Dell EMC Networking Configuration Guide for the C9010 Series Version 9.14.2.
Notes, Cautions, and Warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2018 - 2019 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
1 About this Guide
This configuration guide describes how to use and configure the software features supported in the Dell Networking operating system (OS) on a C9010 switch and on C1048P, N20xx, and N30xx port extenders; all of them are configured from the C9010 console. The C9010 switch is also referred to as the network director or control bridge. The port extenders are also referred to as rapid access nodes. Although this guide contains information on protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell Networking OS command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels. After you enter a command, the command is added to the running configuration file.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
• GRUB
• BGP ADDRESS-FAMILY
• ROUTER ISIS
• ISIS ADDRESS-FAMILY
• ROUTER OSPF
• ROUTER OSPFV3
• ROUTER RIP
• SPANNING TREE
• TRACE-LIST
• VLT DOMAIN
• VRRP
• UPLINK STATE GROUP
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode          Prompt                          Access Command
Port-channel Interface    Dell(conf-if-po-0)#             interface (INTERFACE modes)
Tunnel Interface          Dell(conf-if-tu-0)#             interface (INTERFACE modes)
VLAN Interface            Dell(conf-if-vl-0)#             interface (INTERFACE modes)
STANDARD ACCESS-LIST      Dell(config-std-nacl)#          ip access-list standard (IP ACCESS-LIST modes)
EXTENDED ACCESS-LIST      Dell(config-ext-nacl)#          ip access-list extended (IP ACCESS-LIST modes)
IP COMMUNITY-LIST         Dell(config-community-list)#    ip community-list
CONSOL
CLI Command Mode          Prompt                                                  Access Command
EIS                       Dell(conf-mgmt-eis)#                                    management egress-interface-selection
FRRP                      Dell(conf-frrp-ring-id)#                                protocol frrp
LLDP                      Dell(conf-lldp)# or Dell(conf-if-interface-lldp)#       protocol lldp (CONFIGURATION or INTERFACE modes)
LLDP MANAGEMENT INTERFACE Dell(conf-lldp-mgmtIf)#                                 management-interface (LLDP mode)
LINE                      Dell(config-line-console)# or Dell(config-line-vty)#    line console or line vty
MONITOR SESSION           Dell(conf-mon-sess-sessionID)#                          monitor session
OPENFLOW INSTAN
System image file is "system://A"
System Type: C9010
Control Processor: Intel Rangeley with 2 Gbytes (2127536128 bytes) of memory, core(s) 2.
Route Processor: Intel Rangeley with 2 Gbytes (2127536128 bytes) of memory, core(s) 2.
16G bytes of boot flash memory.
2 Route Processor Module.
3 24-port TE/GE (VG)
3 24-port TE/GE (VG)
4 6-port TE/FG (VG)
2 4-port TE/GE (VG)
208 Ten GigabitEthernet/IEEE 802.3 in
10 Forty GigabitEthernet/IEEE 802.
debug        Debug functions
--More--
• Enter ? after a partial keyword to list all of the keywords that begin with the specified letters.
Dell(conf)#cl?
class-map  clock
Dell(conf)#cl
• Enter [space]? after a keyword to list all of the keywords that can follow the specified keyword.
Dell(conf)#clock ?
summer-time    Configure summer (daylight savings) time
timezone       Configure time zone
Dell(conf)#clock
Entering and Editing Commands
Notes for entering commands:
• The CLI is not case-sensitive.
Command History
The Dell Networking OS maintains a history of previously-entered commands for each mode. For example:
• When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands.
• When you are in CONFIGURATION mode, the UP and DOWN arrow keys recall the previously-entered CONFIGURATION mode commands.
The find keyword displays the output of the show command beginning from the first occurrence of the specified text. The following example shows this keyword used in combination with the show processes command.
Example of the find Keyword
Dell#show processes cpu cp | find system
0     72900   7290   10000   17.79%   17.93%
538   42710   4271   10000    6.52%    7.74%
535   50600   5060   10000    3.56%    3.61%
720     290     29   10000    0.20%    0.07%
614     250     25   10000    0.00%    0.03%
615     130     13   10000    0.00%    0.02%
508     290     29   10000    0.00%    0.02%
655     270     27   10000    0.
3 Getting Started This chapter describes how you start configuring your operating software. When you power up the chassis, the system performs a power-on self test (POST) and loads the Dell Networking operating software. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LED remains online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover cable to connect the switch console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
the mount command is saved to the startup configuration. As a result, each time the device reboots, the NFS file system is mounted during start up.
Table 4. Forming a copy Command
Location: for a remote file location
source-file-url syntax: copy nfsmount://{}/filepath/filename} username:password
destination-file-url syntax: tftp://{hostip | hostname}/filepath/filename
NFS File System Important Points to Remember
• You cannot copy a file from one remote system to another.
Default Configuration
Although a version of the Dell Networking OS is pre-loaded on the switch, the system is not configured when you power up the first time (except for the default hostname, which is Dell). You must configure the system using the CLI.
Configuring a Host Name
The host name appears in the prompt. The default host name is Dell.
• Host names must start with a letter and end with a letter or digit.
• Characters within the string can be letters, digits, and hyphens.
Configure a Management Route
Define a path from the switch to the network from which you are accessing the system remotely. Management routes are separate from IP routes and are only used to manage the switch through the management port.
• Configure a management route to the network from which you are accessing the system.
CONFIGURATION mode
management route ip-address/mask gateway
• ip-address: the network address in dotted-decimal format (A.B.C.D).
• enable secret is stored in the running/startup configuration as an MD5-based hash.
• enable sha256-password is stored in the running/startup configuration as a SHA-256-based hash (PBKDF2).
Dell Networking recommends using enable sha256-password; PBKDF2 is deliberately slow to compute, so an attacker who obtains a copy of the configuration cannot guess the password nearly as fast as with the MD5 form. To configure an enable password, use the following command.
• Create a password to access EXEC Privilege mode.
• To copy a local file to a remote system, combine the file-origin syntax for a local file location with the file-destination syntax for a remote file location.
• To copy a remote file to the Dell Networking system, combine the file-origin syntax for a remote file location with the file-destination syntax for a local file location.
Table 5.
EXEC Privilege mode copy running-config scp://{hostip | hostname}/ filepath/filename NOTE: When copying to a server, a host name can only be used if a DNS server is configured. NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP to the running configuration, the configuration is added to the running configuration. This does not replace the existing running configuration.
Example of the show running-config Command
Dell#show running-config
Current Configuration ...
! Version 1-0(0-4013)
! Last configuration change at Wed Jun 3 16:24:25 2015 by admin
!
boot system rpm0 primary system: A:
boot system rpm0 secondary tftp://10.16.127.35/DT-MAA-C9000-3
boot system rpm0 default system: A:
boot system rpm1 primary system: A:
boot system rpm1 secondary tftp://10.16.127.35/DT-MAA-C9000-3
boot system rpm1 default system: A:
boot system gateway 10.16.127.
[May 17 10:16:53]: CMD-(CLI):[service timestamps log datetime utc]by default from console
[May 17 10:17:05]: CMD-(CLI):[show clock]by default from console
[May 17 10:17:20]: CMD-(CLI):[show running-config]by default from console
[May 17 10:17:30]: CMD-(CLI):[interface tengigabitethernet 1/2]by default from console
[May 17 10:17:32]: CMD-(CLI):[shutdown]by default from console
[May 17 10:17:34]: CMD-(CLI):[no shutdown]by default from console
[May 17 10:17:40]: CMD-(CLI):[write memory]by default from consol
4 Switch Management
Configuring Privilege Levels
Privilege levels restrict access to commands based on user or terminal line. There are 16 privilege levels, of which three are pre-defined. The default privilege level is 1.
Level 0: Access to the system begins at EXEC mode, and EXEC mode commands are limited to enable, disable, and exit.
Level 1: Access to the system begins at EXEC mode, and all commands are available.
Allowing Access to the Following Modes This section describes how to allow access to the INTERFACE, LINE, ROUTE-MAP, and ROUTER modes. Similar to allowing access to CONFIGURATION mode, to allow access to INTERFACE, LINE, ROUTE-MAP, and ROUTER modes, you must first allow access to the command that enters you into the mode. For example, to allow a user to enter INTERFACE mode, use the privilege configure level level interface tengigabitethernet command.
Current privilege level is 3.
To disable logging, use the following commands.
• Disable all logging except on the console.
CONFIGURATION mode
no logging on
• Disable logging to the logging buffer.
CONFIGURATION mode
no logging buffer
• Disable logging to terminal lines.
CONFIGURATION mode
no logging monitor
• Disable console logging.
CONFIGURATION mode
no logging console
Audit and Security Logs
This section describes how to configure, display, and clear audit and security logs.
Example of Enabling Audit and Security Logs
Dell(conf)#logging extended
Displaying Audit and Security Logs
To display audit logs, use the show logging auditlog command in EXEC mode. To view these logs, you must first enable the logging extended command. Only the RBAC system administrator user role can view the audit logs. Only the RBAC security administrator and system administrator user roles can view the security logs.
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1. On the switch, enable the SSH server.
Dell(conf)#ip ssh server enable
2. On the syslog server, create a reverse SSH tunnel from the syslog server to the switch, using the standard OpenSSH remote-forward form:
ssh -R remote_port:local_host:local_port user@remote_host -nNf
Here remote_host is the switch, remote_port is the port on the switch that is forwarded back through the tunnel, and local_host:local_port is the address on which the syslog daemon listens. In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
change the default value to any number of days from 1 to 30. By default, login activity tracking is disabled. You can enable it using the login statistics enable command from CONFIGURATION mode.
Restrictions for Tracking Login Activity
These restrictions apply for tracking login activity:
• Only the system and security administrators can configure login activity tracking and view the login activity details of other users.
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------
User: admin1
Last login time: 12:49:19 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.
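The login-statistics output above is a record to be reviewed, not just displayed. The following Python script is an added example, not part of the Dell guide: it parses the per-user blocks of that output and flags accounts whose failure counts cross a threshold, which is how a practitioner turns this feature into a brute-force check. The sample output is constructed to follow the format shown above, and the thresholds and the "admin1" data are assumptions for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modeled on the "show login-statistics" output above; it was not
# captured from a real switch. admin1 is the account someone has been hammering.
SAMPLE_OUTPUT = """\
User: admin
Last login time: 08:54:17 UTC Wed Mar 23 2016
Last login location: Line console
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 3
Successful login attempt(s) in last 30 day(s): 4
------------------------------------------------------------
User: admin1
Last login time: 12:49:19 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 7
Unsuccessful login attempt(s) in last 30 day(s): 12
Successful login attempt(s) in last 30 day(s): 1
"""

# "key: value"; the key never contains a colon, so times like 08:54:17 stay in the value.
FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<value>.*)$")
SINCE_LAST = "Unsuccessful login attempt(s) since the last successful login"
IN_WINDOW = "Unsuccessful login attempt(s) in last 30 day(s)"


def parse_login_statistics(text: str) -> List[Dict[str, str]]:
    """Split the output into one dict per 'User:' block; dashed separator lines are skipped."""
    users: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m["key"].strip(), m["value"].strip()
        if key == "User":
            current = {"User": value}
            users.append(current)
        elif current:
            current[key] = value
    return users


def flag_suspicious(users: List[Dict[str, str]], since_last_threshold: int = 3,
                    window_threshold: int = 10) -> List[Tuple[str, str, List[str]]]:
    """Return (user, last login location, reasons) for accounts whose failure counts
    cross either threshold. Thresholds are assumptions for the example."""
    findings: List[Tuple[str, str, List[str]]] = []
    for u in users:
        since_last = int(u.get(SINCE_LAST, "0"))
        in_window = int(u.get(IN_WINDOW, "0"))
        reasons = []
        if since_last >= since_last_threshold:
            reasons.append(f"{since_last} failed attempts since the last successful login")
        if in_window >= window_threshold:
            reasons.append(f"{in_window} failed attempts in the last 30 days")
        if reasons:
            findings.append((u["User"], u.get("Last login location", "unknown"), reasons))
    return findings


if __name__ == "__main__":
    for user, where, why in flag_suspicious(parse_login_statistics(SAMPLE_OUTPUT)):
        print(f"{user} (last login from {where}): " + "; ".join(why))
```

Run it against the real output of show login-statistics all captured over SSH; the "since the last successful login" counter is the more useful one, because a burst of failures followed by a success is exactly what a guessed password looks like.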
Limit Concurrent Login Sessions Dell Networking OS enables you to limit the number of concurrent login sessions of users on VTY, auxiliary, and console lines. You can also clear any of your existing sessions when you reach the maximum permitted number of concurrent sessions. By default, you can use all 10 VTY lines, one console line, and one auxiliary line.
When you try to create more than the permitted number of sessions, the following message appears, prompting you to close one of the existing sessions. If you close any of the existing sessions, you are allowed to log in. The example uses Telnet; the same limit applies to SSH sessions, which you should prefer because Telnet sends the user name and password in clear text.
$ telnet 10.11.178.17
Trying 10.11.178.17...
Connected to 10.11.178.17.
Escape character is '^]'.
Login: admin
Password:
Maximum concurrent sessions for the user reached.
Current sessions for user admin:
Line      Location
2 vty 0   10.14.1.97
3 vty 1   10.14.1.97
4 vty 2   10.14.1.97
5 vty 3   10.14.1.
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog standards are supported:
• RFC 5424, The Syslog Protocol (R. Gerhards, Adiscon GmbH, March 2009), which obsoletes RFC 3164
• RFC 5426, Transmission of Syslog Messages over UDP
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 80 % of the full speed
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 50 % of the full speed
Jan 21 02:56:54: %SYSTEM:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
Jan 21 02:56:54:
--More--
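Once messages reach a collector they need to be parsed and triaged. The following Python script is an added example, not part of the Dell guide: it parses the two record formats this guide shows, system messages in the %FACILITY-severity-MNEMONIC form and audit-log CMD-(CLI) records, and raises alerts for messages at or above the critical severity and for a watch-list of configuration-affecting commands. The sample lines are constructed to match the formats shown above; the watch-list, the severity cut-off and the Event field names are assumptions for the example, not Dell definitions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modeled on the "show logging" and audit-log output in this
# guide; they were not captured from a real C9010.
SAMPLE_LOG = """\
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-PSU_FAN_SPEED_CHANGE: PSU_Fan speed changed to 80 % of the full speed
Jan 21 03:02:51: %SYSTEM:LP %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 50 % of the full speed
Jan 21 02:56:54: %SYSTEM:CP %SNMP-6-SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
[May 17 10:17:30]: CMD-(CLI):[interface tengigabitethernet 1/2]by default from console
[May 17 10:17:32]: CMD-(CLI):[shutdown]by default from console
[May 17 10:17:40]: CMD-(CLI):[write memory]by default from console
[May 17 10:18:02]: CMD-(CLI):[no logging on]by default from console
"""

# <timestamp>: %SYSTEM:<processor> %<FACILITY>-<severity>-<MNEMONIC>: <text>
SYSTEM_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d): "
    r"%SYSTEM:(?P<cpu>[A-Z]+) %(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
# [<timestamp>]: CMD-(CLI):[<command>]<origin>
AUDIT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]: CMD-\(CLI\):\[(?P<command>[^\]]*)\](?P<origin>.*)$")

# Commands worth an alert when they appear in the audit log (assumed watch-list).
WATCHED_COMMANDS = [
    (re.compile(r"^no logging( |$)"), "logging path disabled"),
    (re.compile(r"^write( memory)?$|^copy running-config startup-config$"), "configuration saved"),
    (re.compile(r"^enable (password|secret|sha256-password)"), "enable password changed"),
    (re.compile(r"^restore factory-defaults"), "factory reset requested"),
    (re.compile(r"^no access-class"), "VTY access restriction removed"),
]


@dataclass
class Event:
    kind: str                 # "system" or "audit"
    timestamp: str
    severity: Optional[int]   # syslog severity 0-7 for system messages
    facility: Optional[str]
    mnemonic: Optional[str]
    command: Optional[str]    # CLI command for audit records
    text: str


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a system message or an audit record, None for anything else."""
    m = SYSTEM_RE.match(line)
    if m:
        return Event("system", m["ts"], int(m["severity"]), m["facility"],
                     m["mnemonic"], None, m["text"])
    m = AUDIT_RE.match(line)
    if m:
        return Event("audit", m["ts"], None, None, None,
                     m["command"].strip(), m["origin"].strip())
    return None


def review(log_text: str, max_severity: int = 2) -> List[str]:
    """Alert on system messages at severity 'critical' (2) or worse and on watched commands."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.kind == "system" and ev.severity <= max_severity:
            alerts.append(f"{ev.timestamp} sev{ev.severity} {ev.facility}-{ev.mnemonic}: {ev.text}")
        elif ev.kind == "audit":
            for pattern, reason in WATCHED_COMMANDS:
                if pattern.search(ev.command):
                    alerts.append(f"{ev.timestamp} {reason}: '{ev.command}' {ev.text}")
                    break
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

The audit records are the more valuable stream for security work: a "no logging on" or "write memory" from an unexpected line is worth an alert even though the switch logs it at an informational level, which is why the script keys on the command text rather than on severity for those records.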
• cron (for system scheduler messages)
• daemon (for system daemons)
• kern (for kernel messages)
• local0 (for local use)
• local1 (for local use)
• local2 (for local use)
• local3 (for local use)
• local4 (for local use)
• local5 (for local use)
• local6 (for local use)
• local7 (for local use)
• lpr (for line printer system messages)
• mail (for mail system messages)
• news (for USENET news messages)
• sys9 (system use)
• sys10 (system use)
• sys11 (system use)
• sys12 (system use)
• sys13 (syst
• level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages.
• limit: the range is from 20 to 300. The default is 20.
To view the logging synchronous configuration, use the show config command in LINE mode.
Enabling Timestamp on Syslog Messages
By default, syslog messages include a time/date stamp, taken from the system clock (datetime), stating when the error or message was created. To enable timestamp, use the following command.
• Add timestamp to syslog messages.
[May 17 15:53:36]: CMD-(CLI):[write memory]by default from console - Repeated 5 times.
• Specify the directory for users using FTP to reach the system.
CONFIGURATION mode
ftp-server topdir dir
The default is the internal flash directory.
• Specify a user name for all FTP users and configure either a plain text or encrypted password.
CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
• username: enter a text string.
• encryption-type: enter 0 for plain text or 7 for encrypted text. Type 7 is reversible obfuscation rather than a hash, so treat a type 7 value in a saved configuration as equivalent to the plain-text password. FTP itself also sends the user name and password in clear text; enable the FTP server only on a trusted management network and prefer SCP (the copy command accepts scp:// URLs) for file transfer.
ip access-class access-list
To view the configuration, use the show config command in LINE mode.
Dell(config-std-nacl)#show config
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
Dell(config-std-nacl)#line vty 0
Dell(config-line-vty)#show config
line vty 0
 access-class myvtyacl
Configuring Login Authentication for Terminal Lines
You can use any combination of up to six authentication methods to authenticate a user on a terminal line.
Setting Time Out of EXEC Privilege Mode
EXEC time-out is a basic security feature that returns the system to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands.
• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Setting the time-out period to 0 disables EXEC time-out, which leaves an idle privileged session open indefinitely; avoid this on VTY lines.
LINE mode
exec-timeout minutes [seconds]
• Return to the default time-out values.
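The enable-password choice, the logging commands, the VTY access-class and the exec-timeout described above are the settings most worth checking in a saved configuration. The following Python script is an added example, not part of the Dell guide: it splits a running-config into its blocks and reports the weak settings this chapter warns about, with a weak excerpt beside its hardened counterpart. Both excerpts are constructed, the password values are placeholders, the severities and message texts are assumptions for the example, and the treatment of enable password type 7 as reversible follows the encryption-type convention documented for ftp-server rather than anything this page states about enable password.

```python
import re
from typing import List, Optional, Tuple

# Constructed running-config excerpts (not captured from a real switch). The commands
# are the ones this chapter documents; the password values are placeholders.
WEAK_CONFIG = """\
!
hostname Dell
!
enable password 7 0a1b2c3d4e5f
!
logging buffered
no logging on
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
!
line console 0
 exec-timeout 0 0
line vty 0
 access-class myvtyacl
 exec-timeout 5 0
line vty 1 9
 exec-timeout 0 0
!
"""

HARDENED_CONFIG = """\
!
hostname Dell
!
enable sha256-password 8 placeholder-pbkdf2-hash
!
logging buffered
!
ip access-list standard myvtyacl
 seq 5 permit host 10.11.0.1
!
line console 0
 exec-timeout 10 0
line vty 0 9
 access-class myvtyacl
 exec-timeout 30 0
!
"""

Section = Tuple[str, List[str]]


def parse_sections(config: str) -> List[Section]:
    """Split a running-config into (header, indented lines) blocks; '!' ends a block."""
    sections: List[Section] = []
    current: Optional[Section] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for the weak settings this chapter warns about."""
    findings: List[Tuple[str, str]] = []
    sections = parse_sections(config)
    headers = [h for h, _ in sections]

    # Enable password: sha256-password (PBKDF2) is the recommended form, enable secret is
    # MD5-based, and enable password (type 0, or reversible type 7) is as good as plaintext.
    if any(h.startswith("enable sha256-password") for h in headers):
        pass
    elif any(h.startswith("enable secret") for h in headers):
        findings.append(("MEDIUM", "enable secret uses an MD5-based hash; migrate to enable sha256-password"))
    elif any(h.startswith("enable password") for h in headers):
        findings.append(("HIGH", "enable password is plaintext or reversibly obfuscated; use enable sha256-password"))
    else:
        findings.append(("HIGH", "no enable password configured; EXEC Privilege mode is unprotected"))

    # Logging paths switched off leave no audit trail.
    for h in headers:
        if h in ("no logging on", "no logging buffer", "no logging console"):
            findings.append(("MEDIUM", f"'{h}' disables a logging path"))

    # Terminal lines: every VTY line needs an access-class, and exec-timeout 0 never expires.
    for header, body in sections:
        if not header.startswith("line "):
            continue
        if header.startswith("line vty") and not any(entry.startswith("access-class") for entry in body):
            findings.append(("HIGH", f"'{header}' has no access-class limiting source addresses"))
        for entry in body:
            m = re.match(r"^exec-timeout (\d+)(?: (\d+))?$", entry)
            if m and int(m.group(1)) == 0 and int(m.group(2) or 0) == 0:
                findings.append(("MEDIUM", f"'{header}' has exec-timeout 0, idle sessions never expire"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_config(WEAK_CONFIG):
        print(severity, finding)
    print("hardened config findings:", audit_config(HARDENED_CONFIG))
```

Feed it the text of show running-config (or the startup-config pulled with copy); the hardened excerpt produces no findings, while the weak one reports the plaintext-equivalent enable password, the disabled logging, the VTY range with no access-class and both lines whose exec-timeout is 0.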
• Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set auto-lock, every time a user is in CONFIGURATION mode, all other users are denied access. This means that you can exit to EXEC Privilege mode and re-enter CONFIGURATION mode without having to set the lock again.
• Set manual lock using the configure terminal lock command from CONFIGURATION mode.
Syntax
enable cpu-clock-monitor
To disable this feature, use the no enable cpu-clock-monitor command.
Parameters
None
Defaults
Enabled
Command Modes
CONFIGURATION
Command History
This guide is platform-specific. For command information about other platforms, see the relevant Dell Networking OS Command Line Reference Guide.
Version 9.11(2.0): Introduced on the C9010, S3048-ON, S6100-ON and Z9100-ON.
Ignoring the Startup Configuration and Booting from the Factory-Default Configuration
If you do not want to boot up with your current startup configuration and do not want to delete it, you can interrupt the boot process and boot up with the C9000 series factory-default configuration.
To boot up with the factory-default configuration:
1. Log onto the system using the console.
2. Power-cycle the chassis by disconnecting and then reconnecting the power cord.
3.
The following example shows how the restore factory-defaults command restores a switch to its factory default settings.
Dell# restore factory-defaults chassis nvram
***********************************************************************
* Warning - Restoring factory defaults will delete the existing       *
* persistent settings (stacking, fanout, etc.)                        *
* After restoration the unit(s) will be powercycled immediately.
To boot from flash partition B:
BOOT_USER # boot change primary
boot device : flash
file name   : systemb
BOOT_USER #
To boot from the network:
BOOT_USER # boot change primary
boot device       : tftp
file name         : FTOS-SI-9-5-0-169.bin
Server IP address : 10.16.127.35
BOOT_USER #
4. Assign an IP address and network mask to the Management Ethernet interface.
   BOOT_USER # interface management ethernet ip address ip_address_with_mask
   For example, 10.16.150.106/16.
5.
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin
MD5 hash for FTOS-SE-9.5.0.0.bin: 275ceb73a4f3118e1d6bcf7d75753459
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin
SHA256 hash for FTOS-SE-9.5.0.0.bin: e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933

Examples: Entering the Hash Value for Verification
MD5
Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
Dell# verify sha256 flash://FTOS-SE-9.5.0.0.
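The two forms of the verify command above (print the digest, or compare against a supplied digest and report VERIFIED) can be reproduced off-box before an image is copied to the switch. The following is an added example, not Dell code; the image contents and digests it uses are constructed for the example, not those of a real FTOS image.

```python
"""Offline image-digest check mirroring 'verify md5|sha256 <file> [hash]'.
Added example, not Dell code; sample data is constructed."""
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = {"md5": hashlib.md5, "sha256": hashlib.sha256}


def digest_bytes(data: bytes, algorithm: str) -> str:
    """Hex digest of an in-memory blob (used for small tests)."""
    return ALGORITHMS[algorithm](data).hexdigest()


def image_digest(path: str, algorithm: str) -> str:
    """Hex digest of a file, read in 1 MiB chunks so a large image does not
    have to fit in memory. This is the first form of the command."""
    h = ALGORITHMS[algorithm]()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(path: str, algorithm: str, expected: str = None):
    """Second form of the command: compare against a published digest.

    Returns the digest when no expected value is given, otherwise True only
    on an exact match. Published digests are often upper-case while
    hexdigest() is lower-case, so normalise before the constant-time compare.
    """
    actual = image_digest(path, algorithm)
    if expected is None:
        return actual
    return hmac.compare_digest(actual, expected.strip().lower())


def demo():
    """Write a constructed stand-in image, verify it against its real digest
    and against a digest with one nibble altered. Returns (good, tampered)."""
    data = b"FTOS-SE-example-image" * 1000  # constructed, not a real image
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        expected = digest_bytes(data, "sha256")
        good = verify_image(path, "sha256", expected.upper())
        wrong = expected[:-1] + ("0" if expected[-1] != "0" else "1")
        tampered = verify_image(path, "sha256", wrong)
        return good, tampered
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("match, mismatch =", demo())
```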
linecard 10   FLASH BOOT   1-0(0-4243)[boot]   1-0(0-4226)
linecard 11   FLASH BOOT   1-0(0-4243)[boot]   1-0(0-4226)

When System Images on C9010 Components Do Not Match
You normally upgrade system images on all installed components at the same time by entering the upgrade system-image all command; for example: upgrade system-image all flash://FTOS-C9000-9.9.0.0.bin {A: | B:}. For information about this upgrade procedure, see the C9010 and C1048P Release Notes.
• To log in to a line-card processor: Hold down the Ctrl key and type geo. Then release the Ctrl key and type the line-card slot number 0 to 9.
• When you finish, log back in to the RPM CP: Hold down the Ctrl key and type geo. Then release the Ctrl key and type x.

Booting the C9010 from an Image on a Network Server
If you configure an RPM to boot from a system image stored on a network server, all C9010 components are automatically configured to boot from the RPM CP image.
PRIMARY OPERATING SYSTEM BOOT PARAMETERS:
========================================
boot device                    : ftp
file name                      : force10/rd/tgtimg/runtime/LP.bin
Management Etherenet IP address: 127.10.10.43
Mask                           : 255.240.0.0
Server IP address              : 127.10.10.10
Default Gateway IP address     : 127.10.10.10
username                       : f10agent
password                       : imagereq

Viewing the Reason for Last System Reboot
You can view the reason for the last system reboot.
5 802.1X
802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification.
802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADIUS
The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
The Port-Authentication Process
The authentication process begins when the authenticator senses that a link status has changed from down to up:
1. When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2. The supplicant responds with its identity in an EAP Response Identity frame.
3.
Figure 5. EAP Over RADIUS

RADIUS Attributes for 802.1X Support
Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages:
Attribute 31 Calling-Station-Id: relays the supplicant MAC address to the authentication server.
Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet.
Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X
Enable 802.1X globally.
Figure 6. 802.1X Enabled
1. Enable 802.1X globally.
   CONFIGURATION mode
   dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
   INTERFACE mode
   interface [range]
3. Enable 802.1X on the supplicant interface only.
   INTERFACE mode
   dot1x authentication
NOTE: You must enable dot1x authentication globally as well as in INTERFACE mode on the interface to which the supplicant is connected.
Verify that 802.
interface TenGigabitEthernet 2/1
 no ip address
 dot1x authentication
 no shutdown
!
Dell#
View 802.1X configuration information for an interface using the show dot1x interface command. The bold lines show that 802.1X is enabled and that all ports are unauthorized by default.
Dell#show dot1x interface TenGigabitEthernet 2/1
802.
     203 Multicasts, 0 Broadcasts, 10760802177 Unicasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     2285 packets, 146240 bytes, 0 underruns
     2285 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     1983 Multicasts, 0 Broadcasts, 302 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 76.00 Mbits/sec, 149280 packets/sec, 10.00% of line-rate
     Output 00.
Configuring the Static MAB and MAB Profile
Enable MAB (mac-auth-bypass) before using the dot1x static-mab command to enable static MAB. To enable static MAB and configure a static MAB profile, use the following commands.
• Configure static MAB and a static MAB profile on a dot1x interface.
  INTERFACE mode
  dot1x static-mab profile profile-name
  Enter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.
 switchport
 dot1x critical-vlan 300
 no shutdown
Dell#show dot1x interface tengigabitethernet 2/1
802.
Configuring a Quiet Period after a Failed Authentication
If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period.
NOTE: The quiet period (dot1x quiet-period) is the transmit interval after a failed authentication; the Request Identity re-transmit interval (dot1x tx-period) is for an unresponsive supplicant.
To configure a quiet period, use the following command.
The example shows configuration information for a port that has been force-authorized. The bold line shows the new port-control state.
Dell(conf-if-Te-0/0)#dot1x port-control force-authorized
Dell(conf-if-Te-0/0)#show dot1x interface TenGigabitEthernet 0/0
802.
Re-Auth Interval:   7200 seconds
Max-EAP-Req:        10
Auth Type:          SINGLE_HOST
Auth PAE State:     Initialize
Backend State:      Initialize
Auth PAE State:     Initialize
Backend State:      Initialize

Configuring Dynamic VLAN Assignment with Port Authentication
On the switch, 802.1X authentication supports dynamic VLAN assignment. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure:
1. The host sends a dot1x packet to the Dell Networking system.
2.
4. Connect the supplicant to the port configured for 802.1X.
5. Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).

Guest and Authentication-Fail VLANs
Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated.
Re-Auth Interval:   7200 seconds
Max-EAP-Req:        10
Auth Type:          SINGLE_HOST
Auth PAE State:     Initialize
Backend State:      Initialize

Configuring an Authentication-Fail VLAN
If the supplicant fails authentication, the authenticator re-attempts to authenticate after a specified amount of time.
NOTE: For more information about authenticator re-attempts, refer to Configuring a Quiet Period after a Failed Authentication.
Example of Viewing Configured Authentication
802.
Supplicant Timeout: 15 seconds
Server Timeout:     15 seconds
Re-Auth Interval:   7200 seconds
Max-EAP-Req:        10
Auth Type:          SINGLE_HOST
Auth PAE State:     Initialize
Backend State:      Initialize

Multi-Host Authentication
By default, 802.1X assumes that a single end user is connected to a single authenticator port in a one-to-one mode of authentication called single-host mode.
Figure 9. Multi-Host Authentication Mode
When you configure multi-host mode authentication, the first client to respond to an identity request is authenticated and subsequent responses are still ignored. However, because the authenticator expects the possibility of multiple responses, no system log is generated. After the first supplicant is authenticated, all end users connected to the authorized port are allowed to access the network.
Auth-Fail VLAN id:      NONE
Auth-Fail Max-Attempts: NONE
Critical VLAN:          Disable
Critical VLAN id:       NONE
Mac-Auth-Bypass:        Disable
Mac-Auth-Bypass Only:   Disable
Static-MAB:             Disable
Static-MAB Profile:     NONE
Tx Period:              30 seconds
Quiet Period:           60 seconds
ReAuth Max:             2
Supplicant Timeout:     30 seconds
Server Timeout:         30 seconds
Re-Auth Interval:       3600 seconds
Max-EAP-Req:            2
Host Mode:              MULTI_HOST
Auth PAE State:         Connecting
Backend State:          Idle

Configuring Single-Host Authentication
To enable single-host authentication o
During the authentication process, the switch is able to learn the MAC address of the device through the EAPoL frames, and the VLAN assignment from the RADIUS server. With this information it creates an authorized-MAC-to-VLAN mapping table per port. Then, the system can tag all incoming untagged frames with the appropriate VLAN-ID based on the table entries.
MAC Authentication Bypass
MAC authentication bypass (MAB) enables you to provide MAC-based security by allowing only known MAC addresses within the network using a RADIUS server. 802.1X-enabled clients can authenticate themselves using the 802.1X protocol. Other devices that do not use 802.1X — like IP phones, printers, and IP fax machines — still need connectivity to the network. The guest VLAN provides one way to access the network.
• Attribute 5—NAS-Port: The port number of the interface being authorized, entered as an integer.
• Attribute 30—Called-Station-Id: MAC address of the ingress interface of the authenticator.
• Attribute 31—Calling-Station-Id: MAC address of the 802.1X supplicant.
• Attribute 87—NAS-Port-Id: The name of the interface being authorized, entered as a string.
NOTE: Only attributes 1 and 2 are used for MAB; attributes 30 and 31 are not mandatory in the MAB method.
2.
You can use dynamic CoS with 802.1X when the traffic from a server should be classified based on the application that it is running. A static dot1p priority configuration applied from the switch is not sufficient in this case, as the server application might change. You would instead need to push the CoS configuration to the switches based on the application the server is running. Dynamic CoS uses RADIUS attribute 59, called User-Priority-Table, to specify the priority value for incoming frames.
6 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps.
• Access control lists (ACLs), ingress IP and MAC ACLs, and egress IP and MAC ACLs are supported on the system.
At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the system assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands.
Ingress and egress Hot Lock ACLs allow you to append new rules to, or delete rules from, an existing ACL (already written into CAM) without disrupting traffic flow.
DELL#test cam-usage service-policy input L3 pe-unit 0 stack-unit 0 port-set 0
PE Unit|Stack-unit|Portpipe|CAM Partition|Available CAM|Estimated CAM per Port|Status
------------------------------------------------------------------------------------
   0   |    0     |    0   |    L3QOS    |     488     |          0           |Allowed

User-Configurable CAM Allocation
User-configurable content-addressable memory (CAM) allows you to specify the amount of memory space that you want to allocate for ACLs.
2. Verify the new settings that will be written to CAM on the next reload. The CAM ACL ingress profiles are configured globally on the PE. The show cam-acl-pe command does not display CAM ACL ingress profiles for each PE.
   EXEC and EXEC Privilege mode
   show cam-acl-pe
3. Reload the system.
   EXEC Privilege mode
   reload
The following example displays the current CAM ACL settings for each ingress region and configures the ingress CAM settings.
3. Reload the system.
   EXEC Privilege mode
   reload
The following example displays the current CAM ACL settings for each egress region and configures the egress CAM settings.
Dell# show cam-acl-egress-pe
-- Port extender Egress Cam ACL --
        Current Settings(in block sizes)
        1 block = 256 entries
L2Acl   : 1
Ipv4Acl : 1
Ipv6Acl : 2
Dell(conf)#cam-acl-egress-pe l2acl 2 ipv4acl 2 ipv6acl 0
The following example displays the running configuration for the configured CAM ACLs.
Determine the Order in which ACLs are Used to Classify Traffic
When you link class-maps to queues using the service-queue command, the system matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Optimizing ACL for More Number of IPv4 ACL Rules
To optimize the ACL for a greater number of IPv4 ACL rules, follow these steps:
1. Carve the vlanaclopt CAM region.
   CONFIGURATION mode
   cam-acl-vlan vlanopenflow 0 vlaniscsi 0 vlanaclopt 2
2. Enable the ACL optimized feature.
   CONFIGURATION mode
   feature acloptimized
3. Reload the system.
   EXEC Privilege mode
   reload
After the system reloads, the Dell Networking OS enables the feature.
Example of Denying Second and Subsequent Fragments
Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#

Layer 4 ACL Rules Examples
The following examples show the ACL commands for Layer 4 packet filtering.
Permit an ACL line with L3 information only, and the fragments keyword is present: If a packet's L3 information matches the L3 information in the ACL line, the packet's FO is checked.
Configure a Standard IP ACL
To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell Networking OS Command Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL.
A standard IP ACL uses the source IP address as its match criterion.
1. Enter IP ACCESS LIST mode by naming a standard IP access list.
   CONFIGURATION mode
   ip access-list standard access-list-name
2.
{deny | permit} {source [mask] | any | host ip-address} [count [byte]] [order] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows a standard IP ACL in which the system assigns the sequence numbers.
   CONFIGURATION mode
   ip access-list extended access-list-name
2. Configure an extended IP ACL filter for TCP packets.
   CONFIG-EXT-NACL mode
   seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [fragments]

Configure Filters, UDP Packets
To create a filter for UDP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
   CONFIGURATION mode
   ip access-list extended access-list-name
2.
The following example shows an extended IP ACL in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number). The show config command in IP ACCESS LIST mode displays the two filters with the sequence numbers 5 and 10.
Dell(config-ext-nacl)#deny tcp host 123.55.34.0 any
Dell(config-ext-nacl)#permit udp 154.44.123.34 0.0.255.255 host 34.6.0.
Guidelines for Configuring ACL VLAN Groups
Keep the following points in mind when you configure ACL VLAN groups:
• The VLAN member interfaces, on which the ACL in an ACL VLAN group is applied, function as restricted interfaces.
• The ACL VLAN group name identifies the group of VLANs on which hierarchical filtering is performed.
• You can add only one ACL to an interface at a time.
                  SpecialAccessOnlyExpertsAllowed
  Vlan Members  : 100,200,300
Group Name      : CustomerNumberIdentificationEleven
  Egress IP Acl : AnyEmployeeCustomerElevenGrantedAccess
  Vlan Members  : 2-10,99
Group Name      : HostGroup
  Egress IP Acl : Group5
  Vlan Members  : 1,1000
Dell#

Allocating ACL VLAN CAM
CAM optimization for ACL VLAN groups is not enabled by default. You must allocate blocks of ACL VLAN CAM to enable ACL CAM optimization by using the cam-acl-vlan command.
To view which IP ACL is applied to an interface, use the show config command in INTERFACE mode, or use the show running-config command in EXEC mode.
To filter traffic on Telnet sessions, use only standard ACLs in the access-class command.

Applying Ingress ACLs on the Port Extender
Ingress ACLs are applied to port extender interfaces and to traffic entering the system. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieve the same results.
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigethernet 0/0
 seq 5 permit tcp any any
 seq 10 deny icmp any any
 seq 15 permit 1.1.1.2

Applying Layer 3 Egress ACLs on Control-Plane Traffic
By default, packets originated from the system are not filtered by egress ACLs.
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8.
• To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8.
• To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24.
• To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20.
The following rules apply to prefix lists:
• A prefix list without any permit or deny filters allows all routes.
 seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#
NOTE: The last line in the prefix list Juba contains a "permit all" statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.
To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
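The ge/le bullets and the prefix-list rules above (first match in sequence order, an empty list permits everything, a trailing permit 0.0.0.0/0 le 32 acts as "permit all", implicit deny otherwise) can be checked against a candidate route before the list is applied to a routing protocol. The evaluator below is an added example, not Dell code; its sample lists are constructed in the guide's seq syntax.

```python
"""Evaluate an IPv4 prefix list with the ge/le semantics described in the
guide. Added example, not Dell code; sample lists are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrefixEntry:
    seq: int
    action: str                      # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None
    le: Optional[int] = None
    hits: int = 0                    # like the hit count in show ip prefix-list detail

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # The route must lie inside the configured prefix ...
        if not route.subnet_of(self.prefix):
            return False
        # ... and its length must satisfy ge/le. With neither keyword the
        # lengths must be equal; 'le' alone spans base..le, 'ge' alone
        # spans ge..32, both together span ge..le.
        base = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else base
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else base
        return lo <= route.prefixlen <= hi


def parse_entry(line: str) -> PrefixEntry:
    """Parse one line in the guide's form: 'seq 10 permit 0.0.0.0/0 le 32'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "seq" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"malformed entry: {line!r}")
    seq, action = int(tok[1]), tok[2]
    prefix = ipaddress.IPv4Network(tok[3], strict=False)
    ge = le = None
    for i in range(4, len(tok), 2):
        if tok[i] == "ge":
            ge = int(tok[i + 1])
        elif tok[i] == "le":
            le = int(tok[i + 1])
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    if ge is not None and le is not None and ge > le:
        raise ValueError("ge must not exceed le")
    return PrefixEntry(seq, action, prefix, ge, le)


def evaluate(entries: List[PrefixEntry], route: str) -> str:
    """Return 'permit' or 'deny' for a route and bump the matching hit count."""
    if not entries:
        return "permit"              # an empty prefix list allows all routes
    net = ipaddress.IPv4Network(route, strict=False)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(net):
            entry.hits += 1
            return entry.action
    return "deny"                    # implicit deny at the end of the list


# Constructed list in the style of the guide: drop one /24, permit the rest.
SAMPLE = [parse_entry(l) for l in (
    "seq 7 deny 200.200.2.0/24",
    "seq 10 permit 0.0.0.0/0 le 32",
)]

# The first ge/le bullet applied to every prefix, with a permit-all after it.
ONLY_SLASH_8_DENIED = [parse_entry(l) for l in (
    "seq 5 deny 0.0.0.0/0 ge 8 le 8",
    "seq 10 permit 0.0.0.0/0 le 32",
)]

if __name__ == "__main__":
    for r in ("200.200.2.0/24", "200.200.2.0/25", "10.0.0.0/8"):
        print(r, "->", evaluate(SAMPLE, r), "/", evaluate(ONLY_SLASH_8_DENIED, r))
```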
 seq 7 deny 200.200.2.0/24 (hit count: 0)
 seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
The following example shows the show ip prefix-list summary command.
To view the configuration, use the show config command in ROUTER OSPF mode, or the show running-config ospf command in EXEC mode.
Dell(conf-router_ospf)#show config
!
router ospf 34
 network 10.2.1.1 255.255.255.255 area 0.0.0.1
 distribute-list prefix awe in
Dell(conf-router_ospf)#

ACL Remarks
While defining ACL rules, you can optionally include a remark to make the ACLs more descriptive. You can include a remark with a maximum of 80 characters in length. The remark command is available in each ACL mode.
The remark number is optional. The following is an example of removing a remark.
resequence prefix-list {ipv4 | ipv6} {prefix-list-name StartingSeqNum Step-to-Increment}
The example shows the resequencing of an IPv4 access-list beginning with the number 2 and incrementing by 2. Remarks and rules that originally have the same sequence number have the same sequence number after you apply the resequence command.
The following example shows resequencing ACLs when the remarks and rules have the same number.
Route Maps
Although route maps are similar to ACLs and prefix lists in that they consist of a series of commands that contain a matching criterion and an action, route maps can modify parameters in matching packets. ACLs and prefix lists can only drop or forward the packet or traffic. Route maps process routes for route redistribution. For example, a route map can be called to filter only specific routes and to add a metric. Route maps also have an "implicit deny.
The following example shows viewing a configured route-map.
Dell(config-route-map)#show config
!
route-map dilling permit 10
Dell(config-route-map)#
You can create multiple instances of this route map by using the sequence number option to place the route maps in the correct order. The system processes the route maps with the lowest sequence number first. When a configured route map is applied to a command, such as redistribute, traffic passes through all instances of that route map until a match is found.
Example of the match Command to Match Any of Several Values
Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match tag 2000
Dell(config-route-map)#match tag 3000
In the next example, there is a match only if a route has both of the specified characteristics: a tag value of 1000 and a metric value of 2000.
  CONFIG-ROUTE-MAP mode
  match ip next-hop {access-list-name | prefix-list prefix-list-name}
• Match next-hop routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv4).
  CONFIG-ROUTE-MAP mode
  match ip route-source {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv6).
  set ipv6 next-hop ip-address
• Assign an ORIGIN attribute.
  CONFIG-ROUTE-MAP mode
  set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes.
  CONFIG-ROUTE-MAP mode
  set tag tag-value
• Specify a value as the route's weight.
  CONFIG-ROUTE-MAP mode
  set weight value
To create route map instances, use these commands. There is no limit to the number of set commands per route map, but the convention is to keep the number of set filters in a route map low.
Continue Clause
Normally, when a match is found, set clauses are executed, and the packet is then forwarded; no more route-map modules are processed. If you configure the continue command at the end of a module, the next module (or a specified module) is processed even after a match is found.
The following example shows a continue clause at the end of a route-map module. In this example, if a match is found in the route-map "test" module 10, module 30 is processed.
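The route-map behaviour described in this section and the preceding ones (lowest sequence number first, several match tag values OR-ed within a module, different match types AND-ed, set clauses applied on a permit match, the implicit deny, and continue handing the route on to module 30 from module 10) is easy to get wrong when reading a configuration, so the simulator below walks a route through a map and reports which modules it hit. It is an added example, not Dell code; only match tag / match metric and a few set clauses are modelled, and the "force" and "test" maps are constructed after the guide's examples with set clauses added for illustration.

```python
"""Simulate route-map evaluation: ordering, OR/AND matching, implicit deny
and the continue clause. Added example, not Dell code; maps are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Route = Dict[str, int]   # e.g. {"tag": 1000, "metric": 20}


@dataclass
class Instance:
    seq: int
    action: str = "permit"                                  # permit | deny
    match: Dict[str, List[int]] = field(default_factory=dict)  # type -> any of these values
    sets: Dict[str, int] = field(default_factory=dict)      # attribute -> new value
    cont: Optional[int] = None   # None: stop after match; 0: next module; N: module N

    def matches(self, route: Route) -> bool:
        # No match clauses at all matches every route. Repeated 'match tag'
        # values are OR-ed (any value suffices); distinct match types are AND-ed.
        return all(route.get(kind) in values for kind, values in self.match.items())


def run_route_map(instances: List[Instance], route: Route) -> Tuple[str, Route, List[int]]:
    """Return (decision, modified_route, trail); trail is the sequence numbers
    whose match clauses were satisfied, in evaluation order."""
    route = dict(route)
    ordered = sorted(instances, key=lambda i: i.seq)   # lowest sequence first
    trail: List[int] = []
    permitted = False
    idx = 0
    while idx < len(ordered):
        inst = ordered[idx]
        if not inst.matches(route):
            idx += 1
            continue
        trail.append(inst.seq)
        if inst.action == "deny":
            return "deny", route, trail
        route.update(inst.sets)                 # set clauses run on a permit match
        permitted = True
        if inst.cont is None:
            return "permit", route, trail       # normal case: stop here
        if inst.cont == 0:
            idx += 1                            # plain 'continue': next module
        else:
            targets = [k for k, i in enumerate(ordered) if i.seq == inst.cont]
            if not targets:
                raise ValueError(f"continue {inst.cont}: no such module")
            idx = targets[0]                    # 'continue N': jump to module N
    # Ran off the end: permitted only if a permit module matched, else implicit deny.
    return ("permit" if permitted else "deny"), route, trail


# The guide's "force" map: any of tag 1000, 2000 or 3000 matches module 10.
FORCE = [Instance(10, match={"tag": [1000, 2000, 3000]})]

# The guide's AND example: tag 1000 AND metric 2000.
BOTH = [Instance(10, match={"tag": [1000], "metric": [2000]})]

# The guide's "test" map with a continue at the end of module 10: a route that
# matches module 10 is also run through module 30. Set clauses are constructed.
TEST = [
    Instance(10, match={"tag": [1000]}, sets={"metric": 50}, cont=30),
    Instance(20, match={"tag": [2000]}, sets={"metric": 60}),
    Instance(30, match={"metric": [50]}, sets={"weight": 200}),
]

if __name__ == "__main__":
    print(run_route_map(TEST, {"tag": 1000, "metric": 10}))
```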
key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2
Dell(conf-udf-tcam)#
7. Configure the match criteria for the packet type in which UDF offset bytes are parsed.
   CONFIGURATION-UDF TCAM mode
   match l2ethertype ipv4 ipprotocol value vlantag tagStatus
   Dell(conf-udf-tcam)#match l2ethertype ipv4 ipprotocol 4 vlantag any
8. View the UDF TCAM configuration.
7 Bidirectional Forwarding Detection (BFD)
BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used.
BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 10. BFD in IPv4 Packet Format
Field             Description
Diagnostic Code   The reason that the last session failed.
State             The current local session state. Refer to BFD Sessions.
Flag              A bit that indicates packet function.
Field                     Description
Your Discriminator        A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval   The minimum rate at which the local system would like to send control packets to the remote system.
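The fields tabulated above occupy the 24-byte mandatory section of a BFD control packet as laid out in RFC 5880, which is what a capture of the UDP payload shows. The decoder below is an added example, not Dell code: it parses that section, applies the receive-side validity checks from RFC 5880 (which is why a zero Your Discriminator is accepted only in the Down and AdminDown states), and computes the asynchronous-mode detection time the section on session failure refers to. The packet bytes are constructed, using the 200 ms / 200 ms / multiplier 3 parameters shown in this chapter's show bfd neighbors detail output.

```python
"""Decode and validate a BFD control packet (RFC 5880 mandatory section).
Added example, not Dell code; the sample packet is constructed."""
import struct
from dataclasses import dataclass

BFD_HDR = struct.Struct("!BBBBIIIII")        # 24 bytes, network byte order
STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
DIAGS = {
    0: "No Diagnostic", 1: "Control Detection Time Expired",
    2: "Echo Function Failed", 3: "Neighbor Signaled Session Down",
    4: "Forwarding Plane Reset", 5: "Path Down", 6: "Concatenated Path Down",
    7: "Administratively Down", 8: "Reverse Concatenated Path Down",
}


@dataclass
class BfdControl:
    version: int
    diag: int                  # the guide's "Diagnostic Code"
    state: int                 # the guide's "State"
    poll: bool                 # P, F, C, A, D, M flag bits
    final: bool
    control_plane_independent: bool
    auth_present: bool
    demand: bool
    multipoint: bool
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int             # the guide's "Your Discriminator"
    desired_min_tx_us: int     # the guide's "Desired Min TX Interval", microseconds
    required_min_rx_us: int
    required_min_echo_rx_us: int

    @property
    def state_name(self) -> str:
        return STATES.get(self.state, "?")

    @property
    def diag_name(self) -> str:
        return DIAGS.get(self.diag, f"Reserved({self.diag})")


def parse_bfd(payload: bytes) -> BfdControl:
    """Decode a UDP payload and apply the RFC 5880 section 6.8.6 receive
    checks; a packet failing any of them would be discarded, so raise."""
    if len(payload) < BFD_HDR.size:
        raise ValueError("payload shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = BFD_HDR.unpack_from(payload)
    pkt = BfdControl(
        version=b0 >> 5, diag=b0 & 0x1F, state=b1 >> 6,
        poll=bool(b1 & 0x20), final=bool(b1 & 0x10),
        control_plane_independent=bool(b1 & 0x08), auth_present=bool(b1 & 0x04),
        demand=bool(b1 & 0x02), multipoint=bool(b1 & 0x01),
        detect_mult=mult, length=length, my_disc=my_d, your_disc=your_d,
        desired_min_tx_us=tx, required_min_rx_us=rx, required_min_echo_rx_us=echo,
    )
    if pkt.version != 1:
        raise ValueError(f"unsupported BFD version {pkt.version}")
    if length < (26 if pkt.auth_present else 24) or length > len(payload):
        raise ValueError(f"bad Length field {length}")
    if mult == 0:
        raise ValueError("Detect Mult must be nonzero")
    if pkt.multipoint:
        raise ValueError("Multipoint bit must be zero")
    if my_d == 0:
        raise ValueError("My Discriminator must be nonzero")
    # Your Discriminator may be zero only before the sender has learned our
    # discriminator, which is only legitimate in Down or AdminDown.
    if your_d == 0 and pkt.state not in (0, 1):
        raise ValueError(f"Your Discriminator is zero in state {pkt.state_name}")
    return pkt


def detection_time_us(remote: BfdControl, local_required_min_rx_us: int) -> int:
    """Asynchronous-mode detection time (RFC 5880 6.8.4): remote Detect Mult
    times the slower of the remote's Desired Min TX and our Required Min RX.
    No control packet for this long declares the session down."""
    return remote.detect_mult * max(remote.desired_min_tx_us, local_required_min_rx_us)


def build_bfd(state, my_disc, your_disc, tx_us, rx_us, mult=3, diag=0, flags=0) -> bytes:
    """Constructed packet builder for tests and experiments (version 1, no auth)."""
    return BFD_HDR.pack((1 << 5) | diag, (state << 6) | flags, mult, BFD_HDR.size,
                        my_disc, your_disc, tx_us, rx_us, 0)


# Constructed sample: neighbor in Up state announcing TX 200 ms, RX 200 ms, x3.
SAMPLE_UP = build_bfd(state=3, my_disc=1, your_disc=1, tx_us=200_000, rx_us=200_000)

if __name__ == "__main__":
    p = parse_bfd(SAMPLE_UP)
    print(p.state_name, p.diag_name, detection_time_us(p, 200_000), "us")
```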
The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.

BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes
The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init.
Figure 12.
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only.
BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
Uptime: 00:09:06
Statistics:
 Number of packets received from neighbor: 4092
 Number of packets sent to neighbor: 4093
 Number of state changes: 1
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 7

Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes
Sessions are established for all neighbors that are the next hop of a static route.
Figure 13. Establishing Sessions for Static Routes
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
  CONFIGURATION mode
  ip route bfd
To verify that sessions have been created for static routes, use the show bfd neighbors command.
R1(conf)#ip route 2.2.3.0/24 2.2.2.
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF.
The following example shows that sessions are created for static routes for the nondefault VRFs.

Establishing Static Route Sessions on Specific Neighbors
You can selectively enable BFD sessions on specific neighbors based on a destination prefix-list.
Disabling BFD for Static Routes
If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state.
To disable BFD for static routes, use the following command.
• Disable BFD for static routes.
  CONFIGURATION mode
  no ip route bfd

Configure BFD for IPv6 Static Routes
BFD offers systems a link state detection mechanism for static routes.
Changing IPv6 Static Route Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all static routes. If you change a parameter, the change affects all sessions for static routes.
To change parameters for static route sessions, use the following command.
• Change parameters for all static route sessions.
To view session parameters, use the show bfd neighbors detail command.

Establishing Sessions with OSPF Neighbors
BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 14. Establishing Sessions with OSPF Neighbors
To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
Ad Dn - Admin Down
C     - CLI
I     - ISIS
O     - OSPF
R     - Static Route (RTM)
LocalAddr   RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2   2.2.2.1     Te 2/1     Up     200     200     3     O
* 2.2.3.1   2.2.3.2     Te 2/2     Up     200     200     3     O

Establishing Sessions with OSPF Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, follow this procedure:
• Enable BFD globally.
  CONFIGURATION mode
  bfd enable
• Establish sessions with all OSPF neighbors in a specific VRF.
M  - MPLS
V  - VRRP
VT - Vxlan Tunnel
LocalAddr   RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  VRF  Clients
* 5.1.1.1   5.1.1.2     Po 30      Up     200     200     3     255  O
* 6.1.1.1   6.1.1.2     Vl 30      Up     200
Dell# show bfd neighbors detail
Session Discriminator: 1
Neighbor Discriminator: 1
Local Addr: 10.1.3.2
Local MAC Addr: 00:01:e8:02:15:0e
Remote Addr: 10.1.3.
State: Up
Configured parameters:
 TX: 200ms, RX: 200ms, Multiplier: 3
Neighbor parameters:
 TX: 200ms, RX: 200ms, Multiplier: 3
Actual parameters:
 TX: 200ms, RX: 200ms, Multiplier: 3
Role: Active
Delete session on Down: True
VRF: VRF_blue
Client Registered: OSPF
Uptime: 00:00:15
Statistics:
 Number of packets received from neighbor: 78
 Number of packets sent to neighbor: 78
 Number of state changes: 1
 Number of messages from IFA about port state change: 0
 Number of messages communicated b/w Manager and Agent: 4
• Change parameters for OSPFv3 sessions on a single interface.
  INTERFACE mode
  ipv6 ospf bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]

Establishing BFD Sessions with OSPFv3 Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, use the following procedure:
• Enable BFD globally.
  CONFIGURATION mode
  bfd enable
• Establish sessions with all OSPFv3 neighbors in a specific VRF.
* fe80::2a0:c9ff:fe00:2  fe80::3617:98ff:fe34:12  Vl 100  Up  150  150  3  511  O3
* fe80::2a0:c9ff:fe00:2  fe80::3617:98ff:fe34:12  Vl 101  Up  150  150  3  511  O3
* fe80::2a0:c9ff:fe00:2  fe80::3617:98ff:fe34:12  Vl 102  Up  150  150  3  511  O3
* fe80::2a0:c9ff:fe00:2  fe80::3617:98ff:fe34:12  Vl 103  Up  150  150  3  511  O3
Dell#

Disabling BFD for OSPFv3
If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface.
Figure 15. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Changing IS-IS Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or for all IS-IS sessions out of an interface. If you change a parameter globally, the change affects all IS-IS neighbor sessions.
Figure 16. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group-name} no shutdown
5. Configure parameters for a BFD session established with all neighbors discovered by BGP.
   OR
   Establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters.
   bfd all-neighbors

DellEMC(conf)#router bgp 1
DellEMC(conf-router_bgp)#address-family ipv4 vrf vrf1
DellEMC(conf-router_bgp_af)#neighbor 10.1.1.2 remote-as 2
DellEMC(conf-router_bgp_af)#neighbor 10.1.1.
   show ip bgp neighbors [ip-address]
The following example shows verifying a BGP configuration.
R2# show running-config bgp
!
router bgp 2
 neighbor 1.1.1.2 remote-as 1
 neighbor 1.1.1.2 no shutdown
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 no shutdown
 neighbor 3.3.3.2 remote-as 1
 neighbor 3.3.3.2 no shutdown
 bfd all-neighbors
The following example shows viewing all BFD neighbors.
The following example shows viewing BFD neighbors with full detail.
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Neighbor is using BGP global mode BFD configuration
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
Prefixes accepted 0 (consume 0 bytes), withdrawn 0 by peer, martian prefixes ignored 0
Prefixes advertised 0, denied 0, withdrawn 0 from peer
Connections established 1; dropped 0
Last reset never
Local host: 2.2.2.3, Local port: 63805
Foreign host: 2.2.2.2, Foreign port: 179
E1200i_ExaScale#
R2# show ip bgp neighbors 2.2.2.3
BGP neighbor is 2.
Establishing Sessions with All VRRP Neighbors
BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor.
Figure 17. Establishing Sessions with All VRRP Neighbors
To establish sessions with all VRRP neighbors, use the following command.
• Establish sessions with all VRRP neighbors.
LocalAddr   RemoteAddr   Interface   State   Rx-int   Tx-int   Mult   Clients
* 2.2.5.1   2.2.5.2      Te 4/25     Down    1000     1000     3      V
To view session state information, use the show vrrp command. The following example shows viewing VRRP session state information. The bold line shows the VRRP BFD session.
R1(conf-if-te-4/25)#do show vrrp
-----------------
TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1
State: Backup, Priority: 1, Master: 2.2.5.
Configuring Protocol Liveness
Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state.
To enable protocol liveness, use the following command.
• Enable Protocol Liveness.
8 Border Gateway Protocol IPv4 (BGPv4)
This chapter provides a general description of BGPv4 as it is supported in the Dell Networking OS. BGP protocol standards are listed in the Standards Compliance chapter.
BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of BGP is to exchange network reachability information with other BGP systems.
Figure 18. Interior BGP
BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 19. BGP Routers in Full Mesh
The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible.
Sessions and Peers
When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session
Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State      Description
Connect    In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active     The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent   After successful OpenSent transition, the router sends an Open message and waits for one in return.
1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D.
2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
3.
Figure 21. BGP Best Path Selection
Best Path Selection Details
1. Prefer the path with the largest WEIGHT attribute.
2. Prefer the path with the largest LOCAL_PREF attribute.
3. Prefer the path that was locally originated via a network command, redistribute command, or aggregate-address command.
   a. Routes originated via a network or redistribute command are preferred over routes originated with the aggregate-address command.
4.
    a. If the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
    b. If the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed here.
11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path).
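As an added worked example (not code from the Dell guide), the comparator below applies the selection order listed above to candidate paths for one prefix. Steps 1, 2, 3/3a, 10 and 11 are taken from the list; the intermediate tie-breakers (shortest AS_PATH, lowest ORIGIN, MED compared only between paths from the same neighboring AS, eBGP over iBGP, lowest IGP metric) are the standard BGP steps assumed here because the page's list is cut off after step 4. The Path fields, the SAMPLE_PATHS data and the rule labels are the example's own.

```python
from dataclasses import dataclass
from functools import reduce
from typing import Optional, Tuple

# How a path entered the table (step 3 and 3a): network/redistribute beat
# aggregate-address, which beats a path learned from a peer.
ORIGIN_CMD_RANK = {"network": 0, "redistribute": 0, "aggregate-address": 1, None: 2}
# ORIGIN attribute (assumed step): IGP (i) < EGP (e) < incomplete (?), lower wins.
ORIGIN_ATTR_RANK = {"i": 0, "e": 1, "?": 2}


@dataclass
class Path:
    next_hop: str
    router_id: str                      # router ID of the peer the path came from
    as_path: Tuple[int, ...] = ()
    weight: int = 0
    local_pref: int = 100
    origin_cmd: Optional[str] = None    # "network" | "redistribute" | "aggregate-address" | None
    origin: str = "i"
    med: int = 0
    external: bool = True               # learned over eBGP (False = iBGP)
    igp_metric: int = 0                 # IGP cost to next_hop
    received_order: int = 0             # smaller = received earlier


def _ip_key(ip: str):
    return tuple(int(octet) for octet in ip.split("."))


def compare(a: Path, b: Path):
    """Return (winner, rule) for two candidate paths to the same prefix."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "1 highest WEIGHT"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "2 highest LOCAL_PREF"
    ra, rb = ORIGIN_CMD_RANK[a.origin_cmd], ORIGIN_CMD_RANK[b.origin_cmd]
    if ra != rb:
        return (a if ra < rb else b), "3 locally originated"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "4 shortest AS_PATH (assumed)"
    oa, ob = ORIGIN_ATTR_RANK[a.origin], ORIGIN_ATTR_RANK[b.origin]
    if oa != ob:
        return (a if oa < ob else b), "5 lowest ORIGIN (assumed)"
    # MED is compared only between paths from the same neighboring AS, matching
    # the page's default where bgp always-compare-med is not enabled.
    if a.as_path and b.as_path and a.as_path[0] == b.as_path[0] and a.med != b.med:
        return (a if a.med < b.med else b), "6 lowest MED, same neighbor AS (assumed)"
    if a.external != b.external:
        return (a if a.external else b), "7 eBGP over iBGP (assumed)"
    if a.igp_metric != b.igp_metric:
        return (a if a.igp_metric < b.igp_metric else b), "8 lowest IGP metric (assumed)"
    # Step 10: different router IDs, keep the path that was received first.
    if a.router_id != b.router_id and a.received_order != b.received_order:
        return (a if a.received_order < b.received_order else b), "10 first received"
    # Step 11: lowest router ID.
    if a.router_id != b.router_id:
        return (a if _ip_key(a.router_id) < _ip_key(b.router_id) else b), "11 lowest router ID"
    return a, "tie"


def best_path(paths):
    """Reduce the candidates pairwise and return the winning Path."""
    return reduce(lambda best, cand: compare(best, cand)[0], paths)


# Constructed candidates for one prefix (not from the page).
SAMPLE_PATHS = [
    Path("10.0.0.1", "1.1.1.1", as_path=(65001, 65002), received_order=0),
    Path("10.0.0.2", "2.2.2.2", as_path=(65003, 65004, 65005), local_pref=200, received_order=1),
    Path("10.0.0.3", "3.3.3.3", as_path=(65003, 65006), local_pref=200, received_order=2),
]

if __name__ == "__main__":
    winner = best_path(SAMPLE_PATHS)
    print("best next hop:", winner.next_hop)
    for cand in SAMPLE_PATHS:
        if cand is not winner:
            print("vs", cand.next_hop, "decided by", compare(winner, cand)[1])
```

The returned rule label tells you which step decided each comparison, which is what you need when a route is being preferred for an unexpected reason: a received update carrying a high LOCAL_PREF or a short AS_PATH wins at step 2 or 4 before MED or router ID are ever looked at, so inbound policy has to set those attributes deliberately rather than trusting what the peer sends.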
Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied.
*> 7.0.0.0/30   10.114.8.33   0    0   18508 ?
*> 9.2.0.0/16   10.114.8.33   10   0   18508 701 i
AS Path
The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to an eBGP neighbor. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP The following sections describe how BGP is implemented on the switch. Additional Path (Add-Path) Support The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix. If the best path becomes unavailable, the BGP speaker withdraws its path from its local RIB and recalculates a new best path.
Where the 2-Byte format is 1-65535, the 4-Byte format is 1-4294967295. Enter AS numbers using the traditional format. If the ASN is greater than 65535, the dot format is shown when using the show ip bgp commands. For example, an ASN entered as 3183856184 appears in the show commands as 48581.51768; an ASN of 65123 is shown as 65123. To calculate the comparable dot format for an ASN from a traditional format, use ASN/65536 . ASN%65536.
Traditional Format   DOT Format
65001                0.65501
65536                1.0
100000               1.
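The ASN/65536 . ASN%65536 rule above, as an added example that is not code from the guide. asplain_to_asdot follows the page's stated behaviour (dotted form only for ASNs above 65535); the plus=True variant, which dots every ASN as the bgp asnotation asdot+ command is assumed to do, is this example's assumption and not something the table states.

```python
AS_MAX = 4294967295  # largest 4-byte ASN


def asplain_to_asdot(asn, plus=False):
    """Render an ASN the way the show commands do.

    plus=False: the page's rule, dotted form only when ASN > 65535.
    plus=True: every ASN dotted (assumed behaviour of bgp asnotation asdot+).
    """
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    if asn <= 65535 and not plus:
        return str(asn)
    return f"{asn // 65536}.{asn % 65536}"


def asdot_to_asplain(text):
    """Parse either notation back to the integer ASN."""
    if "." in text:
        high, low = text.split(".", 1)
        high, low = int(high), int(low)
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"dotted ASN part out of range: {text}")
        return high * 65536 + low
    asn = int(text)
    if not 0 <= asn <= AS_MAX:
        raise ValueError(f"ASN out of range: {text}")
    return asn


def is_four_byte(asn):
    """True when the ASN needs 4-byte AS support (bgp four-octet-as-support)."""
    return asn > 65535


def conversion_table(asns, plus=False):
    """(asn, rendered, needs_4byte) rows, for checking against the table above."""
    return [(a, asplain_to_asdot(a, plus), is_four_byte(a)) for a in asns]


if __name__ == "__main__":
    for row in conversion_table([65123, 65536, 100000, 3183856184]):
        print(row)
```

Keeping both directions in one place matters when you grep logs or compare configurations from devices that use different notations: 48581.51768 and 3183856184 are the same AS, and a filter written for one form silently misses the other.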
Dell(conf-router_bgp)#bgp asnotation asdot+
Dell(conf-router_bgp)#show conf
!
router bgp 100
 bgp asnotation asdot+
 bgp four-octet-as-support
 neighbor 172.30.1.250 local-as 65057
Figure 24. Before and After AS Number Migration with Local-AS Enabled
When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
Important Points to Remember
• Because eBGP packets are not controlled by the ACL, packets from BGP neighbors cannot be blocked using the deny ip command.
• The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASN in each segment starting from 0.
• auto-summarization (the default is no auto-summary)
• synchronization (the default is no synchronization)
BGP Configuration
To enable the BGP process and begin exchanging information, assign an AS number and use commands in ROUTER BGP mode to configure a BGP neighbor.
By default, BGP is disabled. By default, the system compares the MED attribute on different paths from within the same AS (the bgp always-compare-med command is not enabled).
   CONFIGURATION mode
   router bgp as-number
   • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
   NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
   a) Enable 4-Byte support for the BGP process.
   NOTE: This command is OPTIONAL. Enable it if you want to use 4-Byte AS numbers or if you support AS4 number representation.
192.168.12.2   65123   0   0   0   0   0   never   Active
R2#
R2#show ip bgp summary
BGP router identifier 192.168.10.2, local AS number 48735.
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
0 accepted prefixes consume 0 bytes
Prefix advertised 0, rejected 0, withdrawn 0
Connections established 0; dropped 0
Last reset never
No active TCP connection
Dell#
The following example shows verifying the BGP configuration.
R2#show running-config bgp
!
router bgp 65123
 bgp router-id 192.168.10.2
 network 10.10.21.0/24
 network 10.10.32.0/24
 network 100.10.92.0/24
 network 192.168.10.0/24
 bgp four-octet-as-support
 neighbor 10.10.21.
   CONFIG-ROUTER-BGP mode
   bgp asnotation asdot+
The following example shows the bgp asnotation asplain command.
Dell(conf-router_bgp)#bgp asnotation asplain
Dell(conf-router_bgp)#sho conf
!
router bgp 100
 bgp four-octet-as-support
 neighbor 172.30.1.250 remote-as 18508
 neighbor 172.30.1.250 local-as 65057
 neighbor 172.30.1.250 route-map rmap1 in
 neighbor 172.30.1.250 password 7 5ab3eb9a15ed02ff4f0dfd4500d6017873cfd9a267c04957
 neighbor 172.30.1.
By default, all peer groups are disabled.
3. Create a BGP neighbor.
   CONFIG-ROUTERBGP mode
   neighbor ip-address remote-as as-number
4. Enable the neighbor.
   CONFIG-ROUTERBGP mode
   neighbor ip-address no shutdown
5. Add an enabled neighbor to the peer group.
   CONFIG-ROUTERBGP mode
   neighbor ip-address peer-group peer-group-name
6. Add a neighbor as a remote AS.
   CONFIG-ROUTERBGP mode
   neighbor {ip-address | peer-group name} remote-as as-number
   Formats:
   • IP Address: A.B.C.D
   • Peer-Group Name: 16 characters.
To enable a peer group, use the neighbor peer-group-name no shutdown command in CONFIGURATION ROUTER BGP mode (shown in bold).
Dell(conf-router_bgp)#neighbor zanzibar no shutdown
Dell(conf-router_bgp)#show config
!
router bgp 45
 bgp fast-external-fallover
 bgp log-neighbor-changes
 neighbor zanzibar peer-group
 neighbor zanzibar no shutdown
 neighbor 10.1.1.1 remote-as 65535
 neighbor 10.1.1.1 shutdown
 neighbor 10.14.8.60 remote-as 18505
 neighbor 10.14.8.
When you enable fail-over, BGP tracks IP reachability to the peer remote address and the peer local address. Whenever either address becomes unreachable (for example, no active route exists in the routing table for peer IPv6 destinations/local address), BGP brings down the session with the peer. The BGP fast fail-over feature is configured on a per-neighbor or peer-group basis and is disabled by default. To enable the BGP fast fail-over feature, use the following command.
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP neighbor is test
Number of peers in this group 1
Peer-group members (* - outbound optimized):
100.100.100.100*
Dell#
router bgp 65517
 neighbor test peer-group
 neighbor test fail-over
 neighbor test no shutdown
 neighbor 100.100.100.100 remote-as 65517
 neighbor 100.100.100.100 fail-over
 neighbor 100.100.100.100 update-source Loopback 0
 neighbor 100.100.100.
Dell#
• Peer Group Name: 16 characters.
• AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format).
• No Prepend: specifies that local AS values are not prepended to announcements from the neighbor.
Format: IP Address: A.B.C.D.
You must configure peer groups before assigning them to an AS. This feature is not supported on passive peer groups.
The first line in bold shows the actual AS number.
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.2 allowas-in 9
 neighbor 192.168.12.2 update-source Loopback 0
 neighbor 192.168.12.
0x59cd3b4 0x7128114 0x536a914 0x2ffe884 0x2ff7284 0x2ff7ec4 0x2ff8544 0x736c144 0x3b8d224 0x5eb1e44 0x5cd891c --More-- 0 0 0 0 0 0 0 0 0 0 0 2 10 3 1 99 4 3 1 10 1 9 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 18508 209 209 209 701 701 209 701 701 209 701 209 7018 15227 i 3356 13845 i 701 6347 7781 i 3561 9116 21350 i 1239 577 855 ? 3561 4755 17426 i 5743 2648 i 209 568 721 1494 i 701 2019 i 8584 16158 i 6453 4759 i
Regular Expressions as Filters
Regular expressions are used to filter
Dell(conf-router_bgp)#neigh 10.155.15.2 filter-list 1 in
Dell(conf-router_bgp)#ex
Dell(conf)#ip as-path access-list Eagle
Dell(config-as-path)#deny 32$
Dell(config-as-path)#ex
Dell(conf)#router bgp 99
Dell(conf-router_bgp)#neighbor AAA filter-list Eagle in
Dell(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA filter-list Eagle in
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 filter-list 1 in
 neighbor 10.155.15.
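The deny 32$ entry in the Eagle list above is worth checking with a small evaluator, because an unanchored regular expression also matches a suffix of a larger AS number. The following added example (not code from the Dell guide) models an AS-path access list with first-match semantics, an assumed implicit deny at the end, and the conventional "_" boundary token translated into Python regular-expression syntax; the SAMPLE_UPDATES data and the EAGLE_* names are constructed for the example.

```python
import re


def translate(expr):
    """Compile an AS-path regular expression.

    The "_" token is assumed to mean an AS boundary (start or end of the path,
    or the space between two AS numbers); everything else is passed through.
    """
    return re.compile(expr.replace("_", r"(?:^| |$)"))


class AsPathAccessList:
    """Ordered deny/permit entries; the first matching entry decides.

    A path that matches no entry is denied (implicit deny assumed here).
    """

    def __init__(self, name):
        self.name = name
        self.entries = []

    def deny(self, expr):
        self.entries.append(("deny", translate(expr)))
        return self

    def permit(self, expr):
        self.entries.append(("permit", translate(expr)))
        return self

    def evaluate(self, as_path):
        text = " ".join(str(asn) for asn in as_path)
        for action, rx in self.entries:
            if rx.search(text):
                return action
        return "deny"


def filter_updates(acl, updates):
    """Apply the list inbound to (prefix, as_path) tuples; return the accepted ones."""
    return [(prefix, path) for prefix, path in updates if acl.evaluate(path) == "permit"]


# Constructed sample updates (not from the page).
SAMPLE_UPDATES = [
    ("10.1.0.0/16", (65001, 32)),     # originated by AS 32: the policy wants this denied
    ("10.2.0.0/16", (65001, 132)),    # originated by AS 132: should pass
    ("10.3.0.0/16", (32, 65001)),     # AS 32 only in transit: should pass
]

# The list as typed on the page, with a permit-all fallback added for the example.
EAGLE_AS_TYPED = AsPathAccessList("Eagle").deny("32$").permit(".*")
# Anchored form: "_32$" matches only when 32 is the last AS, not a suffix of 132.
EAGLE_ANCHORED = AsPathAccessList("Eagle").deny("_32$").permit(".*")

if __name__ == "__main__":
    for acl in (EAGLE_AS_TYPED, EAGLE_ANCHORED):
        print([p for p, _ in filter_updates(acl, SAMPLE_UPDATES)])
```

Run against the constructed updates, the list as typed drops 10.2.0.0/16 (originated by AS 132) along with the intended AS 32 prefix, while the anchored _32$ form drops only the AS 32 origin. Checking a filter list this way before applying it to a neighbor avoids silently discarding routes the policy was never meant to block.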
1. Allow the advertisement of multiple paths for the same address prefix without the new paths replacing any previous ones.
   CONFIG-ROUTER-BGP mode
   bgp add-path {send | both} path-count count
   bgp add-path receive
   The range is from 2 to 64.
2. Allow the specified neighbor/peer group to send/receive multiple path advertisements.
 deny 14551:112
 deny 701:667
 deny 702:667
 deny 703:667
 deny 704:666
 deny 705:666
 deny 14551:666
Dell#
Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1. Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
   CONFIGURATION mode
   ip extcommunity-list extcommunity-list-name
2. Two types of extended communities are supported.
   CONFIG-ROUTE-MAP mode
   match {community community-list-name [exact] | extcommunity extcommunity-list-name [exact]}
3. Return to CONFIGURATION mode.
   CONFIG-ROUTE-MAP mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
   AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format)
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
   router bgp as-number
5. Apply the route map to the neighbor or peer group’s incoming or outgoing routes.
   CONFIG-ROUTER-BGP mode
   neighbor {ip-address | peer-group-name} route-map map-name {in | out}
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
   bgp default local-preference value
   • value: the range is from 0 to 4294967295. The default is 100.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
A more flexible method for manipulating the LOCAL_PREF attribute value is to use a route map.
1. Enter the ROUTE-MAP mode and assign a name to a route map.
   CONFIGURATION mode
   route-map map-name [permit | deny] [sequence-number]
2.
   neighbor {ip-address | peer-group-name} weight weight
   • weight: the range is from 0 to 65535. The default is 0.
• Set the weight for the route.
   CONFIG-ROUTE-MAP mode
   set weight weight
   • weight: the range is from 0 to 65535.
To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Enabling Multipath
By default, the system supports one path to a destination.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
   CONFIG-PREFIX LIST mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5. Filter routes based on the criteria in the configured prefix list.
Filtering BGP Routes Using AS-PATH Information
To filter routes based on AS-PATH information, use these commands.
1. Create an AS-PATH ACL and assign it a name.
   CONFIGURATION mode
   ip as-path access-list as-path-name
2. Create an AS-PATH ACL filter with a deny or permit action.
   AS-PATH ACL mode
   {deny | permit} as-regular-expression
3. Return to CONFIGURATION mode.
   AS-PATH ACL mode
   exit
4. Enter ROUTER BGP mode.
   CONFIGURATION mode
   router bgp as-number
5.
Aggregating Routes
The system provides multiple ways to aggregate routes in the BGP routing table. At least one specific route of the aggregate must be in the routing table for the configured aggregate to become active.
To aggregate routes, use the following command. AS_SET includes AS_PATH and community information from the routes included in the aggregated route.
• Assign the IP address and mask of the prefix to be aggregated.
The constant router reaction to the WITHDRAWN and UPDATE notices causes instability in the BGP process. To minimize this instability, you may configure penalties (a numeric value) for routes that flap. When the penalty value reaches a configured limit, the route is not advertised, even if the route is up. The system uses a penalty value of 1024. As time passes and the route does not flap, the penalty value decrements or is decayed. However, if the route flaps again, it is assigned another penalty.
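The penalty mechanism described above, as an added simulation that is not code from the guide. The 1024 per-flap penalty is the page's value; the half-life (15 minutes), reuse limit (750), suppress limit (2000) and maximum suppress time (60 minutes) are assumed defaults chosen for the example, and the class and method names are its own.

```python
import math


class DampenedRoute:
    """Penalty-based flap dampening for one prefix; time is in minutes.

    Each flap adds FLAP_PENALTY (1024, as stated above) and the penalty decays
    exponentially with the configured half-life. The reuse/suppress limits and
    the half-life and max-suppress times are assumed defaults for this example.
    """
    FLAP_PENALTY = 1024

    def __init__(self, half_life=15.0, reuse=750, suppress=2000, max_suppress=60.0):
        self.half_life = half_life
        self.reuse = reuse
        self.suppress = suppress
        # Cap the penalty so a route is never suppressed longer than max_suppress.
        self.ceiling = reuse * 2 ** (max_suppress / half_life)
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, now):
        elapsed = max(0.0, now - self.last_update)
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = max(self.last_update, now)

    def flap(self, now):
        """Record a withdraw/re-advertise event; return True if the route is now suppressed."""
        self._decay_to(now)
        self.penalty = min(self.penalty + self.FLAP_PENALTY, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def advertisable(self, now):
        """True if the route may be advertised at time `now`."""
        self._decay_to(now)
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False
        return not self.suppressed

    def minutes_to_reuse(self, now):
        """Minutes from `now` until the penalty decays below the reuse limit."""
        self._decay_to(now)
        if self.penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


if __name__ == "__main__":
    route = DampenedRoute()
    print("after 1 flap, suppressed:", route.flap(0))
    print("after 2 flaps, suppressed:", route.flap(0))
    print("minutes until reuse:", round(route.minutes_to_reuse(0), 1))
    print("advertisable at 20 min:", route.advertisable(20))
    print("advertisable at 25 min:", route.advertisable(25))
```

Two flaps in quick succession push the penalty past the suppress limit, and the route stays withheld until exponential decay brings it under the reuse limit (about 22 minutes with these values). The ceiling derived from the maximum suppress time bounds how long dampening itself can keep a legitimate route out of the table, which matters when the flapping link sits on a path you depend on.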
  recent). Furthermore, in non-deterministic mode, the software may not compare MED attributes though the paths are from the same AS.
• Change the best path selection method to non-deterministic.
  CONFIG-ROUTER-BGP mode
  bgp non-deterministic-med
NOTE: When you change the best path selection method, path selection for existing paths remains unchanged until you reset it by entering the clear ip bgp command in EXEC Privilege mode.
  • keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
  • holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
• Configure timer values for all neighbors.
  CONFIG-ROUTER-BGP mode
  timers bgp keepalive holdtime
  • keepalive: the range is from 1 to 65535.
If you specify a BGP peer group by using the peer-group-name argument, all members of the peer group inherit the characteristic configured with this command.
• Clear all information or only specific details.
  EXEC Privilege mode
  clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]]
  • *: Clears all peers.
  • neighbor-address: Clears the neighbor with this IP address.
  • AS Numbers: Peers’ AS numbers to be cleared.
  • ipv4: Clears information for the IPv4 address family.
   CONFIGURATION Mode
   router bgp as-number
2. Shut down the BGP neighbors corresponding to IPv4 multicast groups using the following command:
   ROUTER-BGP Mode
   shutdown address-family-ipv4-multicast
To enable or disable BGP neighbors corresponding to the IPv6 unicast groups:
1. Enter the router bgp mode using the following command:
   CONFIGURATION Mode
   router bgp as-number
2.
Set a Clause with a Continue Clause
If the route-map entry contains sets with the continue clause, the set actions operation is performed first, followed by the continue clause jump to the specified route map entry.
• If a set actions operation occurs in the first route map entry and then the same set action occurs with a different value in a subsequent route map entry, the last set of actions overrides the previous set of actions with the same set command.
BGP Regular Expression Optimization
The system optimizes processing time when using regular expressions by caching and re-using evaluated regular expression results, at the expense of some memory on the RP1 processor. BGP policies that contain regular expressions to match against AS paths and communities can take a lot of CPU processing time, thus affecting BGP routing convergence.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
Dell(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
BGP version 4, remote router ID 2.4.0.
To view the captured PDUs, use the show capture bgp-pdu neighbor command.
Dell#show capture bgp-pdu neighbor 20.20.20.2
Incoming packet capture enabled for BGP neighbor 20.20.20.
Figure 25. Sample Configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.1/24
 no shutdown
R1(conf-if-lo-0)#int tengig 1/21
R1(conf-if-te-1/21)#ip address 10.0.1.21/24
R1(conf-if-te-1/21)#no shutdown
R1(conf-if-te-1/21)#show config
!
interface TenGigabitEthernet 1/21
 ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 192.168.128.2 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R1(conf-router_bgp)#end
R1#
R1#show ip bgp summary
BGP router identifier 192.168.128.
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#show ip bgp summary
BGP router identifier 192.168.128.
R3(conf)#end
R3#show ip bgp summary
BGP router identifier 192.168.128.3, local AS number 100
BGP table version is 1, main routing table version 1
1 network entrie(s) using 132 bytes of memory
3 paths using 204 bytes of memory
BGP-RIB over all using 207 bytes of memory
2 BGP path attribute entrie(s) using 128 bytes of memory
2 BGP AS-PATH entrie(s) using 90 bytes of memory
2 neighbor(s) using 9216 bytes of memory

Neighbor        AS   MsgRcvd   MsgSent   TblVer   InQ   OutQ   Up/Down   State/Pfx
192.168.128.
Minimum time before advertisements start is 0 seconds
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128)
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes adverti
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.3 remote-as 100
 neighbor 192.168.128.3 peer-group BBB
 neighbor 192.168.128.3 update-source Loopback 0
 neighbor 192.168.128.3 no shutdown
R2(conf-router_bgp)#end
R2#
R2#show ip bgp summary
BGP router identifier 192.168.128.
192.168.128.1   99   93    99    1   0   (0)   00:00:15   1
192.168.128.2   99   122   120   1   0   (0)   00:00:11   1

R3#show ip bgp neighbor
BGP neighbor is 192.168.128.1, remote AS 99, external link
 Member of peer-group BBB for session parameters
 BGP version 4, remote router ID 192.168.128.
Received 138 messages, 0 in queue
  7 opens, 2 notifications, 7 updates
  122 keepalives, 0 route refresh requests
Sent 140 messages, 0 in queue
  7 opens, 4 notifications, 7 updates
  122 keepalives, 0 route refresh requests
Minimum time between advertisement runs is 30 seconds
Minimum time before advertisements start is 0 seconds
Capabilities advertised to neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
Capabilities received from neighbor for IPv4 Unicast :
  MULTIPROTO_EXT(1)
  ROUTE_REFRESH(2)
  CISCO_ROUTE_REFRESH(128
9 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On the switch, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies. On a line card, there are one or two CAM (Dual-CAM) modules per port-pipe.
L2Acl    : 5
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
-- linecard 2 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 5
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Example of Viewing CAM-ACL Settings
Dell# show cam-acl
-- Chassis Cam ACL --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 6
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
-- linecard 0 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 6
Ipv4Acl  : 4
Ipv6Acl  : 0
Ipv4Qos  : 2
L2Qos    : 1
L2PT     : 0
IpMacAcl : 0
VmanQos  : 0
EcfmAcl  : 0
Openflow : 0
-- linecard 1 --
Current Settings(in block sizes)
1 block = 256 entries
L2Acl    : 6
Ip
1 | | | | | | | | | | | | | | | | | 1 | | | | | --More-- 0 | | | | | | | | | | | | | | | | | 1 | | | | | IN-L2 ACL IN-L2 FIB IN-L3 ACL IN-L3 ECMP GRP IN-L3 FIB IN-L3-SysFlow IN-L3-TrcList IN-L3-McastFib IN-L3-Qos IN-L3-PBR IN-V6 ACL IN-V6 FIB IN-V6-SysFlow IN-V6-McastFib OUT-L2 ACL OUT-L3 ACL OUT-V6 ACL IN-L2 ACL IN-L2 FIB IN-L3 ACL IN-L3 FIB IN-L3-SysFlow | | | | | | | | | | | | | | | | | | | | | | 1008 32768 12288 1024 262141 2878 1024 9215 8192 1024 0 0 0 0 1024 1024 0 320 32768 12288 262141 2878 |
Example of Syslog message on CAM usage
The following table shows a few possible scenarios in which the syslog message appears when you re-configure the CAM usage threshold value. For example, if the last CAM threshold was set to 90 percent and you now re-configure the CAM threshold to 80, and the current CAM usage is 85 percent, the system displays the syslog message saying that the CAM usage is above the configured CAM threshold value.
Table 10.
Applications for CAM Profiling The following describes link aggregation group (LAG) hashing. LAG Hashing The Dell Networking OS includes a CAM profile and microcode that treats MPLS packets as non-IP packets. Normally, switching and LAG hashing is based on source and destination MAC addresses. Alternatively, you can base LAG hashing for MPLS packets on source and destination IP addresses. This type of hashing is allowed for MPLS packets with five labels or less.
Dell(conf)#hardware forwarding-table mode scaled-l3-hosts
Hardware forwarding-table mode is changed. Save the configuration and reload to take effect.
Dell(conf)#end
Dell#write mem
!
01:13:36: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
Dell(conf)#
Dell(conf)#end
Dell#01:13:44: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console
Dell#
2. Display the hardware forwarding table mode in the current boot and in the next boot.
10 Control Plane Policing (CoPP) Control plane policing (CoPP) protects the switch’s routing, control, and line-card processors from undesired or malicious traffic and Denial of Service (DoS) attacks by filtering control-plane flows. CoPP uses a dedicated control-plane service policy that consists of ACLs and QoS policies, which provide filtering and rate-limiting capabilities for control-plane packets.
ISIS   01:80:c2:00:00:14/15   any   Q13   RP   500
       09:00:2b:00:00:04/05   any   Q13   RP   500
The protocols mapped to each CPU queue and the default rate limit applied to the 7 CPU queues for the Route Processor, Control Processor, and line cards are as follows.
Table 12.
Figure 26. Control Plane Policing
NOTE: On the system, CoPP does not convert the input rate of control-plane traffic from kilobits per second (kbps) to packets per second (pps) as on other Dell Networking switches. On other switches, CoPP converts the input kilobit-per-second rate to a packet-per-second rate, assuming 64 bytes as the average packet size. CoPP then applies the packet-per-second rate to the appropriate queue. On these switches, 1 kbps is approximately equal to 2 pps.
Configure Control Plane Policing You can create a CoPP service policy on a per-protocol and/or a per-queue basis that serves as the system-wide configuration for filtering and rate limiting control-plane traffic. Configuring CoPP for Protocols This section describes how to create a protocol-based CoPP service policy and apply it to control plane traffic. To create a protocol-based CoPP service policy, you must first create a Layer 2, Layer 3, and/or an IPv6 ACL rule for specified protocol traffic.
Examples of Configuring CoPP for Protocols
Example of Creating an IP/IPv6/MAC Extended ACL to Select Protocol Traffic
Dell(conf)#ip access-list extended ospf cpu-qos
Dell(conf-ip-acl-cpuqos)#permit ospf
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#ip access-list extended bgp cpu-qos
Dell(conf-ip-acl-cpuqos)#permit bgp
Dell(conf-ip-acl-cpuqos)#exit
Dell(conf)#mac access-list extended lacp cpu-qos
Dell(conf-mac-acl-cpuqos)#permit lacp
Dell(conf-mac-acl-cpuqos)#exit
Dell(conf)#ipv6 access-list ipv6-icmp cpu-qos
De
Example of Applying a Protocol-Based Rate Limit to Control Plane Traffic
Dell(conf)#control-plane-cpuqos
Dell(conf-control-cpuqos)#service-policy rate-limit-protocols egressFP_rate_policy
Dell(conf-control-cpuqos)#exit
Configuring CoPP for CPU Queues
This section describes how to create a queue-based CoPP service policy and apply it to control plane traffic. Controlling traffic on the CPU queues of the control plane does not require ACL rules; only QoS rate-limiting policies are used.
Example of Applying a Queue-Based Rate Limit to Control Plane Traffic
Dell#conf
Dell(conf)#control-plane-cpuqos
Dell(conf-control-plane)#service-policy rate-limit-cpu-queues cpuq_rate_policy
Displaying CoPP Configuration
The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current rate limit applied to each queue. Other show commands display statistical information for troubleshooting CoPP operation.
Dell#show mac protocol-queue-mapping
Protocol  Destination Mac        EtherType  Queue        EgPort  Rate (kbps)
--------  ---------------------  ---------  -----------  ------  -----------
ARP       any                    0x0806     Q1/Q8/Q2/Q9  CP/RP   100
FRRP      01:01:e8:00:00:10/11   any        Q19          LP      300
LACP      01:80:c2:00:00:02      0x8809     Q13          RP      500
LLDP      any                    0x88cc     Q6           CP      500
GVRP      01:80:c2:00:00:21      any        Q12          RP      200
STP       01:80:c2:00:00:00      any        Q13          RP      150
ISIS      01:80:c2:00:00:14/15   any        Q13          RP      500
          09:00:2b:00:00:04/05   any        Q13          RP      500

Viewing IPv4 Protocol-Queue Mapping

To view the queues to which IP
L3 LOCAL TERMINATED  Q3  CP  400  400  5000  5000
Dell#

Viewing Complete Protocol-Queue Mapping

To view the queues to which all protocol traffic is assigned, use the show protocol-queue-mapping command.
SOURCE MISS    Q16  LP  200   200   500   500
STATION MOVE   Q16  LP  200   200   500   500
SFLOW_EGRESS   Q20  LP  5000  5000  3000  3000
SFLOW_INGRESS  Q20  LP  5000  5000  3000  3000

Troubleshooting CoPP Operation

To troubleshoot CoPP operation, use the debug commands described in this section.

Enabling CPU Traffic Statistics

During high-traffic network conditions, you may want to manually enable the collection of CPU traffic statistics by entering the debug cpu-traffic-stats command.
tcam: color_indep=0, Stage InPorts DATA=0x0000000000000000000000000000000000000000000000000000222222222222 MASK=0x0000000000000000000000000000000000000000000000000000222222222223 DstMac Offset: 88 Width: 48 DATA=0x00000180 c2000000 MASK=0x0000ffff ffffffff action={act=DropPrecedence, param0=1(0x1), param1=0(0), param2=0(0), param3=0(0)} action={act=Drop, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CosQCpuNew, param0=0(0), param1=0(0), param2=0(0), param3=0(0)} action={act=CopyToCpu, para
Viewing Per-Protocol CoPP Counters

To view per-protocol counters of rate-limited control-plane traffic, use the show control-traffic protocol [cp-switch | [linecard {0-11} portset {0-0}] | [port-extender {0-255} stack-unit {0-7} portset {0-0}]] counters command, where:
• cp-switch displays counters for rate-limited traffic on the central switch (aggregated CoPP).
• linecard portset displays counters for rate-limited traffic on a specified switch line card and port set (distributed CoPP).
Dell#show control-traffic queue all counters |no-more
Queue-ID  RxBytes  TxBytes  Drops
--------  -------  -------  -----
Q0        0        0        0
Q1        0        0        0
Q2        0        0        0
Q3        0        0        0
Q4        0        0        0
Q5        0        0        0
Q6        21673    21673    0
Q7        0        0        0
Q8        0        0        0
Q9        0        0        0
Q10       0        0        0
Q11       0        0        0
Q12       0        0        0
Q13       0        0        0
Q14       0        0        0
Q15       0        0        0
Q16       0        0        0
Q17       0        0        0
Q18       0        0        0
Q19       0        0        0
Q20       0

Dell#show control-traffic protocol cp-switch counters
Protocol  RxBytes  TxBytes
--------  -------  -------
STP       0        0
LLDP      13835    13835
PVST      0        0
LACP      0        0
ARP REQ   0        0
ARP RESP  0        0
GVRP      0        0
FRRP      0        0
ECFM      0        0
ISIS
VLT CTRL - RP CPU VLT CTRL - CP & RP CPU VLT CTRL - HA VLT CTRL VLT IPM PDU VLT ARP RESP VLT TTL1 HYPERPULL OPENFLOW FEFD TRACEFLOW FCoE L3 LOCAL TERMINATED L3 UNKNOWN/UNRESOLVED ARP L2 DST HIT/BROADCAST MULTICAST CATCH ALL ACL LOGGING L3 HEADER ERROR/TTL0 IP OPTION/TTL1 VLAN L3 MTU FAIL Physical L3 MTU FAIL SOURCE MISS STATION MOVE TX UNICAST ENTRY TX MULTICAST ENTRY TX INTER SPINE ENTRY DROP ENTRY CP bound IPC RP bound IPC ECP bound IPC SFLOW_EGRESS SFLOW_INGRESS 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
Q3        0        0        0
Q4        0        0        0
Q5        0        0        0
Q6        21673    21673    0
Q7        0        0        0
Q8        0        0        0
Q9        0        0        0
Q10       0        0        0
Q11       0        0        0
Q12       0        0        0
Q13       0        0        0
Q14       0        0        0
Q15       0        0        0
Q16       0        0        0
Q17       0        0        0
Q18       0        0        0
Q19       0        0        0
Q20       0        0        0

To clear the per-queue counters of rate-limited traffic at the aggregated (switch) or individual queue level, use the clear control-traffic queue {all | queue-id queue-number} counters command; for example:

Dell#show control-traffic queue queue-id 6 counters
Queue-ID  RxBytes  TxBytes  Drops
--------  -------  -------  -----
Q6        24016    24016
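The per-queue Drops column above is the signal a practitioner actually watches: a queue whose drops keep climbing means CoPP is policing that queue's protocol and something is flooding the CPU (an ARP storm, a rogue STP/LACP talker, a scan hitting L3-terminated traffic). The following Python script is an added example, not code from the guide or from Dell; it parses two polls of show control-traffic queue all counters, reports queues whose Drops grew, tolerates a clear control-traffic queue between polls, and includes the 64-byte kbps-to-pps conversion from the NOTE at the top of this chapter. The two sample outputs are constructed to match the column layout shown above; the queue-to-protocol hints come from the show mac protocol-queue-mapping output earlier in this section.

```python
"""Added example: detect CoPP drops between two polls of
'show control-traffic queue all counters'. Sample data is constructed."""
import re
from typing import Dict, List, Tuple

# Queue -> (RxBytes, TxBytes, Drops)
QueueCounters = Dict[str, Tuple[int, int, int]]

# Queue-to-protocol hints from the 'show mac protocol-queue-mapping' output
# reproduced in the guide; queues not listed there are reported as unmapped.
QUEUE_PROTOCOLS = {
    "Q1": "ARP", "Q2": "ARP", "Q8": "ARP", "Q9": "ARP",
    "Q6": "LLDP", "Q12": "GVRP", "Q13": "LACP/STP/ISIS", "Q19": "FRRP",
}

_ROW = re.compile(r"^(Q\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def kbps_to_pps(kbps: float, avg_packet_bytes: int = 64) -> float:
    """Conversion used on the other Dell switches the NOTE refers to:
    kbps -> pps assuming a 64-byte average packet (1 kbps is ~2 pps)."""
    return kbps * 1000.0 / (avg_packet_bytes * 8)


def parse_queue_counters(text: str) -> QueueCounters:
    """Extract the Qn rows; prompt, header and separator lines are ignored."""
    counters: QueueCounters = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            q, rx, tx, drops = m.groups()
            counters[q] = (int(rx), int(tx), int(drops))
    return counters


def drop_deltas(before: QueueCounters, after: QueueCounters) -> Dict[str, int]:
    """Growth of the Drops counter per queue between two polls. A counter
    that went backwards was cleared in between (clear control-traffic queue),
    so the new absolute value is taken as the growth since the clear."""
    deltas: Dict[str, int] = {}
    for q, (_, _, drops_now) in after.items():
        drops_then = before.get(q, (0, 0, 0))[2]
        delta = drops_now if drops_now < drops_then else drops_now - drops_then
        if delta > 0:
            deltas[q] = delta
    return deltas


def alerts(before: QueueCounters, after: QueueCounters, threshold: int = 0) -> List[str]:
    """One alert line per queue whose drops grew by more than threshold."""
    out: List[str] = []
    for q, delta in sorted(drop_deltas(before, after).items(),
                           key=lambda kv: int(kv[0][1:])):
        if delta > threshold:
            proto = QUEUE_PROTOCOLS.get(q, "unmapped")
            out.append(f"{q} ({proto}): {delta} new drops since last poll")
    return out


# Constructed sample polls (not captured from a real switch): between the two,
# Q1 (ARP) starts dropping, which is what an ARP flood against the CPU looks like.
SAMPLE_T0 = """Dell#show control-traffic queue all counters |no-more
Queue-ID  RxBytes  TxBytes  Drops
--------  -------  -------  -----
Q0        0        0        0
Q1        512      512      0
Q6        21673    21673    0
Q13       0        0        0
"""
SAMPLE_T1 = """Dell#show control-traffic queue all counters |no-more
Queue-ID  RxBytes  TxBytes  Drops
--------  -------  -------  -----
Q0        0        0        0
Q1        905210   6400     4312
Q6        24016    24016    0
Q13       0        0        0
"""

if __name__ == "__main__":
    for line in alerts(parse_queue_counters(SAMPLE_T0),
                       parse_queue_counters(SAMPLE_T1)):
        print(line)
```

Run it on two captures taken a minute apart (for example from a scheduled show collected over SSH); a non-empty alert list for Q1/Q2/Q8/Q9 points at ARP, for Q13 at LACP/STP/IS-IS, and the per-protocol counters in the next section tell you which one.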
11 Data Center Bridging (DCB)

Topics:
• Enabling Data Center Bridging
• Ethernet Enhancements in Data Center Bridging
• QoS dot1p Traffic Classification and Queue Assignment
• SNMP Support for PFC and Buffer Statistics Tracking
• DCB Maps and its Attributes
• Data Center Bridging: Default Configuration
• Configuration Notes: PFC and ETS in a DCB Map
• Configuring Priority-Based Flow Control
• Configuring Enhanced Transmission Selection
• Configure a DCBx Operation
• Verifying the DCB Configuratio
Ethernet Enhancements in Data Center Bridging

The following section describes DCB. The device supports the following DCB features:
• Data center bridging exchange protocol (DCBx)
• Priority-based flow control (PFC)
• Enhanced transmission selection (ETS)

NOTE: DCB is not supported on the Port Extender ports and Cascade ports.
The following illustration shows how PFC handles traffic congestion by pausing the transmission of incoming traffic with dot1p priority 4.

Figure 28. Illustration of Traffic Congestion

The system supports loading two DCB_Config files:
• FCoE converged traffic with priority 3.
• iSCSI storage traffic with priority 4.

In the Dell Networking OS, PFC is implemented as follows:
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
Figure 29. Enhanced Transmission Selection

The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission.

Table 15. ETS Traffic Groupings
Traffic Groupings  Description
Group ID           A 4-bit identifier assigned to each priority group. Groups 0 to 7 are configurable; 8 to 14 are reserved; 15.0 to 15.7 are strict-priority groups.
Group bandwidth    Percentage of available bandwidth allocated to a priority group.
Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 30. DCB PFC and ETS Traffic Handling QoS dot1p Traffic Classification and Queue Assignment The following section describes QoS dot1P traffic classification and assignments.
dot1p Value in the Incoming Frame  Egress Queue Assignment
2                                  2
3                                  3
4                                  4
5                                  5
6                                  6
7                                  7

Dell#show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue          : 1 0 2 3 4 5 6 7

SNMP Support for PFC and Buffer Statistics Tracking

The Buffer Statistics Tracking (BST) feature provides a mechanism to aid in resource monitoring and tuning of buffer allocation. Max Use Count mode in Buffer Statistics is supported.
DCB Maps and its Attributes This topic contains the following sections that describe how to configure a DCB map, apply the configured DCB map to a port, configure PFC without a DCB map, and configure lossless queues. DCB Map: Configuration Procedure A DCB map consists of PFC and ETS parameters. By default, PFC is not enabled on any 802.1p priority and ETS allocates equal bandwidth to each priority. To configure user-defined PFC and ETS settings, you must create a DCB map.
Table 16. Applying a DCB map to an Ethernet port
Step  Task                                                    Command  Command Mode
1     Enter interface configuration mode on an Ethernet port.
Configuring Lossless Queues DCB also supports the manual configuration of lossless queues on an interface after you disable PFC mode in a DCB map and apply the map on the interface. The configuration of no-drop queues provides flexibility for ports on which PFC is not needed, but lossless traffic should egress from the interface. Lossless traffic egresses out the no-drop queues. Ingress 802.1p traffic from PFC-enabled peers is automatically mapped to the no-drop egress queues.
Applying a DCB Map on a Line Card On the C9010, DCB is supported per-line card. If the traffic handled by a DCB map is transmitted on ports on different line cards, you must manually configure the DCB map on the backplane ports of the C9010 line cards on which the ports reside. • Apply a DCB map with PFC and ETS settings on the backplane ports of C9010 line cards.
As soon as you apply a DCB map with PFC enabled on an interface, DCBx starts exchanging information with a peer. The IEEE 802.1Qbb, CEE and CIN versions of the PFC TLV are supported. DCBx also validates PFC configurations that are received in TLVs from peer devices. By applying a DCB map with PFC enabled, you enable PFC operations on ingress port traffic. To achieve complete lossless handling of traffic, configure PFC priorities on all DCB egress ports.
• ETS configuration error: If an error occurs in an ETS configuration, the configuration is ignored and the scheduler and bandwidth allocation settings are reset to the ETS default value: 100% of available bandwidth is allocated to priority group 0 and the bandwidth is equally assigned to each dot1p priority. If an error occurs when a port receives a peer’s ETS configuration, the port’s configuration resets to the ETS configuration in the previously configured DCB map.
Committed and peak burst sizes are in kilobytes. The default is 50; the range is from 0 to 10000. The pfc on command enables priority-based flow control.
3. Specify the dot1p priority-to-priority group mapping for each priority.
   priority-pgid dot1p0_group_num dot1p1_group_num ... dot1p7_group_num
   The priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number.
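The constraints in the steps above (eight priority-pgid entries, group IDs 0 to 7, priorities that share an egress queue in the same group) and the ETS fallback described under Configuration Notes (an ETS configuration error is ignored and the scheduler reverts to 100% of bandwidth for priority group 0) are easy to violate by hand and the switch gives little feedback. The following Python checker is an added example, not code from the guide or from Dell. It models a DCB map, validates it against those stated rules plus two drawn from the show output later in this chapter (the non-strict groups' ETS shares must total 100%, and a strict-priority group is displayed with 0% bandwidth; both are treated here as assumptions about the switch's behaviour), and reports the allocation the scheduler would actually use. The dot1p-to-queue table is the one printed by show qos dot1p-queue-mapping in this chapter; the sample maps are constructed.

```python
"""Added example: validate a DCB map (PFC + ETS) before applying it.
Sample maps are constructed; see the lead-in for which rules are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# dot1p -> egress queue, as printed by 'show qos dot1p-queue-mapping' in the guide.
DEFAULT_DOT1P_TO_QUEUE = {0: 1, 1: 0, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6, 7: 7}


@dataclass(frozen=True)
class PriorityGroup:
    pgid: int
    bandwidth: int = 0     # percent of link bandwidth (ETS groups only)
    pfc: bool = False      # 'pfc on' configured in the group
    strict: bool = False   # scheduler strict-priority instead of ETS


@dataclass
class DcbMap:
    name: str
    priority_pgid: Sequence[int]          # index = dot1p value, value = group ID
    groups: Dict[int, PriorityGroup]


def validate(dcb_map: DcbMap, dot1p_to_queue=DEFAULT_DOT1P_TO_QUEUE) -> List[str]:
    """Return a list of rule violations; an empty list means the map is usable."""
    errors: List[str] = []
    if len(dcb_map.priority_pgid) != 8:
        errors.append("priority-pgid needs exactly 8 entries (dot1p 0-7)")
    for dot1p, pgid in enumerate(dcb_map.priority_pgid):
        if not 0 <= pgid <= 7:
            errors.append(f"dot1p {dot1p}: priority group {pgid} outside 0-7")
        elif pgid not in dcb_map.groups:
            errors.append(f"dot1p {dot1p}: priority group {pgid} is not defined")
    # Priorities that land in the same egress queue must share a priority group.
    queue_groups: Dict[int, set] = {}
    for dot1p, pgid in enumerate(dcb_map.priority_pgid):
        if dot1p in dot1p_to_queue:
            queue_groups.setdefault(dot1p_to_queue[dot1p], set()).add(pgid)
    for queue, pgids in sorted(queue_groups.items()):
        if len(pgids) > 1:
            errors.append(f"queue {queue} is fed by priority groups {sorted(pgids)}; "
                          "all priorities mapped to one queue must share a group")
    # Assumption: ETS shares of the non-strict groups must add up to 100%.
    ets_total = sum(g.bandwidth for g in dcb_map.groups.values() if not g.strict)
    if ets_total != 100:
        errors.append(f"ETS bandwidth of non-strict groups totals {ets_total}%, not 100%")
    # Assumption: a strict-priority group carries no ETS share (shown as 0% SP).
    for g in dcb_map.groups.values():
        if g.strict and g.bandwidth:
            errors.append(f"priority group {g.pgid} is strict-priority but has "
                          f"{g.bandwidth}% bandwidth")
    return errors


def effective_allocation(dcb_map: DcbMap) -> Dict[int, int]:
    """Bandwidth per priority group the scheduler ends up using: the configured
    shares if the map is valid, otherwise the ETS default of 100% to group 0."""
    if validate(dcb_map):
        return {0: 100}
    return {pgid: g.bandwidth for pgid, g in sorted(dcb_map.groups.items())}


# Constructed sample mirroring the two-group layout of the guide's
# 'show interfaces ... ets detail' example: group 1 = lossless priority 3.
GOOD_MAP = DcbMap(
    name="SAN_DCB_MAP",
    priority_pgid=[0, 0, 0, 1, 0, 0, 0, 0],
    groups={0: PriorityGroup(0, bandwidth=50),
            1: PriorityGroup(1, bandwidth=50, pfc=True)},
)

# Same map with the ETS shares mistyped so they exceed 100%.
BAD_BANDWIDTH_MAP = DcbMap(
    name="SAN_DCB_MAP",
    priority_pgid=[0, 0, 0, 1, 0, 0, 0, 0],
    groups={0: PriorityGroup(0, bandwidth=60),
            1: PriorityGroup(1, bandwidth=50, pfc=True)},
)

if __name__ == "__main__":
    for m in (GOOD_MAP, BAD_BANDWIDTH_MAP):
        print(m.name, validate(m) or "OK", effective_allocation(m))
```

The queue-sharing rule only bites when the dot1p-to-queue mapping is not one-to-one (the default table above is), so pass your own mapping to validate() after changing service-class dynamic dot1p; the checker then reports the queue whose priorities were split across groups, which is the case the guide warns about.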
For example, storage traffic is sensitive to frame loss; interprocess communication (IPC) traffic is latency-sensitive. ETS allows different traffic types to coexist without interruption in the same converged link by: • • Allocating a guaranteed share of bandwidth to each priority group. Allowing each group to exceed its minimum guaranteed bandwidth if another group is not fully using its allotted bandwidth. Creating an ETS Priority Group An ETS priority group specifies the range of 802.
• In the CEE version, the priority group/traffic class group (TCG) ID 15 represents a non-ETS priority group. Any priority group configured with a scheduler type is treated as a strict-priority group and is given the priority-group (TCG) ID 15.
• The CIN version supports two types of strict-priority scheduling:
  • Group strict priority: Allows a single priority flow in a priority group to increase its bandwidth usage to the bandwidth total of the priority group.
• Auto-downstream

The configuration received from a DCBx peer or from an internally propagated configuration is not stored in the switch's running configuration. On a DCBx port in an auto-upstream role, the PFC and application priority TLVs are enabled. ETS recommend TLVs are disabled and ETS configuration TLVs are enabled. The port advertises its own configuration to DCBx peers but is not willing to receive remote peer configuration.
DCB Configuration Exchange The DCBx protocol supports the exchange and propagation of configuration information for the enhanced transmission selection (ETS) and priority-based flow control (PFC) DCB features. DCBx uses the following methods to exchange DCB configuration parameters: Asymmetric DCB parameters are exchanged between a DCBx-enabled port and a peer port without requiring that a peer port and the local port use the same configured values for the configurations to be compatible.
Auto-Detection and Manual Configuration of the DCBx Version When operating in Auto-Detection mode (the DCBx version auto command), a DCBx port automatically detects the DCBx version on a peer port. Legacy CIN and CEE versions are supported in addition to the standard IEEE version 2.5 DCBx. A DCBx port detects a peer version after receiving a valid frame for that version.
class-map match-any dscp-pfc-2
 match ip dscp 20-25,30-35

2. Associate the above class-maps to queues. Queue assignment is based on the following table.

Table 19. Queue Assignment
Internal priority  Queue
0                  1
1                  0
2                  2
3                  3
4                  4
5                  5
6                  6
7                  7

3. The dot1p-to-queue mapping configuration is retained at the default value. The default dot1p-queue mapping is:

Dell#show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue          : 2 0 1 3 4 5 6 7

4. Interface configurations on server-connected ports.
a.
Figure 31. DCBx Sample Topology

DCBx Prerequisites and Restrictions

The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter).
• If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
2. Configure server-facing interfaces as auto-downstream ports.
3. Configure a port to operate in a configuration-source role.
4. Configure ports to operate in a manual role.

NOTE: The DCBx configuration is not supported on cascade interfaces or extended ports.

1. Enter INTERFACE Configuration mode.
   CONFIGURATION mode
   interface type slot/port
2. Enter LLDP Configuration mode to enable DCBx operation.
   INTERFACE mode
   [no] protocol lldp
3.
To verify the DCBx configuration on a port, use the show interface DCBx detail command.

Configuring DCBx Globally on the Switch

To globally configure the DCBx operation on a switch, follow these steps.
1. Enter Global Configuration mode.
   EXEC PRIVILEGE mode
   configure
2. Enter LLDP Configuration mode to enable DCBx operation.
   CONFIGURATION mode
   [no] protocol lldp
3. Configure the DCBx version used on all interfaces not already configured to exchange DCB information.
DCBx Error Messages The following syslog messages appear when an error in DCBx operation occurs. LLDP_MULTIPLE_PEER_DETECTED: DCBx is operationally disabled after detecting more than one DCBx peer on the port interface. LLDP_PEER_AGE_OUT: DCBx is disabled as a result of LLDP timing out on a DCBx peer interface. DSM_DCBx_PEER_VERSION_CONFLICT: A local port expected to receive the IEEE, CIN, or CEE version in a DCBx TLV from a remote peer but received a different, conflicting DCBx version.
Command  Output
You can use the show interface pfc statistics command even without enabling DCB on the system.
show interface port-type slot/port ets {summary | detail}  Displays the ETS configuration applied to egress traffic on an interface, including priority groups with priorities and bandwidth allocation. To clear ETS TLV counters, enter the clear ets counters interface port-type slot/port command.
show interface port-type slot/port DCBx detail  Displays the DCBx configuration on an interface.
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8

Dell# show interfaces tengigabitethernet 1/4 pfc detail
Interface TenGigabitEthernet 1/4
Admin mode is on
Admin is enabled
Remote is enabled
Remote Willing Status is enabled
Local is enabled
Oper status is recommended
PFC DCBx Oper status is Up
State Machine Type is Feature
TLV Tx Status is enabled
PFC Link Delay 45556 pause quanta
Application Priority TLV Parameters :
---------------
Fields Description PFC Link Delay Link delay (in quanta) used to pause specified priority traffic. Application Priority TLV: FCOE TLV Tx Status Status of FCoE advertisements in application priority TLVs from local DCBx port: enabled or disabled. Application Priority TLV: ISCSI TLV Tx Status Status of ISCSI advertisements in application priority TLVs from local DCBx port: enabled or disabled.
------------------
Remote is disabled
Local Parameters :
------------------
Local is enabled
TC-grp  Priority#  Bandwidth  TSA
------------------------------------------------
0
1       0,1,2      100%       ETS
2       3          0 %        SP
3       4,5,6,7    0 %        SP
4
5
6
7
Oper status is init
ETS DCBx Oper status is Down
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
0 Input Conf TLV Pkts, 1955 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Reco TLV Pkts, 1955 Output Reco TLV Pkts, 0 Error Reco TLV Pkts
Del
5       12%        ETS
6       12%        ETS
7       12%        ETS
Oper status is init
Conf TLV Tx Status is disabled
Traffic Class TLV Tx Status is disabled
0 Input Conf TLV Pkts, 0 Output Conf TLV Pkts, 0 Error Conf TLV Pkts
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class Pkts

The following example shows the show interface ets detail command.
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts

Dell#show interfaces fortyGige 0/36 ets detail
Interface fortyGigE 0/36
Max Supported PG is 3
Number of Traffic Classes is 8
Admin mode is on
Admin Parameters :
------------------
Admin is enabled
PG-grp  Priority#      BW-%  BW-COMMITTED          BW-PEAK               TSA
                       %     Rate(Mbps) Burst(KB)  Rate(Mbps) Burst(KB)
-----------------------------------------------------
0       0,1,2,4,5,6,7  50    400        100        4000       400        ETS
1       3              50    -          -          -          -          ETS
2       -              -     -          -          -
3       -              -     -
Field  Description
Admin mode is enabled on the remote port for DCBx exchange, the Willing bit received in ETS TLVs from the remote peer is included.
Local Parameters  ETS configuration on local port, including Admin mode (enabled when a valid TLV is received from a peer), priority groups, assigned dot1p priorities, and bandwidth allocation.
Operational status (local port)  Port state for current operational ETS configuration:
• Init: Local ETS configuration parameters were exchanged with peer.
6       -              -
7       -              -

Dell# show interface tengigabit 2/12 dcbx details
E-ETS Configuration TLV enabled           e-ETS Configuration TLV disabled
R-ETS Recommendation TLV enabled          r-ETS Recommendation TLV disabled
P-PFC Configuration TLV enabled           p-PFC Configuration TLV disabled
F-Application priority for FCOE enabled   f-Application Priority for FCOE disabled
I-Application priority for iSCSI enabled  i-Application Priority for iSCSI disabled
-----------------------------------------------------------------------------------
Interfa
Table 23. show interface DCBx detail Command Description Field Description Interface Interface type with chassis slot and port number. Port-Role Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual. DCBx Operational Status Operational status (enabled or disabled) used to elect a configuration source and internally propagate a DCB configuration. The DCBx operational status is the combination of PFC and ETS operational status.
For tagged packets, the queue is selected based on the dot1p value of the incoming packet. When PFC frames for a specific priority are received from the peer switch, the queue corresponding to that dot1p is halted from scheduling on that port, honoring the PFC request from the peer. If a queue is congested because of packets with a specific dot1p and PFC is enabled for that dot1p, the switch transmits PFC frames for that dot1p.
Figure 32. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
The following describes the priority group-bandwidth assignment. PFC and ETS Configuration Command Examples The following examples show PFC and ETS configuration commands to manage your data center traffic.
• Strict-priority groups: If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20+ 30)%. If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first.
Configuring the Dynamic Buffer Method

Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps:
1. Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces.
   CONFIGURATION mode
   dcb enable
2. Configure the shared PFC buffer size and the total buffer size. A maximum of 4 lossless queues are supported.
12 Debugging and Diagnostics This chapter describes the debugging and diagnostics tasks you can perform on the switch.
Warning - PE-Unit 0 at PEID 0 will go offline to run the diagnostics. Offline of system will bring down all the protocols and the system will be operationally down, except for running Diagnostics. PE unit will be automatically reloaded once the diagnostics tests are completed.
Jul 30 13:11:07: %PE255-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 60 % of the full speed Jul 30 13:11:07: %PE255-UNIT3-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 2/1 Jul 30 13:11:54: %PE255-C1048P:2 %CHMGR-2-FAN_SPEED_CHANGE: Fan speed changed to 75 % of the full speed Jul 30 13:11:54: %PE255-UNIT3-M:CP %CHMGR-4-TEMP_STATUS_CHANGE: Unit 2 temperature state changed to 1 (Current temperature 35C).
006 - One Gig PHY Access Test ...................................... PASS 007 - One Gig PHY Access Test ...................................... PASS 008 - One Gig PHY Access Test ...................................... PASS 009 - One Gig PHY Access Test ...................................... PASS 010 - One Gig PHY Access Test ...................................... PASS 011 - One Gig PHY Access Test ...................................... PASS 012 - One Gig PHY Access Test ......................................
043 - One Gig PHY Access Test ...................................... PASS 044 - One Gig PHY Access Test ...................................... PASS 045 - One Gig PHY Access Test ...................................... PASS 046 - One Gig PHY Access Test ...................................... PASS 047 - One Gig PHY Access Test ...................................... PASS 048 - One Gig PHY Access Test ...................................... PASS oneGAccess ..................................................
002 - One Gig PHY Link Test ........................................ PASS 003 - One Gig PHY Link Test ........................................ PASS 004 - One Gig PHY Link Test ........................................ PASS 005 - One Gig PHY Link Test ........................................ PASS 006 - One Gig PHY Link Test ........................................ PASS 007 - One Gig PHY Link Test ........................................ PASS 008 - One Gig PHY Link Test ........................................
usbRW (1, 1) The following example shows how to run offline diagnostics for PE in Debug mode. NOTE: Dell Networking highly recommends reloading the system after running the offline diagnostics in Debug mode on the switch.
A warning is displayed with a CLI prompt asking you to confirm with yes or no:

Dell#diag system
Warning - diagnostic execution will cause multiple link flaps on the peer side advisable to shut directly connected ports
Proceed with Diags [confirm yes/no]:

5. View the results of the diagnostic tests.
   EXEC Privilege mode
   show file flash://TestReport-CP-unit.txt
   show file flash://TestReport-LP-linecard-number.txt

The following example takes a switch offline.
0 0 0 0 0 1 2 3 Total power: absent absent absent up AC up 3440 599.0 599.
19 20 21 22 23 24 25 26 27 28 29 30 31 -rwx -rwx -rwx -rwx -rwx -rwx -rwx -rwx -rwx drwx -rwx -rwx -rwx 3160 484734 569421 265208 569421 262890 569677 251098 11518 4096 52186974 10918 17134 Apr Feb Feb Feb Feb Feb Feb Feb Apr Mar Apr Apr Apr 24 19 19 19 19 19 19 19 26 13 24 26 26 2015 2015 2015 2015 2015 2015 2015 2015 2015 2015 2015 2015 2015 19:27:06 12:10:04 12:13:28 12:16:18 12:18:24 12:21:42 12:23:14 12:24:14 22:33:08 02:28:26 19:28:16 22:33:08 22:35:56 +00:00 +00:00 +00:00 +00:00 +00:00 +00:00
ERROR: optic:17 is not present ERROR: optic:21 is not present opticEepromTest ............................................. FAIL opticPhyTest ................................................ PASS Starting test: opticPresenceTest ...... ERROR: optic:1 is not present ERROR: optic:5 is not present ERROR: optic:9 is not present ERROR: optic:13 is not present ERROR: optic:17 is not present ERROR: optic:21 is not present opticPresenceTest ...........................................
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 8 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 9 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 10 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 11 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 12 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 13 - File
Iteration 44 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 45 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 46 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 47 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 48 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 49 - File System Check passed /dev/rwd0k: 3 files, 20398
cpuGELinkStatusTest ......................................... FAIL cpuRevisionTest ............................................. PASS cpuSdramPresenceTest ........................................ PASS cpuSdramSizeTest ............................................ PASS eepromTest .................................................. PASS Starting test: extendedCPLDAccessTest ......extended CPLD Major Ver 2 Minor Ver 3 extendedCPLDAccessTest ...................................... PASS fanAirFlowDirection ........
PSU[2] Status Test FAIL psuStatusTest ............................................... FAIL Starting test: psuVoltageTest ...... PSU[0] Voltage Test FAIL PSU[1] Voltage Test FAIL PSU[2] Voltage Test FAIL psuVoltageTest .............................................. FAIL rtcTest ..................................................... PASS sataSsdTest ................................................. PASS Starting test: showTemperature ...... +Board First Thermal Monitor Sensor[0] is 38.
ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 2 Controller Speed Test FAIL ERROR: Tray[2] fan[3] speed 56% is out of expected range [80-100%] ERROR: Fan speed variation failed for tray[2] FAN TRAY[2] FAN 3 Controller Speed Test FAIL fanCntrlSpeedTest ........................................... FAIL fanTrayEepromAccessTest ..................................... PASS Starting test: i2cTest ......
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 23 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 24 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 25 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 26 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 27 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 28 - Fil
usbTest ..................................................... FAIL LEVEL 2 DIAGNOSTIC ipcPingTrafficTest ..........................................
LEVEL 0 DIAGNOSTIC Starting test: bcm56854AccessTest ...... + Access Test for unit 0 : PASSED bcm56854AccessTest .......................................... PASS biosVerGetTest .............................................. PASS boardRevisionTest ........................................... PASS cpldAccessTest .............................................. PASS Starting test: CpuGbeLinkStatusTest ...... + GbE1 Link Status UP + GbE2 Link Status DOWN CpuGbeLinkStatusTest ........................................
Starting test: udfLinkStatus ...... ERROR: Unit 0 xe port 26 is DOWN udfLinkStatus ............................................... FAIL xeLinkSpeedTest ............................................. PASS Starting test: xeLinkStatusTest ...... ERROR: Unit 0 xe port 1 is DOWN ERROR: Unit 0 xe port 5 is DOWN ERROR: Unit 0 xe port 9 is DOWN ERROR: Unit 0 xe port 13 is DOWN ERROR: Unit 0 xe port 17 is DOWN ERROR: Unit 0 xe port 21 is DOWN xeLinkStatusTest ............................................
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 27 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 28 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 29 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 30 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 31 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 32 - Fil
udfLinkStatus (0, 1) xeLinkStatusTest (0, 1) ipcTrafficTest (2, 1) ------------------------------------------------------------------The following example shows the show diag in control processor command. Dell#show diag cp unit detail Diag status of CP unit: -------------------------------------------------------------------------Board: C9010 Dell Networking ================================================= CP unit is currently offline. CP unit alllevels diag issued at Sun Apr 26, 2015 10:32:01 PM.
ERROR: ioctl: "lm9" op(1)=READ WITH STOP bus=26 address=0x4b offset=0 length=1 i2cTest ..................................................... FAIL interruptStatusTest ......................................... PASS Starting test: lmPresenceTest ......LM Slot0 Not Present LM Slot1 Present LM Slot2 Not Present LM Slot3 Not Present LM Slot4 Present LM Slot5 Present LM Slot6 Not Present LM Slot7 Not Present LM Slot8 Not Present LM Slot9 Not Present Peer RPM Not Present lmPresenceTest .............................
Sensor Temperature : 27 c Sensor Temperature : 31 c DDR Temperature 33 c showTemperature ............................................. PASS Starting test: slotInfoTest ......RPM Slot No 0 slotInfoTest ................................................ PASS spiFlashAccessTest .......................................... PASS Starting test: udfAccessTest ...... + Access Test for unit 0 : PASSED udfAccessTest ............................................... PASS Starting test: usbTest ......
interruptStatusRegister ..................................... Starting test: psuEepromAccessTest ...... PSU [0] Eeprom Access Test FAIL PSU [1] Eeprom Access Test FAIL PSU [2] Eeprom Access Test FAIL psuEepromAccessTest ......................................... rtcTest ..................................................... sataSsdTest ................................................. Starting test: ssdFlashFileSystemStressTest ......
/dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 33 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 34 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 35 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 36 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 37 - File System Check passed /dev/rwd0k: 3 files, 20398 free (10199 clusters) Iteration 38 - Fil
psuFanAirFlowDirectionTest (0, 1)
psuFanSpeedTest (0, 1)
psuFanStatusTest (0, 1)
psuPresenceTest (0, 1)
psuShowTempTest (0, 1)
psuStatusTest (0, 1)
psuVoltageTest (0, 1)
usbTest (0, 1)
fanCntrlSpeedTest (1, 1)
i2cTest (1, 1)
psuEepromAccessTest (1, 1)
udfLinkStatusTest (1, 1)
usbTest (1, 1)
ipcPingTrafficTest (2, 1)

TRACE Logs

In addition to the syslog buffer, to report hardware and software events and status information, the system buffers trace messages which are continuously written by various softwar
Causes  Displayed Reasons
Reload  normal power-cycle

Table 25. Linecard Restart Causes and Reasons
Causes             Displayed Reasons
Reset of linecard  powered-on

show hardware Commands

Use the show hardware commands to troubleshoot error conditions by displaying information about a hardware subcomponent and details from hardware-based feature tables.

NOTE: Use the show hardware commands only under the guidance of the Dell Networking Technical Assistance Center (TAC).
  show hardware unit unit-number ipmc-replication
• Display the internal statistics for each port-pipe (unit) on a per-port basis.
  show hardware linecard slot-id unit unit-number port-stats [detail]
• Display the line-card internal registers for each port-pipe.
  show hardware linecard slot-id unit unit-number register
• Display the tables from the bShell through the CLI without going into the bShell.
Example of the show interfaces transceiver Command
Dell#show interfaces tengigabitethernet 10/1 transceiver
SFP is present
SFP+ 1 Serial Base ID fields
SFP+ 1 Id = 0x03
SFP+ 1 Ext Id = 0x04
SFP+ 1 Connector = 0x21
SFP+ 1 Transceiver Code = 0x00 0x00 0x00 0x00 0x00 0x04 0x00 0x00
SFP+ 1 Encoding = 0x00
SFP+ 1 BR Nominal = 0x67
SFP+ 1 Length(SFM) Km = 0x00
SFP+ 1 Length(OM3) 2m = 0x00
SFP+ 1 Length(OM2) 1m = 0x00
SFP+ 1 Length(OM1) 1m = 0x00
SFP+ 1 Length(Copper) 1m = 0x01
SFP+ 1 Vendor Rev = A
SFP+ 1 Laser W
• Use the show alarms command to display power-supply alarm messages.
Dell#show alarms
...
-- Major Alarms --
Alarm Type                                    Duration
--------------------------------------------------------------------------
PEM 0 in unit 0 down                          25 sec
PEM 2 in unit 0 down                          6 sec
• Use the show environment pem command to display complete information on power supply operation.
2  4   Media not present or accessible
2  8   Media not present or accessible
2  12  Media not present or accessible
2  16  QSFP  40GBASE-SR4     7503825D0169    Yes
2  20  Media not present or accessible
2  24  QSFP  40GBASE-CR4-1M  APF12380010GM4  Yes
2  28  Media not present or accessible
2  32  Media not present or accessible
2  36  Media not present or accessible
2  40  QSFP  40GBASE-SR4     7503825H006J    Yes
2  44  Media not present or accessible
To display more detailed information about the transceiver type, wavelength, and power r
QSFP 168 Temp Low Warning threshold = -5.000C
QSFP 168 Voltage Low Warning threshold = 3.135V
QSFP 168 Bias Low Warning threshold = 10.000mA
QSFP 168 RX Power Low Warning threshold = 0.043mW
===================================
QSFP 168 Temperature = 21.891C
QSFP 168 Voltage = 3.314V
QSFP 168 TX1 Bias Current = 0.000mA
QSFP 168 TX2 Bias Current = 0.000mA
QSFP 168 TX3 Bias Current = 0.000mA
QSFP 168 TX4 Bias Current = 0.
QSFP 168 RX1 Power =
QSFP 168 RX2 Power =
QSFP 168 RX3 Power =
QSFP 168 RX4 Power =
Examples of Syslog Temperature Alarm Conditions
The following are example syslog messages for temperature alarm conditions in the system.
RP Boot Selector : 3.3.0.
• show hardware linecard {0-2} unit {0-3} {counters | details | port-stats [detail] | register | execute-shell-cmd | ipmc-replication | table-dump}
• show hardware {layer2 | layer3} {e.g. acl | in acl} linecard {0-2} port-set {0-3}
• show hardware layer3 qos linecard {0-2} port-set {0-3}
• show hardware ipv6 {e.g.
Internal 60 Internal 61 0 0 0 0 0 0 0 0 0 0
Displaying Dataplane Statistics
The show hardware linecard {0-2} cpu data-plane statistics command provides information about the packet types entering a line-card CPU. As shown in the following example, the show hardware linecard cpu data-plane statistics command output provides detailed RX/TX packet statistics on a per-queue basis.
tx_q3_pkts = 0
tx_q4_pkts = 0
tx_q5_pkts = 0
tx_broad_pkts = 114500
tx_multi_pkts = 7422
tx_uni_pkts = 475954
tx_pause_pkts = 0
tx_cols = 0
tx_single_cols = 0
tx_multi_cols = 0
tx_late_cols = 0
tx_excess_cols = 0
tx_deferred = 0
tx_discarded = 0
Party Bus Receive Counters for port 0:
Rx Octets = 251640594
Rx Undersize Packets = 0
Rx Oversize Packets = 0
Rx Pause Packets = 0
Rx 64 Octet Packets = 122688
Rx 65to127octets Packets = 246245
Rx 128to255octets Packets = 441
Rx 256to511octets Packets = 3816
Rx 512t
Accessing Application Core Dumps
Core dumps for an application crash are enabled by default. On the system, core dumps are generated and stored in the local flash of the system's Control Processor CPU. To access an application core-dump file, you must FTP to the Control Processor CPU flash directory where the application core dump is stored in one of the following formats:
• An application core dump generated from the CP of the RPM:
  f10Ch_rpm<0/1>_cp__.acore.
• The Kernel mini core dump generated from the LM:
  f10Ch_lp_.kcore.mini.txt
The panic string contains key information regarding the crash. Several panic string types exist, and they are displayed in regular English text to make the cause of the crash easier to understand.
You can use the capture-duration timer and the packet-count counter at the same time. The TCP dump stops as soon as the first of the two thresholds is met: even if the duration timer is 9000 seconds, the dump stops when the maximum file count parameter is met first.
• Enable a TCP dump for CPU-bound traffic.
13 Dynamic Host Configuration Protocol (DHCP)
DHCP is an application-layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option: Number and Description
Specifies the client's subnet mask.
Router: Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server: Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name: Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER, offering the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered values.
4.
• The switch supports 4K DHCP Snooping entries.
• All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection.
NOTE: If the DHCP server is on the top-of-rack (ToR) switch and the VLTi (ICL) is down due to a failed link, a VLT node that is rebooted in JumpStart mode cannot reach the DHCP server, resulting in bare metal provisioning (BMP) failure.
show config
Configuration Tasks
To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information, including IP address ranges, lease length specifications, and the configuration data that DHCP hosts need. Configuring the Dell system to be a DHCP server is a three-step process:
1. Configuring the Server for Automatic Address Allocation
2. Specifying a Default Gateway
3. Enabling the system to be a DHCP server (no disable command)
domain-name name
2. Specify, in order of preference, the DNS servers that are available to a DHCP client.
   DHCP mode
   dns-server address
Using NetBIOS WINS for Address Resolution
Windows Internet Naming Service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1.
• EXEC Privilege mode.
  clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
  EXEC Privilege mode.
  clear ip dhcp binding ip address
Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages. Routers do not forward broadcasts, so if there are no DHCP servers on the subnet, the client does not receive a response to its request and therefore cannot access the network.
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gig 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
DHCP Client Operation with Other Features
A DHCP client also operates with the following software features.
Virtual Link Trunking (VLT)
A DHCP client is not supported on VLT interfaces.
VLAN and Port Channels
DHCP client configuration and behavior are the same on virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
Configuring Route Leaking between VRFs on DHCP Relay Agent
To configure route leaking between VRFs on a DHCP relay agent, include configuration similar to the following along with the DHCP relay configuration on your system.
Non-default VRF configuration for DHCPv6 helper address
The ipv6 helper-address command is enhanced to support configuring a VRF for the DHCPv6 relay helper address. To forward DHCP packets between a DHCP client and a server that are in different VRFs, configure route leaking between the VRFs using a route map. For more information on configuring route leaking across VRFs, see DHCP Relay when DHCP Server and Client are in Different VRFs.
Interface level DHCP relay source IPv4 or IPv6 configuration
You can configure the DHCP relay source IPv4 or IPv6 address per interface. If a DHCP relay source interface is configured at the interface level, the DHCP relay forwards packets received on that interface to the DHCP server using the configured source interface.
Dell(conf-if-vl-4)# tagged TenGigE 1/4
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Configure Secure DHCP
DHCP as defined by RFC 2131 provides no authentication or security mechanisms. Secure DHCP is a suite of features that protects networks that use dynamic address allocation from spoofing and attacks.
DHCP Snooping
DHCP snooping is a feature that protects networks from spoofing. It acts as a firewall between the DHCP server and DHCP clients. DHCP snooping places ports in either trusted or untrusted mode. By default, all ports are untrusted. An attacker cannot connect to the DHCP server through trusted ports. When configuring DHCP snooping, manually configure the ports connected to legitimate servers and relay agents as trusted ports.
ip dhcp snooping vlan name
Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
• Add a static entry in the binding table.
  EXEC Privilege mode
  ip dhcp snooping binding mac mac-address vlan-id vlan-id ip ip-address interface interface-type interface-number lease lease-value
If multiple IP addresses are expected for the same MAC address, repeat this step for each IP address.
Drop DHCP Packets on Snooped VLANs Only
Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs. When the binding table fills, DHCP packets are dropped only on snooped VLANs; such packets are still forwarded across non-snooped VLANs. Because DHCP packets are dropped, no new IP address assignments are made. However, DHCP release and decline packets are still allowed so that the DHCP snooping table can shrink.
using the layer-2 eg-acl value fib value frrp value ing-acl value learn value l2pt value qos value system-flow 122 command. The logic is as follows: L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries, before L2SystemFlow can be increased; therefore, 13 more L2Protocol entries are required. L2SystemFlow has 15 entries by default, but only nine are for DAI; to enable DAI on 16 VLANs, seven more entries are required.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 27. Three Types of Source Address Validation
Source Address Validation: Description
IP Source Address Validation: Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
Enabling IP+MAC Source Address Validation
IP source address validation (SAV) validates the IP source address of an incoming packet against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV together with IP SAV.
1. Allocate at least one FP block to the ipmacacl CAM region.
   CONFIGURATION mode
   cam-acl l2acl
2. Save the running-config to the startup-config.
To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-address-validation discard-counters interface interface command.
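The snooping and source address validation behaviour described in the DHCP Snooping, Drop DHCP Packets on Snooped VLANs Only, and Source Address Validation passages above, as an added Python model (illustration only, not Dell Networking OS code): server-originated DHCP messages are dropped on untrusted ports, a binding is learned from a DHCPACK that answers a request seen on an untrusted port, bindings are removed by a matching DHCPRELEASE or by lease expiry, and IP SAV or IP+MAC SAV decides whether a non-DHCP packet from an untrusted port is forwarded. The message layout (a dict carrying the DHCP field names), the port names, the VLAN ID and the addresses are constructed sample values.

```python
"""DHCP snooping binding table and source address validation (SAV), modelled in Python.

Added illustration, not Dell Networking OS code. Messages are dicts carrying
the relevant DHCP field names (type, chaddr, yiaddr, ciaddr, lease); port
names, VLAN IDs, MAC and IP addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Message types that only a legitimate DHCP server originates; on an untrusted
# port they indicate a rogue server and are dropped.
SERVER_MESSAGES = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str          # port the client was seen on (the ACK itself arrives on a trusted port)
    expires_at: float  # absolute time in seconds


@dataclass
class SnoopingSwitch:
    snooped_vlans: Set[int]
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[int, str], Binding] = field(default_factory=dict)  # (vlan, ip) -> Binding
    pending: Dict[Tuple[int, str], str] = field(default_factory=dict)        # (vlan, chaddr) -> client port
    drops: Dict[str, int] = field(default_factory=dict)                       # drop reason -> count

    def _drop(self, reason: str) -> bool:
        self.drops[reason] = self.drops.get(reason, 0) + 1
        return False

    def handle_dhcp(self, port: str, vlan: int, msg: dict, now: float = 0.0) -> bool:
        """Snoop one DHCP message; return True if it is forwarded, False if dropped."""
        if vlan not in self.snooped_vlans:
            return True  # non-snooped VLAN: forwarded without inspection
        mtype = msg["type"]
        if mtype in SERVER_MESSAGES and port not in self.trusted_ports:
            return self._drop("server-message-on-untrusted-port")
        if mtype in ("DHCPDISCOVER", "DHCPREQUEST"):
            self.pending[(vlan, msg["chaddr"])] = port
        elif mtype == "DHCPACK":
            client_port = self.pending.get((vlan, msg["chaddr"]))
            if client_port is None:
                return self._drop("ack-without-client-request")
            self.bindings[(vlan, msg["yiaddr"])] = Binding(
                msg["chaddr"], msg["yiaddr"], vlan, client_port, now + msg["lease"])
        elif mtype == "DHCPRELEASE":
            # Only the bound client, on the port it was bound on, may release the lease.
            b = self.bindings.get((vlan, msg["ciaddr"]))
            if b is None or b.mac != msg["chaddr"] or b.port != port:
                return self._drop("release-does-not-match-binding")
            del self.bindings[(vlan, msg["ciaddr"])]
        return True

    def expire(self, now: float) -> int:
        """Remove bindings whose lease has ended; return the number removed."""
        ended = [k for k, b in self.bindings.items() if b.expires_at <= now]
        for k in ended:
            del self.bindings[k]
        return len(ended)

    def validate_source(self, port: str, vlan: int, src_ip: str, src_mac: str,
                        mode: str = "ip") -> bool:
        """SAV for a non-DHCP IP packet arriving on an untrusted port.

        mode "ip" only requires src_ip to be bound on this VLAN and port;
        mode "ip+mac" also requires the bound MAC to equal src_mac.
        """
        if port in self.trusted_ports or vlan not in self.snooped_vlans:
            return True
        b = self.bindings.get((vlan, src_ip))
        if b is None or b.port != port:
            return self._drop("sav-no-binding-for-source")
        if mode == "ip+mac" and b.mac.lower() != src_mac.lower():
            return self._drop("sav-mac-does-not-match-binding")
        return True


def snooping_demo() -> dict:
    """Constructed scenario: client on Te 1/2, DHCP server behind trusted Te 1/1, rogue host on Te 1/3."""
    sw = SnoopingSwitch(snooped_vlans={10}, trusted_ports={"Te 1/1"})
    client, rogue = "00:11:22:33:44:55", "de:ad:be:ef:00:01"
    r = {}
    r["discover"] = sw.handle_dhcp("Te 1/2", 10, {"type": "DHCPDISCOVER", "chaddr": client})
    r["rogue_offer"] = sw.handle_dhcp("Te 1/3", 10, {"type": "DHCPOFFER", "chaddr": client, "yiaddr": "10.0.0.200"})
    r["ack"] = sw.handle_dhcp("Te 1/1", 10, {"type": "DHCPACK", "chaddr": client, "yiaddr": "10.0.0.5", "lease": 300}, now=0.0)
    r["sav_ok"] = sw.validate_source("Te 1/2", 10, "10.0.0.5", client, "ip+mac")
    r["sav_wrong_port"] = sw.validate_source("Te 1/3", 10, "10.0.0.5", client, "ip")
    r["sav_ip_only_spoofed_mac"] = sw.validate_source("Te 1/2", 10, "10.0.0.5", rogue, "ip")
    r["sav_ipmac_spoofed_mac"] = sw.validate_source("Te 1/2", 10, "10.0.0.5", rogue, "ip+mac")
    r["rogue_release"] = sw.handle_dhcp("Te 1/3", 10, {"type": "DHCPRELEASE", "chaddr": client, "ciaddr": "10.0.0.5"})
    r["expired"] = sw.expire(now=301.0)
    r["bindings_left"] = len(sw.bindings)
    r["drops"] = dict(sw.drops)
    return r


if __name__ == "__main__":
    print(snooping_demo())
```

The scenario shows the difference the text draws between IP SAV and IP+MAC SAV: a packet carrying the bound IP address but a different MAC passes IP-only validation and is dropped only by IP+MAC validation, while a packet using the bound address from a different port is dropped by both.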
14 Equal Cost Multi-Path (ECMP)
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Enabling Deterministic ECMP Next Hop
Deterministic ECMP next hop arranges all ECMPs in order before writing them into the content addressable memory (CAM). For example, suppose the RTM learns eight ECMPs in the order in which the protocols and interfaces came up. In this case, the forwarding information base (FIB) and CAM sort them so that the ECMPs are always arranged in the same deterministic order.
Link Bundle Monitoring
Link bundle monitoring allows the system to monitor the use of multiple links for an uneven distribution of traffic. The global default threshold is 60% of bundle usage; when the bundle reaches this threshold, the system begins monitoring the configured ECMP groups for uneven distribution. Links are monitored in 15-second intervals for three consecutive instances.
CONFIGURATION ECMP-GROUP mode
link-bundle-monitor enable
Modifying the ECMP Group Threshold
You can customize the threshold percentage for monitoring ECMP group bundles. To customize the ECMP group bundle threshold and to view the changes, use the following commands.
• Modify the threshold for monitoring ECMP group bundles.
  CONFIGURATION mode
  link-bundle-distribution trigger-threshold {percent}
  The range is from 1 to 90%. The default is 60%.
• Display details for an ECMP group bundle.
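The link bundle monitoring rules above (trigger threshold with a default of 60% and a range of 1 to 90%, 15-second sampling, three consecutive uneven instances), as an added Python model rather than Dell Networking OS code. The text does not define what counts as an uneven distribution, so the criterion used here (a member whose utilisation departs from the bundle mean by more than a tolerance) is an assumption, as are the re-arming after an alert, the member names and the traffic figures.

```python
"""ECMP link-bundle monitoring, modelled in Python.

Added example, not Dell Networking OS code. Monitoring starts once the bundle's
usage reaches the trigger threshold (default 60%, range 1-90), members are then
checked once per 15-second interval, and an alert is raised after three
consecutive uneven samples. The "uneven" criterion, the re-arm after an alert,
and the sample data are assumptions made for this example.
"""
from typing import Dict, List, Optional, Tuple

Members = Dict[str, Tuple[float, float]]  # link name -> (used Mbps, capacity Mbps)


class LinkBundleMonitor:
    def __init__(self, trigger_threshold: int = 60, interval_s: int = 15,
                 consecutive: int = 3, tolerance_pct: float = 20.0):
        if not 1 <= trigger_threshold <= 90:
            raise ValueError("trigger-threshold must be between 1 and 90 percent")
        self.trigger_threshold = trigger_threshold
        self.interval_s = interval_s
        self.consecutive = consecutive
        self.tolerance_pct = tolerance_pct  # assumption: not defined in the text
        self.uneven_streak = 0

    @staticmethod
    def bundle_utilisation(members: Members) -> float:
        """Percent of the whole bundle's capacity that is in use."""
        used = sum(u for u, _ in members.values())
        cap = sum(c for _, c in members.values())
        return 100.0 * used / cap if cap else 0.0

    def is_uneven(self, members: Members) -> bool:
        """True when any member's utilisation is more than tolerance_pct away from the mean."""
        utils = [100.0 * u / c for u, c in members.values()]
        mean = sum(utils) / len(utils)
        return any(abs(x - mean) > self.tolerance_pct for x in utils)

    def sample(self, members: Members) -> Optional[str]:
        """Consume one interval's counters; return an alert string or None."""
        if self.bundle_utilisation(members) < self.trigger_threshold:
            self.uneven_streak = 0  # below the threshold the group is not watched
            return None
        self.uneven_streak = self.uneven_streak + 1 if self.is_uneven(members) else 0
        if self.uneven_streak < self.consecutive:
            return None
        self.uneven_streak = 0  # assumption: re-arm so the next alert needs three more samples
        hottest = max(members, key=lambda n: members[n][0] / members[n][1])
        return (f"uneven distribution for {self.consecutive * self.interval_s}s; "
                f"hottest member {hottest}")

    def run(self, samples: List[Members]) -> List[Tuple[int, str]]:
        """Feed consecutive 15-second samples; return (sample index, alert) pairs."""
        alerts = []
        for i, m in enumerate(samples):
            a = self.sample(m)
            if a:
                alerts.append((i, a))
        return alerts


def bundle_demo() -> List[Tuple[int, str]]:
    """Constructed data: four 10G members, one calm sample followed by four hot, skewed samples."""
    calm = {"Te 1/1": (4000.0, 10000.0), "Te 1/2": (4000.0, 10000.0),
            "Te 1/3": (4000.0, 10000.0), "Te 1/4": (4000.0, 10000.0)}
    skewed = {"Te 1/1": (9500.0, 10000.0), "Te 1/2": (9000.0, 10000.0),
              "Te 1/3": (4000.0, 10000.0), "Te 1/4": (4000.0, 10000.0)}
    return LinkBundleMonitor().run([calm, skewed, skewed, skewed, skewed])


if __name__ == "__main__":
    print(bundle_demo())
```

With the constructed data the calm sample sits at 40% and is ignored, the skewed samples sit at 66.25% with two members near saturation, and the single alert fires on the third consecutive skewed sample (index 3), which is the behaviour the three-instance rule in the text describes.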
In this scenario, there is an additional 40Gbps link that is sometimes activated between the routers R2 and R5. When LB is configured on the routers R2 and R3 to communicate with their EBGP peers (routers R4 and R5 respectively), router R2 advertises path X to router R1 with LB indicating that a 10Gbps link is available for communication. Also, the router R3 advertises the path X with LB indicating that a 40Gbps link is available (converted to bytes per second).
R5#
interface tengigabitethernet 1/1
ip address 5.5.5.2/24
no shut
interface fortyGigE 1/48
ip address 3.3.3.2/24
no shut
router bgp 2
maximum-paths ebgp 2
bgp dmzlink-bw
neighbor 5.5.5.1 remote-as 1
neighbor 5.5.5.1 dmzlink-bw
neighbor 5.5.5.1 no shutdown
neighbor 3.3.3.1 remote-as 1
neighbor 3.3.3.1 dmzlink-bw
Dynamic Re-calculation of Link Bandwidth
The link cost associated with a port channel interface (LAG) changes whenever a member is added or deleted.
NOTE: When moving destination prefixes from the LPM to the host table, a hash collision may occur because the host table is a hash table. In this case, there is no workaround for programming route entries in the host table.
NOTE: Before moving IPv6 /128 route prefixes from the host table to the LPM table, you must enable LPM CAM partitioning for extended IPv6 prefixes. See Configuring the LPM Table for IPv6 Extended Prefixes for more information.
15 FCoE Transit
The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces.
FIP provides functionality for discovering and logging into an FCF. After discovering and logging in, FIP allows FCoE traffic to be sent and received between FCoE end-devices (ENodes) and the FCF. FIP uses its own EtherType and frame format. The following illustration shows the communication that occurs between an ENode server and an FCoE switch (FCF).
The following table lists the FIP functions.
Table 28.
Enable FIP snooping on the switch, configure the FIP snooping parameters, and configure CAM allocation for FCoE. When you enable FIP snooping, all ports on the switch become ENode ports by default. Dynamic ACL generation on a switch operating as a FIP snooping bridge functions as follows:
Port-based ACLs
These ACLs are applied in all three port modes: on ports directly connected to an FCF, on server-facing ENode ports, and on bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
• To assign a MAC address to an FCoE end-device (server ENode or storage device) after a server successfully logs in, set the FCoE MAC address prefix (FC-MAP) value that an FCF uses. The FC-MAP value is used in the ACLs installed on bridge-to-bridge links on the switch.
• To provide more port security on ports that are directly connected to an FCF and have links to other FIP snooping bridges, set the FCF or Bridge-to-Bridge port modes.
• A switch can support a maximum of eight FIP snooping VLANs.
• Configure at least one FCF/bridge-to-bridge port mode interface for any FIP snooping-enabled VLAN.
• You can configure multiple FCF-trusted interfaces in a VLAN.
When you disable FIP snooping:
• ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed.
• The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature.
FCoE traffic is allowed on the port only after the switch learns the FC-MAP value associated with the specified FCF MAC address and verifies that it matches the configured FC-MAP value for the FCoE VLAN.
Configure a Port for a Bridge-to-FCF Link
If a port is directly connected to an FCF, configure the port mode as FCF. Initially, all FCoE traffic is blocked; only FIP frames are allowed to pass.
To configure FCoE transit, refer to the FCoE Transit Configuration Example.
NOTE: DCB/DCBx is enabled when either of these configurations is applied.
2. Save the configuration on the switch.
   EXEC Privilege mode.
   write memory
3. Reload the switch to enable the configuration.
   EXEC Privilege mode.
   reload
   After the switch is reloaded, DCB/DCBx is enabled.
4. Enable the FCoE transit feature on a switch.
   CONFIGURATION mode.
   feature fip-snooping
5. Enable FIP snooping on all VLANs or on a specified VLAN.
Command: Output
show fip-snooping vlan: Displays information on the FCoE VLANs on which FIP snooping is enabled.
The following example shows the show fip-snooping sessions command.
Field: Description
ENode Interface: Slot/port number of the interface connected to the ENode.
FCF MAC: MAC address of the FCF.
VLAN: VLAN ID number used by the session.
FC-ID: Fibre Channel session ID assigned by the FCF.
The following example shows the show fip-snooping fcf command.
Dell# show fip-snooping fcf
FCF MAC  FCF Interface  VLAN  FC-MAP  FKA_ADV_PERIOD  No.
Number of Enode Keep Alive                          :4416
Number of VN Port Keep Alive                        :3136
Number of Multicast Discovery Advertisement         :0
Number of Unicast Discovery Advertisement           :0
Number of FLOGI Accepts                             :0
Number of FLOGI Rejects                             :0
Number of FDISC Accepts                             :0
Number of FDISC Rejects                             :0
Number of FLOGO Accepts                             :0
Number of FLOGO Rejects                             :0
Number of CVL                                       :0
Number of FCF Discovery Timeouts                    :0
Number of VN Port Session Timeouts                  :0
Number of Session failures due to Hardware Config   :0
The following example shows the show fip-s
Field: Description
Number of Multicast Discovery Advertisements: Number of FIP-snooped multicast discovery advertisements received on the interface.
Number of Unicast Discovery Advertisements: Number of FIP-snooped unicast discovery advertisements received on the interface.
Number of FLOGI Accepts: Number of FIP FLOGI accept frames received on the interface.
Number of FLOGI Rejects: Number of FIP FLOGI reject frames received on the interface.
FCoE Transit Configuration Example
The following illustration shows a core switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 39. Configuration Example: FIP Snooping on a Core Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
NOTE: Configuring an FC-MAP value is only required if you do not use the default FC-MAP value (0x0EFC00).
Example of Configuring the ENode Server-Facing Port
Dell(conf)# interface tengigabitethernet 0/1
Dell(conf-if-te-0/1)# portmode hybrid
Dell(conf-if-te-0/1)# switchport
Dell(conf-if-te-0/1)# protocol lldp
Dell(conf-if-te-0/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
16 FIPS Cryptography
Federal Information Processing Standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS 140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
• If the SSH server is enabled when you enter the fips mode enable command, it is re-enabled for version 2 only.
• If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command.
FIPS Mode : enabled
Burned In MAC : 00:01:e8:8a:ff:0c
No Of MACs : 3
...
Disabling FIPS Mode
The following describes disabling FIPS mode. When you disable FIPS mode, the following changes occur:
• The SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is disabled.
• The SSH server is re-enabled.
17 Flex Hash and Optimized Boot-Up
This chapter describes the Flex Hash and fast-boot enhancements.
Topics:
• Flex Hash Capability Overview
• Configuring the Flex Hash Mechanism
• LACP Fast Switchover
• Configuring LACP Fast Switchover
• LACP
• RDMA Over Converged Ethernet (RoCE) Overview
• Sample Configurations
• Preserving 802.
Dell(conf)# load-balance flexhash ipv4/ipv6 ip-proto offset1 [offset2 ]
To delete the configured flex hash setting, use the no version of the command.
LACP Fast Switchover
LACP Fast Switchover aggregates the physical ports faster when they are configured in a port-channel on both of the nodes that are members of the port-channel.
• Lossless connectivity: VMs require connectivity to the storage network that is always lossless. When a planned upgrade of the network nodes happens, especially with top-of-rack (ToR) nodes where there is a single point of failure for the VMs, disk I/O operations are expected to complete within 20 seconds. If the disk is not accessible within 20 seconds, unexpected and undefined behavior of the VMs occurs.
iscsi enable
!
interface TenGigabitEthernet 0/1
Description Link to RoCE Adapter
no ip address
mtu 9216
portmode hybrid
switchport
no spanning-tree
!
protocol lldp
dcbx port-role auto-downstream
no shutdown
!
interface fortyGigE 0/33
Description "To C9010s"
no ip address
mtu 9216
!
port-channel-protocol LACP
port-channel 1 mode active
!
protocol lldp
no advertise dcbx-tlv ets-reco
dcbx port-role auto-upstream
no shutdown
C9010 1 and C9010 2, VLT, RoCE, and iSCSI
!
dcb-map converged
Description DCB map for C
no ip address
mtu 9216
channel-member fortyGigE 1/4
no shutdown
interface fortyGigE 1/4
no ip address
mtu 9216
dcb-map Converged
protocol lldp
no shutdown
C9010 2
vlt domain 2
peer-link port-channel 128
back-up destination
interface Port-channel 128
no ip address
mtu 9216
channel-member fortyGigE 1/4
no shutdown
interface fortyGigE 1/4
no ip address
mtu 9216
dcb-map Converged
protocol lldp
no shutdown
Description from MXL B1 Switch
no ip address
mtu 9216
dcb-map RoCE
!
port-channel-proto
!
interface TenGigabitEthernet 0/22
Description SOFS- iSCSI
no ip address
mtu 9216
portmode hybrid
switchport
spanning-tree rstp edge-port
spanning-tree 0 portfast
dcb-map iSCSI
!
protocol lldp
no shutdown
Preserving 802.1Q VLAN Tag Value for Lite Subinterfaces
All the frames in a Layer 2 VLAN are identified using a tag defined in the IEEE 802.1Q standard to determine the VLAN to which the frames or traffic belong. Such frames are encapsulated with the 802.1Q tags.
18 Force10 Resilient Ring Protocol (FRRP)
Force10 resilient ring protocol (FRRP) provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
• One Master node per ring; all other nodes are Transit.
• Each node has two member interfaces: primary and secondary.
• There is no limit to the number of nodes on a ring.
• Master node ring port states: blocking, pre-forwarding, forwarding, and disabled.
• Transit node ring port states: blocking, pre-forwarding, forwarding, and disabled.
• STP is disabled on ring interfaces.
• The Master node secondary port is in the blocking state during normal operation.
Concept: Explanation
Ring Status: The state of the FRRP ring. During initialization/configuration, the default ring status is Ring-Down (disabled). The Primary and Secondary interfaces, control VLAN, and Master and Transit node information must be configured for the ring to be up.
• Ring-Up: Ring is up and operational.
• Ring-Down: Ring is broken or not set up.
Ring HealthCheck Frame (RHF): The Master node generates two types of RHFs.
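The Master node ring check described under Ring Checking, together with the Ring-Up and Ring-Down states and the port states listed above, as an added Python model (not Dell Networking OS code): the Master node sends an RHF on its primary port once per hello interval, an RHF returning on the secondary port resets the fail-period timer and keeps that port blocking, and an expired fail period declares the ring down and unblocks the secondary port so member VLAN traffic still has a path around the break. The hello interval, fail period, port names and event timeline are constructed values; the text gives no defaults for them.

```python
"""FRRP Master node ring checking, modelled in Python.

Added example, not Dell Networking OS code. Timer values, port names and the
event timeline in frrp_simulate() are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Port states named in the text; this model uses blocking, forwarding and disabled
# for the Master node's secondary port (pre-forwarding is a Transit-side state).
BLOCKING, PRE_FORWARDING, FORWARDING, DISABLED = "blocking", "pre-forwarding", "forwarding", "disabled"


@dataclass
class MasterNode:
    hello_interval: float = 0.5   # seconds between RHFs (assumption)
    fail_period: float = 1.5      # seconds without a returning RHF before Ring-Down (assumption)
    primary: str = "Te 1/1"       # constructed port names
    secondary: str = "Te 1/2"
    ring_up: bool = False         # default ring status is Ring-Down until the ring is proven
    secondary_state: str = DISABLED
    last_rhf_sent: float = -1.0
    last_rhf_seen: float = -1.0
    log: List[Tuple[float, str]] = field(default_factory=list)

    def ring_status(self) -> str:
        return "Ring-Up" if self.ring_up else "Ring-Down"

    def tick(self, now: float) -> None:
        """Periodic work: send an RHF when one is due and check the fail-period timer."""
        if now - self.last_rhf_sent >= self.hello_interval:
            self.last_rhf_sent = now
            self.log.append((now, f"RHF sent on {self.primary}"))
        if self.ring_up and now - self.last_rhf_seen > self.fail_period:
            # No RHF came back in time: the ring is broken, so unblock the secondary
            # port to restore a path for the member VLANs.
            self.ring_up = False
            self.secondary_state = FORWARDING
            self.log.append((now, f"Ring-Down: no RHF for {self.fail_period}s, {self.secondary} forwarding"))

    def receive_rhf(self, now: float, port: str) -> None:
        """An RHF arrived on `port`; only arrival on the secondary port proves the ring is complete."""
        if port != self.secondary:
            self.log.append((now, f"RHF on {port} ignored"))
            return
        self.last_rhf_seen = now  # resets the fail-period timer
        if not self.ring_up:
            self.ring_up = True
            self.secondary_state = BLOCKING  # normal operation: secondary blocks to prevent a loop
            self.log.append((now, f"Ring-Up: {self.secondary} blocking"))


def frrp_simulate() -> MasterNode:
    """Constructed timeline: healthy ring, a break lasting several hello intervals, then repair."""
    m = MasterNode()
    events = [("tick", 0.0), ("rhf", 0.1), ("tick", 0.5), ("rhf", 0.6), ("tick", 1.0), ("rhf", 1.1),
              ("tick", 1.5), ("tick", 2.0), ("tick", 2.5), ("tick", 3.0),  # ring broken: nothing returns
              ("rhf", 3.1), ("tick", 3.5)]                                  # ring repaired
    for kind, t in events:
        if kind == "tick":
            m.tick(t)
        else:
            m.receive_rhf(t, m.secondary)
    return m


if __name__ == "__main__":
    for t, event in frrp_simulate().log:
        print(f"{t:4.1f}s  {event}")
```

In the constructed timeline the last RHF returns at 1.1 s, the fail period of 1.5 s is exceeded at the 3.0 s tick (Ring-Down, secondary port forwarding), and the RHF that returns at 3.1 s brings the ring back up with the secondary port blocking again.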
• Member VLANs across multiple rings are not supported in Master nodes.
To create the control VLAN for this FRRP group, use the following commands on the switch that is to act as the Master node.
1. Create a VLAN with this ID number.
   CONFIGURATION mode.
   interface vlan vlan-id
   VLAN ID: from 1 to 4094.
2. Tag the specified interface or range of interfaces to this VLAN.
   CONFIG-INT-VLAN mode.
Interface:
• Slot/Port, range: Slot and Port ID for the interface. A range is entered as Slot/Port-Port.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
3. Assign the Primary and Secondary ports and the Control VLAN for the ports on the ring.
   CONFIG-FRRP mode.
CONFIG-FRRP mode.
show configuration
Viewing the FRRP Information
To view general FRRP information, use one of the following commands.
• Show the information for the identified FRRP group.
  EXEC or EXEC PRIVILEGED mode.
  show frrp ring-id
  Ring ID: the range is from 1 to 255.
• Show the state of all FRRP groups.
  EXEC or EXEC PRIVILEGED mode.
  show frrp summary
  Ring ID: the range is from 1 to 255.
Troubleshooting FRRP
To troubleshoot FRRP, use the following information.
secondary TengigabitEthernet 1/34
control-vlan 101
member-vlan 201
mode master
no disable
Example of R2 TRANSIT
interface TengigabitEthernet 2/14
no ip address
switchport
no shutdown
!
interface TengigabitEthernet 2/31
no ip address
switchport
no shutdown
!
interface Vlan 101
no ip address
tagged TengigabitEthernet 2/14,31
no shutdown
!
interface Vlan 201
no ip address
tagged TengigabitEthernet 2/14,31
no shutdown
!
protocol frrp 101
interface primary TengigabitEthernet 2/14 secondary TengigabitEthernet 2/3
You can configure a simple FRRP ring that connects a VLT device in one data center to VLT devices in two or more data centers.
NOTE: This configuration connects VLT devices across data centers using FRRP; however, the VLTi may or may not participate as a ring interface of any FRRP ring.
The following figure shows a simple FRRP ring interconnecting VLT devices:
Figure 41.
As a result of the VLT Node1 configuration on R2, the FRRP ring R2 becomes active. The primary interface VLTi and the secondary interface P1 act as forwarding ports for the member VLANs (M11 to Mn). VLT Node2 is the master node. The primary interface for VLT Node2 is VLTi. P2 is the secondary interface, which is one of the orphan ports participating in the FRRP ring. V1 is the control VLAN through which the RHFs are exchanged.
19 GARP VLAN Registration Protocol (GVRP)
GARP VLAN registration protocol (GVRP), defined by the IEEE 802.1Q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other. A typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN.
Figure 43. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
Related Configuration Tasks
• Configure GVRP Registration
• Configure a GARP Timer
Enabling GVRP Globally
To configure GVRP globally, use the following command.
• Enable GVRP for the entire switch.
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
• Leave: When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is de-registered. The Leave timer must be greater than or equal to 3x the Join timer. The default is 600ms.
• LeaveAll: After startup, a GARP device globally starts a LeaveAll timer.
20 High Availability (HA)
High availability (HA) is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions.
RPM Online Insertion
Dell Networking systems can function with only one RPM. If you insert a second RPM, it comes online as the standby RPM. To display the status of installed RPMs, enter the show rpm all command.
To replace a line card with a different card type, remove the card and then remove the existing line-card configuration for the slot using the command no linecard slot-id provision.
Dell(conf)# no linecard 3 provision
If you do not remove the existing line-card configuration, the status of the newly installed line card displays as mismatch card type.
• Border gateway protocol
• Open shortest path first
• Protocol independent multicast, sparse mode
• Intermediate system to intermediate system
Software Resiliency
During normal operations, the Dell Networking OS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest.
System Health Monitoring
The Dell Networking OS also monitors the overall health of the system.
redundancy auto-failover-limit: Limits the number of failovers for a specific period.
redundancy primary (rpm0 | rpm1): Selects the preferred RPM as primary.
redundancy disable-autoreboot pe all: Prevents all the PEs from automatically rebooting when the switch fails.
redundancy disable-autoreboot pe id stack-unit: Prevents all the PEs in a stack from automatically rebooting when the switch fails.
redundancy disable-autoreboot: Prevents the system from automatically rebooting when the switch fails.
RPM Synchronization Data between the primary (management) and standby RPMs is synchronized immediately after bootup. After the two RPMs have performed an initial full synchronization (block sync), the system automatically updates only changed data (incremental sync). The data that is synchronized consists of configuration data, operational data, state and status, and statistics depending on the version of the Dell Networking OS.
21 Internet Group Management Protocol (IGMP)

Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 44. IGMP Messages in IP Packets

Join a Multicast Group

There are two ways that a host may join a multicast group: it may respond to a general query from its querier, or it may send an unsolicited report to its querier.

Responding to an IGMP Query

The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
• An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts, so the request is recorded.

Figure 47.
Figure 48. Membership Queries: Leaving and Staying

Configure IGMP

Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• View IGMP-enabled interfaces.
  EXEC Privilege mode
  show ip igmp interface

Dell(conf-if-te-1/0)#show ip igmp interface tengigabitethernet 1/0
TenGigabitEthernet 1/0
  Inbound IGMP access group is not set
  Internet address is 1.1.1.1/24
  IGMP is up on the interface
  IGMP query interval is 60 seconds
  IGMP querier timeout is 0 seconds
  IGMP max query response time is 10 seconds
  IGMP last member query response interval is 1000 ms
  IGMP immediate-leave is disabled
  IGMP activity: 0 joins
  IGMP querying router is 1.1.1.
Enabling IGMP Immediate-Leave

If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
• Configuring the Switch as Querier

Dell(conf)#ip igmp snooping enable
Dell(conf)#do show running-config igmp
ip igmp snooping enable
Dell(conf)#

Removing a Group-Port Association

To configure or view the group-port association removal feature, use the following commands.
• Configure the switch to remove a group-port association after receiving an IGMP Leave message.
  INTERFACE VLAN mode
  ip igmp fast-leave
• View the configuration.
Configuring the Switch as Querier

To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
22 Interfaces

This chapter describes interface types, both physical and logical, and how to configure them on the switch.
• 1-Gigabit Ethernet, 10-Gigabit Ethernet and 40-Gigabit Ethernet interfaces are supported on the C9010 switch and 1-Gigabit Ethernet C1048P port extender.
• Displaying Traffic Statistics on HiGig Ports
• Link Bundle Monitoring
• Monitoring HiGig Link Bundles
• Non Dell-Qualified Transceivers
• Splitting QSFP Ports to SFP+ Ports
• Configuring wavelength for 10–Gigabit SFP+ optics
• Link Dampening
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Auto-Negotiation on Ethernet Interfaces
• Provisioning Combo Ports
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globally
• Dynamic Counters
• Por
Figure 50. 40GbE QSFP+ Port Numbering

On the 6-Port 40GbE QSFP+ line card, ports are numbered from 0 to 5 and operate by default in 40GbE mode. If you use a breakout cable, each port can operate in 10G mode. 40GbE ports are numbered in multiples of four, starting with zero; for example, 0, 4, 8, 12, and so on. When you install a breakout cable, the resulting four 10GbE ports are numbered with the remaining numbers.
Figure 53. C1048P Port Numbering

On a C1048P port extender, 10/100/1000BASE-T ports on the front panel are numbered from 1 to 48.
• Odd-numbered ports 1-47 are on top; even-numbered ports 2-48 are on the bottom.
• A yellow PE port number indicates that the port is PoE-enabled.
• The two 10GbE SFP+ ports, which are used only for uplinks to an attached C9010, are numbered 1 and 2.
Interface Type | Modes Possible | Default Mode | Requires Creation | Default State

reserved VLANs. You cannot configure these VLANs.

View Basic Interface Information

To view basic interface information, use the following command. You have several options for viewing interface status and configuration parameters.
• Lists all configurable interfaces on the chassis.
PE-ID/UNIT/PORT  PE Gigabit Ethernet interface

Dell#show interface peGigE 255/1/1
peGigE 255/1/1 is up, line protocol is up
Hardware is DellEth, address is 6c:c0:00:43:09:91
    Current address is 6c:c0:00:43:09:91
Pluggable media not present
Interface index is 804323335
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :6cc000430991
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto, Mode auto
Auto-mdix enabled, ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interfac
To determine which physical interfaces are available, use the show running-config command in EXEC mode. This command displays all physical interfaces available on the line cards.

Dell#show running
Current Configuration ...
Enabling a Physical Interface

After determining the type of physical interfaces available, to enable and configure the interfaces, enter INTERFACE mode by using the interface interface {slot/port | pe-id/stack-unit/port} command.
1. Enter the keyword interface then the type of interface and slot/port information.
   CONFIGURATION mode
   interface interface
   • For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
5. Set the local port speed.
   INTERFACE mode
   speed {10 | 100 | 1000 | 10000 | auto}
   NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed.
6. Disable auto-negotiation on the port.
   INTERFACE mode
   no negotiation auto
   If the speed was set to 1000, do not disable auto-negotiation.
7. Verify configuration changes.
• Enable Layer 2 data transmissions through an individual interface.
  INTERFACE mode
  switchport

Dell(conf-if)#show config
!
interface Port-channel 1
 no ip address
 switchport
 no shutdown
Dell(conf-if)#

Configuring Layer 2 (Interface) Mode

To configure an interface in Layer 2 mode, use the following commands.
• Enable the interface.
  INTERFACE mode
  no shutdown
• Place the interface in Layer 2 (switching) mode.
Configuring Layer 3 (Interface) Mode

To assign an IP address, use the following commands.
• Enable the interface.
  INTERFACE mode
  no shutdown
• Configure a primary IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx). Add the keyword secondary if the IP address is the interface’s backup IP address. You can only configure one primary IP address per interface.
   management egress-interface-selection
2. Configure which applications use EIS.
   EIS mode
   application {all | application-type}
   NOTE: If you configure SNMP as the management application for EIS and you add a default management route, when you perform an SNMP walk and check the debugging logs for the source and destination IPs, the SNMP agent uses the destination address of incoming SNMP packets as the source address for outgoing SNMP responses for security.
Last clearing of "show interface" counters 00:06:14
Queueing strategy: fifo
Input 791 packets, 62913 bytes, 775 multicast
    Received 0 errors, 0 discarded
Output 21 packets, 3300 bytes, 20 multicast
    Output 0 errors, 0 invalid protocol
Time since last interface status change: 00:06:03

Unless you configure the management route command, you can only access the Management interface from the local LAN.
  Destination       Gateway                Dist/Metric   Last Change
  -----------       -------                -----------   -----------
  C  6.1.1.0/24     Direct, Fo 2/12        0/0           00:01:12
  C  10.1.1.0/24    Direct, Vl 10          0/0           01:09:08
  *S 0.0.0.0/0      via 6.1.1.1, Fo 2/12   0/0           00:01:12
Dell#

Port Extender Interfaces

You can use a C9010 switch with an attached C1048P, N20xx or N30xx port extender (PE) to expand the port density of the chassis. In this configuration, the C9010 operates as a controlling bridge for the C1048P, N20xx or N30xx.
To assign an IP address to an interface, use the following command.
• Configure an IP address and mask on the interface.
  INTERFACE mode
  ip address ip-address mask [secondary]
  • ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in slash format (/24).
  • secondary: the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses.

interface Vlan 10
 ip address 1.1.1.
• Configuration Tasks for Port Channel Interfaces

Port Channel Definition and Standards

Link aggregation is defined by IEEE 802.3ad as a method of grouping multiple physical interfaces into a single logical interface—a link aggregation group (LAG) or port channel. A LAG is “a group of links that appear to a MAC client as if they were a single link” according to IEEE 802.3ad. In the Dell Networking OS, a LAG is referred to as a port channel interface.
Configuration Tasks for Port Channel Interfaces

To configure a port channel (LAG), use commands similar to those used for physical interfaces. By default, no port channels are configured in the startup configuration.
   The interface variable is the physical interface type and slot/port information, or the port extender (PE) type and pe-id/unit-number/port-id information.
2. Double check that the interface was added to the port channel.
   INTERFACE PORT-CHANNEL mode
   show config

To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
When more than one interface is added to a Layer 2 port channel, the system selects one of the active interfaces in the port channel to be the primary port. The primary port replies to flooding and sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief output indicates the primary port. As soon as a physical interface is added to a port channel, the properties of the port channel determine the properties of the physical interface.
• Enter the number of links in a LAG that must be in “oper up” status.
  INTERFACE mode
  minimum-links number
  The default is 1.

Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#

Adding or Removing a Port Channel from a VLAN

As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command).
Load Balancing Through Port Channels

Dell Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among Equal Cost Multi-path (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link. In packet-based hashing, a single flow can be distributed on the LAG and uses one link.
The interface range command allows you to create an interface range allowing other commands to be applied to that range of interfaces. The interface range prompt offers the interface (with slot and port information) for valid interfaces. The maximum size of an interface range prompt is 32. If the prompt size exceeds this maximum, it displays (...) at the end of the output. NOTE: Non-existing interfaces are excluded from the interface range prompt.
Exclude a Smaller Port Range

The following example shows how the smaller of two port ranges is omitted in the interface-range prompt.

Dell(conf)#interface range tengigabitethernet 2/0 - 23 , tengigabitethernet 2/1 - 10
Dell(conf-if-range-te-2/0-23)#

Overlap Port Ranges

The following example shows how the interface-range prompt extends a port range from the smallest start port number to the largest end port number when port ranges overlap.
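The two prompt rules above (a contained range is omitted, overlapping ranges are joined end to end), modelled in Python as an added example that is not Dell EMC Networking OS code. It assumes the te/fo/gi abbreviations, that several merged ranges are joined with commas, and the 32-character cut-off with (...) that the guide states; it also handles more than one slot, which the page's examples do not show.

```python
"""Model of how the interface-range prompt is built from the ranges in an
'interface range' command (added example, not Dell EMC Networking OS code).
Assumptions: ranges on the same interface type and slot are merged; prompt
abbreviations are te/fo/gi; several merged ranges are joined with commas; the
prompt body is cut at 32 characters and '(...)' appended, as the guide states."""
import re
from typing import Dict, List, Tuple

PROMPT_MAX = 32          # maximum interface-range prompt size from the guide
ABBREV = {"tengigabitethernet": "te", "fortygige": "fo", "gigabitethernet": "gi"}
RANGE_RE = re.compile(r"^(\w+)\s+(\d+)/(\d+)\s*-\s*(\d+)$")

Range = Tuple[str, int, int, int]    # (type, slot, first port, last port)


def parse_ranges(spec: str) -> List[Range]:
    """Parse 'tengigabitethernet 2/0 - 23 , tengigabitethernet 2/1 - 10'."""
    ranges: List[Range] = []
    for part in spec.split(","):
        m = RANGE_RE.match(part.strip())
        if not m:
            raise ValueError(f"bad interface range: {part.strip()!r}")
        itype = m.group(1).lower()
        slot, first, last = (int(m.group(i)) for i in (2, 3, 4))
        if first > last:
            raise ValueError(f"range start after end: {part.strip()!r}")
        ranges.append((itype, slot, first, last))
    return ranges


def merge_ranges(ranges: List[Range]) -> List[Range]:
    """Apply the two prompt rules: a range contained in another is omitted
    (Exclude a Smaller Port Range) and overlapping ranges are extended from
    the smallest start to the largest end (Overlap Port Ranges)."""
    groups: Dict[Tuple[str, int], List[Tuple[int, int]]] = {}
    for itype, slot, first, last in ranges:
        groups.setdefault((itype, slot), []).append((first, last))
    merged: List[Range] = []
    for (itype, slot), spans in groups.items():
        spans.sort()
        joined: List[Tuple[int, int]] = []
        for first, last in spans:
            if joined and first <= joined[-1][1]:          # overlap or subset
                joined[-1] = (joined[-1][0], max(joined[-1][1], last))
            else:
                joined.append((first, last))
        merged.extend((itype, slot, f, l) for f, l in joined)
    return merged


def range_prompt(spec: str) -> str:
    """Return the prompt the guide shows, e.g. 'Dell(conf-if-range-te-2/0-23)#'."""
    parts = [f"{ABBREV.get(t, t)}-{slot}/{f}-{l}"
             for t, slot, f, l in merge_ranges(parse_ranges(spec))]
    body = "conf-if-range-" + ",".join(parts)
    if len(body) > PROMPT_MAX:
        body = body[:PROMPT_MAX] + "(...)"   # prompt too long: truncate and mark
    return f"Dell({body})#"


if __name__ == "__main__":
    print(range_prompt("tengigabitethernet 2/0 - 23 , tengigabitethernet 2/1 - 10"))
    print(range_prompt("tengigabitethernet 2/1 - 10 , tengigabitethernet 2/5 - 20"))
```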
Define the Interface Range

The following example shows how to define an interface-range macro named “test” to select 10–GigabitEthernet interfaces 5/1 through 5/4.

Dell(config)# define interface-range test tengigabitethernet 5/1 - 4

Choosing an Interface-Range Macro

To use an interface-range macro, use the following command.
• Selects the interface range to be configured using the values saved in a named interface-range macro.
  Over 255B packets:    0 pps
  Over 511B packets:    0 pps
  Over 1023B packets:   0 pps
  Error statistics:
  Input underruns:      0    Input giants:       0    Input throttles:   0
  Input CRC:            0    Input IP checksum:  0    Input overrun:     0
  Output underruns:     0    Output throttles:   0
m - Change mode                   c - Clear screen
l - Page up                       a - Page down
T - Increase refresh interval     t - Decrease refresh interval
q - Quit
Dell#

Maintenance Using TDR

The time domain reflectometer (TD
Link Bundle Monitoring

Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time. A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances.
percent between links for three successive rate-intervals. Alarms are removed when the link-bundle threshold is lower than the configured threshold and the unevenness is less than 10 percent between links for three successive rate intervals.
   Dell(conf)#hg-link-bundle-monitor rate-interval seconds
4. Enable SNMP trap generation for HiGig link-bundle monitoring.
   CONFIGURATION mode
   Dell(conf)#snmp-server enable traps hg-lbm
5. Display the traffic utilization of member links in a HiGig link bundle (port channel).
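The alarm logic described under Link Bundle Monitoring (60% threshold, 15-second rate-intervals, three consecutive instances, 10 percent unevenness), as an added stateful monitor in Python that is not Dell EMC Networking OS code. It assumes one utilisation figure per member link per rate-interval, compares the busiest member against the threshold, and takes the raise rule to mirror the clear rule the page states; the sample feed is constructed.

```python
"""Stateful link-bundle monitor modelled on the rules in this section
(added example, not Dell EMC Networking OS code).  Assumptions: each
rate-interval yields one utilisation figure (percent of link rate) per
member link; the busiest member is compared against the threshold; the
alarm-raise rule mirrors the clear rule on the page (utilisation above
the threshold and unevenness above 10 percent for three successive
rate-intervals)."""
from typing import Dict, List

DEFAULT_THRESHOLD = 60.0   # percent, the threshold stated in the guide
UNEVENNESS = 10.0          # percent spread between members, from the guide
CONSECUTIVE = 3            # successive rate-intervals, from the guide
RATE_INTERVAL = 15         # seconds, the interval stated in the guide


class LinkBundleMonitor:
    """Tracks one port channel and raises or clears an alarm only after
    CONSECUTIVE matching rate-intervals, so a single busy interval does
    not generate a trap."""

    def __init__(self, name: str, threshold: float = DEFAULT_THRESHOLD):
        self.name = name
        self.threshold = threshold
        self.alarm = False
        self.events: List[str] = []     # log of alarm state changes
        self._raise_run = 0             # consecutive intervals meeting the raise rule
        self._clear_run = 0             # consecutive intervals meeting the clear rule
        self._elapsed = 0               # seconds of samples fed so far

    def sample(self, utilisation: Dict[str, float]) -> bool:
        """Feed one rate-interval of per-member utilisation; return alarm state."""
        if not utilisation:
            raise ValueError("a bundle needs at least one member")
        values = list(utilisation.values())
        busiest = max(values)
        spread = busiest - min(values)          # unevenness between members
        self._elapsed += RATE_INTERVAL
        meets_raise = busiest > self.threshold and spread > UNEVENNESS
        meets_clear = busiest < self.threshold and spread < UNEVENNESS
        # a non-matching interval resets the corresponding run counter
        self._raise_run = self._raise_run + 1 if meets_raise else 0
        self._clear_run = self._clear_run + 1 if meets_clear else 0
        if not self.alarm and self._raise_run >= CONSECUTIVE:
            self.alarm = True
            self._raise_run = 0
            self.events.append(f"t={self._elapsed}s {self.name}: uneven load alarm raised "
                               f"(busiest member {busiest:.0f}%, spread {spread:.0f}%)")
        elif self.alarm and self._clear_run >= CONSECUTIVE:
            self.alarm = False
            self._clear_run = 0
            self.events.append(f"t={self._elapsed}s {self.name}: alarm cleared")
        return self.alarm


def replay(samples: List[Dict[str, float]],
           threshold: float = DEFAULT_THRESHOLD) -> LinkBundleMonitor:
    """Run a sequence of rate-interval samples through one monitor."""
    mon = LinkBundleMonitor("Po 1", threshold)
    for s in samples:
        mon.sample(s)
    return mon


# Constructed samples: two uneven intervals, one balanced (resets the run),
# then three uneven (alarm raised), then three balanced (alarm cleared).
SAMPLES = [
    {"Te 1/0": 85.0, "Te 1/1": 30.0},
    {"Te 1/0": 82.0, "Te 1/1": 35.0},
    {"Te 1/0": 55.0, "Te 1/1": 52.0},
    {"Te 1/0": 90.0, "Te 1/1": 20.0},
    {"Te 1/0": 88.0, "Te 1/1": 25.0},
    {"Te 1/0": 86.0, "Te 1/1": 22.0},
    {"Te 1/0": 50.0, "Te 1/1": 48.0},
    {"Te 1/0": 49.0, "Te 1/1": 47.0},
    {"Te 1/0": 51.0, "Te 1/1": 50.0},
]

if __name__ == "__main__":
    for line in replay(SAMPLES).events:
        print(line)
```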
Splitting QSFP Ports to SFP+ Ports

The switch supports splitting a single 40G QSFP port into four 10G SFP+ ports using a supported breakout cable. (For the link to a list of supported cables, refer to the C9000 Installation Guide or the C9000 Release Notes). To split a single 40G port into four 10G ports, use the following command.
• Split a single 40G port into four 10G ports.
  CONFIGURATION mode
  linecard {0–11} port {0–20} portmode quad
  • The range of switch line-card numbers is 0 to 11.
Example Scenarios

Consider the following scenarios:
• QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in.
• QSFP port 4 is connected to a QSA with SFP optical cables plugged in.
• QSFP port 8 in fanned-out mode is plugged in with QSFP optical cables.
• QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
Enabling Link Dampening

To enable link dampening, use the following command.
• Enable link dampening.
  INTERFACE mode
  dampening

R1(conf-if-te-1/1)#show config
!
interface TengigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
R1(conf-if-te-1/1)#exit

To view the link dampening configuration on an interface, use the show config command. To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
Port Pipes

A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port set. The system has 10 switch cards, and each card has only one port pipe with 48 ports.
• For ports connected through the port extender, you can have a maximum of 4 sessions per system.
Threshold Settings

When the transmission pause is set (tx on), you can set three thresholds to define the controls more closely. Ethernet pause frames flow control can be triggered when either the flow control buffer threshold or flow control packet pointer threshold is reached.
The following table lists the various Layer 2 overheads in the Dell Networking OS and the number of bytes.

Table 38. Layer 2 Overhead

Layer 2 Overhead                          Difference Between Link MTU and IP MTU
Ethernet (untagged)                       18 bytes
VLAN Tag                                  22 bytes
Untagged Packet with VLAN-Stack Header    22 bytes
Tagged Packet with VLAN-Stack Header      26 bytes

Link MTU and IP MTU considerations for port channels and VLANs are as follows.

Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
 no       Negate a command or set its defaults
 show     Show autoneg configuration information
Dell(conf-if-te-0/1)#mode ?
 forced-master    Force port to master mode
 forced-slave     Force port to slave mode
Dell(conf-if-te-0/1)#

For details about the speed and negotiation auto commands, refer to the Interfaces chapter of the Dell Networking OS Command Reference Guide.

Provisioning Combo Ports

The device has two combo ports of 1G SFP. By default, the combo ports are in Hybrid mode.
Dell#show ip interface linecard 1 configured
Dell#show ip interface tengigabitethernet 1 configured
Dell#show ip interface br configured
Dell#show ip interface br linecard 1 configured
Dell#show ip interface br tengigabitethernet 1 configured
Dell#show running-config interfaces configured
Dell#show running-config interface tengigabitethernet 1 configured

In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information.
    0 throttles, 0 discarded
Rate info (interval 299 seconds):
    Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
    Output 00.00 Mbits/sec, 0 packets/sec, 0.
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 2w6d21h
Queueing strategy: fifo
Input Statistics:
    3106 packets, 226755 bytes
    133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts
    0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
    406 Multicasts, 0 Broadcasts, 2700 Unicasts
    0 runts, 0 giants, 0 throttles
    0 CRC, 0 overrun, 0 discarded
Output Statistics:
    3106 packets, 226755 bytes, 0 underruns
    133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts
• Egress ACLs
• ILM
• IP FLOW
• IP ACL
• IP FIB
• L2 ACL
• L2 FIB

Clearing Interface Counters

The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or for selected ones. Without an interface specified, the command clears all interface counters.
23 Internet Protocol Security (IPSec)

Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
 session-key outbound esp 257 auth encrypt
 match 0 tcp a::1 /128 0 a::2 /128 23
 match 1 tcp a::1 /128 23 a::2 /128 0
 match 2 tcp a::1 /128 0 a::2 /128 21
 match 3 tcp a::1 /128 21 a::2 /128 0
 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0

3. Apply the crypto policy to management traffic.
24 IPv4 Routing

IPv4 routing and various IP addressing features are supported. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Assigning IP Addresses to an Interface (mandatory)
• Configuring Static Routes (optional)
• Configure Static Routes for the Management Interface (optional)

For a complete listing of all commands related to IP addressing, refer to the Dell Networking OS Command Line Reference Guide.
Configuring Static Routes

A static route is a route that you configure manually and that is not learned by a routing protocol such as open shortest path first (OSPF). Often, static routes are used as backup routes in case other dynamically learned routes are unreachable. You can enter as many static routes as necessary. To configure a static route, use the following command.
• Configure a static IP address.
Adding a Description for IPv4 and IPv6 Static Routes

Dell EMC Networking OS supports adding a description to IPv4 or IPv6 static route configurations. A name option provides the description of the configured static route. This feature enables you to segregate or distinguish between the configured IPv4 or IPv6 static routes.
Enabling Directed Broadcast

By default, the system drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable the switch to receive directed broadcasts, use the following command.
• Enable directed broadcast.
  INTERFACE mode
  ip directed-broadcast

To view the configuration, use the show config command in INTERFACE mode.

Resolution of Host Names

Domain name service (DNS) maps host names to IP addresses.
Specifying the Local System Domain and a List of Domains

If you enter a partial domain, the system can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. The system searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP

The system uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, the system creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache, and dynamically learned addresses are removed after a defined period of time.
Protocol  Address   Age(min)  Hardware Address   Interface  VLAN  CPU
----------------------------------------------------------------------
Internet  10.1.2.4  17        08:00:20:b7:bd:32  Ma 1/0           CP
Dell#

Configuring ARP Inspection Trust

Use the arp-inspection-trust command to specify a port or an interface as trusted so that ARP frames are not validated against the binding table. By default, this feature is disabled.
• Enable ARP learning via gratuitous ARP.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a port extender (PE) Gigabit Ethernet interface, enter the keyword peGigE then the pe-id/pe-stack-unit-id/port-number information.
• For a port extender 10-Gigabit Ethernet interface, enter the keyword peTenGigE then the pe-id/stack-unit/port-id information.
• For a VLAN interface, enter the keyword vlan then a number between 1 and 4094.
Figure 55. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled

Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request.

Configuring ARP Retries

The number of ARP retries is user-configurable. The default backoff interval remains at 20 seconds. To set and display ARP retries, use the following commands.
• Set the number of ARP retries.
Enabling ICMP Unreachable Messages

By default, ICMP unreachable messages are disabled. When enabled, ICMP unreachable messages are created and sent out all interfaces. To disable and re-enable ICMP unreachable messages, use the following commands.
• Disable ICMP unreachable messages.
  INTERFACE mode
  no ip unreachable
• Set the system to create and send ICMP unreachable messages on the interface.
To enable ICMP or ICMP6 redirect messages, use the icmp6-redirect enable command. NOTE: The icmp6-redirect enable command is applicable for both ICMP and ICMP6 redirects. By default, Dell EMC Networking OS supports redirects on VLAN interfaces. For physical ports and port channel interfaces, carve the fedgovacl CAM region.
25 IPv6 Routing

Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from dynamic host configuration protocol (DHCP) servers via stateful auto-configuration.

NOTE: The system provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. The manipulation of IPv6 stateless autoconfiguration supports the router side only.
IPv6 Header Fields

The 40 bytes of the IPv6 header are ordered, as shown in the following illustration.

Figure 57. IPv6 Header Fields

Version (4 bits)
The Version field always contains the number 6, referring to the packet’s IP version.

Traffic Class (8 bits)
The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value   Description
41      IPv6
43      Routing header
44      Fragmentation header
50      Encrypted Security
51      Authentication header
59      No Next Header
60      Destinations option header

NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page.

Hop Limit (8 bits)
The Hop Limit field shows the number of hops remaining for packet processing.
  This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is 8 bytes or less, the value is 0 (zero).
• Options (size varies)
  This field can contain one or more options. The first byte of the field identifies the Option type, and directs the router how to handle the option.
  00  Skip and continue processing.
  01  Discard the packet.
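A parser for the IPv6 fixed header and the Hop-by-Hop Options header described above, as an added example that is not Dell EMC Networking OS code. The sample packet is constructed by hand; the Next Header names come from the table in this chapter (plus 0 for Hop-by-Hop), and the two option actions not listed on this page (10 and 11) are taken from RFC 8200.

```python
"""Parser for the IPv6 fixed header and the Hop-by-Hop Options extension
header (added example, not Dell EMC Networking OS code).  The sample
packet in build_sample() is constructed; Next Header names follow the
table in this chapter, option actions 10/11 follow RFC 8200."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NEXT_HEADER = {0: "Hop-by-Hop options", 41: "IPv6", 43: "Routing header",
               44: "Fragmentation header", 50: "Encrypted Security",
               51: "Authentication header", 59: "No Next Header",
               60: "Destinations option header"}
# What a router does with an option it does not recognise: the top two
# bits of the Option Type byte (00 and 01 are the cases on this page).
OPTION_ACTION = {0b00: "skip", 0b01: "discard",
                 0b10: "discard, send ICMP Parameter Problem",
                 0b11: "discard, send ICMP Parameter Problem unless multicast"}


@dataclass
class HopByHopOption:
    type: int
    data: bytes

    @property
    def action(self) -> str:
        return OPTION_ACTION[self.type >> 6]


@dataclass
class IPv6Packet:
    version: int
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    hop_by_hop: List[HopByHopOption] = field(default_factory=list)
    upper_next_header: Optional[int] = None   # Next Header after the extension

    def next_header_name(self) -> str:
        return NEXT_HEADER.get(self.next_header, f"unknown ({self.next_header})")


def parse_hop_by_hop(ext: bytes) -> Tuple[int, List[HopByHopOption]]:
    """Hdr Ext Len counts 8-byte units beyond the first 8 bytes, so 0 means
    an 8-byte header.  Options are TLVs; Pad1 (type 0) has no length byte."""
    if len(ext) < 2:
        raise ValueError("truncated Hop-by-Hop header")
    next_hdr, ext_len = ext[0], ext[1]
    total = 8 * (ext_len + 1)
    if len(ext) < total:
        raise ValueError("Hop-by-Hop header exceeds payload")
    options, pos = [], 2
    while pos < total:
        otype = ext[pos]
        if otype == 0:                      # Pad1
            pos += 1
            continue
        if pos + 2 > total:
            raise ValueError("truncated option")
        olen = ext[pos + 1]
        if pos + 2 + olen > total:
            raise ValueError("option overruns header")
        options.append(HopByHopOption(otype, ext[pos + 2:pos + 2 + olen]))
        pos += 2 + olen
    return next_hdr, options


def parse_ipv6(raw: bytes) -> IPv6Packet:
    """Decode the 40-byte fixed header, then the Hop-by-Hop header if present."""
    if len(raw) < 40:
        raise ValueError("truncated IPv6 header")
    first, plen, nh, hlim = struct.unpack("!IHBB", raw[:8])
    version = first >> 28
    if version != 6:
        raise ValueError(f"not IPv6: version {version}")
    if len(raw) - 40 < plen:
        raise ValueError("payload shorter than Payload Length")
    pkt = IPv6Packet(version, (first >> 20) & 0xFF, first & 0xFFFFF, plen, nh, hlim,
                     ipaddress.IPv6Address(raw[8:24]), ipaddress.IPv6Address(raw[24:40]))
    if nh == 0:
        pkt.upper_next_header, pkt.hop_by_hop = parse_hop_by_hop(raw[40:40 + plen])
    return pkt


def build_sample() -> bytes:
    """Constructed packet: Hop-by-Hop header (8 bytes, Hdr Ext Len 0) carrying
    a PadN option (type 1, 4 bytes) and pointing to Next Header 59."""
    hbh = bytes([59, 0, 1, 4, 0, 0, 0, 0])
    first = (6 << 28) | (0 << 20) | 0xABCDE           # version 6, TC 0, flow label
    hdr = struct.pack("!IHBB", first, len(hbh), 0, 64)  # Next Header 0, Hop Limit 64
    hdr += ipaddress.IPv6Address("2001:db8::1").packed
    hdr += ipaddress.IPv6Address("2001:db8::2").packed
    return hdr + hbh


if __name__ == "__main__":
    print(parse_ipv6(build_sample()))
```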
In IPv6, every interface, whether using static or dynamic address assignments, also receives a link-local address automatically in the fe80::/64 subnet.

IPv6 Implementation on the Dell Networking OS

The Dell Networking OS supports both IPv4 and IPv6, and both versions may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature.

Table 40.
Feature and Functionality | Dell Networking OS Release Introduction | Documentation and Chapter Location
… | … | Control and Monitoring in the Dell Networking OS Command Line Reference Guide.
Telnet server over IPv6 (inbound Telnet) | 8.3.11 | Configuring Telnet with IPv6; Control and Monitoring in the Dell Networking OS Command Line Reference Guide.
Secure Shell (SSH) client support over IPv6 | 8.3.
Path MTU Discovery

IPv6 path maximum transmission unit (MTU), in accordance with RFC 1981, defines the largest packet size that can traverse a transmission path without suffering fragmentation. Path MTU for IPv6 uses ICMPv6 Type-2 messages to discover the largest MTU along the path from source to destination and avoid the need to fragment the packet. The recommended MTU for IPv6 is 1280.
Figure 59. NDP Router Redirect

IPv6 Neighbor Discovery of MTU Packets

You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
Debugging IPv6 RDNSS Information Sent to the Host

To verify that you configured the IPv6 RDNSS information sent to the host correctly, use the debug ipv6 nd command in EXEC Privilege mode. The last three lines indicate that the IPv6 RDNSS information was configured correctly.
 ipv6 address 1212::12/64
 ipv6 nd dns-server 1000::1 1
 ipv6 nd dns-server 3000::1 1
 ipv6 nd dns-server 2000::1 0
 no shutdown

Secure Shell (SSH) Over an IPv6 Transport

Both inbound and outbound secure shell (SSH) sessions using IPv6 addressing are supported. Inbound SSH supports accessing the system through the management interface as well as through a physical Layer 3 interface. For SSH configuration details, refer to the Security chapter in the Dell Networking OS Command Line Interface Reference Guide.
The total number of groups is 4. Assigning an IPv6 Address to an Interface Essentially, IPv6 is enabled on a switch simply by assigning IPv6 addresses to individual router interfaces. You can use IPv6 and IPv4 together on a system, but be sure to differentiate that usage carefully. To assign an IPv6 address to an interface, use the ipv6 address command.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing. SNMP over IPv6 You can configure SNMP over IPv6 transport so that an IPv6 host can perform SNMP queries and receive SNMP notifications from a device running a Dell Networking OS that supports IPv6. The SNMP-server commands for IPv6 have been extended to support IPv6.
• For a VLAN interface, enter the keyword vlan then the VLAN ID.
E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - IS-IS inter area, * - candidate default,
Gateway of last resort is not set
  Destination        Dist/Metric, Gateway, Last Change
  -----------------------------------------------------
  C    600::/64      [0/0]   Direct, Te 0/24, 00:34:42
  C    601::/64      [0/0]   Direct, Te 0/24, 00:34:18
  C    912::/64      [0/0]   Direct, Lo 2, 00:02:33
  O IA 999::1/128    [110/2] via fe80::201:e8ff:fe8b:3166, Te 0/24, 00:01:30
  L    fe80::/10     [0/0]   Direct, Nu 0, 00:34:42
Dell#show ipv6 ro
Disabling ND Entry Timeout When a peer system warm-boots or performs an ISSU, the ND entries in the local system may time out, resulting in traffic loss. You can configure the system to keep the learned neighbor discovery entries stateless so that the ND entries do not time out. Note that entries kept this way are no longer refreshed by neighbor unreachability detection, so a neighbor whose link-layer address changes is not relearned until the entry is cleared.
10. Set the router lifetime.
    POLICY LIST CONFIGURATION mode
    router-lifetime value
    The router lifetime range is from 0 to 9,000 seconds.
11. Apply the policy to trusted ports.
    POLICY LIST CONFIGURATION mode
    trusted-port
12. Set the maximum transmission unit (MTU) value.
    POLICY LIST CONFIGURATION mode
    mtu value
13. Set the advertised reachability time.
    POLICY LIST CONFIGURATION mode
    reachable-time value
    The reachability time range is from 0 to 3,600,000 milliseconds.
14.
ipv6 nd ra-guard policy test
  device-role router
  hop-limit maximum 1
  match ra ipv6-access-list access
  other-config-flag on
  router-preference maximum medium
  trusted-port
Interfaces : Te 1/1
Dell#
Monitoring IPv6 RA Guard To debug IPv6 RA guard, use the following command.
EXEC Privilege mode
debug ipv6 nd ra-guard [interface slot/port | count value]
The count range is from 1 to 65534. The default is infinity.
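What a policy like the one shown above actually does to an incoming Router Advertisement, as an added Python example (not Dell OS code): it parses a raw ICMPv6 RA and applies the device-role, hop-limit maximum, router-preference maximum, other-config-flag, router-lifetime, mtu and reachable-time checks, with trusted-port bypassing them. Assumptions: the router-lifetime, mtu and reachable-time policy values are treated as upper bounds (the steps above give their ranges but not the comparison direction), and both RA packets are constructed here with a zero checksum.

```python
"""IPv6 RA Guard policy evaluation (added example; not Dell OS code)."""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

ICMPV6_RA = 134
ND_OPTION_MTU = 5
# RFC 4191 Prf bits: 01 high, 00 medium, 11 low; 10 is reserved, read as medium.
PREF_NAME = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "medium"}
PREF_BITS = {"high": 0b01, "medium": 0b00, "low": 0b11}
PREF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed_flag: bool
    other_flag: bool
    router_preference: str
    router_lifetime: int        # seconds
    reachable_time: int         # milliseconds
    mtu: Optional[int]          # from the MTU option, if present


def parse_ra(payload: bytes) -> RouterAdvertisement:
    """Decode the 16-byte RA header, then walk the options (8-octet units)."""
    if len(payload) < 16:
        raise ValueError("shorter than the RA header")
    typ, code, _csum, hop, flags, life, reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    mtu, off = None, 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:                       # RFC 4861: must be discarded
            raise ValueError("zero-length ND option")
        end = off + olen * 8
        if end > len(payload):
            raise ValueError("truncated ND option")
        if otype == ND_OPTION_MTU and olen == 1:
            mtu = struct.unpack("!I", payload[off + 4:off + 8])[0]
        off = end
    return RouterAdvertisement(hop, bool(flags & 0x80), bool(flags & 0x40),
                               PREF_NAME[(flags >> 3) & 0b11], life, reach, mtu)


@dataclass
class RaGuardPolicy:
    device_role: str = "host"                 # "host" drops every RA
    hop_limit_maximum: Optional[int] = None
    router_preference_maximum: Optional[str] = None
    other_config_flag: Optional[bool] = None
    router_lifetime: Optional[int] = None     # assumed upper bound, seconds
    mtu: Optional[int] = None                 # assumed upper bound, bytes
    reachable_time: Optional[int] = None      # assumed upper bound, ms


def evaluate(policy: RaGuardPolicy, payload: bytes,
             trusted_port: bool = False) -> Tuple[bool, str]:
    """Return (permitted, reason) for one RA arriving on a guarded port."""
    if trusted_port:
        return True, "trusted-port"
    try:
        ra = parse_ra(payload)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if policy.device_role != "router":
        return False, "device-role host: RAs never accepted"
    p = policy
    checks = [
        (p.hop_limit_maximum is not None
         and ra.cur_hop_limit > p.hop_limit_maximum, "hop-limit"),
        (p.router_preference_maximum is not None
         and PREF_RANK[ra.router_preference]
         > PREF_RANK[p.router_preference_maximum], "router-preference"),
        (p.other_config_flag is not None
         and ra.other_flag != p.other_config_flag, "other-config-flag"),
        (p.router_lifetime is not None
         and ra.router_lifetime > p.router_lifetime, "router-lifetime"),
        (p.mtu is not None and ra.mtu is not None and ra.mtu > p.mtu, "mtu"),
        (p.reachable_time is not None
         and ra.reachable_time > p.reachable_time, "reachable-time"),
    ]
    for failed, name in checks:
        if failed:
            return False, f"{name} check failed"
    return True, "permitted"


def build_ra(hop, managed, other, pref, lifetime, reachable, mtu=None):
    """Constructed RA bytes for the example (checksum left at zero)."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (PREF_BITS[pref] << 3)
    pkt = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop, flags, lifetime, reachable, 0)
    if mtu is not None:
        pkt += struct.pack("!BBHI", ND_OPTION_MTU, 1, 0, mtu)
    return pkt


POLICY = RaGuardPolicy(device_role="router", hop_limit_maximum=64,
                       router_preference_maximum="medium",
                       other_config_flag=True, router_lifetime=1800)
LEGIT_RA = build_ra(64, False, True, "medium", 1800, 0, mtu=1500)
ROGUE_RA = build_ra(255, False, False, "high", 9000, 0)   # typical rogue-RA shape
```

The checks run in policy order and stop at the first failure, so the returned reason names the first mismatch; a port marked trusted-port is never inspected, which is exactly why trusted-port belongs only on uplinks to known routers.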
26 Intermediate System to Intermediate System Intermediate system to intermediate system (IS-IS) is a link-state routing protocol that uses a shortest-path-first (SPF) algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
Figure 60. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router, each with its own database. Use this feature to partition a single physical topology into logical routing domains, each of which can support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
• Downloads IPv6 routes to the RTM for installing in the FIB.
• Accepts external IPv6 information and advertises this information in the PDUs.
The following table lists the default IS-IS values. Table 41.
To configure IS-IS globally, use the following commands.
1. Create an IS-IS routing process.
   CONFIGURATION mode
   router isis [tag]
   tag: (optional) identifies the name of the IS-IS process.
2. Configure an IS-IS network entity title (NET) for a routing process.
   ROUTER ISIS mode
   net network-entity-title
   Specify the area address and system ID for an IS-IS routing process. The last byte (the NSAP selector) must be 00. For more information about configuring a NET, see IS-IS Addressing.
3. Enter the interface configuration mode.
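The NET split described in step 2 (area address, 6-byte system ID, selector byte that must be 00), as an added Python example rather than Dell OS code. It accepts the dotted hex form typed after the net command, rejects a NET whose selector is not 00 or whose length falls outside the 8 to 20 bytes an NSAP allows, and compares areas the way a Level 1 adjacency check would. The NET strings used are constructed for the example.

```python
"""IS-IS NET (network entity title) parser and area check.

Added example; not Dell OS code.  A NET is an ISO NSAP whose selector (the
last byte) is 00: the 6 bytes before it are the system ID and everything to
their left is the area address, as in the address format figure above.
"""
import re
from dataclasses import dataclass

_HEX = re.compile(r"^[0-9a-f]+$")


@dataclass(frozen=True)
class Net:
    area: str        # e.g. "47.0004.004d.0001"
    system_id: str   # e.g. "0000.0000.0001"
    nsel: str        # "00" for a NET


def _dotted(hexstr: str, lead: int) -> str:
    """Re-insert dots the way the CLI prints them: a leading group of
    `lead` hex digits (the AFI byte for an area), then groups of four."""
    groups = [hexstr[:lead]] if lead else []
    rest = hexstr[lead:]
    groups += [rest[i:i + 4] for i in range(0, len(rest), 4)]
    return ".".join(g for g in groups if g)


def parse_net(net: str) -> Net:
    """Validate and split a NET; raises ValueError with the reason."""
    raw = net.strip().lower().replace(".", "")
    if not _HEX.match(raw) or len(raw) % 2:
        raise ValueError(f"{net!r}: NET must be whole hexadecimal bytes")
    nbytes = len(raw) // 2
    if not 8 <= nbytes <= 20:       # 1..13 byte area + 6 byte system ID + selector
        raise ValueError(f"{net!r}: NET is {nbytes} bytes, allowed 8 to 20")
    nsel, system_id, area = raw[-2:], raw[-14:-2], raw[:-14]
    if nsel != "00":
        raise ValueError(f"{net!r}: selector byte must be 00, got {nsel}")
    return Net(area=_dotted(area, 2), system_id=_dotted(system_id, 0), nsel=nsel)


def same_area(net_a: str, net_b: str) -> bool:
    """A Level 1 adjacency is only possible between routers in one area."""
    return parse_net(net_a).area == parse_net(net_b).area


if __name__ == "__main__":
    print(parse_net("34.0000.0000.AAAA.00"))
    print(parse_net("47.0004.004d.0001.0000.0000.0001.00"))
```

The two sample NETs reuse the area 34 and 47.0004.004d.0001 values that appear in the sample configurations later in this chapter.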
  Vlan 2
  GigabitEthernet 4/22
  Loopback 0
Redistributing:
Distance: 115
Generate narrow metrics: level-1-2
Accept narrow metrics: level-1-2
Generate wide metrics: none
Accept wide metrics: none
Dell#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
Configuring IS-IS Graceful Restart To enable IS-IS graceful restart globally, use the following commands. You can also use optional commands to adjust the graceful restart settings.
• Enable graceful restart on IS-IS processes.
  ROUTER-ISIS mode
  graceful-restart ietf
• Configure the time during which a graceful restart attempt is prevented.
T3 Timer                : Manual
T3 Timeout Value        : 30
T2 Timeout Value        : 30 (level-1), 30 (level-2)
T1 Timeout Value        : 5, retry count: 1
Adjacency wait time     : 30
Operational Timer Value
======================
Current Mode/State      : Normal/RUNNING
T3 Time left            : 0
T2 Time left            : 0 (level-1), 0 (level-2)
Restart ACK rcv count   : 0 (level-1), 0 (level-2)
Restart Req rcv count   : 0 (level-1), 0 (level-2)
Suppress Adj rcv count  : 0 (level-1), 0 (level-2)
Restart CSNP rcv count  : 0 (level-1), 0 (level-2)
Database Sync count     : 0 (level-1), 0 (lev
  • size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
  ROUTER ISIS mode
  lsp-refresh-interval seconds
  • seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
  ROUTER ISIS mode
  max-lsp-lifetime seconds
  • seconds: the range is from 1 to 65535. The default is 1200 seconds.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
The default is Level 1 and Level 2 (level-1-2). To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS metric settings are shown in bold.
Example of Viewing IS-IS Metric Types
Dell#show isis protocol
IS-IS Router:
  System Id: EEEE.EEEE.EEEE   IS-Type: level-1-2
  Manual area address(es):
    47.0004.004d.0001
  Routing for area address(es):
    21.2223.2425.2627.2829.3031.3233
    47.0004.004d.
Configuring the Distance of a Route To configure the distance for a route, use the following command.
• Configure the distance for a route.
  ROUTER ISIS mode
  distance
Changing the IS-Type You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for the router.
Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or the system does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS. Configure the prefix list in PREFIX LIST mode prior to assigning it to the IS-IS process.
ROUTER ISIS-AF IPV6 mode
distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static]
You can configure one of the optional parameters:
• connected: for directly connected routes.
• ospf process-id: for OSPF routes only.
• rip: for RIP routes only.
• static: for user-configured routes.
• bgp: for BGP routes only.
Deny RTM download for pre-existing redistributed IPv6 routes.
redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• metric-type: choose either external or internal. The default is internal.
• map-name: enter the name of a configured route map.
set-overload-bit
This setting prevents other routers from using it as an intermediate hop in their shortest path first (SPF) calculations.
• Remove the overload bit.
  ROUTER ISIS mode
  no set-overload-bit
When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
Dell#show isis database
IS-IS Level-1 Link State Database
LSPID              LSP Seq Num   LSP Checksum
B233.
The system displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
...metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported.
Beginning Metric Style | Final Metric Style | Resulting IS-IS Metric Value
wide | narrow | default value (10) if the original value is greater than 63. A message is sent to the console.
wide | transition | truncated value
Beginning Metric Style | Next Metric Style | Resulting Metric Value | Next Metric Style | Final Metric Value
wide | transition | truncated value | narrow | default value (10). A message is sent to the logging buffer.
transition |
Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 45.
You can configure IPv6 IS-IS routes in one of the following three methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface. Enable the ip router isis and ipv6 router isis commands on the interface. Enable the wide-metrics parameter in router isis configuration mode.
• Multi-topology — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface.
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.00
 !
 address-family ipv6 unicast
  multi-topology
 exit-address-family
Dell(conf-router_isis)#
IS-IS Sample Configuration — Multi-topology Transition
Dell(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-te-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
27 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
NOTE: After a switch is reloaded, powercycled, or upgraded, any information exchanged during the initial handshake is not available. If the switch establishes communication after reloading, it detects that a session was in progress but could not obtain complete information for it. Any incomplete information is not available in the show commands.
Parameter | Default Value
iSCSI CoS mode (802.1p priority queue mapping) | dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
iSCSI CoS packet classification | When you enable iSCSI, iSCSI packets are queued based on dot1p instead of DSCP values.
VLAN priority tag | iSCSI flows are assigned by default to dot1p priority 4 without the remark setting.
DSCP | None: user-configurable.
Remark | Not configured.
• tcp-port-n is the TCP port number or a list of TCP port numbers on which the iSCSI target listens for requests. You can configure up to 16 target TCP ports on the switch in one command or multiple commands. The default is 860, 3260. Separate port numbers with a comma. If multiple IP addresses are mapped to a single TCP port, use the no iscsi target port tcp-port-n command to remove all IP addresses assigned to that TCP port number.
• Display information on active iSCSI sessions on the switch.
  show iscsi session
• Display detailed information on active iSCSI sessions on the switch. To display detailed information on a specified iSCSI session, enter the session's iSCSI ID.
  show iscsi sessions detailed [session isid]
• Display all globally configured non-default iSCSI settings in the current Dell Networking OS session.
10.10.0.44   33345   10.10.0.101   3260   0
VLT PEER2
Session 0:
-------------------------------------------------------
Target:iqn.2010-11.com.ixia:ixload:iscsi-TG1
Initiator:iqn.2010-11.com.ixia.ixload:initiator-iscsi-2c
Up Time:00:00:01:28(DD:HH:MM:SS)
Time for aging out:00:00:09:34(DD:HH:MM:SS)
ISID:806978696102
Initiator    Initiator   Target       Target    Connection
IP Address   TCP Port    IP Address   TCPPort   ID
10.10.0.53   33432       10.10.0.
Monitoring iSCSI Traffic Flows The switch snoops iSCSI session-establishment and termination packets by installing classifier rules that trap iSCSI protocol packets to the CPU for examination. Devices that initiate iSCSI sessions usually use well-known TCP ports 3260 or 860 to contact targets. When you enable iSCSI optimization, by default the switch identifies IP packets to or from these ports as iSCSI traffic.
including jumbo frames and flow-control on all ports; no storm control and spanning-tree portfast to be enabled on the port of detection. The following syslog message is generated the first time an EqualLogic array is detected:
%SYSTEM:CP %LLDP-5-LLDP_EQL_DETECTED: EqualLogic Storage Array detected on interface Te 1/43
• At the first detection of an EqualLogic array, the maximum supported MTU is enabled on all ports and port-channels (if it has not already been enabled).
28 Link Aggregation Control Protocol (LACP) Introduction to Dynamic LAGs and LACP The Dell Networking OS uses LACP to create dynamic LAGs. LACP provides a standardized means of exchanging information between two systems (also called Partner Systems) and automatically establishes the LAG between the systems. The benefits and constraints of a LAG are basically the same as a port channel, as described in Port Channel Interfaces in the Interfaces chapter.
• A port in Active state can set up a port channel (LAG) with another port in Active state.
• A port in Active state can set up a LAG with another port in Passive state.
• A port in Passive state cannot set up a LAG with another port in Passive state.
Configuring LACP Commands If you configure aggregated ports with compatible LACP modes (Off, Active, Passive), LACP can automatically link them, as defined in IEEE 802.3, Section 43 (now maintained as IEEE 802.1AX). To configure LACP, use the following commands.
The following example shows configuring a LAG interface.
Dell(conf)#interface port-channel 32
Dell(conf-if-po-32)#no shutdown
Dell(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG.
Dell(conf)#interface vlan 10
Dell(conf-if-vl-10)#tagged port-channel 32
Configuring the LAG Interfaces as Dynamic After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
Dell# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor   System ID:  Priority 32768, Address 0001.e800.a12b
Partner System ID:  Priority 32768, Address 0001.e801.
Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group.
NOTE: If a LAG interface is part of a redundant pair, you cannot use it as a member of a failover group created for shared LAG state tracking.
1. Enter port-channel failover group mode.
   CONFIGURATION mode
   port-channel failover-group
2. Create a failover group and specify the two port-channels that will be members of the group.
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo
NOTE: The console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Example of Viewing a LAG Port Configuration The following example inspects a LAG port configuration on ALPHA.
Figure 66.
Figure 67.
Figure 68.
Bravo(conf-if-po-10)#switchport
Bravo(conf-if-po-10)#no shutdown
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#interface tengigabitethernet 3/21
Bravo(conf-if-te-3/21)#no ip address
Bravo(conf-if-te-3/21)#no switchport
Bravo(conf-if-te-3/21)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shutdown
Bravo(conf-if-te-3/21)#end
!
interface TengigabitEthernet 3/21
 no ip address
!
 port-ch
Figure 69. Inspecting a LAG Port on BRAVO Using the show interface Command The following figure illustrates inspecting LAG 10 Using the show interfaces port-channel Command.
Figure 70. Inspecting LAG 10 Using the show interfaces port-channel Command The following figure illustrates inspecting the LAG Status Using the show lacp command.
Figure 71. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables Layer 2 links over a variety of physical-layer connections. It is supported on both synchronous and asynchronous lines, and can operate in half-duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network-layer datagram to be sent over a PPP connection.
29 Layer 2 Manage the MAC Address Table You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Clear a MAC address table of dynamic entries.
Displaying the MAC Address Table To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
  EXEC Privilege mode
  show mac-address-table [address | aging-time [vlan vlan-id] | count | dynamic | interface | static | vlan]
  • address: displays the specified entry.
  • aging-time: displays the configured aging-time.
  • count: displays the number of dynamic and static entries for all VLANs, and the total number of entries.
mac learning-limit Dynamic The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default. When you configure the dynamic option, learned MAC addresses are stored in the dynamic region and are subject to aging. Entries created before this option is set are not affected.
INTERFACE mode
learn-limit-violation shutdown
Setting Station Move Violation Actions Station move violation actions are user-configurable. no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one of the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands.
• Generate a system log message indicating a station move.
• CONFIGURATION mode
  mac-address-table disable-learning lldp
• Disable source MAC address learning from LACP and LLDP BPDUs.
  CONFIGURATION mode
  mac-address-table disable-learning
If you do not use any option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs.
Enabling port security You can enable or disable the port security feature globally on the Dell EMC Networking OS.
Figure 73. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 74. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the previous illustration, interface 3/42 is the backup interface for 3/41 and is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following appears whenever you configure a backup port.
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 0/2 Dell(conf-if-po-1)# Far-End Failure Detection Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration.
4. If the FEFD enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals, the state changes to unknown. You can set each interval from 3 to 255 seconds. 5. If the FEFD system has been set to Aggressive mode and neighboring echoes are not received after three intervals, the state changes to Err-disabled.
To display information about the state of each interface, use the show fefd command in EXEC privilege mode. Dell#show fefd FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
• Display output whenever events occur that initiate or disrupt an FEFD enabled connection.
  EXEC Privilege mode
  debug fefd events
• Provide output for each packet transmission over the FEFD enabled connection.
  EXEC Privilege mode
  debug fefd packets
The following example shows the debug fefd events command.
30 Link Layer Discovery Protocol (LLDP) 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Type | TLV | Description
— | Optional | Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs.
Figure 77. LLDPDU Frame
Optional TLVs The Dell Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.
Management TLVs A management TLV is an optional TLV sub-type.
Type | TLV | Description
7 | System capabilities | Identifies the chassis as one or more of the following: repeater, bridge, WLAN access point, router, telephone, DOCSIS cable device, end station only, or other.
8 | Management address | Indicates the network address of the management interface. The Dell Networking OS does not currently support this TLV.
127 | Port-VLAN ID | On Dell Networking systems, indicates the untagged VLAN to which a port belongs.
• identify physical location
• identify network policy
LLDP-MED is designed for, but not limited to, VoIP endpoints.
TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for:
• transmitting an LLDP-MED capability TLV to endpoint devices
• storing the information that endpoint devices advertise
The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 50.
Type | SubType | TLV | Description
127 | 11 | Inventory — Asset ID | Indicates a user specified device number to manage inventory.
127 | 12–255 | Reserved |
LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the CLI (Advertising TLVs). NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection.
using the max-milliwatts option with the power inline command. Dell Networking also honors the power value (power requirement) that the powered device sends when the power sourcing equipment (PSE) is configured with power inline mode class. Figure 81. Extended Power via MDI TLV Configure LLDP Configuring LLDP is a two-step process. 1. Enable LLDP globally. 2. Advertise TLVs out of an interface.
  exit        Exit from LLDP configuration mode
  hello       LLDP hello configuration
  mode        LLDP mode configuration (default = rx and tx)
  multiplier  LLDP multiplier configuration
  no          Negate a command or set its defaults
  show        Show LLDP configuration
R1(conf-lldp)#exit
R1(conf)#interface tengigabitethernet 1/31
R1(conf-if-te-1/31)#protocol lldp
R1(conf-if-te-1/31-lldp)#?
  advertise   Advertise TLVs
  disable     Disable LLDP protocol on this interface
  end         Exit from configuration mode
  exit        Exit from LLDP configuration mode
  hello       LLDP
protocol lldp
2. Enable LLDP.
   PROTOCOL LLDP mode
   no disable
Disabling and Undoing LLDP on Management Ports To disable or undo LLDP on management ports, use the following commands.
1. Enter Protocol LLDP mode.
   CONFIGURATION mode
   protocol lldp
2. Enter LLDP management-interface mode.
   PROTOCOL LLDP mode
   management-interface
3. Enter the disable command.
   LLDP-MANAGEMENT-INTERFACE mode
   disable
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 82. Configuring LLDP Storing and Viewing Unrecognized LLDP TLVs Dell EMC Networking OS can store unrecognized (reserved and organizationally specific) LLDP TLVs, and the stored unrecognized TLVs can be retrieved using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, it is categorized as an unrecognized TLV. Unrecognized TLVs fall into two types: 1. Reserved unrecognized LLDP TLV 2.
Viewing Unrecognized LLDP TLVs You can view or retrieve the stored unrecognized (reserved and organizational specific) TLVs using the show lldp neighbor details command. View all the LLDP TLV information including unrecognized TLVs, using the snmpwalk and snmpget commands. Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config The following example shows viewing an LLDP global configuration.
-------------------------------------------------------------------
Te 1/1    TenGigabitEthernet 1/5    00:01:e8:05:40:46
Te 1/2    TenGigabitEthernet 1/6    00:01:e8:05:40:46
DellEMC(conf-if-te-1/3)#
Example of Viewing Detailed Information Advertised by Neighbors
DellEMC(conf)#do show lldp neighbors detail
========================================================================
Local Interface TenGigabitEthernet 1/1 has 2 neighbors
  Total Frames Out: 3
  Total Frames In: 8
  Total Neighbor information Age outs: 0
  Total Mult
Remote Port ID: fortyGigE 1/2/8/1
Local Port ID: TenGigabitEthernet 1/2
Locally assigned remote Neighbor Index: 1
Remote TTL: 300
Information valid for next 201 seconds
Time since last information change of this neighbor: 00:01:39
UnknownTLVList:
OrgUnknownTLVList:
  ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124,
  ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119,
--------------------------------------------------------------------------
Remote Chassis ID
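How a receiver arrives at the UnknownTLVList and OrgUnknownTLVList shown above, as an added Python example (not Dell OS code): it walks an LLDPDU TLV by TLV using the 7-bit type / 9-bit length header, keeps the basic TLVs, and classifies what it cannot interpret as either a reserved type (9 to 126) or an organizationally specific TLV (type 127) with an OUI and subtype it does not know. The frame is constructed for the example, the set of "known" OUI/subtype pairs is this example's own, and the length reported for an unknown organizational TLV is assumed to be its payload length, to match the 4 in the output above.

```python
"""LLDPDU TLV walker with unrecognized-TLV classification.

Added example; not Dell OS code.  Every TLV starts with a 16-bit header:
7-bit type, 9-bit length.  Types 1 to 8 are basic TLVs, 9 to 126 are
reserved, 127 is organizationally specific (3-byte OUI + 1-byte subtype).
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME, TLV_ORG = 0, 1, 2, 3, 5, 127
KNOWN_ORG = {                                   # (OUI, subtype) -> name
    (b"\x00\x80\xc2", 1): "ieee802.1-port-vlan-id",
    (b"\x00\x12\x0f", 1): "ieee802.3-mac-phy-config",
}


@dataclass
class Lldpdu:
    chassis_id: bytes = b""
    port_id: bytes = b""
    ttl: int = 0
    system_name: str = ""
    known_org: List[Tuple[str, bytes]] = field(default_factory=list)
    unknown_reserved: List[Tuple[int, int]] = field(default_factory=list)   # (type, len)
    unknown_org: List[Tuple[str, int, int]] = field(default_factory=list)   # (oui, subtype, len)


def parse_lldpdu(frame: bytes) -> Lldpdu:
    """Parse one LLDPDU; raises ValueError on a malformed or unterminated frame."""
    pdu, off = Lldpdu(), 0
    while True:
        if off + 2 > len(frame):
            raise ValueError("LLDPDU ended without an End-of-LLDPDU TLV")
        header = struct.unpack("!H", frame[off:off + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the frame")
        off += 2 + length
        if tlv_type == TLV_END:
            return pdu
        if tlv_type == TLV_CHASSIS_ID:
            pdu.chassis_id = value                      # subtype byte + ID
        elif tlv_type == TLV_PORT_ID:
            pdu.port_id = value
        elif tlv_type == TLV_TTL:
            pdu.ttl = struct.unpack("!H", value[:2])[0]
        elif tlv_type == TLV_SYSTEM_NAME:
            pdu.system_name = value.decode("utf-8", "replace")
        elif tlv_type == TLV_ORG:
            if length < 4:
                raise ValueError("organizational TLV shorter than OUI + subtype")
            oui, subtype, payload = value[:3], value[3], value[4:]
            name = KNOWN_ORG.get((oui, subtype))
            if name:
                pdu.known_org.append((name, payload))
            else:
                pdu.unknown_org.append((oui.hex("-"), subtype, len(payload)))
        elif 9 <= tlv_type <= 126:
            pdu.unknown_reserved.append((tlv_type, length))
        # types 4, 6, 7, 8 are recognized basic TLVs not needed here


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV (used only to build the constructed frame below)."""
    if not 0 <= len(value) < 512:
        raise ValueError("TLV value must fit in the 9-bit length field")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def org_tlv(oui: bytes, subtype: int, payload: bytes) -> bytes:
    return tlv(TLV_ORG, oui + bytes([subtype]) + payload)


# Constructed neighbour advertisement: the mandatory basic TLVs, one
# recognized 802.1 Port VLAN ID, one unknown organizational TLV carrying the
# OUI 00-01-66 seen above, one reserved type, and the End TLV.
FRAME = (tlv(TLV_CHASSIS_ID, b"\x04" + bytes.fromhex("0001e8054046"))
         + tlv(TLV_PORT_ID, b"\x05TenGigabitEthernet 1/5")
         + tlv(TLV_TTL, struct.pack("!H", 120))
         + tlv(TLV_SYSTEM_NAME, b"R1")
         + org_tlv(b"\x00\x80\xc2", 1, struct.pack("!H", 10))
         + org_tlv(b"\x00\x01\x66", 127, b"\xde\xad\xbe\xef")
         + tlv(60, b"\x01\x02")
         + tlv(TLV_END, b""))
```

A frame that stops before its End TLV is rejected rather than partially accepted; that matters because the TTL carried in an unterminated frame would otherwise age or refresh neighbor state on the strength of a truncated advertisement.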
no disable R1(conf-lldp)# Configuring LLDP Notification Interval This implementation has been introduced to adhere to the IEEE 802.1AB standard. This implementation allows a user to configure the LLDP notification interval between 5 (default) and 3600 seconds. NOTE: Before implementation of this feature, notification messages were not throttled. After implementation, the system throttles the lldp notification messages by 5 seconds (default) or as configured by the user.
no disable
R1(conf-lldp)#
Configuring a Time to Live The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which, with the default 30-second hello interval, results in a default TTL of 120 seconds.
• Adjust the TTL value.
  CONFIGURATION mode or INTERFACE mode
  multiplier
• Return to the default multiplier value.
Figure 83. The debug lldp detail Command — LLDPDU Packet Dissection Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 54. LLDP Configuration MIB Objects
MIB Object Category | LLDP Variable | LLDP MIB Object | Description
LLDP Configuration | adminStatus | lldpPortConfigAdminStatus | Whether you enable the local LLDP agent for transmit, receive, or both.
LLDP Configuration | msgTxHold | lldpMessageTxHoldMultiplier | Multiplier value.
LLDP Configuration | msgTxInterval | lldpMessageTxInterval | Transmit interval value.
LLDP Configuration | rxInfoTTL | lldpRxInfoTTL | Time to live for received TLVs.
LLDP Configuration | txInfoTTL | lldpTxInfoTTL | Time to live for transmitted TLVs.
TLV Type | TLV Name | TLV Variable | System | LLDP MIB Object
(continued) | | | Remote | lldpRemSysDesc
7 | System Capabilities | system capabilities | Local | lldpLocSysCapSupported
7 | System Capabilities | system capabilities | Remote | lldpRemSysCapSupported
7 | System Capabilities | enabled capabilities | Local | lldpLocSysCapEnabled
7 | System Capabilities | enabled capabilities | Remote | lldpRemSysCapEnabled
8 | Management Address | management address length | Local | lldpLocManAddrLen
8 | Management Address | management address length | Remote | lldpRemManAddrLen
8 | Management Address | management address subtype | Local | lldpLocManAddrSubtype
8 | Management Address | management address subtype | Remote |
8 | Management Address | management address | |
8 | Management Address | interface numbering subtype | |
8 | Management Address | interface number | |
8 | Management Address | OID | |
Table 57.
TLV Sub-Type | TLV Name | TLV Variable | System | LLDP-MED MIB Object
(continued) | | | Local | lldpXMedLocXPoEPDPowerSource
 | | | Remote | lldpXMedRemXPoEPSEPowerSource, lldpXMedRemXPoEPDPowerSource
 | | Power Priority | Local | lldpXMedLocXPoEPDPowerPriority, lldpXMedLocXPoEPSEPortPDPriority
 | | Power Priority | Remote | lldpXMedRemXPoEPSEPowerPriority, lldpXMedRemXPoEPDPowerPriority
 | | Power Value | Local | lldpXMedLocXPoEPSEPortPowerAv, lldpXMedLocXPoEPDPowerReq
 | | Power Value | Remote | lldpXMedRemXPoEPSEPowerAv, lldpXMedRemXPoEPDPowerReq
31 Multicast Source Discovery Protocol (MSDP)
This chapter describes how to configure and use the multicast source discovery protocol (MSDP).

Protocol Overview
MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 85.
Implementation Information
The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446.

Configure Multicast Source Discovery Protocol
Configuring MSDP is a four-step process.
1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 86.
Figure 87.
Figure 88.
Figure 89. Configuring MSDP

Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
  CONFIGURATION mode
  ip msdp cache-rejected-sa

Accept Source-Active Messages that Fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check.
Figure 91.
Figure 92.
Figure 93. MSDP Default Peer, Scenario 4

Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, all sources that the peer advertises are accepted. All sources from RPs that the ACL denies are subject to the normal RPF check.
Dell(conf)#ip msdp peer 10.0.50.
3 rejected SAs received, cache-size 32766
UpTime    GroupAddr     SourceAddr   RPAddr       LearnedFrom  Reason
00:33:18  229.0.50.64   24.0.50.64   200.0.1.50   10.0.50.2    Rpf-Fail
00:33:18  229.0.50.65   24.0.50.65   200.0.1.50   10.0.50.2    Rpf-Fail
00:33:18  229.0.50.66   24.0.50.66   200.0.1.50   10.0.50.2    Rpf-Fail

Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1. OPTIONAL: Store sources that are received after the limit is reached in the rejected SA cache.
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.
[Router 3]
R3(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.
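The rejected-SA cache, the default-peer bypass of the RPF check, the SA limit and the ingress SA filter described in the preceding sections all feed one accept-or-reject decision per SA message. The following model is an added example, not Dell Networking OS code: the SA message fields, the reason strings, the order of the checks, the treatment of filtered SAs (dropped without entering either cache) and the sample addresses are constructed; only the four rejection causes, the default-peer ACL behaviour and the RPF rule come from the text above.

```python
"""Model of the MSDP source-active (SA) acceptance decision (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SAMessage:
    source: str        # multicast source S
    group: str         # multicast group G
    rp: str            # originating RP that advertised (S,G)
    learned_from: str  # MSDP peer the SA arrived from


@dataclass
class MsdpRp:
    # originating RP -> peer that passes the RPF check for that RP
    # (stands in for the unicast-routing lookup a real RP performs; constructed)
    rpf_peer: dict
    reachable_rps: set
    # default peer -> list of RP prefixes accepted without RPF, or None for "all RPs"
    default_peers: dict = field(default_factory=dict)
    # peer -> set of (source, group) pairs denied by an ingress sa-filter
    in_filter: dict = field(default_factory=dict)
    sa_limit: int = 32766          # cache-size shown in the output above
    cache_rejected: bool = False   # 'ip msdp cache-rejected-sa'
    sa_cache: list = field(default_factory=list)
    rejected_cache: list = field(default_factory=list)

    def _passes_rpf(self, sa: SAMessage) -> bool:
        if sa.learned_from in self.default_peers:
            acl = self.default_peers[sa.learned_from]
            if acl is None or any(ip_address(sa.rp) in ip_network(p) for p in acl):
                return True  # default peer: accepted without regard for RPF
            # RP denied by the ACL: falls through to the normal RPF check
        return self.rpf_peer.get(sa.rp) == sa.learned_from

    def receive(self, sa: SAMessage) -> str:
        """Process one SA; return 'Accepted', 'Filtered', or the rejection reason."""
        try:
            fmt_ok = ip_address(sa.group).is_multicast and not ip_address(sa.source).is_multicast
        except ValueError:
            fmt_ok = False
        reason = None
        if not fmt_ok:
            reason = "Format-Error"
        elif sa.rp not in self.reachable_rps:
            reason = "Rp-Unreachable"
        elif not self._passes_rpf(sa):
            reason = "Rpf-Fail"
        elif (sa.source, sa.group) in self.in_filter.get(sa.learned_from, set()):
            return "Filtered"  # assumption: dropped without entering either cache
        elif len(self.sa_cache) >= self.sa_limit:
            reason = "Sa-Limit"
        if reason is None:
            self.sa_cache.append(sa)
            return "Accepted"
        if self.cache_rejected:
            self.rejected_cache.append((sa, reason))
        return reason

    def show_rejected(self) -> list:
        """Rows in the order of the rejected-SA output above: group, source, RP, peer, reason."""
        return [(sa.group, sa.source, sa.rp, sa.learned_from, reason)
                for sa, reason in self.rejected_cache]


def demo() -> MsdpRp:
    """Replays the three Rpf-Fail entries shown above (constructed topology)."""
    rp = MsdpRp(rpf_peer={"200.0.1.50": "10.0.50.1"},
                reachable_rps={"200.0.1.50"},
                cache_rejected=True)
    # Peer 10.0.50.2 forwards SAs for RP 200.0.1.50, but RPF points at 10.0.50.1.
    for i in (64, 65, 66):
        rp.receive(SAMessage(f"24.0.50.{i}", f"229.0.50.{i}", "200.0.1.50", "10.0.50.2"))
    return rp
```

Adding 10.0.50.2 as a default peer with an ACL covering 200.0.1.0/24 turns the same SAs into accepted entries, while SAs for an RP outside the ACL still face the RPF check.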
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.

Logging Changes in Peership States
To log changes in peership states, use the following command.
• Log peership state changes.
  CONFIGURATION mode
  ip msdp log-adjacency-changes

Terminating a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639.
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1 Local Addr: 0.0.0.0(0) Connect Source: Lo 0
  State: Inactive Up/Down Time: 00:00:04
  Timers: KeepAlive 30 sec, Hold time 75 sec
  SourceActive packet count (in/out): 0/0
  SAs learned from this peer: 0
  SA Filtering:
    Input (S,G) filter: myremotefilter
    Output (S,G) filter: none

Debugging MSDP
To debug MSDP, use the following command.
• Display the information exchanged between peers.
Figure 94. MSDP with Anycast RP

Configuring Anycast RP
To configure anycast RP:
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3. In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
network

Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.
ip multicast-msdp
ip msdp peer 192.168.0.1 connect-source Loopback 0
!
ip route 192.168.0.2/32 10.11.0.23

MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 0/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 0/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.
ip route 192.168.0.3/32 10.11.0.32
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4

MSDP Sample Configuration: R3 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 0/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
!
interface TenGigabitEthernet 0/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 0/0
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.
!
ip pim rp-address 192.168.0.3 group-address 224.0.0.
32 Multiple Spanning Tree Protocol (MSTP)
Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview
In contrast, PVST+ allows a spanning tree instance for each VLAN.
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations
The Dell Networking OS supports four variations of spanning tree, as shown in the following table.

Table 58. Spanning Tree Variations
Dell Networking Term | IEEE Specification
Spanning Tree Protocol (STP) | 802.1d
Rapid Spanning Tree Protocol (RSTP) | 802.1w
Multiple Spanning Tree Protocol (MSTP) | 802.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
   PROTOCOL MSTP mode
   no disable
To verify that MSTP is enabled, use the show config command in PROTOCOL MSTP mode.
1 100
2 200-300
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
Dell#show spanning-tree msti 1
MSTI 1 VLANs mapped 100
Root Identifier has priority 32768, Address 0001.e806.953e
Root Bridge hello time 2, max age 20, forward delay 15, max hops 19
Bridge Identifier has priority 32768, Address 0001.e80d.
Interoperate with Non-Dell Bridges
The Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name is null.
• Revision is a 2-byte number. The default revision number is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
For a bridge to be in the same MSTP region as another, all three of these qualities must match exactly.
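The "match exactly" rule is what a bridge actually evaluates when it receives a BPDU from a neighbour, and the VLAN-to-instance mapping is not sent as a table: IEEE 802.1Q carries it as an MST Configuration Digest, an HMAC-MD5 over the full 4096-entry VLAN-to-MSTID table computed with a fixed, published key, so two bridges compare 16 bytes instead of the whole table. The following added example (not Dell Networking OS code) computes that digest and applies the three-way comparison; the digest mechanism comes from the standard, not from this page, and the sample region values (name Tahiti, revision 123, VLAN 100 in MSTI 1 and 200-300 in MSTI 2) are taken from the show output elsewhere in this chapter.

```python
"""Same-region test for MSTP bridges via the MST Configuration Identifier (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Configuration Digest Signature Key from IEEE 802.1Q (fixed for every MSTP bridge).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def parse_vlan_range(spec: str) -> set:
    """Expand the CLI VLAN syntax shown above, e.g. '100', '200-300' or '10,20-22'."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 1 <= lo_i <= hi_i <= 4094:
            raise ValueError(f"bad VLAN range {part!r}")
        vlans.update(range(lo_i, hi_i + 1))
    return vlans


def mst_config_digest(vlan_to_msti: dict) -> str:
    """HMAC-MD5 over 4096 big-endian 16-bit MSTID entries indexed by VLAN 0..4095.

    VLANs with no explicit mapping belong to the CIST (MSTID 0), which is why the
    default configuration always yields the same well-known digest on every vendor.
    """
    table = b"".join(vlan_to_msti.get(vid, 0).to_bytes(2, "big") for vid in range(4096))
    return hmac.new(MST_DIGEST_KEY, table, hashlib.md5).hexdigest().upper()


@dataclass
class MstRegion:
    name: str = ""       # default region name is null
    revision: int = 0    # default revision is 0; must fit in 2 bytes
    vlan_to_msti: dict = field(default_factory=dict)

    def map_vlans(self, instance: int, vlan_spec: str) -> None:
        """Models the VLAN-to-MSTI mapping shown above (e.g. instance 2, '200-300')."""
        for vid in parse_vlan_range(vlan_spec):
            self.vlan_to_msti[vid] = instance

    def bpdu_identifier(self) -> tuple:
        """(name, revision, digest): the MST Configuration Identifier a bridge advertises."""
        if not 0 <= self.revision <= 0xFFFF:
            raise ValueError("revision is a 2-byte number")
        return (self.name, self.revision, mst_config_digest(self.vlan_to_msti))


def same_region(a: MstRegion, b: MstRegion) -> bool:
    """Two bridges share a region only when name, revision and mapping digest all match."""
    return a.bpdu_identifier() == b.bpdu_identifier()
```

A mismatch in any one field puts the neighbour at a region boundary, which is the first thing to check when a non-Dell bridge that is "configured the same" still shows up outside the region.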
   PROTOCOL MSTP mode
   hello-time seconds
   NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time.
   The range is from 1 to 10. The default is 2 seconds.
3. Change the max-age parameter.
   PROTOCOL MSTP mode
   max-age seconds
   The range is from 6 to 40. The default is 20 seconds.
4. Change the max-hops parameter.
   PROTOCOL MSTP mode
   max-hops number
   The range is from 1 to 40. The default is 20.
   spanning-tree msti number cost cost
   The range is from 0 to 200000. For the default, refer to the default values shown in the table.
2. Change the port priority of an interface.
   INTERFACE mode
   spanning-tree msti number priority priority
   The range is from 0 to 240, in increments of 16. The default is 128.
To view the current values for these interface parameters, use the show config command from INTERFACE mode.
Flush MAC Addresses after a Topology Change
The system has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the tc-flush-standard command, which flushes MAC addresses after every topology change notification.
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/21,31
 no shutdown

Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
 exit

Debugging and Verifying MSTP Configurations
To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0
Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470
Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96
Name: Tahiti, Rev: 123, Int Root Path Cost: 0
Rem Hops: 20, Bridge Id: 32768:0001.e806.953e
4w0d4h : INST 1: Flags: 0x6e, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
Brg/Port Prio: 32768/128, Rem Hops: 20
INST 2: Flags: 0x6e, Reg Root: 32768:0001.e806.
33 Multicast Features
The Dell Networking OS supports the following multicast protocols:
• PIM Sparse-Mode (PIM-SM)
• Internet Group Management Protocol (IGMP)
• Multicast Source Discovery Protocol (MSDP)
Topics:
• Enabling IP Multicast
• Implementation Information
• First Packet Forwarding for Lossless Multicast
• Multicast Policies
• Understanding Multicast Traceroute (mtrace)
• Printing Multicast Traceroute (mtrace) Paths
• Supported Error Codes
• mtrace Scenarios

Enabling IP Multicast
Before enablin
Dell EMC Networking OS does not support multicast routing in the following VLT scenarios:
• In a VLT enabled PIM router, multicast routing is not supported when there are multiple PIM spanned paths to reach source or RP. The workaround is to configure only one PIM spanned path to reach any PIM router in the aggregation or spine.
   ip multicast-limit
   The range is from 1 to 16000. The default is 4000.
NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may be superseded by this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit set by the ip multicast-limit command is reached.
Figure 97. Preventing a Host from Joining a Group

Table 60. Preventing a Host from Joining a Group — Description
Location 1/21:
  • Interface GigabitEthernet 1/21
  • ip pim sparse-mode
  • ip address 10.11.12.1/24
  • no shutdown
Location 1/31:
  • Interface GigabitEthernet 1/31
  • ip pim sparse-mode
  • ip address 10.11.13.1/24
  • no shutdown
Location 2/1:
  • Interface GigabitEthernet 2/1
  • ip pim sparse-mode
  • ip address 10.11.1.
  • ip pim sparse-mode
  • ip address 10.11.12.2/24
  • no shutdown
Location 2/31:
  • Interface GigabitEthernet 2/31
  • ip pim sparse-mode
  • ip address 10.11.23.1/24
  • no shutdown
Location 3/1:
  • Interface GigabitEthernet 3/1
  • ip pim sparse-mode
  • ip address 10.11.5.1/24
  • no shutdown
Location 3/11:
  • Interface GigabitEthernet 3/11
  • ip pim sparse-mode
  • ip address 10.11.13.2/24
  • no shutdown
Location 3/21:
  • Interface GigabitEthernet 3/21
  • ip pim sparse-mode
  • ip address 10.11.23.
Preventing a Source from Registering with the RP
To prevent the PIM source DR from sending register packets to the RP for the specified multicast source and group, use the following command. If the source DR never sends register packets to the RP, no hosts can ever discover the source and create a shortest path tree (SPT) to it.
• Prevent a source from transmitting to a particular group.
  • no shutdown
Location 1/31:
  • Interface GigabitEthernet 1/31
  • ip pim sparse-mode
  • ip address 10.11.13.1/24
  • no shutdown
Location 2/1:
  • Interface GigabitEthernet 2/1
  • ip pim sparse-mode
  • ip address 10.11.1.1/24
  • no shutdown
Location 2/11:
  • Interface GigabitEthernet 2/11
  • ip pim sparse-mode
  • ip address 10.11.12.2/24
  • no shutdown
Location 2/31:
  • Interface GigabitEthernet 2/31
  • ip pim sparse-mode
  • ip address 10.11.23.
Excessive traffic is generated when the join process from the RP back to the source is blocked because a new source group is permitted in the join-filter. The new source then becomes stuck in the registering state on the DR, and UDP-encapsulated registration messages are generated continuously between the DR and RP routers and sent to the CPU.
• Prevent the PIM SM router from creating state based on multicast source and/or group.
Printing Multicast Traceroute (mtrace) Paths
Dell Networking OS supports multicast traceroute. MTRACE is an IGMP-based tool that prints the network path that a multicast packet takes from a source to a destination, for a particular group. Dell Networking OS has mtrace client and mtrace transit functionality.
• MTRACE Client — an mtrace client transmits mtrace queries and prints the details from received responses.
Command Output | Description
From source (?) to destination (?) | If the provided source or destination IP can be resolved to a hostname, the corresponding name is displayed. If the IP cannot be resolved, it is displayed as (?).
0 1.1.1.1 --> Destination | The first row in the table corresponds to the destination provided by the user.
-1 1.1.1.1 PIM Reached RP/Core 103.103.103.0/24 | The information in each of the response blocks is displayed as follows:
-4 103.103.103.
Table 64. Mtrace Scenarios
Scenario
When you want to trace a route with the multicast tree for a source, group, and destination, you can specify all the parameters in the command. Mtrace will trace the complete path from source to destination by using the multicast tables for that group.
You can issue the mtrace command specifying the source multicast tree and multicast group without specifying the destination. Mtrace traces the complete path traversing through the multicast group to reach the source.
Scenario | Output
-----------------------------------------------------------------
* - Any PIM enabled interface on this node
R1>mtrace 103.103.103.3 1.1.1.1
Type Ctrl-C to abort.
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via RPF
From source (?) to destination (?)
-----------------------------------------------------------------
|Hop|    OIF IP    |Proto| Forwarding Code | Source Network/Mask |
-----------------------------------------------------------------
 0   1.1.1.1  --> Destination
-1   1.1.1.
Scenario | Output
-----------------------------------------------------------------
If you invoke a weak mtrace query (without the multicast group details) and the RPF neighbor on one of the nodes to the source is not PIM enabled, the output of the command displays a NO ROUTE error code in the Forwarding Code column. In the command output, the entry for that node in the Source Network/Mask column displays the value as default.
Scenario
If a router in the network does not process mtrace and drops the packet, resulting in no response, the system performs an expanding-hop search to trace the path to the router that has dropped mtrace. The output of the command displays a ‘*’ indicating that no response is received for an mtrace request. The following message appears when the system performs a hop-by-hop search: “switching to hop-by-hop:”
Output
R1>mtrace 99.99.99.99 1.1.1.1
Type Ctrl-C to abort.
Querying reverse path for source 99.
Scenario | Output
-3    2.2.2.1       PIM                        99.99.0.0/16
. . .
-146  17.17.17.17   PIM   No space in packet   99.99.0.0/16
-----------------------------------------------------------------
In a valid scenario, mtrace request packets are expected to be received on the OIF of the node. However, due to incorrect formation of the multicast tree, the packet may be received on a wrong interface. In such a scenario, a corresponding error message is displayed.
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
34 Multicast Listener Discovery Protocol
Dell Networking OS supports the Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group. A host does not have to wait for a General Query to join a group. If a host wants to become a member of a group for which the router is not currently forwarding traffic, it should send an unsolicited report.
[Remainder of the message format diagram: Source Address [N] field, end of message]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Remainder of the Multicast Address Record format diagram: Source Address [2] through Source Address [N] fields, followed by Auxiliary Data]
Configuring MLD Version
To configure the MLD version on the system, follow this procedure:
Select the MLD version.
  INTERFACE mode
  ipv6 mld version {1 | 2}
If you do not configure the MLD version, the system defaults to version 2. The ipv6 mld version command is applicable for MLD snooping-enabled interfaces.

Clearing MLD groups
Clear a specific group or all groups on an interface from the multicast routing table.
  EXEC Privilege
  show ipv6 mld groups
Dell#show ipv6 mld groups
Total Number of Groups: 1
MLD Connected Group Membership
Group Address   Interface   Mode    Uptime     Expires    Last Reporter
Ff08::12        Vlan 10     MLDv2   00:00:12   00:02:05   1::2

Displaying MLD Interfaces
Display MLD interfaces.
Configure the switch as a querier
Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed, and so there is no querier. You must configure the switch to be the querier for a VLAN so that hosts send membership reports, and the switch can generate a forwarding table by snooping.
35 Object Tracking
IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking operating system (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
Figure 99. Object Tracking Example
When you configure a tracked object, such as an IPv4 or IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
   The default is 0.
4. (Optional) Identify the tracked object with a text description.
   OBJECT TRACKING mode
   description text
   The text string can be up to 80 characters.
5. (Optional) Configure the metric threshold for the UP and/or DOWN routing status to be tracked for the specified route.
   OBJECT TRACKING mode
   threshold metric {[up number] [down number]}
   The default UP threshold is 254. The routing state is UP if the scaled route metric is less than or equal to the UP threshold.
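The two rules a tracked route is evaluated against, exact address-and-prefix-length matching (so 10.0.0.0/24 never matches 10.0.0.0/8) and the scaled-metric UP threshold, are combined in the following added example, which is not Dell Networking OS code. The per-protocol resolution values, the sample routes, integer division as the scaling operation, the DOWN transition when the scaled metric is greater than or equal to the DOWN threshold, and holding the previous state between the thresholds are all assumptions made for the example.

```python
"""Tracked-route state evaluation: exact match plus metric thresholds (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Route:
    prefix: str     # routing-table entry, e.g. "10.0.0.0/8"
    protocol: str   # protocol that installed it, e.g. "ospf"
    metric: int     # raw route metric


UP, DOWN = "Up", "Down"

# Constructed per-protocol resolution values used to scale raw metrics; the real
# values are device settings (see 'show track resolution') and are not on this page.
RESOLUTION = {"connected": 1, "static": 1, "ospf": 2, "bgp": 10}


def exact_match(tracked_prefix: str, table: list):
    """Return the routing-table entry whose address AND prefix length equal the tracked prefix."""
    tracked = ip_network(tracked_prefix, strict=False)
    for route in table:
        if ip_network(route.prefix, strict=False) == tracked:
            return route
    return None   # a covering route such as 10.0.0.0/8 does not count for 10.0.0.0/24


def scaled_metric(route: Route, resolution: dict = RESOLUTION) -> int:
    """Raw metric divided by the protocol's resolution value (integer division assumed)."""
    return route.metric // resolution.get(route.protocol, 1)


def track_reachability_state(tracked_prefix: str, table: list) -> str:
    """State for 'track N ip route <prefix> reachability': UP only on an exact entry."""
    return UP if exact_match(tracked_prefix, table) else DOWN


def track_metric_state(tracked_prefix: str, table: list, previous: str = DOWN,
                       up: int = 254, down: int = 255,
                       resolution: dict = RESOLUTION) -> str:
    """Next state for 'track N ip route <prefix> metric threshold' with UP/DOWN thresholds."""
    route = exact_match(tracked_prefix, table)
    if route is None:
        return DOWN                 # no entry with the exact address and prefix length
    m = scaled_metric(route, resolution)
    if m <= up:
        return UP                   # rule from the text: scaled metric <= UP threshold
    if m >= down:
        return DOWN                 # assumption: scaled metric >= DOWN threshold
    return previous                 # assumption: between thresholds the state is held
```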
   delay {[up seconds] [down seconds]}
   Valid delay times are from 0 to 180 seconds. The default is 0.
3. (Optional) Identify the tracked object with a text description.
   OBJECT TRACKING mode
   description text
   The text string can be up to 80 characters.
4. (Optional) Display the tracking configuration and the tracked object’s status.
   EXEC Privilege mode
   show track object-id
The following example configures object tracking on the reachability of an IPv4 route.
Dell(conf)#track 104 ip route 10.0.0.
For example, consider that the next-hop address is changed and the track reachability is checked after the set refresh interval (20 seconds). If reachability to the next-hop address fails, the system displays the following log stating that the track object state has changed from UP to DOWN.
Sep 28 11:08:57 %STKUNIT1-M:CP %OTM-6-STATE: Object 2 state transition from Up to Down.
   Valid object IDs are from 1 to 65535.
2. (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
   OBJECT TRACKING mode
   delay {[up seconds] [down seconds]}
   Valid delay times are from 0 to 180 seconds. The default is 0.
3. (Optional) Identify the tracked object with a text description.
   OBJECT TRACKING mode
   description text
   The text string can be up to 80 characters.
4. (Optional) Display the tracking configuration and the tracked object’s status.
3. (Optional) Identify the tracked object with a text description.
   OBJECT TRACKING mode
   description text
   The text string can be up to 80 characters.
4. (Optional) Display the tracking configuration and the tracked object’s status.
   EXEC Privilege mode
   show track object-id
Example of configuring object tracking for an IPv4 interface.
Displaying Tracked Objects To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands. To display the configuration and status of currently tracked Layer 2 or Layer 3 interfaces, IPv4 or IPv6 routes, or a VRF instance, use the show track command. You can also display the currently configured per-protocol resolution values used to scale route metrics when tracking metric thresholds.
Example of the show track vrf command.
Dell#show track vrf red
Track 5
  IP route 192.168.0.0/24 reachability, Vrf: red
  Reachability is Up (CONNECTED)
    3 changes, last change 00:02:39
  First-hop interface is GigabitEthernet 13/4
Example of viewing the object tracking configuration.
Dell#show running-config track
track 1 ip route 23.0.0.
36 Open Shortest Path First (OSPFv2 and OSPFv3)
This chapter describes how to configure and use Open Shortest Path First (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6).
NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3. This chapter identifies and clarifies the differences between the two versions of OSPF. Except where identified, the information in this chapter applies to both protocol versions.
Figure 100. Autonomous System Areas

Area Types
The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. The backbone is the only area with a default area number.
Router Types
Router types are attributes of the OSPF process. A given physical router may be a part of one or more OSPF processes. For example, a router connected to more than one area, receiving routing from a border gateway protocol (BGP) process connected to another AS acts as both an area border router and an autonomous system router. Each router has a unique ID, written in decimal format (A.B.C.D). You do not have to associate the router ID with a valid IP address.
Area Border Router (ABR)
Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database. An ABR takes information it has learned on one of its attached areas and can summarize it before sending it out on other areas it is connected to. An ABR can connect to many areas in an AS, and is considered a member of each area it connects to.
• Type 9: Link Local LSA (OSPFv2), Intra-Area-Prefix LSA (OSPFv3) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370. For OSPFv3, this LSA carries the IPv6 prefixes of the router and network links.
• Type 11: Grace LSA (OSPFv3) — For OSPFv3 only, this LSA is a link-local “opaque” LSA sent by a restarting OSPFv3 router during a graceful restart.
For all LSA types, there are 20-byte LSA headers. One of the fields of the LSA header is the link-state ID.
Figure 102. Priority and Cost Examples

OSPF Implementation
The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Multiple OSPF processes (OSPF MP) are supported on OSPFv2 only; up to 32 simultaneous processes are supported. On OSPFv3, the system supports only one process at a time for all platforms.
Multi-Process OSPFv2 (IPv4 only)
Multi-process OSPF is supported only on OSPFv2 with IPv4 on the switch. Up to 32 OSPFv2 processes are supported. Multi-process OSPF allows multiple OSPFv2 processes on a single router. Multiple OSPFv2 processes allow for isolating routing domains, supporting multiple route policies and priorities in different domains, and creating smaller domains for easier management. Each OSPFv2 process has a unique process ID and must have an associated router ID.
To confirm that you enabled RFC-2328–compliant OSPF flooding, use the show ip ospf command.
Dell#show ip ospf
Routing Process ospf 1 with ID 2.2.2.
OSPF features and functions are assigned to each router using the CONFIG-INTERFACE commands for each interface.
NOTE: By default, OSPF is disabled.

Configuration Task List for OSPFv2 (OSPF for IPv4)
You can perform the following tasks to configure Open Shortest Path First version 2 (OSPF for IPv4) on the switch. Two of the tasks are mandatory; others are optional.
If you try to enter an OSPF process ID, or if you try to enable more OSPF processes than available Layer 3 interfaces, prior to assigning an IP address to an interface and setting the no shutdown command, the following message displays:
Dell(conf)#router ospf 1
% Error: No router ID available.

Assigning a Router ID
In CONFIGURATION ROUTER OSPF mode, assign the router ID. The router ID is not required to be the router’s IP address.
Assigning an OSPFv2 Area
After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0). Any area besides Area 0 can have any number ID assigned to it. The OSPFv2 process evaluates the network commands in the order they are configured.
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:04
Neighbor Count is 0, Adjacent neighbor count is 0
TengigabitEthernet 12/21 is up, line protocol is up
Internet Address 10.2.3.1/24, Area 0.0.0.0
Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State BDR, Priority 1
Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2
Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.
Area ID is the number or IP address assigned when creating the area.
To view which LSAs are transmitted, use the show ip ospf process-id database database-summary command in EXEC Privilege mode.
Dell#show ip ospf 34 database database-summary
OSPF Router with ID (10.1.2.100) (Process ID 34)
Area ID   Router  Network  S-Net  S-ASBR  Type-7  Subtotal
2.2.2.2   1       0        0      0       0       1
3.3.3.3   1       0        0      0       0       1
Dell#
To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode.
Transmit Delay is 1 sec, State DOWN, Priority 1
Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0
Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 13:39:46
Neighbor Count is 0, Adjacent neighbor count is 0
TengigabitEthernet 0/1 is up, line protocol is down
Internet Address 10.1.3.100/24, Area 2.2.2.2
Process ID 34, Router ID 10.1.2.
Convergence Level 0
Min LSA origination 5 secs, Min LSA arrival 1 secs
Number of area in this router is 0, normal 0 stub 0 nssa 0
Dell#

Changing OSPFv2 Parameters on Interfaces
You can modify the OSPF configuration on switch interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same hello interval on all routers in the OSPF network; routers whose hello or dead intervals do not match never form a neighbor adjacency.
To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode. To view interface status in the OSPF process, use the show ip ospf interface command in EXEC mode. The bold lines in the example show the change on the interface; the change is reflected in the OSPF configuration.

Dell(conf-if)#ip ospf cost 45
Dell(conf-if)#show config
!
interface TengigabitEthernet 0/0
 ip address 10.1.2.100 255.255.255.
Applying Prefix Lists
To apply prefix lists to incoming or outgoing OSPF routes, use the following commands.
• Apply a configured prefix list to incoming OSPF routes.
  CONFIG-ROUTER-OSPF-id mode
  distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to outgoing OSPF routes.
  CONFIG-ROUTER-OSPF-id mode
  distribute-list prefix-list-name out [connected | isis | rip | static]

Redistributing Routes
You can add routes from other routing instances or protocols to the OSPF process.
• show routes

To help troubleshoot OSPFv2, use the following commands.
• View the summary of all OSPF process IDs enabled on the router.
  EXEC Privilege mode
  show running-config ospf
• View the summary information of the IP routes.
  EXEC Privilege mode
  show ip route summary
• View the summary information for the OSPF database.
  EXEC Privilege mode
  show ip ospf database
• View the configuration of OSPF neighbors connected to the local router.
Basic OSPFv2 Router Topology
The following illustration is a sample basic OSPFv2 topology.
Figure 103. Basic Topology and CLI Commands for OSPFv2

OSPF Area 0 — Te 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface TengigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TengigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.
OSPF Area 0 — Te 2/1 and 2/2
router ospf 22222
 network 192.168.100.0/24 area 0
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface TengigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface TengigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown

OSPFv3 NSSA
NSSA (Not-So-Stubby-Area) is a stub area that does not support Type-5 LSAs, but supports Type-7 LSAs to forward external links.
Enable OSPFv3 for IPv6 by specifying an OSPF process ID and an area in INTERFACE mode. If you have not created an OSPFv3 process, it is created automatically. All IPv6 addresses configured on the interface are included in the specified OSPF process. NOTE: IPv6 and OSPFv3 do not support Multi-Process OSPF. You can only enable a single OSPFv3 process. To create multiple OSPF processes you need to have multiple VRFs on a switch.
• area-id: the area ID for this interface.

Assigning OSPFv3 Process ID and Router ID Globally
To assign, disable, or reset OSPFv3 globally, use the following commands.
• Enable the OSPFv3 process globally and enter OSPFv3 mode.
  CONFIGURATION mode
  ipv6 router ospf {process ID}
  The range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
  CONF-IPV6-ROUTER-OSPF mode
  router-id {number}
  number: the IPv4 address. The format is A.B.C.D.
  ipv6 ospf interface-cost
  interface-cost: The range is from 1 to 65535. The default cost is based on the bandwidth.
• Specify how the OSPF interface cost is calculated using the reference bandwidth method. The cost of an interface is calculated as reference bandwidth / interface speed.
  ROUTER OSPFv3 mode
  auto-cost [reference-bandwidth ref-bw]
  To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [reference-bandwidth ref-bw] command.
• bgp | connected | static: enter one of the keywords to redistribute those routes.
• metric metric-value: The range is from 0 to 4294967295.
• metric-type metric-type: enter 1 for OSPFv3 external route type 1 or 2 for OSPFv3 external route type 2.
• route-map map-name: enter the name of a configured route map.
• tag tag-value: The range is from 0 to 4294967295.

Configuring a Default Route
To generate a default external route into the OSPFv3 routing domain, configure the following parameters.
OSPFv3 Authentication Using IPsec: Configuration Notes
OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552.
• To use IPsec, configure an authentication (AH) or encryption (ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is transparent to the user.
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
• Remove an IPsec authentication policy from an interface.
The security policy index (SPI) value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each interface in an OSPFv3 link. If you have enabled IPsec encryption in an OSPFv3 area using the area encryption command, you cannot use the area authentication command in the same area at the same time. An IPsec authentication policy configured on an interface takes precedence over an area-level configuration.
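The rules above (key length by algorithm and key type, one SPI per policy, no area authentication alongside area encryption, interface policy winning over area policy, both ends of a link sharing SPI and key) are easy to get wrong when policies are typed by hand, and a mismatch only shows up as neighbors that never come up. The following checker is an added example written for this page, not code from the guide or from Dell Networking OS. It models each policy as a dictionary with the fields the CLI takes; the interface names, SPIs and keys in the sample are constructed, and an encryption policy's ESP cipher key is not modelled, only the authentication key attached to it.

```python
import re

# Required key length in hex digits (from the guide): MD5 32/64, SHA-1 40/80,
# where the longer form is the encrypted (key-authentication-type 7) form.
KEY_HEX_DIGITS = {("md5", 0): 32, ("md5", 7): 64, ("sha1", 0): 40, ("sha1", 7): 80}


def key_problems(algorithm, key_type, key):
    """Return the problems with one authentication key (empty list when it is valid)."""
    expected = KEY_HEX_DIGITS.get((algorithm.lower(), key_type))
    if expected is None:
        return [f"unsupported algorithm/key type {algorithm}/{key_type}"]
    problems = []
    if not re.fullmatch(r"[0-9A-Fa-f]*", key):
        problems.append("key is not a hex string")
    if len(key) != expected:
        problems.append(f"{algorithm} type-{key_type} key needs {expected} hex digits, has {len(key)}")
    return problems


def policy_problems(policies):
    """Check one router's OSPFv3 IPsec policies (dicts with scope, name, kind,
    spi, algorithm, key_type, key) against the guide's rules: unique SPI per
    policy, no area authentication together with area encryption, sized keys."""
    problems, seen_spi, area_kinds = [], {}, {}
    for p in policies:
        where = f"{p['scope']} {p['name']} {p['kind']}"
        if p["spi"] in seen_spi:
            problems.append(f"SPI {p['spi']} reused by {where} (already used by {seen_spi[p['spi']]})")
        else:
            seen_spi[p["spi"]] = where
        if p["scope"] == "area":
            area_kinds.setdefault(p["name"], set()).add(p["kind"])
        problems += [f"{where}: {k}" for k in key_problems(p["algorithm"], p["key_type"], p["key"])]
    for area, kinds in area_kinds.items():
        if {"authentication", "encryption"} <= kinds:
            problems.append(f"area {area}: authentication and encryption cannot both be configured")
    return problems


def effective_policy(interface, area, policies):
    """An interface-level policy takes precedence over the policy of the interface's area."""
    for scope, name in (("interface", interface), ("area", area)):
        for p in policies:
            if p["scope"] == scope and p["name"] == name:
                return p
    return None


def link_policies_match(local, remote):
    """Both ends of an OSPFv3 link must carry the same SPI and key."""
    return (local["spi"], local["key"]) == (remote["spi"], remote["key"])


# Constructed sample configuration; the third policy carries three deliberate mistakes
# (reused SPI, 63-digit key, authentication in an area that already has encryption).
SAMPLE_POLICIES = [
    {"scope": "interface", "name": "TenGigabitEthernet 0/1", "kind": "authentication",
     "spi": 300, "algorithm": "md5", "key_type": 0, "key": "0123456789abcdef0123456789abcdef"},
    {"scope": "area", "name": "1", "kind": "encryption",
     "spi": 301, "algorithm": "sha1", "key_type": 0, "key": "a" * 40},
    {"scope": "area", "name": "1", "kind": "authentication",
     "spi": 300, "algorithm": "md5", "key_type": 7, "key": "f" * 63},
]

if __name__ == "__main__":
    for problem in policy_problems(SAMPLE_POLICIES):
        print(problem)
```

Run the checker over both routers' policies before bringing an OSPFv3 link up, and compare the two interface policies with link_policies_match; a key of the wrong length is rejected by the CLI, but a reused SPI or a mismatched key between neighbors is not, and the only symptom is a missing adjacency.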
• key-authentication-type: (optional) specifies whether the authentication key is encrypted. The valid values are 0 (non-encrypted) and 7 (encrypted).
• Remove an IPsec encryption policy from an OSPFv3 area.
  no area area-id encryption ipsec spi number
• Display the configuration of IPsec encryption policies on the router.
  show crypto ipsec policy

Displaying OSPFv3 IPsec Security Policies
To display the configuration of IPsec authentication and encryption policies, use the following commands.
The following example shows the show crypto ipsec sa ipv6 command.
• debug ipv6 ospf events and/or packets
• show ipv6 neighbors
• show ipv6 routes

Viewing Summary Information
To get general route, configuration, link status, and debug information, use the following commands.
• View the summary information of the IPv6 routes.
  EXEC Privilege mode
  show ipv6 route summary
• View the summary information for the OSPFv3 database.
  EXEC Privilege mode
  show ipv6 ospf database
• View the configuration of OSPFv3 neighbors.
MIB Object: ospfv3NbrEntry
OID: 1.3.6.1.2.1.191.1.9.1
Description: Contains a table describing all neighbors in the locality of the OSPFv3 router.

Viewing the OSPFv3 MIB
• To view the OSPFv3 MIB generated by the system, use the following command.

snmpwalk -c ospf1 -v2c 10.16.133.129 1.3.6.1.2.1.191.1.1
SNMPv2-SMI::mib-2.191.1.1.1.0 = Gauge32: 336860180
SNMPv2-SMI::mib-2.191.1.1.2.0 = INTEGER: 1
SNMPv2-SMI::mib-2.191.1.1.3.0 = INTEGER: 3
SNMPv2-SMI::mib-2.191.1.1.4.0 = INTEGER: 1
SNMPv2-SMI::mib-2.191.1.

NOTE: The example uses SNMPv2c, which sends the community string (ospf1 here) in clear text with every request. Restrict that community to read-only access from management hosts, and prefer SNMPv3 where it is available.
37 Per-VLAN Spanning Tree Plus (PVST+)
Protocol Overview
A sample PVST+ topology is shown below. For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.
Figure 104. Per-VLAN Spanning Tree
The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.

Table 66. Spanning Tree Versions Supported
Dell Networking Term                   IEEE Specification
Spanning Tree Protocol (STP)           802.1d
Rapid Spanning Tree Protocol (RSTP)    802.
Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell Networking systems in a multivendor network, verify that the costs are the values you intended.

Configure Per-VLAN Spanning Tree Plus
Configuring PVST+ is a four-step process.
Influencing PVST+ Root Selection As shown in the previous PVST+ illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TengigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing. Figure 105.
Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32
Port 375 (TengigabitEthernet 1/22) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.375
Designated root has priority 4096, address 0001.e80d.b6:d6
Designated bridge has priority 4096, address 0001.e80d.b6:d6
Designated port id is 128.
Table 67. Default Values for Port Cost
Port Cost                                          Default Value
100-Mb/s Ethernet interfaces                       200000
1-Gigabit Ethernet interfaces                      20000
10-Gigabit Ethernet interfaces                     2000
Port Channel with 100 Mb/s Ethernet interfaces     180000
Port Channel with 1-Gigabit Ethernet interfaces    18000
Port Channel with 10-Gigabit Ethernet interfaces   1800

NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs. Other implementations use IEEE 802.1w costs as the default costs.
• You can clear the Error Disabled state with any of the following methods:
  • Perform a shutdown command on the interface.
  • Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
  • Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
  • Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.73f7
We are the root of Vlan 5
Configured hello time 2, max age 20, forward delay 15

PVST+ Sample Configurations
The following examples provide the running configurations for the topology shown in the previous illustration.
 no disable
 vlan 200 bridge-priority 4096

Example of PVST+ Configuration (R3)
interface TengigabitEthernet 3/12
 no ip address
 switchport
 no shutdown
!
interface TengigabitEthernet 3/22
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TengigabitEthernet 3/12,22
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 30
38 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message. This behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP. Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1.
• Creating Multicast Boundaries and Domains

Enable PIM-SM
You must enable PIM-SM on each participating interface.
1. Enable multicast routing on the system.
   CONFIGURATION mode
   ip multicast-routing
2. Enable PIM-Sparse mode.
   INTERFACE mode
   ip pim sparse-mode
To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode.

show ip pim interface
Address    Interface   Ver/Mode
1.1.1.1    Te 1/0      v2/S
2.1.1.1    Te 11/0     v2/S
5.1.1.1    Vl 10       v2/S
6.1.1.
To configure a global expiry time or the expiry time for a particular (S,G) entry, use the following command.
Enable the global expiry timer for (S,G) entries.
CONFIGURATION mode
ip pim sparse-mode sg-expiry-timer seconds
The range is from 211 to 86,400 seconds. The default is 210.

Dell(conf)#ip pim sparse-mode sg-expiry-timer 1800

To display the expiry time configuration, use the show running-config pim command from EXEC Privilege mode.
with the greatest priority value is the DR. If the priority value is the same for two routers, the router with the greatest IP address is the DR. By default, the DR priority value is 192, so the IP address determines the DR.
• Assign a DR priority value.
  INTERFACE mode
  ip pim dr-priority priority-value
• Change the interval at which a router sends hello messages.
  INTERFACE mode
  ip pim query-interval seconds
• Display the current value of these parameters.
Candidate BSR address: 7.7.7.
39 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify the range of addresses that should use SSM.
   CONFIGURATION mode
   ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
   CONFIGURATION mode
   ip pim ssm-range acl-name
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.

R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface   Mode            Uptime
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:07
  Member Ports: Te 1/1
239.0.0.1       Vlan 400    INCLUDE         00:00:10   Never   10.11.4.2
R1(conf)#do show ip igmp ssm-map
IGMP Connected Group Membership
Group Address   Interface   Mode            Uptime
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:36
  Member Ports: Te 1/1
R1(conf)#do show ip igmp ssm-map 239.0.0.
3. If you configure a secondary VLT peer as an E-BSR, then in case of an ICL flap or failover the VLT LAG goes down, resulting in a BSM timeout in the PIM domain and the election of a new BSR. Hence, it is recommended to configure the primary VLT peer as the E-BSR.
To enable BSR election for IPv4 or IPv6, perform the following steps:
1. Enter the following IPv4 or IPv6 command to make a PIM router a BSR candidate:
   CONFIGURATION mode
   ip pim bsr-candidate
   ipv6 pim bsr-candidate
2.
NOTE: You can create the ACL list of multicast prefix using the ip access-list standard command.
40 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Configuration Task List for Policy-based Routing
To enable PBR:
• Create a Redirect List
• Create a Rule for a Redirect-list
• Create a Track-id list. For complete tracking information, refer to the Object Tracking chapter.
• Apply a Redirect-list to an Interface using a Redirect-group

Create a Redirect List
Use the following command in CONFIGURATION mode:
Table 68.
track: keyword to enable tracking. track is used to track the object-id of a host-reachability track object. Enter a number from 1 to 500. The track object should correspond to host tracking of the forwarding router's IP address (the next hop) configured in this rule.
          Match only packets on a given port number
  fin     Match on the fin bit
  gt      Match only packets with a greater port number
  lt      Match only packets with a lower port number
  neq     Match only packets not on a given port number
  psh     Match on the psh bit
  range   Match only packets in the range of port numbers
  rst     Match on the rst bit
  syn     Match on the syn bit
  urg     Match on the urg bit
  <cr>
Dell(conf-redirectlist)#redirect 1.1.1.
  A.B.C.D   Source address
  any       Any source host
  host      A single source host
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ?
  Mask A.B.C.D or /nn   Mask in dotted decimal or in
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 ?
  A.B.C.D   Destination address
  any       Any destination host
  host      A single destination host
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.1
  Mask A.B.C.D or /nn   Mask in dotted decimal or in
Dell(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 /32 77.1.1.
To ensure that the permit statement (the PBR exception) takes effect, give it a lower sequence number than the redirect rule it is an exception to; rules are evaluated in sequence order and the first match wins, as shown below:

ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any

Apply a Redirect-list to an Interface using a Redirect-group
IP redirect lists are supported on physical interfaces as well as VLAN and port-channel interfaces.
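A redirect list is a first-match policy, so a permit placed after a broader redirect rule is dead configuration: the host it was meant to exempt is still redirected, and nothing in the CLI flags it. The following evaluator is an added example written for this page, not code from the guide or from Dell Networking OS. It parses the rcl0 list above and its reversed counterpart (both constructed), evaluates packets the way the switch does, and reports rules that an earlier rule already covers. TCP/UDP port matches, track objects and tunnel next hops are not modelled.

```python
import ipaddress

ANY4 = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D/nn' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY4, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_rule(line):
    """Parse 'seq N permit <proto> <src> <dst>' or
    'seq N redirect <next-hop> <proto> <src> <dst>'."""
    t = line.split()
    rule = {"seq": int(t[1]), "action": t[2], "next_hop": None}
    i = 3
    if t[2] == "redirect":
        rule["next_hop"], i = t[3], 4
    rule["proto"] = t[i]
    rule["src"], i = _parse_addr(t, i + 1)
    rule["dst"], i = _parse_addr(t, i)
    return rule


def parse_redirect_list(text):
    """Return the rules of one redirect list sorted by sequence number (evaluation order)."""
    rules = [parse_rule(l.strip()) for l in text.splitlines() if l.strip().startswith("seq ")]
    return sorted(rules, key=lambda r: r["seq"])


def lookup(rules, proto, src, dst):
    """First-match evaluation: the next hop of the matching redirect rule, or None
    when a permit rule matches first or nothing matches (normal routing)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] in ("ip", proto) and s in r["src"] and d in r["dst"]:
            return r["next_hop"]
    return None


def shadowed(rules):
    """Sequence numbers of rules that an earlier rule covers completely, so they never match."""
    out = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e["proto"] in ("ip", r["proto"])
                    and r["src"].subnet_of(e["src"]) and r["dst"].subnet_of(e["dst"])):
                out.append(r["seq"])
                break
    return out


# Constructed redirect lists: the guide's rcl0 ordering, and the same two rules reversed.
RCL0_CORRECT = """
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
"""
RCL0_WRONG = """
ip redirect-list rcl0
 seq 10 redirect 2.2.2.2 ip any any
 seq 15 permit ip host 3.3.3.3 any
"""

if __name__ == "__main__":
    for name, text in (("correct", RCL0_CORRECT), ("wrong", RCL0_WRONG)):
        rules = parse_redirect_list(text)
        print(name, "3.3.3.3 ->", lookup(rules, "ip", "3.3.3.3", "8.8.8.8"),
              "shadowed:", shadowed(rules))
```

Feeding show running-config output for each list through shadowed() before applying it with ip redirect-group catches the reversed ordering: in the wrong list the permit at seq 15 is reported as unreachable and host 3.3.3.3 is redirected to 2.2.2.2 like everything else.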
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32/1)
seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 15 redirect tunnel 2 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32/1)
seq 35 redirect 155.1.1.2 track 5 ip 7.7.7.0/24 8.8.8.0/24, Track 5 [up], Next-hop reachable (via Po 5)
seq 30 redirect 155.1.1.2 track 6 icmp host 8.8.8.
INTERFACE mode
ip redirect-group redirect-list-name test l2-switch
• redirect-list-name is the name of a redirect list to apply to this interface. FORMAT: up to 16 characters
• You can use the l2-switch option to apply the redirect list to Layer 2 traffic.
NOTE: You can apply the l2-switch option to redirect Layer 2 traffic only on a VLAN interface. This VLAN interface must be configured with an IP address for ARP resolution. The Layer 2 PBR option matches the Layer 2 traffic flow.
Create the Redirect-List GOLD
EDGE_ROUTER(conf-if-Te-2/23/1)#ip redirect-list GOLD
EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD.
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.1.0/24 any
EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any
EDGE_ROUTER(conf-redirect-list)#seq 15 permit ip any any
EDGE_ROUTER(conf-redirect-list)#show config
!
ip redirect-list GOLD
 description Route GOLD traffic to ISP_GOLD.
 seq 5 redirect 10.99.99.
View Redirect-List GOLD
EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
Defined as:
seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23/1), ARP resolved
seq 10 redirect 10.99.99.254 ip 192.168.2.
hop reachable (via Vl 20)
Applied interfaces:
Te 2/28
Dell#

Configuration Tasks for Creating a PBR List Using Explicit Track Objects for Tunnel Interfaces
Creating steps for tunnel interfaces:
Dell#configure terminal
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#tunnel destination 40.1.1.2
Dell(conf-if-tu-1)#tunnel source 40.1.1.1
Dell(conf-if-tu-1)#tunnel mode ipip
Dell(conf-if-tu-1)#tunnel keepalive 60.1.1.2
Dell(conf-if-tu-1)#ip address 60.1.1.
Verify the Applied Redirect Rules:
Dell#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Next-hop reachable (via Te 1/32)
seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
41 Port Extenders (PEs)
IEEE 802.1BR
The IEEE 802.1BR protocol allows a controlling bridge to use IEEE LAN technologies to discover and manage port extenders. The following illustration shows how a controlling bridge connects through an automatically established port channel (auto-LAG) to an uplink port on one or more port extenders.
Figure 107. Controlling Bridge with Port Extenders
1. Controlling Bridge (C9010)
2. Cascade ports on controlling bridge
3. 10GbE uplink ports on PEs
4.
5. PE stack
802.1BR Term         Definition
Port extender (PE)   A bridge port extender that is not physically part of a controlling bridge, but is controlled by the controlling bridge.
Upstream port        A port on a bridge port extender that connects to a cascade port. In the case of a connection between two bridge port extenders, the upstream port is the port furthest from the controlling bridge.
PORT-EXTENDER CONFIGURATION mode
Dell(conf-pe-0)# cascade interface interface-type slot/port-range
• interface interface-type specifies a C9010 10-Gigabit Ethernet interface. The only supported value is TenGigabitEthernet slot/port-range.
• slot/port-range specifies a C9010 10GbE port, including the slot number and either a single port number, a port range, or a combination of both for auto-LAG configuration.
  • The range of slot numbers is from 0 to 11.
NOTE: In the User-Configured Cascade Ports field, A (active) indicates that a C9010 port is up (no shutdown) and configured as a cascade port; I (inactive) indicates that a port is down and configured as a cascade port.

Dell# show interface port-channel brief
Codes: L - LACP Port-channel
       O - OpenFlow Controller Port-channel
       A - Auto Port-channel
  LAG  Mode  Status  Uptime    Ports
A 258  N/A   up      14:45:26  Te 0/1,2 (up)

Port Extender Limit
You can connect a maximum of 80 PE units to the C9010 control bridge.
provisioned for PE 10; port 1/12 is provisioned for PE 20. As a result, only PE 10 comes online. PE 20 remains offline and its configured cascade port is placed in an error state.
PE-id: Not Assigned
PE MAC: 00:01:02:03:22:02
Interface Errors:
TenGigabitEthernet 1/8 - Error State

• You may connect a PE to a parent C9010 using both uplink ports but provision the PE with only the cascade port attached to one of the uplink ports. In this case, the auto-LAG is created with only the provisioned cascade port when the PE comes online. In the following example, PE 10 is provisioned to connect only to cascade port 1/12.
• pe-id is a port-extender ID number from 0 to 255.

Dell# connect pe 254
Login: peadmin
Password: calvin

NOTE: The login name and password in this example are printed in this guide and are therefore publicly known; do not rely on them for access control to a PE.

Displaying PE Status
To verify the operational status of a port extender attached to a C9010, enter any of the show commands in this section. In the command output, online indicates that a port extender is up; offline indicates that a port extender is down.
ECP Tx: 10
ECP Rx Ack: 10
ECP Dropped: 0
ECP Rx: 6
ECP Tx Ack: 6

Dell#show pe 10 system brief
Stack MAC : a0:68:00:3f:92:bc
-- Stack Info --
Unit  UnitType    Status       ReqTyp   CurTyp   Version    Ports
------------------------------------------------------------------
0     Management  online       C1048P   C1048P   9-9(0-5)   52
1     Member      not present
2     Standby     not present  C1048P
3     Member      not present  C1048P
4     Member      not present
5     Member      not present
6     Member      not present
7     Member      not present
-- Power Supplies --
Unit Bay S
1. Enter Configuration mode.
   CONFIGURATION mode
   Dell(conf)# mac-address-table station-move threshold number interval seconds
   • number is the threshold value. The range is from 5 to 50. After you enter a threshold value, you can specify a time interval in seconds. The range is from 1 to 60 seconds.
   Dell(conf)# mac-address-table station-move threshold 5 interval 30
   NOTE: Dell Networking OS recommends that you use this command because xSTP protocols are not supported on PEs.
2.
• At the kernel, the following validations are done:
  • Any control PDU (LACP, LLDP, ARP, DHCP, and so on) received at the CB is first checked for a source MAC address that matches any one of its PEX interface addresses.
  • In this scenario the source MAC could be the system MAC, in which case the receiving PE interface is brought down to cut the loop.
This loop is broken based on the data traffic or control PDUs received at the PE. If there is data traffic at the PE and continuous station moves between the PE and LM interfaces, the PE interface is brought down. If there is no data traffic on the LAN, control PDUs received at the PE are used to break the loop.
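Because spanning tree does not run on PE ports, the station-move threshold is the only data-plane signal that a loop exists: a MAC address that keeps flapping between a PE port and another port within the configured interval is the symptom, and shutting the PE-facing port is the response. The detector below is an added example written for this page, not code from the guide or from Dell Networking OS; it replays constructed MAC-learn events through the threshold/interval logic of the mac-address-table station-move command. Port names and the mapping of which ports face a PE are assumptions supplied by the caller.

```python
from collections import defaultdict, deque


class StationMoveDetector:
    """Counts station moves per MAC inside a sliding window, mirroring
    'mac-address-table station-move threshold <number> interval <seconds>'
    (threshold 5-50, interval 1-60 per the guide). When the threshold is reached,
    the PE-facing side of the flap is returned so the caller can shut it down."""

    def __init__(self, threshold=5, interval=30, pe_ports=()):
        if not 5 <= threshold <= 50:
            raise ValueError("threshold must be between 5 and 50")
        if not 1 <= interval <= 60:
            raise ValueError("interval must be between 1 and 60 seconds")
        self.threshold, self.interval = threshold, interval
        self.pe_ports = set(pe_ports)        # ports known to face a PE (caller's assumption)
        self.last_port = {}                  # mac -> port it was last learned on
        self.moves = defaultdict(deque)      # mac -> timestamps of recent moves
        self.disabled = set()                # ports already brought down

    def learn(self, ts, mac, port):
        """Feed one MAC-learn event (seconds, MAC, port); return the port to
        err-disable when the threshold is crossed, otherwise None."""
        if port in self.disabled:
            return None                      # a down port learns nothing
        prev = self.last_port.get(mac)
        self.last_port[mac] = port
        if prev is None or prev == port:
            return None                      # first sighting, or no move
        window = self.moves[mac]
        window.append(ts)
        while window and ts - window[0] > self.interval:
            window.popleft()                 # forget moves outside the interval
        if len(window) < self.threshold:
            return None
        # Threshold reached inside the interval: the guide says the PE interface is
        # the one brought down, so prefer whichever side of the flap faces a PE.
        victim = port if port in self.pe_ports else prev if prev in self.pe_ports else port
        self.disabled.add(victim)
        window.clear()
        return victim


# Constructed events (timestamp, MAC, port). "pe 200/0/5" is a made-up PE port name.
# The first MAC flaps once per second between a CB port and the PE port; the
# second flaps every 40 s, slower than the 30 s interval, and must not trigger.
FAST_FLAP = [(t, "00:11:22:33:44:55", ("Te 0/1", "pe 200/0/5")[t % 2]) for t in range(8)]
SLOW_FLAP = [(t * 40, "00:11:22:33:44:66", ("Te 0/1", "pe 200/0/5")[t % 2]) for t in range(8)]


def run(events, threshold=5, interval=30):
    """Return the ports the detector err-disables for one sequence of events."""
    det = StationMoveDetector(threshold, interval, pe_ports={"pe 200/0/5"})
    return [p for p in (det.learn(*e) for e in events) if p is not None]


if __name__ == "__main__":
    print("fast flap disables:", run(FAST_FLAP))
    print("slow flap disables:", run(SLOW_FLAP))
```

With the guide's threshold 5 / interval 30, the fast flap is shut down on the fifth move, which happens at second 5, and the slow flap never accumulates more than one move inside any 30-second window. Lowering the interval or raising the threshold trades detection speed against false positives from legitimate moves such as a host migrating between PE ports.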
• rpmA: or rpmB: specifies the flash partition (A: or B:) on the controlling bridge where the OS version to use for the PE upgrade is stored.

Dell#upgrade system-image pe all rpmB:
!!!!!!!!!!!!!!!!!!!
Sep 7 13:03:32: %PE255-UNIT1-M:CP %DOWNLOAD-6-UPGRADE: Upgrade reques
Bridge.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
PE (255) Image upgraded successfully.

2. After the upgrade is successful, reload the PE or PE stack.
RPM 1   Backup FPGA   2.0
RPM 1   IAP           3.2

PE RELEASE IMAGE INFORMATION :
---------------------------------------------------------------------
Platform          Version    Size       ReleaseTime
C-Series:C1048P   9.9(0.0)   27132051   Sep 4 2015 09:59:54

PE BOOT IMAGE INFORMATION :
---------------------------------------------------------------------
Type         Version   Target   Checksum
boot flash   3.3.1.
pe-version-compat-support enable
2. Schedule a reboot or upgrade of the PEs that are in state SVC but have a version mismatch with the CB, using the following command:
   reset pe schedule at 0:10-12/29/2017 range 1,3,5-10 no-confirm
   This command resets all PEs with pe-ids 1, 3, and 5 through 10 at 00:10 on December 29, 2017.
3.
• STP Edge port support on PE interfaces
• VLAN stacking
• VLT

Dual Homing
Dual homing provides support to manage and control the PEs from both the primary and the secondary chassis in a VLT setup. The C9010 switch supports dual homing using port extenders. You can also stack the port extenders in a dual homing setup. The following figure shows PE dual homing, where the port extenders are dual-homed to a pair of C9010 switches.
Figure 108.
2. There is a CB connected to PE and a standalone CB. You can physically connect the CBs and then configure them as VLT peers. Then physically connect the uplink ports of the PE to each of the VLT peers. The system starts functioning as a dual homing setup. Refer to Standalone System. 3. There are two standalone CBs not connected to PEs. You can physically connect the CBs and then configure them as VLT peers. Then physically connect the uplink ports of the PE to the VLT peers.
NOTE: After saving the configuration to the startup-config, reload the system with unit ID 1. This is mandatory; proceed with further configuration only after reloading the system.
6. Add the VLTi so that election can take place between the systems.
7. System A and System B become VLT peers after the election of the primary and secondary VLT units.
8. The PE connected to the primary is online and the PE connected to the secondary remains offline.
9.
Cascade LAG: Po 258, Local Status: Up, Remote Status: Up
PE Configuration: Local Status: Present, Remote Status: Present
-----------------------------------------------------------------------
Stack-id Status Reason Type UnitMac No.
3. Remove the disconnected interface (Te 0/1) from the configuration of PE 1 in System A. The configuration is already present in System A and must be removed.
   PE CONFIGURATION (BATCH mode)
   no cascade interface interface slot/port
   Dell(conf-b-pe-1)# no cascade interface TenGigabitEthernet 0/1
4. Configure the cascade interface of System B through the batch mode of System A and commit the configuration.
3. Configure the PE interface through the batch mode of System A.
   PE CONFIGURATION (BATCH mode)
   Dell#cascade interface TenGigabitEthernet 0/0
4. Configure the cascade interface of System B through the batch mode of System A and commit the configuration.
Dell#show running-config pe
!
feature extended-bridge
!
pe provision 200
 cascade interface TenGigabitEthernet 0/22-23
 stack-unit 2 type C1048P

Dell#show pe brief
-- Port Extenders Information --
----------------------------------------------------------
PE-id  Status  Stack-size  Type    System-MAC
----------------------------------------------------------
200    online  1           C1048P  f8:b1:56:00:02:8a

Dell#show pe 200
Codes: A - Active, I - Inactive
       SVC - Software Version Compatible
Reason: CTM - Card Type Mismatch, CAM - CAM
Proceed Boot Flash image for all cards [yes/no]: yes
!!!!!!
Sep 7 19:20:23: %RPM0-P:CP %DOWNLOAD-6-UPGRADE: PE 0 manual upgrade result - upgrade success.
!!!!!
Bootflash image upgrade for all cards completed successfully.
Warning: Kindly save the system configuration before reloading.
Dell#

2. Use the upgrade system-image all command to upgrade the image in both the CB and the PE.
Dell#upgrade system-image all ftp: B:
Address or name of remote host []: 10.16.127.141
Source file name []: $w/Releases/E9.9.
PE-ID assigned: 200
Status: offline
System Mac: f8:b1:56:00:02:8a
PE Up Time: 00:00:00
PE Discovery Status: Provisioned
PE User Configured Cascade Ports: Te 0/22(A),Te 0/23(A)
Cascade LAG: Po 458(Up)
-----------------------------------------------------------------------
Stack-id Status Reason Type UnitMac No.
changed to 1 (Current temperature 36C).
Image upgraded to all linecards
C9010-2#

2. Change the boot parameters to boot from the upgraded partition. Save and reload the secondary VLT peer.
C9010-2#configure terminal
C9010-2(conf)#boot system rpm0 primary system: B:
C9010-2(conf)#boot system rpm1 primary system: B:
C9010-2(conf)#end
C9010-2#reload
System configuration has been modified. Save? [yes/no]: yes
!
Synchronizing data to peer RPM
!!!
Proceed with reload [confirm yes/no]: yes
All VLT LAG's gracefully shut down...
Proceed with reload [confirm yes/no]: yes
All VLT LAG's gracefully shut down...!!!
Starting to save trace messages...done.
syncing disks... done
unmounting file systems...
unmounting /f10/phonehome (tmpfs)...
unmounting /f10/flash (/dev/wd0e)...
unmounting /f10/ConfD/db (mfs:295)...
unmounting /usr/pkg (/dev/wd0i)...
unmounting /boot (/dev/wd0b)...
unmounting /usr (tmpfs)...
unmounting /force10 (mfs:19)...
unmounting /lib (tmpfs)...
unmounting /f10 (tmpfs)...
unmounting /tmp (tmpfs)...
• PVLAN
• Station move
• Routing and ECMP
IPv6
• NDP and routing
• VRF
Layer 2
• MAC Synchronization
• PVLAN
• MAC Learning Limit
• BPDU guard
• Loop Detection
Multicast
• IGMP Snooping
• PIM
PBR
Power Over Ethernet
QoS

CLIs Supported on Primary VLT Node
In a dual homing setup, the following commands work only from the primary VLT peer.
42 Port Extender (PE) Stacking You can stack up to eight port extenders using the mini-SAS stack ports on the back panel. The C1048P supports stacking only with other C1048P port extenders. The N20xx series devices support stacking only with other N20xx series port extenders. The N30xx series devices support stacking only with other N30xx series port extenders. Stacking is not supported on C9010 switches.
NOTE: If a stack unit does not boot up at the same time as the other units, it does not participate in the election process, because the master and standby have already been elected. A unit that boots up late (even if it has a higher priority configured) joins as a member. To display the PE stack master, enter the show pe pe-id system brief command. The following example shows output from an established stack.
3. Configure the cascade ports on the C9010 which are attached to PE stack units. The cascade ports must be operationally up (the no shutdown command) and have a default port configuration with no L2 and L3 configuration. The port interfaces must be the same type. You can configure up to sixteen C9010 ports in the auto-LAG. The generated auto-LAG number is from 258 to 513.
        SVM - Software Version Mismatch, UE - Unknown Error
Offline Reason: UNP - Unit Not Present, PVE - Port Validation Error
                ICE - IPC CP Error, IRE - IPC RP Error
                ISE - IPC Setup Error, CVE - Card Validation Error
PE-ID assigned: 2
Status: online
System Mac: a0:68:00:3f:92:bc
PE Up Time: 14:06:37
PE Discovery Status: Provisioned
PE User Configured Cascade Ports: Te 0/0(A)
Cascade LAG: Po 258, Local Status: Up, Remote Status: Up
PE Configuration: Local Status: Present, Remote Status: Present
--------------------
Where:
• pe pe-id is the PE ID number. The range is from 0 to 255.
• stack-unit unit-id is the stack-unit ID number. The range is from 0 to 7.
• renumber renumber is the new stack-unit ID.

Dell# pe 200 stack-unit 3 renumber 5

Renumbering the stack master triggers a stack reload, as shown in the following message. When the stack comes back online, the master unit remains the management unit.

Renumbering management unit will reload the stack.
The following example shows the redundancy reset-counter pe command.

Dell #redundancy reset-counter pe 0

• Display redundancy information.
  EXEC Privilege mode
  show redundancy pe pe-id
  pe-id — Port-extender identifier of the master stack unit. The range is from 0 to 255.

The following example shows the show redundancy pe command.
3   Standby   online        C1048P   C1048P   1-0(0-4149)   52
4   Member    not present
5   Member    not present
6   Member    not present
7   Member    not present

The following example displays the status of stack-unit 1 after it is removed from the PE stack.
5   online   C1048P   cb:28:00:42:bd:7c   52
6   online   C1048P   62:74:00:41:54:01   52
7   online   C1048P   6c:c0:00:43:11:11   52

• Display summary information about the PE stack units attached to the master PE. Enter the PE ID of the master unit.
Service Tag     : CL73Z01
Expr Svc Code   : 274 031 203 69
Auto Reboot     : enabled
Burned In MAC   : f8:b1:56:00:02:d1
No Of MACs      : 66

-- Power Supplies --
Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
------------------------------------------------------------
2     0    up      AC    NA         NA
2     1    up      DC    NA         NA

-- Fan Status --
Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
-----------------------------------------------------------
2     0    up          up    9056   up    9056
Speed in RPM

• Display the type of stack topology (ring or daisy chain) with a list of a
When the uplink port is converted to access port, Dell EMC Networking OS creates a logical peTenGigE interface based on the 10/100/1000BASE-T Ports in the PE. There is a maximum of 4 uplink ports in a PE. The C1048P and N20xx have two standard uplink ports in the front panel, while the N30xx have two standard uplink ports in the front panel and one expansion slot for plug-in module on the back panel. The expansion slot supports 10GBASE-T or SFP+ module and each module has two ports. Figure 115.
NOTE: When a PE is reloaded, its uplink ports come up as uplink ports by default, even if they have been configured as access ports. After the PE connects to the CB, the system converts the uplink ports to access ports. Until the conversion, some LLDP packets are advertised.

Configuring Uplink Ports as Access Ports
Under the PE provision configuration, you can configure the uplink ports as access ports using the following steps:
1. Enter Port-Extender Configuration mode to provision a PE.
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     0 packets, 0 bytes, 0 underruns
     0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     0 Multicasts, 0 Broadcasts, 0 Unicasts
     0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Rate info (interval 299 seconds):
     Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
     Output 00.00 Mbits/sec, 0 packets/sec, 0.
Using PE Console Commands To debug an error condition in a PE stack, you can connect a console to the console port on the master unit and enter PE console commands. Contact Dell Networking support for assistance. The supported PE console commands are described in the C9000 Series Command-Line Reference Guide.
43 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. The Dell Networking OS supports the following mirroring techniques:
• Port monitoring — Monitors network traffic by forwarding a copy of incoming and outgoing packets from a source port to a destination port on the same network router.
Figure 116. Port Monitoring Configurations Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
Example of Configuring Another Monitoring Session with a Previously Used Destination Port
Dell(conf)#mon ses 300
Dell(conf-mon-sess-300)#source tengig 0/17 destination tengig 0/4 direction tx
%Unable to create MTP entry for MD tenG 0/17 MG tenG 0/4 in stack-unit 0 port-pipe 0.
  • tx: to monitor transmitting packets only.
  • both: to monitor both transmitting and receiving packets.
• flow-based enable — Specify flow-based enable for mirroring on a flow-by-flow basis and also for VLAN as source.
• destination interface — Enter one of the following keywords and slot/port information.
  NOTE: You cannot configure cascade ports as a destination port.
  • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Remote Port Mirroring Local port monitoring allows you to monitor traffic from one or more source ports by directing it to a destination port on the same switch/ router. Remote port mirroring allows you to monitor Layer 2 and Layer 3 ingress and/or egress traffic on multiple source ports on different switches and forward the mirrored traffic to multiple destination ports on different switches.
Figure 118. Remote Port Mirroring Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• The reserved remote-mirroring VLAN can use any VLAN ID from 2 to 4094; the default VLAN cannot be used.
• In mirrored traffic, packets that have the same destination MAC address as an intermediate or destination switch in the path used by the reserved VLAN to transport the mirrored traffic are dropped by the switch that receives the traffic if the switch has a L3 VLAN configured.
To display the current configuration of the reserved VLAN, enter the show vlan command.
Dell(conf)#interface vlan 100
Dell(conf-if-vl-100)#mac access-group mac_acl1 in
Dell(conf-if-vl-100)#exit
Dell(conf)#inte te 0/30
Dell(conf-if-te-0/30)#no shutdown
Dell(conf-if-te-0/30)#switchport
Dell(conf-if-te-0/30)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged te 0/30
Dell(conf-if-vl-30)#exit
Dell(conf)#interface port-channel 10
Dell(conf-if-po-10)#channel-member te 0/28-29
Dell(conf-if-po-10)#no shutdown
Dell(conf-if-po-10)#exit
Dell(conf)#m
Dell(conf-mon-sess-2)#exit
Dell(conf)#monitor session 3 type rpm
Dell(conf-mon-sess-3)#source remote-vlan 30 destination te 0/5
Dell(conf-mon-sess-3)#tagged destination te 0/5
Dell(conf-mon-sess-3)#end
Dell#
Dell#show monitor session
SessID  Source          Destination  Dir  Mode  Source IP  Dest IP
------  --------------  -----------  ---  ----  ---------  -------
1       remote-vlan 10  Te 0/3       N/A  N/A   N/A        N/A
2       remote-vlan 20  Te 0/4       N/A  N/A   N/A        N/A
3       remote-vlan 30  Te 0/5       N/A  N/A   N/A        N/A
Dell#

Configuring RPM Source Sessions to Avoid BPD Issues
• The maximum number of source ports that can be defined in a session is 128.
• Make sure that the destination IP address is reachable via the configured IP route (static or dynamic).
• The system MTU should be configured properly to accommodate the increased size of the ERPM mirrored packet.
• The system encapsulates the complete ingress or egress data under a GRE header, IP header and outer MAC header and sends it out at the next-hop interface as pointed to by the routing table.
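The tagging rule for egress mirrors stated under Port Monitoring Configurations (the MD port's VLAN for a Layer 2 port, VLAN 4095 for a Layer 3 port) and the ERPM encapsulation described in the list above can be checked end to end in a few lines of Python. The following is an added example and not Dell Networking OS code: it builds the tagged frame an analyzer would receive, classifies the frame from its tag, wraps it in outer MAC + IPv4 + GRE the way the bullets describe, and compares the result against a link MTU. Header sizes are the standard ones; the GRE protocol type 0x6558 and treating the configured MTU as a link MTU that includes the Ethernet header are assumptions, and every address and payload is constructed.

```python
"""Mirror-frame tagging and ERPM encapsulation.

Added example, not Dell Networking OS code. Builds the 802.1Q-tagged frame
the Port Monitoring chapter says an egress (TX) mirror produces (the MD
port's VLAN for a Layer 2 port, VLAN 4095 for a Layer 3 port), wraps it the
way ERPM does (outer MAC + IPv4 + GRE) and checks the result against a link
MTU. Header sizes are the RFC ones; the GRE protocol type 0x6558
(transparent Ethernet bridging) is an assumption, the guide does not say
which value Dell uses. All MACs, IPs and payloads are constructed.
"""
import ipaddress
import struct

ETH_HDR = 14            # dst MAC + src MAC + EtherType
VLAN_TAG = 4            # 802.1Q TPID + TCI
IPV4_HDR = 20           # IPv4 header without options
GRE_HDR = 4             # RFC 2784 GRE header, no optional fields
L3_MIRROR_VID = 4095    # VLAN ID the guide says tags frames mirrored from an L3 MD port
TPID_8021Q = 0x8100
GRE_PROTO_TEB = 0x6558  # assumed GRE protocol type for a bridged Ethernet payload
IPPROTO_GRE = 47


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def tagged_mirror_frame(dst: str, src: str, ethertype: int, payload: bytes,
                        vid: int, pcp: int = 0) -> bytes:
    """Frame as it appears on the mirror destination (MG): an 802.1Q tag is
    inserted after the source MAC carrying the MD port's VLAN, or 4095."""
    if not 0 <= vid <= 4095:
        raise ValueError("VLAN ID out of range")
    tci = ((pcp & 0x7) << 13) | vid
    return mac(dst) + mac(src) + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def classify_mirrored_frame(frame: bytes):
    """('l3', None) if the tag is VLAN 4095 (MD was a Layer 3 port),
    ('l2', vid) for a Layer 2 MD port, ('untagged', None) if there is no tag."""
    (tpid,) = struct.unpack_from("!H", frame, 12)
    if tpid != TPID_8021Q:
        return ("untagged", None)
    (tci,) = struct.unpack_from("!H", frame, 14)
    vid = tci & 0x0FFF
    return ("l3", None) if vid == L3_MIRROR_VID else ("l2", vid)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def erpm_encapsulate(inner: bytes, src_ip: str, dst_ip: str,
                     nexthop_mac: str, local_mac: str, ttl: int = 255) -> bytes:
    """Outer MAC + IPv4 + GRE around the complete mirrored frame, as the
    chapter describes ERPM."""
    total_len = IPV4_HDR + GRE_HDR + len(inner)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, IPPROTO_GRE, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    gre_hdr = struct.pack("!HH", 0, GRE_PROTO_TEB)          # no checksum/key/sequence
    eth_hdr = mac(nexthop_mac) + mac(local_mac) + struct.pack("!H", 0x0800)
    return eth_hdr + ip_hdr + gre_hdr + inner


def erpm_overhead() -> int:
    """Bytes ERPM adds to every mirrored frame."""
    return ETH_HDR + IPV4_HDR + GRE_HDR


def fits_link_mtu(encapsulated: bytes, link_mtu: int) -> bool:
    """The chapter's MTU warning: the encapsulated frame must fit the next-hop
    link or it is fragmented or dropped. Compared against a link MTU that
    includes the Ethernet header (assumption)."""
    return len(encapsulated) <= link_mtu
```

Because ERPM adds 38 bytes, a full-size tagged frame of 1518 bytes no longer fits a 1554-byte link; that is the situation the MTU bullet above warns about, and the reason the system MTU on the path to the analyzer has to be raised rather than left at its default.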
0 111 1 139 Po 1 remote-ip tx Enabled Vl 11 remote-ip rx No Enabled No Port 1.1.1.1 7.1.1.2 0 255 No 100 Flow 5.1.1.1 3.1.1.2 0 255 No 100

The next example shows the configuration of an ERPM session in which VLAN 11 is monitored as the source interface and a MAC ACL filters the monitored ingress traffic.
NOTE: For more information on configuring VLT, see Configuring VLT.

VLT Non-failover Scenario
Consider a scenario where port monitoring is configured to mirror traffic on a VLT device's port or LAG to a destination port on some other device (TOR) on the network. When there is no failover to the VLT peer, the VLTi link (ICL LA

G) also receives the mirrored traffic, because the VLTi link is added as an implicit member of the RPM VLAN.
Scenario: Mirroring Orphan Ports across VLT Devices — In this scenario, an orphan port on the primary VLT device is mirrored to another orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device.
RPM Restriction: No restrictions apply to the RPM session.
Recommended Solution: The following example shows the configuration on the primary VLT device: source orphan port, destination remote vlan, direction rx/tx/both.
44 Power over Ethernet (PoE)
The PoE feature supports electrical power and transmission of data on Ethernet cabling. A single cable can provide both a data connection and electrical power to the attached devices such as wireless access points or IP cameras. The PoE feature is supported on a C1048P, N2024P, N2048P, N3024P, or N3048P port-extender (PE); PoE is not supported on the C9010 switches. PoE, as described by IEEE 802.3af, specifies that a maximum of 15.
Configuring PoE or PoE+
Configuring PoE or PoE+ is a two-step process:
1. Connect the IEEE 802.3af/802.3at-compliant powered device directly to a port.
2. Enable PoE or PoE+ on the port extender.

Enabling PoE or PoE+ on a Port
By default, PoE and PoE+ are disabled. Configuration tasks for PoE include:
• Enabling PoE and managing the inline power supplied to the port extender ports using the power inline mode command. To manage inline power in a port extender, configure Class or Static mode.
NOTE: Static ports have a higher weight than Class mode ports, so all static ports always stay on top of all class ports, regardless of the other three parameters.
2. Power inline priority configuration
3. Link layer discovery protocol-media endpoint discovery (LLDP-MED) priority that the powered device (PD) sends in the Extended Power-via-MDI (medium dependent interface) type, length, value (TLV), or the priority the PD sends in the IEEE 802.3at power-via-MDI TLV
4.
Configuring Power Management on the PE — Class and Static Mode By default, PoE or PoE+ are disabled. To manage the inline power supplied to the port extender ports, use the power inline mode command in Configuration mode. The mode configuration applies to all the ports on the port extender. To manage the inline power in a port extender, you can configure Class or Static mode. This command has the following parameters.
Allocate PoE Power to Powered Devices to a Connected PE Interface To enable inline power and configure the maximum power allocation and priority for the powered device connected to a port extender interface, use the power inline {[max_milliwatts] | priority {critical | high | low}} command in Interface mode. By default, power inline is disabled. Port Prioritization To specify the priority on a particular interface on the port extender, use the power inline priority command.
Dell(conf-if-pegi-255/0/1)#power inline ?
<440-30000>   Max milliwatts (default = 30000)
priority      Configure poe priority
Dell(conf-if-pegi-0/0/1)#power inline 30000

Example of Setting the Priority to Critical
The following example sets the priority on interface peGigE 255/0/1 to critical.
Figure 119.
Advertising the Extended Power through MDI
The powered device sends the following information in the LLDP-MED extended power-via-MDI TLV.
1. Power Requirement: Dell Networking OS uses it for power allocation.
2. Power Priority (Critical, High, or Low): Dell Networking OS uses it for power priority calculation.
3. External Power Source: Dell Networking OS does not use this information.

IEEE 802.3at power-via-mdi TLV
To configure the system or an interface to advertise IEEE 802.
advertise dot3-tlv power-via-mdi

Example of Advertising in LLDP Configuration Mode
The following example configures all the interfaces to advertise extended power through dot3-TLVs in configuration mode.
Dell(conf-lldp)#advertise dot3-tlv power-via-mdi

Example of Advertising in LLDP Interface Configuration Mode
The following example configures interface peGigE 0/0/1 to advertise extended power through dot3-TLVs.
Creating VLANs for an Office VoIP Deployment The phone in the previous figure requires one tagged VLAN for VoIP service and one untagged VLAN for PC data, as shown in the following example. You can configure voice signaling on the voice VLAN but some implementations may need an extra tagged VLAN for this traffic.
Configuring QoS for an Office VoIP Deployment
There are several ways you can use quality of service (QoS) to map ingress phone and PC traffic to give them each a different quality of service.

Honoring the Incoming DSCP Value
If you know that traffic originating from the phone is tagged with the DSCP value of 46 (EF), you can make the associated queue a strict-priority queue, as shown in the following example.
Classifying VoIP Traffic and Applying QoS Policies You can avoid congestion and give precedence to voice and signaling traffic by classifying traffic based on the subnet and using strict priority and bandwidth weights on egress, as outlined in the following steps. The following figure depicts the topology and configuration for a C9000 system. Figure 121. PoE VoIP Traffic To classify VoIP traffic and apply QoS policies for an office VoIP deployment, use the following commands: 1.
Example of the sh run acl command.
Dell#sh run acl
!
ip access-list extended pc-subnet
 seq 5 permit ip 201.1.1.0/24 any
!
ip access-list extended phone-signalling
 seq 5 permit ip 192.1.1.0/24 host 192.1.1.1
!
ip access-list extended phone-subnet
 seq 5 permit ip 192.1.1.
Upgrading the PoE Controller To upgrade the PoE controller firmware on a port extender, use the following command. You can upgrade the PoE controller firmware using the firmware packaged with the Dell Networking OS. After the upgrade is successful, the port extender reloads automatically. NOTE: You cannot upgrade the PoE controller when any other upgrade is in progress. Upgrading the PoE controller may take a few minutes to complete. Also, the CLI is blocked until the upgrade is complete. 1.
power inline restore pe pe-id stack-unit unit-number
• pe pe-id — Specify the port extender ID. The range is from 0 to 255.
• stack-unit unit-number — Specify the stack unit number of the port extender. The range is from 0 to 7.

Example of Restoring Power Delivery on the Port Extender
The following example restores power delivery on the port extender.
PoE or PoE+ Power Budget Limit
Model Name | Maximum PSU Output Ability (1 PSU) | Maximum PSUs | System Power Output Ability Consumed (2 PSUs) | Redundancy Power Consumed Threshold | Max In-line Power Available
default. Supports up to two 1100 W PSUs.

The following table shows the maximum number of ports that you can configure for PoE and PoE+ based on the number of PSUs available on the C1048P.
NOTE: The table assumes a maximum of 30 W for PoE+ and 15.4 W for PoE.
Table 78.
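The ordering rules from the NOTE on static and Class mode ports (static ports first, then the configured power inline priority, then the priority the PD advertises in LLDP-MED) and the per-port figures in the note above (30 W for PoE+, 15.4 W for PoE) together determine which powered devices are served when a budget is short. The following Python is an added example and not Dell Networking OS code: it ranks requests in that order and grants power until the budget is exhausted. The chapter's fourth tie-breaker is cut off on this page, so the port name is used as the final tie-break here (an assumption); the budget and the requests are constructed, since Table 78's real figures are not on this page.

```python
"""PoE power allocation in priority order.

Added example, not Dell Networking OS code. Ranks powered-device requests
the way the chapter's NOTE describes: static ports always ahead of
Class-mode ports, then the configured power inline priority (critical,
high, low), then the priority the PD advertised in the LLDP-MED extended
power-via-MDI TLV. The chapter's fourth tie-breaker is cut off on this page,
so port name is used as the final tie-break here (an assumption). Per-port
caps follow the guide's note on Table 78: 30 W for PoE+ (802.3at) and
15.4 W for PoE (802.3af). The budget and the requests in the demo are
constructed; Table 78's real figures are not on this page.
"""
from dataclasses import dataclass
from typing import List, Tuple

POE_MAX_MW = 15400         # 802.3af per-port maximum
POE_PLUS_MAX_MW = 30000    # 802.3at per-port maximum
PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class PortRequest:
    port: str                # e.g. "peGigE 0/0/1"
    mode: str                # "static" or "class" (power inline mode)
    priority: str            # configured power inline priority
    lldp_med_priority: str   # priority the PD advertised in LLDP-MED
    requested_mw: int        # power the PD asked for
    poe_plus: bool = True    # PD negotiated 802.3at


def per_port_cap(req: PortRequest) -> int:
    return POE_PLUS_MAX_MW if req.poe_plus else POE_MAX_MW


def rank(req: PortRequest) -> Tuple[int, int, int, str]:
    """Sort key; lower sorts first. Static beats Class regardless of the
    other fields, exactly as the NOTE says."""
    return (0 if req.mode == "static" else 1,
            PRIORITY_RANK[req.priority],
            PRIORITY_RANK[req.lldp_med_priority],
            req.port)   # assumed final tie-break


def allocate(requests: List[PortRequest], budget_mw: int):
    """Grant requests (clamped to the per-port cap) in rank order until the
    budget runs out. A port is powered fully or not at all.
    Returns (granted, denied) as lists of (port, milliwatts)."""
    granted, denied = [], []
    remaining = budget_mw
    for req in sorted(requests, key=rank):
        want = min(req.requested_mw, per_port_cap(req))
        if want <= remaining:
            granted.append((req.port, want))
            remaining -= want
        else:
            denied.append((req.port, want))
    return granted, denied


def max_ports(budget_mw: int, poe_plus: bool) -> int:
    """Ports that fit at full draw; the quantity Table 78 tabulates per PSU count."""
    return budget_mw // (POE_PLUS_MAX_MW if poe_plus else POE_MAX_MW)


if __name__ == "__main__":
    # constructed requests and a constructed 80 W budget
    demo = [
        PortRequest("peGigE 0/0/1", "class", "low", "low", 30000),
        PortRequest("peGigE 0/0/2", "static", "low", "low", 30000),
        PortRequest("peGigE 0/0/3", "class", "critical", "high", 15400, poe_plus=False),
        PortRequest("peGigE 0/0/4", "class", "critical", "low", 40000),
    ]
    ok, no = allocate(demo, 80000)
    print("granted:", ok)
    print("denied: ", no)
```

In the demo the static port on peGigE 0/0/2 is served first even though its configured priority is low, which is the point of the NOTE: a static port with a low priority still beats a critical-priority port in Class mode, so static mode should be reserved for devices that must never be shed.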
• interface interface — Enter the interface keyword and specify the PE Gigabit Ethernet interface using the keyword peGigE or peTenGigE. Specify a pe-id/unit/port for the interface.
• pe pe-id — Enter the keyword pe and the port extender ID. The range is from 0 to 255.
• stack-unit unit-number — Enter the keyword stack-unit and the stack unit number. The range is from 0 to 7.
45 Private VLANs (PVLAN)
Private VLANs (PVLANs) extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN). A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair. Private VLANs block all traffic to isolated ports except traffic from promiscuous ports. Traffic received from an isolated port is forwarded only to promiscuous ports or trunk ports.
PVLAN port types include:
• Host port — in the context of a private VLAN, is a port in a secondary VLAN. The port must first be assigned that role in INTERFACE mode.
  • A host port that belongs to a community VLAN is allowed to communicate with other ports in the same community VLAN and with promiscuous ports and trunk ports in the same PVLAN.
  • A host port can be part of either a community VLAN or an isolated VLAN. The behavior of a host port changes depending on whether it is in a community or an isolated VLAN.
Configuration Task List
The following sections contain the procedures that configure a private VLAN.
• Creating PVLAN Ports
• Creating a Primary VLAN
• Creating a Community VLAN
• Creating an Isolated VLAN

Creating PVLAN ports
PVLAN ports are those that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
   CONFIGURATION mode
   interface interface
2. Enable the port.
   INTERFACE mode
   no shutdown
3. Set the port in Layer 2 mode.
   INTERFACE mode
   switchport
4.
   interface vlan vlan-id
2. Enable the VLAN.
   INTERFACE VLAN mode
   no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
   INTERFACE VLAN mode
   private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
   • Specified with this command even before they have been created.
Creating an Isolated VLAN
An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
   CONFIGURATION mode
   interface vlan vlan-id
2. Enable the VLAN.
   INTERFACE VLAN mode
   no shutdown
3. Set the PVLAN mode of the selected VLAN to isolated.
   INTERFACE VLAN mode
   private-vlan mode isolated
4. Add one or more host ports to the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 122. Sample Private VLAN Topology
The following configuration is based on the example diagram:
• Te 0/0 and Te 23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 0/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 0/24 and Te 0/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• The S50V ports would have the same intra-switch communication characteristics as described for the C300.
• For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (0/25 in each switch).

Inspecting the Private VLAN Configuration
The standard methods of inspecting configurations also apply in PVLANs.
The following example shows the VLAN status.
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs, P - Primary, C - Community, I - Isolated
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   G - GVRP tagged, M - Vlan-stack

    NUM    Status    Description                Q Ports
*   1      Inactive
    100    Inactive
P   200    Inactive  primary VLAN in PVLAN      T Te 0/19-20
I   201    Inactive  isolated VLAN in VLAN 200  T Te 0/21

The following example shows viewing a private VLAN configuration.
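The isolation rules this chapter states (isolated hosts reach only promiscuous and trunk ports, community hosts also reach their own community, promiscuous ports reach everything in the primary VLAN) are easy to get wrong when a PVLAN is used as a security boundary, so it is worth writing them down as a reachability check before trusting them. The following Python is an added example and not Dell Networking OS code. Its ports follow the sample topology above (Te 0/0 and Te 0/23 promiscuous, with 0/23 assumed for the "Te 23" in the text; Te 0/25 as the PVLAN trunk; Te 0/24 and Te 0/47 in isolated VLAN 4003); community VLAN 4001 with Te 0/1 and Te 0/2 is constructed, and the way a tagged frame arriving on the trunk is treated (as belonging to the secondary VLAN in its tag) is an assumption.

```python
"""PVLAN Layer 2 forwarding rules.

Added example, not Dell Networking OS code. Encodes the rules the chapter
states: a host in an isolated VLAN reaches only promiscuous and trunk
ports; a host in a community VLAN also reaches the other hosts of the same
community; a promiscuous port reaches every port of the primary VLAN. The
ports come from the sample topology (Te 0/0 and Te 0/23 promiscuous, with
0/23 assumed for the "Te 23" in the text; Te 0/25 PVLAN trunk; Te 0/24 and
Te 0/47 in isolated VLAN 4003). Community VLAN 4001 with Te 0/1 and Te 0/2
is constructed. How a tagged frame arriving on the trunk is treated (as a
member of the secondary VLAN in its tag) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class PvlanPort:
    role: str                       # "promiscuous", "trunk" or "host"
    secondary: Optional[int]        # secondary VLAN for host ports
    secondary_mode: Optional[str]   # "isolated" or "community" for host ports


class Pvlan:
    def __init__(self, primary: int):
        self.primary = primary
        self.secondaries: Dict[int, str] = {}     # vid -> "isolated" | "community"
        self.ports: Dict[str, PvlanPort] = {}

    def map_secondary(self, vid: int, mode: str) -> None:
        if mode not in ("isolated", "community"):
            raise ValueError(f"unknown PVLAN mode {mode!r}")
        self.secondaries[vid] = mode

    def add_promiscuous(self, name: str) -> None:
        self.ports[name] = PvlanPort("promiscuous", None, None)

    def add_trunk(self, name: str) -> None:
        self.ports[name] = PvlanPort("trunk", None, None)

    def add_host(self, name: str, secondary_vid: int) -> None:
        # the secondary VLAN must already be mapped to this primary
        self.ports[name] = PvlanPort("host", secondary_vid, self.secondaries[secondary_vid])

    def may_forward(self, src: str, dst: str, ingress_vid: Optional[int] = None) -> bool:
        """May a frame received on src be forwarded out dst? For a trunk
        source, ingress_vid is the VLAN in the frame's tag."""
        if src == dst:
            return False
        s, d = self.ports[src], self.ports[dst]
        if s.role == "promiscuous":
            return True
        if s.role == "trunk":
            if ingress_vid is None or ingress_vid == self.primary:
                return True                       # behaves like promiscuous traffic
            src_sec, src_mode = ingress_vid, self.secondaries[ingress_vid]
        else:
            src_sec, src_mode = s.secondary, s.secondary_mode
        if d.role in ("promiscuous", "trunk"):
            return True                           # always reachable from a host
        if src_mode == "isolated":
            return False                          # isolated hosts never reach other hosts
        return d.secondary == src_sec             # community: same community only

    def reachability(self) -> Dict[str, Set[str]]:
        return {p: {q for q in self.ports if self.may_forward(p, q)} for p in self.ports}


def sample_topology() -> Pvlan:
    """The chapter's example with a constructed community VLAN added."""
    p = Pvlan(4000)
    p.map_secondary(4003, "isolated")
    p.map_secondary(4001, "community")     # constructed
    for name in ("Te 0/0", "Te 0/23"):
        p.add_promiscuous(name)
    p.add_trunk("Te 0/25")
    for name in ("Te 0/24", "Te 0/47"):
        p.add_host(name, 4003)
    for name in ("Te 0/1", "Te 0/2"):      # constructed community hosts
        p.add_host(name, 4001)
    return p


if __name__ == "__main__":
    for port, peers in sorted(sample_topology().reachability().items()):
        print(f"{port:8} -> {sorted(peers)}")
```

The reachability table is what a review of the PVLAN should be checked against: the two isolated hosts must show only the promiscuous ports and the trunk, and nothing else. If a host port appears in another host's set when it should not, the port is in the wrong secondary VLAN or the secondary VLAN was mapped with the wrong mode.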
46 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Figure 123.
Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic By default, the system does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
rate shape
Dell#config
Dell(conf)#interface tengigabitethernet 1/2
Dell(conf-if)#rate shape 500 50
Dell(conf-if)#end
Dell#

Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 124. Constructing Policy-Based QoS Configurations

Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic.
NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
Use step 1 or step 2 to start creating a Layer 3 class map.
1. Create a match-any class map.
   CONFIGURATION mode
   class-map match-any class-map-name
2. Create a match-all class map.
   CONFIGURATION mode
   class-map match-all class-map-name
3. Specify your match criteria.
   CLASS MAP mode
   match {ip | ipv6 | ip-any}
   After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five ACLs.
   class-map match-all
3. Specify your match criteria.
   CLASS MAP mode
   match mac
   After you create a class-map, you are placed in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID.
4. Link the class-map to a queue.
   POLICY MAP mode
   service-queue

Applying Layer 2 Match Criteria on a Layer 3 Interface
To process Layer 3 packets that contain a dot1p (IEEE 802.
5. Configure the DSCP value to be set on matched packets.
   QOS-POLICY-IN mode
   Dell(conf-qos-policy-in)#set ip-dscp 5
6. Create an input policy map.
   CONFIGURATION mode
   Dell(conf)#policy-map-input pp_policmap
7. Create a service queue to associate the class map and QoS policy map.
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.3 any
 seq 10 deny ip any any
!
ip access-list extended AF2
 seq 5 permit ip host 23.64.0.5 any
 seq 10 deny ip any any

Create a QoS Policy
There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values.
• Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value.
4 (100 b).
Dell(conf-qos-policy-in)#show config
!
qos-policy-input my-input-qos-policy
 set ip-dscp 34
Dell(conf-qos-policy-in)#end
Dell#

Setting a dot1p Value for Egress Packets
To set a dot1p value for egress packets, use the following command.
• Set a dot1p value for egress packets.
  QOS-POLICY-IN mode
  set mac-dot1p

Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1. Create an output QoS policy.
   CONFIGURATION mode
   qos-policy-output
2.
Allocating Bandwidth to Queue
The switch schedules packets for egress based on Deficit Round Robin (DRR). This strategy offers a guaranteed data rate. Allocate bandwidth to queues only in terms of percentage in 4-queue and 8-queue systems. The following table shows the default bandwidth percentage for each queue.

Table 82. Default Bandwidth Weights
Queue | Default Bandwidth Percentage for 4-Queue System | Default Bandwidth Percentage for 8-Queue System
0     | 6.67%  | 1%
1     | 13.33% | 2%
2     | 26.67% | 3%
3     | 53.
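The paragraph above names Deficit Round Robin but does not show how a bandwidth percentage turns into a share of the link. The following Python is an added example and not Dell Networking OS code: a small DRR scheduler in which each queue earns a quantum of bytes per round proportional to its percentage, unused credit carries over as the deficit, and a packet is sent only once its queue has earned enough credit. The weights are the 4-queue defaults from Table 82 (with the fourth taken as the remainder that brings the four to 100%); the quantum scale of 15 bytes per percent and the packet sizes are assumptions made for the demonstration.

```python
"""Deficit Round Robin (DRR) egress scheduling.

Added example, not Dell Networking OS code. Shows how the default 4-queue
bandwidth percentages in Table 82 (6.67, 13.33, 26.67 and the remaining
53.33 that brings the four to 100%) become a share of transmitted bytes
when every queue is backlogged: each queue receives a quantum of bytes per
round proportional to its percentage, unused credit (the deficit) carries
over, and a packet is sent only once the queue has earned enough credit.
The quantum scale (15 bytes per percent) and the packet sizes are
assumptions made for the demonstration.
"""
from collections import deque
from typing import Dict, List, Tuple

DEFAULT_4Q_WEIGHTS = {0: 6.67, 1: 13.33, 2: 26.67, 3: 53.33}


class DrrScheduler:
    def __init__(self, weights: Dict[int, float], quantum_per_percent: int = 15):
        # Quantum in bytes per visit, proportional to the bandwidth percentage.
        self.quantum = {q: max(1, round(w * quantum_per_percent)) for q, w in weights.items()}
        self.queues = {q: deque() for q in weights}
        self.deficit = {q: 0 for q in weights}
        self.sent = {q: 0 for q in weights}

    def enqueue(self, queue: int, size: int) -> None:
        self.queues[queue].append(size)

    def run(self, rounds: int) -> List[Tuple[int, int]]:
        """Run the scheduler for a number of rounds; return (queue, bytes) in
        transmit order."""
        order = []
        for _ in range(rounds):
            for q, backlog in self.queues.items():
                if not backlog:
                    self.deficit[q] = 0       # an idle queue forfeits its credit
                    continue
                self.deficit[q] += self.quantum[q]
                while backlog and backlog[0] <= self.deficit[q]:
                    size = backlog.popleft()
                    self.deficit[q] -= size
                    self.sent[q] += size
                    order.append((q, size))
        return order

    def shares(self) -> Dict[int, float]:
        """Percentage of transmitted bytes per queue so far."""
        total = sum(self.sent.values())
        return {q: (100.0 * b / total if total else 0.0) for q, b in self.sent.items()}


def demo_backlogged(rounds: int = 1000, packet_size: int = 1000) -> Dict[int, float]:
    """All four queues permanently backlogged with equal-size packets: the
    byte shares converge on the configured percentages."""
    sched = DrrScheduler(DEFAULT_4Q_WEIGHTS)
    for q in DEFAULT_4Q_WEIGHTS:
        for _ in range(rounds):
            sched.enqueue(q, packet_size)
    sched.run(rounds)
    return sched.shares()


if __name__ == "__main__":
    for q, pct in demo_backlogged().items():
        print(f"queue {q}: {pct:.2f}% of egress bytes")
```

With every queue backlogged the byte shares settle at the table's percentages; when a queue is idle its credit is discarded and the others take the link, which is the "guaranteed data rate" behaviour the paragraph refers to rather than a hard cap.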
Applying a Class-Map or Input QoS Policy to a Queue
To apply a class-map or input QoS policy to a queue, use the following command.
• Assign an input QoS policy to a queue.
  POLICY-MAP-IN mode
  service-queue

Applying an Input QoS Policy to an Input Policy Map
To apply an input QoS policy to an input policy map, use the following command.
• Apply an input QoS policy to an input policy map.
Packet dot1p on Ingress Packet | Queue ID
7                              | 7
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
• Enable the trust dot1p feature.
  POLICY-MAP-IN mode
  trust dot1p

Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
Applying an Output QoS Policy to a Queue
To apply an output QoS policy to a queue, use the following command.
• Apply an output QoS policy to queues.
  INTERFACE mode
  service-queue

Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
• Specify an aggregate QoS policy.
  POLICY-MAP-OUT mode
  policy-aggregate

Applying an Output Policy Map to an Interface
To apply an output policy map to an interface, use the following command.
3. Apply the map profile to the interface. CONFIG-INTERFACE mode qos dscp-color-policy color-map-name Example: Create a DSCP Color Map The following example creates a DSCP color map profile, color-awareness policy, and applies it to interface te 0/11.
Display detailed information about a color policy for a specific interface
Dell# show qos dscp-color-policy detail te 0/10
Interface TenGigabitEthernet 0/10
  Dscp-color-map mapONE
    yellow 4,7
    red 20,30

Enabling QoS Rate Adjustment
By default, while rate limiting, policing, and shaping, the system does not include the Preamble, SFD, or the IFG fields. These fields are overhead; only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others. In this case, the space on the buffer and traffic manager (BTM) (ingress or egress) can be consumed by only one or a few types of traffic, leaving no space for other types. You can apply a WRED profile to a policy-map so that specified traffic can be prevented from consuming too much of the BTM resources. WRED uses a profile to specify minimum and maximum threshold values.
threshold

Applying a WRED Profile to Traffic
After you create a WRED profile, you must specify on which traffic the system applies the profile. The system assigns a color-coded drop precedence — red, yellow, or green — to each packet based on the fourth bit of the 6-bit DSCP field in the packet header before queuing it.
• If the fourth DSCP bit is 0, the packet is marked as green.
• If the fourth DSCP bit is 1, the packet is marked as yellow (except for DSCP 63, which is marked as red).
3   0
4   0
5   0
6   0
7   0
DELL#show qos statistics wred-profile peGigE 0/1/1
Interface peGigE 0/1/1
  Drop-statistic   Dropped Pkts
  Green            0
  Yellow           0
  Out of Profile   0

Displaying egress-queue Statistics
To display the number of transmitted and dropped packets on the egress queues of a WRED-configured interface, use the following command.
• Display the number of packets and number of bytes on the egress-queue profile.
• match ip dscp
• match ip precedence
• match ip vlan
By default, all packets are marked for green handling if the rate-police and trust-diffserv commands are not used in an ingress policy map. All packets marked for red handling or "violate" are dropped. In the class map, in addition to color-marking matching packets for yellow handling, you can also configure a DSCP value for matching packets.
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50

The second example shows how to achieve the desired configuration by specifying ECN match criteria to classify ECN-capable packets:
ip access-list standard dscp_50_ecn
 seq 5 permit any dscp 50 ecn 1
 seq 10 permit any dscp 50 ecn 2
 seq 15 permit any dscp 50 ecn 3
ip access-list st
The user-configurable weight in WRED and ECN provides better control in how the switch responds to congestion before a queue overflows and packets are dropped or delayed. Using a configurable weight for WRED and ECN allows you to customize network performance and throughput. Setting Average Queue Size using a Weight You can configure the weight factor that determines the average queue size for WRED and ECN packet handling by using the wred weight command.
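The colour rule under Applying a WRED Profile to Traffic, the ECN match criteria in the class-map example above, and the wred weight command described here all act on the same queue, and it helps to see them together. The following Python is an added example and not Dell Networking OS code: it classifies packets green, yellow or red from the DSCP bit the chapter names (read here as the bit with weight 4, the AF drop-precedence bit), recognises ECN-capable packets from the two ECN bits of the IPv4 TOS byte (the ecn 1, ecn 2 and ecn 3 values in the ACL), tracks the average queue size with an exponentially weighted moving average whose step is 1/2^weight (an assumption about how wred weight is applied), and applies a min/max threshold profile, marking instead of dropping when ECN is enabled. Thresholds and the sample packets are constructed.

```python
"""WRED colour marking, ECN and weighted average queue size.

Added example, not Dell Networking OS code. Colour follows the chapter's
rule: the fourth most significant of the six DSCP bits (weight 4, the
AF drop-precedence bit) 0 -> green, 1 -> yellow, and DSCP 63 -> red.
ECN-capable packets are ECT(1), ECT(0) or CE, i.e. the ACL values
'ecn 1', 'ecn 2', 'ecn 3'. The average queue size is an EWMA with step
1/2**weight (an assumption about how 'wred weight' is applied). Profile
thresholds and the sample packets are constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict


def dscp_of(tos: int) -> int:
    return (tos >> 2) & 0x3F


def ecn_of(tos: int) -> int:
    return tos & 0x3


def color_for_dscp(dscp: int) -> str:
    if dscp == 63:
        return "red"
    return "yellow" if (dscp >> 2) & 1 else "green"


def ecn_capable(tos: int) -> bool:
    """True for ECT(1)=1, ECT(0)=2 and CE=3; 0 means not ECN capable."""
    return ecn_of(tos) != 0


@dataclass
class WredProfile:
    name: str
    min_threshold: int          # below this average depth nothing is dropped
    max_threshold: int          # at or above this everything is dropped
    max_drop_prob: float = 1.0  # drop probability just below max_threshold

    def drop_probability(self, avg_queue: float) -> float:
        if avg_queue < self.min_threshold:
            return 0.0
        if avg_queue >= self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        return self.max_drop_prob * (avg_queue - self.min_threshold) / span


class WredQueue:
    def __init__(self, profiles: Dict[str, WredProfile], weight: int,
                 ecn: bool = False, rng=None):
        self.profiles = profiles            # colour -> profile
        self.weight = weight                # wred weight: larger = smoother average
        self.ecn = ecn                      # ECN marking enabled on this queue
        self.avg = 0.0
        self.depth = 0
        self.rng = rng or random.Random(1)  # seeded so a demo run is repeatable
        self.stats = {"green": 0, "yellow": 0, "red": 0, "marked": 0}

    def update_avg(self) -> float:
        """EWMA of the instantaneous depth with step 1/2**weight."""
        self.avg += (self.depth - self.avg) / (2 ** self.weight)
        return self.avg

    def admit(self, tos: int) -> str:
        """Decide for one arriving packet: 'enqueue', 'drop' or 'mark'
        (CE set and queued instead of dropped, for ECN-capable packets)."""
        color = color_for_dscp(dscp_of(tos))
        if color == "red":
            self.stats["red"] += 1
            return "drop"                   # red/violate is always dropped
        prob = self.profiles[color].drop_probability(self.update_avg())
        if self.rng.random() < prob:
            if self.ecn and ecn_capable(tos):
                self.stats["marked"] += 1
                self.depth += 1
                return "mark"
            self.stats[color] += 1
            return "drop"
        self.depth += 1
        return "enqueue"

    def dequeue(self, count: int = 1) -> None:
        self.depth = max(0, self.depth - count)
```

A larger weight makes the average lag the real depth, so short bursts pass without drops but a sustained overload is detected later; that trade-off is what the wred weight command tunes. Note that the colour rule puts AF12 and AF13 in yellow but leaves EF (46) in yellow too, so a separate profile or a dscp-color-map is needed if EF traffic must not be subject to early drop.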
Queue Configuration Service-Pool Configuration WRED Threshold Relationship Expected Functionality Q threshold = Q-T Service-pool threshold = SP-T Enabled Disabled Disabled N/A N/A Enabled N/A Q-T < SP-T SP-T < Q-T Queue-based WRED; No ECN marking Service-pool-based WRED; No ECN marking Enabled Enabled Disabled N/A N/A Enabled N/A Q-T < SP-T Queue-based ECN marking above queue threshold. ECN marking up to shared buffer limits of the service-pool and then packets are tail dropped.
Dell(conf)#service-class wred ecn 0, 3-5, 7 backplane

Pre-Calculating Available QoS CAM Space
Pre-calculating available QoS CAM space allows you to measure the number of CAM entries a policy-map consumes. This feature allows you to avoid applying a policy-map on an interface that requires more CAM entries than are available and receive a CAM full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
• • fpIngPgBuffSnapshotTable: Retrieves BST statistics from the ingress port for the shared and headroom cells used in a priority group. The snapshot of the ingress shared cells and the ingress headroom cells used for each priority group are displayed in this table when PFC is enabled. This table is indexed by stack-unit index, port number and priority-group number.
47 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP protocol standards are listed in the Standards Compliance chapter.
Topics:
• Protocol Overview
• Implementation Information
• Configuration Information

Protocol Overview
RIP is the oldest interior gateway protocol. There are two versions of RIP: RIP version 1 (RIPv1) and RIP version 2 (RIPv2).
Feature                  Default
RIP timers               • update timer = 30 seconds
                         • invalid timer = 180 seconds
                         • holddown timer = 180 seconds
                         • flush timer = 240 seconds
Auto summarization       Enabled
ECMP paths supported     16

Configuration Information
By default, RIP is disabled on the switch. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE. Commands executed in the ROUTER RIP mode configure RIP globally, while commands executed in the INTERFACE mode configure RIP features on that interface only.
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
Dell#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16    [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16    auto-summary
2.0.0.0/8         [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
2.0.0.0/8         auto-summary
4.0.0.0/8         [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
4.0.0.0/8         auto-summary
8.0.0.0/8         [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
8.0.0.0/8         auto-summary
12.0.0.
Assigning a Prefix List to RIP Routes Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes. Those routes must meet the conditions of the prefix list; if not, the system drops the route. Prefix lists are globally applied on all interfaces running RIP. Configure the prefix list in PREFIX LIST mode prior to assigning it to the RIP process.
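The prefix-list filtering described above is the main control an operator has over which RIP routes enter the table, and its first-match and implicit-deny semantics are what make a mistake in sequence order a security problem (a learned default route or a bogus more-specific route slipping through). The following Python is an added example and not Dell Networking OS code: it parses a prefix list in the seq/permit/deny syntax, evaluates routes against it in sequence order with an implicit deny, and runs the result over the route lines from the show ip rip database output above plus one constructed default route. The ge/le range semantics (ge defaults to the entry's own length, le to 32) follow the usual Dell/Cisco-style interpretation and are assumed here; the prefix list itself is constructed.

```python
"""Prefix-list filtering of RIP routes.

Added example, not Dell Networking OS code. Implements the prefix-list
semantics the chapter relies on: entries are evaluated in sequence order,
the first matching entry decides (permit or deny), and a route matched by
no entry is dropped. Without ge/le an entry matches the exact prefix; with
ge/le it matches any more-specific route whose length falls in the range
(ge defaults to the entry's own length, le to 32). This is the usual
Dell/Cisco-style syntax and is assumed here. The route lines are the ones
from the show ip rip database output above plus a constructed default
route; the prefix list itself is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = ipaddress.IPv4Network


@dataclass
class PrefixEntry:
    seq: int
    action: str                 # "permit" or "deny"
    prefix: Network
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, route: Network) -> bool:
        if self.ge is None and self.le is None:
            return route == self.prefix                 # exact match only
        lo = self.ge if self.ge is not None else self.prefix.prefixlen
        hi = self.le if self.le is not None else 32
        return lo <= route.prefixlen <= hi and route.subnet_of(self.prefix)


def parse_prefix_list(lines: List[str]) -> List[PrefixEntry]:
    """Parse 'seq N permit|deny A.B.C.D/L [ge X] [le Y]' lines, sequence order."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "seq" or tok[2] not in ("permit", "deny"):
            continue
        entry = PrefixEntry(int(tok[1]), tok[2], ipaddress.ip_network(tok[3], strict=False))
        for key, val in zip(tok[4::2], tok[5::2]):
            if key == "ge":
                entry.ge = int(val)
            elif key == "le":
                entry.le = int(val)
        entries.append(entry)
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixEntry], route: Union[str, Network]) -> str:
    if isinstance(route, str):
        route = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.matches(route):
            return entry.action
    return "deny"                                       # implicit deny at the end


def parse_rip_database(text: str) -> List[Tuple[Network, str]]:
    """Pull (prefix, next hop) from lines such as
    '160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0';
    auto-summary and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[2] == "via":
            routes.append((ipaddress.ip_network(tok[0], strict=False), tok[3].rstrip(",")))
    return routes


def filter_routes(routes, entries):
    """Routes that the prefix list permits, in their original order."""
    return [(r, nh) for r, nh in routes if evaluate(entries, r) == "permit"]


# Lines from the show ip rip database output above, plus a constructed default route.
RIP_DB_SAMPLE = """\
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 0/0
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 0/0
8.0.0.0/8 auto-summary
0.0.0.0/0 [120/1] via 29.10.10.12, 00:00:10, Fa 0/0
"""

# Constructed prefix list: refuse a learned default route, accept the
# 160.160.0.0/16 summary, block anything inside 8.0.0.0/8, and otherwise
# accept routes no more specific than /24.
SAMPLE_PREFIX_LIST = """\
seq 5 deny 0.0.0.0/0
seq 10 permit 160.160.0.0/16
seq 15 deny 8.0.0.0/8 le 32
seq 20 permit 0.0.0.0/0 le 24
"""

if __name__ == "__main__":
    pl = parse_prefix_list(SAMPLE_PREFIX_LIST.splitlines())
    for prefix, nexthop in parse_rip_database(RIP_DB_SAMPLE):
        print(f"{str(prefix):18} via {nexthop:14} -> {evaluate(pl, prefix)}")
```

The order of the entries matters: if seq 20 (permit 0.0.0.0/0 le 24) came before seq 15, every route inside 8.0.0.0/8 up to /24 would be permitted before the deny was reached, and because the last entry is a catch-all the implicit deny would only ever see routes more specific than /24.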
• Set the RIP versions sent out on that interface. INTERFACE mode ip rip send version [1] [2] To see whether the version command is configured, use the show config command in ROUTER RIP mode. To view the routing protocols configuration, use the show ip protocols command in EXEC mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2.
Generating a Default Route

Traffic is forwarded to the default route when the traffic’s destination network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP. Default routes received in RIP updates from other routers are advertised if you configure the default-information originate command.
• Specify the generation of a default route in RIP.
Debugging RIP

The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command.
• debug ip rip [interface | database | events | trigger]
  EXEC Privilege mode
  Enable debugging of RIP.

The following example shows the confirmation when you enable the debug function.

Dell#debug ip rip
RIP protocol debug is ON
Dell#

To disable RIP debugging, use the no debug ip rip command.
Core 2 RIP Output

The examples in this section show the Core 2 RIP output.
• To display the Core 2 RIP database, use the show ip rip database command.
• To display the Core 2 RIP setup, use the show ip route command.
• To display Core 2 RIP activity, use the show ip protocols command.
To view the learned RIP routes on Core 2, use the show ip rip database command.
  Interface                    Send  Recv
  TenGigabitEthernet 2/42      2     2
  TenGigabitEthernet 2/41      2     2
  TenGigabitEthernet 2/31      2     2
  TenGigabitEthernet 2/11      2     2
Routing for Networks:
  10.300.10.0
  10.200.10.0
  10.11.20.0
  10.11.10.0
Routing Information Sources:
  Gateway         Distance   Last Update
  10.11.20.1      120        00:00:12
Distance: (default is 120)
Core2#

RIP Configuration on Core3

The following example shows how to configure RIPv2 on a host named Core3.

Core3(conf-if-te-3/21)#router rip
Core3(conf-router_rip)#version 2
Core3(conf-router_rip)#network 192.168.1.
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
       L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default,
       > - non-active route, + - summary route
Gateway of last resort is not set
  Destination         Gateway                    Dist/Metric
  -----------         -------                    -----------
R 10.11.10.0/24       via 10.11.20.2, Te 3/21
C 10.11.20.0/24       Direct, Te 3/21
C 10.11.30.0/24       Direct, Te 3/11
R 10.200.10.0/24      via 10.11.20.2, Te
R 10.300.10.0/24      via 10.11.20.2, Te
C 192.168.1.
  10.200.10.0
  10.300.10.0
  10.11.10.0
  10.11.20.0

The following example shows viewing the RIP configuration on Core 3.

!
interface TengigabitEthernet 3/11
 ip address 10.11.30.1/24
 no shutdown
!
interface TengigabitEthernet 3/21
 ip address 10.11.20.1/24
 no shutdown
!
interface TengigabitEthernet 3/43
 ip address 192.168.1.1/24
 no shutdown
!
interface TengigabitEthernet 3/44
 ip address 192.168.2.1/24
 no shutdown
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
48 Remote Monitoring (RMON) Remote monitoring (RMON) is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]

Configure the alarm using the following optional parameters:
• number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
• variable: the MIB object to monitor. The variable must be in SNMP OID format; for example, 1.3.6.1.2.1.1.3.
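How an hc-alarm of this shape behaves once configured, as an added example written for this page (it is not Dell EMC Networking OS code). It follows the RMON alarm semantics of RFC 2819: an absolute alarm compares each sample with the thresholds, a delta alarm compares the change between successive samples (allowing for 64-bit counter wrap), and after a rising event no second rising event fires until the value has come back down to the falling threshold. The OID (an ifHCInOctets instance), the event numbers and the poll series are constructed for the example.

```python
COUNTER64_MOD = 2 ** 64   # hc-alarm monitors 64-bit (high-capacity) counters


class HcAlarm:
    def __init__(self, number, variable, interval, sample_type, rising, rising_event,
                 falling, falling_event, owner=""):
        if not 1 <= number <= 65535:
            raise ValueError("alarm number must be 1..65535")
        if sample_type not in ("delta", "absolute"):
            raise ValueError("sample type is delta or absolute")
        if falling >= rising:
            raise ValueError("falling-threshold must be below rising-threshold")
        self.number, self.variable, self.interval, self.owner = number, variable, interval, owner
        self.sample_type = sample_type
        self.rising, self.rising_event = rising, rising_event
        self.falling, self.falling_event = falling, falling_event
        self.last_raw = None
        # RMON hysteresis: after a rising event, no further rising event until the value has
        # dropped to the falling threshold, and vice versa.
        self.rising_armed = True
        self.falling_armed = True

    def value_of(self, raw):
        """Absolute alarms compare the sample itself; delta alarms compare the change since
        the previous sample, modulo 2^64 so a counter wrap does not look like a huge drop."""
        if self.sample_type == "absolute":
            return raw
        if self.last_raw is None:
            return None            # a delta needs two samples; nothing to compare yet
        return (raw - self.last_raw) % COUNTER64_MOD

    def sample(self, raw):
        """Feed one poll of the monitored OID. Returns the event number raised, or None."""
        value = self.value_of(raw)
        self.last_raw = raw
        if value is None:
            return None
        if value >= self.rising and self.rising_armed:
            self.rising_armed, self.falling_armed = False, True
            return self.rising_event
        if value <= self.falling and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return self.falling_event
        return None

    def run(self, samples):
        """Feed a whole poll series; return the (sample index, event) pairs raised."""
        raised = []
        for i, s in enumerate(samples):
            event = self.sample(s)
            if event is not None:
                raised.append((i, event))
        return raised


# Constructed poll series of an ifHCInOctets-style counter, one value per interval; the
# second-to-last value sits just below 2^64 so the final poll exercises counter wrap.
SAMPLE_POLLS = [0, 1000, 9000, 9500, 9600, 2 ** 64 - 100, 5000]
IF_HC_IN_OCTETS_1 = "1.3.6.1.2.1.31.1.1.1.6.1"   # example OID, ifHCInOctets for ifIndex 1


if __name__ == "__main__":
    alarm = HcAlarm(1, IF_HC_IN_OCTETS_1, 30, "delta", 5000, 1, 500, 2, owner="ops")
    print(alarm.run(SAMPLE_POLLS))
```

With the delta alarm above, the jump from 1000 to 9000 raises event 1, the next delta of exactly 500 reaches the falling threshold and raises event 2, the delta of 100 that follows raises nothing because the falling side is no longer armed, and the wrap at the end produces a small delta (5100) rather than a negative one.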
Configuring RMON Collection Statistics

To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
  CONFIGURATION INTERFACE (config-if) mode
  [no] rmon collection statistics {controlEntry integer} [owner ownername]
  • controlEntry: specifies the RMON group of statistics using a value.
  • integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
49 Rapid Spanning Tree Protocol (RSTP)

Protocol Overview

The Dell Networking OS supports three other versions of spanning tree, as shown in the following table.

Table 88. Spanning Tree Versions Supported
Dell Networking Term                     IEEE Specification
Spanning Tree Protocol (STP)             802.1d
Rapid Spanning Tree Protocol (RSTP)      802.1w
Multiple Spanning Tree Protocol (MSTP)   802.1s
Per-VLAN Spanning Tree Plus (PVST+)      Third Party

Configuring Rapid Spanning Tree

Configuring RSTP is a two-step process.
1.
loops caused by non-system issues such as cabling errors or incorrect configurations. RSTP is useful for potential loop detection but to minimize possible topology changes after link or node failure, configure it using the following specifications.
To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The no disable line in the output indicates that RSTP is enabled.

Dell(conf-rstp)#show config
!
protocol spanning-tree rstp
 no disable
Dell(conf-rstp)#

Figure 127. Rapid Spanning Tree Enabled Globally

To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
The port is not in the Edge port mode
Port 379 (TengigabitEthernet 2/3) is designated Forwarding
 Port path cost 20000, Port priority 128, Port Identifier 128.379
 Designated root has priority 32768, address 0001.e801.cbb4
 Designated bridge has priority 32768, address 0001.e801.cbb4
 Designated port id is 128.
NOTE: Dell Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively affect network performance. The following table displays the default values for RSTP. Table 89.
• Change the port cost of an interface.
  INTERFACE mode
  spanning-tree rstp cost cost
  The range is from 0 to 65535. The default is listed in the previous table.
• Change the port priority of an interface.
  INTERFACE mode
  spanning-tree rstp priority priority-value
  The range is from 0 to 15. The default is 128.
To view the current values for interface parameters, use the show spanning-tree rstp command from EXEC privilege mode.
• Disable spanning tree on the interface (the no spanning-tree command in INTERFACE mode).
• Disable global spanning tree (the no spanning-tree command in CONFIGURATION mode).
To enable EdgePort on an interface, use the following command.
• Enable EdgePort on an interface.
50 Security This chapter describes several ways to provide access security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
modify the permissions specific to that command and/or command option. For more information, see Modifying Command Permissions for Roles . NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you will be automatically placed in EXEC Priv mode. For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs.
login authentication test
authorization exec test

To enable role-based only AAA authorization:

Dell(conf)#aaa authorization role-only

System-Defined RBAC User Roles

By default, the Dell Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system-defined roles.
The system-defined user roles are as follows:
• Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch.
1. Create a new user role.
   CONFIGURATION mode
   userrole name [inherit existing-role-name]
2. Verify that the new user role has inherited the security administrator permissions.
   EXEC Privilege mode
   Dell(conf)#do show userroles
3. After you create a user role, configure permissions for the new user role. See Modifying Command Permissions for Roles.
Example: Allow Security Administrator to Configure Spanning Tree

The following example allows the security administrator (secadmin) to configure the spanning tree protocol. Note that the command granted is protocol spanning-tree, so every command beginning with those keywords is permitted.

Dell(conf)#role configure addrole secadmin protocol spanning-tree

Example: Allow Security Administrator to Access Interface Mode

The following example allows the security administrator (secadmin) to access Interface mode.
The following example resets only the secadmin role to its original setting.

Dell(conf)#no role configure addrole secadmin protocol

Example: Reset System-Defined Roles and Roles that Inherit Permissions

In the following example, the command protocol permissions are reset to their original setting for one or more of the system-defined roles and any roles that inherited permissions from them.
Configure AAA Authorization for Roles Authorization services determine if the user has permission to use a command in the CLI. Users with only privilege levels can use commands in privilege-or-role mode (the default) provided their privilege level is the same or greater than the privilege level of those commands. Users with defined roles can use commands provided their role is permitted to use those commands. Role inheritance is also used to determine authorization.
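A small model of the authorization rules just described (roles with per-mode command grants, inheritance through userrole ... inherit, the addrole/no addrole grants, the default privilege-or-role behaviour versus aaa authorization role-only), as an added example written for this page rather than Dell EMC Networking OS code. The modes a system role may enter follow the show role output later in this chapter; which commands each system role is granted inside a mode is an assumption of the example, as is the command-to-privilege-level table. Matching on a leading keyword grants every command that starts with it, the rule the privilege-level section later in this chapter also states.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ALL_MODES = ("Exec", "Config", "Interface", "Line", "Router", "IP", "Routemap", "Protocol", "MAC")

# The four system-defined roles. Mode lists follow the 'show role' output in this chapter; the
# default command grants inside each mode are an assumption of this example.
# An empty-string prefix means "every command in that mode".
SYSTEM_ROLES = {
    "netoperator": {"Exec": {"show"}},                                   # cannot modify anything
    "secadmin": {"Exec": {"show"}, "Config": {"aaa", "username", "userrole", "role"}},
    "netadmin": {m: {""} for m in ALL_MODES},
    "sysadmin": {m: {""} for m in ALL_MODES},
}


@dataclass
class Role:
    name: str
    inherit: Optional[str] = None
    grants: Dict[str, Set[str]] = field(default_factory=dict)   # mode -> command prefixes


class Rbac:
    def __init__(self):
        self.roles = {n: Role(n, None, {m: set(p) for m, p in g.items()})
                      for n, g in SYSTEM_ROLES.items()}
        self.role_only = False      # 'aaa authorization role-only'; default is privilege-or-role
        self.command_levels = {}    # command prefix -> privilege level, for privilege-level users

    def userrole(self, name, inherit=None):
        """'userrole name [inherit existing-role-name]': at most 8 user-defined roles."""
        if name in self.roles or (inherit is not None and inherit not in self.roles):
            raise ValueError("role already exists or parent role unknown")
        if len(self.roles) - len(SYSTEM_ROLES) >= 8:
            raise ValueError("at most 8 user-defined roles")
        self.roles[name] = Role(name, inherit)

    def delete(self, name):
        if name in SYSTEM_ROLES:
            raise ValueError("system-defined roles cannot be deleted")
        del self.roles[name]

    def addrole(self, mode, role, command):
        """'role <mode> addrole <role> <command>', e.g. role configure addrole secadmin protocol
        spanning-tree. Granting a leading keyword grants every command that starts with it."""
        self.roles[role].grants.setdefault(mode, set()).add(command)

    def reset(self, mode, role, keyword):
        """'no role <mode> addrole <role> <keyword>': drop only this role's own grants under keyword."""
        grants = self.roles[role].grants.get(mode, set())
        grants.difference_update({p for p in grants if p.startswith(keyword)})

    def role_permits(self, role, mode, command):
        """Walk the inheritance chain: a role may run a command if it or an ancestor holds a grant."""
        r = self.roles.get(role)
        while r is not None:
            if any(command.startswith(p) for p in r.grants.get(mode, ())):
                return True
            r = self.roles.get(r.inherit) if r.inherit else None
        return False

    def authorize(self, mode, command, role=None, privilege=None):
        """privilege-or-role (default): a user with a role is checked against the role; a user
        with only a privilege level passes if that level covers the command.
        role-only: users without a role are always denied."""
        if role is not None:
            return self.role_permits(role, mode, command)
        if self.role_only or privilege is None:
            return False
        needed = max((lvl for p, lvl in self.command_levels.items() if command.startswith(p)),
                     default=1)
        return privilege >= needed
```

Resetting secadmin's protocol grant also removes it from every role that inherits from secadmin, because inherited permission is resolved at check time by walking up the chain rather than copied when the child role is created.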
 accounting commands role netadmin ucraaa
line vty 6
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 7
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 8
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
line vty 9
 login authentication ucraaa
 authorization exec ucraaa
 accounting commands role netadmin ucraaa
!

Configuring TACACS+ and RADIUS VSA Attr
Configuring AAA Accounting for Roles

To configure AAA accounting for roles, use the aaa accounting command in CONFIGURATION mode.

aaa accounting {system | exec | commands {level | role role-name}} {name | default} {start-stop | wait-start | stop-only} {tacacs+}

Example of Configuring AAA Accounting for Roles

The following example shows you how to configure AAA accounting to monitor commands executed by the users who have a secadmin user role.
Role          Inheritance   Modes
netoperator                 Exec
netadmin                    Exec Config Interface Line Router IP Routemap Protocol MAC
secadmin                    Exec Config
sysadmin                    Exec Config Interface Line Router IP Routemap Protocol MAC
testadmin     netadmin      Exec Config Interface Line Router IP Routemap Protocol MAC

Displaying Role Permissions Assigned to a Command

To display permissions assigned to a command, use the show role command in EXEC Privilege mode. The output displays the user role and/or permission level.
Configuration Task List for AAA Accounting The following sections present the AAA accounting configuration tasks.
In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.

Dell(conf)#aaa accounting exec default start-stop tacacs+
Dell(conf)#aaa accounting command 15 default start-stop tacacs+

Configuring AAA Accounting for Terminal Lines

To enable AAA accounting with a named method list for a specific terminal line (where com15 and execAcct are the method list names), use the following commands.
• Configure AAA accounting for terminal lines.
In the following sample configuration, AAA accounting is set to send start and stop records for dot1x (802.1X and MAB) sessions and stop records only for EXEC sessions, using RADIUS.

Dell(conf)# aaa accounting dot1x default start-stop radius
Dell(conf)# aaa accounting exec default stop-only radius

Sample dot1x accounting records

The following lists the sample EAP and MAB accounting records.

EAP START accounting record:
Fri May 10 12:20:43 2019
NAS-IP-Address = 10.16.133.
MAB STOP record:
Fri May 10 23:30:42 2019
User-Name = "001122334455"
Called-Station-Id = "00-11-33-44-77-88"
Calling-Station-Id = "00-11-22-33-44-55"
NAS-IP-Address = 10.16.133.
RADIUS Attribute code   RADIUS Attribute       Description
40                      Acct-Status-Type       STOP
44                      Acct-Session-Id        CLI Session-Id, used to match start and stop session requests.
46                      Acct-Session-Time      Time for which the user has received the service.
49                      Acct-Terminate-Cause   Reason for session termination.
61                      NAS-Port-Type          ASYNC for a console session; VIRTUAL for a telnet/SSH session.

Table 92.
RADIUS Attribute code   RADIUS Attribute       Description
95                      NAS-IPv6-Address       IPv6 address of the NAS.
Session Identification Attributes
1                       User-Name              User name, or the supplicant MAC address for MAB.
5                       NAS-Port               Port on which the session is terminated.
6                       Service-Type           Framed (2) for EAP; Call Check (10) for MAB.
8                       Framed-IP-Address      IPv4 address of the supplicant.
168                     Framed-IPv6-Address    IPv6 address of the supplicant.
30                      Called-Station-Id      Switch MAC address.
31                      Calling-Station-Id     Supplicant MAC address.
dot1x event                                                    Accounting type   Attributes
Supplicant goes away without explicitly sending EAP logoff     Stop              Stop record attributes with termination cause Idle Timeout (4).
Periodic reauthentication of the supplicant                    Stop              Stop record attributes with termination cause Supplicant Restart (19).
Failure of dot1x authorized port assignment to untagged VLAN   Stop              Stop record attributes with termination cause Port Error (8).
The default method-list is applied to all terminal lines. Possible methods are:
• enable: use the password you defined using the enable secret, enable password, or enable sha256-password command in CONFIGURATION mode. In general, the enable secret command overrules the enable password command. If you configure the enable sha256-password command, it overrules both the enable secret and enable password commands.
• line: use the password you defined using the password command in LINE mode.
To use local enable authentication on the console while using remote authentication on the VTY lines, run the commands in the following example, which enables local authentication for the console and remote authentication for the VTY lines.
AAA Authorization The system enables AAA new-model by default. You can set authorization to be either local or remote. Different combinations of authentication and authorization yield different results. By default, the system sets both to local. Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
• password: Enter a string.
• privilege level: The range is from 0 to 15.
To view usernames, use the show users command in EXEC Privilege mode.

Configuring the Enable Password Command

To configure the Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, the system requests that you enter a password.
• If you assign only the first keyword to the privilege level, all commands beginning with that keyword are also assigned to the privilege level. If you enter the entire command, the software assigns the privilege level to that command only. To assign commands and passwords to a custom privilege level, use the following commands. You must be in privilege level 15. 1. Assign a user name and password.
username admin password 0 admin
username john password 0 john privilege 8
!

The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands.

apollo% telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
EXEC Privilege mode
disable level-number
• level-number: The level number you wish to set. If you enter disable without a level-number, your security level is 1.

Resetting a Password

To reset a password on the switch, follow the procedure in Recovering from a Forgotten Password on the switch.

RADIUS

Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol.
RADIUS can specify an ACL for the user if both of the following are true:
• If an ACL is absent.
• If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.
NOTE: The ACL name must be a string. Only standard ACLs in authorization (both RADIUS and TACACS) are supported. Authorization is denied in cases using Extended ACLs.
Applying the Method List to Terminal Lines

To enable RADIUS AAA login authentication for a method list, apply it to a terminal line. To configure a terminal line for RADIUS authentication and authorization, use the following commands.
• Enter LINE mode.
  CONFIGURATION mode
  line {aux 0 | console 0 | vty number [end-number]}
• Enable AAA login authentication for the specified RADIUS method list.
• Configure a key for all RADIUS communications between the system and RADIUS server hosts.
  CONFIGURATION mode
  radius-server key [encryption-type] key
  • encryption-type: enter 7 to encrypt the password. Enter 0 to keep the password as plain text.
  • key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key.
• Configure the number of times the system retransmits RADIUS requests.
Support for Change of Authorization and Disconnect Messages packets The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user-access to the switch. The RADIUS service does not support unsolicited messages sent from the RADIUS server to the NAS. However, there are many instances in which it is desirable for changes to be made to session characteristics, without requiring the NAS to initiate the exchange.
Table 98. Session Identification Attributes
Attribute code   Attribute                          Description
31               Calling-Station-Id (MAC Address)   The link address from which the session is connected.

Table 99.
6   Resource Unavailable (506)   • Internal CoA or DM message processing errors.
7   Missing Attribute (402)      • CoA or DM request without a Vendor-Specific attribute, or with an invalid Vendor-Specific attribute.
                                 • CoA re-authenticate or terminate request not containing the Calling-Station-Id or NAS-Port attribute.
                                 • CoA disable-port or bounce-port request not containing the NAS-Port attribute.
                                 • DM request not containing the User-Name attribute.
For a CoA or DM request, the Message-Authenticator is an HMAC-MD5 calculated over the following fields:
• Code
• Identifier
• Length
• 16 zero octets (in place of the Request Authenticator)
• Request attributes
The shared secret used as the HMAC key is selected based on the source IP address of the packet. The NAS discards the packet if the Message-Authenticator received in the request is invalid.

For the ACK or NAK response, the Message-Authenticator is calculated using the following fields:
• Code (called Type in RFC 3579)
• Identifier
• Length
• Request Authenticator (from the request being answered)
• Attributes

Disconnect Message Processing

This section lists various actions that the NAS performs during DM processing.
2. Enter the following command to configure the global shared key value:
   client-key encryption-type key
   Dell(conf-dynamic-auth#)client-key 7 password

Disconnecting administrative users logged in through RADIUS

Dell EMC Networking OS enables you to configure disconnect messages (DMs) to disconnect RADIUS administrative users who are logged in through an AAA interface.
• sends a CoA-ACK if it is successfully able to flap the port.
• discards the packet if simultaneous requests are received for the same NAS-Port.

Configuring CoA to re-authenticate 802.1x sessions

Dell EMC Networking OS provides RADIUS extension commands that enable you to configure re-authentication of 802.1x user sessions. When you configure this feature, the DAC sends a CoA request to re-authenticate the 802.1x user session whenever the authorization level of the user’s profile changes.
NAS terminates the 802.1x user session without disabling the physical port.

Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)terminate-session

NAS takes the following actions whenever session termination is triggered:
• validates the DM request and the session identification attributes.
• sends a DM-NAK with an error-cause of 402 (missing attribute) if the DM request does not contain the Calling-Station-Id and NAS-Port attributes.
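Both sides of the Disconnect-Message exchange described above, as an added example written for this page rather than Dell EMC Networking OS code: the DAC signs a Disconnect-Request, the NAS checks the Request Authenticator and the Message-Authenticator (computed over Code, Identifier, Length, 16 zero octets and the attributes, as listed above) and silently discards anything that fails, then answers with a DM-ACK, or with a DM-NAK carrying Error-Cause 402 when a required session identification attribute is missing, and the DAC verifies the response (whose Message-Authenticator is computed with the Request Authenticator in place of the zero octets). The shared secret, identifiers and attribute values are constructed for the example; the attribute and error-cause numbers are the ones from the tables above and RFC 5176.

```python
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_PORT, CALLING_STATION_ID = 1, 5, 31
MESSAGE_AUTHENTICATOR, ERROR_CAUSE = 80, 101
ERR_MISSING_ATTRIBUTE = 402            # "Missing Attribute (402)" from the error-cause table


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS type-length-value attributes."""
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def message_authenticator(secret, code, ident, auth_field, attrs):
    """HMAC-MD5 over Code | Identifier | Length | auth_field | attributes, with the
    Message-Authenticator value itself replaced by 16 zero octets. auth_field is 16 zero
    octets for a CoA/DM request and the Request Authenticator for the ACK/NAK."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hmac.new(secret, header + auth_field + body, hashlib.md5).digest()


def build_dm_request(secret, ident, attrs):
    """DAC side: sign a Disconnect-Request (Message-Authenticator first, then the
    Request Authenticator, which is MD5 over the packet with zeroed authenticator plus secret)."""
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(secret, DISCONNECT_REQUEST, ident, bytes(16), attrs))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(body))
    request_authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + request_authenticator + body


def _respond(secret, code, ident, request_authenticator, attrs):
    attrs = list(attrs) + [(MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR,
                 message_authenticator(secret, code, ident, request_authenticator, attrs))
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def nas_process_dm(secret, packet, required=(USER_NAME,)):
    """NAS side. Returns the DM-ACK/DM-NAK to send, or None when the packet is silently
    discarded (bad length, bad Request Authenticator, bad or missing Message-Authenticator)."""
    if len(packet) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return None
    request_authenticator, body = packet[4:20], packet[20:]
    try:
        attrs = decode_attrs(body)
    except ValueError:
        return None
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, request_authenticator):
        return None
    mac = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if len(mac) != 1 or not hmac.compare_digest(
            mac[0], message_authenticator(secret, code, ident, bytes(16), attrs)):
        return None
    present = {t for t, _ in attrs}
    if any(t not in present for t in required):   # e.g. terminate-session without Calling-Station-Id/NAS-Port
        return _respond(secret, DISCONNECT_NAK, ident, request_authenticator,
                        [(ERROR_CAUSE, struct.pack("!I", ERR_MISSING_ATTRIBUTE))])
    return _respond(secret, DISCONNECT_ACK, ident, request_authenticator, [])


def dac_verify_response(secret, request, response):
    """DAC side: check the Response Authenticator and Message-Authenticator of the NAS reply."""
    request_authenticator = request[4:20]
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    body = response[20:]
    expected = hashlib.md5(response[:4] + request_authenticator + body + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False
    attrs = decode_attrs(body)
    mac = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    return len(mac) == 1 and hmac.compare_digest(
        mac[0], message_authenticator(secret, code, ident, request_authenticator, attrs))


def error_cause(response):
    """Error-Cause value carried in a NAK, or None."""
    for t, v in decode_attrs(response[20:]):
        if t == ERROR_CAUSE:
            return struct.unpack("!I", v)[0]
    return None
```

The required-attribute set is a parameter because the table above asks for different attributes per request type: User-Name for a plain DM, Calling-Station-Id and NAS-Port for a terminate-session DM.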
RPM failover scenario This section describes how the NAS handles virtual IP failovers to the secondary RPM. • • The NAS Route Processor Module (RPM) processes the RADIUS dynamic authorization message only if the role of RPM is active. The NAS standby RPM processes the retransmitted CoA or DM messages without requiring a chassis reboot if primary RPM fails and standby becomes primary. Stack failover scenario This section describes the stack failover scenario.
• Monitoring TACACS+
• TACACS+ Remote Authentication and Authorization
• Specifying a TACACS+ Server Host
For a complete listing of all commands related to TACACS+, refer to the Security chapter in the Dell Networking OS Command Reference Guide.

Choosing TACACS+ as the Authentication Method

One of the login authentication methods available is TACACS+; the user’s name and password are sent for authentication to the TACACS+ hosts specified.
%SYSTEM-P:CP %SEC-5-LOGOUT: Exec session is terminated for user admin on line vty0 (10.11.9.209)
Dell(conf)#username angeline password angeline
Dell(conf)#%SYSTEM-P:CP %SEC-5-LOGIN_SUCCESS: Login successful for user angeline on vty0 (10.11.9.209)
%SYSTEM-P:CP %SEC-3-AUTHENTICATION_ENABLE_SUCCESS: Enable password authentication success on vty0 ( 10.11.9.209 )

Monitoring TACACS+

To view information on TACACS+ transactions, use the following command.
• View TACACS+ transactions to troubleshoot problems.
To specify multiple TACACS+ server hosts, configure the tacacs-server host command multiple times. If you configure multiple TACACS+ server hosts, the system attempts to connect with them in the order in which they were configured. To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode. To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command.
• Display SSH connection information.
  EXEC Privilege mode
  show ip ssh

The following example shows using the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.

Dell(conf)#ip ssh server version 2
Dell(conf)#do show ip ssh
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
The following example shows the use of SCP and SSH to copy a software image from one switch, whose SSH server listens on TCP port 99 rather than the default port 22, to the local switch.

Dell#copy scp: flash:
Address or name of remote host []: 10.10.10.1
Port number of the server [22]: 99
Source file name []: test.
Example of Configuring a Cipher List The following example shows you how to configure a cipher list. Dell(conf)#ip ssh server cipher 3des-cbc aes128-cbc aes128-ctr Configuring DNS in the SSH Server Dell EMC Networking provides support to enable the DNS in SSH server configuration for host-based authentication. You can specify whether the SSH Server should look up the remote host name and check whether the resolved host name for the remote IP address maps to the same IP address.
hmac-algorithm: Enter a space-delimited list of keyed-hash message authentication code (HMAC) algorithms supported by the SSH server. The following HMAC algorithms are available:
• hmac-md5
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
The default list of HMAC algorithms is in the following order:
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithms are hmac-sha2-256, hmac-sha1, and hmac-sha1-96.
Unless a client still depends on them, leave the MD5-based and 96-bit truncated MACs off the list and keep hmac-sha2-256 first; current OpenSSH releases no longer offer those older MACs by default, so a server that insists on them gains nothing but exposure.
• aes256-ctr
The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.

Example of Configuring a Cipher List

The following example shows you how to configure a cipher list.

Dell(conf)#ip ssh cipher aes128-ctr aes128-cbc 3des-cbc

Secure Shell Authentication

Secure Shell (SSH) is disabled by default. Enable SSH using the ip ssh server enable command.
EXEC Privilege mode
ip ssh rsa-authentication my-authorized-keys flash://public_key

admin@Unix_client#ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa):
/home/admin/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin/.ssh/id_rsa.
Your public key has been saved in /home/admin/.ssh/id_rsa.pub.
The following example shows creating rhosts.

admin@Unix_client# ls
id_rsa  id_rsa.pub  rhosts  shosts
admin@Unix_client# cat rhosts
10.16.127.201 admin

Using Client-Based SSH Authentication

To open an SSH session from the chassis, acting as the SSH client, to a remote SSH server, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled.
The system provides several ways to configure access classes for VTY lines, including:
• VTY Line Local Authentication and Authorization
• VTY Line Remote Authentication and Authorization

VTY Line Local Authentication and Authorization

The system retrieves the access class from the local database. To use this feature:
1. Create a username.
2. Enter a password.
3. Assign an access class.
4. Enter a privilege level.
Dell(config-line-vty)#end (same applies for radius and line authentication) VTY MAC-SA Filter Support The system supports MAC access lists which permit or deny users based on their source MAC address. With this approach, you can implement a security policy based on the source MAC address. To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
EXEC mode
show ip ssh

Dell# show ip ssh
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
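A check a practitioner would run over the show ip ssh output above before signing off on an SSH server, as an added example written for this page rather than Dell EMC Networking OS code. It parses the key : value lines and flags what the defaults still offer: SSHv1, CBC-mode and 3DES ciphers, MD5-based and 96-bit truncated MACs, and the 1024-bit diffie-hellman-group1 exchange. Which algorithms count as weak is this example's own choice, not a Dell recommendation; the sample text is constructed from the output above, and the remediation hint names the ip ssh server version 2 command shown earlier in this chapter.

```python
# Constructed sample based on the 'show ip ssh' output above.
SAMPLE_SHOW_IP_SSH = """\
SSH server : enabled.
SSH server version : v1 and v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
Password Authentication : enabled.
Hostbased Authentication : disabled.
RSA Authentication : enabled.
"""


def is_weak_cipher(name):
    """CBC modes are exposed to padding/plaintext-recovery attacks; 3DES is a 64-bit block cipher."""
    return name.endswith("-cbc") or name.startswith("3des")


def is_weak_mac(name):
    """MD5-based MACs and the 96-bit truncated variants."""
    return name.startswith("hmac-md5") or name.endswith("-96")


def is_weak_kex(name):
    """diffie-hellman-group1-sha1 uses a 1024-bit group."""
    return name == "diffie-hellman-group1-sha1"


def parse_show_ip_ssh(text):
    """Turn 'key : value.' lines into a dict of lower-cased key -> value string."""
    parsed = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        parsed[key.lower()] = value.rstrip(".")
    return parsed


def algorithms(cfg, key):
    """Split a comma-separated algorithm list; missing key gives an empty list."""
    return [a.strip() for a in cfg.get(key, "").split(",") if a.strip()]


def audit(text):
    """Return a sorted list of findings; an empty list means nothing was flagged."""
    cfg = parse_show_ip_ssh(text)
    findings = []
    if "v1" in cfg.get("ssh server version", ""):
        findings.append("sshv1 offered: set 'ip ssh server version 2'")
    for name in algorithms(cfg, "ssh server ciphers"):
        if is_weak_cipher(name):
            findings.append("weak cipher offered: " + name)
    for name in algorithms(cfg, "ssh server macs"):
        if is_weak_mac(name):
            findings.append("weak mac offered: " + name)
    for name in algorithms(cfg, "ssh server kex algorithms"):
        if is_weak_kex(name):
            findings.append("weak kex offered: " + name)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHOW_IP_SSH):
        print(finding)
```

Run against the default output the audit reports nine findings; once the server is limited to v2, CTR ciphers, hmac-sha2-256 and the group14 or group-exchange key exchanges, it reports none.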
ICMPv4 message types
IP header bad (12)
Timestamp request (13)
Timestamp reply (14)
Information request (15)
Information reply (16)
Address mask request (17)
Address mask reply (18)
NOTE: The Dell Networking OS does not suppress the ICMP message type echo request (8).

Table 104.
Dell EMC Networking OS Security Hardening

The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective. The Dell EMC Networking OS is enhanced to verify whether the startup configuration file has been altered before loading it.
Configuring the root User Password

For added security, you can change the root user password. If you configure the secure-cli command on the system, the Dell EMC Networking OS resets any previously-configured root access password without displaying any warning message. With the secure-cli command enabled on the system, CONFIGURATION mode does not display the root access password option. To change the default root user password, follow these steps:
• Change the default root user password.
51 Service Provider Bridging VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 128. VLAN Stacking in a Service Provider Network

Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-stack-enabled VLAN.
• Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-stack VLAN.
Related Configuration Tasks
• Configuring the Protocol Type Value for the Outer VLAN Tag
• Configuring Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks

Creating Access and Trunk Ports

To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
3      Inactive
4      Inactive
5      Inactive
6      Active                      M  Po1(Te 1/14-15)
                                   M  Te 1/13
Dell#

Configuring the Protocol Type Value for the Outer VLAN Tag

The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
  CONFIGURATION mode
  vlan-stack protocol-type
  The default is 9100 (hexadecimal, that is, a TPID of 0x9100, not the IEEE 802.1ad value 0x88A8). Set it to the TPID used by the other bridges in the provider network; Figure 131 shows what happens when the TPIDs do not match.
To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode.
    G - GVRP tagged, M - Vlan-stack
NUM    Status     Description   Q  Ports
* 1    Inactive                 U  Te 0/1
100    Inactive                 T  Te 0/1
101    Inactive                 M  Te 0/1
103    Inactive

Debugging VLAN Stacking

To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
  debug member
The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
Figure 129.
Figure 130.
Figure 131. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence VLAN stacking packet-drop precedence is supported on the switch. The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults.
Drop eligibility behavior (columns Ingress/Egress by Access Port/Trunk Port, rows DEI Disabled/DEI Enabled; cell order as extracted): Retain outer tag CFI; Set outer tag CFI to 0; Retain inner tag CFI; Retain inner tag CFI; Set outer tag CFI to 0; Set outer tag CFI to 0.

To enable drop eligibility globally, use the following command.
• Make packets eligible for dropping based on their DEI value.
  CONFIGURATION mode
  dei enable
By default, packets are colored green, and DEI is marked 0 on egress.
--------------------------------
Te 0/1      Green    0
Te 0/1      Yellow   1
Te 1/9      Yellow   0
Te 1/40     Yellow   0

Dynamic Mode CoS for VLAN Stacking

One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.
qos-policy-input 3 layer2 rate-police 40 Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
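The frame handling the VLAN stacking sections above describe (a configurable S-Tag TPID with the default 0x9100, the TPID-mismatch case where a frame with an unexpected outer TPID is treated as untagged data, the ingress DEI rule, and Dynamic Mode CoS deriving the S-Tag 802.1p value from the C-Tag), as an added example written for this page rather than Dell EMC Networking OS code. The MAC addresses and payload are constructed; carrying the customer CFI into the S-Tag when drop eligibility is enabled is this example's reading of the DEI table, and the queue assignment from the configuration above is not modelled.

```python
import struct

TPID_CTAG = 0x8100     # customer tag
TPID_9100 = 0x9100     # switch default S-Tag TPID ('vlan-stack protocol-type 9100')
TPID_88A8 = 0x88A8     # IEEE 802.1ad S-Tag TPID


def make_frame(dst, src, vid=None, pcp=0, dei=0, ethertype=0x0800, payload=b"", tpid=TPID_CTAG):
    """Build an Ethernet frame, optionally with one VLAN tag (constructed test input)."""
    tag = b""
    if vid is not None:
        tag = struct.pack("!HH", tpid, (pcp << 13) | (dei << 12) | (vid & 0xFFF))
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def parse_tags(frame, s_tpid=TPID_9100):
    """Return (dst, src, tags, ethertype, payload); tags is outermost first.
    Only the configured S-Tag TPID and 0x8100 are recognised as tags, so a frame whose outer
    TPID differs from the configured one is read as untagged data (the TPID-mismatch case)."""
    dst, src, off, tags = frame[:6], frame[6:12], 12, []
    while True:
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype not in (s_tpid, TPID_CTAG):
            return dst, src, tags, ethertype, frame[off + 2:]
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
        off += 4


def push_s_tag(frame, s_vid, cos_map=None, dei_enabled=False, s_tpid=TPID_9100):
    """Access-port ingress: add the S-Tag in front of the customer tag.
    PCP: Dynamic Mode CoS maps the C-Tag 802.1p value through cos_map; unmapped values and
    untagged customer frames get 0, as in the configuration example above.
    DEI: with drop eligibility disabled the outer CFI/DEI is always written as 0; with it
    enabled the customer tag's CFI is carried into the S-Tag (assumption of this example)."""
    dst, src, tags, _, _ = parse_tags(frame, s_tpid)
    c_pcp = tags[0]["pcp"] if tags else 0
    c_dei = tags[0]["dei"] if tags else 0
    pcp = (cos_map or {}).get(c_pcp, 0)
    dei = c_dei if dei_enabled else 0
    tci = (pcp << 13) | (dei << 12) | (s_vid & 0xFFF)
    return dst + src + struct.pack("!HH", s_tpid, tci) + frame[12:]


def pop_s_tag(frame, s_tpid=TPID_9100):
    """Access-port egress: strip the S-Tag, leaving the customer frame untouched."""
    if struct.unpack("!H", frame[12:14])[0] != s_tpid:
        raise ValueError("outer tag is not the configured S-Tag TPID")
    return frame[:12] + frame[16:]


# The mapping from the configuration example above: dot1p 0-3 -> outer dot1p 7, all else 0.
DYNAMIC_COS_EXAMPLE = {0: 7, 1: 7, 2: 7, 3: 7}
```

Parsing a 0x9100-tagged frame with s_tpid set to 0x88A8 returns no tags and an ethertype of 0x9100, which is exactly the situation Figure 131 illustrates: the frame is forwarded as plain data and the customer VLAN information is not seen.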
Figure 133. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 134. VLAN Stacking with L2PT

Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.

Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following command.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
   EXEC Privilege mode
   show cam-profile
2.
protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, the system uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. • Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them. Provider backbone bridging through IEEE 802.
52 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
• Only egress sampling is supported.
• The system exports all sFlow packets to the collector.
• A small sampling rate can equate to many exported packets. A backoff mechanism is automatically applied to reduce this amount.
• Some sampled packets may be dropped when the exported packet rate is high and the backoff mechanism is about to or is starting to take effect.
• The dropEvent counter, in the sFlow packet, is always zero.
69 sFlow samples dropped due to sub-sampling
Linecard 1 Port set 0 H/W sampling rate 8192
Te 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1
Te 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2

Displaying Show sFlow on an Interface
To view sFlow information on a specific interface, use the following command.
• Display sFlow configuration information and statistics on a specific interface.
The default UDP port is 6343. The default max-datagram-size is 1400.

Changing the Polling Intervals
The sflow polling-interval command sets the polling interval for an interface: the maximum number of seconds between successive counter samples sent to the collector. The global default counter polling interval is 20 seconds; this command changes it. You can configure an interface to use a different polling interval.
Collector IP addr: 10.10.10.3, Agent IP addr: 10.10.0.
53 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.

Implementation Information
The following describes SNMP implementation information.
• The Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571.
• The system supports up to 16 trap receivers.
Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security on the switch. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
  CONFIGURATION mode
  snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
  CONFIGURATION mode
  snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv password
Configure an SNMPv3 view.
The following example shows reading the value of many managed objects at one time.
> snmpwalk -v 2c -c public 10.11.198.100 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell Force10 OS
Operating System Version: 2.0
Application Software Version: 9.2(1.0B2)
Series: C9000
Copyright (c) 1999-2013 by Dell Inc. All Rights Reserved.
Build Time: Sun Jan 12 22:24:47 2014
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6027.1.5.1
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (133410) 0:22:14.
CONFIGURATION mode
snmpset -v version -c community agent-ip sysLocation.0 s "location-info"
You may use up to 55 characters. The default is None.

Configuring the CPU Utilization for SNMP Traps
When the total CPU utilization exceeds the configured threshold for the specified time, a threshold notification is sent as an SNMP trap. If a low threshold value is not specified, the low threshold value is set to the same value as the high threshold value.
RP LP LP LP LP LP LP LP LP LP LP LP LP PE 0 1 2 3 4 5 6 7 8 9 10 11 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 85 85 85 85 85 85 85 85 85 85 85 85 85 85 75 75 75 75 75 75 75 75 75 75 75 75 75 75 80 80 80 80 80 80 80 80 80 80 80 80 80 80 70 70 70 70 70 70 70 70 70 70 70 70 70 70 Configuring Threshold Memory Utilization for SNMP Traps When the total memory utilization for a CPU exceeds the configured high/low threshold for a given time, a threshold notification is sent as an SNMP trap.
LP LP LP LP LP LP LP LP LP LP LP LP PE 0 1 2 3 4 5 6 7 8 9 10 11 92 92 92 92 92 92 92 92 92 92 92 92 85 82 82 82 82 82 82 82 82 82 82 82 82 70 Subscribing to Managed Object Value Updates using SNMP By default, the system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system.
• Enable a subset of SNMP traps.
  snmp-server enable traps
NOTE: The envmon option enables all environment traps including those traps that are enabled with the envmon supply, envmon temperature, and envmon fan options.
The following traps are available.
vlt    Enable VLT traps.
vrrp   Enable VRRP state change traps.
xstp   %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
       %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 11/38 transitioned from Forwarding to Blocking state.
       %SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
       %SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Te 11/38 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.
SNMP OID %SYSTEM-P:CP %SNMP-4-RMON_HC_RISING_THRESHOLD: RMON high-capacity rising threshold alarm from SNMP OID Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to send an SNMP trap if an audit processing failure occurs due to loss of connectivity with the syslog server. If a connectivity failure occurs on a syslog server that is configured for reliable transmission, an SNMP trap is sent and a message is displayed on the console.
Copy Configuration Files Using SNMP
To do the following, use SNMP from a remote client.
• copy the running-config file to the startup-config file
• copy configuration files from the Dell Networking system to a server
• copy configuration files from a server to the Dell Networking system
You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object          OID                                Object Values                                                      Description
copyDestFileName    .1.3.6.1.4.1.6027.3.5.1.1.1.1.7    Path (if the file is not in the default directory) and filename.   Specifies the name of destination file.
copyServerAddress   .1.3.6.1.4.1.6027.3.5.1.1.1.1.8    IP Address of the server.                                          The IP address of the server.
copyUserName        .1.3.6.1.4.1.6027.3.5.1.1.1.1.9    Username for the server.                                           Username for the FTP, TFTP, or SCP server.
copyUserPassword    .1.3.6.1.4.1.6027.3.5.1.1.1.1.10   Password for the server.
Copying Configuration Files via SNMP
To copy the running-config to the startup-config from the UNIX machine, use the following command.
• Copy the running-config to the startup-config from the UNIX machine.
  snmpset -v 2c -c public force10system-ip-address copySrcFileType.index i 2 copyDestFileType.index i 3
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object.
FTOS-COPY-CONFIG-MIB::copyDestFileLocation.110 = INTEGER: ftp(4)
FTOS-COPY-CONFIG-MIB::copyServerAddress.110 = IpAddress: 11.11.11.11
FTOS-COPY-CONFIG-MIB::copyUserName.110 = STRING: mylogin
FTOS-COPY-CONFIG-MIB::copyUserPassword.110 = STRING: mypass

Copying the Startup-Config Files to the Server via TFTP
To copy the startup-config to the server via TFTP from the UNIX machine, use the following command.
NOTE: Verify that the file exists and its permissions are set to 777.
MIB Object           OID                                 Values               Description
                                                         4 = file exists
                                                         5 = file not found
                                                         6 = timeout
                                                         7 = unknown
copyEntryRowStatus   .1.3.6.1.4.1.6027.3.5.1.1.1.1.15    Row status           Specifies the state of the copy operation. Uses CreateAndGo when you are performing the copy. The state is set to active when the copy is completed.

Obtaining a Value for MIB Objects
To obtain a value for any of the MIB objects, use the following command.
• Get a copy-config MIB object value.
  snmpset -v 2c -c public -m ./f10-copy-config.
Viewing the Reason for Last System Reboot Using SNMP
• To view the reason for last system reboot using SNMP, you can use any one of the applicable SNMP commands:
The following example shows a sample output of the snmpwalk command to view the last reset reason.
[apoosappan@login-maa-06 ~]$ snmpwalk -c public -v 2c 10.16.130.49 1.3.6.1.4.1.6027.3.26.1.4.3.1.7
DELL-NETWORKING-CHASSIS-MIB::dellNetProcessorResetReason.supervisor.1.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.4.1.6027.3.26.1.4.8
MIB Object                      OID                               Description
dellNetFpEgrQDroppedBytesRate   1.3.6.1.4.1.6027.3.27.1.20.1.9    Rate of Bytes dropped per Unicast/Multicast Egress queue.

MIB Support to Display Egress Queue Statistics
Dell Networking OS provides MIB objects to display the ECMP group count information. The following table lists the related MIB objects:
Table 113. MIB Objects to display ECMP Group Count
MIB Object                  OID                        Description
dellNetInetCidrECMPGrpMax   1.3.6.1.4.1.6027.3.9.1.
Viewing the entAliasMappingTable MIB
• To view the entAliasMappingTable generated by the system, use the following command.
snmpwalk -v 2c -c public -On 10.16.150.97 1.3.6.1.2.1.47.1.3.2.1
.1.3.6.1.2.1.47.1.3.2.1.2.5.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097157
.1.3.6.1.2.1.47.1.3.2.1.2.9.0 = OID: .1.3.6.1.2.1.2.2.1.1.2097669
.1.3.6.1.2.1.47.1.3.2.1.2.13.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098181
.1.3.6.1.2.1.47.1.3.2.1.2.17.0 = OID: .1.3.6.1.2.1.2.2.1.1.2098693
.1.3.6.1.2.1.47.1.3.2.1.2.21.0 = OID: .1.3.6.1.2.1.2.2.
In the above example:
• 33997973 is the count of green packet-drops (Green Drops).
• 329629607 is the count of yellow packet-drops (Yellow Drops).
• 31997973 is the count of red packet-drops (Out of Profile Drops).

MIB Support for LAG
Dell Networking provides a method to retrieve the configured LACP information (Actor and Partner).
MIB Object               OID                             Description
                                                         from an Aggregator Parser, and either delivering the frame to its MAC Client or discarding the frame.
dot3adAggPortListTable   1.2.840.10006.300.43.1.1.2      Contains a list of all the ports associated with each Aggregator. Each LACP channel in a device occupies an entry in the table.
dot3adAggPortListEntry   1.2.840.10006.300.43.1.1.2.1    Contains a list of ports associated with a given Aggregator and indexed by the ifIndex of the Aggregator.
dot3adAggPortListPorts   1.2.840.10006.
snmpwalk -v2c -c mycommunity 10.16.150.83 1.0.8802.1.1.2.1.4
iso.0.8802.1.1.2.1.4.1.1.6.0.2113029.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.3161092.6 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.3161605.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.4209668.6 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.4210181.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.6.0.9437185.2 = INTEGER: 5
iso.0.8802.1.1.2.1.4.1.1.7.0.2113029.2 = STRING: "fortyGigE 1/50"
iso.0.8802.1.1.2.1.4.1.1.7.0.3161092.
snmpwalk -v2c -c public 10.16.150.83 1.0.8802.1.1.2.1.4.4.1.4
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.1.133 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.2.134 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.3.135 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.4.136 = STRING: "Dell"
iso.0.8802.1.1.2.1.4.4.1.4.0.3161092.1.0.1.102.5.137 = STRING: "Dell"
snmpget -v2c -c public 10.16.150.102 1.0.8802.1.1.2.1.4.4.1.4.0.1048580.2.0.1.232.16.1
iso.0.
MIB Object                        OID                                Access or Permission   Description
dellNetPortSecIfSecureMacLimit    1.3.6.1.4.1.6027.3.31.1.2.1.1.3    read-write             Maximum number (N) of MAC addresses to be secured on the interface
dellNetPortSecIfCurrentMacCount   1.3.6.1.4.1.6027.3.31.1.2.1.1.4    read-only              Current number of MAC addresses learnt or configured on this interface
dellNetPortSecIfStationMoveEn     1.3.6.1.4.1.6027.3.31.1.2.1.1.
MAC addresses cannot be retrieved using dellNetPortSecSecureStaticMacAddrTable and dellNetPortSecSecureMacAddrTable. These tables are valid only if the port security feature is enabled globally in the system.
Table 121. MIB Objects for configuring MAC addresses
MIB Object                                 OID                                Access or Permission   Description
dellNetPortSecIfSecureStaticMacRowStatus   1.3.6.1.4.1.6027.3.31.1.2.2.1.4    read-write             Allows adding or deleting entries to or from the table dellNetPortSecSecureStaticMacAddrTable.
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.

Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object.
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 In the following example, Port 0/2 is added as a tagged member of VLAN 10.
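As an added example (not code from the Dell guide), a helper for the PortList octet string that the dot1qVlanStatic* objects carry; the encoding follows RFC 2674, and the mapping of bit position 2 to Port 0/2 is assumed from the example above rather than stated by the agent:

```python
"""Q-BRIDGE-MIB PortList helper for the dot1qVlanStatic* objects.

Added example; it is not code from the Dell guide. RFC 2674 defines
PortList as an octet string in which octet k (0-based) covers ports
8k+1 .. 8k+8 and the most significant bit of each octet is the lowest
numbered port, so a leading octet of 40 marks bit position 2. How a bit
position maps to a front-panel port (the guide's example shows Port 0/2)
is assumed from that example; the agent defines the real mapping.
"""


def portlist_to_hex(ports, width_octets):
    """Encode 1-based bit positions as the Hex-STRING that snmpwalk prints,
    e.g. portlist_to_hex({2}, 4) -> '40 00 00 00'."""
    buf = bytearray(width_octets)
    for port in ports:
        if not 1 <= port <= width_octets * 8:
            raise ValueError(f"port {port} outside a {width_octets}-octet PortList")
        idx, bit = divmod(port - 1, 8)
        buf[idx] |= 0x80 >> bit            # MSB = lowest port within the octet
    return " ".join(f"{b:02X}" for b in buf)


def hex_to_portlist(hex_string):
    """Decode a Hex-STRING back into the sorted list of set bit positions."""
    octets = bytes.fromhex(hex_string.replace(" ", ""))
    ports = []
    for idx, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(idx * 8 + bit + 1)
    return ports


def merge_port(current_hex, port, add=True):
    """Return a new Hex-STRING with one port added to or removed from the
    membership the agent currently holds. dot1qVlanStaticEgressPorts is
    written as a whole, so a bare snmpset of '40 00 ...' silently drops
    every other member; read the current value first and merge into it."""
    width = len(current_hex.split())
    members = set(hex_to_portlist(current_hex))
    if add:
        members.add(port)
    else:
        members.discard(port)
    return portlist_to_hex(members, width)


def snmpset_egress_ports_cmd(agent, community, vlan_index, hex_value):
    """Command line that writes dot1qVlanStaticEgressPorts (column 2 of the
    dot1qVlanStaticTable used on this page) for one VLAN row, passing the
    PortList as a hex value (type 'x')."""
    oid = f".1.3.6.1.2.1.17.7.1.4.3.1.2.{vlan_index}"
    return f"snmpset -v2c -c {community} {agent} {oid} x {hex_value.replace(' ', '')}"


if __name__ == "__main__":
    # Constructed sample: a 4-octet PortList in which bit 2 is already set.
    current = "40 00 00 00"
    updated = merge_port(current, 17)        # add bit position 17 as well
    print(updated)                           # 40 00 80 00
    print(hex_to_portlist(updated))          # [2, 17]
    print(snmpset_egress_ports_cmd("123.45.6.78", "mycommunity", 10, updated))
```

The PortList width must match what the agent returns for the row; read it with snmpget before writing it back.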
   show interface
   Or, from the management system, use the snmpwalk command to identify the interface index.
3. Enter the snmpset command to change the admin status using either the object descriptor or the OID.
   snmpset with descriptor:
   snmpset -v version -c community agent-ip ifAdminStatus.ifindex i {1 | 2}
   snmpset with OID:
   snmpset -v version -c community agent-ip .1.3.6.1.2.1.2.2.1.7.ifindex i {1 | 2}
   Choose integer 1 to change the admin status to Up, or 2 to change the admin status to Down.
---------------Query from Management Station---------------
>snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.7.1.2.2.1
Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
Figure 136. Interface Index Number Assigned to FortyGigE 0/4 Port
In this example, if you start from the least significant bit on the right:
• The first 14 bits (00001000000010) identify a line card.
• The next 4 bits (1001) identify a 40-Gigabit Ethernet interface.
• The next 12 bits (000011000100) identify slot 0 and port 4.
• The next bit (0) identifies a physical interface.
• The last bit is always 0, which means that it is unused.
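The bit layout of Figure 136 as a decoder, added here as an example that is not part of the guide; the only assumption is the field order and widths listed above, and the split of the 12 slot/port bits, which the text does not give, is left undecoded:

```python
"""Decode a Dell Networking OS ifIndex into the bit fields described for
Figure 136. Added example, not from the guide; the layout is taken only
from the text (14 bits line card, 4 bits interface type, 12 bits slot/port,
1 bit physical flag, 1 unused bit, listed from the most significant end).
The page does not say how the 12 slot/port bits split or what each type
code means, so those fields are returned raw.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IfIndexFields:
    line_card: int   # 14 bits
    if_type: int     # 4 bits; 1001 (9) is a 40-Gigabit Ethernet port in Figure 136
    slot_port: int   # 12 bits; Figure 136 says these identify slot 0, port 4
    physical: int    # 1 bit; 0 = physical interface
    unused: int      # 1 bit; always 0


def decode_ifindex(ifindex: int) -> IfIndexFields:
    """Split a 32-bit ifIndex into its fields."""
    if not 0 <= ifindex < 1 << 32:
        raise ValueError("ifIndex must be an unsigned 32-bit value")
    return IfIndexFields(
        line_card=(ifindex >> 18) & 0x3FFF,
        if_type=(ifindex >> 14) & 0xF,
        slot_port=(ifindex >> 2) & 0xFFF,
        physical=(ifindex >> 1) & 0x1,
        unused=ifindex & 0x1,
    )


def encode_ifindex(f: IfIndexFields) -> int:
    """Inverse of decode_ifindex; rejects values that overflow their field."""
    for value, bits, name in ((f.line_card, 14, "line_card"), (f.if_type, 4, "if_type"),
                              (f.slot_port, 12, "slot_port"), (f.physical, 1, "physical"),
                              (f.unused, 1, "unused")):
        if not 0 <= value < 1 << bits:
            raise ValueError(f"{name} does not fit in {bits} bits")
    return ((f.line_card << 18) | (f.if_type << 14) | (f.slot_port << 2)
            | (f.physical << 1) | f.unused)


# The bit string of Figure 136 as the text reads it, most significant bit first.
FIGURE_136_BITS = "00001000000010" + "1001" + "000011000100" + "0" + "0"


def describe(ifindex: int) -> str:
    """Human-readable rendering, e.g. for annotating snmpwalk output."""
    f = decode_ifindex(ifindex)
    kind = "physical" if f.physical == 0 else "logical"
    return (f"ifIndex {ifindex}: line card {f.line_card}, type {f.if_type:04b}, "
            f"slot/port bits {f.slot_port:012b}, {kind}")


if __name__ == "__main__":
    idx = int(FIGURE_136_BITS, 2)
    print(describe(idx))
    assert encode_ifindex(decode_ifindex(idx)) == idx
```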
sho run bgp
router bgp 100
 address-family ipv4 vrf vrf1
  snmp context context1
  neighbor 20.1.1.1 remote-as 200
  neighbor 20.1.1.1 no shutdown
 exit-address-family
 address-family ipv4 vrf vrf2
  snmp context context2
  timers bgp 30 90
  neighbor 30.1.1.1 remote-as 200
  neighbor 30.1.1.1 no shutdown
 exit-address-family
To map the context to a VRF instance for SNMPv3, follow these steps:
1. Create a community and map a VRF to it.
Example of SNMP Walk Output for BGP timer configured for vrf2 (SNMPv2c)
snmpwalk -v 2c -c vrf2 10.16.131.125 1.3.6.1.4.1.6027.20.1.2.3
SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.1.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.2.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.1.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.2.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.30.1.1.2.1.30.1.1.1
SNMPv2-SMI::enterprises.6027.20.1.2.
Example of Viewing Changed Interface State for Monitored Ports
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state to down: Te 0/0"
2010-02-10 14:22:39 10.16.130.4 [10.16.130.4]:
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.
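Added example, not from the guide: a parser for trap lines in the format shown above, followed by a flap check over the parsed events; the log lines are constructed in that format, and the thresholds are illustrative assumptions:

```python
"""Parse IF-MIB linkUp/linkDown traps as logged by snmptrapd and flag
interfaces that flap. Added example, not from the guide; the log lines
below are constructed in the format shown on this page, and the
enterprise varbind 6027.3.1.1.4.1.2 is read as the OSTATE text exactly
as it appears there. Thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<agent>\S+) \[(?P<src>[^\]]+)\]: (?P<body>.*)$")
# A varbind is "NAME = VALUE"; VALUE runs until the next " NAME = " or the end of the line.
VARBIND_RE = re.compile(r"(?P<name>[\w\-]+::[\w\-.]+) = (?P<value>.*?)(?= [\w\-]+::[\w\-.]+ = |$)")
STATE_RE = re.compile(r'Changed interface state to (?P<state>up|down): (?P<iface>[^"]+)')
OSTATE_OID = "SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2"


def parse_varbinds(body):
    return {m.group("name"): m.group("value").strip() for m in VARBIND_RE.finditer(body)}


def parse_link_trap(line):
    """Return {'time', 'agent', 'ifindex', 'iface', 'state'} for a linkUp/linkDown
    trap line, or None for any other trap or an unparsable line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    vb = parse_varbinds(m.group("body"))
    trap = vb.get("SNMPv2-MIB::snmpTrapOID.0", "")
    if trap not in ("OID: IF-MIB::linkDown", "OID: IF-MIB::linkUp"):
        return None
    ifindex = next((int(v.split()[-1]) for k, v in vb.items()
                    if k.startswith("IF-MIB::ifIndex.")), None)
    state = STATE_RE.search(vb.get(OSTATE_OID, ""))
    if ifindex is None or state is None:
        return None
    return {"time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "agent": m.group("agent"), "ifindex": ifindex,
            "iface": state.group("iface"), "state": state.group("state")}


def detect_flapping(events, max_changes=3, window_seconds=600):
    """Map (agent, iface) -> largest number of link transitions seen inside any
    window_seconds span, for interfaces exceeding max_changes."""
    times = defaultdict(list)
    for ev in events:
        times[(ev["agent"], ev["iface"])].append(ev["time"])
    flapping = {}
    for key, ts in times.items():
        ts.sort()
        best, start = 0, 0
        for end in range(len(ts)):          # sliding window over sorted times
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best > max_changes:
            flapping[key] = best
    return flapping


def _trap_line(ts, state, iface, ifindex, agent="10.16.130.4"):
    """Build a constructed snmptrapd line in the page's format."""
    tag = "OSTATE_DN" if state == "down" else "OSTATE_UP"
    trap = "linkDown" if state == "down" else "linkUp"
    return (f"{ts} {agent} [{agent}]: SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42 "
            f"SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::{trap} IF-MIB::ifIndex.{ifindex} = "
            f'INTEGER: {ifindex} {OSTATE_OID} = STRING: "{tag}: Changed interface state to {state}: {iface}"')


SAMPLE_LOG = [  # constructed: Te 0/0 changes state four times in two minutes, Te 0/1 goes down once
    _trap_line("2010-02-10 14:22:39", "down", "Te 0/0", 33865785),
    _trap_line("2010-02-10 14:23:02", "up", "Te 0/0", 33865785),
    _trap_line("2010-02-10 14:23:40", "down", "Te 0/0", 33865785),
    _trap_line("2010-02-10 14:24:15", "up", "Te 0/0", 33865785),
    _trap_line("2010-02-10 14:25:00", "down", "Te 0/1", 33866297),
    "2010-02-10 14:25:30 10.16.130.4 [10.16.130.4]: SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-MIB::coldStart",
    "garbage line that is not a trap",
]


def flapping_from_log(lines, **kwargs):
    events = [ev for ev in map(parse_link_trap, lines) if ev]
    return detect_flapping(events, **kwargs)


if __name__ == "__main__":
    print(flapping_from_log(SAMPLE_LOG))   # {('10.16.130.4', 'Te 0/0'): 4}
```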
Field (OID)                                     Description
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.4     Vendor Name
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.5     Part Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.6     Serial Number
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.7     Transmit Power
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.8     Receive Power

Configuring SNMP context name
To configure the SNMP context name for the OSPFv3 module, use the following command.
• Configure the SNMP context-name.
54 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic.
To view the storm control configuration, use the show storm-control {broadcast | multicast | unknown-unicast | pfc-llfc} [interface] command.
• storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
  INTERFACE mode
  storm-control pfc-llfc pps in shutdown
NOTE: An interface with PFC/LLFC storm control enabled is disabled if it receives continuous PFC/LLFC packets. This can be the result of a faulty NIC or switch that sends spurious PFC/LLFC packets.
55 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is a Layer 2 protocol — specified by IEEE 802.1d — that eliminates loops in a bridged topology by enabling only a single path through the network.
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes

Important Points to Remember
• STP is disabled by default.
• The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
• You may only enable one flavor of spanning tree at any one time.
   no ip address
2. Place the interface in Layer 2 mode.
   INTERFACE mode
   switchport
3. Enable the interface.
   INTERFACE mode
   no shutdown
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-te-1/1)#

Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default.
2. Enable STP.
   PROTOCOL SPANNING TREE mode
   no disable
To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode.
To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group
To add a Layer 2 interface to the spanning tree topology, use the following command.
• Enable spanning tree on a Layer 2 interface.
  INTERFACE mode
  spanning-tree 0
To remove a Layer 2 interface from the spanning tree topology, enter the no spanning-tree 0 command.

Modifying Global Parameters
You can modify the spanning tree parameters.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.

Modifying Interface STP Parameters
You can set the port cost and port priority values of interfaces in Layer 2 mode.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Preventing Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 139. Enabling BPDU Guard
Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features.
BPDU guard:
• is used on edgeports and blocks all traffic on the edgeport if it receives a BPDU.
• drops the BPDU after it reaches the Route Processor and generates a console message.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 140. STP Root Guard Prevents Bridging Loops

Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.

Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps individually or collectively, use the following commands.
• Enable SNMP traps for spanning tree state changes.
  snmp-server enable traps stp
• Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 141. STP Loop Guard Prevents Forwarding Loops

Configuring Loop Guard
Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
• If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
• When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN.
To enable a loop guard on an STP-enabled port or port-channel interface, use the following command.
56 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see Dell Networking Open Automation guide. Figure 142.
Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry. Enable the SupportAssist service.
the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist. NOTE: This step is not mandatory and you can configure SupportAssist manually without performing this step. Even before you accept or reject the EULA, the configuration data is sent to the default centrally deployed SupportAssist Server. If you reject the EULA, the configuration data is not transmitted to the SupportAssist server. 2. Move to the SupportAssist Configuration mode.
Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1. Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
By default, the full transfer includes the core files. When you disable the core transfer activity, the full transfer excludes the core files.
[no] contact-person [first ] last
Dell(conf-supportassist)#contact-person first john last doe
Dell(conf-supportassist-pers-john_doe)#
2. Configure the email addresses to reach the contact person.
   SUPPORTASSIST PERSON mode
   [no] email-address primary email-address [alternate email-address]
   Dell(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com
   Dell(conf-supportassist-pers-john_doe)#
3. Configure phone numbers of the contact person.
[no] enable
Dell(conf-supportassist-serv-default)#enable
Dell(conf-supportassist-serv-default)#
4. Configure the URL to reach the SupportAssist remote server.
   SUPPORTASSIST SERVER mode
   [no] url uniform-resource-locator
   Dell(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm
   Dell(conf-supportassist-serv-default)#

Viewing SupportAssist Configuration
To view the SupportAssist configurations, use the following commands:
1.
url http://1.1.1.1:1337
Dell#
3. Display the EULA for the feature.
   EXEC Privilege mode
   show eula-consent {support-assist | other feature}
   Dell#show eula-consent support-assist
   SupportAssist EULA has been: Accepted
   Additional information about the SupportAssist EULA is as follows:
   By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services.
57 System Time and Date
System time and date settings are user-configurable and maintained through the network time protocol (NTP). System times and dates are also set in hardware settings using the Dell Networking OS CLI.
Topics:
• Network Time Protocol
• Time and Date

Network Time Protocol
The network time protocol (NTP) synchronizes timekeeping among a set of distributed time servers and clients. The protocol also coordinates time distribution in a large, diverse network with various interfaces.
Protocol Overview
The NTP client sends messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode.
DellEMC#show ntp status
Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0
frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18
reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC
clock offset is -0.167449 msec, root delay is 149.194 msec
root dispersion is 54.557 msec, peer dispersion is 0.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For the Management interface, enter the keyword ManagementEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication).
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's hierarchy. The following example shows configuring an NTP server.
Dell EMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.44
ntp server 10.16.127.86
ntp server 10.16.127.
To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode. The following example shows an encrypted authentication key (in bold). All keys are encrypted.
DellEMC#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02
ntp server 11.1.1.1 version 3
ntp trusted-key 345
DellEMC#

Configuring NTP control key password
The Network Time Protocol daemon (NTPD) design uses NTPQ to configure NTPD.
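An added example (not the guide's code) of the MD5 keyed MAC that ntp authenticate with an md5 authentication-key turns on; the key and packet bytes are constructed, the key id 345 is taken from the configuration above, and the encrypted string shown there is assumed not to be the key itself:

```python
"""Build and check the symmetric-key MAC that an NTP v3/v4 packet carries
when 'ntp authenticate' and 'ntp authentication-key <id> md5 <key>' are
configured. Added example, not from the guide. Per RFC 5905 section 7.3
the trailer is key_id (4 bytes, network order) followed by
MD5(key || packet); the 5A60910F3D211F02 in the guide is the encrypted
form that the running-config shows, not the key itself, so a constructed
key is used here.
"""
import hashlib
import hmac
import struct
from typing import Optional

NTP_HEADER_LEN = 48          # fixed header; no extension fields assumed
MD5_MAC_LEN = 4 + 16         # key id + MD5 digest


def build_client_packet(transmit_ts: int = 0) -> bytes:
    """Minimal NTP client request: LI=0, VN=3, Mode=3 (first byte 0x1B),
    as sent by a client configured with 'ntp server ... version 3'."""
    return struct.pack("!B3x3I3QQ", 0x1B, 0, 0, 0, 0, 0, 0, transmit_ts)


def md5_mac(key_id: int, key: bytes, packet: bytes) -> bytes:
    """Key id followed by MD5 over the shared key prepended to the packet."""
    return struct.pack("!I", key_id) + hashlib.md5(key + packet).digest()


def authenticate(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Append the MAC the way a peer does for a key it is configured with."""
    return packet + md5_mac(key_id, key, packet)


def verify(wire: bytes, trusted_keys: dict) -> Optional[int]:
    """Receiving side with 'ntp trusted-key' configured: returns the key id
    when the MAC checks out, None when the packet carries no MAC, names a
    key id that is not trusted, or fails the digest comparison."""
    if len(wire) < NTP_HEADER_LEN + MD5_MAC_LEN:
        return None
    body, trailer = wire[:-MD5_MAC_LEN], wire[-MD5_MAC_LEN:]
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + body).digest()
    if not hmac.compare_digest(expected, trailer[4:]):   # constant-time compare
        return None
    return key_id


if __name__ == "__main__":
    KEY = b"constructed-example-key"        # constructed; not a value from the guide
    wire = authenticate(build_client_packet(0x1234_5678_9ABC_DEF0), 345, KEY)
    print(len(wire), verify(wire, {345: KEY}))               # 68 345
    tampered = wire[:1] + bytes([wire[1] ^ 0x01]) + wire[2:]  # flip a stratum bit
    print(verify(tampered, {345: KEY}))                      # None
```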
Setting the Timezone Universal time coordinated (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean time. When determining system time, include the differentiator between UTC and your local timezone. For example, San Jose, CA is the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command. • Set the clock to the appropriate timezone.
Setting Recurring Daylight Saving Time Set a date (and time zone) on which to convert the switch to daylight saving time on a specific day every year. If you have already set daylight saving for a one-time setting, you can set that date and time as the recurring setting with the clock summer-time time-zone recurring command. To set a recurring daylight saving time, use the following command. • Set the clock to the appropriate timezone and adjust to daylight saving time every year.
pacific Sun Nov 1 2009" Configuring a Custom-defined Period for NTP time Synchronization You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure. • Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
58 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.1/24
Dell(conf-if-tu-3)#ipv6 address 3::1/64
Dell(conf-if-tu-3)#no shutdown
Dell(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
The following sample configuration shows how to configure a tunnel allow-remote address.
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#ipv6 address 1abd::1/64
Dell(conf-if-tu-1)#ip address 1.1.1.1/24
Dell(conf-if-tu-1)#tunnel source 40.1.1.1
Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any
Dell(conf-if-tu-1)#tunnel allow-remote 40.1.1.2
Dell(conf-if-tu-1)#no shutdown
Dell(conf-if-tu-1)#show config
!
interface Tunnel 1
ip address 1.1.1.1/24
ipv6 address 1abd::1/64
tunnel source 40.1.1.
• Control-plane packets received on a multipoint receive-only tunnel are destined to the local IP address and routed to the CPU after decapsulation. A response to these packets from the switch is only possible if the route to the sender does not pass through a receive-only tunnel.
• Multipathing over more than one VLAN interface is not supported on packets routed through the tunnel interface.
• IP tunnel interfaces are supported over ECMP paths to the next hop.
59 Upgrade Procedures For detailed upgrade procedures, refer to the Dell Networking OS Release Notes for your switch. The release notes describe the requirements and steps to follow to upgrade to a desired OS version. Upgrade Overview To upgrade system software on the switch, follow these general steps: 1. Identify the boot and system images currently stored on the switch (Control Processor, Route Processor, and line-card CPUs) using the show boot system all command. 2.
60 Uplink Failure Detection (UFD)
Feature Description
A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity. However, the devices do not receive a direct indication that upstream connectivity is lost because connectivity to the switch is still operational. UFD allows a switch to associate downstream interfaces with upstream interfaces.
Figure 144. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 145. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number, which is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces.
• If an uplink-state group has no upstream interfaces assigned, you cannot disable downstream interfaces when an upstream link goes down.
• To enable the debug messages for events related to a specified uplink-state group or all groups, use the debug uplink-state-group [group-id] command, where the group-id is from 1 to 16.
The maximum length is 80 alphanumeric characters.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group.
UPLINK-STATE-GROUP mode
no enable
By default, upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command.
Clearing a UFD-Disabled Interface
You can manually bring up a downstream interface in an uplink-state group that UFD disabled and that is in a UFD-Disabled Error state.
Displaying Uplink Failure Detection
To display information on the UFD feature, use any of the following commands.
• Display status information on a specified uplink-state group or all groups.
EXEC mode
show uplink-state-group [group-id] [detail]
• group-id: The values are 1 to 16.
• detail: displays additional status information on the upstream and downstream interfaces in each group.
• Display the current status of a port or port-channel interface assigned to an uplink-state group.
Upstream Interfaces : Te 0/41(Dwn) Po 8(Dwn)
Downstream Interfaces : Te 0/40(Dwn)
The following example shows viewing the uplink state group interface status for an S50 system.
• Verify the configuration with various show commands.
61 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
• A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command. Only after the interface is untagged and a member of the Default VLAN can you use the no switchport command to remove the interface from Layer 2 mode. For more information, refer to VLANs and Port Tagging.
Configuration Task List This section contains the following VLAN configuration tasks.
NOTE: You cannot configure an existing switchport or port channel interface for Native VLAN. Interfaces must have no other Layer 2 or Layer 3 configurations when using the portmode hybrid command, or a message similar to this displays: % Error: Port is in Layer-2 mode Te 5/6.
To configure a port so that it can be a member of untagged and tagged VLANs, use the following commands.
1. Remove any Layer 2 or Layer 3 configurations from the interface.
INTERFACE mode
2. Configure the interface for Hybrid mode.
Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged. For more information, refer to the Interfaces chapter and Configuring Layer 2 (Data Link) Mode.
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN. If the tagged interface is removed from the only VLAN to which it belongs, the interface is placed in the Default VLAN as an untagged interface. Moving Untagged Interfaces To move untagged interfaces from the Default VLAN to another VLAN, use the following commands. 1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
62 VLT Proxy Gateway
Proxy Gateway in VLT Domains
Using a proxy gateway, the VLT peers in a domain can route the L3 packets destined for VLT peers in another domain as long as they have L3 reachability for the IP destinations. A proxy gateway in a VLT domain provides the following benefits:
• Avoids sub-optimal routing of packets by a VLT domain when packets are destined to the endpoint in another VLT domain.
Figure 147. VLT Proxy Gateway — Topology 1
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable this functionality:
1. The proxy gateway is supported only for VLT; that is, across VLT domains.
2. To get the full benefit of the proxy gateway, peer-routing is recommended.
3.
13. When a VM moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP). The GARP triggers a MAC movement from the previous VLT domain to the new VLT domain.
14. After a station move, if a host sends a TTL 1 packet destined to its gateway (for example, the previous VLT node), the packet may be dropped.
15. After a station move, if a host first pings its gateway (for example, the previous VLT node), it results in a 40 to 60% success rate because the traffic takes a longer path.
• LLDP packets fail to reach the remote VLT domain devices (due to system down, rebooting, port down or physical link connection) Sample Configurations for LLDP VLT Proxy Gateway Apply the following configurations in the Core L3 Routers C and D in the local VLT domain and C1 and D1 in the remote VLT domain: 1. Configure proxy-gateway lldp in VLT Domain CONFIG mode. 2. Configure peer-domain-link port-channel in VLT Domain Proxy Gateway LLDP mode.
1. The above figure (Topology 2) shows a sample VLT proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This topology undergoes sub-optimal routing with the VLT Proxy Gateway LLDP method. For the VLT proxy gateway to work in this scenario, you must configure the VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode on both C and D (VLT domain 1) and C1 and D1 (VLT domain 2).
Dell(conf)#vlt domain domain-id
2. Configure the LLDP proxy gateway.
VLT DOMAIN mode
Dell(conf-vlt-domain)#proxy-gateway lldp
3. You can configure the port channel interface for an LLDP proxy gateway and exclude a VLAN or a range of VLANs from proxy routing. This parameter is for an LLDP proxy gateway configuration.
VLT DOMAIN PROXY GW LLDP mode
Dell(conf-vlt-domain-proxy-gw-lldp)#peer-domain-link port-channel interface exclude-vlan vlan-range
4. Display the VLT proxy gateway configuration.
63 Virtual Routing and Forwarding (VRF) VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices. Using VRF also increases network security and can eliminate the need for encryption and authentication due to traffic segmentation. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; VRF is also referred to as VPN routing and forwarding.
VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF default-VRF only. PBR supported on default-VRF only. QoS not supported on VLANs.
• Connect an OSPF Process to a VRF Instance
• Configure VRRP on a VRF
Load VRF CAM
VRF is enabled by default on the switch. To load the VRF CAM profile, enter the feature vrf command in global configuration mode.
Table 128. Load VRF CAM
Step | Task | Command Syntax | Command Mode
1 | Load CAM memory for the VRF feature. | feature vrf | CONFIGURATION
After you load VRF CAM, CLI parameters that allow you to configure non-default VRFs are made available on the system.
Task Command Syntax Command Mode ipv6 address 1::1 INTERFACE CONFIGURATION NOTE: You can assign either an IPv4 or an IPv6 address but not both. Assign an IPv6 address to the interface. NOTE: You can also auto configure an IPv6 address using the ipv6 address autoconfig command. View VRF Instance Information To display information about VRF configuration, enter the show ip vrf command. Table 132.
Task | Command Syntax | Command Mode
Configure the VRRP group and virtual IP address | vrrp-group 10; virtual-address 10.1.1.100 |
View VRRP command output for the VRF vrf1 | show config; show vrrp vrf vrf1 |
show config
----------------------------
!
interface TenGigabitEthernet 0/13
ip vrf forwarding vrf1
ip address 10.1.1.1/24
!
vrrp-group 10
virtual-address 10.1.1.100
no shutdown
show vrrp vrf vrf1
-----------------
TenGigabitEthernet 0/13, IPv4 VRID: 10, Version: 2, Net: 10.1.1.1
VRF: 2 vrf1
State: Master, Priority: 100, Master: 10.1.1.
NOTE: The command line help still displays relevant details corresponding to each of these commands. However, these interface range or interface group commands are not supported when Management VRF is configured. Configuring a Static Route To configure a static route, perform the following steps: Table 135. Configuring a Static Route Task Command Syntax Command Mode Configure a static route that points to a management interface.
Figure 150.
Figure 151. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 Router 2 The following shows the output of the show commands on Router 1. Router 1 The following shows the output of the show commands on Router 2.
Configuring Route Leaking with Filtering
When you initialize route leaking from one VRF to another, all the routes are exposed to the target VRF. If the size of the source VRF's RTM is considerably large, an import operation results in the duplication of the target VRF's RTM with the source RTM entries. To mitigate this issue, you can use route-maps to filter the routes that are exported and imported into the route targets based on certain matching criteria.
When you import routes into VRF-blue using the route-map import_ospf_protocol, only OSPF routes are imported into VRF-blue. Even though VRF-red has leaked both OSPF as well as BGP routes to be shared with other VRFs, this command imports only OSPF routes into VRF-blue.
9. Configure the import target in the source VRF for reverse communication with the destination VRF.
A non-default VRF named VRF-Shared is created and the interface 1/4 is assigned to this VRF.
2. Configure the export target in the source VRF.
ip route-export 1:1
3. Configure VRF-red.
ip vrf vrf-red
ip vrf forwarding VRF-red
ip address x.x.x.x 255.x.x.x
A non-default VRF named VRF-red is created and the interface 1/11 is assigned to this VRF.
4. Configure the import target in VRF-red.
ip route-import 1:1
5. Configure the export target in VRF-red.
ip route-export 2:2
6. Configure VRF-blue.
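To make the effect of the import route-map described under Configuring Route Leaking with Filtering concrete, the following Python block is an added example and not Dell OS code: it models three VRF routing tables with route-export and route-import targets and applies an import filter equivalent to the import_ospf_protocol route-map, so VRF-blue receives only VRF-red's OSPF routes while VRF-red receives everything VRF-Shared exports under 1:1. The prefixes, protocols and next hops are constructed sample values, and the assumption that VRF-blue imports target 2:2 follows the step sequence above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str    # "connected", "static", "ospf" or "bgp"
    next_hop: str


class Vrf:
    """A VRF instance: its routing table plus export/import route targets."""

    def __init__(self, name: str):
        self.name = name
        self.rtm: Set[Route] = set()                 # routing table manager entries
        self.export_targets: Set[str] = set()        # "ip route-export <rt>"
        # (route target, optional filter) from "ip route-import <rt> [route-map]"
        self.imports: List[Tuple[str, Optional[Callable[[Route], bool]]]] = []


def match_protocol(*protocols: str) -> Callable[[Route], bool]:
    """Build a filter equivalent to a route-map that matches on the source protocol."""
    allowed = set(protocols)
    return lambda route: route.protocol in allowed


def leak_routes(vrfs: Dict[str, Vrf]) -> Dict[str, List[str]]:
    """Apply all import targets and return the prefixes leaked into each VRF.

    Assumption of this model (not a statement about Dell OS): only routes a VRF
    learned itself are exported, so a leaked route is not re-exported by the
    VRF that imported it.
    """
    originals = {name: set(vrf.rtm) for name, vrf in vrfs.items()}
    leaked: Dict[str, List[str]] = {}
    for dst in vrfs.values():
        new_routes: Set[Route] = set()
        for target, route_filter in dst.imports:
            for src in vrfs.values():
                if src is dst or target not in src.export_targets:
                    continue
                for route in originals[src.name]:
                    if route_filter is None or route_filter(route):
                        new_routes.add(route)
        dst.rtm |= new_routes
        leaked[dst.name] = sorted(r.prefix for r in new_routes)
    return leaked


def build_topology() -> Dict[str, Vrf]:
    """Constructed sample topology following the VRF-Shared / VRF-red / VRF-blue steps."""
    shared, red, blue = Vrf("VRF-Shared"), Vrf("VRF-red"), Vrf("VRF-blue")
    shared.rtm.add(Route("192.0.2.0/24", "connected", "direct"))
    shared.export_targets.add("1:1")                 # ip route-export 1:1
    red.rtm.add(Route("10.20.0.0/16", "ospf", "10.1.11.2"))
    red.rtm.add(Route("203.0.113.0/24", "bgp", "10.1.11.3"))
    red.imports.append(("1:1", None))                # ip route-import 1:1 (no filter)
    red.export_targets.add("2:2")                    # ip route-export 2:2
    # VRF-blue imports 2:2 through a route-map that permits only OSPF routes
    blue.imports.append(("2:2", match_protocol("ospf")))
    return {v.name: v for v in (shared, red, blue)}


if __name__ == "__main__":
    topology = build_topology()
    for name, prefixes in leak_routes(topology).items():
        print(name, prefixes)
    # VRF-red ['192.0.2.0/24'], VRF-blue ['10.20.0.0/16']; the BGP route stays in VRF-red
```

Without the filter, VRF-blue would also take the BGP route (and every other entry VRF-red exports), which is the RTM duplication the section warns about; the route-map keeps the target table limited to the routes it actually needs.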
64 Virtual Link Trunking (VLT) Overview In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, bandwidth of all links is not effectively utilized by the connected devices. Figure 152. Traditional switched topology VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain. VLT provides Layer 2 multipathing, creating redundancy through increased bandwidth, enabling multiple parallel paths between nodes, and load-balancing traffic where alternate paths exist.
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP). VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing.
• Bulk synchronization happens only for global IPv6 Neighbors; link-local neighbor entries are not synced.
• If all of the following conditions are true, MAC addresses may not be synced correctly:
• VLT peers use VLT interconnect (VLTi)
• Sticky MAC is enabled on an orphan port in the primary or secondary peer
• MACs are currently inactive
If this scenario occurs, use the clear mac-address-table sticky all command on the primary or secondary peer to correctly sync the MAC addresses.
• When you enable the VLTi link, the link between the VLT peer switches is established if the following configured information is true on both peer switches:
• the VLT-system MAC address (if configured) matches.
• the VLT unit-id (if configured) is not identical.
NOTE: If the VLT-system MAC address or VLT unit-id is not configured on both VLT peer switches, VLT automatically sets the default VLT-system MAC address and unit-id on each peer.
• Dell Networking does not recommend enabling peer-routing if the CAM is full.
• To enable peer-routing, a minimum of two local DA spaces for wild card functionality are required.
Software features supported on VLT physical ports
• In a VLT domain, the following software features are supported on VLT physical ports: 802.1p, LLDP, IPv6 dynamic routing, flow control, port monitoring, and jumbo frames.
RSTP and VLT VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire layer 2 network, which can cause a network-wide flush of learned MAC and ARP addresses, requiring these addresses to be re-learned. However, enabling RSTP can detect potential loops caused by non-system issues such as cabling errors or incorrect configurations.
VLT and Stacking
You cannot enable stacking on switches configured for VLT operation. If you enable stacking on a Dell Networking switch on which you want to enable VLT, you must first remove the unit from the existing stack. After you remove the unit, you can configure VLT on the switch.
VLT IPv6
The following features have been enhanced to support VLT on IPv6:
• VLT Sync — Entries learned on the VLT interface are synced on both VLT peers.
Figure 155. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss. If you did not enable VLT Multicast Routing, traffic loss occurs until the other VLT peer is selected as the DR. VLT Routing VLT unicast and multicast routing is supported on the switch. Layer 2 protocols from the ToR to the server are intra-rack and inter-rack.
value: Specify a value (in seconds) from 1 to 65535. VLT Multicast Routing VLT Multicast Routing provides resiliency to multicast routed traffic during the multicast routing protocol convergence period after a VLT link or VLT peer fails using the least intrusive method (PIM) and does not alter current protocol behavior. Unlike VLT Unicast Routing, a normal multicast routing protocol does not exchange multicast routes between VLT peers.
Non-VLT ARP Sync Synchronization for non-ARP routing table entries is supported on the switch. ARP entries (including ND entries) learned on other ports are synced with the VLT peer to support station move scenarios. NOTE: ARP entries learned on non-VLT, non-spanned VLANs are not synced with VLT peers. RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 1)
Dell_VLTpeer1(conf)#protocol spanning-tree rstp
Dell_VLTpeer1(conf-rstp)#no disable
Dell_VLTpeer1(conf-rstp)#bridge-priority 4096
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2)
Dell_VLTpeer2(conf)#protocol spanning-tree rstp
Dell_VLTpeer2(conf-rstp)#no disable
Dell_VLTpeer2(conf-rstp)#bridge-priority 0
Configuring VLT
VLT requires that you enable the feature and then configure the same VLT domain, backup link, and V
no shutdown 5. Repeat Steps 1 to 4 on the VLT peer switch to configure the VLT interconnect. Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain: 1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain.
3. Ensure that the interface is active.
MANAGEMENT INTERFACE mode
no shutdown
4. Configure a VLT backup link using the back-up destination command.
VLT domain mode
back-up destination {ip address ipv4-address/mask | ipv6 address ipv6-address/mask}
Dell(conf-vlt-domain)#back-up destination ?
A.B.C.D    IP address for VLT backup link
ipv6       Configure IPv6 address for VLT backup link
IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) of the VLT peer's management interface.
5.
Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands. On a VLT peer switch: To connect to an attached device, configure the same port channel ID number on each peer switch in the VLT domain. 1. Configure the same port channel to be used to connect to an attached device and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number 2. Remove an IP address from the interface.
peer-link port-channel id-number peer-down-vlan vlan interface-number The range is from 1 to 4094. Configuring Enhanced VLT (eVLT) (Optional) To configure enhanced VLT (eVLT) between two VLT domains on your network, use the following procedure. For a sample configuration, refer to eVLT Configuration Example. To set up the VLT domain, use the following commands. 1. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode.
interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command in the Enabling VLT and Creating a VLT Domain. 9. Place the interface in Layer 2 mode. INTERFACE PORT-CHANNEL mode switchport 10. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number Valid port-channel ID numbers are from 1 to 128. 11.
show interfaces interface 8. Configure the VLT links between VLT peer 1 and VLT peer 2 to the top of rack unit (shown in the following example). 9. Configure the static LAG/LACP between ports connected from VLT peer 1 and VLT peer 2 to the top of rack unit. EXEC Privilege mode show running-config entity 10. Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. EXEC mode or EXEC Privilege mode show interfaces interface 11. In the top of rack unit, configure LACP in the physical ports.
Configure the VLT links between VLT peer 1 and VLT peer 2 to the Top of Rack unit. In the following example, port Te 0/40 in VLT peer 1 is connected to Te 0/48 of TOR and port Te 0/18 in VLT peer 2 is connected to Te 0/50 of TOR. 1. Configure the static LAG/LACP between the ports connected from VLT peer 1 and VLT peer 2 to the Top of Rack unit. 2. Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. 3.
Role: Primary
Role Priority: 32768
ICL Link Status: Up
HeartBeat Status: Up
VLT Peer Status: Up
Local System MAC address: 00:01:e8:8c:4d:08
Remote System MAC address: 00:01:e8:8c:4d:1c
Dell-2#show vlt detail
Local LAG Id  Peer LAG Id  Local Status  Active VLANs
------------  -----------  ------------  ------------
2             2            Up            1000-1199
Verify that the VLT LAG is up in both VLT peer units.
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.11
Domain_1_Peer1(conf-vlt-domain)# system-mac mac-address 00:0a:00:0a:00:0a
Domain_1_Peer1(conf-vlt-domain)# unit-id 0
Configure eVLT on Peer 1.
Domain_2_Peer3(conf-if-range-te-0/16-17)# port-channel 100 mode active
Domain_2_Peer3(conf-if-range-te-0/16-17)# no shutdown
Next, configure the VLT domain and VLTi on Peer 4.
Domain_2_Peer4#configure
Domain_2_Peer4(conf)#interface port-channel 1
Domain_2_Peer4(conf-if-po-1)# channel-member TenGigabitEthernet 0/8-9
Domain_1_Peer4#no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
VLT_Peer2(conf-if-vl-4001)#ip igmp snooping mrouter interface port-channel 128
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration
To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation.
EXEC mode
show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
VLT Backup Link
----------------
Destination: 10.11.200.20
Peer HeartBeat status: Up
HeartBeat Timer Interval: 1
HeartBeat Timeout: 3
UDP Port: 34998
HeartBeat Messages Sent: 1030
HeartBeat Messages Received: 1014
The following example shows the show vlt brief command.
Local System MAC address: 00:01:e8:8a:df:bc
Local System Role Priority: 32768
Dell_VLTpeer2# show vlt role
VLT Role
----------
VLT Role: Secondary
System MAC address: 00:01:e8:8a:df:bc
System Role Priority: 32768
Local System MAC address: 00:01:e8:8a:df:e6
Local System Role Priority: 32768
The following example shows the show running-config vlt command.
Dell_VLTpeer1# show running-config vlt
!
vlt domain 30
peer-link port-channel 60
back-up destination 10.11.200.
Dell_VLTpeer2# show spanning-tree rstp brief
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 0, Address 0001.e88a.dff8
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 0, Address 0001.e88a.dff8
We are the root
Configured hello time 2, max age 20, forward delay 15
Interface                                   Designated
Name       PortID  Prio  Cost    Sts  Cost  Bridge ID         PortID
---------- ------- ----- ------- ---- ----- ----------------- ------
Po 1       128.2   128   200000  DIS  0     0 0001.e88a.dff8  128.2
Po 3       128.
G - GVRP tagged, M - Vlan-stack, H - Hyperpull tagged
NUM  Status  Description  Q  Ports
10   Active               U  Po110(Fo 0/52)
                          T  Po100(Fo 0/56,60)
Configuring Virtual Link Trunking (VLT Peer 2)
Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi).
Dell_VLTpeer2(conf)#vlt domain 999
Dell_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
Dell_VLTpeer2(conf-vlt-domain)#exit
Configure the backup link.
Troubleshooting VLT To help troubleshoot different VLT issues that may occur, use the following information. NOTE: For information on VLT Failure mode timing and its impact, contact your Dell EMC Networking representative. Table 137. Troubleshooting VLT Description Behavior at Peer Up Behavior During Run Time Action to Take Bandwidth monitoring A syslog error message and an SNMP trap is generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
Description Behavior at Peer Up Behavior During Run Time A syslog error message is generated. A syslog error message is generated. Action to Take Reconfiguring Stacked Switches as VLT To convert switches that have been stacked to VLT peers, use the following procedure. 1. Remove the current configuration from the switches. You will need to split the configuration up for each switch. 2. Copy the files to the flash memory of the appropriate switch. 3.
Association of VLTi as a Member of a PVLAN If a VLAN is configured as a non-VLT VLAN on both the peers, the VLTi link is made a member of that VLAN if the VLTi link is configured as a PVLAN or normal VLAN on both the peers. If a PVLAN is configured as a VLT VLAN on one peer and a non-VLT VLAN on another peer, the VLTi is added as a member of that VLAN by verifying the PVLAN parity on both the peers.
Under such conditions, the IP stack performs the following operations: • • The ARP reply is sent with the MAC address of the primary VLAN. The ARP request packet originates on the primary VLAN for the intended destination IP address. The ARP request received on ICLs are not proxied, even if they are received with a secondary VLAN tag. This behavior change occurs because the node from which the ARP request was forwarded would have replied with its MAC address, and the current node discards the ARP request.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Isolated) Secondary (Isolated) No No - Primary VLAN X - Primary VLAN Y No No Secondary (Community) Secondary (Community) No No - Primary VLAN Y - Primary VLAN X No No Access Access Promiscuous Access Primary Secondary No No Trunk Access Primary/Normal Secondary No No Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes
peer-link port-channel id-number The range is from 1 to 128. 8. (Optional) To configure a VLT LAG, enter the VLAN ID number of the VLAN where the VLT forwards packets received on the VLTi from an adjacent peer that is down. VLT DOMAIN CONFIGURATION mode peer-link port-channel id-number peer-down-vlan vlan interface number The range is from 1 to 4094. Associating the VLT LAG or VLT VLAN in a PVLAN 1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only nondefault information is displayed in the show config command output. ARP proxy operation is performed on the VLT peer node IP address when the peer VLT node is down. The ARP proxy stops working either when the peer routing timer expires or when the peer VLT node goes up. Layer 3 VLT provides a higher resiliency at the Layer 3 forwarding level.
To enable an explicit multicast routing table synchronization method for VLT nodes, you can configure VLT nodes as RPs. Multicast routing needs to identify the incoming interface for each route. The PIM running on both VLT peers enables both the peers to obtain traffic from the same incoming interface. You can configure a VLT node to be an RP through the ip pim rp-address command in Global Configuration mode.
unit-id 0
Dell#
Configure VLT LAG as VLAN-Stack Access or Trunk Port
Dell(conf)#interface port-channel 10
Dell(conf-if-po-10)#switchport
Dell(conf-if-po-10)#vlt-peer-lag port-channel 10
Dell(conf-if-po-10)#vlan-stack access
Dell(conf-if-po-10)#no shutdown
Dell#show running-config interface port-channel 10
!
interface Port-channel 10
no ip address
switchport
vlan-stack access
vlt-peer-lag port-channel 10
no shutdown
Dell#
Dell(conf)#interface port-channel 20
Dell(conf-if-po-20)#switchport
Dell(conf-if-po-20)
ToR
1. Enable BFD globally.
TOR(conf)# bfd enable
2. Configure a VLT peer LAG.
3. Configure the port channel for the VLT interconnect on a ToR.
TOR(conf)# interface port-channel 10
TOR(conf-if-po-111)# no ip address
TOR(conf-if-po-111)# switchport
TOR(conf-if-po-111)# no shutdown
4. Configure a VLAN.
TOR(conf)#interface vlan 100
TOR(conf-if-vl-100)#ip address 100.1.1.
4. Configure a VLT peer LAG.
VLT_Primary(conf)#interface port-channel 10
VLT_Primary(conf-if-po-10)#no ip address
VLT_Primary(conf-if-po-10)#switchport
VLT_Primary(conf-if-po-10)#vlt-peer-lag port-channel 10
VLT_Primary(conf-if-po-10)#no shutdown
5. Configure a VLAN.
VLT_Primary(conf)#interface vlan 100
VLT_Primary(conf-if-vl-100)#ip address 100.1.1.1/24
VLT_Primary(conf-if-vl-100)#tagged port-channel 10
VLT_Primary(conf-if-vl-100)#no shutdown
VLT_Primary(conf-if-vl-100)#exit
6. Enable BFD over OSPF.
• To verify that the VLTi (ICL) link is up on the VLT primary peer, use the show vlt brief command.
65 Virtual Router Redundancy Protocol (VRRP)

VRRP Overview
VRRP is designed to eliminate a single point of failure in a statically routed network. Authentication is not supported on VRRPv3. VRRP is supported on “all types” of interfaces, including physical, VLAN, port-channel, and port extender interfaces. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 157. Basic VRRP Configuration

VRRP Benefits
With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and do not depend on interior gateway protocols (IGPs) converging or updating routing tables.

VRRP Implementation
Within a single VRRP group, up to 12 virtual IP addresses are supported.
Total VRRP Groups | Recommended Advertise Interval | Groups/Interface
Between 250 and 450 | 2–3 seconds | 24
Between 450 and 600 | 3–4 seconds | 36
Between 600 and 800 | 4 seconds | 48
Between 800 and 1000 | 5 seconds | 84
Between 1000 and 1200 | 7 seconds | 100
Between 1200 and 1500 | 8 seconds | 120

VRRP Configuration
By default, VRRP is not configured.

Configuration Task List
The following list specifies the configuration tasks for VRRP.
The following example shows verifying a VRRP configuration.
Dell(conf-if-te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
• If you configure multiple VRRP groups on an interface, only one of the VRRP groups can contain the interface primary or secondary IP address.

Configuring a Virtual IP Address
To configure a virtual IP address, use the following commands.
1. Configure a VRRP group.
INTERFACE mode
vrrp-group vrrp-id
The VRID range is from 1 to 255.
2. Configure virtual IP addresses for this VRID.
INTERFACE-VRID mode
virtual-address ip-address1 [...ip-address12]
The range is up to 12 addresses.
Setting VRRP Group (Virtual Router) Priority
Setting a virtual router priority to 255 ensures that the router is the “owner” virtual router for the VRRP group. VRRP elects the MASTER router by choosing the router with the highest priority. The default priority for a virtual router is 100; the higher the number, the higher the priority. If the MASTER router fails, VRRP begins the election process to choose a new MASTER router based on the next-highest priority.
The bold section shows the encryption type (encrypted) and the password.
Dell(conf-if-te-1/1/1-vrid-111)#authentication-type ?
Dell(conf-if-te-1/1/1-vrid-111)#authentication-type simple 7 force10
The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password.
Dell(conf-if-te-1/1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.
If you are using VRRP version 2, you must configure the timer values in multiples of whole seconds. For example, timer values of 3 seconds and 300 centiseconds are both valid and equivalent, but a value of 50 centiseconds is invalid because it is not a multiple of 1 second. If you are using VRRP version 3, you must configure the timer values in multiples of 25 centiseconds.
This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
• Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP.
INTERFACE mode
vrrp delay reload seconds
This time is the gap between system boot-up completion and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
• show vrrp
(Optional) Display the configuration of tracked objects in VRRP groups on a specified interface.
EXEC mode or EXEC Privilege mode
show running-config interface interface
Dell(conf-if-te-1/1/1)#vrrp-group 111
Dell(conf-if-te-1/1/1-vrid-111)#track Tengigabitethernet 1/2/1
The following example shows how to verify tracking using the show conf command.
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 1.1.1.100
Authentication: (none)
Dell#
Tracking states for 2 resource Ids:
 2 - Up IPv6 route, 2040::/64, priority-cost 20, 00:02:11
 3 - Up IPv6 route, 2050::/64, priority-cost 30, 00:02:11
The following example shows verifying the VRRP configuration on an interface.
Figure 158. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6
The following example shows configuring VRRP for IPv4 on Router 2.
Figure 159. VRRP for an IPv6 Configuration
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with MASTER status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.
The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link-local (fe80) address for each VRRPv3 group created for an interface.
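The election rules in this chapter (highest priority wins, 255 marks the owner, tracked objects subtract their priority-cost, an incumbent MASTER keeps its role on an equal-priority tie as the NOTE above states) and the VRRPv2/VRRPv3 timer granularity, worked through as an added Python example. This is not Dell Networking OS code; the router names, addresses and track states are constructed sample data, and the floor of 1 on the effective priority is an assumption of the example.

```python
"""VRRP MASTER election with tracked-object priority costs and per-version
timer validation.  Added illustration, not Dell Networking OS code; all
router records, addresses and track states are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address

OWNER_PRIORITY = 255      # priority 255 marks the address owner
DEFAULT_PRIORITY = 100    # default virtual router priority


def validate_timer(version, value, unit):
    """Return a VRRP timer in centiseconds, or raise ValueError if it is illegal.

    VRRPv2 timers must be multiples of whole seconds (100 centiseconds);
    VRRPv3 timers must be multiples of 25 centiseconds.
    """
    if version not in (2, 3):
        raise ValueError(f"unsupported VRRP version {version}")
    if unit == "sec":
        centisecs = value * 100
    elif unit == "centisec":
        centisecs = value
    else:
        raise ValueError(f"unknown unit {unit!r}")
    step = 100 if version == 2 else 25
    if centisecs <= 0 or centisecs % step:
        raise ValueError(
            f"{value} {unit} is not a multiple of {step} centiseconds (VRRPv{version})")
    return centisecs


def timer_is_valid(version, value, unit):
    """Boolean wrapper around validate_timer for quick checks."""
    try:
        validate_timer(version, value, unit)
        return True
    except ValueError:
        return False


@dataclass
class Router:
    name: str
    address: str                      # interface address, used as the tie-breaker
    priority: int = DEFAULT_PRIORITY
    tracks: dict = field(default_factory=dict)   # tracked object id -> priority-cost
    is_master: bool = False           # role held before this election runs

    def effective_priority(self, down_tracks):
        """Configured priority minus the priority-cost of every tracked object
        that is down.  Clamped at 1 here (an assumption of this example)."""
        cost = sum(c for obj, c in self.tracks.items() if obj in down_tracks)
        return max(1, self.priority - cost)


def elect_master(routers, down_tracks=frozenset()):
    """Return the name of the router that becomes MASTER.

    Highest effective priority wins.  On a tie, a router already holding
    MASTER keeps it regardless of address; only when no master exists does
    the higher interface address decide.
    """
    def rank(r):
        return (r.effective_priority(down_tracks), r.is_master, int(ip_address(r.address)))
    return max(routers, key=rank).name


def demo():
    """Run the cases the chapter describes and return the elected MASTER of each."""
    r1 = Router("R1", "10.10.10.1", priority=120, tracks={2: 20, 3: 30})
    r2 = Router("R2", "10.10.10.2")
    r3 = Router("R3", "10.10.10.3")
    owner = Router("R4", "10.10.10.4", priority=OWNER_PRIORITY)
    results = {}
    results["all_tracks_up"] = elect_master([r1, r2, r3])           # R1: 120 beats 100
    results["tracks_2_3_down"] = elect_master([r1, r2, r3], {2, 3})  # R1 falls to 70; R3 wins the tie on address
    r2.is_master = True
    results["master_keeps_role"] = elect_master([r2, r3])           # equal priority: incumbent R2 stays MASTER
    r2.is_master = False
    results["owner_wins"] = elect_master([r1, r2, r3, owner])       # priority 255 owner wins outright
    return results


if __name__ == "__main__":
    for case, master in demo().items():
        print(f"{case}: {master}")
    print("v2 300 centisec valid:", timer_is_valid(2, 300, "centisec"))
    print("v2 50 centisec valid:", timer_is_valid(2, 50, "centisec"))
```

The tie-break order in rank() is what makes the NOTE hold: the is_master flag sorts ahead of the interface address, so a router that joins with the same priority and a higher address does not displace the running MASTER.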
VRRP in a VRF: Non-VLAN Scenario
The following example shows how to enable VRRP in a non-VLAN scenario. It is a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route whose next hop is the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf-if-te-2/1-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-2/1)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 2/2
S1(conf-if-te-2/2)#ip vrf forwarding VRF-2
S1(conf-if-te-2/2)#ip address 10.10.1.6/24
S1(conf-if-te-2/2)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 2 will be 178.
S1(conf-if-te-12/2-vrid-101)#priority 100
S1(conf-if-te-12/2-vrid-101)#virtual-address 10.10.1.
VRRP in VRF: Switch-1 VLAN Configuration
S1(conf)#ip vrf VRF-1 1
!
S1(conf)#ip vrf VRF-2 2
!
S1(conf)#ip vrf VRF-3 3
!
S1(conf)#interface TenGigabitEthernet 2/4
S1(conf-if-te-2/4)#no ip address
S1(conf-if-te-2/4)#switchport
S1(conf-if-te-2/4)#no shutdown
!
S1(conf-if-te-2/4)#interface vlan 100
S1(conf-if-vl-100)#ip vrf forwarding VRF-1
S1(conf-if-vl-100)#ip address 10.10.1.
S2(conf-if-vl-200-vrid-101)#priority 255
S2(conf-if-vl-200-vrid-101)#virtual-address 10.10.1.2
S2(conf-if-vl-200)#no shutdown
!
S2(conf-if-te-2/4)#interface vlan 300
S2(conf-if-vl-300)#ip vrf forwarding VRF-3
S2(conf-if-vl-300)#ip address 20.1.1.6/24
S2(conf-if-vl-300)#tagged tengigabitethernet 2/4
S2(conf-if-vl-300)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S2(conf-if-vl-300-vrid-101)#priority 100
S2(conf-if-vl-300-vrid-101)#virtual-address 20.1.1.
• Server racks, Rack 1 and Rack 2, are part of data centers DC1 and DC2, respectively.
• Rack 1 is connected to devices A1 and B1 in a Layer 2 network segment.
• Rack 2 is connected to devices A2 and B2 in a Layer 2 network segment.
• A VLT link aggregation group (LAG) is present between A1 and B1 as well as A2 and B2.
• A1 and B1 are connected to core routers, C1 and D1, with VLT routing enabled.
• A2 and B2 are connected to core routers, C2 and D2, with VLT routing enabled.
interface port-channel 128
 channel member ten 1/1/1
 channel member ten 1/1/2
 no shutdown
int ten 1/5/1
 port-channel-protocol lacp
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.1/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.2/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0

Sample configuration of C2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
 no shutdown
router ospf 10
 network 100.1.1.0/24 area 0

Sample configuration of D2:
vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
66 Standards Compliance
This chapter describes standards compliance for Dell Networking products.
NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance
The C9000 series supports the following standards. The standards are grouped by related protocol.

General Internet Protocols
The following table lists the Dell Networking OS support on the C9000 Series for the general internet protocols.
Table 140.
RFC#  Full Name
5396  Textual Representation of Autonomous System (AS) Numbers
draft-ietf-idr-bgp4-20  A Border Gateway Protocol 4 (BGP-4)
draft-ietf-idr-restart-06  Graceful Restart Mechanism for BGP

General IPv4 Protocols
The following table lists the Dell Networking OS support on the C9000 Series for general IPv4 protocols.
Table 142.
RFC#  Full Name
4291  Internet Protocol Version 6 (IPv6) Addressing Architecture
4443  Internet Control Message Protocol (ICMPv6) for the IPv6 Specification
4861  Neighbor Discovery for IPv6
4862  IPv6 Stateless Address Autoconfiguration
5175  IPv6 Router Advertisement Flags Option

Intermediate System to Intermediate System (IS-IS)
The following table lists the Dell Networking OS support on the C9000 Series for the IS-IS protocol.
Table 144.
RFC#  Full Name
2012  SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2
2013  SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2
2024  Definitions of Managed Objects for Data Link Switching using SMIv2
2096  IP Forwarding Table MIB
2558  Definitions of Managed Objects for the Synchronous Optical Network/Synchronous Digital Hierarchy (SONET/SDH) Interface Type
2570  Introduction and Applicability Statements for Internet Standard Management
RFC#  Full Name
draft-grant-tacacs-02  The TACACS+ Protocol
draft-ietf-idr-bgp4-mib-06  Definitions of Managed Objects for the Fourth Version of the Border Gateway Protocol (BGP-4) using SMIv2
draft-ietf-isis-wg-mib-16  Management Information Base for Intermediate System to Intermediate System (IS-IS): isisSysObject (top level scalar objects), isisISAdjTable, isisISAdjAreaAddrTable, isisISAdjIPAddrTable, isisISAdjProtSuppTable
draft-ietf-netmod-interfaces-cfg-03  Defines a YANG data model for the configurati
RFC#  Full Name
FORCE10-TC-MIB  Force10 Textual Convention
FORCE10-TRAPALARM-MIB  Force10 Trap Alarm MIB

Multicast
The following table lists the Dell Networking OS support per platform for Multicast protocols.
Table 146. Multicast
RFC#  Full Name  S-Series  C-Series  E-Series TeraScale  E-Series ExaScale
1112  Host Extensions for IP Multicasting  7.8.1  7.7.1  √  8.1.1
2236  Internet Group Management Protocol, Version 2  7.8.1  7.7.1  √  8.1.1
2710  Multicast Listener Discovery (MLD) for IPv6  √  8.2.
RFC#  Full Name
2328  OSPF Version 2
2370  The OSPF Opaque LSA Option
2740  OSPF for IPv6
3623  Graceful OSPF Restart
4222  Prioritized Treatment of Specific OSPF Version 2 Packets and Congestion Avoidance

Routing Information Protocol (RIP)
The following table lists the Dell Networking OS support on the C9000 Series for the RIP protocol.
Table 148.
67 X.509v3
Dell Networking OS supports X.509v3 standards.
Topics:
• Introduction to X.509v3 certification
• X.509v3 support in Dell Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online certificate status protocol (OCSP)
• Verifying certificates
• Event logging

Introduction to X.509v3 certification
X.
Advantages of X.509v3 certificates
Public-key authentication is preferred over password-based authentication, although the two can be used together. Public-key authentication provides the following advantages over password-based authentication:
• Public-key authentication avoids the human problems of low-entropy password selection and provides more resistance to brute-force attacks than password-based authentication.
The other hosts on the network, such as the SUT switch, syslog server, and OCSP server, generate private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download. Dell Networking OS generates a CSR using the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP…) also download and install the CA certificates from the Root and Intermediate CAs.
Installing CA certificate
To install a CA certificate, perform the following step:
Enter the following command in the global configuration mode:
crypto ca-cert install {path}

Information about Creating Certificate Signing Requests (CSR)
A Certificate Signing Request (CSR) enables a device to obtain an X.509v3 certificate from a CA. To obtain an X.509v3 certificate, the device first requests one from a CA through a CSR.
• Email address
• Validity Length
• Alternate Name
NOTE: The command contains multiple options; the Common Name is a required field, and unspecified fields are left blank.

Information about installing trusted certificates
Dell Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS.
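The CSR fields listed above (a mandatory Common Name plus optional e-mail and alternate names), generated and then inspected off-box, as an added Python example using the cryptography library. It is not the implementation of the crypto cert generate request command; the hostname, organisation and e-mail values are constructed. A CSR carries no validity period, which the signing CA sets, so that option has no counterpart here.

```python
"""Generate a private key and a Certificate Signing Request, then inspect the
request the way a CA operator would before signing it.  Added example built
on the `cryptography` library, not Dell Networking OS code; the hostname,
organisation and e-mail values are constructed."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def build_csr(common_name, alt_names=(), email=None, org=None, key_size=2048):
    """Return (private_key, csr).  Common Name is mandatory; the other subject
    fields and the Subject Alternative Name extension are optional."""
    if not common_name:
        raise ValueError("Common Name is required")
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if org:
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, org))
    if email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs))
    if alt_names:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in alt_names]),
            critical=False,
        )
    csr = builder.sign(key, hashes.SHA256())   # self-signature proves possession of the key
    return key, csr


def csr_to_pem(csr):
    """Serialize the request as PEM, the form uploaded to or fetched by the CA."""
    return csr.public_bytes(serialization.Encoding.PEM)


def inspect_csr(pem):
    """Parse a PEM CSR and return the fields worth checking before signing."""
    csr = x509.load_pem_x509_csr(pem)
    info = {
        "signature_valid": csr.is_signature_valid,   # the requester holds the private key
        "common_name": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "key_bits": csr.public_key().key_size,
        "alt_names": [],
    }
    try:
        san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        info["alt_names"] = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    return info


def csr_matches_host(info, hostname, min_key_bits=2048):
    """Accept only a request whose signature verifies, whose key is large
    enough, and whose CN or SAN names the host it is meant for."""
    if not info["signature_valid"] or info["key_bits"] < min_key_bits:
        return False
    return info["common_name"] == hostname or hostname in info["alt_names"]


def demo():
    """Build a request for a constructed switch hostname and inspect it."""
    _key, csr = build_csr(
        "sut-switch.example.net",
        alt_names=["sut-switch.example.net", "sut-switch"],
        email="noc@example.net",
        org="Example Corp",
    )
    return inspect_csr(csr_to_pem(csr))


if __name__ == "__main__":
    print(demo())
```

inspect_csr() is the check a CA operator runs on the uploaded request: the self-signature must verify, the key must meet the size floor, and the names in the request must belong to the device that will present the resulting certificate.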
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DH_RSA_WITH_AES_256_CBC_SHA
TLS_DH_RSA_WITH_AES_128_CBC_SHA
TLS compression is disabled by default. TLS session resumption is also supported, to reduce the processor and traffic overhead of public key cryptographic operations and handshake traffic. The maximum time allowed for a TLS session to resume without repeating the TLS authentication or handshake process is configurable, with a default of 1 hour. You can also disable session resumption.
Configuring revocation behavior
You can configure the system behavior for the case in which an OCSP responder fails. By default, when all the OCSP responders fail to send a response to an OCSP request, the system accepts the certificate and logs the event. However, you can configure the system to reject the certificate when the OCSP responders fail.
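The revocation decision described above (accept and log when every responder fails, or reject when so configured), as an added Python example of the policy rather than Dell Networking OS code. Responder names and their sample answers are constructed; treating an "unknown" answer as a failed lookup is an assumption of the example, not something the guide states.

```python
"""Revocation decision when OCSP responders are queried: fail-open (accept
and log) by default, fail-closed when the operator configures rejection.
Added example of the behaviour described in the guide, not Dell Networking
OS code; responder names and answers are constructed."""
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("ocsp-policy")


@dataclass
class OcspAnswer:
    responder: str
    status: Optional[str]   # "good", "revoked", "unknown"; None = no response received


def check_revocation(answers, reject_on_failure=False):
    """Return (decision, reason) for one certificate.

    A "revoked" answer from any responder rejects; otherwise a "good" answer
    from any responder accepts.  Only when no responder gave a usable answer
    does the configured failure policy decide, and that event is logged either
    way.  "unknown" counts as no usable answer (assumption of this example).
    """
    if not answers:
        raise ValueError("no OCSP responders configured")
    for a in answers:
        if a.status == "revoked":
            return "reject", f"{a.responder} reports the certificate revoked"
    for a in answers:
        if a.status == "good":
            return "accept", f"{a.responder} reports the certificate good"
    failed = ", ".join(a.responder for a in answers)
    if reject_on_failure:
        log.warning("all OCSP responders failed (%s); rejecting certificate", failed)
        return "reject", "all OCSP responders failed; configured to reject"
    log.warning("all OCSP responders failed (%s); accepting certificate by default", failed)
    return "accept", "all OCSP responders failed; accepted by default policy"


def demo():
    """Run the situations an operator should reason about and return each decision."""
    dead = [OcspAnswer("ocsp1.example.net", None), OcspAnswer("ocsp2.example.net", None)]
    partial = [OcspAnswer("ocsp1.example.net", None), OcspAnswer("ocsp2.example.net", "good")]
    revoked = [OcspAnswer("ocsp1.example.net", "revoked"), OcspAnswer("ocsp2.example.net", "good")]
    return {
        "all_fail_default": check_revocation(dead)[0],
        "all_fail_reject": check_revocation(dead, reject_on_failure=True)[0],
        "one_fail_one_good": check_revocation(partial)[0],
        "any_revoked": check_revocation(revoked)[0],
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The ordering in check_revocation() is deliberate: a definitive "revoked" from one responder overrides a "good" from another, so a single stale responder cannot bring a revoked certificate back into use, and the fail-open default only applies when nothing usable was returned at all.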