FTOS Configuration Guide for the Z9000 System FTOS 9.1(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. Information in this publication is subject to change without notice. © 2013 Dell Force10. All rights reserved.
| 3
| www.dell.com | support.dell.
1 About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com Log Messages in the Internal Buffer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Configuration Task List for System Log Management . . . . . . . . . . . . . . . . . . . . . . . .52 Disable System Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52 Send System Messages to a Syslog Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6 Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 IP Access Control Lists (ACLs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86 CAM Profiling, CAM Allocation, and CAM Optimization . . . . . . . . . . . . . . . . . . . . . .86 Implementing ACLs on FTOS . . . . . . . . .
www.dell.com | support.dell.com 8 Border Gateway Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 Autonomous Systems (AS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 Sessions and Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Domain Name Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .239 Reload Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239 BMP Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 Normal Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .241 DHCP Configuration .
www.dell.com | support.dell.com CAM Profile Mismatches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .272 QoS CAM Region Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273 11 Control Plane Policing (CoPP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure the System to be a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312 Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313 Configure the Server for Automatic Address Allocation . . . . . . . . . . . . . . . . . . . . . .313 Specify a Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314 Enable DHCP Server . . . . . . . . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com FRRP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .343 Troubleshooting FRRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348 Configuration Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .348 Sample Configuration and Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
View Basic Interface Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .370 Enable a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .372 Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373 Configuration Task List for Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . .373 Overview of Layer Modes . . . . . .
www.dell.com | support.dell.com 20 IPv4 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417 Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .418 Configuration Task List for IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Adjust your CAM-Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .452 Assign an IPv6 Address to an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453 Assign a Static IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .454 Telnet with IPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .456 SNMP over IPv6 . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com Changing the IS-IS Metric Style in One Level Only . . . . . . . . . . . . . . . . . . . . . . . .508 Leaking from One Level to Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .510 Sample Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511 24 Layer 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545 LLDP Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .545 CONFIGURATION versus INTERFACE Configurations . . . . . . . . . . . . . . . . . . . . . . . .545 Enabling LLDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546 Disabling and Undoing LLDP . . . . . . . . . .
www.dell.com | support.dell.com Configure Multiple Spanning Tree Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .588 Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .588 Enable Multiple Spanning Tree Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .589 Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuration Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .628 Configuration Task List for OSPFv2 (OSPF for IPv4) . . . . . . . . . . . . . . . . . . . . . . . . . .629 Enable OSPFv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .629 Enable Multi-Process OSPF (OSPFv2, IPv4 only) . . . . . . . . . . . . . . . . . . . . . . . . .631 Assign an OSPFv2 area . . . . . . . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com Override Bootstrap Router Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675 Configure a Designated Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .675 Create Multicast Boundaries and Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .676 PIM-SM Graceful Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .676 Monitoring PIM . .
PVST+ Sample Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .713 35 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 717 Implementation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .719 Port-based QoS Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com Enable Rapid Spanning Tree Protocol Globally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .768 Add and Remove Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .771 Modify Global Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .771 Modify Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configure VLAN Stacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .818 Create Access and Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .819 Enable VLAN-Stacking for a VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .819 Configure the Protocol Type Value for the Outer VLAN Tag . . . . . . . . . . . . . . . . . .820 FTOS Options for Trunk Ports . . . . . . . . . . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com Configure Simple Network Management Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . .849 Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .850 Important Points to Remember . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .850 Create a Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
46 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885 46 System Time and Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885 Network Time Protocol (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .885 Protocol Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
www.dell.com | support.dell.com RSTP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .924 VLT Configuration Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .925 Verifying a VLT Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .939 Sample Configuration: Virtual Link Trunking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1 About this Guide Objectives This guide describes the protocols and features supported by the Force10 Operating System (FTOS) and provides configuration instructions and examples for implementing them. It supports the system platforms E-Series, C-Series, S-Series, and Z-Series. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Force10 systems.
www.dell.com | support.dell.com Conventions This document uses the following conventions to describe command syntax: Convention Description keyword Keywords are in bold and should be entered in the CLI as listed. parameter Parameters are in italics and require a number or word to be entered in the CLI. {X} Keywords and parameters within braces must be entered in the CLI. [X] Keywords and parameters within brackets are optional.
2 Configuration Fundamentals The FTOS Command Line Interface (CLI) is a text-based interface through which you can configure interfaces and protocols. The CLI is largely the same for the E-Series, C-Series, and S-Series with the exception of some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
www.dell.com | support.dell.com CLI Modes Different sets of commands are available in each mode. A command found in one mode cannot be executed from another mode (with the exception of EXEC mode commands preceded by the command do; see The do Command on page 30). You can set user access rights to commands and command modes using privilege levels; for more information on privilege levels and security options, refer to Chapter 9, Security, on page 627.
Figure 2-2.
Prompt Access Command EXEC FTOS> Access the router through the console or Telnet. EXEC Privilege FTOS# • • From EXEC mode, enter the command enable. From any other mode, use the command end. CONFIGURATION FTOS(conf)# • From EXEC privilege mode, enter the command configure. From every mode except EXEC and EXEC Privilege, enter the command exit. • Note: Access all of the following modes from CONFIGURATION mode. IP ACCESS-LIST LINE 28 FTOS Command Modes CLI Command Mode INTERFACE modes www.
Table 2-1. FTOS Command Modes (continued) Prompt Access Command STANDARD ACCESSLIST FTOS(config-std-macl)# mac access-list standard EXTENDED ACCESSLIST FTOS(config-ext-macl)# mac access-list extended MULTIPLE SPANNING TREE FTOS(config-mstp)# protocol spanning-tree mstp OPENFLOW FTOS(conf-of-instance of-id)# openflow of-instance of-id of-id represents the OpenFlow instance ID.
www.dell.com | support.dell.com The do Command Enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, etc.) without returning to EXEC mode by preceding the EXEC mode command with the command do. Figure 2-4 illustrates the do command. Note: The following commands cannot be modified by the do command: enable, disable, exit, and configure. Figure 2-4.
Obtaining Help Obtain a list of keywords and a brief functional description of those keywords at any CLI mode using the ? or help command: • Enter ? at the prompt or after a keyword to list the keywords available in the current mode. • ? after a prompt lists all of the available keywords. The output of this command is the same for the help command. Figure 2-6.
www.dell.com | support.dell.com • • • Table 2-2. The UP and DOWN arrow keys display previously entered commands (see Command History). The BACKSPACE and DELETE keys erase the previous letter. Key combinations are available to move quickly across the command line, as described in Table 2-2. Short-Cut Keys and their Actions Key Combination Action CNTL-A Moves the cursor to the beginning of the command line. CNTL-B Moves the cursor back one character. CNTL-D Deletes character at cursor.
Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless the ignore-case sub-option is implemented. Starting with FTOS 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to case-insensitive.
www.dell.com | support.dell.com • find displays the output of the show command beginning from the first occurrence of specified text Figure 2-11 shows this command used in combination with the command show linecard all. Figure 2-11.
3 Getting Started This chapter contains the following major sections: • • • • • • Default Configuration Configure a Host Name Access the System Remotely Configure the Enable Password Configuration File Management File System Management When you power up the switch, the system performs a Power-On Self Test (POST) during which the system LED is amber. The system then loads FTOS and boot messages scroll up the terminal window during this process.
www.dell.com | support.dell.com To access the console port, follow the procedures below. Refer to Table 3-1 for the console port pinout. Step Task 1 Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the Z9000 console port to a terminal server. 2 Connect the other end of the cable to the DTE terminal server.
Configure a Host Name The host name appears in the prompt. The default host name is FTOS. • • Host names must start with a letter and end with a letter or digit. Characters within the string can be letters, digits, and hyphens. To configure a host name: Step 1 Task Command Syntax Command Mode Create a new host name. hostname name CONFIGURATION Figure 3-1 illustrates the hostname command. Figure 3-1.
www.dell.com | support.dell.com Configure the Management Port IP Address Assign IP addresses to the management ports in order to access the system remotely. Note: Assign different IP addresses to each RPM’s management port on the E-Series and C-Series platforms. To configure the management port IP address: Step 1 2 Task Command Syntax Command Mode Enter INTERFACE mode for the Management port. interface ManagementEthernet slot/port CONFIGURATION Assign an IP address to the interface.
To configure a username and password: Step 1 Task Command Syntax Command Mode Configure a username and password to access the system remotely. username username password [encryption-type] password encryption-type specifies how you are inputting the password, is 0 by default, and is not required. CONFIGURATION • • 0 is for inputting the password in clear text. 7 is for inputting a password that is already encrypted using a Type 7 hash.
www.dell.com | support.dell.com Configure the Enable Password Access the EXEC Privilege mode using the enable command. The EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure. There are two types of enable passwords: • enable password stores the password in the running/startup configuration using a DES encryption method. • enable secret is stored in the running/startup configuration in using a stronger, MD5 encryption method.
Copy Files to and from the System The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url. Note: See the FTOS Command Line Interface Reference Guide for a detailed description of the copy command. • • Table 3-2. To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location shown in Table 3-2.
www.dell.com | support.dell.com • The usbflash and rpm0usbflash commands are supported on E-Series ExaScale systems. Refer to your system’s Release Notes for a list of approved USB vendors. The usbflash command is supported on Z9000. Refer to your system’s Release Notes for a list of approved USB vendors. • Figure 3-2 shows an example of using the copy command to save a file to an FTP server. Figure 3-2. Saving a file to a Remote System Local Location Remote Location FTOS#copy flash://FTOS-ZB-8.3.11.
Task Command Syntax Command Mode Save the running-configuration to: the startup-configuration on the internal flash of the primary RPM copy running-config startup-config the internal flash on an RPM copy running-config rpm{0|1}flash://filename Note: The internal flash memories on the RPMs are synchronized whenever there is a change, but only if the RPMs are running the same version of FTOS.
www.dell.com | support.dell.com To view a list of files on the internal or external Flash: Step 1 Task Command Syntax Command Mode the internal flash of an RPM dir flash: EXEC Privilege the external flash of an RPM dir slot: View a list of files on: The output of the command dir also shows the read/write privileges, size (in bytes), and date of modification for each file, as shown in Figure 3-4. Figure 3-4.
In the running-configuration file, if there is a difference between the timestamp on the “Last configuration change,” and “Startup-config last updated,” then you have made changes that have not been saved and will not be preserved upon a system reboot. Figure 3-5. Tracking Changes with Configuration Comments FTOS#show running-config Current Configuration ... ! Version 8.3.11.
www.dell.com | support.dell.com In Figure 3-7, the default storage location is changed to the external Flash of the primary RPM. File management commands then apply to the external Flash rather than the internal Flash. Figure 3-7.
4 Management Management is supported on platforms: e c sz This chapter explains the different protocols or services used to manage the Dell Force10 system including: • • • • • • • Configure Privilege Levels Configure Logging File Transfer Services Terminal Lines Lock CONFIGURATION mode Recovering from a Forgotten Password on the S4810 and Z9000 Recovering from a Failed Start on the S4810 and Z9000 Configure Privilege Levels Privilege levels restrict access to commands based on user or terminal line.
www.dell.com | support.dell.com A user can access all commands at his privilege level and below. Removing a command from EXEC mode Remove a command from the list of available commands in EXEC mode for a specific privilege level using the command privilege exec from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, followed by the first keyword of each command to be restricted.
The following table lists the configuration tasks you can use to customize a privilege level: Task Command Syntax Command Mode Remove a command from the list of available commands in EXEC mode. privilege exec level level {command ||...|| command} CONFIGURATION Move a command from EXEC Privilege to EXEC mode. privilege exec level level {command ||...|| command} CONFIGURATION Allow access to CONFIGURATION mode.
www.dell.com | support.dell.com 50 Create a Custom Privilege Level FTOS(conf)#do show run priv ! privilege exec level 3 capture privilege exec level 3 configure privilege exec level 4 resequence privilege exec level 3 capture bgp-pdu privilege exec level 3 capture bgp-pdu max-buffer-size privilege configure level 3 line privilege configure level 3 interface FTOS(conf)#do telnet 10.11.80.201 [telnet output omitted] FTOS#show priv Current privilege level is 3.
Apply a Privilege Level to a Username To set a privilege level for a user: Task Command Syntax Command Mode Configure a privilege level for a user. username username privilege level CONFIGURATION Apply a Privilege Level to a Terminal Line To set a privilege level for a terminal line: Task Command Syntax Command Mode Configure a privilege level for a terminal line.
www.dell.com | support.dell.com Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
Send System Messages to a Syslog Server Send system messages to a syslog server by specifying the server with the following command: Task Command Syntax Command Mode Specify the server to which you want to send system messages. You can configure up to eight syslog servers. logging {ip-address | hostname} CONFIGURATION Configure a Unix System as a Syslog Server Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.
www.dell.com | support.dell.com Task Command Syntax Command Mode Specify the size of the logging buffer. Note: When you decrease the buffer size, FTOS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer. logging buffered size CONFIGURATION Specify the number of messages that FTOS saves to its logging history table.
show logging Command FTOS#show logging syslog logging: enabled Console logging: level Debugging Monitor logging: level Debugging Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes) Trap logging: level Informational %IRC-6-IRC_COMMUP: Link to peer RPM is up %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
www.dell.com | support.dell.com Configure a UNIX logging facility level You can save system log messages with a UNIX system logging facility. To configure a UNIX logging facility level, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose logging facility [facility-type] CONFIGURATION Specify one of the following parameters.
Synchronize log messages You can configure FTOS to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
www.dell.com | support.dell.com To have FTOS include a timestamp with the syslog message, use the following command syntax in the CONFIGURATION mode: Command Syntax Command Mode Purpose service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime] CONFIGURATION Add timestamp to syslog messages. Specify the following optional parameters: • datetime: You can add the keyword localtime to include the localtime, msec, and show-timezone.
Enable FTP server To enable the system as an FTP server, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose ftp-server enable CONFIGURATION Enable FTP on the system. To view FTP configuration, use the show running-config ftp Command Output in the EXEC privilege mode.
www.dell.com | support.dell.com Configure FTP client parameters To configure FTP client parameters, use the following commands in the CONFIGURATION mode: Command Syntax Command Mode Purpose ip ftp source-interface interface CONFIGURATION Enter the following keywords and slot/port or number information: • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information.
To apply an IP ACL to a line: Task Command Syntax Command Mode Apply an ACL to a VTY line. ip access-class access-list LINE To view the configuration, enter the show config command in the LINE mode, as shown in Applying an Access List to a VTY Line. Applying an Access List to a VTY Line FTOS(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.
www.dell.com | support.dell.com To configure authentication for a terminal line: Step Task Command Syntax Command Mode 1 Create an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local, and the default method list is empty. aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6] 2 Apply the method list from Step 1 to a terminal line.
To change the timeout period or disable EXEC timeout. Task Command Syntax Command Mode Set the number of minutes and seconds. Default: 10 minutes on console, 30 minutes on VTY. Disable EXEC timeout by setting the timeout period to 0. exec-timeout minutes [seconds] LINE Return to the default timeout values. no exec-timeout LINE View the configuration using the command show config from LINE mode.
www.dell.com | support.dell.com Password: FTOS>exit FTOS#telnet 2200:2200:2200:2200:2200::2201 Trying 2200:2200:2200:2200:2200::2201... Connected to 2200:2200:2200:2200:2200::2201. Exit character is '^]'. FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1) login: admin FTOS# Lock CONFIGURATION mode FTOS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2).
Note: The CONFIGURATION mode lock corresponds to a VTY session, not a user. Therefore, if you configure a lock and then exit CONFIGURATION mode, and another user enters CONFIGURATION mode, when you attempt to re-enter CONFIGURATION mode, you are denied access even though you are the one that configured the lock. Note: If your session times out and you return to EXEC mode, the CONFIGURATION mode lock is unconfigured.
www.dell.com | support.dell.com Step Task Command Syntax Command Mode 7 Copy startup-config.bak to the running config. copy flash://startup-config.bak running-config EXEC Privilege 8 Remove all authentication statements you might have for the console. no authentication login no password LINE 9 Save the running-config. copy running-config startup-config EXEC Privilege 10 Set the system parameters to use the startup configuration file when the system reloads.
Step 12 Task Command Syntax Command Mode Save the running-config. copy running-config startup-config EXEC Privilege Recovering from a Forgotten Enable Password on the S4810 and Z9000 If you forget the enable password on the S4810: Step Task Command Syntax Command Mode 1 Log onto the system via console. 2 Power-cycle the chassis by switching off all of the power modules and then switching them back on. 3 Press any key to abort the boot process.
www.dell.com | support.dell.com Step Task Command Syntax Command Mode 5 Set the system parameters to ignore the enable password when the system reloads and save the environment. grub>setenv enablepwdignore=true grub>save_env enablepwdignore uBoot 6 Reload the system. reset uBoot 7 Configure a new enable password. enable {secret | password} CONFIGURATION 8 Save the running-config to the startup-config.
5 802.1X 802.1X is supported on platforms: e c sz Protocol Overview 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
www.dell.com | support.dell.com Figure 5-1.
3. The authenticator decapsulates the EAP Response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame, and forwards the frame to the authentication server. 4. The authentication server replies with an Access-Challenge. The Access-Challenge is request that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
www.dell.com | support.dell.com Figure 5-3. Code RADIUS Frame Format Identifier Range: 1-4 Codes: 1: Access-Request 2: Access-Accept 3: Access-Reject 11: Access-Challenge Length Message-Authenticator Attribute Type (79) EAP-Message Attribute Length EAP-Method Data (Supplicant Requested Credentials) fnC0034mp RADIUS Attributes for 802.1 Support Dell Force10 systems includes the following RADIUS attributes in all 802.1X-triggered Access-Request messages: • • • • 72 | 802.
Configuring 802.1X Configuring 802.1X on a port is a two-step process: 1. Enable 802.1X globally. See page 73. 2. Enable 802.1X on an interface. See page 73. Related Configuration Tasks • • • • • • Configuring Request Identity Re-transmissions on page 75 Configuring Port-control on page 78 Re-authenticating a Port on page 78 Configuring Timeouts on page 79 Configuring a Guest VLAN on page 82 Configuring an Authentication-fail VLAN on page 82 Important Points to Remember • • • FTOS supports 802.
www.dell.com | support.dell.com Figure 5-4. Enabling 802.1X To enable 802.1X: Step Task Command Syntax Command Mode 1 Enable 802.1X globally. dot1x authentication CONFIGURATION 2 Enter INTERFACE mode on an interface or a range of interfaces. interface [range] INTERFACE 3 Enable 802.1X on an interface or a range of interfaces. dot1x authentication INTERFACE Verify that 802.
View 802.1X configuration information for an interface using the command show dot1x interface, as shown in Figure 5-6. Figure 5-6. Verifying 802.1X Interface Configuration FTOS#show dot1x interface gigabitethernet 2/1 802.
www.dell.com | support.dell.com To configure a maximum number of Request Identity re-transmissions: Step 1 Task Command Syntax Command Mode Configure a maximum number of times that a Request Identity frame can be re-transmitted by the authenticator. dot1x max-eap-req number Range: 1-10 Default: 2 INTERFACE Figure 5-7 shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits a maximum of 10 times.
Figure 5-7. Configuring a Request Identity Re-transmissions FTOS(conf-if-range-gi-2/1)#dot1x tx-period 90 FTOS(conf-if-range-gi-2/1)#dot1x max-eap-req 10 FTOS(conf-if-range-gi-2/1)#dot1x quiet-period 120 FTOS#show dot1x interface gigabitethernet 2/1 802.
www.dell.com | support.dell.com Figure 5-8. Configuring Port-control FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
Figure 5-9. Configuring a Reauthentiction Period FTOS(conf-if-gi-2/1)#dot1x reauthentication interval 7200 FTOS(conf-if-gi-2/1)#dot1x reauth-max 10 FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
www.dell.com | support.dell.com Figure 5-10. Configuring a Timeout FTOS(conf-if-gi-2/1)#dot1x port-control force-authorized FTOS(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
Figure 5-11. Dynamic VLAN Assignment with 802.1X Guest and Authentication-fail VLANs Typically, the authenticator (Dell Force10 system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured, or the VLAN that the authentication server indicates in the authentication data. Note: Ports cannot be dynamically assigned to the default VLAN.
www.dell.com | support.dell.com The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices, and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users. • • If the supplicant fails authentication a specified number of times, the authenticator places the port in the Authentication-fail VLAN. If a port is already forwarding on the Guest VLAN when 802.
Figure 5-13. Configuring an Authentication-fail VLAN FTOS(conf-if-gi-1/2)#dot1x auth-fail-vlan 100 max-attempts 5 FTOS(conf-if-gi-1/2)#show config ! interface GigabitEthernet 1/2 switchport dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown FTOS(conf-if-gi-1/2)# View your configuration using the command show config from INTERFACE mode, as shown in Figure 5-12, or using the command show dot1x interface command from EXEC Privilege mode as shown in Figure 5-14. Figure 5-14.
84 | 802.1X www.dell.com | support.dell.
6 Access Control Lists (ACLs) The Access Control Lists (ACLs) chapter also includes prefix lists and route maps. ecsz Ingress IP and MAC ACLs are supported on platforms: e c s z Egress IP and MAC ACLs are supported on platforms: e z ACLs are supported on platforms: Overview At their simplest, Access Control Lists (ACLs), Prefix lists, and Route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix lists and Route-maps.
www.dell.com | support.dell.com • • • • • • Configuring Ingress ACLs Configuring Egress ACLs Configuring ACLs to Loopback • Applying an ACL on Loopback Interfaces IP Prefix Lists ACL Resequencing Route Maps IP Access Control Lists (ACLs) In the Dell Force10 switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP packet.
CAM optimization is supported on platforms csz CAM Profiling CAM optimization is supported on platforms et The default CAM profile has 1K Layer 2 ingress ACL entries. If you need more memory for Layer 2 ingress ACLs, select the profile l2-ipv4-inacl. When budgeting your CAM allocations for ACLs and QoS configurations, remember that ACL and QoS rules might consume more than one CAM entry depending on complexity. For example, TCP and UDP rules with port range options might require more than one CAM entry.
www.dell.com | support.dell.com The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated. The default CAM Allocation settings on a C-Series matching are: • • • • • L3 ACL (ipv4acl): 6 L2 ACL(l2acl) : 5 IPv6 L3 ACL (ipv6acl): 0 L3 QoS (ipv4qos): 1 L2 QoS (l2qos): 1 The ipv6acl allocation must be entered as a factor of 2 (2, 4, 6, 8, 10).
Implementing ACLs on FTOS One IP ACL can be assigned per interface with FTOS. If an IP ACL is not assigned to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent. Refer to your line card documentation for detailed specification on entries allowed per ACL. If counters are enabled on IP ACL rules that are already configured, those counters are reset when a new rule is inserted or pre-pended.
www.dell.com | support.dell.com ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8. Therefore, (without the keyword order) packets within the range 20.1.1.0/24 match positive against cmap1 and are buffered in queue 7, though you intended for these packets to match positive against cmap2 and be buffered in queue 4.
• Loopback interfaces do not support ACLs using the IP fragment option. If you configure an ACL with the fragments option and apply it to a loopback interface, the command is accepted, but the ACL entries are not actually installed the offending rule in CAM. IP fragments ACL examples The following configuration permits all packets (both fragmented & non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.
www.dell.com | support.dell.com To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a configuration similar to the following. FTOS(conf)#ip access-list extended ABC FTOS(conf-ext-nacl)#permit tcp any any fragment FTOS(conf-ext-nacl)#permit udp any any fragment FTOS(conf-ext-nacl)#deny ip any any log FTOS(conf-ext-nacl) Note the following when configuring ACLs with the fragments keyword.
Step Command Syntax Command Mode Purpose 2 seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [count [byte] | log] [order] [monitor] [fragments] CONFIG-STD-NACL Configure a drop or forward filter. The parameters are: • log and monitor options are supported on E-Series only. Note: When assigning sequence numbers to filters, keep in mind that you might need to insert a new filter.
www.dell.com | support.dell.com If you are creating a standard ACL with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of 5.
To delete a filter, enter the show config command in the IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in the IP ACCESS LIST mode. Configure an extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses.
www.dell.com | support.dell.com TCP packets: To create a filter for TCP packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode: Step 1 2 Command Syntax Command Mode Purpose ip access-list extended access-list-name CONFIGURATION Create an extended IP ACL and assign it a unique name.
Figure 6-7. Command Example: seq FTOS(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log FTOS(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any FTOS(config-ext-nacl)#show confi ! ip access-list extended dilling seq 5 permit tcp 12.1.0.0 0.0.255.255 any seq 15 deny ip host 112.45.0.
www.dell.com | support.dell.com Figure 6-8. Extended IP ACL FTOS(config-ext-nacl)#deny tcp host 123.55.34.0 any FTOS(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0 FTOS(config-ext-nacl)#show config ! ip access-list extended nimule seq 5 deny tcp host 123.55.34.0 any seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.
For information on MAC ACLs, refer to Chapter 24, Layer 2. Assign an IP ACL to an Interface c sz Ingress and Egress IP ACL are supported on platforms: e Ingress IP ACLs are supported on platforms: z To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port channel interface, or a VLAN.
www.dell.com | support.dell.com To view which IP ACL is applied to an interface, use the show config command (Figure 232) in the INTERFACE mode or the show running-config command in the EXEC mode. Figure 6-9. Command example: show config in the INTERFACE Mode FTOS(conf-if)#show conf ! interface GigabitEthernet 0/0 ip address 10.2.1.100 255.255.255.0 ip access-group nimule in no shutdown FTOS(conf-if)# Use only Standard ACLs in the access-class command to filter traffic on Telnet sessions.
Figure 6-10. Creating an Ingress ACL FTOS(conf)#interface gige 0/0 FTOS(conf-if-gige0/0)#ip access-group abcd in FTOS(conf-if-gige0/0)#show config ! gigethernet 0/0 no ip address ip access-group abcd in no shutdown FTOS(conf-if-gige0/0)#end FTOS#configure terminal FTOS(conf)#ip access-list extended abcd FTOS(config-ext-nacl)#permit tcp any any FTOS(config-ext-nacl)#deny icmp any any FTOS(config-ext-nacl)#permit 1.1.1.
www.dell.com | support.dell.com Figure 6-11. Creating an Egress ACL FTOS(conf)#interface gige 0/0 FTOS(conf-if-gige0/0)#ip access-group abcd out FTOS(conf-if-gige0/0)#show config ! gigethernet 0/0 no ip address ip access-group abcd out no shutdown FTOS(conf-if-gige0/0)#end FTOS#configure terminal FTOS(conf)#ip access-list extended abcd FTOS(config-ext-nacl)#permit tcp any any FTOS(config-ext-nacl)#deny icmp any any FTOS(config-ext-nacl)#permit 1.1.1.
Configuring ACLs to Loopback ACLs can be supplied on Loopback interfaces supported on platform e Configuring ACLs onto the CPU in a loopback interface protects the system infrastructure from attack— malicious and incidental—by explicate allowing only authorized traffic. The ACLs on loopback interfaces are applied only to the CPU on the RPM—this eliminates the need to apply specific ACLs onto all ingress interfaces and achieves the same results. By localizing target traffic, it is a simpler implementation.
www.dell.com | support.dell.com Figure 6-12. Applying an ACL to the Loopback Interface FTOS(conf)#interface loopback 0 FTOS(conf-if-lo-0)#ip access-group abcd in FTOS(conf-if-lo-0)#show config ! interface Loopback 0 no ip address ip access-group abcd in no shutdown FTOS(conf-if-lo-0)#end FTOS#configure terminal FTOS(conf)#ip access-list extended abcd FTOS(config-ext-nacl)#permit tcp any any FTOS(config-ext-nacl)#deny icmp any any FTOS(config-ext-nacl)#permit 1.1.1.
The following rules apply to prefix lists: • • • A prefix list without any permit or deny filters allows all routes. An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list. Once a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
www.dell.com | support.dell.com If you want to forward all routes that do not match the prefix list criteria, you must configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter should be the last filter in your prefix list. To permit the default route only, enter permit 0.0.0.0/0. Figure 6-13 illustrates how the seq command orders the filters according to the sequence number assigned.
Figure 6-14. Prefix List FTOS(conf-nprefixl)#permit 123.23.0.0 /16 FTOS(conf-nprefixl)#deny 133.24.56.0 /8 FTOS(conf-nprefixl)#show conf ! ip prefix-list awe seq 5 permit 123.23.0.0/16 seq 10 deny 133.0.0.0/8 FTOS(conf-nprefixl)# To delete a filter, enter the show config command in the PREFIX LIST mode and locate the sequence number of the filter you want to delete; then use the no seq sequence-number command in the PREFIX LIST mode.
www.dell.com | support.dell.com Use a prefix list for route redistribution To pass traffic through a configured prefix list, you must use the prefix list in a route redistribution command. The prefix list is applied to all traffic redistributed into the routing process and the traffic is either forwarded or dropped depending on the criteria and actions specified in the prefix list.
To view the configuration, use the show config command in the ROUTER OSPF mode (Figure 6-18) or the show running-config ospf command in the EXEC mode. Figure 6-18. Command Example: show config in ROUTER OSPF Mode FTOS(conf-router_ospf)#show config ! router ospf 34 network 10.2.1.1 255.255.255.255 area 0.0.0.1 distribute-list prefix awe in FTOS(conf-router_ospf)# ACL Resequencing ACL Resequencing allows you to re-number the rules and remarks in an access or prefix list.
www.dell.com | support.dell.com Table 6-4. ACL Resequencing Example (Resequenced) seq 15 permit any host 1.1.1.3 seq 20 permit any host 1.1.1.4 Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs and prefix lists and MAC ACLs. To resequence an ACL or prefix list use the appropriate command in Table 6-5. You must specify the list name, starting number, and increment when using these commands. Table 6-5.
Remarks and rules that originally have the same sequence number have the same sequence number after the resequence command is applied. Remarks that do not have a corresponding rule will be incremented as a rule. These two mechanisms allow remarks to retain their original position in the list. For example, in Figure 6-20, remark 10 corresponds to rule 10 and as such they have the same number before and after the command is entered.
www.dell.com | support.dell.com Important Points to Remember For route-maps with more than one match clause: • • • Two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation. • Two or more match clauses within the same route-map sequence have different match commands, matching a packet against these clauses is a logical AND operation.
To view the configuration, use the show config command in the ROUTE-MAP mode (Figure 6-21). Figure 6-21. Command Example: show config in the ROUTE-MAP Mode FTOS(config-route-map)#show config ! route-map dilling permit 10 FTOS(config-route-map)# You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order. FTOS processes the route maps with the lowest sequence number first.
www.dell.com | support.dell.com Figure 6-24. Command Example: show route-map FTOS#show route-map dilling route-map dilling, permit, sequence 10 Match clauses: Set clauses: route-map dilling, permit, sequence 15 Match clauses: interface Loopback 23 Set clauses: tag 3444 FTOS# To delete a route map, use the no route-map map-name command in the CONFIGURATION mode. Configure route map filters Within the ROUTE-MAP mode, there are match and set commands.
Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose match ipv6 address prefix-list-name CONFIG-ROUTE-MAP Match destination routes specified in a prefix list (IPv6). match ip next-hop {access-list-name | prefix-list prefix-list-name} CONFIG-ROUTE-MAP Match next-hop routes specified in a prefix list (IPv4). match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} CONFIG-ROUTE-MAP Match next-hop routes specified in a prefix list (IPv6).
Command Syntax Command Mode Purpose set origin {egp | igp | incomplete} CONFIG-ROUTE-MAP Assign an ORIGIN attribute. set tag tag-value CONFIG-ROUTE-MAP Specify a tag for the redistributed routes. set weight value CONFIG-ROUTE-MAP Specify a value as the route’s weight. Use these commands to create route map instances. There is no limit to the number of set and match commands per route map, but the convention is to keep the number of match and set filters in a route map low.
www.dell.com | support.dell.com Configure a route map for route tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged and that tag is passed along with the route as it passes through different routing protocols. This tag can then be used when the route leaves a routing domain to redistribute those routes again.
7 Bidirectional Forwarding Detection (BFD) Bidirectional Forwarding Detection (BFD) is supported only on platforms: e cz Protocol Overview Bidirectional Forwarding Detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism.
www.dell.com | support.dell.com How BFD Works Two neighboring systems running BFD establish a session using a three-way handshake. After the session has been established, the systems exchange control packets at agreed upon intervals. In addition, systems send a control packet anytime there is a state change or change in a session parameter; these control packets are sent without regard to transmit and receive intervals. Note: FTOS does not support multi-hop BFD sessions.
Version (4) IHL TOS Total Length Preamble Flags Start Frame Delimiter Frag Offset Destination MAC TTL (255) Source MAC Protocol Ethernet Type (0x888e) Header Checksum Version (1) State Range: 3784 Source Port Options Diag Code Dest IP Addr Padding Checksum UDP Packet Detect Mult My Discriminator Your Discriminator Random number generated by remote system to identify a session Required Min RX Interval Required Min Echo RX Interval Auth Type The minimum interval between Echo pac
www.dell.com | support.dell.com Table 7-1. BFD Packet Fields Field Description Diagnostic Code The reason that the last session failed. State The current local session state. See BFD sessions. Flag A bit that indicates packet function. If the poll bit is set, the receiving system must respond as soon as possible, without regard to its transmit interval. The responding system clears the poll bit and sets the final bit in its response.
• • Active—The active system initiates the BFD session. Both systems can be active for the same session. Passive—The passive system does not initiate a session. It only responds to a request for session initialization from the active system. A BFD session has two modes: • • Asynchronous mode—In Asynchronous mode, both systems send periodic control messages at an agreed upon interval to indicate that their session status is Up.
www.dell.com | support.dell.com 4. The passive system receives the control packet, changes its state to Up. Both systems agree that a session has been established. However, since both members must send a control packet—that requires a response—anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change. After this, periodic control packets are exchanged. Figure 7-2.
Figure 7-3. BFD State Machine current session state Up, Admin Down, Timer the packet received Down Init Down Admin Down, Timer Down Init Admin Down, Down, Timer Init, Up Up Up, Init Important Points to Remember • • • • • • • BFD for line card ports is hitless, but is not hitless for VLANs since they are instantiated on the RPM. FTOS supports a maximum of 100 sessions per BFD agent.
www.dell.com | support.dell.com • Troubleshooting BFD Configuring BFD for Physical Ports Configuring BFD for Physical Ports is supported on C-Series and E-Series only. BFD on physical ports is useful when no routing protocol is enabled. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Establishing a session on physical ports To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 7-5. Establishing a BFD Session for Physical Ports R1: ACTIVE Role 4/24 R2: ACTIVE Role 2/1 FTOS(config)# bfd enable FTOSconfig)# interface gigabitethernet 2/1 FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24 FTOS(conf-if-gi-2/1)# bfd neighbor 2.2.2.
www.dell.com | support.dell.com Figure 7-7. Viewing Session Details R1(conf-if-gi-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
Figure 7-8. Changing Session Parameters for Physical Ports R1(conf-if-gi-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-gi-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
www.dell.com | support.dell.com To re-enable BFD on an interface: Step 1 Task Command Syntax Command Mode Enable BFD on an interface. bfd enable INTERFACE Configuring BFD for Static Routes Configuring BFD for Static Routes is supported on C-Series and E-Series only. BFD gives systems a link state detection mechanism for static routes.
To establish a BFD session: Step 1 Task Command Syntax Command Mode Establish BFD sessions for all neighbors that are the next hop of a static route. ip route bfd CONFIGURATION Verify that sessions have been created for static routes using the command show bfd neighbors, as shown in the following illustration. View detailed session information using the command show bfd neighbors detail, as shown in Figure 7-8. Figure 7-10. Viewing Established Sessions for Static Routes R1(conf)#ip route 2.2.3.
www.dell.com | support.dell.com Disabling BFD for static routes If BFD is disabled, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state (Message 3). To disable BFD for static routes: Step 1 Task Command Syntax Command Mode Disable BFD for static routes.
