, there are match and set commands.
Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map.
match ipv6 address prefix-list-name (CONFIG-ROUTE-MAP mode): Match destination routes specified in a prefix list (IPv6).
match ip next-hop {access-list-name | prefix-list prefix-list-name} (CONFIG-ROUTE-MAP mode): Match next-hop routes specified in a prefix list (IPv4).
match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} (CONFIG-ROUTE-MAP mode): Match next-hop routes specified in a prefix list (IPv6).
set tag tag-value (CONFIG-ROUTE-MAP mode): Specify a tag for the redistributed routes.
set weight value (CONFIG-ROUTE-MAP mode): Specify a value as the route’s weight.
Use these commands to create route map instances. There is no limit to the number of set and match commands per route map, but the convention is to keep the number of match and set filters in a route map low. Set commands do not require a corresponding match command.
Configure a route map for route tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged and that tag is passed along with the route as it passes through different routing protocols. This tag can then be used when the route leaves a routing domain to redistribute those routes again.
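The route-map rules from the section above (AND across match commands, lowest sequence first, first match decides, implicit deny) and the route-tagging idea just described, as an added Python example that is not FTOS code. It replays route-map dilling exactly as Figure 6-24 shows it, which makes visible that an instance with no match clause swallows every route so the tagging instance behind it is never reached; the reordered dilling, the export route map, and the Route fields are constructed for the example. Treating the values listed under a single match command as alternatives is standard route-map behaviour, not something this page states.

```python
"""Route-map evaluation as the text describes it. Added example; not FTOS code.
Match commands inside one instance are ANDed; an instance with no match clause
matches every route; instances are tried in ascending sequence order and the
first match decides; a route matching no instance is denied (implicit deny)."""
from dataclasses import dataclass, field, replace
from typing import Any, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    interface: str        # interface the route was learned on
    tag: int = 0          # route tag; 0 means untagged


@dataclass
class RouteMapInstance:
    seq: int
    action: str                                                # "permit" or "deny"
    match: Dict[str, Set[Any]] = field(default_factory=dict)   # match command -> values
    sets: Dict[str, Any] = field(default_factory=dict)         # set command -> value

    def matches(self, route: Route) -> bool:
        # Different match commands are a logical AND; the values listed under one
        # command are alternatives (any one of them satisfies that command).
        return all(getattr(route, attr) in values
                   for attr, values in self.match.items())


def apply_route_map(instances: List[RouteMapInstance],
                    route: Route) -> Tuple[str, Route, Optional[int]]:
    """Return (decision, possibly modified route, seq of the deciding instance)."""
    for inst in sorted(instances, key=lambda i: i.seq):
        if not inst.matches(route):
            continue                      # fall through to the next instance
        if inst.action == "deny":
            return "deny", route, inst.seq
        return "permit", replace(route, **inst.sets), inst.seq
    return "deny", route, None            # no instance matched: implicit deny


# Route-map dilling exactly as Figure 6-24 shows it: sequence 10 has no match
# clause, so it permits every route and sequence 15 (the tagging instance) is
# never reached.
DILLING_AS_SHOWN = [
    RouteMapInstance(10, "permit"),
    RouteMapInstance(15, "permit", {"interface": {"Loopback 23"}}, {"tag": 3444}),
]

# Constructed reordering (not from the page): tag Loopback 23 routes first,
# then permit everything else untouched.
DILLING_TAG_FIRST = [
    RouteMapInstance(10, "permit", {"interface": {"Loopback 23"}}, {"tag": 3444}),
    RouteMapInstance(20, "permit"),
]

# Constructed route map for the redistribution side of route tagging: only
# routes carrying tag 3444 leave this routing domain.
EXPORT_TAGGED = [RouteMapInstance(10, "permit", {"tag": {3444}})]


def tag_then_export(route: Route) -> Tuple[str, Route]:
    """Tag on entry with DILLING_TAG_FIRST, then filter on exit with EXPORT_TAGGED."""
    _, tagged, _ = apply_route_map(DILLING_TAG_FIRST, route)
    decision, out, _ = apply_route_map(EXPORT_TAGGED, tagged)
    return decision, out


if __name__ == "__main__":
    for r in (Route("10.23.0.0/24", "Loopback 23"), Route("10.99.0.0/24", "GigabitEthernet 2/1")):
        print(r.prefix, "as shown:", apply_route_map(DILLING_AS_SHOWN, r)[0],
              "| tag first then export:", tag_then_export(r)[0])
```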
7 Bidirectional Forwarding Detection (BFD)

Bidirectional Forwarding Detection (BFD) is supported only on platforms: e c z

Protocol Overview
Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used.
How BFD Works
Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals.
Note: FTOS does not support multi-hop BFD sessions.
[Figure residue: BFD control packet carried in an Ethernet/IP/UDP frame. Ethernet header: Preamble, Start Frame Delimiter, Destination MAC, Source MAC, Ethernet Type. IP header: Version (4), IHL, TOS, Total Length, Flags, Frag Offset, TTL (255), Protocol, Header Checksum, Source and Destination IP Address, Options, Padding. UDP header: Source Port, Destination Port (3784), Length, Checksum. BFD control packet: Version (1), Diag Code, State, Flags, Detect Mult, Length, My Discriminator, Your Discriminator (random number generated by the remote system to identify a session), Desired Min TX Interval, Required Min RX Interval, Required Min Echo RX Interval (the minimum interval between Echo pac
Table 7-1. BFD Packet Fields
Field: Diagnostic Code. Description: The reason that the last session failed.
Field: State. Description: The current local session state. See BFD sessions.
Field: Flag. Description: A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response.
• Active—The active system initiates the BFD session. Both systems can be active for the same session.
• Passive—The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
A BFD session has two modes:
• Asynchronous mode—In Asynchronous mode, both systems send periodic control messages at an agreed upon interval to indicate that their session status is Up.
4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—one that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change. After this, periodic control packets are exchanged.
Figure 7-2.
Figure 7-3. BFD State Machine (current session state and packet received, giving the new state)
• Down: Down received, go to Init; Init received, go to Up; Up or Admin Down received, or detection timer expiry, stay Down.
• Init: Init or Up received, go to Up; Admin Down received, or detection timer expiry, go to Down.
• Up: Up or Init received, stay Up; Down or Admin Down received, or detection timer expiry, go to Down.

Important Points to Remember
• BFD for line card ports is hitless, but it is not hitless for VLANs since they are instantiated on the RPM.
• FTOS supports a maximum of 100 sessions per BFD agent.
• Troubleshooting BFD

Configuring BFD for Physical Ports
Configuring BFD for Physical Ports is supported on C-Series and E-Series only.
BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
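The three-way handshake and the Figure 7-3 transition table from the section above, replayed in an added Python example that is not FTOS code. It also shows the teardown behaviour the later sections describe (a final Admin Down packet moves the remote session to Down) and the asynchronous-mode detection time, whose formula is taken from RFC 5880 section 6.8.4 rather than from this page; the router names and the interval values are constructed to match the defaults shown in the session displays (100 ms, multiplier 3).

```python
"""BFD session state machine and three-way handshake. Added example; not FTOS
code. State transitions follow Figure 7-3; the detection-time rule is from
RFC 5880 section 6.8.4."""
from enum import Enum
from typing import List, Tuple


class State(Enum):
    ADMIN_DOWN = "Admin Down"
    DOWN = "Down"
    INIT = "Init"
    UP = "Up"


class BfdSession:
    def __init__(self, name: str, role: str, tx_interval_ms: int = 100,
                 min_rx_ms: int = 100, multiplier: int = 3) -> None:
        self.name, self.role = name, role        # role: "active" or "passive"
        self.tx_interval_ms = tx_interval_ms     # Desired Min TX Interval
        self.min_rx_ms = min_rx_ms               # Required Min RX Interval
        self.multiplier = multiplier             # Detect Mult
        self.state = State.DOWN                  # every session starts Down

    def on_receive(self, received: State) -> State:
        """Apply the Figure 7-3 table to a control packet carrying `received`."""
        if self.state is State.ADMIN_DOWN:
            return self.state                    # administratively held down
        if received is State.ADMIN_DOWN:
            self.state = State.DOWN              # remote sent its final Admin Down
        elif self.state is State.DOWN:
            if received is State.DOWN:
                self.state = State.INIT
            elif received is State.INIT:
                self.state = State.UP
            # Up received while Down: stay Down
        elif self.state is State.INIT:
            if received in (State.INIT, State.UP):
                self.state = State.UP
        elif self.state is State.UP:
            if received is State.DOWN:
                self.state = State.DOWN
        return self.state

    def on_timer_expiry(self) -> State:
        """No control packet within the detection time: Init and Up fall to Down."""
        if self.state in (State.INIT, State.UP):
            self.state = State.DOWN
        return self.state

    def admin_down(self) -> State:
        """Operator disables BFD; the packet announcing this carries Admin Down."""
        self.state = State.ADMIN_DOWN
        return self.state


def detection_time_ms(local: BfdSession, remote: BfdSession) -> int:
    """Detection time at `local` in asynchronous mode (RFC 5880 6.8.4): the
    remote Detect Mult times the slower of local Required Min RX and remote
    Desired Min TX."""
    return remote.multiplier * max(local.min_rx_ms, remote.tx_interval_ms)


def three_way_handshake(active: BfdSession,
                        passive: BfdSession) -> List[Tuple[str, State]]:
    """Replay the handshake described in the text; returns the packets sent."""
    packets = []
    # 1. The active system sends a control packet advertising its Down state.
    packets.append((active.name, active.state))
    # 2. The passive system receives it, moves to Init and says so.
    passive.on_receive(active.state)
    packets.append((passive.name, passive.state))
    # 3. The active system receives Init, moves to Up and says so.
    active.on_receive(passive.state)
    packets.append((active.name, active.state))
    # 4. The passive system receives Up, moves to Up and sends its final response.
    passive.on_receive(active.state)
    packets.append((passive.name, passive.state))
    return packets


if __name__ == "__main__":
    r1 = BfdSession("R1", "active")
    r2 = BfdSession("R2", "passive", multiplier=4)     # as in Figure 7-8
    for sender, state in three_way_handshake(r1, r2):
        print(f"{sender} sends {state.value}")
    print("R1 detection time:", detection_time_ms(r1, r2), "ms")
```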
Establishing a session on physical ports
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match.
Figure 7-5. Establishing a BFD Session for Physical Ports
R1: ACTIVE Role, port 4/24    R2: ACTIVE Role, port 2/1
FTOS(config)# bfd enable
FTOS(config)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.
Figure 7-7. Viewing Session Details
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
Figure 7-8. Changing Session Parameters for Physical Ports
R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive
R1(conf-if-gi-4/24)#do show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 2.2.2.1
Local MAC Addr: 00:01:e8:09:c3:e5
Remote Addr: 2.2.2.
To re-enable BFD on an interface:
Step 1. Enable BFD on an interface. Command: bfd enable (INTERFACE mode)

Configuring BFD for Static Routes
Configuring BFD for Static Routes is supported on C-Series and E-Series only.
BFD gives systems a link state detection mechanism for static routes.
To establish a BFD session:
Step 1. Establish BFD sessions for all neighbors that are the next hop of a static route. Command: ip route bfd (CONFIGURATION mode)
Verify that sessions have been created for static routes using the command show bfd neighbors, as shown in the following illustration. View detailed session information using the command show bfd neighbors detail, as shown in Figure 7-8.
Figure 7-10. Viewing Established Sessions for Static Routes
R1(conf)#ip route 2.2.3.
Disabling BFD for static routes
If BFD is disabled, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state (Message 3).
To disable BFD for static routes:
Step 1. Disable BFD for static routes.
Figure 7-11. Establishing Sessions with OSPF Neighbors
FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24
FTOS(conf-if-gi-2/1)# no shutdown
FTOS(conf-if-gi-2/1)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf)# network 2.2.2.0/24 area 0
FTOS(config-router_ospf)# bfd all-neighbors

FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24
FTOS(conf-if-gi-2/2)# no shutdown
FTOS(conf-if-gi-2/2)# exit
FTOS(config)# router ospf 1
FTOS(config-router_ospf)# network 2.2.3.
View the established sessions using the command show bfd neighbors, as shown in the following illustration.
Figure 7-12. Viewing Established Sessions for OSPF Neighbors
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* Ad Dn C I O R - Active session role Admin Down CLI ISIS OSPF Static Route (RTM)
LocalAddr    RemoteAddr
* 2.2.2.2    2.2.2.
Disabling BFD for OSPF If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
Figure 7-13. Establishing Sessions with IS-IS Neighbors
FTOS(conf)# router isis
FTOS(conf-router_isis)# net 02.1921.6800.2002.00
FTOS(conf-router_isis)# interface gigabitethernet 2/1
FTOS(conf-if-gi-2/1)#ip address 2.2.2.2/24
FTOS(config-if-gi-2/1)# ip router isis
FTOS(config-if-gi-2/1)# exit

FTOS(conf)# router isis
FTOS(conf-router_isis)# bfd all-neighbors
FTOS(conf-router_isis)# interface gigabitethernet 2/2
FTOS(conf-if-gi-2/2)#ip address 2.2.3.
Figure 7-14. Viewing Established Sessions for IS-IS Neighbors
R2(conf-router_isis)#bfd all-neighbors
R2(conf-router_isis)#do show bfd neighbors
* Ad Dn C I O R - Active session role Admin Down CLI ISIS OSPF Static Route (RTM)
IS-IS BFD Sessions Enabled
LocalAddr    RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1     Gi 2/1     Up     100     100     3     I

Changing IS-IS session parameters
BFD sessions are configured with default intervals and a default role.
Disabling BFD for IS-IS
If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Remote System State Change due to Local State Admin Down). Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system.
Figure 7-15. BFD Session Between BGP Neighbors [figure residue: Interior BGP on each side; Router 2 port 1/1 at 2.2.4.3; Router 1 port 2/2 at 2.2.4.
As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure.
To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
The following examples show the BFD for BGP output displayed for these show commands.
Figure 7-16. Verifying a BFD for BGP Configuration: show running-config bgp Command
R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 no shutdown
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 no shutdown
 neighbor 3.3.3.2 remote-as 1
 neighbor 3.3.3.2 no shutdown
 bfd all-neighbors
Figure 7-17.
Figure 7-18. Verifying BFD Sessions with BGP Neighbors: show bfd neighbors detail Command
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
Figure 7-19.
Figure 7-21. Displaying Routing Sessions with BGP Neighbors: show ip bgp neighbors Command
R2# show ip bgp neighbors 2.2.2.2
BGP neighbor is 2.2.2.2, remote AS 1, external link
  BGP version 4, remote router ID 12.0.0.
Configuring BFD for VRRP
BFD for VRRP is only supported on platforms: e c
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1.
To establish sessions with all VRRP neighbors:
Step 1. Establish sessions with all VRRP neighbors. Command: vrrp bfd all-neighbors (INTERFACE mode)

Establishing VRRP sessions on VRRP neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. Therefore, VRRP BFD sessions on the backup router cannot change to the UP state.
Figure 7-24. Viewing Established Sessions for VRRP Neighbors
R1(conf-if-gi-4/25)#do show vrrp
------------------
GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.2
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 2.2.5.4
Authentication: (none)
BFD Neighbors:
VRRP BFD Session
RemoteAddr  State
2.2.5.
To disable all VRRP sessions on an interface:
Step 1. Disable all VRRP sessions on an interface. Command: no vrrp bfd all-neighbors (INTERFACE mode)
To disable all VRRP sessions in a particular VRRP group:
Step 1. Disable all VRRP sessions in a VRRP group. Command: bfd disable (VRRP mode)
Disable a particular VRRP session on an interface.
Establishing sessions with VLAN neighbors
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration. The session parameters do not need to match.
Figure 7-25. Establishing Sessions with VLAN Neighbors
R1 port 4/25    VLAN 200    R2 port 2/3
FTOS(config-if-gi-4/25)# switchport
FTOS(config-if-gi-4/25)# no shutdown
FTOS(config-if-gi-4/25)# interface vlan 200
FTOS(config-if-vl-200)# ip address 2.2.3.
Changing session parameters BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured per interface; if a configuration change is made, the change affects all sessions on that interface.
Configuring BFD for port-channels is a two-step process:
1. Enable BFD globally on all participating routers. See Enabling BFD globally.
2. Enable BFD at interface level at both ends of the port-channel.
Related configuration tasks
• Change session parameters.
• Disable BFD on a port-channel.

Establishing sessions on port-channels
To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration.
Figure 7-28. Viewing Established Sessions for VLAN Neighbors
R2(conf-if-po-1)#bfd neighbors 2.2.2.1
R2(conf-if-po-1)#do show bfd neighbors
* Ad Dn C I O R V - Active session role Admin Down CLI ISIS Port-channel OSPF Static Route (RTM) VRRP
BFD Sessions
LocalAddr    RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1     Po 1       Up     100     100     3     C

Changing port-channel session parameters
BFD sessions are configured with default intervals and a default role.
Configuring Protocol Liveness
Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message 3).
8 Border Gateway Protocol

Platforms support BGP according to the following table:
FTOS version                    Platform support
IPv4: 8.3.11.2, IPv6: 9.0.0.0   Z9000 (z)
8.3.7.0                         S4810 (s)
8.1.1.0                         E-Series ExaScale (ex)
7.8.1.0                         S-Series (s)
7.7.1.0                         C-Series (c)
pre-7.7.1.0                     E-Series TeraScale (et)

This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Force10 Operating System (FTOS).
A stub AS is one that is connected to only one other AS. A transit AS is one that provides connections through itself to separate networks. For example, as seen in Figure 8-1, Router 1 can use Router 2 (the transit AS) to connect to Router 4. ISPs are always transit ASs, because they provide connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, hence the term Transit AS.
Figure 8-2. Full Mesh Examples [figure residue: full-mesh topologies of 4, 6, and 8 routers]
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.

Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.

Establishing a session
Information exchange between peers is driven by events and timers.
In order to make decisions in its operations with other BGP peers, a BGP peer uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in. The BGP protocol defines the messages that each peer should exchange in order to change the session from one state to another. The first state is the Idle mode.
• If a route was received from a nonclient peer, reflect the route to all client peers.
• If the route was received from a client peer, reflect the route to all nonclient and all client peers.

To illustrate how these rules affect routing, see Figure 8-3 and the following steps. Routers B, C, D, E, and G are members of the same AS, AS100. These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector.
BGP Attributes Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
Figure 8-4. BGP Best Path Selection (flow chart; each step falls through to the next when it does not result in a single route)
  1. Largest Weight
  2. Highest Local Pref
  3. Locally Originated Path
  4. Shortest AS Path
  5. Lowest Origin Code
  6. Lowest MED
  7. Learned via EBGP
  8. Lowest NEXT-HOP Cost
  Tie breakers: Shortest Cluster List, From Lowest BGP ID, Lowest Peering Addr
  A single route is selected and installed in the forwarding table.

Best Path selection details
1. Prefer the path with the largest WEIGHT attribute.
2.
• AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the AS_CONFED_SEQUENCE.
5. Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than INCOMPLETE).
6. Prefer the path with the lowest Multi-Exit Discriminator (MED) attribute. The following criteria apply:
• This comparison is only done if the first (neighboring) AS is the same in the two paths; the MEDs are compared only if the first AS in the AS_SEQUENCE is the same for both paths.
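The selection order above, carried through in code as an added example (this is not FTOS code, and the three candidate paths are constructed for illustration): a pairwise comparison that stops at the first step that separates two paths, with the MED step honoured only when both paths enter through the same neighboring AS unless the always-compare-med behaviour is switched on. The attribute names and the sample router IDs are assumptions made for the example.

```python
# Added example (not FTOS code): BGP best-path selection in the order the
# chapter lists it. Paths are constructed objects; nothing here reads a real RIB.
import ipaddress
from dataclasses import dataclass, field

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Path:
    router_id: str                      # BGP ID of the advertising peer
    neighbor_as: int                    # first AS on the path, used for the MED rule
    as_path: list = field(default_factory=list)  # segments: (type, [asn, ...])
    weight: int = 0
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    nexthop_cost: int = 0               # IGP metric to reach NEXT_HOP
    cluster_list_len: int = 0
    peer_addr: str = "0.0.0.0"


def as_path_length(segments):
    # AS_SEQUENCE counts every AS; AS_SET and AS_CONFED_SEQUENCE count as 1,
    # as the chapter states for AS_CONFED_SEQUENCE.
    return sum(len(asns) if kind == "AS_SEQUENCE" else 1 for kind, asns in segments)


def compare(a, b, always_compare_med=False):
    """Return (winner, deciding_step). On a full tie the incumbent `a` is kept."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local_pref"
    if a.locally_originated != b.locally_originated:
        return (a if a.locally_originated else b), "locally originated"
    la, lb = as_path_length(a.as_path), as_path_length(b.as_path)
    if la != lb:
        return (a if la < lb else b), "as_path length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only comparable between paths from the same neighboring AS unless
    # bgp always-compare-med is enabled.
    if (always_compare_med or a.neighbor_as == b.neighbor_as) and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "ebgp over ibgp"
    if a.nexthop_cost != b.nexthop_cost:
        return (a if a.nexthop_cost < b.nexthop_cost else b), "nexthop cost"
    if a.cluster_list_len != b.cluster_list_len:
        return (a if a.cluster_list_len < b.cluster_list_len else b), "cluster list"
    ra, rb = ipaddress.ip_address(a.router_id), ipaddress.ip_address(b.router_id)
    if ra != rb:
        return (a if ra < rb else b), "router id"
    pa, pb = ipaddress.ip_address(a.peer_addr), ipaddress.ip_address(b.peer_addr)
    if pa != pb:
        return (a if pa < pb else b), "peering address"
    return a, "tie"


def best_path(paths, always_compare_med=False):
    best = paths[0]
    for candidate in paths[1:]:
        best, _ = compare(best, candidate, always_compare_med)
    return best


def sample_paths():
    """Three constructed paths to one prefix (not taken from any real table)."""
    return [
        Path("10.0.0.1", 64501, [("AS_SEQUENCE", [64501, 64510])], med=50),
        Path("10.0.0.2", 64502, [("AS_SEQUENCE", [64502, 64510])], med=10),
        Path("10.0.0.3", 64502, [("AS_SEQUENCE", [64502]), ("AS_SET", [64510, 64511])], med=5),
    ]


if __name__ == "__main__":
    p = sample_paths()
    print("default:", best_path(p).router_id)                   # decided by router ID
    print("always-compare-med:", best_path(p, True).router_id)  # decided by MED
```

With the default behaviour the first two paths come from different neighboring ASs, so their MEDs are never compared and the choice falls all the way down to the router ID tie breaker; enabling always-compare-med lets the lowest MED win instead, which is exactly the policy change the bgp always-compare-med command described later in this chapter makes.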
Weight
The Weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight is preferred. The route with the highest weight is installed in the IP routing table.

Local Preference
Local Preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route.
Multi-Exit Discriminators (MEDs)
If two Autonomous Systems (ASs) connect in more than one place, a Multi-Exit Discriminator (MED) can be used to tell the neighboring AS which entry point is preferred. The MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in Figure 8-4. One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied.
Origin
The Origin indicates the origin of the prefix, or how the prefix came into BGP. There are three Origin codes: IGP, EGP, INCOMPLETE.
• IGP indicates that the prefix originated from information learned through an interior gateway protocol.
• EGP indicates that the prefix originated from information learned from the EGP protocol, which BGP replaced.
• INCOMPLETE indicates that the prefix originated from an unknown source, typically redistribution of static or IGP routes.
Figure 8-8.
Implementing BGP with FTOS

Additional Path (Add-Path) support
The Add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker withdraws its path from its local RIB and recalculates a new best path.
Table 8-1 gives some examples of these rules. Table 8-1.
When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS number support with the bgp four-octet-as-support command (shown in Figure 8-9).

AS4 Number Representation
FTOS version 8.2.1.0 supports multiple representations of a 4-byte AS number: asplain, asdot+, and asdot.
Note: The ASDOT and ASDOT+ representations are supported only in conjunction with the 4-Byte AS Numbers feature.
Figure 8-9. Dynamic changes of the bgp asnotation command in the show running config (ASDOT)

FTOS(conf-router_bgp)#bgp asnotation asdot
FTOS(conf-router_bgp)#show conf
!
router bgp 100
 bgp asnotation asdot
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
Figure 8-10. Dynamic changes when bgp asnotation command is disabled in the show running config (AS NOTATION DISABLED)

FTOS(conf-router_bgp)#no bgp asnotation
FTOS(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
Figure 8-11. Local-AS Scenario
  Before Migration: Router A (AS 100), Router B (AS 200), Router C (AS 300)
  After Migration, with Local-AS enabled: Router A (AS 100), Router B (AS 100, Local AS 200), Router C (AS 300)

When you complete your migration and have reconfigured your network with the new information, you must disable this feature. If the "no prepend" option is used, the local-as is not prepended to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB)
The FORCE10-BGP4-V2-MIB enhances FTOS BGP Management Information Base (MIB) support with many new SNMP objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com.
Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation.
• The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector clients are not in a full mesh if BGP client-to-client reflection is enabled and that the BGP speaker acting as reflector will advertise routes learned from one client to another client. If disabled, it is assumed that clients are in a full mesh, and there is no need to advertise prefixes to the other clients.
BGP Configuration
To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor.

Defaults
By default, BGP is disabled. By default, FTOS compares the MED attribute only on paths from within the same AS (the bgp always-compare-med command is not enabled).
Note: In FTOS, all newly configured neighbors and peer groups are disabled.
Configuration Task List for BGP
The following list includes the configuration tasks for BGP:
• Enable BGP
• Configure AS4 Number Representations
• Configure Peer Groups
• BGP fast fall-over
• Configure passive peering
• Maintain existing AS numbers during an AS migration
• Allow an AS number to appear in its own AS path
• Enable graceful restart
• Filter on an AS-Path attribute
• Configure IP community lists
• Manipulate the COMMUNITY attribute
• Change MED attribute
• Change LOCAL_
In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be directly connected to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router.
Step 3: neighbor {ip-address | peer-group-name} no shutdown  (CONFIG-ROUTER-BGP)  Enable the BGP neighbor. A peer group must already exist (see Configure Peer Groups) before you assign it a remote AS.

Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode.

Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration. Use the show ip bgp summary command in EXEC Privilege mode to view the BGP status.
Figure 8-13. Command example: show ip bgp summary (4-Byte AS Number displayed)

R2#show ip bgp summary
BGP router identifier 192.168.10.2, local AS number 48735.
Figure 8-14. Command example: show ip bgp neighbors

FTOS#show ip bgp neighbors
BGP neighbor is 10.114.8.60, remote AS 18508, external link
  BGP version 4, remote router ID 10.20.20.
Figure 8-15. Command example: show running-config bgp

R2#show running-config bgp
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list ISP1in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.
Only one form of AS Number Representation is supported at a time. You cannot combine the types of representations within an AS.

Task: Enable ASPLAIN AS Number representation (Figure 8-16): bgp asnotation asplain  (CONFIG-ROUTER-BGP)
Note: ASPLAIN is the default method FTOS uses and does not appear in the configuration display.
Task: Enable ASDOT AS Number representation (Figure 8-17): bgp asnotation asdot  (CONFIG-ROUTER-BGP)
Task: Enable ASDOT+ AS Number representation.
Figure 8-18. Command example and output: bgp asnotation asdot+

FTOS(conf-router_bgp)#bgp asnotation asdot+
FTOS(conf-router_bgp)#sho conf
!
router bgp 100
 bgp asnotation asdot+
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.250 route-map rmap1 in
 neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
 neighbor 172.30.1.

Note: The neighbor password line above is the TCP MD5 session key (RFC 2385) in its stored, obfuscated form. Because the router must recover the plaintext key to sign every TCP segment it sends to the peer, the stored form is reversible by the device; treat any configuration output or backup that contains it as a secret.
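The three notations named above (asplain, asdot and asdot+), as an added example rather than anything from FTOS: conversion in both directions, using the ranges the peer-group steps in this chapter quote for the CLI (asplain 1 to 4294967295, dotted 0.1 to 65535.65535). The function names are the example's own.

```python
# Added example (not FTOS code): convert a 4-byte AS number between the
# asplain, asdot+ and asdot notations the chapter describes.
import re

MAX_ASN = 4294967295
_DOTTED = re.compile(r"^(\d{1,5})\.(\d{1,5})$")


def _check(asn: int) -> None:
    if not 1 <= asn <= MAX_ASN:
        raise ValueError(f"AS number out of range 1-{MAX_ASN}: {asn}")


def to_asplain(asn: int) -> str:
    _check(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    # Always dotted: high 16 bits "." low 16 bits, so 65057 becomes "0.65057".
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    # Plain for 2-byte values, dotted only when the value needs 4 bytes.
    _check(asn)
    return str(asn) if asn < 65536 else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept any of the three notations and return the integer AS number."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 65535 or low > 65535:
            raise ValueError(f"dotted component out of range: {text}")
        asn = (high << 16) | low
    elif text.isdigit():
        asn = int(text)
    else:
        raise ValueError(f"not an AS number: {text!r}")
    _check(asn)
    return asn


def render_all(text: str) -> dict:
    """Show one AS number the way each bgp asnotation setting would display it."""
    asn = parse_asn(text)
    return {"asplain": to_asplain(asn), "asdot": to_asdot(asn), "asdot+": to_asdot_plus(asn)}


if __name__ == "__main__":
    for value in ("65057", "65536", "1.0", "65535.65535"):
        print(value, "->", render_all(value))
```

A check worth doing after changing bgp asnotation: any AS-path regular expression that matches a 4-byte AS number was written against one rendering (65536 or 1.0), so confirm with show ip bgp output that the AS-PATH ACLs still match what the router now displays.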
Step 5: neighbor ip-address peer-group peer-group-name  (CONFIG-ROUTER-BGP)  Add an enabled neighbor to the peer group.
Step 6: neighbor {ip-address | peer-group-name} remote-as as-number  (CONFIG-ROUTER-BGP)  Add a neighbor as a remote AS. Formats:
  IP address: A.B.C.D
  Peer-group name: up to 16 characters
  AS number: 0-65535 (2-Byte) or 1-4294967295 | 0.1-65535.65535 (4-Byte) or 0.1-65535.
Figure 8-19. Command example: show config (creating peer-group)

FTOS(conf-router_bgp)#neighbor zanzibar peer-group
Configuring neighbor zanzibar
FTOS(conf-router_bgp)#show conf
!
router bgp 45
 bgp fast-external-fallover
 bgp log-neighbor-changes
 neighbor zanzibar peer-group
 neighbor zanzibar shutdown
 neighbor 10.1.1.1 remote-as 65535
 neighbor 10.1.1.1 shutdown
 neighbor 10.14.8.60 remote-as 18505
 neighbor 10.14.8.
Figure 8-21. Command example: show ip bgp peer-group

FTOS>show ip bgp peer-group
Peer-group zanzibar, remote AS 65535
  BGP version 4
  Minimum time between advertisement runs is 5 seconds
  For address family: IPv4 Unicast
  BGP neighbor is zanzibar, peer-group internal,
  Number of peers in this group 26
  Peer-group members (* - outbound optimized):
    10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.1 10.68.171.1 10.68.172.1 10.68.173.
BGP fast fall-over
By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When fall-over is enabled, BGP tracks IP reachability to the peer remote address and the peer local address.
Figure 8-22. Command example: show ip bgp neighbors

FTOS#sh ip bgp neighbors
BGP neighbor is 100.100.100.100, remote AS 65517, internal link
  Member of peer-group test for session parameters
  BGP version 4, remote router ID 30.30.30.
Figure 8-23. Command example: show ip bgp peer-group

FTOS#sh ip bgp peer-group
Peer-group test
  Fall-over enabled                <- Fast Fall-Over Indicator
  BGP version 4
  Minimum time between advertisement runs is 5 seconds
  For address family: IPv4 Unicast
  BGP neighbor is test
  Number of peers in this group 1
  Peer-group members (* - outbound optimized):
    100.100.100.100*
FTOS#
!
router bgp 65517
 neighbor test peer-group
 neighbor test fall-over
 neighbor test no shutdown
 neighbor 100.100.100.
Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode, to configure passive peering.
Step 1: neighbor peer-group-name peer-group passive limit  (CONFIG-ROUTER-BGP)  Configure a peer group that does not initiate TCP connections with other peers. Enter the limit keyword to restrict the number of sessions accepted.
Step 2: neighbor peer-group-name subnet subnet-number mask  (CONFIG-ROUTER-BGP)  Assign a subnet to the peer group.
A passive peer group accepts sessions from any address within the assigned subnet, so the limit keyword is the only cap on how many sessions an unexpected host in that range can open; keep the subnet as narrow as the peers require.
Disable this feature using the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.

Figure 8-24. Local-as information shown

R2(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.
Figure 8-25. Allowas-in information shown

R2(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.
• Save all FIB and CAM entries on the line card and continue forwarding traffic while the secondary RPM is coming online.
• Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic.
• Bring the secondary RPM online as the primary and re-open sessions with all peers operating in "no shutdown" mode.
neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds]  (CONFIG-ROUTER-BGP)  Set the maximum time to retain the restarting neighbor's or peer-group's stale paths. Default is 360 seconds.

Filter on an AS-Path attribute
The BGP attribute AS_PATH can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route's path.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an AS-PATH ACL to filter a specific AS_PATH value.
Step 1: ip as-path access-list as-path-name  (CONFIGURATION)  Assign a name to an AS-PATH ACL and enter AS-PATH ACL mode.
Step 2: {deny | permit} filter parameter  (CONFIG-AS-PATH)  Enter the parameter to match BGP AS-PATH for filtering. This is the filter that will be used to match the AS-path.
Figure 8-27. Filtering with Regular Expression

FTOS(config)#router bgp 99
FTOS(conf-router_bgp)#neigh AAA peer-group
FTOS(conf-router_bgp)#neigh AAA no shut
FTOS(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
FTOS(conf-router_bgp)#neigh 10.155.15.
Table 8-4. Regular Expressions
  + (plus)       Matches 1 or more sequences of the immediately previous character or pattern.
  ? (question)   Matches 0 or 1 sequence of the immediately previous character or pattern.
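How an AS-PATH ACL built from the two steps above behaves when applied as a filter-list, as an added example (not FTOS code): entries are tried in configured order, the first match decides, and a path matching no entry is dropped. Table 8-4 is only partially reproduced on this page, so the "_" token-boundary shorthand used in the sample patterns is an assumption borrowed from the Cisco-style AS-path regex convention; the ACL name, the AS numbers and the route list are constructed.

```python
# Added example (not FTOS code): evaluate an AS-PATH ACL, an ordered list of
# permit/deny regular expressions with first-match-wins and an implicit deny,
# against AS paths rendered the way show ip bgp prints them (space separated).
# The "_" boundary shorthand is the Cisco-style convention; its support on
# FTOS is assumed here, not taken from Table 8-4.
import re


def compile_as_path_regex(pattern: str) -> re.Pattern:
    # "_" matches the start or end of the path or a separator, so "_65200_"
    # matches AS 65200 as a whole token and not the inside of 652001.
    translated = pattern.replace("_", r"(?:^|[ ,{}]|$)")
    return re.compile(translated)


def as_path_text(as_path) -> str:
    return " ".join(str(asn) for asn in as_path)


class AsPathAcl:
    def __init__(self, name, entries):
        # entries: [(action, regex), ...] in configured order
        self.name = name
        self.entries = [(action, compile_as_path_regex(rx)) for action, rx in entries]

    def permits(self, as_path) -> bool:
        text = as_path_text(as_path)
        for action, rx in self.entries:
            if rx.search(text):
                return action == "permit"
        return False  # implicit deny when nothing matches


def apply_filter_list(acl, routes):
    """Mimic `neighbor X filter-list ACL in`: keep only permitted (prefix, as_path)."""
    return [(prefix, path) for prefix, path in routes if acl.permits(path)]


# Constructed policy: drop anything that transited AS 65200, accept routes
# that start at the direct customer AS 65001 or are locally originated
# (empty path). Everything else hits the implicit deny.
SAMPLE_ACL = AsPathAcl("CustomerIn", [
    ("deny", "_65200_"),
    ("permit", "^65001_"),
    ("permit", "^$"),
])

SAMPLE_ROUTES = [  # constructed (prefix, as_path) pairs
    ("192.0.2.0/24", [65001]),
    ("198.51.100.0/24", [65001, 64500]),
    ("203.0.113.0/24", [65001, 65200, 64500]),
    ("10.9.0.0/16", []),
    ("10.8.0.0/16", [64500]),
    ("10.7.0.0/16", [65001, 652001]),
]

if __name__ == "__main__":
    for prefix, path in apply_filter_list(SAMPLE_ACL, SAMPLE_ROUTES):
        print("permit", prefix, as_path_text(path) or "(local)")
```

The last two sample routes are the ones that catch people: 64500 alone is denied although no deny entry names it, and 652001 is permitted because the boundary markers stop 65200 from matching inside a longer number. Without the boundaries, a pattern like 65200 would silently deny more than intended.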
redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]  (ROUTER BGP or CONF-ROUTER_BGPv6_AF)  Include specific OSPF routes in BGP. Configure the following parameters:
• process-id range: 1 to 65535
• match external range: 1 or 2
• match internal
• metric-type: external or internal
• map-name: name of a configured route map

Enable additional paths
By default, the add-path feature is disabled.
FTOS also supports BGP Extended Communities as described in RFC 4360, BGP Extended Communities Attribute. Use these commands in the following sequence, starting in the CONFIGURATION mode, to configure an IP community list.
Step 1: ip community-list community-list-name  (CONFIGURATION)  Create a community list and enter the COMMUNITY-LIST mode.
To view the configuration, use the show config command in the CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode (Figure 8-28). Figure 8-28.
Step 5: neighbor {ip-address | peer-group-name} route-map map-name {in | out}  (CONFIG-ROUTER-BGP)  Apply the route map to the neighbor or peer group's incoming or outgoing routes.

To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
set comm-list community-list-name delete  (CONFIG-ROUTE-MAP)  Configure a set filter to delete all COMMUNITY numbers in the IP community list.
Figure 8-29. Command example: show ip bgp community (Partial)

FTOS>show ip bgp community
BGP table version is 3762622, local router ID is 10.114.8.48
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop        Metric LocPrf Weight Path
*  i 3.0.0.0/8       195.171.0.16           100      0 209 701 80 i
*>i 4.2.49.12/30     195.171.0.16           100      0 209 i
*  i 4.21.132.0/23   195.171.0.
Change MED attribute
By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used.
bgp always-compare-med  (CONFIG-ROUTER-BGP)  Enable MED comparison in the paths from neighbors with different ASs. By default, this comparison is not performed.
Step 2: set local-preference value  (CONFIG-ROUTE-MAP)  Change the LOCAL_PREF value for routes meeting the criteria of this route map.
Step 3: exit  (CONFIG-ROUTE-MAP)  Return to the CONFIGURATION mode.
Step 4: router bgp as-number  (CONFIGURATION)  Enter the ROUTER BGP mode.
Step 5: neighbor {ip-address | peer-group-name} route-map map-name {in | out}  (CONFIG-ROUTER-BGP)  Apply the route map to the neighbor or peer group's incoming or outgoing routes.
Use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode to view the BGP configuration. You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to set the WEIGHT attribute, which is local to the router and never advertised:
set weight weight  (CONFIG-ROUTE-MAP)  Sets the weight for the route.
Prior to filtering BGP routes, you must create the prefix list, AS-PATH ACL, or route map to be used. Refer to Chapter 6, "Access Control Lists (ACLs)," on page 87 for configuration information on prefix lists, AS-PATH ACLs, and route maps.
Note: When you configure a new set of BGP policies, always reset the neighbor or peer group by entering the clear ip bgp command in EXEC Privilege mode.
Use these commands in the following sequence, starting in the CONFIGURATION mode, to filter routes using a route map.
Step 1: route-map map-name [permit | deny] [sequence-number]  (CONFIGURATION)  Create a route map and assign it a name.
Step 2: {match | set}  (CONFIG-ROUTE-MAP)  Create multiple route map filters with a match or set action. Refer to Chapter 6, "Access Control Lists (ACLs)," on page 87 for information on configuring route maps.
Step 5: neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}  (CONFIG-ROUTER-BGP)  Filter routes based on the criteria in the configured AS-PATH ACL. Configure the following parameters:
• ip-address or peer-group-name: enter the neighbor's IP address or the peer group's name.
• as-path-name: enter the name of a configured AS-PATH ACL.
• in: apply the AS-PATH ACL to inbound routes.
Aggregate routes FTOS provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. Use the following command in the CONFIGURATION ROUTER BGP mode to aggregate routes.
Configure BGP confederations
Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving a large number of IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-ASs, and to those outside your network, the confederation appears as one AS.
When dampening is applied to a route, its path is described by one of the following terms:
• history entry: an entry that stores information on a downed route
• dampened path: a path that is no longer advertised
• penalized path: a path that is assigned a penalty
The CLI example below shows configuring values to start reusing or restarting a route, as well as their default values.
Figure 8-31.
To view the BGP configuration, use show config in the CONFIGURATION ROUTER BGP mode or show running-config bgp in EXEC Privilege mode. To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode:
set dampening half-life reuse suppress max-suppress-time  (CONFIG-ROUTE-MAP)  Enter the following optional parameters to configure route dampening parameters:
• half-life range: 1 to 45.
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode. Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to the active state.
clear ip bgp dampening [ip-address mask]  (EXEC Privilege)  Clear all information or only information on a specific route.
Use the following command in EXEC and EXEC Privilege mode to view statistics on route flapping.
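The arithmetic behind the four dampening parameters (half-life, reuse, suppress, max-suppress-time) and the history/dampened/penalized terms above, as an added example that is not FTOS code: a route's penalty rises by a fixed amount per flap, decays exponentially with the half-life, is capped so that suppression never outlasts max-suppress-time, and the route is withdrawn when the penalty crosses the suppress threshold and re-advertised once it decays below reuse. The defaults used in the example (15 minute half-life, reuse 750, suppress 2000, 60 minute max-suppress, 1000 per flap) are assumed conventional values, not read from Figure 8-31.

```python
# Added example (not FTOS code): route-flap dampening arithmetic with the four
# parameters from the chapter. The defaults below (half-life 15 min, reuse 750,
# suppress 2000, max-suppress 60 min, 1000 penalty per flap) are assumed
# conventional values, not values read from Figure 8-31.
import math


class Dampening:
    def __init__(self, half_life_min=15.0, reuse=750, suppress=2000,
                 max_suppress_min=60.0, flap_penalty=1000):
        if not reuse < suppress:
            raise ValueError("reuse threshold must be below suppress threshold")
        self.half_life = half_life_min
        self.reuse = reuse
        self.suppress = suppress
        self.flap_penalty = flap_penalty
        # Penalty ceiling that keeps a route suppressed for at most max-suppress-time.
        self.ceiling = reuse * 2 ** (max_suppress_min / half_life_min)
        self.penalty = 0.0
        self.last_t = 0.0
        self.suppressed = False

    def penalty_at(self, t_min):
        """Penalty at minute t_min, decayed from the last recorded flap."""
        return self.penalty * 0.5 ** ((t_min - self.last_t) / self.half_life)

    def flap(self, t_min):
        """Record a flap (withdraw and re-advertise) at minute t_min."""
        decayed = self.penalty_at(t_min)
        if self.suppressed and decayed < self.reuse:
            self.suppressed = False            # route had been reused before this flap
        self.penalty = min(decayed + self.flap_penalty, self.ceiling)
        self.last_t = t_min
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.penalty

    def suppressed_at(self, t_min):
        return self.suppressed and self.penalty_at(t_min) >= self.reuse

    def state_at(self, t_min):
        # Terms from the text: dampened (not advertised) vs penalized (advertised, penalty > 0).
        if self.suppressed_at(t_min):
            return "dampened"
        return "penalized" if self.penalty_at(t_min) > 0 else "clear"

    def minutes_to_reuse(self, t_min):
        """Minutes from t_min until the penalty decays below the reuse threshold."""
        p = self.penalty_at(t_min)
        if p <= self.reuse:
            return 0.0
        return self.half_life * math.log2(p / self.reuse)


def three_quick_flaps():
    """Constructed scenario: a route flaps at minutes 0, 1 and 2."""
    d = Dampening()
    for t in (0, 1, 2):
        d.flap(t)
    return d


if __name__ == "__main__":
    d = three_quick_flaps()
    print("penalty", round(d.penalty), "state", d.state_at(2),
          "reuse in", round(d.minutes_to_reuse(2), 1), "min")
```

Three flaps two minutes apart push the penalty past 2000 and the route stays withdrawn for roughly 29 minutes; the ceiling of 12000 (750 x 2^(60/15)) is what bounds that outage at the configured max-suppress-time no matter how often the route keeps flapping. Shortening the half-life is the lever that most affects how long a real outage is extended by dampening.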
Change BGP timers
Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers.
neighbor {ip-address | peer-group-name} timers keepalive holdtime  (CONFIG-ROUTER-BGP)  Configure timer values for a BGP neighbor or peer group.
• keepalive range: 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. (Default: 60 seconds)
• holdtime range: 3 to 65536.
Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection using BGP soft reconfiguration.
clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]  (EXEC Privilege)  Clear all information or only specific details.
Route map continue
The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
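The continue semantics above, as an added example rather than FTOS code: a small route-map evaluator in which a matching permit entry applies its set clauses and then either stops (no continue), jumps to a named later sequence, or falls to the next sequence (implied continue), while a non-matching entry simply gives way to the next one with its continue ignored. The entries, match conditions, attribute names and three sample routes are constructed for the example.

```python
# Added example (not FTOS code): evaluate a BGP route map with the "continue"
# semantics described above. Entries, matches and set actions are constructed;
# attribute names mirror the CLI (local-preference, metric = MED).
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Union


@dataclass
class Entry:
    seq: int
    action: str                                  # "permit" or "deny"
    matches: list = field(default_factory=list)  # callables route -> bool
    sets: list = field(default_factory=list)     # callables route -> None
    cont: Optional[Union[int, str]] = None       # None, "next", or a sequence number


def run_route_map(entries, route):
    """Return the (possibly modified) route dict if permitted, else None."""
    entries = sorted(entries, key=lambda e: e.seq)
    route = dict(route)
    permitted = False
    i = 0
    while i < len(entries):
        e = entries[i]
        if all(m(route) for m in e.matches):
            if e.action == "deny":
                return None
            for s in e.sets:
                s(route)
            permitted = True
            if e.cont is None:
                return route                     # no continue: first match decides
            if e.cont == "next":
                i += 1                           # implied continue
            else:
                targets = [k for k, x in enumerate(entries) if x.seq == e.cont]
                if not targets or targets[0] <= i:
                    raise ValueError(f"continue {e.cont} must name a later sequence")
                i = targets[0]
        else:
            i += 1                               # no match: any continue is ignored
    return route if permitted else None          # implicit deny at end of map


def match_community(c):
    return lambda r: c in r.get("communities", ())


def match_prefix_in(net):
    net = ipaddress.ip_network(net)
    return lambda r: ipaddress.ip_network(r["prefix"]).subnet_of(net)


def match_origin(o):
    return lambda r: r.get("origin") == o


def set_attr(name, value):
    def _set(r):
        r[name] = value
    return _set


SAMPLE_MAP = [  # constructed route map
    Entry(10, "permit", [match_community("65000:100")], [set_attr("local-preference", 200)], cont=30),
    Entry(20, "permit", [match_prefix_in("10.0.0.0/8")], [set_attr("metric", 50)], cont="next"),
    Entry(30, "permit", [match_origin("igp")], [set_attr("metric", 10)]),
]

SAMPLE_ROUTES = {  # constructed routes
    "A": {"prefix": "10.1.0.0/16", "communities": ("65000:100",), "origin": "igp",
          "local-preference": 100, "metric": 0},
    "B": {"prefix": "10.2.0.0/16", "communities": (), "origin": "incomplete",
          "local-preference": 100, "metric": 0},
    "C": {"prefix": "192.0.2.0/24", "communities": (), "origin": "incomplete",
          "local-preference": 100, "metric": 0},
}

if __name__ == "__main__":
    for name, r in SAMPLE_ROUTES.items():
        print(name, run_route_map(SAMPLE_MAP, r))
```

Route A matches sequence 10 and jumps straight to 30, so sequence 20 never sees it and its metric ends at 10, not 50. Route B misses 10 (the continue there is ignored), matches 20, continues to 30, fails its match and is still permitted with the metric set by 20. Route C matches nothing and is dropped by the implicit deny. The check to carry over to a real configuration is the ordering rule: continue may only point forward, and a match that fails after a continue does not un-permit the route.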
MBGP Configuration
MBGP for IPv4 Multicast and MBGP for IPv6 unicast are supported on a subset of platforms (the platform icons are not reproduced here). MBGP is not supported on the E-Series ExaScale platform.
Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by Protocol Independent Multicast (PIM) to build data distribution trees.
BGP Regular Expression Optimization
BGP policies that contain regular expressions to match against AS paths and communities can take a lot of CPU processing time and thus slow BGP routing convergence. show bgp commands whose output is filtered through regular expressions can also take a lot of CPU cycles, especially when the database is large.
Use no debug ip bgp to disable all BGP debugging. Use undebug all to disable all debugging.

Storing Last and Bad PDUs
FTOS stores the last notification sent/received and the last bad PDU received on a per-peer basis. The last bad PDU is the one that causes a notification to be issued. These PDUs are shown in the output of the command show ip bgp neighbor, as shown in Figure 8-34.

Figure 8-34. Viewing the Last Bad PDU from BGP Peers

FTOS(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.
Capturing PDUs
Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu neighbor direction. Disable capturing using the no form of this command. The maximum buffer size is configurable from 40 MB (the default) up to 100 MB. The capture buffers are cyclic: when the limit is reached, the system overwrites the oldest PDUs as new ones are received for a given neighbor or direction.
• New PDUs are captured and there is no more space to store them.
• The maximum buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space consumed and the new limit.)
With a full Internet feed (205K prefixes) captured, approximately 11.8 MB is required to store all of the PDUs, as shown in Figure 8-36.

Figure 8-36. Required Memory for Captured PDUs

FTOS(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.250
Incoming packet capture enabled for BGP neighbor 172.30.1.
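What the "last bad PDU" and "last notification" stored per peer actually encode, as an added example (not FTOS code): header validation for a captured BGP PDU against the RFC 4271 rules (16-byte all-ones marker, 19 to 4096 byte length consistent with the message type, known type), returning the NOTIFICATION error code and subcode a receiver would send back, plus a decoder for NOTIFICATION messages using the RFC 4271 and RFC 4486 code tables. The four sample PDUs are constructed byte strings, not captures.

```python
# Added example (not FTOS code): header validation for a captured BGP PDU and
# decoding of the NOTIFICATION that a bad PDU provokes (RFC 4271 / RFC 4486
# codes). The sample PDUs below are constructed byte strings, not captures.
import struct

MARKER = b"\xff" * 16
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
MIN_LEN = {1: 29, 2: 23, 3: 21, 4: 19}
ERROR_CODES = {
    1: ("Message Header Error", {1: "Connection Not Synchronized", 2: "Bad Message Length",
                                 3: "Bad Message Type"}),
    2: ("OPEN Message Error", {1: "Unsupported Version Number", 2: "Bad Peer AS",
                               3: "Bad BGP Identifier", 4: "Unsupported Optional Parameter",
                               6: "Unacceptable Hold Time"}),
    3: ("UPDATE Message Error", {1: "Malformed Attribute List", 2: "Unrecognized Well-known Attribute",
                                 3: "Missing Well-known Attribute", 4: "Attribute Flags Error",
                                 5: "Attribute Length Error", 6: "Invalid ORIGIN Attribute",
                                 8: "Invalid NEXT_HOP Attribute", 9: "Optional Attribute Error",
                                 10: "Invalid Network Field", 11: "Malformed AS_PATH"}),
    4: ("Hold Timer Expired", {}),
    5: ("Finite State Machine Error", {}),
    6: ("Cease", {1: "Maximum Number of Prefixes Reached", 2: "Administrative Shutdown",
                  3: "Peer De-configured", 4: "Administrative Reset", 5: "Connection Rejected",
                  6: "Other Configuration Change", 7: "Connection Collision Resolution",
                  8: "Out of Resources"}),
}


class BgpHeaderError(Exception):
    def __init__(self, code, subcode, detail):
        super().__init__(detail)
        self.code, self.subcode = code, subcode


def parse_header(pdu: bytes):
    """Validate marker/length/type; return (type, body) or raise BgpHeaderError."""
    if len(pdu) < 19 or pdu[:16] != MARKER:
        raise BgpHeaderError(1, 1, "marker is not 16 bytes of 0xff")
    length, mtype = struct.unpack("!HB", pdu[16:19])
    if mtype not in MSG_TYPES:
        raise BgpHeaderError(1, 3, f"unknown type {mtype}")
    if (length != len(pdu) or length > 4096 or length < MIN_LEN[mtype]
            or (mtype == 4 and length != 19)):
        raise BgpHeaderError(1, 2, f"length {length} invalid for {MSG_TYPES[mtype]}")
    return mtype, pdu[19:length]


def notification_for(pdu: bytes):
    """(code, subcode) the receiver would send for this PDU, or None if the header is sound."""
    try:
        parse_header(pdu)
        return None
    except BgpHeaderError as e:
        return (e.code, e.subcode)


def build_notification(code: int, subcode: int, data: bytes = b"") -> bytes:
    body = struct.pack("!BB", code, subcode) + data
    return MARKER + struct.pack("!HB", 19 + len(body), 3) + body


def decode_notification(pdu: bytes) -> dict:
    mtype, body = parse_header(pdu)
    if mtype != 3:
        raise ValueError("not a NOTIFICATION")
    code, subcode = body[0], body[1]
    name, subs = ERROR_CODES.get(code, ("Unknown", {}))
    return {"code": code, "subcode": subcode, "error": name,
            "suberror": subs.get(subcode, "Unspecified"), "data": body[2:]}


# Constructed PDUs: one good KEEPALIVE and three that a peer would store as
# the "last bad PDU" before sending a NOTIFICATION.
GOOD_KEEPALIVE = MARKER + struct.pack("!HB", 19, 4)
BAD_LENGTH = MARKER + struct.pack("!HB", 20, 4) + b"\x00"
BAD_MARKER = b"\x00" + MARKER[1:] + struct.pack("!HB", 19, 4)
BAD_TYPE = MARKER + struct.pack("!HB", 19, 9)

if __name__ == "__main__":
    for name, pdu in (("keepalive", GOOD_KEEPALIVE), ("bad length", BAD_LENGTH),
                      ("bad marker", BAD_MARKER), ("bad type", BAD_TYPE)):
        print(name, "->", notification_for(pdu))
    print(decode_notification(build_notification(6, 2)))
```

When a session drops, the stored notification's code and subcode answer the first triage question (did the peer shut us down administratively, did a hold timer expire, or did we send something it could not parse), and running the stored bad PDU through a checker like this one tells you which header rule it broke before you start reading a hex dump by hand.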
Figure 8-37 is a graphic illustration of the configurations shown on the following pages. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.

Figure 8-37. Sample Configuration Illustration (AS 99; physical links GigE 1/21 10.0.1.21/24 to GigE 2/11 10.0.1.22/24 and GigE 1/31 10.0.3.; virtual links between Loopback addresses such as 192.168.128.1/24; peer groups AAA and BBB)
Figure 8-38. Enable BGP - Router 1

R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
 ip address 10.0.1.21/24
 no shutdown
R1(conf-if-gi-1/21)#int gig 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.
Figure 8-39. Enable BGP - Router 2

R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.2/24
 no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.22/24
R2(conf-if-gi-2/11)#no shutdown
R2(conf-if-gi-2/11)#show config
!
interface GigabitEthernet 2/11
 ip address 10.0.1.
Figure 8-40. Enable BGP - Router 3

R3# conf
R3(conf)#
R3(conf)#int loop 0
R3(conf-if-lo-0)#ip address 192.168.128.3/24
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.3/24
 no shutdown
R3(conf-if-lo-0)#int gig 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.33/24
R3(conf-if-gi-3/11)#no shutdown
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
 ip address 10.0.3.33/24
 no shutdown
R3(conf-if-lo-0)#int gig 3/21
R3(conf-if-gi-3/21)#ip address 10.
Figure 8-41. Enable Peer Group - Router 1

R1#conf
R1(conf)#router bgp 99
R1(conf-router_bgp)# network 192.168.128.0/24
R1(conf-router_bgp)# neighbor AAA peer-group
R1(conf-router_bgp)# neighbor AAA no shutdown
R1(conf-router_bgp)# neighbor BBB peer-group
R1(conf-router_bgp)# neighbor BBB no shutdown
R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA
R1(conf-router_bgp)# neighbor 192.168.128.
Figure 8-42.
Figure 8-43. Enable Peer Groups - Router 2

R2#conf
R2(conf)#router bgp 99
R2(conf-router_bgp)# neighbor CCC peer-group
R2(conf-router_bgp)# neighbor CCC no shutdown
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.
Figure 8-44. Enable Peer Group - Router 3

R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.
www.dell.com | support.dell.com Figure 8-45.
9 Bare Metal Provisioning 2.0 (BMP 2.0)

Bare Metal Provisioning 2.0 (BMP 2.0) is included as part of the FTOS image. It is supported on the Z9000 and on other platforms whose icons are not reproduced here. Bare Metal Provisioning (BMP) improves accessibility to the system by automatically loading pre-defined configurations and boot images that are stored on file servers. BMP can be used on a single system or on multiple systems. For more information on using BMP and the different types of modes, see the Open Automation Guide.
Restrictions
BMP 2.0 is supported on the user ports and management ports of a switch.

Comparison of BMP 1.5 and 2.0
BMP 2.0 provides simplified auto-configuration options for customers. This feature enhancement provides a simplified CLI, additional support for file transfer protocols such as FTP and HTTP, and access to DHCP and file servers from both user and management ports, avoiding the need for dedicated management servers.
  BMP 1.5                     BMP 2.0
  Supported on S55 and S60.
To reconfigure a switch to reload between Normal and Jumpstart mode, use the reload-type command.
reload-type {normal-reload | jump-start [config-download {enable | disable}] [dhcp-timeout minutes]}  (EXEC Privilege)  Reload a switch running BMP version 2.0 in either Normal or Jumpstart (BMP) mode.
Jumpstart mode
Jumpstart (BMP) mode is the default boot mode configured for a new system arriving from Dell Force10. This mode obtains the FTOS image and configuration file from a network source (DHCP and file servers).

DHCP Server MAC-Based IP assignment
One way to use the Jumpstart mode most efficiently is to configure the DHCP server to assign a fixed IP address, FTOS image, and configuration file based on the system's MAC address.
Update the following parameters on the appropriate DHCP server.
• Boot File Name: The FTOS image to be loaded on the system. The boot file name is expected to use option 67 or the boot filename in the BOOTP payload of the DHCP offer. If both are specified, option 67 is used.
• Configuration File Name: The configurations to be applied to the system. The configuration file name is expected to use option 209.
• File Server Address: The server where the image and configuration file are placed.
The file server that holds the boot and configuration files must be configured to allow file transfers to the switch. The system recognizes HTTP, TFTP, FTP, USB, and flash URLs, for example:
• tftp://<server ip or name>/<filename>
• ftp://<user>:<passwd>@<server ip or name>//<mypath>/FTOS-A.B.C.D.
TFTP carries no authentication and FTP sends the user name and password in cleartext, so the image and configuration are fetched over an unauthenticated, unencrypted channel; keep the file server and the Jumpstart ports on a network segment you control.
If a DHCP offer has neither an image path nor a configuration file path, it is considered an invalid BMP DHCP offer and is ignored. The first DHCP offer that carries an IP address together with an FTOS image, a configuration file, or both is chosen. Because the first valid offer wins, any DHCP server that can reach a Jumpstart port can direct the switch to an image and configuration of its choosing; restrict which servers can answer while the switch is in Jumpstart mode.
4. The DHCP OFFER is selected. All ports other than the port on which the selected offer was received are set to shutdown mode.
If the configuration file is downloaded from the server, any saved startup-configuration on the flash is ignored. If no configuration file is downloaded from the server, the startup-configuration file on the flash is loaded as in a normal reload.
6. When the FTOS image and the configuration file have been downloaded, the IP address is released.
00:04:06: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART: DHCP RELEASE sent on Fo 0/56.
10 Content Addressable Memory (CAM)
Content Addressable Memory (CAM) is supported on platforms: et c s z
This chapter contains the following sections:
• Content Addressable Memory on page 243
• CAM Profiles on page 244
• Microcode on page 246
• CAM Profiling for ACLs on page 246
• When to Use CAM Profiling on page 249
• Important Points to Remember on page 249
• Select CAM Profiles on page 250
• CAM Allocation on page 250
• Test CAM Usage on page 251
• View CAM Profiles on page 252
• View CAM-ACL settings on page 253
• View CAM-ACL settin
• The TeraScale EG-series line cards are dual-CAM and use two 18 Megabit CAM modules with a dedicated 512 IPv4 Forwarding Information Base (FIB), and flexible CAM allocations for Layer 2, FIB, and ACLs. Either ExaScale 10G or 40G CAM line cards can be used in a system.
CAM Profiles
Dell Force10 systems partition each CAM module so that it can store the different types of information. The size of each partition is specified in the CAM profile.
Table 10-1. CAM Profile Descriptions (continued)
unified-default: Maintains the CAM allocations for the IPv4 FIB while allocating more CAM space for the Ingress and Egress Layer 2 ACL and IPv4 ACL regions. Available microcodes: ipv6-extacl
ipv4-VRF: Provides VRF functionality for IPv4. Available microcodes: ipv4-vrf
ipv4-v6-VRF: Provides VRF functionality for both IPv4 and I.
Microcode
Microcode is a compiled set of instructions for a CPU. On Dell Force10 systems, the microcode controls how packets are handled. There is a default microcode, and several other microcodes are available, so that you can adjust packet handling according to your application. Specifying a microcode is mandatory when selecting a CAM profile (though you are not required to change it).
Note: Not all CAM profiles and microcodes are available for all systems.
When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP rules with port range options might require more than one CAM entry. The Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 10-4 lists the sub-partition and the percentage of the Layer 2 ACL CAM partition that FTOS allocates to each by default. Table 10-4.
Boot Behavior
The profile and microcode loaded on the primary RPM determine the profile and microcode required on all other chassis components; together they are called the "chassis profile." A profile mismatch condition exists if either the CAM profile or the microcode does not match. The following points describe line card boot behavior when the line card profile does not match the chassis profile.
• A microcode mismatch constitutes a profile mismatch.
Figure 10-2. EH Line Card with EG Chassis Profile—Card Problem
R1#show linecard 1 brief
-- Line card 1 --
Status          : card problem - mismatch cam profile
Next Boot       : online
Required Type   : E90MH - 90-port 10/100/1000Base-T line card with mini RJ-21 interfaces (EH)
Current Type    : E90MH - 90-port 10/100/1000Base-T line card with mini RJ-21 interfaces (EH)
Hardware Rev    : Base - 0.3 PP0 - 1.1 PP0 - PP1
Num Ports       : 90
Up Time         : 0 sec
FTOS Version    : 8.1.1.
Jumbo Capable   :
• After you install a secondary RPM, copy the running-configuration to the startup-configuration so that the new RPM has the correct CAM profile.
Select CAM Profiles
A CAM profile is selected in CONFIGURATION mode. The CAM profile is applied to the entire system; however, you must save the running-configuration for the change to take effect. All components in the chassis must have the same CAM profile and microcode.
• L3 ACL (ipv4acl): 6
• L2 ACL (l2acl): 5
• IPv6 L3 ACL (ipv6acl): 0
• L3 QoS (ipv4qos): 1
• L2 QoS (l2qos): 1
• L2PT (l2pt): 1
• MAC ACLs (ipmacacl): 2
• ECFMACL (ecfmacl): 0
• VMAN QoS (vman-qos): 0
• VMAN Dual QoS (vman-dual-qos): 0
The ipv6acl and vman-dual-qos allocations must be entered as a multiple of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd values.
Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a class map with all required ACL rules, then execute the test cam-usage command in EXEC Privilege mode to verify the actual CAM space required. Figure 10-3 gives a sample of the output shown when executing the command. The status column indicates whether or not the policy can be enabled.
Figure 10-3.
The command show running-config cam-profile shows the current profile and microcode (Figure 10-5). Note: If you select the CAM profile from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis. Figure 10-5.
Figure 10-6.
Figure 10-7.
• The IPv4Flow configuration is applied to the entire system when you enter the command cam-ipv4flow from CONFIGURATION mode; however, you must save the running-configuration for the change to take effect. The amount of space allocated among the sub-partitions must be equal to the amount of CAM space allocated to IPv4Flow by the selected CAM profile (see Table 10-1); Message 3 is displayed if the total allocated space is not correct.
Figure 10-8. Configuring IPv4Flow on the Entire System
FTOS(conf)#cam-ipv4flow default
FTOS#copy running-config startup-config
File with same name already exist.
Table 10-6. Layer 2 ACL CAM Sub-partition Sizes
Partition: L2PT, % allocated: 13
Partition: FRRP, % allocated: 5
You can re-configure the amount of space, in percent, allocated to each sub-partition.
• Apply the Ingress Layer 2 ACL configuration to the entire system by entering the command cam-l2acl from CONFIGURATION mode; you must save the running-configuration for the change to take effect.
Figure 10-9.
Figure 10-10.
• If the packet has more than 5 MPLS labels, hashing is based on the source and destination MAC address. To enable this type of hashing, use the default CAM profile with the microcode lag-hash-mpls. LAG Hashing based on Bidirectional Flow To hash LAG packets such that both directions of a bidirectional flow (for example, VoIP or P2P file sharing) are mapped to the same output link in the LAG bundle, use the default CAM profile with the microcode lag-hash-align.
QoS CAM Region Limitation
The default CAM profile allocates a partition within the IPv4Flow region to store QoS service policies. If the QoS CAM space is exceeded, messages similar to the ones in Message 5 are displayed.
11 Control Plane Policing (CoPP)
Control Plane Policing (CoPP) is supported on platform z.
Overview
Control Plane Policing (CoPP) uses ACL rules and QoS policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
CoPP solution example (figure): front-end ports feed a protocol-to-queue classification stage, each protocol is mapped to a CPU queue (STP on Q7, OSPF, ICMP ping and others on Q0 through Q6), and hardware queue rate limiting polices each queue before packets reach the CPU software queue and the CPU processes (OSPF, LACP, STP, ICMP, and so on). In the scenario shown, an OSPF flood hits the CPU at 1100 pps and ICMP fails. With no CoPP rules, Q7 receives STP at 1100 pps due to a network storm or loop, the CPU is hit with the entire 1100 pps, and the PING attempt fails intermittently.
The CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies. Configure CoPP for protocols This section lists the commands necessary to create and enable the service-policies for CoPP. Refer to Access Control Lists (ACLs) and Quality of Service (QoS) for complete information about creating ACLs and QoS rules.
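As an added example (not from the guide), the following Python model reproduces the situation in the figure: a control-plane CPU with a finite service rate and a small software queue, protocol-to-queue classification, and an optional token-bucket policer per queue standing in for a CoPP rate-limit. The queue mapping, the CPU rate of 500 pps, the queue depth of 16, the policer burst of 10 and the constructed traffic mix (1100 pps STP, 10 pps ICMP, 5 pps OSPF) are assumptions of the example, not FTOS values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed protocol-to-queue mapping for the example; on the switch the real
# mapping is shown by 'show ip protocol-queue-mapping'.
PROTO_QUEUE = {"STP": 7, "OSPF": 5, "ICMP": 6}
CPU_PPS = 500          # assumed packets per second the control-plane CPU can service
CPU_QUEUE_DEPTH = 16   # assumed depth of the software queue in front of the CPU


@dataclass
class Policer:
    """Token-bucket rate limiter standing in for a CoPP qos-policy rate-limit."""
    rate_pps: float
    burst: int
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def admit(self, t: float) -> bool:
        self.tokens = min(float(self.burst), self.tokens + self.rate_pps * (t - self.last))
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class CpuQueue:
    """FIFO software queue with tail drop and a fixed service rate."""
    service_pps: float
    depth: int
    completions: List[float] = field(default_factory=list)   # finish time of queued packets

    def offer(self, t: float) -> bool:
        self.completions = [c for c in self.completions if c > t]   # drop finished work
        if len(self.completions) >= self.depth:
            return False                                             # tail drop
        start = self.completions[-1] if self.completions else t
        self.completions.append(start + 1.0 / self.service_pps)
        return True


def arrivals(proto: str, pps: int, offset: float = 0.0) -> List[Tuple[float, str]]:
    """Evenly spaced arrivals over one second (constructed traffic, not a capture)."""
    return [(i / pps + offset, proto) for i in range(pps)]


def simulate(limits: Dict[int, float]) -> Dict[str, int]:
    """Run one second of traffic through per-queue policers and the CPU queue.
    'limits' maps queue number -> permitted pps; queues absent from it are unpoliced."""
    stream = sorted(arrivals("STP", 1100) + arrivals("ICMP", 10, 0.0513) + arrivals("OSPF", 5, 0.0211))
    policers = {q: Policer(rate, burst=10) for q, rate in limits.items()}
    cpu = CpuQueue(CPU_PPS, CPU_QUEUE_DEPTH)
    delivered = {proto: 0 for proto in PROTO_QUEUE}
    for t, proto in stream:
        q = PROTO_QUEUE[proto]
        if q in policers and not policers[q].admit(t):
            continue                       # policed away before it reaches the CPU
        if cpu.offer(t):
            delivered[proto] += 1
    return delivered


def without_copp() -> Dict[str, int]:
    """No CoPP rules: the STP storm on Q7 crowds ICMP out of the CPU queue."""
    return simulate({})


def with_copp() -> Dict[str, int]:
    """STP capped at 400 pps on Q7 and OSPF at 100 pps on Q5; ICMP is unpoliced."""
    return simulate({7: 400.0, 5: 100.0})


if __name__ == "__main__":
    print("without CoPP:", without_copp())
    print("with CoPP:   ", with_copp())
```

Without the policer every queue competes for the same CPU budget, so the storm decides which control packets survive; with the Q7 limit in place the STP flood is cut to its rate-limit before the CPU and the low-rate protocols are delivered in full.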
Match QoS Class Map to QoS Policy
FTOS(conf)#policy-map-input egressFP_rate_policy cpu-qos
FTOS(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k
FTOS(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k
FTOS(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
FTOS(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k
FTOS(conf-policy-map-in-cpuqos)#exit
Create Control Plane Service Policy
FTOS(conf)#control-plane-cpu
Use the show ip protocol-queue-mapping command to view the queue mapping for each configured protocol.
12 Dynamic Host Configuration Protocol (DHCP)
Dynamic Host Configuration Protocol (DHCP) is available on platforms: e c s z
This chapter contains the following sections:
• Protocol Overview
• Implementation Information
• Configuration Tasks
• Configure the System to be a DHCP Server
• Configure the System to be a Relay Agent
• Configure Secure DHCP
Protocol Overview
Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration pa
DHCP Packet Format and Options
DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV) format; many options are specified in RFC 2132.
Assigning an IP Address using DHCP When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
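The following Python example, added here and not part of the guide, parses the fixed BOOTP header and the TLV option area described above and then applies the BMP Jumpstart offer rule from chapter 9 (option 67 over the BOOTP file field for the image, option 209 for the configuration, first offer with an address plus at least one path wins). The server address, image and configuration names in the constructed offers are hypothetical.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Option codes named in this guide: 67 (boot file name), 209 (configuration file
# name as used by BMP) and 53 (DHCP message type, RFC 2132).
OPT_PAD = 0
OPT_MSG_TYPE = 53
OPT_BOOTFILE = 67
OPT_CONFIG_FILE = 209
OPT_END = 255
DHCPOFFER = 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class DhcpPacket:
    op: int                     # 1 = BOOTREQUEST, 2 = BOOTREPLY
    yiaddr: str                 # address offered to the client
    bootp_file: str             # fixed 128-byte 'file' field of the BOOTP header
    options: Dict[int, bytes]   # TLV option area, keyed by option code


def parse_dhcp(packet: bytes) -> DhcpPacket:
    """Parse the fixed BOOTP header and the TLV option area of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet (short header or missing magic cookie)")
    op = packet[0]
    yiaddr = ".".join(str(b) for b in packet[16:20])
    bootp_file = packet[108:236].split(b"\x00", 1)[0].decode("ascii", "replace")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")   # never trust the length byte
        options[code] = value
        i += 2 + length
    return DhcpPacket(op, yiaddr, bootp_file, options)


def bmp_paths(pkt: DhcpPacket) -> Tuple[Optional[str], Optional[str]]:
    """Image and configuration paths as BMP reads them: option 67 wins over the
    BOOTP file field; option 209 carries the configuration file name."""
    image = pkt.options.get(OPT_BOOTFILE, b"").decode("ascii", "replace") or pkt.bootp_file
    config = pkt.options.get(OPT_CONFIG_FILE, b"").decode("ascii", "replace")
    return (image or None), (config or None)


def is_valid_bmp_offer(pkt: DhcpPacket) -> bool:
    """A usable offer is a DHCPOFFER with an address and at least one of the two paths."""
    if pkt.op != 2 or pkt.options.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return False
    if pkt.yiaddr == "0.0.0.0":
        return False
    image, config = bmp_paths(pkt)
    return image is not None or config is not None


def select_bmp_offer(packets: Iterable[bytes]) -> Optional[DhcpPacket]:
    """Return the first offer, in arrival order, that satisfies the BMP rule."""
    for raw in packets:
        pkt = parse_dhcp(raw)
        if is_valid_bmp_offer(pkt):
            return pkt
    return None


def build_offer(yiaddr: str, bootp_file: str = "",
                options: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Constructed DHCPOFFER for this example, not a capture from a real server."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6        # BOOTREPLY, Ethernet, 6-byte hardware address
    hdr[16:20] = bytes(int(x) for x in yiaddr.split("."))
    hdr[108:108 + len(bootp_file)] = bootp_file.encode("ascii")
    body = bytearray(MAGIC_COOKIE) + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    body += bytes([OPT_END])
    return bytes(hdr) + bytes(body)


# Hypothetical server, image and configuration names used only for this example.
OFFER_IP_ONLY = build_offer("10.0.0.10")
OFFER_FULL = build_offer(
    "10.0.0.20", bootp_file="tftp://10.0.0.1/old-image.bin",
    options=[(OPT_BOOTFILE, b"tftp://10.0.0.1/FTOS-image.bin"),
             (OPT_CONFIG_FILE, b"tftp://10.0.0.1/z9000.cfg")])
OFFER_FILE_FIELD = build_offer("10.0.0.30", bootp_file="tftp://10.0.0.1/FTOS-image.bin")

if __name__ == "__main__":
    chosen = select_bmp_offer([OFFER_IP_ONLY, OFFER_FULL, OFFER_FILE_FIELD])
    print(chosen.yiaddr, bmp_paths(chosen))
```

The length check inside the option loop matters in practice: a DHCP server is an untrusted peer while the switch is in Jumpstart mode, and an option whose declared length runs past the end of the datagram is the classic way to trip a careless parser.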
Implementation Information
• The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046.
• IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature, so you cannot apply ACLs to an interface that has IP Source Address Validation enabled.
The key responsibilities of DHCP servers are:
1. Address Storage and Management: DHCP servers are the owners of the addresses used by DHCP clients. The server stores the addresses and manages their use, keeping track of which addresses have been allocated and which are still available.
2. Configuration Parameter Storage and Management: DHCP servers also store and maintain other parameters that are sent to clients when requested. These parameters specify in detail how a client is to operate.
3.
Create an IP Address Pool
An address pool is a range of IP addresses that may be assigned by the DHCP server. Address pools are indexed by subnet number. To create an address pool:
1. Access the DHCP server CLI context: ip dhcp server (CONFIGURATION mode)
2. Create an address pool and give it a name: pool name (DHCP mode)
3. Specify the range of IP addresses from which the DHCP server may assign addresses. network is the subnet address.
Specify an Address Lease Time
Specify an address lease time for the addresses in a pool: lease {days [hours] [minutes] | infinite} (DHCP mode). Default: 24 hours.
Specify a Default Gateway
The IP address of the default router should be on the same subnet as the client. Specify default gateway(s) for the clients on the subnet, in order of preference.
Configure a Method of Hostname Resolution
Dell Force10 systems can provide DHCP clients with parameters for two methods of hostname resolution.
Address Resolution using DNS
A domain is a group of networks. DHCP clients query DNS servers when they need to correlate host names to IP addresses.
1. Create a domain.
To create a manual binding:
1. Create an address pool: pool name (DHCP mode)
2. Specify the client IP address: host address (DHCP mode)
3. Specify the client hardware address or client identifier. hardware-address is the client MAC address; type is the protocol of the hardware platform, and the default is Ethernet. client-identifier is required for Microsoft clients instead of a hardware address.
Debug DHCP Server
Display debug information for the DHCP server: debug ip dhcp server [events | packets] (EXEC Privilege mode)
Client Configuration
To specify the name of a DHCP client, use the client-name command in DHCP pool configuration mode: client-name name (DHCP mode). The client name should not include the domain name. The boot file stores the boot image for the client.
You can configure an interface on the Dell Force10 system to relay the DHCP messages to a specific DHCP server using the command ip helper-address dhcp-address from INTERFACE mode, as shown in the following figure. Specify multiple DHCP servers by entering the ip helper-address dhcp-address command multiple times. When ip helper-address is configured, the system listens for DHCP broadcast messages on port 67.
Displaying the Helper Address Configuration
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
The server echoes the option back to the relay agent in its response, and the relay agent can use the information in the option to forward a reply out the interface on which the request was received rather than flooding it on the entire VLAN. The relay agent strips Option 82 from DHCP responses before forwarding them to the client. Task Command Syntax Command Mode Insert Option 82 into DHCP packets. For routers between the relay agent and the DHCP server, enter the trust-downstream option.
Note: DHCP server packets are dropped on all untrusted interfaces of a system configured for DHCP snooping. To prevent these packets from being dropped, configure ip dhcp snooping trust on the server-connected port.
Enable DHCP Snooping
1. Enable DHCP snooping globally: ip dhcp snooping (CONFIGURATION mode)
2. Specify ports connected to DHCP servers as trusted: ip dhcp snooping trust (INTERFACE mode)
3. Enable DHCP snooping on a VLAN.
View the DHCP snooping statistics with the show ip dhcp snooping command, as shown in the following example.
FTOS#show ip dhcp snooping
IP DHCP Snooping                     : Enabled.
IP DHCP Snooping Mac Verification    : Disabled.
IP DHCP Relay Information-option     : Disabled.
IP DHCP Relay Trust Downstream       : Disabled.
Dynamic ARP Inspection
Dynamic ARP inspection (DAI) prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism: network devices accept ARP requests and replies from any device, and ARP replies are accepted even when no request was sent.
• denial of service: an attacker can send fraudulent ARP messages to a client to associate a false MAC address with the gateway address, which blackholes all internet-bound packets from the client.
Note: DAI uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN, and you can enable DAI on up to 16 VLANs on a system. However, the ExaScale default CAM profile allocates only 9 entries to the L2SysFlow region for DAI.
Invalid ARP Replies : 0
FTOS#
Bypass ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.
Task: Specify an interface as trusted so that ARPs are not validated against the binding table.
DHCP MAC Source Address Validation DHCP MAC Source Address Validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. FTOS Release 8.2.1.1 ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. Task Command Syntax Command Mode Enable DHCP MAC Source Address Validation.
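The Python model below is an added example, not FTOS code, and ties together the three checks described in this chapter: DHCP snooping (server messages accepted only on trusted ports, bindings learned from ACKs), Dynamic ARP Inspection (ARP permitted only when the sender MAC/IP pair is in the binding table, trusted ports bypassed) and DHCP MAC Source Address Validation (frame source MAC must equal CHADDR). Port names, MAC addresses and the lease are constructed; checking the ingress port of an ARP against the binding's port is an assumption of the example, since the page only says the frame is validated against the binding table.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingState:
    """Per-switch DHCP snooping state: trusted ports, pending client requests
    and the binding table that DAI consults."""

    def __init__(self, trusted_ports: Set[str]) -> None:
        self.trusted = set(trusted_ports)
        self.pending: Dict[Tuple[int, str], str] = {}        # (vlan, chaddr) -> client port
        self.bindings: Dict[Tuple[int, str], Binding] = {}   # (vlan, ip) -> binding

    def observe_dhcp(self, msg_type: str, vlan: int, in_port: str,
                     eth_src: str, chaddr: str, yiaddr: str = "") -> str:
        """Apply the snooping rules to one DHCP message and report its fate."""
        eth_src, chaddr = eth_src.lower(), chaddr.lower()
        if msg_type in SERVER_MSGS and in_port not in self.trusted:
            return "drop: server message on untrusted port"
        if msg_type in CLIENT_MSGS:
            # MAC Source Address Validation: frame source MAC must equal CHADDR.
            if eth_src != chaddr:
                return "drop: source MAC does not match CHADDR"
            self.pending[(vlan, chaddr)] = in_port
            return "forward"
        if msg_type == "ACK" and yiaddr:
            port = self.pending.get((vlan, chaddr))
            if port is None:
                return "forward: no matching request seen, no binding added"
            self.bindings[(vlan, yiaddr)] = Binding(chaddr, yiaddr, vlan, port)
            return "bind"
        return "forward"

    def inspect_arp(self, vlan: int, in_port: str, eth_src: str,
                    sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: permit only ARP whose sender MAC/IP pair is bound
        on that VLAN. Trusted ports bypass the check."""
        if in_port in self.trusted:
            return True
        eth_src, sender_mac = eth_src.lower(), sender_mac.lower()
        if eth_src != sender_mac:
            return False   # Ethernet source and ARP sender hardware address disagree
        b = self.bindings.get((vlan, sender_ip))
        # The port comparison is this example's assumption, not a documented FTOS check.
        return b is not None and b.mac == sender_mac and b.port == in_port


def run_scenario() -> Dict[str, object]:
    """Constructed sequence on VLAN 10: one legitimate lease, then four attacks."""
    sw = SnoopingState(trusted_ports={"Gi 1/24"})        # Gi 1/24 faces the DHCP server
    client, server, attacker = "00:01:e8:00:00:01", "00:01:e8:00:00:fe", "00:01:e8:00:00:ba"
    r: Dict[str, object] = {}
    r["discover"] = sw.observe_dhcp("DISCOVER", 10, "Gi 1/1", client, client)
    r["offer"] = sw.observe_dhcp("OFFER", 10, "Gi 1/24", server, client, "10.1.10.50")
    r["request"] = sw.observe_dhcp("REQUEST", 10, "Gi 1/1", client, client)
    r["ack"] = sw.observe_dhcp("ACK", 10, "Gi 1/24", server, client, "10.1.10.50")
    # Attack 1: rogue DHCP server on an access port answers the client.
    r["rogue_offer"] = sw.observe_dhcp("OFFER", 10, "Gi 1/2", attacker, client, "10.1.10.99")
    # Attack 2: DISCOVER whose CHADDR impersonates the client (caught by MAC SAV).
    r["spoofed_discover"] = sw.observe_dhcp("DISCOVER", 10, "Gi 1/2", attacker, client)
    # Attack 3: ARP claiming the gateway address from the attacker's port (caught by DAI).
    r["arp_gateway_spoof"] = sw.inspect_arp(10, "Gi 1/2", attacker, attacker, "10.1.10.1")
    # Attack 4: ARP claiming the client's leased address from the attacker's port.
    r["arp_client_spoof"] = sw.inspect_arp(10, "Gi 1/2", attacker, attacker, "10.1.10.50")
    # Legitimate ARP from the bound client and from the trusted uplink.
    r["arp_client_ok"] = sw.inspect_arp(10, "Gi 1/1", client, client, "10.1.10.50")
    r["arp_trusted_ok"] = sw.inspect_arp(10, "Gi 1/24", server, server, "10.1.10.1")
    r["bindings"] = list(sw.bindings.values())
    return r


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:18} {outcome}")
```

Note what the trusted uplink implies: anything arriving on Gi 1/24 skips both the server-message check and DAI, so a trusted port must only ever lead to infrastructure you control.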
13 Equal Cost Multi-Path (ECMP)
Equal Cost Multi-Path (ECMP) is supported on platforms: e c s z
ECMP for Flow-based Affinity
ECMP for Flow-based Affinity is available on platforms e z. The hashing algorithms on E-Series TeraScale and E-Series ExaScale are different: hashing on ExaScale is based on CRC, checksum, or XOR, while the algorithm on TeraScale is based on checksum only.
Configurable Hash Algorithm
TeraScale has one algorithm that is used for LAGs, ECMP, and NH-ECMP, while ExaScale can use three different algorithms for these features. To adjust the ExaScale behavior to match TeraScale, use the following command:
Task: Change the ExaScale hash algorithm for LAG, ECMP, and NH-ECMP to match TeraScale.
FTOS provides a CLI-based solution for modifying the hash seed to ensure that the ECMP selection is the same on each configured system. When configured, the same seed is set for ECMP, LAG, and NH, and is used for incoming traffic only.
Note: While the seed is stored separately on each port-pipe, the same seed is used across all CAMs.
Note: You cannot separate LAG and ECMP, but you can use different algorithms across chassis with the same seed.
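To make the two hashing behaviours concrete (the bidirectional-flow alignment that lag-hash-align provides for LAGs in chapter 10, and the shared seed that keeps member selection identical across systems described here), the following Python example, added here and not taken from FTOS, hashes an IPv4 5-tuple with a seeded CRC-32 and selects a member link. The CRC-32 used here and the seed value are stand-ins for the ExaScale algorithm and seed, whose exact form the guide does not give; the flows are constructed.

```python
import ipaddress
import struct
import zlib
from typing import List, Tuple

Flow = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, protocol, src_port, dst_port)


def flow_key(flow: Flow, symmetric: bool) -> bytes:
    """Serialize the IPv4 5-tuple that feeds the hash. With symmetric=True the two
    (address, port) endpoints are ordered first, so A->B and B->A yield the same key."""
    src_ip, dst_ip, proto, sport, dport = flow
    a = (int(ipaddress.IPv4Address(src_ip)), sport)
    b = (int(ipaddress.IPv4Address(dst_ip)), dport)
    if symmetric and a > b:
        a, b = b, a
    return struct.pack("!IHIHB", a[0], a[1], b[0], b[1], proto)


def select_member(flow: Flow, members: int, seed: int, symmetric: bool) -> int:
    """CRC-based choice of an output link index in [0, members). 'seed' is the CRC
    starting value and stands in for the configurable hash seed: two systems that
    run this function with the same seed pick the same member for every flow."""
    return zlib.crc32(flow_key(flow, symmetric), seed) % members


def reverse(flow: Flow) -> Flow:
    src_ip, dst_ip, proto, sport, dport = flow
    return (dst_ip, src_ip, proto, dport, sport)


def aligned_pairs(flows: List[Flow], members: int, seed: int, symmetric: bool) -> int:
    """Count flows whose forward and reverse directions land on the same member."""
    return sum(1 for f in flows
               if select_member(f, members, seed, symmetric)
               == select_member(reverse(f), members, seed, symmetric))


def distribution(flows: List[Flow], members: int, seed: int, symmetric: bool) -> List[int]:
    """Packets per member when every flow is seen in both directions."""
    counts = [0] * members
    for f in flows:
        counts[select_member(f, members, seed, symmetric)] += 1
        counts[select_member(reverse(f), members, seed, symmetric)] += 1
    return counts


# Constructed bidirectional flows: SIP signalling, an RTP stream and a P2P transfer.
FLOWS: List[Flow] = [
    ("10.1.1.10", "10.2.2.20", 17, 5060, 5060),
    ("10.1.1.10", "10.2.2.20", 17, 20000, 30000),
    ("192.0.2.7", "198.51.100.9", 6, 51234, 6881),
    ("198.51.100.9", "192.0.2.7", 6, 6881, 51234),
]

if __name__ == "__main__":
    for sym in (False, True):
        print("symmetric" if sym else "plain    ",
              "aligned:", aligned_pairs(FLOWS, 4, 0x1234, sym),
              "per member:", distribution(FLOWS, 4, 0x1234, sym))
```

With the plain key the two directions of a flow are independent hash inputs and may land on different links; with the ordered key they cannot, which is what a stateful device behind the bundle (a firewall, an IDS sensor) relies on.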
Link Bundle Monitoring
Link Bundle Monitoring is supported only on platform z.
Monitoring ECMP link bundles allows the traffic distribution within a bundle to be monitored for unfair distribution at any given time. A default threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances. Any deviation within that time causes a syslog to be sent and an alarm event to be generated.
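The detection rule above (a member carrying more than 60% of the bundle's traffic in three consecutive 15-second intervals) is simple enough to check offline against exported counters. The Python example below is added here and is not FTOS code; the member names and per-interval byte counts are constructed, and the alert text is the example's own rather than a real FTOS syslog message.

```python
from typing import Dict, List, Tuple

THRESHOLD = 0.60        # share of bundle traffic above which a member is "unfair"
INTERVAL_SECONDS = 15   # sampling interval given in this section
CONSECUTIVE = 3         # instances required before an alarm

Sample = Dict[str, int]   # member interface -> bytes (or packets) seen in one interval
Alert = Tuple[int, str, float]   # (seconds since start, member, share)


def member_shares(sample: Sample) -> Dict[str, float]:
    """Fraction of the bundle's traffic carried by each member in one interval."""
    total = sum(sample.values())
    if total == 0:
        return {member: 0.0 for member in sample}
    return {member: value / total for member, value in sample.items()}


def monitor(samples: List[Sample], threshold: float = THRESHOLD,
            consecutive: int = CONSECUTIVE) -> List[Alert]:
    """Return one alert per member each time it exceeds the threshold in
    'consecutive' back-to-back intervals; a single good interval resets the streak."""
    streak: Dict[str, int] = {}
    alerts: List[Alert] = []
    for idx, sample in enumerate(samples):
        for member, share in member_shares(sample).items():
            streak[member] = streak.get(member, 0) + 1 if share > threshold else 0
            if streak[member] == consecutive:
                alerts.append((idx * INTERVAL_SECONDS, member, round(share, 3)))
    return alerts


def format_alert(alert: Alert) -> str:
    """Example log line (constructed wording, not an FTOS message)."""
    seconds, member, share = alert
    return (f"t={seconds}s link bundle: {member} carried {share:.0%} of traffic for "
            f"{CONSECUTIVE} consecutive {INTERVAL_SECONDS}s intervals (threshold {THRESHOLD:.0%})")


# Constructed counters for a four-member bundle (Fo 0/1 .. Fo 0/4).
BALANCED: Sample = {"Fo 0/1": 1000, "Fo 0/2": 1000, "Fo 0/3": 1000, "Fo 0/4": 1000}
SKEWED: Sample = {"Fo 0/1": 1000, "Fo 0/2": 1000, "Fo 0/3": 1000, "Fo 0/4": 7000}
SUSTAINED = [BALANCED, SKEWED, SKEWED, SKEWED, SKEWED, BALANCED]   # alarm at the 3rd skewed interval
TRANSIENT = [SKEWED, SKEWED, BALANCED, SKEWED, SKEWED, BALANCED]   # never three in a row

if __name__ == "__main__":
    for alert in monitor(SUSTAINED):
        print(format_alert(alert))
    print("transient skew alerts:", monitor(TRANSIENT))
```

A persistent skew of this kind is worth correlating with the hashing discussion above: one heavy flow pinned to a single member is expected, but many flows collapsing onto one link usually means the hash inputs have lost entropy (tunnelled traffic, a NAT pool, or a deliberate flood shaped to land on one member).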
Use the ip ecmp-group path-fallback command to enable or disable the feature. Task Command Syntax Command Mode Configure the maximum number of paths per ECMP group ip ecmp-group maximum-paths {2-64} CONFIGURATION Enable ECMP group path management ip ecmp-group path-fallback CONFIGURATION Note: You must save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
14 Force10 Resilient Ring Protocol (FRRP)
Force10 Resilient Ring Protocol (FRRP) is supported on platforms: e c s z
Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses.
to be transmitted and received through it. See Figure 14-1 for a simple example of this FRRP topology. Note that ring direction is determined by the Master node's Primary and Secondary ports.
Figure 14-1.
If the Master node does not receive the Ring Health Frame (RHF) before the fail-period timer expires (a configurable timer), the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node also clears its forwarding table and sends a control frame to all other nodes, instructing them to also clear their forwarding tables. Immediately after clearing its forwarding table, each node starts learning the new topology.
In the example shown in Figure 14-2, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups. Switch R3 has two instances of FRRP running on it, one for each ring. The example topology shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202.
Figure 14-2.
• Multiple physical rings can be run on the same switch.
• One Master node per ring; all other nodes are Transit.
• Each node has two member interfaces: Primary and Secondary.
• No limit to the number of nodes on a ring.
• Master node ring port states: blocking, pre-forwarding, forwarding, disabled.
• Transit node ring port states: blocking, pre-forwarding, forwarding, disabled.
• STP disabled on ring interfaces.
• Master node Secondary port is in blocking state during Normal operation.
• Ring Health Frames (RHF)
  • Hello R
Table 14-1. FRRP Components (continued)
Ring Interface State: Each interface (port) that is part of the ring maintains one of four states.
• Blocking State: Accepts ring protocol packets but blocks data packets. LLDP, FEFD, or other Layer 2 control packets are accepted. Only the Master node Secondary port can enter this state.
• Pre-Forwarding State: A transition state before moving to the Forwarding state.
• The Control VLAN is not used to carry any data traffic; it carries only RHFs.
• The Control VLAN cannot have members that are not ring ports.
• If multiple rings share one or more Member VLANs, they cannot share any links between them.
• Member VLANs across multiple rings are not supported on Master nodes.
• Each ring has only one Master node; all others are Transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
All VLANs must be in Layer 2 mode. Only ring nodes can be added to the VLAN. A Control VLAN can belong to one FRRP group only. Control VLAN ports must be tagged. All ports on the ring must use the same VLAN ID for the Control VLAN. A VLAN cannot be configured as both a Control VLAN and a Member VLAN on the same ring. Only two interfaces can be members of a Control VLAN (the Master Primary and Secondary ports).
4. mode master (CONFIG-FRRP): Configure the Master node.
5. member-vlan vlan-id {range} (CONFIG-FRRP): Identify the Member VLANs for this FRRP group. VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. no disable (CONFIG-FRRP): Enable FRRP.
Configure and add the Member VLANs
Control and Member VLANs are configured normally for Layer 2. Their status as Control or Member is determined by the FRRP group commands.
3. interface primary int slot/port secondary int slot/port control-vlan vlan id (CONFIG-FRRP): Assign the Primary and Secondary ports, and the Control VLAN for the ports on the ring. Interface: for a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
Clear FRRP counters
Use one of the following commands to clear the FRRP counters.
clear frrp ring-id (EXEC Privilege): Clear the counters associated with this Ring ID. Ring ID: 1-255.
clear frrp (EXEC Privilege): Clear the counters associated with all FRRP groups.
Show FRRP configuration
Use the following command to view the configuration for the FRRP group.
Troubleshooting FRRP
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be members of the same Control VLAN.
• There can be only one Master node for any FRRP group.
• FRRP can be configured on Layer 2 inter faces only.
• Spanning Tree (if enabled globally) must be disabled on both Primary and Secondary interfaces when FRRP is enabled.
Figure 14-3.
15 GARP VLAN Registration Protocol (GVRP)
GARP VLAN Registration Protocol (GVRP) is supported on platforms: e c s z
Protocol Overview
A typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN Registration Protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides automatic VLAN configuration of switches.
Figure 15-1. GVRP Compatibility Error Message
FTOS(conf)#protocol spanning-tree pvst
FTOS(conf-pvst)#no disable
% Error: GVRP running. Cannot enable PVST.
.........
FTOS(conf)#protocol spanning-tree mstp
FTOS(conf-mstp)#no disable
% Error: GVRP running. Cannot enable MSTP.
.........
FTOS(conf)#protocol gvrp
FTOS(conf-gvrp)#no disable
% Error: PVST running. Cannot enable GVRP.
% Error: MSTP running. Cannot enable GVRP.
Figure 15-2. GVRP Configuration Overview
GVRP is configured globally and on all VLAN trunk ports for the edge and core switches. The figure shows edge and core switches exchanging VLAN ranges 10-20, 30-50 and 70-80 over GVRP-enabled trunks.
NOTES: VLAN 1 mode is always fixed and cannot be configured. All VLAN trunk ports must be configured for GVRP. All VLAN trunk ports must be configured as 802.1Q.
Basic GVRP configuration is a 2-step process:
1. Enable GVRP globally. See page 314.
2.
Figure 15-3. Enabling GVRP Globally
FTOS(conf)#protocol gvrp
FTOS(config-gvrp)#no disable
FTOS(config-gvrp)#show config
!
protocol gvrp
 no disable
FTOS(config-gvrp)#
Enabling GVRP on a Layer 2 Interface
Enable GVRP on a Layer 2 interface using the command gvrp enable in INTERFACE mode, as shown in Figure 15-4.
Based on the configuration in the example shown in Figure 15-5, the interface 1/21 will not be removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface will not be dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received. Figure 15-5.
FTOS displays Message 1 if an attempt is made to configure an invalid GARP timer.
Message 1. GARP Timer Error
FTOS(conf)#garp timers join 300
% Error: Leave timer should be >= 3*Join timer.
16 Internet Group Management Protocol (IGMP)
Internet Group Management Protocol (IGMP) is supported on platforms: e c s z
Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Internet Group Management Protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
IGMP version 2
IGMP version 2 improves upon version 1 by specifying IGMP Leave messages, which allow hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
Sending an Unsolicited IGMP Report A host does not have to wait for a general query to join a group. It may send an unsolicited IGMP Membership Report, also called an IGMP Join message, to the querier. Leaving a Multicast Group 1. A host sends a membership report of type 0x17 (IGMP Leave message) to the all routers multicast address 224.0.0.2 when it no longer cares about multicast traffic for a particular group. 2.
Figure 16-3. IGMP version 3 Membership Report Packet Format
(IP header: Version 4, IHL, TOS 0xc0, Total Length, Flags, Fragment Offset, TTL 1, Protocol 2, Header Checksum, Source IP Address, Destination IP Address 224.0.0.; followed by the IGMP Type and Reserved fields.)
Figure 16-4. IGMP Membership Reports: Joining and Filtering
(Interface table columns: Interface, Multicast Group, Filter Mode, Source Address, Group Timer, Source Timer. Rows shown for interface 1/1 and group 224.1.1.1: first filter mode Exclude with no sources and group timer GMI, then filter mode Include with source 10.11.1.1 and source timer GMI. The querier sends an IGMP Group-and-Source Specific Query, type 0x11, group address 224.1.1.1, number of sources 1, source address 10.11.1.1, which the non-querier also receives on 1/1.)
Figure 16-5. IGMP Membership Queries: Leaving and Staying in Groups
(Interface table rows: 1/1, group 224.1.1.1, filter mode Include, sources 10.11.1.1 and 10.11.1.2 each with source timer LQMT; 2/1, group 224.2.2.2, filter mode Exclude, no sources, group timer GMI. The non-querier builds an identical table and waits the Other Querier Present Interval before assuming the querier role. The querier sends an IGMP Group-and-Source Specific Query, type 0x11, group address 224.1.1.)
Figure 16-6. Viewing IGMP-enabled Interfaces
FTOS#show ip igmp interface gig 7/16
GigabitEthernet 7/16 is up, line protocol is up
Internet address is 10.87.3.2/24
IGMP is enabled on interface
IGMP query interval is 60 seconds
IGMP querier timeout is 300 seconds
IGMP max query response time is 10 seconds
Last member query response interval is 199 ms
IGMP activity: 0 joins, 0 leaves
IGMP querying router is 10.87.3.
Figure 16-8. Viewing Static and Learned IGMP Groups
FTOS(conf-if-gi-1/0)#do sho ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface             Uptime     Expires    Last Reporter
224.1.1.1       GigabitEthernet 1/0   00:00:03   Never      CLI
224.1.2.1       GigabitEthernet 1/0   00:56:55   00:01:22   1.1.1.2
Adjusting Timers
View the current value of all IGMP timers using the command show ip igmp interface from EXEC Privilege mode, as shown in Figure 16-6.
2. When a router receives a query it compares the IP address of the interface on which it was received with the source IP address given in the query. If the receiving router IP address is greater than the source address given in the query, the router stops sending queries. By this method, the router with the lowest IP address on the subnet is elected querier and continues to send queries. 3.
IGMP Snooping
Multicast packets are addressed with multicast MAC addresses, which represent a group of devices rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only a few interested hosts, which wastes bandwidth.
Figure 16-10. Enabling IGMP Snooping
FTOS(conf-if-vl-100)#show config
!
interface Vlan 100
 no ip address
 ip igmp snooping fast-leave
 shutdown
FTOS(conf-if-vl-100)#
Disabling Multicast Flooding
If the switch receives a multicast packet for a group address it has not learned (an unregistered frame), it floods that packet out of all ports on the VLAN.
• When enabled, the IGMP snooping querier starts after one query interval if no IGMP general query (with an IP source address lower than its VLAN IP address) is received on any of its VLAN members.
Adjusting the Last Member Query Interval
When the querier receives a leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another.
17 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with FTOS.
10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms: e c s and Z. SONET interfaces are only supported on platform e.
Figure 17-1. show interfaces Command Example
FTOS#show interfaces tengigabitethernet 1/0
TenGigabitEthernet 0/20 is up, line protocol is up
Hardware is DellForce10Eth, address is 00:01:e8:a0:bf:ed
    Current address is 00:01:e8:a0:bf:ed
Pluggable media present, QSFP type is 40GBASE-SR4
    Wavelength is 850nm
    QSFP receive power reading is -2.
Figure 17-3. Interfaces listed in the show running-config Command (Partial)
FTOS#show running
Current Configuration ...
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or the end command. A physical interface cannot be deleted.

Physical Interfaces
The Management Ethernet interface is a single RJ-45 Fast Ethernet port on the Route Processor Module (RPM) of the C-Series and E-Series and on each unit of the S4810; it provides dedicated management access to the system.
Overview of Layer Modes
On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode.
Table 17-1.
For information on enabling and configuring Spanning Tree Protocol, see Chapter 10, Layer 2, on page 47. To view the interfaces in Layer 2 mode, use the command show interfaces switchport in EXEC mode.

Configure Layer 3 (Network) Mode
When you assign an IP address to a physical interface, you place it in Layer 3 mode. Use the ip address command and the no shutdown command in INTERFACE mode to enable Layer 3 mode on an individual interface.
Command Syntax: ip address ip-address mask [secondary]
Command Mode: INTERFACE
Purpose: Configure a primary IP address and mask on the interface. The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface's backup IP address. You can configure only one (1) primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface.
To configure a Management interface, use the following command in CONFIGURATION mode:
Command Syntax: interface Managementethernet interface
Command Mode: CONFIGURATION
Purpose: Enter the slot and the port (0). On the E-Series and C-Series, dual RPMs can be in use. Slot range: C-Series, E-Series: 0-1; S4810: 0
To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are 2 RPMs, you cannot view information on that interface.
• Once the virtual IP address is removed, the system is accessible through the native IP address of the primary RPM's management interface.
• The primary and secondary management interface IP addresses and the virtual IP address must be in the same subnet.

Configure Management Interfaces on the S-Series
You can manage the S-Series from any port. Configure an IP address for the port using the ip address command, and enable it using the no shutdown command.
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information on VLANs and Layer 2, refer to Chapter 10, Layer 2. See also Chapter 18, VLAN Stacking.
Note: To monitor VLAN interfaces, use the Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213). Monitoring VLAN interfaces via SNMP is supported only on the E-Series.
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on it to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode.
Port Channel Interfaces
Port channel interfaces support link aggregation, as described in IEEE Standard 802.3ad. This section covers the following topics:
• Port channel definition and standards
• Port channel benefits
• Port channel implementation
• Configuration task list for port channel interfaces

Port channel definition and standards
Link aggregation is defined by IEEE 802.
Table 17-2. Number of Port-channels per Platform
Platform                  Port-channels   Members/Channel
C-Series                  128             8
S-Series: S25 and S50     52              8
S55, S60 and S4810        128             8
Z9000                     128             8
Note: If you are using either 10G ports or 40G ports, the Z9000 supports 8 members per LAG.
As soon as a port channel is configured, FTOS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel.
For example, suppose four interfaces (Gi 0/0, 0/1, 0/2, 0/3) are all enabled, Gi 0/0 and Gi 0/3 are set to a speed of 100 Mb/s and the others to 1000 Mb/s, and you add them to a port channel by entering channel-member gigabitethernet 0/0-3 in port channel interface mode. FTOS checks whether the first interface specified (Gi 0/0) is up; once it is up, the common speed of the port channel is 100 Mb/s.
Add a physical interface to a port channel
The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type.
Note: Port channels can contain a mix of Gigabit Ethernet and 10/100/1000 Ethernet interfaces, but FTOS disables the interfaces that are not the same speed as the first channel member in the port channel (see 10/100/1000 Mbps interfaces in port channels).
Figure 17-10. show interfaces port-channel brief Command Example
FTOS#show int port brief
LAG  Mode  Status  Uptime    Ports
1    L2L3  up      00:06:03  Gi 13/6   (Up) *
                             Gi 13/7   (Up)
                             Gi 13/8   (Up)
2    L2L3  up      00:06:03  Gi 13/12  (Up) *
                             Gi 13/13  (Up)
                             Gi 13/14  (Up)
FTOS#
Figure 17-11 displays the port channel's mode (L2 for Layer 2, L3 for Layer 3, and L2L3 for a Layer 2 port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel.
Figure 17-11.
Figure 17-12. Error Message
FTOS(conf-if-portch)#show config
!
interface Port-channel 5
 no ip address
 switchport
 channel-member GigabitEthernet 1/6
FTOS(conf-if-portch)#int gi 1/6
FTOS(conf-if)#ip address 10.56.4.4 /24
% Error: Port is part of a LAG Gi 1/6.
FTOS(conf-if)#

Reassign an interface to a new port channel
An interface can be a member of only one port channel.
To add a port channel to a VLAN, use either of the following commands:
Command Syntax: tagged port-channel id number
Command Mode: INTERFACE VLAN
Purpose: Add the port channel to the VLAN as a tagged interface. An interface with tagging enabled can belong to multiple VLANs.
Command Syntax: untagged port-channel id number
Command Mode: INTERFACE VLAN
Purpose: Add the port channel to the VLAN as an untagged interface. An interface without tagging enabled can belong to only one VLAN.
Load balancing through port channels
FTOS uses hash algorithms to distribute traffic evenly over the channel members in a port channel (LAG). The hash algorithm distributes traffic among ECMP paths and LAG members. Except for packet-based hashing, the distribution is based on flows: a flow is identified by its hash and is assigned to one link. In packet-based hashing, the packets of a single flow can be distributed across the LAG, each packet using one link.
On the E-Series, to change the 5-tuple default to 3-tuple, MAC, or packet-based, use the following command in CONFIGURATION mode:
Command Syntax: [no] load-balance [ip-selection {3-tuple | packet-based}] [mac]
Command Mode: CONFIGURATION
Purpose: Designate a method to balance traffic over a port channel. By default, IP 5-tuple is used to distribute traffic over the members of a port channel.
IPv4, IPv6, and non-IP traffic handling on the E-Series
The table below presents the combinations of the load-balance command and their effect on traffic types.
Table 17-5.
Hash algorithm
The load-balance command discussed above selects the hash criteria applied to port channels. If the load-balance command does not achieve even distribution, use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP. The 12-bit LAG hash can be rotated or shifted until the desired hash is achieved. The nh-ecmp option allows you to change the hash value for recursive ECMP routes independently of non-recursive ECMP routes.
• lsb — always uses the least significant bit of the hash key to compute the egress port
To change to another method, use the following command in CONFIGURATION mode:
Command Syntax: hash-algorithm ecmp {crc-upper} | {dest-ip} | {lsb}
Command Mode: CONFIGURATION
Purpose: Change to another algorithm.
For more on load balancing, see "Equal Cost Multipath and Link Aggregation Frequently Asked Questions" in the E-Series FAQ section (login required) of iSupport: https://www.force10networks.
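The flow-based distribution described under "Load balancing through port channels" and the hash rotation described under "Hash algorithm", as an added Python model that is not FTOS code: CRC32 stands in for the real hardware hash, and the field sets (3-tuple = source IP, destination IP, protocol; 5-tuple adds the two ports) are assumptions. The sample traffic is constructed to show why 3-tuple pins every flow between one host pair to a single member while 5-tuple and packet-based spread them.

```python
"""Flow-based LAG/ECMP member selection as the page describes it: a hash over
selected packet fields identifies a flow and every packet of that flow uses one
member link, while packet-based hashing sprays the packets of one flow across
the LAG.  Shows the effect of the load-balance ip-selection choice (5-tuple
versus 3-tuple) and of rotating the 12-bit LAG hash, as the hash-algorithm
command allows, when distribution is uneven.  Constructed Python model, not
the FTOS hardware hash: CRC32 stands in for the real function, and the field
sets (3-tuple = source IP, destination IP, protocol; 5-tuple adds the ports)
are assumptions."""
import zlib
from collections import Counter
from ipaddress import ip_address

HASH_BITS = 12                       # page: "The 12 bit Lag Hash"
HASH_MASK = (1 << HASH_BITS) - 1


def flow_key(pkt, selection):
    """Serialise the header fields selected by load-balance ip-selection."""
    key = ip_address(pkt["src"]).packed + ip_address(pkt["dst"]).packed
    key += bytes([pkt["proto"]])
    if selection == "5-tuple":
        key += pkt["sport"].to_bytes(2, "big") + pkt["dport"].to_bytes(2, "big")
    elif selection != "3-tuple":
        raise ValueError(f"unknown ip-selection {selection!r}")
    return key


def lag_hash(key, rotate=0):
    """12-bit hash of the flow key, rotated left by `rotate` bits."""
    h = zlib.crc32(key) & HASH_MASK
    rotate %= HASH_BITS
    return ((h << rotate) | (h >> (HASH_BITS - rotate))) & HASH_MASK


def select_member(pkt, members, selection="5-tuple", rotate=0, seq=0):
    """Index of the member link that carries this packet.
    packet-based: round-robin by packet sequence (one flow is spread out).
    flow-based:   hash of the selected fields, so one flow sticks to one link."""
    if selection == "packet-based":
        return seq % len(members)
    return lag_hash(flow_key(pkt, selection), rotate) % len(members)


def distribution(pkts, members, selection, rotate=0):
    """Packets per member index for a traffic sample."""
    counts = Counter()
    for seq, pkt in enumerate(pkts):
        counts[select_member(pkt, members, selection, rotate, seq)] += 1
    return dict(sorted(counts.items()))


# Constructed sample: 200 TCP flows between one host pair, differing only in
# source port, over a four-member LAG.
MEMBERS = ["Gi 1/0", "Gi 1/1", "Gi 1/2", "Gi 1/3"]
SAMPLE = [{"src": "10.0.0.1", "dst": "10.0.0.2", "proto": 6,
           "sport": 40000 + i, "dport": 443} for i in range(200)]

if __name__ == "__main__":
    for selection in ("3-tuple", "5-tuple", "packet-based"):
        print(f"{selection:13s}", distribution(SAMPLE, MEMBERS, selection))
    # Rotating the hash changes which flows share a link without changing
    # the fields that are hashed.
    print("5-tuple rot=5 ", distribution(SAMPLE, MEMBERS, "5-tuple", rotate=5))
```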
Bulk Configuration Examples
The following are examples of using the interface range command for bulk configuration:
• Create a single-range
• Create a multiple-range
• Exclude duplicate entries
• Exclude a smaller port range
• Overlap port ranges
• Commas
• Add ranges

Create a single-range
Figure 17-17.
Overlap port ranges
If overlapping port ranges are specified, the port range is extended to the smallest start port number and the largest end port number:
Figure 17-21.
Monitor and Maintain Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on.
Command Syntax: monitor interface interface
Command Mode: EXEC Privilege
Purpose: View the interface's statistics. Enter the type of interface and slot/port information:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
Figure 17-24. Command Example: monitor interface
FTOS#monitor interface gi 3/1
FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s)
Monitor time: 00:00:00   Refresh Intvl.
To test the condition of cables on 10/100/1000 BASE-T modules, use the tdr-cable-test command:
Step 1
Command Syntax: tdr-cable-test gigabitethernet /
Command Mode: EXEC Privilege
Usage: Test for cable faults on the GigabitEthernet cable.
• Between two ports, do not start the test on both ends of the cable.
• Enable the interface before starting the test.
• The port should be enabled to run the test, or the test prints an error message.
This can be verified using the show system brief command. If the unit ID is different from 0, it must be renumbered to 0 before ports are split, by using the stackunit id renumber 0 command in EXEC mode.
• The quad port must be in a default configuration before it can be split into 4x10G ports.
• The 40G port is lost from the config when the port is split, so be sure the port is also removed from other L2/L3 feature configurations.
Assign a debounce time to an interface
Command Syntax: link debounce time [milliseconds]
Command Mode: INTERFACE
Purpose: Enter the time to delay link status change notification on this interface. Range: 100-5000 ms
• Default for Copper is 3100 ms
• Default for Fiber is 100 ms
Figure 17-25. Setting Debounce Time
FTOS(conf)#int gi 3/1
FTOS(conf-if-gi-3/1)#link debounce time 150
FTOS(conf-if-gi-3/1)#
Show debounce times on an interface: show interface debounce [type] [slot/port]
Figure 17-26.
Similarly, if an SFM fails (or is removed) in an E300 system with two SFMs, ports configured with this feature will be shut down. All other ports are treated normally. When a second SFM is installed or replaced, all ports are brought up and treated normally. This feature does not take effect until a single SFM is active in the E300 system.

Disable port on one SFM
This feature must be configured for each interface to shut down in the event that an SFM is disabled.
Figure 17-27. Configuring Link Dampening
R1(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
R1(conf-if-gi-1/1)#exit
View the link dampening configuration on an interface using the command show config, or view dampening information on all or specific dampened interfaces using the command show interfaces dampening from EXEC Privilege mode, as shown in Figure 17-28.
Figure 17-28.
Link Dampening Support for XML
View the output of the following show commands in XML by adding | display xml to the end of the command:
• show interfaces dampening
• show interfaces dampening summary
• show interfaces interface x/y

Configure MTU size on an Interface
The Z9000 supports a link Maximum Transmission Unit (MTU) of 12000 bytes and a maximum IP MTU of 9234 bytes. The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation.
The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands. Ethernet Pause Frames are supported on full duplex only. The only configuration applicable to half duplex ports is rx off tx off. Note that if a port is oversubscribed, Ethernet Pause Frame flow control does not guarantee lossless behavior.
On the C-Series and S-Series systems, the flow-control sender and receiver must be on the same port-pipe. Flow control is not supported across different port-pipes on the C-Series or S-Series system.
Command Syntax: flowcontrol rx [off | on] tx [off | on] [threshold {<1-2047> <1-2013> <1-2013>}]
Command Mode: INTERFACE
Purpose: Control how the system responds to and generates 802.3x pause frames on 1 and 10Gig line cards.
Configure MTU Size on an Interface
If a packet includes a Layer 2 header, the difference in bytes between the link MTU and the IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the link MTU must be no less than 1422:
1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU
The MTU range is 592-12000, with a default of 1500. On the E-Series, you must enter the ip mtu command to manually configure the IP MTU to compensate for the Layer 2 header.
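The link-MTU versus IP-MTU rule above (IP MTU + Layer 2 header, 1400 + 22 = 1422 for a VLAN-tagged frame) and the limits given on this page (592-12000 link MTU, 9234 maximum IP MTU), applied by an added Python checker over a constructed FTOS-style configuration excerpt; this is not FTOS code. The 18-byte overhead assumed for an untagged frame (14-byte Ethernet header plus 4-byte FCS) and the treatment of a missing mtu line as the 1500-byte default are assumptions; interface ranges in tagged lines are not expanded.

```python
"""Check that each interface's link MTU leaves room for the Layer 2 header in
front of its IP MTU, as the page requires (1400-byte IP MTU + 22-byte VLAN tag
= 1422-byte link MTU), and that both values stay inside the limits the page
gives.  Constructed Python checker over a constructed show-config style
snippet; not FTOS code.  The 22-byte overhead for a VLAN-tagged frame is the
page's figure; the 18-byte overhead for an untagged Ethernet frame (14-byte
header + 4-byte FCS) and the 1500-byte default for a missing mtu line are
assumptions."""
import re

LINK_MTU_MIN, LINK_MTU_MAX = 592, 12000      # page: "MTU range is 592-12000"
LINK_MTU_DEFAULT = 1500                      # page: "with a default of 1500"
IP_MTU_MAX = 9234                            # page: Z9000 maximum IP MTU
L2_OVERHEAD = {"untagged": 18, "vlan": 22}   # bytes; untagged value assumed


def required_link_mtu(ip_mtu, encapsulation="vlan"):
    """Smallest link MTU that carries ip_mtu bytes of IP plus the L2 header."""
    return ip_mtu + L2_OVERHEAD[encapsulation]


def parse_config(config):
    """Collect mtu / ip mtu per interface stanza and the set of interfaces that
    appear as 'tagged' members of some VLAN.  Interface ranges in tagged lines
    are not expanded (simplification for the example)."""
    stanzas, tagged, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+ \S+)$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {"mtu": None, "ip mtu": None}
        elif current is None:
            continue
        elif line.startswith("tagged "):
            tagged.add(line[len("tagged "):])
        elif line.startswith("ip mtu "):
            stanzas[current]["ip mtu"] = int(line.split()[2])
        elif line.startswith("mtu "):
            stanzas[current]["mtu"] = int(line.split()[1])
    return stanzas, tagged


def check_mtu(config):
    """Return {interface: problem} for every physical interface whose link MTU
    cannot carry its IP MTU plus the L2 header, or whose values are out of range."""
    stanzas, tagged = parse_config(config)
    problems = {}
    for name, values in stanzas.items():
        if name.startswith("Vlan"):
            continue                       # only physical stanzas are checked here
        link = values["mtu"] if values["mtu"] is not None else LINK_MTU_DEFAULT
        ip_mtu = values["ip mtu"]
        if not LINK_MTU_MIN <= link <= LINK_MTU_MAX:
            problems[name] = f"link MTU {link} outside {LINK_MTU_MIN}-{LINK_MTU_MAX}"
        elif ip_mtu is None:
            continue                       # no explicit IP MTU: nothing to compare
        elif ip_mtu > IP_MTU_MAX:
            problems[name] = f"IP MTU {ip_mtu} exceeds maximum {IP_MTU_MAX}"
        else:
            enc = "vlan" if name in tagged else "untagged"
            need = required_link_mtu(ip_mtu, enc)
            if link < need:
                problems[name] = (f"link MTU {link} < {need} needed for IP MTU "
                                  f"{ip_mtu} + {L2_OVERHEAD[enc]}-byte {enc} header")
    return problems


# Constructed running-config excerpt in FTOS style.
SAMPLE_CONFIG = """\
interface GigabitEthernet 1/1
 ip address 10.10.19.1/24
 mtu 1422
 ip mtu 1400
 no shutdown
!
interface GigabitEthernet 1/2
 mtu 9216
 ip mtu 9234
 no shutdown
!
interface GigabitEthernet 1/3
 mtu 1500
 ip mtu 1500
 no shutdown
!
interface Vlan 100
 ip address 1.1.0.1/24
 tagged GigabitEthernet 1/1
 tagged GigabitEthernet 1/2
 no shutdown
"""

if __name__ == "__main__":
    for iface, problem in check_mtu(SAMPLE_CONFIG).items():
        print(f"{iface}: {problem}")
```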
Port-pipes
A port pipe is a Dell Force10 specific term for the hardware path that packets follow through a system. Port pipes travel through a collection of circuits (ASICs) built into line cards and RPMs on which various processing events for the packets occur. One or two port pipes process traffic for a given set of physical interfaces, or port-set. The E300 supports only one port pipe per slot.
Auto-Negotiation on Ethernet Interfaces
Setting speed and duplex mode of Ethernet Interfaces
By default, auto-negotiation of speed and duplex mode is enabled on 10/100/1000 Base-T Ethernet interfaces. Only 10GE interfaces do not support auto-negotiation. When using 10GE interfaces, verify that the connecting devices are set to no auto-negotiation.
Note: Starting with FTOS 7.8.1.
• L2ACL
• L2FIB
For the remaining applications, FTOS automatically turns on counting when the application is enabled and turns it off when the application is disabled. Note that if more than four counter-dependent applications are enabled on a port pipe, line rate performance is affected.
Clear interface counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters captured by any SNMP program. To clear the counters, use the following command in EXEC Privilege mode:
Command Syntax: clear counters [interface] [vrrp [vrid] | learning-limit]
Command Mode: EXEC Privilege
Purpose: Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or selected ones.
18 IPv4 Routing
IPv4 Routing is supported on platforms: e c s z
FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS.
• IP Addresses
• Directed Broadcast
• Resolution of Host Names
• ARP
• ICMP
• UDP Helper
Table 18-1 lists the defaults for the IP addressing features described in this chapter.
Table 18-1.
At its most basic level, an IP address is 32 bits composed of network and host portions and represented in dotted decimal format. For example, 00001010110101100101011110000011 is represented as 10.214.87.131. For more information on IP addressing, refer to RFC 791, Internet Protocol.

Implementation Information
In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces.
Note: FTOS versions 7.7.1.
To assign an IP address to an interface, use these commands in the following sequence, starting in CONFIGURATION mode:
Step 1
Command Syntax: interface interface
Command Mode: CONFIGURATION
Purpose: Enter the keyword interface followed by the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For a Loopback interface, enter the keyword loopback followed by a number from 0 to 16383.
Figure 18-2. show ip interface Command Example
FTOS#show ip int gi 0/8
GigabitEthernet 0/8 is up, line protocol is up
Internet address is 10.69.8.1/24
Broadcast address is 10.69.8.
Figure 18-3. show ip route static Command Example (partial)
FTOS#show ip route static
Destination       Gateway
-----------       -------
S 2.1.2.0/24      Direct, Nu 0
S 6.1.2.0/24      via 6.1.20.2,
S 6.1.2.2/32      via 6.1.20.2,
S 6.1.2.3/32      via 6.1.20.2,
S 6.1.2.4/32      via 6.1.20.2,
S 6.1.2.5/32      via 6.1.20.2,
S 6.1.2.6/32      via 6.1.20.2,
S 6.1.2.7/32      via 6.1.20.2,
S 6.1.2.8/32      via 6.1.20.2,
S 6.1.2.9/32      via 6.1.20.2,
S 6.1.2.10/32     via 6.1.20.2,
S 6.1.2.11/32     via 6.1.20.2,
S 6.1.2.12/32     via 6.1.20.2,
S 6.1.2.13/32     via 6.1.20.2,
S 6.1.2.
To view the configured static routes for the management port, use the show ip management-route command in EXEC Privilege mode.
Figure 18-4. show ip management-route Command Example
FTOS>show ip management-route
Destination       Gateway                   State
-----------       -------                   -----
1.1.1.0/24        172.31.1.250              Active
172.16.1.0/24     172.31.1.250              Active
172.31.1.0/24     ManagementEthernet 1/0    Connected
FTOS>

Directed Broadcast
By default, FTOS drops directed broadcast packets destined for an interface.
Command Syntax: ip domain-lookup
Command Mode: CONFIGURATION
Purpose: Enable dynamic resolution of host names.
Command Syntax: ip name-server ip-address [ip-address2 ... ip-address6]
Command Mode: CONFIGURATION
Purpose: Specify up to 6 name servers. The order in which you enter the servers determines the order of their use.
To view current bindings, use the show hosts command.
Figure 18-5. show hosts Command Example
FTOS>show host
Default domain is force10networks.
Command Syntax: ip domain-list name
Command Mode: CONFIGURATION
Purpose: Enter up to 63 characters to configure names to complete unqualified host names. Configure this command up to 6 times to specify a list of possible domain names. FTOS searches the domain names in the order they were configured until a match is found or the list is exhausted.

DNS with traceroute
To configure your switch to perform DNS with traceroute, follow the steps below in CONFIGURATION mode.
ARP
FTOS uses two forms of address resolution: ARP and Proxy ARP. Address Resolution Protocol (ARP) runs over Ethernet and enables end stations to learn the MAC addresses of neighbors on an IP network. Over time, FTOS creates a forwarding table mapping MAC addresses to their corresponding IP addresses. This table is called the ARP cache, and dynamically learned addresses are removed from it after a defined period of time. For more information on ARP, see RFC 826, An Ethernet Address Resolution Protocol.
Command Syntax: arp ip-address mac-address interface
Command Mode: CONFIGURATION
Purpose: Configure an IP address and MAC address mapping for an interface.
• ip-address: IP address in dotted decimal format (A.B.C.D).
• mac-address: MAC address in nnnn.nnnn.nnnn format
• interface: enter the interface type and slot/port information.
These entries do not age and can only be removed manually. To remove a static ARP entry, use the no arp ip-address command syntax.
Command Syntax: clear arp-cache [interface | ip ip-address] [no-refresh]
Command Mode: EXEC Privilege
Purpose: Clear the ARP caches for all interfaces or for a specific interface by entering the following information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For a port channel interface, enter the keyword port-channel followed by a number from 1 to 255 for TeraScale and ExaScale.
Beginning with version 8.3.1.0, when a Gratuitous ARP is received, FTOS installs an ARP entry on all 3 CPUs.
Task: Enable ARP learning via gratuitous ARP.
Command Syntax: arp learn-enable
Command Mode: CONFIGURATION

ARP Learning via ARP Request
In FTOS versions prior to 8.3.1.0, FTOS learns via ARP Requests only if the Target IP specified in the packet matches the IP address of the receiving router interface.
Configurable ARP Retries
In FTOS versions prior to 8.3.1.0, the number of ARP retries is set to 5 and is not configurable. After 5 retries, FTOS backs off for 20 seconds before it sends a new request. Beginning with FTOS version 8.3.1.0, the number of ARP retries is configurable. The default backoff interval remains 20 seconds. On the S4810 platform, with FTOS version 8.3.8.0 and later, the time between ARP resends is configurable. This timer is an exponential backoff timer.
To re-enable the creation of ICMP unreachable messages on the interface, use the following command in INTERFACE mode:
Command Syntax: ip unreachable
Command Mode: INTERFACE
Purpose: Set FTOS to create and send ICMP unreachable messages on the interface.
To check whether ICMP unreachable messages are sent on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled.
2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. See Configuring a Broadcast Address on page 391.

Important Points to Remember about UDP Helper
• The existing command ip directed broadcast is rendered meaningless if UDP helper is enabled on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when UDP helper is enabled.
• You may specify a maximum of 16 UDP ports.
Figure 18-12. Configuring a Broadcast Address
FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255
FTOS(conf-if-vl-100)#show config
!
interface Vlan 100
 ip address 1.1.0.1/24
 ip udp-broadcast-address 1.1.255.255
 untagged GigabitEthernet 1/2
 no shutdown
View the configured broadcast address for an interface using the command show interfaces, as shown in Figure 18-13.
Figure 18-13.
2. If UDP helper (using the command ip udp-helper udp-port) is enabled, and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If an IP broadcast address is not configured (using the command ip udp-broadcast-address) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
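The forwarding decision in step 2 above, together with the limits listed under Important Points (at most 16 helper ports, broadcast rate not above 200 packets per second), as an added Python model that is not FTOS code. Which egress interfaces a helper-enabled ingress interface forwards to is a configuration assumption made for the example, the sample port and addresses are constructed, and the debug line is formatted after the debug ip udp-helper output shown on this page.

```python
"""Model of the UDP helper forwarding decision the page describes: a UDP
broadcast (IP DA 255.255.255.255) arriving on an interface with ip udp-helper
udp-port configured for its destination port is re-addressed to each egress
VLAN's ip udp-broadcast-address (or left as 255.255.255.255 where none is
configured) and routed there.  Also enforces the limits the page lists: at
most 16 helper ports per interface and a 200 packets/second broadcast rate.
Constructed Python model, not FTOS code; the egress interface list per ingress
interface is an assumption made for the example."""
from collections import defaultdict

LIMITED_BROADCAST = "255.255.255.255"


class UdpHelper:
    MAX_PORTS = 16           # page: "a maximum of 16 UDP ports"
    MAX_BROADCAST_PPS = 200  # page: rate should not exceed 200 packets/second

    def __init__(self):
        self.helper_ports = defaultdict(set)   # ingress -> {udp ports}
        self.broadcast_addr = {}               # egress -> ip udp-broadcast-address
        self.egress = defaultdict(list)        # ingress -> [egress ...] (assumed)
        self._pps = defaultdict(int)           # (ingress, second) -> packet count

    def udp_helper_port(self, ingress, port):
        """ip udp-helper udp-port <port> on the ingress interface."""
        ports = self.helper_ports[ingress]
        if port not in ports and len(ports) >= self.MAX_PORTS:
            raise ValueError(f"{ingress}: at most {self.MAX_PORTS} helper ports")
        ports.add(port)

    def udp_broadcast_address(self, egress, addr):
        """ip udp-broadcast-address <addr> on the egress interface."""
        self.broadcast_addr[egress] = addr

    def forward_to(self, ingress, *egress):
        """Assumed configuration: where helper traffic from ingress is routed."""
        self.egress[ingress].extend(egress)

    def forward(self, ingress, pkt, now):
        """Return [(egress, dst)] for one packet; [] means normal handling.
        pkt = {"dst": str, "dport": int}; now = integer seconds."""
        if pkt["dst"] != LIMITED_BROADCAST:
            return []                 # not a UDP broadcast: route normally
        if pkt["dport"] not in self.helper_ports[ingress]:
            return []                 # port not configured: default broadcast handling
        self._pps[(ingress, now)] += 1
        if self._pps[(ingress, now)] > self.MAX_BROADCAST_PPS:
            return []                 # above the documented ceiling: treated as excess
        return [(out, self.broadcast_addr.get(out, LIMITED_BROADCAST))
                for out in self.egress[ingress]]

    @staticmethod
    def debug_line(ingress, outs, t="00:00:00"):
        """Format the decision like the debug ip udp-helper output on the page."""
        return (f"{t}: Pkt rcvd on {ingress} with IP DA (0xffffffff) will be sent on "
                + " ".join(outs))


if __name__ == "__main__":
    # Constructed setup matching the page's figures: VLAN 100 has a broadcast
    # address configured, VLAN 101 does not, helper port 137 (NetBIOS name).
    helper = UdpHelper()
    helper.forward_to("Gi 5/0", "Vlan 100", "Vlan 101")
    helper.udp_helper_port("Gi 5/0", 137)
    helper.udp_broadcast_address("Vlan 100", "1.1.255.255")
    decision = helper.forward("Gi 5/0", {"dst": LIMITED_BROADCAST, "dport": 137}, 0)
    print(decision)
    print(UdpHelper.debug_line("Gi 5/0", [out for out, _ in decision], "01:20:22"))
```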
Troubleshooting UDP Helper
Display debugging information using the command debug ip udp-helper, as shown in Figure 18-17.
Figure 18-17. Debugging UDP Broadcast
FTOS(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on Gi 5/0 with IP DA (0xffffffff) will be sent on Gi 5/1 Gi 5/2 Vlan 3
01:44:54: Pkt rcvd on Gi 7/0 is handed over for DHCP processing.
Use the command debug ip dhcp when using the IP helper and UDP helper on the same interface, as shown in Figure 18-18.
Figure 18-18.
19 IPv6 Routing
IPv6 Routing is supported on platforms: e c s z
Note: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. See Table 19-2 to determine the FTOS version supporting which features and platforms.
IPv6 (Internet Protocol Version 6) is the successor to IPv4. Due to the extremely rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
• Stateless Autoconfiguration
• Header Format Simplification
• Improved Support for Options and Extensions

Extended Address Space
The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing.
• Traffic Class (8 bits)
• Flow Label (20 bits)
• Payload Length (16 bits)
• Next Header (8 bits)
• Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 provides for Extension Headers. Extension Headers are used only if necessary. There can be no extension headers, one extension header, or more than one extension header in an IPv6 packet. Extension Headers are identified by the Next Header field of the preceding IPv6 header.
Flow Label (20 bits)
The Flow Label field identifies packets requiring special treatment in order to manage real-time data traffic. The sending router can label sequences of IPv6 packets so that forwarding routers can process packets within the same flow without needing to reprocess each packet's header separately.
Note: All packets in the flow must have the same source and destination addresses.
Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing. In IPv4, this is known as the Time to Live (TTL) field and uses seconds rather than hops. Each time the packet moves through a forwarding router, this field decrements by 1. If a router receives a packet with a Hop Limit of 1, it decrements it to 0 (zero). The router discards the packet and sends an ICMPv6 message back to the sending router indicating that the Hop Limit was exceeded in transit.
The Hop-by-Hop Options header contains:
• Next Header (1 byte): This field identifies the type of header following the Hop-by-Hop Options header and uses the same values shown in Table 19-1.
• Header Extension Length (1 byte): This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero).
• 2001:0db8::1428:57ab
• 2001:db8::1428:57ab
IPv6 networks are written using Classless Inter-Domain Routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses whose size must be a power of two; the initial bits of the addresses, which are identical for all hosts in the network, are called the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated by a slash.
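The two address forms above and the CIDR prefix definition, worked through as an added Python example that is not FTOS code: the expansion and compression rules (eight 16-bit groups, leading zeros dropped, one run of zero groups collapsed to "::") are written out by hand rather than taken from a library so that each rule is visible, and prefix membership is the page's definition that the leading prefix-length bits are identical. The sample addresses other than the two on the page are constructed.

```python
"""IPv6 textual notation as the page describes it: eight groups of four hex
digits separated by colons, leading zeros within a group may be dropped, and
one run of all-zero groups may be collapsed to '::'.  Written out here to show
the rules rather than calling the standard library; CIDR prefix membership
follows the page's definition (the leading prefix-length bits are identical).
Constructed example, not FTOS code."""


def expand_ipv6(text):
    """Return the 8 group values of an IPv6 address given in any valid form."""
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - (len(left) + len(right))
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = left + ["0"] * missing + right
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an IPv6 address has 8 groups")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))     # raises ValueError on non-hex characters
    return values


def full_form(text):
    """Eight groups of four hex digits each, nothing omitted."""
    return ":".join(f"{v:04x}" for v in expand_ipv6(text))


def compress_ipv6(text):
    """Short form: drop leading zeros and collapse the longest run of zero
    groups (at least two groups long, the first run on ties) to '::'."""
    values = expand_ipv6(text)
    best_start, best_len, run_start = -1, 0, None
    for i, v in enumerate(values + [-1]):          # sentinel closes a trailing run
        if v == 0 and run_start is None:
            run_start = i
        elif v != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexgroups = [f"{v:x}" for v in values]
    if best_len < 2:
        return ":".join(hexgroups)
    left = ":".join(hexgroups[:best_start])
    right = ":".join(hexgroups[best_start + best_len:])
    return f"{left}::{right}"


def in_prefix(addr, cidr):
    """True if addr lies in the network written as prefix/length: the first
    `length` bits of both addresses are identical."""
    net_text, length = cidr.split("/")
    length = int(length)
    if not 0 <= length <= 128:
        raise ValueError("prefix length must be 0-128")

    def to_int(groups):
        return int("".join(f"{v:04x}" for v in groups), 16)

    mask = ((1 << 128) - 1) ^ ((1 << (128 - length)) - 1)
    return to_int(expand_ipv6(addr)) & mask == to_int(expand_ipv6(net_text)) & mask


if __name__ == "__main__":
    for a in ("2001:0db8::1428:57ab", "2001:db8::1428:57ab"):   # forms from the page
        print(a, "->", full_form(a), "->", compress_ipv6(a))
    print(in_prefix("2001:db8::1428:57ab", "2001:db8::/32"))    # True
```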
Table 19-2 lists the FTOS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about each feature. Specific platform support for each feature or functionality is designated by the c e s z symbols.
Table 19-2.
Table 19-2. FTOS and IPv6 Feature Support (continued)
(columns: feature | FTOS version per platform | documentation reference)
IS-IS for IPv6 support for redistribution | N/A | N/A | N/A | N/A | 8.3.10 | 8.3.11 | Intermediate System to Intermediate System in the FTOS Configuration Guide; IPv6 IS-IS in the FTOS Command Line Interface Reference Guide
ISIS for IPv6 support for distribute lists and administrative distance | N/A | N/A | N/A | N/A | 8.3.10 | 8.3.
PIM-SSM for IPv6 | 7.5.1 | 8.2.1 | 8.4.2 | 8.4.2 | N/A | N/A | IPv6 Multicast in this chapter; IPv6 PIM in the FTOS Command Line Interface Reference Guide
MLDv1/v2 | 7.4.1 | 8.2.1 | 8.4.2 | 8.4.2 | N/A | N/A | IPv6 Multicast in this chapter; Multicast IPv6 in the FTOS Command Line Interface Reference Guide
MLDv1 Snooping | 7.4.1 | 8.2.1 | 8.4.2 | 8.4.
Path MTU Discovery
IPv6 MTU Discovery is supported on platforms: c e s z
Path MTU (Maximum Transmission Unit) defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
Neighbor Discovery Protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In lieu of ARP, NDP uses "Neighbor Solicitation" and "Neighbor Advertisement" ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
QoS for IPv6
IPv6 QoS is supported on platform: e
FTOS IPv6 supports quality of service based on the DSCP field. You can configure FTOS to honor the DSCP value on incoming routed traffic and forward the packets with the same value.

IPv6 Multicast
IPv6 Multicast is supported on platforms: e
FTOS supports the following protocols to implement IPv6 multicast routing:
• Multicast Listener Discovery Protocol (MLD).
Save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system for the new settings to take effect.
Command Syntax: cam-acl { ipv6acl }
Command Mode: CONFIGURATION
Purpose: Allocate space for IPv6 ACLs. Enter the CAM profile name followed by the amount to be allotted. When not selecting the default option, you must enter all of the profiles listed and a range for each. The total space allocated must equal 13.
Assign a Static IPv6 Route
IPv6 Static Routes are supported on platforms: c e s z
Use the ipv6 route command to configure IPv6 static routes.
Note: After you configure a static IPv6 route (ipv6 route command) and configure the forwarding router's address (specified in the ipv6 route command) on a neighbor's interface, the IPv6 neighbor is not displayed in the show ipv6 route command output.
Telnet with IPv6
IPv6 Telnet is supported on platforms: c e s z
The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or an IPv6 Telnet connection can be initiated from the router.
Note: Telnet to link-local addresses is not supported.
Command Syntax: telnet ipv6 address
Command Mode: EXEC or EXEC Privilege
Purpose: Enter the IPv6 address of the device.
Show IPv6 Information
All of the following show commands are supported on platforms: c e s z
View specific IPv6 configuration with the following commands.
Show an IPv6 Interface
View the IPv6 configuration for a specific interface with the following command.
Command Syntax: show ipv6 interface type {slot/
Command Mode: EXEC
Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information:
• For a brief summary of IPv6 status and configuration, enter the keyword brief.
Figure 19-6.
Figure 19-7 illustrates the show ipv6 route command output. Figure 19-7.
Show the Running-Configuration for an Interface
View the configuration for any interface with the following command.
Command Syntax: show running-config interface type {slot/port}. Command Mode: EXEC. Purpose: Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information:
• For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing earlier in this chapter.
20 Intermediate System to Intermediate System
Intermediate System to Intermediate System (IS-IS) is supported on platforms e z. IS-IS is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. It is supported on the with FTOS 8.3.10.0. It is supported on the Z9000 platform with FTOS 9.0.0.0.
Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
systems manage destination paths for external routers. Only Level 2 routers can exchange data packets or routing information directly with external routers located outside of the routing domains. Level 1-2 systems manage both inter-area and intra-area traffic by maintaining two separate link databases; one for Level 1 routes and one for Level 2 routes. A Level 1-2 router does not advertise Level 2 routes to a Level 1 router.
Multi-Topology IS-IS FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. E-Series ExaScale platform ex supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. S-Series platform supports Multi-Topology IS-IS with FTOS 8.3.10.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
Interface support
MT IS-IS is supported on physical Ethernet interfaces, physical SONET interfaces, port-channel interfaces (static and dynamic using LACP), and VLAN interfaces.
Adjacencies
Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement Multi-Topology (MT) extensions. If a local router does not participate in certain MTs, it will not advertise those MT IDs in its IIHs and so will not include that neighbor within its LSPs.
• The T1 timer specifies the wait time before unacknowledged restart requests are generated. This is the interval from the moment the system sends a Restart Request (an IIH with the RR bit set in the Restart TLV) until the CSNP is received from the helping router. The duration can be set to a specific amount of time (seconds) or a number of attempts.
• The T2 timer is the maximum time that the system will wait for LSP database synchronization. This timer applies to the database type (level-1, level-2, or both).
Table 20-1 displays the default values for IS-IS. Table 20-1.
• Set the overload bit on page 443
• Debug IS-IS on page 444
Enable IS-IS
By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are the same IS type.
Step 3. Task: Enter the interface configuration mode. Command Syntax: interface interface. Command Mode: CONFIGURATION. Enter the keyword interface followed by the type of interface and slot/port information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
• For the Loopback interface on the RPM, enter the keyword loopback followed by a number from 0 to 16383.
Figure 20-2. Command Example: show isis protocol
FTOS#show isis protocol
IS-IS Router:
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es):
47.0004.004d.0001
Routing for area address(es):
21.2223.2425.2627.2829.3031.3233
47.0004.004d.
Configure Multi-Topology IS-IS (MT IS-IS)
Step 1. Task: Enable Multi-Topology IS-IS for IPv6. Enter the transition keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode. After every router has been configured with the transition keyword, and all the routers are in MT IS-IS IPv6 mode, users can remove the transition keyword on each router.
Command Syntax: graceful-restart restart-wait seconds. Command Mode: ROUTER-ISIS. Purpose: Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the t3 timer to adjacency on the restarting router when implementing this command.
Use the show isis graceful-restart detail command in EXEC Privilege mode to view all Graceful Restart related configuration. Figure 20-4.
Figure 20-5. Command Example: show isis interface
FTOS#show isis interface G1/34
GigabitEthernet 2/10 is up, line protocol is up
MTU 1497, Encapsulation SAP
Routing Protocol: IS-IS
Circuit Type: Level-1-2
Interface Index 0x62cc03a, Local circuit ID 1
Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01
Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10
Number of active level-1 adjacencies: 1
Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
Figure 20-6. Command Example: show running-config isis
FTOS#show running-config isis
!
router isis
 lsp-refresh-interval 902
 net 47.0005.0001.000C.000A.4321.00
 net 51.0005.0001.000C.000A.4321.00
FTOS#
Configure IS-IS metric style and cost
All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations. The possible cost varies depending on the metric style supported.
Figure 20-7. Command Example: show isis protocol
FTOS#show isis protocol
IS-IS Router:
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es):
47.0004.004d.0001
Routing for area address(es):
21.2223.2425.2627.2829.3031.3233
47.0004.004d.
Table 20-3. Correct Value Range for the isis metric command Metric Style Correct Value Range narrow transition 0 to 63 transition 0 to 63 Configuring the distance of a route Configure the distance for a route using the distance command from ROUTER ISIS mode.
Figure 20-8. Command Example: show isis database
FTOS#show isis database
IS-IS Level-1 Link State Database
LSPID            LSP Seq Num
B233.00-00       0x00000003
eljefe.00-00   * 0x00000009
eljefe.01-00   * 0x00000001
eljefe.02-00   * 0x00000001
Force10.00-00    0x00000002
IS-IS Level-2 Link State Database
LSPID            LSP Seq Num
B233.00-00       0x00000006
eljefe.00-00   * 0x0000000D
eljefe.01-00   * 0x00000001
eljefe.02-00   * 0x00000001
Force10.
Configure the prefix list in the PREFIX LIST mode prior to assigning it to the IS-IS process. For configuration information on prefix lists, see Chapter 6, Access Control Lists (ACLs). IPv4 routes Use the following commands in ROUTER ISIS mode to apply prefix lists to incoming or outgoing IPv4 routes. Note: These commands apply to IPv4 IS-IS only.
IPv6 routes
Use these commands in ADDRESS-FAMILY IPV6 mode to apply prefix lists to incoming or outgoing IPv6 routes.
Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes.
Command Syntax: distribute-list prefix-list-name in [interface]. Command Mode: ROUTER ISIS-AF IPV6. Purpose: Apply a configured prefix list to all incoming IPv6 IS-IS routes.
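What a distribute-list actually does to the routes passing through it is easier to see in code than in the command table. The following Python model is an added example, not FTOS code: it implements the prefix-list matching rules that FTOS shares with other IOS-style prefix lists (the route must lie inside the entry's prefix, the length must match exactly unless ge or le widens the range, the lowest matching sequence number wins, and an unmatched route is denied). The list entries ISIS_IN and ISIS_IN6 and the candidate routes are constructed for the example.

```python
"""Added example (not FTOS code): prefix-list evaluation as used by
distribute-list. Entries and candidate routes below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str            # "permit" or "deny"
    prefix: Network
    ge: Optional[int] = None   # minimum prefix length accepted
    le: Optional[int] = None   # maximum prefix length accepted


def entry_matches(entry: PrefixEntry, route: Network) -> bool:
    """One prefix-list line against one route."""
    if route.version != entry.prefix.version:
        return False
    if not route.subnet_of(entry.prefix):
        return False                      # route must lie inside the entry prefix
    if entry.ge is None and entry.le is None:
        return route.prefixlen == entry.prefix.prefixlen   # exact length only
    low = entry.ge if entry.ge is not None else entry.prefix.prefixlen
    high = entry.le if entry.le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high


def permitted(prefix_list: List[PrefixEntry], route: Network) -> bool:
    """First matching sequence number decides; no match means deny."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry_matches(entry, route):
            return entry.action == "permit"
    return False      # implicit deny at the end of every prefix list


def apply_distribute_list(prefix_list: List[PrefixEntry], routes: List[Network]) -> List[Network]:
    """Routes that survive 'distribute-list <name> in'."""
    return [r for r in routes if permitted(prefix_list, r)]


def net(text: str) -> Network:
    return ipaddress.ip_network(text)


# Constructed IPv4 list: refuse a default route, accept the 10.10/16
# aggregate and its subnets down to /24, deny everything else implicitly.
ISIS_IN = [
    PrefixEntry(5, "deny", net("0.0.0.0/0")),
    PrefixEntry(10, "permit", net("10.10.0.0/16"), le=24),
]

# Constructed IPv6 list for the ADDRESS-FAMILY IPV6 counterpart.
ISIS_IN6 = [
    PrefixEntry(10, "permit", net("2001:db8::/32"), le=64),
]

CANDIDATES = [net(s) for s in (
    "0.0.0.0/0", "10.10.0.0/16", "10.10.1.0/24", "10.10.1.0/25", "192.168.1.0/24")]


if __name__ == "__main__":
    for r in CANDIDATES:
        print(r, "permit" if permitted(ISIS_IN, r) else "deny")
```

Note that the 192.168.1.0/24 route is inside 0.0.0.0/0 but is not caught by sequence 5, because an entry without ge or le matches only its own length; it falls through to the implicit deny instead. Routes of the other address family never match an entry, which mirrors the separate IPv4 and IPv6 prefix lists FTOS applies in ROUTER ISIS and ADDRESS-FAMILY IPV6 mode.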
Redistribute routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process.
Note: Do not redistribute iBGP routes into IS-IS unless a route-map is attached to the IS-IS redistribution to limit what is injected.
IPv4 routes
Use any of the following commands in ROUTER ISIS mode to add routes from other routing instances or protocols.
IPv6 routes
Use any of these commands in ROUTER ISIS ADDRESS-FAMILY IPV6 mode to add routes from other routing instances or protocols.
Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes.
Use either or both of the following commands in ROUTER ISIS mode to configure an IS-IS authentication password.
Command Syntax: area-password [hmac-md5] password. Command Mode: ROUTER ISIS. Purpose: Configure the authentication password for an area. FTOS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs.
Command Syntax: domain-password [encryption-type | hmac-md5] password. Command Mode: ROUTER ISIS. Purpose: Set the authentication password for a routing domain.
Without the hmac-md5 keyword the password travels as simple text inside the IS-IS PDUs, so anyone who can capture one packet on a link can read it and then inject their own LSPs. With hmac-md5 the PDUs carry a keyed digest instead of the password itself, and a PDU whose digest does not verify is discarded.
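The difference between the two authentication types above is concrete enough to show in code. The following Python is an added example, not FTOS code: it builds the IS-IS Authentication TLV (type 10) in its cleartext form (authentication type 1) and its HMAC-MD5 form (authentication type 54, as specified in RFC 5304), computes the digest over a PDU with the digest field zeroed, and verifies that a modified PDU or a wrong key is rejected. FAKE_HEADER and AREA_TLV are a constructed stand-in for an IS-IS PDU, not a faithful LSP; the key value is also constructed.

```python
"""Added example (not FTOS code): build and verify the IS-IS Authentication
TLV (type 10) in cleartext form (auth type 1) and HMAC-MD5 form (auth type
54, RFC 5304) over a constructed stand-in for an IS-IS PDU."""
import hashlib
import hmac

AUTH_TLV_TYPE = 10
AUTH_CLEARTEXT = 1    # simple password: the key itself is on the wire
AUTH_HMAC_MD5 = 54    # keyed digest: the key never leaves the router
DIGEST_LEN = 16

# Constructed stand-in for an IS-IS fixed header plus an Area Address TLV
# (type 1, area 47.0004). It only shows where the auth TLV sits. A real LSP
# also needs its checksum and remaining-lifetime fields zeroed before the
# digest is computed (RFC 5304), which this fake header does not model.
FAKE_HEADER = bytes.fromhex("831b0100120100")
AREA_TLV = bytes([1, 4, 0x03, 0x47, 0x00, 0x04])


def cleartext_auth_tlv(password: bytes) -> bytes:
    """Type 1 authentication: the password is copied verbatim into the PDU."""
    body = bytes([AUTH_CLEARTEXT]) + password
    return bytes([AUTH_TLV_TYPE, len(body)]) + body


def find_auth_tlv(pdu: bytes, tlv_start: int) -> int:
    """Walk the TLV area; return the auth TLV offset or -1 if absent/truncated."""
    off = tlv_start
    while off + 2 <= len(pdu):
        tlv_type, tlv_len = pdu[off], pdu[off + 1]
        if off + 2 + tlv_len > len(pdu):
            return -1                       # length runs past the PDU
        if tlv_type == AUTH_TLV_TYPE:
            return off
        off += 2 + tlv_len
    return -1


def sign_pdu(header: bytes, tlvs: bytes, key: bytes) -> bytes:
    """Append an HMAC-MD5 auth TLV and fill in the digest."""
    placeholder = bytes([AUTH_TLV_TYPE, 1 + DIGEST_LEN, AUTH_HMAC_MD5]) + bytes(DIGEST_LEN)
    pdu = header + tlvs + placeholder
    off = len(header) + len(tlvs)
    # The digest covers the whole PDU while the digest field is still zero.
    digest = hmac.new(key, pdu, hashlib.md5).digest()
    return pdu[: off + 3] + digest + pdu[off + 3 + DIGEST_LEN:]


def verify_pdu(pdu: bytes, tlv_start: int, key: bytes) -> bool:
    """Recompute the digest with the received digest zeroed and compare."""
    off = find_auth_tlv(pdu, tlv_start)
    if off < 0 or pdu[off + 1] != 1 + DIGEST_LEN or pdu[off + 2] != AUTH_HMAC_MD5:
        return False                        # missing, malformed, or not HMAC-MD5
    received = pdu[off + 3: off + 3 + DIGEST_LEN]
    zeroed = pdu[: off + 3] + bytes(DIGEST_LEN) + pdu[off + 3 + DIGEST_LEN:]
    expected = hmac.new(key, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(received, expected)   # constant-time compare


def demo() -> dict:
    key = b"area-secret"                    # constructed key
    signed = sign_pdu(FAKE_HEADER, AREA_TLV, key)
    tampered = bytearray(signed)
    tampered[len(FAKE_HEADER) + 3] ^= 0x01  # flip one bit of the area address
    return {
        "good": verify_pdu(signed, len(FAKE_HEADER), key),
        "tampered": verify_pdu(bytes(tampered), len(FAKE_HEADER), key),
        "wrong_key": verify_pdu(signed, len(FAKE_HEADER), b"other"),
        "cleartext_exposes_key": key in cleartext_auth_tlv(key),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry of demo() is the point of the hmac-md5 keyword: with type 1 authentication the TLV contains the password bytes themselves, so a capture of any single PDU yields the key; with type 54 the PDU carries only a digest, and neither the tampered PDU nor the wrong key verifies.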
Figure 20-9. Command Example: show isis database
FTOS#show isis database
IS-IS Level-1 Link State Database
LSPID            LSP Seq Num
B233.00-00       0x00000003
eljefe.00-00   * 0x0000000A
eljefe.01-00   * 0x00000001
eljefe.02-00   * 0x00000001
Force10.00-00    0x00000002
IS-IS Level-2 Link State Database
LSPID            LSP Seq Num
B233.00-00       0x00000006
eljefe.00-00   * 0x0000000E
eljefe.01-00   * 0x00000001
eljefe.02-00   * 0x00000001
Force10.
Command Syntax Command Mode Purpose debug isis update-packets [interface] EXEC Privilege View sent and received LSPs. To view specific information, enter one of the following optional parameters: • interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. FTOS displays debug messages on the console. Use the show debugging command in EXEC Privilege mode to view which debugging commands are enabled.
For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. Table 20-4.
Table 20-5.
Leaking from One Level to Another
In the following scenarios, each IS-IS level is configured with a different metric style. Table 20-7.
Sample Configuration
The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you some guidance with typical configurations.
Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing are being used.
You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc.
Figure 20-10. IS-IS Sample Configuration - Congruent Topology
FTOS(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ip address 24.3.1.1/24
 ipv6 address 24:3::1/76
 ip router isis
 ipv6 router isis
 no shutdown
FTOS(conf-if-te-3/17)#
FTOS(conf-router_isis)#show config
!
router isis
 metric-style wide level-1
 metric-style wide level-2
 net 34.0000.0000.AAAA.00
FTOS(conf-router_isis)#
Figure 20-11.
Figure 20-13.
21 Link Aggregation Control Protocol (LACP)
Link Aggregation Control Protocol (LACP) is supported on platforms: ecsz
The major sections in the chapter are:
• Introduction to Dynamic LAGs and LACP on page 453
• LACP Configuration Tasks on page 455
• Shared LAG State Tracking on page 458
• Configure LACP as Hitless on page 460
• LACP Basic Configuration Example on page 461
Introduction to Dynamic LAGs and LACP
A Link Aggregation Group (LAG), referred to as a port channel by FTOS, can provide both load-sha
Important Points to Remember
• LACP enables you to add members to a port channel (LAG) as long as it has no static members. Conversely, if the LAG already contains a statically defined member (channel-member command), the port-channel mode command is not permitted.
• A static LAG cannot be created if a dynamic LAG using the selected number already exists.
LACP Configuration Commands
If aggregated ports are configured with compatible LACP modes (Off, Active, Passive), LACP can automatically link them, as defined in IEEE 802.3, Section 43. The following commands configure LACP:
Command Syntax: [no] lacp system-priority priority-value. Command Mode: CONFIGURATION. Purpose: Configure the system priority.
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG (Figure 21-2):
Figure 21-2. Placing a LAG into a Non-default VLAN
FTOS(conf)#interface vlan 10
FTOS(conf-if-vl-10)#tagged port-channel 32
Configure the LAG interfaces as dynamic
After creating a LAG, configure the dynamic LAG interfaces. Figure 21-3 shows ports 3/15, 3/16, 4/15, and 4/16 added to LAG 32 in LACP mode with the command port-channel-protocol lacp.
To configure the LACP long timeout (Figure 21-4):
Step 1. Task: Set the LACP timeout value to 30 seconds. Command Syntax: lacp long-timeout. Command Mode: CONFIG-INT-PO.
Figure 21-4. Invoking the LACP Long Timeout
FTOS(conf)# interface port-channel 32
FTOS(conf-if-po-32)#no shutdown
FTOS(conf-if-po-32)#switchport
FTOS(conf-if-po-32)#lacp long-timeout
FTOS(conf-if-po-32)#end
FTOS# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e800.
Shared LAG State Tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. In Figure 21-5, line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2, as shown. Traffic is equally distributed between LAGs 1 and 2. If LAG 1 fails, all traffic from R1 to R4 flows across LAG 2 only.
In Figure 21-6, LAGs 1 and 2 have been placed into the same failover group.
Figure 21-6. Configuring Shared LAG State Tracking
R2#config
R2(conf)#port-channel failover-group
R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2
View the failover group configuration using the show running-configuration po-failover-group command, as shown in Figure 21-7. Figure 21-7.
Figure 21-9.
Figure 21-10. Enabling Hitless LACP
FTOS(conf)#redundancy protocol lacp
FTOS#show running-config redundancy
!
redundancy protocol lacp
FTOS#
FTOS#show running-config interface gigabitethernet 0/12
!
interface GigabitEthernet 0/12
 no ip address
!
 port-channel-protocol LACP
  port-channel 200 mode active
 no shutdown
LACP Basic Configuration Example
The screenshots in this section are based on the example topology shown in Figure 21-11.
Configuring a LAG on ALPHA
Figure 21-12. Creating a LAG on ALPHA
Alpha(conf)#interface port-channel 10
Alpha(conf-if-po-10)#no ip address
Alpha(conf-if-po-10)#switchport
Alpha(conf-if-po-10)#no shutdown
Alpha(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Alpha(conf-if-po-10)#
Figure 21-13.
Figure 21-14. Inspecting Configuration of LAG 10 on ALPHA Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Figure 21-15. Using the show lacp Command to Verify LAG 10 Status on ALPHA
Alpha#sho lacp 10
Port-channel 10 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e806.953e
Partner System ID: Priority 32768, Address 0001.e809.
Summary of the configuration on ALPHA Figure 21-16.
Summary of the configuration on BRAVO Figure 21-17.
Figure 21-18. Using the show interface Command to Inspect a LAG Port on BRAVO
Bravo#show int gig 3/21
GigabitEthernet 3/21 is up, line protocol is up
Port is part of Port-channel 10
Hardware is Force10Eth, address is 00:01:e8:09:c3:82
Current address is 00:01:e8:09:c3:82
(Callouts in the figure: the first lines show the status of this interface and that it is part of LAG 10; a later line shows that this is a Layer 2 port.)
Figure 21-19. Using the show interfaces port-channel Command to Inspect LAG 10 Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Figure 21-20. Using the show lacp Command to Inspect LAG Status
FTOS#show lacp 10
Port-channel 10 admin up, oper up, mode lacp
Actor System ID: Priority 32768, Address 0001.e809.c24a
Partner System ID: Priority 32768, Address 0001.e806.
22 Layer 2
Layer 2 features are supported on platforms: ecsz
This chapter describes the following Layer 2 features:
• Managing the MAC Address Table
• MAC Learning Limit
• NIC Teaming
• Microsoft Clustering
• Configuring Redundant Pairs
• Restricting Layer 2 Flooding
Managing the MAC Address Table
FTOS provides the following management activities for the MAC address table:
• Clear the MAC Address Table
• Set the Aging Time for Dynamic Entries
• Configure a Static MAC Address
• Display the MAC Address T
Set the Aging Time for Dynamic Entries
Learned MAC addresses are entered in the table as dynamic entries, which means that they are subject to aging. For any dynamic entry, if no packet arrives on the switch with the MAC address as the source or destination address within the timer period, the address is removed from the table. The default aging time is 1800 seconds.
Task: Disable MAC address aging for all dynamic entries.
Display the MAC Address Table To display the contents of the MAC address table: Task Command Syntax CommandMode Display the contents of the MAC address table. • address displays the specified entry. • aging-time displays the configured aging-time. • count displays the number of dynamic and static entries for all VLANs, and the total number of entries. • dynamic displays only dynamic entries • interface displays only entries for the specified interface. • static displays only static entries.
FTOS Behavior: When configuring MAC Learning Limit on a port or VLAN, the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, a message is displayed:
%E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply access-list Mac-Limit on GigabitEthernet 5/84
In this case, the configuration is still present in the running-config and show output, but it is not enforced in hardware. Check the log after applying a limit rather than trusting the running-config alone.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If sticky MAC is enabled, the specified port will retain any dynamically-learned addresses and prevent them from being transferred or learned on other ports. If mac-learning-limit is configured and sticky MAC is enabled, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
FTOS Behavior: The C-Series and S-Series do not generate a station-move violation log entry for physical interfaces or port-channels when you configure mac learning-limit or when you configure mac learning-limit station-move-violation log.
Station Move Violation Actions
Station Move Violation Actions are supported on platforms: S-Series (S25/S50)
no-station-move is the default behavior (see mac learning-limit no-station-move on page 475). You can configure the system to take an action if a station move occurs using one of the following options with the mac learning-limit command:
Task: Generate a system log message indicating a station move.
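The interaction between the learning limit, sticky addresses, station moves and aging described in the preceding sections is easiest to check against a small model. The Python below is an added example, not FTOS code: it keeps a MAC table with per-port limits, marks addresses learned on a sticky port so that they neither age out nor move, and applies the no-station-move default, the log action and the shutdown action when an address already bound to one port appears on another. Port names, MAC addresses and the assumption that the log action still moves a non-sticky address are constructed for the example.

```python
"""Added example (not FTOS code): a model of mac learning-limit with sticky
addresses, station-move violation actions and aging. Names, addresses and
the behaviour of the 'log' action on non-sticky entries are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_AGING = 1800   # seconds, the FTOS default quoted in this chapter


@dataclass
class Entry:
    port: str
    learned_at: float
    sticky: bool = False


@dataclass
class Port:
    limit: Optional[int] = None          # None: no learning limit on this port
    sticky: bool = False                 # mac learning-limit mac-address-sticky
    station_move_action: str = "block"   # "block" (no-station-move), "log", "shutdown"
    shutdown: bool = False


@dataclass
class MacTable:
    aging: int = DEFAULT_AGING
    ports: Dict[str, Port] = field(default_factory=dict)
    entries: Dict[str, Entry] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port)

    def learn(self, mac: str, port: str, now: float) -> str:
        """Process a frame with source address `mac` arriving on `port`."""
        p = self.ports.setdefault(port, Port())
        if p.shutdown:
            return "dropped: port shut down"
        known = self.entries.get(mac)
        if known is not None and known.port != port:
            # Station move: the address is already bound to another port.
            msg = f"station move: {mac} from {known.port} to {port}"
            if p.station_move_action == "shutdown":
                p.shutdown = True
                self.log.append(msg + " (port shut down)")
                return "station move: port shut down"
            if p.station_move_action == "log":
                self.log.append(msg)
                if known.sticky:        # sticky addresses never leave their port
                    return "station move: logged, sticky address not moved"
                self.entries[mac] = Entry(port, now, sticky=p.sticky)
                return "station move: logged, address moved"
            return "station move: not learned (no-station-move)"
        if known is not None:
            known.learned_at = now      # same port: refresh the aging timer
            return "refreshed"
        if p.limit is not None and self.count(port) >= p.limit:
            return "unknown SA: limit reached, not learned"
        self.entries[mac] = Entry(port, now, sticky=p.sticky)
        return "learned (sticky)" if p.sticky else "learned"

    def age(self, now: float) -> List[str]:
        """Expire dynamic, non-sticky entries idle for at least the aging time."""
        expired = [m for m, e in self.entries.items()
                   if not e.sticky and now - e.learned_at >= self.aging]
        for m in expired:
            del self.entries[m]
        return expired


def demo() -> dict:
    """Constructed walk-through: two limited ports, one sticky, three actions."""
    t = MacTable()
    t.ports["Gi 5/84"] = Port(limit=2, sticky=True)
    t.ports["Gi 5/85"] = Port(limit=5, station_move_action="shutdown")
    t.ports["Gi 5/87"] = Port(station_move_action="log")
    r = {}
    r["first"] = t.learn("00:01:e8:00:00:01", "Gi 5/84", 0)
    r["second"] = t.learn("00:01:e8:00:00:02", "Gi 5/84", 1)
    r["over_limit"] = t.learn("00:01:e8:00:00:03", "Gi 5/84", 2)
    r["plain"] = t.learn("00:01:e8:00:00:04", "Gi 5/86", 3)
    r["move_shutdown"] = t.learn("00:01:e8:00:00:01", "Gi 5/85", 4)
    r["after_shutdown"] = t.learn("00:01:e8:00:00:05", "Gi 5/85", 5)
    r["move_logged"] = t.learn("00:01:e8:00:00:04", "Gi 5/87", 6)
    r["sticky_move"] = t.learn("00:01:e8:00:00:02", "Gi 5/87", 7)
    r["move_blocked"] = t.learn("00:01:e8:00:00:02", "Gi 5/88", 8)
    r["expired"] = t.age(2000)
    r["sticky_count"] = t.count("Gi 5/84")
    r["log_lines"] = len(t.log)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two details worth noticing in the run: the third address offered to the sticky port is refused as an unknown source address once the limit of two is reached, and after ageing past 1800 seconds only the non-sticky address learned on Gi 5/87 disappears, while the two sticky addresses on Gi 5/84 are still there.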
Per-VLAN MAC Learning Limit
Per-VLAN MAC Learning Limit is available only on platform: e
An individual MAC learning limit can be configured for each VLAN using Per-VLAN MAC Learning Limit. One application of Per-VLAN MAC Learning Limit is on access ports. In Figure 22-1, an Internet Exchange Point (IXP) connects multiple Internet Service Providers (ISPs). An IXP can provide several types of services to its customers, including public and private peering.
FTOS#show mac learning-limit
Interface  Vlan  Learning  Dynamic    Static
Slot/port  Id    Limit     MAC count  MAC count
Gi 5/84 2 2 0
Gi 5/84 * 5 0
Gi 5/85 3 3 0
Gi 5/85 * 10 0
FTOS#show mac learning-limit interface gig 5/84
Interface  Vlan  Learning  Dynamic    Static
Slot/port  Id    Limit     MAC count  MAC count
Gi 5/84 2 2 0
Gi 5/84 * 5 0
FTOS#show mac learning-limit interface gig 5/84 vlan 2
Interface  Vlan  Learning  Dynamic    Static
Slot/port  Id    Limit     MAC count  MAC count
Gi 5/84 2 2 0
Unknown SA
Note: If this command is not configured, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out.
Figure 22-3. Configuring mac-address-table station-move refresh-arp Command (diagram not reproduced; only the labels X, MAC A:B:C:D and IP 1.1.1. survive)
Microsoft Clustering Microsoft Clustering is supported only on platform: e Microsoft Clustering allows multiple servers using Microsoft Windows to be represented by one MAC address and IP address in order to provide transparent failover or balancing. FTOS does not recognize server clusters by default; it must be configured to do so. Default Behavior When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration.
Figure 22-5.
Enable and Disable VLAN Flooding
• ARP entries already resolved through the VLAN are deleted when the feature is enabled. This ensures that ARP entries across the VLAN are consistent.
• All ARP entries learned after the feature is enabled are deleted when the feature is disabled, and RP2 triggers ARP resolution.
• The feature is disabled with the command no vlan-flooding.
• When a port is added to the VLAN, the port automatically receives traffic if the feature is enabled.
Figure 22-7. Configuring Redundant Layer 2 Pairs without Spanning Tree
Redundant links create a switching loop. Without STP, broadcast storms occur.
Important Points about Configuring Redundant Pairs
• You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface.
• Neither the active nor the backup interface may be a member of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, etc.).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or on ports connected to them.
Figure 22-8.
Conversely, if you want all multicast traffic to be flooded on all ports, but some specific traffic to be restricted, use mac-flood-list with the min-speed option, but without restrict-flooding configured. This configuration restricts flooding only for traffic with destination multicast MAC addresses within the multicast MAC address range you specify. In Figure 22-9, flooding of unknown multicast traffic is restricted to 1G ports on VLAN100 using the command restrict-flooding.
Figure 22-10.
1. An interface on which FEFD is not configured is in Normal mode by default.
2. Once FEFD is enabled on an interface, it transitions to the Unknown state and sends an FEFD packet to the remote end of the link.
3. When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state.
4.
Report interval frequency and mode adjustments can be made by supplementing this command as well.
Step 3 Task Command Syntax Command Mode Enable FEFD on each interface fefd {disable | interval | mode} INTERFACE Figure 22-12.
During an RPM Failover
In the event that an RPM failover occurs, FEFD becomes operationally down on all enabled ports for approximately 8-10 seconds before automatically becoming operational again.
Figure 22-15. FEFD state change during an RPM failover
02-05-2009 12:40:38 Local7.Debug 10.16.151.12 %RAM-6-FAILOVER_REQ: RPM failover request from active peer: User request.
Feb 5 07:06:09: %RPM1-S:CP 02-05-2009 12:40:38 Local7.Debug 10.16.151.
23 Link Layer Discovery Protocol (LLDP)
Link Layer Discovery Protocol (LLDP) is supported only on platforms: ecsz
This chapter contains the following sections:
• 802.1AB (LLDP) Overview on page 493
• TIA-1057 (LLDP-MED) Overview on page 496
• Configuring LLDP on page 500
802.1AB (LLDP) Overview
Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.
TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 23-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Management TLVs
A Management TLV is an Optional TLV sub-type. This kind of TLV contains essential management information about the sender. The five types are described in Table 23-2.
Organizationally Specific TLVs
Organizationally specific TLVs can be defined by a professional organization or a vendor. They have two mandatory fields (Figure 23-3) in addition to the basic TLV fields (Figure 23-1):
• Organizationally Unique Identifier (OUI)—a unique number assigned by the IEEE to an organization or vendor.
Table 23-2. Optional TLV Types
Type 127, Port and Protocol VLAN ID: On Dell Force10 systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in hybrid mode).
Type 127, VLAN Name: Indicates the user-defined alphanumeric string that identifies the VLAN. This TLV is supported on C-Series only.
Type 127, Protocol Identity: Indicates the protocols that the port can process.
TIA Organizationally Specific TLVs The Dell Force10 system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • • transmitting an LLDP-MED capabilities TLV to endpoint devices storing the information that endpoint devices advertise Table 23-3 describes the five types of TIA-1057 Organizationally Specific TLVs. Table 23-3.
LLDP-MED Capabilities TLV
The LLDP-MED Capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• The value of the LLDP-MED Capabilities field in the TLV is a 2-octet bitmap (Figure 23-4); each bit represents an LLDP-MED capability (Table 23-4).
• The possible values of the LLDP-MED Device Type are listed in Table 23-5.
LLDP-MED Network Policies TLV
A network policy in the context of LLDP-MED is a device's VLAN configuration and associated Layer 2 and Layer 3 configurations, specifically:
• VLAN ID
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value
The application type is represented by an integer (the Type integer in Table 23-6), which indicates a device function for which a unique network policy is defined.
Figure 23-5. LLDP-MED Policies TLV
Field layout: TLV Type (127), 7 bits; TLV Length (8), 9 bits; Organizationally Unique ID (00-12-BB), 3 octets; Organizationally Defined Sub-type (2), 1 octet; Application Type (0-255), 1 octet; U, T, X flags (0), 3 bits; VLAN ID (0-4095), 12 bits; L2 Priority (0-7), 3 bits; DSCP Value (0-63), 6 bits.
Extended Power via MDI TLV
The Extended Power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices.
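The TLV layout in Figure 23-1 and the Network Policy bit fields in Figure 23-5 can be checked by decoding a frame. The following Python parser is an added example, not FTOS code: it splits an LLDPDU into TLVs using the 7-bit type and 9-bit length header, decodes the Chassis ID, Port ID and TTL TLVs, and unpacks an LLDP-MED Network Policy TLV (OUI 00-12-BB, sub-type 2) into its application type, flags, VLAN ID, Layer 2 priority and DSCP. SAMPLE_PDU is a constructed LLDPDU, and the single-entry application-type table is a constructed subset. Because LLDP has no authentication, anything such a parser returns is a claim made by whoever is on the other end of the link; the parser at least refuses to read past the bytes it was given.

```python
"""Added example (not FTOS code): parse an LLDPDU, including the LLDP-MED
Network Policy TLV. SAMPLE_PDU and APP_NAMES are constructed."""
import struct
from typing import List

LLDP_MED_OUI = bytes.fromhex("0012bb")
MED_NETWORK_POLICY = 2
APP_NAMES = {1: "voice"}   # constructed subset of the application-type table


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 16-bit header."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def decode_network_policy(info: bytes) -> dict:
    """Application type (1 octet), then 24 bits MSB first:
    U, T, X flags (3 bits), VLAN ID (12), L2 priority (3), DSCP (6)."""
    app = info[0]
    bits = int.from_bytes(info[1:4], "big")
    return {
        "type": "med_network_policy",
        "application": APP_NAMES.get(app, app),
        "unknown_policy": bool(bits >> 23 & 1),
        "tagged": bool(bits >> 22 & 1),
        "vlan": bits >> 9 & 0xFFF,
        "l2_priority": bits >> 6 & 0x7,
        "dscp": bits & 0x3F,
    }


def decode_tlv(tlv_type: int, value: bytes) -> dict:
    if tlv_type == 0:
        return {"type": "end"}
    if tlv_type == 1 and len(value) >= 1:
        return {"type": "chassis_id", "subtype": value[0], "id": value[1:]}
    if tlv_type == 2 and len(value) >= 1:
        return {"type": "port_id", "subtype": value[0], "id": value[1:]}
    if tlv_type == 3 and len(value) >= 2:
        return {"type": "ttl", "seconds": struct.unpack("!H", value[:2])[0]}
    if tlv_type == 127 and len(value) >= 4:
        oui, subtype, info = value[:3], value[3], value[4:]
        if oui == LLDP_MED_OUI and subtype == MED_NETWORK_POLICY and len(info) == 4:
            return decode_network_policy(info)
        return {"type": "org_specific", "oui": oui.hex(), "subtype": subtype, "info": info}
    return {"type": f"tlv_{tlv_type}", "value": value}


def parse_tlvs(pdu: bytes) -> List[dict]:
    """Walk the LLDPDU. Stops at End-of-LLDPDU (type 0) and raises on a
    length that points past the buffer, so a malformed frame cannot make
    the caller read beyond what was received."""
    tlvs: List[dict] = []
    off = 0
    while off + 2 <= len(pdu):
        hdr = struct.unpack("!H", pdu[off:off + 2])[0]
        tlv_type, tlv_len = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + tlv_len > len(pdu):
            raise ValueError(f"TLV type {tlv_type} length {tlv_len} overruns PDU")
        tlvs.append(decode_tlv(tlv_type, pdu[off:off + tlv_len]))
        off += tlv_len
        if tlv_type == 0:
            break
    return tlvs


def is_malformed(pdu: bytes) -> bool:
    try:
        parse_tlvs(pdu)
        return False
    except ValueError:
        return True


def build_network_policy(app: int, vlan: int, prio: int, dscp: int, tagged: bool = True) -> bytes:
    """Encode a Network Policy TLV with the bit layout of Figure 23-5."""
    bits = (int(tagged) << 22) | (vlan << 9) | (prio << 6) | dscp
    return tlv(127, LLDP_MED_OUI + bytes([MED_NETWORK_POLICY, app]) + bits.to_bytes(3, "big"))


# Constructed LLDPDU: chassis ID (MAC), port ID (interface name), TTL 120 s,
# a voice policy (VLAN 100, priority 5, DSCP 46, tagged), End-of-LLDPDU.
SAMPLE_PDU = (
    tlv(1, b"\x04" + bytes.fromhex("0001e8000001"))
    + tlv(2, b"\x05GigabitEthernet 0/12")
    + tlv(3, struct.pack("!H", 120))
    + build_network_policy(1, 100, 5, 46)
    + tlv(0, b"")
)

if __name__ == "__main__":
    for t in parse_tlvs(SAMPLE_PDU):
        print(t)
```

The Network Policy TLV value comes out at eight bytes (OUI 3, sub-type 1, application type 1, bit field 3), which is the TLV Length of 8 shown in Figure 23-5. A phone that honours this TLV moves its voice traffic onto whatever VLAN the advertising device names, so on an access port it is worth knowing which neighbors are allowed to send it.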
• Viewing Information Advertised by Adjacent LLDP Agents on page 504
• Configuring LLDPDU Intervals on page 505
• Configuring Transmit and Receive Mode on page 506
• Configuring a Time to Live on page 507
• Debugging LLDP on page 508
Important Points to Remember
• LLDP is disabled by default.
• Dell Force10 systems support up to 8 neighbors per interface.
• Dell Force10 systems support a maximum of 8000 total neighbors per system.
Figure 23-7.
If LLDP is configured both globally and at the interface level, the interface-level configuration overrides the global configuration. To advertise TLVs:
Step 1. Task: Enter LLDP mode. Command: protocol lldp. Mode: CONFIGURATION or INTERFACE.
Step 2. Task: Advertise one or more TLVs. Include the keyword for each TLV you want to advertise.
• For management TLVs: system-capabilities, system-description
• For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id, vlan-name
• For 802.
Viewing the LLDP Configuration
Display the LLDP configuration using the command show config in either CONFIGURATION or INTERFACE mode, as shown in Figure 23-9 and Figure 23-10, respectively. Figure 23-9.
Figure 23-12.
Figure 23-13.
Figure 23-14.
Figure 23-15.
Figure 23-17. Relevant Management Objects FTOS supports all IEEE 802.1AB MIB objects. • • • • Table 23-7 lists the objects associated with received and transmitted TLVs. Table 23-8 lists the objects associated with the LLDP configuration on the local agent. Table 23-9 lists the objects associated with IEEE 802.1AB Organizationally Specific TLVs. Table 23-10 lists the objects associated with received and transmitted LLDP-MED TLVs.
Table 23-7.
Table 23-8.
Table 23-9. LLDP 802.1 Organizationally Specific TLV MIB Objects
Type 127, Port-VLAN ID; TLV variable PVID; Local: lldpXdot1LocPortVlanId; Remote: lldpXdot1RemPortVlanId.
Type 127, Port and Protocol VLAN ID; TLV variables: port and protocol VLAN supported, port and protocol VLAN enabled, PPVID; Local.
Type 127, VLAN Name; TLV variables: VID, VLAN name length, VLAN name.
Table 23-10.
Table 23-10.
Table 23-10.
24 Multicast Source Discovery Protocol (MSDP)
Multicast Source Discovery Protocol (MSDP) is supported on platforms: e z.
Protocol Overview
Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP. Each RP peers with every other RP via TCP. Through this connection, peers advertise the sources in their domain.
1.
Figure 24-1. Multicast Source Discovery Protocol (diagram not reproduced; its labels show routers R1 to R4 in AS X and AS Y, each with OSPF Area 0, BGP between the ASs, an MSDP peering between the RPs, PIM+IGMP towards the hosts PC 1 to PC 3, a Source and Receivers)
RPs advertise each (S,G) in their domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the "Entry Count" field.
Anycast RP Using Multicast Source Discovery Protocol (MSDP), Anycast RP provides load sharing and redundancy in Protocol Independent Multicast sparse mode (PIM-SM) networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows two or more RPs to be configured with the same IP address on loopback interfaces.
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown

(R1 ports 1/1, 1/2, 1/21; PC 1: 10.11.3.2/24)

interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.
(topology labels: R1 ports 1/1, 1/2, 1/21 with PC 1; R2 ports 2/1, 2/11, 2/31 with PC 2; R3 ports 3/21, 3/41; OSPF)

router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200

R3_E600(conf)#do show run bgp
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.2 remote-as 100
 neighbor 192.168.0.2 ebgp-multihop 255
 neighbor 192.168.0.2 update-source Loopback 0
 neighbor 192.168.0.
(topology labels: R1 (RP1) and R2 in AS 100; R3 (RP2) and R4 in AS 200; PIM and IGMP; PC 2 and PC 3 are receivers for 239.0.0.1)

ip multicast-routing
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4

ip multicast-routing
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4

ip multicast-routing
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4

ip multicast-routing
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
R1_E600(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr    SourceAddr   RPAddr       LearnedFrom  Expire  UpTime
239.0.0.1    10.11.4.2    192.168.0.1  local        95      16:49:25

(10.11.4.2, 239.0.0.1), uptime 1d16h, expires 00:03:12, flags: CTA
  Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.1.21
  Outgoing interface list:
    GigabitEthernet 1/1 Forward/Sparse 22:26:37/Never
(*, 239.0.0.1), uptime 22:26:37, expires 00:00:00, RP 192.168.0.
Enable MSDP

Enable MSDP by peering RPs in different administrative domains.

Step | Task | Command Syntax | Command Mode
1 | Enable MSDP. | ip multicast-msdp | CONFIGURATION
2 | Peer PIM systems in different administrative domains. | ip msdp peer connect-source | CONFIGURATION

Figure 24-7. Configuring an MSDP Peer
R3_E600(conf)#ip multicast-msdp
R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0
R3_E600(conf)#do show ip msdp summary
Peer Addr    Local Addr
192.168.0.1  192.168.0.
• RPs can transmit SA messages periodically to prevent SA storms, and only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information.

View the Source-active Cache

Task | Command Syntax | Command Mode
View the SA cache. | show ip msdp sa-cache | EXEC Privilege

Figure 24-9.
Enable the Rejected Source-active Cache

Active sources can be rejected because:
• the RPF check failed,
• the SA limit is reached,
• the peer RP is unreachable, or
• an SA message format error occurred.

Task | Command Syntax | Command Mode
Cache rejected sources. | ip msdp cache-rejected-sa | CONFIGURATION

Accept Source-active Messages that fail the RPF Check

A default peer is a peer from which active sources are accepted even though they fail the RPF check.
Figure 24-10. MSDP Default Peer
(Scenario 1 and Scenario 2: RP2, RP3, RP4 and RP5 with MSDP peerships; sources (S2, G2), (S3, G3), (S4, G4), (S5, G5); a peership fails in Scenario 2)
Task | Command Syntax | Command Mode
Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check. | ip msdp default-peer ip-address list | CONFIGURATION

Figure 24-11. Accepting Source-active Messages with
FTOS(conf)#ip msdp peer 10.0.50.
Prevent MSDP from Caching a Local Source

You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs.

Task | Command Syntax | Command Mode
OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache. | ip msdp cache-rejected-sa | CONFIGURATION
Prevent the system from caching local SA entries based on source and group using an extended ACL.
Prevent MSDP from Caching a Remote Source

Task | Command Syntax | Command Mode
OPTIONAL: Cache sources that are denied by the SA filter in the rejected SA cache. | ip msdp cache-rejected-sa | CONFIGURATION
Prevent the system from caching remote sources learned from a specific peer based on source and group. | ip msdp sa-filter list out peer list ext-acl | CONFIGURATION

In Figure 24-14, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3.
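The rejected-SA cache, default-peer and SA-filter sections above describe how an RP decides whether a received Source-Active entry is cached. The following model, added here and not FTOS code, applies those stated rules (RPF check, SA limit, default-peer bypass optionally limited by an ACL of originating RPs, ingress SA filter, rejected-SA cache); the class and function names, the simplified one-peer RPF table and the sample addresses are constructed for the example.

```python
"""Decision model for caching received MSDP Source-Active (SA) entries.

Added example, not FTOS code; all names here (MsdpRp, SaEntry, ...) are
hypothetical. It applies the rules stated in the sections above: the RPF
check, the SA limit, the default-peer bypass (optionally limited to the RPs
permitted by an ACL), the ingress SA filter, and the rejected-SA cache.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SaEntry:
    source: str     # multicast source address
    group: str      # multicast group address
    origin_rp: str  # RP that originated the SA


@dataclass
class MsdpRp:
    # Simplified RPF: the single peer from which SAs for each originating RP
    # are expected ({origin_rp: peer_address}); anything else fails RPF.
    rpf_peer_for: Dict[str, str]
    sa_limit: Optional[int] = None               # None = unlimited
    default_peer: Optional[str] = None           # ip msdp default-peer ip-address [list]
    default_peer_rps: Optional[Set[str]] = None  # RPs permitted by the list; None = no list
    # Ingress SA filter as an ext-ACL callback on (source, group); True = permit.
    sa_filter_in: Callable[[SaEntry], bool] = lambda entry: True
    cache_rejected_sa: bool = False              # ip msdp cache-rejected-sa
    sa_cache: Set[SaEntry] = field(default_factory=set)
    rejected_sa: List[Tuple[SaEntry, str]] = field(default_factory=list)

    def _rpf_ok(self, entry: SaEntry, peer: str) -> bool:
        return self.rpf_peer_for.get(entry.origin_rp) == peer

    def _bypasses_rpf(self, entry: SaEntry, peer: str) -> bool:
        """A default peer bypasses RPF; with a list, only for RPs the list permits."""
        if peer != self.default_peer:
            return False
        return self.default_peer_rps is None or entry.origin_rp in self.default_peer_rps

    def receive_sa(self, entry: SaEntry, peer: str) -> Optional[str]:
        """Process one SA entry received from `peer`.

        Returns None when the entry is cached, otherwise the reject reason.
        Rejected entries are kept only when cache-rejected-sa is enabled.
        """
        reason: Optional[str] = None
        if not self._bypasses_rpf(entry, peer) and not self._rpf_ok(entry, peer):
            reason = "rpf-failed"
        elif not self.sa_filter_in(entry):
            reason = "sa-filter"
        elif (self.sa_limit is not None and entry not in self.sa_cache
              and len(self.sa_cache) >= self.sa_limit):
            reason = "sa-limit"

        if reason is None:
            self.sa_cache.add(entry)
        elif self.cache_rejected_sa:
            self.rejected_sa.append((entry, reason))
        return reason


def demo() -> Dict[str, Optional[str]]:
    """Replay the page's scenario: R3 learns 10.11.4.2/239.0.0.1 from R1 (192.168.0.1).

    Returns the reject reason (or None) for each constructed case.
    """
    # Constructed sample: R3 expects SAs originated by 192.168.0.1 to arrive from 192.168.0.1.
    r3 = MsdpRp(rpf_peer_for={"192.168.0.1": "192.168.0.1"},
                cache_rejected_sa=True,
                sa_filter_in=lambda e: e.group != "239.0.0.9")
    from_r1 = SaEntry("10.11.4.2", "239.0.0.1", "192.168.0.1")
    unknown_rp = SaEntry("10.0.0.9", "239.0.0.1", "192.168.0.9")  # no RPF path known
    filtered = SaEntry("10.11.4.2", "239.0.0.9", "192.168.0.1")
    results = {
        "rpf-ok": r3.receive_sa(from_r1, "192.168.0.1"),
        "rpf-fail": r3.receive_sa(unknown_rp, "192.168.0.1"),
        "filtered": r3.receive_sa(filtered, "192.168.0.1"),
    }
    # Same unknown RP, but 192.168.0.1 is now a default peer without a list.
    r3.default_peer = "192.168.0.1"
    results["default-peer"] = r3.receive_sa(unknown_rp, "192.168.0.1")
    # With a list that does not permit 192.168.0.9, the normal RPF check applies again.
    r3.default_peer_rps = {"192.168.0.1"}
    results["default-peer-acl-denied"] = r3.receive_sa(
        SaEntry("10.0.0.10", "239.0.0.2", "192.168.0.9"), "192.168.0.1")
    return results
```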
Prevent MSDP from Advertising a Local Source

Task | Command Syntax | Command Mode
Prevent an RP from advertising a source in the SA cache. | ip msdp sa-filter list in peer list ext-acl | CONFIGURATION

In Figure 24-14, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires.

Figure 24-14.
Log Changes in Peership States

Task | Command Syntax | Command Mode
Log peership state changes. | ip msdp log-adjacency-changes | CONFIGURATION

Terminate a Peership

MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.

Task | Command Syntax | Command Mode
Terminate the TCP connection with a peer.
Clear Peer Statistics

Task | Command Syntax | Command Mode
Reset the TCP connection to the peer and clear all peer statistics. | clear ip msdp peer peer-address | CONFIGURATION

Figure 24-16. Clearing Peer Statistics
R3_E600(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
Debug MSDP

Task | Command Syntax | Command Mode
Display the information exchanged between peers. | debug ip msdp | CONFIGURATION

Figure 24-17. Debugging MSDP
R1_E600(conf)#do debug ip msdp
All MSDP debugging has been turned on
R1_E600(conf)#03:16:08 : MSDP-0: Peer
03:16:09 : MSDP-0: Peer 192.168.0.3,
03:16:27 : MSDP-0: Peer 192.168.0.3,
03:16:38 : MSDP-0: Peer 192.168.0.3,
03:16:39 : MSDP-0: Peer 192.168.0.3,
03:17:09 : MSDP-0: Peer 192.168.0.3,
03:17:10 : MSDP-0: Peer 192.168.0.
MSDP with Anycast RP

(10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags: FTA
  Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0
  Outgoing interface list:
    GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40
    GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40

Figure 24-18.
(topology labels: PC 2 source, PC 3 receiver; R4 ports 4/1, 4/31; port 2/1; OSPF Area 0 in AS X; BGP; PIM and IGMP)

(*, 239.0.0.1), uptime 00:00:23, expires 00:00:00, RP 192.
Reducing Source-active Message Flooding

RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
Figure 24-19. R1 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
Figure 24-20. R2 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
Figure 24-21. R3 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
MSDP Sample Configurations

The following figures show the running-configurations for the routers shown in Figure 24-5, Figure 24-4, Figure 24-5, and Figure 24-6.

Figure 24-22. MSDP Sample Configuration: R1 Running-config
ip multicast-routing
!
interface GigabitEthernet 1/1
 ip pim sparse-mode
 ip address 10.11.3.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.
Figure 24-23. MSDP Sample Configuration: R2 Running-config
ip multicast-routing
!
interface GigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface GigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.
Figure 24-24. MSDP Sample Configuration: R3 Running-config
ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
!
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 0/0
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
Figure 24-25. MSDP Sample Configuration: R4 Running-config
ip multicast-routing
!
interface GigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface GigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
!
interface GigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.
25 Multiple Spanning Tree Protocol (MSTP)

Multiple Spanning Tree Protocol (MSTP) is supported on platforms: ecsz

Protocol Overview

Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. In contrast, PVST+ allows a spanning tree instance for each VLAN.
FTOS supports three other variations of Spanning Tree, as shown in Table 25-1.

Table 25-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term | IEEE Specification
Spanning Tree Protocol | 802.1d
Rapid Spanning Tree Protocol | 802.1w
Multiple Spanning Tree Protocol | 802.1s
Per-VLAN Spanning Tree Plus | Third Party

Implementation Information

• The FTOS MSTP implementation is based on IEEE 802.
• Preventing Network Disruptions with BPDU Guard on page 813
• SNMP Traps for Root Elections and Topology Changes on page 709
• Configuring Spanning Trees as Hitless on page 816

Enable Multiple Spanning Tree Globally

MSTP is not enabled by default. To enable MSTP:

Step | Task | Command Syntax | Command Mode
1 | Enter PROTOCOL MSTP mode. | protocol spanning-tree mstp | CONFIGURATION
2 | Enable MSTP.
Create an MSTI using the command msti from PROTOCOL MSTP mode. Specify the keyword vlan followed by the VLANs that you want to participate in the MSTI, as shown in Figure 25-3.

Figure 25-3.
Influence MSTP Root Selection

MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it will become the root bridge. To change the bridge priority:

Task | Command Syntax | Command Mode
Assign a number as the bridge priority. A lower number increases the probability that the bridge becomes the root bridge.
To change the region name or revision:

Task | Command Syntax | Command Mode
Change the region name. | name name | PROTOCOL MSTP
Change the region revision number. Range: 0 to 65535. Default: 0. | revision number | PROTOCOL MSTP

View the current region name and revision using the command show spanning-tree mst configuration from EXEC Privilege mode, as shown in Figure 25-6.

Figure 25-6.
Task | Command Syntax | Command Mode
Change the hello-time parameter. | hello-time seconds | PROTOCOL MSTP
Change the max-age parameter. Range: 6 to 40. Default: 20 seconds. | max-age seconds | PROTOCOL MSTP
Change the max-hops parameter. Range: 1 to 40. Default: 20. | max-hops number | PROTOCOL MSTP

Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time.
Table 25-2. MSTP Default Port Cost Values
Port Cost | Default Value
10-Gigabit Ethernet interfaces | 2000
Port Channel with 100 Mb/s Ethernet interfaces | 180000
Port Channel with 1-Gigabit Ethernet interfaces | 18000
Port Channel with 10-Gigabit Ethernet interfaces | 1800

To change the port cost or priority of an interface:

Task | Command Syntax | Command Mode
Change the port cost of an interface. Range: 0 to 200000. Default: see Table 25-2.
Verify that EdgePort is enabled on a port using the command show config from INTERFACE mode, as shown in Figure 25-8.

FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel already in error-disable state, the new member port will also be disabled in the hardware.
Figure 25-9. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
(root R1; R2; R3; ports 1/2, 2/1, 2/3, 1/3, 3/1, 3/2; port states Forwarding and Blocking shown)

Figure 25-10.
Figure 25-11.
Figure 25-12.
Figure 25-13.
Figure 25-14. Displaying BPDUs and Events
FTOS#debug spanning-tree mstp bpdu
1w1d17h : MSTP: Sending BPDU on Gi 1/31 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 20000
Regional Bridge Id: 32768:0001.e809.c24a, CIST Port Id: 128:384
Msg Age: 2, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: my-mstp-region, Rev: 0, Int Root Path Cost: 20000
Rem Hops: 19, Bridge Id: 32768:0001.e80d.
Figure 25-15. Sample Output for show running-configuration spanning-tree mstp command
FTOS#show run spanning-tree mstp
!
protocol spanning-tree mstp
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300

Figure 25-16. Displaying BPDUs and Events - Debug Log of Successful MSTP Configuration
FTOS#debug spanning-tree mstp bpdu
MSTP debug bpdu is ON
FTOS# 4w0d4h : MSTP: Sending BPDU on Gi 2/21 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e
CIST Root Bridge Id: 32768:0001.e806.
26 Multicast Features

Multicast Features are supported on platforms: ecsz

This chapter contains the following sections:
• Enable IP Multicast on page 559
• Multicast with ECMP on page 560
• First Packet Forwarding for Lossless Multicast on page 561
• Multicast Policies on page 562
• Multicast Traceroute on page 569

FTOS supports the following multicast protocols:
• PIM Sparse-Mode (PIM-SM) on page 603
• PIM Source-Specific Mode (PIM-SSM) on page 613
• Internet Group Management Protocol (IGMP) on page
Multicast with ECMP

Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal-cost links. When creating the shared tree, Protocol Independent Multicast (PIM) uses routes from all configured routing protocols to select the best route to the rendezvous point (RP). If there are multiple equal-cost paths, PIM selects the route with the least number of currently running multicast streams.
As the upper five bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.5 is a well-known IP address for OSPF that maps to the multicast MAC address 01:00:5e:00:00:05. However, 225.0.0.5, 226.0.0.5, etc., map to the same multicast MAC address. The Layer 2 FIB alone cannot differentiate multicast control traffic from multicast data traffic with the same address, so if you use IP address 225.0.0.
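The 32-to-1 collision described above can be checked directly. The following script is an added example, not from the FTOS guide: it performs the IPv4-group-to-MAC translation and enumerates every group that a Layer 2 FIB would confuse with a given one (function names are constructed for the example).

```python
"""IPv4 multicast group to Ethernet MAC mapping and the 32-to-1 collision.

Added example, not from the FTOS guide. Shows why 224.0.0.5 (OSPF) and
225.0.0.5, 226.0.0.5, ... all map to 01:00:5e:00:00:05: only the low 23 bits
of the group address are copied into the MAC, so the five bits above them
(the bits below the fixed 1110 prefix) are lost.
"""
import ipaddress
from typing import List

MCAST_OUI = 0x01005E000000   # IANA multicast MAC prefix 01:00:5e
LOW23 = 0x7FFFFF             # bits of the group address that reach the MAC
CLASS_D_PREFIX = 0xE0000000  # 224.0.0.0/4: fixed leading 1110


def group_to_mac(group: str) -> str:
    """Return the Ethernet multicast MAC for an IPv4 group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = MCAST_OUI | (int(addr) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(group: str) -> List[str]:
    """Return all 32 IPv4 groups that share `group`'s MAC, in ascending order.

    The dropped five bits sit at positions 23..27, so every combination of
    them with the same low 23 bits yields the same Layer 2 address.
    """
    low = int(ipaddress.IPv4Address(group)) & LOW23
    return [str(ipaddress.IPv4Address(CLASS_D_PREFIX | (dropped << 23) | low))
            for dropped in range(32)]


def l2_indistinguishable(group_a: str, group_b: str) -> bool:
    """True when a Layer 2 FIB cannot separate traffic for the two groups."""
    return group_to_mac(group_a) == group_to_mac(group_b)


if __name__ == "__main__":
    print(group_to_mac("224.0.0.5"))                        # 01:00:5e:00:00:05
    print(l2_indistinguishable("224.0.0.5", "225.0.0.5"))   # True
    print(groups_sharing_mac("224.0.0.5")[:4])
```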
Multicast Policies

FTOS offers parallel Multicast features for IPv4 and IPv6.
Note: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit might be superseded by this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit set by ip multicast-limit is reached.

Prevent a Host from Joining a Group

You can prevent a host from joining a particular group by blocking specific IGMP reports.
ip igmp snooping enable
interface Vlan 400
 ip pim sparse-mode
 ip address 10.11.4.1/24
 untagged GigabitEthernet 1/2
 ip igmp access-group igmpjoinfilR2G2
 no shutdown

(*, 239.0.0.1), uptime 00:00:06, expires 00:00:00, RP 10.11.12.2, flags: SCJ
  Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.
Rate Limit IGMP Join Requests

If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined using the command ip igmp group-join-limit from INTERFACE mode. Hosts whose IGMP requests are denied will use the retry mechanism built into IGMP, so their membership is delayed rather than permanently denied. View the enable status of this feature using the command show ip igmp interface from EXEC Privilege mode.
(10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:03:07, flags: CT
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:00:40/Never
(*, 239.0.0.2), uptime 00:00:40, expires 00:00:00, RP 10.11.12.2, flags: SCJ
  Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:00:40/Never
(10.11.5.2, 239.0.0.
Prevent a PIM Router from Processing a Join

Permit or deny PIM Join/Prune messages on an interface using an extended IP access list. Use the command ip pim join-filter to prevent the PIM-SM router from creating state based on multicast source and/or group.
Prevent an IPv6 Neighbor from Forming an Adjacency

Task | Command Syntax | Command Mode
Prevent a router from participating in PIM.
Multicast Traceroute

Multicast Traceroute is supported only on platform: e

MTRACE is an IGMP-based tool that prints the network path that a multicast packet takes from a source to a destination, for a particular group. FTOS has mtrace client and mtrace transmit functionality.
• MTRACE Client—an mtrace client transmits mtrace queries and prints out the details of received responses.
27 Open Shortest Path First (OSPFv2)

Open Shortest Path First (OSPFv2) is supported on platforms z.
Autonomous System (AS) Areas

OSPF operates in a type of hierarchy. The largest entity within the hierarchy is the autonomous system (AS), which is a collection of networks under a common administration that share a common routing strategy. OSPF is an intra-AS (interior gateway) routing protocol, although it is capable of receiving routes from and sending routes to other ASs.
Area Types

The Backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any Autonomous System (AS). All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
Figure 27-2 gives some examples of the different router designations.

Figure 27-2.
Area Border Router (ABR)

Within an AS, an Area Border Router (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link-state database. An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
Link-State Advertisements (LSAs)

A Link-State Advertisement (LSA) communicates the router's local routing topology to all other local routers in the same area. The LSA types supported by Dell Force10 are defined as follows:

• Type 1 - Router LSA
  • The router lists links to other routers or networks in the same area. Type 1 LSAs are flooded across their own area only. The Link-State ID of the Type 1 LSA is the originating router ID.
• 3: connection to a stub network (IP network/subnet number)
• 4: virtual link (neighboring router ID)

LSA throttling

LSA throttling provides configurable interval timers to improve OSPF convergence times. The default OSPF static timers (5 seconds for transmission, 1 second for acceptance) ensure sufficient time for sending and resending LSAs and for system acceptance of arriving LSAs. However, some networks may require reduced intervals for LSA transmission and acceptance.
Figure 27-3. Priority and Costs Example

Implementing OSPF with FTOS

FTOS supports up to 10,000 OSPF routes. Within that 10,000, up to 8,000 routes can be designated as external and up to 2,000 designated as inter/intra-area routes. FTOS version 7.8.1.0 and later support multiple OSPF processes (OSPF MP). The Z-Series supports up to 3 OSPF processes simultaneously. The S-Series supports up to 16 processes simultaneously.
• Opaque Link-local (type 9)

Fast Convergence (OSPFv2, IPv4 only)

Fast Convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. FTOS enables you to accept and originate LSAs as soon as they are available to speed up route information propagation. Note that the faster the convergence, the more frequent the route calculations and updates. This will impact CPU utilization and may impact adjacency stability in larger topologies.
RFC-2328 Compliant OSPF Flooding

In OSPF, flooding is the most resource-consuming task. The flooding algorithm described in RFC 2328 requires that OSPF flood LSAs on all interfaces, as governed by the LSA's flooding scope. (Refer to Section 13 of the RFC.) When multiple direct links connect two routers, the RFC 2328 flooding algorithm generates significant redundant information across all links.
OSPF ACK Packing

The OSPF ACK Packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default, and non-configurable.
OSPF must be configured GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface.

Note: By default, OSPF is disabled.

Configuration Task List for OSPFv2 (OSPF for IPv4)

Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms cesz

1. Configure a physical interface. Assign an IP address, physical or loopback, to the interface to enable Layer 3 routing.
If implementing Multi-Process OSPF, you must create an equal number of Layer 3 enabled interfaces and OSPF Process IDs. For example, if you create 4 OSPFv2 process IDs, you must have 4 interfaces with Layer 3 enabled. Use these commands on one of the interfaces to enable OSPFv2 routing.

Step | Command Syntax | Command Mode | Usage
1 | ip address ip-address mask | CONFIG-INTERFACE | Assign an IP address to an interface. Format: A.B.C.D/M. If using a Loopback interface, refer to Loopback Interfaces on page 340.
Use the no router ospf process-id command syntax in CONFIGURATION mode to disable OSPF. Use the clear ip ospf process-id command syntax in EXEC Privilege mode to reset the OSPFv2 process. Use the show ip ospf process-id command in EXEC mode (Figure 27-8) to view the current OSPFv2 status.

Figure 27-8. Command Example: show ip ospf process-id
FTOS#show ip ospf 55555
Routing Process ospf 55555 with ID 10.10.10.
Once the OSPF process and the VRF are tied together, the OSPF Process ID cannot be used again in the system. If you try to enable more OSPF processes than available Layer 3 interfaces, you will see the following message.

Message 4
C300(conf)#router ospf 1
% Error: No router ID available.

In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting.
Use this command in CONFIGURATION ROUTER OSPF mode to set up each neighbor and OSPF area. The Area can be assigned by a number or with an IP interface address.

Command Syntax | Command Mode | Usage
network ip-address mask area area-id | CONFIG-ROUTER-OSPF-id | Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area. IP Address Format: A.B.C.D/M. Area ID Range: 0-65535 or A.B.C.
Figure 27-10. Command Example: show ip ospf process-id interface
FTOS>show ip ospf 1 interface
GigabitEthernet 12/17 is up, line protocol is up
  Internet Address 10.2.2.1/24, Area 0.0.0.0
  Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DR, Priority 1
  Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1
  Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area. Use these commands in the following sequence, starting in EXEC Privilege mode, to configure a stub area.

Step | Command Syntax | Command Mode | Usage
1 | show ip ospf process-id [vrf vrf-name] database database-summary | EXEC Privilege | Review all areas after they were configured to determine which areas are NOT receiving type 5 LSAs.
Configure LSA throttling timers

Configured LSA timers replace the standard transmit and acceptance times for LSAs. The LSA throttling timers are configured in milliseconds, with the interval time increasing exponentially until a maximum time has been reached. Once the maximum time is reached, the system continues to transmit at the max-interval. If the system is stable for twice the maximum interval time, the system reverts to the start-interval timer and the cycle begins again.
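The timer behaviour just described (exponential growth from start-interval, capped at max-interval, reset after a quiet period of twice max-interval) can be traced with the following model. It is an added example, not FTOS code; because the page gives only the shape of the behaviour, it assumes the interval doubles per successive LSA and that "stable" means no LSA generated for twice max-interval, and the class and function names are constructed.

```python
"""Model of the exponential LSA throttling timer described above.

Added example, not FTOS code. Assumptions, since the page gives only the
shape of the behaviour: the interval doubles for each successive LSA (the
page says only "increasing exponentially"), and "stable" means no LSA has
been generated for twice the max-interval.
"""
from typing import List, Optional


class LsaThrottle:
    """Tracks the current transmit interval of one LSA under throttling."""

    def __init__(self, start_interval_ms: int, max_interval_ms: int) -> None:
        if start_interval_ms <= 0 or max_interval_ms < start_interval_ms:
            raise ValueError("need 0 < start-interval <= max-interval")
        self.start_interval_ms = start_interval_ms
        self.max_interval_ms = max_interval_ms
        self._current_ms = start_interval_ms
        self._last_lsa_ms: Optional[int] = None

    def is_stable(self, now_ms: int) -> bool:
        """Stable when no LSA has been generated for 2 x max-interval (assumption)."""
        return (self._last_lsa_ms is not None
                and now_ms - self._last_lsa_ms >= 2 * self.max_interval_ms)

    def next_interval(self, now_ms: int) -> int:
        """Return the interval applied to an LSA generated at `now_ms`, then back off.

        A quiet period of 2 x max-interval resets the backoff to start-interval;
        otherwise the interval doubles (assumption) until it caps at max-interval.
        """
        if self.is_stable(now_ms):
            self._current_ms = self.start_interval_ms
        applied = self._current_ms
        self._current_ms = min(self._current_ms * 2, self.max_interval_ms)
        self._last_lsa_ms = now_ms
        return applied


def schedule(start_interval_ms: int, max_interval_ms: int,
             lsa_times_ms: List[int]) -> List[int]:
    """Intervals applied to a sequence of LSA generation times (constructed input)."""
    throttle = LsaThrottle(start_interval_ms, max_interval_ms)
    return [throttle.next_interval(t) for t in lsa_times_ms]


if __name__ == "__main__":
    # Constructed churn: six LSAs 50 ms apart, then a quiet gap, then one more.
    print(schedule(100, 1000, [0, 50, 100, 150, 200, 250, 5000]))
    # -> [100, 200, 400, 800, 1000, 1000, 100]
```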
Use the following command in ROUTER OSPF mode to suppress the interface’s participation on an OSPF interface. This command stops the router from sending updates on that interface.

Command Syntax | Command Mode | Usage
passive-interface {default | interface} | CONFIG-ROUTER-OSPF-id | Specify whether all or some of the interfaces will be passive. default enables passive interfaces on ALL interfaces in the OSPF process.
Figure 27-13. Command Example: show ip ospf process-id interface
FTOS#show ip ospf 34 int
GigabitEthernet 0/0 is up, line protocol is down
  Internet Address 10.1.2.100/24, Area 1.1.1.1
  Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DOWN, Priority 1
  Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0
  Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Figure 27-14 shows the convergence settings when fast-convergence is enabled and Figure 27-15 shows the settings when fast-convergence is disabled. These displays appear with the show ip ospf command.

Figure 27-14. Command Example: show ip ospf process-id (fast-convergence enabled)
FTOS(conf-router_ospf-1)#fast-converge 2
FTOS(conf-router_ospf-1)#ex
FTOS(conf)#ex
FTOS#show ip ospf 1
Routing Process ospf 1 with ID 192.168.67.
Use any or all of the following commands in CONFIGURATION INTERFACE mode to change OSPFv2 parameters on the interfaces:

Command Syntax | Command Mode | Usage
ip ospf cost | CONFIG-INTERFACE | Change the cost associated with OSPF traffic on the interface. Cost: 1 to 65535 (default depends on the interface speed).
ip ospf dead-interval seconds | CONFIG-INTERFACE | Change the time interval the router waits before declaring a neighbor dead. Seconds range: 1 to 65535 (default is 40 seconds).
Figure 27-16. Changing the OSPF Cost Value on an Interface
(The change is made on the interface and it is reflected in the OSPF configuration.)
FTOS(conf-if)#ip ospf cost 45
FTOS(conf-if)#show config
!
interface GigabitEthernet 0/0
 ip address 10.1.2.100 255.255.255.0
 no shutdown
 ip ospf cost 45
FTOS(conf-if)#end
FTOS#show ip ospf 34 interface
GigabitEthernet 0/0 is up, line protocol is up
  Internet Address 10.1.2.100/24, Area 2.2.2.2
  Process ID 34, Router ID 10.1.2.
• transmit-delay: LSA transmission delay
• dead-interval: dead router detection time
• authentication-key: authentication key
• message-digest-key: MD5 authentication key

Use the following command in CONFIGURATION ROUTER OSPF mode to configure virtual links.
Filter routes

To filter routes, use prefix lists. OSPF applies prefix lists to incoming or outgoing routes. Incoming routes must meet the conditions of the prefix lists; if they do not, OSPF does not add the route to the routing table. Configure the prefix list in CONFIGURATION PREFIX LIST mode prior to assigning it to the OSPF process.

Command Syntax | Command Mode | Usage
ip prefix-list prefix-name | CONFIGURATION | Create a prefix list and assign it a unique name.
Redistribute routes

You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process.

Note: Do not route iBGP routes to OSPF unless there are route-maps associated with the OSPF redistribution.
Troubleshooting OSPFv2

FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt an OSPFv2 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks.
Figure 27-19. Command Example: show running-config ospf
FTOS#show run ospf
!
router ospf 3
!
router ospf 4
 router-id 4.4.4.4
 network 4.4.4.0/28 area 1
!
router ospf 5
!
router ospf 6
!
router ospf 7
 mib-binding
!
router ospf 8
!
router ospf 90
 area 2 virtual-link 4.4.4.4
 area 2 virtual-link 90.90.90.90 retransmit-interval 300
!
ipv6 router ospf 999
 default-information originate always
 router-id 10.10.10.
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process:

Command Syntax: debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
Command Mode: EXEC Privilege
Usage: View debug messages. To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id. If you do not enter a process ID, the command applies to the first OSPF process.
Figure 27-20. Basic topology and CLI commands for OSPFv2 (all interfaces in OSPF area 0; the topology drawing is not reproduced, only the router configurations)

First router (GigabitEthernet 1/1 and 1/2):
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface GigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

Second router (GigabitEthernet 3/1 and 3/2; configuration truncated in the source):
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.

Note that the network statements 10.0.11.0/24 and 10.0.12.0/24 in this figure do not cover the interface addresses 10.1.11.1/24 and 10.2.12.2/24. OSPF runs only on interfaces whose address falls inside a network statement, so align the two when reproducing this configuration.
28 PIM Sparse-Mode (PIM-SM)

PIM Sparse-Mode (PIM-SM) is supported on platforms: ecsz

PIM Sparse-Mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only upon request using a PIM Join message; this behavior is the opposite of PIM Dense-Mode, which forwards multicast traffic to all subnets until it receives a request to stop.

Implementation Information

• The Dell Force10 implementation of PIM-SM is based on the IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
Protocol Overview

PIM-SM initially uses unidirectional shared trees to forward multicast traffic; that is, all multicast traffic must flow only from the Rendezvous Point (RP) to the receivers. Once a receiver receives traffic from the RP, PIM-SM switches to shortest path trees (SPT) to forward multicast traffic. Every multicast group has an RP and a unidirectional shared tree (group-specific shared tree).
1. The source gateway router (first-hop DR) receives the multicast packets and creates an (S,G) entry in its multicast routing table. The first-hop DR encapsulates the initial multicast packets in PIM Register packets and unicasts them to the RP. 2. The RP decapsulates the PIM Register packets and forwards them if there are any receivers for that group. The RP sends a PIM Join message towards the source.
• Configure a Designated Router on page 609
• Create Multicast Boundaries and Domains on page 610
• PIM-SM Graceful Restart on page 610
• Monitoring PIM on page 611

Enable PIM-SM

You must enable PIM-SM on each participating interface:

Step 1: Enable multicast routing on the system.
Figure 28-3. Viewing the PIM Multicast Routing Table

FTOS#show ip pim tib
PIM Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned,
       R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode

(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
  Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.
Step 3: Set the expiry time for a specific (S,G) entry (Figure 28-4). Range: 211-86400 seconds. Default: 210.
Command Syntax: ip pim sparse-mode sg-expiry-timer seconds sg-list access-list-name
Command Mode: CONFIGURATION

Note: The expiry time configuration is nullified, and the default global expiry time is used, if an ACL is specified in the ip pim sparse-mode sg-expiry-timer command but the ACL has not been created or is a standard ACL.
Override Bootstrap Router Updates

PIM-SM routers need to know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. If you have configured a static RP for a group, use the option override with the command ip pim rp-address to override bootstrap router updates with your static RP configuration. Without override, a BSR advertisement (including one from a misconfigured or rogue candidate BSR) takes precedence over the static mapping.
Create Multicast Boundaries and Domains

A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM Multicast Border Routers (PMBRs). PMBRs connect each PIM domain to the rest of the internet. To create multicast boundaries and domains, filter inbound and outbound Bootstrap Router (BSR) messages per interface with the ip pim bsr-border command. Without such a border, BSR messages from a neighboring domain are accepted and can change the group-to-RP mapping used by every router in this domain.
• restart-time is the time required by the Dell Force10 system to restart. The default value is 180 seconds.
• stale-entry-time is the maximum amount of time that the Dell Force10 system preserves entries from a restarting neighbor. The default value is 60 seconds.

In helper-only mode, the system preserves the PIM states of a neighboring router while the neighbor gracefully restarts, but the Dell Force10 system allows itself to be taken off the forwarding path if it restarts.
29 PIM Source-Specific Mode (PIM-SSM)

PIM Source-Specific Mode (PIM-SSM) is supported on platforms: ecsz

PIM Source-Specific Mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of Protocol Independent Multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
(10.11.5.2, 239.0.0.2), uptime 00:00:36, expires 00:03:14, flags: CT
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:02:12/Never

interface Vlan 400
 ip pim sparse-mode
 ip address 10.11.4.1/24
 untagged GigabitEthernet 1/2
 ip igmp version 3
 no shutdown

interface GigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.23.1/24
 no shutdown

(Topology labels from the figure: RP, R1, Source 1 at 10.11.5.)
Implementation Information

• The Dell Force10 implementation of PIM-SSM is based on RFC 3569.
• C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G) and (S,G) entries. There is no limit on the number of PIM neighbors C-Series can have.
• S-Series supports a maximum of 31 PIM interfaces and 2K multicast entries including (*,G) and (S,G) entries. There is no limit on the number of PIM neighbors S-Series can have.
Enable PIM-SSM

To enable PIM-SSM:

Step 1: Create an ACL that uses permit rules to specify what range of addresses should use SSM. You must include at least one rule, permit 232.0.0.0/8, which is the default range for PIM-SSM.
Command Syntax: ip access-list standard name
Command Mode: CONFIGURATION

Step 2: Enter the command ip pim ssm-range and specify the ACL you created.
• When an extended ACL is associated with this command, FTOS displays an error message. If you apply an extended ACL before you create it, FTOS accepts the configuration, but when the ACL is later defined, FTOS ignores the ACL and the stated mapping has no effect.

Display the source to which a group is mapped using the command show ip igmp ssm-map [group], as shown in Figure 29-4 on page 619.
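The decision the two procedures above produce, as an added example rather than code from this guide: which groups the ssm-range ACL places in SSM, whether the ACL still covers the mandatory 232.0.0.0/8, and what happens to an IGMPv2 join for an SSM group with and without an ssm-map. The ACL lines, group addresses and the mapped source are constructed for the example (they reuse the values shown in Figure 29-4); the rule that an IGMPv2 join to an unmapped SSM group creates no state is an assumption based on SSM requiring a source, not a statement of FTOS behaviour.

```python
import ipaddress

SSM_DEFAULT_RANGE = ipaddress.ip_network("232.0.0.0/8")   # mandatory in the ssm-range ACL


def parse_std_acl(lines):
    """Parse 'seq N permit host A.B.C.D' / 'seq N permit A.B.C.D/len' lines of a
    standard ACL into (seq, action, network) tuples, lowest sequence first."""
    rules = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0] == "!":
            continue
        seq, action, target = int(parts[1]), parts[2], parts[3:]
        if target[0] == "host":
            net = ipaddress.ip_network(target[1] + "/32")
        else:
            net = ipaddress.ip_network(target[0], strict=False)
        rules.append((seq, action, net))
    return sorted(rules, key=lambda r: r[0])


def acl_permits(rules, address):
    """Standard ACL semantics: first matching rule decides, implicit deny otherwise."""
    addr = ipaddress.ip_address(address)
    for _seq, action, net in rules:
        if addr in net:
            return action == "permit"
    return False


def check_ssm_range(rules):
    """Problems to fix before 'ip pim ssm-range' is applied."""
    problems = []
    if not any(a == "permit" and SSM_DEFAULT_RANGE.subnet_of(n) for _s, a, n in rules):
        problems.append("ACL does not permit 232.0.0.0/8, the default PIM-SSM range")
    for _s, a, n in rules:
        if a == "permit" and not n.is_multicast:
            problems.append(f"{n} is not a multicast range")
    return problems


def resolve_join(range_rules, ssm_maps, group, source=None):
    """Which tree a join for `group` builds. ssm_maps is a list of (acl_rules, source)
    pairs, one per 'ip igmp ssm-map' statement."""
    if not acl_permits(range_rules, group):
        return ("*,G", None)                 # outside the SSM range: shared tree via the RP
    if source is not None:
        return ("S,G", source)               # IGMPv3 INCLUDE join already names the source
    for acl_rules, mapped_source in ssm_maps:
        if acl_permits(acl_rules, group):    # IGMPv2 join: take the source from the map
            return ("S,G", mapped_source)
    return (None, None)                      # SSM group, no source known: no state is built


# Constructed configuration mirroring Figure 29-4 plus the mandatory 232/8 rule.
SSM_RULES = parse_std_acl(["seq 5 permit 232.0.0.0/8", "seq 10 permit host 239.0.0.2"])
MAPS = [(parse_std_acl(["seq 5 permit host 239.0.0.2"]), "10.11.5.2")]
```

Running resolve_join over the groups in the figure shows why the ssm-map is needed: 239.0.0.2 is inside the SSM range, so an IGMPv2 report (which carries no source) only results in an (S,G) entry because the map supplies 10.11.5.2.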
interface Vlan 400
 ip pim sparse-mode
 ip address 10.11.4.1/24
 untagged GigabitEthernet 1/2
 ip igmp version 3
 no shutdown
 ip igmp snooping enable

(10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:00:00, flags: CJ
  Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2
  Outgoing interface list:
    Vlan 300 Forward/Sparse 00:00:33/Never
(10.11.5.2, 239.0.0.
Figure 29-4. Configuring PIM-SSM with IGMPv2

R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
 seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address    Interface    Mode
239.0.0.2        Vlan 300     IGMPv2-Compat
Member Ports: Gi 1/1
239.0.0.
30 Port Monitoring Port Monitoring is supported on platforms: ecsz Port Monitoring, also known as Port Mirroring, is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port Monitoring functionality is different between platforms, but the behavior is the same, with highlighted exceptions.
• The C-Series and S-Series may only have four destination ports per port-pipe. There is no limitation on the total number of monitoring sessions. Table 30-1 lists the maximum number of monitoring sessions per system. For the C-Series and S-Series, the total number of sessions is derived by consuming a unique destination port in each session, in each port-pipe.

Table 30-1.
On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3). Therefore, the E-Series TeraScale supports as many monitoring sessions as there are port-pipes in the system.

Message 2. Multiple Source-Destination Statements Error Message on E-Series TeraScale
% Error: Remove existing monitor configuration.
The number of source ports FTOS allows within a port-pipe is equal to the number of physical ports in the port-pipe (n). However, those n source ports may share only four different destination ports (Message 5).

Figure 30-2.
Figure 30-4.
FTOS Behavior: The C-Series and S-Series continue to mirror outgoing traffic even after an MD participating in Spanning Tree Protocol transitions from the forwarding to the blocking state.

Configuring Port Monitoring

To configure port monitoring:

Step 1: Verify that the intended monitoring port has no configuration other than no shutdown, as shown in Figure 30-6.
Figure 30-7.
Flow-based Monitoring

Flow-based Monitoring is supported only on platform: e

Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You may specify traffic using standard or extended access-lists.
31 Private VLANs FTOS 7.8.1.0 adds a Private VLAN (PVLAN) feature for the C-Series and S-Series: csz For syntax details on the commands discussed in this chapter, see the Private VLANs Commands chapter in the FTOS Command Reference.
Private VLAN Concepts

The VLAN types in a private VLAN (PVLAN) include:

Community VLAN — A community VLAN is a type of secondary VLAN in a primary VLAN:
• Ports in a community VLAN can communicate with each other.
• Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN.
• A community VLAN can only contain ports configured as host.
Each of the port types can be any type of physical Ethernet port, including port channels (LAGs). For details on port channels, see Port Channel Interfaces on page 341 in Chapter 17, Interfaces. For an introduction to VLANs, see Chapter 22, Layer 2.

Private VLAN Commands

The commands dedicated to supporting the Private VLANs feature are:

Table 31-1. Private VLAN Commands
Task: Enable/disable Layer 3 communication between secondary VLANs.
Private VLAN Configuration Task List

The following sections contain the procedures that configure a private VLAN:

• Creating PVLAN ports
• Creating a Primary VLAN on page 633
• Creating a Community VLAN on page 634
• Creating an Isolated VLAN on page 634

Creating PVLAN ports

Private VLAN ports are those that will be assigned to the private VLAN (PVLAN).
Creating a Primary VLAN

A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs.

Step 1. Command: interface vlan vlan-id. Mode: CONFIGURATION. Purpose: Access the INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
Creating a Community VLAN

A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN.

Step 1. Command: interface vlan vlan-id. Mode: CONFIGURATION. Purpose: Access the INTERFACE VLAN mode for the VLAN that you want to make a community VLAN.
Step 2. Command: no shutdown. Mode: INTERFACE VLAN. Purpose: Enable the VLAN.
Figure 31-2.
The result is that:

• The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports.
• The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
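The reachability rules just listed, encoded as an added example (not code from this guide) so that a port assignment can be checked before it is deployed. The primary and secondary VLAN numbers are the ones in the text; the port names and their assignments are constructed. PVLAN trunk ports and the Layer 3 communication toggle in Table 31-1 are not modelled.

```python
from itertools import combinations

# Constructed PVLAN: primary 4000 with community VLANs 4001 and 4002 and isolated VLAN 4003.
PVLAN = {
    "primary": 4000,
    "secondary": {4001: "community", 4002: "community", 4003: "isolated"},
}

# Constructed port assignments: (port mode, VLAN the port is placed in).
PORTS = {
    "Gi 1/1": ("promiscuous", 4000),   # e.g. the uplink to the default gateway
    "Gi 1/2": ("promiscuous", 4000),
    "Gi 2/1": ("host", 4001),
    "Gi 2/2": ("host", 4001),
    "Gi 3/1": ("host", 4002),
    "Gi 4/1": ("host", 4003),          # isolated: tenants that must never see each other
    "Gi 4/2": ("host", 4003),
}


def validate(pvlan, ports):
    """Assignments that the PVLAN definition does not allow."""
    errors = []
    for name, (mode, vlan) in ports.items():
        if mode == "promiscuous" and vlan != pvlan["primary"]:
            errors.append(f"{name}: promiscuous ports belong in primary VLAN {pvlan['primary']}")
        if mode == "host" and vlan not in pvlan["secondary"]:
            errors.append(f"{name}: host ports belong in a secondary VLAN of primary "
                          f"{pvlan['primary']}, not VLAN {vlan}")
    return errors


def can_talk(pvlan, ports, a, b):
    """Direct Layer 2 reachability between two PVLAN ports under the rules in the text."""
    mode_a, vlan_a = ports[a]
    mode_b, vlan_b = ports[b]
    if "promiscuous" in (mode_a, mode_b):
        return True                      # promiscuous ports reach every port in the PVLAN
    if vlan_a != vlan_b:
        return False                     # hosts in different secondary VLANs are separated
    return pvlan["secondary"][vlan_a] == "community"   # isolated hosts never reach each other


def reachability(pvlan, ports):
    """Full pairwise matrix, useful to diff against what a scan from each host actually shows."""
    return {(a, b): can_talk(pvlan, ports, a, b) for a, b in combinations(sorted(ports), 2)}


def isolation_violations(pvlan, ports, observed):
    """Pairs seen talking (constructed input: a set of (port, port) tuples) that the
    PVLAN design says should be separated."""
    allowed = reachability(pvlan, ports)
    return sorted(pair for pair in observed if not allowed.get(tuple(sorted(pair)), False))
```

The last function is the useful check after cutover: feed it the pairs a packet capture or a cross-host probe actually observed, and anything it returns is a hole in the isolation (for example a host port accidentally placed in the primary VLAN, which validate() would also flag).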
• show vlan private-vlan mapping: Display the primary-secondary VLAN mapping. See the example output from the S50V, above, in Figure 31-6.

Two show commands revised to display PVLAN data are:
• show arp
• show vlan: See revised output in Figure 31-7.

Figure 31-4.
Figure 31-8.
32 Per-VLAN Spanning Tree Plus (PVST+)

Per-VLAN Spanning Tree Plus (PVST+) is supported on platforms: ecsz

Protocol Overview

Per-VLAN Spanning Tree Plus (PVST+) is a variation of Spanning Tree, developed by a third party, that allows you to configure a separate Spanning Tree instance for each VLAN. For more information on Spanning Tree, see Chapter 42, Spanning Tree Protocol (STP).

Figure 32-1.
FTOS supports three other variations of Spanning Tree, as shown in Table 32-1.

Table 32-1. FTOS Supported Spanning Tree Protocols
Dell Force10 Term                         IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.1s
Per-VLAN Spanning Tree Plus (PVST+)       Third Party

Implementation Information

• The FTOS implementation of PVST+ is based on IEEE Standard 802.1d.
• PVST+ in Multi-vendor Networks on page 646
• PVST+ Extended System ID on page 646
• PVST+ Sample Configurations on page 647

Enable PVST+

When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally:

Step 1: Enter PVST context. Command: protocol spanning-tree pvst. Mode: CONFIGURATION.
Step 2: Enable PVST+. Command: no disable. Mode: PROTOCOL PVST.

Disable PVST+

Task: Disable PVST+ globally.
Figure 32-3. Load Balancing with PVST+ (topology drawing not reproduced: three bridges R1, R2 and R3; STI 1 carries VLAN 100, STI 2 carries VLAN 200 and STI 3 carries VLAN 300; each bridge is made root of one instance by lowering its bridge priority for that VLAN, for example vlan 100 bridge-priority 4096, so that a different port blocks in each instance and the load is spread across links)

The bridge with the lowest bridge priority value is elected root. Since all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker.
Figure 32-4. Display the PVST+ Forwarding Topology

FTOS_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
 Root Identifier has priority 4096, Address 0001.e80d.b6d6
 Root Bridge hello time 2, max age 20, forward delay 15
 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6
 Configured hello time 2, max age 20, forward delay 15
 We are the root of VLAN 100
 Current root has priority 4096, Address 0001.e80d.
Task: Change the max-age parameter. Range: 6 to 40. Default: 20 seconds. Command: vlan max-age. Mode: PROTOCOL PVST.

The values for global PVST+ parameters are given in the output of the command show spanning-tree pvst, as shown in Figure 32-4.

Modify Interface PVST+ Parameters

You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port:

• Port cost is a value that is based on the interface type.
Task: Change the port priority of an interface. Range: 0 to 240, in increments of 16. Default: 128. Command: spanning-tree pvst vlan priority. Mode: INTERFACE.

The values for interface PVST+ parameters are given in the output of the command show spanning-tree pvst, as shown in Figure 32-4.

Configure an EdgePort

The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel that is already in the error-disabled state, the new member port is also disabled in the hardware.
Figure 32-5. PVST+ with Extended System ID (drawing not reproduced: a Dell Force10 system with port P1 untagged in VLAN 10 and port P2 untagged in VLAN 20, both connected to a VLAN-unaware hub; P2 moves to blocking unless Extended System ID is enabled)

Task: Augment the Bridge ID with the VLAN ID. Command: extend system-id. Mode: PROTOCOL PVST.

FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
 Executing IEEE compatible Spanning Tree Protocol
 Root ID Priority 32773, Address 0001.e832.
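What extend system-id changes in the bridge ID, and why it matters for the root election described under Figure 32-3, as an added example that is not code from this guide. The arithmetic is the one the output above shows (priority 32773 for VLAN 5 is the default 32768 plus the VLAN ID); the bridge names, MAC addresses and VLAN numbers used below are constructed.

```python
def bridge_id(priority, mac, vlan=None, extend_system_id=False):
    """The (priority field, MAC) pair a PVST+ instance advertises and compares.

    With extend system-id the VLAN ID is added to the priority field, so the same
    switch carries a different bridge ID in every VLAN (32768 + 5 = 32773 for VLAN 5).
    Without it, every per-VLAN instance on the switch shares one bridge ID."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 in 0..61440")
    if extend_system_id:
        if vlan is None or not 1 <= vlan <= 4094:
            raise ValueError("extended system ID needs a VLAN ID in 1..4094")
        field = priority + vlan
    else:
        field = priority
    return (field, mac.replace(".", "").replace(":", "").lower())


def same_id_on_every_vlan(priority, mac, vlans, extend_system_id):
    """True when the instances for `vlans` on one switch cannot be told apart by bridge ID,
    which is the situation in Figure 32-5: a BPDU leaving P1 (VLAN 10) returns untagged on
    P2 (VLAN 20) and is indistinguishable from VLAN 20's own BPDU."""
    ids = {bridge_id(priority, mac, v, extend_system_id) for v in vlans}
    return len(ids) == 1


def elect_root(candidates):
    """candidates: {bridge name: bridge_id tuple}. The numerically lowest ID wins, so the
    priority field decides first and the MAC address only breaks ties."""
    return min(candidates, key=candidates.get)


# Constructed VLAN 100 election in the spirit of Figure 32-3: R1 lowered its priority
# to 4096 for VLAN 100, R2 and R3 still run the default 32768.
VLAN100_CANDIDATES = {
    "R1": bridge_id(4096, "0001.e80d.b6d6", vlan=100, extend_system_id=True),
    "R2": bridge_id(32768, "0001.e80d.0001", vlan=100, extend_system_id=True),
    "R3": bridge_id(32768, "0001.e80d.0000", vlan=100, extend_system_id=True),
}
```

One consequence worth checking on any multi-vendor segment: a bridge whose priority is left at the default and whose MAC happens to sort lowest wins the tie-break, so pin the intended root with an explicit bridge-priority rather than relying on MAC ordering.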
Figure 32-6.
Figure 32-7.
33 Quality of Service (QoS)

Quality of Service (QoS) is supported on platforms: ecsz

Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per port-pipe. Traffic is queued on ingress and egress. By default, on ingress, all data traffic is mapped to Queue 0, and all control traffic is mapped to Queue 7. On egress, control traffic is mapped across all eight queues.
Table 33-1.
Figure 33-1. Dell Force10 Networks QoS Architecture (diagram not reproduced; its stages are: ingress packet processing, packet classification (ACL), marking (DiffServ, 802.1p, Exp), rate policing, buffers and class-based queues, switching, rate limiting, buffers and class-based queues, egress congestion management (WFQ scheduling), congestion avoidance (WRED), traffic shaping, egress packet processing)

Implementation Information

Dell Force10's QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
• Configure Port-based Rate Limiting
• Configure Port-based Rate Shaping

Set dot1p Priorities for Incoming Traffic

Change the priority of incoming traffic on the interface using the command dot1p-priority from INTERFACE mode, as shown in Figure 33-2. FTOS places traffic marked with a priority in a queue based on Table 33-2. If you set a dot1p priority for a port-channel, all port-channel members are configured with the same value.
On the C-Series and S-Series you can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. See Mapping dot1p values to service queues on page 668. Note: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. Figure 33-3.
www.dell.com | support.dell.com Figure 33-5.
Figure 33-7.
Figure 33-9. Constructing Policy-based QoS Configurations (diagram not reproduced: an input service policy on an interface references an input policy map, whose class maps (Layer 3 ACL, Layer 3 fields, DSCP) classify traffic into queues 0 to 7 and whose input QoS policy applies rate policing; an output service policy references an output policy map whose output QoS policy applies rate limiting, WRED, bandwidth percentage and outgoing marking)

Classify Traffic

Class maps differentiate traffic so that you can apply separate quality of service policies to each class.
Figure 33-10. Using the Order Keyword in ACLs

FTOS(conf)#ip access-list standard acl1
FTOS(config-std-nacl)#permit 20.0.0.0/8
FTOS(config-std-nacl)#exit
FTOS(conf)#ip access-list standard acl2
FTOS(config-std-nacl)#permit 20.1.1.
Set DSCP values for egress packets based on flow

Set DSCP values for egress packets based on flow is supported only on platform: e

Match-any Layer 3 flows may have several match criteria. All flows that match at least one of the match criteria are mapped to the same queue since they are in the same class map.
FTOS Behavior: An explicit "deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified into two queues, 1 and 2. Class-map ClassAF1 is "match any", and ClassAF2 is "match all".
Create a QoS Policy

There are two types of QoS policies: input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2.

• Layer 3 QoS input policies allow you to rate police and set a DSCP or dot1p value.
• Layer 2 QoS input policies allow you to rate police and set a dot1p value.
Figure 33-12. Marking DSCP Values for Egress Packets

FTOS#config
FTOS(conf)#qos-policy-input my-input-qos-policy
FTOS(conf-qos-policy-in)#set ip-dscp 34
% Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b).
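The bit arithmetic behind the informational message above, and the C-Series/S-Series mapping from the DSCP table later in this chapter, as an added example that is not code from this guide. The E-Series rule (queue = the top three DSCP bits, i.e. the IP Precedence bits) is what the message states; the C-Series/S-Series dictionary contains only the rows of the table that are reproduced on this page, and DSCP values outside them are reported rather than guessed.

```python
def e_series_queue_for_dscp(dscp):
    """E-Series: the unicast queue is named by the top three bits of the DSCP,
    so DSCP 34 = 100010b lands in queue 4 = 100b."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value (0..63)")
    return dscp >> 3


# C-Series/S-Series rows reproduced from the DSCP table in this chapter: AF3/AF2
# (decimal 16-31) share queue 1, AF1/BE (decimal 0-15) share queue 0. Rows for
# higher DSCP values are not on this page and are deliberately left out.
C_S_SERIES_QUEUE = {range(16, 32): 1, range(0, 16): 0}


def c_s_series_queue_for_dscp(dscp):
    for dscp_range, queue in C_S_SERIES_QUEUE.items():
        if dscp in dscp_range:
            return queue
    raise KeyError(f"DSCP {dscp}: not among the table rows reproduced here")


def check_set_ip_dscp(policy_dscp, class_queue):
    """The consistency check FTOS reports for 'set ip-dscp' on the E-Series: the queue the
    class map feeds must be the one the DSCP's top three bits name. Returns the complaint,
    or None when the policy and queue agree."""
    wanted = e_series_queue_for_dscp(policy_dscp)
    if class_queue != wanted:
        return (f"DSCP {policy_dscp} ({policy_dscp >> 3:03b}-{policy_dscp & 7:03b} b) "
                f"requires the QoS policy to be mapped to queue {wanted} ({wanted:03b} b)")
    return None


def audit_policy(policy):
    """Constructed shape of a policy: {class name: (dscp set by the input policy, queue the
    class map is attached to)}. Returns the classes whose marking and queue disagree."""
    return {name: msg for name, (dscp, queue) in policy.items()
            if (msg := check_set_ip_dscp(dscp, queue)) is not None}
```

Run audit_policy over each policy map before applying it; a mismatch means packets are re-marked with a DSCP that downstream devices will place in a different class than the one this switch queued them in, which is how a "bulk" class ends up marked like voice.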
To allocate bandwidth to queues on the C-Series and S-Series, assign each queue a weight from 1 to 1024, in powers of 2 (2^n), using the command bandwidth-weight. Table 33-3 shows the default bandwidth weights for each queue and their equivalent percentage, which is derived by dividing the bandwidth weight by the sum of all queue weights.

Table 33-3. Queue Default Bandwidth Weights for C-Series and S-Series
Queue   Default Weight   Equivalent Percentage
0       1                6.
Create Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1. Create a Layer 3 input policy map using the command policy-map-input from CONFIGURATION mode. Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command. 2.
Table (continued). DSCP to internal queue mapping
DSCP/CP (binary)   DSCP Definition     Traditional IP Precedence   E-Series Queue   C-Series Queue   S-Series Queue   DSCP/CP (decimal)
011XXX             AF3                 Flash                       3                1                1                24-31
010XXX             AF2                 Immediate                   2                1                1                16-23
001XXX             AF1                 Priority                    1                0                0                8-15
000XXX             BE (Best Effort)    Best Effort                 0                0                0                0-7

Honoring dot1p values on ingress packets

FTOS provides the ability to honor dot1p values on ingress packets with the Trust dot1p feature.
By default, if no match occurs, the packet is queued to the default queue, Queue 0.
Mapping dot1p values to service queues

Mapping dot1p values to service queues is available only on platforms: csz

On the C-Series and S-Series all traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, then you can create service classes based on the queueing strategy in Table 33-6 using the command service-class dynamic dot1p from INTERFACE mode. You may apply this queuing strategy globally by entering this command from CONFIGURATION mode.
Apply an output QoS policy to a queue

Apply an output QoS policy to queues using the command service-queue from INTERFACE mode.

Specify an aggregate QoS policy

Specify an aggregate QoS policy using the command policy-aggregate from POLICY-MAP-OUT mode.

Apply an output policy map to an interface

Apply an output policy map to an interface using the command service-policy output from INTERFACE mode. You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it.
Strict-priority Queueing

You can assign strict priority to one unicast queue, 1-7, using the command strict-priority from CONFIGURATION mode. Strict priority means that FTOS dequeues all packets from the assigned queue before servicing any other queues.

• The strict-priority configuration supersedes bandwidth-percentage and bandwidth-weight configurations.
• A queue with strict priority can starve other queues in the same port-pipe, so only traffic that is rate policed on ingress belongs in it.
You can create a custom WRED profile or use one of the five pre-defined profiles.

Table 33-7. Pre-defined WRED Profiles (E-Series)
Default Profile Name   Minimum Threshold   Maximum Threshold
wred_drop              0                   0
wred_ge_y              1024                2048
wred_ge_g              2048                4096
wred_teng_y            4096                8192
wred_teng_g            8192                16384

Table 33-8.
Display Default and Configured WRED Profiles

Display default and configured WRED profiles and their threshold values using the command show qos wred-profile from EXEC mode, as shown in Figure 33-14.

Figure 33-14. Displaying WRED Profiles (E-Series)

FTOS#show qos wred-profile
Wred-profile-name
wred_drop
wred_ge_y
wred_ge_g
wred_teng_y
wred_teng_g

Figure 33-15.
Figure 33-16.
Pre-calculating Available QoS CAM Space

Pre-calculating Available QoS CAM Space is supported on platforms: cesz

Before version 7.3.1 there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
• Exception indicates that the number of CAM entries required to write the policy-map to the CAM is greater than the number of available CAM entries, and therefore the policy-map cannot be applied to an interface in the specified port-pipe.
34 Routing Information Protocol (RIP)

Routing Information Protocol (RIP) is supported only on platforms: ecsz

RIP is supported on the S-Series following the release of FTOS version 7.8.1.0, and on the C-Series with FTOS versions 7.6.1.0 and after.

Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections.
RIP must receive regular routing updates to maintain a correct routing table. Response messages containing a router's full routing table are transmitted every 30 seconds. If a router does not send an update within a certain amount of time, the hop count to that route is changed to unreachable (a route hop metric of 16 hops). Another timer sets the amount of time before the unreachable routes are removed from the routing table.
Configuration Task List for RIP

• Enable RIP globally on page 679 (mandatory)
• Configure RIP on interfaces on page 680 (optional)
• Control RIP routing updates on page 681 (optional)
• Set send and receive version on page 682 (optional)
• Generate a default route on page 684 (optional)
• Summarize routes on page 684 (optional)
• Control route metrics on page 685 (optional)
• Debug RIP on page 685

For a complete listing of all commands related to RIP, refer to the FTOS
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes (Figure 34-2).

Figure 34-2. show ip rip database Command Example (Partial)

FTOS#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa
4.0.0.
Control RIP routing updates By default, RIP broadcasts routing information out all enabled interfaces, but you can configure RIP to send or to block RIP routing information, either from a specific IP address or a specific interface. To control which devices or interfaces receive routing updates, you must configure a direct update to one router and configure interfaces to block RIP updates from other sources.
To add routes from other routing instances or protocols, use any of the following commands in ROUTER RIP mode:

Command Syntax: redistribute {connected | static} [metric metric-value] [route-map map-name]
Command Mode: ROUTER RIP
Purpose: Include directly connected or user-configured (static) routes in RIP.
• metric range: 0 to 16
• map-name: name of a configured route map.
Figure 34-3 shows an example of the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When the ROUTER RIP mode version command is set, the interface (GigabitEthernet 0/0) participating in the RIP process is also set to send and receive RIPv2. Figure 34-3.
Figure 34-5.
If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The command autosummary requires no other configuration commands. To disable automatic route summarization, in the ROUTER RIP mode, enter no autosummary. Note: If the ip split-horizon command is enabled on an interface, then the system does not advertise the summarized address.
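The pieces of RIP behaviour described in this chapter (metric increment on receipt, 16 as the unreachable metric, split horizon when advertising, and the loss of detail that automatic classful summarization causes for discontiguous subnets) in one small model, as an added example that is not code from this guide. The neighbour address and route set reuse the values shown in Figure 34-2; the model drops an unreachable route immediately rather than holding it at metric 16 until a flush timer expires, and it does not reproduce the FTOS-specific note above about split horizon suppressing the summary address.

```python
import ipaddress

INFINITY = 16   # RIP hop count that means "unreachable"


def classful_summary(prefix):
    """Classful network an automatically summarized route is advertised as."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return str(ipaddress.ip_network(f"{net.network_address}/{length}", strict=False))


def process_response(table, neighbor, advertised):
    """Apply one RIP response from `neighbor`. `advertised` is a list of (prefix, metric).
    The table maps prefix -> (metric, learned_from); learned_from is None for connected."""
    for prefix, metric in advertised:
        new_metric = min(metric + 1, INFINITY)       # one more hop through the neighbour
        current = table.get(prefix)
        if current is None:
            if new_metric < INFINITY:
                table[prefix] = (new_metric, neighbor)
        elif current[1] == neighbor:
            # the neighbour we learned the route from is updating or withdrawing it
            if new_metric >= INFINITY:
                del table[prefix]          # real RIP holds it at 16 until the flush timer fires
            else:
                table[prefix] = (new_metric, neighbor)
        elif new_metric < current[0]:
            table[prefix] = (new_metric, neighbor)   # a better path through another neighbour
    return table


def build_update(table, to_neighbor, split_horizon=True, auto_summary=True):
    """Routes this router advertises toward `to_neighbor`, as {prefix: metric}."""
    update = {}
    for prefix, (metric, learned_from) in table.items():
        if split_horizon and learned_from == to_neighbor:
            continue                                 # never echo a route back to its source
        key = classful_summary(prefix) if auto_summary else prefix
        update[key] = min(metric, update.get(key, INFINITY))
    return update


def discontiguous_problem(table, to_neighbor):
    """Prefixes that collapse into the same classful summary, i.e. the routes a
    neighbour can no longer tell apart while auto-summary is on."""
    by_summary = {}
    for prefix in build_update(table, to_neighbor, auto_summary=False):
        by_summary.setdefault(classful_summary(prefix), []).append(prefix)
    return {s: sorted(p) for s, p in by_summary.items() if len(p) > 1}


# Constructed starting table: two connected subnets of 10/8 (learned_from None) plus
# what Figure 34-2 shows being learned from 29.10.10.12 with metric 0 on the wire.
def example_table():
    table = {"10.1.0.0/16": (0, None), "10.2.0.0/16": (0, None)}
    process_response(table, "29.10.10.12", [("160.160.0.0/16", 0), ("2.0.0.0/8", 0)])
    return table
```

The point of discontiguous_problem() is the sentence above it: with auto-summary on, 10.1.0.0/16 and 10.2.0.0/16 leave the router as a single 10.0.0.0/8, so a neighbour that also holds part of 10/8 has no way to prefer the right next hop; no autosummary is the fix.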
To enable RIP debugging, use the following command in EXEC privilege mode:

Command Syntax: debug ip rip [interface | database | events | trigger]
Command Mode: EXEC privilege
Purpose: Enable debugging of RIP.

Figure 34-6 shows the confirmation when the debug function is enabled.

Figure 34-6. debug ip rip Command Example

FTOS#debug ip rip
RIP protocol debug is ON
FTOS#

To disable RIP debugging, use the no debug ip rip command.
Configuring RIPv2 on Core 2

Figure 34-8. Configuring RIPv2 on Core 2

Core2(conf-if-gi-2/31)#
Core2(conf-if-gi-2/31)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.

Note: 10.300.10.0, as printed in this example, is not a valid IPv4 address (each octet is 0 to 255). The corresponding interface in Figure 34-16 is GigabitEthernet 2/42 with 10.250.10.1/24, so use the network that matches your interface when reproducing the configuration.
Figure 34-10.
RIP Configuration on Core 3

Figure 34-12. RIP Configuration on Core 3

Core3(conf-if-gi-3/21)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.0
Core3(conf-router_rip)#network 192.168.2.0
Core3(conf-router_rip)#network 10.11.30.0
Core3(conf-router_rip)#network 10.11.20.0
Core3(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
 network 192.168.1.0
 network 192.168.2.
Figure 34-14.
RIP Configuration Summary

Figure 34-16. Summary of Core 2 RIP Configuration Using Output of show run Command

!
interface GigabitEthernet 2/11
 ip address 10.11.10.1/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip address 10.11.20.2/24
 no shutdown
!
interface GigabitEthernet 2/41
 ip address 10.200.10.1/24
 no shutdown
!
interface GigabitEthernet 2/42
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.0

Figure 34-17.
35 Remote Monitoring (RMON)

Remote Monitoring (RMON) is supported on platforms: ecsz

This chapter describes Remote Monitoring (RMON):
• Implementation
• Fault Recovery

Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Force10 Ethernet interfaces. RMON operates with SNMP and monitors all nodes on a LAN segment.
Fault Recovery

RMON provides the following fault recovery functions:

Interface Down: When an RMON-enabled interface goes down, monitoring continues. However, all data values are registered as 0xFFFFFFFF (32 bits) or 0xFFFFFFFFFFFFFFFF (64 bits). When the interface comes back up, RMON monitoring resumes.

Note: A Network Management System (NMS) should be ready to interpret a down interface and plot the interface performance graph accordingly.
Set rmon alarm

To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. To disable the alarm, use the no form of this command:

Command Syntax: [no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string]
  or
Command Mode: CONFIGURATION
Purpose: Set an alarm on any MIB object. Use the no form of this command to disable the alarm.
Figure 35-1. rmon alarm Command Example

FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1

(Figure callouts: Alarm Number, MIB Variable, Monitor Interval, Counter Value Limit, Triggered Event)

The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
Figure 35-2. rmon event Command Example

FTOS(conf)#rmon event 1 log trap eventtrap description “High ifOutErrors” owner nms1

The above configuration example creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered, using the SNMP community string “eventtrap”.
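The alarm and event commands of Figures 35-1 and 35-2 can be checked end to end with the following model. It is an added example, not FTOS or Dell Force10 code: the hysteresis rule (a rising event cannot repeat until the variable falls back to falling-threshold) follows the standard RMON alarmTable (RFC 2819) rather than anything stated on this page, both event numbers are treated as optional, and the ifOutErrors readings are constructed.

```python
"""RMON alarm/event model (added example, not FTOS or Dell Force10 code).
Parses the rmon alarm / rmon event lines of Figures 35-1 and 35-2 and replays
constructed ifOutErrors readings. Threshold hysteresis follows the standard RMON
alarmTable (RFC 2819); treating both event numbers as optional is an assumption."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RmonAlarm:
    number: int
    variable: str                  # OID of the monitored MIB object
    interval: int                  # seconds between samples
    sample_type: str               # "delta" or "absolute"
    rising_threshold: int
    rising_event: Optional[int]
    falling_threshold: int
    falling_event: Optional[int]
    owner: str = ""
    _last_raw: Optional[int] = None
    _armed: str = "both"           # which crossing may fire next: both/rising/falling

    def sample(self, raw: int) -> Optional[Tuple[str, Optional[int]]]:
        """Feed one reading; return ("rising"|"falling", event-number) or None."""
        if self.sample_type == "delta":
            if self._last_raw is None:      # the first sample only seeds the delta
                self._last_raw = raw
                return None
            value, self._last_raw = raw - self._last_raw, raw
        else:
            value = raw
        if value >= self.rising_threshold and self._armed != "falling":
            self._armed = "falling"         # no second rising alarm until we fall
            return ("rising", self.rising_event)
        if value <= self.falling_threshold and self._armed != "rising":
            self._armed = "rising"
            return ("falling", self.falling_event)
        return None


def parse_rmon_alarm(cmd: str) -> RmonAlarm:
    """Parse 'rmon alarm number variable interval {delta|absolute} ...' (Figure 35-1)."""
    tok = cmd.split()
    if tok[:2] != ["rmon", "alarm"] or tok[5] not in ("delta", "absolute"):
        raise ValueError("not a well-formed rmon alarm command")
    thresholds, owner, i = {}, "", 6
    while i < len(tok):
        if tok[i] in ("rising-threshold", "falling-threshold"):
            key, value, i = tok[i], int(tok[i + 1]), i + 2
            event = None
            if i < len(tok) and tok[i].isdigit():   # optional event number
                event, i = int(tok[i]), i + 1
            thresholds[key] = (value, event)
        elif tok[i] == "owner":
            owner, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    rise, fall = thresholds["rising-threshold"], thresholds["falling-threshold"]
    return RmonAlarm(int(tok[2]), tok[3], int(tok[4]), tok[5], *rise, *fall, owner)


def parse_rmon_event(cmd: str) -> Dict[str, object]:
    """Parse 'rmon event number [log] [trap community] [description "..."] [owner x]'."""
    tok = shlex.split(cmd.replace("\u201c", '"').replace("\u201d", '"'))
    if tok[:2] != ["rmon", "event"]:
        raise ValueError("not an rmon event command")
    ev, i = {"number": int(tok[2]), "log": False, "trap": None, "description": "", "owner": ""}, 3
    while i < len(tok):
        if tok[i] == "log":
            ev["log"], i = True, i + 1
        elif tok[i] in ("trap", "description", "owner"):
            ev[tok[i]], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    return ev


def run_alarm(alarm: RmonAlarm, events: Dict[int, Dict[str, object]], readings) -> List[str]:
    """Replay (time, counter) readings; return the log/trap actions produced."""
    actions: List[str] = []
    for t, raw in readings:
        hit = alarm.sample(raw)
        if hit is None:
            continue
        kind, ev = hit[0], events.get(hit[1])
        if ev is None:                       # crossing without a configured event
            actions.append(f"t={t}s {kind} crossing on {alarm.variable}: no event")
        else:
            actions.append(f"t={t}s {kind} -> event {ev['number']} log={ev['log']} "
                           f"trap={ev['trap']} desc={ev['description']!r}")
    return actions


ALARM_CMD = "rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1"
EVENT_CMD = 'rmon event 1 log trap eventtrap description "High ifOutErrors" owner nms1'
# Constructed ifOutErrors readings, one per 20 s interval: a burst of 22 errors at
# t=60 s, a second burst that must not re-alarm, a quiet interval, then a new burst.
READINGS = [(0, 100), (20, 100), (40, 103), (60, 125), (80, 150), (100, 150), (120, 170)]


def demo() -> List[str]:
    alarm, event = parse_rmon_alarm(ALARM_CMD), parse_rmon_event(EVENT_CMD)
    return run_alarm(alarm, {event["number"]: event}, READINGS)
```

Because the falling-threshold in Figure 35-1 carries no event number, the quiet intervals are recorded as crossings only; the second burst at t=80 s produces nothing, which is the hysteresis an NMS relies on to avoid alarm storms.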
Configure RMON collection history

To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in interface configuration mode. To remove a specified RMON history group of statistics collection, use the no form of this command.
36 Rapid Spanning Tree Protocol (RSTP)

Rapid Spanning Tree Protocol (RSTP) is supported on platforms: ecsz

Protocol Overview

Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol—specified by IEEE 802.1w—that is essentially the same as Spanning-Tree Protocol (STP) but provides faster convergence and interoperability with switches configured with STP and MSTP. FTOS supports three other variations of Spanning Tree, as shown in Table 36-1.

Table 36-1.
Figure 36-1.
Enable Rapid Spanning Tree Protocol Globally

Rapid Spanning Tree Protocol must be enabled globally on all participating bridges; it is not enabled by default. To enable Rapid Spanning Tree globally for all Layer 2 interfaces:

Step 1: Enter the PROTOCOL SPANNING TREE RSTP mode. Command Syntax: protocol spanning-tree rstp. Command Mode: CONFIGURATION
Step 2: Enable Rapid Spanning Tree.
Figure 36-4. Rapid Spanning Tree Enabled Globally

(Topology diagram residue: bridges R1, R2 and R3 with ports 1/1 to 1/4, 2/1 to 2/4 and 3/1 to 3/4; port 1/3 Forwarding, port 1/4 Blocking; root label.)

Port 684 (GigabitEthernet 4/43) is alternate Discarding
Port path cost 20000, Port priority 128, Port Identifier 128.684
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Figure 36-5. show spanning-tree rstp Command Example

FTOS#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.cbb4
Configured hello time 2, max age 20, forward delay 15, max hops 0
We are the root
Current root has priority 32768, Address 0001.e801.
Figure 36-6. show spanning-tree rstp brief Command Example

R3#show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32768, Address 0001.e801.cbb4
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32768, Address 0001.e80f.1dad
  Configured hello time 2, max age 20, forward delay 15

Interface                                    Designated
Name       PortID   Prio Cost    Sts Cost    Bridge ID            PortID
---------- -------- ---- ------- --- ------- -------------------- -------
Gi 3/1     128.
Table 36-2 displays the default values for RSTP.

Table 36-2.
To change the port cost or priority of an interface, use the following commands:

Task: Change the port cost of an interface. Range: 0 to 65535. Default: see Table 36-2.
  Command Syntax: spanning-tree rstp cost cost
  Command Mode: INTERFACE

Task: Change the port priority of an interface. Range: 0 to 15. Default: 128.
  Command Syntax: spanning-tree rstp priority priority-value
  Command Mode: INTERFACE

View the current values for interface parameters using the show spanning-tree rstp command from EXEC privilege mode. See Figure 36-5.
FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior:
1. If the interface to be shut down is a port channel, then all the member ports are disabled in the hardware.
2. When a physical port is added to a port channel that is already in the error-disabled state, the new member port is also disabled in the hardware.
Figure 36-8. bridge-priority Command Example

FTOS(conf-rstp)#bridge-priority 4096
04:27:59: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.88bd

(Figure callouts: Old root bridge ID, New root bridge ID)

SNMP Traps for Root Elections and Topology Changes

Enable SNMP traps for RSTP, MSTP, and PVST+ collectively using the command snmp-server enable traps xstp.
37 Security

Security features are supported on platforms: e c sz

This chapter discusses several ways to provide access security to the Dell Force10 system. Platform-specific features are identified by the c, e or s icons (as shown below).
Suppress AAA Accounting for null username sessions When AAA Accounting is activated, the FTOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is a user who comes in on a line where the AAA Authentication login method-list none command is applied.
No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, perform the following task in Privileged EXEC mode:

Command Syntax: show accounting
Command Mode: CONFIGURATION
Purpose: Step through all active sessions and print all the accounting records for the actively accounted functions.

Figure 37-1.
Configure login authentication for terminal lines You can assign up to five authentication methods to a method list. FTOS evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, FTOS applies the next method list until the user either passes or fails the authentication. If the user fails a method list, FTOS does not apply the next method list.
To view the configuration, use the show config command in the LINE mode or the show running-config in the EXEC Privilege mode.

Note: Dell Force10 recommends that you use the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with SSH.

You can create multiple method lists and assign them to different terminal lines.
To get enable authentication from the RADIUS server, and use TACACS as a backup, issue the following commands:

FTOS(config)# aaa authentication enable default radius tacacs

The RADIUS and TACACS servers have to be properly set up for this:

FTOS(config)# radius-server host x.x.x.x key
FTOS(config)# tacacs-server host x.x.x.
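The method-list rules above (try methods in order, move on only when a method does not answer, stop on a definite pass or fail, and 'none' passes everyone) replayed by an added example that is not FTOS code. The RADIUS, TACACS+ and local backends are constructed simulations, the credentials are made up, and treating "every method unreachable and no none backup" as a denial is an assumption of the example.

```python
"""FTOS login method-list evaluation, modelled (added example, not FTOS code).
Methods are tried in order; a method that does not respond or errors hands off
to the next one, a definite pass or fail ends evaluation, and 'none' always
passes. Backends are constructed stand-ins for RADIUS, TACACS+ and local."""
from enum import Enum
from typing import Callable, Dict, List, Tuple

MAX_METHODS = 5   # the text allows up to five methods per list


class Outcome(Enum):
    PASS = "pass"     # the method authenticated the user
    FAIL = "fail"     # the method answered and rejected the user
    ERROR = "error"   # no response or server error: fall through to the next method


Backend = Callable[[str, str], Outcome]
Trace = List[Tuple[str, str]]


def evaluate_login(methods: List[str], backends: Dict[str, Backend],
                   user: str, password: str) -> Tuple[bool, Trace]:
    """Return (authenticated, trace); trace lists each (method, outcome) consulted."""
    if not 1 <= len(methods) <= MAX_METHODS:
        raise ValueError(f"a method list holds 1 to {MAX_METHODS} methods")
    trace: Trace = []
    for method in methods:
        if method == "none":
            outcome = Outcome.PASS            # 'none' does not authenticate users
        elif method in backends:
            outcome = backends[method](user, password)
        else:
            raise ValueError(f"unknown method {method!r}")
        trace.append((method, outcome.value))
        if outcome is not Outcome.ERROR:      # pass or fail: later methods are not tried
            return outcome is Outcome.PASS, trace
    return False, trace   # assumption: every method errored and no 'none' backup -> deny


def make_server(reachable: bool, users: Dict[str, str]) -> Backend:
    """Constructed RADIUS/TACACS+/local stand-in; an unreachable server never answers."""
    def backend(user: str, password: str) -> Outcome:
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(user) == password else Outcome.FAIL
    return backend


def scenarios() -> Dict[str, Tuple[bool, Trace]]:
    """Constructed outages for the list 'radius tacacs+ none' and the same list without none."""
    users = {"admin": "s3cret"}              # constructed credentials
    methods = ["radius", "tacacs+", "none"]
    both_up = {"radius": make_server(True, users), "tacacs+": make_server(True, users)}
    radius_down = {"radius": make_server(False, users), "tacacs+": make_server(True, users)}
    all_down = {"radius": make_server(False, users), "tacacs+": make_server(False, users)}
    return {
        "servers up, good password": evaluate_login(methods, both_up, "admin", "s3cret"),
        "radius down, bad password": evaluate_login(methods, radius_down, "admin", "wrong"),
        "all servers down, bad password": evaluate_login(methods, all_down, "admin", "wrong"),
        "all servers down, no none backup": evaluate_login(methods[:2], all_down, "admin", "wrong"),
    }
```

The third scenario is the one the note warns about: with 'none' at the end of the list, an outage of every AAA server lets a wrong password through, so the trace of which method decided each login is worth keeping in accounting records.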
• Privilege level 1—is the default level for the EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level.
• Privilege level 0—contains only the end, enable and disable commands.
To configure a username and password, use the following command in the CONFIGURATION mode:

Command Syntax: username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level]
Command Mode: CONFIGURATION
Purpose: Assign a user name and password. Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
• access-class access-list-name: Enter the name of a configured IP ACL.
Configure custom privilege levels

In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible in different privilege levels. Within FTOS, commands have certain privilege levels. With the privilege command, you can change the default level of a command or reset its privilege level back to the default.
Step 3
Command Syntax: privilege mode {level level command | reset command}
Command Mode: CONFIGURATION
Purpose: Configure level and commands for a mode or reset a command’s level. Configure the following required and optional parameters:
• mode: Enter a keyword for the modes (exec, configure, interface, line, route-map, router)
• level level: Range: 0 to 15. Levels 0, 1 and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
Figure 37-3. User john’s Login and the List of Available Commands

apollo% telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
Enabling and disabling privilege levels

Enter the enable or enable privilege-level command in the EXEC Privilege mode to set a user’s security level. If you do not enter a privilege level, FTOS sets it to 15 by default. To move to a lower privilege level, enter the command disable followed by the level-number you wish to set for the user in the EXEC Privilege mode. If you enter disable without a level-number, your security level is 1.
Step 6: Enter the following commands at the Grub command line prompt.
Note: You must type the commands; pasted commands are not accepted.

grub> set stconfigignore=true
grub> save_env stconfigignore
grub> reboot

Step 7: The Z9000 system boots up with the factory default configuration. The default FTOS> system prompt displays when the system boots.
Step 8: Copy the startup-config into the running-config.
RADIUS exec-authorization stores a user-shell profile that is applied during user login. You may name the relevant named lists with either a unique name or the default name. When authorization is enabled by the RADIUS server, the server returns the following information to the client:
• Idle time
• ACL configuration information
• Auto-command
• Privilege level

After gaining authorization for the first time, you may configure these attributes.
Set access to privilege levels through RADIUS

Through the RADIUS server, you can use the command privilege level to configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system.

Configuration Task List for RADIUS

To authenticate users using RADIUS, at least one RADIUS server must be specified so that the system can communicate with it, and RADIUS must be configured as one of your authentication methods.
Apply the method list to terminal lines

To enable RADIUS AAA login authentication for a method list, you must apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, enter the following commands:

Command Syntax: line {aux 0 | console 0 | vty number [end-number]}
Command Mode: CONFIGURATION
Purpose: Enter the LINE mode.

Command Syntax: login authentication {method-list-name | default}
Command Mode: LINE
Purpose: Enable AAA login authentication for the specified RADIUS method list.
To view the RADIUS configuration, use the show running-config radius command in the EXEC Privilege mode. To delete a RADIUS server host, use the no radius-server host {hostname | ip-address} command.

Set global communication parameters for all RADIUS server hosts

You can configure global communication parameters (auth-port, key, retransmit, and timeout parameters) and specific host communication parameters on the same system.
Monitor RADIUS

To view information on RADIUS transactions, use the following command in the EXEC Privilege mode:

Command Syntax: debug radius
Command Mode: EXEC Privilege
Purpose: View RADIUS transactions to troubleshoot problems.

TACACS+

FTOS supports a Terminal Access Controller Access Control System (TACACS+) client, including support for login authentication.
To select TACACS as the login authentication method, use these commands in the following sequence in the CONFIGURATION mode:

Step 1
Command Syntax: tacacs-server host {ip-address | host}
Command Mode: CONFIGURATION
Purpose: Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts.

Step 2
Command Syntax: aaa authentication login {method-list-name | default} tacacs+ [...
Figure 37-4.
Figure 37-5 demonstrates how to configure the access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt.

Figure 37-5.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.

freebsd2# telnet 2200:2200:2200:2200:2200::2202
Trying 2200:2200:2200:2200:2200::2202...
Connected to 2200:2200:2200:2200:2200::2202.
Escape character is '^]'.
Login: admin
Password:
FTOS#
FTOS#

Command Authorization

The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
SCP is a remote file copy program that works with SSH and is supported by FTOS.

Note: The Windows-based WinSCP client software is not supported for secure copying between a PC and an FTOS-based system. Unix-based SCP client software is supported.
Figure 37-6. Specifying an SSH version

FTOS(conf)#ip ssh server version 2
FTOS(conf)#do show ip ssh
SSH server                : disabled.
SSH server version        : v2.
Password Authentication   : enabled.
Hostbased Authentication  : disabled.
RSA Authentication        : disabled.

To disable SSH server functions, enter no ip ssh server enable.
• ip ssh connection-rate-limit: Configure the maximum number of incoming SSH connections per minute.
• ip ssh hostbased-authentication enable: Enable hostbased-authentication for the SSHv2 server.
• ip ssh key-size: Configure the size of the server-generated RSA SSHv1 key.
• ip ssh password-authentication enable: Enable password authentication for the SSH server.
• ip ssh pub-key-file: Specify the file to be used for host-based authentication.
Figure 37-8. Enabling SSH Password Authentication

FTOS(conf)#ip ssh server enable
% Please wait while SSH Daemon initializes ... done.
FTOS(conf)#ip ssh password-authentication enable
FTOS#sh ip ssh
SSH server                : enabled.
Password Authentication   : enabled.
Hostbased Authentication  : disabled.
RSA Authentication        : disabled.

RSA Authentication of SSH

The following procedure authenticates an SSH client based on an RSA key using RSA authentication.
To configure host-based authentication:

Step 1: Configure RSA Authentication. See RSA Authentication of SSH, above.
Step 2: Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file. See Figure 37-10.
  Command Syntax: cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts

Figure 37-10. Creating shosts

admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli sshd_config ssh_host_dsa_key.
Figure 37-12. Client-based SSH Authentication

FTOS#ssh 10.16.127.201 ?
-l    User name option
-p    SSH server port option (default 22)
-v    SSH protocol version

Troubleshooting SSH

• You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, Message 2 appears.

Message 2 RSA Authentication Error
%Error: No username set for this term.

• Host-based authentication must be enabled on the server (Dell Force10 system) and the client (Unix machine).
Trace Lists

The Trace Lists feature is supported only on the E-Series: e

You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
Since traffic passes through the filter in the order of the filter’s sequence, you can configure the trace list by first entering the TRACE LIST mode and then assigning a sequence number to the filter. To create a filter for packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode:

Step 1
Command Syntax: ip trace-list trace-list-name
Command Mode: CONFIGURATION
Purpose: Enter the TRACE LIST mode by creating a trace list.
Step 2
Command Syntax: seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [established] [count [byte] | log]
Command Mode: TRACE LIST
Purpose: Configure a trace list filter for TCP packets.
• source: An IP address as the source IP address for the filter to match.
Figure 37-13. Trace list Using seq Command Example

FTOS(config-trace-acl)#seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#seq 5 permit tcp 121.1.3.45 0.0.255.255 any
FTOS(config-trace-acl)#show conf
!
ip trace-list dilling
 seq 5 permit tcp 121.1.0.0 0.0.255.255 any
 seq 15 deny ip host 12.45.0.0 any log
FTOS(config-trace-acl)#

If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
Command Syntax: {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [established] [count [byte] | log]
Command Mode: TRACE LIST
Purpose: Configure a deny or permit filter to examine TCP packets. Configure the following required and optional parameters:
• source: An IP address as the source IP address for the filter to match.
Figure 37-14. Trace List Example

FTOS(config-trace-acl)#deny tcp host 123.55.34.0 any
FTOS(config-trace-acl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0
FTOS(config-trace-acl)#show config
!
ip trace-list nimule
 seq 5 deny tcp host 123.55.34.0 any
 seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0

To view all configured Trace lists and the number of packets processed through the Trace list, use the show ip accounting trace-list command (Figure 37-15) in the EXEC Privilege mode.
VTY Line and Access-Class Configuration

Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use — line, local, or remote:

Table 37-1. VTY Access

Method    Username access-class support?   VTY access-class support?   Remote authorization support?
Line      YES                              NO                          NO
Local     NO                               YES                         NO
TACACS+   YES                              NO                          YES (with FTOS 5.2.1.0 and later)
RADIUS    YES                              NO                          YES (with FTOS 6.1.1.
Figure 37-16. Example Access-Class Configuration Using Local Database

FTOS(conf)#user gooduser password abc privilege 10 access-class permitall
FTOS(conf)#user baduser password abc privilege 10 access-class denyall
FTOS(conf)#
FTOS(conf)#aaa authentication login localmethod local
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#login authentication localmethod
FTOS(config-line-vty)#end

Note: See also Chapter 6, Access Control Lists (ACLs).
Figure 37-18.
38 Service Provider Bridging

Service Provider Bridging is supported on platforms: ecsz

This chapter contains the following major sections:
• VLAN Stacking on page 749
• VLAN Stacking Packet Drop Precedence on page 760
• Dynamic Mode CoS for VLAN Stacking on page 762
• Layer 2 Protocol Tunneling on page 765
• Provider Backbone Bridging on page 769

VLAN Stacking

VLAN Stacking is supported on platforms: cesz

VLAN Stacking, also called Q-in-Q, is defined in IEEE 802.
(Figure 38-1 diagram residue: outer S-Tag with TPID 0x9100, PCP, DEI and VID (VLAN 300); inner C-Tag with TPID 0x8100, PCP, CFI 0 and VID (VLAN Red); VLAN 100 tagged.)

Figure 38-1.
Create Access and Trunk Ports An access port is a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. A trunk port is a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs. Physical ports and port-channels can be access or trunk ports.
Display the status and members of a VLAN using the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.

Figure 38-3.
Step 2
Task: Add the port to a 802.1Q VLAN as tagged or untagged.
Command Syntax: [tagged | untagged]
Command Mode: INTERFACE VLAN

In Figure 38-4, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, to VLAN 101 as tagged, and to VLAN 103, which is a stacking VLAN.

Figure 38-4.
Figure 38-5. Example of Output of debug member vlan and debug member port

FTOS# debug member vlan 603
vlan id : 603
ports : Gi 2/47 (MT), Gi 3/1(MU), Gi 3/25(MT), Gi 3/26(MT), Gi 3/27(MU)
FTOS#debug member port gigabitethernet 2/47
vlan id : 603 (MT), 100(T), 101(NU)
FTOS#

VLAN Stacking in Multi-vendor Networks

The first field in the VLAN tag is the Tag Protocol Identifier (TPID), which is two bytes.
Figure 38-6.
(Figure 38-6 diagram residue: R1 E-Series TeraScale, TPID 0x9100; R2 E-Series TeraScale, TPID 0x8181; Building D, TPID 0x8100; VLAN Green, VLAN Blue; service provider network; Internet.)

Figure 38-7.
(Figure 38-7 diagram residue: R1 E-Series TeraScale, TPID 0x9191; Building D; VLAN Green, VLAN Blue; service provider network; Internet.)

Figure 38-8. First-byte TPID Match on the E-Series ExaScale

(Figure 38-8 diagram residue: R2 E-Series ExaScale, TPID 0x9100; Building C; VLAN Green, VLAN Purple, VLAN Red.)

Table 38-1 details the outcome of matched and mis-matched TPIDs in a VLAN-stacking network with the E-Series.

Table 38-1.
You can configure the first eight bits of the TPID using the command vlan-stack protocol-type. The TPID on the C-Series and S-Series systems is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
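The rule above applied to actual frame bytes, as an added example that is not FTOS code: it builds constructed single- and double-tagged frames and classifies them against a system TPID. The first_byte_only switch stands in for the first-byte TPID match of the E-Series figures and is an assumption of this example, as are the MAC addresses and the zero payload; the exact per-platform outcomes are those of Tables 38-1 and 38-2.

```python
"""Ingress TPID matching for VLAN-stacking frames (added example, not FTOS code).
Builds constructed frames with zero, one or two 802.1Q tags and applies the rule
in the text: a frame whose outer TPID does not match the system TPID is treated
as untagged, whether it carries one tag or two. first_byte_only models the
first-byte TPID match of the E-Series figures and is an assumption here."""
import struct
from typing import Dict, List, Tuple

CTAG_TPID = 0x8100                 # standard customer-tag TPID (IEEE 802.1Q)
Tag = Tuple[int, int, int, int]    # (tpid, pcp, dei_or_cfi, vid)


def mac(text: str) -> bytes:
    """'00:01:e8:01:cb:b4' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def build_frame(dst: str, src: str, tags: List[Tag], ethertype: int, payload: bytes) -> bytes:
    """Assemble DA, SA, the tags (outermost first), EtherType and payload."""
    out = mac(dst) + mac(src)
    for tpid, pcp, dei, vid in tags:
        if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= vid < 4096):
            raise ValueError("tag field out of range")
        out += struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | vid)
    return out + struct.pack("!H", ethertype) + payload


def read_u16(frame: bytes, off: int) -> int:
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    return struct.unpack_from("!H", frame, off)[0]


def decode_tag(frame: bytes, off: int) -> Tag:
    tpid, tci = read_u16(frame, off), read_u16(frame, off + 2)
    return (tpid, tci >> 13, (tci >> 12) & 1, tci & 0xFFF)


def tpid_matches(frame_tpid: int, system_tpid: int, first_byte_only: bool) -> bool:
    if first_byte_only:                # compare only the first eight bits of the TPID
        return (frame_tpid >> 8) == (system_tpid >> 8)
    return frame_tpid == system_tpid


def classify_ingress(frame: bytes, system_tpid: int, first_byte_only: bool = False) -> Dict[str, object]:
    """Report how a VLAN-stacking port would see the frame: untagged, single or double."""
    off, tags = 12, []
    if tpid_matches(read_u16(frame, off), system_tpid, first_byte_only):
        tags.append(decode_tag(frame, off))
        off += 4
        # a customer tag is recognised only behind a matching outer tag
        if read_u16(frame, off) == CTAG_TPID:
            tags.append(decode_tag(frame, off))
            off += 4
    return {
        "kind": ("untagged", "single", "double")[len(tags)],
        "outer_vid": tags[0][3] if tags else None,
        "inner_vid": tags[1][3] if len(tags) == 2 else None,
        "ethertype": read_u16(frame, off),   # what the switch takes as the EtherType
        "payload_offset": off + 2,
    }


# Constructed frames: MAC addresses and payload are placeholders, not captures.
DA, SA = "00:01:e8:01:cb:b4", "00:01:e8:0f:1d:ad"
PAYLOAD = bytes(46)
QINQ = build_frame(DA, SA, [(0x9100, 3, 0, 300), (0x8100, 1, 0, 100)], 0x0800, PAYLOAD)
SINGLE = build_frame(DA, SA, [(0x8100, 0, 0, 100)], 0x0800, PAYLOAD)
UNTAGGED = build_frame(DA, SA, [], 0x0800, PAYLOAD)
```

With the system TPID set to 0x8100, the Q-in-Q frame is seen as untagged with EtherType 0x9100, which is the mismatch case the tables describe: the frame lands in the port's default VLAN rather than the intended service VLAN.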
(Figure caption: Single and Double-tag First-byte TPID Match on C-Series and S-Series)

(Diagram residue: R1 C-Series with FTOS <8.2.1.0; R2 C-Series with FTOS <8.2.1.0, TPID 0x8181; R3 C-Series with FTOS >=8.2.1.0, TPID 0x8181; VLAN Blue, VLAN Green, VLAN Purple, VLAN Red; Default VLAN.)

Figure 38-10.
Table 38-2 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series.

Table 38-2. C-Series and S-Series Behaviors for Mis-matched TPID

Columns: Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-8.2.1.0 | 8.2.1.
Enable Drop Eligibility

You must enable Drop Eligibility globally before you can honor or mark the DEI value.

Task: Make packets eligible for dropping based on their DEI value. By default, packets are colored green, and DEI is marked 0 on egress.
Command Syntax: dei enable
Command Mode: CONFIGURATION

When Drop Eligibility is enabled, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to Table 38-3.

Table 38-3.
FTOS#show interface dei-honor
Default Drop precedence: Green
Interface   CFI/DEI   Drop precedence
------------------------------------------------------------
Gi 0/1      0         Green
Gi 0/1      1         Yellow
Gi 8/9      1         Red
Gi 8/40     0         Yellow

Mark Egress Packets with a DEI Value

On egress, you can set the DEI value according to a different mapping than ingress (see Honor the Incoming DEI Value).
Figure 38-12. Statically and Dynamically Assigned dot1p for VLAN Stacking

(Frame diagram residue: Untagged frame; C-Tagged frame with TPID 0x8100 and VID 100; S-Tag with statically-assigned dot1p and S-Tag with mapped dot1p, both with TPID 0x9100 and VID 400; dot1p values 1, 3 and 4 shown; EtherType 0x0800; DA, SA and DATA fields.)

When configuring Dynamic Mode CoS, you have two options:
a. mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p.
FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration.
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly:

Step 1
Task: Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
• vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp.
• vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
Figure 38-13. VLAN Stacking without L2PT

(Diagram residue: service provider network running Spanning Tree; Internet; Building A and Building B with no spanning-tree; BPDU with destination MAC address 01-80-C2-00-00-00 marked X at the provider edge.)

You might need to transport control traffic transparently through the intermediate network to the other region.
Figure 38-14. VLAN Stacking with L2PT

(Diagram residue: service provider network running Spanning Tree; Internet; Building A and Building B with no spanning-tree; R1 E-Series carrying BPDUs with destination MAC address 01-01-e8-00-00-00; R2 and R3 Non-Force10 Systems carrying BPDUs with destination MAC address 01-80-C2-00-00-00.)

Implementation Information

• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
Enable Layer 2 Protocol Tunneling

Step 1: Verify that the system is running the default CAM profile; you must use this CAM profile for L2PT. Command Syntax: show cam-profile. Command Mode: EXEC Privilege
Step 2: Enable protocol tunneling globally on the system. Command Syntax: protocol-tunnel enable. Command Mode: CONFIGURATION
Step 3: Tunnel BPDUs on the VLAN.
There are a total of 13 user-configurable FP blocks on the C-Series and S-Series. The default number of blocks for L2PT is 0; you must allocate at least one to enable BPDU rate-limiting.

Step 1: Create at least one FP group for L2PT. See CAM Allocation on page 250 for details on this command. Command Syntax: cam-acl l2acl. Command Mode: CONFIGURATION
Step 2: Save the running-config to the startup-config. Command Syntax: copy running-config startup-config. Command Mode: EXEC Privilege
Step 3: Reload the system.
Provider Backbone Bridging through IEEE 802.1ad eliminates the need for tunneling BPDUs with L2PT and increases the reliability of provider bridge networks, as the network core need only learn the MAC addresses of core switches, as opposed to all MAC addresses received from attached customer devices.

Task: Use the Provider Bridge Group address as the destination MAC address in BPDUs.
39 sFlow

Configuring sFlow is supported on platforms: ecsz

• Enable and Disable sFlow on page 773
• sFlow Show Commands on page 774
• Specify Collectors on page 776
• Polling Intervals on page 776
• Sampling Rate on page 776
• Back-off Mechanism on page 778
• sFlow on LAG ports on page 778
• Extended sFlow on page 778

Overview

FTOS supports sFlow version 5. sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic.
Figure 39-1. sFlow Traffic Monitoring System

(Diagram residue: sFlow Collector; Switch/Router containing an sFlow Agent and the Switch ASIC; sFlow Datagrams sent from the Agent to the Collector; the Agent polls Interface Counters and receives Flow Samples from the ASIC.)

Implementation Information

Dell Force10’s sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe.
• FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount.
• Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
• The dropEvent counter, in the sFlow packet, will always be zero.
sFlow Show Commands

FTOS includes the following sFlow display commands:
• Show sFlow Globally on page 49
• Show sFlow on an Interface on page 50
• Show sFlow on a Line Card on page 50

Show sFlow Globally

Use the following command to view sFlow statistics:

Command Syntax: show sflow
Command Mode: EXEC
Purpose: Display sFlow configuration information and statistics.

Figure 39-2 is a sample output from the show sflow command:

Figure 39-2.
Figure 39-3. Command Example: show sflow interface

FTOS#show sflow interface gigabitethernet 1/16
Gi 1/16
Configured sampling rate             :8192
Actual sampling rate                 :8192
Sub-sampling rate                    :2
Counter polling interval             :15
Samples rcvd from h/w                :33
Samples dropped for sub-sampling     :6

The configuration, shown in Figure 39-2, is also displayed in the running configuration (Figure 39-4):

Figure 39-4.
Specify Collectors

The sflow collector command allows identification of sFlow Collectors to which sFlow datagrams are forwarded. The user can specify up to two sFlow collectors. If two Collectors are specified, the samples are sent to both. Collection through the Management interface is supported on platform: e.
The sflow sample-rate command, when issued in CONFIGURATION mode, changes the default sampling rate. By default, the sampling rate of an interface is set to the same value as the current global default sampling rate. If the value entered is not a correct power of 2, the command generates an error message with the previous and next power-of-2 values. Select one of these two numbers and re-enter the command. (For more information on values in power-of-2, see Sub-sampling on page 777.
Back-off Mechanism

If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared. This is as per the sFlow version 5 draft.
Figure 39-6. Confirming that Extended sFlow is Enabled

FTOS#show sflow
sFlow services are enabled
Global default sampling rate: 4096
Global default counter polling interval: 15
Global extended information enabled: gateway, router, switch
1 collectors configured
Collector IP addr: 10.10.10.3, Agent IP addr: 10.10.0.

(Figure callouts: Extended sFlow settings; show all 3 types are enabled)
Table 39-1. Extended Gateway Summary
Columns: IP SA | IP DA | srcAS and srcPeerAS | dstAS and dstPeerAS | Description
static/connected/IGP | static/connected/IGP | — | — | Extended gateway data is not exported because there is no AS information.
static/connected/IGP | BGP | 0 | Exported | src_as & src_peer_as are zero because there is no AS information for IGP.
BGP | static/connected/IGP | — | — | Prior to FTOS version 7.8.1.0, extended gateway data is not exported because IP DA is not learned via BGP.
40 Simple Network Management Protocol (SNMP)
Simple Network Management Protocol (SNMP) is supported on platforms: e c s z
Protocol Overview
Network management stations use Simple Network Management Protocol (SNMP) to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a Management Information Base (MIB).
View your SNMP configuration, using the command show running-config snmp from EXEC Privilege mode, as shown in Figure 40-1.
Figure 40-1. Creating an SNMP Community
FTOS#snmp-server community my-snmp-community ro
22:31:23: %RPM1-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
Figure 40-4. Reading the Value of Many Managed Objects at Once
> snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell Force10 Networks Real Time Operating System Software
Dell Force10 Operating System Version: 1.0
Dell Force10 Application Software Version: E_MAIN4.7.6.350
Copyright (c) 1999-2007 by Dell Force10 Networks, Inc.
Build Time: Mon May 12 14:02:22 PDT 2008
SNMPv2-MIB::sysObjectID.
To configure system contact and location information from the Dell Force10 system:
Task: Identify the system manager along with this person’s contact information (e.g. E-mail address or phone number). You may use up to 55 characters. Default: None. Command: snmp-server contact text. Command Mode: CONFIGURATION
Task: Identify the physical location of the system. For example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1. You may use up to 55 characters.
To configure the system to send SNMP notifications:
Step 1: Configure the Dell Force10 system to send notifications to an SNMP server. Command: snmp-server host ip-address. Command Mode: CONFIGURATION
Step 2: Specify which traps the Dell Force10 system sends to the trap receiver.
• Enable all Dell Force10 enterpriseSpecific and RFC-defined traps using the command snmp-server enable traps from CONFIGURATION mode.
Table 40-2. Dell Force10 Enterprise-specific SNMP Traps
Command Option: envmon
Traps:
CARD_SHUTDOWN: %sLine card %d down - %s
CARD_DOWN: %sLine card %d down - %s
LINECARDUP: %sLine card %d is up
CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
Table 40-2. Dell Force10 Enterprise-specific SNMP Traps (continued)
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 11/38 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Gi 11/38 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
The relevant MIBs for these functions are:
Table 40-3. MIB Objects for Copying Configuration Files via SNMP
MIB Object: copySrcFileType
OID: .1.3.6.1.4.1.6027.3.5.1.1.1.2
Object Values: 1 = FTOS file, 2 = running-config, 3 = startup-config
Description: Specifies the type of file to copy from. Valid values are:
• If the copySrcFileType is running-config or startup-config, the default copySrcFileLocation is flash.
To copy a configuration file:
Step 1: Create an SNMP community string with read/write privileges. Command Syntax: snmp-server community community-name rw. Command Mode: CONFIGURATION
Step 2: Copy the f10-copy-config.mib MIB from the Dell Force10 iSupport webpage to the server to which you are copying the configuration file.
Step 3: On the server, use the command snmpset as shown: snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.
Table 40-4. Copying Configuration Files via SNMP
Task: Copy the running-config to the startup-config using the following command from the Unix machine:
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3
Figure 40-6 shows the command syntax using MIB object names, and Figure 40-7 shows the same command using the object OIDs. In both cases, the object is followed by a unique index number.
Figure 40-6.
Table 40-4. Copying Configuration Files via SNMP (continued)
• server-ip-address must be preceded by the keyword a.
• values for copyUsername and copyUserPassword must be preceded by the keyword s.
Figure 40-10. Copying Configuration Files via SNMP and FTP to a Remote Server
> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.
Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 40-5.
Table 40-5. MIB Objects for Copying Configuration Files via SNMP
MIB Object: copyState. OID: .1.3.6.1.4.1.6027.3.5.1.1.1.11. Values: 1 = running, 2 = successful, 3 = failed. Description: Specifies the state of the copy operation.
MIB Object: copyTimeStarted. OID: .1.3.6.1.4.1.6027.3.5.1.1.1.12. Values: Time value. Description: Specifies the point in the up-time clock that the copy operation started.
MIB Object: copyTimeCompleted. OID: .1.3.6.1.4.1.6027.3.5.
Figure 40-13 shows the command syntax using MIB object names, and Figure 40-14 shows the same command using the object OIDs. In both cases, the object is followed by the same index number used in the snmpset command.
Figure 40-13. Obtaining MIB Object Values for a Copy Operation using Object-name Syntax
> snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.110
FORCE10-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.
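An added example (not Dell Force10 code) that builds the snmpset argument list with one shared index, as in Table 40-4, and interprets the snmpget replies for copyState and the copyTime objects of Table 40-5. The net-snmp output lines it parses are constructed from the figures above (the copyTimeStarted value is invented for the duration calculation).

```python
"""Added example (not Dell Force10 code): drive and track a copy operation
over SNMP.  Every object of one request carries the same index, and the
same index is used afterwards to poll copyState / copyTimeCompleted."""
from __future__ import annotations
import re

# copyState values from Table 40-5
COPY_STATE = {1: "running", 2: "successful", 3: "failed"}

# net-snmp varbind output, e.g.
# FORCE10-COPY-CONFIG-MIB::copyState.110 = INTEGER: 2
_VARBIND = re.compile(
    r"^(?P<obj>[\w-]+::\w+)\.(?P<index>\d+) = (?P<type>[\w ]+?):\s*(?P<value>.*)$"
)

# Constructed sample replies (the completed line extends Figure 40-13
# with an assumed fractional second; the started line is invented).
SAMPLE_STARTED = "FORCE10-COPY-CONFIG-MIB::copyTimeStarted.110 = Timeticks: (1179581) 3:16:35.81"
SAMPLE_COMPLETED = "FORCE10-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.31"


def build_snmpset(host: str, community: str, index: int,
                  assignments: list[tuple[str, str, object]],
                  mib: str = "./f10-copy-config.mib") -> list[str]:
    """argv for one copy request; every object is suffixed with `index`.

    `assignments` holds (object, type letter, value) triples such as
    ("copySrcFileType", "i", 2); type letters follow snmpset
    (i = integer, s = string, a = IP address).  Note that with SNMPv2c the
    community and any copyUserPassword value travel in cleartext.
    """
    argv = ["snmpset", "-v", "2c", "-c", community, "-m", mib, host]
    for obj, typ, value in assignments:
        argv += [f"{obj}.{index}", typ, str(value)]
    return argv


def parse_varbind(line: str) -> tuple[str, int, str, str]:
    """Split an snmpget line into (object, index, type, value)."""
    m = _VARBIND.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised snmpget output: {line!r}")
    return m.group("obj"), int(m.group("index")), m.group("type"), m.group("value")


def copy_state(line: str, expected_index: int) -> str:
    """Map a copyState reply to its name, checking it answers our index."""
    obj, index, _, value = parse_varbind(line)
    if not obj.endswith("copyState") or index != expected_index:
        raise ValueError(f"reply is not copyState.{expected_index}: {line!r}")
    return COPY_STATE[int(value)]


def timeticks_seconds(line: str) -> float:
    """Convert a 'Timeticks: (N) h:mm:ss.xx' reply to seconds (1 tick = 10 ms)."""
    _, _, typ, value = parse_varbind(line)
    if typ != "Timeticks":
        raise ValueError(f"not a Timeticks value: {line!r}")
    ticks = int(re.match(r"\((\d+)\)", value).group(1))
    return ticks / 100


def copy_duration(started_line: str, completed_line: str) -> float:
    """Seconds between copyTimeStarted and copyTimeCompleted replies."""
    return timeticks_seconds(completed_line) - timeticks_seconds(started_line)


if __name__ == "__main__":
    # running-config -> startup-config, index 110, as in Table 40-4
    print(" ".join(build_snmpset("10.10.10.10", "private", 110,
                                 [("copySrcFileType", "i", 2),
                                  ("copyDestFileType", "i", 3)])))
    print(copy_state("FORCE10-COPY-CONFIG-MIB::copyState.110 = INTEGER: 2", 110))
    print(copy_duration(SAMPLE_STARTED, SAMPLE_COMPLETED))  # 2.5
```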
Figure 40-16. Assign a VLAN Alias using SNMP [Unix system output] > snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
The table that the Dell Force10 system sends in response to the snmpget request is a table that contains hexadecimal (hex) pairs, each pair representing a group of eight ports.
• On the E-Series, 12 hex pairs represent a line card. Twelve pairs accommodate the greatest currently available line card port density, 96 ports.
• On the C-Series, 28 hex pairs represent a line card.
The value 40 is in the first set of 7 hex pairs, indicating that these ports are in Stack Unit 0. The hex value 40 is 0100 0000 in binary. As described above, the left-most position in the string represents Port 1. The next position from the left represents Port 2 and has a value of 1, indicating that Port 0/2 is in VLAN 10. The remaining positions are 0, so those ports are not in the VLAN.
Figure 40-21. Adding Tagged Ports to a VLAN using SNMP
>snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
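An added example (not Dell Force10 code) that decodes and encodes the hex-pair port bitmap described above, generalized to any number of hex pairs per stack unit or line card (7, 12 or 28 as the text gives them); the bitmaps in it are constructed. It also covers the edge case a write like Figure 40-21 raises: snmpset replaces the whole bitmap, so existing members must be read and merged first.

```python
"""Added example (not Dell Force10 code): the 802.1Q MIB port bitmap
(dot1qVlanStaticEgressPorts / dot1qVlanStaticUntaggedPorts) as the FTOS
agent returns it and as snmpset expects it with the x type."""
from __future__ import annotations


def decode_port_bitmap(hex_pairs: str, pairs_per_unit: int) -> list[tuple[int, int]]:
    """Return (unit, port) for every port whose bit is set.

    Each hex pair covers eight ports, most significant bit first: 0x80 is
    port 1, 0x40 is port 2, ... 0x01 is port 8 of that pair.  Every
    `pairs_per_unit` consecutive pairs belong to one stack unit or line
    card (7 for an S-Series stack unit, 12 for an E-Series line card,
    28 for a C-Series line card).
    """
    octets = bytes.fromhex(hex_pairs.replace(" ", ""))
    if not octets or len(octets) % pairs_per_unit:
        raise ValueError("bitmap length is not a whole number of units")
    members = []
    for idx, octet in enumerate(octets):
        unit, pair_in_unit = divmod(idx, pairs_per_unit)
        for bit in range(8):
            if octet & (0x80 >> bit):
                members.append((unit, pair_in_unit * 8 + bit + 1))
    return members


def encode_port_bitmap(members, pairs_per_unit: int, units: int) -> str:
    """Inverse of decode: the space-separated string passed to snmpset."""
    octets = bytearray(pairs_per_unit * units)
    for unit, port in members:
        if not (0 <= unit < units and 1 <= port <= pairs_per_unit * 8):
            raise ValueError(f"port {unit}/{port} does not fit this bitmap")
        idx = unit * pairs_per_unit + (port - 1) // 8
        octets[idx] |= 0x80 >> ((port - 1) % 8)
    return " ".join(f"{b:02x}" for b in octets)


def add_port(current_bitmap: str, unit: int, port: int, pairs_per_unit: int) -> str:
    """Bitmap to write so that unit/port joins the VLAN without side effects.

    snmpset replaces the whole object, so writing a bitmap built from
    scratch (as the figure above does) silently removes every other member
    of the VLAN.  Fetch the current value with snmpget, merge, then write.
    """
    members = set(decode_port_bitmap(current_bitmap, pairs_per_unit))
    members.add((unit, port))
    units = len(current_bitmap.split()) // pairs_per_unit
    return encode_port_bitmap(sorted(members), pairs_per_unit, units)


# Constructed S-Series bitmap: 8 stack units x 7 pairs, only port 0/2 set
# (hex 40 = 0100 0000, second bit from the left = port 2).
STACK_BITMAP = " ".join(["40"] + ["00"] * 55)

if __name__ == "__main__":
    print(decode_port_bitmap(STACK_BITMAP, 7))          # [(0, 2)]
    merged = add_port(STACK_BITMAP, 1, 3, 7)
    print(decode_port_bitmap(merged, 7))                # [(0, 2), (1, 3)]
    # E-Series card view of the same idea: 12 pairs per line card
    print(encode_port_bitmap([(0, 96)], 12, 1)[-2:])    # 01
```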
Enable and Disable a Port using SNMP
Step 1: Create an SNMP community on the Dell Force10 system. Command Syntax: snmp-server community. Command Mode: CONFIGURATION
Step 2: From the Dell Force10 system, identify the interface index of the port for which you want to change the admin status. Or, from the management system, use the snmpwalk command to identify the interface index.
Figure 40-22. Fetching Dynamic MAC Addresses on the Default VLAN
------------------------MAC Addresses on Dell Force10 System------------------------------
R1_E600#show mac-address-table
VlanId Mac Address Type Interface State
1 00:01:e8:06:95:ac Dynamic Gi 1/21 Active
------------------------------Query from Management Station-------------------------------
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.4.3.1
SNMPv2-SMI::mib-2.17.4.3.1.1.0.1.232.6.149.
Figure 40-25. Display the Interface Index Number
FTOS#show interface gig 1/21
GigabitEthernet 1/21 is up, line protocol is up
Hardware is Force10Eth, address is 00:01:e8:0d:b7:4e
Current address is 00:01:e8:0d:b7:4e
Interface index is 72925242
[output omitted]
FTOS#show linecard all | grep 1
The interface index is a binary number with bits that indicate the slot number, port number, interface type, and card type of the interface.
For interface indexing, slot and port numbering begins with the binary one. If the Dell Force10 system begins slot and port numbering from 0, then the binary 1 represents slot and port 0. For example, the index number in Figure 40-27 gives the binary 2 for the slot number, though interface GigabitEthernet 1/21 belongs to Slot 1. This is because the port for this example is on an E-Series which begins numbering slots from 0.
41 Storm Control
Storm Control is supported on platforms: e c s z
Storm Control for Multicast is supported on platforms: c s z
The storm control feature enables you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
FTOS Behavior: On the E-Series, FTOS supports broadcast control for Layer 3 traffic only. To control Layer 2 broadcast traffic use the command storm-control unknown-unicast.
• The percentage of storm control is calculated based on the advertised rate of the line card, not by the speed setting.
Configure storm control from CONFIGURATION mode
Configure storm control from CONFIGURATION mode using the command storm control. From CONFIGURATION mode you can configure storm control for ingress and egress traffic. Do not apply per-VLAN QoS on an interface that has storm-control enabled (either on an interface or globally).
42 Spanning Tree Protocol (STP)
Spanning Tree Protocol (STP) is supported on platforms: e c s z
Protocol Overview
Spanning Tree Protocol (STP) is a Layer 2 protocol—specified by IEEE 802.1d—that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and enables you to implement redundant paths, which can be activated upon the failure of active paths.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that will participate in Spanning Tree must be in Layer 2 mode and enabled. Figure 42-1.
Enabling Spanning Tree Protocol Globally
Spanning Tree Protocol must be enabled globally; it is not enabled by default. To enable Spanning Tree globally for all Layer 2 interfaces:
Step 1: Enter the PROTOCOL SPANNING TREE mode. Command Syntax: protocol spanning-tree 0. Command Mode: CONFIGURATION
Step 2: Enable Spanning Tree.
Figure 42-4. Spanning Tree Enabled Globally
[topology diagram: R1 (root), R2 and R3 with ports 1/1-1/4, 2/1-2/4 and 3/1-3/4; one link marked Forwarding and one marked Blocking]
Port 290 (GigabitEthernet 2/4) is Blocking
Port path cost 4, Port priority 8, Port Identifier 8.290
Designated root has priority 32768, address 0001.e80d.2462
Designated bridge has priority 32768, address 0001.e80d.2462
Designated port id is 8.
Confirm that a port is participating in Spanning Tree using the show spanning-tree 0 brief command from EXEC privilege mode.
Figure 42-6. show spanning-tree brief Command Example
FTOS#show spanning-tree 0 brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 0001.e80d.2462
We are the root of the spanning tree
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 0001.e80d.
Modifying Global Parameters You can modify Spanning Tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in Spanning Tree. Note: Dell Force10 recommends that only experienced network administrators change the Spanning Tree parameters. Poorly planned modification of the Spanning Tree parameters can negatively impact network performance. Table 42-2 displays the default values for Spanning Tree. Table 42-2.
View the current values for global parameters using the show spanning-tree 0 command from EXEC privilege mode. See Figure 42-5.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port will be selected to be a forwarding port.
To enable PortFast on an interface: Task Command Syntax Command Mode Enable PortFast on an interface. spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] INTERFACE Verify that PortFast is enabled on a port using the show spanning-tree command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in Figure 42-7. Figure 42-7.
Note: Unless the shutdown-on-violation option is enabled, spanning-tree only drops packets after a BPDU violation; the physical interface remains up, as shown below.
FTOS(conf-if-gi-0/7)#do show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32768, Address 0001.e805.fb07
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32768, Address 0001.e85d.
Figure 42-8. Enabling BPDU Guard
FTOS(conf-if-gi-3/41)# spanning-tree 0 portfast bpduguard shutdown-on-violation
FTOS(conf-if-gi-3/41)#show config
!
interface GigabitEthernet 3/41
 no ip address
 switchport
 spanning-tree 0 portfast bpduguard shutdown-on-violation
 no shutdown
[diagram: port 3/41 connected to a hub; switch with Spanning Tree enabled]
FTOS Behavior: BPDU Guard and BPDU filtering (see Removing an Interface from the Spanning Tree Group on page 810) both block BPDUs, but are two separate features.
View only the root information using the show spanning-tree root command (see Figure 42-9) from EXEC privilege mode.
Figure 42-9. show spanning-tree root Command Example
FTOS#show spanning-tree 0 root
Root ID Priority 32768, Address 0001.e80d.
43 System Time and Date
System Time and Date settings and NTP are supported on platforms: e c s z
System times and dates can be set and maintained through the Network Time Protocol (NTP). They are also set through FTOS CLIs and hardware settings.
• Clock offset represents the amount to adjust the local clock to bring it into correspondence with the reference clock.
• Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time.
• Dispersion represents the maximum error of the local clock relative to the reference clock.
Figure 43-1. NTP Fields
[packet diagram: Source Port (123), Destination Port (123), Length, Checksum, NTP Packet Payload; Status with Leap Indicator Code (00: No Warning, 01: +1 second, 10: -1 second, 11: reserved), Type, Precision (Range: +32 to -32), Est. Error, Est.
Enable NTP
NTP is disabled by default. To enable it, specify an NTP server to which the Dell Force10 system will synchronize. Enter the command multiple times to specify multiple servers. You may specify an unlimited number of servers at the expense of CPU resources.
Task: Specify the NTP server to which the Dell Force10 system will synchronize.
Set the Hardware Clock with the Time Derived from NTP Task Command Command Mode Periodically update the system hardware clock with the time value derived from NTP. ntp update-calendar CONFIGURATION Figure 43-4.
Configure a source IP address for NTP packets
By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface’s IP address to be included in all NTP packets.
To configure NTP authentication, use these commands in the following sequence in the CONFIGURATION mode:
Step 1: ntp authenticate (CONFIGURATION). Enable NTP authentication.
Step 2: ntp authentication-key number md5 key (CONFIGURATION). Set an authentication key. Configure the following parameters:
number: Range 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
key: Enter a text string. This text string is encrypted.
Command Syntax: ntp server ip-address [key keyid] [prefer] [version number]. Command Mode: CONFIGURATION. Purpose: Configure an NTP server. Configure the IP address of a server and the following optional parameters:
• key keyid: Configure a text string as the key exchanged between the NTP server and client.
• prefer: Enter the keyword to set this NTP server as the preferred server.
• version number: Enter a number 1 to 3 as the NTP version.
• Root Delay (sys.rootdelay, peer.rootdelay, pkt.rootdelay): This is a signed fixed-point number indicating the total roundtrip delay to the primary reference source at the root of the synchronization subnet, in seconds. Note that this variable can take on both positive and negative values, depending on clock precision and skew.
• Root Dispersion (sys.rootdispersion, peer.rootdispersion, pkt.
Set the time and date for the switch hardware clock
Command Syntax: calendar set time month day year. Command Mode: EXEC Privilege. Purpose: Set the hardware clock to the current time and date.
time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format, for example, 17:15:00 is 5:15 pm.
month: Enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. Command Syntax Command Mode Purpose clock set time month day year EXEC Privilege Set the system software clock to the current time and date. time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format, for example, 17:15:00 is 5:15 pm. month: Enter the name of one of the 12 months in English.
FTOS#conf
FTOS(conf)#clock timezone Pacific -8
FTOS(conf)#01:40:19: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins"
FTOS#
Set daylight saving time
FTOS supports setting the system to daylight saving time once or on a recurring basis every year.
Set Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. Command Syntax Command Mode Purpose clock summer-time time-zone date start-month start-day start-year start-time end-month end-day end-year end-time [offset] CONFIGURATION Set the clock to the appropriate timezone and daylight saving time. time-zone: Enter the three-letter name for the time zone. This name is displayed in the show clock output.
start-year: Enter a four-digit number as the year. Range: 1993 to 2035
start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format, for example, 17:15 is 5:15 pm.
end-week: If you entered a start-week, enter one of the following as the week that daylight saving ends:
• week-number: enter a number from 1-4 as the number of
• first: enter the keyword first to end daylight saving time in the first week of the month.
44 Upgrade Procedures
Find the upgrade procedures
Go to the FTOS Release Notes for your system type to see all the requirements to upgrade to the desired FTOS version. Follow the procedures in the FTOS Release Notes for the software version you wish to upgrade to.
Get Help with upgrades
Direct any questions or concerns about FTOS Upgrade Procedures to Dell Force10’s Technical Support Center. You can reach Technical Support:
• On the Web: www.force10networks.
45 Virtual LANs (VLAN)
Virtual LANs (VLAN) are supported on platforms: e c s z
This section contains the following subsections:
• Default VLAN
• Port-Based VLANs
• VLANs and Port Tagging
• Configuration Task List for VLANs
• Enable Null VLAN as the Default VLAN
Virtual LANs, or VLANs, are a logical broadcast domain or logical grouping of interfaces in a LAN in which all data received is kept locally and broadcast to all members of the group.
Table 45-1 displays the defaults for VLANs in FTOS.
Table 45-1. VLAN Defaults on FTOS
Feature: Spanning Tree group ID. Default: All VLANs are part of Spanning Tree group 0
Feature: Mode. Default: Layer 2 (no IP address is assigned)
Feature: Default VLAN ID. Default: VLAN 1
Default VLAN
When interfaces are configured for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN.
Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, you must create another VLAN and place the interface into that VLAN. Alternatively, enter the no switchport command, and FTOS removes the interface from the Default VLAN. A tagged interface requires an additional step to remove it from Layer 2 mode. Since tagged interfaces can belong to multiple VLANs, you must remove the tagged interface from all VLANs, using the no tagged interface command.
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
• Tag Control Information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but 2 are reserved.
Note: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1518 bytes specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.
Use the show vlan command (Figure 45-3) in the EXEC privilege mode to view the configured VLANs.
Figure 45-3. show vlan Command Example
FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
NUM: * 1 2 3 4 5 6
Status: Inactive Active Active Active Active Active
Q: U U U T U U U
Ports: So 9/4-11 Gi 0/1,18 Gi 0/2,19 Gi 0/3,20 Po 1 Gi 0/12 So 9/0
FTOS#
A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up.
To tag frames leaving an interface in Layer 2 mode, you must assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use these commands in the following sequence:
Step 1: interface vlan vlan-id (CONFIGURATION). Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Step 2: tagged interface (INTERFACE). Enable an interface to include the IEEE 802.1Q tag header.
Use the untagged command to move untagged interfaces from the Default VLAN to another VLAN:
Step 1: interface vlan vlan-id (CONFIGURATION). Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
Step 2: untagged interface (INTERFACE). Configure an interface as untagged. This command is available only in VLAN interfaces.
Assign an IP address to a VLAN
VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface.
Note: An IP address cannot be assigned to the Default VLAN, which, by default, is VLAN 1.
Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. An untagged port must be connected to a VLAN-unaware station (one that does not understand VLAN tags), and a tagged port must be connected to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that a port can be connected to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
Enable Null VLAN as the Default VLAN
In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured.
46 Virtual Link Trunking (VLT) Virtual Link Trunking (VLT) is supported on platforms: z Overview Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
Figure 46-1. Virtual Link Trunking
[diagram: two S4810 chassis forming a VLT Domain, joined by a Chassis Interconnect Trunk, with Backup Links over an Out-of-Band Management Network; a Virtual Link Trunk connects the domain to a Switch or Server that supports LACP (802.1ad)]
VLT peer devices have independent management planes. A chassis interconnect trunk between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peers. The chassis interconnect trunk uses 10GE or 40GE user ports on the chassis.
Enhanced VLT An enhanced VLT (eVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per eVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
VLT domain - This domain includes both VLT peer devices, the VLT interconnect, and all of the port channels in the VLT connected to the attached devices. It is also associated to the configuration mode that must be used to assign VLT global parameters.
VLT peer device - One of a pair of devices that are connected with the special port channel known as the VLT interconnect (VLTi).
• VLT domain:
• A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel.
• A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. The domain ID can be from 1 to 1000.
• Each VLT domain has a unique MAC address that is created automatically by VLT or user-configured.
• ARP tables are synchronized between the VLT peer nodes.
• MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes.
• ARP entries configured across the VLTi are the same on both VLT peer nodes.
• Virtual link trunks (VLTs) between access devices and VLT peer switches: • To connect servers and access switches with VLT peer switches, you use a VLT port channel (see Figure 46-1). Up to 48 port-channels are supported; up to 8 member links are supported in each port channel between the VLT domain and an access device. • The ID number of the port channel that connects an access device and a VLT switch is automatically generated by the discovery protocol running between VLT peers.
• Layer 3 VLAN connectivity between VLT peers is enabled by configuring a VLAN network interface for the same VLAN on both switches.
• IGMP snooping is supported over VLT ports. The multicast forwarding state is synchronized on both VLT peer switches. The IGMP snooping process on a VLT peer shares the learned group information with the other VLT peer over the chassis interconnect trunk.
the network. In either case, upon recovery of the peer link or reestablishment of message forwarding across the interconnect trunk, the two VLT peers resynchronize any MAC addresses learned while communication was interrupted, and the VLT system continues normal data forwarding. If the primary chassis is rebooted, the secondary chassis takes on the operational role of the primary. When operation of the original, primary chassis is restored, it takes on the operational role of the secondary chassis.
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (Message 2) and an SNMP trap.
Message 2 Excessive VLTi Bandwidth Usage Drops Below Threshold Value
Error %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) reaches below threshold.
PIM-Sparse Mode Support on VLT The Designated Router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. The VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes will be elected as the PIM Designated Router.
If the VLT node elected as the designated router fails, traffic loss will occur until another VLT node is elected the designated router.
RSTP Configuration
The RSTP Spanning Tree protocol is supported in a VLT domain. Before you configure VLT on peer switches, you must configure the Rapid Spanning Tree Protocol (RSTP) in the network if it will be included in your configuration. RSTP is required for initial loop prevention during the VLT startup phase.
Sample RSTP Configuration Using Figure 46-1 as a sample VLT topology, the primary VLT switch will send BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
4. (Optional) Manually reconfigure default VLT settings, such as MAC address and VLT primary/secondary roles.
5. Connect the peer switches in a VLT domain to an attached access device (switch or server).
Configure a VLT interconnect
Step 1: Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
Use the delay-restore command at any time to set an amount of time, in seconds, to delay the system from restoring the VLT port. Refer to VLT Port Delayed Restoration for more information.
Configure a VLT port delay period
Step 1: Enter VLT-domain configuration mode for a specified VLT domain. Command Syntax: vlt domain domain-id. Command Mode: CONFIGURATION. Range of domain IDs: 1 to 1000.
Command Syntax: delay-restore delay-restore-time. Command Mode: CONFIGURATION
(Optional) Reconfigure default VLT settings
Step 4: (Optional) When you create a VLT domain on a switch, the FTOS software automatically assigns a unique unit ID (0 or 1) to each peer switch. The unit IDs are used for internal system operations. Command Syntax: unit-id {0 | 1}. Command Mode: VLT DOMAIN CONFIGURATION. Use the unit-id command to explicitly configure the default values on each peer switch.
Use the peer-down-vlan parameter to configure the VLAN to which a VLT peer forwards packets received over the VLTi from an adjacent VLT peer that is down. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi. This configuration ensures that the DHCP discover packets are forwarded to the VLAN that has the DHCP server.
(Optional) Configure Enhanced VLT (eVLT)
Step 5: Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. You can optionally specify the time interval used to send hello messages.
  Range: 1 to 5 seconds.
(Optional) Configure Enhanced VLT (eVLT)
Step 11: Ensure that the port channel is active.
  Command: no shutdown
  Mode: INTERFACE PORT-CHANNEL
Step 12: Configure a range of interfaces to bulk configure. Add links to the eVLT port.
  Command: interface range {port-channel id}
  Mode: CONFIGURATION
Step 13: Enable LACP on the LAN port.
  Command: port-channel-protocol lacp
  Mode: INTERFACE
Step 14: Configure the LACP port channel mode.
  Command: port-channel number mode [active]
  Mode: INTERFACE
Step 15: Ensure that the interface is active.
Configure the peer 1 management IP/interface IP for which connectivity is present in VLT peer 1.
Step 5: Configure the VLT links between VLT peer 1 and VLT peer 2 to the top-of-rack unit.
  Command: show interfaces interface
  Mode: EXEC, EXEC Privilege
Step 6: Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the top-of-rack unit.
  Command: show running-config entity
  Mode: EXEC Privilege
Step 7.
Configure the backup link between the VLT peer units.
1. Configure the peer 2 management IP/interface IP for which connectivity is present in VLT peer 1.
2. Configure the peer 1 management IP/interface IP for which connectivity is present in VLT peer 2.

s4810-2#show running-config vlt
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.58
s4810-2#
s4810-2#show interfaces managementethernet 0/0
Internet address is 10.11.206.
FTOS(conf)#show vlt brief
VLT Domain Brief
-----------------
Domain ID:                  10
Role:                       Primary
Role Priority:              32768
ICL Link Status:            Up
HeartBeat Status:           Not Established
VLT Peer Status:            Up
Version:                    5(1)
Local System MAC address:   00:01:e8:8b:14:3c
Remote System MAC address:  00:01:e8:8b:15:20
Remote system version:      5 (1)
Delay-Restore timer:        90 seconds
FTOS#
FTOS(conf-if-vl-100)#show vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VL
------------  -----------  ------------  -----------
10            10           UP            UP
eVLT Configuration Example
The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example there are two domains being configured. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown below. In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Domain_1_Peer1(conf-if-range-te-0/16-17)#no shutdown
Next, configure the VLT domain and VLTi on Peer 2:
Domain_1_Peer2#configure
Domain_1_Peer2(conf)#interface port-channel 1
Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer2#no shutdown
Domain_1_Peer2(conf)#vlt domain 1000
Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1
Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.
Domain_2_Peer4(conf)#vlt domain 1000
Domain_2_Peer4(conf-vlt-domain)#peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)#back-up destination 10.18.130.
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, enter any of the following show commands on the primary and secondary VLT switches:
show vlt backup-link: Displays information on backup link operation (see Figure 46-4). Command Mode: EXEC
show vlt brief: Displays general status information about VLT domains currently configured on the switch (see Figure 46-5).
Destination:                 10.11.200.
Peer HeartBeat status:
HeartBeat Timer Interval:
HeartBeat Timeout:
UDP Port:
HeartBeat Messages Sent:
HeartBeat Messages Received:
Figure 46-5.
Figure 46-8. show running-config vlt Command Output on VLT peer switches
FTOS#VLTpeer1#show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
FTOS#VLTpeer2#show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.20
Figure 46-9.
Figure 46-10. Configuring Virtual Link Trunking (VLT Peer 1)
Enable VLT and create a VLT domain with a backup link and interconnect (VLTi):
FTOS_VLTpeer1(conf)#vlt domain 999
FTOS_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35
FTOS_VLTpeer1(conf-vlt-domain)#exit
FTOS_VLTpeer1(conf)#interface ManagementEthernet 0/0
FTOS_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Figure 46-11. Configuring Virtual Link Trunking (VLT Peer 2)
Enable VLT and create a VLT domain with a backup link and VLT interconnect (VLTi):
FTOS_VLTpeer2(conf)#vlt domain 999
FTOS_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
FTOS_VLTpeer2(conf-vlt-domain)#exit
FTOS_VLTpeer2(conf)#interface ManagementEthernet 0/0
FTOS_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.
Troubleshooting VLT
Use the following information to help troubleshoot different VLT issues that may occur.
Note: For information on VLT failure mode timing and its impact, contact your Dell Force10 representative.
Behavior at Peer Up: A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above its threshold.
Action to Take: Depending on the traffic that is received, the traffic can be offloaded in VLTi.
Description: Unit ID mismatch
Behavior at Peer Up / During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated. The VLT domain will not be formed. The VLTi will be in a down state.
Action to Take: Verify the unit ID is correct on both VLT peers. Unit ID numbers must be sequential on peer units; i.e., if Peer 1 is unit ID "0", Peer 2 unit ID must be "1".
47 Virtual Router Redundancy Protocol (VRRP)
Virtual Router Redundancy Protocol (VRRP) is supported on platforms: ec sz.
This chapter covers the following information:
• VRRP Overview
• VRRP Benefits
• VRRP Implementation
• VRRP Configuration
• Sample Configurations

VRRP Overview
Virtual Router Redundancy Protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a LAN.
In Figure 47-1 below, Router A is configured as the MASTER router. It is configured with the IP address of the virtual router and sends any packets addressed to the virtual router through interface GigabitEthernet 1/1 to the Internet. As the BACKUP router, Router B is also configured with the IP address of the virtual router. If for any reason Router A becomes unavailable, VRRP elects a new MASTER router. Router B assumes the duties of Router A and becomes the MASTER router.
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant, and they are not dependent on IGP protocols to converge or update routing tables.

VRRP Implementation
E-Series supports an unlimited total number of VRRP groups on the router while supporting up to 255 VRRP groups on a single interface (Table 47-1).
Table 47-1.
Create a Virtual Router
To enable VRRP, you must create a Virtual Router. In FTOS, a VRRP Group is identified by the Virtual Router Identifier (VRID). To enable a Virtual Router, use the following command in the INTERFACE mode. To delete a VRRP group, use the no vrrp-group vrid command in the INTERFACE mode.
Task: Create a virtual router for that interface with a VRID.
  Command: vrrp-group vrid
  Mode: INTERFACE
To activate a VRRP Group on an interface (so that the VRRP group starts transmitting VRRP packets), configure at least one Virtual IP address in the VRRP group. The Virtual IP address is the IP address of the Virtual Router and does not require the IP address mask. You can configure up to 12 Virtual IP addresses on a single VRRP Group (VRID).
Figure 47-5. Command Example Display: show config for the Interface
FTOS(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.1/24
 !
 vrrp-group 111
  priority 255
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
 !
 vrrp-group 222
 no shutdown
FTOS(conf-if-gi-1/1)#
Note that the Primary IP address and the Virtual IP addresses are on the same subnet.
Figure 47-6 shows the same VRRP group configured on multiple interfaces on different subnets.
Figure 47-6.
Set VRRP Group (Virtual Router) Priority
Setting a Virtual Router priority to 255 ensures that the router is the "owner" virtual router for the VRRP group. VRRP elects the MASTER router by choosing the router with the highest priority. The default priority for a Virtual Router is 100. The higher the number, the higher the priority. If the MASTER router fails, VRRP begins the election process to choose a new MASTER router based on the next-highest priority.
Configure VRRP Authentication
Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When authentication is enabled, FTOS includes the password in its VRRP transmission, and the receiving router uses that password to verify the transmission.
Note: All virtual routers in the VRRP group must be configured the same: either authentication is enabled with the same password on all of them, or authentication is disabled on all of them.
Prevent the BACKUP router with the higher priority from becoming the MASTER router by disabling preempt.
Note: All virtual routers in the VRRP group must be configured the same: all configured with preempt enabled or all configured with preempt disabled.
Since preempt is enabled by default, disable the preempt function with the following command in the VRRP mode. Re-enable preempt by entering the preempt command.
Change the advertisement interval with the following command in the VRRP mode:
Task: Change the advertisement interval setting.
  Command: advertise-interval seconds
  Range: 1-255 seconds
  Default: 1 second
  Mode: INTERFACE-VRID
Figure 47-13. Command Example: advertise-interval
FTOS(conf-if-gi-1/1)#vrrp-group 111
FTOS(conf-if-gi-1/1-vrid-111)#advertise-interval 10
FTOS(conf-if-gi-1/1-vrid-111)#
Figure 47-14.
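The receiver-side checks that the priority, authentication and advertisement-interval sections above describe, as an added Python example (not FTOS code): it encodes and validates VRRPv2 advertisements in the RFC 2338 wire format and compares a received one against the local group settings that must match on every router in the group. VRID 111, the password "secret" and the virtual addresses are constructed sample values.

```python
"""VRRPv2 advertisement encode/validate (RFC 2338 wire layout).

Added example, not part of FTOS. A receiver should reject malformed messages
(wrong version/type, length not matching Count IP Addrs, bad checksum) and
then compare the group settings against its own configuration, which is how
the configured password is used to verify a transmission.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_NONE = 0            # no authentication
AUTH_SIMPLE = 1          # simple text password, 8 bytes, zero padded
HEADER_FMT = "!BBBBBBH"  # ver/type, VRID, priority, count, auth type, adver int, checksum


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int          # 255 = address owner, 100 = default
    adver_int: int         # seconds, 1-255
    addresses: List[str]   # virtual IP addresses (up to 12 per VRID on FTOS)
    auth_type: int = AUTH_NONE
    password: bytes = b""  # constructed sample secret in the tests, never a real one

    def pack(self) -> bytes:
        head = struct.pack(HEADER_FMT, (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT,
                           self.vrid, self.priority, len(self.addresses),
                           self.auth_type, self.adver_int, 0)
        addrs = b"".join(socket.inet_aton(a) for a in self.addresses)
        auth = self.password.ljust(8, b"\x00")[:8]
        msg = head + addrs + auth
        # checksum is computed with the checksum field zeroed, then inserted
        return msg[:6] + struct.pack("!H", ip_checksum(msg)) + msg[8:]


def parse(raw: bytes) -> Advertisement:
    """Decode one VRRPv2 message; raises ValueError when it is malformed."""
    if len(raw) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, auth_type, adver, _ = struct.unpack(HEADER_FMT, raw[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(raw) != 8 + 4 * count + 8:
        raise ValueError("length does not match Count IP Addrs")
    if ip_checksum(raw) != 0:       # a valid message sums to zero with its checksum in place
        raise ValueError("bad checksum")
    addrs = [socket.inet_ntoa(raw[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, prio, adver, addrs, auth_type,
                         raw[8 + 4 * count:].rstrip(b"\x00"))


def is_valid(raw: bytes) -> bool:
    try:
        parse(raw)
        return True
    except ValueError:
        return False


def audit(adv: Advertisement, vrid: int, auth_type: int, password: bytes,
          adver_int: int) -> List[str]:
    """Compare a received advertisement with the local VRRP group configuration."""
    findings = []
    if adv.vrid != vrid:
        findings.append("VRID %d is not the configured group %d" % (adv.vrid, vrid))
    if adv.auth_type != auth_type:
        findings.append("authentication type %d differs from local %d" % (adv.auth_type, auth_type))
    elif auth_type == AUTH_SIMPLE and adv.password != password:
        findings.append("authentication password mismatch")
    if adv.adver_int != adver_int:
        findings.append("advertisement interval %ds differs from local %ds" % (adv.adver_int, adver_int))
    return findings
```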
The sum of all the costs for all tracked interfaces must be less than or equal to the configured priority of the VRRP group.
Figure 47-15. Command Example: track
FTOS(conf-if-gi-1/1)#vrrp-group 111
FTOS(conf-if-gi-1/1-vrid-111)#track gigabitethernet 1/2
FTOS(conf-if-gi-1/1-vrid-111)#
Figure 47-16.
Task: Set the delay time for VRRP initialization on an individual interface. This is the gap between an interface coming up and being operational, and VRRP enabling.
  Command: vrrp delay minimum seconds
  Seconds range: 0-900
  Default: 0
  Mode: INTERFACE
Task: Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP. This is the gap between system boot-up completion and VRRP enabling.
Figure 47-17. Configure VRRP Router 2
R2(conf)#int gi 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.3/24
R2(conf-if-gi-2/31)#no shut
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  virtual-address 10.1.1.
Figure 47-18. VRRP Topography Illustration
State Master: R2 was the first interface configured with VRRP.
Virtual MAC is automatically assigned and is the same on both Routers.
State Backup: R3 was the second interface configured with VRRP.
R2#show vrrp
-----------------
GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.3
10.1.1.1
State: Master, Priority: 100, Master: 10.1.1.3
10.1.1.
48 Z-Series Debugging and Diagnostics
This chapter contains the following major sections:
• Offline Diagnostics
• TRACE logs
• Hardware watchdog timer
• Last restart reason (Z9000)
• show hardware commands (Z9000)
• Troubleshooting packet loss
• Application core dumps
• Mini core dumps
• TCP dumps

Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware.
Running Offline Diagnostics
1. Place the unit in the offline state using the offline stack-unit command from EXEC Privilege mode, as shown in Taking a Z-Series Stack Unit Offline. You cannot enter the command on a stacking unit.
Note: The system reboots when the offline diagnostics complete. This is an automatic process in default mode.
Figure 48-2.
Figure 48-3. Running Offline Diagnostics on a Z-Series Standalone Unit
FTOS#diag stack-unit 1 alllevels
Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
00:03:35: %S50N:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1
00:03:35 : Approximate time to complete these Diags ...
Figure 48-4. Verifying the Offline/Online Diagnostics of a Z-Series Standalone Unit
flash: 3001958400 bytes total (2716000256 bytes free)
FTOS#show file flash://TestReport-SU-0.
Test 5 - Psu Source Type Test ...................................... FAIL
+ TEST - 6 PSU [0] Fan FLOW Type Normal (IO --> Rear)
Test 6.000 - Psu Fan module type detect test ........................ PASS
diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present...
diagS3240PsuFanModuleTypeDetectTest[448]: ERROR: Getting PSU -1 power status failed.
Offline diagnostics can be run in DEBUG mode, as shown in the following example, Running offline diagnostics in DEBUG mode.
Figure 48-7. show diag stack-unit command example
FTOS#show diag stackunit 0
Diag status of Stackunit member 0:
-------------------------------------------------------------------------
Stackunit is currently offline.
Stackunit level2 diag issued at Thu Apr 09, 2009 02:40:13 PM.
Current diag status: Unit diags are done.
Duration of execution (Total): 8 min 11 sec.
Diagonostic test results located: /f10/flash/TestReport-SU-0.
Last restart reason (Z9000)
If a Z9000 system restarted for some reason (automatically or manually), the show system command output includes the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes.
Table 48-1.
Table 48-2. show hardware Commands
show hardware stack-unit {0-11} cpu management statistics: View the internal interface status of the stack-unit CPU port which connects to the external management interface.
show hardware stack-unit {0-11} cpu data-plane statistics: View driver-level statistics for the data-plane port on the CPU for the specified stack-unit.
The Z9000 supports 32 40G ports or 128 10G ports on four port-pipes, which are also called units. The system displays internal port numbers, not the external port numbers that you see. See the following table for information that maps the internal unit port number to the port-pipe unit for the 40G ports (highlighted lines only) and 10G ports (all lines).
Table 48-3.
• The card genuinely is too hot.
• A sensor has malfunctioned.
Inspect cards adjacent to the one reporting the condition to discover the cause.
• If directly adjacent cards are not at normal temperature, suspect a genuine overheating condition.
• If directly adjacent cards are at normal temperature, suspect a faulty sensor.
When the system detects a genuine over-temperature condition, it powers off the card.
Recognize an under-voltage condition
If the system detects an under-voltage condition, it declares an alarm. To recognize this condition, look for the system messages in Message 3.
Message 3 Under-voltage Condition System Messages
%CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage
The message in Message 3 indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE).
Buffer tuning
Buffer tuning allows you to modify the way your switch allocates buffers from its available memory, and helps prevent packet drops during a temporary burst of traffic. The S-Series ASICs implement the key functions of queuing, feature lookups, and forwarding lookups in hardware.
You can configure dynamic buffers per port on both 1G and 10G FPs and per queue on CSFs. By default, the FP dynamic buffer allocation is 10 times oversubscribed. For the 48-port 1G card:
• Dynamic Pool = Total Available Pool (16384 cells) – Total Dedicated Pool = 5904 cells
• Oversubscription ratio = 10
• Dynamic Cell Limit Per port = 59040/29 = 2036 cells
Figure 48-10.
Buffer tuning commands
Note: Buffer profile queue 1 is not supported. Use default buffer profile queue 4.
Task: Define a buffer profile for the FP queues.
  Command: buffer-profile fp fsqueue
  Mode: CONFIGURATION
Task: Define a buffer profile for the CSF queues.
  Command: buffer-profile csf csqueue
  Mode: CONFIGURATION
Task: Change the dedicated buffers on a physical 1G interface.
  Command: buffer dedicated
  Mode: BUFFER PROFILE
Task: Change the maximum amount of dynamic buffers an interface can request.
Display the allocations for any buffer profile using the show commands in Figure 48-12. Display the default buffer profile using the command show buffer-profile {summary | detail} from EXEC Privilege mode, as shown in Figure 48-11.
Figure 48-11. Display the Default Buffer Profile
FTOS#show buffer-profile detail interface gigabitethernet 0/1
Interface Gi 0/1
Buffer-profile
Dynamic buffer 194.88 (Kilobytes)
Queue#  Dedicated Buffer  Buffer Packets
        (Kilobytes)
0       2.50              256
1       2.50              256
2       2.50              256
3       2.50              256
4       9.
Using a pre-defined buffer profile
FTOS provides two pre-defined buffer profiles, one for single-queue (i.e., non-QoS) applications, and one for four-queue (i.e., QoS) applications.
Task: Apply one of the two pre-defined buffer profiles for all port pipes in the system.
  Command: buffer-profile global [1Q|4Q]
  Mode: CONFIGURATION
You must reload the system for the global buffer profile to take effect (Message 4).
Figure 48-13.
Figure 48-14.
Figure 48-16.
Displaying Party Bus Statistics
FTOS#sh hardware stack-unit 2 cpu party-bus statistics
Input Statistics:
  27550 packets, 2559298 bytes
  0 dropped, 0 errors
Output Statistics:
  1649566 packets, 1935316203 bytes
  0 errors

Displaying Stack Member Counters
The show hardware stack-unit 0–7 {counters | details | port-stats [detail] | register} command displays internal receive and transmit statistics, based on the selected command option.
Application core dumps
Application core dumps are disabled by default. A core dump file can be very large. Core dumps are stored in the local flash. Enable full application core dumps with the following:
Task: Enable RPM core dumps and specify the shutdown mode.
  Command: logging coredump server
  Mode: CONFIGURATION
When you enable this command to allow the system to automatically upload application core dumps to an FTP server, you are prompted to enter a password.
Task: Enable a TCP dump for CPU-bound traffic.
49 Standards Compliance
This appendix contains the following sections:
• IEEE Compliance
• RFC and I-D Compliance
• MIB Location
Note: Unless noted, when a standard cited here is listed as supported by FTOS, FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click on “Browse and search IETF documents”, enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
• Force10 — PVST+
• SFF-8431 — SFP+ Direct Attach Cable (10GSFP+Cu)
• MTU — 9,252 bytes

RFC and I-D Compliance
The following standards are supported by FTOS, and are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard.
Note: Checkmarks in the E-Series column indicate that FTOS support was added before FTOS version 7.5.1.
General IPv4 Protocols
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
RFC#  Full Name
791   Internet Protocol  7.6.1  7.5.1  8.1.1
792   Internet Control Message Protocol  7.6.1  7.5.1  8.1.1
826   An Ethernet Address Resolution Protocol  7.6.1  7.5.1  8.1.1
1027  Using ARP to Implement Transparent Subnet Gateways  7.6.1  7.5.1  8.1.1
1035  DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client)  7.6.1  7.5.1  8.1.
General IPv6 Protocols
2462  (Partial) IPv6 Stateless Address Autoconfiguration  7.8.1  7.8.1  8.2.1
2463  Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification  7.8.1  7.8.1  8.2.1
2464  Transmission of IPv6 Packets over Ethernet Networks  7.8.1  7.8.1  8.2.1
2675  IPv6 Jumbograms  7.8.1  7.8.1  8.2.1
3587  IPv6 Global Unicast Address Format  7.8.1  7.8.1  8.2.
Open Shortest Path First (OSPF)
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale)
      The OSPF Not-So-Stubby Area (NSSA) Option  7.6.1  7.5.1  8.1.1
2154  OSPF with Digital Signatures  7.6.1  7.5.1  8.1.1
2328  OSPF Version 2  7.6.1  7.5.1  8.1.1
2370  The OSPF Opaque LSA Option  7.6.1  7.5.1  8.1.1
2740  OSPF for IPv6  7.8.1  8.2.1
3623  Graceful OSPF Restart  7.8.1  7.5.1  8.1.
Intermediate System to Intermediate System (IS-IS)
draft-ietf-isis-ipv6-06  Routing IPv6 with IS-IS
draft-kaplan-isis-ext-eth-02  Extended Ethernet Frame Size Support  7.5.1  8.2.1  8.1.1

Routing Information Protocol (RIP)
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
      Routing Information Protocol  7.8.1  7.6.1  8.1.1
      RIP Version 2  7.8.1  7.6.1  8.1.
Multiprotocol Label Switching (MPLS)
5036  LDP Specification  8.3.1
5063  Extensions to GMPLS Resource Reservation Protocol (RSVP) Graceful Restart  8.3.1

Multicast
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
      Host Extensions for IP Multicasting  7.8.1  7.7.1  8.1.1
2236  Internet Group Management Protocol, Version 2  7.8.1  7.7.1  8.1.1
2710  Multicast Listener Discovery (MLD) for IPv6  8.2.
Network Management (continued)
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
      Concise MIB Definitions  7.6.1  7.5.1  8.1.1
1215  A Convention for Defining Traps for use with the SNMP  7.6.1  7.5.1  8.1.1
1493  Definitions of Managed Objects for Bridges [except for the dot1dTpLearnedEntryDiscards object]  7.6.1  7.5.1  8.1.1
1724  RIP Version 2 MIB Extension  7.5.1  8.1.
Network Management (continued)
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
      Conformance Statements for SMIv2  7.6.1  7.5.1  8.1.1
2618  RADIUS Authentication Client MIB, except the following four counters: radiusAuthClientInvalidServerAddresses, radiusAuthClientMalformedAccessResponses, radiusAuthClientUnknownTypes, radiusAuthClientPacketsDropped  7.6.1  7.5.1  8.1.1
2665  Definitions of Managed Objects for the Ethernet-like Interface Types  7.6.1  7.5.1  8.
Network Management (continued)
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
draft-grant-tacacs-02  The TACACS+ Protocol  7.6.1  7.5.1  8.1.1
draft-ietf-idr-bgp4-mib-06  Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) using SMIv2  7.8.1  7.7.1  8.1.1
8.1.
Network Management (continued)
FTOS support, per platform (S-Series, C-Series, E-Series TeraScale, E-Series ExaScale)
FORCE10-CHASSIS-MIB  Dell Force10 E-Series Enterprise Chassis MIB  8.1.1
FORCE10-COPY-CONFIG-MIB  Dell Force10 File Copy MIB (supporting SNMP SET operation)  7.7.1  7.7.1  8.1.1
FORCE10-MON-MIB  Dell Force10 Monitoring MIB  7.6.1  7.5.1  8.1.1
FORCE10-PRODUCTS-MIB  Dell Force10 Product Object Identifier MIB  7.6.1  7.5.1  8.1.
MIB Location
Dell Force10 MIBs are under the Force10 MIBs subhead on the Documentation page of iSupport:
https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
You can also obtain a list of selected MIBs and their OIDs at the following URL:
https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
Some pages of iSupport require a login. To request an iSupport account, go to:
https://www.force10networks.com/CSPortal20/Support/AccountRequest.
Index
Numerics
10/100/1000 Base-T Ethernet line card, auto negotiation 369
100/1000 Ethernet interfaces port channels 342
4-Byte AS Numbers 171
802.1AB 921
802.1D 921
802.1p 921
802.1p/Q 921
802.1Q 921
802.1s 921
802.1w 921
802.1X 921
802.3ab 921
802.3ac 921
802.3ad 921
802.3ae 921
802.3af 921
802.3ak 921
802.3i 921
802.3u 921
802.3x 921
802.
flowcontrol 366
Force 10 Resilient Ring Protocol 297
forward delay 706, 811
FRRP 297
FRRP Master Node 297
FRRP Transit Node 297
FTOS 578
FTP 60
  configuring client parameters 62
  configuring server parameters 61
  enabling server 61
  using VLANs 60
G
GARP VLAN Registration Protocol (GVRP) 311
grep option 35
grep pipe option 636
GVRP (GARP VLAN Registration Protocol) 311
H
Hash algorithm 352
hash algorithm, LAG 344, 346, 349
hashing algorithms for flows and fragments
hello time 706, 811
host port 630
Hot Lock
M
MAC hashing scheme 351
management interface 334
  accessing 337
  configuring a management interface 337
  configuring IP address 337
  definition 336
  IP address consideration 337
management interface, switch 333
max age 706, 811
MBGP 221
Member VLAN (FRRP) 299
MIB Location 932
minimum oper up links in a port channel 347
mirror, port 621
monitor interfaces 357
MSDP 515
MT IS-IS 423
MT IS-IS TLVs 425
MTU
  configuring MTU values for Port Channels 367
  configuring MTU values for VLANs 367
  definition 364
  IP MTU configu
root bridge 705, 811
route maps
  configuring match commands 117
  configuring set commands 118
  creating 114
  creating multiple instances 115
  default action 114
  definition 113
  deleting 115, 116
  implementation 113
  implicit deny 113
  redistributing routes 119
  tagging routes 120
RSA 736
S
SCP 733, 734
SCP/SSH server 734
searching show commands 36
  display 36
  grep 36
secondary VLAN 630
Secure Shell (SSH) 733
show accounting command 714
show arp command 637
show crypto 736
show hardware commands (S60) 902
show interfa
U
user level
  definition 718
user name
  configuring user name 719
  username command 720
V
virtual IP addresses 883
Virtual LANs. See VLAN.
Virtual Router Identifier. See VRID.
Virtual Router Redundancy Protocol. See VRRP.