Dell EMC Networking OS Configuration Guide for the Z9100–ON System 9.14.2.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2018 - 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents (extracted fragments; page numbers as in the PDF)
1 About this Guide 32
  Audience 32
  Conventions
  Removing a Command from EXEC Mode 55
  Moving a Command from EXEC Privilege Mode to EXEC Mode 55
  Allowing Access to CONFIGURATION Mode Commands 55
  Allowing Access to Different Modes
  Enabling 802.1X 79
  Configuring dot1x Profile 80
  Configuring the Static MAB and MAB Profile
  Counting ACL Hits 113
  Configure Ingress ACLs 113
  Configure Egress ACLs
  Enabling four-byte autonomous system numbers 171
  Changing a BGP router ID 172
  Configuring AS4 Number Representations 172
  Configuring a BGP peer
  Configuring UFT Modes 223
  IPv6 CAM ACL Region 224
  Important Points to Remember
  Applying DCB Policies in a Switch Stack 254
  Configure a DCBx Operation 254
  DCBx Operation
  Viewing the Number of SAV Dropped Packets 291
  Clearing the Number of SAV Dropped Packets 292
14 Equal Cost Multi-Path (ECMP) 293
  ECMP for Flow-Based Affinity
  Implementing FRRP 319
  FRRP Configuration 320
  Creating the FRRP Group
  Overview of Layer Modes 353
  Configuring Layer 2 (Data Link) Mode 353
  Configuring Layer 2 (Interface) Mode
  Setting the Speed of Ethernet Interfaces 378
  Syslog Warning Upon Connecting SFP28 Optics with QSA 379
  FEC Configuration
22 IPv6 Routing 404
  Protocol Overview 404
  Extended Address Space
  Multi-Topology IS-IS 429
  Transition Mode 429
  Interface Support
27 Layer 2 464
  Manage the MAC Address Table 464
  Clearing the MAC Address Table
  Relevant Management Objects 491
29 Microsoft Network Load Balancing 495
  Configuring a Switch for NLB 496
  Enabling a Switch for Multicast NLB
  MSTP Sample Configurations 527
  Debugging and Verifying MSTP Configurations 531
32 Multicast Features 533
  Enabling IP Multicast
  Router Types 568
  Designated and Backup Designated Routers 569
  Link-State Advertisements (LSAs) 569
  Router Priority and Cost
  Related Configuration Tasks 612
  Enable PIM-SM 612
  Configuring S,G Expiry Timers
  Enabling PVST+ 654
  Disabling PVST+ 654
  Influencing PVST+ Root Selection
  RIPv1 689
  RIPv2 689
  Implementation Information
  Command Authorization 736
  Protection from TCP Tiny and Overlapping Fragment Attacks 737
  Enabling SCP and SSH
  Marking Egress Packets with a DEI Value 770
  Dynamic Mode CoS for VLAN Stacking 771
  Mapping C-Tag to S-Tag dot1p Values 772
  Layer 2 Protocol Tunneling
  Obtaining a Value for MIB Objects 798
  MIB Support to Display Reason for Last System Reboot 799
  Viewing the Reason for Last System Reboot Using SNMP 799
  MIB Support for Power Monitoring
  Transceiver Monitoring 829
  Configuring SNMP context name 830
51 Storm Control 831
  Configure Storm Control
  Configuring a Source IP Address for NTP Packets 858
  Configuring NTP Authentication 859
  Configuring NTP control key password
  Interspersed VLANs 887
  VLT on Core Switches 888
  Enhanced VLT
  Dell-2 VLT Configuration 949
  Dell-3 VLT Configuration 950
  Dell-4 VLT Configuration
  Configuring Route Leaking with Filtering 993
63 Virtual Router Redundancy Protocol (VRRP) 996
  VRRP Overview 996
  VRRP Benefits
66 X.509v3 1047
  Introduction to X.509v3 certificates 1047
  X.509v3 support in
1 About this Guide This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The Z9100–ON platform is available with Dell EMC Networking OS version 9.8(1.0) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
GRUB
ISIS ADDRESS-FAMILY
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP

Navigating CLI Modes
The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.
CLI Command Mode              Prompt                                                      Access Command
VLAN Interface                DellEMC(conf-if-vl-1)#                                      interface (INTERFACE modes)
STANDARD ACCESS-LIST          DellEMC(config-std-nacl)#                                   ip access-list standard (IP ACCESS-LIST modes)
EXTENDED ACCESS-LIST          DellEMC(config-ext-nacl)#                                   ip access-list extended (IP ACCESS-LIST modes)
IP COMMUNITY-LIST             DellEMC(config-community-list)#                             ip community-list
CONSOLE                       DellEMC(config-line-console)#                               line (LINE modes)
VIRTUAL TERMINAL              DellEMC(config-line-vty)#                                   line (LINE modes)
STANDARD ACCES

CLI Command Mode              Prompt                                                      Access Command
LINE                          DellEMC(config-line-console) or DellEMC(config-line-vty)    line console or line vty
MONITOR SESSION               DellEMC(conf-mon-sess sessionID)#                           monitor session
OPENFLOW INSTANCE             DellEMC(conf-of-instance-ofid)#                             openflow of-instance
PORT-CHANNEL FAILOVER-GROUP   DellEMC(conf-po-failover-grp)#                              port-channel failover-group
PRIORITY GROUP                DellEMC(conf-pg)#                                           priority-group
PROTOCOL GVRP                 DellEMC(config-gvrp)#                                       protocol gvrp
QOS POLICY                    DellEMC(conf-qos-policy-outets)#
DellEMC(conf)#

Undoing Commands
When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
• Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters "cl." You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
• show run | grep ethernet does not return that search result because it only searches for instances containing a noncapitalized "ethernet." show run | grep Ethernet ignore-case returns instances containing both "Ethernet" and "ethernet."
• The grep command displays only the lines containing specified text. The following example shows this command used in combination with the show system brief command.
If either of these messages appears, Dell EMC Networking recommends coordinating with the users listed in the message so that you do not unintentionally overwrite each other's configuration changes.

Configuring alias command
You can configure shorter alias names for single-line command input using the alias command. To configure the alias name, perform the following steps:
1. Configure the terminal to enter the Global Configuration mode.
   EXEC Privilege mode
   DellEMC#configure terminal
2.
-----------------------------------------------------------------
Name: showipbr40
Definition: show ip interface brief | grep fortygig ignore-case
-----------------------------------------------------------------
DellEMC#
3. Display the details of a specific alias.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST), and the system then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
7. Confirm that the terminal settings on your terminal software emulation program are as follows:
• 115200 baud rate
• No parity
• 8 data bits
• 1 stop bit
• No flow control

Default Configuration
Although a version of Dell EMC Networking OS is pre-loaded onto the system, the system is not configured when you power it up for the first time (except for the default hostname, which is DellEMC). You must configure the system using the CLI.

Configuring a Host Name
The host name appears in the prompt.
Configure a Management Route Define a path from the system to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the system through the management port. To configure a management route, use the following command. • Configure a management route to the network from which you are accessing the system.
• enable password is stored in the running/startup configuration using a DES-based encryption method.
• enable secret is stored in the running/startup configuration using an MD5-based hashing method.
• enable sha256-password is stored in the running/startup configuration using a SHA-256-based method (PBKDF2).
Dell EMC Networking recommends using the enable sha256-password command. PBKDF2 salts and iterates the hash, so a password string recovered from a configuration backup costs far more to guess offline than the DES- or MD5-based forms; treat any configuration file that contains these strings as sensitive regardless of the method. To configure an enable password, use the following command.
• Create a password to access EXEC Privilege mode.
Example of Copying a File to an FTP Server
DellEMC#copy flash://FTOS-Z9100-ON-9.8.1.0.bin ftp://myusername:mypassword@192.168.1.1/file_path/FTOS-Z9100-ON-9.8.1.0.bin
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
54238335 bytes successfully copied
NOTE: FTP sends the user name, the password and the file itself in cleartext, and a password embedded in the URL is visible in the command history and in any terminal log. Where the remote host supports it, use scp:// instead (see Enabling SCP and SSH), and verify an imported image with the verify command before installing it.

Example of Importing a File to the Local System
DellEMC#copy ftp://myusername:mypassword@192.168.1.1/file_path/FTOS-Z9100-ON-9.8.1.0.

Example of Logging in to Copy from NFS Mount
DellEMC#copy nfsmount:///test flash:
Destination file name [test]: test2
!
5592 bytes successfully copied
DellEMC#
DellEMC#copy nfsmount:///test.txt ftp://10.16.127.35
Destination file name [test.txt]:
User name to login remote host: username
Password to login remote host:
!

Example of Copying to NFS Mount
DellEMC#copy flash://test.txt nfsmount:///
Destination file name [test.txt]:
!
15 bytes successfully copied
DellEMC#copy flash://test/capture.txt.
Configure the Overload Bit for a Startup Scenario For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system. Viewing Files You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands. • View a list of files on the internal flash.
Managing the File System The Dell EMC Networking system can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere. To view file system information, use the following command. • View information about each file system.
• To copy a file from the internal FLASH, enter flash:// followed by the filename.
• To copy the running configuration, enter the keyword running-config.
• To copy the startup configuration, enter the keyword startup-config.
• To copy a file on the USB device, enter usbflash:// followed by the filename.
In the Dell EMC Networking OS release 9.8(0.0), HTTP services support the VRF-aware functionality.
MD5
DellEMC# verify md5 flash:file-name
SHA256
DellEMC# verify sha256 flash://file-name

Examples: Entering the Hash Value for Verification
MD5
DellEMC# verify md5 flash://file-name 275ceb73a4f3118e1d6bcf7d75753459
SHA256
DellEMC# verify sha256 flash://file-name e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
Compare the value against the digest published for the image, obtained from a trusted source rather than from the same server the image came from. MD5 is collision-prone, so use the SHA256 form when a SHA256 digest is available.
Getting Started 53
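The following Python script is an added example, not part of this guide and not the switch's verify command. It performs the same digest check on a management host, so an image can be checked against its published digest before it is copied to flash, and it also checks a whole sha256sum-style manifest (digest, two spaces, file name; that format and the sample bytes are this example's own assumptions, not a Dell artifact).

```python
"""Check a Dell EMC Networking OS image against a published digest before
copying it to the switch. Added example; it mirrors what 'verify md5' and
'verify sha256' do on the switch but runs on a management host."""
import hashlib
import hmac
import io

# Digest sizes in hex characters; anything else is a malformed reference value.
HEX_LEN = {"md5": 32, "sha256": 64}


def digest_stream(stream, algo="sha256", chunk_size=1 << 20):
    """Hash a file-like object in chunks so a 50+ MB image is not read into memory."""
    if algo not in HEX_LEN:
        raise ValueError(f"unsupported algorithm: {algo}")
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def digest_bytes(data, algo="sha256"):
    return digest_stream(io.BytesIO(data), algo)


def verify_image(data, expected_hex, algo="sha256"):
    """Return True when data hashes to expected_hex.

    The reference digest is normalised (whitespace, case) and must have the
    right length for the algorithm: a truncated or mistyped reference is a
    configuration error and raises rather than silently failing."""
    expected = expected_hex.strip().lower()
    if len(expected) != HEX_LEN.get(algo, -1) or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"expected digest is not a valid {algo} hex string")
    actual = digest_bytes(data, algo)
    # Constant-time compare; cheap insurance when the reference comes from untrusted input.
    return hmac.compare_digest(actual, expected)


def check_manifest(manifest_text, files, algo="sha256"):
    """Verify several files against a sha256sum/md5sum style manifest.

    manifest_text: lines of '<hex digest>  <file name>'. files: dict of
    file name -> bytes. Returns file name -> True/False; a file that is
    listed but not supplied counts as a failure so it is not overlooked."""
    results = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # binary-mode marker used by some tools
        data = files.get(name)
        results[name] = data is not None and verify_image(data, digest, algo)
    return results


# Constructed sample inputs (not a real image and not a Dell-published digest).
SAMPLE_IMAGE = b"abc"
SAMPLE_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"
SAMPLE_MANIFEST = f"""# constructed manifest
{SAMPLE_SHA256}  FTOS-Z9100-ON-9.8.1.0.bin
{SAMPLE_SHA256}  missing-file.bin
"""

if __name__ == "__main__":
    print(verify_image(SAMPLE_IMAGE, SAMPLE_SHA256))
    print(check_manifest(SAMPLE_MANIFEST, {"FTOS-Z9100-ON-9.8.1.0.bin": SAMPLE_IMAGE}))
```

For a real image, open the file in binary mode and pass it to digest_stream rather than reading it into memory. The digest proves only that the bytes you have match the bytes the publisher described; it says nothing about who published them, which is why the reference value must come from a source you trust.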
4 Management This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
CONFIGURATION mode
privilege {configure | interface | line | route-map | router} level level {command ||...|| command}

DellEMC#show running-config privilege
!
privilege exec level 3 configure
privilege exec level 4 resequence
privilege configure level 3 line
privilege configure level 3 interface tengigabitethernet
DellEMC#telnet 10.11.80.
Configuring Logging
The Dell EMC Networking OS tracks changes in the system using event and error messages. By default, Dell EMC Networking OS logs these messages on:
• the internal buffer
• console and terminal lines
• any configured syslog servers
To disable logging, use the following commands.
• Disable all logging except on the console.
  CONFIGURATION mode
  no logging on
• Disable logging to the logging buffer.
  CONFIGURATION mode
  no logging buffer
• Disable logging to terminal lines.
• Only the system administrator user role can execute this command.
• The system administrator and system security administrator user roles can view security events and system events.
• The system administrator user roles can view audit, security, and system events.
• Only the system administrator and security administrator user roles can view security logs.
• The network administrator and network operator user roles can view system events.
Setting Up a Secure Connection to a Syslog Server
You can use reverse tunneling with port forwarding to securely connect to a syslog server, so that syslog traffic, which is otherwise sent as cleartext UDP, is carried inside an SSH session.
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server
   DellEMC(conf)#ip ssh server enable
2.

Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
Track Login Activity Dell EMC Networking OS enables you to track the login activity of users and view the successful and unsuccessful login events. When you log in using the console or VTY line, the system displays the last successful login details of the current user and the number of unsuccessful login attempts since your last successful login to the system, and whether the current user’s permissions have changed since the last login.
Example of the show login statistics all command
The show login statistics all command displays the successful and failed login details of all users in the last 30 days or the custom-defined time period.
DellEMC#show login statistics all
-----------------------------------------------------------------
User: admin
Last login time: 08:54:28 UTC Wed Mar 23 2016
Last login location: Line vty0 ( 10.16.127.
The following is sample output of the show login statistics unsuccessful-attempts user login-id command. DellEMC# show login statistics unsuccessful-attempts user admin There were 3 unsuccessful login attempt(s) for user admin in last 12 day(s). The following is sample output of the show login statistics successful-attempts command. DellEMC#show login statistics successful-attempts There were 4 successful login attempt(s) for user admin in last 30 day(s).
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Current sessions for user admin:
Line      Location
2 vty 0   10.14.1.97
3 vty 1   10.14.1.97
Clear existing session? [line number/Enter to cancel]:
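The show login statistics output above is only available on the switch itself. The following Python script is an added example, not Dell EMC Networking OS code: it rebuilds the same per-user summary (last successful login, its location, failures since that success, failures in a 30-day window) from syslog text on a collector, and adds a per-source-address failure count that the switch view does not give. The message wording, the %SEC mnemonics and the sample lines are constructed for this example and are not Dell's actual log format.

```python
"""Summarise login activity from exported syslog lines.

Added example, not Dell EMC Networking OS code. Reproduces the kind of
summary 'show login statistics' gives on the switch, from syslog text."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines. Classic syslog timestamps carry no year, so the
# caller supplies it.
SAMPLE_LOG = """\
Mar 23 08:54:28 sw1 %SEC-5-LOGIN_SUCCESS: Login successful for user admin on vty0 (10.16.127.35)
Mar 23 09:10:01 sw1 %SEC-4-LOGIN_FAIL: Login failed for user admin on vty1 (10.16.127.50)
Mar 23 09:10:07 sw1 %SEC-4-LOGIN_FAIL: Login failed for user admin on vty1 (10.16.127.50)
Mar 23 09:10:15 sw1 %SEC-4-LOGIN_FAIL: Login failed for user admin on vty1 (10.16.127.50)
Mar 24 11:02:44 sw1 %SEC-5-LOGIN_SUCCESS: Login successful for user admin on console (-)
Mar 25 13:45:00 sw1 %SEC-4-LOGIN_FAIL: Login failed for user operator on vty2 (10.16.127.77)
"""
EXAMPLE_NOW = datetime(2016, 3, 26, 0, 0, 0)   # fixed "now" so results are reproducible

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"%SEC-\d-LOGIN_(?P<result>SUCCESS|FAIL): .*? user (?P<user>\S+) "
    r"on (?P<line>\S+) \((?P<src>[^)]*)\)$"
)


def parse_line(line, year):
    """Return an event dict for a login message, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "SUCCESS", "user": m["user"],
            "line": m["line"], "src": m["src"]}


def _events(text, year, now, days):
    """Parsed login events inside the window, oldest first."""
    cutoff = now - timedelta(days=days)
    events = [e for e in (parse_line(l, year) for l in text.splitlines())
              if e is not None and cutoff <= e["ts"] <= now]
    return sorted(events, key=lambda e: e["ts"])


def login_stats(text, year, now, days=30):
    """Per-user summary: last success, its location, failures since that
    success, and failures in the window."""
    stats = {}
    for e in _events(text, year, now, days):
        s = stats.setdefault(e["user"], {"last_success": None, "last_location": None,
                                         "failed_since_last_success": 0,
                                         "failed_in_window": 0})
        if e["ok"]:
            s["last_success"] = e["ts"]
            s["last_location"] = f"{e['line']} ({e['src']})"
            s["failed_since_last_success"] = 0   # a success resets the counter, as on the switch
        else:
            s["failed_since_last_success"] += 1
            s["failed_in_window"] += 1
    return stats


def noisy_sources(text, year, now, days=30, threshold=3):
    """Source addresses with at least `threshold` failed logins in the window:
    the view to check when a per-user failure count looks high."""
    counts = defaultdict(int)
    for e in _events(text, year, now, days):
        if not e["ok"]:
            counts[e["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for user, s in login_stats(SAMPLE_LOG, 2016, EXAMPLE_NOW).items():
        print(user, s)
    print("sources over threshold:", noisy_sources(SAMPLE_LOG, 2016, EXAMPLE_NOW))
```

The per-user counter resets on every successful login, exactly as the switch's "unsuccessful attempts since your last successful login" does, which is why the per-source count is kept separately: three failures followed by a success from a different address leaves the user counter at zero while the guessing source is still visible.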
• Specify the size of the logging buffer.
  CONFIGURATION mode
  logging buffered size
  NOTE: When you decrease the buffer size, Dell EMC Networking OS deletes all messages stored in the buffer. Increasing the buffer size does not affect messages in the buffer.
• Specify the number of messages that Dell EMC Networking OS saves to its logging history table.
• local5 (for local use)
• local6 (for local use)
• local7 (for local use)
• lpr (for line printer system messages)
• mail (for mail system messages)
• news (for USENET news messages)
• sys9 (system use)
• sys10 (system use)
• sys11 (system use)
• sys12 (system use)
• sys13 (system use)
• sys14 (system use)
• syslog (for syslog messages)
• user (for user programs)
• uucp (UNIX to UNIX copy protocol)
To view nondefault settings, use the show running-config logging command in EXEC mode.

Enabling Timestamp on Syslog Messages
By default, syslog messages include a time/date stamp, taken from the datetime, stating when the error or message was created. To enable timestamp, use the following command.
• Add timestamp to syslog messages.
  CONFIGURATION mode
  service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
Specify the following optional parameters:
• localtime: You can add the keyword localtime to include the localtime, msec, and show-timezone.
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters. To configure the FTP server, use the following commands.
• Specify the directory for users using FTP to reach the system.
  CONFIGURATION mode
  ftp-server topdir dir
  The default is the internal flash directory.
• Specify a user name for all FTP users and configure either a plain text or encrypted password.
Because FTP authenticates in cleartext and every FTP user shares this single account, restrict the FTP server to the management network and enable it only while a transfer is needed.

Denying and Permitting Access to a Terminal Line
Dell EMC Networking recommends applying only standard access control lists (ACLs) to deny and permit access to VTY lines.
• Layer 3 ACLs deny all traffic that is not explicitly permitted, but in the case of VTY lines, an ACL with no rules does not deny traffic. An ACL created but not yet populated therefore leaves the VTY lines open; add the permit rules before applying it, and end it with an explicit deny rule.
• You cannot use the show ip accounting access-list command to display the contents of an ACL that is applied only to a VTY line.
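The empty-ACL behaviour above is easy to trip over. The following Python model is an added example, not Dell code: it evaluates a standard ACL in sequence order with first-match semantics and reproduces the one difference the guide states, that an ACL with no rules applied to a VTY line denies nothing while on a Layer 3 interface the implicit deny applies. The rule text format (seq N permit|deny any|host A.B.C.D|A.B.C.D/len), the parser, the harden helper and the sample ACL are this example's own; the assumption that a non-empty VTY ACL with no matching rule falls through to implicit deny, as on an interface, is also the example's.

```python
"""Model a standard ACL as applied to VTY lines versus a Layer 3 interface.

Added example, not Dell EMC Networking OS code. Sequence-ordered, first
match wins; an empty ACL on a VTY line permits everything (the caveat the
guide calls out), an empty ACL on an interface denies everything."""
from dataclasses import dataclass
import ipaddress

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # ANY means "any"

    def matches(self, src):
        return src in self.network


def parse_standard_acl(text):
    """Parse lines such as 'seq 5 permit 10.16.127.0/24',
    'seq 10 permit host 192.0.2.10' and 'seq 20 deny any'.
    '!' starts a comment; blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4 or parts[0] != "seq" or parts[2] not in ("permit", "deny"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        seq, action, src = int(parts[1]), parts[2], parts[3:]
        if src == ["any"]:
            net = ANY
        elif src[0] == "host" and len(src) == 2:
            net = ipaddress.IPv4Network(f"{src[1]}/32")
        elif len(src) == 1:
            net = ipaddress.IPv4Network(src[0], strict=False)
        else:
            raise ValueError(f"unrecognised source in rule: {raw!r}")
        rules.append(Rule(seq, action, net))
    return sorted(rules, key=lambda r: r.seq)


def evaluate(rules, src_ip, context):
    """Return True if src_ip is permitted. context is "vty" or "interface"."""
    src = ipaddress.IPv4Address(src_ip)
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(src):
            return rule.action == "permit"
    if context == "vty" and not rules:
        return True          # no rules, nothing denied: the VTY caveat
    return False             # implicit deny after the last rule (assumed for non-empty VTY ACLs)


def harden(rules):
    """Append an explicit 'deny any' unless the ACL already ends in one, so the
    empty-ACL behaviour cannot apply and every rejected attempt hits a rule."""
    ordered = sorted(rules, key=lambda r: r.seq)
    if ordered and ordered[-1].action == "deny" and ordered[-1].network == ANY:
        return ordered
    next_seq = ordered[-1].seq + 10 if ordered else 10
    return ordered + [Rule(next_seq, "deny", ANY)]


# Constructed ACL: permit the management subnet and one jump host, nothing else.
SAMPLE_ACL = parse_standard_acl("""
seq 5 permit 10.16.127.0/24      ! management subnet
seq 10 permit host 192.0.2.10    ! jump host
""")

if __name__ == "__main__":
    for ip in ("10.16.127.35", "192.0.2.11"):
        print(ip, "permitted on vty:", evaluate(SAMPLE_ACL, ip, "vty"))
    print("empty ACL on vty permits:", evaluate([], "198.51.100.1", "vty"))
    print("hardened empty ACL on vty permits:", evaluate(harden([]), "198.51.100.1", "vty"))
```

Running the script shows the point of the caveat in one line: an empty list permits a stranger on the VTY, the hardened list does not. Putting the explicit deny in also makes the rejected attempts countable, which the implicit deny is not.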
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal line. A combination of authentication methods is called a method list. If the user fails the first authentication method, Dell EMC Networking OS prompts the next method until all methods are exhausted, at which point the connection is terminated. The available authentication methods are:
enable    Prompt for the enable password.
no exec-timeout
The following example shows how to set the timeout period and how to view the configuration using the show config command from LINE mode. The value shown, exec-timeout 0, sets a zero timeout and so disables the idle timeout: an unattended console session stays logged in indefinitely. On production systems set a non-zero value.
DellEMC(conf)#line con 0
DellEMC(config-line-console)#exec-timeout 0
DellEMC(config-line-console)#show config
line console 0
 exec-timeout 0 0
DellEMC(config-line-console)#

Using Telnet to get to Another Network Device
To telnet to another device, use the following commands. Telnet carries the login credentials and the session in cleartext; use SSH wherever the remote device supports it.
You can then send any user a message using the send command from EXEC Privilege mode. Alternatively, you can clear any line using the clear command from EXEC Privilege mode. If you clear a console session, the user is returned to EXEC mode.
Example of Locking CONFIGURATION Mode for Single-User Access
DellEMC(conf)#configuration mode exclusive auto
BATMAN(conf)#exit
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console
DellEMC#config
! Locks configuration mode exclusively.
Reloading the system
You can reload the system using the reload command. To reload the system, use one of the following commands.
• Reload the system into Dell EMC Networking OS. EXEC Privilege mode reload
• Reload the system if a configuration change to the NVRAM requires a device reload. EXEC Privilege mode reload conditional nvram-cfg-change
• Reload the system into the Dell diagnostics mode. EXEC Privilege mode reload dell-diag
• Reload the system into the ONIE mode.
The following example illustrates the restore factory-defaults command to restore the factory default settings.
DellEMC#restore factory-defaults stack-unit 1 nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing       *
* persistent settings (stacking, fanout, etc.)                        *
* After restoration the unit(s) will be powercycled immediately.
Disabling Syslog Messages for SNMP Authentication Failure Events
The system generates syslog messages for SNMP authentication events. Over time, these messages can fill up the syslog file on the system, making analyzing system logs a cumbersome task. You can disable syslog messages for SNMP authentication failure events on the system. These messages are also the system log's record of failed SNMP authentication attempts, so disabling them removes that evidence from the local log; if the volume is the problem, forwarding logs to a remote syslog server and managing them there preserves the record. To disable these messages, follow this procedure:
• Disable syslog messages for SNMP authentication failure events.
5 802.1X
802.1X is a port-based network access control (PNAC) standard that provides an authentication mechanism for devices wishing to attach to a LAN or WLAN. A device connected to a port on which 802.1X is enabled is not allowed to send or receive packets on the network until its identity is verified (through a username and password, for example). 802.
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication
EAP over RADIUS
802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are carried in RADIUS packets as the EAP-Message attribute, a Type, Length, Value (TLV) attribute whose Type value is 79. Because an attribute value is limited to 253 bytes, a longer EAP packet is split across consecutive EAP-Message attributes, and RFC 3579 requires a Message-Authenticator attribute (Type 80) in any RADIUS packet that carries EAP-Message so that the EAP payload cannot be altered in transit.
Figure 6. EAP Over RADIUS
RADIUS Attributes for 802.1X Support
Dell EMC Networking systems include the following RADIUS attributes in all 802.
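The encapsulation described above, as an added example that is not Dell EMC Networking OS code: a small Python codec that fragments an EAP packet across EAP-Message (Type 79) attributes, appends the Message-Authenticator (Type 80) that RFC 3579 requires, and on the receiving side verifies that HMAC-MD5 before reassembling the EAP payload. The shared secret, packet identifier and EAP-Response/Identity payload are constructed test data; User-Password hiding and the other RADIUS attributes are left out.

```python
"""Encode and decode EAP over RADIUS attributes (RFC 3579).

Added example, not Dell EMC code. The 20-byte RADIUS header is
Code(1) Identifier(1) Length(2) Authenticator(16); each attribute is a TLV
of Type(1) Length(1, including the 2-byte header) Value(<=253 bytes).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
EAP_MESSAGE = 79            # RADIUS attribute Type for EAP-Message
MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the whole packet
MAX_ATTR_VALUE = 253        # largest value that fits a one-byte Length


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Split one EAP packet into consecutive EAP-Message TLVs."""
    out = bytearray()
    for i in range(0, len(eap_packet), MAX_ATTR_VALUE):
        chunk = eap_packet[i:i + MAX_ATTR_VALUE]
        out += struct.pack("!BB", EAP_MESSAGE, len(chunk) + 2) + chunk
    return bytes(out)


def build_access_request(identifier: int, request_authenticator: bytes,
                         attrs: bytes, secret: bytes) -> bytes:
    """Assemble an Access-Request and fill in Message-Authenticator last."""
    body = attrs + struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + b"\x00" * 16
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    pkt = bytearray(header + request_authenticator + body)
    # HMAC is computed with the Message-Authenticator value zeroed, then written in.
    pkt[-16:] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)


def parse_attrs(pkt: bytes):
    """Yield (type, value) for each TLV following the RADIUS header."""
    off = 20
    while off < len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            raise ValueError("malformed attribute")
        yield t, pkt[off + 2:off + length]
        off += length


def verify_and_extract_eap(pkt: bytes, secret: bytes) -> bytes:
    """Check Message-Authenticator, then concatenate EAP-Message values in order."""
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("RADIUS length field does not match packet")
    mac_off, off = None, 20
    for t, v in parse_attrs(pkt):
        if t == MESSAGE_AUTHENTICATOR:
            mac_off = off + 2
        off += 2 + len(v)
    if mac_off is None:
        raise ValueError("Message-Authenticator is required with EAP-Message")
    zeroed = bytearray(pkt)
    zeroed[mac_off:mac_off + 16] = b"\x00" * 16
    expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
    if not hmac.compare_digest(expected, pkt[mac_off:mac_off + 16]):
        raise ValueError("bad Message-Authenticator")
    return b"".join(v for t, v in parse_attrs(pkt) if t == EAP_MESSAGE)


def demo():
    """Round-trip a constructed EAP-Response/Identity that needs two TLVs."""
    secret = b"constructed-shared-secret"          # constructed test data
    identity = b"user@example.test" + b"x" * 300   # padded past 253 bytes
    # EAP header: Code 2 (Response), Identifier 1, Length, Type 1 (Identity)
    eap = struct.pack("!BBH", 2, 1, 5 + len(identity)) + b"\x01" + identity
    pkt = build_access_request(7, os.urandom(16), eap_message_attrs(eap), secret)
    return eap, pkt, verify_and_extract_eap(pkt, secret)


if __name__ == "__main__":
    eap, pkt, recovered = demo()
    print(len(pkt), "byte Access-Request, EAP recovered intact:", recovered == eap)
```

Flipping any byte of the EAP payload makes verify_and_extract_eap raise, which is the property the authenticator and server rely on when they relay EAP through RADIUS.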
Related Configuration Tasks
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN
Important Points to Remember
• Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. Of these, EAP-MD5 authenticates only the supplicant and derives no keying material, so prefer the TLS-tunneled methods (EAP-TLS, EAP-TTLS, PEAP) where the supplicants support them.
• All platforms support only RADIUS as the authentication server.
1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range]
3. Enable 802.1X only on the interfaces to which supplicants connect. INTERFACE mode dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. In the following example, the dot1x authentication lines show that 802.1X is enabled.
CONFIGURATION mode dot1x profile {profile-name}
profile-name: Enter the dot1x profile name. The profile name length is limited to 32 characters.
DellEMC(conf)#dot1x profile test
DellEMC(conf-dot1x-profile)#
DellEMC#show dot1x profile
802.1x profile information
-----------------------------
Dot1x Profile test
Profile MACs
00:00:00:00:01:11
Configuring the Static MAB and MAB Profile
Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static MAB.
Configuring Critical VLAN
By default, no critical VLAN is configured. If authentication fails because the authentication server is not reachable, the user session is placed in the critical VLAN. Because this admits hosts that have not been authenticated, keep the critical VLAN's reachability to the minimum those hosts need. To configure a critical VLAN for users or devices to use when the authentication server is not reachable, use the following command.
• Enable the critical VLAN for users or devices. INTERFACE mode dot1x critical-vlan [{vlan-id}] Specify the VLAN interface identifier to be configured as the critical VLAN. The VLAN ID range is 1–4094.
 mac 00:50:56:aa:01:11
DellEMC(conf-dot1x-profile)#
DellEMC(conf-dot1x-profile)#exit
DellEMC(conf)#
Configuring Request Identity Re-Transmissions
When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. You can configure both the amount of time that the authenticator waits before re-transmitting and the maximum number of times that it retransmits.
Untagged VLAN id: None
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 2
Supplicant Timeout: 30 seconds
Server Timeout: 30 seconds
Re-Auth Interval: 3600 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Forcibly Authorizing or Unauthorizing a Port
An 802.1X port can be placed into one of three states:
• ForceAuthorized — an authorized state.
To configure re-authentication time settings, use the following commands:
• Configure the authenticator to periodically re-authenticate the supplicant. INTERFACE mode dot1x reauthentication [interval] seconds The range is from 1 to 31536000. The default is 3600.
• Configure the maximum number of times the supplicant can be re-authenticated. INTERFACE mode dot1x reauth-max number The range is from 1 to 10. The default is 2.
Figure 8. Dynamic VLAN Assignment
1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configuration (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5.
Configuring a Guest VLAN
If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN. Hosts in the Guest VLAN have not been authenticated, so limit what that VLAN can reach.
NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Configure a port to be placed in the Guest VLAN after failing to respond within the timeout period using the dot1x guest-vlan command from INTERFACE mode.
Re-Authentication: Disable
Untagged VLAN id: None
Guest VLAN: Disabled
Guest VLAN id: 200
Auth-Fail VLAN: Disabled
Auth-Fail VLAN id: 100
Auth-Fail Max-Attempts: 5
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) Optimizing CAM Utilization During the Attachment of ACLs to VLANs To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
• The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization.
• If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups.
• If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
Vlan Members  : 2-10,99
Group Name    : HostGroup
Egress IP Acl : Group5
Vlan Members  : 1,1000
DellEMC#
Configuring FP Blocks for VLAN Parameters
To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in the VLAN content-aware processor (VCAP). ACL VLAN groups or CAM optimization is not enabled by default.
The following output displays CAM space usage when you configure Layer 2 and Layer 3 ACLs:
DellEMC#show cam-usage acl
Stackunit|Portpipe| CAM Partition   | Total CAM | Used CAM | Available CAM
=========|========|=================|===========|==========|==============
    1    |    0   | IN-L2 ACL       |    1536   |     0    |     1536
         |        | IN-L3 ACL       |    1024   |     1    |     1023
         |        | IN-L3 ECMP GRP  |    1024   |     0    |     1024
         |        | IN-V6 ACL       |       0   |     0    |        0
         |        | OUT-L2 ACL      |     206   |     9    |      197
         |        | OUT-L3 ACL      |     178   |     9    |      169
         |        | OUT-V6 ACL      |     178   |     4    |      174
    2    |    0   | IN-L2 ACL       |
You can configure only two of these features at a time.
• To allocate the number of FP blocks for VLAN open flow operations, use the cam-acl-vlan vlanopenflow <0-2> command.
• To allocate the number of FP blocks for ACL VLAN optimization, use the cam-acl-vlan vlanaclopt <0-2> command.
To reset the number of FP blocks to the default, use the no version of these commands. By default, zero groups are allocated for the ACL in VCAP. ACL VLAN groups or CAM optimization is not enabled by default.
VRF       UDF       Aclrange  Acloptimized
--------  --------  --------  ------------
disabled  disabled  disabled  enabled
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, ACLs, prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter covers IP ACLs, IP prefix lists, and route-maps. For MAC ACLs, refer to Layer 2.
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• Configuring UDF ACL
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
IP Access Control Lists (ACLs)
In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address only.
Test CAM Usage
This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs. To determine whether sufficient ACL CAM space is available to enable a service-policy, use this command. To verify the actual CAM space required, create a class map with all the required ACL rules, then execute the test cam-usage command in EXEC Privilege mode. The following example shows the output when executing this command.
You can use the log keyword to log the details about the packets that match. Logging is done by the control processor, whose load rises with the number of packets that match a logged entry and the rate at which they arrive; the route processor (RP) is unaffected. Use this option for debugging issues related to control traffic rather than as a permanent setting on rules that match high-volume traffic.
ACL Optimization
If an access list contains duplicate entries, Dell EMC Networking OS deletes one entry to conserve CAM space.
CONFIGURATION ACL RANGE mode type [inverse value] lower-threshold upper-threshold
DellEMC(conf)#feature aclrange
DellEMC(conf)#aclrange sportrange1
DellEMC(conf-aclrange-sportrange1)# l4srcport 1024 65535
DellEMC(conf)#aclrange destportrange1
DellEMC(conf-acl-destportrange1)# l4dstport 500 500
DellEMC(conf)#aclrange inverserange
DellEMC(conf-acl-inverserange)# l4dstport inverse 1000
DellEMC# show aclrange
INDEX  PROFILE_NAME  TYPE  INVERSE  LOWER THRESHOLD  UPPER THRESHOLD  REF_CNT
----------------------------
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set specific values on them. To create a route map, use the following command.
• Create a route map and assign it a unique name. The optional permit and deny keywords are the actions of the route map.
 tag 3444
DellEMC#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands.
• match commands search for a certain criterion in the routes.
• set commands change the characteristics of routes, either adding something or specifying a level.
match interface interface
The parameters are:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
• For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
• For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
set automatic-tag
• Specify an OSPF area or ISIS level for redistributed routes. CONFIG-ROUTE-MAP mode set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
• Specify a value for the BGP route's LOCAL_PREF attribute. CONFIG-ROUTE-MAP mode set local-preference value
• Specify a metric value for redistributed routes. CONFIG-ROUTE-MAP mode set metric {+ | - | metric-value}
• Specify an OSPF or ISIS type for redistributed routes.
 match interface TenGigabitEthernet 1/1/1
 match metric 255
 set level backbone
Configure a Route Map for Route Tagging
One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
IP Fragments ACL Examples
The following examples show how you can use ACL commands with the fragments keyword to filter fragmented packets.
The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule is never hit, because the first rule already matches every fragment of such packets.
Example of Permitting All Packets on an Interface
DellEMC(conf)#ip access-list extended ABC
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32
DellEMC(conf-ext-nacl)#deny ip any 10.1.1.
DellEMC(conf-ext-nacl)#deny ip any any log
DellEMC(conf-ext-nacl)
When configuring ACLs with the fragments keyword, be aware of the following. When an ACL filters packets, it looks at the fragment offset (FO) to determine whether the packet is a fragment.
• FO = 0 means it is either the first fragment or the packet is a non-fragment.
• FO > 0 means it is a non-initial fragment of the original packet.
Only the FO = 0 fragment carries the Layer 4 header, so TCP and UDP port matches can be evaluated only against it; non-initial fragments can be matched on Layer 3 fields alone.
Configure a Standard IP ACL
To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode.
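A model of the fragment-offset handling described above, as an added Python example (not Dell EMC Networking OS code). The fragments keyword is modelled as matching only non-initial fragments (FO > 0), consistent with the page's first example, where a plain permit ip rule already catches every fragment and the later fragments rule is never hit. Treating a port-based rule as no match for a non-initial fragment (no Layer 4 header is present) is this example's simplification; confirm the platform's behaviour in the command reference. The rules and packets below are constructed.

```python
"""Toy IPv4 ACL evaluator that models fragment handling.

Added example, not Dell EMC code. FO == 0 is the first fragment or an
unfragmented packet and still carries the L4 header; FO > 0 is a
non-initial fragment with no L4 header.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                     # "tcp", "udp", "icmp"
    src: str
    dst: str
    fo: int = 0                    # fragment offset (8-byte units)
    dport: Optional[int] = None    # only present when fo == 0


@dataclass
class Rule:
    seq: int
    action: str                    # "permit" | "deny"
    proto: str                     # "ip" matches every protocol
    src: str                       # CIDR or "any"
    dst: str                       # CIDR or "any"
    dport: Optional[int] = None    # destination port match (eq)
    fragments: bool = False        # the `fragments` keyword


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_net_match(rule.src, pkt.src) and _net_match(rule.dst, pkt.dst)):
        return False
    if rule.fragments:
        # `fragments` selects non-initial fragments only.
        return pkt.fo > 0
    if rule.dport is not None:
        # A port match needs the L4 header, which only the FO == 0 piece has
        # (simplification: non-initial fragments do not match port rules).
        return pkt.fo == 0 and pkt.dport == rule.dport
    return True  # L3-only rule: matches initial and non-initial fragments alike


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching rule, or the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


# Constructed ACLs mirroring the shapes discussed above.
ACL_PERMIT_FIRST = [                       # the page's first example
    Rule(5, "permit", "ip", "any", "10.1.1.1/32"),
    Rule(10, "deny", "ip", "any", "10.1.1.1/32", fragments=True),  # never hit
]
ACL_DROP_FRAGMENTS = [                     # drop non-initial fragments up front
    Rule(5, "deny", "ip", "any", "any", fragments=True),
    Rule(10, "permit", "tcp", "any", "10.1.1.1/32", dport=80),
]

if __name__ == "__main__":
    frag = Packet("tcp", "192.0.2.7", "10.1.1.1", fo=3)
    first = Packet("tcp", "192.0.2.7", "10.1.1.1", fo=0, dport=80)
    for name, acl in (("permit-first", ACL_PERMIT_FIRST), ("drop-frags", ACL_DROP_FRAGMENTS)):
        print(name, "first:", evaluate(acl, first), "non-initial:", evaluate(acl, frag))
```

Run as a script it shows the two behaviours side by side: with the permit-first list every fragment is permitted by seq 5, while the drop-fragments list lets the initial fragment through on the port rule and denies the rest at seq 5.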
Configuring a Standard IP ACL Filter
If you are creating a standard ACL with only one or two filters, you can let Dell EMC Networking OS assign a sequence number based on the order in which the filters are configured. The software assigns sequence numbers in multiples of five.
1. Configure a standard IP ACL and assign it a unique name. CONFIGURATION mode ip access-list standard access-list-name
2. Configure a drop or forward IP ACL filter.
seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator [portnumber | portname]] [count [byte]] [order] [monitor [session-id]] [fragments] While configuring an IP access list, you can choose to configure either by using the logical name of the protocol or by using the port number of the protocol. The logical names are available for both TCP and UDP.
 seq 40 permit icmp any any parameter-problem count (50 packets)
 seq 45 permit icmp any any port-unreachable count (50 packets)
 seq 50 permit icmp any any source-quench count (50 packets)
 seq 55 permit icmp any any time-exceeded count (50 packets)
The following example shows the configuration to filter ICMPv6 packets using an IPv6 ACL:
DellEMC(config-ext-nacl)#show config
!
ipv6 access-list extended icmp
 seq 5 permit icmp any any echo count
 seq 10 permit icmp any any echo-reply count
 seq 15 permit icmp a
The example below shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 15 was configured before filter 5, but the show config command displays the filters in the correct order.
DellEMC(config-ext-nacl)#seq 15 deny ip host 112.45.0.0 any log monitor 501
DellEMC(config-ext-nacl)#seq 5 permit tcp 12.1.3.45 0.0.255.255 any
DellEMC(config-ext-nacl)#show config
!
ip access-list extended dilling
 seq 5 permit tcp 12.1.0.0 0.0.255.
• L3 egress access list
• L2 egress access list
If a rule is simply appended, existing counters are not affected.
Table 6. L2 and L3 Filtering on Switched Packets
L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              L3 ACL denies.
Deny              Permit            L3 ACL permits.
Permit            Deny              L3 ACL denies.
Permit            Permit            L3 ACL permits.
NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic.
interface TenGigabitEthernet 1/1/1
 ip address 10.2.1.100 255.255.255.0
 ip access-group nimule in
 no shutdown
DellEMC(conf-if)#
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.
Counting ACL Hits
You can view the number of packets matching the ACL by using the count option when creating ACL entries.
1. Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter.
2. Apply the ACL as an inbound or outbound ACL on an interface.
3.
To create an egress ACL, apply the ACL with the ip access-group command in INTERFACE mode. The example shows viewing the configuration, applying rules to the newly created access group, and viewing the access list.
NOTE: VRF based ACL configurations are not supported on the egress traffic.
Example of Applying ACL Rules to Egress Traffic and Viewing ACL Configuration
To specify egress, use the out keyword. Begin applying rules to the ACL with the ip access-list extended abcd command.
Dell EMC Networking OS Behavior: Virtual router redundancy protocol (VRRP) hellos and internet group management protocol (IGMP) packets are not affected when you enable egress ACL filtering for CPU traffic. Packets sent by the CPU with the source address as the VRRP virtual IP address have the interface MAC address instead of VRRP virtual MAC address. Configuring UDF ACL To configure a User Defined Field (UDF) ACL: 1. Enable UDF ACL feature on a switch.
DellEMC#
4. Create a UDF packet format in the UDF TCAM table. CONFIGURATION mode udf-tcam name seq number
DellEMC(conf)#udf-tcam ipnip seq 1
5. Configure a UDF ID to parse packet headers using the specified offset and number of bytes. CONFIGURATION-UDF TCAM mode key description udf-id id packetbase PacketBase offset bytes length bytes
DellEMC(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2
6. View the UDF TCAM configuration.
12. View the UDF TCAM configuration. CONFIGURATION-UDF TCAM mode show config
DellEMC(config-ext-nacl)#show config
!
ip access-list extended aa
 seq 5 permit ip any any udf-pkt-format ipnip udf-qualifier-value ipnip_val1
DellEMC(config-ext-nacl)#
IP Prefix Lists
IP prefix lists control routing policy. An IP prefix list is a series of sequential filters that contain a matching criterion (examine IP route prefix) and an action (permit or deny) to process routes.
CONFIGURATION mode ip prefix-list prefix-name
2. Create a prefix list entry with a sequence number and a deny or permit action. CONFIG-NPREFIXL mode seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
• le max-prefix-length: the maximum prefix length to match (from 0 to 32).
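An evaluator for the ge/le semantics above, as an added Python example (not Dell EMC Networking OS code). A route matches an entry when its network lies within the entry's prefix and its prefix length satisfies the bounds: ge alone means ge up to 32, le alone means the entry's own length up to le, and neither means an exact length match. Entries are tried in sequence order and the list ends in an implicit deny. The sample entries and routes are constructed.

```python
"""Evaluate routes against an IP prefix list with ge/le bounds.

Added example, not Dell EMC code.
"""
from ipaddress import ip_network
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    seq: int
    action: str                 # "permit" | "deny"
    prefix: str                 # e.g. "10.0.0.0/8"
    ge: Optional[int] = None    # minimum prefix length to match
    le: Optional[int] = None    # maximum prefix length to match


def length_bounds(entry: Entry) -> Tuple[int, int]:
    """Inclusive [lo, hi] prefix-length range an entry accepts."""
    base = ip_network(entry.prefix, strict=False)
    if entry.ge is None and entry.le is None:
        lo = hi = base.prefixlen                     # exact length only
    else:
        lo = entry.ge if entry.ge is not None else base.prefixlen
        hi = entry.le if entry.le is not None else base.max_prefixlen
    if not (base.prefixlen <= lo <= hi <= base.max_prefixlen):
        raise ValueError(f"seq {entry.seq}: invalid ge/le for {entry.prefix}")
    return lo, hi


def entry_matches(entry: Entry, route: str) -> bool:
    base = ip_network(entry.prefix, strict=False)
    net = ip_network(route, strict=False)
    if net.version != base.version or not net.subnet_of(base):
        return False                                 # outside the entry's prefix
    lo, hi = length_bounds(entry)
    return lo <= net.prefixlen <= hi


def evaluate(prefix_list: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry, or the implicit deny."""
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry_matches(entry, route):
            return entry.action, entry.seq
    return "deny", None


def filter_routes(prefix_list: List[Entry], routes: List[str]) -> List[str]:
    return [r for r in routes if evaluate(prefix_list, r)[0] == "permit"]


# Constructed list: block 10/8 more-specifics longer than /24, allow the rest of
# 10/8 up to /24, allow exactly 192.0.2.0/24, implicitly deny everything else.
SAMPLE_LIST = [
    Entry(5, "deny", "10.0.0.0/8", ge=25),
    Entry(10, "permit", "10.0.0.0/8", le=24),
    Entry(15, "permit", "192.0.2.0/24"),
]

if __name__ == "__main__":
    for r in ("10.1.2.0/24", "10.1.2.128/25", "192.0.2.0/24", "192.0.2.0/25"):
        print(r, "->", evaluate(SAMPLE_LIST, r))
```

length_bounds rejects an entry whose ge is shorter than its own prefix length or whose le exceeds the address size, which mirrors the kind of entry the CLI would refuse.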
Viewing Prefix Lists
To view all configured prefix lists, use the following commands.
• Show detailed information about configured prefix lists. EXEC Privilege mode show ip prefix-list detail [prefix-name]
• Show a table of summarized information about configured prefix lists. EXEC Privilege mode show ip prefix-list summary [prefix-name]
The following example shows the show ip prefix-list detail command.
 network 10.0.0.0
DellEMC(conf-router_rip)#router ospf 34
Applying a Filter to a Prefix List (OSPF)
To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode. CONFIGURATION mode router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded, so check the name with show ip prefix-list summary before you apply it.
The remark number is optional. The following example shows how to write a remark for an ACL rule:
Dell(config-ext-nacl)#ip access-list extended test
Dell(config-ext-nacl)# remark permit any ip
Dell(config-ext-nacl)# seq 10 permit ip any any
Dell(config-ext-nacl)#sh config
!
ip access-list extended test
 remark 10 permit any ip
 seq 10 permit ip any any
Deleting a Remark
To delete a remark, follow this procedure:
A standard IP ACL uses the source IP address as its match criterion.
Rules After Resequencing:
 seq 5 permit any host 1.1.1.1
 seq 10 permit any host 1.1.1.2
 seq 15 permit any host 1.1.1.3
 seq 20 permit any host 1.1.1.4
Resequencing an ACL or Prefix List
Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
 seq 15 permit ip any host 1.1.1.3
 seq 20 permit ip any host 1.1.1.4
DellEMC# end
DellEMC# resequence access-list ipv4 test 2 2
DellEMC# show running-config acl
!
ip access-list extended test
 remark 2 XYZ
 remark 4 this remark corresponds to permit any host 1.1.1.1
 seq 4 permit ip any host 1.1.1.1
 remark 6 this remark has no corresponding rule
 remark 8 this remark corresponds to permit ip any host 1.1.1.2
 seq 8 permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.3
 seq 12 permit ip any host 1.1.1.
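The renumbering that resequence access-list performs in the output above, reproduced as an added Python example (not Dell EMC Networking OS code). Remarks and rules are renumbered together in their original order; a remark that shares a sequence number with a rule keeps that pairing, and a remark with no rule keeps its own slot, which is why the output shows remark 4 with seq 4 but remark 6 on its own. The sample list, the MAX_SEQ limit and the parse/render helpers are this example's assumptions.

```python
"""Resequence an ACL, keeping remarks attached to their rules.

Added example, not Dell EMC code. Every distinct original sequence number
becomes start, start + inc, start + 2*inc, ... in ascending order.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_SEQ = 65535   # assumed upper bound for a sequence number; check the command reference


@dataclass(frozen=True)
class Line:
    seq: int
    kind: str     # "remark" | "rule"
    text: str     # remark text, or the rule body after the sequence number


def parse(config: str) -> List[Line]:
    """Parse `remark N text` / `seq N rule` lines as shown by show config."""
    lines = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        keyword, seq, rest = raw.split(None, 2)
        if keyword not in ("remark", "seq"):
            raise ValueError(f"unexpected line: {raw!r}")
        lines.append(Line(int(seq), "remark" if keyword == "remark" else "rule", rest))
    return lines


def resequence(lines: List[Line], start: int, inc: int) -> List[Line]:
    if start < 1 or inc < 1:
        raise ValueError("start and increment must be positive")
    originals = sorted({l.seq for l in lines})
    mapping: Dict[int, int] = {old: start + i * inc for i, old in enumerate(originals)}
    if originals and mapping[originals[-1]] > MAX_SEQ:
        raise ValueError("resequencing would exceed the maximum sequence number")
    # Entries sharing an original number share the new one, so pairs survive.
    return [Line(mapping[l.seq], l.kind, l.text) for l in lines]


def render(lines: List[Line]) -> List[str]:
    """Render in display order: ascending seq, remark before rule at equal seq."""
    ordered = sorted(lines, key=lambda l: (l.seq, l.kind != "remark"))
    return [f"{'remark' if l.kind == 'remark' else 'seq'} {l.seq} {l.text}" for l in ordered]


# Constructed "before" list with the same shape as the page's example.
BEFORE = parse("""
remark 5 XYZ
remark 10 this remark corresponds to permit any host 1.1.1.1
seq 10 permit ip any host 1.1.1.1
remark 12 this remark has no corresponding rule
remark 15 this remark corresponds to permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.2
seq 20 permit ip any host 1.1.1.3
seq 25 permit ip any host 1.1.1.4
""")

if __name__ == "__main__":
    for line in render(resequence(BEFORE, 2, 2)):
        print(" " + line)
```

Running the script prints the same remark 2 / remark 4 + seq 4 / remark 6 / remark 8 + seq 8 / seq 10 / seq 12 layout as the switch output above.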
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 9. BFD in IPv4 Packet Format
Field            Description
Diagnostic Code  The reason that the last session failed.
State            The current local session state. Refer to BFD Sessions.
Flag             A bit that indicates packet function.
Field                    Description
Your Discriminator       A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval  The minimum interval at which the local system would like to send control packets to the remote system.
State  Description
Up     Both systems are exchanging control packets. The session is declared down if:
       • A control packet is not received within the detection time.
       • Sufficient echo packets are lost.
       • Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
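The control-packet layout and the state transitions described above, as an added Python example (not Dell EMC Networking OS code): a codec for the 24-byte BFD control packet (RFC 5880 section 4.1, version 1), the receive-side transition function from section 6.8.6, the asynchronous-mode detection time, and the three-way handshake run for both sides. Discriminators, intervals and the constructed packet bytes are test data.

```python
"""BFD control packet codec and session state machine (RFC 5880).

Added example, not Dell EMC code. Packet layout (24 bytes, no auth):
  Vers(3) Diag(5) | Sta(2) P F C A D M | Detect Mult | Length
  My Discriminator | Your Discriminator | Desired Min TX | Required Min RX
  Required Min Echo RX   (all intervals in microseconds)
"""
import struct
from enum import IntEnum
from typing import Dict, List, Tuple

BFD_CONTROL_PORT = 3784          # UDP destination port for single-hop control packets
_FMT = "!BBBBIIIII"              # 4 one-byte fields + 5 32-bit fields = 24 bytes


class State(IntEnum):
    ADMIN_DOWN = 0
    DOWN = 1
    INIT = 2
    UP = 3


def pack_control(state: State, diag: int, detect_mult: int, my_disc: int,
                 your_disc: int, tx_us: int, rx_us: int, echo_rx_us: int = 0,
                 flags: int = 0) -> bytes:
    b0 = (1 << 5) | (diag & 0x1F)              # version 1, diagnostic code
    b1 = (int(state) << 6) | (flags & 0x3F)    # state, then P F C A D M bits
    return struct.pack(_FMT, b0, b1, detect_mult, 24,
                       my_disc, your_disc, tx_us, rx_us, echo_rx_us)


def unpack_control(data: bytes) -> Dict[str, int]:
    """Decode and apply the basic validity checks of RFC 5880 section 6.8.6."""
    if len(data) < 24:
        raise ValueError("short BFD control packet")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = struct.unpack(_FMT, data[:24])
    if b0 >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length < 24 or length != len(data):
        raise ValueError("bad length field")
    if mult == 0 or my_disc == 0:
        raise ValueError("Detect Mult and My Discriminator must be nonzero")
    return {"diag": b0 & 0x1F, "state": State(b1 >> 6), "flags": b1 & 0x3F,
            "detect_mult": mult, "my_disc": my_disc, "your_disc": your_disc,
            "tx_us": tx, "rx_us": rx, "echo_rx_us": echo}


def next_state(local: State, remote: State) -> State:
    """Local state after receiving a control packet reporting `remote` state."""
    if remote == State.ADMIN_DOWN:
        return State.DOWN if local != State.ADMIN_DOWN else local
    if local == State.DOWN:
        return {State.DOWN: State.INIT, State.INIT: State.UP}.get(remote, State.DOWN)
    if local == State.INIT:
        return State.UP if remote in (State.INIT, State.UP) else State.INIT
    if local == State.UP:
        return State.DOWN if remote == State.DOWN else State.UP
    return local  # ADMIN_DOWN stays until the operator re-enables the session


def detection_time_us(remote_mult: int, local_required_rx_us: int,
                      remote_desired_tx_us: int) -> int:
    """Asynchronous mode: remote DetectMult x max(local RequiredMinRx, remote DesiredMinTx)."""
    return remote_mult * max(local_required_rx_us, remote_desired_tx_us)


def three_way_handshake() -> List[Tuple[State, State]]:
    """Drive systems A and B from Down to Up; return the (A, B) state trace."""
    a, b = State.DOWN, State.DOWN
    trace = [(a, b)]
    b = next_state(b, a); trace.append((a, b))   # A reports Down: B Down -> Init
    a = next_state(a, b); trace.append((a, b))   # B reports Init: A Down -> Up
    b = next_state(b, a); trace.append((a, b))   # A reports Up:   B Init -> Up
    return trace


if __name__ == "__main__":
    pkt = pack_control(State.INIT, 0, 3, 0x1234, 0x5678, 200_000, 200_000)
    print(unpack_control(pkt))
    print([f"{x.name}/{y.name}" for x, y in three_way_handshake()])
    print("detection time (ms):", detection_time_us(3, 200_000, 200_000) // 1000)
```

With the 200 ms intervals and multiplier 3 seen in the show bfd neighbors output above, the detection time comes out at 600 ms, which is how long a neighbour can be silent before the session is declared down.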
• Configuring Protocol Liveness
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable a routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
 Number of packets received from neighbor: 4092
 Number of packets sent to neighbor: 4093
 Number of state changes: 1
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 7
Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF.
Figure 12. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF.
Dell#show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr   RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 11.1.1.1    11.1.1.2    Te 1/1/1   Up     200     200     3     R
* 21.1.1.1    21.1.1.2    Vl 100     Up     200     200     3     R
* 31.1.1.1    31.1.1.
For more information on prefix lists, see IP Prefix Lists.
To enable BFD sessions on specific neighbors, perform the following steps:
Enter the following command to enable BFD sessions on specific next-hop neighbors: CONFIGURATION ip route bfd prefix-list prefix-list-name
The BFD session is established for the next-hop neighbors that are specified in the prefix-list.
• The absence of a prefix-list causes BFD sessions to be enabled on all the eligible next-hop neighbors.
Related Configuration Tasks
• Changing IPv6 Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for IPv6 Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF. To establish a BFD session, use the following command.
• Establish BFD sessions for all IPv6 neighbors that are the next hop of a static route.
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 11::1      11::2       Te 1/1/1   Up     200     200     3     R
* 21::1      21::2       Vl 100     Up     200     200     3     R
* 31::1      31::2       Vl 101     Up     200     200     3     R
The following example shows that sessions are created for static routes for the n
ondefault VRFs.
Related Configuration Tasks
• Changing OSPF Session Parameters
• Disabling BFD for OSPF
Establishing Sessions with OSPF Neighbors for the Default VRF
BFD sessions can be established with all OSPF neighbors at once, or with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 13.
To view the established sessions, use the show bfd neighbors command. The lines whose Clients column shows O are the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
*     - Active session role
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
  LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2    2.2.2.1     Te 2/1/1   Up     100     100     3     O
* 2.2.3.1    2.2.3.
* 7.1.1.1    7.1.1.2     Te 1/21/1  Up     200     200     3     O
The following example shows the show bfd vrf neighbors command output for a nondefault VRF.
show bfd vrf VRF_blue neighbors
*     - Active session role
Ad Dn - Admin Down
B     - BGP
C     - CLI
I     - ISIS
O     - OSPF
O3    - OSPFv3
R     - Static Route (RTM)
M     - MPLS
V     - VRRP
VT    - Vxlan Tunnel
  LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  VRF  Clients
* 5.1.1.1    5.1.1.2     Po 30      Up     200     200     3     255  O
* 6.1.1.1    6.1.1.2     Vl 30      Up     200     200     3     255  O
* 7.1.1.1    7.1.1.
Delete session on Down: True
VRF: VRF_blue
Client Registered: OSPF
Uptime: 00:00:15
Statistics:
 Number of packets received from neighbor: 78
 Number of packets sent to neighbor: 78
 Number of state changes: 1
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 4
Session Discriminator: 6
Neighbor Discriminator: 1
Local Addr: 7.1.1.1
Local MAC Addr: 00:a0:c9:00:00:02
Remote Addr: 7.1.1.
no bfd all-neighbors
• Disable BFD sessions with all OSPF neighbors on an interface. INTERFACE mode ip ospf bfd all-neighbors disable
Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
Establishing BFD Sessions with OSPFv3 Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, use the following procedure:
• Enable BFD globally. CONFIGURATION mode bfd enable
• Establish sessions with all OSPFv3 neighbors in a specific VRF. ROUTER-OSPFv3 mode bfd all-neighbors
• Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
* fe80::2a0:c9ff:fe00:2  fe80::3617:98ff:fe34:12  Vl 102  Up  150  150  3  511  O3
* fe80::2a0:c9ff:fe00:2  fe80::3617:98ff:fe34:12  Vl 103  Up  150  150  3  511  O3
DellEMC#
Changing OSPFv3 Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or for all OSPFv3 sessions on a particular interface.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once, or for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or for all IS-IS sessions out of an interface. If you change a parameter globally, the change affects all IS-IS neighbor sessions.
Figure 15. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
2. Specify the AS number and enter ROUTER BGP configuration mode. CONFIGURATION mode router bgp as-number
3. Add a BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group name} remote-as as-number
4. Enable the BGP neighbor. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group-name} no shutdown
5. Add an IPv6 BGP neighbor or peer group in a remote AS. CONFIG-ROUTERBGP mode neighbor {ipv6-address | peer-group name} remote-as as-number
6. Enable the BGP neighbor.
3. Specify the address family as IPv4.
CONFIG-ROUTERBGP mode
address-family ipv4 vrf vrf-name
4. Add an IPv4 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group name} remote-as as-number
5. Enable the BGP neighbor.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group-name} no shutdown
6. Add an IPv6 BGP neighbor or peer group in a remote AS.
Disabling BFD for BGP
You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor returns to normal operation and uses the BFD session parameters globally configured with the bfd all-neighbors command, or configured for the peer group to which the neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
* 2.2.2.3 2.2.2.2 Te 1/2/1 Up 200 200 3 B
* 3.3.3.3 3.3.3.2 Te 1/3/1 Up 200 200 3 B
The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission), RX (packet reception), and multiplier (maximum number of missed packets).
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
1.1.1.2 1 282 281 0 0 0 00:38:12 0
2.2.2.2 1 273 273 0 0 (0) 04:32:26 0
3.3.3.2 1 282 281 0 0 0 00:38:12 0
The following example shows viewing BFD information for a specified neighbor. The bold lines show the message displayed when you enable a BFD session with different configurations:
• Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally.
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, sessions for a particular VRRP group, or a particular VRRP session on an interface, use the following commands.
• Disable all VRRP sessions on an interface.
INTERFACE mode
no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
9 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
Figure 17. BGP Topology with autonomous systems (AS)
BGP version 4 (BGPv4) supports classless interdomain routing (CIDR), aggregate routes, and AS paths. BGP is a path vector protocol: each update carries the path that the routing information has taken as it propagates through the network. Updates that travel through the network and return to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
AS4 Number Representation
Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
• AS numbers larger than 65535 are represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the dotted format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
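The three notations above are easy to confuse in filters and peer definitions: 1.10 and 65546 name the same AS, while 65526 written as 0.65526 is still a 2-byte AS. The following is an added example, not Dell EMC Networking OS code, that converts between asplain, asdot+ and asdot following the rules in the text (and RFC 5396) and normalizes any notation to an integer before comparison; the function names are mine.

```python
"""Convert a BGP AS number between asplain, asdot+ and asdot notations.

Added example (not Dell EMC Networking OS code).  Notation rules follow the
configuration guide text: asdot+ is always <high>.<low>; asdot is asplain
below 65536 and <high>.<low> from 65536 upward.
"""

ASDOT_SPLIT = 65536          # first AS number that needs the <high>.<low> form
MAX_ASN = 4294967295         # largest 4-byte AS number


def _check_range(asn: int) -> None:
    if not 0 <= asn <= MAX_ASN:
        raise ValueError(f"AS number {asn} is outside the 32-bit range")


def to_asplain(asn: int) -> str:
    """Plain decimal, the default display format."""
    _check_range(asn)
    return str(asn)


def to_asdot_plus(asn: int) -> str:
    """asdot+: always <high>.<low>, so 2-byte numbers display as 0.N."""
    _check_range(asn)
    return f"{asn // ASDOT_SPLIT}.{asn % ASDOT_SPLIT}"


def to_asdot(asn: int) -> str:
    """asdot: asplain below 65536, asdot+ at or above it (the mixed form)."""
    _check_range(asn)
    return to_asplain(asn) if asn < ASDOT_SPLIT else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept any of the three notations and return the integer AS number.

    Dotted input is validated half by half, so a typo such as 1.70000 is
    rejected instead of silently mapping to a different AS.
    """
    text = text.strip()
    if "." in text:
        high, low = text.split(".", 1)
        h, lo = int(high), int(low)
        if not (0 <= h <= 65535 and 0 <= lo <= 65535):
            raise ValueError(f"each half of dotted AS number {text!r} must be 0..65535")
        return h * ASDOT_SPLIT + lo
    asn = int(text)
    _check_range(asn)
    return asn


def is_valid_asn(text: str) -> bool:
    """True if text is a well-formed AS number in any of the three notations."""
    try:
        parse_asn(text)
        return True
    except ValueError:
        return False


def same_as(a: str, b: str) -> bool:
    """True when two AS numbers written in any notation denote the same AS.

    Compare operator-supplied values against a displayed remote-as this way,
    because the device may show the neighbor in a different notation.
    """
    return parse_asn(a) == parse_asn(b)


if __name__ == "__main__":
    for asn in (65526, 65546, MAX_ASN):
        print(asn, to_asplain(asn), to_asdot(asn), to_asdot_plus(asn))
```

Normalize with parse_asn before matching an AS against configuration or against an AS-path filter; a string comparison of "1.10" against "65546" fails even though both name the same AS, which is how a filter meant to reject a given AS can silently accept it.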
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
 neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers
You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
State: Description
(Connect, continued): If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent: After a successful OpenSent transition, the router sends an Open message and waits for one in return.
OpenConfirm: After the Open message parameters are agreed between peers, the neighbor relation is established and is in the OpenConfirm state.
mode, Dell EMC Networking OS compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS.
NOTE: The bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command.
c. the paths were received from an IBGP or EBGP neighbor, respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
a. the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
b. the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed here.
11.
Figure 20. BGP Local Preference
Multi-Exit Discriminators (MEDs)
If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators
NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED.
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
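The attributes covered in the preceding sections (LOCAL_PREF, AS path length, ORIGIN, MED, eBGP versus iBGP, and the Router-ID step with bgp bestpath router-id ignore) interact in a fixed order, and the effect of a single attribute change is easier to predict with a comparator in hand. The following is an added example, not Dell EMC Networking OS code: a simplified best-path comparison in the order of the standard BGP decision process. It omits the weight step, multipath-relax and the tie-breaks after Router-ID, and the received_seq field recording arrival order is an assumption of this example.

```python
"""Simplified BGP best-path comparison.

Added example, not Dell EMC Networking OS code.  Steps modelled, in order:
LOCAL_PREF (higher), AS_PATH length (shorter), ORIGIN (IGP < EGP <
INCOMPLETE), MED (lower, only between paths from the same neighbor AS),
eBGP over iBGP, then Router-ID (lowest) or, with router-id ignore, the
path received first.  Weight, multipath-relax and later tie-breaks are
left out; 'received_seq' is an assumed field recording arrival order.
"""

from dataclasses import dataclass
from typing import List, Optional

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}  # lower is preferred


@dataclass
class Path:
    next_hop: str
    as_path: List[int]
    local_pref: int = 100            # higher wins; 100 is the documented default
    origin: str = "IGP"
    med: int = 0                     # lower wins, within one neighbor AS only
    ebgp: bool = True                # learned from an external peer
    router_id: str = "0.0.0.0"       # BGP identifier of the advertising router
    received_seq: int = 0            # arrival order: lower = received earlier


def _ip_key(addr: str):
    """Numeric key so Router-IDs compare as addresses, not as strings."""
    return tuple(int(octet) for octet in addr.split("."))


def _neighbor_as(p: Path) -> Optional[int]:
    return p.as_path[0] if p.as_path else None


def better(a: Path, b: Path, router_id_ignore: bool = False) -> Path:
    """Return the preferred of two paths to the same prefix."""
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only meaningful between paths from the same neighboring AS
    if _neighbor_as(a) == _neighbor_as(b) and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if router_id_ignore and a.router_id != b.router_id:
        # bgp bestpath router-id ignore: keep the path received first, so a
        # newly learned path with a lower Router-ID does not churn the FIB
        return a if a.received_seq < b.received_seq else b
    if a.router_id != b.router_id:
        return a if _ip_key(a.router_id) < _ip_key(b.router_id) else b
    # same Router-ID (same advertising router): the full process continues with
    # cluster-list and neighbor address; arrival order stands in for that here
    return a if a.received_seq < b.received_seq else b


def best_path(paths: List[Path], router_id_ignore: bool = False) -> Path:
    """Reduce a list of candidate paths to the single best path."""
    best = paths[0]
    for candidate in paths[1:]:
        best = better(best, candidate, router_id_ignore)
    return best


if __name__ == "__main__":
    # constructed sample: two external paths that differ only in Router-ID
    first = Path("10.0.0.1", [65001, 65002], router_id="10.0.0.9", received_seq=0)
    second = Path("10.0.0.2", [65001, 65002], router_id="10.0.0.1", received_seq=1)
    print("default       :", best_path([first, second]).next_hop)
    print("router-id ignore:", best_path([first, second], True).next_hop)
```

The last two steps show what bgp bestpath router-id ignore buys: without it, the second path wins on the lower Router-ID and every flap of that peer moves the best path; with it, the path already in use stays best until a higher-ranked attribute changes.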
Example of Viewing AS Paths
DellEMC#show ip bgp paths
Total 30655 Paths
Refcount Metric Path
3 18508 701 3549 19421 i
3 18508 701 7018 14990 i
3 18508 209 4637 1221 9249 9249 i
2 18508 701 17302 i
26 18508 209 22291 i
75 18508 209 3356 2529 i
2 18508 209 1239 19265 i
1 18508 701 2914 4713 17935 i
162 18508 209 i
2 18508 701 19878 ?
31 18508 209 18756 i
2 18508 209 7018 15227 i
10 18508 209 3356 13845 i
3 18508 209 701 6347 7781 i
1 18508 701 3561 9116 21350 i
Next Hop
The next hop is the IP address used to
IPv4 and IPv6 address family
The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family. The default address family configuration is IPv4 unicast. You can configure VRF instances for the IPv4 address family configuration. The IPv6 address family configuration is used for identifying routing sessions for protocols that use IPv6 addresses.
Item: Default
Dampening: reuse = 750; suppress = 2000; max-suppress-time = 60 minutes
Distance: external distance = 20; internal distance = 200; local distance = 200
Timers: keepalive = 60 seconds; holdtime = 180 seconds
Add-path: Disabled
Implement BGP with Dell EMC Networking OS
The following sections describe how to implement BGP on Dell EMC Networking OS.
Ignore Router-ID in Best-Path Calculation
You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence.
AS Number Migration
With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Configuration Information
The software supports BGPv4 as well as the following:
• deterministic multi-exit discriminator (MED) (default)
• a path with a missing MED is treated as worst path and assigned an MED value of (0xffffffff)
• the community format follows RFC 1998
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)
The following are not yet supported:
• auto-summarization (the default is no auto-summary)
• s
CONFIGURATION mode
router bgp as-number
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
2. Add a BGP neighbor or peer and AS number.
NOTE: The show config command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command.
The following example displays two neighbors: one is an external BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP State.
The following example shows the show ip bgp summary command output (4-byte AS number display).
R2#show ip bgp summary
BGP router identifier 1.1.1.1, local 80000
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 40960 bytes of memory
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
20.20.20.1 200 0 0 0 0 0 00:00:00 0
Changing a BGP router ID
BGP uses the configured router ID to identify the devices in the network.
• Enable ASPLAIN AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asplain
NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot+
The following example shows the bgp asnotation asplain command output.
• Enter the router configuration mode and the AS number.
CONFIG mode
router bgp as-number
• Add the IP address of the neighbor for the specified autonomous system.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
• Enable the neighbor.
CONFIG-ROUTERBGP mode
neighbor ip-address | ipv6-address | peer-group-name no shutdown
• Specify the IPv4 address family configuration.
To use your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
Example: Configuring BGP routing between peers
Example of enabling BGP in Router A
Following is an example of enabling the BGP configuration in router A.
RouterA# configure terminal
RouterA(conf)# router bgp 40000
RouterA(conf-router_bgp)# bgp router-id 10.1.1.99
RouterA(conf-router_bgp)# timers bgp 80 130
RouterA(conf-router_bgp)# neighbor 192.
• You must create a peer group first before adding the neighbors to the peer group.
• If you remove any configuration parameters from a peer group, the removal applies to all the neighbors configured under that peer group.
• If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group.
• If you reset any parameter for an individual neighbor, it overrides the value set in the peer group.
• neighbor distribute-list out
• neighbor filter-list out
• neighbor next-hop-self
• neighbor route-map out
• neighbor route-reflector-client
• neighbor send-community
A neighbor may keep its configuration after it was added to a peer group if the neighbor's configuration is more specific than the peer group's and if the neighbor's configuration does not affect outgoing updates.
The following illustration shows the configurations described in the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.
Figure 24. BGP peer group example configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/32
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 10.0.3.33 remote 100
R1(conf-router_bgp)#neighbor 10.0.3.33 no shut
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 10.0.3.33 no shutdown
 neighbor 10.0.3.
R3(conf-if-te-3/21/1)#show config
!
interface TengigabitEthernet 3/21/1
 ip address 10.0.2.3/24
 no shutdown
R3(conf-if-te-3/21/1)#
R3(conf-if-te-3/21/1)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99
R3(conf-router_bgp)#neighbor 10.0.3.31 no shut
R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99
R3(conf-router_bgp)#neighbor 10.0.2.2 no shut
R3(conf-router_bgp)#show config
!
router bgp 100
 neighbor 10.0.3.31 remote 99
 neighbor 10.0.3.
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.
Advanced BGP configuration tasks The following sections describe how to configure the advanced (optional) BGP configuration tasks. Route-refresh and Soft-reconfiguration BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to hard reset of the BGP cache and the time it takes to re-establish the session.
Route-refresh
This section explains how soft-reconfiguration and route-refresh work. Soft-reconfiguration has to be configured explicitly for a neighbor, unlike route refresh, which is automatically negotiated between BGP peers when establishing a peer session. Route-refresh updates are sent only if the neighbor soft-reconfiguration inbound command is not configured for a BGP neighbor and you do a soft reset using the clear ip bgp {neighbor-address | peer-group-name} soft in command.
 neighbor 20.1.1.2 no shutdown
 neighbor 20::2 remote-as 200
 neighbor 20::2 no shutdown
 !
 address-family ipv6 unicast
  redistribute connected
  neighbor 20::2 activate
 exit-address-family
!
DellEMC(conf-router_bgp)#do clear ip bgp 20.1.1.2 soft in
May 8 15:28:11 : BGP: 20.1.1.2 sending ROUTE_REFRESH AFI/SAFI (1/1)
May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56
May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.
Configuring BGP aggregate routes
To create an aggregate route entry in the BGP routing table, use the following commands. The aggregate route is advertised from the autonomous system.
• Enter the router configuration mode and the AS number for the specific BGP routing process.
CONFIG mode
router bgp as-number
• Create an aggregate entry in the BGP routing table.
Following is a sample configuration to suppress the advertisement of specific aggregate routes to all neighbors.
DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0 255.255.255.0 summary-only
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#
Filtering BGP
The following section describes the methods used to filter the updates received from BGP neighbors.
DellEMC(conf-router_bgp)#neigh AAA no shut
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.
1. Create a prefix list and assign it a name.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} {any | ip-prefix [ge | le] }
• ge: minimum prefix length to be matched.
• le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4. Enter ROUTER BGP mode.
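The ge and le keywords define a window of prefix lengths around the listed prefix, and an entry with neither matches only the exact length; the first sequence that matches decides, and a route that matches nothing is denied. The following is an added example, not Dell EMC Networking OS code, that parses entries written in the seq/permit/deny syntax above and evaluates routes against them with those semantics; the sample list and route prefixes are constructed for the example.

```python
"""Evaluate routes against a prefix list with ge/le length windows.

Added example, not Dell EMC Networking OS code.  Semantics modelled:
- the leading prefixlen bits of the route must equal the list prefix;
- no ge/le: exact length only; ge only: ge..32; le only: prefixlen..le;
- entries are tried in sequence order, the first match wins;
- a route matching no entry falls to the implicit deny.
"""

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network

_LINE = re.compile(
    r"^seq\s+(\d+)\s+(permit|deny)\s+(any|\S+)(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?$"
)


@dataclass
class PrefixEntry:
    seq: int
    action: str                    # "permit" or "deny"
    prefix: Optional[Net]          # None stands for "any"
    ge: Optional[int] = None       # minimum prefix length to match
    le: Optional[int] = None       # maximum prefix length to match

    def __post_init__(self) -> None:
        base = self.prefix.prefixlen if self.prefix is not None else 0
        lo = self.ge if self.ge is not None else base
        hi = self.le if self.le is not None else 32
        if not base <= lo <= hi <= 32:
            raise ValueError(f"seq {self.seq}: need prefixlen <= ge <= le <= 32")

    def matches(self, route: Net) -> bool:
        if self.prefix is None:
            return True                          # "any"
        if not route.subnet_of(self.prefix):     # leading bits must agree
            return False
        base = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else base
        if self.le is not None:
            hi = self.le
        elif self.ge is not None:
            hi = 32
        else:
            hi = base                            # neither ge nor le: exact length
        return lo <= route.prefixlen <= hi


def parse_entry(line: str) -> PrefixEntry:
    """Parse one 'seq N {permit|deny} {any|prefix} [ge X] [le Y]' line."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"cannot parse prefix-list line: {line!r}")
    seq, action, pfx, ge, le = m.groups()
    # strict=True rejects a prefix with host bits set instead of silently widening it
    prefix = None if pfx == "any" else Net(pfx, strict=True)
    return PrefixEntry(int(seq), action, prefix,
                       int(ge) if ge else None, int(le) if le else None)


class PrefixList:
    def __init__(self, name: str, lines: List[str]) -> None:
        self.name = name
        self.entries = sorted((parse_entry(l) for l in lines), key=lambda e: e.seq)

    def evaluate(self, route: str) -> str:
        """Return 'permit' or 'deny' for a route; no match is the implicit deny."""
        net = Net(route, strict=True)
        for entry in self.entries:
            if entry.matches(net):
                return entry.action
        return "deny"


# constructed sample list: drop private space, accept one exact /24 and
# limited deaggregates of another
SAMPLE_LIST = PrefixList("inbound-customer", [
    "seq 5 deny 10.0.0.0/8 le 32",
    "seq 10 permit 203.0.113.0/24",
    "seq 15 permit 198.51.100.0/24 ge 25 le 26",
])

if __name__ == "__main__":
    for r in ("10.1.2.0/24", "203.0.113.0/24", "203.0.113.0/25", "198.51.100.128/25"):
        print(r, SAMPLE_LIST.evaluate(r))
```

Run a proposed list through evaluate with the prefixes you expect to accept and the ones you expect to reject before applying it to a neighbor; the two common surprises it exposes are an entry without le that was meant to cover more-specifics, and a permit placed after a broader deny.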
For information about configuring route maps, see Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured route map.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes.
To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
DellEMC(conf)# exit
DellEMC#
In the above example, a BGP neighbor is added to AS 400 and the route map called route2 is applied to inbound routes from the BGP neighbor at 10.10.10.1. The route map route2 is created with a permit clause that matches the route's community attribute against community list 1. Community list 1 permits routes with a community attribute of 100.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
fall-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
'Connection Reset' Sent : 5 Recv: 0
Local host: 20.20.20.2, Local port: 65519
Foreign host: 10.10.10.
neighbor peer-group-name subnet subnet-number mask
The peer group responds to OPEN messages sent on this subnet.
3. Enable the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name no shutdown
4. Create and specify a remote peer for the BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name remote-as as-number
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
The following example configuration shows how to enable BGP graceful restart.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp graceful-restart
DellEMC(conf-router_bgp)# exit
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. You can configure the device to redistribute ISIS, OSPF, static, or directly connected routes into the BGP process using the redistribute command.
1. Allow the advertisement of multiple paths (send, receive or both).
CONFIG-ROUTER-BGP or CONFIG-ROUTER-BGP-AF mode
bgp add-path [both | enable | receive | send] path-count
Configure the following parameters:
• both: Indicate that the system sends and accepts multiple paths from peers.
• enable: Indicate that the system enables add-path support for the node.
• send: Indicate that the system sends multiple paths to peers.
• receive: Indicate that the system accepts multiple paths from peers.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• quote-regexp: then any number of regular expressions. The software applies all regular expressions in the list.
• regexp: then a regular expression.
To view the configuration, use the show config command in CONFIGURATION COMMUNITY-LIST or CONFIGURATION EXTCOMMUNITY LIST mode, or the show ip {community-lists | extcommunity-list} command in EXEC Privilege mode.
deny 14551:112
deny 701:667
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
DellEMC#
Configure BGP attributes
The following sections explain how to configure the BGP attributes such as MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE.
Changing MED Attributes
By default, Dell EMC Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths received from different BGP neighbors or peers from the same AS for the same route.
Configure a community list by denying or permitting specific community numbers or types of community.
• community-number: use AA:NN format where AA is the AS number (2 or 4 Bytes) and NN is a value specific to that autonomous system.
• local-AS: routes with the COMMUNITY attribute of NO_EXPORT_SUBCONFED, which are not sent to EBGP peers.
• no-advertise: routes with the COMMUNITY attribute of NO_ADVERTISE, which are not advertised.
• no-export: routes with the COMMUNITY attribute of NO_EXPORT.
• value: the range is from 0 to 4294967295. The default is 100.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf_router_bgp)# neighbor 10.10.10.1 remote-as 500
DellEMC(conf_router_bgp)# bgp default local-preference 150
DellEMC(conf_router_bgp)# exit
In the above example configuration, the default LOCAL_PREFERENCE value is changed to 150 for all the updates from AS 500 to AS 400. The default value is 100.
• If you do not use the all keyword, the route reflector updates the next hop of only eBGP-learned routes. If you use the all keyword, the route reflector updates the next hop of both eBGP- and iBGP-learned routes.
• Set the next hop address.
CONFIG-ROUTE-MAP mode
set next-hop ip-address
If the set next-hop command is applied on the outbound interface using a route map, it takes precedence over the neighbor next-hop-self command.
Route Reflectors
Route reflectors reorganize the iBGP core into a hierarchy and allow some route advertisement rules.
NOTE: Do not use route reflectors (RRs) in the forwarding path. In iBGP, hierarchical RRs maintaining forwarding plane RRs could create routing loops.
Route reflection divides iBGP peers into two groups: client peers and nonclient peers. A route reflector and its client peers form a route reflection cluster.
When you enter this command for the first time, the router is configured as a route reflector and the specified BGP neighbors are configured as clients in the route reflector cluster. When you remove all clients of a route reflector using the no neighbor route-reflector-client command, the router no longer functions as a route reflector. When you enable a route reflector, Dell EMC Networking OS automatically enables route reflection to all clients.
• suppress: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is greater than the suppress value, the flapping route is no longer advertised (that is, it is suppressed). The default is 2000.
• max-suppress-time: the range is from 1 to 255. The maximum number of minutes a route can be suppressed. The default is four times the half-life value. The default is 60 minutes.
• Clear all information or only information on a specific route.
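The reuse, suppress and max-suppress-time values only make sense together with the penalty decay: a flap adds to the penalty, the penalty halves every half-life, the route is withheld once the penalty exceeds suppress, and it is re-advertised once the penalty decays below reuse. The following is an added example, not Dell EMC Networking OS code, that models that arithmetic with the documented defaults (reuse 750, suppress 2000, max-suppress-time 60 minutes). Two values are assumptions of the example rather than statements from the text: a penalty of 1000 per flap, and a 15-minute half-life (consistent with the text's "max-suppress-time is four times the half-life" and the 60-minute default).

```python
"""Route-flap dampening arithmetic: penalty, decay, suppress and reuse.

Added example, not Dell EMC Networking OS code.  Assumed values: 1000 penalty
per flap and a 15-minute half-life.  Documented defaults from the text:
reuse 750, suppress 2000, max-suppress-time 60 minutes.  Time is in minutes.
"""

import math

FLAP_PENALTY = 1000.0   # assumed penalty added per flap


class DampenedRoute:
    def __init__(self, half_life: float = 15.0, reuse: int = 750,
                 suppress: int = 2000, max_suppress_time: float = 60.0) -> None:
        if not 1 <= suppress <= 20000:
            raise ValueError("suppress must be 1..20000")
        if not 1 <= max_suppress_time <= 255:
            raise ValueError("max-suppress-time must be 1..255 minutes")
        if reuse >= suppress:
            raise ValueError("reuse must be below suppress or a suppressed route is never reused")
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        # penalty ceiling: with this cap a route is always reusable within
        # max-suppress-time, however often it flaps
        self.max_penalty = reuse * 2 ** (max_suppress_time / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now: float) -> None:
        """Apply exponential decay for the time elapsed since the last event."""
        elapsed = now - self.last_update
        self.penalty *= 2 ** (-elapsed / self.half_life)
        self.last_update = now

    def flap(self, now: float) -> bool:
        """Record a flap at time `now`; return True if the route is now suppressed."""
        self._decay_to(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.max_penalty)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def advertisable(self, now: float) -> bool:
        """True if the route may be advertised at time `now`."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed

    def minutes_until_reuse(self) -> float:
        """Minutes from the last event until the penalty decays below reuse."""
        if self.penalty < self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    route = DampenedRoute()
    for t in (0, 1, 2):          # three flaps one minute apart
        print(f"t={t:>2} min  penalty={route.penalty:7.1f}  suppressed={route.flap(t)}")
    print(f"reusable after about {route.minutes_until_reuse():.1f} more minutes")
```

Three flaps a minute apart push the penalty past 2000 and suppress the route for roughly half an hour; the cap of reuse x 2^(max-suppress-time / half-life) is what guarantees the "maximum number of minutes a route can be suppressed" the text describes, so lowering reuse or raising max-suppress-time both lengthen the worst-case outage for a prefix that flaps repeatedly.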
To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode.
Changing BGP keepalive and hold timers
BGP uses timers to control the activity of sending keepalive messages to its neighbors or peers. You can also adjust how long the device waits for a keepalive message from a neighbor before declaring the peer dead. To configure BGP timers, use either or both of the following commands.
CONFIG-ROUTER-BGP mode
neighbors {ip-address | ipv6-address | peer-group-name} timers extended idle-holdtime
• idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.
• Configure idle-holdtime values for all BGP neighbors.
CONFIG-ROUTER-BGP mode
timers bgp extended idle holdtime
• idle-holdtime: the range is from 1 to 32767. Time interval, in seconds, during which the peer remains in idle state. The default is 15 seconds.
ROUTER-BGP Mode
shutdown address-family-ipv6-unicast
When you configure BGP, you must explicitly enable the BGP neighbors using the following commands:
neighbor {ip-address | peer-group name} remote-as as-number
neighbor {ip-address | peer-group-name} no shutdown
For more information on enabling BGP, see Enabling BGP.
confederations appear as one AS. Within the confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands.
• Specify the confederation ID.
CONFIG-ROUTER-BGP mode
bgp confederation identifier as-number
• as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
• Specify which confederation sub-AS are peers.
DellEMC(conf-router_bgpv6_af)# neighbor 50.0.0.2 activate
DellEMC(conf-router_bgp)# exit
Following is the output of the show ip bgp vrf vrf1 summary command for the above configuration.
DellEMC#show ip bgp vrf vrf1 summary
BGP router identifier 1.1.1.1, local AS number 100
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 16384 bytes of memory
Neighbor 50.0.0.
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.1 remote-as 65123
 neighbor 10.10.21.1 filter-list Laura in
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. Dell EMC Networking OS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group. The default is IPv4 Unicast routes.
Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.
DellEMC#show ip bgp ipv6 unicast summary
BGP router identifier 1.1.1.
Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx
20.20.20.2 200 10 20 0 0 0 00:06:11 0
30.30.30.1 20 0 0 0 0 0 00:00:00 0
2001::2 200 40 45 0 0 0 00:03:14 0
The same output is displayed when using the show ip bgp ipv4 unicast summary command.
Following is sample output of the show ip bgp ipv4 multicast summary command.
R1# show ip bgp ipv4 multicast summary
BGP router identifier 1.1.1.
Following is the output of the show ip bgp ipv6 unicast summary command for the above configuration example.
R2#show ip bgp ipv6 unicast summary
BGP router identifier 2.2.2.2, local AS number 200
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
2 neighbor(s) using 24576 bytes of memory
Neighbor 20.20.20.
Following is the show running-config command output for the above configuration.
DellEMC# show running-config bgp
!
router bgp 655
 bgp router-id 1.1.1.1
 neighbor 10.1.1.2 remote-as 20
 neighbor 10.1.1.2 auto-local-address
 neighbor 10.1.1.2 no shutdown
 !
 address-family ipv6 unicast
  neighbor 10.1.1.2 activate
 exit-address-family
!
Example configuration performed in R2
DellEMC# configure terminal
DellEMC(conf)# router bgp 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.
Debugging BGP
To enable BGP debugging, use any of the following commands.
• View all information about BGP, including BGP events, keepalives, notifications, and updates.
EXEC Privilege mode
debug ip bgp [ip-address | peer-group peer-group-name] [in | out]
• View information about BGP routes being dampened.
EXEC Privilege mode
debug ip bgp dampening [in | out]
• View information about local BGP state changes and other BGP events.
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
For address family: IPv4 Unicast
BGP table version 1395, neighbor version 1394
Prefixes accepted 1 (consume 4 bytes), 0 withdrawn by peer
Prefixes advertised 0, rejected 0, 0 withdrawn from peer
Connections established 3; dropped 2
Last reset 00:00:12, due to Missing well known att
10 Content Addressable Memory (CAM)
CAM Allocation
CAM Allocation for Ingress
To allocate space for regions such as L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode. The CAM space is allotted in field processor (FP) blocks. The total space allocated must equal 9 FP blocks. The following table lists the default CAM allocation settings.
You must enter the l2acl, ipv4acl, l2qos, l2pt, ipv4qos, ipv4pbr, vrfv4acl, and fcoe allocations as multiples of 2, and the ipv6acl, openflow, and vman_qos allocations as multiples of 3. The ipv4acl region must also be a multiple of 3 when the ipv4udf option is enabled. All other profile allocations can use either even or odd numbered ranges. For the new settings to take effect, you must save the new CAM settings to the startup-config (write-mem or copy run start) and then reload the system.
View CAM-ACL Settings
The show cam-acl command shows the cam-acl setting that will be loaded after the next reload.
fedgovacl    : 0
nlbclusteracl: 0
-- stack-unit 1 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl        : 2
Ipv4Acl      : 2
Ipv6Acl      : 0
Ipv4Qos      : 2
L2Qos        : 2
L2PT         : 0
IpMacAcl     : 1
VmanQos      : 0
EtsAcl       : 0
FcoeAcl      : 0
ipv4pbr      : 0
vrfv4Acl     : 0
Openflow     : 0
fedgovacl    : 0
nlbclusteracl: 0
View CAM Usage
View the amount of CAM space available, used, and remaining in each partition (including IPv4 and IPv6 Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode. The following
Configuring CAM Threshold and Silence Period This section describes how to configure CAM threshold and silence period between CAM threshold syslog warnings. The CAM threshold and silence period configuration is applicable only for Ingress L2, IPv4, IPv6 and Egress L2, IPv4, and IPv6 ACL CAM groups. For other ACL CAM regions, the CAM threshold and silence period is fixed and the values are 90 percent and 0 respectively.
Old CAM Threshold  New CAM Threshold  Current CAM Usage  Syslog
                                                         cam-usage of Ipv4Acl cam region on stackunit 0 Portpipe 0 Pipeline 0 is below 95%.
98                 100                100                No syslog
95                 80                 10                 No syslog
92                 90                 89                 No syslog
CAM Optimization
When you enable CAM optimization, if a policy map containing classification rules (ACL and/or DSCP/ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used).
Syslog Warning Upon 90 Percent Utilization of CAM
CAM utilization includes both the L3_DEFIP and L3_DEFIP_PAIR_128 table entries to calculate the utilization.
Syslog Warning for Discrepancies Between Configured Extended Prefixes
An error message is displayed if the number of extended prefix entries is different from the configured value during bootup.
IPv6 CAM ACL Region The IPv6 ACL CAM region is triple-wide in the platform. You can change the IPv6 ACL region to be double-wide mode. This results in a better scale of the IPv6 ACL entries. The IPV6 ACL CAM region can also be shared with the IPv4 QOS CAM region. You can partition the CAM as per the sharing requirements and both IPV6 ACLs and IPV4 QOS entries are installed on the same CAM region.
Set either the ipv4qos or ipv6acl option to zero.
3. Use the following command.
   CONFIGURATION mode
   cam-sharing ipv4qos value ipv6acl value
   Enter the value in percentage.
4. Save the running-configuration.
   EXEC Privilege mode
   copy running-config startup-config
5. Reload the system.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits the remaining traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented
Topics:
• Configure Control Plane Policing
Configure Control Plane Policing
The system can process a maximum of 8500 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
2. Create an input policy-map to assign the QoS policy to the desired service queues.
   CONFIGURATION mode
   policy-map-input name cpu-qos
   service-queue queue-number qos-policy name
3. Enter Control Plane mode.
   CONFIGURATION mode
   control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
CPU Queue  Weight  Rate Shape (PPS Rate)  Protocol
7          64      400                    xSTP, LACP, 802DOT1X, TRILL, L2PT, ECFM
8          64      600                    LLDP, PVST, GVRP, FEFD, TRACEFLOW, FCoE
9          64      600                    BGP, OSPF, IPV6-TUNNEL, IPV6-VRRP, RIP, ISIS
10         64      600                    IPV4-VRRP, DHCP
11         64      300                    MLD, PIM, MSDP
Configuring Protocol to CPU Queue Mapping
You can configure the mapping between CPU queues and the protocols that can be assigned to each CPU queue.
Viewing Queue Rates
Example of Viewing Queue Rates
DellEMC#show cpu-queue rate cp
Service-Queue  Rate (PPS)  Burst (Packets)
-------------  ----------  ---------------
Q0             600         512
Q1             1000        50
Q2             300         50
Q3             1300        50
Q4             2000        50
Q5             400         50
Q6             400         50
Q7             400         50
Q8             600         50
Q9             600         50
Q10            600         50
Q11            300         50
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
ICMPV6 RS   any   any   _   Q5    _   _
ICMPV6      any   any   _   Q6    _   _
VRRPV6      any   any   _   Q10   _   _
OSPFV3      any   any   _   Q9    _   _
DellEMC#
12 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
A CNA is a computer input/output device that combines the functionality of a host bus adapter (HBA) with a network interface controller (NIC). Multiple adapters on different devices for several traffic types are no longer required.
The system supports loading two DCB_Config files:
• FCoE converged traffic with priority 3.
In the Dell EMC Networking OS, PFC is implemented as follows:
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only one lossless queue is supported on an interface: one for Fibre Channel over Ethernet (FCoE) converged traffic. Configure the same lossless queues on all ports.
Table 16. ETS Traffic Groupings
Traffic Groupings                             Description
Group ID                                      A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.0 - 15.7 is strict priority group.
Group bandwidth                               Percentage of available bandwidth allocated to a priority group.
Group transmission selection algorithm (TSA)  Type of queue scheduling a priority group uses.
In Dell EMC Networking OS, ETS is implemented as follows:
• ETS supports groups of 802.
Buffer Organization
This section describes the buffer organization on the platform. A single-chip architecture can allocate or share all its resources across all the ports. However, the system runs on a different 2x2 chip design. In this design, all ports are assigned to four port-sets.
The following example shows DCB buffer values after one PFC lossless queue is configured on a port that belongs to ingress pipe 0 [10G speed]:
DellEMC#show dcb
DCB Status: Enabled, PFC Queue Count: 2
Total Buffer: Total available buffer excluding the buffer pre-allocated for guaranteed services like global headroom, queue's min guaranteed buffer and CPU queues.
PFC Total Buffer: Maximum buffer available for lossless queues.
DCB Maps and its Attributes This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. DCB Map: Configuration Procedure A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
Configuring Priority-Based Flow Control Priority-Based Flow Control (PFC) provides a flow control mechanism based on the 802.1p priorities in converged Ethernet traffic received on an interface and is enabled by default when you enable DCB. As an enhancement to the existing Ethernet pause mechanism, PFC stops traffic transmission for specified priorities (Class of Service (CoS) values) without impacting other priority classes. Different traffic types are assigned to different priority classes.
Refer to the following configuration for queue to dot1p mapping:
DellEMC(conf)#do show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
         Queue : 2 0 1 3 4 5 6 7
DellEMC(conf)#
The configuration of no-drop queues provides flexibility for ports on which PFC is not needed but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues. Ingress dot1p traffic from PFC-enabled interfaces is automatically mapped to the no-drop egress queues.
1.
Configuring PFC in a DCB Map
A switch supports the use of a DCB map in which you configure priority-based flow control (PFC) settings. To configure PFC parameters, you must apply a DCB map on an interface.
PFC Configuration Notes
PFC provides flow control based on the 802.1p priorities in converged Ethernet traffic that is received on an interface and is enabled by default when you enable DCB.
• You cannot enable PFC and link-level flow control at the same time on an interface. Applying a DCB Map on a Port When you apply a DCB map with PFC enabled on a switch interface, a memory buffer for PFC-enabled priority traffic is automatically allocated. The buffer size is allocated according to the number of PFC-enabled priorities in the assigned map. To apply a DCB map to an Ethernet port, follow these steps: Table 19.
Table 21. Configuring PFC Asymmetric
Step  Task                                                     Command                           Command Mode
1     Enter interface configuration mode on an Ethernet port.  DellEMC#interface interface-type  CONFIGURATION
2     Enable pfc asymmetric on interface.
The default pause threshold size is 9 KB for all interfaces. This default behavior is impacted if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues. Shared headroom for lossless or PFC packets In switches that require lossless frame delivery, some fixed buffer is set aside to absorb any bursty traffic that arrives after flow control is configured (PFC in this case). This extra buffer space is called the PG headroom.
In the shared headroom feature, the main assumption is that not every PG uses the headroom buffer at the same time. This approach enables the system to save the headroom buffer space that is reserved for every PG to guarantee lossless delivery during traffic bursts. For each PG, you can assign a lower value for the headroom buffer. This headroom buffer is sufficient to guarantee lossless behavior because the buffer is global and is shared among all the lossless queues.
Headroom-Pool  Configured Buffer(KB)  Used Buffer(KB)
----------------------------------------------------------------
HP1            0                      0
DellEMC#
Monitoring Buffer Statistics for Tracking Purposes
Using the buffer statistics tracking feature, you can monitor the peak buffer usage of the head room pool over a specific period of time. This monitoring enables you to optimize the head room pool size based on real-time network traffic data.
!
class-map match-any dscp-pfc-2
 match ip dscp 20-25,30-35
2. Associate the above class-maps to queues. The queue assignment is as below.
   DellEMC(conf)#do show qos dot1p-queue-mapping
   Dot1p Priority : 0 1 2 3 4 5 6 7
            Queue : 1 0 2 3 4 5 6 7
3. Dot1p->Queue Mapping Configuration is retained at the default value.
4. Interface Configurations on server connected ports.
   a. Enable DCB globally.
      DellEMC(conf)#dcb enable
   b. Apply PFC Priority configuration. Configure priorities on which PFC is enabled.
Dell EMC Networking OS Releases 9.3(0.0) and earlier provide CLI support to specify the priorities for which PFC is enabled on each port. This feature is applicable only for the tagged packets based on the incoming packet Dot1p and Dot1p based queue classification. This document will discuss the configurations required to support PFC for untagged packets based on incoming packet DSCP. For the tagged packets, Queue is selected based on the incoming Packet Dot1p.
The packets that come in with packet-dot1p 2 alone will be assigned to PG6 on ingress. The packets that come in with packet-dot1p 2 alone will use Q1 (as per dot1p to Queue classification – Table 2) on the egress port.
• When the peer sends a PFC message for Priority 2, based on the above PRIO2COS table (TABLE 2), Queue 1 is halted. Queue 1 starts buffering the packets with Dot1p 2. This causes the PG6 buffer counter to increase on the ingress, since P-dot1p 2 is mapped to PG6.
priority-pgid dot1p0_group_num dot1p1_group_num ... dot1p7_group_num
Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example:
priority-pgid 0 0 0 1 2 4 4 4
in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
• The configuration of bandwidth allocation and strict-queue scheduling is not supported at the same time for a priority group.
• Bandwidth assignment: By default, equal bandwidth is assigned to each dot1p priority in a priority group. To configure the bandwidth assigned to the port queues associated with dot1p priorities in a priority group, use the bandwidth percentage parameter. The sum of the bandwidth allocated to all priority groups in a DCB map must be 100% of the bandwidth on the link.
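To make the priority-group rules concrete, the following added example (Python, not Dell code) validates the priority-pgid list and the group parameters of a DCB map before it is applied: every dot1p priority gets a group in the range 0 to 7, priorities that share an egress queue must share a group, a group is scheduled either by bandwidth share or by strict priority but not both, and the bandwidth shares must total 100%. The dot1p-to-queue mapping is the one shown in the show qos dot1p-queue-mapping output above; the group parameter dictionary and its shape are constructed for the example.

```python
"""Consistency check for the priority-group part of a DCB map
(added example, not Dell code).

Rules from the guide: priority-pgid lists one group (0-7) per dot1p priority;
priorities that map to the same queue must be in the same priority group;
bandwidth allocation and strict-queue scheduling cannot both be set on a
group; bandwidth shares across the map must add up to 100%.
"""

# dot1p -> queue, as shown by 'show qos dot1p-queue-mapping' in the guide.
DOT1P_TO_QUEUE = {0: 2, 1: 0, 2: 1, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


def parse_priority_pgid(line: str) -> list:
    """'priority-pgid 0 0 0 1 2 4 4 4' -> [0, 0, 0, 1, 2, 4, 4, 4]."""
    tokens = line.split()
    if not tokens or tokens[0] != "priority-pgid":
        raise ValueError("expected a priority-pgid line")
    groups = [int(t) for t in tokens[1:]]
    if len(groups) != 8:
        raise ValueError("priority-pgid needs exactly eight group numbers (dot1p 0-7)")
    return groups


def group_members(pgid: list) -> dict:
    """Invert the list: priority group -> dot1p priorities it contains."""
    members = {}
    for dot1p, pg in enumerate(pgid):
        members.setdefault(pg, []).append(dot1p)
    return members


def validate_dcb_map(pgid: list, groups: dict,
                     dot1p_to_queue: dict = DOT1P_TO_QUEUE) -> list:
    """Return a list of violations (empty means consistent).

    groups has the constructed shape {pg: {"bandwidth": percent}} or
    {pg: {"strict": True}}.
    """
    errors = []
    for dot1p, pg in enumerate(pgid):
        if not 0 <= pg <= 7:
            errors.append(f"dot1p {dot1p}: priority group {pg} outside 0-7")
    # Priorities sharing an egress queue must share a priority group.
    queue_to_pg = {}
    for dot1p, pg in enumerate(pgid):
        q = dot1p_to_queue[dot1p]
        if q in queue_to_pg and queue_to_pg[q] != pg:
            errors.append(f"dot1p {dot1p} shares queue {q} but is in group {pg}, "
                          f"not {queue_to_pg[q]}")
        queue_to_pg.setdefault(q, pg)
    for pg in group_members(pgid):
        if pg not in groups:
            errors.append(f"priority group {pg} is used in priority-pgid but not configured")
    total_bw = 0
    for pg, params in groups.items():
        strict = params.get("strict", False)
        bw = params.get("bandwidth")
        if strict and bw is not None:
            errors.append(f"priority group {pg}: bandwidth and strict scheduling cannot both be set")
        elif not strict and bw is None:
            errors.append(f"priority group {pg}: needs a bandwidth share or strict priority")
        elif not strict:
            total_bw += bw
    if total_bw != 100:
        errors.append(f"bandwidth shares total {total_bw}%, must be 100%")
    return errors


# Constructed group parameters for the guide's example 'priority-pgid 0 0 0 1 2 4 4 4'.
EXAMPLE_GROUPS = {0: {"bandwidth": 45}, 1: {"bandwidth": 5},
                  2: {"strict": True}, 4: {"bandwidth": 50}}

if __name__ == "__main__":
    pgid = parse_priority_pgid("priority-pgid 0 0 0 1 2 4 4 4")
    print(group_members(pgid))
    print(validate_dcb_map(pgid, EXAMPLE_GROUPS) or "DCB map OK")
```

The queue check is the one most easily overlooked when the default dot1p-to-queue mapping has been changed with service-class dynamic dot1p: two priorities that land in one hardware queue cannot be scheduled by different groups.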
Therefore, in this example, scheduling traffic to priority group 1 (mapped to one strict-priority queue) takes precedence over scheduling traffic to priority group 3 (mapped to two strict-priority queues).
with the new parameter values. When an auto-upstream port (besides the configuration source) receives and overwrites its configuration with internally propagated information, one of the following actions is taken:
• If the peer configuration received is compatible with the internally propagated port configuration, the link with the DCBx peer is enabled.
match against the received application priority. Otherwise, these ports use their locally configured PFC priorities in application priority TLVs.
• If no configuration source is configured, auto-upstream and auto-downstream ports check to see that the locally configured PFC priorities match the priorities in a received application priority TLV. On manual ports, an application priority TLV is advertised only if the priorities in the TLV match the PFC priorities configured on the port.
source are marked as willing disabled. The internally propagated DCB configuration is refreshed on all autoconfiguration ports and each port may begin configuration negotiation with a DCBx peer again. Auto-Detection and Manual Configuration of the DCBx Version When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port automatically detects the DCBx version on a peer port. Legacy CEE versions are supported in addition to the standard IEEE version 2.5 DCBx.
DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in the chapter). If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
Configuring DCBx
To configure DCBx, follow these steps. For DCBx, to advertise DCBx TLVs to peers, enable LLDP.
PROTOCOL LLDP mode
[no] advertise DCBx-appln-tlv {fcoe}
• fcoe: enables the advertisement of FCoE in Application Priority TLVs. By default, Application Priority TLVs are enabled to advertise FCoE.
NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv.
To verify the DCBx configuration on a port, use the show interface DCBx detail command.
Configuring DCBx Globally on the Switch
To globally configure the DCBx operation on a switch, follow these steps.
DCBx Error Messages
The following syslog messages appear when an error in DCBx operation occurs.
LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface.
LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface.
DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command                                          Output
show interface port-type ets {summary | detail}  Displays the ETS configuration applied to egress traffic on an interface, including priority groups with priorities and bandwidth allocation. To clear ETS TLV counters, enter the clear ets counters interface port-type slot/port command.
show interface port-type DCBx detail             Displays the DCBx configuration on an interface.
show                                             Displays the PFC configuration applied to ingress traffic, including priorities and link delay.
-------------------------------------
FCOE TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Remote FCOE PriorityMap is 0x8
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts
The following table describes the show interface pfc summary command fields.
Table 26. show interface pfc summary Command Description
Fields     Description
Interface  Interface type and port number.
The following example shows the show interface pfc statistics command.
The following example shows the show interface ets detail command.
Field              Description
Admin mode         ETS mode: on or off.
Admin Parameters   ETS configuration on local port, including priority groups, assigned dot1p priorities, and bandwidth allocation.
Remote Parameters  ETS configuration on remote peer port, including Admin mode (enabled if a valid TLV was received or disabled), priority groups, assigned dot1p priorities, and bandwidth allocation.
The following example shows the show interface DCBx detail command (legacy CEE).
Field                                          Description
Local DCBx Status: DCBx Max Version Supported  Highest DCBx version supported in Control TLVs.
Local DCBx Status: Sequence Number             Sequence number transmitted in Control TLVs.
Local DCBx Status: Acknowledgment Number       Acknowledgement number transmitted in Control TLVs.
Local DCBx Status: Protocol State              Current operational state of DCBx protocol: ACK or IN-SYNC.
Peer DCBx Status: DCBx Operational Version     DCBx version advertised in Control TLVs received from peer device.
dcb pfc-total-buffer-size value The buffer size range is from 0 to 3399. Default is 3088. 3. Configure the number of PFC queues. CONFIGURATION mode dcb enable pfc-queues pfc-queues The number of ports supported based on lossless queues configured depends on the buffer. The default number of PFC queues in the system is two.
Figure 33. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
The following describes the priority group-bandwidth assignment.
Priority Group  Bandwidth Assignment
IPC             5%
SAN             50%
LAN             45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
1. Enabling DCB
   DellEMC(conf)#dcb enable
2.
13 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option                     Number  Description
Router Option              3       Specifies the router IP addresses that may serve as the client’s default gateway.
Domain Name Server Option  6       Specifies the domain name servers (DNSs) that are available to the client.
Domain Name Option         15      Specifies the domain name that clients should use when resolving hostnames via DNS.
IP Address Lease Time      51      Specifies the amount of time that the client is allowed to use an assigned IP address.
DHCP Message Type          53
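The options in the table above are carried on the wire as tag/length/value triples that follow the 4-byte magic cookie in the DHCP options field. The following added example (Python, not Dell code) decodes that field for options 3, 6, 15, 51 and 53 and refuses truncated input instead of reading past the end of the buffer; the sample DHCPOFFER options bytes are constructed here with documentation addresses.

```python
"""Decode the DHCP options field (added example, not Dell code).

The options field is the magic cookie 63 82 53 63 followed by TLVs:
one tag byte, one length byte, then that many value bytes. Tag 0 is a
single pad byte and tag 255 ends the list. Decoded here are the tags
from the table in the guide: 3 router, 6 DNS server, 15 domain name,
51 lease time and 53 message type.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Message-type values from RFC 2132 for the messages named in the guide.
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK"}


def split_options(data: bytes) -> dict:
    """Walk the TLV list into {tag: raw value}; raises on truncated input."""
    if data[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(data):
        tag = data[i]
        if tag == 0:                      # pad byte, no length field
            i += 1
            continue
        if tag == 255:                    # end option
            return opts
        if i + 1 >= len(data):
            raise ValueError(f"option {tag}: length byte missing")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {tag}: value truncated")
        opts[tag] = value
        i += 2 + length
    raise ValueError("option list not terminated by end option (255)")


def _ipv4_list(raw: bytes) -> list:
    if len(raw) % 4:
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def decode_options(data: bytes) -> dict:
    """Return the options from the guide's table in readable form."""
    raw = split_options(data)
    out = {}
    if 53 in raw:
        out["message_type"] = MESSAGE_TYPES.get(raw[53][0], f"type {raw[53][0]}")
    if 3 in raw:
        out["routers"] = _ipv4_list(raw[3])
    if 6 in raw:
        out["dns_servers"] = _ipv4_list(raw[6])
    if 15 in raw:
        out["domain_name"] = raw[15].rstrip(b"\x00").decode("ascii")
    if 51 in raw:
        out["lease_seconds"] = struct.unpack("!I", raw[51])[0]
    return out


def build_option(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


# Constructed DHCPOFFER options: gateway 192.0.2.1, two DNS servers,
# domain example.net, one-day lease.
SAMPLE_OFFER_OPTIONS = (
    MAGIC_COOKIE
    + build_option(53, b"\x02")
    + build_option(3, ipaddress.IPv4Address("192.0.2.1").packed)
    + build_option(6, ipaddress.IPv4Address("192.0.2.53").packed
                   + ipaddress.IPv4Address("192.0.2.54").packed)
    + build_option(15, b"example.net")
    + build_option(51, struct.pack("!I", 86400))
    + b"\xff"
)

if __name__ == "__main__":
    print(decode_options(SAMPLE_OFFER_OPTIONS))
```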
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer. 3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered values. 4.
Configure the System to be a DHCP Server A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient. NOTE: If the management port is associated with any non-default VRF, then the ip address dhcp command does not work. The following table lists the key responsibilities of DHCP servers. Table 29.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell system to be a DHCP server is a three-step process: 1. Configuring the Server for Automatic Address Allocation 2.
dns-server address
Using NetBIOS WINS for Address Resolution
Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1. Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
EXEC Privilege mode. clear ip dhcp binding ip address Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell EMC Networking OS version and a configuration file).
To renew the lease time of the dynamically acquired IP, use the renew dhcp command on an interface already configured with a dynamic IP address. NOTE: To verify the currently configured dynamic IP address on an interface, use the show ip dhcp lease command. The show running-configuration command output only displays ip address dhcp. The currently assigned dynamic IP address does not display. To configure and view an interface as a DHCP client to receive an IP address, use the following commands. 1.
NOTE: Management routes added by the DHCP client include the specific routes to reach a DHCP server in a different subnet and the management route. DHCP Client Operation with Other Features The DHCP client operates with other Dell EMC Networking OS features, as the following describes. Stacking The DHCP client daemon runs only on the master unit and handles all DHCP packet transactions. It periodically synchronizes the lease file with the standby unit.
The following illustration depicts the topology in which routes are leaked between VRFs in the relay agent.
            VRF_1                                  VRF_2
DHCP Server --------------- DHCP relay agent --------------- Client
(10.0.0.1)        (10.0.0.2)           (20.0.0.2)        (20.0.0.4)
Configuring Route Leaking between VRFs on DHCP Relay Agent
To configure route leaking between VRFs on the DHCP relay agent, include configuration similar to the following along with your DHCP relay configuration on your system.
ip prefix-list ip2 seq 5 permit 10.0.0.0/24 Non-default VRF configuration for DHCPv6 helper address The ipv6 helper-address command is enhanced to provide support for configuring VRF for DHCPv6 relay helper address. To forward DHCP packets between DHCP client and server if they are from different VRFs, you should configure route leak using route map between the VRFs. For more information on configuring route leak across VRF, see DHCP Relay when DHCP Server and Client are in Different VRFs.
Interface level DHCP relay source IPv4 or IPv6 configuration
You can configure an interface-specific DHCP relay source IPv4 or IPv6 address. If the DHCP relay source interface is configured at the interface level, the DHCP relay forwards the packets received on these interfaces to the DHCP server using that source interface.
Dell(conf-if-vl-4)# tagged TenGigE 1/4
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Configure Secure DHCP
DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
information about deriving the interface name from interface index, see the section Example of deriving the interface index number.
Remote ID (Option 37)  This identifies the host from which the message is received. Default values: The default value of this option is the MAC address of the relay agent that adds Option 37.
DHCP Snooping
DHCP snooping is a feature that protects networks from spoofing. It acts as a firewall between the DHCP server and DHCP clients.
ip dhcp snooping
2. Specify ports connected to DHCP servers as trusted.
   INTERFACE mode
   INTERFACE PORT EXTENDER mode
   ip dhcp snooping trust
3. Enable DHCP snooping on a VLAN.
   CONFIGURATION mode
   ip dhcp snooping vlan name
Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1. Enable IPv6 DHCP snooping globally.
   CONFIGURATION mode
   ipv6 dhcp snooping
2. Specify ports connected to IPv6 DHCP servers as trusted.
   INTERFACE mode
   ipv6 dhcp snooping trust
3.
clear ipv6 dhcp snooping binding
DellEMC# clear ipv6 dhcp snooping ?
binding   Clear the snooping binding database
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following commands.
• Display the DHCP snooping information.
  EXEC Privilege mode
  show ip dhcp snooping
• Display the contents of the binding table.
  EXEC Privilege mode
  show ip dhcp snooping binding
View the DHCP snooping statistics with the show ip dhcp snooping command.
The following example shows a sample output of the show ip dhcp snooping binding command for a device connected to both the VLT peers. The Po 10 interface is the VLT port channel connected to a ToR switch or an end device.
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address   MAC Address        Expires(Sec)  Type  VLAN    Interface
=========================================================================
10.1.1.10    00:00:a0:00:00:00  39735         S     Vl 200  Po 10
10.1.1.
Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs, while such packets are forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCP release and decline packets are allowed so that the DHCP snooping table can decrease in size.
To view entries in the ARP database, use the show arp inspection database command.
DellEMC#show arp inspection database
Protocol  Address     Age(min)  Hardware Address   Interface  VLAN   CPU
--------------------------------------------------------------------
Internet  10.1.1.251            00:00:4d:57:f2:50  Te 1/2/1   Vl 10  CP
Internet  10.1.1.252            00:00:4d:57:e6:f6  Te 1/1/1   Vl 10  CP
Internet  10.1.1.253            00:00:4d:57:f8:e8  Te 1/3/1   Vl 10  CP
Internet  10.1.1.
Source Address Validation
Using the DHCP binding table, Dell EMC Networking OS can perform three types of source address validation (SAV).
Table 30. Three Types of Source Address Validation
Source Address Validation     Description
IP Source Address Validation  Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
Enabling IP+MAC Source Address Validation IP source address validation (SAV) validates the IP source address of an incoming packet and optionally the VLAN ID of the client against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1. Allocate at least one FP block to the ipmacacl CAM region. CONFIGURATION mode cam-acl l2acl 2.
Clearing the Number of SAV Dropped Packets
To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discard-counters command.
DellEMC>clear ip dhcp snooping source-address-validation discard-counters
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
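The following added example (Python, not Dell code) shows the two validation modes described above applied to a parsed binding table: it reads constructed rows in the show ip dhcp snooping binding format, then accepts or discards constructed packets under IP SAV (source IP, optionally also the VLAN) and under IP+MAC SAV (the IP/MAC pair must appear together in one binding). The Packet tuple and the count_discards helper are constructed for the example and are not switch features.

```python
"""Source address validation against a DHCP snooping binding table
(added example, not Dell code).

IP SAV forwards a packet only if its source IP has a binding (optionally
checking the VLAN as well); IP+MAC SAV requires the source IP and source
MAC to be a legitimate pair, i.e. to appear together in one binding.
"""
import re
from collections import namedtuple

Binding = namedtuple("Binding", "ip mac expires type vlan interface")
Packet = namedtuple("Packet", "src_ip src_mac vlan interface")   # constructed shape

ROW = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<expires>\d+)\s+(?P<type>[SD])\s+Vl\s+(?P<vlan>\d+)\s+(?P<intf>.+?)$",
    re.I)


def parse_binding_table(output: str) -> list:
    """Extract binding rows from show ip dhcp snooping binding output."""
    bindings = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            bindings.append(Binding(m["ip"], m["mac"].lower(), int(m["expires"]),
                                    m["type"].upper(), int(m["vlan"]), m["intf"]))
    return bindings


def ip_sav(pkt: Packet, bindings: list, check_vlan: bool = False) -> bool:
    """IP SAV: the source IP must have a binding (and match its VLAN if requested)."""
    return any(b.ip == pkt.src_ip and (not check_vlan or b.vlan == pkt.vlan)
               for b in bindings)


def ip_mac_sav(pkt: Packet, bindings: list) -> bool:
    """IP+MAC SAV: the IP/MAC pair must appear together in a single binding."""
    return any(b.ip == pkt.src_ip and b.mac == pkt.src_mac.lower() for b in bindings)


def count_discards(packets: list, bindings: list, mode: str = "ip") -> int:
    """Number of packets the chosen SAV mode would drop (the discard counter)."""
    check = ip_sav if mode == "ip" else ip_mac_sav
    return sum(1 for p in packets if not check(p, bindings))


# Constructed output in the format shown in the guide.
SAMPLE_BINDING_OUTPUT = """\
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address   MAC Address        Expires(Sec)  Type  VLAN    Interface
=========================================================================
10.1.1.10    00:00:a0:00:00:00  39735         S     Vl 200  Po 10
10.1.1.11    00:00:a0:00:00:01  86400         D     Vl 200  Po 10
"""

if __name__ == "__main__":
    table = parse_binding_table(SAMPLE_BINDING_OUTPUT)
    legit = Packet("10.1.1.10", "00:00:a0:00:00:00", 200, "Po 10")
    wrong_mac = Packet("10.1.1.10", "00:00:a0:00:00:01", 200, "Po 10")
    print("IP SAV passes wrong MAC:", ip_sav(wrong_mac, table))
    print("IP+MAC SAV passes wrong MAC:", ip_mac_sav(wrong_mac, table))
    print("legit passes IP+MAC SAV:", ip_mac_sav(legit, table))
```

The difference between the modes is visible in the wrong_mac packet: its source IP is in the table, so IP SAV forwards it, while IP+MAC SAV discards it because the pair is not a single binding.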
14 Equal Cost Multi-Path (ECMP) ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command. • Change the ExaScale hash-algorithm for LAG, ECMP, and NH-ECMP to match TeraScale. CONFIGURATION mode.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting. To configure the hash algorithm seed, use the following command. • Specify the hash algorithm seed. CONFIGURATION mode.
ip ecmp-group path-fallback DellEMC(conf)#ip ecmp-group maximum-paths 3 User configuration has been changed. Save the configuration and reload to take effect DellEMC(conf)# Creating an ECMP Group Bundle Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link-bundle (as opposed to a single link within the bundle) exceeds 60%. 1. Create a user-defined ECMP group bundle.
Support for /128 IPv6 and /32 IPv4 Prefixes in Layer 3 Host Table and LPM Table
IPv6 enhancements utilize the capability of the platform to program /128 IPv6 prefixes in the LPM table and /32 IPv4 prefixes in the Host table. The host table also provides ECMP support for destination prefixes in the hardware. The platform uses a hardware chip that supports this behavior and hence can make use of this capability.
15 FIP Snooping The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
Table 31. FIP Functions
FIP Function        Description
FIP VLAN discovery  FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery       FCoE end-devices and FCFs are automatically discovered.
Initialization      FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Maintenance         A valid virtual link between an FCoE device and an FCoE switch is maintained and the LOGO functions properly.
Port-based ACLs - These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs - These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.
Using FIP Snooping
There are four steps to configure FCoE transit.
1. Enable the FCoE transit feature on a switch.
2. Enable FIP snooping globally on all Virtual Local Area Networks (VLANs) or individual VLANs on a FIP snooping bridge.
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 0
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EtsAcl : 1
FcoeAcl : 2
iscsiOptAcl : 2
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
nlbclusteracl: 0
-- stack-unit 1 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl : 2
Ipv4Acl : 0
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 0
L2PT : 0
IpMacAcl : 0
VmanQos : 0
EtsAcl : 1
FcoeAcl : 2
iscsiOptAcl : 2
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
nlbclusteracl: 0
DellEMC(conf)#
Enabling the FCoE Transit Feature
The following
Configure the FC-MAP Value
You can configure the FC-MAP value to be applied globally by the switch on all or individual FCoE VLANs to authorize FCoE traffic. The configured FC-MAP value is used to check the FC-MAP value in the MAC address assigned to ENodes in incoming FCoE frames. If the FC-MAP value does not match, the FCoE frames are dropped. A session between an ENode and an FCF is established by the FIP snooping bridge only when the FC-MAP value on the FCF matches the FC-MAP value on the FIP snooping bridge.
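The FC-MAP check described above, as an added example that is not Dell EMC Networking OS code: an ENode's fabric-provided MAC address carries the 24-bit FC-MAP followed by the 24-bit FC-ID, and the bridge drops FCoE frames whose FC-MAP prefix differs from the value configured globally or for that VLAN. The frame layouts, MAC addresses and VLAN number below are constructed for the example; the EtherType values are the standard FCoE and FIP ones.

```python
"""FC-MAP check on a FIP snooping bridge (added example; not Dell EMC Networking OS code)."""
import struct

ETH_P_8021Q = 0x8100  # 802.1Q VLAN tag
ETH_P_FCOE = 0x8906   # FCoE data frames
ETH_P_FIP = 0x8914    # FCoE Initialization Protocol
DEFAULT_FC_MAP = 0x0EFC00


def build_frame(dst: bytes, src: bytes, vlan: int, ethertype: int, payload: bytes) -> bytes:
    """Build a VLAN-tagged Ethernet frame (constructed test input)."""
    tci = vlan & 0x0FFF  # PCP/DEI left at zero
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, tci, ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, vlan, ethertype, payload); vlan is None for untagged frames."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return dst, src, vlan, ethertype, frame[offset:]


def fc_map_of(mac: bytes) -> int:
    """Upper 24 bits of a fabric-provided MAC address: the FC-MAP."""
    return int.from_bytes(mac[:3], "big")


def fc_id_of(mac: bytes) -> int:
    """Lower 24 bits of a fabric-provided MAC address: the FC-ID assigned by the FCF."""
    return int.from_bytes(mac[3:6], "big")


def fc_map_check(frame: bytes, global_fc_map: int = DEFAULT_FC_MAP, vlan_fc_map=None):
    """Decide what the bridge does with one frame.

    Returns ("forward", fc_id) for FCoE frames whose FC-MAP matches the value
    configured for the frame's VLAN (falling back to the global value),
    ("drop", reason) on mismatch, and ("pass", None) for non-FCoE traffic such
    as FIP, which is handled by the FIP snooping logic rather than this check.
    """
    _dst, src, vlan, ethertype, _payload = parse_frame(frame)
    if ethertype != ETH_P_FCOE:
        return ("pass", None)
    expected = (vlan_fc_map or {}).get(vlan, global_fc_map)
    actual = fc_map_of(src)
    if actual != expected:
        return ("drop", f"FC-MAP {actual:06x} does not match configured {expected:06x}")
    return ("forward", fc_id_of(src))


# Constructed sample addresses: an FCF MAC and two ENode fabric-provided MACs.
FCF_MAC = bytes.fromhex("001122334455")
ENODE_GOOD = bytes.fromhex("0efc00010203")  # FC-MAP 0e:fc:00, FC-ID 01:02:03
ENODE_BAD = bytes.fromhex("0efc01010203")   # FC-MAP 0e:fc:01, a different fabric
FCOE_VLAN = 1002
FCOE_FRAME_OK = build_frame(FCF_MAC, ENODE_GOOD, FCOE_VLAN, ETH_P_FCOE, b"\x00" * 32)
FCOE_FRAME_BAD = build_frame(FCF_MAC, ENODE_BAD, FCOE_VLAN, ETH_P_FCOE, b"\x00" * 32)
FIP_FRAME = build_frame(FCF_MAC, ENODE_BAD, FCOE_VLAN, ETH_P_FIP, b"\x00" * 32)

if __name__ == "__main__":
    for name, f in [("ok", FCOE_FRAME_OK), ("bad", FCOE_FRAME_BAD), ("fip", FIP_FRAME)]:
        print(name, fc_map_check(f))
```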
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
• When FCoE is configured on fanned-out ports or unusable 100G ports, traffic outage occurs for about 45 seconds.
Configuring FIP Snooping
You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN. By default, FIP snooping is disabled. To enable FCoE transit on the switch and configure the FCoE transit parameters on ports, follow these steps.
1.
Command - Output
show fip-snooping vlan - Displays information on the FCoE VLANs on which FIP snooping is enabled.
The following example shows the show fip-snooping sessions command.
Field - Description
ENode Interface - Slot/port number of the interface connected to the ENode.
FCF MAC - MAC address of the FCF.
VLAN - VLAN ID number used by the session.
FC-ID - Fibre Channel session ID assigned by the FCF.
The following example shows the show fip-snooping fcf command.
DellEMC# show fip-snooping fcf
FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No.
Number of Enode Keep Alive :4416
Number of VN Port Keep Alive :3136
Number of Multicast Discovery Advertisement :0
Number of Unicast Discovery Advertisement :0
Number of FLOGI Accepts :0
Number of FLOGI Rejects :0
Number of FDISC Accepts :0
Number of FDISC Rejects :0
Number of FLOGO Accepts :0
Number of FLOGO Rejects :0
Number of CVL :0
Number of FCF Discovery Timeouts :0
Number of VN Port Session Timeouts :0
Number of Session failures due to Hardware Config :0
The following example shows the show fip-s
Field - Description
Number of Multicast Discovery Advertisements - Number of FIP-snooped multicast discovery advertisements received on the interface.
Number of Unicast Discovery Advertisements - Number of FIP-snooped unicast discovery advertisements received on the interface.
Number of FLOGI Accepts - Number of FIP FLOGI accept frames received on the interface.
Number of FLOGI Rejects - Number of FIP FLOGI reject frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 38. Configuration Example: FIP Snooping on a Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
DellEMC(conf-if-te-1/1/1)# protocol lldp
DellEMC(conf-if-te-1/1/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
16 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• Configuring Fast Boot and LACP Fast Switchover
• Optimizing the Boot Time
• Interoperation of Applications with Fast Boot and System States
• RDMA Over Converged Ethernet (RoCE) Overview
• Preserving 802.
To delete the configured flex hash setting, use the no version of the command.
Configuring Fast Boot and LACP Fast Switchover
Configure the optimized booting time functionality by performing the following steps.
1. Enable the system to restart with optimized booting-time functionality enabled.
CONFIGURATION mode
DellEMC(conf)#reload-type fastboot
2. Configure fast boot on a port-channel on both the nodes that are members of a port-channel in order to enable the physical ports to be aggregated faster.
3. Before performing the planned reload, we recommend increasing the IPv6 Neighbor Discovery (ND) reachable timer to 300 seconds or longer on the adjacent devices, to prevent the ND cache entries from becoming stale and being removed while the ToR goes through a CPU reset. You can restore this timer to its prior value after the ToR has completed its planned reload.
4.
• The system saves all the dynamic ND cache entries to a database on the flash card.
Changes to BGP Multipath When the system becomes active after a fast-boot restart, a change has been made to the BGP multipath and ECMP behavior. The system delays the computation and installation of additional paths to a destination into the BGP routing information base (RIB) and forwarding table for a certain period of time.
To provide lossless service for RRoCE, the QoS service policy must be configured in the ingress and egress directions on lite subinterfaces.
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
This functionality is supported on the platform. All frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard, which determines the VLAN to which the frames or traffic belong. Such frames are encapsulated with 802.1Q tags.
17 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or a large campus. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the location of the failed node) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
Figure 39. Example of Multiple Rings Connected by Single Switch
Important FRRP Points
FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Concept - Explanation
Ring ID - Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN - Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHF, and cannot be used for any other purpose.
• Each ring has only one Master node; all others are transit nodes.
FRRP Configuration
These are the tasks to configure FRRP.
• For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
• For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring.
CONFIG-FRRP mode.
• For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
• For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
• For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
• VLAN ID: Identification number of the Control VLAN.
4. Configure a Transit node.
EXEC or EXEC PRIVILEGE mode.
show frrp ring-id
• Ring ID: the range is from 1 to 255.
Show the state of all FRRP groups.
EXEC or EXEC PRIVILEGE mode.
show frrp summary
Ring ID: the range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
!
interface TenGigabitEthernet 1/11/1
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged TenGigabitEthernet 1/14/1,11/1
no shutdown
!
interface Vlan 201
no ip address
tagged TenGigabitEthernet 1/14/1,11/1
no shutdown
!
protocol frrp 101
interface primary TenGigabitEthernet 1/14/1 secondary TenGigabitEthernet 1/11/1 controlvlan 101
member-vlan 201
mode transit
no disable
Example of R3 TRANSIT
interface TenGigabitEthernet 1/14/1
no ip address
switchport
no shutdown
!
interface TenG
Figure 40. FRRP Ring Connecting VLT Devices
You can also configure an FRRP ring where both VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or per-VLAN-group basis, enabling the configuration to span different sets of VLANs.
multiple member VLANs are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1). The VLTi is implicitly tagged to the member VLANs when these VLANs are configured on the VLT peer. As a result of the VLT Node2 configuration on R2, the secondary interface P2 is blocked for the member VLANs (M11 to Mn). The following figure illustrates the FRRP Ring R1 topology:
Figure 41.
18 GARP VLAN Registration Protocol (GVRP)
The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Figure 42. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
• Configure GVRP Registration
• Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch.
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
• Leave — When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is de-registered. The Leave timer must be greater than or equal to 3x the Join timer. The Dell EMC Networking OS default is 600ms.
• LeaveAll — After startup, a GARP device globally starts a LeaveAll timer.
19 Internet Group Management Protocol (IGMP)
Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 43. IGMP Messages in IP Packets
Join a Multicast Group
There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier.
Responding to an IGMP Query
The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
• An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts so the request is recorded. Figure 46.
Figure 47. Membership Queries: Leaving and Staying
Configure IGMP
Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• View IGMP-enabled IPv4 interfaces.
EXEC Privilege mode
show ip igmp interface
• View IGMP-enabled IPv6 interfaces.
EXEC Privilege mode
show ipv6 mld interface
DellEMC#show ip igmp interface
TenGigabitEthernet 1/10/1
Inbound IGMP access group is not set
Internet address is 165.87.34.
Viewing IGMP Groups
To view both learned and statically configured IGMP groups, use the following command.
• View both learned and statically configured IGMP groups.
EXEC Privilege mode
show ip igmp groups
show ipv6 mld groups
DellEMC#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address Interface
225.1.1.1 TenGigabitEthernet 1/1/1
225.1.2.
Interface mode
ipv6 mld query-max-response-time
• Adjust the last member query interval.
INTERFACE mode
ip igmp last-member-query-interval
• Adjust the amount of time the querier waits, for the initial query response, before sending the next IPv6 query.
Interface mode
ipv6 mld last-member-query-interval
Enabling IGMP Immediate-Leave
If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value).
CONFIGURATION mode
show running-config
• Disable snooping on a VLAN.
show ip igmp snooping mrouter
Configuring the Switch as Querier
Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
To configure the switch as a querier, use the following command.
Traffic (switch initiated management traffic or responses to switch-destined traffic with management port IP address as the source IP address) for user-specified management protocols must exit out of the management port. In this chapter, all the references to traffic indicate switch-initiated traffic and responses to switch-destined traffic with management port IP address as the source IP address.
Enabling and Disabling Management Egress Interface Selection
You can enable or disable egress-interface-selection using the management egress-interface-selection command.
NOTE: Egress Interface Selection (EIS) works only with IPv4 routing.
When the feature is enabled using the management egress-interface-selection command, the following events are performed:
• The CLI prompt changes to the EIS mode.
• The TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call, which is called as part of the connect system call or in the ip_output function.
• If the destination TCP/UDP port number belongs to a configured management application, then sin_port of the destination sockaddr structure is set to Management EIS ID 2 so that the route lookup can be done in the management EIS routing table.
Handling of Transit Traffic (Traffic Separation)
This is forwarded traffic whose destination IP is not an IP address configured on the switch.
• Packets received on the management port with a destination on the front-end port are dropped.
• Packets received on the front-end port with a destination on the management port are dropped.
• A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
2. Non-Management Applications (applications that are not configured as management applications as defined by this feature): Non-management application traffic exits through either the front-end data port or the management port based on the routing table. If there is a default route on both the management port and the front-end data port, the data port's default route is preferred.
EIS behavior for ICMP: ICMP packets do not have TCP/UDP ports. In this case, to perform an EIS route lookup for ICMP-based applications (ping and traceroute), you must configure ICMP as a management application. If the management port is down or the route lookup fails, packets are dropped. If the source IP address does not match the management port IP address, the route lookup is done in the default routing table.
20 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10-Gigabit, 25-Gigabit, 40-Gigabit, 50-Gigabit, and 100-Gigabit QSFP28 interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell optics for 40-Gigabit, 25-Gigabit, 50-Gigabit, and 100-Gigabit are set to the error-disabled state.
• Splitting 100G Ports
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Configuring wavelength for 10-Gigabit SFP+ optics
• Port-Pipes
• CR4 Auto-Negotiation
• Setting the Speed of Ethernet Interfaces
• Syslog Warning Upon Connecting SFP28 Optics with QSA
• FEC Configuration
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globally
• Dynamic Counters
• Enhanced Validation of Interface Ranges
Hardware is DellEth, address is 4c:76:25:e5:49:42
Current address is 4c:76:25:e5:49:42
Pluggable media present, QSFP28 type is 100GBASE-CR4-1M
Wavelength is 38nm
Interface index is 2099716
Internet address is 10.10.10.
no ip address
shutdown
View interface information with FEC type
The show interfaces output for 25G/50G/100G interfaces shows the FEC types and codes for better understanding, if FEC is enabled on that particular interface. The following example shows the configuration and status information for one interface.
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 runts, 0 giants, 0 throttles
0 CRC, 0 overrun, 0 discarded
0 FEC corrected blocks, 0 FEC uncorrected blocks
Output Statistics:
0 packets, 0 bytes, 0 underruns
0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
0 Multicasts, 0 Broadcasts, 0 Unicasts
0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
Input 00.00 Mbits/sec, 0 packets/sec, 0.
mac learning-limit 10 no-station-move
no shutdown
2. Reset an interface to its factory default state.
CONFIGURATION mode
default interface interface-type
DellEMC(conf)#default interface tengigabitethernet 1/5/1
3. Verify the configuration.
INTERFACE mode
show config
DellEMC(conf-if-te-1/5/1)#show config
!
interface TenGigabitEthernet 1/5/1
no ip address
shutdown
All the applied configurations are removed and the interface is set to the factory default state.
• Configuring Layer 2 (Data Link) Mode
• Configuring Layer 2 (Interface) Mode
• Management Interfaces
• Clearing Interface Counters
Overview of Layer Modes
On all systems running Dell EMC Networking OS, you can place physical interfaces, port channels, and VLANs in Layer 2 mode or Layer 3 mode. By default, VLANs are in Layer 2 mode.
Table 43.
switchport
To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.
Configuring Layer 3 (Network) Mode
When you assign an IP address to a physical interface, you place it in Layer 3 mode. To enable Layer 3 mode on an individual interface, use the following commands. In all interface types except VLANs, the shutdown command prevents all traffic from passing through the interface.
Proxy ARP is enabled
Split Horizon is enabled
Poison Reverse is disabled
ICMP redirects are not sent
ICMP unreachables are not sent
IP unicast RPF check is not supported
Automatic recovery of an Err-disabled interface
The Dell EMC Networking OS attempts to recover the interface from the Err-disabled state automatically based on the cause of the error.
Whenever the Err-disable recovery timer is reconfigured, the new value takes effect only after the current timer expires. The following message is displayed after each Err-disable recovery timer configuration:
DellEMC(conf)# errdisable recovery interval 30
New timer interval will be effective from the next timer instance only.
The following are sample steps to configure the recovery cause and the timer interval for automatic recovery of an interface.
Management Interfaces The system supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system. Configuring Management Interfaces The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Gateway of last resort is 10.11.131.254 to network 0.0.0.0
Destination Gateway Dist/Metric Last Change
----------- ------- ----------- -----------
*S 0.0.0.0/0 via 10.11.131.254, Te 1/1/1 1/0 1d2h
C 10.11.130.0/23 Direct, Te 1/1/1 0/0 1d2h
DellEMC#
VLAN Interfaces
VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information about VLANs and Layer 2, see Layer 2 and Virtual LANs (VLANs).
• Delete a Loopback interface.
CONFIGURATION mode
no interface loopback number
Many of the commands supported on physical interfaces are also supported on a Loopback interface.
Null Interfaces
The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command.
• Enter INTERFACE mode of the Null interface.
Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads. A physical interface can belong to only one port channel at a time. Each port channel must contain interfaces of the same interface type/speed. Port channels can contain a mix of 1G/10G/25G/40G/50G/100G.
Adding a Physical Interface to a Port Channel The physical interfaces in a port channel can be on any line card in the chassis, but must be the same physical type. NOTE: Port channels can contain a mix of Ethernet interfaces, but Dell EMC Networking OS disables the interfaces that are not the same speed of the first channel member in the port channel (refer to 10/100/1000 Mbps Interfaces in Port Channels). You can add any physical interface to a port channel if the interface configuration is minimal.
42 CRC, 0 IP Checksum, 0 overrun, 0 discarded
2456590833 packets output, 203958235255 bytes, 0 underruns
Output 1640 Multicasts, 56612 Broadcasts, 2456532581 Unicasts
2456590654 IP Packets, 0 Vlans, 0 MPLS
0 throttles, 0 discarded
Rate info (interval 5 minutes):
Input 00.01Mbits/sec, 2 packets/sec
Output 81.
channel-member TenGigabitEthernet 1/8/1
shutdown
DellEMC(conf-if-po-3)#
Configuring the Minimum Oper Up Links in a Port Channel
You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command.
• Enter the number of links in a LAG that must be in “oper up” status.
INTERFACE mode
minimum-links number
The default is 1.
EXEC mode
DellEMC(conf)# interface tengigabitethernet 1/1/1
DellEMC(conf-if-te-1/1/1)#switchport
DellEMC(conf-if-te-1/1/1)# vlan tagged 2-5,100,4010
DellEMC#show interfaces switchport te 1/1/1
Codes: U - Untagged, T - Tagged
x - Dot1x untagged, X - Dot1x tagged
G - GVRP tagged, M - Trunk, H - VSN tagged
i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
Name: TenGigabitEthernet 1/1/1
802.
Load-Balancing Method By default, LAG hashing uses the source IP, destination IP, source transmission control protocol (TCP)/user datagram protocol (UDP) port, and destination TCP/UDP port for hash computation. For packets without a Layer 3 header, Dell EMC Networking OS automatically uses load-balance mac source-dest-mac. Do not configure IP hashing or MAC hashing at the same time.
• crc16 — uses 16 bit CRC16-bisync polynomial
• crc16cc — uses 16 bit CRC16 using CRC16-CCITT polynomial
• crc32LSB — uses LSB 16 bits of computed CRC32
• crc32MSB — uses MSB 16 bits of computed CRC32 (default)
• crc-upper — uses the upper 32 bits of the hash key to compute the egress port.
• dest-ip — uses destination IP address as part of the hash key.
• lsb — uses the least significant bit of the hash key to compute the egress port.
Create a Single-Range
The following is an example of a single range.
Example of the interface range Command (Single Range)
DellEMC(config)# interface range tengigabitethernet 1/1/1 - 1/2/3
DellEMC(config-if-range-te-1/1/1-1/2/3)# no shutdown
DellEMC(config-if-range-te-1/1/1-1/2/3)#
DellEMC(config)# interface range hundredGigE 1/1-1/8
DellEMC(config-if-range-te-1/1-1/8)# no shutdown
DellEMC(config-if-range-te-1/1-1/8)#
Create a Multiple-Range
The following is an example of a multiple range.
Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
• For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
• For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
• For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
EXEC Privilege mode
tdr-cable-test tengigabitethernet slot/port/subport
Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message.
2. Display TDR test results.
EXEC Privilege mode
show tdr tengigabitethernet slot/port/subport
Non Dell-Qualified Transceivers
The system supports Dell-qualified transceivers and only some of the non Dell-qualified transceivers.
• Split a 100G port into two 50G ports.
CONFIGURATION Mode
stack-unit stack-unit-number port number portmode dual speed 50G
• stack-unit-number: enter the stack member unit identifier of the stack member to reset.
• number: enter the port number of the 100G port to be split. The range is from 1 to 32.
• Split a 100G port into four 25G ports.
Important Points to Remember
• Link dampening is not supported on VLAN interfaces.
• Link dampening is disabled when the interface is configured for port monitoring.
• You can apply link dampening to Layer 2 and Layer 3 interfaces.
• You can configure link dampening on individual interfaces in a LAG.
Configuration Example of Link Dampening
The figure shows how link dampening works in a sample scenario when an interface is configured with dampening.
Figure 48. Interface State Change
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty (1024) is added. In the above example, during the first interface flap (flap 1), a penalty of 1024 is added. The accumulated penalty then decays exponentially based on the configured half-life, which is set to 10 seconds in the above example. During the second interface flap (flap 2), the penalty (1024) is accumulated again.
Enabling Link Dampening
To enable link dampening, use the following command.
• Enable link dampening.
INTERFACE mode
dampening
To view the link dampening configuration on an interface, use the show config command.
R1(conf-if-te-1/1/1)#show config
!
interface TenGigabitEthernet 1/1/1
ip address 10.10.19.1/24
dampening 1 2 3 4
no shutdown
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
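The penalty accumulation and decay described in the configuration example, as an added model that is not part of this guide or of Dell EMC Networking OS. The only values taken from the page are the per-flap penalty of 1024 and the 10-second half-life; the reuse and suppress thresholds, the max-suppress-time, the flap times and the mapping of these four parameters onto the positional arguments of the dampening command are assumptions of this example.

```python
"""Link dampening penalty model (added example; not Dell EMC Networking OS code).

Every down transition adds a penalty of 1024 and the accumulated penalty decays
exponentially with the configured half-life. The four knobs below follow the usual
flap-dampening model (half-life, reuse threshold, suppress threshold,
max-suppress-time); their order in the `dampening` command is an assumption.
"""
import math
from dataclasses import dataclass, field

FLAP_PENALTY = 1024  # penalty added on every down transition


@dataclass
class LinkDampening:
    half_life: float          # seconds in which the penalty halves
    reuse: float              # a suppressed interface is released when penalty < reuse
    suppress: float           # the interface is suppressed when penalty >= suppress
    max_suppress_time: float  # seconds; upper bound on continuous suppression
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False
    log: list = field(default_factory=list)  # (time, event, penalty) transitions

    def _ceiling(self) -> float:
        # Largest penalty from which decay back to `reuse` takes exactly
        # max_suppress_time; capping at it bounds the suppression period.
        return self.reuse * 2.0 ** (self.max_suppress_time / self.half_life)

    def _advance(self, now: float) -> None:
        """Decay the penalty to time `now` and release the interface if due."""
        elapsed = now - self.last_update
        if elapsed < 0:
            raise ValueError("time must not go backwards")
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
            self.log.append((now, "released", round(self.penalty, 1)))

    def flap(self, now: float) -> float:
        """Record a down transition at time `now`; returns the new penalty."""
        self._advance(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self._ceiling())
        if not self.suppressed and self.penalty >= self.suppress:
            self.suppressed = True
            self.log.append((now, "suppressed", round(self.penalty, 1)))
        return self.penalty

    def penalty_at(self, now: float) -> float:
        self._advance(now)
        return self.penalty

    def is_suppressed(self, now: float) -> bool:
        self._advance(now)
        return self.suppressed


def release_time(penalty: float, reuse: float, half_life: float) -> float:
    """Seconds until `penalty` decays below `reuse` (0 if it already is)."""
    if penalty < reuse:
        return 0.0
    return half_life * math.log2(penalty / reuse)


if __name__ == "__main__":
    # Constructed scenario: half-life 10 s as in the figure, flaps at t=0 s and t=5 s.
    d = LinkDampening(half_life=10, reuse=750, suppress=1500, max_suppress_time=60)
    for t in (0, 5):
        print(f"t={t:>3}s flap -> penalty {d.flap(t):.1f} suppressed={d.suppressed}")
    for t in (10, 17, 18, 30):
        print(f"t={t:>3}s penalty {d.penalty_at(t):.1f} suppressed={d.suppressed}")
    print(d.log)
```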
Configure MTU Size on an Interface
In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Transmission Media - MTU Range (in bytes)
Ethernet - 594-12000 = link MTU; 576-9234 = IP MTU
Link Bundle Monitoring
Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time.
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off.
INTERFACE mode.
flowcontrol rx [off | on] tx [off | on] [monitor session-ID]
Where:
rx on: Processes the received flow control frames on this port.
rx off: Ignores the received flow control frames on this port.
tx on: Sends control frames from this port to the connected device when a higher rate of traffic is received.
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members. For example, if the members have a link MTU of 2100 and an IP MTU 2000, the port channel’s MTU values cannot be higher than 2100 for link MTU or 2000 bytes for IP MTU.
DellEMC(conf-if-hu-1/1)#no intf-type cr4 autoneg
DellEMC(conf-if-hu-1/1)#show config
!
interface hundredGigE 1/1
no ip address
shutdown
no intf-type cr4 autoneg
Important Points to Remember
• For 10-Gigabit Ethernet interfaces, CR4 auto-negotiation is not applicable.
• For 100-Gigabit Ethernet interfaces, CR4 auto-negotiation is enabled by default.
• For 40-Gigabit, 25-Gigabit and 50-Gigabit Ethernet interfaces, CR4 auto-negotiation is disabled by default.
Te 1/2/4   Up     10000 Mbit   Full   2-5
Fo 1/3     Down   40000 Mbit   Auto   ----
Fo 1/4     Down   40000 Mbit   Auto
Fo 1/5     Down   Auto Mbit    Auto
[output omitted]
In the previous example, several ports display "Auto" in the Speed field. In the following example, the speed of port 1/1 is set to 100Mb and then its auto-negotiation is disabled.
example for the fec enable command for a 100G interface.
DellEMC(conf-if-hu-1/1)#fec enable
DellEMC(conf-if-hu-1/1)#show config
!
interface hundredGigE 1/1
 no ip address
 shutdown
 intf-type cr4 autoneg
 fec enable
Important Points to Remember
• For 10-Gigabit and 40-Gigabit Ethernet interfaces, FEC configurations are not applicable.
• For 100-Gigabit Ethernet interfaces, CR4 auto-negotiation is enabled by default.
• You can enable or disable FEC and auto-negotiation independently of each other.
The following example lists the possible show commands that have the configured keyword available:
DellEMC#show interfaces configured
DellEMC#show interfaces stack-unit 1 configured
DellEMC#show interfaces tengigabitEthernet 1 configured
DellEMC#show interfaces fortyGigE 1 configured
DellEMC#show ip interface configured
DellEMC#show ip interface stack-unit 1 configured
DellEMC#show ip interface tengigabitEthernet 1 c
NOTE: If you enable more than four counter-dependent applications on a port pipe, there is an impact on line rate performance.
The following counter-dependent applications are supported by Dell EMC Networking OS:
• Egress VLAN
• Ingress VLAN
• Next Hop 2
• Next Hop 1
• Egress ACLs
• ILM
• IP FLOW
• IP ACL
• IP FIB
• L2 ACL
• L2 FIB
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command.
Compressing Configuration Files
You can optimize and reduce the size of the configuration files. You can compress the running configuration by grouping all the VLANs and the physical interfaces that share the same properties. The operating configuration can be stored to the startup configuration in compressed mode, and an image downgrade can be performed without any configuration loss. You can create groups of VLANs using the interface group command.
Uncompressed
!
interface Vlan 2
 no ip address
 no shutdown
!
interface Vlan 3
 tagged te 1/1/1
 no ip address
 shutdown
!
interface Vlan 4
 tagged te 1/1/1
 no ip address
 shutdown
!
interface Vlan 5
 tagged te 1/1/1
 no ip address
 shutdown
!
interface Vlan 100
 no ip address
 no shutdown
!
interface Vlan 1000
 ip address 1.1.1.
Compressed
Compressed config size – 27 lines.
OUI on 25G and 50G Interfaces
When you connect the system to another device using a 25G or 50G interface, the organizationally unique identifier (OUI) of the local interface must match the OUI of the peer interface for autonegotiation to work correctly. You can set the OUI of the local interface manually using the oui command. This command is only available on 25G and 50G interfaces.
21 IPv4 Routing
The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
ip address ip-address mask [secondary]
• ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
• secondary: add the keyword secondary if the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
Dell EMC Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface. Dell EMC Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
• When the interface goes down, Dell EMC Networking OS withdraws the route.
• When the interface comes up, Dell EMC Networking OS re-installs the route.
Packet handling during MTU mismatch
When you configure the MTU size on an interface, ensure that the MTU size of both the ingress and egress interfaces is set to the same value for IPv4 traffic to work correctly. If there is an MTU mismatch between the ingress and egress interface, there may be high CPU usage. If the egress interface MTU size is smaller than that of the ingress interface, packets may get fragmented.
Enabling Directed Broadcast
By default, Dell EMC Networking OS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable Dell EMC Networking OS to receive directed broadcasts, use the following command.
• Enable directed broadcast.
  INTERFACE mode
  ip directed-broadcast
To view the configuration, use the show config command in INTERFACE mode.
Specifying the Local System Domain and a List of Domains
If you enter a partial domain, Dell EMC Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell EMC Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP
Dell EMC Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables end stations to learn the MAC addresses of neighbors on an IP network. Over time, Dell EMC Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP addresses. This table is called the ARP cache, and dynamically learned addresses are removed from it after a defined period of time.
To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output.
Clearing ARP Cache
To clear the ARP cache of dynamically learnt ARP information, use the following command.
• Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
Figure 49. ARP Learning via ARP Request
Beginning with Dell EMC Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry, for all received ARP requests.
Figure 50. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled
Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
ICMP
For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic.
Configuration Tasks for ICMP
The following lists the configuration tasks for ICMP.
Figure 51. ICMP Redirect
Host H is connected to the same Ethernet segment as SW1 and SW2. SW1 and SW2 are multi-layer switches which can route packets. The default gateway of Host H is configured as SW1. Although the best route to the remote branch office host may be through SW2, Host H sends a packet destined for Host R to its default gateway — SW1.
• If the UDP port list contains ports 67 or 68, UDP broadcast traffic is forwarded on those ports.
Enabling UDP Helper
To enable UDP helper, use the following command.
• Enable UDP helper.
  ip udp-helper udp-ports
To view the interfaces and ports on which you enabled UDP helper, use the show ip udp-helper command from EXEC Privilege mode.
UDP Helper with Broadcast-All Addresses
When the destination IP address of an incoming packet is the IP broadcast address, Dell EMC Networking OS rewrites the address to match the configured broadcast address. In the following illustration:
1. Packet 1 is dropped at ingress if you did not configure a UDP helper address.
2.
UDP Helper with Configured Broadcast Addresses
Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101. If you enabled UDP helper and the UDP port number matches, the packet is flooded on both VLANs with an unchanged destination address. Packet 2 is sent from a host on VLAN 101.
2017-08-05 11:59:35 %RELAY-I-BOOTREQUEST, Forwarded BOOTREQUEST for 00:02:2D:8D:46:DC to 137.138.17.6
2017-08-05 11:59:36 %RELAY-I-PACKET, BOOTP REPLY (Unicast) received at interface 194.12.129.98 BOOTP Reply, XID = 0x9265f901, secs = 0 hwaddr = 00:02:2D:8D:46:DC, giaddr = 172.21.50.193, hops = 2
2017-08-05 11:59:36 %RELAY-I-BOOTREPLY, Forwarded BOOTREPLY for 00:02:2D:8D:46:DC to 128.141.128.90
Packet 0.0.0.0:68 -> 255.255.255.
22 IPv6 Routing
Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell EMC Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
• Prefix Renumbering — Useful in transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.
NOTE: Dell EMC Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS).
To support /65 – /128 IPv6 route prefix entries, Dell EMC Networking OS needs to be programmed with /65 – /128 bit IPv6 support. The number of entries also needs to be explicitly programmed, at 1K, 2K, or 3K granularity. On the system, IPv6 /65 to /128 prefixes consume the same storage banks that are used by the L3_DEFIP table. Once IPv6 128-bit support is enabled, the number of entries in L3_DEFIP is reduced. LPM partitioning takes effect after a reboot of the box.
Payload Length (16 bits)
The Payload Length field specifies the packet payload. This is the length of the data following the IPv6 header. IPv6 Payload Length only includes the data following the header, not the header itself. The Payload Length limit of 2 bytes requires that the maximum packet payload be 64 KB. However, the Jumbogram option type Extension header supports larger packet sizes when required.
Next Header (8 bits)
The Next Header field identifies the next header's type.
However, if the Destination Address is a Hop-by-Hop options header, the Extension header is examined by every forwarding router along the packet's route. The Hop-by-Hop options header must immediately follow the IPv6 header, and is noted by the value 0 (zero) in the Next Header field. Extension headers are processed in the order in which they appear in the packet header.
Hop-by-Hop Options Header
The Hop-by-Hop options header contains information that is examined by every router along the packet's path.
For example, 2001:0db8:1234::/48 stands for the network with addresses 2001:0db8:1234:0000:0000:0000:0000:0000 through 2001:0db8:1234:ffff:ffff:ffff:ffff:ffff.
Link-local Addresses
Link-local addresses, starting with fe80:, are assigned only in the local link area. The addresses are usually generated automatically by the operating system's IP layer for each network interface.
Figure 56. Path MTU discovery process
IPv6 Neighbor Discovery
The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses "Neighbor Solicitation" and "Neighbor Advertisement" ICMPv6 messages for determining relationships between neighboring nodes.
Figure 57. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Debugging IPv6 RDNSS Information Sent to the Host
To verify that the IPv6 RDNSS information sent to the host is configured correctly, use the debug ipv6 nd command in EXEC Privilege mode.
Example of Debugging IPv6 RDNSS Information Sent to the Host
The following example debugs IPv6 RDNSS information sent to the host.
To display IPv6 RDNSS information, use the show configuration command in INTERFACE CONFIG mode.
DellEMC(conf-if-te-1/1/1)#show configuration
The following example uses the show configuration command to display IPv6 RDNSS information.
• EXEC mode or EXEC Privilege mode
  show cam-acl
  Provides information on FP groups allocated for the egress ACL.
  CONFIGURATION mode
  show cam-acl-egress
Allocate at least one group for L2ACL and IPv4 ACL. The total number of groups is 4.
Assigning an IPv6 Address to an Interface
Essentially, IPv6 is enabled in Dell EMC Networking OS simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Configuring Telnet with IPv6
The Telnet client and server in Dell EMC Networking OS support IPv6 connections. You can establish a Telnet session directly to the router using an IPv6 Telnet client, or you can initiate an IPv6 Telnet connection from the router.
NOTE: Telnet to link local addresses is supported on the system.
• Enter the IPv6 Address for the device.
• Show the currently running configuration for the specified interface.
  EXEC mode
  show ipv6 interface interface {slot/port[/subport]}
  Enter the keyword interface then the type of interface and slot/port information:
  • For a brief summary of IPv6 status and configuration, enter the keyword brief.
  • For all IPv6 configured interfaces, enter the keyword configured.
  • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
• To display information about static IPv6 routes, enter static.
• To display information about an IPv6 prefix list, enter list and the prefix-list name.
The following example shows the show ipv6 route summary command.
DellEMC#show ipv6 route summary
Route Source   Active Routes   Non-active Routes
connected      5               0
static         0               0
Total          5               0
The following example shows the show ipv6 route command.
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
DellEMC#
Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
  EXEC mode
  clear ipv6 route {* | ipv6 address prefix-length}
  • *: all routes.
  • ipv6 address: the format is x:x:x:x::x.
  • mask: the prefix length is from 0 to 128.
9. Enable verification of the advertised default router preference value. The preference value must be less than or equal to the specified limit.
   POLICY LIST CONFIGURATION mode
   router-preference maximum {high | low | medium}
10. Set the router lifetime.
   POLICY LIST CONFIGURATION mode
   router-lifetime value
   The router lifetime range is from 0 to 9,000 seconds.
11. Apply the policy to trusted ports.
   POLICY LIST CONFIGURATION mode
   trusted-port
12. Set the maximum transmission unit (MTU) value.
23 iSCSI Optimization
This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
This cannot be taken to mean that the maximum number of supported iSCSI sessions has been reached. Also, the number of iSCSI sessions displayed on the system may be any number equal to or less than the maximum. The following illustration shows iSCSI optimization between servers and a storage array in which a stack of three switches connects installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network.
You can configure whether the iSCSI optimization feature uses the VLAN priority or IP DSCP mapping to determine the traffic class queue. By default, iSCSI flows are assigned to dot1p priority 4. To map incoming iSCSI traffic on an interface to a dot1p priority-queue other than 4, use the QoS dot1p-priority command (refer to QoS dot1p Traffic Classification and Queue Assignment). Dell EMC Networking recommends setting the CoS dot1p priority-queue to 0 (zero).
The following message displays the first time a Dell EqualLogic array is detected and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection.
Enable and Disable iSCSI Optimization
The following describes enabling and disabling iSCSI optimization.
NOTE: iSCSI monitoring is disabled by default. iSCSI auto-configuration and auto-detection are enabled by default. If you enable iSCSI, flow control is automatically enabled on all interfaces. To disable flow control on all interfaces, use the no flow control rx on tx off command and save the configuration.
Configuring iSCSI Optimization
To configure iSCSI optimization, use the following commands.
1. For a non-DCB environment: Enable session monitoring.
   CONFIGURATION mode
   cam-acl l2acl 4 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 fcoeacl 0 iscsioptacl 2
   NOTE: Content addressable memory (CAM) allocation is optional.
• dscp dscp-value: specifies the DSCP value assigned to incoming packets in an iSCSI session. The range is from 0 to 63. The default is: the DSCP value in ingress packets is not changed.
• remark: marks incoming iSCSI packets with the configured dot1p or DSCP value when they egress the switch. The default is: the dot1p and DSCP values in egress packets are not changed.
8. (Optional) Set the aging time for iSCSI session monitoring.
   CONFIGURATION mode
   [no] iscsi aging time time
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
VLT PEER2 Session 0:
------------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0f60c2002-0360018428d48c94-iom011
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
The following example shows the show iscsi session detailed command.
24 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a link-state routing protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 59. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to place a virtual physical topology into logical routing domains, which can each support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart
Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
• Accepts external IPv6 information and advertises this information in the PDUs.
The following table lists the default IS-IS values.
Table 47.
1. Create an IS-IS routing process.
   CONFIGURATION mode
   router isis [tag]
   tag: (optional) identifies the name of the IS-IS process.
2. Configure an IS-IS network entity title (NET) for a routing process.
   ROUTER ISIS mode
   net network-entity-title
   Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing.
3. Enter the interface configuration mode.
Interfaces supported by IS-IS:
  Vlan 2
  TenGigabitEthernet 4/22/1
  Loopback 0
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
DellEMC#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
isis ipv6 metric metric-value [level-1 | level-2 | level-1-2]
To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings.
• Enable graceful restart on ISIS processes.
Interval/Blackout time   : 1 min
T3 Timer                 : Manual
T3 Timeout Value         : 30
T2 Timeout Value         : 30 (level-1), 30 (level-2)
T1 Timeout Value         : 5, retry count: 1
Adjacency wait time      : 30
Operational Timer Value
======================
Current Mode/State       : Normal/RUNNING
T3 Time left             : 0
T2 Time left             : 0 (level-1), 0 (level-2)
Restart ACK rcv count    : 0 (level-1), 0 (level-2)
Restart Req rcv count    : 0 (level-1), 0 (level-2)
Suppress Adj rcv count   : 0 (level-1), 0 (level-2)
Restart CSNP rcv count   : 0 (level-1), 0 (level-2)
Database Sync count      : 0 (level-1), 0 (le
  ROUTER ISIS mode
  lsp-mtu size
  • size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
  ROUTER ISIS mode
  lsp-refresh-interval seconds
  • seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
  ROUTER ISIS mode
  max-lsp-lifetime seconds
  • seconds: the range is from 1 to 65535. The default is 1200 seconds.
metric-style {narrow [transition] | transition | wide [transition]} [level-1 | level-2]
The default is narrow. The default level is Level 1 and Level 2 (level-1-2).
To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS metric settings are in bold.
Example of Viewing IS-IS Metric Types
DellEMC#show isis protocol
IS-IS Router:
System Id: EEEE.EEEE.EEEE IS-Type: level-1-2
Manual area address(es): 47.0004.004d.
Configuring the Distance of a Route
To configure the distance for a route, use the following command.
• Configure the distance for a route.
  ROUTER ISIS mode
  distance
Changing the IS-Type
To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for a router.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Distribute Routes
Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes, and routes must meet the conditions of the prefix lists or Dell EMC Networking OS does not install the route in the routing table.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
• For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
• For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For a port channel interface, enter the keywords port-channel then a number.
Redistributing IPv6 Routes
To add routes from other routing instances or protocols, use the following commands.
NOTE: These commands apply to IPv6 IS-IS only. To apply prefix lists to IPv4 routes, use the ROUTER ISIS mode previously shown.
• Include BGP, directly connected, RIP, or user-configured (static) routes in IS-IS.
Setting the Overload Bit
Another use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations. For example, if the IS-IS routing database is out of memory and cannot accept new LSPs, Dell EMC Networking OS sets the overload bit and IS-IS traffic continues to transit the system. To set or remove the overload bit manually, use the following commands.
• Set the overload bit in LSPs.
  EXEC Privilege mode
  debug isis spf-triggers
• View sent and received LSPs.
  EXEC Privilege mode
  debug isis update-packets [interface]
  To view specific information, enter the following optional parameter:
  • interface: Enter the type of interface and slot/port information to view IS-IS information on that interface only.
Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode.
Table 49. Metric Value When the Metric Style Changes
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
wide | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide | transition | truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
Beginning Metric Style | Next Metric Style | Resulting Metric Value | Next Metric Style | Final Metric Value
wide transition | transition | truncated value | wide transition | original value is recovered
wide | transition | truncated value | narrow | default value (10). A message is sent to the logging buffer
wide transition | transition | truncated value | narrow transition | default value (10).
NOTE: Whenever you make IS-IS configuration changes, clear (restart) the IS-IS process using the clear isis command. The clear isis command must include the tag for the ISIS process. The following example shows the response from the router:
DellEMC#clear isis *
% ISIS not enabled.
DellEMC#clear isis 9999 *
You can configure IPv6 IS-IS routes in one of the following three different methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface.
IS-IS Sample Configuration — Multi-topology
DellEMC(conf-if-te-3/17/1)#show config
!
interface TenGigabitEthernet 3/17/1
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-3/17/1)#
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
25 In-Service Software Upgrade
This chapter deals with In-Service Software Upgrade (ISSU) and its dependencies.
Topics:
• ISSU Introduction
• Fastboot 2.0 (Zero Loss Upgrade)
• L2 ISSU
• L3 ISSU
• CoPP
• Mirroring flow control packets
• PFC
• QoS
• Tunnel Configuration
ISSU Introduction
In-service software upgrades (ISSU), also known as warmboot or fastboot 2.0, allow Dell EMC Networking to address software bugs and add new features to switches and routers without interrupting network availability.
LACP Long Timeout
If LACP is running on an interface, the LACP long timeout must be configured; if the LACP short timeout is configured, ISSU does not take place.
Spanning Tree
When spanning tree is enabled, BPDU guard must be configured on the interfaces.
MAC Address Table
During warmboot, the MAC address table is stored, and its entries are retrieved after the warmboot is complete.
Mirroring flow control packets
ISSU for mirroring flow control packets is a graceful implementation. The mirror ACL FP rules and the MTPs are cleared out when the box comes up in warmboot during the ISSU audit phase, and the flows are re-programmed with the mirror action when the mirroring configurations are downloaded. In the case of legacy L3 ACL based mirroring, the mirroring actions are cleared out and re-programmed while the FP rules are retained.
26 Link Aggregation Control Protocol (LACP)
Introduction to Dynamic LAGs and LACP
A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• Passive — In this state, the interface is not in an active negotiating state, but LACP runs on the link. A port in Passive state also responds to negotiation requests (from ports in Active state). Ports in Passive state respond to LACP packets.
Dell EMC Networking OS supports LAGs in the following cases:
• A port in Active state can set up a port channel (LAG) with another port in Active state.
• A port in Active state can set up a LAG with another port in Passive state.
 switchport
DellEMC(conf)#interface port-channel 32
DellEMC(conf-if-po-32)#no shutdown
DellEMC(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
DellEMC(conf)#interface vlan 10
DellEMC(conf-if-vl-10)#tagged port-channel 32
Configuring the LAG Interfaces as Dynamic
After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
DellEMC# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor   System ID: Priority 32768, Address 0001.e800.a12b
Partner System ID: Priority 32768, Address 0001.e801.
Configuring Shared LAG State Tracking
To configure shared LAG state tracking, you configure a failover group.
NOTE: If a LAG interface is part of a redundant pair, you cannot use it as a member of a failover group created for shared LAG state tracking.
1. Enter port-channel failover group mode.
   CONFIGURATION mode
   port-channel failover-group
2. Create a failover group and specify the two port-channels that will be members of the group.
Members in this channel: Te 1/17/1(U)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo
NOTE: The set of console messages shown above appears only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Example of Viewing a LAG Port Configuration
Alpha#sh int TenGigabitEthernet 1/31/1
TenGigabitEthernet 1/31/1 is up, line protocol is up
Port is part of Port-channel 10
Hardware is DellEMCEth, address is 00:01:e8:06:95:c0
Current address is 00:01:e8:06:95:c0
Interface Index is 109101113
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit, Mode full duplex, Slave
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last cl
Figure 65.
Figure 66.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21/1
Bravo(conf)#no ip address
Bravo(conf)#no switchport
Bravo(conf)#shutdown
Bravo(conf-if-te-3/21/1)#port-channel-protocol lacp
Bravo(conf-if-te-3/21/1-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21/1-lacp)#no shut
Bravo(conf-if-te-3/21/1)#end
!
interface TenGigabitEthernet 3/21/1
 no ip addre
Figure 67.
Figure 68.
Figure 69. Inspecting the LAG Status Using the show lacp command

The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in half-duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
27 Layer 2

Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table

Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Clear a MAC address table of dynamic entries.
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
  EXEC Privilege mode
  show mac-address-table [address | aging-time [vlan vlan-id] | count | dynamic | interface | static | vlan]
  • address: displays the specified entry.
  • aging-time: displays the configured aging-time.
  • count: displays the number of dynamic and static entries for all VLANs, and the total number of entries.
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.

mac learning-limit Dynamic
The MAC address table is stored in the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default.
interface TenGigabitEthernet 1/1/1
 no ip address
 switchport
 mac learning-limit 1 dynamic no-station-move
 mac learning-limit station-move-violation log
 no shutdown

Learning Limit Violation Actions
To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received, use one of the following options with the mac learning-limit command.
• Generate a system log message when the MAC learning limit is exceeded.
  mac learning-limit reset
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
  EXEC Privilege mode
  mac learning-limit reset learn-limit-violation [interface | all]
• Reset interfaces in the ERR_Disabled state caused by a station move violation.
  EXEC Privilege mode
  mac learning-limit reset station-move-violation [interface | all]

Disabling MAC Address Learning on the System
You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs.
Figure 70. Redundant NICs with NIC Teaming When you use NIC teaming, consider that the server MAC address is originally learned on Port 0/1 of the switch (shown in the following) and Port 0/5 is the failover port. When the NIC fails, the system automatically sends an ARP request for the gateway or host NIC to resolve the ARP and refresh the egress interface.
Assign a backup interface to an interface using the switchport backup command. The backup interface remains in a Down state until the primary fails, at which point it transitions to Up state. If the primary interface fails, and later comes up, it becomes the backup interface for the redundant pair. Dell EMC Networking OS supports Gigabit, 10 Gigabit, and 40-Gigabit interfaces as backup interfaces.
• The active or backup interface can be a LAG, but it cannot be a member port of a LAG.
• The active and standby do not have to be of the same type (1G, 10G, and so on).
• You may not enable any Layer 2 protocol on any interface of a redundant pair or on ports connected to them.
and Te 1/2/1
DellEMC(conf-if-po-1)#

Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration.
Figure 73.
EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again. Table 52.
Te 1/2/1   Normal   3   Admin Shutdown
Te 1/3/1   Normal   3   Admin Shutdown
Te 1/4/1   Normal   3   Admin Shutdown
DellEMC#show run fefd
!
fefd-global mode normal
fefd-global interval 3

Enabling FEFD on an Interface
To enable, change, or disable FEFD on an interface, use the following commands.
• Enable FEFD on a per interface basis.
  INTERFACE mode
  fefd
• Change the FEFD mode.
  INTERFACE mode
  fefd [mode {aggressive | normal}]
• Disable FEFD protocol on one interface.
debug fefd packets
DellEMC#debug fefd events
DellEMC#config
DellEMC(conf)#int te 1/1/1
DellEMC(conf-if-te-1/1/1)#shutdown
2w1d22h: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/1/1
DellEMC(conf-if-te-1/1/1)#2w1d22h : FEFD state on Te 1/1/1 changed from ANY to Unknown
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1/1
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 4/1/1
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan
28 Link Layer Discovery Protocol (LLDP)

802.1AB (LLDP) Overview
LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Type   TLV        Description
—      Optional   Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs.
Figure 75. LLDPDU Frame

Optional TLVs
The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.

Management TLVs
A management TLV is an optional TLV sub-type.
Type   TLV                   Description
7      System capabilities   Identifies the chassis as one or more of the following: repeater, bridge, WLAN Access Point, Router, Telephone, DOCSIS cable device, end station only, or other.
8      Management address    Indicates the network address of the management interface. Dell EMC Networking OS does not currently support this TLV.
127    Port-VLAN ID          On Dell EMC Networking systems, indicates the untagged VLAN to which a port belongs.
TIA Organizationally Specific TLVs
The Dell EMC Networking system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for:
• transmitting an LLDP-MED capability TLV to endpoint devices
• storing the information that endpoint devices advertise
The following table describes the five types of TIA-1057 Organizationally Specific TLVs.
Table 55.
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• The value of the LLDP-MED capabilities field in the TLV is a 2-octet bitmap; each bit represents an LLDP-MED capability (as shown in the following table).
• The possible values of the LLDP-MED device type are shown in the following.
different network policy than the media packets for which a connection is made. In this case, configure the signaling application.
Table 58. Network Policy Applications
Type   Application       Description
0      Reserved          —
1      Voice             Specify this application type for dedicated IP telephony handsets and other appliances supporting interactive voice services.
2      Voice Signaling   Specify this application type only if voice control packets use a separate network policy than voice data.
Important Points to Remember
• LLDP is enabled by default.
• Dell EMC Networking systems support up to eight neighbors per interface.
• Dell EMC Networking systems support a maximum of 8000 total neighbors per system. If the number of interfaces multiplied by eight exceeds the maximum, the system does not configure more than 8000.
• INTERFACE level configurations override all CONFIGURATION level configurations.
• LLDP is not hitless.
2. Enable LLDP.
   PROTOCOL LLDP mode
   no disable

Disabling and Undoing LLDP
To disable or undo LLDP, use the following command.
• Disable LLDP globally or for an interface.
  disable
To undo an LLDP configuration, precede the relevant command with the keyword no.

Enabling LLDP on Management Ports
LLDP on management ports is enabled by default. To enable LLDP on management ports, use the following command.
1. Enter Protocol LLDP mode.
   CONFIGURATION mode
   protocol lldp
2. Enter LLDP management-interface mode.
PROTOCOL LLDP mode
advertise {dcbx-appln-tlv | dcbx-tlv | dot3-tlv | interface-port-desc | management-tlv | med}
Include the keyword for each TLV you want to advertise.
• For management TLVs: system-capabilities, system-description.
• For 802.1 TLVs: port-protocol-vlan-id, port-vlan-id.
• For 802.3 TLVs: max-frame-size.
Organizational Specific Unrecognized LLDP TLVs The type value for organizational specific TLV is 127. The system processes each LLDP frame to retrieve the OUI, subtype, and data length, and stores the retrieved data of organizational specific unrecognized LLDP TLVs in a list. The stored list of organizational TLVs is removed when the neighbor is lost or neighbor ages out.
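The following decoder is an added example and is not code from this guide or from Dell EMC Networking OS. It walks an LLDPDU the way the text above describes: each TLV has a 7-bit type and 9-bit length, type 127 carries an OUI and subtype before its data, and any type the receiver does not implement is kept as an unknown TLV so it can be listed the way the guide's UnknownTLVList output does. The sample LLDPDU is constructed here, not captured from a switch; the OUI 00-80-C2 with subtype 1 is the IEEE 802.1 Port VLAN ID TLV, and the type-125 TLV is deliberately one the decoder does not know.

```python
"""Added example, not code from the Dell guide: decode an LLDPDU into TLVs.

Every TLV begins with a 16-bit header of 7-bit type and 9-bit length, then
`length` bytes of value. Type 0 ends the LLDPDU, and type 127 is the
organizationally specific TLV whose value starts with a 3-byte OUI and a
1-byte subtype. TLVs of any other type the receiver does not implement are
retained as unknown, which is what the guide's UnknownTLVList output lists.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
PORT_DESCRIPTION, SYSTEM_NAME, SYSTEM_DESCRIPTION = 4, 5, 6
SYSTEM_CAPABILITIES, MANAGEMENT_ADDRESS, ORG_SPECIFIC = 7, 8, 127
KNOWN_TYPES = {
    END_OF_LLDPDU: "ENDOFPDU", CHASSIS_ID: "CHASSIS_ID", PORT_ID: "PORT_ID",
    TTL: "TTL", PORT_DESCRIPTION: "PORT_DESCRIPTION", SYSTEM_NAME: "SYSTEM_NAME",
    SYSTEM_DESCRIPTION: "SYSTEM_DESCRIPTION", SYSTEM_CAPABILITIES: "SYSTEM_CAPABILITIES",
    MANAGEMENT_ADDRESS: "MANAGEMENT_ADDRESS", ORG_SPECIFIC: "ORG_SPECIFIC",
}
OUI_IEEE_8021 = bytes.fromhex("0080c2")   # IEEE 802.1 organizationally specific TLVs
SUBTYPE_PORT_VLAN_ID = 1                   # 802.1 subtype 1: Port VLAN ID


@dataclass
class Tlv:
    tlv_type: int
    value: bytes                 # for type 127, the data after OUI+subtype
    oui: Optional[bytes] = None  # set only for type 127
    subtype: Optional[int] = None

    @property
    def name(self) -> str:
        return KNOWN_TYPES.get(self.tlv_type, "UNKNOWN")


def parse_lldpdu(data: bytes) -> List[Tlv]:
    """Return the TLVs in order; raise ValueError on a malformed PDU."""
    tlvs: List[Tlv] = []
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated TLV header at offset %d" % off)
        hdr = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(data):
            raise ValueError("TLV type %d length %d runs past end of PDU" % (tlv_type, length))
        value = data[off:off + length]
        off += length
        if tlv_type == END_OF_LLDPDU:
            if length != 0:
                raise ValueError("End of LLDPDU TLV must have length 0")
            tlvs.append(Tlv(tlv_type, value))
            return tlvs              # bytes after End of LLDPDU are ignored
        if tlv_type == ORG_SPECIFIC:
            if length < 4:
                raise ValueError("organizationally specific TLV shorter than OUI+subtype")
            tlvs.append(Tlv(tlv_type, value[4:], oui=value[:3], subtype=value[3]))
        else:
            tlvs.append(Tlv(tlv_type, value))
    raise ValueError("LLDPDU has no End of LLDPDU TLV")


def mandatory_order_ok(tlvs: List[Tlv]) -> bool:
    """802.1AB requires Chassis ID, Port ID and TTL first, in that order."""
    return [t.tlv_type for t in tlvs[:3]] == [CHASSIS_ID, PORT_ID, TTL]


def unknown_tlv_list(tlvs: List[Tlv]) -> List[Tuple[int, int]]:
    """(type, length) pairs of unrecognized TLVs, as in the guide's UnknownTLVList."""
    return [(t.tlv_type, len(t.value)) for t in tlvs if t.name == "UNKNOWN"]


def port_vlan_id(tlvs: List[Tlv]) -> Optional[int]:
    """Untagged VLAN from the IEEE 802.1 Port VLAN ID TLV, if advertised."""
    for t in tlvs:
        if t.tlv_type == ORG_SPECIFIC and t.oui == OUI_IEEE_8021 and t.subtype == SUBTYPE_PORT_VLAN_ID:
            return struct.unpack("!H", t.value[:2])[0]
    return None


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV (used here only to construct the sample PDU)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


# Constructed sample LLDPDU (not a capture): chassis ID subtype 4 (MAC address),
# port ID subtype 5 (interface name), TTL 120 s, system name, an 802.1 Port VLAN
# ID TLV for VLAN 10, one TLV of an unassigned type (125), then End of LLDPDU.
SAMPLE_LLDPDU = b"".join([
    encode_tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("0001e800a12b")),
    encode_tlv(PORT_ID, b"\x05" + b"Te 1/31/1"),
    encode_tlv(TTL, struct.pack("!H", 120)),
    encode_tlv(SYSTEM_NAME, b"R1"),
    encode_tlv(ORG_SPECIFIC, OUI_IEEE_8021 + bytes([SUBTYPE_PORT_VLAN_ID]) + struct.pack("!H", 10)),
    encode_tlv(125, b"@"),
    encode_tlv(END_OF_LLDPDU, b""),
])

if __name__ == "__main__":
    for t in parse_lldpdu(SAMPLE_LLDPDU):
        print("TLV: %s, Type: %d Len: %d" % (t.name, t.tlv_type, len(t.value)))
```

The decoder rejects a TLV whose declared length runs past the frame and a PDU that lacks the End of LLDPDU TLV, which is where a sloppy parser on a neighbor would read past the buffer; everything it does not understand is retained rather than dropped, so the unknown-TLV list can be reviewed the same way the guide's show lldp neighbors detail output allows.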
protocol lldp
DellEMC(conf-if-te-1/31/1-lldp)#

Viewing Information Advertised by Adjacent LLDP Neighbors
To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands.
• Display brief information about adjacent devices.
  show lldp neighbors
• Display all of the information that neighbors are advertising.
Time since last information change of this neighbor: 00:01:17 UnknownTLVList: ( 9, 4) ( 10, 4) ( 11, 4) ( 12, 4) ( 13, 4) ( 14, 4) ( 15, 4) ( 19, 4) ( 20, 4) ( 21, 4) ( 22, 4) ( 23, 4) ( 24, 4) ( 25, 4) ( 29, 4) ( 30, 4) ( 31, 4) ( 32, 4) ( 33, 4) ( 34, 4) ( 35, 4) ( 39, 4) ( 40, 4) ( 41, 4) ( 42, 4) ( 43, 4) ( 44, 4) ( 45, 4) ( 49, 4) ( 50, 4) ( 51, 4) ( 52, 4) ( 53, 4) ( 54, 4) ( 55, 4) ( 59, 4) ( 60, 4) ( 61, 4) ( 62, 4) ( 63, 4) ( 64, 4) ( 65, 4) ( 69, 4) ( 70, 4) ( 71, 4) ( 72, 4) ( 73, 4) ( 74, 4) ( 7
hello
R1(conf)#protocol lldp
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#hello ?
<5-180>    Hello interval in seconds (default=30)
R1(conf-lldp)#hello 25
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-desc
no mode
R1(conf)#protocol lldp
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#mode ?
rx    Rx only
tx    Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disabl
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#

Debugging LLDP
You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
• View a readable version of the TLVs.
  debug lldp brief
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU, including unrecognized TLVs.
Dec 4 22:38:29 : aa bb cc 04 61
Dec 4 22:38:29 : 40
Dec 4 22:38:29 : TLV: UNKNOWN TLV, Type: 125 Len: 1, Value: @
Dec 4 22:38:29 : TLV: ENDOFPDU, Len: 0

Relevant Management Objects
Dell EMC Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with:
• received and transmitted TLVs
• the LLDP configuration on the local agent
• IEEE 802.1AB Organizationally Specific TLVs
• received and transmitted LLDP-MED TLVs
Table 59.
TLV Type   TLV Name              TLV Variable                  System   LLDP MIB Object
                                                               Remote   lldpRemChassisId
2          Port ID               port subtype                  Local    lldpLocPortIdSubtype
                                                               Remote   lldpRemPortIdSubtype
                                 port ID                       Local
4          Port Description      port description
5          System Name           system name
6          System Description    system description
7          System Capabilities   system capabilities
                                 enabled capabilities
8          Management Address    management address length
                                 management address subtype
                                 management address
                                 interface numbering subtype
                                 interface number
                                 OID
TLV Type   TLV Name    TLV Variable       System   LLDP MIB Object
                       PPVID              Local    lldpXdot1LocProtoVlanId
                                          Remote   lldpXdot1RemProtoVlanId
127        VLAN Name   VID                Local    lldpXdot1LocVlanId
                                          Remote   lldpXdot1RemVlanId
                       VLAN name length   Local    lldpXdot1LocVlanName
                                          Remote   lldpXdot1RemVlanName
                       VLAN name          Local    lldpXdot1LocVlanName
                                          Remote   lldpXdot1RemVlanName
Table 62.
TLV Sub-Type   TLV Name   TLV Variable       System   LLDP-MED MIB Object
                                             Remote   lldpXMedRemLocationSubtype
                          Location ID Data   Local    lldpXMedLocLocationInfo
                                             Remote   lldpXMedRemLocationInfo
29 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
• The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
• When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software.
• The ip vlan-flooding command applies globally across the system and for all VLANs.
This setting causes the multicast MAC address to be mapped to the Cluster IP address for the NLB mode of operation of the switch.
NOTE: While configuring static ARP for the Cluster IP, provide any one of the interfaces that is used in the static multicast MAC configuration, where the Cluster host is connected. The switch accepts only one ARP-to-interface pair, so if you configure a static ARP entry with each egress interface, each new entry overwrites the previous egress-interface configuration.
2.
30 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 82.
Implementation Information
The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 83.
Figure 84.
Figure 85.
Figure 86.

Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
  CONFIGURATION mode
  ip msdp cache-rejected-sa

Accept Source-Active Messages that Fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check.
Figure 88.
Figure 89. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, all sources that the default peer advertises are accepted. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr   RPAddr       LearnedFrom   Reason
00:33:18   229.0.50.64   24.0.50.64   200.0.1.50   10.0.50.2     Rpf-Fail
00:33:18   229.0.50.65   24.0.50.65   200.0.1.50   10.0.50.2     Rpf-Fail
00:33:18   229.0.50.66   24.0.50.66   200.0.1.50   10.0.50.2     Rpf-Fail

Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1. OPTIONAL: Store sources that are received after the limit is reached in the rejected SA cache.
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.
[Router 3]
R3(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.

Logging Changes in Peership States
To log changes in peership states, use the following command.
• Log peership state changes.
  CONFIGURATION mode
  ip msdp log-adjacency-changes

Terminating a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
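The following is an added example, not code from this guide or from Dell EMC Networking OS. It decodes a Source-Active message in the RFC 3618 wire format (the RFC the guide cites for its MSDP implementation) and then applies, in order, the admission rules the preceding sections describe for a receiving RP: the RPF check, the default-peer exception and its ACL on originating RPs, an ingress (S,G) filter, and a per-peer SA limit. The unreachable-peer-RP case is left out because it depends on live unicast routing. The per-RP inputs (which peer is the RPF peer toward a given originating RP, the limit, the filter) are constructed stand-ins rather than the switch's own tables, and the sample message reuses the addresses from the guide's rejected-SA output so the three Rpf-Fail rows can be reproduced.

```python
"""Added example, not code from the Dell guide: parse an MSDP Source-Active
message (RFC 3618 section 12) and apply the admission rules the guide
describes for a receiving RP: RPF check, default-peer exception with its ACL,
an ingress (S,G) filter, and a per-peer SA limit. Routing inputs below are
constructed stand-ins, not the switch's tables.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MSDP_SA = 1       # TLV type of a Source-Active message
SA_HEADER = 8     # type(1) + length(2) + entry count(1) + RP address(4)
ENTRY_LEN = 12    # reserved(3) + sprefix len(1) + group(4) + source(4)
SG = Tuple[str, str]


@dataclass
class SaMessage:
    rp: str                 # originating RP
    entries: List[SG]       # (source, group) pairs
    encapsulated: bytes     # optional encapsulated multicast data packet


def parse_sa(msg: bytes) -> SaMessage:
    """Decode one SA TLV; raise ValueError on a format error."""
    if len(msg) < SA_HEADER:
        raise ValueError("SA message shorter than its fixed header")
    mtype, length, count = struct.unpack_from("!BHB", msg, 0)
    if mtype != MSDP_SA:
        raise ValueError("not a Source-Active message (type %d)" % mtype)
    if length != len(msg):
        raise ValueError("length field %d does not match %d bytes" % (length, len(msg)))
    if length < SA_HEADER + ENTRY_LEN * count:
        raise ValueError("entry count %d does not fit in length %d" % (count, length))
    rp = str(ipaddress.IPv4Address(msg[4:8]))
    entries: List[SG] = []
    off = SA_HEADER
    for _ in range(count):
        _reserved, sprefix, group, source = struct.unpack_from("!3sBII", msg, off)
        if sprefix != 32:
            raise ValueError("Sprefix Len must be 32, got %d" % sprefix)
        g = ipaddress.IPv4Address(group)
        if not g.is_multicast:
            raise ValueError("group %s is not a multicast address" % g)
        entries.append((str(ipaddress.IPv4Address(source)), str(g)))
        off += ENTRY_LEN
    return SaMessage(rp, entries, msg[off:])


def build_sa(rp: str, entries: List[SG], encapsulated: bytes = b"") -> bytes:
    """Encode an SA message (used here to construct test input)."""
    body = b"".join(
        struct.pack("!3sBII", b"\0\0\0", 32,
                    int(ipaddress.IPv4Address(g)), int(ipaddress.IPv4Address(s)))
        for s, g in entries)
    length = SA_HEADER + len(body) + len(encapsulated)
    return (struct.pack("!BHB", MSDP_SA, length, len(entries))
            + ipaddress.IPv4Address(rp).packed + body + encapsulated)


@dataclass
class RpState:
    """Constructed per-RP inputs for SA admission."""
    rpf_peer_for_rp: Dict[str, str]              # originating RP -> expected peer
    default_peer: Optional[str] = None           # peer accepted without the RPF check
    default_peer_rps: Optional[Set[str]] = None  # ACL on originating RPs; None = permit all
    sa_filter_in: Dict[str, Set[SG]] = field(default_factory=dict)     # peer -> denied (S,G)
    sa_limit: Dict[str, int] = field(default_factory=dict)             # peer -> max cached SAs
    sa_cache: Set[Tuple[str, str, str]] = field(default_factory=set)   # (S, G, learned-from)


def admit_sa(state: RpState, msg: SaMessage, learned_from: str) -> List[Tuple[SG, Optional[str]]]:
    """Return ((S,G), reason) per entry; reason None means it was cached."""
    rpf_ok = state.rpf_peer_for_rp.get(msg.rp) == learned_from
    default_ok = (learned_from == state.default_peer
                  and (state.default_peer_rps is None or msg.rp in state.default_peer_rps))
    denied = state.sa_filter_in.get(learned_from, set())
    results = []
    for sg in msg.entries:
        if not (rpf_ok or default_ok):
            results.append((sg, "Rpf-Fail"))     # would land in the rejected-SA cache
        elif sg in denied:
            results.append((sg, "Filtered"))     # dropped, not cached anywhere
        elif (learned_from in state.sa_limit
              and sum(1 for _, _, p in state.sa_cache if p == learned_from) >= state.sa_limit[learned_from]
              and (sg[0], sg[1], learned_from) not in state.sa_cache):
            results.append((sg, "SA-Limit"))
        else:
            state.sa_cache.add((sg[0], sg[1], learned_from))
            results.append((sg, None))
    return results


# Constructed sample reusing the addresses from the guide's rejected-SA output:
# RP 200.0.1.50 advertises three sources, received from peer 10.0.50.2.
SAMPLE_SA = build_sa("200.0.1.50", [("24.0.50.64", "229.0.50.64"),
                                    ("24.0.50.65", "229.0.50.65"),
                                    ("24.0.50.66", "229.0.50.66")])
```

Running admit_sa with an RpState whose RPF peer for 200.0.1.50 is some address other than 10.0.50.2 reproduces the three Rpf-Fail rows; naming 10.0.50.2 as the default peer makes the same message acceptable, and adding an ACL that does not list 200.0.1.50 sends it back through the RPF check, which is the behaviour the default-peer section describes.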
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 0.0.0.0(0) Connect Source: Lo 0
State: Inactive Up/Down Time: 00:00:04
Timers: KeepAlive 30 sec, Hold time 75 sec
SourceActive packet count (in/out): 0/0
SAs learned from this peer: 0
SA Filtering:
Input (S,G) filter: myremotefilter
Output (S,G) filter: none

Debugging MSDP
To debug MSDP, use the following command.
• Display the information exchanged between peers.
Figure 90. MSDP with Anycast RP

Configuring Anycast RP
To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3.
network

Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11/1
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31/1
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.
!
interface TenGigabitEthernet 1/11/1
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 1/31/1
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.
!
ip route 192.168.0.2/32 10.11.0.23

MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 1/1/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 1/22/1
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 1/31/1
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.
31 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 63. Spanning Tree Variations
Dell EMC Networking Term              IEEE Specification
Spanning Tree Protocol (STP)          802.1d
Rapid Spanning Tree Protocol (RSTP)   802.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands.
When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
DellEMC(conf-mstp)#name my-mstp-region
DellEMC(conf-mstp)#exit
DellEMC(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI   VID
1      100
2      200-300
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
DellEMC(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI   VID
1      100
2      200-300

Modifying Global Parameters
The root bridge sets the values for forward-delay, hello-time, max-age, and max-hops and overwrites the values set on other MSTP bridges.
• Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
 MSTI 2 bridge-priority 4096
DellEMC(conf)#

Modifying the Interface Parameters
You can adjust two interface parameters to increase or decrease the probability that a port becomes a forwarding port.
• Port cost is a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
The following is the example configuration:
DELLEMC(conf)#protocol spanning-tree pvst
DELLEMC(conf-pvst)#port-channel path-cost custom
This command is supported in all STP modes: STP, RSTP, MSTP, and PVST. To return the path cost to the IEEE standard behavior, use the no port-channel path-cost custom command. Dell EMC Networking OS behavior does not change when a new member port is added to the port-channel or an existing member port is deleted from the configuration.
To view the enable status of this feature, use the show running-config spanning-tree mstp command from EXEC Privilege mode.

MSTP Sample Configurations
The running-configurations support the topology shown in the following illustration. The configurations are from Dell EMC Networking OS systems.
Figure 92. MSTP with Three VLANs Mapped to Two Spanning Tree Instances

Router 1 Running-Configuration
This example uses the following steps:
1.
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21,31/1
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31/1
 no shutdown

Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances; tag interfaces to the VLANs.
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/11/1,31/1
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/11/1,31/1
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 2/11/1,31/1
 no shutdown

Router 3 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally and set the region name and revision; map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
!
(Step 2)
interface TenGigabitEthernet 3/11/1
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21/1
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/11/1,21/1
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11/1,21/1
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11/1,21/1
 no shutdown

SFTOS Example Running-Configuration
This example uses the following steps:
1.
interface vlan 300
tagged 1/0/31
tagged 1/0/32
exit

Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
  debug spanning-tree mstp events
To ensure all the necessary parameters match (region name, region revision, and VLAN to instance mapping), examine your individual routers.
4w0d4h : MSTP: Received BPDU on Te 2/21/1 :
ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x78 (Indicates MSTP routers are in the [single] region.)
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0
Rem Hops: 19, Bridge Id: 32768:0001.e8d5.
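The following is an added example and is not code from this guide or from Dell EMC Networking OS. It decodes the CIST portion of an MST BPDU, the same fields the debug output above prints, and then checks the decoded root and region against what the operator expects. The two things worth alerting on when a topology change is unexplained are a BPDU whose CIST root ID is numerically lower (so better) than the intended root, which is how a rogue or misconfigured bridge takes over root, and a region name or revision that differs from the configured one, which silently splits the MST region. The sample BPDU is built from the values in the debug output (root 32768:0001.e806.953e, port 128:470, timers 20/2/15, region Tahiti revision 123, two MSTI records); the sending bridge's full MAC is constructed because the guide's line is cut off, and the path costs and configuration digest are zeroed.

```python
"""Added example, not code from the Dell guide: decode the CIST part of an MST
BPDU (IEEE 802.1Q; the fields that `debug spanning-tree mstp bpdu` prints) and
check it against the bridge that should be root and the configured MST region
name/revision. A BPDU claiming a lower, i.e. better, CIST root ID than the
expected root, or a different region identifier, is the first thing to look for
when a rogue or misconfigured switch is suspected. The sample BPDU is built from
the guide's debug values plus a constructed MAC for the sending bridge.
"""
import struct
from dataclasses import dataclass

MST_FIXED_LEN = 102   # bytes up to and including CIST Remaining Hops
MST_V3_BASE = 64      # config ID(51) + int root path cost(4) + bridge ID(8) + hops(1)
MSTI_MSG_LEN = 16     # one MSTI configuration message


@dataclass(frozen=True)
class BridgeId:
    priority: int    # multiple of 4096 in 0..61440 (upper 4 bits of the ID)
    sysid_ext: int   # 12-bit system ID extension (0 for the CIST)
    mac: str         # 12 hex digits

    @classmethod
    def unpack(cls, raw: bytes) -> "BridgeId":
        word = struct.unpack("!H", raw[:2])[0]
        return cls((word >> 12) * 4096, word & 0x0FFF, raw[2:8].hex())

    def pack(self) -> bytes:
        return struct.pack("!H", self.key()[0]) + bytes.fromhex(self.mac)

    def key(self):
        """Election order: lower 16-bit priority word, then lower MAC, wins."""
        return ((self.priority // 4096) << 12) | self.sysid_ext, self.mac

    def __str__(self) -> str:   # the guide's notation, e.g. 32768:0001.e806.953e
        return "%d:%s.%s.%s" % (self.priority, self.mac[0:4], self.mac[4:8], self.mac[8:12])


@dataclass
class MstBpdu:
    cist_root: BridgeId
    regional_root: BridgeId
    port_priority: int
    port_number: int
    max_age: int          # seconds; the BPDU carries 1/256 s units
    hello: int
    fwd_delay: int
    region_name: str
    revision: int
    bridge_id: BridgeId
    remaining_hops: int
    msti_count: int


def parse_mst_bpdu(data: bytes) -> MstBpdu:
    """Decode the CIST fields; raise ValueError if not a well-formed MST BPDU."""
    if len(data) < MST_FIXED_LEN:
        raise ValueError("too short for an MST BPDU")
    proto, ver, btype, _flags = struct.unpack_from("!HBBB", data, 0)
    if proto != 0 or ver != 3 or btype != 2:
        raise ValueError("not an MST BPDU (proto %d ver %d type %d)" % (proto, ver, btype))
    port_id, _age, max_age, hello, fwd = struct.unpack_from("!HHHHH", data, 25)
    v1len, v3len = struct.unpack_from("!BH", data, 35)
    msti_bytes = v3len - MST_V3_BASE
    if v1len != 0 or len(data) < 38 + v3len or msti_bytes < 0 or msti_bytes % MSTI_MSG_LEN:
        raise ValueError("bad Version 1/3 length fields (%d, %d)" % (v1len, v3len))
    name = data[39:71].rstrip(b"\0").decode("ascii", "replace")   # data[38]: format selector
    revision = struct.unpack_from("!H", data, 71)[0]               # data[73:89]: config digest
    return MstBpdu(BridgeId.unpack(data[5:13]), BridgeId.unpack(data[17:25]),
                   (port_id >> 12) * 16, port_id & 0x0FFF,
                   max_age // 256, hello // 256, fwd // 256, name, revision,
                   BridgeId.unpack(data[93:101]), data[101], msti_bytes // MSTI_MSG_LEN)


def build_mst_bpdu(cist_root: BridgeId, regional_root: BridgeId, bridge: BridgeId,
                   region: str, revision: int, msti: int = 2) -> bytes:
    """Encode an MST BPDU with zero path costs, digest and MSTI records (test input only)."""
    port_id = ((128 // 16) << 12) | 470          # the guide's 'CIST Port Id: 128:470'
    head = struct.pack("!HBBB", 0, 3, 2, 0x78) + cist_root.pack() + struct.pack("!I", 0)
    head += regional_root.pack() + struct.pack("!HHHHH", port_id, 0, 20 * 256, 2 * 256, 15 * 256)
    cfg = b"\0" + region.encode("ascii").ljust(32, b"\0") + struct.pack("!H", revision) + bytes(16)
    tail = struct.pack("!I", 0) + bridge.pack() + bytes([19]) + bytes(MSTI_MSG_LEN * msti)
    return head + struct.pack("!BH", 0, len(cfg) + len(tail)) + cfg + tail


def root_check(bpdu: MstBpdu, expected_root: BridgeId, region: str, revision: int):
    """Findings that point at a misconfigured or rogue bridge; empty list means consistent."""
    findings = []
    if bpdu.cist_root.key() < expected_root.key():
        findings.append("claims CIST root %s, better than expected %s" % (bpdu.cist_root, expected_root))
    if (bpdu.region_name, bpdu.revision) != (region, revision):
        findings.append("MST region %r rev %d, expected %r rev %d"
                        % (bpdu.region_name, bpdu.revision, region, revision))
    return findings


# Built from the guide's debug output; the sending bridge's MAC is constructed.
GUIDE_ROOT = BridgeId(32768, 0, "0001e806953e")
SAMPLE_BPDU = build_mst_bpdu(GUIDE_ROOT, GUIDE_ROOT, BridgeId(32768, 0, "0001e8d50001"), "Tahiti", 123)
```

The comparison in root_check uses the full 16-bit priority word followed by the MAC, which is the order the election uses; a bridge configured with bridge-priority 4096 (the lowest non-zero value the guide allows) therefore beats the default 32768 regardless of MAC, which is exactly why a bridge-priority change on an untrusted port deserves an alert.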
32 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol   Ethernet Address
PIM-SM     01:00:5e:00:00:0d
• The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
• Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per portpipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit is reached using the ip multicast-limit command.
Figure 93. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 65. Preventing a Host from Joining a Group — Description
Location   Description
1/21/1     Interface TenGigabitEthernet 1/21/1
           ip pim sparse-mode
           ip address 10.11.12.1/24
           no shutdown
1/31/1     Interface TenGigabitEthernet 1/31/1
           ip pim sparse-mode
           ip address 10.11.13.
Location   Description
2/11/1     Interface TenGigabitEthernet 2/11/1
           ip pim sparse-mode
           ip address 10.11.12.2/24
           no shutdown
2/31/1     Interface TenGigabitEthernet 2/31/1
           ip pim sparse-mode
           ip address 10.11.23.1/24
           no shutdown
3/1/1      Interface TenGigabitEthernet 3/1/1
           ip pim sparse-mode
           ip address 10.11.5.1/24
           no shutdown
3/11/1     Interface TenGigabitEthernet 3/11/1
           ip pim sparse-mode
           ip address 10.11.13.
You can configure PIM to switch over to the SPT when the router receives multicast packets at or beyond a specified rate.
Table 66. Configuring PIM to Switch Over to the SPT
Configuring PIM to Switch Over to the SPT   |   Command   |   Mode
IPv4: Configure PIM to switch over to the SPT when the multicast packet rate is at or beyond a specified rate. The keyword infinity directs PIM to never switch to the SPT.
Figure 94. Preventing a Source from Transmitting to a Group
The following table lists the location and description shown in the previous illustration.
Table 67. Preventing a Source from Transmitting to a Group — Description
Location 1/21/1:
 Interface TenGigabitEthernet 1/21/1
 ip pim sparse-mode
 ip address 10.11.12.1/24
 no shutdown
Location 1/31/1:
 Interface TenGigabitEthernet 1/31/1
 ip pim sparse-mode
 ip address 10.11.13.
Location 2/11/1:
 Interface TenGigabitEthernet 2/11/1
 ip pim sparse-mode
 ip address 10.11.12.2/24
 no shutdown
Location 2/31/1:
 Interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.23.1/24
 no shutdown
Location 3/1/1:
 Interface TenGigabitEthernet 3/1/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
Location 3/11/1:
 Interface TenGigabitEthernet 3/11/1
 ip pim sparse-mode
 ip address 10.11.13.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
the RPF neighbor. When a Dell EMC Networking system is the last hop to the destination, Dell EMC Networking OS sends a response to the query. To print the network path, use the following command. • Print the network path that a multicast packet takes from a multicast source to receiver, for a particular group.
Command Output Description
-4 103.103.103.3 --> Source
• (1.1.1.1): outgoing interface address at that node for the source and group.
• (PIM): multicast protocol used at the node to retrieve the information.
• (Reached RP/Core): forwarding code in mtrace to denote that the RP node is reached.
• (103.103.103.0/24): source network and mask. If the (*,G) tree is used, this field has the value (shared tree).
Scenario destination by using the multicast tables for that group.
Output:
destination 1.1.1.1 via group 226.0.0.3
From source (?) to destination (?)
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0 1.1.1.1 --> Destination
-1 1.1.1.1 PIM Reached RP/Core 103.103.103.0/24
-2 101.101.101.102 PIM 103.103.103.0/24
-3 2.2.2.1 PIM 103.103.103.0/24
-4 103.103.103.
Scenario Output:
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via RPF
From source (?) to destination (?)
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0 1.1.1.1 --> Destination
-1 1.1.1.1 PIM 103.103.103.0/24
-2 101.101.101.102 PIM 103.103.103.0/24
-3 2.2.2.1 PIM 103.103.103.0/24
-4 103.103.103.
Scenario is not PIM enabled, the output of the command displays a NO ROUTE error code in the Forwarding Code column. In the command output, the entry for that node in the Source Network/Mask column displays the value as default. If a multicast tree is not formed due to a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error has originated.
Output:
Querying reverse path for source 6.6.
Scenario output of the command displays a ‘*’ indicating that no response is received for an mtrace request. The following message appears when the system performs a hop-by-hop search: “switching to hop-by-hop:”
Output:
1.1.1.1 via RPF
From source (?) to destination (?)
* * * * switching to hop-by-hop:
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0 1.1.1.
Scenario Output:
. . .
-146 17.17.17.17 PIM No space in packet 99.99.0.0/16
-----------------------------------------------------------------
In a valid scenario, mtrace request packets are expected to be received on the OIF of the node. However, due to incorrect formation of the multicast tree, the packet may be received on a wrong interface. In such a scenario, a corresponding error message is displayed.
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
Querying reverse path for source 6.6.6.
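The mtrace scenarios above all share one table layout, and the error conditions show up as distinct values in the Forwarding Code column (NO ROUTE, No space in packet) or as ‘*’ rows for unanswered queries. The following Python is an added example, not part of the Dell guide, that parses that table and picks out the failing hops, so a long trace collected from a device can be triaged without reading every row. The sample text is constructed from the rows quoted on this page rather than captured from a switch, and the function names are this example's own.

```python
import re

# Added example, not part of the Dell guide: a parser for the mtrace table shown in
# this section, so that failed hops can be picked out of a long trace automatically.
# The sample below is constructed from the rows quoted on this page; it is not a
# capture from a real device.
SAMPLE_MTRACE = """\
R1>mtrace 103.103.103.3 1.1.1.1
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via RPF
From source (?) to destination (?)
* * * * switching to hop-by-hop:
---------------------------------------------------------------
|Hop| OIF IP |Proto| Forwarding Code |Source Network/ Mask|
---------------------------------------------------------------
0 1.1.1.1 --> Destination
-1 1.1.1.1 PIM Reached RP/Core 103.103.103.0/24
-2 101.101.101.102 PIM 103.103.103.0/24
-3 2.2.2.1 PIM NO ROUTE default
-146 17.17.17.17 PIM No space in packet 99.99.0.0/16
-4 103.103.103.3 --> Source
"""

# Forwarding codes that this chapter describes as errors.
ERROR_CODES = {"NO ROUTE", "No space in packet"}

# A data row starts with the (possibly negative) hop number and the OIF address.
HOP_RE = re.compile(r"^(-?\d+)\s+(\S+)\s+(.+)$")


def parse_mtrace(text):
    """Return one dict per hop row: hop, oif, proto, code, network, role."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if not m:
            continue               # banner, separators and "* * *" timeout markers
        hop, oif, rest = m.groups()
        tokens = rest.split()
        if tokens[0] == "-->":     # endpoint rows: "0 <ip> --> Destination", "-N <ip> --> Source"
            hops.append({"hop": int(hop), "oif": oif, "proto": None, "code": "",
                         "network": None, "role": tokens[1]})
            continue
        proto, tail = tokens[0], tokens[1:]
        # The last column is the source network/mask; "(shared tree)" is the only
        # two-word value there. Anything between proto and that column is the
        # forwarding code, which may be empty or several words long.
        if tail[-2:] == ["(shared", "tree)"]:
            network, code = "(shared tree)", " ".join(tail[:-2])
        elif tail:
            network, code = tail[-1], " ".join(tail[:-1])
        else:
            network, code = None, ""
        hops.append({"hop": int(hop), "oif": oif, "proto": proto, "code": code,
                     "network": network, "role": None})
    return hops


def problem_hops(hops):
    """Hops whose forwarding code is one of the documented error codes."""
    return [(h["hop"], h["oif"], h["code"]) for h in hops if h["code"] in ERROR_CODES]


def saw_timeouts(text):
    """True if any '* * *' row appeared, i.e. at least one query went unanswered."""
    return any(line.lstrip().startswith("*") for line in text.splitlines())


if __name__ == "__main__":
    parsed = parse_mtrace(SAMPLE_MTRACE)
    print(problem_hops(parsed), saw_timeouts(SAMPLE_MTRACE))
```

Feeding the output of a weak mtrace (the scenario described above) into problem_hops() returns the first hop carrying NO ROUTE, which is the node where PIM is missing on the path.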
33 Multicast Listener Discovery Protocol
Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group. A host does not have to wait for a General Query to join a group. If a host wants to become a member of a group for which the router is not currently forwarding traffic, it should send an unsolicited report.
[Figure: MLDv2 Multicast Listener Report packet format; the diagram shows the Source Address [1] through Source Address [N] fields.]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Figure: MLDv2 Multicast Address Record format; the diagram shows Source Address [2] through Source Address [N] followed by the Auxiliary Data field.]
Configuring MLD Version To configure MLD version on the system, follow this procedure: Select the MLD version INTERFACE Mode ipv6 mld version {1 | 2} If you do not configure the MLD version, the system defaults to version 2. The ipv6 mld version command is applicable for MLD snooping-enabled interfaces. Clearing MLD groups Clear a specific group or all groups on an interface from the multicast routing table.
EXEC Privilege show ipv6 mld groups
Dell#show ipv6 mld groups
Total Number of Groups: 1
MLD Connected Group Membership
Group Address   Interface   Mode    Uptime     Expires    Last Reporter
Ff08::12        Vlan 10     MLDv2   00:00:12   00:02:05   1::2
Displaying MLD Interfaces
Display MLD interfaces.
Configure the switch as a querier Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed, and so there is no querier. You must configure the switch to be the querier for a VLAN so that hosts send membership reports, and the switch can generate a forwarding table by snooping.
34 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 95. Object Tracking Example
When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.
Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
Track 100
Interface TenGigabitEthernet 1/1/1 line-protocol
Description: San Jose data center
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface. You can track the routing status of any of the following Layer 3 interfaces:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
Interface TenGigabitEthernet 7/2/1 ip routing
Description: NYC metro
The following is an example of configuring object tracking for an IPv6 interface:
DellEMC(conf)#track 103 interface tengigabitethernet 1/11/1 ipv6 routing
DellEMC(conf-track-103)#description Austin access point
DellEMC(conf-track-103)#end
DellEMC#show track 103
Track 103
Interface TenGigabitEthernet 1/11/1 ipv6 routing
Description: Austin access point
Track an IPv4/IPv6 Route
You can create an object that tracks the reachability or metric
Tracking Route Reachability Use the following commands to configure object tracking on the reachability of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1. Configure object tracking on the reachability of an IPv4 or IPv6 route. CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name] Valid object IDs are from 1 to 500.
Configuring track reachability refresh interval
If there is no entry in the ARP table, or if the next-hop address in the ARP cache ages out for a route tracked for reachability, the system waits for a refresh interval and then checks again whether the next-hop address appears in the ARP cache before considering the route DOWN. You can change the refresh interval at which the next-hop address is checked. The default refresh interval is 60 seconds.
threshold metric {[up number] [down number]}
The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold. The default DOWN threshold is 255. The routing state is DOWN if the scaled route metric is greater than or equal to the DOWN threshold.
6. (Optional) Display the tracking configuration.
Reachability is Up (STATIC)
5 changes, last change 00:02:16
First-hop interface is TenGigabitEthernet 1/2/1
Tracked by:
VRRP TenGigabitEthernet 2/30/1 IPv6 VRID 1
Track 4
Interface TenGigabitEthernet 1/4/1 ip routing
IP routing is Up
3 changes, last change 00:03:30
Tracked by:
Example of the show track brief Command
Router# show track brief
ResId  Resource                Parameter   State   LastChange
1      IP route reachability   10.16.0.
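The rules this chapter states for tracked routes (exact address and prefix-length match), for metric thresholds (UP at or below the UP threshold, DOWN at or above the DOWN threshold) and for VRRP priority cost (subtracted from the group priority while a tracked object is DOWN) are simple enough to model directly. The following Python is an added example, not Dell EMC Networking OS code, that does so, which is useful for checking what a planned set of track objects and costs will do to a VRRP group's priority before committing it. The routing tables, costs and priorities are constructed; clamping the resulting priority at 1 and keeping the previous state between two non-default thresholds are this example's assumptions, not behaviour stated on this page.

```python
import ipaddress

# Added example, not Dell EMC Networking OS code: the object-tracking rules stated in
# this chapter (exact-match route tracking, UP/DOWN metric thresholds, VRRP priority
# cost) written out as functions so their effect can be checked before committing a
# configuration. Routing tables, costs and priorities below are constructed.

VRRP_MAX_TRACKED_OBJECTS = 20   # per VRRP group, as stated in "VRRP Object Tracking"


def route_state(tracked, routing_table):
    """A tracked route is UP only if an entry with the same address *and* prefix
    length exists; 10.0.0.0/24 is DOWN when the table only holds 10.0.0.0/8."""
    want = ipaddress.ip_network(tracked)
    present = {ipaddress.ip_network(r) for r in routing_table}
    return "UP" if want in present else "DOWN"


def metric_state(scaled_metric, up_threshold=254, down_threshold=255, current="UP"):
    """threshold metric [up N] [down N]: UP at or below the UP threshold, DOWN at or
    above the DOWN threshold. Between the two (only possible with non-default
    thresholds) the previous state is kept; that hysteresis is an assumption."""
    if not 0 <= up_threshold < down_threshold:
        raise ValueError("UP threshold must be below DOWN threshold")
    if scaled_metric <= up_threshold:
        return "UP"
    if scaled_metric >= down_threshold:
        return "DOWN"
    return current


def vrrp_effective_priority(base_priority, tracked_objects):
    """tracked_objects: iterable of (state, priority_cost). Each DOWN object subtracts
    its cost (1..254) from the group priority. Clamping at 1 is an assumption: 0 is the
    reserved 'master releasing ownership' priority in VRRP."""
    objects = list(tracked_objects)
    if len(objects) > VRRP_MAX_TRACKED_OBJECTS:
        raise ValueError(f"VRRP tracks at most {VRRP_MAX_TRACKED_OBJECTS} objects per group")
    priority = base_priority
    for state, cost in objects:
        if not 1 <= cost <= 254:
            raise ValueError("priority-cost must be 1..254")
        if state == "DOWN":
            priority -= cost
    return max(priority, 1)


if __name__ == "__main__":
    # Constructed routing table: only the /8 exists, so the tracked /24 is DOWN.
    table = ["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"]
    uplink = route_state("10.0.0.0/24", table)
    print(uplink, vrrp_effective_priority(100, [(uplink, 30), ("UP", 20)]))
```

The first print shows the exact-match rule from the text: the tracked 10.0.0.0/24 is reported DOWN even though 10.0.0.0/8 would forward traffic for it, and the VRRP group accordingly drops from priority 100 to 70.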
35 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 96. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors
As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
(for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR).
• Type 5 LSA: These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Figure 98. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
RPM have been downloaded into the forwarding information base (FIB) on the line cards (the data plane) and are still resident. For packets that have existing FIB/CAM entries, forwarding between ingress and egress ports/VLANs, and so on, can continue uninterrupted while the control plane OSPF process comes back to full functionality and rebuilds its routing tables.
Processing SNMP and Sending SNMP Traps
Only the process in the default VRF can process SNMP requests and send SNMP traps.
NOTE: An SNMP get request for the OspfNbrOption field in the OspfNbrTable returns a value of 66.
RFC-2328 Compliant OSPF Flooding
In OSPF, flooding is the most resource-consuming task. The flooding algorithm described in RFC 2328 requires that OSPF flood LSAs on all interfaces, as governed by the LSA’s flooding scope (refer to Section 13 of the RFC).
OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
Configuration Task List for OSPFv2 (OSPF for IPv4) You can perform the following tasks to configure Open Shortest Path First version 2 (OSPF for IPv4) on the switch. Two of the tasks are mandatory; others are optional.
no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
CONFIGURATION mode
router ospf process-id [vrf {vrf name}]
• vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
The range is from 0 to 65535. The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process.
network ip-address mask area area-id
The IP address format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.
Enable OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface (configure for Layer 3 protocol), and do not shut the interface down. You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, and Authentication Wait Time, are assigned on a per-interface basis.
Example of Viewing OSPF Status on a Loopback Interface
DellEMC#show ip ospf 1 int
TenGigabitEthernet 1/23/1 is up, line protocol is up
  Internet Address 10.168.0.1/24, Area 0.0.0.1
  Process ID 1, Router ID 10.168.253.2, Network Type BROADCAST, Cost: 1
  Transmit Delay is 1 sec, State DROTHER, Priority 1
  Designated Router (ID) 10.168.253.5, Interface address 10.168.0.4
  Backup Designated Router (ID) 192.168.253.3, Interface address 10.168.0.
Enabling Passive Interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces. To suppress an interface’s participation in OSPF, use the following command. This command stops the router from sending updates on that interface.
• Enable OSPF fast-convergence and specify the convergence level.
CONFIG-ROUTER-OSPF-id mode
fast-convergence {number}
The parameter range is from 1 to 4. The higher the number, the faster the convergence. When disabled, the parameter is set at 0.
NOTE: A higher convergence level can result in occasional loss of OSPF adjacency. Generally, convergence level 1 meets most convergence requirements. Only select higher convergence levels following consultation with Dell Technical Support.
• seconds: the range is from 1 to 65535 (the default is 10 seconds).
• The hello interval must be the same on all routers in the OSPF network.
Use the MD5 algorithm to produce a message digest or key, which is sent instead of the key.
CONFIG-INTERFACE mode
ip ospf message-digest-key keyid md5 key
• keyid: the range is from 1 to 255.
• key: a character string.
NOTE: Be sure to write down or otherwise record the key. You cannot learn the key after it is configured.
ip ospf authentication-key key
Configure a key that is a text string no longer than eight characters.
• All neighboring routers must share the password to exchange OSPF information.
Set the authentication change wait time in seconds between 0 and 300 for the interface.
CONFIG-INTERFACE mode
ip ospf auth-change-wait-time seconds
This setting is the amount of time OSPF has available to change its interface authentication type.
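The difference between the two authentication commands above is what reaches the wire: with ip ospf authentication-key the eight-character password itself travels in every packet, while with ip ospf message-digest-key only a digest computed over the packet and the key is sent. The following Python is an added example, not Dell EMC Networking OS code, that builds and verifies an OSPFv2 packet with AuType 2 cryptographic authentication as defined in RFC 2328 Appendix D: the key is zero-padded to 16 bytes and appended to the packet before MD5 is taken, the 16-byte digest trails the packet without being counted in its Length field, and the cryptographic sequence number lets the receiver reject replayed packets. The router ID, area, key ID, key and packet body are constructed for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not Dell EMC Networking OS code: OSPFv2 cryptographic authentication
# (AuType 2, RFC 2328 Appendix D) as a sender/verifier pair. It shows why the MD5
# key itself never appears on the wire and how the cryptographic sequence number
# counters replay. Router/area IDs, the key and the packet body are constructed.

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
MD5_KEY_LEN = 16                      # RFC 2328 D.3: Auth Data Length is 16 for MD5
HEADER_FMT = "!BBH4s4sHHHBBI"         # 24-byte header with the AuType-2 auth field split out:
HEADER_LEN = struct.calcsize(HEADER_FMT)  # reserved(2) key id(1) auth len(1) crypto seq(4)


def _pad_key(key: bytes) -> bytes:
    """The configured key (ip ospf message-digest-key <id> md5 <key>) is zero-padded to 16 bytes."""
    if len(key) > MD5_KEY_LEN:
        raise ValueError("OSPF MD5 keys are at most 16 bytes")
    return key.ljust(MD5_KEY_LEN, b"\x00")


def build_md5_packet(body: bytes, router_id: str, area_id: str,
                     key_id: int, key: bytes, seq: int) -> bytes:
    """Return header+body followed by the 16-byte digest (not counted in Length)."""
    if not 1 <= key_id <= 255:
        raise ValueError("keyid must be 1..255")
    length = HEADER_LEN + len(body)
    header = struct.pack(HEADER_FMT, OSPF_VERSION, OSPF_HELLO, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0,                 # checksum is zero for AuType 2
                         AUTYPE_CRYPTO,
                         0,                 # reserved
                         key_id, MD5_KEY_LEN, seq)
    packet = header + body
    digest = hashlib.md5(packet + _pad_key(key)).digest()
    return packet + digest


def verify_md5_packet(wire: bytes, keys: dict, last_seq):
    """keys maps key id -> key bytes configured on this interface; last_seq is the
    highest sequence number already accepted from the neighbor (None if none yet).
    Returns (accepted, reason, seq)."""
    if len(wire) < HEADER_LEN + MD5_KEY_LEN:
        return False, "packet too short", None
    (ver, _typ, length, _rid, _aid, _cksum, autype, _res,
     key_id, auth_len, seq) = struct.unpack(HEADER_FMT, wire[:HEADER_LEN])
    if ver != OSPF_VERSION or autype != AUTYPE_CRYPTO or auth_len != MD5_KEY_LEN:
        return False, "not OSPFv2 cryptographic authentication", None
    if length + MD5_KEY_LEN != len(wire):
        return False, "length mismatch", None
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", None
    packet, received = wire[:length], wire[length:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, received):
        return False, "bad digest", None
    # RFC 2328 D.4.3: a sequence number lower than the last one seen is discarded.
    if last_seq is not None and seq < last_seq:
        return False, "replayed sequence number", None
    return True, "ok", seq


if __name__ == "__main__":
    keys = {1: b"s3cret-key"}     # constructed key, as set by ip ospf message-digest-key 1 md5 ...
    hello = build_md5_packet(b"\x00" * 20, "10.168.253.2", "0.0.0.1", 1, keys[1], 100)
    print(keys[1] in hello, verify_md5_packet(hello, keys, None))
```

The first printed value is False: the key never appears in the packet, which is the property the simple authentication-key form lacks. Note that the NOTE above about recording the key applies with more force here, since the neighbor must hold the identical bytes under the same key ID for the digest to verify.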
NOTE: The Helper mode is enabled by default on the device. To enable the restart mode also on the device, you must configure the grace period using the graceful-restart grace-period command. After you enable restart mode the router advertises the neighbor as fully adjacent during a restart. For more information about OSPF graceful restart, refer to the Dell EMC Networking OS Command Line Reference Guide.
Configure the following required and optional parameters:
• bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes.
• metric metric-value: the range is from 0 to 4294967295.
• metric-type metric-type: 1 for OSPF external route type 1; 2 for OSPF external route type 2.
• route-map map-name: enter a name of a configured route map.
• tag tag-value: the range is from 0 to 4294967295.
debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
• event: view OSPF event messages.
• packet: view OSPF packet information.
• spf: view SPF information.
• database-timers rate-limit: view the LSAs currently in the queue.
no shutdown
!
interface TenGigabitEthernet 1/2/1
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TenGigabitEthernet 3/1/1
 ip address 10.1.13.3/24
 no shutdown
!
interface TenGigabitEthernet 3/2/1
 ip address 10.2.13.
2. No-redistribute – To restrict Type-7 LSAs — When the NSSA ASBR is also an ABR, redistributed external routes need not be translated from Type-7 to Type-5 LSAs. The ABR directly injects external routes through Type-5 LSAs into the OSPF domain. It does not send Type-7 LSAs into the NSSA area.
3. No-summary – To act as a totally stubby area — An NSSA area can be converted into a totally stubby area to reduce the number of Type-3 LSAs.
Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1. Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface.
Assigning OSPFv3 Process ID and Router ID to a VRF
To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
• Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
CONFIGURATION mode
ipv6 router ospf {process ID}
The process ID range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
CONF-IPV6-ROUTER-OSPF mode
router-id {number}
number: the IPv4 address. The format is A.B.C.D.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF Routing process IDs. To add redistributing routes, use the following command. • Specify which routes are redistributed into the OSPF process.
By default, OSPFv3 graceful restart is disabled and functions only in a helper role to help restarting neighbor routers in their graceful restarts when it receives a Grace LSA. To enable OSPFv3 graceful restart, enter the ipv6 router ospf process-id command to enter OSPFv3 configuration mode. Then configure a grace period using the graceful-restart grace-period command. The grace period is the time that the OSPFv3 neighbors continue to advertise the restarting router as though it is fully adjacent.
 graceful-restart grace-period 180
 network 20.1.1.0/24 area 0
 network 30.1.1.0/24 area 0
!
ipv6 router ospf 1
 log-adjacency-changes
 graceful-restart grace-period 180
The following example shows the show ipv6 ospf database database-summary command.
DellEMC#show ipv6 ospf database database-summary
!
OSPFv3 Router with ID (200.1.1.
NOTE: Dell EMC Networking OS supports only Transport Encryption mode in OSPFv3 authentication with IPsec. With IPsec-based authentication, Crypto images are used to include the IPsec secure socket application programming interface (API) required for use with OSPFv3.
• Configuring IPsec Encryption on an Interface
• Configuring IPsec Authentication for an OSPFv3 Area
• Configuring IPsec Encryption for an OSPFv3 Area
• Displaying OSPFv3 IPsec Security Policies
Configuring IPsec Authentication on an Interface
To configure, remove, or display IPsec authentication on an interface, use the following commands.
• authentication-algorithm: specifies the encryption authentication algorithm to use. The valid values are MD5 or SHA1.
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
The configuration of IPsec encryption on an interface-level takes precedence over an area-level configuration. If you remove an interface configuration, an area encryption policy that has been configured is applied to the interface. • Enable IPsec encryption for OSPFv3 packets in an area.
Outbound ESP SPI        : 502 (0x1F6)
Inbound ESP Auth Key    : 123456789a123456789b123456789c12
Outbound ESP Auth Key   : 123456789a123456789b123456789c12
Inbound ESP Cipher Key  : 123456789a123456789b123456789c123456789d12345678
Outbound ESP Cipher Key : 123456789a123456789b123456789c123456789d12345678
Transform set           : esp-3des esp-md5-hmac
Crypto IPSec client security policy data
Policy name             : OSPFv3-1-500
Policy refcount         : 2
Inbound AH SPI          : 50
Outbound AH SPI         :
Inbound AH Key          :
Outbound AH Key         :
Transform set           :
outbound esp sas
 spi : 600 (0x258)
 transform : esp-des esp-sha1-hmac
 in use settings : {Transport, }
 replay detection support : N
 STATUS : ACTIVE
Troubleshooting OSPFv3
The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.
NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
MIB Support for OSPFv3
SNMPv3 context name support implements MIB views on multiple OSPFv3 instances.
Table 71. MIB Objects for OSPFv3
MIB Object | OID | Description
ospfv3GeneralGroup | 1.3.6.1.2.1.191.1.1 | Contains a 32-bit unsigned integer uniquely identifying the router in the autonomous system.
ospfv3AreaEntry | 1.3.6.1.2.1.191.1.2.1 | Contains information describing the parameter configuration and cumulative statistics of the router’s attached areas.
ospfv3AsLsdbEntry | 1.3.6.1.2.1.191.1.3.
36 Policy-based Routing (PBR) Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Dell EMC Networking OS supports multiple next-hop entries in the redirect lists.
• Redirect lists are applied at ingress.
PBR with Redirect-to-Tunnel Option: You can provide a tunnel ID for a redirect rule. In this case, the resolved next hop is the tunnel interface IP. The qualifiers of the rule pertain to the inner IP details. You must provide a tunnel ID for the next hop to be a tunnel interface.
To ensure the permit statement or PBR exception is effective, use a lower sequence number, as shown:
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
Create a Redirect List
To create a redirect list, use the following commands.
Create a redirect list by entering the list name.
CONFIGURATION mode
ip redirect-list redirect-list-name
redirect-list-name: 16 characters.
To delete the redirect list, use the no ip redirect-list command.
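The ordering point above matters because a redirect list is evaluated by ascending sequence number and the first matching rule decides: if the redirect any any rule had the lower number, host 3.3.3.3 would never reach its permit exception. The following Python is an added example, not Dell EMC Networking OS code, that parses the seq lines shown in this chapter (permit and redirect, plain next hop or tunnel, optional track) and evaluates a packet against them, so the effect of a sequence-number change can be checked offline. The two rcl0 lists are constructed from the example above. One assumption that this page does not state: a redirect rule whose next hop is unreachable or whose tracked object is DOWN is treated as inactive and evaluation continues with the next sequence number.

```python
import ipaddress

# Added example, not Dell EMC Networking OS code: a model of how a redirect list is
# evaluated so the effect of sequence numbers on permit/redirect ordering can be
# checked offline. The grammar parsed is the one shown in this chapter:
#   seq N permit PROTO SRC DST
#   seq N redirect (A.B.C.D | tunnel N) [track N] PROTO SRC DST
# with SRC/DST being "any", "host A.B.C.D" or "A.B.C.D/M". Assumption (not stated on
# this page): a redirect whose next hop is unreachable or whose tracked object is DOWN
# is skipped and evaluation continues with the next sequence number.

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_match(tokens):
    """Consume one source/destination qualifier; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def parse_redirect_list(text):
    """Parse 'seq ...' lines; other lines (e.g. 'ip redirect-list NAME') are ignored and
    the status suffix after a comma in show ip redirect-list output is dropped."""
    rules = []
    for line in text.splitlines():
        t = line.split(",")[0].split()
        if len(t) < 3 or t[0] != "seq":
            continue
        seq, action, rest = int(t[1]), t[2], t[3:]
        next_hop, track = None, None
        if action == "redirect":
            if rest and rest[0] == "tunnel":
                next_hop, rest = "tunnel " + rest[1], rest[2:]
            else:
                next_hop, rest = rest[0], rest[1:]
            if rest and rest[0] == "track":
                track, rest = int(rest[1]), rest[2:]
        elif action != "permit":
            raise ValueError(f"unknown action in rule {seq}: {action}")
        proto, rest = rest[0], rest[1:]
        src, rest = _parse_match(rest)
        dst, rest = _parse_match(rest)
        rules.append({"seq": seq, "action": action, "next_hop": next_hop,
                      "track": track, "proto": proto, "src": src, "dst": dst})
    return sorted(rules, key=lambda r: r["seq"])   # lowest sequence number is tried first


def route_packet(rules, proto, src, dst, reachable=lambda nh: True, track_up=lambda t: True):
    """Return (next hop or 'normal-routing', matching seq or None) for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["action"] == "permit":
            return "normal-routing", r["seq"]      # PBR exception: leave to the routing table
        if not reachable(r["next_hop"]) or (r["track"] is not None and not track_up(r["track"])):
            continue                               # inactive rule (assumption, see above)
        return r["next_hop"], r["seq"]
    return "normal-routing", None


# Constructed lists based on the chapter's rcl0 example, in both orders.
RCL0_GOOD = """\
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
"""
RCL0_BAD = """\
ip redirect-list rcl0
 seq 10 redirect 2.2.2.2 ip any any
 seq 15 permit ip host 3.3.3.3 any
"""

if __name__ == "__main__":
    for text in (RCL0_GOOD, RCL0_BAD):
        print(route_packet(parse_redirect_list(text), "tcp", "3.3.3.3", "8.8.8.8"))
```

With RCL0_GOOD the packet from 3.3.3.3 hits the permit at seq 10 and follows normal routing; with RCL0_BAD the same packet is redirected to 2.2.2.2 at seq 10 and the exception at seq 15 is dead configuration.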
Example: Creating a Rule
DellEMC(conf-redirect-list)#redirect ?
A.B.C.D    Forwarding router's address
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ?
<0-255>    An IP protocol number
icmp       Internet Control Message Protocol
ip         Any Internet Protocol
tcp        Transmission Control Protocol
udp        User Datagram Protocol
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip ?
A.B.C.D    Source address
any        Any source host
host       A single source host
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ?
Mask A.B.C.
To apply a redirect list to an interface, use the following command. You can apply multiple redirect lists to a redirect group. It is also possible to create two or more redirect groups on one interface for backup purposes.
Apply a redirect list (policy-based routing) to an interface.
INTERFACE mode
ip redirect-group redirect-list-name test l2-switch
• redirect-list-name is the name of a redirect list to apply to this interface.
1/32/1)
seq 15 redirect tunnel 2 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32/1)
seq 35 redirect 155.1.1.2 track 5 ip 7.7.7.0/24 8.8.8.0/24, Track 5 [up], Next-hop reachable (via Po 5)
seq 30 redirect 155.1.1.2 track 6 icmp host 8.8.8.8 any, Track 5 [up], Next-hop reachable (via Po 5)
seq 35 redirect 42.1.1.2 icmp host 8.8.8.8 any, Next-hop reachable (via Vl 20)
seq 40 redirect 43.1.1.2 tcp 155.55.2.0/24 222.22.2.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
seq 10 redirect 10.99.99.254 ip 192.168.2.
hop reachable (via Vl 20)
Applied interfaces:
 Te 2/28
DellEMC#
Creating a PBR list using Explicit Track Objects for Tunnel Interfaces
Creating steps for Tunnel Interfaces:
DellEMC#configure terminal
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#tunnel destination 40.1.1.2
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip
DellEMC(conf-if-tu-1)#tunnel keepalive 60.1.1.2
DellEMC(conf-if-tu-1)#ip address 60.1.1.
Verify the Applied Redirect Rules:
DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
37 PIM Sparse-Mode (PIM-SM)
Implementation Information
The following information is necessary for implementing PIM-SM.
• The Dell EMC Networking implementation of PIM-SM is based on IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
• The platform supports a maximum of 95 IPv4 and IPv6 PIM interfaces and 2000 multicast entries, including (*,G) and (S,G) entries.
• The maximum number of PIM neighbors is the same as the maximum number of PIM-SM interfaces.
Send Multicast Traffic With PIM-SM, all multicast traffic must initially originate from the RP. A source must unicast traffic to the RP so that the RP can learn about the source and create an SPT to it. Then the last-hop DR may create an SPT directly to the source. 1. The source gateway router (first-hop DR) receives the multicast packets and creates an (S,G) entry in its multicast routing table. The first-hop DR encapsulates the initial multicast packets in PIM Register packets and unicasts them to the RP.
INTERFACE mode
{ip | ipv6} pim sparse-mode
To display which interfaces are enabled with PIM-SM, use the show {ip | ipv6} pim interface command from EXEC Privilege mode. Following is an example of show ip pim interface command output:
DellEMC#show ip pim interface
Address         Interface   Ver/Mode   Nbr Count   Query Intvl   DR Prio   DR
165.87.34.5     Fo 1/10/1   v2/S       0           30            1         165.87.34.5
10.1.1.2        Vl 10       v2/S       1           30            1         10.1.1.2
20.1.1.5        Vl 20       v2/S       1           30            1         20.1.1.5
165.87.31.200   Vl 30       v2/S       1           30            1         165.87.31.
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
  Incoming interface: FortyGigE 1/12/1, RPF neighbor 10.87.3.5
  Outgoing interface list:
    FortyGigE 1/11/1
    FortyGigE 1/13/1
(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
  Incoming interface: FortyGigE 1/10/1, RPF neighbor 0.0.0.
Configuring a Static Rendezvous Point
The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root of a group-specific tree; every group must have an RP.
• Identify an RP by the IP address of a PIM-enabled or Loopback interface.
{ip | ipv6} pim rp-address address group-address group-address mask [override]
Following is an example of IPv4 configuration:
DellEMC#show running-configuration interface loop0
!
interface Loopback 0
ip address 1.1.1.
Following is an example of show ip pim rp mapping command output:
DellEMC#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
RP: 165.87.50.5, v2
Following is an example of show ipv6 pim rp mapping command output:
Dell#show ipv6 pim rp mapping
PIM Group-to-RP Mappings
Group(s): ff00::/8, Static
RP: 2001:100::1, v2
Dell#

Configuring a Designated Router
Multiple PIM-SM routers might be connected to a single local area network (LAN) segment.
0/0 State-Refresh messages sent/received
0/0 MSDP updates sent/received
0/0 Null Register messages sent/received
0/0 Register-stop messages sent/received
Data path event summary:
0 no-cache messages received
0 last-hop switchover messages received
0/0 pim-assert messages sent/received
0/0 register messages sent/received
DellEMC#
Following is an example of show ipv6 pim interface command output:
Dell#show ipv6 pim interface
Interface   Ver/Mode   Nbr Count   Query Intvl   DR Prio
Fo 1/3/1    v2/S       1           30            1
Address : fe
3. If you configure a secondary VLT peer as an E-BSR, an ICL flap or failover brings the VLT LAG down, resulting in a BSM timeout in the PIM domain and the election of a new BSR. Hence, it is recommended to configure the primary VLT peer as the E-BSR.
To enable BSR election for IPv4 or IPv6, perform the following steps:
1. Enter the following IPv4 or IPv6 command to make a PIM router a BSR candidate:
CONFIGURATION
ip pim bsr-candidate
ipv6 pim bsr-candidate
2.
38 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface   Mode            Uptime
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:07
  Member Ports: Te 1/1/1
239.0.0.1       Vlan 400    INCLUDE         00:00:10   Never   10.11.4.2
R1(conf)#do show ip igmp ssm-map
IGMP Connected Group Membership
Group Address   Interface   Mode            Uptime
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:36
  Member Ports: Te 1/1/1
R1(conf)#do show ip igmp ssm-map 239.0.0.
NOTE: You can create the ACL list of multicast prefixes using the ip access-list standard command.
39 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress traffic, egress traffic, or both on specified ports. The mirrored traffic can be sent to a port to which a network analyzer or sniffer is connected, to inspect or troubleshoot the traffic.
configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session. The maximum number of destination ports that can be supported depends on the port mirroring directions as follows:
• 4 per port pipe, if the four destination ports mirror in one direction, either rx or tx.
Configuring Port Monitoring
To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
EXEC Privilege mode
show interface
2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
CONFIGURATION mode
monitor session
monitor session type rpm/erpm
The type keyword is optional; it is required only for rpm and erpm sessions.
3.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1/1. Port 1/1/1 is the monitored port and port 1/32/1 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1/1 (host-originated traffic).
Figure 100. Port Monitoring Example

Configuring Monitor Multicast Queue
To configure the monitor QoS multicast queue ID, use the following commands.
1. Configure the monitor QoS multicast queue ID.
Behavior of Flow-Based Monitoring
You can activate flow-based monitoring for a monitoring session using the flow-based enable command in Monitor Session mode. When you enable flow-based monitoring, traffic for the particular flows traversing the interfaces is examined in accordance with the applied ACLs. By default, flow-based monitoring is not enabled. There are two ways in which you can enable flow-based monitoring in Dell EMC Networking OS.
The show ip accounting commands have been enhanced to display whether monitoring is enabled for traffic that matches the rules of the specific ACL.
Example Output of the show Command
DellEMC# show ip accounting access-list
!
Extended Ingress IP access list kar on TenGigabitEthernet 1/1/1
Total cam count 1
seq 5 permit ip 192.168.20.0/24 173.168.20.
interface TenGigabitEthernet 1/1/1
 ip address 10.11.1.254/24
 ip access-group testflow in
 shutdown
DellEMC(conf-if-te-1/1/1)#exit
DellEMC(conf)#do show ip accounting access-list testflow
!
Extended Ingress IP access list testflow on TenGigabitEthernet 1/1/1
Total cam count 4
seq 5 permit icmp any any 40 monitor 40 count bytes (0 packets 0 bytes)
seq 10 permit ip 102.1.1.
NOTE: If you configure IPv6 mirroring without configuring the ipv4udfmirracl CAM region, the following error message appears:
% Error: IPv6 Mirror-Access-list not supported on this CAM profile. Please remove the ipv6 access-group.

Enabling IPv6 Flow-Based Monitoring
To enable IPv6 flow-based mirroring, use the ipv6 access-group access-list-name command under monitor session. You can apply a new IPv6 ACL in a monitor session when an ACL is already applied; the new ACL replaces and overwrites the old one.
1.
Current Settings(in block sizes)
1 block = 256 entries
L2Acl          :    0
Ipv4Acl        :    2
Ipv6Acl        :    3
Ipv4Qos        :    0
L2Qos          :    0
L2PT           :    0
IpMacAcl       :    1
VmanQos        :    0
EcfmAcl        :    0
EtsAcl         :    0
FcoeAcl        :    0
iscsiOptAcl    :    0
ipv4pbr        :    0
vrfv4Acl       :    0
Openflow       :    0
fedgovacl      :    0
nlbclusteracl  :    0
ipv4udfmirracl*:    3
ipv4mirracl    :    0
Single Wide Regions: Ipv4Acl
Double Wide Regions: L2Acl, L2Qos, L2PT
                   : FcoeAcl, ipv4pbr, vrfv4Acl
Triple Wide Regions: Ipv6Acl, VmanQos, Openflow, ipv4udfmirracl(ipv6mirracl)
* - shared regions
To view an acce
Figure 101. Remote Port Mirroring

Configuring Remote Port Mirroring
Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The reserved VLAN for remote port mirroring can be automatically configured in intermediate switches by using GVRP.
• There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094.
• The default VLAN ID is not supported.
To display the currently configured source and destination sessions for remote port mirroring on a switch, enter the show monitor session command in EXEC Privilege mode.
Repeat the following steps on other source switches to configure additional source ports for this RPM session.
1. Create a new RPM session; specifying type rpm defines an RPM session.
CONFIGURATION mode
monitor session session-id type rpm
The session-id must be unique.
2. Configure the source port or list of ports, and the ingress/egress traffic to be monitored.
MONITOR SESSION mode
source {interface | range | any} destination remote-vlan vlan-id direction {rx | tx | both}
3.
Following are the port numbers referred to in the above illustration:
• 1 is tengigabitethernet 1/1/1
• 2 is tengigabitethernet 1/2/1
• 4 is tengigabitethernet 1/4/1
• 5 is tengigabitethernet 1/5/1
• 7 is tengigabitethernet 1/7/1
• 8 is tengigabitethernet 1/8/1

Configuring Remote Port Mirroring on a source switch
The configuration example below shows that the source is a source port and the destination is the reserved VLAN (for example, remote-vlan 10).
DellEMC(conf-if-vl-20)#tagged tengigabitethernet 1/2/1
DellEMC(conf-if-vl-20)#exit
DellEMC(conf)#monitor session 2 type rpm
DellEMC(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx
DellEMC(conf-mon-sess-2)#no disable
DellEMC(conf-mon-sess-2)#flow-based enable
DellEMC(conf-mon-sess-2)#exit
DellEMC(conf)#mac access-list standard mac_acl
DellEMC(config-std-macl)#permit 00:00:00:00:11:22 count monitor
DellEMC(config-std-macl)#exit
DellEMC(conf)#interface vlan 100
DellEMC(conf-if-vl-100)#mac ac
Configuring Remote Port Mirroring on an intermediate switch
Following is a sample configuration of RPM on an intermediate switch.
DellEMC(conf)#interface vlan 30
DellEMC(conf-if-vl-20)#mode remote-port-mirroring
DellEMC(conf-if-vl-20)#tagged tengigabitethernet 1/4/1
DellEMC(conf-if-vl-20)#tagged tengigabitethernet 1/5/1
DellEMC(conf-if-vl-20)#exit

Configuring Remote Port Mirroring on a Destination switch
Following is a sample configuration of RPM on a destination switch.
Table 73. Configuration steps for ERPM
Step   Command                                                   Purpose
1      configure terminal                                        Enter global configuration mode.
2      monitor session type erpm                                 Specify a session ID and ERPM as the type of monitoring session, and enter the Monitoring-Session configuration mode. The session number needs to be unique and not already defined.
3      source { interface | range } direction {rx | tx | both}   Specify the source port or range of ports.
ERPM Behavior on a typical Dell EMC Networking OS
The Dell EMC Networking OS is designed to support only the encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination switch is not supported.
Figure 103.
• Either use a Linux server's Ethernet port IP as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, the ingress and forward interface can be the same, and the analyzer listens in the tx direction of that interface.
• Download or write a small script (for example, erpm.py) that strips the given ERPM packet starting from the bit where the GRE header ends.
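A sketch of such a stripping step, added here as an illustration; it is not Dell EMC code and not the erpm.py the text refers to. It assumes, as the text states, that the mirrored frame begins immediately after the GRE header, walks past any 802.1Q tag on the outer Ethernet header, honours the optional GRE checksum, key and sequence fields, and uses the outer IPv4 total length to discard link-layer padding. The sample packet, its addresses, the GRE key and the GRE protocol type 0x6558 are constructed for the example, and the outer IP checksum is not validated.

```python
"""Strip the outer Ethernet/IPv4/GRE encapsulation from a captured ERPM mirror packet."""
from __future__ import annotations
import struct

GRE_IP_PROTOCOL = 47
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100


def strip_erpm(frame: bytes) -> tuple[int, bytes]:
    """Return (GRE protocol type, inner frame) for an Ethernet/IPv4/GRE mirror packet.

    Everything between the end of the GRE header and the end of the outer IP
    datagram is treated as the mirrored frame (assumption from the text above).
    """
    # Outer Ethernet: 6 dst + 6 src, then zero or more 802.1Q tags, then the EtherType.
    off = 12
    ethertype = struct.unpack_from("!H", frame, off)[0]
    while ethertype == ETHERTYPE_8021Q:
        off += 4
        ethertype = struct.unpack_from("!H", frame, off)[0]
    off += 2
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"outer EtherType 0x{ethertype:04x} is not IPv4")
    # Outer IPv4: header length from IHL, protocol must be GRE, total length bounds the payload.
    version_ihl = frame[off]
    total_length = struct.unpack_from("!H", frame, off + 2)[0]
    protocol = frame[off + 9]
    if version_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    if protocol != GRE_IP_PROTOCOL:
        raise ValueError(f"outer IP protocol {protocol} is not GRE ({GRE_IP_PROTOCOL})")
    ip_end = off + total_length          # anything beyond this is link-layer padding
    off += (version_ihl & 0x0F) * 4
    # GRE (RFC 2784/2890): 2 bytes flags+version, 2 bytes protocol type, optional 4-byte fields.
    flags, proto_type = struct.unpack_from("!HH", frame, off)
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    gre_len = 4
    gre_len += 4 if flags & 0x8000 else 0   # C: checksum + reserved1
    gre_len += 4 if flags & 0x2000 else 0   # K: key
    gre_len += 4 if flags & 0x1000 else 0   # S: sequence number
    return proto_type, bytes(frame[off + gre_len:ip_end])


def build_sample() -> tuple[bytes, bytes]:
    """Constructed test data: an inner Ethernet frame wrapped in Ethernet/802.1Q/IPv4/GRE (K flag set)."""
    inner = (bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa")
             + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + bytes(19) + b"mirrored-payload")
    gre = struct.pack("!HHI", 0x2000, 0x6558, 0x0000ABCD)   # key present; constructed protocol type and key
    ip_total = 20 + len(gre) + len(inner)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0, 64, GRE_IP_PROTOCOL, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))   # header checksum left 0
    outer_eth = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
                 + struct.pack("!HHH", ETHERTYPE_8021Q, 100, ETHERTYPE_IPV4))   # tag: VLAN 100
    frame = outer_eth + outer_ip + gre + inner + b"\x00\x00"   # two bytes stand in for padding
    return inner, frame


SAMPLE_INNER, SAMPLE_FRAME = build_sample()

if __name__ == "__main__":
    proto, inner = strip_erpm(SAMPLE_FRAME)
    print(f"GRE protocol type 0x{proto:04x}, inner frame {len(inner)} bytes, "
          f"inner dst MAC {inner[:6].hex(':')}")
```

In a real capture the frames would come from a pcap reader instead of build_sample(); the stripping logic stays the same because it keys only on the outer headers.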
RPM over VLT Scenarios
This section describes the restrictions that apply when you configure RPM in a VLT setup. Consider a simple VLT setup where two VLT peers are connected using VLTi and a top-of-rack switch is connected to both the VLT peers using VLT LAGs in a ring topology. In this setup, the following table describes the possible restrictions that apply when RPM is used to mirror traffic:
Table 74.
Scenario / RPM Restriction / Recommended Solution

Scenario: member port of the VLT LAG is mirrored to an orphan port on the peer VLT device. The packet analyzer is connected to the peer VLT device.
RPM Restriction / Recommended Solution: rate limit value is configured in the RPM mirror session.

Scenario: Mirroring member port of ICL LAG to VLT LAG — In this scenario, a member port of the ICL LAG is mirrored to the VLT LAG on the same VLT device. The packet analyzer is connected to the TOR switch.
RPM Restriction: No restrictions apply.
40 Private VLANs (PVLAN)
The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide. Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include:
• Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Host port — in the context of a private VLAN, a port in a secondary VLAN:
  • The port must first be assigned that role in INTERFACE mode.
  • A port assigned the host role cannot be added to a regular VLAN.
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
• Creating PVLAN Ports
• Creating a Primary VLAN
• Creating a Community VLAN
• Creating an Isolated VLAN

Creating PVLAN ports
PVLAN ports are ports that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
CONFIGURATION mode
interface interface
2. Enable the port.
INTERFACE mode
no shutdown
3. Set the port in Layer 2 mode.
INTERFACE mode
switchport
4.
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
INTERFACE VLAN mode
private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
INTERFACE VLAN mode
private-vlan mapping secondary-vlan vlan-list
The list of secondary VLANs can be:
• Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
• Specified with this command even before they have been created.
Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
CONFIGURATION mode
interface vlan vlan-id
2. Enable the VLAN.
INTERFACE VLAN mode
no shutdown
3. Set the PVLAN mode of the selected VLAN to isolated.
INTERFACE VLAN mode
private-vlan mode isolated
4. Add one or more host ports to the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 104. Sample Private VLAN Topology
The following configuration is based on the example diagram for the Z9500:
• Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
• For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch).

Inspecting the Private VLAN Configuration
The standard methods of inspecting configurations also apply in PVLANs.
*   1      Inactive
    100    Inactive
P   200    Inactive   primary VLAN in PVLAN         T Te 1/19/1-2
I   201    Inactive   isolated VLAN in VLAN 200     T Te 1/21/1
The following example shows viewing a private VLAN configuration.
41 Per-VLAN Spanning Tree Plus (PVST+)

Protocol Overview
PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 105. Per-VLAN Spanning Tree
The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.
Table 75.
Implementation Information
• The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell EMC Networking systems in a multivendor network, verify that the costs are the values you intended.
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
Dell_E600(conf-pvst)#show config verbose
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096

Influencing PVST+ Root Selection
As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost.
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.b6d6
Root Bridge hello time 2, max age 20, forward delay 15
Bridge Identifier has priority 4096, Address 0001.e80d.b6d6
Configured hello time 2, max age 20, forward delay 15
We are the root of VLAN 100
Current root has priority 4096, Address 0001.e80d.
Modifying Interface PVST+ Parameters
You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
shut down when it receives a BPDU. When you only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree.
CAUTION: Configure EdgePort only on links connecting to an end station.
Figure 107. PVST+ with Extend System ID
• Augment the bridge ID with the VLAN ID.
PROTOCOL PVST mode
extend system-id
DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 32773, Address 0001.e832.73f7
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
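How the per-VLAN bridge ID is formed and how it decides the root, as an added illustration (not Dell EMC code). With extend system-id the VLAN ID occupies the low 12 bits of the priority field, which is why the output above reports 32773 for VLAN 5 with a configured priority of 32768; the lowest (priority, MAC) pair then wins the election for that VLAN. The MAC addresses 0001.e832.73f7 and 0001.e80d.b6d6 are taken from the show output in this chapter; R3's MAC, the bridge names, and the per-VLAN priorities (4096 on VLAN 100 for R2, 4096 on VLAN 200 for R1, as a "vlan 200 bridge-priority 4096" line would set) are constructed.

```python
"""Per-VLAN root election with and without extend system-id (added illustration)."""
from __future__ import annotations

DEFAULT_PRIORITY = 32768


def bridge_id_priority(configured: int, vlan_id: int, extend_system_id: bool) -> int:
    """Priority field of a bridge's per-VLAN bridge ID.

    The configurable part is a multiple of 4096 (the high 4 bits of the 16-bit field).
    With extend system-id the low 12 bits carry the VLAN ID, so 32768 on VLAN 5 shows
    as 32773; without it the field is just the configured value.
    """
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    return configured + vlan_id if extend_system_id else configured


def mac_to_int(mac: str) -> int:
    """Accept Dell-style 0001.e80d.b6d6 or colon-separated notation."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def elect_root(bridges: list[tuple[str, str, dict[int, int]]], vlan_id: int,
               extend_system_id: bool = True) -> str:
    """bridges: (name, MAC, {vlan: configured priority}); the lowest (priority, MAC) wins."""
    def bridge_id(b: tuple[str, str, dict[int, int]]) -> tuple[int, int]:
        _, mac, per_vlan = b
        prio = bridge_id_priority(per_vlan.get(vlan_id, DEFAULT_PRIORITY), vlan_id, extend_system_id)
        return prio, mac_to_int(mac)
    return min(bridges, key=bridge_id)[0]


# Constructed network: R2 lowers its priority for VLAN 100 and R1 for VLAN 200;
# every other (bridge, VLAN) pair keeps the default 32768.
BRIDGES = [
    ("R1", "0001.e832.73f7", {200: 4096}),
    ("R2", "0001.e80d.b6d6", {100: 4096}),
    ("R3", "0001.e8aa.0001", {}),            # constructed MAC
]


def roots_per_vlan(bridges=BRIDGES, vlans=(5, 100, 200)) -> dict[int, str]:
    """Root bridge for each VLAN: priority decides where it is lowered, the MAC otherwise."""
    return {v: elect_root(bridges, v) for v in vlans}


if __name__ == "__main__":
    for v, root in roots_per_vlan().items():
        print(f"VLAN {v}: root {root}")
```

VLAN 5 falls to R2 only because it has the numerically lowest MAC, which is exactly the "all VLANs use the same forwarding topology" situation the previous section describes; lowering the priority on one bridge per VLAN is what splits the topologies.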
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/22,32/1
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface TenGigabitEthernet 2/12/1
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/32/1
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/12,32/1
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/12,32/1
 no shutdown
!
interf
42 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 77.
Feature                              Direction
Specify an Aggregate QoS Policy      Egress
Create Output Policy Maps            Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection      Egress
Create WRED Profiles                 Egress
Figure 108.
• Enabling Buffer Statistics Tracking

Implementation Information
The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic
By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
• Apply rate shaping to a queue.
QoS Policy mode
rate-shape
DellEMC#configure terminal
DellEMC(conf)#interface tengigabitethernet 1/1/1
DellEMC(conf-if-te-1/1/1)#rate shape 500 50
DellEMC(conf-if-te-1/1/1)#end

Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 109.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using Layer 3 class maps. You may specify more than one DSCP and IP precedence value, but only one value needs to match to trigger a positive match for the class map.
NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
Use step 1 or step 2 to start creating a Layer 3 class map.
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL. Use Step 1 or Step 2 to start creating a Layer 2 class map.
1. Create a match-any class map.
CONFIGURATION mode
class-map match-any
2. Create a match-all class map.
CONFIGURATION mode
class-map match-all
3.
class-map match-any ClassAF1
 match ip access-group AF1-FB1 set-ip-dscp 10
 match ip access-group AF1-FB2 set-ip-dscp 12
 match ip dscp 10 set-ip-dscp 14
 match ipv6 dscp 20 set-ip-dscp 14
!
class-map match-all ClassAF2
 match ip access-group AF2
 match ip dscp 18
DellEMC#show running-config ACL
!
ip access-list extended AF1-FB1
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.
• CIR < x < PIR – will be marked as “Yellow”
• PIR < x – will be marked as “Red”
But ‘Green’ packets matching the specific match criteria for which ‘color-marking’ is configured will be overwritten and marked as “Yellow”.

Create a QoS Policy
There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values.
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1. Create an output QoS policy.
CONFIGURATION mode
qos-policy-output
2. After you configure an output QoS policy, do one or more of the following:
Scheduler Strict — Policy-based strict-priority queueing is configured through scheduler strict. It is applied to qos-policy-output. When scheduler strict is applied to multiple queues, the higher queue number takes precedence.
DSCP Color Maps
This section describes how to configure color maps and how to display the color map and color map configuration. This section consists of the following topics:
• Creating a DSCP Color Map
• Displaying Color Maps
• Display Color Map Configuration

Creating a DSCP Color Map
You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic.
Displaying DSCP Color Maps
To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode.
Examples for Creating a DSCP Color Map
Display all DSCP color maps.
DellEMC# show qos dscp-color-map
Dscp-color-map mapONE
  yellow 4,7
  red 20,30
Dscp-color-map mapTWO
  yellow 16,55
Display a specific DSCP color map.
Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command.
2. After you create an input policy map, do one or more of the following:
• Applying a Class-Map or Input QoS Policy to a Queue
• Applying an Input QoS Policy to an Input Policy Map
• Honoring DSCP Values on Ingress Packets
• Honoring dot1p Values on Ingress Packets
3. Apply the input policy map to an interface.
dot1p   Queue ID
1       0
2       2
3       3
4       4
5       5
6       6
7       7
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
• Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p

Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
CONFIGURATION mode
policy-map-output
2. After you create an output policy map, do one or more of the following:
• Applying an Output QoS Policy to a Queue
• Specifying an Aggregate QoS Policy
• Applying an Output Policy Map to an Interface
3. Apply the policy map to an interface.

Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
Enabling Strict-Priority Queueing
In strict-priority queuing, the system de-queues all packets from the assigned queue before servicing any other queues. You can assign strict-priority to one unicast queue, using the strict-priority command.
• Policy-based per-queue rate shaping is not supported on the queue configured for strict-priority queuing.
In switch B, enable global dot1p honoring; this queues the packets on queue 1, because their dot1p value is 2, and PFC should be enabled for priority 2. The policy map applied on switch A need not be enabled in switch B. When queue 1 in switch B gets congested, PFC is generated for priority 2, which is honored in switch A.
Enabling and Disabling WRED Globally
By default, WRED is enabled on the system. You can disable or reenable WRED manually using a single command. Follow these steps to disable or enable WRED in Dell EMC Networking OS.
• Enable WRED
CONFIGURATION mode
wred enable
• Disable WRED
CONFIGURATION mode
no wred enable
NOTE: If you disable WRED globally, the system accepts any WRED profile you apply to traffic. But the changes do not take effect until you enable WRED globally.
show qos statistics wred-profile
DellEMC#show qos statistics wred-profile
Interface Te 1/1/1
Drop-statistic      Dropped Pkts
Green               51623
Yellow              51300
Out of Profile      0
DellEMC#

Displaying egress-queue Statistics
To display the number of transmitted and dropped packets and their rate on the egress queues of an interface, use the following command:
• Display the number of packets and number of bytes on the egress-queue profile.
Specifically:
• Available CAM — the available number of CAM entries in the specified CAM partition for the specified line card or stack-unit portpipe.
• Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface.
• Status — indicates whether the specified policy-map can be completely applied to an interface in the port-pipe.
Configuring Policy-Based Rate Shaping You can configure the rate shaping for QoS output policies in packets per second (pps). You can explicitly specify the rate shaping functionality for QoS output policies as peak rate and committed rate attributes. You can also configure the peak burst and committed burst sizes. All of these settings can be configured in Kbps, Mbps, or pps. To configure the peak and committed rates and burst sizes, perform the following steps: 1.
Global Service Pools With WRED and ECN Settings
Support for global service pools is now available. You can configure global service pools, which are shared buffer pools accessed by multiple queues when the minimum guaranteed buffers for a queue are consumed. Two service pools are used: one for loss-based queues and the other for lossless (priority-based flow control (PFC)) queues. You can enable WRED and ECN configuration on the global service pools.
QOS-POLICY-OUT mode
DellEMC(conf-qos-policy-out)#wred-profile weight number
2. Configure a WRED profile, and specify the threshold and maximum drop rate.
WRED mode
DellEMC(conf-wred)#wred-profile thresh-1
DellEMC(conf-wred)#threshold min 100 max 200 max-drop-rate 40
3. Configure another WRED profile, and specify the threshold and maximum drop rate.
WRED mode
DellEMC(conf-wred)#wred-profile thresh-2
DellEMC(conf-wred)#threshold min 300 max 400 max-drop-rate 80
4.
class-map match-any ecn_0_cmap
 match ip access-group ecn_0 set-color yellow
!
policy-map-input ecn_0_pmap
 service-queue 0 class-map ecn_0_cmap
Applying this policy-map “ecn_0_pmap” will mark all the packets with ‘ecn == 0’ as yellow packets on queue 0 (default queue).

Classifying Incoming Packets Using ECN and Color-Marking
Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
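The two mechanisms described in this section and in the CIR/PIR colour rules earlier in the chapter, worked together as an added illustration (not Dell EMC code): a two-rate, three-colour meter that marks traffic within CIR green, between CIR and PIR yellow and above PIR red, followed by the class-map override that re-marks green packets matching a criterion (here ecn == 0, as ecn_0_pmap does) as yellow while leaving other colours untouched. The meter is a colour-blind RFC 2698 style token-bucket implementation chosen for the example; the rates, burst sizes and the five-packet burst are constructed.

```python
"""Two-rate colour marking (CIR/PIR) plus class-map colour override (added illustration)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Packet:
    size: int       # bytes
    dscp: int
    ecn: int        # 0 = not ECN-capable, 1/2 = ECT, 3 = congestion experienced
    t: float        # arrival time in seconds


class TwoRateMarker:
    """Colour-blind two-rate three-colour marker built from two token buckets.

    Rates are bytes/second and bursts are bytes. Traffic under CIR is green, traffic
    between CIR and PIR is yellow and traffic above PIR is red, matching the rules
    stated in the chapter.
    """

    def __init__(self, cir: float, pir: float, cbs: int, pbs: int) -> None:
        self.cir, self.pir, self.cbs, self.pbs = cir, pir, cbs, pbs
        self.tc, self.tp = float(cbs), float(pbs)   # both buckets start full
        self.last = 0.0

    def colour(self, pkt: Packet) -> str:
        elapsed = max(0.0, pkt.t - self.last)
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        self.last = max(self.last, pkt.t)
        if self.tp < pkt.size:
            return "red"                  # above PIR: no tokens taken
        self.tp -= pkt.size
        if self.tc < pkt.size:
            return "yellow"               # between CIR and PIR
        self.tc -= pkt.size
        return "green"                    # within CIR


def mark_flow(packets: list[Packet], marker: TwoRateMarker,
              mark_yellow_if: Optional[Callable[[Packet], bool]] = None) -> list[str]:
    """Meter each packet, then apply the class-map colour override: green packets that
    match the criterion become yellow; yellow and red packets keep their colour."""
    colours = []
    for p in packets:
        c = marker.colour(p)
        if c == "green" and mark_yellow_if is not None and mark_yellow_if(p):
            c = "yellow"
        colours.append(c)
    return colours


def sample_packets() -> list[Packet]:
    """Constructed burst: five 500-byte packets arriving together with mixed ECN bits."""
    return [Packet(500, 40, ecn, 0.0) for ecn in (0, 1, 0, 2, 0)]


def demo(ecn_override: bool) -> list[str]:
    """Colours for the sample burst with CIR 1000 B/s, PIR 2000 B/s, CBS 1000, PBS 2000."""
    marker = TwoRateMarker(cir=1000, pir=2000, cbs=1000, pbs=2000)
    rule = (lambda p: p.ecn == 0) if ecn_override else None   # what ecn_0_pmap configures
    return mark_flow(sample_packets(), marker, rule)


if __name__ == "__main__":
    print("metering only        :", demo(False))
    print("with ecn==0 -> yellow:", demo(True))
```

With the override enabled the first packet, which the meter left green, is demoted to yellow because it is not ECN-capable, while the second (ECT) packet stays green; this is the effect of set-color yellow in the class map, and it feeds into WRED's colour-aware thresholds downstream.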
• PSH
• RST
• URG
You can now use the ‘ecn’ match qualifier along with the above TCP flags for classification.
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
Approach with explicit ECN match qualifiers for ECN packets:
!
ip access-list standard dscp_50_ecn
 seq 5 permit any dscp 50 ecn 1
 seq 10 permit any dscp 50 ecn 2
 seq 15 permit any dscp 50 ecn 3
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_4
Managing Hardware Buffer Statistics The memory management unit (MMU) is 12.2 MB in size. It contains approximately 60,000 cells, each of which is 208 bytes in size. MMU also has another portion of 3 MB allocated to it. The entire MMU space is shared across a maximum of 104 logical ports to support the egress admission-control functionality to implement scheduling and shaping on per-port and per-queue levels.
UCAST    4    0
UCAST    5    0
UCAST    6    0
UCAST    7    0
UCAST    8    0
UCAST    9    0
UCAST   10    0
UCAST   11    0
MCAST    0    0
MCAST    1    0
MCAST    2    0
MCAST    3    0
MCAST    4    0
MCAST    5    0
MCAST    6    0
MCAST    7    0
MCAST    8    0
43 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Feature                 Default
                        • Transmit RIPv1
RIP timers              • update timer = 30 seconds
                        • invalid timer = 180 seconds
                        • holddown timer = 180 seconds
                        • flush timer = 240 seconds
Auto summarization      Enabled
ECMP paths supported    16

Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
DellEMC#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.
[120/1] via 29.10.10.12, 00:01:22, Fa 1/49
192.162.3.0/24 auto-summary
To disable RIP globally, use the no router rip command in CONFIGURATION mode.
Configure RIP on Interfaces
When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
• map-name: the name of a configured route map.
Include specific OSPF routes in RIP.
ROUTER RIP mode
redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [route-map map-name]
Configure the following parameters:
• process-id: the range is from 1 to 65535.
• metric: the range is from 0 to 16.
• map-name: the name of a configured route map.
To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
Gateway Distance Last Update
Distance: (default is 120)
DellEMC#
Generating a Default Route
Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP.
Configure the following parameters:
• prefix-list-name: the name of an established prefix list to determine which incoming routes are modified.
• offset: the range is from 0 to 16.
• interface: the type, slot, and number of an interface.
To view the configuration changes, use the show config command in ROUTER RIP mode.
Debugging RIP
The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes.
Core2(conf-router_rip)#show config
!
router rip
network 10.0.0.0
version 2
Core2(conf-router_rip)#
Core 2 RIP Output
The examples in this section show the Core 2 RIP output.
• To display the Core 2 RIP database, use the show ip rip database command.
• To display the Core 2 RIP setup, use the show ip route command.
• To display Core 2 RIP activity, use the show ip protocols command.
The following example shows the show ip rip database command used to view the learned RIP routes on Core 2.
Invalid after 180 seconds, hold down 180, flushed after 240
Output delay 8 milliseconds between packets
Automatic network summarization is in effect
Outgoing filter for all interfaces is
Incoming filter for all interfaces is
Default redistribution metric is 1
Default version control: receive version 2, send version 2
Interface Recv Send
TenGigabitEthernet 2/4/1 2 2
TenGigabitEthernet 2/5/1 2 2
TenGigabitEthernet 2/3/1 2 2
TenGigabitEthernet 2/11/1 2 2
Routing for Networks:
10.300.10.0
10.200.10.0
10.11.20.
192.168.2.0/24 auto-summary
Core3#
The following example shows the show ip route command used to view the RIP setup on Core 3.
no shutdown
!
interface TenGigabitEthernet 2/4/1
ip address 10.200.10.1/24
no shutdown
!
interface TenGigabitEthernet 2/5/1
ip address 10.250.10.1/24
no shutdown
router rip
version 2
10.200.10.0 10.300.10.0 10.11.10.0 10.11.20.0
The following example shows viewing the RIP configuration on Core 3.
!
interface TenGigabitEthernet 3/1/1
ip address 10.11.30.1/24
no shutdown
!
interface TenGigabitEthernet 3/2/1
ip address 10.11.20.1/24
no shutdown
!
interface TenGigabitEthernet 3/4/1
ip address 192.168.1.
44 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following optional parameters:
• number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
• variable: the MIB object to monitor — the variable must be in SNMP OID format; for example, 1.3.6.1.2.1.1.3.
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
CONFIGURATION INTERFACE (config-if) mode
[no] rmon collection statistics {controlEntry integer} [owner ownername]
• controlEntry: specifies the RMON group of statistics using a value.
• integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
45 Rapid Spanning Tree Protocol (RSTP) Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table. Table 84.
RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire Layer 2 network, which can cause a network-wide flush of learned media access control (MAC) and address resolution protocol (ARP) addresses, requiring these addresses to be re-learned.
protocol spanning-tree rstp
2. Enable RSTP.
PROTOCOL SPANNING TREE RSTP mode
no disable
To disable RSTP globally for all Layer 2 interfaces, enter the disable command from PROTOCOL SPANNING TREE RSTP mode. To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The bold line indicates that RSTP is enabled.
DellEMC(conf-rstp)#show config
!
protocol spanning-tree rstp
no disable
DellEMC(conf-rstp)#
Figure 112.
Port 378 (TenGigabitEthernet 2/2/1) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.378
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
• Forward-delay — the amount of time an interface waits in the Listening state and the Learning state before it transitions to the Forwarding state.
• Hello-time — the time interval in which the bridge sends RSTP BPDUs.
• Max-age — the length of time the bridge maintains configuration information before it refreshes that information by recomputing the RST topology.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps, use the following command.
• Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
snmp-server enable traps xstp
Modifying Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
A console message appears when a new root bridge has been assigned. The following example shows the console message after the bridge-priority command is used to make R2 the root bridge (shown in bold).
DellEMC(conf-rstp)#bridge-priority 4096
04:27:59: %RPM0-P:RP2 %SPANMGR-5-STP_ROOT_CHANGE: RSTP root changed. My Bridge ID: 4096:0001.e80b.88bd Old Root: 32768:0001.e801.cbb4 New Root: 4096:0001.e80b.
RSTP fast hellos decrease the hello interval to the order of milliseconds and all timers derived from the hello timer are adjusted accordingly. This feature does not inter-operate with other vendors, and is available only for RSTP. • Configure a hello time on the order of milliseconds. PROTOCOL RSTP mode hello-time milli-second interval The range is from 50 to 950 milliseconds.
46 Software-Defined Networking (SDN)
47 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+}
The variables are:
• system: sends accounting information of any other AAA configuration.
• exec: sends accounting information when a user has logged in to EXEC mode.
• command level: sends accounting of commands executed at the specified privilege level.
• suppress: do not generate accounting records for a specific type of user.
Monitoring AAA Accounting Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command. • Step through all active sessions and print all the accounting records for the actively accounted functions.
CONFIGURATION mode
aaa authentication login {method-list-name | default} method1 [... method4]
The default method-list is applied to all terminal lines. Possible methods are:
• enable: use the password you defined using the enable secret, enable password, or enable sha256-password command in CONFIGURATION mode. In general, the enable secret command overrules the enable password command.
The following example shows enabling authentication from the RADIUS server.
DellEMC(config)# aaa authentication enable default radius tacacs
The RADIUS and TACACS+ servers have to be properly set up for this.
DellEMC(config)# radius-server host x.x.x.x key
DellEMC(config)# tacacs-server host x.x.x.x key
To use local enable authentication on the console, while using remote authentication on VTY lines, run the following commands.
Obscuring Passwords and Keys By default, the service password-encryption command stores encrypted passwords. For greater security, you can also use the service obscure-passwords command to prevent a user from reading the passwords and keys, including RADIUS, TACACS+ keys, router authentication strings, VRRP authentication by obscuring this information. Passwords and keys are stored encrypted in the configuration file and by default are displayed in the encrypted form when the configuration is displayed.
Configuration Task List for Privilege Levels The following list has the configuration tasks for privilege levels and passwords.
Configuring Custom Privilege Levels
In addition to assigning privilege levels to the user, you can configure the privilege levels of commands so that they are visible in different privilege levels. Within Dell EMC Networking OS, commands have certain privilege levels. With the privilege command, you can change the default level or you can reset their privilege level back to the default.
• Assign the launch keyword (for example, configure) for the keyword’s command mode.
DellEMC(conf)#privilege exec level 8 configure
DellEMC(conf)#privilege config level 8 snmp-server
DellEMC(conf)#end
DellEMC#show running-config
Current Configuration ...
!
hostname Force10
!
enable password level 8 notjohn
enable password Force10
!
username admin password 0 admin
username john password 0 john privilege 8
!
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8.
Enabling and Disabling Privilege Levels
To enable and disable privilege levels, use the following commands.
• Set a user’s security level.
EXEC Privilege mode
enable or enable privilege-level
If you do not enter a privilege level, Dell EMC Networking OS sets it to 15 by default.
• Move to a lower privilege level.
EXEC Privilege mode
disable level-number
level-number: the level-number you wish to set. If you enter disable without a level-number, your security level is 1.
ACL Configuration Information
The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this. RADIUS can specify an ACL for the user if both of the following are true:
• If an ACL is absent.
• If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.
CONFIGURATION mode
aaa authorization exec {method-list-name | default} radius tacacs+
Typical order of methods: RADIUS, TACACS+, Local, None. If RADIUS denies authorization, the session ends (RADIUS must not be the last method specified).
Applying the Method List to Terminal Lines
To enable RADIUS AAA login authentication for a method list, apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, use the following commands.
• Enter LINE mode.
• Set a time interval after which a RADIUS host server is declared dead.
CONFIGURATION mode
radius-server deadtime seconds
seconds: the range is from 0 to 2147483647. The default is 0 seconds.
• Configure a key for all RADIUS communications between the system and RADIUS server hosts.
CONFIGURATION mode
radius-server key [encryption-type] key
encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text.
key: enter a string. The key can be up to 42 characters long.
4. Log in to switch using console or telnet or ssh with a valid user role. When 1-factor authentication is used, the authentication succeeds enabling you to access the switch. When two-factor authentication is used, the system prompts you to enter a one-time password as a second step of authentication. If a valid one-time password is supplied, the authentication succeeds enabling you to access the switch.
Table 87. Change of Authorization (CoA) Attribute
Attribute code | Attribute | Description
5 | NAS-Port | Port associated with the session to be processed for EAP or MAB users, or the VTY ID for AAA sessions.
Table 88. Session Identification Attributes
Attribute code | Attribute | Description
31 | Calling-Station-Id (MAC Address) | The link address from which the session is connected.
Table 89.
Table 92. CoA EAP/MAB Disable Port
Radius Attribute code | Radius Attribute | Description | Mandatory
NAS Identification Attributes
4 | NAS-IP-Address | IPv4 address of the NAS. | No
95 | NAS-IPv6-Address | IPv6 address of the NAS. | No
Session Identification Attributes
5 | NAS-Port | Port on which session is terminated | Yes
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=bounce-host-port” | Yes
Table 93.
Radius Attribute code | Radius Attribute | Description | Mandatory
- | AAA user name
5 | NAS-Port | Port on which session is terminated | No
Authorization Attributes
26 | Vendor-Specific | t=26(vendor-specific);l=length;vendor-identificationattribute;Length=value; Data=”cmd=disconnect-user” | Yes
Error-cause Values
It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason.
• if the CoA request contains an incorrect Vendor-Specific attribute value.
• if the CoA request contains incorrect NAS-port or calling-station-id values.
• rejects the CoA-Request containing a NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a CoA-Nak; Error-Cause value is “NAS Identification Mismatch” (403).
• responds with a CoA-Nak if it is configured to prohibit honoring of the corresponding CoA-Request messages; Error-Cause value is “Administratively Prohibited” (501).
• responds to a disconnect message containing unsupported attributes with a DM-Nak; Error-Cause value is “Unsupported Attributes” (401).
NOTE: Unsupported attributes are the ones that are not mentioned in RFC 5176 but are present in the disconnect message that is received by the NAS.
• rejects the disconnect message containing a NAS-IP-Address or NAS-IPV6-Address attribute that does not match the NAS with a DM-Nak; Error-Cause value is “NAS Identification Mismatch” (403).
NAS disconnects the administrative users who are connected through an AAA interface.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)disconnect-user
NAS takes the following actions:
• validates the DM request and the session identification attributes.
• sends a DM-Nak with an error-cause of 402 (missing attribute) if the DM request does not contain the User-Name.
• sends a DM-Ack if it is able to successfully disconnect the admin user.
2. Enter the following command to configure the re-authentication of 802.1x sessions: coa-reauthenticate
NAS re-initiates the user authentication state.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-reauthenticate
NAS takes the following actions whenever re-authentication is triggered:
• validates the CoA request and the session identification attributes.
• NAS server listens on the Management IP UDP port 3799 (default) or the port configured through CLI.
• The user is logged in through an 802.1X-enabled physical port and successfully authenticated with the RADIUS server.
To initiate shutting down of the 802.1x-enabled port, the DAC sends a standard CoA request that contains one or more session identification attributes. NAS uses the NAS-Port attributes to identify the 802.1x-enabled physical port.
1.
NAS considers the new replay protection window value from the next window period. The range is from 1 to 10 minutes. The default is 5 minutes.
Dell(conf-dynamic-auth#)replay-prot-window 10
Rate-limiting RADIUS packets
NAS enables you to allow or reject RADIUS dynamic authorization packets based on the rate-limiting value that you specify. NAS lets you configure the number of RADIUS dynamic authorization packets allowed per minute. The default value is 30 packets per minute.
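The Error-Cause rules in this section (401 for unsupported attributes, 402 for a missing User-Name, 403 for a NAS identification mismatch, 501 when CoA handling is administratively prohibited) describe a small decision procedure that runs on the NAS before it answers a Disconnect-Message or CoA request. The following Python is an added example of that procedure, written for this guide and not Dell EMC Networking OS code. The supported-attribute set, the textual `Attribute=value` stand-in for a decoded RADIUS attribute list, the `NasState` structure and the use of Error-Cause 503 (defined in RFC 5176 but not mentioned on this page) for a session that does not exist are all assumptions of the example.

```python
"""Model of the RFC 5176 request validation a NAS performs before it
answers a Disconnect-Message (DM) or Change-of-Authorization (CoA)
request.  Added example; not Dell EMC Networking OS code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DYNAMIC_AUTH_UDP_PORT = 3799  # default port the NAS listens on (from the guide)

# RFC 5176 Error-Cause values named in this section of the guide
UNSUPPORTED_ATTRIBUTE = 401
MISSING_ATTRIBUTE = 402
NAS_IDENTIFICATION_MISMATCH = 403
ADMINISTRATIVELY_PROHIBITED = 501
# Defined in RFC 5176 but not listed in the guide; assumed here for the
# "no such session" case, which the guide does not describe.
SESSION_CONTEXT_NOT_FOUND = 503

# Assumed set of attributes the NAS accepts in a Disconnect-Request: the
# NAS/session identification attributes from the guide's tables plus
# User-Name, Event-Timestamp and Message-Authenticator from RFC 5176.
SUPPORTED_DM_ATTRIBUTES = {
    "User-Name", "NAS-IP-Address", "NAS-IPv6-Address", "NAS-Port",
    "Calling-Station-Id", "Event-Timestamp", "Message-Authenticator",
}


@dataclass
class NasState:
    """Identity and dynamic-auth policy of the NAS (constructed sample)."""
    ipv4: str
    ipv6: Optional[str] = None
    coa_prohibited: bool = False          # CoA handling not enabled via CLI
    active_users: Set[str] = field(default_factory=set)


def parse_attributes(text: str) -> Dict[str, str]:
    """Parse 'Attribute=value' lines (a constructed textual stand-in for a
    decoded RADIUS attribute list) into a dict."""
    attrs: Dict[str, str] = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def nas_mismatch(attrs: Dict[str, str], nas: NasState) -> bool:
    """True when a NAS-IP-Address or NAS-IPv6-Address attribute is present
    and does not name this NAS."""
    v4, v6 = attrs.get("NAS-IP-Address"), attrs.get("NAS-IPv6-Address")
    return (v4 is not None and v4 != nas.ipv4) or (v6 is not None and v6 != nas.ipv6)


def handle_disconnect(attrs: Dict[str, str], nas: NasState) -> Tuple[str, Optional[int]]:
    """Return ('DM-Ack', None) or ('DM-Nak', error_cause) for a DM request."""
    if set(attrs) - SUPPORTED_DM_ATTRIBUTES:
        return "DM-Nak", UNSUPPORTED_ATTRIBUTE
    if nas_mismatch(attrs, nas):
        return "DM-Nak", NAS_IDENTIFICATION_MISMATCH
    if "User-Name" not in attrs:
        return "DM-Nak", MISSING_ATTRIBUTE
    if attrs["User-Name"] not in nas.active_users:
        return "DM-Nak", SESSION_CONTEXT_NOT_FOUND
    nas.active_users.discard(attrs["User-Name"])   # tear the session down
    return "DM-Ack", None


def handle_coa(attrs: Dict[str, str], nas: NasState) -> Tuple[str, Optional[int]]:
    """Return ('CoA-Ack', None) or ('CoA-Nak', error_cause) for a CoA request."""
    if nas.coa_prohibited:
        return "CoA-Nak", ADMINISTRATIVELY_PROHIBITED
    if nas_mismatch(attrs, nas):
        return "CoA-Nak", NAS_IDENTIFICATION_MISMATCH
    return "CoA-Ack", None


if __name__ == "__main__":
    nas = NasState(ipv4="10.0.0.1", active_users={"john"})
    request = parse_attributes("NAS-IP-Address=10.0.0.1\nUser-Name=john")
    print(handle_disconnect(request, nas))   # ('DM-Ack', None)
```

The order of the checks matters for what the DAC sees: a request that is both malformed and aimed at the wrong NAS is answered with 401 here, because unsupported attributes are rejected before identity is compared, which is the order the guide lists them in.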
2. Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACACS+ authentication method.
CONFIGURATION mode
aaa authentication login {method-list-name | default} tacacs+ [...method3]
The TACACS+ method must not be the last method specified.
3. Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
4. Assign the method-list to the terminal line.
TACACS+ Remote Authentication The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes. If you have configured remote authorization, the system ignores the access class you have configured for the VTY line and gets this access class information from the TACACS+ server. The system must know the username and password of the incoming user before it can fetch the access class from the server.
If rejected by the AAA server, the command is not added to the running config, and a message displays:
04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command authorization failed for user (denyall) on vty0 ( 10.11.9.209 )
Certain TACACS+ servers do not authenticate the device if you use the aaa authorization commands level default local tacacs+ command. To resolve the issue, use the aaa authorization commands level default tacacs+ local command.
To disable SSH server functions, use the no ip ssh server enable command.
Using SCP with SSH to Copy a Software Image
To use secure copy (SCP) to copy a software image through an SSH connection from one switch to another, use the following commands.
1. On Switch 1, set the SSH port number (port 22 by default).
CONFIGURATION MODE
ip ssh server port number
2. On Switch 1, enable SSH.
CONFIGURATION MODE
ip ssh server enable
3. On Switch 2, invoke SCP.
CONFIGURATION MODE
copy scp: flash:
4.
To remove the generated RSA host keys and zeroize the key storage location, use the crypto key zeroize rsa command in CONFIGURATION mode. DellEMC(conf)#crypto key zeroize rsa Configuring When to Re-generate an SSH Key You can configure the time-based or volume-based rekey threshold for an SSH session. If both threshold types are configured, the session rekeys when either one of the thresholds is reached.
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
The default HMAC algorithms are the following:
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256,hmac-sha1,hmac-sha1-96.
Example of Configuring an HMAC Algorithm
The following example shows you how to configure an HMAC algorithm list.
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
DellEMC(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr
Configuring the SSH Client Cipher List
To configure the cipher list supported by the SSH client, use the ip ssh cipher cipher-list command in CONFIGURATION mode.
Secure Shell Authentication Secure Shell (SSH) is enabled by default using the SSH Password Authentication method. Enabling SSH Authentication by Password Authenticate an SSH client by prompting for a password when attempting to connect to the Dell EMC Networking system. This setup is the simplest method of authentication and uses SSH version 2. To enable SSH password authentication, use the following command. • Enable SSH password authentication.
Configuring Host-Based SSH Authentication Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands. 1. Configure RSA Authentication. Refer to Using RSA Authentication of SSH. 2. Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file. cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts Refer to the first example. 3.
ssh ip_address
DellEMC#ssh 10.16.127.201 ?
-c Encryption cipher to use (for v2 clients only)
-l User name option
-m HMAC algorithm to use (for v2 clients only)
-p SSH server port option (default 22)
-v SSH protocol version
Troubleshooting SSH
To troubleshoot SSH, use the following information.
You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:
%Error: No username set for this term.
VTY Line Local Authentication and Authorization retrieves the access class from the local database. To use this feature:
1. Create a username.
2. Enter a password.
3. Assign an access class.
4. Enter a privilege level.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization. Configure local authentication globally and configure access classes on a per-user basis.
To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs. Privilege-or-Role Mode versus Role-only Mode By default, the system provides access to commands determined by the user’s role or by the user’s privilege level. The user’s role takes precedence over a user’s privilege level.
System-Defined RBAC User Roles
By default, the Dell EMC Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system-defined roles.
The system-defined user roles are as follows:
• Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information.
Example of Creating a User Role The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions. Create a new user role, myrole and inherit security administrator permissions. DellEMC(conf)#userrole myrole inherit secadmin Verify that the user role, myrole, has inherited the security administrator permissions.
The following example allows the security administrator (secadmin) to access Interface mode.
Adding and Deleting Users from a Role To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode. Example The following example creates a user name that is authenticated based on a user role. DellEMC(conf)# username john password 0 password role secadmin The following example deletes a user role.
To configure AAA authorization, use the aaa authorization exec command in CONFIGURATION mode. The aaa authorization exec command determines which CLI mode the user will start in for their session; for example, Exec mode or Exec Privilege mode. For information about how to configure authentication for roles, see Configure AAA Authentication for Roles.
authorization exec ucraaa
accounting commands role netadmin ucraaa
!
Configuring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell EMC Networking vendor-ID is 6027 and the supported option has an attribute of type string, which is titled “Force10-avpair”.
Applying an Accounting Method to a Role To apply an accounting method list to a role executed by a user with that user role, use the accounting command in LINE mode. accounting {exec | commands {level | role role-name}} method-list Example of Applying an Accounting Method to a Role The following example applies the accounting default method to the user role secadmin (security administrator).
Role access: sysadmin
DellEMC#show role mode configure password-attributes
Role access: secadmin,sysadmin
DellEMC#show role mode configure interface
Role access: netadmin, sysadmin
DellEMC#show role mode configure line
Role access: netadmin,sysadmin
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays privilege level and/or user role.
CONFIGURATION mode
ip ssh challenge-response-authentication enable
2. View the configuration.
EXEC mode
show ip ssh
DellEMC# show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
ICMPv4 message types
Router solicitation (10)
Time exceeded (11)
IP header bad (12)
Timestamp request (13)
Timestamp reply (14)
Information request (15)
Information reply (16)
Address mask request (17)
Address mask reply (18)
NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8).
Table 99.
SSH Lockout Settings The system has a SSH protection mechanism which, by default, allows 10 login attempts (success or failure) per minute. After the 10th attempt, the system blocks the user login for one minute (since the first login attempt) before allowing the next set of login attempts. With Dell EMC Networking OS version 9.11(0.0), the SSH protection mechanism has been enhanced to allow 60 login attempts (success or failure) per minute.
After enabling and configuring OS image hash verification, the device verifies the hash checksum of the OS boot image during every reload.
DellEMC# verified boot hash system-image A: 619A8C1B7A2BC9692A221E2151B9DA9E
Image Verification for Subsequent OS Upgrades
After enabling OS image hash verification, for subsequent Dell EMC Networking OS upgrades, you must enter the hash checksum of the new OS image file.
NOTE: The verified boot hash command is only applicable for the startup configuration file in the local file system.
After enabling and configuring startup configuration verification, the device verifies the hash checksum of the startup configuration during every reload.
DellEMC# verified boot hash startup-config 619A8C1B7A2BC9692A221E2151B9DA9E
Configuring the root User Password
For added security, you can change the root user password.
• A minimum of one special character including a space (" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~")
If you enable the boot access password, the system prompts for a password when you access the GRUB interface.
DellEMC(conf)#boot-access password 7 Hg$7^5HMoiY%
***********************************************************************
* Warning - boot-access password will enable password protection in *
* GRUB. Keep it safe. Forgetting this password and the CLI password *
* may result in switch becoming inaccessible.
48 Service Provider Bridging VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 113. VLAN Stacking in a Service Provider Network
Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
• Trunk port — a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
DellEMC#
M Te 3/13/1
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100. To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell EMC Networking OS displays the S-Tag TPID only if it is a non-default value.
* 1 100 101 103 Inactive Inactive Inactive Inactive U Te 1/1/1 T Te 1/1/1 M Te 1/1/1
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
debug member
The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
Figure 114.
Figure 115.
Figure 116. Single and Double-Tag TPID Mismatch
VLAN Stacking Packet Drop Precedence
VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested.
Enabling Drop Eligibility
Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Default DEI behavior (flattened table; columns are Ingress Access Port, Ingress Trunk Port and Egress, rows are DEI Disabled and DEI Enabled): Retain outer tag CFI; Set outer tag CFI to 0; Retain inner tag CFI; Retain inner tag CFI; Set outer tag CFI to 0; Set outer tag CFI to 0.
To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
CONFIGURATION mode
dei enable
By default, packets are colored green, and DEI is marked 0 on egress.
-------------------------------
Te 1/1/1 Green 0
Te 1/1/1 Yellow 1
Te 2/9/1 Yellow 0
Te 2/10/1 Yellow 0
Dynamic Mode CoS for VLAN Stacking
One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS.
qos-policy-input 3 layer2 rate-police 40
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets have outer dot1p 0 and are therefore queued to Queue 1 and policed according to qos-policy-input 1.
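An added Python example (not code from the Dell EMC manual) that models the S-Tag handling described above: parsing a double-tagged frame against the configured vlan-stack protocol-type, reading the PCP and DEI bits of both tags, and pushing an S-Tag whose outer dot1p is derived from the C-Tag as in the dynamic-mode CoS example. Frames are constructed inline; the pcp_map shape and the function names are assumptions.

```python
"""Added example, not code from the Dell EMC manual: Q-in-Q (802.1ad) tag
handling as a provider bridge sees it.

parse_tags() recognizes an outer tag as an S-Tag only when its TPID equals
the value configured with `vlan-stack protocol-type` (default 0x9100 on Dell
EMC Networking OS); push_stag() adds an S-Tag on a hypothetical access port,
deriving the outer dot1p from the C-Tag the way dynamic-mode CoS does.
"""
import struct

CTAG_TPID = 0x8100          # 802.1Q customer tag
DEFAULT_STAG_TPID = 0x9100  # Dell EMC Networking OS default S-Tag TPID
IEEE_STAG_TPID = 0x88A8     # S-Tag TPID defined by IEEE 802.1ad


def _split_tci(tci):
    """Split a 16-bit Tag Control Information field into (pcp, dei, vid)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def parse_tags(frame, stag_tpid=DEFAULT_STAG_TPID):
    """Return the S-Tag, C-Tag and payload ethertype of an Ethernet frame.

    The first tag is an S-Tag only if its TPID matches stag_tpid; a 0x8100
    tag is the C-Tag. Any other value stops tag parsing, which is what a
    TPID mismatch (Figure 116) looks like: the outer tag is not recognized
    and the frame is handled as if it carried no S-Tag.
    """
    result = {"stag": None, "ctag": None, "ethertype": None}
    off = 12  # skip destination and source MAC
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated Ethernet frame")
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid == stag_tpid and result["stag"] is None and result["ctag"] is None:
            key = "stag"
        elif tpid == CTAG_TPID and result["ctag"] is None:
            key = "ctag"
        else:
            result["ethertype"] = tpid
            return result
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        pcp, dei, vid = _split_tci(struct.unpack_from("!H", frame, off + 2)[0])
        result[key] = {"tpid": tpid, "pcp": pcp, "dei": dei, "vid": vid}
        off += 4


def push_stag(frame, svid, stag_tpid=DEFAULT_STAG_TPID, pcp_map=None, dei=0):
    """Insert an S-Tag behind the MAC addresses of a customer frame.

    pcp_map (assumed shape: {ctag_pcp: outer_pcp}) models dynamic-mode CoS;
    a C-Tag priority not in the map, or an untagged customer frame, gets
    outer dot1p 0. dei is the DEI/CFI bit written into the S-Tag.
    """
    inner = parse_tags(frame, stag_tpid=None)  # customer side: only C-Tags count
    pcp = 0
    if pcp_map and inner["ctag"] is not None:
        pcp = pcp_map.get(inner["ctag"]["pcp"], 0)
    tci = (pcp << 13) | ((dei & 1) << 12) | (svid & 0xFFF)
    return frame[:12] + struct.pack("!HH", stag_tpid, tci) + frame[12:]


def build_ctag_frame(cvid, pcp, payload=b"\x00" * 46):
    """Constructed sample: a customer frame with one 802.1Q tag and IPv4 type."""
    dst = bytes.fromhex("0001e80695ac")  # sample MACs, constructed
    src = bytes.fromhex("4c7625f4ab02")
    return dst + src + struct.pack("!HHH", CTAG_TPID, (pcp << 13) | cvid, 0x0800) + payload


if __name__ == "__main__":
    customer = build_ctag_frame(cvid=100, pcp=2)
    # Dynamic-mode CoS from the manual's example: C-Tag dot1p 0-3 -> outer dot1p 7
    stacked = push_stag(customer, svid=2000, pcp_map={p: 7 for p in range(4)})
    print(parse_tags(stacked))                            # S-Tag 2000 pcp 7, C-Tag 100
    print(parse_tags(stacked, stag_tpid=IEEE_STAG_TPID))  # TPID mismatch: no tags seen
```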
Figure 118. VLAN Stacking without L2PT
You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 119. VLAN Stacking with L2PT
Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following command.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
EXEC Privilege mode
show cam-profile
2.
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
• Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
The same is true for GARP VLAN registration protocol (GVRP). 802.1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address, 01-80-C2-00-00-0D, to exchange GARP PDUs instead of the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them.
49 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
Important Points to Remember
• The Dell EMC Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.
• By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively.
• Dell EMC Networking OS exports all sFlow packets to the collector.
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
Important Points to Remember
• To export extended-gateway data, BGP must learn the IP destination address. If the IP destination address is not learned via BGP, the Dell EMC Networking system does not export extended-gateway data.
• If the IP source address is learned via IGP, srcAS and srcPeerAS are zero.
Enabling sFlow Max-Header Size Extended
To configure the maximum header size of a packet to 256 bytes, use the following commands:
• Set the maximum header size of a packet.
CONFIGURATION mode
INTERFACE mode
sflow max-header-size extended
By default, the maximum header size of a packet is 128 bytes. When sflow max-header-size extended is enabled, 256 bytes are copied. These bytes are useful for VxLAN, NvGRE, IPv4, and IPv6 tunneled packets.
NOTE: Interface mode configuration takes priority.
Displaying Show sFlow Global
To view sFlow statistics, use the following command.
• Display sFlow configuration information and statistics.
EXEC mode
show sflow
The first bold line indicates sFlow is globally enabled. The second bold lines indicate sFlow is enabled on te 1/29/1 and te 1/29/2.
DellEMC#show sflow
sFlow services are enabled
Global default sampling rate: 32768
Global default counter polling interval: 20
1 collectors configured
Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
interface TenGigabitEthernet 1/16/1
no ip address
switchport
sflow ingress-enable
sflow sample-rate 8192
no shutdown
Displaying Show sFlow on a Stack-unit
To view sFlow statistics on a specified Stack-unit, use the following command.
• Display sFlow configuration information and statistics on the specified interface.
As a result of back-off, the actual sampling-rate of an interface may differ from its configured sampling rate. You can view the actual sampling-rate of the interface and the configured sample-rate by using the show sflow command.
sFlow on LAG ports
When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port.
50 Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.
NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
• Monitor Port-Channels
• Troubleshooting SNMP Operation
• Transceiver Monitoring
• Configuring SNMP context name
Protocol Overview
Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB).
SHA authentication needs to be used with the AES-CFB128 privacy algorithm only when FIPS is enabled, because SHA is then the only available authentication level. If FIPS is disabled, you can use MD5 authentication in addition to SHA authentication with the AES-CFB128 privacy algorithm. You cannot modify the FIPS mode if SNMPv3 users are already configured and present in the system.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, password and privacy privileges. You can configure a maximum of 16 users even if they are in different groups.
• snmp-server group groupname {oid-tree} auth read name write name
• Configure an SNMPv3 view.
CONFIGURATION mode
snmp-server view view-name 3 noauth {included | excluded}
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
Writing Managed Object Values
You may only alter (write) a managed object value if your management station is a member of the same community as the SNMP agent, and the object is writable. Use the following command to write or write-over the value of a managed object.
• To write or write-over the value of a managed object.
snmpset -v version -c community agent-ip {identifier.instance | descriptor.instance} syntax value
> snmpset -v 2c -c mycommunity 10.11.131.161 sysName.0 s "R5"
SNMPv2-MIB::sysName.
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
• Dell EMC Networking enterpriseSpecific environment traps — fan, supply, and temperature.
• Dell EMC Networking enterpriseSpecific protocol traps — bgp, ecfm, stp, and xstp.
To configure the system to send SNMP notifications, use the following commands.
1. Configure the Dell EMC Networking system to send notifications to an SNMP server.
ABNORMAL_TASK_TERMINATION: CRASH - task:%s %s
CPU_THRESHOLD: Cpu %s usage above threshold. Cpu5SecUsage (%d)
CPU_THRESHOLD_CLR: Cpu %s usage drops below threshold. Cpu5SecUsage (%d)
MEM_THRESHOLD: Memory %s usage above threshold. MemUsage (%d)
MEM_THRESHOLD_CLR: Memory %s usage drops below threshold. MemUsage (%d)
DETECT_STN_MOVE: Station Move threshold exceeded for Mac %s in vlan %d
CAM-UTILIZATION: Enable SNMP envmon CAM utilization traps.
4:08:15.68,SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Tf 1/1 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
%SPANMGR-5-MSTP_TOPOLOGY_CHANGE: Topology change BridgeAddr: 0001.e801.fc35 Mstp Instance Id 0 port Te 1/8/1 transitioned from forwarding to discarding state.
Table 103. List of Syslog Server MIBS that have read access
MIB Object | OID | Object Values | Description
dF10SysLogTraps | 1.3.6.1.4.1.6027.3.30.1.1 | 1 = reachable, 2 = unreachable | Specifies whether the syslog server is reachable or unreachable.
The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.1
SNMPv2-SMI::enterprises.
MIB Object | OID | Object Values | Description
(continuation of the previous row's object values) 3 = tftp, 4 = ftp, 5 = scp, 6 = usbflash
copySrcFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 | Path (if the file is not in the current directory) and filename. | Specifies the name of the file. If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. If copySourceFileType is set to running-config or startup-config, copySrcFileName is not required.
copyDestFileType | .1.3.6.1.4.1.6027.3.5.1.1.1.1.
CONFIGURATION mode
snmp-server community community-name rw
2. Copy the f10-copy-config.mib MIB from the Dell iSupport web page to the server to which you are copying the configuration file.
3. On the server, use the snmpset command as shown in the following example.
snmpset -v snmp-version -c community-name -m mib_path/f10-copy-config.mib force10system-ipaddress mib-object.index {i | a | s} object-value...
• Every specified object must have an object value and must be preceded by the keyword i.
Copying the Startup-Config Files to the Running-Config
To copy the startup-config to the running-config from a UNIX machine, use the following command.
• Copy the startup-config to the running-config from a UNIX machine.
snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.index i 2
The following example shows how to copy configuration files from a UNIX machine using the object name.
> snmpset -c public -v 2c -m ./f10-copy-config.mib 10.11.131.162 copySrcFileType.
Copy a Binary File to the Startup-Configuration
To copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP, use the following command.
• Copy a binary file from the server to the startup-configuration on the Dell EMC Networking system via FTP.
snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.index s filepath/filename copyDestFileType.
The following examples show the snmpget command to obtain a MIB object value. These examples assume that:
• the server OS is UNIX
• you are using SNMP version 2c
• the community name is public
• the file f10-copy-config.mib is in the current directory
NOTE: In UNIX, enter the snmpset command for help using this command.
The following examples show the command syntax using MIB object names and the same command using the object OIDs.
average input-power start time. These statistics can also be obtained by using the CLI command: show environment. The following table lists the related MIB objects, OID and description for the same:
Table 107. MIB Objects to Display the Information for Power Monitoring
MIB Object | OID | Description
envMonSupplyCurrentPower | 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5 | Displays per PSU input power (current configuration).
envMonSupplyAveragePower | 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.
MIB Object | OID | Description
dellNetIfTransReceivePowerLane1 | 1.3.6.1.4.1.6027.3.11.1.3.1.1.12 | Specifies Lane 1 Rx power value in dBm
dellNetIfTransReceivePowerLane2 | 1.3.6.1.4.1.6027.3.11.1.3.1.1.13 | Specifies Lane 2 Rx power value in dBm
dellNetIfTransReceivePowerLane3 | 1.3.6.1.4.1.6027.3.11.1.3.1.1.14 | Specifies Lane 3 Rx power value in dBm
dellNetIfTransReceivePowerLane4 | 1.3.6.1.4.1.6027.3.11.1.3.1.1.15 | Specifies Lane 4 Rx power value in dBm
dellNetIfTransTemperature | 1.3.6.1.4.1.6027.3.11.1.3.
MIB Support to Display the Software Core Files Generated by the System
Dell EMC Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects.
Table 110. MIB Objects for Displaying the Software Core Files Generated by the System
MIB Object | OID | Description
chSysSwCoresTable | 1.3.6.1.4.1.6027.3.10.1.2.
MIB Support for PFC Storm Control
Dell EMC Networking provides MIB objects to display the information for PFC Storm Control. The OIDs specific to PFC Storm Control are appended to the dellNetFpStatsMib. These statistics can also be obtained by using the CLI commands: show storm-control pfc status stack-unit <> port-set <> and show storm-control pfc statistics stack-unit <> port-set <>. The following table lists the related MIB objects, OID and description for the same:
Table 111.
Table 112. MIB Objects to Display the Information for PFC no-drop-priority L2Dlf Drop
MIB Object | OID | Description
dellNetFpPfcL2DlfDropCounterTable | 1.3.6.1.4.1.6027.3.27.1.22 | Table to show the drop counters of pfc-nodrop-priority l2-dlf drop.
dellNetFpPfcL2DlfDropCounterEntry | 1.3.6.1.4.1.6027.3.27.1.22.1 | Table entry to show the drop counters of pfc-nodrop-priority l2-dlf drop.
dellNetFpPfcL2DlfDropCounters | 1.3.6.1.4.1.6027.3.27.1.22.1.
MIB Support to Display the Available Partitions on Flash
Dell EMC Networking provides MIB objects to display the information of various partitions such as /flash, /tmp, /usr/pkg, and /f10/ConfD. The dellNetFlashStorageTable table contains the list of all partitions on disk. The following table lists the related MIB objects:
Table 115. MIB Objects to Display the Available Partitions on Flash
MIB Object | OID | Description
dellNetFlashPartitionNumber | 1.3.6.1.4.1.6027.3.26.1.4.8.1.1 | Index for the table.
Viewing the ECMP Group Count Information
• To view the ECMP group count information generated by the system, use the following command.
snmpwalk -c public -v 2c 10.16.151.191 1.3.6.1.4.1.6027.3.9
SNMPv2-SMI::enterprises.6027.3.9.1.1.1.2.1.1 = Counter64: 79
SNMPv2-SMI::enterprises.6027.3.9.1.1.1.2.1.2 = Counter64: 1
SNMPv2-SMI::enterprises.6027.3.9.1.3.0 = Gauge32: 18
SNMPv2-SMI::enterprises.6027.3.9.1.4.0 = Gauge32: 1
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.10.1.1.0.24.0.0.0.
MIB Object | OID | Description
dellNetFpEgIPv4L3UCAgedDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.16 | IPv4 L3 UC Aged and Drops.
dellNetFpEgTTLThresholdDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.17 | TTL Threshold Drops.
dellNetFpEgInvalidVLANCounterDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.18 | Invalid VLAN Counter Drops.
dellNetFpEgL2MCDrops | 1.3.6.1.4.1.6027.3.27.1.3.1.19 | L2 MC Drops.
dellNetFpEgPktDropsOfAnyCondition | 1.3.6.1.4.1.6027.3.27.1.3.1.20 | Packet Drops of ANY Conditions.
dellNetFpEgHgMacUnderFlow | 1.3.6.1.4.1.
.1.3.6.1.2.1.47.1.3.2.1.2.30.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100356
.1.3.6.1.2.1.47.1.3.2.1.2.31.0 = OID: .1.3.6.1.2.1.2.2.1.1.2100484
MIB Support for LAG
Dell EMC Networking provides a method to retrieve the configured LACP information (Actor and Partner). Actor (local interface) designates the parameters and flags pertaining to the sending node, while the term Partner (remote interface) designates the sending node's view of its peer parameters and flags.
MIB Object | OID | Description
(continuation of the previous row's description) delivering the frame to its MAC Client or discarding the frame.
dot3adAggPortListTable | 1.2.840.10006.300.43.1.1.2 | Contains a list of all the ports associated with each Aggregator. Each LACP channel in a device occupies an entry in the table.
dot3adAggPortListEntry | 1.2.840.10006.300.43.1.1.2.1 | Contains a list of ports associated with a given Aggregator and indexed by the ifIndex of the Aggregator.
dot3adAggPortListPorts | 1.2.840.10006.300.43.1.1.2.1.
snmpwalk -v2c -c mycommunity 10.16.150.83 1.0.8802.1.1.2.1.4
iso.0.8802.1.1.2.1.4.1.1.6.0.2113029.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.3161092.6 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.3161605.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.4209668.6 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.4210181.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.9437185.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.7.0.2113029.2 = STRING: "fortyGigE 1/50"
iso.0.8802.1.1.2.1.4.1.1.7.0.3161092.
snmpwalk -v2c -c public 10.16.150.83 1.0.8802.1.1.2.1.4.4.1.4
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.1.133 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.2.134 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.3.135 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.4.136 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.5.137 = STRING: "Dell"
snmpget -v2c -c public 10.16.150.102 1.0.8802.1.1.2.1.4.4.1.4.0.1048580.2.0.1.232.16.1
iso.0.
MIB Object | OID | Access or Permission | Description
dellNetPortSecIfSecureMacLimit | 1.3.6.1.4.1.6027.3.31.1.2.1.1.3 | read-write | Maximum number (N) of MAC addresses to be secured on the interface
dellNetPortSecIfCurrentMacCount | 1.3.6.1.4.1.6027.3.31.1.2.1.1.4 | read-only | Current number of MAC addresses learnt or configured on this interface
dellNetPortSecIfStationMoveEn | 1.3.6.1.4.1.6027.3.31.1.2.1.1.
MAC addresses cannot be retrieved using dellNetPortSecSecureStaticMacAddrTable and dellNetPortSecSecureMacAddrTable. These tables are valid only if the port security feature is enabled globally in the system.
Table 126. MIB Objects for configuring MAC addresses
MIB Object | OID | Access or Permission | Description
dellNetPortSecIfSecureStaticMacRowStatus | 1.3.6.1.4.1.6027.3.31.1.2.2.1.4 | read-write | Allows adding or deleting entries to or from the table dellNetPortSecSecureStaticMacAddrTable.
MIB Support for CAM
Dell EMC Networking provides a method to retrieve the CAM usage information. The following table lists the related MIB objects:
Table 128. MIB Objects for CAM
MIB Object | OID | Description
camUsageL2PipeLine | 1.3.6.1.4.1.6027.3.7.1.1.2.1.11 | Contains information about the pipeline number of the chip on the layer 2 switch where CAM is located.
camUsageL3Pip | 1.3.6.1.4.1.6027.3.7.1.1.3.1.
MIB support for MAC notification traps
Dell EMC Networking OS provides MIB support to generate SNMP trap messages on learning or station move of a new or existing MAC address in the system, with mac-address, vlan-id, and port details. The following table lists the related MIB objects, OID, and description for the same:
Table 129. MIB Objects for MAC notification traps
MIB Object | OID | Description
dellNetMacNotifMib | 1.3.6.1.4.1.6027.3.28.1 | Contains the MAC notification groups.
Assigning a VLAN Alias
Write a character string to the dot1qVlanStaticName object to assign a name to a VLAN.
[Unix system output]
> snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.1.1107787786 s "My VLAN"
SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.
Fetch Dynamic MAC Entries using SNMP
Dell EMC Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.
NOTE: The 802.1q Q-BRIDGE MIB defines VLANs with respect to 802.1d, as 802.1d itself does not define them. As a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address query.
1000 00:01:e8:06:95:ac Dynamic Po 1 Active
-------------Query from Management Station---------------------
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.4.1.6027.3.2.1.1.5
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.1.1000.0.1.232.6.149.172.1 =
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.2.1000.0.1.232.6.149.172.1 = 06 95 AC
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.3.1000.0.1.232.6.149.172.1 =
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.4.1000.0.1.232.6.149.172.
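As an added example (not code from the Dell EMC manual), the following Python decodes walk output of the kind shown above: it parses snmpwalk lines, extracts the VLAN and MAC encoded in the index of the Dell MAC address table, and expands the Q-BRIDGE PortList bitmap that dot1qVlanStaticEgressPorts returns as a Hex-STRING. The sample walk is constructed, and the MAC-table index layout (column.vlan.mac-octets.trailing) is inferred from the manual's output.

```python
"""Added example, not code from the Dell EMC manual: decode snmpwalk output
of the kind shown in this chapter.

Two index encodings are handled: the Dell MAC address table
(enterprises.6027.3.2.1.1.5), whose OID suffix carries the VLAN and the MAC,
and the Q-BRIDGE dot1qVlanStaticTable (mib-2.17.7.1.4.3), whose egress
port set is a PortList bitmap printed as a Hex-STRING.
"""
import re

MAC_TABLE_PREFIX = "SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1."
VLAN_STATIC_PREFIX = "SNMPv2-SMI::mib-2.17.7.1.4.3.1."

# Constructed sample walk: the VLAN index, VLAN name and MAC are the manual's
# values, the MAC table column values are made up and the PortList is
# shortened to four octets.
SAMPLE_WALK = """\
SNMPv2-SMI::mib-2.17.7.1.4.3.1.1.1107787786 = STRING: "My VLAN"
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.1.1000.0.1.232.6.149.172.1 = INTEGER: 1000
SNMPv2-SMI::enterprises.6027.3.2.1.1.5.1.2.1000.0.1.232.6.149.172.1 = Hex-STRING: 00 01 E8 06 95 AC
"""

_LINE = re.compile(r"^(\S+) = (?:([\w-]+): )?(.*)$")


def parse_walk(text):
    """Yield (oid, type, value) for every single-line 'oid = TYPE: value' entry.

    Multi-line Hex-STRING continuations, as net-snmp prints for long
    PortLists, are not joined here; join them before calling.
    """
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).strip('"')


def decode_mac_index(oid):
    """Decode a MAC table OID into (column, vlan, 'aa:bb:cc:dd:ee:ff').

    Index layout inferred from the manual's walk (an assumption):
    <column>.<vlan>.<six MAC octets>.<trailing sub-identifier>.
    """
    if not oid.startswith(MAC_TABLE_PREFIX):
        raise ValueError("not a MAC address table OID")
    parts = [int(p) for p in oid[len(MAC_TABLE_PREFIX):].split(".")]
    if len(parts) < 8:
        raise ValueError("MAC table index too short")
    column, vlan, octets = parts[0], parts[1], parts[2:8]
    if not 1 <= vlan <= 4094 or any(o > 255 for o in octets):
        raise ValueError("malformed MAC table index")
    return column, vlan, ":".join("%02x" % o for o in octets)


def portlist_to_ports(hex_string):
    """Expand a Q-BRIDGE PortList (RFC 4363) into 1-based port numbers.

    Octet 1 covers ports 1-8, octet 2 ports 9-16, and so on; within an
    octet the most significant bit is the lowest-numbered port, so a
    leading 0x40 means port 2.
    """
    ports = []
    for i, byte in enumerate(bytes.fromhex(hex_string.replace(" ", ""))):
        for bit in range(8):
            if byte & (0x80 >> bit):
                ports.append(i * 8 + bit + 1)
    return ports


def summarize(text):
    """Group a walk into VLAN names/egress ports and per-(vlan, mac) columns."""
    vlans, macs = {}, {}
    for oid, _typ, value in parse_walk(text):
        if oid.startswith(VLAN_STATIC_PREFIX):
            rest = oid[len(VLAN_STATIC_PREFIX):]
            if "." not in rest:
                continue
            col, index = rest.split(".", 1)
            entry = vlans.setdefault(int(index), {})
            if col == "1":        # dot1qVlanStaticName
                entry["name"] = value
            elif col == "2":      # dot1qVlanStaticEgressPorts
                entry["ports"] = portlist_to_ports(value)
        elif oid.startswith(MAC_TABLE_PREFIX):
            col, vlan, mac = decode_mac_index(oid)
            macs.setdefault((vlan, mac), {})[col] = value
    return {"vlans": vlans, "macs": macs}


if __name__ == "__main__":
    print(summarize(SAMPLE_WALK))
```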
• snmp-server community vrf2 ro
• snmp-server context context1
• snmp-server context context2
• snmp mib community-map vrf1 context context1
• snmp mib community-map vrf1 context context2
2. Configure snmp context under the VRF instances.
sho run bgp
router bgp 100
 address-family ipv4 vrf vrf1
  snmp context context1
  neighbor 20.1.1.1 remote-as 200
  neighbor 20.1.1.1 no shutdown
 exit-address-family
 address-family ipv4 vrf vrf2
  snmp context context2
  timers bgp 30 90
  neighbor 30.1.1.
Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
Example of Viewing Changed Interface State for Monitored Ports
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Te 1/1/1"
2010-02-10 14:22:39 10.16.130.4 [10.16.130.4]:
SNMPv2-MIB::sysUpTime.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.18.2113540 = STRING: "7.530000"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.19.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.20.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.21.2113540 = ""
Table 132. SNMP OIDs for Transceiver Monitoring
Field (OID) | Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.1 | Device Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.2 | Port
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.
51 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
To view the storm control configuration, use the show storm-control broadcast | multicast | unknown-unicast | pfc-llfc [interface] command.
• storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets. This can be the result of a faulty NIC or switch that sends spurious PFC/LLFC packets.
Restore Queue Drop State
You can restore the queue drop triggered by storm control PFC detection to the normal state. Once storm control PFC is detected on a port or priority, you can activate the queue drop action. You can restore the dropped queue to the normal state under the following conditions. You can restore the queue after a particular period of time. Use the queue-drop backoff-force polling-count command to remove the queue-drop state after the specified number of polling cycles is done.
52 Spanning Tree Protocol (STP)
The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
Important Points to Remember
• STP is disabled by default.
• The Dell EMC Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
• You may only enable one flavor of spanning tree at any one time.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
INTERFACE mode
no shutdown
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
CONFIGURATION mode
protocol spanning-tree 0
2. Enable STP.
PROTOCOL SPANNING TREE mode
no disable
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group
To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
INTERFACE mode
spanning-tree 0
Modifying Global Parameters
You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
PROTOCOL SPANNING TREE mode
max-age seconds
The range is from 6 to 40. The default is 20 seconds.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost — a value that is based on the interface type.
no shutdown
DellEMC#(conf-if-te-1/1/1)#
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 122. Enabling BPDU Guard
Dell EMC Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
• is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
• drops the BPDU after it reaches the RP and generates a console message.
Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
• Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 123. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command from EXEC Privilege mode.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
• Enable SNMP traps for spanning tree state changes.
  snmp-server enable traps stp
• Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 124. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
• If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
• When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN.
To enable a loop guard on an STP-enabled port or port-channel interface, use the following command.
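The three protections above (BPDU guard on edgeports, root guard against a superior BPDU, loop guard against missing BPDUs) are easiest to reason about as per-port decisions on a received Configuration BPDU. The following is an added example, not Dell EMC Networking OS code: it parses the IEEE 802.1D Configuration BPDU format (35 bytes) and applies each guard. The class and function names, the state strings and the sample bridge IDs are this example's own; the BPDU layout is from the standard.

```python
"""BPDU guard, root guard and loop guard, modelled as port-level decisions.

Added example, not Dell EMC Networking OS code. The BPDU layout is the
IEEE 802.1D Configuration BPDU (35 bytes); the class and function names,
the state strings and the sample bridge IDs are this example's own.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Protocol id, version, type, flags, root id (priority + MAC), root path cost,
# bridge id (priority + MAC), port id, message age, max age, hello, fwd delay.
# The four timers are carried in units of 1/256 second.
BPDU_FMT = ">HBBBH6sIH6sHHHHH"
BPDU_LEN = struct.calcsize(BPDU_FMT)  # 35


@dataclass(frozen=True)
class BridgeId:
    priority: int   # 0..65535, lower wins the root election
    mac: bytes      # 6-byte bridge MAC, the tie-breaker

    def key(self) -> Tuple[int, bytes]:
        return (self.priority, self.mac)


def build_bpdu(root: BridgeId, cost: int, sender: BridgeId,
               port_id: int = 0x8001, max_age: int = 20) -> bytes:
    """Build a Configuration BPDU; used here only to construct sample input."""
    return struct.pack(BPDU_FMT, 0x0000, 0, 0, 0,
                       root.priority, root.mac, cost,
                       sender.priority, sender.mac, port_id,
                       0, max_age * 256, 2 * 256, 15 * 256)


def parse_bpdu(data: bytes) -> Tuple[BridgeId, int, BridgeId, float]:
    """Return (root id, root path cost, sender bridge id, max age in seconds)."""
    if len(data) < BPDU_LEN:
        raise ValueError("short BPDU")
    (proto, _ver, typ, _flags, rprio, rmac, cost, bprio, bmac,
     _pid, _msg_age, max_age, _hello, _fwd) = struct.unpack(BPDU_FMT, data[:BPDU_LEN])
    if proto != 0 or typ != 0:
        raise ValueError("not a Configuration BPDU")
    return BridgeId(rprio, rmac), cost, BridgeId(bprio, bmac), max_age / 256


@dataclass
class Port:
    name: str
    edgeport: bool = False     # Portfast/Edgeport: connects to an end station
    bpdu_guard: bool = False
    root_guard: bool = False
    loop_guard: bool = False
    state: str = "Forwarding"
    seconds_since_bpdu: float = 0.0
    log: List[str] = field(default_factory=list)


class StpBridge:
    def __init__(self, my_id: BridgeId, current_root: BridgeId, max_age: float = 20.0):
        self.my_id = my_id
        self.root = current_root
        self.max_age = max_age

    def on_bpdu(self, port: Port, raw: bytes) -> str:
        """Apply BPDU guard and root guard to a BPDU received on `port`."""
        if port.edgeport and port.bpdu_guard:
            # An end-station port must never see a BPDU: block all traffic
            # on the port and log it (the BPDU itself is dropped).
            port.state = "Blocked(BPDU-guard)"
            port.log.append(f"{port.name}: BPDU received on edgeport, port blocked")
            return port.state
        root, _cost, sender, _age = parse_bpdu(raw)
        port.seconds_since_bpdu = 0.0
        if port.root_guard and root.key() < self.root.key():
            # A superior BPDU on a port that must not lead to the root: refuse
            # the new root and block the port while the claim persists.
            port.state = "Root-Inconsistent"
            port.log.append(f"{port.name}: superior BPDU from {sender.mac.hex(':')} ignored")
            return port.state
        port.state = "Forwarding"
        return port.state

    def tick(self, port: Port, seconds: float) -> str:
        """Advance the port timer; loop guard reacts to BPDUs going missing."""
        port.seconds_since_bpdu += seconds
        if port.loop_guard and port.seconds_since_bpdu >= self.max_age:
            # Silence on a port that should carry BPDUs (for example a
            # unidirectional link) would otherwise let it forward and loop.
            port.state = "Loop-Inconsistent"
            port.log.append(f"{port.name}: no BPDU for {port.seconds_since_bpdu:.0f}s")
        return port.state
```

Root guard compares the advertised root ID with the bridge's current root as a (priority, MAC) pair, which is the same ordering the root election in Selecting STP Root uses; a rogue switch with priority 0 is refused without ever being considered as root.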
53 SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see the Dell EMC Networking Open Automation guide.
Figure 125.
Enable the SupportAssist service. CONFIGURATION mode support-assist activate DellEMC(conf)#support-assist activate This command guides you through steps to configure SupportAssist. Configuring SupportAssist Manually To manually configure SupportAssist service, use the following commands. 1. Accept the end-user license agreement (EULA). CONFIGURATION mode eula-consent {support-assist} {accept | reject} NOTE: Once accepted, you do not have to accept the EULA again.
support-assist DellEMC(conf)#support-assist DellEMC(conf-supportassist)# 3. (Optional) Configure the contact information for the company. SUPPORTASSIST mode contact-company name {company-name}[company-next-name] ... [company-next-name] DellEMC(conf)#support-assist DellEMC(conf-supportassist)#contact-company name test DellEMC(conf-supportassist-cmpy-test)# 4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer|core-transfer|event-transfer} DellEMC(conf-supportassist)#activity full-transfer DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist)#activity core-transfer DellEMC(conf-supportassist-act-core-transfer)# DellEMC(conf-supportassist)#activity event-transfer DellEMC(conf-supportassist-act-event-transfer)# 2. Copy an action-manifest file for an activity to the system.
[no] enable DellEMC(conf-supportassist-act-full-transfer)#enable DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-core-transfer)#enable DellEMC(conf-supportassist-act-core-transfer)# DellEMC(conf-supportassist-act-event-transfer)#enable DellEMC(conf-supportassist-act-event-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com DellEMC(conf-supportassist-pers-john_doe)# 3. Configure phone numbers of the contact person. SUPPORTASSIST PERSON mode [no] phone primary phone [alternate phone] DellEMC(conf-supportassist-pers-john_doe)#phone primary +919999999999 DellEMC(conf-supportassist-pers-john_doe)# 4. Configure the preferred method for contacting the person.
[no] url uniform-resource-locator DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm DellEMC(conf-supportassist-serv-default)# Viewing SupportAssist Configuration To view the SupportAssist configurations, use the following commands: 1. Display information on the SupportAssist feature status including any activities, status of communication, last time communication sent, and so on.
show eula-consent {support-assist | other feature} DellEMC#show eula-consent support-assist SupportAssist EULA has been: Accepted Additional information about the SupportAssist EULA is as follows: By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
54 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set the system time and date manually and maintain them through NTP. They are also set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview
The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
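Log timestamps are only usable for incident correlation if the switch clock is actually synchronized, so the show ntp status output is worth checking by script rather than by eye. The following is an added example, not Dell EMC Networking OS code: it parses the sample output above (embedded as a constructed string) and decodes the 64-bit NTP reference timestamp deeef7ef.85eeaa10 into the UTC date the switch prints beside it. The thresholds in ntp_health() are this example's own policy choices.

```python
"""Parse `show ntp status` and decode the 64-bit NTP reference timestamp.

Added example, not Dell EMC Networking OS code. SAMPLE is the `show ntp status`
output from this page, embedded as a constructed string; the thresholds in
ntp_health() are this example's own policy choices.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

SAMPLE = """Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
"""

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_timestamp_to_datetime(ts: str) -> datetime:
    """Convert 'seconds.fraction' (both hex, 32 bits each) to a UTC datetime.

    The integer part counts seconds since 1900-01-01; the fraction is in units
    of 2**-32 s. NTP era 0 wraps in 2036; the value on this page is in era 0.
    """
    sec_hex, frac_hex = ts.split(".")
    seconds = int(sec_hex, 16) + int(frac_hex, 16) / 2 ** 32
    return NTP_EPOCH + timedelta(seconds=seconds)


def parse_ntp_status(text: str) -> Dict[str, object]:
    """Pull the fields a monitoring check cares about out of the CLI text."""
    head = re.search(r"Clock is (\w+), stratum (\d+), reference is (\S+), vrf-id is (\d+)", text)
    ref = re.search(r"reference time ([0-9a-fA-F]+\.[0-9a-fA-F]+)", text)
    offset = re.search(r"clock offset is (-?[0-9.]+) msec", text)
    delay = re.search(r"root delay is (-?[0-9.]+) msec", text)
    if not (head and ref and offset and delay):
        raise ValueError("unrecognised show ntp status output")
    return {
        "synchronized": head.group(1) == "synchronized",
        "stratum": int(head.group(2)),
        "reference": head.group(3).rstrip(","),
        "vrf_id": int(head.group(4)),
        "reference_time": ntp_timestamp_to_datetime(ref.group(1)),
        "offset_ms": float(offset.group(1)),
        "root_delay_ms": float(delay.group(1)),
    }


def ntp_health(status: Dict[str, object], max_stratum: int = 10,
               max_offset_ms: float = 128.0) -> List[str]:
    """Return the reasons this clock should not be trusted for log correlation."""
    problems: List[str] = []
    if not status["synchronized"]:
        problems.append("clock is not synchronized to any NTP source")
    if status["stratum"] > max_stratum:
        problems.append(f"stratum {status['stratum']} exceeds {max_stratum}")
    if abs(status["offset_ms"]) > max_offset_ms:
        problems.append(f"offset {status['offset_ms']} ms exceeds {max_offset_ms} ms")
    return problems


if __name__ == "__main__":
    parsed = parse_ntp_status(SAMPLE)
    print(parsed["reference_time"].isoformat(timespec="milliseconds"))
    print(ntp_health(parsed) or "clock OK")
```

The decoded timestamp must equal the human-readable date on the same line; a disagreement means the text was captured from a different device or mangled in transit.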
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
• For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
• For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
5. Configure the switch as NTP master.
   CONFIGURATION mode
   ntp master
To configure the switch as NTP Server, use the ntp master command. The stratum number identifies the NTP Server's hierarchy. The following example shows configuring an NTP server.
Dell EMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.44
ntp server 10.16.127.86
ntp server 10.16.127.
• Receive Timestamp — the arrival time on the client of the last NTP message from the server. If the server becomes unreachable, the value is set to zero. • Transmit Timestamp — the departure time on the server of the current NTP message from the sender. • Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer. To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode.
Setting the Time and Date for the Switch Software Clock You can change the order of the month and day parameters to enter the time and date as time day month year. You cannot delete the software clock. The software clock runs only when the software is up. The clock restarts, based on the hardware clock, when the switch reboots. To set the software clock, use the following command. • Set the system software clock to the current time and date.
• time-zone: enter the three-letter name for the time zone. This name displays in the show clock output.
• start-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year.
• start-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year.
• start-year: enter a four-digit number as the year.
• offset: (OPTIONAL) Enter the number of minutes to add during the summer-time period. The range is from 1 to 1440. The default is 60 minutes.
The following example shows the clock summer-time recurring command.
55 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPv6 mode (an IPv6 tunnel carries IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
interface TenGigabitEthernet 1/1/1
ip address 20.1.1.1/24
ipv6 address 20:1::1/64
no shutdown
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.
tunnel source anylocal
tunnel allow-remote 40.1.1.2
tunnel mode ipip decapsulate-any
no shutdown
Guidelines for Configuring Multipoint Receive-Only Tunnels
• You can configure up to eight remote end-points for a multipoint receive-only tunnel.
• The maximum number of remote end-points supported for all multipoint receive-only tunnels on the switch depends on the hardware table size to setup termination.
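The receive-only configuration above terminates IP-in-IP on any local address (tunnel source anylocal) but only decapsulates packets whose outer source is a configured remote end-point (tunnel allow-remote). The following is an added example, not Dell EMC Networking OS code: it builds RFC 2003 IP-in-IP packets and applies the same accept/drop decision, so the effect of allow-remote can be seen on constructed packets. Addresses, the class name and the drop reasons are this example's own.

```python
"""IP-in-IP (RFC 2003) decapsulation for a multipoint receive-only tunnel.

Added example, not Dell EMC Networking OS code. It models `tunnel source
anylocal` (any local address terminates the tunnel), `tunnel allow-remote`
(the permitted remote end-points) and `tunnel mode ipip decapsulate-any`.
Addresses and the class name are this example's own; packets are constructed.
"""
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional

IPPROTO_IPIP = 4
IPV4_HDR = ">BBHHHBBH4s4s"   # fixed 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f">{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack(">H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, total, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total < ihl or len(pkt) < total:
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}


def encapsulate_ipip(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """What a remote end-point sends: the inner IPv4 packet behind an outer header."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner)


class ReceiveOnlyTunnel:
    def __init__(self, local_addresses: Iterable[str], allow_remote: Iterable[str]):
        # `tunnel source anylocal`: every local address terminates the tunnel.
        self.local = {str(ipaddress.IPv4Address(a)) for a in local_addresses}
        # `tunnel allow-remote ...`: the only outer sources that are decapsulated.
        self.allow_remote = {str(ipaddress.IPv4Address(a)) for a in allow_remote}
        self.dropped: List[str] = []

    def decapsulate(self, pkt: bytes) -> Optional[bytes]:
        """Return the inner packet, or None (with the reason logged) if not accepted."""
        try:
            outer = parse_ipv4(pkt)
        except ValueError as exc:
            self.dropped.append(f"drop: {exc}")
            return None
        if outer["dst"] not in self.local:
            self.dropped.append(f"drop: outer destination {outer['dst']} is not a local address")
            return None
        if outer["proto"] != IPPROTO_IPIP:
            self.dropped.append(f"drop: outer protocol {outer['proto']} is not IPIP")
            return None
        if outer["src"] not in self.allow_remote:
            self.dropped.append(f"drop: {outer['src']} is not an allowed remote end-point")
            return None
        return outer["payload"]
```

The check on the outer source is a filter on an unauthenticated header field: IP-in-IP carries no integrity protection, so a host that can spoof one of the allowed addresses can still inject inner packets. Treat allow-remote as end-point hygiene and rely on ingress filtering or an encrypted transport for anything stronger.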
56 Uplink Failure Detection (UFD)
Feature Description
A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity. However, the devices do not receive a direct indication that upstream connectivity is lost because connectivity to the switch is still operational. UFD allows a switch to associate downstream interfaces with upstream interfaces.
Figure 127. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 128. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number; otherwise, it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces.
• If an uplink-state group has no upstream interfaces assigned, you cannot disable downstream interfaces when an upstream link goes down.
To enable the debug messages for events related to a specified uplink-state group or all groups, use the debug uplink-state-group [group-id] command, where the group-id is from 1 to 16.
description text
The maximum length is 80 alphanumeric characters.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
   UPLINK-STATE-GROUP mode
   no enable
By default, upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command.
Clearing a UFD-Disabled Interface
You can manually bring up a downstream interface in an uplink-state group that UFD disabled and that is in a UFD-Disabled Error state.
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Fo 3/4/1
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Fo 3/5/1
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Fo 3/6/1
02:38:53: %RPM0-P:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Fo 3/7/1
Displaying Uplink Failure Detection
To display information on the UFD feature, use any of the following commands.
Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Time since last interface status change: 00:01:23 The following example shows viewing the UFD configuration.
uplink-state-group 3
 description Testing UFD feature
 downstream disable links 2
 downstream TenGigabitEthernet 1/1-2,5,9,11-12/1
 upstream TenGigabitEthernet 1/3-4/1
DellEMC# show uplink-state-group 3
Uplink State Group: 3 Status: Enabled, Up
DellEMC# show uplink-state-group detail
(Up): Interface up (Dwn): Interface down (Dis): Interface disabled
Uplink State Group : 3 Status: Enabled, Up
Upstream Interfaces : Te 1/3/1(Up) Te 1/4/1(Dwn)
Downstream Interfaces : Te 1/1/1(Dis) Te 1/2/1(Dwn) Te 1/5/1(Dwn) Te 1/9
57 Upgrade Procedures
To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
58 Virtual LANs (VLANs)
Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
• Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and Dell EMC Networking OS removes the interface from the Default VLAN.
• A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN. Configuration Task List This section contains the following VLAN configuration tasks.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface. CONFIGURATION mode interface vlan vlan-id 2. Enable an interface to include the IEEE 802.1Q tag header.
untagged interface This command is available only in VLAN interfaces. The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN. To determine interface status, use the show vlan command.
Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
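The membership rules in this chapter (an untagged interface belongs to one VLAN, a tagged interface to many, and a hybrid port classifies untagged frames into its native VLAN) come down to how a port treats the 802.1Q tag on ingress and egress. The following is an added example, not Dell EMC Networking OS code: it builds and parses 802.1Q frames and applies those rules for an untagged, a tagged and a hybrid port. Port names, VLAN numbers and MAC addresses are this example's own.

```python
"""802.1Q tagging on untagged, tagged and hybrid (native VLAN) ports.

Added example, not Dell EMC Networking OS code. It implements the membership
rules described in the VLAN chapter: an untagged port carries one VLAN, a
tagged port carries several, and a hybrid port does both, with untagged
frames classified into the native VLAN. Names and numbers are this example's own.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame, optionally with one 802.1Q tag (TPID + TCI)."""
    frame = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        frame += struct.pack(">HH", TPID_8021Q, tci)
    return frame + struct.pack(">H", ethertype) + payload


def parse_tag(frame: bytes) -> Tuple[Optional[int], int]:
    """Return (VLAN id, or None if untagged; ethertype of the encapsulated payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack(">H", frame[12:14])
    if tpid != TPID_8021Q:
        return None, tpid
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack(">HH", frame[14:18])
    return tci & 0x0FFF, ethertype


def strip_tag(frame: bytes) -> bytes:
    """Remove the 4-byte 802.1Q tag that follows the source MAC."""
    return frame[:12] + frame[16:]


@dataclass
class L2Port:
    name: str
    tagged: Set[int] = field(default_factory=set)  # VLANs this port is a tagged member of
    untagged: Optional[int] = None                 # the one VLAN it is an untagged member of

    def classify_ingress(self, frame: bytes) -> Optional[int]:
        """VLAN a received frame belongs to, or None if the port must drop it."""
        vid, _ethertype = parse_tag(frame)
        if vid is None or vid == 0:
            # Untagged (or priority-tagged, VID 0) frame: only a port with an
            # untagged/native VLAN can accept it; a tagged-only port drops it.
            return self.untagged
        # Tagged frame: accepted only for a VLAN the port is a tagged member of.
        return vid if vid in self.tagged else None

    def egress(self, untagged_frame: bytes, vlan: int) -> Optional[bytes]:
        """Frame as it leaves this port for `vlan`: untagged, tagged, or not at all."""
        if vlan == self.untagged:
            return untagged_frame
        if vlan in self.tagged:
            dst, src, rest = untagged_frame[:6], untagged_frame[6:12], untagged_frame[12:]
            (ethertype,) = struct.unpack(">H", rest[:2])
            return build_frame(dst, src, ethertype, rest[2:], vlan=vlan)
        return None
```

A hybrid port with untagged=99 and tagged={10, 20} accepts an untagged frame into VLAN 99 and a frame tagged 10 into VLAN 10, but drops a frame tagged 30; a tagged-only port drops untagged frames outright, which is the behaviour to expect when a VLAN-unaware station is cabled to a port that has no native VLAN.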
59 Virtual Link Trunking (VLT)
Overview
In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, bandwidth of all links is not effectively utilized by the connected devices.
Figure 130. Traditional switched topology
VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain. VLT provides Layer 2 multipathing, creating redundancy through increased bandwidth, enabling multiple parallel paths between nodes, and load-balancing traffic where alternate paths exist.
between the two VLT chassis. IGMP and VLT configurations must be identical on both sides of the trunk to ensure the same behavior on both sides.
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP).
VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2. MAC synchronization between VLT peers handles the traffic flow even if it is hashed and forwarded through the other member of the portchannel.
VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks.
Figure 135. Enhanced VLT
Configure Virtual Link Trunking
VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.
Important Points to Remember
• You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
• VLT port channel interfaces must be switch ports.
• If you include RSTP on the system, configure it before VLT.
• When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
• When you enable Layer 3 routing protocols on VLT peers, make sure the delay-restore timer is set to a value that allows sufficient time for all routes to establish adjacency and exchange all the L3 routes between the VLT peers before you enable the VLT ports.
• Separately configure each VLT peer switch with the same VLT domain ID and the VLT version. If the system detects mismatches between VLT peer switches in the VLT domain ID or VLT version, the VLT Interconnect (VLTi) does not activate.
• To find the reason for the VLTi being down, use the show vlt statistics command to verify that there are mismatch errors, then use the show vlt brief command on each VLT peer to view the VLT version on the peer switch.
• The discovery protocol running between VLT peers automatically generates the ID number of the port channel that connects an access device and a VLT switch.
• The discovery protocol uses LACP properties to identify connectivity to a common client device and automatically generates a VLT number for port channels on VLT peers that connect to the device.
• The discovery protocol requires that an attached device always runs LACP over the port-channel interface.
• Configure the same L3 routing (static and dynamic) on each peer so that the L3 reachability and routing tables are identical on both VLT peers.
• Both the VRRP master and backup peers must be able to locally forward L3 traffic in the same way.
• In a VLT domain, although both VLT peers actively participate in L3 forwarding as the VRRP master or backup router, the show vrrp command output displays one peer as master and the other peer as backup.
VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 ) When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 136.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running-config commands.
Figure 137. Packets without peer routing enabled
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.
Figure 138. Packets with peer routing enabled
Benefits of Peer Routing
• Avoids sub-optimal routing.
• Reduces latency by avoiding another hop in the traffic path.
VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer. This method avoids sub-optimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM. If a VLT node is down, a timer that allows you to configure the amount of time needed for peer recovery provides resiliency. You can enable VLT unicast across multiple configurations using VLT links.
• When using factory default settings on a new switch deployed as a VLT node, packet loss may occur due to the requirement that all ports must be open.
• ECMP is not compatible on VLT nodes using VLT multicast. You must use a single VLAN.
Configuring VLT Multicast
To enable and configure VLT multicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   vlt domain domain-id
2. Enable peer-routing.
1. Configure RSTP in the core network and on each peer switch as described in Rapid Spanning Tree Protocol (RSTP). Disabling RSTP on one VLT peer may result in a VLT domain failure. 2. Enable RSTP on each peer switch. PROTOCOL SPANNING TREE RSTP mode no disable 3. Configure each peer switch with a unique bridge priority.
1. Configure the VLT interconnect for the VLT domain. The primary and secondary switch roles in the VLT domain are automatically assigned after you configure both sides of the VLTi. NOTE: If you use a third-party ToR unit, to avoid potential problems if you reboot the VLT peers, Dell EMC recommends using static LAGs on the VLTi between VLT peers. 2. Enable VLT and create a VLT domain ID. VLT automatically selects a system MAC address. 3. Configure a backup link for the VLT domain. 4.
NOTE: If management VRF or any specific VRF is enabled on the system, then use the back-up destination command with vrf [management vrf-name | vrf-name] You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 3. Configure the port channel to be used as the VLT interconnect between VLT peers in the domain. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number 4. Enable peer routing.
vlt domain domain-id
The range of domain IDs is from 1 to 1000.
2. Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted.
   CONFIGURATION mode
   delay-restore delay-restore-time
   The range is from 1 to 1200. The default is 90 seconds.
Reconfiguring the Default VLT Settings (Optional)
To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.
switchport
4. Add one or more port interfaces to the port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
   • For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
   • For a 50-Gigabit Ethernet interface, enter the keyword fiftyGigE then the slot/port/subport information.
   • For a 100-Gigabit Ethernet interface, enter the keyword hundredGigE then the slot/port information.
3. Enter VLT-domain configuration mode for a specified VLT domain.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
4. Enter the port-channel number that acts as the interconnect trunk.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
5.
INTERFACE mode port-channel number mode [active] 15. Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 16. Enable peer routing. VLT DOMAIN CONFIGURATION mode peer-routing If you enable peer routing, a VLT node acts as the proxy gateway for its peer. 17. Repeat steps 1 through 16 for the VLT peer node in Domain 1. 18. Repeat steps 1 through 16 for the first VLT node in Domain 2. 19. Repeat steps 1 through 16 for the VLT peer node in Domain 2.
show interfaces interface In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1. NOTE: If you use a third-party ToR unit, Dell EMC Networking recommends using static LAGs with VLT peers to avoid potential problems if you reboot the VLT peers. Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
s60-1#show running-config interface tengigabitethernet 1/30/1
!
interface TenGigabitEthernet 1/30/1
 no ip address
!
 port-channel-protocol LACP
  port-channel 100 mode active
 no shutdown
s60-1#show running-config interface port-channel 100
!
interface Port-channel 100
 no ip address
 switchport
 no shutdown
s60-1#show interfaces port-channel 100 brief
Codes: L - LACP Port-channel
    LAG  Mode  Status  Uptime    Ports
L   100  L2    up      03:33:48  Te 1/8/1 (Up)
                                 Te 1/30/1 (Up)
Verify VLT is up.
Run PVST+ on both VLT peer switches. A PVST+ instance is created for every VLAN configured in the system. PVST+ instances running in the Primary Peer control the VLT-LAGs on both Primary and Secondary peers. Only the Primary VLT switch determines the PVST+ roles and states on VLT ports and ensures that the VLT interconnect link is never blocked. The PVST+ instance in Primary peer sends the role/state of VLT-LAGs for all VLANs to the Secondary peer.
• As the Router ID of Dell-1 is the highest in the topology (highest loopback address of 172.17.1.1), Dell-1 is the OSPF Designated Router.
• As the Router ID of Dell-2 is the second highest in the topology (172.16.1.1), Dell-2 is the OSPF Backup Designated Router.
Figure 139. Peer Routing Configuration Example
Dell-1 Switch Configuration
In the following output, RSTP is enabled with a bridge priority of 0. This ensures that Dell-1 becomes the root bridge.
ip address 10.10.10.1/24 no shutdown (The management interfaces are part of a default VRF and are isolated from the switch’s data plane.) In Dell-1, te 0/0 and te 0/1 are used for VLTi.
vlt-peer-lag port-channel 2
no shutdown
Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
 description OSPF PEERING VLAN
 ip address 192.168.20.1/29
 untagged Port-channel 1
 no shutdown
!
DellEMC#1#sh run int vlan 800
interface Vlan 800
 description Client-VLAN
 ip address 192.168.8.
Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
DellEMC#1#sh vlt detail
Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
------------  -----------  ------------  -----------  ------------
1             1            UP            UP           20
2             2            UP            UP           1, 800, 900
The following output displays the OSPF configuration in Dell-1.
DellEMC#1#sh run | find router
router ospf 1
 router-id 172.17.1.1
 network 192.168.9.0/24 area 0
 network 192.168.8.0/24 area 0
 network 172.17.1.
0    90:b1:1c:f4:2c:bd    LOCAL_DA    00001
0    90:b1:1c:f4:29:f3    LOCAL_DA    00001A
The above output shows that the 90:b1:1c:f4:2c:bd MAC address belongs to Dell-1. The 90:b1:1c:f4:29:f3 MAC address belongs to Dell-2. Also note that these MAC addresses are marked with LOCAL_DA. This means that these are the local destination MAC addresses used by hosts when routing is required. Packets sent to this MAC address are directly forwarded to their destinations without being sent to the peer switch.
 no ip address
 port-channel-protocol LACP
  port-channel 2 mode active
 no shutdown
Te 0/6 connects to the uplink switch R1.
Dell-2#sh run int te0/6
interface TenGigabitEthernet 0/6
 description To_CR1_fa0/13
 no ip address
 port-channel-protocol LACP
  port-channel 1 mode active
 no shutdown
Port channel 1 connects the uplink switch R1.
Verify that VLT on Dell-2 is functional.
Dell-2#sh vlt brief
VLT Domain Brief
------------------
Domain ID:                      1
Role:                           Secondary
Role Priority:                  55000
ICL Link Status:                Up
HeartBeat Status:               Up
VLT Peer Status:                Up
Local Unit Id:                  1
Version:                        6(3)
Local System MAC address:       90:b1:1c:f4:29:f1
Remote System MAC address:      90:b1:1c:f4:2c:bb
Configured System MAC address:  90:b1:1c:f4:01:01
Remote system version:          6(3)
Delay-Restore timer:            90 seconds
Peer routing :                  En
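The Important Points to Remember list requires the same domain ID and VLT version on both peers (otherwise the VLTi does not activate), identical peer-routing settings, and an ICL, heartbeat and peer status of Up. Those checks can be run against show vlt brief captured from both peers. The following is an added example, not Dell EMC Networking OS code: DELL2 is the Dell-2 output from this page laid out one field per line (the truncated last field written out as Enabled), and DELL1 is an assumed mirror image for Dell-1 (Primary role, unit id 0, an assumed role priority, system MACs swapped) constructed for this example.

```python
"""Cross-check `show vlt brief` from both peers of a VLT domain.

Added example, not Dell EMC Networking OS code. DELL2 is the Dell-2 output
from this page, one field per line; DELL1 is an assumed mirror image for
Dell-1 (Primary, unit id 0, assumed role priority, system MACs swapped)
constructed for this example. The consistency rules are the ones stated in
the VLT section of this guide.
"""
import re
from typing import Dict, List

DELL2 = """VLT Domain Brief
------------------
Domain ID:                      1
Role:                           Secondary
Role Priority:                  55000
ICL Link Status:                Up
HeartBeat Status:               Up
VLT Peer Status:                Up
Local Unit Id:                  1
Version:                        6(3)
Local System MAC address:       90:b1:1c:f4:29:f1
Remote System MAC address:      90:b1:1c:f4:2c:bb
Configured System MAC address:  90:b1:1c:f4:01:01
Remote system version:          6(3)
Delay-Restore timer:            90 seconds
Peer routing :                  Enabled
"""

DELL1 = """VLT Domain Brief
------------------
Domain ID:                      1
Role:                           Primary
Role Priority:                  32768
ICL Link Status:                Up
HeartBeat Status:               Up
VLT Peer Status:                Up
Local Unit Id:                  0
Version:                        6(3)
Local System MAC address:       90:b1:1c:f4:2c:bb
Remote System MAC address:      90:b1:1c:f4:29:f1
Configured System MAC address:  90:b1:1c:f4:01:01
Remote system version:          6(3)
Delay-Restore timer:            90 seconds
Peer routing :                  Enabled
"""

# "Label:   value"; the label may contain spaces and hyphens and may have a
# space before the colon ("Peer routing :"), values may themselves contain colons.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*:\s*(\S.*?)\s*$")

MUST_MATCH = ("domain id", "version", "configured system mac address",
              "peer routing", "delay-restore timer")
MUST_BE_UP = ("icl link status", "heartbeat status", "vlt peer status")


def parse_vlt_brief(text: str) -> Dict[str, str]:
    """Map normalised (lower-case, single-spaced) labels to their values."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[" ".join(m.group(1).lower().split())] = m.group(2)
    return fields


def check_vlt_pair(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Return every consistency rule the two peers violate (empty list = healthy)."""
    problems: List[str] = []
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            problems.append(f"{key} differs: {a.get(key)!r} vs {b.get(key)!r}")
    for name, f in (("peer A", a), ("peer B", b)):
        for key in MUST_BE_UP:
            if f.get(key) != "Up":
                problems.append(f"{name}: {key} is {f.get(key)!r}")
        if f.get("version") != f.get("remote system version"):
            problems.append(f"{name}: local version {f.get('version')} differs from "
                            f"remote version {f.get('remote system version')}")
    if (a.get("local system mac address") != b.get("remote system mac address")
            or b.get("local system mac address") != a.get("remote system mac address")):
        problems.append("system MAC addresses do not cross-match between the peers")
    if {a.get("role"), b.get("role")} != {"Primary", "Secondary"}:
        problems.append(f"roles are {a.get('role')!r} and {b.get('role')!r}; "
                        "expected one Primary and one Secondary")
    return problems
```

Run the check after any software upgrade of one peer: a version mismatch shows up here as "version differs" on both peers' output before the VLTi state gives any hint, and the roles check catches two peers that both believe they are Primary (a split domain).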
The following output displays the routes learned using OSPF. Dell-2 also learns the routes to the loopback addresses on R1 through OSPF.
Dell-2#show ip route ospf
Destination          Gateway
-----------          -------
O 2.2.2.2/24         via 192.168.20.3,
O 3.3.3.2/24         via 192.168.20.3,
O 4.4.4.2/24         via 192.168.20.3,
O 172.15.1.1/32      via 192.168.20.3,
O 172.16.1.2/32      via 192.168.20.
network 172.15.1.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.7 area 0
CR1#show ip ospf neighbor
(R1 is a DROTHER)
Neighbor ID     Pri   State      Dead Time   Address        Interface
172.16.1.2      1     FULL/BDR   00:00:31    192.168.20.2   Port-channel1
172.17.1.1      1     FULL/DR    00:00:38    192.168.20.1   Port-channel1
CR1#show ip route
(Output Truncated)
     2.0.0.0/24 is subnetted, 1 subnets
C       2.2.2.0 is directly connected, Loopback2
     3.0.0.0/24 is subnetted, 1 subnets
C       3.3.3.0 is directly connected, Loopback3
O    192.168.8.0/24 [110/2] via 192.168.
Figure 140. eVLT Configuration Example

eVLT Configuration Step Examples

In Domain 1, configure the VLT domain and VLTi on Peer 1.
Domain_1_Peer1#configure
Domain_1_Peer1(conf)#interface port-channel 1
Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8/1-1/8/2
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2.
Domain_1_Peer2(conf)#interface port-channel 100
Domain_1_Peer2(conf-if-po-100)# switchport
Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100
Domain_1_Peer2(conf-if-po-100)# no shutdown

Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example

The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.

Examples of Configuring PIM-Sparse Mode

The following example shows how to enable PIM multicast routing on the VLT node globally.
• Display the current configuration of all VLT domains or a specified group on the switch.
  EXEC mode
  show running-config vlt
• Display statistics on VLT operation.
  EXEC mode
  show vlt statistics
• Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices.
  EXEC mode
  show spanning-tree rstp
• Display the current status of a port or port-channel interface used in the VLT domain.
Peer-Routing                      : Disabled
Peer-Routing-Timeout timer        : 0 seconds
Multicast peer-routing timeout    : 150 seconds
DellEMC#

The following example shows the show vlt detail command.
---------------
HeartBeat Messages Sent:        994
HeartBeat Messages Received:    978
ICL Hello's Sent:               89
ICL Hello's Received:           89

The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2. Port channels 110, 111, and 120 are used to connect to access switches or servers (vlt).
Dell_VLTpeer1(conf-if-ma-1/1)#no shutdown
Dell_VLTpeer1(conf-if-ma-1/1)#exit

Configure the VLT interconnect (VLTi).
Dell_VLTpeer1(conf)#interface port-channel 100
Dell_VLTpeer1(conf-if-po-100)#no ip address
Dell_VLTpeer1(conf-if-po-100)#channel-member fortyGigE 1/5,1/6
Dell_VLTpeer1(conf-if-po-100)#no shutdown
Dell_VLTpeer1(conf-if-po-100)#exit

Configure the port channel to an attached device.
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description: System MAC mismatch
  Behavior at Peer Up: A syslog error message and an SNMP trap are generated.
  Behavior During Run Time: A syslog error message and an SNMP trap are generated.
  Action to Take: Verify that the unit ID of VLT peers is not the same on both units and that the MAC address is the same on both units.

Description: Unit ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up. The VLTi is forced to a down state.
  Behavior During Run Time: The VLT peer does not boot up. The VLTi is forced to a down state.
When a VLTi port in trunk mode is a member of symmetric VLT PVLANs, the PVLAN packets are forwarded only if the PVLAN settings of both the VLT nodes are identical. You can configure the VLTi in trunk mode to be a member of non-VLT PVLANs if the VLTi is configured on both the peers. MAC address synchronization is performed for VLT PVLANs across peers in a VLT domain.

Keep the following points in mind when you configure VLT nodes in a PVLAN:
• Configure the VLTi link to be in trunk mode.
PVLAN Operations When a VLT Peer is Restarted When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Community) Secondary (Isolated) No No • • Yes Yes Promiscuous Promiscuous Primary X Primary X Primary Primary Yes Yes - Secondary (Community) - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary (Communi
2. Remove an IP address from the interface.
   INTERFACE PORT-CHANNEL mode
   no ip address
3. Add one or more port interfaces to the port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
   • For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
7. To obtain maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both the VLT peer nodes. Set the PVLAN mode of the selected VLAN to primary.
   INTERFACE VLAN mode
   private-vlan mode primary
8. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
When a VLT node detects peer up, it does not perform proxy ARP for the peer IP addresses. IP address synchronization occurs again between the VLT peers. Proxy ARP is enabled only if you enable peer routing on both the VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable the proxy ARP.
4. Verify the VLAN-stack configurations.
   EXEC Privilege
   show running-config

Sample configuration of VLAN-stack over VLT (Peer 1)

Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#

Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN

DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - V
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
DellEMC#

Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#

Verify t
IPv6 Peer Routing

When you enable peer routing on VLT nodes, the MAC address of the peer VLT node is stored in the ternary content addressable memory (TCAM) space table of a station. If data traffic destined to a VLT node, node1, reaches the other VLT node, node2, owing to LAG-level hashing in the ToR switch, it is routed there instead of being forwarded to node1. This processing occurs because of the match or hit for the entry in the TCAM of VLT node2.
Figure 141. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Sample Configuration of IPv6 Peer Routing in a VLT Domain

Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL. When VLT node 1 receives NS on ICL, it floods the NA packet on the VLAN.
When a VLT node receives traffic from a non-VLT host destined for a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL.

Non-VLT host to North Bound traffic flow

When a VLT node receives traffic from a non-VLT host destined northbound with the DMAC set to its own MAC, it routes the traffic to the next hop.
Static VXLAN Configuration in a VLT setup

Configuration steps are covered below:
1. Both Gateway VTEPs need VLT configured.
• ICL port configuration
interface Port-channel 1
 no ip address
 channel-member TenGigabitEthernet 0/4-5
 no shutdown
• VLT Domain Configuration
vlt domain 100
 peer-link port-channel 1
 back-up destination 10.11.70.14    (this is the IP address of the peer node)
• VXLAN Instance Configuration
vxlan-instance 1 static
 local-vtep-ip 14.14.14.
 vni-profile test
  vnid 200
 remote-vtep-ip 3.3.3.3 vni-profile test
• VLT Access port configuration
interface TengigabitEthernet 0/12
 port-channel-protocol lacp
  port-channel 30 mode active
interface Port-channel 30
 no ip address
 vxlan-instance 1
 switchport
 vlt-peer-lag port-channel 30
 no shutdown
2. Configure loopback interface and VXLAN instances on both the peers.
• Configure the loopback interface IP address on both peers with the same IP address.
interface Loopback 1
 ip address 14.14.14.
60 VLT Proxy Gateway

The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 143. Sample Configuration for a VLT Proxy Gateway

Guidelines for Enabling the VLT Proxy Gateway

Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; for example, across a VLT domain.
• You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the newer VLT domain.
• After a station move, if the host sends a TTL 1 packet destined to its gateway; for example, a previous VLT node, the packet can be dropped.
• LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down, rebooting, or the port’s physical link connection is down).

LLDP VLT Proxy Gateway in a Square VLT Topology

Figure 144. Sample Configuration for a VLT Proxy Gateway

• The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This causes sub-optimal routing.
• You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 145. VLT Proxy Gateway Sample Topology

VLT Domain Configuration

Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using the VLT LAG Po 50. To know how to configure the interfaces in VLT domains, see the Configuring VLT section.

Dell-1 VLT Configuration
vlt domain 120
 peer-link port-channel 120
 back-up destination 10.1.1.
Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.

VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2.
interface Vlan 100
 description OSPF Peering VLAN to Dell-2
 ip address 10.10.100.1/30
 ip ospf network point-to-point
 no shutdown

VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
interface Vlan 101
 description ospf peering vlan across VLTPG_Po50
 ip address 10.10.
Neighbor ID   Pri  State    Dead Time  Address       Interface  Area
4.4.4.4       1    FULL/ -  00:00:33   10.10.100.1   Vl 100     0

Dell-3 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.1
 primary-priority 4096
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 0
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5

These MAC addresses are the system L2 interface addresses for each switch at the remote site, Dell-1 and Dell-2.
Dell-4 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0
 primary-priority 24576
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 1
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5

These MAC addresses are the system L2 interface addresses for each switch at the remote site, Dell-1 and Dell-2.

interface Vlan 102
 description ospf peering vlan to DELL-3
 ip address 10.10.102.
61 Virtual Extensible LAN (VXLAN)

Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS.

Overview

The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology wherein the data traffic from the virtualized servers is transparently transported over an existing legacy network.

Figure 146. VXLAN Gateway

NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
Components of VXLAN network

VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network, and this overlay is termed a VXLAN segment.
• VTEP maintains MAC bindings to a VTEP.
• VXLAN communicates with the VTEP using a standard protocol called the OVSDB protocol. The protocol uses the JSON-RPC-based message format.
• The VTEP acts according to the TOR schema defined by VMware. The solution is very specific to VMware-based orchestration platforms and does not work with other orchestration platforms.

VXLAN Frame Format

VXLAN provides a mechanism to extend an L2 network over an L3 network.
VXLAN Header:
• Frame Check Sequence (FCS): Note that the original Ethernet frame's FCS is not included, but a new FCS is generated on the outer Ethernet frame.
• VXLAN Flags: Reserved bits set to zero except bit 3, the first bit, which is set to 1 for a valid VNI.
• VNI: The 24-bit field that is the VXLAN Network Identifier.
• Reserved: A set of fields, 24 bits and 8 bits, that are reserved and set to zero.
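As an added example (not code from the Dell guide), the following Python builds and validates the 8-byte VXLAN header described above: the I flag (bit 3 of the flags byte, 0x08) must be set for the VNI to be valid, the 24-bit and 8-bit reserved fields are zero, and the inner Ethernet frame is carried without its FCS. The function names, the constructed sample frame and the strict/lenient validation switch are this example's own assumptions.

```python
import struct

# VXLAN header (RFC 7348), 8 bytes, network byte order:
#   flags (8 bits) | reserved (24 bits) | VNI (24 bits) | reserved (8 bits)
VXLAN_HDR_LEN = 8
VXLAN_FLAG_I = 0x08          # "I" flag: set to 1 when the VNI field is valid
VNI_MAX = (1 << 24) - 1      # VNI is a 24-bit field


def build_vxlan_header(vni: int) -> bytes:
    """Build a VXLAN header for `vni` with the I flag set and all reserved bits zero."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    word1 = VXLAN_FLAG_I << 24   # flags in the top byte, 24 reserved bits zero
    word2 = vni << 8             # VNI in the top 24 bits, 8 reserved bits zero
    return struct.pack("!II", word1, word2)


def parse_vxlan_header(data: bytes, strict: bool = True) -> dict:
    """Parse the VXLAN header at the start of `data`.

    A header whose I flag is clear is always rejected (the VNI is not valid).
    With strict=True, non-zero reserved flag bits or reserved fields are also
    rejected, which is the check a gateway validating tunnel traffic would want;
    with strict=False they are ignored, as RFC 7348 tells a receiver to do.
    """
    if len(data) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    word1, word2 = struct.unpack("!II", data[:VXLAN_HDR_LEN])
    flags = word1 >> 24
    reserved24 = word1 & 0xFFFFFF
    vni = word2 >> 8
    reserved8 = word2 & 0xFF
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI is not valid")
    if strict and (flags & ~VXLAN_FLAG_I or reserved24 or reserved8):
        raise ValueError("reserved bits must be zero")
    return {"flags": flags, "vni": vni, "reserved24": reserved24, "reserved8": reserved8}


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Return the UDP payload for `inner_frame`: VXLAN header followed by the frame.

    The original frame's FCS is not carried (a new FCS is generated for the
    outer Ethernet frame), so `inner_frame` must not include one.
    """
    return build_vxlan_header(vni) + inner_frame


def decapsulate(payload: bytes, strict: bool = True):
    """Return (vni, inner_frame) for a VXLAN UDP payload."""
    hdr = parse_vxlan_header(payload, strict=strict)
    return hdr["vni"], payload[VXLAN_HDR_LEN:]


# Constructed sample inner frame (dst MAC, src MAC, EtherType 0x0800, data);
# it is not captured from any real network.
SAMPLE_INNER = bytes.fromhex("000001000001" "0000bb000000" "0800") + b"payload"
SAMPLE_VNI = 4656   # the VNI that appears in the show vxlan output on this page

if __name__ == "__main__":
    packet = encapsulate(SAMPLE_INNER, SAMPLE_VNI)
    print(packet[:VXLAN_HDR_LEN].hex())   # 0800000000123000
    print(decapsulate(packet))            # (4656, b'\x00\x00\x01\x00\x00\x01...payload')
```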
Copy and paste the generated certificate to the NSX.

NOTE: Once controller connectivity is established from VLT peers, if you want to generate a new certificate and use it for controller connection, generate the certificate from the node (node that is directly connected to controller).
Figure 149. Hardware Devices

3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK.

Figure 150. Add Service Node or Replicator

NOTE: Ensure L3 reachability between the VTEP and the replicator.

4. Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 151. Create Logical Switch

5. Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 153. Create Logical Switch Port

6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.

Figure 154. Edit VXLAN BFD Configuration

NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
Configuring and Controlling VXLAN from the Nuage Controller GUI

The Dell EMC Networking OS supports the Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI by adding a hardware device to the Nuage controller and authenticating the device.
1. Under the Infrastructure tab, add a datacenter gateway.
   Figure 155. Add Data center Gateway
2. Create port-to-VLAN mappings.
   Figure 156. Port-to-VLAN mappings
3. Under the Networks tab, create an L2 domain.
Configuring VxLAN Gateway

To configure the VxLAN gateway on the switch, follow these steps:
1. Connecting to NVP controller
2. Advertising VXLAN access ports to controller

Connecting to an NVP Controller

To connect to an NVP controller, use the following commands.
1. Enable the VXLAN feature.
   CONFIGURATION mode
   feature vxlan
   You must configure feature vxlan to configure vxlan-instance.
2. Create a VXLAN instance that connects to the controller.
Displaying VXLAN Configurations

To display the VXLAN configurations, use the following commands. The following example shows the show vxlan vxlan-instance command.

DellEMC#show vxlan vxlan-instance 1
Instance               : 1
Mode                   : Controller
Admin State            : enabled
Controller Type        : Nsx
Management IP          : 10.16.140.34
Gateway IP             : 4.3.3.3
MAX Backoff            : 8000
Controller             : 10.16.140.181:6640 ssl
Controller Cluster     :
                       : 10.16.140.181:6640 ssl (connected)
                       : 10.16.140.182:6640 ssl (connected)
                       : 10.16.140.
The following example shows the show vxlan vxlan-instance unicast-mac-remote command.

DellEMC# show vxlan vxlan-instance <1> unicast-mac-remote
Total Local Mac Count: 1
VNI    MAC                 TUNNEL
4656   00:00:01:00:00:01   36.1.1.1

The following example shows the show vxlan vxlan-instance unicast-mac-remote command when the tunnel is down.

DellEMC# show vxlan vxlan-instance <1> unicast-mac-remote
Total Local Mac Count: 1
VNI    MAC                 TUNNEL
4656   00:00:01:00:00:01   36.1.1.
9. Associate VNID to VLAN.
   INTERFACE VLAN mode
   vxlan-vnid VNID

Displaying Static VXLAN Configurations

To display the static VXLAN configurations, use the following commands. The following example displays the basic configuration details.

DellEMC# show vxlan vxlan-instance 1
Instance       : 1
Mode           : Static
Admin State    : Up
Local vtep ip  : 101.101.101.101
Port List      : Fo 1/49

The following example displays VTEP to VNI mapping for a specific remote VTEP.
VXLAN Scenario

The VXLAN tunnel stays down even if the remote VTEP IP is reachable through a recursive route. The following section explains the scenario through an example configuration. The following illustration depicts the topology in which the VTEPs are connected.

Figure 158. VXLAN Scenario

In the above illustration, R1 and R2 are the VTEPs that are trying to form the VXLAN tunnel. R3, the route reflector, exchanges the routes across two IBGP peers (R1 and R2).
In this RIOT scheme, whenever R1 tries to reach R2, the packet gets to P1 on VTEP 1 with VLAN 10 and gets routed out of P2 on VLAN 20. VTEP 1 sends an ARP request for R2 (10.1.2.1) through P2. This request gets VXLAN encapsulated at P3 and is sent out of P4. Eventually, the native ARP request reaches R2. R2 sends an ARP response that is VXLAN encapsulated at VTEP 2. This response reaches VTEP 1 on P4 with a VXLAN encapsulation. At this point, the ARP response is de-capsulated at P4.
• When you ping 10.1.2.1 (Vlan 20’s IP on R2) from R1, the packet gets to P1 on VTEP 1 with Vlan 10 and tries to get routed out of P2 on Vlan 20.
• VTEP 1 sends an ARP request for 10.1.2.1 out of P2.
• This gets VXLAN encapsulated at P2 and is sent out of P3.
• The VXLAN encapsulated ARP request lands on VTEP 2, where it is decapsulated and sent out of P5 and P6.
• Packets looped back to P5 are not forwarded again to either P4 or P6 because of the added ACL rule 4.4.3.
In order for this configuration to work, the physical loopback ports are required to be in port-channels. There are two types of physical loopback interfaces: VXLAN Loopback Port and Non-VXLAN Loopback Port. These two port-channels are implicitly made no spanning tree, so that they do not go into a blocked state if xSTP is enabled.

Internal Loopback

To configure internal loopback port-channels, add free ports in the device as members of a port-channel, say 10, then configure vxlan-instance 1 loopback.
For VLT, in addition to the masks specified earlier, the VLT-specific mask that disallows frames ingressing on an ICL from going out of a VLT port channel is permanently in place. These masks are not removed for the loopback ports even if the VLT peer LAG goes down (this is a deviation from standard VLT behavior when these loopbacks are provisioned as VLT port-channels).

NSX Controller-based VXLAN for VLT

Apart from static VXLAN for VLT, you can also use an NSX controller for VXLAN in a VLT setup.
• Before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration.
• BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from the NSX controller.

Configure NSX Controller-based VxLAN in VLT Setup

You can configure NSX controller-based VxLAN in a VLT setup. To configure NSX controller-based VxLAN in a VLT setup, perform the following tasks:
1. (Optional) Configure BFD and UFD.
   gateway-ip gateway-IP-address
5. Enter the IP address of the peer OVSDB server.
   peer-ovsdbserver-ip ovsdb-IP-address
   The peer OVSDB server is the peer VLT device.
6. Enter the fail mode.
   VxLAN INSTANCE mode
   fail-mode secure
7. Enable the VxLAN instance.
   VxLAN INSTANCE mode
   no shutdown

NOTE: Dell EMC Networking recommends the non-secure fail mode if you are configuring VxLAN for a VLT setup and use a physical L3 link for peer OVSDB connectivity.
 unit-id 0
 peer-routing

Configuration on an interface that is not part of VLT (orphan port):
DellEMC#show run interface te 1/21
!
interface TenGigabitEthernet 1/21
 vxlan-instance 1
 no ip address
 switchport
 no shutdown
DellEMC#

Configuration on VLT port channel:
DellEMC#show run int po 10
!
interface Port-channel 10
 vxlan-instance 1
 no ip address
 switchport
 vlt-peer-lag port-channel 10
 no shutdown

The following are some of the show command outputs on the VLT primary:
DellEM
* - No VLAN mapping exists and yet to be installed Name VNID a35fe7f7-fe82-37b4-b69a-0af4244d1fca 5000 DellEMC#$nstance 1 logical-network name a35fe7f7-fe82-37b4-b69a-0af4244d1fca Name : a35fe7f7-fe82-37b4-b69a-0af4244d1fca Description : Type : ELAN Tunnel Key : 5000 VFI : 28674 Unknown Multicast MAC Tunnels: 6.6.6.
DellEMC#show cam mac stack-unit 1 port-set 0 VlanId Mac Address Region Interface 500 ff:ff:ff:ff:ff:ff STATIC 00001 28674 00:00:00:cc:00:00 DYNAMIC 0x80000004(vxlan) 28674 00:00:bb:00:00:00 DYNAMIC 0x80000006(vxlan) 0 ff:ff:ff:ff:ff:ff STATIC 00001 1 00:01:e8:8b:7a:6e DYNAMIC Po 11 20 00:00:00:cc:00:00 STATIC Te 1/21 500 f4:8e:38:2b:3e:87 STATIC Po 1 0 00:10:18:ff:ff:ff STATIC Invalid 500 34:17:eb:37:11:02 DYNAMIC Te 1/51/1 0 14:18:77:0a:53:82 LOCAL_DA 00001 0 14:18:77:0a:53:82 LOCAL_DA 00001 0 f4:8e:38:2b:
Tunnel Key : 5000 VFI : 28674 Unknown Multicast MAC Tunnels: 6.6.6.2 : vxlan_over_ipv4 (up)(Active) Port Vlan Bindings: Te 1/21: VLAN: 20 (0x80000004), Po 1: VLAN: 20 (0x80000001), Po 10: VLAN: 20 (0x80000002), Po 20: VLAN: 20 (0x80000005), DellEMC# DellEMC# DellEMC# DellEMC# DellEMC# DellEMC#show vxlan vxlan-instance 1 multicast-mac * - Active Replicator LN-Name VNID a35fe7f7-fe82-37b4-b69a-0af4244d1fca 5000 MAC unknown dst TUNNEL-LIST 6.6.6.
• show file flash://vtep-cert.
Figure 161. Hardware Devices

3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK.

Figure 162. Add Service Node or Replicator

NOTE: Ensure L3 reachability between the VTEP and the replicator.

4. Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 163. Create Logical Switch

5. Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the gateway to logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings Window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 165. Create Logical Switch Port

6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.

Figure 166. Edit VXLAN BFD Configuration

NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
62 Virtual Routing and Forwarding (VRF)

VRF Overview

VRF improves functionality by allowing network paths to be segmented without using multiple devices. Using VRF also increases network security and can eliminate the need for encryption and authentication due to traffic segmentation. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; VRF is also referred to as VPN routing and forwarding.
VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Feature/Capability                          Support Status for Default VRF   Support Status for Non-default VRF
PBR, L3 QoS on VLANs                        Yes                              No   (NOTE: QoS not supported on VLANs.)
IPv4 ARP                                    Yes                              Yes
sFlow                                       Yes                              No
VRRP on physical and logical interfaces     Yes                              Yes
VRRPV3                                      Yes                              Yes
Secondary IP Addresses                      Yes                              Yes
Basic                                       Yes                              Yes
OSPFv3                                      Yes                              Yes
IS-IS                                       Yes                              Yes
BGP                                         Yes                              Yes
ACL                                         Yes                              No
Multicast                                   No                               No
NDP                                         Yes                              Yes
RAD                                         Yes                              Yes
DHCP                                        DHCP requests are not forwarded across VRF instances.
The VRF ID range is from 1 to 511. 0 is the default VRF ID. Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface. NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs.
   CONFIGURATION
   router ospf process-id vrf vrf-name
   The process-id range is from 0-65535.

Configuring VRRP on a VRF Instance

You can configure the VRRP feature on interfaces that belong to a VRF instance. In a virtualized network that consists of multiple VRFs, various overlay networks can exist on a shared physical infrastructure. Nodes (hosts and servers) that are part of the VRFs can be configured with IP static routes for reaching specific destinations through a given gateway in a VRF.
   VRF MODE
   interface management

When Management VRF is configured, the following interface range or interface group commands are disabled:
• ipv6 nd dad — Duplicated Address Detection
• ipv6 nd dns-server — Configure DNS distribution option in RA packets originated by the router
• ipv6 nd hop-limit — Set hop limit advertised in RA and used in IPv6 data packets originated by the router
• ipv6 nd managed-config-flag — Hosts sh
Figure 168.
Figure 169. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1
ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2/1
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!

The following shows the output of the show commands on Router 1.
-----------
C   2.0.0.0/24     Direct, Vl 192
C   20.0.0.0/24    Direct, Te 1/2/1
O   21.0.0.0/24    via 2.0.0.
Configuring Route Leaking without Filtering Criteria

You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF. For leaking IPv6 routes, use the ipv6 route-export tag command. This action exposes the source VRF's routes (IPv4 or IPv6, depending on the command that you use) to other VRFs. The destination or target VRFs then import these IPv4 or IPv6 routes using the ip route-import tag or the ipv6 route-import tag command, respectively.
   ip route-import 3:3
9. Configure VRF-green.
   ip vrf vrf-green
   interface-type slot/port[/subport]
   ip vrf forwarding VRF-green
   ip address ip-address mask
   A non-default VRF named VRF-green is created and the interface is assigned to it.
10. Configure the import target in the source VRF VRF-Shared for reverse communication with VRF-red and VRF-blue.
00:00:11
C   122.2.2.0/24   Direct, Te 1/12/1              0/0     22:39:61
O   44.4.4.4/32    via vrf-shared:144.4.4.4       0/0     00:32:36
C   144.4.4.0/24   Direct, vrf-shared:Te 1/4/1    0/0     00:32:36

DellEMC# show ip route vrf VRF-Green
O   33.3.3.3/32    via 133.3.3.3                  110/0   00:00:11
C   133.3.3.0/24   Direct, Te 1/13/1              0/0     22:39:61

DellEMC# show ip route vrf VRF-Shared
O   11.1.1.1/32    via VRF-Red:111.1.1.1          110/0   00:00:10
C   111.1.1.0/24   Direct, VRF-Red:Te 1/11/1      0/0     22:39:59
O   22.2.2.2/32    via VRF-Blue:122.2.2.2         110/0   00:00:11
C   122.2.2.
You can then use the ip route-import route-map command to import the routes matching the filtering criteria defined in the import_ospf_protocol route-map. For the reply communication, VRF-blue is configured with a route-export tag. This value is then configured as the route-import tag on VRF-Red. To configure route leaking using filtering criteria, perform the following steps:
1.
O   44.4.4.4/32    via vrf-red:144.4.4.4    0/0   00:32:36    << only OSPF and BGP leaked from VRF-red

Important Points to Remember
• Only active routes are eligible for leaking. For example, if VRF-A has two routes from BGP and OSPF, in which the BGP route is not active, the OSPF route takes precedence over BGP. Even though the target VRF-B has specified filtering options to match BGP, the BGP route is not leaked, as that route is not active in the source VRF.
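The following Python model, added here and not part of the Dell guide, simulates the route-leaking rules from the preceding sections (tag-based export/import, the route-map protocol filter, and the active-route rule just stated): a route leaks only when the source VRF's export tag is among the target's import tags, the route is active in the source VRF, and it passes the target's protocol filter. The Route and Vrf classes, the constructed VRF-Red/VRF-Shared topology and its prefixes are this example's own assumptions, not the switch's implementation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str         # "connected", "static", "ospf" or "bgp"
    next_hop: str
    active: bool = True   # False when another route for the prefix won best-path selection


@dataclass
class Vrf:
    name: str
    routes: List[Route]
    export_tag: Optional[str] = None                       # ip route-export <tag>
    import_tags: Set[str] = field(default_factory=set)     # ip route-import <tag>
    # Protocols admitted by the ip route-import route-map; None means no filter.
    import_protocols: Optional[Set[str]] = None


def leak_routes(vrfs: List[Vrf]) -> Dict[str, List[Route]]:
    """Return, per target VRF name, the routes it imports from the other VRFs.

    The leaked route's next hop is written as "<source VRF>:<next hop>", the
    way the show ip route vrf output above displays leaked routes.
    """
    leaked: Dict[str, List[Route]] = {v.name: [] for v in vrfs}
    for target in vrfs:
        for source in vrfs:
            if source is target or source.export_tag is None:
                continue
            if source.export_tag not in target.import_tags:
                continue   # no matching tag: nothing flows from source to target
            for r in source.routes:
                if not r.active:
                    continue   # inactive routes never leak, even if the filter matches them
                if target.import_protocols is not None and r.protocol not in target.import_protocols:
                    continue   # dropped by the target's route-map
                leaked[target.name].append(
                    Route(r.prefix, r.protocol, f"{source.name}:{r.next_hop}"))
    return leaked


def example_topology() -> List[Vrf]:
    """Constructed topology: VRF-Red and VRF-Shared leaking routes to each other."""
    vrf_red = Vrf(
        name="VRF-Red",
        routes=[
            Route("111.1.1.0/24", "connected", "Te 1/11/1"),
            Route("11.1.1.1/32", "ospf", "111.1.1.1"),
            # Two routes for one prefix: the BGP route lost to OSPF and is inactive,
            # so a BGP-matching filter in the target still cannot leak it.
            Route("9.9.9.0/24", "bgp", "111.1.1.9", active=False),
            Route("9.9.9.0/24", "ospf", "111.1.1.1"),
        ],
        export_tag="1:1",
        import_tags={"3:3"},
    )
    vrf_shared = Vrf(
        name="VRF-Shared",
        routes=[
            Route("144.4.4.0/24", "connected", "Te 1/4/1"),
            Route("44.4.4.4/32", "ospf", "144.4.4.4"),
        ],
        export_tag="3:3",
        import_tags={"1:1"},
        import_protocols={"ospf", "bgp"},   # route-map: match only OSPF and BGP
    )
    return [vrf_red, vrf_shared]


if __name__ == "__main__":
    for name, routes in leak_routes(example_topology()).items():
        print(name)
        for r in routes:
            print(f"  {r.prefix:15} {r.protocol:9} via {r.next_hop}")
```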
63 Virtual Router Redundancy Protocol (VRRP)

VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 170. Basic VRRP Configuration

VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocol (IGP) protocols to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with virtual router redundancy protocol (VRRP).
Table 139. Recommended VRRP Advertise Intervals
Total VRRP Groups      Recommended Advertise Interval   Groups/Interface
Less than 250          1 second                         12
Between 250 and 450    2–3 seconds                      24
Between 450 and 600    3–4 seconds                      36
Between 600 and 800    4 seconds                        48
Between 800 and 1000   5 seconds                        84
Between 1000 and 1200  7 seconds                        100
Between 1200 and 1500  8 seconds                        120

VRRP Configuration
By default, VRRP is not configured.
interface TenGigabitEthernet 1/1/1
 ip address 10.10.10.1/24
!
 vrrp-group 111
 no shutdown

Configuring the VRRP Version for an IPv4 Group
For IPv4, you can configure a VRRP group to use one of the following VRRP versions:
• VRRPv2 as defined in RFC 3768, Virtual Router Redundancy Protocol (VRRP)
• VRRPv3 as defined in RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
You can also migrate an IPv4 group from VRRPv2 to VRRPv3.
• The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell EMC Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group.
• For example, an interface (on which you enable VRRP) contains a primary IP address of 50.1.1.1/24 and a secondary IP address of 60.1.1.
VRF: 0 default
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.3
Authentication:
When the VRRP process completes its initialization, the State field contains either Master or Backup.
NOTE: Authentication for VRRPv3 is not supported.
To configure simple authentication, use the following command.
• Configure a simple text password.
  INTERFACE-VRID mode
  authentication-type simple [encryption-type] password
  Parameters:
  • encryption-type: 0 indicates unencrypted; 7 indicates encrypted.
  • password: plain text.
The bold section shows the encryption type (encrypted) and the password.
Changing the Advertisement Interval
By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating that it is operational and is the MASTER router. If the VRRP group misses three consecutive advertisements, the election process begins and the BACKUP virtual router with the highest priority transitions to MASTER.
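The show vrrp output, the authentication section and the advertisement-interval rule above lend themselves to an automated health check. The following Python is an added example, not code from the guide or from Dell: it parses show vrrp output in the format shown above, derives the virtual MAC each group should be using (00:00:5e:00:01:VRID for IPv4 per RFC 3768, 00:00:5e:00:02:VRID for IPv6 per RFC 5798), computes the master-down interval from the RFC formulas (an assumption: the page does not say the OS uses exactly these timers), and reports what an operator would want to review: a virtual MAC that does not match the VRID, bad packets received, and a VRRPv2 group running without authentication. The sample output is constructed; its second group is deliberately given a mismatching MAC and a non-zero bad-packet count so the checks have something to report.

```python
"""Read `show vrrp` output and check each group against RFC 3768 (VRRPv2) and
RFC 5798 (VRRPv3). Added example, not Dell EMC Networking OS code; the sample
output is constructed in the guide's format (second group deliberately faulty)."""
import re

SAMPLE_SHOW_VRRP = """\
TenGigabitEthernet 1/1/1, IPv4 VRID: 111, Version: 2, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.3
Authentication: (none)
TenGigabitEthernet 1/1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 3, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0b
Virtual IP address: 1::10 fe80::10
"""

HEADER = re.compile(r"^(?P<intf>\S+ \S+), (?:(?P<af>IPv4|IPv6) )?VRID: (?P<vrid>\d+)"
                    r"(?:, Version: (?P<ver>\d))?, Net:\s*(?P<net>\S+)")
STATE = re.compile(r"State: (\w+), Priority: (\d+), Master: (\S+)")
ADVINT = re.compile(r"(?<!Master )AdvInt: (\d+) (sec|centisec)")
BAD = re.compile(r"Bad pkts rcvd: (\d+)")
VMAC = re.compile(r"Virtual MAC address: (\S+)")
AUTH = re.compile(r"Authentication: ?(.*)")


def vrrp_virtual_mac(vrid, ipv6=False):
    """00:00:5e:00:01:<VRID> for IPv4 (RFC 3768), 00:00:5e:00:02:<VRID> for IPv6 (RFC 5798)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5e:00:%02x:%02x" % (2 if ipv6 else 1, vrid)


def master_down_interval(priority, adv_interval, version=2):
    """How long a backup waits without advertisements before starting an election.
    VRRPv2: 3 * Advertisement_Interval + (256 - Priority) / 256  (seconds)
    VRRPv3: 3 * Master_Adver_Interval + (256 - Priority) * Master_Adver_Interval / 256  (centiseconds)
    A higher priority gives a shorter skew, so that backup speaks first.
    These are the RFC formulas; the OS's own timer implementation is an assumption here."""
    skew = (256 - priority) / 256 if version == 2 else (256 - priority) * adv_interval / 256
    return 3 * adv_interval + skew


def parse_show_vrrp(text):
    """Turn show vrrp output into one dict per group."""
    groups = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            groups.append({"intf": m["intf"], "ipv6": m["af"] == "IPv6",
                           "vrid": int(m["vrid"]), "version": int(m["ver"] or 2),
                           "net": m["net"], "auth": None, "bad_pkts": 0})
        elif not groups:
            continue
        elif m := STATE.search(line):
            groups[-1].update(state=m[1], priority=int(m[2]), master=m[3])
        elif m := ADVINT.search(line):
            groups[-1].update(advint=int(m[1]), advint_unit=m[2])
        elif m := BAD.search(line):
            groups[-1]["bad_pkts"] = int(m[1])
        elif m := VMAC.search(line):
            groups[-1]["vmac"] = m[1].lower()
        elif m := AUTH.search(line):
            groups[-1]["auth"] = m[1].strip()
    return groups


def audit(groups):
    """(interface, VRID, finding) triples worth an operator's attention."""
    findings = []
    for g in groups:
        expected = vrrp_virtual_mac(g["vrid"], g["ipv6"])
        if g.get("vmac") != expected:
            findings.append((g["intf"], g["vrid"],
                             f"virtual MAC {g.get('vmac')} does not match VRID (expected {expected})"))
        if g["bad_pkts"]:
            findings.append((g["intf"], g["vrid"], f"{g['bad_pkts']} bad VRRP packets received"))
        if g["version"] == 2 and g["auth"] in (None, "", "(none)"):
            findings.append((g["intf"], g["vrid"], "VRRPv2 group runs without authentication"))
    return findings


if __name__ == "__main__":
    for g in parse_show_vrrp(SAMPLE_SHOW_VRRP):
        print(g["intf"], "VRID", g["vrid"], "master-down interval:",
              master_down_interval(g["priority"], g["advint"], g["version"]), g["advint_unit"])
    for intf, vrid, msg in audit(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print(f"{intf} VRID {vrid}: {msg}")
```

The authentication finding is raised only for VRRPv2 groups, because, as the note above states, VRRPv3 has no authentication field at all; the bad-packet counter is worth watching because it is where advertisements that fail validation (including a wrong password) are counted.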
For a virtual group, you can track the line-protocol state or the routing status of any of the following interfaces with the interface interface parameter:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport information.
• For a 25-Gigabit Ethernet interface, enter the keyword twentyFiveGigE then the slot/port/subport information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port/subport information.
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10
The following example shows verifying the tracking status.
Set the delay timer on individual interfaces. The delay timer is supported on all physical interfaces, VLANs, and LAGs. When you configure both CLIs, the timer that expires later governs when VRRP is enabled. For example, if you set vrrp delay reload 600 and vrrp delay minimum 300, the following behavior occurs:
• When the system reloads, VRRP waits 600 seconds (10 minutes) to bring up VRRP on all interfaces that are up and configured for VRRP.
Figure 171. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6
The following example shows configuring VRRP for IPv4.
Router 2
R2(conf)#interface tengigabitethernet 2/31/1
R2(conf-if-te-2/31/1)#ip address 10.1.1.1/24
R2(conf-if-te-2/31/1)#vrrp-group 99
R2(conf-if-te-2/31/1-vrid-99)#priority 200
R2(conf-if-te-2/31/1-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31/1-vrid-99)#no shut
R2(conf-if-te-2/31/1)#show conf
!
interface TenGigabitEthernet 2/31/1
 ip address 10.1.1.
-----------------
TenGigabitEthernet 2/31/1, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#
Router 3
R3(conf)#interface tengigabitethernet 3/21/1
R3(conf-if-te-3/21/1)#ip address 10.1.1.
Figure 172. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
  no shutdown
R2(conf-if-te-1/1/1)#end
R2#show vrrp
-----------------
TenGigabitEthernet 1/1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:
instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup. In VRF-1 and VRF-2 on Switch-2, the virtual IP and node IP address, subnet, and VRRP group are the same. On Switch-1, the virtual IP address, subnet, and VRRP group are the same in VRF-1 and VRF-2, but the IP address of the node interface is unique.
!
S1(conf)#interface TenGigabitEthernet 1/3/1
S1(conf-if-te-1/3/1)#ip vrf forwarding VRF-3
S1(conf-if-te-1/3/1)#ip address 20.1.1.5/24
S1(conf-if-te-1/3/1)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-1/3/1-vrid-105)#priority 255
S1(conf-if-te-1/3/1-vrid-105)#virtual-address 20.1.1.5
S1(conf-if-te-1/3/1)#no shutdown
DellEMC#show vrrp tengigabitethernet 2/8/1
-----------------
TenGigabitEthernet 2/8/1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100
Authentication: (none)

VRRP in VRF: Switch-2 VLAN Configuration
Switch-2
S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface TenGigabitEthernet 1/1/1
S2(conf-if-te-1/1/1)#no ip address
S2(conf-if-te-1/1/1)#switchport
S2(conf-if-te-1/1/1)#no shutdown
!
S2(conf-if-te-1/1/1)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.100
Authentication: (none)

VRRP for IPv6 Configuration
This section shows a VRRP IPv6 topology with CLI configurations.
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
Router 2
R2(conf)#interface tengigabitethernet 1/1/1
R2(conf-if-te-1/1/1)#no ip address
R2(conf-if-te-1/1/1)#ipv6 address 1::1/64
R2(conf-if-te-1/1/1)#vrrp-group 10
NOTE: You must configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
VRF: 0 default
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
DellEMC#show vrrp tengigabitethernet 1/1/1
TenGigabitEthernet 1/1/1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold
Port-channel 1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 2 vrf2
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255

Proxy Gateway with VRRP
VLT proxy gateway solves the inefficient traffic trombone problem when VLANs are extended between data cen
• The core routers C1 and D1 in the local VLT domain are connected to the core routers C2 and D2 in the remote VLT domain using VLT links.
• The core routers C1 and D1 in the local VLT domain, along with C2 and D2 in the remote VLT domain, are part of a Layer 3 cloud.
• The core routers C1, D1, C2, and D2 are in a VRRP group with the same vrrp-group ID.
When a virtual machine running in Server Rack 1 migrates to Server Rack 2, L3 packets for that VM are routed through the default gateway.
 unit-id 1
 peer-routing
interface port-channel 128
 channel member ten 1/1/1
 channel member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.3/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0
Sample configuration of D2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
64 Debugging and Diagnostics

Offline Diagnostics
The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
• Level 1 — A smaller set of diagnostic tests.
The following example shows the offline stack-unit stack-unit-number command.
DellEMC#offline stack-unit 1
Warning - offline of unit will bring down all the protocols and the unit will be operationally down, except for running Diagnostics.
Please make sure that stacking is not configured for Diagnostics execution. Also reboot/online command is necessary for normal operation after the offline command is issued.
QSFP 26/1 BR max = 0
QSFP 26/1 BR min = 0
QSFP 26/1 Vendor SN = APF12380010GME
QSFP 26/1 Datecode = 120925
QSFP 26/1 CheckCodeExt = 0xf2
[output truncated]

Recognize an Overtemperature Condition
An overtemperature condition occurs for one of two reasons: the card genuinely is too hot, or a sensor has malfunctioned. Inspect cards adjacent to the one reporting the condition to discover the cause.
• If directly adjacent cards are not at normal temperature, suspect a genuine overheating condition.
Troubleshoot an Under-Voltage Condition
To troubleshoot an under-voltage condition, check that the correct number of power supplies are installed and that their Status light emitting diodes (LEDs) are lit.
The following table lists information for SNMP traps and OIDs on the environmental monitoring hardware and hardware components.
Table 140. SNMP Traps and OIDs
OID String | OID Name | Description
 | chSysPortXfpRecvPower | OID displays the receiving power of the connected optics.
apply user-defined buffer profile on interface Te 1/1. Please remove global pre-defined buffer profile.
To apply a predefined buffer profile, use the following command:
• Apply one of the predefined buffer profiles for all port pipes in the system.
  CONFIGURATION mode
  buffer-profile global [1Q|4Q]
If the default buffer profile dynamic is active, Dell EMC Networking OS displays an error message instructing you to remove the default configuration using the no buffer-profile global command.
Rx VLAN Drops : 0
--- Ingress MAC counters ---
Ingress FCSDrops : 0
Ingress MTUExceeds : 0
--- MMU Drops ---
Ingress MMU Drops : 0
Ingress Drops Bytes : 0
HOL DROPS(TOTAL) : 0
HOL DROPS on COS0 : 0
HOL DROPS on COS1 : 0
HOL DROPS on COS2 : 0
HOL DROPS on COS3 : 0
HOL DROPS on COS4 : 0
HOL DROPS on COS5 : 0
HOL DROPS on COS6 : 0
HOL DROPS on COS7 : 0
HOL DROPS on COS8 : 0
HOL DROPS on COS9 : 0
HOL DROPS on COS10 : 0
HOL DROPS on COS11 : 0
HOL DROPS on COS12 : 0
HOL DROPS on COS13 : 0
HOL DROPS on COS14 : 0
HOL DR
dropped :0
recvToNet :773
rxError :0
rxFwdError :0
rxDatapathErr :0
rxPkt(COS0 ) :0
rxPkt(COS1 ) :0
rxPkt(COS2 ) :0
rxPkt(COS3 ) :0
rxPkt(COS4 ) :0
rxPkt(COS5 ) :0
rxPkt(COS6 ) :0
rxPkt(COS7 ) :0
rxPkt(COS8 ) :773
rxPkt(COS9 ) :0
rxPkt(COS10) :0
rxPkt(COS11) :0
rxPkt(UNIT0) :773
transmitted :12698
txRequested :12698
noTxDesc :0
txError :0
txReqTooLarge :0
txInternalError :0
txDatapathErr :0
txPkt(COS0 ) :0
txPkt(COS1 ) :0
txPkt(COS2 ) :0
txPkt(COS3 ) :0
txPkt(COS4 ) :0
txPkt(COS5 ) :0
txPkt(COS6 ) :0
txPkt(
RX - 1024 to 1518 Byte Frame Counter 0
RX - 1519 to 1522 Byte Good VLAN Frame Counter 0
RX - 1519 to 2047 Byte Frame Counter 0
RX - 2048 to 4095 Byte Frame Counter 0
RX - 4096 to 9216 Byte Frame Counter 0

Example of Displaying Counter Information for a Specific Interface
DellEMC#show hardware counters interface hundredGigE 1/1
unit: 0 port: 50 (interface Hu 1/1)
Description Value
[RX counter rows: only the RX column survived extraction; counter names and values were not captured]
TX - Unicast Frame Counter
TX - Multicast Frame Counter
TX - Broadcast Frame Counter
TX - Byte Counter
TX - Control Frame Counter
TX - Pause Control Frame Counter
TX - Oversized Frame Counter
TX - Jabber Counter
TX - VLAN Tag Frame Counter
TX - Double VLAN Tag Frame Counter
TX - RUNT Frame Counter
TX - Fragment Counter
TX - PFC Frame Priority 0
TX - PFC Frame Priority 1
TX - PFC Frame Priority 2
TX - PFC Frame Priority 3
TX - PFC Frame Priority 4
TX - PFC Frame Priority 5
TX - PFC Frame Priority 6
TX - PFC
[Value column not captured in extraction]
3  drwx  4096      Jul 15
4  -rwx  512       Sep 30
5  -rwx  1868977   Jul 1
6  -rwx  1553622   Jul
7  -rwx  1523296   Jul
8  -rwx  1523523   Jul
9  -rwx  1527504   Jul
10 -rwx  1738282   Jul
11 -rwx  1525213   Jul
12 -rwx  765783    Jul
13 -rwx  784725    Jul
14 -rwx  787785    Jul
15 -rwx  797852    Jul
16 -rwx  1552883   Jul
17 -rwx  803356    Jul
18 -rwx  1523099   Jul
19 -rwx  1828006   Aug
20 -rwx  161797    Aug
21 -rwx  43275928  Sep
22 -rwx  1810311   Sep
23 -rwx  1812442   Sep
24 -rwx  1810601   Sep
25 -rwx  1800256   Sep
26 -rwx  1798111   Sep
27 -rwx  1887496   Sep
28 -rwx  1913790   Sep
[remaining date, time and file-name columns of the listing not captured]
• Enable a TCP dump for CPU bound traffic.
65 Standards Compliance
This chapter describes standards compliance for Dell EMC Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click "Browse and search IETF documents," enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard.

General Internet Protocols
The following table lists the Dell EMC Networking OS support per platform for general internet protocols.
Table 141.
RFC# | Full Name | S-Series | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2615 | PPP over SONET/SDH | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2698 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.
RFC# | Full Name | S-Series | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
1305 | Network Time Protocol (Version 3) Specification, Implementation and Analysis | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1519 | Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1542 | Clarifications and Extensions for | 7.6. | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
RFC# | Full Name | S-Series | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4443 | Internet Control Message Protocol (ICMPv6) for the IPv6 Specification | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4861 | | 8.3.12.0 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4862 | IPv6 Stateless Address Autoconfiguration | 8.3.12.0 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.
Open Shortest Path First (OSPF)
The following table lists the Dell EMC Networking OS support per platform for the OSPF protocol.
Table 145. Open Shortest Path First (OSPF)
RFC# | Full Name | S-Series/Z-Series | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
1587 | The OSPF Not-So-Stubby Area (NSSA) Option | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2154 | OSPF with Digital Signatures | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2370 | The OSPF Opaque LSA Option | 7.6.1 | 9.8(0.
RFC# | Full Name | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
5308 | Routing IPv6 with IS-IS | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
draft-ietf-isis-igp-p2p-over-lan-06 | Point-to-point operation over LAN in link-state routing protocols | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
draft-kaplan-isis-ext-eth-02 | Extended Ethernet Frame Size Support | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.
Network Management
The following table lists the Dell EMC Networking OS support per platform for network management protocols.
Table 149. Network Management
RFC# | Full Name | S4810 | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
1155 | Structure and Identification of Management Information for TCP/IP-based Internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1156 | Management Information Base for Network Management of TCP/IP-based internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.
RFC# | Full Name | S4810 | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
2572 | Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2574 | User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.
RFC# | Full Name | S4810 | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
(continued) | High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History High-Capacity Table | | | | | |
3416 | Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.
RFC# | Full Name | S4810 | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
draft-ietf-netmod-interfaces-cfg-03 | Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface REST API feature. | 9.2(0.0) | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.
RFC# | Full Name | S4810 | S3048-ON | S4048-ON | Z9100-ON | S4048T-ON | S6010-ON
(continued) | ...SION-MIB by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | | | | | |
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB
FORCE10-CHASSIS-MIB | Force10 E-Series Enterprise Chassis MIB
FORCE10-COPY-CONFIG-MIB | Force10 File Copy MIB (supporting SNMP SET COPY operation)
Version cells extracted for the three MIB rows above, in the order captured (row assignment lost in extraction):
7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
7.7.1 | 9.8(0.
Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.aspx If you have forgotten or lost your account information, contact Dell TAC for assistance.
66 X.509v3
Dell EMC Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging

Introduction to X.509v3 certificates
X.
Advantages of X.509v3 certificates
Public key authentication is preferred over password-based authentication, although both may be used in conjunction, for various reasons. Public-key authentication provides the following advantages over normal password-based authentication:
• Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell EMC Networking OS generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
Installing CA certificate
To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode.

Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to get an X.509v3 certificate from a CA. To obtain an X.509v3 certificate, the device first requests a certificate from a CA through a Certificate Signing Request (CSR).
NOTE: The command contains multiple options, with the Common Name being a required field and blanks being filled in for unspecified fields.

Information about installing trusted certificates
Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. This trusted certificate is also presented to the TLS server implementations that require client authentication, such as Syslog.
TLS compression is disabled by default. TLS session resumption is also supported, to reduce the processor and traffic overhead of public key cryptographic operations and handshake traffic. The maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable, with a default of 1 hour. You can also disable session resumption.
Configuring Revocation Behavior
You can configure the system behavior if an OCSP responder fails. By default, when all the OCSP responders fail to send a response to an OCSP request, the system accepts the certificate (fails open) and logs the event. However, you can configure the system to reject the certificate instead when the OCSP responders fail.
• A secure session negotiation fails due to an invalid, expired, or revoked certificate.