Figure 7-11. Establishing Sessions with OSPF Neighbors FTOS(conf-if-gi-2/1)# ip address 2.2.2.2/24 FTOS(conf-if-gi-2/1)# no shutdown FTOS(conf-if-gi-2/1)# exit FTOS(config)# router ospf 1 FTOS(config-router_ospf )# network 2.2.2.0/24 area 0 FTOS(config-router_ospf )# bfd all-neighbors FTOS(conf-if-gi-2/2)# ip address 2.2.3.1/24 FTOS(conf-if-gi-2/2)# no shutdown FTOS(conf-if-gi-2/2)# exit FTOS(config)# router ospf 1 FTOS(config-router_ospf )# network 2.2.3.
www.dell.com | support.dell.com View the established sessions using the command show bfd neighbors, as shown in the following illustration. Figure 7-12. Viewing Established Sessions for OSPF Neighbors R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * Ad Dn C I O R - Active session role Admin Down CLI ISIS OSPF Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr 2.2.2.
Disabling BFD for OSPF If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Message 3). Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
www.dell.com | support.dell.com Figure 7-13. Establishing Sessions with IS-IS Neighbors FTOS(conf )# router isis FTOS(conf-router_isis)# net 02.1921.6800.2002.00 FTOS(conf-router_isis)# interface gigabitethernet 2/1 FTOS(conf-if-gi-2/1)#ip address 2.2.2.2/24 FTOS(config-if-gi-2/1)# ip router isis FTOS(config-if-gi-2/1)# exit FTOS(conf )# router isis FTOS(conf-router_isis)# bfd all-neighbors FTOS(conf-router_isis)# interface gigabitethernet 2/2 FTOS(conf-if-gi-2/2)#ip address 2.2.3.
Figure 7-14. Viewing Established Sessions for IS-IS Neighbors R2(conf-router_isis)#bfd all-neighbors R2(conf-router_isis)#do show bfd neighbors * Ad Dn C I O R - IS-IS BFD Sessions Enabled Active session role Admin Down CLI ISIS OSPF Static Route (RTM) LocalAddr Clients * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult 2.2.2.1 Gi 2/1 Up 100 100 3 I Changing IS-IS session parameters BFD sessions are configured with default intervals and a default role.
www.dell.com | support.dell.com Disabling BFD for IS-IS If BFD is disabled globally, all sessions are torn down, and sessions on the remote system are placed in a Down state. If BFD is disabled on an interface, sessions on the interface are torn down, and sessions on the remote system are placed in a Down state (Remote System State Change due to Local State Admin Down). Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 7-15. BFD Session Between BGP Neighbors Interior BGP Interior BGP Router 1 2/2 2.2.4.2 Router 2 1/1 2.2.4.
www.dell.com | support.dell.com As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure.
To remove the disabled state of a BFD for BGP session with a specified neighbor, enter the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command or configured for the peer group to which the neighbor belongs.
www.dell.com | support.dell.com The following examples show the BFD for BGP output displayed for these show commands. Figure 7-16. R2# show running-config bgp ! router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors Figure 7-17.
Figure 7-18. Verifying BFD Sessions with BGP Neighbors: show bfd neighbors detail Command R2# show bfd neighbors detail Session Discriminator: 9 Neighbor Discriminator: 10 Local Addr: 1.1.1.3 Local MAC Addr: 00:01:e8:66:da:33 Remote Addr: 1.1.1.
www.dell.com | support.dell.com Figure 7-19.
Figure 7-21. Displaying Routing Sessions with BGP Neighbors: show ip bgp neighbors Command R2# show ip bgp neighbors 2.2.2.2 BGP neighbor is 2.2.2.2, remote AS 1, external link BGP version 4, remote router ID 12.0.0.
www.dell.com | support.dell.com Configuring BFD for VRRP BFD for VRRP is only supported on platforms: ec When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the RPM. BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process: 1.
To establish sessions with all VRRP neighbors: Step 1 Task Command Syntax Command Mode Establish sessions with all VRRP neighbors. vrrp bfd all-neighbors INTERFACE Establishing VRRP sessions on VRRP neighbors The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. Therefore, VRRP BFD sessions on the backup router cannot change to the UP state.
www.dell.com | support.dell.com Figure 7-24. Viewing Established Sessions for VRRP Neighbors R1(conf-if-gi-4/25)#do show vrrp -----------------GigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1 State: Backup, Priority: 1, Master: 2.2.5.2 Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 95, Bad pkts rcvd: 0, Adv sent: 933, Gratuitous ARP sent: 3 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 2.2.5.4 Authentication: (none) BFD Neighbors: VRRP BFD Session RemoteAddr State 2.2.5.
To disable all VRRP sessions on an interface: Step 1 Task Command Syntax Command Mode Disable all VRRP sessions on an interface. no vrrp bfd all-neighbors INTERFACE To disable all VRRP sessions in a particular VRRP group: Step 1 Task Command Syntax Command Mode Disable all VRRP sessions in a VRRP group. bfd disable VRRP Task Command Syntax Command Mode Disable a particular VRRP session on an interface.
www.dell.com | support.dell.com Establishing sessions with VLAN neighbors To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration. The session parameters do not need to match. Figure 7-25. Establishing Sessions with VLAN Neighbors R1 R2 VLAN 200 4/25 2/3 FTOS(config-if-gi-4/25)# switchport FTOS(config-if-gi-4/25)# no shutdown FTOS(config-if-gi-4/25)# interface vlan 200 FTOS(config-if-vl-200)# ip address 2.2.3.
Changing session parameters BFD sessions are configured with default intervals and a default role. The parameters that can be configured are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured per interface; if a configuration change is made, the change affects all sessions on that interface.
www.dell.com | support.dell.com Configuring BFD for port-channels is a two-step process: 1. Enable BFD globally on all participating routers. See Enabling BFD globally. 2. Enable BFD at interface level at both ends of the port-channel. Related configuration tasks • • Change session parameters. Disable BFD a port-channel. Establishing sessions on port-channels To establish a session, BFD must be enabled at interface level on both ends of the link, as shown in the following illustration.
Figure 7-28. Viewing Established Sessions for VLAN Neighbors R2(conf-if-po-1)#bfd neighbors 2.2.2.1 R2(conf-if-po-1)#do show bfd neighors * Ad Dn C I O R V - Active session role Admin Down CLI ISIS Port-channel OSPF Static Route (RTM) VRRP LocalAddr * 2.2.2.2 RemoteAddr 2.2.2.1 BFD Sessions Interface State Rx-int Tx-int Mult Clients Po 1 Up 100 100 3 C Changing port-channel session parameters BFD sessions are configured with default intervals and a default role.
www.dell.com | support.dell.com Configuring Protocol Liveness Protocol Liveness is a feature that notifies the BFD Manager when a client protocol is disabled. When a client is disabled, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state (Message 3).
8 Border Gateway Protocol Platforms support BGP according to the following table: FTOS version Platform support IPv4: 8.3.11.2 IPv6: 9.0.0.0 Z9000 8.3.7.0 S4810 8.1.1.0 E-Series ExaScale 7.8.1.0 S-Series 7.7.1.0. C-Series pre-7.7.1.0 E-Series TeraScale z ex s c et This chapter is intended to provide a general description of Border Gateway Protocol version 4 (BGPv4) as it is supported in the Force10 Operating System (FTOS).
www.dell.com | support.dell.
A multihomed AS is one that maintains connections to more than one other AS. This allows the AS to remain connected to the internet in the event of a complete failure of one of their connections. However, this type of AS does not allow traffic from one AS to pass through on its way to another AS. A simple example of this is seen in Figure 8-1. A stub AS is one that is connected to only one other AS. A transit AS is one that provides connections through itself to separate networks.
www.dell.com | support.dell.com Since each BGP router talking to another router is a session, a BGP network needs to be in “full mesh”. This is a topology that has every router directly connected to every other router. Each BGP router within an AS must have iBGP sessions with all other BGP routers in the AS. For example, a BGP network within an AS needs to be in “full mesh.
Establishing a session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
www.dell.com | support.dell.com Route Reflectors Route Reflectors reorganize the iBGP core into a hierarchy and allows some route advertisement rules. Note: Route Reflectors (RRs) should not be used in the forwarding path. In iBGP, hierarchal RRs maintaining forwarding plane RRs could create routing loops. Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
Confederations Communities BGP communities are sets of routes with one or more common attributes. This is a way to assign common attributes to multiple routes at the same time. BGP Attributes Routes learned via BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination.
www.dell.com | support.dell.com 162 Syste Note: In 8.3.11.4, the bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command. A system error will result if the bgp bestpath as-path ignore command and the bgp bestpath as-path multipath-relax command are configured at the same time.
Best Path selection details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. • Routes originated with the network or redistribute commands are preferred over routes originated with the aggregate-address command. 4.
www.dell.com | support.dell.com 11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path). For paths containing a Route Reflector (RR) attribute, the originator ID is substituted for the router ID. 12. If two paths have the same router ID, prefer the path with the lowest cluster ID length. Paths without a cluster ID length are set to a 0 cluster ID length. 13.
Figure 8-5. LOCAL_PREF Example Set Local Preference to 100 Router A AS 100 T1 Link Router C AS 200 Router B Router E Set Local Preference to 200 OC3 Link Router E Router D AS 300 Router F Multi-Exit Discriminators (MEDs) If two Autonomous Systems (AS) connect in more than one place, a Multi-Exit Discriminator (MED) can be used to assign a preference to a preferred path.
www.dell.com | support.dell.com Figure 8-6. MED Route Example AS 100 Set MED to 100 Router A T1 Link Router C AS 200 Router B Router E OC3 Link Router D Set MED to 50 Note: With FTOS Release 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it will overwrite the IGP MED.
Figure 8-7. Origin attribute reported FTOS#show ip bgp BGP table version is 0, local router ID is 10.101.15.13 Status codes: s suppressed, d damped, h history, * valid, > best Path source: I - internal, a - aggregate, c - confed-external, r - redistributed, n - network Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop *> 7.0.0.0/29 10.114.8.33 *> 7.0.0.0/30 *> 9.2.0.0/16 Metric LocPrf Weight Path 0 0 18508 ? 10.114.8.33 0 0 18508 ? 10.114.8.
www.dell.com | support.dell.com Next Hop The Next Hop is the IP address used to reach the advertising router. For EBGP neighbors, the Next-Hop address is the IP address of the connection between the neighbors. For IBGP, the EBGP Next-Hop address is carried into the local AS. A Next Hop attribute is set when a BGP speaker advertises itself to another BGP speaker outside its local AS. It can also be set when advertising routes within an AS.
Advertise IGP cost as MED for redistributed routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes. For some peers you can set the internal/IGP cost as the MED while setting others to a constant pre-defined metric as MED value. FTOS 8.3.1.0 and later support configuring the set metric-type internal command in a route-map to advertise the IGP cost as the MED to outbound EBGP peers when redistributing routes.
www.dell.com | support.dell.com 4-Byte AS Numbers FTOS Version 7.7.1 and later support 4-Byte (32-bit) format when configuring Autonomous System Numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message. If a 4-Byte BGP speaker has sent and received this capability from another speaker, all the messages will be 4-octet. The behavior of a 4-Byte BGP speaker will be different with the peer depending on whether the peer is 4-Byte or 2-Byte BGP speaker.
ASDOT+ representation splits the full binary 4-byte AS number into two words of 16 bits separated by a decimal point (.): .. Some examples are shown in Table 8-2. • • All AS Numbers between 0-65535 are represented as a decimal number, when entered in the CLI as well as when displayed in the show command outputs. AS Numbers larger than 65535 is represented using ASDOT notation as ..
www.dell.com | support.dell.com Figure 8-9. Dynamic changes of the bgp asnotation command in the show running config ASDOT FTOS(conf-router_bgp)#bgp asnotation asdot FTOS(conf-router_bgp)#show conf ! router bgp 100 bgp asnotation asdot bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 8-10. config Dynamic changes when bgp asnotation command is disabled in the show running AS NOTATION DISABLED FTOS(conf-router_bgp)#no bgp asnotation FTOS(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
www.dell.com | support.dell.com Figure 8-11. Local-AS Scenario Router A AS 100 Router C AS 300 Router B AS 200 Before Migration Router A AS 100 AS 100 Router C AS 300 Router B Local AS 200 After Migration, with Local-AS enabled When you complete your migration, and you have reconfigured your network with the new information you must disable this feature. If the “no prepend” option is used, the local-as will not be prepended to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances FTOS BGP Management Information Base (MIB) support with many new SNMP objects and notifications (traps) defined in the draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell Force10 website, www.force10networks.com. Note: See the Dell Force10 iSupport webpage for the Force10-BGP4-V2-MIB and other MIB documentation.
www.dell.com | support.dell.com • • • • • • • • • • The f10BgpM2[Cfg]PeerReflectorClient field is populated based on the assumption that route-reflector clients are not in a full mesh if BGP client-2-client reflection is enabled and that the BGP speaker acting as reflector will advertise routes learned from one client to another client. If disabled, it is assumed that clients are in a full mesh, and there is no need to advertise prefixes to the other clients.
BGP Configuration To enable the BGP process and begin exchanging information, you must assign an AS number and use commands in the ROUTER BGP mode to configure a BGP neighbor. Defaults By default, BGP is disabled. By default, FTOS compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled). Note: In FTOS, all newly configured neighbors and peer groups are disabled.
www.dell.com | support.dell.
In BGP, neighbor routers or peers can be classified as internal or external. External BGP peers must be connected physically to one another (unless you enable the EBGP multihop feature), while internal BGP peers do not need to be directly connected. The IP address of an EBGP neighbor is usually the IP address of the interface directly connected to the router. First, the BGP process determines if all internal BGP peers are reachable, and then it determines which peers outside the AS are reachable.
www.dell.com | support.dell.com Step Command Syntax Command Mode Purpose You must Configure Peer Groups before assigning it a remote AS. 3 neighbor {ip-address | peer-group-name} no shutdown CONFIG-ROUTER-BGP Enable the BGP neighbor. Note: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode. Enter show config in CONFIGURATION ROUTER BGP mode to view the BGP configuration.
Figure 8-13. Command example: show ip bgp summary (4-Byte AS Number displayed) R2#show ip bgp summary 4-Byte AS Number BGP router identifier 192.168.10.2, local AS number 48735.
www.dell.com | support.dell.com Figure 8-14. Command example: show ip bgp neighbors FTOS#show ip bgp neighbors External BGP neighbor BGP neighbor is 10.114.8.60, remote AS 18508, external link BGP version 4, remote router ID 10.20.20.
Figure 8-15. Command example: show running-config bgp R2#show running-config bgp ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.
www.dell.com | support.dell.com Only one form of AS Number Representation is supported at a time. You cannot combine the types of representations within an AS. Task Command Syntax Command Mode Enable ASPLAIN AS Number representation. Figure 8-16 bgp asnotation asplain CONFIG-ROUTER-BGP Note: ASPLAIN is the default method FTOS uses and does not appear in the configuration display. Enable ASDOT AS Number representation.
Figure 8-18. Command example and output: bgp asnotation asdot+ FTOS(conf-router_bgp)#bgp asnotation asdot+ FTOS(conf-router_bgp)#sho conf ! router bgp 100 bgp asnotation asdot+ bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957 neighbor 172.30.1.
www.dell.com | support.dell.com Step Command Syntax Command Mode Purpose 5 neighbor ip-address peer-group peer-group-name CONFIG-ROUTER-BGP Add an enabled neighbor to the peer group. 6 neighbor {ip-address | peer-group name} remote-as as-number CONFIG-ROUTER-BGP Add a neighbor as a remote AS. Formats: IP Address A.B.C.D Peer-Group Name16 characters AS-number: 0-65535 (2-Byte) or 1-4294967295 | 0.1- 65535.65535 (4-Byte) or 0.1-65535.
Figure 8-19. Command example: show config (creating peer-group) FTOS(conf-router_bgp)#neighbor zanzibar peer-group Configuring neighbor zanzibar FTOS(conf-router_bgp)#show conf ! router bgp 45 bgp fast-external-fallover bgp log-neighbor-changes neighbor zanzibar peer-group neighbor zanzibar shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.
www.dell.com | support.dell.com Figure 8-21. Command example: show ip bgp peer-group FTOS>show ip bgp peer-group Peer-group zanzibar, remote AS 65535 BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is zanzibar, peer-group internal, Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.
BGP fast fall-over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When fall-over is enabled, BGP tracks IP reachability to the peer remote address and the peer local address.
www.dell.com | support.dell.com Figure 8-22. Command example: show ip bgp neighbors FTOS#sh ip bgp neighbors BGP neighbor is 100.100.100.100, remote AS 65517, internal link Member of peer-group test for session parameters BGP version 4, remote router ID 30.30.30.
Figure 8-23. Command example: show ip bgp peer-group FTOS#sh ip bgp peer-group Peer-group test Fall-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.100* FTOS# router bgp 65517 neighbor test peer-group neighbor test fall-over Fast Fall-Over Indicator neighbor test no shutdown neighbor 100.100.100.
www.dell.com | support.dell.com Use these commands in the following sequence, starting in the CONFIGURATION ROUTER BGP mode to configure passive peering. Step Command Syntax Command Mode Purpose 1 neighbor peer-group-name peer-group passive limit CONFIG-ROUTER-BGP Configure a peer group that does not initiate TCP connections with other peers. Enter the limit keyword to restrict the number of sessions accepted.
Disable this feature, using the no neighbor local-as command in CONFIGURATION ROUTER BGP mode. Figure 8-24. Local-as information shown R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.
www.dell.com | support.dell.com Figure 8-25. Allowas-in information shown R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.
• • • • Save all FIB and CAM entries on the line card and continue forwarding traffic while the secondary RPM is coming online. Advertise to all BGP neighbors and peer-groups that the forwarding state of all routes has been saved. This prompts all peers to continue saving the routes they receive from your E-Series and to continue forwarding traffic. Bring the secondary RPM online as the primary and re-open sessions with all peers operating in “no shutdown” mode.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose neighbor {ip-address | peer-group-name} graceful-restart [stale-path-time time-in-seconds] CONFIG-ROUTER-BGP Set maximum time to retain the restarting neighbor’s or peer-group’s stale paths. Default is 360 seconds. Filter on an AS-Path attribute The BGP attribute, AS_PATH, can be used to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path.
Use these commands in the following sequence, starting in the CONFIGURATION mode to configure an AS-PATH ACL to filter a specific AS_PATH value. Step Command Syntax Command Mode Purpose 1 ip as-path access-list as-path-name CONFIGURATION Assign a name to a AS-PATH ACL and enter AS-PATH ACL mode. 2 {deny | permit} filter parameter CONFIG-AS-PATH Enter the parameter to match BGP AS-PATH for filtering. This is the filter that will be used to match the AS-path.
www.dell.com | support.dell.com Figure 8-27. Filtering with Regular Expression FTOS(config)#router bgp 99 FTOS(conf-router_bgp)#neigh AAA peer-group FTOS(conf-router_bgp)#neigh AAA no shut FTOS(conf-router_bgp)#show conf ! router bgp 99 neighbor AAA peer-group neighbor AAA no shutdown neighbor 10.155.15.2 remote-as 32 neighbor 10.155.15.2 shutdown FTOS(conf-router_bgp)#neigh 10.155.15.
Table 8-4. Regular Expressions Regular Expression Definition + (plus) Matches 1 or more sequences of the immediately previous character or pattern. ? (question) Matches 0 or 1 sequence of the immediately previous character or pattern.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose redistribute ospf process-id [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] ROUTER BGP or CONF-ROUTER_BGPv6_AF Include specific OSPF routes in IS-IS. Configure the following parameters: • process-id range: 1 to 65535 • match external range: 1 or 2 • match internal • metric-type: external or internal. • map-name: name of a configured route map.
• • • All routes with the NO_EXPORT_SUBCONFED (0xFFFFFF03) community attribute are not sent to CONFED-EBGP or EBGP peers, but are sent to IBGP peers within CONFED-SUB-AS. All routes with the NO_ADVERTISE (0xFFFFFF02) community attribute must not be advertised. All routes with the NO_EXPORT (0xFFFFFF01) community attribute must not be advertised outside a BGP confederation boundary, but are sent to CONFED-EBGP and IBGP peers.
www.dell.com | support.dell.com Step 2 Command Syntax Command Mode Purpose {permit | deny} {{rt | soo} {ASN:NN | IPADDR:N} | regex REGEX-LINE} CONFIG-COMMUNITYLIST Two types of extended communities are supported. Filter routes based on the type of extended communities they carry using one of the following keywords: • rt: Route Target • soo: Route Origin or Site-of-Origin. Support for matching extended communities against regular expression is also supported.
Use these commands in the following sequence, starting in the CONFIGURATION mode, To use an IP Community list or Extended Community List to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. Step Command Syntax Command Mode Purpose 1 route-map map-name [permit | deny] [sequence-number] CONFIGURATION Enter the ROUTE-MAP mode and assign a name to a route map.
www.dell.com | support.dell.com If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
Figure 8-29. Command example: show ip bgp community (Partial) FTOS>show ip bgp community BGP table version is 3762622, local router ID is 10.114.8.48 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path * i 3.0.0.0/8 195.171.0.16 100 0 209 701 80 i *>i 4.2.49.12/30 195.171.0.16 100 0 209 i * i 4.21.132.0/23 195.171.0.16 100 0 209 6461 16422 i *>i 4.24.118.16/30 195.
www.dell.com | support.dell.com Change MED attribute By default, FTOS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. Use any or all of the following commands in the CONFIGURATION ROUTER BGP mode to change how the MED attribute is used. Command Syntax Command Mode Purpose bgp always-compare-med CONFIG-ROUTERBGP Enable MED comparison in the paths from neighbors with different ASs. By default, this comparison is not performed.
Step Command Syntax Command Mode Purpose 2 set local-preference value CONFIG-ROUTE-MAP Change LOCAL_PREF value for routes meeting the criteria of this route map. 3 exit CONFIG-ROUTE-MAP Return to the CONFIGURATION mode. 4 router bgp as-number CONFIGURATION Enter the ROUTER BGP mode. 5 neighbor {ip-address | peer-group-name} route-map map-name {in | out} CONFIG-ROUTER-BGP Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
www.dell.com | support.dell.com Use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode to view BGP configuration. You can also use route maps to change this and other BGP attributes. For example, you can include the following command in a route map to specify the next hop address: Command Syntax Command Mode Purpose set weight weight CONFIG-ROUTE-MAP Sets weight for the route.
• • AS-PATH ACLs (using neighbor filter-list command) route maps (using neighbor route-map command) Prior to filtering BGP routes, you must create the prefix list, AS-PATH ACL, or route map to be used. Refer to Chapter 6, “Access Control Lists (ACLs),” on page 85 for configuration information on prefix lists, AS-PATH ACLs, and route maps.
www.dell.com | support.dell.com To view the BGP configuration, use the show config command in the ROUTER BGP mode. To view a prefix list configuration, use the show ip prefix-list detail or show ip prefix-list summary commands in EXEC Privilege mode. Use these commands in the following sequence, starting in the CONFIGURATION mode to filter routes using a route map.
Step 5 Command Syntax Command Mode Purpose neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out} CONFIG-ROUTER-BGP Filter routes based on the criteria in the configured route map. Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • as-path-name: enter the name of a configured AS-PATH ACL. • in: apply the AS-PATH ACL map to inbound routes. • out: apply the AS-PATH ACL to outbound routes.
www.dell.com | support.dell.com When you enable a route reflector, FTOS automatically enables route reflection to all clients. To disable route reflection between all clients in this reflector, use the no bgp client-to-client reflection command in CONFIGURATION ROUTER BGP mode. All clients should be fully meshed before you disable route reflection. Aggregate routes FTOS provides multiple ways to aggregate routes in the BGP routing table.
Configure BGP confederations Another way to organize routers within an AS and reduce the mesh for IBGP peers is to configure BGP confederations. As with route reflectors, BGP confederations are recommended only for IBGP peering involving a large number of IBGP peering sessions per router. Basically, when you configure BGP confederations, you break the AS into smaller sub-AS, and to those outside your network, the confederations appear as one AS.
www.dell.com | support.dell.com When dampening is applied to a route, its path is described by one of the following terms: • • • history entry—an entry that stores information on a downed route dampened path—a path that is no longer advertised penalized path—a path that is assigned a penalty The CLI example below shows configuring values to start reusing or restarting a route, as well as their default values. Figure 8-31.
To view the BGP configuration, use show config in the CONFIGURATION ROUTER BGP mode or show running-config bgp in EXEC Privilege mode. To set dampening parameters via a route map, use the following command in CONFIGURATION ROUTE-MAP mode: Command Syntax Command Mode Purpose set dampening half-life reuse suppress max-suppress-time CONFIG-ROUTE-MAP Enter the following optional parameters to configure route dampening parameters: • half-life range: 1 to 45.
www.dell.com | support.dell.com To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode. Use the following command in EXEC Privilege mode to clear information on route dampening and return suppressed routes to active state. Command Syntax Command Mode Purpose clear ip bgp dampening [ip-address mask] EXEC Privilege Clear all information or only information on a specific route.
Change BGP timers Use either or both of the following commands in the CONFIGURATION ROUTER BGP mode to configure BGP timers. Command Syntax Command Mode Purpose neighbors {ip-address | peer-group-name} timers keepalive holdtime CONFIG-ROUTER-BGP Configure timer values for a BGP neighbor or peer group. • keepalive range: 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. (Default: 60 seconds) • holdtime range: 3 to 65536.
www.dell.com | support.dell.com Use the clear ip bgp command in EXEC Privilege mode at the system prompt to reset a BGP connection using BGP soft reconfiguration. Command Syntax Command Mode Purpose clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]] EXEC Privilege Clear all information or only specific details.
Route map continue The BGP route map continue feature (in ROUTE-MAP mode) allows movement from one route-map entry to a specific route-map entry (the sequence number). If the sequence number is not specified, the continue feature moves to the next sequence number (also known as an implied continue). If a match clause exists, the continue feature executes only after a successful match occurs. If there are no successful matches, continue is ignored.
www.dell.com | support.dell.com MBGP Configuration et c MBGP for IPv4 Multicast is supported on platform c et s z MBGP is not supported on the E-Series ExaScale ex platform. MBGP for IPv6 unicast is supported on platforms Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing.
BGP Regular Expression Optimization BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time, thus affect BGP routing convergence. Also, show bgp commands that get filtered through regular expressions can to take a lot of CPU cycles, especially when the database is large.
www.dell.com | support.dell.com Use no debug ip bgp to disable all BGP debugging. Use undebug all to disable all debugging. Storing Last and Bad PDUs FTOS stores the last notification sent/received, and the last bad PDU received on per peer basis. The last bad PDU is the one that causes a notification to be issued. These PDUs are shown in the output of the command show ip bgp neighbor, as shown in Figure 8-34. Figure 8-34.
Capturing PDUs Capture incoming and outgoing PDUs on a per-peer basis using the command capture bgp-pdu neighbor direction. Disable capturing using the no form of this command. The buffer size supports a maximum value between 40 MB (the default) and 100 MB. The capture buffers are cyclic and reaching the limit prompts the system to overwrite the oldest PDUs when new ones are received for a given neighbor or direction.
www.dell.com | support.dell.com • • New PDU are captured and there is no more space to store them The max buffer size is reduced. (This may cause PDUs to be cleared depending upon the buffer space consumed and the new limit.) With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs, as shown in Figure 8-36. Figure 8-36. Required Memory for Captured PDUs FTOS(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.
Figure 8-37 is a graphic illustration of the configurations shown on the following pages. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peers groups with each other. Figure 8-37. Sample Configuration Illustration Physical Links AS 99 Virtual Links GigE 1/21 10.0.1.21 /24 GigE 2/11 10.0.1.22 /24 Peer Group AAA e Pe Loopback ck 1 192.168.128.1 /24 rG u ro p BB GigE 1/31 10.0.3.31 /24 Loopback 1 Lo 192.168.128.
www.dell.com | support.dell.com Figure 8-38. Enable BGP - Router 1 R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int gig 1/21 R1(conf-if-gi-1/21)#ip address 10.0.1.21/24 R1(conf-if-gi-1/21)#no shutdown R1(conf-if-gi-1/21)#show config ! interface GigabitEthernet 1/21 ip address 10.0.1.
Figure 8-39. Enable BGP - Router 2 R2# conf R2(conf)#int loop 0 R2(conf-if-lo-0)#ip address 192.168.128.2/24 R2(conf-if-lo-0)#no shutdown R2(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.2/24 no shutdown R2(conf-if-lo-0)#int gig 2/11 R2(conf-if-gi-2/11)#ip address 10.0.1.22/24 R2(conf-if-gi-2/11)#no shutdown R2(conf-if-gi-2/11)#show config ! interface GigabitEthernet 2/11 ip address 10.0.1.22/24 no shutdown R2(conf-if-gi-2/11)#int gig 2/31 R2(conf-if-gi-2/31)#ip address 10.0.2.
www.dell.com | support.dell.com Figure 8-40. Enable BGP - Router 3 R3# conf R3(conf)# R3(conf)#int loop 0 R3(conf-if-lo-0)#ip address 192.168.128.3/24 R3(conf-if-lo-0)#no shutdown R3(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.3/24 no shutdown R3(conf-if-lo-0)#int gig 3/11 R3(conf-if-gi-3/11)#ip address 10.0.3.33/24 R3(conf-if-gi-3/11)#no shutdown R3(conf-if-gi-3/11)#show config ! interface GigabitEthernet 3/11 ip address 10.0.3.
Figure 8-41. Enable Peer Group - Router 1 R1#conf R1(conf)#router bgp 99 R1(conf-router_bgp)# network 192.168.128.0/24 R1(conf-router_bgp)# neighbor AAA peer-group R1(conf-router_bgp)# neighbor AAA no shutdown R1(conf-router_bgp)# neighbor BBB peer-group R1(conf-router_bgp)# neighbor BBB no shutdown R1(conf-router_bgp)# neighbor 192.168.128.2 peer-group AAA R1(conf-router_bgp)# neighbor 192.168.128.3 peer-group BBB R1(conf-router_bgp)# R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.
www.dell.com | support.dell.com Figure 8-42.
Figure 8-43. Enable Peer Groups - Router 2 R2#conf R2(conf)#router bgp 99 R2(conf-router_bgp)# neighbor CCC peer-group R2(conf-router_bgp)# neighbor CC no shutdown R2(conf-router_bgp)# neighbor BBB peer-group R2(conf-router_bgp)# neighbor BBB no shutdown R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA R2(conf-router_bgp)# neighbor 192.168.128.1 no shut R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB R2(conf-router_bgp)# neighbor 192.168.128.
www.dell.com | support.dell.com Figure 8-44. Enable Peer Group - Router 3 R3#conf R3(conf)#router bgp 100 R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# neighbor R3(conf-router_bgp)# AAA peer-group AAA no shutdown CCC peer-group CCC no shutdown 192.168.128.2 peer-group BBB 192.168.128.2 no shutdown 192.168.128.
Figure 8-45.
234 | Border Gateway Protocol www.dell.com | support.dell.
9 Bare Metal Provisioning 3.0 (BMP 3.0) Bare Metal Provisioning 3.0 (BMP 3.0) is included as part of the FTOS image. It is supported on platforms z. Overview Bare Metal Provisioning (BMP) is a feature that improves operational efficiency to the system by automatically loading pre-defined configurations and FTOS images using standard protocols such as DHCP and common file transfer mechanisms. Bare Metal Provisioning: • • • reduces the time to install and configure the network device.
www.dell.com | support.dell.com • • • Pre-configuration Scripts • Post-configuration Scripts • Auto-execution Scripts Configuration Tasks Script Examples Prerequisites Before you use BMP 3.0 to auto-configure a supported Dell Force10 switch, you must first configure: • • • • An external Dynamic Host Configuration Protocol (DHCP) server (required) - a network device offering configuration parameters File Server (required) - a network device for storing and servicing files.
1. Current (new) FTOS build image. 2. Configuration file or pre-configuration script (ZSH, TCL, or Expect script). 3. A list of checksums for all these components. Note: The configuration file is to maintain normal BMP functionality when a pre-configuration script is not sent. Preparing BMP DHCP Server DHCP Configuration You must first configure a DHCP server before you can use the BMP mode on a switch. Configure the DHCP server with the set of parameters described below for each client switch.
www.dell.com | support.dell.com • 230 User port stacking Note: BMP will eventually exit when the timeout occurs. DHCP Retry Mechanism BMP requests a different DHCP offer in the following scenarios: • • • If the command reload-type config-scr-download enable is enabled, the DHCP offer specifies both the boot image and the configuration file. If either download is successful, BMP will not request another DHCP offer.
option configfile "ftp://admin:admin@30.0.0.1/pt-s4810-12"; FTP URL with IP address option configfile "http://Guest-1/pt-s4810-12"; HTTP URL with DNS option configfile "pt-s4810-12"; TFTP ##### bootfile-name could be given in the following way option bootfile-name “ftp://admin:admin@Guest-1/ FTOS-SE-8.3.10.1.bin”; FTP URL with DNS option bootfile-name "http://30.0.0.1/FTOS-SE-8.3.10.1.bin”; HTTP URL with IP address option bootfile-name "tftp://30.0.0.1/FTOS-SE-8.3.10.1.
www.dell.com | support.dell.com BMP mode is the default boot mode configured for a new system arriving from Dell Force10. This mode obtains the FTOS image and configuration file from a network source (DHCP and file servers). Use Normal mode to boot the switch up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned.
Normal Mode When reloaded in Normal mode, the switch boots up with the management port in a no shutdown mode. If the management IP address is present in the start-up configuration file, it will be assigned. If the management IP address is not present in the start-up configuration file, no IP address will be assigned to the management interface. You can connect to the management port with an IP address on the same network and log in to the system through a telnet or SSH session.
www.dell.com | support.dell.com Post-configuration Scripts In BMP 3.0, after the pre-configuration script has completed and the configuration is loaded, you can run a post-configuration script if one is present in the configuration file. Use the post-configuration script to check the status of configured ports or protocols which can then be sent as a status report to a central repository for your network administrators.
Configuration Tasks When the system boots up in BMP mode all ports, including management ports, are placed in L3 mode in a no shut state. The system acts as a DHCP client on these ports for a period of time (dhcp-timeout). This allows the system time to send out a DHCP DISCOVER on all the interface up ports to the DHCP Server in order to obtain its IP address, boot image filename and configuration file from the DHCP server. • Set up a DHCP server.
www.dell.com | support.dell.com System boot and set-up behavior in BMP Mode 1. System begins boot up process in BMP mode (default mode). 2. The system sends DHCP Discover on all the interface up ports.
• If there is a mismatch between the build images, the system upgrades to the downloaded version and reloads.
www.dell.com | support.dell.com Reload without a DHCP Server Offer A switch configured to reload in BMP mode and if the DHCP server cannot be reached, the system keeps on sending DISCOVER messages. 00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/50. 00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Te 0/51. 00:01:44: %STKUNIT0-M:CP %JUMPSTART-5-JUMPSTART_DISCOVER: DHCP DISCOVER sent on Ma 0/0.
2. The system receives a DHCP offer from a DHCP server with the following parameters: 13:23:47: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP acquired IP 10.16.134.167 mask 255.255.0.0 server IP 10.16.134.207. 13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP tftp IP NIL sname NIL dns IP NIL router IP NIL. 13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP image file tftp://10.16.127.53/mxl.bin. 13:23:48: %STKUNIT0-M:CP %JUMPSTART-5-BOOT_OFFER: DHCP config file NIL.
www.dell.com | support.dell.com b If the build images versions are different, the system stores the downloaded build image in the local Flash and loads the build image from the Flash. This process is repeated until the build image versions match.
