FTOS Configuration Guide for the Z9000 System FTOS Version 9.2(0.0) and 9.2(0.
Notes, Cautions, and Warnings

NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2013 Dell Inc.
Contents

1 About this Guide 29
  Audience 29
  Conventions 29
  Related Documents
  Configuring Privilege Levels 51
  Creating a Custom Privilege Level 51
  Removing a Command from EXEC Mode 51
  Moving a Command from EXEC Privilege Mode to EXEC Mode
  Configuring Request Identity Re-Transmissions 74
  Configuring a Quiet Period after a Failed Authentication 75
  Forcibly Authorizing or Unauthorizing a Port 76
  Re-Authenticating a Port
  Continue Clause 107
7 Bidirectional Forwarding Detection (BFD) 109
  How BFD Works 109
  BFD Packet Format
  BGP4 Management Information Base (MIB) 155
  Important Points to Remember 155
  Configuration Information 156
  BGP Configuration
  Sample Configurations 193
9 Content Addressable Memory (CAM) 203
  CAM Profiles 203
  Microcode
  Debugging the DHCP Server 227
  Using DHCP Clear Commands 228
  Configure the System to be a Relay Agent 228
  Configure the System to be a DHCP Client
  Implementing FRRP 250
  FRRP Configuration 251
  Creating the FRRP Group
  Disabling Multicast Flooding 273
  Specifying a Port as Connected to a Multicast Router 273
  Configuring the Switch as Querier 274
  Fast Convergence after MSTP Topology Changes
  Load-Balancing on the ... 292
  Changing the Hash Algorithm 293
  Bulk Configuration 294
  Interface Range
  Configuring DNS with Traceroute 318
  ARP 319
  Configuration Tasks for ARP
  Assigning a Static IPv6 Route 340
  Configuring Telnet with IPv6 340
  SNMP over IPv6 341
  Showing IPv6 Information
  Configuring the LAG Interfaces as Dynamic 371
  Setting the LACP Long Timeout 372
  Monitoring and Debugging LACP 373
  Shared LAG State Tracking
  Important Points to Remember 409
  LLDP Compatibility 409
  CONFIGURATION versus INTERFACE Configurations 409
  Enabling LLDP
  MSDP Sample Configurations 444
26 Multiple Spanning Tree Protocol (MSTP) 449
  Protocol Overview 449
  Spanning Tree Variations
  Graceful Restart 480
  Fast Convergence (OSPFv2, IPv4 Only) 481
  Multi-Process OSPFv2 (IPv4 only) 481
  RFC-2328 Compliant OSPF Flooding
30 PIM Source-Specific Mode (PIM-SSM) 521
  Implementation Information 521
  Important Points to Remember 521
  Configure PIM-SSM
  Implementation Information 549
  Port-Based QoS Configurations 550
  Setting dot1p Priorities for Incoming Traffic 550
  Honoring dot1p Priorities on Ingress Traffic
  Configuring Interfaces for Layer 2 Mode 582
  Enabling Rapid Spanning Tree Protocol Globally 583
  Adding and Removing Interfaces 585
  Modifying Global Parameters
  Configure VLAN Stacking 621
  Creating Access and Trunk Ports 621
  Enable VLAN-Stacking for a VLAN 622
  Configuring the Protocol Type Value for the Outer VLAN Tag
  Related Configuration Tasks 645
  Important Points to Remember 646
  Set up SNMP 646
  Creating a Community
  Enabling Spanning Tree Protocol Globally 671
  Adding an Interface to the Spanning Tree Group 673
  Modifying Global Parameters 674
  Modifying Interface STP Parameters
  Default VLAN 701
  Port-Based VLANs 702
  VLANs and Port Tagging
50 Virtual Router Redundancy Protocol (VRRP) 743
  VRRP Overview 743
  VRRP Benefits 744
  VRRP Implementation
52 Standards Compliance 783
  IEEE Compliance 783
  RFC and I-D Compliance 784
  General Internet Protocols
1 About this Guide

This guide describes the protocols and features the Dell Networking operating system (FTOS) supports and provides configuration instructions and examples for implementing them. This guide supports the Z9000 system platform. The Z9000 platform is available with FTOS version 8.3.11.1 and beyond. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
2 Configuration Fundamentals

The Dell Networking operating system (FTOS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for the Z9000, S4810, and S4820T except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
Beneath CONFIGURATION mode are submodes that apply to interfaces, protocols, and features. The following example shows the submode command structure. Two sub-CONFIGURATION modes are important when configuring the chassis for the first time:
• INTERFACE submode is the mode in which you configure Layer 2 and Layer 3 protocols and IP services specific to an interface.
ROUTE-MAP
ROUTER BGP
  BGP ADDRESS-FAMILY
ROUTER ISIS
  ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP
GRUB

Navigating CLI Modes

The FTOS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode | Prompt | Access Command
Management Ethernet Interface | FTOS(conf-if-ma-0/0)# | interface (INTERFACE modes)
Null Interface | FTOS(conf-if-nu-0)# | interface (INTERFACE modes)
Port-channel Interface | FTOS(conf-if-po-0)# | interface (INTERFACE modes)
Tunnel Interface | FTOS(conf-if-tu-0)# | interface (INTERFACE modes)
VLAN Interface | FTOS(conf-if-vl-0)# | interface (INTERFACE modes)
STANDARD ACCESS-LIST | FTOS(config-std-nacl)# | ip access-list standard (IP ACCESS-LIST Modes)
EXTENDED ACCESS-LIS
ROUTER OSPFV3 | FTOS(conf-ipv6-router_ospf)# | ipv6 router ospf
ROUTER RIP | FTOS(conf-router_rip)# | router rip
SPANNING TREE | FTOS(config-span)# | protocol spanning-tree 0
TRACE-LIST | FTOS(conf-trace-acl)# | ip trace-list
CLASS-MAP | FTOS(config-class-map)# | class-map
CONTROL-PLANE | FTOS(conf-control-cpuqos)# | control-plane-cpuqos
DCB POLICY | FTOS(conf-dcb-in)# (for input policy), FTOS(conf-dcb-out)# (for output policy) | dcb-input (for input policy), dcb-output (for output policy)
VRRP | FTOS(conf-if-interface-type-slot/port-vrid-vrrp-group-id)# | vrrp-group
u-Boot | FTOS(=>)# | Press any key when the following line appears on the console during a system boot: Hit any key to stop autoboot:
UPLINK STATE GROUP | FTOS(conf-uplink-state-group-groupID)# | uplink-state-group

The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
interface GigabitEthernet 4/17
 no ip address
 no shutdown

Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command. For example, in PROTOCOL SPANNING TREE mode, enter no disable to enable Spanning Tree.

Obtaining Help

Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command:
• To list the keywords available in the current mode, enter ? at the prompt or after a keyword.
Short-Cut Key Combination | Action
CNTL-A | Moves the cursor to the beginning of the command line.
CNTL-B | Moves the cursor back one character.
CNTL-D | Deletes character at cursor.
CNTL-E | Moves the cursor to the end of the line.
CNTL-F | Moves the cursor forward one character.
CNTL-I | Completes a keyword.
CNTL-K | Deletes all characters from the cursor to the end of the command line.
CNTL-L | Re-enters the previous command.
• show run | grep ethernet does not return that search result because it only searches for instances containing a non-capitalized "ethernet."
• show run | grep Ethernet ignore-case returns instances containing both "Ethernet" and "ethernet."

The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show linecard all command.
• On the system that telnets into the switch, this message appears:
  % Warning: The following users are currently configuring the system: User "" on line console0
• On the system that is connected over the console, this message appears:
  % Warning: User "" on line vty0 "10.11.130.
3 Getting Started

This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the route processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking operating system (FTOS). Boot messages scroll up the terminal window during this process.
Accessing the Console Port

To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the S4810 console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
• Create a host name.
  CONFIGURATION mode
  hostname name

Example of the hostname Command
FTOS(conf)#hostname R1
R1(conf)#

Accessing the System Remotely

You can configure the system to access it remotely by Telnet or SSH.
• The Z9000 has a dedicated management port and a management routing table that is separate from the IP routing table.
• You can manage all Dell Networking products in-band via the front-end data ports through interfaces assigned an IP address as well.
Configure a Management Route

Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command.
• Configure a management route to the network from which you are accessing the system.
  CONFIGURATION mode
  management route ip-address/mask gateway
  – ip-address: the network address in dotted-decimal format (A.B.
  * 7 is for inputting a password that is already encrypted using a DES hash. Obtain the encrypted password from the configuration file of another Dell Networking system.
  * 5 is for inputting a password that is already encrypted using an MD5 hash. Obtain the encrypted password from the configuration file of another Dell Networking system.

Configuration File Management

Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.
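The encryption-type digit decides whether a credential sits in the running-config in the clear (type 0) or in an already-encrypted form (types 5 and 7). The following Python script is an added example, not part of the Dell guide or of FTOS: it walks a saved configuration, picks out every password and secret line, reports the encryption type used, and flags clear-text entries, which are the ones exposed to anyone who can read a config backup or the show running-config output. The sample configuration, the hash placeholders and the severity labels are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpt for the demo; hash values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
!
hostname R1
enable secret 5 $1$PLACEHOLDER_MD5
username admin privilege 15 password 7 PLACEHOLDER_DES
username backup privilege 1 password 0 plaintextpw
ftp-server enable
ftp-server username nairobi password 0 zanzibar
ip ftp username myusername
ip ftp password mypassword
!
"""

# Encryption types as the guide lists them for the password keyword.
TYPE_DESC = {0: "clear text", 5: "MD5 hash (already encrypted)", 7: "DES hash (already encrypted)"}

# Matches "<command ...> password|secret [type] <value>". The type digit is optional:
# a line without it was typed in the clear, which is the same as type 0.
CRED_RE = re.compile(
    r"^(?P<cmd>.+?\b(?:password|secret))(?:\s+(?P<type>[057]))?\s+(?P<value>\S+)$"
)


@dataclass
class Finding:
    line_no: int
    command: str
    enc_type: int
    severity: str
    note: str


def audit_credentials(config_text):
    """Return one Finding per credential line, flagging clear-text entries as high severity."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        m = CRED_RE.match(raw.strip())
        if not m:
            continue
        enc_type = int(m.group("type")) if m.group("type") else 0
        if enc_type == 0:
            severity = "high"
            note = "credential stored in clear text; readable from the config or any backup of it"
        else:
            severity = "info"
            note = f"stored as {TYPE_DESC[enc_type]}"
        findings.append(Finding(line_no, m.group("cmd"), enc_type, severity, note))
    return findings


def count_by_type(findings):
    """Summarise how many credentials use each encryption type."""
    counts = {}
    for f in findings:
        counts[f.enc_type] = counts.get(f.enc_type, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  [{f.severity:<4}] type {f.enc_type}  {f.command}: {f.note}")
    print("by type:", count_by_type(audit_credentials(SAMPLE_CONFIG)))
```

Running it against a real configuration is a quick way to confirm that no type 0 entries survive after you paste a pre-encrypted string obtained from another system, which is the workflow the two bullets above describe.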
• The usbflash command is supported on Z9000. Refer to your system's Release Notes for a list of approved USB vendors.

Example of Copying a File to an FTP Server
FTOS#copy flash://FTOS-EF-8.2.1.0.bin ftp://myusername:mypassword@10.10.10.10//FTOS/FTOS-EF-8.2.1.0
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
27952672 bytes successfully copied

Example of Importing a File to the Local System
core1#$//copy ftp://myusername:mypassword@10.10.10.10//FTOS/ FTOS-EF-8.2.1.0.
NOTE: When copying to a server, a host name can only be used if a DNS server is configured. • Save the running-configuration to the startup-configuration on the internal flash of the primary RPM. Then copy the new startup-config file to the external flash of the primary RPM.
 6  drw-        8192  Mar 30 1919 10:31:04  CORE_DUMP_DIR
 7  d---        8192  Mar 30 1919 10:31:04  ADMIN_DIR
 8  -rw-    33059550  Jul 11 2007 17:49:46  FTOS-EF-7.4.2.0.bin
 9  -rw-    27674906  Jul 06 2007 00:20:24  FTOS-EF-4.7.4.302.bin
10  -rw-    27674906  Jul 06 2007 19:54:52  boot-image-FILE
11  drw-        8192  Jan 01 1980 00:18:28  diag
12  -rw-        7276  Jul 20 2007 01:52:40  startup-config.
13  -rw-        7341  Jul 20 2007 15:34:46
14  -rw-    27674906  Jul 06 2007 19:52:22
15  -rw-    27674906  Jul 06 2007 02:23:22
--More--
• Change the default directory.
  EXEC Privilege mode
  cd directory

In the following example, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. The bold lines show that no file system is specified and that the file is saved to an external flash.
4 Management

Management is supported on the Z9000 Dell Networking platform. This chapter describes the different protocols or services used to manage the Dell Networking system.

Configuring Privilege Levels

Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Allowing Access to CONFIGURATION Mode Commands To allow access to CONFIGURATION mode, use the privilege exec level level configure command from CONFIGURATION mode. A user that enters CONFIGURATION mode remains at his privilege level and has access to only two commands, end and exit. You must individually specify each CONFIGURATION mode command you want to allow access to using the privilege configure level level command.
Example of EXEC Privilege Commands
FTOS(conf)#do show run priv
!
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
FTOS(conf)#do telnet 10.11.80.201
[telnet output omitted]
FTOS#show priv
Current privilege level is 3.
Applying a Privilege Level to a Username

To set the user privilege level, use the following command.
• Configure a privilege level for a user.
  CONFIGURATION mode
  username username privilege level

Applying a Privilege Level to a Terminal Line

To set a privilege level for a terminal line, use the following command.
• Configure a privilege level for a terminal line.
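To make the effect of the privilege entries concrete, the following Python model is an added example; it is not Dell code and not how FTOS evaluates privilege internally. It loads entries written in the syntax of the show run priv output above and answers whether a user at a given level may run a command in a given mode. Two rules are this model's assumptions: the most specific configured command prefix decides the required level, and a command with no entry is treated as a level-15 command. The exemption for end and exit in CONFIGURATION mode follows the guide.

```python
from dataclasses import dataclass, field

# Privilege entries in the syntax of the guide's "show run priv" example.
SAMPLE_PRIV_CONFIG = """\
privilege exec level 3 capture
privilege exec level 3 configure
privilege exec level 4 resequence
privilege exec level 3 capture bgp-pdu
privilege exec level 3 capture bgp-pdu max-buffer-size
privilege configure level 3 line
privilege configure level 3 interface
"""

DEFAULT_USER_LEVEL = 1        # the guide's default privilege level for a user
UNLISTED_COMMAND_LEVEL = 15   # assumption of this model: no entry means the top level is needed
# Per the guide, a user who enters CONFIGURATION mode gets only end and exit by default.
ALWAYS_ALLOWED = {"configure": ("end", "exit")}


@dataclass
class PrivilegeTable:
    # mode -> {tuple of command tokens -> minimum privilege level}
    entries: dict = field(default_factory=dict)

    def load(self, text):
        """Parse 'privilege <mode> level <n> <command...>' lines; ignores anything else."""
        for raw in text.splitlines():
            parts = raw.split()
            if len(parts) < 5 or parts[0] != "privilege" or parts[2] != "level":
                continue
            mode, level, tokens = parts[1], int(parts[3]), tuple(parts[4:])
            self.entries.setdefault(mode, {})[tokens] = level
        return self

    def required_level(self, mode, command):
        """Level needed to run `command` in `mode`; the longest configured prefix wins."""
        tokens = tuple(command.split())
        if tokens and tokens[0] in ALWAYS_ALLOWED.get(mode, ()):
            return 0
        table = self.entries.get(mode, {})
        for n in range(len(tokens), 0, -1):
            if tokens[:n] in table:
                return table[tokens[:n]]
        return UNLISTED_COMMAND_LEVEL

    def is_authorized(self, mode, user_level, command):
        return user_level >= self.required_level(mode, command)


if __name__ == "__main__":
    table = PrivilegeTable().load(SAMPLE_PRIV_CONFIG)
    for mode, cmd in [("exec", "capture bgp-pdu max-buffer-size"), ("exec", "resequence"),
                      ("configure", "interface TenGigabitEthernet 2/1"), ("configure", "router bgp 65000")]:
        print(f"level 3 user, {mode} mode, '{cmd}': allowed={table.is_authorized(mode, 3, cmd)}")
```

The level-3 user from the example can run capture and configure, and can then use line and interface in CONFIGURATION mode, but not resequence (level 4) or any CONFIGURATION command that has no privilege entry; that is the least-privilege outcome the custom level is meant to produce.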
Configuration Task List for System Log Management

There are two configuration tasks for system log management:
• Disable System Logging
• Send System Messages to a Syslog Server

Disabling System Logging

By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
• Disable all logging except on the console.
Changing System Logging Settings

You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands.
• Specify the minimum severity level for logging to the logging buffer.
Trap logging: level Informational
%IRC-6-IRC_COMMUP: Link to peer RPM is up
%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
  – local7 (for local use)
  – lpr (for line printer system messages)
  – mail (for mail system messages)
  – news (for USENET news messages)
  – sys9 (system use)
  – sys10 (system use)
  – sys11 (system use)
  – sys12 (system use)
  – sys13 (system use)
  – sys14 (system use)
  – syslog (for syslog messages)
  – user (for user programs)
  – uucp (UNIX to UNIX copy protocol)

To view nondefault settings, use the show running-config logging command in EXEC mode.
  – level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
  – limit: the range is from 20 to 300. The default is 20.

To view the logging synchronous configuration, use the show config command in LINE mode.

Enabling Timestamp on Syslog Messages

By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command.
• Add timestamp to syslog messages.
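The severity threshold, the facility keyword and the timestamp option interact when a message is kept in the buffer and forwarded to a syslog server. The following Python script is an added example, not from the Dell guide or FTOS: it parses messages in the %FACILITY-SEVERITY-MNEMONIC form shown in the show logging output above, applies a severity threshold the way a minimum-severity setting does (level 0 is most severe, so a threshold keeps messages at or below it), and renders the RFC 3164 line a server would receive, computing PRI as facility code times 8 plus severity from the facility keywords the guide lists. The first two sample messages are the guide's own; the others, the hostname and the timestamp are constructed for the demo.

```python
import re
from datetime import datetime

# RFC 3164 facility codes for the facility keywords the guide lists.
FACILITY_CODES = {
    "user": 1, "mail": 2, "syslog": 5, "lpr": 6, "news": 7, "uucp": 8,
    "sys9": 9, "sys10": 10, "sys11": 11, "sys12": 12, "sys13": 13, "sys14": 14,
    "local7": 23,
}
# Severity 0 is the most severe; index by the digit in the message.
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]

# FTOS message body: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"^%(?P<fac>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

# First two lines are from the guide's show logging output; the last two are constructed.
SAMPLE_MESSAGES = [
    "%IRC-6-IRC_COMMUP: Link to peer RPM is up",
    "%RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.",
    "%SEC-5-LOGIN_SUCCESS: Login successful for user admin on line vty0",
    "%SEC-4-AUTH_FAIL: Authentication failure for user admin on line vty0",
]
SAMPLE_TIME = datetime(2013, 3, 5, 10, 31, 4)   # constructed timestamp


def parse_message(line):
    """Split one FTOS message into facility, severity (int), mnemonic and text; None if not a message."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    return {"facility": m["fac"], "severity": int(m["sev"]),
            "mnemonic": m["mnemonic"], "text": m["text"], "raw": line.strip()}


def filter_for_buffer(lines, min_severity):
    """Keep what a minimum-severity setting stores: messages whose severity digit is <= the threshold."""
    kept = []
    for line in lines:
        msg = parse_message(line)
        if msg and msg["severity"] <= min_severity:
            kept.append(msg)
    return kept


def syslog_pri(facility_keyword, severity):
    """RFC 3164 PRI value: facility code * 8 + severity."""
    return FACILITY_CODES[facility_keyword] * 8 + severity


def to_syslog(msg, facility_keyword, hostname, timestamp):
    """Render the BSD-syslog line a server receives when timestamps are enabled."""
    pri = syslog_pri(facility_keyword, msg["severity"])
    stamp = f"{timestamp:%b} {timestamp.day:2d} {timestamp:%H:%M:%S}"   # RFC 3164: day is space-padded
    return f"<{pri}>{stamp} {hostname} {msg['raw']}"


if __name__ == "__main__":
    for msg in filter_for_buffer(SAMPLE_MESSAGES, 5):
        print(SEVERITY_NAMES[msg["severity"]], "->", to_syslog(msg, "local7", "R1", SAMPLE_TIME))
```

Lowering the threshold from the default (all messages up to debugging) to 5 drops the two informational link messages but keeps the login success and authentication failure, which is usually the trade-off an operator wants when the buffer is sized in the 20 to 300 line range given above.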
Example of Viewing FTP Configuration
FTOS#show running ftp
!
ftp-server enable
ftp-server username nairobi password 0 zanzibar
FTOS#

Configuring FTP Server Parameters

After you enable the FTP server on the system, you can configure different parameters. To set the FTP server parameters, use the following commands.
• Specify the directory for users using FTP to reach the system.
  CONFIGURATION mode
  ftp-server topdir dir
• The default is the internal flash directory.
• Configure a password.
  CONFIGURATION mode
  ip ftp password password
• Enter a username to use on the FTP client.
  CONFIGURATION mode
  ip ftp username name

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system.
Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, FTOS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
  enable: Prompt for the enable password.
Setting Time Out of EXEC Privilege Mode

EXEC time-out is a basic security feature that returns FTOS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
  LINE mode
  exec-timeout minutes [seconds]
• Return to the default time-out values.
FTOS>exit
FTOS#telnet 2200:2200:2200:2200:2200::2201
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
FTOS#

Lock CONFIGURATION Mode

FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual.
Recovering from a Forgotten Password on the Z9000 System

If you configure authentication for the console and you exit out of EXEC mode or your console session times out, you are prompted for a password to re-enter. If you forget your password, use the following commands.
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3. Press Esc when prompted to abort the boot process.
Recovering from a Forgotten Enable Password on the Z9000

Use the following commands if you forget the enable password.
1. Log onto the system using the console.
2. Power-cycle the chassis by switching off all of the power modules and then switching them back on.
3. Press any key to abort the boot process. You enter grub on the Z9000, as indicated by the grub> prompt.
   (during bootup) hit any key
   NOTE: You must enter the CLI commands. The system rejects them if they are copied and pasted.
4.
5. (Optional) Set the Secondary and Default Boot parameters.
   GRUB mode
   set secondary_boot='f10boot location'
   set default_boot='f10boot location'
6. Save all variables individually.
   GRUB mode
   save_env primary_boot
   save_env secondary_boot
   save_env default_boot
   NOTE: This command must be used once for each environment variable. If this step is not completed, the chassis reboots continually.
7. Reboot the chassis.
5 802.1X

802.1X is supported on the Z9000 platforms. 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS

The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
Figure 5. EAP Over RADIUS

RADIUS Attributes for 802.1X Support

Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
  Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server.
  Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
  Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
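To show what the authenticator actually puts on the wire toward the authentication server, the following Python script is an added example, not from the Dell guide or FTOS. It builds the attribute section of an Access-Request carrying the three attributes listed above plus User-Name (attribute 1) and the supplicant's EAP Response/Identity wrapped in EAP-Message (attribute 79, RFC 3579), using the standard RADIUS Type-Length-Value layout, and then parses it back with length checks so that a malformed attribute is rejected rather than misread. The username, MAC address and port number are constructed; the RADIUS header, authenticator field and Message-Authenticator are left out to keep the focus on the attributes.

```python
import struct

# RADIUS attribute numbers (RFC 2865, RFC 3579). 31, 41 and 61 are the ones the guide says
# FTOS includes in every 802.1X-triggered Access-Request.
USER_NAME, CALLING_STATION_ID, NAS_PORT_TYPE, NAS_PORT, EAP_MESSAGE = 1, 31, 41, 61, 79
NAS_PORT_TYPE_ETHERNET = 15
ATTR_NAMES = {1: "User-Name", 31: "Calling-Station-Id", 41: "NAS-Port-Type",
              61: "NAS-Port", 79: "EAP-Message"}


def avp(attr_type, value):
    """Encode one attribute as Type(1) Length(1) Value; integers are 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack("!I", value)
    elif isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:   # longer EAP payloads must be split over several EAP-Message attributes
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def eap_response_identity(identifier, identity):
    """EAP packet: Code(1)=2 Response, Identifier(1), Length(2), Type(1)=1 Identity, identity bytes."""
    data = identity.encode()
    return struct.pack("!BBHB", 2, identifier, 5 + len(data), 1) + data


def build_access_request_attrs(username, supplicant_mac, nas_port, eap_id):
    """Attribute section the authenticator sends after receiving the supplicant's EAP Response/Identity."""
    return b"".join([
        avp(USER_NAME, username),
        avp(CALLING_STATION_ID, supplicant_mac),      # attribute 31: supplicant MAC
        avp(NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET),    # attribute 41: 15 = Ethernet
        avp(NAS_PORT, nas_port),                       # attribute 61: physical port number
        avp(EAP_MESSAGE, eap_response_identity(eap_id, username)),
    ])


def parse_attrs(blob):
    """Walk the TLV list and return [(type, value_bytes)]; reject bad lengths instead of guessing."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 3 or i + length > len(blob):   # length covers the 2 header bytes plus >= 1 value byte
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def decode(attrs):
    """Turn parsed attributes into readable values; 41 and 61 are integers, 79 is an EAP packet."""
    decoded = {}
    for attr_type, value in attrs:
        name = ATTR_NAMES.get(attr_type, f"Attr-{attr_type}")
        if attr_type in (NAS_PORT_TYPE, NAS_PORT):
            decoded[name] = struct.unpack("!I", value)[0]
        elif attr_type == EAP_MESSAGE:
            code, ident, length, etype = struct.unpack("!BBHB", value[:5])
            decoded[name] = {"code": code, "id": ident, "length": length,
                             "type": etype, "identity": value[5:].decode()}
        else:
            decoded[name] = value.decode()
    return decoded


if __name__ == "__main__":
    blob = build_access_request_attrs("user1", "00-11-22-33-44-55", 17, 1)   # constructed values
    print(blob.hex())
    print(decode(parse_attrs(blob)))
```

On the server side, NAS-Port-Type 15 and the Calling-Station-Id are what a RADIUS policy keys on to decide that this request came from a wired 802.1X port and to apply per-MAC rules, so confirming these attributes arrive intact is the first check when an authentication unexpectedly fails.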
Enabling 802.1X

Enable 802.1X globally.

Figure 6. 802.1X Enabled

1. Enable 802.1X globally.
   CONFIGURATION mode
   dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
   INTERFACE mode
   interface [range]
3. Enable 802.1X on the supplicant interface only.
   INTERFACE mode
   dot1x authentication

Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
Example of Verifying that 802.1X is Enabled Globally
The bold lines show that 802.1X is enabled.
FTOS#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface TenGigabitEthernet 2/1
 no ip address
 dot1x authentication
 no shutdown
!
FTOS#

View 802.1X configuration information for an interface using the show dot1x interface command.

Example of Verifying 802.1X is Enabled on an Interface
The bold lines show that 802.1X is enabled on all ports unauthorized by default.
  dot1x tx-period number
  The range is from 1 to 65535 (1 year). The default is 30.
• Configure a maximum number of times the authenticator re-transmits a Request Identity frame.
  INTERFACE mode
  dot1x max-eap-req number
  The range is from 1 to 10. The default is 2.

The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Re-Auth Interval:  3600 seconds
Max-EAP-Req:       10
Auth Type:         SINGLE_HOST
Auth PAE State:    Initialize
Backend State:     Initialize
Forcibly Authorizing or Unauthorizing a Port
IEEE 802.1X requires that a port can be manually placed into any of three states:
• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to re-authenticate the supplicant periodically. If you enable re-authentication, the supplicant is required to re-authenticate every 3600 seconds, but you can configure this interval. You can configure a maximum number of re-authentications as well.
• Terminate the authentication process due to an unresponsive supplicant.
  INTERFACE mode
  dot1x supplicant-timeout seconds
  The range is from 1 to 300. The default is 30.
• Terminate the authentication process due to an unresponsive authentication server.
  INTERFACE mode
  dot1x server-timeout seconds
  The range is from 1 to 300. The default is 30.
The illustration shows the configuration on the Dell Networking system before connecting the end user device in black and blue text, and after connecting the device in red text. The blue text corresponds to the preceding numbered steps on dynamic VLAN assignment with 802.1X.
Figure 7. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configuration (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). 2.
If the supplicant fails authentication, the authenticator typically does not enable the port. In some cases this behavior is not appropriate. External users of an enterprise network, for example, might not be able to be authenticated, but still need access to the network. Also, some dumb-terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves.
FTOS(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
FTOS(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
FTOS(conf-if-Te-2/1)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN, or using the show dot1x interface command from EXEC Privilege mode.
Example of Viewing Configured Authentication 802.
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), Ingress IP and MAC ACLs, and Egress IP and MAC ACLs are supported on the Z9000 platform.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
NOTE: Hot lock ACLs are supported for Ingress ACLs only. CAM Usage The following section describes CAM allocation and CAM optimization. • User Configurable CAM Allocation • CAM Optimization User Configurable CAM Allocation User configurable CAM allocations are supported on the Z9000 platform. Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks.
If you enable counters on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or prepended. If a rule is appended, the existing counters are not affected. This is applicable to the following features:
• L2 Ingress Access list
• L2 Egress Access list
• L3 Egress Access list
NOTE: IP ACLs are supported over VLANs in FTOS version 6.2.1.1 and higher.
ACLs and VLANs
There are some differences when assigning ACLs to a VLAN rather than a physical port.
FTOS(conf)#interface gig 1/0
FTOS(conf-if-gi-1/0)#service-policy input pmap
IP Fragment Handling
FTOS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules, applicable to all protocols the rules can name (permit/deny ip/tcp/udp/icmp).
• Both standard and extended ACLs support IP fragments.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.
Deny ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information does match the L3 information in the ACL line, the packet's FO is checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.
In this first example, TCP packets from host 10.1.1.1 with TCP destination port equal to 24 are permitted.
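The fragment rules above are easiest to check against concrete packets. The following is an added example, not FTOS code: a small ACL evaluator in Python that applies the FO checks exactly as described (a fragments entry decides only for FO > 0 and falls through for FO = 0, first match wins, implicit deny at the end). The ACL, the packets and the addresses are constructed for the example; the rule that an entry carrying port information cannot match a non-initial fragment (which has no L4 header) is an assumption beyond the text above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    frag_offset: int                # IP Fragment Offset (FO); 0 for unfragmented or initial fragments
    dst_port: Optional[int] = None  # only present when frag_offset == 0


@dataclass
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # CIDR ("host 10.1.1.1" written as 10.1.1.1/32) or "any"
    dst: str
    dst_port: Optional[int] = None  # L4 information
    fragments: bool = False         # the fragments keyword


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # L3 information: protocol and addresses.
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dst_port is not None:
        # Assumption: a rule with L4 information can only match a packet that
        # actually carries an L4 header, which is only the case when FO = 0.
        return pkt.frag_offset == 0 and pkt.dst_port == rule.dst_port
    if rule.fragments:
        # L3-only rule with the fragments keyword: decides for FO > 0 only;
        # a packet with FO = 0 falls through to the next entry.
        return pkt.frag_offset > 0
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed ACL: the "TCP from 10.1.1.1 to port 24 is permitted" case from the text,
# followed by a fragments entry for that host and a catch-all permit.
ACL = [
    Rule(5, "permit", "tcp", "10.1.1.1/32", "any", dst_port=24),
    Rule(10, "deny", "ip", "10.1.1.1/32", "any", fragments=True),
    Rule(15, "permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for p in (Packet("10.1.1.1", "192.0.2.9", "tcp", 0, 24),    # initial fragment, port 24
              Packet("10.1.1.1", "192.0.2.9", "tcp", 185),      # non-initial fragment
              Packet("10.1.1.1", "192.0.2.9", "tcp", 0, 80)):   # initial fragment, port 80
        print(p, "->", evaluate(ACL, p))
```

The second packet shows why the fragments keyword exists: the port-24 entry cannot see a non-initial fragment, so without seq 10 the fragment would slide through to the catch-all permit.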
   ip access-list standard access-list-name
2. Configure a drop or forward filter.
   CONFIG-STD-NACL mode
   seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
NOTE: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five.
When you use the log keyword, the CP logs details about the packets that match.
{deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. The following example shows a standard IP ACL in which FTOS assigns the sequence numbers.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte]] [order] [fragments] When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. FTOS assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
For the following features, if you enable counters on rules that have already been configured and a new rule is either inserted or prepended, all the existing counters are reset:
• L2 ingress access list
• L3 egress access list
• L2 egress access list
If a rule is simply appended, existing counters are not affected.
Table 4. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              L3 ACL denies.
Deny              Permit            L3 ACL permits.
3. Apply an IP ACL to traffic entering or exiting an interface.
   INTERFACE mode
   ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range]
NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specifications about entries allowed per ACL, refer to your line card documentation.
4. Apply rules to the new ACL.
 no shutdown
FTOS(conf-if-gige0/0)#end
FTOS#configure terminal
FTOS(conf)#ip access-list extended abcd
FTOS(config-ext-nacl)#permit tcp any any
FTOS(config-ext-nacl)#deny icmp any any
FTOS(config-ext-nacl)#permit 1.1.1.2
FTOS(config-ext-nacl)#end
FTOS#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 seq 15 permit 1.1.1.2
Configure Egress ACLs
Egress ACLs are supported on the Z9000 platform.
Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic. The Control Plane Egress Layer 3 ACL feature enhances IP reachability debugging by implementing control-plane ACLs for CPU-generated and CPU-forwarded traffic.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list. • After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. Implementation Information In FTOS, prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]).
ip prefix-list juba
 seq 12 deny 134.23.0.0/16
 seq 15 deny 120.0.0.0/8 le 16
 seq 20 permit 0.0.0.0/0 le 32
FTOS(conf-nprefixl)#
NOTE: The last line in the prefix list Juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Example of the show ip prefix-list detail Command
FTOS>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
 seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
 seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
 seq 5 deny 100.100.1.0/24 (hit count: 0)
 seq 6 deny 200.200.1.0/24 (hit count: 0)
 seq 7 deny 200.
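To make the ge/le range semantics and the implicit deny concrete, here is an added Python example (not FTOS code) that evaluates routes against a prefix list the way the rules above describe: entries are tried in sequence order, the first match decides, anything unmatched is denied, and each match bumps a hit counter like the one in the show output. The filter_in list is taken from the example output above; the test routes are constructed. The exact-length rule for an entry with neither ge nor le is standard prefix-list behaviour and is stated here as an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: str                 # e.g. "2.1.0.0/16"
    ge: Optional[int] = None    # minimum route prefix length, inclusive
    le: Optional[int] = None    # maximum route prefix length, inclusive
    hits: int = 0

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(self.prefix, strict=False)
        r = ipaddress.ip_network(route, strict=False)
        if r.version != net.version or not r.subnet_of(net):
            return False
        if self.ge is None and self.le is None:
            # Assumption: no range given means the route must have exactly this length.
            return r.prefixlen == net.prefixlen
        lo = self.ge if self.ge is not None else net.prefixlen
        hi = self.le if self.le is not None else r.max_prefixlen
        return lo <= r.prefixlen <= hi


@dataclass
class PrefixList:
    name: str
    entries: List[PrefixEntry] = field(default_factory=list)

    def evaluate(self, route: str) -> Tuple[str, Optional[int]]:
        """First matching entry decides; an unmatched route is implicitly denied."""
        for e in sorted(self.entries, key=lambda x: x.seq):
            if e.matches(route):
                e.hits += 1
                return e.action, e.seq
        return "deny", None

    def show_detail(self) -> str:
        lines = [f"ip prefix-list {self.name}: count: {len(self.entries)}"]
        for e in sorted(self.entries, key=lambda x: x.seq):
            rng = (f" ge {e.ge}" if e.ge is not None else "") + (f" le {e.le}" if e.le is not None else "")
            lines.append(f" seq {e.seq} {e.action} {e.prefix}{rng} (hit count: {e.hits})")
        return "\n".join(lines)


def filter_in() -> PrefixList:
    # Constructed from the filter_in list in the show ip prefix-list detail output above.
    return PrefixList("filter_in", [
        PrefixEntry(5, "deny", "1.102.0.0/16", le=32),
        PrefixEntry(6, "deny", "2.1.0.0/16", ge=23),
        PrefixEntry(10, "permit", "0.0.0.0/0", le=32),
    ])


if __name__ == "__main__":
    pl = filter_in()
    for route in ("1.102.7.0/24", "2.1.0.0/16", "2.1.5.0/24", "10.0.0.0/8"):
        print(route, "->", pl.evaluate(route))
    print(pl.show_detail())
```

Note how 2.1.0.0/16 itself passes seq 6 (ge 23 only catches the more specific routes) and is then accepted by the permit-all entry; drop that last entry and every non-denied route is silently dropped by the implicit deny.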
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode.
  CONFIGURATION mode
  router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
  CONFIG-ROUTER-OSPF mode
  distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to incoming routes.
Rules Resequencing
Rules After Resequencing:
 seq 5 permit any host 1.1.1.1
 seq 10 permit any host 1.1.1.2
 seq 15 permit any host 1.1.1.3
 seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
they have the same number before and after the command is entered. Remark 4 is incremented as a rule, and all rules have retained their original positions.
Example of Resequencing ACLs When Remarks and Rules Have Different Numbers
FTOS(config-ext-nacl)# show config
!
ip access-list extended test
 remark 4 XYZ
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.1
 remark 9 ABC
 remark 10 this remark corresponds to permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.
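The renumbering behaviour described above (a remark that shares a rule's number stays attached to that rule; a remark with a number of its own is counted as a position of its own, as remark 4 is) can be modelled as a short function. This is an added Python example, not FTOS code; it takes the entries from the show config example above as constructed input, and the 65535 upper bound on sequence numbers is an assumption, not something the text states.

```python
from dataclasses import dataclass
from typing import List

MAX_SEQ = 65535  # assumption: largest sequence number a list may carry


@dataclass
class Entry:
    kind: str      # "remark" or "seq"
    number: int
    text: str


def resequence(entries: List[Entry], start: int, increment: int) -> List[Entry]:
    """Every distinct number in the list, whether it belongs to a rule or only to a
    remark, is treated as a position and receives start, start+increment, ... in
    ascending order. Remarks that share a rule's number keep sharing it, so every
    rule keeps its place relative to the others."""
    if start < 1 or increment < 1:
        raise ValueError("start and increment must be positive")
    ordered = sorted(entries, key=lambda e: e.number)   # stable: a remark stays before its rule
    mapping = {}
    for e in ordered:
        if e.number not in mapping:
            mapping[e.number] = start + increment * len(mapping)
    if mapping and max(mapping.values()) > MAX_SEQ:
        raise ValueError("resequencing would exceed the maximum sequence number")
    return [Entry(e.kind, mapping[e.number], e.text) for e in ordered]


def render(entries: List[Entry]) -> str:
    return "\n".join(f" {e.kind} {e.number} {e.text}" for e in entries)


# Constructed from the "remarks and rules have different numbers" example above.
TEST_ACL = [
    Entry("remark", 4, "XYZ"),
    Entry("remark", 5, "this remark corresponds to permit any host 1.1.1.1"),
    Entry("seq", 5, "permit ip any host 1.1.1.1"),
    Entry("remark", 9, "ABC"),
    Entry("remark", 10, "this remark corresponds to permit ip any host 1.1.1.2"),
    Entry("seq", 10, "permit ip any host 1.1.1.2"),
]

if __name__ == "__main__":
    print(render(resequence(TEST_ACL, 5, 5)))
```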
• When a match is found, the packet is forwarded and no more route-map sequences are processed. – If a continue clause is included in the route-map sequence, the next or a specified route-map sequence is processed after a match is found. Configuration Task List for Route Maps Configure route maps in ROUTE-MAP mode and apply the maps in various commands in ROUTER RIP and ROUTER OSPF modes. The following list includes the configuration tasks for route maps, as described in the following sections.
  level stub-area
FTOS#
To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.
Example of Deleting Instances of a Route Map
FTOS(conf)#no route-map zakho 10
FTOS(conf)#end
FTOS#show route-map
route-map zakho, permit, sequence 20
 Match clauses:
  interface GigabitEthernet 0/1
 Set clauses:
  tag 35
  level stub-area
FTOS#
The following example shows a route map with multiple instances.
Example of the match Command to Match All Specified Values
FTOS(conf)#route-map force permit 10
FTOS(config-route-map)#match tag 1000
FTOS(config-route-map)#match metric 2000
In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and 30 deny the route having a tag value of 1000. In this scenario, FTOS scans all the instances of the route-map for any permit statement. If there is a match anywhere, the route is permitted.
  CONFIG-ROUTE-MAP mode
  match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match next-hop routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv4).
  CONFIG-ROUTE-MAP mode
  match ip route-source {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv6).
  set metric {+ | - | metric-value}
• Specify an OSPF or ISIS type for redistributed routes.
  CONFIG-ROUTE-MAP mode
  set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route’s next hop.
  CONFIG-ROUTE-MAP mode
  set next-hop ip-address
• Assign an IPv6 address as the route’s next hop.
  CONFIG-ROUTE-MAP mode
  set ipv6 next-hop ip-address
• Assign an ORIGIN attribute.
  CONFIG-ROUTE-MAP mode
  set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes.
  match metric 255
  set level backbone
Configure a Route Map for Route Tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
7 Bidirectional Forwarding Detection (BFD)
Bidirectional forwarding detection (BFD) is supported only on the Z9000 platform. BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 8. BFD in IPv4 Packet Format
Field                  Description
Diagnostic Code        The reason that the last session failed.
State                  The current local session state. Refer to BFD Sessions.
Flag                   A bit that indicates packet function.
                       NOTE: FTOS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear.
Detection Multiplier   The number of packets that must be missed in order to declare a session down.
Length                 The entire length of the BFD packet.
My Discriminator       A random number generated by the local system to identify the session.
Your Discriminator     A random number generated by the remote system to identify the session.
Asynchronous mode
In Asynchronous mode, both systems send periodic control messages at an agreed-upon interval to indicate that their session status is Up.
Demand mode
If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time.
NOTE: FTOS supports Asynchronous mode only.
Figure 9.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10.
Configure BFD
This section contains the following procedures.
• Configuring BFD for Physical Ports
• Configure BFD for Static Routes
• Configure BFD for OSPF
• Configure BFD for OSPFv3
• Configure BFD for IS-IS
• Configure BFD for BGP
• Configure BFD for VRRP
• Configuring Protocol Liveness
• Troubleshooting BFD
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only.
 bfd enable
R1(conf)#
Establishing a Session on Physical Ports
To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match.
Figure 11. Establishing a BFD Session on Physical Ports
1. Enter interface mode.
   CONFIGURATION mode
   interface
2. Assign an IP address to the interface if one is not already assigned.
   INTERFACE mode
   ip address ip-address
3.
Remote Addr: 2.2.2.
Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured. If you disable BFD, all of the sessions on that interface are placed in an Administratively Down state (the first message example), and the remote systems are notified of the session state change (the second message example). To disable and re-enable BFD on an interface, use the following commands.
• Disable BFD on an interface.
Establishing Sessions for Static Routes
Sessions are established for all neighbors that are the next hop of a static route.
Figure 12. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
  CONFIGURATION mode
  ip route bfd
To verify that sessions have been created for static routes, use the show bfd neighbors command.
  ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information.
Disabling BFD for Static Routes
If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 13. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Establish sessions with all OSPF neighbors.
Example of Verifying Sessions with OSPF Neighbors
The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Gi 2/1     Up     100     100     3     O
* 2.2.3.1  2.2.3.
Configure BFD for OSPFv3 BFD for OSPFv3 is only supported on the Z9000 platform. BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Related Configuration Tasks • Changing OSPFv3 Session Parameters • Disabling BFD for OSPFv3 Changing OSPFv3 Session Parameters Configure BFD sessions with default intervals and a default role.
Establishing Sessions with OSPFv3 Neighbors
You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands.
• Establish sessions with all OSPFv3 neighbors.
  ROUTER-OSPFv3 mode
  bfd all-neighbors
• Establish sessions with OSPFv3 neighbors on a single interface.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Gi 2/1     Up     100     100     3     I
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1. Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4). 2. Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in BGP Fast Fall-Over. Establishing Sessions with BGP Neighbors Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays. Incoming BFD control packets received from the BGP neighbor are assigned to the highest priority queue within the control plane policing (CoPP) framework to avoid BFD packet drops due to queue congestion. BFD notifies BGP of any failure conditions that it detects on the link. Recovery actions are initiated by BGP.
The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
  ROUTER BGP mode
  neighbor {ip-address | peer-group-name} bfd disable
• Remove the disabled state of a BFD for BGP session with a specified neighbor.
Example of Verifying BGP Configuration
R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 no shutdown
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 no shutdown
 neighbor 3.3.3.2 remote-as 1
 neighbor 3.3.3.2 no shutdown
 bfd all-neighbors
Example of Viewing All BFD Neighbors
R2# show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
M - MPLS
V - VRRP
LocalAddr
* 1.1.1.3
* 2.2.2.3
* 3.3.3.3
RemoteAddr 1.1.1.
Neighbor Discriminator: 11
Local Addr: 2.2.2.3
Local MAC Addr: 00:01:e8:66:da:34
Remote Addr: 2.2.2.
Example of Viewing BFD Summary Information
The bold line shows the message displayed when you enable BFD for BGP connections.
R2# show ip bgp summary
BGP router identifier 10.0.0.1, local AS number 2
BGP table version is 0, main routing table version 0
BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active
3 neighbor(s) using 24168 bytes of memory
Neighbor  AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down  State/Pfx
1.1.1.2
2.2.2.2
3.3.3.
Foreign host: 2.2.2.2, Foreign port: 179
E1200i_ExaScale#
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.2.2.3, remote AS 1, external link
 Member of peer-group pg1 for session parameters
 BGP version 4, remote router ID 12.0.0.4
 BGP state ESTABLISHED, in this state for 00:05:33
 ...
 Neighbor is using BGP neighbor mode BFD configuration
 Peer active in peer-group outbound optimization
 ...
R2# show ip bgp neighbors 2.2.2.4
BGP neighbor is 2.2.2.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 16. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
V - VRRP
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.5.1  2.2.5.2     Gi 4/25    Down   1000    1000    3     V
To view session state information, use the show vrrp command.
Example of Viewing VRRP Session State Information
The bold line shows the VRRP BFD session.
R1(conf-if-gi-4/25)#do show vrrp
-----------------
GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.
• Disable all VRRP sessions on an interface.
  INTERFACE mode
  no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
  VRRP mode
  bfd disable
• Disable a particular VRRP session on an interface.
  INTERFACE mode
  no vrrp bfd neighbor ip-address
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down.
The following example displays hexadecimal output from the debug bfd packet command.
Example of Output from the debug bfd packet Command
RX packet dump:
20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00
00:34:13 : Sent packet for session with neighbor 2.2.2.2 on Gi 4/24
TX packet dump:
20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00
00:34:14 : Received packet for session with neighbor 2.2.2.
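The hex dump above is the mandatory 24-byte section of an RFC 5880 control packet, laid out exactly as the BFD Packet Format table earlier in this chapter describes. The following added Python example (not FTOS code, and not the debug command's own decoder) decodes that RX dump field by field and applies the receiver sanity checks from RFC 5880 section 6.8.6, which is useful when reading these dumps during troubleshooting: the flag bits come out clear, as the NOTE in the packet-format table says they always are on FTOS, and the intervals and multiplier decode to the 100 ms / 3 values shown in the show bfd neighbors output. The input bytes are copied from the dump; the local Required Min RX value passed to the detection-time helper is an assumption.

```python
import struct
from dataclasses import dataclass

# Constructed input: the RX packet dump printed by debug bfd packet above.
RX_DUMP = "20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00"

STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    poll: bool
    final: bool
    cpi: bool            # Control Plane Independent
    auth_present: bool
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_discriminator: int
    your_discriminator: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int

    @property
    def state_name(self) -> str:
        return STATE_NAMES[self.state]

    def detection_time_us(self, local_required_min_rx_us: int) -> int:
        # Asynchronous-mode detection time on the receiving side: the remote Detect Mult
        # times the slower of what the remote wants to send and what we agreed to receive.
        return self.detect_mult * max(self.desired_min_tx_us, local_required_min_rx_us)


def hex_dump_to_bytes(dump: str) -> bytes:
    return bytes(int(tok, 16) for tok in dump.split())


def parse_bfd_control(data: bytes) -> BfdControl:
    """Decode the mandatory section; byte 0 is vers(3)/diag(5), byte 1 is sta(2)/P/F/C/A/D/M."""
    if len(data) < 24:
        raise ValueError("packet shorter than the 24-byte mandatory section")
    (vers_diag, sta_flags, detect_mult, length,
     my_disc, your_disc, min_tx, min_rx, min_echo) = struct.unpack("!BBBBIIIII", data[:24])
    return BfdControl(
        version=vers_diag >> 5, diag=vers_diag & 0x1F,
        state=sta_flags >> 6,
        poll=bool(sta_flags & 0x20), final=bool(sta_flags & 0x10),
        cpi=bool(sta_flags & 0x08), auth_present=bool(sta_flags & 0x04),
        demand=bool(sta_flags & 0x02), multipoint=bool(sta_flags & 0x01),
        detect_mult=detect_mult, length=length,
        my_discriminator=my_disc, your_discriminator=your_disc,
        desired_min_tx_us=min_tx, required_min_rx_us=min_rx, required_min_echo_rx_us=min_echo,
    )


def discard_reasons(pkt: BfdControl, wire_len: int) -> list:
    """RFC 5880 section 6.8.6 checks a receiver applies before touching any session state."""
    reasons = []
    if pkt.version != 1:
        reasons.append("version is not 1")
    if pkt.length < 24 or pkt.length > wire_len:
        reasons.append("length field inconsistent with packet")
    if pkt.auth_present and pkt.length < 26:
        reasons.append("A bit set but no room for an authentication section")
    if pkt.detect_mult == 0:
        reasons.append("detect multiplier is zero")
    if pkt.multipoint:
        reasons.append("multipoint bit set")
    if pkt.my_discriminator == 0:
        reasons.append("my discriminator is zero")
    if pkt.your_discriminator == 0 and pkt.state not in (0, 1):
        reasons.append("your discriminator is zero but state is not Down or AdminDown")
    return reasons


if __name__ == "__main__":
    raw = hex_dump_to_bytes(RX_DUMP)
    pkt = parse_bfd_control(raw)
    print(pkt.state_name, "mult", pkt.detect_mult, "my/your disc",
          pkt.my_discriminator, pkt.your_discriminator,
          "tx", pkt.desired_min_tx_us // 1000, "ms", "discard:", discard_reasons(pkt, len(raw)))
```

The discriminator pair (5/4 in the RX dump, 4/5 in the TX dump) is what ties a packet to a session; a packet whose Your Discriminator matches no local session is the first thing to look for when a session stays in Down.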
8 Border Gateway Protocol IPv4 (BGPv4)
Border gateway protocol version 4 for IPv4 (BGPv4) is supported on the Z9000 platform. This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system (FTOS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS).
Figure 17. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Because BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision. • If a route was received from a nonclient peer, reflect the route to all client peers. • If the route was received from a client peer, reflect the route to all nonclient and all client peers.
• Origin • AS Path • Next Hop Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
Figure 20. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command. 4.
7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP next-hop if it is selected when synchronization is disabled and only an internal path remains.
9. FTOS deems the paths as equal and does not perform steps 9 through 11 if the following criteria are met: a. the IBGP multipath or EBGP multipath are configured (the maximum-path command). b.
Figure 21. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 22. Multi-Exit Discriminators NOTE: With FTOS version 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP with FTOS The following sections describe how to implement BGP on FTOS. Additional Path (Add-Path) Support BGP add-path is supported on the Z-Series platform. The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID for Some Best-Path Calculations FTOS version 8.3.1.0 and later allows you to avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers FTOS version 7.7.1 and later supports 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs).
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in dotted decimal format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
Dynamic AS Number Notation Application
FTOS version 8.3.1.0 applies the ASN notation type change dynamically to the running-config statements.
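The three notations are easy to confuse in policy and in log review, so here is an added Python example (not FTOS code) that converts a 32-bit AS number to asplain, asdot+ and asdot and parses any of the three back, reproducing the 65526 / 1.10 cases above. The is_private helper and the AS_TRANS constant go beyond the text: they reflect the reserved ranges from RFC 6996 and RFC 6793 and are included as assumptions useful when checking which ASNs should appear in an update.

```python
import re

AS_TRANS = 23456      # RFC 6793: placeholder a 4-byte ASN is replaced by toward 2-byte-only peers
_DOTTED = re.compile(r"^(\d+)\.(\d+)$")


def _check(asn: int) -> None:
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"AS number out of 32-bit range: {asn}")


def to_asplain(asn: int) -> str:
    _check(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """Always high.low, even below 65536 (0.65526)."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """Integer below 65536, high.low from 65536 upward."""
    _check(asn)
    return str(asn) if asn < 65536 else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept asplain, asdot or asdot+ text and return the integer ASN."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        hi, lo = int(m.group(1)), int(m.group(2))
        if hi > 0xFFFF or lo > 0xFFFF:
            raise ValueError(f"dotted AS number part out of range: {text}")
        return (hi << 16) | lo
    if not text.isdigit():
        raise ValueError(f"not an AS number: {text}")
    asn = int(text)
    _check(asn)
    return asn


def is_private(asn: int) -> bool:
    # Assumption: RFC 6996 private ranges (2-byte and 4-byte).
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


if __name__ == "__main__":
    for asn in (65526, 65546, 65536, 4200000000):
        print(asn, to_asplain(asn), to_asdot(asn), to_asdot_plus(asn), "private" if is_private(asn) else "")
```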
Figure 23. Before and After AS Number Migration with Local-AS Enabled
When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
BGP4 Management Information Base (MIB)
The FORCE10-BGP4-V2-MIB enhances FTOS BGP management information base (MIB) support with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website.
NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public.
• An SNMP walk may terminate prematurely if the index does not increment lexicographically. Dell Networking recommends using options to ignore such errors.
• Multiple BGP process instances are not supported. Thus, the f10BgpM2PeerInstance field in various tables is not used to locate a peer.
Item: Default
Graceful Restart feature: Disabled
Local preference: 100
MED: 0
Route Flap Damping Parameters: half-life = 15 minutes, reuse = 750, suppress = 2000, max-suppress-time = 60 minutes
Distance: external distance = 20, internal distance = 200, local distance = 200
Timers: keepalive = 60 seconds, holdtime = 180 seconds
Add-path: Disabled
Enabling BGP
By default, BGP is not enabled on the system. FTOS supports one autonomous system (AS) and assigns the AS number (ASN).
NOTE: Use it only if you support 4-Byte AS numbers or if you support AS4 number representation. If you are supporting 4-Byte ASNs, enable this command. Disable 4-Byte support and return to the default 2-Byte format by using the no bgp four-octet-as-support command. You cannot disable 4-Byte support if you currently have a 4-Byte ASN configured. Disabling 4-Byte AS numbers also disables ASDOT and ASDOT+ number representation. All AS numbers are displayed in ASPLAIN format.
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
1 paths using 72 bytes of memory
BGP-RIB over all using 73 bytes of memory
1 BGP path attribute entrie(s) using 72 bytes of memory
1 BGP AS-PATH entrie(s) using 47 bytes of memory
5 neighbor(s) using 23520 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
10.10.21.1
10.10.32.3
100.10.92.9
192.168.10.1
192.168.12.
Last read 17:12:40, hold time is 180, keepalive interval is 60 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Received 0 updates, Sent 0 updates
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
0 accepted prefixes consume 0 bytes
Prefix advertised 0, rejected 0, withdrawn 0
Connections established 0; dropped 0
Last reset never
No active TCP connection
FTOS#
Example of Verifying
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If you do not implement 4-Byte AS numbers, only ASPLAIN representation is supported. Only one form of AS number representation is supported at a time. You cannot combine the types of representations within an AS. To configure AS4 number representations, use the following commands. • Enable ASPLAIN AS Number representation.
neighbor 172.30.1.250 local-as 65057
neighbor 172.30.1.250 route-map rmap1 in
neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
neighbor 172.30.1.250 no shutdown
5332332 9911991 65057 18508 12182 7018 46164 i
Configuring Peer Groups
To configure multiple BGP neighbors at one time, create and populate a BGP peer group. An advantage of peer groups is that members of a peer group inherit the configuration properties of the group and share the same update policy.
After you create a peer group, you can use any of the commands beginning with the keyword neighbor to configure that peer group. When you add a peer to a peer group, it inherits all the peer group’s configured parameters.
When you disable a peer group, all the peers within the peer group that are in the ESTABLISHED state move to the IDLE state. To view the status of peer groups, use the show ip bgp peer-group command in EXEC Privilege mode, as shown in the following example.
• Enable BGP Fast Fail-Over.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} fail-over
To verify fast fail-over is enabled on a particular BGP neighbor, use the show ip bgp neighbors command. Because fast fail-over is disabled by default, it appears only if it has been enabled (shown in bold).
Example of Verifying that Fast Fail-Over is Enabled on a BGP Neighbor
FTOS#sh ip bgp neighbors
BGP neighbor is 100.100.100.
fail-over enabled
BGP version 4
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP neighbor is test
Number of peers in this group 1
Peer-group members (* - outbound optimized):
100.100.100.100*
FTOS#
router bgp 65517
 neighbor test peer-group
 neighbor test fail-over
 neighbor test no shutdown
 neighbor 100.100.100.100 remote-as 65517
 neighbor 100.100.100.100 fail-over
 neighbor 100.100.100.100 update-source Loopback 0
 neighbor 100.100.100.
FTOS#
Maintaining Existing AS Numbers During an AS Migration
The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration. When you complete your migration, be sure to reconfigure your routers with the new information and disable this feature.
• Allow external routes from this neighbor.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} local-as as-number [no prepend]
– Peer Group Name: 16 characters.
• Allow this neighbor ID to use the AS path the specified number of times.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} allowas-in number
– Peer Group Name: 16 characters.
– Number: 1 through 10.
Format: IP Address: A.B.C.D.
You must Configure Peer Groups before assigning a peer group to an AS. The lines shown in bold are the number of times ASN 65123 can appear in the AS path (allowas-in 9).
• Deletes all routes from the peer if forwarding state information is not saved. • Speeds convergence by advertising a special update packet known as an end-of-RIB marker. This marker indicates the peer has been updated with all routes in the local RIB.
• Local router supports graceful restart for this neighbor or peer-group as a receiver only.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [role receiver-only]
• Set the maximum time to retain the restarting neighbor’s or peer-group’s stale paths.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds]
The default is 360 seconds.
As seen in the following example, the expressions are displayed when using the show commands. To view the ASPATH ACL configuration, use the show config command in CONFIGURATION AS-PATH ACL mode and the show ip as-path-access-list command in EXEC Privilege mode. For more information about this command and route filtering, refer to Filtering BGP Routes. The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2.
redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name]
Configure the following parameters:
– level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2.
– metric value: The value is from 0 to 16777215. The default is 0.
– map-name: name of a configured route map.
• Include specific OSPF routes in IS-IS.
IETF RFC 1997 defines the COMMUNITY attribute and the predefined communities of INTERNET, NO_EXPORT_SUBCONFED, NO_ADVERTISE, and NO_EXPORT. All BGP routes belong to the INTERNET community. In the RFC, the other communities are defined as follows: • All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. • All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised.
deny 14551:666
FTOS#
Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
CONFIG-ROUTE-MAP mode
match {community community-list-name [exact] | extcommunity extcommunity-list-name [exact]}
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.
3.
– community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system.
– local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED are not sent to EBGP peers.
– no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE are not advertised.
– no-export: routes with the COMMUNITY attribute of NO_EXPORT.
– none: remove the COMMUNITY attribute.
– additive: add the communities to already existing communities.
Changing MED Attributes
By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands.
• Enable MED comparison in the paths from neighbors with different ASs. By default, this comparison is not performed.
CONFIG-ROUTER-BGP mode
bgp always-compare-med
• Change the bestpath MED selection.
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. Changing the NEXT_HOP Attribute You can change how the NEXT_HOP attribute is used.
The show ip bgp network command includes multipath information for that network. • Enable multiple parallel paths. CONFIG-ROUTER-BGP mode maximum-paths {ebgp | ibgp} number Filtering BGP Routes Filtering routes allows you to implement BGP policies. You can use either IP prefix lists, route maps, AS-PATH ACLs or IP community lists (using a route map) to control which routes the BGP neighbor or peer group accepts and advertises.
5. Filter routes based on the criteria in the configured prefix list. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out} Configure the following parameters: – ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. – prefix-list-name: enter the name of a configured prefix list. – in: apply the prefix list to inbound routes. – out: apply the prefix list to outbound routes.
– in: apply the route map to inbound routes.
– out: apply the route map to outbound routes.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Filtering BGP Routes Using AS-PATH Information
To filter routes based on AS-PATH information, use these commands.
1. Create an AS-PATH ACL and assign it a name.
CONFIGURATION mode
ip as-path access-list as-path-name
2.
bgp cluster-id cluster-id
You can have multiple clusters in an AS.
• Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} route-reflector-client
When you enable a route reflector, FTOS automatically enables route reflection to all clients.
• Specifies the confederation ID.
CONFIG-ROUTER-BGP mode
bgp confederation identifier as-number
– as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
• Specifies which confederation sub-AS are peers.
CONFIG-ROUTER-BGP mode
bgp confederation peers as-number [... as-number]
– as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support.
– half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed).
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
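The penalty arithmetic behind these parameters, as an added Python model (my own code, not FTOS): each flap adds the 1024 penalty the text mentions, the penalty halves every half-life, the route is suppressed above suppress and re-advertised once it decays below reuse. The penalty ceiling derived from max-suppress-time follows the RFC 2439 convention and is an assumption; the CLI parser assumes the half-life/reuse/suppress/max-suppress-time order shown above.

```python
import math
from dataclasses import dataclass


@dataclass
class DampeningParams:
    """Values from 'bgp dampening half-life reuse suppress max-suppress-time'."""
    half_life_min: float = 15.0      # minutes for the penalty to halve
    reuse: int = 750                 # re-advertise once the penalty falls below this
    suppress: int = 2000             # suppress once the penalty exceeds this
    max_suppress_min: float = 60.0   # longest time a route stays suppressed
    flap_penalty: int = 1024         # penalty added per flap (as stated in the text)

    @classmethod
    def from_cli(cls, line: str) -> "DampeningParams":
        """Parse 'bgp dampening [half-life [reuse [suppress [max-suppress-time]]]]'."""
        words = line.split()
        if words[:2] != ["bgp", "dampening"]:
            raise ValueError(f"not a bgp dampening line: {line!r}")
        params = cls()
        names = ("half_life_min", "reuse", "suppress", "max_suppress_min")
        for name, word in zip(names, words[2:6]):
            setattr(params, name, int(word) if name in ("reuse", "suppress") else float(word))
        return params

    @property
    def max_penalty(self) -> float:
        # Ceiling so a route is never suppressed longer than max-suppress-time
        # (RFC 2439 convention; assumed here, not stated in the text).
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class DampenedRoute:
    params: DampeningParams
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False

    def decay_to(self, now_min: float) -> float:
        """Apply exponential decay: the penalty halves every half-life."""
        elapsed = now_min - self.last_update_min
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / self.params.half_life_min)
            self.last_update_min = now_min
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False          # below reuse: advertised again
        return self.penalty

    def flap(self, now_min: float) -> bool:
        """Record one flap at now_min; return True if the route is now suppressed."""
        self.decay_to(now_min)
        self.penalty = min(self.penalty + self.params.flap_penalty,
                           self.params.max_penalty)
        if self.penalty > self.params.suppress:
            self.suppressed = True
        return self.suppressed

    def minutes_until_reuse(self, now_min: float) -> float:
        """Solve penalty * 0.5 ** (t / half_life) = reuse for t."""
        self.decay_to(now_min)
        if self.penalty < self.params.reuse:
            return 0.0
        return self.params.half_life_min * math.log2(self.penalty / self.params.reuse)
```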
• Configure timer values for a BGP neighbor or peer group.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} timers keepalive holdtime
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
– holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
– neighbor-address: Clears the neighbor with this IP address.
– AS Numbers: Peers’ AS numbers to be cleared.
– ipv4: Clears information for the IPv4 address family.
– peer-group-name: Clears all members of the specified peer group.
• Enable soft-reconfiguration for the BGP neighbor specified.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | peer-group-name} soft-reconfiguration inbound
BGP stores all the updates received from the neighbor but does not reset the peer session.
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. MBGP for IPv4 multicast is supported on the Z9000 platform. FTOS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group.
• View information about BGP routes being dampened.
EXEC Privilege mode
debug ip bgp dampening [in | out]
• View information about local BGP state changes and other BGP events.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] events [in | out]
• View information about BGP KEEPALIVE messages.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] keepalive [in | out]
• View information about BGP notifications received from or sent to neighbors.
43 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
 MULTIPROTO_EXT(1)
 ROUTE_REFRESH(2)
 CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
 MULTIPROTO_EXT(1)
 ROUTE_REFRESH(2)
 CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by p
Example of the show capture bgp-pdu neighbor Command FTOS#show capture bgp-pdu neighbor 20.20.20.2 Incoming packet capture enabled for BGP neighbor 20.20.20.
Sample Configurations
The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. The following illustration shows the configurations described in the following examples.
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
 ip address 10.0.1.21/24
 no shutdown
R1(conf-if-gi-1/21)#int gig 1/31
R1(conf-if-gi-1/31)#ip address 10.0.3.31/24
R1(conf-if-gi-1/31)#no shutdown
R1(conf-if-gi-1/31)#show config
!
interface GigabitEthernet 1/31
 ip address 10.0.3.31/24
 no shutdown
R1(conf-if-gi-1/31)#router bgp 99
R1(conf-router_bgp)#network 192.168.128.0/24
R1(conf-router_bgp)#neighbor 192.168.128.2 remote 99
R1(conf-router_bgp)#neighbor 192.168.
interface GigabitEthernet 2/11
 ip address 10.0.1.22/24
 no shutdown
R2(conf-if-gi-2/11)#int gig 2/31
R2(conf-if-gi-2/31)#ip address 10.0.2.2/24
R2(conf-if-gi-2/31)#no shutdown
R2(conf-if-gi-2/31)#show config
!
interface GigabitEthernet 2/31
 ip address 10.0.2.2/24
 no shutdown
R2(conf-if-gi-2/31)#
R2(conf-if-gi-2/31)#router bgp 99
R2(conf-router_bgp)#network 192.168.128.0/24
R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R2(conf-router_bgp)#neighbor 192.168.128.1 no shut
R2(conf-router_bgp)#neighbor 192.
R3(conf-if-gi-3/11)#show config
!
interface GigabitEthernet 3/11
 ip address 10.0.3.33/24
 no shutdown
R3(conf-if-lo-0)#int gig 3/21
R3(conf-if-gi-3/21)#ip address 10.0.2.3/24
R3(conf-if-gi-3/21)#no shutdown
R3(conf-if-gi-3/21)#show config
!
interface GigabitEthernet 3/21
 ip address 10.0.2.3/24
 no shutdown
R3(conf-if-gi-3/21)#
R3(conf-if-gi-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#network 192.168.128.0/24
R3(conf-router_bgp)#neighbor 192.168.128.
!
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 peer-group AAA
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 peer-group BBB
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R1#
R1#show ip bgp summary
BGP router identifier 192.168.
Notification History
'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:00:57 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.1, Local port: 179
Foreign host: 192.168.128.2, Foreign port: 65464
BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.
neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#
R2#show ip bgp summary
BGP router identifier 192.168.128.
R3#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.
BGP neighbor is 192.168.128.3, remote AS 100, external link
Member of peer-group BBB for session parameters
BGP version 4, remote router ID 192.168.128.
9 Content Addressable Memory (CAM)
Content addressable memory (CAM) is supported on the Z9000 platform. CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On Dell Networking systems, there are one or two CAM (Dual-CAM) modules per port-pipe depending on the type of line card.
CAM Profile: Description
Available Microcodes: default.
unified-default: Maintains the CAM allocations for the IPv4 FIB while allocating more CAM space for the Ingress and Egress Layer 2 ACL and IPv4 ACL regions. Available Microcodes: ipv6-extacl.
ipv4-64k-ipv6: Provides IPv6 functionality; an alternate to ipv6-extacl that redistributes CAM space from the IPv4FIB to IPv4Flow and IPv6FIB. Available Microcodes: ipv6-extacl.
The size of CAM partitions is measured in entries.
NOTE: Not all CAM profiles and microcodes are available for all systems. For details regarding available profiles for each system, refer to the Command Line Interface Reference Guide.
Microcode: Description
default: Distributes CAM space for a typical deployment.
lag-hash-align: For applications that require the same hashing for bi-directional traffic (for example, VoIP call or P2P file sharing). For port-channels, this microcode maps both directions of a bi-directional flow to the same output link.
selected, non-EJ cards will be in problem state after reload
# After reload:
00:04:46: %RPM0-P:CP %CHMGR-3-PROFILE_MISMATCH: Mismatch: line card 1 has mismatch CAM profile or microcode
Example 1: EF Line Card with EG Chassis Profile (Card Problem)
R1#show linecard 1 brief
-- Line card 1 --
Status : card problem - mismatch cam profile
Next Boot : online
Required Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF)
Current Type : E48TF - 48-port 10/100/1000Base-T line card with RJ-45 i
Important Points to Remember
• All line cards within a single system must have the same CAM profile; this profile must match the system CAM profile (the profile on the primary RPM).
• FTOS automatically reconfigures the CAM profile on line cards and the secondary RPM to match the system CAM profile by saving the correct profile on the card and then rebooting it.
The CAM configuration is applied to the entire system when you use the CONFIGURATION mode commands.
Table 9. Default CAM Allocation Settings
CAM Allocation: Setting
L3 ACL (ipv4acl): 6
L2 ACL (l2acl): 5
IPv6 L3 ACL (ipv6acl): 0
L3 QoS (ipv4qos): 1
L2 QoS (l2qos): 1
L2PT (l2pt): 1
MAC ACLs (ipmacacl): 2
ECFMACL (ecfmacl): 0
VMAN QoS (vman-qos): 0
VMAN Dual QoS (vman-dual-qos): 0
The following additional CAM allocation settings are supported on the S4810 or S4820T platforms only.
Table 10.
Test CAM Usage The test cam-usage command is supported on the Z9000 platform. This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required.
NOTE: If you select the CAM profile from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
Example of show running-config cam-profile Command
FTOS#show running-config cam-profile
!
cam-profile default microcode default
FTOS#
View CAM-ACL Settings
The show cam-acl command is supported on the platform. View the current cam-acl settings using the show cam-acl command.
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 2
-- Stack unit 0 --
Current Settings(in block sizes)
L2Acl : 4
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 2
FTOS#
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command from EXEC Privil
Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or CONFIGURATION mode, as shown in the following example.
LAG Hashing Based on Bidirectional Flow
To hash LAG packets such that both directions of a bidirectional flow (for example, VoIP or P2P file sharing) are mapped to the same output link in the LAG bundle, use the default CAM profile with the microcode lag-hash-align.
Troubleshoot CAM Profiling
The following section describes CAM profiling troubleshooting.
CAM Profile Mismatches
The CAM profile on all cards must match the system profile.
10 Control Plane Policing (CoPP)
Control plane policing (CoPP) is supported on the Z9000 platform. Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 26. CoPP Implemented Versus CoPP Not Implemented
Configure Control Plane Policing
For example, border gateway protocol (BGP) and internet control message protocol (ICMP) share the same queue (Q6); Q6 has 400 PPS of bandwidth by default. The desired rate of ICMP is 100 PPS and the remaining 300 PPS is assigned to BGP. If ICMP packets come at 400 PPS, BGP packets may be dropped even though ICMP packets are rate-limited to 100 PPS.
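To make the shared-queue problem concrete, here is an added Python model (my own code, not FTOS): a constructed one-second traffic mix is pushed through an optional per-protocol CoPP stage and then a 400 PPS queue budget that is consumed in arrival order. The interleaving of arrivals and the simple tail-drop queue are assumptions, chosen only to show why per-protocol policing protects BGP from an ICMP burst.

```python
from collections import Counter
from typing import Dict, List, Optional


def arrival_sequence(rates_pps: Dict[str, int]) -> List[str]:
    """Constructed one-second mix: a protocol sent at r PPS emits packets at
    t = i/r, and all protocols are merged in time order (earliest first)."""
    timed = [(i / rate, proto) for proto, rate in rates_pps.items() for i in range(rate)]
    timed.sort()
    return [proto for _, proto in timed]


def police_per_protocol(seq: List[str], limits_pps: Dict[str, int]) -> List[str]:
    """CoPP stage: admit at most limits_pps[p] packets of protocol p per second;
    protocols without a configured limit pass through unchanged."""
    admitted: Counter = Counter()
    out: List[str] = []
    for proto in seq:
        limit = limits_pps.get(proto)
        if limit is None or admitted[proto] < limit:
            admitted[proto] += 1
            out.append(proto)
    return out


def cpu_queue(seq: List[str], queue_pps: int) -> List[str]:
    """Shared CPU queue (Q6 in the text): its PPS budget is used in arrival
    order, so everything beyond it is tail-dropped regardless of protocol."""
    return seq[:queue_pps]


def delivered_to_cpu(rates_pps: Dict[str, int], queue_pps: int = 400,
                     copp_limits: Optional[Dict[str, int]] = None) -> Counter:
    """Packets per protocol that reach the CPU in one second, with or without CoPP."""
    seq = arrival_sequence(rates_pps)
    if copp_limits:
        seq = police_per_protocol(seq, copp_limits)
    return Counter(cpu_queue(seq, queue_pps))


if __name__ == "__main__":
    mix = {"icmp": 400, "bgp": 50}               # ICMP burst at the full Q6 rate
    print("no CoPP:  ", dict(delivered_to_cpu(mix)))
    print("with CoPP:", dict(delivered_to_cpu(mix, copp_limits={"icmp": 100, "bgp": 300})))
```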
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
FTOS(conf-mac-acl-cpuqos)#exit
FTOS(conf)#ipv6 access-list ipv6-icmp cpu-qos
FTOS(conf-ipv6-acl-cpuqos)#permit icmp
FTOS(conf-ipv6-acl-cpuqos)#exit
FTOS(conf)#ipv6 access-list ipv6-vrrp cpu-qos
FTOS(conf-ipv6-acl-cpuqos)#permit vrrp
FTOS(conf-ipv6-acl-cpuqos)#exit
Example of Creating the QoS Input Policy
FTOS(conf)#qos-policy-in rate_limit_200k cpu-qos
FTOS(conf-in-qos-policy-cpuqos)#rate-police 200 40 peak 500 40
FTOS(conf-in-qos-policy-cpuqos)#exit
FTOS(conf)#qos-policy-in rate_limit_400k cpu-qos
FTOS(con
The basics for creating a CoPP service policy are to create QoS policies for the desired CPU-bound queue and associate them with a particular rate-limit. The QoS policies are assigned to a control-plane service policy for each port-pipe.
1. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
qos-policy-input name cpu-qos
2. Create an input policy-map to assign the QoS policy to the desired service queues.
Q6 400
Q7 1100
FTOS#
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
11 Dynamic Host Configuration Protocol (DHCP)
Dynamic host configuration protocol (DHCP) is available on the Z-Series platform. DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option: Number and Description
Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server: Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name: Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
IP Address Lease Time: Option 51. Specifies the amount of time that the client is allowed to use an assigned IP address.
DHCP Message Type: Option 53.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking operating system (FTOS) uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
DHCP Server Responsibility: Description
Responding To Client Requests: DHCP servers respond to different types of requests from clients, primarily granting, renewing, and terminating leases.
Providing Administration Services: DHCP servers include functionality that allows an administrator to implement policies that govern how DHCP performs its other tasks.
Related Configuration Tasks
• Configure a Method of Hostname Resolution
• Creating Manual Binding Entries
• Debugging the DHCP Server
• Using DHCP Clear Commands
Excluding Addresses from the Address Pool
The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients. You must specify the IP address that the DHCP server should not assign to clients. To exclude an address, follow this step.
• Exclude an address range from DHCP assignment.
Using NetBIOS WINS for Address Resolution Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid. 1. Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
clear ip dhcp binding ip-address
Configure the System to be a Relay Agent
This feature is available on the Z-Series platform.
Figure 29. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.
ICMP redirects are not sent
ICMP unreachables are not sent
Configure the System to be a DHCP Client
A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows:
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (FTOS version and a configuration file).
When a stack failover occurs, the new master requires the same DHCP server-assigned IP address on DHCP client interfaces. The new master reinitiates a DHCP packet transaction by sending a DHCP discovery packet on nonbound interfaces.
Virtual Link Trunking (VLT)
A DHCP client is not supported on VLT interfaces.
VLAN and Port Channels
DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
Configure Secure DHCP

The following feature is available on the Z-Series platform, except where noted. DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
• Option 82
• DHCP Snooping
• Dynamic ARP Inspection
• Source Address Validation

Option 82

RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment.
When you enable DHCP snooping, the relay agent builds a binding table — using DHCPACK messages — containing the client MAC address, IP addresses, IP address lease time, port, VLAN ID, and binding type. Every time the relay agent receives a DHCPACK on a trusted port, it adds an entry to the table.
clear ip dhcp snooping binding

Displaying the Contents of the Binding Table

To display the contents of the binding table, use the following command.
• Display the contents of the binding table. EXEC Privilege mode
show ip dhcp snooping
View the DHCP snooping statistics with the show ip dhcp snooping command.
Total number of Entries in the table : 4

Dynamic ARP Inspection

Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
Configuring Dynamic ARP Inspection

To enable dynamic ARP inspection, use the following commands.
1. Enable DHCP snooping.
2. Validate ARP frames against the DHCP snooping binding table. INTERFACE VLAN mode
arp inspection
To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation

Using the DHCP binding table, FTOS can perform three types of source address validation (SAV).

Table 12. Three Types of Source Address Validation

Source Address Validation            Description
IP Source Address Validation         Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation   Verifies a DHCP packet’s source hardware address matches the client hardware address field (CHADDR) in the payload.
Enabling IP+MAC Source Address Validation

The following feature is available on the Z9000 platform. IP source address validation (SAV) validates the IP source address of an incoming packet against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV.
1. Allocate at least one FP block to the ipmacacl CAM region.
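The Secure DHCP checks above (the binding table learned from DHCPACKs on trusted ports, DHCP MAC SAV, Dynamic ARP Inspection and IP+MAC SAV) as an added educational model in Python; this is not FTOS code, and the ports, MAC addresses, IP addresses and messages are constructed samples. The model additionally requires the ingress port to match the bound port, which is an assumption.

```python
"""Added model (not FTOS code) of the Secure DHCP checks: a DHCP snooping
binding table learned from DHCPACK messages on trusted ports, then Dynamic
ARP Inspection and IP+MAC Source Address Validation against that table.
All ports, MACs, IPs and messages below are constructed samples."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Key = Tuple[str, int]           # (client MAC, VLAN ID)


@dataclass(frozen=True)
class Binding:
    """One binding-table entry: the fields FTOS records from a DHCPACK."""
    mac: str
    ip: str
    vlan: int
    port: str
    lease: int                  # lease time in seconds
    binding_type: str = "dynamic"


@dataclass
class SnoopingTable:
    trusted_ports: Set[str]
    entries: Dict[Key, Binding] = field(default_factory=dict)
    # client port remembered from its DISCOVER/REQUEST until the ACK arrives
    pending: Dict[Key, str] = field(default_factory=dict)

    def process_dhcp(self, msg_type: str, in_port: str, vlan: int, chaddr: str,
                     src_mac: str, yiaddr: Optional[str] = None, lease: int = 0) -> str:
        """Apply the snooping rules to one DHCP message and return the verdict."""
        if in_port not in self.trusted_ports:
            # server-originated messages are accepted only from trusted ports
            if msg_type in ("DHCPOFFER", "DHCPACK"):
                return "drop: server message on untrusted port"
            # DHCP MAC SAV: frame source MAC must equal CHADDR in the payload
            if src_mac != chaddr:
                return "drop: source MAC does not match CHADDR"
            self.pending[(chaddr, vlan)] = in_port
            return "forward"
        if msg_type == "DHCPACK" and yiaddr is not None:
            client_port = self.pending.pop((chaddr, vlan), None)
            if client_port is None:
                return "forward: no matching request, nothing learned"
            self.entries[(chaddr, vlan)] = Binding(chaddr, yiaddr, vlan, client_port, lease)
            return "forward: binding learned"
        return "forward"

    def arp_inspect(self, in_port: str, vlan: int, sender_mac: str, sender_ip: str) -> bool:
        """Dynamic ARP Inspection: an ARP frame from an untrusted port is forwarded
        only if its sender MAC/IP pair is bound on that VLAN.  Requiring the ingress
        port to match the bound port is a modelling assumption."""
        if in_port in self.trusted_ports:
            return True
        b = self.entries.get((sender_mac, vlan))
        return b is not None and b.ip == sender_ip and b.port == in_port

    def ip_mac_sav(self, in_port: str, vlan: int, src_mac: str, src_ip: str) -> bool:
        """IP+MAC SAV: source IP and source MAC must be a bound pair, not merely
        each valid on its own."""
        b = self.entries.get((src_mac, vlan))
        return b is not None and b.ip == src_ip and b.port == in_port


CLIENT = "00:11:22:33:44:55"    # constructed client MAC
SERVER = "00:aa:bb:cc:dd:ee"    # constructed DHCP server MAC


def demo() -> dict:
    """Constructed exchange: a client on untrusted Gi 0/5, the real server behind
    trusted uplink Te 0/1, and a rogue host answering on another edge port."""
    t = SnoopingTable(trusted_ports={"Te 0/1"})
    r = {}
    r["request"] = t.process_dhcp("DHCPREQUEST", "Gi 0/5", 10, CLIENT, CLIENT)
    r["rogue_ack"] = t.process_dhcp("DHCPACK", "Gi 0/7", 10, CLIENT,
                                    "00:de:ad:be:ef:01", "10.1.1.99", 3600)
    r["ack"] = t.process_dhcp("DHCPACK", "Te 0/1", 10, CLIENT, SERVER, "10.1.1.20", 3600)
    r["spoofed_chaddr"] = t.process_dhcp("DHCPDISCOVER", "Gi 0/9", 10, CLIENT,
                                         "00:de:ad:be:ef:02")
    r["arp_ok"] = t.arp_inspect("Gi 0/5", 10, CLIENT, "10.1.1.20")
    r["arp_spoof"] = t.arp_inspect("Gi 0/9", 10, "00:de:ad:be:ef:02", "10.1.1.20")
    r["sav_ok"] = t.ip_mac_sav("Gi 0/5", 10, CLIENT, "10.1.1.20")
    r["sav_wrong_ip"] = t.ip_mac_sav("Gi 0/5", 10, CLIENT, "10.1.1.1")
    r["bindings"] = len(t.entries)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>15}: {verdict}")
```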
Equal Cost Multi-Path (ECMP) 12

Equal cost multi-path (ECMP) is supported on the Z9000 platform.

ECMP for Flow-Based Affinity

ECMP for flow-based affinity is available on the Z9000 platform. Flow-based affinity includes the following:
• Link Bundle Monitoring

Configuring the Hash Algorithm

TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features.
Configuring the Hash Algorithm Seed

Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
Managing ECMP Group Paths

Managing ECMP group paths is supported only on the platform. Configure the maximum number of paths for an ECMP route that the L3 CAM can hold to avoid path degeneration. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command.
NOTE: Save the new ECMP settings to the startup-config (write-mem) then reload the system for the new settings to take effect.
link-bundle-distribution trigger-threshold {percent}
– The range is from 1 to 90%.
– The default is 60%.
• Display details for an ECMP group bundle. EXEC mode
show link-bundle-distribution ecmp-group ecmp-group-id
– The range is from 1 to 64.
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indices are generated in even numbers (0, 2, 4, 6...
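The hash-seed behaviour described under Configuring the Hash Algorithm Seed, as an added Python model that is not FTOS code: next hops are sorted before selection (deterministic ECMP), the default seed is the lower 12 bits of the chassis MAC, and two chassis with different MACs therefore pick different hops for the same flow until they share a configured seed. zlib.crc32 stands in for the hardware hash, and the flows and next hops are constructed.

```python
"""Added model (not FTOS code) of deterministic ECMP with a chassis-MAC-derived
hash seed.  zlib.crc32 is a stand-in for the ASIC hash (assumption); the flows
and next-hop addresses are constructed."""
import random
import zlib
from typing import List, Sequence, Tuple

Flow = Tuple[str, str, int, int, int]     # src IP, dst IP, protocol, src port, dst port


def chassis_seed(chassis_mac: str) -> int:
    """Default seed: the lower 12 bits of the chassis MAC address."""
    return int(chassis_mac.replace(":", ""), 16) & 0xFFF


def select_next_hop(flow: Flow, next_hops: Sequence[str], seed: int) -> str:
    """Deterministic ECMP: paths are sorted first, so the order RTM handed them
    over does not matter; only the seed and the flow fields decide the hop."""
    paths = sorted(next_hops)
    key = "|".join([str(seed)] + [str(f) for f in flow]).encode()
    return paths[zlib.crc32(key) % len(paths)]


def agreement(flows: Sequence[Flow], next_hops: Sequence[str],
              seed_a: int, seed_b: int) -> float:
    """Fraction of flows for which chassis A (seed_a) and chassis B (seed_b)
    select the same next hop."""
    same = sum(select_next_hop(f, next_hops, seed_a) == select_next_hop(f, next_hops, seed_b)
               for f in flows)
    return same / len(flows)


def order_independent(flows: Sequence[Flow], next_hops: Sequence[str], seed: int) -> bool:
    """Selection must not change when the next hops arrive in another order."""
    shuffled = list(next_hops)
    random.Random(1).shuffle(shuffled)
    return all(select_next_hop(f, next_hops, seed) == select_next_hop(f, shuffled, seed)
               for f in flows)


def sample_flows(n: int) -> List[Flow]:
    """Constructed TCP flows from 10.0.0.0/16 hosts to one web server."""
    return [(f"10.0.{i // 256}.{i % 256}", "192.0.2.10", 6, 40000 + i, 443) for i in range(n)]


def demo() -> dict:
    hops = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
    flows = sample_flows(200)
    seed_a = chassis_seed("00:01:e8:8a:ff:0c")   # chassis MAC from the show system output on this page
    seed_b = chassis_seed("00:01:e8:8a:ff:1d")   # constructed MAC of a second chassis
    return {
        "default_seeds_agree": agreement(flows, hops, seed_a, seed_b),  # roughly 1/4
        "common_seed_agrees": agreement(flows, hops, 0x123, 0x123),      # exactly 1.0
        "order_independent": order_independent(flows, hops, seed_a),
    }


if __name__ == "__main__":
    print(demo())
```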
Enabling FIPS Cryptography 13

Federal information processing standard (FIPS) cryptography is supported on the Z9000 platform. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
– If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
Reload Type : normal-reload [Next boot : normal-reload]

-- Unit 0 --
Unit Type        : Management Unit
Status           : online
Next Boot        : online
Required Type    : S4810 - 52-port GE/TE/FG (SE)
Current Type     : S4810 - 52-port GE/TE/FG (SE)
Master priority  : 0
Hardware Rev     : 3.0
Num Ports        : 64
Up Time          : 7 hr, 3 min
FTOS Version     : 4810-8-3-7-1061
Jumbo Capable    : yes
POE Capable      : no
FIPS Mode        : enabled
Burned In MAC    : 00:01:e8:8a:ff:0c
No Of MACs       : 3
...

Disabling FIPS Mode

The following describes disabling FIPS mode.
Force10 Resilient Ring Protocol (FRRP) 14

Force10 resilient ring protocol (FRRP) is supported on the Z9000 platform. FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses.
Ring Status

The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.

Ring Checking

At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202.

Important FRRP Points

FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
Concept: Ring Protocol Timers, Ring Status, Ring Health-Check Frame (RHF)
Explanation:
• Pre-Forwarding State — A transition state before moving to the Forward state. Control traffic is forwarded but data traffic is blocked. The Master node Secondary port transitions through this state during ring bring-up. All ports transition through this state when a port comes up.
• Disabled State — When the port is disabled or down, or is not on the VLAN.
• Each ring has only one Master node; all others are transit nodes.

FRRP Configuration

These are the tasks to configure FRRP.
interface vlan vlan-id
VLAN ID: from 1 to 4094.
2. Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode.
tagged interface slot/port {range}
Interface:
– For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• All VLANs must be in Layer 2 mode.
• Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
• The control VLAN must be the same for all nodes on the ring.
To create the Member VLANs for this FRRP group, use the following commands on all of the Transit switches in the ring.
1. Create a VLAN with this ID number. CONFIGURATION mode.
interface vlan vlan-id
VLAN ID: the range is from 1 to 4094.
2.
6. Enable this FRRP group on this switch. CONFIG-FRRP mode.
no disable

Setting the FRRP Timers

To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval time 3 times the Hello-Interval.
• Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode.
timer {hello-interval|dead-interval} milliseconds
– Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
Ring ID: the range is from 1 to 255.

Troubleshooting FRRP

To troubleshoot FRRP, use the following information.

Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 2/14 secondary GigabitEthernet 2/31
 control-vlan 101
 member-vlan 201
 mode transit
 no disable

Example of R3 TRANSIT
interface GigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 3/21
 no ip address
 swi
GARP VLAN Registration Protocol (GVRP) 15

GARP VLAN registration protocol (GVRP) is supported on the Z9000 platform. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
exchanged. In the following example, that type of port is referred to as a VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking operating system (FTOS) that the port is a trunk port.

Figure 30. Global GVRP Configuration Example

Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2.
gvrp enable

Example of Configuring GVRP
FTOS(conf)#protocol gvrp
FTOS(config-gvrp)#no disable
FTOS(config-gvrp)#show config
!
protocol gvrp
 no disable
FTOS(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface

To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
Example of the gvrp registration Command
FTOS(conf-if-gi-1/21)#gvrp registration fixed 34,35
FTOS(conf-if-gi-1/21)#gvrp registration forbidden 45,46
FTOS(conf-if-gi-1/21)#show conf
!
interface GigabitEthernet 1/21
 no ip address
 switchport
 gvrp enable
 gvrp registration fixed 34-35
 gvrp registration forbidden 45-46
 no shutdown
FTOS(conf-if-gi-1/21)#

Configure a GARP Timer

Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Boot the Chassis with a Single RPM
• Boot the Chassis with Dual RPMs
• Automatic and Manual RPM Failover
• Support for RPM Redundancy by FTOS Version
• RPM Synchronization
Internet Group Management Protocol (IGMP) 16

Internet group management protocol (IGMP) is supported on the Z9000 platform. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
Figure 31. IGMP Messages in IP Packets

Join a Multicast Group

There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.

Responding to an IGMP Query

The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
IGMP Version 3

Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
• Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Figure 33. IGMP Version 3–Capable Multicast Routers Address Structure

Joining and Filtering Groups and Sources

The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 34. Membership Reports: Joining and Filtering

Leaving and Staying in Groups

The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 is no longer necessary.
2.
Figure 35. Membership Queries: Leaving and Staying

Configure IGMP

Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• Fast Convergence after MSTP Topology Changes
• Designating a Multicast Router Interface

Viewing IGMP Enabled Interfaces

Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
• View IGMP-enabled interfaces. EXEC Privilege mode
show ip igmp interface

Example of the show ip igmp interface Command
FTOS#show ip igmp interface gig 7/16
GigabitEthernet 7/16 is up, line protocol is up
Internet address is 10.87.3.
Viewing IGMP Groups

To view both learned and statically configured IGMP groups, use the following command.
• View both learned and statically configured IGMP groups. EXEC Privilege mode
show ip igmp groups

Example of the show ip igmp groups Command
FTOS(conf-if-gi-1/0)#do sho ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface             Uptime    Expires   Last Reporter
224.1.1.1      GigabitEthernet 1/0   00:00:03  Never     CLI
224.1.2.1      GigabitEthernet 1/0   00:56:55  00:01:22  1.1.1.
• ip igmp query-max-resp-time
• Adjust the last member query interval. INTERFACE mode
ip igmp last-member-query-interval

Adjusting the IGMP Querier Timeout Value

If there is more than one multicast router on a subnet, only one is elected to be the querier, which is the router that sends queries to the subnet.
1. Routers send queries to the all multicast systems address, 224.0.0.1. Initially, all routers send queries.
2.
EXEC Privilege mode
show ip igmp interface
View the enable status of this feature using the command from EXEC Privilege mode, as shown in the example in Selecting an IGMP Version.

IGMP Snooping

IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers.
Example of ip igmp snooping enable Command
FTOS(conf)#ip igmp snooping enable
FTOS(conf)#do show running-config igmp
ip igmp snooping enable
FTOS(conf)#

Removing a Group-Port Association

To configure or view the remove a group-port association feature, use the following commands.
• Configure the switch to remove a group-port association after receiving an IGMP Leave message. INTERFACE VLAN mode
ip igmp fast-leave
• View the configuration.
Configuring the Switch as Querier

To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
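The IGMP snooping forwarding table described above, together with the fast-leave behaviour from Removing a Group-Port Association, as an added Python model that is not FTOS code. The multicast-router port, the group-specific query that precedes a slow leave (modelled as query_expired), and the decision to forward unknown groups only toward router ports are modelling assumptions; ports and groups are constructed.

```python
"""Added model (not FTOS code) of an IGMP snooping forwarding table for one
VLAN: membership reports add a port to a group, a Leave removes it at once
when fast-leave is enabled or only after the last-member query goes
unanswered otherwise.  Port names and groups are constructed samples."""
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple


class IgmpSnoopingVlan:
    def __init__(self, mrouter_ports: Iterable[str], fast_leave: bool = False):
        self.mrouter_ports = set(mrouter_ports)   # ports facing multicast routers (assumption)
        self.fast_leave = fast_leave
        self.members: Dict[str, Set[str]] = defaultdict(set)   # group -> interested ports
        self.pending: Set[Tuple[str, str]] = set()  # (group, port) awaiting a query reply

    def report(self, group: str, port: str) -> None:
        """A membership report (solicited or unsolicited) seen on `port`."""
        self.members[group].add(port)
        self.pending.discard((group, port))     # a report answers an outstanding query

    def leave(self, group: str, port: str) -> bool:
        """Process an IGMP Leave; return True if the port was removed immediately."""
        if port not in self.members.get(group, set()):
            return False
        if self.fast_leave:
            self._remove(group, port)
            return True
        # without fast-leave the switch keeps forwarding until the group-specific
        # query it sends goes unanswered (see query_expired)
        self.pending.add((group, port))
        return False

    def query_expired(self, group: str, port: str) -> None:
        """The last-member query timed out with no report from `port`."""
        if (group, port) in self.pending:
            self.pending.discard((group, port))
            self._remove(group, port)

    def _remove(self, group: str, port: str) -> None:
        self.members[group].discard(port)
        if not self.members[group]:
            del self.members[group]

    def forward_ports(self, group: str, in_port: str) -> Set[str]:
        """Egress ports for a frame to `group` arriving on `in_port`: interested
        receivers plus router ports, never the ingress port."""
        out = set(self.members.get(group, set())) | self.mrouter_ports
        out.discard(in_port)
        return out


def demo() -> dict:
    fast = IgmpSnoopingVlan(mrouter_ports={"Gi 0/1"}, fast_leave=True)
    fast.report("224.1.1.1", "Gi 0/5")
    fast.report("224.1.1.1", "Gi 0/6")
    fast.report("224.1.2.1", "Gi 0/7")
    before = fast.forward_ports("224.1.1.1", "Gi 0/1")
    removed_now = fast.leave("224.1.1.1", "Gi 0/5")
    after = fast.forward_ports("224.1.1.1", "Gi 0/1")

    slow = IgmpSnoopingVlan(mrouter_ports={"Gi 0/1"}, fast_leave=False)
    slow.report("224.1.1.1", "Gi 0/5")
    slow_removed_now = slow.leave("224.1.1.1", "Gi 0/5")
    still = slow.forward_ports("224.1.1.1", "Gi 0/1")
    slow.query_expired("224.1.1.1", "Gi 0/5")
    gone = slow.forward_ports("224.1.1.1", "Gi 0/1")
    return {
        "before": sorted(before),                 # ['Gi 0/5', 'Gi 0/6']
        "fast_removed_now": removed_now,          # True
        "after": sorted(after),                   # ['Gi 0/6']
        "other_group": sorted(fast.forward_ports("224.1.2.1", "Gi 0/7")),  # ['Gi 0/1']
        "slow_removed_now": slow_removed_now,     # False
        "slow_still": sorted(still),              # ['Gi 0/5']
        "slow_gone": sorted(gone),                # []
    }


if __name__ == "__main__":
    print(demo())
```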
Interfaces 17

This chapter describes interface types, both physical and logical, and how to configure them with FTOS.
• 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on the Z-Series platform.
Interface Types The following table describes different interface types.
Last clearing of "show interface" counters 00:09:54
Queueing strategy: fifo
Input Statistics:
     0 packets, 0 bytes
     0 Vlans
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     3 packets, 192 bytes, 0 underruns
     3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0
 no ip address
 shutdown

Enabling a Physical Interface

After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface slot/port command.
1. Enter the keyword interface then the type of interface and slot/port information. CONFIGURATION mode
interface interface
2.
– For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• Configuring Layer 2 (Interface) Mode
• Management Interfaces
• Auto-Negotiation on Ethernet Interfaces
• Adjusting the Keepalive Timer
• Clearing Interface Counters

Overview of Layer Modes

On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode.
Configuring Layer 2 (Interface) Mode

To configure an interface in Layer 2 mode, use the following commands.
• Enable the interface. INTERFACE mode
no shutdown
• Place the interface in Layer 2 (switching) mode. INTERFACE mode
switchport
For information about enabling and configuring the Spanning Tree Protocol, refer to Spanning Tree Protocol (STP). To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
Configuring Layer 3 (Interface) Mode

To assign an IP address, use the following commands.
• Enable the interface. INTERFACE mode
no shutdown
• Configure a primary IP address and mask on the interface. INTERFACE mode
ip address ip-address mask [secondary]
The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. You can only configure one primary IP address per interface.
• If a route in the EIS table conflicts with a front-end port route, the front-end port route has precedence.
• Due to protocol, ARP packets received through the management port create two ARP entries (one for the lookup in the EIS table and one for the default routing table).

Configuring EIS

EIS is compatible with the following protocols: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. To enable and configure EIS, use the following commands:
1. Enter EIS mode.
The following rules apply to having two IPv6 addresses on a management interface:
• IPv6 addresses on a single management interface cannot be in the same subnet.
• IPv6 secondary addresses on management interfaces:
– across a platform must be in the same subnet.
– must not match the virtual IP address and must not be in the same subnet as the virtual IP.
To view the Primary RPM Management port, use the show interface Managementethernet command in EXEC Privilege mode. If there are two RPMs, you cannot view information on that interface.

Configuring Management Interfaces on the S-Series

You can manage the S-Series from any port. To configure an IP address for the port, use the following commands. There is no separate management routing table, so configure all routes in the IP routing table (the ip route command).
• Configure an IP address.
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN.
FTOS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used.
• Delete a Loopback interface. CONFIGURATION mode
no interface loopback number
Many of the same commands found in the physical interface are also found in the Loopback interfaces. For more information, refer to Configure ACLs to Loopback.

Null Interfaces

The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command.
Port Channel Implementation

FTOS supports static and dynamic port channels.
• Static — Port channels that are statically configured.
• Dynamic — Port channels that are dynamically configured using the link aggregation control protocol (LACP). For details, refer to Link Aggregation Control Protocol (LACP).
There are 128 port-channels with eight members per channel.
NOTE: If you are using either 10G ports or 40G ports, the Z9000 supports eight members per LAG.
Configuration Tasks for Port Channel Interfaces

To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
A logical port channel interface cannot have flow control. Flow control can only be present on the physical interfaces if they are part of a port channel.
NOTE: The Z9000 supports jumbo frames by default (the default maximum transmission unit (MTU) is 12000 bytes). To configure the MTU, use the mtu command from INTERFACE mode.
     0 throttles, 0 discarded
Rate info (interval 5 minutes):
     Input 00.01Mbits/sec, 2 packets/sec
     Output 81.60Mbits/sec, 133658 packets/sec
Time since last interface status change: 04:31:57
FTOS>
When more than one interface is added to a Layer 2-port channel, FTOS selects one of the active interfaces in the port channel to be the primary port. The primary port replies to flooding and sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command indicates the primary port.
 channel-member GigabitEthernet 1/8
 no shutdown
FTOS(conf-if-portch)#no chann gi 1/8
FTOS(conf-if-portch)#int port 5
FTOS(conf-if-portch)#channel gi 1/8
FTOS(conf-if-portch)#sho conf
!
interface Port-channel 5
 no ip address
 channel-member GigabitEthernet 1/8
 shutdown
FTOS(conf-if-portch)#

Configuring the Minimum Oper Up Links in a Port Channel

You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status.
show vlan

Assigning an IP Address to a Port Channel

You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command.
• Configure an IP address and mask on the interface. INTERFACE mode
ip address ip-address mask [secondary]
– ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
– secondary: the IP address is the interface’s backup IP address.
To change the IP traffic load-balancing default, use the following command.
• Replace the default IP 4-tuple method of balancing traffic over a port channel. CONFIGURATION mode
[no] load-balance {ip-selection [dest-ip | source-ip]} | {mac [dest-mac | source-dest-mac | source-mac]} | {tcp-udp enable} | {ing-port}
You can select one, two, or all three of the following basic hash methods:
– ip-selection [dest-ip | source-ip] — Distribute IP traffic based on the IP destination or source address.
• lsb — always uses the least significant bit of the hash key to compute the egress port.

Bulk Configuration

Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces.

Interface Range

An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range.
Example of the interface range Command (Multiple Ranges)
FTOS(conf)#interface range tengigabitethernet 0/5 - 10 , tengigabitethernet 0/1 , vlan 1
FTOS(conf-if-range-te-0/5-10,te-0/1,vl-1)#

Exclude Duplicate Entries

The following is an example showing how duplicate entries are omitted from the interface-range prompt.
CONFIGURATION mode
define interface-range macro_name {vlan vlan_ID - vlan_ID} | {{gigabitethernet | tengigabitethernet | fortyGigE} slot/interface - interface} [ , {vlan vlan_ID - vlan_ID} {{gigabitethernet | tengigabitethernet | fortyGigE} slot/interface - interface}]

Define the Interface Range

The following example shows how to define an interface-range macro named “test” to select Fast Ethernet interfaces 5/1 through 5/4.
• l — Page up
• T — Increase refresh interval (by 1 second)
• t — Decrease refresh interval (by 1 second)
• c — Clear screen
• a — Page down
• q — Quit

Example of the monitor interface Command
FTOS#monitor interface gi 3/1
FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s)
Monitor time: 00:00:00 Refresh Intvl.
To test and display TDR results, use the following commands.
1. Test for cable faults on the GigabitEthernet cable. EXEC Privilege mode
tdr-cable-test gigabitethernet /
Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message.
2. Display TDR test results.
for all practical purposes of routing, the interface is deemed to be “down.” After the interface becomes stable and the penalty decays below a certain threshold, the interface comes up again and the routing protocols re-converge. Link dampening:
• reduces processing on the CPUs by reducing excessive interface flapping.
• improves network stability by penalizing misbehaving interfaces and redirecting traffic.
Clearing Dampening Counters

To clear dampening counters and accumulated penalties, use the following command.
• Clear dampening counters.
clear dampening

Example of the clear dampening Command
FTOS# clear dampening interface Gi 0/1
FTOS# show interfaces dampening GigabitEthernet0/0
Interface  State  Flaps  Penalty  Half-Life  Reuse  Suppress  Max-Sup
Gi 0/1     Up     0      0        20         500    1500      300

Link Dampening Support for XML

View the output of the following show commands in XML by adding | display xml to the end of the command.
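The penalty mechanism behind link dampening (penalty per flap, exponential decay by half-life, suppression above the suppress threshold, reuse below the reuse threshold, and the cap implied by max-suppress), as an added Python simulation that is not FTOS code. It uses the values from the show interfaces dampening output above (half-life 20 s, reuse 500, suppress 1500, max-suppress 300 s); the 1000 penalty per flap is an assumption, since the page does not state it.

```python
"""Added simulation (not FTOS code) of link dampening.  The per-flap penalty
of 1000 is an assumption; half-life, reuse, suppress and max-suppress values
in demo() are taken from the show interfaces dampening example on this page."""
import math

PENALTY_PER_FLAP = 1000.0      # assumed; the page does not give this value


class DampenedInterface:
    def __init__(self, half_life: float, reuse: float, suppress: float, max_suppress: float):
        self.half_life, self.reuse, self.suppress = half_life, reuse, suppress
        # highest penalty that can still decay below reuse within max_suppress
        # seconds, so an interface is never held down longer than max_suppress
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.suppressed = False
        self.flaps = 0
        self._t = 0.0

    def _decay(self, now: float) -> None:
        """Exponential decay: the penalty halves every half_life seconds."""
        self.penalty *= 0.5 ** ((now - self._t) / self.half_life)
        self._t = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False      # reuse threshold crossed: interface comes back

    def flap(self, now: float) -> bool:
        """Record an up/down transition at time `now`; return True if now suppressed."""
        self._decay(now)
        self.flaps += 1
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True       # routing treats the interface as down
        return self.suppressed

    def usable(self, now: float) -> bool:
        """Whether routing may use the interface at time `now`."""
        self._decay(now)
        return not self.suppressed

    def seconds_until_reuse(self) -> float:
        """Time for the current penalty to decay below the reuse threshold."""
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def demo() -> dict:
    iface = DampenedInterface(half_life=20, reuse=500, suppress=1500, max_suppress=300)
    first = iface.flap(0.0)             # penalty 1000: not above suppress, still usable
    second = iface.flap(1.0)            # ~1966 > 1500: suppressed
    wait = iface.seconds_until_reuse()  # ~39.5 s at a 20 s half-life
    return {
        "suppressed_after_first": first,
        "suppressed_after_second": second,
        "seconds_until_reuse": wait,
        "usable_at_30s": iface.usable(30.0),    # penalty ~720, still above reuse
        "usable_at_45s": iface.usable(45.0),    # penalty ~428, below reuse
        "flaps": iface.flaps,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>24}: {value}")
```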
• View all LAG link bundles being monitored.
show running-config ecmp-group

Using Ethernet Pause Frames for Flow Control

Ethernet pause frames and threshold settings are supported on the Z9000 platform. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
The discard threshold should be larger than the buffer threshold so that the buffer holds at least three packets.

Enabling Pause Frames

Enable Ethernet pause frames flow control on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior.
NOTE: Changes in the flow-control values may not be reflected automatically in the show interface output.
Table 13. Layer 2 Overhead

Layer 2 Overhead                          Difference Between Link MTU and IP MTU
Ethernet (untagged)                       18 bytes
VLAN Tag                                  22 bytes
Untagged Packet with VLAN-Stack Header    22 bytes
Tagged Packet with VLAN-Stack Header      26 bytes

Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
NOTE: As a best practice, Dell Networking recommends keeping auto-negotiation enabled. Only disable auto-negotiation on switch ports that attach to devices not capable of supporting negotiation or where connectivity issues arise from interoperability issues.
For 10/100/1000 Ethernet interfaces, the negotiation auto command is tied to the speed command. Auto-negotiation is always enabled when the speed command is set to 1000 or auto.
Gi 0/3                 Down   Auto       Auto   -
Gi 0/4   Force10Port   Up     1000 Mbit  Auto   30-130
Gi 0/5                 Down   Auto       Auto   -
Gi 0/6                 Down   Auto       Auto   -
Gi 0/7                 Up     1000 Mbit  Auto   1502,1504,1506-1508,1602
Gi 0/8                 Down   Auto       Auto   -
Gi 0/9                 Down   Auto       Auto   -
Gi 0/10                Down   Auto       Auto   -
Gi 0/11                Down   Auto       Auto   -
Gi 0/12                Down   Auto       Auto   -
[output omitted]
In the previous example, several ports display “Auto” in the Speed field, including port 0/1. In the following example, the speed of port 0/1 is set to 100Mb and then its auto-negotiation is disabled.
• Change the default interval between keepalive messages. INTERFACE mode
keepalive [seconds]
• View the new setting. INTERFACE mode
show config

View Advanced Interface Information

The following options have been implemented for the show [ip | running-config] interfaces commands for (only) linecard interfaces. When you use the configured keyword, only interfaces that have non-default configurations are displayed.
Configuring the Interface Sampling Size

Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
     0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
     0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 IP Packets, 0 Vlans, 0 MPLS
     0 throttles, 0 discarded
Rate info (interval 100 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Time since last interface status change: 1d23h42m

Dynamic Counters

By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
– For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
– For a VLAN, enter the keyword vlan then a number.
– (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a number from 1 to 255 as the vrid.
Internet Protocol Security (IPSec) 18

Internet protocol security (IPSec) is available on the Z9000 platform. IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
  crypto ipsec transform-set myXform-set esp-authentication md5 esp-encryption des
  The transform set in this example pairs MD5 authentication with single-DES encryption and uses fixed (ipsec-manual) session keys. Both algorithms are deprecated and manually keyed security associations never rotate their keys, so treat these values as a worked example rather than a recommended configuration.
2. Define the crypto policy.
  CONFIGURATION mode
  crypto ipsec policy myCryptoPolicy 10 ipsec-manual
   transform-set myXform-set
   session-key inbound esp 256 auth encrypt
   session-key outbound esp 257 auth encrypt
   match 0 tcp a::1 /128 0 a::2 /128 23
   match 1 tcp a::1 /128 23 a::2 /128 0
   match 2 tcp a::1 /128 0 a::2 /128 21
   match 3 tcp a::1 /128 21 a::2 /128 0
   match 4 tcp 1.1.1.1 /32 0 1.1.1.
IPv4 Routing 19
IPv4 routing is supported on the Z9000 platform. FTOS supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking operating system (FTOS).
IP Feature            Default
DNS                   Disabled
Directed Broadcast    Disabled
Proxy ARP             Enabled
ICMP Unreachable      Disabled
ICMP Redirect         Disabled
IP Addresses
FTOS supports IP version 4, as described in RFC 791.
• Configure Static Routes for the Management Interface (optional) For a complete listing of all commands related to IP addressing, refer to the FTOS Command Line Interface Reference Guide. Assigning IP Addresses to an Interface Assign primary and secondary IP addresses to physical or logical (for example, [virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface.
 no shutdown
!
FTOS(conf-if)#

Configuring Static Routes
A static route is a route that you configure manually and that no routing protocol, such as open shortest path first (OSPF), learns dynamically. Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static routes as necessary. To configure a static route, use the following command.
• Configure a static route.
FTOS installs a static route whose next hop is on a subnet directly connected to an interface (for example, if interface gig 0/0 is on the 172.31.5.0 subnet, a static route with next hop 172.31.5.43 is installed). FTOS also installs a static route whose next hop is not on a directly connected subnet but recursively resolves, through another route, to a next hop on an interface's configured subnet. For example, if gig 0/0 has an IP address on subnet 2.2.2.0 and next hop 172.31.5.43 recursively resolves to 2.2.2.0, FTOS installs the static route.
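The install decision above (next hop directly connected, or recursively resolvable to a connected subnet) is small enough to model. The following is an added example written for this guide, not FTOS code: interface names, subnets and candidate routes are constructed to mirror the two cases in the text, and the re-scan loop and depth guard are this example's own handling of ordering and of next-hop loops, which the guide does not spell out.

```python
import ipaddress


def connected_interface(interfaces, addr):
    """Return the name of the interface whose subnet contains addr, else None."""
    for name, subnet in interfaces.items():
        if addr in subnet:
            return name
    return None


def resolve_next_hop(next_hop, interfaces, installed, max_depth=8):
    """Resolve next_hop to a connected interface, following already-installed
    routes recursively (longest prefix wins). Returns the interface or None.
    max_depth is this example's guard against two routes pointing at each other."""
    hop = ipaddress.ip_address(next_hop)
    for _ in range(max_depth):
        iface = connected_interface(interfaces, hop)
        if iface is not None:
            return iface
        matches = [(p, nh) for p, nh in installed.items() if hop in p]
        if not matches:
            return None
        _, nh = max(matches, key=lambda m: m[0].prefixlen)
        hop = ipaddress.ip_address(nh)
    return None


def install_static_routes(interfaces, static_routes):
    """Decide which candidate static routes would be installed.
    interfaces: {name: "addr/len"}; static_routes: {"prefix/len": "next hop"}.
    Returns (installed, rejected), both keyed by prefix string."""
    ifaces = {n: ipaddress.ip_interface(a).network for n, a in interfaces.items()}
    pending = {ipaddress.ip_network(p): nh for p, nh in static_routes.items()}
    installed = {}
    progressed = True
    # Re-scan until a full pass installs nothing new, so the order in which
    # the routes were entered does not change the outcome.
    while pending and progressed:
        progressed = False
        for prefix, nh in list(pending.items()):
            if resolve_next_hop(nh, ifaces, installed) is not None:
                installed[prefix] = nh
                del pending[prefix]
                progressed = True
    return ({str(p): nh for p, nh in installed.items()},
            {str(p): nh for p, nh in pending.items()})


if __name__ == "__main__":
    # Constructed inputs modelled on the text: gig 0/0 on 2.2.2.0/24, and
    # 172.31.5.43 reachable only through a second static route.
    ok, dropped = install_static_routes(
        {"gig 0/0": "2.2.2.1/24"},
        {"10.0.0.0/8": "172.31.5.43", "172.31.5.0/24": "2.2.2.5"},
    )
    print("installed:", ok)
    print("rejected: ", dropped)
```

The first case from the text (gig 0/0 on 172.31.5.0/24, next hop 172.31.5.43) is installed directly; the second is installed only after 172.31.5.0/24 via 2.2.2.5 has been installed, which is why the function re-scans instead of making a single pass.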
Enabling Directed Broadcast
By default, FTOS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks: a directed broadcast that is forwarded onto a segment is answered by every host on it, so a remote sender can amplify its traffic against that segment (RFC 2644 recommends that routers drop directed broadcasts by default for this reason). To enable FTOS to receive directed broadcasts, use the following command.
• Enable directed broadcast.
  INTERFACE mode
  ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.

Resolution of Host Names
Domain name service (DNS) maps host names to IP addresses.
f00-3 FTOS> (perm, OK) - IP 192.71.23.1
To view the current configuration, use the show running-config resolve command.
Specifying the Local System Domain and a List of Domains
If you enter a partial domain, FTOS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. FTOS searches the host table first to resolve the partial domain.
Tracing the route to www.force10networks.com (10.11.84.18), 30 hops max, 40 byte packets
---------------------------------------------------------------------
TTL  Hostname                                            Probe1      Probe2      Probe3
1    10.11.199.190                                       001.000 ms  001.000 ms  002.000 ms
2    gwegress-sjc-02.force10networks.com (10.11.30.126)  005.000 ms  001.000 ms  001.000 ms
3    fw-sjc-01.force10networks.com (10.11.127.254)       000.000 ms  000.000 ms  000.000 ms
4    www.dell.com (10.11.84.18)                          000.000 ms  000.000 ms  000.
  – interface: enter the interface type slot/port information.
These entries do not age and can only be removed manually. To remove a static ARP entry, use the no arp ip-address command. To view the static entries in the ARP cache, use the show arp static command in EXEC privilege mode.
Example of the show arp Command
FTOS#show arp
Protocol  Address   Age(min)  Hardware Address  Interface  VLAN  CPU
-------------------------------------------------------------------------------
Internet  10.1.2.
NOTE: Transit traffic may not be forwarded during the period when deleted ARP entries are resolved again and reinstalled in CAM. Use this option with extreme caution. ARP Learning via Gratuitous ARP Gratuitous ARP can mean an ARP request or reply. In the context of ARP learning via gratuitous ARP on FTOS, the gratuitous ARP is a request.
Figure 36. ARP Learning via ARP Request
Beginning with FTOS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry, for all received ARP requests.
Figure 37. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
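To make the two learning policies concrete, the following is an added example written for this guide, not FTOS code. It parses a raw Ethernet/IPv4 ARP packet (RFC 826 layout) and applies the rule stated above: the target IP is never consulted, only the sender binding is. The behaviour with the feature disabled (refresh an existing entry for the sender, install nothing new) is this example's reading of the text and Figure 36, and the sample packets are constructed, not captured. The practical consequence is worth keeping in mind: with gratuitous-ARP learning enabled, any host on the segment can install or overwrite an entry for any sender IP it chooses to put in a request, so the cache becomes correspondingly easier to poison.

```python
import struct

ARP_REQUEST = 1
ARP_REPLY = 2


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed 28-octet Ethernet/IPv4 ARP packet (hardware type 1, IPv4)."""
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return (hdr
            + bytes.fromhex(sender_mac.replace(":", ""))
            + bytes(int(o) for o in sender_ip.split("."))
            + bytes.fromhex(target_mac.replace(":", ""))
            + bytes(int(o) for o in target_ip.split(".")))


def parse_arp(pkt: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP packet; reject anything else."""
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper,
            "sender_mac": _mac(pkt[8:14]), "sender_ip": _ip(pkt[14:18]),
            "target_mac": _mac(pkt[18:24]), "target_ip": _ip(pkt[24:28])}


class ArpCache:
    """ARP cache of one Layer 3 interface, with the learning policy as a switch."""

    def __init__(self, interface: str, learn_gratuitous: bool = False):
        self.interface = interface
        self.learn_gratuitous = learn_gratuitous
        self.entries = {}  # sender IP -> (MAC, interface)

    def on_request(self, pkt: bytes) -> bool:
        """Apply a received ARP request. Returns True if the cache changed."""
        arp = parse_arp(pkt)
        if arp["op"] != ARP_REQUEST:
            return False
        # The target IP is never looked up; only the sender IP/MAC matters.
        # Disabled: refresh an existing entry only (assumed default behaviour).
        # Enabled: install a new entry or update an existing one for every request.
        if arp["sender_ip"] in self.entries or self.learn_gratuitous:
            self.entries[arp["sender_ip"]] = (arp["sender_mac"], self.interface)
            return True
        return False


if __name__ == "__main__":
    # Constructed request: 10.1.2.5 asks for 10.1.2.200; the router itself is not the target.
    req = build_arp(ARP_REQUEST, "00:01:e8:aa:bb:01", "10.1.2.5",
                    "00:00:00:00:00:00", "10.1.2.200")
    strict = ArpCache("Vlan 100")
    print("disabled, unknown sender installed:", strict.on_request(req))
    lax = ArpCache("Vlan 100", learn_gratuitous=True)
    print("enabled, unknown sender installed: ", lax.on_request(req), lax.entries)
```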
  CONFIGURATION mode
  arp backoff-time
  The default is 30. The range is from 1 to 3600.
• Display all ARP entries learned via gratuitous ARP.
  EXEC Privilege mode
  show arp retries

ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet.
1. Enable UDP helper and specify the UDP ports for which traffic is forwarded. Refer to Enabling UDP Helper.
2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. Refer to Configuring a Broadcast Address.
Important Points to Remember
• The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
!
interface Vlan 100
 ip address 1.1.0.1/24
 ip udp-broadcast-address 1.1.255.255
 untagged GigabitEthernet 1/2
 no shutdown
To view the configured broadcast address for an interface, use the show interfaces command.
Example of Viewing Configured Broadcast Addresses
R1_E600(conf)#do show interfaces vlan 100
Vlan 100 is up, line protocol is down
Address is 00:01:e8:0d:b9:7a, Current address is 00:01:e8:0d:b9:7a
Interface index is 1107787876
Internet address is 1.1.0.1/24
IP UDP-Broadcast address is 1.1.255.
Figure 38. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
unchanged because the forwarding process is Layer 2. If you enabled UDP helper, the packet is flooded on VLAN 100 as well.
Figure 40. UDP Helper with Configured Broadcast Addresses
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
• If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
2005-11-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2
2005-07-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90 Packet 0.0.0.0:68 -> 255.255.255.
IPv6 Routing 20 Internet protocol version 6 (IPv6) routing is supported on the Z9000 platform. NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the FTOS version supporting which features and platforms, refer to Implementing IPv6 with FTOS. IPv6 is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
NOTE: FTOS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. FTOS manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to auto-configure its address. However, received ND messages are not used to create an IPv6 address.
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered, as shown in the following illustration.
Figure 41. IPv6 Header Fields
Version (4 bits)
The Version field always contains the number 6, referring to the packet's IP version.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are set by the packet source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value  Description
4      IPv4
6      TCP
8      Exterior Gateway Protocol (EGP)
41     IPv6
43     Routing header
44     Fragmentation header
50     Encapsulating Security Payload (ESP)
51     Authentication header (AH)
59     No Next Header
60     Destination options header
NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page at http://www.iana.org/assignments/protocol-numbers.
Hop-by-Hop Options Header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero). When a Hop-by-Hop Options header is not included, the router knows that it does not have to process any router specific information and immediately processes the packet to its final destination.
• 2001:0db8:0:0::1428:57ab • 2001:0db8::1428:57ab • 2001:db8::1428:57ab IPv6 networks are written using classless inter-domain routing (CIDR) notation. An IPv6 network (or subnet) is a contiguous group of IPv6 addresses the size of which must be a power of two; the initial bits of addresses, which are identical for all hosts in the network, are called the network's prefix. A network is denoted by the first address in the network and the size in bits of the prefix (in decimal), separated with a slash.
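The header layout, Next Header values, Hop-by-Hop chain and address compression described in the preceding sections come together in a parser. The following is an added example written for this guide, not FTOS code: it decodes the 40-octet fixed header, walks the extension-header chain using the length encodings of RFC 2460 and RFC 4302 (option-style headers in 8-octet units, Fragment fixed at 8, AH in 4-octet units plus 2), stops at the upper-layer protocol or at ESP, whose contents are opaque, and prints addresses in their compressed form. The sample frame is constructed, not captured, and its ICMPv6 checksum is left at zero because the parser does not verify it.

```python
import struct
import ipaddress

# IANA protocol numbers used by the chain walk
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 58, 59, 60
NEXT_HEADER_NAMES = {
    4: "IPv4", 6: "TCP", 8: "EGP", 17: "UDP", 41: "IPv6",
    HOP_BY_HOP: "Hop-by-Hop options header", ROUTING: "Routing header",
    FRAGMENT: "Fragmentation header", ESP: "ESP", AH: "Authentication header",
    ICMPV6: "ICMPv6", NO_NEXT: "No Next Header", DEST_OPTS: "Destination options header",
}


def compress_address(text: str) -> str:
    """Canonical spelling: leading zeros dropped, longest zero run written as '::'."""
    return str(ipaddress.IPv6Address(text))


def _need(packet: bytes, offset: int, n: int) -> None:
    if offset + n > len(packet):
        raise ValueError(f"truncated at offset {offset}: need {n} more octets")


def parse_ipv6(packet: bytes) -> dict:
    """Parse the fixed header and walk the extension-header chain."""
    _need(packet, 0, 40)
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = word0 >> 28
    if version != 6:
        raise ValueError(f"Version field is {version}, not 6")
    if len(packet) != 40 + payload_len:
        raise ValueError("Payload Length does not match the octets present")
    chain, offset, nh = [], 40, next_hdr
    while True:
        if nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
            _need(packet, offset, 2)      # Hdr Ext Len counts 8-octet units after the first 8
            nxt, length = packet[offset], (packet[offset + 1] + 1) * 8
        elif nh == FRAGMENT:
            _need(packet, offset, 8)      # always 8 octets
            nxt, length = packet[offset], 8
        elif nh == AH:
            _need(packet, offset, 2)      # Payload Len counts 4-octet units, minus 2
            nxt, length = packet[offset], (packet[offset + 1] + 2) * 4
        else:
            break                         # upper layer, ESP (opaque from here) or No Next Header
        _need(packet, offset, length)
        chain.append((nh, NEXT_HEADER_NAMES.get(nh, str(nh))))
        offset += length
        nh = nxt
    return {
        "version": version,
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "extension_headers": chain,
        "upper_layer": NEXT_HEADER_NAMES.get(nh, str(nh)),
        "upper_layer_offset": offset,
    }


def build_sample_packet(with_hop_by_hop: bool) -> bytes:
    """Constructed frame: fe80::1 -> ff02::1 ICMPv6 echo request, optionally
    preceded by an 8-octet Hop-by-Hop header carrying one PadN option."""
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)          # checksum left at 0
    hbh = (struct.pack("!BBBB", ICMPV6, 0, 1, 4) + b"\x00" * 4) if with_hop_by_hop else b""
    payload = hbh + icmp
    fixed = struct.pack("!IHBB", 6 << 28, len(payload),
                        HOP_BY_HOP if with_hop_by_hop else ICMPV6, 64)
    fixed += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    return fixed + payload


if __name__ == "__main__":
    for flag in (True, False):
        print(parse_ipv6(build_sample_packet(flag)))
    print(compress_address("2001:0db8:0000:0000:0000:0000:1428:57ab"))
```

With the Hop-by-Hop header present the chain is one entry long and the upper layer begins at offset 48; without it the parser goes straight to ICMPv6 at offset 40, which is the "no router-specific information" case the Hop-by-Hop section describes.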
Feature and Functionality          FTOS Release Introduction (Z9000)  Documentation and Chapter Location
IPv6 stateless autoconfiguration   8.3.11                             Stateless Autoconfiguration
IPv6 MTU path discovery            8.3.11                             Path MTU Discovery
IPv6 ICMPv6                        8.3.11                             ICMPv6
IPv6 ping                          8.3.11                             ICMPv6
IPv6 traceroute                    8.3.11                             ICMPv6
IPv6 SNMP                          8.3.11                             IPv6 Routing
Static routing                     8.3.11                             Assigning a Static IPv6 Route
Route redistribution               8.3.11                             OSPF, IS-IS, and IPv6 BGP chapters in the FTOS Command Line Reference Guide.
Feature and Functionality                   FTOS Release Introduction (Z9000)  Documentation and Chapter Location
IPv6 Services and Management
Telnet client over IPv6 (outbound Telnet)   8.3.11                             Configuring Telnet with IPv6 Control and Monitoring in the FTOS Command Line Reference Guide.
Telnet server over IPv6 (inbound Telnet)    8.3.11                             Configuring Telnet with IPv6 Control and Monitoring in the FTOS Command Line Reference Guide.
Secure Shell (SSH) client                   8.3.
Path MTU Discovery
IPv6 path maximum transmission unit (MTU) discovery is supported on the Z9000 platform. Path MTU, in accordance with RFC 1981, is the largest packet size that can traverse a transmission path without being fragmented. Path MTU discovery for IPv6 uses ICMPv6 Type 2 (Packet Too Big) messages to learn the largest MTU along the path from source to destination, so that the source can size its packets to fit and avoid fragmentation. IPv6 requires every link to carry packets of at least 1280 bytes (RFC 2460), so 1280 is the safe packet size for a node that does not run path MTU discovery.
Figure 43. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets With FTOS version 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Adjusting Your CAM-Profile
The cam-acl command is supported on the Z9000 platform. Although adjusting your CAM-profile is not a mandatory step, if you plan to implement IPv6 ACLs, adjust your CAM settings. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a multiple of 2 (2, 4, 6, 8, 10).
• Enter the IPv6 address for the device.
  CONFIG-INTERFACE mode
  ipv6 address ipv6-address/mask
  – ipv6-address: x:x:x:x::x
  – mask: the prefix length is from 0 to 128
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing.

Assigning a Static IPv6 Route
IPv6 static routes are supported on the Z9000 platform. To configure IPv6 static routes, use the ipv6 route command.
  – ipv6-address: x:x:x:x::x
  – mask: the prefix length is from 0 to 128.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.

SNMP over IPv6
The simple network management protocol (SNMP) is supported on the Z9000 platform. You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running FTOS IPv6.
  EXEC mode
  show ipv6 interface type {slot/port}
  Enter the keyword interface then the type of interface and slot/port information:
  – For a brief summary of IPv6 status and configuration, enter the keyword brief.
  – For all IPv6 configured interfaces, enter the keyword configured.
  – For a 10/100/1000 or Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
  – To display information about a network, enter ipv6 address (X:X:X:X::X).
  – To display information about a host, enter hostname.
  – To display information about all IPv6 routes (including non-active routes), enter all.
  – To display information about all connected IPv6 routes, enter connected.
  – To display a brief summary of all IPv6 routes, enter summary.
  – To display information about Border Gateway Protocol (BGP) routes, enter bgp.
Showing the Running-Configuration for an Interface
To view the configuration for any interface, use the following command.
• Show the currently running configuration for the specified interface.
  EXEC mode
  show running-config interface type {slot/port}
  Enter the keyword interface then the type of interface and slot/port information:
  – For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
Intermediate System to Intermediate System 21
Intermediate system to intermediate system (IS-IS) is supported on the Z9000 platform.
• IS-IS is supported on the Z9000 with FTOS version 9.0.0.0.
• The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm.
• Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
The IS-IS protocol standards are listed in the Standards Compliance chapter.
Figure 44. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to divide a single physical topology into logical routing domains, each of which can support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions. If a local router does not participate in certain MTs, it does not advertise those MT IDs in its IS-IS hellos (IIHs) and so does not include that neighbor within its LSPs. If an MT ID is not detected in the remote side’s IIHs, the local router does not include that neighbor within its LSPs.
identifier has also been included in the supported TLVs. The new TLVs use the extended metrics and up/down bit semantics. Multi-topology IS-IS adds TLVs: • MT TLV — contains one or more Multi-Topology IDs in which the router participates. This TLV is included in IIH and the first fragment of an LSP. • MT Intermediate Systems TLV — appears for every topology a node supports. An MT ID is added to the extended IS reachability TLV type 22.
Except where identified, the commands described in this chapter apply to both IPv4 and IPv6 versions of IS-IS. Configuration Tasks for IS-IS The following describes the configuration tasks for IS-IS.
  – For a port channel, enter the keywords port-channel then a number.
  – For a SONET interface, enter the keyword sonet then the slot/port information.
  – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  – For a VLAN, enter the keyword vlan then a number from 1 to 4094.
4. Enter an IPv4 address.
  INTERFACE mode
  ip address ip-address mask
  Assign an IP address and mask to the interface.
  Accept wide metrics:     none
FTOS#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
4. Implement a wide metric-style globally.
  ROUTER ISIS AF IPV6 mode
  isis ipv6 metric metric-value [level-1 | level-2 | level-1-2]
  To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.

Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings.
• Enable graceful restart on ISIS processes.
  – manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
NOTE: If this timer expires before the synchronization has completed, the restarting router sends the overload bit in the LSP. The 'overload' bit is an indication to the receiving router that database synchronization did not complete at the restarting router.
  Next IS-IS LAN Level-2 Hello in 6 seconds
  LSP Interval: 33
  Next IS-IS LAN Level-1 Hello in 4 seconds
  Next IS-IS LAN Level-2 Hello in 6 seconds
  LSP Interval: 33
Restart Capable Neighbors: 2, In Start: 0, In Restart: 0
FTOS#

Changing LSP Attributes
IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
  Loopback 0
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics:   level-1-2
Generate wide metrics:   none
Accept wide metrics:     none
FTOS#

Configuring the IS-IS Cost
When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands.
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for a router.
  ROUTER ISIS mode
  is-type {level-1 | level-1-2 | level-2-only}
  The default is level-1-2.
• Change the IS-type for the IS-IS process.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or FTOS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
  distribute-list prefix-list-name in [interface]
  Enter the type of interface and slot/port information:
  – For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
  – For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
  – For a port channel, enter the keywords port-channel then a number.
  – For a SONET interface, enter the keyword sonet then the slot/port information.
• Include specific OSPF routes in IS-IS.
  ROUTER ISIS mode
  redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
  Configure the following parameters:
  – process-id: the range is from 1 to 65535.
  – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
  – metric value: the range is from 0 to 16777215. The default is 0.
command in ROUTER ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode. Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers.
B233.00-00            0x00000003   0x07BF
eljefe.00-00        * 0x0000000A   0xF963
eljefe.01-00        * 0x00000001   0x68DF
eljefe.02-00        * 0x00000001   0x2E7F
Force10.00-00         0x00000002   0xD1A7
IS-IS Level-2 Link State Database
LSPID                 LSP Seq Num  LSP Checksum
B233.00-00            0x00000006   0xC38A
eljefe.00-00        * 0x0000000E   0x53BF
eljefe.01-00        * 0x00000001   0x68DF
eljefe.02-00        * 0x00000001   0x2E7F
Force10.
– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. FTOS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command.
Maximum Values in the Routing Table IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000. Change the IS-IS Metric Style in One Level Only By default, the IS-IS metric style is narrow. When you change from one IS-IS metric style to another, the IS-IS metric value (configured with the isis metric command) could be affected.
Beginning Metric Style  Final Metric Style  Resulting IS-IS Metric Value
narrow transition       wide transition     original value
narrow transition       transition          original value
wide transition         wide                original value
wide transition         narrow              default value (10) if the original value is greater than 63. A message is sent to the console.
wide transition         narrow transition   default value (10) if the original value is greater than 63. A message is sent to the console.
Level-1 Metric Style  Level-2 Metric Style  Resulting Metric Value
narrow                transition            original value
wide                  narrow                truncated value
wide                  narrow transition     truncated value
wide                  wide transition       original value
wide                  transition            truncated value
narrow transition     wide                  original value
narrow transition     narrow                original value
narrow transition     wide transition       original value
narrow transition     transition            original value
transition            wide                  original value
transition            narrow                original value
transiti
• Multi-topology Transition — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface. If you configure IPv4, also enable the ip router isis command. In router isis configuration mode, enable multi-topology transition under address-family ipv6 unicast. Figure 45. IPv6 IS-IS Sample Topography The following is a sample configuration for enabling IPv6 IS-IS.
FTOS (conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.00
 !
 address-family ipv6 unicast
  multi-topology
 exit-address-family
FTOS (conf-router_isis)#

IS-IS Sample Configuration — Multi-topology Transition
FTOS (conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
FTOS (conf-if-te-3/17)#
FTOS (conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
Link Aggregation Control Protocol (LACP) 22 Link aggregation control protocol (LACP) is supported on the Z9000 platform. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by FTOS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
NOTE: There is no configuration on the interface because that condition is required for an interface to be part of a LAG. • You can configure link dampening on individual members of a LAG. For more information, refer to Link Debounce Timer. LACP Modes FTOS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state.
The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768.

LACP Configuration Tasks
The following are LACP configuration tasks.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
• Configuring Shared LAG State Tracking
Creating a LAG
To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces.
FTOS(conf)#interface Gigabitethernet 3/16
FTOS(conf-if-gi-3/16)#no shutdown
FTOS(conf-if-gi-3/16)#port-channel-protocol lacp
FTOS(conf-if-gi-3/16-lacp)#port-channel 32 mode active
...
FTOS(conf)#interface Gigabitethernet 4/15
FTOS(conf-if-gi-4/15)#no shutdown
FTOS(conf-if-gi-4/15)#port-channel-protocol lacp
FTOS(conf-if-gi-4/15-lacp)#port-channel 32 mode active
...
To view the PDU exchanges and the timeout value, use the debug lacp command. For more information, refer to Monitoring and Debugging LACP. Monitoring and Debugging LACP The system log (syslog) records faulty LACP actions. To debug LACP, use the following command. • Debug LACP, including configuration and events.
  port-channel failover-group
2. Create a failover group and specify the two port-channels that will be members of the group.
  CONFIG-PO-FAILOVER-GRP mode
  group number port-channel number port-channel number
In the following example, LAGs 1 and 2 have been placed into the same failover group.
Minimum number of links to bring Port-channel up is 1
Port-channel is part of failover-group 1
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit
Members in this channel: Gi 1/17(U)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo
NOTE: The set of console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link).
Alpha(conf-if-po-10)#no shutdown
Alpha(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Alpha(conf-if-po-10)#
The following example inspects a LAG port configuration on ALPHA.
Figure 49.
Figure 50.
Figure 51.
interface GigabitEthernet 2/31
 no ip address

Summary of the LAG Configuration on Bravo
Bravo(conf-if-gi-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/2
Figure 52.
Figure 53.
Figure 54. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 23
Layer 2 features are supported on the Z9000 platform.
Manage the MAC Address Table
FTOS provides the following management activities for the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Setting the Aging Time for Dynamic Entries on a VLAN
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
  CONFIGURATION mode
  mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
In this case, the configuration is still present in the running-config and show output. Remove the configuration before re-applying a MAC learning limit with a lower value. Also, ensure that you can view the Syslog messages on your session. NOTE: The CAM-check failure message beginning in FTOS version 8.3.1.0 is different from versions 8.2.1.
When you enable sticky MAC on an interface, dynamically learned MAC addresses do not age, even if you enabled mac-learning-limit dynamic. If you configured mac-learning-limit and mac-learning-limit dynamic and then disable sticky MAC, dynamically learned MAC addresses age again.
mac learning-limit station-move
The mac learning-limit station-move command is available on the Z-Series platform. The station-move option allows a MAC address already in the table to be learned from another interface.
Setting Station Move Violation Actions Station move violation actions are supported only on the Z9000 platform. no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move.
NIC Teaming Network interface controller (NIC) teaming is available on the Z-Series platform. NIC teaming is a feature that allows multiple network interface cards in a server to be represented by one MAC address and one IP address in order to provide transparent redundancy, balancing, and to fully utilize network adapter resources. The following illustration shows a topology where two NICs have been teamed together.
Figure 56. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Configuring redundant pairs is supported on the Z9000 platform. Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 57. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
Important Points about Configuring Redundant Pairs
• You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface.
• The active or backup interface may not be a member of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
Example of Configuring Redundant Pairs on a Port-Channel
FTOS#show interfaces port-channel brief
Codes: L - LACP Port-channel
LAG  Mode  Status  Uptime    Ports
1    L2    up      00:08:33  Te 0/0 (Up)
2    L2    up      00:00:02  Te 0/1 (Up)
FTOS#configure
FTOS(conf)#interface port-channel 1
FTOS(conf-if-po-1)#switchport backup interface port-channel 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Po 2
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to dow
Figure 58. Configuring Far-End Failure Detection The report consists of several packets in SNAP format that are sent to the nearest known MAC address. In the event of a far-end failure, the device stops receiving frames and, after the specified time interval, assumes that the far-end is not available. The connecting line protocol is brought down so that upper layer protocols can detect the neighbor unavailability faster. FEFD State Changes FEFD has two operational modes, Normal and Aggressive.
5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled. You must manually reset all interfaces in the Err-disabled state using the fefd reset [interface] command in EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again. Table 19.
no shutdown 3. Enable fefd globally. CONFIGURATION mode fefd {interval | mode} To display information about the state of each interface, use the show fefd command in EXEC privilege mode. Example of the show fefd Command FTOS#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
interface GigabitEthernet 1/0 no ip address switchport fefd mode normal no shutdown FTOS(conf-if-gi-1/0)#do show fefd | grep 1/0 Gi 1/0 Normal 3 Unknown Debugging FEFD To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD enabled connection, use the second command. • Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
%RPM1-P:CP %FEFD-5-FEFD-BIDIRECTION-LINK-DETECTED: Interface Gi 0/45 has bidirectional link with its peer
Link Layer Discovery Protocol (LLDP) 24 The link layer discovery protocol (LLDP) is supported on the Z9000 platform. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 20. Type, Length, Value (TLV) Types
Type  TLV            Description
0     End of LLDPDU  Marks the end of an LLDPDU.
1     Chassis ID     An administratively assigned name that identifies the LLDP agent.
2     Port ID        An administratively assigned name that identifies a port through which TLVs are sent and received.
3     Time to Live   An administratively assigned name that identifies a port through which TLVs are sent and received.
Figure 61. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs. Table 21. Optional TLV Types Type TLV Description 4 Port description A user-defined alphanumeric string that describes the port. FTOS does not currently support this TLV.
Type TLV Description 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation. This TLV is not available in the FTOS implementation of LLDP, but is available and mandatory (nonconfigurable) in the LLDP-MED implementation.
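The TLV framing in Tables 20 and 21 is simple enough to parse by hand, and doing so makes clear both how much a neighbor learns from the TLVs a system advertises (system name, description, VLAN membership) and why a receiver must trust the length field rather than the bytes that follow it. The following is an added example, not code from the guide or from FTOS: a Python encoder and parser for LLDPDU TLVs (7-bit type, 9-bit length) that checks the mandatory TLV order and summarizes what a peer advertised. The TLV type constants come from the guide's tables; the IEEE 802.1 Port VLAN ID subtype (1), the chassis-ID and port-ID subtypes, and the sample frame are assumptions constructed for the example.

```python
import struct

# TLV type numbers from the guide's Table 20 and Table 21
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
TLV_PORT_DESC, TLV_SYSTEM_NAME, TLV_SYSTEM_DESC = 4, 5, 6
TLV_ORG_SPECIFIC = 127
IEEE_8021_OUI = bytes.fromhex("0080c2")   # OUI the guide quotes for IEEE 802.1 TLVs
PORT_VLAN_ID_SUBTYPE = 1                   # assumed: IEEE 802.1 subtype 1 is Port VLAN ID


def build_tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(frame):
    """Walk an LLDPDU and return a list of (type, oui, subtype, value) tuples.

    The length comes from each header, never from the bytes that happen to follow,
    so a truncated TLV is rejected instead of being read past its end."""
    tlvs, offset, saw_end = [], 0, False
    while offset + 2 <= len(frame):
        (header,) = struct.unpack_from("!H", frame, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        value = frame[offset:offset + length]
        if len(value) != length:
            raise ValueError("truncated TLV of type %d at offset %d" % (tlv_type, offset))
        offset += length
        if tlv_type == TLV_ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI + subtype")
            tlvs.append((tlv_type, value[:3], value[3], value[4:]))
        else:
            tlvs.append((tlv_type, None, None, value))
        if tlv_type == TLV_END:
            saw_end = True
            break
    if not saw_end:
        raise ValueError("LLDPDU has no End of LLDPDU TLV")
    return tlvs


def mandatory_order_ok(tlvs):
    """802.1AB requires Chassis ID, Port ID and TTL first and End of LLDPDU last."""
    types = [t[0] for t in tlvs]
    return types[:3] == [TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL] and types[-1] == TLV_END


def summarize(tlvs):
    """Collect what the peer advertised into a dict keyed by field name."""
    info = {}
    for tlv_type, oui, subtype, value in tlvs:
        if tlv_type == TLV_CHASSIS_ID:
            info["chassis_id"] = (value[0], value[1:])      # (subtype, identifier)
        elif tlv_type == TLV_PORT_ID:
            info["port_id"] = (value[0], value[1:])
        elif tlv_type == TLV_TTL:
            if len(value) < 2:
                raise ValueError("TTL TLV must carry two bytes")
            (info["ttl"],) = struct.unpack("!H", value[:2])
        elif tlv_type == TLV_SYSTEM_NAME:
            info["system_name"] = value.decode()
        elif tlv_type == TLV_SYSTEM_DESC:
            info["system_description"] = value.decode()
        elif tlv_type == TLV_ORG_SPECIFIC and oui == IEEE_8021_OUI and subtype == PORT_VLAN_ID_SUBTYPE:
            (info["port_vlan_id"],) = struct.unpack("!H", value[:2])
    return info


# Constructed sample LLDPDU (not a capture): chassis ID subtype 4 = MAC address,
# port ID subtype 5 = interface name, TTL 120 s, and an IEEE 802.1 Port VLAN ID TLV.
SAMPLE_LLDPDU = (
    build_tlv(TLV_CHASSIS_ID, bytes([4]) + bytes.fromhex("0001e806953e"))
    + build_tlv(TLV_PORT_ID, bytes([5]) + b"GigabitEthernet 1/31")
    + build_tlv(TLV_TTL, struct.pack("!H", 120))
    + build_tlv(TLV_SYSTEM_NAME, b"R1")
    + build_tlv(TLV_SYSTEM_DESC, b"constructed system description")
    + build_tlv(TLV_ORG_SPECIFIC, IEEE_8021_OUI + bytes([PORT_VLAN_ID_SUBTYPE]) + struct.pack("!H", 100))
    + build_tlv(TLV_END, b"")
)

if __name__ == "__main__":
    parsed = parse_lldpdu(SAMPLE_LLDPDU)
    print("mandatory order ok:", mandatory_order_ok(parsed))
    print(summarize(parsed))
```

The summary dict is the information a neighbor holds about this system once it receives the frame, which is the reason the guide later describes disabling LLDP on management ports and choosing which TLVs to advertise.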
• transmitting an LLDP-MED capability TLV to endpoint devices • storing the information that endpoint devices advertise The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 22.
Type SubType TLV Description 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device. 127 9 Inventory — Manufacturer Name Indicates the manufacturer of the LLDP-MED device. 127 10 Inventory — Model Name Indicates the model of the LLDP-MED device. 127 11 Inventory — Asset ID Indicates a user specified device number to manage inventory.
Table 24. LLDP-MED Device Types
Value  Device Type
0      Type Not Defined
1      Endpoint Class 1
2      Endpoint Class 2
3      Endpoint Class 3
4      Network Connectivity
5–255  Reserved
LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations.
Type Application Description 6 Video Conferencing Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video. 7 Streaming Video Specify this application type for dedicated video conferencing and other similar appliances supporting real-time interactive video. 8 Video Signaling Specify this application type only if video control packets use a separate network policy than video data. 9–255 Reserved — Figure 63.
Configure LLDP
Configuring LLDP is a two-step process.
1. Enable LLDP globally.
2. Advertise TLVs out of an interface.
Related Configuration Tasks
• Viewing the LLDP Configuration
• Viewing Information Advertised by Adjacent LLDP Agents
• Configuring LLDPDU Intervals
• Configuring Transmit and Receive Mode
• Configuring a Time to Live
• Debugging LLDP
Important Points to Remember
• LLDP is enabled by default.
• Dell Networking systems support up to eight neighbors per interface.
R1(conf-lldp)#exit
R1(conf)#interface gigabitethernet 1/31
R1(conf-if-gi-1/31)#protocol lldp
R1(conf-if-gi-1/31-lldp)#?
advertise    Advertise TLVs
disable      Disable LLDP protocol on this interface
end          Exit from configuration mode
exit         Exit from LLDP configuration mode
hello        LLDP hello configuration
mode         LLDP mode configuration (default = rx and tx)
multiplier   LLDP multiplier configuration
no           Negate a command or set its defaults
show         Show LLDP configuration
R1(conf-if-gi-1/31-lldp)#
Enabling LLDP LLDP is enable
Disabling and Undoing LLDP on Management Ports To disable or undo LLDP on management ports, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION mode. protocol lldp 2. Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no.
* voice * voice-signaling In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 65. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration.
protocol lldp R1(conf-if-gi-1/31-lldp)# Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
• Display brief information about adjacent devices. show lldp neighbors
• Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command. • Configure a non-default transmit interval.
no mode
Example of Configuring a Single Mode
R1(conf)#protocol lldp
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#mode ?
rx   Rx only
tx   Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities
R1(conf-lldp)#multiplier 5
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 multiplier 5
 no disable
R1(conf-lldp)#no multiplier
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Debugging LLDP You
Figure 66. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects FTOS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • received and transmitted TLVs • the LLDP configuration on the local agent • IEEE 802.1AB Organizationally Specific TLVs • received and transmitted LLDP-MED TLVs Table 26.
MIB Object Category Basic TLV Selection LLDP Statistics LLDP Variable LLDP MIB Object Description rxInfoTTL lldpRxInfoTTL Time to live for received TLVs. txInfoTTL lldpTxInfoTTL Time to live for transmitted TLVs. mibBasicTLVsTxEnable lldpPortConfigTLVsTxEnable Indicates which management TLVs are enabled for system ports. mibMgmtAddrInstanceTxEnable lldpManAddrPortsTxEnable The management addresses defined for the system and the ports through which they are enabled for transmission.
TLV Type 4 5 6 7 8 TLV Name Port Description System Name System Description System Capabilities Management Address TLV Variable port description system name system description system capabilities enabled capabilities management address length management address subtype management address interface numbering subtype interface number OID System LLDP MIB Object Remote lldpRemPortId Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local
TLV Type  TLV Name                    TLV Variable                      System  LLDP MIB Object
127       Port and Protocol VLAN ID   port and protocol VLAN supported  Local   lldpXdot1LocProtoVlanSupported
                                                                        Remote  lldpXdot1RemProtoVlanSupported
                                      port and protocol VLAN enabled    Local   lldpXdot1LocProtoVlanEnabled
                                                                        Remote  lldpXdot1RemProtoVlanEnabled
                                      PPVID                             Local   lldpXdot1LocProtoVlanId
                                                                        Remote  lldpXdot1RemProtoVlanId
127       VLAN Name                   VID                               Local   lldpXdot1LocVlanId
                                                                        Remote  lldpXdot1RemVlanId
                                      VLAN name length                  Local   lldpXdot1LocVlanNam
                                      VLAN name
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Unknown Policy Flag Local lldpXMedLocMediaPolicyUnknown Remote lldpXMedLocMediaPolicyUnknown Local lldpXMedLocMediaPolicyTagged Remote lldpXMedLocMediaPolicyTagged Local lldpXMedLocMediaPolicyVlanID Remote lldpXMedRemMediaPolicyVlanID Local lldpXMedLocMediaPolicyPriority Remote lldpXMedRemMediaPolicyPriority Local lldpXMedLocMediaPolicyDscp Remote lldpXMedRemMediaPolicyDscp Local lldpXMedLocLocationSubtype R
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Power Priority Local lldpXMedLocXPoEPDPowerPriority lldpXMedLocXPoEPSEPortPDPriority Remote lldpXMedRemXPoEPSEPowerPriority lldpXMedRemXPoEPDPowerPriority Local lldpXMedLocXPoEPSEPortPowerAv lldpXMedLocXPoEPDPowerReq Remote lldpXMedRemXPoEPSEPowerAv lldpXMedRemXPoEPDPowerReq Power Value
Multicast Source Discovery Protocol (MSDP) 25 Multicast source discovery protocol (MSDP) is supported on the Z9000 platform. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Each RP advertises every (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 68. MSDP SA Message Format Anycast RP Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks.
The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP. Also, refer to Open Shortest Path First (OSPFv2) and Border Gateway Protocol IPv4 (BGPv4). 2. Configure PIM-SM within each EGP routing domain. Refer to the following figures. The MSDP Sample Configurations show the PIM-SM configuration in this chapter for MSDP. Also, refer to PIM Sparse-Mode (PIM-SM). 3. Enable MSDP. 4. Peer the RPs in each routing domain with each other. Refer to Enable MSDP.
Figure 69.
Figure 70.
Figure 71.
Figure 72. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains.
Example of Configuring MSDP R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3_E600(conf)#do show ip msdp summary Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
Limiting the Source-Active Cache Set the upper limit of the number of active sources that the Dell Networking operating system (FTOS) caches. The default active source limit is 500K messages. When the total number of active sources reaches the specified limit, subsequent active sources are dropped even if they pass the reverse path forwarding (RPF) and policy check. To limit the number of sources that SA cache stores, use the following command.
Figure 73.
Figure 74.
Figure 75.
Figure 76. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
FTOS(conf)#ip access-list standard fifty
FTOS(conf)#seq 5 permit host 200.0.0.50
FTOS#ip msdp sa-cache
MSDP Source-Active Cache - 3 entries
GroupAddr   SourceAddr  RPAddr      LearnedFrom
229.0.50.2  24.0.50.2   200.0.0.50  10.0.50.2
229.0.50.3  24.0.50.3   200.0.0.50  10.0.50.2
229.0.50.4  24.0.50.4   200.0.0.50  10.0.50.2
FTOS#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr    SourceAddr  RPAddr
00:33:18  229.0.50.64  24.0.50.64  200.0.1.50
00:33:18  229.0.50.65  24.0.50.
ip msdp peer 192.168.0.3 connect-source Loopback 0
ip msdp redistribute list mylocalfilter
ip msdp cache-rejected-sa 1000
R1_E600(conf)#do show run acl
!
ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.2
 seq 10 deny ip any any
R1_E600(conf)#do show ip msdp sa-cache
R1_E600(conf)#do show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
1 rejected SAs received, cache-size 1000
UpTime    GroupAddr  SourceAddr  RPAddr  LearnedFrom
00:02:20  239.0.0.1  10.11.4.2   192.168.0.
Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command. • Prevent an RP from advertising a source in the SA cache. CONFIGURATION mode ip msdp sa-filter list in peer list ext-acl In the following example, R1 stops advertising source 10.11.4.2. Because it is already in the SA cache of R3, the entry remains there until it expires.
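The redistribute list and sa-filter examples above both come down to the same decision: each (S,G) in an SA message is run through an access list in sequence order, the first matching entry decides, an unmatched entry is denied, and rejected entries land in the bounded rejected-SA cache. The following is an added example, not code from the guide or from FTOS, that models that decision in Python so the filter in the show run acl output above can be checked offline. It assumes, following the way the page's mylocalfilter is written, that the first host field of an entry matches the group and the second matches the source; the SaEntry and AclEntry names, the cache-size handling and the second SA entry are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# One entry of an extended access list as the guide uses it with "ip msdp redistribute list"
# and "ip msdp sa-filter". Assumption (following the page's example): the first address
# matches the group, the second the source. Entries are evaluated in ascending sequence
# order, the first match decides, and every list ends with an implicit deny.
AclEntry = namedtuple("AclEntry", "seq action group source")
SaEntry = namedtuple("SaEntry", "group source rp")


def _match(pattern, address):
    """'any' matches everything; otherwise the address must fall inside the prefix."""
    if pattern == "any":
        return True
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network(pattern)


def acl_permits(acl, group, source):
    """True if the list permits the (S,G) pair, False on an explicit or implicit deny."""
    for entry in sorted(acl, key=lambda e: e.seq):
        if _match(entry.group, group) and _match(entry.source, source):
            return entry.action == "permit"
    return False  # implicit deny at the end of every access list


def apply_sa_filter(sa_entries, acl, cache_size):
    """Split SA entries into the SA cache and the rejected-SA cache.

    `cache_size` plays the role of "ip msdp cache-rejected-sa <size>": rejected entries
    beyond it are counted but not kept. Returns (accepted, rejected, rejected_count)."""
    accepted, rejected, rejected_count = [], [], 0
    for sa in sa_entries:
        if acl_permits(acl, sa.group, sa.source):
            accepted.append(sa)
        else:
            rejected_count += 1
            if len(rejected) < cache_size:
                rejected.append(sa)
    return accepted, rejected, rejected_count


# The page's access list: seq 5 deny ip host 239.0.0.1 host 10.11.4.2 / seq 10 deny ip any any
MYLOCALFILTER = [
    AclEntry(5, "deny", "239.0.0.1/32", "10.11.4.2/32"),
    AclEntry(10, "deny", "any", "any"),
]
# Constructed variant that blocks only the one (S,G) and lets everything else through
BLOCK_ONE_SOURCE = [
    AclEntry(5, "deny", "239.0.0.1/32", "10.11.4.2/32"),
    AclEntry(10, "permit", "any", "any"),
]

# SA entries: the first is the one in the page's rejected-SA output, the second is constructed
PAGE_SA = SaEntry("239.0.0.1", "10.11.4.2", "192.168.0.1")
OTHER_SA = SaEntry("239.0.0.2", "10.11.4.3", "192.168.0.1")

if __name__ == "__main__":
    for name, acl in (("mylocalfilter", MYLOCALFILTER), ("block-one-source", BLOCK_ONE_SOURCE)):
        accepted, rejected, count = apply_sa_filter([PAGE_SA, OTHER_SA], acl, 1000)
        print(name, "accepted:", [s.group for s in accepted], "rejected:", count)
```

Run against the page's list, nothing is accepted because seq 10 denies everything that seq 5 did not; swapping seq 10 to permit is what it takes to stop advertising only the one source, which is the effect the sa-filter paragraph describes.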
After the relationship is terminated, the peering state of the terminator is SHUTDOWN, while the peering state of the peer is INACTIVE. Example of the Verifying that Peering State is Disabled [Router 3] R3_E600(conf)#ip msdp shutdown 192.168.0.1 R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 0.0.0.
Input (S,G) filter: myremotefilter Output (S,G) filter: none Debugging MSDP To debug MSDP, use the following command. • Display the information exchanged between peers. CONFIGURATION mode debug ip msdp Example of the debug ip msdp Command R1_E600(conf)#do debug ip msdp All MSDP debugging has been turned on R1_E600(conf)#03:16:08 : MSDP-0: Peer 03:16:09 : MSDP-0: Peer 192.168.0.3, 03:16:27 : MSDP-0: Peer 192.168.0.3, 03:16:38 : MSDP-0: Peer 192.168.0.3, 03:16:39 : MSDP-0: Peer 192.168.0.
Figure 77. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3.
interface loopback 4. Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5. Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
interface Loopback 1
 ip address 192.168.0.11/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.22 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.22
ip msdp originator-id Loopback 1
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
!
ip route 192.168.0.3/32 10.11.0.32
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4
Example of R3 Configuration for MSDP with Anycast RP
ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
MSDP Sample Configuration: R3 Running-Config
ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
!
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 0/0
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.4/32 area 0
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.
Multiple Spanning Tree Protocol (MSTP) 26 Multiple spanning tree protocol (MSTP) is supported on the Z9000 platform. Protocol Overview MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
Spanning Tree Variations The Dell Networking operating system (FTOS) supports four variations of spanning tree, as shown in the following table.
Table 30. Spanning Tree Variations
Dell Networking Term                    IEEE Specification
Spanning Tree Protocol (STP)            802.1d
Rapid Spanning Tree Protocol (RSTP)     802.1w
Multiple Spanning Tree Protocol (MSTP)  802.1s
Per-VLAN Spanning Tree Plus (PVST+)     Third Party
Implementation Information The following describes the MSTP implementation information.
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0.
1. Within an MSTI, only one path from any bridge to any other bridge is enabled.
Specify the keyword vlan then the VLANs that you want to participate in the MSTI.
Example of the msti Command
FTOS(conf)#protocol spanning-tree mstp
FTOS(conf-mstp)#msti 1 vlan 100
FTOS(conf-mstp)#msti 2 vlan 200-300
FTOS(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
Changing the Region Name or Revision To change the region name or revision, use the following commands.
• Change the region name. PROTOCOL MSTP mode name name
• Change the region revision number. PROTOCOL MSTP mode revision number
To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4. Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40. The default is 20. To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
To change the port cost or priority of an interface, use the following commands. 1. Change the port cost of an interface. INTERFACE mode spanning-tree msti number cost cost The range is from 0 to 200000. For the default, refer to the default values shown in the table. 2. Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16. The default is 128.
* Disabling global spanning tree (using the no spanning-tree command in CONFIGURATION mode). To verify that EdgePort is enabled, use the show config command from INTERFACE mode.
Router 1 Running-Configuration This example uses the following steps: 1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
(Step 2)
interface GigabitEthernet 2/11
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown
Router 3 Running-Configuration This example uses the following steps: 1.
 tagged GigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 3/11,21
 no shutdown
SFTOS Example Running-Configuration This example uses the following steps: 1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages. debug spanning-tree mstp events
To ensure all the necessary parameters match (region name, region version, and VLAN to instance mapping), examine your individual routers. To show various portions of the MSTP configuration, use the show spanning-tree mst commands. To view the overall MSTP configuration on the router, use the show running-config spanning-tree mstp command in EXEC Privilege mode.
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78 (Indicates MSTP routers are in the [single] region.) CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470 Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0 Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd 4w0d4h : INST 1 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.
Multicast Features 27 Multicast features are supported on the Z9000 platform. NOTE: Multicast is supported on secondary IP addresses on the platform. The Dell Networking operating system (FTOS) supports the following multicast protocols: • PIM Sparse-Mode (PIM-SM) • Internet Group Management Protocol (IGMP) • Multicast Source Discovery Protocol (MSDP) Enabling IP Multicast Enabling IP multicast is supported on the Z9000 platform.
Figure 80. Multicast with ECMP Implementation Information Because protocol control traffic in FTOS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, FTOS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper 5 bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.
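The 32-to-1 collision described above follows directly from how an IPv4 group is turned into an Ethernet destination: the 01:00:5e prefix plus the low 23 bits of the address, with the 5 bits above them discarded. The following is an added example, not code from the guide or from FTOS, that performs the mapping in Python, enumerates the 32 groups sharing one MAC, and flags groups whose frames collide with the 224.0.0.0/24 link-local control range, which is the case in which data traffic can be sent to the CPU alongside control traffic. The function names and the sample groups are constructed for the example; the prefix and the 23-bit rule are the standard IPv4 multicast-to-MAC mapping.

```python
import ipaddress

MCAST_MAC_PREFIX = bytes([0x01, 0x00, 0x5E])   # prefix of every IPv4 multicast MAC
LOW_23_BITS = 0x7FFFFF


def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet MAC: 01:00:5e plus the low 23 bits
    of the group address. The 5 bits above them are dropped, as the guide describes."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv4 multicast address" % group)
    low23 = int(addr) & LOW_23_BITS
    mac = MCAST_MAC_PREFIX + bytes([low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF])
    return ":".join("%02x" % b for b in mac)


def colliding_groups(group):
    """All 32 IPv4 groups that share the Ethernet MAC of `group`, one per value of
    the 5 dropped bits, in ascending address order."""
    base = int(ipaddress.IPv4Address(group)) & LOW_23_BITS
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | base)) for i in range(32)]


def collides_with_link_local(group):
    """True if `group` shares a MAC with a 224.0.0.0/24 link-local control group
    (the range routing protocols use), so its data frames match control-traffic MACs."""
    return (int(ipaddress.IPv4Address(group)) & LOW_23_BITS) < 256


if __name__ == "__main__":
    # constructed sample: a data group that lands on the same MAC as an OSPF control group
    for g in ("224.0.0.5", "225.0.0.5", "239.1.1.1"):
        print(g, multicast_mac(g), "link-local collision:", collides_with_link_local(g))
    print(colliding_groups("239.1.1.1"))
```

When choosing group addresses for an application, running the candidates through collides_with_link_local is the quick way to avoid the overlap this section warns about.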
• Multicast is not supported on secondary IP addresses. • Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing. First Packet Forwarding for Lossless Multicast Beginning with FTOS version 8.3.1.0, all initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry.
When the multicast route limit is reached, FTOS displays the following: 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB limit reached. No new routes will be learnt until TIB level falls below low watermark. 3w1d13h: %RPM0-P:RP2 %PIM-3-PIM_TIB_LIMIT: PIM TIB below low watermark. Route learning will begin. To limit the number of multicast routes, use the following command. • Limit the total number of multicast routes on the system. CONFIGURATION mode ip multicast-limit The range is from 1 to 50000.
Figure 81. Preventing a Host from Joining a Group
Table 32. Preventing a Host from Joining a Group — Description
Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
          no shutdown
2/1       Interface GigabitEthernet 2/1
          ip pim sparse-mode
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.
Rate Limiting IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined. Hosts whose IGMP requests are denied will use the retry mechanism built into IGMP, so their membership is delayed rather than permanently denied. • Limit the rate at which new groups can be joined.
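The behaviour this section relies on, a join that is refused now but admitted on a later IGMP retry, is easiest to see with a small model. The following is an added example, not code from the guide or from FTOS: a per-interface sliding-window limiter in Python that admits at most a configured number of new group joins per window, treats reports for already-joined groups as free, and a driver that replays a constructed burst with its retries. The class and function names, the window length, and the burst timeline are assumptions made for the example, not FTOS's internal algorithm.

```python
from collections import deque


class JoinRateLimiter:
    """Limit new IGMP group joins on one interface to `limit` per `window` seconds.

    Hypothetical model of the behaviour the guide describes: excess joins are denied,
    and because IGMP hosts retry, a denied host gets in once the window has room."""

    def __init__(self, limit, window=1.0):
        self.limit = limit
        self.window = window
        self.admitted = deque()   # timestamps of joins admitted inside the current window
        self.members = set()      # groups already joined on this interface

    def join(self, group, now):
        """Return True if the join is accepted now, False if the host must retry later."""
        if group in self.members:
            return True           # a report for an existing group is not a new join
        while self.admitted and now - self.admitted[0] >= self.window:
            self.admitted.popleft()
        if len(self.admitted) >= self.limit:
            return False
        self.admitted.append(now)
        self.members.add(group)
        return True


def simulate(attempts, limit, window=1.0):
    """Replay (time, group) join attempts, in time order, through one limiter.

    Returns (accepted, denied) lists of (time, group) so a burst and the retries
    that follow it can be inspected."""
    limiter = JoinRateLimiter(limit, window)
    accepted, denied = [], []
    for when, group in attempts:
        (accepted if limiter.join(group, when) else denied).append((when, group))
    return accepted, denied


# Constructed burst: five hosts join different groups at once, then the refused ones retry
# one second later, and the last one a second after that.
BURST = [(0.0, "239.1.1.1"), (0.0, "239.1.1.2"), (0.0, "239.1.1.3"),
         (0.0, "239.1.1.4"), (0.0, "239.1.1.5"),
         (1.0, "239.1.1.3"), (1.0, "239.1.1.4"), (1.0, "239.1.1.5"),
         (2.0, "239.1.1.5")]

if __name__ == "__main__":
    accepted, denied = simulate(BURST, limit=2)
    print("accepted:", accepted)
    print("denied:  ", denied)
```

With a limit of two per second, three of the five hosts are refused in the first window, two of them succeed on their first retry and the last on its second; every group ends up joined, only later, which is the point the section makes.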
Figure 82. Preventing a Source from Transmitting to a Group
Table 33. Preventing a Source from Transmitting to a Group — Description
Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
          no shutdown
2/1       Interface GigabitEthernet 2/1
          ip pim sparse-mode
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
28 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on the Z9000 platform. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking operating system (FTOS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 83. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
• Totally stubby areas are referred to as no summary areas in the Dell Networking operating system (FTOS). Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism.
Figure 84. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
Autonomous System Border Router (ASBR) The autonomous system border router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gateway protocol (non-IGP) such as BGP or uses static routes. Internal Router (IR) The internal router (IR) has adjacencies ONLY with routers in the same area, such as Routers E, M, and I in the previous example.
• Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links. • Type 9: Link Local LSA (OSPFv2), Intra-Area-Prefix LSA (OSPFv3) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370. For OSPFv3, this LSA carries the IPv6 prefixes of the router and network links. • Type 11 - Grace LSA (OSPFv3) — For OSPFv3 only, this LSA is a link-local “opaque” LSA sent by a restarting OSPFv3 router during a graceful restart.
• Priority is a numbered rating from 0 to 255. The higher the number, the higher the priority.
• Cost is a numbered rating from 1 to 65535. The higher the number, the greater the cost. The cost assigned reflects the cost should the router fail. When a router fails and the cost is assessed, a new priority number results.
Figure 85. Priority and Cost Examples
OSPF with FTOS
FTOS supports up to 10,000 OSPF routes for OSPFv2.
• AS External LSA (type 5)
• NSSA External LSA (type 7)
• Link LSA, OSPFv3 only (type 8)
• Opaque Link-Local LSA (type 9)
• Grace LSA, OSPFv3 only (type 11)
Graceful Restart
Graceful restart for OSPFv2 and OSPFv3 is supported on the Z-Series platform in Helper mode only. When a router goes down without a graceful restart, there is a possibility of losing access to parts of the network because of ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays.
• OSPFv2 and OSPFv3 support planned-only and/or unplanned-only restarts. The default is support for both planned and unplanned restarts. A planned restart occurs when you enter the redundancy force-failover rpm command to force the primary RPM to switch to the backup RPM. During a planned restart, OSPF sends out a Grace LSA before the system switches over to the backup RPM.
Enabling RFC-2328 Compliant OSPF Flooding
To enable OSPF flooding, use the following command. When you enable this command, it configures FTOS to flood LSAs on all interfaces.
• Enable RFC 2328 flooding.
ROUTER OSPF mode
flood-2328
To confirm RFC 2328 flooding behavior, use the debug ip ospf packet command. In the following example, the counters for update packets do not change; the ACKs 2 counter is printed only for ACK packets.
Setting OSPF Adjacency with Cisco Routers To establish an OSPF adjacency between Dell Networking and Cisco routers, the hello interval and dead interval must be the same on both routers. In FTOS, the OSPF dead interval value is, by default, set to 40 seconds, and is independent of the OSPF hello interval. Configuring a hello interval does not change the dead interval in FTOS. In contrast, the OSPF dead interval on a Cisco router is, by default, four times as long as the hello interval.
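The vendor-default mismatch described above is easy to miss because both routers look correctly configured. The following script is an added example for this section, not Dell Networking code: it encodes the two default rules (FTOS keeps a fixed 40-second dead interval that does not follow the hello interval; Cisco IOS derives dead = 4 x hello unless a dead interval is configured), reports why an adjacency would not form, and produces the CONFIG-INTERFACE commands that align the FTOS side with its peer. The router names and timer values are constructed sample input; the 10-second hello default is the broadcast/point-to-point default on both vendors.

```python
"""Hello/dead timer audit for an OSPF adjacency between an FTOS router and a
Cisco router. Added example for this guide, not Dell code. Router names and
timer values are constructed sample input."""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_HELLO = 10  # seconds, broadcast/point-to-point default on both vendors


@dataclass
class OspfInterface:
    router: str
    vendor: str                  # "ftos" or "cisco" (only these two are modelled)
    hello: Optional[int] = None  # None means "not configured, use the default"
    dead: Optional[int] = None

    def effective_hello(self) -> int:
        return self.hello if self.hello is not None else DEFAULT_HELLO

    def effective_dead(self) -> int:
        if self.dead is not None:
            return self.dead
        if self.vendor == "ftos":
            return 40                          # fixed, independent of hello
        if self.vendor == "cisco":
            return 4 * self.effective_hello()  # derived from hello
        raise ValueError(f"unknown vendor: {self.vendor}")


def audit_adjacency(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Return findings that would keep a and b from becoming OSPF neighbors."""
    findings: List[str] = []
    if a.effective_hello() != b.effective_hello():
        findings.append(f"hello mismatch: {a.router}={a.effective_hello()}s, "
                        f"{b.router}={b.effective_hello()}s")
    if a.effective_dead() != b.effective_dead():
        findings.append(f"dead mismatch: {a.router}={a.effective_dead()}s, "
                        f"{b.router}={b.effective_dead()}s")
    for intf in (a, b):
        if intf.effective_dead() <= intf.effective_hello():
            findings.append(f"{intf.router}: dead {intf.effective_dead()}s must "
                            f"exceed hello {intf.effective_hello()}s")
    return findings


def ftos_commands_to_match(ftos: OspfInterface, peer: OspfInterface) -> List[str]:
    """CONFIG-INTERFACE commands that align the FTOS side with the peer's
    effective timers. Both are emitted explicitly because FTOS does not
    derive the dead interval from the hello interval."""
    cmds: List[str] = []
    if ftos.effective_hello() != peer.effective_hello():
        cmds.append(f"ip ospf hello-interval {peer.effective_hello()}")
    if ftos.effective_dead() != peer.effective_dead():
        cmds.append(f"ip ospf dead-interval {peer.effective_dead()}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: both sides set hello 5, nobody touches dead.
    ftos_side = OspfInterface("FTOS-Z9000", "ftos", hello=5)
    cisco_side = OspfInterface("CISCO-PEER", "cisco", hello=5)
    for finding in audit_adjacency(ftos_side, cisco_side):
        print("finding:", finding)
    for cmd in ftos_commands_to_match(ftos_side, cisco_side):
        print("fix:", cmd)
```

With hello 5 on both sides the FTOS router still advertises a 40-second dead interval while the Cisco router expects 20, so the only fix the script proposes is ip ospf dead-interval 20 on the FTOS interface.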
Configuration Task List for OSPFv2 (OSPF for IPv4) Open shortest path first version 2 (OSPF for IPv4) is supported on the Z9000 platform.
router ospf process-id [vrf {vrf name}] – vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance. The range is from 0 to 65535. The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
Format: A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3. Return to CONFIGURATION mode to enable the OSPFv2 process globally. CONFIGURATION mode router ospf process-id [vrf] The range is from 0 to 65535. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
FTOS(conf-if-gi-4/44)#no shutdown
FTOS(conf-if-gi-4/44)#ex
FTOS(conf)#router ospf 1
FTOS(conf-router_ospf-1)#network 1.2.3.4/24 area 0
FTOS(conf-router_ospf-1)#network 10.10.10.10/24 area 1
FTOS(conf-router_ospf-1)#network 20.20.20.20/24 area 2
FTOS(conf-router_ospf-1)#
FTOS#
Dell Networking recommends using the interface IP addresses for the OSPFv2 router ID for easier management and troubleshooting. To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode.
Process ID 1, Router ID 10.168.253.2, Network Type LOOPBACK, Cost: 1
Loopback interface is treated as a stub Host.
FTOS#
Configuring Stub Areas
OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations.
passive-interface {default | interface}
The default keyword enables passive interface on ALL interfaces in the OSPF process. Entering the physical interface type, slot, and number enables passive interface on only the identified interface.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information (for example, passive-interface gi 2/1).
– For a port channel, enter the keywords port-channel then a number from 1 to 255 for TeraScale and ExaScale.
Setting the convergence parameter (from 1 to 4) indicates the actual convergence level. Each convergence setting adjusts the LSA parameters to zero, but the fast-convergence parameter setting allows for even finer tuning of the convergence speed. The higher the number, the faster the convergence. To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level.
ip ospf cost
– cost: The range is from 1 to 65535 (the default depends on the interface speed).
• Change the time interval the router waits before declaring a neighbor dead.
CONFIG-INTERFACE mode
ip ospf dead-interval seconds
– seconds: the range is from 1 to 65535 (the default is 40 seconds). By convention the dead interval is four times the hello interval; FTOS does not derive one from the other, so set both explicitly when you change either. The dead interval must be the same on all routers in the OSPF network.
• Change the time interval between hello-packet transmission.
The ip ospf cost line in the example shows the change on the interface. The change is reflected in the OSPF configuration.
Example of Changing and Verifying the cost Parameter and Viewing Interface Status
FTOS(conf-if)#ip ospf cost 45
FTOS(conf-if)#show config
!
interface GigabitEthernet 0/0
 ip address 10.1.2.100 255.255.255.0
 no shutdown
 ip ospf cost 45
FTOS(conf-if)#end
FTOS#show ip ospf 34 interface
GigabitEthernet 0/0 is up, line protocol is up
 Internet Address 10.1.2.100/24, Area 2.2.2.
NOTE: By default, OSPFv2 graceful restart is disabled.
To enable and configure OSPFv2 graceful restart, use the following commands.
1. Enable OSPFv2 graceful-restart globally and set the grace period.
CONFIG-ROUTER-OSPF-id mode
graceful-restart grace-period seconds
The seconds range is from 40 to 3000. This setting is the time for which an OSPFv2 router's neighbors advertise it as fully adjacent, regardless of the synchronization state, during a graceful restart.
Configuring Virtual Links Areas within OSPF must be connected to the backbone area (Area ID 0.0.0.0). If an OSPF area does not have a direct connection to the backbone, at least one virtual link is required. Configure virtual links on an ABR connected to the backbone.
• Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
You are now in PREFIX LIST mode.
• Create a prefix list entry with a sequence number and a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
– ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
– le max-prefix-length: the maximum prefix length to match (from 0 to 32).
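The ge/le bounds are the part of a prefix list that is most often got wrong when it is used with distribute-list to filter OSPF routes. The following script is an added example for this section, not FTOS code: it parses seq lines in the form shown by show config in PREFIX LIST mode and evaluates routes against them with standard prefix-list semantics (entries tried in sequence order, first match wins, an entry without ge/le matches only the exact length, a missing ge defaults to the entry's own length, a missing le defaults to 32, and a route that matches nothing is denied). The list and the routes tested are constructed sample input.

```python
"""First-match evaluation of an IPv4 prefix list with ge/le bounds.
Added example for this guide, not FTOS code; the list and routes below are
constructed sample input."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^\s*seq\s+(\d+)\s+(permit|deny)\s+(\S+)"
    r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?\s*$")


@dataclass
class PrefixEntry:
    seq: int
    action: str
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_bounds(self) -> Tuple[int, int]:
        """Allowed route lengths: exact length when neither ge nor le is
        given; otherwise ge..le, defaulting to the entry length and 32."""
        if self.ge is None and self.le is None:
            return self.prefix.prefixlen, self.prefix.prefixlen
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else self.prefix.max_prefixlen
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_bounds()
        return route.subnet_of(self.prefix) and lo <= route.prefixlen <= hi


def parse_prefix_list(text: str) -> List[PrefixEntry]:
    """Parse 'seq N {permit|deny} A.B.C.D/M [ge X] [le Y]' lines; any other
    line (such as the ip prefix-list header) is ignored."""
    entries: List[PrefixEntry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        seq, action, prefix, ge, le = m.groups()
        entries.append(PrefixEntry(
            int(seq), action, ipaddress.ip_network(prefix, strict=False),
            int(ge) if ge else None, int(le) if le else None))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """Return 'permit' or 'deny' for a route; implicit deny at list end."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.matches(net):
            return entry.action
    return "deny"


# Constructed sample: block one /24, accept the rest of 10/8 only at
# lengths /16 to /24, accept 192.168/16 and its subnets down to /24.
SAMPLE_LIST = """
ip prefix-list ospf-in
 seq 5 deny 10.1.2.0/24
 seq 10 permit 10.0.0.0/8 ge 16 le 24
 seq 15 permit 192.168.0.0/16 le 24
"""

if __name__ == "__main__":
    plist = parse_prefix_list(SAMPLE_LIST)
    for r in ("10.1.2.0/24", "10.5.0.0/16", "10.5.0.0/28", "10.0.0.0/8",
              "192.168.1.0/24", "192.168.1.0/25", "172.16.0.0/12"):
        print(f"{r:16} -> {evaluate(plist, r)}")
```

Note that 10.0.0.0/8 itself is denied by the sample list: seq 10 covers only lengths 16 through 24, so the aggregate falls through to the implicit deny, which is usually the surprise when a distribute-list built this way drops a summary route.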
router ospf 34
 network 10.1.2.32 0.0.0.255 area 2.2.2.2
 network 10.1.3.24 0.0.0.255 area 3.3.3.3
 distribute-list dilling in
FTOS(conf-router_ospf)#
Troubleshooting OSPFv2
FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these questions represent typical issues that interrupt an OSPFv2 process.
NOTE: The following is not a comprehensive list, just some examples of typical troubleshooting checks.
If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
– event: view OSPF event messages.
– packet: view OSPF packet information.
– spf: view SPF information.
– database-timers rate-limit: view the LSAs currently in the queue.
Example of Viewing OSPF Configuration
FTOS#show run ospf
!
router ospf 3
!
router ospf 4
 router-id 4.4.4.4
 network 4.4.4.
Figure 86. Basic Topology and CLI Commands for OSPFv2

OSPF Area 0 — Gi 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface GigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

OSPF Area 0 — Gi 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.

OSPF Area 0 — Gi 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface GigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown

Configuration Task List for OSPFv3 (OSPF for IPv6)
Open shortest path first version 3 (OSPF for IPv6) is supported on the Z9000 platform.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1. Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface.
• no ipv6 router ospf process-id
• Reset the OSPFv3 process.
EXEC Privilege mode
clear ipv6 ospf process
Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
• Configure the area as a stub area.
CONF-IPV6-ROUTER-OSPF mode
area area-id stub [no-summary]
– no-summary: use this keyword to prevent the ABR from flooding summary LSAs (including ASBR summary LSAs) into the area, making it a totally stubby area.
• Specify which routes are redistributed into the OSPF process. CONF-IPV6-ROUTER-OSPF mode redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] Configure the following required and optional parameters: – bgp | connected | static: enter one of the keywords to redistribute those routes. – metric metric-value: The range is from 0 to 4294967295.
graceful-restart grace-period seconds
The valid values are from 40 to 1800 seconds.
• Configure an OSPFv3 interface to not act on the Grace LSAs that it receives from a restarting OSPFv3 neighbor.
INTERFACE mode
ipv6 ospf graceful-restart helper-reject
• Specify the operating mode and type of events that trigger a graceful restart.
CONF-IPV6-ROUTER-OSPF mode
graceful-restart mode [planned-only | unplanned-only]
– planned-only: the OSPFv3 router supports graceful restart only for planned restarts.
OSPFv3 Router with ID (200.1.1.
To provide integrity, data origin authentication, detection and rejection of replays, and confidentiality of the packet, RFC 4302 and RFC 4303 define two security protocols: the authentication header (AH) and the encapsulating security payload (ESP). AH provides integrity and origin authentication only; ESP adds confidentiality, or, when used with the NULL cipher, provides authentication only. For OSPFv3, which has no authentication fields of its own in the protocol header, these two IPsec protocols provide interoperable, cryptographically based security.
– 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported. DES and 3DES are deprecated ciphers and NULL provides no confidentiality; prefer AES-CBC wherever the neighbors support it.
NOTE: To encrypt all keys on a router, use the service password-encryption command in Global Configuration mode. However, this command does not provide a high level of network security: type 7 key encryption is a reversible obfuscation that keeps the key from being read directly off a displayed configuration but does not protect it from anyone who obtains the configuration file. To enable key encryption in an IPsec security policy at an interface or area level, specify 7 for [key-encryption-type] when you enter the ipv6 ospf authentication ipsec or ipv6 ospf encryption ipsec command.
Configuring IPsec Encryption on an Interface To configure, remove, or display IPsec encryption on an interface, use the following commands. Prerequisite: Before you enable IPsec encryption on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
– esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
– key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
Outbound ESP SPI        : 502 (0x1F6)
Inbound ESP Auth Key    : 123456789a123456789b123456789c12
Outbound ESP Auth Key   : 123456789a123456789b123456789c12
Inbound ESP Cipher Key  : 123456789a123456789b123456789c123456789d12345678
Outbound ESP Cipher Key : 123456789a123456789b123456789c123456789d12345678
Transform set           : esp-3des esp-md5-hmac

Crypto IPSec client security policy data
Policy name             : OSPFv3-1-500
Policy refcount         : 2
Inbound AH SPI          : 50
Outbound AH SPI         :
Inbound AH Key          :
Outbound AH Key         :
Transform set           :

outbound ah sas
inbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
outbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
Troubleshooting OSPFv3
FTOS has several tools to make troubleshooting easier. Consider the following information as these are typical issues that interrupt the OSPFv3 process.
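One check worth adding to the troubleshooting list is a review of what the installed security associations actually negotiate: the display above shows esp-des with replay detection off, which is exactly the kind of configuration that passes a connectivity test but gives little real protection. The script below is an added example for this section, not FTOS code. It parses text in the inbound/outbound sas format shown above (the sample output is constructed to mirror that format) and reports weak transforms, disabled replay detection, and inactive SAs. The list of what counts as weak is the editor's guidance on DES, 3DES, NULL and HMAC-MD5 and is not a restriction enforced by FTOS.

```python
"""Audit of OSPFv3 IPsec security associations parsed from an SA display.
Added example for this guide, not FTOS code. SAMPLE_OUTPUT is constructed
to mirror the display format; the weak-algorithm tables are the editor's
guidance, not an FTOS restriction."""
import re
from dataclasses import dataclass
from typing import Dict, List

WEAK_CIPHERS: Dict[str, str] = {
    "esp-null": "NULL encryption gives integrity only, no confidentiality",
    "esp-des": "DES has a 56-bit key and is brute-forceable",
    "esp-3des": "3DES uses a 64-bit block and is deprecated (Sweet32)",
}
WEAK_AUTH: Dict[str, str] = {
    "esp-md5-hmac": "HMAC-MD5 is deprecated; use HMAC-SHA1 or stronger",
    "ah-md5-hmac": "HMAC-MD5 is deprecated; use HMAC-SHA1 or stronger",
}
HEADER_RE = re.compile(r"^(inbound|outbound)\s+(ah|esp)\s+sas$")


@dataclass
class SecurityAssociation:
    direction: str
    protocol: str
    spi: int
    transform: List[str]
    replay_detection: bool
    status: str


def parse_sa_output(text: str) -> List[SecurityAssociation]:
    """One record per SA block; a header followed by no 'spi' line (an empty
    'outbound ah sas' section) yields no record."""
    sas: List[SecurityAssociation] = []
    current: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            current = {"direction": header.group(1), "protocol": header.group(2)}
            continue
        if not current or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "spi":
            current["spi"] = int(value.split()[0])       # "600 (0x258)" -> 600
        elif key == "transform":
            current["transform"] = value.split()
        elif key == "replay detection support":
            current["replay"] = value.upper().startswith("Y")
        elif key == "status" and "spi" in current:      # STATUS closes the block
            sas.append(SecurityAssociation(
                str(current["direction"]), str(current["protocol"]),
                int(current["spi"]), list(current.get("transform", [])),
                bool(current.get("replay", False)), value))
            current = {}
    return sas


def audit(sas: List[SecurityAssociation]) -> List[str]:
    """One finding per weakness; an empty list means nothing to report."""
    findings: List[str] = []
    for sa in sas:
        tag = f"{sa.direction} {sa.protocol} spi {sa.spi}"
        for t in sa.transform:
            if t in WEAK_CIPHERS:
                findings.append(f"{tag}: {t}: {WEAK_CIPHERS[t]}")
            if t in WEAK_AUTH:
                findings.append(f"{tag}: {t}: {WEAK_AUTH[t]}")
        if not sa.replay_detection:
            findings.append(f"{tag}: replay detection is off; replayed "
                            "Hello/LSU packets would be accepted")
        if sa.status.upper() != "ACTIVE":
            findings.append(f"{tag}: SA status is {sa.status}")
    return findings


# Constructed sample in the format of the SA display above.
SAMPLE_OUTPUT = """
 outbound ah sas
 inbound esp sas
  spi : 600 (0x258)
  transform : esp-des esp-sha1-hmac
  in use settings : {Transport, }
  replay detection support : N
  STATUS : ACTIVE
 outbound esp sas
  spi : 600 (0x258)
  transform : esp-des esp-sha1-hmac
  in use settings : {Transport, }
  replay detection support : N
  STATUS : ACTIVE
"""

if __name__ == "__main__":
    for finding in audit(parse_sa_output(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample the script reports two findings per direction (the DES cipher and the missing replay detection); esp-sha1-hmac is accepted. Because OSPFv3 IPsec uses static shared keys, the SPI and transform on the two routers must agree, so the same check run on both neighbors should return identical records.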
• show ipv6 ospf neighbor
• View debug messages for all OSPFv3 interfaces.
EXEC Privilege mode
debug ipv6 ospf [event | packet] {type slot/port}
– event: view OSPF event messages.
– packet: view OSPF packets.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information (for example, GigabitEthernet 2/1).
– For a port channel, enter the keywords port-channel then a number from 1 to 255 for TeraScale and ExaScale.
PIM Sparse-Mode (PIM-SM) 29 Protocol-independent multicast sparse-mode (PIM-SM) is supported on the Z9000 platform. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until it receives a request (a Prune) to stop. Implementation Information Be aware of the following PIM-SM implementation information.
Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1. After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
CONFIGURATION mode
ip multicast-routing
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
• Configuring S,G Expiry Timers
• Configuring a Static Rendezvous Point
• Configuring a Designated Router
• Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable multicast routing on the system.
CONFIGURATION mode
ip multicast-routing
2. Enable PIM-Sparse mode.
Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT,
Timers: Uptime/Expires
Interface state: Interface, next-Hop, State/Mode
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
 Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.5
 Outgoing interface list:
  GigabitEthernet 4/11
  GigabitEthernet 7/13
(10.87.31.5, 192.1.2.
Example Configuring an (S,G) Expiry Time
Note that the stored configuration clears the host bits of each prefix you enter (10.1.2.3/24 is stored as 10.1.2.0/24).
FTOS(conf)#ip access-list extended SGtimer
FTOS(config-ext-nacl)#permit ip 10.1.2.3/24 225.1.1.0/24
FTOS(config-ext-nacl)#permit ip any 232.1.1.0/24
FTOS(config-ext-nacl)#permit ip 100.1.1.0/16 any
FTOS(config-ext-nacl)#show conf
!
ip access-list extended SGtimer
 seq 5 permit ip 10.1.2.0/24 225.1.1.0/24
 seq 10 permit ip any 232.1.1.0/24
 seq 15 permit ip 100.1.0.
Example of Viewing the Rendezvous Point (Multicast Group Range)
FTOS#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
 RP: 165.87.50.5, v2
Configuring a Designated Router
Multiple PIM-SM routers might be connected to a single local area network (LAN) segment. One of these routers is elected to act on behalf of directly connected hosts. This router is the designated router (DR). The DR is elected using hello messages.
– (option) restart-time: the time the Dell Networking system requires to restart. The default value is 180 seconds. – (option) stale-entry-time: the maximum amount of time that the Dell Networking system preserves entries from a restarting neighbor. The default value is 60 seconds. – (option) helper-only: this mode takes precedence over any graceful restart configuration.
PIM Source-Specific Mode (PIM-SSM) 30 PIM source-specific mode (PIM-SSM) is supported on the Z9000 platform. PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
IGMP group table. If you do not specify the group option, the display is a list of groups currently in the IGMP group table that have a group-to-source mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
 seq 5 permit host 239.0.0.
Port Monitoring 31 Port monitoring is supported on the Z9000 platform. Port monitoring is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port monitoring functionality is different between platforms, but the behavior is the same, with highlighted exceptions.
Configuring Port Monitoring To configure port monitoring, use the following commands. 1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example. EXEC Privilege mode show interface 2. Create a monitoring session, as shown in the following example. CONFIGURATION mode monitor session 3. Specify the source and destination port and direction of traffic, as shown in the following example.
Figure 87.
Private VLANs (PVLAN) 32 The private VLAN (PVLAN) feature is supported on the Z9000 platform. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the FTOS Command Line Reference Guide. Private VLANs extend the Dell Networking operating system (FTOS) security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A primary VLAN has one or more promiscuous ports.
– A primary VLAN might have one or more trunk ports, or none.
• Secondary VLAN — a subdomain of the primary VLAN.
– There are two types of secondary VLAN — community VLAN and isolated VLAN.
PVLAN port types include:
• Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Display PVLANs and/or interfaces that are part of a PVLAN.
EXEC mode or EXEC Privilege mode
show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface]
• Display primary-secondary VLAN mapping.
EXEC mode or EXEC Privilege mode
show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. Conversely, you cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The example below shows the switchport mode private-vlan command on a port and on a port channel.
You can enter interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add promiscuous ports or PVLAN trunk ports to the PVLAN (no host or regular ports). 6. (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7. (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs.
INTERFACE VLAN mode private-vlan mode isolated 4. Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN. The following example shows the use of the PVLAN commands that are used in VLAN INTERFACE mode to configure the PVLAN member VLANs (primary, community, and isolated VLANs).
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 88. Sample Private VLAN Topology The following configuration is based on the example diagram for the C300–1: • Gi 0/0 and Gi 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Gi 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Gi 0/24 and Gi 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
NOTE: Even after you disable ip-local-proxy-arp (no ip-local-proxy-arp) in a secondary VLAN, Layer 3 communication may happen between some secondary VLAN hosts, until the ARP timeout happens on those secondary VLAN hosts. In parallel, on S50-1: • Gi 0/3 is a promiscuous port and Gi 0/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. • Gi 0/4-6 are host ports. Gi 0/4 and Gi 0/5 are assigned to the community VLAN 4001, while Gi 0/6 is assigned to the isolated VLAN 4003.
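The port-type rules above (host ports only in secondary VLANs, promiscuous and PVLAN trunk ports only in the primary VLAN, every secondary VLAN mapped to a primary) decide which hosts can reach each other at Layer 2, and a misplaced port silently widens that reach. The script below is an added example for this section, not FTOS code. It models one switch, validates those membership rules, and answers which port pairs can exchange frames. PVLAN trunk ports are validated but left out of the reachability answer, because what a trunk reaches depends on the peer switch. The sample topology uses the S50-1 port assignment from the example above; VLAN 4002 is omitted because S50-1 has no ports in it. Note that the model covers Layer 2 only; the ip-local-proxy-arp caveat above is a separate Layer 3 matter.

```python
"""Model of private-VLAN (PVLAN) port isolation on a single switch. Added
example for this guide, not FTOS code. The S50-1 port assignment is taken
from the example above; PVLAN trunk ports are validated but not given
reachability (decided on the peer switch)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

PRIMARY, COMMUNITY, ISOLATED = "primary", "community", "isolated"
PROMISCUOUS, TRUNK, HOST = "promiscuous", "trunk", "host"


@dataclass
class Vlan:
    vid: int
    mode: str          # primary, community or isolated
    ports: Set[str]


@dataclass
class Pvlan:
    vlans: Dict[int, Vlan]
    port_mode: Dict[str, str]      # port -> promiscuous, trunk or host
    mapping: Dict[int, Set[int]]   # primary vid -> secondary vids

    def validate(self) -> List[str]:
        """Membership violations; an empty list means the PVLAN is well formed."""
        errors: List[str] = []
        for vid, vlan in self.vlans.items():
            for port in sorted(vlan.ports):
                mode = self.port_mode.get(port)
                if mode is None:
                    errors.append(f"{port}: not a PVLAN port, cannot join VLAN {vid}")
                elif vlan.mode == PRIMARY and mode == HOST:
                    errors.append(f"{port}: host port cannot join primary VLAN {vid}")
                elif vlan.mode != PRIMARY and mode != HOST:
                    errors.append(f"{port}: {mode} port cannot join secondary VLAN {vid}")
            if vlan.mode != PRIMARY and self.primary_of(vid) is None:
                errors.append(f"VLAN {vid}: secondary VLAN is not mapped to a primary VLAN")
        return errors

    def primary_of(self, vid: int) -> Optional[int]:
        if self.vlans[vid].mode == PRIMARY:
            return vid
        for primary, secondaries in self.mapping.items():
            if vid in secondaries:
                return primary
        return None

    def vlan_of(self, port: str) -> Vlan:
        for vlan in self.vlans.values():
            if port in vlan.ports:
                return vlan
        raise KeyError(f"{port} is not a member of any PVLAN")

    def can_communicate(self, a: str, b: str) -> bool:
        """Layer 2 reachability inside one PVLAN domain: promiscuous ports
        reach everything, community ports reach their own community,
        isolated ports reach only promiscuous ports."""
        va, vb = self.vlan_of(a), self.vlan_of(b)
        if self.primary_of(va.vid) != self.primary_of(vb.vid):
            return False
        ma, mb = self.port_mode[a], self.port_mode[b]
        if TRUNK in (ma, mb):
            return False  # decided on the peer switch, out of scope here
        if PROMISCUOUS in (ma, mb):
            return True
        return va.vid == vb.vid and va.mode == COMMUNITY


def build_s50_example() -> Pvlan:
    """S50-1 from the example above: Gi 0/3 promiscuous, Gi 0/25 PVLAN trunk,
    Gi 0/4-5 in community VLAN 4001, Gi 0/6 in isolated VLAN 4003."""
    return Pvlan(
        vlans={
            4000: Vlan(4000, PRIMARY, {"Gi 0/3", "Gi 0/25"}),
            4001: Vlan(4001, COMMUNITY, {"Gi 0/4", "Gi 0/5"}),
            4003: Vlan(4003, ISOLATED, {"Gi 0/6"}),
        },
        port_mode={"Gi 0/3": PROMISCUOUS, "Gi 0/25": TRUNK,
                   "Gi 0/4": HOST, "Gi 0/5": HOST, "Gi 0/6": HOST},
        mapping={4000: {4001, 4003}},
    )


if __name__ == "__main__":
    pv = build_s50_example()
    print("violations:", pv.validate() or "none")
    for a, b in (("Gi 0/4", "Gi 0/5"), ("Gi 0/4", "Gi 0/6"),
                 ("Gi 0/6", "Gi 0/3"), ("Gi 0/6", "Gi 0/25")):
        print(f"{a} <-> {b}: {pv.can_communicate(a, b)}")
```

Running the model on S50-1 shows the intended outcome: the two community hosts reach each other and the promiscuous port, the isolated host reaches only the promiscuous port, and nothing reaches the isolated host except through Gi 0/3.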
Primary   Secondary   Type        Active   Ports
-------   ---------   ---------   ------   ----------
          4001        Community   Yes      Gi 4/0,23
          4002        Community   Yes      Gi 4/24,47
          4003        Isolated    Yes      Gi 0/24,47
Example of Viewing a Private VLAN (S50V)
S50-1#show vlan private-vlan
Primary   Secondary   Type        Active   Ports
-------   ---------   ---------   ------   ----------
4000                  Primary     Yes      Gi 0/3,25
          4001        Community   Yes      Gi 0/4-5
          4003        Isolated    Yes      Gi 0/6
Example of the show vlan private-vlan mapping Command
S50-1#show vlan private-vlan mapping
Private Vlan:
 Primary : 4000
 Isolated : 4003
 Community : 4001
NOTE: In the following example, notic
interface GigabitEthernet 0/25
 no ip address
 switchport
 switchport mode private-vlan trunk
 no shutdown
!
interface Vlan 4000
 private-vlan mode primary
 private-vlan mapping secondary-vlan 4001-4003
 no ip address
 tagged GigabitEthernet 0/3,25
 no shutdown
!
interface Vlan 4001
 private-vlan mode community
Per-VLAN Spanning Tree Plus (PVST+) 33 Per-VLAN spanning tree plus (PVST+) is supported on the Z9000 platform. Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 89.
Table 34. Spanning Tree Variations FTOS Supports
Dell Networking Term                       IEEE Specification
Spanning Tree Protocol (STP)               802.1d
Rapid Spanning Tree Protocol (RSTP)        802.1w
Multiple Spanning Tree Protocol (MSTP)     802.1s
Per-VLAN Spanning Tree Plus (PVST+)        Third Party
Implementation Information
• The FTOS implementation of PVST+ is based on IEEE Standard 802.1w.
• The FTOS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table).
no disable
Disabling PVST+
To disable PVST+ globally or on an interface, use the following commands.
• Disable PVST+ globally.
PROTOCOL PVST mode
disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
INTERFACE mode
no spanning-tree pvst
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 90. Load Balancing with PVST+ The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign it a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
 We are the root of VLAN 100
 Current root has priority 4096, Address 0001.e80d.b6d6
 Number of topology changes 5, last change occurred 00:34:37 ago on Gi 1/32
Port 375 (GigabitEthernet 1/22) is designated Forwarding
 Port path cost 20000, Port priority 128, Port Identifier 128.375
 Designated root has priority 4096, address 0001.e80d.b6:d6
 Designated bridge has priority 4096, address 0001.e80d.b6:d6
 Designated port id is 128.
Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree. CAUTION: Configure EdgePort only on links connecting to an end station. EdgePort can cause loops if you enable it on an interface connected to a network.
To keep both ports in a Forwarding state, use extend system ID. Extend system ID augments the bridge ID with a VLAN ID to differentiate BPDUs on each VLAN so that PVST+ does not detect a loop and both ports can remain in a Forwarding state. Figure 91. PVST+ with Extend System ID • Augment the bridge ID with the VLAN ID.
!
interface Vlan 100
 no ip address
 tagged GigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 1/22,32
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface GigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 2/32
 n
!
interface Vlan 100
 no ip address
 tagged GigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 3/12,22
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 300 bridge-priority 4096
Quality of Service (QoS) 34 Quality of service (QoS) is supported on the Z9000 platform. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 92. Dell Networking QoS Architecture Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
You cannot configure port-based and policy-based QoS on the same interface, and synchronous optical network technologies (SONET) line cards support only port-based QoS. Port-Based QoS Configurations You can configure the following QoS features on an interface. NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same virtual local area network (VLAN).
You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. For more information, refer to Mapping dot1p Values to Service Queues. NOTE: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. • Honor dot1p priorities on ingress traffic.
 Out of profile  yellow 0  red 0
Traffic Monitor 2: normal  NA  peak NA
 Out of profile  yellow 0  red 0
Traffic Monitor 3: normal  NA  peak NA
 Out of profile  yellow 0  red 0
Traffic Monitor 4: normal  NA  peak NA
 Out of profile  yellow 0  red 0
Configuring Port-Based Rate Shaping
Configuring port-based rate shaping is supported on the Z9000 platform.
FTOS Behavior: Rate shaping is effectively rate limiting because of its smaller buffer size.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 93. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to each class. For both class maps, Layer 2 and Layer 3, FTOS matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map. 1. Create a match-any class map. CONFIGURATION mode class-map match-any 2. Create a match-all class map. CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode match ip After you create a class-map, FTOS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4. Link the class-map to a queue.
match mac After you create a class-map, FTOS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4. Link the class-map to a queue. POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, FTOS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities).
ip access-list extended AF1-FB1
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.3 any
 seq 10 deny ip any any
!
ip access-list extended AF2
 seq 5 permit ip host 23.64.0.5 any
 seq 10 deny ip any any

FTOS#show cam layer3-qos interface gigabitethernet 4/49
Cam Port Dscp Proto Tcp Src Dst SrcIp DstIp DSCP Queue Index Flag Port Port Marking
----------------------------------------------------------------------
20416 1 18 IP 0x0 0 0 23.64.0.
Creating an Input QoS Policy To create an input QoS policy, use the following steps. 1. Create a Layer 3 input QoS policy. CONFIGURATION mode qos-policy-input Create a Layer 2 input QoS policy by specifying the keyword layer2 after the qos-policy-input command. 2.
Table 37. Default Bandwidth Weights

Queue   Default Weight   Equivalent Percentage
0       1                6.67%
1       2                13.33%
2       4                26.67%
3       8                53.33%

A key similarity between allocating bandwidth by percentage and allocating by weight is that assigning a weight or percentage to one queue affects the amount of bandwidth that is allocated to other queues. Therefore, whenever you are allocating bandwidth to one queue, Dell Networking recommends evaluating your bandwidth requirements for all other queues as well.
Applying a Class-Map or Input QoS Policy to a Queue Applying an Input QoS Policy to an Input Policy Map Honoring DSCP Values on Ingress Packets Honoring dot1p Values on Ingress Packets 3. Apply the input policy map to an interface. Applying a Class-Map or Input QoS Policy to a Queue To apply a class-map or input QoS policy to a queue, use the following command. • Assign an input QoS policy to a queue.
Guaranteeing Bandwidth to dot1p-Based Service Queues To guarantee bandwidth to dot1p-based service queues, use the following command. Apply this command in the same way as the bandwidth-weight command in an output QoS policy (refer to Allocating Bandwidth to Queue). The bandwidth-weight command in QOS-POLICY-OUT mode supersedes the service-class bandwidth-weight command. • Guarantee a minimum bandwidth to queues globally.
policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command. • Apply an output policy map to an interface. INTERFACE mode service-policy output You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. Enabling QoS Rate Adjustment By default, while rate limiting, policing, and shaping, FTOS does not include the Preamble, SFD, or the IFG fields.
Weighted Random Early Detection Weighted random early detection (WRED) is supported on the Z9000 platform. Creating WRED Profiles To create WRED profiles, use the following commands. 1. Create a WRED profile. CONFIGURATION mode wred 2. Specify the minimum and maximum threshold values. WRED mode threshold Applying a WRED Profile to Traffic After you create a WRED profile, you must specify to which traffic FTOS should apply the profile.
Pre-Calculating Available QoS CAM Space Pre-calculating available QoS CAM space is supported on the Z9000 platform. Before FTOS version 7.3.1, there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; from 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
Example of the test cam-usage Command
FTOS# test cam-usage service-policy input pmap_l2 linecard 0 port-set 0
Linecard | Port-pipe | CAM Partition | Available CAM | Estimated CAM | Status
===============================================================================
0 0 L2ACL 500 200 Allowed(2)
Routing Information Protocol (RIP) 35 Routing information protocol (RIP) is supported on the Z9000 platform. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Table 39. RIP Defaults

Feature                  Default
Interfaces running RIP   • Listen to RIPv1 and RIPv2
                         • Transmit RIPv1
RIP timers               • update timer = 30 seconds
                         • invalid timer = 180 seconds
                         • holddown timer = 180 seconds
                         • flush timer = 240 seconds
Auto summarization       Enabled
ECMP paths supported     16

Configuration Information
By default, RIP is disabled in FTOS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
network ip-address After designating networks with which the system is to exchange RIP information, ensure that all devices on that network are configured to exchange RIP information. The FTOS default is to send RIPv1 and to receive RIPv1 and RIPv2. To change the RIP version globally, use the version command in ROUTER RIP mode. To view the global RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes. Assign IP addresses to interfaces that are part of the same subnet as the RIP network identified in the network command syntax.
redistribute {connected | static} [metric metric-value] [route-map map-name] – • metric-value: the range is from 0 to 16. – map-name: the name of a configured route map. Include specific OSPF routes in RIP. ROUTER RIP mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name] Configure the following parameters: – process-id: the range is from 1 to 65535. – metric: the range is from 0 to 16. – map-name: the name of a configured route map.
Default version control: receive version 2, send version 2
Interface Recv Send
GigabitEthernet 0/0 2 2
Routing for Networks:
10.0.0.0
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 120)
FTOS#

To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example.
– value: the range is from 1 to 16. – route-map-name: the name of a configured route map. To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode. Summarize Routes Routes in the RIPv2 routing table are summarized by default, thus reducing the size of the routing table and improving routing efficiency in large networks. By default, the autosummary command in ROUTER RIP mode is enabled and summarizes RIP routes up to the classful network boundary.
Debugging RIP The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command. • debug ip rip [interface | database | events | trigger] EXEC privilege mode Enable debugging of RIP. The following example shows the confirmation when you enable the debug function.
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.0
 version 2
Core2(conf-router_rip)#

Core 2 RIP Output
The examples in this section show the Core 2 RIP output.
• To display the Core 2 RIP database, use the show ip rip database command.
• To display the Core 2 RIP setup, use the show ip route command.
• To display the Core 2 RIP activity, use the show ip protocols command.
Core2#

Example of the show ip protocols Command to Show RIP Configuration Activity on Core 2
Core2#show ip protocols
Routing Protocol is "RIP"
Sending updates every 30 seconds, next due in 17
Invalid after 180 seconds, hold down 180, flushed after 240
Output delay 8 milliseconds between packets
Automatic network summarization is in effect
Outgoing filter for all interfaces is
Incoming filter for all interfaces is
Default redistribution metric is 1
Default version control: receive version 2, send version 2
I
10.11.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 3/21
10.200.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 3/21
10.300.10.0/24 [120/1] via 10.11.20.2, 00:00:13, GigabitEthernet 3/21
10.11.20.0/24 directly connected, GigabitEthernet 3/21
10.11.30.0/24 directly connected, GigabitEthernet 3/11
10.0.0.0/8 auto-summary
192.168.1.0/24 directly connected, GigabitEthernet 3/43
192.168.1.0/24 auto-summary
192.168.2.0/24 directly connected, GigabitEthernet 3/44
192.168.2.
10.11.20.2 120 00:00:22
Distance: (default is 120)
Core3#

RIP Configuration Summary
Example of Viewing RIP Configuration on Core 2
!
interface GigabitEthernet 2/11
 ip address 10.11.10.1/24
 no shutdown
!
interface GigabitEthernet 2/31
 ip address 10.11.20.2/24
 no shutdown
!
interface GigabitEthernet 2/41
 ip address 10.200.10.1/24
 no shutdown
!
interface GigabitEthernet 2/42
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.
Remote Monitoring (RMON) 36 Remote monitoring (RMON) is supported on the Z9000 platform. RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
• Platform Adaptation — RMON supports all Dell Networking chassis and all Dell Networking Ethernet interfaces. Setting the rmon Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
Configuring an RMON Event To add an event in the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode. • Add an event in the RMON event table. CONFIGURATION mode [no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
Example of the rmon collection statistics Command FTOS(conf-if-mgmt)#rmon collection statistics controlEntry 20 owner john Configuring the RMON Collection History To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in INTERFACE CONFIGURATION mode. • Configure the RMON MIB history group of statistics collection.
Rapid Spanning Tree Protocol (RSTP) 37 Rapid spanning tree protocol (RSTP) is supported on the Z9000 platform. Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell operating system (FTOS) supports three other variations of spanning tree, as shown in the following table. Table 40.
• FTOS supports only one Rapid Spanning Tree (RST) instance. • All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs.
interface GigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
FTOS(conf-if-gi-1/1)#

Enabling Rapid Spanning Tree Protocol Globally
Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
• Only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
Figure 95. Rapid Spanning Tree Enabled Globally

To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.

Example of the show spanning-tree rstp Command
FTOS#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.
The port is not in the Edge port mode
Port 379 (GigabitEthernet 2/3) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.379
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state. • Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• The default is 2 seconds. Change the max-age parameter. PROTOCOL SPANNING TREE RSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
snmp-server enable traps xstp Influencing RSTP Root Selection RSTP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it is selected as the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority or designate it as the primary or secondary root. PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value: the range is from 0 to 65535.
– Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode). – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode). To enable EdgePort on an interface, use the following command. • Enable EdgePort on an interface.
Software-Defined Networking (SDN) 38 Dell Networking operating software (FTOS) supports Software-Defined Networking (SDN). For more information, refer to the SDN Deployment Guide.
Security 39 Security features are supported on the Z9000 platform. This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the FTOS Command Reference Guide. AAA Accounting Authentication, authorization, and accounting (AAA) accounting is part of the AAA security model.
– default | name: enter the name of a list of accounting methods. – start-stop: use for more accounting information, to send a start-accounting notice at the beginning of the requested event and a stop-accounting notice at the end. – wait-start: ensures that the TACACS+ security server acknowledges the start notice before granting the user's process request.
Monitoring AAA Accounting FTOS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
Configure Login Authentication for Terminal Lines You can assign up to five authentication methods to a method list. FTOS evaluates the methods in the order in which you enter them in each list. If the first method does not respond or returns an error, FTOS applies the next method in the list until the user either passes or fails the authentication. If the user fails a method (the method answers and rejects the user), FTOS does not apply the next method.
– method-list-name: character string used to name the list of enable authentication methods activated when a user logs in. – method1 [... method4]: any of the following: RADIUS, TACACS, enable, line, none. If you do not set the default list, only the local enable is checked. This setting has the same effect as issuing an aaa authentication enable default enable command.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In FTOS, you can configure a privilege level for users who need limited access to the system. Every command in FTOS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in FTOS.
– name: Enter a text string up to 63 characters long. – access-class access-list-name: Enter the name of a configured IP ACL. – nopassword: Do not require the user to enter a password. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. – privilege level: The range is from 0 to 15. To view usernames, use the show users command in EXEC Privilege mode.
2. Configure the optional and required parameters:
   – name: enter a text string (up to 63 characters).
   – access-class access-list-name: enter the name of a configured IP ACL.
   – privilege level: the range is from 0 to 15.
   – nopassword: do not require the user to enter a password.
   – encryption-type: enter 0 for plain text or 7 for encrypted text.
   – password: enter a string.
Configure a password for privilege level.
!
hostname Force10
!
enable password level 8 notjohn
enable password Force10
!
username admin password 0 admin
username john password 0 john privilege 8
!

The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands.

Example of Privilege Level Login and Available Commands
apollo% telnet 172.31.1.
– password: Enter a text string up to 25 characters long. To view the password configured for a terminal, use the show config command in LINE mode.

Enabling and Disabling Privilege Levels
To enable and disable privilege levels, use the following commands.
• Set a user’s security level.
  EXEC Privilege mode
  enable or enable privilege-level
  If you do not enter a privilege level, FTOS sets it to 15 by default.
• Move to a lower privilege level.
[Boot menu residue: the entry "Force10 Boot" is highlighted; the rest of the menu box did not survive extraction.]
Use the ^ and v keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting or 'c' for a command-line.

RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS can specify the idle-time allowed for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following happen: • The administrator changes the idle-time of the line on which the user has logged in.
NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication. However, if you have configured RADIUS authorization and have not configured authentication, a message is logged stating this. During authorization, the next method in the list (if present) is used, or if another method is not present, an error is reported.
– auth-port port-number: the range is from 0 to 65335. Enter a UDP port number. The default is 1812. – retransmit retries: the range is from 0 to 100. Default is 3. – timeout seconds: the range is from 0 to 1000. Default is 5 seconds. – key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems. EXEC Privilege mode debug radius TACACS+ FTOS supports a terminal access controller access control system (TACACS+) client, including support for login authentication. Configuration Task List for TACACS+ The following list includes the configuration tasks for TACACS+ functions.
To view the configuration, use the show config command in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, FTOS employs the second method (or third method, if necessary) automatically. For example, if the TACACS+ server is reachable, but the server key is invalid, FTOS proceeds to the next authentication method. In the following example, the TACACS+ server key is incorrect, but the user is still authenticated by the secondary method.
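The method-list evaluation described under Configure Login Authentication for Terminal Lines and in the TACACS+ fallback example above, as an added Python model that is not part of the guide: a method that does not respond or is mis-keyed counts as an error and the next method is consulted, while a method that answers and rejects the user ends the evaluation. The servers, users and keys are constructed stand-ins, not FTOS code.

```python
from enum import Enum


class Result(Enum):
    """Outcome of asking one authentication method about a login attempt."""
    ACCEPT = "accept"   # the method authenticated the user
    REJECT = "reject"   # the method answered and denied the user
    ERROR = "error"     # the method gave no usable answer (unreachable, bad key)


MAX_METHODS_PER_LIST = 5  # FTOS allows up to five methods in one method list


def make_server_method(name, reachable, server_key, client_key, users):
    """Constructed stand-in for a RADIUS or TACACS+ server (not a real client).

    Returns ERROR when the server cannot be reached or when the shared key
    configured on the switch does not match the server's key, and REJECT when
    the server answers but the credentials are wrong.
    """
    def method(user, password):
        if not reachable:
            return Result.ERROR, f"{name}: no response"
        if server_key != client_key:
            return Result.ERROR, f"{name}: shared key mismatch"
        if users.get(user) == password:
            return Result.ACCEPT, f"{name}: accepted {user}"
        return Result.REJECT, f"{name}: rejected {user}"
    return method


def make_local_method(users):
    """Local username database; always answers, so it never yields ERROR."""
    def method(user, password):
        if users.get(user) == password:
            return Result.ACCEPT, f"local: accepted {user}"
        return Result.REJECT, f"local: rejected {user}"
    return method


def none_method(user, password):
    """The 'none' method accepts unconditionally; as a last entry it admits
    every user whenever all earlier methods error out."""
    return Result.ACCEPT, "none: accepted without checking"


def authenticate(method_list, user, password):
    """Evaluate a method list the way the guide describes.

    Methods are tried in configured order. ERROR skips to the next method;
    REJECT ends the evaluation without consulting later methods; ACCEPT
    authenticates. Returns (authenticated, trail) where trail records each
    method's verdict in order.
    """
    if not 1 <= len(method_list) <= MAX_METHODS_PER_LIST:
        raise ValueError(f"method list must hold 1..{MAX_METHODS_PER_LIST} methods")
    trail = []
    for name, method in method_list:
        result, detail = method(user, password)
        trail.append((name, result, detail))
        if result is Result.ACCEPT:
            return True, trail
        if result is Result.REJECT:
            return False, trail
    # Every method errored: no method produced a verdict, so deny.
    return False, trail


def demo():
    """Constructed scenario from the text: TACACS+ reachable but mis-keyed,
    local database as the secondary method."""
    tacacs = make_server_method("tacacs+", reachable=True, server_key="s3cret",
                                client_key="wrongkey", users={"john": "john"})
    local = make_local_method({"john": "john"})
    return authenticate([("tacacs+", tacacs), ("local", local)], "john", "john")


if __name__ == "__main__":
    ok, trail = demo()
    for name, result, detail in trail:
        print(f"{name:8} -> {result.value:7} ({detail})")
    print("authenticated" if ok else "denied")
```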
downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt. When configuring a TACACS+ server host, you can set different communication parameters, such as the key password.

Example of Specifying a TACACS+ Server Host
FTOS#
FTOS(conf)#
FTOS(conf)#ip access-list standard deny10
FTOS(conf-std-nacl)#permit 10.0.0.
Command Authorization The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. Use the no aaa authorization config-commands command to enable only EXEC mode command checking.
The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.

Specifying an SSH Version
FTOS(conf)#ip ssh server version 2
FTOS(conf)#do show ip ssh
SSH server : disabled.
SSH server version : v2.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : disabled.

To disable SSH server functions, use the no ip ssh server enable command.
• show ip ssh client-pub-keys: display the client public keys used in host-based authentication. • show ip ssh rsa-authentication: display the authorized-keys for the RSA authentication. • ssh-peer-rpm: open an SSH connection to the peer RPM. The following example shows the use of SCP and SSH to copy a software image from one switch running SSH server on UDP port 99 to the local switch.
Using RSA Authentication of SSH The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2. 1. On the SSH client (Unix machine), generate an RSA key, as shown in the following example. 2. Copy the public key id_rsa.pub to the Dell Networking system. 3. Disable password authentication if enabled. CONFIGURATION mode no ip ssh password-authentication enable 4. Bind the public keys to RSA authentication.
Example of Creating shosts
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub ssh_config ssh_host_dsa_key ssh_host_key ssh_host_rsa_key
admin@Unix_client# cat ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyWhVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk=
admin@Unix_client# ls
id_rsa id_rsa.
If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears. In this case, verify that the name and IP address of the client is contained in the file /etc/hosts: RSA Authentication Error. Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config.
excluded them from the VTY line with a deny-all access class. After users identify themselves, FTOS retrieves the access class from the local database and applies it. (FTOS then can close the connection if a user is denied access.) NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication. The following example shows how to allow or deny a Telnet connection to a user.
FTOS(config-std-mac)#deny any
FTOS(conf)#
FTOS(conf)#line vty 0 9
FTOS(config-line-vty)#access-class sourcemac
FTOS(config-line-vty)#end
Service Provider Bridging 40 Service provider bridging is supported on the Z9000 platform. VLAN Stacking Virtual local area network (VLAN) stacking is supported on the Z9000 platform. VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 96. VLAN Stacking in a Service Provider Network

Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Configure VLAN Stacking
Configuring VLAN-Stacking is a three-step process.
1. Create access and trunk ports (Creating Access and Trunk Ports).
2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports).
3. Enable VLAN-Stacking for a VLAN (Enabling VLAN-Stacking for a VLAN).
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
In the following example, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, to VLAN 101 as tagged, and to VLAN 103, which is a stacking VLAN.
VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID. Systems may use any 2-byte value; FTOS uses 0x9100 (shown in the following) while non-Dell Networking systems might use a different value.
Figure 97.
Figure 98.
Figure 99. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet drop precedence is available on the Z9000 platform. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Table 43. Drop Eligibility Behavior

Ingress       Egress        DEI Disabled             DEI Enabled
Normal Port   Normal Port   Retain CFI               Set CFI to 0
Trunk Port    Trunk Port    Retain inner tag CFI     Retain inner tag CFI
                            Retain outer tag CFI     Set outer tag CFI to 0
Access Port   Trunk Port    Retain inner tag CFI     Retain inner tag CFI
                            Set outer tag CFI to 0   Set outer tag CFI to 0

To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
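The TPID mismatch described under VLAN Stacking in Multi-Vendor Networks and the S-Tag DEI bit described above, as an added Python example that is not part of the guide: it builds a double-tagged frame with the FTOS outer TPID 0x9100, walks the tag stack as a bridge that recognises a given set of TPIDs would, and reports why a next hop expecting a different outer TPID misreads the frame. The frame bytes are constructed; 0x88a8 (the IEEE 802.1ad S-Tag TPID) is assumed here as the non-Dell next hop's value, which the guide does not specify.

```python
import struct

# 0x8100 is the 802.1Q C-Tag TPID and 0x9100 the FTOS default outer TPID named in
# the guide. 0x88a8 is the IEEE 802.1ad S-Tag TPID, assumed here for the non-Dell
# next hop (assumption, not from the guide).
TPID_8021Q = 0x8100
TPID_FTOS_OUTER = 0x9100
TPID_8021AD = 0x88A8
FTOS_TPIDS = frozenset({TPID_8021Q, TPID_FTOS_OUTER})


def encode_tci(pcp, dei, vid):
    """Pack priority (3 bits), DEI/CFI (1 bit) and VLAN ID (12 bits) into a tag control word."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 0xFFF):
        raise ValueError("tag field out of range")
    return (pcp << 13) | (dei << 12) | vid


def decode_tci(tci):
    """Inverse of encode_tci: return (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def build_frame(dst, src, tags, ethertype, payload):
    """Constructed frame: dst/src MACs, then (tpid, pcp, dei, vid) tags outermost first."""
    frame = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pcp, dei, vid in tags:
        frame += struct.pack("!HH", tpid, encode_tci(pcp, dei, vid))
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame, known_tpids=FTOS_TPIDS):
    """Walk the tag stack the way a bridge that recognises known_tpids would.

    Every ethertype in known_tpids is consumed as a 4-byte tag; the first other
    value is reported as the frame's ethertype. A bridge that does not know the
    outer TPID therefore sees no tags at all and an unknown ethertype.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in known_tpids:
            break
        if offset + 4 > len(frame):
            raise ValueError("frame truncated inside a VLAN tag")
        pcp, dei, vid = decode_tci(struct.unpack_from("!H", frame, offset + 2)[0])
        tags.append({"tpid": ethertype, "pcp": pcp, "dei": dei, "vid": vid})
        offset += 4
    return {
        "dst": frame[0:6].hex(":"),
        "src": frame[6:12].hex(":"),
        "tags": tags,
        "ethertype": ethertype,
        "payload": frame[offset + 2:],
    }


def check_qinq(parsed, next_hop_outer_tpid):
    """List the reasons a double-tagged frame would be misread by the next hop."""
    problems = []
    tags = parsed["tags"]
    if len(tags) != 2:
        problems.append(f"expected an S-Tag and a C-Tag, found {len(tags)} tag(s)")
        return problems
    outer, inner = tags
    if outer["tpid"] != next_hop_outer_tpid:
        problems.append(f"outer TPID 0x{outer['tpid']:04x} does not match the "
                        f"next hop's 0x{next_hop_outer_tpid:04x}")
    if inner["tpid"] != TPID_8021Q:
        problems.append(f"inner TPID 0x{inner['tpid']:04x} is not 0x8100 as 802.1Q requires")
    return problems


def example_frame():
    """Constructed sample: S-Tag VLAN 103 with DEI set, C-Tag VLAN 101 priority 5, IPv4 payload."""
    return build_frame("00:01:e8:01:cb:b4", "00:01:e8:02:00:01",
                       [(TPID_FTOS_OUTER, 0, 1, 103), (TPID_8021Q, 5, 0, 101)],
                       0x0800, b"\x45\x00" + b"\x00" * 18)


if __name__ == "__main__":
    frame = example_frame()
    ftos_view = parse_frame(frame)
    print("FTOS view:", ftos_view["tags"], hex(ftos_view["ethertype"]))
    print("next hop expecting 0x88a8:", check_qinq(ftos_view, TPID_8021AD))
    other_view = parse_frame(frame, known_tpids={TPID_8021Q, TPID_8021AD})
    print("802.1ad-only view:", other_view["tags"], hex(other_view["ethertype"]))
```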
Marking Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress. For ingress information, refer to Honoring the Incoming DEI Value. To mark egress packets, use the following command. • Set the DEI value on egress according to the color currently assigned to the packet.
• Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. For example, if frames with C-Tag dot1p values 0, 6, and 7 are mapped to an S-Tag dot1p value 0, all such frames are sent to the queue associated with the S-Tag 802.1p value 0. This option requires two different CAM entries, each in a different Layer 2 ACL FP block.
cam-acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number ecfmacl number {vman-qos | vman-qos-dualfp} number – vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dualfp. – vman-qos-dualfp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. This method requires twice as many CAM entries as vman-qos and FP blocks in multiples of 2.
Figure 101. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge. Figure 102. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following commands. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2. Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3. Tunnel BPDUs on the VLAN.
The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.
sFlow 41 Configuring sFlow is supported on the Z9000 platform. Overview The Dell Networking operating system (FTOS) supports sFlow version 5. sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows.
• when the exported packet rate is high and the backoff mechanism is about to take effect or has started to take effect.
• The dropEvent counter in the sFlow packet is always zero.
• The community list and local preference fields are not filled in the extended gateway element of the sFlow datagram.
• The 802.1p source priority field is not filled in the extended switch element of the sFlow datagram.
• Only the destination AS and destination peer AS numbers are packed in the dst-as-path field of the extended gateway element.
Global default sampling rate: 32768
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
Enabling and Disabling sFlow on an Interface By default, sFlow is disabled on all interfaces. This command is supported on physical ports and link aggregation group (LAG) ports. To enable sFlow on a specific interface, use the following command.
Displaying sFlow Information on an Interface To view sFlow information on a specific interface, use the following command. • Display sFlow configuration information and statistics on a specific interface.
sflow collector ip-address agent-addr ip-address [number [max-datagram-size number]] | [max-datagram-size number] The default UDP port is 6343. The default max-datagram-size is 1400. sFlow datagrams are plain UDP with no authentication or encryption, so send them over a management network and filter the collector port accordingly. Changing the Polling Intervals The sflow polling-interval command sets, for an interface, the maximum number of seconds between successive counter samples sent to the collector. It overrides the global default counter polling interval (20 seconds) on that interface.
NOTE: The entire AS path is not included. BGP community-list and local preference information are not included. These fields are assigned default values and are not interpreted by the collector.
• Enable extended sFlow. sflow [extended-switch] [extended-router] [extended-gateway] enable By default, packing of extended information into the datagram is disabled.
• Confirm that extended information packing is enabled.
Table 44. Extended Gateway Summary
IP SA                | IP DA                | srcAS and srcPeerAS | dstAS and dstPeerAS | Description
static/connected/IGP | static/connected/IGP | —                   | —                   | Extended gateway data is not exported because there is no AS information.
static/connected/IGP | BGP                  | 0                   | Exported            | src_as and src_peer_as are zero because there is no AS information for IGP.
BGP                  | static/connected/IGP | —                   | —                   | Prior to FTOS version 7.8.1.0, extended gateway data is not exported because IP DA is not learned via BGP.
BGP                  | BGP                  | Exported            | Exported            |
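The collector side of what this chapter configures is a parser for the sFlow version 5 datagrams the switch exports to UDP port 6343. The following is an added example written for this guide, not Dell or FTOS code: it decodes the datagram header and a flow sample (with its raw packet header record) according to the sFlow v5 specification, and refuses truncated or wrong-version input instead of crashing, which matters because anything that can reach the collector port can send it datagrams. The agent address 10.11.131.162, the interface indices and the Ethernet header bytes are constructed sample values; the sampling rate of 32768 and the zero drop count match the defaults and the "dropEvent is always zero" behaviour described above.

```python
"""Parse an sFlow v5 datagram as a collector receives it on UDP 6343.

Added example; not Dell/FTOS code. The field layout follows the sFlow v5
specification. The agent address, interface indices and packet header used
by build_sample_datagram() are constructed test data, not Z9000 output.
"""
import ipaddress
import struct

SFLOW_VERSION = 5
ADDR_IPV4, ADDR_IPV6 = 1, 2
SAMPLE_FLOW, SAMPLE_COUNTERS = 1, 2   # sample_data_format, enterprise 0
RECORD_RAW_HEADER = 1                 # flow_data_format, enterprise 0


def _u32(buf, off):
    """Read one big-endian uint32 without reading past the end of the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated sFlow datagram")
    return struct.unpack_from("!I", buf, off)[0], off + 4


def _parse_flow_sample(body):
    """Decode a flow sample (format 1) and any raw-packet-header records in it."""
    off, fields = 0, []
    for _ in range(8):   # seq, source_id, rate, pool, drops, input, output, n_records
        v, off = _u32(body, off)
        fields.append(v)
    seq, source_id, rate, pool, drops, in_if, out_if, n_records = fields
    records = []
    for _ in range(n_records):
        fmt, off = _u32(body, off)
        length, off = _u32(body, off)
        data = body[off:off + length]
        if len(data) != length:
            raise ValueError("truncated flow record")
        off += length
        if fmt == RECORD_RAW_HEADER:
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!IIII", data, 0)
            records.append({"type": "raw_header", "protocol": proto,
                            "frame_length": frame_len, "stripped": stripped,
                            "header": data[16:16 + hdr_len]})
        else:
            records.append({"type": fmt, "raw": data})
    return {"type": "flow", "sequence": seq,
            "source_type": source_id >> 24, "source_index": source_id & 0xFFFFFF,
            "sampling_rate": rate, "sample_pool": pool, "drops": drops,
            "input": in_if, "output": out_if, "records": records}


def parse_sflow_datagram(buf):
    """Parse one datagram; raises ValueError on malformed input."""
    version, off = _u32(buf, 0)
    if version != SFLOW_VERSION:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(buf, off)
    if addr_type == ADDR_IPV4:
        agent, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif addr_type == ADDR_IPV6:
        agent, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    sub_agent, off = _u32(buf, off)
    sequence, off = _u32(buf, off)
    uptime_ms, off = _u32(buf, off)
    n_samples, off = _u32(buf, off)
    samples = []
    for _ in range(n_samples):
        fmt, off = _u32(buf, off)
        length, off = _u32(buf, off)
        body = buf[off:off + length]
        if len(body) != length:
            raise ValueError("truncated sample")
        off += length
        if fmt == SAMPLE_FLOW:
            samples.append(_parse_flow_sample(body))
        else:   # counter samples and enterprise-specific formats are kept raw
            samples.append({"type": fmt, "raw": body})
    return {"agent": agent, "sub_agent": sub_agent, "sequence": sequence,
            "uptime_ms": uptime_ms, "samples": samples}


def build_sample_datagram():
    """Construct a datagram with one flow sample taken at the default rate (1 in 32768)."""
    # Constructed Ethernet header (dst 00:01:e8:06:95:ac, src 00:01:e8:26:dd:b7,
    # EtherType IPv4) followed by 20 zero bytes standing in for an IPv4 header.
    hdr = bytes.fromhex("0001e80695ac0001e826ddb70800") + bytes(20)
    raw_rec = struct.pack("!IIII", 1, 1514, 4, len(hdr)) + hdr + bytes(-len(hdr) % 4)
    flow = struct.pack("!IIIIIIII", 7, (0 << 24) | 21, 32768, 7 * 32768, 0, 21, 22, 1)
    flow += struct.pack("!II", RECORD_RAW_HEADER, len(raw_rec)) + raw_rec
    dgram = struct.pack("!II", SFLOW_VERSION, ADDR_IPV4)
    dgram += ipaddress.IPv4Address("10.11.131.162").packed   # constructed agent address
    dgram += struct.pack("!IIII", 0, 42, 1_234_567, 1)
    dgram += struct.pack("!II", SAMPLE_FLOW, len(flow)) + flow
    return dgram
```

A real collector would read datagrams from a socket bound to port 6343, check that the agent address in the header matches the source it expects for that switch, and only then feed the sampled headers into flow accounting; the parser above is the part that must survive hostile input.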
42 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on the Z9000 platform. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd). Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements.
• Copying Configuration Files via SNMP • Manage VLANs Using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-channels Important Points to Remember • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both LAN and WAN applications.
! snmp-server community mycommunity ro Setting Up User-Based Security (SNMPv3) When setting up SNMPv3, you can set users up with one of the following three types of configuration for SNMP read/write operations. Users are typically associated with an SNMP group that provides permissions, such as an OID view. • noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration; it provides no more protection than a community string, since anyone on the path can read or spoof the requests. Use priv for management traffic that crosses untrusted segments.
Select a User-based Security Type FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 ? auth Use the SNMPv3 authNoPriv Security Level noauth Use the SNMPv3 noAuthNoPriv Security Level priv Use the SNMPv3 authPriv Security Level FTOS(conf)#snmp-server host 1.1.1.1 traps {oid tree} version 3 noauth ? WORD SNMPv3 user name Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent.
Writing Managed Object Values You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or overwrite the value of a managed object. • To write or overwrite the value of a managed object. snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance} syntax value Example of Writing the Value of a Managed Object > snmpset -v 2c -c mycommunity 10.11.
Subscribing to Managed Object Value Updates using SNMP By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. FTOS supports the following three sets of traps: • RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
Enabling a Subset of SNMP Traps You can enable a subset of Dell Networking enterprise-specific SNMP traps using the command options listed below. To enable a subset of Dell Networking enterprise-specific SNMP traps, use the following command. • Enable a subset of SNMP traps. snmp-server enable traps NOTE: The envmon option enables all environment traps, including those enabled individually with the envmon supply, envmon temperature, and envmon fan options.
FAN_BAD: Minor alarm: some fans in fan tray %d are down FAN_OK: Minor alarm cleared: all fans in fan tray %d are good vlt Enable VLT traps. vrrp Enable VRRP state change traps xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35. %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 11/38 transitioned from Forwarding to Blocking state. %SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client. • copy the running-config file to the startup-config file • copy configuration files from the Dell Networking system to a server • copy configuration files from a server to the Dell Networking system You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object           | OID                             | Object Values                                   | Description
copyDestFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 | 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp | Specifies the location of the destination file. If copyDestFileType is running-config or startup-config, the default copyDestFileLocation is flash. If copyDestFileType is binary, you must specify copyDestFileLocation and copyDestFileName. If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copyDestFileName     | .1.3.
CONFIGURATION mode snmp-server community community-name rw 2. Copy the f10-copy-config.mib MIB from the Dell iSupport web page to the server to which you are copying the configuration file. 3. On the server, use the snmpset command as shown in the following example. snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ip-address mib-object.index {i | a | s} object-value... – Every specified object must have an object value, preceded by its type keyword: i for an integer, a for an IP address, s for a string. Note that with SNMP version 2c the community string, and any copyUserName and copyUserPassword values you set, cross the network in cleartext; a read-write community that can drive this MIB can read or replace the device configuration, so restrict it to the management station and prefer an SNMPv3 priv user where possible.
FTOS-COPY-CONFIG-MIB::copySrcFileType.101 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.101 = INTEGER: startupConfig(3) Example of Copying Configuration Files (Using OIDs) > snmpset -v 2c -c public -m ./f10-copy-config.mib 10.10.10.10 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.100 i 2 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.100 i 3 FTOS-COPY-CONFIG-MIB::copySrcFileType.100 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.
Copying the Startup-Config Files to the Server via TFTP To copy the startup-config to the server via TFTP from the UNIX machine, use the following command. NOTE: Verify that the file exists on the TFTP server and that its permissions are set to 777, because most TFTP servers will not create files. TFTP performs no authentication, and the configuration may contain credentials, so keep the server on the management network and remove or restrict the file once the copy completes. Specify the path relative to the TFTP root directory. • Copy the startup-config to the server via TFTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 1 copyDestFileName.
MIB Object        | OID                              | Values     | Description
                  |                                  | 3 = failed |
copyTimeStarted   | .1.3.6.1.4.1.6027.3.5.1.1.1.1.12 | Time value | Specifies the point in the up-time clock at which the copy operation started.
copyTimeCompleted | .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 | Time value | Specifies the point in the up-time clock at which the copy operation completed.
copyFailCause     | .1.3.6.1.4.1.6027.3.5.1.1.1.1.
Example of Getting a MIB Object Value (Using OID) > snmpget -v 2c -c private 10.11.131.140 .1.3.6.1.4.1.6027.3.5.1.1.1.1.13.110 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.13.110 = Timeticks: (1179831) 3:16:38.31 Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object.
• To add an untagged port to a VLAN, write the port to the dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts objects. NOTE: Whether adding a tagged or untagged port, specify values for both dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts. In the following example, Port 0/2 is added as an untagged member of VLAN 10. Example of Adding an Untagged Port to a VLAN using SNMP >snmpset -v2c -c mycommunity 10.11.131.185 . 1.3.6.1.2.1.17.7.1.4.3.1.2.
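The two objects written above are Q-BRIDGE-MIB PortList octet strings, and getting the bit layout wrong silently puts the wrong ports into the VLAN. The following is an added example for this guide, not Dell or FTOS code: it encodes bridge port numbers into a PortList (RFC 2674: each octet covers eight ports, most significant bit first), decodes one back, and assembles the three varbinds (egress ports, untagged ports, row status createAndGo) into a net-snmp snmpset command. The bridge port numbers used in it are assumptions for illustration; on a real system derive them from dot1dBasePortIfIndex rather than from the slot/port name, since the two need not coincide.

```python
"""Build Q-BRIDGE-MIB varbinds that place ports in a VLAN (added example, not Dell code).

dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts are PortList OCTET
STRINGs (RFC 2674): octet k covers bridge ports 8k+1..8k+8, and within each
octet the most significant bit stands for the lowest-numbered port. Bridge port
numbers below are assumed; derive them from dot1dBasePortIfIndex in practice.
"""

VLAN_STATIC_ENTRY = ".1.3.6.1.2.1.17.7.1.4.3.1"   # dot1qVlanStaticEntry
COL_EGRESS, COL_UNTAGGED, COL_ROWSTATUS = 2, 4, 5
ROWSTATUS_CREATE_AND_GO = 4


def encode_portlist(ports, min_octets=0):
    """Encode 1-based bridge port numbers as a PortList; rejects non-positive ports."""
    ports = sorted(set(ports))
    if ports and ports[0] < 1:
        raise ValueError("bridge port numbers start at 1")
    n = max(min_octets, (ports[-1] + 7) // 8 if ports else 0)
    out = bytearray(n)
    for p in ports:
        out[(p - 1) // 8] |= 0x80 >> ((p - 1) % 8)
    return bytes(out)


def decode_portlist(octets):
    """Inverse of encode_portlist: the list of ports whose bit is set."""
    return [8 * i + b + 1 for i, o in enumerate(octets)
            for b in range(8) if o & (0x80 >> b)]


def vlan_membership_varbinds(vlan_id, tagged=(), untagged=()):
    """(oid, type, value) triples for snmpset. Both PortLists are always written,
    as the NOTE above requires; the row is created with createAndGo."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    egress = encode_portlist(list(tagged) + list(untagged))     # tagged + untagged
    untag = encode_portlist(untagged, min_octets=len(egress))   # untagged subset
    return [
        (f"{VLAN_STATIC_ENTRY}.{COL_EGRESS}.{vlan_id}", "x", egress.hex()),
        (f"{VLAN_STATIC_ENTRY}.{COL_UNTAGGED}.{vlan_id}", "x", untag.hex()),
        (f"{VLAN_STATIC_ENTRY}.{COL_ROWSTATUS}.{vlan_id}", "i", str(ROWSTATUS_CREATE_AND_GO)),
    ]


def snmpset_command(host, community, varbinds):
    """Render a net-snmp snmpset line; v2c, so the community travels in cleartext."""
    return f"snmpset -v2c -c {community} {host} " + " ".join(
        f"{oid} {typ} {val}" for oid, typ, val in varbinds)
```

For a VLAN that already exists, drop the row-status varbind (or write active, value 1) instead of createAndGo. Because a write-capable community can move any port between VLANs with three varbinds, treat the rw community string with the same care as an enable password.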
Managing Overload on Startup If you are running IS-IS, you can set a specific amount of time during which ingress traffic is blocked after a reload, so that the routing protocol upgrade process can complete. To prevent ingress traffic on a router while the IS-IS reload is in progress, use the following command. • Set the amount of time after an IS-IS reload before ingress traffic is allowed at startup.
Fetch Dynamic MAC Entries using SNMP Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1Q Q-BRIDGE MIB defines VLANs with respect to 802.1D, as 802.1D itself does not define them. Because a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-BRIDGE MIB is used for MAC address queries.
VlanId Mac Address Type Interface State 1000 00:01:e8:06:95:ac Dynamic Gi 1/21 Active ---------------Query from Management Station--------------->snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.7.1.2.2.1 Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
Table 48. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object                 | OID                              | Description                                                        | MIB
chSysSwInPartitionAImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 | Lists the version string of the system image in Flash Partition A. | Chassis MIB
chSysSwInPartitionBImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.12 | Lists the version string of the system image in Flash Partition B. | Chassis MIB
Example of Viewing Status of Learned MAC Addresses
dot3aCurAggVlanId  SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
dot3aCurAggIndex   SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggStatus  SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1   << Status: 1 – active, 2 – inactive
Layer 3 LAG does not include this support.
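Walking these tables is how you answer "which port is this MAC on?" during an incident, but the answer is hidden in the OID instance: dot1qTpFdbTable is indexed by FDB (VLAN) ID followed by the six MAC octets, and dot3aCurAggFdbTable by VLAN, the six MAC octets and the port-channel number, exactly the "decimal conversion of the MAC address concatenated with the port-channel number" described above. The following is an added example for this guide, not Dell code: it turns raw snmpwalk output lines into records of VLAN, MAC and port. The walk lines it carries are constructed to match those index layouts (using the 00:01:e8:06:95:ac entry shown above), not captured from a device, and the net-snmp output prefixes it normalises are the ones printed when no MIB files are loaded.

```python
"""Decode snmpwalk output from dot1qTpFdbTable and dot3aCurAggFdbTable into
(VLAN, MAC, port) records. Added example, not Dell code; SAMPLE_WALK is
constructed to match the index layouts above, not captured from a switch.

dot1qTpFdbEntry      index: dot1qFdbId . MAC (6 sub-identifiers)
dot3aCurAggFdbEntry  index: VLAN . MAC (6 sub-identifiers) . port-channel number
"""
import re

# net-snmp prints these symbolic prefixes when no MIB files are loaded.
_PREFIXES = {"SNMPv2-SMI::mib-2.": ".1.3.6.1.2.1.",
             "SNMPv2-SMI::enterprises.": ".1.3.6.1.4.1."}
DOT1Q_TP_FDB_ENTRY = ".1.3.6.1.2.1.17.7.1.2.2.1"
DOT3A_CUR_AGG_FDB_ENTRY = ".1.3.6.1.4.1.6027.3.2.1.1.4.1"
FDB_STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}
_LINE = re.compile(r"^(\S+)\s*=\s*(?:INTEGER|Hex-STRING|STRING):\s*(.*)$")

# Constructed walk output: one learned MAC on bridge port 21 in VLAN 1000, and
# one MAC learned on port-channel 1 in VLAN 1 (the entry shown above).
SAMPLE_WALK = """\
SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 21
SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.1000.0.1.232.6.149.172 = INTEGER: 3
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1
""".splitlines()


def _numeric(oid):
    for sym, num in _PREFIXES.items():
        if oid.startswith(sym):
            return num + oid[len(sym):]
    return oid


def _subids(oid, prefix, expected):
    ids = [int(x) for x in oid[len(prefix) + 1:].split(".")]
    if len(ids) != expected:
        raise ValueError(f"unexpected index length in {oid}")
    return ids


def _mac(subids):
    if any(not 0 <= s <= 255 for s in subids):
        raise ValueError(f"bad MAC index {subids}")
    return ":".join(f"{s:02x}" for s in subids)


def parse_fdb_walk(lines):
    """Merge per-column walk lines into one record per learned address."""
    records = {}
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        oid, value = _numeric(m.group(1)), m.group(2).strip()
        if oid.startswith(DOT1Q_TP_FDB_ENTRY + "."):
            ids = _subids(oid, DOT1Q_TP_FDB_ENTRY, 8)
            col, vlan, mac = ids[0], ids[1], _mac(ids[2:8])
            rec = records.setdefault(("dot1q", vlan, mac),
                                     {"table": "dot1qTpFdbTable", "vlan": vlan, "mac": mac})
            if col == 2:                       # dot1qTpFdbPort: bridge port number
                rec["bridge_port"] = int(value)
            elif col == 3:                     # dot1qTpFdbStatus
                rec["status"] = FDB_STATUS.get(int(value), value)
        elif oid.startswith(DOT3A_CUR_AGG_FDB_ENTRY + "."):
            ids = _subids(oid, DOT3A_CUR_AGG_FDB_ENTRY, 9)
            col, vlan, mac, po = ids[0], ids[1], _mac(ids[2:8]), ids[8]
            rec = records.setdefault(("dot3a", vlan, mac, po),
                                     {"table": "dot3aCurAggFdbTable", "vlan": vlan,
                                      "mac": mac, "port_channel": po})
            if col == 4:                       # dot3aCurAggStatus: 1 active, 2 inactive
                rec["status"] = "active" if value == "1" else "inactive"
    return list(records.values())


def locate_mac(lines, mac):
    """Every (table, vlan, port) at which a given MAC is currently learned."""
    mac = mac.lower()
    return [(r["table"], r["vlan"], r.get("bridge_port", r.get("port_channel")))
            for r in parse_fdb_walk(lines) if r["mac"] == mac]
```

The bridge_port value is a dot1d bridge port number, not an ifIndex; map it through dot1dBasePortIfIndex (.1.3.6.1.2.1.17.1.4.1.2) and then ifDescr to get the interface name, as the Deriving Interface Indices section of this chapter describes.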
Storm Control 43 Storm control is supported on the Z9000 platform. The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. FTOS Behavior: FTOS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. Configure Storm Control Storm control is supported in INTERFACE mode and CONFIGURATION mode.
Spanning Tree Protocol (STP) 44 The spanning tree protocol (STP) is supported on the Z9000 platform. Protocol Overview STP is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
Important Points to Remember
• STP is disabled by default.
• The Dell Networking operating system (FTOS) supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
• You may only enable one flavor of spanning tree at any one time.
To configure and enable the interfaces for Layer 2, use the following commands. 1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE mode switchport 3. Enable the interface. INTERFACE mode no shutdown To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Figure 104. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Example of Viewing Spanning Tree Configuration R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and maxage and overwrites the values set on other bridges participating in STP. NOTE: Dell Networking recommends that only experienced network administrators change the spanning tree parameters. Poorly planned modification of the spanning tree parameters can negatively affect network performance. The following table displays the default values for STP. Table 50.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Example of Verifying PortFast is Enabled on an Interface
FTOS(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 no ip address
 switchport
 spanning-tree 0 portfast
 no shutdown
FTOS(conf-if-gi-1/1)#
Prevent Network Disruptions with BPDU Guard Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. A BPDU arriving on such a port means a bridge, or a host impersonating one, has been attached where only an end station should be, and BPDU guard disables the port rather than letting that device influence the topology.
Figure 105. Enabling BPDU Guard FTOS Behavior: BPDU guard and BPDU filtering (refer to Removing an Interface from the Spanning Tree Group) both block BPDUs, but are two separate features. BPDU guard: • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. • drops the BPDU after it reaches the RPM and generates a console message.
Interface Name Role PortID Prio Cost Sts Cost Link-type Edge ---------- ------ -------- ---- ------- --- ---------------Gi 0/6 Root 128.263 128 20000 FWD 20000 P2P No Gi 0/7 ErrDis 128.
A, device D is elected as root, causing the link between Switches A and B to enter a Blocking state. Network traffic then begins to flow in the directions indicated by the BPDU arrows in the topology. If the links between Switches C and A or Switches C and B cannot handle the increased traffic flow, frames may be dropped.
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure root guard on a port on which loop guard is already configured, the following error message displays: % Error: LoopGuard is configured. Cannot configure RootGuard.
• When used in an MSTP network, if root guard blocks a boundary port in the CIST, the port is also blocked in all other MST instances.
redundancy protocol xstp FTOS# STP Loop Guard STP loop guard is supported on the Z9000 platform. The STP loop guard feature provides protection against Layer 2 forwarding loops (STP loops) caused by a hardware failure, such as a cable failure or an interface fault. When a cable or interface fails, a participating STP link may become unidirectional (STP requires links to be bidirectional) and an STP port stops receiving BPDUs.
Figure 107. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port-channel basis. FTOS Behavior: The following conditions apply to a port enabled with loop guard: • Loop guard is supported on any STP-enabled port or port-channel interface.
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed: % Error: RootGuard is configured. Cannot configure LoopGuard. • Enabling Portfast BPDU guard and loop guard at the same time on a port results in a port that remains in a blocking state and prevents traffic from flowing through it.
System Time and Date 45 System time and date settings and the network time protocol (NTP) are supported on the Z9000 platform. You can set the system time and date manually, or maintain them through NTP. They are also set through the Dell Networking operating system (FTOS) command line interface (CLI) and hardware settings. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
and serve as a client to the NTP host. As soon as a host-client relationship is established, the networking device propagates the time information throughout its local network. Protocol Overview The client sends NTP messages to one or more servers and processes the replies as they are received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately.
Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell Networking system synchronizes. CONFIGURATION mode ntp server ip-address To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
• Set the interface to receive NTP packets. INTERFACE mode ntp broadcast client Example of Configuring NTP Broadcasts 2w1d11h : NTP: Maximum Slew:-0.000470, Remainder = -0.496884 Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, FTOS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface.
Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources. NTP authentication begins when the first NTP packet is created following the configuration of keys. NTP authentication in FTOS uses the message digest 5 (MD5) algorithm: a key identifier and an MD5 digest computed over the packet with the shared key are appended to each NTP packet sent to a time source; the key itself is never transmitted, and a packet is accepted only if its key identifier is a trusted key and the digest verifies. This authenticates the peer and detects modification in transit but does not encrypt the packet, and MD5 is no longer collision resistant, so protect the key material and configure only servers you trust. FTOS Behavior: FTOS versions 8.2.1.
ntp server 11.1.1.1 version 3 ntp trusted-key 345 FTOS# Configuring an NTP Server R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.406 UTC Thu Apr 2 2009) rec CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) xmt CD7F5368.D0535000 (15:8:24.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
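The authenticator that the key configuration above adds to the 48-byte packet whose fields the debug output and NOTE describe is a 4-byte key identifier followed by a 16-byte digest, computed as MD5 over the key followed by the packet (RFC 1305 Appendix C, carried into RFC 5905 section 7.3). The following is an added example for this guide, not FTOS code: it packs an NTP v3 client header, signs it with key identifier 345 (the trusted key shown in the configuration above), and verifies it the way a receiver with a trusted-key list must, rejecting untrusted key IDs, unconfigured keys, tampered packets and packets with no authenticator. The key string and timestamps are constructed values.

```python
"""NTP v3/v4 keyed-MD5 authenticator (RFC 1305 Appendix C, RFC 5905 section 7.3).
Added example, not FTOS code. Key ID 345 matches the trusted-key in the
configuration above; the key string and timestamps are constructed values.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
AUTH_LEN = 4 + 16          # key identifier + MD5 digest


def build_ntp_packet(mode=3, version=3, stratum=0, poll=10, precision=-20,
                     root_delay=0, root_disp=0, ref_id=b"\0\0\0\0",
                     ref_ts=0, orig_ts=0, recv_ts=0, transmit_ts=0):
    """Pack the 48-byte NTP header; mode 3 = client, mode 4 = server, LI = 0."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBBbII4sQQQQ", li_vn_mode, stratum, poll, precision,
                       root_delay, root_disp, ref_id, ref_ts, orig_ts, recv_ts, transmit_ts)


def ntp_md5_sign(packet, key_id, key):
    """Append key ID + MD5(key || packet). The key itself never goes on the wire."""
    if len(packet) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def ntp_md5_verify(message, keys, trusted_key_ids):
    """Accept only packets whose key ID is configured and trusted and whose digest
    matches; returns (ok, reason). The trusted set models 'ntp trusted-key'."""
    if len(message) != NTP_HEADER_LEN + AUTH_LEN:
        return False, "no authenticator present"
    header = message[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", message[48:52])[0]
    if key_id not in trusted_key_ids:
        return False, f"key id {key_id} is not trusted"
    if key_id not in keys:
        return False, f"key id {key_id} is not configured"
    expected = hashlib.md5(keys[key_id] + header).digest()
    if not hmac.compare_digest(expected, message[52:]):   # constant-time compare
        return False, "digest mismatch"
    return True, "authenticated"


# Constructed key table: in FTOS this corresponds to ntp authentication-key 345 md5 ...
KEYS = {345: b"example-shared-secret"}
TRUSTED = {345}
```

Note what this does and does not give you: a peer without the key cannot forge or alter a packet, but the scheme is a plain prefix-keyed hash rather than an HMAC, offers no replay protection on its own, and leaks nothing about the key only as long as MD5's preimage resistance holds. Keep the key out of the running-config you export over TFTP or SNMP, and treat `ntp trusted-key` as the allow-list it is.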
Setting the Time and Date for the Switch Hardware Clock To set the time and date for the switch hardware clock, use the following command. • Set the hardware clock to the current time and date. EXEC Privilege mode calendar set time month day year – time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. – month: enter the name of one of the 12 months in English.
• Set the clock to the appropriate timezone. CONFIGURATION mode clock timezone timezone-name offset – timezone-name: enter the name of the timezone. Do not use spaces. – offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009" Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
FTOS(conf)#02:02:13: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009" NOTE: If you press Enter after the recurring keyword without specifying further parameters, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting.
Tunneling 46 Tunneling is supported on the Z9000 platform. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel Configuring a tunnel is supported on the Z9000 platform. You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode.
tunnel destination 23.22.21.3 tunnel source 23.22.22.3 tunnel mode ipv6ip no shutdown FTOS(conf-if-tu-22)#ipv6 address 5adb::3/64 FTOS(conf-if-tu-22)#sho c ! interface Tunnel 22 no ip address ipv6 address 5adb::3/64 tunnel destination 23.22.21.3 tunnel source 23.22.22.3 tunnel mode ipv6ip no shutdown FTOS(conf-if-tu-22)#exit FTOS(conf)#ip route 23.22.21.0/24 23.22.22.
Upgrade Procedures 47 To find the upgrade procedures, go to the FTOS Release Notes for your system type to see all the requirements needed to upgrade to the desired FTOS version. To upgrade your system type, follow the procedures in the FTOS Release Notes. Get Help with Upgrades Direct any questions or concerns about the FTOS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://support.dell.com/ • By email: Dell-Force10_Technical_Support@Dell.
Virtual LANs (VLANs) 48 Virtual LANs (VLANs) are supported on the Z9000 platform. VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (FTOS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
Figure 109. Tagged Frame Format The tag header contains some key information that FTOS uses: • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved. NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard.
To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
NUM  Status    Q  Ports
* 1  Inactive
  2  Active    T  Po1(So 0/0-1)
               T  Gi 3/0
  3  Active    T  Po1(So 0/0-1)
               T  Gi 3/1
FTOS#config
FTOS(conf)#int vlan 4
FTOS(conf-if-vlan)#tagged po 1
FTOS(conf-if-vlan)#show conf
!
interface Vlan 4
 no ip address
 tagged Port-channel 1
FTOS(conf-if-vlan)#end
FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
NUM  Status    Q  Ports
* 1  Inactive
  2  Active    T  Po1(So 0/0-1)
               T  Gi 3/0
  3  Active    T  Po1(So 0/0-1)
               T  Gi 3/1
  4  Active    T  Po1(So 0/0-1)
FTOS#
When you remove a tagged interface from a VLAN (us
Move an Untagged Interface to Another VLAN
FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
NUM  Status    Q  Ports
* 1  Active    U  Gi 3/2
  2  Active    T  Po1(So 0/0-1)
               T  Gi 3/0
  3  Active    T  Po1(So 0/0-1)
               T  Gi 3/1
  4  Inactive
FTOS#conf
FTOS(conf)#int vlan 4
FTOS(conf-if-vlan)#untagged gi 3/2
FTOS(conf-if-vlan)#show config
!
interface Vlan 4
 no ip address
 untagged GigabitEthernet 3/2
FTOS(conf-if-vlan)#end
FTOS#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
NUM  Status    Q  Ports
* 1  Inactive
  2  Active    T  Po1(So 0/0-1)
               T  Gi 3/0
  3  Active    T  Po1(So 0/0-1)
               T  Gi 3/1
– secondary — This is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags).
Default: the default VLAN is enabled (no default-vlan disable).
Virtual Link Trunking (VLT) 49 Virtual link trunking (VLT) is supported on the Z9000 platform. Overview VLT allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology.
Figure 110. VLT on Switches VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
Figure 111. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches. Both ends must be on 10G or 40G interfaces.
Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • VLT port channel interfaces must be switch ports. • If you include RSTP on the system, configure it before VLT. Refer to Configure Rapid Spanning Tree. • Dell Networking strongly recommends that the VLTi (VLT interconnect) be a static LAG and that you disable LACP on the VLTi.
Configuration Notes When you configure VLT, the following conditions apply. • VLT domain – A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. – A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. – Each VLT domain has a unique MAC address that you create or VLT creates automatically.
– When you change the default VLAN ID on a VLT peer switch, the VLT interconnect may flap. – In a VLT domain, the following software features are supported on VLTi: link layer discovery protocol (LLDP), flow control, port monitoring, jumbo frames, and data center bridging (DCB). – When you enable the VLTi link, the link between the VLT peer switches is established if the following configured information is true on both peer switches: * the VLT system MAC address matches.
In the port-channel used by the switch to connect to the VLT domain, configure the port interfaces on each VLT peer as hybrid ports before adding them to the port channel (refer to Connecting a VLT Domain to an Attached Access Device (Switch or Server)). To configure a port in Hybrid mode so that it can carry untagged, single-tagged, and double-tagged traffic, use the portmode hybrid command in Interface Configuration mode as described in Configuring Native VLANs.
• Failure scenarios – On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding. – When a VLT switch determines that a VLT port channel has failed (and that no other local port channels are available), the peer with the failed port channel notifies the remote peer that it no longer has an active port channel for a link.
• Configure any ports at the edge of the spanning tree’s operating domain as edge ports, which are directly connected to end stations or server racks. Disable RSTP on ports connected directly to Layer 3-only routers not running STP or configure them as edge ports. • Ensure that the primary VLT node is the root bridge and the secondary VLT peer node has the second-best bridge ID in the network.
VLT Port Delayed Restoration With FTOS version 8.3.12.0, when a VLT node boots up, if the VLT ports have been previously saved in the start-up configuration, they are not immediately enabled. To ensure MAC and ARP entries from the VLT peer node are downloaded to the newly enabled VLT node, the system allows time for the VLT ports on the new node to be enabled and begin receiving traffic. The delay-restore feature waits for all saved configurations to be applied, then starts a configurable timer.
Figure 112. PIM-Sparse Mode Support on VLT
On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
Each VLT peer runs its own PIM protocol independently of the other VLT peer. To keep the PIM protocol states and the multicast routing information base (MRIB) on the VLT peers in sync, the multicast route table is synced between the VLT peers whenever the incoming interface (IIF) and outgoing interface (OIF) are spanned. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running-config commands.
   vlt domain domain-id
2. Enable peer-routing.
   VLT DOMAIN mode
   peer-routing
3. Configure the peer-routing timeout.
   VLT DOMAIN mode
   peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 65535.
VLT Multicast Routing
VLT multicast routing is supported on the Z9000 platform.
   peer-routing
3. Configure the multicast peer-routing timeout.
   VLT DOMAIN mode
   multicast peer-routing-timeout value
   value: Specify a value (in seconds) from 1 to 1200.
4. Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router.
5. Configure a PIM-enabled external neighboring router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point.
6.
   no disable
3. Configure each peer switch with a unique bridge priority.
   PROTOCOL SPANNING TREE RSTP mode
   bridge-priority
Sample RSTP Configuration
The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch.
   interface port-channel id-number
   Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
   NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2. Remove an IP address from the interface.
   INTERFACE PORT-CHANNEL mode
   no ip address
3. Add one or more port interfaces to the port channel.
LACP on VLT ports (on a VLT switch or access device) that are members of the virtual link trunk is not brought up until the VLT domain is recognized on the access device.
5. Repeat Steps 1 to 4 on the VLT peer switch to configure the IP address of this switch as the endpoint of the VLT backup link and to configure the same port channel for the VLT interconnect.
Configuring a VLT Backup Link
To configure a VLT backup link, use the following command.
1.
To reconfigure the primary role of VLT peer switches, use the primary-priority command. To configure the primary role on a VLT peer, enter a lower value than the priority value of the remote peer. The priority values are from 1 to 65535. The default is 32768.
3. (Optional) When you create a VLT domain on a switch, FTOS automatically creates a VLT-system MAC address used for internal system operations.
   no shutdown
6. Associate the port channel with the corresponding port channel in the VLT peer for the VLT connection to an attached device.
   INTERFACE PORT-CHANNEL mode
   vlt-peer-lag port-channel id-number
   The valid port-channel ID numbers are from 1 to 128.
7. Repeat Steps 1 to 6 on the VLT peer switch to configure the same port channel as part of the VLT domain.
8. On an attached switch or server: To connect to the VLT domain and add port channels to it, configure a port channel.
   – 10 Gigabit Ethernet: enter tengigabitethernet slot/port.
3. Enter VLT-domain configuration mode for a specified VLT domain.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
4. Enter the port-channel number that acts as the interconnect trunk.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
   The range is from 1 to 128.
5.
   Valid port-channel ID numbers are from 1 to 128.
11. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
12. Add links to the eVLT port. Configure a range of interfaces to bulk configure.
   CONFIGURATION mode
   interface range {port-channel id}
13. Enable LACP on the LAN port.
   INTERFACE mode
   port-channel-protocol lacp
14. Configure the LACP port channel mode.
   INTERFACE mode
   port-channel number mode [active]
15. Ensure that the interface is active.
9. Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the top-of-rack unit.
   EXEC Privilege mode
   show running-config entity
10. Configure the VLT peer link port-channel ID in VLT peer 1 and VLT peer 2.
   EXEC mode or EXEC Privilege mode
   show interfaces interface
11. In the top-of-rack unit, configure LACP on the physical ports.
   EXEC Privilege mode
   show running-config entity
12. Verify that VLT is running.
   EXEC mode
   show vlt brief or show vlt detail
13.
s4810-4#show running-config vlt
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.43
s4810-4#
s4810-4#show running-config interface managementethernet 0/0
 ip address 10.11.206.58/16
 no shutdown
Configure the VLT links between VLT peer 1 and VLT peer 2 to the top-of-rack unit. In the following example, port Te 0/40 in VLT peer 1 is connected to Te 0/48 of the TOR, and port Te 0/18 in VLT peer 2 is connected to Te 0/50 of the TOR.
1.
 no shutdown
s60-1#
s60-1#show running-config interface port-channel 100
!
interface Port-channel 100
 no ip address
 switchport
 no shutdown
s60-1#
s60-1#show interfaces port-channel 100 brief
Codes: L - LACP Port-channel
    LAG  Mode  Status  Uptime    Ports
L   100  L2    up      03:33:48  Te 0/48 (Up)
                                 Te 0/50 (Up)
s60-1#
Verify VLT is up. Verify that the VLTi (ICL) link, backup link connectivity (heartbeat status), and VLT peer link (peer chassis) are all up.
Figure 113. eVLT Configuration Example
eVLT Configuration Step Examples
In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown
Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example
The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.
Example of Configuring PIM-Sparse Mode
Enable PIM multicast routing on the VLT node globally.
VLT_Peer1(conf)#ip multicast-routing
Enable PIM on the VLT port VLANs.
  show vlt detail
• Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device.
  EXEC mode
  show vlt role
• Display the current configuration of all VLT domains or a specified group on the switch.
  EXEC mode
  show running-config vlt
• Display statistics on VLT operation.
Domain ID:                      1000
Role:                           Secondary
Role Priority:                  32768
ICL Link Status:                Up
HeartBeat Status:               Up
VLT Peer Status:                Up
Local Unit Id:                  0
Version:                        5(1)
Local System MAC address:       00:01:e8:8a:e9:70
Remote System MAC address:      00:01:e8:8a:e7:e7
Configured System MAC address:  00:0a:0a:01:01:0a
Remote system version:          5(1)
Delay-Restore timer:            90 seconds
FTOS_VLTpeer2# show vlt brief
VLT Domain Brief
------------------
Domain ID:
Role:
Role Priority:
ICL Link Status:
HeartBeat Status:
VLT Peer Status:
Local Unit Id:
Vers
System Role Priority:        32768
Local System MAC address:    00:01:e8:8a:df:e6
Local System Role Priority:  32768
Example of the show running-config vlt Command
FTOS_VLTpeer1# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
FTOS_VLTpeer2# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.
Executing IEEE compatible Spanning Tree Protocol
 Root ID    Priority 0, Address 0001.e88a.dff8
 Root Bridge hello time 2, max age 20, forward delay 15
 Bridge ID  Priority 0, Address 0001.e88a.dff8
 We are the root
 Configured hello time 2, max age 20, forward delay 15
Interface                                  Designated
Name   PortID  Prio  Cost    Sts  Cost  Bridge ID         PortID
------ ------- ----- ------- ---- ----- ----------------- -------
Po 1   128.2   128   200000  DIS  0     0 0001.e88a.dff8  128.2
Po 3   128.4   128   200000  DIS  0     0 0001.e88a.dff8  128.4
Po 4   128.
 Isolated
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged, M - Vlan-stack, H - Hyperpull tagged
    NUM  Status  Description  Q Ports
    10   Active               U Po110(Fo 0/52)
                              T Po100(Fo 0/56,60)
Configuring Virtual Link Trunking (VLT Peer 2)
Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi).
FTOS_VLTpeer2(conf)#vlt domain 999
FTOS_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
FTOS_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.
interface Port-channel 11
 no ip address
 switchport
 channel-member fortyGigE 1/18,22
 no shutdown
Troubleshooting VLT
To help troubleshoot different VLT issues that may occur, use the following information.
NOTE: For information on VLT Failure mode timing and its impact, contact your Dell Networking representative.
Table 51.
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
Unit ID mismatch | The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated. | The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated. | Verify that the unit ID is correct on both VLT peers. Unit ID numbers must be sequential on peer units; for example, if Peer 1 is unit ID "0", Peer 2 unit ID must be "1".
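A check over the show vlt brief fields shown earlier in this chapter ("Verify VLT is up") and the unit-ID rule in the troubleshooting table above, as an added example that is not part of the original guide and not FTOS code: it parses the output from both peers and reports anything that would keep the VLTi down or that the table calls a misconfiguration. The two outputs below are constructed to follow the field layout of show vlt brief; the MAC addresses, domain ID and timer values are made up.

```python
"""Check VLT domain health from `show vlt brief` output of both peers.
Added example, not FTOS code. The two outputs below are constructed to
follow the field layout of show vlt brief in this chapter; MACs, domain ID
and timer values are made up."""
import re
from typing import Dict, List

PEER1_BRIEF = """\
VLT Domain Brief
------------------
Domain ID:                      1000
Role:                           Primary
Role Priority:                  32768
ICL Link Status:                Up
HeartBeat Status:               Up
VLT Peer Status:                Up
Local Unit Id:                  0
Version:                        5(1)
Local System MAC address:       00:01:e8:8a:e7:e7
Remote System MAC address:      00:01:e8:8a:e9:70
Configured System MAC address:  00:0a:0a:01:01:0a
Remote system version:          5(1)
Delay-Restore timer:            90 seconds
"""

PEER2_BRIEF = """\
VLT Domain Brief
------------------
Domain ID:                      1000
Role:                           Secondary
Role Priority:                  32768
ICL Link Status:                Up
HeartBeat Status:               Up
VLT Peer Status:                Up
Local Unit Id:                  1
Version:                        5(1)
Local System MAC address:       00:01:e8:8a:e9:70
Remote System MAC address:      00:01:e8:8a:e7:e7
Configured System MAC address:  00:0a:0a:01:01:0a
Remote system version:          5(1)
Delay-Restore timer:            90 seconds
"""

# "Label:   value" lines. The label ends at the first colon followed by
# whitespace, so MAC addresses (colons with no following space) stay whole.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s+(\S.*?)\s*$")


def parse_vlt_brief(text: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def check_vlt_domain(p1: Dict[str, str], p2: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the domain looks healthy."""
    problems: List[str] = []
    # "Verify VLT is up": VLTi (ICL), heartbeat over the backup link, peer status.
    for name, f in (("peer1", p1), ("peer2", p2)):
        for key in ("ICL Link Status", "HeartBeat Status", "VLT Peer Status"):
            if f.get(key) != "Up":
                problems.append(f"{name}: {key} is {f.get(key)!r}, expected Up")
    if p1.get("Domain ID") != p2.get("Domain ID"):
        problems.append("Domain ID differs between peers")
    # Exactly one primary and one secondary.
    if {p1.get("Role"), p2.get("Role")} != {"Primary", "Secondary"}:
        problems.append("roles must be one Primary and one Secondary")
    # Unit ID mismatch (troubleshooting table): IDs must be sequential, 0 and 1.
    if {p1.get("Local Unit Id"), p2.get("Local Unit Id")} != {"0", "1"}:
        problems.append("unit IDs must be 0 and 1 (sequential) on the two peers")
    # The VLTi comes up only when the VLT system MAC matches on both peers.
    if p1.get("Configured System MAC address") != p2.get("Configured System MAC address"):
        problems.append("Configured System MAC address differs between peers")
    # Each peer's local system MAC should appear as the other's remote system MAC.
    if (p1.get("Local System MAC address") != p2.get("Remote System MAC address")
            or p2.get("Local System MAC address") != p1.get("Remote System MAC address")):
        problems.append("local/remote system MAC addresses are not mirrored between peers")
    if p1.get("Version") != p2.get("Version"):
        problems.append("VLT version differs between peers")
    return problems


def vlt_is_healthy(brief1: str, brief2: str) -> bool:
    return not check_vlt_domain(parse_vlt_brief(brief1), parse_vlt_brief(brief2))


if __name__ == "__main__":
    found = check_vlt_domain(parse_vlt_brief(PEER1_BRIEF), parse_vlt_brief(PEER2_BRIEF))
    for line in found or ["VLT domain healthy"]:
        print(line)
```

Feed it the captured output of show vlt brief from each peer; a non-empty result lists the field that contradicts the conditions this chapter gives, so the operator knows which peer and which setting to look at before touching the VLTi.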
50 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is supported on the Z9000 platform.
VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next-hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next-hop IP address.
Figure 114. Basic VRRP Configuration
VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and do not depend on interior gateway protocols (IGPs) converging or updating routing tables.
VRRP Implementation
Within a single VRRP group, up to 12 virtual IP addresses are supported.
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time. Table 52.
• Delete a VRRP group.
  INTERFACE mode
  no vrrp-group vrid
Example of Configuring VRRP
FTOS(conf)#int gi 1/1
FTOS(conf-if-gi-1/1)#vrrp-group 111
FTOS(conf-if-gi-1/1-vrid-111)#
Example of Verifying the VRRP Configuration
FTOS(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.1/24
 !
 vrrp-group 111
 no shutdown
FTOS(conf-if-gi-1/1)#
Assign Virtual IP Addresses
Virtual routers contain virtual IP addresses configured for that VRRP group (VRID).
  virtual-address ip-address1 [...ip-address12]
  The range is up to 12 addresses.
Example of the virtual-address Command
FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1
FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2
FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.3
FTOS(conf-if-gi-1/1-vrid-111)#
Example of Verifying the Virtual IP Address Configuration
NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
If two routers in a VRRP group come up at the same time and have the same priority value, the interfaces' physical IP addresses are used as the tie-breaker to decide which is MASTER. The router with the higher IP address becomes MASTER.
To configure the VRRP group's priority, use the following command.
• Configure the priority for the VRRP group.
  INTERFACE-VRID mode
  priority priority
  The range is from 1 to 255. The default is 100.
  – password: plain text.
Example of the authentication-type Command
In the following example, 7 is the encryption type (encrypted) and force10 is the password.
FTOS(conf-if-gi-1/1-vrid-111)#authentication-type ?
FTOS(conf-if-gi-1/1-vrid-111)#authentication-type simple 7 force10
Example of Verifying the Configuration of VRRP Authentication
The encrypted form of the password appears in the stored configuration.
FTOS(conf-if-gi-1/1)#show conf
!
 vrrp-group 111
  authentication-type simple 7 387a7f2df5969da4
  priority 255
  virtual-address 10.10.10.
NOTE: Type 7 encryption hides the password only in the stored and displayed configuration. Simple text authentication (RFC 2338 authentication type 1) carries the password in cleartext in every VRRP advertisement, so the router must be able to recover it and the type 7 form is reversible. Simple authentication guards against accidental misconfiguration of a group; it does not protect against an attacker who can capture or inject packets on the segment.
Changing the Advertisement Interval By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
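The election and timer rules in the preceding paragraphs, as an added example that is not part of the original guide and not FTOS code: a small Python model of how the MASTER is chosen (highest priority, then the higher physical IP address on a tie, and a running MASTER is not displaced by an equal-priority router), how the master-down interval follows from the advertisement interval and the three missed advertisements stated above, and how the virtual MAC shown in the show vrrp output later in this chapter derives from the VRID. The skew-time term in the master-down interval comes from RFC 2338, not from this guide, and is marked as such in the code; the router names and addresses are constructed.

```python
"""Model of VRRP master election and timers as described in this chapter.
Added example, not FTOS code; routers and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional

VRRP_DEFAULT_PRIORITY = 100      # FTOS default; valid range is 1-255
VRRP_DEFAULT_ADV_INTERVAL = 1    # seconds, FTOS default
MISSED_ADVERTISEMENTS = 3        # the guide: three missed advertisements start an election


@dataclass
class VrrpRouter:
    name: str
    ip: str            # physical interface address, used as the tie-breaker
    priority: int = VRRP_DEFAULT_PRIORITY

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority {self.priority} outside 1-255")


def elect_master(routers: List[VrrpRouter],
                 current_master: Optional[VrrpRouter] = None,
                 preempt: bool = True) -> VrrpRouter:
    """Return the router that holds MASTER after an election.

    Highest priority wins; on a tie the higher physical IP address wins
    (the rule this chapter gives). A router already in MASTER state keeps
    the role unless a BACKUP has strictly higher priority and preemption
    is on, which is what the IPv6 note in this chapter describes for
    equal priorities.
    """
    if not routers:
        raise ValueError("no routers in VRRP group")
    best = max(routers, key=lambda r: (r.priority, int(ip_address(r.ip))))
    if current_master is None or current_master not in routers:
        return best
    if preempt and best.priority > current_master.priority:
        return best
    return current_master


def master_down_interval(priority: int,
                         adv_interval: int = VRRP_DEFAULT_ADV_INTERVAL) -> float:
    """Seconds a BACKUP waits before declaring the MASTER dead.

    The guide states three missed advertisements; RFC 2338 adds a skew
    time of (256 - priority) / 256 s so higher-priority backups react
    first. The skew term is taken from the RFC, not from this guide.
    """
    skew = (256 - priority) / 256.0
    return MISSED_ADVERTISEMENTS * adv_interval + skew


def virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual MAC for a VRID: 00:00:5e:00:01:<vrid> for IPv4 and
    00:00:5e:00:02:<vrid> for IPv6. The IPv4 form matches the show vrrp
    output in this chapter (VRID 99 -> 00:00:5e:00:01:63)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00:00:5e:00:{2 if ipv6 else 1:02x}:{vrid:02x}"


if __name__ == "__main__":
    r2 = VrrpRouter("R2", "10.1.1.1", priority=200)
    r3 = VrrpRouter("R3", "10.1.1.2")
    print("master:", elect_master([r2, r3]).name)
    print("master-down interval for R3: %.3f s" % master_down_interval(r3.priority))
    print("virtual MAC for VRID 99:", virtual_mac(99))
```

The CAUTION above about longer advertisement intervals is visible directly in master_down_interval: every second added to adv_interval adds three seconds of blackholed traffic before a BACKUP takes over.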
• 10 Gigabit Ethernet: enter tengigabitethernet slot/port.
• Port channel: enter port-channel number.
• SONET: enter sonet slot/port.
• VLAN: enter vlan vlan-id.
  – The valid VLAN IDs are from 1 to 4094.
For a virtual group, you can also track the status of a configured object (the track object-id command) by entering its object number.
  priority 255
  track GigabitEthernet 1/2
  virtual-address 10.10.10.1
  virtual-address 10.10.10.2
  virtual-address 10.10.10.3
  virtual-address 10.10.10.
Setting VRRP Initialization Delay
VRRP initialization delay is supported on the Z9000 platform.
When VRRP is configured, it is enabled immediately upon system reload or boot. You can delay VRRP initialization so that the IGP and EGP protocols are enabled before the VRRP MASTER is selected; this ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally. Set the delay timer on individual interfaces.
Figure 115. VRRP for IPv4 Topology
Example of Configuring VRRP for IPv4
Router 2
R2(conf)#int gi 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.1/24
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#priority 200
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.1/24
 !
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
 no shutdown
R2(conf-if-gi-2/31)#end
R2#show vrrp
------------------
GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#
Router 3
R3(conf)#int gi 3/21
R3(conf-if-gi-3/21)#ip address 10.1.1.
Figure 116. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority while another router already holds MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
Example of Configuring VRRP for IPv6
Router 2 and Router 3
Configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-gi-0/0)#no ip address
R2(conf-if-gi-0/0)#ipv6 address 1::1/64
R2(conf-if-gi-0/0)#vrrp-group 10
R2(conf-if-gi-0/0-vrid-10)#virtual-address fe80::10
R2(conf-if-gi-0/0-vrid-10)#virtual-address 1::10
R2(conf-if-gi-0/0-vrid-10)#no shutdown
R2(conf-if-gi-0/0)#show config
interface GigabitEthernet 0/0
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-gi-0/0)#end
R2#show vrrp
------------------
GigabitEthernet 0/0, IPv6 VRID: 10, Version:
VRRP in a VRF Configuration The following example shows how to enable VRRP operation in a VRF virtualized network for the following scenarios. • Multiple VRFs on physical interfaces running VRRP. • Multiple VRFs on VLAN interfaces running VRRP. To view a VRRP in a VRF configuration, use the show commands described in Displaying VRRP in a VRF Configuration. VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN.
Figure 117. VRRP in a VRF: Non-VLAN Example
Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN)
Switch-1
S1(conf)#ip vrf default-vrf 0
!
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface GigabitEthernet 12/1
S1(conf-if-gi-12/1)#ip vrf forwarding VRF-1
S1(conf-if-gi-12/1)#ip address 10.10.1.5/24
S1(conf-if-gi-12/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
!
S1(conf)#interface GigabitEthernet 12/3
S1(conf-if-gi-12/3)#ip vrf forwarding VRF-3
S1(conf-if-gi-12/3)#ip address 20.1.1.5/24
S1(conf-if-gi-12/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-gi-12/3-vrid-105)#priority 255
S1(conf-if-gi-12/3-vrid-105)#virtual-address 20.1.1.
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface GigabitEthernet 12/4
S1(conf-if-gi-12/4)#no ip address
S1(conf-if-gi-12/4)#switchport
S1(conf-if-gi-12/4)#no shutdown
!
S1(conf-if-gi-12/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.5/24
S1(conf-if-vl-100)#tagged gigabitethernet 12/4
S1(conf-if-vl-100)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S2(conf-if-gi-12/4)#interface vlan 200
S2(conf-if-vl-200)#ip vrf forwarding VRF-2
S2(conf-if-vl-200)#ip address 10.10.1.2/24
S2(conf-if-vl-200)#tagged gigabitethernet 12/4
S2(conf-if-vl-200)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S2(conf-if-vl-200-vrid-101)#priority 255
S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.
51 Z-Series Debugging and Diagnostics
This chapter describes debugging and diagnostics for the Z-Series platform.
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, they verify the identification registers of the components on the board.
3. Start diagnostics on the unit.
   diag
   When the tests are complete, the system displays the syslog Message 1 shown and automatically reboots the unit.
   FTOS#00:20:26 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt
   FTOS#00:20:31: %Z9000:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 0
   Diags completed... Rebooting the system now!!!
   Diagnostic results are printed to a file in the flash using the filename format TestReport-SU-.txt.
4.
0 2 up 0 3 up Speed in RPM FTOS# up up 16000 up 16000 up 16000 16000
Running Offline Diagnostics on a Z-Series Standalone Unit
As shown in the following output example, log messages differ somewhat when diagnostics are run on a standalone unit.
diagS3240PsuVoltageReadTest[188]: ERROR: Getting PSU -1 power status failed..
Test 2.001 - Psu voltage read test .................................. FAIL
Test 2 - Psu Voltage Read Test ..................................... FAIL
+ TEST - 3 PSU [0] Temperature ---> 45 Degree Celcius
Test 3.000 - Psu temperature read test .............................. PASS
diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present...
diagS3240PsuTemperatureTest[258]: ERROR: Getting PSU -1 power status failed..
Test 3.
Stack-unit Member 3: Not present.
Stack-unit Member 4: Not present.
Stack-unit Member 5: Not present.
Stack-unit Member 6: Not present.
Stack-unit Member 7: Not present.
-------------------------------------------------------------------
Example of the show diag stack-unit Command
FTOS#show diag stackunit 0
Diag status of Stackunit member 0:
-------------------------------------------------------------------
Stackunit is currently offline.
Stackunit level2 diag issued at Thu Apr 09, 2009 02:40:13 PM.
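The per-test lines of the diagnostics report shown above (Test n.nnn ... PASS/FAIL preceded by ERROR lines from the diag code) are easy to misread on a long report, so here is a parser for that format as an added example, not part of the original guide and not FTOS code. It pairs each verdict with the ERROR lines logged just before it, counts passes and failures, and separates failures explained by an absent second PSU (the case in the output above) from anything else worth escalating. The report text is constructed to follow the line formats in this chapter; the voltage figure on the first line and the test-3 verdict lines are made up.

```python
"""Summarise an offline diagnostics report (flash:/TestReport-SU-<unit>.txt).
Added example, not FTOS code. The report below is constructed to follow the
line formats shown in this chapter; values not on the page are made up."""
import re
from typing import Dict, List, Tuple

DIAG_REPORT = """\
+ TEST - 2 PSU [0] Voltage ---> 12.0 V
Test 2.000 - Psu voltage read test .................................. PASS
diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present...
diagS3240PsuVoltageReadTest[188]: ERROR: Getting PSU -1 power status failed..
Test 2.001 - Psu voltage read test .................................. FAIL
Test 2 - Psu Voltage Read Test ..................................... FAIL
+ TEST - 3 PSU [0] Temperature ---> 45 Degree Celcius
Test 3.000 - Psu temperature read test .............................. PASS
diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present...
diagS3240PsuTemperatureTest[258]: ERROR: Getting PSU -1 power status failed..
Test 3.001 - Psu temperature read test .............................. FAIL
Test 3 - Psu Temperature Read Test ................................. FAIL
"""

# "Test 2.001 - Psu voltage read test ....... FAIL"  (sub-test or top-level test)
RESULT_RE = re.compile(r"^Test\s+(\d+(?:\.\d+)?)\s+-\s+(.+?)\s+\.{2,}\s+(PASS|FAIL)\s*$")
# "diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present..."
ERROR_RE = re.compile(r"^(\w+)\[\d+\]:\s+ERROR:\s+(.*?)\s*$")


def parse_diag_report(text: str) -> List[Dict[str, object]]:
    """One record per verdict line: id, name, status, and the ERROR lines
    printed since the previous verdict (the diag code logs the error first,
    then the FAIL line for the sub-test)."""
    records: List[Dict[str, object]] = []
    pending_errors: List[str] = []
    for line in text.splitlines():
        err = ERROR_RE.match(line)
        if err:
            pending_errors.append(f"{err.group(1)}: {err.group(2)}")
            continue
        res = RESULT_RE.match(line)
        if res:
            records.append({"id": res.group(1), "name": res.group(2),
                            "status": res.group(3), "errors": pending_errors})
            pending_errors = []
    return records


def failed_tests(text: str) -> List[str]:
    return [str(r["id"]) for r in parse_diag_report(text) if r["status"] == "FAIL"]


def summarize(text: str) -> Tuple[int, int]:
    """(passed, failed) over all verdict lines, sub-tests and top-level alike."""
    recs = parse_diag_report(text)
    failed = sum(1 for r in recs if r["status"] == "FAIL")
    return len(recs) - failed, failed


def unexplained_failures(text: str) -> List[str]:
    """IDs of failed top-level tests whose sub-test errors never mention a
    missing PSU. A second supply that is 'not present' is expected on a
    chassis with one PSU fitted; anything else should be escalated."""
    errors_by_top: Dict[str, List[str]] = {}
    failed_top: List[str] = []
    for r in parse_diag_report(text):
        top = str(r["id"]).split(".")[0]
        errors_by_top.setdefault(top, []).extend(r["errors"])  # type: ignore[arg-type]
        if r["status"] == "FAIL" and "." not in str(r["id"]):
            failed_top.append(top)
    return [t for t in failed_top
            if not any("not present" in e for e in errors_by_top.get(t, []))]


if __name__ == "__main__":
    passed, failed = summarize(DIAG_REPORT)
    print(f"passed={passed} failed={failed} failed ids={failed_tests(DIAG_REPORT)}")
    print("unexplained top-level failures:", unexplained_failures(DIAG_REPORT))
```

Run it against the file copied off flash after the reboot; an empty unexplained list with a non-zero failure count is the signature of a single-PSU chassis, while any ID in that list points at a test whose error text you still need to read.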
Line Card Restart Causes and Reasons
Causes | Displayed Reasons
Remote power cycle of the chassis | push-button reset
reload | soft reset
reboot after a crash | soft reset
Hardware Watchdog Timer
The hardware watchdog command automatically reboots an FTOS switch/router when a unit is unresponsive. This is a last-resort mechanism intended to prevent a manual power cycle.
show hardware Commands
These commands display information from a hardware subcomponent and from hardware-based feature tables.
• Execute a specified bShell command from the CLI without going into the bShell.
  show hardware stack-unit {0-11} unit {0-1} execute-shell-cmd {command}
• View the multicast IPMC replication table from the bShell.
  show hardware stack-unit {0-11} unit {0-1} ipmc-replication
• View the internal statistics for each port-pipe (unit) on a per-port basis.
  show hardware stack-unit {0-11} unit {0-1} port-stats [detail]
• View the stack-unit internal registers for each port-pipe.
Internal Unit Port Number | User Ports 0 to 31 on Unit 0 | User Ports 32 to 63 on Unit 1 | User Ports 64 to 95 on Unit 2 | User Ports 96 to 127 on Unit 3 | Unit 4 (no user ports) | Unit 5 (no user ports)
21 | 20 | 52 | 84 | 116 | Internal | Internal
22 | 21 | 53 | 85 | 117 | Internal | Internal
23 | 22 | 54 | 86 | 118 | Internal | Internal
24 | 23 | 55 | 87 | 119 | Internal | Internal
25 | 24 | 56 | 88 | 120 | Internal | Internal
26 | 25 | 57 | 89 | 121 | Internal | Internal
27 | 26 | 58 | 90 | 122 | Internal | Internal
28
Recognize an Over-Temperature Condition
An over-temperature condition occurs for one of two reasons: the card genuinely is too hot, or a sensor has malfunctioned. To discover the cause, inspect the cards near the one reporting the condition.
• If directly adjacent cards are not at normal temperature, suspect a genuine overheating condition.
• If directly adjacent cards are at normal temperature, suspect a faulty sensor.
When the system detects a genuine over-temperature condition, it powers off the card.
Troubleshoot an Under-Voltage Condition To troubleshoot an under-voltage condition, check that the correct number of power supplies are installed and their Status LEDs are lit. The simple network management protocol (SNMP) traps and object identifiers (OIDs) shown in the following table provide information on environmental monitoring hardware and hardware components. Table 54.
1. CSF — Output queues going from the CSF. 2. FP Uplink — Output queues going from the FP to the CSF IDP links. 3. Front-End Link — Output queues going from the FP to the front-end PHY. All ports support eight queues — four for data traffic and four for control traffic. All eight queues are tunable. Physical memory is organized into cells of 128 bytes. The cells are organized into two buffer pools — dedicated buffer and dynamic buffer.
Buffer Tuning Points Decide to Tune Buffers Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces). In this case: • Reduce the dedicated buffer on all queues/interfaces. • Increase the dynamic buffer on all interfaces.
• Define a buffer profile for the CSF queues.
  CONFIGURATION mode
  buffer-profile csf csqueue
• Change the dedicated buffers on a physical 1G interface.
  BUFFER PROFILE mode
  buffer dedicated
• Change the maximum number of dynamic buffers an interface can request.
  BUFFER PROFILE mode
  buffer dynamic
• Change the number of packet-pointers per queue.
  BUFFER PROFILE mode
  buffer packet-pointers
• Apply the buffer profile to a line card.
Dynamic buffer 194.88 (Kilobytes)
Queue#  Dedicated Buffer (Kilobytes)  Buffer Packets
0       2.50                          256
1       2.50                          256
2       2.50                          256
3       2.50                          256
4       9.38                          256
5       9.38                          256
6       9.38                          256
7       9.38                          256
Displaying Buffer Profile Allocations
FTOS#show running-config interface tengigabitethernet 2/0
!
interface TenGigabitEthernet 2/0
 no ip address
 mtu 9252
 switchport
 no shutdown
 buffer-policy myfsbufferprofile
FTOS#show buffer-profile detail int gi 0/10
Interface Gi 0/10
Buffer-profile fsqueue-fp
Dynamic buffer 1256.
!
buffer-profile fp fsqueue-hig
 buffer dedicated queue0 3 queue1 3 queue2 3 queue3 3 queue4 3 queue5 3 queue6 3 queue7 3
 buffer dynamic 1256
!
buffer fp-uplink stack-unit 0 port-set 0 buffer-policy fsqueue-hig
buffer fp-uplink stack-unit 0 port-set 1 buffer-policy fsqueue-hig
!
Interface range gi 0/1 - 48
 buffer-policy fsqueue-fp
FTOS#sho run int gi 0/10
!
interface GigabitEthernet 0/10
 no ip address
 switchport
 no shutdown
 buffer-policy fsqueue-fp
FTOS#
Troubleshooting Packet Loss
The show hardware stack-
Total Mmu Drops     :0
Total EgMac Drops   :0
Total Egress Drops  :0
UNIT No: 1
Total Ingress Drops :0
Total IngMac Drops  :0
Total Mmu Drops     :0
Total EgMac Drops   :0
Total Egress Drops  :0
FTOS#show hardware stack-unit 0 drops unit 0
Port#  :Ingress Drops  :IngMac Drops  :Total Mmu Drops  :EgMac Drops  :Egress Drops
1      0               0              0                0             0
2      0               0              0                0             0
3      0               0              0                0             0
4      0               0              0                0             0
5      0               0              0                0             0
6      0               0              0                0             0
7      0               0              0                0             0
8      0               0              0                0             0
Displaying Drop Counters
Z9000-B4#show hardware stack-unit
UserPort  PortNumber  Ingress Drops  Egress Drops
64        1           0
dropped          :0
recvToNet        :0
rxError          :0
rxDatapathErr    :0
rxPkt(COS0)      :0
rxPkt(COS1)      :0
rxPkt(COS2)      :0
rxPkt(COS3)      :0
rxPkt(COS4)      :0
rxPkt(COS5)      :0
rxPkt(UNIT0)     :0
rxPkt(UNIT1)     :0
rxPkt(UNIT2)     :0
rxPkt(UNIT3)     :0
transmitted      :0
txRequested      :0
noTxDesc         :0
txError          :0
txReqTooLarge    :0
txInternalError  :0
txDatapathErr    :0
txPkt(COS0)      :0
txPkt(COS1)      :0
txPkt(COS2)      :0
txPkt(COS3)      :0
txPkt(COS4)      :0
txPkt(COS5)      :0
txPkt(UNIT0)     :0
txPkt(UNIT1)     :0
txPkt(UNIT2)     :0
txPkt(UNIT3)     :0
Displaying Party Bus Statistics
FTOS#sh hard
GRBCA.ge0    :      12  +9
GT64.ge0     :       4  +3
GT127.ge0    :     964  +964
GT255.ge0    :       4  +4
GT511.ge0    :       1  +1
GTPKT.ge0    :     973  +972
GTBCA.ge0    :       1  +1
GTBYT.ge0    :  71,531  +71,467
RUC.cpu0     :     972  +971
TDBGC6.cpu0  :   1,584  +1,449=
Enabling Application Core Dumps
Application core dumps are disabled by default. A core dump file can be very large. Core dumps are stored in the local flash. To enable core dumps, use the following command.
• Enable RPM core dumps and specify the shutdown mode.
---------------------------FREE MEMORY---------------
uvmexp.free = 0x2312
Enabling TCP Dumps
TCP dump captures CPU-bound control-plane traffic to improve troubleshooting and system manageability. When you enable TCP dumps, a dump captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, or to an FTP, SCP, or TFTP server. The files saved on the flash are located in the flash://TCP_DUMP_DIR/Tcpdump_/ directory and are labeled tcpdump_*.pcap.
Standards Compliance 52 This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking operating system (FTOS), FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
FTOS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard.
General Internet Protocols
The following table lists the FTOS support per platform for general internet protocols.
Table 55. General Internet Protocols
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
768 | User Datagram Protocol | 7.6.1 | 7.5.1 | √ | 8.1.
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
2615 | PPP over SONET/SDH | | | √ |
2698 | A Two Rate Three Color Marker | | | √ | 8.1.1
3164 | The BSD syslog Protocol | 7.6.1 | 7.5.1 | √ | 8.1.1
draft-ietf-bfd-base-03 | Bidirectional Forwarding Detection | 7.6.1 | | √ | 8.1.1
General IPv4 Protocols
The following table lists the FTOS support per platform for general IPv4 protocols.
Table 56.
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
(continued) | ...Assignment and Aggregation Strategy | | | |
1542 | Clarifications and Extensions for the Bootstrap Protocol | 7.6.1 | 7.5.1 | √ | 8.1.1
1812 | Requirements for IP Version 4 Routers | 7.6.1 | 7.5.1 | √ | 8.1.1
2131 | Dynamic Host Configuration Protocol | 7.6.1 | 7.5.1 | √ | 8.1.1
2338 | Virtual Router Redundancy Protocol (VRRP) | 7.6.1 | 7.5.1 | √ | 8.1.1
3021 | Using 31-Bit Prefixes on IPv4 Point-to-Point Links | 7.7.1 | 7.5.1 | 7.7.1 | 8.1.
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
2464 | Transmission of IPv6 Packets over Ethernet Networks | 7.8.1 | 7.8.1 | √ | 8.2.1
2675 | IPv6 Jumbograms | 7.8.1 | 7.8.1 | √ | 8.2.1
2711 | IPv6 Router Alert Option | 8.3.12.0 | | |
3587 | IPv6 Global Unicast Address Format | 7.8.1 | 7.8.1 | √ | 8.2.1
4007 | IPv6 Scoped Address Architecture | 8.3.12.0 | | |
4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | 7.8.1 | 7.8.1 | √ | 8.2.
RFC# | Full Name | S-Series/Z-Series
2842 | Capabilities Advertisement with BGP-4 | 7.8.1
2858 | Multiprotocol Extensions for BGP-4 | 7.8.1
2918 | Route Refresh Capability for BGP-4 | 7.8.1
3065 | Autonomous System Confederations for BGP | 7.8.1
4360 | BGP Extended Communities Attribute | 7.8.1
4893 | BGP Support for Four-octet AS Number Space | 7.8.1
5396 | Textual Representation of Autonomous System (AS) Numbers | 8.1.2
draft-ietf-idr-bgp4-20 | A Border Gateway Protocol 4 (BGP-4) | 7.8.
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
(continued) | ...Protocol (ISO DP 10589) | | | |
1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments | | | √ | 8.1.1
2763 | Dynamic Hostname Exchange Mechanism for IS-IS | | | √ | 8.1.1
2966 | Domain-wide Prefix Distribution with Two-Level IS-IS | | | √ | 8.1.1
3373 | Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Point-to-Point Adjacencies | | | √ | 8.2.1
3567 | IS-IS Cryptographic Authentication | | | √ | 8.1.
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
draft-kaplan-isis-ext-eth-02 | Extended Ethernet Frame Size Support | | | √ | 8.1.1
Routing Information Protocol (RIP)
The following table lists the FTOS support per platform for the RIP protocol.
Table 61. Routing Information Protocol (RIP)
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
1058 | Routing Information Protocol | 7.8.1 | 7.6.1 | √ | 8.1.1
2453 | RIP Version 2 | 7.8.1 | 7.6.1 | √ | 8.1.1
4191 | Default Router | 8.
RFC# | Full Name | S-Series | C-Series | E-Series TeraScale | E-Series ExaScale
3810 | Multicast Listener Discovery Version 2 (MLDv2) for IPv6 | | | √ | 8.2.1
3973 | Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised) | | | √ |
4541 | Considerations for | 7.6.1 (IGMPv1/v2) | 7.6.1 (IGMPv1/v2) | √ | IGMPv1/v2/v3, 8.2.
RFC# | Full Name | S4810
(continued) | ...dot1dTpLearnedEntryDiscards object] |
1724 | RIP Version 2 MIB Extension |
1850 | OSPF Version 2 Management Information Base | 7.6.1
1901 | Introduction to Community-based SNMPv2 |
2011 | SNMPv2 Management Information Base for the Internet Protocol using SMIv2 | 7.6.1
2012 | SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 |
2013 | SNMPv2 Management | 7.6.
RFC# | Full Name | S4810
2574 | User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) | 7.6.1
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1
2576 | Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework |
2578 | Structure of Management Information Version 2 (SMIv2) | 7.6.1
2579 | Textual Conventions for SMIv2 | 7.6.1
2580 | Conformance Statements for SMIv2 | 7.6.
RFC# | Full Name | S4810
(continued) | ...Table, Ethernet History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table |
2863 | The Interfaces Group MIB |
2865 | Remote Authentication Dial In User Service (RADIUS) | 7.6.1
3273 | Remote Network Monitoring Management Information Base for High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History High-Capacity Table | 7.6.1
3416 | Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) | 7.6.
RFC# | Full Name | S4810 | S4820T | Z9000
(continued) | ...Endpoint Discovery information | 9.2(0.0) 9.2(0.0)
draft-grant-tacacs-02 | The TACACS+ Protocol | 7.6.1 | |
draft-ietf-idr-bgp4-mib-06 | Definitions of Managed | 7.8.
RFC# | Full Name | S4810 | S4820T | Z9000
(continued) | ...Multiple Spanning Tree Protocol | 9.2.(0.0) 9.2.(0.0)
sFlow.org | sFlow Version 5 | 7.7.1 | |
sFlow.org | sFlow Version 5 MIB | 7.7.1 | |
FORCE10-BGP4-V2-MIB | Force10 BGP MIB (draft-ietf-idr-bgp4-mibv2-05) | 7.8.1 | |
f10-bmp-mib | Force10 Bare Metal Provisioning MIB | 9.2(0.0) | |
FORCE10-FIB-MIB | Force10 CIDR Multipath Routes MIB (The IP Forwarding Table provides information that you can use to determine the egress port of an IP packet and troubleshoot an IP reachability issue.
RFC# | Full Name | S4810 | S4820T | Z9000
FORCE10-SMI | Force10 Structure of Management Information | 7.6.1 | |
FORCE10-SYSTEM-COMPONENT-MIB | Force10 System Component MIB (enables the user to view CAM usage information) | 7.6.1 | |
FORCE10-TC-MIB | Force10 Textual Convention | 7.6.1 | |
FORCE10-TRAP-ALARM-MIB | Force10 Trap Alarm MIB | 7.6.1 | |
MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.