Dell Networking Configuration Guide for the MXL 10/40GbE Switch I/O Module 9.5(0.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
Copyright © 2014 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
1 About this Guide
This guide describes the supported protocols and software features, and provides configuration instructions and examples, for the Dell Networking MXL 10/40GbE Switch IO Module. The MXL 10/40GbE Switch IO Module is installed in a Dell PowerEdge M1000e Enclosure. For information about how to install and perform the initial switch configuration, refer to the Getting Started Guides on the Dell Support website at http://support.dell.com/manuals.
* (Exception). This symbol is a note associated with additional text on the page that is marked with an asterisk.
2 Configuration Fundamentals
The Dell Networking operating system command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. In the Dell Networking OS, after you enable a command, it is entered into the running configuration file.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.
CLI Command Mode        Prompt                          Access Command
EXTENDED ACCESS-LIST    Dell(config-ext-nacl)#          ip access-list extended (IP ACCESS-LIST Modes)
IP COMMUNITY-LIST       Dell(config-communitylist)#     ip community-list
AUXILIARY               Dell(config-line-aux)#          line (LINE Modes)
CONSOLE                 Dell(config-line-console)#      line (LINE Modes)
VIRTUAL TERMINAL        Dell(config-line-vty)#          line (LINE Modes)
STANDARD ACCESS-LIST    Dell(config-std-macl)#          mac access-list standard (MAC ACCESS-LIST Modes)
EXTENDED ACCESS-LIST    Dell(config-ext-macl)
CLI Command Mode        Prompt                                          Access Command
CONTROL-PLANE           Dell(conf-control-cpuqos)#                      control-plane-cpuqos
DCB POLICY              Dell(conf-dcb-in)# (for input policy)           dcb-input for input policy
                        Dell(conf-dcb-out)# (for output policy)         dcb-output for output policy
DHCP                    Dell(config-dhcp)#                              ip dhcp server
DHCP POOL               Dell(config-dhcp-poolname)#                     pool (DHCP Mode)
ECMP                    Dell(conf-ecmp-groupecmp-group-id)#             ecmp-group
EIS                     Dell(conf-mgmt-eis)#                            management egress-interface-selection
FRRP                    Dell(conf-frrp-ring-id)#                        protoco
CLI Command Mode        Prompt                                          Access Command
                                                                        during a system boot: Hit any key to stop autoboot:
UPLINK STATE GROUP      Dell(conf-uplink-stategroup-groupID)#           uplink-state-group
The following example shows how to change the command mode from CONFIGURATION mode to PROTOCOL SPANNING TREE.
Example of Changing Command Modes
Dell(conf)#protocol spanning-tree 0
Dell(config-span)#
The do Command
You can enter an EXEC mode command from any CONFIGURATION mode (CONFIGURATION, INTERFACE, SPANNING TREE, and so on.
Example of Viewing Disabled Commands
Dell(conf)#interface gigabitethernet 4/17
Dell(conf-if-gi-4/17)#ip address 192.168.10.1/24
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 ip address 192.168.10.1/24
 no shutdown
Dell(conf-if-gi-4/17)#no ip address
Dell(conf-if-gi-4/17)#show config
!
interface GigabitEthernet 4/17
 no ip address
 no shutdown
Layer 2 protocols are disabled by default. To enable Layer 2 protocols, use the no disable command.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
• The UP and DOWN arrow keys display previously entered commands (refer to Command History).
• The BACKSPACE and DELETE keys erase the previous letter.
• Key combinations are available to move quickly across the command line. The following list describes these short-cut key combinations.
Filtering show Command Outputs
Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering, and it is case sensitive unless you use the ignore-case sub-option. Starting with the Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to be case-insensitive.
Dell(conf)#do show stack-unit all stack-ports all pfc details | find 0
stack unit 0 stack-port all
 Admin mode is On
 Admin is enabled
 Local is enabled
 Link Delay 45556 pause quantum
 0 Pause Tx pkts, 0 Pause Rx pkts
stack unit 1 stack-port all
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the route processor module (RPM), switch fabric module (SFM), and line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking operating system. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
Console Access
The MXL 10/40GbE Switch IO Module has two management ports available for system access: a serial console port and an out-of-band (OOB) port.
Serial Console
A universal serial bus (USB) (A-Type) connector is located at the front panel. The USB can be defined as an External Serial Console (RS-232) port, and is labeled on the MXL 10/40GbE Switch IO Module chassis. The USB is present on the lower side, as you face the I/O side of the chassis, as shown.
External Serial Port with a USB Connector
The following table lists the pin assignments.
Table 2. Pin Assignments
USB Pin Number   Signal Name
Pin 1            RTS
Pin 2            RX
Pin 3            TX
Pin 4            CTS
Pin 5, 6         GND
RxD              Chassis GND
Accessing the CLI Interface and Running Scripts Using SSH
In addition to the capability to access a device using a console connection or a Telnet session, you can also use SSH for secure, protected communication with the device.
Remember the following points when you establish an SSH session to the device to run commands or script files:
• There is an upper limit of 10 concurrent sessions in SSH. Therefore, you might expect a failure in executing SSH-related scripts.
• To avoid denial of service (DoS) attacks, SSH enforces a rate limit of 10 concurrent sessions per minute. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed.
Modifying Default Flash Address map..Done
Initialized eMMC Host Controller
Detected SD Card
BLC is 1 (preset 10)
Hit any key to stop autoboot: 0
Boot Image selection
Reading the Boot Block Info...Passed !!
Images are OK A:0x0 B:0x0
Boot Selector set to Bootflash Partition A image...
Verifying Copyright Information..success for Image - 0
Boot Selector: Booting Bootflash Partition A image...
Copying stage-2 loader from 0xb6120000 to 0x8c100000(size = 0x100000)
Boot Image selection DONE.
configurations to occur like jumbo frames on all ports and no storm control and spanning tree port-fast on the port of detection
00:00:42: %STKUNIT0-M:CP %SEC-5-LOGIN_SUCCESS: Login successful for user on line console
Dell>en
Password:
Default Configuration
A version of the Dell Networking OS is pre-loaded onto the chassis; however, the system is not configured when you power up for the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.
Accessing the System Remotely
You can configure the system so that you can access it remotely by Telnet or SSH. The MXL 10/40GbE switch IO module has a dedicated management port and a management routing table that is separate from the IP routing table.
Accessing the MXL Switch Remotely
Configuring the system for Telnet is a three-step process, as described in the following topics:
1. Configure an IP address for the management port. Configure the Management Port IP Address
2.
– mask: a subnet mask in /prefix-length format (/xx).
– gateway: the next hop for network traffic originating from the management port.
Configuring a Username and Password
To access the system remotely, configure a system username and password. To configure a system username and password, use the following command.
• Configure a username and password to access the system remotely.
Configuration File Management
Files can be stored on and accessed from various storage media. Rename, delete, and copy files on the system from EXEC Privilege mode.
NOTE: Using flash memory cards in the system that have not been approved by Dell Networking can cause unexpected system behavior, including a reboot.
Copy Files to and from the System
The command syntax for copying files is similar to UNIX. The copy command uses the format copy source-file-url destination-file-url.
NOTE: If all of the following conditions are true, the Portmode Hybrid configuration is not applied, because of the configuration process for server ports as switch ports by default:
• The running configuration is saved in flash.
• The startup configuration is deleted.
• The switch is reloaded.
• The saved configuration is copied to the running configuration.
copy running-config tftp://{hostip | hostname}/filepath/filename
• Save the running-configuration to an SCP server.
EXEC Privilege mode
copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, you can only use a host name if you have configured a DNS server.
• Save the running-configuration to the startup-configuration on the internal flash of the primary RPM. Then copy the new startup-config file to the external flash of the primary RPM.
Example of the dir Command
The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
EXEC Privilege mode
show file-systems
The output of the show file-systems command in the following example shows the total capacity, amount of free memory, file structure, media type, and read/write privileges for each storage device in use.
[5/18 21:58:48]: CMD-(TEL0):[configure]by admin from vty0 (10.11.68.5) - Repeated 1 time.
[5/18 21:58:57]: CMD-(TEL0):[interface port-channel 1]by admin from vty0 (10.11.68.5)
[5/18 21:59:9]: CMD-(TEL0):[show config]by admin from vty0 (10.11.68.5)
[5/18 22:4:32]: CMD-(TEL0):[exit]by admin from vty0 (10.11.68.5)
[5/18 22:4:41]: CMD-(TEL0):[show interfaces port-channel brief]by admin from vty0 (10.11.68.5)
Using HTTP for File Transfers
Starting with Release 9.3(0.
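For reviewing who changed what, the command-history entries shown above can be parsed offline. The following is an added example, not part of the Dell guide: it parses that entry format (including non-zero-padded times and the "Repeated N time" suffix), keeps unparseable lines visible, and separates configuration-changing commands from read-only ones. Treating the TEL session tag as a Telnet session and the read-only command list are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass, replace
from typing import Optional

# Entry layout taken from the sample output above:
# [M/D H:M:S]: CMD-(SESSION):[command]by USER from LINE (SOURCE) - Repeated N time.
ENTRY_RE = re.compile(
    r"\[(\d{1,2})/(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})\]: "
    r"CMD-\((?P<session>[A-Z]+\d+)\):"
    r"\[(?P<command>.*?)\]by (?P<user>\S+) from (?P<line>\S+)"
    r"(?: \((?P<source>[^)]+)\))?"
    r"(?:\s+- Repeated (?P<repeat>\d+) times?\.)?"
)
# The repeat marker may also arrive on a continuation line of its own.
REPEAT_RE = re.compile(r"- Repeated (\d+) times?\.")


@dataclass(frozen=True)
class Entry:
    timestamp: str          # zero-padded "MM/DD HH:MM:SS"; the log carries no year
    session: str            # e.g. "TEL0"
    command: str
    user: str
    line: str               # terminal line, e.g. "vty0"
    source: Optional[str]   # remote address, absent for local lines
    repeated: int = 0


def parse_entry(text):
    """Return an Entry, or None when the line does not match the format."""
    m = ENTRY_RE.fullmatch(text.strip())
    if m is None:
        return None
    stamp = "{:02d}/{:02d} {:02d}:{:02d}:{:02d}".format(*map(int, m.group(1, 2, 3, 4, 5)))
    return Entry(stamp, m["session"], m["command"].strip(), m["user"],
                 m["line"], m["source"], int(m["repeat"] or 0))


def is_read_only(command):
    # Assumption for this example: only show/exit/end are treated as read-only.
    return command in ("exit", "end") or command.startswith(("show ", "do show "))


def review(lines):
    """Parse history lines and group them for a change review."""
    entries, unparsed = [], []
    for text in lines:
        stripped = text.strip()
        if not stripped:
            continue
        cont = REPEAT_RE.fullmatch(stripped)
        if cont and entries:
            entries[-1] = replace(entries[-1], repeated=int(cont.group(1)))
            continue
        entry = parse_entry(stripped)
        if entry is None:
            unparsed.append(text)   # keep gaps visible instead of dropping them
        else:
            entries.append(entry)
    return {
        "entries": entries,
        "unparsed": unparsed,
        # Assumption: a "TEL" session tag marks a Telnet (cleartext) session.
        "telnet": [e for e in entries if e.session.startswith("TEL")],
        "changes": [e for e in entries if not is_read_only(e.command)],
        "by_origin": Counter((e.user, e.source) for e in entries),
    }


# The five entries from the guide plus one constructed, truncated line.
SAMPLE = [
    "[5/18 21:58:48]: CMD-(TEL0):[configure]by admin from vty0 (10.11.68.5) - Repeated 1 time.",
    "[5/18 21:58:57]: CMD-(TEL0):[interface port-channel 1]by admin from vty0 (10.11.68.5)",
    "[5/18 21:59:9]: CMD-(TEL0):[show config]by admin from vty0 (10.11.68.5)",
    "[5/18 22:4:32]: CMD-(TEL0):[exit]by admin from vty0 (10.11.68.5)",
    "[5/18 22:4:41]: CMD-(TEL0):[show interfaces port-channel brief]by admin from vty0 (10.11.68.5)",
    "[5/18 22:5:",
]

if __name__ == "__main__":
    result = review(SAMPLE)
    for e in result["changes"]:
        print(e.timestamp, e.user, e.source, e.session, e.command)
    print("unparsed lines:", len(result["unparsed"]))
```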
2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command.
3. Run the verify {md5 | sha256} [flash://]img-file [hash-value] command. For example, verify sha256 flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
4 Management
Management is supported on the Dell Networking MXL 10/40GbE Switch IO Module. This chapter describes the different protocols or services used to manage the Dell Networking system.
Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 15 privilege levels, of which two are pre-defined. The default privilege level is 1.
configure level level command. In the command, specify the privilege level of the user or terminal line, and specify all keywords in the command to which you want to allow access.
Allowing Access to INTERFACE, LINE, ROUTE-MAP, and ROUTER Mode
1. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, first allow access to the command that enters you into the mode.
• allows access to INTERFACE and LINE modes with the no command
Dell(conf)#do show run privilege
!
Dell(conf)#privilege exec level 3 capture
Dell(conf)#privilege exec level 3 configure
Dell(conf)#privilege exec level 4 resequence
Dell(conf)#privilege exec level 3 clear arp-cache
Dell(conf)#privilege exec level 3 clear arp-cache max-buffer-size
Dell(conf)#privilege configure level 3 line
Dell(conf)#privilege configure level 3 interface
Dell(conf)#do telnet 10.11.80.
CONFIGURATION mode
username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
• Configure a privilege level for a terminal line.
Line mode
privilege level level
NOTE: When you assign a privilege level between 2 and 15, access to the system begins at EXEC mode, but the prompt is hostname#, rather than hostname>.
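To review the effect of the privilege commands above against least privilege, the following added example (not from the Dell guide) reads privilege, username and line statements from a saved configuration or pasted session and reports which users and terminal lines can reach which re-levelled commands. It assumes a principal at level L may run any command assigned a level at or below L; the account names, the line range and the level values in the sample are constructed.

```python
import re

DEFAULT_LEVEL = 1    # the guide: "The default privilege level is 1."
ENABLE_LEVEL = 15    # the guide: EXEC Privilege mode is level 15

PROMPT_RE = re.compile(r"^\S+?[#>]")                      # "Dell(conf)#" in pasted sessions
MODE_RE = re.compile(r"^privilege (\S+) level (\d+) (.+)$")
LINE_LEVEL_RE = re.compile(r"^privilege level (\d+)$")    # LINE mode form
USER_RE = re.compile(r"^username (\S+)(?:.*?\bprivilege (\d+))?")
LINE_RE = re.compile(r"^line (\S+ \d+(?: \d+)?)$")


def parse(config_text):
    """Return ({(mode, command): level}, {principal: level})."""
    overrides, principals, current_line = {}, {}, None
    for raw in config_text.splitlines():
        cmd = PROMPT_RE.sub("", raw.strip()).strip()
        if m := LINE_RE.match(cmd):
            current_line = "line " + m[1]
            principals.setdefault(current_line, DEFAULT_LEVEL)
        elif (m := LINE_LEVEL_RE.match(cmd)) and current_line:
            principals[current_line] = int(m[1])
        elif m := MODE_RE.match(cmd):
            overrides[(m[1], m[3])] = int(m[2])
            current_line = None
        elif m := USER_RE.match(cmd):
            principals["user " + m[1]] = int(m[2] or DEFAULT_LEVEL)
            current_line = None
        elif cmd in ("!", "exit", "end"):
            current_line = None
    return overrides, principals


def audit(config_text):
    """Map each user or terminal line to the re-levelled commands it can run."""
    overrides, principals = parse(config_text)
    # Level needed to enter CONFIGURATION mode; 15 unless "configure" was lowered.
    enter_config = overrides.get(("exec", "configure"), ENABLE_LEVEL)
    report = {}
    for name, level in principals.items():
        can_configure = level >= enter_config
        granted = {}
        for (mode, command), cmd_level in overrides.items():
            # Commands in non-EXEC modes only matter if the mode is reachable.
            if cmd_level <= level and (mode == "exec" or can_configure):
                granted.setdefault(mode, []).append(command)
        report[name] = {
            "level": level,
            "can_configure": can_configure,
            "granted": {m: sorted(c) for m, c in granted.items()},
        }
    return report


def config_capable(report):
    """Principals below level 15 that can still enter CONFIGURATION mode."""
    return sorted(n for n, r in report.items()
                  if r["can_configure"] and r["level"] < ENABLE_LEVEL)


# Constructed sample: privilege lines in the form shown in the guide, plus
# hypothetical accounts (ops1, audit1) and a hypothetical vty range.
SAMPLE = """\
Dell(conf)#privilege exec level 3 capture
Dell(conf)#privilege exec level 3 configure
Dell(conf)#privilege exec level 4 resequence
Dell(conf)#privilege configure level 3 line
Dell(conf)#privilege configure level 3 interface
Dell(conf)#username ops1 privilege 3
Dell(conf)#username audit1 privilege 2
Dell(conf)#line vty 0 9
Dell(config-line-vty)#privilege level 4
"""

if __name__ == "__main__":
    result = audit(SAMPLE)
    for name in config_capable(result):
        print(name, "level", result[name]["level"], result[name]["granted"])
```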
• Clearing Audit Logs
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information.
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in Exec mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user role can view the security logs. If extended logging is disabled, you can only view system events, regardless of RBAC user role. To view security logs, use the show logging command.
Setting Up a Secure Connection to a Syslog Server
You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2.
3. Configure logging to a local host. localhost is “127.0.0.1” or “::1”. If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
Dell(conf)# logging localhost tcp port
Dell(conf)#logging 127.0.0.1 tcp 5140
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file.
– Add line on a 4.1 BSD UNIX system.
local7.debugging /var/log/log7.log
– Add line on a 5.7 SunOS UNIX system.
local7.debugging /var/adm/ftos.log
In the previous lines, local7 is the logging facility level and debugging is the severity level.
To view the logging configuration, use the show running-config logging command in privilege mode, as shown in the example for Configuring a UNIX Logging Facility Level.
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles.
CONFIGURATION mode
logging facility [facility-type]
– auth (for authorization messages)
– cron (for system scheduler messages)
– daemon (for system daemons)
– kern (for kernel messages)
– local0 (for local use)
– local1 (for local use)
– local2 (for local use)
– local3 (for local use)
– local4 (for local use)
– local5 (for local use)
– local6 (for local use)
– local7 (for local use)
– lpr (for line printer system messages)
– mail (for mail system messages)
– news (for USENET news messages)
– sys9 (system us
Synchronizing Log Messages
You can configure the system to filter and consolidate the system messages for a specific line by synchronizing the message output. Only the messages with a severity at or below the set level appear. This feature works on the terminal and console connections available on the system.
1. Enter LINE mode.
CONFIGURATION mode
line {console 0 | vty number [end-number]}
Configure the following parameters for the virtual terminal lines:
• number: the range is from zero (0) to 9.
To disable time stamping on syslog messages, use the no service timestamps [log | debug] command.
File Transfer Services
With the Dell Networking OS, you can configure the system to transfer files over the network using the file transfer protocol (FTP). One FTP application is copying the system image files over an interface on to the system; however, FTP is not supported on virtual local area network (VLAN) interfaces. For more information about FTP, refer to RFC 959, File Transfer Protocol.
Configure the following optional and required parameters:
– username: enter a text string.
– encryption-type: enter 0 for plain text or 7 for encrypted text.
– password: enter a text string.
NOTE: You cannot use the change directory (cd) command until you have configured ftp-server topdir.
To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode.
Configuring FTP Client Parameters
To configure FTP client parameters, use the following commands.
• You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
To apply an IP ACL to a line, use the following command.
• Apply an ACL to a VTY line.
LINE mode
ip access-class access-list
Example of an ACL that Permits Terminal Access
To view the configuration, use the show config command in LINE mode.
Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
seq 5 permit host 10.11.0.
aaa authentication login {method-list-name | default} [method-1] [method-2] [method-3] [method-4] [method-5] [method-6] 2. Apply the method list from Step 1 to a terminal line. CONFIGURATION mode login authentication {method-list-name | default} 3. If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line.
Dell(config-line-console)#show config
line console 0
 exec-timeout 0 0
Dell(config-line-console)#
Using Telnet to get to Another Network Device
To telnet to another device, use the following commands.
• Telnet to the stack-unit. You do not need to configure the management port on the stack-unit to be able to telnet to it.
EXEC Privilege mode
telnet-peer-stack-unit
• Telnet to a device with an IPv4 address.
• Set manual lock using the configure terminal lock command from CONFIGURATION mode. When you configure a manual lock, which is the default, you must enter this command each time you want to enter CONFIGURATION mode and deny access to others. Viewing the Configuration Lock Status If you attempt to enter CONFIGURATION mode when another user has locked it, you may view which user has control of CONFIGURATION mode using the show configuration lock command from EXEC Privilege mode.
4. Set the system parameters to ignore the startup configuration file when the system reloads.
uBoot mode
setenv stconfigignore true
5. To save the changes, use the saveenv command.
uBoot mode
saveenv
6. Reload the system.
uBoot mode
reset
7. Copy startup-config.bak to the running config.
EXEC Privilege mode
copy flash://startup-config.bak running-config
8. Remove all authentication statements you might have for the console.
LINE mode
no authentication login
no password
9.
uBoot mode reset 6. Configure a new enable password. CONFIGURATION mode enable {secret | password} 7. Save the running-config to the startup-config. EXEC Privilege mode copy running-config startup-config Recovering from a Failed Start A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location.
5 802.1X
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 1. EAP Frames Encapsulated in Ethernet and RADIUS
Figure 2. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network.
3. The authenticator decapsulates the EAP response from the EAPOL frame, encapsulates it in a RADIUS Access-Request frame and forwards the frame to the authentication server.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator.
5.
EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 4. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.
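The TLV encapsulation described above can be checked on a captured Access-Request. The following is an added example, not code from this guide or from Dell: it walks the RADIUS attributes, reassembles the EAP packet from the Type 79 (EAP-Message) attributes, and verifies the RFC 3579 Message-Authenticator attribute (Type 80, an assumption here since this page does not show it). The sample packet, shared secret and function names are constructed for illustration.

```python
import hmac
import struct

EAP_MESSAGE = 79            # attribute Type given on this page
MESSAGE_AUTHENTICATOR = 80  # RFC 3579 integrity attribute (assumption: not shown on this page)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_attributes(packet):
    """Split a RADIUS packet into (code, identifier, [(type, value, value_offset)])."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute %d has bad Length %d" % (a_type, a_len))
        attrs.append((a_type, packet[pos + 2:pos + a_len], pos + 2))
        pos += a_len
    return code, ident, attrs


def reassemble_eap(attrs):
    """Join the EAP-Message values in packet order and validate the EAP header."""
    eap = b"".join(value for a_type, value, _ in attrs if a_type == EAP_MESSAGE)
    if len(eap) < 4:
        raise ValueError("no complete EAP header in the EAP-Message attributes")
    code, ident, eap_len = struct.unpack("!BBH", eap[:4])
    if eap_len != len(eap):
        raise ValueError("EAP Length %d but %d bytes reassembled" % (eap_len, len(eap)))
    has_type = code in (1, 2) and eap_len > 4   # only Request/Response carry a Type
    return {"code": EAP_CODES.get(code, "Unknown"), "id": ident,
            "type": eap[4] if has_type else None,
            "data": eap[5:] if has_type else b""}


def message_authenticator_ok(packet, attrs, secret):
    """Access-Request check: HMAC-MD5 over the packet with the 16-byte
    Message-Authenticator value zeroed, keyed with the shared secret."""
    found = [(value, off) for a_type, value, off in attrs
             if a_type == MESSAGE_AUTHENTICATOR]
    if len(found) != 1 or len(found[0][0]) != 16:
        return False
    value, off = found[0]
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:off] + bytes(16) + packet[off + 16:length]
    return hmac.compare_digest(hmac.new(secret, zeroed, "md5").digest(), value)


def build_sample_request(secret, identity):
    """Constructed Access-Request: an EAP-Response/Identity split across
    EAP-Message attributes (at most 253 value bytes each)."""
    eap_body = bytes([1]) + identity                      # EAP Type 1 = Identity
    eap = struct.pack("!BBH", 2, 7, 4 + len(eap_body)) + eap_body
    attrs = b""
    for i in range(0, len(eap), 253):
        chunk = eap[i:i + 253]
        attrs += bytes([EAP_MESSAGE, len(chunk) + 2]) + chunk
    attrs += bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    header = struct.pack("!BBH", 1, 42, 20 + len(attrs)) + bytes(range(16))
    packet = bytearray(header + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), "md5").digest()
    return bytes(packet)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_sample_request(secret, b"u" * 300)
    code, ident, attrs = parse_attributes(pkt)
    print("attribute types:", [t for t, _, _ in attrs])
    print("EAP:", reassemble_eap(attrs)["code"], "bytes:", len(reassemble_eap(attrs)["data"]))
    print("Message-Authenticator valid:", message_authenticator_ok(pkt, attrs, secret))
```

The integrity check shown applies to Access-Request packets; responses from the server are computed over the Request Authenticator of the matching request instead.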
Important Points to Remember
• The Dell Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP.
• 802.1X is not supported on port-channels or port-channel members.
Enabling 802.1X
Enable 802.1X globally and at an interface level.
Figure 5. 802.1X Enabled
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range] 3. Enable 802.1X on an interface or a range of interfaces. INTERFACE mode dot1x authentication Example of Verifying that 802.1X is Enabled Globally Example of Verifying 802.1X is Enabled on an Interface Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. The bold lines show that 802.1X is enabled.
Auth PAE State: Initialize
Backend State: Initialize
Configuring Request Identity Re-Transmissions
If the authenticator sends a Request Identity frame, but the supplicant does not respond, the authenticator waits 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits are configurable.
The default is 60 seconds. Example of Configuring and Verifying Port Authentication The following example shows configuration information for a port for which the authenticator retransmits an EAP Request Identity frame: • after 90 seconds and a maximum of 10 times for an unresponsive supplicant • re-transmits an EAP Request Identity frame The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions.
Example of Placing a Port in Force-Authorized State and Viewing the Configuration The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state. Dell(conf-if-gi-2/1)#dot1x port-control force-authorized Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
Example of Re-Authenticating a Port and Verifying the Configuration The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period. Dell(conf-if-gi-2/1)#dot1x reauthentication interval 7200 Dell(conf-if-gi-2/1)#dot1x reauth-max 10 Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
The bold lines show the new supplicant and server timeouts. Dell(conf-if-gi-2/1)#dot1x port-control force-authorized Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1 802.
Figure 6. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5.
to be authenticated, but still need access to the network. Also, some dumb terminals, such as network printers, do not have 802.1X capability and therefore cannot authenticate themselves. To be able to connect such devices, they must be allowed access to the network without compromising network security. The Guest VLAN 802.1X extension addresses this limitation with regard to non-802.1X capable devices and the Authentication-fail VLAN 802.1X extension addresses this limitation with regard to external users.
!
interface GigabitEthernet 1/2
 switchport
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
Dell(conf-if-gi-1/2)#
View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode.
Dell(conf-if-gi-2/1)#dot1x port-control force-authorized
Dell(conf-if-gi-2/1)#do show dot1x interface gigabitethernet 2/1
802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs You can enable and configure the ACL CAM optimization functionality to minimize the number of entries in CAM while ACLs are applied on a VLAN or a set of VLANs, and also while ACLs are applied on a set of ports.
• Whether the maximum number of groups in the system has been exceeded
• Whether the maximum number of VLAN numbers permitted per ACL group has been exceeded
• When a VLAN member that is being added is already a part of another ACL group
After these verification steps are performed, the ACL manager considers the command as valid and sends the information to the ACL agent on the line card.
• Port ACL optimization is applicable only for ACLs that are applied without the VLAN range.
• You cannot view the statistical details of ACL rules per VLAN and per interface if you enable the ACL VLAN group capability. You can view the counters per ACL only using the show ip accounting access-list command.
• Within a port, you can apply Layer 2 ACLs on a VLAN or a set of VLANs. In this case, CAM optimization is not applied.
CONFIGURATION (conf-acl-vl-grp) mode show acl-vlan-group {group name | detail} Dell#show acl-vlan-group detail Group Name : TestGroupSeventeenTwenty Egress IP Acl : SpecialAccessOnlyExpertsAllowed Vlan Members : 100,200,300 Group Name : CustomerNumberIdentificationEleven Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess Vlan Members : 2-10,99 Group Name : HostGroup Egress IP Acl : Group5 Vlan Members : 1,1000 Dell# Configuring FP Blocks for VLAN Parameters Use the cam-acl-vlan command to allocate the
11 | 0 | IN-L2 ACL | 7152 | 0 | 7152
 | | IN-L2 FIB | 32768 | 1081 | 31687
 | | OUT-L2 ACL | 0 | 0 | 0
11 | 1 | IN-L2 ACL | 7152 | 0 | 7152
 | | IN-L2 FIB | 32768 | 1081 | 31687
 | | OUT-L2 ACL | 0 | 0 | 0
Viewing CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode.
Display Layer 2, Layer 3, ACL, or all CAM usage statistics
 | | OUT-L2 ACL | 1024 | 2 | 1022
 | | OUT-L3 ACL | 1024 | 0 | 1024
The following sample output displays the CAM space utilization for Layer 2 ACLs:
Dell#show cam-usage switch
Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM
========|========|=================|=============|=============|==============
11 | 0 | IN-L2 ACL | 7152 | 0 | 7152
 | | IN-L2 FIB | 32768 | 1081 | 31687
 | | OUT-L2 ACL | 0 | 0 | 0
11 | 1 | IN-L2 ACL | 7152 | 0 | 7152
 | | IN-L2 FIB | 32768 | 1081 | 31687
 | | O
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default, and you need to allocate the slices for CAM optimization. To display the number of FP blocks that is allocated for the different VLAN services, you can use the show cam-acl-vlan command.
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
accommodate the new entries. Hot lock ACLs are enabled by default and support both standard and extended ACLs. NOTE: Hot lock ACLs are supported for Ingress ACLs only. Implementing ACL on the Dell Networking OS You can assign one IP ACL per interface with the Dell Networking OS. If you do not assign an IP ACL to an interface, it is not used by the software in any other capacity. The number of entries allowed per ACL is hardware-dependent.
In cases such as these, where class-maps with overlapping ACL rules are applied to different queues, use the order keyword to specify the order in which you want to apply ACL rules. The order can range from 0 to 254. The Dell Networking OS writes to the CAM ACL rules with lower-order numbers (order numbers closer to 0) before rules with higher-order numbers so that packets are matched as you intended. By default, all ACL rules have an order of 255.
Example of Permitting All Packets on an Interface
Example of Denying Second and Subsequent Fragments
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#
To deny the second/subsequent fragments, use the same rules in a different order.
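Why the second rule is never hit, and why reordering fixes it, can be shown with a small first-match model. This is an added example, not part of the guide or of the Dell Networking OS: it models only the Layer 3 rule form used in the configuration above, assumes the sequence numbers 5 and 10 that the system would assign in multiples of five, and uses hypothetical function names.

```python
import ipaddress
from collections import namedtuple

# fragments=True models the "fragments" keyword: the rule applies only to
# second and subsequent fragments (fragment offset greater than zero).
Rule = namedtuple("Rule", "seq action dst fragments")


def parse_rule(seq, text):
    """Parse the L3-only form used on this page: '<action> ip any <dst> [fragments]'."""
    tok = text.split()
    if (len(tok) not in (4, 5) or tok[0] not in ("permit", "deny")
            or tok[1:3] != ["ip", "any"]):
        raise ValueError("unsupported rule: %r" % text)
    if len(tok) == 5 and tok[4] != "fragments":
        raise ValueError("unsupported keyword: %r" % tok[4])
    return Rule(seq, tok[0], ipaddress.ip_network(tok[3]), len(tok) == 5)


def rule_matches(rule, dst_ip, frag_offset):
    """A 'fragments' rule never matches a first fragment or an unfragmented packet."""
    if rule.fragments and frag_offset == 0:
        return False
    return ipaddress.ip_address(dst_ip) in rule.dst


def evaluate(rules, dst_ip, frag_offset):
    """First match wins; no match falls through to the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, dst_ip, frag_offset):
            return rule.action, rule.seq
    return "deny", None


def shadowed_rules(rules):
    """Return (seq, shadowing_seq) pairs for rules a single earlier rule fully covers."""
    ordered = sorted(rules, key=lambda r: r.seq)
    found = []
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            covers_dst = rule.dst.subnet_of(earlier.dst)
            covers_frag = (not earlier.fragments) or rule.fragments
            if covers_dst and covers_frag:
                found.append((rule.seq, earlier.seq))
                break
    return found


# The configuration as written on this page, and the same rules reordered.
AS_WRITTEN = [parse_rule(5, "permit ip any 10.1.1.1/32"),
              parse_rule(10, "deny ip any 10.1.1.1/32 fragments")]
REORDERED = [parse_rule(5, "deny ip any 10.1.1.1/32 fragments"),
             parse_rule(10, "permit ip any 10.1.1.1/32")]

if __name__ == "__main__":
    for name, acl in (("as written", AS_WRITTEN), ("reordered", REORDERED)):
        print(name, "shadowed:", shadowed_rules(acl))
        for offset in (0, 185):   # constructed fragment offsets
            print("  offset", offset, "->", evaluate(acl, "10.1.1.1", offset))
```

Running `shadowed_rules` over an ACL before applying it is a cheap review step for spotting deny rules that an earlier permit has made unreachable.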
In the following example, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24 Dell(conf-ext-nacl)#permit tcp host 10.1.1.
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order. Dell(conf-std-nacl)#seq 25 deny ip host 10.5.0.0 any Dell(conf-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any Dell(conf-std-nacl)#show config ! ip access-list standard dilling seq 15 permit tcp 10.3.0.
seq 30 deny tcp any any range 12345 12346
seq 35 permit udp host 10.21.126.225 10.4.5.0 /28
seq 40 permit udp host 10.21.126.226 10.4.5.0 /28
seq 45 permit udp 10.8.0.0 /16 10.50.188.118 /31 range 1812 1813
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49
seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813
To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete.
Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let the system assign a sequence number based on the order in which the filters are configured. The system assigns filters in multiples of five. To configure a filter for an extended IP ACL without a specified sequence number, use any or all of the following commands: • Configure a deny or permit filter to examine IP packets.
Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply: • When the system routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When the system switches the packets, first the L3 ACL filters them, then the L2 ACL filters them. • When the system switches the packets, the egress L3 ACL does not filter the packet.
Applying an IP ACL To apply an IP ACL (standard or extended) to a physical or port channel interface, use the following commands. 1. Enter the interface number. CONFIGURATION mode interface interface slot/port 2. Configure an IP address for the interface, placing it in Layer-3 mode. INTERFACE mode ip address ip-address 3. Apply an IP ACL to traffic entering or exiting an interface.
3. View the number of packets matching the ACL.
EXEC Privilege mode
show ip accounting access-list
Configure Ingress ACLs
Ingress ACLs are applied to interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results. By localizing target traffic, it is a simpler implementation. To create an ingress ACL, use the ip access-group command in EXEC Privilege mode.
To create an egress ACL, use the ip access-group command in EXEC Privilege mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify egress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
IP Prefix Lists IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes. The filters are processed in sequence so that if a route prefix does not match the criterion in the first filter, the second filter (if configured) is applied. When the route prefix matches a filter, the system drops or forwards the packet based on the filter’s designated action.
For a complete listing of all commands related to prefix lists, refer to the Dell Networking OS Command Line Interface Reference Guide.
Creating a Prefix List
To create a prefix list, use the following commands.
1. Create a prefix list and assign it a unique name. You are in PREFIX LIST mode.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create a prefix list with a sequence number and a deny or permit action.
Creating a Prefix List Without a Sequence Number
To create a filter without a specified sequence number, use the following commands.
1. Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create a prefix list filter with a deny or permit action.
CONFIG-NPREFIXL mode
{deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: is the minimum prefix length to be matched (from 0 to 32).
Example of the show ip prefix-list detail Command Example of the show ip prefix-list summary Command Dell>show ip prefix detail Prefix-list with the last deletion/insertion: filter_ospf ip prefix-list filter_in: count: 3, range entries: 3, sequences: 5 - 10 seq 5 deny 1.102.0.0/16 le 32 (hit count: 0) seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0) seq 10 permit 0.0.0.0/0 le 32 (hit count: 0) ip prefix-list filter_ospf: count: 4, range entries: 1, sequences: 5 - 10 seq 5 deny 100.100.1.
Dell(conf-router_rip)#show config
!
router rip
 distribute-list prefix juba out
 network 10.0.0.0
Dell(conf-router_rip)#router ospf 34
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode.
CONFIGURATION mode
router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
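How sequential prefix-list filters with ge and le decide the fate of a route can be traced with the filter_in entries from the show ip prefix-list detail output earlier on this page. This is an added example, not Dell code: the length-range rules it applies (no ge/le means an exact-length match, ge alone extends to /32, le alone starts at the prefix's own length) and the implicit deny are the conventional prefix-list semantics and are assumptions here, as are the function names and the test routes.

```python
import ipaddress

# Entries copied from the filter_in list in the show output on this page.
FILTER_IN = [
    "seq 5 deny 1.102.0.0/16 le 32",
    "seq 6 deny 2.1.0.0/16 ge 23",
    "seq 10 permit 0.0.0.0/0 le 32",
]


def parse_entry(line):
    """Parse 'seq N {permit|deny} prefix [ge X] [le Y]' into a dict."""
    tok = line.split()
    if (len(tok) < 4 or len(tok) % 2 or tok[0] != "seq"
            or tok[2] not in ("permit", "deny")):
        raise ValueError("unsupported entry: %r" % line)
    net = ipaddress.ip_network(tok[3])
    opts = dict(zip(tok[4::2], tok[5::2]))
    if set(opts) - {"ge", "le"}:
        raise ValueError("unknown option in: %r" % line)
    if opts:
        # Assumed semantics: a missing ge starts at the prefix length,
        # a missing le extends to /32.
        lo = int(opts.get("ge", net.prefixlen))
        hi = int(opts.get("le", 32))
    else:
        lo = hi = net.prefixlen          # exact-length match only
    if not net.prefixlen <= lo <= hi <= 32:
        raise ValueError("invalid ge/le range in: %r" % line)
    return {"seq": int(tok[1]), "action": tok[2], "net": net,
            "lo": lo, "hi": hi, "hits": 0}


def evaluate(entries, route):
    """Return (action, seq) of the first matching filter, or the implicit deny."""
    route_net = ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e["seq"]):
        inside = route_net.subnet_of(entry["net"])
        if inside and entry["lo"] <= route_net.prefixlen <= entry["hi"]:
            entry["hits"] += 1           # mirrors the "hit count" column
            return entry["action"], entry["seq"]
    return "deny", None


if __name__ == "__main__":
    entries = [parse_entry(line) for line in FILTER_IN]
    # Constructed routes chosen to exercise each filter.
    for route in ("1.102.5.0/24", "2.1.0.0/16", "2.1.128.0/25", "10.0.0.0/8"):
        print(route, "->", evaluate(entries, route))
    for entry in entries:
        print("seq", entry["seq"], "hit count:", entry["hits"])
```

Note that 2.1.0.0/16 itself is permitted by seq 10: the ge 23 on seq 6 restricts that deny to routes of length /23 or longer inside 2.1.0.0/16.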
You can resequence IPv4 ACLs, prefixes, and MAC ACLs. No CAM writes happen as a result of resequencing, so there is no packet loss; the behavior is similar to Hot-lock ACLs.
NOTE: ACL resequencing does not affect the rules, remarks, or order in which they are applied. Resequencing merely renumbers the rules so that you can place new rules within the list as needed.
Table 5. ACL Resequencing
Rules Resequencing
Rules Before Resequencing:
seq 5 permit any host 1.1.1.1
seq 6 permit any host 1.1.1.
remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 Dell# end Dell# resequence access-list ipv4 test 2 2 Dell# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.
Route maps also have an “implicit deny.” Unlike ACLs and prefix lists, however, where the packet or traffic is dropped, in route maps, if a route does not match any of the route map conditions, the route is not redistributed.
Implementation Information
The Dell Networking OS implementation of route maps allows route maps with the no match or no set commands. When there is no match command, all traffic matches the route map and the set command applies.
The optional seq keyword allows you to assign a sequence number to the route map instance. Example of Viewing a Configured Route Map Example of Multiple Instances of a Route-Map Example of Deleting One Instance of a Route Map Example of Viewing All Instances of a Specified Route Map The default action is permit and the default sequence number starts at 10. When you use the keyword deny in configuring a route map, routes that meet the match filters are not redistributed.
Match clauses: Set clauses: route-map dilling, permit, sequence 15 Match clauses: interface Loopback 23 Set clauses: tag 3444 Dell# To delete a route map, use the no route-map map-name command in CONFIGURATION mode. Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. • match commands search for a certain criterion in the routes. • set commands change the characteristics of routes, either adding something or specifying a level.
Dell(conf)#route-map force deny 20 Dell(config-route-map)#match tag 1000 Dell(conf)#route-map force deny 30 Dell(config-route-map)#match tag 1000 Configuring Match Routes To configure match criterion for a route map, use the following commands. • Match routes whose next hop is a specific interface. CONFIG-ROUTE-MAP mode match interface interface The parameters are: – For a Loopback interface, enter the keyword loopback then a number between zero (0) and 16383.
To create route map instances, use these commands. There is no limit to the number of match commands per route map, but the convention is to keep the number of match filters in a route map low. Set commands do not require a corresponding match command.
Configuring Set Conditions
To configure a set condition, use the following commands.
• Generate a tag to be added to redistributed routes.
CONFIG-ROUTE-MAP mode
set automatic-tag
• Specify an OSPF area or ISIS level for redistributed routes.
Route maps add to that redistribution capability by allowing you to match specific routes and set or change more attributes when redistributing those routes. In the following example, the redistribute command calls the route map static ospf to redistribute only certain static routes into OSPF. According to the route map static ospf, only routes that have a next hop of Gigabitethernet interface 0/0 and that have a metric of 255 are redistributed into the OSPF backbone area.
NOTE: If you configure the continue clause without specifying a module, the next sequential module is processed.
• For IP Packets, the ACL name, sequence number, ACL action (permit or deny), source and destination MAC addresses, source and destination IP addresses, and the transport layer protocol used are the logged attributes.
Configuring ACL Logging To configure the maximum number of ACL log messages to be generated and the frequency at which these messages must be generated, perform the following steps: NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs. 1.
Behavior of Flow-Based Monitoring Activate flow-based monitoring for a monitoring session by entering the flow-based enable command in the Monitor Session mode. When you enable this capability, traffic with particular flows that are traversing through the ingress interfaces are examined, and appropriate ACLs can be applied in the ingress direction. By default, flow-based monitoring is not enabled.
The show config command has been modified to display monitoring configuration in a particular session. Example Output of the show Command (conf-mon-sess-11)#show config ! monitor session 11 flow-based enable source GigabitEthernet 13/0 destination GigabitEthernet 13/1 direction both The show ip | mac | ipv6 accounting commands have been enhanced to display whether monitoring is enabled for traffic that matches with the rules of the specific ACL.
Example of the flow-based enable Command To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode. Dell(conf)#monitor session 0 Dell(conf-mon-sess-0)#flow-based enable Dell(conf)#ip access-list ext testflow Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.
8 Bidirectional Forwarding Detection (BFD) Bidirectional forwarding detection (BFD) is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
NOTE: A session state change from Up to Down is the only state change that triggers a link state change in the routing protocol client.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 7. BFD in IPv4 Packet Format
Field | Description
Diagnostic Code | The reason that the last session failed.
State | The current local session state.
Field | Description
 | system clears the poll bit and sets the final bit in its response. The poll and final bits are used during the handshake and in Demand mode (refer to BFD Sessions). NOTE: The Dell Networking OS does not currently support multi-point sessions, Demand mode, authentication, or control plane independence; these bits are always clear.
Detection Multiplier | The number of packets that must be missed in order to declare a session down.
Length | The entire length of the BFD packet.
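The fields in this table can be decoded from the UDP payload of a captured control packet. The following is an added example, not Dell code: the byte layout and the receive checks come from RFC 5880 (the guide's Figure 7 is not reproduced on this page), intervals are in microseconds on the wire, and the function names and sample packets are constructed. It also reports the multipoint, Demand, authentication and control plane independence bits, which this guide says the Dell Networking OS always leaves clear.

```python
import struct

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
FLAGS = (("poll", 0x20), ("final", 0x10), ("cpi", 0x08),
         ("auth", 0x04), ("demand", 0x02), ("multipoint", 0x01))
# Bits this guide says the OS does not support and always sends clear.
UNSUPPORTED = ("cpi", "auth", "demand", "multipoint")


def parse_bfd(payload):
    """Decode the 24-byte mandatory section of a BFD control packet."""
    if len(payload) < 24:
        raise ValueError("shorter than the 24-byte mandatory section")
    (b0, b1, mult, length, my_disc, your_disc,
     tx, rx, echo) = struct.unpack("!BBBBIIIII", payload[:24])
    return {
        "version": b0 >> 5,
        "diag": b0 & 0x1F,                       # Diagnostic Code
        "state": STATES[b1 >> 6],
        "flags": {name: bool(b1 & bit) for name, bit in FLAGS},
        "detect_mult": mult,                     # Detection Multiplier
        "length": length,
        "my_disc": my_disc,
        "your_disc": your_disc,
        "desired_min_tx_us": tx,
        "required_min_rx_us": rx,
        "required_min_echo_rx_us": echo,
        "payload_len": len(payload),
    }


def check_bfd(pkt):
    """Return a list of problem tags; an empty list means the packet is acceptable."""
    problems = []
    if pkt["version"] != 1:
        problems.append("version")
    min_len = 26 if pkt["flags"]["auth"] else 24
    if pkt["length"] < min_len or pkt["length"] > pkt["payload_len"]:
        problems.append("length")
    if pkt["detect_mult"] == 0:
        problems.append("detect-mult-zero")
    if pkt["my_disc"] == 0:
        problems.append("my-discriminator-zero")
    if pkt["your_disc"] == 0 and pkt["state"] in ("Init", "Up"):
        problems.append("your-discriminator-zero")
    if pkt["flags"]["poll"] and pkt["flags"]["final"]:
        problems.append("poll-and-final")
    problems += ["unsupported-bit:" + n for n in UNSUPPORTED if pkt["flags"][n]]
    return problems


def detection_time_us(pkt, local_required_min_rx_us):
    """Time without packets before the local side declares the session down:
    the peer's Detection Multiplier times the agreed peer transmit interval."""
    return pkt["detect_mult"] * max(local_required_min_rx_us, pkt["desired_min_tx_us"])


def build_bfd(state, flag_bits, mult, my_disc, your_disc, tx_us, rx_us):
    """Build a constructed version-1 control packet with no diagnostic code."""
    return struct.pack("!BBBBIIIII", 1 << 5, (state << 6) | flag_bits,
                       mult, 24, my_disc, your_disc, tx_us, rx_us, 0)


if __name__ == "__main__":
    # Constructed packet: Up, 100 ms intervals, multiplier 3, discriminators 1/1.
    good = parse_bfd(build_bfd(3, 0, 3, 1, 1, 100000, 100000))
    print(good["state"], check_bfd(good), detection_time_us(good, 100000), "us")
    # Constructed packet with the authentication bit set and no auth section.
    bad = parse_bfd(build_bfd(3, 0x04, 3, 1, 0, 100000, 100000))
    print(bad["state"], check_bfd(bad))
```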
BFD Sessions
You must enable BFD on both sides of a link in order to establish a session. The two participating systems can assume either of two roles:
Active | The active system initiates the BFD session. Both systems can be active for the same session.
Passive | The passive system does not initiate a session. It only responds to a request for session initialization from the active system.
handshake. Now the discriminator values have been exchanged and the transmit intervals have been negotiated. 4. The passive system receives the control packet and changes its state to Up. Both systems agree that a session has been established. However, because both members must send a control packet — that requires a response — anytime there is a state change or change in a session parameter, the passive system sends a final response indicating the state change.
receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 9. Session State Changes Important Points to Remember • BFD for line card ports is hitless, but is not hitless for VLANs because they are instantiated on the RPM. • The Dell Networking OS supports a maximum of 100 sessions per BFD agent. Each linecard processor has a BFD Agent, so the limit translates to 100 BFD sessions per linecard. • Enable BFD on both ends of a link.
• Configure BFD for Static Routes • Configure BFD for OSPF • Configure BFD for OSPFv3 • Configure BFD for BGP • Configure BFD for VRRP • Configure BFD for VLANs • Configuring Protocol Liveness • Troubleshooting BFD Configure BFD for Physical Ports BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 10. Establishing a BFD Session on Physical Ports 1. Enter interface mode. CONFIGURATION mode interface 2. Assign an IP address to the interface if one is not already assigned. INTERFACE mode ip address ip-address 3.
Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
Configuring BFD for static routes is a three-step process: 1. Enable BFD globally. Refer to Enabling BFD Globally. 2. On the local system, establish a session with the next hop of a static route. Refer to Establishing Sessions for Static Routes. 3. On the remote system, establish a session with the physical port that is the origin of the static route. Refer to Establishing a Session on Physical Ports.
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
2.2.2.1 2.2.2.2 Gi 4/24 Up 100 100 4 R
To view detailed session information, use the show bfd neighbors detail command, as shown in the examples in Disabling BFD for BGP.
Changing Static Route Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 12. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
INTERFACE mode
ip ospf bfd all-neighbors
Example of Verifying Sessions with OSPF Neighbors
To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Gi 2/1 Up 100 100 3 O
* 2.2.3.1 2.2.3.
To disable BFD sessions, use the following commands.
• Disable BFD sessions with all OSPF neighbors.
ROUTER-OSPF mode
no bfd all-neighbors
• Disable BFD sessions with all OSPF neighbors on an interface.
INTERFACE mode
ip ospf bfd all-neighbors disable
Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
To change parameters for all OSPFv3 sessions or for OSPFv3 sessions on a single interface, use the following commands. To view session parameters, use the show bfd neighbors detail command, as shown in the example in Displaying BFD for BGP Information.
• Change parameters for all OSPFv3 sessions.
  ROUTER-OSPFv3 mode
  bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for OSPFv3 sessions on a single interface.
Establishing Sessions with BGP Neighbors Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect. For more information, refer to Border Gateway Protocol IPv4 (BGPv4). For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks. As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies. If a BFD for BGP neighbor does not receive a control packet within the detection interval, the router informs any clients of the BFD session (other routing protocols) about the failure.
Disabling BFD for BGP You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the no neighbor {ip-address | peer-group-name} bfd disable command in ROUTER BGP configuration mode.
• Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line listing of established BFD adjacencies is displayed.
  EXEC Privilege mode
  show bfd neighbors [interface] [detail]
• Display BFD packet counters for sessions with BGP neighbors.
  EXEC Privilege mode
  show bfd counters bgp [interface]
• Check to see if BFD is enabled for BGP connections.
The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).

R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2

Interface TenGigabitEthernet 6/1
Protocol BGP
Messages:
Registration    : 5
De-registration : 4
Init            : 0
Up              : 6
Down            : 0
Admin Down      : 2

Interface TenGigabitEthernet 6/2
Protocol BGP
Messages:
Registration    : 1
De-registration : 0
Init            : 0
Up              : 1
Down            : 0
Admin Down      : 2

The bold line shows the message displayed when you enable BFD for BGP connections.

R2# show ip bgp summary
BGP router identifier 10.0.0.
Sent 9 messages, 0 in queue 2 opens, 0 notifications, 0 updates 7 keepalives, 0 route refresh requests Minimum time between advertisement runs is 30 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Neighbor is using BGP global mode BFD configuration For address family:
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally. Refer to Enabling BFD Globally.
2. Establish VRRP BFD sessions with all VRRP-participating neighbors. Refer to Establishing VRRP Sessions on VRRP Neighbors.
3. On the master router, establish VRRP BFD sessions with the backup routers. Refer to Establishing Sessions with All VRRP Neighbors.
Related Configuration Tasks
• Changing VRRP Session Parameters.
• Disabling BFD for VRRP.
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
Changing VRRP Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. You can change parameters for all VRRP sessions or for a particular neighbor. To change parameters for all VRRP sessions or for a particular VRRP session, use the following commands. • Change parameters for all VRRP sessions.
There is one BFD agent for VLANs and port-channels that resides on RP2, as opposed to the other agents that are on the line card. Therefore, the 100 total possible sessions that this agent can maintain are shared between VLANs and port-channels.
Configuring BFD for VLANs is a two-step process:
1. Enable the BFD globally. Refer to Enabling BFD Globally.
2. Establish sessions with VLAN neighbors. Refer to Establish Sessions with VLAN Neighbors.
Related Configuration Task
• Changing VLAN Session Parameters.
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.3.2   2.2.3.1      Vl 200      Up      100      100      3      C

Changing VLAN Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. You can change parameters per interface; if you make a configuration change, the change affects all sessions on that interface.
Related Configuration Tasks • Changing Port-Channel Session Parameters. • Disabling BFD for Port-Channels. Establish Sessions on Port-Channels To establish a session, you must enable BFD at interface level on both ends of the link, as shown in the following example. The session parameters do not need to match. Figure 16. Establishing Sessions on Port-Channels To establish a session on a port-channel, use the bfd neighbor ip-address command in INTERFACE PORT-CHANNEL mode.
Changing Physical Port Session Parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. Configure these parameters per interface; if you change a parameter, the change affects all physical port sessions on that interface.
  debug bfd detail
• Examine the control packets in hexadecimal format.
  CONFIGURATION
  debug bfd packet

Example of Output from the debug bfd detail Command
Example of Output from the debug bfd packet Command
The following example shows a three-way handshake using the debug bfd detail command.

R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.
9 Border Gateway Protocol IPv4 (BGPv4)
This chapter provides a general description of BGPv4 as it is supported in the Dell Networking operating system. BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 17. Interior BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
Route Reflectors Route reflectors (RR) reorganize the iBGP core into a hierarchy and allow some route advertisement rules. Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster. Because BGP speakers announce only the best route for a given prefix, route reflector rules are applied after the router makes its best path decision. NOTE: Address-family specific RR configurations are not supported.
BGP Attributes Routes learned using BGP have associated properties that are used to determine the best route to a destination when multiple paths exist to a particular destination. These properties are referred to as BGP attributes, and an understanding of how BGP attributes influence route selection is required for the design of robust networks.
Figure 20. BGP Best Path Selection
Best Path Selection Details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command.
   a. Routes originated with the network or redistribute commands are preferred over routes originated with the aggregate-address command.
   c. Paths with no MED are treated as “worst” and assigned a MED of 4294967295.
7. Prefer external (EBGP) to internal (IBGP) paths or confederation EBGP paths.
8. Prefer the path with the lowest IGP metric to the BGP if next-hop is selected when synchronization is disabled and only an internal path remains.
9. The system deems the paths as equal and does not perform steps 9 through 11, if the following criteria are met:
   a. the IBGP multipath or EBGP multipath are configured (the maximum-path command).
and AS300. This is advertised to all routers within AS100, causing all BGP speakers to prefer the path through Router B. Figure 21. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria.
Figure 22. Multi-Exit Discriminators NOTE: With the Dell Networking OS version 8.3.1.0, configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
*> 7.0.0.0/30   10.114.8.33   0    0   18508 ?
*> 9.2.0.0/16   10.114.8.33   10   0   18508 701 i

AS Path
The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to an eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP. Therefore, you cannot redistribute multiprotocol BGP routes into BGP. Implement BGP with the Dell Networking OS The following sections describe how to implement BGP on the Dell Networking OS.
Table 6.
AS4 Number Representation The Dell Networking OS version 8.2.1.0 supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot. NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported. ASPLAIN is the method the Dell Networking OS has used for all previous Dell Networking OS versions. ASPLAIN remains the default method with the Dell Networking OS version 8.2.1.
ASDOT+
Dell(conf-router_bgp)#bgp asnotation asdot+
Dell(conf-router_bgp)#show conf
!
router bgp 100
 bgp asnotation asdot
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
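The three notations describe the same 32-bit value, so configurations saved under different bgp asnotation settings can be normalized before they are compared or audited. The following Python sketch is an added example, not Dell code: the function names and the sample configuration text are constructed for illustration, and the asdot rule used here (plain decimal below 65536, dotted form from 65536 up) is the usual definition of that notation.

```python
import re

MAX_ASN = 4294967295  # top of the 4-byte AS range


def parse_asn(text):
    """Return the integer ASN for asplain ("65057") or dotted ("0.65057") input."""
    text = text.strip()
    if "." in text:
        high_s, _, low_s = text.partition(".")
        parts_ok = all(p.isascii() and p.isdigit() for p in (high_s, low_s))
        if not parts_ok:
            raise ValueError(f"malformed dotted ASN: {text!r}")
        high, low = int(high_s), int(low_s)
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted ASN field above 65535: {text!r}")
        value = (high << 16) | low
    elif text.isascii() and text.isdigit():
        value = int(text)
    else:
        raise ValueError(f"malformed ASN: {text!r}")
    if not 1 <= value <= MAX_ASN:
        raise ValueError(f"ASN out of range: {text!r}")
    return value


def format_asn(value, notation="asplain"):
    """Render an integer ASN as asplain, asdot+ or asdot."""
    if not 1 <= value <= MAX_ASN:
        raise ValueError(f"ASN out of range: {value}")
    dotted = f"{value >> 16}.{value & 0xFFFF}"
    if notation == "asplain":
        return str(value)
    if notation == "asdot+":
        return dotted                      # always high.low, even for 2-byte ASNs
    if notation == "asdot":
        return str(value) if value < 65536 else dotted
    raise ValueError(f"unknown notation: {notation!r}")


# Keywords in this guide's examples that are followed by an AS number.
ASN_FIELD = re.compile(r"\b(router bgp|remote-as|local-as)\s+(\d+(?:\.\d+)?)")


def normalize_config(config, notation="asplain"):
    """Rewrite every AS number in a BGP config fragment to one notation."""
    def rewrite(match):
        asn = parse_asn(match.group(2))
        return f"{match.group(1)} {format_asn(asn, notation)}"
    return ASN_FIELD.sub(rewrite, config)


# Constructed sample: a fragment as it might be displayed under asdot+.
SAMPLE_ASDOT_PLUS = """\
router bgp 0.100
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 0.18508
 neighbor 172.30.1.250 local-as 0.65057
 neighbor 192.0.2.1 remote-as 1.10
"""

if __name__ == "__main__":
    print(normalize_config(SAMPLE_ASDOT_PLUS, "asplain"))
```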
The following illustration shows a scenario where Router A, Router B, and Router C belong to AS 100, 200, and 300, respectively. Router A acquired Router B; Router B has Router C as its customer. When Router B is migrating to Router A, it must maintain the connection with Router C without immediately updating Router C’s configuration.
B has an inbound route-map applied on Router C to prepend "65001 65002" to the as-path, the following events take place on Router B: 1. Receive and validate the update. 2. Prepend local-as 200 to as-path. 3. Prepend "65001 65002" to as-path. Local-AS is prepended before the route-map to give an impression that update passed through a router in AS 200 before it reached Router B.
• The AFI/SAFI is not used as an index to the f10BgpM2PeerCountersEntry table. The BGP peer’s AFI/ SAFI (IPv4 Unicast or IPv6 Multicast) is used for various outbound counters. Counters corresponding to IPv4 Multicast cannot be queried.
By default, the system compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled). NOTE: In the Dell Networking OS, all newly configured neighbors and peer groups are disabled. To enable a neighbor or peer group, enter the neighbor {ip-address | peer-group-name} no shutdown command. The following table displays the default values for BGP. Table 7.
NOTE: Find Sample Configurations for enabling BGP routers at the end of this chapter.
1. Assign an AS number and enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
   • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format).
   Only one AS is supported per system.
   NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
   a. Enable 4-Byte support for the BGP process.
      NOTE: This command is OPTIONAL.
CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} no shutdown Example of the show ip bgp summary Command (2-Byte AS number displayed) Example of the show ip bgp summary Command (4-Byte AS number displayed) Example of the show ip bgp neighbors Command Example of Verifying BGP Configuration NOTE: When you change the configuration of a BGP neighbor, always reset it by entering the clear ip bgp command in EXEC Privilege mode.
NOTE: The showconfig command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command. The following example displays two neighbors: one is an external BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State.
network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list ISP1in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.
Example of the bgp asnotation asplain Command Example of the bgp asnotation asdot Command Example of the bgp asnotation asdot+ Command Dell(conf-router_bgp)#bgp asnotation asplain Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.250 remote-as 18508 neighbor 172.30.1.250 local-as 65057 neighbor 172.30.1.250 route-map rmap1 in neighbor 172.30.1.
   neighbor peer-group-name peer-group
2. Enable the peer group.
   CONFIG-ROUTER-BGP mode
   neighbor peer-group-name no shutdown
   By default, all peer groups are disabled.
3. Create a BGP neighbor.
   CONFIG-ROUTER-BGP mode
   neighbor ip-address remote-as as-number
4. Enable the neighbor.
   CONFIG-ROUTER-BGP mode
   neighbor ip-address no shutdown
5. Add an enabled neighbor to the peer group.
   CONFIG-ROUTER-BGP mode
   neighbor ip-address peer-group peer-group-name
6. Add a neighbor as a remote AS.
• neighbor route-map out • neighbor route-reflector-client • neighbor send-community A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates. NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode.
Number of peers in this group 26 Peer-group members (* - outbound optimized): 10.68.160.1 10.68.161.1 10.68.162.1 10.68.163.1 10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.1 10.68.171.1 10.68.172.1 10.68.173.1 10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 Configuring BGP Fast Fail-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable.
Hold time is 180, keepalive interval is 60 seconds Received 52 messages, 0 notifications, 0 in queue Sent 45 messages, 5 notifications, 0 in queue Received 6 updates, Sent 0 updates Route refresh request: received 0, sent 0 Minimum time between advertisement runs is 5 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_
neighbor. To work around this, change the BGP configuration or change the order of the peer group configuration. You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 256. The default is 256 sessions. 1. Configure a peer group that does not initiate TCP connections with other peers.
You must configure a peer group (refer to Configuring Peer Groups) before assigning it to an AS. This feature is not supported on passive peer groups.

Example of Verifying that Local AS Numbering is Disabled
The first line in bold shows the actual AS number. The second two lines in bold show the local AS number (6500) maintained during migration. To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.

R2(conf-router_bgp)#show conf
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.
router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.9 remote-as 65192 neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.
CONFIG-ROUTER-BGP mode bgp graceful-restart [restart-time time-in-seconds] • The default is 120 seconds. Set maximum time to retain the restarting peer’s stale paths. CONFIG-ROUTER-BGP mode bgp graceful-restart [stale-path-time time-in-seconds] • The default is 360 seconds. Local router supports graceful restart as a receiver only.
Filtering on an AS-Path Attribute You can use the BGP attribute, AS_PATH, to manipulate routing policies. The AS_PATH attribute contains a sequence of AS numbers representing the route’s path. As the route traverses an AS, the ASN is prepended to the route. You can manipulate routes based on their AS_PATH to affect interdomain routing. By identifying certain ASN in the AS_PATH, you can permit or deny routes based on the number in its AS_PATH. AS-PATH ACLs use regular expressions to search AS_PATH values.
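Because an AS-PATH ACL is a list of regular expressions, an unanchored pattern can deny more routes than intended. The following Python sketch is an added example, not Dell code, for checking a filter offline before it is applied: Python's re module stands in for the switch's regular-expression engine, first-match-wins evaluation with an implicit deny at the end is an assumption, and the rule lists and routes are constructed.

```python
import re


def evaluate(acl, as_path):
    """Return (action, rule_index) of the first matching rule.

    acl is an ordered list of (action, pattern) pairs. If nothing matches,
    the result is ("deny", None): the assumed implicit deny.
    """
    for index, (action, pattern) in enumerate(acl):
        if re.search(pattern, as_path):
            return action, index
    return "deny", None


def filter_routes(acl, routes):
    """Return the prefixes whose AS path the ACL permits."""
    return [prefix for prefix, path in routes if evaluate(acl, path)[0] == "permit"]


def overblocked(loose, strict, routes):
    """Prefixes the loose ACL denies although the strict ACL permits them."""
    kept_by_strict = set(filter_routes(strict, routes))
    kept_by_loose = set(filter_routes(loose, routes))
    return [p for p, _ in routes if p in kept_by_strict and p not in kept_by_loose]


# Intent of both rule lists: reject any route that traversed AS 701.
# LOOSE matches the digits "701" anywhere, so it also hits AS 17012 and AS 7010.
LOOSE = [("deny", r"701"), ("permit", r".*")]
# STRICT requires 701 to be a whole AS number, delimited by spaces or path ends.
STRICT = [("deny", r"(^| )701( |$)"), ("permit", r".*")]

# Constructed routes: (prefix, AS path as space-separated AS numbers).
ROUTES = [
    ("9.2.0.0/16", "18508 701"),
    ("7.0.0.0/30", "18508"),
    ("198.51.100.0/24", "18508 17012"),
    ("203.0.113.0/24", "18508 209 7010"),
]

if __name__ == "__main__":
    for prefix, path in ROUTES:
        print(prefix, path, "loose:", evaluate(LOOSE, path), "strict:", evaluate(STRICT, path))
    print("denied only by the loose pattern:", overblocked(LOOSE, STRICT, ROUTES))
```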
As seen in the following example, the expressions are displayed when using the show commands. To view the AS-PATH ACL configuration, use the show config command in CONFIGURATION AS-PATH ACL mode and the show ip as-path-access-list command in EXEC Privilege mode. For more information about this command and route filtering, refer to Filtering BGP Routes. The following example applies access list Eagle to routes inbound from BGP peer 10.5.5.2.
  redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name]
  Configure the following parameters:
  – level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2.
  – metric value: The value is from 0 to 16777215. The default is 0.
  – map-name: name of a configured route map.
• Include specific OSPF routes in IS-IS.
Configuring IP Community Lists Within the Dell Networking OS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute. This attribute is an optional attribute that is defined for a group of destinations. You can assign a COMMUNITY attribute to BGP routers by using an IP community list. After you create an IP community list, you can apply routing decisions to all routers meeting the criteria in the IP community list.
deny 704:20
deny 705:20
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112

Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
   CONFIGURATION mode
   ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
Filtering Routes with Community Lists
To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2. Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group.
1. Enter ROUTE-MAP mode and assign a name to a route map.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2. Configure a set filter to delete all COMMUNITY numbers in the IP community list.
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network            Next Hop        Metric
* i 3.0.0.0/8          195.171.0.16
*>i 4.2.49.12/30       195.171.0.16
* i 4.21.132.0/23      195.171.0.16
*>i 4.24.118.16/30     195.171.0.16
*>i 4.24.145.0/30      195.171.0.16
*>i 4.24.187.12/30     195.171.0.16
*>i 4.24.202.0/30      195.171.0.16
*>i 4.25.88.0/30       195.171.0.16
*>i 6.1.0.0/16         195.171.0.16
*>i 6.2.0.0/22         195.171.0.16
*>i 6.3.0.0/18         195.171.0.
--More--
A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2. Change LOCAL_PREF value for routes meeting the criteria of this route map.
   CONFIG-ROUTE-MAP mode
   set local-preference value
3. Return to CONFIGURATION mode.
   CONFIG-ROUTE-MAP mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5.
  neighbor {ip-address | peer-group-name} weight weight
  – weight: the range is from 0 to 65535. The default is 0.
• Sets weight for the route.
  CONFIG-ROUTE-MAP mode
  set weight weight
  – weight: the range is from 0 to 65535.
To view BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.

Enabling Multipath
By default, the software allows one path to a destination.
NOTE: When you configure a new set of BGP policies, to ensure the changes are made, always reset the neighbor or peer group by using the clear ip bgp command in EXEC Privilege mode.
To filter routes using prefix lists, use the following commands.
1. Create a prefix list and assign it a name.
   CONFIGURATION mode
   ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
Filtering BGP Routes Using Route Maps
To filter routes using a route map, use these commands.
1. Create a route map and assign it a name.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2. Create multiple route map filters with a match or set action.
   CONFIG-ROUTE-MAP mode
   {match | set}
   For information about configuring route maps, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
   CONFIG-ROUTE-MAP mode
   exit
4. Enter ROUTER BGP mode.
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Filter routes based on the criteria in the configured route map.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out}
   Configure the following parameters:
   • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name.
   • as-path-name: enter the name of a configured AS-PATH ACL.
   • in: apply the AS-PATH ACL map to inbound routes.
Aggregating Routes The Dell Networking OS provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active. To aggregate routes, use the following command. AS_SET includes AS_PATH and community information from the routes included in the aggregated route. • Assign the IP address and mask of the prefix to be aggregated.
All Confederation routers must be either 4 Byte or 2 Byte. You cannot have a mix of router ASN support. To view the configuration, use the show config command in CONFIGURATION ROUTER BGP mode. Enabling Route Flap Dampening When EBGP routes become unavailable, they “flap” and the router issues both WITHDRAWN and UPDATE notices.
– suppress: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
– max-suppress-time: the range is from 1 to 255. The maximum number of minutes a route can be suppressed. The default is four times the half-life value. The default is 60 minutes.
– route-map map-name: name of a configured route map.
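To see how the suppress and max-suppress-time values interact, the following Python sketch (an added example, not Dell code) models a route's Penalty over time. It assumes the usual exponential-decay dampening model; the 1024 penalty per flap, the reuse threshold of 750 and the 15-minute half-life are assumed values chosen for the illustration, with the half-life consistent with the 60-minute max-suppress-time default being four times the half-life.

```python
import math


def decayed(penalty, minutes, half_life):
    """Penalty after `minutes` of exponential decay with the given half-life."""
    return penalty * 0.5 ** (minutes / half_life)


def simulate(flaps, half_life=15.0, reuse=750.0, suppress=2000.0,
             max_suppress=60.0, per_flap=1024.0):
    """Return a list of (minute, event, penalty); events are 'suppress' and 'reuse'.

    flaps is a list of minutes at which the route flapped. per_flap, reuse
    and half_life are assumed values; suppress and max_suppress use the
    defaults stated in this section.
    """
    events = []
    penalty = 0.0
    last = None               # minute of the most recent flap
    suppressed_since = None   # minute at which the current suppression began

    def release_time():
        # Suppression ends when the penalty has decayed to the reuse value
        # or when max-suppress-time expires, whichever comes first.
        if penalty > reuse:
            by_decay = last + half_life * math.log2(penalty / reuse)
        else:
            by_decay = last
        return min(by_decay, suppressed_since + max_suppress)

    for t in sorted(flaps):
        if last is not None:
            if suppressed_since is not None:
                release = release_time()
                if release <= t:
                    events.append((release, "reuse",
                                   decayed(penalty, release - last, half_life)))
                    suppressed_since = None
            penalty = decayed(penalty, t - last, half_life)
        penalty += per_flap
        last = t
        if suppressed_since is None and penalty > suppress:
            suppressed_since = t
            events.append((t, "suppress", penalty))

    if suppressed_since is not None:
        release = release_time()
        events.append((release, "reuse", decayed(penalty, release - last, half_life)))
    return events


if __name__ == "__main__":
    # Constructed scenarios: three flaps two minutes apart, then a route
    # that flaps every minute for 15 minutes.
    for scenario in ([0, 2, 4], list(range(15))):
        for minute, event, penalty in simulate(scenario):
            print(f"t={minute:6.2f} min  {event:8s} penalty={penalty:8.1f}")
        print()
```

In the second scenario the penalty is still above the reuse value when the route is released, which is the case max-suppress-time exists to bound.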
Example of Configuring a Route for Reuse or Restart Example of Viewing the Number of Dampened Routes To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. The following example shows how to configure values to reuse or restart a route.
• the lower of the holdtime values is the new holdtime value, and
• the lower of one-third of the new holdtime value and the configured keepalive value is the new keepalive value.
• Configure timer values for a BGP neighbor or peer group.
  CONFIG-ROUTER-BGP mode
  neighbors {ip-address | peer-group-name} timers keepalive holdtime
  – keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
If you specify a BGP peer group by using the peer-group-name argument, all members of the peer group inherit the characteristic configured with this command.
• Clear all information or only specific details.
  EXEC Privilege mode
  clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
  – *: Clears all peers.
  – neighbor-address: Clears the neighbor with this IP address.
  – AS Numbers: Peers’ AS numbers to be cleared.
  – ipv4: Clears information for the IPv4 address family.
• If the next route map entry does not contain a continue clause, the route map evaluates normally. If a match does not occur, the route map does not continue and falls through to the next sequence number, if one exists.

Set a Clause with a Continue Clause
If the route-map entry contains sets with the continue clause, the set actions are performed first, followed by the continue clause jump to the specified route map entry.
BGP Regular Expression Optimization
The Dell Networking OS optimizes processing time when using regular expressions by caching and reusing regular expression evaluated results, at the expense of some memory in the RP1 processor. BGP policies that contain regular expressions to match against as-paths and communities might take a lot of CPU processing time and thus affect BGP routing convergence.
To disable a specific debug command, use the keyword no followed by the debug command. For example, to disable debugging of BGP updates, use the no debug ip bgp updates command. To disable all BGP debugging, use the no debug ip bgp command. To disable all debugging, use the undebug all command.

Storing Last and Bad PDUs
The system stores the last notification sent/received and the last bad protocol data unit (PDU) received on a per peer basis. The last bad PDU is the one that causes a notification to be issued.
Sample Configurations
The following example configurations show how to enable BGP and set up some peer groups. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes. The following illustration shows the configurations described in the following examples.
Example of Enabling BGP (Router 1)
Example of Enabling BGP (Router 2)
Example of Enabling BGP (Router 3)
Example of Enabling Peer Groups (Router 1)
Example of Enabling Peer Groups (Router 2)
Example of Enabling Peer Groups (Router 3)

R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int gig 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.
Neighbor        AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.2   99    4        5        4       0    0     00:00:32  1
192.168.128.3   100   5        4        1       0    0     00:00:09  4
R1#

R2# conf
R2(conf)#int loop 0
R2(conf-if-lo-0)#ip address 192.168.128.2/24
R2(conf-if-lo-0)#no shutdown
R2(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.2/24
 no shutdown
R2(conf-if-lo-0)#int gig 2/11
R2(conf-if-gi-2/11)#ip address 10.0.1.
2 neighbor(s) using 9216 bytes of memory
Neighbor        AS    MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/Pfx
192.168.128.1   99    40       35       1       0    0     00:01:05  1
192.168.128.3   100   4        4        1       0    0     00:00:16  1
R2#

R3# conf
R3(conf)#
R3(conf)#int loop 0
R3(conf-if-lo-0)#ip address 192.168.128.3/24
R3(conf-if-lo-0)#no shutdown
R3(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.3/24
 no shutdown
R3(conf-if-lo-0)#int gig 3/11
R3(conf-if-gi-3/11)#ip address 10.0.3.
BGP-RIB over all using 207 bytes of memory 2 BGP path attribute entrie(s) using 128 bytes of 2 BGP AS-PATH entrie(s) using 90 bytes of memory 2 neighbor(s) using 9216 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ 192.168.128.1 99 24 25 1 0 0 192.168.128.2 99 14 14 1 0 0 R3# memory Up/Down State/Pfx 00:14:20 1 00:10:22 1 R1#conf R1(conf)#router bgp 99 R1(conf-router_bgp)# network 192.168.128.
19 keepalives, 0 route refresh requests Minimum time between advertisement runs is 5 seconds Minimum time before advertisements start is 0 seconds Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 1, n
R2(conf-router_bgp)# neighbor BBB peer-group
R2(conf-router_bgp)# neighbor BBB no shutdown
R2(conf-router_bgp)# neighbor 192.168.128.1 peer AAA
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown
R3(conf-router_bgp)#
R3(conf-router_bgp)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.
CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 6; dropped 5 Last reset 00:12:01, due to Closed by neighbor Notification History 'HOLD error/Timer expired' Sent : 1 Recv: 0 'Connection Reset' Sent : 2 Recv: 2 Last notification (len 21) received
10 Content Addressable Memory (CAM)
Content addressable memory (CAM) is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.
CAM Allocation
Allocate space for IPv4 ACLs and quality of service (QoS) regions by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks.
You must save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings to take effect.
1. Select a cam-acl action.
CONFIGURATION mode
cam-acl [default | l2acl]
NOTE: Selecting default resets the CAM entries to the default settings. Select l2acl to allocate space for the ACLs and QoS regions.
2. Enter the number of FP blocks for each region.
-- Chassis Cam ACL --
Current Settings(in block sizes)
L2Acl : 6
Ipv4Acl : 2
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 2
-- Stack unit 5 --
Current Settings(in block sizes)
L2Acl : 6
Ipv4Acl : 2
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 2
Dell#
CAM Optimization
When you enable this command, if a Policy Map containing classification rules (ACL and/or dsc
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) is supported on the MXL switch. CoPP uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 26. CoPP Implemented Versus CoPP Not Implemented
Configure Control Plane Policing
The MXL switch can process a maximum of 4200 PPS (packets per second). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though Per Protocol CoPP is applied. This happens because Queue-Based Rate Limiting is applied first.
CoPP policies are assigned on a per-protocol or a per-queue basis, and are assigned in CONTROLPLANE mode to each port-pipe. CoPP policies are configured by creating extended ACL rules and specifying rate-limits through QoS policies. The ACLs and QoS policies are assigned as service-policies. Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP.
service-policy rate-limit-protocols Example of Creating the IP/IPv6/MAC Extended ACL Example of Creating the QoS Input Policy Example of Creating the QoS Class Map Example of Matching the QoS Class Map to the QoS Policy Example of Creating the Control Plane Service Policy Dell(conf)#ip access-list extended ospf cpu-qos Dell(conf-ip-acl-cpuqos)#permit ospf Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#ip access-list extended bgp cpu-qos Dell(conf-ip-acl-cpuqos)#permit bgp Dell(conf-ip-acl-cpuqos)#exit Dell(conf)#
Dell(conf-policy-map-in-cpuqos)#class-map class_lacp qos-policy rate_limit_200k
Dell(conf-policy-map-in-cpuqos)#class-map class-ipv6 qos-policy rate_limit_200k
Dell(conf-policy-map-in-cpuqos)#exit
Dell(conf)#control-plane-cpuqos
Dell(conf-control-cpuqos)#service-policy rate-limit-protocols egressFP_rate_policy
Dell(conf-control-cpuqos)#exit
Configuring CoPP for CPU Queues
Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies.
Dell(conf-qos-policy-in)#service-queue 6 qos-policy cpuq_2
Dell(conf-qos-policy-in)#service-queue 7 qos-policy cpuq_1
Dell#conf
Dell(conf)#control-plane
Dell(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy
Show Commands
The following section describes the CoPP show commands. To view the rates for each queue, use the show cpu-queue rate cp command.
------- -------------------------- ----- ------ ----------
ARP     any                    0x0806   Q5/Q6   CP   _
FRRP    01:01:e8:00:00:10/11   any      Q7      CP   _
LACP    01:80:c2:00:00:02      0x8809   Q7      CP   _
LLDP    any                    0x88cc   Q7      CP   _
GVRP    01:80:c2:00:00:21      any      Q7      CP   _
STP     01:80:c2:00:00:00      any      Q7      CP   _
ISIS    01:80:c2:00:00:14/15   any      Q7      CP   _
        09:00:2b:00:00:04/05   any      Q7      CP
Dell#
To view the queue mapping for IPv6 protocols, use the show ipv6 protocol-queue-mapping command.
12 Data Center Bridging (DCB)
Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch.
Ethernet Enhancements in Data Center Bridging
The following section describes DCB. DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic.
• 802.1Qbb — Priority-based Flow Control (PFC)
• 802.1Qaz — Enhanced Transmission Selection (ETS)
• 802.1Qau — Congestion Notification
• Data Center Bridging Exchange (DCBx) protocol
NOTE: In the Dell Networking OS version 8.3.12.0, only the PFC, ETS, and DCBx features are supported in data center bridging.
link-level flow control mechanism on the interface, DCBX negotiation with a peer is not performed.
– If the negotiation fails and PFC is enabled on the port, any user-configured PFC input policies are applied. If no PFC input policy has been previously applied, the PFC default setting is used (no priorities configured). If you do not enable PFC on an interface, you can enable the 802.3x link-level pause function. By default, the link-level pause is disabled.
Table 9. ETS Traffic Groupings Traffic Groupings Description Priority group A group of 802.1p priorities used for bandwidth allocation and queue scheduling. All 802.1p priority traffic in a group must have the same traffic handling requirements for latency and frame loss. Group ID A 4-bit identifier assigned to each priority group. The range is from 0 to 7. Group bandwidth Percentage of available bandwidth allocated to a priority group.
Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 29. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging Data center bridging is enabled by default on an MXL 10/40GbE Switch to support converged enhanced Ethernet (CEE) in a data center network.
CONFIGURATION mode no dcb enable 2. Re-enable DCB. CONFIGURATION mode dcb enable NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. After you disable DCB, if link-level flow control is not automatically enabled on an interface, to enable flow control, manually shut down the interface (the shutdown command) and re-enable it (the no shutdown command).
dot1p Value in the Incoming Frame    Egress Queue Assignment
5                                    3
6                                    3
7                                    3
NOTE: If you reconfigure the global dot1p-queue mapping, an automatic re-election of the DCBX configuration source port is performed (refer to Configuration Source Election).
Configuring Priority-Based Flow Control
PFC provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB.
Enter the 802.1p values of the frames to be paused. The range is from 0 to 7. The default is none. Maximum number of lossless queues supported on the switch: 2. Separate priority values with a comma. Specify a priority range with a dash, for example: pfc priority 1,3,5-7.
4. Enable the PFC configuration on the port so that the priorities are included in DCBx negotiation with peer PFC devices.
DCB INPUT POLICY mode
pfc mode on
The default: PFC mode is on.
5.
You can enable any number of 802.1p priorities for PFC. Queues to which PFC priority traffic is mapped are lossless by default. Traffic may be interrupted due to an interface flap (going down and coming up) when you reconfigure the lossless queues for no-drop priorities in a PFC input policy and reapply the policy to an interface. To apply PFC, a PFC peer must support the configured priority traffic (as detected by DCBx).
interface type slot/port 2. Configure the port queues that will still function as no-drop queues for lossless traffic. INTERFACE mode pfc no-drop queues queue-range For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table. The maximum number of lossless queues globally supported on the switch is four. The range is from 0 to 3. Separate the queue values with a comma; specify a priority range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3.
Dell Networking OS Behavior: If you configure PFC on a 40GbE port, count the 40GbE port as four PFC-enabled ports in the pfc-port number you enter in the command syntax. To achieve lossless PFC operation, the PFC port count and queue number used for the reserved buffer size that is created must be greater than or equal to the buffer size required for PFC-enabled ports and lossless queues on the switch.
• in the QoS output policy takes into account the bandwidth allocation or queue scheduler configured in the ETS output policy. You can use a QoS ETS output policy only in association with a priority group in a DCB output policy; it cannot be applied to an interface as a normal QoS output policy (refer to Applying an ETS Output Policy for a Priority Group to an Interface and Creating an Output QoS Policy in the Quality of Service (QoS) chapter). NOTE: The IEEE 802.
The Dell Networking OS supports hierarchical scheduling on an interface. The system control traffic is redirected to control queues as higher priority traffic with strict-priority scheduling. After control queues drain out, the remaining data traffic is scheduled to queues according to the bandwidth and scheduler configuration in the ETS output policy. The available bandwidth (that the ETS algorithm calculates) is equal to the link bandwidth after scheduling non-ETS higher-priority traffic.
set-pgid value The range is from 0 to 7. The default is none. 3. Configure the 802.1p priorities for the traffic on which you want to apply an ETS output policy. PRIORITY-GROUP mode priority-list value The range is from 0 to 7. The default is none. Separate priority values with a comma. Specify a priority range with a dash. For example, priority-list 3,5-7. 4. Exit priority-group configuration mode. PRIORITY-GROUP mode exit 5.
The maximum is 32 alphanumeric characters. 2. Enable the ETS configuration so that scheduling and bandwidth allocation configured in an ETS output policy or received in a DCBx TLV from a peer can take effect on an interface. DCB OUTPUT POLICY mode ets mode on The default: ETS mode is on. 3. Associate the 802.1p priority traffic in a priority group with the ETS configuration in a QoS output policy. DCB OUTPUT POLICY mode priority-group group-name qos-policy ets-policy-name 4.
configured at the interface or global level and in an output policy map (the service-policy output command), the QoS configuration in the output policy takes precedence. When you apply a DCB output policy with ETS bandwidth allocation to an egress interface which uses default ETS settings, the configured bandwidth allocation may not be applied to dot1p priority traffic in the specified priority group.
ETS Operation with DCBx
The following section describes DCBx negotiation with peer ETS devices.
To create a QoS output policy that allocates different amounts of bandwidth to the different traffic types/dot1p priorities assigned to a queue and apply the output policy to the interface, follow these steps.
1. Create a QoS output policy.
CONFIGURATION mode
qos-policy-output output-policy-name
The maximum is 32 alphanumeric characters.
2. Configure the percentage of bandwidth to allocate to the dot1p priority/queue traffic in the associated L2 class map.
Dell Networking Behavior: A dcb-policy input stack-unit all command overwrites any previous dcb-policy input stack-unit stack-unit-id configurations. Similarly, a dcb-policy input stack-unit stack-unit-id command overwrites any previous dcb-policy input stack-unit all configuration. Entering the no dcb-policy input stack-unit all command removes all DCB input policies applied to stacked ports and resets PFC to its default settings.
DCBx Operation DCBx performs the following operations: • Discovers DCB configuration (such as PFC and ETS) in a peer device. • Detects DCB mis-configuration in a peer device; that is, when DCB features are not compatibly configured on a peer device and the local switch. Mis-configuration detection is feature-specific because some DCB features support asymmetric configuration.
When an auto-downstream port receives and overwrites its configuration with internally propagated information, one of the following actions is taken: • If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
NOTE: On a DCBx port, application priority TLV advertisements are handled as follows: • The application priority TLV is transmitted only if the priorities in the advertisement match the configured PFC priorities on the port. • On auto-upstream and auto-downstream ports: – If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port.
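The application priority rule in the NOTE above can be checked offline against values read from the switch. The following Python sketch is an added example, not Dell code: it decodes fcoe/iscsi priority-bits bitmaps, expands a pfc priority list, and reports applications whose advertised priority is not a configured PFC priority or differs from the peer's map. Assumptions: bit n of a bitmap means dot1p priority n (consistent with the defaults 0x8 and 0x10 given later in this chapter), "match" means every advertised priority is a PFC priority, and the function names and port record are hypothetical.

```python
def parse_priority_list(spec):
    """Expand a 'pfc priority' style list such as '1,3,5-7' into a set of dot1p values."""
    priorities = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError(f"empty element in {spec!r}")
        low, dash, high = part.partition("-")
        start = int(low)                      # ValueError on non-numeric input
        end = int(high) if dash else start
        if not 0 <= start <= end <= 7:
            raise ValueError(f"dot1p priorities must be 0-7 and ascending: {part!r}")
        priorities.update(range(start, end + 1))
    return priorities


def bitmap_to_priorities(bitmap):
    """Decode a priority-bits bitmap (assumption: bit n set means dot1p priority n)."""
    if not 0x1 <= bitmap <= 0xFF:
        raise ValueError("priority-bitmap range is from 1 to FF")
    return {bit for bit in range(8) if bitmap & (1 << bit)}


def audit_port(record):
    """Return (application, finding, priorities) tuples for one port record.

    tlv-not-sent : a locally advertised priority is not a configured PFC priority,
                   so the application priority TLV would not be transmitted.
    peer-mismatch: the peer maps the application to different priorities.
    """
    pfc = parse_priority_list(record["pfc_priority"])
    findings = []
    for app in sorted(record["local"]):
        local = bitmap_to_priorities(record["local"][app])
        outside_pfc = sorted(local - pfc)
        if outside_pfc:
            findings.append((app, "tlv-not-sent", outside_pfc))
        remote_bitmap = record["remote"].get(app)
        if remote_bitmap is not None:
            remote = bitmap_to_priorities(remote_bitmap)
            if remote != local:
                findings.append((app, "peer-mismatch", sorted(remote ^ local)))
    return findings


# Constructed port record. The bitmaps are the Local/Remote PriorityMap values
# shown in this chapter's show output; the PFC priority list is made up.
SAMPLE_PORT = {
    "port": "TenGigabitEthernet 0/49",
    "pfc_priority": "3",
    "local": {"fcoe": 0x8, "iscsi": 0x10},
    "remote": {"fcoe": 0x8, "iscsi": 0x8},
}

if __name__ == "__main__":
    for app, finding, priorities in audit_port(SAMPLE_PORT):
        print(f"{SAMPLE_PORT['port']}: {app}: {finding}: priorities {priorities}")
```

With the sample record, FCoE is clean, while iSCSI is flagged twice: priority 4 is not a PFC priority on the port, and the peer advertises priority 3 instead.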
A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports. Ports receiving auto-configuration information from the configuration source ignore their current settings and use the configuration source information. Propagation of DCB Information When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port acts as a DCBx client and checks if a DCBx configuration source exists on the switch.
DCBx Example The following figure shows how DCBX is used on an MXL Switch installed in a PowerEdge M1000e chassis in which servers are also installed. The external 40GbE ports on the base module (ports 33 and 37) of two switches are used for uplinks configured as DCBx auto-upstream ports. The MXL switch is connected to third-party, top-of-rack (ToR) switches through 40GbE uplinks. The ToR switches are part of a Fibre Channel storage network.
DCBx Prerequisites and Restrictions The following prerequisites and restrictions apply when you configure DCBx operation on a port: • For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
• auto-downstream: configures the port to accept the internally propagated DCB configuration from a configuration source. • config-source: configures the port to serve as the configuration source on the switch. • manual: configures the port to operate only on administer-configured DCB parameters. The port does not accept a DCB configuration received from a peer or a local configuration source. The default is Manual. 5. On manual ports only: Configure the PFC and ETS TLVs advertised to DCBx peers.
CONFIGURATION mode
[no] protocol lldp
3. Configure the DCBx version used on all interfaces not already configured to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx version {auto | cee | cin | ieee-v2.5}
• auto: configures all ports to operate using the DCBx version received from a peer.
• cee: configures a port to use CEE (Intel 1.01).
• cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
• ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
PROTOCOL LLDP mode [no] fcoe priority-bits priority-bitmap The priority-bitmap range is from 1 to FF. The default is 0x8. 7. Configure the iSCSI priority advertised for the iSCSI protocol in Application Priority TLVs. PROTOCOL LLDP mode [no] iscsi priority-bits priority-bitmap The priority-bitmap range is from 1 to FF. The default is 0x10. DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs.
– mgmt: enables traces for DCBx management frames. – resource: enables traces for DCBx system resource frames. – sem: enables traces for the DCBx state machine. – tlv: enables traces for DCBx TLVs. Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 10. Displaying DCB Configurations Command Output show dot1p-queue mapping Displays the current 802.1p priority-queue mapping.
Example of the show dot1p-queue mapping Command Example of the show dcb Command Example of the show qos dcb-input Command Example of the show qos dcb-output Command Example of the show qos priority-groups Command Example of the show interfaces pfc summary Command Example of the show interface pfc statistics Command Example of the show interface ets summary Command Example of the show interface ets detail Command Example of the show stack-unit all stack-ports all pfc details Command Example of the show stack
Oper status is Recommended PFC DCBx Oper status is Up State Machine Type is Feature TLV Tx Status is enabled PFC Link Delay 45556 pause quantams Application Priority TLV Parameters : -------------------------------------FCOE TLV Tx Status is disabled ISCSI TLV Tx Status is disabled Local FCOE PriorityMap is 0x8 Local ISCSI PriorityMap is 0x10 Remote FCOE PriorityMap is 0x8 Remote ISCSI PriorityMap is 0x8 Dell# show interfaces tengigabitethernet 0/49 pfc detail Interface TenGigabitEthernet 0/49 Admin mode is
Fields Description Local is enabled DCBx operational status (enabled or disabled) with a list of the configured PFC priorities Operational status (local port) DCBx operational status (enabled or disabled) with a list of the configured PFC priorities. Port state for current operational PFC configuration: • Init: Local PFC configuration parameters were exchanged with peer. • Recommend: Remote PFC configuration parameters were received from peer.
Fields Description PFC TLV Statistics: Output TLV pkts Number of PFC TLVs transmitted. PFC TLV Statistics: Error pkts Number of PFC error packets received. PFC TLV Statistics: Pause Tx pkts Number of PFC pause frames transmitted.
2 0% ETS
3 0% ETS
4 0% ETS
5 0% ETS
6 0% ETS
7 0% ETS
Priority# Bandwidth TSA
0 13% ETS
1 13% ETS
2 13% ETS
3 13% ETS
4 12% ETS
5 12% ETS
6 12% ETS
7 12% ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts
The following table describes the show interface ets detail command fields.
1 0% ETS
2 0% ETS
3 0% ETS
4 0% ETS
5 0% ETS
6 0% ETS
7 0% ETS
Priority# Bandwidth TSA
0 13% ETS
1 13% ETS
2 13% ETS
3 13% ETS
4 12% ETS
5 12% ETS
6 12% ETS
7 12% ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts
Table 12.
Field Description • • • Init: Local ETS configuration parameters were exchanged with peer. Recommend: Remote ETS configuration parameters were received from peer. Internally propagated: ETS configuration parameters were received from configuration source. ETS DCBx Oper status Operational status of ETS configuration on local port: match or mismatch.
6 7 8 - - Stack unit 1 stack port all Max Supported TC Groups is 4 Number of Traffic Classes is 1 Admin mode is on Admin Parameters: -------------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3,4,5,6,7 100% ETS 1 2 3 4 5 6 7 8 Dell(conf)# show interface tengigabitethernet 0/49 dcbx detail Dell#show interface te 0/49 dcbx detail E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled R-ETS Recommendation TLV enabled r-ETS Recommendati
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 13. show interface DCBx detail Command Description
Field        Description
Interface    Interface type with chassis slot and port number.
Port-Role    Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
Field Description Peer DCBx Status: Sequence Number Sequence number transmitted in Control TLVs received from peer device. Peer DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs received from peer device. Total DCBx Frames transmitted Number of DCBx frames sent from local port. Total DCBx Frames received Number of DCBx frames received from remote peer port. Total DCBx Frame errors Number of DCBx frames with errors received.
Figure 31. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in Incoming Frame    Queue Assignment
3                                1
4                                2
5                                3
6                                3
7                                3
The following describes the dot1p-priority class group assignment.
dot1p Value in the Incoming Frame    Priority Group Assignment
0                                    LAN
1                                    LAN
2                                    LAN
3                                    SAN
4                                    IPC
5                                    LAN
6                                    LAN
7                                    LAN
The following describes the priority group-bandwidth assignment.
Example of Configuring QoS Priority-Queue Assignment to Honor Dot1p Priorities Example of Configuring a DCB Input Policy to Apply PFC to Lossless SAN Priority Traffic Example of Configuring an ETS Priority Group Example of Configuring an ETS Output Policy for Egress Traffic Example of Configuring a DCB Output Policy to Apply ETS (Bandwidth Allocation and Scheduling) to IPC, SAN, and LAN Priority Traffic Example of Applying DCB Input and Output Policies to an Interface Example of Configuring a QoS Output Pol
Dell(conf)# qos-policy-output lan-q0
Dell(conf-qos-policy-out)# bandwidth-percentage 20
Dell(conf-qos-policy-out)# exit
Dell(conf)# qos-policy-output lan-q3
Dell(conf-qos-policy-out)# bandwidth-percentage 70
Dell(conf-qos-policy-out)# exit
Dell(conf)# policy-map-output ets-queues
Dell(conf-policy-map-out)# service-queue 0 qos-policy lan-q0
Dell(conf-policy-map-out)# service-queue 3 qos-policy lan-q3
Dell(conf-if-te-0/1)# service-policy output ets-queues
Using PFC and
mapped to one queue takes precedence over the strict priority group whose traffic is mapped to two queues. Therefore, in this example, scheduling traffic to priority group 1 (mapped to one strict-priority queue) takes precedence over scheduling traffic to priority group 3 (mapped to two strict-priority queues).
Step Task Command Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
Step Task Command Command Mode already configured for lossless queues (pfc no-drop queues command). Configuring PFC without a DCB Map In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic.
• If you configure lossless queues on an interface that already has a DCB map with PFC enabled (pfc on), an error message is displayed.
Step    Task    Command    Command Mode
1    Enter INTERFACE Configuration mode.    interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port}    CONFIGURATION
2    Open a DCB map and enter DCB map configuration mode.    dcb-map name    INTERFACE
3    Disable PFC.    no pfc mode on    DCB MAP
4    Return to interface configuration mode.
congestion eases and reduces. The time period that is specified in the pause frame defines the duration for which the flow of data packets is halted. When the time period elapses, the transmission restarts. When a device sends a pause frame to another device, the time for which the sending of packets from the other device must be stopped is contained in the pause frame. The device that sent the pause frame empties the buffer to be less than the threshold value and restarts the acceptance of data packets.
Interworking of DCB Map With DCB Buffer Threshold Settings
The dcb-input and dcb-output configuration commands are deprecated. You must use the dcb-map command to create a DCB map to configure priority flow control (PFC) and enhanced transmission selection (ETS) on Ethernet ports that support converged Ethernet traffic. Configure the dcb-buffer-threshold command and its related parameters only on ports with either auto configuration or dcb-map configuration.
CONFIGURATION mode S6000-109-Dell(conf)#dcb enable 2. Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported. CONFIGURATION mode S6000-109-Dell(conf)#dcb pfc-shared-buffer-size 4000 S6000-109-Dell(conf)#dcb pfc-total-buffer-size 5000 3. Configure the number of PFC queues. CONFIGURATION mode Dell(conf)#dcb enable pfc-queues 4 The number of ports supported based on lossless queues configured will depend on the buffer.
13 Debugging and Diagnostics
This chapter describes debugging and diagnostics for the MXL switch.
Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
NOTE: The system reboots when the offline diagnostics complete. This is an automatic process. The following warning message appears when you implement the offline stack-unit command:
Warning - Diagnostic execution will cause stack-unit to reboot after completion of diags.
Proceed with Offline-Diags [confirm yes/no]:y
Dell#offline stack-unit 0
Warning - offline of unit will bring down all the protocols and the unit will be operationally down, except for running Diagnostics.
Proceed with Diags [confirm yes/no]: yes FTOS#Dec 15 04:14:07: %MXL-10/40GbE:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 0 00:12:10 : System may take additional time for Driver Init. 00:12:10 : Approximate time to complete the Diags ... 6 Mins 00:13:53 : Diagnostic test results are stored on file: flash:/TestReportSU-0.txt Diags completed... Rebooting the system now!!! Dec 15 04:15:54: %MXL-10/40GbE:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 0 syncing disks...
Test 11 - CPLD Presence Test ........................................
Test 12 - Flash Access Test .........................................
Test 13 - Board Revision Test .......................................
Test 14 - MGMT PHY Presence Test ....................................
Test 15.000 - Optional Module Type Test .............................
Test 15.001 - Optional Module Type Test .............................
Test 15 - Optional Module Type Test .................................
Using the Show Hardware Commands
The show hardware command tree consists of commands used with the MXL switch. These commands display information from a hardware sub-component and from hardware-based feature tables.
NOTE: Use the show hardware commands only under the guidance of the Dell Technical Assistance Center.
• View internal interface status of the stack-unit CPU port which connects to the external management interface.
• View the input and output statistics for a stack-port interface.
EXEC Privilege mode
show hardware stack-unit {0-5} stack-port {33–56}
• View the counters in the field processors of the stack unit.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} counters
• View the details of the FP Devices and Hi gig ports on the stack-unit.
EXEC Privilege mode
show hardware stack-unit {0-5} unit {0-0} details
• Execute a specified bShell command from the CLI without going into the bShell.
SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP SFP 49 49 49 49 49 49 49 49 49 49 49 49 49 49 Length(9um) 100m Length(50um) 10m Length(62.
When the system detects a genuine over-temperature condition, it powers off the card. To recognize this condition, look for the following system messages: CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature high (temperature reaches or exceeds threshold of [value]C) CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is [value]C; approaching shutdown threshold of [value]C To view the programmed alarm thresholds levels, including the shutdown value, use the show alarms threshold command.
Recognize an Under-Voltage Condition If the system detects an under-voltage condition, it sends an alarm. To recognize this condition, look for the following system message: %CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - auto-shutdown due to under voltage. This message indicates that the specified card is not receiving enough power. In response, the system first shuts down Power over Ethernet (PoE).
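The over-temperature and under-voltage messages quoted above can be watched for in collected syslog. The following Python sketch is an added example, not Dell code: it picks the three CHMGR messages named in this section out of log lines, reads the severity digit from the message tag, and orders the events so that card shutdowns and the smallest margin to the shutdown threshold come first. The sample lines, their timestamps and temperature values are constructed, and treating the digit in the tag as the syslog severity (lower is more severe) is an assumption.

```python
import re

# Tag layout as it appears in the messages on this page: [%]FACILITY-SEVERITY-MNEMONIC:
TAG = re.compile(
    r"%?\b(?P<facility>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
WATCHED = {"MAJOR_TEMP", "TEMP_SHUTDOWN_WARN", "CARD_SHUTDOWN"}


def parse_event(line):
    """Return a dict for a watched CHMGR alarm line, or None for anything else."""
    match = TAG.search(line)
    if not match or match["facility"] != "CHMGR" or match["mnemonic"] not in WATCHED:
        return None
    event = {"mnemonic": match["mnemonic"], "severity": int(match["sev"])}
    text = match["text"]
    temps = [int(value) for value in re.findall(r"(\d+)C\b", text)]
    if event["mnemonic"] == "TEMP_SHUTDOWN_WARN" and len(temps) == 2:
        # "temperature is <current>C; approaching shutdown threshold of <limit>C"
        event["margin_c"] = temps[1] - temps[0]
    elif event["mnemonic"] == "MAJOR_TEMP" and temps:
        event["threshold_c"] = temps[0]
    elif event["mnemonic"] == "CARD_SHUTDOWN":
        card = re.search(r"Line card (\d+) down", text)
        event["card"] = int(card.group(1)) if card else None
        event["under_voltage"] = "under voltage" in text
    return event


def triage(lines):
    """Most urgent first: lowest severity number, then smallest shutdown margin."""
    events = [event for event in map(parse_event, lines) if event]
    return sorted(events, key=lambda e: (e["severity"], e.get("margin_c", 99)))


# Constructed sample lines; temperatures and timestamps are made up.
SAMPLE_LINES = [
    "Dec 15 04:14:07: %MXL-10/40GbE:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 0",
    "Dec 15 04:20:01: %MXL-10/40GbE:0 %CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature "
    "high (temperature reaches or exceeds threshold of 75C)",
    "Dec 15 04:21:30: %MXL-10/40GbE:0 %CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is "
    "83C; approaching shutdown threshold of 85C",
    "Dec 15 04:22:10: %MXL-10/40GbE:0 %CHMGR-1-CARD_SHUTDOWN: Major alarm: Line card 2 down - "
    "auto-shutdown due to under voltage.",
]

if __name__ == "__main__":
    for event in triage(SAMPLE_LINES):
        print(event)
```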
Buffer Tuning Buffer tuning allows you to modify the way your switch allocates buffers from its available memory and helps prevent packet drops during a temporary burst of traffic. The application-specific integrated circuit (ASICs) implement the key functions of queuing, feature lookups, and forwarding lookups in hardware.
Figure 32. Buffer Tuning Points Deciding to Tune Buffers Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is bursty (and coming from several interfaces). In this case: • Reduce the dedicated buffer on all queues/interfaces. • Increase the dynamic buffer on all interfaces.
BUFFER PROFILE mode
buffer dedicated
• Change the maximum number of dynamic buffers an interface can request.
BUFFER PROFILE mode
buffer dynamic
• Change the number of packet-pointers per queue.
BUFFER PROFILE mode
buffer packet-pointers
• Apply the buffer profile to a CSF to FP link.
Dell#show buffer-profile detail interface tengigabitethernet 0/1
Interface tengig 0/1
Buffer-profile
Dynamic buffer 194.88 (Kilobytes)
Queue#    Dedicated Buffer    Buffer Packets
          (Kilobytes)
0         2.50                256
1         2.50                256
2         2.50                256
3         2.50                256
4         9.38                256
5         9.38                256
6         9.38                256
7         9.
Using a Pre-Defined Buffer Profile
The Dell Networking OS provides two pre-defined buffer profiles, one for single-queue (for example, non-quality-of-service [QoS]) applications, and one for four-queue (for example, QoS) applications. You must reload the system for the global buffer profile to take effect; a message similar to the following displays:
% Info: For the global pre-defined buffer profile to take effect, please save the config and reload the system.
buffer fp-uplink stack-unit 0 port-set 0 buffer-policy fsqueue-hig
buffer fp-uplink stack-unit 0 port-set 1 buffer-policy fsqueue-hig
!
Interface range gi 0/1 - 48
 buffer-policy fsqueue-fp
Dell#sho run int gi 0/10
!
interface GigabitEthernet 0/10
 no ip address
Troubleshooting Packet Loss
The show hardware stack-unit command is intended primarily to troubleshoot packet loss. To troubleshoot packet loss, use the following commands.
1    0    0    0    0    0
2    0    0    0    0    0
3    0    0    0    0    0
4    0    0    0    0    0
5    0    0    0    0    0
6    0    0    0    0    0
7    0    0    0    0    0
8    0    0    0    0    0
Dell#show hardware stack-unit 0 drops unit 0 port 1
--- Ingress Drops ---
Ingress Drops            : 30
IBP CBP Full Drops       : 0
PortSTPnotFwd Drops      : 0
IPv4 L3 Discards         : 0
Policy Discards          : 0
Packets dropped by FP    : 14
(L2+L3) Drops            : 0
Port bitmap zero Drops   : 16
Rx VLAN Drops            : 0
--- Ingress MAC counters---
Ingress FCSDrops         : 0
Ingress MTUExceeds       : 0
--- MMU Drops ---
HOL DROPS                : 0
TxPurge CellErr          : 0
Aged Drops               : 0
-
dropped           :0
recvToNet         :0
rxError           :0
rxDatapathErr     :0
rxPkt(COS0)       :0
rxPkt(COS1)       :0
rxPkt(COS2)       :0
rxPkt(COS3)       :0
rxPkt(COS4)       :0
rxPkt(COS5)       :0
rxPkt(COS6)       :0
rxPkt(COS7)       :0
rxPkt(UNIT0)      :0
rxPkt(UNIT1)      :0
rxPkt(UNIT2)      :0
rxPkt(UNIT3)      :0
transmitted       :0
txRequested       :0
noTxDesc          :0
txError           :0
txReqTooLarge     :0
txInternalError   :0
txDatapathErr     :0
txPkt(COS0)       :0
txPkt(COS1)       :0
txPkt(COS2)       :0
txPkt(COS3)       :0
txPkt(COS4)       :0
txPkt(COS5)       :0
txPkt(COS6)       :0
txPkt(COS7)       :0
txPkt(UNIT0)      :0
The show hardware stack-unit cpu
34 over 255-byte pkts, 504838 over 511-byte pkts, 1009638 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 1649714 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 45 seconds): Input 00.00 Mbits/sec, 2 packets/sec, 0.00% of line-rate Output 00.06 Mbits/sec, 8 packets/sec, 0.
Mini Core Dumps The Dell Networking OS supports mini core dumps on the application and kernel crashes. The mini core dump applies to Master, Standby, and Member units. Application and kernel mini core dumps are always enabled. The mini core dumps contain the stack space and some other minimal information that you can use to debug a crash. These files are small files and are written into flash until space is exhausted. When the flash is full, the write process is stopped.
--------------------FREE MEMORY--------------
uvmexp.free = 0x2312
Enabling TCP Dumps
A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, FTP, SCP, or TFTP. The files saved on the flash are located in the flash://TCP_DUMP_DIR/Tcpdump_/ directory and labeled tcpdump_*.pcap.
14 Dynamic Host Configuration Protocol (DHCP)
The dynamic host configuration protocol (DHCP) is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option                Number and Description
Subnet Mask           Option 1
                      Specifies the client’s subnet mask.
Router                Option 3
                      Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server    Option 6
                      Specifies the domain name servers (DNSs) that are available to the client.
Domain Name           Option 15
                      Specifies the domain name that clients should use when resolving hostnames via DNS.
Option                Number and Description
                      Identifies a user-defined string used by the Relay Agent to forward DHCP client packets to a specific server.
L2 DHCP Snooping      Option 82
                      Specifies IP addresses for DHCP messages received from the client that are to be monitored to build a DHCP snooping database.
End                   Option 255
                      Signals the last option in the DHCP packet.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1.
Figure 34. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046. • IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking operating system (OS) uses access control lists (ACLs) internally to implement this feature and as such, you cannot apply ACLs to an interface which has IP source address validation.
Configure the System to be a DHCP Server
Configuring the system to be a DHCP server is supported on the MXL switch. A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. The following table lists the key responsibilities of DHCP servers.
Table 15.
3. Specify the range of IP addresses from which the DHCP server may assign addresses.
DHCP mode
network network/prefix-length
• network: the subnet address.
• prefix-length: specifies the number of bits used for the network portion of the address you specify. The prefix-length range is from 17 to 31.
4. Display the current pool configuration.
DHCP mode
show config
After an IP address is leased to a client, only that client may release the address.
• Specify an address lease time for the addresses in a pool.
DHCP
lease {days [hours] [minutes] | infinite}
The default is 24 hours.
Specifying a Default Gateway
The IP address of the default router should be on the same subnet as the client. To specify a default gateway, follow this step.
• Specify default gateway(s) for the clients on the subnet, in order of preference.
DHCP
default-router address
Enabling the DHCP Server
To set up the DHCP Server, you must first enable it.
Configure a Method of Hostname Resolution
Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS.
Using DNS for Address Resolution
A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses.
1. Create a domain.
DHCP
domain-name name
2. Specify in order of preference the DNS servers that are available to a DHCP client.
pool name
2. Specify the client IP address.
DHCP
host address
3. Specify the client hardware address.
DHCP
hardware-address hardware-address type
• hardware-address: the client MAC address.
• type: the protocol of the hardware platform. The default protocol is Ethernet.
Debugging the DHCP Server
To debug the DHCP server, use the following command.
• Display debug information for DHCP server.
shown in the following illustration. Specify multiple DHCP servers by using the ip helper-address dhcp-address command multiple times. When you configure the ip helper-address command, the system listens for DHCP broadcast messages on port 67. The system rewrites packets received from the client and forwards them via unicast to the DHCP servers; the system rewrites the destination IP address and writes its own address as the relay device.
Example of the show ip interface Command
Dell#show ip int tengig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
                  192.168.0.
Configuring the DHCP Client System This section describes how to configure and view an interface as a DHCP client to receive an IP address. Dell Networking OS Behavior: The ip address dhcp command enables DHCP server-assigned dynamic addresses on an interface. The setting persists after a switch reboot. To stop DHCP transactions and save the dynamically acquired IP address, use the shutdown command on the interface.
interface type slot/port 2. Acquire the IP address for an Ethernet interface from a DHCP network server. INTERFACE mode ip address dhcp Dynamically assigned IP addresses can be released without removing the DHCP client operation on the interface on a switch configured as a DHCP client. 3. Manually acquire a new IP address from the DHCP server by releasing a dynamically acquired IP address while retaining the DHCP client configuration on the interface.
====== Te 4/37 11:14 ========= 189.17.9.2/30 Renew Time ========== 09-05-2023 04:56 ========= ======== ====== ============== =========== 0.0.0.0 189.17.9.1 BOUND 06-12-2012 07:35 01-18-2038 Rebind Time ======== 11-06-2034 13:46 The following example shows the packet- and event-level debug messages displayed for the packet transmissions and state transitions on a DHCP client interface when you enable and disable a DHCP client.
Interface Te 0/1 :Transitioned to state STOPPED
May 27 15:55:22: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :DHCP IP RELEASED CMD sent to Dell in state STOPPED
Dell#renew dhcp int te 0/1
Dell#May 27 15:55:28: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :DHCP RENEW CMD Received in state STOPPED
May 27 15:55:31: %STKUNIT0-M:CP %DHCLIENT-5-DHCLIENT-LOG: DHCLIENT_DBG_EVT: Interface Te 0/1 :Transitioned to state SELECTING
May 27 15:55:31: %STKUNIT0
• Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output. • Management routes added by DHCP are automatically reinstalled if you configure a static IP route with the ip route command that replaces a management route added by the DHCP client. If you remove the statically configured IP route using the no ip route command, the management route is reinstalled.
DHCP Server A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from another DHCP server. Virtual Router Redundancy Protocol (VRRP) Do not enable the DHCP client on an interface and set the priority to 255 or assign the same DHCP interface IP address to a VRRP virtual group. Doing so guarantees that this router becomes the VRRP group owner.
To insert Option 82 into DHCP packets, follow this step.
• Insert Option 82 into DHCP packets.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
DHCP Snooping
DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.
CONFIGURATION mode
ip dhcp snooping
2. Specify ports connected to DHCP servers as trusted.
INTERFACE mode
ip dhcp snooping trust
3. Enable DHCP snooping on a VLAN.
CONFIGURATION mode
ip dhcp snooping vlan
Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
• Add a static entry in the binding table.
EXEC Privilege mode
ip dhcp snooping binding mac
Clearing the Binding Table
To clear the binding table, use the following command.
Snooping packets processed on L2 vlans : 0
DHCP Binding File Details
Invalid File                  : 0
Invalid Binding Entry         : 0
Binding Entry lease expired   : 0
Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Starting with the Dell Networking OS version 8.2.1.1, line cards maintain a list of snooped VLANs.
Broadcast An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC address, resulting in all clients broadcasting all internet-bound packets. MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which, traffic from the gateway is broadcast.
Internet Internet Dell# 10.1.1.253 10.1.1.254 - 00:00:4d:57:f8:e8 00:00:4d:69:e8:f2 Gi 0/3 Te 0/50 Vl 10 Vl 10 CP CP To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Enabling IP Source Address Validation IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table. A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using ARP spoofing, an attacker can assume a legitimate client’s identity and receive traffic addressed to it. Then the attacker can spoof the client’s IP address to interact with other clients.
4. Enable IP+MAC SAV.
INTERFACE mode
ip dhcp source-address-validation ipmac
The system creates an ACL entry for each IP+MAC address pair in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
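The relationship between trusted ports, the binding table, and the two SAV modes can be modelled in a few lines. This is an added example, not Dell Networking OS code: the class and function names are hypothetical, the scenario is constructed, and the rule that a DHCPRELEASE is honoured only from the port and MAC holding the lease is an assumption of the model.

```python
from dataclasses import dataclass

SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}  # sent only by DHCP servers


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    expires: int  # model clock, in seconds


class SnoopingSwitch:
    """Toy model: one binding table shared by DHCP snooping and SAV."""

    def __init__(self, trusted_ports, snooped_vlans):
        self.trusted = set(trusted_ports)   # ports that face DHCP servers
        self.vlans = set(snooped_vlans)     # VLANs with snooping enabled
        self.pending = {}                   # client MAC -> (port, vlan) of its request
        self.bindings = {}                  # leased IP -> Binding

    def dhcp(self, now, msg, port, vlan, mac, ip=None, lease=0):
        """Snoop one DHCP message; return 'forward' or 'drop'."""
        self.expire(now)
        if vlan not in self.vlans:
            return "forward"                # only snooped VLANs are policed
        if msg in SERVER_MESSAGES and port not in self.trusted:
            return "drop"                   # server traffic from an untrusted port
        if msg == "DHCPREQUEST":
            self.pending[mac] = (port, vlan)
        elif msg == "DHCPACK" and mac in self.pending:
            cport, cvlan = self.pending.pop(mac)
            self.bindings[ip] = Binding(ip, mac, cport, cvlan, now + lease)
        elif msg == "DHCPRELEASE":
            b = self.bindings.get(ip)
            # Assumption of this model: a release is honoured only from the
            # port and MAC that hold the lease.
            if b is None or (b.mac, b.port) != (mac, port):
                return "drop"
            del self.bindings[ip]
        return "forward"

    def expire(self, now):
        """Delete bindings whose lease has run out."""
        for ip in [i for i, b in self.bindings.items() if b.expires <= now]:
            del self.bindings[ip]

    def sav_permits(self, now, port, src_ip, src_mac, mode="ip"):
        """Source address validation for a data packet on an untrusted port."""
        self.expire(now)
        b = self.bindings.get(src_ip)
        if b is None or b.port != port:
            return False                    # no binding for this IP on this port
        return mode == "ip" or b.mac == src_mac


def demo():
    """Constructed scenario: client on Gi 0/3, server on Te 0/50, VLAN 10."""
    sw = SnoopingSwitch(trusted_ports={"Te 0/50"}, snooped_vlans={10})
    client, spoof = "00:00:4d:57:f8:e8", "00:00:4d:aa:bb:cc"
    out = {}
    out["request"] = sw.dhcp(0, "DHCPREQUEST", "Gi 0/3", 10, client)
    out["rogue_ack"] = sw.dhcp(1, "DHCPACK", "Gi 0/7", 10, client, "10.1.1.66", 3600)
    out["bindings_after_rogue"] = len(sw.bindings)
    out["server_ack"] = sw.dhcp(2, "DHCPACK", "Te 0/50", 10, client, "10.1.1.253", 3600)
    out["owner"] = sw.sav_permits(10, "Gi 0/3", "10.1.1.253", client, "ipmac")
    out["other_port"] = sw.sav_permits(10, "Gi 0/7", "10.1.1.253", client, "ip")
    out["spoofed_mac_ip_mode"] = sw.sav_permits(10, "Gi 0/3", "10.1.1.253", spoof, "ip")
    out["spoofed_mac_ipmac_mode"] = sw.sav_permits(10, "Gi 0/3", "10.1.1.253", spoof, "ipmac")
    out["forged_release"] = sw.dhcp(20, "DHCPRELEASE", "Gi 0/7", 10, spoof, "10.1.1.253")
    out["after_expiry"] = sw.sav_permits(3602, "Gi 0/3", "10.1.1.253", client, "ip")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```

The difference between the two modes shows in the spoofed-MAC case: IP-only SAV still forwards a packet that carries the leased IP from the right port, while IP+MAC SAV does not.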
15 Equal Cost Multi-Path (ECMP)
Equal cost multi-path (ECMP) is supported on the MXL switch platform.
ECMP for Flow-Based Affinity
ECMP for flow-based affinity is available on the MXL switch.
NOTE: IPv6 /128 routes having multiple paths do not form ECMPs. The /128 route is treated as a host entry and finds its place in the host table.
NOTE: Using XOR algorithms results in imbalanced loads across an ECMP/LAG when the number of members in said ECMP/LAG is a multiple of 4.
sent and an alarm event to be generated. When the deviation clears, another syslog is sent and a clear alarm event is generated. Link bundle utilization is calculated as the total bandwidth of all links divided by the total bytes-per-second of all links. Within each ECMP group, you can specify interfaces. If you enable monitoring for the ECMP group, the utilization calculation is performed when the utilization of the link-bundle (not a link within a bundle) exceeds 60%.
16 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on the MXL 10/40GbE switch. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FCoE transit is not supported on Fibre Channel interfaces.
Fibre Channel over Ethernet
FCoE provides a converged Ethernet network that allows the combination of storage-area network (SAN) and LAN traffic on a Layer 2 link by encapsulating Fibre Channel data into Ethernet frames.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF). The following table lists the FIP functions. Table 17.
Figure 37. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF. An Ethernet bridge that provides these functions is called a FIP snooping bridge (FSB).
FCoE-generated ACLs    These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows an MXL 10/40GbE switch used as a FIP snooping bridge in a converged Ethernet network. The top-of-rack (ToR) switch operates as an FCF for FCoE traffic. Converged LAN and SAN traffic is transmitted between the ToR switch and an MXL switch.
The following sections describe how to configure the FIP snooping feature on a switch that functions as a FIP snooping bridge so that it can perform the following functions: • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis. • To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value an FCF uses.
– The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature. Enabling the FCoE Transit Feature The following sections describe how to enable FCoE transit. NOTE: FCoE transit is disabled by default. To enable this feature, you must follow the Configuring FIP Snooping procedure. As soon as you enable the FCoE transit feature on a switch-bridge, existing VLAN-specific and FIP snooping configurations are applied.
Configure a Port for a Bridge-to-FCF Link If a port is directly connected to an FCF, configure the port mode as FCF. Initially, all FCoE traffic is blocked; only FIP frames are allowed to pass. FCoE traffic is allowed on the port only after a successful fabric login (FLOGI) request/response and confirmed use of the configured FC-MAP value for the VLAN. FLOGI and fabric discovery (FDISC) request/response packets are trapped to the CPU. They are forwarded after the necessary ACLs are installed.
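The login-gated filtering described above, modelled in Python as an added example (not Dell Networking OS code). It assumes the FC-BB-5 convention that a fabric-provided MAC address is the 24-bit FC-MAP followed by the 24-bit FC-ID; the class name, port names, MAC addresses and FC-ID are constructed for the illustration.

```python
FIP, FCOE = 0x8914, 0x8906  # EtherTypes of FIP and FCoE frames


def fpma(fc_map, fc_id):
    """Fabric-provided MAC address: 24-bit FC-MAP followed by the 24-bit FC-ID."""
    value = ((fc_map & 0xFFFFFF) << 24) | (fc_id & 0xFFFFFF)
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))


class FipSnoopingBridge:
    """Toy model of the per-VLAN filtering a FIP snooping bridge applies."""

    def __init__(self, vlan_fc_map, fcf_ports):
        self.fc_map = dict(vlan_fc_map)  # FCoE VLAN -> configured FC-MAP
        self.fcf_ports = set(fcf_ports)  # ports set to port-mode fcf
        self.pending = {}                # (vlan, ENode MAC) -> ENode port
        self.sessions = set()            # installed permit entries

    def flogi_request(self, vlan, port, enode_mac):
        """FIP FLOGI from an ENode: remember where the login started."""
        if vlan in self.fc_map and port not in self.fcf_ports:
            self.pending[(vlan, enode_mac)] = port
            return True
        return False

    def flogi_accept(self, vlan, port, fcf_mac, enode_mac, fc_id, granted_mac):
        """FIP FLOGI accept: install a session only if every check passes."""
        enode_port = self.pending.get((vlan, enode_mac))
        if enode_port is None or port not in self.fcf_ports:
            return False                 # unsolicited, or not from an FCF port
        if granted_mac != fpma(self.fc_map[vlan], fc_id):
            return False                 # MAC prefix is not this VLAN's FC-MAP
        del self.pending[(vlan, enode_mac)]
        self.sessions.add((vlan, enode_port, granted_mac, port, fcf_mac))
        return True

    def permits(self, vlan, port, ethertype, src, dst):
        """Decide whether a data-plane frame is forwarded."""
        if ethertype != FCOE:
            return True                  # FIP passes; LAN traffic is not policed here
        for s_vlan, e_port, vn_mac, f_port, f_mac in self.sessions:
            if s_vlan == vlan and (port, src, dst) in (
                (e_port, vn_mac, f_mac),   # ENode to FCF
                (f_port, f_mac, vn_mac),   # FCF to ENode
            ):
                return True
        return False                     # FCoE without a matching login is blocked


def demo():
    """Constructed scenario on FCoE VLAN 10 with FC-MAP 0x0EFC01."""
    fsb = FipSnoopingBridge({10: 0x0EFC01}, fcf_ports={"Fo 0/33"})
    enode, fcf, fc_id = "00:0a:00:00:00:01", "00:0b:00:00:00:01", 0x010203
    good = fpma(0x0EFC01, fc_id)         # MAC built from the configured FC-MAP
    wrong = fpma(0x0EFC00, fc_id)        # MAC granted under a different FC-MAP
    r = {}
    r["fip_before_login"] = fsb.permits(10, "Te 0/1", FIP, enode, fcf)
    r["fcoe_before_login"] = fsb.permits(10, "Te 0/1", FCOE, good, fcf)
    fsb.flogi_request(10, "Te 0/1", enode)
    r["accept_wrong_fc_map"] = fsb.flogi_accept(10, "Fo 0/33", fcf, enode, fc_id, wrong)
    r["accept_from_enode_port"] = fsb.flogi_accept(10, "Te 0/2", fcf, enode, fc_id, good)
    r["accept_valid"] = fsb.flogi_accept(10, "Fo 0/33", fcf, enode, fc_id, good)
    r["fcoe_enode_to_fcf"] = fsb.permits(10, "Te 0/1", FCOE, good, fcf)
    r["fcoe_fcf_to_enode"] = fsb.permits(10, "Fo 0/33", FCOE, fcf, good)
    r["fcoe_same_mac_other_port"] = fsb.permits(10, "Te 0/2", FCOE, good, fcf)
    return r


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} {result}")
```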
For VLAN membership, you must: • create the VLANs on the switch which handles FCoE traffic (use the interface vlan command). • configure each FIP snooping port to operate in Hybrid mode so that it accepts both tagged and untagged VLAN frames (use the portmode hybrid command). • configure tagged VLAN membership on each FIP snooping port that sends and receives FCoE traffic and has links with an FCF, ENode server, or another FIP snooping bridge (use the tagged port-type slot/port command).
By default, a port is configured for bridge-to-ENode links.
5. Configure the port for bridge-to-FCF links.
INTERFACE or CONFIGURATION mode
fip-snooping port-mode fcf
NOTE: To disable the FIP snooping feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fip-snooping or no fip-snooping enable.
Displaying FIP Snooping Information
Use the following show commands to display information on FIP snooping.
Table 19.
Command Output number of FCoE VLANs, FCFs, ENodes, and currently active sessions. Displays information on the FCoE VLANs on which FIP snooping is enabled.
Field                Description
Port WWPN            Worldwide port name of the CNA port.
Port WWNN            Worldwide node name of the CNA port.
Field                Description
ENode Interface      Slot/number of the interface connected to the ENode.
FKA_ADV_PERIOD       Period of time (in milliseconds) during which FIP keep-alive advertisements are transmitted.
No of ENodes         Number of ENodes connected to the FCF.
FC-ID                Fibre Channel session ID assigned by the FCF.
Number of Vlan Notifications
Number of Multicast Discovery Solicits
Number of Unicast Discovery Solicits
Number of FLOGI
Number of FDISC
Number of FLOGO
Number of Enode Keep Alive
Number of VN Port Keep Alive
Number of Multicast Discovery Advertisement
Number of Unicast Discovery Advertisement
Number of FLOGI Accepts
Number of FLOGI Rejects
Number of FDISC Accepts
Number of FDISC Rejects
Number of FLOGO Accepts
Number of FLOGO Rejects
Number of CVL
Number of FCF Discovery Timeouts
Number of VN P
Field                      Description
Number of FLOGI Accepts    Number of FIP FLOGI accept frames received on the interface.
Number of FLOGI Rejects    Number of FIP FLOGI reject frames received on the interface.
Number of FDISC Accepts    Number of FIP FDISC accept frames received on the interface.
Number of FDISC Rejects    Number of FIP FDISC reject frames received on the interface.
Number of FLOGO Accepts    Number of FIP FLOGO accept frames received on the interface.
Figure 39. FIP Snooping on an MXL 10/40GbE Switch Configuration Example • A server-facing port is configured for DCBx in an auto-downstream role. • An FCF-facing port is configured for DCBx in an auto-upstream or configuration-source role. The DCBx configuration on the FCF-facing port is detected by the server-facing port and the DCB PFC configuration on both ports is synchronized. For more information about how to configure DCBx and PFC on a port, refer to the Data Center Bridging (DCB) chapter.
Example of Enabling the FIP Snooping Feature on the Switch (FIP Snooping Bridge)
Example of Enabling FIP Snooping on the FCoE VLAN
Example of Enabling an FC-MAP Value on a VLAN
Example of Configuring the ENode Server-Facing Port
Example of Configuring the FCF-Facing Port
Example of Configuring FIP Snooping Ports as Tagged Members of the FCoE VLAN
Dell(conf)# feature fip-snooping
Dell(conf)# interface vlan 10
Dell(conf-if-vl-10)# fip-snooping enable
Dell(conf-if-vl-10)# fip-snooping fc-map 0x0EFC01
NOTE: Con
17 FIPS Cryptography
Federal information processing standard (FIPS) cryptography is supported on the MXL switch platform. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce.
– If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command. NOTE: Under certain unusual circumstances, it is possible for the fips enable command to indicate a failure. • This failure occurs if any of the self-tests fail when you enable FIPS mode. • This failure occurs if there were existing SSH/Telnet sessions that could not be closed successfully in a reasonable amount of time.
-- Unit 0 --
Unit Type         : Management Unit
Status            : online
Next Boot         : online
Required Type     : XML - 52-port GE/TE/FG (SE)
Current Type      : XML - 52-port GE/TE/FG (SE)
Master priority   : 0
Hardware Rev      : 3.0
Num Ports         : 64
Up Time           : 7 hr, 3 min
Dell Version      : XML-8-3-7-1061
Jumbo Capable     : yes
POE Capable       : no
FIPS Mode         : enabled
Burned In MAC     : 00:01:e8:8a:ff:0c
No Of MACs        : 3
...
Disabling FIPS Mode
The following describes disabling FIPS mode.
18 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
Figure 40. Normal Operating FRRP Topology A virtual LAN (VLAN) is configured on all node ports in the ring. All ring ports must be members of the Member VLAN and the Control VLAN. The Member VLAN is the VLAN used to transmit data as described earlier. The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node.
Ring Failure If a Transit node detects a link down on any of its ports on the FRRP ring, it immediately sends a linkdown control frame on the Control VLAN to the Master node. When the Master node receives this control frame, the Master node moves from the Normal state to the Ring-Fault state and unblocks its Secondary port. The Master node clears its routing table and sends a control frame to all other ring nodes, instructing them to clear their routing tables as well.
Figure 41. Multiple Rings Connected by a Single Switch Example Important FRRP Points FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring. • The Master node transmits ring status check frames at specified intervals. • You can run multiple physical rings on the same switch.
• STP disabled on ring interfaces. • Master node secondary port is in blocking state during Normal operation. • Ring health frames (RHF) – Hello RHF: sent at 500ms (hello interval); Only the Master node transmits and processes these. – Topology Change RHF: triggered updates; processed at all nodes. Important FRRP Concepts The following table lists some important FRRP concepts.
Concept                          Explanation
• Ring-Up — Ring is up and operational.
• Ring-Down — Ring is broken or not set up.
Ring Health-Check Frame (RHF)    The Master node generates two types of RHFs. RHFs never loop the ring because they terminate at the Master node’s secondary port.
• Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval.
• Viewing the FRRP Configuration
• Viewing the FRRP Information
Creating the FRRP Group
Create the FRRP group on each switch in the ring. To create the FRRP group, use the following command.
• Create the FRRP group with this Ring ID.
CONFIGURATION mode
protocol frrp ring-id
Ring ID: the range is from 1 to 255.
Configuring the Control VLAN
Control and member VLANs are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-Port. 3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring. CONFIG-FRRP mode. interface primary int slot/port secondary int slot/port control-vlan vlan id • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
To create the Members VLANs for this FRRP group, use the following commands on all of the Transit switches in the ring. 1. Create a VLAN with this ID number. CONFIGURATION mode. interface vlan vlan-id VLAN ID: the range is from 1 to 4094. 2. Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode. tagged interface slot/port {range} 3. • For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
VLAN-ID, Range: VLAN IDs for the ring’s Member VLANs. 6. Enable this FRRP group on this switch. CONFIG-FRRP mode. no disable Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500).
• Show the state of all FRRP groups.
EXEC or EXEC PRIVILEGED mode.
show frrp summary
Ring ID: the range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
Example of R1 MASTER
Example of R2 TRANSIT
Example of R3 TRANSIT
interface GigabitEthernet 1/24
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/34
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 1/24,34
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 1/24 secondary GigabitEthernet 1/34 control-vlan 101
 member-vlan 201
 mode master
 no disable
interfa
 no shutdown
!
interface GigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 3/21 secondary GigabitEthernet 3/14 control-vlan 101
 member-vlan 201
 mode transit
 no disable
19 GARP VLAN Registration Protocol (GVRP)
GARP VLAN registration protocol (GVRP) is supported on the MXL switch platform.
Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches.
VLAN trunk port, but it is not necessary to specifically identify to the Dell Networking operating system (OS) that the port is a trunk port. Figure 43. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2. Enabling GVRP on a Layer 2 Interface Related Configuration Tasks • Configure GVRP Registration • Configure a GARP Timer Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch.
gvrp enable
Example of Configuring GVRP
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
 no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
do not want the interface to advertise or learn about particular VLANs, set the interface to the registration mode of FORBIDDEN. Based on the configuration in the following example, the interface 1/21 is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
Dell displays this message if an attempt is made to configure an invalid GARP timer:
Dell(conf)#garp timers join 300
% Error: Leave timer should be >= 3*Join timer.
20 Internet Group Management Protocol (IGMP)
Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 44. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
• Responding to an IGMP Query
– One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers. • To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
Figure 46. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 47. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries.
1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
2.
Figure 48. Membership Queries: Leaving and Staying
IGMP Snooping
IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices, rather than one unique device.
• IGMP snooping reacts to spanning tree protocol (STP) and multiple spanning tree protocol (MSTP) topology changes by sending a general query on the interface that transitions to the forwarding state.
Configuring IGMP Snooping
Configuring IGMP snooping is a one-step process. To enable, view, or disable IGMP snooping, use the following commands.
• Enable IGMP snooping on a switch.
  CONFIGURATION mode
  ip igmp snooping enable
• View the configuration.
ip igmp snooping fast-leave
shutdown
Dell(conf-if-vl-100)#
Disabling Multicast Flooding
If the switch receives a multicast packet that has an IP address of a group it has not learned (unregistered frame), the switch floods that packet out of all ports on the VLAN. On the MXL Switch, when you configure no ip igmp snooping flood, the system forwards the frames on the mrouter ports for the first 96 IGMP snooping-enabled VLANs. For all other VLANs, the unregistered multicast packets are dropped.
• Adjust the last member query interval.
  INTERFACE VLAN mode
  ip igmp snooping last-member-query-interval
Fast Convergence after MSTP Topology Changes
The following describes the fast convergence feature. When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, the system sends a general query out of all ports except the multicast router ports.
21 Interfaces
This chapter describes 100/1000/10000 Mbps Ethernet, 10 Gigabit Ethernet, and 40 Gigabit Ethernet interface types, both physical and logical, and how to configure them with the Dell Networking operating software (OS).
Interface Types
The following table describes different interface types.
Dell#show interfaces tengigabitethernet 0/16
TenGigabitEthernet 0/16 is up, line protocol is up
Hardware is DellForce10Eth, address is 00:1e:c9:f1:00:05
    Current address is 00:1e:c9:f1:00:05
Server Port AdminState is Up
Pluggable media not present
Interface index is 38080769
Internet address is not set
Mode of IP Address Assignment : NONE
DHCP Client-ID :tenG145001ec9f10005
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "
GigabitEthernet 1/7   unassigned   NO   Manual   administratively down   down
GigabitEthernet 1/8   unassigned   NO   Manual   administratively down   down
To view only configured interfaces, use the show interfaces configured command in the EXEC Privilege mode. In the previous example, GigabitEthernet interface 1/5 is in Layer 3 mode because an IP address has been assigned to it and the interface’s status is operationally up.
Physical Interfaces
The switch interfaces support Layer 2 and Layer 3 traffic over the 100/1000/10000, 10-Gigabit, and 40-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels. For more information about VLANs, refer to Bulk Configuration. For more information on port channels, refer to Physical Interfaces.
Type of Interface   Possible Modes   Requires Creation                   Default State
VLAN                Layer 2          Yes, except for the default VLAN.   No shutdown (active for Layer 2)
                    Layer 3                                              Shutdown (disabled for Layer 3)
Configuring Layer 2 (Data Link) Mode
Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command.
• Enable Layer 3 on an individual interface.
  INTERFACE mode
  ip address
• Enable the interface.
  INTERFACE mode
  no shutdown
Dell(conf-if)#show config
!
interface TenGigabitEthernet 1/5
 ip address 10.10.10.1 /24
 no shutdown
Dell(conf-if)#
Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface
If an interface is in the incorrect layer mode for a given command, an error message displays (shown in bold).
To view all interfaces with an IP address assigned, use the show ip interfaces brief command in EXEC mode as shown in View Basic Interface Information. To view IP information on an interface in Layer 3 mode, use the show ip interface command in EXEC Privilege mode.
Dell(conf-if-vl-10)#do sh int vl 10
Vlan 10 is up, line protocol is up
Address is 00:1e:c9:f1:03:38, Current address is 00:1e:c9:f1:03:38
Interface index is 1107787786
Internet address is 5.5.5.
For additional management access, IOM supports the default VLAN (VLAN 1) L3 interface in addition to the public fabric D management interface. You can assign the IP address for the VLAN 1 default management interface using the setup wizard or through the CLI. If you do not configure the VLAN 1 default using the wizard or CLI presented in startup-config, by default, the VLAN 1 management interface gets its IP address using DHCP. There is only one management interface for the whole stack.
0 Multicasts, 0 Broadcasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
Output Statistics:
0 packets, 0 bytes, 0 underruns
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 collisions
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
Output 00.00 Mbits/sec, 0 packets/sec, 0.
!
 ip ospf hello-interval 15
 no shutdown
Loopback Interfaces
A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands.
• Port Channel Implementation
• Configuration Tasks for Port Channel Interfaces
Port Channel Definition and Standards
Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface—a link aggregation group (LAG) or port channel. A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE 802.3ad. In the Dell Networking OS, a LAG is referred to as a port channel interface.
at 1000 Mbps are kept up, and all 100/1000/10000 interfaces that are not set to 1000 speed or auto negotiate are disabled.
100/1000/10000 Mbps Interfaces in Port Channels
When both 100/1000/10000 interfaces and TenGigabitEthernet interfaces are added to a port channel, the interfaces must share a common speed. When interfaces have a configured speed different from the port channel speed, the software disables those interfaces. The common speed is determined when the port channel is first enabled.
After you enable the port channel, you can place it in Layer 2 or Layer 3 mode. To place the port channel in Layer 2 mode or configure an IP address to place the port channel in Layer 3 mode, use the switchport command. You can configure a port channel as you would a physical interface by enabling or configuring protocols or assigning access control lists.
Adding a Physical Interface to a Port Channel
You can add any physical interface to a port channel if the interface configuration is minimal.
The following example shows the port channel’s mode (L2 for Layer 2 and L3 for Layer 3 and L2L3 for a Layer 2-port channel assigned to a routed VLAN), the status, and the number of interfaces belonging to the port channel.
% Error: Te 1/6 Port is part of a LAG.
Dell(conf-if)#
Reassigning an Interface to a New Port Channel
An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. To reassign an interface to a new port channel, use the following commands.
1. Remove the interface from the first port channel.
   INTERFACE PORT-CHANNEL mode
   no channel-member interface
2.
Example of Configuring the Minimum Oper Up Links in a Port Channel
Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#
Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
– secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.
Deleting or Disabling a Port Channel
To delete or disable a port channel, use the following commands.
• Delete a port channel.
  CONFIGURATION mode
  no interface portchannel channel-number
• Disable a port channel.
  shutdown
When you disable a port channel, all interfaces within the port channel are operationally down also.
Bulk Configuration
Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces.
Interface Range
An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Multiple-Range
The following is an example of a multiple range.
Example of the interface range Command (Multiple Ranges)
Dell(conf)#interface range tengigabitethernet 3/0 , tengigabitethernet 2/1 - 47 , vlan 1000
Dell(conf-if-range-te-2/1-47)#
Exclude Duplicate Entries
The following is an example showing how duplicate entries are omitted from the interface-range prompt.
Add Ranges
The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Example of Multiple-Range Bulk Configuration with VLAN and Port-channel
Dell(conf-if-range-te-5/1-23-te-1/1-2)# interface range Vlan 2 - 100 , Port 1 - 25
Dell(conf-if-range-te-5/1-23-te-1/1-2-vl-2-100-po-1-25)# no shutdown
Dell(conf-if-range)#
Defining Interface Range Macros
You can define an interface-range macro to automatically select a range of interfaces for configuration.
Monitoring and Maintaining Interfaces
Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface’s statistics, use the following command.
• View the interface’s statistics.
Input overrun:      0   0 pps   0
Output underruns:   0   0 pps   0
Output throttles:   0   0 pps   0

m - Change mode                 c - Clear screen
l - Page up                     a - Page down
T - Increase refresh interval   t - Decrease refresh interval
q - Quit
Dell
Maintenance Using TDR
The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs.
NOTE: When you split a 40G port (such as fo 0/4) into four 10G ports, the 40G interface configuration is available in the startup configuration when you save the running configuration by using the write memory command. When a reload of the system occurs, the 40G interface configuration is not applicable because the 40G ports are split into four 10G ports after the reload operation. While the reload is in progress, you might see error messages when the configuration file is being loaded.
• The 40G port is lost in the configuration when the port is split; be sure the port is also removed from other L2/L3 feature configurations.
• The system must be reloaded after issuing the CLI for the change to take effect.
Configure the MTU Size on an Interface
The link MTU is the frame size of a packet. The IP MTU size is used for IP fragmentation.
data transfer. As a result, only the first fanned-out port is identified as the active 10 Gigabit port with a speed of 10G or 1G depending on whether you insert an SFP+ or SFP cable respectively. NOTE: Although it is possible to configure the remaining three 10 Gigabit ports, the Link UP event does not occur for these ports leaving the lanes unusable. Dell Networking OS perceives these ports to be in a Link Down state.
• QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
SFP 0 Rx Power measurement type = OMA
===================================
SFP 0 Temp High Alarm threshold = 0.000C
SFP 0 Voltage High Alarm threshold = 0.000V
SFP 0 Bias High Alarm threshold = 0.000mA
NOTE: In the following show interfaces tengigabitethernet transceiver commands, the ports 5, 6, and 7 are inactive and no physical SFP or SFP+ connection actually exists on these ports.
QSFP 0 Connector = 0x23
QSFP 0 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00
QSFP 0 Encoding = 0x00
………………
………………
QSFP 0 Diagnostic Information
===================================
QSFP 0 Rx Power measurement type = OMA
===================================
QSFP 0 Temp High Alarm threshold = 0.000C
QSFP 0 Voltage High Alarm threshold = 0.000V
QSFP 0 Bias High Alarm threshold = 0.
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/6
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
……………………
LineSpeed 1000 Mbit
Dell#show interfaces tengigabitethernet 0/7
gigabitethernet 0/0 is up, line protocol is down
Hardware is DellEth, address is 90:b1:1c:f4:9a:fa
Current address is 90:b1:1c:f4:9a:fa
Pluggable media present, SFP type is 1GBASE
………………
The globally assigned 48-bit Multicast address 01-80-C2-00-00-01 is used to send and receive pause frames. To allow full duplex flow control, stations implementing the pause operation instruct the MAC to enable reception of frames with a destination address equal to this multicast address. The pause frame is defined by IEEE 802.3x and uses MAC Control frames to carry the pause commands. Ethernet pause frames are supported on full duplex only.
Configure MTU Size on an Interface
If a packet includes a Layer 2 header, the difference in bytes between the link MTU and IP MTU must be enough to include the Layer 2 header. For example, for VLAN packets, if the IP MTU is 1400, the Link MTU must be no less than 1422:
1400-byte IP MTU + 22-byte VLAN Tag = 1422-byte link MTU
The MTU range is from 592 to 12000, with a default of 1500. IP MTU automatically configures.
Port-Pipes
A high-speed data bus connection used to switch traffic between front-end ports is known as the port pipe. A port pipe is a Dell Networking-specific term for the hardware path that packets follow through a system. The MXL switch supports single port pipe only.
Auto-Negotiation on Ethernet Interfaces
By default, auto-negotiation of speed and duplex mode is enabled on 100/1000/10000 Base-T Ethernet interfaces. Only 10GE interfaces do not support auto-negotiation.
   speed {100 | 1000 | 10000 | auto}
6. Optionally, set full- or half-duplex.
   INTERFACE mode
   duplex {half | full}
7. Disable auto-negotiation on the port.
   INTERFACE mode
   no negotiation auto
   If the speed was set to 1000, do not disable auto-negotiation.
8. Verify configuration changes.
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port to forced master/forced slave after you enable auto-negotiation.
CAUTION: Ensure that only one end of the node is configured as forced-master and the other is configured as forced-slave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between an auto-neg-error and forced-master/slave states.
Dell#show ip interface brief configured
Dell#show running-config interfaces configured
Dell#show running-config interface tengigabitEthernet 1 configured
In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs.
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h44m
Queueing strategy: fifo
0 packets input, 0 bytes
Input 0 IP Packets, 0 Vlans 0 MPLS
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
0
• Egress ACLs
• ILM
• IP FLOW
• IP ACL
• IP FIB
• L2 ACL
• L2 FIB
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters any SNMP program captures. To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones.
address-table static multicast-mac-address vlan vlan-id output-range interface command.
22 Internet Protocol Security (IPSec)
IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and file transfer protocols (FTPs) and can operate in Transport mode. In Transport mode, IPSec encrypts only the packet payload; the IP header is unchanged. This is the default mode.
   crypto ipsec transform-set myXform-set esp-authentication md5 esp-encryption des
2. Define the crypto policy.
   CONFIGURATION mode
   crypto ipsec policy myCryptoPolicy 10 ipsec-manual
   transform-set myXform-set
   session-key inbound esp 256 auth encrypt
   session-key outbound esp 257 auth encrypt
   match 0 tcp a::1 /128 0 a::2 /128 21
   match 1 tcp a::1 /128 21 a::2 /128 0
   match 2 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
   match 3 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3.
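An offline audit of the crypto ipsec commands shown above, added here as an example; it is not Dell's code and not part of the guide. It assumes one command per line, that the number after esp in a session-key line is the SPI, and that ipsec-manual means statically configured keys; the finding codes are names made up for this example.

```python
import re

# Constructed sample: the commands from this section, one per line, with the
# transform-set name written as myXform-set throughout. "auth" and "encrypt"
# are the page's placeholders for the key strings and are kept as-is.
SAMPLE_CONFIG = """\
crypto ipsec transform-set myXform-set esp-authentication md5 esp-encryption des
crypto ipsec policy myCryptoPolicy 10 ipsec-manual
 transform-set myXform-set
 session-key inbound esp 256 auth encrypt
 session-key outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 21
 match 1 tcp a::1 /128 21 a::2 /128 0
 match 2 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 3 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""

# Algorithm keywords this audit treats as weak, with the reason it reports.
WEAK_ALGORITHMS = {
    "des": "single DES has a 56-bit key",
    "md5": "MD5-based authentication is deprecated for IPsec",
    "null": "the function is switched off",
}

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
POLICY_RE = re.compile(r"^crypto ipsec policy (\S+) (\d+) (\S+)$")


def parse_config(text):
    """Return (transform_sets, policies) parsed from crypto ipsec commands."""
    transform_sets, policies, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            words = m.group(2).split()
            # Keyword/value pairs, for example: esp-authentication md5
            transform_sets[m.group(1)] = dict(zip(words[0::2], words[1::2]))
            current = None
            continue
        m = POLICY_RE.match(line)
        if m:
            current = {"name": m.group(1), "seq": int(m.group(2)),
                       "keying": m.group(3), "transform": None, "spi": {}}
            policies.append(current)
            continue
        if current is None:
            continue
        words = line.split()
        if words[0] == "transform-set" and len(words) == 2:
            current["transform"] = words[1]
        elif words[0] == "session-key" and len(words) >= 4 and words[3].isdigit():
            # Assumption: session-key <direction> esp <spi> ...
            current["spi"][words[1]] = int(words[3])
    return transform_sets, policies


def audit(text):
    """Return a sorted list of (object name, finding code, detail) tuples."""
    transform_sets, policies = parse_config(text)
    findings = []
    for name, algorithms in transform_sets.items():
        for function, algorithm in algorithms.items():
            reason = WEAK_ALGORITHMS.get(algorithm.lower())
            if reason:
                findings.append((name, "weak-algorithm",
                                 f"{function} {algorithm}: {reason}"))
    for policy in policies:
        # A policy that names a transform set nobody defined (a typo in either
        # command) is reported instead of being silently accepted.
        if policy["transform"] not in transform_sets:
            findings.append((policy["name"], "undefined-transform-set",
                             str(policy["transform"])))
        if policy["keying"] == "ipsec-manual":
            findings.append((policy["name"], "manual-keying",
                             "static session keys, no automatic rekeying"))
        for direction, spi in policy["spi"].items():
            if spi <= 255:  # SPI values 0-255 are reserved
                findings.append((policy["name"], "reserved-spi",
                                 f"{direction} SPI {spi} is in the reserved range 0-255"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, code, detail in audit(SAMPLE_CONFIG):
        print(f"{obj}: {code}: {detail}")
```

Run against a saved copy of the running configuration, the same functions give a quick list of transform sets and policies to revisit before relying on the tunnel for confidentiality.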
23 IPv4 Routing
The Dell Networking OS supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking operating system (OS).
IP Feature           Default
DNS                  Disabled
Directed Broadcast   Disabled
Proxy ARP            Enabled
ICMP Unreachable     Disabled
ICMP Redirect        Disabled
IP Addresses
The Dell Networking OS supports IP version 4, as described in RFC 791.
• Configuring Static Routes (optional)
• Configure Static Routes for the Management Interface (optional)
For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Interface Reference Guide.
Assigning IP Addresses to an Interface
Assign primary and secondary IP addresses to physical or logical (for example, virtual local area network [VLAN] or port channel) interfaces to enable IP communication between the system and hosts connected to that interface.
Dell#show ip interface tengig 0/16
TenGigabitEthernet 0/16 is down, line protocol is down
Internet address is not set
IP MTU is 1500 bytes
Directed broadcast forwarding is disabled
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent
Dell#
Configuring Static Routes
A static route is an IP address that you manually configure and that a routing protocol, such as open shortest path first (OSPF), does not learn.
S   6.1.2.14/32   via 6.1.20.2, Te 5/0   1/0   00:02:30
S   6.1.2.15/32   via 6.1.20.2, Te 5/0   1/0   00:02:30
S   6.1.2.16/32   via 6.1.20.2, Te 5/0   1/0   00:02:30
S   6.1.2.17/32   via 6.1.20.2, Te 5/0   1/0   00:02:30
S   11.1.1.0/24   Direct, Nu 0           0/0   00:02:30
                  Direct, Lo 0
--More--
The system installs a next hop that is on the directly connected subnet of the current IP address on the interface (for example, if interface tengig 0/0 is on 172.31.5.0 subnet, the system installs the static route).
Path MTU discovery (PMTD) identifies the path MTU value between the sender and the receiver, and uses the determined value to transmit packets across the network. PMTD, as described in RFC 1191, denotes that the default byte size of an IP packet is 576. This packet size is called the maximum transmission unit (MTU) for IPv4 frames. PMTD operates by setting the do not fragment (DF) bit in the IP headers of outgoing packets.
Configuring the Duration to Establish a TCP Connection
You can configure the amount of time for which the device must wait before it attempts to establish a TCP connection. Using this capability, you can limit the wait times for TCP connection requests.
The following sections describe DNS and the resolution of host names.
• Enabling Dynamic Resolution of Host Names
• Specifying the Local System Domain and a List of Domains
• Configuring DNS with Traceroute
Enabling Dynamic Resolution of Host Names
By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands.
• Enable dynamic resolution of host names.
  CONFIGURATION mode
  ip domain-lookup
• Specify up to six name servers.
• Enter up to 63 characters to configure names to complete unqualified host names.
  CONFIGURATION mode
  ip domain-list name
  Configure this command up to six times to specify a list of possible domain names. The Dell Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted.
Configuring DNS with Traceroute
To configure your switch to perform DNS with traceroute, use the following commands.
• Enable dynamic resolution of host names.
4 www.force10networks.com (10.11.84.18) 000.000 ms 000.000 ms 000.000 ms
Dell#
ARP
The Dell Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, the system creates a forwarding table mapping the MAC addresses to their corresponding IP address.
To view the static entries in the ARP cache, use the show arp static command in EXEC privilege mode.
Dell#show arp
Protocol   Address         Age(min)   Hardware Address    Interface   VLAN   CPU
----------------------------------------------------------------------------------------
Internet   10.11.68.14     94         00:01:e9:45:00:03   Ma 0/0             CP
Internet   10.11.209.254   0          00:01:e9:45:00:03   Ma 0/0             CP
Dell#
Enabling Proxy ARP
By default, Proxy ARP is enabled. To disable Proxy ARP, use the no proxy-arp command in the interface mode.
ARP Learning via Gratuitous ARP
Gratuitous ARP can mean an ARP request or reply. In the context of ARP learning via gratuitous ARP on the system, the gratuitous ARP is a request. A gratuitous ARP request is an ARP request that is not needed according to the ARP specification, but one that hosts may send to.
Figure 50. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.
Configuring ARP Retries
In the Dell Networking OS versions prior to 8.3.1.0, the number of ARP retries is set to five and is not configurable.
ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic.
Configuration Tasks for ICMP
The following lists the configuration tasks for ICMP.
• UDP helper is compatible with IP helper (ip helper-address):
  – UDP broadcast traffic with port number 67 or 68 is unicast to the dynamic host configuration protocol (DHCP) server per the ip helper-address configuration whether or not the UDP port list contains those ports.
  – If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
• Enable UDP helper.
address to the configured broadcast 1.1.255.255 and routes the packet to VLANs 100 and 101. If you do not configure an IP broadcast address (using the ip udp-broadcast-address command) on VLANs 100 or 101, the packet is forwarded using the original destination IP address 255.255.255.255.
Packet 2, sent from a host on VLAN 101, has a broadcast MAC address and IP address. In this case:
1. It is flooded on VLAN 101 without changing the destination address because the forwarding process is Layer 2.
2.
Figure 52. UDP Helper with Subnet Broadcast Addresses
UDP Helper with Configured Broadcast Addresses
Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
Troubleshooting UDP Helper
To display debugging information for troubleshooting, use the debug ip udp-helper command.
Example of the debug ip udp-helper Command
Dell(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on TenGig 5/0 with IP DA (0xffffffff) will be sent on TenGig 5/1 TenGig 5/2 Vlan 3
01:44:54: Pkt rcvd on TenGig 7/0 is handed over for DHCP processing.
When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command.
24 IPv6 Addressing
Internet protocol version 6 (IPv6) is supported on the MXL switch platform.
NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the Dell Networking OS version supporting which features and platforms, refer to Implementing IPv6 with the Dell Networking OS.
IPv6 is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage.
NOTE: The Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only. Neighbor discovery (ND) messages are advertised so the neighbor can use this information to autoconfigure its address.
IPv6 Header Fields
The 40 bytes of the IPv6 header are ordered, as shown in the following illustration.
Figure 54. IPv6 Header Fields
Version (4 bits)
The Version field always contains the number 6, referring to the packet’s IP version.
Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
protocol (TCP) or user datagram protocol (UDP) header, the value in this field is the same as for IPv4. The Extension header is located between the IP header and the TCP or UDP header. The following lists the Next Header field values.
However, if the Destination Address is a Hop-by-Hop options header, the Extension header is examined by every forwarding router along the packet’s route. The Hop-by-Hop options header must immediately follow the IPv6 header, and is noted by the value 0 (zero) in the Next Header field. Extension headers are processed in the order in which they appear in the packet header.
Hop-by-Hop Options Header
The Hop-by-Hop options header contains information that is examined by every router along the packet’s path.
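The 40-byte header layout and the Hop-by-Hop placement rule described above, worked through as an added example that is not part of the Dell guide. The field widths beyond Version and Traffic Class and the Next Header numbers 43, 44 and 60 come from the standard IPv6 header definition; the sample packets are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct

# Standard IPv6 Next Header numbers for the extension headers walked below.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTIONS = 0, 43, 44, 60
EXTENSION_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing",
                   FRAGMENT: "fragment", DEST_OPTIONS: "destination-options"}
FIXED_HEADER_LEN = 40


def parse_ipv6(packet):
    """Decode the fixed header, then follow Next Header through the chain."""
    if len(packet) < FIXED_HEADER_LEN:
        raise ValueError("shorter than the 40-byte IPv6 header")
    word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word >> 28 != 6:
        raise ValueError(f"Version field is {word >> 28}, expected 6")
    result = {
        "traffic_class": (word >> 20) & 0xFF,   # 8 bits after the 4-bit Version
        "flow_label": word & 0xFFFFF,           # remaining 20 bits of the word
        "payload_length": payload_length,
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(packet[8:24])),
        "destination": str(ipaddress.IPv6Address(packet[24:40])),
        "extension_headers": [],
        "anomalies": [],
        "upper_layer": None,
    }
    offset = FIXED_HEADER_LEN
    end = min(len(packet), FIXED_HEADER_LEN + payload_length)
    while next_header in EXTENSION_NAMES:
        if offset + 8 > end:
            result["anomalies"].append("extension header chain is truncated")
            return result
        # Fragment headers are a fixed 8 bytes; the others store their length
        # in 8-byte units, not counting the first 8 bytes.
        length = 8 if next_header == FRAGMENT else 8 + packet[offset + 1] * 8
        if offset + length > end:
            result["anomalies"].append("extension header chain is truncated")
            return result
        # Next Header value 0 is only valid directly after the fixed header.
        if next_header == HOP_BY_HOP and result["extension_headers"]:
            result["anomalies"].append("hop-by-hop header is not first in the chain")
        result["extension_headers"].append(EXTENSION_NAMES[next_header])
        next_header = packet[offset]
        offset += length
    result["upper_layer"] = next_header
    return result


def build_packet(chain, upper_layer, traffic_class=0, flow_label=0):
    """Constructed sample: fixed header plus minimal 8-byte options headers."""
    protocols = list(chain) + [upper_layer]
    # Each header: Next Header, Hdr Ext Len 0, then a 6-byte PadN option.
    body = b"".join(bytes([nxt, 0, 1, 4, 0, 0, 0, 0]) for nxt in protocols[1:])
    word = (6 << 28) | (traffic_class << 20) | flow_label
    fixed = struct.pack("!IHBB", word, len(body), protocols[0], 64)
    fixed += ipaddress.IPv6Address("2001:db8::1").packed
    fixed += ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + body


if __name__ == "__main__":
    for chain in ([HOP_BY_HOP], [DEST_OPTIONS, HOP_BY_HOP]):
        parsed = parse_ipv6(build_packet(chain, 6))
        print(parsed["extension_headers"], parsed["anomalies"])
```

A packet whose chain places the Hop-by-Hop header anywhere but first is malformed, so a filter or capture tool built on this check can log it instead of trusting whatever upper-layer protocol number follows.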
2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one set of double colons is supported in a single address. Any number of consecutive 0000 groups may be reduced to two colons, as long as there is only one double colon used in an address. Leading and/or trailing zeros in a group can also be omitted (as in ::1 for localhost, 1:: for network addresses and :: for unspecified addresses). The addresses in the following list are all valid and equivalent.
Implementing IPv6 with the Dell Networking OS
The Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location MXL
Basic IPv6 Commands 9.2(0.
IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
IS-IS for IPv6 support for redistribution 9.2(0.0) Intermediate System to Intermediate System (IS-IS) IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide.
ISIS for IPv6 support for distribute lists and administrative distance 9.2(0.0)
OSPF for IPv6 (OSPFv3) 9.2(0.0)
Equal Cost Multipath for IPv6 9.2(0.
IPv6 PIM in the Dell Networking OS Command Line Reference Guide.
PIM-SSM for IPv6 N/A IPv6 Multicast in this chapter IPv6 PIM in the Dell Networking OS Command Line Reference Guide.
MLDv1/v2 N/A IPv6 Multicast in this chapter Multicast IPv6 in the Dell Networking OS Command Line Reference Guide.
Path MTU Discovery
IPv6 path maximum transmission unit (MTU) discovery is supported on the MXL switch platform. Path MTU, in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
With ARP, each node broadcasts ARP requests on the entire link. This approach causes unnecessary processing by uninterested nodes. With NDP, each node sends a request only to the intended destination via a multicast address with the unicast address used as the last 24 bits. Other hosts on the link do not participate in the process, greatly increasing network bandwidth efficiency.
Figure 56. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
With the Dell Networking OS version 8.3.1.
• prefix addresses
• multicast addresses
• invalid host addresses
If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed.
Example for Configuring an IPv6 Recursive DNS Server
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Displaying IPv6 RDNSS Information To display IPv6 interface information, including IPv6 RDNSS information, use the show ipv6 interface command in EXEC or EXEC Privilege mode. Examples of Displaying IPv6 RDNSS Information The following example displays IPv6 RDNSS information. The output in the last 3 lines indicates that the IPv6 RDNSS was correctly configured on interface te 0/1.
• Multicast listener discovery protocol (MLD) — MLD on a multicast router sends out periodic general MLD queries that the switch forwards through all ports in the VLAN. There are two versions of MLD: MLD version 1 is based on version 2 of the Internet group management protocol (IGMP) for IPv4; MLD version 2 is based on version 3 of the IGMP for IPv4. IPv6 multicast for the Dell Networking OS supports versions 1 and 2.
• L2 ACL(l2acl): 5 • IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings. • Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount. CONFIGURATION mode cam-acl { ipv6acl } When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13.
– mask: The prefix length is from 0 to 128 NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing. Assigning a Static IPv6 Route IPv6 static routes are supported on the MXL switch platform. To configure IPv6 static routes, use the ipv6 route command.
– mask: prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing. SNMP over IPv6 The simple network management protocol (SNMP) is supported on the MXL switch platform. You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running IPv6.
show ipv6 interface type {slot/port}
Enter the keyword interface then the type of interface and slot/port information:
– For a brief summary of IPv6 status and configuration, enter the keyword brief.
– For all IPv6 configured interfaces, enter the keyword configured.
– For a 10/100/1000 Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
– For a Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
connected static Total 5 0 5 0 0 0 Dell#show ipv6 route Codes: C - connected, L - local, S - static, R - RIP, B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, Gateway of last resort is not set Destination Dist/Metric, Gateway, Last Change -
Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} – *: all routes. – ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
iSCSI Optimization 25 The MXL switch enables internet small computer system interface (iSCSI) optimization with default iSCSI parameter settings and is auto-provisioned to support the following features. • Detection and Auto-Configuration for Dell EqualLogic Arrays • Configuring Detection and Ports for Dell Compellent Arrays To display information on iSCSI configuration and sessions, use the show commands. iSCSI optimization enables quality-of-service (QoS) treatment for iSCSI traffic.
treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets. • iSCSI DCBx TLVs are supported. The following illustration shows iSCSI optimization between servers in an M1000e enclosure and a storage array in which a stack and MXL connects installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network.
Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
• Spanning-tree portfast is enabled on the interface LLDP identifies. • Unicast storm control is disabled on the interface LLDP identifies. Configuring Detection and Ports for Dell Compellent Arrays For the best iSCSI traffic conditions, the MXL switch auto-configures a port connected to a Dell Compellent storage array, when configured as compellent connected port through CLI.
Parameter                        Default Value
iSCSI CoS Treatment              iSCSI packets are queued based on dot1p instead of DSCP values.
VLAN priority tag                iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
DSCP                             None: user-configurable.
Remark                           Not configured.
iSCSI session aging time         10 minutes
iSCSI optimization target ports  iSCSI well-known ports 3260 and 860 are configured as default (with no IP address or name) but can be removed as any other configured target.
----------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010 Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg ISID: 400001370000 VLT PEER2 Session 1: ----------------------------------------------------------------------------Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011 iqn.1991-05.com.
Intermediate System to Intermediate System 26
Intermediate system to intermediate system (IS-IS) is supported on the MXL switch platform.
• The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
• The IS-IS protocol standards are listed in the Standards Compliance chapter.
The NET length is variable, with a maximum of 20 bytes and a minimum of 8 bytes. It is composed of the following: • area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.
Transition Mode
All routers in the area or domain must use the same type of IPv6 support, either single-topology or multi-topology. A router operating in multi-topology mode does not recognize the ability of the single-topology mode router to support IPv6 traffic, which leads to holes in the IPv6 topology.
A new TLV (the Restart TLV) is introduced in the IIH PDUs, indicating that the router supports graceful restart.
Timers
Three timers are used to support IS-IS graceful restart functionality. After you enable graceful restart, these timers manage the graceful restart process. The three timers are T1, T2, and T3.
• The T1 timer specifies the wait time before unacknowledged restart requests are generated.
• Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 27.
Enabling IS-IS
By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address. To exchange protocol information with neighbors, enable IS-IS on an interface, instead of on a network as with other routing protocols. In IS-IS, neighbors form adjacencies only when they are the same IS type. For example, a Level 1 router never forms an adjacency with a Level 2 router.
The IP address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address.
5. Enter an IPv6 Address.
INTERFACE mode
ipv6 address ipv6-address mask
• ipv6 address: x:x:x:x::x
• mask: The prefix length is from 0 to 128.
The IPv6 address must be on the same subnet as other IS-IS neighbors, but the IP address does not need to relate to the NET address.
6. Enable IS-IS on the IPv4 interface.
Dell#show isis traffic IS-IS: Level-1 Hellos (sent/rcvd) : 4272/1538 IS-IS: Level-2 Hellos (sent/rcvd) : 4272/1538 IS-IS: PTP Hellos (sent/rcvd) : 0/0 IS-IS: Level-1 LSPs sourced (new/refresh) : 0/0 IS-IS: Level-2 LSPs sourced (new/refresh) : 0/0 IS-IS: Level-1 LSPs flooded (sent/rcvd) : 32/19 IS-IS: Level-2 LSPs flooded (sent/rcvd) : 32/17 IS-IS: Level-1 LSPs CSNPs (sent/rcvd) : 1538/0 IS-IS: Level-2 LSPs CSNPs (sent/rcvd) : 1534/0 IS-IS: Level-1 LSPs PSNPs (sent/rcvd) : 0/0 IS-IS: Level-2 LSPs PSNPs (sent
Use this command for IPv6 route computation only when you enable multi-topology. If using SingleTopology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4. Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
– level-1, level-2: identifies the database instance type to which the wait interval applies.
The range is from 5 to 20 seconds. The default is 30 seconds.
• Configure graceful restart timer T3 to set the time used by the restarting router as an overall maximum time to wait for database synchronization to complete.
T1 time left: 0, retry count left:0 Dell# To view all interfaces configured with IS-IS routing along with the defaults, use the show isis interface command in EXEC Privilege mode. Dell#show isis interface G1/34 GigabitEthernet 2/10 is up, line protocol is up MTU 1497, Encapsulation SAP Routing Protocol: IS-IS Circuit Type: Level-1-2 Interface Index 0x62cc03a, Local circuit ID 1 Level-1 Metric: 10, Priority: 64, Circuit ID: 0000.0000.000B.
• Set the maximum LSP lifetime.
ROUTER ISIS mode
max-lsp-lifetime seconds
– seconds: the range is from 1 to 65535. The default is 1200 seconds.
Example of Viewing IS-IS Configuration (ROUTER ISIS Mode)
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
Dell#show running-config isis
!
router isis
lsp-refresh-interval 902
net 47.0005.0001.000C.000A.4321.00
net 51.0005.0001.000C.000A.4321.
Metric Style Characteristics Cost Range Supported on IS-IS Interfaces wide transition Sends wide (new) TLVs and accepts both narrow (old) and wide (new) TLVs. 0 to 16777215 To change the IS-IS metric style of the IS-IS process, use the following command. • Set the metric style for the IS-IS process. ROUTER ISIS mode metric-style {narrow [transition] | transition | wide [transition]} [level-1 | level-2] The default is narrow.
The default is 10.
• Assign a metric for an IPv6 link or interface.
INTERFACE mode
isis ipv6 metric default-metric [level-1 | level-2]
– default-metric: the range is from 0 to 63 for narrow and transition metric styles. The range is from 0 to 16777215 for wide metric styles. The default is 10. The default level is level-1.
For more information about this command, refer to Configuring the IS-IS Metric Style.
The following table describes the correct value range for the isis metric command.
Example of the show isis database Command to View Level 1-2 Link State Databases To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information, so if you do not change the IS-type, the default value (level-1-2) is not displayed. The default is Level 1-2 router. When the IS-type is Level 1-2, the software maintains two Link State databases, one for each level.
Applying IPv4 Routes To apply prefix lists to incoming or outgoing IPv4 routes, use the following commands. NOTE: These commands apply to IPv4 IS-IS only. To apply prefix lists to IPv6 routes, use ADDRESSFAMILY IPV6 mode, shown later. • Apply a configured prefix list to all incoming IPv4 IS-IS routes.
– For the Loopback interface on the RPM, enter the keyword loopback then a number from 0 to 16383.
– For a port channel, enter the keywords port-channel then a number from 1 to 255.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
– For a 40-Gigabit Ethernet interface, enter the keyword FortyGigabitEthernet then the slot/port information.
– For a VLAN, enter the keyword vlan then a number from 1 to 4094.
– map-name: enter the name of a configured route map.
• Include specific OSPF routes in IS-IS.
ROUTER ISIS mode
redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
– process-id: the range is from 1 to 65535.
– level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
– map-name: name of a configured route map.
To view the IS-IS configuration globally (including both IPv4 and IPv6 settings), use the show running-config isis command in EXEC Privilege mode. To view the current IPv4 IS-IS configuration, use the show config command in ROUTER ISIS mode. To view the current IPv6 IS-IS configuration, use the show config command in ROUTER ISIS-ADDRESS FAMILY IPV6 mode.
ROUTER ISIS mode no set-overload-bit Example of Viewing the Overload Bit Setting When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2. Dell#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000003 0x07BF eljefe.00-00 * 0x0000000A 0xF963 eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Dell.
To view specific information, enter the following optional parameter:
– interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
• View the events that triggered IS-IS shortest path first (SPF) events for debugging purposes.
EXEC Privilege mode
debug isis spf-triggers
• View sent and received LSPs.
Metric Style       Correct Value Range for the isis metric Command
narrow             0 to 63
wide transition    0 to 16777215
narrow transition  0 to 63
transition         0 to 63
Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.
Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value transition wide original value transition narrow original value transition narrow original value transition wide transition original value narrow transition wide original value narrow transition narrow original value narrow transition wide transition original value narrow transition transition original value wide transition wide original value wide transition narrow default value (10) if the original value
Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 31.
NOTE: Whenever you make IS-IS configuration changes, clear (restart) the IS-IS process using the clear isis command. The clear isis command must include the tag for the IS-IS process. The following example shows the response from the router:
Dell#clear isis *
% ISIS not enabled.
Dell#clear isis 9999 *
You can configure IPv6 IS-IS routes using one of the following three methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
R1(conf-if-lo-0)#ip router isis 9999
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#router isis 9999
R1(conf-router_isis)#is-type level-1
R1(conf-router_isis)#net FF.F101.0002.0C00.1111.00
R1(conf-router_isis)#ipv6 route 2001:db8:9999:2::/128 2001:db8:1021:2::
R1(conf)#ipv6 route 2001:db8:9999:3::/128 2001:db8:1022:3::
R1(conf)#ip route 192.168.1.2/32 10.0.12.2
R1(conf)#ip route 192.168.1.3/32 10.0.13.3
R1(conf)#interface GigabitEthernet 1/21
R1(conf-if-gi-1/21)#ip address 10.0.12.
R2(conf-if-lo-0)#router isis 9999
R2(conf-router_isis)#int gi 2/11
R2(conf-if-gi-2/11)#ip address 10.0.12.2/24
R2(conf-if-gi-2/11)#ipv6 address 2001:db8:9999:2::/48
R2(conf-if-gi-2/11)#ip router isis 9999
R2(conf-if-gi-2/11)#isis network point-to-point
R2(conf-if-gi-2/11)#no shutdown
R2(conf-if-gi-2/11)#int gi 2/31
R2(conf-if-gi-2/31)#ip address 10.0.23.
R3(conf)#ipv6 route 2001:db8:9999:2::/128 2001:db8:1023:2::
R3(conf)#ip route 192.168.1.1/32 10.0.13.1
R3(conf)#interface GigabitEthernet 3/14
R3(conf-if-gi-3/14)#ip address 10.0.13.3/24
R3(conf-if-gi-3/14)#ipv6 address 2001:db8:1022:3::/48
R3(conf-if-gi-3/14)#ip router isis 9999
R3(conf-if-gi-3/14)#isis circuit-type level-1
R3(conf-if-gi-3/14)#isis network point-to-point
R3(conf-if-gi-3/14)#no shutdown
R3(conf-if-gi-3/14)#interface GigabitEthernet 3/21
R3(conf-if-gi-3/21)#ip address 10.0.23.
27 Link Aggregation Control Protocol (LACP) Link aggregation control protocol (LACP) is supported on the MXL switch platform. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• There is a difference between the shutdown and no interface port-channel commands: – The shutdown command on LAG “xyz” disables the LAG and retains the user commands. However, the system does not allow the channel number “xyz” to be statically created. – The no interface port-channel channel-number command deletes the specified LAG, including a dynamically created LAG. This command removes all LACP-specific commands on the member interfaces.
• Configure LACP mode.
LACP mode
[no] port-channel number mode [active | passive | off]
– number: cannot statically contain any links.
The default is LACP active.
• Configure port priority.
LACP mode
[no] lacp port-priority priority-value
The range is from 1 to 65535 (the higher the number, the lower the priority). The default is 32768.
LACP Configuration Tasks
The following are LACP configuration tasks.
Configuring the LAG Interfaces as Dynamic
After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
• Configure the dynamic LAG interfaces.
CONFIGURATION mode
port-channel-protocol lacp
Example of the port-channel-protocol lacp Command
Dell(conf)#interface Gigabitethernet 3/15
Dell(conf-if-gi-3/15)#no shutdown
Dell(conf-if-gi-3/15)#port-channel-protocol lacp
Dell(conf-if-gi-3/15-lacp)#port-channel 32 mode active
...
Dell(conf-if-po-32)#switchport Dell(conf-if-po-32)#lacp long-timeout Dell(conf-if-po-32)#end Dell# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.a12b Partner System ID: Priority 32768, Address 0001.e801.
Figure 60. Shared LAG State Tracking To avoid packet loss, redirect traffic through the next lowest-cost link (R3 to R4). The system has the ability to bring LAG 2 down if LAG 1 fails, so that traffic can be redirected. This redirection is what is meant by shared LAG state tracking. To achieve this functionality, you must group LAG 1 and LAG 2 into a single entity, called a failover group. Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group. 1.
As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time. Figure 61.
• Only a LAG can be a member of a failover group.
• You can configure shared LAG state tracking on one side of a link or on both sides.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
LACP Basic Configuration Example
The screenshots in this section are based on the following example topology.
Hardware is Force10Eth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface Index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 1000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:02:11 Queueing strategy: fifo Input statistics: 132 packets, 163668 bytes 0 Vlans 0 64-byte pkts, 12 over 64-byte pkts, 120 over 1
Figure 63.
Figure 64.
Figure 65.
interface GigabitEthernet 2/31 no ip address Bravo(conf-if-gi-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active Bravo(
Figure 66.
Figure 67.
Figure 68. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
Layer 2 28 Layer 2 features are supported on the MXL switch platform. Manage the MAC Address Table The Dell Networking OS provides the following management activities for the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
The range is from 10 to 1000000. Dell Networking OS Behavior: The time elapsed before the configured MAC aging time expires is not precisely as configured. For example, the VLAN configuration mac-address-table aging-time 1, does not remove dynamic entries from the CAM after precisely 1 second. The actual minimum aging time for entries is approximately 5 seconds because this is the default MAC address table scanning interval.
• Setting Station Move Violation Actions • Recovering from Learning Limit and Station Move Violations Dell Networking OS Behavior: When configuring the MAC learning limit on a port, the configuration is accepted (becomes part of running-config and show mac learning-limit interface) before the system verifies that sufficient CAM space exists.
Learning Limit Violation Actions
To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received using one of the following options with the mac learning-limit command, use the following commands.
• Generate a system log message when the MAC learning limit is exceeded.
INTERFACE mode
learn-limit-violation log
• Shut down the interface and generate a system log message when the MAC learning limit is exceeded.
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation or station move violation.
EXEC Privilege mode
mac learning-limit reset
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
EXEC Privilege mode
mac learning-limit reset learn-limit-violation [interface | all]
• Reset interfaces in the ERR_Disabled state caused by a station move violation.
Figure 69. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Figure 70. Configuring the mac-address-table station-move refresh-arp Command MAC Move Optimization MAC move optimization is supported only on the E-Series platform. Station-move detection takes 5000ms because this is the interval at which the detection algorithm runs. The threshold option is the number of times a station move must be detected in a single interval in order to trigger a system log message.
Link Layer Discovery Protocol (LLDP) 29 The link layer discovery protocol (LLDP) is supported on the MXL switch platform. 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 32. Type, Length, Value (TLV) Types
Type  TLV            Description
0     End of LLDPDU  Marks the end of an LLDPDU.
1     Chassis ID     An administratively assigned name that identifies the LLDP agent.
2     Port ID        An administratively assigned name that identifies a port through which TLVs are sent and received.
3     Time to Live   A value that tells the receiving agent how long the information contained in the TLV Value field is valid.
• Organizationally Unique Identifier (OUI)—a unique number assigned by the IEEE to an organization or vendor. • OUI Sub-type—These sub-types indicate the kind of information in the following data field. The subtypes are determined by the owner of the OUI. Figure 73. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2.
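To see what a port actually advertises to its neighbors, the TLV types in Table 32 and the organizationally specific TLV can be decoded from a captured LLDPDU. The following is an added example, not code from this guide or from Dell: it assumes the IEEE 802.1AB TLV header (7-bit type, 9-bit length) and ID subtype numbering, and the sample frame, function names, and the 802.3 OUI entry are constructed or taken from the standard rather than from this page.

```python
import struct

# OUIs 00-80-C2 (IEEE 802.1) and 00-12-BB (TIA) are quoted in this guide;
# 00-12-0F (IEEE 802.3) is taken from the IEEE standard, not from this page.
OUI_NAMES = {
    bytes.fromhex("0080c2"): "IEEE 802.1",
    bytes.fromhex("00120f"): "IEEE 802.3",
    bytes.fromhex("0012bb"): "TIA",
}
END, CHASSIS_ID, PORT_ID, TTL, ORG_SPECIFIC = 0, 1, 2, 3, 127


class LLDPError(ValueError):
    """Raised when an LLDPDU is malformed."""


def iter_tlvs(pdu: bytes):
    """Yield (type, value) pairs; each header is a 7-bit type and 9-bit length."""
    offset = 0
    while offset < len(pdu):
        if offset + 2 > len(pdu):
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x01FF
        offset += 2
        if offset + length > len(pdu):
            raise LLDPError(f"TLV type {tlv_type} claims {length} bytes, "
                            f"only {len(pdu) - offset} remain")
        if tlv_type == END and length != 0:
            raise LLDPError("End of LLDPDU TLV must have zero length")
        yield tlv_type, pdu[offset:offset + length]
        offset += length
        if tlv_type == END:
            return  # anything after the End TLV is padding
    raise LLDPError("missing End of LLDPDU TLV")


def parse_lldpdu(pdu: bytes) -> dict:
    """Validate the mandatory TLVs and decode organizationally specific ones."""
    tlvs = list(iter_tlvs(pdu))
    types = [t for t, _ in tlvs]
    if types[:3] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("LLDPDU must begin with Chassis ID, Port ID, Time to Live")
    if any(t in (CHASSIS_ID, PORT_ID, TTL) for t in types[3:]):
        raise LLDPError("mandatory TLV repeated")
    chassis, port, ttl_raw = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl_raw) < 2:
        raise LLDPError("mandatory TLV too short")
    org_specific = []
    for tlv_type, value in tlvs[3:]:
        if tlv_type != ORG_SPECIFIC:
            continue
        if len(value) < 4:
            raise LLDPError("organizationally specific TLV lacks OUI and subtype")
        oui = value[:3]
        org_specific.append({"oui": OUI_NAMES.get(oui, oui.hex("-")),
                             "subtype": value[3], "data": value[4:]})
    return {
        "chassis_subtype": chassis[0], "chassis_id": chassis[1:],
        "port_subtype": port[0], "port_id": port[1:],
        "ttl": struct.unpack("!H", ttl_raw[:2])[0],
        "org_specific": org_specific,
        "optional_types": [t for t in types[3:] if t not in (END, ORG_SPECIFIC)],
    }


def _tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV (used only for the constructed sample below)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU, not a capture from a real switch.
SAMPLE_LLDPDU = (
    _tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("0001e80695c0"))  # subtype 4: MAC
    + _tlv(PORT_ID, b"\x05" + b"Te 0/3")                       # subtype 5: ifName
    + _tlv(TTL, struct.pack("!H", 120))
    + _tlv(ORG_SPECIFIC, bytes.fromhex("0080c2") + b"\x01" + struct.pack("!H", 10))
    + _tlv(END, b"")
)

if __name__ == "__main__":
    print(parse_lldpdu(SAMPLE_LLDPDU))
```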
Type TLV Description untagged VLAN to which a port belongs if the port is in Hybrid mode). 127 VLAN Name Indicates the user-defined alphanumeric string that identifies the VLAN. 127 Protocol Identity Indicates the protocols that the port can process. The Dell Networking OS does not currently support this TLV. 127 MAC/PHY Configuration/Status Indicates the capability and current setting of the duplex status and bit rate, and whether the current settings are the result of auto-negotiation.
devices can advertise their characteristics and configuration information; the OUI for the Telecommunications Industry Association (TIA) is 00-12-BB. • LLDP-MED Endpoint Device — any device that is on an IEEE 802 LAN network edge can communicate using IP and uses the LLDP-MED framework. • LLDP-MED Network Connectivity Device — any device that provides access to an IEEE 802 LAN to an LLDP-MED endpoint device and supports IEEE 802.1AB (LLDP) and TIA-1057 (LLDP-MED).
Type SubType TLV Description • 127 4 Inventory Management TLVs Implementation of this set of TLVs is optional in LLDP-MED devices. None or all TLVs must be supported. The Dell Networking OS does not currently support these TLVs. 127 Emergency Call Services ELIN Location Identification Indicates power requirements, priority, and power status. 5 Inventory — Hardware Revision Indicates the hardware revision of the LLDPMED device.
When you enable LLDP-MED in Dell Networking OS (using the advertise med command), the system begins transmitting this TLV.
Figure 74. LLDP-MED Capabilities TLV
Table 35. Dell Networking OS LLDP-MED Capabilities
Bit Position  TLV                         Dell Networking OS Support
0             LLDP-MED Capabilities       Yes
1             Network Policy              Yes
2             Location Identification     Yes
3             Extended Power via MDI-PSE  Yes
4             Extended Power via MDI-PD   No
5             Inventory                   No
6–15          reserved                    No
Table 36.
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the CLI (Advertising TLVs). NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection.
Extended Power via MDI TLV The extended power via MDI TLV enables advanced PoE management between LLDP-MED endpoints and network connectivity devices. Advertise the extended power via MDI on all ports that are connected to an 802.3af powered, LLDP-MED endpoint device. • Power Type — there are two possible power types: power source entity (PSE) or power device (PD). The Dell Networking system is a PSE, which corresponds to a value of 0, based on the TIA-1057 specification.
Important Points to Remember • LLDP is enabled by default. • Dell Networking systems support up to eight neighbors per interface. • Dell Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000. • INTERFACE level configurations override all CONFIGURATION level configurations. • LLDP is not hitless.
Enabling LLDP LLDP is enabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command. 1. Enter Protocol LLDP mode. CONFIGURATION or INTERFACE mode protocol lldp 2. Enable LLDP. PROTOCOL LLDP mode no disable Disabling and Undoing LLDP To disable or undo LLDP, use the following command. • Disable LLDP globally or for an interface.
• For TIA-1057 TLVs: – guest-voice – guest-voice-signaling – location-identification – power-via-mdi – softphone-voice – streaming-video – video-conferencing – video-signaling – voice – voice-signaling In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 77. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration.
hello 10 no disable R1(conf-lldp)# R1(conf-lldp)#exit R1(conf)#interface gigabitethernet 1/31 R1(conf-if-gi-1/31)#show config ! interface GigabitEthernet 1/31 no ip address switchport no shutdown R1(conf-if-gi-1/31)#protocol lldp R1(conf-if-gi-1/31-lldp)#show config ! protocol lldp R1(conf-if-gi-1/31-lldp)# Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
Locally assigned remote Neighbor Index: 7 Remote TTL: 120 Information valid for next 105 seconds Time since last information change of this neighbor: 1d21h56m Remote System Desc: Emulex OneConnect 10Gb Multi function Adapter Existing System Capabilities: Station only Enabled System Capabilities: Station only --------------------------------------------------------------------------======================================================================== Local Interface Te 0/3 has 1 neighbor Total Frames Out:
R1(conf-lldp)#no mode R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring Transmit and Receive Mode After you enable LLDP, Dell Networking systems transmit and receive LLDPDUs by default. To configure the system to transmit or receive only and return to the default, use the following commands. • Transmit only.
no disable
R1(conf-lldp)#
Configuring a Time to Live
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds.
• Adjust the TTL value.
CONFIGURATION mode or INTERFACE mode.
multiplier
• Return to the default multiplier value.
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
debug lldp detail
Figure 78. The debug lldp detail Command — LLDPDU Packet Dissection
Relevant Management Objects
Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
• received and transmitted TLVs
• the LLDP configuration on the local agent
• IEEE 802.
Table 38. LLDP Configuration MIB Objects
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
LLDP Configuration | adminStatus | lldpPortConfigAdminStatus | Whether you enable the local LLDP agent for transmit, receive, or both.
LLDP Configuration | msgTxHold | lldpMessageTxHoldMultiplier | Multiplier value.
LLDP Configuration | msgTxInterval | lldpMessageTxInterval | Transmit Interval value.
LLDP Configuration | rxInfoTTL | lldpRxInfoTTL | Time to live for received TLVs.
LLDP Configuration | txInfoTTL | lldpTxInfoTTL | Time to live for transmitted TLVs.
Basic TLV Selection
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
 | statsTLVsUnrecognizedTotal | lldpStatsRxPortTLVsUnrecognizedTotal | Total number of all TLVs the local agent does not recognize.
Table 39.
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
 | | | Remote | lldpRemManAddrSubtype
 | | management address | Local | lldpLocManAddr
 | | | Remote | lldpRemManAddr
 | | interface numbering subtype | Local | lldpLocManAddrIfSubtype
 | | | Remote | lldpRemManAddrIfSubtype
 | | interface number | Local | lldpLocManAddrIfId
 | | | Remote | lldpRemManAddrIfId
 | | OID | Local | lldpLocManAddrOID
 | | | Remote | lldpRemManAddrOID
Table 40. LLDP 802.
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
 | | | Remote | lldpXdot1RemVlanName
 | | VLAN name | Local | lldpXdot1LocVlanName
 | | | Remote | lldpXdot1RemVlanName
Table 41.
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
 | | L2 Priority | Local | lldpXMedLocMediaPolicyPriority
 | | | Remote | lldpXMedRemMediaPolicyPriority
 | | DSCP Value | Local | lldpXMedLocMediaPolicyDscp
 | | | Remote | lldpXMedRemMediaPolicyDscp
3 | Location Ident | | Local | lldpXMedLocLocationSubtype
 | | | Remote | lldpXMedRemLocationSubtype
 | | | Local | lldpXMedLocLocationInfo
 | | | Remote | lldpXMedRemLocationInfo
 | | | Local | lldpXMedLocXPoEDeviceType
 | | | Remote | lldpXMedRemXPoEDeviceType
 | | | Local | lldpXMedLocXPoEPSEPowerSource
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
 | | Power Value | Local | lldpXMedLocXPoEPSEPortPowerAv, lldpXMedLocXPoEPDPowerReq
 | | | Remote | lldpXMedRemXPoEPSEPowerAv, lldpXMedRemXPoEPDPowerReq
30 Microsoft Network Load Balancing
Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With NLB, the data frame is forwarded to all the servers for them to perform load-balancing. NLB Multicast Mode Scenario Consider a sample topology in which four servers, namely S1 through S4, are configured as a cluster or a farm. This set of servers is connected to a Layer 3 switch, which in turn is connected to the end-clients. They contain a single multicast MAC address (MAC-Cluster: 03-00-5E-11-11-11).
Enable and Disable VLAN Flooding • The older ARP entries are overwritten whenever newer NLB entries are learned. • All ARP entries, learned after the feature is enabled, are deleted when the feature is disabled, and RP2 triggers an ARP resolution. The feature is disabled with the no ip vlan-flooding command. • When a port is added to the VLAN, the port automatically receives traffic if the feature is enabled. Old ARP entries are not deleted or updated.
31 Multicast Source Discovery Protocol (MSDP)
Multicast source discovery protocol (MSDP) is supported on the MXL switch platform.
Protocol Overview
MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 79. Multicast Source Discovery Protocol (MSDP) RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 80.
Anycast RP
Using MSDP, anycast RP provides load sharing and redundancy in PIM-SM networks. Anycast RP allows two or more rendezvous points (RPs) to share the load for source registration and to act as hot backup routers for each other. Anycast RP allows you to configure two or more RPs with the same IP address on Loopback interfaces. The Anycast RP Loopback address is configured with a 32-bit mask, making it a host address.
• Manage the Source-Active Cache
• Accept Source-Active Messages that Fail the RPF Check
• Limiting the Source-Active Messages from a Peer
• Preventing MSDP from Caching a Local Source
• Preventing MSDP from Caching a Remote Source
• Preventing MSDP from Advertising a Local Source
• Terminating a Peership
• Clearing Peer Statistics
• Debugging MSDP
• Anycast RP
• MSDP Sample Configurations
Figure 81.
Figure 82.
Figure 83.
Figure 84. Configuring MSDP Enabling MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains.
Example of Configuring MSDP
Example of Viewing Peer Information
R3_E600(conf)#ip multicast-msdp
R3_E600(conf)#ip msdp peer 192.168.0.1 connect-source Loopback 0
R3_E600(conf)#do show ip msdp summary
Peer Addr     Local Addr    State        Source  SA  Up/Down   Description
192.168.0.1   192.168.0.3   Established  Lo 0    1   00:05:29
To view details about a peer, use the show ip msdp peer command in EXEC privilege mode.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache).
Limiting the Source-Active Cache Set the upper limit of the number of active sources that the Dell Networking operating system caches. The default active source limit is 500K messages. When the total number of active sources reaches the specified limit, subsequent active sources are dropped even if they pass the reverse path forwarding (RPF) and policy check. To limit the number of sources that SA cache stores, use the following command. • Limit the number of sources that can be stored in the SA cache.
Figure 85.
Figure 86.
Figure 87.
Figure 88. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
Dell(conf)#ip access-list standard fifty
Dell(conf)#seq 5 permit host 200.0.0.50
Dell#ip msdp sa-cache
MSDP Source-Active Cache - 3 entries
GroupAddr    SourceAddr   RPAddr       LearnedFrom
229.0.50.2   24.0.50.2    200.0.0.50   10.0.50.2
229.0.50.3   24.0.50.3    200.0.0.50   10.0.50.2
229.0.50.4   24.0.50.4    200.0.0.50   10.0.50.2
Dell#ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr    RPAddr
00:33:18   229.0.50.64   24.0.50.64    200.0.1.50
00:33:18   229.0.50.65   24.0.50.
Example of Verifying the System is not Caching Local Sources When you apply this filter, the SA cache is not affected immediately. When sources that are denied by the ACL time out, they are not refreshed. Until they time out, they continue to reside in the cache. To apply the redistribute filter to entries already present in the SA cache, first clear the SA cache. You may optionally store denied sources in the rejected SA cache. R1_E600(conf)#do show run msdp ! ip multicast-msdp ip msdp peer 192.168.0.
R3_E600(conf)#do show ip msdp sa-cache R3_E600(conf)# R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 0.0.0.0(639) Connect Source: Lo 0 State: Listening Up/Down Time: 00:01:19 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none Preventing MSDP from Advertising a Local Source To prevent MSDP from advertising a local source, use the following command.
Logging Changes in Peership States To log changes in peership states, use the following command. • Log peership state changes. CONFIGURATION mode ip msdp log-adjacency-changes Terminating a Peership MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. • Terminate the TCP connection with a peer.
Example of the clear ip msdp peer Command and Verifying Statistics are Cleared R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.3(639) Connect Source: Lo 0 State: Established Up/Down Time: 00:04:26 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 5/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none R3_E600(conf)#do clear ip msdp peer 192.168.0.
technique is less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions.
• lack of scalable register decapsulation: With only a single RP per group, all joins are sent to that RP regardless of the topological distance between the RP, sources, and receivers, and data is transmitted to the RP until the SPT switch threshold is reached.
Configuring Anycast RP To configure anycast RP, use the following commands. 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
CONFIGURATION mode ip msdp originator-id Example of R1 Configuration for MSDP with Anycast RP Example of R2 Configuration for MSDP with Anycast RP Example of R3 Configuration for MSDP with Anycast RP ip multicast-routing ! interface GigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface GigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.
ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.22/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.22/32 area 0 redistribute static redistribute connected redistribute bgp 100 ! router bgp 100 redistribute ospf 1 neighbor 192.168.0.3 remote-as 200 neighbor 192.168.0.3 ebgp-multihop 255 neighbor 192.168.0.
neighbor 192.168.0.22 ebgp-multihop 255
neighbor 192.168.0.22 update-source Loopback 0
neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.23
ip route 192.168.0.22/32 10.11.0.23
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.
interface GigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface GigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface GigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip address 192.168.0.2/32 no shutdown ! router ospf 1 network 10.11.1.0/24 area 0 network 10.11.4.0/24 area 0 network 192.168.0.
redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.1 connect-source Loopback 0 ! ip route 192.168.0.2/32 10.11.0.23 ip multicast-routing ! interface GigabitEthernet 4/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown ! interface GigabitEthernet 4/22 ip address 10.10.42.
32 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). Protocol Overview MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. In contrast, PVST+ allows a spanning tree instance for each VLAN.
Spanning Tree Variations
The Dell Networking operating system (OS) supports four variations of spanning tree, as shown in the following table.
Table 42. Spanning Tree Variations
Dell Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.1d
Rapid Spanning Tree Protocol (RSTP) | 802.1w
Multicast Source Discovery Protocol (MSDP) | 802.1s
Per-VLAN Spanning Tree Plus (PVST+) | Third Party
Implementation Information
The following describes the MSTP implementation information.
• SNMP Traps for Root Elections and Topology Changes Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • Within an MSTI, only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. 1. Enter PROTOCOL MSTP mode.
All bridges in the MSTP region must have the same VLAN-to-instance mapping. To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode. To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
Dell#show spanning-tree msti 1
MSTI 1 VLANs mapped 100
Root Identifier has priority 32768, Address 0001.e806.
Dell(conf-mstp)#msti 2 bridge-priority 0 Dell(conf-mstp)#show config ! protocol spanning-tree mstp MSTI 2 bridge-priority 0 Dell(conf-mstp)# Interoperate with Non-Dell Networking OS Bridges The Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities: • Name is a mnemonic string you assign to the region. The default region name is null. • Revision is a 2-byte number. The default revision number is 0.
1 100
2 200-300
Modifying Global Parameters
The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
• Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
• Hello-time — the time interval in which the bridge sends MSTP bridge protocol data units (BPDUs).
The default is 20. Example of the forward-delay Parameter To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
Modifying the Interface Parameters
You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port.
• Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority influences the likelihood that a port is selected to be a forwarding port when several ports have the same port cost.
on-violation option causes the interface hardware to be shut down when it receives a BPDU. When you implement only bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree.
To view the enable status of this feature, use the show running-config spanning-tree mstp command from EXEC Privilege mode. MSTP Sample Configurations The running-configurations support the topology shown in the following illustration. The configurations are from Dell Networking OS systems. Figure 92. MSTP with Three VLANs Mapped to Two Spanning Tree Instances Router 1 Running-Configuration This example uses the following steps: 1.
!
(Step 3)
interface Vlan 100
no ip address
tagged GigabitEthernet 1/21,31
no shutdown
!
interface Vlan 200
no ip address
tagged GigabitEthernet 1/21,31
no shutdown
!
interface Vlan 300
no ip address
tagged GigabitEthernet 1/21,31
no shutdown
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
Router 3 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
(Step 2)
interface 1/0/31
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
interface 1/0/32
no shutdown
spanning-tree port mode enable
switchport protected 0
exit
(Step 3)
interface vlan 100
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 200
tagged 1/0/31
tagged 1/0/32
exit
interface vlan 300
tagged 1/0/31
tagged 1/0/32
exit
Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
• MSTP flags indicate communication received from the same region. – As shown in the following, the MSTP routers are located in the same region. – Does the debug log indicate that packets are coming from a “Different Region”? If so, one of the key parameters is not matching. • MSTP Region Name and Revision. – The configured name and revisions must be identical among all the routers.
The bold line in the following example shows that the MSTP routers are in different regions and are not communicating with each other.
4w0d4h : MSTP: Received BPDU on TenGig 2/21 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78
Different Region
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.
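A "Different Region" flag means one of the key region parameters (name, revision, VLAN-to-instance mapping) differs between bridges. The following added example, which is not part of the Dell guide, compares those three parameters across saved MSTP stanzas and reports which one mismatches. The sample stanzas are constructed, and the `name`, `revision`, and `MSTI <n> VLAN <list>` line syntax is an assumption modeled on the `show config` output style used in this chapter.

```python
import re

def expand_vlans(spec):
    """Expand a VLAN list such as '200,300' or '200-300' into a set of IDs."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(vlans)

def parse_region(config):
    """Extract the three region parameters from one bridge's MSTP stanza."""
    # Defaults stated in the guide: null region name, revision 0.
    region = {"name": "", "revision": 0, "mapping": {}}
    in_mstp = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower() == "protocol spanning-tree mstp":
            in_mstp = True
        elif line == "!":
            in_mstp = False
        elif in_mstp:
            if m := re.fullmatch(r"name\s+(\S+)", line):
                region["name"] = m.group(1)          # compared case-sensitively
            elif m := re.fullmatch(r"revision\s+(\d+)", line):
                region["revision"] = int(m.group(1))
            elif m := re.fullmatch(r"msti\s+(\d+)\s+vlan\s+(\S.*)", line, re.I):
                inst = int(m.group(1))
                seen = region["mapping"].get(inst, frozenset())
                region["mapping"][inst] = seen | expand_vlans(m.group(2))
    return region

def region_mismatches(configs):
    """Return {parameter: {bridge: value}} for every parameter that differs."""
    regions = {bridge: parse_region(text) for bridge, text in configs.items()}
    diffs = {}
    for key in ("name", "revision", "mapping"):
        values = {bridge: region[key] for bridge, region in regions.items()}
        distinct = []
        for value in values.values():
            if value not in distinct:
                distinct.append(value)
        if len(distinct) > 1:
            diffs[key] = values
    return diffs

# Constructed sample stanzas (not taken from the guide).
SAMPLE_CONFIGS = {
    "R1": """
protocol spanning-tree mstp
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200,300
!
""",
    # Same region as R1; the VLAN list is only written in a different order.
    "R2": """
protocol spanning-tree mstp
 no disable
 name Tahiti
 revision 123
 MSTI 1 VLAN 100
 MSTI 2 VLAN 300,200
!
""",
    # Revision omitted (falls back to 0) and a range instead of two VLANs.
    "R3": """
protocol spanning-tree mstp
 no disable
 name Tahiti
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
!
""",
}

if __name__ == "__main__":
    for parameter, per_bridge in region_mismatches(SAMPLE_CONFIGS).items():
        print(f"{parameter} differs:")
        for bridge, value in per_bridge.items():
            print(f"  {bridge}: {value if parameter != 'mapping' else {k: len(v) for k, v in value.items()}}")
```

For R3 the report names both `revision` (default 0 against 123) and `mapping` (MSTI 2 covers 101 VLANs instead of two), which are the kinds of differences that put a bridge in a different region.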
33 Multicast Features
Multicast features are supported on the MXL switch platform. The Dell Networking operating system (OS) supports the following multicast protocols:
• PIM Sparse-Mode (PIM-SM)
• PIM Source-Specific Mode (PIM-SSM)
• Internet Group Management Protocol (IGMP)
• Multicast Source Discovery Protocol (MSDP)
Enabling IP Multicast
Prior to enabling any multicast protocols, you must enable multicast routing.
• Enable multicast routing.
Figure 93. Multicast with ECMP Implementation Information Because protocol control traffic in the Networking OS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, the Dell Networking OS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper 5 bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address.
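The 32-to-1 mapping described above can be checked before a group range is assigned. This added example (not part of the Dell guide) maps an IPv4 group to its Ethernet address, lists the 32 groups behind one MAC, and flags data groups that share a MAC with PIM-SM control traffic; the group list passed in the test data is constructed, and only the PIM-SM row visible in this guide's table is used as a control address.

```python
import ipaddress

def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet address.

    The MAC is 01:00:5e followed by the low 23 bits of the group address;
    the fixed 1110 prefix and the next 5 bits are not carried over.
    """
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    octets = (0x01, 0x00, 0x5E, low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)
    return ":".join(f"{o:02x}" for o in octets)

def aliases(mac):
    """Return the 32 IPv4 groups that all translate to the given MAC."""
    parts = [int(p, 16) for p in mac.split(":")]
    if len(parts) != 6 or parts[:3] != [0x01, 0x00, 0x5E] or parts[3] & 0x80:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = (parts[3] << 16) | (parts[4] << 8) | parts[5]
    # Rebuild the address for every value of the 5 dropped bits.
    return [
        str(ipaddress.IPv4Address((0b1110 << 28) | (dropped << 23) | low23))
        for dropped in range(32)
    ]

# Control group behind the PIM-SM row of the guide's table
# (01:00:5e:00:00:0d is the MAC of 224.0.0.13).
CONTROL_GROUPS = {"224.0.0.13": "PIM-SM"}

def control_collisions(groups):
    """Return {data_group: protocol} for groups that share a control MAC.

    Traffic to these groups matches the same MAC as protocol control
    traffic, so it may be sent to the CPU as well as forwarded.
    """
    control_macs = {multicast_mac(g): proto for g, proto in CONTROL_GROUPS.items()}
    return {
        g: control_macs[multicast_mac(g)]
        for g in groups
        if g not in CONTROL_GROUPS and multicast_mac(g) in control_macs
    }

if __name__ == "__main__":
    print(multicast_mac("224.0.0.13"))
    print(aliases("01:00:5e:00:00:0d"))
    print(control_collisions(["239.128.0.13", "239.1.1.1", "225.0.0.13"]))
```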
Protocol | Ethernet Address
PIM-SM | 01:00:5e:00:00:0d
• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• Egress L3 ACL is not applied to multicast data traffic if you enable multicast routing.
First Packet Forwarding for Lossless Multicast
Beginning with the Dell Networking OS version 8.3.1.
• If the limit is increased after it is reached, subsequent join requests are accepted. In this case, increase the limit by at least 10% for IGMP and MLD to resume.
• If the limit is decreased after it is reached, the system does not clear the existing sessions. Entries are cleared after a timeout (you may also clear entries using clear ip mroute).
NOTE: The Dell Networking OS waits at least 30 seconds between stopping and starting IGMP join processing.
239.0.0.1 and 239.0.0.2, a multicast routing table entry is created only for group 239.0.0.1. VLAN 300 has no access list limiting Receiver 1, so both IGMP reports are accepted, and two corresponding entries are created in the routing table.
Figure 94. Preventing a Host from Joining a Group
Table 44. Preventing a Host from Joining a Group — Description
Location Description
1/21
• Interface GigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.
Location Description
• no shutdown
1/31
• Interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.1/24
• no shutdown
2/1
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.
Location Description
• ip igmp access-group igmpjoinfilR2G2
• no shutdown
Rate Limiting IGMP Join Requests
If you expect a burst of IGMP Joins, protect the IGMP process from overload by limiting the rate at which new groups can be joined. Hosts whose IGMP requests are denied use the retry mechanism built into IGMP, so that their membership is delayed rather than permanently denied.
• Limit the rate at which new groups can be joined.
Figure 95. Preventing a Source from Transmitting to a Group
Table 45. Preventing a Source from Transmitting to a Group — Description
Location Description
1/21
• Interface GigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.1/24
• no shutdown
1/31
• Interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.
Location Description
• no shutdown
2/1
• Interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.1/24
• no shutdown
2/11
• Interface GigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31
• Interface GigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.1/24
• no shutdown
3/1
• Interface GigabitEthernet 3/1
• ip pim sparse-mode
• ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
34 Open Shortest Path First (OSPFv2 and OSPFv3)
Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on the MXL switch platform. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking operating system (OS).
NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Areas allow you to further organize your routers within the AS. One or more areas are required within the AS. Areas are valuable in that they allow sub-networks to "hide" within the AS, thus minimizing the size of the routing tables on all routers. An area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address.
Figure 96. Autonomous System Areas
Area Types
The backbone of the network is Area 0. It is also called Area 0.0.0.
In the previous example, Routers A, B, C, G, H, and I are the Backbone.
• A stub area (SA) does not receive external route information, except for the default route. These areas do receive information from inter-area (IA) routes.
NOTE: Configure all routers within an assigned stub area as stubby, and do not generate LSAs that do not apply. For example, a Type 5 LSA is intended for external areas and the Stubby area routers may not generate external LSAs. A virtual link cannot traverse stubby areas.
Figure 97. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
Internal Router (IR)
The internal router (IR) has adjacencies with ONLY routers in the same area, such as Routers E, M, and I shown in the previous example.
Designated and Backup Designated Routers
OSPF elects a designated router (DR) and a backup designated router (BDR). Among other things, the DR is responsible for generating LSAs for the entire multiaccess network.
external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links. • Type 9: Link Local LSA (OSPFv2), Intra-Area-Prefix LSA (OSPFv3) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370. For OSPFv3, this LSA carries the IPv6 prefixes of the router and network links.
Figure 98. Priority and Cost Examples
OSPF with the Dell Networking OS
The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within those 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. The Dell Networking OS version 7.8.1.0 and later supports multiple OSPF processes (OSPF MP). The MXL switch supports up to 16 processes simultaneously. On OSPFv3, the system supports only one process at a time for all platforms.
• External LSA (type 7)
• Link LSA, OSPFv3 only (type 8)
• Opaque Link-Local (type 9)
• Grace LSA, OSPFv3 only (type 11)
Graceful Restart
Graceful restart for OSPFv2 and OSPFv3 is supported in Helper and Restart modes. When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays.
• If multiple OSPF interfaces provide communication between two routers, after you configure helper-reject on one interface, all other interfaces between the two routers behave as if they are in the helper-reject role.
• OSPFv2 and OSPFv3 support planned-only and/or unplanned-only restarts. The default is support for both planned and unplanned restarts. A planned restart occurs when you enter the redundancy force-failover rpm command to force the primary RPM to switch to the backup RPM.
RFC-2328 Compliant OSPF Flooding In OSPF, flooding is the most resource-consuming task. The flooding algorithm described in RFC 2328 requires that OSPF flood LSAs on all interfaces, as governed by LSA’s flooding scope (refer to Section 13 of the RFC.) When multiple direct links connect two routers, the RFC 2328 flooding algorithm generates significant redundant information across all links.
Number of area in this router is 1, normal 0 stub 0 nssa 1 --More-- OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
Configuration Information The interfaces must be in Layer-3 mode (assigned an IP address) and enabled so that they can send and receive traffic. The OSPF process must know about these interfaces. To make the OSPF process aware of these interfaces, they must be assigned to OSPF areas. You must configure OSPF GLOBALLY on the system in CONFIGURATION mode. OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface. NOTE: By default, OSPF is disabled.
ip address ip-address mask The format is A.B.C.D/M. If you are using a Loopback interface, refer to Loopback Interfaces. 2. Enable the interface. CONFIG-INTERFACE mode no shutdown 3. Return to CONFIGURATION mode to enable the OSPFv2 process globally. CONFIGURATION mode router ospf process-id [vrf {vrf name}] • vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
Example of Viewing the Current OSPFv2 Status Dell#show ip ospf 55555 Routing Process ospf 55555 with ID 10.10.10.10 Supports only single TOS (TOS0) routes SPF schedule delay 5 secs, Hold time between two SPFs 10 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 Dell# Enabling Multi-Process OSPF (OSPFv2, IPv4 Only) Multi-process OSPF allows multiple OSPFv2 processes on a single router. The MXL switch supports up to 16 OSPFv2 processes.
The OSPFv2 process evaluates the network commands in the order they are configured. Assign the network address that is most explicit first to include all subnets of that address. For example, if you assign the network address 10.0.0.0 /8, you cannot assign the network address 10.1.0.0 /16 because it is already included in the first network address.
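The ordering rule above can be checked before a list of network statements is entered. This added example (not from the Dell guide) flags statements that an earlier, broader statement already includes and returns a most-explicit-first order; the sample statements are constructed and follow the `network <address>/<mask> area <id>` form shown in this guide's sample configurations.

```python
import ipaddress
import re

# Accepts both "10.0.0.0/8" and the "10.0.0.0 /8" spelling used in the prose.
NETWORK_RE = re.compile(
    r"network\s+(\d+\.\d+\.\d+\.\d+)\s*/\s*(\d+)\s+area\s+(\S+)", re.I
)

def parse_networks(lines):
    """Return [(IPv4Network, area)] in the order the statements appear."""
    statements = []
    for line in lines:
        m = NETWORK_RE.search(line)
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            statements.append((net, m.group(3)))
    return statements

def shadowed(statements):
    """Return (later, earlier) pairs where 'earlier' already includes 'later'.

    Statements are evaluated in configured order, so a subnet entered after
    its supernet is already covered by the first statement.
    """
    hits = []
    for index, (net, area) in enumerate(statements):
        for prev_net, prev_area in statements[:index]:
            if net.subnet_of(prev_net):
                hits.append(((str(net), area), (str(prev_net), prev_area)))
                break
    return hits

def most_explicit_first(statements):
    """Reorder so longer prefixes come first (stable for equal lengths)."""
    return sorted(statements, key=lambda s: -s[0].prefixlen)

# Constructed sample input (not taken from the guide).
SAMPLE = [
    "network 10.0.0.0/8 area 0",
    "network 10.1.0.0/16 area 1",
    "network 192.168.0.22/32 area 0",
    "network 10.1.2.0 /24 area 2",
]

if __name__ == "__main__":
    stmts = parse_networks(SAMPLE)
    for later, earlier in shadowed(stmts):
        print(f"{later[0]} (area {later[1]}) is already included in "
              f"{earlier[0]} (area {earlier[1]})")
    print("suggested order:")
    for net, area in most_explicit_first(stmts):
        print(f"  network {net} area {area}")
```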
To view the configuration, use the show config command in CONFIGURATION ROUTER OSPF mode. OSPF, by default, sends hello packets out to all physical interfaces assigned an IP address that is a subset of a network on which OSPF is enabled. To view currently active interfaces and the areas assigned to them, use the show ip ospf interface command. Dell>show ip ospf 1 interface TenGigabitEthernet 12/17 is up, line protocol is up Internet Address 10.2.2.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.
Configuring Stub Areas OSPF supports different types of LSAs to help reduce the amount of router processing within the areas. Type 5 LSAs are not flooded into stub areas; the ABR advertises a default route into the stub area to which it is attached. Stub area routers use the default route to reach external destinations. To ensure connectivity in your OSPFv2 network, never configure the backbone area as a stub area. To configure a stub area, use the following commands. 1.
transmit at the max-interval. If the system is stable for twice the maximum interval time, the system reverts to the start-interval timer and the cycle begins again.
1. Specify the interval times for all LSA transmissions.
CONFIG-ROUTEROSPF-id mode
timers throttle lsa all {start-interval | hold-interval | max-interval}
• start-interval: set the minimum interval between the initial sending and resending the same LSA. The range is from 0 to 600,000 milliseconds.
To enable both receiving and sending routing updates, use the no passive-interface interface command. Example of Viewing Passive Interfaces When you configure a passive interface, the show ip ospf process-id interface command adds the words passive interface to indicate that the hello packets are not transmitted on that interface (shown in bold). Dell#show ip ospf 34 int TenGigabitEthernet 0/0 is up, line protocol is down Internet Address 10.1.2.100/24, Area 1.1.1.1 Process ID 34, Router ID 10.1.2.
NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support. Example of the fast-converge Command Example of Disabling Fast-Convergence In the examples below, Convergence Level shows the fast-converge parameter setting and Min LSA origination shows the LSA parameters (shown in bold).
• The dead interval must be the same on all routers in the OSPF network. Change the time interval between hello-packet transmission. CONFIG-INTERFACE mode ip ospf hello-interval seconds – seconds: the range is from 1 to 65535 (the default is 10 seconds). • The hello interval must be the same on all routers in the OSPF network. Use the MD5 algorithm to produce a message digest or key, which is sent instead of the key.
The bold lines in the example show the change on the interface. The change is reflected in the OSPF configuration. Dell(conf-if)#ip ospf cost 45 Dell(conf-if)#show config ! interface TenGigabitEthernet 0/0 ip address 10.1.2.100 255.255.255.0 no shutdown ip ospf cost 45 Dell(conf-if)#end Dell#show ip ospf 34 interface GigabitEthernet 0/0 is up, line protocol is up Internet Address 10.1.2.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.
• grace period — the length of time the graceful restart process can last before OSPF terminates it. • helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router. • mode — the situation or situations that trigger a graceful restart. • role — the role or roles the configured router can perform. NOTE: By default, OSPFv2 graceful restart is disabled. To enable and configure OSPFv2 graceful restart, use the following commands. 1.
For more information about OSPF graceful restart, refer to the Dell Networking OS Command Line Reference Guide. Example of the show run ospf Command When you configure a graceful restart on an OSPFv2 router, the show run ospf command displays information similar to the following. Dell#show run ospf ! router ospf 1 graceful-restart grace-period 300 graceful-restart role helper-only graceful-restart mode unplanned-only graceful-restart helper-reject 10.1.1.1 graceful-restart helper-reject 20.1.1.1 network 10.
distribute-list prefix-list-name out [connected | ospf | rip | static] Redistributing Routes You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. NOTE: Do not route iBGP routes to OSPF unless there are route-maps associated with the OSPF redistribution. To redistribute routes, use the following command.
• Have the routes been included in the OSPF database? • Have the OSPF routes been included in the routing table (not just the OSPF database)? Some useful troubleshooting commands are: • show interfaces • show protocols • debug IP OSPF events and/or packets • show neighbors • show routes To help troubleshoot OSPFv2, use the following commands. • View the summary of all OSPF process IDs enabled on the router.
Example of Viewing OSPF Configuration Dell#show run ospf ! router ospf 3 ! router ospf 4 router-id 4.4.4.4 network 4.4.4.0/28 area 1 ! router ospf 5 ! router ospf 6 ! router ospf 7 mib-binding ! router ospf 8 ! router ospf 90 area 2 virtual-link 4.4.4.4 area 2 virtual-link 90.90.90.90 retransmit-interval 300 ! ipv6 router ospf 999 default-information originate always router-id 10.10.10.10 Dell# Sample Configurations for OSPFv2 The following configurations are examples for enabling OSPFv2.
Figure 99. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Gl 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface GigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface GigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Gl 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.0/24 area 0 network 10.
OSPF Area 0 — Gl 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface GigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface GigabitEthernet 2/2 ip address 10.2.22.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1. Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface.
– number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF. CONFIGURATION mode • no ipv6 router ospf process-id Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process Configuring Stub Areas To configure IPv6 stub areas, use the following command. • Configure the area as a stub area.
To indicate that hello packets are not transmitted on that interface, when you configure a passive interface, the show ipv6 ospf interface command adds the words passive interface. Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF Routing process IDs.
period command. The grace period is the time that the OSPFv3 neighbors continue to advertise the restarting router as though it is fully adjacent. When you enable graceful restart (restarting role), an OSPFv3 restarting router expects its OSPFv3 neighbors to help when it restarts by not advertising the broken link. When you enable the helper-reject role on an interface using the ipv6 ospf graceful-restart helper-reject command, you reconfigure OSPFv3 graceful restart to function in a restarting-only role.
• Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example). EXEC Privilege mode • show ipv6 ospf database grace-lsa Display the currently configured OSPFv3 parameters for graceful restart (shown in the following example).
Dell#show ipv6 ospf database grace-lsa
!
Type-11 Grace LSA (Area 0)
LS Age               : 10
Link State ID        : 6.16.192.66
Advertising Router   : 100.1.1.1
LS Seq Number        : 0x80000001
Checksum             : 0x1DF1
Length               : 36
Associated Interface : Gi 5/3
Restart Interval     : 180
Restart Reason       : Switch to Redundant Processor
OSPFv3 Authentication Using IPsec OSPFv3 authentication using IP security (IPsec) is supported on the MXL switch. Starting in Dell Networking OS version 8.4.2.
between the two mechanisms is the extent of the coverage. ESP only protects IP header fields if they are encapsulated by ESP. You decide the set of IPsec protocols that are employed for authentication and encryption and the ways in which they are employed. When you correctly implement and deploy IPsec, it does not adversely affect users or hosts. AH and ESP are designed to be cryptographic algorithm-independent.
– Configuring IPsec Authentication on an Interface – Configuring IPsec Encryption on an Interface – Configuring IPSec Authentication for an OSPFv3 Area – Configuring IPsec Encryption for an OSPFv3 Area – Displaying OSPFv3 IPsec Security Policies Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands.
NOTE: When you configure encryption using the ipv6 ospf encryption ipsec command, you enable both IPsec encryption and authentication. However, when you enable authentication on an interface using the ipv6 ospf authentication ipsec command, you do not enable encryption at the same time. The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
If you have enabled IPSec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the area at the same time. The configuration of IPSec authentication on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area authentication policy that has been configured is applied to the interface. • Enable IPSec authentication for OSPFv3 packets in an area.
– area area-id: specifies the area for which OSPFv3 traffic is to be encrypted. For area-id, enter a number or an IPv6 prefix. – spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295. – esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported. – key: specifies the text string used in the encryption.
– For a VLAN interface, enter the keywords vlan vlan-id. The valid VLAN IDs are from 1 to 4094. Example of the show crypto ipsec policy Command Example of the show crypto ipsec sa ipv6 Command In the first example, the keys are not encrypted (shown in bold). In the second and third examples, the keys are encrypted (shown in bold).
STATUS : ACTIVE outbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE inbound esp sas outbound esp sas Interface: TenGigabitEthernet 0/1 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) tran
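An added example, not part of the Dell guide: a Python audit of security-association output in the field layout shown above. It flags HMAC-MD5, single-DES and NULL transforms, SAs without replay detection, and an SPI that appears under both an AH and an ESP policy (the guide requires an SPI to be unique to one policy). The sample text, the first interface's policy name and all function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample, one field per line, modelled on the page's
# `show crypto ipsec sa ipv6` output. The 0/1 entry mirrors the values visible
# on the page; the 0/0 interface and policy names are constructed.
SAMPLE = """\
Interface: TenGigabitEthernet 0/0
IPSecv6 policy name: OSPFv3-1-500
inbound ah sas
spi : 500 (0x1f4)
transform : ah-md5-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
outbound ah sas
spi : 500 (0x1f4)
transform : ah-md5-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
inbound esp sas
outbound esp sas
Interface: TenGigabitEthernet 0/1
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
outbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
"""

SECTION = re.compile(r"^(inbound|outbound) (ah|esp) sas$")
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

# Transform tokens worth flagging. RFC 8221 lists DES and HMAC-MD5 as MUST NOT.
WEAK = [
    (re.compile(r"md5"), "HMAC-MD5 integrity"),
    (re.compile(r"(^|-)des$"), "single DES encryption"),
    (re.compile(r"null"), "NULL encryption (no confidentiality)"),
]


def parse_sas(text):
    """Return one dict per SA: interface, policy, direction, protocol, spi, ..."""
    sas, iface, policy, section, current = [], None, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:  # "inbound ah sas" etc. opens a new (possibly empty) section
            section, current = (m.group(1), m.group(2)), None
            continue
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "interface":
            iface, policy, section, current = value, None, None, None
        elif key == "ipsecv6 policy name":
            policy = value
        elif key == "spi" and section:
            current = {"interface": iface, "policy": policy,
                       "direction": section[0], "protocol": section[1],
                       "spi": int(value.split()[0]), "transforms": [], "replay": None}
            sas.append(current)
        elif current is not None and key == "transform":
            current["transforms"] = value.split()
        elif current is not None and key == "replay detection support":
            current["replay"] = value.upper() == "Y"
    return sas


def audit(sas):
    """Return (kind, location, detail) tuples for every finding."""
    findings, protos_by_spi = [], defaultdict(set)
    for sa in sas:
        protos_by_spi[sa["spi"]].add(sa["protocol"])
        where = f'{sa["interface"]} {sa["direction"]} {sa["protocol"]} spi {sa["spi"]}'
        for token in sa["transforms"]:
            for pattern, label in WEAK:
                if pattern.search(token):
                    findings.append(("weak-transform", where, f"{token}: {label}"))
        if sa["replay"] is False:
            findings.append(("no-anti-replay", where, "replay detection support is N"))
    for spi, protos in sorted(protos_by_spi.items()):
        if len(protos) > 1:  # the guide: an SPI belongs to exactly one policy
            findings.append(("spi-reuse", f"spi {spi}", "used by both AH and ESP SAs"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sas(SAMPLE)):
        print(*finding, sep=" | ")
```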
• show virtual links • show ipv6 routes Viewing Summary Information To get general route, configuration, links status, and debug information, use the following commands. • View the summary information of the IPv6 routes. EXEC Privilege mode • show ipv6 route summary View the summary information for the OSPFv3 database. EXEC Privilege mode • show ipv6 ospf database View the configuration of OSPFv3 neighbors.
35 Policy-based Routing (PBR) Policy-based Routing is supported on the MXL platform. This chapter covers the following topics: • Overview • Implementing Policy-based Routing with Dell Networking OS • Configuration Task List for Policy-based Routing • Sample Configuration Overview Policy-based Routing (PBR) enables you to make routing decisions based on policies applied to a specific interface.
To enable a PBR, you create a Redirect List. Redirect lists are defined by rules, or routing policies.
Implementing Policy-based Routing with Dell Networking OS • Non-contiguous bitmasks for PBR • Hot-Lock PBR Non-contiguous bitmasks for PBR Non-contiguous bitmasks for PBR allows more granular and flexible control over routing policies. Network addresses that are in the middle of a subnet can be included or excluded. Specific bitmasks can be entered using the dotted decimal format. Non-contiguous bitmask example Dell#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.
The following example creates a redirect list by the name of “xyz.” Dell(conf)#ip redirect-list ? WORD Redirect-list name (max 16 chars) Dell(conf)#ip redirect-list xyz Create a Rule for a Redirect-list Use the following command in CONFIGURATION REDIRECT-LIST mode to set the rules for the redirect list. You can enter the command multiple times and create a sequence of redirect rules. Use the seq nn redirect version of the command to organize your rules.
Dell(conf-redirect-list)#redirect 3.3.3.3 ? <0-255> An IP protocol number icmp Internet Control Message Protocol ip Any Internet Protocol tcp Transmission Control Protocol udp User Datagram Protocol Dell(conf-redirect-list)#redirect 3.3.3.3 ip ? A.B.C.D Source address any Any source host host A single source host Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ? Mask A.B.C.D or /nn Mask in dotted decimal or in slash format Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 ? A.B.C.
PBR Exceptions (Permit) Use the command permit to create an exception to a redirect list. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. Dell Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Since the order of rules is important, ensure that you configure any necessary sequence numbers.
Applying a Redirect-list to an Interface Example: Dell(conf-if-te-4/0)#ip redirect-group xyz Dell(conf-if-te-4/0)# Applying a Redirect-list to an Interface Example: Dell(conf-if-te-1/0)#ip redirect-group test Dell(conf-if-te-1/0)#ip redirect-group xyz Dell(conf-if-te-1/0)#show config ! interface TenGigabitEthernet 1/0 no ip address ip redirect-group test ip redirect-group xyz shutdown Dell(conf-if-te-1/0)# In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are su
NOTE: If the redirect-list is applied to an interface, the output of the show ip redirect-list redirect-listname command displays reachability and ARP status for the specified next-hop.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-3/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23), ARP resolved seq 10 redirect 10.99.99.254 ip 192.168.2.
36 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is supported on the MXL switch platform. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information Be aware of the following PIM-SM implementation information.
received becomes the outgoing interface associated with the (*,G) entry. This process constructs an RPT branch to the RP. 3. If a host on the same subnet as another multicast receiver sends an IGMP report for the same multicast group, the gateway takes no action.
Important Point to Remember If you use a Loopback interface with a /32 mask as the RP, you must enable PIM Sparse-mode on the interface. Configuring PIM-SM Configuring PIM-SM is a three-step process. 1. Enable multicast routing (refer to the following step). 2. Select a rendezvous point. 3. Enable PIM-SM on an interface. Enable multicast routing. CONFIGURATION mode ip multicast-routing Related Configuration Tasks The following are related PIM-SM configuration tasks.
189.87.31.6  Gi 7/11  0x0  v2/S  0  30  1  127.87.31.6
189.87.50.6  Gi 7/13  0x4  v2/S  1  30  1  127.87.50.6
Dell#
NOTE: You can influence the selection of the Rendezvous Point by enabling PIM-Sparse mode on a Loopback interface and assigning a low IP address. To display PIM neighbors for each interface, use the show ip pim neighbor command in EXEC Privilege mode. Dell#show ip Neighbor Address 127.87.5.5 127.87.3.5 127.87.50.
ip pim sparse-mode sg-expiry-timer seconds The range is from 211 to 86,400 seconds. The default is 210. 2. Create an extended ACL. CONFIGURATION mode ip access-list extended access-list-name 3. Specify the source and group to which the timer is applied using extended ACLs with permit rules only. CONFIG-EXT-NACL mode [seq sequence-number] permit ip {source-address/mask | any | host source-address} {destination-address/mask | any | host destination-address} 4.
ip pim rp-address Example of Viewing an RP on a Loopback Interface Dell#sh run int loop0 ! interface Loopback 0 ip address 1.1.1.1/32 ip pim sparse-mode no shutdown Dell#sh run pim ! ip pim rp-address 1.1.1.1 group-address 224.0.0.0/4 Overriding Bootstrap Router Updates PIM-SM routers must know the address of the RP for each group for which they have a (*,G) entry. This address is obtained automatically through the bootstrap router (BSR) mechanism or a static RP configuration.
INTERFACE mode ip pim dr-priority priority-value • Change the interval at which a router sends hello messages. INTERFACE mode ip pim query-interval seconds • Display the current values of these parameters. EXEC Privilege mode show ip pim interface Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs).
37 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is supported on the MXL switch platform. PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Important Points to Remember • The default SSM range is 232/8 always. Applying an SSM range does not overwrite the default range. Both the default range and SSM range are effective even when the default range is not added to the SSM ACL. • Extended ACLs cannot be used for configuring SSM range. Be sure to create the ACL first and then apply it to the SSM range. • The default range is always supported, so range can never be smaller than the default.
• You may enter multiple ssm-map commands for different access lists. You may also enter multiple ssm-map commands for the same access list, as long as they use different source addresses. • When an extended ACL is associated with this command, the system displays an error message. If you apply an extended ACL before you create it, the system accepts the configuration, but when the ACL is later defined, the system ignores the ACL and the stated mapping has no effect.
Uptime 00:00:05 Expires Never Router mode INCLUDE Last reporter 10.11.4.2 Last reporter mode INCLUDE Last report received ALLOW Group source list Source address Uptime Expires 10.11.5.
38 Port Monitoring Port monitoring is supported on the MXL switch platform. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
2 Te 0/0 Te 0/2 both Port N/A N/A Dell (conf-mon-sess-2)#do show running-config monitor session ! monitor session 1 source TenGigabitEthernet 0/0 destination TenGigabitEthernet 0/1 direction both ! monitor session 2 source TenGigabitEthernet 0/0 destination TenGigabitEthernet 0/2 direction both Dell (conf-mon-sess-2)# ! Configuring Port Monitoring To configure port monitoring, use the following commands. 1.
Dell(conf-mon-sess-1)#flow-based enable
Dell(conf-mon-sess-1)#exit
Dell(conf)#do show monitor session
SessID  Source   Destination  Dir  Mode  Source IP  Dest IP
------  ------   -----------  ---  ----  ---------  -------
0       Te 0/0   Te 0/1       rx   Port  N/A        N/A
0       Po 10    Te 0/1       rx   Port  N/A        N/A
1       Vl 40    Te 0/2       rx   Flow  N/A        N/A
Note: Source as VLAN is achieved via Flow based mirroring. Please refer to the section Enabling Flow-Based monitoring.
flow-based enable 2. Define access-list rules that include the keyword monitor. For port monitoring, Dell Networking OS only considers traffic matching rules with the keyword monitor. CONFIGURATION mode ip access-list Refer to Access Control Lists (ACLs). 3. Apply the ACL to the monitored port.
mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a time-saving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• You cannot configure the dedicated VLAN used to transport mirrored traffic as a source VLAN.
• Egressing remote-vlan packets are rate limited to a default value of 100 Mbps.
In a destination session used for remote port mirroring:
• Maximum number of destination sessions supported on a switch: 64
• Maximum number of ports supported in a destination session: 64.
• You can configure any port as a destination port.
• You can configure additional destination ports in an active session.
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

    NUM  Status    Description  Q Ports
*   1    Inactive
R   100  Active                 T Fo 0/44
R   300  Active                 T Fo 0/52
Configuring the Sample Remote Port Mirroring Remote port mirroring require
Dell(conf)#interface vlan 20 Dell(conf-if-vl-20)#mode remote-port-mirroring Dell(conf-if-vl-20)#tagged te 0/6 Dell(conf-if-vl-20)#exit Dell(conf)#monitor session 2 type rpm Dell(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx Dell(conf-mon-sess-2)#no disable Dell(conf-mon-sess-2)#flow-based enable Dell(conf-mon-sess-2)#exit Dell(conf)#mac access-list standard mac_acl Dell(config-std-macl)#permit 00:00:00:00:11:22 count monitor Dell(config-std-macl)#exit Dell(conf)#interface vlan 100 Dell(
Dell(conf)#interface te 0/2 Dell(conf-if-te-0/2)#switchport Dell(conf-if-te-0/2)#no shutdown Dell(conf-if-te-0/2)#exit Dell(conf)#inte vlan 10 Dell(conf-if-vl-10)#mode remote-port-mirroring Dell(conf-if-vl-10)#tagged te 0/0 Dell(conf-if-vl-10)#exit Dell(conf)#inte vlan 20 Dell(conf-if-vl-20)#mode remote-port-mirroring Dell(conf-if-vl-20)#tagged te 0/1 Dell(conf-if-vl-20)#exit Dell(conf)#interface vlan 30 Dell(conf-if-vl-30)#mode remote-port-mirroring Dell(conf-if-vl-30)#tagged te 0/2 Dell(conf-if-vl-30)#exi
Configuring the Encapsulated Remote Port Mirroring The ERPM session copies traffic from the source ports/lags or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. Important: The steps to be followed for ERPM encapsulation: • Dell Networking OS supports ERPM source sessions only. The encapsulated packets terminate at the destination IP or at the analyzer.
------  ------   -----------  ---  ----  ---------  -------
0       Te 0/9   remote-ip    rx   Port  1.1.1.1    7.1.1.2
0       Po 1     remote-ip    tx   Port  1.1.1.1    7.1.1.2
1       Vl 11    remote-ip    rx   Flow  5.1.1.1    3.1.1.2
To monitor VLANs as a source, an access list with the monitor keyword in its rules must be attached to the VLAN interface.
As seen in the above figure, the packets received/transmitted on Port A will be encapsulated with an IP/GRE header plus a new L2 header and sent to the destination ip address (Port D’s ip address) on the sniffer. The Header that gets attached to the packet is 38 bytes long. If the sniffer does not support IP interface, a destination switch will be needed to receive the encapsulated ERPM packet and locally mirror the whole packet to the Sniffer or a Linux Server.
: Specify another interface on the Linux server via which the decapsulation packets can Egress. In case there is only one interface, the ingress interface itself can be specified as Egress and the analyzer can listen in the tx direction.
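An added example, not part of the Dell guide: an analyzer-side Python routine that validates and removes the ERPM encapsulation so the original mirrored frame can be inspected. It assumes the 38 bytes are an untagged 14-byte Ethernet header, a 20-byte IPv4 header and a 4-byte GRE header (the guide gives only the total); the sample frame, its MAC addresses and its GRE protocol type are constructed, and the outer addresses reuse the 1.1.1.1 and 7.1.1.2 values from the session table above.

```python
import ipaddress
import struct

ETH_LEN = 14             # outer L2 header: dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_BASE_LEN = 4         # flags/version (2 bytes) + protocol type (2 bytes)


class NotErpm(ValueError):
    """Raised when a frame is not an IPv4/GRE-encapsulated mirror copy."""


def strip_erpm_header(frame: bytes) -> dict:
    """Validate the outer Ethernet/IPv4/GRE headers and return the inner frame."""
    if len(frame) < ETH_LEN + 20 + GRE_BASE_LEN:
        raise NotErpm("frame shorter than the 38-byte encapsulation")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        raise NotErpm(f"outer EtherType 0x{ethertype:04x} is not IPv4")
    version = frame[ETH_LEN] >> 4
    ihl = (frame[ETH_LEN] & 0x0F) * 4          # IPv4 header length in bytes
    if version != 4 or ihl < 20:
        raise NotErpm("malformed outer IPv4 header")
    if frame[ETH_LEN + 9] != IPPROTO_GRE:
        raise NotErpm("outer IP protocol is not GRE (47)")
    gre_off = ETH_LEN + ihl
    if len(frame) < gre_off + GRE_BASE_LEN:
        raise NotErpm("truncated GRE header")
    flags, gre_proto = struct.unpack_from("!HH", frame, gre_off)
    if flags & 0x0007:
        raise NotErpm("unsupported GRE version")
    # Optional GRE fields (RFC 2784 / RFC 2890): checksum, key, sequence number.
    optional = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    header_len = gre_off + GRE_BASE_LEN + optional
    if len(frame) <= header_len:
        raise NotErpm("no mirrored frame after the encapsulation")
    return {
        "outer_src": str(ipaddress.IPv4Address(frame[ETH_LEN + 12:ETH_LEN + 16])),
        "outer_dst": str(ipaddress.IPv4Address(frame[ETH_LEN + 16:ETH_LEN + 20])),
        "gre_protocol": gre_proto,
        "header_len": header_len,   # 38 for the untagged case the guide describes
        "inner": frame[header_len:],
    }


def build_sample():
    """Constructed ERPM-style frame; returns (encapsulated frame, inner frame)."""
    inner = (bytes.fromhex("00005e005302") + bytes.fromhex("00005e005301")
             + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed mirrored payload")
    outer_eth = (bytes.fromhex("00005e005304") + bytes.fromhex("00005e005303")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    total_len = 20 + GRE_BASE_LEN + len(inner)
    outer_ip = struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_GRE,
        0,  # header checksum left at zero; the parser above does not verify it
        ipaddress.IPv4Address("1.1.1.1").packed,
        ipaddress.IPv4Address("7.1.1.2").packed)
    gre = struct.pack("!HH", 0, 0x6558)  # constructed protocol type value
    return outer_eth + outer_ip + gre + inner, inner


if __name__ == "__main__":
    frame, _ = build_sample()
    result = strip_erpm_header(frame)
    print(result["outer_src"], "->", result["outer_dst"],
          "header", result["header_len"], "bytes,",
          len(result["inner"]), "bytes of mirrored frame")
```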
39 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on the MXL switch platform. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking operating system (OS) security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A primary VLAN has one or more secondary VLANs. – A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• [no] private-vlan mapping secondary-vlan vlan-list Display type and status of PVLAN interfaces. EXEC mode or EXEC Privilege mode • show interfaces private-vlan [interface interface] Display PVLANs and/or interfaces that are part of a PVLAN. EXEC mode or EXEC Privilege mode • show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] Display primary-secondary VLAN mapping.
4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} • host (isolated or community VLAN port) • promiscuous (intra-VLAN communication port) • trunk (inter-switch PVLAN hub port) Example of the switchport mode private-vlan Command For interface details, refer to Enabling a Physical Interface in the Interfaces chapter. NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs.
The list of secondary VLANs can be: • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). • Specified with this command even before they have been created. • Amended by specifying the new secondary VLAN to be added to the list. 5. Add promiscuous ports as tagged or untagged interfaces. INTERFACE VLAN mode tagged interface or untagged interface Add PVLAN trunk ports to the VLAN only as tagged interfaces.
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add host (isolated) ports to the VLAN. Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 101. Sample Private VLAN Topology The following configuration is based on the example diagram for the MXL switch: • TenGig 0/0 and TenGig 0/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • TenGig 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• The ports in isolated VLAN 4003 can only communicate with the promiscuous ports in the primary VLAN 4000. • All the ports in the secondary VLANs (both community and isolated VLANs) can only communicate with ports in the other secondary VLANs of that PVLAN over Layer 3, and only when the ip local-proxy-arp command is invoked in the primary VLAN.
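An added example, not part of the Dell guide: a Python check that derives Layer 2 reachability between PVLAN ports from a running-config, so the isolation rules listed above can be verified against what is actually configured. The config text is constructed in the chapter's command syntax (the private-vlan mode isolated line, ports 1/4 and 1/6 and the per-port mode lines are assumptions for the example), PVLAN trunk ports are not modelled, and all function names are hypothetical.

```python
from itertools import combinations

# Constructed running-config. VLANs 20/30/40 and ports 1/1, 1/2, 1/3 and 1/5
# follow the chapter's show output; everything else is made up for the example.
CONFIG = """\
interface TenGigabitEthernet 1/1
 switchport mode private-vlan promiscuous
interface TenGigabitEthernet 1/2
 switchport mode private-vlan host
interface TenGigabitEthernet 1/3
 switchport mode private-vlan host
interface TenGigabitEthernet 1/4
 switchport mode private-vlan host
interface TenGigabitEthernet 1/5
 switchport mode private-vlan promiscuous
interface TenGigabitEthernet 1/6
 switchport mode private-vlan host
interface Vlan 20
 private-vlan mode primary
 private-vlan mapping secondary-vlan 30,40
 tagged TenGigabitEthernet 1/1,5
interface Vlan 30
 private-vlan mode community
 tagged TenGigabitEthernet 1/2,4
interface Vlan 40
 private-vlan mode isolated
 tagged TenGigabitEthernet 1/3,6
"""


def expand_numbers(spec):
    """'30,40' -> [30, 40]; '2-4' -> [2, 3, 4] (both list formats the guide allows)."""
    out = []
    for item in spec.split(","):
        first, _, last = item.partition("-")
        out.extend(range(int(first), int(last or first) + 1))
    return out


def expand_ports(spec):
    """'1/1,5' -> ['1/1', '1/5']; '1/2-4' -> ['1/2', '1/3', '1/4']."""
    slot, _, members = spec.partition("/")
    return [f"{slot}/{n}" for n in expand_numbers(members)]


def parse_pvlan(config):
    """Return ({port: pvlan mode}, {vlan id: {type, secondaries, ports}})."""
    modes, vlans, ctx = {}, {}, None
    for raw in config.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if w[0] == "interface":
            if w[1].lower() == "vlan":
                ctx = ("vlan", int(w[2]))
                vlans[ctx[1]] = {"type": None, "secondaries": [], "ports": []}
            else:
                ctx = ("port", w[2])
        elif ctx and ctx[0] == "port" and w[:3] == ["switchport", "mode", "private-vlan"]:
            modes[ctx[1]] = w[3]
        elif ctx and ctx[0] == "vlan":
            vlan = vlans[ctx[1]]
            if w[:2] == ["private-vlan", "mode"]:
                vlan["type"] = w[2]
            elif w[:3] == ["private-vlan", "mapping", "secondary-vlan"]:
                vlan["secondaries"] = expand_numbers(w[3])
            elif w[0] in ("tagged", "untagged"):
                vlan["ports"] += expand_ports(w[2])
    return modes, vlans


def memberships(modes, vlans):
    """Map each PVLAN port to (primary VLAN, role, secondary VLAN or None)."""
    member = {}
    for vid, vlan in vlans.items():
        if vlan["type"] != "primary":
            continue
        for port in vlan["ports"]:
            if modes.get(port) == "promiscuous":
                member[port] = (vid, "promiscuous", None)
        for sec in vlan["secondaries"]:
            sec_vlan = vlans.get(sec)  # a mapping may name a VLAN not yet created
            for port in (sec_vlan["ports"] if sec_vlan else []):
                if modes.get(port) == "host":
                    member[port] = (vid, sec_vlan["type"], sec)
    return member


def can_talk_l2(a, b, member):
    """True if the PVLAN rules let ports a and b exchange frames at Layer 2."""
    if a not in member or b not in member:
        return False
    (pa, ra, sa), (pb, rb, sb) = member[a], member[b]
    if pa != pb:
        return False
    if "promiscuous" in (ra, rb):
        return True
    return ra == rb == "community" and sa == sb


def isolated_pairs(member):
    """All port pairs that are separated at Layer 2."""
    return [p for p in combinations(sorted(member), 2) if not can_talk_l2(*p, member)]


if __name__ == "__main__":
    for a, b in isolated_pairs(memberships(*parse_pvlan(CONFIG))):
        print(f"{a} and {b}: no Layer 2 path")
```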
Dell#show vlan private-vlan
Primary Secondary Type      Active Ports
------- --------- --------- ------ ------------------------------------------
20                Primary   Yes    Te 1/1,5
        30        Community Yes    Te 1/2
        40        Isolated  Yes    Te 1/3
Dell#
S50-1#show vlan private-vlan mapping
Private Vlan:
Primary : 4000
Isolated : 4003
Community : 4001
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column.
interface Vlan 20 private-vlan mode primary private-vlan mapping secondary-vlan 30,40 no ip address tagged TenGigabitEthernet 1/1,5 shutdown ! interface Vlan 30 private-vlan mode community no ip address tagged TenGigabitEthernet 1/2 no shutdown !
40 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is supported on the MXL switch platform. Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 102.
Table 46. Spanning Tree Variations Dell Networking OS Supports
Dell Networking Term                      IEEE Specification
Spanning Tree Protocol (STP)              802.1d
Rapid Spanning Tree Protocol (RSTP)       802.1w
Multiple Spanning Tree Protocol (MSTP)    802.1s
Per-VLAN Spanning Tree Plus (PVST+)       Third Party
Implementation Information • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. • The Dell Networking OS implementation of PVST+ uses IEEE 802.
PROTOCOL PVST mode no disable Disabling PVST+ To disable PVST+ globally or on an interface, use the following commands. • Disable PVST+ globally. PROTOCOL PVST mode • disable Disable PVST+ on an interface, or remove a PVST+ parameter configuration. INTERFACE mode no spanning-tree pvst Example of Viewing PVST+ Configuration To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Figure 103. Load Balancing with PVST+ The bridge with the lowest value for bridge priority is elected root. Because all bridges use the default priority (until configured otherwise), the lowest MAC address is used as a tie-breaker. To increase the likelihood that a bridge is selected as the STP root, assign bridges a low non-default value for bridge priority. To assign a bridge priority, use the following command. • Assign a bridge priority.
Root Identifier has priority 32768, Address 001e.c9f1.00f3 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 32768, Address 001e.c9f1.00f3 Configured hello time 2, max age 20, forward delay 15 Bpdu filter disabled globally We are the root of VLAN 2 Current root has priority 32768, Address 001e.c9f1.
vlan hello-time NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. • Change the max-age parameter. PROTOCOL PVST mode vlan max-age The range is from 6 to 40. The default is 20 seconds. The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command.
To change the port cost or port priority of an interface, use the following commands. • Change the port cost of an interface. INTERFACE mode spanning-tree pvst vlan cost. The range is from 0 to 200000. Refer to the table for the default values. • Change the port priority of an interface. INTERFACE mode spanning-tree pvst vlan priority. The range is from 0 to 240, in increments of 16. The default is 128.
• You can clear the Error Disabled state with any of the following methods:
  – Perform a shutdown command on the interface.
  – Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
  – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
  – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
• Augment the bridge ID with the VLAN ID. PROTOCOL PVST mode extend system-id Example of Viewing the Extend System ID in a PVST+ Configuration Dell(conf-pvst)#do show spanning-tree pvst vlan 5 brief VLAN 5 Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
interface TenGigabitEthernet 2/12 no ip address switchport no shutdown ! interface TenGigabitEthernet 2/32 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 2/12,32 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 2/12,32 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 2/12,32 no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 interface TenGigabitEthernet 3/12 no ip address switch
Enable BPDU Filtering globally
Enabling BPDU filtering stops the transmission of BPDUs on operational PortFast-enabled ports by default. When BPDUs are received, the spanning tree is automatically prepared. By default, global BPDU filtering is disabled. Enable BPDU filter globally to filter the transmission of BPDUs on PortFast-enabled interfaces.
PROTOCOL PVST mode
edge-port bpdu filter default
Figure 105.
41 Quality of Service (QoS)
Quality of service (QoS) is supported on the MXL switch platform. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. The MXL switch traffic has four data queues per port. All queues are serviced using the Weighted Round Robin scheduling algorithm. You can manage queue prioritization only on egress.
Feature Direction Create Policy Maps Ingress + Egress Create Input Policy Maps Ingress Honor DSCP Values on Ingress Packets Ingress Honoring dot1p Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress QoS Rate Adjustment Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 106.
• RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers
• RFC 2475, An Architecture for Differentiated Services
• RFC 2597, Assured Forwarding PHB Group
• RFC 2598, An Expedited Forwarding PHB
You cannot configure port-based and policy-based QoS on the same interface.

Port-Based QoS Configurations
You can configure the following QoS features on an interface.
Dell#config
Dell(conf)#interface tengigabitethernet 1/0
Dell(conf-if)#switchport
Dell(conf-if)#dot1p-priority 1
Dell(conf-if)#end
Dell#

Honoring dot1p Priorities on Ingress Traffic
By default, the Dell Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel.
Configuring Port-Based Rate Policing If the interface is a member of a VLAN, you may specify the VLAN for which ingress packets are policed. • Rate policing ingress traffic on an interface.
– PSH – RST – URG In the existing software, ECE/CWR TCP flag qualifiers are not supported. • Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell Networking OS does not support Policer based coloring and this feature concurrently.
On ECN deployment, the non-ECN packets that are transmitted on the ECN-WRED enabled interface are considered Green packets and are subject to early WRED drops. Typically, TCP ACKs, OAM, and ICMP ping packets are non-ECN in nature, and it is not desirable for these packets to be WRED dropped. In such a condition, the switch must be able to take differentiated actions for ECN and non-ECN packets.
Until Release 9.3(0.0), ACL supports classification based on the below TCP flags: • ACK • FIN • SYN • PSH • RST • URG You can now use the ‘ecn’ match qualifier along with the above TCP flag for classification.
Sample configuration to mark non-ecn packets as “yellow” with single traffic class
Consider the use case where packets with DSCP value “40” need to be enqueued in queue#2 and packets with DSCP value 50 need to be enqueued in queue#3, and all packets with an ecn value of ‘0’ must be marked as ‘yellow’. The above requirement can be achieved using either of the two approaches.
match ip access-group dscp_40_ecn ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50_ecn ! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 107.
DSCP Color Maps
This section describes how to configure color maps and how to display the color map and color map configuration. This section consists of the following topics:
• Creating a DSCP Color Map
• Displaying Color Maps
• Display Color Map Configuration

Creating a DSCP Color Map
You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic.
Example: Create a DSCP Color Map
The following example creates a DSCP color map profile, color-awareness policy, and applies it to interface te 0/11.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence, and set the DSCP values to 9,10,11,13,15,16.
Dell(conf)# qos dscp-color-map bat-enclave-map
Dell(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16
Dell(conf-dscp-color-map)# exit
Assign the color map, bat-enclave-map to interface te 0/11.
Display summary information about a color policy for a specific interface. Dell# show qos dscp-color-policy summary te 0/10 Interface dscp-color-map TE 0/10 mapONE Display detailed information about a color policy for a specific interface Dell# show qos dscp-color-policy detail te 0/10 Interface TenGigabitEthernet 0/10 Dscp-color-map mapONE yellow 4,7 red 20,30 Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic.
Example of Creating a Layer 3 Class Map Dell(conf)#ip access-list standard acl1 Dell(conf-std-nacl)#permit 20.0.0.0/8 Dell(conf-std-nacl)#exit Dell(conf)#ip access-list standard acl2 Dell(conf-std-nacl)#permit 20.1.1.
4. Link the class-map to a queue. POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, as described in the previous example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.
! qos-policy-input flowbased set ip-dscp 3 Displaying Configured Class Maps and Match Criteria To display all class-maps or a specific class map, use the following command. Dell Networking OS Behavior: An explicit “deny any" rule in a Layer 3 ACL used in a (match any or match all) class-map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. In the following example, traffic is classified in two Queues, 1 and 2.
20422 1 24511 1 10 0 0 0 0x0 0x0 0 0 0 0 0.0.0.0/0 0.0.0.0/0 0.0.0.0/0 14 0.0.0.0/0 - 1 0 In the previous example, the ClassAF1 does not classify traffic as intended. Traffic matching the first match criteria is classified to Queue 1, but all other traffic is classified to Queue 0 as a result of CAM entry 20419. When you remove the explicit “deny any” rule from all three ACLs, the CAM reflects exactly the desired classification. The following example shows correct traffic classifications.
Setting a DSCP Value for Egress Packets Setting a dot1p Value for Egress Packets Configuring Policy-Based Rate Policing To configure policy-based rate policing, use the following command. • Configure rate police ingress traffic. QOS-POLICY-IN mode rate-police Setting a DSCP Value for Egress Packets You can set the DSCP value for egress packets based on ingress QOS classification. The 6 bits that are used for DSCP are also used to identify the queue in which traffic is buffered.
Configuring Policy-Based Rate Shaping
To configure policy-based rate shaping, use the following command.
• Configure rate shape egress traffic.
  QOS-POLICY-OUT mode
  rate-shape

Allocating Bandwidth to Queue
Dell Networking recommends pre-calculating your bandwidth requirements before creating them. Make sure you apply the QoS policy to all the four queues and that the sum of the bandwidths allocated through them is exactly 100.
match ip access-group test set-ip-dscp 2 match ip access-group test1 set-ip-dscp 4 match ip precedence 7 set-ip-dscp 1 Dell#show run qos-policy-input ! qos-policy-input flowbased set ip-dscp 3 Dell# Specifying WRED Drop Precedence • Specify a WRED profile to yellow and/or green traffic. QOS-POLICY-OUT mode wred For more information, refer to Applying a WRED Profile to Traffic. Create Policy Maps There are two types of policy maps: input and output.
Applying an Input QoS Policy to an Input Policy Map
To apply an input QoS policy to an input policy map, use the following command.
• Apply an input QoS policy to an input policy map.
  POLICY-MAP-IN mode
  policy-aggregate

Honoring DSCP Values on Ingress Packets
The Dell Networking OS provides the ability to honor DSCP values on ingress packets using the Trust DSCP feature. The following table lists the standard DSCP definitions and indicates to which queues the Dell Networking OS maps DSCP values.
dot1p  Queue ID
2      0
3      1
4      2
5      3
6      3
7      3
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
• Enable the trust dot1p feature.
1. Match packets against match-any qos-AF4. If a match exists, queue the packet as AF4 in Queue 4, and if no match exists, go to the next class map. 2. Match packets against match-any qos-AF3. If a match exists, queue the packet as AF3 in Queue 3, and if no match exists, go to the next class map. 3. Match packets against match-all qos-BE1. If a match exists, queue the packet as BE1, and if no match exists, queue the packets to the default queue, Queue 0. 4.
• You cannot apply an input Layer 2 QoS policy on an interface you also configure with the vlanstack access command. • If you apply a service policy that contains an ACL to more than one interface, the system uses ACL optimization to conserve CAM space. The ACL optimization behavior detects when an ACL exists in the CAM rather than writing it to the CAM multiple times. • Apply an input policy map to an interface.
You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it. Enabling QoS Rate Adjustment By default, while rate limiting, policing, and shaping, the Dell Networking OS does not include the Preamble, SFD, or the IFG fields. These fields are overhead; only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
The range is from 1 to 3. Weighted Random Early Detection The WRED congestion avoidance mechanism drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others. In this case, the space on the buffer and traffic manager (BTM) (ingress or egress) can be consumed by only one or a few types of traffic, leaving no space for other types.
Default Profile Name   Minimum Threshold   Maximum Threshold   Maximum Drop Rate
wred_fortyg_y          467                 4671                50
wred_fortyg_g          467                 4671                25

Creating WRED Profiles
To create WRED profiles, use the following commands.
1. Create a WRED profile.
   CONFIGURATION mode
   wred-profile
2. Specify the minimum and maximum threshold values.
   WRED mode
   threshold

Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify to which traffic the system should apply the profile.
0
Dell#

Displaying WRED Drop Statistics
To display WRED drop statistics, use the following command.
• Display the number of packets that the WRED profile drops.
  EXEC Privilege mode
  show qos statistics

Example of the show qos statistics wred-profile Command
Dell#show qos statistics wred-profile
Interface Te 0/20
Drop-statistic   Dropped Pkts
Green            11234
Yellow           12484
Out of Profile   0
Dell#

Classifying Layer 2 Traffic on Layer 3 Interfaces
To process Layer 3 packets that contain Dot1p — (IEEE 802.
Classifying Packets Based on a Combination of DSCP Code Points and VLAN IDs You can configure a classifier map, which contains both the Differentiated Services Code Point (DSCP) and MAC VLAN IDs as parameters, for filtering packets that are received before they are forwarded or dropped. You can now specify both DSCP-IP packet classification (Layer 3 headers) and Dot1p—(IEEE 802.1p) Packet classification (Layer 2 headers) as match criteria in a Layer 3 class map.
Dell(conf)#policy-map-input pp_policmap 7. Create a service queue to associate the class map and QoS policy map.
Routing Information Protocol (RIP) 42 The routing information protocol (RIP) is based on a distance-vector algorithm and tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Protocol Overview RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2). These versions are documented in RFCs 1058 and 2453.
Implementation Information The Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in the system. Table 53.
Enabling RIP Globally By default, RIP is not enabled in the system. To enable RIP globally, use the following commands. 1. Enter ROUTER RIP mode and enable the RIP process on the system. CONFIGURATION mode router rip 2. Assign an IP network address as a RIP network to exchange routing information.
29.0.0.0/8 31.0.0.0/8 [120/1] via 31.0.0.0/8 192.162.2.0/24 [120/1] via 192.162.2.0/24 192.161.1.0/24 [120/1] via 192.161.1.0/24 192.162.3.0/24 [120/1] via 192.162.3.0/24 auto-summary 29.10.10.12, 00:00:26, Fa 0/0 auto-summary 29.10.10.12, 00:01:21, Fa 0/0 auto-summary 29.10.10.12, 00:00:27, Fa 0/0 auto-summary 29.10.10.12, 00:01:22, Fa 0/0 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode.
redistribute {connected | static} [metric metric-value] [route-map map-name]
  – metric-value: the range is from 0 to 16.
  – map-name: the name of a configured route map.
• Include specific OSPF routes in RIP.
  ROUTER RIP mode
  redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name]
  Configure the following parameters:
  – process-id: the range is from 1 to 65535.
  – metric: the range is from 0 to 16.
  – map-name: the name of a configured route map.
version {1 | 2}
• Set the RIP versions received on that interface.
  INTERFACE mode
  ip rip receive version [1] [2]
• Set the RIP versions sent out on that interface.
The following example of the show ip protocols command confirms that both versions are sent out that interface. This interface no longer sends and receives the same RIP versions as the Dell Networking OS does globally (shown in bold).
The autosummary command requires no other configuration commands. To disable automatic route summarization, enter no autosummary in ROUTER RIP mode. NOTE: If you enable the ip split-horizon command on an interface, the system does not advertise the summarized address. Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link.
Enable debugging of RIP. Example of the debug ip rip Command The following example shows the confirmation when you enable the debug function. Dell#debug ip rip RIP protocol debug is ON Dell# To disable RIP, use the no debug ip rip command. RIP Configuration Example The examples in this section show the command sequence to configure RIPv2 on the two routers shown in the following illustration — Core 2 and Core 3. The host prompts used in the following example reflect those names.
Core 2 RIP Output
The examples in the section show the Core 2 RIP output.
Example of the show ip rip database Command to View Learned RIP Routes on Core 2
Example of the show ip route Command to Show RIP Setup on Core 2
Example of the show ip protocols Command to Show RIP Configuration Activity on Core 2
• To display Core 2 RIP database, use the show ip rip database command.
• To display Core 2 RIP setup, use the show ip route command.
• To display Core 2 RIP activity, use the show ip protocols command.
Sending updates every 30 seconds, next due in 17 Invalid after 180 seconds, hold down 180, flushed after 240 Output delay 8 milliseconds between packets Automatic network summarization is in effect Outgoing filter for all interfaces is Incoming filter for all interfaces is Default redistribution metric is 1 Default version control: receive version 2, send version 2 Interface Recv Send TenGigabitEthernet 2/42 2 2 TenGigabitEthernet 2/41 2 2 TenGigabitEthernet 2/31 2 2 TenGigabitEthernet 2/11 2 2 Routing for
10.11.10.0/24 [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet 3/21 10.200.10.0/24 [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet 3/21 10.300.10.0/24 [120/1] via 10.11.20.2, 00:00:13, TenGigabitEthernet 3/21 10.11.20.0/24 directly connected,TenGigabitEthernet 3/21 10.11.30.0/24 directly connected,TenGigabitEthernet 3/11 10.0.0.0/8 auto-summary 192.168.1.0/24 directly connected,TenGigabitEthernet 3/43 192.168.1.0/24 auto-summary 192.168.2.0/24 directly connected,TenGigabitEthernet 3/44 192.168.2.
Distance: (default is 120) Core3# RIP Configuration Summary Example of Viewing RIP Configuration on Core 2 Example of Viewing RIP Configuration on Core 3 ! interface TenGigabitEthernet ip address 10.11.10.1/24 no shutdown ! interface TenGigabitEthernet ip address 10.11.20.2/24 no shutdown ! interface TenGigabitEthernet ip address 10.200.10.1/24 no shutdown ! interface TenGigabitEthernet ip address 10.250.10.1/24 no shutdown 2/11 2/31 2/41 2/42 router rip version 2 10.200.10.0 10.300.10.0 10.11.10.
Remote Monitoring (RMON) 43 RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the rmon Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
is configured with the RMON event command. Possible events include a log entry or an SNMP trap. If the 1.3.6.1.2.1.2.2.1.20.1 value changes to 0 (falling-threshold 0), the alarm is reset and can be triggered again.
Dell(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta rising-threshold 15 1 falling-threshold 0 owner nms1

Configuring an RMON Event
To add an event in the RMON event table, use the rmon event command in GLOBAL CONFIGURATION mode.
• Add an event in the RMON event table.
– integer: a value from 1 to 65,535 that identifies the RMON Statistics Table. The value must be unique in the RMON Statistic Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. – owner-string: (Optional) records the name of the owner of the RMON group of statistics. The default is a null-terminated string. Example of the rmon collection statistics Command To remove a specified RMON statistics collection, use the no form of this command.
Enabling an RMON MIB Collection History Group The rmon collection history command enables an RMON MIB collection history group of statistics. In the following example, the command enables an RMON MIB collection history group of statistics with an ID number of 20 and an owner of “john”, both the sampling interval and the number of buckets use their respective defaults.
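The rising and falling thresholds of the rmon alarm command shown earlier in this chapter form a hysteresis: once the rising event fires, it stays quiet until a sample reaches the falling threshold. The following Python sketch is an added example, not Dell code; it replays constructed counter readings through that logic, following the RMON alarm group semantics of RFC 2819. It assumes the alarm starts armed for a rising event only and treats a falling threshold without an event number as a silent re-arm.

```python
"""Replay counter readings through RMON alarm threshold logic (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Matches the argument order of the rmon alarm command shown in this chapter.
ALARM_RE = re.compile(
    r"rmon alarm (?P<index>\d+) (?P<oid>[\d.]+) (?P<interval>\d+) "
    r"(?P<sample>delta|absolute) "
    r"rising-threshold (?P<rising>\d+) (?P<rising_event>\d+) "
    r"falling-threshold (?P<falling>\d+)(?: (?P<falling_event>\d+))?"
)


@dataclass(frozen=True)
class Alarm:
    index: int
    oid: str
    interval: int            # seconds between samples
    sample: str              # "delta" or "absolute"
    rising: int
    rising_event: int
    falling: int
    falling_event: Optional[int]


def parse_alarm(line: str) -> Alarm:
    """Parse an rmon alarm line; a leading CLI prompt is tolerated."""
    m = ALARM_RE.search(line)
    if m is None:
        raise ValueError("not an rmon alarm line: %r" % line)
    g = m.groupdict()
    return Alarm(
        index=int(g["index"]), oid=g["oid"], interval=int(g["interval"]),
        sample=g["sample"], rising=int(g["rising"]),
        rising_event=int(g["rising_event"]), falling=int(g["falling"]),
        falling_event=int(g["falling_event"]) if g["falling_event"] else None,
    )


def evaluate(alarm: Alarm, readings, counter_bits: int = 32):
    """Return [(seconds, kind, sampled_value, event_number), ...].

    readings[0] is taken at t=0 and one reading follows per interval.
    For delta sampling the first reading is only the baseline, and the
    difference is taken modulo 2**counter_bits so a counter wrap does not
    look like a huge or negative change (use 64 for high-capacity counters).
    """
    modulus = 2 ** counter_bits
    if alarm.sample == "delta":
        samples = [((i + 1) * alarm.interval, (cur - prev) % modulus)
                   for i, (prev, cur) in enumerate(zip(readings, readings[1:]))]
    else:
        samples = [(i * alarm.interval, v) for i, v in enumerate(readings)]

    events = []
    armed = True  # assumption: only a rising event can fire first
    for t, value in samples:
        if armed and value >= alarm.rising:
            events.append((t, "rising", value, alarm.rising_event))
            armed = False        # suppress repeats while the value stays high
        elif not armed and value <= alarm.falling:
            events.append((t, "falling", value, alarm.falling_event))
            armed = True         # alarm is reset and can trigger again
    return events


# The command from this chapter (OID ...2.2.1.20.1 is ifOutErrors, ifIndex 1).
PAGE_ALARM = ("Dell(conf)#rmon alarm 10 1.3.6.1.2.1.2.2.1.20.1 20 delta "
              "rising-threshold 15 1 falling-threshold 0 owner nms1")

# Constructed ifOutErrors readings, one every 20 seconds starting at t=0.
READINGS = [100, 103, 120, 140, 141, 141, 160, 160, 200]

if __name__ == "__main__":
    alarm = parse_alarm(PAGE_ALARM)
    for seconds, kind, value, event in evaluate(alarm, READINGS):
        print("t=%3ds %-7s delta=%-3d event=%s" % (seconds, kind, value, event))
```

The sample at t=60 (delta 20) produces no second rising event because the alarm has not yet seen a delta of 0, which is why a sustained error burst yields one log entry or trap rather than one per interval.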
Rapid Spanning Tree Protocol (RSTP) 44 Rapid spanning tree protocol (RSTP) is supported on the MXL switch platform. Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell operating system (OS) supports three other variations of spanning tree, as shown in the following table. Table 54.
Important Points to Remember
• RSTP is disabled by default.
• The Dell Networking OS supports only one Rapid Spanning Tree (RST) instance.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task; avoid using the range command.
To enable RSTP globally for all Layer 2 interfaces, use the following commands. 1. Enter PROTOCOL SPANNING TREE RSTP mode. CONFIGURATION mode protocol spanning-tree rstp 2. Enable RSTP. PROTOCOL SPANNING TREE RSTP mode no disable Example of Verifying that RSTP is Enabled Example of the show spanning-tree rstp Command Example of the show spanning-tree rstp brief Command To disable RSTP globally for all Layer 2 interfaces, enter the disable command from PROTOCOL SPANNING TREE RSTP mode.
Figure 110. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Number of transitions to forwarding state 1 BPDU : sent 121, received 2 The port is not in the Edge port mode, bpdu filter is disabled Port 379 (TenGigabitethernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
For bridge protocol data units (BPDU) filtering behavior, refer to Removing an Interface from the Spanning Tree Group. Modifying Global Parameters You can modify RSTP parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in the Rapid Spanning Tree group. • Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
  PROTOCOL SPANNING TREE RSTP mode
  max-age seconds
  The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree rstp command from EXEC privilege mode.
Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port. • Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
• You can clear the Error Disabled state with any of the following methods:
  – Perform a shutdown command on the interface.
  – Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
  – Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
  – Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
To enable EdgePort on an interface, use the following command.
ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.88bd SNMP Traps for Root Elections and Topology Changes To enable SNMP traps for RSTP, MSTP, and PVST+ collectively, use the following command. Enable SNMP traps for RSTP, MSTP, and PVST+ collectively. snmp-server enable traps xstp Configuring Fast Hellos for Link State Detection To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos.
Security 45 Security features are supported on the MXL switch platform. This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide. AAA Accounting Accounting, authentication, and authorization (AAA) accounting is part of the AAA security model.
– command level: sends accounting of commands executed at the specified privilege level. – exec: sends accounting information when a user has logged in to EXEC mode. – suppress: do not generate accounting records for a specific type of user. – system: sends accounting information of any other AAA configuration. – default | name: enter the name of a list of accounting methods.
CONFIG-LINE-VTY mode
accounting commands 15 com15
accounting exec execAcct

Example of Enabling AAA Accounting with a Named Method List
Dell(config-line-vty)# accounting commands 15 com15
Dell(config-line-vty)# accounting exec execAcct

Monitoring AAA Accounting
The Dell Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting.
Configuration Task List for AAA Authentication The following sections provide the configuration tasks. • Configure Login Authentication for Terminal Lines • Configuring AAA Authentication Login Methods • Enabling AAA Authentication • Enabling AAA Authentication — RADIUS For a complete list of all commands related to login authentication, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config command in EXEC Privilege mode.
NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
You can create multiple method lists and assign them to different terminal lines.
Dell(config)# radius-server host x.x.x.x key Dell(config)# tacacs-server host x.x.x.x key To use local authentication for enable secret on the console, while using remote authentication on VTY lines, issue the following commands.
By default, commands are assigned to different privilege levels. You can access those commands only if you have access to that privilege level. For example, to reach the protocol spanning-tree command, log in to the router, enter the enable command for privilege level 15 (this privilege level is the default level for the command) and then enter CONFIGURATION mode. You can configure passwords to control access to the box and assign different privilege levels to users.
To configure a password for a specific privilege level, use the following command. • Configure a password for a privilege level. CONFIGURATION mode enable password [level level] [encryption-mode] password Configure the optional and required parameters: – level level: Specify a level from 0 to 15. Level 15 includes all levels. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string.
• encryption-type: enter 0 for plain text or 7 for encrypted text. • password: enter a text string up to 32 characters long. To change only the password for the enable command, configure only the password parameter. 3. Configure level and commands for a mode or reset a command’s level.
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands. apollo% telnet 172.31.1.53 Trying 172.31.1.53... Connected to 172.31.1.53. Escape character is '^]'.
enable or enable privilege-level
If you do not enter a privilege level, the system sets it to 15 by default.
• Move to a lower privilege level.
  EXEC Privilege mode
  disable level-number
  – level-number: The level-number you wish to set.
If you enter disable without a level-number, your security level is 1.

RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
Idle Time
Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies the idle-time allowed for a user during a session before timeout. When a user logs in, the lower of the two idle-time values (configured or default) is used. The idle-time value is updated if both of the following happen:
• The administrator changes the idle-time of the line on which the user has logged in.
• Applying the Method List to Terminal Lines (mandatory except when using default lists) • Specifying a RADIUS Server Host (mandatory) • Setting Global Communication Parameters for all RADIUS Server Hosts (optional) • Monitoring RADIUS (optional) For a complete listing of all Dell Networking OS commands related to RADIUS, refer to the Security chapter in the Dell Networking OS Command Reference Guide. NOTE: RADIUS authentication and authorization are done in a single step.
CONFIGURATION mode authorization exec methodlist Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the RADIUS server host.
CONFIGURATION mode
radius-server deadtime seconds
  – seconds: the range is from 0 to 2147483647. The default is 0 seconds.
• Configure a key for all RADIUS communications between the system and RADIUS server hosts.
  CONFIGURATION mode
  radius-server key [encryption-type] key
  – encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text.
  – key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.
For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell Networking OS Command Reference Guide. Choosing TACACS+ as the Authentication Method TACACS+ is one of the available login authentication methods; when it is used, the user’s name and password are sent to the specified TACACS+ hosts for authentication. To use TACACS+ to authenticate users, specify at least one TACACS+ server for the system to communicate with and configure TACACS+ as one of your authentication methods.
aaa authentication login LOCAL local tacacs+ aaa authorization exec default tacacs+ none aaa authorization commands 1 default tacacs+ none aaa authorization commands 15 default tacacs+ none aaa accounting exec default start-stop tacacs+ aaa accounting commands 1 default start-stop tacacs+ aaa accounting commands 15 default start-stop tacacs+ Dell(conf)# Dell(conf)#do show run tacacs+ ! tacacs-server key 7 d05206c308f4d35b tacacs-server host 10.10.10.
Dell(conf-std-nacl)#permit 10.0.0.0/8 Dell(conf-std-nacl)#deny any Dell(conf)# Dell(conf)#aaa authentication login tacacsmethod tacacs+ Dell(conf)#aaa authentication exec tacacsauthorization tacacs+ Dell(conf)#tacacs-server host 25.1.1.
Command Authorization The AAA command authorization feature configures the Dell Networking OS to send each configuration command to a TACACS server for authorization before it is added to the running configuration. By default, the AAA authorization commands configure the system to check both EXEC mode and CONFIGURATION mode commands. To enable only EXEC mode command checking, use the no aaa authorization config-commands command.
CONFIGURATION mode • ip ssh server version {1|2} Display SSH connection information. EXEC Privilege mode show ip ssh Specifying an SSH Version The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting. Dell(conf)#ip ssh server version 2 Dell(conf)#do show ip ssh SSH server : disabled. SSH server version : v2. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled.
• ip ssh connection-rate-limit: configure the maximum number of incoming SSH connections per minute. • ip ssh hostbased-authentication enable: enable host-based authentication for the SSHv2 server. • ip ssh key-size: configure the size of the server-generated RSA SSHv1 key. • ip ssh password-authentication enable: enable password authentication for the SSH server. • ip ssh pub-key-file: specify the file the host-based authentication uses.
Examples The following example configures the time-based rekey threshold for an SSH session to 30 minutes. Dell(conf)#ip ssh rekey time 30 The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes. Dell(conf)#ip ssh rekey volume 4096 Configuring the SSH Server Key Exchange Algorithm To configure the key exchange algorithm for the SSH server, use the ip ssh server kex keyexchange-algorithm command in CONFIGURATION mode.
• hmac-sha2-256-96 The default HMAC algorithms are the following: • hmac-md5 • hmac-md5-96 • hmac-sha1 • hmac-sha1-96 • hmac-sha2-256 • hmac-sha2-256-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96. Example of Configuring an HMAC Algorithm The following example shows you how to configure an HMAC algorithm list.
• Enabling SSH Authentication by Password • Using RSA Authentication of SSH • Configuring Host-Based SSH Authentication Important Points to Remember • If you enable more than one method, the order in which the methods are preferred is based on the ssh_config file on the Unix machine. • When you enable all the three authentication methods, password authentication is the backup method when the RSA method fails.
ip ssh rsa-authentication my-authorized-keys flash://public_key Example of Generating RSA Keys admin@Unix_client#ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/.ssh/id_rsa already exists. Overwrite (y/n)? y Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/admin/.ssh/id_rsa. Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
doyUXFufjiL9YmoVTkbKcFmxJEMkE3JyHanEi7hg34LChjk9hL1by8cYZP2kYS2lnSyQWk= admin@Unix_client# ls id_rsa id_rsa.pub shosts admin@Unix_client# cat shosts 10.16.127.201, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8K7jLZRVfjgHJzUOmXxuIbZx/AyW hVgJDQh39k8v3e8eQvLnHBIsqIL8jVy1QHhUeb7GaDlJVEDAMz30myqQbJgXBBRTWgBpLWwL/ admin@Unix_client# ls id_rsa id_rsa.pub rhosts shosts admin@Unix_client# cat rhosts 10.16.127.
Example of Using Telnet for Remote Login Dell(conf)#ip telnet server enable Dell(conf)#no ip telnet server enable VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in the Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 56.
The following example shows how to allow or deny a Telnet connection to a user. Users see a login prompt even if they cannot log in. No access class is configured for the VTY line. It defaults from the local database. NOTE: For more information, refer to Access Control Lists (ACLs).
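The settings described in the preceding sections (SSH server version, the Telnet server, and encryption-type 0 for server keys and user passwords) can be checked mechanically against a saved configuration. The following is an added example, not Dell code: the rule names and both sample excerpts are constructed, and it assumes the running configuration prints these commands in the forms quoted in this guide.

```python
"""Audit a Dell Networking OS configuration excerpt for weak management-plane
settings. Added example, not Dell code; it checks only command forms that are
quoted in this guide."""
import re

# Constructed excerpts. Keys and passwords are placeholders, except the
# tacacs-server line, which is copied from the guide's own sample output.
WEAK_CONFIG = """\
Dell(conf)#ip ssh server version 1
ip telnet server enable
radius-server key 0 EXAMPLE-SHARED-KEY
tacacs-server key 7 d05206c308f4d35b
username john password 0 password role secadmin
"""

HARDENED_CONFIG = """\
ip ssh server version 2
no ip telnet server enable
radius-server key 7 0000000000000000
tacacs-server key 7 d05206c308f4d35b
username john password 7 0000000000000000 role secadmin
"""

# (rule id, pattern, finding text). Patterns are anchored at the start of the
# line, so the "no ..." form of a command never matches.
RULES = [
    ("ssh-v1",
     re.compile(r"^ip ssh server version 1\b"),
     "SSH version 1 is enabled; use ip ssh server version 2"),
    ("telnet-enabled",
     re.compile(r"^ip telnet server enable\b"),
     "Telnet server is enabled; credentials cross the network unencrypted"),
    ("plaintext-server-key",
     re.compile(r"^(?:radius|tacacs)-server key 0 \S+"),
     "RADIUS/TACACS+ key is stored with encryption-type 0 (plain text)"),
    ("plaintext-user-password",
     re.compile(r"^username \S+ password 0 \S+"),
     "user password is stored with encryption-type 0 (plain text)"),
]

# Strips a pasted CLI prompt such as "Dell(conf)#" or "Dell#".
PROMPT = re.compile(r"^[\w-]+(?:\([\w-]+\))?#\s*")


def audit(config_text):
    """Return a list of (line_number, rule_id, message) findings.

    The matched line itself is never returned, so secrets in the
    configuration are not copied into the report.
    """
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = " ".join(PROMPT.sub("", raw.strip()).split())
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((number, rule_id, message))
    return findings


def rule_ids(config_text):
    """Convenience wrapper: only the rule ids, in line order."""
    return [rule_id for _, rule_id, _ in audit(config_text)]


if __name__ == "__main__":
    for number, rule_id, message in audit(WEAK_CONFIG):
        print(f"line {number}: [{rule_id}] {message}")
```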
Example of Configuring VTY Authorization Based on MAC ACL for the Line (Per MAC Address)
Dell(conf)#mac access-list standard sourcemac
Dell(config-std-mac)#permit 00:00:5e:00:01:01
Dell(config-std-mac)#deny any
Dell(conf)#
Dell(conf)#line vty 0 9
Dell(config-line-vty)#access-class sourcemac
Dell(config-line-vty)#end
Role-Based Access Control
With Role-Based Access Control (RBAC), access and authorization are controlled based on a user’s role.
actions the user can perform. This allows for greater flexibility in assigning permissions for each command to each role and as a result, it is easier and much more efficient to administer user rights. If a user’s role matches one of the allowed user roles for that command, then command authorization is granted. A constrained RBAC model provides for separation of duty and as a result, provides greater security than the hierarchical RBAC model.
You must specify at least local authentication. For consistency, the best practice is to define the same authentication method list across all lines, in the same order of comparison; for example VTY and console port. You could also use the default authentication method to apply to all the LINES (console port, VTY). NOTE: The authentication method list should be in the same order as the authorization method list.
operator user role. This role does not have access to the commands that are available to the system security administrator for cryptography operations, AAA, or the commands reserved solely for the system administrator. • Security Administrator (secadmin): This user role can control the security policy across the systems that are within a domain or network topology.
• If you inherit a user role, you cannot modify or delete the inheritance. If you want to change or remove the inheritance, delete the user role and create it again. If the user role is in use, you cannot delete the user role. 1. Create a new user role CONFIGURATION mode userrole name [inherit existing-role-name] 2. Verify that the new user role has inherited the security administrator permissions. Dell(conf)#do show userroles EXEC Privilege mode 3.
When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword, followed by the command to which you are controlling access. For information about how to create new roles, see also Creating a New User Role. The following output displays the modes available for the role command.
The following example shows that the secadmin role can now access Interface mode (highlighted in bold). Role Inheritance netoperator Modes netadmin secadmin sysadmin MAC Exec Config Interface Router IP RouteMap Protocol MAC Exec Config Interface Line Exec Config Interface Line Router IP RouteMap Protocol Example: Remove Security Administrator Access to Line Mode.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. Dell(conf)#username john password 0 password role secadmin The following example deletes a user role.
the same or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization. Users with roles and privileges are authorized with the same mechanism. There are six methods available for authorization: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
accounting commands role netadmin line vty 3 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 4 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 5 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 6 login authentication ucraaa authorization exec ucraaa accounting commands role netadmin line vty 7 login authentication ucraaa authorization exec ucraaa accounting comman
role is Force10-avpair= "shell:role=user-role" where user-role is a user-defined or system-defined role. In the following example, you create an AV pair for a system-defined role, sysadmin. Force10-avpair= "shell:role=sysadmin" In the following example, you create an AV pair for a user-defined role. You must also define a role, using the userrole myrole inherit command on the switch to associate it with this AV pair.
Active accounted actions on tty2, User john Priv 1 Role netoperator Task ID 1, EXEC Accounting record, 00:00:30 Elapsed, service=shell Active accounted actions on tty3, User admin Priv 15 Role sysadmin Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell Display Information About User Roles This section describes how to display information about user roles.
Role access: secadmin,sysadmin
Dell#show role mode configure interface
Role access: netadmin, sysadmin
Dell#show role mode configure line
Role access: netadmin,sysadmin
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays privilege level and/or user role. The mode is displayed at the start of the output, and both the privilege and roles for all users are also displayed.
Service Provider Bridging 46 Service provider bridging is supported on the MXL switch platform. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. VLAN stacking enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 112. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN. Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1.
2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enable VLAN-Stacking for a VLAN. Related Configuration Tasks • Configuring the Protocol Type Value for the Outer VLAN Tag • Configuring Options for Trunk Ports • Debugging VLAN Stacking • VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands. • Access port — a port on the service provider edge that directly connects to the customer.
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID is 0x8100. 2. Add the port to an 802.1Q VLAN as tagged or untagged. INTERFACE VLAN mode [tagged | untagged] Example of Configuring a Trunk Port as a Hybrid Port and Adding it to Stacked VLANs In the following example, GigabitEthernet 0/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged, VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
• U — 802.1Q access port • NU — Native VLAN (untagged) Dell# debug member vlan 603 vlan id : 603 ports : Gi 2/47 (MT), Gi 3/1(MU), Gi 3/25(MT), Gi 3/26(MT), Gi 3/27(MU) Dell#debug member port gigabitethernet 2/47 vlan id : 603 (MT), 100(T), 101(NU) Dell# VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system.
Figure 113.
Figure 114.
Figure 115. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network. Table 57. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Core Egress Access Point Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
• Make packets eligible for dropping based on their DEI value. CONFIGURATION mode dei enable By default, packets are colored green, and DEI is marked 0 on egress. Honoring the Incoming DEI Value To honor the incoming DEI value, you must explicitly map the DEI bit to a Dell Networking OS drop precedence. Precedence can have one of three colors. Precedence Description Green High-priority packets that are the least preferred to be dropped. Yellow Lower-priority packets that are treated as best-effort.
Example of Viewing DEI-Marking Configuration To display the DEI-marking configuration, use the show interface dei-mark [interface slot/port | linecard number port-set number] command in EXEC Privilege mode.
configuration, the queue selected by Dynamic Mode CoS takes precedence. However, rate policing for the queue is determined by QoS configuration. For example, the following access-port configuration maps all traffic to Queue 0: vlan-stack dot1p-mapping c-tag-dot1p 0-7 sp-tag-dot1p 1 However, if the following QoS configuration also exists on the interface, traffic is queued to Queue 0 but is policed at 40Mbps (qos-policy-input for queue 3) because class-map "a" of Queue 3 also matches the traffic.
cam-acl l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number ecfmacl number {vman-qos | vman-qos-dual-fp} number • vman-qos: mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. This method requires half as many CAM entries as vman-qos-dual-fp. • vman-qos-dual-fp: mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p. This method requires twice as many CAM entries as vman-qos and FP blocks in multiples of 2.
Figure 117. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
network because only the Dell Networking OS could recognize the significance of the destination MAC address and rewrite it to the original Bridge Group Address. In the Dell Networking OS version 8.2.1.0 and later, the L2PT MAC address is user-configurable, so you can specify an address that non-Dell Networking systems can recognize and rewrite the address at egress edge. Figure 118. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following commands. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2. Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3. Tunnel BPDUs on the VLAN.
4. Set a maximum rate at which the RPM processes BPDUs for L2PT. VLAN STACKING mode protocol-tunnel rate-limit The default is: no rate limiting. The range is from 64 to 320 kbps. Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.
sFlow 47 Configuring sFlow is supported on the MXL switch platform. Overview The Dell Networking operating system (OS) supports sFlow version 5. sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers. sFlow uses two types of sampling: • Statistical packet-based sampling of switched or routed packet flows.
Important Points to Remember • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration using the snmpset command. • The Dell Networking OS exports all sFlow packets to the collector. A small sampling rate can equate to many exported packets. A backoff mechanism is automatically applied to reduce this amount. Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
• Displaying Show sFlow on an Interface • Displaying Show sFlow on a Stack Unit Displaying Show sFlow Global To view sFlow statistics, use the following command. • Display sFlow configuration information and statistics. EXEC mode show sflow Example of Viewing sFlow Configuration (Global) The first bold line indicates sFlow is globally enabled.
Example of Viewing sFlow Configuration (Stack Unit)
Dell#show sflow stack-unit 1
Stack-Unit 1
Samples rcvd from h/w :0
Total UDP packets exported :0
UDP packets exported via RPM :0
UDP packets dropped :0
Dell#
Configuring Specify Collectors
The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
To change the sampling rate either globally or on an interface, use the following command. • Change the global or interface sampling rate. CONFIGURATION mode or INTERFACE mode [no] sflow sample-rate sample-rate sample-rate: The range is from 256 to 8388608 for the C-Series and S-Series. The range is from 2 to 8388608 for the E-Series. The rate must be entered in factors of 2 (for example, 4096 or 8192).
As a result of back-off, the actual sampling-rate of an interface may differ from its configured sampling rate. You can view the actual sampling-rate of the interface and the configured sample-rate by using the show sflow command. sFlow on LAG ports When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port. Enabling Extended sFlow The MXL switch supports extended-switch information processing only.
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
48 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on the MXL switch platform. Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
Related Configuration Tasks • Set up SNMP • Setting Up User-Based Security (SNMPv3) • Reading Managed Object Values • Writing Managed Object Values • Configuring Contact and Location Information using SNMP • Subscribing to Managed Object Value Updates using SNMP • Copying Configuration Files via SNMP • Manage VLANs using SNMP • Enabling and Disabling a Port using SNMP • Fetch Dynamic MAC Entries using SNMP • Deriving Interface Indices • Monitor Port-Channels • Troubleshooting SNMP O
FIPS Mode Enabled Privacy Options Authentication Options aes128 (AES128-CFB) sha (HMAC-SHA1-96) aes128 (AES128-CFB) sha (HMAC-SHA1-96) To enable security for SNMP packets transferred between the server and the client, you can use the snmp-server user username group groupname 3 auth authentication-type authpassword priv aes128 priv-password command to specify that AES-CFB 128 encryption algorithm needs to be used.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, password and privacy privileges. You can configure a maximum of 16 users even if they are in different groups.
• Configure the user with view privileges only (no password or privacy privileges).
CONFIGURATION mode
snmp-server user name group-name 3 noauth
• Configure an SNMP group with view privileges only (no password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name 3 noauth auth read name write name
• Configure an SNMPv3 view.
Reading Managed Object Values You may only retrieve (read) managed object values if your management station is a member of the same community as the SNMP agent. Dell Networking supports RFC 4001, Textual Conventions for Internet Network Addresses, which defines values representing a type of internet address. These values display for ipAddressTable objects using the snmpwalk command. There are several UNIX SNMP commands that read data. • Read the value of a single managed object.
In the following example, the value 4 displays in the OID before the IP address for IPv4. >snmpwalk -v 2c -c public 10.11.195.63 1.3.6.1.2.1.4.34 IP-MIB::ip.34.1.3.1.4.1.1.1.1 = INTEGER: 1107787778 IP-MIB::ip.34.1.3.1.4.2.1.1.1 = INTEGER: 1107787779 IP-MIB::ip.34.1.3.2.16.254.128.0.0.0.0.0.0.2.1.232.255.254.139.5.8 = INTEGER: 1107787778 IP-MIB::ip.34.1.4.1.4.1.1.1.1 = INTEGER: 1 IP-MIB::ip.34.1.4.1.4.2.1.1.1 = INTEGER: 1 IP-MIB::ip.34.1.4.2.16.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.
CONFIGURATION mode
snmpset -v version -c community agent-ip sysContact.0 s “contact-info”
You may use up to 55 characters. The default is None.
• (From a management station) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
CONFIGURATION mode
snmpset -v version -c community agent-ip sysLocation.0 s “location-info”
You may use up to 55 characters. The default is None.
Enable all Dell Networking enterprise-specific and RFC-defined traps using the snmp-server enable traps command from CONFIGURATION mode. Enable all of the RFC-defined traps using the snmp-server enable traps snmp command from CONFIGURATION mode. 3. Specify the interfaces out of which the Dell Networking OS sends SNMP traps.
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 4 Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 5 Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (1489064) 4:08:10.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 6 Trap SNMPv2-MIB::sysUpTime.
SNMPv2-SMI::enterprises.6027.3.15.4.0 = STRING: "ETS_TRAP_TYPE_PEER_STATE_CHANGE: ETS Peer state changed to disabled for port Te 0/44", SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 23 pfc pfc peer state enabled 10.16.130.140 [10.16.130.140]: Trap SNMPv2-MIB::sysUpTime.0 = Timeticks: (626100) 1:44:21.00, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.15.4.0.7, SNMPv2-SMI::enterprises.6027.3.15.4.1.1.0 = INTEGER: 45420801, SNMPv2-SMI::enterprises.6027.3.15.4.1.2.
MIB Object | OID | Object Values | Description
and copySrcFileName.
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 | 1 = flash, 2 = n/a, 3 = tftp, 4 = ftp, 5 = scp, 6 = usbflash | Specifies the location of source file. • If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copySrcFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 | Path (if the file is not in the current directory) and filename. | Specifies name of the file.
copyDestFileType | . 1.3.6.1.4.1.
MIB Object | OID | Object Values | Description
copyServerAddress | .1.3.6.1.4.1.6027.3.5.1.1.1.1.8 | IP Address of the server. | The IP address of the server.
copyUserName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.9 | Username for the server. | Username for the FTP, TFTP, or SCP server.
copyUserPassword | .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 | Password for the server. |
• If you specify copyServerAddress, you must also specify copyUserName and copyUserPassword.
• -m: View the MIB files for the SNMP command. • -r: Number of retries using the option • -t: View the timeout. • -v: View the SNMP version (either 1, 2, 2d, or 3). The following examples show the snmpset command to copy a configuration. These examples assume that: • the server OS is UNIX • you are using SNMP version 2c • the community name is public • the file f10-copy-config.
>snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.8 = INTEGER: 2 Copying the Startup-Config Files to the Server via FTP To copy the startup-config to the server via FTP from the UNIX machine, use the following command. Copy the startup-config to the server via FTP from the UNIX machine. snmpset -v 2c -c public -m ./f10-copy-config.
Copying a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command. • Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.index i 3 copyServerAddress.
MIB Object | OID | Values | Description
6 = timeout 7 = unknown
copyEntryRowStatus | .1.3.6.1.4.1.6027.3.5.1.1.1.1.15 | Row status | Specifies the state of the copy operation. Uses CreateAndGo when you are performing the copy. The state is set to active when the copy is completed.
Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
snmpset -v 2c -c public -m /f10-copy-config.mib force10system-ip-address [OID.
Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. Example of Creating a VLAN using SNMP > snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4 SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:12:42
Queueing strategy: fifo
Time since last interface status change: 00:12:42
To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown for an S-Series.
> snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
position from the left represents Port 2 and has a value of 1, indicating that Port 0/2 is in VLAN 10. The remaining positions are 0, so those ports are not in the VLAN. NOTE: The table contains none of the other information the command provides, such as port speed or whether the ports are tagged or untagged. Add Tagged and Untagged Ports to a VLAN The value of the dot1qVlanStaticEgressPorts object is an array of all VLAN members. The dot1qVlanStaticUntaggedPorts object is an array of only untagged VLAN members.
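The port bitmaps described above can be decoded and built programmatically when auditing VLAN membership. The following is an added example, not Dell code: the function names and sample values are constructed, and it assumes the leftmost bit of the first byte is port 1, which is consistent with the Port 2 reading above.

```python
"""Decode and build Q-BRIDGE-MIB port bitmaps (dot1qVlanStaticEgressPorts and
dot1qVlanStaticUntaggedPorts). Added example, not Dell code."""
import re

# Constructed sample in the snmpget output format used in this guide. The
# value wraps across lines the way long Hex-STRING values do.
SAMPLE = (
    "SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00\n"
    "00 00 00 00"
)

HEX_VALUE = re.compile(r"Hex-STRING:\s*((?:[0-9A-Fa-f]{2}\s?)+)")


def parse_hex_string(snmp_output):
    """Extract the bitmap bytes from one snmpget/snmpwalk Hex-STRING result."""
    flattened = " ".join(snmp_output.split())  # undo line wrapping
    match = HEX_VALUE.search(flattened)
    if match is None:
        raise ValueError("no Hex-STRING value found")
    return bytes.fromhex(match.group(1))


def ports_in_bitmap(bitmap):
    """Return the 1-based positions (counted from the left) of the set bits."""
    ports = []
    for byte_index, byte in enumerate(bitmap):
        for bit in range(8):
            if byte & (0x80 >> bit):
                ports.append(byte_index * 8 + bit + 1)
    return ports


def build_bitmap(ports, length):
    """Build a bitmap of `length` bytes with the given port positions set."""
    bitmap = bytearray(length)
    for port in ports:
        if not 1 <= port <= length * 8:
            raise ValueError(f"port {port} does not fit in {length} bytes")
        byte_index, bit = divmod(port - 1, 8)
        bitmap[byte_index] |= 0x80 >> bit
    return bytes(bitmap)


def classify_members(egress, untagged):
    """Split VLAN members into tagged and untagged.

    Egress lists every member and untagged lists only the untagged members,
    so the tagged members are the difference. An untagged port that is not
    an egress member means the two values do not belong together.
    """
    egress_ports = set(ports_in_bitmap(egress))
    untagged_ports = set(ports_in_bitmap(untagged))
    stray = untagged_ports - egress_ports
    if stray:
        raise ValueError(f"untagged ports not in egress set: {sorted(stray)}")
    return {
        "tagged": sorted(egress_ports - untagged_ports),
        "untagged": sorted(untagged_ports),
    }


if __name__ == "__main__":
    print(ports_in_bitmap(parse_hex_string(SAMPLE)))
```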
00 00 00 00 00 00 00 00 00" SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
Table 61. MIB Objects for Fetching Dynamic MAC Entries in the Forwarding Database
MIB Object | OID | MIB | Description
dot1dTpFdbTable | .1.3.6.1.2.1.17.4.3 | Q-BRIDGE MIB | List the learned unicast MAC addresses on the default VLAN.
dot1qTpFdbTable | .1.3.6.1.2.1.17.7.1.2.2 | Q-BRIDGE MIB | List the learned unicast MAC addresses on nondefault VLANs.
dot3aCurAggFdbTable | .1.3.6.1.4.1.6027.3.2.1.1.5 | F10-LINK-AGGREGATION-MIB | List the learned MAC addresses of aggregated links (LAG).
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.7.1.2.2.1 SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 118 SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.1000.0.1.232.6.149.172 = INTEGER: 3 Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
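The dot1qTpFdbTable walk output shown above encodes the VLAN and the MAC address as decimal numbers in the OID instance. The following added example (not Dell code) turns such output into VLAN/MAC/port records and lists learned addresses that are missing from an inventory; the first two sample rows are the ones shown above, the other rows and the inventory are constructed, and the status names are those of dot1qTpFdbStatus in Q-BRIDGE-MIB.

```python
"""Parse dot1qTpFdbTable snmpwalk output and report learned MAC addresses
that are not in an expected inventory. Added example, not Dell code."""
import re

# The first two rows are the walk output shown in this guide; the last two
# rows are constructed.
WALK = """\
SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.1.232.6.149.172 = INTEGER: 118
SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.1000.0.1.232.6.149.172 = INTEGER: 3
SNMPv2-SMI::mib-2.17.7.1.2.2.1.2.1000.0.80.86.1.2.3 = INTEGER: 119
SNMPv2-SMI::mib-2.17.7.1.2.2.1.3.1000.0.80.86.1.2.3 = INTEGER: 3
"""

# Instance layout: <column>.<vlan>.<six decimal MAC octets>
FDB_ROW = re.compile(
    r"mib-2\.17\.7\.1\.2\.2\.1\.(\d+)\.(\d+)((?:\.\d+){6})\s*=\s*INTEGER:\s*(\d+)"
)

# dot1qTpFdbStatus values from Q-BRIDGE-MIB.
FDB_STATUS = {1: "other", 2: "invalid", 3: "learned", 4: "self", 5: "mgmt"}


def parse_fdb_walk(text):
    """Return {(vlan, mac): {"port": int or None, "status": str or None}}."""
    entries = {}
    for line in text.splitlines():
        match = FDB_ROW.search(line)
        if match is None:
            continue  # not a dot1qTpFdbTable row
        column, vlan = int(match.group(1)), int(match.group(2))
        octets = [int(o) for o in match.group(3).strip(".").split(".")]
        if any(o > 255 for o in octets):
            raise ValueError(f"MAC octet out of range in: {line!r}")
        mac = ":".join(f"{o:02x}" for o in octets)
        entry = entries.setdefault((vlan, mac), {"port": None, "status": None})
        value = int(match.group(4))
        if column == 2:    # dot1qTpFdbPort
            entry["port"] = value
        elif column == 3:  # dot1qTpFdbStatus
            entry["status"] = FDB_STATUS.get(value, f"unknown({value})")
    return entries


def unexpected_macs(entries, inventory):
    """Return sorted (vlan, mac, port) for learned MACs not in the inventory."""
    known = {mac.lower() for mac in inventory}
    return sorted(
        (vlan, mac, entry["port"])
        for (vlan, mac), entry in entries.items()
        if entry["status"] == "learned" and mac not in known
    )


if __name__ == "__main__":
    # Constructed inventory holding only the address from the guide's output.
    for vlan, mac, port in unexpected_macs(parse_fdb_walk(WALK),
                                           ["00:01:E8:06:95:AC"]):
        print(f"VLAN {vlan}: unexpected MAC {mac} learned on port {port}")
```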
Example of Deriving the Interface Index Number
To view the system image on Flash Partition A, use the chSysSwInPartitionAImgVers object or, to view the system image on Flash Partition B, use the chSysSwInPartitionBImgVers object.
Table 62. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object | OID | Description | MIB
chSysSwInPartitionAImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 | List the version string of the system image in Flash Partition A. | Chassis MIB
chSysSwInPartitionBImg 1.3.6.1.
Untagged 2) dot3aCommonAggFdbStatus SNMPv2-SMI::enterprises.6027.3.2.1.1.6.1.4.1107755009.1 = INTEGER: 1 << Status active, 2 – status inactive If we learn MAC addresses for the LAG, status is shown for those as well. dot3aCurAggVlanId SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 00 00 00 01 dot3aCurAggIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 dot3aCurAggStatus SNMPv2-SMI::enterprises.6027.3.2.
MIB Object | OID | Description
bmpAutoSave | .1.3.6.1.4.1.6027.3.23.1.2 | LEAF INTEGER
bmpConfigDownload | .1.3.6.1.4.1.6027.3.23.1.3 | LEAF INTEGER
bmpDhcpTimeout | .1.3.6.1.4.1.6027.3.23.1.4 | LEAF INTEGER
bmpRetryCount | .1.3.6.1.4.1.6027.3.23.1.5 | LEAF INTEGER
bmpUserDefinedString | .1.3.6.1.4.1.6027.3.23.1.6 | LEAF OCTET STRING
Entity MIBS
The Entity MIB provides a mechanism for presenting hierarchies of physical entities using SNMP tables.
SNMPv2-SMI::mib-2.47.1.1.1.1.2.1 SNMPv2-SMI::mib-2.47.1.1.1.1.2.2 SNMPv2-SMI::mib-2.47.1.1.1.1.2.3 SNMPv2-SMI::mib-2.47.1.1.1.1.2.4 SNMPv2-SMI::mib-2.47.1.1.1.1.2.5 SNMPv2-SMI::mib-2.47.1.1.1.1.2.6 SNMPv2-SMI::mib-2.47.1.1.1.1.2.7 SNMPv2-SMI::mib-2.47.1.1.1.1.2.8 SNMPv2-SMI::mib-2.47.1.1.1.1.2.
Stacking 49 Stacking is supported on the MXL switch platform. Stacking is supported on an MXL 10/40GbE switch on the 40GbE ports (for the base module) or a 2-Port 40GbE QSFP+ module. You can connect up to six MXL 10/40GbE switches in a single stack. Stacking provides a single point of management and network interface controller (NIC) teaming for high availability and higher throughput.
Figure 119. Four-Stacked MXL 10/40GbE Switches Stack Management Roles The stack elects the management units for the stack management. • Stack master — primary management unit, also called the master unit. • Standby — secondary management unit. The master holds the control plane and the other units maintain a local copy of the forwarding databases. From the stack master you can configure: • System-level features that apply to all stack members. • Interface-level features for each stack member.
If the master switch goes off line, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby. NOTE: For the MXL switch, the entire stack has only one management IP address. Stack Master Election The stack elects a master and standby unit at bootup time based on two criteria. • Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0.
Failover Roles If the stack master fails (for example, is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The lack of a standby unit triggers an election within the remaining units for a standby role.
Figure 120. Dual-Ring Stacking Topology for MXL 10/40GbE Switches Example 2: Dual Daisy-Chain Stack Across Multiple Chassis Using two separate, daisy-chained stacks in a stacking topology provides redundancy and increased high availability in case of stack failure. Also, stacking upgrades are simplified when you have to take one stack offline, as shown in the following example.
Figure 121. Dual Daisy-Chain Stacking Topology for MXL 10/40GbE Switches Stack Group/Port Numbers By default, each unit in Standalone mode is numbered stack-unit 0. Stack-unit numbers are assigned to member switches when the stack comes up. The following example shows the stack-group numbers of 40GbE ports on an MXL 10/40GbE switch.
Figure 122. Stack-Group on an MXL 10/40GbE Switch
Configuring a Switch Stack
Configuring a switch stack is a four-step process. To configure and bring up a switch stack, follow these steps:
1. Connect the switches to be stacked with 40G direct attach or QSFP fibre cables.
2. Configure the stacking ports on each switch.
3. All switches must be booted together.
4. (Optional) Configure management priorities, unit numbers, or logical provisioning for stack units.
• A maximum of four stack groups (40GbE ports) is supported on a stacked MXL 10/40GbE switch. • Interconnect the stack units by following the instructions in Cabling Stacked Switches. • When you create stack ports on an MXL Switch, all ports must be fixed or on the expansion module. Mixing fixed and expansion module ports in order to stack is not supported.
Configuring and Bringing Up a Stack After you attach the 40G QSFP or direct attach cables in a stack of MXL 10/40GbE Switches, to bring up the stack, follow these steps. NOTE: The procedure uses command examples for the stacking topology shown previously in this chapter. 1. Set up a connection to the CLI on an MXL 10/40GbE Switch as described in Accessing the CLI. 2. Log on to the CLI and enter Global Configuration mode. Login: username Password: ***** Dell> enable Dell# configure 3.
Assigning a Priority to Stacked Switches To configure the stack so that the roles are assigned according to pre-determined priorities instead of using the highest MAC addresses, use the stack-unit priority command in Global Configuration mode on each stacked switch. The switch with the highest priority number is elected master. The switch with the next highest priority number is elected standby and takes over stack management if the master switch fails.
• The base-module ports on the switch (ports 33 and 37/stack groups 0 and 1) are pre-configured for 40GbE operation. • The 40GbE ports on FlexIO modules (ports 41 and 45 in slot 0; ports 49 and 53 in slot 1) are preconfigured for 4x10GbE (quad mode) operation. Create a virtual stack unit by logically provisioning a switch.
To display the stack-unit number, use the show system brief command. Removing a Port from the Stacking Mode To remove a 40GbE port from the stack, use the no form of the stack-unit unit-number stackgroup number command. After entering the command, save the configuration and reload the stack for the change to take effect. Remove a stacked port from a stack.
stack-unit 0 stack-group group-number
• stack-unit 0 defines the default ID unit-number in the initial configuration of a switch.
• stack-group group-number configures a 40GbE port for stacking. Base-module ports are stack groups 0 and 1; 40GbE ports on a FlexIO module in slot 0 are stack groups 2 and 3 and in slot 1 are stack groups 4 and 5.
5. Save the stacking configuration on the 40GbE ports. EXEC Privilege mode
write memory
6. Reload the switch.
NOTE: Adding a new unit that is powered on and has stack groups configured is the same as merging two stacks (refer to Adding a Stack Unit). If the new unit has been configured with a higher priority than the current stack master, it becomes the new stack master and the stack reloads. If the new unit does not have a higher priority than the master switch, it is added as a member switch.
reset stack-unit unit-number
• Reload a member unit, from the unit itself. EXEC Privilege mode
reset-self
• Reset a stack-unit when the unit is in a problem state. EXEC Privilege mode
reset stack-unit unit-number hard
Verify a Stack Configuration
The following lists the status of a stacked switch according to the color of the System Status light emitting diodes (LEDs) on its front panel.
• Blue indicates the switch is operating as the stack master or as a standalone unit.
-- Stack Info --
Unit  UnitType    Status  ReqTyp        CurTyp        Version    Ports
---------------------------------------------------------------
0     Management  online  MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
1     Standby     online  MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
2     Member      online  MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
3     Member      online  MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
4     Member      online  MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
5     Member      online  MXL-10/40GbE  MXL-10/40GbE  9-1-0-853  56
Dell#show system
Stack MAC : 00:1e:c9:f1:00:e3
Relo
Required Type Current Type Master priority Hardware Rev Num Ports Up Time Dell Networking Jumbo Capable POE Capable : MXL-10/40GbE - 34-port GE/TE/FG (XL) : MXL-10/40GbE - 34-port GE/TE/FG (XL) : 13 : 3.
0/41  1/49  40  up  up
1/33  2/37  40  up  up
1/37  0/33  40  up  up
1/49  0/41  40  up  up
1/53  2/49  40  up  up
2/37  1/33  40  up  up
2/49  1/53  40  up  up
Troubleshooting a Switch Stack
To perform troubleshooting operations on a switch stack, use the following commands on the master switch.
1. Displays the status of stacked ports on stack units.
show system stack-ports
2.
-- Stack-unit Redundancy Configuration ---------------------------------------------------------Primary Stack-unit: mgmt-id 0 Auto Data Sync: Full Failover Type: Hot (Failover Failover type with redundancy.
May 31 01:46:17: %STKUNIT3-M:CP %CHMGR-2-STACKUNIT_DOWN: Major alarm: Stack unit 4 down - IPC timeout
Dell#May 31 01:46:17: %STKUNIT3-M:CP %IFMGR-1-DEL_PORT: Removed port: Te 4/1-32,41-48, Fo 4/49,53
Dell#May 31 01:46:18: %STKUNIT5-S:CP %IFMGR-1-DEL_PORT: Removed port: Te 4/1-32,41-48, Fo 4/49,53
Unplugged Stacking Cable
• Problem: A stacking cable is unplugged from a member switch. The stack loses half of its bandwidth from the disconnected switch.
and power-cycle the stack. ----------------------------------------MEMBER 2--------------------------------------------Error: Stack Port 51 has flapped 5 times within 10 seconds.Shutting down this stack port now. Error: Please check the stack cable/module and power-cycle the stack.
Stack Unit in Card-Problem State Due to Configuration Mismatch • Problem: A stack unit enters a Card-Problem state because there is a configuration mismatch between the logical provisioning stored for the stack-unit number on the master switch and the newly added unit with the same number. • Resolution: The resolution is to reload the stack. When the stack is up, the card problem will be solved. To correct a configuration mismatch, reload the entire stack using the reload command in EXEC Privilege mode.
Erasing IOM Primary Image, please wait .!.............................................................................. ... ...................................Writing...................................... ... ................................................................................ ... ................................................................................ ... 31972272 bytes successfully copied System image upgrade completed successfully.
Example of Upgrading a Single Stack Unit The following example shows how to upgrade an individual stack unit.
Storm Control 50 Storm control is supported on the MXL switch platform. The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking OS Behavior: The Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. The minimum number of packets per second (PPS) that storm control can limit is two.
Spanning Tree Protocol (STP) 51 The spanning tree protocol (STP) is supported on the MXL switch platform. Protocol Overview STP is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network. By eliminating loops, the protocol improves scalability in a large network and allows you to implement redundant paths, which can be activated after the failure of active paths.
Important Points to Remember • STP is disabled by default. • The Dell Networking operating system (OS) supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time.
To configure and enable the interfaces for Layer 2, use the following commands.
1. If the interface has been assigned an IP address, remove it. INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode. INTERFACE mode
switchport
3. Enable the interface. INTERFACE mode
no shutdown
Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Figure 124. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable Example of Verifying Spanning Tree is Enabled Example of Viewing Spanning Tree Configuration Example of Verifying a Port Participates in Spanning Tree To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To view the spanning tree configuration and the interfaces that are participating in STP, use the show spanning-tree 0 command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. R2#show spanning-tree 0 Executing IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768, address 0001.e826.ddb7 Configured hello time 2, max age 20, forward delay 15 Current root has priority 32768, address 0001.e80d.
INTERFACE mode spanning-tree 0 Removing an Interface from the Spanning Tree Group To remove a Layer 2 interface from the spanning tree topology, use the following command. • Disable spanning tree on a Layer 2 interface. INTERFACE mode no spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hellotime, and max-age and overwrites the values set on other bridges participating in STP.
hello-time seconds
NOTE: With large configurations (especially those with more ports) Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
Enabling PortFast The PortFast feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. Interfaces forward frames by default until they receive a BPDU that indicates that they should behave otherwise; they do not go through the Learning and Listening states. The bpduguard shutdown-onviolation option causes the interface hardware to be shut down when it receives a BPDU.
BPDU. Otherwise, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree will only drop packets after a BPDU violation. The following example shows a scenario in which an edgeport might unintentionally receive a BPDU. The port on the Dell Networking system is configured with Portfast. If the switch is connected to the hub, the BPDUs that the switch generates might trigger an undesirable topology change.
Figure 125. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering (refer to Removing an Interface from the Spanning Tree Group) both block BPDUs, but are two separate features. BPDU guard is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. Example of Blocked BPDUs Dell#show spanning-tree 0 brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e88a.
Global BPDU Filtering When BPDU filtering is enabled globally, the switch stops transmitting BPDUs on the operational PortFast-enabled ports by default. When such a port receives BPDUs, it automatically participates in the spanning tree. By default, global BPDU filtering is disabled. Figure 126. BPDU Filtering Enabled Globally Interface BPDU Filtering When BPDU filtering is enabled on an interface, it should stop sending and receiving BPDUs on the PortFast-enabled ports.
Figure 127. BPDU Filtering Enabled Globally Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Root Bridge hello time 2, max age 20, forward delay 15 Dell# STP Root Guard Use the STP root guard feature in a Layer 2 network to avoid bridging loops. In STP, the switch in the network with the lowest priority (as determined by STP or set with the bridgepriority command) is selected as the root bridge. If two switches have the same priority, the switch with the lower MAC address is selected as the root.
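The root election rule described above (lowest priority wins, lowest MAC address breaks a tie), as an added example that is not part of the Dell guide. The bridge names, the root address in the sample output and the received BPDUs are constructed; flagging a superior BPDU on a guarded port reflects general STP root guard behaviour and is an assumption relative to the text on this page.

```python
import re

# Lines of the form printed by "show spanning-tree 0".
SHOW_RE = re.compile(
    r"(Bridge Identifier|Current root) has priority (\d+), "
    r"address ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
)

# Constructed sample: the bridge line uses the values shown in this guide,
# the root address is made up for the example.
SAMPLE_SHOW = """\
Bridge Identifier has priority 32768, address 0001.e826.ddb7
Current root has priority 32768, address 0001.e800.0a01
"""

# Constructed bridges for an election: name -> (priority, MAC address).
SAMPLE_BRIDGES = {
    "access-1": (32768, "0001.e826.ddb7"),
    "access-2": (32768, "0001.e800.0a01"),
    "core-1": (4096, "0001.e8ff.ffff"),
}

# Constructed root IDs advertised in BPDUs received on root-guard ports.
SAMPLE_BPDUS = [
    ("Te 0/5", 4096, "0001.e8aa.bb01"),    # lower priority value: superior
    ("Te 0/6", 32768, "0001.e8ff.0001"),   # same priority, higher MAC: inferior
    ("Te 0/7", 32768, "0001.e800.0001"),   # same priority, lower MAC: superior
]


def bridge_id(priority, mac):
    """Return a sortable bridge ID; the numerically lowest ID wins."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    if not 0 <= priority <= 65535:
        raise ValueError("bridge priority out of range: %r" % priority)
    return (priority, int(digits, 16))


def elect_root(bridges):
    """Pick the root from a dict of name -> (priority, mac)."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def parse_show_spanning_tree(text):
    """Extract the local bridge ID and the current root ID from show output."""
    found = {}
    for who, priority, mac in SHOW_RE.findall(text):
        key = "bridge" if who.startswith("Bridge") else "root"
        found[key] = bridge_id(int(priority), mac)
    return found


def superior_bpdu_ports(current_root, bpdus):
    """List ports whose received BPDU advertises a better root than the current one.

    On a port with root guard enabled, these are the BPDUs that must not be
    allowed to move the root bridge.
    """
    return [port for port, priority, mac in bpdus
            if bridge_id(priority, mac) < current_root]


if __name__ == "__main__":
    state = parse_show_spanning_tree(SAMPLE_SHOW)
    print("local bridge is root:", state["bridge"] == state["root"])
    print("elected root:", elect_root(SAMPLE_BRIDGES))
    print("superior BPDUs on:", superior_bpdu_ports(state["root"], SAMPLE_BPDUS))
```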
Figure 128. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
– 0: enables root guard on an STP-enabled port assigned to instance 0. – mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
System Time and Date 52 System time and date settings and the network time protocol (NTP) are supported on the MXL switch platform. System times and dates can be set and maintained through NTP. They can also be set through the Dell Networking operating system (OS) command line interfaces (CLIs) and hardware settings. Network Time Protocol The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients.
time and adjust the local clock accordingly. In addition, the message includes information to calculate the expected timekeeping accuracy and reliability, as well as select the best from possibly several servers.
Configure the Network Time Protocol
Configuring NTP is a one-step process.
• Enabling NTP
Related Configuration Tasks
• Configuring NTP Broadcasts
• Setting the Time and Date for the Switch Hardware Clock
• Disabling NTP on an Interface
• Configuring a Source IP Address for NTP Packets
Enabling NTP
NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times.
ntp update-calendar
Example of Updating the System Clock Relative to NTP
Dell(conf)#do show calendar
11:08:48 UTC Tue May 22 2012
Dell(conf)#ntp update-calendar 1
Dell(conf)#do show calendar
11:10:02 UTC Tue May 22 2012
Configuring NTP Broadcasts
With the Dell Networking OS, you can receive broadcasts of time information. You can set interfaces within the system to receive NTP information through broadcast. To configure an interface to receive NTP broadcasts, use the following commands.
– For a port channel interface, enter the keyword port-channel then a number from 1 to 128. – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
Example of Viewing NTP Configuration
Configuring an NTP Server
To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode. The following example shows an encrypted authentication key (in bold). All keys are encrypted.
Dell#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02
ntp server 11.1.1.1 version 3
ntp trusted-key 345
Dell#
Dell(conf)#1w6d23h : NTP: xmit packet to 192.168.1.
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
• Setting Recurring Daylight Saving Time Setting the Time and Date for the Switch Hardware Clock To set the time and date for the switch hardware clock, use the following command. • Set the hardware clock to the current time and date. EXEC Privilege mode calendar set time month day year – time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. – month: enter the name of one of the 12 months in English.
To set the clock timezone, use the following command. • Set the clock to the appropriate timezone. CONFIGURATION mode clock timezone timezone-name offset – timezone-name: enter the name of the timezone. Do not use spaces. – offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
Example of the clock summer-time Command Dell(conf)#clock summer-time pacific date Mar 14 2012 00:00 Nov 7 2012 00:00 Dell(conf)# Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command.
Example of the clock summer-time recurring Command Example of Clock Summer-Time Recurring Parameters Dell(conf)#clock summer-time pacific recurring Mar 14 2012 00:00 Nov 7 2012 00:00 Dell(conf)# NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting.
Tunneling 53 Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported. Configuring a Tunnel You can configure a tunnel in IPv6 mode, IPv6IP mode, and IPIP mode. • If the tunnel mode is IPIP or IPv6IP, the tunnel source address and the tunnel destination address must be an IPv4 address.
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.1/24
Dell(conf-if-tu-3)#ipv6 address 3::1/64
Dell(conf-if-tu-3)#no shutdown
Dell(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
Configuring the ip and ipv6 unnumbered
Configuring the tunnel interface is supported on the MXL platform. You can configure the tunnel with the ip unnumbered and ipv6 unnumbered commands. To configure the tunnel interface to operate without a unique explicit ip/ipv6 address, select the interface from which the tunnel will borrow its address. The following sample configuration shows the IP unnumbered command:
Dell(conf-if-te-0/0)#show config
!
interface TenGigabitEthernet 0/0
ip address 20.1.1.
no shutdown Configuring the tunnel source anylocal The anylocal argument can be used in place of the ip address or interface, but only with multipoint receive-only mode tunnels. The tunnel source anylocal command will allow the multipoint receive-only tunnel to decapsulate tunnel packets addressed to any IPv4 or IPv6 (depending on the tunnel mode) address configured on the switch that is operationally UP.
Uplink Failure Detection (UFD) 54 Uplink failure detection (UFD) is supported on the MXL switch platform. Feature Description UFD provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 130. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 131. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
– An uplink-state group is considered to be operationally down if it has no upstream interfaces in the Link-Up state. No uplink-state tracking is performed when a group is disabled or in an Operationally Down state. • You can assign physical port or port-channel interfaces to an uplink-state group. – You can assign an interface to only one uplink-state group. Configure each interface assigned to an uplink-state group as either an upstream or downstream interface, but not both.
• Port channel: enter port-channel {1-512 | port-channel-range} Where port-range and port-channel-range specify a range of ports separated by a dash (-) and/or individual ports/port channels in any order; for example: upstream gigabitethernet 1/1-2,5,9,11-12 downstream port-channel 1-3,5 • A comma is required to separate each port and port-range entry. To delete an interface from the group, use the no {upstream | downstream} interface command. 3.
Clearing a UFD-Disabled Interface You can manually bring up a downstream interface in an uplink-state group that UFD disabled and is in a UFD-Disabled Error state. To re-enable one or more disabled downstream interfaces and clear the UFD-Disabled Error state, use the following command. • Re-enable a downstream interface on the switch/router that is in a UFD-Disabled Error State so that it can send and receive traffic.
00:10:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te 0/6
00:10:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/4
00:10:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/5
00:10:13: %STKUNIT0-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 0/6
Dell(conf-if-range-te-0/1-3)#do clear ufd-disable uplink-state-group 3
00:11:50: %STKUNIT0-M:CP UFD error-disabled: Te 0/4 00:11:51: %STKUNIT0-M:CP UFD err
(For UPLINK-STATE-GROUP mode) show configuration – group-id: The values are from 1 to 16.
Input Statistics:
 0 packets, 0 bytes
 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
 0 Multicasts, 0 Broadcasts
 0 runts, 0 giants, 0 throttles
 0 CRC, 0 overrun, 0 discarded
Output Statistics:
 0 packets, 0 bytes, 0 underruns
 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
 0 Multicasts, 0 Broadcasts, 0 Unicasts
 0 throttles, 0 discarded, 0 collisions
Rate info
Dell(conf-uplink-state-group-3)#upstream tengigabitethernet 0/3-4
Dell(conf-uplink-state-group-3)#description Testing UFD feature
Dell(conf-uplink-state-group-3)#show config
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TenGigabitEthernet 0/1-2,5,9,11-12
 upstream TenGigabitEthernet 0/3-4
Dell#show running-config uplink-state-group
!
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TenGigabitEthernet 0/1-2,5,9,11-12
 upst
55 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://www.dell.
Virtual LANs (VLANs) 56 Virtual LANs (VLANs) are supported on the MXL switch platform. VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking operating system (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
By default, VLAN 1 is the Default VLAN. To change that designation, use the default vlan-id command in CONFIGURATION mode. You cannot delete the Default VLAN. NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • • Untagged interfaces must be part of a VLAN.
information is preserved as the frame moves through the network. The following example shows the structure of a frame with a tag header. The VLAN ID is inserted in the tag header. Figure 132. Tagged Frame Format The tag header contains some key information that the Dell Networking OS uses: • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). • Tag control information (TCI) includes the VLAN ID (2 bytes total).
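Reading the tag header fields described above out of a raw frame, as an added example that is not part of the Dell guide. The frames are constructed, the function names are hypothetical, and the split of the TCI into priority, DEI and 12-bit VLAN ID follows IEEE 802.1Q rather than text on this page.

```python
import struct

TPID_8021Q = 0x8100      # VLAN protocol identifier of an IEEE 802.1Q tag
ETH_HEADER_LEN = 14      # destination MAC + source MAC + EtherType
TAG_LEN = 4              # 2-byte protocol identifier + 2-byte TCI


def build_frame(dst, src, ethertype, payload, vlan_id=None, pcp=0, dei=0):
    """Construct an Ethernet frame, tagged when vlan_id is given (sample data)."""
    header = dst + src
    if vlan_id is not None:
        if not 0 <= vlan_id <= 0x0FFF or not 0 <= pcp <= 7 or dei not in (0, 1):
            raise ValueError("tag field out of range")
        tci = (pcp << 13) | (dei << 12) | vlan_id
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_vlan_tag(frame):
    """Return the 802.1Q tag fields of a frame, or None if it is untagged."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return None                      # no tag header after the source MAC
    if len(frame) < ETH_HEADER_LEN + TAG_LEN:
        raise ValueError("truncated 802.1Q tag header")
    tci, ethertype = struct.unpack_from("!HH", frame, 14)
    vlan_id = tci & 0x0FFF               # low 12 bits of the TCI
    if vlan_id == 0:
        note = "priority tag only, no VLAN membership"
    elif vlan_id == 0x0FFF:
        note = "reserved VLAN ID"
    else:
        note = "ok"
    return {
        "pcp": tci >> 13,                # 3-bit priority
        "dei": (tci >> 12) & 1,          # drop eligible indicator
        "vlan_id": vlan_id,
        "ethertype": ethertype,          # type of the encapsulated payload
        "note": note,
    }


def strip_vlan_tag(frame):
    """Remove the 4-byte tag header, as happens on egress from an untagged port."""
    if parse_vlan_tag(frame) is None:
        return frame
    return frame[:12] + frame[12 + TAG_LEN:]


# Constructed sample frames: broadcast destination, made-up source and payload.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0001e80695ac")
UNTAGGED = build_frame(DST, SRC, 0x0800, b"payload")
TAGGED = build_frame(DST, SRC, 0x0800, b"payload", vlan_id=1000, pcp=5)

if __name__ == "__main__":
    print(parse_vlan_tag(TAGGED))
    print(parse_vlan_tag(UNTAGGED))
```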
• Configure a port-based VLAN (if the VLAN-ID is different from the Default VLAN ID) and enter INTERFACE VLAN mode. CONFIGURATION mode interface vlan vlan-id To activate the VLAN, after you create a VLAN, assign interfaces in Layer 2 mode to the VLAN. Example of Verifying a Port-Based VLAN To view the configured VLANs, use the show vlan command in EXEC Privilege mode.
Add an Interface to Another VLAN To view just the interfaces that are in Layer 2 mode, use the show interfaces switchport command in EXEC Privilege mode or EXEC mode. The following example shows the steps to add a tagged interface (in this case, port channel 1) to VLAN 4. To view the interface’s status, use the show vlan command; here the interface (po 1) is tagged and in VLAN 2 and 3. In a port-based VLAN, use the tagged command to add the interface to another VLAN.
untagged interface This command is available only in VLAN interfaces. Move an Untagged Interface to Another VLAN The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN. To determine interface status, use the show vlan command.
In the Dell Networking OS, you can place VLANs and other logical interfaces in Layer 3 mode to receive and send routed traffic. For more information, refer to Bulk Configuration. To assign an IP address, use the following command. • Configure an IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] – ip-address mask — Enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24). – secondary — This is the interface’s backup IP address.
[tagged | untagged] Enabling Null VLAN as the Default VLAN In a Carrier Ethernet for Metro Service environment, service providers who perform frequent reconfigurations for customers with changing requirements occasionally enable multiple interfaces, each connected to a different customer, before the interfaces are fully configured. This presents a vulnerability because both interfaces are initially placed in the native VLAN, VLAN 1, and for that period customers are able to access each other's networks.
Virtual Link Trunking (VLT) 57 Virtual link trunking (VLT) is supported on the MXL switch platform. Overview VLT allows physical links between two chassis to appear as a single virtual link to the network core. VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology.
Figure 133. Virtual Link Trunking Multi-domain VLT A multi-domain VLT (mVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT Domain ID numbers, connected by a standard LACP LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four (4) nodes per mVLT domain, increasing the number of available ports and allowing for dual redundancy of the VLT.
Figure 134. Multi-Domain VLT Example

VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
• VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keepalive messages between the VLT peer switches.
• VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• If you reboot both VLT peers in BMP mode and the VLT LAGs are static, the DHCP server reply to the DHCP discover offer may not be forwarded by the ToR to the correct node. To avoid this scenario, configure the VLT LAGs to the ToR and the ToR port channel to the VLT peers with LACP. If supported by the ToR, enable the lacp-ungroup feature on the ToR using the lacp ungroup member-independent port-channel command.
the VLT Interconnect (VLTi) does not activate. To find the reason for the VLTi being down, use the show vlt statistics command to verify that there are mismatch errors, then use the show vlt brief command on each VLT peer to view the VLT version on the peer switch. If the VLT version is more than one release different from the current version in use, the VLTi does not activate.
– If you replace a VLT peer node, preconfigure the switch with the VLT system MAC address, unit-id, and other VLT parameters before connecting it to the existing VLT peer switch using the VLTi connection. – If the size of the MTU for VLTi members is less than 1496 bytes, MAC addresses may not be synced. Dell Networking recommends retaining the default MTU allocation (1554 bytes) for VLTi members.
NOTE: PVST+ passthrough is supported in a VLT domain. PVST+ BPDUs do not result in an interface shutdown. PVST+ BPDUs for a nondefault VLAN are flooded out as any other L2 multicast packet. On a default VLAN, RSTP is part of the PVST+ topology in that specific VLAN (default VLAN).
– For detailed information about how to use VRRP in a VLT domain, refer to the following VLT and VRRP Interoperability section.
– For information about configuring IGMP Snooping in a VLT domain, refer to VLT and IGMP Snooping.
determine whether the failure is a link-level failure or whether the remote peer has failed entirely. If the remote peer is still alive (heartbeat messages are still being received), the VLT secondary switch disables its VLT port channels. If keepalive messages from the peer are not being received, the peer continues to forward traffic, assuming that it is the last device available in the network.
VLT and IGMP Snooping
When configuring IGMP Snooping with VLT, ensure the configurations on both sides of the VLT trunk are identical to get the same behavior on both sides of the trunk. When you configure IGMP snooping on a VLT node, the dynamically learned groups and multicast router ports are automatically learned on the VLT peer node.

VLT Port Delayed Restoration
With the Dell Networking OS version 8.3.12.
Figure 135. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
To route traffic to and from the multicast source and receiver that are connected to VLT ports, enable PIM-Sparse mode on the VLANs to which the VLT ports belong using the ip pim sparse-mode command. If IGMP Snooping is configured on these VLANs, the VLTi must be configured as a static multicast router port on both VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands.
Configuring VLT Multicast
To enable and configure VLT multicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id
2. Enable peer-routing.
VLT DOMAIN mode
peer-routing
3. Configure the multicast peer-routing timeout.
VLT DOMAIN mode
multicast peer-routing-timeout value
value: Specify a value (in seconds) from 1 to 1200.
4. Configure a PIM-SM compatible VLT node as a designated router (DR).
• For PVLAN, if the IP address is configured for the primary VLAN, L3 routing is enabled.
NOTE: If the CAM is full, do not enable peer-routing.
NOTE: Peer routing and peer-routing-timeout are applicable for both IPv6 and IPv4.

Configuring VLT Unicast
To enable and configure VLT unicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
CONFIGURATION mode
vlt domain domain-id
2. Enable peer-routing.
VLT DOMAIN mode
peer-routing
3.
BPDUs use the MAC address of the primary VLT peer as the RSTP bridge ID in the designated bridge ID field. The primary VLT peer sends these BPDUs on VLT interfaces connected to access devices. The MAC address for a VLT domain is automatically selected on the peer switches when you create the domain. Configure both ends of the VLT interconnect trunk with identical RSTP configurations. When you enable VLT, the show spanning-tree rstp brief command output displays VLT information.
Configuring VLT To configure virtual link trunking and create a VLT domain in which two MXL switches are physically connected and treated as a single port channel by access devices, you must configure the following settings on each VLT peer device. Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect.

Configuring a VLT Backup Link
To configure a VLT backup link, use the following command.
1. Specify the management interface to be used for the backup link through an out-of-band management network.
CONFIGURATION mode
interface managementethernet slot/port
Enter the slot (0-1) and the port (0).
2. Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
CONFIGURATION mode
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
2. (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, the system elects a primary and secondary VLT peer device.
VLT DOMAIN CONFIGURATION mode
primary-priority value
To reconfigure the primary role of VLT peer switches, use the primary-priority command.
CONFIGURATION mode
interface port-channel id-number
2. Remove an IP address from the interface.
INTERFACE PORT-CHANNEL mode
no ip address
3. Place the interface in Layer 2 mode.
INTERFACE PORT-CHANNEL mode
switchport
4. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• 10-Gigabit Ethernet: enter tengigabitethernet slot/port.
5.
The range of domain IDs is from 1 to 1000.
2. Enter the port-channel number that acts as the interconnect trunk.
VLT DOMAIN CONFIGURATION mode
peer-link port-channel id-number
The range is from 1 to 128.
3. Enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down.
VLT DOMAIN CONFIGURATION mode
peer-down-vlan vlan interface number
The range is from 1 to 4094.
back-up destination ip-address [interval seconds]
You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
6. When you create a VLT domain on a switch, the system automatically creates a VLT-system MAC address used for internal system operations.
VLT DOMAIN CONFIGURATION mode
system-mac mac-address mac-address
Use the system-mac command to explicitly configure the default MAC address for the domain by entering a new MAC address in the format: aaaa.bbbb.
no shutdown
12. Add links to the mVLT port. Configure a range of interfaces to bulk configure.
CONFIGURATION mode
interface range {port-channel id}
13. Enable LACP on the LAN port.
INTERFACE mode
port-channel-protocol lacp
14. Configure the LACP port channel mode.
INTERFACE mode
port-channel number mode [active]
15. Ensure that the interface is active.
MANAGEMENT INTERFACE mode
no shutdown
16. Repeat steps 1 through 15 for the VLT peer node in Domain 1.
17.
EXEC mode
show vlt statistics
• Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
EXEC mode
show spanning-tree rstp
• Display the current status of a port or port-channel interface used in the VLT domain.
EXEC mode
show interfaces interface
– interface: specify one of the following interface types:
* Fast Ethernet: enter fastethernet slot/port.
Domain ID:                     1000
Role:                          Secondary
Role Priority:                 32768
ICL Link Status:               Up
HeartBeat Status:              Up
VLT Peer Status:               Up
Local Unit Id:                 0
Version:                       5(1)
Local System MAC address:      00:01:e8:8a:e9:70
Remote System MAC address:     00:01:e8:8a:e7:e7
Configured System MAC address: 00:0a:0a:01:01:0a
Remote system version:         5(1)
Delay-Restore timer:           90 seconds
Dell_VLTpeer2# show vlt brief
VLT Domain Brief
------------------
Domain ID: Role: Role Priority: ICL Link Status: HeartBeat Status: VLT Peer Status: Local Unit Id: Vers
Local System MAC address: 00:01:e8:8a:df:e6
Local System Role Priority: 32768
Dell_VLTpeer1# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18
Dell_VLTpeer2# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.
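A way to cross-check the show running-config vlt output of two peers, as an added Python example that is not part of the Dell guide. The peer names, the 192.0.2.x addresses and the management-interface text are constructed samples; the rule that each back-up destination should equal the other peer's management address is an assumption drawn from the guide's own example outputs.

```python
import ipaddress
import re

DOMAIN_ID_RANGE = range(1, 1001)  # guide: domain IDs are from 1 to 1000
PEER_LINK_RANGE = range(1, 129)   # guide: peer-link port channel is from 1 to 128


def parse_vlt(running_config):
    """Extract VLT domain settings from 'show running-config vlt' text."""
    cfg = {"domain": None, "peer_link": None, "backup_dest": None}
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"vlt domain (\d+)", line)
        if m:
            cfg["domain"] = int(m.group(1))
            continue
        m = re.fullmatch(r"peer-link port-channel (\d+)", line)
        if m:
            cfg["peer_link"] = int(m.group(1))
            continue
        m = re.match(r"back-up destination (\S+)", line)
        if m:
            cfg["backup_dest"] = ipaddress.ip_address(m.group(1))
    return cfg


def parse_mgmt_ip(interface_config):
    """Return the address from an 'ip address A.B.C.D/len' line, or None."""
    m = re.search(r"^\s*ip address (\S+)/\d+", interface_config, re.MULTILINE)
    return ipaddress.ip_address(m.group(1)) if m else None


def audit_pair(peers):
    """peers maps two switch names to {'vlt': text, 'mgmt': text}; returns findings."""
    (a, pa), (b, pb) = peers.items()
    vlt = {a: parse_vlt(pa["vlt"]), b: parse_vlt(pb["vlt"])}
    mgmt = {a: parse_mgmt_ip(pa["mgmt"]), b: parse_mgmt_ip(pb["mgmt"])}
    findings = []
    for name in (a, b):
        if vlt[name]["domain"] not in DOMAIN_ID_RANGE:
            findings.append(f"{name}: VLT domain ID missing or outside 1-1000")
        if vlt[name]["peer_link"] not in PEER_LINK_RANGE:
            findings.append(f"{name}: peer-link port channel missing or outside 1-128")
    if vlt[a]["domain"] != vlt[b]["domain"]:
        findings.append(
            f"domain ID mismatch: {a}={vlt[a]['domain']} {b}={vlt[b]['domain']}")
    # Each peer's backup link should point at the other peer, not at itself.
    for local, remote in ((a, b), (b, a)):
        dest = vlt[local]["backup_dest"]
        if dest is None:
            findings.append(f"{local}: no back-up destination configured")
        elif dest != mgmt[remote]:
            findings.append(
                f"{local}: back-up destination {dest} is not "
                f"{remote}'s management address {mgmt[remote]}")
    return findings


# Constructed sample configurations (documentation address range 192.0.2.0/24).
GOOD = {
    "peer1": {
        "vlt": "!\nvlt domain 30\n peer-link port-channel 60\n"
               " back-up destination 192.0.2.18\n",
        "mgmt": "interface ManagementEthernet 0/0\n ip address 192.0.2.17/24\n",
    },
    "peer2": {
        "vlt": "!\nvlt domain 30\n peer-link port-channel 60\n"
               " back-up destination 192.0.2.17\n",
        "mgmt": "interface ManagementEthernet 0/0\n ip address 192.0.2.18/24\n",
    },
}

if __name__ == "__main__":
    for finding in audit_pair(GOOD) or ["no findings"]:
        print(finding)
```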
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 0, Address 0001.e88a.dff8
We are the root
Configured hello time 2, max age 20, forward delay 15
Interface                                   Designated
Name    PortID   Prio Cost    Sts       Cost Bridge ID         PortID
---------- -------- ---- ------- -------- - ------- ------------
Po 1    128.2    128  200000  DIS       0    0 0001.e88a.dff8  128.2
Po 3    128.4    128  200000  DIS       0    0 0001.e88a.dff8  128.4
Po 4    128.5    128  200000  DIS       0    0 0001.e88a.dff8  128.5
Po 100  128.101  128  800     FWD(VLTi)0    0 0001.e88a.dff8  128.
EXEC mode or EXEC Privilege mode
show interfaces interface
8. In the top of rack unit, configure LACP in the physical ports.
EXEC Privilege mode
show running-config entity
9. Verify VLT is running.
EXEC mode
show vlt brief
show vlt detail
10. Verify the VLT LAG is running in both VLT peer units.
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.58
mxl-2#
mxl-2#show interfaces managementethernet 0/0
Internet address is 10.11.206.43/16
mxl-4#show running-config vlt
!
vlt domain 5
 peer-link port-channel 1
 back-up destination 10.11.206.43
mxl-4#
mxl-4#show running-config interface managementethernet 0/0
ip address 10.11.206.
mxl-4#show running-config interface port-channel 2
!
interface Port-channel 2
 no ip address
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
mxl-4#
mxl-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG Mode Status Uptime   Ports
L 2   L2L3 up     03:33:14 Te 0/40 (Up)
mxl-4#
mxl-1#show running-config interface tengigabitethernet 0/48
!
interface TenGigabitEthernet 0/48
 no ip address
!
 port-channel-protocol LACP
  port-channel 100 mode active
mxl-1#show running-config interface tengigabitethern
------------ ----------- ------------ ------------ ------------
10 10 UP UP 100, 200, 300, 400,
mxl-2#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG Mode Status Uptime   Ports
L 2   L2L3 up     03:43:24 Te 0/40 (Up)
mxl-2#
mxl-4#show interfaces port-channel 2 brief
Codes: L - LACP Port-channel
  LAG Mode Status Uptime   Ports
L 2   L2L3 up     03:33:31 Te 0/18 (Up)
mxl-4#

mVLT Configuration Example
The following example demonstrates the steps to configure multi-domain VLT (mVLT) in a network.
In Domain 1, configure the VLT domain and VLTi on Peer 1
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)#channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer1#no shutdown
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)#peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)#back-up destination 10.16.130.
Domain_1_Peer3#no shutdown
Domain_2_Peer3(conf)#vlt domain 200
Domain_2_Peer3(conf-vlt-domain)#peer-link port-channel 1
Domain_2_Peer3(conf-vlt-domain)#back-up destination 10.18.130.
Enable PIM on the VLT port VLANs.
VLT_Peer1(conf)#interface vlan 4001
VLT_Peer1(conf-if-vl-4001)#ip address 140.0.0.1/24
VLT_Peer1(conf-if-vl-4001)#ip pim sparse-mode
VLT_Peer1(conf-if-vl-4001)#tagged port-channel 101
VLT_Peer1(conf-if-vl-4001)#tagged port-channel 102
VLT_Peer1(conf-if-vl-4001)#no shutdown
VLT_Peer1(conf-if-vl-4001)#exit
Configure the VLTi port as a static multicast router port for the VLAN.
Configure the VLT interconnect (VLTi).
Dell_VLTpeer1(conf)#interface port-channel 100
Dell_VLTpeer1(conf-if-po-100)#no ip address
Dell_VLTpeer1(conf-if-po-100)#channel-member fortyGigE 0/56,60
Dell_VLTpeer1(conf-if-po-100)#no shutdown
Dell_VLTpeer1(conf-if-po-100)#exit
Configure the port channel to an attached device.
Configure the port channel to an attached device.
Dell_VLTpeer2(conf)#interface port-channel 110
Dell_VLTpeer2(conf-if-po-110)#no ip address
Dell_VLTpeer2(conf-if-po-110)#switchport
Dell_VLTpeer2(conf-if-po-110)#channel-member fortyGigE 0/48
Dell_VLTpeer2(conf-if-po-110)#no shutdown
Dell_VLTpeer2(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer2(conf-if-po-110)#end
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description Behavior at Peer Up Behavior During Run Time Action to Take The VLT peer does not boot up. The VLTi is forced to a down state. The VLT peer does not boot up. The VLTi is forced to a down state. Verify the domain ID matches on both VLT peers. A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated. Dell Networking Version A syslog error message mismatch is generated. A syslog error message is generated.
Description Behavior at Peer Up Behavior During Run Time Action to Take peers is compatible. For more information, refer to the Release Notes for this release. VLT LAG ID is not configured on one VLT peer A syslog error message is generated. The peer with the VLT configured remains active. A syslog error message is generated. The peer with the VLT configured remains active. Verify the VLT LAG ID is configured correctly on both VLT peers. VLT LAG ID mismatch The VLT port channel is brought down.
trunk mode to be a member of non-VLT PVLANs if the VLTi is configured on both the peers. MAC address synchronization is performed for VLT PVLANs across peers in a VLT domain. Keep the following points in mind when you configure VLT nodes in a PVLAN:
• Configure the VLTi link to be in trunk mode. Do not configure the VLTi link to be in access or promiscuous mode.
• You can configure a VLT LAG or port channel to be in trunk, access, or promiscuous port modes when you include the VLT LAG in a PVLAN.
the PVLAN mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur. Whenever a change occurs in the VLAN mode of one of the peers, this modification is synchronized with the other peers.
ARP requests received on ICLs are not proxied, even if they are received with a secondary VLAN tag. This behavior change occurs because the node from which the ARP request was forwarded would have replied with its MAC address, and the current node discards the ARP request.
VLT LAG Mode PVLAN Mode of VLT VLAN Peer1 Peer2 Peer1 Peer2 Promiscuo us Trunk Primary Access Access Access Access Access Access Access Access ICL VLAN Membership Mac Synchronization Primary Yes No Secondary (Community) Secondary (Community) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) Yes Yes - Primary VLAN X - Primary VLAN X Yes Yes Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No
NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
2. Remove an IP address from the interface.
INTERFACE PORT-CHANNEL mode
no ip address
3. Add one or more port interfaces to the port channel.
INTERFACE PORT-CHANNEL mode
channel-member interface
interface: specify one of the following interface types:
• 1-Gigabit Ethernet: Enter gigabitethernet slot/port.
• 10-Gigabit Ethernet: Enter tengigabitethernet slot/port.
4.
3. Set the port in Layer 2 mode.
INTERFACE mode
switchport
4. Select the PVLAN mode.
INTERFACE mode
switchport mode private-vlan {host | promiscuous | trunk}
• host (isolated or community VLAN port)
• promiscuous (intra-VLAN communication port)
• trunk (inter-switch PVLAN hub port)
5. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
CONFIGURATION mode
interface vlan vlan-id
6. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
7.
Layer 3 VLT provides higher resiliency at the Layer 3 forwarding level. VLT peer routing enables you to replace VRRP with routed VLT to route the traffic from Layer 2 access nodes. With proxy ARP, hosts can resolve the MAC address of the VLT node even when the VLT node is down.
disable the proxy ARP. If peer routing is disabled when the ICL link is down, a notification is not sent to the VLT peer and, in such a case, the VLT peer does not disable the proxy ARP operation. When the VLT domain is removed on one of the VLT nodes, the peer is notified of the peer routing configuration removal. In this case, the VLT peer node disables the proxy ARP.
58 Virtual Router Redundancy Protocol (VRRP)
Virtual router redundancy protocol (VRRP) is supported on the MXL switch platform.

VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 137. Basic VRRP Configuration

VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables.
CAUTION: Increasing the advertisement interval increases the VRRP Master dead interval, resulting in an increased failover time for Master/Backup election. Take caution when increasing the advertisement interval, as the increased dead interval may cause packets to be dropped during that switch-over time.
NOTE: The interface must already have a primary IP address defined and be enabled, as shown in the second example.
• Delete a VRRP group.
INTERFACE mode
no vrrp-group vrid

Example of Configuring VRRP
Example of Verifying the VRRP Configuration
Dell(conf)#int tengig 1/1
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#
Dell(conf-if-te-1/1)#show conf
!
interface Tengigabitethernet 1/1
 ip address 10.10.10.
3. Set all the switches from both to version 3.
NOTE: Do not run VRRP version 2 and version 3 in the same group for an extended period of time.

Example: Migrating an IPv4 VRRP Group from VRRPv2 to VRRPv3
NOTE: Follow this procedure carefully; otherwise, you might introduce dual master switch issues.
To migrate an IPv4 VRRP Group from VRRPv2 to VRRPv3:
1. Set the backup switches to VRRP version both.
The VRID range is from 1 to 255.
2. Configure virtual IP addresses for this VRID.
INTERFACE -VRID mode
virtual-address ip-address1 [...ip-address12]
The range is up to 12 addresses.

Example of the virtual-address Command
Example of Verifying the Virtual IP Address Configuration
Example of Verifying the VRRP Group Priority
Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.1
Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.2
Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.
Authentication: (none)
Dell#
When the VRRP process completes its initialization, the State field contains either Master or Backup.

Setting VRRP Group (Virtual Router) Priority
Setting a virtual router priority to 255 ensures that router is the “owner” virtual router for the VRRP group. VRRP elects the MASTER router by choosing the router with the highest priority. The default priority for a virtual router is 100. The higher the number, the higher the priority.
Configuring VRRP Authentication
Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, the Dell Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.
NOTE: You must configure all virtual routers in the VRRP group the same: you must enable authentication with the same password or authentication is disabled.
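The receiver-side check described above, as an added Python example that is not from the Dell guide. It assumes the RFC 2338 VRRPv2 advertisement layout (authentication type 1 with an 8-byte authentication data field); the packets and the password lab-pw are constructed, and the parsed output shows that the password travels as plain bytes in the advertisement.

```python
import hmac
import ipaddress
import struct

AUTH_NONE, AUTH_SIMPLE = 0, 1  # RFC 2338 authentication types (assumed layout)
AUTH_LEN = 8                   # fixed-size authentication data field


def inet_checksum(data):
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addrs, password=None, adv_int=1):
    """Build a constructed VRRPv2 advertisement used as sample input."""
    auth_type = AUTH_SIMPLE if password else AUTH_NONE
    auth = (password or b"").ljust(AUTH_LEN, b"\x00")[:AUTH_LEN]
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + auth
    head = struct.pack("!BBBBBBH", 0x21, vrid, priority, len(addrs),
                       auth_type, adv_int, 0)
    return head[:6] + struct.pack("!H", inet_checksum(head + body)) + body


def parse_advert(pkt):
    """Decode the fields a receiving router inspects."""
    if len(pkt) < 8:
        raise ValueError("truncated header")
    vt, vrid, prio, count, auth_type, adv_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt != 0x21:  # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + AUTH_LEN
    if len(pkt) < end:
        raise ValueError("truncated body")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i]))
             for i in range(count)]
    return {
        "vrid": vrid,
        "priority": prio,
        "adv_int": adv_int,
        "addresses": addrs,
        "auth_type": auth_type,
        "auth_data": pkt[end - AUTH_LEN:end],  # simple password, not encrypted
        "virtual_mac": "00:00:5e:00:01:%02x" % vrid,
        # A message summed together with its own checksum must yield zero.
        "checksum_ok": inet_checksum(pkt[:end]) == 0,
    }


def check_advert(pkt, expected_vrid, expected_password=None):
    """Return (accepted, reason) for an advertisement against local settings."""
    try:
        adv = parse_advert(pkt)
    except ValueError as exc:
        return False, str(exc)
    if not adv["checksum_ok"]:  # detects corruption only, not forgery
        return False, "bad checksum"
    if adv["vrid"] != expected_vrid:
        return False, "VRID mismatch"
    wanted = AUTH_SIMPLE if expected_password else AUTH_NONE
    if adv["auth_type"] != wanted:
        return False, "authentication type mismatch"
    if expected_password and not hmac.compare_digest(
            adv["auth_data"].rstrip(b"\x00"), expected_password):
        return False, "password mismatch"
    return True, "ok"


if __name__ == "__main__":
    sample = build_advert(111, 255, ["10.10.10.1", "10.10.10.2"], b"lab-pw")
    print(parse_advert(sample))
    print(check_advert(sample, 111, b"lab-pw"))
```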
Example of Disabling Preempt
Example of Verifying Preempt is Disabled
Re-enable preempt by entering the preempt command. When you enable preempt, it does not display in the show commands, because it is a default setting.
Dell(conf-if-te-1/1)#vrrp-group 111
Dell(conf-if-te-1/1-vrid-111)#no preempt
Dell(conf-if-te-1/1-vrid-111)#show conf
Dell(conf-if-te-1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.
Example of the advertise-interval Command Example of Verifying the Configured Advertisement Interval The following example shows how to change the advertise interval using the advertise-interval command.
NOTE: You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACE-VRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode). However, no changes in the VRRP group’s priority occur until the tracked object is defined and determined to be down.

Tracking an Interface
To track an interface, use the following commands.
virtual-address 10.10.10.3 virtual-address 10.10.10.
INTERFACE mode
vrrp delay minimum seconds
This time is the gap between an interface coming up and being operational, and VRRP enabling.
The seconds range is from 0 to 900.
The default is 0.
• Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
INTERFACE mode
vrrp delay reload seconds
This time is the gap between system boot up completion and VRRP enabling.
The seconds range is from 0 to 900.
The default is 0.
Figure 138. VRRP for IPv4 Topology

Example of Configuring VRRP for IPv4
R2(conf)#int tengig 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface Tengigabitethernet 2/31
 ip address 10.1.1.1/24
!
 vrrp-group 99
  priority 200
  virtual-address 10.1.1.
no shutdown
R2(conf-if-te-2/31)#end
R2#show vrrp
------------------
Tengigabitethernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#

Router 3
R3(conf)#int tengig 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.
59 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
The Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard.

General Internet Protocols
The following table lists the Dell Networking OS support per platform for general internet protocols.
Table 69.
RFC#  Full Name
1027  Using ARP to Implement Transparent Subnet Gateways
1035  DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client)
1042  A Standard for the Transmission of IP Datagrams over IEEE 802 Networks
1191  Path MTU Discovery
1305  Network Time Protocol (Version 3) Specification, Implementation and Analysis
1519  Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy
1542  Clarifications and Extensions for the Bootstrap Protocol
1812  Requirements for IP Ve
RFC#  Full Name
4893  BGP Support for Four-octet AS Number Space
5396  Textual Representation of Autonomous System (AS) Numbers
draft-ietf-idr-bgp4-20  A Border Gateway Protocol 4 (BGP-4)
draft-ietf-idr-restart-06  Graceful Restart Mechanism for BGP

Open Shortest Path First (OSPF)
The following table lists the Dell Networking OS support per platform for OSPF protocol.
Table 72.
RFC#  Full Name
1212  Concise MIB Definitions
1215  A Convention for Defining Traps for use with the SNMP
1493  Definitions of Managed Objects for Bridges [except for the dot1dTpLearnedEntryDiscards object]
1724  RIP Version 2 MIB Extension
1850  OSPF Version 2 Management Information Base
1901  Introduction to Community-based SNMPv2
2011  SNMPv2 Management Information Base for the Internet Protocol using SMIv2
2012  SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
RFC#  Full Name
      radiusAuthClientUnknownTypes
      radiusAuthClientPacketsDropped
2698  A Two Rate Three Color Marker
3635  Definitions of Managed Objects for the Ethernet-like Interface Types
2674  Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions
2787  Definitions of Managed Objects for the Virtual Router Redundancy Protocol
2819  Remote Network Monitoring Management Information Base: Ethernet Statistics Table, Ethernet History Control Table, Et
RFC#  Full Name
draft-grant-tacacs-02  The TACACS+ Protocol
draft-ietf-idr-bgp4-mib-06  Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) using SMIv2
IEEE 802.1AB  Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components.
IEEE 802.1AB  The LLDP Management Information Base extension module for IEEE 802.1 organizationally defined discovery information.
RFC#  Full Name
IEEE 802.1Qbb  Priority-based Flow Control module for managing IEEE 802.1Qbb

MIB Location
You can find Force10 MIBs under the Force10 MIBs subhead on the Documentation page of iSupport:
https://www.force10networks.com/csportal20/KnowledgeBase/Documentation.aspx
You also can obtain a list of selected MIBs and their OIDs at the following URL:
https://www.force10networks.com/csportal20/MIBs/MIB_OIDs.aspx
Some pages of iSupport require a login.
60 FC Flex IO Modules
This part provides a generic, broad-level description of the operations, capabilities, and configuration commands of the Fibre Channel (FC) Flex IO module.
slots of the MXL 10/40GbE Switch and it provides four FC ports per module. If you insert only one FC Flex IO module, four ports are supported; if you insert two FC Flex IO modules, eight ports are supported. By installing an FC Flex IO module, you can enable the MXL 10/40GbE Switch and I/O Aggregator to directly connect to an existing FC SAN network.
FC Flex IO Module Capabilities and Operations
The FC Flex IO module has the following characteristics:
• You can install one or two FC Flex IO modules on the MXL 10/40GbE Switch or I/O Aggregator. Each module supports four FC ports.
• Each port can operate in 2Gbps, 4Gbps, or 8Gbps of Fibre Channel speed.
• All ports on an FC Flex IO module can function in the NPIV mode that enables connectivity to FC switches or directors, and also to multiple SAN topologies.
• With both FC Flex IO modules present in the MXL or I/O Aggregator switches, the power supply requirement and maximum thermal output are the same as these parameters needed for the M1000 chassis.
• Each port on the FC Flex IO module contains status indicators to denote the link status and transmission activity. For traffic that is being transmitted, the port LED shows a blinking green light. The Link LED displays solid green when a proper link with the peer is established.
• On I/O Aggregators, uplink failure detection (UFD) is disabled if FC Flex IO module is present to allow server ports to communicate with the FC fabric even when the Ethernet upstream ports are not operationally up.
• Ensure that the NPIV functionality is enabled on the upstream switches that operate as FC switches or FCoE forwarders (FCF) before you connect the FC port of the MXL or I/O Aggregator to these upstream switches.
the FCoE frames. The module directly switches any non-FCoE or non-FIP traffic, and only FCoE frames are processed and transmitted out of the Ethernet network. When the external device sends FCoE data frames to the switch that contains the FC Flex IO module, the destination MAC address represents one of the Ethernet MAC addresses assigned to FC ports. Based on the destination address, the FCoE header is removed from the incoming packet and the FC frame is transmitted out of the FC port.
Installing and Configuring Flowchart for FC Flex IO Modules
To see if a switch is running the latest Dell Networking OS version, use the show version command. To download a Dell Networking OS version, go to http://support.dell.com.

Installation Site Preparation
Before installing the switch or switches, make sure that the chosen installation location meets the following site requirements:
• Clearance — There is adequate front and rear clearance for operator access. Allow clearance for cabling, power connections, and ventilation.
Interconnectivity of FC Flex IO Modules with Cisco MDS Switches In a network topology that contains Cisco MDS switches, FC Flex IO modules that are plugged into the MXL and I/O Aggregator switches enable interoperation for a robust, effective deployment of the NPIV proxy gateway and FCoE-FC bridging behavior.
Figure 139. Case 1: Deployment Scenario of Configuring FC Flex IO Modules
Figure 140. Case 2: Deployment Scenario of Configuring FC Flex IO Modules

Data Center Bridging (DCB)
Data center bridging (DCB) is supported on the FC Flex IO module installed in the MXL 10/40GbE Switch.

Ethernet Enhancements in Data Center Bridging
The following section describes DCB.
DCB refers to a set of IEEE Ethernet enhancements that provide data centers with a single, robust, converged network to support multiple traffic types, including local area network (LAN), server, and storage traffic. Through network consolidation, DCB results in reduced operational cost, simplified management, and easy scalability by avoiding the need to deploy separate application-specific networks.
PFC enhances the existing 802.3x pause and 802.1p priority capabilities to enable flow control based on 802.1p priorities (classes of service). Instead of stopping all traffic on a link (as performed by the traditional Ethernet pause mechanism), PFC pauses traffic on a link according to the 802.1p priority set on a traffic type. You can create lossless flows for storage and server traffic while allowing for loss in case of LAN traffic congestion on the same physical interface.
low-latency storage or server cluster traffic in a traffic class to receive more bandwidth and restrict best-effort LAN traffic assigned to a different traffic class. Although you can configure strict-priority queue scheduling for a priority group, ETS introduces flexibility that allows the bandwidth allocated to each priority group to be dynamically managed according to the amount of LAN, storage, and server traffic in a flow. Unused bandwidth is dynamically allocated to prioritized priority groups.
• Bandwidth allocated by the ETS algorithm is made available after strict-priority groups are serviced. If a priority group does not use its allocated bandwidth, the unused bandwidth is made available to other priority groups.
• For ETS traffic selection, an algorithm is applied to priority groups using:
  – Strict priority shaping
  – ETS shaping
• ETS uses the DCB MIB IEEE 802.1azd2.5.
Step Task Command Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
Configuring PFC without a DCB Map
In a network topology that uses the default ETS bandwidth allocation (assigns equal bandwidth to each priority), you can also enable PFC for specific dot1p-priorities on individual interfaces without using a DCB map. This type of DCB configuration is useful on interfaces that require PFC for lossless traffic, but do not transmit converged Ethernet traffic.
Step | Task | Command | Command Mode
1 | Enter interface configuration mode on an Ethernet port.
Step | Task | Command | Command Mode
fortygigabitEthernet slot/port}
2 | Open a DCB map and enter DCB map configuration mode. | dcb-map name | INTERFACE
3 | Disable PFC. | no pfc mode on | DCB MAP
4 | Return to interface configuration mode. | exit | DCB MAP
5 | Apply the DCB map, created to disable the PFC operation, on the interface | dcb-map {name | default} | INTERFACE
6 | Configure the port queues that still function as no-drop queues for lossless traffic.
Data Center Bridging in a Traffic Flow
The following figure shows how DCB handles a traffic flow on an interface.
Figure 143. DCB PFC and ETS Traffic Handling

Enabling Data Center Bridging
Data center bridging is enabled by default on an MXL 10/40GbE Switch to support converged enhanced Ethernet (CEE) in a data center network.
no dcb enable
2. Re-enable DCB.
CONFIGURATION mode
dcb enable

NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. After you disable DCB, if link-level flow control is not automatically enabled on an interface, to enable flow control, manually shut down the interface (the shutdown command) and re-enable it (the no shutdown command).
dot1p Value in the Incoming Frame | Egress Queue Assignment
6 | 3
7 | 3

NOTE: If you reconfigure the global dot1p-queue mapping, an automatic re-election of the DCBX configuration source port is performed (refer to Configuration Source Election).

Configure Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic. Different traffic types have different service needs. Using ETS, you can create groups within an 802.
* Group strict priority: Use this to increase its bandwidth usage to the bandwidth total of the priority group and allow a single priority flow in a priority group. A single flow in a group can use all the bandwidth allocated to the group. * Link strict priority: Use this to increase to the maximum link bandwidth and allow a flow in any priority group. CIN supports only the dot1p priority-queue assignment in a priority group.
interface type slot/port
7. Apply the QoS output policy with the bandwidth percentage for specified priority queues to an egress interface.
INTERFACE mode
service-policy output output-policy-name

Configure a DCBx Operation
DCB devices use data center bridging exchange protocol (DCBx) to exchange configuration information with directly connected peers using the link layer discovery protocol (LLDP).
A port that receives an internally propagated configuration overwrites its local configuration with the new parameter values. When an auto-upstream port (besides the configuration source) receives and overwrites its configuration with internally propagated information, one of the following actions is taken: • If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
On a DCBX port that is the configuration source, all PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled. Manual The port is configured to operate only with administrator-configured settings and does not auto-configure with DCB settings received from a DCBx peer or from an internally propagated configuration from the configuration source.
Configuration Source Election
When an auto-upstream or auto-downstream port receives a DCB configuration from a peer, the port first checks to see if there is an active configuration source on the switch.
• If a configuration source already exists, the received peer configuration is checked against the local port configuration. If the received configuration is compatible, the DCBx marks the port as DCBx-enabled.
• The switch reboots.
• The link is reset (goes down and up).
• User-configured CLI commands require the version negotiation to restart.
• The peer times out.
• Multiple peers are detected on the link.
If you configure a DCBx port to operate with a specific version (the DCBx version {cee | cin | ieee-v2.5} command in Configuring DCBx), DCBx operations are performed according to the configured version, including fast and slow transmit timers and message formats.
Figure 144. DCBx Sample Topology

DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.

Configuring DCBx
To configure DCBx, follow these steps. For DCBx, to advertise DCBx TLVs to peers, enable LLDP. For more information, refer to Link Layer Discovery Protocol (LLDP). Configure DCBx operation at the interface level on a switch or globally on the switch. To configure an MXL switch for DCBx operation in a data center network, you must:
1. Configure ToR- and FCF-facing interfaces as auto-upstream ports.
2. Configure server-facing interfaces as auto-downstream ports.
3.
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables the advertisement of ETS Configuration TLVs.
• ets-reco: enables the advertisement of ETS Recommend TLVs.
• pfc: enables the advertisement of PFC TLVs.
The default is that all PFC and ETS TLVs are advertised.
NOTE: You can configure the transmission of more than one TLV type at a time; for example, advertise DCBx-tlv ets-conf ets-reco.
• cee: configures a port to use CEE (Intel 1.01).
• cin: configures a port to use Cisco-Intel-Nuova (DCBx 1.0).
• ieee-v2.5: configures a port to use IEEE 802.1Qaz (Draft 2.5).
The default is Auto.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4. Configure the PFC and ETS TLVs that advertise on unconfigured interfaces with a manual port-role.
The priority-bitmap range is from 1 to FF. The default is 0x10.

DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
Verifying the DCB Configuration
To display DCB configurations, use the following show commands.
Table 76. Displaying DCB Configurations
Command | Output
show dot1p-queue mapping | Displays the current 802.1p priority-queue mapping.
show dcb [stack-unit unit-number] | Displays the data center bridging status, number of PFC-enabled ports, and number of PFC-enabled queues. On the master switch in a stack, you can specify a stack-unit number. The range is from 0 to 5.
Example of the show dot1p-queue mapping Command Example of the show dcb Command Example of the show qos dcb-input Command Example of the show qos dcb-output Command Example of the show qos priority-groups Command Example of the show interfaces pfc summary Command Example of the show interface pfc statistics Command Example of the show interface ets summary Command Example of the show interface ets detail Command Example of the show stack-unit all stack-ports all pfc details Command Example of the show stack
Oper status is Recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quantams
Application Priority TLV Parameters :
--------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
Dell# show interfaces tengigabitethernet 0/49 pfc detail
Interface TenGigabitEthernet 0/49
Admin mode is
Fields Description Local is enabled DCBx operational status (enabled or disabled) with a list of the configured PFC priorities Operational status (local port) DCBx operational status (enabled or disabled) with a list of the configured PFC priorities. Port state for current operational PFC configuration: • Init: Local PFC configuration parameters were exchanged with peer. • Recommend: Remote PFC configuration parameters were received from peer.
Fields Description PFC TLV Statistics: Output TLV pkts Number of PFC TLVs transmitted. PFC TLV Statistics: Error pkts Number of PFC error packets received. PFC TLV Statistics: Pause Tx pkts Number of PFC pause frames transmitted.
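The Application Priority section of the show interfaces pfc detail output reports local and remote FCOE and ISCSI PriorityMap values as hexadecimal bitmaps. The following added example (not part of the Dell guide) decodes those bitmaps and flags protocols on which the local port and its DCBx peer advertise different priorities. It assumes that bit n of a bitmap stands for dot1p priority n, and the sample text is a constructed, one-field-per-line copy of the values shown in that output.

```python
import re

# Constructed sample: the Application Priority lines from the
# 'show interfaces ... pfc detail' output in this chapter, one field per line.
SAMPLE = """\
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
"""

MAP_LINE = re.compile(
    r"^\s*(Local|Remote)\s+(\w+)\s+PriorityMap is (0x[0-9a-fA-F]+)\s*$", re.M
)


def decode_bitmap(value):
    """Return the dot1p priorities (0-7) whose bits are set in a priority bitmap.

    Assumption: bit n of the bitmap represents dot1p priority n.
    Accepts '0x10' as printed by the switch or a bare hex string such as 'FF'.
    """
    bitmap = int(value, 16)
    if not 0 <= bitmap <= 0xFF:
        raise ValueError(f"priority bitmap out of range: {value!r}")
    return [prio for prio in range(8) if bitmap & (1 << prio)]


def priority_maps(text):
    """Return {protocol: {'Local': [...], 'Remote': [...]}} from show output."""
    maps = {}
    for side, proto, value in MAP_LINE.findall(text):
        maps.setdefault(proto, {})[side] = decode_bitmap(value)
    return maps


def mismatches(text):
    """Return {protocol: (local, remote)} where the two sides disagree.

    A side that is missing from the output is reported as None.
    """
    result = {}
    for proto, sides in priority_maps(text).items():
        local, remote = sides.get("Local"), sides.get("Remote")
        if local != remote:
            result[proto] = (local, remote)
    return result


if __name__ == "__main__":
    for proto, (local, remote) in mismatches(SAMPLE).items():
        print(f"{proto}: local priorities {local}, peer priorities {remote}")
```

On the sample, FCoE agrees on both sides while the iSCSI maps differ, which is worth confirming before relying on lossless treatment for that traffic.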
2  0%  ETS
3  0%  ETS
4  0%  ETS
5  0%  ETS
6  0%  ETS
7  0%  ETS
Priority#  Bandwidth  TSA
0  13%  ETS
1  13%  ETS
2  13%  ETS
3  13%  ETS
4  12%  ETS
5  12%  ETS
6  12%  ETS
7  12%  ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

The following table describes the show interface ets detail command fields.
1  0%  ETS
2  0%  ETS
3  0%  ETS
4  0%  ETS
5  0%  ETS
6  0%  ETS
7  0%  ETS
Priority#  Bandwidth  TSA
0  13%  ETS
1  13%  ETS
2  13%  ETS
3  13%  ETS
4  12%  ETS
5  12%  ETS
6  12%  ETS
7  12%  ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

Table 78.
Field | Description
• Init: Local ETS configuration parameters were exchanged with peer.
• Recommend: Remote ETS configuration parameters were received from peer.
• Internally propagated: ETS configuration parameters were received from configuration source.
ETS DCBx Oper status | Operational status of ETS configuration on local port: match or mismatch.
6 7 8 - -
Stack unit 1 stack port all
Max Supported TC Groups is 4
Number of Traffic Classes is 1
Admin mode is on
Admin Parameters:
--------------------
Admin is enabled
TC-grp Priority# Bandwidth TSA
------------------------------------------------
0 0,1,2,3,4,5,6,7 100% ETS
1 2 3 4 5 6 7 8
Dell(conf)# show interface tengigabitethernet 0/49 dcbx detail
Dell#show interface te 0/49 dcbx detail
E-ETS Configuration TLV enabled e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled r-ETS Recommendati
Total DCBX Frame errors 0
Total DCBX Frames unrecognized 0

The following table describes the show interface DCBx detail command fields.
Table 79. show interface DCBx detail Command Description
Field | Description
Interface | Interface type with chassis slot and port number.
Port-Role | Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
Field Description Peer DCBx Status: Sequence Number Sequence number transmitted in Control TLVs received from peer device. Peer DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs received from peer device. Total DCBx Frames transmitted Number of DCBx frames sent from local port. Total DCBx Frames received Number of DCBx frames received from remote peer port. Total DCBx Frame errors Number of DCBx frames with errors received.
Figure 145. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic

QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
dot1p Value in Incoming Frame | Queue Assignment
3 | 1
4 | 2
5 | 3
6 | 3
7 | 3

The following describes the dot1p-priority class group assignment
dot1p Value in the Incoming Frame | Priority Group Assignment
0 | LAN
1 | LAN
2 | LAN
3 | SAN
4 | IPC
5 | LAN
6 | LAN
7 | LAN

The following describes the priority group-bandwidth assignment.
Example of Configuring QoS Priority-Queue Assignment to Honor Dot1p Priorities Example of Configuring a DCB Input Policy to Apply PFC to Lossless SAN Priority Traffic Example of Configuring an ETS Priority Group Example of Configuring an ETS Output Policy for Egress Traffic Example of Configuring a DCB Output Policy to Apply ETS (Bandwidth Allocation and Scheduling) to IPC, SAN, and LAN Priority Traffic Example of Applying DCB Input and Output Policies to an Interface Example of Configuring a QoS Output Pol
Dell(conf)# qos-policy-output lan-q0
Dell(conf-qos-policy-out)# bandwidth-percentage 20
Dell(conf-qos-policy-out)# exit
Dell(conf)# qos-policy-output lan-q3
Dell(conf-qos-policy-out)# bandwidth-percentage 70
Dell(conf-qos-policy-out)# exit
Dell(conf)# policy-map-output ets-queues
Dell(conf-policy-map-out)# service-queue 0 qos-policy lan-q0
Dell(conf-policy-map-out)# service-queue 3 qos-policy lan-q3
Dell(conf-if-te-0/1)# service-policy output ets-queues

Using PFC and
The show dcb command has been enhanced to display the following additional buffer-related information:
Dell(conf)#do show dcb
dcb Status : Enabled
PFC Queue Count : 2 --Indicate the PFC queue configured.

The N-port identifier virtualization (NPIV) proxy gateway (NPG) provides FCoE-FC bridging capability on the MXL 10/40GbE Switch and M I/O Aggregator with the FC Flex IO module. This chapter describes how to configure and use an NPIV proxy gateway on an MXL 10/40GbE Switch and M I/O Aggregator with the FC Flex IO module in a storage area network (SAN).
Using an FCoE map applied to downstream (server-facing) Ethernet ports and upstream (fabric-facing) FC ports, you can configure the association between a SAN fabric and the FCoE VLAN that connects servers over the NPIV proxy gateway to FC switches in the fabric.
Term Description or 8-Gigabit mode. On an NPIV proxy gateway, an FC port can be used as a downlink for a server connection and an uplink for a fabric connection. F port Port mode of an FC port connected to an end node (N) port on an MXL 10/40GbE Switch and M I/O Aggregator with the FC Flex IO module NPIV proxy gateway. N port Port mode of an MXL 10/40GbE Switch and M I/O Aggregator with the FC Flex IO module FC port that connects to an F port on an FC switch in a SAN fabric.
Term | Description
principal switch | The switch in a fabric with the lowest domain number. The principal switch accesses the master name database and the zone/zone set database.

DCB Maps
A Data Center Bridging (DCB) map is used to configure DCB functionality, such as PFC and ETS, on MXL 10/40GbE Switch and M I/O Aggregator with the FC Flex IO module Ethernet ports that support CEE traffic and are DCBx-enabled, by default. For more information on PFC and ETS, see Data Center Bridging (DCB).

Configuring an NPIV Proxy Gateway
Prerequisite: Before you configure an NPIV proxy gateway (NPG) with the FC Flex IO module on an MXL 10/40GbE Switch or an M I/O Aggregator, ensure that the following features are enabled.
• DCB is enabled by default with the FC Flex IO module on the MXL 10/40GbE Switch or M I/O Aggregator.
• Autonegotiated DCBx is enabled for converged traffic by default with the FC Flex IO module Ethernet ports on all MXL 10/40GbE Switches or M I/O Aggregators.
Step Task Command Command Mode priority-pgid dot1p0_group_num dot1p1_group_num dot1p2_group_num dot1p3_group_num dot1p4_group_num dot1p5_group_num dot1p6_group_num dot1p7_group_num DCB MAP strict-priority scheduling. The sum of all allocated bandwidth percentages must be 100 percent. Strict-priority traffic is serviced first. Afterward, bandwidth allocated to other priority groups is made available and allocated according to the specified percentages.
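The priority-pgid syntax above takes one priority-group number per dot1p value, and the guide's earlier example (priority-pgid 0 0 0 1 2 4 4 4) shows how the positions map to groups. The following added example (not from the Dell guide) parses such a line and applies the 100 percent rule stated above to a planned map. The 0-7 group range and the dictionary of planned allocations are assumptions of this sketch.

```python
MAX_GROUP = 7  # assumption: priority-group numbers run 0-7


def parse_priority_pgid(line):
    """Map each priority group to the dot1p priorities assigned to it."""
    tokens = line.split()
    if not tokens or tokens[0] != "priority-pgid":
        raise ValueError("not a priority-pgid line")
    if len(tokens) != 9:
        raise ValueError(
            f"need 8 group numbers (dot1p 0-7), got {len(tokens) - 1}"
        )
    groups = {}
    for dot1p, raw in enumerate(tokens[1:]):
        try:
            group = int(raw)
        except ValueError:
            group = -1
        if not 0 <= group <= MAX_GROUP:
            raise ValueError(f"dot1p {dot1p}: bad priority group {raw!r}")
        groups.setdefault(group, []).append(dot1p)
    return groups


def audit_dcb_map(pgid_line, allocations):
    """Return a list of findings; an empty list means the plan is consistent.

    allocations maps a priority group to its bandwidth percentage (int) or
    to the string "strict" for strict-priority scheduling.
    """
    try:
        groups = parse_priority_pgid(pgid_line)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    for g in sorted(set(groups) - set(allocations)):
        findings.append(
            f"group {g} carries dot1p {groups[g]} but has no scheduling entry"
        )
    for g in sorted(set(allocations) - set(groups)):
        findings.append(
            f"group {g} has a scheduling entry but no dot1p priority maps to it"
        )
    # Strict-priority groups are serviced first and take no percentage.
    percents = [v for v in allocations.values() if v != "strict"]
    total = sum(percents)
    if percents and total != 100:
        findings.append(f"bandwidth percentages sum to {total}, not 100")
    return findings


if __name__ == "__main__":
    # priority-pgid line from the guide; the bandwidth split is constructed.
    line = "priority-pgid 0 0 0 1 2 4 4 4"
    print(parse_priority_pgid(line))
    print(audit_dcb_map(line, {0: 30, 1: 40, 2: 20, 4: "strict"}))
```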
Applying a DCB Map on Server-facing Ethernet Ports
You can apply a DCB map only on a physical Ethernet interface and can apply only one DCB map per interface.
Step | Task | Command | Command Mode
1 | Enter CONFIGURATION mode on a server-facing port or port channel to apply a DCB map. | interface {tengigabitEthernet slot/port | fortygigabitEthernet slot/port} | CONFIGURATION
dcb-map name | INTERFACE
You cannot apply a DCB map on a port channel.
• The FC-MAP value, used to generate the fabric-provided MAC address (FPMA). The FPMA is used by servers to transmit FCoE traffic to the fabric. You can associate an FC-MAP with only one FCoE VLAN and conversely, associate an FCoE VLAN with only one FC-MAP.
• FCF priority, the priority used by a server CNA to select an upstream FCoE forwarder (FCF)
• FIP keepalive (FKA) advertisement timeout
The values for the FCoE VLAN, fabric ID and FC-MAP must be unique.
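The uniqueness rules above and the role of the FC-MAP in forming the FPMA can be checked mechanically. The following added example (not from the Dell guide) reports FCoE VLAN, fabric ID or FC-MAP values reused across FCoE maps, and flags logged-in ENodes whose FCoE MAC is not the FPMA expected for their fabric. It relies on the FC-BB-5 definition of an FPMA as the 24-bit FC-MAP followed by the 24-bit FC-ID; the dictionary layout, SAN_FABRIC_B and both sessions are constructed for illustration.

```python
def _hex24(value):
    """Normalise a 24-bit value such as '0efc00' or '01:02:01' to 6 hex digits."""
    digits = str(value).replace(":", "").lower()
    if len(digits) != 6 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 24-bit hex value: {value!r}")
    return digits


def fpma(fc_map, fc_id):
    """Fabric-provided MAC: FC-MAP in the upper 24 bits, FC-ID in the lower 24."""
    digits = _hex24(fc_map) + _hex24(fc_id)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def duplicate_values(fcoe_maps):
    """Return (field, value, first_map, second_map) for every reused value."""
    findings = []
    for field in ("vlan", "fabric_id", "fc_map"):
        seen = {}
        for name in sorted(fcoe_maps):
            value = str(fcoe_maps[name][field]).lower()
            if value in seen:
                findings.append((field, value, seen[value], name))
            else:
                seen[value] = name
    return findings


def unexpected_macs(fcoe_maps, sessions):
    """Return (enode, seen_mac, expected_mac) for sessions that do not match."""
    bad = []
    for s in sessions:
        expected = fpma(fcoe_maps[s["fabric_map"]]["fc_map"], s["fc_id"])
        if s["fcoe_mac"].lower() != expected:
            bad.append((s["enode"], s["fcoe_mac"], expected))
    return bad


# SAN_FABRIC_A uses the fabric-id, VLAN and fc-map from the guide's example;
# SAN_FABRIC_B and both sessions are constructed for this illustration.
FCOE_MAPS = {
    "SAN_FABRIC_A": {"vlan": 1002, "fabric_id": 1002, "fc_map": "0efc00"},
    "SAN_FABRIC_B": {"vlan": 1003, "fabric_id": 1003, "fc_map": "0EFC00"},
}
SESSIONS = [
    {"enode": "Te 0/12", "fabric_map": "SAN_FABRIC_A",
     "fc_id": "01:02:01", "fcoe_mac": "0e:fc:00:01:02:01"},
    {"enode": "Te 0/13", "fabric_map": "SAN_FABRIC_A",
     "fc_id": "01:02:02", "fcoe_mac": "0e:fc:00:01:02:09"},
]

if __name__ == "__main__":
    print(duplicate_values(FCOE_MAPS))
    print(unexpected_macs(FCOE_MAPS, SESSIONS))
```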
Applying an FCoE Map on Server-facing Ethernet Ports
You can apply multiple FCoE maps on an Ethernet port or port channel. When you apply an FCoE map on a server-facing port or port channel:
• The port is configured to operate in hybrid mode (accept both tagged and untagged VLAN frames).
• The associated FCoE VLAN is enabled on the port or port channel.
When you enable a server-facing Ethernet port, the servers respond to the FIP advertisements by performing FLOGIs on upstream virtualized FCF ports.
Step | Task | Command | Command Mode
1 | Configure a fabric-facing FC port. | interface fibrechannel slot/port | CONFIGURATION
2 | Apply the FCoE and FC fabric configurations in an FCoE map to the port. Repeat this step to apply an FCoE map to more than one FC port, for example: | fabric map-name | INTERFACE FIBRE_CHANNEL
Dell# interface fi 0/0
Dell(config-if-fc-0/0)# fabric SAN_FABRIC_A
Enable the port for FC transmission.
Dell(config-fcoe-name)# fabric-id 1002 vlan 1002
Dell(config-fcoe-name)# description "SAN_FABRIC_A"
Dell(config-fcoe-name)# fc-map 0efc00
Dell(config-fcoe-name)# keepalive
Dell(config-fcoe-name)# fcf-priority 128
Dell(config-fcoe-name)# fka-adv-period 8
5. Enable an upstream FC port:
Dell(config)# interface fibrechannel 0/0
Dell(config-if-fc-0)# no shutdown
6.
Command Description show fc switch Displays the FC mode of operation and worldwide node (WWN) name of an MXL 10/40GbE Switch or M I/O Aggregator with the FC Flex IO module.
Duplex Data transmission mode: Full (allows communication in both directions at the same time), Half (allows communication in both directions but not at the same time), Auto (auto-negotiated transmission). VLAN VLAN IDs of the VLANs in which the port is a member.
correctly configured) or Incomplete (either the FC-MAP value, fabric ID, or VLAN ID are not correctly configured). Oper-State Operational status of the link to the fabric: up (link is up and transmitting FC traffic), down (link is down and not transmitting FC traffic), link-wait (link is up and waiting for FLOGI to complete on peer FC port), or removed (port has been shut down).
-----------------------
Te 0/12  20:01:00:10:18:f1:94:20  1003  Fc 0/5  fid_1003  FLOGI  LOGGED_IN
Te 0/13  10:00:00:00:c9:d9:9c:cb  1003  Fc 0/0  fid_1003  FDISC  LOGGED_IN

Table 85. show npiv devices brief Field Descriptions
Field | Description
Total NPIV Devices | Number of downstream ENodes connected to a fabric over the MXL 10/40GbE Switch or M I/O Aggregator with the FC Flex IO module, NPG.
FCoE Vlan : 1003
Fabric Map : fid_1003
ENode WWPN : 10:00:00:00:c9:d9:9c:cb
ENode WWNN : 10:00:00:00:c9:d9:9c:cd
FCoE MAC : 0e:fc:03:01:02:02
FC-ID : 01:02:01
LoginMethod : FDISC
Secs : 5593
Status : LOGGED_IN

Table 86. show npiv devices Field Descriptions
Field | Description
ENode [number] | Server CNA that has successfully logged in to a fabric over an MXL 10/40GbE Switch or M I/O Aggregator with the FC Flex IO module Ethernet port in ENode mode.
Enode MAC | MAC address of a server CNA port.
show fc switch Command Example
Dell# show fc switch
Switch Mode : NPG
Switch WWN : 10:00:5c:f9:dd:ef:10:c0
Dell#

Table 87. show fc switch Command Description
Field | Description
Switch Mode | Fibre Channel mode of operation of an MXL 10/40GbE Switch or M I/O Aggregator with the FC Flex IO module. Default: NPG (configured as an NPIV proxy gateway).
Switch WWN | Factory-assigned worldwide node (WWN) name of the MXL 10/40GbE Switch or M I/O Aggregator with the FC Flex IO module.