3. The pre-configuration script is downloaded instead of the configuration file. 4. The pre-configuration script is run before applying the start-up configuration file. 5. The pre-configuration script has the ability to use configuration FTOS CLI commands using the utility name “F10do”. 6. When the pre-configuration script completes, the start-up configuration file will be automatically applied.
www.dell.com | support.dell.com Script Examples Auto-execution Script - Normal mode FTOS#show reload-type Reload-Type : normal-reload [Next boot : normal-reload] FTOS#show file flash://autoexec #! /usr/bin/tclsh puts [ exec f10do "show version" ] puts [ exec date ] puts "this is Autoexec script" FTOS# FTOS# FTOS#reload System configuration has been modified.
The following line indicates the start of the auto-execution script. 00:00:16: %STKUNIT1-M:CP %JUMPSTART-5-AUTOEXEC_START: 00:00:19: %STKUNIT1-M:CP %CHMGR-5-CHECKIN: Checkin from Stack unit 1 (type S4810, 64 ports) 00:00:20: %00:00:20: %STKUNIT1-M:CP %CHMGR-0-PS_UP: Power supply 0 in unit 1 is up 00:00:20: %STKUNIT1-M:CP %CHMGR-5-STACKUNITUP: Stack unit 1 is up 00:00:21: %STKUNIT1-M:CP %CHMGR-5-SYSTEM_READY: System ready 00:00:21: %STKUNIT1-M:CP %RAM-5-STACK_STATE: Stack unit 1 is in Active State.
www.dell.com | support.dell.com 252 The following line indicates the successful completion of the auto-execution script. 00:00:49: %STKUNIT1-M:CP %JUMPSTART-5-AUTOEXEC_SUCCESS: The AutoExec Script execution returned Success. The following line indicates that the Configuration file is loaded into the switch.
Pre-configuration Script - BMP Mode #! /usr/bin/expect #/DELL-FORCE10 # Execute F10do and Print proc print_f10do {cmd_str} { set str [exec f10do "$cmd_str"] set tmp_str [string map {\n \r\n} $str ] puts $tmp_str } set ftp_ip "20.0.0.1" set ftp_username "lab" set ftp_passwd "lab" set config_file "s4810-10-startup-config" set post_conf "s4810-10-post-config.exp" puts "Executing Pre-Config Script !!!!\r\n" exec rm -rf "$config_file" exec rm -rf "$post_conf" puts "Downloading Startup Config and P
www.dell.com | support.dell.com after 5000 puts "Download Complete !!!\r\n" if {[file exists $config_file]} { puts "Config File: $config_file downloaded successfully\r\n" } else { puts "ERROR: Config File: $config_file - Not Found\r\n" } if {[file exists $post_conf]} { puts "Post Config Script: $post_conf downloaded successfully\r\n" } else { puts "ERROR: Post Config Script: $post_conf - Not Found\r\n" } # Copy Config to Startup Config print_f10do "show version" after 5000 print_f10do "copy flash://$c
10 Content Addressable Memory (CAM) Content Addressable Memory (CAM) is supported on platforms: • • • • • • • • • • • • • • • • • • et c s z Content Addressable Memory CAM Profiles Microcode CAM Profiling for ACLs When to Use CAM Profiling Important Points to Remember Select CAM Profiles CAM Allocation Test CAM Usage View CAM Profiles View CAM-ACL settings View CAM-ACL settings Configure IPv4Flow Sub-partitions Configure Ingress Layer 2 ACL Sub-partitions Return to the Default CAM Configuration CAM Optimi
www.dell.com | support.dell.com CAM Profiles Dell Force10 systems partition each CAM module so that it can store the different types of information. The size of each partition is specified in the CAM profile. A CAM profile is stored on every card, including each RPM. The same profile must be on every line card and RPM in the chassis. There is a default CAM profile and several other CAM profiles available so that you can partition the CAM according to your performance requirements.
The size of CAM partitions is measured in entries. Table 10-1 shows the number of entries available in each partition for all CAM profiles. The total CAM space is finite, therefore adding entries to one region necessarily decreases the number available to other regions.
www.dell.com | support.dell.com Table 10-3. Microcode Descriptions Microcode Description lag-hash-mpls For hashing based on MPLS labels (up to five labels deep). With the default microcode, MPLS packets are distributed over a port-channel based on the MAC source and destination address. With the lag-hash-mpls microcode, MPLS packets are distributed across the port-channel based on IP source and destination address and IP protocol. This is applicable for MPLS packets with up to five labels.
The amount of space that you can distribute to the sub-partitions is equal to the amount of CAM space that the selected CAM profile allocates to the Layer 2 ACL partition. FTOS requires that you specify the amount of CAM space for all sub-partitions and that the sum of all sub-partitions is 100%. FTOS displays the following message if the total allocated space is not correct: % Error: Sum of all regions does not total to 100%.
www.dell.com | support.dell.com -- Line card Status Next Boot Required Type Current Type Hardware Rev Num Ports Up Time FTOS Version Jumbo Capable 1 : : : : : : : : : -card problem - mismatch cam profile online E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF) E48TF - 48-port 10/100/1000Base-T line card with RJ-45 interfaces (EF) Base - 1.1 PP0 - 1.1 PP1 - 1.1 48 0 sec 7.6.1.
• • • • • FTOS automatically reconfigures the CAM profile on line cards and the secondary RPM to match the system CAM profile by saving the correct profile on the card and then rebooting it. The CAM configuration is applied to entire system when you use CONFIGURATION mode commands. You must save the running-configuration to affect the change. All CAM configuration commands require you to reboot the system.
www.dell.com | support.dell.com Allocate space for IPV4 ACLs and QoS regions, and IPv6 6 ACLs and QoS regions on the C-Series and S-Series by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. Note that there are 16 FP blocks, but the System Flow requires 3 blocks that cannot be reallocated.
Step Task Command Syntax Command Mode 3 Verify that the new settings will be written to the CAM on the next boot. show cam-acl EXEC Privilege 4 Reload the system. reload EXEC Privilege Test CAM Usage The test cam-usage command is supported on platforms cesz This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. Use this command to determine whether sufficient ACL CAM space is available to enable a service-policy.
www.dell.com | support.dell.com Reserved FIB : ACL : Flow : EgACL : MicroCode Name --More-- 0 0 0 0 : 8K entries entries entries entries entries : Default : : : : 0 0 0 0 : 8K entries entries entries entries entries : Default View a brief output of the command show cam-profile using the summary option. The command show running-config cam-profile shows the current profile and microcode as shown in the following example.
L2Qos L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl : : : : : : 2 1 2 0 0 0 -- Line card 6 -Current Settings(in block sizes) L2Acl : 2 Ipv4Acl : 2 Ipv6Acl : 2 Ipv4Qos : 2 L2Qos : 2 L2PT : 1 IpMacAcl : 2 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 The default values for the show cam-acl command for the are: FTOS#show cam-acl -- Chassis Cam ACL -Current Settings(in block sizes) L2Acl : 4 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsi
www.dell.com | support.dell.com View CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the command show cam-usage from EXEC Privilege mode, as shown in the following example.
Table 10-5. IPv4Flow CAM Sub-partition Sizes Space Allocated (EtherScale) Space Allocated (TeraScale) Space Allocated (ExaScale) QoS 8K 2K 2K System Flow 5K 5K 5K 1 1K 1K Partition Trace Lists You can re-configure the amount of space allocated for each type of entry. FTOS requires that you specify an amount of CAM space for all types and in the order shown in Table 10-5.
www.dell.com | support.dell.
Configure Ingress Layer 2 ACL Sub-partitions IPv4Flow sub-partitions are supported on platform e The Ingress Layer 2 ACL CAM partition has sub-partitions for several types of information. Table 10-6 lists the sub-partition and the percentage of the Ingress Layer 2 ACL CAM partition that FTOS allocates to each by default. Table 10-6.
www.dell.com | support.dell.com To re-allocate CAM space within the Ingress Layer 2 ACL partition on the entire system as shown in the following example. : Step Task Command Syntax Command Mode 1 Re-allocate CAM space within the Ingress Layer 2 ACL partition. cam-l2acl CONFIGURATION 2 Save the running-configuration. copy running-config startup-config EXEC Privilege 3 Verify that FTOS will write the new CAM configuration to the CAM on the next boot.
Return to the Default CAM Configuration Return to the default CAM Profile, microcode, IPv4Flow, or Layer 2 ACL configuration using the keyword default from EXEC Privilege mode or from CONFIGURATION mode, as shown in the following example.
www.dell.com | support.dell.com • • • • When MPLS IP packets are received, FTOS looks up to 5 labels deep for the IP header. When an IP header is present, hashing is based on IP 3 tuple (source IP address, destination IP address, and IP protocol). If an IP header is not found after the 5th label, hashing is based on the MPLS labels. If the packet has more than 5 MPLS labels, hashing is based on the source and destination MAC address.
• • • Change to the default profile if downgrading to and FTOS version earlier than 6.3.1.1. Use the CONFIGURATION mode commands so that the profile is change throughout the system. Use the EXEC Privilege mode commands to match the profile of a component to the profile of the target system. QoS CAM Region Limitation The default CAM profile allocates a partition within the IPv4Flow region to store QoS service policies.
www.dell.com | support.dell.
11 Control Plane Policing (CoPP) Control Plane Policing (CoPP) is supported on platforms: z Overview Control Plane Policing (CoPP) uses ACL rules and QoS policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
CoPP solution example OPSF flood CPU at 1100 PPS ICMP fails Q5 Q4 CPU Processes (OSPF, LACP, STP, ICMP, etc) Packets Q6 400 PPS CPU Software Queue ICMP PING Q7 1100 PPS (Ingress Flow Entries) STP Protocol to Queue Classification Hardware Queue Rate Limiting Front End Ports No CoPP Rules Q3 Q2 Q1 STP Q0 Q7 receives STP at 1100 pps due to network storm/loop. The CPU is hit with the entire 1100 pps and the PING attemp fails intermittently.
The CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies. Configure CoPP for protocols This section lists the commands necessary to create and enable the service-policies for CoPP. Refer to Access Control Lists (ACLs) and Quality of Service (QoS) for complete information about creating ACLs and QoS rules.
www.dell.com | support.dell.
Match QoS Class Map to QoS Policy FTOS(conf)#policy-map-input egressFP_rate_policy cpu-qos FTOS(conf-policy-map-in-cpuqos)#class-map class_ospf qos-policy rate_limit_500k FTOS(conf-policy-map-in-cpuqos)#class-map class_bgp qos-policy rate_limit_400k FTOS(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k FTOS(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k FTOS(conf-policy-map-in-cpuqos)#exit Create Control Plane Service Policy FTOS(conf)#control-plane-cpu
www.dell.com | support.dell.
Use the show ip protocol-queue-mapping command to view the queue mapping for each configured protocol.
www.dell.com | support.dell.
12 Z-Series Debugging and Diagnostics The chapter contains the following major sections: • • • • • • • • • Offline Diagnostics TRACE logs Hardware watchdog timer Last restart reason show hardware commands Troubleshooting packet loss Application core dumps Mini core dumps TCP dumps Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware.
www.dell.com | support.dell.com Running Offline Diagnostics 1. Place the unit in the offline state using the offline stack-unit command from EXEC Privilege mode, as shown in Taking a Z-Series Stack Unit Offline. You cannot enter the command on a stacking unit. Note: The system reboots when the off-line diagnostics complete. This is an automatic process in default mode.
Figure 12-2.
www.dell.com | support.dell.com Figure 12-3. Running Offline Diagnostics on a Z-Series Standalone Unit FTOS#diag stack-unit 1 alllevels Warning - diagnostic execution will cause multiple link flaps on the peer side - advisable to shut directly connected ports Proceed with Diags [confirm yes/no]: yes 00:03:35: %S50N:1 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1 00:03:35 : Approximate time to complete these Diags ...
Figure 12-4. Verifying the Offline/Online Diagnostics of a Z-Series Standalone Unit flash: 3001958400 bytes total (2716000256 bytes free) FTOS#show file flash://TestReport-SU-0.
www.dell.com | support.dell.com Test 5 - Psu Source Type Test ...................................... FAIL + TEST - 6 PSU [0] Fan FLOW Type Normal (IO --> Rear) Test 6.000 - Psu Fan module type detect test ........................ PASS diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present... diagS3240PsuFanModuleTypeDetectTest[448]: ERROR: Getting PSU -1 power status failed. Offline diagnostics can be run in DEBUG Mode as shown in the following example, Running offline diagnostics in DEBUG mode.
Figure 12-7. show diag stack-unit command example FTOS#show diag stackunit 0 Diag status of Stackunit member 0: -------------------------------------------------------------------------Stackunit is currently offline. Stackunit level2 diag issued at Thu Apr 09, 2009 02:40:13 PM. Current diag status: Unit diags are done. Duration of execution (Total): 8 min 11 sec. Diagonostic test results located: /f10/flash/TestReport-SU-0.
www.dell.com | support.dell.com Last restart reason If a Z9000 system restarted for some reason (automatically or manually), the show system command output includes the reason for the restart. The following table shows the reasons displayed in the output and their corresponding causes. Table 12-1.
Table 12-2. show hardware Commands Command Description show hardware stack-unit {0-11} cpu management statistics View internal interface status of the stack-unit CPU port which connects to the external management interface. show hardware stack-unit {0-11} cpu data-plane statistics View driver-level statistics for the data-plane port on the CPU for the specified stack-unit.
www.dell.com | support.dell.com 292 The Z9000 supports 32 40G ports or 128 10G ports on four port-pipes, which are also called units. The system displays internal port numbers, not the external port numbers that you will see. See the following table for information that maps the internal unit port number with the port-pipe unit for the 40G (highlighted lines only) and 10G ports (all lines). Table 12-3.
Table 12-3.
www.dell.com | support.dell.com • • The card genuinely is too hot. A sensor has malfunctioned. Inspect cards adjacent to the one reporting the condition to discover the cause. • • If directly adjacent cards are not normal temperature, suspect a genuine overheating condition. If directly adjacent cards are normal temperature, suspect a faulty sensor. When the system detects a genuine over-temperature condition, it powers off the card.
Recognize an under-voltage condition If the system detects an under-voltage condition and declares an alarm. To recognize this condition, look for the system messages in Message 3. Message 3 Under-voltage Condition System Messages %CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage This message in Message 3 indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE).
www.dell.com | support.dell.com Buffer tuning Buffer Tuning allows you to modify the way your switch allocates buffers from its available memory, and helps prevent packet drops during a temporary burst of traffic. The S-Series ASICs implement the key functions of queuing, feature lookups, and forwarding lookups in hardware.
You can configure dynamic buffers per port on both 1G and 10G FPs and per queue on CSFs. By default, the FP dynamic buffer allocation is 10 times oversubscribed. For the 48-port 1G card: • • • Dynamic Pool= Total Available Pool(16384 cells) – Total Dedicated Pool = 5904 cells Oversubscription ratio = 10 Dynamic Cell Limit Per port = 59040/29 = 2036 cells Figure 12-10.
www.dell.com | support.dell.com Buffer tuning commands Note: Buffer profile queue 1 is not supported. Use default buffer profile queue 4. Task Command Command Mode Define a buffer profile for the FP queues. buffer-profile fp fsqueue CONFIGURATION Define a buffer profile for the CSF queues. buffer-profile csf csqueue CONFIGURATION Change the dedicated buffers on a physical 1G interface. buffer dedicated BUFFER PROFILE Change the maximum amount of dynamic buffers an interface can request.
Display the allocations for any buffer profile using the show commands in Figure 12-12. Display the default buffer profile using the command show buffer-profile {summary | detail} from EXEC Privilege mode, as shown in Figure 12-11. Figure 12-11. Display the Default Buffer Profile FTOS#show buffer-profile detail interface gigabitethernet 0/1 Interface Gi 0/1 Buffer-profile Dynamic buffer 194.88 (Kilobytes) Queue# Dedicated Buffer Buffer Packets (Kilobytes) 0 2.50 256 1 2.50 256 2 2.50 256 3 2.50 256 4 9.
www.dell.com | support.dell.com Using a pre-defined buffer profile FTOS provides two pre-defined buffer profiles, one for single-queue (i.e non-QoS) applications, and one for four-queue (i.e QoS) applications. Task Command Mode Apply one of two pre-defined buffer profiles for all port pipes in the system. buffer-profile global [1Q|4Q] CONFIGURATION You must reload the system for the global buffer profile to take effect (Message 4).
Figure 12-13.
www.dell.com | support.dell.com Figure 12-14.
Figure 12-16.
www.dell.com | support.dell.com Displaying Party Bus Statistics FTOS#sh hardware stack-unit 2 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Displaying Stack Member Counters The show hardware stack-unit 0–7 {counters | details | port-stats [detail] | register} command displays internal receive and transmit statistics, based on the selected command option.
Application core dumps Application core dumps are disabled by default. A core dump file can be very large. Core dumps are stored in the local flash. Enable full application core dumps with the following: Task Command Syntax Command Mode Enable RPM core dumps and specify the shutdown mode. logging coredump server CONFIGURATION When you enable this command to allow the system to automatically upload application core dumps to an FTP server, you will be requested to enter a password.
www.dell.com | support.dell.
Task Command Syntax Command Mode Enable a TCP dump for CPU bound traffic.
www.dell.com | support.dell.
13 Dynamic Host Configuration Protocol (DHCP) Dynamic Host Configuration Protocol (DHCP) is available on platforms: (except where noted).
www.dell.com | support.dell.com DHCP Packet Format and Options DHCP uses UDP as its transport protocol. The server listens on port 67 and transmits to port 68; the client listens on port 68 and transmits to port 67. The configuration parameters are carried as options in the DHCP packet in Type, Length, Value (TLV) format; many options are specified in RFC 2132.
Assigning an IP Address using DHCP When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters. 2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters.
www.dell.com | support.dell.com Implementation Information • • The Dell Force10 implementation of DHCP is based on RFC 2131 and RFC 3046. IP Source Address Validation is a sub-feature of DHCP Snooping; FTOS uses ACLs internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP Source Address Validation.
The key responsibilities of DHCP servers are: 1. Address Storage and Management: DHCP servers are the owners of the addresses used by DHCP clients.The server stores the addresses and manages their use, keeping track of which addresses have been allocated and which are still available. 2. Configuration Parameter Storage and Management: DHCP servers also store and maintain other parameters that are sent to clients when requested. These parameters specify in detail how a client is to operate. 3.
www.dell.com | support.dell.com To create an address pool: Step Task Command Syntax Command Mode 1 Access the DHCP server CLI context. ip dhcp server CONFIGURATION 2 Create an address pool and give it a name. pool name DHCP 3 Specify the range of IP addresses from which the DHCP server may assign addresses. • network is the subnet address. • prefix-length specifies the number of bits used for the network portion of the address you specify.
Enable DHCP Server DHCP server is disabled by default. Step Task Command Syntax Command Mode 1 Enter the DHCP command-line context. ip dhcp server CONFIGURATION 2 Enable DHCP server. no disable Default: Disabled DHCP 3 Display the current DHCP configuration. show config DHCP In the following figure, an IP phone is powered by PoE and has acquired an IP address from the Dell Force10 system, which is advertising LLDP-MED.
www.dell.com | support.dell.com Address Resolution using NetBIOS WINS Windows Internet Naming Service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
Step 3 Task Command Syntax Command Mode Specify the client hardware address or client-identifier. • hardware-address is the client MAC address. client-identifier is required for Microsoft clients instead of a hardware addresses. The client identifier is formed by concatenating the media type and the MAC address of the client. Refer to the “Address Resolution Protocol Parameters” section of RFC 1700—Assigned Numbers, for a list of media type codes.
www.dell.com | support.dell.com When ip helper-address is configured, the system listens for DHCP broadcast messages on port 67. The system rewrites packets received from the client and forwards them via unicast to the DHCP servers; the system rewrites the destination IP address and writes its own address as the relay device.
Configure the System for User Port Stacking When you set the DHCP offer on the DHCP server, you can set the stacking-option variable to provide the stack-port detail so a stack can be formed when the units are connected. Configure Secure DHCP DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
www.dell.com | support.dell.com The relay agent strips Option 82 from DHCP responses before forwarding them to the client. Task Command Syntax Command Mode Insert Option 82 into DHCP packets. For routers between the relay agent and the DHCP server, enter the trust-downstream option. ip dhcp relay information-option [trust-downstream] CONFIGURATION Manually reset the remote ID for Option 82.
Enable DHCP snooping Step Task Command Syntax Command Mode 1 Enable DHCP Snooping globally. ip dhcp snooping CONFIGURATION 2 Specify ports connected to DHCP servers as trusted. ip dhcp snooping trust INTERFACE 3 Enable DHCP Snooping on a VLAN. ip dhcp snooping vlan CONFIGURATION Add a static entry in the binding table Task Command Syntax Command Mode Add a static entry in the binding table.
www.dell.com | support.dell.com View the DHACP Snooping statistics with the show ip dhcp snooping command as shown in the following example. FTOS#show ip dhcp snooping IP IP IP IP DHCP DHCP DHCP DHCP Snooping Snooping Mac Verification Relay Information-option Relay Trust Downstream : : : : Enabled. Disabled. Disabled. Disabled.
Dynamic ARP Inspection Dynamic ARP inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accepts ARP request and replies from any device, and ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry already exists in its ARP cache, it overwrites the existing entry with the new information.
www.dell.com | support.dell.com • denial of service—an attacker can send a fraudulent ARP messages to a client to associate a false MAC address with the gateway address, which would blackhole all internet-bound packets from the client. Note: DAI uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is required for every DAI-enabled VLAN, and you can enable DAI on up to 16 VLANs on a system.
Invalid ARP Replies FTOS# : 0 Bypass the ARP Inspection You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments. ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default. Task Command Syntax Command Mode Specify an interface as trusted so that ARPs are not validated against the binding table. arp inspection-trust INTERFACE FTOS Behavior: Introduced in FTOS version 8.2.1.
www.dell.com | support.dell.com The DHCP binding table associates addresses assigned by the DHCP servers, with the port on which the requesting client is attached. When IP Source Address Validation is enabled on a port, the system verifies that the source IP address is one that is associated with the incoming port. If an attacker is impostering as a legitimate client the source address appears on the wrong ingress port, and the system drops the packet.
FTOS creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface. Task Command Syntax Command Mode Display the IP+MAC ACL for an interface for the entire system.
www.dell.com | support.dell.
14 Equal Cost Multi-Path (ECMP) Equal Cost Multi-Path (ECMP) is supported on platforms: e c s ECMP for Flow-based Affinity ECMP for Flow-based Affinity is available on platforms e and The hashing algorithm on E-Series TeraScale and E-Series ExaScale are different. Hashing on ExaScale is based on CRC, checksum, or XOR, and the algorithm on TeraScale is based on checksum only.
www.dell.com | support.dell.com FTOS Behavior: In FTOS versions prior to 8.2.1.2, the ExaScale default hash-algorithm is 0. Beginning with version 8.2.1.2, the default hash-algorithm is 24. Deterministic ECMP Next Hop Deterministic ECMP Next Hop arranges all ECMPs in order before writing them into the CAM. For example, suppose the RTM learns 8 ECMPs in the order that the protocols and interfaces came up. In this case, the FIB and CAM sort them so that the ECMPs are always arranged.
In the illustration below, Core Router 1 is an E-Series TeraScale and Core Router 2 is an E-Series ExaScale. They have similar configurations and have routes for prefix P with two possible next-hops. When Deterministic ECMP is enabled and the hash algorithm and seed are configured the same, each flow is consistently sent to the same next hop even though they are routed through two different chassis.
www.dell.com | support.dell.com Enable link bundle monitoring using the ecmp-group command. Note: An ecmp-group index is generated automatically for each unique ecmp-group when the user configures multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups. The ecmp-group indexes are generated in even numbers (0, 2, 4, 6... 1022) and are for information only.
15 Enabling FIPS Cryptography Federal Information Processing Standards (FIPS) Cryptography is supported on the following platforms: z This chapter describes how to enable FIPS cryptography requirements on the Dell Force10 platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
www.dell.com | support.dell.com Enabling FIPS Mode You must use the console port to enable or disable FIPS mode. The host attached to the console port must be secured against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. To enable FIPS mode: Task Command Syntax Command Mode Enable FIPS mode from a console port.
Monitoring FIPS Mode Status The status of the current FIPS mode (Enabled/Disabled) can be viewed directly using either the show fips status command or the show system command as shown below. FTOS#show fips status FIPS Mode : Enabled for the system using the show system command.
336 | Enabling FIPS Cryptography www.dell.com | support.dell.
16 Force10 Resilient Ring Protocol (FRRP) Force10 Resilient Ring Protocol (FRRP) is supported on platforms: ecsz Force10 Resilient Ring Protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a Metropolitan Area Network (MAN) or large campuses.
www.dell.com | support.dell.com to be transmitted and received through it. See Figure 16-1 for a simple example of this FRRP topology. Note that ring direction is determined by the Master node’s Primary and Secondary ports. Figure 16-1.
If the Master node does not receive the Ring Health Frame (RHF) before the fail-period timer expires (a configurable timer), the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node also clears its forwarding table and sends a control frame to all other nodes, instructing them to also clear their forwarding tables. Immediately after clearing its forwarding table, each node starts learning the new topology.
www.dell.com | support.dell.com In the example shown in Figure 16-2, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202. Figure 16-2.
• • • • • • • • • Multiple physical rings can be run on the same switch One Master node per ring—all other nodes are Transit Each node has 2 member interfaces—Primary, Secondary No limit to the number of nodes on a ring Master node ring port states—blocking, pre-forwarding, forwarding, disabled Transit node ring port states—blocking, pre-forwarding, forwarding, disabled STP disabled on ring interfaces Master node secondary port is in blocking state during Normal operation Ring Health Frames (RHF) • Hello R
www.dell.com | support.dell.com Table 16-1. FRRP Components (continued) Concept Explanation Ring Interface State Each interface (port) that is part of the ring maintains one of four states • • • • Blocking State: Accepts ring protocol packets but blocks data packets. LLDP, FEFD, or other Layer 2 control packets are accepted. Only the master node Secondary port can enter this state. Pre-Forwarding State: A transition state before moving to the Forward state.
• • • The Control VLAN is used to carry any data traffic; it carries only RHFs. The Control VLAN cannot have members that are not ring ports. If multiple rings share one or more member VLANs, they cannot share any links between them. • Member VLANs across multiple rings are not supported in Master nodes. • Each ring has only one Master node; all others are transit nodes. FRRP Configuration These are the tasks to configure FRRP.
www.dell.com | support.dell.com All VLANS must be in Layer 2 mode. Only ring nodes can be added to the VLAN. A Control VLAN can belong to one FRRP group only. Control VLAN ports must be tagged. All ports on the ring must use the same VLAN ID for the Control VLAN. A VLAN cannot be configured as both a Control VLAN and Member VLAN on the same ring. Only two interfaces can be members of a Control VLAN (the Master Primary and Secondary ports).
Step Command Syntax Command Mode Purpose 4 mode master CONFIG-FRRP Configure the Master node 5 member-vlan vlan-id {range} CONFIG-FRRP Identify the Member VLANs for this FRRP group VLAN-ID, Range: VLAN IDs for the ring’s Member VLANS. 6 no disable CONFIG-FRRP Enable FRRP Configure and add the Member VLANs Control and Member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands.
www.dell.com | support.dell.com Step Command Syntax Command Mode Purpose 3 interface primary int slot/port secondary int slot/port control-vlan vlan id CONFIG-FRRP Assign the Primary and Secondary ports, and the Control VLAN for the ports on the ring. Interface: • For a 10/100/1000 Ethernet interface, enter the keyword keyword GigabitEthernet followed by the slot/port information.
Clear FRRP counters Use one of the following commands to clear the FRRP counters. Command Syntax Command Mode Purpose clear frrp ring-id EXEC PRIVELEGED Clear the counters associated with this Ring ID Ring ID: 1-255 clear frrp EXEC PRIVELEGED Clear the counters associated with all FRRP groups Show FRRP configuration Use the following command to view the configuration for the FRRP group.
www.dell.com | support.dell.com Troubleshooting FRRP Configuration Checks • • • • • • Each Control Ring must use a unique VLAN ID Only two interfaces on a switch can be Members of the same Control VLAN There can be only one Master node for any FRRP Group. FRRP can be configured on Layer 2 interfaces only Spanning Tree (if enabled globally) must be disabled on both Primary and Secondary interfaces when FRRP is enabled.
Figure 16-3.
www.dell.com | support.dell.
17 GARP VLAN Registration Protocol (GVRP) GARP VLAN Registration Protocol (GVRP) is supported on platform: ecsz Protocol Overview Typical VLAN implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GARP VLAN Registration Protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
www.dell.com | support.dell.com Figure 17-1. GVRP Compatibility Error Message FTOS(conf)#protocol spanning-tree pvst FTOS(conf-pvst)#no disable % Error: GVRP running. Cannot enable PVST. ......... FTOS(conf)#protocol spanning-tree mstp FTOS(conf-mstp)#no disable % Error: GVRP running. Cannot enable MSTP. ......... FTOS(conf)#protocol gvrp FTOS(conf-gvrp)#no disable % Error: PVST running. Cannot enable GVRP. % Error: MSTP running. Cannot enable GVRP.
Figure 17-2. GVRP Configuration Overview GVRP is configured globally and on all VLAN trunk ports for the edge and core switches. Edge Switches Edge Switches Core Switches VLANs 70-80 VLANs 10-20 VLANs 10-20 VLANs 30-50 VLANs 70-80 VLANs 30-50 NOTES: VLAN 1 mode is always fixed and cannot be configured All VLAN trunk ports must be configured for GVRP All VLAN trunk ports must be configured as 802.1Q Basic GVRP configuration is a 2-step process: 1. Enable GVRP globally. See page 354. 2.
www.dell.com | support.dell.com Figure 17-3. Enabling GVRP Globally FTOS(conf)#protocol gvrp FTOS(config-gvrp)#no disable FTOS(config-gvrp)#show config ! protocol gvrp no disable FTOS(config-gvrp)# Enabling GVRP on a Layer 2 Interface Enable GVRP on a Layer 2 interface using the command gvrp enable in INTERFACE mode, as shown in Figure 17-4.
Based on the configuration in the example shown in Figure 17-5, the interface 1/21 will not be removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface will not be dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received. Figure 17-5.
www.dell.com | support.dell.com 356 FTOS displays Message 1 if an attempt is made to configure an invalid GARP timer. Message 1 GARP Timer Error FTOS(conf)#garp timers join 300 % Error: Leave timer should be >= 3*Join timer.
18 Internet Group Management Protocol (IGMP) Internet Group Management Protocol (IGMP) is supported on platform: ecsz Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Internet Group Management Protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
www.dell.com | support.dell.com IGMP version 2 IGMP version 2 improves upon version 1 by specifying IGMP Leave messages, which allows hosts to notify routers that they no longer care about traffic for a particular group. Leave messages reduce the amount of time that the router takes to stop forwarding traffic for a group to a subnet (leave latency) after the last host leaves the group.
Sending an Unsolicited IGMP Report A host does not have to wait for a general query to join a group. It may send an unsolicited IGMP Membership Report, also called an IGMP Join message, to the querier. Leaving a Multicast Group 1. A host sends a membership report of type 0x17 (IGMP Leave message) to the all routers multicast address 224.0.0.2 when it no longer cares about multicast traffic for a particular group. 2.
www.dell.com | support.dell.com Figure 18-3. Version (4) IHL IGMP version 3 Membership Report Packet Format TOS (0xc0) Total Length Flags Frag Offset TTL (1) Protocol (2) Header Checksum Type Reserved Src IP Addr Dest IP Addr (224.0.0.
Figure 18-4. IGMP Membership Reports: Joining and Filtering Membership Reports: Joining and Filtering 3 Interface Multicast Group Filter Source Source Address Timer Mode Timer 1/1 224.1.1.1 GMI Exclude None 1/1 224.1.1.1 Include 10.11.1.1 GMI 1/1 224.1.1.1 Include 10.11.1.1 GMI IGMP Group-and-Source Specific Query Non-Querier Querier Type: 0x11 Group Address: 244.1.1.1 Number of Sources: 1 Source Address: 10.11.1.1 1/1 10.11.1.
www.dell.com | support.dell.com Figure 18-5. IGMP Membership Queries: Leaving and Staying in Groups Membership Queries: Leaving and Staying Non-Querier Querier Interface Multicast Group Filter Source Source Address Timer Mode Timer 1/1 224.1.1.1 Include 10.11.1.1 LQMT 10.11.1.2 LQMT Non-querier builds identical table and waits Other Querier Present Interval to assume Querier role 1/1 2/1 224.2.2.2 GMI Exclude None IGMP Group-and-Source Specific Query Type: 0x11 Group Address: 224.1.1.
Figure 18-6. Viewing IGMP-enabled Interfaces FTOS#show ip igmp interface gig 7/16 GigabitEthernet 7/16 is up, line protocol is up Internet address is 10.87.3.2/24 IGMP is enabled on interface IGMP query interval is 60 seconds IGMP querier timeout is 300 seconds IGMP max query response time is 10 seconds Last member query response interval is 199 ms IGMP activity: 0 joins, 0 leaves IGMP querying router is 10.87.3.
www.dell.com | support.dell.com Figure 18-8. Viewing Static and Learned IGMP Groups FTOS(conf-if-gi-1/0)#do sho ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Uptime 224.1.1.1 GigabitEthernet 1/0 00:00:03 224.1.2.1 GigabitEthernet 1/0 00:56:55 Expires Never 00:01:22 Last Reporter CLI 1.1.1.2 Adjusting Timers View the current value of all IGMP timers using the command show ip igmp interface from EXEC Privilege mode, as shown in Figure 18-6.
2. When a router receives a query it compares the IP address of the interface on which it was received with the source IP address given in the query. If the receiving router IP address is greater than the source address given in the query, the router stops sending queries. By this method, the router with the lowest IP address on the subnet is elected querier and continues to send queries. 3.
www.dell.com | support.dell.com IGMP Snooping Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device. Switches forward multicast frames out of all ports in a VLAN by default, even though there may be only some interested hosts, which is a waste of bandwidth.
Figure 18-10. Enabling IGMP Snooping FTOS(conf-if-vl-100)#show config ! interface Vlan 100 no ip address ip igmp snooping fast-leave shutdown FTOS(conf-if-vl-100)# Disabling Multicast Flooding If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN.
www.dell.com | support.dell.com • When enabled, IGMP snooping Querier starts after one query interval in case no IGMP general query (with IP SA lower than its VLAN IP address) is received on any of its VLAN members. Adjusting the Last Member Query Interval When the querier receives a leave message from a receiver, it sends a group-specific query out of the ports specified in the forwarding table. If no response is received, it sends another.
19 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with FTOS. 10/100/1000 Mbps Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet interfaces are supported on platforms: e c s z SONET interfaces are only supported on platform e.
www.dell.com | support.dell.
Figure 19-1. show interfaces Command Example FTOS#show interfaces tengigabitethernet 1/0 TenGigabitEthernet 0/20 is up, line protocol is up Hardware is DellForce10Eth, address is 00:01:e8:a0:bf:ed Current address is 00:01:e8:a0:bf:ed Pluggable media present, QSFP type is 40GBASE-SR4 Wavelength is 850nm QSFP receive power reading is -2.
www.dell.com | support.dell.com Figure 19-3. Interfaces listed in the show running-config Command (Partial) FTOS#show running Current Configuration ...
To confirm that the interface is enabled, use the show config command in the INTERFACE mode. To leave the INTERFACE mode, use the exit command or end command. The user can not delete a physical interface. Physical Interfaces The Management Ethernet interface, is a single RJ-45 Fast Ethernet port on the Route Processor Module (RPM) of the C-Series and E-Series and on each unit of the S4810 and Z9000; it provides dedicated management access to the system.
www.dell.com | support.dell.com Overview of Layer Modes On all systems running FTOS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode. Table 19-1.
For information on enabling and configuring Spanning Tree Protocol, see Chapter 10, Layer 2, on page 47. To view the interfaces in Layer 2 mode, use the command show interfaces switchport in the EXEC mode. Configure Layer 3 (Network) Mode When you assign an IP address to a physical interface, you place it in Layer 3 mode. Use the ip address command and no shutdown command in INTERFACE mode to enable Layer 3 mode on an individual interface.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose ip address ip-address mask [secondary] INTERFACE Configure a primary IP address and mask on the interface. The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. You can only configure one (1) primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface.
To configure a Management interface, use the following command in the CONFIGUR ATION mode: Command Syntax Command Mode Purpose interface managementethernet interface CONFIGURATION Enter the slot and the port (0). ON the E-Series and C-Series, dual RPMs can be in use. Slot range: C-Series, E-Series: 0-1 S4810, Z9000: 0 You can configure two global IPv6 addresses on the S4810 and Z9000 systems in EXEC Privilege mode.
www.dell.com | support.dell.com To configure IP addresses on a Management interface, use the following command in the MANAGEMENT INTERFACE mode: Command Syntax Command Mode Purpose ip address ip-address mask INTERFACE Configure an IP address and mask on the interface. • ip-address mask: enter an address in dotted-decimal format (A.B.C.D), the mask must be in /prefix format (/x) If there are 2 RPMs on the system, each Management interface must be configured with a different IP address.
As shown in the following example, from EXEC Privilege mode, display the configuration for a given port by entering the command show interface, and the routing table with the show ip route command. Figure 19-9.
www.dell.com | support.dell.com Assign an IP address to an interface with the following command the INTERFACE mode: Command Syntax Command Mode Purpose ip address ip-address mask [secondary] INTERFACE Configure an IP address and mask on the interface. • ip-address mask: enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24). • secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
Null Interfaces The Null interface is another virtual interface created by the E-Series software. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter the INTERFACE mode of the Null interface, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose interface null 0 CONFIGURATION Enter the INTERFACE mode of the Null interface.
www.dell.com | support.dell.com With this feature, the user can create larger-capacity interfaces by utilizing a group of lower-speed links. For example, the user can build a 5-Gigabit interface by aggregating five 1-Gigabit Ethernet interfaces together. If one of the five interfaces fails, traffic is redistributed across the four remaining interfaces.
10/100/1000 Mbps interfaces in port channels When both 10/100/1000 interfaces and GigE interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled. At that time, the software checks the first interface listed in the port channel configuration.
www.dell.com | support.dell.com To configure a port channel, use these commands in the following sequence, starting in the CONFIGURATION mode: Step 1 2 Command Syntax Command Mode Purpose interface port-channel id-number CONFIGURATION Create a port channel. no shutdown INTERFACE PORT-CHANNEL Ensure that the port channel is active. The port channel is now enabled and you can place the port channel in Layer 2 or Layer 3 mode.
To add a physical interface to a port channel, use these commands in the following sequence in the INTERFACE mode of a port channel: Step Command Syntax Command Mode Purpose 1 channel-member interface INTERFACE PORT-CHANNEL Add the interface to a port channel. The interface variable is the physical interface type and slot/port information. 2 show config INTERFACE PORT-CHANNEL Double check that the interface was added to the port channel.
www.dell.com | support.dell.com Figure 19-12 displays the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a Layer 2 port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel. Figure 19-12. show interface port-channel Command Example FTOS>show interface port-channel 20 Port-channel 20 is up, line protocol is up Hardware address is 00:01:e8:01:46:fa Internet address is 1.1.120.
Reassign an interface to a new port channel An interface can be a member of only one port channel. If the interface is a member of a port channel, you must remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, FTOS recalculates the hash algorithm for the port channel.
www.dell.com | support.dell.com Configure the minimum oper up links in a port channel (LAG) You can configure the minimum links in a port channel (LAG) that must be in “oper up” status for the port channel to be considered to be in “oper up” status. Use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose minimum-links number INTERFACE Enter the number of links in a LAG that must be in “oper up” status.
Assign an IP address to a port channel You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose ip address ip-address mask [secondary] INTERFACE Configure an IP address and mask on the interface. • ip-address mask: enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24).
www.dell.com | support.dell.com E-Series load-balancing On the E-Series, the default load-balance criteria are a 5-tuple, as follows: • • • • • IP source address IP destination address Protocol type TCP/UDP source port TCP/UDP destination port Balancing may be applied to IPv4, switched IPv6, and non-IP traffic. For these traffic types, the IP-header-based hash and MAC-based hash may be applied to packets by using the following methods. Table 19-3.
To distribute IP traffic over an E-Series port channel member, FTOS uses the 5-tuple IP default. The 5-tuple and the 3-tuple hash use the following keys: Table 19-4. 5-tuple and 3-tuple Keys Keys 5-tuple 3-tuple IP source address (lower 32 bits) X X IP destination address (lower 32 bits) X X Protocol type X X TCP/UDP source port X TCP/UDP destination port X Note: For IPV6, only the first 32 bits (LSB) of IP Source Address and IP Destination Address are used for hash generation.
www.dell.com | support.dell.com Table 19-5.
For the E-Series TeraScale and ExaScale, you can select one of 47 possible hash algorithms. Command Syntax Command Mode Purpose hash-algorithm {algorithm-number} | {ecmp {checksum|crc|xor} [number]} lag {checksum|crc|xor][number]}nh-ecm p {[checksum|crc|xor] [number]}}| {linecard number ip-sa-mask value ip-da-mask value} CONFIGURATION Change the default (0) to another algorithm and apply it to ECMP, LAG hashing, or a particular line card.
www.dell.com | support.dell.com For more on load-balancing, see “Equal Cost Multipath and Link Aggregation Frequently Asked Questions” in the E-Series FAQ section (login required) of iSupport: https://www.force10networks.com/CSPortal20/KnowledgeBase/ToolTips.aspx Bulk Configuration Bulk configuration enables you to determine if interfaces are present, for physical interfaces, or, configured, for logical interfaces.
• • • Overlap port ranges Commas Add ranges Create a single-range Figure 19-18. Creating a Single-Range Bulk Configuration FTOS(config)# interface range gigabitethernet 5/1 - 23 FTOS(config-if-range-gi-5/1-23)# no shutdown Create a multiple-range Figure 19-19.
www.dell.com | support.dell.com Commas The example below shows how to use commas to add different interface types to the range, enabling all Gigabit Ethernet interfaces in the range 5/1 to 5/23 and both Ten Gigabit Ethernet interfaces 1/1 and 1/2. FTOS(config-if)# interface range gigabitethernet 5/1 - 23, tengigabitethernet 1/1 - 2 FTOS(config-if-range-gi-5/1-23)# no shutdown FTOS(config-if-range-gi-5/1-23)# Figure 19-23.
Choose an Interface-range Macro To use an interface-range macro in the interface range command, enter this command: Command Syntax Command Mode Purpose interface range macro name CONFIGURATION Selects the interfaces range to be configured using the values saved in a named interface-range macro. The example below shows how to change to the interface-range configuration mode using the interface-range macro named “test”.
www.dell.com | support.dell.com Figure 19-25. Command Example: monitor interface FTOS#monitor interface gi 3/1 FTOS uptime is 1 day(s), 4 hour(s), 31 minute(s) Monitor time: 00:00:00 Refresh Intvl.
To test the condition of cables on 10/100/1000 BASE-T modules, use the tdr-cable-test command: Step 1 2 Command Syntax Command Mode Usage tdr-cable-test gigabitethernet / EXEC Privilege To test for cable faults on the GigabitEthernet cable. • Between two ports, the user must not start the test on both ends of the cable. • The user must enable the interface before starting the test. • The port should be enabled to run the test or the test prints an error message.
www.dell.com | support.dell.com Important Points • • • • Splitting a 40G port into 4x10G port is supported only on a standalone unit. Split ports cannot be used as stack-link to stack an Z9000. Split ports cannot be a part of any stacked system. The unit number with the split ports must be the default (stack-unit 0) This can be verified using show system brief command.
• Changes made do not affect any ongoing debounces. The timer changes take affect from the next debounce onward. Assign a debounce time to an interface Command Syntax Command Mode Purpose link debounce time [milliseconds] INTERFACE Enter the time to delay link status change notification on this interface. Range: 100-5000 ms • • Figure 19-26.
www.dell.com | support.dell.com Disable ports when one only SFM is available (E300 only) Selected ports can be shut down when a single SFM is available on the E300 system. Each port to be shut down must be configured individually. When an E300 system boots up and a single SFM is active this configuration, any ports configured with this feature will be shut down. All other ports are booted up.
• • Link dampening can be applied to Layer 2 and Layer 3 interfaces. Link dampening can be configured on individual interfaces in a LAG. Enable Link Dampening Enable link dampening using the command dampening from INTERFACE mode, as shown in Figure 19-28. Figure 19-28. Configuring Link Dampening R1(conf-if-gi-1/1)#show config ! interface GigabitEthernet 1/1 ip address 10.10.19.
www.dell.com | support.dell.com Figure 19-31.
The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames. To allow full duplex flow control, stations implementing the pause operation instruct the MAC to enable reception of frames with destination address equal to this multicast address. The PAUSE frame is defined by IEEE 802.3x and uses MAC Control frames to carry the PAUSE commands. Ethernet Pause Frames are supported on full duplex only.
www.dell.com | support.dell.com Enable Pause Frames Note: On the C-Series and S-Series (non-S4810) platforms, Ethernet Pause Frames TX should be enabled only after consulting with the Dell Force10 Technical Assistance Center. Note: The S4810 supports only the rx control option. The S4810 does not transmit pause frames. Ethernet Pause Frames flow control must be enabled on all ports on a chassis or a line card. If not, the system may exhibit unpredictable behavior.
Configure MTU Size on an Interface If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422: 1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU The MTU range is 592-12000, with a default of 1500. On the E-Series, the user must enter the ip mtu command to manually configure the IP MTU to compensate for the Layer 2 header.
www.dell.com | support.dell.com Port-pipes A port pipe is a Dell Force10 specific term for the hardware path that packets follow through a system. Port pipes travel through a collection of circuits (ASICs) built into line cards and RPMs on which various processing events for the packets occur. One or two port pipes process traffic for a given set of physical interfaces or a port-set. The E300 only supports one port pipe per slot.
Auto-Negotiation on Ethernet Interfaces Setting speed and duplex mode of Ethernet Interfaces By default, auto-negotiation of speed and duplex mode is enabled on 10/100/1000 Base-T Ethernet interfaces. Only 10GE interfaces do not support auto-negotiation. When using 10GE interfaces, verify that the settings on the connecting devices are set to no auto-negotiation. Note: Starting with FTOS 7.8.1.
www.dell.com | support.dell.com Note: The show interfaces status command displays link status, but not administrative status. For link and administrative status, use show ip interface [interface | brief | linecard slot-number] [configuration]. Figure 19-32.
Figure 19-34.
www.dell.com | support.dell.com Figure 19-35.
Figure 19-37.
www.dell.com | support.dell.com Dynamic Counters By default, counting for the following four applications is enabled: • • • • IPFLOW IPACL L2ACL L2FIB For remaining applications, FTOS automatically turns on counting when the application is enabled, and is turned off when the application is disabled. Please note that if more than four counter-dependent applications are enabled on a port pipe, there is an impact on line rate performance.
Clear interface counters The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters captured by any SNMP program. To clear the counters, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose clear counters [interface] [vrrp [vrid] | learning-limit] EXEC Privilege Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones.
416 | Interfaces www.dell.com | support.dell.
20 IPv4 Routing IPv4 Routing is supported on platforms: ecsz FTOS supports various IP addressing features. This chapter explains the basics of Domain Name Service (DNS), Address Resolution Protocol (ARP), and routing principles and their implementation in FTOS. • • • • • • IP Addresses Directed Broadcast Resolution of Host Names ARP ICMP UDP Helper Table 20-1 lists the defaults for the IP addressing features described in this chapter. Table 20-1.
www.dell.com | support.dell.com At its most basic level, an IP address is 32-bits composed of network and host portions and represented in dotted decimal format. For example, 00001010110101100101011110000011 is represented as 10.214.87.131 For more information on IP addressing, refer to RFC 791, Internet Protocol. Implementation Information In FTOS, you can configure any IP address as a static route except IP addresses already assigned to interfaces. Note: FTOS versions 7.7.1.
To assign an IP address to an interface, use these commands in the following sequence, starting in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose interface interface CONFIGURATION Enter the keyword interface followed by the type of interface and slot/port information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information. • For a Loopback interface, enter the keyword loopback followed by a number from 0 to 16383.
www.dell.com | support.dell.com Figure 20-2. show ip interface Command Example FTOS#show ip int gi 0/8 GigabitEthernet 0/8 is up, line protocol is up Internet address is 10.69.8.1/24 Broadcast address is 10.69.8.
Figure 20-3. show ip route static Command Example (partial) FTOS#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.4/32 via 6.1.20.2, S 6.1.2.5/32 via 6.1.20.2, S 6.1.2.6/32 via 6.1.20.2, S 6.1.2.7/32 via 6.1.20.2, S 6.1.2.8/32 via 6.1.20.2, S 6.1.2.9/32 via 6.1.20.2, S 6.1.2.10/32 via 6.1.20.2, S 6.1.2.11/32 via 6.1.20.2, S 6.1.2.12/32 via 6.1.20.2, S 6.1.2.13/32 via 6.1.20.2, S 6.1.
www.dell.com | support.dell.com To view the configured static routes for the management port, use the show ip management-route command in the EXEC privilege mode. Figure 20-4. show ip management-route Command Example FTOS>show ip management-route Destination ----------1.1.1.0/24 172.16.1.0/24 172.31.1.0/24 Gateway ------172.31.1.250 172.31.1.
Command Syntax Command Mode Purpose ip domain-lookup CONFIGURATION Enable dynamic resolution of host names. ip name-server ip-address [ip-address2 ... ip-address6] CONFIGURATION Specify up to 6 name servers. The order you entered the servers determines the order of their use. To view current bindings, use the show hosts command. Figure 20-5. show hosts Command Example FTOS>show host Default domain is force10networks.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose ip domain-list name CONFIGURATION Enter up to 63 characters to configure names to complete unqualified host names. Configure this command up to 6 times to specify a list of possible domain names. FTOS searches the domain names in the order they were configured until a match is found or the list is exhausted. DNS with traceroute To configure your switch to perform DNS with traceroute, follow the steps below in the CONFIGURATION mode.
ARP FTOS uses two forms of address resolution: ARP and Proxy ARP. Address Resolution Protocol (ARP) runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, FTOS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time. For more information on ARP, see RFC 826, An Ethernet Address Resolution Protocol.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose arp ip-address mac-address interface CONFIGURATION Configure an IP address and MAC address mapping for an interface. • ip-address: IP address in dotted decimal format (A.B.C.D). • mac-address: MAC address in nnnn.nnnn.nnnn format • interface: enter the interface type slot/port information. These entries do not age and can only be removed manually. To remove a static ARP entry, use the no arp ip-address command syntax.
Command Syntax Command Mode Purpose clear arp-cache [interface | ip ip-address] [no-refresh] EXEC privilege Clear the ARP caches for all interfaces or for a specific interface by entering the following information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information. • For a port channel interface, enter the keyword port-channel followed by a number from 1 to 255 for TeraScale and ExaScale.
www.dell.com | support.dell.com Beginning with version 8.3.1.0, when a Gratuitous ARP is received, FTOS installs an ARP entry on all 3 CPUs. Task Command Syntax Command Mode Enable ARP learning via gratuitous ARP. arp learn-enable CONFIGURATION ARP Learning via ARP Request In FTOS versions prior to 8.3.1.0, FTOS learns via ARP Requests only if the Target IP specified in the packet matches the IP address of the receiving router interface.
Configurable ARP Retries In FTOS versions prior to 8.3.1.0 the number of ARP retries is set to 5 and is not configurable. After 5 retries, FTOS backs off for 20 seconds before it sends a new request. Beginning with FTOS version 8.3.1.0, the number of ARP retries is configurable. The default backoff interval remains at 20 seconds. On the S4810 platform, with FTOS version 8.3.8.0 and later, the time between ARP resend is configurable. This timer is an exponential backoff timer.
www.dell.com | support.dell.com To reenable the creation of ICMP unreachable messages on the interface, use the following command in the INTERFACE mode: Command Syntax Command Mode Purpose ip unreachable INTERFACE Set FTOS to create and send ICMP unreachable messages on the interface. To view if ICMP unreachable messages are sent on the interface, use the show config command in the INTERFACE mode. If it is not listed in the show config command output, it is enabled.
2. Configure a broadcast address on interfaces that will receive UDP broadcast traffic. See Configuring a Broadcast Address on page 431. Important Points to Remember about UDP Helper • • • • The existing command ip directed broadcast is rendered meaningless if UDP helper is enabled on the same interface. The broadcast traffic rate should not exceed 200 packets per second when UDP helper is enabled. You may specify a maximum of 16 UDP ports.
www.dell.com | support.dell.com Figure 20-12. Configuring a Broadcast Address FTOS(conf-if-vl-100)#ip udp-broadcast-address 1.1.255.255 FTOS(conf-if-vl-100)#show config ! interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged GigabitEthernet 1/2 no shutdown View the configured broadcast address for an interface using the command show interfaces, as shown in Figure 20-13. Figure 20-13.
2. If UDP helper (using the command ip udp-helper udp-port) is enabled, and the UDP destination port of the packet matches the UDP port configured, the system changes the destination address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If an IP broadcast address is not configured (using the command ip udp-broadcast-address) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
www.dell.com | support.dell.com Figure 20-15.
Troubleshooting UDP Helper Display debugging information using the command debug ip udp-helper, as shown in Figure 20-17. Figure 20-17. Debugging UDP Broadcast FTOS(conf)# debug ip udp-helper 01:20:22: Pkt rcvd on Gi 5/0 with IP DA (0xffffffff) will be sent on Gi 5/1 Gi 5/2 Vlan 3 01:44:54: Pkt rcvd on Gi 7/0 is handed over for DHCP processing. Use the command debug ip dhcp when using the IP helper and UDP helper on the same interface, as shown in Figure 20-18. Figure 20-18.
436 | IPv4 Routing www.dell.com | support.dell.
21 IPv6 Routing IPv6 Routing is supported on platforms ecsz Note: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. See Table 21-2 to determine the FTOS version supporting which features and platforms. IPv6 (Internet Protocol Version 6) is the successor to IPv4. Due to the extremely rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
www.dell.com | support.dell.com Protocol Overview IPv6 is an evolution of IPv4. IPv6 is generally installed as an upgrade in devices and operating systems. Most new devices and operating systems support both IPv4 and IPv6. Some key changes in IPv6 are: • • • • Extended Address Space Stateless Autoconfiguration Header Format Simplification Improved Support for Options and Extensions Extended Address Space The address format is extended from 32 bits to 128 bits.
The router redirect functionality in Neighbor Discovery Protocol (NDP) is similar to IPv4 router redirect messages. Neighbor Discovery Protocol (NDP) uses ICMPv6 redirect messages (Type 137) to inform nodes that a better router exists on the link. IPv6 Headers The IPv6 header has a fixed length of 40 bytes. This provides 16 bytes each for Source and Destination information and 8 bytes for general header information.
www.dell.com | support.dell.com Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Table 21-1. Next Header field values Value Description 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header Note: This is not a comprehensive table of Next Header field values. Refer to the Internet Assigned Numbers Authority (IANA) web page at http://www.iana.org/assignments/ protocol-numbers for a complete and current listing. Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing.
www.dell.com | support.dell.com Extension headers are processed in the order in which they appear in the packet header. Hop-by-Hop Options header The Hop-by-Hop options header contains information that is examined by every router along the packet’s path. It follows the IPv6 header and is designated by the Next Header value 0 (zero) (Table 21-1).
Addressing IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more four-digit group(s) is 0000, the zeros may be omitted and replaced with two colons(::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address.
www.dell.com | support.dell.com case, a DHCP server is used, but it is specifically configured to always assign the same IPv6 address to a particular computer, and never to assign that IP address to another computer. This allows static IPv6 addresses to be configured in one place, without having to specifically configure each computer on the network in a different way.
Table 21-2. FTOS and IPv6 Feature Support (continued) Static routing 7.4.1 8.2.1 7.8.1 7.8.1 8.3.10 8.3.11 Assign a Static IPv6 Route in this chapter Route redistribution 7.4.1 8.2.1 7.8.1 8.4.2 8.3.10 8.3.11 OSPF, IS-IS, and IPv6 BGP chapters in the FTOS Command Line Interface Reference Guide Multiprotocol BGP extensions for IPv6 7.4.1 8.2.1 7.8.1 8.4.2 8.3.10 8.3.11 IPv6 BGP in the FTOS Command Line Interface Reference Guide IPv6 BGP MD5 Authentication 8.2.1.0 8.2.1.0 8.2.1.
www.dell.com | support.dell.com Table 21-2. FTOS and IPv6 Feature Support (continued) Secure Shell (SSH) client support over IPv6 (outbound SSH) Layer 3 only 7.5.1 8.2.1 7.8.1 7.8.1 8.3.10 8.3.11 SSH over an IPv6 Transport in this chapter Secure Shell (SSH) server support over IPv6 (inbound SSH) Layer 3 only 7.4.1 8.2.1 7.8.1 7.8.1 8.3.10 8.3.11 SSH over an IPv6 Transport in this chapter IPv6 Access Control Lists 7.4.1 8.2.1 7.8.1 8.2.1.0 8.3.10 8.3.
ICMPv6 ICMPv6 is supported on platforms c e s z ICMP for IPv6 combines the roles of ICMP, IGMP and ARP in IPv4. Like IPv4, it provides functions for reporting delivery and forwarding errors, and provides a simple echo service for troubleshooting. The FTOS implementation of ICMPv6 is based on RFC 4443. Generally, ICMPv6 uses two message types: • • Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node.
www.dell.com | support.dell.com Figure 21-2.
IPv6 Neighbor Discovery IPv6 NDP is supported on platforms c e s z Neighbor Discovery Protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In lieu of ARP, NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes. Using these messages, an IPv6 device learns the link-layer addresses for neighbors known to reside on attached links, quickly purging cached values that become invalid.
www.dell.com | support.dell.com IPv6 Neighbor Discovery of MTU packets With FTOS 8.3.1.0, you can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if ipv6 nd mtu is set to 1280, the interface will still pass 1500-byte packets, if that is what is set with the mtu command.
SSH over an IPv6 Transport IPv6 SSH is supported on platforms c e s z FTOS supports both inbound and outbound SSH sessions using IPv6 addressing. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. Refer to the Security chapter in the FTOS Command Line Reference Guide for SSH configuration details.
www.dell.com | support.dell.com Figure 21-4. Command Example: show cam-profile summary (E-Series) FTOS#show cam-profile summary -- Chassis CAM Profile -: Current Settings : Next Boot Profile Name : IPV6-ExtACL : IPV6-ExtACL MicroCode Name : IPv6-ExtACL : IPv6-ExtACL -- Line card 1 -: Current Settings : Next Boot : IPV6-ExtACL : IPV6-ExtACL : IPv6-ExtACL : IPv6-ExtACL Profile Name MicroCode Name FTOS# Figure 21-5.
The default option sets the CAM Profile as follows: • • • • • L3 ACL (ipv4acl): 6 L2 ACL(l2acl): 5 IPv6 L3 ACL (ipv6acl): 0 L3 QoS (ipv4qos): 1 L2 QoS (l2qos): 1 Save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings to take effect. Command Syntax Command Mode Purpose cam-acl { ipv6acl } CONFIGURATION Allocate space for IPV6 ACLs. Enter the CAM profile name followed by the amount to be allotted.
www.dell.com | support.dell.com When you configure IPv6 addresses on multiple interfaces (ipv6 address command) and verify the configuration (show ipv6 interfaces command), the same link local (fe80) address is displayed for each IPv6 interface. Command Syntax Command Mode Purpose ipv6 address ipv6 address/mask CONFIG-INTERFACE Enter the IPv6 Address for the device.
Note: After you configure a static IPv6 route (ipv6 route command) and configure the forwarding router’s address (specified in the ipv6 route command) on a neighbor’s interface, the IPv6 neighbor is not displayed in the show ipv6 route command output.
www.dell.com | support.dell.com Telnet with IPv6 IPv6 Telnet is supported on platforms c e s z The Telnet client and server in FTOS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or an IPv6 Telnet connection can be initiated from the router. Note: Telnet to link local addresses is supported on the S4810 and Z9000. Command Syntax Command Mode telnet ipv6 address EXEC or EXEC Privileged Purpose Enter the IPv6 Address for the device.
Show IPv6 Information All of the following show commands are supported on platforms c e s z View specific IPv6 configuration with the following commands. Command Syntax Command Mode Purpose show ipv6 ? EXEC or EXEC Privileged List the IPv6 show options.
www.dell.com | support.dell.com Show an IPv6 Interface View the IPv6 configuration for a specific interface with the following command. Command Syntax Command Mode Purpose show ipv6 interface type {slot/ port} EXEC Show the currently running configuration for the specified interface. Enter the keyword interface followed by the type of interface and slot/port information: • For all brief summary of IPv6 status and configuration, enter the keyword brief.
Figure 21-6.
www.dell.com | support.dell.com Show IPv6 Routes View the global IPv6 routing information with the following command. Command Syntax Command Mode Purpose show ipv6 route type EXEC Show IPv6 routing information for the specified route type. Enter the keyword: • To display information about a network, enter the ipv6 address (X:X:X:X::X). • To display information about a host, enter the hostname. • To display information about all IPv6 routes (including non-active routes), enter all.
Figure 21-8.
www.dell.com | support.dell.com Show the Running-Configuration for an Interface View the configuration for any interface with the following command.
Command Syntax Command Mode Purpose IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing earlier in this chapter.
464 | IPv6 Routing www.dell.com | support.dell.
22 Link Aggregation Control Protocol (LACP) Link Aggregation Control Protocol (LACP) is supported on platforms: ecsz The major sections in the chapter are: • • • • • Introduction to Dynamic LAGs and LACP on page 465 LACP Configuration Tasks on page 467 Shared LAG State Tracking on page 470 Configure LACP as Hitless on page 472 LACP Basic Configuration Example on page 473 Introduction to Dynamic LAGs and LACP A Link Aggregation Group (LAG), referred to as a port channel by FTOS, can provide both load-sha
www.dell.com | support.dell.com Important Points to Remember • • • • • • LACP enables you to add members to a port channel (LAG) as long as it has no static members. Conversely, if the LAG already contains a statically defined member (channel-member command), the port-channel mode command is not permitted. A static LAG cannot be created if a dynamic LAG using the selected number already exists.
LACP Configuration Commands If aggregated ports are configured with compatible LACP modes (Off, Active, Passive), LACP can automatically link them, as defined in IEEE 802.3, Section 43. The following commands configure LACP: Command Syntax Command Mode Purpose [no] lacp system-priority priority-value CONFIGURATION Configure the system priority.
www.dell.com | support.dell.com The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG (Figure 22-2): Figure 22-2. Placing a LAG into a Non-default VLAN FTOS(conf)#interface vlan 10 FTOS(conf-if-vl-10)#tagged port-channel 32 Configure the LAG interfaces as dynamic After creating a LAG, configure the dynamic LAG interfaces. Figure 22-3 shows ports 3/15, 3/16, 4/15, and 4/16 added to LAG 32 in LACP mode with the command port-channel-protocol lacp.
To configure the LACP long timeout (Figure 196): Step 1 Task Command Syntax Command Mode Set the LACP timeout value to 30 seconds. lacp long-timeout CONFIG-INT-PO Figure 22-4. Invoking the LACP Long Timeout FTOS(conf)# interface port-channel 32 FTOS(conf-if-po-32)#no shutdown FTOS(conf-if-po-32)#switchport FTOS(conf-if-po-32)#lacp long-timeout FTOS(conf-if-po-32)#end FTOS# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.
Shared LAG State Tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. In Figure 22-5, line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2, as shown. Traffic is equally distributed between LAGs 1 and 2. If LAG 1 fails, all traffic from R1 to R4 flows across LAG 2 only.
In Figure 22-6, LAGs 1 and 2 have been placed into to the same failover group. Figure 22-6. Configuring Shared LAG State Tracking R2#config R2(conf)#port-channel failover-group R2(conf-po-failover-grp)#group 1 port-channel 1 port-channel 2 View the failover group configuration using the show running-configuration po-failover-group command, as shown in Figure 22-7. Figure 22-7.
www.dell.com | support.dell.com Figure 22-9.
Figure 22-10. Enabling Hitless LACP FTOS(conf)#redundancy protocol lacp FTOS#show running-config redundancy ! redundancy protocol lacp FTOS# FTOS#show running-config interface gigabitethernet 0/12 ! interface GigabitEthernet 0/12 no ip address ! port-channel-protocol LACP port-channel 200 mode active no shutdown LACP Basic Configuration Example The screenshots in this section are based on the example topology shown in Figure 22-11.
www.dell.com | support.dell.com Configuring a LAG on ALPHA Figure 22-12. Creating a LAG on ALPHA Alpha(conf)#interface port-channel 10 Alpha(conf-if-po-10)#no ip address Alpha(conf-if-po-10)#switchport Alpha(conf-if-po-10)#no shutdown Alpha(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Alpha(conf-if-po-10)# Figure 22-13.
Figure 22-14. Inspecting Configuration of LAG 10 on ALPHA Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
www.dell.com | support.dell.com Figure 22-15. Using the show lacp Command to Verify LAG 10 Status on ALPHA Alpha#sho lacp 10 Port-channel 10 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e806.953e Partner System ID: Priority 32768, Address 0001.e809.
Summary of the configuration on ALPHA Figure 22-16.
www.dell.com | support.dell.com Summary of the configuration on BRAVO Figure 22-17.
Figure 22-18. Using the show interface Command to Inspect a LAG Port on BRAVO Shows the status of this nterface. Also shows it is part of LAG 10. Bravo#show int gig 3/21 GigabitEthernet 3/21 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:09:c3:82 Current address is 00:01:e8:09:c3:82 Shows that this is a Layer 2 port.
www.dell.com | support.dell.com Figure 22-19. Using the show interfaces port-channel Command to Inspect LAG 10 Indicates the MAC address assigned to the LAG. This does NOT match any of the physical interface MAC addresses.
Figure 22-20. Using the show lacp Command to Inspect LAG Status FTOS#show lacp 10 Port-channel 10 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e809.c24a Partner System ID: Priority 32768, Address 0001.e806.
www.dell.com | support.dell.
23 Intermediate System to Intermediate System Intermediate System to Intermediate System is supported on platforms ez IS-IS is supported on the E-Series ExaScale platform with FTOS 8.1.1.0 and later. It is supported on the with FTOS 8.3.10.0 and on Z9000 with FTOS 9.0.0.0. Intermediate System to Intermediate System (IS-IS) protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Force10 supports both IPv4 and IPv6 versions of IS-IS, as it is detailed in this chapter.
www.dell.com | support.dell.com IS-IS is organized hierarchally into routing domains, and each router or system resides in at least one area. In IS-IS, routers are designated as Level 1, Level 2 or Level 1-2 systems. Level 1 routers only route traffic within an area, while Level 2 routers route traffic between areas. At its most basic, Level 1 systems route traffic within the area and any traffic destined for outside the area is sent to a Level 1-2 system.
Multi-Topology IS-IS FTOS 7.8.1.0 and later support Multi-Topology Routing IS-IS. E-Series ExaScale platform ex supports Multi-Topology IS-IS with FTOS 8.2.1.0 and later. S-Series platform supports Multi-Topology IS-IS with FTOS 8.3.10.0 and later. Multi-Topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
www.dell.com | support.dell.com Interface support MT IS-IS is supported on physical Ethernet interfaces, physical Sonet interfaces, port-channel interfaces (static & dynamic using LACP), and VLAN interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement Multi-Topology (MT) extensions. If a local router does not participate in certain MTs, it will not advertise those MT IDs in its IIHs and so will not include that neighbor within its LSPs.
• • • The T1 timer specifies the wait time before unacknowledged restart requests are generated. This is the interval before the system sends a Restart Request (an IIH with RR bit set in Restart TLV) until the CSNP is received from the helping router. The duration can be set to a specific amount of time (seconds) or a number of attempts. The T2 timer is the maximum time that the system will wait for LSP database synchronization. This timer applies to the database type (level-1, level-2 or both).
www.dell.com | support.dell.com Table 23-1 displays the default values for IS-IS. Table 23-1.
• • Set the overload bit on page 505 Debug IS-IS on page 506 Enable IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are same IS type.
www.dell.com | support.dell.com Step Task Command Syntax Command Mode 3 Enter the interface configuration mode. Enter the keyword interface followed by the type of interface and slot/port information: • For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information. • For the Loopback interface on the RPM, enter the keyword loopback followed by a number from 0 to 16383.
Figure 23-2. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
www.dell.com | support.dell.com Configure Multi-Topology IS-IS (MT IS-IS) Step 1 Task Command Syntax Command Mode Enable Multi-Topology IS-IS for IPv6. Enter the transition keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode.After every router has been configured with the transition keyword, and all the routers are in MT IS-IS IPv6 mode users can remove the transition keyword on each router.
Configure Multi-Topology IS-IS (MT IS-IS) Step 1 Task Command Syntax Command Mode Enable Multi-Topology IS-IS for IPv6. Enter the transition keyword to allow an IS-IS IPv6 user to continue to use single-topology mode while upgrading to multi-topology mode.After every router has been configured with the transition keyword, and all the routers are in MT IS-IS IPv6 mode users can remove the transition keyword on each router.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose graceful-restart restart-wait seconds ROUTER-ISIS Enable the Graceful Restart maximum wait time before a restarting peer comes up. Be sure to set the t3 timer to adjacency on the restarting router when implementing this command.
Use the show isis graceful-restart detail command in EXEC Privilege mode to view all Graceful Restart related configuration. Figure 23-4.
www.dell.com | support.dell.com Figure 23-5. Command Example: show isis interface FTOS#show isis interface G1/34 GigabitEthernet 2/10 is up, line protocol is up MTU 1497, Encapsulation SAP Routing Protocol: IS-IS Circuit Type: Level-1-2 Interface Index 0x62cc03a, Local circuit ID 1 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.01 Hello Interval: 10, Hello Multiplier: 3, CSNP Interval: 10 Number of active level-1 adjacencies: 1 Level-2 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
Figure 23-6. Command Example: show running-config isis FTOS#show running-config isis ! router isis lsp-refresh-interval 902 net 47.0005.0001.000C.000A.4321.00 net 51.0005.0001.000C.000A.4321.00 FTOS# Configure IS-IS metric style and cost All IS-IS links or interfaces are associated with a cost that is used in the SPF calculations. The possible cost varies depending on the metric style supported.
www.dell.com | support.dell.com Figure 23-7. Command Example: show isis protocol FTOS#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
Table 23-3. Correct Value Range for the isis metric command Metric Style Correct Value Range narrow transition 0 to 63 transition 0 to 63 Configuring the distance of a route Configure the distance for a route using the distance command from ROUTER ISIS mode.
www.dell.com | support.dell.com Figure 23-8. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num B233.00-00 0x00000003 eljefe.00-00 * 0x00000009 eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.00-00 0x00000002 IS-IS Level-2 Link State Database LSPID LSP Seq Num B233.00-00 0x00000006 eljefe.00-00 * 0x0000000D eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.
Configure the prefix list in the PREFIX LIST mode prior to assigning it to the IS-IS process. For configuration information on prefix lists, see Chapter 6, Access Control Lists (ACLs). IPv4 routes Use the following commands in ROUTER ISIS mode to apply prefix lists to incoming or outgoing IPv4 routes. Note: These commands apply to IPv4 IS-IS only.
www.dell.com | support.dell.com 502 IPv6 routes Use these commands in ADDRESS-FAMILY IPV6 mode to apply prefix lists to incoming or outgoing IPv6 routes. = Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes. | Command Syntax Command Mode Purpose distribute-list prefix-list-name in [interface] ROUTER ISIS-AF IPV6 Apply a configured prefix list to all incoming IPv6 IS-IS routes.
Redistribute routes In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command syntax, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process. Note: Do not route iBGP routes to IS-IS unless there are route-maps associated with the IS-IS redistribution. IPv4 routes Use any of the following commands in ROUTER ISIS mode to add routes from other routing instances or protocols.
www.dell.com | support.dell.com IPv6 routes Use any of the these commands in ROUTER ISIS ADDRESS-FAMILY IPV6 mode to add routes from other routing instances or protocols. Note: These commands apply to IPv6 IS-IS only. Use the ROUTER ISIS mode previously shown to apply prefix lists to IPv4 routes.
Use either or both of the commands in ROUTER ISIS mode to configure a simple text password. Command Syntax Command Mode Purpose area-password [hmac-md5] password ROUTER ISIS Configure authentication password for an area. FTOS supports HMAC-MD5 authentication. This password is inserted in Level 1 LSPs, Complete SNPs, and Partial SNPs. domain-password [encryption-type | hmac-md5] password ROUTER ISIS Set the authentication password for a routing domain.
www.dell.com | support.dell.com Figure 23-9. Command Example: show isis database FTOS#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num B233.00-00 0x00000003 eljefe.00-00 * 0x0000000A eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.00-00 0x00000002 IS-IS Level-2 Link State Database LSPID LSP Seq Num B233.00-00 0x00000006 eljefe.00-00 * 0x0000000E eljefe.01-00 * 0x00000001 eljefe.02-00 * 0x00000001 Force10.
Command Syntax Command Mode Purpose debug isis update-packets [interface] EXEC Privilege View sent and received LSPs. To view specific information, enter one of the following optional parameters: • interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only. FTOS displays debug messages on the console. Use the show debugging command in EXEC Privilege mode to view which debugging commands are enabled.
www.dell.com | support.dell.com For any level (Level-1, Level-2, or Level-1-2), the value range possible in the isis metric command in INTERFACE mode changes depending on the metric style. Table 23-4.
Table 23-5.
www.dell.com | support.dell.com Leaking from One Level to Another 510 In the following scenarios, each IS-IS level is configured with a different metric style. Table 23-7.
Sample Configuration The following configurations are examples for enabling IPv6 IS-IS. These are not comprehensive directions. They are intended to give you a some guidance with typical configurations. S Note: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP Addresses, Interfaces, Names, etc.
www.dell.com | support.dell.com Figure 23-10. IS-IS Sample Configuration - Congruent Topology FTOS(conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ip address 24.3.1.1/24 ipv6 address 24:3::1/76 ip router isis ipv6 router isis no shutdown FTOS (conf-if-te-3/17)# FTOS (conf-router_isis)#show config ! router isis metric-style wide level-1 metric-style wide level-2 net 34.0000.0000.AAAA.00 FTOS (conf-router_isis)# Figure 23-11.
Figure 23-13.
www.dell.com | support.dell.
24 Layer 2 Layer 2 features are supported on platforms: ecsz This chapter describes the following Layer 2 features: • • • • • • Managing the MAC Address Table MAC Learning Limit NIC Teaming Microsoft Clustering Configuring Redundant Pairs Restricting Layer 2 Flooding Managing the MAC Address Table FTOS provides the following management activities for the MAC address table: • • • • Clear the MAC Address Table Set the Aging Time for Dynamic Entries Configure a Static MAC Address Display the MAC Address T
www.dell.com | support.dell.com Set the Aging Time for Dynamic Entries Learned MAC addresses are entered in the table as dynamic entries, which means that they are subject to aging. For any dynamic entry, if no packet arrives on the switch with the MAC address as the source or destination address within the timer period, the address is removed from the table. The default aging time is 1800 seconds. Task Command Syntax Command Mode Disable MAC address aging for all dynamic entries.
Display the MAC Address Table To display the contents of the MAC address table: Task Command Syntax CommandMode Display the contents of the MAC address table. • address displays the specified entry. • aging-time displays the configured aging-time. • count displays the number of dynamic and static entries for all VLANs, and the total number of entries. • dynamic displays only dynamic entries • interface displays only entries for the specified interface. • static displays only static entries.
www.dell.com | support.dell.com FTOS Behavior: When configuring MAC Learning Limit on a port or VLAN the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists. If the CAM check fails, the a message is displayed: %E90MH:5 %ACL_AGENT-2-ACL_AGENT_LIST_ERROR: Unable to apply GigabitEthernet 5/84 access-list Mac-Limit on In this case, the configuration is still present in the running-config and show output.
mac learning-limit mac-address-sticky Using sticky MAC addresses allows you to associate a specific port with MAC addresses from trusted devices. If sticky MAC is enabled, the specified port will retain any dynamically-learned addresses and prevent them from being transferred or learned on other ports. If mac-learning-limit is configured and sticky MAC is enabled, all dynamically-learned addresses are converted to sticky MAC addresses for the selected port.
www.dell.com | support.dell.com FTOS Behavior: The C-Series and S-Series do not generate a station-move violation log entry for physical interfaces or port-channels when you configure mac learning-limit or when you configure mac learning-limit station-move-violation log.
Station Move Violation Actions Station Move Violation Actions are supported on platforms: S-Series (S25/S50) no-station-move is the default behavior (see mac learning-limit no-station-move on page 519). You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command:. Task Command Syntax Command Mode Generate a system log message indicating a station move.
www.dell.com | support.dell.com Per-VLAN MAC Learning Limit Per-VLAN MAC Learning Limit is available only on platform: e An individual MAC learning limit can be configured for each VLAN using Per-VLAN MAC Learning Limit. One application of Per-VLAN MAC Learning Limit is on access ports. In Figure 24-1, an Internet Exchange Point (IXP) connects multiple Internet Service Provider (ISP). An IXP can provide several types of services to its customers including public an private peering.
Task Command Syntax Command Mode FTOS#show mac learning-limit Interface Vlan Learning Dynamic Static Slot/port Id Limit MAC count MAC count Gi 5/84 2 2 0 Gi 5/84 * 5 0 Gi 5/85 3 3 0 Gi 5/85 * 10 0 FTOS#show mac learning-limit interface gig 5/84 Interface Vlan Learning Dynamic Static Slot/port Id Limit MAC count MAC count Gi 5/84 2 2 0 Gi 5/84 * 5 0 FTOS#show mac learning-limit interface gig 5/84 vlan 2 Interface Vlan Learning Dynamic Static Slot/port Id Limit MAC count MAC count Gi 5/84 2 2 0 Unknown SA
www.dell.com | support.dell.com Note: If this command is not configured, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 24-3. Configuring mac-address-table station-move refresh-arp Command X MAC: A:B:C:D A:B IP: 1.1.1.
Microsoft Clustering Microsoft Clustering is supported only on platform: e Microsoft Clustering allows multiple servers using Microsoft Windows to be represented by one MAC address and IP address in order to provide transparent failover or balancing. FTOS does not recognize server clusters by default; it must be configured to do so. Default Behavior When an ARP request is sent to a server cluster, either the active server or all of the servers send a reply, depending on the cluster configuration.
www.dell.com | support.dell.com Figure 24-5.
Enable and Disable VLAN Flooding • • • • • • • ARP entries already resolved through the VLAN are deleted when the feature is enabled. This ensures that ARP entries across the VLAN are consistent. All ARP entries learned after the feature is enabled are deleted when the feature is disabled, and RP2 triggers ARP resolution. The feature is disabled with the command no vlan-flooding. When a port is added to the VLAN, the port automatically receives traffic if the feature is enabled.
www.dell.com | support.dell.com Figure 24-7. Configuring Redundant Layer 2 Pairs without Spanning Tree Redundant links create a switching loop. Without STP broadcast storms occurs.
Important Points about Configuring Redundant Pairs • • • • • • • You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface. Neither the active nor the backup interface may be a member of a LAG. The active and standby do not have to be of the same type (1G, 10G, etc). You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
www.dell.com | support.dell.com Figure 24-8.
Conversely, if you want all multicast traffic to be flooded on all ports, but some specific traffic to be restricted, use mac-flood-list with the min-speed option, but without restrict-flooding configured. This configuration restricts flooding only for traffic with destination multicast MAC addresses within the multicast MAC address range you specify. In Figure 24-9, flooding of unknown multicast traffic is restricted to 1G ports on VLAN100 using the command restrict-flooding.
www.dell.com | support.dell.com Figure 24-10.
1. An interface on which FEFD is not configured is in Normal mode by default. 2. Once FEFD is enabled on an interface, it transitions to the Unknown state and sends an FEFD packet to the remote end of the link. 3. When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state. 4.
www.dell.com | support.dell.com Report interval frequency and mode adjustments can be made by supplementing this command as well.
Step 3 Task Command Syntax Command Mode Enable FEFD on each interface fefd {disable | interval | mode} INTERFACE Figure 24-12.
www.dell.com | support.dell.com During an RPM Failover 536 In the event that an RPM failover occurs, FEFD will become operationally down on all enabled ports for approximately 8-10 seconds before automatically becoming operational again. Figure 24-15. FEFD state change during an RPM failover 02-05-2009 12:40:38 Local7.Debug 10.16.151.12 %RAM-6-FAILOVER_REQ: RPM failover request from active peer: User request. 02-05-2009 12:40:38 Local7.Debug 10.16.151.
25 Link Layer Discovery Protocol (LLDP) Link Layer Discovery Protocol (LLDP) is supported only on platforms: ecsz This chapter contains the following sections: • • • 802.1AB (LLDP) Overview on page 537 TIA-1057 (LLDP-MED) Overview on page 540 Configuring LLDP on page 544 802.1AB (LLDP) Overview Link Layer Discovery Protocol (LLDP)—defined by IEEE 802.
www.dell.com | support.dell.com TLVs are encapsulated in a frame called an LLDP Data Unit (LLDPDU) (Figure 25-2), which is transmitted from one LLDP-enabled device to its LLDP-enabled neighbors. LLDP is a one-way protocol. LLDP-enabled devices (LLDP agents) can transmit and/or receive advertisements, but they cannot solicit and do not respond to advertisements. There are five types of TLVs. All types are mandatory in the construction of an LLDPDU except Optional TLVs.
Management TLVs A Management TLV is an Optional TLVs sub-type. This kind of TLV contains essential management information about the sender. The five types are described in Table 25-2. Organizationally Specific TLVs Organizationally specific TLVs can be defined by a professional organization or a vendor. They have two mandatory fields (Figure 25-3) in addition to the basic TLV fields (Figure 25-1): • Organizationally Unique Identifier (OUI)—a unique number assigned by the IEEE to an organization or vendor.
www.dell.com | support.dell.com Table 25-2. Optional TLV Types Type TLV Description 127 Port and Protocol VLAN ID On Dell Force10 systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in hybrid mode) 127 VLAN Name Indicates the user-defined alphanumeric string that identifies the VLAN. This TLV is supported on C-Series only. 127 Protocol Identity Indicates the protocols that the port can process.
TIA Organizationally Specific TLVs The Dell Force10 system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • • transmitting an LLDP-MED capabilities TLV to endpoint devices storing the information that endpoint devices advertise Table 25-3 describes the five types of TIA-1057 Organizationally Specific TLVs. Table 25-3.
www.dell.com | support.dell.com LLDP-MED Capabilities TLV The LLDP-MED Capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV. • • The value of the LLDP-MED Capabilities field in the TLV is a 2 octet bitmap (Figure 25-4), each bit represents an LLDP-MED capability (Table 25-4). The possible values of the LLDP-MED Device Type is listed in Table 25-5.
LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations, specifically: • • • • VLAN ID VLAN tagged or untagged status Layer 2 priority DSCP value The application type is a represented by an integer (the Type integer in Table 25-6), which indicates a device function for which a unique network policy is defined.
www.dell.com | support.dell.com Figure 25-5. TLV Type (127) LLDP-MED Policies TLV TLV Length (8) 7 bits 9 bits Organizationally Organizationally Unique ID Defined Sub-type (00-12-BB) (2) 3 octets 1 octet Application Type (0-255) 1 octet U T X (0) 3 bits VLAN ID (0-4095) L2 Priority (0-7) DSCP Value (0-63) 12 bits 3 bits 6 bits Extended Power via MDI TLV The Extended Power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices.
• • • • • Viewing Information Advertised by Adjacent LLDP Agents on page 548 Configuring LLDPDU Intervals on page 549 Configuring Transmit and Receive Mode on page 550 Configuring a Time to Live on page 551 Debugging LLDP on page 552 Important Points to Remember • • • • • LLDP is disabled by default. Dell Force10 systems support up to 8 neighbors per interface. Dell Force10 systems support a maximum of 8000 total neighbors per system.
www.dell.com | support.dell.com Figure 25-7.
If LLDP is configured both globally and at interface level, the interface level configuration overrides the global configuration. To advertise TLVs: Step Command Mode Task Command 1 Enter LLDP mode. protocol lldp CONFIGURATI ON or INTERFACE 2 Advertise one or more TLVs. Include the keyword for each TLV you want to advertise. • For management TLVs: system-capabilities, system-description • For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id, vlan-name • For 802.
www.dell.com | support.dell.com Viewing the LLDP Configuration Display the LLDP configuration using the command show config in either CONFIGURATION or INTERFACE mode, as shown in Figure 25-9 and Figure 25-10, respectively Figure 25-9.
Figure 25-12.
www.dell.com | support.dell.com Figure 25-13.
Figure 25-14.
www.dell.com | support.dell.com Figure 25-15.
Figure 25-17. Relevant Management Objects FTOS supports all IEEE 802.1AB MIB objects. • • • • Table 25-7 lists the objects associated with received and transmitted TLVs. Table 25-8 lists the objects associated with the LLDP configuration on the local agent. Table 25-9 lists the objects associated with IEEE 802.1AB Organizationally Specific TLVs. Table 25-10 lists the objects associated with received and transmitted LLDP-MED TLVs.
www.dell.com | support.dell.com Table 25-7.
Table 25-8.
www.dell.com | support.dell.com Table 25-9. LLDP 802.1 Organizationally Specific TLV MIB Objects TLV Type TLV Name TLV Variable System LLDP MIB Object 127 Port-VLAN ID PVID Local lldpXdot1LocPortVlanId Remote lldpXdot1RemPortVlanId 127 Port and Protocol VLAN ID port and protocol VLAN supported Local port and protocol VLAN enabled PPVID 127 VLAN Name VID VLAN name length VLAN name Table 25-10.
Table 25-10.
www.dell.com | support.dell.com Table 25-10.
26 Multicast Source Discovery Protocol (MSDP) Multicast Source Discovery Protocol (MSDP) is supported on platforms: ez Protocol Overview Multicast Source Discovery Protocol (MSDP) is a Layer 3 protocol that connects IPv4 PIM-SM domains. A domain in the context of MSDP is contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as BGP. Each RP peers with every other RP via TCP. Through this connection, peers advertise the sources in their domain. 1.
Multicast Source Discovery Protocol + + P 3 MPC IG Receiver OS PF + PI M PC 2 Source MP IG 4/1 AS Y Area 0 R4 4/31 2/1 + PI M AS X Area 0 OS PF www.dell.com | support.dell.com Figure 26-1. BGP R2 2/11 3/21 3/41 R3 P Pe MSD 1/21 1/2 R1 ersh ip RP RP1 1/1 PC 1 Receiver RPs advertise each (S,G) in its domain in Type, Length, Value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field.
Anycast RP Using Multicast Source Discovery Protocol (MSDP), Anycast RP provides load sharing and redundancy in Protocol Independent Multicast sparse mode (PIM-SM) networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and the ability to act as hot backup routers for each other. Anycast RP allows two or more RPs to be configured with the same IP address on loopback interfaces.
www.dell.com | support.dell.
interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown 1/1 1/21 PC 1 : 10.11.3.2/24 R1 1/2 interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.
Multicast Source Discovery Protocol (MSDP) R1 1/2 PC 1 1/1 1/21 R2 2/11 2/1 PC 2 2/31 R3 3/21 OS PF 3/41 router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 R3_E600(conf)#do show run bgp ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.
M PI P GM +I R1 1/2 RP1 PC 2 Receiver: 239.0.0.1 1/1 1/21 ip multicast routing ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 AS 100 R2 2/31 R3 3/41 4/31 R4 AS 200 ip multicast-routing ! ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4 ip multicast-routing ! ip pim rp-address 192.168.0.3 group-address 224.0.0.0/4 4/1 P GM + I PC 3 Receiver: 239.0.0.1 RP2 3/21 M PI ip multicast-routing ! ip pim rp-address 192.168.0.1 group-address 224.0.0.
Multicast Source Discovery Protocol (MSDP) R1_E600(conf)#do show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom Expire UpTime 239.0.0.1 10.11.4.2 192.168.0.1 local 95 16:49:25 (10.11.4.2, 239.0.0.1), uptime 1d16h, expires 00:03:12, flags: CTA Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.1.21 Outgoing interface list: GigabitEthernet 1/1 Forward/Sparse 22:26:37/Never (*, 239.0.0.1), uptime 22:26:37, expires 00:00:00, RP 192.168.0.
Enable MSDP Enable MSDP by peering RPs in different administrative domains. Step Task Command Syntax Command Mode 1 Enable MSDP. ip multicast-msdp CONFIGURATION 2 PeerPIM systems in different administrative domains. ip msdp peer connect-source CONFIGURATION Figure 26-7. Configuring an MSDP Peer R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0 R3_E600(conf)#do show ip msdp summary Peer Addr 192.168.0.1 Local Addr 192.168.0.
www.dell.com | support.dell.com • • RPs can transmit SA messages periodically to prevent SA storms, and only sources that are in the cache are advertised in the SA to prevent transmitting multiple copies of the same source information. View the Source-active Cache Task Command Syntax Command Mode View the SA cache. show ip msdp sa-cache EXEC Privilege Figure 26-9.
Enable the Rejected Source-active Cache Active sources can be rejected because • • • • the RPF check failed, the SA limit is reached, the peer RP is unreachable, or because of an SA message format error. Task Command Syntax Command Mode Cache rejected sources. ip msdp cache-rejected-sa CONFIGURATION Accept Source-active Messages that fail the RFP Check A default peer is a peer from which active sources are accepted even though they fail the RFP check.
MSDP Default Peer Scenario 1 Scenario 2 RP5 RP4 RP5 RP4 (S5, G5) (S4, G4) (S3, G3) (S2, G2) (S5, G5) MSDP Peership MSDP Peership (S4, G4) (S2, G2) RP3 RP2 (S3, G3) RP2 Pe er RP3 sh ip il Fa www.dell.com | support.dell.com Figure 26-10.
Task Command Syntax Command Mode Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the the RPF check. If you do not specify an access list, the peer accepts all sources advertised by that peer. All sources from RPs denied by the ACL are subjected to the normal RPF check. ip msdp default-peer ip-address list CONFIGURATION Figure 26-11. Accepting Source-active Messages with FTOS(conf)#ip msdp peer 10.0.50.
www.dell.com | support.dell.com Prevent MSDP from Caching a Local Source You can prevent MSDP from caching an active source based on source and/or group. Since the source is not cached, it is not advertised to remote RPs. Task Command Syntax Command Mode OPTIONAL: Cache sources that are denied by the redistribute list in the rejected SA cache. ip msdp cache-rejected-sa CONFIGURATION Prevent the system from caching local SA entries based on source and group using an extended ACL.
Prevent MSDP from Caching a Remote Source Task Command Syntax Command Mode OPTIONAL: Cache sources that are denied by the SA filter in the rejected SA cache. ip msdp cache-rejected-sa CONFIGURATION Prevent the system from caching remote sources learned from a specific peer based on source and group. ip msdp sa-filter list out peer list ext-acl CONFIGURATION In Figure 26-14, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3.
www.dell.com | support.dell.com Prevent MSDP from Advertising a Local Source Task Command Syntax Command Mode Prevent an RP from advertising a source in the SA cache. ip msdp sa-filter list in peer list ext-acl CONFIGURATION In Figure 26-14, R1 stops advertising source 10.11.4.2. Since it is already in the SA cache of R3, the entry remains there until it expires. Figure 26-14.
Log Changes in Peership States Task Command Syntax Command Mode Log peership state changes. ip msdp log-adjacency-changes CONFIGURATION Terminate a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. Task Command Syntax Command Mode Terminate the TCP connection with a peer.
www.dell.com | support.dell.com Clear Peer Statistics Task Command Syntax Command Mode Reset the TCP connection to the peer and clear all peer statistics. clear ip msdp peer peer-address CONFIGURATION Figure 26-16. Clearing Peer Statistics R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Debug MSDP Task Command Syntax Command Mode Display the information exchanged between peers. debug ip msdp CONFIGURATION Figure 26-17. Debugging MSDP R1_E600(conf)#do debug ip msdp All MSDP debugging has been turned on R1_E600(conf)#03:16:08 : MSDP-0: Peer 03:16:09 : MSDP-0: Peer 192.168.0.3, 03:16:27 : MSDP-0: Peer 192.168.0.3, 03:16:38 : MSDP-0: Peer 192.168.0.3, 03:16:39 : MSDP-0: Peer 192.168.0.3, 03:17:09 : MSDP-0: Peer 192.168.0.3, 03:17:10 : MSDP-0: Peer 192.168.0.
MSDP with Anycast RP (10.11.4.2, 239.0.0.1), uptime 00:00:52, expires 00:03:20, flags: FTA Incoming interface: GigabitEthernet 2/1, RPF neighbor 0.0.0.0 Outgoing interface list: GigabitEthernet 2/11 Forward/Sparse 00:00:50/00:02:40 GigabitEthernet 2/31 Forward/Sparse 00:00:50/00:02:40 PI M AS X Area 0 + + MP IG PC 3 Receiver OS PF + PI M PC 2 Source MP IG 4/1 R4 4/31 + 2/1 OS PF www.dell.com | support.dell.com Figure 26-18. BGP (*, 239.0.0.1), uptime 00:00:23, expires 00:00:00, RP 192.
Reducing Source-active Message Flooding RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RFP rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
www.dell.com | support.dell.com Figure 26-19. 580 R1 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.
Figure 26-20. R2 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.
www.dell.com | support.dell.com Figure 26-21. 582 R3 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
MSDP Sample Configurations The following figures show the running-configurations for the routers shown in figures Figure 26-5, Figure 26-4, Figure 26-5, Figure 26-6. Figure 26-22. MSDP Sample Configuration: R1 Running-config ip multicast-routing ! interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.
www.dell.com | support.dell.com Figure 26-23. 584 MSDP Sample Configuration: R2 Running-config ip multicast-routing ! interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.
Figure 26-24. MSDP Sample Configuration: R3 Running-config ip multicast-routing ! interface GigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown ! interface GigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 0/0 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
www.dell.com | support.dell.com Figure 26-25. 586 MSDP Sample Configuration: R4 Running-config ip multicast-routing ! interface GigabitEthernet 4/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface GigabitEthernet 4/22 ip address 10.10.42.1/24 no shutdown ! interface GigabitEthernet 4/31 ip pim sparse-mode ip address 10.11.6.43/24 no shutdown ! interface Loopback 0 ip address 192.168.0.4/32 no shutdown ! router ospf 1 network 10.11.5.0/24 area 0 network 10.11.6.0/24 area 0 network 192.
27 Multiple Spanning Tree Protocol (MSTP) Multiple Spanning Tree Protocol (MSTP) is supported on platforms: ecsz Protocol Overview Multiple Spanning Tree Protocol (MSTP)—specified in IEEE 802.1Q-2003—is an RSTP-based spanning tree variation that improves on PVST+. MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. In contrast, PVST+ allows a spanning tree instance for each VLAN.
www.dell.com | support.dell.com FTOS supports three other variations of Spanning Tree, as shown in Table 44. Table 27-1. FTOS Supported Spanning Tree Protocols Dell Force10Term IEEE Specification Spanning Tree Protocol 802.1d Rapid Spanning Tree Protocol 802.1w Multiple Spanning Tree Protocol 802.1s Per-VLAN Spanning Tree Plus Third Party Implementation Information • • • • • The FTOS MSTP implementation is based on IEEE 802.
• • • Preventing Network Disruptions with BPDU Guard on page 881 SNMP Traps for Root Elections and Topology Changes on page 775 Configuring Spanning Trees as Hitless on page 884 Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP: Step Task Command Syntax Command Mode 1 Enter PROTOCOL MSTP mode. protocol spanning-tree mstp CONFIGURATION 2 Enable MSTP.
www.dell.com | support.dell.com Create an MSTI using the command msti from PROTOCOL MSTP mode. Specify the keyword vlan followed by the VLANs that you want to participate in the MSTI, as shown in Figure 27-3. Figure 27-3.
Influence MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it will become the root bridge. To change the bridge priority: Task Command Syntax Command Mode Assign a number as the bridge priority. A lower number increases the probability that the bridge becomes the root bridge.
www.dell.com | support.dell.com To change the region name or revision: Task Command Syntax Command Mode Change the region name. name name PROTOCOL MSTP Change the region revision number. • Range: 0 to 65535 • Default: 0 revision number PROTOCOL MSTP View the current region name and revision using the command show spanning-tree mst configuration from EXEC Privilege mode, as shown in Figure 27-6. Figure 27-6.
Task Command Syntax Command Mode Change the hello-time parameter. hello-time seconds PROTOCOL MSTP Change the max-age parameter. Range: 6 to 40 Default: 20 seconds max-age seconds PROTOCOL MSTP Change the max-hops parameter. Range: 1 to 40 Default: 20 max-hops number PROTOCOL MSTP Note: With large configurations (especially those with more ports) Dell Force10 recommends that you increase the hello-time.
www.dell.com | support.dell.com Table 27-2. MSTP Default Port Cost Values Port Cost Default Value 10-Gigabit Ethernet interfaces 2000 Port Channel with 100 Mb/s Ethernet interfaces 180000 Port Channel with 1-Gigabit Ethernet interfaces 18000 Port Channel with 10-Gigabit Ethernet interfaces 1800 To change the port cost or priority of an interface: Task Command Syntax Command Mode Change the port cost of an interface. Range: 0 to 200000 Default: see Table 27-2.
Verify that EdgePort is enabled on a port using the command show config from the INTERFACE mode, as shown in Figure 27-8. FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior: 1 If the interface to be shutdown is a port channel then all the member ports are disabled in the hardware. 2 When a physical port is added to a port channel already in error disable state, the new member port will also be disabled in the hardware.
www.dell.com | support.dell.com Figure 27-9. MSTP with Three VLANs Mapped to Two Spanning Tree Instances root R1 R2 1/2 Forwarding 2/1 2/3 Blocking 1/3 3/1 3/2 R3 Figure 27-10.
Figure 27-11.
www.dell.com | support.dell.com Figure 27-12.
Figure 27-13.
www.dell.com | support.dell.com Figure 27-14. Displaying BPDUs and Events FTOS#debug spanning-tree mstp bpdu 1w1d17h : MSTP: Sending BPDU on Gi 1/31 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x68 CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 20000 Regional Bridge Id: 32768:0001.e809.c24a, CIST Port Id: 128:384 Msg Age: 2, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: my-mstp-region, Rev: 0, Int Root Path Cost: 20000 Rem Hops: 19, Bridge Id: 32768:0001.e80d.
Figure 27-15. Sample Output for show running-configuration spanning-tree mstp command FTOS#show run spanning-tree mstp ! protocol spanning-tree mstp name Tahiti revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 Figure 27-16. Displaying BPDUs and Events - Debug Log of Successful MSTP Configuration FTOS#debug spanning-tree mstp bpdu MSTP debug bpdu is ON FTOS# 4w0d4h : MSTP: Sending BPDU on Gi 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e CIST Root Bridge Id: 32768:0001.e806.
www.dell.com | support.dell.
28 Multicast Features Multicast Features are supported on platforms: ecsz This chapter contains the following sections: • • • • • Enable IP Multicast on page 603 Multicast with ECMP on page 604 First Packet Forwarding for Lossless Multicast on page 605 Multicast Policies on page 606 Multicast Traceroute on page 613 FTOS supports the following multicast protocols: • • • • PIM Sparse-Mode (PIM-SM) on page 669 PIM Source-Specific Mode (PIM-SSM) on page 679 Internet Group Management Protocol (IGMP) on page
www.dell.com | support.dell.com Multicast with ECMP Dell Force10 multicast uses Equal-cost Multi-path (ECMP) routing to load-balance multiple streams across equal cost links. When creating the shared-tree Protocol Independent Multicast (PIM) uses routes from all configured routing protocols to select the best route to the rendezvous point (RP). If there are multiple, equal-cost paths, the PIM selects the route with the least number of currently running multicast streams.
As the upper five bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address. For example, 224.0.0.5 is a well known IP address for OSPF that maps to the multicast MAC address 01:00:5e:00:00:05. However, 225.0.0.5, 226.0.0.5, etc., map to the same multicast MAC address. The Layer 2 FIB alone cannot differentiate multicast control traffic multicast data traffic with the same address, so if you use IP address 225.0.0.
www.dell.com | support.dell.com Multicast Policies FTOS offers parallel Multicast features for IPv4 and IPv6.
Note: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that is exists per port-pipe. Any software-configured limit might be superseded by this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit set by the ip multicast-limit is reached. Prevent a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports.
Multicast Features ip igmp snooping enable interface Vlan 400 ip pim sparse-mode ip address 10.11.4.1/24 untagged GigabitEthernet 1/2 ip igmp access-group igmpjoinfilR2G2 no shutdown (*, 239.0.0.1), uptime 00:00:06, expires 00:00:00, RP 10.11.12.2, flags: SCJ Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.
Rate Limit IGMP Join Requests If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting that rate at which new groups can be joined using the command ip igmp group-join-limit from INTERFACE mode. Hosts whose IGMP requests are denied will use the retry mechanism built-in to IGMP so that they’re membership is delayed rather than permanently denied. View the enable status of this feature using the command show ip igmp interface from EXEC Privilege mode.
610 | Multicast Features (10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:03:07, flags: CT Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2 Outgoing interface list: Vlan 300 Forward/Sparse 00:00:40/Never (*, 239.0.0.2), uptime 00:00:40, expires 00:00:00, RP 10.11.12.2, flags: SCJ Incoming interface: GigabitEthernet 1/21, RPF neighbor 10.11.12.2 Outgoing interface list: Vlan 300 Forward/Sparse 00:00:40/Never (10.11.5.2, 239.0.0.
Prevent a PIM Router from Processing a Join Permit or deny PIM Join/Prune messages on an interface using an extended IP access list. Use the command ip pim join-filter to prevent the PIM SM router from creating state based on multicast source and/ or group.
www.dell.com | support.dell.com Prevent an IPv6 Neighbor from Forming an Adjacency Task Command Syntax Command Mode Prevent a router from participating in PIM.
Multicast Traceroute Multicast Traceroute is supported only on platform: e MTRACE is an IGMP-based tool that prints that network path that a multicast packet takes from a source to a destination, for a particular group. FTOS has mtrace client and mtrace transmit functionality. • • MTRACE Client—an mtrace client transmits mtrace queries and prints out the details received responses.
614 | Multicast Features www.dell.com | support.dell.
29 Open Shortest Path First (OSPFv2 and OSPFv3) Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms c e s Z Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms c eZ OSPF for IPv4 is supported on the E-Series ExaScale platform with FTOS 8.1.1.0; OSPF for IPv6 is supported on E-Series ExaScale with FTOS version 8.2.1.0 and later.
www.dell.com | support.dell.com Protocol Overview Open Shortest Path First (OSPF) routing is a link-state routing protocol that calls for the sending of Link-State Advertisements (LSAs) to all other routers within the same Autonomous System (AS) Areas. Information on attached interfaces, metrics used, and other variables is included in OSPF LSAs. As OSPF routers accumulate link-state information, they use the SPF algorithm (Shortest Path First algorithm) to calculate the shortest path to each node.
Figure 29-1. Autonomous System Areas Area Types The Backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any Autonomous System (AS). All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a non-backbone area and function as if they were direct links.
www.dell.com | support.dell.com A Stub Area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes. Note that all routers within an assigned Stub area must be configured as stubby, and not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. Stubby areas cannot be traversed by a virtual link.
Figure 29-2. OSPF Routing Examples Backbone Router (BR) A Backbone Router (BR) is part of the OSPF Backbone, Area 0. This includes all Area Border Routers (ABRs). It can also include any routers that connect only to the Backbone and another ABR, but are only part of Area 0, such as Router I in Figure 29-2 above.
www.dell.com | support.dell.com Area Border Router (ABR) Within an AS, an Area Border (ABR) connects one or more areas to the Backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An Area Border Router (ABR) takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to.
Link-State Advertisements (LSAs) A Link-State Advertisement (LSA) communicates the router’s local routing topology to all other local routers in the same area. • • OSPFv3 can treat LSAs as having link-local flooding scope, or store and flood them as if they are understood, while ignoring them in their own SPF algorithms. OSPFv2 always discards unknown LSA types.
www.dell.com | support.dell.com For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the Link-State ID. Each router link is defined as one of four types: type 1, 2, 3, or 4. The LSA includes a link ID field that identifies, by the network number and mask, the object to which this link connects. Depending on the type, the link ID has different meanings.
Figure 29-3. Priority and Costs Example Implementing OSPF with FTOS FTOS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 up to 8,000 routes can be designated as external and up to 2,000 designated as inter/intra area routes. FTOS version 7.8.1.0 and later support multiple OSPF processes (OSPF MP) on OSPFv2 only. The S-Series supports up to 16 processes simultaneously. The S4810 and Z9000 platforms support 32 OSPF processes simultaneously.
www.dell.com | support.dell.com • • • • • • • Network Summary (type 3) AS Boundary (type 4) AS External (type 5) NSSA External (type 7) Link LSA, OSPFv3 only (type 8) Opaque Link-local (type 9) Grace LSA, OSPFv3 only (type 11) Graceful Restart ces Graceful Restart for OSPFv2 is supported on modes and is supported on z platforms in Helper mode only. e Graceful Restart for OSPFv3 is supported on t is supported on z platforms in Helper mode only.
• • • Helper role in which the router's graceful restart function is to help a restarting neighbor router in its graceful restarts. Helper-reject role in which OSPF does not participate in the graceful restart of a neighbor. OSPFv2 supports “helper-only” and “restarting-only” roles. By default, both helper and restarting roles are enabled. OSPFv2 supports the helper-reject role globally on a router. OSPFv3 supports “helper-only” and “restarting-only” roles. The “helper-only” role is enabled by default.
www.dell.com | support.dell.com • • • • • The E-Series supports up to 28 OSPFv2 processes. The C-Series supports up to 6 OSPFv2 processes. The S50 and S25 support up to 4 OSPFv2 processes. The S55 and S60 support up to 16 OSPFv2 processes. The S4810 and Z9000 support up to 32 OSPFv2 processes. Each OSPFv2 process has a unique process ID and must have an associated Router ID. There must be an equal number of interfaces must be in Layer-3 mode for the number of processes created.
Figure 29-4. Enabling RFC-2328 Compliant OSPF Flooding 00:10:41 : OSPF(1000:00): Printed only for ACK packets Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 1000 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.0 seq:0x8000000c LSType:Type-5 AS External id:160.1.2.0 adv:6.1.0.0 seq:0x8000000c 00:10:41 : OSPF(1000:00): Rcv. v:2 t:5(LSAck) l:64 Acks 2 rid:2.2.2.2 aid:1500 chk:0xdbee aut:0 auk: keyid:0 from:Vl 100 LSType:Type-5 AS External id:160.1.1.0 adv:6.1.0.
www.dell.com | support.dell.com Figure 29-6. Command Example: ip ospf intervals FTOS(conf)#int gi 2/2 FTOS(conf-if-gi-2/2)#ip ospf hello-interval 20 FTOS(conf-if-gi-2/2)#ip ospf dead-interval 80 Dead Interval Set at 4x Hello Interval FTOS(conf-if-gi-2/2)# Figure 29-7. OSPF Configuration with intervals set FTOS (conf-if-gi-2/2)#ip ospf dead-interval 20 FTOS (conf-if-gi-2/2)#do show ip os int gi1/3 GigabitEthernet 2/2 is up, line protocol is up Internet Address 20.0.0.
Configuration Task List for OSPFv2 (OSPF for IPv4) Open Shortest Path First version 2 (OSPF for IPv4) is supported on platforms: cesz 1. Configure a physical interface. Assign an IP address, physical or loopback, to the interface to enable Layer 3 routing. 2. Enable OSPF globally. Assign network area and neighbors. 3. Add interfaces or configure other attributes.
www.dell.com | support.dell.com Use these commands on one of the interfaces to enable OSPFv2 routing. Step 1 Command Syntax Command Mode Usage ip address ip-address mask CONFIG-INTERFACE Assign an IP address to an interface. Format: A.B.C.D/M If using a Loopback interface, refer to Loopback Interfaces. 2 no shutdown CONFIG-INTERFACE Enable the interface. Return to CONFIGURATION mode to enable the OSPF process.
Use the show ip ospf process-id command in EXEC mode to view the current OSPFv2 status. Figure 29-8. Command Example: show ip ospf process-id FTOS#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.10 Supports only single TOS (TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 FTOS# Enable Multi-Process OSPF (OSPFv2, IPv4 only) Multi-Process OSPF allows multiple OSPFv2 processes on a single router.
www.dell.com | support.dell.com If you try to enable more OSPF processes than available Layer 3 interfaces you will see the following message: Message 2 C300(conf)#router ospf 1 % Error: No router ID available. In CONFIGURATION ROUTER OSPF mode, assign the Router ID. The Router ID is not required to be the router’s IP address. Dell Force10 recommends using the IP address as the Router ID for easier management and troubleshooting.
Enable OSPFv2 on interfaces Each interface must have OSPFv2 enabled on it. It must be configured for Layer 3 protocol and not be shutdown. OSPFv2 can also be assigned to a loopback interface as a virtual interface. OSPF functions and features such as MD5 Authentication, Grace Period, Authentication Wait Time, etc., are assigned on a per interface basis. Note: If using features like MD5 Authentication, ensure all the neighboring routers are also configured for MD5.
www.dell.com | support.dell.com Figure 29-10. Command Example: show ip ospf process-id interface FTOS>show ip ospf 1 interface GigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 11.1.2.1, Interface address 10.2.2.1 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Configure stub areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the Area Border Router (ABR) advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area.
www.dell.com | support.dell.
Enable passive interfaces A passive interface is one that does not send or receive routing information. Enabling passive interface suppresses routing updates on an interface. Although the passive interface will neither send nor receive routing updates, the network on that interface will still be included in OSPF updates sent via other interfaces. Use the following command in the ROUTER OSPF mode to suppress the interface’s participation on an OSPF interface.
www.dell.com | support.dell.com Figure 29-13. Command Example: show ip ospf process-id interface FTOS#show ip ospf 34 int GigabitEthernet 0/0 is up, line protocol is down Internet Address 10.1.2.100/24, Area 1.1.1.1 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DOWN, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Figure 29-14 shows the convergence settings when fast-convergence is enabled and Figure 29-15 shows settings when fast-convergence is disabled. These displays appear with the show ip ospf command. Figure 29-14. Command Example: show ip ospf process-id (fast-convergence enabled) FTOS(conf-router_ospf-1)#fast-converge 2 FTOS(conf-router_ospf-1)#ex FTOS(conf)#ex FTOS#show ip ospf 1 Routing Process ospf 1 with ID 192.168.67.
www.dell.com | support.dell.com Use any or all of the following commands in CONFIGURATION INTERFACE mode to change OSPFv2 parameters on the interfaces: Command Syntax Command Mode Usage ip ospf cost CONFIG-INTERFACE Change the cost associated with OSPF traffic on the interface. Cost: 1 to 65535 (default depends on the interface speed). ip ospf dead-interval seconds CONFIG-INTERFACE Change the time interval the router waits before declaring a neighbor dead. Configure Seconds range: 1 to 65535.
Figure 29-16. Changing the OSPF Cost Value on an Interface FTOS(conf-if)#ip ospf cost 45 FTOS(conf-if)#show config ! interface GigabitEthernet 0/0 ip address 10.1.2.100 255.255.255.0 no shutdown The change is made on the interface and it is reflected in the OSPF configuration. ip ospf cost 45 FTOS(conf-if)#end FTOS#show ip ospf 34 interface GigabitEthernet 0/0 is up, line protocol is up Internet Address 10.1.2.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.
www.dell.com | support.dell.com • • • • grace period—the length of time the graceful restart process can last before OSPF terminates it. helper-reject neighbors—the router ID of each restart router that does not receive assistance from the configured router. mode—the situation or situations that trigger a graceful restart. role—the role or roles the configured router can perform. Note: By default, OSPFv2 graceful restart is disabled.
Figure 29-17. Command Example: show run ospf FTOS#show run ospf ! router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.0.2.0/24 area 0 FTOS# Use the following command to disable OSPFv2 graceful-restart after you have enabled it. Command Syntax Command Mode Usage no graceful-restart grace-period CONFIG-ROUTEROSPF-id Disable OSPFv2 graceful-restart.
www.dell.com | support.dell.com Use the following commands in CONFIGURATION-ROUTER OSPF mode to apply prefix lists to incoming or outgoing OSPF routes. Command Syntax Command Mode Usage distribute-list prefix-list-name in [interface] CONFIG-ROUTEROSPF-id Apply a configured prefix list to incoming OSPF routes. distribute-list prefix-list-name out [connected | isis | rip | static] CONFIG-ROUTEROSPF-id Assign a configured prefix list to outgoing OSPF routes.
Troubleshooting OSPFv2 FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt an OSPFv2 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks.
www.dell.com | support.dell.com Use the show running-config ospf command to see the state of all the enabled OSPFv2 processes. Command Syntax Command Mode Usage show running-config ospf EXEC Privilege View the summary of all OSPF process IDs enables on the router. Figure 29-19. Command Example: show running-config ospf FTOS#show run ospf ! router ospf 3 ! router ospf 4 router-id 4.4.4.4 network 4.4.4.
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv2 process: Command Syntax Command Mode Usage debug ip ospf process-id [event | packet | spf] EXEC Privilege View debug messages. To view debug messages for a specific OSPF process ID, enter debug ip ospf process-id. If you do not enter a process ID, the command applies to the first OSPF process.
www.dell.com | support.dell.com Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2. These are not comprehensive directions. They are intended to give you a some guidance with typical configurations. You can copy and paste from these examples to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, etc. Basic OSPFv2 Router Topology The following illustration is a sample basic OSPFv2 topology.
Configuration Task List for OSPFv3 (OSPF for IPv6) Open Shortest Path First version 3 (OSPF for IPv6) is supported on platforms ce z The configuration options of OSPFv3 are the same as those for OSPFv2, but may be configured with differently labeled commands. Process IDs and areas need to be specified. Interfaces and addresses need to be included in the process. Areas can be defined as stub or totally stubby.
www.dell.com | support.dell.com Enable IPv6 Unicast Routing Command Syntax Command Mode Usage ipv6 unicast routing CONFIGURATION Enables IPv6 unicast routing globally. Assign IPv6 addresses on an interface Command Syntax Command Mode Usage ipv6 address ipv6 address CONF-INT-type slot/port Assign IPv6 address to the interface. IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
Use the no ipv6 router ospf process-id command syntax in the CONFIGURATION mode to disable OSPF. Use the clear ipv6 ospf process command syntax in the EXEC Privilege mode to reset the OSPFv3 process. Configure stub areas Command Syntax Command Mode Usage area area-id stub [no-summary] CONF-IPV6-ROUTER-OSPF Configure the area as a stub area. Use the no-summary keywords to prevent transmission in to the area of summary ASBR LSAs. Area ID is a number or IP address assigned when creating the Area.
www.dell.com | support.dell.com Redistribute routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command syntax, you can include RIP, static, or directly connected routes in the OSPF process. Command Syntax Command Mode Usage redistribute {bgp | connected | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value] CONF-IPV6-ROUTER-OSPF Specify which routes will be redistributed into OSPF process.
Enable OSPFv3 graceful restart Graceful Restart for OSPFv3 is supported on platforms for more information on the feature. et z . Refer to Graceful Restart By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA.
www.dell.com | support.dell.com To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands: Command Syntax Command Mode Usage show run ospf EXEC Privilege Display the graceful-restart configuration for OSPFv2 and OSPFv3 (Figure 29-22). show ipv6 ospf database grace-lsa EXEC Privilege Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (Figure 29-23).
Figure 29-24. Command Example: show ipv6 ospf database grace-lsa FTOS#show ipv6 ospf database grace-lsa ! Type-11 Grace LSA (Area 0) LS Age Link State ID Advertising Router LS Seq Number Checksum Length Associated Interface Restart Interval Restart Reason : : : : : : : : : 10 6.16.192.66 100.1.1.1 0x80000001 0x1DF1 36 Gi 5/3 180 Switch to Redundant Processor OSPFv3 Authentication Using IPsec OSPFv3 Authentication Using IPsec is supported only on platforms: etz Starting in release 8.4.2.
www.dell.com | support.dell.com • The encapsulating security payload encapsulates data, enabling the protection of data that follows in the datagram. ESP provides authentication and confidentiality of every packet. The ESP extension header is designed to provide a combination of security services for both IPv4 and IPv6. The ESP header is inserted after the IP header and before the next layer protocol header in transport mode.
• • • • IPsec security associations (SAs) are supported only in transport mode (tunnel mode is not supported). ESP with null encryption is supported for authenticating only OSPFv3 protocol headers. ESP with non-null encryption is supported for full confidentiality. 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported. Note: You may encrypt all keys on a router by using the service password-encryption command in global configuration mode.
www.dell.com | support.dell.com To configure IPsec authentication on an interface, enter the following command: Command Syntax Command Mode Usage ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key} INTERFACE Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface, where: null causes an authentication policy configured for the area to not be inherited on the interface. ipsec spi number is the Security Policy index (SPI) value.
To configure IPsec encryption on an interface, enter the following command: Command Syntax ipv6 ospf encryption {null | ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key} Command Mode INTERFACE Usage Enable IPsec encryption for OSPFv3 packets on an IPv6-based interface, where: null causes an encryption policy configured for the area to not be inherited on the interface. ipsec spi number is the Security Policy index (SPI) value.
www.dell.com | support.dell.com Configuring IPsec Authentication for an OSPFv3 Area Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
Configuring IPsec Encryption for an OSPFv3 Area Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, you must first enable OSPFv3 globally on the router (see Configuration Task List for OSPFv3 (OSPF for IPv6)).
www.dell.com | support.dell.com If you have enabled IPsec authentication in an OSPFv3 area with the area authentication command, you cannot use the area encryption command in the area at the same time. The configuration of IPsec encryption on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area encryption policy that has been configured is applied to the interface.
Figure 29-25. Command Example: show crypto ipsec policy FTOS#show crypto ipsec policy Crypto IPSec client security policy data Policy name Policy refcount Inbound ESP SPI Outbound ESP SPI Inbound ESP Auth Key Outbound ESP Auth Key Inbound ESP Cipher Key Outbound ESP Cipher Key Transform set : : : : : : : : : In this encryption policy, the keys OSPFv3-1-502 are not encrypted.
www.dell.com | support.dell.com To display the IPsec security associations (SAs) used on OSPFv3 interfaces, enter the following command: Command Syntax Command Mode Usage show crypto ipsec sa ipv6 [interface interface] EXEC Privilege Displays security associations set up for OSPFv3 links in IPsec authentication and encryption policies on the router.
Figure 29-26.
www.dell.com | support.dell.com Troubleshooting OSPFv3 FTOS has several tools to make troubleshooting easier. Be sure to check the following, as these are typical issues that interrupt the OSPFv3 process. Note that this is not a comprehensive list, just some examples of typical troubleshooting checks.
Use the following command in EXEC Privilege mode to configure the debugging options of an OSPFv3 process: Command Syntax Command Mode Usage debug ipv6 ospf [event | packet] {type slot/port} EXEC Privilege View debug messages for all OSPFv3 interfaces. • event: View OSPF event messages. • packet: View OSPF packets. • For a Gigabit Ethernet interface, enter the keyword GigabitEthernet followed by the slot/port information (e.g., passive-interface gi 2/1).
www.dell.com | support.dell.
30 PIM Sparse-Mode (PIM-SM) PIM Sparse-Mode (PIM-SM) is supported on platforms: ecsz PIM-Sparse Mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only upon request using a PIM Join message; this behavior is the opposite of PIM-Dense Mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information • • • • • • • • • • The Dell Force10 implementation of PIM-SM is based on the IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
www.dell.com | support.dell.com Requesting Multicast Traffic A host requesting multicast traffic for a particular group sends an IGMP Join message to its gateway router. The gateway router is then responsible for joining the shared tree to the RP (RPT) so that the host can receive the requested traffic. 1. Upon receiving an IGMP Join message, the receiver gateway router (last-hop DR) creates a (*,G) entry in its multicast routing table for the requested group.
source, including the RP, create an (S,G) entry and list the interface on which the message was received as an outgoing interface, thus recreating a SPT to the source. 3. Once the RP starts receiving multicast traffic via the (S,G) it unicasts a Register-Stop message to the first-hop DR so that multicast packets are no longer encapsulated in PIM Register packets and unicast.
www.dell.com | support.dell.com Enable PIM-SM You must enable PIM-SM on each participating interface: Step 1 2 Task Command Command Mode Enable multicast routing on the system. ip multicast-routing CONFIGURATION Enable PIM-Sparse Mode ip pim sparse-mode INTERFACE Display which interfaces are enabled with PIM-SM using the command show ip pim interface from EXEC Privilege mode, as shown in Figure 30-1. Figure 30-1.
Figure 30-3. Viewing the PIM Multicast Routing Table FTOS#show ip pim tib PIM Multicast Routing Table Flags: D - Dense, S - Sparse, C - Connected, L - Local, P - Pruned, R - RP-bit set, F - Register flag, T - SPT-bit set, J - Join SPT, Timers: Uptime/Expires Interface state: Interface, next-Hop, State/Mode (*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ Incoming interface: GigabitEthernet 4/12, RPF neighbor 10.87.3.
www.dell.com | support.dell.com Step 3 Task Command Syntax Command Mode Set the expiry time for a specific (S,G) entry (Figure 30-4). Range 211-86400 seconds Default: 210 ip pim sparse-mode sg-expiry-timer seconds sg-list access-list-name CONFIGURATION Note: The expiry time configuration is nullified, and the default global expiry time is used if: • • an ACL is specified for an in the ip pim sparse-mode sg-expiry-timer command, but the ACL has not been created or is a standard ACL.
Override Bootstrap Router Updates PIM-SM routers need to know the address of the RP for each group for which they have (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration. If you have configured a static RP for a group, use the option override with the command ip pim rp-address to override bootstrap router updates with your static RP configuration.
www.dell.com | support.dell.com Create Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM Multicast Border Routers (PMBRs). PMBRs connect each PIM domain to the rest of the internet. Create multicast boundaries and domains by filtering inbound and outbound Bootstrap Router (BSR) messages per interface, use the ip pim bsr-border command.
• restart-time is the time required by the Dell Force10 system to restart. The default value is 180 seconds. • stale-entry-time is the maximum amount of time that the Dell Force10 system preserves entries from a restarting neighbor. The default value is 60 seconds. In helper-only mode, the system preserves the PIM states of a neighboring router while the neighbor gracefully restarts, but the Dell Force10 system allows itself to be taken off the forwarding path if it restarts.
678 | PIM Sparse-Mode (PIM-SM) www.dell.com | support.dell.
31 PIM Source-Specific Mode (PIM-SSM) PIM Source-Specific Mode (PIM-SSM) is supported on platforms: ecsz PIM-Source-Specific Mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of Protocol Independent Multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
680 | PIM Source-Specific Mode (PIM-SSM) (10.11.5.2, 239.0.0.2), uptime 00:00:36, expires 00:03:14, flags: CT Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2 Outgoing interface list: Vlan 300 Forward/Sparse 00:02:12/Never interface Vlan 400 ip pim sparse-mode ip address 10.11.4.1/24 untagged GigabitEthernet 1/2 ip igmp version 3 no shutdown interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown RP 2/1 R1 3/21 3/1 Source 1 10.11.5.
Implementation Information • • • • • The Dell Force10implementation of PIM-SSM is based on RFC 3569. C-Series supports a maximum of 31 PIM interfaces and 4K multicast entries including (*,G), and (S,G) entries. There is no limit on the number of PIM neighbors C-Series can have. S-Series supports a maximum of 31 PIM interfaces and 2K multicast entries including (*,G), and (S,G) entries. There is no limit on the number of PIM neighbors S-Series can have.
www.dell.com | support.dell.com Enable PIM-SSM To enable PIM-SSM: Step Task Command Syntax Command Mode 1 Create an ACL that uses permit rules to specify what range of addresses should use SSM. You must at least include one rule, permit 232.0.0.0/8, which is the default range for PIM-SSM. ip access-list standard name CONFIGURATION 2 Enter the command ip pim ssm-range and specify the ACL you created.
• When an extended ACL is associated with this command, FTOS displays an error message. If you apply an extended ACL before you create it, FTOS accepts the configuration, but when the ACL is later defined, FTOS ignores the ACL and the stated mapping has no effect. Display the source to which a group is mapped using the command show ip igmp ssm-map [group], as shown in Figure 31-4 on page 685.
684 | PIM Source-Specific Mode (PIM-SSM) interface Vlan 400 ip pim sparse-mode ip address 10.11.4.1/24 untagged GigabitEthernet 1/2 ip igmp version 3 no shutdown ip igmp snooping enable (10.11.5.2, 239.0.0.2), uptime 00:00:33, expires 00:00:00, flags: CJ Incoming interface: GigabitEthernet 1/31, RPF neighbor 10.11.13.2 Outgoing interface list: Vlan 300 Forward/Sparse 00:00:33/Never (10.11.5.2, 239.0.0.
Figure 31-4. Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.2 ! ip access-list standard ssm seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode 239.0.0.2 Vlan 300 IGMPv2-Compat Member Ports: Gi 1/1 239.0.0.
www.dell.com | support.dell.
32 Port Monitoring Port Monitoring is supported on platforms: ecsz Port Monitoring, also known as Port Mirroring, is a feature that copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port. The source port is the monitored port (MD) and the destination port is the monitoring port (MG). Port Monitoring functionality is different between platforms, but the behavior is the same, with highlighted exceptions.
www.dell.com | support.dell.com • The C-Series and S-Series may only have four destination ports per port-pipe. There is no limitation on the total number of monitoring sessions. Table 32-1 lists the maximum number of monitoring sessions per system. For the C-Series and S-Series, the total number of sessions is derived by consuming a unique destination port in each session, in each port-pipe. Table 32-1.
On the E-Series TeraScale, FTOS supports a single source-destination statement in a monitor session (Message 2). E-Series TeraScale supports only one source and one destination port per port-pipe (Message 3). Therefore, the E-Series TeraScale supports as many monitoring sessions as there are port-pipes in the system. Message 2 Multiple Source-Destination Statements Error Message on E-Series TeraScale % Error: Remove existing monitor configuration.
www.dell.com | support.dell.com The number of source ports FTOS allows within a port-pipe is equal to the number of physical ports in the port-pipe (n). However, n number of ports may only have four different destination ports (Message 5). Figure 32-2.
Figure 32-4.
www.dell.com | support.dell.com FTOS Behavior: The C-Series and S-Series continue to mirror outgoing traffic even after an MD participating in Spanning Tree Protocol transitions from the forwarding to blocking. Configuring Port Monitoring To configure port monitoring: Step Task Command Syntax Command Mode 1 Verify that the intended monitoring port has no configuration other than no shutdown, as shown in Figure 32-6.
Figure 32-7.
www.dell.com | support.dell.com Flow-based Monitoring Flow-based Monitoring is supported only on platform e Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You may specify traffic using standard or extended access-lists.
33 Private VLANs The Private VLAN (PVLAN) feature is supported on platforms: c sz For syntax details on the commands discussed in this chapter, see the Private VLANs Commands chapter in the FTOS Command Reference.
www.dell.com | support.dell.com Private VLAN Concepts The VLAN types in a private VLAN (PVLAN) include: Community VLAN — A community VLAN is a type of secondary VLAN in a primary VLAN: • • • Ports in a community VLAN can communicate with each other. Ports in a community VLAN can communicate with all promiscuous ports in the primary VLAN. A community VLAN can only contain ports configured as host.
Each of the port types can be any type of physical Ethernet port, including port channels (LAGs). For details on port channels, see Port Channel Interfaces on page 381 in Chapter 19, Interfaces. For an introduction to VLANs, see Chapter 24, Layer 2. Private VLAN Commands The commands dedicated to supporting the Private VLANs feature are: Table 33-1. Private VLAN Commands Task Command Syntax Command Mode Enable/disable Layer 3 communication between secondary VLANs.
www.dell.com | support.dell.com Private VLAN Configuration Task List The following sections contain the procedures that configure a private VLAN: • • • • Creating PVLAN ports Creating a Primary VLAN on page 699 Creating a Community VLAN on page 700 Creating an Isolated VLAN on page 700 Creating PVLAN ports Private VLAN ports are those that will be assigned to the private VLAN (PVLAN).
Creating a Primary VLAN A primary VLAN is a port-based VLAN that is specifically enabled as a primary VLAN to contain the promiscuous ports and PVLAN trunk ports for the private VLAN. A primary VLAN also contains a mapping to secondary VLANs, which are comprised of community VLANs and isolated VLANs. Step Command Syntax Command Mode Purpose 1 interface vlan vlan-id CONFIGURATION Access the INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
www.dell.com | support.dell.com Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN. The ports in a community VLAN can talk to each other and with the promiscuous ports in the primary VLAN. Step Command Syntax Command Mode Purpose 1 interface vlan vlan-id CONFIGURATION Access the INTERFACE VLAN mode for the VLAN that you want to make a community VLAN. 2 no shutdown INTERFACE VLAN Enable the VLAN.
Figure 33-2.
www.dell.com | support.dell.com The result is that: • • • • The ports in community VLAN 4001 can communicate directly with each other and with promiscuous ports. The ports in community VLAN 4002 can communicate directly with each other and with promiscuous ports The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000.
show vlan private-vlan mapping: Display the primary-secondary VLAN mapping. See the example • output from the S50V, above, in Figure 33-6. Two show commands revised to display PVLAN data are: • • show arp • show vlan: See revised output in Figure 33-7. Figure 33-4. show vlan private-vlan Example Output from C300 c300-1#show vlan private-vlan Primary Secondary Type Active ------- --------- --------- -----4000 Primary Yes 4001 Community Yes 4002 Community Yes 4003 Isolated Yes Figure 33-5.
www.dell.com | support.dell.com Figure 33-8.
34 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN Spanning Tree Plus (PVST+) is supported platforms: ecsz Protocol Overview Per-VLAN Spanning Tree Plus (PVST+) is a variation of Spanning Tree—developed by a third party— that allows you to configure a separate Spanning Tree instance for each VLAN. For more information on Spanning Tree, see Chapter 45, Spanning Tree Protocol (STP). Figure 34-1.
www.dell.com | support.dell.com FTOS supports three other variations of Spanning Tree, as shown in Table 34-1. Table 34-1. FTOS Supported Spanning Tree Protocols Dell Force10Term IEEE Specification Spanning Tree Protocol (STP) 802.1d Rapid Spanning Tree Protocol (RSTP) 802.1w Multiple Spanning Tree Protocol (MSTP) 802.1s Per-VLAN Spanning Tree Plus (PVST+) Third Party Implementation Information • • • • The FTOS implementation of PVST+ is based on IEEE Standard 802.1d.
• • • PVST+ in Multi-vendor Networks on page 712 PVST+ Extended System ID on page 712 PVST+ Sample Configurations on page 713 Enable PVST+ When you enable PVST+, FTOS instantiates STP on each active VLAN. To enable PVST+ globally: Step Task Command Syntax Command Mode 1 Enter PVST context. protocol spanning-tree pvst PROTOCOL PVST 2 Enable PVST+. no disable PROTOCOL PVST Disable PVST+ Task Command Syntax Command Mode Disable PVST+ globally.
Load Balancing with PVST+ STI 2 root STI 1: VLAN 100 STI 2: VLAN 200 STI 3: VLAN 300 R2 vlan 100 bridge-priority 4096 2/32 Blocking 3/22 X R3 STI 3 root vlan 100 bridge-priority 4096 3/12 2/12 Forwarding www.dell.com | support.dell.com Figure 34-3. 1/22 X X 1/32 STI 1 root R1 vlan 100 bridge-priority 4096 The bridge with the bridge value for bridge priority is elected root.
Figure 34-4. Display the PVST+ Forwarding Topology FTOS_E600(conf)#do show spanning-tree pvst vlan 100 VLAN 100 Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.
www.dell.com | support.dell.com Task Command Syntax Command Mode Change the max-age parameter. Range: 6 to 40 Default: 20 seconds vlan max-age PROTOCOL PVST The values for global PVST+ parameters are given in the output of the command show spanning-tree pvst, as shown in Figure 34-4. Modify Interface PVST+ Parameters You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port: • • Port cost is a value that is based on the interface type.
Task Command Syntax Command Mode Change the port priority of an interface. Range: 0 to 240, in increments of 16 Default: 128 spanning-tree pvst vlan priority INTERFACE The values for interface PVST+ parameters are given in the output of the command show spanning-tree pvst, as shown in Figure 34-4. Configure an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner.
www.dell.com | support.dell.com FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior: 1 If the interface to be shutdown is a port channel then all the member ports are disabled in the hardware. 2 When a physical port is added to a port channel already in error disable state, the new member port will also be disabled in the hardware.
Figure 34-5. PVST+ with Extend System ID Dell Force10 System VLAN unaware Hub P1 untagged in VLAN 10 X P2 untagged in VLAN 20 moves to blocking unless Extended System ID is enabled Task Command Syntax Command Mode Augment the Bridge ID with the VLAN ID. extend system-id PROTOCOL PVST FTOS(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.
www.dell.com | support.dell.com Figure 34-6.
Figure 34-7.
www.dell.com | support.dell.
35 Quality of Service (QoS) Quality of Service (QoS) is supported on platforms: e c s z Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The E-Series has eight unicast queues per port and 128 multicast queues per-port pipe. Traffic is queued on ingress and egress. By default, on ingress, all data traffic is mapped to Queue 0, and all control traffic is mapped to Queue 7. On egress control traffic is mapped across all eight queues.
www.dell.com | support.dell.com Table 35-1.
Figure 35-1. Dell Force10 Networks QoS Architecture Marking (DiffServ, 802.1p, Exp) Ingress Packet Processing Packet Classification (ACL) Rate Policing Buffers Class-based Queues Switching Rate Limiting Buffers Class-based Queues Egress Congestion Management (WFQ Scheduling) Egress Packet Processing Traffic Shaping Congestion Avoidance (WRED) Implementation Information Dell Force10’s QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
www.dell.com | support.dell.com • • Configure Port-based Rate Limiting Configure Port-based Rate Shaping Set dot1p Priorities for Incoming Traffic Change the priority of incoming traffic on the interface using the command dot1p-priority from INTERFACE mode, as shown in Figure 35-2. FTOS places traffic marked with a priority in a queue based on Table 35-2. If you set a dot1p priority for a port-channel, all port-channel members are configured with the same value.
On the C-Series and S-Series you can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. See Mapping dot1p values to service queues on page 734. Note: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. Figure 35-3.
www.dell.com | support.dell.com Figure 35-5.
Figure 35-7.
www.dell.com | support.dell.com Figure 35-9. Constructing Policy-based QoS Configurations Interface Input Service Policy 0 Output Service Policy 7 Input Policy Map Input Policy Map Class Map L3 ACL L3 Fields 7 0 DSCP Rate Policing Output Policy Map Output Policy Map Output QoS Policy Input QoS Policy Outgoing Marking Rate Limiting WRED B/W % Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to each class.
Figure 35-10. Using the Order Keyword in ACLs FTOS(conf)#ip access-list standard acl1 FTOS(config-std-nacl)#permit 20.0.0.0/8 FTOS(config-std-nacl)#exit FTOS(conf)#ip access-list standard acl2 FTOS(config-std-nacl)#permit 20.1.1.
www.dell.com | support.dell.com In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules, as shown in Figure 35-10. The order can range from 0 to 254. FTOS writes to the CAM ACL rules with lower order numbers (order numbers closer to 0) before rules with higher order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 254.
FTOS Behavior: An explicit “deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. Below, traffic is classified in two Queues, 1 and 2. Class-map ClassAF1 is “match any,” and ClassAF2 is “match all”.
www.dell.com | support.dell.com Create a QoS Policy There are two types of QoS policies: input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. There are two types of input QoS policies: Layer 3 and Layer 2. • • Layer 3 QoS input policies allow you to rate police and set a DSCP or dot1p value. Layer 2 QoS input policies allow you to rate police and set a dot1p value.
Figure 35-12. Marking DSCP Values for Egress Packets FTOS#config FTOS(conf)#qos-policy-input my-input-qos-policy FTOS(conf-qos-policy-in)#set ip-dscp 34 % Info: To set the specified DSCP value 34 (100-010 b) the QoS policy must be mapped to queue 4 (100 b).
www.dell.com | support.dell.com To allocate bandwidth to queues on the C-Series and S-Series, assign each queue a weight ranging from 1 to 1024, in increments of 2n, using the command bandwidth-weight. Table 35-3 shows the default bandwidth weights for each queue, and their equivalent percentage which is derived by dividing the bandwidth weight by the sum of all queue weights. Note: Dell Force10 recommends assigning bandwidth to all queues.
Specify a WRED profile to yellow and/or green traffic using the command wred from QOS-POLICY-OUT mode. See Apply a WRED profile to traffic. Create Policy Maps There are two types of policy maps: input and output. Create Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1. Create a Layer 3 input policy map using the command policy-map-input from CONFIGURATION mode. Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command. 2.
www.dell.com | support.dell.com Table 35-5.
When using QoS service policies with multiple class maps, you can configure FTOS to use the incoming DSCP or dot1p marking as a secondary option for packet queuing in the event that no match occurs in the class maps. When class-maps are used, traffic is matched against each class-map sequentially from first to last. The sequence is based on the priority of the rules, as follows: 1. rules with lowest priority, or in the absence of a priority configuration, 2.
www.dell.com | support.dell.com To enable Fall Back to trust diffserve or dot1p: Task Command Syntax Command Mode Classify packets according to their DSCP value as a secondary option in case no match occurs against the configured class maps. trust {diffserve | dot1p} fallback POLICY-MAP-IN Mapping dot1p values to service queues Mapping dot1p values to service queues is available only on platforms: csz On the C-Series and S-Series all traffic is by default mapped to the same queue, Queue 0.
2. Once you create an output policy map, do one or more of the following: • • • Apply an output QoS policy to a queue Specify an aggregate QoS policy Apply an output policy map to an interface 3. Apply the policy map to an interface. See page 61. Apply an output QoS policy to a queue Apply an output QoS policy to queues using the command service-queue from INTERFACE mode. Specify an aggregate QoS policy Specify an aggregate QoS policy using the command policy-aggregate from POLICY-MAP-OUT mode.
www.dell.com | support.dell.com QoS Rate Adjustment is disabled by default, and no qos-rate-adjust is listed in the running-configuration. Task Command Syntax Command Mode Include a specified number of bytes of packet overhead to include in rate limiting, policing, and shaping calculations. For example, to include the Preamble and SFD, enter qos-rate-adjust 8. For variable length overhead fields you must know the number of bytes you want to include.
Figure 35-13. Packet Drop Rate for WREDl No Packets Buffered Early Warning Allotted Space Packet Drop Rate All Pckts 0 Pckts 0KB Min Max Total Buffer Space Buffer Space fnC0045mp You can create a custom WRED profile or use on of the five pre-defined profiles. Table 35-7. Pre-defined WRED Profiles (E-Series) Default Profile Name Minimum Threshold Maximum Threshold wred_drop 0 0 wred_ge_y 1024 2048 wred_ge_g 2048 4096 wred_teng_y 4096 8192 wred_teng_g 8192 16384 Table 35-8.
www.dell.com | support.dell.com 2. The command wred places you in WRED mode. From this mode, specify minimum and maximum threshold values using the command threshold. Apply a WRED profile to traffic Once you create a WRED profile you must specify to which traffic FTOS should apply the profile. FTOS assigns a color (also called drop precedence)—red, yellow, or green—to each packet based on it DSCP value before queuing it. DSCP is a 6 bit field.
Figure 35-16.
www.dell.com | support.dell.com Pre-calculating Available QoS CAM Space Pre-calculating Available QoS CAM Space is supported on platforms: cesz Before version 7.3.1 there was no way to measure the number of CAM entries a policy-map would consume (the number of CAM entries that a rule uses is not predictable; 1 to 16 entries might be used per rule depending upon its complexity). Therefore, it was possible to apply to an interface a policy-map that requires more entries than are available.
• Exception indicates that the number of CAM entries required to write the policy-map to the CAM is greater than the number of available CAM entries, and therefore the policy-map cannot be applied to an interface in the specified port-pipe.
742 | Quality of Service (QoS) www.dell.com | support.dell.
36 Routing Information Protocol (RIP) Routing Information Protocol (RIP) is supported only on platforms: ecsz RIP is supported on the S-Series following the release of FTOS version 7.8.1.0, and on the C-Series with FTOS versions 7.6.1.0 and after. Routing Information Protocol (RIP) is based on a distance-vector algorithm, it tracks distances or hop counts to nearby routers when establishing network connections.
www.dell.com | support.dell.com RIP must receive regular routing updates to maintain a correct routing table. Response messages containing a router’s full routing table are transmitted every 30 seconds. If a router does not send an update within a certain amount of time, the hop count to that route is changed to unreachable (a route hop metric of 16 hops). Another timer sets the amount of time before the unreachable routes are removed from the routing table.
Configuration Task List for RIP • • • • • • • • • Enable RIP globally on page 745 (mandatory) Configure RIP on interfaces on page 746 (optional) Control RIP routing updates on page 747 (optional) Set send and receive version on page 748 (optional) Generate a default route on page 750 (optional) Control route metrics on page 751 (optional) Summarize routes on page 750 (optional) Control route metrics on page 751 Debug RIP on page 751 For a complete listing of all commands related to RIP, refer to the FTOS
www.dell.com | support.dell.com When the RIP process has learned the RIP routes, use the show ip rip database command in the EXEC mode to view those routes (Figure 385). Figure 36-2. show ip rip database Command Example (Partial) FTOS#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 160.160.0.0/16 auto-summary 2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 2.0.0.0/8 auto-summary 4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 4.0.0.
Control RIP routing updates By default, RIP broadcasts routing information out all enabled interfaces, but you can configure RIP to send or to block RIP routing information, either from a specific IP address or a specific interface. To control which devices or interfaces receive routing updates, you must configure a direct update to one router and configure interfaces to block RIP updates from other sources.
www.dell.com | support.dell.com To add routes from other routing instances or protocols, use any of the following commands in the ROUTER RIP mode: Command Syntax Command Mode Purpose redistribute {connected | static} [metric metric-value] [route-map map-name] ROUTER RIP Include directly connected or user-configured (static) routes in RIP. • metric range: 0 to 16 • map-name: name of a configured route map.
Figure 36-3.
www.dell.com | support.dell.com Figure 36-5.
If you must perform routing between discontiguous subnets, disable automatic summarization. With automatic route summarization disabled, subnets are advertised. The command autosummary requires no other configuration commands. To disable automatic route summarization, in the ROUTER RIP mode, enter no autosummary. Note: If the ip split-horizon command is enabled on an interface, then the system does not advertise the summarized address.
www.dell.com | support.dell.com To enable RIP debugging, use the following command in the EXEC privilege mode: Command Syntax Command Mode Purpose debug ip rip [interface | database | events | trigger] EXEC privilege Enable debugging of RIP. Figure 36-6 shows the confirmation when the debug function is enabled. Figure 36-6. debug ip rip Command Example FTOS#debug ip rip RIP protocol debug is ON FTOS# To disable RIP, use the no debug ip rip command.
Configuring RIPv2 on Core 2 Figure 36-8. Configuring RIPv2 on Core 2 Core2(conf-if-gi-2/31)# Core2(conf-if-gi-2/31)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
www.dell.com | support.dell.com Figure 36-10.
RIP Configuration on Core 3 Figure 36-12. RIP Configuration on Core 3 Core3(conf-if-gi-3/21)#router rip Core3(conf-router_rip)#version 2 Core3(conf-router_rip)#network 192.168.1.0 Core3(conf-router_rip)#network 192.168.2.0 Core3(conf-router_rip)#network 10.11.30.0 Core3(conf-router_rip)#network 10.11.20.0 Core3(conf-router_rip)#show config ! router rip network 10.0.0.0 network 192.168.1.0 network 192.168.2.
www.dell.com | support.dell.com Figure 36-14.
RIP Configuration Summary Figure 36-16. Summary of Core 2 RIP Configuration Using Output of show run Command ! interface GigabitEthernet 2/11 ip address 10.11.10.1/24 no shutdown ! interface GigabitEthernet 2/31 ip address 10.11.20.2/24 no shutdown ! interface GigabitEthernet 2/41 ip address 10.200.10.1/24 no shutdown ! interface GigabitEthernet 2/42 ip address 10.250.10.1/24 no shutdown router rip version 2 10.200.10.0 10.300.10.0 10.11.10.0 10.11.20.0 Figure 36-17.
www.dell.com | support.dell.
37 Remote Monitoring (RMON) Remote Monitoring (RMON) is supported on platform: ecsz This chapter describes the Remote Monitoring (RMON): • • Implementation Fault Recovery Remote Monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Force10Ethernet Interfaces. RMON operates with SNMP and monitors all nodes on a LAN segment.
www.dell.com | support.dell.com Fault Recovery RMON provides the following fault recovery functions: Interface Down—When an RMON-enabled interface goes down, monitoring continues. However, all data values are registered as 0xFFFFFFFF (32 bits) or ixFFFFFFFFFFFFFFFF (64 bits). When the interface comes back up, RMON monitoring processes resumes. Note: A Network Management System (NMS) should be ready to interpret a down interface and plot the interface performance graph accordingly.
Set rmon alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. To disable the alarm, use the no form of this command: Command Syntax Command Mode Purpose [no] rmon alarm number variable interval {delta | absolute} rising-threshold [value event-number] falling-threshold value event-number [owner string] or CONFIGURATION Set an alarm on any MIB object. Use the no form of this command to disable the alarm.
www.dell.com | support.dell.com Figure 37-1. rmon alarm Command Example FTOS(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1 Alarm Number MIB Variable Monitor Interval Counter Value Limit Triggered Event The above example configures RMON alarm number 10. The alarm monitors the MIB variable 1.3.6.1.2.1.2.2.1.20.1 (ifEntry.ifOutErrors) once every 20 seconds until the alarm is disabled, and checks the rise or fall of the variable.
Figure 37-2. rmon event Command Example FTOS(conf)#rmon event 1 log trap eventtrap description “High ifOutErrors” owner nms1 The above configuration example creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when the event is triggered by an alarm. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
www.dell.com | support.dell.com Configure RMON collection history To enable the RMON MIB history group of statistics collection on an interface, use the rmon collection history command in interface configuration mode. To remove a specified RMON history group of statistics collection, use the no form of this command.
38 Rapid Spanning Tree Protocol (RSTP) Rapid Spanning Tree Protocol (RSTP) is supported on platforms: ecsz Protocol Overview Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol—specified by IEEE 802.1w—that is essentially the same as Spanning-Tree Protocol (STP) but provides faster convergence and interoperability with switches configured with STP and MSTP. FTOS supports three other variations of Spanning Tree, as shown in Table 38-1. Table 38-1.
www.dell.com | support.dell.
Figure 38-1.
www.dell.com | support.dell.com Enable Rapid Spanning Tree Protocol Globally Rapid Spanning Tree Protocol must be enabled globally on all participating bridges; it is not enabled by default. To enable Rapid Spanning Tree globally for all Layer 2 interfaces: Step Task Command Syntax Command Mode 1 Enter the PROTOCOL SPANNING TREE RSTP mode. protocol spanning-tree rstp CONFIGURATION 2 Enable Rapid Spanning Tree.
Figure 38-4. Rapid Spanning Tree Enabled Globally root R1 R2 1/3 Forwarding 2/1 1/4 Blocking 2/2 1/1 1/2 3/1 3/2 3/3 2/3 2/4 3/4 R3 Port 684 (GigabitEthernet 4/43) is alternate Discarding Port path cost 20000, Port priority 128, Port Identifier 128.684 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
www.dell.com | support.dell.com Figure 38-5. show spanning-tree rstp Command Example FTOS#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.cbb4 Configured hello time 2, max age 20, forward delay 15, max hops 0 We are the root Current root has priority 32768, Address 0001.e801.
Figure 38-6. show spanning-tree rstp brief Command Example R3#show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e80f.1dad Configured hello time 2, max age 20, forward delay 15 Interface Designated Name PortID Prio Cost Sts Cost Bridge ID PortID ---------- -------- ---- ------- --- ------- -------------------- -------Gi 3/1 128.
www.dell.com | support.dell.com Table 38-2 displays the default values for RSTP. Table 38-2.
To change the port cost or priority of an interface, use the following commands: Task Command Syntax Command Mode Change the port cost of an interface. Range: 0 to 65535 Default: see Table 38-2. spanning-tree rstp cost cost INTERFACE Change the port priority of an interface. Range: 0 to 15 Default: 128 spanning-tree rstp priority priority-value INTERFACE View the current values for interface parameters using the show spanning-tree rstp command from EXEC privilege mode. See Figure 38-5.
www.dell.com | support.dell.com FTOS Behavior: Regarding bpduguard shutdown-on-violation behavior: 1 If the interface to be shutdown is a port channel then all the member ports are disabled in the hardware. 2 When a physical port is added to a port channel already in error disable state, the new member port will also be disabled in the hardware.
Figure 38-8. bridge-priority Command Example FTOS(conf-rstp)#bridge-priority 4096 04:27:59: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.88bd Old root bridge ID New root bridge ID SNMP Traps for Root Elections and Topology Changes Enable SNMP traps for RSTP, MSTP, and PVST+ collectively using the command snmp-server enable traps xstp.
www.dell.com | support.dell.
39 Software-Defined Networking (SDN) Dell Networking operating software (FTOS) supports Software-Defined Networking (SDN). For more information, refer to the SDN Deployment Guide.
www.dell.com | support.dell.
40 Security Security features are supported on platforms: e c sz This chapter discusses several ways to provide access security to the Dell Force10system.
www.dell.com | support.dell.
Suppress AAA Accounting for null username sessions When AAA Accounting is activated, the FTOS software issues accounting records for all users on the system, including users whose username string, because of protocol translation, is NULL. An example of this is a user who comes in on a line where the AAA Authentication login method-list none command is applied.
www.dell.com | support.dell.com No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, perform the following task in Privileged EXEC mode: Command Syntax Command Mode Purpose show accounting CONFIGURATION Step through all active sessions and print all the accounting records for the actively accounted functions. Figure 40-1.
Configure login authentication for terminal lines You can assign up to five authentication methods to a method list. FTOS evaluates the methods in the order in which you enter them in each list. If the first method list does not respond or returns an error, FTOS applies the next method list until the user either passes or fails the authentication. If the user fails a method list, FTOS does not apply the next method list.
www.dell.com | support.dell.com To view the configuration, use the show config command in the LINE mode or the show running-config in the EXEC Privilege mode. Note: Dell Force10 recommends that you use the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with SSH. You can create multiple method lists and assign them to different terminal lines.
To get enable authentication from the RADIUS server, and use TACACS as a backup, issue the following commands: FTOS(config)# aaa authentication enable default radius tacacs Radius and TACACS server has to be properly setup for this. FTOS(config)# radius-server host x.x.x.x key FTOS(config)# tacacs-server host x.x.x.
www.dell.com | support.dell.com • • • Privilege level 1—is the default level for the EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level. Privilege level 0—contains only the end, enable and disable commands.
To configure a username and password, use the following command in the CONFIGURATION mode: Command Syntax Command Mode Purpose username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level] CONFIGURATION Assign a user name and password. Configure the optional and required parameters: • name: Enter a text string up to 63 characters long. • access-class access-list-name: Enter the name of a configured IP ACL.
www.dell.com | support.dell.com Configure custom privilege levels In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible in different privilege levels. Within FTOS, commands have certain privilege levels. With the privilege command, the default level can be changed or you can reset their privilege level back to the default.
Step 3 Command Syntax Command Mode Purpose privilege mode {level level command | reset command} CONFIGURATION Configure level and commands for a mode or reset a command’s level. Configure the following required and optional parameters: • mode: Enter a keyword for the modes (exec, configure, interface, line, route-map, router) • level level range: 0 to 15. Levels 0, 1 and 15 are pre-configured. Levels 2 to 14 are available for custom configuration.
www.dell.com | support.dell.com Figure 40-3. User john’s Login and the List of Available Commands apollo% telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'.
Enable and disabling privilege levels Enter the enable or enable privilege-level command in the EXEC Privilege mode to set a user’s security level. If you do not enter a privilege level, FTOS sets it to 15 by default. To move to a lower privilege level, enter the command disable followed by the level-number you wish to set for the user in the EXEC Privilege mode. If you enter disable without a level-number, your security level is 1.
www.dell.com | support.dell.com Step Task 6 Enter the following commands at the Grub command line prompt. Note: You must type the commands; pasted commands are not accepted. grub> set stconfigignore=true grub> save_env stconfigignore grub> reboot 7 The Z9000 system boots up with factory default configuration. The default FTOS> system prompt displays when the system boots. 8 Copy the startup-config into the running-config.
RADIUS exec-authorization stores a user-shell profile and that is applied during user login. You may name the relevant named-lists with either a unique name or the default name. When authorization is enabled by the RADIUS server, the server returns the following information to the client: • • • • Idle time ACL configuration information Auto-command Privilege level After gaining authorization for the first time, you may configure these attributes.
www.dell.com | support.dell.com Set access to privilege levels through RADIUS Through the RADIUS server, you can use the command privilege level to configure a privilege level for the user to enter into when they connect to a session.This value is configured on the client system. Configuration Task List for RADIUS To authenticate users using RADIUS, at least one RADIUS server must be specified so that the system can communicate with and configure RADIUS as one of your authentication methods.
Apply the method list to terminal lines To enable RADIUS AAA login authentication for a method list, you must apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, enter the following commands: Command Syntax Command Mode Purpose line {aux 0 | console 0 | vty number [end-number]} CONFIGURATION Enter the LINE mode. login authentication {method-list-name | default} LINE Enable AAA login authentication for the specified RADIUS method list.
www.dell.com | support.dell.com To view the RADIUS configuration, use the show running-config radius command in the EXEC Privilege mode. To delete a RADIUS server host, use the no radius-server host {hostname | ip-address} command. Set global communication parameters for all RADIUS server hosts You can configure global communication parameters (auth-port, key, retransmit, and timeout parameters) and specific host communication parameters on the same system.
Monitor RADIUS To view information on RADIUS transactions, use the following command in the EXEC Privilege mode: Command Syntax Command Mode Purpose debug radius EXEC Privilege View RADIUS transactions to troubleshoot problems. TACACS+ FTOS supports Terminal Access Controller Access Control System (TACACS+ client, including support for login authentication.
www.dell.com | support.dell.com To select TACACS as the login authentication method, use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose 1 tacacs-server host {ip-address | host} CONFIGURATION Configure a TACACS+ server host. Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts. 2 aaa authentication login {method-list-name | default} tacacs+ [...
Figure 40-4.
www.dell.com | support.dell.com Figure 40-5 demonstrates how to configure the access-class from a TACACS+ server. This causes the configured access-class on the VTY line to be ignored. If you have configured a deny10 ACL on the TACACS+ server, FTOS downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, FTOS also immediately closes the Telnet connection. Note, that no matter where the user is coming from, they see the login prompt. Figure 40-5.
To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command. freebsd2# telnet 2200:2200:2200:2200:2200::2202 Trying 2200:2200:2200:2200:2200::2202... Connected to 2200:2200:2200:2200:2200::2202. Escape character is '^]'. Login: admin Password: FTOS# FTOS# Command Authorization The AAA command authorization feature configures FTOS to send each configuration command to a TACACS server for authorization before it is added to the running configuration.
www.dell.com | support.dell.com SCP is a remote file copy program that works with SSH and is supported by FTOS. Note: The Windows-based WinSCP client software is not supported for secure copying between a PC and an FTOS-based system. Unix-based SCP client software is supported.
Figure 40-6. Specifying an SSH version FTOS(conf)#ip ssh server version 2 FTOS(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. To disable SSH server functions, enter no ip ssh server enable.
www.dell.com | support.dell.com • ip ssh connection-rate-limit: Configure the maximum number of incoming SSH connections per minute. • • • • • • • • • • • ip ssh hostbased-authentication enable: Enable hostbased-authentication for the SSHv2 server. ip ssh key-size: Configure the size of the server-generated RSA SSHv1 key. ip ssh password-authentication enable: Enable password authentication for the SSH server. ip ssh pub-key-file: Specify the file to be used for host-based authentication.
Figure 40-8. Enabling SSH Password Authentication FTOS(conf)#ip ssh server enable % Please wait while SSH Daemon initializes ... done. FTOS(conf)#ip ssh password-authentication enable FTOS#sh ip ssh SSH server : enabled. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. RSA Authentication of SSH The following procedure authenticates an SSH client based on an RSA key using RSA authentication.
www.dell.com | support.dell.com To configure host-based authentication: Step Task Command Syntax 1 Configure RSA Authentication. See RSA Authentication of SSH, above. 2 Create shosts by copying the public RSA key to the to the file shosts in the diretory .ssh, and write the IP address of the host to the file. Figure 40-10. Command Mode cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts Creating shosts admin@Unix_client# cd /etc/ssh admin@Unix_client# ls moduli sshd_config ssh_host_dsa_key.
Figure 40-12. Client-based SSH Authentication FTOS#ssh 10.16.127.201 ? -l User name option -p SSH server port option (default 22) -v SSH protocol version Troubleshooting SSH • You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, Message 2 appears. Message 2 RSA Authentication Error %Error: No username set for this term. • Host-based authentication must be enabled on the server (Dell Force10 system) and the client (Unix machine).
www.dell.com | support.dell.com Trace Lists The Trace Lists feature is supported only on the E-Series: e You can log packet activity on a port to confirm the source of traffic attacking a system. Once the Trace list is enabled on the system, you view its traffic log to confirm the source address of the attacking traffic. In FTOS, Trace lists are similar to extended IP ACLs, except that Trace lists are not applied to an interface.
Since traffic passes through the filter in the order of the filter’s sequence, you can configure the trace list by first entering the TRACE LIST mode and then assigning a sequence number to the filter. To create a filter for packets with a specified sequence number, use these commands in the following sequence, starting in the CONFIGURATION mode: Step 1 2 Command Syntax Command Mode Purpose ip trace-list trace-list-name CONFIGURATION Enter the TRACE LIST mode by creating an trace list.
www.dell.com | support.dell.com Step 2 Command Syntax Command Mode Purpose seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [established] [count [byte] | log] TRACE LIST Configure a trace list filter for TCP packets. • source: An IP address as the source IP address for the filter to match.
Figure 40-13. Trace list Using seq Command Example FTOS(config-trace-acl)#seq 15 deny ip host 12.45.0.0 any log FTOS(config-trace-acl)#seq 5 permit tcp 121.1.3.45 0.0.255.255 any FTOS(config-trace-acl)#show conf ! ip trace-list dilling seq 5 permit tcp 121.1.0.0 0.0.255.255 any seq 15 deny ip host 12.45.0.0 any log FTOS(config-trace-acl)# If you are creating a Trace list with only one or two filters, you can let FTOS assign a sequence number based on the order in which the filters are configured.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose {deny | permit} tcp {source mask | any | host ip-address} [operator port [port]] {destination mask | any | host ip-address} [operator port [port]] [established] [count [byte] | log] TRACE LIST Configure a deny or permit filter to examine TCP packets. Configure the following required and optional parameters: • source: An IP address as the source IP address for the filter to match.
Figure 40-14. Trace List Example FTOS(config-trace-acl)#deny tcp host 123.55.34.0 any FTOS(config-trace-acl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.0 FTOS(config-trace-acl)#show config ! ip trace-list nimule seq 5 deny tcp host 123.55.34.0 any seq 10 permit udp 154.44.0.0 0.0.255.255 host 34.6.0.0 To view all configured Trace lists and the number of packets processed through the Trace list, use the show ip accounting trace-list command (Figure 40-15) in the EXEC Privilege mode.
www.dell.com | support.dell.com VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in FTOS. These depend on which authentication scheme you use — line, local, or remote: Table 40-1. VTY Access Authentication Method Username VTY access-class access-class support? support? Remote authorization support? Line YES NO NO Local NO YES NO TACACS+ YES NO YES (with FTOS 5.2.1.0 and later) RADIUS YES NO YES (with FTOS 6.1.1.
Figure 40-16. Example Access-Class Configuration Using Local Database FTOS(conf)#user gooduser password abc privilege 10 access-class permitall FTOS(conf)#user baduser password abc privilege 10 access-class denyall FTOS(conf)# FTOS(conf)#aaa authentication login localmethod local FTOS(conf)# FTOS(conf)#line vty 0 9 FTOS(config-line-vty)#login authentication localmethod FTOS(config-line-vty)#end Note: See also the section Chapter 6, Access Control Lists (ACLs).
www.dell.com | support.dell.com Figure 40-18.
41 Service Provider Bridging Service Provider Bridging is supported on platforms: ecsz This chapter contains the following major sections: • • • • • VLAN Stacking on page 817 VLAN Stacking Packet Drop Precedence on page 828 Dynamic Mode CoS for VLAN Stacking on page 830 Layer 2 Protocol Tunneling on page 833 Provider Backbone Bridging on page 837 VLAN Stacking VLAN Stacking is supported on platforms: cesz VLAN Stacking, also called Q-in-Q, is defined in IEEE 802.
VLAN Stacking in a Service Provider Network TPID (0x9100) PCP VID (VLAN 300) DEI PCP TPID (0x8100) CFI (0) VID (VLAN Red) AN 1 00 tagged 100 AN 0 10 VL VL www.dell.com | support.dell.com Figure 41-1.
Create Access and Trunk Ports An access port is a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. A trunk port is a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs. Physical ports and port-channels can be access or trunk ports.
www.dell.com | support.dell.com Display the status and members of a VLAN using the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q. Figure 41-3.
Step 2 Task Command Syntax Command Mode Add the port to a 802.1Q VLAN as tagged or untagged. [tagged | untagged] INTERFACE VLAN In Figure 41-4 GigabitEthernet 0/1 a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN. Figure 41-4.
www.dell.com | support.dell.com Figure 41-5. Example of Output of debug member vlan and debug member port FTOS# debug member vlan 603 vlan id : 603 ports : Gi 2/47 (MT), Gi 3/1(MU), Gi 3/25(MT), Gi 3/26(MT), Gi 3/27(MU) FTOS#debug member port gigabitethernet 2/47 vlan id : 603 (MT), 100(T), 101(NU) FTOS# VLAN Stacking in Multi-vendor Networks The first field in the VLAN tag is the Tag Protocol Identifier (TPID), which is two bytes.
Figure 41-6.
LUE TPID Mismatch and 0x8100 Match on the E-Series TeraScale TPID 0x9100 VLAN GREEN UE N BL VLA R1-E-Series TeraScale TPID: 0x9100 NB CE PROVIDER RVI SE X R2-E-Series TeraScale TPID: 0x8181 VLAN GREEN, VLAN VL AN Building D TPID 0x8100 VLA INTE RN ET www.dell.com | support.dell.com Figure 41-7.
LUE First-byte TPID Match on the E-Series ExaScale TPID 0x9191 VLAN GREEN UE N BL VLA R1-E-Series TeraScale TPID: 0x9191 Building D NB CE PROVIDER RVI SE VLA INTE RN ET Figure 41-8. X R2-E-Series ExaScale TPID: 0x9100 VLAN GREEN, VLAN VL AN PU VLAN R PURPLE ED RP LE Building C VL AN D RE Table 41-1 details the outcome of matched and mis-matched TPIDs in a VLAN-stacking network with the E-Series. Table 41-1.
www.dell.com | support.dell.com You can configure the first eight bits of the TPID using the command vlan-stack protocol-type. The TPID on the C-Series and S-Series systems is global. Ingress frames that do not match the system TPID are treated as untagged. This rule applies for both the outer tag TPID of a double-tagged frame and the TPID of a single-tagged frame.
Single and Double-tag First-byte TPID Match on C-Series and S-Series VLA NB LUE DEFAULT VLAN Figure 41-10. TPID 0x8181 R2-C-Series w/ FTOS <8.2.1.0 ED TPID: 0x8181 VLAN R PURPLE VLAN GREEN, VLAN EN GRE VLAN UE DEFAULT VLAN N BL R3-C-Series w/ FTOS >=8.2.1.0 VL VLA TPID: 0x8181 AN PU R1-C-Series w/ FTOS <8.2.1.
www.dell.com | support.dell.com Table 41-2 details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the C-Series and S-Series. Table 41-2. C-Series and S-Series Behaviors for Mis-matched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-8.2.1.0 8.2.1.
Enable Drop Eligibility You must enable Drop Eligibility globally before you can honor or mark the DEI value. Task Command Syntax Command Mode Make packets eligible for dropping based on their DEI value. By default, packets are colored green, and DEI is marked 0 on egress. dei enable CONFIGURATION When Drop Eligibility is enabled, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to Table 41-3. Table 41-3.
www.dell.com | support.dell.com Task Command Syntax Command Mode FTOS#show interface dei-honor Default Drop precedence: Green Interface CFI/DEI Drop precedence ------------------------------------------------------------Gi 0/1 0 Green Gi 0/1 1 Yellow Gi 8/9 1 Red Gi 8/40 0 Yellow Mark Egress Packets with a DEI Value On egress, you can set the DEI value according to a different mapping than ingress (see Honor the Incoming DEI Value).
Figure 41-12. Statically and Dynamically Assigned dot1p for VLAN Stacking Untagged S-Tag with statically-assigned dot1p S-Tag DATA 0x0800 SA DA DATA 100 1 C-Tag C-Tag 3 0x0800 0x8100 SA DA 3 100 0x8100 C-Tagged 400 0x9100 SA DA 0x9100 SA DA S-Tag 4 400 S-Tag with mapped dot1p When configuring Dynamic Mode CoS, you have two options: a mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p.
www.dell.com | support.dell.com FTOS Behavior: For Option A above, when there is a conflict between the queue selected by Dynamic Mode CoS (vlan-stack dot1p-mapping) and a QoS configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration.
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly: Step Task Command Syntax Command Mode 1 Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag. vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp. vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
SPANNI NG TR VLAN Stacking without L2PT INTE RN E T no spanning-tree ETWORK EN RE SPAN NIN G www.dell.com | support.dell.com Figure 41-13. T ING TREE ANN SP CE PROVIDER w/ I V R SE EE EE TR Building B no spanning-tree X BPDU w/ destination MAC address: 01-80-C2-00-00-00 Building A You might need to transport control traffic transparently through the intermediate network to the other region.
VLAN Stacking with L2PT SPANNI NG TR Figure 41-14. INTE RN E E RE SPAN NIN G T no spanning-tree NETWORK EE EE TR ING TREE ANN SP PROVIDER w/ E C I RV SE BPDU w/ destination T MAC address: 01-01-e8-00-00-00 R1-E-Series R2 Non-Force10 System BPDU w/ destination MAC address: 01-80-C2-00-00-00 no spanning-tree Building B R3 Non-Force10 System BPDU w/ destination MAC address: 01-80-C2-00-00-00 Building A Implementation Information • • • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
www.dell.com | support.dell.com Enable Layer 2 Protocol Tunneling Step Task Command Syntax Command Mode 1 Verify that the system is running the default CAM profile; you must use this CAM profile for L2PT. show cam-profile EXEC Privilege 2 Enable protocol tunneling globally on the system. protocol-tunnel enable CONFIGURATION 3 Tunnel BPDUs the VLAN.
There are total 13 user-configurable FP blocks on the C-Series and S-Series. The default number of blocks for L2PT is 0; you must allocate at least one to enable BPDU rate-limiting. Step Task Command Syntax Command Mode 1 Create at least one FP group for L2PT. See CAM Allocation on page 261 for details on this command. cam-acl l2acl CONFIGURATION 2 Save the running-config to the startup-config. copy running-config startup-config EXEC Privilege 3 Reload the system.
www.dell.com | support.dell.com Provider Backbone Bridging through IEEE 802.1ad eliminates the need for tunneling BPDUs with L2PT and increases the reliability of provider bridge networks as the network core need only learn the MAC addresses of core switches, as opposed to all MAC addresses received from attached customer devices. 838 | Task Command Syntax Command Mode Use the Provider Bridge Group address as the destination MAC address in BPDUs.
42 sFlow Configuring sFlow is supported on platforms: • • • • • • • • ecsz Enable and Disable sFlow on page 841 sFlow Show Commands on page 842 Specify Collectors on page 844 Polling Intervals on page 844 Sampling Rate on page 844 Back-off Mechanism on page 846 sFlow on LAG ports on page 846 Extended sFlow on page 846 Overview FTOS supports sFlow version 5. sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic.
www.dell.com | support.dell.com Figure 42-1. sFlow Traffic Monitoring System sFlow Collector Switch/Router sFlow Datagrams sFlow Agent Poll Interface Counters Interface Counters Flow Samples Switch ASIC Implementation Information Dell Force10’s sFlow is designed so that the hardware sampling rate is per line card port-pipe and is decided based upon all the ports in that port-pipe.
• • • • • • • • • • FTOS exports all sFlow packets to the collector. A small sampling rate can equate to a large number of exported packets. A backoff mechanism will automatically be applied to reduce this amount. Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect. The dropEvent counter, in the sFlow packet, will always be zero.
www.dell.com | support.dell.com sFlow Show Commands FTOS includes the following sFlow display commands: • • • Show sFlow Globally on page 49 Show sFlow on an Interface on page 50 Show sFlow on a Line Card on page 50 Show sFlow Globally Use the following command to view sFlow statistics: Command Syntax show sflow Command Mode EXEC Purpose Display sFlow configuration information and statistics. Figure 42-2 is a sample output from the show sflow command: Figure 42-2.
Figure 42-3. Command Example: show sflow interface FTOS#show sflow interface gigabitethernet 1/16 Gi 1/16 Configured sampling rate :8192 Actual sampling rate :8192 Sub-sampling rate :2 Counter polling interval :15 Samples rcvd from h/w :33 Samples dropped for sub-sampling :6 The configuration, shown in Figure 42-2, is also displayed in the running configuration (Figure 42-4): Figure 42-4.
www.dell.com | support.dell.com Specify Collectors The sflow collector command allows identification of sFlow Collectors to which sFlow datagrams are forwarded. The user can specify up to two sFlow collectors. If two Collectors are specified, the samples are sent to both. Collection through Management interface is supported on platform: e.
The sflow sample-rate command, when issued in CONFIGURATION mode, changes the default sampling rate. By default, the sampling rate of an interface is set to the same value as the current global default sampling rate.If the value entered is not a correct power of 2, the command generates an error message with the previous and next power-of-2 value. Select one of these two number and re-enter the command. (For more information on values in power-of-2, see Sub-sampling on page 845.
www.dell.com | support.dell.com Back-off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until CPU condition is cleared. This is as per sFlow version 5 draft.
Figure 42-6. Confirming that Extended sFlow is Enabled FTOS#show sflow sFlow services are enabled Extended sFlow settings Global default sampling rate: 4096 show all 3 types are enabled Global default counter polling interval: 15 Global extended information enabled: gateway, router, switch 1 collectors configured Collector IP addr: 10.10.10.3, Agent IP addr: 10.10.0.
www.dell.com | support.dell.com Table 42-1. Extended Gateway Summary IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS static/connected/IGP static/connected/IGP — — Extended gateway data is not exported because there is no AS information. static/connected/IGP BGP 0 Exported src_as & src_peer_as are zero because there is no AS information for IGP. BGP static/connected/IGP — — Prior to FTOS version 7.8.1.0, extended gateway data is not be exported because IP DA is not learned via BGP.
43 Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is supported on platforms: ecsz Protocol Overview Network management stations use Simple Network Management Protocol (SNMP) to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a Management Information Base (MIB).
www.dell.com | support.dell.
View your SNMP configuration using the command show running-config snmp, from EXEC Privilege mode, as shown in Figure 43-1. Figure 43-1. Creating an SNMP Community FTOS#snmp-server community my-snmp-community ro 22:31:23: %RPM1-P:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
www.dell.com | support.dell.com Task Command Figure 43-4. Reading the Value of Many Managed Objects at Once > snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1 SNMPv2-MIB::sysDescr.0 = STRING: Dell Force10 Networks Real Time Operating System Software Dell Force10 Operating System Version: 1.0 Dell Force10 Application Software Version: E_MAIN4.7.6.350 Copyright (c) 1999-2007 by Dell Force10 Networks, Inc. Build Time: Mon May 12 14:02:22 PDT 2008 SNMPv2-MIB::sysObjectID.
To configure system contact and location information from the Dell Force10 system: Task Command Command Mode Identify the system manager along with this person’s contact information (e.g E-mail address or phone number). You may use up to 55 characters. Default: None snmp-server contact text CONFIGURATION Identify the physical location of the system. For example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1. You may use up to 55 characters.
www.dell.com | support.dell.com To configure the system to send SNMP notifications: Step Task Command Command Mode 1 Configure the Dell Force10 system send notifications to an SNMP server. snmp-server host ip-address CONFIGURATION 2 Specify which traps the Dell Force10 system sends to the trap receiver. • Enable all Dell Force10 enterpriseSpecific and RFC-defined traps using the command snmp-server enable traps from CONFIGURATION mode.
Table 43-2. Dell Force10 Enterprise-specific SNMP Traps Command Option Trap envmon CARD_SHUTDOWN: %sLine card %d down - %s CARD_DOWN: %sLine card %d down - %s LINECARDUP: %sLine card %d is up CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
www.dell.com | support.dell.com Table 43-2. Dell Force10 Enterprise-specific SNMP Traps Command Option Trap xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Address 0001.e801.fc35. Priority 32768, %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 11/38 transitioned from Forwarding to Blocking state. %SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0. %SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Gi 11/38 for instance 0. My Bridge ID: 40960:0001.
• Copy startup-config ftp://... /abc.txt Note: Where ‘ftp’ is indicated in the examples above, scp or TFTP can also be used. A copy performed by CLI or SNMP can be differentiated by the trap string printed at the SNMP host. The copyAlarmIndex sent to the host has a value of ‘-1’ for a copy done by CLI and a positive value when the copy is done by SNMP. The relevant MIBs for these functions are: Table 43-3.
www.dell.com | support.dell.com Table 43-3. MIB Objects for Copying Configuration Files via SNMP MIB Object OID Object Values Description copyUserName .1.3.6.1.4.1.6027.3.5.1.1.1.9 Username for the server. Username for the FTP, TFTP, or SCP server. • If the copyUserName is specified so must copyUserPassword. copyUserPassword .1.3.6.1.4.1.6027.3.5.1.1.1.10 Password for the server. Password for the FTP, TFTP, or SCP server.
Note: In UNIX, enter the command snmpset for help using this command. Place the file f10-copy-config.mib the directory from which you are executing the snmpset command or in the snmpset tool path. Table 43-4. Copying Configuration Files via SNMP Task Copy the running-config to the startup-config using the following command from the UNIX machine: snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 2 copyDestFileType.
www.dell.com | support.dell.com Table 43-4. Copying Configuration Files via SNMP (continued) Task • • server-ip-address must be preceded by the keyword a. values for copyUsername and copyUserPassword must be preceded by the keyword s. Figure 43-10. Copying Configuration Files via SNMP and FTP to a Remote Server > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.110 i 2 copyDestFileName.110 s /home/startup-config copyDestFileLocation.110 i 4 copyServerAddress.110 a 11.11.
Dell Force10 provides additional MIB Objects to view copy statistics. These are provided in Table 43-5. Table 43-5. MIB Objects for Copying Configuration Files via SNMP MIB Object OID Values Description copyState .1.3.6.1.4.1.6027.3.5.1.1.1.11 1= running 2 = successful 3 = failed Specifies the state of the copy operation. copyTimeStarted .1.3.6.1.4.1.6027.3.5.1.1.1.12 Time value Specifies the point in the up-time clock that the copy operation started. copyTimeCompleted .1.3.6.1.4.1.6027.3.5.
www.dell.com | support.dell.com Figure 43-13 shows the command syntax using MIB object names, and Figure 43-14 shows the same command using the object OIDs. In both cases, the object is followed by same index number used in the snmpset command. Figure 43-13. Obtaining MIB Object Values for a Copy Operation using Object-name Syntax > snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.110 FORCE10-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.
Figure 43-16. Assign a VLAN Alias using SNMP [Unix system output] > snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN" SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
www.dell.com | support.dell.com The table that the Dell Force10 system sends in response to the snmpget request is a table that contains hexadecimal (hex) pairs, each pair representing a group of eight ports. • • • On the E-Series, 12 hex pairs represents a line card. Twelve pairs accommodates the greatest currently available line card port density, 96 ports. On the C-Series, 28 hex pairs represents a line card.
The value 40 is in the first set of 7 hex pairs, indicating that these ports are in Stack Unit 0. The hex value 40 is 0100 0000 in binary. As described above, the left-most position in the string represents Port 1. The next position from the left represents Port 2 and has a value of 1, indicating that Port 0/2 is in VLAN 10. The remaining positions are 0, so those ports are not in the VLAN.
www.dell.com | support.dell.com Figure 43-21. Adding Tagged Ports to a VLAN using SNMP >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 x "40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00" .1.3.6.1.2.1.17.7.1.4.3.1.4.
In Figure 43-22, R1 has one dynamic MAC address, learned off of port GigabitEthernet 1/21, which a member of the default VLAN, VLAN 1. The SNMP walk returns the values for dot1dTpFdbAddress, dot1dTpFdbPort, and dot1dTpFdbStatus. Each object is comprised an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent.
www.dell.com | support.dell.com Figure 43-24. Fetching Dynamic MAC Addresses on the Default VLAN ------------------------MAC Addresses on Dell Force10 System------------------------------R1_E600(conf)#do show mac-address-table VlanId Mac Address Type Interface State 1000 00:01:e8:06:95:ac Dynamic Po 1 Active ------------------------------Query from Management Station------------------------------->snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.4.1.6027.3.2.1.1.5 SNMPv2-SMI::enterprises.6027.3.2.1.1.5.
• the next 1 bit is unused For example, the index 72925242 is 100010110001100000000111010 in binary. The binary interface index for GigabitEthernet 1/21 of a 48-port 10/100/1000Base-T line card with RJ-45 interface is shown in Figure 43-27. Notice that the physical/logical bit and the final, unused bit are not given. The interface is physical, so this must be represented by a 0 bit, and the unused bit is always 0.
www.dell.com | support.dell.
44 Storm Control ecsz Storm Control for Multicast is supported on platforms: c s z Storm Control is supported on platforms: The storm control feature enables you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. FTOS Behavior: On the E-Series, FTOS supports broadcast control for Layer 3 traffic only. To control Layer 2 broadcast traffic use the command storm-control unknown-unicast.
www.dell.com | support.dell.com • 872 The percentage of storm control is calculated based on the advertised rate of the line card, not by the speed setting. Configure storm control from CONFIGURATION mode Configure storm control from CONFIGURATION mode using the command storm control. From CONFIGURATION mode you can configure storm control for ingress and egress traffic. Do not apply per-VLAN QoS on an interface that has storm-control enabled (either on an interface or globally).
45 Spanning Tree Protocol (STP) Spanning Tree Protocol (STP) is supported on platforms: ecsz Protocol Overview Spanning Tree Protocol (STP) is a Layer 2 protocol—specified by IEEE 802.1d—that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and enables you to implement redundant paths, which can be activated upon the failure of active paths.
www.dell.com | support.dell.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that will participate in Spanning Tree must be in Layer 2 mode and enabled. Figure 45-1.
www.dell.com | support.dell.com Enabling Spanning Tree Protocol Globally Spanning Tree Protocol must be enabled globally; it is not enabled by default. To enable Spanning Tree globally for all Layer 2 interfaces: Step Task Command Syntax Command Mode 1 Enter the PROTOCOL SPANNING TREE mode. protocol spanning-tree 0 CONFIGURATION 2 Enable Spanning Tree.
Figure 45-4. Spanning Tree Enabled Globally root R1 R2 1/3 Forwarding 2/1 1/4 Blocking 2/2 1/1 1/2 3/1 3/2 3/3 3/4 R3 2/3 2/4 Port 290 (GigabitEthernet 2/4) is Blocking Port path cost 4, Port priority 8, Port Identifier 8.290 Designated root has priority 32768, address 0001.e80d.2462 Designated bridge has priority 32768, address 0001.e80d.2462 Designated port id is 8.
www.dell.com | support.dell.com Confirm that a port is participating in Spanning Tree using the show spanning-tree 0 brief command from EXEC privilege mode. Figure 45-6. show spanning-tree brief Command Example FTOS#show spanning-tree 0 brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e80d.2462 We are the root of the spanning tree Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e80d.
Modifying Global Parameters You can modify Spanning Tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in Spanning Tree. Note: Dell Force10 recommends that only experienced network administrators change the Spanning Tree parameters. Poorly planned modification of the Spanning Tree parameters can negatively impact network performance. Table 45-2 displays the default values for Spanning Tree. Table 45-2.
www.dell.com | support.dell.com View the current values for global parameters using the show spanning-tree 0 command from EXEC privilege mode. See Figure 45-5. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. • • Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port will be selected to be a forwarding port.
To enable PortFast on an interface: Task Command Syntax Command Mode Enable PortFast on an interface. spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] INTERFACE Verify that PortFast is enabled on a port using the show spanning-tree command from the EXEC privilege mode or the show config command from INTERFACE mode; Dell Force10 recommends using the show config command, as shown in Figure 45-7. Figure 45-7.
www.dell.com | support.dell.com Note: Note that unless the shutdown-on-violation option is enabled, spanning-tree only drops packets after a BPDU violation; the physical interface remains up, as shown below. FTOS(conf-if-gi-0/7)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e805.fb07 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e85d.
Figure 45-8. Enabling BPDU Guard FTOS(conf-if-gi-3/41)# spanning-tree 0 portfast bpduguard shutdown-on-violation FTOS(conf-if-gi-3/41)#show config ! interface GigabitEthernet 3/41 no ip address switchport spanning-tree 0 portfast bpduguard shutdown-on-violation no shutdown 3/41 Hub Switch with Spanning Tree Enabled FTOS Behavior: BPDU Guard and BPDU filtering (see Removing an Interface from the Spanning Tree Group on page 878) both block BPDUs, but are two separate features.
www.dell.com | support.dell.com View only the root information using the show spanning-tree root command (see Figure 45-9) from EXEC privilege mode. Figure 45-9. show spanning-tree root Command Example FTOS#show spanning-tree 0 root Root ID Priority 32768, Address 0001.e80d.
46 System Time and Date System Time and Date settings and NTP are supported on platforms: ecsz System times and dates can be set and maintained through the Network Time Protocol (NTP). They are also set through FTOS CLIs and hardware settings.
www.dell.com | support.dell.com NTP is designed to produce three products: clock offset, roundtrip delay, and dispersion, all of which are relative to a selected reference clock. • • • Clock offset represents the amount to adjust the local clock to bring it into correspondence with the reference clock. Roundtrip delay provides the capability to launch a message to arrive at the reference clock at a specified time. Dispersion represents the maximum error of the local clock relative to the reference clock.
Figure 46-1. NTP Fields Source Port (123) Destination Port (123) Length NTP Packet Payload Checksum Range: +32 to -32 Status Leap Indicator Code: 00: No Warning 01: +1 second 10: -1 second 11: reserved Type Precision Est. Error Est.
www.dell.com | support.dell.com Enable NTP NTP is disabled by default. To enable it, specify an NTP server to which the Dell Force10 system will synchronize. Enter the command multiple times to specify multiple servers. You may specify an unlimited number of servers at the expense of CPU resources. Task Command Command Mode Specify the NTP server to which the Dell Force10 system will synchronize.
Set the Hardware Clock with the Time Derived from NTP Task Command Command Mode Periodically update the system hardware clock with the time value derived from NTP. ntp update-calendar CONFIGURATION Figure 46-4.
www.dell.com | support.dell.com Configure a source IP address for NTP packets By default, the source address of NTP packets is the IP address of the interface used to reach the network. You can configure one interface’s IP address to be included in all NTP packets.
To configure NTP authentication, use these commands in the following sequence in the CONFIGURATION mode: Step Command Syntax Command Mode Purpose ntp authenticate CONFIGURATION Enable NTP authentication. 2 ntp authentication-key number md5 key CONFIGURATION Set an authentication key. Configure the following parameters: number: Range 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command. key: Enter a text string. This text string is encrypted.
www.dell.com | support.dell.com Command Syntax Command Mode Purpose ntp server ip-address [key keyid] [prefer] [version number] CONFIGURATION Configure an NTP server. Configure the IP address of a server and the following optional parameters: • key keyid: Configure a text string as the key exchanged between the NTP server and client. • prefer: Enter the keyword to set this NTP server as the preferred server. • version number: Enter a number 1 to 3 as the NTP version.
• • • • • • • • Root Delay (sys.rootdelay, peer.rootdelay, pkt.rootdelay): This is a signed fixed-point number indicating the total roundtrip delay to the primary reference source at the root of the synchronization subnet, in seconds. Note that this variable can take on both positive and negative values, depending on clock precision and skew. Root Dispersion (sys.rootdispersion, peer.rootdispersion, pkt.
www.dell.com | support.dell.com Set the time and date for the switch hardware clock Command Syntax Command Mode Purpose calendar set time month day year EXEC Privilege Set the hardware clock to the current time and date. time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format, for example, 17:15:00 is 5:15 pm. month: Enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. Command Syntax Command Mode Purpose clock set time month day year EXEC Privilege Set the system software clock to the current time and date. time: Enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format, for example, 17:15:00 is 5:15 pm. month: Enter the name of one of the 12 months in English.
www.dell.com | support.dell.com 896 Command Syntax Command Mode Purpose FTOS#conf FTOS(conf)#clock timezone Pacific -8 FTOS(conf)#01:40:19: %RPM0-P:CP %CLOCK-6-TIME CHANGE: Timezone configuration changed from "UTC 0 hrs 0 mins" to "Pacific -8 hrs 0 mins" FTOS# Set daylight saving time FTOS supports setting the system to daylight saving time once or on a recurring basis every year.
Set Daylight Saving Time Once Set a date (and time zone) on which to convert the switch to daylight saving time on a one-time basis. Command Syntax Command Mode Purpose clock summer-time time-zone date start-month start-day start-year start-time end-month end-day end-year end-time [offset] CONFIGURATION Set the clock to the appropriate timezone and daylight saving time. time-zone: Enter the three-letter name for the time zone. This name is displayed in the show clock output.
www.dell.com | support.dell.
Command Syntax Command Mode Purpose start-year: Enter a four-digit number as the year. Range: 1993 to 2035 start-time: Enter the time in hours:minutes. For the hour variable, use the 24-hour format, example, 17:15 is 5:15 pm. end-week: If you entered a start-week, Enter the one of the following as the week that daylight saving ends: • • • week-number: enter a number from 1-4 as the number of the week to end daylight saving time.
www.dell.com | support.dell.
47 Upgrade Procedures Find the upgrade procedures Go to the FTOS Release Notes for your system type to see all the requirements to upgrade to the desired FTOS version. Follow the procedures in the FTOS Release Notes for the software version you wish to upgrade to. Get Help with upgrades Direct any questions or concerns about FTOS Upgrade Procedures to Dell Force10’s Technical Support Center. You can reach Technical Support: • • • On the Web: www.force10networks.
902 | Upgrade Procedures www.dell.com | support.dell.
48 Virtual LANs (VLAN) Virtual LANs (VLAN) are supported on platforms: e c s z This section contains the following subsections: • • • • • Default VLAN Port-Based VLANs VLANs and Port Tagging Configuration Task List for VLANs Enable Null VLAN as the Default VLAN Virtual LANs, or VLANs, are a logical broadcast domain or logical grouping of interfaces in a LAN in which all data received is kept locally and broadcast to all members of the group.
www.dell.com | support.dell.com Table 48-1 displays the defaults for VLANs in FTOS. Table 48-1. VLAN Defaults on FTOS Feature Default Spanning Tree group ID All VLANs are part of Spanning Tree group 0 Mode Layer 2 (no IP address is assigned) Default VLAN ID VLAN 1 Default VLAN When interfaces are configured for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN.
Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, you must create another VLAN and place the interface into that VLAN. Alternatively, enter the no switchport command, and FTOS removes the interface from the Default VLAN. A tagged interface requires an additional step to remove it from Layer 2 mode. Since tagged interfaces can belong to multiple VLANs, you must remove the tagged interface from all VLANs, using the no tagged interface command.
www.dell.com | support.dell.com • • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). Tag Control Information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but 2 are reserved. Note: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1518 bytes specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.
Use the show vlan command (Figure 48-3) in the EXEC privilege mode to view the configured VLANs. Figure 48-3. show vlan Command Example FTOS#show vlan Codes: * - Default VLAN, G - GVRP VLANs * NUM 1 2 3 4 5 6 Status Inactive Active Active Active Active Active Q U U U T U U U Ports So 9/4-11 Gi 0/1,18 Gi 0/2,19 Gi 0/3,20 Po 1 Gi 0/12 So 9/0 FTOS# A VLAN is active only if the VLAN contains interfaces and those interfaces are operationally up.
www.dell.com | support.dell.com To tag frames leaving an interface in Layer 2 mode, you must assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use these commands in the following sequence: Step Command Syntax Command Mode Purpose 1 interface vlan vlan-id CONFIGURATION Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface. tagged interface INTERFACE Enable an interface to include the IEEE 802.1Q tag header.
Use the untagged command to move untagged interfaces from the Default VLAN to another VLAN: Step 1 2 Command Syntax Command Mode Purpose interface vlan vlan-id CONFIGURATION Access the INTERFACE VLAN mode of the VLAN to which you want to assign the interface. untagged interface INTERFACE Configure an interface as untagged. This command is available only in VLAN interfaces.
www.dell.com | support.dell.com Assign an IP address to a VLAN VLANs are a Layer 2 feature. For two physical interfaces on different VLANs to communicate, you must assign an IP address to the VLANs to route traffic between the two interfaces. The shutdown command in INTERFACE mode does not affect Layer 2 traffic on the interface; the shutdown command only prevents Layer 3 traffic from traversing over the interface. Note: An IP address cannot be assigned to the Default VLAN, which, by default, is VLAN 1.
Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. An untagged port must be connected to a VLAN-unaware station (one that does not understand VLAN tags), and a tagged port must be connected to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that a port can be connected to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
www.dell.com | support.dell.com 912 Enable Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured.
49 Virtual Link Trunking (VLT) Virtual Link Trunking (VLT) is supported on platforms z Overview Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of Spanning Tree protocols by allowing LAG terminations on two separate distribution or core switches, and by supporting a loop free topology. (A Spanning Tree protocol is still needed to prevent the initial loop that may occur prior to VLT being established.
www.dell.com | support.dell.com Figure 49-1. Virtual Link Trunking Out-of-Band Management Network Backup Link S4810 Backup Link S4810 Chassis VLT Domain Chassis Interconnect Trunk Virtual Link Trunk Switch or Server that supports LACP (802.1ad) VLT peer devices have independent management planes. A chassis interconnect trunk between the VLT chassis maintains synchronization of L2/L3 control planes across the two VLT peers. The chassis interconnect trunk uses 10GE or 40GE user ports on the chassis.
Enhanced VLT An enhanced VLT (eVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT Domain ID numbers, connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per eVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
www.dell.com | support.dell.com VLT domain - This domain includes both VLT peer devices, the VLT interconnect, and all of the port channels in the VLT connected to the attached devices. It is also associated to the configuration mode that must be used to assign VLT global parameters. VLT peer device - One of a pair of devices that are connected with the special port channel known as the VLT interconnect (VLTi).
Configuration Notes When you configure VLT, the following conditions apply: • • VLT domain: • A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel. • A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices. The domain ID can be from 1 to 1000.
www.dell.com | support.dell.com • • • • • • • • The VLT interconnect is used for data traffic only when there is a link failure that requires the VLTi to be used in order for data packets to reach their final destination. Unknown, multicast and broadcast traffic can be flooded across the VLT interconnect. MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes.
• • The chassis backup link does not carry control plane information or data traffic. Its use is restricted to health checks only. Virtual link trunks (VLTs) between access devices and VLT peer switches: • To connect servers and access switches with VLT peer switches, you use a VLT port channel (see Figure 49-1). Up to 48 port-channels are supported; up to 8 member links are supported in each port channel between the VLT domain and an access device.
www.dell.com | support.dell.com • • • • • 920 | All system management protocols are supported on VLT ports, including SNMP, RMON, AAA, ACL, DNS, FTP, SSH, Syslog, NTP, RADIUS, SCP, TACACS+, Telnet, and LLDP. • Layer 3 VLAN connectivity VLT peers is enabled by configuring a VLAN network interface for the same VLAN on both switches. • IGMP snooping is supported over VLT ports. The multicast forwarding state is synchronized on both VLT peer switches.
• • the network. In either case, upon recovery of the peer link or reestablishment of message forwarding across the interconnect trunk, the two VLT peers resynchronize any MAC addresses learned while communication was interrupted, and the VLT system continues normal data forwarding. If the primary chassis is rebooted, the secondary chassis takes on the operational role of the primary. When operation of the original, primary chassis is restored, it takes on the operational role of the secondary chassis.
www.dell.com | support.dell.com When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (Message 2) and an SNMP trap. Message 2 Excessive VLTi Bandwidth Usage Drops Below Threshold Value Error %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (port-channel 25) reaches below threshold.
PIM-Sparse Mode Support on VLT The Designated Router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. The VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes will be elected as the PIM Designated Router.
www.dell.com | support.dell.com If the VLT node elected as the designated router fails, traffic loss will occur until another VLT node is elected the designated router. RSTP Configuration The RSTP Spanning Tree protocol is supported in a VLT domain. Before you configure VLT on peer switches, you must configure the Rapid Spanning Tree Protocol (RSTP) in the network if it will be included in your configuration. RSTP is required for initial loop prevention during the VLT startup phase.
Sample RSTP Configuration Using Figure 49-1 as a sample VLT topology, the primary VLT switch will send BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
www.dell.com | support.dell.com 4. (Optional) Manually reconfigure default VLT settings, such as MAC address and VLT primary/ secondary roles. 5. Connect the peer switches in a VLT domain to an attached access device (switch or server). Configure a VLT interconnect Step 1 Task Command Syntax Command Mode Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
Use the delay-restore command at any time to set an amount of time, in seconds, to delay the system from restoring the VLT port. Refer to VLT Port Delayed Restoration for more information. Configure a VLT port delay period Step Task Command Syntax Command Mode 1 Enter VLT-domain configuration mode for a specified VLT domain. Range of domain IDs: 1 to 1000.
www.dell.com | support.dell.com (Optional) Reconfigure default VLT settings Step 4 Task Command Syntax Command Mode (Optional) When you create a VLT domain on a switch, the FTOS software automatically assigns a unique unit ID (0 or 1) to each peer switch. The unit IDs are used for internal system operations. Use the unit-id command to explicitly configure the default values on each peer switch. You must configure a different unit ID (0 or 1) on each peer switch.
Use the peer-down-vlan parameter to configure the VLAN where a VLT peer will forward received packets over the VLTi from an adjacent VLT peer that is down. When a VLT peer with BMP reboots, untagged DHCP discover packets are sent to the peer over the VLTi. Using this configuration ensures the DHCP discover packets are forwarded to the VLAN that has the DHCP server.
www.dell.com | support.dell.com (Optional) Configure Enhanced VLT (eVLT) Step Task Command Syntax Command Mode 5 Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. You can optionally specify the time interval used to send hello messages. Range: 1 to 5 seconds.
(Optional) Configure Enhanced VLT (eVLT) Step 11 Task Command Syntax Command Mode Ensure that the port channel is active. no shutdown INTERFACE PORT-CHANNEL interface range CONFIGURATION Add links to the eVLT port. 12 Configure a range of interfaces to bulk configure. {port-channel id} 13 Enable LACP on the LAN port. port-channel-protocol lacp INTERFACE 14 Configure the LACP port channel mode. port-channel number mode [active] INTERFACE 15 Ensure that the interface is active.
www.dell.com | support.dell.com Task Command Syntax Command Mode 5. show interfaces interface EXEC EXEC Privilege Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 1. Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit. 6. Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. show running-config entity EXEC Privilege 7.
Configure the backup link between the VLT peer units. 1. 2. Configure the peer 2 management ip/ interface ip for which connectivity is present in VLT peer 1. Configure the peer 1 management ip/ interface ip for which connectivity is present in VLT peer 2. s4810-2#show running-config vlt ! vlt domain 5 peer-link port-channel 1 back-up destination 10.11.206.58 s4810-2# s4810-2#show interfaces managementethernet 0/0 Internet address is 10.11.206.
www.dell.com | support.dell.
FTOS(conf)#show vlt brief VLT Domain Brief -----------------Domain ID: Role: Role Priority: ICL Link Status: HeartBeat Status: VLT Peer Status: Version: Local System MAC address: Remote System MAC address: Remote system version: Delay-Restore timer: 10 Primary 32768 Up Not Established Up 5(1) 00:01:e8:8b:14:3c 00:01:e8:8b:15:20 5 (1) 90 seconds FTOS#FTOS(conf-if-vl-100)#show vlt detail Local LAG Id Peer LAG Id Local Status Peer Status ------------ ----------- ------------ -----------10 10 UP UP Active VL
www.dell.com | support.dell.com eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example there are two domains being configured. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4 as shown below. In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Domain_1_Peer1(conf-if-range-te-0/16-17)#no shutdown Next, configure the VLT domain and VLTi on Peer 2: Domain_1_Peer2#configure Domain_1_Peer2(conf)#interface port-channel 1 Domain_1_Peer2(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9 Domain_1_Peer2#no shutdown Domain_1_Peer2(conf)#vlt domain 200 Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1 Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.
www.dell.com | support.dell.com Domain_2_Peer4(conf)#vlt domain 200 Domain_2_Peer4(conf-vlt-domain)#peer-link port-channel 1 Domain_2_Peer4(conf-vlt-domain)#back-up destination 10.18.130.
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, enter any of the following show commands on the primary and secondary VLT switches: Show Command Syntax Description show vlt backup-link Command Mode: EXEC Displays information on backup link operation (see Figure 49-4). show vlt brief Command Mode: EXEC Displays general status information about VLT domains currently configured on the switch (see Figure 49-5).
www.dell.com | support.dell.com Destination: Peer HeartBeat status: HeartBeat Timer Interval: HeartBeat Timeout: UDP Port: HeartBeat Messages Sent: HeartBeat Messages Received: 10.11.200.20 Up 1 3 34998 1030 1014 Figure 49-5.
Figure 49-8. show running-config vlt Command Output on VLT peer switches FTOS#VLTpeer1#show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.18 FTOS#VLTpeer2#show running-config vlt ! vlt domain 30 peer-link port-channel 60 back-up destination 10.11.200.20 Figure 49-9.
www.dell.com | support.dell.com Figure 49-10. Configuring Virtual Link Trunking (VLT Peer 1) FTOS_VLTpeer1(conf)#vlt domain 999 FTOS_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100 FTOS_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35 FTOS_VLTpeer1(conf-vlt-domain)#exit Enable VLT and create a VLT domain with a backup-link and interconnect (VLTi) FTOS_VLTpeer1(conf)#interface ManagementEthernet 0/0 FTOS_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Figure 49-11. Configuring Virtual Link Trunking (VLT Peer 2) FTOS_VLTpeer2(conf)#vlt domain 999 FTOS_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100 FTOS_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23 FTOS_VLTpeer2(conf-vlt-domain)#exit Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi) FTOS_VLTpeer2(conf)#interface ManagementEthernet 0/0 FTOS_VLTpeer2(conf-if-ma-0/0)#ip address 10.11.206.
www.dell.com | support.dell.com Troubleshooting VLT Use the following information to help troubleshoot different VLT issues that may occur. Note: For information on VLT failure mode timing and its impact, contact your Dell Force10 representative. Description | Behavior During Run Time Action to Take Bandwidth monitoring A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
Description Behavior at Peer Up Behavior During Run Time Action to Take Unit ID mismatch The VLT peer does not boot up. The VLTi is forced to a down state. The VLT domain will not be formed. The VLTi will be in a down state. A syslog error message is generated. The VLT peer does not boot up. The VLTi is forced to a down state. A syslog error message is generated. Verify the unit ID is correct on both VLT peers. Unit ID numbers must be sequential on peer units; i.e.
www.dell.com | support.dell.
50 Virtual Router Redundancy Protocol (VRRP) Virtual Router Redundancy Protocol (VRRP) is supported on platforms: ec sz . This chapter covers the following information: • • • • • VRRP Overview VRRP Benefits VRRP Implementation VRRP Configuration Sample Configurations VRRP Overview Virtual Router Redundancy Protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a LAN.
www.dell.com | support.dell.com In Figure 50-1 below, Router A is configured as the MASTER router. It is configured with the IP address of the virtual router and sends any packets addressed to the virtual router through interface GigabitEthernet 1/1 to the Internet. As the BACKUP router, Router B is also configured with the IP address of the virtual router. If for any reason Router A becomes unavailable, VRRP elects a new MASTER Router. Router B assumes the duties of Router A and becomes the MASTER router.
VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and they are not dependent on IGP protocols to converge or update routing tables. VRRP Implementation E-Series supports an unlimited total number of VRRP groups on the router while supporting up to 255 VRRP groups on a single interface (Table 50-1).
www.dell.com | support.dell.com Table 50-1.
Create a Virtual Router To enable VRRP, you must create a Virtual Router. In FTOS, a VRRP Group is identified by the Virtual Router Identifier (VRID). To enable a Virtual Router, use the following command in the INTERFACE mode. To delete a VRRP group, use the no vrrp-group vrid command in the INTERFACE mode. Task Command Syntax Command Mode Create a virtual router for that interface with a VRID.
www.dell.com | support.dell.com Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP Group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group. E-Series supports an unlimited total number of VRRP Groups on the router while supporting up to 255 VRRP groups on a single interface (Table 50-1).
Step 2 Task Command Syntax Command Mode Configure virtual IP addresses for this VRID. virtual-address ip-address1 [...ip-address12] Range: up to 12 addresses INTERFACE -VRID Figure 50-4. Command Example: virtual-address FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1 FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2 FTOS(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.3 FTOS(conf-if-gi-1/1-vrid-111)# Figure 50-5.
www.dell.com | support.dell.com Figure 50-6. Command Example Display: show vrrp Same VRRP Group (VRID) FTOS#do show vrrp -----------------GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 1768, Gratuitous ARP sent: 5 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.
Configure the VRRP Group’s priority with the following command in the VRRP mode: Task Command Syntax Command Mode Configure the priority for the VRRP group. INTERFACE -VRID priority priority Range: 1-255 Default: 100 Figure 50-7. Command Example: priority in Interface VRRP mode FTOS(conf-if-gi-1/2)#vrrp-group 111 FTOS(conf-if-gi-1/2-vrid-111)#priority 125 Figure 50-8. Command Example Display: show vrrp FTOS#show vrrp -----------------GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.
www.dell.com | support.dell.com Configure simple authentication with the following command in the VRRP mode: Task Command Syntax Command Mode Configure a simple text password. authentication-type simple [encryption-type] password INTERFACE-VRID Parameters: encryption-type: 0 indicates unencrypted; 7 indicates encrypted password: plain text Figure 50-9.
Since preempt is enabled by default, disable the preempt function with the following command in the VRRP mode. Re-enable preempt by entering the preempt command. When preempt is enabled, it does not display in the show commands, because it is a default setting., Task Command Syntax Command Mode Prevent any BACKUP router with a higher priority from becoming the MASTER router. no preempt INTERFACE-VRID Figure 50-11.
www.dell.com | support.dell.com Figure 50-13. Command Example: advertise-interval FTOS(conf-if-gi-1/1)#vrrp-group 111 FTOS(conf-if-gi-1/1-vrid-111)#advertise-interval 10 FTOS(conf-if-gi-1/1-vrid-111)# Figure 50-14. Command Example Display: advertise-interval in VRID mode FTOS(conf-if-gi-1/1-vrid-111)#show conf ! vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.
Figure 50-15. Command Example: track FTOS(conf-if-gi-1/1)#vrrp-group 111 FTOS(conf-if-gi-1/1-vrid-111)#track gigabitethernet 1/2 FTOS(conf-if-gi-1/1-vrid-111)# Figure 50-16. Command Example Display: track in VRID mode FTOS(conf-if-gi-1/1-vrid-111)#show conf ! vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 track GigabitEthernet 1/2 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.
www.dell.com | support.dell.com Task Command Syntax Command Mode Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP. This is the gap between system boot up completion and VRRP enabling. vrrp delay reload seconds Seconds range: 0-900 Default: 0 INTERFACE Sample Configurations The following configurations are examples for enabling VRRP. These are not comprehensive directions. They are intended to give you a some guidance with typical configurations.
Figure 50-17. Configure VRRP Router 2 R2(conf)#int gi 2/31 R2(conf-if-gi-2/31)#ip address 10.1.1.3/24 R2(conf-if-gi-2/31)#no shut R2(conf-if-gi-2/31)#vrrp-group 99 R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-gi-2/31-vrid-99)#no shut R2(conf-if-gi-2/31)#show conf ! interface GigabitEthernet 2/31 ip address 10.1.1.1/24 ! vrrp-group 99 virtual-address 10.1.1.3 no shutdown R2(conf-if-gi-2/31)#end R2#show vrrp -----------------GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.
www.dell.com | support.dell.com Figure 50-18. VRRP Topography Illustration State Master: R2 was the first interface configured with VRRP Virtual MAC is automatically assigned and is the same on both Routers State Backup: R3 was the second interface configured with VRRP R2#show vrrp -----------------GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.3 10.1.1.1 State: Master, Priority: 100, Master: 10.1.1.3 10.1.1.
51 Standards Compliance This appendix contains the following sections: • • • IEEE Compliance RFC and I-D Compliance MIB Location Note: Unless noted, when a standard cited here is listed as supported by FTOS, FTOS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click on “Browse and search IETF documents”, enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
www.dell.com | support.dell.com • • • Force10 — PVST+ SFF-8431 — SFP+ Direct Attach Cable (10GSFP+Cu) MTU — 9,252 bytes RFC and I-D Compliance The following standards are supported by FTOS, and are grouped by related protocol. The columns showing support by platform indicate which version of FTOS first supports the standard. Note: Checkmarks () in the E-Series column indicate that FTOS support was added before FTOS version 7.5.1.
General IPv4 Protocols FTOS support, per platform RFC# Full Name s c et ex z 791 Internet Protocol 7.6.1 7.5.1 8.1.1 792 Internet Control Message Protocol 7.6.1 7.5.1 8.1.1 826 An Ethernet Address Resolution Protocol 7.6.1 7.5.1 8.1.1 1027 Using ARP to Implement Transparent Subnet Gateways 7.6.1 7.5.1 8.1.1 1035 Domain N ames- Implementation and Specification (client) 7.6.1 7.5.1 8.1.
www.dell.com | support.dell.com General IPv6 Protocols 2460 Internet Protocol, Version 6 (IPv6) Specification 7.8.1 7.8.1 8.2.1 2461 (Partial) Neighbor Discovery for IP Version 6 (IPv6) 7.8.1 7.8.1 8.2.1 2462 (Partial) IPv6 Stateless Address Autoconfiguration 7.8.1 7.8.1 8.2.1 2463 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification 7.8.1 7.8.1 8.2.1 2464 Transmission of IPv6 Packets over Ethernet Networks 7.8.1 7.8.1 8.
Border Gateway Protocol (BGP) draft-ietf-idr A Border Gateway Protocol 4 (BGP-4) -bgp4-20 7.8.1 7.7.1 8.1.1 draft-ietf-idr -restart-06 7.8.1 7.7.1 8.1.1 Graceful Restart Mechanism for BGP Open Shortest Path First (OSPF) FTOS support, per platform RFC# Full Name s c et ex z 1587 The OSPF Not-So-Stubby Area (NSSA) Option 7.6.1 7.5.1 8.1.1 2154 OSPF with Digital Signatures 7.6.1 7.5.1 8.1.1 2328 OSPF Version 2 7.6.1 7.5.1 8.1.1 2370 The OSPF Opaque LSA Option 7.6.
www.dell.com | support.dell.com Intermediate System to Intermediate System (IS-IS) 5306 Restart Signaling for IS-IS draft-ietf-isis Point-to-point operation over LAN in link-state routing -igp-p2p-ove protocols r-lan-06 draft-ietf-isis Routing IPv6 with IS-IS -ipv6-06 draft-kaplan- Extended Ethernet Frame Size Support isis-ext-eth02 8.3.1 8.3.1 8.1.1 7.5.1 8.2.1 8.1.
Multiprotocol Label Switching (MPLS) 5036 LDP Specification 8.3.1 5063 Extensions to GMPLS Resource Reservation Protocol (RSVP) Graceful Restart 8.3.1 Multicast FTOS support, per platform RFC# Full Name s c et ex z 1112 Host Extensions for IP Multicasting 7.8.1 7.7.1 8.1.1 2236 Internet Group Management Protocol, Version 2 7.8.1 7.7.1 8.1.1 2710 Multicast Listener Discovery (MLD) for IPv6 8.2.
www.dell.com | support.dell.com 970 Network Management FTOS support, per platform | s c et ex z Structure and Identification of Management Information for TCP/IP-based Internets 7.6.1 7.5.1 8.1.1 1156 Management Information Base for Network Management of TCP/IP-based internets 7.6.1 7.5.1 8.1.1 1157 A Simple Network Management Protocol (SNMP) 7.6.1 7.5.1 8.1.1 1212 Concise MIB Definitions 7.6.1 7.5.1 8.1.1 1215 A Convention for Defining Traps for use with the SNMP 7.6.
Network Management (continued) FTOS support, per platform s c et ex z Coexistence Between Version 1, Version 2, and Version 3 of the Internet-standard Network Management Framework 7.6.1 7.5.1 8.1.1 2578 Structure of Management Information Version 2 (SMIv2) 7.6.1 7.5.1 8.1.1 2579 Textual Conventions for SMIv2 7.6.1 7.5.1 8.1.1 2580 Conformance Statements for SMIv2 7.6.1 7.5.1 8.1.
www.dell.com | support.dell.com Network Management (continued) FTOS support, per platform RFC# Full Name s c et ex z 5060 Protocol Independent Multicast MIB 7.8.1 7.8.1 7.7.1 8.1.1 ANSI/ TIA-1057 The LLDP Management Information Base extension module for TIA-TR41.4 Media Endpoint Discovery information 7.7.1 7.6.1 7.6.1 8.1.1 draft-grant-t acacs-02 The TACACS+ Protocol 7.6.1 7.5.1 8.1.1 7.8.1 7.7.1 8.1.1 8.1.
Network Management (continued) FTOS support, per platform RFC# Full Name s FORCE10-C Dell Force10 C-Series Enterprise Chassis MIB S-CHASSIS -MIB c et ex z 7.5.1 FORCE10-I Dell Force10Enterprise IF Extension MIB (extends the F-EXTENSI Interfaces portion of the MIB-2 (RFC 1213) by ON-MIB providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) 7.6.1 7.6.1 7.6.1 8.1.1 FORCE10-L Dell Force10 Enterprise Link Aggregation MIB INKAGG-M IB 7.6.1 7.5.1 8.1.1 8.
www.dell.com | support.dell.com MIB Location Dell Force10 MIBs are under the Force10 MIBs subhead on the Documentation page of iSupport: https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx You also can obtain a list of selected MIBs and their OIDs at the following URL: https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/Support/AccountRequest.
Index Numerics 10/100/1000 Base-T Ethernet line card, auto negotiation 409 100/1000 Ethernet interfaces port channels 382 4-Byte AS Numbers 170 802.1AB 963 802.1D 963 802.1p 963 802.1p/Q 963 802.1Q 963 802.1s 963 802.1w 963 802.1X 963 802.3ab 963 802.3ac 963 802.3ad 963 802.3ae 963 802.3af 963 802.3ak 963 802.3i 963 802.3u 963 802.3x 963 802.
www.dell.com | support.dell.
forward delay 772, 879 FRRP 337 FRRP Master Node 337 FRRP Transit Node 337 FTOS 623 FTP 58 configuring client parameters 60 configuring server parameters 59 enabling server 59 using VLANs 58 G GARP VLAN Registration Protocol (GVRP) grep option 33 grep pipe option 702 GVRP (GARP VLAN Registration Protocol) 351 351 H Hash algorithm 392 hash algorithm, LAG 384, 387, 389 hashing algorithms for flows and fragments hello time 772, 879 host port 696 Hot Lock ACL 86 Hybrid ports 908 hybrid ports 911 389 I I-D
www.dell.com | support.dell.
M MAC hashing scheme 392 management interface 374 accessing 378 configuring a management interface 377 configuring IP address 378 definition 376 IP address consideration 378 management interface, switch 373 max age 772, 879 MBGP 220 Member VLAN (FRRP) 339 MIB Location 974 minimum oper up links in a port channel 388 mirror, port 687 monitor interfaces 397 MSDP 559 MT IS-IS 485 MT IS-IS TLVs 487 MTU configuring MTU values for Port Channels 407 configuring MTU values for VLANs 407 definition 404 IP MTU configu
www.dell.com | support.dell.
setting route metrics 751 summarizing routes 751 timer values 744 version 1 description 743 version default on interfaces 744 RIP routes, maximum 744 RIPv1 743 RIPv2 744 root bridge 771, 879 route maps configuring match commands 115 configuring set commands 116 creating 112 creating multiple instances 113 default action 112 definition 111 deleting 113, 114 implementation 111 implicit deny 111 redistributing routes 117 tagging routes 118 RSA 804 S SCP 801, 802 SCP/SSH server 802 searching show commands 34 d
www.dell.com | support.dell.com Trace list 808 Trace lists configuring a trace list 809 configuring filter without sequence number configuring trace list for TCP 809 configuring trace list for UDP 810 trunk port 696 TTL 551 ports 811 U user level definition 786 user name configuring user name 787 username command 788 V virtual IP addresses 952 Virtual LANs. See VLAN. Virtual Router Identifier. See VRID. Virtual Router Redundancy Protocol. See VRRP.