Dell EMC Networking N-Series N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Switches User’s Configuration Guide Version 6.5.1.x - N2000/N2100-ON/N3000/N3100-ON/ N4000 Series Switches Version 6.4.x.
Notes and Cautions
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates potential damage to hardware or loss of data if instructions are not followed.
Information in this publication is subject to change without notice. Copyright © 2018 Dell EMC Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
1 Introduction
The switches in the N-Series are stackable layer-2 and layer-3 switches. These switches include the following features:
• 1U form factor, rack-mountable chassis design.
• Support for all data-communication requirements for a multi-layer switch, including layer-2 switching, IPv4 routing, IPv6 routing, IP multicast, quality of service, security, and system management features.
• High availability with automatic failover and checkpointing of dynamic state.
syntax for any particular command. The parameter ranges listed in the examples or text may vary from the allowed range on any particular switch due to product limitations. Refer to the Feature Limits and Platform Constants section located in the Appendix of this document for range limits relevant to a particular switch model.
Audience
This guide is for network administrators in charge of managing one or more Dell EMC Networking N-Series switches.
Additional Documentation
The following documents for the Dell EMC Networking N-Series switches are available at www.dell.com/support:
• Getting Started Guide—provides information about the switch models in the series, including front and back panel features. It also describes the installation and initial configuration procedures.
• CLI Reference Guide—provides information about the command-line interface (CLI) commands used to configure and manage the switch.
2 Switch Feature Overview
This section describes the switch user-configurable software features.
NOTE: Before proceeding, read the release notes for this product. The release notes are part of the firmware download.
System Management Features
Multiple Management Options
Any of the following methods can be used to manage the switch:
• Use a web browser to access the Dell EMC OpenManage Switch Administrator interface. The switch contains an embedded Web server that serves HTML pages. Dell EMC Networking N-Series switches support HTTP and HTTPS over IPv4 or IPv6.
• Use a Telnet client, SSH client, or a direct console connection to access the CLI.
For information about configuring system time settings, see "Managing General System Settings" on page 431.
Log Messages
The switch maintains in-memory log messages as well as persistent logs. Remote logging can be configured so that the switch sends log messages to a remote syslog server. The switch can also be configured to email log messages to a configured SMTP server. This allows the administrator to receive the log message in a specified e-mail account.
If the switch detects an IP address conflict on the management interface, it generates a trap and sends a log message. For information about configuring basic network information, see "Setting the IP Address and Other Basic Network Information" on page 203.
IPv6 Management Features
Dell EMC Networking N-Series switches provide IPv6 support for many standard management features including HTTP, HTTPS/SSL, Telnet, SSH, syslog, SNTP, TFTP, and traceroute on both the in-band and out-of-band management ports.
Switch Database Management Templates
Switch Database Management (SDM) templates enable reallocating system resources to support a different mix of features based on network requirements. Dell EMC Networking N-Series switches support the following three templates:
• Dual IPv4 and IPv6 (default)
• IPv4 Routing
• IPv4 Data Center
For information about setting the SDM template, see "Managing General System Settings" on page 431.
NOTE: Automatic migration of the startup configuration to the next version of firmware from the current and previous versions of firmware is supported; the syntax is automatically updated when it is read into the running-config. Check the release notes to determine if any parts of the configuration cannot be migrated. Save the running-config to maintain the updated syntax. Migration of configuration is not assured on a firmware downgrade.
CDP Interoperability Through ISDP
Industry Standard Discovery Protocol (ISDP) allows the Dell EMC Networking N-Series switch to interoperate with Cisco devices running the Cisco Discovery Protocol (CDP). ISDP is a proprietary layer-2 network protocol which interoperates with Cisco network equipment and is used to share information between neighboring devices (routers, bridges, access servers, and switches). For information about configuring ISDP settings, see "Discovering Network Devices" on page 883.
!System Software Version 6.5.1.2
!This firmware supports a stack of up to twelve switches.
!MVRP/MMRP capabilities and up to 4093 VLANs may be configured.
When migrating between the two types of images, certain commands in the startup-config may fail to execute because the relevant feature is not available. The switch firmware will identify any failed commands. It is necessary to edit the startup-config if errors are displayed and remove any failed commands.
To upgrade an AdvLite mixed stack to an Adv mono-culture stack using the .stk firmware, power off the stack, re-cable the stack with the legacy N3000 switches removed from the stack (N3000EP-ON and N3132PX-ON switches can operate with the Adv firmware), and power on the stack starting with the desired stack master unit. Once the stack is fully powered, use the clear config command to remove the configuration of the units that are no longer participating in the stack.
Stacking Features
For information about creating and maintaining a stack of switches, see "Stacking" on page 231.
Mixed and Single Series Stacking
The Dell EMC Networking N2000, N2100-ON, N3000, and N3100-ON Series switches include a stacking feature that allows multiple switches of the same or different series to operate as a single unit.
Dell EMC Networking N3100-ON Series switches may also stack with the Dell EMC Networking N3048EP-ON switches in a stack of up to 12 units. The image name is N3000N3100Advv6.5.1.X.itb. Any unit may be the stack master. N3024/N3024P/N3034F/N3048/N3048P units will be recognized if stacked with this image. However, the front panel interfaces will remain detached and inoperable. Dell EMC Networking N3100-ON and N3000 switch series firmware is also available without mixed stacking capabilities.
Nonstop Forwarding on the Stack The Nonstop Forwarding (NSF) feature allows the forwarding plane of stack units to continue to forward packets while the control and management planes restart as a result of a power failure, hardware failure, or software fault on the stack master and allows the standby switch to quickly take over as the master. Hot Add/Delete and Firmware Synchronization Units can be added to and deleted from the stack without cycling the power on the stack.
Security Features Configurable Access and Authentication Profiles Rules can be configured to limit access to the switch management interface based on criteria such as access type and source IP address of the management host. The user can also be required to be authenticated locally or by an external server, such as a RADIUS server. For information about configuring access and authentication profiles, see "Authentication, Authorization, and Accounting" on page 269.
RADIUS Support The switch has a Remote Authentication Dial In User Service (RADIUS) client and can support up to 32 named authentication and accounting RADIUS servers. The switch also supports RADIUS Attribute 4, which is the configuration of a NAS-IP address. The switch can also be configured to accept RADIUS-assigned VLANs. For information about configuring RADIUS client settings, see "Authentication, Authorization, and Accounting" on page 269.
Port Protection A port may be put into the error-disabled state for any of the following reasons:
• BPDU Storm: By default, if Spanning Tree Protocol (STP) bridge protocol data units (BPDUs) are received at a rate of 15pps or greater for three consecutive seconds on a port, the port will be error-disabled. The threshold is not configurable.
• ICMP storms: Ports on which ICMP storms are detected are error-disabled. The rate limit and burst sizes are configurable separately for IPv4 and IPv6.
• PML: Interfaces on which the port security violation is configured to shut down the interface are error-disabled when a violation occurs.
• Loop Protect: Loop protection diagnostically disables ports on which a loop is detected. A log message may be issued when a port is disabled by Loop Protection.
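The BPDU storm rule above (15 pps or greater for three consecutive seconds) can be applied to a list of BPDU arrival times to see which ports would be error-disabled. This is an added example, not Dell EMC code: the function names and the capture are constructed, and counting in fixed one-second buckets is an assumption about how the rate is measured.

```python
from collections import Counter, defaultdict

BPDU_STORM_PPS = 15   # threshold stated in the guide (not configurable)
STORM_SECONDS = 3     # consecutive seconds at or above the threshold


def ports_tripped(events):
    """events: iterable of (timestamp_seconds, port) for received BPDUs.

    Returns {port: second in which the port would be error-disabled}.
    Assumption: the rate is evaluated per whole-second bucket.
    """
    per_port = defaultdict(Counter)
    for ts, port in events:
        per_port[port][int(ts)] += 1

    tripped = {}
    for port, buckets in per_port.items():
        run, prev = 0, None
        for sec in sorted(buckets):
            if buckets[sec] >= BPDU_STORM_PPS:
                # Extend the run only if the previous stormy second is adjacent;
                # a second with no BPDUs at all is missing from `buckets`.
                run = run + 1 if (run and prev == sec - 1) else 1
            else:
                run = 0
            prev = sec
            if run >= STORM_SECONDS:
                tripped[port] = sec
                break
    return tripped


def constructed_capture():
    """Constructed sample data: four ports with different BPDU patterns."""
    events = []

    def burst(port, second, count):
        # Spread `count` BPDUs evenly inside one second.
        events.extend((second + i / count, port) for i in range(count))

    # Sustained storm: 20 pps for three seconds in a row.
    for s in (100, 101, 102):
        burst("Gi1/0/3", s, 20)
    # Two stormy seconds, a quiet one, two more: never three in a row.
    for s, n in ((100, 20), (101, 20), (102, 5), (103, 20), (104, 20)):
        burst("Gi1/0/4", s, n)
    # Exactly at threshold, but with a silent second in between.
    for s in (200, 201, 203):
        burst("Gi1/0/6", s, 15)
    # Normal spanning tree hello traffic: one BPDU every two seconds.
    for s in range(100, 110, 2):
        burst("Gi1/0/9", s, 1)
    return events


if __name__ == "__main__":
    for port, sec in ports_tripped(constructed_capture()).items():
        print(f"{port}: would be error-disabled in second {sec}")
```

Only the port with three adjacent seconds at or above the threshold is reported; interrupted bursts reset the count.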
supported; however, the switch will transport encrypted packets, such as PEAP or EAP-TLS packets, between the supplicant and authentication server in support of mutual authentication and privacy. For information about configuring IEEE 802.1X settings, see "IEEE 802.1X" on page 321. MAC-Based 802.1X Authentication MAC-based authentication allows multiple supplicants connected to the same port to each authenticate individually.
Access Control Lists (ACLs) Access Control Lists (ACLs) can help to ensure network availability for legitimate users while blocking attempts to access the network by unauthorized users or to restrict legitimate users from accessing the network. ACLs may be used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and above all, provide some level of security for the network.
DHCP Snooping DHCP Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server. It filters harmful DHCP messages and builds a bindings database of (MAC address, IP address, VLAN ID, port) tuples that are specified as authorized. DHCP snooping can be enabled globally and on specific VLANs. Ports within the VLAN can be configured to be trusted or untrusted. DHCP servers must be reached through trusted ports.
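The trusted/untrusted filtering and the (MAC address, IP address, VLAN ID, port) bindings database described above can be modelled as follows. This is an added example, not Dell EMC code: the class and field names are hypothetical, the frames are constructed, and the per-message rules (drop server-originated messages on untrusted ports, check RELEASE/DECLINE against the binding) are the commonly implemented DHCP snooping rules, assumed here rather than taken from this guide.

```python
from dataclasses import dataclass

# Message types that only a DHCP server should originate.
SERVER_TYPES = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class DhcpMessage:
    msg_type: str       # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, DECLINE
    client_mac: str     # client hardware address carried in the message
    vlan: int
    ingress_port: str   # switch port the frame arrived on
    ip: str = ""        # address being assigned or released, if any


class DhcpSnooper:
    """Hypothetical model of a snooping switch, for illustration only."""

    def __init__(self, snooping_vlans, trusted_ports):
        self.vlans = set(snooping_vlans)
        self.trusted = set(trusted_ports)
        self.pending = {}    # (mac, vlan) -> untrusted port the client asked from
        self.bindings = {}   # (mac, vlan) -> Binding

    def process(self, msg):
        """Return (verdict, reason) and update the bindings database."""
        if msg.vlan not in self.vlans:
            return "forward", "snooping not enabled on this VLAN"
        key = (msg.client_mac, msg.vlan)
        trusted = msg.ingress_port in self.trusted

        if msg.msg_type in SERVER_TYPES:
            if not trusted:
                return "drop", "server message received on untrusted port"
            if msg.msg_type == "ACK" and key in self.pending:
                # The lease is confirmed: record where the client really lives.
                self.bindings[key] = Binding(
                    msg.client_mac, msg.ip, msg.vlan, self.pending.pop(key))
            elif msg.msg_type == "NAK":
                self.pending.pop(key, None)
            return "forward", "server message on trusted port"

        if trusted:
            return "forward", "client message on trusted port"
        if msg.msg_type in ("RELEASE", "DECLINE"):
            bound = self.bindings.get(key)
            if bound is None or bound.port != msg.ingress_port:
                return "drop", "RELEASE/DECLINE does not match the binding"
            del self.bindings[key]
            return "forward", "binding removed"
        if msg.msg_type in ("DISCOVER", "REQUEST"):
            self.pending[key] = msg.ingress_port
        return "forward", "client message on untrusted port"


def run_demo():
    """Constructed exchange: one client, one real server, one rogue port."""
    sw = DhcpSnooper(snooping_vlans={10}, trusted_ports={"Te1/0/1"})
    mac = "00:00:5e:00:53:01"
    frames = [
        DhcpMessage("DISCOVER", mac, 10, "Gi1/0/5"),
        DhcpMessage("OFFER", mac, 10, "Gi1/0/7", "198.51.100.66"),  # unauthorized server
        DhcpMessage("OFFER", mac, 10, "Te1/0/1", "192.0.2.50"),
        DhcpMessage("REQUEST", mac, 10, "Gi1/0/5"),
        DhcpMessage("ACK", mac, 10, "Te1/0/1", "192.0.2.50"),
        DhcpMessage("RELEASE", mac, 10, "Gi1/0/7", "192.0.2.50"),   # wrong port
    ]
    verdicts = [sw.process(f)[0] for f in frames]
    return verdicts, list(sw.bindings.values())


if __name__ == "__main__":
    verdicts, bindings = run_demo()
    print(verdicts)
    print(bindings)
```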
Green Technology Features For information about configuring Green Technology features, see "Port Characteristics" on page 637. Energy Detect Mode When the Energy Detect mode is enabled and the port link is down, the PHY automatically goes down for a short period of time and then wakes up periodically to check link pulses. This mode reduces power consumption on the port when no link partner is present. Energy Detect is proprietary and operates independently from EEE.
Power over Ethernet (PoE) Plus Features NOTE: The Dell EMC Networking N1108P-ON/N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON and N3024P/N3048P/N3048EP-ON/N3132PX-ON switches support PoE Plus. The N2128PX-ON/N3024P/N3048P/N3132PX-ON switches support PoE 60W on selected ports. The PoE feature does not apply to the other models in the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series.
Table 2-1. PoE Plus Key Features (Continued)
Feature                 Description
Power Management Modes  Supports three power-management modes:
                        • Static—Reserves a configurable amount of power for a PoE port.
                        • Dynamic—Power is not reserved for the port at any point of time. Power is supplied based upon the detected powered device (PD) signature.
                        • Class-based—Reserves a class-based amount of power for a PoE port.
PoE 60W Support The Dell EMC Networking N3024P/N3048P/N3048EP-ON switches implement 4-pair PoE 60W on the first 12 1G ports. The N3132PX-ON switches implement PoE 60W on the copper 1G and 5G ports. The N2128PX-ON switches implement PoE 60W on the 2.5G ports. The N1108P-ON, N1124P-ON, N1148P-ON, N1524P, N1548P, N2024P, and N2048P switches do not support PoE 60W. PoE 60W allows power to be supplied to Class 5 powered devices that require power up to 60 watts. PoE 60W power must be configured manually.
lower limit is configured by the administrator. Power is not reserved until a PD is connected to the port. The powered device may draw up to the configured limit. LLDP-MED packets requesting power are ignored in static mode. Do not configure the powered device to use LLDP-MED to request power in this mode. Dynamic Power Management In this mode, power is allocated based upon the detected PD class signature.
Power is supplied to the device in class mode per the following table:
Class  Usage     AF Device (Watts)  AT Device (Watts)
0      Default   16.4               33
1      Optional  5                  33
2      Optional  8                  33
3      Optional  16.4               33
4      Optional  16.4               33
In four-pair mode, twice the power listed in the table above is delivered. For information about the available system power, see the Hardware Overview chapter.
If the remaining available power (threshold power - guard band - current power consumption) is less than the computed power draw of the new device, the device is not powered up. By default, the guard band is 32 watts. Regardless of the power management mode, if the device being powered up is a Class 1, 2, or 3 AF device, then the guard band is configured according to the device class.
Table 2-2. PoE Plus Key Features (Dell EMC Networking N1108P-ON/N1124P-ON/ N1148P-ON, N1524P/N1548P, N2024P/N2048P, N2128PX-ON, N3024P/N3048P/N3048EPON, and N3132PX-ON Only) Feature Description Power Management Mode Dynamic Power Detection Mode 802.
Switching Features Flow Control Support (IEEE 802.3x) Flow control enables lower speed switches to communicate with higher speed switches by requesting that the higher speed switch refrain from sending packets for a limited period of time. Transmissions are temporarily halted to prevent buffer overflows. For information about configuring flow control, see "Port-Based Traffic Control" on page 907.
Auto-MDI/MDIX Support The switch supports auto-detection between crossed and straight-through cables. Media-Dependent Interface (MDI) is the standard wiring for end stations, and the standard wiring for hubs and switches is known as Media-Dependent Interface with Crossover (MDIX). Auto-negotiation must be enabled for the switch to detect the wiring configuration. NBASE-T ports (2.5G and 5G) do not support auto-detection. Use the correct crossover or straight-through cable on 2.5/5G NBASE-T interfaces.
Auto-negotiation Auto-negotiation allows the switch to advertise modes of operation. The auto-negotiation function provides the means to exchange information between two switches that share a point-to-point link segment and to automatically configure both switches to take maximum advantage of their transmission capabilities. Dell EMC Networking N-Series switches enhance auto-negotiation by providing configuration of port advertisement.
Dell EMC Networking N-Series switches support RSPAN destinations where traffic can be tunneled across the operational network. Mirrored traffic is flooded in the RSPAN VLAN from the source(s) to the destination(s) across any intermediate switches. This allows the administrator flexibility in connecting destination (probe) ports to the RSPAN. RSPAN does not support configuration of the CPU port as a source. For information about configuring port mirroring, see "Monitoring Switch Traffic" on page 565.
Connectivity Fault Management (IEEE 802.1ag) NOTE: This feature is available on the Dell EMC Networking N4000 Series switches only. The Connectivity Fault Management (CFM) feature, also known as Dot1ag, supports Service Level Operations, Administration, and Management (OAM). CFM is the OAM Protocol provision for end-to-end service layer instance in carrier networks.
Data Center Bridging Exchange (DCBx) Protocol NOTE: This feature is available on the Dell EMC Networking N4000 Series switches only. The Data Center Bridging Exchange Protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers. The protocol is also used to detect misconfiguration of the peer DCB devices and, optionally, for configuration of peer DCB devices. For information about configuring DCBx settings, see "Data Center Bridging Features" on page 1109.
DHCP Layer-2 Relay This feature permits layer-3 relay agent functionality in layer-2 switched networks. The switch supports layer-2 DHCP relay configuration on individual ports, link aggregation groups (LAGs) and VLANs. For information about configuring layer-2 DHCP relay settings see "Layer-2 and Layer-3 Relay Features" on page 1215.
Virtual Local Area Network Supported Features For information about configuring VLAN features see "VLANs" on page 749. VLAN Support VLANs are collections of switching ports that comprise a single broadcast domain. Packets are classified as belonging to a VLAN based on either the VLAN tag or a combination of the ingress port and packet contents. Packets sharing common attributes can be grouped in the same VLAN. The Dell EMC Networking N-Series switches are in full compliance with IEEE 802.1Q VLAN tagging.
Voice VLAN The Voice VLAN feature enables switch ports to carry voice traffic with a configured QoS and to optionally authenticate phones on the network. This allows preferential treatment of voice traffic over data traffic transiting the switch. Voice VLAN is the preferred solution for enterprises wishing to deploy VoIP services in their network. GARP and GVRP Support NOTE: GARP, GVRP, and GMRP are not available when running the AGGREGATION ROUTER image.
The Double VLAN feature (IEEE 802.1QinQ) allows the use of a second tag on network traffic. The additional tag helps differentiate between customers in the Metropolitan Area Networks (MAN) while preserving individual customer’s VLAN identification when they enter their own 802.1Q domain.
Spanning Tree Protocol Features For information about configuring Spanning Tree Protocol features, see "Spanning Tree Protocol" on page 831. Spanning Tree Protocol (STP) Spanning Tree Protocol (IEEE 802.1D) is a standard requirement of layer-2 switches that allows bridges to automatically prevent and resolve layer-2 forwarding loops.
Bridge Protocol Data Unit (BPDU) Guard Spanning Tree BPDU Guard is used to disable the port in case a new device tries to enter the already existing topology of STP. Thus devices, which were originally not a part of STP, are not allowed to influence the STP topology. BPDU Filtering When spanning tree is disabled on a port, the BPDU Filtering feature allows BPDU packets received on that port to be dropped.
Link Aggregation Features For information about configuring link aggregation (port-channel) features, see "Link Aggregation" on page 1037. Link Aggregation Up to eight ports can combine to form a single Link Aggregation Group (LAG). This enables fault tolerance protection from physical link disruption, higher bandwidth connections and improved bandwidth granularity. LAGs are formed from similarly configured physical links; i.e.
of-order frames. Devices unable to buffer the requisite number of frames will show excessive frame discard. Configuring copper and fiber ports together in an aggregation group is not recommended. Link Aggregate Control Protocol (LACP) Link Aggregate Control Protocol (LACP) uses peer exchanges across links to determine, on an ongoing basis, the aggregation capability of various links, and continuously provides the maximum level of aggregation capability achievable between a given pair of systems.
Routing Features NOTE: The N1100-ON Series switches do not support routing. Address Resolution Protocol (ARP) Table Management Static ARP entries can be created, and many settings for the dynamic ARP table can be managed, such as age time for entries, retries, and cache size. The ARP table supports routing by caching MAC addresses corresponding to the IP addresses of attached stations. For information about managing the ARP table, see "IP Routing" on page 1173.
Open Shortest Path First (OSPF) NOTE: This feature is not available on Dell EMC Networking N1100-ON or N1500 Series switches. Open Shortest Path First (OSPF) is a dynamic routing protocol commonly used within medium-to-large enterprise networks. OSPF is an interior gateway protocol (IGP) that operates within a single autonomous system. For information about configuring OSPF, see "OSPF and OSPFv3" on page 1243.
BOOTP/DHCP Relay Agent The switch BootP/DHCP Relay Agent feature relays BootP and DHCP messages between DHCP clients and DHCP servers that are located in different IP subnets. For information about configuring the BootP/DHCP Relay agent, see "Layer-2 and Layer-3 Relay Features" on page 1215. IP Helper and DHCP Relay The IP Helper and DHCP Relay features provide the ability to relay various protocols to servers on a different subnet.
Virtual Router Redundancy Protocol (VRRP) VRRP provides hosts with redundant routers in the network topology without any need for the hosts to reconfigure or know that there are multiple routers. If the primary (master) router fails, a secondary router assumes control and continues to use the virtual router IP (VRIP) address.
IPv6 Routing Features NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches. IPv6 Configuration The switch supports IPv6, the next generation of the Internet Protocol. IPv6 can be globally enabled on the switch and settings such as the IPv6 hop limit and ICMPv6 rate limit error interval can be configured. The administrator can also control whether IPv6 is enabled on a specific interface.
For information about configuring DHCPv6 settings, see "DHCPv6 Server Settings" on page 1487. Quality of Service (QoS) Features NOTE: Some features that can affect QoS, such as ACLs and Voice VLAN, are described in other sections within this chapter. Differentiated Services (DiffServ) The QoS Differentiated Services (DiffServ) feature allows traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.
Internet Small Computer System Interface (iSCSI) Optimization NOTE: This feature is not available on Dell EMC Networking N1100-ON or N1500 Series switches. It is also not available on N3000 Series switches running the AGGREGATION ROUTER image. The iSCSI Optimization feature helps network administrators track iSCSI traffic between iSCSI initiator and target systems. This is accomplished by monitoring, or snooping traffic to detect packets used by iSCSI stations in establishing iSCSI sessions and connections.
IGMP Snooping Querier When Protocol Independent Multicast (PIM) and IGMP are enabled in a network with IP multicast routing, an IP multicast router acts as the IGMP querier. However, if it is desirable to keep the multicast network layer-2 switched only, the IGMP Snooping Querier can perform the query functions of a layer-3 multicast router.
Layer-3 Multicast Features For information about configuring layer-3 (L3) multicast features, see "IPv4 and IPv6 Multicast" on page 1579. NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches. Distance Vector Multicast Routing Protocol Distance Vector Multicast Routing Protocol (DVMRP) exchanges probe packets with all DVMRP-enabled routers, establishing two way neighboring relationships and building a neighbor table.
Protocol Independent Multicast—Sparse Mode Protocol Independent Multicast-Sparse Mode (PIM-SM) is used to efficiently route multicast traffic to multicast groups that may span wide area networks, and where bandwidth is a constraint. PIM-SM uses shared trees by default and implements source-based trees for efficiency. This data threshold rate is used to toggle between trees.
3 Hardware Overview This section provides an overview of the switch hardware.
The Dell EMC Networking N1124-ON front panel provides 24 10/100/1000BASE-T Ethernet RJ-45 ports capable of full and half duplex operation, and four SFP+ ports. The N1124P-ON supports six PoE+ or 12 PoE ports on ports 1-12. Dell EMC-qualified SFP+ transceivers are sold separately. The Dell EMC Networking N1148-ON front panel provides 48 10/100/1000BASE-T Ethernet RJ-45 ports capable of full and half duplex operation, and four SFP+ ports. The N1148P-ON supports twelve PoE+ or 24 PoE ports on ports 1-24.
The console port is separately configurable and can be run as an asynchronous link from 1200 BAUD to 115,200 BAUD. The Dell EMC CLI supports changing only the speed of the console port. The defaults are 115,200 BAUD, 8 data bits, no parity, 1 stop bit, and no flow control. USB Port The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The Dell EMC Networking N-Series switch can read or write to a flash drive with a single partition formatted as FAT-32.
Power Supply The internal power supply wattage for the Dell EMC Networking N1100-ON switches is as follows: • N1108T-ON: 24W • N1108P-ON: 80W • N1124T-ON: 40W • N1124P-ON: 250W • N1148T-ON: 60W • N1148P-ON: 500W For information about power consumption for the N1100-ON PoE switches, see "Power Consumption for PoE Switches" on page 116. Ventilation System The N1108T-ON, N1124T-ON, and N1148T-ON switches are fanless.
Figure 3-3. 100/1000/10000BASE-T Port LEDs (callouts: Link/SPD, Activity (non-PoE), PoE/Activity (PoE))
Table 3-19 shows the 100/1000/10000BASE-T port LED definitions.
Table 3-1. 100/1000/10000BASE-T Port LED Definitions
LED                                 Color        Definition
Link/SPD LED                        Off          There is no link.
                                    Solid amber  The port is operating at 10/100 Mbps.
                                    Solid green  The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)  Off          There is no current transmit/receive activity.
Table 3-2. SFP Port LED Definitions (N1108-ON Only)
LED                       Color           Definition
Link/SPD LED (Left LED)   Off             There is no link.
                          Solid green     The port is operating at 1 Gbps.
Activity LED (Right LED)  Off             There is no current transmit/receive activity.
                          Blinking green  The port is actively transmitting/receiving.
Table 3-3. SFP+ Port LED Definitions (N1124-ON and N1148-ON Only)
LED                               Color        Definition
Link/SPD LED (Left bi-color LED)  Off          There is no link.
                                  Solid green
                                  Solid amber
System LEDs The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-25 shows the System LED definitions for the Dell EMC Networking N1100-ON switches.
Table 3-5. System LED Definitions
LED     Color           Definition
Status  Solid green     Normal operation.
        Blinking green  The switch is booting
        Solid amber     A critical system error has occurred.
        Blinking amber  A noncritical system error occurred (fan or power supply failure).
Power Consumption for PoE Switches Table 3-6 describes the power consumption for N3132P-ON PoE switches. The PoE power budget is 60W for the N1108P-ON, 185W for the N1124P-ON, and 370W for the N1148P-ON.
Table 3-6. Power Consumption for N3132P-ON PoE Switches
Model      Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Maximum Steady Power (W)
N1108P-ON  100V/60Hz      Main PSU                    0.95A                                   88.64W
           110V/60Hz      Main PSU                    0.87A                                   88.43W
           120V/60Hz      Main PSU                    0.80A                                   88.
Wall Installation To mount the switch on a wall: 1 Make sure that the mounting location meets the following requirements: • The surface of the wall must be capable of supporting the switch. • Allow at least two inches (5.1 cm) space on the sides for proper ventilation and five inches (12.7 cm) at the back for power cable clearance. • The location must be ventilated to prevent heat buildup.
5 Place the switch on the wall in the location where the switch is being installed. 6 On the wall, mark the locations where the screws to hold the switch must be prepared. 7 On the marked locations, drill the holes and place all plugs (not provided) in the holes. 8 Secure the switch to the wall with screws (not provided). Make sure that the ventilation holes are not obstructed.
Dell EMC Networking N1500 Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N1500 Series switches.
Figure 3-6. Dell EMC Networking N1524P Close-up The Dell EMC Networking 1524 front panel has status LEDs for over-temperature alarm (left), internal power (middle), and status (right) on the top row. The bottom row of status LEDs displays, from left to right, the Stack Master, redundant power supply (RPS) status, and fan alarm status. The Dell EMC Networking 1524P front panel, shown in Figure 3-6, has status LEDs for over-temperature alarm, internal power, and status on the top row.
The front-panel switch ports have the following characteristics:
• The switch automatically detects the difference between crossed and straight-through cables on RJ-45 ports and automatically chooses the MDI or MDIX configuration to match the other end.
• SFP+ ports support Dell EMC-qualified transceivers utilizing 10GBASE-SR, 10GBASE-LR, 10GBASE-CR, or 1000BASE-X technologies.
USB Port The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The Dell EMC Networking N-Series switch can read or write to a flash drive with a single partition formatted as FAT-32. Use a USB flash drive to copy switch configuration files and images between the USB flash drive and the switch. The USB flash drive may be used to move and copy configuration files and images from one switch to other switches in the network.
Figure 3-7. Dell EMC Networking N1500 Series Back Panel (callouts: Fan Vents, AC Power Receptacle)
Power Supplies Dell EMC Networking N1524 and N1548 The Dell EMC Networking N1524 and N1548 Series switches have an internal 100-watt power supply. The additional redundant power supply (Dell EMC Networking RPS720) provides 180 watts of power and gives full redundancy for the switch.
LED Definitions This section describes the LEDs on the front and back panels of the switch. Port LEDs Each port on a Dell EMC Networking N1500 Series switch includes two LEDs. One LED is on the left side of the port, and the second LED is on the right side of the port. This section describes the LEDs on the switch ports. 100/1000/10000BASE-T Port LEDs Each 100/1000/10000BASE-T port has two LEDs. Figure 3-8 illustrates the 100/1000/10000BASE-T port LEDs. Figure 3-8.
Stacking Port LEDs
Table 3-8. Stacking Port LED Definitions
LED           Color           Definition
Link LED      Off             There is no link.
              Solid green     The port is actively transmitting/receiving.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.
Console Port LEDs
Table 3-9. Console Port LED Definitions
LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
Table 3-10. System LED Definitions (Continued)
LED                        Color        Definition
RPS (on non-PoE switches)  Off          There is no redundant power supply (RPS).
                           Solid green  Power to the RPS is on.
                           Solid red    An RPS is detected but it is not receiving power.
EPS (on PoE switches)      Off          There is no external power supply (EPS).
                           Solid green  Power to the EPS is on.
                           Solid red    An EPS is detected but it is not receiving power.
Fan
Stack Master
Temp
Stack No.
Table 3-11. Power Consumption
Model                       Input Voltage  Power Supply Configuration  Max Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N1548P  100V           Main PSU+EPS PSU            17.1                                1719.0
                            110V           Main PSU+EPS PSU            15.5                                1704.0
                            120V           Main PSU+EPS PSU            14.1                                1690.0
                            220V           Main PSU+EPS PSU            7.5                                 1642.4
                            240V           Main PSU+EPS PSU            6.9                                 1647.0
The PoE power budget for each interface is controlled by the switch firmware.
Dell EMC Networking N2000 Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N2000 Series switches.
Figure 3-10. Dell EMC Networking N2024/N2048 Close-up The Dell EMC Networking N2024/N2048 front panel, shown in Figure 3-10, has status LEDs for over-temperature alarm (left), internal power (middle), and status (right) on the top row. The bottom row of status LEDs displays, from left to right, the Stack Master, redundant power supply (RPS) status, and fan alarm status. The Dell EMC Networking N2024P/N2048P front panel has status LEDs for over-temperature alarm, internal power and status on the top row.
The front-panel switch ports have the following characteristics: • The switch automatically detects the difference between crossed and straight-through cables on RJ-45 ports and automatically chooses the MDI or MDIX configuration to match the other end. • SFP+ ports support Dell EMC-qualified transceivers. The default behavior is to log a message and generate an SNMP trap on insertion or removal of an optic that is not qualified by Dell.
the switch. The USB flash drive may be used to move and copy configuration files and images from one switch to other switches in the network. The system does not support the deletion of files on USB flash drives. The USB port does not support any other type of USB device. Reset Button The reset button is accessed through the pinhole and enables performing a hard reset on the switch. To use the reset button, insert an unbent paper clip or similar tool into the pinhole.
Figure 3-11. Dell EMC Networking N2000 Series Back Panel
Figure 3-12. Dell EMC Networking N2024P/N2048P Back Panel
Callouts: Fan Vents, AC Power Receptacle
The term mini-SAS refers to the stacking port cable connections shown in Figure 3-13. See "Stacking" on page 231 for information on using the mini-SAS ports to connect switches. Figure 3-13.
NOTE: PoE power is dynamically allocated. Not all ports will require the full PoE+ power. CAUTION: Remove the power cable from the power supplies prior to removing the power supply module itself. Power must not be connected prior to insertion in the chassis. Ventilation System Two internal fans cool the Dell EMC Networking N2000 Series switches. Information Tag The back panel includes a slide-out label panel that contains system information, such as the Service Tag, MAC address, and so on.
Table 3-13 shows the 100/1000/10000BASE-T port LED definitions.
Table 3-13. 100/1000/10000BASE-T Port Definitions
LED                                 Color           Definition
Link/SPD LED                        Off             There is no link.
                                    Solid yellow    The port is operating at 10/100 Mbps.
                                    Solid green     The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)  Off             There is no current transmit/receive activity.
                                    Blinking green  The port is actively transmitting/receiving.
Console Port LEDs
Table 3-15. Console Port LED Definitions
LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
System LEDs The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-16 shows the System LED definitions for the Dell EMC Networking N2000 Series switches.
Table 3-16. System LED Definitions
LED     Color        Definition
Status  Solid green  Normal operation.
Table 3-16. System LED Definitions (Continued)
LED           Color        Definition
Fan           Solid green  The fan is powered and is operating at the expected RPM.
              Solid red    A fan failure has occurred.
Stack Master  Off          The switch is not stack master.
              Solid green  The switch is master for the stack.
Temp          Solid green  The switch is operating below the threshold temperature.
              Solid red    The switch temperature exceeds the threshold of 75°C.
Stack No.     –            Switch ID within the stack.
The PoE power budget for each interface is controlled by the switch firmware. The administrator can limit the power supplied on a port or prioritize power to some ports over others. Table 3-18 shows power budget data. Table 3-18. Dell EMC Networking N2000 Series PoE Power Budget Limit One PSU Two PSUs Model Name Max. PSU Output PoE+ Power Ability Turn-on Limitation Max.
Dell EMC Networking N2100-ON Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N2128PX-ON switch. Front Panel All N2128PX-ON PoE models are 1U, rack-mountable switches. The Dell EMC Networking N2128PX-ON front panel provides 24 10/100/1000BASE-T Ethernet RJ-45 ports and four 2.5G NBASE-T Ethernet RJ-45 ports that support auto-negotiation for speed, flow control, and duplex.
To remain consistent with prior N-Series devices, CLI and GUI port references will be non-consecutive when the port type changes. Ports labeled 1-28 on the front panel will be referred to in the UI as Gi1/0/X (where X =1 to 28), ports labeled 29-30 on the front panel will be referred to in the UI as Te1/0/Y (where Y= 1 to 2) and ports labeled 31-32 on the rear panel will be referred to as Tw1/1/W (where W=1 to 2).
Port and System LEDs The front panel contains light emitting diodes (LEDs) that indicate the status of port links, power supplies, fans, stacking, and the overall system status. See "LED Definitions" on page 154 for more information. Stack Master LED and Stack Number Display When a switch within a stack is the master unit, the Stack Master LED is solid green. If the Stack Master LED is off, the stack member is not the master unit. The Stack No. panel displays the unit number for the stack member.
Port LEDs Each port on a Dell EMC Networking N2100-ON Series switch includes two LEDs. One LED is on the left side of the port, and the second LED is on the right side of the port. This section describes the LEDs on the switch ports. Each 100/1000/10000BASE-T port has two LEDs. Figure 3-16 illustrates the 100/1000/10000BASE-T port LEDs. Figure 3-16. 100/1000/10000BASE-T Port LEDs Link/SPD Activity Table 3-19 shows the 100/1000/10000BASE-T port LED definitions. Table 3-19.
Table 3-20. 2500BASE-T Port LED Definitions
LED                                    Color           Definition
Link/SPD LED (Left bi-color LED)       Off             There is no link.
                                       Solid green     The port is operating at 2.5 Gbps.
                                       Solid amber     The port is operating at 100 Mbps or 1 Gbps.
Activity/PoE LED (Right bi-color LED)  Off             There is no current transmit/receive activity, and PoE power is off.
                                       Blinking green  The port is actively transmitting/receiving, and PoE power is off.
Table 3-21.
Stacking Port LEDs
Table 3-23. Stacking Port LED Definitions
LED           Color           Definition
Link LED      Off             There is no link.
              Solid green     The port is actively transmitting/receiving.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.
Console Port LEDs
Table 3-24. Console Port LED Definitions
LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
Table 3-25. System LED Definitions (Continued)
LED                    Color        Definition
EPS (on PoE switches)  Off          There is no external power supply (EPS).
                       Solid green  Power to the EPS is on.
                       Solid red    An EPS is detected but it is not receiving power.
Fan                    Solid green  The fan is powered and is operating at the expected RPM.
                       Solid red    A fan failure has occurred.
Stack Master           Off          The switch is not stack master.
                       Solid green  The switch is master for the stack.
Temp                   Solid green  The switch is operating below the threshold temperature.
Table 3-27 shows power consumption data for the PoE-enabled N2128PX-ON switch when the power budget is 800W for the MPS.
Table 3-27. Power Consumption
Model                           Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N2128PX-ON  100V/60Hz      MPS                         9.92A                                   986.5W
                                110V/60Hz      MPS                         8.93A                                   975.7W
                                120V/60Hz      MPS                         8.01A                                   955.4W
                                220V/50Hz      MPS                         4.44A                                   945.4W
                                240V/50Hz      MPS                         4.08A                                   951.
The PoE power budget for each interface is controlled by the switch firmware. The administrator can limit the power supplied on a port or prioritize power to some ports over others. Table 3-29 shows power budget data. Table 3-29. Dell EMC Networking N2100-ON Series PoE Power Budget Limit One PSU Two PSUs Model Name Max. PSU Output PoE+ Power Ability Turn-on Limitation Max.
Dell EMC Networking N3000 Series Switch Hardware This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N3000 Series switches.
Figure 3-18. Dell EMC Networking N3048 with 48 10/100/1000BASE-T Ports (Front Panel)
[Figure callouts: Combo Ports; 10/100/1000BASE-T Auto-sensing Full Duplex RJ-45 Ports; SFP+ Ports]
The additional ports are on the right side of the front panel, as shown in Figure 3-18 and Figure 3-19.
Figure 3-19.
Switch Ports The Dell EMC Networking N3024/N3024P front panel provides 24 Gigabit Ethernet (10/100/1000BASE-T) RJ-45 ports that support auto-negotiation for speed, flow control, and duplex. The Dell EMC Networking N3024P models support two SFP+ 10G ports. Dell EMC-qualified SFP+ transceivers are sold separately. The Dell EMC Networking N3000 Series switches operate in full-duplex mode only.
Combo Ports Combo ports automatically select the active media and always choose fiber media if both copper and fiber are active. Copper combo ports do not support 10 Mbps forced mode. Console Port The console port provides serial communication capabilities, which allows communication using RS-232 protocol.
Reset Button The reset button is accessed through the pinhole and enables performing a hard reset on the switch. To use the reset button, insert an unbent paper clip or similar tool into the pinhole. When the switch completes the boot process after the reset, it resumes operation with the most recently saved configuration. Any changes made to the running configuration that were not saved to the startup configuration prior to the reset are lost.
Back Panel The following images show the back panels of the Dell EMC Networking N3000 Series switches. Figure 3-20. Dell EMC Networking N3000 Series Back Panel Fan Vents Dual 10G Slots for SFP+ or 10GBASE-T Modules AC Power Receptacle Figure 3-21. Dell EMC Networking N3024P/N3048P Back Panel Figure 3-22. Dell EMC Networking N3048 Mini-SAS Stacking Ports Close-up Mini-SAS stacking ports The term mini-SAS refers to the stacking port cable connections shown in Figure 3-22.
Expansion Slots for Plug-in Modules One expansion slot is located on the back of the Dell EMC Networking N3000 Series models and can support the following modules: • 10GBASE-T module • SFP+ module Each plug-in module has two ports. The plug-in modules include hot-swap support, so a switch reboot is not needed after a new module is installed. Issue a no slot command after removing the original module and prior to inserting a new type of module.
CAUTION: Remove the power cable from the power supplies prior to removing the power supply module itself. Power must not be connected prior to insertion in the chassis. Ventilation System Two fans cool the Dell EMC Networking N3000 Series switches. The Dell EMC Networking N3000 Series switches additionally have a fan in each internal power supply. The Dell EMC Networking N3000 Series fan is field-replaceable.
Table 3-30 shows the 100/1000/10000BASE-T port LED definitions.
Table 3-30. 100/1000/10000BASE-T Port Definitions
LED                                  Color           Definition
Link/SPD LED                         Off             There is no link.
                                     Solid yellow    The port is operating at 10/100 Mbps.
                                     Solid green     The port is operating at 1000 Mbps.
Activity LED (on non-PoE switches)   Off             There is no current transmit/receive activity.
                                     Blinking green  The port is actively transmitting/receiving.
Table 3-32. 10GBASE-T Module LED Definitions
LED           Color           Definition
Link/SPD LED  Off             There is no link.
              Solid green     The port is operating at 10 Gbps.
              Solid amber     The port is operating at 100/1000 Mbps.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.
Stacking Port LEDs
Table 3-33. Stacking Port LED Definitions
LED       Color  Definition
Link LED  Off    There is no link.
Console Port LEDs
Table 3-35. Console Port LED Definitions
LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
System LEDs
The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-36 shows the System LED definitions for the Dell EMC Networking N3000 Series switches.
Table 3-36. System LED Definitions
LED     Color        Definition
Status  Solid green  Normal operation.
Table 3-36. System LED Definitions LED Color Definition Power 1, Off There is no power or the switch has experienced a power failure. Solid green Power to the switch is on. Blinking green The switch locator function is enabled. Solid green The fan is powered and is operating at the expected RPM. Solid red A fan failure has occurred. Stack Master Off The switch is in stand-alone mode. Solid green The switch is master for the stack.
Power Consumption for PoE Switches
Table 3-37 shows power consumption data for the PoE-enabled switches.
Table 3-37. Dell EMC Networking N3000 Series Power Consumption
Model                       Input Voltage  Power Supply Configuration  Max Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N3024P  100V           PSU1+PSU2                   13.1                                1310.0
                            110V           PSU1+PSU2                   11.7                                1287.0
                            120V           PSU1+PSU2                   10.6                                1272.0
                            220V           PSU1+PSU2                   5.6                                 1232.0
                            240V           PSU1+PSU2                   5.2                                 1240.
Table 3-38. Dell EMC Networking N3000 Series PoE Power Budget Limit One PSU Two PSUs Model Name Max. PSU Output PoE+ Power Ability Turn-on Limitation Max. PSUs Output Ability PoE+ Power Turn-on Limitation Dell EMC Networking 715W 715W Power budget is 1100W: N3024P The total PoE supplied power must not exceed 550W. Dell EMC Networking 1100W N3048P/N3048 EP-ON Power budget is 550W: Power budget is 950W: The total PoE supplied power must not exceed 950W.
Dell EMC Networking N3100-ON Series Switch Hardware Front Panel All N3132PX-ON models are 1U, rack-mountable switches. The N3132PX-ON front panel provides twenty-four 10/100/1000BASE-T Ethernet RJ-45 ports and eight 5G NBASE-T Ethernet RJ-45 ports that support auto-negotiation for speed, flow control, and duplex. NBASE-T interfaces require auto-negotiation to be enabled. They will not operate correctly in fixed speed mode. The N3132PX-ON switch front panel ports operate in full duplex mode only.
Console Port The console port provides serial communication capabilities, which allows communication using RS-232 protocol. The serial port provides a direct connection to the switch and allows access to the CLI from a console terminal connected to the port through the provided serial cable (with RJ45 YOST to female DB-9 connectors). The console port is separately configurable and can be run as an asynchronous link from 1200 BAUD to 115,200 BAUD. The Dell EMC CLI only supports changing the speed.
Stack Master LED and Stack Number Display When a switch within a stack is the master unit, the Stack Master LED is solid green. If the Stack Master LED is off, the stack member is not the master unit. The Stack No. panel displays the unit number for the stack member. If a switch is not part of a stack (in other words, it is a stack of one switch), the Stack Master LED is illuminated, and the unit number is displayed.
Port LEDs
Each 100/1000/10000BASE-T port has two LEDs. Figure 3-25 illustrates the 100/1000/10000BASE-T port LEDs.
Figure 3-25. 100/1000/10000BASE-T Port LEDs
[Figure callouts: Link/SPD; Activity]
Table 3-39, Table 3-40, and Table 3-41 show the port LED definitions.
Table 3-39. 100/1000/10000BASE-T Port LED Definitions
LED           Color         Definition
Link/SPD LED  Off           There is no link.
              Solid yellow  The port is operating at 10/100 Mbps.
              Solid green   The port is operating at 1000 Mbps.
Table 3-40. 50000BASE-T Port LED Definitions
LED                                    Color           Definition
Link/SPD LED (Left bi-color LED)       Off             There is no link.
                                       Solid green     The port is operating at 2.5/5 Gbps.
                                       Solid amber     The port is operating at 100 Mbps or 1 Gbps.
Activity/PoE LED (Right bi-color LED)  Off             There is no current transmit/receive activity and PoE power is off.
                                       Blinking green  The port is actively transmitting/receiving and PoE power is off.
Table 3-41.
Module Bay LEDs
The following tables describe the purpose of each of the module bay LEDs when a QSFP or a Stacking module is installed.
Table 3-42. QSFP Module LED Definitions
LED           Color           Definition
Link/SPD LED  Off             There is no link.
              Solid green     The port is operating at 40 Gbps.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.
Table 3-43.
Table 3-45. Console Port LED Definitions
LED           Color        Definition
Link/SPD LED  Off          There is no link.
              Solid green  A link is present.
System LEDs
The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-46 shows the System LED definitions for the Dell EMC Networking N3132PX-ON Series switches.
Table 3-46. System LED Definitions
LED     Color        Definition
Status  Solid green  Normal operation.
Power Consumption for PoE Switches
Table 3-47 shows power consumption data for the PoE-enabled N3132PX-ON switch when the power budget is 500W for one 715W power supply.
Table 3-47. Power Consumption
Model                           Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N3132PX-ON  100V/60Hz      One 715W                    6.47A                                   647.3W
                                110V/60Hz      One 715W                    5.79A                                   636.1W
                                120V/60Hz      One 715W                    5.12A                                   611.9W
                                220V/50Hz      One 715W                    2.85A                                   621.7W
                                240V/50Hz      One 715W                    2.
Table 3-49 shows power consumption data for the PoE-enabled N3132PX-ON switch when the power budget is 750W for one 1100W power supply.
Table 3-49. Power Consumption
Model                           Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N3132PX-ON  100V/60Hz      One 1100W                   9.41A                                   937.1W
                                110V/60Hz      One 1100W                   8.48A                                   929.7W
                                120V/60Hz      One 1100W                   7.69A                                   918.3W
                                220V/50Hz      One 1100W                   4.16A                                   904.3W
                                240V/50Hz      One 1100W                   3.81A                                   902.
Table 3-51 shows power consumption data for the PoE-enabled N3132PX-ON switch when the power budget is 1440W for one 1100W power supply + one 715W power supply.
Table 3-51. Power Consumption
Model                           Input Voltage  Power Supply Configuration  Maximum Steady Current Consumption (A)  Max Steady Power (W)
Dell EMC Networking N3132PX-ON  100V/60Hz      1100W + 715W                17.51A                                  1748W
                                110V/60Hz      1100W + 715W                15.7A                                   1722.3W
                                120V/60Hz      1100W + 715W                14.36A                                  1704.2W
                                220V/50Hz      1100W + 715W                7.63A                                   1663.
Dell EMC Networking N4000 Series Switch Hardware NOTE: Both the Dell EMC Networking PC8100 and N4000 Series switches can run firmware versions 6.0.0.8 and beyond. The Dell EMC Networking N4000 Series switches cannot run firmware prior to version 6.0.0.8. This section contains information about device characteristics and modular hardware configurations for the Dell EMC Networking N4000 Series switches.
Figure 3-26. Dell EMC Networking N4032 Front Panel 10GbE Copper Ports Module bay USB port Figure 3-27. Dell EMC Networking N4032F Front Panel 10GbE Fiber Ports Module bay USB port Dell EMC Networking N4032 and N4032F switches can be stacked with other Dell EMC Networking N4000 Series switches using 10G or 40G SFP+ or QSFP modules in the module bay. The Dell EMC Networking N4064 front panel provides 48 x 10GbE copper ports and two fixed QSFP ports, each supporting 4 x 10G or 1 x 40G connections.
Figure 3-28. Dell EMC Networking N4064 Front Panel
[Figure callouts: Module bay; 10GbE Copper Ports; USB port; Fixed QSFP ports]
Figure 3-29. Dell EMC Networking N4064F Front Panel
[Figure callouts: Module bay; 10GbE Fiber Ports; USB port; Fixed QSFP ports]
The Dell EMC Networking N4064 and N4064F switches can be stacked with other Dell EMC Networking N4000 Series switches using the 10G or 40G SFP+ or QSFP modules in the module bay or fixed QSFP ports.
• Blank module — defaults to 10G mode A reboot is not necessary when a hot-pluggable Ethernet module is replaced with an Ethernet module of different type. Issue the no slot command after removing the module and prior to installing the new module. Plug-in modules with any port configured as a stacking port are not hot-swappable. A no slot command must be executed prior to inserting the new Ethernet module. Changing the role of a port from stacking to Ethernet or vice-versa requires a switch reboot.
• Complies with IEEE802.3z, IEEE 802.3, IEEE802.3u, IEEE802.3ab, IEEE802.3az, IEEE802.3an • Four 10GBASE-T/1GBASE-T/100MBASE-T copper ports. • front-panel port status LEDs USB Port The Type-A, female USB port supports a USB 2.0-compliant flash memory drive. The Dell EMC Networking N4000 Series switch can read or write to a flash drive with a single partition formatted as FAT-32. Use a USB flash drive to copy switch configuration files and images between the USB flash drive and the switch.
The following image shows the back panel of the Dell EMC Networking N4000 Series switches. Figure 3-30. Dell EMC Networking N4000 Series Back Panel RJ-45 serial console port AC power OOB Ethernet port Fans AC power Console Port The console port is for management through a serial interface. This port provides a direct connection to the switch and provides access to the CLI from a console terminal connected to the port through the provided serial cable (RJ-45 to female DB-9 connectors).
Power Supplies Each Dell EMC Networking N4000 Series switch has two power supplies for redundant or load-sharing operation. Each power supply can support 300W. CAUTION: Remove the power cable from the modules prior to removing the module itself. Power must not be connected prior to insertion in the chassis. Ventilation System The Dell EMC Networking N4000 Series switches have two fans. Each switch also has four thermal sensors and a fan speed controller, which can be used to control fan speeds.
Table 3-53 shows the 100/1000/10000BASE-T port LED definitions. Table 3-53. 100/1000/10000BASE-T Port LED Definitions LED Color Definition Link LED Off There is no link. Solid green The port is operating at 10 Gbps. Solid amber The port is operating at 100/1000 Mbps. Off There is no current transmit/receive activity. Blinking green The port is actively transmitting/receiving.
Table 3-56. QSFP Module LED Definitions
LED           Color           Definition
Link LED      Off             There is no link.
              Solid green     The port is operating at 40 Gbps.
              Solid amber     The port is operating at other speeds.
Activity LED  Off             There is no current transmit/receive activity.
              Blinking green  The port is actively transmitting/receiving.
Out-of-Band Ethernet Management Port LEDs
Table 3-57 shows the LED definitions for the OOB Ethernet management port.
Table 3-57.
System LEDs The system LEDs, located on the front panel, provide information about the power supplies, thermal conditions, and diagnostics. Table 3-58 shows the System LED definitions for the Dell EMC Networking N4000 Series switches. Table 3-58. System LED Definitions—Dell EMC Networking N4000 Series Switches LED Color Definition System Blinking blue The switch is booting Solid red A critical system error has occurred.
Switch MAC Addresses The switch allocates MAC addresses from the Vital Product Data information stored locally in flash. MAC addresses are used as follows: Table 3-59.
Power Supplies:

Unit  Description  Status    Average Power  Current Power  Since Date/Time
                             (Watts)        (Watts)
----  -----------  --------  -------------  -------------  -------------------
1     System       OK        42.0           43.4
1     Main         OK        N/A            N/A            04/06/2001 16:36:16
1     Secondary    No Power  N/A            N/A            01/01/1970 00:00:00

USB Port Power Status:
----------------------
Device Not Present

console#show ip interface out-of-band
IP Address.....................................
Subnet Mask....................................
Default Gateway........................
Using Dell EMC OpenManage Switch Administrator 4 Dell EMC Networking N-Series Switches This section describes how to use the Dell EMC OpenManage Switch Administrator application.
Starting the Application
To access the Dell EMC OpenManage Switch Administrator and log on to the switch:
1 Open a web browser.
2 Enter the IP address of the switch in the address bar and press <Enter>. For information about assigning an IP address to a switch, see "Setting the IP Address and Other Basic Network Information" on page 203.
3 When the Login window displays, enter a username and password. Passwords and usernames are both case sensitive and alpha-numeric.
Figure 4-1.
4 Click Submit. 5 The Dell EMC OpenManage Switch Administrator home page displays. The home page is the Device Information page, which contains a graphical representation of the front panel of the switch. For more information about the home page, see "Device Information" on page 400.
Figure 4-2.
Using the Switch Administrator Buttons and Links
Table 4-2 describes the buttons and links available from the Dell EMC OpenManage Switch Administrator interface.
Table 4-2. Button and Link Descriptions
Button or Link  Description
Support         Opens the Dell Support page at www.dell.com/support.
About           Contains the version and build number and Dell copyright information.
Log Out         Logs out of the application and returns to the login screen.
Save            Saves the running configuration to the startup configuration.
Defining Fields
User-defined fields can contain 1–159 characters, unless otherwise noted on the Dell EMC OpenManage Switch Administrator web page. All characters may be used except for the following:
• \
• /
• :
• *
• ?
• <
• >
• |
Understanding the Device View
The Device View shows various information about the switch. This graphic appears on the Dell EMC OpenManage Switch Administrator Home page, which is the page that displays after a successful login.
Using the Device View Switch Locator Feature The Device View graphic includes a Locate button and a drop-down menu of timer settings. When the user clicks Locate, the switch locator LED blinks for the number of seconds selected from the timer menu. The blinking LED can help the administrator or a technician near the switch identify the physical location of the switch within a room or rack full of switches.
5 Using the Command-Line Interface Dell EMC Networking N-Series Switches This section describes how to use the Command-Line Interface (CLI) on Dell EMC Networking N-Series switches. The topics covered in this section include: • Accessing the Switch Through the CLI • Understanding Command Modes • Entering CLI Commands Accessing the Switch Through the CLI The CLI provides a text-based way to manage and monitor the Dell EMC Networking N-Series switches.
the OOB Ethernet port. On the N1100-ON Series switches, the USB console port is located in the bottom right corner of the front panel. NOTE: For a stack of switches, be sure to connect to the console port on the Master switch. The Master LED is illuminated on the stack Master. Alternatively, use the connect command to access the console session. 2 Start the terminal emulator, such as Microsoft HyperTerminal, and select the appropriate serial port (for example, COM 1) to connect to the console.
NOTE: SSH, which is more secure than Telnet, is disabled by default. To connect to the switch using Telnet, the switch must have an IP address, and the switch and management station must have network connectivity. Any Telnet client on the management station can be used to connect to the switch. A Telnet session can also be initiated from the Dell EMC OpenManage Switch Administrator. For more information, see "Initiating a Telnet Session from the Web Interface" on page 439.
The CLI includes many additional command modes. For more information about the CLI command modes, including details about all modes, see the CLI Reference Guide. Table 5-1 describes how to navigate between CLI command modes and lists the prompt that displays in each mode.
Table 5-1. Command Mode Overview
Command Mode Access Method User Exec console> The user is automatically in User Exec mode unless the user is defined as a privileged user.
Entering CLI Commands
The switch CLI provides several techniques to help users enter commands.
Using the Question Mark to Get Help
Enter a question mark (?) at the command prompt to display the commands available in the current mode.
console(config-vlan)#?
exit      To exit from the mode.
help      Display help for various special keys.
ip        Configure IP parameters.
ipv6      Configure IPv6 parameters.
protocol  Configure the Protocols associated with particular Group Ids.
vlan      Create a new VLAN or delete an existing VLAN.
Using Command Completion
The CLI can complete partially entered commands when the <Tab> or <Space> key is pressed.
console#show run
console#show running-config
If the characters entered are not enough for the switch to identify a single matching command, continue entering characters until the switch can uniquely identify the command. Use the question mark (?) to display the available commands matching the characters already entered.
Understanding Error Messages
If a command is entered and the system is unable to execute it, an error message appears. Table 5-2 describes the most common CLI error messages.
Table 5-2. CLI Error Messages
Message Text                             Description
% Invalid input detected at '^' marker.  Indicates that an incorrect or unavailable command was entered. The caret (^) shows where the invalid text is detected. This message also appears if any of the parameters or values are not recognized.
6 Default Settings
This section describes the default settings for many of the software features on the Dell EMC Networking N-Series switches.
Table 6-1. Default Settings
Feature          Default
IP address       DHCP on OOB interface, if equipped. DHCP on VLAN1 if no OOB interface
Subnet mask      None
Default gateway  None
DHCP client      Enabled on out-of-band (OOB) interface or VLAN 1 if no OOB interface.
Table 6-1. Default Settings (Continued)
Feature                           Default
DNS                               Enabled (No servers configured)
SNMP                              Enabled (SNMPv1)
SNMP Traps                        Enabled
Auto Configuration                Enabled
Auto Save                         Disabled
Stacking                          Enabled
Nonstop Forwarding on the Stack   Enabled
sFlow                             Disabled
ISDP                              Enabled (Versions 1 and 2)
RMON                              Enabled
TACACS+                           Not configured
RADIUS                            Not configured
SSH/SSL                           Disabled
Telnet                            Enabled
Denial of Service Protection      Disabled
Captive Portal                    Disabled
IEEE 802.
Table 6-1. Default Settings (Continued)
Feature                         Default
Multiple Spanning Tree          Disabled
Link Aggregation                No LAGs configured
LACP System Priority            1
Routing Mode                    Disabled
OSPF Admin Mode                 Disabled
OSPF Router ID                  0.0.0.0
IP Helper and UDP Relay         Disabled
RIP                             Disabled
VRRP                            Disabled
Tunnel and Loopback Interfaces  None
IPv6 Routing                    Disabled
DHCPv6                          Disabled
OSPFv3                          Disabled
DiffServ                        Enabled
Auto VoIP                       Disabled
Auto VoIP Traffic Class         6
PFC                             Disabled; no classifications configured.
Setting the IP Address and Other Basic Network Information 7 Dell EMC Networking N-Series Switches This chapter describes how to configure basic network information for the switch, such as the IP address, subnet mask, and default gateway.
Table 7-1. Basic Network Information (Continued) Feature Description Default Gateway Typically a router interface that is directly connected to the switch and is in the same subnet. The switch sends IP packets to the default gateway when it does not recognize the destination IP address in a packet. DHCP Client Requests network information from a DHCP server on the network. Domain Name System (DNS) Server Translates hostnames into IP addresses.
server on the network, the TFTP server must be identified. If configuring the switch to use a DNS server to resolve hostnames into IP addresses, it is possible to enter the hostname of the TFTP server instead of the IP address. It is often easier to remember a hostname than an IP address, and if the IP address is dynamically assigned, it might change from time-to-time. How Is Basic Network Information Configured? A console-port connection is required to perform the initial switch configuration.
recommended that the port be connected only to a physically isolated secure management network. The OOB port is a layer-3 interface that uses an internal non-user-configurable VLAN. The out-of-band port is a logical management interface. The IP stack’s routing table contains both IPv4/IPv6 routes associated with these management interfaces and IPv4/IPv6 routes associated with routing interfaces.
The administrator can assign an IPv4 address or IPv6 addresses to the OOB management port and to any VLAN. By default, all ports (other than the OOB port) are members of VLAN 1. If an IP address is assigned to VLAN 1, it is possible to connect to the switch management interface by using any of the front-panel switch ports. Assignment of an IP address to a VLAN associated to a front panel interface is required to manage the Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches.
Default Network Information NOTE: Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches do not have an out-of-band interface. By default, no network information is configured. The DHCP client is enabled on the OOB interface by default on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. The DHCP client is enabled on VLAN 1 by default on the Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches. DNS is enabled, but no DNS servers are configured.
Configuring Basic Network Information (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring basic network information on the Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Out-of-Band Interface NOTE: Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches do not have an out-of-band interface.
Figure 7-1. Out of Band Interface To enable the DHCP client and allow a DHCP server on your network to automatically assign the network information to the OOB interface, select DHCP from the Protocol menu. If the network information is statically assigned, ensure that the Protocol menu is set to None.
Figure 7-2. IP Interface Configuration (Default VLAN) Assigning Network Information to the Default VLAN To assign an IP Address and subnet mask to the default VLAN: 1 From the Interface menu, select VLAN 1. 2 From the Routing Mode field, select Enable. 3 From the IP Address Configuration Method field specify whether to assign a static IP address (Manual) or use DHCP for automatic address assignment.
Route Entry Configuration (Switch Default Gateway) Use the Route Entry Configuration page to configure the default gateway for the switch. The default VLAN uses the switch default gateway as its default gateway. The switch default gateway must not be on the same subnet as the OOB management port, as the OOB management port cannot route packets received on the front-panel ports. To display the Route Entry Configuration page, click Routing → Router → Route Entry Configuration in the navigation panel.
Configuring a Default Gateway for the Switch: To configure the switch default gateway: 1 Open the Route Entry Configuration page. 2 From the Route Type field, select Default. Figure 7-4. Default Route Configuration (Default VLAN) 3 In the Next Hop IP Address field, enter the IP address of the default gateway. 4 Click Apply. For more information about configuring routes, see "IP Routing" on page 1173.
Domain Name Server Use the Domain Name Server page to configure the IP address of the DNS server. The switch uses the DNS server to translate hostnames into IP addresses. To display the Domain Name Server page, click System → IP Addressing → Domain Name Server in the navigation panel. Figure 7-5. DNS Server To configure DNS server information, click the Add link and enter the IP address of the DNS server in the available field. Figure 7-6.
Default Domain Name Use the Default Domain Name page to configure the domain name the switch adds to a local (unqualified) hostname. To display the Default Domain Name page, click System → IP Addressing → Default Domain Name in the navigation panel. Figure 7-7.
Host Name Mapping Use the Host Name Mapping page to assign an IP address to a static host name. The Host Name Mapping page provides one IP address per host. To display the Host Name Mapping page, click System → IP Addressing → Host Name Mapping. Figure 7-8. Host Name Mapping To map a host name to an IP address, click the Add link, type the name of the host and its IP address in the appropriate fields, and then click Apply. Figure 7-9.
Dynamic Host Name Mapping Use the Dynamic Host Name Mapping page to view dynamic host entries the switch has learned. The switch learns hosts dynamically by using the configured DNS server to resolve a hostname. For example, if you ping www.dell.com from the CLI, the switch uses the DNS server to look up the IP address of dell.com and adds the entry to the Dynamic Host Name Mapping table.
Configuring Basic Network Information (CLI) This section provides information about the commands used for configuring basic network information on the Dell EMC Networking N-Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command                   Purpose
ipv6 address dhcp         Enable the DHCPv6 client.
CTRL + Z                  Exit to Privileged Exec mode.
show ip interface vlan 1  Display network information for VLAN 1.
Managing DHCP Leases
Use the following commands to manage and troubleshoot DHCP leases on the switch.
Command                                 Purpose
show dhcp lease interface [interface]   Display IPv4 addresses leased from a DHCP server.
Configuring Static Network Information on the OOB Port NOTE: Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches do not have an out-of-band interface. Use the following commands to configure a static IP address, subnet mask, and default gateway on the OOB port. If no default gateway is configured, then the zero subnet (0.0.0.0) is used.
Configuring Static Network Information on the Default VLAN Use the following commands to configure a static IP address, subnet mask, and default gateway on the default VLAN. Alternatively, a DHCP server may be used to obtain a network address. The switch also supports IPv6 address auto-configuration. IP subnets on in-band ports (configured on switch VLANs) may not overlap with the OOB port subnet.
Command                       Purpose
show ip interface vlan 10     Verify the network information for VLAN 10.
show ipv6 interface vlan 10   Verify IPv6 network information for VLAN 10.
interface Gi1/0/24            Enter physical Interface Configuration mode for the specified interface.
switchport access vlan 10     Allow access to the management VLAN over this port.
exit                          Exit Interface Configuration mode.
Command                       Purpose
show ip address-conflict      View the status information corresponding to the last detected address conflict.
clear ip address-conflict-    Clear the address conflict detection status in the switch.
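The guide states two addressing rules for the management plane: in-band VLAN subnets may not overlap the OOB port subnet, and the switch default gateway must not be on the OOB port's subnet. The following pre-deployment check is an added example, not part of the Dell documentation; the function name, the VLAN 10 address, and the gateway addresses are constructed for illustration, while the OOB address is the one shown in the guide's sample output. The third check (gateway on a directly connected in-band subnet) reflects the guide's "typically" wording and is reported only as a warning.

```python
import ipaddress


def audit_management_addressing(oob, vlans, default_gateway=None):
    """Check a planned addressing scheme against the guide's OOB rules.

    oob             -- "address/mask" for the OOB port, or None when the
                       model has no OOB port (N1100-ON/N1500/N2000/N2100-ON)
    vlans           -- dict of VLAN name -> "address/mask" (in-band interfaces)
    default_gateway -- switch default gateway address, or None

    Returns a list of (severity, message) tuples; an empty list means the
    plan passed. Malformed addresses raise ValueError from ipaddress.
    """
    findings = []
    oob_if = ipaddress.ip_interface(oob) if oob else None
    vlan_ifs = {name: ipaddress.ip_interface(a) for name, a in vlans.items()}

    # Rule 1: in-band VLAN subnets may not overlap the OOB port subnet.
    if oob_if is not None:
        for name, vif in vlan_ifs.items():
            same_family = vif.version == oob_if.version
            if same_family and vif.network.overlaps(oob_if.network):
                findings.append((
                    "error",
                    f"{name} subnet {vif.network} overlaps the OOB subnet "
                    f"{oob_if.network}",
                ))

    if default_gateway is not None:
        gw = ipaddress.ip_address(default_gateway)
        in_oob = (
            oob_if is not None
            and gw.version == oob_if.version
            and gw in oob_if.network
        )
        if in_oob:
            # Rule 2: the switch default gateway must not sit on the OOB
            # subnet, because the OOB port cannot route front-panel traffic.
            findings.append((
                "error",
                f"default gateway {gw} is inside the OOB subnet "
                f"{oob_if.network}",
            ))
        elif not any(
            gw.version == v.version and gw in v.network
            for v in vlan_ifs.values()
        ):
            # Rule 3 (warning): the gateway is typically a router interface
            # in the same subnet as one of the switch's in-band interfaces.
            findings.append((
                "warning",
                f"default gateway {gw} is not on any in-band VLAN subnet",
            ))
    return findings


# Constructed sample plans. The OOB address matches the guide's example
# output; the VLAN and gateway addresses are made up for the demonstration.
PLAN_OK = dict(
    oob="10.27.22.153/255.255.255.0",
    vlans={"vlan 10": "10.27.21.29/255.255.255.0"},
    default_gateway="10.27.21.1",
)
PLAN_OVERLAP = dict(
    oob="10.27.22.153/255.255.255.0",
    vlans={"vlan 10": "10.27.22.200/255.255.255.128"},
    default_gateway="10.27.22.1",
)
PLAN_NO_OOB = dict(
    oob=None,
    vlans={"vlan 1": "192.168.10.5/24"},
    default_gateway="192.168.20.1",
)

if __name__ == "__main__":
    for label, plan in (("ok", PLAN_OK), ("overlap", PLAN_OVERLAP),
                        ("no-oob", PLAN_NO_OOB)):
        results = audit_management_addressing(**plan)
        print(label, results or "no findings")
```

Running the check before applying addresses catches a plan that would place in-band traffic on the isolated management subnet.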
Basic Network Information Configuration Examples Configuring Network Information Using the OOB Port In this example, an administrator at a Dell office in California decides not to use the Dell Easy Setup Wizard to perform the initial switch configuration. The administrator configures Dell EMC Networking N3000, N3100-ON, and N4000 Series switches to obtain information from a DHCP server on the management network and creates the administrative user with read/write access.
3 Configure the DNS servers, default domain name, and static host mapping.
console(config)#ip name-server 10.27.138.20 10.27.138.21
console(config)#ip domain-name sunny.dell.com
console(config)#ip host admin-laptop 10.27.65.103
console(config)#exit
4 View the network information that the DHCP server on the network dynamically assigned to the switch.
console#show ip interface out-of-band
IP Address........................ 10.27.22.153
Subnet Mask...................... 255.255.255.0
Default Gateway..........
Configuring Network Information Using the Serial Interface In this example, the administrator configures a Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON Series switch via the serial interface while using the same DHCP server and address configuration as given in the previous example. 1 Connect a front-panel port (e.g., gi1/0/24) to the management network.
Forward Net Directed Broadcasts........... Disable
Proxy ARP.................................. Enable
Local Proxy ARP........................... Disable
Active State............................... Active
MAC Address........................ 001E.C9DE.B77A
Encapsulation Type....................... Ethernet
IP MTU....................................... 1500
Bandwidth.............................. 10000 kbps
Destination Unreachables.................. Enabled
ICMP Redirects............................
8 Managing QSFP Ports Dell EMC Networking N3100-ON and N4000 Series Switches QSFP ports available on Dell EMC Networking N4000 Series switches can operate in 1 x 40G mode or in 4 x 10G mode. Appropriate cables must be used that match the selected mode. When changing from one mode to another, a switch reboot is required. The QSFP ports also support stacking over the interfaces in either 1 x 40G or 4 x 10G mode. Changing from Ethernet mode to stacking mode and vice-versa requires a reboot as well.
This command will not take effect until the switch is rebooted.
console(config-if-Fo1/1/2)#do reload
Are you sure you want to reload the stack? (y/n)
To change a 4 x 10G port to 1 x 40G mode, enter the following commands on the 40-gigabit interface:
console(config)#interface Fo2/1/1
console(config-if-Fo2/1/1)#hardware profile portmode 1x40g
This command will not take effect until the switch is rebooted.
9 Stacking Dell EMC Networking N-Series Switches This chapter describes how to configure and manage a stack of switches.
module. Beginning with the 6.5.1 release, any stack containing any N3000 Series switch (other than the N3048EP-ON) is limited to a maximum of eight units. Dell EMC Networking N4000 Series switches stack with other Dell EMC Networking N4000 Series switches over front-panel ports configured for stacking. Dell EMC Networking N1500 Series switches stack with other N1500 Series switches using the 10G SFP+ front-panel ports.
significant portion of the stack capacity will transit stacking links. One technique for achieving this is to distribute uplinks evenly across the stack vs. connecting all uplinks to a single stack unit or to adjacent stacking units. NOTE: Beginning with the 6.5.1 release, any stack containing any N3000 Series switch (other than the N3048EP-ON) is limited to a maximum of eight units. Dell EMC Networking N2100-ON Series switches have two fixed stacking ports in the rear that accept mini-SAS cables.
to the maximum distance supported by the transceiver on the stack links. Note that PFC cannot be enabled on stacking ports — the system handles the buffering and flow control automatically. A single switch in the stack manages all the units in the stack (the stack master), and the stack is managed by using a single IP address. The IP address of the stack does not change, even if the stack master changes. A stack is created by daisy-chaining stacking links on adjacent units.
Dell strongly recommends connecting the stack in a ring topology so that each switch is connected to two other switches. Connecting switches in a ring topology allows the stack to utilize the redundant communication path to each switch. If a switch in a ring topology fails, the stack can automatically establish a new communications path to the other switches. Switches not stacked in a ring topology may split into multiple independent stacks upon the failure of a single switch or stacking link.
Figure 9-1. Connecting a Stack of Switches (figure labels: Unit 1, Unit 2, Unit 3)
The stack in Figure 9-1 has the following physical connections between the switches:
• The lower stacking port on Unit 1 is connected to the upper stacking port on Unit 2.
• The lower stacking port on Unit 2 is connected to the upper stacking port on Unit 3.
• The lower stacking port on Unit 3 is connected to the upper stacking port on Unit 1.
Dell EMC Networking N1124-ON/N1148-ON, N1500, N2000, N2100-ON, N3000, N3048EP-ON, N3100-ON, and N4000 Stacking Compatibility
Dell EMC Networking N1100-ON, N1500, and N4000 Series switches do not stack with different Dell EMC Networking Series switches or other Dell EMC Networking switches. Dell EMC Networking N1124T-ON/N1148T-ON/N1124P-ON/N1148P-ON Series switches only stack with other Dell EMC Networking N1124T-ON/N1148T-ON/N1124P-ON/N1148P-ON Series switches.
• If the switch has the stack master function enabled but another stack master is already active, then the switch changes its configured stack master value to disabled.
• If the stack master function is unassigned and there is another stack master in the system then the switch changes its configured stack master value to disabled.
• If the stack master function is enabled or unassigned and there is no other stack master in the system, then the switch becomes stack master.
are not already connected to any ports of that unit. This is important because if STP is enabled and any links are UP, the STP reconvergence will take place as soon as the link is detected. After the stack cables on the new member are connected to the stack, the units can be powered up, beginning with the unit directly attached to the currently powered-up unit. Always power up new stack units closest to an existing powered unit first. Do not connect a new member to the stack after it is powered up.
• Remove all the member ports of any Port-Channels (LAGs) so there will not be any control traffic destined to those ports connected to this member.
• Statically re-route any traffic going through this unit.
When a unit in the stack fails, the stack master removes the failed unit from the stack. The failed unit reboots with its original running-config. If the stack is configured in a ring topology, then the stack automatically routes around the failed unit.
The stack master copies its running configuration to the standby unit whenever it changes (subject to some restrictions to reduce overhead). This enables the standby unit to take over the stack operation with minimal interruption if the stack master becomes unavailable. Operational state synchronization also occurs:
• when the running configuration is saved to the startup configuration on the stack master.
• when the standby unit changes.
The NSF feature enables the stack master unit to synchronize the running-config within 60 seconds after a configuration change has been made. However, if a lot of configuration changes happen concurrently, NSF uses a back-off mechanism to reduce the load on the switch. In this case, the stack master will attempt resynchronization no more often than once every 120 seconds. The show nsf command output includes information about when the next running-config synchronization will occur.
The NSF checkpoint service allows the stack master to communicate startup configuration data to the standby unit in the stack. When the stack selects a standby unit, the checkpoint service notifies applications to start a complete checkpoint. After the initial checkpoint is done, applications checkpoint changes to their data every 120 seconds. NOTE: The switch cannot guarantee that a standby unit has exactly the same data that the stack master has when it fails.
Table 9-1. Applications that Checkpoint Data
Application    Checkpointed Data
SIM            The system's MAC addresses. System up time. IP address, network mask, default gateway on each management interface, DHCPv6 acquired IPv6 address.
Voice VLAN     VoIP phones identified by CDP or DHCP (not LLDP)

Switch Stack MAC Addressing and Stack Design Considerations
The switch stack uses the MAC addresses assigned to the stack master.
NOTE: Each switch is assigned four consecutive MAC addresses.
To prevent a LAG from going down, configure LAGs with members on multiple units within the stack, when possible. If a stack unit fails, the system can continue to forward on the remaining members of the stack. If the switch stack performs VLAN routing, another way to take advantage of NSF is to configure multiple “best paths” to the same destination on different stack members.
in the rear of the switch. The N3100-ON supports a pluggable stacking module in the rear. Stacking on Ethernet ports is not supported. The fixed stacking ports show as TwentygigabitStacking and are abbreviated Tw. NSF is enabled by default. NSF can be disabled to redirect the CPU resources consumed by data checkpointing; however, this is ill-advised, as checkpointing consumes almost no switch resources.
Managing and Monitoring the Stack (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring stacking on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. NOTE: Changes made on the Stacking configuration pages take effect only after the device is reset.
Changing the ID or Switch Type for a Stack Member
To change the switch ID or type:
1 Open the Unit Configuration page.
2 Click Add to display the Add Unit page. For the N30xx series switches, stack size is limited to 8.
Figure 9-3. Add Remote Log Server Settings
3 Specify the switch ID, and select the model number of the switch.
4 Click Apply.

Stack Summary
Use the Stack Summary page to view a summary of switches participating in the stack.

Stack Firmware Synchronization
Use the Stack Firmware Synchronization page to control whether the firmware image on a new stack member can be automatically upgraded or downgraded to match the firmware image of the stack master. To display the Stack Firmware Synchronization page, click System → Stack Management → Stack Firmware Synchronization in the navigation panel. Figure 9-5.

Supported Switches
Use the Supported Switches page to view information regarding each type of supported switch for stacking, and information regarding the supported switches. To display the Supported Switches page, click System → Stack Management → Supported Switches in the navigation panel. Figure 9-6.
Stack Port Summary Use the Stack Port Summary page to configure the stack-port mode and to view information about the stackable ports. This screen displays the unit, the stackable interface, the configured mode of the interface, the running mode as well as the link status and link speed of the stackable port. NOTE: By default the ports are configured to operate as Ethernet ports.
Stack Port Counters
Use the Stack Port Counters page to view the transmitted and received statistics, including data rate and error rate. To display the Stack Port Counters page, click System → Stack Management → Stack Port Counters in the navigation panel.
Figure 9-8. Stack Port Counters

Stack Port Diagnostics
The Stack Port Diagnostics page is intended for Field Application Engineers (FAEs) only.
NSF Summary Use the NSF Summary page to change the administrative status of the NSF feature and to view NSF information. NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. To configure NSF on a stack that uses OSPF or OSPFv3, see "NSF OSPF Configuration" on page 1269 and "NSF OSPFv3 Configuration" on page 1286.
Checkpoint Statistics
Use the Checkpoint Statistics page to view information about checkpoint messages generated by the stack master. To display the Checkpoint Statistics page, click System → Stack Management → Checkpoint Statistics in the navigation panel. Figure 9-10.
Managing the Stack (CLI) This section provides information about the commands for managing the stack and viewing information about the switch stack. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Stack Member, Stack Port, and NSF Settings Use the following commands to configure stacking and NSF settings.
Command            Purpose
member unit SID    Add a switch to the stack and specify the model of the new stack member.
                   • unit - The switch unit ID
                   • SID - The index into the database of the supported switch types, indicating the type of the switch being pre-configured.
                   Note: Member configuration displayed in the running config may be learned from the physical stack. Member configuration is not automatically saved in the startup configuration. Save the configuration to retain the current member settings.

NOTE: The OSPF feature uses NSF to enable the hardware to continue forwarding IPv4 packets using OSPF routes while a backup unit takes over stack master responsibility. Additional NSF commands are available in OSPF and OSPFv3 command modes. For more information, see "NSF OSPF Configuration" on page 1269 and "NSF OSPFv3 Configuration" on page 1286.

Viewing and Clearing Stacking and NSF Information
Use the following commands to view stacking information and to clear NSF statistics.

Connecting to the Management Console from a Stack Member
From the CLI Unavailable prompt, use the following command to connect the console session to the local unit.

Command           Purpose
connect [unit]    Connect the console on the remote unit to the local unit

Stacking and NSF Usage Scenarios
Only a few settings are available to control the stacking configuration, such as the designation of the standby unit or enabling/disabling NSF.
Figure 9-11. Basic Stack Failover When all four units are up and running, the show switch CLI command gives the following output: console#show switch SW Management Status --1 2 3 4 --------Stack Member Stack Member Mgmt Switch Stack Member Standby Status Preconfig PluggedModel ID in Model ID ------- -------- --------Opr Stby N3048 N3048 N3048 N3048 N3048 N3048 N3048 N3048 Switch Code Status Version ------- -------OK 6.0.0.0 OK 6.0.0.0 OK 6.0.0.0 OK 6.0.0.
When the failed unit resumes normal operation, the previous configuration that exists for that unit is reapplied by the stack master. To permanently remove the unit from the stack, enter into Stack Config Mode and use the member command, as the following example shows.
The following is the output on Dell EMC Networking N1500 Series switches:
console#show supported switchtype
SID    Switch Model ID
---    --------------------------------
1      N1524
2      N1524P
3      N1548
4      N1548P
2 Preconfigure the switch (SID = 2) as member number 2 in the stack.
console#configure
console(config)#stack
console(config-stack)#member 2 2
console(config-stack)#exit
console(config)#exit
3 Confirm the stack configuration. Some of the fields have been omitted from the following output due to space limitations.
NSF in the Data Center Figure 9-12 illustrates a data center scenario, where the stack of two Dell EMC Networking N-Series switches acts as an access switch. The access switch is connected to two aggregation switches, AS1 and AS2. The stack has a link from two different units to each aggregation switch, with each pair of links grouped together in a LAG. The two LAGs and link between AS1 and AS2 are members of the same VLAN. Spanning tree is enabled on the VLAN.
NSF and VoIP Figure 9-13 shows how NSF maintains existing voice calls during a stack master failure. Assume the top unit is the stack master. When the stack master fails, the call from phone A is immediately disconnected. The call from phone B continues. On the uplink, the forwarding plane removes the failed LAG member and continues using the remaining LAG member. If phone B has learned VLAN or priority parameters through LLDP-MED, it continues to use those parameters.
NSF and DHCP Snooping Figure 9-14 illustrates a layer-2 access switch running DHCP snooping. DHCP snooping only accepts DHCP server messages on ports configured as trusted ports. DHCP snooping listens to DHCP messages to build a bindings database that lists the IP address the DHCP server has assigned to each host. IP Source Guard (IPSG) uses the bindings database to filter data traffic in hardware based on source IP address and source MAC address.
If a host is in the middle of an exchange with the DHCP server when the failover occurs, the exchange is interrupted while the control plane restarts. When DHCP snooping is enabled, the hardware traps all DHCP packets to the CPU. The control plane drops these packets during the restart. The DHCP client and server retransmit their DHCP messages until the control plane has resumed operation and messages get through. Thus, DHCP snooping does not miss any new bindings during a failover.
Figure 9-15. NSF and a Storage Area Network When the stack master fails, session A drops. The initiator at 10.1.1.10 detects a link down on its primary NIC and attempts to reestablish the session on its backup NIC to a different IP address on the disk array. The hardware forwards the packets to establish this new session, but assuming the session is established before the control plane is restarted on the backup unit, the new session receives no priority treatment in the hardware.
NSF and Routed Access Figure 9-16 shows a stack of three units serving as an access router for a set of hosts. Two LAGs connect the stack to two aggregation routers. Each LAG is a member of a VLAN routing interface. The stack has OSPF and PIM adjacencies with each of the aggregation routers. The top unit in the stack is the stack master. Figure 9-16. NSF and Routed Access If the stack master fails, its link to the aggregation router is removed from the LAG.
JOIN messages upstream. The control plane updates the driver with checkpointed unicast routes. The forwarding plane reconciles layer-3 hardware tables. The OSPF graceful restart finishes, and the control plane deletes any stale unicast routes not relearned at this point. The forwarding plane reconciles layer-3 multicast hardware tables.
10 Authentication, Authorization, and Accounting Dell EMC Networking N-Series Switches This chapter describes how to control access to the switch management interface using authentication and authorization. These services can also be used to restrict or allow network access when used in conjunction with IEEE 802.1x. It also describes how to record this access using accounting. Together the three services are referred to by the acronym AAA.
error, the next method in the list is tried. This continues until all methods in the list have been attempted. If no method can perform the service, then the service fails. A method may return an error due to lack of network access, misconfiguration of a server, and other reasons. If there is no error, the method returns success if the user is allowed access to the service and failure if the user is not.
Methods that never return an error cannot be followed by any other methods in a method list. • The enable method uses the enable password. If there is no enable password defined, then the enable method will return an error. • The ias method is a special method that is only used for 802.1X. It uses an internal database (separate from the local user database) that acts like an 802.1X authentication server. This method never returns an error. It will always pass or deny a user.
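The fall-through rule described above, modelled as an added example (not Dell's code and not from the original guide). It shows that the next method is consulted only when the previous one returns an error, never when it denies the user, and it flags lists in which a never-error method makes later entries unreachable. The backend factories, account names and passwords are hypothetical.

```python
import hmac
from enum import Enum


class Result(Enum):
    SUCCESS = "success"  # method ran; user is allowed access
    FAILURE = "failure"  # method ran; user is denied and evaluation stops
    ERROR = "error"      # method could not run; the next method is tried


# Methods that never return an error. Only "ias" is named as such in the
# text above; extend this set from the method table for the firmware in use.
NEVER_ERRORS = {"ias"}


def validate_method_list(methods):
    """Report entries that can never be reached in a method list."""
    problems = []
    for position, name in enumerate(methods[:-1]):
        if name in NEVER_ERRORS:
            unreachable = ", ".join(methods[position + 1:])
            problems.append(f"{name} never returns an error; unreachable: {unreachable}")
    return problems


def check(stored, supplied):
    """Constant-time credential comparison returning SUCCESS or FAILURE."""
    if stored is None:
        return Result.FAILURE
    ok = hmac.compare_digest(stored.encode(), supplied.encode())
    return Result.SUCCESS if ok else Result.FAILURE


def make_radius(reachable, accounts):
    """Hypothetical RADIUS backend: errors when the server is unreachable."""
    def radius(user, secret):
        if not reachable:
            return Result.ERROR  # e.g. lack of network access
        return check(accounts.get(user), secret)
    return radius


def make_enable(enable_password):
    """Enable method: errors when no enable password is defined."""
    def enable(user, secret):
        if enable_password is None:
            return Result.ERROR
        return check(enable_password, secret)
    return enable


def evaluate(methods, backends, user, secret):
    """Walk the list in order; stop at the first method that does not error."""
    trace = []
    for name in methods:
        result = backends[name](user, secret)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every method returned an error, so the service fails.
    return Result.FAILURE, trace


if __name__ == "__main__":
    accounts = {"alice": "s3cret"}  # constructed sample data
    for reachable in (True, False):
        backends = {
            "radius": make_radius(reachable, accounts),
            "enable": make_enable("en-pass"),
        }
        outcome, trace = evaluate(["radius", "enable"], backends, "alice", "en-pass")
        print(f"RADIUS reachable={reachable}: {outcome.value}",
              [(n, r.value) for n, r in trace])
    print(validate_method_list(["ias", "radius"]))
```

The second run is the case to review when auditing a method list: whenever the first method errors, the fallback credential alone decides access.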
Table 10-2. Default Method Lists (Continued)
AAA Service (type)          List Name          List Methods
Authorization (commands)    dfltCmdAuthList    none
Accounting (exec)           dfltExecList       tacacs (start-stop)
Accounting (commands)       dfltCmdList        tacacs (stop-only)

Access Lines
There are five access lines: console, Telnet, SSH, HTTP, and HTTPS. HTTP and HTTPS are not configured using AAA method lists. Instead, the authentication list for HTTP and HTTPS is configured directly (authorization and accounting are not supported).
This authentication method is not implemented by Dell EMC Networking N-Series switches. Use the Management ACL capability to perform the equivalent function. Public key authentication operates as follows: The administrator first generates a pair of encryption keys, the “public” key and the “private” key. Messages encrypted with the private key can be decrypted only by the public key, and vice-versa. The administrator keeps the private key on his/her local machine, and loads the public key on to the switch.
DSA key generation complete.
console(config)#ip ssh server

Access Lines (AAA)
Table 10-3 shows the method lists assigned to the various access lines by default. Table 10-3.
Authentication Authentication is the process of validating a user's identity. During the authentication process, only identity validation is done. There is no determination made of which switch services the user is allowed to access. This is true even when RADIUS is used for authentication; RADIUS cannot perform separate transactions for authentication and authorization. However, the RADIUS server can provide attributes during the authentication process that are used in the authorization process.
Authentication Manager Overview The Authentication Manager supports the hierarchical configuration of host authentication methods on an interface. Use of the Authentication Manager is optional, but it is recommended when using multiple types of authentication on an interface, e.g., Captive Portal in conjunction with MAB or IEEE 802.1X. Dell switches support the following host authentication methods: • IEEE 802.
By default, Dell switches are configured with a method list that contains the methods (in order) 802.1x, MAB as the default methods for all the ports. Dell switches restrict the configuration such that no method is allowed to follow the Captive Portal method, if configured. The authentication manager controls only the order in which the authentication methods are executed.
authenticated client is removed and the authentication process begins again from the first method in the order. If 802.1X has a lower priority than the authenticated method, then the client is not removed and the 802.1X frames are ignored. If administrator changes the priority of the methods, then all the users who are authenticated using a lower-priority method are forced to reauthenticate.
4 On the interface, enable MAC based authentication mode, enable MAB, and set the order of authentication to 802.1X followed by MAC authentication. Configure the switch to send CHAP attributes to the RADIUS server. Set the format of the User-Name sent to the RADIUS server to XXXX.XXXX.XXXX. Also enable periodic re-authentication. console(config)#mab request format attribute 1 groupsize 4 separator .
console(config)#interface Gi1/0/2
console(config-if-Gi1/0/2)#switchport mode general
console(config-if-Gi1/0/2)#switchport general pvid 3
6 On the interface, configure the port to use MAC based authentication and enable MAB. The authentication manager is configured to only use MAB and the priority is set to MAB.
64 F8B1.562B.A1D9 Authenticated F8B1562BA1D9 Idle 3 console(config-if-Gi1/0/1)#show dot1x clients all Clients Authenticated using Monitor Mode....... Clients Authenticated using Dot1x.............. Interface...................................... User Name...................................... Supp MAC Address............................... Session Time................................... Filter Id...................................... VLAN Assigned..................................
Using RADIUS
The RADIUS client on the switch supports multiple RADIUS servers. When multiple authentication servers are configured, they can help provide redundancy. One server can be designated as the primary and the other(s) will function as backup server(s). The switch attempts to use the primary server first. If the primary server does not respond, the switch attempts to use the backup servers. A priority value can be configured to determine the order in which the backup servers are contacted.
As a user attempts to connect to the switch management interface, the switch first detects the contact and prompts the user for a name and password. The switch encrypts the supplied information, and a RADIUS client transports the request to a pre-configured RADIUS server. Figure 10-1.
Which RADIUS Attributes Does the Switch Support? Table 10-6 lists the RADIUS attributes that the switch supports and indicates whether the 802.1X feature, User Manager feature, or Captive Portal feature supports the attribute. The RADIUS administrator must configure these attributes on the RADIUS server(s) when utilizing the switch RADIUS service. Table 10-6. Supported RADIUS Attributes Type RADIUS Attribute Name 802.
Table 10-6. Supported RADIUS Attributes (Continued) Type RADIUS Attribute Name 802.
RADIUS server state. Transmitted in Access-Request and Accounting-Request messages.
• SERVICE-TYPE The Service-Type attribute may be validated in the Access-Accept packet received from the RADIUS server. Only the Login-User(1) and Administrative-User(6) values are considered valid for Service-Type in the Access-Accept message returned from the RADIUS server.
• SESSION-TIMEOUT Session time-out value for the session (in seconds). Used by both 802.1x and Captive Portal.
Used to indicate the VLAN to be assigned to the user. May be a string which matches a pre-configured VLAN name or a VLAN ID. If a VLAN ID is given, the string must contain only decimal digits. Using TACACS+ Servers to Control Management Access TACACS+ (Terminal Access Controller Access Control System) provides access control for networked devices via one or more centralized servers. TACACS+ simplifies authentication by making use of a single database that can be shared by many clients on a large network.
The TACACS+ server list can be configured with one or more hosts defined via their network IP addresses. Each can be assigned a priority to determine the order in which the TACACS+ client will contact the servers. TACACS+ contacts the server when a connection attempt fails or times out for a higher priority server. Each server host can be configured with a specific connection type, port, timeout, and shared key, or the server hosts can be globally configured with the key and timeout.
Authentication Examples It is important to understand that during authentication, all that happens is that the user is validated. If any attributes are returned from the server, they are not processed during authentication. In the examples below, it is assumed that the default configuration of authorization—that is, no authorization—is used.
7 Set the minimum number of character classes that must be present in the password. The possible character classes are: upper-case, lower-case, numeric and special:
console(config)#passwords strength minimum character-classes 4
8 Enable password strength checking:
console(config)#passwords strength-check
9 Create a user with the name “admin” and password “paSS1&word2”. This user is enabled for privilege level 15.

RADIUS Authentication Example
Use the following configuration to require RADIUS authentication to login over a Telnet connection:
1 Create a login authentication list called “rad” that contains the method radius. If this method returns an error, the user will fail to login:
console#config
console(config)#aaa authentication login "rad" radius
2 Create an enable authentication list called “raden” that contains the method radius.
ACL Using Authentication Manager to Configure MAB with RADIUS Server The following is a relatively complex example of using an ACL to control access to Gi1/0/1, using the Authentication Manager to configure MAB in conjunction with a RADIUS server.
console(config-auth-radius)#name Default-Radius-Server
console(config-auth-radius)#primary
console(config-auth-radius)#usage 802.1x
console(config-auth-radius)#key "dellSecret"
console(config)#exit
10 Configure the management interface and bypass 802.

Combined RADIUS, CoA, MAB and 802.1x Example
The following example configures RADIUS in conjunction with IEEE 802.1X to provide network access to switch clients.
1 Enable 802.1x:
console#config
console(config)#dot1x system-auth-control
2 Configure 802.1x clients to use RADIUS services:
console(config)#aaa authentication dot1x default radius
3 Enable CoA for RADIUS:
console(config)#aaa server radius dynamic-author
4 Configure the remote RADIUS server for COA requests at 10.130.191.
console(config-if-Gi1/0/7)#exit
10 Configure Gi1/0/6 to allow connected hosts access to network resources, regardless of RADIUS configuration. RADIUS CoA disconnect requests are ignored for clients on this port:
console(config)#interface Gi1/0/6
console(config-if-Gi1/0/6)#dot1x port-control force-authorized
console(config-if-Gi1/0/6)#exit
11 Configure Gi1/0/5 to use standard 802.

TACACS+ Authentication Example
Use the following configuration to require TACACS+ authentication when logging in over a Telnet connection:
1 Create a login authentication list called “tacplus” that contains the method tacacs. If this method returns an error, the user will fail to login:
console#config
console(config)#aaa authentication login "tacplus" tacacs
2 Create an enable authentication list called “tacp” that contains the method tacacs.
NOTE: Dell EMC Networking TACACS supports setting the maximum user privilege level in the authorization response. Configure the TACACS server to send priv-lvl= X, where X is either 1 (Non-privileged mode), or 15 (Privileged mode).

Public Key SSH Authentication Example
The following is an example of a public key configuration for SSH login. Using a tool such as PuTTY and a private/public key infrastructure, one can enable secure login to the Dell EMC Networking N-Series switch without a password.
5 Enter the public key obtained from a key authority or from a tool such as PuTTYgen. This command is entered as a single line, not as multiple lines as it appears in the following text.
SSH HTTPS HTTP DOT1X defaultList enableList :local :local : PUTTY Configuration Main Screen On the following screen, the IP address of the switch is configured and SSH is selected as the secure login protocol.
On the next screen, PuTTY is configured to use SSH-2 only. This is an optional step that accelerates the login process.
The following screen is the key to the configuration. It is set to display the authentication banner, disable authentication with Pageant, disable keyboard-interactive authentication (unless desired), disable attempted changes of user name, and select the private key file used to authenticate with the switch.
The following screen configures the user name to be sent to the switch. A user name is always required. Alternatively, leave Auto-login name blank and the system will prompt for a user name.
After configuring PuTTY, be sure to save the configuration. The following screen shows the result of the login process. The user name is entered automatically and the switch confirms that public key authentication occurs.

Authenticating with a Public Key from Linux
The following example configures the switch to allow administrative access without a password for Linux users with correctly configured SSH clients. Dell EMC Networking SSH is configured to require a password on administrator accounts.
Substitute the login ID of the switch administrator for the User admin parameter above, and set the correct path to your account for the IdentityFile parameter.
Also, ensure that the private key ~/.ssh/id_rsa is not readable by others by executing the chmod 0600 ~/.ssh/id_rsa command in Linux. Authentication will fail if the file is readable by others. The command string to log into the switch (substituting the correct IP address) from a Linux account is:
ssh -2 -i ~/.ssh/id_rsa -F ~/.ssh/ssh_config 10.27.21.70

Authenticating Without a Public Key

When authenticating without the public key, the switch prompts for the user name and password.
console#config
console(config)#username mylogin password XXXXXXXX privilege 15
2 Enter the externally generated key:
console(config)#crypto key pubkey-chain ssh
3 Associate the key with the newly added user login:
console(config-pubkey-chain)#user-key mylogin dsa
4 Add the externally generated key. All of the key information is entered between double quotes.
Authorization

Authorization is used to determine which services the user is allowed to access. For example, the authorization process may assign a user’s privilege level, which determines the set of commands the user can execute. There are three kinds of authorization: commands, exec, and network.
• Commands: Command authorization determines which CLI commands the user is authorized to execute.
Administrative Profiles

The Administrative Profiles feature allows the network administrator to define a list of rules that control the CLI commands available to a user. These rules are collected in a “profile.” The rules in a profile can define the set of commands, or a command mode, to which a user is permitted or denied access. Within a profile, rule numbers determine the order in which the rules are applied.
Table 10-9. Default Administrative Profiles

Name
    Description

network-admin
    Allows access to all commands.
network-security
    Allows access to network security features such as 802.1X, Voice VLAN, Dynamic ARP Inspection and IP Source Guard.
router-admin
    Allows access to Layer 3 features such as IPv4 Routing, IPv6 Routing, OSPF, RIP, etc.
multicast-admin
    Allows access to multicast features at all layers, this includes L2, IPv4 and IPv6 multicast, IGMP, IGMP Snooping, etc.
With the users that were previously configured, the guest user will still log into user Exec mode, since the guest user only has privilege level 1 (the default). The admin user will be able to log in directly to Privileged Exec mode since his privilege level was configured as 15.
The RADIUS server should be configured such that it will send the Cisco AV Pair attribute with the “roles” value. For example:
shell:roles=router-admin
The above example attribute gives the user access to the commands permitted by the router-admin profile.

RADIUS Change of Authorization

Dell EMC Networking N-Series switches support the Change of Authorization Disconnect-Request per RFC 3576. The Dell EMC Networking N-Series switch listens for the Disconnect-Request on UDP port 3799.
The administrator can configure whether all or any of the session attributes are used to identify a client session. If all is configured, all session identification attributes included in the CoA Disconnect-Request must match a session or the device returns a Disconnect-NAK or CoA-NAK with the “Invalid Attribute Value” Error-Cause attribute. All attributes in the Disconnect-Request are treated as mandatory attributes. Unsupported attributes generate a Disconnect-NAK with Error-Cause Unsupported Service.
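The Disconnect-Request handling described above, as an added Python example (not Dell EMC code): it checks the RFC 3576 Request Authenticator against the shared secret, then applies all-versus-any session matching and builds the ACK or NAK reply. Assumptions: the set of supported session attributes, the session table, the Missing-Attribute reply for a request with no attributes, and the NAK sent when nothing matches under any; the shared secret is the one used in the page's configuration example.

```python
import hashlib
import hmac
import struct

# Codes and attribute types from RFC 3576 (updated by RFC 5176).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 31, 44, 101
MISSING_ATTRIBUTE, UNSUPPORTED_SERVICE, INVALID_ATTRIBUTE_VALUE = 402, 405, 407
# Assumption: the session-identification attributes this sketch understands.
SESSION_KEYS = {USER_NAME, CALLING_STATION_ID, ACCT_SESSION_ID}


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS type-length-value fields."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Decode RADIUS attributes, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_packet(code, ident, attrs, secret, request_auth=bytes(16)):
    """Build a packet whose authenticator is MD5(header + auth + attrs + secret).

    For a request the 16 authenticator octets are zero while hashing; for a
    reply they are the Request Authenticator of the packet being answered.
    """
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    digest = hashlib.md5(header + request_auth + body + secret).digest()
    return header + digest + body


def authenticator_ok(packet, secret, request_auth=bytes(16)):
    """Recompute the authenticator and compare in constant time."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def error_cause(reply):
    """Return the Error-Cause value carried in a reply, or None."""
    for t, v in parse_attrs(reply[20:]):
        if t == ERROR_CAUSE:
            return struct.unpack("!I", v)[0]
    return None


def handle_disconnect_request(packet, secret, sessions, auth_type="all"):
    """Return (reply_bytes_or_None, sessions_to_disconnect)."""
    if not authenticator_ok(packet, secret) or packet[0] != DISCONNECT_REQUEST:
        return None, []  # bad authenticator or not a Disconnect-Request: drop
    ident, req_auth = packet[1], packet[4:20]
    length = struct.unpack("!H", packet[2:4])[0]

    def reply(code, cause=None):
        attrs = [] if cause is None else [(ERROR_CAUSE, struct.pack("!I", cause))]
        return build_packet(code, ident, attrs, secret, req_auth)

    try:
        attrs = parse_attrs(packet[20:length])
    except ValueError:
        return None, []
    if any(t not in SESSION_KEYS for t, _ in attrs):
        return reply(DISCONNECT_NAK, UNSUPPORTED_SERVICE), []
    if not attrs:
        return reply(DISCONNECT_NAK, MISSING_ATTRIBUTE), []  # assumption
    combine = all if auth_type == "all" else any
    matched = [s for s in sessions if combine(s.get(t) == v for t, v in attrs)]
    if not matched:
        # The page gives this error for auth-type all; assumed here for any too.
        return reply(DISCONNECT_NAK, INVALID_ATTRIBUTE_VALUE), []
    return reply(DISCONNECT_ACK), matched


# Constructed sample data: the shared secret is the one from the page's
# example; the session table and attribute values are invented.
SECRET = b"secret sauce"
SESSIONS = [
    {USER_NAME: b"alice", CALLING_STATION_ID: b"00-11-22-33-44-55", ACCT_SESSION_ID: b"0000002A"},
    {USER_NAME: b"bob", CALLING_STATION_ID: b"00-11-22-33-44-66", ACCT_SESSION_ID: b"0000002B"},
]


def demo():
    """Same request (alice's name, bob's MAC) under both auth-type settings."""
    req = build_packet(DISCONNECT_REQUEST, 7,
                       [(USER_NAME, b"alice"), (CALLING_STATION_ID, b"00-11-22-33-44-66")], SECRET)
    return {mode: handle_disconnect_request(req, SECRET, SESSIONS, mode) for mode in ("all", "any")}


if __name__ == "__main__":
    for mode, (rep, dropped) in demo().items():
        print(mode, rep[0], error_cause(rep), [s[USER_NAME] for s in dropped])
```

With the constructed request, all returns a NAK because no single session carries both values, while any acknowledges and selects two different sessions, which is why all is the stricter setting for session identification.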
3 Configure a local RADIUS client connection to RADIUS server 10.11.12.13 using the shared secret “secret sauce”. The default port number is used.
console(config-radius-da)#client 10.11.12.13 server-key "secret sauce"
4 Disconnect-request client identification must match on all keys.
console(config-radius-da)#auth-type all
console(config-radius-da)#exit

RADIUS COA Example with Telnet and SSH

The following example configures telnet and SSH clients in conjunction with RADIUS CoA.
7 Configure telnet sessions to the switch to use RADIUS authentication (the only login-list method):
console(config)#line telnet
console(config-telnet)#login authentication login-list
console(config-telnet)#exit
8 Configure SSH sessions to the switch to use RADIUS authentication:
console(config)#line ssh
console(config-ssh)#login authentication login-list
console(config-ssh)#exit
9 Enable the SSH server (the telnet server is enabled by default):
console(config)#ip ssh server
TACACS Authorization

TACACS+ Authorization Example—Direct Login to Privileged Exec Mode

Apply the following configuration to use TACACS+ for authorization, such that a user can enter Privileged Exec mode directly:
1 Create an exec authorization method list called “tacex” which contains the method tacacs.
console#config
console(config)#aaa authorization exec "tacex" tacacs
2 Assign the tacex exec authorization method list to be used for users accessing the switch via Telnet.
The above example attribute will give the user access to the commands permitted by the router-admin profile.
NOTE: If the priv-lvl attribute is also supplied, the user can also be placed directly into Privileged Exec mode.

TACACS+ Authorization Example—Custom Administrative Profile

This example creates a custom profile that allows the user to control user access to the switch by configuring an administrative profile that only allows access to AAA-related commands.
console(admin-profile)#rule 88 permit command "^password .*"
console(admin-profile)#rule 87 permit command "^username .*"
console(admin-profile)#rule 86 permit command "^show user.*"
console(admin-profile)#rule 85 permit command "^radius server .*"
console(admin-profile)#rule 84 permit command "^tacacs-server .*"
3 Enter rule number permit mode mode-name commands to allow all commands in the named mode.
TACACS+ Authorization Example—Per-command Authorization

An alternative method for command authorization is to use the TACACS+ feature of per-command authorization. With this feature, every time the user enters a command, a request is sent to the TACACS+ server to ask if the user is permitted to execute that command. Exec authorization does not need to be configured to use per-command authorization.
Accounting

Accounting is used to record security events, such as a user logging in or executing a command. Accounting records may be sent upon completion of an event (stop-only) or at both the beginning and end of an event (start-stop). There are three types of accounting: commands, Dot1x, and exec.
• Commands—Sends accounting records for command execution.
• Dot1x—Sends accounting records for network access.
• Exec—Sends accounting records for management access (logins).
• Acct-Session-Time (46)
• Acct-Input-Octets (42)
• Acct-Output-Octets (43)
• Acct-Input-Gigawords (52)
• Acct-Output-Gigawords (53)
Certain of the attributes above are sent only if received from the RADIUS server during the Access Request process, e.g., Class or State. The following attributes are sent in the Accounting Start record sent to the RADIUS server when the switch is configured for 802.
IEEE 802.1X

What is IEEE 802.1X?

The IEEE 802.1X standard provides a means of preventing unauthorized access by supplicants (clients) to the services the switch offers, such as access to the LAN. The 802.1X network has three components:
• Supplicant — The client connected to the authenticated port that requests access to the network.
• Authenticator — The network device that prevents network access prior to authentication.
As shown in Figure 10-3, the Dell EMC Networking switch is the authenticator and ensures that the supplicant (a PC) that is attached to an 802.1X-controlled port is authenticated by an authentication server (a RADIUS server). The result of the authentication process determines whether the supplicant is authorized to access network services on that controlled port. Dell EMC Networking N-Series switches support 802.1X authentication using remote RADIUS or using a local authentication service (IAS).
are attached to a port configured in auto mode, they will all be allowed access to network resources as soon as any 802.1X-aware device on the port authenticates. In addition to force-authorized, force-unauthorized, and auto modes, the 802.1X mode of a port can be MAC based, as the following section describes.
NOTE: Only MAC-Based and Auto modes use 802.1X to authenticate. Force-authorized and Force-unauthorized modes are manual overrides.

What is MAC-Based 802.
• Considers the client to be an 802.1X-unaware client (if it does not receive an EAP response packet from that client)
The authenticator sends a request to the authentication server with the MAC address of the client in a hexadecimal format as the username and the MD5 hash of the MAC address as the password. The authentication server checks its database for the authorized MAC addresses and returns an Access-Accept or an Access-Reject response, depending on whether the MAC address is found in the database.
3 - CHAP-Password - = Encrypted MAC address (CHAP) only or unencrypted (PAP) User Name
4 - NAS-IP-Address — IP address of the switch
5 - NAS-Port — switch internal port number (ifIndex)
6 - Service Type is set to 10 for MAB (Call-Check)
12 - Framed-MTU - port/switch MTU - header length (e.g.
Authenticated VLANs

Hosts that authenticate normally use a VLAN that includes access to network resources. This VLAN may be assigned by the RADIUS server. Hosts that fail authentication might be denied access to the network or placed into an unauthenticated VLAN. Hosts that do not attempt authentication may be placed into a guest VLAN. The network administrator can configure the type of access provided to the authenticated, guest, and unauthenticated VLANs.
without much additional configuration required on the switches in the network. Dynamic VLAN assignment requires that the port be configured in general or access mode.

Unauthenticated VLAN

The network administrator may choose to configure an unauthenticated VLAN. Hosts that attempt authentication and fail are placed in the unauthenticated VLAN.
When the guest VLAN capability is disabled, users authorized by the guest VLAN are removed from the VLAN and denied network access.

What is Monitor Mode?

The monitor mode is a special mode that can be enabled in conjunction with 802.1X authentication. Monitor mode provides a way for network administrators to identify possible issues with the 802.1X configuration on the switch without affecting the network access to the users of the switch.
Table 10-11. IEEE 802.
How Does the Authentication Server Assign DiffServ Policy?

The Dell EMC Networking N-Series switches allow the external 802.1X Authenticator or RADIUS server to assign DiffServ policies to users that authenticate to the switch. When a host (supplicant) attempts to connect to the network through a port, the switch contacts the 802.1X authenticator or RADIUS server, which then provides information to the switch about which DiffServ policy to assign the host (supplicant).
Table 10-12. Default Port-Based Security Values Feature Description Per-port 802.
N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

Dot1x Authentication

Use the Dot1x Authentication page to configure the 802.1X administrative mode on the switch and to configure general 802.1X parameters for a port. To display the Dot1x Authentication page, click Switching Network Security Dot1x Authentication Authentication in the navigation panel.
Figure 10-4.
Figure 10-5. Configure Dot1x Settings
5 Click Apply.
To reauthenticate a port:
1 Open the Dot1x Authentication page.
2 Click Show All. The Dot1x Authentication Table displays.
3 Check Edit to select the Unit/Port to re-authenticate.
4 Check Re-authenticate Now.
5 Click Apply. The authentication process is restarted on the specified port.
To reauthenticate multiple ports:
1 Open the Dot1x Authentication page.
2 Click Show All. The Dot1x Authentication Table displays.
To change the administrative port control:
1 Open the Dot1x Authentication page.
2 Click Show All. The Dot1x Authentication Table displays.
3 Scroll to the right side of the table and select the Edit check box for each port to configure. Change Admin Interface Control to Authorized, Unauthorized, MAC-based, or Automode as needed for chosen ports. Only MAC-based and Automode actually use 802.1X to authenticate. Authorized and Unauthorized are manual overrides.
4 Click Apply.
NOTE: The VLAN Assignment Mode field is the same as the Admin Mode field on the System Management Security Authorization Network RADIUS page.
To display the Port Access Control Configuration page, click Switching Network Security Dot1x Authentication Monitor Mode Port Access Control Configuration in the navigation panel.
Figure 10-7. Port Access Control Configuration

Port Access Control History Log

Use the Port Access Control History Log page to view log messages about 802.
Internal Authentication Server Users Configuration

Use the Internal Authentication Server Users Configuration page to add users to the local IAS database and to view the database entries. To display the Internal Authentication Server Users Configuration page, click System Management Security Internal Authentication Server Users Configuration in the navigation panel.
Figure 10-9.
4 Click Apply.
To view the Internal Authentication Server Users Table page, click Show All.
To delete an IAS user:
1 Open the Internal Authentication Server Users Configuration page.
2 From the User menu, select the user to remove.
3 Select the Remove check box.
Figure 10-11. Removing an IAS User
4 Click Apply.

Configuring IEEE 802.1X (CLI)

This section provides information about commands you use to configure 802.1X and Port Security settings.
Command
    Purpose

aaa authentication dot1x default method1
    Specify the authentication method to use to authenticate 802.1X clients that connect to the switch.
    method1—The method keyword can be radius, none, or ias.
dot1x system-auth-control
    Globally enable 802.1X authentication on the switch.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Command
    Purpose

dot1x port-control {force-authorized | force-unauthorized | auto | mac-based}
    Specify the 802.1X mode for the port.
    NOTE: For standard 802.1X implementations in which one client is connected to one port, use the dot1x port-control auto command to enable 802.1X authentication on the port.
    • auto — Enables 802.1X authentication on the interface and causes the port to transition to the authorized or unauthorized state based on the 802.
NOTE: To enable 802.1X Monitor Mode to help troubleshoot authentication issues, use the dot1x system-auth-control monitor command in Global Configuration mode. To view 802.1X authentication events and information, use the show dot1x authentication-history {interface | all} [failed-auth-only] [detail] command. To clear the history, use the clear dot1x authentication-history command in Privileged Exec mode.

Configuring Additional 802.1X Interface Settings

Use the following commands to configure 802.
Command
    Purpose

dot1x max-req count
    Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-request frame (assuming that no response is received) other than Request-Identity to the client before restarting the authentication process.
dot1x max-reauth-req count
    Set the maximum number of times that the switch sends an Extensible Authentication Protocol (EAP)-Request Identity frame to the client with no response before restarting the authentication process.
Command
    Purpose

dot1x dynamic-vlan enable
    If the RADIUS assigned VLAN does not exist on the switch, allow the switch to dynamically create the assigned VLAN.
interface interface
    Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command.
Configuring Internal Authentication Server Users

Use the following commands to add users to the IAS database and to use the database for 802.1X authentication.

Command
    Purpose

configure
    Enter Global Configuration mode.
aaa ias-user username user
    Add a user to the IAS user database. This command also changes the mode to the IAS User Config mode.
password password [encrypted]
    Configure the password associated with the user.
CTRL + Z
    Exit to Privileged Exec mode.
The switch uses an authentication server with an IP address of 10.10.10.10 to authenticate clients. Port 7 is connected to a printer in the unsecured area. The printer is an 802.1X-unaware client, so Port 7 is configured to use MAC-based authentication with MAB.
NOTE: The printer requires an entry in the client database that uses the printer MAC address as the username.
An IP phone is directly connected to Port 8, and a PC is connected to the IP phone.
Figure 10-12. 802.1X Example [diagram labels: Physically Unsecured Devices, Clients (Ports 1 and 3), Physically Secured Devices, Authentication Server (RADIUS), Dell EMC Networking N-Series switch, Clients (Port 8), Printer (Port 7), LAN Uplink (Port 24), LAN Server (Port 9)]

The following example shows how to configure the example shown in Figure 10-12.
1 Configure the RADIUS server IP address and a global shared secret (secret).
console#configure
console(config)#radius server auth 10.10.10.
console(config-if)#dot1x port-control force-authorized
console(config-if)#exit
4 Configure Port 7 to require MAC-based authentication with MAB. By default, EAP-MD5 authentication is used.
console(config)#interface gi1/0/7
console(config-if-Gi1/0/7)#dot1x port-control mac-based
console(config-if-Gi1/0/7)#mab
5 Configure the port in access mode (default setting).
Filter Id......................................
VLAN Assigned.................................. 1 (Default)

Interface...................................... Gi1/0/7
User Name...................................... 0006.6B33.06BA
Supp MAC Address............................... 0006.6B33.06BA
Session Time................................... 826
Filter Id......................................
VLAN Assigned.................................. 1 (Default)

9 View a summary of the port status.
10 View 802.1X information about Port 8.
console#show dot1x interface Gi1/0/8
Administrative Mode............... Enabled
Dynamic VLAN Creation Mode........ Enabled
VLAN Assignment Mode.............. Disabled
Monitor Mode...................... Disabled

Port     Admin             Oper          Reauth    Reauth
         Mode              Mode          Control   Period
-------  ----------------  ------------  --------  ----------
Gi1/0/8  mac-based         Authorized    FALSE     3600

Quiet Period...................................
Transmit Period................................
VLAN ID   VLAN Name      VLAN Purpose
200       Unauthorized   Data traffic from clients that fail the authentication with the RADIUS server
300       Guest          Data traffic from clients that do not attempt to authenticate with the RADIUS server

NOTE: Dynamic VLAN creation applies only to authorized ports. The VLANs for unauthorized and guest users must be configured on the switch and cannot be dynamically created based on RADIUS-based VLAN assignment.
To configure the switch:
1 Create the VLANs and configure the VLAN names.
console(config)#vlan 100
console(config-vlan100)#name Authorized
console(config-vlan100)#exit
console(config)#vlan 200
console(config-vlan200)#name Unauthorized
console(config-vlan200)#exit
console(config)#vlan 300
console(config-vlan300)#name Guest
console(config-vlan300)#exit
2 Configure information about the external RADIUS server the switch uses to authenticate clients. The RADIUS server IP address is 10.10.10.
8 Enable periodic reauthentication of the client on the ports and set the number of seconds to wait between reauthentication attempts to 300 seconds. Reauthentication is enabled to increase security. If the client information is removed from the RADIUS server after it has been authenticated, the client will be denied access when it attempts to reauthenticate.
In this example, Ports 1–23 are configured as downlink, or access, ports, and Port 24 is the trunk port. As a trunk port, Port 24 is automatically added as a member to all VLANs that are statically or dynamically configured on the switch. However, the network administrator in this example has determined that traffic in VLANs 1000–2000 should not be forwarded on the trunk port, even if the RADIUS server assigns a connected host to a VLAN in this range, and the switch dynamically creates the VLAN.
console(config-if)#switchport mode access
console(config-if)#dot1x port-control auto
console(config-if)#exit
8 Enter Interface Configuration mode for port 24, the uplink (trunk) port.
console(config)#interface Gi1/0/24
9 Disable 802.1X authentication on the interface. This causes the port to transition to the authorized state without any authentication exchange required. This port does not connect to any end-users, so there is no need for 802.1X-based authentication.
• The DiffServ policy specified in the attribute must already be configured on the switch, and the policy names must be identical.
For information about configuring a DiffServ policy, see "DiffServ Configuration Examples" on page 1533. The example "Providing Subnets Equal Access to External Network" on page 1533 describes how to configure a policy named internet_access.
2 Configure the DiffServ traffic class that matches HTTP traffic.
console(config)#class-map match-all cl-http
console(config-classmap)#match dstl4port 80
console(config-classmap)#exit
3 Configure the DiffServ policy.
Captive Portal

This section describes how to configure the Captive Portal feature. The topics covered in this section include:
• Captive Portal Overview
• Default Captive Portal Behavior and Settings
• Configuring Captive Portal (Web)
• Configuring Captive Portal (CLI)
• IEEE 802.1X Configuration Examples

Captive Portal Overview

A Captive Portal (CP) helps manage or restrict network access.
Figure 10-13. Connecting to the Captive Portal [diagram labels: DHCP Server, Switch with Captive Portal, DNS Server, RADIUS Server (Optional), Captive Portal User (Host), Default Captive Portal Welcome Screen (Displays in Captive Portal User’s Browser)]

The CP feature blocks hosts connected to the switch from most network access until user verification has been established. Access to 802.1X, DHCP, ARP, NetBIOS, and DNS services is allowed.
Is Captive Portal Dependent on Any Other Feature?

If security procedures require RADIUS authentication, the administrator must configure the RADIUS server information on the switch (see "Using RADIUS" on page 282). The RADIUS administrator must also configure the RADIUS attributes for CP users on the RADIUS server. For information about the RADIUS attributes to configure, see Table 10-15.
the network. If traps are enabled, the switch also writes a message to the trap log when the event occurs. To enable the CP traps, see "Configuring SNMP Notifications (Traps and Informs)" on page 501.

What Factors Should Be Considered When Designing and Configuring a Captive Portal?

Before enabling the CP feature, decide what type (or types) of authentication will be supported.
Figure 10-14. Customized Captive Portal Welcome Screen

How Does Captive Portal Work?

When a port is enabled for CP, all the traffic coming onto the port from the unverified clients is dropped except for the ARP, DHCP, NetBIOS, and DNS packets. These packets are forwarded by the switch so that the unverified clients can get an IP address and are able to resolve host or domain names.
• Logout Page — If the user logout mode is enabled, this page displays in a pop-up window after the user successfully authenticates. This window contains the logout button.
• Logout Success Page — If the user logout mode is enabled, this page displays after a user clicks the logout button and successfully deauthenticates.

Understanding User Logout Mode

The User Logout Mode feature allows a user who successfully authenticates to the network through the CP to explicitly deauthenticate from the network.
Captive Portal and DNS

CP allows unauthenticated users access to DNS services on TCP and UDP destination port 53. CP inspects all DNS traffic to ensure that it conforms with the DNS protocol (RFC 1035/1996). CP checks the format of DNS messages and discards packets that do not conform to the minimum standards.
Table 10-13. Captive Portal Status Values (Continued)

RADIUS_WIP
    Description: Indicates that RADIUS validation is in progress.
    Browser Action: The browser action is the same as for the WIP status.
Success
    Description: Indicates that authentication is a success.
    Browser Action: Displays either the customized welcome page or an external URL.
Denied
    Description: Indicates that the user has failed to enter credentials that match the expected configuration.
Default Captive Portal Behavior and Settings

CP is disabled by default. If you enable CP, no interfaces are associated with the default CP. After you associate an interface with the CP and globally enable the CP feature, a user who connects to the switch through that interface is presented with the CP Welcome screen shown in Figure 10-15.
Figure 10-15.
Table 10-14. Default Captive Portal Values

Feature                     Value
Configured Captive Portals  1
Captive Portal Name         Default
Protocol Mode               HTTP
Verification Mode           Guest
URL Redirect Mode           Off
User Group                  1-Default
Session Timeout             86400 seconds
Local Users                 None configured
Interface associations      None
Interface status            Not blocked

If the CP is blocked, users cannot gain access to the network through the CP.
Configuring Captive Portal (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring CP settings on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Figure 10-17. Captive Portal Configuration
From the Captive Portal Configuration page, click Add to create a new CP instance.
Figure 10-18. Add Captive Portal Configuration
From the Captive Portal Configuration page, click Summary to view summary information about the CP instances configured on the switch.
Figure 10-19. Captive Portal Summary

Customizing a Captive Portal

The procedures in this section customize the pages that the user sees when he or she attempts to connect to (and log off of) a network through the CP. These procedures configure the English version of the Default Captive Portal.
To configure the switch:
1 From the Captive Portal Configuration page click the (English) tab. The settings for the Authentication Page display, and the links to the CP customization appear.
3 Make sure Download is selected in the Available Images menu, and click Browse.
4 Browse to the directory where the image to be downloaded is located and select the image.
5 Click Apply to download the selected file to the switch.
6 To customize the Authentication Page, which is the page that a user sees upon attempting to connect to the network, click the Authentication Page link.
Figure 10-21. Captive Portal Authentication Page
7 Select the branding image to use and customize other page components such as the font for all text the page displays, the page title, and the acceptance use policy.
8 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear.
9 Click the Logout Page link to configure the page that contains the logout window.
NOTE: The Logout Page settings can be configured only if the User Logout Mode is selected on the Configuration page. The User Logout Mode allows an authenticated client to deauthenticate from the network.
Figure 10-22. Captive Portal Logout Page
10 Customize the look and feel of the Logout Page, such as the page title and logout instructions.
13 Customize the look and feel of the Logout Page, such as the background image and successful logout message.
14 Click Apply to save the settings to the running configuration or click Preview to view what the user will see. To return to the default views, click Clear.

Local User

A portal can be configured to accommodate guest users and authorized users. Guest users do not have assigned user names and passwords.
Figure 10-24. Local User Configuration
From the Local User page, click Add to add a new user to the local database.
Figure 10-25. Add Local User
From the Local User page, click Show All to view summary information about the local users configured in the local database.
Figure 10-26.
To delete a configured user from the database, select the Remove check box associated with the user and click Apply.

Configuring Users in a Remote RADIUS Server

A remote RADIUS server client authorization can be used. All users must be added to the RADIUS server. The local database does not share any information with the remote RADIUS database. Table 10-15 indicates the RADIUS attributes you use to configure authorized CP clients.
User Group

Local Users can be assigned to User Groups. If the Verification Mode is Local or RADIUS, a User Group is assigned to a CP Configuration. All users who belong to the group are permitted to access the network through this portal. The User Group list is the same for all CP configurations on the switch. To display the User Group page, click System Captive Portal User Group.
Figure 10-27. User Group
From the User Group page, click Add to configure a new user group.
Figure 10-28.
Figure 10-29. Captive Portal User Group Summary
To delete a configured group, select the Remove check box associated with the group and click Apply.

Interface Association

Using the Interface Association page, a configured CP can be associated with specific interfaces. The CP feature only runs on the interfaces that you specify. A CP can have multiple interfaces associated with it, but an interface can be associated to only one CP at a time.
NOTE: When you associate an interface with a CP, the interface is disabled in the Interface List. Each interface can be associated with only one CP at a time.

Captive Portal Global Status

The Captive Portal Global Status page contains a variety of information about the CP feature, including information about the CP activity and interfaces. To display the Global Status page, click System Captive Portal Status Global Status.
Figure 10-31.
Figure 10-32. Captive Portal Activation and Activity Status
NOTE: Use the Block and Unblock buttons to control the blocked status. If the CP is blocked, users cannot gain access to the network through the CP. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.

Interface Activation Status

The Interface Activation Status page shows information for every interface assigned to a CP instance.
Interface Capability Status

The Interface Capability Status page contains information about interfaces that can have CPs associated with them. The page also contains status information for various capabilities. Specifically, this page indicates what services are provided through the CP to clients connected on this interface. The list of services is determined by the interface capabilities.
Figure 10-35. Client Summary
To force the CP to disconnect an authenticated client, select the Remove check box next to the client MAC address and click Apply. To disconnect all clients from all CPs, click Delete All.

Client Detail

The Client page shows detailed information about each client connected to the network through a CP. To display the Client page, click System Captive Portal Client Connection Status Client.
Figure 10-36.
Figure 10-37. Interface - Client Status

Captive Portal Client Status

Use the Client Status page to view clients that are authenticated to a specific CP configuration. To display the Client Status page, click System Captive Portal Client Connection Status Client Status.
Figure 10-38.
Configuring Captive Portal (CLI)
This section provides information about the commands you use to create and configure Captive Portal (CP) settings. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global Captive Portal Settings
Use the following commands to configure global CP settings.
Command    Purpose
configure  Enter global configuration mode.
Command                       Purpose
CTRL + Z                      Exit to Privileged Exec mode.
show captive-portal [status]  View the CP administrative and operational status. Use the status keyword to view additional global CP information and summary information about all configured CP instances.
Creating and Configuring a Captive Portal
Use the following commands to create a CP instance and configure its settings.
Command         Purpose
configure       Enter global configuration mode.
captive-portal  Enter Captive Portal mode.
Command      Purpose
user-logout  (Optional) Enable user logout mode to allow an authenticated client to deauthenticate from the network. If this option is clear or the user does not specifically request logout, the client connection status remains authenticated until the CP deauthenticates the user, for example by reaching the idle timeout or session timeout values.
Command   Purpose
block     (Optional) Block all traffic for a CP configuration. If the CP is blocked, users cannot gain access to the network through the CP. Use this function to temporarily protect the network during unexpected events, such as denial of service attacks.
CTRL + Z  Exit to Privileged Exec mode.
show captive-portal configuration cp-id [status | interface]  View summary information about a CP instance.
• cp-id — The CP instance (Range: 1–10).
Command  Purpose
user group group-id [name name]  Configure a group. Each CP that requires authentication has a group associated with it. Only the users who are members of that group can be authenticated if they connect to the CP.
• group-id — Group ID (Range: 1–10).
• name — Group name (Range: 1–32 characters).
user user-id name name  Create a new user for the local user authentication database.
• user-id — User ID (Range: 1–128).
• name — user name (Range: 1–32 characters).
Command                     Purpose
clear captive portal users  (Optional) Delete all CP user entries from the local database.
Managing Captive Portal Clients
Use the following commands to view and manage clients that are connected to a CP.
Command  Purpose
show captive-portal configuration [cp-id] client status  Display information about the clients authenticated to all CP configurations or to a specific configuration.
cp-id — The CP instance (Range: 1–10).
Captive Portal Configuration Example
The manager of a resort and conference center needs to provide wired Internet access to each guest room at the resort and in each conference room. Due to legal reasons, visitors and guests must agree to the resort’s acceptable use policy to gain network access. Additionally, network access from the conference rooms must be authenticated. The person who rents the conference room space receives a list of username and password combinations upon arrival.
1. If a RADIUS server is selected for authentication, configure the RADIUS server settings on the switch.
2. If authentication is required, configure the user groups to associate with each CP.
3. Create (add) the CPs.
4. Configure the CP settings for each CP, such as the verification mode.
5. Associate interfaces with the CP instances.
6. Download the branding images, such as the company logo, to the switch.
Detailed Configuration Procedures
Use the following steps to perform the CP configuration:
1. Configure the RADIUS server information on the switch. In this example, the RADIUS server IP address is 192.168.2.188, and the RADIUS server name is luxury-radius.
console#configure
console(config)#radius server 192.168.12.182
console(config-auth-radius)#name luxury-radius
console(config-auth-radius)#exit
2. Configure the CP groups.
console(config-CP 4)#interface te1/0/18
...
console(config-CP 4)#interface te1/0/40
console(config-CP 4)#exit
6. Use the web interface to customize the CP pages that are presented to users when they attempt to connect to the network.
NOTE: CP page customization is supported only through the web interface. For information about customizing the CP pages, see "Customizing a Captive Portal" on page 368.
7. Add the Conference users to the local database.
In Case Of Problems in Captive Portal Deployment When configuring captive portal, many administrators will find that the web browsers or hosts are not able to reach the captive portal web page. This is most often due to network issues as opposed to issues with the captive portal service. When deploying captive portal, first ensure that web clients on the internal network can reach the external network by disabling captive portal entirely and verifying connectivity.
11 Monitoring and Logging System Information
Dell EMC Networking N-Series Switches
This chapter provides information about the features used for monitoring the switch, including logging, cable tests, and email alerting.
Why Is System Information Needed?
The information the switch provides can help the switch administrator troubleshoot issues that might be affecting system performance. The cable diagnostics tests help the administrator troubleshoot problems with the physical connections to the switch. Auditing access to the switch and the activities an administrator performed while managing the switch can help provide security and accountability.
What Are the Severity Levels?
The severity of the messages to be logged for each local or remote log file can be specified. Each severity level is identified by a name and a number. Table 11-1 provides information about the severity levels.
Table 11-1. Log Message Severity
Severity Keyword  Severity Level  Description
emergencies       0               The switch is unusable.
alerts            1               Action must be taken immediately.
critical          2               The switch is experiencing critical conditions.
To view the log messages in the system startup and operational log files, the log files must be downloaded to an administrative host. The startup log files are named slogX.txt and the operation log files are named ologX.txt. When enabled, the system stores the startup and operation log files for the last three switch boots.
• Timestamp—This is the system up time. For systems that use SNTP, this is UTC. When time zones are enabled, local time will be used.
• Host IP address or Host Name—This is the IP address of the local system, if known.
• Stack Member—This is the assigned stack member number which originated the message. For the Dell EMC Networking switches, the stack ID number may range from 1 to 12. The number 1 is used for systems without stacking ability.
• Message — Contains the text of the log message.
While RFC 5424 is enabled, the logging output will appear as follows. RFC 5424 may be enabled using the logging protocol command.
<189>1 2013-06-13T23:24:15.652+5:30Z 10.130.185.84 TRAPMGR trapTask traputil.
Default Log Settings System logging is enabled, and messages are sent to the console (severity level: warning and above) and RAM log (severity level: informational and above). Switch auditing is enabled. CLI command logging, Web logging, and SNMP logging are disabled. By default, no messages are sent to the log file that is stored in flash, and no remote log servers are defined. Email alerting is disabled, and no recipient email address is configured. Additionally, no mail server is defined.
Monitoring System Information and Configuring Logging (Web) This section provides information about the OpenManage Switch Administrator pages to use to monitor system information and configure logging on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Figure 11-2. Stack View For more information about the device view features, see "Understanding the Device View" on page 188.
System Health Use the Health page to view status information about the switch power and ventilation sources. To display the Health page, click System General Health in the navigation panel. Figure 11-3.
System Resources Use the System Resources page to view information about memory usage and task utilization. To display the System Resources page, click System General System Resources in the navigation panel. Figure 11-4.
Unit Power Usage History Use the Unit Power Usage History page to view information about switch power consumption. To display the Unit Power Usage History page, click System General Unit Power Usage History in the navigation panel. Figure 11-5.
Integrated Cable Test for Copper Cables Use the Integrated Cable Test for Copper Cables page to perform tests on copper cables. Cable testing provides information about where errors occurred in the cable, the last time a cable test was performed, and the type of cable error which occurred. The tests use Time Domain Reflectometry (TDR) technology to test the quality and characteristics of a copper cable attached to a port. Cables up to 120 meters long can be tested.
To view a summary of all integrated cable tests performed, click the Results link. Figure 11-7. Integrated Cable Test Results Optical Transceiver Diagnostics Use the Transceiver Diagnostics page to perform tests on Fiber Optic cables. To display the Transceiver Diagnostics page, click System Diagnostics Transceiver Diagnostics in the navigation panel. NOTE: Optical transceiver diagnostics can be performed only when the link is present.
Figure 11-8. Transceiver Diagnostics
To view a summary of all optical transceiver diagnostics tests performed, click the Results link.
Figure 11-9. Transceiver Diagnostics Results
Log Global Settings
Use the Global Settings page to enable logging globally and to enable other types of logging. The severity of messages that are logged to the console, RAM log, and flash-based log file can also be specified.
The Severity table lists log messages from the highest severity (Emergency) to the lowest (Debug). When a severity level is selected, all higher levels are automatically selected. To prevent log messages from being sent to the console, RAM log, or flash log file, clear all check boxes in the Severity column. To display the Global Settings page, click System Logs Global Settings in the navigation panel. Figure 11-10.
Figure 11-11.
Log File The Log File contains information about specific log entries, including the time the log was entered, the log severity, and a description of the log. To display the Log File, click System Logs Log File in the navigation panel. Figure 11-12. Log File SYSLOG Server Use the Remote Log Server page to view and configure the available SYSLOG servers, to define new SYSLOG servers, and to set the severity of the log events sent to the SYSLOG server.
Figure 11-13. Remote Log Server Adding a New Remote Log Server To add a SYSLOG server: 1 Open the Remote Log Server page. 2 Click Add to display the Add Remote Log Server page. 3 Specify the IP address or hostname of the remote server. 4 Define the UDP Port and Description fields.
Figure 11-14. Add Remote Log Server 5 Select the severity of the messages to send to the remote server. NOTE: When a severity level is selected, all higher (numerically lower) severity levels are automatically selected. 6 Click Apply. Click the Show All link to view or remove remote log servers configured on the system. Figure 11-15.
Email Alert Global Configuration
Use the Email Alert Global Configuration page to enable the email alerting feature and configure global settings so that system log messages can be sent from the switch to one or more email accounts. To display the Email Alert Global Configuration page, click System Email Alerts Email Alert Global Configuration in the navigation panel. Figure 11-16.
Figure 11-17. Email Alert Mail Server Configuration Adding a Mail Server To add a mail server: 1 Open the Email Alert Mail Server Configuration page. 2 Click Add to display the Email Alert Mail Server Add page. 3 Specify the hostname of the mail server. Figure 11-18. Add Mail Server 4 Click Apply. 5 If desired, click Configuration to return to the Email Alert Mail Server Configuration page to specify port and security settings for the mail server.
Figure 11-19. Show All Mail Servers
Email Alert Subject Configuration
Use the Email Alert Subject Configuration page to configure the subject line for email alerts that are sent by the switch. The subject for the message severity and entry status can be customized. To display the Email Alert Subject Configuration page, click System Email Alerts Email Alert Subject Configuration in the navigation panel. Figure 11-20.
Email Alert To Address Configuration Use the Email Alert To Address Configuration page to specify where the email alerts are sent. Multiple recipients can be configured and different message severity levels can be associated with different recipient addresses. To display the Email Alert To Address Configuration page, click System Email Alerts Email Alert To Address Configuration in the navigation panel. Figure 11-22.
Figure 11-24.
Monitoring System Information and Configuring Logging (CLI)
This section provides information about the commands used for configuring features for monitoring on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command  Purpose
test copper-port tdr interface  Perform the Time Domain Reflectometry (TDR) test to diagnose the quality and characteristics of a copper cable attached to the specified port. SFP, SFP+, and QSFP cables with passive copper assemblies are not capable of performing TDR tests.
CAUTION: Issuing the test copper-port tdr command will bring the interface down.
NOTE: To ensure accurate measurements, disable all Green Ethernet modes (EEE and energy-detect mode) on the port before running the test.
Configuring Local Logging
Use the following commands to configure the type of messages that are logged and where the messages are logged locally.
Command              Purpose
configure            Enter Global Configuration mode.
logging on           Globally enables logging.
logging audit        Enable switch auditing.
logging cli-command  Enable CLI command logging.
logging monitor      Enable logging to stations other than the console.
logging web-session  Enable logging of the switch management Web page visits.
Command            Purpose
CTRL + Z           Exit to Privileged Exec mode.
show logging       Displays the state of logging and the SYSLOG messages stored in the internal buffer.
show logging file  View information about the flash (persistent) log file.
clear logging      Use to clear messages from the logging buffer.
Configuring Remote Logging
Use the following commands to define a remote server to which the switch sends log messages.
Command    Purpose
configure  Enter Global Configuration mode.
Configuring Mail Server Settings
Use the following commands to configure information about the mail server (SMTP host) on the network that will initially receive the email alerts from the switch and relay them to the correct recipient.
Command                 Purpose
configure               Enter Global Configuration mode.
mail-server ip-address  Specify the IP address of the SMTP server on the network and enter the configuration mode for the mail server.
Configuring Email Alerts for Log Messages
Use the following commands to configure email alerts so that log messages are sent to the specified address.
Command                   Purpose
configure                 Enter Global Configuration mode.
logging email [severity]  Enable email alerting and determine which non-critical log messages should be emailed. Use logging email with no parameter to enable email logging. Including the severity value sets the lowest severity for which log messages are emailed.
Command  Purpose
logging email test message-type {urgent | non-urgent | both} message-body body  Send a test email to the configured recipient to verify that the feature is properly configured.
CTRL + Z  Exit to Privileged Exec mode.
show logging email config  View the configured settings for email alerts.
show logging email statistics  View information about the number of emails sent and the time they were sent.
clear logging email statistics  Clear the email alerting statistics.
Logging Configuration Examples
This section contains the following examples:
• Configuring Local and Remote Logging
• Configuring Email Alerting
Configuring Local and Remote Logging
This example shows how to enable switch auditing and CLI command logging. Log messages with a severity level of Notification (level 5) and above are sent to the RAM (buffered) log. Emergency, Critical, and Alert (level 2) log messages are written to the log file on the flash drive.
4 Verify the remote log server configuration.
console#show syslog-servers
IP/IPv6 Address/Hostname  Port  Severity    Description
------------------------  ----  ----------  -------------
192.168.2.10              514   debugging   Syslog Server

Transport Type  Authentication     Certificate Index
--------------  -----------------  -------------------
UDP
5 Verify the local logging configuration and view the log messages stored in the buffer (RAM log).
console#show logging
Logging is enabled
Logging protocol version: 0
Source Interface........
<189> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_netlink.c(551) 11 %% NOTE Unable to add the entry to /etc/iproute2/rt_protos.
<186> Oct 18 07:09:12 0.0.0.0-1 General[fp_main_task]: bootos.c(191) 10 %% CRIT Event(0xaaaaaaaa)
<189> Oct 18 07:09:12 0.0.0.0-1 BSP[fp_main_task]: bootos.c(175) 9 %% NOTE BSP initialization complete, starting switch firmware.
<190> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_crash.c(1297) 8 %% INFO Oldest crashlog (5) will be deleted if another crash happens.
Configuring Email Alerting The commands in this example define the SMTP server to use for sending email alerts. The mail server does not require authentication and uses the standard TCP port for SMTP, port 25, which are the default values. Only Emergency messages (severity level 0) will be sent immediately as individual emails, and messages with a severity of alert, critical, and error (levels 1-3) will be sent in a single email every 120 minutes.
2 Configure the username and password that the switch must use to authenticate with the mail server.
console(Mail-Server)#username switchN3048
console(Mail-Server)#password passwordN3048
console(Mail-Server)#exit
3 Configure emergencies and alerts to be sent immediately, and all other messages to be sent in a single email every 120 minutes.
Email Alert Non Urgent Severity Level.......... 3
Email Alert Trap Severity Level................ 6
Email Alert Notification Period................ 120 min
Email Alert To Address Table:
For Msg Type..........................1
Address1..............................administrator@dell.com
For Msg Type..........................2
Address1..............................administrator@dell.com
Email Alert Subject Table :
For Msg Type 1, subject is............LOG MESSAGES - EMERGENCY
For Msg Type 2, subject is....
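The log line layout and severity handling described in this chapter (the PRI value and severity levels, the rule that selecting a severity also selects all higher severities, and the urgent/non-urgent split used for email alerts) can be checked offline with the following added Python example, which is not part of the Dell guide. The first four sample lines are the show logging lines from the example above and the fifth is constructed; the function names, the regular expression, and the standard syslog split PRI = facility * 8 + severity are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords in syslog order (list index = level, 0 is most severe).
SEVERITIES = ["emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging"]

# Layout inferred from the sample lines (assumption, not a Dell format spec):
# <PRI> Mon DD HH:MM:SS host-unit COMPONENT[task]: file(line) seq %% TAG text
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s+"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)-(?P<unit>\d+)\s+"
    r"(?P<component>[^\[\s]+)\[(?P<task>[^\]]+)\]:\s+"
    r"(?P<file>[^\s(]+)\((?P<line>\d+)\)\s+"
    r"(?P<seq>\d+)\s+%%\s+"
    r"(?P<tag>[A-Z]+)\s+(?P<text>.*)$"
)


@dataclass
class LogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    unit: int        # stack member that originated the message
    component: str
    task: str
    source: str      # "file:line" of the originating code
    seq: int
    tag: str
    text: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Parse one log line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:    # 23 * 8 + 7 is the largest valid syslog PRI
        return None
    return LogRecord(
        facility=pri >> 3, severity=pri & 7, timestamp=m["ts"],
        host=m["host"], unit=int(m["unit"]), component=m["component"],
        task=m["task"], source=f"{m['file']}:{m['line']}",
        seq=int(m["seq"]), tag=m["tag"], text=m["text"],
    )


def parse_log(lines: List[str]) -> Tuple[List[LogRecord], List[str]]:
    """Split input into parsed records and rejected (malformed) lines."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected.append(line)
        else:
            records.append(rec)
    return records, rejected


def select(records: List[LogRecord], keyword: str) -> List[LogRecord]:
    """Selecting a severity also selects every numerically lower level."""
    level = SEVERITIES.index(keyword)
    return [r for r in records if r.severity <= level]


def email_action(severity: int, urgent: int = 0, non_urgent: int = 3) -> str:
    """Model of the email example: urgent messages are mailed at once,
    messages down to the non-urgent level are batched, the rest are not
    mailed. The defaults mirror the levels used in that example."""
    if severity <= urgent:
        return "immediate"
    if severity <= non_urgent:
        return "batched"
    return "none"


SAMPLE_LINES = [
    "<189> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_netlink.c(551) 11 %% NOTE Unable to add the entry to /etc/iproute2/rt_protos.",
    "<186> Oct 18 07:09:12 0.0.0.0-1 General[fp_main_task]: bootos.c(191) 10 %% CRIT Event(0xaaaaaaaa)",
    "<189> Oct 18 07:09:12 0.0.0.0-1 BSP[fp_main_task]: bootos.c(175) 9 %% NOTE BSP initialization complete, starting switch firmware.",
    "<190> Oct 18 07:09:12 0.0.0.0-1 OSAPI[fp_main_task]: osapi_crash.c(1297) 8 %% INFO Oldest crashlog (5) will be deleted if another crash happens.",
    # Constructed line with an out-of-range PRI, to show rejection.
    "<999> Oct 18 07:09:13 0.0.0.0-1 General[fp_main_task]: bootos.c(191) 12 %% CRIT constructed malformed entry",
]

if __name__ == "__main__":
    records, rejected = parse_log(SAMPLE_LINES)
    for r in select(records, "notifications"):
        print(r.seq, SEVERITIES[r.severity], r.component, r.source,
              email_action(r.severity))
    print("rejected:", len(rejected))
```

Rejected lines are worth keeping rather than discarding, because a collector that silently drops malformed entries hides gaps in the audit trail.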
12 Managing General System Settings
Dell EMC Networking N-Series Switches
This chapter describes how to set system information, such as the hostname, and time settings, and how to select the Switch Database Management (SDM) template to use on the switch. For the Dell EMC Networking N1500, N2000, N2100-ON, N3000, and N3100-ON Series switches, this chapter also describes how to configure the Power over Ethernet (PoE) settings.
Table 12-1. System Information (Continued)
Feature       Description
CLI Banner    Displays a message upon connecting to the switch or logging on to the switch by using the CLI.
SDM Template  Determines the maximum resources a switch or router can use for various features. For more information, see "What Are SDM Templates?" on page 433.
The switch can obtain the time from a Simple Network Time Protocol (SNTP) server, or the time can be set manually.
Why Does System Information Need to Be Configured? Configuring system information is optional. However, it can be helpful in providing administrative information about the switch. For example, if an administrator manages several standalone Dell EMC Networking N-Series switches and has Telnet sessions open with several different switches, the system name can help quickly identify the switch because the host name replaces console as the CLI command prompt.
Table 12-3 describes the parameters that are scaled for each template and the per-template maximum value of the parameter. The N1100-ON Series switches do not support routing. The N3000EP-ON scales identically to the other N3000 Series switches, depending on the selected firmware. Table 12-3.
SDM Template Configuration Guidelines When the switch is configured to use an SDM template that is not currently in use, the switch must be reloaded for the configuration to take effect. NOTE: If a unit is attached to a stack and its template does not match the stack's template, then the new unit will automatically reboot using the template used by the management unit. To avoid the automatic reboot, you may first set the template to the template used by the management unit.
Requesting the time from a unicast SNTP server is more secure. Use this method if you know the IP address of the SNTP server on your network. If you allow the switch to receive SNTP broadcasts, any clock synchronization information is accepted, even if it has not been requested by the device. This method is less secure than polling a specified SNTP server. To increase security, authentication can be required between the configured SNTP server and the SNTP client on the switch.
Configuring General System Settings (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring general system settings on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Initiating a Telnet Session from the Web Interface NOTE: The Telnet client feature does not work with Microsoft Windows Internet Explorer 7 and later versions. Initiating this feature from any browser running on a Linux operating system is not supported. To launch a Telnet session: 1 From the System General System Information page, click the Telnet link. 2 Click the Telnet button. Figure 12-2. Telnet 3 Select the Telnet client, and click OK. Figure 12-3.
The selected Telnet client launches and connects to the switch CLI. Figure 12-4.
CLI Banner Use the CLI Banner page to configure a message for the switch to display when a user connects to the switch by using the CLI. Different banners can be configured for various CLI modes and access methods. To display the CLI Banner page, click System General CLI Banner in the navigation panel. Figure 12-5.
SDM Template Preference Use the SDM Template Preference page to view information about template resource settings and to select the template that the switch uses. If a new SDM template is selected for the switch to use, the switch must be rebooted before the template is applied. To display the SDM Template Preference page, click System General SDM Template Preference in the navigation panel. Figure 12-6.
Clock If the switch is not configured to obtain the system time from an SNTP server, the date and time can be manually set on the switch using the Clock page. The Clock page also displays information about the time settings configured on the switch. To display the Clock page, click System Time Synchronization Clock in the navigation panel. Figure 12-7. Clock NOTE: The system time cannot be set manually if the SNTP client is enabled.
SNTP Global Settings Use the SNTP Global Settings page to enable or disable the SNTP client, configure whether and how often the client sends SNTP requests, and determine whether the switch can receive SNTP broadcasts. To display the SNTP Global Settings page, click System Time Synchronization SNTP Global Settings in the navigation panel. Figure 12-8.
SNTP Authentication Use the SNTP Authentication page to enable or disable SNTP authentication, to modify the authentication key for a selected encryption key ID, to designate the selected authentication key as a trusted key, and to remove the selected encryption key ID. NOTE: The SNTP server must be configured with the same authentication information to allow time synchronization to take place between the two devices.
Figure 12-10. Add Authentication Key 3 Enter a numerical encryption key ID and an authentication key in the appropriate fields. 4 If the key is to be used to authenticate a unicast SNTP server, select the Trusted Key check box. If the check box is clear, the key is untrusted and cannot be used for authentication. 5 Click Apply. The SNTP authentication key is added, and the device is updated. To view all configured authentication keys, click the Show All link. The Authentication Key Table displays.
SNTP Server Use the SNTP Server page to view and modify information about SNTP servers, and to add new SNTP servers that the switch can use for time synchronization. The switch can accept time information from both IPv4 and IPv6 SNTP servers. To display the SNTP Server page, click System Time Synchronization SNTP Server in the navigation panel. If no servers have been configured, the fields in the following image are not displayed. Figure 12-12.
Figure 12-13. Add SNTP Server 3 In the SNTP Server field, enter the IP address or host name for the new SNTP server. 4 Specify whether the information entered in the SNTP Server field is an IPv4 address, IPv6 address, or a hostname (DNS). 5 If authentication is required between the SNTP client on the switch and the SNTP server, select the Encryption Key ID check box, and then select the key ID to use. To define a new encryption key, see "Adding an SNTP Authentication Key" on page 445.
To view all configured SNTP servers, click the Show All link. The SNTP Server Table displays. The SNTP Server Table page can also be used to remove or edit existing SNTP servers. Figure 12-14.
Summer Time Configuration Use the Summer Time Configuration page to configure summer time (daylight saving time) settings. To display the Summer Time Configuration page, click System Time Synchronization Summer Time Configuration in the navigation panel. Figure 12-15. Summer Time Configuration NOTE: The fields on the Summer Time Configuration page change when the Recurring check box is selected or cleared.
Time Zone Configuration
Use the Time Zone Configuration page to configure time zone information, including the amount of time the local time is offset from UTC and the acronym that represents the local time zone. To display the Time Zone Configuration page, click System Time Synchronization Time Zone Configuration in the navigation panel. Figure 12-16.
Card Configuration Use the Card Configuration page to control the administrative status of the rear-panel expansion slots (Slot 1 or Slot 2), if present, and to configure the plug-in module to use in the slot. To display the Card Configuration page, click Switching Slots Card Configuration in the navigation panel. Figure 12-17.
Slot Summary Use the Slot Summary page to view information about the expansion slot status. To display the Slot Summary page, click Switching Slots Summary in the navigation panel. Figure 12-18.
Supported Cards Use the Supported Cards page to view information about the supported plug-in modules for the switch. To display the Supported Cards page, click Switching Slots Supported Cards in the navigation panel. Figure 12-19.
Power Over Ethernet Global Configuration (Dell EMC Networking N1108P-ON/N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON, and N3024P/N3048P/N3132PX-ON Only) Use the PoE Global Configuration page to configure the PoE settings for the switch. To display the PoE Global Configuration page, click System General Power over Ethernet Global Configuration in the navigation panel. Figure 12-20.
Power Over Ethernet Unit Configuration (Dell EMC Networking N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON, and N3024P/N3048P/N3132PX-ON Only) Use the PoE Unit Configuration page to configure the PoE settings for switch stack members. This page is not available on the N1108P-ON switch because it does not support stacking. To display the PoE Unit Configuration page, click System General Power over Ethernet Unit Configuration in the navigation panel. Figure 12-21.
Power Over Ethernet Interface Configuration (Dell EMC Networking N1108P-ON/N1124P-ON/N1148P-ON, N1524P/N1548P, N2024P/N2048P/N2128PX-ON, and N3024P/N3048P/N3132PX-ON Only) Use the PoE Interface Configuration page to configure the per-port PoE settings. This page also provides access to the PoE Counters table and PoE Port Table. The PoE Port table allows viewing and configuring PoE settings for multiple ports on the same page.
To view PoE statistics for each port, click Counters. Figure 12-23. PoE Counters Table To view the PoE Port Table, click Show All. Figure 12-24. PoE Port Table If you change any settings for one or more ports on the PoE Port Table page, click Apply to update the switch with the new settings.
Configuring System Settings (CLI)
This section provides information about the commands used for configuring system information and time settings on the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring the Banner
Use the following commands to configure the MOTD, login, or User Exec banner. The switch supports the following banner messages:
• MOTD—Displays when a user connects to the switch.
• Login—Displays after the MOTD banner and before the login prompt.
• Exec—Displays immediately after the user logs on to the switch.
Command    Purpose
configure  Enter Global Configuration mode.
Managing the SDM Template
Use the following commands to set the SDM template preference and to view information about the available SDM templates.
Command    Purpose
configure  Enter Global Configuration mode.
sdm prefer {dual-ipv4-and-ipv6 default | ipv4-routing {data-center | default}}  Select the SDM template to apply to the switch after the next boot.
CTRL + Z   Exit to Privileged Exec mode.
show sdm prefer [template]  View information about the SDM template the switch is currently using.
Command                  Purpose
sntp trusted-key key_id  Specify the authentication key the SNTP server must include in SNTP packets that it sends to the switch. The key_id number must be an encryption key ID defined in the previous step.
sntp authenticate        Require authentication for communication with the SNTP server. A trusted key must be configured before this command is executed.
sntp server {ip_address |  Define the SNTP server.
Setting the System Time and Date Manually
Use the following commands to configure the time and date, time zone, and summer time settings.
Command  Purpose
clock set {hh:mm:ss} | {mm/dd/yyyy}  Configure the time and date. Enter the time first and then the date, or the date and then the time.
• hh:mm:ss — Time in hours (24-hour format, from 01-24), minutes (00-59), and seconds (00-59).
• mm/dd/yyyy — Two-digit month (1-12), two-digit date of the month (01-31), and four-digit year.
Command  Purpose
clock summer-time date {date month | month date} year hh:mm {date month | month date} year hh:mm [offset offset] [zone acronym]  Use this command if the summer time does not start and end every year according to a recurring pattern. Enter the month and then the date, or the date and then the month.
• date — Day of the month. (Range: 1-31.)
• month — Month. (Range: The first three letters by name)
• hh:mm — Time in 24-hour format in hours and minutes.
Viewing Slot Information (Dell EMC Networking N4000 Series Only) Use the following commands to view information about Slot 0 and its support. Command Purpose show slot Display status information about the expansion slots. show supported cardtype Display information about the modules the switch supports.
Command Purpose power inline {auto | never} Set the PoE device discovery admin mode. • auto — Enables the device discovery protocol and, if found, supplies power to the device. • never — Disables the device discovery protocol and stops supplying power to the device. power inline priority {critical | high | low} Configures the port priority level for the delivery of power to an attached device. power inline four-pair forced Enable power feed on all pairs.
General System Settings Configuration Examples This section contains the following examples: • Configuring System and Banner Information • Configuring SNTP • Configuring the Time Manually Configuring System and Banner Information In this example, an administrator configures the following system information: • System name: N2048 • System contact: Jane Doe • System location: RTP100 • Asset tag: 006429 The administrator then configures the MOTD banner to alert other switch administrators of the c
System Location: RTP100
Burned In MAC Address: 001E.C9AA.AA07
System Object ID: 1.3.6.1.4.1.674.10895.3035
System Model ID: N2048
Machine Type: Dell EMC Networking N2048
Temperature Sensors:
Unit  Temperature (Celsius)  Status
----------------------------
1     43                     OK
Power Supplies:
Unit  Description  Status  Source
----------------------------
1     Main         OK      AC
1     Secondary    Error   DC
5 View additional information about the system.
Figure 12-25.
Configuring SNTP The commands in this example configure the switch to poll an SNTP server to synchronize the time. Additionally, the SNTP sessions between the client and server must be authenticated. To configure the switch: 1 Configure the authentication information. The SNTP server must be configured with the same authentication key and ID.
4 View the SNTP status on the switch.
console#show sntp status
Client Mode: Unicast
Last Update Time: MAR 01 09:12:43 2010
Unicast servers:
Server          Status       Last response
--------------- ------------ --------------------
192.168.10.
Configuring the Time Manually The commands in this example manually set the system time and date. The time zone is set to Eastern Standard Time (EST), which has an offset of -5 hours. Summer time is enabled and uses the pre-configured United States settings. To configure the switch: 1 Configure the time zone offset and acronym. console#configure console(config)#clock timezone -5 zone EST 2 Configure the summer time (daylight saving time) to use the preconfigured settings for the United States.
13 SNMP
Dell EMC Networking N-Series Switches
The topics covered in this chapter include: • SNMP Overview • Default SNMP Values • Configuring SNMP (Web) • Configuring SNMP (CLI) • SNMP Configuration Examples
SNMP Overview
Simple Network Management Protocol (SNMP) provides a method for managing network devices. The Dell EMC Networking N-Series switches support SNMP version 1, SNMP version 2, and SNMP version 3. Dell EMC Networking switches support SNMP over both IPv4 and IPv6.
The SNMP agent maintains a list of variables that are used to manage the switch. The variables are defined in the MIB. The MIB presents the variables controlled by the agent. The SNMP agent defines the MIB specification format, as well as the format used to access the information over the network. Access rights to the SNMP agent are controlled by access strings. SNMP v3 also applies access control and a new traps mechanism to SNMPv1 and SNMPv2 PDUs.
Various features can be configured on the switch to generate SNMP traps that inform the NMS about events or problems that occur on the switch. Traps generated by the switch can also be viewed locally by using the web-based interface or CLI. Why Is SNMP Needed? Some network administrators prefer to use SNMP as the switch management interface. Settings that you view and configure by using the web-based Dell EMC OpenManage Switch Administrator and the CLI are also available by using SNMP.
Table 13-1. SNMP Defaults
Parameter             Default Value
QoS traps             Enabled
Multicast traps       Disabled
Captive Portal traps  Disabled
OSPF traps            Disabled
Table 13-2 describes the two views that are defined by default.
Table 13-2. SNMP Default Views
View Name     OID Subtree         View Type
Default       iso                 Included
              snmpVacmMIB         Excluded
              usmUser             Excluded
              snmpCommunityTable  Excluded
DefaultSuper  iso                 Included
By default, three groups are defined. Table 13-3 describes the groups.
Configuring SNMP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the SNMP agent on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
SNMP View Settings Use the SNMP View Settings page to create views that define which features of the device are accessible and which are blocked. A view can be created that includes or excludes OIDs corresponding to interfaces. To display the View Settings page, click System SNMP View Settings in the navigation panel. Figure 13-2. SNMP View Settings Adding an SNMP View To add a view: 1 Open the View Settings page. 2 Click Add.
Figure 13-3. Add View 3 Specify a name for the view and a valid SNMP OID string. 4 Select the view type. 5 Click Apply. The SNMP view is added, and the device is updated. Click Show All to view information about configured SNMP Views.
Access Control Group Use the Access Control Group page to view information for creating SNMP groups, and to assign SNMP access privileges. Groups allow network managers to assign access rights to specific device features or feature aspects. To display the Access Control Group page, click System → SNMP → Access Control in the navigation panel. Figure 13-4. SNMP Access Control Group Adding an SNMP Group To add a group: 1 Open the Access Control Configuration page. 2 Click Add.
Figure 13-5. Add Access Control Group 3 Specify a name for the group. 4 Select a security model and level. 5 Define the context prefix and the operation. 6 Click Apply to update the switch. Click Show All to view information about existing access control configurations.
SNMPv3 User Security Model (USM) Use the User Security Model page to assign system users to SNMP groups and to define the user authentication method. NOTE: The Local User Database page under Management Security can also be used for configuring SNMPv3 settings for users. For more information, see "Authentication, Authorization, and Accounting" on page 269. To display the User Security Model page, click System SNMP User Security Model in the navigation panel. Figure 13-6.
Figure 13-7. Add Local Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users. Adding Remote SNMPv3 Users to a USM To add remote users: 1 Open the SNMPv3 User Security Model page. 2 Click Add Remote User.
Figure 13-8. Add Remote Users 3 Define the relevant fields. 4 Click Apply to update the switch. Click Show All to view the User Security Model Table, which contains information about configured Local and Remote Users.
Communities Access rights for SNMPv1 and SNMPv2 are managed by defining communities on the Communities page. When the community names are changed, access rights are also changed. SNMP Communities are defined only for SNMP v1 and SNMP v2. To display the Communities page, click System → SNMP → Communities in the navigation panel. Figure 13-9. SNMP Communities Adding SNMP Communities To add a community: 1 Open the Communities page. 2 Click Add.
Figure 13-10. Add SNMPv1,2 Community 3 Specify the IP address of an SNMP management station and the community string to act as a password that will authenticate the management station to the SNMP agent on the switch. 4 Select the access mode. 5 Click Apply to update the switch. Click Show All to view the communities that have already been configured.
Notification Filter Use the Notification Filter page to set filtering traps based on OIDs. Each OID is linked to a device feature or a feature aspect. The Notification Filter page also allows you to filter notifications. To display the Notification Filter page, click System SNMP Notification Filters in the navigation panel. Figure 13-11. SNMP Notification Filter Adding a Notification Filter To add a filter: 1 Open the Notification Filter page. 2 Click Add. The Add Filter page displays: Figure 13-12.
3 Specify the name of the filter and the OID for the filter. 4 Choose whether to send (include) traps or informs to the trap recipient or prevent the switch from sending (exclude) the traps or informs. 5 Click Apply to update the switch. Click Show All to view information about the filters that have already been configured. Notification Recipients Use the Notification Recipients page to view information for defining filters that determine whether traps are sent to specific users, and the trap type sent.
Figure 13-13. SNMP Notification Recipient Adding a Notification Recipient To add a recipient: 1 Open the Notification Recipient page. 2 Click Add.
Figure 13-14. Add Notification Recipient 3 Specify the IP address or hostname of the host to receive notifications. 4 Select whether to send traps or informs to the specified recipient. 5 Define the relevant fields for the SNMP version you use. 6 Configure information about the port on the recipient. 7 Click Apply to update the switch. Click Show All to view information about the recipients that have already been configured.
To access the Trap Flags page, click Statistics/RMON Trap Manager Trap Flags in the navigation panel. Figure 13-15. Trap Flags OSPFv2 Trap Flags The OSPFv2 Trap Flags page is used to specify which OSPFv2 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log.
Figure 13-16. OSPFv2 Trap Flags OSPFv3 Trap Flags The OSPFv3 Trap Flags page is used to specify which OSPFv3 traps you want to enable or disable. When the condition identified by an active trap is encountered by the switch, a trap message is sent to any enabled SNMP Trap Receivers, and a message is written to the trap log. To access the OSPFv3 Trap Flags page, click Statistics/RMON Trap Manager OSPFv3 Trap Flags in the navigation panel.
Figure 13-17. OSPFv3 Trap Flags Trap Log The Trap Log page is used to view entries that have been written to the trap log. To access the Trap Log page, click Statistics/RMON Trap Manager Trap Log in the navigation panel.
Figure 13-18. Trap Logs Click Clear to delete all entries from the trap log.
Configuring SNMP (CLI) This section provides information about the commands you use to manage and view SNMP features on the switch. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring the SNMPv3 Engine ID To use SNMPv3, the switch must have an engine ID configured.
Command Purpose snmp-server engineID local {engineid-string | default} Configure the SNMPv3 Engine ID. • engineid-string — The character string that identifies the engine ID. The engine ID is a concatenated hexadecimal string. Each byte in the character string consists of two hexadecimal digits. Each byte can be separated by a period or colon. (Range: 6-32 characters) • default — The engineID is created automatically, based on the device MAC address. exit Exit to Privileged Exec mode.
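The engine ID format described above can be checked and decoded offline. The following is an added example, not code from the Dell guide: it validates a string against the separator and length rules stated here, decodes the RFC 3411 layout, and compares the embedded MAC with the burned-in MAC. It assumes the 6-32 character range counts hex digits only; the sample values come from the command output shown elsewhere in this guide, and the inventory helper is hypothetical.

```python
import re

# Format octet (5th byte) values defined by RFC 3411 for SnmpEngineID.
RFC3411_FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def normalize_engine_id(text):
    """Return the engine ID as lowercase hex with '.' and ':' separators removed."""
    groups = re.split(r"[.:]", text.strip())
    # Every separated group must consist of whole bytes (two hex digits each).
    if not all(re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", g) for g in groups):
        raise ValueError("engine ID must be whole hex bytes separated only by '.' or ':'")
    hexstr = "".join(groups).lower()
    # Assumption: the 6-32 character range in the guide counts hex digits only.
    if not 6 <= len(hexstr) <= 32:
        raise ValueError("engine ID must be 6-32 hex characters")
    return hexstr


def decode_engine_id(text):
    """Decode enterprise number, format and (if present) MAC from an engine ID."""
    raw = bytes.fromhex(normalize_engine_id(text))
    info = {"hex": raw.hex(), "rfc3411": False}
    # RFC 3411: high bit of the first octet set, 4-octet enterprise, 1 format octet.
    if len(raw) > 5 and raw[0] & 0x80:
        info["rfc3411"] = True
        info["enterprise"] = int.from_bytes(raw[:4], "big") & 0x7FFFFFFF
        info["format"] = RFC3411_FORMATS.get(raw[4], "other")
        if info["format"] == "mac" and len(raw) == 11:
            info["mac"] = ":".join(f"{b:02x}" for b in raw[5:])
    return info


def matches_mac(engine_id, burned_in_mac):
    """True when a MAC-format engine ID embeds the given burned-in MAC address."""
    mac = re.sub(r"[^0-9A-Fa-f]", "", burned_in_mac).lower()
    embedded = decode_engine_id(engine_id).get("mac", "").replace(":", "")
    return len(mac) == 12 and embedded == mac


def duplicate_engine_ids(inventory):
    """inventory maps device name to engine ID (hypothetical input shape).

    SNMPv3 USM localizes user keys to the engine ID, so two agents that share
    an engine ID and a password also share localized keys.
    """
    seen = {}
    for device, eid in inventory.items():
        seen.setdefault(normalize_engine_id(eid), []).append(device)
    return {eid: sorted(devs) for eid, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    # Engine ID and MAC as they appear in this guide's sample output.
    print(decode_engine_id("800002a203001ec9aaaa07"))
    print(matches_mac("800002a203001ec9aaaa07", "001E.C9AA.AA07"))
```

Enterprise number 674 in the decoded value matches the 1.3.6.1.4.1.674 prefix of the System Object ID in the sample output.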
Command Purpose snmp-server group groupname {v1 | v2 | v3 {noauth | auth | priv} [notify view-name]} [context view-name] [read view-name] [write view-name] Specify the identity string of the receiver and set the receiver timeout value. • groupname — Specifies the name of the group. (Range: 1-30 characters.) • v1 — Indicates the SNMP Version 1 security model. • v2 — Indicates the SNMP Version 2 security model. • v3 — Indicates the SNMP Version 3 security model.
Command Purpose snmp-server user username groupname [remote engineid-string] [{auth-md5 password | auth-sha password | auth-md5-key md5-key | auth-sha-key sha-key} [priv-des password | priv-des-key des-key | priv-3des password | priv-3des-key des-key | priv-aes128 password | priv-aes128-key aes-key]] Configure a new SNMPv3 user. • username — Specifies the name of the user on the host that connects to the agent. (Range: 1-32 characters.
Command Purpose (continued) • des-key — A pregenerated DES encryption key. Length is determined by authentication method selected: 32 hex characters if MD5 Authentication is selected, 40 hex characters if SHA Authentication is selected. • priv-aes128 — The CBC-AES128 Symmetric Encryption privacy level. • priv-aes128-key — The CBC-AES128 Symmetric Encryption privacy level. The user must enter a pregenerated MD5 or SHA key depending on the authentication level selected. exit Exit to Privileged Exec mode.
Command: snmp-server community string [ro | rw | su] [view view-name | ipaddress ip_address ipmask]
Purpose: Configure the community string and specify access criteria for the community.
• community-string — Acts as a password and is used to authenticate the SNMP management station to the switch. The string must also be defined on the NMS in order for the NMS to access the SNMP agent on the switch (Range: 1-20 characters). Any printable character is allowed other than the @ \ ? characters.
Configuring SNMP Notifications (Traps and Informs) Use the following commands to allow the switch to send SNMP traps and to configure which traps are sent. Command Purpose configure Enter Global Configuration mode snmp-server enable traps [ acl |all |auto-copy-sw | bgp |buffers | captiveportal | cpu | dot1q | dvmrp | link |multipleusers | ospf | ospfv3 | pim | poe | portsecurity | snmp | spanning-tree | vrf | vrrp] Specify the traps to enable.
Command: snmp-server host host-addr [informs [timeout seconds] [retries retries] | traps version {1 | 2}]] community-string [udp
Purpose: For SNMPv1 and SNMPv2, identify the system to receive SNMP traps or informs.
• host-addr — Specifies the IP address of the host (targeted recipient) or the name of the host. (Range: 1-158 characters).
Command Purpose snmp-server v3-host {ip-address | hostname} username {traps | informs} [noauth | auth | priv] [timeout seconds] [retries retries] [udpport port] [filter filtername] For SNMPv3, identify the system to receive SNMP traps or informs. • ip-address — Specifies the IP address of the host (targeted recipient). • hostname — Specifies the name of the host. (Range: 1-158 characters.) • username — Specifies user name used to generate the notification. (Range: 1-25 characters.
SNMP Configuration Examples This section contains the following examples: • Configuring SNMPv1 and SNMPv2 • Configuring SNMPv3 Configuring SNMPv1 and SNMPv2 This example shows how to complete a basic SNMPv1/v2 configuration. The commands enable read-only access from any host to all objects on the switch using the community string public, and enable read-write access from any host to all objects on the switch using the community string private.
Community-String  Group Name    IP Address  IP Mask
----------------  ------------  ----------  -------
private           DefaultWrite  All         All
public            DefaultRead   All         All
Traps are enabled.
Authentication trap is enabled.
read-write MIB access privileges are configured individually, and are then combined into a community-group which is configured for subnet 10.85.234.0/24. NOTE: The community name may need to be escaped if attempting to use it in a shell environment with tools like snmpstatus or snmpwalk. 1 Create a view with write access to the private MIB. console#configure console(config)#snmp-server view MyWriteView private included 2 Create a view with read access to the entire SNMP MIB except the community table.
console(config)#snmp-server group group_snmpv3 v3 auth read view_snmpv3 write view_snmpv3 3 Create the user admin, assign the user to the group, and specify the authentication credentials. console(config)#snmp-server user admin group_snmpv3 auth-md5 secretkey 4 Specify the IP address of the host where traps are to be sent. Packet authentication using MD5-SHA is enabled for the traps. console(config)#snmp-server v3-host 192.168.3.
Version 3 notifications
Target Addr.   Type  Username  Security Level  UDP Port  Filter Name  TO Sec  Retries
-------------  ----  --------  --------------  --------  -----------  ------  -------
192.168.3.35   Trap  admin     Auth-NoP        162                    15      3
System Contact:
System Location:
Source Interface:
SNMP trap Client Source Interface..............
Name   Group Name    Auth Meth  Priv Meth  Remote Engine ID
-----  ------------  ---------  ---------  ----------------------
admin  group_snmpv3  MD5                   800002a203001ec9aaaa07
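The two configuration examples above leave several settings that a reviewer would want surfaced: the public and private community strings accepted from any host, and an SNMPv3 user with MD5 authentication and no privacy (shown as Auth-NoP). The following added example, which is not part of the Dell guide, audits saved configuration text for those settings. The sample lines are constructed from the command syntax in this chapter, the passwords are placeholders, and the severity labels are this example's own.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
V3_LEVELS = ("noauth", "auth", "priv")


def _community(args):
    name, opts = args[0], args[1:]
    restricted = "ipaddress" in opts          # keyword from the command syntax
    writable = any(o in ("rw", "su") for o in opts)
    out = []
    if name.lower() in DEFAULT_COMMUNITIES:
        out.append(("high", f"community '{name}' is a well-known default string"))
    if not restricted:
        if writable:
            out.append(("high", "write access granted to any host (no ipaddress restriction)"))
        else:
            out.append(("medium", "community accepted from any host (no ipaddress restriction)"))
    return out


def _user(args):
    opts = args[2:]                           # skip username and groupname
    auth = next((o for o in opts if o.startswith("auth-")), None)
    priv = next((o for o in opts if o.startswith("priv-")), None)
    out = []
    if auth is None:
        out.append(("high", "SNMPv3 user has no authentication configured"))
    elif auth.startswith("auth-md5"):
        out.append(("medium", "MD5 authentication in use; auth-sha is available"))
    if priv is None:
        out.append(("medium", "no privacy option; SNMPv3 payloads are sent unencrypted"))
    elif "des" in priv:
        out.append(("low", "DES/3DES privacy in use; priv-aes128 is available"))
    return out


def _group(args):
    if len(args) >= 3 and args[1] == "v3" and args[2] in ("noauth", "auth"):
        return [("medium", f"v3 group allows security level '{args[2]}' (no encryption)")]
    return []


def _v3_host(args):
    level = next((a for a in args[2:] if a in V3_LEVELS), None)
    if level in ("noauth", "auth"):
        return [("medium", f"notifications to {args[0]} use level '{level}' (no encryption)")]
    return []


CHECKS = {"community": _community, "user": _user, "group": _group, "v3-host": _v3_host}


def audit_snmp(config_text):
    """Return a list of (line_number, severity, message) findings."""
    findings = []
    for n, line in enumerate(config_text.splitlines(), 1):
        tok = line.split()
        if len(tok) < 3 or tok[0] != "snmp-server" or tok[1] not in CHECKS:
            continue
        findings += [(n, sev, msg) for sev, msg in CHECKS[tok[1]](tok[2:])]
    return findings


# Constructed sample: lines 4 and 5 follow the SNMPv3 example above, the rest
# are built from the syntax tables; passwords are placeholders.
SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community nms-7Qx ro ipaddress 192.168.3.35
snmp-server group group_snmpv3 v3 auth read view_snmpv3 write view_snmpv3
snmp-server user admin group_snmpv3 auth-md5 secretkey
snmp-server v3-host 192.168.3.35 admin traps auth
snmp-server user ops group_priv auth-sha EXAMPLE-AUTH-PW priv-aes128 EXAMPLE-PRIV-PW
"""

if __name__ == "__main__":
    for n, sev, msg in audit_snmp(SAMPLE_CONFIG):
        print(f"line {n}: [{sev}] {msg}")
```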
14 Images and File Management
Dell EMC Networking N-Series Switches
This chapter describes how to upload, download, and copy files, such as firmware images and configuration files, on the switch.
Table 14-1. Files to Manage File Action Description image Download Upload Copy Firmware for the switch. The switch can maintain two images: the active image and the backup image. startup-config Download Upload Copy Contains the software configuration that loads during the boot process. running-config Download Upload Copy Contains the current switch configuration. This file may be loaded by the stack standby unit during master failover.
Table 14-1. File Files to Manage Action Download SSH certificate files (Not supported on Dell EMC Networking N1500 switches) Description Contains information to encrypt, authenticate, and validate HTTPS sessions. The switch supports the following files for SSL: • SSL Trusted Root (or Intermediary) Certificate File (PEM Encoded) [CA.pem] • SSH Server Certificate File (PEM Encoded) [ssl_cert.pem] • SSH Diffie-Hellman Weak Encryption Key File (PEM Encoded) [sslt_key.
Advvv.stk AdvLitev.stk The Dell EMC Networking N-Series firmware releases for mixed stacking environments are named as follows: N2000N2100Stdv.itb - N2000/N2100 mixed stack firmware N3000N3100AdvLitev.itb - N3000/N3048EPON/N3100-ON mixed stack firmware N3000N3100Advv.
Version number Description Denotes the build number. Denotes a scheduled maintenance release of the firmware. Denotes a minor release of the firmware. Denotes a major release of the firmware. • Major release numbers start at 6. • Minor release numbers start at 0. • Maintenance release numbers start at 0. • Web release build numbers start at 1. A build number of 0 indicates a factory build, which should be upgraded using a web release build from www.dell.com/support. Examples: • N1500v6.2.5.0.
Configuration scripts, which are text files that contain CLI commands, can also be created. NOTE: You must use the CLI to manage configuration scripts. The configuration scripting feature is not available from the web interface. When you apply (run) a configuration script on the switch, the commands in the script are executed in the order in which they are written as if you were typing them into the CLI. The commands that are executed in the configuration script are added to the running-config file.
• SFTP • SCP • FTP • HTTP (Web only) • HTTPS (Web only) Files can also be copied between the file system on the internal flash and a USB flash drive that is connected to the external USB port. NOTE: The use of SFTP, SCP or HTTPS may require RSA/DSA keys to be generated prior to use.
switch. The PHY firmware may be updated to the firmware version supported by the switch firmware during the boot process or, in the case of switches that support the hot swap of cards, when the card is inserted into the switch. Editing and Downloading Configuration Files Each configuration file contains a list of executable CLI commands. The commands must be complete and in a logical order, as if you were entering them by using the switch CLI.
line, and all input following this character to the end of the line is ignored. Any line in the file that begins with the “!” character is recognized as a comment line and ignored by the parser.
Managing Files on a Stack Image files downloaded to the master unit of a stack are automatically downloaded to all stack members. If you activate the backup image on the master, it is activated on all units as well so that when you reload the stack, all units use the same image. The running-config, startup-config, and backup-config files, as well as all keys and certificates are synchronized across the stack when the running-config file is saved to the startup-config file.
Table 14-2 shows the feature set differences for this image (features not shown are included in the image). This image is the default image present on switches shipped from the factory. Table 14-2.
Aggregation Router Role New naming format: N3000_BGPvA.B.C.D.stk. This image should only be downloaded to the Dell EMC Networking N3000 Series switches. Table 14-3 shows the feature set for this image (features not shown are included in the image). Table 14-3.
Managing Images and Files (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. File System Use the File System page to view a list of the files on the device and to modify the image file descriptions.
Active Images Use the Active Images page to set the firmware image to use when the switch boots. If you change the boot image, it does not become the active image until you reset the switch. On the Dell EMC Networking N-Series switches, the images are named active and backup. To display the Active Images page, click System File Management Active Images in the navigation panel. Figure 14-2.
USB Flash Drive Use the USB Flash Drive page to view information about a USB flash drive connected to the USB port on the front panel of the switch. The page also displays information about the files stored on the USB flash drive. A USB flash drive must be un-mounted by the operator before removing it from the switch. If a new USB flash drive is installed without un-mounting the previous drive, the new flash drive may not be recognized.
File Download Use the File Download page to download image (binary) files, SSH and SSL certificates, IAS User files, and configuration (ASCII) files from a remote server to the switch. To display the File Download page, click System File Management File Download in the navigation panel. Figure 14-4. File Download Downloading Files To download a file to the switch: 1 Open the File Download page. 2 Select the type of file to download to the switch. 3 Select the transfer mode.
4 To download using HTTP, click Choose Files and select the file to download, then click Apply. 5 To download using any method other than HTTP, enter the IP address of the server that contains the file to download, the name of the file and the path on the server where it is located. For SFTP and SCP, provide the user name and password. 6 Click Apply to begin the download.
File Upload Use the File Upload: Detail page to upload configuration (ASCII), image (binary), IAS user, operational log, and startup log files from the switch to a remote server. To display the File Upload: Detail page, click System File Management File Upload in the navigation panel. Figure 14-6. File Upload Uploading Files To upload a file from the switch to a remote system: 1 Open the File Upload page. 2 Select the type of file to download to the remote server. 3 Select the transfer mode.
4 To upload by using HTTP, click Apply. A dialog box opens to allow you to open or save the file. Figure 14-7. File Upload 5 To upload by using any method other than HTTP, enter the IP address of the server and specify a name for the file. For SFTP and SCP, provide the user name and password. 6 Click Apply to begin the upload. NOTE: For some file uploads and methods, the page refreshes and a transfer status field appears to indicate the number of bytes transferred.
Copy Files Use the Copy Files page to: • Copy the active firmware image to one or all members of a stack. • Copy the running, startup, or backup configuration file to the startup or backup configuration file. • Restore the running configuration to the factory default settings. To display the Copy Files page, click System File Management Copy Files in the navigation panel. Figure 14-8.
Managing Images and Files (CLI) This section provides information about the commands you use to upload, download, and copy files to and from the Dell EMC Networking N-Series switches. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. It also describes the commands that control the Auto Configuration feature.
Downloading and Activating a New Image (TFTP)
Use the following commands to download a new firmware image to the switch and to make it the active image. This example shows how to use TFTP to download the image.
Command: copy tftp://{ip-address|hostname}/path/file-name {active | backup}
Purpose: Use TFTP to download the firmware image at the specified source to the non-active image. If the image file is in the TFTP file system root (download path), you do not need to specify the path in the command.
Managing Files in Internal Flash Use the following commands to copy, rename, delete and list the files in the internal flash. Command Purpose dir [filepath] List the files in the flash file system. copy flash://filename usb://filename Copy a file from the internal flash to a USB flash drive. Use the dir command to see a list of the files that can be copied from the internal flash. Make sure a flash drive has been inserted in the USB port on the front panel before executing the command.
Managing Files on a USB Flash Device Use the following commands to manage files that are on a USB device that is plugged into the USB flash port on the front panel of the switch.
Uploading a Configuration File (SCP) Use the following commands to upload a configuration file from the switch to a remote system by using SCP. Command Purpose copy file scp://user@{ip- Copy a file from the switch using SCP.
Managing Configuration Scripts (SFTP)
Use the following commands to download a configuration script from a remote system to the switch, validate the script, and activate it.
NOTE: The startup-config and backup-config files are essentially configuration scripts and can be validated and applied by using the commands in this section.
Command: copy sftp://user@{ip-address|hostname}/path
Purpose: Downloads the specified script from the remote server to the switch.
File and Image Management Configuration Examples This section contains the following examples: • Upgrading the Firmware • Managing Configuration Scripts Upgrading the Firmware This example shows how to download a firmware image to the switch and activate it. The TFTP server in this example is PumpKIN, an open source TFTP server running on a Windows system. • TFTP server IP address: 10.27.65.103 • File path: \image • File name: dell_0308.
Figure 14-9. Image Path
3 View information about the current image.
console#show version
Machine Description............ Dell Networking Switch
System Model ID................ N2128PX
Machine Type................... Dell EMC Networking N2128PX-ON
Serial Number.....................
Manufacturer................... 0xbc00
Burned In MAC Address.......... 1418.770C.9DD8
System Object ID............... 1.3.6.1.4.1.674.10895.3077
SOC Version.................... BCM56547_A0
HW Version.....................
Server IP Address.............................. 10.27.65.103
Source File Path............................... images/
Source Filename................................ dell_0308.stk
Data Type...................................... Code
Destination Filename........................... active
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n)
5 Activate the new image (backup) so that it becomes the active image after the switch resets.
8 Reset the switch to boot the system with the new image. console#reload Are you sure you want to continue? (y/n)y Reloading all switches... Managing Configuration Scripts This example shows how to create a configuration script that adds three hostname-to-IP address mappings to the host table. To configure the switch: 1 Open a text editor on an administrative computer and type the commands as if you were entering them by using the CLI. Figure 14-10. Create Config Script 2 Save the file with an *.
Source File Path............................... ./
Source Filename................................ labhost.scr
Data Type...................................... Config Script
Destination Filename........................... labhost.scr
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n)
4 After you confirm the download information and the script successfully downloads, it is automatically validated for correct syntax.
6 Verify that the script was successfully applied.
console#show hosts
Host name: jmclendon
Default domain: rtp.dell.com
Name/address lookup is enabled
DNS source interface :Default
Name servers (Preference order): 192.168.3.20, 192.168.3.21
Configured host name-to-address mapping:
Host                     Addresses
------------------------ -----------------------------------
labpc1                   192.168.3.56
labpc2                   192.168.3.58
labpc3                   192.168.3.
3 Copy the running-config to the USB flash drive.
console#copy running-config usb://rc_backup.scr
Mode............................. Binary
Data Type........................ Config Script
Source Filename.................. temp-config.scr
Management access will be blocked for the duration of the transfer
Are you sure you want to start? (y/n) y
4 Download the new image from the USB flash drive to the switch. The image overwrites the backup image.
console#copy usb://new_image.stk backup
Mode...................
15 DHCP and USB Auto-Configuration
Dell EMC Networking N-Series Switches
The topics covered in this chapter include: • Auto Configuration Overview • What Are the Dependencies for DHCP Auto Configuration? • Default Auto Configuration Values • Managing Auto Configuration (Web) • Managing Auto Configuration (CLI) • Auto Configuration Example
Auto Configuration Overview
The Auto Configuration feature can automatically update the firmware image and obtain configuration information when the switch bo
NOTE: Neither USB Configuration nor Auto Install is invoked if a saved startup configuration file is on the switch. What Is USB Auto Configuration? The USB Auto Configuration feature can be used to configure or upgrade one or more switches that have not been previously configured, such as when new switches are deployed.
files exist, the switch uses the dellswitch.text file. If only a *.stk file is present, the switch checks the .stk file version and loads it into the backup image if the version is later than the current active image. If multiple *.stk files are present, the switch checks the image with the highest (most recent) version. Finally, if no *.setup, *.text, or *.stk files are found, the switch proceeds to the DHCP Auto Configuration process.
different IP addresses to be assigned, but the same configuration file or image is downloaded to multiple switches. Alternatively, the line may contain a specific configuration or image file name, or both. After the current switch has been configured and/or upgraded and the completion message is displayed on the switch, the current line in the *.setup text file will be marked as used. This allows using the *.setup file for additional switches without manually changing the file.
single image for all switches being upgraded, it is not necessary to include the image file name in the .setup file as long as it is present on the USB device. The specified image file should exist on the USB device. What Is the Setup File Format? The setup file must have a *.setup extension or this part of the Auto Configuration process will never begin. If there are multiple .setup files located on the USB device, the dellswitch.setup file will be utilized. If no dellswitch.
Auto Configuration is successful when an image or configuration file is downloaded to the switch or stack master from a TFTP server and processed. NOTE: The downloaded configuration file is not automatically saved to startup-config. You must explicitly issue a save request (copy running-config startup-config) in order to save the configuration. If the downloaded configuration is not saved to the startup-config, DHCP auto configuration will be done every time the DHCP lease expires.
• Domain Name - Option 15
• NTP Server - Option 42
When a DHCP OFFER identifies the TFTP server more than once, the DHCP client selects one of the options in the following order: sname, option 66, option 150, siaddr. If the TFTP server is identified by hostname, a DNS server is required to translate the name to an IP address.
or mytftpserverpath/N3000_N2000v6.3.0.1.stk Option 125 also supports sub-option 6, which is the path to a configuration file on the TFTP server. Only the path name is relevant. Configure the DHCP server to use vendor ID 674 and the required sub-option 6 and a hexadecimal encoded ASCII path value. If sub-option 6 is specified, the switch attempts to download the configuration file .cfg using the DHCP-supplied host name (DHCP option 12).
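The "hexadecimal encoded" value that a DHCP server needs for option 125 with vendor ID 674 can be built and checked as follows. This is an added example, not part of the Dell guide: it assumes the RFC 3925 layout for option 125 (4-byte enterprise number, 1-byte data length, then code/length/value sub-options), and the function names and the config path are constructed for illustration.

```python
import struct

DELL_ENTERPRISE_ID = 674   # vendor ID given in the guide
SUBOPT_IMAGE_PATH = 5      # sub-option 5: image path on the TFTP server
SUBOPT_CONFIG_PATH = 6     # sub-option 6: configuration file path
MAX_OPTION_LEN = 255       # one DHCP option carries at most 255 value bytes


def encode_option125(suboptions, enterprise_id=DELL_ENTERPRISE_ID):
    """Build the option 125 value (the bytes after the code and length octets)."""
    body = b""
    for code, path in sorted(suboptions.items()):
        data = path.encode("ascii")  # raises on non-ASCII characters
        if not 0 < len(data) <= 255:
            raise ValueError(f"sub-option {code}: length {len(data)} out of range")
        body += bytes([code, len(data)]) + data
    if len(body) + 5 > MAX_OPTION_LEN:
        raise ValueError("sub-options do not fit in a single option 125")
    return struct.pack("!IB", enterprise_id, len(body)) + body


def decode_option125(value):
    """Parse an option 125 value into {enterprise_id: {sub-option code: bytes}}.

    Raises ValueError on any truncated or inconsistent length field, so a
    malformed capture is reported instead of being partially trusted.
    """
    result = {}
    pos = 0
    while pos < len(value):
        if len(value) - pos < 5:
            raise ValueError("truncated enterprise header")
        enterprise_id, data_len = struct.unpack_from("!IB", value, pos)
        pos += 5
        block = value[pos:pos + data_len]
        if len(block) != data_len:
            raise ValueError("enterprise data shorter than its length field")
        pos += data_len
        subs = result.setdefault(enterprise_id, {})
        i = 0
        while i < len(block):
            if len(block) - i < 2:
                raise ValueError("truncated sub-option header")
            code, sub_len = block[i], block[i + 1]
            data = block[i + 2:i + 2 + sub_len]
            if len(data) != sub_len:
                raise ValueError(f"sub-option {code} shorter than its length field")
            subs[code] = data
            i += 2 + sub_len
    return result


def dell_paths(value):
    """Return the vendor-674 sub-options of an option 125 value as readable text."""
    subs = decode_option125(value).get(DELL_ENTERPRISE_ID, {})
    names = {SUBOPT_IMAGE_PATH: "image_path", SUBOPT_CONFIG_PATH: "config_path"}
    return {names.get(code, f"subopt_{code}"): data.decode("ascii", "replace")
            for code, data in subs.items()}


def to_hex(value, sep=":"):
    """Format bytes as separated hex, the form many DHCP servers accept."""
    return sep.join(f"{b:02x}" for b in value)


if __name__ == "__main__":
    # Image path from the guide's example; the config path is constructed.
    value = encode_option125({
        SUBOPT_IMAGE_PATH: "mytftpserverpath/N3000_N2000v6.3.0.1.stk",
        SUBOPT_CONFIG_PATH: "configs/site-a",
    })
    print(to_hex(value))
    print(dell_paths(value))
```

Running dell_paths() over the option 125 bytes taken from a packet capture shows which image and configuration paths a DHCP server is actually handing to unconfigured switches.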
Obtaining the Configuration File If the DHCP OFFER identifies a specific configuration file, either as option 67 or in the file field of the DHCP header, the switch attempts to download a network configuration file. NOTE: The configuration file is required to have a file name that matches the following pattern: "*.cfg" The TFTP client makes three unicast requests if the TFTP server is reachable.
If the switch is unable to map its IP address to a hostname, or no configuration file has been downloaded, Auto Configuration sends up to three TFTP requests for the default host-specific configuration file host.cfg. Table 15-1 summarizes the config files that may be downloaded and the order in which they are sought. Table 15-1. Configuration File Possibilities Order Sought File Name Description Final File Sought 1 bootfile.cfg Host-specific config file, ending in a *.
Monitoring and Completing the DHCP Auto Configuration Process
When the switch boots and triggers an Auto Configuration, a message displays on the console screen to indicate that the process is starting. After the process completes, the Auto Configuration process writes a log message. When Auto Configuration has successfully completed, the show running-config command can be used to validate the contents of the configuration.
A file is not automatically deleted after it is downloaded. The file does not take effect upon a reboot unless you explicitly save the configuration (the saved configuration takes effect upon reboot). If you do not save the configuration downloaded by the Auto Configuration feature, the Auto Configuration process occurs again on a subsequent reboot or when the DHCP lease expires. This may result in one of the previously downloaded files being overwritten.
Default Auto Configuration Values
Table 15-3 describes the Auto Configuration defaults.
Table 15-3. Auto Configuration Defaults
Feature | Default | Description
Auto Install Mode | Enabled | When the switch boots and no saved configuration is found, the Auto Configuration automatically begins.
Retry Count | 3 | When the DHCP or BootP server returns information about the TFTP server and bootfile, the switch makes three unicast TFTP requests for the specified bootfile.
Managing Auto Configuration (Web) This section provides information about the OpenManage Switch Administrator pages to use to manage images and files on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Managing Auto Configuration (CLI)
This section provides information about the commands you use to manage the Auto-Install Configuration feature on the switch. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Auto Configuration Example A network administrator is deploying three Dell EMC Networking N-Series switches and wants to quickly and automatically install the latest image and a common configuration file that configures basic settings such as VLAN creation and membership, RADIUS server settings, and 802.1X information. The configuration file also contains the command boot host auto-save so that the downloaded configuration is automatically saved to the startup config.
4 Create a setup file named dellswitch.setup. The setup file contains the following lines:
192.168.0.1 255.255.255.0 switchA.txt N2000v6.1.0.1.stk
192.168.0.2 255.255.255.0 switchB.txt N2000v6.2.0.1.stk
192.168.0.3 255.255.255.0 switchC.txt N2000v6.2.0.1.stk
5 Copy the dellswitch.setup file to the USB device.
6 Connect the USB device to Switch A.
7 Insert the USB device into the USB port on the front panel of Switch A.
8 Power on Switch A.
1 Create a default config file for the switches named host.cfg. The host.cfg file contains the path and name of the image file on the TFTP server (option 125, sub-option 5). For information about creating configuration files, see Images and File Management. 2 Upload the host.cfg file to the TFTP server. 3 Upload the image file to the TFTP server.
Easy Firmware Upgrade via USB
If a USB device is detected during bootup and there is an image on the USB device (and no .setup files and no .text files), and the switch has no saved startup config file, then the image version on the USB device is checked against the active image version on the switch. If a newer image version is found on the USB device, the image is copied to the switch backup image and the switch reloads using the new image.
1 Copy the startup-config file to the backup-config; e.g.
16 Monitoring Switch Traffic
Dell EMC Networking N-Series Switches
This chapter describes sFlow features, Remote Monitoring (RMON), and Port Mirroring features. The topics covered in this chapter include:
• Traffic Monitoring Overview
• Default Traffic Monitoring Values
• Monitoring Switch Traffic (Web)
• Monitoring Switch Traffic (CLI)
• Traffic Monitoring Examples
Traffic Monitoring Overview
The switch maintains statistics about network traffic that it handles.
from monitored devices. sFlow datagrams forward sampled traffic statistics to the sFlow Collector for analysis. Up to eight different sFlow receivers can be specified to which the switch sends sFlow datagrams.
Figure 16-1. sFlow Architecture
The advantages of using sFlow are:
• It is possible to monitor all ports of the switch continuously, with no impact on the distributed switching performance.
• Minimal memory/CPU is required.
sFlow Sampling The sFlow Agent in the Dell EMC Networking software uses two forms of sampling: • Statistical packet-based sampling of switched or routed Packet Flows • Time-based sampling of counters Packet Flow Sampling and Counter Sampling are performed by sFlow Instances associated with individual Data Sources within an sFlow Agent. Both types of samples are combined in sFlow datagrams. Packet Flow Sampling creates a steady, but random, stream of sFlow datagrams that are sent to the sFlow Collector.
• When a sample is taken, the counter indicating how many packets to skip before taking the next sample is reset. The value of the counter is set to a random integer where the sequence of random integers used over time is the Sampling Rate. Counter Sampling The primary objective of Counter Sampling is to efficiently, periodically export counters associated with Data Sources. A maximum Sampling Interval is assigned to each sFlow instance associated with a Data Source.
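The skip-counter behaviour of Packet Flow Sampling described above can be simulated to see what a collector can and cannot recover from the samples. This is an added example, not code from the Dell guide or the switch firmware: it assumes the skip count is drawn uniformly from 1 to 2N-1 so that its mean equals the Sampling Rate N, and the traffic mix (one bulk flow plus many 5-packet flows) is constructed.

```python
import random
from collections import Counter


class SkipCountSampler:
    """Packet flow sampler driven by a 'packets to skip' counter."""

    def __init__(self, sampling_rate, rng):
        self.rate = sampling_rate
        self.rng = rng
        self.total = 0      # packets observed at the data source
        self.samples = 0    # packets actually sampled
        self._skip = self._next_skip()

    def _next_skip(self):
        # Assumption: uniform on 1..2N-1, so skip counts average N.
        return self.rng.randint(1, 2 * self.rate - 1)

    def observe(self):
        """Count one packet; return True if it is the one to sample."""
        self.total += 1
        self._skip -= 1
        if self._skip == 0:
            self.samples += 1
            self._skip = self._next_skip()  # reset after every sample
            return True
        return False


def simulate(sampling_rate=100, bulk_packets=150_000, short_flows=1_000,
             packets_per_short_flow=5, seed=7):
    """Run the sampler over a constructed traffic mix and summarise the result."""
    rng = random.Random(seed)
    packets = ["bulk"] * bulk_packets
    for i in range(short_flows):
        packets += [f"short-{i}"] * packets_per_short_flow
    rng.shuffle(packets)  # interleave the flows on the wire

    sampler = SkipCountSampler(sampling_rate, rng)
    sampled = Counter(flow for flow in packets if sampler.observe())
    return {
        "total_packets": sampler.total,
        "samples": sampler.samples,
        # A collector scales sample counts by the sampling rate.
        "estimated_total": sampler.samples * sampling_rate,
        "estimated_bulk": sampled["bulk"] * sampling_rate,
        "short_flows": short_flows,
        "short_flows_seen": sum(1 for flow in sampled if flow != "bulk"),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>18}: {value}")
```

Scaled sample counts track the total and the bulk flow closely, while only a small fraction of the short flows produce any sample at all, which matters when sFlow data is used to look for brief connections.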
• Specify the network management system IP address or permit management access from all IP addresses.
For more information about configuring SNMP, see "SNMP" on page 473.
The RMON agent in the switch supports the following groups:
• Group 1—Statistics. Contains cumulative traffic and error statistics.
• Group 2—History. Generates reports from periodic traffic sampling that are useful for analyzing trends.
• Group 3—Alarm. Enables the definition and setting of thresholds for various counters.
in spanning tree, IGMP/MLD snooping, or GVRP; do not learn MAC addresses (learned MAC addresses are purged); do not participate in routing (route entries are purged); and do not utilize any static filter configuration. Incoming packets are dropped. Probe ports “lose” their VLAN membership, i.e. they do not forward/flood packets based on VLAN membership. Changing VLAN membership does not affect a probe port until the port is removed from probe status.
The packet that is mirrored to the destination port is normally in the same format as the original packet on the wire, except as noted in the following section: Port Mirroring Behaviors. This means that the mirrored packet is VLAN tagged or untagged as it was received/transmitted on the source port. Destinations include physical interfaces and RSPAN VLANs. Mirrored traffic is subject to the same QoS constraints as normal traffic.
• When port mirroring is enabled, all MAC address entries associated with destination ports are purged. This prevents transmitting packets out of the port that are not seen on the mirrored port. If spanning tree is enabled, this is treated as a topology change.
• The spanning tree protocol is disabled on destination ports such that frames are always received from or transmitted out of the port as soon as the port is up (spanning tree status is forwarding and role is disabled).
processing stage. This means that on egress, packets may not appear as they do on the wire if processing such as VLAN or CoS value rewriting is programmed. RSPAN Administrators should consider reserving a few VLANs across the network for the exclusive use of RSPAN. The RSPAN VLANs should only be configured on the reflector interfaces (generally the uplink/transit/downlink interface). Each RSPAN session must use a unique reflector port, destination port, and RSPAN VLAN.
The reflector port must be configured as the only member of the RSPAN VLAN on the source switch. The source interface must be configured as the only member of the RSPAN VLAN on the destination switch. Configuring a source that mirrors to the RSPAN VLAN on the destination switch is not supported. RSPAN intermediate switches may also be configured with multiple source ports feeding into an existing RSPAN VLAN.
Why is Traffic Monitoring Needed? Monitoring the traffic that the switch handles, as well as monitoring all traffic in the network, can help provide information about network performance and utilization. This information can be useful in network planning and resource allocation. Information about traffic flows can also help troubleshoot problems in the network. Default Traffic Monitoring Values The sFlow agent is enabled by default, but sampling and polling are disabled on all ports.
Monitoring Switch Traffic (Web) This section provides information about the OpenManage Switch Administrator pages to use to monitor network traffic on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. sFlow Agent Summary Use the sFlow Agent Summary page to view information about sFlow MIB and the sFlow Agent IP address.
sFlow Receiver Configuration Use the sFlow Receiver Configuration page to configure settings for the sFlow receiver to which the switch sends sFlow datagrams. Up to eight sFlow receivers can be configured to receive datagrams. To display the Receiver Configuration page, click System sFlow Receiver Configuration in the navigation panel. Figure 16-3. sFlow Receiver Configuration Click Show All to view information about configured sFlow receivers.
sFlow Sampler Configuration Use the sFlow Sampler Configuration page to configure the sFlow sampling settings for switch ports. To display the Sampler Configuration page, click System sFlow Sampler Configuration in the navigation panel. Figure 16-4. sFlow Sampler Configuration Click Show All to view information about configured sampler data sources.
sFlow Poll Configuration Use the sFlow Poll Configuration page to configure how often a port should collect counter samples. To display the Poll Configuration page, click System sFlow Poll Configuration in the navigation panel. Figure 16-5. sFlow Poll Configuration Click Show All to view information about the ports configured to collect counter samples.
Interface Statistics Use the Interface Statistics page to display statistics for both received and transmitted packets. The fields for both received and transmitted packets are identical. To display the page, click Statistics/RMON Table Views Interface Statistics in the navigation panel. Figure 16-6.
Etherlike Statistics Use the Etherlike Statistics page to display interface statistics. To display the page, click Statistics/RMON Table Views Etherlike Statistics in the navigation panel. Figure 16-7.
GVRP Statistics Use the GVRP Statistics page to display switch statistics for GVRP. To display the page, click Statistics/RMON Table Views GVRP Statistics in the navigation panel. Figure 16-8.
EAP Statistics Use the EAP Statistics page to display information about EAP packets received on a specific port. For more information about EAP, see "Port and System Security" on page 669. To display the EAP Statistics page, click Statistics/RMON Table Views EAP Statistics in the navigation panel. Figure 16-9.
Utilization Summary Use the Utilization Summary page to display interface utilization statistics. To display the page, click Statistics/RMON Table Views Utilization Summary in the navigation panel. Figure 16-10.
Counter Summary Use the Counter Summary page to display interface utilization statistics in numeric sums as opposed to percentages. To display the page, click Statistics/RMON Table Views Counter Summary in the navigation panel. Figure 16-11.
Switchport Statistics Use the Switchport Statistics page to display statistical summary information about switch traffic, address tables, and VLANs. To display the page, click Statistics/RMON Table Views Switchport Statistics in the navigation panel. Figure 16-12.
RMON Statistics Use the RMON Statistics page to display details about switch use such as packet processing statistics and errors that have occurred on the switch. To display the page, click Statistics/RMON RMON Statistics in the navigation panel. Figure 16-13. RMON Statistics RMON History Control Statistics Use the RMON History Control page to maintain a history of statistics on each port.
To display the page, click Statistics/RMON RMON History Control in the navigation panel. Figure 16-14. RMON History Control Adding a History Control Entry To add an entry: 1 Open the RMON History Control page. 2 Click Add. The Add History Entry page displays.
Figure 16-15. Add History Entry 3 Select the port or LAG on which you want to maintain a history of statistics. 4 Specify an owner, the number of historical buckets to keep, and the sampling interval. 5 Click Apply to add the entry to the RMON History Control Table. To view configured history entries, click the Show All tab. The RMON History Control Table displays. Configured history entries can be removed using this page.
RMON History Table Use the RMON History Table page to display interface-specific statistical network samplings. Each table entry represents all counter values compiled during a single sample. To display the RMON History Table page, click Statistics/RMON RMON History Table in the navigation panel. Figure 16-16.
RMON Event Control Use the RMON Events Control page to define RMON events. Events are used by RMON alarms to force some action when a threshold is crossed for a particular RMON counter. The event information can be stored in a log and/or sent as a trap to a trap receiver. To display the page, click Statistics/RMON RMON Event Control in the navigation panel. Figure 16-17. RMON Event Control Adding an RMON Event To add an event: 1 Open the RMON Event Control page. 2 Click Add.
Figure 16-18. Add an Event Entry 3 If the event sends an SNMP trap, specify the SNMP community to receive the trap. 4 Optionally, provide a description of the event and the name of the event owner. 5 Select an event type. 6 Click Apply. The event is added to the RMON Event Table, and the device is updated. Viewing, Modifying, or Removing an RMON Event To manage an event: 1 Open the RMON Event Control page. 2 Click Show All to display the Event Control Table page.
RMON Event Log Use the RMON Event Log page to display a list of RMON events. To display the page, click Statistics/RMON RMON Events Log in the navigation panel. Figure 16-19.
RMON Alarms Use the RMON Alarms page to set network alarms. Alarms occur when certain thresholds are crossed for the configured RMON counters. The alarm triggers an event to occur. The events can be configured as part of the RMON Events group. For more information about events, see "RMON Event Log" on page 593. To display the page, click Statistics/RMON RMON Alarms in the navigation panel. Figure 16-20.
Adding an Alarm Table Entry To add an alarm: 1. Open the RMON Alarms page. 2. Click Add. The Add an Alarm Entry page displays. Figure 16-21. Add an Alarm Entry 3. Complete the fields on this page as needed. Use the help menu to learn more information about the data required for each field. 4. Click Apply. The RMON alarm is added, and the device is updated. To view configured alarm entries, click the Show All tab. The Alarms Table displays. Configured alarms can be removed using this page.
Port Statistics Use the Port Statistics page to chart port-related statistics on a graph. To display the page, click Statistics/RMON Charts Port Statistics in the navigation panel. Figure 16-22. Ports Statistics To chart port statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
LAG Statistics Use the LAG Statistics page to chart LAG-related statistics on a graph. To display the page, click Statistics/RMON Charts LAG Statistics in the navigation panel. Figure 16-23. LAG Statistics To chart LAG statistics, select the type of statistics to chart and (if desired) the refresh rate, then click Draw.
Port Mirroring Use the Port Mirroring page to create a mirroring session in which all traffic that is sent or received (or both) on one or more source ports is mirrored to a destination port. To display the Port Mirroring page, click Switching Ports Traffic Mirroring Port Mirroring in the navigation panel. Figure 16-24. Port Mirroring Configuring a Port Mirror Session To configure port mirroring: 1 Open the Port Mirroring page. 2 Click Add. The Add Source Port page displays.
Figure 16-25. Add Source Port 5 Click Apply. 6 Repeat the previous steps to add additional source ports. 7 Click Port Mirroring to return to the Port Mirroring page. 8 Enable the administrative mode and specify the destination port. Figure 16-26. Configure Additional Port Mirroring Settings 9 Click Apply.
Monitoring Switch Traffic (CLI)
This section provides information about the commands you use to manage traffic monitoring features on the switch and to view information about switch traffic. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command | Purpose
sflow rcvr-index polling if_type if_number poll-interval | Enable a new sFlow poller instance on an interface range.
• rcvr-index — The sFlow Receiver associated with the poller (Range: 1–8).
• if_type if_number — The list of interfaces to poll. The interface type can be Gigabitethernet (gi) or Tengigabitethernet (te), for example te1/0/3-5 enables polling on ports 3, 4, and 5.
• poll-interval — The sFlow instance polling interval.
Command | Purpose
sflow rcvr-index sampling sampling-rate [size] | Enable a new sFlow sampler instance for the interface.
show sflow agent | View information about the switch sFlow agent.
show sflow index destination | View information about configured sFlow receivers.
show sflow index polling | View information about the configured sFlow poller instances for the specified receiver.
show sflow index sampling | View information about the configured sFlow sampler instances for the specified receiver.
Command | Purpose
rmon alarm number variable interval {absolute | delta} rising-threshold value [event-number] falling-threshold value [event-number] [startup direction] [owner string] | Add an alarm entry.
• number — The alarm index. (Range: 1–65535)
• variable — A fully qualified SNMP object identifier that resolves to a particular instance of an MIB object.
• interval — The interval in seconds over which the data is sampled and compared with the rising and falling thresholds.
Command | Purpose
rmon collection history index [owner ownername] [buckets bucket-number] [interval seconds] | Enable an RMON MIB history statistics group on the interface.
NOTE: You must configure RMON alarms and events before RMON collection history is able to display.
• index — The requested statistics index group. (Range: 1–65535)
• ownername — Records the RMON statistics group owner name. If unspecified, the name is an empty string.
Command | Purpose
show interfaces traffic [interface-id] | Display the current TX and RX queue congestion and congestion discards.
Configuring Port Mirroring
Use the following commands in Privileged Exec mode to configure a port mirroring session.
Command | Purpose
configure | Enter Global Configuration mode.
monitor session session_number source interface {interface-id} [rx | tx | both] | Configure a source (monitored) port or CPU interface for a monitor session.
Configuring RSPAN
RSPAN is an extension of port mirroring that operates across multiple switches. Mirrored traffic is tagged with the RSPAN VLAN and is flooded in the RSPAN VLAN. This allows considerable flexibility in the placement of probe ports. Use the following commands in Privileged Exec mode to configure RSPAN. Remember to assign VLANs to physical interfaces (steps not shown).
Configuring RSPAN (Source Switch)
Command | Purpose
configure | Enter Global Configuration mode.
Command | Purpose
monitor session session-number destination {interface interface-id | remote vlan rspan-vlan-id reflector-port interface-id} | Configure a local RSPAN reflector port on the source switch. The reflector port should be configured as a trunk port.
monitor session session_number mode | Enable the administrative mode for the configured port mirroring session to start sending the traffic from the source port to the destination (probe) port.
exit | Exit to Privileged Exec mode.
Command | Purpose
monitor session session_id source remote vlan vlan_id | Configure a source RSPAN VLAN on the destination switch.
monitor session session_id destination interface interface | Configure the destination port on the RSPAN destination switch.
monitor session session_id mode | Enable the monitor session.
Configuring RSPAN (Filtering Traffic)
Command | Purpose
configure | Enter Global Configuration mode.
vlan vlan-id | Create a VLAN.
remote-span | Configure the VLAN as an RSPAN VLAN.
Command | Purpose
interface Te1/0/1 | Enter Interface Configuration mode for interface Te1/0/1 (the source interface).
switchport mode trunk | Configure the source as a trunk port (multiple VLANs).
switchport trunk allowed vlan remove vlan-id | Remove the RSPAN VLAN from the source port.
exit | Exit to Global Configuration mode.
interface Te1/0/24 | Enter Interface Configuration mode for interface Te1/0/24 (the RSPAN reflector port).
Traffic Monitoring Examples This section contains the following examples: • Showing Interface Traffic • Configuring sFlow • Configuring RMON • Configuring Remote Capture • Configuring RSPAN Showing Interface Traffic Use the show interfaces utilization and show interfaces traffic commands to display information about interface traffic and internal packet buffer usage. The following are examples of the output of these commands.
console#show interfaces utilization Port ------Gi1/0/1 Gi1/0/2 Gi1/0/3 Gi1/0/4 Gi1/0/5 Gi1/0/6 Gi1/0/7 Gi1/0/8 Load Interval -------300 300 300 300 300 300 300 300 Oper.
Receiver Index.................... Owner String...................... Time out.......................... IP Address:....................... Address Type...................... Port.............................. Datagram Version.................. Maximum Datagram Size............. 1 receiver1 99994 192.168.30.
Configuring RMON
This example generates a trap and creates a log entry when the number of inbound packets that are undeliverable due to errors increases by 20 or more. First, an RMON event is created. Then, the alarm is created. The event (event 1) generates a trap and creates a log entry. The alarm is configured for the MIB object ifInErrors (OID: 1.3.6.1.2.1.2.2.1.14.1). The OID is the variable.
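How a delta alarm on ifInErrors with a rising threshold of 20 evaluates successive counter readings is shown below. This is an added example, not part of the Dell guide: it assumes the rising/falling hysteresis defined for the RMON alarm group in RFC 2819 and a startup direction of rising-or-falling, and the falling threshold of 1 and all counter readings are constructed.

```python
COUNTER32_MOD = 2 ** 32  # ifInErrors is a 32-bit counter that wraps to zero


def evaluate_alarm(readings, rising, falling, sample_type="delta"):
    """Return the alarm events produced by one counter reading per interval.

    Each event is (reading index, "rising" or "falling", sampled value).
    After a rising event, no further rising event is generated until the
    sampled value has dropped to the falling threshold, and vice versa.
    """
    events = []
    previous = None      # last raw counter reading (delta mode only)
    last_event = None    # direction of the most recent event
    for index, reading in enumerate(readings):
        if sample_type == "delta":
            if previous is None:
                previous = reading   # first reading only sets the baseline
                continue
            # Modular subtraction keeps the delta correct across a wrap.
            value = (reading - previous) % COUNTER32_MOD
            previous = reading
        else:
            value = reading          # absolute mode compares the raw value
        if value >= rising and last_event != "rising":
            last_event = "rising"
            events.append((index, "rising", value))
        elif value <= falling and last_event != "falling":
            last_event = "falling"
            events.append((index, "falling", value))
    return events


# Constructed ifInErrors readings, one per sampling interval.
ERROR_BURSTS = [100, 105, 130, 160, 161, 161, 200]
# A sustained problem whose per-interval increase dips but never reaches
# the falling threshold: only the first crossing raises an event.
SUSTAINED = [0, 25, 40, 65]
# A counter that wraps between two readings.
WRAPPED = [4294967290, 14]

if __name__ == "__main__":
    for name, readings in (("bursts", ERROR_BURSTS),
                           ("sustained", SUSTAINED),
                           ("wrapped", WRAPPED)):
        print(name, evaluate_alarm(readings, rising=20, falling=1))
```

The sustained case shows why the falling threshold matters for alerting: set too low, an ongoing error condition produces one trap and then stays silent until the error rate has dropped to that threshold.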
Configuring Remote Capture This example configures the switch to mirror packets transmitted and received by the switch CPU to a Wireshark client. This is useful to diagnose switch behavior and to determine if an attached device is sending properly formatted packets with correct information to the switch, or just to monitor traffic sent to the switch CPU. The capture feature can also be configured to capture to a local file in pcap format or to capture to an in-memory buffer (text format).
5 On the Capture Options dialog, click Manage Interfaces.
6 Add a new interface by giving the switch IP address and the default remote port (2002). First, select the Remote Interfaces tab and click Add. 7 Enter the switch IP address and port (2002). Choose Null authentication (default).
8 Click OK to accept the entry. 9 On the Add new interfaces dialog, click Apply and then click Close.
10 From the Wireshark:Capture Options dialog, select the remote switch and click Start. Remote Capture Caveats Remote capture over an in-band port captures the capture packets transmitted to the Wireshark client. Therefore, when using remote capture over an in-band port, it is best to configure remote capture to capture only received packets, to configure remote capture to operate over the out-of-band port, or to configure local capture to capture to the in-memory buffer or a local pcap file.
Configuring RSPAN RSPAN supports the transport of mirrored packets across the network to a remote switch. Ports may be configured as source ports, intermediate ports, or destination ports. RSPAN Source Switch This example mirrors interface gi1/0/3 to VLAN 723. VLAN 723 is the selected transit VLAN. Administrators should reserve a VLAN as the RSPAN VLAN when designing their network. The source switch requires a reflector port to carry packets to the transit switch.
RSPAN cannot use the CPU as a mirror source. Instead, configure remote capture to view packets sent to or from the switch CPU. RSPAN Transit Switch The following is an example of an RSPAN transit switch configuration. The RSPAN VLAN should be configured as a remote-span in order to disable MAC learning on the VLAN. In this case, the transit switch ports are configured as trunk ports (members of all VLANs) and may be used by other traffic.
3 Configure a mirroring session with the remote VLAN 723 as the source and interface gi1/0/1 as the destination port:
console(config)#monitor session 1 source remote vlan 723
console(config)#monitor session 1 destination interface gi1/0/1
4 Enable the mirroring session:
console(config)#monitor session 1 mode
17 iSCSI Optimization
Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches
NOTE: This feature is not available on the Dell EMC Networking N1100-ON or N1500 Series switches.
This chapter describes how to configure Internet Small Computer System Interface (iSCSI) optimization, which enables special quality of service (QoS) treatment for iSCSI traffic.
The preferential treatment of iSCSI traffic needs to be balanced against the needs of other critical data in the network. What Occurs When iSCSI Optimization Is Enabled or Disabled? The iSCSI feature is enabled on all ports by default. When iSCSI is enabled on the switch, the following actions occur: • Flow control is globally enabled, if it is not already enabled. • iSCSI LLDP monitoring starts to automatically detect Dell EqualLogic arrays.
When iSCSI CoS mode is enabled, iSCSI login sessions up to the switch limits are tracked, and data packets for those sessions are given the configured CoS treatment. iSCSI sessions in excess of the switch limits are not given the configured CoS treatment; therefore, it is not advisable to exceed the iSCSI session limit. Multiple connections within a session are counted against the session limit, even though they show in the session table as a single session.
If no iSCSI traffic is detected for a session for a configurable aging period, the session data is cleared.
How Does iSCSI Optimization Interact With Dell EqualLogic and Compellent Arrays?
The iSCSI feature includes auto-provisioning support with the ability to detect directly connected Dell EqualLogic (EQL) or Compellent SAN storage arrays and automatically reconfigure the switch to enhance storage traffic flows. The Dell EMC Networking N-Series switches use LLDP, a vendor-neutral protocol, to discover Dell SAN devices on the network. LLDP is enabled by default.
How Does iSCSI Optimization Interact with DCBx? NOTE: The DCBx feature is available on the Dell EMC Networking N4000 Series switches only. The Data Center Bridging Exchange (DCBx) component supports the reception, decoding, and transmission of the Application Priority TLV. In general, if the Application Priority TLV has been received from the configuration source, it will be transmitted to the other auto configuration ports.
NOTE: If it is desired to utilize DCBX to configure lossless transport of iSCSI using PFC, the operator MUST configure a non-default VLAN end-to-end in order to transport the VLAN priority tag and ensure proper CoS treatment on every network enabled device, including CNAs and the EQL arrays. iSCSI CoS and Priority Flow Control/Enhanced Transmission Selection Interactions NOTE: The ETS feature is available on the Dell EMC Networking N4000 Series switches only.
Default iSCSI Optimization Values
Table 17-1 shows the default values for the iSCSI optimization feature.
Table 17-1. iSCSI Optimization Defaults
Parameter | Default Value
iSCSI optimization global status | Enabled
iSCSI CoS mode | Disabled
Jumbo frames | Disabled
Spanning tree portfast | Disabled
Unicast storm control | Disabled
Classification | iSCSI packets are classified by VLAN instead of by DSCP values.
VLAN priority tag | iSCSI flows are assigned by default the highest 802.
Configuring iSCSI Optimization (Web)
This section provides information about the OpenManage Switch Administrator pages to use to configure the iSCSI features on Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
iSCSI Global Configuration
Use the Global Configuration page to configure QoS treatment for packets where the iSCSI protocol is detected.
Configuring iSCSI Optimization (CLI) This section provides information about the commands used for configuring iSCSI settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Command Purpose configure Enter Global Configuration mode. iSCSI optimization is enabled by default.
iSCSI Optimization Configuration Examples iSCSI optimization is enabled by default. The following procedure illustrates the configuration steps required if configuring iSCSI manually. Configuring iSCSI Optimization Between Servers and a Disk Array Figure 17-2 illustrates a stack of three Dell EMC Networking N-Series switches connecting two servers (iSCSI initiators) to a disk array (iSCSI targets).
The following commands show how to configure the iSCSI example depicted in Figure 17-2. Remember that iSCSI optimization is enabled by default.
1 Set the system MTU to 9216 to enable the use of jumbo frames.
console#config
console(config)#system jumbo mtu 9216
2 Optionally configure the switch to associate CoS queue 5 with detected iSCSI session traffic.
console(config)#interface range te1/0/1-4
console(config-if)#switchport mode trunk
4 Configure the DCBx port role as auto-downstream. This step automatically enables PFC and ETS on the ports using the configuration received from the other switch.
console(config-if)#lldp dcbx port-role auto-down
console(config-if)#exit
5 Enter interface configuration mode for the switch-facing ports and configure the DCBx port role as auto-up.
4 Map VLAN priority 4 onto traffic class 4.
(config)#classofservice dot1p-mapping 4 4
5 Enter Interface Configuration mode for CNA connected ports 1-4 and array connected ports 16-17.
console(config)#interface range te1/0/1-4,te1/0/16-17
6 Enable VLAN tagging to allow the CNA connected ports to carry 802.1p priority values through the network.
console(config-if)#switchport mode trunk
7 Enter datacenter bridging mode to enable PFC on the ports.
18 Port Characteristics Dell EMC Networking N-Series Switches This chapter describes how to configure physical switch port characteristics, including settings such as administrative status and maximum frame size. This chapter also describes the link dependency feature.
Table 18-1. Port Characteristics
Feature              Description
Speed                Specifies the transmission rate for frames.
Duplex mode          Specifies whether the interface supports transmission between the switch and the connected client in one direction at a time (half) or both directions simultaneously (both).
Maximum frame size   Indicates the maximum frame size that can be handled by the port.
Auto-Negotiation Dell EMC Networking N-Series switches implement IEEE 802.3 autonegotiation for 1000BASE-T, 1000BASE-X, NBASE-T and 10GBASE-T based copper interfaces. 1000BASE-X fiber interfaces also implement autonegotiation. Auto-negotiation is required to be present and enabled for 1000BASE-T, NBASE-T, and 10GBASE-T copper interfaces in order for a clock master to be selected.
a VLAN header) to 9216 bytes. Dell EMC Networking N-Series switches assume that all packets are in Ethernet format. Any device connecting to the same broadcast domain must support the same MTU. Dell EMC Networking N-Series switches do not fragment L2 or L3 forwarded traffic. Received frames larger than the system MTU are discarded. The switch will not transmit a frame larger than the system MTU. Packets originated by the switch are fragmented based upon path MTU discovery.
Link Action The link action specifies the action that the group members will take when the dependent port is down. The group members can transition to the same state as the dependent port, or they can transition to the opposite state. In other words, if the link action is down and the dependent port goes down, the member ports will go down as well. Conversely, when the link action is up and the dependent link goes down, the group member ports are enabled (brought up).
What Interface Types are Supported? The physical ports on the switch include the out-of-band (OOB) interface (Dell EMC Networking N3000, N3100-ON, and N4000 Series only) and Ethernet switch ports. The OOB interface supports a limited set of features and is for switch management only. The Ethernet switch ports support many logical features that are often supported by logical interfaces.
To enter Interface Configuration mode for a physical switch port, the following information is required:
• Type — For physical switch ports, the type is Gigabit Ethernet (gigabitethernet or gi) for 10/100/1000 Mbps Ethernet ports or 10-Gigabit Ethernet (tengigabitethernet or te) for 10,000 Mbps Ethernet ports.
• Stack member number — The unit number within the stack. The range is 1–12. The default unit number for a switch that has not been in a stack is 1.
For many features, a range of interfaces can be specified. When you enter Interface Configuration mode for multiple interfaces, the commands you execute apply to all interfaces specified in the range. To enter Interface Configuration mode for a range of interfaces, include the keyword range and specify the interfaces to configure.
Switchport Modes Each port on the Dell EMC Networking N-Series switches can be configured to be in one of the following modes: • Access — Access ports are intended to connect end-stations to the system, especially when the end-stations are incapable of generating VLAN tags. Access ports support a single VLAN (the PVID). Packets received untagged are processed as if they are tagged with the access port PVID. Packets received that are tagged with the PVID are also processed.
General mode ports may be configured to accept only tagged traffic, or only untagged traffic, or both. When ingress filtering is enabled, the frame is dropped if the port is not a member of the VLAN identified by the VLAN ID in the tag. If ingress filtering is disabled, all tagged frames are forwarded. VLAN membership rules that apply to a port are based on the switchport mode configured for the port. Table 18-2 shows the behavior of the three switchport modes. Table 18-2.
Table 18-3. Default Port Values
Feature              Description
Energy Detect mode   Enabled
EEE mode             Enabled
Link Dependency      None configured
Switchport mode      Access
The settings in Table 18-4 show recommended port settings by port type.
Table 18-4. Recommended Port Settings Port Settings 1000M Copper Auto-Neg (100,1000), Full Duplex 2.
Configuring Port Characteristics (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring port characteristics on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Port Configuration Use the Port Configuration page to define port parameters.
Configuring Multiple Ports To configure port settings on multiple ports: 1 Open the Port Configuration page. 2 Click Show All to display the Port Configuration Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings. 5 Click Apply. Figure 18-2. Configure Port Settings 6 Select the Copy Parameters From check box, and select the port with the settings to apply to other ports.
Figure 18-3. Copy Port Settings 8 Click Apply.
Link Dependency Configuration Use the Link Dependency Configuration page to create link dependency groups. The page displays the groups whether they have been configured or not. To display the Link Dependency Configuration page, click Switching Link Dependency Configuration in the navigation panel. Figure 18-4. Link Dependency Configuration Creating a Link Dependency Group To create link dependencies: 1 Open the Link Dependency Configuration page.
Figure 18-5. Link Dependency Group Configuration 6 Click Apply. The Link Dependency settings for the group are modified, and the device is updated.
Link Dependency Summary Use the Link Dependency Summary page to view all link dependencies on the system and to access the Link Dependency Configuration page. The page displays the groups whether they have been configured or not. To display the Link Dependency Summary page, click Switching Link Dependency Link Dependency Summary in the navigation panel. Figure 18-6. Link Dependency Summary To configure a group, click the Modify link associated with the ID of the group to configure.
Port Green Ethernet Configuration Use the Green Ethernet Configuration page to enable or disable energy-saving modes on each port. To display the Green Ethernet Configuration page, click System Green Ethernet Green Ethernet Configuration in the navigation panel. Figure 18-7.
Port Green Ethernet Statistics Use the Green Ethernet Statistics page to view information about per-port energy savings. To display the Green Ethernet Statistics page, click System Green Ethernet Green Ethernet Statistics in the navigation panel. Figure 18-8.
To view a summary of energy savings for the switch and all ports, click Summary. Figure 18-9. Green Ethernet Statistics Summary To view a chart that shows the estimated per-port energy savings, click Chart. Figure 18-10.
Port Green Ethernet LPI History Use the Green Ethernet LPI History page to view data about the amount of time the switch has spent in low-power idle (LPI) mode. To display the Green Ethernet LPI History page, click System Green Ethernet Green Ethernet LPI History in the navigation panel. Figure 18-11.
Configuring Port Characteristics (CLI) This section provides information about the commands used for configuring port characteristics. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Port Settings Use the following commands to configure various port settings. Command Purpose configure Enter Global Configuration mode.
Command Purpose speed {10 | 100 | 1000 | 10000 | auto [100 | 1000 | 2500 | 5000 | 10000 ]} Configure the speed of a given Ethernet interface or allow the interface to automatically detect the speed. If you use the 100, 1000, 2500, 5000, 10000 keywords with the auto keyword, the port auto-negotiates only at the specified speeds. Setting the speed without the auto keyword forces the speed to the single selected value and disables auto-negotiation.
Configuring Link Dependencies Use the following commands to configure ports that are dependent on the state of other ports. Command Purpose configure Enter Global Configuration mode. link-dependency group group_id Enter the link-dependency mode to configure a link-dependency group. add interface Add member ports to the group. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Configuring Green Features Use the following commands to configure and monitor energy-saving features for the ports and the switch. Command Purpose configure Enter Global Configuration mode. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example gigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command.
Port Configuration Examples
This section contains the following examples:
• Configuring Port Settings
• Configuring Link Dependency Groups
Configuring Port Settings
The commands in this example specify the speed for port 1 (gigabitEthernet 1/0/1) and change the system MTU size. To configure the switch:
1 Enter Interface Configuration mode for port 1.
console#configure
console(config)#interface gigabitEthernet 1/0/1
2 Change the speed settings for the port.
Configuring Link Dependency Groups
The commands in this example create two link dependency groups. Group 1 has port 3 as a member port that is dependent on port 4. The group uses the default link action, which is down. This means that if port 4 goes down, port 3 goes down. When port 4 returns to the up state, port 3 is brought back up. In Group 2, port 6 is dependent on port-channel (LAG) 1, and the link action is up. If port-channel 1 goes down, port 6 is brought up.
with the voice VLAN on ports configured for voice VLAN. When configuring an interface as an access mode port, the interface is automatically made a member of VLAN 1 by default and removed from all other VLAN memberships. Each interface can be configured separately, or a range of interfaces can be configured with the same settings. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface.
created VLANs. Trunk ports can be removed from membership in specific VLANs, including VLANs that are not yet configured on the switch. By default, the native VLAN for a trunk port is VLAN 1. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Command Purpose switchport trunk {allowed vlan vlan-list | native vlan vlan-id} Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. • allowed vlan-list — Set the list of allowed VLANs that can receive and send traffic on this interface in tagged format when in trunking mode. Separate non-consecutive VLAN IDs with a comma and no spaces. Use a hyphen to designate a range of IDs.
Configuring a Port in General Mode Use the following commands to configure an interface with full 802.1q support and configure the VLAN membership information for the interface. General mode allows the configuration of the full range of VLAN tagging, including configuring a port with no default or native VLAN. In general, it is recommended that operators use either trunk or access mode as their default behaviors better match operator expectations.
Command Purpose switchport general pvid vlan-id (Optional) Set the port VLAN ID. Untagged traffic that enters the switch through this port is tagged with the PVID. vlan-id — PVID. The selected PVID assignment must be to an existing VLAN. (Range: 1–4093). Entering a PVID value does not remove the previous PVID value from the list of allowed VLANs. switchport general acceptable-frame-type tagged-only (Optional) Specifies that the port will only accept tagged frames.
19 Port and System Security
Dell EMC Networking N-Series Switches
This chapter describes how to configure port-based and system security features, which control access to the network through the switch ports, and the denial of service (DoS) feature. The topics covered in this chapter include:
• Port-based Security—Port MAC Locking
• Denial of Service
Port-based Security—Port MAC Locking
Port MAC locking is used to enable security on a per-port basis.
Two methods are used to implement Port MAC locking: dynamic locking and static locking. Static locking further has an optional sticky mode. Dynamic locking implements a first arrival mechanism for MAC locking. The administrator specifies how many dynamic addresses may be learned on the locked port. If the limit has not been reached, then a packet with an unknown source MAC address is learned and forwarded normally. If the MAC address limit has been reached, the packet is discarded.
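The first-arrival behaviour of dynamic locking can be checked with a small model. This is an added example, not Dell code: the LockedPort class, its fields and the frame list are hypothetical and constructed here, and it assumes statically locked addresses are always accepted and do not count against the dynamic limit.

```python
import re

def norm_mac(text):
    """Normalise 0011.2233.4455, 00:11:22:33:44:55 or 00-11-22-33-44-55."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

class LockedPort:
    """Hypothetical model of one port with MAC locking enabled."""

    def __init__(self, dynamic_limit, static=()):
        self.dynamic_limit = dynamic_limit
        self.static = {norm_mac(m) for m in static}   # assumption: always allowed
        self.learned = []       # dynamically learned addresses, arrival order
        self.violations = {}    # discarded source MAC -> number of frames

    def receive(self, src_mac):
        mac = norm_mac(src_mac)
        if mac in self.static or mac in self.learned:
            return "forward"
        if len(self.learned) < self.dynamic_limit:
            self.learned.append(mac)      # limit not reached: learn and forward
            return "forward"
        self.violations[mac] = self.violations.get(mac, 0) + 1
        return "discard"                  # limit reached: unknown source dropped

def constructed_frames():
    """Constructed source-MAC sequence seen on the port, mixed notations."""
    known = ["00:11:22:33:44:55", "aa-bb-cc-00-00-01",
             "aabb.cc00.0002", "AABB.CC00.0001"]
    unknown = [f"0200.0000.{i:04x}" for i in range(1, 6)] + ["0200.0000.0003"]
    return known + unknown

def replay(port, frames):
    """Feed frames to the port and count the outcomes."""
    counts = {"forward": 0, "discard": 0}
    for mac in frames:
        counts[port.receive(mac)] += 1
    return counts

if __name__ == "__main__":
    port = LockedPort(dynamic_limit=2, static=["0011.2233.4455"])
    print(replay(port, constructed_frames()))
    print("learned:", port.learned)
    print("violations:", port.violations)
```

The violations dictionary is the part worth alerting on: a port that keeps discarding frames from many distinct sources has more devices behind it than the limit allows.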
the difference is that all sticky addresses for an interface are removed from the running-config when the interface is taken out of sticky mode. Static addresses must be removed from the running-config individually. Sticky MAC addresses appear in the running-config in the following form: switchport port-security mac-address sticky 0011.2233.4455 vlan 33 Statically locked MAC addresses appear in the running-config in the following form: switchport port-security mac-address 0011.2233.
To display the Port Security page, click Switching Network Security Port Security in the navigation panel. Figure 19-1. Network Security Port Security Configuring Port Security Settings on Multiple Ports To configure port security on multiple ports: 1 Open the Port Security page. 2 Click Show All to display the Port Security Table page. 3 In the Ports list, select the check box in the Edit column for the port to configure. 4 Select the desired settings for all ports that are selected for editing.
Figure 19-2. Configure Port Security Settings 5 Click Apply.
Configuring Port Security (CLI) Use the following commands to enable port security on an interface to limit the number of source MAC addresses that can be learned. Command Purpose configure Enter Global Configuration mode. switchport port-security Enable port-security administrative mode. Port security must be enabled globally in order to operate on any interfaces. interface interface Enter interface configuration mode for the specified interface.
Command Purpose show port-security [interface-id | all | dynamic interface-id | static interface-id | violation interface-id] View port security settings on all interfaces or the specified interface. Use the dynamic keyword to display learned MAC addresses and the static keyword to display configured MAC addresses.
Denial of Service Denial of Service (DoS) refers to the exploitation of a variety of vulnerabilities which would interrupt the service of a host or make a network unstable. Use the Denial of Service page to configure settings to help prevent DoS attacks. DoS protection is disabled by default. To display the Denial of Service page, click System Management Security Denial of Service in the navigation panel. Figure 19-3.
20 Access Control Lists
Dell EMC Networking N-Series Switches
This chapter describes how to configure Access Control Lists (ACLs), including IPv4, IPv6, and MAC ACLs. This chapter also describes how to configure time ranges that can be applied to any of the ACL types.
Depending on whether an ingress or egress ACL is applied to a port, when the traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria configured in its rules, in list order, to the fields in a packet or frame to check for matching conditions. The ACL processes the traffic based on the actions contained in the rules. ACLs are organized into access groups. Access groups are numbered in priority (lowest number has highest priority).
ACLs may be used to control traffic at layer 2, layer 3, or layer 4. MAC ACLs contain packet match criteria based on layer-2 fields in Ethernet frames. IP ACLs contain packet match criteria based on layer-3 and layer-4 fields in the packet. Dell EMC Networking N-Series switches support both IPv4 and IPv6 ACLs and support ACLs applied to up to 24 VLAN interfaces. ACL Counters Matching rules in an ACL are counted. The counts may be displayed using the show ip access-list or show mac access-list commands.
MAC access list actions include CoS queue assignment, logging, mirroring, and redirection to another port, as well as the usual permit and deny actions. It is possible to configure MAC access groups in conjunction with IP access groups on the same interface. MAC ACLs can be configured on a VLAN interface as well as a physical interface or port channel. What Are IP ACLs? IP ACLs contain filters for layers 3 and 4 on IPv4 or IPv6 traffic.
• Log — perform the logging action on the matching packet as described below. • Mirror — forward a copy of the matching packet to the designated interface. The original packet continues to be forwarded to its original destination. • Redirect — forward the matching packet to the designated interface. The original destination of the packet is ignored. • Rate limit — forward matching packets that do not exceed the rate limit. Drop packets exceeding the rate limit.
What Is the ACL Mirror Function? ACL mirroring provides the ability to send a copy of traffic that matches a permit rule to a specific physical port or LAG. Using ACLs to mirror traffic is called flow-based mirroring, since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated out of another interface.
NOTE: Adding a conflicting periodic time range to an absolute time range will cause the time range to become inactive. For example, consider an absolute time range from 8:00 AM Tuesday March 1st 2011 to 10 PM Tuesday March 1st 2011. Adding a periodic entry using the 'weekend' keyword will cause the time-range to become inactive because Tuesdays are not on the weekend. A named time range can contain up to 10 configured time ranges. Only one absolute time range can be configured per time range.
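The conflict described in the note can be detected before a time range is attached to a rule. The following is an added example, not Dell code: the TimeRange class and its method names are hypothetical, periodic entries are assumed to start and end on the same day, and the absolute entry is assumed to count toward the limit of 10.

```python
from datetime import datetime, time, timedelta

WEEKEND = frozenset({5, 6})   # datetime.weekday(): Saturday = 5, Sunday = 6
MAX_ENTRIES = 10              # entries per named time range (from the text)

class TimeRange:
    """Hypothetical model of a named time range."""

    def __init__(self, name):
        self.name = name
        self.absolute = None      # (start, end) datetimes
        self.periodic = []        # (weekdays, start time, end time)

    def _check_room(self):
        # Assumption: the absolute entry counts toward the 10-entry limit.
        if len(self.periodic) + (self.absolute is not None) >= MAX_ENTRIES:
            raise ValueError("a named time range holds at most 10 entries")

    def set_absolute(self, start, end):
        if self.absolute is not None:
            raise ValueError("only one absolute entry per time range")
        self._check_room()
        self.absolute = (start, end)

    def add_periodic(self, days, start, end):
        self._check_room()
        self.periodic.append((frozenset(days), start, end))

    def active(self, now):
        """Inside the absolute window and, if any exist, inside a periodic entry."""
        if self.absolute and not self.absolute[0] <= now <= self.absolute[1]:
            return False
        if not self.periodic:
            return True
        return any(now.weekday() in days and start <= now.time() <= end
                   for days, start, end in self.periodic)

    def can_ever_be_active(self):
        """False when no periodic entry overlaps the absolute window."""
        if not self.absolute or not self.periodic:
            return True
        a_start, a_end = self.absolute
        day = a_start.date()
        while day <= a_end.date():
            for days, start, end in self.periodic:
                if day.weekday() in days:
                    lo = max(a_start, datetime.combine(day, start))
                    hi = min(a_end, datetime.combine(day, end))
                    if lo <= hi:
                        return True
            day += timedelta(days=1)
        return False

def note_example():
    """The case from the note: Tuesday March 1st 2011, 8:00 AM to 10 PM."""
    tr = TimeRange("constructed-example")
    tr.set_absolute(datetime(2011, 3, 1, 8, 0), datetime(2011, 3, 1, 22, 0))
    return tr

if __name__ == "__main__":
    tr = note_example()
    print(tr.active(datetime(2011, 3, 1, 12, 0)))    # absolute entry only
    tr.add_periodic(WEEKEND, time(0, 0), time(23, 59))
    print(tr.can_ever_be_active())                   # weekend never overlaps a Tuesday
```

An ACL rule bound to a time range that can never become active is silently not enforced, so a check like can_ever_be_active() is worth running over any generated configuration.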
supports a fixed number of matching criteria (values and masks). Slices operate in parallel to perform the configured matching operations. An ACL with a different offset requires the use of a new hardware slice but multiple matching values can be specified for a single slice (e.g., an IPv4 destination address with a 32-bit mask is 192.168.21.1 or 192.168.12.3).
Table 20-1.
Table 20-2. ACL Software Limits (Continued)
Limitation                                  Dell EMC Networking N1500 Series   Dell EMC Networking N2000/N2100-ON Series   Dell EMC Networking N3000/N3100-ON Series   Dell EMC Networking N4000 Series
Maximum VLAN interfaces with ACLs applied   24                                 24                                          24                                          24
Maximum ACL Logging Rules (system-wide)     128                                128                                         128                                         128
Please note the following additional limitations on ingress and egress ACLs:
• Port ranges are not supported for egress ACLs for either IPv4 or IPv6 ACLs.
• Ingress ACLs filter packets before they are processed by the switching fabric. Egress ACLs filter packets after they have been processed by the switching fabric.
• User-defined ingress ACLs are prioritized before system ACLs. User-defined ingress ACLs that match control plane packets such as BPDUs may interfere with switch operation.
• The fragments and routing keywords are not supported for egress IPv6 ACLs. The fragments keyword is not supported on IPv4 egress ACLs.
ACL Configuration Details How Are ACLs Configured? To configure ACLs, follow these steps: 1 Create an IP or MAC ACL by specifying a name. 2 Add new rules to the ACL. 3 Configure the match criteria for the rules. 4 Apply the ACL to one or more interfaces. Editing Access Lists When editing access lists, entries are added in the order specified by the rule sequence number. It is recommended that rule sequence number indices be separated by a fixed offset (e.g., 10).
frame should also specify a source or destination MAC address wherever possible. Likewise, MAC ACLs that specify a source MAC address should specify an Ethertype to avoid interfering with control-plane traffic. In general, any rule that specifies matching on an upper-layer protocol field should also include matching constraints for as many of the lower-layer fields as possible.
Table 20-4. Common IP Protocol Numbers (Continued)
IP Protocol Number   Protocol
0x02                 IGMP
0x06                 TCP
0x08                 EGP
0x09                 IGP
0x11                 UDP
Using IP and MAC Address Masks
Masks are used with IP and MAC addresses to specify what should be considered in the address for a match. Masks are expanded internally into a bit mask and are applied bit-wise in the hardware even though they are entered in decimal or hexadecimal format. Masks need not have contiguous 0 or 1 bits.
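Sequence-number ordering, first-match processing, the implicit deny all and bit-wise masks can be modelled together. This is an added example, not code from Dell or the switch firmware: the Packet, Rule and Acl names and the sample addresses are hypothetical, and it assumes the wildcard convention in which a 0 bit in the mask must match. It goes one step beyond the text by reporting rules that an earlier rule makes unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, UDP = 0x06, 0x11            # IP protocol numbers from Table 20-4
FULL = 0xFFFFFFFF

def ip(text):
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Packet:                    # hypothetical packet summary
    proto: int
    src: str
    dst: str
    dport: int = 0

@dataclass(frozen=True)
class Rule:                      # hypothetical model of one ACL rule
    seq: int
    action: str                                  # "permit" or "deny"
    proto: Optional[int] = None                  # None matches every protocol
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"            # every bit ignored = any
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    dports: Optional[Tuple[int, int]] = None     # inclusive layer-4 port range

    def _fields(self):
        # (address, bits that must match); assumed convention: wildcard 0 = compare
        return [(ip(a), ~ip(w) & FULL) for a, w in
                ((self.src, self.src_wild), (self.dst, self.dst_wild))]

    def matches(self, pkt):
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dports is not None:
            lo, hi = self.dports
            if pkt.proto not in (TCP, UDP) or not lo <= pkt.dport <= hi:
                return False
        return all((ip(addr) ^ base) & care == 0
                   for addr, (base, care) in zip((pkt.src, pkt.dst), self._fields()))

    def covers(self, other):
        """True when every packet matched by `other` is also matched by self."""
        if self.proto is not None and self.proto != other.proto:
            return False
        if self.dports is not None:
            if other.dports is None or not (self.dports[0] <= other.dports[0]
                                            and other.dports[1] <= self.dports[1]):
                return False
        for (base, care), (obase, ocare) in zip(self._fields(), other._fields()):
            # self may test only bits that other also tests, with equal values
            if care & ~ocare or (base ^ obase) & care:
                return False
        return True

class Acl:
    def __init__(self):
        self.rules = {}

    def add(self, rule):
        if rule.seq in self.rules:
            raise ValueError(f"sequence number {rule.seq} already in use")
        self.rules[rule.seq] = rule

    def ordered(self):
        return [self.rules[s] for s in sorted(self.rules)]

    def evaluate(self, pkt):
        for rule in self.ordered():              # lowest sequence number first
            if rule.matches(pkt):
                return rule.action, rule.seq     # first match decides
        return "deny", None                      # implicit deny all

    def shadowed(self):
        """(rule seq, covering earlier seq) for rules that can never match."""
        rules, found = self.ordered(), []
        for i, later in enumerate(rules):
            for earlier in rules[:i]:
                if earlier.covers(later):
                    found.append((later.seq, earlier.seq))
                    break
        return found

def build_acl():
    """Constructed sample ACL; all addresses are illustrative."""
    acl = Acl()
    acl.add(Rule(10, "permit", TCP, src="10.1.0.0", src_wild="0.0.255.255", dports=(443, 443)))
    acl.add(Rule(20, "deny", TCP, src="10.1.5.9", src_wild="0.0.0.0", dports=(443, 443)))
    # Non-contiguous mask: host .1 in every 10.1.x.0/24 may send DNS queries
    acl.add(Rule(30, "permit", UDP, src="10.1.0.1", src_wild="0.0.255.0", dports=(53, 53)))
    return acl

if __name__ == "__main__":
    acl = build_acl()
    print(acl.evaluate(Packet(TCP, "10.1.5.9", "203.0.113.10", 443)))
    print(acl.shadowed())
```

Rule 20 is meant to block one host but never fires because rule 10 matches first; leaving gaps of 10 between sequence numbers lets the fix go in as rule 5 without renumbering the list.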
Policy-Based Routing In contemporary inter-networks, network administrators often need to implement packet forwarding/routing according to specific organizational policies. Policy-Based Routing (PBR) exactly fits this purpose. Policy-Based Routing provides a flexible mechanism to implement solutions where organizational constraints dictate that traffic be routed through specific network paths. PBR does not affect route redistribution that occurs via routing protocols. PBR is a true routing policy solution.
Additional match criteria may be configured by the administrator if desired. Since a route-map is configured in the context of a routing VLAN, a VLAN tag is automatically added to the match criteria without the need for the administrator to specify the VLAN ID. Route-Map Processing An incoming packet is matched against the criteria in the 'match' terms specified in each route-map in the policy. The 'match' terms (clauses) must refer to one or more MAC or IPv4 access-groups or a packet length.
• For a permit route-map, if the decision reached in the above step is deny, then PBR does not apply any action that is specified in set term(s) in the route-map statement. In this situation, the counter for this match statement is not incremented. The processing logic terminates, and the packet goes through the standard destination-based routing logic.
• List of default next-hop IP addresses — The set ip default next-hop command checks the list of destination IP addresses in the routing table and, if there is no explicit route for the packet's destination address in the routing table, the next-hop destinations are evaluated, and packets are routed to the first-available next hop. Packets that do not match are routed using the routing table. A default route in the routing table is not considered an explicit route for an unknown destination address.
In the last column of the table (Optimized), a Yes entry means the rule is never processed in hardware because the action, if any, is to fall through to the next match criteria. The system optimizes out deny ACL match clauses and never processes them in the system hardware. Counters for these match clauses will always show 0. Interface ACLs and PBR Interaction PBR can be configured only on VLAN routing interfaces.
PBR Action (VLAN)           ACL Action (Interface)   Result
set interface null0         deny                     deny (see Note 2)
set interface null0         mirror                   mirror
set interface null0         redirect                 redirect
set interface null0         rate limit               deny
set ip next-hop (default)   deny                     deny
set ip next-hop (default)   mirror                   both
set ip next-hop (default)   redirect                 both (see Note 1)
set ip next-hop (default)   rate limit               both
1. In the case of redirect ACL action, both the redirect and PBR actions are honored, if possible.
No Implicit “deny all” Rule When an access-group is configured on an interface, an implicit rule of “deny all” is applied to the last access-group on the interface. Since PBR processing occurs after normal ACL processing, when a “permit” route-map associated ACL is applied to an interface, the implicit “deny all” rule is not applied. When match rules in an ACL associated with a route-map are successful, packets are considered as candidates for routing according to rules specified in route-map.
PBR Associated ACLs Processed After User-defined ACLs Each ACL in an access-group is associated with a sequence number indicating the order in which the ACL is processed by the hardware. Likewise, a route-map may have multiple statements with different sequence numbers associated with each ACL entry. These statements are processed in sequential order beginning with the lowest numbered rule, but only after all user configured ACLs that are not associated with any route-map.
ACL rule. However, if conflicting actions are specified, an error is thrown when the switch attempts to configure the conflicting actions in the hardware. No IPv6 support PBR does not support IPv6 match ACLs. Locally Generated Packets Policy-Based Routing does not affect locally generated packets, i.e. packets generated by protocols running on the switch.
Adding an IPv4 ACL To add an IPv4 ACL: 1 Open the IP ACL Configuration page. 2 Click Add to display the Add IP ACL page. 3 Specify an ACL name. Figure 20-2. Add IP ACL 4 Click Apply. Removing IPv4 ACLs To delete an IPv4 ACL: 1 From the IP ACL Name menu on the IP ACL Configuration page, select the ACL to remove. 2 Select the Remove checkbox. 3 Click Apply. Viewing IPv4 ACLs To view configured ACLs, click Show All from the IP ACL Configuration page. Figure 20-3.
IP ACL Rule Configuration Use the IP ACL Rule Configuration page to define rules for IP-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, rules can be used to assign traffic to a particular queue, filter on some traffic, change a VLAN tag, and/or redirect the traffic to a particular port. NOTE: There is an implicit deny all rule at the end of an ACL list.
Figure 20-4. IP ACL - Rule Configuration Removing an IP ACL Rule To delete an IP ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
MAC ACL Configuration Use the MAC ACL Configuration page to define a MAC-based ACL. To display the MAC ACL Configuration page, click Switching Network Security Access Control Lists MAC Access Control Lists Configuration in the navigation panel. Figure 20-5. MAC ACL Configuration Adding a MAC ACL To add a MAC ACL: 1 Open the MAC ACL Configuration page. 2 Click Add to display the Add MAC ACL page. 3 Specify an ACL name. Figure 20-6. Add MAC ACL 4 Click Apply.
1 From the MAC ACL Name menu on the MAC ACL Configuration page, select the ACL to rename or remove. 2 To rename the ACL, select the Rename checkbox and enter a new name in the associated field. 3 To remove the ACL, select the Remove checkbox. 4 Click Apply. Viewing MAC ACLs To view configured ACLs, click Show All from the MAC ACL Configuration page. Figure 20-7.
MAC ACL Rule Configuration Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default deny all rule is the last rule of every list. To display the MAC ACL Rule Configuration page, click Switching Network Security Access Control Lists MAC Access Control Lists Rule Configuration in the navigation panel. Figure 20-8.
IPv6 ACL Configuration Use the IPv6 ACL Configuration page to add or remove IP-based ACLs. To display the IP ACL Configuration page, click Switching Network Security Access Control Lists IPv6 Access Control Lists IPv6 ACL Configuration in the navigation panel. Figure 20-9. IPv6 ACL Configuration Adding an IPv6 ACL To add an IPv6 ACL: 1 Open the IPv6 ACL Configuration page. 2 Click Add to display the Add IPv6 ACL page. 3 Specify an ACL name. Figure 20-10. Add IPv6 ACL 4 Click Apply.
1 From the IPv6 ACL Name menu on the IPv6 ACL Configuration page, select the ACL to rename or remove. a To rename the ACL, select the Rename checkbox and enter a new name in the associated field. b To delete the ACL, select the Remove checkbox. 2 Click Apply. Viewing IPv6 ACLs To view configured ACLs, click Show All from the IPv6 ACL Configuration page. The IPv6 ACL Table page displays. Figure 20-11.
Figure 20-12. IPv6 ACL - Rule Configuration Removing an IPv6 ACL Rule To delete an IPv6 ACL rule: 1 From the Rule ID menu, select the ID of the rule to delete. 2 Select the Remove option near the bottom of the page. 3 Click Apply to remove the selected rule.
ACL Binding Configuration When an ACL is bound to an interface, all the rules that have been defined are applied to the selected interface. Use the ACL Binding Configuration page to assign ACL lists to ACL Priorities and Interfaces. From the web interface, the ACL rules can be configured in the ingress or egress direction so that they implement security rules for packets entering or exiting the port. ACLs can be applied to any physical (including 10 Gb) interface, LAG, or routing port.
Time Range Configuration Use the Time Range Configuration page to define time ranges to associate with ACL rules. To display the Time Range Configuration page, click System Time Synchronization Time Range Configuration in the navigation panel. The following image shows the page after at least one time range has been added. Otherwise, the page indicates that no time ranges are configured, and the time range configuration fields are not displayed. Figure 20-14.
Figure 20-15. Add a Time Range
3 Click Apply.
4 Click Detail to return to the Time Range Configuration page.
5 In the Time Range Name field, select the name of the time range to configure.
6 Specify an ID for the time range. Up to 10 different time range entries can be configured to include in the named range. However, only one absolute time entry is allowed per time range.
7 Configure the values for the time range entry.
8 Click Apply.
Configuring ACLs (CLI)
This section provides guidelines for the commands you use to create and configure ACLs. For a complete description of the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring an IPv4 ACL
Use the following commands to create an IPv4 ACL, configure rules for the ACL, and bind the ACL to an interface.
Command: [sequence-number] {deny | permit} {{ipv4protocol | 0-255 | every} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [icmptype icmp-type [icmpcode icmp-code] | icmpmessage icmp-messag
– When range is specified, the TCP or UDP ACL rule matches only if the layer-4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal to or greater than the starting port. The starting port, ending port, and all ports in between will be part of the layer-4 port range.
• flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]— Specifies that the IP/TCP/UDP ACL rule matches on the TCP flags.
– Ack – Acknowledgement bit
– Fin – Finished bit
– Psh – push bit
– Rst – reset bit
– Syn – Synchronize bit
– Urg – Urgent bit
– When “+” is specified, a match occurs if the specified flag is set in the TCP header.
• igmp-type igmp-type—When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type (i.e., a number from 0 to 255).
• fragments—Specifies the rule matches packets that are non-initial fragments (fragment bit asserted). Not valid for rules that match L4 information such as TCP port number since that information is carried in the initial packet. This keyword is also not valid for IPv6 packets since they should never be fragmented.
Command: interface interface
Purpose: (Optional) Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command. For example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12.
Command: ip access-group name direction seqnum
Purpose: Bind the specified ACL to an interface.
Configuring a MAC ACL
Use the following commands to create a MAC ACL, configure rules for the ACL, and bind the ACL to an interface.
Command: configure
Purpose: Enter global configuration mode.
Command: mac access-list extended name
Purpose: Create a named MAC ACL. This command also enters MAC Access List Configuration mode. If a MAC ACL with this name already exists, this command enters the mode to update the existing ACL.
Command: [sequence-number] {deny | permit} {srcmac srcmacmask | any} {dstmac dstmacmask | any | bpdu} [{ethertypekey | 0x0600-0xFFFF}] [vlan eq 0-4095] [cos 0-7] [secondary-vlan eq 0-4095] [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} interface] [rate-limit rate burst-size]
Purpose: Specify the rules (match conditions) for the MAC access list.
• sequence-number — Identifies the order of application of the permit/deny statement.
• log—Specifies that this rule is to be logged.
• time-range time-range-name—Allows imposing time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately.
Command: mac access-group name direction seqnum
Purpose: Bind the specified MAC ACL to an interface.
NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode.
• name — Access list name. (Range: Valid MAC access-list name up to 31 characters in length)
• direction — Direction of the ACL. (Range: In or out. Default is in.)
• seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295. Default is 1.
Configuring an IPv6 ACL
Use the following commands to create an IPv6 ACL, configure rules for the ACL, and bind the ACL to an interface.
Command: configure
Purpose: Enter global configuration mode.
Command: ipv6 access-list name
Purpose: Create an extended IPv6 ACL. This command also enters IPv6 Access List Configuration mode. If an IPv6 ACL with this name already exists, this command enters the mode to update the existing ACL.
Command: [sequence-number] {deny | permit} {ipv6protocol | number | every} {source-ipv6prefix/prefix-length | any | host source-ipv6address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {destination-ipv6prefix/prefix-length | any | host destination-ipv6address} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [establis
– When eq is specified, IPv6 ACL rule matches only if the layer-4 port number is equal to the specified port number or portkey.
– When lt is specified, IPv6 ACL rule matches if the layer-4 destination port number is less than the specified port number or portkey. It is equivalent to specifying the range as 0 to .
• destination ipv6 prefix — IPv6 prefix in IPv6 global address format.
Command: ipv6 traffic-filter name direction [sequence seq-num]
Purpose: Bind the specified IPv6 ACL to an interface.
NOTE: To apply this ACL to all interfaces, issue the command in Global Configuration mode.
• name — Access list name. (Range: Valid IPv6 access-list name up to 31 characters in length)
• direction — Direction of the ACL. (Range: In or out. Default is in.)
• seqnum — Precedence for this interface and direction. A lower sequence number has higher precedence. Range: 1 – 4294967295.
Command: periodic {days-of-the-week time} to {[days-of-the-week] time}
Purpose: Configure a recurring time entry for the named time range.
• days-of-the-week —The first occurrence indicates the starting day(s) the ACL goes into effect. The second occurrence is the ending day(s) when the ACL rule is no longer in effect.
ACL Configuration Examples
This section contains the following examples:
• "Basic Rules"
• "Internal System ACLs"
• "Complete ACL Example"
• "Advanced Examples"
• "Policy-Based Routing Examples"
NOTE: None of these ACL rules are applicable to the OOB interface.
Basic Rules
• Inbound rule allowing all packets sequenced after all other rules.
• Inbound rule allowing access FROM hosts with IP addresses ranging from 10.0.46.0 to 10.0.47.254:
permit ip 10.0.46.0 0.0.1.255 any
• Inbound rule allowing access TO hosts with IP addresses ranging from 10.0.48.0 to 10.0.49.254:
permit ip any 10.0.48.0 0.0.1.255
As the last rule in an administrator-defined list, the narrower scope of this inbound rule has no effect other than to possibly interfere with switch management access or router operations.
Complete ACL Example
The following example is a complete inbound ACL that allows hosts connected to gi1/0/1 with IP addresses in the 10.1.1.x range to send IP packets to 192.168.0.x hosts on gi1/0/2. IP packets not from 10.1.1.x addresses or not addressed to 192.168.0.x hosts are dropped. Packets with protocols other than IP, DNS, ARP, or ICMP are dropped. Allowing ICMP supports the 10.1.1.x hosts in reliably receiving and initiating TCP connections and pinging through the switch.
console(config-if-gi1/0/2)#exit
Consider the following inbound rules that allow Telnet connections and UDP traffic from the 192.168.0.x network to host 10.1.1.23:
ip access-list Host10-1-1-23
! Permit Telnet traffic from 192.168.0.X network to host 10.1.1.23:
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23 eq telnet
! Permit TCP traffic from 192.168.0.X network to host 10.1.1.23:
permit tcp 192.168.0.0 0.0.0.255 host 10.1.1.23
! Permit UDP traffic from 192.168.0.X network to host 10.1.1.23
permit udp 192.
packets with either the RST or ACK bits set (logical OR). Flags that are neither set nor cleared in the rule are not checked in the ACL (don't care or wildcard).
console(config)#ip access-list flags-demo
console(config-ip-acl)#permit tcp any any flag ?
established Enter a TCP Flag (+fin, -fin, +syn, -syn, +rst, -rst, +psh, -psh, +ack, -ack, +urg, -urg, established). Enter a flag (+|-) only once.
console(config-ip-acl)#permit tcp 10.1.1.0 0.0.0.255 eq ?
<0-65535> Enter the layer 4 port number in the range 0 to 65535.
Enter a keyword { domain | echo | ftp | ftp-data | http | smtp | snmp | telnet | tftp | www | bgp | pop2 | pop3 | ntp | rip | time | who }.
To bind an access-list to an interface, use the access-group command. The in parameter specifies that the ACL is applied to ingress packets.
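The matching behavior used in the examples above (wildcard masks, the +/- TCP flag terms, established, and sequence-ordered first match) can be checked offline before an ACL is bound to an interface. The following Python model is an added example, not Dell EMC code or switch output; the Rule class, the helper names and the sample rule list are constructed for illustration, and it assumes an implicit deny at the end of the list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP header flag bits.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}
ANY = ("0.0.0.0", "255.255.255.255")


def host(ip):
    """'host x' is shorthand for address x with an all-zero wildcard."""
    return (ip, "0.0.0.0")


def _u32(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are ignored; every other bit must equal base."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)


def wildcard_span(base, wildcard):
    """Lowest and highest address covered by a contiguous wildcard mask."""
    low = _u32(base) & ~_u32(wildcard) & 0xFFFFFFFF
    high = low | _u32(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))


def flags_match(terms, tcp_flags):
    """'+x' needs bit x set, '-x' needs it clear, unlisted flags are not checked."""
    for term in terms:
        if term == "established":          # RST or ACK set (logical OR)
            if not tcp_flags & (FLAG_BITS["rst"] | FLAG_BITS["ack"]):
                return False
        elif bool(tcp_flags & FLAG_BITS[term[1:]]) != (term[0] == "+"):
            return False
    return True


@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp" or "every"
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    dst_port: Optional[int] = None   # models the "eq" operator only
    flags: Tuple[str, ...] = ()

    def matches(self, pkt):
        if self.proto not in ("ip", "every", pkt["proto"]):
            return False
        if not wildcard_match(pkt["src"], *self.src):
            return False
        if not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.flags and not flags_match(self.flags, pkt.get("flags", 0)):
            return False
        return True


def evaluate(rules, pkt):
    """Return (action, sequence number) of the first matching rule."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(pkt):
            return rule.action, rule.seq
    return "deny", None   # assumption: implicit deny ends the list


# Constructed sample list, deliberately out of order. Rule 10 is the Telnet
# rule from the Host10-1-1-23 example; rules 20 and 30 are illustrative.
SAMPLE_ACL = [
    Rule(30, "permit", "tcp", ANY, host("10.1.1.23"), flags=("established",)),
    Rule(10, "permit", "tcp", ("192.168.0.0", "0.0.0.255"), host("10.1.1.23"), dst_port=23),
    Rule(20, "deny", "tcp", ANY, host("10.1.1.23"), flags=("+syn", "-ack")),
]

if __name__ == "__main__":
    print(wildcard_span("10.0.46.0", "0.0.1.255"))
    new_conn = {"proto": "tcp", "src": "172.16.0.9", "dst": "10.1.1.23",
                "dport": 80, "flags": FLAG_BITS["syn"]}
    print(evaluate(SAMPLE_ACL, new_conn))
```

For the Basic Rules mask, wildcard_span("10.0.46.0", "0.0.1.255") returns 10.0.46.0 through 10.0.47.255, so the rule also matches the .255 address of the second /24.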
Advanced Examples
Configuring a Time-Based ACL
The following example configures an ACL that denies HTTP traffic from 8:00 pm to 12:00 pm and 1:00 pm to 6:00 pm on weekdays and from 8:30 am to 12:30 pm on weekends. The ACL affects all hosts connected to ports that are members of VLAN 100. The ACL permits VLAN 100 members to browse the Internet only during lunch and after hours.
To configure the switch:
1 Create a time range called work-hours.
console#show ip access-lists web-limit IP ACL Name: web-limit Rule Number: 1000 Action......................................... Match All...................................... Protocol....................................... Source IP Address.............................. Destination IP Address......................... Destination Layer 4 Operator................... Destination L4 Port Keyword.................... ACL Hit Count..................................
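The time-range parameter description earlier in this chapter states that a rule naming a time range that does not exist is applied immediately once the ACL is bound, so a mistyped or deleted time-range name silently turns a scheduled rule into a permanent one. The following Python check is an added example, not Dell EMC code; it scans saved configuration text for such references, and the configuration text and the rule bodies in it are constructed for illustration.

```python
import re

ACL_START = re.compile(
    r"^(?:ip access-list|ipv6 access-list|mac access-list extended)\s+(\S+)$")
RANGE_DEF = re.compile(r"^time-range\s+(\S+)$")
RULE_REF = re.compile(r"^(?:\d+\s+)?(?:permit|deny)\b.*\stime-range\s+(\S+)")
PROMPT = re.compile(r"^console[^#]*#")   # strips "console(config)#" style prompts


def undefined_time_ranges(config_text):
    """Map ACL name -> time-range names its rules use that are never defined."""
    defined = set()
    referenced = {}      # ACL name -> set of time-range names used by its rules
    current_acl = None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip()).strip()
        if not line or line.startswith("!"):
            continue
        definition = RANGE_DEF.match(line)
        if definition:
            defined.add(definition.group(1))
            current_acl = None
            continue
        start = ACL_START.match(line)
        if start:
            current_acl = start.group(1)
            continue
        if line == "exit":
            current_acl = None
            continue
        ref = RULE_REF.match(line)
        if ref and current_acl is not None:
            referenced.setdefault(current_acl, set()).add(ref.group(1))
    # Definitions may appear after the rules that use them, so compare at the end.
    return {acl: sorted(names - defined)
            for acl, names in referenced.items() if names - defined}


# Constructed configuration text (not taken from a real switch).
SAMPLE_CONFIG = """
time-range work-hours
periodic weekdays 07:30 to 18:00
exit
ip access-list web-limit
1000 deny tcp any any eq http time-range work-hours
1010 deny tcp any any eq http time-range weekend-hours
2000 permit every
exit
mac access-list extended lab-mac
permit any any time-range lab-window
exit
"""

if __name__ == "__main__":
    for acl, names in undefined_time_ranges(SAMPLE_CONFIG).items():
        print(f"{acl}: rules reference undefined time range(s) {names}")
```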
Allow FTP Traffic Only to an FTP Server
This ACL limits traffic from a router to a directly connected FTP server (172.16.0.5) on gi1/0/11. Notice that this is an “out” or egress ACL. Traffic to the router from the FTP server is not affected by this rule. Traffic from the router to the FTP server is limited to ICMP and packets destined to the FTP ports. There is no need to add permit rules for all the protocols the router can send to the host (e.g., ARP, ICMP, LLDP, etc.
Block Incoming Pings and Responses
This example configures an ingress ACL that blocks incoming pings and ping responses. Since packets generated by the CPU are not affected by ACLs, to block pinging from the switch we add a rule to block the ping responses on ingress.
Assign Ingress Packets to a CoS Queue
Assign a range of source or destination TCP ports to CoS queue 3 to provide elevated service. Two rules are necessary to handle packets that have source or destination ports outside the range.
Schedule Forwarding of Packets to a Different Port
This ACL layer-2 forwards matching packets to a different port based on a time schedule. This is not equivalent to Policy-Based Forwarding, as the TTL in the packet is not decremented, nor is a new destination MAC address written into the packet. The access-group policy is globally configured on all switch interfaces.
Rate limit WWW traffic (ACL)
This example creates an ACL to rate-limit WWW traffic ingressing the switch on te1/0/1. Initial and established values require tuning for local traffic patterns and link speeds. Note that this ACL applies to traffic sent to the switch IP address as well as traffic forwarded by the switch (in rule). Permit rules with a rate-limit parameter do not require a following deny rule as matching packets exceeding the rate limit are discarded. Compare this with the example above.
console(config-ip-acl)#permit tcp any any eq 22 flag established rate-limit 1024 128
console(config-ip-acl)#permit tcp any any eq telnet rate-limit 12 2
console(config-ip-acl)#permit tcp any any eq 22 rate-limit 12 2
console(config-ip-acl)#2147483647 permit every
console(config-ip-acl)#exit
console(config)#ip access-group rate-limit-inband-mgmt controlplane
The following commands block fragmented traffic from being sent to the CPU:
console#config
console(config)#ip access-list no-frag-inband-mgmt
console(c
Expedite DSCP(EF) Traffic/Limit Background Traffic
By default (with no CoS or DSCP configuration), packets are assigned to User Priority 1/CoS queue 0 (see the output from show classofservice trust and show classofservice dot1p-mapping). When incast occurs (multiple ports sending to a single output port at a rate greater than can be accommodated), the switch buffer capacity can be exhausted.
3 Match source MAC 001E.C9XX.XXXX. Rate limit to 100 Kbps with a burst of 32 Kbytes:
console(config-mac-access-list)#permit 001E.C900.0000 0000.00FF.
A Consolidated DoS Example
This example includes some ACL rules to consider to reduce DoS attacks on the switch. It does not represent a complete DoS suite. A firewall with deep packet inspection capabilities should be used for true DoS protection.
NOTE: The rate limits below should be adjusted to match the expected rates of traffic coming to the CPU.
console(config)#ip access-group squelch-dos-attacks controlplane
9 Further limit inbound traffic on in-band management ports. Allow only VLAN 99 SSH and TFTP, no telnet, HTTP, HTTPS, or SNMP. The management access list actions are performed by the switch firmware in addition to the access list actions performed by the switching silicon, e.g., squelch-dos-attacks.
Policy-Based Routing Examples
Route-Map with Scheduled Redirection of RFC 1918 Addresses to a Different NextHop
1 Create a time range named “work-hours” from 7:30 AM to 6:00 PM:
console#config
console(config)#time-range work-hours
console(config-time-range)#periodic weekdays 07:30 to 18:00
console(config-time-range)#exit
2 Define an IP ACL named “subnet-172-16” and permit all accesses on the subnet during the work-hours time range:
console(config)#ip access-list subnet-172-16
console(config-ip-acl)#pe
Complete Example of Policy-Based Routing on VLAN Routing Interfaces
In this example, a layer-3 router with four VLAN routing interfaces (VLAN 10, VLAN 20, VLAN 30 and VLAN 40) is configured. Each of these interfaces is connected to layer-2 switches. Traffic sent to host 2.2.2.2 from host 1.1.1.2 on VLAN interface 10 is normally routed over VLAN interface 20.
console(config-if-gi1/0/2)#exit
console(config)#interface gi 1/0/4
console(config-if-gi1/0/4)#switchport mode trunk
console(config-if-gi1/0/4)#switchport trunk allowed vlan remove 1
console(config-if-gi1/0/4)#switchport trunk native vlan 20
console(config-if-gi1/0/4)#exit
console(config)#interface gi1/0/22
console(config-if-gi1/0/22)#switchport mode trunk
console(config-if-gi1/0/22)#switch trunk allowed vlan remove 1
console(config-if-gi1/0/22)#switch trunk native vlan 30
console(config-if-gi1/0/22)#exit
co
5 Configure Policy Routing. To policy-route such traffic to VLAN routing interface 30, the following additional steps should be performed:
a Create an access-list matching all incoming IP traffic from host 1.1.1.1 destined to host 2.2.2.2:
console(config)#ip access-list Match-ip-1_1_1_2-to-2_2_2_2
console(config-ip-acl)#permit ip host 1.1.1.2 host 2.2.2.
21 VLANs
Dell EMC Networking N-Series Switches
This chapter describes how to configure VLANs, including port-based VLANs, protocol-based VLANs, double-tagged VLANs, subnet-based VLANs, and Voice VLANs.
The topics covered in this chapter include:
• VLAN Overview
• Default VLAN Behavior
• Configuring VLANs (Web)
• Configuring VLANs (CLI)
• VLAN Configuration Examples
VLAN Overview
By default, all ports on Dell EMC Networking N-Series switches are in the same broadcast domain (VLAN 1).
sensitive traffic, like voice traffic, has priority over other traffic, such as data. Administrators also use VLANs to protect network resources. Traffic sent by authenticated clients might be assigned to one VLAN, while traffic sent from unauthenticated clients might be assigned to a different VLAN that allows limited network access. When one host in a VLAN sends a broadcast, the switch forwards traffic only to other members of that VLAN.
Figure 21-1. Simple VLAN Topology (figure labels: Router, Switch, Engineering VLAN 100, Tech Pubs VLAN 200, Payroll VLAN 300)
In this example, each port is manually configured so that the end station attached to the port is a member of the VLAN configured for the port. The VLAN membership for this network is port-based or static.
Table 21-1 provides an overview of the types of VLANs that can be used to logically divide the network.
Table 21-1. VLAN Assignment
VLAN Assignment: Port-based (Static)
Description: This is the most common way to assign hosts to VLANs. The port where the traffic enters the switch determines the VLAN membership. Trunk ports are automatically members of all VLANs, unless specifically configured otherwise.
VLAN Assignment: IP Subnet
Description: Hosts are assigned to a VLAN based on their IP address.
NOTE: A stack of switches behaves as a single switch, so VLAN tagging is not required for packets traversing different stack members. Tagging may be required when a single port supports multiple devices that are members of different VLANs. For example, a single port might be connected to an IP phone, a PC, and a printer (the PC and printer are connected via ports on the IP phone).
The operation of GVRP relies upon the services provided by the Generic Attribute Registration Protocol (GARP). GVRP can create up to 1024 VLANs. For information about GARP timers, see "What Are GARP and GMRP?" on page 932.
Double-VLAN Tagging
For trunk ports, which are ports that connect one switch to another switch, the Dell EMC Networking N-Series switches support double-VLAN tagging as an option. This feature allows service providers to connect to Virtual Metropolitan Area Networks (VMANs).
Figure 21-2. Double VLAN Tagging Network Example
Voice VLAN
The Voice VLAN feature enables switch ports to carry voice traffic from IP phones with an administrator-defined priority. When multiple devices, such as a PC and an IP phone, are connected to the same port, the port can be configured to use one VLAN for voice traffic and another VLAN for data traffic. Multiple IP phones per port are supported.
The Voice VLAN feature can be enabled on a per-port basis. Voice VLAN supports a configurable Voice VLAN DSCP or IEEE 802.1p value. This value is transmitted by LLDP when the LLDPDU is transmitted, if LLDP has been enabled on the port, the DSCP/802.1p value is configured, and the LLDP network policy TLV has not been suppressed for the port. LLDP-MED is enabled by default on all ports. Voice VLAN is supported on ports configured in access mode or in general mode. Both MAC-based and auto mode 802.
Some VoIP phones contain full support for IEEE 802.1X. For each VoIP device to authenticate independently of the data device, configure the port in general mode, add the Voice VLAN to the port and configure the port to use MAC-based authentication. With MAC-based authentication, voice packets are identified by the MAC address of the phone. The RADIUS server must be configured to enable Voice VLAN by sending the vendor proprietary VSA device-traffic-class=voice in the RADIUS Access-Accept message.
• Cisco Discovery Protocol (CDP) or Industry Standard Discovery Protocol (ISDP) for Cisco VoIP phones
• DHCP vendor-specific option 176 for Avaya VoIP phones
• LLDP-MED for many VoIP phones
• For ports configured for 802.1X MAC-based mode or Auto mode with 802.1X enabled system wide, an Access-Accept received from the AAA service with a vendor-proprietary VSA device-traffic-class = voice. DHCP/ISDP/CDP/LLDP information is not used to identify VoIP devices for assignment to the Voice VLAN.
• When an 802.1p priority is associated with a Voice VLAN, then the priority information is passed onto the VoIP phone using the LLDP-MED or CDP protocol, along with the Voice VLAN ID, if any. With this method, the voice data coming from the VoIP phone is tagged with VLAN 0 (or the configured Voice VLAN) and with the configured priority; regular data arriving on the switch is given the default priority of the port, and the voice traffic is received with the operator-configured priority from the IP phone.
If no RADIUS server is reachable and the port is configured in MAC-based authentication mode, newly authenticating voice devices, i.e., devices just powered on or connected to the network, are denied access to the Voice VLAN. The phone will be authenticated and allowed access to the Voice VLAN when a RADIUS server becomes reachable. Use the authentication event server dead action authorize voice command to enable critical Voice VLAN treatment on an interface. Critical Voice VLAN is supported on 802.
particular private VLAN instance. The secondary VLAN ID differentiates the subdomains from each other and provides layer-2 isolation between ports on the same private VLAN. The following types of VLANs can be configured in a private VLAN:
• Primary VLAN—Forwards the traffic from the promiscuous ports to isolated ports, community ports and other promiscuous ports in the same private VLAN. Only one primary VLAN can be configured per private VLAN. All ports within a private VLAN share the same primary VLAN.
The same traffic isolation can be achieved by assigning each port with a different VLAN, allocating an IP subnet for each VLAN, and enabling layer-3 routing between them. In a private VLAN domain, on the other hand, all members can share the common address space of a single subnet, which is associated with a primary VLAN. So, the advantage of the private VLANs feature is that it reduces the number of consumed VLANs, improves IP addressing space utilization, and helps to avoid layer-3 routing.
In the configuration shown in Figure 21-3, the port connected from SW1 to R1 (TE1/1/1) is configured as a promiscuous port. It is possible to configure a port-channel as a promiscuous port in order to provide a level of redundancy on the private VLAN uplink.
Isolated Ports
An endpoint connected to an isolated port is allowed to communicate with endpoints connected to promiscuous ports only. Endpoints connected to adjacent isolated ports cannot communicate with each other.
and community ports in the same secondary VLAN. A promiscuous port broadcasts traffic to other promiscuous ports, isolated ports, and community ports.
Table 21-2. Forwarding Rules for Traffic in Primary VLAN
From \ To       promiscuous   community 1   community 2   isolated   stack (trunk)
promiscuous     allow         allow         allow         allow      allow
community 1     N/A           N/A           N/A           N/A        N/A
community 2     N/A           N/A           N/A           N/A        N/A
isolated        N/A           N/A           N/A           N/A        N/A
stack (trunk)   allow         allow         allow         allow      allow
Table 21-3.
From \ To       promiscuous   community 1   community 2   isolated   stack (trunk)
isolated        allow         deny          deny          deny       allow
stack (trunk)   allow         deny          deny          deny       allow
Limitations and Recommendations
• Only a single isolated VLAN can be associated with a primary VLAN. Multiple community VLANs can be associated with a primary VLAN.
• Trunk and general modes are not supported on private VLAN ports.
• Do not configure access ports using the VLANs participating in any of the private VLANs.
• A private VLAN cannot be enabled on the default VLAN.
• VLAN routing can be enabled on private VLANs. It is not very useful to enable routing on secondary VLANs, as the access to them is restricted. However, primary VLANs can be enabled for routing.
• It is recommended that the private VLAN IDs be removed from the trunk ports connected to devices that do not participate in the private VLAN traffic.
Private VLAN Configuration Example
See "Configuring a Private VLAN" on page 816.
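The forwarding behavior described above for promiscuous, isolated and community ports, together with two of the listed limitations, can be expressed as a check that is run against a planned port assignment before it is configured. This Python model is an added example, not Dell EMC code; the VLAN IDs and the Gi port names are constructed, and only layer-2 forwarding inside one private VLAN is modeled.

```python
from dataclasses import dataclass

DEFAULT_VLAN = 1


@dataclass(frozen=True)
class Port:
    name: str
    role: str            # "promiscuous", "isolated" or "community"
    secondary: int = 0   # secondary VLAN ID (unused for promiscuous ports)


def can_forward(src, dst):
    """Layer-2 forwarding decision between two ports of one private VLAN."""
    if "promiscuous" in (src.role, dst.role):
        return True      # promiscuous ports exchange traffic with every port type
    if src.role == dst.role == "community":
        return src.secondary == dst.secondary   # same community VLAN only
    return False         # isolated to isolated, or isolated to community


def validate_plan(primary, ports):
    """Check a plan against two limitations listed in this section."""
    problems = []
    if primary == DEFAULT_VLAN:
        problems.append("a private VLAN cannot be enabled on the default VLAN")
    isolated = sorted({p.secondary for p in ports if p.role == "isolated"})
    if len(isolated) > 1:
        problems.append(f"more than one isolated VLAN on one primary VLAN: {isolated}")
    return problems


def isolation_violations(ports, must_not_talk):
    """Return the (a, b) name pairs from must_not_talk that can still exchange frames."""
    by_name = {p.name: p for p in ports}
    return [(a, b) for a, b in must_not_talk
            if can_forward(by_name[a], by_name[b])]


# Constructed plan: primary VLAN 100, isolated VLAN 101, community VLANs 102 and 103.
PLAN = [
    Port("Te1/1/1", "promiscuous"),
    Port("Gi1/0/10", "isolated", 101),
    Port("Gi1/0/11", "isolated", 101),
    Port("Gi1/0/12", "community", 102),
    Port("Gi1/0/13", "community", 102),
    Port("Gi1/0/14", "community", 103),
]

if __name__ == "__main__":
    print(validate_plan(100, PLAN))
    # Policy intent (constructed): these host pairs must not reach each other at layer 2.
    intent = [("Gi1/0/10", "Gi1/0/11"), ("Gi1/0/12", "Gi1/0/13"), ("Gi1/0/12", "Gi1/0/14")]
    print(isolation_violations(PLAN, intent))
```

Two hosts that must not reach each other have to sit on isolated ports or in different community VLANs; placing both in the same community VLAN, as Gi1/0/12 and Gi1/0/13 are here, is reported as a violation.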
Default VLAN Behavior
One VLAN is configured on the Dell EMC Networking N-Series switches by default. The VLAN ID is 1, and all ports are included in the VLAN as access ports, which are untagged. This means when a device connects to any port on the switch, the port forwards the packets without inserting a VLAN tag. If a device sends a tagged frame to a port with a VLAN ID other than 1, the frame is dropped.
Table 21-6 shows the default values or maximum values for VLAN features.
Table 21-6. Additional VLAN Default and Maximum Values
Feature: Default VLAN
Value: VLAN 1
Feature: VLAN Name
Value: No VLAN name is configured except for VLAN 1, whose name “default” cannot be changed.
Feature: VLAN Range
Value: 2–4093
Feature: Switchport mode
Value: Access
Feature: Double-VLAN tagging
Value: Disabled
If double-VLAN tagging is enabled, the default EtherType value is 802.
Configuring VLANs (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLANs on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
VLAN Membership
Use the VLAN Membership page to create VLANs and define VLAN groups stored in the VLAN membership table.
Table 21-7. VLAN Port Membership Definitions
Port Control: F
Definition: Forbidden: indicates that the interface is forbidden from becoming a member of the VLAN. This setting is primarily for GVRP, which enables dynamic VLAN assignment.
Port Control: Blank
Definition: Blank: the interface is not a VLAN member. Packets in this VLAN are not forwarded on this interface.
To perform additional port configuration, such as making the port a trunk port, use the Port Settings page.
Figure 21-4.
Figure 21-5. Add VLAN
4 Click Apply.
Configuring Ports as VLAN Members
To add member ports to a VLAN:
1 Open the VLAN Membership page.
2 From the Show VLAN menu, select the VLAN to which you want to assign ports.
3 In the Static row of the VLAN Membership table, click the blank field to assign the port as an untagged member. Figure 21-6 shows Gigabit Ethernet ports 8–10 being added to VLAN 300.
Figure 21-6. Add Ports to VLAN
4 Click Apply.
5 Verify that the ports have been added to the VLAN.
In Figure 21-7, the presence of the letter U in the Current row indicates that the port is an untagged member of the VLAN. Figure 21-7.
VLAN Port Settings
Use the VLAN Port Settings page to add ports to an existing VLAN and to configure settings for the port. If you select Trunk or Access as the Port VLAN Mode, some of the fields are not configurable because of the requirements for that mode.
NOTE: Ports can be added to a VLAN through the table on the VLAN Membership page or through the PVID field on the Port Settings page. The PVID is the VLAN that untagged received packets are assigned to.
Figure 21-9. VLAN Settings for All Ports
VLAN LAG Settings
Use the VLAN LAG Settings page to map a LAG to a VLAN and to configure specific VLAN settings for the LAG. To display the LAG Settings page, click Switching → VLAN → LAG Settings in the navigation panel.
Figure 21-10. VLAN LAG Settings
From the LAG Settings page, click Show All to see the current VLAN settings for all LAGs. To change the settings for one or more LAGs, click the Edit option for a port and select or enter new values.
Figure 21-11.
Bind MAC to VLAN
Use the Bind MAC to VLAN page to map a MAC address to a VLAN. After the source MAC address and the VLAN ID are specified, the MAC to VLAN configurations are shared across all ports of the switch. The MAC to VLAN table supports up to 128 entries. To display the Bind MAC to VLAN page, click Switching → VLAN → Bind MAC to VLAN in the navigation panel.
Figure 21-12. Bind MAC to VLAN
From the Bind MAC to VLAN page, click Show All to see the MAC addresses that are mapped to VLANs.
To display the Bind IP Subnet to VLAN page, click Switching → VLAN → Bind IP Subnet to VLAN in the navigation panel.
Figure 21-14. Bind IP Subnet to VLAN
From the Bind IP Subnet to VLAN page, click Show All to see the IP subnets that are mapped to VLANs. From this page, settings can be changed for one or more entries or entries can be removed.
Figure 21-15.
GVRP Parameters
Use the GVRP Parameters page to enable GVRP globally and configure the port settings. To display the GVRP Parameters page, click Switching → VLAN → GVRP Parameters in the navigation panel.
Figure 21-16. GVRP Parameters
From the GVRP Parameters page, click Show All to see the GVRP configuration for all ports. From this page, settings can be changed for one or more entries.
NOTE: Per-port and per-LAG GVRP Statistics are available from the Statistics/RMON page.
Figure 21-17.
Protocol Group
Use the Protocol Group page to configure which EtherTypes go to which VLANs, and then enable certain ports to use these settings. Protocol-based VLANs are most often used in situations where network segments contain hosts running multiple protocols. Protocol-based VLANs are not compatible with STP-PV/RSTP-PV. Ensure that the spanning tree protocol is set to something other than one of the per-VLAN protocols.
Adding a Protocol Group
To add a protocol group:
1 Open the Protocol Group page.
2 Click Add to display the Add Protocol Group page.
3 Create a name for the group and associate a VLAN with the group.
Figure 21-19. Add Protocol Group
4 Click Apply.
5 Click Protocol Group to return to the main Protocol Group page.
6 From the Group ID field, select the group to configure.
7 In the Protocol Settings table, select the protocol and interfaces to associate with the protocol-based VLAN.
Figure 21-20. Configure Protocol Group
8 Click Apply.
9 Click Show All to see the protocol-based VLANs and their members.
Figure 21-21.
Double VLAN Global Configuration
Use the Double VLAN Global Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Global Configuration page, click Switching VLAN Double VLAN Global Configuration in the navigation panel.
Figure 21-22.
Double VLAN Interface Configuration
Use the Double VLAN Interface Configuration page to specify the value of the EtherType field in the first EtherType/tag pair of the double-tagged frame. To display the Double VLAN Interface Configuration page, click Switching VLAN Double VLAN Interface Configuration in the navigation panel.
Figure 21-23.
Figure 21-24.
Voice VLAN
Use the Voice VLAN Configuration page to configure and view Voice VLAN settings that apply to the entire system and to specific interfaces. To display the page, click Switching VLAN Voice VLAN Configuration in the navigation panel.
Figure 21-25. Voice VLAN Configuration
NOTE: IEEE 802.1X must be enabled on the switch before you disable IP phone authentication.
Configuring VLANs (CLI)
This section provides information about the commands you use to create and configure VLANs. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Creating a VLAN
Use the following commands to configure a VLAN and associate a name with the VLAN.
Command: configure
Purpose: Enter global configuration mode.
Configuring VLAN Settings for a LAG
The VLAN mode and memberships settings you configure for a port are also valid for a LAG (port-channel). Use the following commands to configure the VLAN mode for a LAG. Once the switchport mode settings are specified for a LAG, other VLAN memberships settings can be specified that are valid for the switchport mode.
Command: configure
Purpose: Enter global configuration mode.
Configuring Double VLAN Tagging
Dell EMC Networking N-Series switches use switchport dot1q-tunnel mode to configure an interface as a customer edge (CE) interface. The dot1q-tunnel mode is an overlay on switchport access mode. In particular, configuring the access mode PVID sets the outer dot1q-tunnel VLAN ID. Changing the switchport mode on a CE port to access, general, or trunk effectively disables tunneling on the interface. CE interfaces can be physical ports or port-channels.
DVLAN CE interfaces must be configured for tagging (dot1q-tunnel mode) for double tags to be observed on frames egressing the service provider (SP) interface. The DVLAN uplink interface should be configured to accept tagged frames for the DVLAN or outer VLAN (trunk or general mode). Ensure that the native (access mode) VLAN on the customer edge (CE) port is set to the DVLAN ID. MAC address learning on DVLAN enabled ports occurs on the DVLAN CE port's native VLAN.
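To confirm from a capture on the SP uplink that CE traffic leaves with the DVLAN ID as the outer tag, the tag stack can be decoded as follows. This is an added Python example, not Dell code: the frames are constructed, the helper names are hypothetical, and the TPID values (0x8100, 0x88A8, 0x9100) are the commonly used ones rather than values taken from this guide.

```python
import struct

# Common tag protocol identifiers, listed from general knowledge (assumption:
# the switch is configured to use one of these as the outer EtherType).
KNOWN_TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad", 0x9100: "legacy Q-in-Q"}


def parse_vlan_stack(frame, outer_tpid=0x8100):
    """Return (tags, ethertype); tags are dicts, outermost first.

    outer_tpid is the EtherType expected in the first EtherType/tag pair.
    Inner tags are always matched against 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset = 12                      # skip destination and source MAC
    expected = outer_tpid
    tags = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != expected:
            return tags, ethertype   # first non-tag EtherType ends the stack
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": ethertype, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
        expected = 0x8100


def check_sp_egress(frame, dvlan_id, outer_tpid=0x8100):
    """Classify a frame captured on the SP uplink of a DVLAN tunnel."""
    tags, ethertype = parse_vlan_stack(frame, outer_tpid)
    if not tags:
        if ethertype in KNOWN_TPIDS:
            # Tagged, but not with the EtherType the uplink is expected to use.
            return "outer-tpid-mismatch"
        return "untagged"
    if tags[0]["vid"] != dvlan_id:
        return "wrong-outer-vid"
    if len(tags) == 1:
        # Either the customer frame was untagged or the CE port is not tunnelling.
        return "single-tag"
    return "double-tag"


def build_frame(tags, ethertype=0x0800):
    """Build a constructed test frame; tags are (tpid, pcp, vid), outermost first."""
    frame = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for tpid, pcp, vid in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return frame + struct.pack("!H", ethertype) + bytes(46)


if __name__ == "__main__":
    # Constructed sample: DVLAN 100 outside, customer VLAN 25 (priority 5) inside.
    sample = build_frame([(0x88A8, 0, 100), (0x8100, 5, 25)])
    print(parse_vlan_stack(sample, outer_tpid=0x88A8))
    print(check_sp_egress(sample, dvlan_id=100, outer_tpid=0x88A8))
```

A result of single-tag or outer-tpid-mismatch on the uplink points at the CE port mode or the configured outer EtherType, which are the two settings this section describes.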
Command | Purpose
spanning-tree guard root | (Optional) Disable the ability of the CE port to become spanning tree root.
spanning-tree tcnguard | (Optional) Ignore topology changes received from CE ports.
exit | Exit to global configuration mode.
CTRL + Z | Exit to Privileged Exec mode.
Command | Purpose
switchport trunk allowed vlan 100 | Only allow VLAN 100 packets on the interface.
switchport trunk native vlan 100 | Configure untagged packets to be members of VLAN 100.

Configuring MAC-Based VLANs
Use the following commands to associate a MAC address with a configured VLAN. The VLAN does not need to be configured on the system to associate a MAC address with it.
Command | Purpose
vlan association mac mac-address | Associate a MAC address with a VLAN.
CTRL + Z | Exit to Privileged Exec mode.
show vlan association mac [mac-address] | Display the VLAN associated with a specific configured MAC address. If no MAC address is specified, the VLAN associations of all the configured MAC addresses are displayed.
• mac-address — MAC address to associate. (Range: Any MAC address in the format xxxx.xxxx.
Configuring IP-Based VLANs Use the following commands to associate an IP subnet with a configured VLAN. The VLAN does not need to be configured on the system to associate an IP subnet with it. However, the subnet VLAN must be configured on a port in order for the system to map packets matching the IP address to the subnet VLAN and to learn the associated MAC address on the subnet VLAN so that packets addressed to the associated IP address are forwarded properly.
Command | Purpose
exit | Exit to Global Config mode.
CTRL + Z | Exit to Privileged Exec mode.
show vlan association subnet [ip-address ipmask] | Display the VLAN associated with a specific configured IP address and netmask. If no IP address and netmask are specified, the VLAN associations of all the configured IP subnets are displayed.
Configuring a Protocol-Based VLAN Use the following commands to create and name a protocol group, and associate VLANs with the protocol group. When you create a protocol group, the switch automatically assigns it a unique group ID number. The group ID is used for both configuration and script generation to identify the group in subsequent commands. A protocol group may have more than one interface associated with it, but each interface and protocol combination can be associated with one group only.
Command | Purpose
exit | Exit to Global Config mode.
show port protocol all | Obtain the group ID for the newly configured group.
configure | Enter global configuration mode.
vlan protocol group add protocol groupid ethertype protocol | Add any EtherType protocol to the protocol-based VLAN groups identified by groupid. A group may have more than one protocol associated with it. Each interface and protocol combination can be associated with one group only.
Command | Purpose
protocol group groupid vlanid | Attach a VLAN ID to the protocol-based group identified by groupid. A group may only be associated with one VLAN at a time. However, the VLAN association can be changed.
• groupid — The protocol-based VLAN group ID, which is automatically generated when you create a protocol-based VLAN group with the vlan protocol group command. To see the group ID associated with the name of a protocol group, use the show port protocol all command.
• vlanid — A valid VLAN ID.
Configuring GVRP
Use the following commands to enable GVRP on the switch and on an interface, and to configure various GVRP settings.

Command | Purpose
configure | Enter global configuration mode.
gvrp enable | Enable GVRP on the switch.
interface interface-id | Enter interface configuration mode for the specified port or LAG. The interface-id parameter includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 3.
Command | Purpose
vlan makestatic vlan-id | (Optional) Change a dynamically created VLAN (one that is created by GVRP registration) to a static VLAN (one that is permanently configured and defined). vlan-id — Valid VLAN ID. Range is 2-4093.
CTRL + Z | Exit to Privileged Exec mode.
show gvrp configuration | Display GVRP configuration information. Timer values are displayed. Other data shows whether GVRP is enabled and which ports are running GVRP.
Configuring Voice VLANs
Use the following commands to enable the Voice VLAN feature on the switch and on an interface.

Command | Purpose
configure | Enter global configuration mode.
switchport voice vlan | Enable the Voice VLAN capability on the switch.
interface interface | Enter interface configuration mode for the specified interface. interface — Specific interface, such as gi1/0/8. A range of interfaces can be specified using the interface range command.
Command | Purpose
switchport voice vlan {vlanid | dot1p priority | none | untagged | data priority {trust | untrust} | override-authentication | dscp value} | Enable the Voice VLAN capability on the interface.
• vlanid — The Voice VLAN ID. This VLAN ID is sent to IP phones via LLDP.
• priority — The IEEE 802.1p priority sent to IP phones on the port. This value is transmitted to the IP phone via LLDP. The switch must be configured locally to give packets using the transmitted priority the appropriate QoS.
Configuring a Voice VLAN (Extended Example) The commands in this example create a VLAN for voice traffic with a VLAN ID of 25 using an IP phone that does not support 802.1X authentication. Port gi1/0/10 is set to an 802.1Q VLAN. Next, Voice VLAN is enabled on the port with the Voice VLAN ID set to 25. Finally, Voice VLAN authentication is disabled on port gi1/0/10 because the phone connected to that port does not support 802.1X authentication. All other devices connected to the port are required to use 802.
console(config-if-Gi1/0/10)#dot1x port-control mac-based
5 Enable the Voice VLAN feature on the interface.
console(config-if-Gi1/0/10)#switchport voice vlan 25
6 Disable authentication for the Voice VLAN on the port. This step is required only if the voice phone does not support port-based authentication. MAB is not enabled on this port as other devices such as a PC will still authenticate using 802.1X.
console(config-vlan25)#exit
2 Globally enable the Voice VLAN feature on the switch.
console(config)#switchport voice vlan
3 Configure a rate-limiting ACL to ensure that the Voice VLAN does not present a denial-of-service threat. A G.711 voice stream generates 64 Kbps, which translates to 80 bytes of uncompressed voice every 10 ms. Overhead adds 40 bytes, so the phone will generate 100 packets of 120 bytes every second per voice stream, or about 96 Kbps.
console(config-if-Gi1/0/10)#classofservice dot1p-mapping 5 2
9 Rate limit incoming IEEE 802.1p priority 5 traffic.
console(config-if-Gi1/0/10)#mac access-group dot1p-5-limit in
Steps 6–8 are required to be configured on all ports that carry voice traffic end-to-end, including the switch ports connected to other switches and the ports on other switches that will carry voice traffic. It may be desirable to configure steps 6–8 globally.
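Because the rate limit and the authentication override are set per port, it is worth checking a saved configuration for voice ports that lack the inbound access-group or carry the override. The following Python sketch is an added example, not Dell tooling: the sample configuration is constructed, the finding codes are hypothetical, and it assumes each interface block starts with "interface <name>" and ends with "exit".

```python
import re

# Constructed sample in running-config style (not taken from a real switch).
# The ACL name and the Gi1/0/10 settings follow the guide's extended example.
SAMPLE_CONFIG = """\
interface Gi1/0/10
switchport mode general
dot1x port-control mac-based
switchport voice vlan 25
switchport voice vlan override-authentication
classofservice dot1p-mapping 5 2
mac access-group dot1p-5-limit in
exit
interface Gi1/0/11
switchport mode access
voice vlan 2
exit
interface Gi1/0/12
switchport mode access
exit
interface Gi1/0/13
switchport voice vlan 25
switchport voice vlan override-authentication
exit
"""

# Both spellings of the interface command appear in the guide's examples.
VOICE_VLAN = re.compile(r"^(?:switchport )?voice vlan (\d+)$")
INBOUND_ACL = re.compile(r"^(?:mac|ip) access-group (\S+) in\b")
OVERRIDE = "switchport voice vlan override-authentication"

FINDINGS = {
    "NO_INBOUND_ACL": "voice port has no inbound access-group (no rate limit)",
    "AUTH_OVERRIDE": "voice VLAN authentication is overridden on this port",
}


def parse_interfaces(config_text):
    """Map interface name -> list of configuration lines in its block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "exit":
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def audit_voice_ports(config_text):
    """Return (interface, finding code) pairs for ports with a voice VLAN ID."""
    results = []
    for name, lines in parse_interfaces(config_text).items():
        if not any(VOICE_VLAN.match(line) for line in lines):
            continue  # no voice VLAN ID on this port
        # An access-group being present does not prove it rate limits;
        # the ACL body still has to be reviewed.
        if not any(INBOUND_ACL.match(line) for line in lines):
            results.append((name, "NO_INBOUND_ACL"))
        if OVERRIDE in lines:
            results.append((name, "AUTH_OVERRIDE"))
    return results


if __name__ == "__main__":
    for port, code in audit_voice_ports(SAMPLE_CONFIG):
        print(f"{port}: {FINDINGS[code]}")
```

An AUTH_OVERRIDE finding is expected on ports whose phone cannot do 802.1X; the point of listing it is to keep that set of exceptions known and small.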
Assign CoS for Voice Packets via Policy
The following example configures a DiffServ policy that remarks the CoS value in voice packets and assigns the voice packets to an internal queue for expedited service. The policy can be assigned to an interface using the service-policy command.
1 Create the Voice VLAN in Global Configuration mode.
vlan 100
exit
2 Create a class map that matches the Voice VLAN.
Figure 21-26. Network Topology for LAG with RPVST and Voice VLAN

MLAG Primary Peer Configuration
1 Configure the MLAG primary switch. Keepalives are disabled on the peer links (optional). The four peer-links are placed in port-channel 3. Port-channel 1 is the northbound (partner 1) MLAG interface in VPC 1 and port-channel 4 is the southbound (partner 2) interface in VPC 4. Finally, VPC is enabled and the VPC domain is set to 1.
console(config-if-Te1/0/2)#channel-group 3 mode active
console(config-if-Te1/0/2)#no keepalive
console(config-if-Te1/0/2)#exit
console(config)#interface Te1/0/3
console(config-if-Te1/0/3)#channel-group 3 mode active
console(config-if-Te1/0/3)#no keepalive
console(config-if-Te1/0/3)#exit
console(config)#interface Te1/0/4
console(config-if-Te1/0/4)#channel-group 3 mode active
console(config-if-Te1/0/4)#no keepalive
console(config-if-Te1/0/4)#exit
console(config)#interface Te1/0/19
console(config-if-Te1/0/19)#
console(config-if)#no keepalive
console(config-if)#exit
3 Configure spanning-tree mode as RPVST.
console(config)#spanning-tree mode rapid-pvst
4 Create VLAN-2 for voice traffic.
console(config)#vlan 2
console(config)#exit
5 Enable Voice VLAN globally.
console(config)#voice vlan
6 Configure CoS queue 2 as strict. By default, the VoIP phone sends voice traffic with 802.1p priority 5, which is mapped to CoS queue 2 by default.
console(config)#interface Te1/0/24
console(config-if-Te1/0/24)#channel-group 1 mode active
console(config-if-Te1/0/24)#no keepalive
console(config-if-Te1/0/24)#exit
console(config)#interface port-channel 1
console(config-if-Po1)#vpc 1
console(config-if-Po1)#switchport mode trunk
console(config-if-Po1)#exit
console(config)#interface port-channel 3
console(config-if-Po3)#vpc peer-link
console(config-if-Po3)#switchport mode trunk
console(config-if-Po3)#exit
console(config)#interface port-channel 4
console(conf
MLAG Partner Switch Configuration 1 Configure partner switch 1 with a port-channel connected to the MLAG aware switches.
console(config)#cos-queue strict 2
8 Configure an ACL to rate-limit the voice traffic in case of DoS attacks and apply the ACL on the phone-connected interfaces. The administrator should consider whether to apply this configuration on all perimeter ports.
console(config)#vlan 2
console(config-vlan-2)#exit
5 Enable Voice VLAN globally.
console(config)#voice vlan
6 Configure the VoIP phone connected port as follows:
console(config)#interface Gi2/0/11
console(config-if-Gi2/0/11)#switchport mode access
console(config-if-Gi2/0/11)#voice vlan 2
console(config-if-Gi2/0/11)#exit
7 Configure CoS queue 2 as strict. By default, the VoIP phone sends voice traffic with 802.1p priority 5, which is mapped to egress queue 2 by default.
To ensure that CoS queue 4 packets are always transmitted first, CoS queue 4 could be made a strict-priority queue. In this case, it would be prudent to rate limit CoS queue 4 traffic.
1 Create an access list that permits all traffic and assign it to CoS queue 4.
console#config
console(config)#ip access-list voice-vlan
console(config-ip-acl)#permit every assign-queue 4
console(config-ip-acl)#exit
2 Assign the access list to VLAN 25. The access-group is given sequence number 100.
console(config)#interface te1/1/1
console(config-if-Te1/1/1)#switchport mode private-vlan promiscuous
console(config-if-Te1/1/1)#switchport private-vlan mapping 100 101-102
console(config-if-Te1/1/1)#exit
4 Assign the community VLAN ports:
console(config)#interface gi1/0/11
console(config-if-Gi1/0/11)#switchport mode private-vlan host
console(config-if-Gi1/0/11)#switchport private-vlan host-association 100 101
console(config-if-Gi1/0/11)#interface gi1/0/12
console(config-if-Gi1/0/12)#switchport mode private
console(config)#show vlan

VLAN  Name      Ports                              Type
----  --------  ---------------------------------  -------
1     default   Po1-128, Gi1/0/1-10, Gi1/0/13-24   Default
100   VLAN0100  Te1/1/1, Gi1/0/11-12               Static
101   VLAN0101  Gi1/0/11                           Static
102   VLAN0102  Gi1/0/12                           Static
VLAN Configuration Examples
This section contains the following examples:
• Configuring VLANs Using the Dell EMC OpenManage Switch Administrator
• Configuring VLANs Using the CLI
• Configuring a Voice VLAN (Extended Example)
NOTE: For an example that shows how to use a RADIUS server to provide VLAN information, see "Controlling Authentication-Based VLAN Assignment" on page 348.
Figure 21-27 shows the network topology for this example. As the figure shows, there are two switches, two file servers, and many hosts. One switch has an uplink port that connects it to a layer-3 device and the rest of the corporate network. Figure 21-27.
Table 21-9 shows the port assignments on the switches.

Table 21-9. Switch Port Connections
Port/LAG | Function
Switch 1
1 | Connects to Switch 2
2–15 | Host ports for Payroll
16–20 | Host ports for Marketing
LAG1 (ports 21–24) | Connects to Payroll server
Switch 2
1 | Connects to Switch 1
2–10 | Host ports for Marketing
11–30 | Host ports for Engineering
LAG1 (ports 35–39) | Connects to file server
LAG2 (ports 40–44) | Uplink to router.
Figure 21-28. Add VLANs
e Repeat steps b–d to create VLANs 300 (Sales) and 400 (Payroll).
2 Assign ports 16–20 to the Marketing VLAN.
a From the Switching → VLAN → VLAN Membership page, select 200-Marketing from the Show VLAN field.
b In the Static row, click the space for ports 16–20 so the U (untagged) displays for each port.
Figure 21-29. VLAN Membership - VLAN 200
3 Click Apply.
4 Assign ports 2–15 and LAG1 to the Payroll VLAN.
a From the Switching → VLAN → VLAN Membership page, select 400-Payroll from the Show VLAN field.
b In the Static row, click the space for ports 2–15 and LAG 1 so the U (untagged) displays for each port, and then click Apply.
5. Configure LAG 1 to be in general mode and specify that the LAG will accept tagged or untagged frames, but that untagged frames will be transmitted tagged with PVID 400.
a. From the Switching → VLAN → LAG Settings page, make sure Po1 is selected.
b.
Figure 21-31. Trunk Port Configuration
7 From the Switching → VLAN → VLAN Membership page, verify that port 1 is marked as a tagged member (T) for each VLAN. Figure 21-32 shows VLAN 200, in which port 1 is a tagged member, and ports 13–16 are untagged members.
Figure 21-32. Trunk Port Configuration
8 Configure the MAC-based VLAN information.
a Go to the Switching → VLAN → Bind MAC to VLAN page.
b In the MAC Address field, enter a valid MAC address, for example 00:1C:23:55:E9:8B.
Figure 21-33. Trunk Port Configuration
e Repeat steps b–d to add additional MAC address-to-VLAN information for the Sales department.
9 To save the configuration so that it persists across a system reset, use the following steps:
a Go to the System → File Management → Copy Files page.
b Select Copy Configuration and ensure that Running Config is the source and Startup Config is the destination.
c Click Apply.
c. Click Apply.
3. Configure port 1 as a trunk port.
4. Configure LAG2 as a trunk port.
5. Assign ports 2–10 to VLAN 200 as untagged (U) members.
6. Assign ports 11–30 to VLAN 100 as untagged (U) members.
7. Assign LAG1 to VLAN 100 and 200 as a tagged (T) member.
8. Assign port 1 and LAG2 to VLAN 100, VLAN 200, VLAN 300, and VLAN 400 as a tagged (T) member.
9. Configure the MAC-based VLAN information.
10. If desired, copy the running configuration to the startup configuration.
Configuring VLANs Using the CLI
This example shows how to perform the same configuration by using CLI commands.

Configure the VLANs and Ports on Switch 1
Use the following steps to configure the VLANs and ports on Switch 1. None of the hosts that connect to Switch 1 use the Engineering VLAN (VLAN 100), so it is not necessary to create it on that switch.
To configure Switch 1:
1. Create VLANs 200 (Marketing), 300 (Sales), and 400 (Payroll), and associate the VLAN ID with the appropriate name.
4. Assign LAG1 to the Payroll VLAN and specify that frames will always be transmitted untagged with a VLAN ID of 400. By default, all VLANs are members of a trunk port. VLAN 200 and 300 frames will be transmitted tagged. This port is removed from VLAN 1 membership.
console(config)#interface port-channel 1
console(config-if-Po1)#switchport mode trunk
console(config-if-Po1)#switchport trunk native vlan 400
console(config-if-Po1)#exit
5.
8. View the VLAN settings.
console#show vlan

VLAN  Name       Ports                   Type
----  ---------  ----------------------  -------
1     Default    Po1-12, Te1/0/2-15,     Default
                 Te1/0/21-24, Te1/12
200   Marketing  Te1/0/1, Te1/0/16-20    Static
300   Sales      Te1/0/1                 Static
400   Payroll    Te1/0/1-15              Static

9. View the VLAN membership information for a port.
Configure the VLANs and Ports on Switch 2 Use the following steps to configure the VLANs and ports on Switch 2. Many of the procedures in this section are the same as procedures used to configure Switch 1. For more information about specific procedures, see the details and figures in the previous section. To configure Switch 2: 1. Create the Engineering, Marketing, Sales, and Payroll VLANs.
22 Spanning Tree Protocol
Dell EMC Networking N-Series Switches

This chapter describes how to configure the Spanning Tree Protocol (STP) settings on the switch. The topics covered in this chapter include:
• STP Overview
• RSTP-PV
• Default STP Values
• Configuring Spanning Tree (Web)
• Configuring Spanning Tree (CLI)
• STP Configuration Examples

STP Overview
STP is a layer-2 protocol that provides a tree topology for switches on a bridged LAN.
transitioning of the port to Forwarding). The difference between RSTP and the traditional STP (IEEE 802.1d) is the ability to recognize full-duplex connectivity and ports which are connected to end stations, resulting in rapid transitioning of the port to the Forwarding state and the suppression of Topology Change Notifications. MSTP is compatible with both RSTP and STP. It behaves appropriately when connected to STP and RSTP bridges.
How Does MSTP Operate in the Network? In the following diagram of a small 802.1d bridged network, STP is necessary to create an environment with full connectivity and without loops. Figure 22-1. Small Bridged Network Assume that Switch A is elected to be the Root Bridge, and Port 1 on Switch B and Switch C are calculated to be the root ports for those bridges, Port 2 on Switch B and Switch C would be placed into the Blocking state. This creates a loop-free topology.
Figure 22-2 shows the logical single STP network topology. Figure 22-2. Single STP Topology For VLAN 10 this single STP topology is fine and presents no limitations or inefficiencies. On the other hand, VLAN 20's traffic pattern is inefficient. All frames from Switch B will have to traverse a path through Switch A before arriving at Switch C. If the Port 2 on Switch B and Switch C could be used, these inefficiencies could be eliminated.
The logical representation of the MSTP environment for these three switches is shown in Figure 22-3. Figure 22-3.
In order for MSTP to correctly establish the different MSTIs as above, some additional changes are required. For example, the configuration would have to be the same on each and every bridge. That means that Switch B would have to add VLAN 10 to its list of supported VLANs (shown in Figure 22-3 with a *). This is necessary with MSTP to allow the formation of Regions made up of all switches that exchange the same MST Configuration Identifier.
MSTP with Multiple Forwarding Paths Consider the physical topology shown in Figure 22-4. It might be assumed that MSTI 2 and MSTI 3 would follow the most direct path for VLANs 20 and 30. However, using the default path costs, this is not the case. MSTI operates without considering the VLAN membership of the ports. This results in unexpected behavior if the active topology of an MSTI depends on a port that is not a member of the VLAN assigned to the MSTI and the port is selected as root port.
MSTP and VLAN IDs MSTP allows VLAN 4094 to be configured in the MD5 digest of an MSTI region for compatibility purposes. However, the switch reserves VLAN 4094 internally for use in stacking and will drop received packets tagged with VLAN 4094.
If BPDU filtering is configured globally on the switch, the feature is automatically enabled on all operational PortFast-enabled ports. These ports are typically connected to hosts that drop BPDUs. However, if an operational edge port receives a BPDU, the BPDU filtering feature disables PortFast and allows the port to participate in the spanning tree calculation. Enabling BPDU filtering on a specific port prevents the port from sending BPDUs and allows the port to drop any BPDUs it receives.
Enabling loop guard prevents such accidental loops. When a port is no longer receiving BPDUs and the max age timer expires, the port is moved to a loop-inconsistent blocking state. In the loop-inconsistent blocking state, traffic is not forwarded so the port behaves as if it is in the blocking state; that is, it discards received traffic, does not learn MAC addresses, and is not part of the active topology. The port will remain in this state until it receives a BPDU.
STP-PV is the IEEE 802.1s (STP) standard implemented per VLAN. The STP-PV-related state machine, roles, and timers are similar to those defined for STP. STP-PV does not have the DirectLink Rapid Convergence (DRC) or IndirectLink Rapid Convergence (IRC) features enabled by default. These features can be enabled by the switch administrator. STP-PV/RSTP-PV are not compatible with protocol-based VLANs. Ensure that ports enabled for per-VLAN spanning tree are not configured for protocol-based VLAN capability.
DirectLink Rapid Convergence
The DirectLink Rapid Convergence (DRC) feature is designed for an access-layer switch that has redundant blocked uplinks. It operates on ports blocked by spanning tree. DRC can be configured for the entire switch; it cannot be enabled for individual VLANs. The DRC feature is based on the concept of an uplink group. An uplink group consists of all the ports that provide a path to the root bridge (the root port and any blocked ports).
by default. Delaying the switchover allows the connected port to go through the listening and learning states while the switch is still transmitting packets on the original uplink. The optimal behavior is to keep the current uplink active and hold the new port in the blocked state for twice the forwarding delay.
IndirectLink Rapid Convergence Feature To handle indirect link failure, the STP standard requires that a switch passively wait for “max_age” seconds once a topology change has been detected. IndirectLink Rapid Convergence (IRC) handles these failures in two phases: • Rapid detection of an indirect link failure. Tracking the inferior BPDUs that a designated bridge detects when it transmits a direct link failure indicates that a failure has occurred elsewhere in the network.
on ports that should have a path to the root. The port where the switch received the inferior BPDU is excluded because it already failed; self-looped and designated ports are eliminated as they do not have a path to the root. Figure 22-5. IRC Flow Upon receiving a negative RLQ response on a port, the port has lost connection to the root and the switch ages-out its BPDU. If all other nondesignated ports received a negative answer, the switch has lost the root and restarts the STP calculation.
Interoperability Between STP-PV and RSTP-PV Modes STP-PV is derived from 802.1D and RSTP-PV is derived from 802.1w. The fallback mechanism is the same as between a standard 802.1D switch and a standard 802.1w switch. When a lower protocol version BPDU is received on a switch that runs a higher protocol version, the latter falls back to the lower version after its migration delay timer expires.
RSTP-PV region and the MSTP region, the RSTP-PV switch sends VLAN1 BPDUs in IEEE standard format, so they can be interpreted by the MSTP peers. Similarly, the RSTP-PV switch processes incoming MSTP BPDUs as though they were BPDUs for the VLAN 1 RSTP-PV instance.
Figure 22-7. RSTP-PV and RSTP Interoperability SW3 sends IEEE STP BPDUs to the IEEE multicast MAC address as untagged frames. These BPDUs are processed by the VLAN 1 STP instance on the RSTP-PV switch as part of the VLAN 1 STP instance. The RSTP-PV side sends IEEE STP BPDUs corresponding to the VLAN 1 STP to the IEEE MAC address as untagged frames across the link. At the same time, SSTP BPDUs are sent as untagged frames. IEEE switches simply flood the SSTP BPDUs throughout VLAN 1.
The VLAN 1 STP instances of SW1 and SW2 are joined with the STP instance running in SW3. VLANs 2 and 3 consider the path across SW3 as another segment linking SW1 and SW2, and their SSTP information is multicast across SW3. The bridge priority of SW1 and SW2 for the VLAN 1 instance is 32769 (bridge priority + VLAN identifier). The bridge priority of SW3 is 32768, per the IEEE 802.1w standard.
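The VLAN 1 result follows from how bridge IDs are compared, which is also the comparison root guard relies on when it decides whether a received BPDU is superior. The sketch below is an added Python example, not Dell code: the MAC addresses are constructed, and the bridge ID layout (4-bit priority, 12-bit system ID extension, 48-bit MAC) is the standard encoding rather than something stated in this guide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str               # constructed, locally administered address
    per_vlan: bool         # True = RSTP-PV, False = single IEEE instance
    priority: int = 32768  # default bridge priority

    def bridge_id(self, vlan):
        """64-bit bridge ID for the instance serving this VLAN."""
        if self.priority % 4096 or not 0 <= self.priority <= 61440:
            raise ValueError("priority must be a multiple of 4096 in 0..61440")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range")
        # Per-VLAN instances carry the VLAN ID in the system ID extension;
        # the single IEEE instance leaves it at zero.
        extension = vlan if self.per_vlan else 0
        mac = int(self.mac.replace(":", ""), 16)
        return ((self.priority + extension) << 48) | mac


def advertised_priority(bridge, vlan):
    """The 16-bit priority field a show command would report (e.g. 32769)."""
    return bridge.bridge_id(vlan) >> 48


def elect_root(bridges, vlan):
    """Lowest bridge ID wins. The IEEE bridge only takes part in VLAN 1;
    for other VLANs it just floods the per-VLAN BPDUs."""
    candidates = [b for b in bridges if b.per_vlan or vlan == 1]
    return min(candidates, key=lambda b: b.bridge_id(vlan))


def superior_bpdu(received_root_id, current_root_id):
    """True when a received BPDU advertises a better (lower) root ID.
    This is the condition root guard refuses on a guarded port."""
    return received_root_id < current_root_id


SW1 = Bridge("SW1", "02:00:00:00:00:01", per_vlan=True)
SW2 = Bridge("SW2", "02:00:00:00:00:02", per_vlan=True)
SW3 = Bridge("SW3", "02:00:00:00:00:03", per_vlan=False)

if __name__ == "__main__":
    for vlan in (1, 2, 3):
        root = elect_root([SW1, SW2, SW3], vlan)
        print(f"VLAN {vlan}: root is {root.name} "
              f"(priority {advertised_priority(root, vlan)})")
    # Pinning the root: give SW1 an explicit lower priority for all VLANs.
    pinned = Bridge("SW1", SW1.mac, per_vlan=True, priority=4096)
    print("VLAN 1 root after pinning:", elect_root([pinned, SW2, SW3], 1).name)
```

With default priorities the IEEE switch wins VLAN 1 by one unit of priority regardless of MAC address, which is why the intended root should be given an explicit priority rather than left at the default.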
• The MSTP domain contains the root bridge for ALL VLANs. This implies that the CIST Root Bridge ID is configured to be better than any RSTP-PV STP root Bridge ID. If there is only one MSTP region connected to the RSTP-PV domain, then all boundary ports on the virtual-bridge will be unblocked and used by RSTP-PV. This is the only supported topology, as the administrator can manipulate uplink costs on the RSTP-PV side and obtain optimal traffic engineering results.
• The alternative is that the RSTP-PV domain contains the root bridges for ALL VLANs. This is only true if all RSTP-PV root bridges’ Bridge IDs for all VLANs are better than the MSTP CIST Root Bridge ID. This is not a supported topology, because all MSTIs map to CIST on the border link, and it is not possible to load-balance the MSTIs as they enter the RSTP-PV domain. The Dell EMC Networking RSTP-PV implementation does not support the second option.
Default STP Values Spanning tree is globally enabled on the switch and on all ports and LAGs. Table 22-1 summarizes the default values for STP. Table 22-1.
Configuring Spanning Tree (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring STP settings on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

STP Global Settings
The STP Global Settings page contains fields for enabling STP on the switch.
Figure 22-9.
STP Port Settings
Use the STP Port Settings page to assign STP properties to individual ports. To display the STP Port Settings page, click Switching → Spanning Tree → STP Port Settings in the navigation panel.
Figure 22-10.
Configuring STP Settings for Multiple Ports
To configure STP settings for multiple ports:
1 Open the STP Port Settings page.
2 Click Show All to display the STP Port Table.
Figure 22-11. Configure STP Port Settings
3 For each port to configure, select the check box in the Edit column in the row associated with the port.
4 Select the desired settings.
5 Click Apply.
STP LAG Settings
Use the STP LAG Settings page to assign STP aggregating ports parameters. To display the STP LAG Settings page, click Switching → Spanning Tree → STP LAG Settings in the navigation panel.
Figure 22-12. STP LAG Settings

Configuring STP Settings for Multiple LAGs
To configure STP settings on multiple LAGs:
1 Open the STP LAG Settings page.
2 Click Show All to display the STP LAG Table.
Figure 22-13. Configure STP LAG Settings
3 For each LAG to configure, select the check box in the Edit column in the row associated with the LAG.
4 Select the desired settings.
5 Click Apply.

Rapid Spanning Tree
Rapid Spanning Tree Protocol (RSTP) detects and uses network topologies that allow a faster convergence of the spanning tree without creating forwarding loops. To display the Rapid Spanning Tree page, click Switching → Spanning Tree → Rapid Spanning Tree in the navigation panel.
Figure 22-14.
To view RSTP Settings for all interfaces, click the Show All link. The Rapid Spanning Tree Table displays. Figure 22-15.
MSTP Settings
The Multiple Spanning Tree Protocol (MSTP) supports multiple instances of Spanning Tree to efficiently channel VLAN traffic over different interfaces. MSTP is compatible with both RSTP and STP; an MSTP bridge can be configured to behave entirely as an RSTP bridge or an STP bridge. To display the MSTP Settings page, click Switching → Spanning Tree → MSTP Settings in the navigation panel.
Figure 22-16.
Viewing and Modifying the Instance ID for Multiple VLANs
To configure MSTP settings for multiple VLANs:
1 Open the MSTP Settings page.
2 Click Show All to display the MSTP Settings Table.
Figure 22-17. Configure MSTP Settings
3 For each Instance ID to modify, select the check box in the Edit column in the row associated with the VLAN.
4 Update the Instance ID settings for the selected VLANs.
5 Click Apply.
MSTP Interface Settings
Use the MSTP Interface Settings page to assign MSTP settings to specific interfaces. To display the MSTP Interface Settings page, click Switching → Spanning Tree → MSTP Interface Settings in the navigation panel.
Figure 22-18. MSTP Interface Settings

Configuring MSTP Settings for Multiple Interfaces
To configure MSTP settings for multiple interfaces:
1 Open the MSTP Interface Settings page.
2 Click Show All to display the MSTP Interface Table.
PVST/RPVST Global Configuration Use the PVST/RPVST Global Configuration page to enable or disable the global per-VLAN spanning tree (PVST) and per-VLAN rapid spanning tree (RPVST) features on the switch. To display the PVST/RPVST Global Configuration page, click Switching Spanning Tree PVST Global Configuration in the navigation panel. Figure 22-19.
PVST/RPVST VLAN Configuration
Use the PVST/RPVST VLAN Configuration page to configure the PVST/RPVST settings for VLANs that are enabled for PVST/RPVST. To display the PVST/RPVST VLAN Configuration page, click Switching Spanning Tree PVST VLAN Configuration in the navigation panel.
Figure 22-20. PVST/RPVST VLAN Configuration

Enabling a VLAN for PVST/RPVST
To enable PVST/RPVST on a VLAN:
1 Open the PVST/RPVST VLAN Configuration page.
2 Click Add to display the PVST/RPVST VLAN Configuration: Add page.
Figure 22-21. PVST/RPVST VLAN Configuration: Add
Only VLANs with the PVST/RPVST feature disabled appear in the list.
4 Click Apply.

Viewing VLAN PVST/RPVST Settings
To view PVST/RPVST settings for each VLAN, click the Show All link. The PVST/RPVST VLAN Configuration: Show All page displays.
Figure 22-22.
PVST/RPVST Interface Configuration Use the PVST/RPVST Interface Configuration page to configure the PVST/RPVST settings for an interface. To display the PVST/RPVST Interface Configuration page, click Switching Spanning Tree PVST Interface Configuration in the navigation panel. Figure 22-23.
PVST/RPVST Statistics Use the PVST/RPVST Statistics page to configure the PVST/RPVST settings for an interface. To display the PVST/RPVST Statistics page, click Switching Spanning Tree PVST Statistics in the navigation panel. Figure 22-24.
Configuring Spanning Tree (CLI) This section provides information about the commands used for configuring STP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Global STP Bridge Settings Use the following commands to configure the global STP settings for the switch, such as the priority and timers.
Command | Purpose
show spanning-tree [detail [active | blockedports | instance instance-id]] | View information about spanning tree and the spanning tree configuration on the switch.

Configuring Optional STP Features
Use the following commands to configure the optional STP features on the switch or on specific interfaces.

Command | Purpose
configure | Enter global configuration mode.
Command                                   Purpose
spanning-tree guard {root | loop | none}  Enable loop guard or root guard (or disable both) on the interface.
spanning-tree tcnguard                    Prevent the port from propagating topology change notifications.
CTRL + Z                                  Exit to Privileged Exec mode.
show spanning-tree summary                View various spanning tree settings and parameters for the switch.
Configuring STP Interface Settings
Use the following commands to configure the STP settings for a specific interface.
Command                                   Purpose
show spanning-tree interface              View spanning tree configuration information for the specified port or LAG (port-channel).
Configuring MSTP Switch Settings
Use the following commands to configure MSTP settings for the switch.
Command                                   Purpose
configure                                 Enter global configuration mode.
spanning-tree mst configuration           Enable configuring an MST region by entering the multiple spanning tree (MST) mode.
name string                               Define the MST configuration name.
Configuring MSTP Interface Settings
Use the following commands to configure MSTP settings for the switch.
Command                                   Purpose
configure                                 Enter global configuration mode.
interface interface                       Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3 or port-channel 4. A range of interfaces can be specified using the interface range command.
STP Configuration Examples
This section contains the following examples:
• STP Configuration Example
• MSTP Configuration Example
• RSTP-PV Access Switch Configuration Example
STP Configuration Example
This example shows a LAN with four switches. On each switch, ports 1, 2, and 3 connect to other switches, and ports 4–20 connect to hosts (in Figure 22-25, each PC represents 17 host systems).
Figure 22-25. STP Example Network Diagram
Of the four switches in Figure 22-25, the administrator decides that Switch A is the most centrally located in the network and is the least likely to be moved or redeployed. For these reasons, the administrator selects it as the root bridge for the spanning tree. The administrator configures Switch A with the highest priority and uses the default priority values for Switch B, Switch C, and Switch D.
The administrator also configures Port Fast BPDU filtering and Loop Guard to extend STP’s capability to prevent network loops. For all other STP settings, the administrator uses the default STP values.
To configure the switch:
1 Connect to Switch A and configure the priority to be higher (a lower value) than the other switches, which use the default value of 32768.
console#config
console(config)#spanning-tree priority 8192
2 Configure ports 4–20 to be in Port Fast mode.
Figure 22-26. MSTP Configuration Example
To make multiple switches be part of the same MSTP region, make sure the STP operational mode for all switches is MSTP. Also, make sure the MST region name and revision level are the same for all switches in the region.
To configure the switches:
1 Create VLAN 10 (Switch A and Switch B) and VLAN 20 (all switches).
4 Create MST instance 20 and associate it with VLAN 20.
console(config-mst)#instance 20 add vlan 20
5 Change the region name and revision number so that all the bridges that want to be part of the same region can form the region. This step is required for MST to operate properly.
RSTP-PV Access Switch Configuration Example
In this configuration, all 1G ports are presumed to be connected to host machines, and the two 10G uplink ports are connected to an aggregation-layer switch with a total layer-2 network diameter of 4. The aggregation-layer switch can be a single switch or multiple switches, running either RSTP-PV or MSTP. For fastest convergence during failover scenarios, it is recommended that the uplink switches be configured in RSTP-PV mode.
console(config)#interface range gi1/0/37-48
console(config-if)#switchport access vlan 4
console(config-if)#exit
RSTP-PV Aggregation-Layer Switch Configuration Example
In this configuration example, two aggregation-layer switches are configured. Ports 1–4 are configured in a LAG connecting the two aggregation-layer switches. Ports 12–24 are configured as down-links to twelve access-layer switches configured as in the previous example. Down-links to the access-layer switches have physical diversity; there is one downlink to each of the twelve access-layer switches from each of the paired aggregation-layer switches.
console(config-if-fo1/0/1-2)#channel-group 1 mode active
console(config-if-fo1/0/1-2)#exit
8 Configure peer switch links:
console(config)#interface range te1/0/1-4
console(config-if-te1/0/1-4)#channel-group 2 mode active
console(config-if-te1/0/1-4)#exit
9 Configure the uplinks into a port channel:
console(config)#interface port-channel 1
console(config-if-port-channel 1)#switchport mode trunk
console(config-if-port-channel 1)#exit
10 Configure the peer links into a port channel and prefer to go to the c
23 Discovering Network Devices
Dell EMC Networking N-Series Switches
This chapter describes the Industry Standard Discovery Protocol (ISDP) feature and the Link Layer Discovery Protocol (LLDP) feature, including LLDP for Media Endpoint Devices (LLDP-MED).
LLDP is a one-way protocol; there are no request/response sequences. Information is advertised by stations implementing the transmit function, and is received and processed by stations implementing the receive function. The transmit and receive functions can be enabled/disabled separately on each switch port.
What is LLDP-MED?
LLDP-MED is an extension of the LLDP standard.
Default ISDP and LLDP Values
ISDP and LLDP are globally enabled on the switch and enabled on all ports by default. By default, the switch transmits and receives LLDP information on all ports. LLDP-MED is enabled on all ports. Table 23-1 summarizes the default values for ISDP.
Table 23-1.
Table 23-3 summarizes the default values for LLDP-MED. Table 23-3.
Configuring ISDP and LLDP (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring ISDP and LLDP/LLDP-MED on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
ISDP Neighbor Table
The ISDP Neighbor Table page enables viewing information about other devices the switch has discovered through the ISDP. To access the ISDP Neighbor Table page, click System → ISDP → Neighbor Table in the navigation panel.
Figure 23-2.
ISDP Interface Configuration
The ISDP Interface Configuration page enables configuring the ISDP settings for each interface. If ISDP is enabled on an interface, it must also be enabled globally in order for the interface to transmit ISDP packets. If the ISDP mode on the ISDP Global Configuration page is disabled, the interface will not transmit ISDP packets, regardless of the mode configured on the interface.
ISDP Statistics
The ISDP Statistics page enables viewing information about the ISDP packets sent and received by the switch. To access the ISDP Statistics page, click System → ISDP → Statistics in the navigation panel.
Figure 23-5.
LLDP Configuration
Use the LLDP Configuration page to specify LLDP parameters. Parameters that affect the entire system as well as those for a specific interface can be specified here. To display the LLDP Configuration page, click Switching → LLDP → Configuration in the navigation panel.
Figure 23-6.
To view the LLDP Interface Settings Table, click Show All. The LLDP Interface Settings Table page enables viewing and editing information about the LLDP settings for multiple interfaces. Figure 23-7.
LLDP Statistics
Use the LLDP Statistics page to view LLDP-related statistics. To display the LLDP Statistics page, click Switching → LLDP → Statistics in the navigation panel.
Figure 23-8.
LLDP Connections
Use the LLDP Connections page to view the list of ports with LLDP enabled. Basic connection details are displayed. To display the LLDP Connections page, click Switching → LLDP → Connections in the navigation panel.
Figure 23-9.
To view additional information about a device connected to a port that has been discovered through LLDP, click the port number in the Local Interface table (it is a hyperlink), or click Details and select the port with the connected device. Figure 23-10.
LLDP-MED Global Configuration
Use the LLDP-MED Global Configuration page to change or view the LLDP-MED parameters that affect the entire system. To display the LLDP-MED Global Configuration page, click Switching → LLDP → LLDP-MED → Global Configuration in the navigation panel.
Figure 23-11.
LLDP-MED Interface Configuration
Use the LLDP-MED Interface Configuration page to specify LLDP-MED parameters that affect a specific interface. To display the LLDP-MED Interface Configuration page, click Switching → LLDP → LLDP-MED → Interface Configuration in the navigation panel.
Figure 23-12. LLDP-MED Interface Configuration
To view the LLDP-MED Interface Summary table, click Show All.
Figure 23-13.
LLDP-MED Local Device Information
Use the LLDP-MED Local Device Information page to view the advertised LLDP local data for each port. To display the LLDP-MED Local Device Information page, click Switching → LLDP → LLDP-MED → Local Device Information in the navigation panel.
Figure 23-14. LLDP-MED Local Device Information
LLDP-MED Remote Device Information
Use the LLDP-MED Remote Device Information page to view the LLDP data advertised by remote devices.
Configuring ISDP and LLDP (CLI)
This section provides information about the commands you use to manage and view the device discovery protocol features on the switch. For more information about these commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global ISDP Settings
Use the following commands to configure ISDP settings that affect the entire switch.
Enabling ISDP on a Port
Use the following commands to enable ISDP on a port.
Command                                   Purpose
configure                                 Enter Global Configuration mode.
interface interface                       Enter interface configuration mode for the specified interface.
isdp enable                               Administratively enable ISDP on the switch.
exit                                      Exit to Global Config mode.
exit                                      Exit to Privileged Exec mode.
show isdp interface all                   View the ISDP mode on all interfaces.
Configuring Global LLDP Settings
Use the following commands to configure LLDP settings that affect the entire switch.
Command                                   Purpose
configure                                 Enter Global Configuration mode.
lldp notification-interval interval       Specify how often, in seconds, the switch should send remote data change notifications.
lldp timers [interval transmit-interval] [hold
                                          Configure the timing for local data transmission on ports enabled for LLDP.
Command                                   Purpose
lldp notification                         Enable remote data change notifications on the interface.
lldp tlv-select [sysdesc][sys-name][syscap][port-desc][port vlan]
                                          Specify which optional type-length-value settings (TLVs) in the 802.1AB basic management set will be transmitted in the LLDP PDUs.
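As an added example (not from the Dell guide), the following Python code parses a constructed LLDP PDU and reports which optional TLVs of the 802.1AB basic management set, the ones lldp tlv-select controls, a port is advertising to its neighbor. The sample PDU, its names and its addresses are constructed; the TLV type numbers and the 7-bit type / 9-bit length header follow IEEE 802.1AB.

```python
import struct

# TLV type numbers from the IEEE 802.1AB basic management set.
END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
OPTIONAL_BASIC = {4: "Port Description", 5: "System Name",
                  6: "System Description", 7: "System Capabilities"}
CAP_BITS = {0: "other", 1: "repeater", 2: "bridge", 3: "wlan-ap",
            4: "router", 5: "telephone", 6: "docsis", 7: "station"}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length packed into two bytes."""
    if len(value) > 0x1FF:
        raise ValueError("TLV value exceeds 511 bytes")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Return [(type, value), ...] up to and including the End TLV."""
    tlvs, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated TLV header")
        (header,) = struct.unpack_from("!H", data, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"TLV type {tlv_type} overruns the PDU")
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
        if tlv_type == END:
            break
    # Every LLDPDU starts with Chassis ID, Port ID, TTL and ends with End.
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    if tlvs[-1][0] != END:
        raise ValueError("missing End TLV")
    return tlvs


def decode_capabilities(value):
    """Split the System Capabilities TLV into supported and enabled sets."""
    if len(value) != 4:
        raise ValueError("System Capabilities TLV must carry 4 bytes")
    supported, enabled = struct.unpack("!HH", value)

    def names(bits):
        return [name for bit, name in CAP_BITS.items() if bits & (1 << bit)]

    return {"supported": names(supported), "enabled": names(enabled)}


def disclosed_fields(data):
    """Map each optional basic-management TLV present to its decoded value."""
    found = {}
    for tlv_type, value in parse_lldpdu(data):
        name = OPTIONAL_BASIC.get(tlv_type)
        if name is None:
            continue
        if tlv_type == 7:
            found[name] = decode_capabilities(value)
        else:
            found[name] = value.decode("utf-8", errors="replace")
    return found


# Constructed sample: what a port sends with all four optional TLVs selected.
SAMPLE_PDU = b"".join([
    tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("020000000001")),  # subtype 4: MAC
    tlv(PORT_ID, b"\x05" + b"Gi1/0/3"),        # subtype 5: interface name
    tlv(TTL, struct.pack("!H", 120)),
    tlv(4, b"uplink to core"),
    tlv(5, b"access-sw-01"),
    tlv(6, b"Example switch OS 1.0"),
    tlv(7, struct.pack("!HH", 0x0014, 0x0004)),  # bridge+router, bridge enabled
    tlv(END, b""),
])

if __name__ == "__main__":
    for field, value in disclosed_fields(SAMPLE_PDU).items():
        print(f"{field}: {value}")
```

Running the same check against a capture from an edge port shows exactly what an attached host can learn from the switch, which is the input needed when deciding which optional TLVs to leave selected on host-facing interfaces.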
Configuring LLDP-MED Settings
Use the following commands to configure LLDP-MED settings that affect the entire switch.
Command                                   Purpose
configure                                 Enter Global Configuration mode.
lldp med faststartrepeatcount count       Specifies the number of LLDP PDUs that will be transmitted when the protocol is enabled.
interface interface                       Enter interface configuration mode for the specified Ethernet interface.
lldp med                                  Enable LLDP-MED on the interface.
Viewing LLDP-MED Information
Use the following commands to view information about the LLDP-MED Protocol Data Units (PDUs) that are sent and have been received.
Command                                   Purpose
show lldp med local-device detail interface
                                          View LLDP information advertised by the specified port.
show lldp remote-device {all | interface | detail
                                          View LLDP-MED information received by all ports or by the specified port. Include the keyword detail to see additional information.
Hold Time................................60
Version 2 Advertisements.................Enabled
Neighbors table time since last change...00 days 00:00:00
Device ID................................none
Device ID format capability..............Serial Number, Host Name
Device ID format.........................
7 View global LLDP settings on the switch.
console#show lldp
LLDP Global Configuration
Transmit Interval..................... 60 seconds
Transmit Hold Multiplier.............. 5
Reinit Delay.......................... 3 seconds
Notification Interval................. 5 seconds
8 View summary information about the LLDP configuration on port 1/0/3.
24 Port-Based Traffic Control
Dell EMC Networking N-Series Switches
This chapter describes how to configure features that provide traffic control through filtering the type of traffic or limiting the speed or amount of traffic on a per-port basis. The features this section describes include flow control, storm control, protected ports, and Link Local Protocol Filtering (LLPF), which is also known as Cisco Protocol Filtering.
Table 24-1. Port-Based Traffic Control Features
Feature    Description
LLPF       Filters proprietary protocols that should not normally be relayed by a bridge.
The Priority Flow Control (PFC) feature, which is available on the Dell EMC Networking N4000 Series switches only, provides a way to distinguish which traffic on a physical link is paused when congestion occurs based on the priority of the traffic. For more information, see "Data Center Bridging Features" on page 1109.
What is Flow Control?
IEEE 802.
bandwidth on the port. If the ingress rate of that type of packet is greater than the configured threshold level, the port drops the excess traffic until the ingress rate for the packet type falls below the threshold.
What is Link Local Protocol Filtering?
The Link Local Protocol Filtering (LLPF) feature can help troubleshoot network problems that occur when a network includes proprietary protocols running on standards-based switches. LLPF allows Dell EMC Networking N-Series switches to filter out various Cisco proprietary protocol data units (PDUs) and/or ISDP packets if problems occur with these protocols running on standards-based switches.
What is Loop Protection?
Dell EMC Networking implements a subset of the Configuration Testing Protocol (CTP) for the detection of network loops. The Configuration Testing Protocol is part of the original Ethernet specification. It does not appear in the IEEE 802 standard.
Default Port-Based Traffic Control Values
Table 24-2 lists the default values for the port-based traffic control features that this chapter describes.
Table 24-2. Default Port-Based Traffic Control Values
Feature            Default
Flow control       Enabled
Storm control      Disabled
Protected ports    None
LLPF               UDLD is blocked by default.
Configuring Port-Based Traffic Control (Web)
This section provides information about the OpenManage Switch Administrator pages to use to control port-based traffic on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Storm Control
Use the Storm Control page to enable and configure the storm control feature. To display the Storm Control interface, click Switching → Ports → Storm Control in the navigation menu.
Figure 24-2. Storm Control
Configuring Storm Control Settings on Multiple Ports
To configure storm control on multiple ports:
1 Open the Storm Control page.
2 Click Show All to display the Storm Control Settings Table.
3 In the Ports list, select the check box in the Edit column for the port to configure.
Figure 24-3. Storm Control
5 Click Apply.
Protected Port Configuration
Use the Protected Port Configuration page to prevent ports in the same protected ports group from being able to see each other’s traffic. To display the Protected Port Configuration page, click Switching → Ports → Protected Port Configuration in the navigation menu.
Figure 24-4. Protected Port Configuration
Configuring Protected Ports
To configure protected ports:
1 Open the Protected Ports page.
2 Click Add to display the Add Protected Group page.
3 Select a group (0–2).
6 Click Protected Port Configuration to return to the main page.
7 Select the port to add to the group.
8 Select the protected port group ID.
Figure 24-6. Add Protected Ports
9 Click Apply.
10 To view protected port group membership information, click Show All.
Figure 24-7. View Protected Port Information
11 To remove a port from a protected port group, select the Remove check box associated with the port and click Apply.
LLPF Configuration
Use the LLPF Interface Configuration page to filter out various proprietary protocol data units (PDUs) and/or ISDP if problems occur with these protocols running on standards-based switches. To display the LLPF Interface Configuration page, click Switching → Network Security → Proprietary Protocol Filtering → LLPF Interface Configuration in the navigation menu.
Figure 24-8. LLPF Interface Configuration
To view the protocol types that have been blocked for an interface, click Show All.
Configuring Port-Based Traffic Control (CLI)
This section provides information about the commands used for configuring port-based traffic control settings. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Flow Control and Storm Control
Use the following commands to configure the flow control and storm control features.
Command                                   Purpose
storm-control unicast [level rate]        Enable unknown unicast storm recovery mode on the interface and (optionally) set the threshold. rate: threshold as percentage of port speed. The percentage is converted to a PacketsPerSecond value based on a 512 byte average packet size.
CTRL + Z                                  Exit to Privileged Exec mode.
show interfaces detail interface          Display detailed information about the specified interface, including the flow control status.
show storm-control                        View whether 802.
Configuring LLPF
NOTE: LLPF is not supported on the N1500 Series switches.
Use the following commands to configure LLPF settings. Most of these protocols (other than CDP and UDLD) are obsolete and may cause excessive CPU usage.
Command                                   Purpose
configure                                 Enter global configuration mode.
interface interface                       Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Port-Based Traffic Control Configuration Example
The commands in this example configure storm control, LLPF, and protected port settings for various interfaces on the switch. The storm control configuration in this example sets thresholds on the switch so that if broadcast traffic occupies more than 10% of the bandwidth on any physical port, the interface blocks the broadcast traffic until the measured amount of this traffic drops below the threshold.
5 Verify the configuration.
console#show storm-control te1/0/1
        Bcast   Bcast   Mcast   Mcast   Ucast   Ucast
Intf    Mode    Level   Mode    Level   Mode    Level
------  ------- ------- ------- ------- ------- -------
Te1/0/1 Enable  10      Enable  5       Disable 5
console#show service-acl interface te1/0/1
Protocol        Mode
--------------- ----------
CDP             Disabled
VTP             Enabled
DTP             Disabled
UDLD            Disabled
PAGP            Enabled
SSTP            Disabled
ALL             Disabled
console#show switchport protected 0
Name.........................................
25 Layer-2 Multicast Features
Dell EMC Networking N-Series Switches
This chapter describes the layer-2 (L2) multicast features on the Dell EMC Networking N-Series switches. The features this chapter describes include bridge multicast flooding and forwarding, Internet Group Management Protocol (IGMP) snooping, Multicast Listener Discovery (MLD) snooping, and Multicast VLAN Registration (MVR).
desirable as it reduces the network load by sending packets only to other hosts/switches/routers that have indicated an interest in receiving the multicast. If L2 snooping is not enabled, multicast packets are flooded in the ingress VLAN.
What Are the Multicast Bridging Features?
The Dell EMC Networking N-Series switches support multicast forwarding and multicast flooding.
What Is L2 Multicast Traffic?
L3 IP multicast traffic is traffic that is destined to a host group. Host groups are identified by class D IPv4 addresses, which range from 224.0.1.0 to 239.255.255.255, or by FF0x:: or FF3x:: IPv6 addresses. In contrast to L3 multicast traffic, layer-2 multicast traffic is identified by the MAC address, i.e., the range 01:00:5e:00:00:00 to 01:00:5e:7f:ff:ff for IPv4 multicast traffic or 33:33:xx:xx:xx:xx for IPv6 multicast traffic.
Group addresses that fall into the reserved range 224.0.0.x are never pruned by IGMP snooping; they are always flooded to all ports in the VLAN. Note that this flooding is based on the IP address, not the corresponding 01-00-5e-00-00-xx MAC address. When a multicast router is discovered (or locally configured on the switch), its interface is added to the interface distribution list for all multicast groups in the VLAN.
• Unregistered multicast traffic may be flooded in the VLAN by a user configuration option.
NOTE: It is strongly recommended that operators enable MLD snooping if IGMP snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table. Not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv3.
NOTE: IGMP snooping (and IGMP querier) validates IGMP packets.
associated with a multicast router or host that has indicated an interest in receiving a particular multicast group. In IPv6, MLD snooping performs a similar function. With MLD snooping, IPv6 multicast data is selectively forwarded to a list of ports that want to receive the data instead of being flooded to all ports in a VLAN. This list is constructed in the MFDB by snooping IPv6 multicast control packets. MLD snooping floods multicast data packets until a multicast router port has been identified.
NOTE: It is strongly recommended that users enable IGMP snooping if MLD snooping is enabled and vice-versa. This is because both IGMP snooping and MLD snooping utilize the same forwarding table, and not enabling both may cause unwanted pruning of protocol packets utilized by other protocols, e.g. OSPFv2.
Enabling MVR and IGMP Snooping on the Same Interface
MVR and IGMP snooping operate independently and can both be enabled on an interface. When both MVR and IGMP snooping are enabled, MVR listens to the IGMP join and report messages for static multicast group information, and IGMP snooping manages dynamic multicast groups.
When Are Layer-3 Multicast Features Required?
In addition to L2 multicast features, the switch supports IPv4 and IPv6 multicast features.
• GARP Multicast Registration Protocol (GMRP) to help control the flooding of multicast traffic by keeping track of group membership information. GVRP and GMRP use the same set of GARP Timers to specify the amount of time to wait before transmitting various GARP messages. GMRP is similar to IGMP snooping in its purpose, but IGMP snooping is more widely used.
Snooping Switch Restrictions
MAC Address-Based Multicast Group
The L2 multicast forwarding table consists of the Multicast group MAC address filtering entries. For IPv4 multicast groups, 16 IP multicast group addresses map to the same multicast MAC address. For example, 224.1.1.1 and 225.1.1.1 map to the MAC address 01:00:5E:01:01:01, and IP addresses in the range [224-239].3.3.3 map to 01:00:5E:03:03:03. As a result, if a host requests 225.1.1.1, then it might receive the multicast traffic of group 226.1.
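The address mapping described above, together with the 224.0.0.x flooding rule from the IGMP snooping description, as an added Python example that is not part of the Dell guide: it maps IPv4 and IPv6 group addresses to their multicast MAC addresses and checks a group plan for addresses that would share one L2 forwarding entry. The group list and the function names are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Reserved range that IGMP snooping never prunes (flooded by IP address).
RESERVED_LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")


def multicast_mac(group):
    """Map an IPv4 or IPv6 multicast group address to its Ethernet MAC."""
    addr = ipaddress.ip_address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    if addr.version == 4:
        # Only the low 23 bits of the group address are copied into the MAC;
        # the remaining group bits are discarded, which causes the overlap.
        octets = b"\x01\x00\x5e" + (int(addr) & 0x7FFFFF).to_bytes(3, "big")
    else:
        # IPv6: 33:33 followed by the low 32 bits of the group address.
        octets = b"\x33\x33" + (int(addr) & 0xFFFFFFFF).to_bytes(4, "big")
    return ":".join(f"{o:02X}" for o in octets)


def always_flooded(group):
    """True for 224.0.0.x groups, which snooping floods to the whole VLAN."""
    addr = ipaddress.ip_address(group)
    return addr.version == 4 and addr in RESERVED_LINK_LOCAL


def shadows_reserved(group):
    """True for a non-reserved IPv4 group whose MAC equals a 224.0.0.x MAC."""
    addr = ipaddress.ip_address(group)
    if addr.version != 4 or not addr.is_multicast or addr in RESERVED_LINK_LOCAL:
        return False
    return (int(addr) & 0x7FFFFF) < 256


def audit_groups(groups):
    """Report MAC collisions and reserved-range interactions in a group plan."""
    unique = list(dict.fromkeys(groups))        # drop duplicates, keep order
    by_mac = defaultdict(list)
    for group in unique:
        by_mac[multicast_mac(group)].append(group)
    return {
        "collisions": {mac: members for mac, members in by_mac.items()
                       if len(members) > 1},
        "always_flooded": [g for g in unique if always_flooded(g)],
        "shadows_reserved": [g for g in unique if shadows_reserved(g)],
    }


# Constructed group plan for one VLAN.
SAMPLE_GROUPS = ["224.1.1.1", "225.1.1.1", "239.3.3.3", "224.0.0.5",
                 "225.0.0.5", "232.10.20.30", "ff02::1:ff00:1234"]

if __name__ == "__main__":
    report = audit_groups(SAMPLE_GROUPS)
    for mac, members in report["collisions"].items():
        print(f"{mac} is shared by {', '.join(members)}")
    print("always flooded:", report["always_flooded"])
    print("shares a MAC with a reserved group:", report["shadows_reserved"])
```

Groups reported under collisions are delivered together by a MAC-based forwarding table, so hosts that joined only one of them still receive the other; choosing groups that differ in their low 23 bits avoids this.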
Default L2 Multicast Values Details about the L2 multicast are in Table 25-1. Table 25-1.
Configuring L2 Multicast Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 multicast features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Bridge Multicast Group
Use the Bridge Multicast Group page to create new multicast service groups or to modify ports and LAGs assigned to existing multicast service groups. Attached interfaces display in the Port and LAG tables and reflect the manner in which each is joined to the Multicast group. To display the Bridge Multicast Group page, click Switching → Multicast Support → Bridge Multicast Group in the navigation menu.
Figure 25-2.
Table 25-2 contains definitions for port/LAG IGMP management settings.
Table 25-2. Port/LAG IGMP Management Settings
Port Control    Definition
D               Dynamic: Indicates that the port/LAG was dynamically joined to the Multicast group (displays in the Current row).
S               Static: Attaches the port to the Multicast group as a static member in the Static row. Displays in the Current row once Apply is clicked.
F               Forbidden: Indicates that the port/LAG is forbidden entry into the Multicast group in the Static row.
4 In the Bridge Multicast Group tables, assign a setting by clicking in the Static row for a specific port/LAG. Each click toggles between S, F, and blank (not a member).
5 Click Apply. The bridge multicast address is assigned to the multicast group, ports/LAGs are assigned to the group (with the Current rows being updated with the Static settings), and the switch is updated.
Removing a Bridge Multicast Group
To delete a bridge multicast group:
1 Open the Bridge Multicast Group page.
MFDB Summary
Use the MFDB Summary page to view all entries in the multicast forwarding database. To access this page, click Switching → Multicast Support → MFDB Summary in the navigation panel.
Figure 25-4.
MRouter Status
Use the MRouter Status page to display the status of dynamically learned multicast router interfaces. To access this page, click Switching → Multicast Support → MRouter Status in the navigation panel.
Figure 25-5.
General IGMP Snooping
Use the General IGMP snooping page to configure IGMP snooping settings on specific VLANs. To display the General IGMP snooping page, click Switching → Multicast Support → IGMP Snooping → General in the navigation menu.
Figure 25-6. General IGMP Snooping
Modifying IGMP Snooping Settings for VLANs
To modify the IGMP snooping settings:
1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
2 Select the Edit checkbox for each VLAN to modify.
Figure 25-7. Edit IGMP Snooping Settings
3 Edit the IGMP snooping fields as needed.
4 Click Apply. The IGMP snooping settings are modified, and the device is updated.
Copying IGMP Snooping Settings to Multiple VLANs
To copy IGMP snooping settings:
1 From the General IGMP snooping page, click Show All. The IGMP Snooping Table displays.
2 Select the Copy Parameters From checkbox.
3 Select a VLAN to use as the source of the desired parameters.
Figure 25-8. Copy IGMP Snooping Settings
5 Click Apply. The IGMP snooping settings are modified, and the device is updated.
Global Querier Configuration
Use the Global Querier Configuration page to configure IGMP snooping querier settings, such as the IP address to use as the source in periodic IGMP queries when no source address has been configured on the VLAN. To display the Global Querier Configuration page, click Switching → Multicast Support → IGMP Snooping → Global Querier Configuration in the navigation menu.
Figure 25-9.
VLAN Querier
Use the VLAN Querier page to specify the IGMP snooping querier settings for individual VLANs. To display the VLAN Querier page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier in the navigation menu.
Figure 25-10. VLAN Querier
Adding a New VLAN and Configuring its VLAN Querier Settings
To configure a VLAN querier:
1 From the VLAN Querier page, click Add. The page refreshes, and the Add VLAN page displays.
Figure 25-11.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated.
To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All.
Figure 25-12.
VLAN Querier Status
Use the VLAN Querier Status page to view the IGMP snooping querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → IGMP Snooping → VLAN Querier Status in the navigation menu.
Figure 25-13.
MFDB IGMP Snooping Table
Use the MFDB IGMP Snooping Table page to view the multicast forwarding database (MFDB) IGMP Snooping Table and Forbidden Ports settings for individual VLANs. To display the MFDB IGMP Snooping Table page, click Switching → Multicast Support → IGMP Snooping → MFDB IGMP Snooping Table in the navigation menu.
Figure 25-14.
MLD Snooping General
Use the MLD Snooping General page to add MLD members. To access this page, click Switching → Multicast Support → MLD Snooping → General in the navigation panel.
Figure 25-15. MLD Snooping General
Modifying MLD Snooping Settings for VLANs
To configure MLD snooping:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
Figure 25-16. MLD Snooping Table
2 Select the Edit checkbox for each VLAN to modify.
3 Edit the MLD snooping fields as needed.
4 Click Apply. The MLD snooping settings are modified, and the device is updated.
Copying MLD Snooping Settings to VLANs
To copy MLD snooping settings:
1 From the General MLD snooping page, click Show All. The MLD Snooping Table displays.
2 Select the Copy Parameters From checkbox.
3 Select a VLAN to use as the source of the desired parameters.
4 Select the Copy To checkbox for the VLANs that these parameters will be copied to.
5 Click Apply. The MLD snooping settings are modified, and the device is updated.
MLD Snooping VLAN Querier
Use the MLD Snooping VLAN Querier page to specify the MLD snooping querier settings for individual VLANs. To display the MLD Snooping VLAN Querier page, click Switching → Multicast Support → MLD Snooping → VLAN Querier in the navigation menu.
Figure 25-18. MLD Snooping VLAN Querier
Adding a New VLAN and Configuring its MLD Snooping VLAN Querier Settings
To configure an MLD snooping VLAN querier:
1 From the VLAN Querier page, click Add.
2 Enter the VLAN ID and, if desired, an optional VLAN name.
3 Return to the VLAN Querier page and select the new VLAN from the VLAN ID menu.
4 Specify the VLAN querier settings.
5 Click Apply. The VLAN Querier settings are modified, and the device is updated.
To view a summary of the IGMP snooping VLAN querier settings for all VLANs on the switch, click Show All.
Figure 25-20.
MLD Snooping VLAN Querier Status
Use the VLAN Querier Status page to view the MLD snooping querier settings for individual VLANs. To display the VLAN Querier Status page, click Switching → Multicast Support → MLD Snooping → VLAN Querier Status in the navigation menu.
Figure 25-21.
MFDB MLD Snooping Table
Use the MFDB MLD Snooping Table page to view the MFDB MLD snooping table settings for individual VLANs. To display the MFDB MLD Snooping Table page, click Switching → Multicast Support → MLD Snooping → MFDB MLD Snooping Table in the navigation menu.
Figure 25-22.
MVR Global Configuration
Use the MVR Global Configuration page to enable the MVR feature and configure global parameters. To display the MVR Global Configuration page, click Switching → MVR Configuration → Global Configuration in the navigation panel.
Figure 25-23.
MVR Members
Use the MVR Members page to view and configure MVR group members. To display the MVR Members page, click Switching → MVR Configuration → MVR Members in the navigation panel.
Figure 25-24. MVR Members
Adding an MVR Membership Group
To add an MVR membership group:
1 From the MVR Membership page, click Add. The MVR Add Group page displays.
Figure 25-25. MVR Member Group
2 Specify the MVR group IP multicast address.
3 Click Apply.
Figure 25-26. MVR Interface Configuration To view a summary of the MVR interface configuration, click Show All. Figure 25-27. MVR Interface Summary Adding an Interface to an MVR Group To add an interface to an MVR group: 1 From the MVR Interface page, click Add. Figure 25-28.
2 Select the interface to add to the MVR group.
3 Specify the MVR group IP multicast address.
4 Click Apply.

Removing an Interface from an MVR Group

To remove an interface from an MVR group:
1 From the MVR Interface page, click Remove.

Figure 25-29. MVR - Remove from Group

2 Select the interface to remove from an MVR group.
3 Specify the IP multicast address of the MVR group.
4 Click Apply.
MVR Statistics Use the MVR Statistics page to view MVR statistics on the switch. To display the MVR Statistics page, click Switching MVR Configuration MVR Statistics in the navigation panel. Figure 25-30.
GARP Timers The Timers page contains fields for setting the GARP timers used by GVRP and GMRP on the switch. To display the Timers page, click Switching GARP Timers in the navigation panel. Figure 25-31. GARP Timers Configuring GARP Timer Settings for Multiple Ports To configure GARP timers on multiple ports: 1 Open the Timers page. 2 Click Show All to display the GARP Timers Table.
Figure 25-32. Garp Timers Table 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying GARP Timer Settings From One Port to Others To copy GARP timer settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field. 3 Click Apply to copy the settings.
Figure 25-34. GMRP Port Configuration Table 3 For each port or LAG to configure, select the check box in the Edit column in the row associated with the port. 4 Specify the desired timer values. 5 Click Apply.
Copying Settings From One Port or LAG to Others To copy GMRP settings: 1 Select the Copy Parameters From check box, and select the port or LAG with the settings to apply to other ports or LAGs. 2 In the Ports or LAGs list, select the check box(es) in the Copy To column that will have the same settings as the port selected in the Copy Parameters From field. 3 Click Apply to copy the settings.
Configuring L2 Multicast Features (CLI) This section provides information about the commands used for configuring L2 multicast settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Layer-2 Multicasting Use the following commands to configure MAC address table features. Command Purpose configure Enter global configuration mode.
Command Purpose

show mac address-table multicast [vlan vlan-id] [address mac-multicastaddress | ip-multicastaddress] [format ip | mac]]
  View entries in the multicast MAC address table. The show mac address-table multicast command shows only multicast addresses. Multicast addresses are shown along with unicast addresses if the multicast keyword is not used.

Configuring IGMP Snooping on VLANs

Use the following commands to configure IGMP snooping settings on VLANs.
Command Purpose

ip igmp snooping vlan vlan-id mcrtexpiretime seconds
  Specify the multicast router time-out value to associate with a VLAN. This command sets the number of seconds to wait to age out an automatically-learned multicast router port.

interface teX/Y/Z
switchport mode trunk
ip igmp snooping vlan vlan-
  Identify an interface as an mrouter interface. IGMP snooping floods all multicast in the VLAN until an mrouter has either been detected or configured.
Command Purpose

ip igmp snooping querier version version
  Set the IGMP version of the query that the switch sends periodically. The version range is 1–2.

ip igmp snooping querier vlan-id
  Enable the IGMP snooping querier on the specified VLAN.

ip igmp snooping querier election participate vlan-id
  Allow the IGMP snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN.
Command Purpose

ipv6 mld snooping vlan-id last-listener-query-interval seconds
  Specify the leave time-out value for the VLAN. If an MLD report for a multicast group is not received within the number of seconds configured with this command after an MLD leave was received from a specific interface, the current port is deleted from the VLAN member list of that multicast group.

ipv6 mld snooping vlan vlan-id immediate-leave
  Enables MLD snooping immediate-leave mode on the specified VLAN.
Command Purpose ipv6 mld snooping querier election participate vlan-id Allow the MLD snooping querier to participate in the querier election process when it discovers the presence of another querier in the VLAN. When this mode is enabled, if the snooping querier finds that the other querier source address is more than the snooping querier address, it stops sending periodic queries. If the snooping querier wins the election, then it continues sending periodic queries.
Command Purpose

mvr querytime time
  Set the MVR query response time. The value for time is in units of tenths of a second. This is the time to wait for a response to the query sent after receiving a leave message and before removing the port from the group.

mvr mode {compatible | dynamic}
  Specify the MVR mode of operation.

mvr group mcast-address
  Add an MVR membership group.
Configuring GARP Timers and GMRP

Use the following commands to configure the GARP timers and to control the administrative mode of GMRP on the switch and per interface.

Command Purpose

configure
  Enter global configuration mode.

gmrp enable
  Enable GMRP globally on the switch.

interface interface
  Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3.
Case Study on a Real-World Network Topology

Multicast Snooping Case Study

Figure 25-36 shows the topology that the scenarios in this case study use.

Figure 25-36. Case Study Topology

The topology in Figure 25-36 includes the following elements:
• Snooping Switches: D1, D2, D3 with IGMP snooping enabled on VLANs 10, 20
• Multicast Router: D4 with PIM-SM enabled on VLANs 10, 20
• Multicast Listeners: Client A-G
• Multicast Sources: Server A – 239.20.30.40, Server B – 239.20.30.
• Subnets: VLAN 10 – 192.168.10.x, VLAN 20 – 192.168.20.x
• Mrouter ports: D3 – 1/0/20, D2 – PortChannel1, D1 – 1/0/15

Snooping Within a Subnet

In the example network topology, the multicast source and listeners are in the same subnet VLAN 20 – 192.168.20.x/24. D4 sends periodic queries on VLAN 10 and 20, and these queries are forwarded to D1, D2, and D3 via trunk links. Snooping switches D1, D2, and D3 flood these queries in VLANs 10 and 20 to clients G, F, and D, respectively.
4 Client D will receive the multicast stream from Server B because it is forwarded by D1 to D3 and then to D4 because D4 is a multicast router. Because the multicast stream is present on D3, a L2 forwarding entry is created on D3, where 239.20.30.42 is not a registered group. 5 Client F does not receive the multicast stream because it did not respond to queries from D4. Snooping Switch Interaction with a Multicast Router In the example network topology, consider Client B and Server A.
2 A multicast forwarding entry is created on D2 VLAN20, 239.20.30.40 – 1/0/20, PortChannel1. 3 The Client F report message is forwarded to D3-PortChannel1 (multicast router attached port). 4 A multicast forwarding entry is created on D3 VLAN 20, 239.20.30.40 – PortChannel1, 1/0/20. 5 The Client F report message is forwarded to D4 via D3 – 1/0/20 (multicast router attached port). 6 An IP multicast routing entry is created on D4 VLAN 10 – VLAN 20 with the layer-3 outgoing port list as VLAN 20 – 1/0/20.
Multicast Source and Listener connected to Multicast Router via intermediate snooping switches and are part of different routing VLANs: Server B Client E Clients E, B, and C are on the same subnet VLAN10 – 192.168.10.70/24. Server B is in a different subnet VLAN20 – 192.168.20.70/24. 1 Client E sends a report for 239.20.30.42. 2 A multicast forwarding entry is created on D2 VLAN10, 239.20.30.42 – 1/0/2, PortChannel 1. 3 The report from Client E is forwarded to D3 via D2 – PortChannel 1.
26 Connectivity Fault Management

Dell EMC Networking N4000 Series Switches

NOTE: This feature is supported only on the Dell EMC Networking N4000 Series switches.

This chapter describes how to configure the Connectivity Fault Management feature, which is specified in IEEE 802.1ag (IEEE Standard for Local and Metropolitan Area Networks Virtual Bridged Local Area Networks Amendment 5: Connectivity Fault Management).
IEEE Std. 802.3 LAN, Dot1ag addresses fault diagnosis at the service layer across networks comprising multiple LANs, including LANs other than 802.3 media. How Does Dot1ag Work Across a Carrier Network? A typical metropolitan area network comprises operator, service provider, and customer networks. To suit this business model, CFM relies on a functional model of hierarchical maintenance domains (MDs). These domains are assigned a unique MD level.
Higher levels have a broader, but less detailed, view of the network. As a result, a provider could include multiple operators, provided that the domains never intersect. The operator transparently passes frames from the customer and provider, and the customer does not see the operator frames. Multiple levels within a domain (say, operator) are supported for flexibility.
Figure 26-2 depicts two MEPs and the MIPs that connect them in a maintenance domain. Figure 26-2. Maintenance Endpoints and Intermediate Points Maintenance Associations An MA is a logical connection between one or more MEPs that enables monitoring a particular service instance. Each MA is associated with a unique SVLAN ID. An MA is identified by a maintenance association ID. All MEPs in the MA are assigned the maintenance identifier (MAID) for the association.
Figure 26-3. Provider View for Service Level OAM

What is the Administrator’s Role?

On the switch, the administrator configures the customer-level maintenance domains, associations, and endpoints used to participate in Dot1ag services with other switches connected through the provider network. The administrator can also use utilities to troubleshoot connectivity faults when reported via SNMP traps. All the domains within the customer domain should use different domain levels.
Troubleshooting Tasks In the event of a connectivity loss between MEPs, the administrator can perform path discovery, similar to traceroute, from one MEP to any MEP or MIP in a maintenance domain using Link Trace Messages (LTMs). The connectivity loss is narrowed down using path discovery and is verified using Loop-back Messages (LBMs), which are similar to ping operations in IP networks.
Configuring Dot1ag (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Dot1ag features on a Dell EMC Networking N4000 switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Dot1ag Global Configuration Use the Global Configuration page to enable and disable the Dot1ag admin mode and to configure the time after which inactive RMEP messages are removed from the MEP database.
Figure 26-5. Dot1ag MD Configuration

Dot1ag MA Configuration

Use the MA Configuration page to associate a maintenance domain level with one or more VLAN IDs, to provide a name for each maintenance association (MA), and to set the interval between continuity check messages sent by MEPs for the MA. To display the page, click Switching → Dot1ag → MA Configuration in the tree view.

Figure 26-6.
To add an MA, click the Add link at the top of the page. Dot1ag MEP Configuration Use the MEP Configuration page to define switch ports as Management End Points. MEPs are configured per domain and per VLAN. To display the page, click Switching Dot1ag MEP Configuration in the tree view. Figure 26-7.
To add a MEP, click the Add link at the top of the page. A VLAN must be associated with the selected domain before you configure a MEP to be used within an MA (see the MA Configuration page). Dot1ag MIP Configuration Use the MIP Configuration page to define a switch port as an intermediate bridge for a selected domain. To display the page, click Switching Dot1ag MIP Configuration in the tree view. Figure 26-8.
Dot1ag RMEP Summary Use the RMEP Summary page to view information on remote MEPs that the switch has learned through CFM PDU exchanges with MEPs on the switch. To display the page, click Switching Dot1ag RMEP Summary in the tree view. Figure 26-9.
Dot1ag L2 Ping Use the L2 Ping page to generate a loopback message from a specified MEP. The MEP can be identified by the MEP ID or by its MAC address. To display the page, click Switching Dot1ag L2 Ping in the tree view. Figure 26-10. Dot1ag L2 Ping Dot1ag L2 Traceroute Use the L2 Traceroute page to generate a Link Trace message from a specified MEP. The MEP can be specified by the MAC address, or by the remote MEP ID. To display the page, click Switching Dot1ag L2 Traceroute in the tree view.
Figure 26-11. Dot1ag L2 Traceroute Dot1ag L2 Traceroute Cache Use the L2 Traceroute Cache page to view link traces retained in the link trace database. To display the page, click Switching Dot1ag L2 Traceroute Cache in the tree view. Figure 26-12. Dot1ag L2 Traceroute Cache Dot1ag Statistics Use the Statistics page to view Dot1ag information for a selected domain and VLAN ID. To display the page, click Switching Dot1ag Statistics in the tree view.
Figure 26-13.
Configuring Dot1ag (CLI) This section provides information about the commands used for configuring Dot1ag settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring Dot1ag Global Settings and Creating Domains Use the following commands to configure CFM settings and to view global status and domain information.
Configuring MEP Information

Use the following commands to configure the mode and view related settings.

CLI Command Description

configure
  Enter global configuration mode.

interface interface
  Enter Interface Config mode for the specified interface, where interface is replaced by gigabitethernet unit/slot/port, or tengigabitethernet unit/slot/port.

ethernet cfm mep enable level level vlan vlan-id mpid mep-id
  Define the port as a maintenance endpoint (MEP) and associate it with an SVLAN in a domain.
Dot1ag Ping and Traceroute

Use the following commands to help identify and troubleshoot Ethernet CFM settings.

CLI Command Description

ping ethernet cfm mac mac-addr
  Generate a loopback message from the MEP with the specified MAC address.

ping ethernet cfm remote-mpid mep-id
  Generate a loopback message from the MEP with the specified MEP ID.

traceroute ethernet cfm mac mac-addr
  Generate a Link Trace message from the MEP with the specified MAC address.
Dot1ag Configuration Example In the following example, the switch at the customer site is part of a Metro Ethernet network that is bridged to remote sites through a provider network. A service VLAN (SVID 200) identifies a particular set of customer traffic on the provider network. Figure 26-14.
2 Configure port 1/0/5 as an MEP for service VLAN 200 so that the port can exchange CFM PDUs with its counterpart MEPs on the customer network. The port is first configured as a MEP with MEP ID 20 on domain level 6 for VLAN 200. Then the port is enabled and activated as a MEP.
27 Snooping and Inspecting Traffic

Dell EMC Networking N-Series Switches

This chapter describes Dynamic Host Configuration Protocol (DHCP) Snooping, IP Source Guard (IPSG), and Dynamic ARP Inspection (DAI), which are layer-2 security features that examine traffic to help prevent accidental and malicious attacks on the switch or network.
What Is DHCP Snooping?

Dynamic Host Configuration Protocol (DHCP) Snooping is a security feature that monitors DHCP messages between a DHCP client and DHCP server to accomplish the following tasks:
• Ensure that only authorized DHCP clients are able to utilize the network.
• On untrusted DHCP client interfaces, the switch may be configured to drop DHCP packets with a source MAC address that does not match the client hardware address.

How Is the DHCP Snooping Bindings Database Populated?

The DHCP snooping application uses DHCP messages to build and maintain the bindings database. DHCP snooping creates a tentative binding from DHCP DISCOVER and REQUEST messages. Tentative bindings tie a client to a port (the port where the DHCP client message was received).
Figure 27-1. DHCP Binding (state diagram with the states No Binding, Tentative Binding, and Complete Binding; transition labels: Discover, Request, Decline, NACK, Discover, ACK, Release, NACK)

The binding database includes data for clients only on untrusted ports.

DHCP Snooping and VLANs

DHCP snooping forwards valid DHCP client messages received on nonrouting VLANs. The message is forwarded on all trusted interfaces in the VLAN. DHCP snooping can be configured on switching VLANs and routing VLANs.
If DHCP relay co-exists with DHCP snooping, DHCP client messages are sent to DHCP relay for further processing. To prevent DHCP packets from being used as a DoS attack when DHCP snooping is enabled, the snooping application enforces a rate limit for DHCP packets received on interfaces. DHCP rate limiting can be configured on both trusted and untrusted interfaces. DHCP snooping monitors the receive rate on each interface separately.
What Is IP Source Guard?

IPSG is a security feature that filters IP packets based on source ID. This feature helps protect the network from attacks that use IP address spoofing to compromise or overwhelm the network. The source ID may be either the source IP address or a {source IP address, source MAC address} pair.
What is Dynamic ARP Inspection?

NOTE: Dynamic ARP Inspection (DAI) is not supported on the N1100 Series switches.

Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. DAI prevents a class of man-in-the-middle attacks where an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The malicious attacker sends ARP requests or responses mapping another station’s IP address to its own MAC address.
re-enable the port. DAI rate limiting cannot be enabled on trusted interfaces. Use the no ip arp inspection limit command to disable diagnostic disabling of untrusted ports due to DAI.

Why Is Traffic Snooping and Inspection Necessary?

DHCP Snooping, IPSG, and DAI are security features that can help protect the switch and the network against various types of accidental or malicious attacks.
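The binding lifecycle described under "How Is the DHCP Snooping Bindings Database Populated?" and the IPSG and DAI lookups that depend on it can be modelled in a short Python sketch. This is an added illustration, not Dell EMC code: the class and method names, ports, and addresses are constructed, the transitions are a simplified reading of Figure 27-1, and the rule that a RELEASE or DECLINE is honoured only on the port that owns the binding is an assumption.

```python
"""Toy model of a DHCP snooping bindings table with IPSG and DAI checks.

Added illustration, not switch firmware. Port names, MACs and IPs are
constructed sample values.
"""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NACK"}


@dataclass
class Binding:
    mac: str
    vlan: int
    port: str
    ip: str = ""              # learned from the server's ACK
    state: str = "tentative"  # becomes "complete" on ACK


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}    # (client MAC, VLAN) -> Binding

    def dhcp(self, port, vlan, msg, chaddr, src_mac=None, yiaddr=""):
        """Process one DHCP message and return 'forward' or 'drop'."""
        key = (chaddr, vlan)
        entry = self.bindings.get(key)
        if msg in SERVER_MSGS:
            if port not in self.trusted:
                return "drop"             # server reply from an untrusted port
            if msg == "ACK" and entry:
                entry.ip, entry.state = yiaddr, "complete"
            elif msg == "NACK":
                self.bindings.pop(key, None)
            return "forward"
        if port in self.trusted:
            return "forward"              # bindings cover untrusted ports only
        if src_mac is not None and src_mac != chaddr:
            return "drop"                 # source MAC != client hardware address
        if msg in ("DISCOVER", "REQUEST"):
            if entry is None:
                self.bindings[key] = Binding(chaddr, vlan, port)
            return "forward"
        # DECLINE or RELEASE. Assumption: only the port that owns the binding
        # may tear it down.
        if entry and entry.port != port:
            return "drop"
        self.bindings.pop(key, None)
        return "forward"

    def _complete(self, mac, vlan):
        entry = self.bindings.get((mac, vlan))
        return entry if entry and entry.state == "complete" else None

    def ipsg_permits(self, port, vlan, src_ip, src_mac):
        """IPSG with {source IP, source MAC} filtering on an untrusted port."""
        entry = self._complete(src_mac, vlan)
        return bool(entry and entry.port == port and entry.ip == src_ip)

    def dai_permits(self, port, vlan, sender_ip, sender_mac):
        """DAI: ARP on an untrusted port must match a complete binding."""
        if port in self.trusted:
            return True
        entry = self._complete(sender_mac, vlan)
        return bool(entry and entry.ip == sender_ip)


def demo():
    """Replay a constructed exchange on VLAN 100 and collect the verdicts."""
    sw = SnoopingSwitch(trusted_ports={"Po1"})
    host, other = "00:00:5e:00:53:0a", "00:00:5e:00:53:66"
    out = {}
    sw.dhcp("Gi1/0/1", 100, "DISCOVER", host, src_mac=host)
    out["state_after_discover"] = sw.bindings[(host, 100)].state
    # A DHCP reply arriving on a user-facing port is discarded.
    out["reply_on_untrusted"] = sw.dhcp("Gi1/0/7", 100, "OFFER", host,
                                        yiaddr="192.0.2.99")
    sw.dhcp("Po1", 100, "OFFER", host, yiaddr="192.0.2.10")
    sw.dhcp("Gi1/0/1", 100, "REQUEST", host, src_mac=host)
    out["arp_before_ack"] = sw.dai_permits("Gi1/0/1", 100, "192.0.2.10", host)
    sw.dhcp("Po1", 100, "ACK", host, yiaddr="192.0.2.10")
    out["state_after_ack"] = sw.bindings[(host, 100)].state
    out["arp_from_host"] = sw.dai_permits("Gi1/0/1", 100, "192.0.2.10", host)
    # ARP that maps the host's IP to a different MAC has no matching binding.
    out["arp_wrong_mac"] = sw.dai_permits("Gi1/0/7", 100, "192.0.2.10", other)
    out["ipsg_wrong_port"] = sw.ipsg_permits("Gi1/0/7", 100, "192.0.2.10", host)
    out["chaddr_mismatch"] = sw.dhcp("Gi1/0/7", 100, "DISCOVER", host,
                                     src_mac=other)
    out["release_other_port"] = sw.dhcp("Gi1/0/7", 100, "RELEASE", host,
                                        src_mac=host)
    sw.dhcp("Gi1/0/1", 100, "RELEASE", host, src_mac=host)
    out["arp_after_release"] = sw.dai_permits("Gi1/0/1", 100, "192.0.2.10", host)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the model, as on the switch, a host that never completes a DHCP exchange on an untrusted port has no binding, so its ARP and IP traffic is rejected unless a static binding or ARP ACL rule is configured for it.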
Table 27-1.
Configuring Traffic Snooping and Inspection (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DHCP snooping, IPSG, and DAI features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
DHCP Snooping Interface Configuration

Use the DHCP Snooping Interface Configuration page to configure the DHCP Snooping settings on individual ports and LAGs. To access the DHCP Snooping Interface Configuration page, click Switching → DHCP Snooping → Interface Configuration in the navigation panel.

Figure 27-3.
To view a summary of the DHCP snooping configuration for all interfaces, click Show All. Figure 27-4.
DHCP Snooping VLAN Configuration

Use the DHCP Snooping VLAN Configuration page to control the DHCP snooping mode on each VLAN. To access the DHCP Snooping VLAN Configuration page, click Switching → DHCP Snooping → VLAN Configuration in the navigation panel.

Figure 27-5. DHCP Snooping VLAN Configuration

To view a summary of the DHCP snooping status for all VLANs, click Show All.

Figure 27-6.
DHCP Snooping Persistent Configuration Use the DHCP Snooping Persistent Configuration page to configure the persistent location of the DHCP snooping database. The bindings database can be stored locally on the switch or on a remote system somewhere else in the network. The switch must be able to reach the IP address of the remote system to send bindings to a remote database.
DHCP Snooping Static Bindings Configuration

Use the DHCP Snooping Static Bindings Configuration page to add static DHCP bindings to the binding database. To access the DHCP Snooping Static Bindings Configuration page, click Switching → DHCP Snooping → Static Bindings Configuration in the navigation panel.

Figure 27-8. DHCP Snooping Static Bindings Configuration

To view a summary of the DHCP snooping status for all VLANs, click Show All.

Figure 27-9.
DHCP Snooping Dynamic Bindings Summary The DHCP Snooping Dynamic Bindings Summary lists all the DHCP snooping dynamic binding entries learned on the switch ports. To access the DHCP Snooping Dynamic Bindings Summary page, click Switching DHCP Snooping Dynamic Bindings Summary in the navigation panel. Figure 27-10.
DHCP Snooping Statistics The DHCP Snooping Statistics page displays DHCP snooping interface statistics. To access the DHCP Snooping Statistics page, click Switching DHCP Snooping Statistics in the navigation panel. Figure 27-11.
IPSG Interface Configuration Use the IPSG Interface Configuration page to configure IPSG on an interface. To access the IPSG Interface Configuration page, click Switching IP Source Guard IPSG Interface Configuration in the navigation panel. Figure 27-12. IPSG Interface Configuration IPSG Binding Configuration Use the IPSG Binding Configuration page displays DHCP snooping interface statistics.
IPSG Binding Summary The IPSG Binding Summary page displays the IPSG Static binding list and IPSG dynamic binding list (the static bindings configured in Binding configuration page). To access the IPSG Binding Summary page, click Switching IP Source Guard IPSG Binding Summary in the navigation panel. Figure 27-14.
DAI Global Configuration

Use the DAI Configuration page to configure global DAI settings. To display the DAI Configuration page, click Switching → Dynamic ARP Inspection → Global Configuration in the navigation panel.

Figure 27-15.
DAI Interface Configuration

Use the DAI Interface Configuration page to select the DAI Interface for which information is to be displayed or configured. To display the DAI Interface Configuration page, click Switching → Dynamic ARP Inspection → Interface Configuration in the navigation panel.

Figure 27-16. Dynamic ARP Inspection Interface Configuration

To view a summary of the DAI status for all interfaces, click Show All.
Figure 27-17.
DAI VLAN Configuration

Use the DAI VLAN Configuration page to select the VLANs for which information is to be displayed or configured. To display the DAI VLAN Configuration page, click Switching → Dynamic ARP Inspection → VLAN Configuration in the navigation panel.

Figure 27-18. Dynamic ARP Inspection VLAN Configuration

To view a summary of the DAI status for all VLANs, click Show All.

Figure 27-19.
DAI ACL Configuration

Use the DAI ACL Configuration page to add or remove ARP ACLs. To display the DAI ACL Configuration page, click Switching → Dynamic ARP Inspection → ACL Configuration in the navigation panel.

Figure 27-20. Dynamic ARP Inspection ACL Configuration

To view a summary of the ARP ACLs that have been created, click Show All.

Figure 27-21. Dynamic ARP Inspection ACL Summary

To remove an ARP ACL, select the Remove checkbox associated with the ACL and click Apply.
Figure 27-22. Dynamic ARP Inspection Rule Configuration To view a summary of the ARP ACL rules that have been created, click Show All. Figure 27-23. Dynamic ARP Inspection ACL Rule Summary To remove an ARP ACL rule, select the Remove checkbox associated with the rule and click Apply. DAI Statistics Use the DAI Statistics page to display the statistics per VLAN. To display the DAI Statistics page, click Switching Dynamic ARP Inspection Statistics in the navigation panel.
Figure 27-24.
Configuring Traffic Snooping and Inspection (CLI) This section provides information about the commands used for configuring DHCP snooping, IPSG, and DAI settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring DHCP Snooping Use the following commands to configure and view DHCP snooping settings.
Command Purpose

ip dhcp snooping database write-delay seconds
  Configure the interval, in seconds, at which the DHCP Snooping database will be stored in persistent storage. The number of seconds can range from 15–86400.

interface interface
  Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. For a LAG, the interface type is port-channel.
Command Purpose

clear ip dhcp snooping bindings
  Clear the DHCP snooping bindings for an interface.

Configuring IP Source Guard

Use the following commands to configure IPSG settings on the switch.

Command Purpose

configure
  Enter global configuration mode.

interface interface
  Enter interface configuration mode for the specified port or LAG. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. For a LAG, the interface type is port-channel.
Command Purpose show ip verify interface interface View IPSG parameters for a specific port or LAG. The interface parameter includes the interface type (gigabitethernet, tengigabitethernet, or port-channel) and number. show ip verify source [interface interface] View IPSG bindings configured on the switch or on a specific port or LAG. show ip source binding View IPSG bindings. Configuring Dynamic ARP Inspection Use the following commands to configure DAI settings on the switch.
Command Purpose

remark string
  Configure a remark for the ACL.

permit ip host sender-ip mac host sender-mac
  Configure a rule for a valid IP address and MAC address combination used in ARP packet validation.
  • sender-ip — Valid IP address used by a host.
  • sender-mac — Valid MAC address in combination with the above sender-ip used by a host.

exit
  Exit to Global Config mode.
Command Purpose

show ip arp inspection vlan [vlan-list]
  View the Dynamic ARP Inspection configuration on the specified VLAN(s). This command also displays the global configuration values for source MAC validation, destination MAC validation and invalid IP validation.

show ip arp inspection statistics [vlan vlan-list]
  View the statistics of the ARP packets processed by Dynamic ARP Inspection for the switch or for the specified VLAN(s).
Traffic Snooping and Inspection Configuration Examples

This section contains the following examples:
• Configuring DHCP Snooping
• Configuring IPSG

Configuring DHCP Snooping

In this example, DHCP snooping is enabled on VLAN 100. Ports 1-20 connect end users to the network and are members of VLAN 100. These ports are configured to limit the maximum number of DHCP packets with a rate limit of 100 packets per second.
To configure the switch:
1 Enable DHCP snooping on VLAN 100.
console#config
console(config)#ip dhcp snooping vlan 100
2 Configure LAG 1, which includes ports 21-24, as a trusted port. All other interfaces are untrusted by default.
Configuring IPSG

This example builds on the previous example and uses the same topology shown in Figure 27-25. In this configuration example, IP source guard is enabled on ports 1-20. DHCP snooping must also be enabled on these ports. Additionally, because the ports use IP source guard with source IP and MAC address filtering, port security must be enabled on the ports as well.

To configure the switch:
1 Enter interface configuration mode for the host ports and enable IPSG.
28 Link Aggregation

Dell EMC Networking N-Series Switches

This chapter describes how to create and configure link aggregation groups (LAGs), which are also known as port-channels. The topics covered in this chapter include:
• Link Aggregation
• Multi-Switch LAG (MLAG)
• Configuring Link Aggregation (Web)
• Configuring Link Aggregation (CLI)

Link Aggregation Overview

Link Aggregation allows one or more full-duplex Ethernet links of the same speed to be aggregated together to form a LAG.
Figure 28-1 shows an example of a switch in the wiring closet connected to a switch in the data center by a LAG that consists of four physical 10 Gbps links. The LAG provides full-duplex bandwidth of 40 Gbps between the two switches. Figure 28-1. LAG Configuration LAGs can be configured on stand-alone or stacked switches. In a stack of switches, the LAG can consist of ports on a single unit or across multiple stack members.
and thus cause undesirable network behavior. Both static and dynamic LAGs (via LACP) can detect physical link failures within the LAG and continue forwarding traffic through the other connected links within that same LAG. LACP can also detect switch or port failures that do not result in loss of link. This provides a more resilient LAG. Best practices suggest using dynamic link aggregation instead of static link aggregation.
• Excellent load balancing performance.

How Do LAGs Interact with Other Features?

From a system perspective, a LAG is treated just as a physical port, with the same configuration parameters for administrative enable/disable, spanning tree port priority, and path cost as any other physical port.

VLAN

When members are added to a LAG, they are removed from all existing VLAN membership.
• Each member of the LAG must be running at the same speed and must be in full duplex mode.
• The port cannot be a mirrored port.

The following are the interface restrictions:
• The configured speed of a LAG member cannot be changed.
• An interface can be a member of only one LAG.

Default Link Aggregation Values

The LAGs on the switch are created by default, but no ports are members. Table 28-1 summarizes the default values for the MAC address table. The default for the is 5

Table 28-1.
Configuring Link Aggregation (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring LAGs on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. LAG Configuration Use the LAG Configuration page to set the name and administrative status (up/down) of a LAG.
To view or edit settings for multiple LAGs, click Show All. LACP Parameters Dynamic link aggregation is initiated and maintained by the periodic exchanges of LACP PDUs. Use the LACP Parameters page to configure LACP LAGs. To display the LACP Parameters page, click Switching Link Aggregation LACP Parameters in the navigation panel.
Figure 28-3. LACP Parameters Configuring LACP Parameters for Multiple Ports To configure LACP settings: 1 Open the LACP Parameters page. 2 Click Show All. The LACP Parameters Table page displays.
Figure 28-4. LACP Parameters Table 3 Select the Edit check box associated with each port to configure. 4 Specify the LACP port priority and LACP timeout for each port. 5 Click Apply. LAG Membership Your switch supports 48 LAGs per system, and eight ports per LAG. Use the LAG Membership page to assign ports to static and dynamic LAGs. To display the LAG Membership page, click Switching Link Aggregation LAG Membership in the navigation panel.
Figure 28-5. LAG Membership Adding a Port to a Static LAG To add a static LAG member: 1 Open the LAG Membership page. 2 Click in the LAG row on the desired port and enter the number of the LAG to which the port should be added. For example, the following figure shows ports Gi1-Gi4 being added to LAG 1, and ports Gi5-Gi8 being added to LAG 2. 3 Click Apply. The port is assigned to the selected LAG, and the device is updated.
LAG Hash Configuration
Use the LAG Hash Configuration page to set the traffic distribution mode on the LAG. The hash type can be set for each LAG. To display the LAG Hash Configuration page, click Switching → Link Aggregation → LAG Hash Configuration in the navigation panel.
Figure 28-6. LAG Hash Configuration
LAG Hash Summary
The LAG Hash Summary page lists the channels on the system and their assigned hash algorithm type.
Configuring Link Aggregation (CLI) This section provides information about the commands used for configuring link aggregation settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring LAG Characteristics Use the following commands to configure a few of the available LAG characteristics.
Configuring Link Aggregation Groups Use the following commands to add ports as LAG members and to configure the LAG hashing mode. Command Purpose configure Enter global configuration mode. interface interface Enter interface configuration mode for the specified port. The interface variable includes the interface type and number, for example interface tengigabitethernet 1/0/3. A range of ports can be specified using the interface range command.
Command Purpose hashing-mode mode Set the hashing algorithm on the LAG. The mode value is a number from 1 to 7.
Command Purpose interface gi1/0/1 Enter physical interface configuration mode for a member of the desired LAG. A range of physical interfaces can be specified using the interface range command. For example, interface range gi1-3,10 configures Gigabit Ethernet interfaces 1, 2, 3, and 10. lacp port-priority value Set the Link Aggregation Control Protocol priority for the port or range of ports. The priority value range is 1–65535.
Link Aggregation Configuration Examples
This section contains the following examples:
• Configuring Dynamic LAGs
• Configuring Static LAGs
NOTE: The examples in this section show the configuration of only one switch. Because LAGs involve physical links between two switches, the LAG settings and member ports must be configured on both switches.
Configuring Dynamic LAGs
The commands in this example show how to configure a dynamic LAG on a switch.
3 View information about LAG 1.
3 View information about LAG 2.
Multi-Switch LAG (MLAG) NOTE: This feature is not available on the Dell EMC Networking N1100-ON or N1500 Series switches. Overview In a typical layer-2 network, the Spanning Tree Protocol (STP) is deployed to avoid packet storms due to loops in the network. To perform this function, STP sets ports into either a forwarding state or a blocking state. Ports in the blocking state do not carry traffic. In the case of a topology change, STP reconverges to a new loop-free network and updates the port states.
Deployment Scenarios MLAG is intended to support higher bandwidth utilization in scenarios where a redundant layer-2 network is desired. In such scenarios the effects of STP on link utilization are profound. Large percentages of links do not carry data because they are blocked and only a single path through the network carries traffic. Figure 28-8. STP Blocking MLAG reduces some of the bandwidth shortcomings of STP in a layer-2 network.
Figure 28-9.
Definitions Refer to Figure 28-10 for the definitions that follow. Figure 28-10. MLAG Components MLAG switches: MLAG aware switches running Dell EMC Networking Series switch firmware. No more than two MLAG aware switches can pair to form one end of the LAG. Stacked switches do not support MLAGs. In the above figure, SW1 and SW2 are MLAG peer switches. These two switches form a single logical end point for the MLAG from the perspective of switch A.
switches. Port-channel limitations and capabilities like min-links and maximum number of ports supported per LAG also apply to MLAG interfaces. MLAG member ports: Ports on the peer MLAG switches that are part of the MLAG interface (P1 on SW1 and S1 on SW2). Non-redundant ports: Ports on either of the peer switches that are not part of the MLAG (ports P4 and S4). MLAG interfaces and non-redundant ports cannot be members of the same VLAN, i.e.
– LACP parameters
• Actor parameters
• Admin key
• Collector max-delay
• Partner parameters
2 STP
The default STP mode for Dell EMC Networking N-Series switches is RSTP. VLANs cannot be configured to contain both MLAG ports and non-MLAG (non-redundant) ports. RSTP, MSTP, and STP-PV/RSTP-PV are supported with MLAG. The following STP configuration parameters must be identical on both MLAG peers.
– MTU – Bandwidth – VLAN configuration The administrator should also ensure that the following are identical before enabling MLAG: – FDB entry aging timers – Static MAC entries. – ACL configuration 4 Interface Configuration – PFC configuration – CoS queue assignments 5 VLAN configuration in an L2 topology – MLAG VLANs must span the MLAG topology and be configured on both MLAG peers. This means that every MLAG VLAN must connect to two partner LAGs.
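Because MLAG does not synchronize configuration between the peers, the two running-configs can be compared for drift before MLAG is enabled. The following Python check is an added example, not Dell EMC code: the configuration text is constructed, it uses only commands that appear in this chapter's examples, and the function and key names are hypothetical.

```python
import re

# Constructed running-config for MLAG peer A, using only commands shown in this chapter.
PEER_A = """\
feature vpc
vpc domain 1
peer-keepalive enable
peer-keepalive destination 192.168.0.2 source 192.168.0.1
system-mac 00a0.b1c2.d3e4
exit
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan 1-99,101-4093
vpc peer-link
exit
interface port-channel 2
switchport mode trunk
switchport trunk allowed vlan 10-17
vpc 1
exit
interface port-channel 3
switchport mode trunk
switchport trunk allowed vlan 10-17
vpc 2
exit
"""
# Consistent peer B: keep-alive addresses mirrored, one VLAN list written differently.
PEER_B_OK = (PEER_A
    .replace("destination 192.168.0.2 source 192.168.0.1",
             "destination 192.168.0.1 source 192.168.0.2")
    .replace("allowed vlan 10-17\nvpc 2", "allowed vlan 10,11,12-17\nvpc 2"))
# Drifted peer B: wrong keep-alive source, VLAN 17 missing on vpc 1, vpc 2 unassigned.
PEER_B_DRIFT = (PEER_B_OK
    .replace("source 192.168.0.2", "source 192.168.0.3")
    .replace("allowed vlan 10-17\nvpc 1", "allowed vlan 10-16\nvpc 1")
    .replace("vpc 2\n", ""))

# Settings extracted from the vpc domain and port-channel contexts (hypothetical key names).
PATTERNS = {
    "system-mac": r"system-mac (\S+)",
    "keepalive": r"peer-keepalive destination (\S+) source (\S+)",
    "mode": r"switchport mode (\S+)",
    "vlans": r"switchport trunk allowed vlan (\S+)",
    "vpc": r"vpc (\d+)",  # 'vpc peer-link' does not match, so the peer-link is skipped
}

def expand_vlans(spec):
    """Expand '1-3,10' into {1, 2, 3, 10} so equivalent lists compare equal."""
    vlans = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse(config):
    """Return the vpc domain settings and the port-channels that carry a vpc id."""
    domain, port_channels, ctx = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if re.fullmatch(r"vpc domain \d+", line):
            ctx = domain
        elif re.fullmatch(r"interface port-channel \d+", line):
            ctx = {}
            port_channels.append(ctx)
        elif line == "exit" or line.startswith("interface "):
            ctx = None
        elif ctx is not None:
            for key, pattern in PATTERNS.items():
                m = re.fullmatch(pattern, line)
                if m:
                    ctx[key] = tuple(g.lower() for g in m.groups())
    vpcs = {int(po["vpc"][0]): {"mode": po.get("mode"),
                                "vlans": expand_vlans(po.get("vlans", ("",))[0])}
            for po in port_channels if "vpc" in po}
    return {"domain": domain, "vpcs": vpcs}

def compare_peers(cfg_a, cfg_b):
    """List the settings that must match (or mirror) on both MLAG peers but do not."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    if a["domain"].get("system-mac") != b["domain"].get("system-mac"):
        findings.append("system-mac differs between peers")
    ka, kb = a["domain"].get("keepalive"), b["domain"].get("keepalive")
    if ka and kb and ka != kb[::-1]:
        findings.append("peer-keepalive destination/source are not mirrored")
    for vpc_id in sorted(set(a["vpcs"]) | set(b["vpcs"])):
        pa, pb = a["vpcs"].get(vpc_id), b["vpcs"].get(vpc_id)
        if pa is None or pb is None:
            findings.append(f"vpc {vpc_id} is configured on only one peer")
            continue
        if pa["mode"] != pb["mode"]:
            findings.append(f"vpc {vpc_id} switchport mode differs")
        if pa["vlans"] != pb["vlans"]:
            findings.append(f"vpc {vpc_id} VLANs differ: {sorted(pa['vlans'] ^ pb['vlans'])}")
    return findings

if __name__ == "__main__":
    for finding in compare_peers(PEER_A, PEER_B_DRIFT):
        print(finding)
```

The check covers only the system MAC, the keep-alive addresses, and the per-VPC port-channel mode and VLAN list; the other items in the list above (STP parameters, MTU, ACLs, and so on) would need their own patterns.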
Operation in the Network Below is a sample MLAG topology and discussion: Figure 28-11. Example MLAG Topology In Figure 28-11: 1 VLAN 10 spans the MLAG network. 2 P and S are MLAG-aware peer devices. P stands for primary and S stands for secondary. The roles are elected after the DUTs exchange keep-alive messages. The two devices are connected with a peer-link {P3/P4–S3/S4}. Ports P1, S1 are members of MLAG1 and ports P2, S2 are members of MLAG2. 3 A port-channel must be configured as the peer-link.
Supported topologies and the way traffic is handled in these topologies are explained in the following sections. The MLAG component uses the keep-alive protocol to select a primary and a secondary device. The primary switch owns the MLAG member ports on the secondary device. It handles the control plane functionality of supported protocols for the MLAG member ports on the secondary.
Peer-Link
The peer-link is crucial for MLAG operation. The peer-link must be configured on a port-channel interface.
MLAG switch and traffic must egress through selected ports on the MLAG peer. These filters block incoming traffic on all VLANs configured on the peer link, not just those configured as part of an MLAG. Therefore, there is no connectivity between non-redundant ports across the peer-link. Control Plane Election in MLAG Switches The MLAG component uses the keep-alive protocol running on the peer link to select a primary and a secondary switch. The keep-alive protocol is mandatory.
DCPDP and Peer Link Failures DCPDP is intended to provide a secondary layer of protection against peer link failures. If the peer-link goes down while the DCPDP protocol is enabled and remains up, the MLAG links on the MLAG secondary peer are disabled. The primary switch continues to forward traffic and, if LACP is enabled, send LACPDUs using the system MAC of the MLAG. Spanning tree reconvergence on the partner devices is avoided.
configured in a unique MST instance not shared with the MLAG domain. If the VLAN assigned to the redundant link is also configured on the peer link, traffic on that VLAN is blocked by MLAG. For the redundant link to be the forwarding link for the redundant MST instance, its link cost must be reduced so that it becomes the root port.
console(config-vpc 1)#role 10
console(config-vpc 1)#exit
Modifications to priority and timeout interval are effective only before the keep-alive protocol is enabled. Once enabled, MLAG switches contest in an election to select the primary and secondary switch. The election is non-preemptive. If configured, the system virtual MAC address MUST be the same on both of the MLAG peers.
3 Configure the peer-link. On each MLAG peer:
• Configure a port-channel as the peer-link for the MLAG devices.
4 Configure DCPDP (optional): a Configure a VLAN routing interface and assign a local IP address (different from the peer address). b Configure the peer-switch IP address (the destination IP address) c If needed, configure the UDP port number to send and receive the protocol messages. d Configure the source IP address e Enable the protocol. The protocol starts running if MLAG is globally enabled.
to the primary switch for handling. FDB entries learned on MLAG interfaces are synced between the two devices.
2 On the MLAG secondary switch, shut down the MLAG peer-link.
3 Reload the secondary switch.
4 Re-enable the peer-link, if disabled, and ensure that it is up. Re-enable the MLAG-associated physical ports.
5 Wait until traffic is re-established on the standby switch.
Repeat the upgrade procedure on the MLAG primary peer:
1 On the MLAG primary switch, shut down the MLAG enabled physical links.
2 On the MLAG primary switch, shut down the MLAG peer-link.
3 Reload the primary switch.
assigned, but MLAG VLANs cannot be used to route across MLAG or non-redundant VLANs, as the MLAG feature does not correlate failures in one VLAN with another VLAN to unblock packets crossing the MLAG peer-link.
Recommended Layer-3 Connectivity
The topology shown in Figure 28-12 uses the MLAG switches as layer-2 switches. All VLANs traverse the MLAG topology from the top switches/routers to the bottom switches/routers. The LAGs for each VLAN host are in a separate VPC.
Alternative Recommended Layer-3 Connectivity The loop-free topology shown in Figure 28-13 uses the MLAG switches as layer-2 switches in an EOR role. The single VLAN traverses the MLAG topology from the top router to the bottom storage and servers. Multiple VLANs in different VPCs may be used to isolate clusters of storage/servers from each other.
Layer-3 VLAN Termination on MLAG Not Supported
In the “two-armed” fully routed scenario shown in Figure 28-14, both the routed network and the switched network are in the MLAG. Switched traffic to and from the upstream network is automatically unblocked over the peer-link when an MLAG link fails.
In the scenario shown in Figure 28-15 (similar to the previous scenario), the downstream router is not configured with port-channel and uses ECMP or some other load sharing scheme to send packets to routed MLAG peers. MLAG cannot react appropriately to a link failure on the upstream router because the VLANs are routed across the MLAG peers. MLAG cannot logically connect the failure on VLAN 30 with non-redundant VLAN 20. Consequently, MLAG does not unblock VLAN 20 from traversing the peer link.
required to handle the case where a link from the router to one of the MLAG peers fails. Static routes must be added to the primary and secondary MLAG peers to route traffic addressed to the connected router across the backup routed link in the case of a failure of an MLAG link to the router.
Virtual Router Redundancy Protocol If VRRP is enabled on a VLAN that has an MLAG port as its member, both VRRP routers become VRRP masters operationally in the VLAN. This is to allow load balancing of the northbound layer-3 traffic on the MLAG. Since the peer-link is a member of the same routing VLANs as all MLAGs, both the primary and secondary MLAG routers see VRRP advertisements sent by the other router.
transmitted with the source MAC address as the physical MAC address and not the virtual MAC address. In the example in Figure 28-17, if the virtual MAC address is used as the source MAC address in the ARP from P to A, then S will consume the packet, as it is operationally a VRRP master too. The packet is forwarded to P if the physical MAC address is used. Note that the VLANs connecting A and B to the MLAG peers are extended to R1. P and S do not actually route packets.
Routing is not supported across multiple MLAGs (i.e., in two-tier topology). This is a fundamental limitation of MLAG, which is intended as a replacement for other, less efficient layer-2 topologies. Should a multi-tier layer-3 topology be desired, other well established and well understood techniques, such as ECMP and redundant router pairs, will allow a layer-3 routed network to utilize bandwidth efficiently. Layer-3 routing is capable of routing packets around failed links and failed routers.
• On a failover from the primary MLAG peer to the secondary MLAG peer, the ports are made members of the secondary MLAG peer switch's spanning tree and spanning tree reconvergence may occur. The forwarding database and ARP cache are flushed and relearned.
• MLAG (VPC) status only shows correctly on the primary MLAG peer and does not show correctly on the secondary MLAG peer. Status is not forwarded from the primary MLAG peer to the secondary MLAG peer.
work properly; e.g., port mirroring for an MLAG link must be configured on both MLAG peer switches to capture the conversation from the MLAG partner switch. • A Yes entry indicates that the feature may be configured on an MLAG VLAN and will synchronize state across the MLAG peers. The configuration for features marked Yes must be identical on both switches. MLAG does not synchronize configuration with the MLAG peer.
Table 28-2. MLAG State Synchronization Per Feature (Continued)
Components                 MLAG State Synchronization Support
DOT1S                      Yes
Loop Guard                 No
FDB                        Yes
MACLOCK                    No
DVLAN                      No
DOT1AB                     No
IP Subnet-based VLANs      N/A
MACVLAN                    N/A
Protected Port             No
DHCP Snooping              No
IP Source Guard            No
Dynamic ARP Inspection     No
Auto-Negotiation           N/A
L2-Relay                   No
MRP                        No
MMRP                       No
MVRP                       No
DOT1AS                     No
802.
Table 28-2.
Basic Configuration Example
This example shows the configuration of the two MLAG peers and a single MLAG partner in the simplest possible configuration. No MLAG peer priorities are configured, nor is UDLD enabled on the peer-link. DCPDP is not enabled. The default spanning tree configuration is used and spanning-tree is disabled on the peer link. A system MAC address is assigned to both MLAG peers. The system virtual MAC address is used in the spanning-tree BPDUs and LACPDUs.
MLAG-Peer-A(config-if-Po2)#vpc 1
MLAG-Peer-A(config-if-Po2)#exit
MLAG-Peer-A(config)#snmp-server engineid local 800002a203001ec9dec52b
MLAG-Peer-A(config)#snmp-server agent boot count 2
MLAG-Peer-A(config)#feature vpc
MLAG-Peer-A(config)#vpc domain 3
MLAG-Peer-A(config-vpc 3)#system-mac 0011.2233.
MLAG Peer B Current Configuration: • System Description “Dell EMC Networking N3024F, 6.0.0.0, Linux 3.6.5858bcf6e” • System Software Version 6.0.0.
MLAG-Peer-B(config)#exit MLAG Partner Current Configuration: • System Description “Dell EMC Networking N2048, 6.0.0.0, Linux 3.6.5858bcf6e” • System Software Version 6.0.0.
Status Reporting
The status outputs of the various VPC commands are self-explanatory. Both the configured and operational status are shown in the outputs. Additional commands are shown below that may be useful in troubleshooting MLAG configuration or operational issues. All of the commands below are run on the MLAG primary switch except as noted otherwise.
MLAG-Peer-A(config)#show vpc brief
VPC admin status...............................
Keep-alive admin status........................
LAG-SW(config)#show vpc role
Self
----
Keep-alive admin status........................ Disabled
Keep-alive operational status.................. Disabled
Priority....................................... 100
System MAC address............................. 001E.C9DE.B777
Time-out....................................... 5
VPC admin status............................... Disabled
VPC role....................................... None
Peer
----
Priority....................................... 0
VPC role..................
MLAG-Peer-A(config)#show interfaces status po2 Port Description Channel ------- -----------------------------Po2 Operational State.............................. Up Admin Mode..................................... Enabled Port Channel Flap Count........................
MLAG-Peer-B#show vpc statistics peer-link
Peer link control messages transmitted.........
Peer link control messages Tx errors...........
Peer link control messages Tx timeout..........
Peer link control messages ACK transmitted.....
Peer link control messages ACK Tx errors.......
Peer link control messages received............
Peer link data messages transmitted............
A Complete MLAG Example The following example configures eight VLANs (10–17) across two VPCs. VPC 1 is connected to a Dell EMC Networking N2048 over two links (gi1/0/23-24) over port-channel 2 on each MLAG peer. Interfaces Te1/0/1-2 on each MLAG peer connect to each other on port-channel 1 utilizing LACP. UDLD is enabled on the two MLAG peer-links and the timers are configured to the minimum values. DCPDP is enabled on VLAN 100 (interface gi1/0/8 on each MLAG peer).
MLAG-Peer-A(config-if-vlan100)#ip address 192.168.0.1 255.255.255.
MLAG-Peer-A(config-if-Te1/0/2)#exit
MLAG-Peer-A(config)#interface port-channel 1
MLAG-Peer-A(config-if-Po1)#description "MLAG-Peer-Link"
MLAG-Peer-A(config-if-Po1)#switchport mode trunk
MLAG-Peer-A(config-if-Po1)#switchport trunk allowed vlan 1-99,101-4093
MLAG-Peer-A(config-if-Po1)#vpc peer-link
MLAG-Peer-A(config-if-Po1)#spanning-tree mst 2 cost 50000
MLAG-Peer-A(config-if-Po1)#exit
MLAG-Peer-A(config)#interface port-channel 2
MLAG-Peer-A(config-if-Po2)#switchport mode trunk
MLAG-Peer-A(config-if-Po2)#swit
MLAG Peer B Configuration Current Configuration: • System Description “Dell EMC Networking N3024F, 6.0.0.0, Linux 3.6.5858bcf6e” • System Software Version 6.0.0.
MLAG-Peer-B(config-if-Gi1/0/23)#description "MLAG-Partner-Link"
MLAG-Peer-B(config-if-Gi1/0/23)#exit
MLAG-Peer-B(config)#interface Gi1/0/24
MLAG-Peer-B(config-if-Gi1/0/24)#channel-group 2 mode active
MLAG-Peer-B(config-if-Gi1/0/24)#description "MLAG-Partner-Link"
MLAG-Peer-B(config-if-Gi1/0/24)#exit
MLAG-Peer-B(config)#interface Te1/0/1
MLAG-Peer-B(config-if-Te1/0/1)#channel-group 1 mode active
MLAG-Peer-B(config-if-Te1/0/1)#description "MLAG-Peer-Link"
MLAG-Peer-B(config-if-Te1/0/1)#udld enable
MLAG-Peer-B
MLAG-Peer-B(config)#snmp-server engineid local 800002a203001ec9dec513
MLAG-Peer-B(config)#snmp-server agent boot count 3
MLAG-Peer-B(config)#feature vpc
MLAG-Peer-B(config)#vpc domain 1
MLAG-Peer-B(config-vpc 1)#peer-keepalive enable
MLAG-Peer-B(config-vpc 1)#peer-keepalive destination 192.168.0.1 source 192.168.0.
LAG-SW(config-if-Gi1/0/3)#channel-group 1 mode active
LAG-SW(config-if-Gi1/0/3)#exit
LAG-SW(config)#interface Gi1/0/4
LAG-SW(config-if-Gi1/0/4)#channel-group 1 mode active
LAG-SW(config-if-Gi1/0/4)#exit
LAG-SW(config)#interface port-channel 1
LAG-SW(config-if-Po1)#switchport mode trunk
LAG-SW(config-if-Po1)#exit
LAG-SW(config)#snmp-server engineid local 800002a203001ec9deb777
LAG-SW(config)#snmp-server agent boot count 3
LAG-SW(config)#exit
Cisco 3750 MLAG Partner Configuration
Current configuration: 1913
vlan internal allocation policy ascending
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
interface GigabitEthernet1/0/8
interface GigabitEthernet1/0/9
interface GigabitEthernet1/0/10
interface GigabitEthernet1/0/11
interface GigabitEthernet1/0/12
interface Gi
ip classless
ip http server
ip http secure-server
control-plane
line con 0
line vty 5 15
end
Status Reporting The following shows the status of various components of the switches in the above configuration. The switch prompts identify the switch on which the status is shown. To obtain accurate status, the commands below are run on the primary MLAG switch unless noted otherwise. Spanning Tree Status Old-Iron-3750#show spanning-tree MST0 Spanning tree enabled protocol mstp Root ID Priority 32768 Address 0013.c4bd.
LAG-SW#show spanning-tree Spanning tree Enabled BPDU flooding Disabled Portfast BPDU filtering Disabled mode mst CST Regional Root: 80:00:00:1E:C9:DE:B7:77 Regional Root Path Cost: 0 ###### MST 0 Vlan Mapped: 1 ROOT ID Priority 32768 Address 0013.C4BD.F080 Path Cost 5000 Root Port Po1 Hello Time 2 Sec Max Age 20 sec Forward Delay 15 sec Bridge Max Hops 20 Bridge ID Priority 32768 Address 001E.C9DE.
Hello Time 2 Sec Max Age 20 sec Forward Delay 15 sec TxHoldCount 6 sec
MLAG Status
MLAG-Peer-A#show vpc brief
VPC config Mode................................ Enabled
Keepalive config mode.......................... Enabled
VPC operational Mode........................... Enabled
Self Role...................................... Primary
Peer Role...................................... Secondary
Peer detection................................. Peer detected, VPC Operational
Peer-Link details
-----------------
Interface...................................... Po1
Peer link status........
VPC id# 2
-----------
Interface...................................... Po3
Configured Vlans............................... 1,10,11,12,13,14,15,16,17
VPC Interface State............................ Active
MLAG-Peer-A#show vpc 1
VPC id# 1
-----------------
Config mode.................................... Enabled
Operational mode............................... Enabled
Port channel...................................
MLAG-Peer-A#show vpc peer-keepalive
Peer IP address................................ 192.168.0.2
Source IP address.............................. 192.168.0.1
UDP port....................................... 50000
Peer detection................................. Enabled
Peer detection operational status.............. Up
Peer is detected............................... TRUE
MLAG-Peer-A#show vpc statistics peer-keepalive
Total transmitted..............................
Tx successful................................
29 Data Center Bridging Features
Dell EMC Networking N4000 Series Switches
This chapter describes how to manage the features developed for use in data center environments but often used in a variety of 10G applications.
NOTE: The data center bridging features described in this chapter are available on the Dell EMC Networking N4000 Series switches only.
Table 29-1. Data Center Features (Continued) Feature Description DCBx Allows DCB devices to exchange configuration information, using type-length-value (TLV) information elements over LLDP, with directly connected peers. ETS Supports the ETS configuration and Application Priority TLVs, which are accepted from auto-upstream devices and propagated to auto-downstream devices. The Dell EMC Networking N4000 Series switches support the automatic configuration of the switch with received ETS parameters.
Priority Flow Control Ordinarily, when flow control is enabled on a physical link, it applies to all traffic on the link. When congestion occurs, the hardware sends pause frames that temporarily suspend traffic flow to help prevent buffer overflow and dropped frames. PFC provides a means of pausing individual priorities within a single physical link.
Operator configuration of PFC is used only when the port is configured in a manual role. When interoperating with other equipment in a manual role, the peer equipment must be configured with identical PFC priorities and VLAN assignments. Interfaces not enabled for PFC ignore received PFC frames. Ports configured in auto-upstream or auto-downstream roles receive their PFC configuration from the configuration source and ignore any manually configured information.
PFC Configuration Page
Use the PFC Configuration page to enable priority flow control on one or more interfaces and to configure which priorities are subject to being paused to prevent data loss. To display the PFC Configuration page, click Switching → PFC → PFC Configuration in the navigation menu.
Figure 29-1. PFC Configuration
PFC Statistics Page
Use the PFC Statistics page to view the PFC statistics for interfaces on the switch.
Figure 29-2. PFC Statistics Configuring PFC Using the CLI Use the following commands to configure PFC. NOTE: If DCBx is enabled and the switch is set to autoconfigure from a DCBX peer, configuring PFC is not necessary because the DCBx protocol automatically configures the PFC parameters. Command Purpose configure Enter global configuration mode.
Command Purpose interface interface Enter interface configuration mode for the specified interface. The interface variable includes the interface type and number, for example tengigabitethernet 1/0/3. A range of interfaces can be specified using the interface range command. For example, interface range tengigabitethernet 1/0/8-12 configures interfaces 8, 9, 10, 11, and 12. datacenter-bridging Enter the Data Center Bridging mode. PFC commands are issued from within this mode.
PFC Configuration Example The network in this example handles both data and voice traffic. Because the voice traffic is time sensitive, it requires a higher priority than standard data traffic. The voice traffic uses VLAN 100 and has an 802.1p priority of 5, which is mapped to hardware queue 4. IP phones are connected to ports 3, 5, and 10, so PFC is enabled on these ports with 802.1p priority 5 traffic as no-drop. The configuration also enables VLAN tagging so that the 802.1p priority is identified.
4 Enable VLAN tagging on the ports so the 802.1p priority is identified. Trunk mode can also be enabled on port-channels.
DCB Capability Exchange The Data Center Bridging Exchange Protocol (DCBx) is used by DCB devices to exchange configuration information with directly connected peers. DCBx uses type-length-value (TLV) information elements over LLDP to exchange information, so LLDP must be enabled on the port to enable the information exchange. By default, LLDP is enabled on all ports. For more information, see "Discovering Network Devices" on page 883.
Interoperability with IEEE DCBx
To be interoperable with legacy industry implementations of the DCBx protocol, the Dell EMC Networking N4000 Series switches use a hybrid model to support both the IEEE version of DCBx (IEEE 802.1Qaz) and legacy DCBx versions. The Dell EMC Networking N4000 Series switch automatically detects whether a peer is operating with either of the two CEE DCBx versions or the IEEE standard DCBx version (the default mode).
explicitly by the operator. These ports advertise their configuration to their peer if DCBx is enabled on that port. Incompatible peer configurations are logged and counted with an error counter. The default operating mode for each port is manual. A port that is set to manual mode sets the willing bit for DCBx client TLVs to false.
the willing parameter is disabled on auto-downstream. By default, auto-downstream ports have the recommendation TLV parameter enabled. Auto-downstream ports that receive internally propagated information ignore their local configuration and utilize the internally propagated information. Auto-downstream ports propagate PFC, ETS, and application priority information received from the configuration source. In the Configuration Source role, the port has been manually selected to be the configuration source.
• The port role is auto-upstream. • The port is enabled with link up and DCBx enabled. • The port has negotiated a DCBx relationship with the partner. • The switch is capable of supporting the received configuration values, either directly or by translating the values into an equivalent configuration. Whether or not the peer configuration is compatible with the configured values is NOT considered.
no lldp tlv-select dcbxp pfc
These commands eliminate only the DCBX TLVs from use by LLDP. They do not otherwise affect any manually configured DCBX capabilities or the normal operation of LLDP.
Configuring DCBx
The CLI can be used to configure DCBX on Dell EMC Networking N4000 Series switches. Use the following commands to configure DCBx.
Command Purpose
configure Enter global configuration mode.
Command Purpose
lldp tlv-select dcbxp [pfc | application-priority]    Override the global configuration for the LLDP DCBx TLVs on this interface. Entering the command with no parameters enables transmission of all TLVs.
• pfc—Transmit the PFC configuration TLV.
• application-priority—Transmit the application priority TLV.
Command Purpose
show lldp tlv-select interface {all | interface}    Display the interface TLV configuration for all interfaces or for the specified interface.
show lldp dcbx interface {all status | interface [detail]}    Display the interface TLV configuration for all interfaces or for the specified interface.
Enhanced Transmission Selection
Networks classify and prioritize traffic to provide different service characteristics to end user traffic flows.
NOTE: Minimum bandwidth guarantees and scheduling mechanisms apply only when the switch is congested. When the switch is not congested, packets egress the switch as soon as they are received. ETS provides a second level of scheduling for packets selected for transmission by the CoS scheduler. ETS operates at the traffic class group (TCG) level and supports sharing of bandwidth across TCGs, bandwidth assignment for each TCG, and queue discipline (drop behavior) for each TCG.
The minimum bandwidth setting can be used to override the strict priority and weighted settings. The highest numbered strict priority queue will receive no more bandwidth than 100 percent minus the sum of the minimum bandwidth percentages assigned to the other queues. If used, it is recommended that minimum bandwidth percentages only be set high enough to ensure a minimum level of service for any queue; i.e., the sum of the minimum bandwidth percentages is a fraction of 100%.
Commands This section provides information about the commands you use to manually configure and monitor ETS. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. On Dell EMC Networking N4000 Series switches, the following steps are not required if using the DCBX protocol to obtain ETS configuration from an auto-configuration source.
ETS Configuration Example
This example configures four classes of traffic:
• Best effort traffic: CoS Queue 0 for untagged and VLAN-tagged frames with VPTs 0, 1, and 2
• Lossless iSCSI traffic: CoS Queues 1 & 2 for VLAN tagged frames with VPTs 3 & 4 respectively
• Expedited traffic: CoS Queue 3 on VLAN tagged frames with VPTs 5, 6, and 7
1. Enable Trust Mode on an Interface
The following command enables the use of the 802.1p priority of the incoming packet.
This example maps user priorities 0, 1, and 2 to CoS queue 0 (background or best effort traffic), user priorities 3 and 4 to CoS queues 1 and 2 (iSCSI traffic), and all other priorities to CoS queue 2 (low latency and network control traffic).
The minimum bandwidth setting on the CoS queues comes into effect only when there is congestion among the CoS queues belonging to a single TCG. This is an optional setting and is not generally required, as the secondary scheduler has the capability of guaranteeing minimum bandwidth for a TCG.
4 0 Weighted Tail Drop
5 0 Weighted Tail Drop
6 0 Weighted Tail Drop

5. Map the CoS Queues to TCGs
In this step, CoS queues are mapped to Traffic Class Groups (TCGs). Since TCGs are serviced from highest numbered TCG to lowest, higher priority traffic should be assigned to higher numbered TCGs. In general, strict priority traffic (typically control plane or low bandwidth, low latency traffic) is assigned the highest numbered TCG. It is recommended that WDRR queues be assigned to TCG0.
Each WDRR TCG should be assigned a nonzero weight. Weights may be configured on a single interface, a range of interfaces, or all interfaces, and must sum to 100%. It is recommended that strict priority TCGs be assigned a weight of 0%, since they are processed first and ignore the configured TCG weight.
percentage of the total bandwidth and is used to shape egress traffic bursts to no greater than the configured value. The maximum bandwidth may be configured on a single interface, range of interfaces or all interfaces. When configured to be 0, unlimited bandwidth is allowed on the TCG. It is recommended that the maximum bandwidth be configured to be greater than the minimum bandwidth or the weight or be configured to 0 (unlimited burst size).
ETS Theory of Operation

First Level of Scheduling
To understand the first level of scheduling, consider Table 29-1. Assume that we have eight ingress ports, each one receiving line rate traffic with one 802.1p priority each. The table shows the mapping of 802.1p priorities to the cos-queues, the min-bandwidth settings, and scheduler modes.
Table 29-3. First Level of Scheduling 802.

Second Level of Scheduling
To consolidate different traffic classes within different traffic types in a typical DCB environment, ETS provides an operational model for prioritization and bandwidth allocation for traffic. Figure 29-3 illustrates a typical example that consolidates three traffic types on a single 10GE link. For consolidation to be effective all traffic types must be serviced according to their requirements.
At time t2, a burst of LAN traffic arrives at a rate of 4 Gbps. Because the offered load of SAN is only 3 Gbps, this burst is allowed to borrow the unused 0.5 Gbps of bandwidth from the SAN TCG and is transmitted. At time t3, when the offered load of IPC falls to 2 Gbps and the bursty LAN traffic is at 6 Gbps, the available bandwidth for SAN and LAN is 4 Gbps each according to the TCG weights, which are set to 50% each.
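The second-level arithmetic at t2 and t3 can be reproduced with a small model, added here as an illustration and not taken from Dell EMC switch code. It assumes IPC is a strict priority TCG and SAN and LAN are WDRR TCGs weighted 50% each on a 10 Gbps link; the IPC load of 3 Gbps at t2 and the SAN load of 4 Gbps at t3 are assumed values.

```python
"""Model of second-level ETS scheduling (added example, not switch firmware)."""

LINK_GBPS = 10


def scenario(ipc, san, lan):
    """Offered loads in Gbps. List order is TCG number, lowest first (assumed)."""
    return [
        {"name": "LAN", "offered": lan, "weight": 50, "strict": False},  # TCG0
        {"name": "SAN", "offered": san, "weight": 50, "strict": False},  # TCG1
        {"name": "IPC", "offered": ipc, "weight": 0, "strict": True},    # TCG2
    ]


def ets_allocate(link_gbps, tcgs):
    """Return {TCG name: bandwidth granted in Gbps} under congestion."""
    grant = {t["name"]: 0.0 for t in tcgs}
    remaining = float(link_gbps)

    # Strict priority TCGs are serviced first, highest numbered TCG first,
    # and ignore the configured TCG weight.
    for t in reversed(tcgs):
        if t["strict"]:
            grant[t["name"]] = min(float(t["offered"]), remaining)
            remaining -= grant[t["name"]]

    # WDRR TCGs share the rest in proportion to their weights. A TCG that
    # offers less than its share releases the surplus to the others.
    hungry = [t for t in tcgs if not t["strict"] and t["offered"] > 0]
    while hungry and remaining > 1e-9:
        total_weight = sum(t["weight"] for t in hungry)
        if total_weight == 0:
            break
        satisfied = [
            t for t in hungry
            if t["offered"] - grant[t["name"]]
            <= remaining * t["weight"] / total_weight + 1e-9
        ]
        if not satisfied:
            # Every remaining TCG wants more than its share: split by weight.
            for t in hungry:
                grant[t["name"]] += remaining * t["weight"] / total_weight
            remaining = 0.0
            break
        for t in satisfied:
            remaining -= t["offered"] - grant[t["name"]]
            grant[t["name"]] = float(t["offered"])
            hungry.remove(t)
    return grant


if __name__ == "__main__":
    print("t2:", ets_allocate(LINK_GBPS, scenario(ipc=3, san=3, lan=4)))
    print("t3:", ets_allocate(LINK_GBPS, scenario(ipc=2, san=4, lan=6)))
```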
Traffic is passed across stacking links using WDRR for all CoS queues. This will affect the observed behavior of ETS on egress ports scheduling traffic from over-subscribed stacking links.
console(config-if-Te1/0/1)#classofservice traffic-class-group 2 2
console(config-if-Te1/0/1)#traffic-class-group weight 30 70 0
console(config-if-Te1/0/1)#traffic-class-group strict 2

Dell EMC Networking N4000 Series Operation
When DCBx is enabled on manually configured ports, it is not necessary for the ETS parameters to match, regardless of the version of DCBX negotiated or configured. Configuration mismatches are logged.
processing strict priority traffic is skewed to be the bandwidth of the individual TCG divided by the sum of the weights of all WDRR configured TCGs. The administrator may configure other parameters to work in conjunction with the received DCBX configuration, e.g. min-bandwidth per CoS queue and minimum or maximum bandwidth per TCG.
30 MAC Addressing and Forwarding
Dell EMC Networking N-Series Switches

Dell EMC Networking N-Series switches implement a MAC Learning Bridge in compliance with IEEE 802.1Q. The N-Series switches implement independent VLAN learning (IVL).
Static addresses are configured by the administrator and added to the table. Dynamic addresses are learned by examining information in the Ethernet frame. When a frame arrives on a port, the switch looks at the frame header to learn the source MAC address of the frame, then adds the address, VLAN ID, and the ingress port to the MAC address table. The address table is constantly updated as new addresses are learned, and unused addresses age out.
Managing the MAC Address Table (Web)
This section provides information about the OpenManage Switch Administrator pages to use to manage the MAC address table on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

Figure 30-2. Adding Static MAC Address
3 Select the interface to associate with the static address.
4 Specify the MAC address and an associated VLAN ID.
5 Click Apply.
The new static address is added to the Static MAC Address Table, and the device is updated.

Global Address Table
The Global Address Table page contains fields for querying information in the MAC address table, including the interface type, MAC addresses, VLAN, and table sorting key. Packets forwarded to an address stored in the address table are forwarded directly to those ports. The Global Address Table also contains information about the type of MAC address, i.e. Static, Learned, or Other.

Managing the MAC Address Table (CLI)
This section provides information about the commands you use to manage the MAC address table on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Command: show mac address-table {vlan vlan | interface interface [vlan vlan-id]}
Purpose: View information about the MAC addresses that have been configured or learned on the switch, a specific VLAN, or an interface (Ethernet port or LAG/port-channel).

Command: show mac address-table count [{vlan vlan-id | interface interface}]
Purpose: View information about the number of addresses that have been configured or learned on the switch, a specific VLAN, or an interface (Ethernet port or LAG/port-channel).
31 DHCP Server Settings
Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches

This chapter describes how to configure the switch to dynamically assign network information to hosts by using the Dynamic Host Configuration Protocol (DHCP).
NOTE: The DHCP server is not available on the Dell EMC Networking N1500 Series switches.
Dell EMC Networking N-Series switches support a DHCP client for obtaining the switch address from the network, an IPv4 DHCP server for serving IPv4 addresses to DHCP clients in the network, layer-2 and layer-3 DHCP relay for relaying IPv4 address assignments from network-based DHCP servers to clients in the same or different subnets, and DHCP snooping for protecting the switch and DHCP clients from certain security risks.
What are DHCP Options?
DHCP options are collections of data with type codes that indicate how the options should be used. Options can specify information that is required for the DHCP protocol, IP stack configuration parameters for the client, information allowing the client to rendezvous with DHCP servers, and so on. When a client broadcasts a request for information, the request includes the option codes that correspond to the information the client wants the DHCP server to supply.

Default DHCP Server Values
By default, the DHCP server is disabled, and no address pools are configured. You must create at least one address pool and enable the DHCP server to allow the switch to dynamically assign network information to hosts with DHCP clients that broadcast requests. The DHCP server can lease a maximum of 256 addresses. The Dell EMC Networking DHCP server does not offer infinite leases. The maximum lease time offered is 60 days, which corresponds to an infinite setting in the UI.

Configuring the DHCP Server (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCP server on a Dell EMC Networking N-Series switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

DHCP Server Network Properties
Use the Network Properties page to define global DHCP server settings and to configure addresses that are not included in any address pools.
Adding Excluded Addresses
To exclude an address:
1 Open the Network Properties page.
2 Click Add Excluded Addresses to display the Add Excluded Addresses page.
3 In the From field, enter the first IP address to exclude from any configured address pool.
4 If the address in the From field is the only address to exclude, or if the excluded addresses are non-contiguous, leave the To field as the default value of 0.0.0.0. Otherwise, enter the last IP address to exclude from a contiguous range of IP addresses.

Deleting Excluded Addresses
To remove an excluded address:
1 Open the Network Properties page.
2 Click Delete Excluded Addresses to display the Delete Excluded Addresses page.
3 Select the check box next to the address or address range to delete.
Figure 31-4. Delete Excluded Addresses
4 Click Apply.

Address Pool
Use the Address Pool page to create the pools of IP addresses and other network information that can be assigned by the server.
Figure 31-5. Address Pool

Adding a Network Pool
To create and configure a network pool:
1 Open the Address Pool page.
2 Click Add Network Pool to display the Add Network Pool page.
3 Assign a name to the pool and complete the desired fields. In Figure 31-6, the network pool name is Engineering, and the address pool contains all IP addresses in the 192.168.5.0 subnet, which means a client that receives an address from the DHCP server might lease an address in the range of 192.168.5.1 to 192.168.5.254.
Figure 31-6. Add Network Pool
The Engineering pool also configures clients to use 192.168.5.1 as the default gateway IP address and 192.168.1.5 and 192.168.2.5 as the primary and secondary DNS servers.
NOTE: The IP address 192.168.5.1 should be added to the global list of excluded addresses so that it is not leased to a client.
4 Click Apply.

Adding a Static Pool
To create and configure a static pool of IP addresses:
1 Open the Address Pool page.
In Figure 31-7, the Static pool name is Lab, and the name of the client in the pool is LabHost1. The client’s MAC address is mapped to the IP address 192.168.11.54, the default gateway is 192.168.11.1, and the DNS servers the client will use have IP addresses of 192.168.5.100 and 192.168.2.5.
Figure 31-7. Add Static Pool
4 Click Apply.
Address Pool Options
Use the Address Pool Options page to view manually configured options. Options can be defined when an address pool is created or can be added to existing address pools. To display the Address Pool Options page, click Routing → IP → DHCP Server → Address Pool Options in the navigation panel.
Figure 31-8. Address Pool Options

Defining DHCP Options
To configure DHCP options:
1 Open the Address Pool page.
2 Select the Add Options check box.
Figure 31-9. Add DHCP Option
5 Click Apply.
6 To verify that the option has been added to the address pool, open the Address Pool Options page.
Figure 31-10. View Address Pool Options

DHCP Bindings
Use the DHCP Bindings page to view information about the clients that have leased IP addresses from the DHCP server. To display the DHCP Bindings page, click Routing → IP → DHCP Server → DHCP Bindings in the navigation panel.
Figure 31-11. DHCP Bindings

DHCP Server Reset Configuration
Use the Reset Configuration page to clear the client bindings for one or more clients. To display the Reset Configuration page, click Routing → IP → DHCP Server → Reset Configuration in the navigation panel.
Figure 31-12. Reset DHCP Bindings

DHCP Server Conflicts Information
Use the Conflicts Information page to view information about clients that have leased an IP address that is already in use on the network. To display the Conflicts Information page, click Routing → IP → DHCP Server → Conflicts Information in the navigation panel.
Figure 31-13.

DHCP Server Statistics
Use the Server Statistics page to view general DHCP server statistics, messages received from DHCP clients, and messages sent to DHCP clients. To display the Server Statistics page, click Routing → IP → DHCP Server → Server Statistics in the navigation panel.
Figure 31-14.
Configuring the DHCP Server (CLI)
This section provides information about the commands used for configuring and monitoring the DHCP server and address pools. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global DHCP Server Settings
Use the following commands to configure settings for the DHCP server.

Configuring a Dynamic Address Pool
Use the following commands to create an address pool with network information that is dynamically assigned to hosts with DHCP clients that request the information.

Command: configure
Purpose: Enter Global Configuration mode.

Command: ip dhcp pool name
Purpose: Create a DHCP address pool and enter DHCP pool configuration mode.

Command: network network-ip [mask | prefixlength]
Purpose: Configure the subnet number and mask for a DHCP address pool.

Configuring a Static Address Pool
Use the following commands to create a static address pool and specify the network information for the pool. The network information configured in the static address pool is assigned only to the host with the hardware address or client identifier that matches the information configured in the static pool.

Command: configure
Purpose: Enter Global Configuration mode.

Command: ip dhcp pool name
Purpose: Create a DHCP address pool and enter DHCP pool configuration mode.
Command: lease {days[hours][minutes] | infinite}
Purpose: Specify the duration of the lease for an IP address that is assigned from a DHCP server to a DHCP client.
• days — Days the lease is valid (Range 0–59, Default is 1). The hours and minutes can optionally be specified after the days.
• infinite — 60 day lease. The Dell EMC Networking DHCP server does not offer infinite leases. A setting of infinite corresponds to 60 days.

Command: default-router address1 [address2....

Command: clear ip dhcp conflict {address | *}
Purpose: Clear an address conflict from the DHCP Server database. Use * to clear all conflicts.

Command: show ip dhcp server statistics
Purpose: View DHCP server statistics.

Command: clear ip dhcp server statistics
Purpose: Reset all DHCP server statistics to zero.
5 Specify the domain name to be assigned to clients that lease an address from this pool.
console(config-dhcp-pool)#domain-name engineering.dell.com
console(config-dhcp-pool)#exit
6 In Global Configuration mode, add the addresses to exclude from the pool. Clients will not be assigned these IP addresses.
console(config)#ip dhcp excluded-address 192.168.5.1 192.168.5.20
console(config)#ip dhcp excluded-address 192.168.5.100
7 Enable the DHCP server on the switch.
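The following added example (not part of the Dell EMC guide) audits a pool configuration for the two limits this chapter states: the default gateway must be in the excluded list so it is never leased, and the server leases at most 256 addresses. The configuration text is constructed from the Engineering pool values above, and only the network, default-router, and ip dhcp excluded-address commands are interpreted.

```python
"""Audit DHCP pool statements for leasable gateways and the 256-lease limit."""
import ipaddress

MAX_LEASES = 256  # maximum number of leases stated in this chapter

# Constructed configuration using the Engineering pool values from the guide.
SAMPLE_CONFIG = """\
ip dhcp pool Engineering
network 192.168.5.0 255.255.255.0
default-router 192.168.5.1
domain-name engineering.dell.com
exit
ip dhcp excluded-address 192.168.5.1 192.168.5.20
ip dhcp excluded-address 192.168.5.100
"""

# The same pool without the excluded-address statements (the weak variant).
WEAK_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines() if "excluded-address" not in line
)


def parse_config(text):
    """Return (pools, excluded): pools by name and a list of (low, high) ranges."""
    pools, excluded, current = {}, [], None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["ip", "dhcp", "pool"] and len(words) > 3:
            current = pools.setdefault(words[3], {"network": None, "routers": []})
        elif words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) > 3:
            low = ipaddress.IPv4Address(words[3])
            high = ipaddress.IPv4Address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[0] == "network" and current is not None and len(words) > 2:
            # Accepts a dotted mask or a prefix length such as /24.
            mask = words[2].lstrip("/")
            current["network"] = ipaddress.IPv4Network(
                f"{words[1]}/{mask}", strict=False
            )
        elif words[0] == "default-router" and current is not None:
            current["routers"] = [ipaddress.IPv4Address(w) for w in words[1:]]
        elif words[0] == "exit":
            current = None
    return pools, excluded


def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)


def audit(text):
    """Return {pool name: {"leasable": count, "findings": [messages]}}."""
    pools, excluded = parse_config(text)
    report = {}
    for name, pool in pools.items():
        net, findings = pool["network"], []
        if net is None:
            report[name] = {"leasable": 0, "findings": ["no network statement"]}
            continue
        leasable = [h for h in net.hosts() if not is_excluded(h, excluded)]
        for router in pool["routers"]:
            if router in net and not is_excluded(router, excluded):
                findings.append(f"default-router {router} can be leased to a client")
        if len(leasable) > MAX_LEASES:
            findings.append(
                f"{len(leasable)} leasable addresses exceed the {MAX_LEASES}-lease limit"
            )
        report[name] = {"leasable": len(leasable), "findings": findings}
    return report


if __name__ == "__main__":
    for label, cfg in (("as configured", SAMPLE_CONFIG), ("no exclusions", WEAK_CONFIG)):
        print(label, audit(cfg))
```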
Configuring a Static Address Pool
The commands in this example create an address pool that assigns the address 192.168.2.10 to the host with a MAC address of 00:1C:23:55:E9:F3. When this host sends a DHCP message requesting network information, the switch will offer the information configured in this example, which includes a custom DHCP option to assign the SMTP server IP address.

Lease Time........................ 1 days 0 hrs 0 mins
DNS Servers....................... 192.168.2.101
Default Routers................... 192.168.2.1
Domain Name....................... executive.dell.com
Option............................ 69 ip 192.168.1.
32 IP Routing
Dell EMC Networking N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches

NOTE: Dell EMC Networking N1100-ON Series switches do not support IP routing.
This chapter describes how to configure routing on the switch, including global routing settings, Address Resolution Protocol (ARP), router discovery, and static routes.

Table 32-1. IP Routing Features (Continued)

Feature: Default gateway
Description: The switch supports a single default gateway. A manually configured default gateway is preferred over a default gateway learned from a DHCP server.

Feature: ARP table
Description: The switch maintains an ARP table that maps an IP address to a MAC address. Static ARP entries can be created in the table and various ARP table settings can be managed, such as the aging time of dynamically-learned entries.
Default IP Routing Values
Table 32-2 shows the default values for the IP routing features this chapter describes.

Table 32-2. IP Routing Defaults (Continued)

Parameter: Route Preference Values
Default Value: Preference values are as follows:
• Local—0
• Static—1
• OSPF Intra—110
• OSPF Inter—110
• OSPF External—110
• RIP—120

IP Path MTU and Path MTU Discovery
The IP stack maintains an IP MTU for each route in its routing table. Conceptually, the route’s path MTU defaults to the IP MTU of the outgoing interface. The IP MTU of an interface is set automatically based upon the switch MTU.

ARP Table
The router maintains an ARP table that associates a MAC address (Link layer address) and outgoing port with an IP address and VLAN (Network layer address). The ARP table is dynamically updated with the station MAC address and outgoing port information for directly attached subnets. ARP entries are associated with the VLAN (subnet) on which the IP address or route is known. The router broadcasts an ARP request in the associated VLAN for any unknown MAC address to which it needs to route packets.
Configuring IP Routing Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv4 routing features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

IP Configuration
Use the Configuration page to configure routing parameters for the switch as opposed to an interface.

IP Statistics
The IP statistics reported on the Statistics page are as specified in RFC 1213. To display the page, click Routing → IP → Statistics in the navigation panel.
Figure 32-2.

ARP Create
Use the Create page to add a static ARP entry to the Address Resolution Protocol table. To display the page, click Routing → ARP → Create in the navigation panel.
Figure 32-3.

ARP Table Configuration
Use the Table Configuration page to change the configuration parameters for the Address Resolution Protocol Table. This page can also display the contents of the table. To display the page, click Routing → ARP → Table Configuration in the navigation panel.
Figure 32-4.

Router Discovery Configuration
Use the Configuration page to enter or change router discovery parameters. To display the page, click Routing → Router Discovery → Configuration in the navigation panel.
Figure 32-5.

Router Discovery Status
Use the Status page to display router discovery data for each interface. To display the page, click Routing → Router Discovery → Status in the navigation panel.
Figure 32-6.

Route Table
Use the Route Table page to display the contents of the routing table. To display the page, click Routing → Router → Route Table in the navigation panel.
Figure 32-7.

Best Routes Table
Use the Best Routes Table page to display the best routes from the routing table. To display the page, click Routing → Router → Best Routes Table in the navigation panel.
Figure 32-8.
Route Entry Configuration
Use the Route Entry Configuration page to add and configure router routes. To display the page, click Routing → Router → Route Entry Configuration in the navigation panel.
Figure 32-9. Route Entry Configuration

Adding a Route and Configuring Route Preference
To configure routing table entries:
1 Open the Route Entry Configuration page.
Figure 32-10.
2 Next to Route Type, use the drop-down box to add a Default, Static, or Static Reject route. The fields to configure are different for each route type.
• Default — Enter the default gateway address in the Next Hop IP Address field.
• Static — Enter values for Network Address, Subnet Mask, Next Hop IP Address, and Preference.
• Static Reject — Enter values for Network Address, Subnet Mask, and Preference.
3 Click Apply. The new route is added to the routing table.

Configured Routes
Use the Configured Routes page to display the routes that have been manually configured.
NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped.
To display the page, click Routing → Router → Configured Routes in the navigation panel.
Figure 32-11. Configured Routes
To remove a configured route, select the check box in the Remove column of the route to delete, and click Apply.

Route Preferences Configuration
Use the Route Preferences Configuration page to configure the default preference for each protocol (for example 60 for static routes). These values are arbitrary values that range from 1 to 255, and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. To display the page, click Routing → Router → Route Preferences Configuration in the navigation panel.
Figure 32-12.
Configuring IP Routing Features (CLI)
This section provides information about the commands used for configuring IPv4 routing on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global IP Routing Settings
Use the following commands to configure various global IP routing settings for the switch.

Adding Static ARP Entries and Configuring ARP Table Settings
Use the following commands to configure static ARP entries in the ARP cache and to specify the settings for the ARP cache.

Command: configure
Purpose: Enter global configuration mode.

Command: arp ip-address hardware-address
Purpose: Create a static ARP entry in the ARP table.
• ip-address — IP address of a device on a subnet attached to an existing routing interface.
• hardware-address — A unicast MAC address for that device.

Configuring Router Discovery (IRDP)
Use the following commands to configure IRDP settings.

Command: configure
Purpose: Enter global configuration mode.

Command: interface interface
Purpose: Enter interface configuration mode for the specified VLAN routing interface. The interface variable includes the interface type (vlan) and number, for example vlan 100.

Command: ip irdp
Purpose: Enable IRDP on the interface.

Command: ip irdp address ip-address
Purpose: Configure the address that the interface uses to send the router discovery advertisements.

Configuring Route Table Entries and Route Preferences
Use the following commands to configure route table entries and route preferences.

Command: configure
Purpose: Enter global configuration mode.

Command: ip route default nextHopIp [preference]
Purpose: Configure the default route.
• nextHopIp — IP address of the next hop router.
• preference — Specifies the preference value (administrative distance) of an individual static route.

Command: show ip route [ip-address [mask | prefix-length]
Purpose: View the routing table.
• ip-address — Specifies the network for which the route is to be displayed and displays the best matching route for the address.
• mask — Subnet mask of the IP address.
• prefix-length — Length of prefix, in bits. Must be preceded with a forward slash (‘/’). (Range: 0-32 bits)

Command: show ip route summary
Purpose: View summary information about the routing table.
IP Routing Configuration Example
In this example, the Dell EMC Networking N-Series switches are layer-3 switches with VLAN routing interfaces. VLAN routing is configured on Dell EMC Networking N-Series Switch A and Dell EMC Networking N-Series Switch B. This allows the host in VLAN 10 to communicate with the server in VLAN 30. A static route to the VLAN 30 subnet is configured on Switch A.

Configuring Dell EMC Networking N-Series Switch A
To configure Switch A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 10. This command also enables IP routing on the VLAN.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.10 255.255.255.0
console(config-if-vlan10)#exit
3 Assign an IP address to VLAN 20.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.20 255.

Configuring Dell EMC Networking N-Series Switch B
To configure Switch B:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Assign an IP address to VLAN 20. This command also enables IP routing on the VLAN.
console#configure
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.25 255.255.255.0
console(config-if-vlan20)#exit
3 Assign an IP address to VLAN 30. This command also enables IP routing on the VLAN.
33 Routing Interfaces
Dell EMC Networking N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches

This chapter describes the routing (layer-3) interfaces the Dell EMC Networking N-Series switches support, which includes VLAN routing interfaces, loopback interfaces, and tunnel interfaces.
interfaces make it possible to transmit traffic between VLANs while still containing broadcast traffic within VLAN boundaries. The configuration of VLAN routing interfaces makes inter-VLAN routing possible. For each VLAN routing interface a static IP address can be assigned, or a network DHCP server can assign a dynamic IP address.
services such as Telnet and SSH. In this way, the IP address on a loopback behaves identically to any of the local addresses of the VLAN routing interfaces in terms of the processing of incoming packets.

What Are Tunnel Interfaces?
Tunnels are a mechanism for transporting a packet across a network so that it can be evaluated at a remote location or tunnel endpoint. The tunnel, effectively, hides the packet from the network used to transport the packet to the endpoint.

Why Are Routing Interfaces Needed?
The routing interfaces this chapter describes have very different applications and uses, as this section describes. If you use the switch as a layer-2 device that handles switching only, routing interface configuration is not required. When the switch is used as a layer-2 device, it typically connects to an external layer-3 device that handles the routing functions.

VLAN Routing
VLAN routing is required when the switch is used as a layer-3 device.

Loopback Interfaces
When packets are sent to the loopback IP address, the network should be able to deliver the packets as long as any physical interface on the switch is up. There are many cases where you need to send traffic to a switch, such as in switch management. The loopback interface IP address is a good choice for communicating with the switch in these cases because the loopback interface cannot go down when the switch is powered on and operational.

Default Routing Interface Values
By default, no routing interfaces are configured. When you create a VLAN, no IP address is configured, and DHCP is disabled. After you configure an IP address on a VLAN or loopback interface, the VLAN interface is available for layer-3 routing (if enabled) and is capable of resolving ARPs and responding to pings, and the interface has the default configuration shown in Table 33-1.
Configuring Routing Interfaces (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VLAN routing interfaces, loopback interfaces, and tunnels on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

IP Interface Configuration
Use the IP Interface Configuration page to update IP interface data for this switch.

DHCP Lease Parameters
Use the DHCP Lease Parameters page to view information about the network information automatically assigned to an interface by the DHCP server. To display the page, click Routing → IP → DHCP Lease Parameters in the navigation panel.
Figure 33-3. DHCP Lease Parameters

VLAN Routing Summary
Use the VLAN Routing Summary page to view summary information about VLAN routing interfaces configured on the switch.
Figure 33-4. VLAN Routing Summary

Tunnel Configuration
Use the Tunnels Configuration page to create, configure, or delete a tunnel. To display the page, click Routing → Tunnels → Configuration in the navigation panel.
Figure 33-5.

Tunnels Summary
Use the Tunnels Summary page to display a summary of configured tunnels. To display the page, click Routing → Tunnels → Summary in the navigation panel.
Figure 33-6.

Loopbacks Configuration
Use the Loopbacks Configuration page to create, configure, or remove loopback interfaces. A secondary address for a loopback can also be set up or deleted. To display the page, click Routing → Loopback Interfaces → Loopback Interfaces Configuration in the navigation panel.
Figure 33-7.

Loopbacks Summary
Use the Loopbacks Summary page to display a summary of configured loopback interfaces on the switch. To display the page, click Routing → Loopback Interfaces → Loopback Interfaces Summary in the navigation panel.
Figure 33-8.

Configuring Routing Interfaces (CLI)
This section provides information about the commands used for configuring VLAN routing interfaces, loopbacks, and tunnels on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command: bandwidth size
Purpose: Set the configured bandwidth on this interface to communicate the speed of the interface to higher level protocols. OSPF uses the bandwidth value to compute link cost. The range is 1–10000000.

Command: ip unreachables
Purpose: Allow the switch to send ICMP Destination Unreachable messages in response to packets received on the interface.

Command: ip redirects
Purpose: Allow the switch to send ICMP Redirect messages in response to packets received on the interface.

Command: exit
Purpose: Exit to Global Config mode.

Configuring Loopback Interfaces
Use the following commands to configure a loopback interface.

Command: configure
Purpose: Enter Global Configuration mode.

Command: interface loopback loopback-id
Purpose: Create the loopback interface and enter Interface Configuration mode for the specified loopback interface.

Command: ip address ip_address subnet_mask [secondary]
Purpose: Configure a static IP address and subnet mask. Use the secondary keyword to specify that the address is a secondary IP address.

Command: CTRL + Z
Purpose: Exit to Privileged Exec mode.

Configuring Tunnels
Use the following commands to configure a tunnel interface.
NOTE: For information about configuring the IPv6 interface characteristics for a tunnel, see "IPv6 Routing" on page 1459.

Command: configure
Purpose: Enter Global Configuration mode.

Command: interface tunnel tunnel-id
Purpose: Create the tunnel interface and enter Interface Configuration mode for the specified tunnel.

Command: tunnel mode ipv6ip [6to4]
Purpose: Specify the mode of the tunnel. If you use the 6to4 keyword, the tunnel is an automatic tunnel.
34 Layer-2 and Layer-3 Relay Features
Dell EMC Networking N-Series Switches

NOTE: Dell EMC Networking N1100-ON Series switches do not support the L3 relay feature.
This chapter describes how to configure the Layer-2 (L2) DHCP relay, Layer-3 (L3) DHCP relay, and IP Helper features on Dell EMC Networking N-Series switches.

relay agent can be used to add the information that the DHCP server needs to perform its role in address and configuration assignment. The information added by the L2 relay agent can include location and identification information that can assist the DHCP server in applying policies such as service offerings or address assignment. Before it relays DHCP requests from clients, the switch can add a Circuit ID and a Remote ID.
The administrator globally enables DHCP relay and configures DHCP relay on the end-user ports of each switch as follows:
console(config)#dhcp l2relay
console(config)#interface range gi1/0/1-24
console(config-if)#dhcp l2relay
console(config-if)#exit
Then, the administrator configures the remote-id and circuit-id:
console(config)#dhcp l2relay circuit-id vlan 10,20
console(config)#dhcp l2relay remote-id "Switch A" vlan 10,20
Finally, the administrator configures the uplink for DHCP relay and sets the interfa
subclass "Pool1" "Switch A" "Gi1/0/1";
subclass "Pool1" "Switch A" "Gi1/0/2";
subclass "Pool1" "Switch A" "Gi1/0/3";
class "Pool2" {
  match option agent.remote-id;
  match option agent.circuit-id;
}
subclass "Pool2" "Switch B" "Gi1/0/1";
subclass "Pool2" "Switch B" "Gi1/0/2";
subclass "Pool2" "Switch B" "Gi1/0/3";
shared-network Public {
  subnet 10.1.222.0 netmask 255.255.254.0 {
    pool {
      deny members of "Pool1";
      deny members of "Pool2";
      option routers 10.1.222.1;
      option subnet-mask 255.255.254.
      option domain-name-servers 10.1.218.3,10.1.219.3;
      default-lease-time 21600;
      max-lease-time 43200;
    }
  }
}
}
What Is L3 DHCP Relay?
Network infrastructure devices can be used to relay packets between a DHCP client and server on different subnets. Such a device, a layer-3 relay agent, is often a router or L3 switch. The L3 relay agent must have an IP interface on the client subnets and, if it does not have an IP interface on the server’s subnet, it should be able to route traffic toward the server’s subnet.
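Returning to the L2 relay case: the sketch below is an added example (not from the Dell guide or ISC dhcpd) that parses DHCP Option 82 and picks a pool the way the subclass statements shown earlier do. The sub-option codes 1 (Circuit ID) and 2 (Remote ID) come from RFC 3046; the ASCII encoding of the IDs, the helper names and the sample options field are assumptions made for the illustration.

```python
from typing import Dict, Optional, Tuple

OPT_PAD, OPT_END, OPT_RELAY_AGENT_INFO = 0, 255, 82   # DHCP option codes
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2                  # RFC 3046 sub-options


class MalformedOption(ValueError):
    """Raised when a length byte is missing or points past the buffer."""


def tlv(code: int, value: bytes) -> bytes:
    """Encode one code/length/value triple (used to build the sample data)."""
    if len(value) > 255:
        raise ValueError("value too long for a one-byte length")
    return bytes([code, len(value)]) + value


def parse_tlvs(buf: bytes, dhcp_framing: bool) -> Dict[int, bytes]:
    """Walk code/length/value triples without trusting the length bytes.

    dhcp_framing=True handles the outer options field (pad and end codes,
    split options concatenated); False handles sub-options inside Option 82,
    where a repeated sub-option is rejected as ambiguous.
    """
    fields: Dict[int, bytes] = {}
    i = 0
    while i < len(buf):
        code = buf[i]
        if dhcp_framing and code == OPT_PAD:
            i += 1
            continue
        if dhcp_framing and code == OPT_END:
            break
        if i + 1 >= len(buf):
            raise MalformedOption(f"code {code} has no length byte")
        end = i + 2 + buf[i + 1]
        if end > len(buf):
            raise MalformedOption(f"code {code} overruns the buffer")
        if code in fields and not dhcp_framing:
            raise MalformedOption(f"duplicate sub-option {code}")
        fields[code] = fields.get(code, b"") + buf[i + 2:end]
        i = end
    return fields


def relay_agent_info(options: bytes) -> Optional[Tuple[Optional[bytes], Optional[bytes]]]:
    """Return (circuit_id, remote_id), or None if Option 82 is absent."""
    outer = parse_tlvs(options, dhcp_framing=True)
    if OPT_RELAY_AGENT_INFO not in outer:
        return None
    subs = parse_tlvs(outer[OPT_RELAY_AGENT_INFO], dhcp_framing=False)
    return subs.get(SUB_CIRCUIT_ID), subs.get(SUB_REMOTE_ID)


# (remote-id, circuit-id) pairs taken from the subclass lines on this page.
# Assumption: the IDs arrive as the same ASCII strings the dhcpd config matches.
PORTS = (b"Gi1/0/1", b"Gi1/0/2", b"Gi1/0/3")
POOLS = {(b"Switch A", port): "Pool1" for port in PORTS}
POOLS.update({(b"Switch B", port): "Pool2" for port in PORTS})


def classify(options: bytes) -> str:
    """Pick the pool; anything unmatched falls to the Public pool, which
    denies members of Pool1 and Pool2."""
    info = relay_agent_info(options)
    if info is None:
        return "Public"
    circuit_id, remote_id = info
    return POOLS.get((remote_id, circuit_id), "Public")


# Constructed sample: options field of a DHCPDISCOVER relayed by "Switch A"
# for a client on port Gi1/0/2 (option 53 = message type, value 1).
SAMPLE_OPTIONS = (
    tlv(53, b"\x01")
    + tlv(OPT_RELAY_AGENT_INFO,
          tlv(SUB_CIRCUIT_ID, b"Gi1/0/2") + tlv(SUB_REMOTE_ID, b"Switch A"))
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(relay_agent_info(SAMPLE_OPTIONS), classify(SAMPLE_OPTIONS))
```

Because the server selects a pool purely from these two byte strings, the match is only as trustworthy as the device that inserted them.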
What Is the IP Helper Feature? The IP Helper feature provides the ability for a router to unicast-forward configured UDP broadcast packets to a particular IP address (including DHCP packets). This allows applications to reach servers on non-local subnets. This is possible even when the application is designed to assume a server is always on a local subnet or when the application uses broadcast packets to reach the server (with the limited broadcast address 255.255.255.
Table 34-1. Default Ports - UDP Port Numbers Implied By Wildcard
Protocol                          UDP Port Number
IEN-116 Name Service              42
DNS                               53
NetBIOS Name Server               137
NetBIOS Datagram Server           138
TACACS Server                     49
Time Service                      37
DHCP                              67
Trivial File Transfer Protocol    69
The system limits the total number of relay entries to four times the maximum number of routing interfaces (512 relay entries).
addresses. Otherwise, the relay agent verifies that there is a global configuration for the destination UDP port. If so, the relay agent unicasts the packet to the configured server IP addresses. Otherwise the packet is not relayed. NOTE: If the packet matches a discard relay entry on the ingress interface, the packet is not forwarded, regardless of the global configuration.
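The precedence just described (interface entry first, then global entry, with an interface discard entry overriding the global configuration) can be modelled for configuration review. This is an added example, not Dell code: the class and function names are hypothetical, the VLAN 10 and VLAN 20 entries follow the configuration example later in this chapter, and the global entry 192.0.2.10 and the VLAN 20 discard entry are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# UDP ports implied when a helper entry names no port (Table 34-1 on this page).
DEFAULT_SET = frozenset({42, 53, 137, 138, 49, 37, 67, 69})
DISCARD = "discard"


@dataclass(frozen=True)
class HelperEntry:
    target: str                     # server IP address, or DISCARD
    udp_port: Optional[int] = None  # None means the default set above

    def covers(self, udp_port: int) -> bool:
        if self.udp_port is None:
            return udp_port in DEFAULT_SET
        return self.udp_port == udp_port


class RelayPolicy:
    def __init__(self, global_entries: Iterable[HelperEntry],
                 interface_entries: Dict[str, List[HelperEntry]]):
        self.global_entries = list(global_entries)
        self.interface_entries = {k: list(v) for k, v in interface_entries.items()}

    def decide(self, ingress: str, udp_port: int) -> Tuple[str, List[str]]:
        """Return (action, servers) for a UDP broadcast received on `ingress`."""
        local = [e for e in self.interface_entries.get(ingress, [])
                 if e.covers(udp_port)]
        # A discard entry on the ingress interface wins over everything else.
        if any(e.target == DISCARD for e in local):
            return ("discard", [])
        # Interface configuration takes precedence over global configuration.
        if local:
            return ("relay", sorted({e.target for e in local}))
        servers = sorted({e.target for e in self.global_entries
                          if e.covers(udp_port)})
        return ("relay", servers) if servers else ("not-relayed", [])

    def exposure(self, ingress: str) -> Dict[int, List[str]]:
        """Every UDP port whose broadcasts are relayed off `ingress`, with the
        servers that receive them. Useful when auditing a helper config."""
        ports = set(DEFAULT_SET)
        for e in self.global_entries + self.interface_entries.get(ingress, []):
            if e.udp_port is not None:
                ports.add(e.udp_port)
        relayed: Dict[int, List[str]] = {}
        for port in sorted(ports):
            action, servers = self.decide(ingress, port)
            if action == "relay":
                relayed[port] = servers
        return relayed


POLICY = RelayPolicy(
    # Constructed: a global entry with no port, so it covers the default set.
    global_entries=[HelperEntry("192.0.2.10")],
    interface_entries={
        # From the chapter's example: DHCP (67) and domain (53) on VLAN 10.
        "vlan10": [HelperEntry("192.168.40.35", 67),
                   HelperEntry("192.168.40.35", 53)],
        # From the chapter's example: SNMP traps (162) on VLAN 20.
        # Constructed: a discard entry for DNS on VLAN 20.
        "vlan20": [HelperEntry("192.168.23.1", 162),
                   HelperEntry(DISCARD, 53)],
    },
)

if __name__ == "__main__":
    for iface in ("vlan10", "vlan20", "vlan30"):
        print(iface, POLICY.exposure(iface))
```

The exposure listing makes the side effect of a port-less global entry visible: NetBIOS, TFTP and the other default-set broadcasts are relayed from every routing interface that has no discard entry for them.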
Table 34-2 shows the most common protocols and their UDP port numbers and names that are relayed. Table 34-2.
Default L2/L3 Relay Values By default L2 DHCP relay is disabled. L3 relay (UDP) is enabled, but no UDP destination ports or server addresses are defined on the switch or on any interfaces. Table 34-3.
Configuring L2 and L3 Relay Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring L2 and L3 relay features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. L2 DHCP Relay Global Configuration Use this page to enable or disable the switch to act as a DHCP Relay agent.
L2 DHCP Relay Interface Configuration Use this page to enable L2 DHCP relay on individual ports. NOTE: L2 DHCP relay must also be enabled globally on the switch. To access this page, click Switching DHCP Relay Interface Configuration in the navigation panel. Figure 34-2. DHCP Relay Interface Configuration To view a summary of the L2 DHCP relay configuration on all ports and LAGS, click Show All.
Figure 34-3.
L2 DHCP Relay Interface Statistics Use this page to display statistics on DHCP Relay requests received on a selected port. To access this page, click Switching DHCP Relay Interface Statistics in the navigation panel. Figure 34-4.
L2 DHCP Relay VLAN Configuration Use this page to enable and configure DHCP Relay on specific VLANs. To access this page, click Switching DHCP Relay VLAN Configuration in the navigation panel. Figure 34-5. DHCP Relay VLAN Configuration To view a summary of the L2 DHCP relay configuration on all VLANs, click Show All. Figure 34-6. DHCP Relay VLAN Summary DHCP Relay Agent Configuration Use the Configuration page to configure and display a DHCP relay agent.
Figure 34-7.
IP Helper (L3 DHCP Relay) Global Configuration
NOTE: The IP Helper feature is not supported on the Dell EMC Networking N1100-ON Series switches.
Use the Global Configuration page to add, show, or delete UDP Relay and Helper IP configuration. To display the page, click Routing IP Helper Global Configuration in the navigation panel. Figure 34-8. IP Helper Global Configuration
Adding an IP Helper Entry
To configure an IP helper entry: 1. Open the IP Helper Global Configuration page. 2.
Figure 34-9. Add Helper IP Address 3. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols. NOTE: If the DefaultSet option is specified, the device by default forwards UDP Broadcast packets for the following services: IEN-116 Name Service (port 42), DNS (port 53), NetBIOS Name Server (port 137), NetBIOS Datagram Server (port 138), TACACS Server (Port 49), and Time Service (port 37).
IP Helper (L3 DHCP Relay) Interface Configuration Use the Interface Configuration page to add, show, or delete UDP Relay and Helper IP configuration for a specific interface. To display the page, click Routing IP Helper Interface Configuration in the navigation panel. Figure 34-10. IP Helper Interface Configuration Adding an IP Helper Entry to an Interface To add an IP helper entry to an interface: 1. Open the IP Helper Interface Configuration page. 2.
Figure 34-11. Add Helper IP Address 3. Select the interface to use for the relay. 4. Select a UDP Destination port name from the menu or enter the UDP Destination Port ID. Select the Default Set to configure for the relay entry for the default set of protocols.
IP Helper Statistics Use the Statistics page to view UDP Relay Statistics for the switch. To display the page, click Routing IP Helper Statistics in the navigation panel. Figure 34-12.
Configuring L2 and L3 Relay Features (CLI) This section provides information about the commands used for configuring L2 and L3 relay features on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Configuring L2 DHCP Relay Use the following commands to configure switch and interface L2 DHCP relay settings.
Command
    Purpose
dhcp l2relay remote-id remoteId vlan vlan-list
    Enable setting the DHCP Option 82 Remote ID for a VLAN. When enabled, the supplied string is used for the Remote ID in DHCP Option 82. The remoteId variable is a string to be used as the remote ID in the Option 82 (Range: 1 - 128 characters).
exit
    Exit to Privileged Exec mode.
show dhcp l2relay all
    View L2 DHCP relay settings on the switch.
Configuring L3 Relay (IP Helper) Settings
Use the following commands to configure switch and interface L3 DHCP relay and IP helper settings.
NOTE: The IP Helper feature is not supported on the Dell EMC Networking N1100-ON Series switches.
Command
    Purpose
configure
    Enter global configuration mode.
ip helper enable
    Use this command to enable the IP helper feature. It is enabled by default.
Command
    Purpose
ip helper-address {server-address | discard} [dest-udp-port | dhcp | domain | isakmp | mobile-ip | nameserver | netbios-dgm | netbios-ns | ntp | pim-auto-rp | rip | tacacs | tftp | time]
    Configure the relay of certain UDP broadcast packets received on the VLAN routing interface(s). This command takes precedence over an ip helper-address command given in global configuration mode. Specify one of the protocols defined in the command or the UDP port number.
Relay Agent Configuration Example
The example in this section shows how to configure the L3 relay agent (IP helper) to relay and discard various protocols.
Figure 34-13. L3 Relay Network Diagram
This example assumes that multiple VLAN routing interfaces have been created, and configured with IP addresses.
To configure the switch:
1 Relay DHCP packets received on VLAN 10 to 192.168.40.35
console#config
console(config)#interface vlan 10
console(config-if-vlan10)#ip helper-address 192.168.40.
console(config-if-vlan10)#ip helper-address 192.168.40.35 domain
console(config-if-vlan10)#exit
3 Relay SNMP traps (port 162) received on VLAN 20 to 192.168.23.1
console(config)#interface vlan 20
console(config-if-vlan20)#ip helper-address 192.168.23.
35 OSPF and OSPFv3
Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON and N4000 Series Switches
This chapter describes how to configure Open Shortest Path First (OSPF) and OSPFv3. OSPF is a dynamic routing protocol for IPv4 networks, and OSPFv3 is used to route traffic in IPv6 networks. The protocols are configured separately within the software, but their functionality is largely similar for IPv4 and IPv6 networks.
OSPF Overview OSPF is an Interior Gateway Protocol (IGP) that performs dynamic routing within a network. Dell EMC Networking N-Series switches support two dynamic routing protocols: OSPF and Routing Information Protocol (RIP). Unlike RIP, OSPF is a link-state protocol. Larger networks typically use the OSPF protocol instead of RIP. What Are OSPF Areas and Other OSPF Topology Features? The top level of the hierarchy of an OSPF network is known as an OSPF domain. The domain can be divided into areas.
What Are OSPF Routers and LSAs? When a Dell EMC Networking N-Series switch is configured to use OSPF for dynamic routing, it is considered to be an OSPF router. OSPF routers keep track of the state of the various links they send data to. Routers exchange OSPF link state advertisements (LSAs) with other routers. External LSAs provide information on static routes or routes learned from other routing protocols. OSPF defines various router types: • Backbone routers have an interface in Area 0.
OSPF Feature Details
This section provides details on the following OSPF features:
• Stub Router
• Static Area Range Cost
• LSA Pacing
• Flood Blocking
Stub Router
RFC 3137 introduced stub router behavior to OSPFv2. As a stub, a router can inform other routers that it is not available to forward data packets.
begin in stub router mode when OSPF is globally enabled. If the operator wants to avoid routing transients when he enables or configures OSPF, he can manually set OSPF in stub router mode. If OSPF is in startup stub router mode and encounters a resource limitation that would normally cause OSPF to become a stub router, OSPF cancels the timer to exit startup stub router and remains in stub router mode until the network administrator takes action.
Static Area Range Cost This feature allows a network operator to configure a fixed OSPF cost that is always advertised when an area range is active. This feature applies to both OSPFv2 and OSPFv3. An OSPF domain can be divided into areas to limit the processing required on each router. Area Border Routers (ABRs) advertise reachability across area boundaries. It is common to summarize the set of prefixes that an ABR advertises across an area boundary.
LSA Pacing OSPF refreshes each self-originated LSA every 30 minutes. Because a router tends to originate many LSAs at the same time, either at startup or when adjacencies are formed or when routes are first learned, LSA refreshes tend to be grouped. Further, Area Border Routers (ABRs) attached to the same area tend to originate summary LSAs into the area at the same time. This behavior leads to periodic bursts of LS Update packets.
Flood Blocking OSPF is a link state routing protocol. Routers describe their local environment in Link State Advertisements (LSAs), which are distributed throughout an area or OSPF domain. Through this process, each router learns enough information to compute a set of routes consistent with the routes computed by all other routers. Normally, OSPF floods an LSA on all interfaces within the LSA's flooding scope. Flooding ensures that all routers receive all LSAs.
Flood blocking cannot be enabled on virtual interfaces. While the feature could be allowed on virtual interfaces, it is less likely to be used on a virtual interface, since virtual interfaces are created specifically to allow flooding between two backbone routers. So the option of flood blocking on virtual interfaces is not supported. See "Configuring Flood Blocking" on page 1326 for a configuration example.
Default OSPF Values OSPF is globally enabled by default. To make it operational on the router, you must configure a router ID and enable OSPF on at least one interface. Table 35-1 shows the global default values for OSPF and OSPFv3. Table 35-1.
Table 35-2 shows the per-interface default values for OSPF and OSPFv3. Table 35-2.
Configuring OSPF Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPF features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. OSPF Configuration Use the Configuration page to enable OSPF on a router and to configure the related OSPF settings.
OSPF Area Configuration The Area Configuration page lets you create a Stub area configuration and NSSA once you’ve enabled OSPF on an interface through Routing OSPF Interface Configuration. At least one router must have OSPF enabled for this web page to display. To display the page, click Routing OSPF Area Configuration in the navigation panel. If a Stub Area has been created, the fields in the Stub Area Information are available.
Configuring an OSPF Stub Area
To configure the area as an OSPF stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area. Figure 35-3. OSPF Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
Configuring an OSPF Not-So-Stubby Area
To configure the area as an OSPF not-so-stubby area (NSSA), click NSSA Create. The page refreshes and displays additional fields that are specific to the NSSA. Figure 35-4. OSPF NSSA Configuration Use the NSSA Delete button to remove the NSSA area.
OSPF Stub Area Summary The Stub Area Summary page displays OSPF stub area detail. To display the page, click Routing OSPF Stub Area Summary in the navigation panel. Figure 35-5.
OSPF Area Range Configuration Use the Area Range Configuration page to configure and display an area range for a specified NSSA. To display the page, click Routing OSPF Area Range Configuration in the navigation panel. Figure 35-6.
OSPF Interface Statistics Use the Interface Statistics page to display statistics for the selected interface. The information is displayed only if OSPF is enabled. To display the page, click Routing OSPF Interface Statistics in the navigation panel. Figure 35-7.
OSPF Interface Configuration Use the Interface Configuration page to configure an OSPF interface. To display the page, click Routing OSPF Interface Configuration in the navigation panel. Figure 35-8.
OSPF Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled. To display the page, click Routing OSPF Neighbor Table in the navigation panel. Figure 35-9.
OSPF Neighbor Configuration Use the Neighbor Configuration page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about a neighbor is given. The information below is only displayed if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click Routing OSPF Neighbor Configuration in the navigation panel. Figure 35-10.
OSPF Link State Database Use the Link State Database page to display OSPF link state, external LSDB table, and AS opaque LSDB table information. To display the page, click Routing OSPF Link State Database in the navigation panel. Figure 35-11. OSPF Link State Database OSPF Virtual Link Configuration Use the Virtual Link Configuration page to create or configure virtual interface information for a specific area and neighbor. A valid OSPF area must be configured before this page can be displayed.
Figure 35-12. OSPF Virtual Link Creation After you create a virtual link, additional fields display, as Figure 35-13 shows. Figure 35-13.
OSPF Virtual Link Summary Use the Virtual Link Summary page to display all of the configured virtual links. To display the page, click Routing OSPF Virtual Link Summary in the navigation panel. Figure 35-14.
OSPF Route Redistribution Configuration Use the Route Redistribution Configuration page to configure redistribution in OSPF for routes learned through various protocols. Routes learned from all available protocols, or from selected protocols, can be redistributed. To display the page, click Routing OSPF Route Redistribution Configuration in the navigation panel. Figure 35-15.
OSPF Route Redistribution Summary Use the Route Redistribution Summary page to display OSPF Route Redistribution configurations. To display the page, click Routing OSPF Route Redistribution Summary in the navigation panel. Figure 35-16.
NSF OSPF Configuration Use the NSF OSPF Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPF feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 241 in the Stacking chapter. To display the page, click Routing OSPF NSF OSPF Configuration in the navigation panel. Figure 35-17.
Configuring OSPFv3 Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring OSPFv3 features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. OSPFv3 Configuration Use the Configuration page to activate and configure OSPFv3 for a switch. To display the page, click IPv6 OSPFv3 Configuration in the navigation panel. Figure 35-18.
To display the page, click IPv6 OSPFv3 Area Configuration in the navigation panel. Figure 35-19.
Configuring an OSPFv3 Stub Area
To configure the area as an OSPFv3 stub area, click Create Stub Area. The page refreshes and displays additional fields that are specific to the stub area. Figure 35-20. OSPFv3 Stub Area Configuration Use the Delete Stub Area button to remove the stub area.
Configuring an OSPFv3 Not-So-Stubby Area
To configure the area as an OSPFv3 not-so-stubby area (NSSA), click Create NSSA. The page refreshes and displays additional fields that are specific to the NSSA. Figure 35-21. OSPFv3 NSSA Configuration Use the Delete NSSA button to remove the NSSA area.
OSPFv3 Stub Area Summary Use the Stub Area Summary page to display OSPFv3 stub area detail. To display the page, click IPv6 OSPFv3 Stub Area Summary in the navigation panel. Figure 35-22.
OSPFv3 Area Range Configuration Use the Area Range Configuration page to configure OSPFv3 area ranges. To display the page, click IPv6 OSPFv3 Area Range Configuration in the navigation panel. Figure 35-23.
OSPFv3 Interface Configuration Use the Interface Configuration page to create and configure OSPFv3 interfaces. To display the page, click IPv6 OSPFv3 Interface Configuration in the navigation panel. Figure 35-24.
OSPFv3 Interface Statistics Use the Interface Statistics page to display OSPFv3 interface statistics. Information is only displayed if OSPF is enabled. To display the page, click IPv6 OSPFv3 Interface Statistics in the navigation panel. Figure 35-25.
OSPFv3 Neighbors Use the Neighbors page to display the OSPF neighbor configuration for a selected neighbor ID. When a particular neighbor ID is specified, detailed information about that neighbor is given. Neighbor information only displays if OSPF is enabled and the interface has a neighbor. The IP address is the IP address of the neighbor. To display the page, click IPv6 OSPFv3 Neighbors in the navigation panel. Figure 35-26.
OSPFv3 Neighbor Table Use the Neighbor Table page to display the OSPF neighbor table list. When a particular neighbor ID is specified, detailed information about a neighbor is given. The neighbor table is only displayed if OSPF is enabled. To display the page, click IPv6 OSPFv3 Neighbor Table in the navigation panel. Figure 35-27.
OSPFv3 Link State Database Use the Link State Database page to display the link state and external LSA databases. The OSPFv3 Link State Database page has been updated to display external LSDB table information in addition to OSPFv3 link state information. To display the page, click IPv6 OSPFv3 Link State Database in the navigation panel. Figure 35-28.
OSPFv3 Virtual Link Configuration Use the Virtual Link Configuration page to define a new or configure an existing virtual link. To display this page, a valid OSPFv3 area must be defined through the OSPFv3 Area Configuration page. To display the page, click IPv6 OSPFv3 Virtual Link Configuration in the navigation panel. Figure 35-29.
After you create a virtual link, additional fields display, as Figure 35-30 shows. Figure 35-30.
OSPFv3 Virtual Link Summary Use the Virtual Link Summary page to display virtual link data by Area ID and Neighbor Router ID. To display the page, click IPv6 OSPFv3 Virtual Link Summary in the navigation panel. Figure 35-31.
OSPFv3 Route Redistribution Configuration Use the Route Redistribution Configuration page to configure route redistribution. To display the page, click IPv6 OSPFv3 Route Redistribution Configuration in the navigation panel. Figure 35-32.
OSPFv3 Route Redistribution Summary Use the Route Redistribution Summary page to display route redistribution settings by source. To display the page, click IPv6 OSPFv3 Route Redistribution Summary in the navigation panel. Figure 35-33.
NSF OSPFv3 Configuration Use the NSF OSPFv3 Configuration page to configure the non-stop forwarding (NSF) support mode and to view NSF summary information for the OSPFv3 feature. NSF is a feature used in switch stacks to maintain switching and routing functions in the event of a stack unit failure. For information about NSF, see "What is Nonstop Forwarding?" on page 241 in the Stacking chapter. To display the page, click Routing OSPFv3 NSF OSPFv3 Configuration in the navigation panel. Figure 35-34.
Configuring OSPF Features (CLI) This section provides information about the commands used for configuring and viewing OSPF settings on the switch. This section does not describe all available show commands. For more information about all available OSPF commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command
    Purpose
default-information originate [always] [metric metric-value] [metric-type type-value]
    Control the advertisement of default routes.
    • always — Normally, OSPF originates a default route only if a default route is redistributed into OSPF (and default-information originate is configured). When the always option is configured, OSPF originates a default route, even if no default route is redistributed.
    • metric-value — The metric (or preference) value of the default route.
Command
    Purpose
passive-interface default
    Configure OSPF interfaces as passive by default. This command overrides any interface-level passive mode settings. OSPF does not form adjacencies on passive interfaces but does advertise attached networks as stub networks.
timers spf delay-time hold-time
    Specify the SPF delay and hold time.
    • delay-time — SPF delay time. (Range: 0–65535 seconds)
    • hold-time — SPF hold time. (Range: 0–65535 seconds)
exit
    Exit to Global Configuration mode.
Configuring OSPF Interface Settings
Use the following commands to configure per-interface OSPF settings.
Command
    Purpose
configure
    Enter global configuration mode.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ip ospf area area-id [secondaries none]
    Enables OSPFv2 on the interface and sets the area ID of an interface. This command supersedes the effects of network area command.
Command
    Purpose
ip ospf dead-interval seconds
    Set the OSPF dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network. This value should be some multiple of the Hello Interval.
ip ospf transmit-delay seconds
    Set the OSPF Transit Delay for the interface.
Command
    Purpose
exit
    Exit to Global Configuration Mode
router ospf
    Enter OSPF configuration mode.
passive-interface vlan vlan-id
    Make an interface passive to prevent OSPF from forming an adjacency on an interface. OSPF advertises networks attached to passive interfaces as stub networks.
network ip-address wildcard-mask area area-id
    Enable OSPFv2 on interfaces whose primary IP address matches this command, and make the interface a member of the specified area.
Command
    Purpose
area area-id default-cost integer
    Configure the metric value (default cost) for the type 3 summary LSA sent into the stub area. (Range: 1–16777215)
area area-id nssa
    Create an NSSA for the specified area ID.
area area-id nssa no-summary
    Configure the NSSA so that summary LSAs are not advertised into the NSSA.
area area-id nssa
    Configure the translator role of the NSSA.
Configuring Virtual Links
Use the following commands to configure OSPF Virtual Links.
Command
    Purpose
configure
    Enter global configuration mode.
router ospf
    Enter OSPF configuration mode.
area area-id virtual-link neighbor-id
    Create the OSPF virtual interface for the specified area-id and neighbor router. The neighbor-id variable is the IP address of the neighboring router.
Command
    Purpose
area area-id virtual-link neighbor-id hello-interval seconds
    Set the OSPF hello interval for the virtual link. The seconds variable indicates the number of seconds to wait before sending Hello packets from the virtual interface. (Range: 1–65535).
area area-id virtual-link neighbor-id dead-interval seconds
    Set the OSPF dead interval for the virtual link. The seconds variable indicates the number of seconds to wait before the virtual interface is assumed to be dead.
Configuring OSPF Area Range Settings
Use the following commands to configure an OSPF area range.
Command
    Purpose
configure
    Enter global configuration mode.
router ospf
    Enter OSPF configuration mode.
area area-id range ip-address mask {summarylink | nssaexternallink} [advertise | not-advertise]
    Configure a summary prefix for routes learned in a given area.
    • area-id — Identifies the OSPF NSSA to configure. (Range: IP address or decimal from 0–4294967295)
    • ip-address — IP address.
Command
    Purpose
distribute-list accesslistname out {bgp | rip | static | connected}
    Specify the access list to filter routes received from the source protocol. The ACL must already exist on the switch. For information about the commands used for configuring ACLs, see "Configuring ACLs (CLI)" on page 712.
    • accesslistname — The name used to identify an existing ACL.
    • bgp — Apply the specified access list when BGP is the source protocol.
Command
    Purpose
show ip ospf
    View OSPF configuration and status information, including route distribution information.
Configuring NSF Settings for OSPF
Use the following commands to configure the non-stop forwarding settings for OSPF.
Command
    Purpose
configure
    Enter global configuration mode.
router ospf
    Enter OSPF configuration mode.
nsf [ietf] helper strict-lsa-checking
    Require that an OSPF helpful neighbor exit helper mode whenever a topology change occurs.
Configuring OSPFv3 Features (CLI)
This section provides information about the commands used for configuring OSPFv3 settings on the switch. For more information about the commands and about additional show commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Configuring Global OSPFv3 Settings
Use the following commands to configure various global OSPFv3 settings for the switch.
Command
    Purpose
distance ospf {external | inter-area | intra-area} distance
    Set the preference values of OSPFv3 route types in the router. The range for the distance variable is 1–255. Lower route preference values are preferred when determining the best route.
enable
    Enable OSPFv3.
exit-overflow-interval seconds
    Specify the exit overflow interval for OSPFv3 as defined in RFC 1765.
Configuring OSPFv3 Interface Settings
Use the following commands to configure per-interface OSPFv3 settings.
Command
    Purpose
configure
    Enter global configuration mode.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ipv6 ospf areaid area-id
    Enables OSPFv3 on the interface and sets the area ID of an interface. This command supersedes the effects of network area command.
Command Purpose ipv6 ospf dead-interval seconds Set the OSPFv3 dead interval for the interface. The seconds variable indicates the number of seconds a router waits to see a neighbor router's Hello packets before declaring that the router is down (Range: 1–65535). This parameter must be the same for all routers attached to a network. This value should be some multiple of the Hello Interval. ipv6 ospf transmit-delay Set the OSPFv3 Transit Delay for the interface.
Command
    Purpose
show ipv6 ospf interface [interface-type interface-number]
    View summary information for all OSPFv3 interfaces configured on the switch or for the specified routing interface.
show ipv6 ospf interface stats interface-type interface-number
    View per-interface OSPFv3 statistics.
Configuring Stub Areas and NSSAs
Use the following commands to configure OSPFv3 stub areas and NSSAs.
Command
    Purpose
configure
    Enter global configuration mode.
ipv6 router ospf
    Enter OSPFv3 configuration mode.
Command Purpose Create and configure an NSSA for the specified area ID. area area-id nssa [noredistribution] [default- • metric-value—Specifies the metric of the default route information-originate advertised to the NSSA.
Configuring Virtual Links
Use the following commands to configure OSPFv3 Virtual Links.
Command
    Purpose
configure
    Enter global configuration mode.
ipv6 router ospf
    Enter OSPFv3 configuration mode.
area area-id virtual-link neighbor-id
    Create the OSPFv3 virtual interface for the specified area-id and neighbor router. The neighbor-id variable is the IP address of the neighboring router.
Configuring an OSPFv3 Area Range Use the following commands to configure an OSPFv3 area range. Command Purpose configure Enter global configuration mode. ipv6 router ospf Enter OSPFv3 configuration mode. Configure a summary prefix for routes learned in a given area area-id range ipv6area. prefix/prefix-length {summarylink | • area-id — Identifies the OSPFv3 NSSA to configure.
Configuring OSPFv3 Route Redistribution Settings Use the following commands to configure OSPFv3 route redistribution settings. Command Purpose configure Enter global configuration mode. ipv6 router ospf Enter OSPFv3 configuration mode. redistribute {bgp | static Configure OSPFv3 to allow redistribution of routes from the specified source protocol/routers. | connected} [metric metric] [metric-type {1 | • bgp — Specifies BGP as the source protocol.
Configuring NSF Settings for OSPFv3
Use the following commands to configure the non-stop forwarding settings for OSPFv3.

Command: configure
Purpose: Enter global configuration mode.

Command: ipv6 router ospf
Purpose: Enter OSPFv3 configuration mode.

Command: nsf [ietf] helper strict-lsa-checking
Purpose: Require that an OSPFv3 helpful neighbor exit helper mode whenever a topology change occurs. Use the ietf keyword to distinguish the IETF standard implementation of graceful restart from other implementations.
OSPF Configuration Examples
This section contains the following examples:
• Configuring an OSPF Border Router and Setting Interface Costs
• Configuring Stub and NSSA Areas for OSPF and OSPFv3
• Configuring a Virtual Link for OSPF and OSPFv3

Configuring an OSPF Border Router and Setting Interface Costs
This example shows how to configure the Dell EMC Networking N-Series switch as an OSPF border router.
To configure Border Router A:
1 Enable routing on the switch.
console#configure
console(config)#ip routing
2 Create VLANs 70, 80, and 90 and assign them to interfaces.
5 Configure the OSPF area ID, priority, and cost for each interface.
NOTE: OSPF is globally enabled by default. To make it operational on the router, you configure OSPF for particular interfaces and identify which area the interface is associated with.
console(config)#interface vlan 70
console(config-if-vlan70)#ip ospf area 0.0.0.
Configuring Stub and NSSA Areas for OSPF and OSPFv3
In this example, Area 0 connects directly to two other areas: Area 1 is defined as a stub area and Area 2 is defined as an NSSA area.
NOTE: OSPFv2 and OSPFv3 can operate concurrently on a network and on the same interfaces (although they do not interact). This example configures both protocols simultaneously.
Figure 35-36 illustrates this example OSPF configuration.
Figure 35-36.
Switch A is a backbone router. It links to an ASBR (not defined here) that routes traffic outside the AS.
To configure Switch A:
1 Globally enable IPv6 and IPv4 routing:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ip routing
2 Create VLANs 6 and 12 and assign them to interfaces.
To configure Switch B:
1 Configure IPv6 and IPv4 routing. The static routes are included for illustration only. Redistributed static routes, like routes distributed from other protocols, are not injected into stub areas such as Area 1:
console#configure
console(config)#ipv6 unicast-routing
console(config)#ipv6 route 3000:44:44::/64 3000:2:3::210:18ff:fe82:c14
console(config)#ip route 10.23.67.0 255.255.255.0 10.2.3.3
2 Create VLANs 5, 10, and 17.
console(config)#router ospf
console(config-router)#router-id 2.2.2.2
console(config-router)#area 0.0.0.1 stub
console(config-router)#area 0.0.0.1 stub no-summary
console(config-router)#area 0.0.0.2 nssa
5 For IPv4: Enable OSPF for IPv4 on VLANs 10, 5, and 17 by globally defining the range of IP addresses associated with each interface, and then associating those ranges with Areas 1, 0, and 2, respectively.
console(config-router)#network 10.1.2.0 0.0.0.255 area 0.0.0.1
console(config-router)#network 10.2.3.
Figure 35-37. OSPF Configuration—Virtual Link
Switch B is an ABR that directly connects Area 0 to Area 1. Note that in the previous example, Switch B connected to a stub area and an NSSA. Virtual links cannot be created across stub areas or NSSAs.
The following commands define a virtual link that traverses Area 1 to Switch C (5.5.5.5).
To configure Switch B:
1 Configure the virtual link to Switch C for IPv4.
console#configure
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 5.
Switch C is an ABR that enables a virtual link from the remote Area 2 in the AS to Area 0. The following commands define a virtual link that traverses Area 1 to Switch B (2.2.2.2).
To configure Switch C:
1 For IPv4, assign the router ID, create the virtual link to Switch B, and associate the VLAN routing interfaces with the appropriate areas.
console(config)#router ospf
console(config-router)#area 0.0.0.1 virtual-link 2.2.2.
Interconnecting an IPv4 Backbone and Local IPv6 Network
In Figure 35-38, two Dell EMC Networking L3 switches are connected as shown in the diagram. The VLAN 15 routing interface on both switches connects to an IPv4 backbone network where OSPF is used as the dynamic routing protocol to exchange IPv4 routes. OSPF allows device 1 and device 2 to learn routes to each other (from the 20.20.20.x network to the 10.10.10.x network and vice versa).
4 Set the OSPFv3 router ID.
console(config)#ipv6 router ospf
console(config-rtr)#router-id 1.1.1.1
console(config-rtr)#exit
5 Configure the IPv4 address and OSPF area for VLAN 15.
console(config)#interface vlan 15
console(config-if-vlan15)#ip address 20.20.20.1 255.255.255.0
console(config-if-vlan15)#ip ospf area 0.0.0.0
console(config-if-vlan15)#exit
6 Configure the IPv6 address and OSPFv3 information for VLAN 2.
To configure Switch B:
1 Create the VLANs.
console(config)#vlan 2,15
console(config-vlan70,80,90)#interface te1/0/1
console(config-if-Te1/0/1)#switchport mode trunk
console(config-if-Te1/0/1)#interface gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 2
2 Enable IPv4 and IPv6 routing on the switch.
console(config)#ip routing
console(config)#ipv6 unicast-routing
3 Set the OSPF router ID.
console(config)#router ospf
console(config-router)#router-id 2.2.2.
8 Configure the loopback interface. The switch uses the loopback IP address as the OSPF and OSPFv3 router ID.
console(config)#interface loopback 0
console(config-if-loopback0)#ip address 2.2.2.2 255.255.255.0
console(config-if-loopback0)#exit
console(config)#exit

Configuring the Static Area Range Cost
Figure 35-39 shows a topology for the configuration that follows.
Figure 35-39. Static Area Range Cost Example Topology
1 Configure R0.
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 1
area 1 range 172.21.0.0 255.255.0.0 summarylink
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 1
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit
4 R3 config:
terminal length 0
config
ip routing
router ospf
router-id 3.3.3.3
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
vlan 103
exit
interface vlan 103
ip address 172.21.1.1 255.255.255.
Discussion
With no area range cost specified, the range uses auto cost:
(ABR-R0) #show ip ospf range 1
Prefix        Subnet Mask    Type  Action     Cost  Active
172.21.0.0    255.255.0.0    S     Advertise  Auto  Y
(ABR-R0) #show ip ospf database summary
Network Summary States (Area 0.0.0.0)
LS Age: 644
LS options: (E-Bit)
LS Type: Network Summary LSA
LS Id: 172.21.0.0 (network prefix)
Advertising Router: 10.10.10.10
LS Seq Number: 0x80000002
Checksum: 0x8ee1
Length: 28
Network Mask: 255.255.0.
LS Seq Number: 0x80000003
Checksum: 0x78f8
Length: 28
Network Mask: 255.255.0.0
Metric: 0
The cost can be set to the maximum value, 16,777,215, which is LSInfinity. Since OSPF cannot send a type 3 summary LSA with this metric (according to RFC 2328), the summary LSA is flushed. The individual routes are not readvertised.

Configuring Flood Blocking
Figure 35-40 shows an example topology for flood blocking. The configuration follows.
Figure 35-40.
router-id 10.10.10.10
network 172.20.0.0 0.0.255.255 area 0
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
description "R1"
exit
interface vlan 102
ip address 172.21.2.10 255.255.255.
exit
ip routing
router ospf
router-id 1.1.1.1
network 172.21.0.0 0.0.255.255 area 0
timers spf 3 5
exit
interface vlan 101
ip address 172.21.1.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
interface vlan 104
ip address 172.21.3.2 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/22
switchport mode trunk
exit
interface loopback 0
ip address 172.21.254.2 255.255.255.255
exit
exit
4 Configure R3:
terminal length 0
config
ip routing
router ospf
router-id 3.3.3.3
network 172.21.0.0 0.0.255.
Discussion
With flood blocking disabled on all interfaces, sending a T3 summary LSA from R3 to R0 will cause R0 to forward the LSA on its interface to R1. Enabling flood blocking on R0's interface to R1 will inhibit this behavior.
(R0)(config-if-vlan101)ip ospf database-filter all out
A trace on the R3-R0 link shows that the LSA is actually flooded from R1 to R0, since R1 received the LSA via R2.
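The Hello and dead interval rules stated in this chapter (the dead interval must be the same on every router attached to a network and should be a multiple of the Hello interval) can be checked offline against saved configurations. The following Python script is an added example, not Dell EMC code; it reads the `ip ospf` interface timers used in the listings above, its sample configurations are constructed from the R0/R1 listings, and the 10/40-second defaults are an assumption.

```python
import ipaddress
from collections import defaultdict

# Assumption: an interface with no timer configured uses the common OSPF
# defaults of 10 s (hello) and 40 s (dead).
DEFAULT_HELLO, DEFAULT_DEAD = 10, 40

# Constructed sample input modelled on the R0/R1 listings above. Two faults
# are planted on R1: a dead interval that differs from R0 on VLAN 101, and a
# dead interval on VLAN 104 that is not a multiple of the hello interval.
SAMPLE_CONFIGS = {
    "R0": """
interface vlan 101
ip address 172.21.1.10 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 4
ip ospf network point-to-point
exit
interface te1/0/21
switchport mode trunk
exit
""",
    "R1": """
interface vlan 101
ip address 172.21.1.1 255.255.255.0
ip ospf hello-interval 1
ip ospf dead-interval 5
ip ospf network point-to-point
exit
interface vlan 104
ip address 172.21.3.1 255.255.255.0
ip ospf hello-interval 3
ip ospf dead-interval 10
exit
""",
}


def parse_interfaces(config):
    """Return {interface name: {"net", "hello", "dead"}} for addressed interfaces."""
    parsed, current = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "interface":
            current = {"net": None, "hello": DEFAULT_HELLO, "dead": DEFAULT_DEAD}
            parsed[" ".join(words[1:])] = current
        elif words[0] == "exit":
            current = None
        elif current is None:
            continue
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            # Accepts both "A.B.C.D 255.255.255.0" and "A.B.C.D /24".
            mask = words[3].lstrip("/")
            current["net"] = ipaddress.ip_interface(f"{words[2]}/{mask}").network
        elif words[:3] == ["ip", "ospf", "hello-interval"] and len(words) == 4:
            current["hello"] = int(words[3])
        elif words[:3] == ["ip", "ospf", "dead-interval"] and len(words) == 4:
            current["dead"] = int(words[3])
    # Interfaces without an IP address (trunk ports) take no part in the check.
    return {name: i for name, i in parsed.items() if i["net"] is not None}


def lint(configs):
    """Return sorted findings for {router name: configuration text}."""
    findings = []
    by_net = defaultdict(list)
    for router, text in configs.items():
        for ifname, info in parse_interfaces(text).items():
            by_net[info["net"]].append((router, ifname, info))
            if info["hello"] <= 0 or info["dead"] % info["hello"] != 0:
                findings.append(
                    f"{router} {ifname}: dead-interval {info['dead']} is not a "
                    f"multiple of hello-interval {info['hello']}")
    # Routers that share a subnet must agree on both timers.
    for net, members in by_net.items():
        for key in ("hello", "dead"):
            if len({info[key] for _, _, info in members}) > 1:
                detail = ", ".join(f"{r} {i}={info[key]}" for r, i, info in members)
                findings.append(f"{net}: {key}-interval mismatch ({detail})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIGS):
        print(finding)
```
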
Configuring OSPF VRFs
Dell EMC Networking VRF is an implementation of Virtual Routing and Forwarding (VRF) for OSPF for IPv4 networks. Virtual Routing and Forwarding allows multiple independent instances for the forwarding plane to exist simultaneously. Refer to "VRF" on page 1335 for more information.
VRF configuration follows the same steps as configuration for the default routing instance with two additional steps: creating the VRF instance and associating VLANs to the instance.
console(config-if-vlan100)#ip address 192.168.0.1 /24
Put the VLAN interface into the VRF:
console(config-if-vlan100)#ip vrf forwarding red
console(config-if-vlan100)#exit
Routing interface moved from Default router instance to red router instance.
Enable OSPF on the VRF, assign a network and enable OSPF for the VRF:
console(config)#router ospf vrf red
console(Config-router-vrf-red)#network 192.168.0.0 0.0.0.255 area 0
console(Config-router-vrf-red)#router-id 192.168.0.
Number of Active Areas......................... stub, 0 nssa)
ABR Status.....................................
ASBR Status....................................
Stub Router Status.............................
External LSDB Overflow.........................
External LSA Count.............................
External LSA Checksum..........................
AS_OPAQUE LSA Count............................
AS_OPAQUE LSA Checksum.........................
New LSAs Originated............................
LSAs Received.....
36 VRF
Dell EMC Networking N3000, N3100-ON, and N4000 Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, or N2100-ON Series switches.
Virtual Routing and Forwarding (VRF) allows multiple independent instances of the forwarding plane to exist simultaneously. (The terms VRF, VRF instance, and virtual forwarding instance all refer to the same thing.) VRF allows the administrator to segment the network without incurring the costs of multiple routers.
• DHCP relay (IP helper)
• ICMP echo reply configuration
• ICMP error interval configuration

VRF Resource Sharing
Hardware resources such as routes and ARP entries are shared between VRFs. If a VRF allocates the maximum routes supported by the system, no VRF will be able to add a new route.

VRF ARP Entries
There is no support to reserve ARP entries per VRF instance as the system purges the least recently used ARP entry automatically.
enabled for VRF accept an additional VRF instance identifier (name). VRF names can be up to 32 characters in length. If a VRF instance identifier is not used in the command, it applies to the global routing instance by default. Follow the steps below to create a VRF and enable OSPF routing in the VRF: First, create the VLAN instances associated to the VRF.
Use the show ip ospf vrf command to view the configuration of the VRF:
console(config)#show ip ospf vrf red
Router ID......................................
OSPF Admin Mode................................
RFC 1583 Compatibility.........................
External LSDB Limit............................
Exit Overflow Interval.........................
Spf Delay Time.................................
Spf Hold Time..................................
Flood Pacing Interval..........................
Retransmit Entries High Water Mark............. 0
NSF Support....................................
NSF Restart Interval...........................
NSF Restart Status.............................
NSF Restart Age................................
NSF Restart Exit Reason........................
NSF Helper Support.............................
NSF Helper Strict LSA Checking.................
37 RIP
Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Switches
NOTE: Dell EMC Networking N1100-ON/N1500 Series switches do not support RIP.
This chapter describes how to configure Routing Information Protocol (RIP) on the switch. RIP is a dynamic routing protocol for IPv4 networks.
RIP uses hop count, which is the number of routers an IP packet must pass through, to calculate the best route for a packet. A route with a low hop count is preferred over a route with a higher hop count. A directly-connected route has a hop-count of 0. With RIP, the maximum number of hops from source to destination is 15. Packets with a hop count greater than 15 are dropped because the destination network is considered unreachable.
Default RIP Values
RIP is globally enabled by default. To make it operational on the router, you configure and enable RIP for particular VLAN routing interfaces. Table 37-1 shows the global default values for RIP.

Table 37-1. RIP Global Defaults
Parameter                        Default Value
Admin Mode                       Enabled
Split Horizon Mode               Simple
Auto Summary Mode                Disabled
Host Routes Accept Mode          Enabled
Default Information Originate    Disabled
Default Metric                   None configured
Route Redistribution             Disabled for all sources.
Configuring RIP Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring RIP features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

RIP Configuration
Use the Configuration page to enable and configure or disable RIP in Global mode.
RIP Interface Configuration
Use the Interface Configuration page to enable and configure or to disable RIP on a specific interface.
To display the page, click Routing → RIP → Interface Configuration in the navigation panel.
Figure 37-2.
RIP Interface Summary
Use the Interface Summary page to display RIP configuration status on an interface.
To display the page, click Routing → RIP → Interface Summary in the navigation panel.
Figure 37-3.
RIP Route Redistribution Configuration
Use the Route Redistribution Configuration page to configure the RIP Route Redistribution parameters. The allowable values for each field are displayed next to the field. If any invalid values are entered, an alert message is displayed with the list of all the valid values.
To display the page, click Routing → RIP → Route Redistribution Configuration in the navigation panel.
Figure 37-4.
RIP Route Redistribution Summary
Use the Route Redistribution Summary page to display Route Redistribution configurations.
To display the page, click Routing → RIP → Route Redistribution Summary in the navigation panel.
Figure 37-5.
Configuring RIP Features (CLI)
This section provides information about the commands used for configuring RIP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global RIP Settings
Use the following commands to configure various global RIP settings for the switch.
NOTE: RIP is enabled by default. The Global RIP Settings are optional.
Command: show ip rip
Purpose: View various RIP settings for the switch.

Configuring RIP Interface Settings
Use the following commands to configure per-interface RIP settings.

Command: configure
Purpose: Enter global configuration mode.

Command: interface vlan vlan-id
Purpose: Enter Interface Configuration mode for the specified VLAN.

Command: ip rip
Purpose: Enable RIP on the interface.

Command: ip rip send version {rip1 | rip1c | rip2 | none}
Purpose: Configure the interface to allow RIP control packets of the specified version(s) to be sent.
Configuring Route Redistribution Settings
Use the following commands to configure an OSPF area range and to configure route redistribution settings.

Command: configure
Purpose: Enter global configuration mode.

Command: router rip
Purpose: Enter RIP configuration mode.

Command: distribute-list accesslistname out {bgp | ospf | static | connected}
Purpose: Specify the access list to filter routes received from the source protocol. The ACL must already exist on the switch.
Command: redistribute ospf [metric metric] [match [internal] [external 1] [external 2] [nssa-external 1] [nssa-external 2]]
Purpose: Configure RIP to redistribute routes from OSPF.
• ospf — Specifies OSPF as the source protocol.
• metric — Specifies the metric to use when redistributing the route. Range: 1-15.
• internal — Adds internal matches to any match types presently being redistributed.
RIP Configuration Example
This example includes four Dell EMC Networking N-Series switches that use RIP to determine network topology and route information. The commands in this example configure Switch A shown in Figure 37-6.
Figure 37-6. RIP Network Diagram
To configure the switch:
1 Enable routing on the switch
console#config
console(config)#ip routing
2 Create VLANs 10, 20, and 30.
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#ip rip
console(config-if-vlan10)#ip rip receive version both
console(config-if-vlan10)#ip rip send version rip2
console(config-if-vlan10)#exit
console(config)#interface vlan 20
console(config-if-vlan20)#ip address 192.168.20.1 255.255.255.
console#show ip rip interface brief
Interface   IP Address
---------   -----------
Vl1         0.0.0.0
Vl10        192.168.10.1
Vl20        192.168.10.1
Vl30        192.168.10.
38 VRRP
Dell EMC Networking N-Series Switches
This chapter describes how to configure Virtual Routing Redundancy Protocol (VRRP) on the switch. VRRP can help create redundancy on networks in which end-stations are statically configured with the default gateway IP address.
With VRRP, a virtual router is associated with one or more IP addresses that serve as default gateways. In the event that the VRRP router controlling these IP addresses (formally known as the master) fails, the group of IP addresses and the default forwarding role is taken over by a Backup VRRP router.

What Is the VRRP Router Priority?
The VRRP router priority is a value from 1–255 that determines which router is the master. The greater the number, the higher the priority.
What Is VRRP Accept Mode?
The accept mode allows the switch to respond to pings (ICMP Echo Requests) sent to the VRRP virtual IP address. The VRRP specification (RFC 3768) indicates that a router may accept IP packets sent to the virtual router IP address only if the router is the address owner. In practice, this restriction makes it more difficult to troubleshoot network connectivity problems.
With standard VRRP, the backup router takes over only if the router goes down. With VRRP interface tracking, if a tracked interface goes down on the VRRP master, the priority decrement value is subtracted from the router priority. If the master router priority becomes less than the priority on the backup router, the backup router takes over. If the tracked interface becomes up, the value of the priority decrement is added to the current router priority.
Default VRRP Values
Table 38-1 shows the global default values for VRRP.
Table 38-1.
Configuring VRRP Features (Web)
This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring VRRP features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

VRRP Configuration
Use the Configuration page to enable or disable the administrative status of a virtual router.
VRRP Virtual Router Status
Use the Router Status page to display virtual router status.
To display the page, click Routing → VRRP → Router Status in the navigation panel.
Figure 38-2.
VRRP Virtual Router Statistics
Use the Router Statistics page to display statistics for a specified virtual router.
To display the page, click Routing → VRRP → Router Statistics in the navigation panel.
Figure 38-3.
VRRP Router Configuration
Use the Configuration page to configure a virtual router.
To display the page, click Routing → VRRP → Router Configuration → Configuration in the navigation panel.
Figure 38-4.
VRRP Route Tracking Configuration
Use the Route Tracking Configuration page to view routes that are tracked by VRRP and to add new tracked routes.
To display the page, click Routing → VRRP → Router Configuration → Route Tracking Configuration in the navigation panel.
Figure 38-5. VRRP Route Tracking Configuration

Configuring VRRP Route Tracking
To configure VRRP route tracking:
1 From the Route Tracking Configuration page, click Add. The Add Route Tracking page displays.
Figure 38-6.
2 Select the virtual router ID and VLAN routing interface that will track the route.
3 Specify the destination network address (track route prefix) for the route to track. Use dotted decimal format, for example 192.168.10.0.
4 Specify the prefix length for the tracked route.
5 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked route becomes unreachable.
6 Click Apply to update the switch.
VRRP Interface Tracking Configuration
Use the Interface Tracking Configuration page to view interfaces that are tracked by VRRP and to add new tracked interfaces.
To display the page, click Routing → VRRP → Router Configuration → Interface Tracking Configuration in the navigation panel.
Figure 38-7. VRRP Interface Tracking Configuration

Configuring VRRP Interface Tracking
To configure VRRP interface tracking:
1 From the Interface Tracking Configuration page, click Add.
Figure 38-8. VRRP Interface Tracking Configuration
2 Select the virtual router ID and VLAN routing interface that will track the interface.
3 Specify the interface to track.
4 Specify a value for the Priority Decrement to define the amount that the router priority will be decreased when a tracked interface goes down.
5 Click Apply to update the switch.
Configuring VRRP Features (CLI)
This section provides information about the commands used for configuring VRRP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring VRRP Settings
Use the following commands to configure switch and interface VRRP settings.
Command: vrrp vr-id timers {learn | advertise seconds}
Purpose: Configure the VRRP timer settings. Use the keyword learn to enable VRRP to learn the advertisement timer interval of the master router. Use the keyword advertise to set the frequency, in seconds, that an interface on the specified virtual router sends a virtual router advertisement.

Command: vrrp vr-id authentication {none | simple key}
Purpose: Set the authorization details value for the virtual router configured on a specified interface.
VRRP Configuration Example
This section contains the following VRRP examples:
• VRRP with Load Sharing
• Troubleshooting VRRP
• VRRP with Route and Interface Tracking
• Configuring VRRP in a VRF

VRRP with Load Sharing
In Figure 38-9, two L3 Dell EMC Networking N-Series switches are performing the routing for network clients. Router A is the default gateway for some clients, and Router B is the default gateway for other clients.
Figure 38-9.
This example configures two VRRP groups on each router. Router A is the VRRP master for the VRRP group with VRID 10 and the backup for VRID 20. Router B is the VRRP master for VRID 20 and the backup for VRID 10. If Router A fails, Router B will become the master of VRID 10 and will use the virtual IP address 192.168.10.1. Traffic from the clients configured to use Router A as the default gateway will be handled by Router B.
To configure Router A:
1 Enable routing for the switch.
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup
10 Enable the VRRP groups on the interface.
console(config-if-vlan10)#vrrp 10 mode
console(config-if-vlan10)#vrrp 20 mode
console(config-if-vlan10)#exit
console(config)#exit
The only difference between the Router A and Router B configurations is the IP address assigned to VLAN 10. On Router B, the IP address of VLAN 10 is 192.168.10.2.
8 Specify the IP address that the virtual router function will use. The router is the virtual IP address owner of this address, so the priority value is 255 by default.
console(config-if-vlan10)#vrrp 20 ip 192.168.10.1
9 Configure an optional description to help identify the VRRP group.
console(config-if-vlan10)#vrrp 20 description backup
10 Enable the VRRP groups on the interface.
VRRP with Route and Interface Tracking
In Figure 38-10, the VRRP priorities are configured so that Router A is the VRRP master, and Router B is the VRRP backup. Router A forwards IP traffic from clients to the external network through the VLAN 25 routing interface. The clients are configured to use the virtual IP address 192.168.10.15 as the default gateway.
Figure 38-10.
To configure Router A:
1 Enable routing for the switch.
console#config
console(config)#ip routing
2 Create and configure the VLAN routing interface to use as the default gateway for network clients. This example assumes all other routing interfaces, such as the interface to the external network, have been configured.
console(config)#interface vlan 10
console(config-if-vlan10)#ip address 192.168.10.1 255.255.255.0
console(config-if-vlan10)#exit
3 Enable VRRP for the switch.
10 Track the route to the 192.168.200.0 network. If it becomes unavailable, the priority of VRID 10 on Router A is decreased by 10, which is the default decrement priority value.
console(config-if-vlan10)#vrrp 10 track ip route 192.168.200.0/24
console(config-if-vlan10)#exit
Router B is the backup router for VRID 10. The configured priority is 195.
7 Enable preempt mode so that the router can regain its position as VRRP master if its priority is greater than the priority of the backup router.
console(config-if-vlan10)#vrrp 10 preempt
8 Enable the VRRP groups on the interface.
console(config-if-vlan10)#vrrp 10 mode
console(config-if-vlan10)#exit
console(config)#exit

Configuring VRRP in a VRF
In this example, a VRRP master is configured in VRF red-1. Interface gi1/0/1 on each of the VRRP peers is connected to the other switch.
10 Set the VRRP priority and accept pings:
console(config-if-vlan10)#vrrp 1 priority 1
console(config-if-vlan10)#vrrp 1 accept-mode
console(config-if-vlan10)#exit
11 Configure the physical interface as a VLAN 10 member:
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 10
console(config-if-Gi1/0/1)#exit
The following steps configure the companion VRRP peer:
1 Create a VLAN:
console#configure
console(config)#vlan 10
console(config-vlan)#exit
2 Create a VRF and ena
console(config-if-vlan10)#vrrp 1 priority 2
console(config-if-vlan10)#vrrp 1 accept-mode
console(config-if-vlan10)#exit
11 Configure the physical interface as a VLAN 10 member:
console(config)#interface Gi1/0/1
console(config-if-Gi1/0/1)#switchport access vlan 10
console(config-if-Gi1/0/1)#exit
For VRRP to become active, other interfaces need to be enabled for VLAN 10 such that the VRRP peers are able to establish connectivity to each other over those interfaces as well as over Gi1/0/1.
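The priority arithmetic behind the route and interface tracking example earlier in this chapter can be replayed offline to confirm that a configured decrement really moves mastership. The following Python model is an added example, not Dell EMC code: Router B's priority of 195 and the decrement of 10 come from that example, while Router A's priority of 200, the tracked VLAN 25 interface with a decrement of 10, the floor of 1, and preempt being enabled on both routers are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    priority: int                                   # configured VRRP priority
    preempt: bool = True
    tracked: dict = field(default_factory=dict)     # tracked object -> decrement
    down: set = field(default_factory=set)          # tracked objects now down

    def effective_priority(self):
        lost = sum(dec for obj, dec in self.tracked.items() if obj in self.down)
        # Assumption: the priority is never decremented below 1.
        return max(1, self.priority - lost)


def elect(routers, current_master=None):
    """Return the master's name. A tie on priority keeps the current master
    (the address tie-break is not modelled)."""
    if current_master is None:
        return max(routers, key=VrrpRouter.effective_priority).name
    holder = next(r for r in routers if r.name == current_master)
    # Only a preempting router with a strictly higher priority takes over.
    rivals = [r for r in routers
              if r is not holder and r.preempt
              and r.effective_priority() > holder.effective_priority()]
    if rivals:
        return max(rivals, key=VrrpRouter.effective_priority).name
    return holder.name


def simulate(routers, events):
    """Apply (router, tracked object, "up"/"down") events in order and return
    [(label, {router: effective priority}, master)] after each one."""
    by_name = {r.name: r for r in routers}
    master = elect(routers)
    timeline = [("start", {r.name: r.effective_priority() for r in routers}, master)]
    for name, obj, state in events:
        router = by_name[name]
        if obj not in router.tracked:
            raise KeyError(f"{name} does not track {obj}")
        if state == "down":
            router.down.add(obj)
        else:
            router.down.discard(obj)
        master = elect(routers, master)
        timeline.append((f"{name}: {obj} {state}",
                         {r.name: r.effective_priority() for r in routers}, master))
    return timeline


def ineffective_tracks(master, backup):
    """Tracked objects whose loss alone would NOT hand mastership to the backup.
    The backup takes over only when the master's priority falls below its own."""
    return sorted(obj for obj, dec in master.tracked.items()
                  if master.priority - dec >= backup.priority)


def build_example():
    """Constructed routers. 195 and the decrement of 10 are the values used in
    the tracking example; Router A's 200 and the VLAN 25 track are assumptions."""
    a = VrrpRouter("A", 200, tracked={"route 192.168.200.0/24": 10,
                                      "interface vlan 25": 10})
    b = VrrpRouter("B", 195)
    return a, b


EVENTS = (
    ("A", "route 192.168.200.0/24", "down"),
    ("A", "route 192.168.200.0/24", "up"),
    ("A", "interface vlan 25", "down"),
)

if __name__ == "__main__":
    a, b = build_example()
    for label, priorities, master in simulate([a, b], EVENTS):
        print(f"{label:38} {priorities} master={master}")
    print("ineffective tracks:", ineffective_tracks(a, b))
```

A non-empty result from `ineffective_tracks` means the gap between the two configured priorities is wider than the decrement, so losing that tracked object alone leaves the degraded router as master.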
39 BGP
Dell EMC Networking N3000, N3100-ON, and N4000 Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches. BGP is enabled on Dell EMC Networking N3000 Series switches through use of the AGGREGATION ROUTER firmware.
Border Gateway Protocol (BGP) is a standardized exterior gateway path-vector or distance-vector protocol. BGP makes routing decisions based upon paths and network policies configured by the administrator.
Table 39-1. BGP-Related Terms
Term    Definition
RIB     Routing Information Base
RTO     Routing Table Object. The common routing table, or "RIB," which collects routes from all sources (local, static, dynamic) and determines the most preferred route to each destination.
TCP     Transmission Control Protocol

Overview
BGP operates by establishing adjacencies (connections) with other BGP peers (routers). BGP peers are configured manually.
Dell EMC Networking BGP supports the following RFCs in whole or in part as indicated:
• RFC 1997 – BGP Communities Attribute
• RFC 2385 – Protection of BGP Sessions via the TCP MD5 Signature Option
• RFC 2545 – Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
• RFC 2918 – Route Refresh Capability for BGP-4
• RFC 4271 – A Border Gateway Protocol 4 (BGP-4)
• RFC 4273 – Definitions of Managed Objects for BGP-4
• RFC 4456 – BGP Route Reflection: An Alternative to Full Mesh Interna
Autonomous Systems
Dell EMC Networking BGP supports both exterior routing (eBGP) between autonomous systems (inter-AS) and interior routing within an AS (iBGP). Dell EMC Networking BGP is suitable for use in enterprise and data center deployments. Dell EMC Networking switches do not have sufficient capacity to hold a full Internet routing table. Dell EMC Networking supports BGP version 4 with 2-byte Autonomous System Numbers (ASN).
Figure 39-1. BGP Decision Process

BGP Route Selection
Dell EMC Networking BGP uses the following route selection rules in order from 1 to N:
1 Prefer the route with the higher local preference
2 Prefer a locally-originated route over a non-locally originated route
3 Prefer the route with the shorter AS Path
4 Prefer the route with the lower ORIGIN. IGP is better than EGP is better than INCOMPLETE.
5 Prefer the route with the lower MED.
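The first five selection rules listed above, applied in order to a set of candidate paths and reporting which rule removed which candidate. This Python example is added here and is not Dell EMC code; the Path field names, the default local preference of 100, the unconditional MED comparison, and the sample peers and AS numbers are assumptions, and rules after the fifth are not modelled.

```python
from dataclasses import dataclass

# ORIGIN ranking from rule 4: IGP is better than EGP is better than INCOMPLETE.
ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}


@dataclass(frozen=True)
class Path:
    """One candidate route to a prefix (field names are illustrative)."""
    peer: str
    as_path: tuple = ()
    local_pref: int = 100          # assumption: default local preference of 100
    locally_originated: bool = False
    origin: str = "IGP"
    med: int = 0


# Rules 1-5 in the order listed above. Each key function returns a value
# where lower is better, so "higher local preference" is negated.
RULES = (
    ("1 higher local preference", lambda p: -p.local_pref),
    ("2 locally originated", lambda p: 0 if p.locally_originated else 1),
    ("3 shorter AS path", lambda p: len(p.as_path)),
    ("4 lower ORIGIN", lambda p: ORIGIN_RANK[p.origin]),
    # Assumption: MED is compared across all candidates, whatever the neighbor AS.
    ("5 lower MED", lambda p: p.med),
)


def select_best(paths):
    """Apply rules 1-5 in order.

    Returns (survivors, trace). survivors holds the paths still tied after
    rule 5 (a single path when some rule decided). trace lists, for every
    rule that eliminated something, the rule name and the peers it removed.
    """
    survivors = list(paths)
    if not survivors:
        raise ValueError("no candidate paths")
    trace = []
    for name, key in RULES:
        if len(survivors) == 1:
            break
        best = min(key(p) for p in survivors)
        removed = [p.peer for p in survivors if key(p) != best]
        if removed:
            trace.append((name, removed))
        survivors = [p for p in survivors if key(p) == best]
    return survivors, trace


# Constructed candidates for one prefix; AS numbers are from the private range.
CANDIDATES = (
    Path("peer-a", as_path=(65001, 65010), med=50),
    Path("peer-b", as_path=(65002, 65020, 65010)),
    Path("peer-c", as_path=(65003, 65010), origin="INCOMPLETE"),
)

if __name__ == "__main__":
    winners, steps = select_best(CANDIDATES)
    for rule, removed in steps:
        print(f"rule {rule}: removed {', '.join(removed)}")
    print("best:", [p.peer for p in winners])
```

Because local preference is evaluated first, a path that loses on AS path length in the constructed set wins outright once policy gives it a higher local preference.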
Limiting Phase 2 CPU Usage
In a network with a large number of prefixes, phase 2 of the decision process can consume a significant amount of time. If the BGP hold timers are configured to be shorter than the duration of the decision process, the timers can expire causing a loss of adjacency. If the decision process runs frequently, it may consume significant CPU resources, starving other processes. Two mechanisms mitigate these potential issues. First, a hold timer prevents phase 2 from running too often.
Networking BGP retains the NEXT_HOP address if it is an address on the subnet used to connect the peers but is not the peer's IP address. Otherwise, Dell EMC Networking BGP sets the NEXT_HOP path attribute to the local IP address on the interface to the peer. Dell EMC Networking BGP does not support “first party” next hop. Dell EMC Networking does not allow the network operator to disable third party next hop. Dell EMC Networking does not support multihop EBGP. (RFC 4271 section 5.1.
BGP Finite State Machine (FSM)
Dell EMC Networking BGP supports all mandatory FSM session attributes and the following optional session attributes (RFC 4271 section 8):
• AllowAutomaticStart — Connections are automatically restarted after an error closes a connection. An adjacency to an external peer in the IDLE state is automatically started if the routing interface to that peer comes up.
Dell EMC Networking BGP supports manual start and stop events. A manual start event occurs when the user first configures a peer (neighbor remote-as) or administratively enables a peer (no neighbor shutdown). A manual stop event occurs when the user administratively disables a neighbor (neighbor shutdown). Of the optional events in RFC 4271 section 8.1.2 - 8.1.
Detecting Loss of Adjacency
Dell EMC Networking optionally drops an adjacency with an external peer when the routing interface to that peer goes down. This behavior can be enabled globally or on specific interfaces using the bgp fast-external-fallover and ip bgp fast-external-fallover commands. BGP accomplishes this behavior by listening to router events.
the adjacency to the unreachable neighbor is no longer ESTABLISHED, and if an UPDATE is sent to the neighbor's update group, BGP does not try to send to the failed neighbor. When the failed adjacency is reestablished, BGP resends all routing information to the neighbor. Both internal and external fallover should happen within a second of the loss of reachability. Enabling fast fallover should relax the need to set a short hold time and send KEEPALIVE messages rapidly.
peer session (if the network administrator activates IPv6 on the peer session) and in an IPv6 update group for an IPv6 peer session. Such a configuration is probably a misconfiguration. BGP will send IPv6 NLRI to the neighbor twice. BGP assigns peers to update groups automatically. The Dell EMC Networking UI has no configuration associated with update groups and the UI does report update group membership. Removing Private AS Numbers An organization may use private AS numbers internally.
Session parameters that may be configured in a template are as follows:
Table 39-2. Configurable Session Parameters in BGP Peer Templates
Parameter               Description
allowas-in              Configure to accept routes with my ASN in the as-path.
connect-retry-interval  Configure the connection retry interval for the peer.
description             Configure a description for the peer.
ebgp-multihop           Configure to allow non-directly-connected eBGP neighbors.
fall-over               Configure fast fall-over.
local-as                Configure local-as.
Table 39-3. Session Parameters in BGP Peer Templates—Configurable Per-Address Family
Parameter               Description
remove-private-as       Remove private ASNs from AS_PATH when sending to inheriting peers.
route-map               Configure a route map for the peer.
route-reflector-client  Configure a peer as a route reflector client.
send-community          Configure this peer to send BGP communities.
Resolving Interface Routes
In Dell EMC Networking, the next hop of a route is always a set of next-hop IP addresses.
routes. Delay and hold timers limit how often phase 2 of the decision process runs. This phase 2 dampening limits route origination, as does IP event dampening when interface flaps would otherwise cause rapid origination. BGP originates a default route to all neighbors if the default-information originate command is given and the default route is among the routes BGP redistributes.
• origin
• MED
• IGP distance to the BGP next hop
Dell EMC Networking BGP does not require ECMP next hops to be in a common AS. This behavior is enabled by default. To disable this behavior, use the no bgp always-compare-med command. When advertising to neighbors, BGP always advertises the single best path to each destination prefix, even if BGP has an ECMP route to a destination.
NOTE: The maximum ECMP width is limited by the chosen SDM template.
A BGP NEXT_HOP can resolve to an ECMP IGP route. When BGP is configured to allow ECMP iBGP routes, the BGP NEXT_HOP resolves to multiple next hops. BGP retains up to the number of resolved next hops allowed for an iBGP route. For example, in Figure 39-2, R4 receives an iBGP route from internal peer R1. The BGP NEXT_HOP of this path resolves to an ECMP OSPF route through R2 and R3.
Figure 39-3. Combining iBGP Routes
Address Aggregation
Dell EMC Networking BGP supports address aggregation. The network administrator can configure up to 128 aggregate addresses. BGP compares active prefixes in the local RIB to the set of aggregate addresses. To be considered a match for an aggregate address, a prefix must be more specific (i.e., have a longer prefix length) than the aggregate address.
adds a discard route to RTO with prefix and network mask equal to those defined for the aggregate address. Aggregate addresses apply to both locally-originated routes and routes learned from peers. Address aggregation is done prior to application of outbound policy. Thus, an active aggregate may be advertised to a neighbor, even if the outbound policy to the neighbor filters all of the aggregate's more specific routes (but permits the aggregate itself).
• If the individual routes have communities and the aggregate does not have the ATOMIC_AGGREGATE attribute set, the aggregate is advertised with the union of the communities from the individual routes. If the aggregate carries the ATOMIC_AGGREGATE attribute, the aggregate is advertised with no communities. Dell EMC Networking BGP never aggregates paths with unknown attributes.
Inbound Policy
An inbound policy is a policy applied to UPDATE messages received from peers.
When processing list terms, a match for any term indicates a match and processing stops.
Routing Policy Changes
When the user makes a routing policy configuration change, Dell EMC Networking BGP automatically applies the new policy. Like any other configuration change, routing policy changes are immediately saved in the running configuration, as soon as the user enters the command.
At startup, when the saved configuration is applied, there could potentially be a lot of churn to outbound update groups and filtering of routing information. This startup churn is avoided by keeping BGP globally disabled until after the entire configuration is applied and the status of all routing interfaces is known.
BGP Timers
Dell EMC Networking BGP supports the five mandatory timers described in RFC 4271 section 10.
Communities
Dell EMC Networking BGP supports BGP standard communities as defined in RFC 1997. Dell EMC Networking supports community lists for matching routes based on community, and supports matching and setting communities in route maps. Dell EMC Networking BGP recognizes and honors the following well-known communities (RFC 1997):
• NO_EXPORT — A route carrying this community is not advertised to external peers.
• NO_ADVERTISE — A route carrying this community is not advertised to any peer.
in this state, BGP periodically checks if there is space available in the BGP routing table, and if so, runs phase 2. When space becomes available in the BGP routing table, these routes are added.
RTO Full Condition
If BGP computes a new route but the routing table does not accept the route because it is full, BGP flags the route as one not added to RTO. BGP periodically tries to add these routes to RTO. BGP will continue to advertise the best routes to neighbors, even if they are not added to RTO.
For this reason, if a route reflector client has an outbound neighbor route map configured, the set statements in the route map are ignored.
VRF Support
Dell EMC Networking switches that support BGP and VRFs also support BGP in conjunction with OSPF or statically routed VRFs. When configured in a VRF, the single instance of BGP runs independent sessions to neighbors in the VRF and forwards independently.
Extended Community Attribute Structure
Each Extended Community attribute has a community type code of 16 and is encoded into an 8-octet value. The first 2 octets are the attribute type and the remaining 6 octets contain the value of attribute. The values from 0 through 0x7FFF are assigned by IANA and values from 0x8000 through 0xFFFF are vendor-specific.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Global Administrator (cont.)  |      Local Administrator      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The value of the high-order octet of this extended type is either 0x01 or 0x41. The low-order octet of this extended type is used to indicate sub-types.
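The following Python decoder is an added example, not part of the Dell EMC guide: it parses the 8-octet extended community layout described above and rejects values of the wrong length. The two-octet-AS format (high-order octet 0x00 or 0x40), the sub-type codes 0x02 and 0x03, and the meaning of bit 0x40 are taken from RFC 4360 rather than from this page, and the sample bytes are constructed.

```python
import ipaddress
import struct

# Sub-type codes defined in RFC 4360; the page itself does not list them.
SUBTYPES = {0x02: "route-target", 0x03: "route-origin"}


def parse_extended_community(raw: bytes) -> dict:
    """Decode one 8-octet extended community into its fields."""
    if len(raw) != 8:
        raise ValueError(f"expected 8 octets, got {len(raw)}")
    high, low = raw[0], raw[1]
    result = {
        "type": (high << 8) | low,
        # The page states that 2-octet types 0x8000-0xFFFF are vendor-specific.
        "vendor_specific": bool(high & 0x80),
        # RFC 4360: bit 0x40 of the high-order octet marks non-transitive.
        "transitive": not (high & 0x40),
        "subtype": SUBTYPES.get(low, f"unknown(0x{low:02x})"),
    }
    kind = high & 0x3F
    if result["vendor_specific"]:
        # No standard meaning for the low octet; keep the value opaque.
        result["subtype"] = None
        result["value"] = raw[2:].hex()
    elif kind == 0x00:
        # Two-octet AS specific: 2-octet ASN, 4-octet local administrator.
        asn, local = struct.unpack("!HI", raw[2:])
        result["value"] = f"{asn}:{local}"
    elif kind == 0x01:
        # IPv4 address specific (0x01 / 0x41): 4-octet global administrator,
        # 2-octet local administrator, as in the diagram above.
        addr, local = struct.unpack("!4sH", raw[2:])
        result["value"] = f"{ipaddress.IPv4Address(addr)}:{local}"
    else:
        result["value"] = raw[2:].hex()
    return result


def parse_attribute(value: bytes) -> list:
    """Split the value of a type-16 attribute into decoded communities."""
    if len(value) == 0 or len(value) % 8:
        raise ValueError("attribute length must be a non-zero multiple of 8")
    return [parse_extended_community(value[i:i + 8])
            for i in range(0, len(value), 8)]


# Constructed sample: RT 65000:99, RT 2020:1, non-transitive SoO 192.0.2.1:7.
SAMPLE = bytes.fromhex(
    "0002fde800000063" "000207e400000001" "4103c00002010007"
)

if __name__ == "__main__":
    for community in parse_attribute(SAMPLE):
        print(community)
```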
Route Origin Community Attribute
The Route Origin Community attribute identifies one or more routers that advertise routes via BGP. The attribute is transitive across Autonomous System boundaries. The Route Origin Community attribute is used to prevent routing loops when BGP speakers are multi-homed to another site and that site uses the AS-Override feature.
If two VRFs use the same IPv4 address prefix, the router translates these into unique VPN-IPv4 address prefixes by prepending the RD (configured per VRF) to the address. The purpose of the RD is to allow the router to install unique routes with an identical IPv4 address prefix. The structuring of the RD provides no semantics. When BGP compares two such addresses, it ignores the RD structure completely and compares it as a 12-byte entity. It is recommended that each VPN within a site utilize a unique RD.
A VRF may be configured to associate all the routes that belong to the VRF with a particular Route Target attribute. Dell EMC Networking allows a finer selection of routes with the use of Export and Import maps. Export and Import maps provide greater flexibility to the administrator, who can associate some routes of a VRF with a particular Route Target attribute and some other routes with a different Route Target attribute.
In order for two BGP speakers to exchange labeled VPN-IPv4 NLRI, they must use the BGP Capabilities Advertisement (in the OPEN message) to ensure that they both are capable of properly processing VPN-IPv4 NLRI. This is done by using capability code 1 (multiprotocol BGP), with an AFI of 1 and an SAFI of 128. The VPNv4 NLRI is encoded as specified in the above sections, where the prefix consists of an 8-byte RD followed by an IPv4 prefix.
IPv6 prefixes can be originated through route redistribution or a network command. Both can be configured with a route map to set path attributes. BGP can also originate an IPv6 default route. Default-origination can be neighbor-specific. IPv6 routes can be filtered using prefix lists, route maps with community lists, and using AS path access lists. BGP can compute IPv6 routes with up to 16 ECMP next hops.
the NEXT_HOP to one of its own global addresses before forwarding routes from an external peer with a link local address (or the implementation must do this automatically). A primary consideration in using link-local addresses is the user interface. With IPv4 addresses and global IPv6 addresses, the user interface simply identifies the neighbor by IP address: router bgp 1 neighbor neighbor neighbor neighbor 10.1.1.1 remote-as 100 10.1.1.
configuration of the specific neighbors is time-consuming and error-prone, and where security concerns are lessened due to the closed nature of the network. Configuration includes the address range on which to listen and, optionally, a peer template from which the neighbor's properties may be inherited. Because Dell EMC Networking routing is configured on routed VLANs, it is required that dynamic neighbor peering never be configured on a multiaccess VLAN.
R3(config)#router bgp 5500
R3(config-router)#bgp log-neighbor-changes
7 The router ID is required.
R3(config-router)#bgp router-id 11.11.11.11
8 Set the listen range to the local routed interface subnet and use template T1.
R3(config-router)#bgp listen range 192.168.100.0/24 inherit peer T1
9 Configure template T1 to indicate an IGP peer.
Network Address of Next Hop
When advertising IPv6 routes, the Network Address of Next Hop field in MP_REACH_NLRI is set according to RFC 2545. Under conditions specified in this RFC, both a global and a link local next-hop address may be included. The primary purpose of the global address is an address that can be readvertised to internal peers. The primary purpose of the link local address is for use as the next hop of routes.
Alternatively, the network administrator can configure inbound policy on the receiver to set IPv6 next hops.
BGP Limitations
Dell EMC Networking BGP does not support configuration via the Web interface. Dell EMC Networking supports the following RFCs with the exceptions listed in Table 39-4:
Table 39-4. BGP Limitations
Description Source Compliance
A BGP speaker MUST be able to support the disabling advertisement of third party NEXT_HOP attributes in order to handle imperfectly bridged media.
Table 39-4. BGP Limitations (Continued)
Description Source Compliance
Description: Dell EMC Networking BGP can only be configured through the CLI. SNMP support is limited to the standard MIB, which primarily provides status reporting, and a proprietary MIB which provides additional status variables. Configuration through SNMP is not supported.
Source: Dell EMC Networking requirement
BGP Configuration Examples
This section includes the following configuration examples:
• Enabling BGP
• BGP Example
• Network Example
• BGP Redistribution of OSPF Example
• Configuring the Multi-Exit Discriminator in BGP Advertised Routes
• Configuring Communities in BGP
• Configuring a Route Reflector
• Campus Network MP-BGP and OSPF Configuration
• Configuring MP-eBGP and Extended Communities
Enabling BGP
The following are rules to remember when enabling BGP:
• IP routing must be enable
BGP Example
This example configures iBGP between two routers using the same AS and each using their own loopback address as update-source.
Router A Configuration
On a router, a loopback interface is created and assigned an IP address. The router ID is assigned (the same IPv4 address as the loopback interface) and the IPv4 address of the neighbor (Router B IP address) is assigned. Finally, the neighbor's update source is assigned to the local loopback interface.
Network Example
The following configuration uses the network command to inject received iBGP routes into the BGP routing table. The network mask allows subnetting and super-netting. An alternative to the network command is to use the redistribute command. Interface Gi1/0/1 is configured as a member of VLAN 10, VLAN 10 is assigned an IP address, IP routing is enabled, and BGP router 65001 is created with a router ID of 129.168.1.254. A static subnet route 129.168.0.X is created for VLAN 10.
BGP Redistribution of OSPF Example
The following configuration uses the redistribute command to inject received eBGP routes into the BGP routing table. Interface Te1/0/1 is configured in trunk mode with a native VLAN 10 and VLAN 10 is assigned an IP address with a /30 subnet. BGP fast fallover is enabled for VLAN 10. IP routing is enabled and a default route is configured that points to the neighbor router. BGP router 3434 is created with a router ID of 172.16.64.1. An eBGP neighbor 216.31.219.
Configuring the Multi-Exit Discriminator in BGP Advertised Routes
The following example configures an egress routing policy that sets the metric for matching routes. In the example, VLAN 10 is created, followed by an access list matching directly connected source address 5.5.5.x for which the metric will be injected into the advertised routes. A route map “Inject-MED” is created. This route map sets the match criteria as ACL MED-Hosts and configures the metric for matching routes to be 100.
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#network 129.168.0.0 mask 255.255.0.0 route-map Inject-MED
console(config-router)#redistribute connected
console(config-router)#exit
Configuring Communities in BGP
The following example configures an egress routing policy that sets the community attribute for matching routes. In the example, VLAN 10 is created, followed by an access list Comm-Hosts matching directly connected source address 5.5.5.
console(config-if-loopback0)#ip address 129.168.1.254 /24
console(config-if-loopback0)#exit
console(config)#ip routing
console(config)#router bgp 65001
console(config-router)#bgp router-id 129.168.1.254
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#neighbor 129.168.0.254 send-community
console(config-router)#neighbor 129.168.0.
This iBGP neighbor is designated a route reflector client. Other iBGP neighbors can be configured as route reflector clients in order to reduce the explosion of neighbor configuration required to implement a full mesh iBGP network.
console(config-router)#neighbor 129.168.0.254 remote-as 65001
console(config-router)#neighbor 129.168.0.254 update-source loopback 0
console(config-router)#neighbor 129.168.0.
Campus Network MP-BGP and OSPF Configuration Consider the topology below, which is a subset of what might be found on a small campus. This network services three customers (Red, Green, and Blue). The Internet connection to the outside world is hosted in router S1. Router S2 hosts the Red and Green network. Router S3 hosts the Red and Blue network. A common service is supplied over the 192.168.99.1/24 network. Figure 39-4.
Four VRFs are created on S1. Each VRF is assigned a unique route distinguisher (RD). The RDs utilized here are taken from the private ASN address space. Three of the VRFs are assigned to the Red, Green, and Blue networks and the last VRF is utilized for the common service. We use a loopback on S1 to emulate the common service network instead of a VLAN and physical interface. The VRF configuration on the loopback is identical to the case of a VLAN and physical interface.
6 Create VRF Red, import the common service, and export the Red network.
S1(config)#ip vrf Red
S1(config-ip-vrf-Red)#rd 65000:1
S1(config-ip-vrf-Red)#route-target export 65000:1
S1(config-ip-vrf-Red)#route-target import 65000:99
S1(config-ip-vrf-Red)#exit
7 Create VRF Shared, import the Red and Green network, and export the common service.
12 Associate the Red VRF with a VLAN routed interface.
S1(config)#interface vlan 16
S1(config-if-vlan16)#ip vrf forwarding Red
S1(config-if-vlan16)#ip address 172.16.0.1 255.255.255.0
S1(config-if-vlan16)#exit
13 Associate the Green VRF with a VLAN routed interface.
S1(config)#interface vlan 17
S1(config-if-vlan17)#ip vrf forwarding Green
S1(config-if-vlan17)#ip address 172.17.0.1 255.255.255.0
S1(config-if-vlan17)#exit
14 Associate the Blue VRF with a VLAN routed interface.
Next, configure OSPF to exchange routes with the other routers. OSPF runs in the VRFs and area 0 is used within each VRF. Each VRF is configured to redistribute BGP subnets advertised by S1.
1 Configure router Blue.
S1(config)#router ospf vrf "Blue"
2 A router ID is required.
S1(config-router-vrf-Blue)#router-id 172.18.0.1
3 Configure network as 'don't care'. A non-zero IP address is required.
S1(config-router-vrf-Blue)#network 172.18.0.0 255.255.255.255 area 0
4 Redistribute BGP subnets.
Next, assign the VRF associated VLANs to the interfaces connected to the rest of the Red, Green, and Blue networks:
1 Configure the S1-S2 trunk.
S1(config)#interface Gi1/0/13
S1(config-if-Gi1/0/13)#switchport mode trunk
S1(config-if-Gi1/0/13)#switchport trunk allowed vlan 1,16-17
S1(config-if-Gi1/0/13)#exit
2 Configure the S1-S3 trunk.
7 Emulate a network in the Green VRF. The loopback network can be replaced with a VLAN-routed interface.
S2(config)#interface loopback 17
S2(config-if-loopback17)#ip vrf forwarding Green
S2(config-if-loopback17)#ip address 172.17.2.1 255.255.255.0
S2(config-if-loopback17)#exit
8 Create a VLAN routed interface to router S1 for VRF Red.
S2(config)#interface vlan 16
S2(config-if-vlan16)#ip vrf forwarding Red
S2(config-if-vlan16)#ip address 172.16.0.2 255.255.255.
4 Enable routing.
S3(config)#ip routing
5 Emulate the Red network using a loopback.
S3(config)#interface loopback 16
S3(config-if-loopback16)#ip vrf forwarding Red
S3(config-if-loopback16)#ip address 172.16.3.1 255.255.255.0
S3(config-if-loopback16)#exit
6 Emulate the Blue network using a loopback.
S3(config)#interface loopback 18
S3(config-if-loopback18)#ip vrf forwarding Blue
S3(config-if-loopback18)#ip address 172.18.3.1 255.255.255.0
S3(config-if-loopback18)#exit
7 Assign VLANs to the VRFs.
This is a very simple OSPF configuration for each of the routers. In this case, a loopback is used to emulate an OSPF connected interface. If an actual VLAN-routed interface is used, declare it a passive interface in the OSPF configuration. For router S2, VRF Green and Red are configured.
1 Create an OSPF instance for VRF Green
S2(config)#router ospf vrf "Green"
2 Router ID is required.
S2(config-router-vrf-Green)#router-id 172.17.0.99
3 Network is all 'don't care'.
OSPF on S3 is configured similarly to S2 with VRF Red and Blue:
1 Create OSPF sessions in each VRF. Assign area 0. Router ID assignment is required.
S3(config)#router ospf vrf "Blue"
S3(config-router-vrf-Blue)#router-id 172.18.0.99
S3(config-router-vrf-Blue)#network 172.18.0.0 255.255.255.255 area 0
S3(config-router-vrf-Blue)#exit
S3(config)#router ospf vrf "Red"
S3(config-router-vrf-Red)#router-id 172.16.0.98
S3(config-router-vrf-Red)#network 172.16.0.0 255.255.255.
The VRFs should all have full connectivity. S1#show ip route vrf Red Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel S - Static B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area E1 - OSPF External Type 1, E2 - OSPF External Type 2 N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2 S U - Unnumbered Peer, L - Leaked Route * Indicates the best (lowest metric) route for the subnet. No default gateway is C *172.16.0.0/24 C *172.16.1.0/30 O *172.16.2.0/24 O *172.
To provision MP-BGP to distribute routes for the shared service, on S1 configure a loopback to emulate the common service network:
1 Set a loopback for the BGP router.
S1(config)#interface loopback 0
S1(config-if-loopback0)#ip address 192.0.2.1 255.255.255.255
S1(config-if-loopback0)#exit
Next, configure a BGP router and allow route redistribution to occur. Configuration of the router ID is required.
2 Configure a BGP router.
Verify that BGP maintains routes for each of the VRFs. The common service VRF "Shared" is exported via the route-target 65000:99 and imported into the Red and Green VRFs. S1(config-router)#show ip bgp vpnv4 all BGP table version is 0, local router ID is 192.0.2.1 Status codes: s suppressed, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Network ------------------Route Distinguisher *>i 172.18.0.
The best routes are placed into the route table in each of the VRFs. VRF Blue does not import or export any routes and does not have access to the common services.
S1#show ip route vrf Blue
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel S - Static
B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
E1 - OSPF External Type 1, E2 - OSPF External Type 2
N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *172.18.0.0/24
C *172.18.1.0/30
O *172.18.3.0/24
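The Python model below is an added example, not part of the Dell EMC guide. It covers both the earlier RD passage (an 8-byte RD prepended to the IPv4 prefix to form a 12-byte VPN-IPv4 address) and the route-target import/export behaviour of this campus example, and it checks which VRFs can see each other's prefixes. Red's RD and route targets and the 65000:99 export of Shared are from the page; the RDs and route targets shown for Green, Blue and Shared, the type 0 RD layout (RFC 4364), and the rule that imported routes are not re-exported are assumptions of the model.

```python
import ipaddress
import struct
from dataclasses import dataclass, field


def encode_rd(rd: str) -> bytes:
    """Encode an 'ASN:number' RD as 8 bytes (RFC 4364 type 0 layout)."""
    asn, number = (int(part) for part in rd.split(":"))
    return struct.pack("!HHI", 0, asn, number)


def vpn_ipv4_address(rd: str, prefix: str) -> bytes:
    """Return the 12-byte VPN-IPv4 address: 8-byte RD + 4-byte IPv4 address."""
    network = ipaddress.ip_network(prefix)
    return encode_rd(rd) + network.network_address.packed


@dataclass
class Vrf:
    name: str
    rd: str
    prefixes: list
    exports: set = field(default_factory=set)
    imports: set = field(default_factory=set)


def route_tables(vrfs: list) -> dict:
    """Map each VRF name to the set of (owner VRF, prefix) routes it holds."""
    # Export phase: a VRF's own prefixes enter the VPNv4 table keyed by
    # RD + prefix, tagged with its export route targets.
    # Model assumption: imported routes are never re-exported.
    vpnv4 = {}
    for vrf in vrfs:
        for prefix in (vrf.prefixes if vrf.exports else []):
            length = ipaddress.ip_network(prefix).prefixlen
            key = (vpn_ipv4_address(vrf.rd, prefix), length)
            vpnv4[key] = (vrf.name, prefix, vrf.exports)
    # Import phase: a VRF takes every route carrying one of its import targets.
    tables = {}
    for vrf in vrfs:
        visible = {(vrf.name, prefix) for prefix in vrf.prefixes}
        for owner, prefix, targets in vpnv4.values():
            if targets & vrf.imports:
                visible.add((owner, prefix))
        tables[vrf.name] = visible
    return tables


def isolation_violations(vrfs: list, allowed: set) -> list:
    """Return (viewer, owner, prefix) for every leak the policy does not allow."""
    found = []
    for viewer, visible in route_tables(vrfs).items():
        for owner, prefix in visible:
            if owner != viewer and (viewer, owner) not in allowed:
                found.append((viewer, owner, prefix))
    return sorted(found)


def campus_vrfs() -> list:
    """The four VRFs on S1. Values marked 'assumed' are not on the page."""
    return [
        Vrf("Red", "65000:1", ["172.16.0.0/24"], {"65000:1"}, {"65000:99"}),
        Vrf("Green", "65000:2", ["172.17.0.0/24"],        # RD/RT assumed
            {"65000:2"}, {"65000:99"}),
        Vrf("Shared", "65000:99", ["192.168.99.0/24"],    # RD assumed
            {"65000:99"}, {"65000:1", "65000:2"}),
        Vrf("Blue", "65000:3", ["172.18.0.0/24"]),        # RD assumed
    ]


# Intended policy: customers reach the shared service and nothing else.
ALLOWED = {("Red", "Shared"), ("Green", "Shared"),
           ("Shared", "Red"), ("Shared", "Green")}

if __name__ == "__main__":
    for name, routes in route_tables(campus_vrfs()).items():
        print(name, sorted(routes))
    print("violations:", isolation_violations(campus_vrfs(), ALLOWED))
```

Running the same check after any route-target change shows whether a VRF such as Blue has started importing another customer's routes.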
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *172.16.0.0/24 [0/0] directly connected,
O *172.16.1.0/30 [110/11] via 172.16.0.1,
O *172.16.2.0/24 [110/11] via 172.16.0.2,
C *172.16.3.0/24 [0/0] directly connected,
O E2 *192.168.99.0/24 [110/1] via 172.16.0.
Configuring MP-eBGP and Extended Communities
In this configuration, router R1 is connected to router R2 (via VLAN 100 on Gi1/0/13) and router R3 (via VLAN 200 on Gi1/0/16). Router R1 (AS 5500) and R2 (AS 6500) communicate via MP-eBGP. Router R1 and R3 are both in AS 5500 and form an iBGP relationship. R3's purpose in this configuration is to show that routes received from R2 are redistributed within the IGP and to inject routes into the IGP.
R1(config-if-Gi1/0/16)#switchport access vlan 200
R1(config-if-Gi1/0/16)#exit
7 Configure the BGP router.
R1(config)#router bgp 5500
R1(config-router)#bgp log-neighbor-changes
8 Configure the router ID.
R1(config-router)#bgp router-id 10.10.10.10
9 This router advertises the 192.168.100.0/24 network.
R1(config-router)#network 192.168.100.0 mask 255.255.255.0
10 Redistribute connected routes (10.10.10.10/32).
R1(config-router)#redistribute connected
11 Configure the R2 neighbor.
3 Disable domain lookup and enable IP routing.
R2(config)#no ip domain-lookup
R2(config)#ip routing
4 Create a loopback for the BGP router.
R2(config)#interface loopback 0
R2(config-if-loopback0)#ip address 20.20.20.20 255.255.255.255
R2(config-if-loopback0)#exit
5 Create a loopback to emulate a subnet in the VRF. This could be assigned to a real VLAN.
R2(config)#interface loopback 1
R2(config-if-loopback1)#ip vrf forwarding WAN
R2(config-if-loopback1)#ip address 30.30.30.30 255.255.255.
R2(config-router-af)#redistribute static
R2(config-router-af)#exit
13 Advertise the VPNv4 routes (30.30.30.0/24). These routes are transmitted with the extended community attribute (2020:1).
R2(config-router)#address-family vpnv4 unicast
R2(config-router-af)#neighbor 172.16.10.1 send-community both
R2(config-router-af)#neighbor 172.16.10.1 activate
R2(config-router-af)#exit
R2(config-router)#exit
R2(config)#exit
Router R3 Configuration
1 Configure a VLAN for connection to R1.
R3(config-router)#neighbor 192.168.100.10 remote-as 5500
9 Redistribute connected and static routes.
R3(config-router)#redistribute connected
R3(config-router)#redistribute static
R3(config-router)#exit
R3(config)#exit
R3#exit
Discussion
Verify that the routes on R2 are being distributed to R1 and R3. This shows the R2 BGP and routing tables.
B *192.168.100.0/24 [20/0] via 172.16.10.1, Vl100
This is the resulting R1 routing table.
R1#show ip route
Route Codes: R - RIP Derived, O - OSPF Derived, C - Connected, K - Kernel S - Static
B - BGP Derived, E - Externally Derived, IA - OSPF Inter Area
E1 - OSPF External Type 1, E2 - OSPF External Type 2
N1 - OSPF NSSA External Type 1, N2 - OSPF NSSA External Type 2
S U - Unnumbered Peer, L - Leaked Route
* Indicates the best (lowest metric) route for the subnet.
No default gateway is configured.
C *10.
20.20.20.20/32     172.16.10.2      6500 ?
30.30.30.0/24      172.16.10.2      6500 ?
Use the routes option to display routes received from R2.
R1#show ip bgp neighbors 172.16.10.2 routes
Local router ID is 10.10.10.10
Origin codes: i - IGP, e - EGP, ? - incomplete
Network            Next Hop         Metric     LocPref
------------------ ---------------- ---------- ---------
172.16.10.0/24     172.16.10.2
20.20.20.20/32     172.16.10.2
30.30.30.0/24      172.16.10.
40 Bidirectional Forwarding Detection
Dell EMC Networking N3000, N3100-ON and N4000 Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches.
Bidirectional Forwarding Detection (BFD) provides a lightweight fast failure detection mechanism to verify bidirectional connectivity between forwarding engines, which may be a single hop or multiple hops away from each other.
to the applications. The pair of devices transmits BFD packets between them periodically and, if one stops receiving peer packets within the detection time limit, it considers the bidirectional path to have failed. It then notifies the application protocol of this failure. BFD allows each device to estimate how quickly it can send and receive BFD packets to agree with its neighbor upon how fast detection of failure may be performed.
explicitly. In this case, a short sequence of BFD Control packets, known as the Poll Sequence, is exchanged to ascertain the connectivity. Demand mode may operate independently in either direction. Demand mode is advantageous in cases when the overhead of a periodic protocol appears burdensome on a device, e.g., a router with a large number of BFD sessions running. Dell EMC Networking BFD does not support demand mode. Echo Function Echo mode is an auxiliary operation that may be used with either BFD mode.
BFD Example This example configures BFD for a BGP peer session. BFD is only supported in conjunction with BGP. The BGP configuration is taken from BGP Redistribution of OSPF Example in the BGP Configuration Examples section and is not explained further here. The fast-external-fallover is not enabled in this example, as BFD will provide failure detection. 1 Enable the BFD feature.
console(config-router)#neighbor 216.31.219.19 remote-as 200
console(config-router)#redistribute static
console(config-router)#redistribute ospf match external 1
console(config-router)#redistribute ospf match external 2
3 Enable a BFD session on the BGP peer link:
console(config-router)#neighbor 216.31.219.
41 IPv6 Routing
Dell EMC Networking N3000, N3100-ON, and N4000 Series Switches
NOTE: This feature is not available on Dell EMC Networking N1100-ON, N1500, N2000, and N2100-ON Series switches.
This chapter describes how to configure general IPv6 routing information on the switch, including global routing settings and IPv6 static routes.
On the Dell EMC Networking N3000, N3100-ON, and N4000 Series switches, IPv6 coexists with IPv4. As with IPv4, IPv6 routing can be enabled on loopback and VLAN interfaces. Each L3 routing interface can be used for IPv4, IPv6, or both. IP protocols running over L3 (for example, UDP and TCP) are common to both IPv4 and IPv6. How Does IPv6 Compare with IPv4? There are many conceptual similarities between IPv4 and IPv6 network operation.
Neighbor Discovery (ND) protocol is the IPv6 replacement for Address Resolution Protocol (ARP) in IPv4. The IPv6 Neighbor Discovery protocol is described in detail in RFC 7048. Dell EMC Networking IPv6 supports neighbor advertise and solicit, duplicate address detection, and unreachability detection. Router advertisement is part of the Neighbor Discovery process and is required for IPv6.
Default IPv6 Routing Values IPv6 is disabled by default on the switch and on all interfaces. Table 41-1 shows the default values for the IP routing features this chapter describes. Table 41-1.
Table 41-2.
Configuring IPv6 Routing Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring IPv6 unicast routing features on a Dell EMC Networking N3000, N3100-ON, and N4000 Series switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Interface Configuration Use the Interface Configuration page to configure IPv6 interface parameters. This page has been updated to include the IPv6 Destination Unreachables field. To display the page, click Routing IPv6 Interface Configuration in the navigation panel. Figure 41-2.
Interface Summary Use the Interface Summary page to display settings for all IPv6 interfaces. To display the page, click Routing IPv6 Interface Summary in the navigation panel. Figure 41-3.
IPv6 Statistics Use the IPv6 Statistics page to display IPv6 traffic statistics for one or all interfaces. To display the page, click Routing IPv6 IPv6 Statistics in the navigation panel. Figure 41-4.
IPv6 Neighbor Table Use the IPv6 Neighbor Table page to display IPv6 neighbor details for a specified interface. To display the page, click IPv6 IPv6 Neighbor Table in the navigation panel. Figure 41-5.
DHCPv6 Client Parameters Use the DHCPv6 Client Parameters page to view information about the network information automatically assigned to an interface by the DHCPv6 server. This page displays information only if the DHCPv6 client has been enabled on an IPv6 routing interface. To display the page, click Routing IPv6 DHCPv6 Client Lease Parameters in the navigation panel. Figure 41-6.
DHCPv6 Client Statistics Use the DHCPv6 Client Statistics page to view information about DHCPv6 packets received and transmitted on a DHCPv6 client interface. To display the page, click Routing IPv6 DHCPv6 Client Statistics in the navigation panel. Figure 41-7.
IPv6 Route Entry Configuration

Use the IPv6 Route Entry Configuration page to configure information for IPv6 routes. To display the page, click Routing → IPv6 → IPv6 Routes → IPv6 Route Entry Configuration in the navigation panel.

Figure 41-8.

IPv6 Route Table

Use the IPv6 Route Table page to display all active IPv6 routes and their settings. To display the page, click Routing → IPv6 → IPv6 Routes → IPv6 Route Table in the navigation panel.

Figure 41-9.
IPv6 Route Preferences

Use the IPv6 Route Preferences page to configure the default preference for each protocol. These values are arbitrary values in the range of 1 to 255 and are independent of route metrics. Most routing protocols use a route metric to determine the shortest path known to the protocol, independent of any other protocol. The best route to a destination is chosen by selecting the route with the lowest preference value.

Configured IPv6 Routes

Use the Configured IPv6 Routes page to display selected IPv6 routes.

NOTE: For a static reject route, the next hop interface value is Null0. Packets to the network address specified in static reject routes are intentionally dropped.

To display the page, click Routing → IPv6 → IPv6 Routes → Configured IPv6 Routes in the navigation panel.

Figure 41-11.
Configuring IPv6 Routing Features (CLI)

This section provides information about the commands used for configuring IPv6 routing on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global IP Routing Settings

Use the following commands to configure various global IP routing settings for the switch.
Configuring IPv6 Interface Settings

Use the following commands to configure IPv6 settings for VLAN, tunnel, or loopback interfaces.

| Command | Purpose |
| --- | --- |
| configure | Enter Global Configuration mode. |
| interface {vlan \| tunnel \| loopback} interface-id | Enter Interface Configuration mode for the specified VLAN, tunnel, or loopback interface. |
| ipv6 enable | Enable IPv6 on the interface. Configuring an IPv6 address will automatically enable IPv6 on the interface. |
Configuring IPv6 Neighbor Discovery

Use the following commands to configure IPv6 Neighbor Discovery settings.

| Command | Purpose |
| --- | --- |
| ipv6 nd prefix prefix/prefix-length [{valid-lifetime \| infinite} {preferred-lifetime \| infinite}] [no-autoconfig] [offlink] | Configure parameters associated with network prefixes that the router advertises in its Neighbor Discovery advertisements. • ipv6-prefix—IPv6 network prefix. • prefix-length—IPv6 network prefix length. • valid-lifetime—Valid lifetime of the router in seconds. |
| Command | Purpose |
| --- | --- |
| ipv6 nd ns-interval milliseconds | Set the interval between router advertisements for advertised neighbor solicitations. The range is 1000 to 4294967295 milliseconds. |
| ipv6 nd other-config-flag | Set the other stateful configuration flag in router advertisements sent from the interface. |
| ipv6 nd managed-config-flag | Set the managed address configuration flag in router advertisements. When the value is true, end nodes use DHCPv6. |
Configuring IPv6 Route Table Entries and Route Preferences

Use the following commands to configure IPv6 Static Routes.

| Command | Purpose |
| --- | --- |
| configure | Enter global configuration mode. |
| ipv6 route ipv6-prefix/prefix-length {next-hop-address \| interface-type interface-number next-hop-address} [preference] | Configure a static route. Use the keyword null instead of the next hop router IP address to configure a static reject route. |
| Command | Purpose |
| --- | --- |
| ipv6 route distance integer | Set the default distance (preference) for static IPv6 routes. Lower route preference values are preferred when determining the best route. The default distance (preference) for static routes is 1. |
| exit | Exit to Global Config mode. |
IPv6 Show Commands

Use the following commands in Privileged Exec mode to view IPv6 configuration status and related data.

| Command | Purpose |
| --- | --- |
| show sdm prefer | Show the currently active SDM template. |
| show sdm prefer dual-ipv4-and-ipv6 default | Show parameters for the SDM template. |
| show ipv6 dhcp interface vlan vlan-id | View information about the DHCPv6 lease acquired by the specified interface. |
IPv6 Static Reject and Discard Routes

A statically configured route with a next-hop of “null” causes any packet matching the route to disappear or vanish from the network. This type of route is called a “Discard” route if the router returns an ICMP “network-unreachable” message, or is called a “Reject” route if no ICMP message is returned. The Dell EMC Networking N-Series switches support “Reject” routes, where any packets matching the route network prefix silently disappear.

•
ipv6 route 2001::/16 null 254
ipv6 route 2002::/16 null 254

These address ranges are reserved and not reachable in the Internet. If for some reason you have local networks in this range, a more specific route will have precedence.

Another use for the Reject route is to prevent internal hosts from communicating with specific addresses or ranges of addresses. The effect is the same as an outgoing access-list with a “deny” statement.
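The following sketch is an added example, not taken from the guide or the switch software. It models how the two reject routes above interact with more specific routes and with the preference value. The default route, the local prefixes, the blocked host address and the next-hop labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv6Network
    next_hop: Optional[str]  # None models the "null" keyword (shown as Null0)
    preference: int = 1      # the guide gives 1 as the default for static routes

    def __post_init__(self):
        # The guide gives 1 to 255 as the valid preference range.
        if not 1 <= self.preference <= 255:
            raise ValueError("preference must be in the range 1 to 255")


def static_route(prefix: str, next_hop: Optional[str], preference: int = 1) -> StaticRoute:
    return StaticRoute(ipaddress.IPv6Network(prefix), next_hop, preference)


def best_route(table: List[StaticRoute], destination: str) -> Optional[StaticRoute]:
    """Longest matching prefix wins; equal-length prefixes are decided by
    the lowest preference value."""
    addr = ipaddress.IPv6Address(destination)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.prefix.prefixlen, r.preference))


def forward(table: List[StaticRoute], destination: str) -> str:
    """Describe what happens to a packet sent to `destination`."""
    r = best_route(table, destination)
    if r is None:
        return "no route"
    if r.next_hop is None:
        # Reject route: the packet is dropped and no ICMP message is returned.
        return f"reject via {r.prefix}"
    return f"forward to {r.next_hop} via {r.prefix}"


TABLE = [
    static_route("2001::/16", None, 254),           # from the guide
    static_route("2002::/16", None, 254),           # from the guide
    static_route("::/0", "uplink"),                 # constructed default route
    static_route("2001:db8:10::/48", "lan-a"),      # constructed local network inside 2001::/16
    static_route("2001:db8:10::bad/128", None),     # constructed single-host block
    static_route("2001:db8:20::/48", "lan-b", 1),   # constructed, preferred
    static_route("2001:db8:20::/48", None, 254),    # same prefix, higher value: not selected
]

if __name__ == "__main__":
    for dst in ("2002:c000:204::1", "2001:1234::1", "2001:db8:10::25",
                "2001:db8:10::bad", "2001:db8:20::1", "2620:0:1::1"):
        print(f"{dst:22} {forward(TABLE, dst)}")
```

Without the two /16 reject routes, traffic to those ranges would follow the default route; with them, only destinations covered by a longer prefix are still forwarded.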
access mode, meaning untagged incoming and outgoing packets are processed on VLAN 10. RA-Guard is enabled on interface Gi1/0/1 and then the configuration is verified with the show command.
console(config-if-Gi1/0/1)#ipv6 nd raguard attach-policy
console(config-if-Gi1/0/1)#show ipv6 nd raguard policy

Ipv6 RA-Guard Configured Interfaces

Interface       Role
--------------- -------
Gi1/0/1         Host
42 DHCPv6 Server Settings

Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches

NOTE: The DHCPv6 Server is not available on the Dell EMC Networking N1100-ON and N1500 Series switches.

This chapter describes how to configure the switch to dynamically assign network information to IPv6 hosts by using the Dynamic Host Configuration Protocol for IPv6 (DHCPv6).

What Is a DHCPv6 Pool?

DHCPv6 pools are used to specify information for the DHCPv6 server to distribute to DHCPv6 clients. These pools are shared between multiple interfaces over which DHCPv6 server capabilities are configured.

What Is a Stateless Server?

DHCPv6 incorporates the notion of the stateless server, where DHCPv6 is not used for IP address assignment to a client; rather, it provides other networking information such as DNS or NTP information.

Figure 42-1. DHCPv6 Prefix Delegation Scenario

In Figure 42-1, the Dell EMC Networking switch acts as the Prefix Delegation (PD) server and defines one or more general prefixes to allocate and assign addresses to hosts that may be utilizing IPv6 auto-address configuration or acting as DHCPv6 clients. DHCPv6 clients may request multiple IPv6 prefixes. Also, DHCPv6 clients may request specific IPv6 prefixes.
Configuring the DHCPv6 Server and Relay (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the DHCPv6 server on a Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switch. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

DHCPv6 Global Configuration

Use the Global Configuration page to configure DHCPv6 global parameters.

DHCPv6 Pool Configuration

Use the Pool Configuration page to set up a pool of DHCPv6 parameters for DHCPv6 clients. The pool is identified with a pool name and contains IPv6 addresses and domain names of DNS servers. To display the page, click Routing → IPv6 → DHCPv6 → Pool Configuration in the navigation panel. Figure 42-3 shows the page when no pools have been created. After a pool has been created, additional fields display.

Figure 42-3.

Figure 42-4. Pool Configuration

4 From the DNS Server Address menu, select an existing DNS Server Address to associate with this pool, or select Add and specify a new server to add.
5 From the Domain Name menu, select an existing domain name to associate with this pool, or select Add and specify a new domain name.
6 Click Apply.

Prefix Delegation Configuration

Use the Prefix Delegation Configuration page to configure a delegated prefix for a pool. At least one pool must be created using DHCPv6 Pool Configuration before a delegated prefix can be configured. To display the page, click Routing → IPv6 → DHCPv6 → Prefix Delegation Configuration in the navigation panel.

Figure 42-5.

DHCPv6 Pool Summary

Use the Pool Summary page to display settings for all DHCPv6 Pools. At least one pool must be created using DHCPv6 Pool Configuration before the Pool Summary displays. To display the page, click Routing → IPv6 → DHCPv6 → Pool Summary in the navigation panel.

Figure 42-6.

DHCPv6 Interface Configuration

Use the DHCPv6 Interface Configuration page to configure a DHCPv6 interface. To display the page, click Routing → IPv6 → DHCPv6 → Interface Configuration in the navigation panel. The fields that display on the page depend on the selected interface mode.

Figure 42-7. DHCPv6 Interface Configuration

Figure 42-8 shows the screen when the selected interface mode is Server.

Figure 42-8.
Figure 42-9.
DHCPv6 Server Bindings Summary

Use the Server Bindings Summary page to display all DHCPv6 server bindings. To display the page, click Routing → IPv6 → DHCPv6 → Bindings Summary in the navigation panel.

Figure 42-10.

DHCPv6 Statistics

Use the DHCPv6 Statistics page to display DHCPv6 statistics for one or all interfaces. To display the page, click Routing → IPv6 → DHCPv6 → Statistics in the navigation panel.

Figure 42-11.
Configuring the DHCPv6 Server and Relay (CLI)

This section provides information about the commands used for configuring and monitoring the DHCP server and address pools. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

Configuring Global DHCP Server and Relay Agent Settings

Use the following commands to configure settings for the DHCPv6 server.
| Command | Purpose |
| --- | --- |
| domain-name domain | Set up to five DNS domain names to provide to a DHCPv6 client by the DHCPv6 server. |
| CTRL + Z | Exit to Privileged Exec mode. |
| show ipv6 dhcp pool [name] | View the settings for all DHCPv6 pools or for the specified pool. |

Configuring a DHCPv6 Pool for Specific Hosts

Use the following commands to create a pool and/or configure pool parameters for specific DHCPv6 clients.

| Command | Purpose |
| --- | --- |
| configure | Enter Global Configuration mode. |
Configuring DHCPv6 Interface Information

Use the following commands to configure an interface as a DHCPv6 server or a DHCPv6 relay agent. The server and relay functionality are mutually exclusive. In other words, a VLAN routing interface can be configured as a DHCPv6 server or a DHCPv6 relay agent, but not both.

| Command | Purpose |
| --- | --- |
| configure | Enter Global Configuration mode. |
| Command | Purpose |
| --- | --- |
| ipv6 dhcp server pool-name [rapid-commit] [preference pref-value] | Configure DHCPv6 server functionality on the interface. • pool-name — The name of the DHCPv6 pool containing stateless and/or prefix delegation parameters. • rapid-commit — An option that allows for an abbreviated exchange between the client and server. • pref-value — Preference value used by clients to determine preference between multiple DHCPv6 servers. (Range: 0-4294967295) |
| CTRL + Z | Exit to Privileged Exec Mode. |
DHCPv6 Configuration Examples

This section contains the following examples:
• Configuring a DHCPv6 Stateless Server
• Configuring the DHCPv6 Server for Prefix Delegation
• Configuring an Interface as a DHCPv6 Relay Agent

Configuring a DHCPv6 Stateless Server

This example configures a DHCPv6 pool that will provide information for the DHCPv6 server to distribute to DHCPv6 clients that are members of VLAN 100.

console(config-if-vlan100)#ipv6 nd other-config-flag
console(config-if-vlan100)#exit

Configuring the DHCPv6 Server for Prefix Delegation

In this example, VLAN routing interface 200 is configured to delegate specific prefixes to certain DHCPv6 clients. The prefix-to-DUID mapping is defined within the DHCPv6 pool. To configure the switch:

1 Create the DHCPv6 pool and specify the domain name and DNS server information.

console(config)#ipv6 dhcp pool my-pool2
console(config-dhcp6s-pool)#domain-name dell.

1 Create VLAN 300 and define its IPv6 address.

console(config)#interface vlan 300
console(config-if-vlan300)#ipv6 address 2001:DB8:03a::14/64

2 Configure the interface as a DHCPv6 relay agent and specify the IPv6 address of the relay server. The command also specifies that the route to the server is through the VLAN 100 routing interface.
43 Differentiated Services

Dell EMC Networking N-Series Switches

This chapter describes how to configure the Differentiated Services (DiffServ) feature. DiffServ enables traffic to be classified into streams and given certain QoS treatment in accordance with defined per-hop behaviors.

How Does DiffServ Functionality Vary Based on the Role of the Switch?

How you configure DiffServ support in Dell EMC Networking N-Series switch software varies depending on the role of the switch in your network:

• Edge device: An edge device handles ingress traffic, flowing towards the core of the network, and egress traffic, flowing away from the core. An edge device segregates inbound traffic into a small set of traffic classes, and is responsible for determining a packet’s classification.

Dell EMC Networking N-Series switch software supports the Traffic Conditioning Policy type which is associated with an inbound traffic class and specifies the actions to be performed on packets meeting the class rules:

– Marking the packet with a given DSCP, IP precedence, or CoS value. Traffic to be processed by the DiffServ feature requires an IP header if the system uses IP Precedence or IP DSCP marking.
– Policing packets by dropping or re-marking those that exceed the class’s assigned data rate.
parallel at once, and the priority of the ACL is used to implement the conceptual match process. There are no counters instantiated for ACLs referred to by a class-map. An ACL that is used in a class-map match term itself has one or more permit and/or deny rules. The incoming packet is matched sequentially against the permit rules in each ACL in the match list, in order, and a match/no match decision is reached.
Table 43-1.
Configuring DiffServ (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DiffServ features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

Class Configuration

Use the DiffServ Class Configuration page to add a new DiffServ class name, or to rename or delete an existing class. To display the page, click Quality of Service → Differentiated Services → Class Configuration in the navigation panel.

Figure 43-2. DiffServ Class Configuration

Adding a DiffServ Class

To add a DiffServ class:

1 From the DiffServ Class Configuration page, click Add to display the Add Class page.

Figure 43-3.

3 Click Apply to add the new class.
4 To view a summary of the classes configured on the switch, click Show All.

Figure 43-4. View DiffServ Class Summary

Class Criteria

Use the DiffServ Class Criteria page to define the criteria to associate with a DiffServ class. As packets are received, these DiffServ classes are used to identify packets. To display the page, click Quality of Service → Differentiated Services → Class Criteria in the navigation panel.
Figure 43-5.
Policy Configuration

Use the DiffServ Policy Configuration page to associate a collection of classes with one or more policy statements. To display the page, click Quality of Service → Differentiated Services → Policy Configuration in the navigation panel.

Figure 43-6. DiffServ Policy Configuration

Adding a New Policy Name

To add a policy:

1 From the DiffServ Policy Configuration page, click Add to display the Add Policy page.

Figure 43-7. Add DiffServ Policy

2 Enter the new Policy Name.
3 Click Apply to save the new policy.
4 To view a summary of the policies configured on the switch, click Show All.

Figure 43-8.

Policy Class Definition

Use the DiffServ Policy Class Definition page to associate a class to a policy, and to define attributes for that policy-class instance. To display the page, click Quality of Service → Differentiated Services → Policy Class Definition in the navigation panel.

Figure 43-9. DiffServ Policy Class Definition

To view a summary of the policy attributes, click Show All.

Figure 43-10. Policy Class Definition

Packet Marking Traffic Condition

Follow these steps to have packets that match the class criteria for this policy marked with either an IP DSCP, IP precedence, or CoS value:

1 Select Marking from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page. The Packet Marking page displays.

Figure 43-11. Policy Class Definition - Attributes

2 Select IP DSCP, IP Precedence, or Class of Service to mark for this policy-class.

Policing Traffic Condition

Follow these steps to perform policing on the packets that match this policy class:

1 Select Policing from the Traffic Conditioning drop-down menu on the DiffServ Policy Class Definition page to display the DiffServ Policy Policing page.

Figure 43-12. Policy Class Definition - Policing

The DiffServ Policy - Policing page displays the Policy Name, Class Name, and Policing Style.

Service Configuration

Use the DiffServ Service Configuration page to activate a policy on a port. To display the page, click Quality of Service → Differentiated Services → Service Configuration in the navigation panel.

Figure 43-13. DiffServ Service Configuration

To view a summary of the services configured on the switch, click Show All.

Figure 43-14.

Service Detailed Statistics

Use the DiffServ Service Detailed Statistics page to display packet details for a particular port and class. To display the page, click Quality of Service → Differentiated Services → Service Detailed Statistics in the navigation panel.

Figure 43-15.

Flow-Based Mirroring

Use the Flow-Based Mirroring page to create a mirroring session in which the traffic that matches the specified policy and member class is mirrored to a destination port. To display the Flow-Based Mirroring page, click Switching → Ports → Traffic Mirroring → Flow-Based Mirroring in the navigation panel.

Figure 43-16.
Configuring DiffServ (CLI)

This section provides information about the commands used for configuring DiffServ settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.

DiffServ Configuration (Global)

Use the following commands to configure the global DiffServ mode and view related settings.
DiffServ Class Configuration for IPv4

Use the following commands to configure DiffServ classes for IPv4 and view related information.

| CLI Command | Description |
| --- | --- |
| configure | Enter global configuration mode. |
| class-map [match-all \| match-any] class-map-name | Define a new DiffServ class and enter Class-Map Configuration mode for the specified class. The match-all parameter indicates that all match criteria must match. The match-any parameter indicates that at least one match criteria must match. |
| CLI Command | Description |
| --- | --- |
| match ip dscp | Add to the specified class definition a match condition based on the value of the IP DiffServ Code Point (DSCP) field in a packet. |
| match ip precedence | Add to the specified class definition a match condition based on the value of the IP. |
| match ip tos | Add to the specified class definition a match condition based on the value of the IP TOS field in a packet. |
| CLI Command | Description |
| --- | --- |
| match [any] | Configure the match condition for the class-map. Match any indicates that at least one match criteria must match. This configuration does not affect the processing of access-groups. |
| match class-map | Add to the specified class definition, the set of match conditions defined for another class. |
| match dstip6 | Add to the specified class definition a match condition based on the destination IPv6 address of a packet. |
DiffServ Protocol Matching

DiffServ may be configured to match on protocols other than IPv4 or IPv6. Use the following commands to specify L2 or other match criteria.

| CLI Command | Description |
| --- | --- |
| match cos | Add to the specified class definition, a match condition for the Class of Service value. |
| match destination-address mac | Add to the specified class definition, a match condition based on the destination MAC address of a packet. |
DiffServ Policy Creation

Use the following commands to configure DiffServ policies and view related information.

| CLI Command | Description |
| --- | --- |
| configure | Enter global configuration mode. |
| policy-map policy-name in | Create a new DiffServ policy for ingress traffic and enter Policy Map Configuration mode for the policy. |
| exit | Exit to Privileged Exec mode. |
| show policy-map | Displays all configuration information for the specified policy. |
| CLI Command | Description |
| --- | --- |
| police-simple {datarate burstsize conform-action {drop \| set-cos-transmit cos \| set-prec-transmit cos \| set-dscp-transmit dscpval \| transmit} [violate-action {drop \| set-cos-transmit cos \| set-prec-transmit cos \| set-dscp-transmit dscpval \| transmit}]} | Establish the traffic policing style for the specified class. The simple form of the police command uses a single data rate and burst size, resulting in two outcomes: conform and nonconform. |
| CLI Command | Description |
| --- | --- |
| mirror interface \| redirect interface | Use mirror to mirror all packets for the associated traffic stream that matches the defined class to the specified destination port or LAG. Use redirect to specify that all incoming packets for the associated traffic stream are redirected to the specified destination port or LAG. |
| exit | Exit to Policy-Map Config mode. |
| exit | Exit to Global Config mode. |
| exit | Exit to Privileged Exec mode. |
DiffServ Service Configuration

Beginning in Privileged Exec mode, use the following commands to associate a policy with an interface and view related information.

| CLI Command | Description |
| --- | --- |
| configure | Enter Global Configuration mode. |
| interface interface-id | Enter interface configuration mode for the desired interface. |
| service-policy {in \| out} policy-map-name | Attach a policy to an interface in the inbound or outbound direction. |
DiffServ Configuration Examples

This section contains the following examples:
• Providing Subnets Equal Access to External Network
• DiffServ for VoIP

Providing Subnets Equal Access to External Network

This example shows how a network administrator can provide equal access to the Internet (or other external network) to different departments within a company. Each of four departments has its own Class B subnet that is allocated 25% of the available bandwidth on the port accessing the Internet.

The following commands show how to configure the DiffServ example depicted in Figure 43-17.

1 Enable DiffServ operation for the switch.

console#config
console(config)#diffserv

2 Create a DiffServ class of type all for each of the departments, and name them. Also, define the match criteria—Source IP address—for the new classes.

console(config)#class-map match-all finance_dept
console(config-classmap)#match srcip 172.16.10.0 255.255.255.

console(config-policy-map)#class development_dept
console(config-policy-classmap)#assign-queue 4
console(config-policy-classmap)#exit
console(config-policy-map)#exit

4 Attach the defined policy to 10-Gigabit Ethernet interfaces 1/0/1 through 1/0/4 in the inbound direction.

console(config)#interface tengigabitethernet 1/0/1
console(config-if-Te1/0/1)#service-policy in internet_access
console(config-if-Te1/0/1)#exit
console(config)#interface tengigabitethernet 1/0/2
console(config-if-Te1/0/2)#service-policy i

ip access-list ten-one-subnet
1000 permit ip 10.1.0.0 0.0.255.255 any
exit
ip access-list ten-two-subnet
1000 permit ip 10.2.0.0 0.0.255.255 any
exit

Create a class map (ten-subnet) using the match-any attribute to allow matching of both access-lists. The choice of using one access list with multiple permit clauses is also possible.

class-map match-any ten-subnet
match access-group name ten-one-subnet
match access-group name ten-two-subnet
exit

Create a policy map (p1) and include the matching class.

cos-queue random-detect 2

Apply the policy to an interface. Incoming traffic on this interface will be matched against the policy. Matching packets will be assigned to CoS queue 2 and policed per the above.

interface Te1/0/1
service-policy in p1
exit

DiffServ for VoIP

One of the most valuable uses of DiffServ is to support Voice over IP (VoIP). VoIP traffic is inherently time-sensitive: for a network to provide acceptable service, a guaranteed transmission rate is vital.
Figure 43-18. DiffServ VoIP Example Network Diagram

The following commands show how to configure the DiffServ example depicted in Figure 43-18.

1 Set queue 6 on all ports to use strict priority mode. This queue shall be used for all VoIP packets. Activate DiffServ for the switch.

2 Create a DiffServ classifier named class_voip and define a single match criterion to detect UDP packets. The class type match-all indicates that all match criteria defined for the class must be satisfied in order for a packet to be considered a match.
WRED

NOTE: SRED is not supported on the Dell EMC Networking N1500 Series switch.

WRED Processing

Traffic ingressing the switch can be assigned to one of four drop probabilities based on a set of matching criteria. There are three drop probabilities for TCP traffic (green, yellow, and red) and one drop probability for non-TCP traffic (all colors). Users may configure the congestion thresholds at which packets queued for transmission are dropped for each color.

Exponential Weighting Constant

The degree of congestion is determined by sampling the egress queue depth and calculating an average queue size. The exponential weighting constant smooths the result of the average queue depth calculation by the function:

average depth = (previous queue depth * (1-1/2^n)) + (current queue depth * 1/2^n)

The average queue depth is used to select the drop probability for packets queued for egress.
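The sketch below is an added example, not code from the guide or the switch. It applies the weighting function above to a constructed burst of queue-depth samples to show how the exponent n decides whether a short burst ever reaches a WRED minimum threshold. It assumes that the "previous queue depth" term is the previous average, and the linear ramp between the thresholds is the textbook RED curve, used here as an assumption about the shape.

```python
from typing import Iterable, List


def average_depths(samples: Iterable[float], n: int, start: float = 0.0) -> List[float]:
    """Apply average = previous * (1 - 1/2^n) + current * (1/2^n) to each sample.

    Depths are percentages of the queue size. `start` is the average before
    the first sample (assumed 0: an empty, idle queue).
    """
    if n < 0:
        raise ValueError("the exponent n must not be negative")
    weight = 1.0 / (2 ** n)
    avg = start
    history = []
    for depth in samples:
        avg = avg * (1.0 - weight) + depth * weight
        history.append(avg)
    return history


def drop_probability(avg: float, min_threshold: float, max_threshold: float,
                     scale: float) -> float:
    """Textbook RED ramp (assumed shape): no drops below the minimum
    threshold, a linear rise to `scale` percent at the maximum threshold,
    and every packet dropped at or above the maximum threshold."""
    if not 0 <= min_threshold < max_threshold <= 100:
        raise ValueError("thresholds must satisfy 0 <= min < max <= 100")
    if avg < min_threshold:
        return 0.0
    if avg >= max_threshold:
        return 100.0
    return scale * (avg - min_threshold) / (max_threshold - min_threshold)


def samples_at_risk(samples: Iterable[float], n: int, min_threshold: float) -> int:
    """Count sampling intervals in which the average is at or above the
    minimum threshold, i.e. intervals in which WRED may drop packets."""
    return sum(1 for avg in average_depths(samples, n) if avg >= min_threshold)


# Constructed input: an idle queue, a three-sample burst to 100%, then idle.
BURST = [0.0] * 5 + [100.0] * 3 + [0.0] * 5

if __name__ == "__main__":
    for n in (0, 1, 2, 4):
        peak = max(average_depths(BURST, n))
        risky = samples_at_risk(BURST, n, min_threshold=40.0)
        print(f"n={n}: peak average {peak:6.2f}%, intervals at or above 40%: {risky}")
```

A small n tracks the instantaneous depth and starts dropping during short bursts; a large n ignores them but also reacts late to sustained congestion.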
• Packets that are pre-colored yellow and exceed the PIR will be colored red. This does not apply to the simple algorithm since there is no yellow pre-coloring.
• Packets that are pre-colored red remain colored red.

Refer to RFC 2697 and RFC 2698 for further detail on color-aware and color-blind processing.

them as a result of exceeding the meter. Pre-colored packets are not re-colored to green or yellow by the meter. Yellow packets may be colored red as a result of exceeding the meter. Refer to RFC 2697 for further details.

Two-Rate Meter Implementation

The police-two-rate algorithm implements a two-rate Three-Color Marker (trTCM) per RFC 2698. The trTCM algorithm is useful in situations where a peak rate needs to be enforced separately from a committed rate.
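The following is an added example, not the switch's implementation: a small two-rate three-color meter written from the RFC 2698 token-bucket rules, in both color-blind and color-aware modes, to make the pre-coloring behavior described above concrete. The rates, burst sizes and packet sequences are constructed, and the units (bytes and bytes per second) are an assumption of this sketch.

```python
from typing import List, Sequence, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"


class TwoRateMeter:
    """trTCM after RFC 2698: bucket Tc fills at CIR up to CBS and
    bucket Tp fills at PIR up to PBS."""

    def __init__(self, cir: float, cbs: float, pir: float, pbs: float,
                 color_aware: bool = False):
        if pir < cir:
            raise ValueError("RFC 2698 requires PIR >= CIR")
        if cbs <= 0 or pbs <= 0:
            raise ValueError("burst sizes must be greater than zero")
        self.cir, self.cbs, self.pir, self.pbs = cir, cbs, pir, pbs
        self.color_aware = color_aware
        self.tc = float(cbs)   # both buckets start full
        self.tp = float(pbs)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        elapsed = now - self.last
        if elapsed < 0:
            raise ValueError("packet times must not go backwards")
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        self.last = now

    def meter(self, now: float, size: int, pre_color: str = GREEN) -> str:
        """Return the color assigned to a packet of `size` bytes at time `now`."""
        self._refill(now)
        # A color-blind meter treats every packet as if it arrived green.
        incoming = pre_color if self.color_aware else GREEN
        if incoming == RED or self.tp < size:
            return RED                      # red packets consume no tokens
        if incoming == YELLOW or self.tc < size:
            self.tp -= size                 # yellow consumes peak tokens only
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN


def run(meter: TwoRateMeter, packets: Sequence[Tuple]) -> List[str]:
    """Meter (time, size[, pre_color]) tuples in order and list the colors."""
    return [meter.meter(*p) for p in packets]


def demo_color_blind() -> List[str]:
    m = TwoRateMeter(cir=1000, cbs=2000, pir=2000, pbs=4000)
    # Five back-to-back 1000-byte packets, then two more one second later.
    return run(m, [(0.0, 1000)] * 5 + [(1.0, 1000)] * 2)


def demo_color_aware() -> List[str]:
    m = TwoRateMeter(cir=1000, cbs=2000, pir=2000, pbs=4000, color_aware=True)
    return run(m, [(0.0, 1000, YELLOW), (0.0, 1000, RED), (0.0, 1000, GREEN),
                   (0.0, 1000, YELLOW), (0.0, 1000, YELLOW), (0.0, 1000, YELLOW)])


if __name__ == "__main__":
    print("color-blind:", demo_color_blind())
    print("color-aware:", demo_color_aware())
```

In the color-aware run the first yellow packet stays yellow although committed tokens are available, the red packet stays red, and the last yellow packet turns red once the peak bucket is empty.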
44 Class-of-Service

Dell EMC Networking N-Series Switches

This chapter describes how to configure the Class-of-Service (CoS) feature. The CoS queuing feature lets you directly configure certain aspects of switch queuing. This provides the desired QoS behavior for different types of network traffic when the complexities of DiffServ are not required. The priority of a packet arriving at an interface can be used to steer the packet to the appropriate outbound CoS queue through a mapping table.
Each ingress port on the switch has a default priority value (set by configuring VLAN Port Priority in the Switching sub-menu) that determines the egress queue its traffic gets forwarded to. Packets that arrive without a VLAN user priority, or packets from ports you’ve identified as “untrusted,” get forwarded according to this default.

What Are Trusted and Untrusted Port Modes?

Ports can be configured in “trusted” mode or “untrusted” mode with respect to ingress traffic.

How Are Traffic Queues Defined?

For each queue, the following can be specified:

• Minimum bandwidth guarantee—A percentage of the port’s maximum negotiated bandwidth reserved for the queue. Unreserved bandwidth can be utilized by lower-priority queues. If the sum of the minimum bandwidth is 100%, then there is no unreserved bandwidth and no sharing of bandwidth is possible.

• Weighted Random Early Detection (WRED)—Drops packets queued for transmission on an interface selectively based on their drop precedence level. For each of four drop precedence levels on each WRED-enabled interface queue, the following parameters can be configured:

– Minimum Threshold: A percentage of the interface queue size below which no packets of the selected drop precedence level are dropped.
CoS Queue Usage CoS queue 7 is reserved by the system and is not assignable. It is generally recommended that the administrator utilize CoS queues 0 to 3, as CoS queues 4-6 may be used by the system for other types of system traffic, for example, routing protocol PDU handling. Default CoS Values Table 44-1 shows the global default values for CoS. Table 44-1. CoS Global Defaults Parameter Default Value Trust Mode 802.1p User Priority 802.1p CoS value to queue mapping 802.
Table 44-1.
Configuring CoS (Web)

This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring CoS features on Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.

Mapping Table Configuration

Use the Mapping Table Configuration page to define how class of service is assigned to a packet.
To display the Queue Mapping Table for the selected Trust Mode, click the Show All link at the top of the page. The following figure shows the queue mapping table when CoS (802.1p) is selected as the Trust Mode. Figure 44-2.
Interface Configuration

Use the Interface Configuration page to define the interface shaping rate for egress packets on an interface and the decay exponent for WRED queues defined on the interface. Each interface CoS parameter can be configured globally or per-port. A global configuration change is applied to all interfaces in the system. To display the Interface Configuration page, click Quality of Service → Class of Service → Interface Configuration in the navigation panel.

Figure 44-3.

Interface Queue Configuration

Use the Interface Queue Configuration page to configure egress queues on interfaces. The settings you configure control the amount of bandwidth the queue uses, the scheduling method, and the queue management method. The configuration process is simplified by allowing each CoS queue parameter to be configured globally or per-port. A global configuration change is applied to the same queue ID on all ports in the system.

To access the Interface Queue Status page, click the Show All link at the top of the page.

Interface Queue Drop Precedence Configuration

Use the Interface Queue Drop Precedence Configuration page to configure thresholds and scaling values for each of four drop precedence levels on a WRED-enabled interface queue. The settings you configure control the minimum and maximum thresholds and a drop probability scaling factor for the selected drop precedence level.
Figure 44-5. Interface Queue Drop Precedence Configuration

To access the Interface Queue Drop Precedence Status page, click the Show All link at the top of the page.

Configuring CoS (CLI)

This section provides information about the commands used for configuring CoS settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. The interface mode commands shown in this section may also be used in Global Configuration mode to configure CoS for all interfaces.
CLI Command
    Description
show classofservice ip-dscp-mapping
    Display the current IP DSCP mapping to internal traffic classes for a specific interface.
show classofservice trust
    Display the current trust mode setting for a specific interface.

CoS Interface Configuration Commands
Use the following commands to configure the traffic shaping and WRED exponent values for an interface.

CLI Command
    Description
configure
    Enter Global Configuration mode.
CLI Command
    Description
configure
    Enter Global Configuration mode.
interface interface
    Enter Interface Configuration mode, where interface is replaced by gigabitethernet unit/slot/port, tengigabitethernet unit/slot/port, or port-channel portchannel number.
cos-queue min-bandwidth bw
    Specify the minimum transmission bandwidth (range: 0-100% in 1% increments) for each interface queue. The sum of the configured minimum bandwidths should be less than 100% to allow for buffering of bursty traffic.
Configuring Interface Queue Drop Probability Use the following commands to configure characteristics of the drop probability and view related settings. The drop probability supports configuration in the range of 0 to 10%, and the discrete values 25%, 50%, and 75%. Values not listed are truncated to the next lower value in hardware. Not all switches support all colors (or non-TCP thresholds) or thresholds. Drop probability settings also vary among the switch families.
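How the truncation rule above interacts with the WRED thresholds, as an added Python model (not Dell code and not part of the guide). The linear ramp between the minimum and maximum thresholds, the drop of everything above the maximum, and the moving-average formula driven by the decay exponent are conventional RED behaviour and are assumptions here; all function names are hypothetical.

```python
"""WRED drop-probability model (added illustration, not switch firmware)."""

# Scale values the guide says are configurable: every integer from 0 to 10 %,
# plus the discrete values 25, 50 and 75 %.
SUPPORTED_SCALES = tuple(range(0, 11)) + (25, 50, 75)


def effective_scale(configured_pct):
    """Truncate a configured drop probability to the next lower supported value."""
    if not 0 <= configured_pct <= 100:
        raise ValueError("drop probability must be between 0 and 100 %")
    return max(v for v in SUPPORTED_SCALES if v <= configured_pct)


def averaged_fill(samples_pct, decay_exponent):
    """Smooth instantaneous queue fill (in %) with a moving average.

    ASSUMPTION: avg += (sample - avg) / 2**decay_exponent, the textbook RED
    average. A larger exponent makes the average react more slowly to bursts.
    """
    if decay_exponent < 0:
        raise ValueError("decay exponent must not be negative")
    weight = 1.0 / (2 ** decay_exponent)
    avg = 0.0
    series = []
    for sample in samples_pct:
        avg += (sample - avg) * weight
        series.append(avg)
    return series


def drop_probability(fill_pct, min_thresh, max_thresh, configured_pct):
    """Drop probability in % for one drop precedence level at a given fill."""
    if not 0 <= min_thresh <= max_thresh <= 100:
        raise ValueError("thresholds must satisfy 0 <= min <= max <= 100")
    scale = effective_scale(configured_pct)
    if fill_pct < min_thresh:
        return 0.0                      # below the minimum: never dropped
    if fill_pct > max_thresh:
        return 100.0                    # ASSUMPTION: above the maximum, drop all
    if max_thresh == min_thresh:
        return float(scale)             # no ramp when the thresholds coincide
    # ASSUMPTION: linear ramp from 0 at min_thresh to `scale` at max_thresh.
    return scale * (fill_pct - min_thresh) / (max_thresh - min_thresh)


def drops_for_series(samples_pct, decay_exponent, min_thresh, max_thresh,
                     configured_pct):
    """Drop probability at each sample after averaging the queue fill."""
    return [
        drop_probability(avg, min_thresh, max_thresh, configured_pct)
        for avg in averaged_fill(samples_pct, decay_exponent)
    ]


if __name__ == "__main__":
    # Constructed queue-fill samples: a sustained burst and a one-sample spike.
    sustained = [0, 100, 100, 100]
    spike = [0, 100, 0, 0]
    for configured in (10, 15, 30):
        print(configured, "% configured ->", effective_scale(configured), "% used")
    print("sustained, exponent 1:", drops_for_series(sustained, 1, 50, 100, 15))
    print("spike, exponent 3:   ", drops_for_series(spike, 3, 50, 100, 15))
```

Under the truncation rule, a configured value of 15% gives the same curve as 10%, so check the value the hardware actually uses before relying on a setting between the supported steps.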
CoS Configuration Example Figure 44-6 illustrates the network operation as it relates to CoS mapping and queue configuration. Four packets arrive at the ingress port te1/0/10 in the order A, B, C, and D. Port te1/0/10 is configured to trust the 802.1p field of the packet, which serves to direct packets A, B, and D to their respective queues on the egress port. These three packets utilize the 802.1p to CoS Mapping Table for port te1/0/10. In this example, the 802.
Continuing this example, the egress port te1/0/8 is configured for strict priority on queue 4, and a weighted scheduling scheme is configured for queues 3-0. Assuming queue 3 has a higher minimum bandwidth than queue 1 (relative bandwidth values are shown as a percentage, with 0% indicating the bandwidth is shared according to the default weighting), the queue service order, when congested, is 4 followed by 3 followed by 1.
classes generally use the default WRR scheduling mode as opposed to strict priority, to avoid starving other traffic. For example, the following commands assign 802.1p user priority 4 to CoS queue 4 and reserve 50% of the scheduler time slices for CoS queue 4. This implies that, when the switch is congested, the scheduler will service CoS queue 4 fifty percent of the time to the exclusion of all other CoS queues, including higher-priority CoS queues.
Explicit Congestion Notification Explicit Congestion Notification (ECN) is defined in RFC 3168. Conventional TCP networks signal congestion by dropping packets. A Random Early Discard scheme provides earlier notification than tail drop. ECN marks congested packets that would otherwise have been dropped and expects an ECN-capable receiver to signal congestion back to the transmitter without the need to retransmit the packet that would have been dropped.
Dell EMC Networking implements ECN capability as part of the WRED configuration process. Eligible packets are marked by hardware based upon the WRED configuration. The network operator can configure any CoS queue to operate in ECN marking mode and can configure different discard thresholds for each color.
Example 1: SLA Configuration
The following example configures a simple meter and a trTCM meter in support of a network SLA. The SLA classes are segregated by CoS class as described in the comments.
1 Define a class-map so that all traffic will be in the set of traffic “cos-any”.
console#config
console(config)#class-map match-all cos-any ipv4
console(config-classmap)#match any
console(config-classmap)#exit
2 Define a class-map such that all traffic with a CoS value of 1 will be in the set of traffic “cos1.
6 Create a simple policer in color blind mode. Packets below the committed information rate (CIR) or committed burst size (CBS) are assigned drop precedence green. Packets that exceed the CIR (in Kbps) or CBS (in Kbytes) are colored red. Both the conform and violate actions are set to transmit as WRED is used to drop packets when congested.
• TCP packets with rates higher than the PIR/PBS or which belong to neither class CoS 1 nor class CoS 2 violate the rate (red). These packets will be dropped randomly at an increasing rate between 0 and 10% when the outgoing interface is congested between 50 and 100%.
• Non-TCP packets in CoS queue 0 or 1 will be dropped randomly at an increasing rate between 0 and 15% when the outgoing interface is congested between 50 and 100%.
console(config)#interface Te1/0/22
console(config-if-Te1/0/22)#service-policy in simple-policy
console(config-if-Te1/0/22)#exit
console(config)#interface Te1/0/23
console(config-if-Te1/0/23)#service-policy in two-rate-policy
console(config-if-Te1/0/23)#exit
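The coloring done by the simple policer and the trTCM meter in Example 1, as an added Python model (not Dell code and not part of the guide). It assumes the color-blind two-rate algorithm of RFC 2698 for the trTCM meter, 1 Kbyte = 1024 bytes, and buckets that start full; the class and function names are hypothetical.

```python
"""Color-blind policer models for the SLA example (added illustration)."""

KBYTE = 1024  # ASSUMPTION: the guide's "Kbytes" is taken as 1024 bytes


class TokenBucket:
    """Byte-token bucket filled at a rate in Kbps up to a burst size in Kbytes."""

    def __init__(self, rate_kbps, burst_kbytes):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8
        self.capacity = float(burst_kbytes * KBYTE)
        self.tokens = self.capacity   # ASSUMPTION: the bucket starts full
        self.last = 0.0

    def refill(self, now):
        """Add the tokens earned since the previous packet, capped at the burst."""
        if now < self.last:
            raise ValueError("timestamps must not go backwards")
        earned = (now - self.last) * self.rate_bytes_per_s
        self.tokens = min(self.capacity, self.tokens + earned)
        self.last = now

    def has(self, size):
        return self.tokens >= size

    def take(self, size):
        self.tokens -= size


class SimplePolicer:
    """Single-rate policer: traffic within CIR/CBS is green, the rest is red."""

    def __init__(self, cir_kbps, cbs_kbytes):
        self.committed = TokenBucket(cir_kbps, cbs_kbytes)

    def color(self, now, size):
        self.committed.refill(now)
        if self.committed.has(size):
            self.committed.take(size)
            return "green"
        return "red"


class TwoRatePolicer:
    """Two-rate three-color marker, color-blind mode (RFC 2698)."""

    def __init__(self, cir_kbps, cbs_kbytes, pir_kbps, pbs_kbytes):
        if pir_kbps < cir_kbps:
            raise ValueError("PIR must not be lower than CIR")
        self.committed = TokenBucket(cir_kbps, cbs_kbytes)
        self.peak = TokenBucket(pir_kbps, pbs_kbytes)

    def color(self, now, size):
        self.committed.refill(now)
        self.peak.refill(now)
        if not self.peak.has(size):
            return "red"              # exceeds PIR/PBS
        self.peak.take(size)
        if not self.committed.has(size):
            return "yellow"           # within PIR/PBS but above CIR/CBS
        self.committed.take(size)
        return "green"                # within CIR/CBS


def color_stream(policer, packets):
    """Color each (arrival time in seconds, size in bytes) packet in order.

    The color is only a drop precedence: as in the example, every packet is
    still transmitted and WRED decides what to drop under congestion.
    """
    return [policer.color(now, size) for now, size in packets]


# Constructed sample: three back-to-back 1000-byte packets, then one a second later.
SAMPLE_PACKETS = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (1.0, 1000)]

if __name__ == "__main__":
    print("simple:", color_stream(SimplePolicer(8, 2), SAMPLE_PACKETS))
    print("trTCM: ", color_stream(TwoRatePolicer(8, 1, 16, 2), SAMPLE_PACKETS))
```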
Example 2: Long-Lived Congestion The following example enables WRED discard for non-color-aware traffic. Since a color-aware policer is not enabled, all traffic is treated as if it were colored “green.” This means that only the “green” TCP and non-TCP WRED thresholds are active. Since the default CoS queue is 1, this example is suitable as a starting point for configuring WRED on a switch using the default settings.
In the first line of the configuration below, the first integer after the minthresh keyword configures green-colored Congestion Enabled TCP packets in CoS queues 0 and 1 that exceed the WRED threshold (13% or ~38 Kbytes) to mark packets as Congestion Experienced. The first integer after the maxthresh parameter configures the upper threshold for green-colored TCP packets to the same value as the min-thresh threshold.
Auto VoIP 45 Dell EMC Networking N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches Voice over Internet Protocol (VoIP) allows you to make telephone calls over a data network such as the Internet. With the increased prominence of delay-sensitive applications (voice, video, and other multimedia applications) deployed in networks today, proper QoS configuration will ensure high-quality application performance.
Auto VoIP is limited to 16 active sessions and makes use of the switch CPU to classify traffic. It is preferable to use the Voice VLAN feature in larger enterprise environments as it uses the switching silicon to classify voice traffic onto a VLAN. Auto VoIP is incompatible with Voice VLAN and should not be enabled on switches on which Voice VLAN is enabled. How Does Auto VoIP Use ACLs? Auto VoIP utilizes ACL lists from the global system pool.
Configuring Auto VoIP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring Auto VoIP features on Dell EMC Networking N-Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. Auto VoIP Global Configuration Use the Global Configuration page to enable or disable Auto VoIP on all interfaces.
Figure 45-2. Auto VoIP Interface Configuration To display summary Auto VoIP configuration information for all interfaces, click the Show All link at the top of the page. Figure 45-3.
Configuring Auto VoIP (CLI) This section provides information about the commands used for configuring Auto VoIP settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support. Mapping Table Configuration Use the following commands to enable Auto VoIP and view its configuration. CLI Command Description configure Enter Global Configuration mode.
IPv4 and IPv6 Multicast 46 Dell EMC Networking N3000, N3100-ON, and N4000 Series Switches NOTE: This feature is available only on Dell EMC Networking N3000, N3100-ON and N4000 Series switches. This chapter describes how to configure and monitor layer-3 (L3) multicast features for IPv4 and IPv6, including global IP and IPv6 multicast features as well as multicast protocols, including IGMP, DVMRP, and PIM for IPv4 and MLD and PIM for IPv6.
recipient host. The IP routing protocols can route multicast traffic, but the IP multicast protocols handle the multicast traffic more efficiently with better use of network bandwidth. Applications that often send multicast traffic include video or audio conferencing, Whiteboard tools, stock distribution tickers, and IP-based television (IP/TV). What Is IP Multicast Traffic? IP multicast traffic is traffic that is destined to a host group.
239.0.0.0/8 is the locally scoped IPv4 multicast address range. Use addresses from this block for local/intra-domain multicast traffic. See RFC 2365 for further information.
233.0.0.0/8 is the GLOP IPv4 public address range and is suitable for interdomain multicast traffic. See RFC 2770 for further information.
232.0.0.0/8 is the PIM-SSM IPv4 public address space and is suitable for interdomain traffic. See RFC 4608 for further information.
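A classifier for the address ranges listed above, as an added Python example (not Dell code and not part of the guide). It also derives the GLOP /24 for a 16-bit AS number, which GLOP places in the second and third octets of 233.0.0.0/8, recognizes the IPv6 SSM range ff3x::/32, and flags locally scoped groups seen on interdomain interfaces; the function names, VLAN names and sample observations are constructed for illustration.

```python
"""Classify multicast groups by the documented ranges (added illustration)."""
import ipaddress

# IPv4 ranges named in the text above.
IPV4_RANGES = (
    ("local-scope", ipaddress.ip_network("239.0.0.0/8")),  # RFC 2365
    ("glop", ipaddress.ip_network("233.0.0.0/8")),         # RFC 2770
    ("ssm", ipaddress.ip_network("232.0.0.0/8")),          # RFC 4608
)


def classify_group(addr):
    """Return 'local-scope', 'glop', 'ssm' or 'other' for a multicast group."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    if ip.version == 6:
        raw = ip.packed
        # ff3x::/32: first byte ff, flags nibble 3, any scope nibble,
        # and the next 16 bits all zero.
        if raw[1] >> 4 == 0x3 and raw[2] == 0 and raw[3] == 0:
            return "ssm"
        return "other"
    for label, network in IPV4_RANGES:
        if ip in network:
            return label
    return "other"


def glop_block(asn):
    """Return the GLOP /24 that belongs to a 16-bit AS number."""
    if not 0 <= asn <= 0xFFFF:
        raise ValueError("GLOP addressing covers 16-bit AS numbers only")
    return ipaddress.ip_network(f"233.{asn >> 8}.{asn & 0xFF}.0/24")


def find_scope_leaks(observations, interdomain_interfaces):
    """List (interface, group) pairs where a locally scoped group was seen
    on an interface that faces another domain."""
    return [
        (interface, group)
        for interface, group in observations
        if interface in interdomain_interfaces
        and classify_group(group) == "local-scope"
    ]


# Constructed sample: groups observed per routing interface.
SAMPLE_OBSERVATIONS = [
    ("vlan10", "239.1.1.1"),     # local group on an internal VLAN: expected
    ("vlan200", "239.1.1.1"),    # same group on the interdomain VLAN: leak
    ("vlan200", "232.5.5.5"),    # SSM group, suitable for interdomain use
    ("vlan200", "233.22.30.9"),  # GLOP group, suitable for interdomain use
]

if __name__ == "__main__":
    for iface, group in SAMPLE_OBSERVATIONS:
        print(iface, group, classify_group(group))
    print("GLOP block for AS 5662:", glop_block(5662))
    print("leaks:", find_scope_leaks(SAMPLE_OBSERVATIONS, {"vlan200"}))
```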
What Are the Multicast Protocol Roles? Hosts must have a way to identify their interest in joining any particular multicast group, and routers must have a way to collect and maintain group memberships. These functions are handled by the IGMP protocol in IPv4. In IPv6, multicast routers use the Multicast Listener Discovery (MLD) protocol to maintain group membership information.
contain two ports, one on each connecting switch. A VLAN carrying multicast traffic should never traverse a multicast router, as ingress multicast traffic is layer-2-switched across the VLAN, defeating the purpose of the multicast router. Determining Which Multicast Protocols to Enable IGMP is required on any multicast router that serves IPv4 hosts. IGMP is not required on inter-router links. MLD is required on any router that serves IPv6 hosts. MLD is not required on inter-router links.
What Is IGMP? The Internet Group Management Protocol (IGMP) is used by IPv4 systems (hosts, L3 switches, and routers) to report their IP multicast group memberships to any neighboring multicast routers. The Dell EMC Networking N-Series switch performs the multicast router role of the IGMP protocol, which means it collects the membership information needed by the active multicast routing protocol. IGMP is automatically enabled when PIM or DVMRP is enabled via the CLI.
What Is MLD? The Multicast Listener Discovery (MLD) protocol enables IPv6 routers to discover the presence of multicast listeners, the hosts that wish to receive the multicast data packets, on their directly attached interfaces. The protocol specifically discovers which multicast addresses are of interest to its neighboring nodes and provides this information to the active multicast routing protocol that makes decisions on the flow of multicast data packets.
Using PIM-SM as the Multicast Routing Protocol PIM-SM is used to efficiently route multicast traffic to multicast groups that may span wide area networks and where bandwidth is constrained. PIM-SM uses shared trees by default and implements source-based trees for efficiency. PIM-SM assumes that no hosts want the multicast traffic unless they specifically ask for it.
PIM-SM Protocol Operation This section describes the workings of PIM-SM protocol per RFC 4601. The protocol operates essentially in three phases, as explained in the following sections. Phase-1: RP Tree Figure 46-1. PIM-SM Shared Tree Join • In this example, an active receiver (attached to leaf router at the bottom of the drawing) has joined multicast group “G”.
Phase-2: Register Stop Figure 46-2. PIM-SM Sender Registration—Part 1 • As soon as an active source for group G sends a packet, the designated router (DR) that is attached to this source is responsible for “Registering” this source with the RP and requesting the RP to build a tree back to that router. • To do this, the source router encapsulates the multicast data from the source in a special PIM-SM message, called the Register message, and unicasts that data to the RP.
Figure 46-3. PIM-SM Sender Registration—Part 2 • As soon as the SPT is built from the Source router to the RP, multicast traffic begins to flow unencapsulated from source S to the RP. • Once this is complete, the RP Router will send a “Register Stop” message to the first-hop router to tell it to stop sending the encapsulated data to the RP.
Phase 3: Shortest Path Tree Figure 46-4. PIM-SM SPT—Part 1 • PIM-SM has the capability for last-hop routers (i.e., routers with directly connected group members) to switch to the Shortest-Path Tree and bypass the RP. This switchover is based upon an implementation-specific function called SwitchToSptDesired(S,G) in the standard and generally takes a number of seconds to switch to the SPT.
Figure 46-5. PIM-SM SPT—Part 2 • Finally, special (S, G) RP-bit Prune messages are sent up the Shared Tree to prune off this (S, G) traffic from the Shared Tree. If this were not done, (S, G) traffic would continue flowing down the Shared Tree resulting in duplicate (S, G) packets arriving at the receiver.
Figure 46-6. PIM-SM SPT—Part 3 • At this point, (S, G) traffic is now flowing directly from the first-hop router to the last-hop router and from there to the receiver.
Figure 46-7. PIM-SM SPT—Part 4 • At this point, the RP no longer needs the flow of (S, G) traffic since all branches of the Shared Tree (in this case there is only one) have pruned off the flow of (S, G) traffic. • As a result, the RP will send (S, G) Prunes back toward the source to shut off the flow of the now unnecessary (S, G) traffic to the RP. NOTE: This will occur if the RP has received an (S, G) RP-bit Prune on all interfaces on the Shared Tree.
Figure 46-8. PIM-SM SPT—Part 5 • As a result of the SPT-Switchover, (S, G) traffic is now flowing only from the first-hop router to the last-hop router and from there to the receiver. Notice that traffic is no longer flowing to the RP. The PIM standard requires support for multi-hop RP in that a router running PIM can act as an RP even if it is multiple router hops away from the multicast source.
• Limiting the number of packets sent to the RP by the first-hop router. When a multicast data source (S) starts sending data destined for a multicast group (G), the first-hop router receives these packets and traps them to its local CPU. A Dell EMC Networking first-hop router immediately blocks further data packets in the stream and prevents them from reaching the CPU.
leads to significantly faster response times for receiving the full multicast stream directly from the first-hop router (as opposed to the typical bandwidth-limited stream traversing the RP). Using PIM-DM as the Multicast Routing Protocol Unlike PIM-SM, PIM-DM creates source-based shortest-path distribution trees that make use of reverse-path forwarding (RPF). PIM-DM assumes that when a sender starts sending data, all downstream routers and hosts want to receive a multicast datagram.
NOTE: In addition to DVMRP, the switch supports the Protocol-Independent Multicast (PIM) sparse-mode (PIM-SM) and dense-mode (PIM-DM) routing protocols. Only one multicast routing protocol can be operational on the switch at any time. If you enable DVMRP, PIM must be disabled. Similarly, if PIM is enabled, DVMRP must be disabled. DVMRP exchanges probe packets with all its DVMRP-enabled routers, it establishes two-way neighboring relationships, and it builds a neighbor table.
DVMRP is best suited for small networks where the majority of hosts request a given multicast traffic stream. DVMRP is similar to PIM-DM in that it floods multicast packets throughout the network and prunes branches where the multicast traffic is not desired. DVMRP was developed before PIM-DM, and it has several limitations that do not exist with PIM-DM. You might use DVMRP as the multicast routing protocol if it has already been widely deployed within the network.
Default L3 Multicast Values IP and IPv6 multicast is disabled by default. Table 46-2 shows the default values for L3 multicast and the multicast protocols. Table 46-2.
Configuring General IPv4 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the L3 multicast features that are not protocol-specific on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Multicast Interface Configuration Use the Interface Configuration page to configure the TTL threshold of a multicast interface. At least one VLAN routing interface must be configured on the switch before fields display on this page. To display the page, click IPv4 Multicast Multicast Interface Configuration in the navigation panel. Figure 46-10.
Multicast Route Table Use the Route Table page to view information about the multicast routes in the IPv4 multicast routing table. To display the page, click IPv4 Multicast Multicast Multicast Route Table in the navigation panel. Figure 46-11. Multicast Route Table
Multicast Admin Boundary Configuration The definition of an administratively scoped boundary is a way to stop the ingress and egress of multicast traffic for a given range of multicast addresses on a given routing interface. Use the Admin Boundary Configuration page to configure a new or existing administratively scoped boundary. To see this page, you must have configured a valid routing interface and multicast.
Multicast Admin Boundary Summary Use the Admin Boundary Summary page to display existing administratively scoped boundaries. To display the page, click IPv4 Multicast Multicast Admin Boundary Summary in the navigation panel. Figure 46-13. Multicast Admin Boundary Summary Multicast Static MRoute Configuration Use the Static MRoute Configuration page to configure a new static entry in the Mroute table or to modify an existing entry.
Multicast Static MRoute Summary Use the Static MRoute Summary page to display static routes and their configurations. To display the page, click IPv4 Multicast Multicast Static MRoute Summary in the navigation panel. Figure 46-15.
Configuring IPv6 Multicast Features (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IPv6 multicast features that are not protocol-specific on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Configuring IGMP and IGMP Proxy (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the IGMP and IGMP proxy features on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. IGMP Global Configuration Use the Global Configuration page to set IGMP on the system to active or inactive.
IGMP Interface Configuration Use the Interface Configuration page to configure and/or display router interface parameters. At least one valid routing interface must be configured before this page can be accessed to configure IP Multicast IGMP. To display the page, click IPv4 Multicast IGMP Routing Interface Interface Configuration in the navigation panel. Figure 46-18.
IGMP Interface Summary Use the Interface Summary page to display IGMP routing parameters and data. You must configure at least one IGMP router interface to access this page. To display the page, click IPv4 Multicast IGMP Routing Interface Interface Summary in the navigation panel. Figure 46-19. IGMP Interface Summary IGMP Cache Information Use the Cache Information page to display cache parameters and data for an IP multicast group address.
Figure 46-20. IGMP Cache Information IGMP Interface Source List Information Use the Source List Information page to display detailed membership information for an interface. Group membership reports must have been received on the selected interface for data to display information. To display the page, click IPv4 Multicast IGMP Routing Interface Source List Information in the navigation panel. Figure 46-21.
IGMP Proxy Interface Configuration The IGMP Proxy is used by IGMP Router (IPv4 system) to enable the system to issue IGMP host messages on behalf of hosts that the system discovered through standard IGMP router interfaces. Thus, this feature acts as proxy to all hosts residing on its router interfaces. Use the Interface Configuration page to configure IGMP proxy for a VLAN interface.
IGMP Proxy Configuration Summary Use the Configuration Summary page to display proxy interface configurations by interface. You must have configured at least one VLAN routing interface before data displays on this page. To display the page, click IPv4 Multicast IGMP Proxy Interface Configuration Summary in the navigation panel. Figure 46-23.
IGMP Proxy Interface Membership Info Use the Interface Membership Info page to display interface membership data for a specific IP multicast group address. At least one VLAN routing interface must be configured for this page to display interface membership information, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, no data displays on this page.
Detailed IGMP Proxy Interface Membership Information Use the Interface Membership Info Detailed page to display detailed interface membership data. At least one VLAN routing interface must be configured before detailed interface membership information can be displayed, and it should not be an IGMP routing interface. Also, if no group membership reports have been received on the selected interface, then no data can be displayed.
Configuring MLD and MLD Proxy (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring the MLD and MLD proxy features on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. MLD Global Configuration Use the Global Configuration page to administratively enable and disable the MLD service.
MLD Routing Interface Configuration Use the Interface Configuration page to enable selected IPv6 router interfaces to discover the presence of multicast listeners, the nodes who wish to receive the multicast data packets, on its directly attached interfaces. To access this page, click IPv6 Multicast MLD Routing Interface Interface Configuration in the navigation panel. Figure 46-27.
MLD Routing Interface Summary Use the Interface Summary page to display information and statistics on a selected MLD-enabled interface. You must configure at least one IGMP VLAN routing interface to access this page. To access this page, click IPv6 Multicast MLD Routing Interface Interface Summary in the navigation panel. Figure 46-28.
Figure 46-29. MLD Routing Interface Cache Information MLD Routing Interface Source List Information The Interface Source List Information page displays detailed membership information for an interface. You must configure at least one MLD VLAN routing interface to access this page. Also, group membership reports must have been received on the selected interface in order for data to be displayed here.
MLD Traffic The MLD Traffic page displays summary statistics on the MLD messages sent to and from the router. To access this page, click IPv6 Multicast MLD Routing Interface MLD Traffic in the navigation panel. Figure 46-31.
MLD Proxy Configuration When you configure an interface in MLD proxy mode, it acts as a proxy multicast host that sends MLD membership reports on one VLAN interface for MLD Membership reports received on all other MLD-enabled VLAN routing interfaces. Use the Interface Configuration page to enable and disable ports as MLD proxy interfaces. To display this page, click IPv6 Multicast MLD Proxy Interface Interface Configuration in the navigation panel. Figure 46-32.
MLD Proxy Configuration Summary Use the Configuration Summary page to view configuration and statistics on MLD proxy-enabled interfaces. To display this page, click IPv6 Multicast MLD Proxy Interface Configuration Summary in the navigation panel. Figure 46-33.
MLD Proxy Interface Membership Information The Interface Membership Information page lists each IP multicast group for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast MLD Proxy interface Interface Membership Info in the navigation panel. Figure 46-34.
Detailed MLD Proxy Interface Membership Information The Interface Membership Information Detailed page provides additional information about the IP multicast groups for which the MLD proxy interface has received membership reports. To display this page, click IPv6 Multicast MLD Proxy Interface Interface Membership Info Detailed in the navigation panel. Figure 46-35.
Configuring PIM for IPv4 and IPv6 (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring PIM-SM and PIM-DM for IPv4 and IPv6 multicast routing on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page.
Figure 46-36.
PIM Global Status Use the Global Status page to view the administrative status of PIM-DM or PIM-SM on the switch. To display the page, click IPv4 Multicast PIM Global Status or IPv6 Multicast PIM Global Status in the navigation panel. Figure 46-37.
PIM Interface Configuration Use the Interface Configuration page to configure specific VLAN routing interfaces with PIM. To display the page, click IPv4 Multicast PIM Interface Configuration or IPv6 Multicast PIM Interface Configuration in the navigation panel. Figure 46-38.
PIM Interface Summary Use the Interface Summary page to display a PIM-enabled VLAN routing interface and its settings. To display the page, click IPv4 Multicast PIM Interface Summary or IPv6 Multicast PIM Interface Summary in the navigation panel. Figure 46-39.
Candidate RP Configuration The Candidate RP is configured on the Add Candidate RP page. Use the Candidate RP Configuration page to display and delete the configured rendezvous points (RPs) for each port using PIM. To access the page, click IPv4 Multicast PIM Candidate RP Configuration or IPv6 Multicast PIM Candidate RP Configuration. Figure 46-40.
3 Select the VLAN interface for which the Candidate RP is to be configured.
4 Enter the group address transmitted in Candidate-RP-Advertisements.
5 Enter the prefix length transmitted in Candidate-RP-Advertisements to fully identify the scope of the group which the router supports if elected as a Rendezvous Point.
6 Click Apply Changes. The new Candidate RP is added, and the device is updated.
Static RP Configuration Use the Static RP Configuration page to display or remove the configured RP. The page also allows adding new static RPs by clicking the Add button. Only one RP address can be used at a time within a PIM domain. If the PIM domain uses the BSR to dynamically learn the RP, configuring a static RP is not required. However, the static RP can be configured to override any dynamically learned RP from the BSR.
Figure 46-43. Add Static RP
3 Enter the IP address of the RP for the group range.
4 Enter the group address of the RP.
5 Enter the group mask of the RP.
6 Check the Override option to configure the static RP to override the dynamic (candidate) RPs learned for same group ranges.
7 Click Apply. The new Static RP is added, and the device is updated.
SSM Range Configuration Use this page to display or remove the Source Specific Multicast (SSM) group IP address and group mask for the PIM router. To display the page, click IPv4 Multicast PIM SSM Range Configuration or IPv6 Multicast PIM SSM Range Configuration. Figure 46-44. SSM Range Configuration
Adding an SSM Range
To add the Source-Specific Multicast (SSM) Group IP Address and Group Mask (IPv4) or Prefix Length (IPv6) for the PIM router:
1 Open the SSM Range Configuration page.
2 Click Add.
Figure 46-45. Add SSM Range
3 Click the Add Default SSM Range check box to add the default SSM Range. The default SSM Range is 232.0.0.0/8 for IPv4 multicast and ff3x::/32 for IPv6 multicast.
4 Enter the SSM Group IP Address.
5 Enter the SSM Group Mask (IPv4) or SSM Prefix Length (IPv6).
6 Click Apply. The new SSM Range is added, and the device is updated.
BSR Candidate Configuration Use this page to configure information to be used if the interface is selected as a bootstrap router. To display the page, click IPv4 Multicast PIM BSR Candidate Configuration or IPv6 Multicast PIM BSR Candidate Configuration. Figure 46-46.
BSR Candidate Summary Use this page to display information about the configured BSR candidates. To display this page, click IPv4 Multicast PIM BSR Candidate Summary or IPv6 Multicast PIM BSR Elected Summary. Figure 46-47.
Configuring DVMRP (Web) This section provides information about the OpenManage Switch Administrator pages for configuring and monitoring DVMRP on Dell EMC Networking N3000, N3100-ON, and N4000 Series switches. For details about the fields on a page, click at the top of the Dell EMC OpenManage Switch Administrator web page. DVMRP Global Configuration Use the Global Configuration page to configure global DVMRP settings. It is strongly recommended that IGMP be enabled on any switch on which DVMRP is enabled.
DVMRP Interface Configuration Use the Interface Configuration page to configure a DVMRP VLAN routing interface. You must configure at least one router interface before you configure a DVMRP interface. Otherwise you see a message telling you that no router interfaces are available, and the configuration screen is not displayed. It is strongly recommended that IGMP be enabled on any interface on which DVMRP is enabled. This ensures that the multicast router behaves as expected.
DVMRP Configuration Summary Use the Configuration Summary page to display the DVMRP configuration and data for a selected interface. At least one VLAN routing interface must be configured before data can be displayed for a DVMRP interface. Otherwise, a message displays that no VLAN router interfaces are available, and the configuration summary screen is not displayed. To display the page, click IPv4 Multicast DVMRP Configuration Summary in the navigation panel. Figure 46-50.
DVMRP Next Hop Summary Use the Next Hop Summary page to display the next hop summary by Source IP. To display the page, click IPv4 Multicast DVMRP Next Hop Summary in the navigation panel. Figure 46-51.
DVMRP Prune Summary Use the Prune Summary page to display the prune summary by Group IP. To display the page, click IPv4 Multicast DVMRP Prune Summary in the navigation panel. Figure 46-52. DVMRP Prune Summary DVMRP Route Summary Use the Route Summary page to display the DVMRP route summary. To display the page, click IPv4 Multicast DVMRP Route Summary in the navigation panel. Figure 46-53.
Configuring L3 Multicast Features (CLI) This section provides information about the commands used for configuring general IPv4 multicast settings on the switch. For more information about the commands, see the Dell EMC Networking N1100-ON, N1500, N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches CLI Reference Guide at www.dell.com/support.
Command
    Purpose
ip multicast ttl-threshold ttlvalue
    Apply a Time to Live (TTL) value to the VLAN interface. The ttlvalue is the TTL threshold which is applied to the multicast data packets forwarded through the interface.
exit
    Exit to Global Config mode.
exit
    Exit to Privileged Exec mode.
show ip multicast
    View system-wide multicast information.
show ip mcast boundary {vlan vlan-id | all}
    View all the configured administrative scoped multicast boundaries.
Configuring and Viewing IPv6 Multicast Route Information Use the following commands to configure static IPv6 multicast routes on the switch and to view IPv6 multicast table information. Command Purpose configure Enter global configuration mode. ip multicast-routing Enable IPv4/IPv6 multicast routing. ip pim sparse-mode Enable PIM/IGMP. Multicast routing is not operationally enabled until IGMP or MLD is enabled. Create a static multicast route for a source range.
Configuring and Viewing IGMP
Use the following commands to configure IGMP on the switch and on VLAN routing interfaces and to view IGMP information.
Command
    Purpose
configure
    Enter global configuration mode.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
ip pim sparse-mode
    Enable PIM/IGMP on the switch. IGMP is implicitly enabled with PIM.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ip igmp version version
    Set the version of IGMP for an interface.
Command
    Purpose
ip igmp last-member-query-interval tenthsofseconds
    Configure the Maximum Response Time inserted in Group-Specific Queries which are sent in response to Leave Group messages. The range is 0–255 tenths of a second.
ip igmp last-member-query-count count
    Set the number of Group-Specific Queries sent before the router assumes that there are no local members on the interface. The range for count is 1–20.
CTRL + Z
    Exit to Privileged Exec mode.
show ip igmp
    View system-wide IGMP information.
Configuring and Viewing IGMP Proxy Use the following commands to configure the upstream VLAN routing interface as an IGMP proxy. The IGMP proxy issues host messages on behalf of the hosts that have been discovered on IGMP-enabled interfaces. The upstream interface is the interface closest to the root multicast router, which should be running IGMP. NOTE: Configure only the upstream interface as the IGMP proxy. IGMP should be enabled on all downstream interfaces.
Configuring and Viewing MLD
Use the following commands to configure MLD on the switch and on VLAN routing interfaces and to view IGMP information.
Command
    Purpose
configure
    Enter global configuration mode.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
ipv6 pim sparse-mode
    Enable PIM/MLD on the switch.
interface vlan vlan-id
    Enter Interface Configuration mode for the specified VLAN.
ipv6 mld version version
    Set the version of MLD for an interface. The version variable can be 1 or 2.
Command
    Purpose
show ipv6 mld interface stats [vlan vlan-id]
    View MLD statistics for all interfaces or for the specified interface.
show ipv6 mld groups [interface vlan vlan-id]
    View the registered multicast groups on the interface.
show ipv6 mld membership
    View the list of interfaces that have registered in any multicast group.
Configuring and Viewing MLD Proxy
Use the following commands to configure the upstream VLAN routing interface as an MLD proxy.
Command
    Purpose
show ipv6 mld host-proxy interface
    View a detailed list of the host interface status parameters. This command displays information only when MLD Proxy is operational.
show ipv6 mld host-proxy groups
    View a table of information about multicast groups that MLD Proxy reported. This command displays information only when MLD Proxy is operational.
Configuring and Viewing PIM-DM for IPv6 Multicast Routing
Use the following commands to configure PIM-DM for IPv6 multicast routing on the switch and on VLAN routing interfaces and to view PIM-DM information.
Command
    Purpose
configure
    Enter global configuration mode.
ipv6 unicast-routing
    Enable IPv6 routing. IPv6 routing is required for the operation of PIM.
ipv6 pim dense-mode
    Enable PIM-DM on the switch. Enabling IPv6 PIM enables MLD.
ip multicast-routing
    Enable IPv4/IPv6 multicast routing.
Configuring and Viewing PIM-SM for IPv4 Multicast Routing
Use the following commands to configure PIM-SM for IPv4 multicast routing on the switch and on VLAN routing interfaces and to view PIM-SM information.
Command
    Purpose
configure
    Enter global configuration mode.
ip routing
    Enable IP routing. Routing is required for PIM operation.
ip pim sparse-mode
    Enable PIM-SM as the multicast routing protocol on the switch. This command also enables IGMP.
Command
    Purpose
ip pim rp-candidate vlan vlan-id group-address group-mask [interval interval]
    Configure the router to advertise itself to the BSR router as a PIM candidate Rendezvous Point (RP) for a specific multicast group range.
    • vlan-id — A valid VLAN ID.
    • group-address — Group IP address supported by RP.
    • group-mask — Group subnet mask for group address.
    • interval — (Optional) Indicates the RP candidate advertisement interval. The range is from 1 to 16383 seconds.
Command
    Purpose
show ip pim interface vlan vlan-id
    View the PIM information for the specified interface.
show ip pim neighbor [interface vlan vlan-id | all]
    View a summary or all the details of the multicast table.
show ip pim rp-hash groupaddr
    View the RP router being selected for the specified multicast group address from the set of active RP routers. The RP router for the group is selected by using a hash algorithm.
Command
    Purpose
ipv6 pim bsr-candidate vlan vlan-id hash-mask-length [priority] [interval interval]
    Configure the switch to announce its candidacy as a bootstrap router (BSR).
    • vlan-id — A valid VLAN ID.
    • hash-mask-length — The length of a mask that is to be ANDed with the group address before the hash function is called. All groups with the same seed hash correspond to the same RP. For example, if this value is 24, only the first 24 bits of the group addresses matter.
Command
    Purpose
ipv6 enable
    Enable IPv6 on the VLAN.
ipv6 pim hello-interval seconds
    Specify the number of seconds (range: 0–65535) to wait between sending PIM hello messages on the interface.
ipv6 pim bsr-border
    Prevent bootstrap router (BSR) messages from being sent or received through the interface.
ipv6 pim dr-priority priority
    Set the priority value for which a router is elected as the designated router (DR). The election priority range is 0–2147483647.
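The effect of hash-mask-length on RP selection, and the kind of result show ip pim rp-hash reports, can be reproduced offline. This is an added example, not code from the Dell guide or the switch firmware: it assumes the hash function standardised in RFC 7761 section 4.7.2, handles IPv4 groups only, and assumes every candidate RP covers the group with equal priority. The candidate 192.168.20.4 and the group list are constructed sample values.

```python
"""IPv4 RP selection with the PIM-SM hash function of RFC 7761, section 4.7.2."""
import ipaddress
from collections import Counter


def hash_value(group, mask, candidate):
    """Value(G, M, C) for 32-bit integers G (group), M (hash mask), C (RP address)."""
    seed = (1103515245 * (group & mask) + 12345) & 0xFFFFFFFF
    return (1103515245 * (seed ^ candidate) + 12345) % (1 << 31)


def mask_from_length(hash_mask_length):
    """Turn a hash-mask-length such as 24 into the integer form of 255.255.255.0."""
    if not 0 <= hash_mask_length <= 32:
        raise ValueError("IPv4 hash-mask-length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - hash_mask_length)) & 0xFFFFFFFF


def select_rp(group, hash_mask_length, candidates):
    """Return the candidate RP elected for `group`.

    Narrowing assumption: every candidate advertises a range that covers the
    group with the same priority, so only the hash value decides, with the
    highest RP address breaking ties.
    """
    g = ipaddress.IPv4Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    if not candidates:
        raise ValueError("no candidate RPs supplied")
    mask = mask_from_length(hash_mask_length)

    def rank(rp):
        c = int(ipaddress.IPv4Address(rp))
        return (hash_value(int(g), mask, c), c)

    return max(candidates, key=rank)


def rp_load(groups, hash_mask_length, candidates):
    """Count how many of `groups` each candidate RP ends up serving."""
    return Counter(select_rp(g, hash_mask_length, candidates) for g in groups)


if __name__ == "__main__":
    # Constructed inputs: the first RP address appears in the PIM-SM example
    # of the guide, the second is a made-up peer for comparison.
    rps = ["192.168.10.4", "192.168.20.4"]
    groups = [f"239.9.{third}.{last}" for third in range(8) for last in (1, 77, 200)]
    for length in (16, 24, 32):
        print(f"hash-mask-length {length}: {dict(rp_load(groups, length, rps))}")
    # With length 24, the three groups in each 239.9.x.0/24 block share one RP.
    print(select_rp("239.9.1.1", 24, rps), select_rp("239.9.1.200", 24, rps))
```

A shorter mask keeps related groups on one RP; a longer mask spreads groups more finely across the candidate set.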
Configuring and Viewing DVMRP Information
Use the following commands to configure DVMRP on the switch and on VLAN routing interfaces and to view DVMRP information.
Command
    Purpose
configure
    Enter global configuration mode.
ip dvmrp
    Enable DVMRP on the switch. This command also enables IGMP.
ip routing
    Enable IP routing on the switch. IP routing is required for DVMRP.
ip multicast-routing
    Enable IP multicast.
L3 Multicast Configuration Examples
This section contains the following configuration examples:
• Configuring Multicast VLAN Routing With IGMP and PIM-SM
• Configuring DVMRP
Configuring Multicast VLAN Routing With IGMP and PIM-SM
This example describes how to configure a Dell EMC Networking N-Series switch with two VLAN routing interfaces that route IP multicast traffic between the VLANs. PIM and IGMP are enabled on the switch and interfaces to manage the multicast routing.
Figure 46-54. IPv4 Multicast VLAN Routing
In addition to multicast configuration, this example includes commands to configure STP and OSPF on L3 Switch A. STP is configured on the ports that connect the switch to other switches. OSPF is configured to route unicast traffic between the VLANs and PIM is enabled to route multicast traffic between the two VLANs. Since IGMP snooping is enabled by default on all VLANs, no commands to enable it appear in the example below.
console#configure
console(config)#vlan 10,20
console(config-vlan10,20)#exit
2 Configure ports 23 and 24 as trunk ports.
8 Globally enable IP multicast, IGMP, and PIM-SM on the switch.
console(config)#ip multicast-routing
console(config)#ip pim sparse-mode
9 Configure VLAN 10 as the RP and specify the range of multicast groups for PIM-SM to control. The 239.9.x.x address is chosen as it is a locally administered address that maps to MAC addresses that do not conflict with control plane protocols.
console(config)#ip pim rp-address 192.168.10.4 239.9.0.0 255.255.0.
Configuring DVMRP
The following example configures two DVMRP interfaces on the switch to enable inter-VLAN multicast routing. To configure the switch:
1 Globally enable IP routing and IP multicast.
console#configure
console(config)#ip routing
console(config)#ip multicast-routing
2 Globally enable DVMRP and IGMP so that this L3 switch can manage group membership information for its directly-connected hosts.
47 Audio Video Bridging
Dell EMC Networking N4000 Series Switches
NOTE: Full AVB support, including MSRP and 802.1AS, is available on Dell EMC Networking N4000 Series switches only. Support for MMRP/MVRP is available on the N3132P-ON and N3048EP-ON models when utilizing the Advanced firmware.
Overview
Audio Video Bridging (AVB) is a suite of protocols for reserving resources in the network to facilitate an end-to-end time-sensitive traffic flow. AVB uses the following protocols: • IEEE 802.
AVB data is usually multicast traffic, not necessarily in standard IPv4 multicast format. For example, the IEEE 1722 Audio Video Transport Protocol uses MAC addresses in the following ranges:
Address Range                          Function
91:E0:F0:00:00:00–91:E0:F0:00:FD:FF    Dynamic Allocation Pool
91:E0:F0:00:FE:00–91:E0:F0:00:FE:FF    Locally administered pool
91:E0:F0:00:FF:00–91:E0:F0:00:FF:FF    Reserved pool
MMRP, MVRP and MSRP share a common framework that provides services to the individual protocols.
The Dell EMC Networking N4000 AVB feature supports:
• IEEE 802.1ak (D8.0) Multiple Registration Protocol (MRP)
  – MVRP — Multiple VLAN Registration Protocol
  – MMRP — Multiple Multicast Registration Protocol
• IEEE 802.1as (D7.6)
  – Single unit only. No support on stack members.
  – Clock Master
  – Timing propagation
• IEEE 802.1Qat (D6.1)
  – Stream Reservation Protocol (MSRP)
• IEEE 802.1Qav (D7.0)
  – Forwarding and Queuing Enhancements for Time-Sensitive Streams
• IEEE 802.1ba (D2.
MSRP MSRP provides a mechanism for the reservation of resources for specific traffic streams traversing a bridged network. MSRP categorizes AVB devices into talkers (stream sources) and listeners (stream destinations). An AVB device may be both a talker and a listener. MSRP operates via several types of announcements (MRP declarations). The announcements are propagated throughout the AVB network. Announcements may occur in any order except when noted otherwise.
MVRP MVRP provides a mechanism for the declaration of dynamic registration of VLANs and propagation of VLAN information over a bridged network. The propagation of VLAN information via MRP allows MVRP-aware devices to dynamically establish and update the set of VLANs that are active on network devices and the ports through which those devices can be reached. With MVRP both end stations and bridges may issue and revoke VLAN membership declarations.
Declarations are “alive” while at least one registration exists. Registrations can be purged by LeaveTimer if no MVRPDUs with confirmation are received within the LeaveTimer value after LeaveAll timer expiration, or by receiving an MSRPDU with the Leave event. The LeaveAll timer is running constantly. The purging time is variable and depends on when the LeaveAll timer expires after traffic has been stopped. The possible range is [LeaveTimerValue, LeaveTimerValue + LeaveAllTimerValue * 1.5].
IEEE 802.1AS IEEE 802.1AS is a protocol designed to synchronize clocks in the nodes of a distributed system that communicate in a bridged network. 802.1AS also provides a mechanism to measure link delays, which may be used to calculate end-to-end propagation delay. The IEEE 802.1AS standard specifies the protocol and procedures for ensuring that QoS requirements are met for time-sensitive applications such as audio and video. The IEEE 1588 Precision Time Protocol (PTP) forms the basis of the IEEE 802.
Figure 47-1. IEEE 802.1S Master/Slave Device Relationships The 802.1AS implementation described in this document is based on the IEEE P802.1AS/D7.6 draft standard [1]. IEEE 802.1AS time synchronization provides a common time base for sampling data streams at a source device and presenting those streams at a destination device with the same relative timing. End-to-end synchronization of clocks is critical for traffic that is highly time-sensitive and has stringent latency and jitter requirements.
A device that can issue or receive IEEE 802.1AS communications is termed a "time-aware system". A time-aware system can be either an end station device attached to a network or a bridge that interconnects end stations. Typically, an end station device has a single port and a bridge has multiple ports. The segment of an 802.1AS network that enables direct communication between two time-aware systems is defined as an 802.1AS communication path. The port on a time-aware end station can be a master or slave.
clock. If the best master clock is grandmaster-capable, then the clock becomes the grandmaster clock for the 802.1AS domain, generating time synchronization information periodically. The ANNOUNCE message also includes a path trace TLV that tracks the path to the best master clock. Each time-aware system updates the received ANNOUNCE message by appending its clock identity to the path trace TLV.
field in the SYNC and FOLLOW_UP messages. The master sends the FOLLOW_UP message with the same sequence ID as the SYNC message. The value (t2 – t1) gives the (offset + link delay) between the master and slave. The link delay is calculated as described below. Assuming that the link delay is symmetric, the offset value can be derived from (t2 – t1). This sequence of SYNC and FOLLOW_UP messages is repeated at every SYNC transmission interval.
conveyed using the follow up message. The delay requestor captures the RX timestamp of the PDELAY_RESP_FOLLOWUP message (t4). This sequence is shown in the diagram below:
Figure 47-3. Link Delay Measurement Sequence
After the completion of the delay request/response exchange, the delay requestor has all four time stamps (t1, t2, t3, t4).
the same as the delay from responder to the requestor. The peer delay mechanism also requires that there are no transparent devices (bridges) that can add extra delay between the peers. As part of the PDELAY exchange, the requestor computes the ratio of the frequency of the responder’s local clock at the other end of the link and the frequency of the requestor’s local clock. To account for the frequency offset between the clocks at each end, the peer delay is adjusted based on the computed ratio.
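The timestamp arithmetic described above can be worked through on constructed numbers. This is an added example, not code from the Dell guide or the switch: the function names are hypothetical, the delay formula is the form commonly given for IEEE 802.1AS peer delay, (r·(t4 − t1) − (t3 − t2)) / 2, and the 100 ppm frequency error, 1 ms turnaround and 500 ns cable delay are constructed sample values.

```python
"""Peer delay and clock offset arithmetic for IEEE 802.1AS, timestamps in ns."""


def neighbor_rate_ratio(earlier, later):
    """Responder/requestor frequency ratio from two PDELAY exchanges.

    Each argument is a (t3, t4) pair: t3 is read from the responder's clock,
    t4 from the requestor's clock.
    """
    (t3_a, t4_a), (t3_b, t4_b) = earlier, later
    if t4_b <= t4_a:
        raise ValueError("exchanges must be supplied in time order")
    return (t3_b - t3_a) / (t4_b - t4_a)


def link_delay(t1, t2, t3, t4, rate_ratio=1.0):
    """One-way link delay, assuming the link is symmetric.

    t1 and t4 come from the requestor's clock, t2 and t3 from the responder's.
    rate_ratio scales the requestor-side interval to the responder's rate;
    leaving it at 1.0 ignores the frequency offset between the two clocks.
    """
    turnaround = t3 - t2                      # measured by the responder
    round_trip = rate_ratio * (t4 - t1)       # measured by the requestor
    delay = (round_trip - turnaround) / 2.0
    if delay < 0:
        raise ValueError("negative delay: timestamps are inconsistent")
    return delay


def clock_offset(sync_t1, sync_t2, delay):
    """Slave offset from the master: (t2 - t1) is offset plus link delay."""
    return (sync_t2 - sync_t1) - delay


def simulate_pdelay(start, true_delay, turnaround, ratio, responder_offset):
    """Build constructed timestamps for one exchange.

    The requestor's clock is the reference; the responder's clock reads
    responder_offset + ratio * reference_time.
    """
    def responder_clock(reference_time):
        return responder_offset + ratio * reference_time

    t1 = start
    t2 = responder_clock(start + true_delay)
    t3 = responder_clock(start + true_delay + turnaround)
    t4 = start + 2 * true_delay + turnaround
    return t1, t2, t3, t4


if __name__ == "__main__":
    # Constructed scenario: 500 ns link, 1 ms turnaround, responder 100 ppm fast.
    first = simulate_pdelay(1_000_000, 500, 1_000_000, 1.0001, 5_000_000)
    second = simulate_pdelay(1_001_000_000, 500, 1_000_000, 1.0001, 5_000_000)
    ratio = neighbor_rate_ratio((first[2], first[3]), (second[2], second[3]))
    print("rate ratio        :", round(ratio, 7))
    print("delay, uncorrected:", round(link_delay(*first), 3), "ns")
    print("delay, corrected  :", round(link_delay(*first, rate_ratio=ratio), 3), "ns")
    print("offset from SYNC  :", clock_offset(10_000_000, 10_000_750, 500), "ns")
```

With these inputs the uncorrected result is 50 ns short of the true delay, which is the error the rate ratio adjustment removes; any asymmetry in the link would still pass straight into the computed offset.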
In compliance with sections 11.2.3 and 11.2.4 of IEEE 802.1AS, canonical flow control (PAUSE) and Priority Flow Control (PFC) must be disabled on bridges that are enabled for PTP. This configuration is not enforced by bridge management. In-situ measurements have shown residence times of up to 10 ms and PDELAY turnaround times of up to 1 ms. AVB Configuration Example The following example configures an AVB switch. 1 Create VLAN 2. This VLAN is used to carry the MSRP traffic.
5 Globally enable IEEE 802.1AS and set the local clock type to 2 with a priority of 128.
console(config)#dot1as
console(config)#dot1as priority 2 128
6 Globally enable MVRP, MMRP, and MSRP and enable the periodic state machines to purge registrations periodically. Also enable MSRP talker pruning.
802.1AS Global Admin Mode......................
Grandmaster Capable............................
Best Clock Identity............................ F8:B1:56:FF:FE:0F:2B:49
Best Clock Priority1...........................
Best Clock Priority2...........................
Steps to Best Clock............................
Local Clock Identity........................... F8:B1:56:FF:FE:0F:2B:49
Local Clock Priority1..........................
Local Clock Priority2..........................
Grandmaster Change Count........
48 OpenFlow
Dell EMC Networking N2000, N2100-ON, N3000, N3100-ON, and N4000 Series Switches
Dell EMC Networking OpenFlow Hybrid Overview
The following acronyms are used in this chapter.
Table 48-1. OpenFlow Acronyms
Acronym    Definition
ICAP       Ingress Content Aware Processor. This is a hardware flow matching table. The term ICAP is used synonymously with IFP.
IFP        Ingress Field Processor. The IFP is a hardware flow matching table.
OVS        Open vSwitch
VCAP       VLAN Content Aware Processor.
Dell EMC Networking partially supports the OpenFlow 1.0 and OpenFlow 1.3 standards. The Dell EMC Networking OpenFlow Hybrid switch contains OpenFlow agent version 2.3.0 from the Open vSwitch (OVS) project. The Open vSwitch code is licensed under the Apache 2 license. The OpenFlow agent has been validated with the Helium release of OpenDaylight (ODL). The OpenFlow 1.0 standard supports a single-table data forwarding path.
If the address is assigned automatically and the interface with the assigned address goes down, the switch selects another active interface if one is available. Dell EMC Networking OpenFlow Hybrid becomes operationally disabled and re-enabled when a new IP address is selected. If the address is assigned statically, the OpenFlow feature comes up only when a switch interface with the matching IP address becomes active. Automatic IP address selection is done in the following order of preference.
Interaction with OpenFlow Controllers Dell EMC Networking OpenFlow Hybrid implements a subset of the OpenFlow 1.0 protocol and a subset of the OpenFlow 1.3 protocol. Dell EMC Networking OpenFlow Hybrid also implements certain enhancements to the OpenFlow protocol to optimize it for the Data Center environment and to make it compatible with Open vSwitch. Dell EMC Networking OpenFlow Hybrid interacts with any OpenFlow controller that supports OpenFlow 1.0 or the OpenFlow 1.3 standards.
The Dell EMC Networking OpenFlow Hybrid implements the following behaviors: 1 The switch behaves as an OpenFlow-Enabled Hybrid switch. This means that the switch can forward OpenFlow and normal layer-2 and layer-3 traffic on the same ports and the same VLANs at the same time.
9 The switch does not support adding flow match criteria and forwarding actions for ports that are not currently present in the system. However, if ports are removed after the flow is installed, then the flow is updated with the correct port forwarding rules. If the match port is not present on the switch, the switch holds the flow in a software table and applies the flow to the hardware when the port becomes available.
17 The switch supports flow aging. The switch checks the flow install time and idle time every 30 seconds. If either of the timers exceeds the configured values for the flow, the switch deletes the flow. For hardware tables that do not support flow statistics, the switch does not support the idle timeout. OpenFlow 1.0 Supported Flow Match Criteria, Actions and Status The Dell EMC Networking OpenFlow Hybrid switch supports a limited set of match criteria and actions.
Table 48-2. Flow Table Identifiers
ID      Usage                         Description
0       User-Configured table.        This table ID in the OFPT_FLOW_MOD messages indicates that the rule should be added to the default table configured by the administrator. The standard OpenFlow 1.0 controllers always send 0 to the switch. Table 0 is not reported in the OFPST_TABLE message.
1–3     Reserved                      Unused.
4       Source MAC VLAN Assignment    This table is in the VLAN Field Processor.
5–23    Reserved
24      OpenFlow 1.0 Rule             IFP table containing OpenFlow 1.
Although the OpenFlow IFP slices are lower priority than IFP slices used by other Dell EMC Networking OpenFlow Hybrid components, the IFP itself is positioned in the ingress pipeline after the forwarding database and the routing tables. This means that IFP rules inserted by the OpenFlow feature can affect switching and routing decisions. VFP-based flows may also affect switching decisions and alter the behavior of switching protocols by changing MAC addresses and/or VLAN IDs.
OpenFlow 1.0 Rule Table The OpenFlow 1.0 rule table implements many of the OpenFlow match criteria and actions defined in the OpenFlow 1.0 standard. The table is implemented in the Ingress Field Processor using slices configured in the intra-slice double-wide mode. This means that the number of rules in each IFP slice is divided in half to provide the necessary rule width. The following sections describe the match criteria and actions supported by the OpenFlow 1.0 table. • OpenFlow 1.
Table 48-3. Supported OpenFlow Match Criteria (Continued) Match Field Description Ethernet Type The Ethertype in Ethernet V2 tagged and untagged packets. VLAN ID The VLAN Identifier field in the VLAN header. The valid range for the VLAN ID is 1 to 4094. Note that all packets are tagged in the system when they are processed by the OpenFlow 1.0 classifier. The packets that entered the switch without a tag are assigned a tag either by the ingress port PVID or by the Source MAC VLAN Assignment Table.
Table 48-3. Supported OpenFlow Match Criteria (Continued) Match Field Description IP Destination Address The 4-byte IP destination address in IPv4 packets. Only packets with Ethertype 0x0800 can match to the IP Destination Address field. The OpenFlow controller is not required to explicitly set up the Ethernet Type match field. The Ethernet Type field may be wildcarded and the switch can still match IPv4 packets. The switch supports subnet masking for the IP Destination Address.
• OpenFlow 1.0 Actions The switch supports single-port and multi-port forwarding actions as well as some optional packet modifications actions. Table 48-4 defines the supported and unsupported forwarding actions. Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions Forwarding Action Description Forward— Physical Port The switch can redirect traffic to one or more ports. A valid port can be a physical port or a LAG.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions (Continued) Forwarding Action Description Forward— NORMAL This is a supported forwarding action. "NORMAL" reserved port can be either the only action in the list, or can be specified along with the "CONTROLLER" port. No packet modifications are allowed when this action is specified. The packet is forwarded according to normal layer-2 or layer-3 tables.
Table 48-4. Supported/Unsupported OpenFlow Forwarding Actions (Continued) Forwarding Action Description Modify Field The switch supports modifying certain fields in the packet. The feature can be used to give higher priority to certain packets by modifying the 802.1p and DSCP fields. The feature can also be used to implement policy based routing. The packet modifications can be made to the single-port and multi-port flows.
Source MAC VLAN Assignment Table The Source MAC VLAN Assignment table matches on SA MAC, VLAN, and Input Port. Dell EMC Networking OpenFlow Hybrid checks the 'wildcards' field in the ofp_match structure and returns an error if any of the bits other than OFPFW_IN_PORT, OFPFW_DL_VLAN, or OFPFW_DL_SRC are set to 0. If the OpenFlow Controller specifies an unsupported action, the switch rejects the flow with an error. Table 48-5.
MAC Forwarding Table
The MAC Forwarding table matches on DA MAC, SA MAC, VLAN, and Input Port. Dell EMC Networking OpenFlow Hybrid checks the 'wildcards' field in the ofp_match structure and returns an error if any of the bits other than OFPFW_IN_PORT, OFPFW_DL_VLAN, OFPFW_DL_SRC, or OFPFW_DL_DST are set to 0. 0xFFFF, a special VLAN designator indicating that the entry should match untagged traffic, cannot be used as a match criterion for the VLAN ID field dl_vlan. Table 48-6.
Table 48-6. MAC Forwarding Table Match Criteria (Continued)
Name: Local — Multicast
Description: Match on any MAC address with the multicast bit enabled. All other bits in the destination MAC are implicitly masked.
Match Criteria/Actions:
    dl_vlan — Valid VLAN ID
    dl_dst — 01:00:00:00:00:00 — Special MAC address
    in_port — Valid Physical Port or LAG.
    dl_src — Wildcard
    Action Type — OFPAT_OUTPUT (Can be repeated)
    • port — Valid physical port or LAG.
Table 48-6. MAC Forwarding Table Match Criteria (Continued)
Name: Controller — VLAN
Description: Match traffic for a specific VLAN and send the packet to the OpenFlow Controller.
Match Criteria/Actions:
    dl_vlan — Valid VLAN ID
    dl_dst — Wildcard
    in_port — Wildcard
    dl_src — Wildcard
    Action Type — OFPAT_OUTPUT (Can be specified only one time)
    • port — OFPP_CONTROLLER (0xfffd)
    • max_len — An integer from 0 to 9216.
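The wildcard rules stated for the Source MAC VLAN Assignment table and the MAC Forwarding table can be checked on the controller side before a flow is sent. This is an added example, not code from the Dell guide, the switch or Open vSwitch: the bit values are those of ofp_flow_wildcards in the OpenFlow 1.0 specification, the table keys and function names are hypothetical, and treating an nw_src or nw_dst wildcard count of 32 or more as fully wildcarded is an assumption about how the switch reads those six-bit fields.

```python
"""Pre-flight check of an OpenFlow 1.0 'wildcards' value against the table rules."""

# ofp_flow_wildcards bits from the OpenFlow 1.0 specification.
OFPFW_IN_PORT = 1 << 0
OFPFW_DL_VLAN = 1 << 1
OFPFW_DL_SRC = 1 << 2
OFPFW_DL_DST = 1 << 3
OFPFW_DL_TYPE = 1 << 4
OFPFW_NW_PROTO = 1 << 5
OFPFW_TP_SRC = 1 << 6
OFPFW_TP_DST = 1 << 7
OFPFW_NW_SRC_SHIFT = 8        # six-bit count of wildcarded source address bits
OFPFW_NW_DST_SHIFT = 14       # six-bit count of wildcarded destination address bits
OFPFW_DL_VLAN_PCP = 1 << 20
OFPFW_NW_TOS = 1 << 21
OFPFW_ALL = (1 << 22) - 1
OFP_VLAN_NONE = 0xFFFF        # the "untagged" VLAN designator

SINGLE_BIT_FIELDS = {
    "in_port": OFPFW_IN_PORT, "dl_vlan": OFPFW_DL_VLAN, "dl_src": OFPFW_DL_SRC,
    "dl_dst": OFPFW_DL_DST, "dl_type": OFPFW_DL_TYPE, "nw_proto": OFPFW_NW_PROTO,
    "tp_src": OFPFW_TP_SRC, "tp_dst": OFPFW_TP_DST,
    "dl_vlan_pcp": OFPFW_DL_VLAN_PCP, "nw_tos": OFPFW_NW_TOS,
}

# Fields each table may match on (wildcard bit set to 0), as stated in the guide.
# The dictionary keys are hypothetical labels, not switch identifiers.
TABLE_MATCHABLE = {
    "source_mac_vlan": {"in_port", "dl_vlan", "dl_src"},
    "mac_forwarding": {"in_port", "dl_vlan", "dl_src", "dl_dst"},
}


def exact_match_fields(wildcards):
    """Return the set of fields that `wildcards` does not fully wildcard."""
    fields = {name for name, bit in SINGLE_BIT_FIELDS.items() if not wildcards & bit}
    for name, shift in (("nw_src", OFPFW_NW_SRC_SHIFT), ("nw_dst", OFPFW_NW_DST_SHIFT)):
        # Assumption: a count of 32 or more wildcards the whole IPv4 address.
        if (wildcards >> shift) & 0x3F < 32:
            fields.add(name)
    return fields


def check_flow(table, wildcards, dl_vlan=None):
    """List the reasons the flow breaks the table's match rules ([] if none)."""
    if table not in TABLE_MATCHABLE:
        raise ValueError(f"unknown table {table!r}")
    problems = []
    if wildcards & ~OFPFW_ALL:
        problems.append("wildcards has bits set outside OFPFW_ALL")
    exact = exact_match_fields(wildcards)
    for field in sorted(exact - TABLE_MATCHABLE[table]):
        problems.append(f"{field} must be wildcarded")
    if table == "mac_forwarding" and "dl_vlan" in exact and dl_vlan == OFP_VLAN_NONE:
        problems.append("dl_vlan 0xFFFF (untagged) is not a valid match")
    return problems


if __name__ == "__main__":
    # Constructed flows: match on source MAC + VLAN, then additionally on dl_dst.
    src_vlan = OFPFW_ALL & ~(OFPFW_DL_SRC | OFPFW_DL_VLAN)
    with_dst = src_vlan & ~OFPFW_DL_DST
    for table in TABLE_MATCHABLE:
        print(table, check_flow(table, src_vlan, dl_vlan=100))
        print(table, check_flow(table, with_dst, dl_vlan=100))
```

An empty result only means the match side agrees with the rules quoted above; the switch still validates the actions separately and can reject the flow with an error.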
Flow Addition and Modification Error Messages If the switch detects a problem with a newly added flow, or is unable to add or modify a flow due to lack of hardware resources, the switch generates an error message in response to the ofproto_class Flow Put function and generates a syslog message with a text string representing the error type. Table 48-7 lists the syslog messages that can be generated by the switch in response to the flow modification requests.
Flow Status and Statistics The OpenFlow Controller uses the OFPT_STATS_REQUEST message with the type OFPST_FLOW to request flow status and statistics. The switch supports all flow match criteria in the OFPT_STATS_REQUEST defined by the OpenFlow 1.0 standard. The switch supports packet and byte counters for the OpenFlow 1.0 Rule Table and the MAC Forwarding Table. The OFPT_STATS_REPLY message includes the flow match criteria and actions. OpenFlow 1.
Flow Match Fields
The available match fields for Policy ACL Flow Table flow entry types are as described in the following tables.
Table 48-8. Policy ACL Flow Table Layer 2 Match Fields
Field       Bits   Maskable   Optional   Description or Prerequisite
IN_PORT     32     No         Yes        Physical or logical ingress port.
ETH_SRC     48     Yes        Yes        Ethernet source MAC
ETH_DST     48     Yes        Yes        Ethernet destination MAC
ETH_TYPE    16     No         Yes        Any value except 0x86dd.
Table 48-9. Policy ACL Flow Table IPv4 Match Fields (Continued)
Field       Bits   Maskable   Optional   Description or Prerequisite
VLAN_PCP    3      No         Yes        802.1p priority field from VLAN tag. Always has a value, will be zero if packet did not have a VLAN tag.
Table 48-10. Policy ACL Flow Table IPv6 Match Fields
Field       Bits   Maskable   Optional   Description
IN_PORT     32     No         Yes        Physical or logical ingress port.
ETH_SRC     48     Yes        Yes        Ethernet source MAC
ETH_DST     48     Yes        Yes        Ethernet destination MAC
ETH_TYPE    16     No         Yes        Must be 0x86dd
VLAN_VID    16     Yes        Yes        VLAN ID. Cannot be masked for a VLAN bridging rule that redirects to a different L2 output group. Only applicable to VLAN flow entry types.
VLAN_PCP    3      No         Yes        802.
Table 48-10. Policy ACL Flow Table IPv6 Match Fields (Continued)
Field          Bits   Maskable   Optional   Description
TCP_DST        16     No         Yes        If Ethertype = 0x86dd and IP_PROTO = 6
UDP_DST        16     No         Yes        If Ethertype = 0x86dd and IP_PROTO = 17
SCTP_DST       16     No         Yes        If Ethertype = 0x86dd and IP_PROTO = 132
ICMPv6_CODE    8      No         Yes        If Ethertype = 0x86dd and IP_PROTO = 58
Notes: The following table lists OpenFlow 1.3 match criteria that are NOT supported. Table 48-11.
Table 48-11. Match Criteria Not Supported (Continued)
Field          Description
IPV6_ND_TLL    Target link-layer for ND.
IPV6_EXTHDR    IPv6 Extension Header pseudo-field
Action Set Actions
The Policy ACL Flow Table action set supports the actions listed in Table 48-12.
Table 48-12. Policy ACL Flow Table Flow Entry Action Set
Name     Argument   Description
Group    Group      Sets output group entry for processing the packet after this table.
Counters and Flow Expiration
The Policy ACL Flow Table counters are listed in Table 48-13.
Table 48-13. Policy ACL Flow Table Counters
Name                Bits   Type        Description
Active Entries      32     Table       Reference count of number of active entries in the table.
Duration (sec)      32     Per-entry   Seconds since this flow entry was installed
Received Packets    64     Per-entry   Number of packets that hit this flow entry.
Received Bytes      64     Per-entry   Number of bytes that hit this flow entry.
Group Table
The group abstraction enables OpenFlow to represent a set of ports as a single entity for forwarding packets. Different types of groups are provided, to represent different abstractions such as multicasting or multipathing. Each group is composed of a set of group buckets, and each group bucket contains the set of actions to be applied before forwarding to the port. Group buckets can also forward to other groups, enabling groups to be chained together.
• The “All” group type creates an IPMC replication group that points to one or more next hops. Depending on the SA/DA/VLAN modification actions, the next hops may be added to the IPMC group as routed or switched. (L3 Multicast group entry)
• The “Select” group type creates an ECMP group object which points to one or more next hops. (L3 ECMP group entry)
• The OpenFlow fast failover group type is unsupported.
The following sections provide additional details on each of these group types.
Table 48-15. Unicast Bucket Actions (Continued)
Field        Argument   Description
Set Field    MAC_DST    Write the next hop destination MAC. Optional.
Set Field    MAC_SRC    Write the source MAC corresponding to the L3 output interface. Optional.
Set Field    VLAN-id    Write the VLAN ID corresponding to the L3 output interface. Optional.
• Counters
The L3 Unicast group entry counters are as shown in Table 48-16. Table 48-16.
All (L3 Multicast) Group Type L3 Multicast group entries are of OpenFlow ALL type. The action buckets describe the interfaces to which multicast packet replicas are forwarded. Figure 48-2 illustrates L3 Multicast group entries. Figure 48-2. L3 Multicast Group Entry Usage IP multicast packets are forwarded differently depending on whether they are switched or routed. Packets must be switched in the VLAN in which they came, and cannot be output to IN_PORT.
For replication of IP packets, at least one of (MAC-Src, MAC-dest and VLAN-ID) should be valid. L2 multicast is supported. It is done using IPMC L2 replication when all of the (MAC-Src, MAC-dest, VLAN-ID) action bucket fields are left empty. So an "All (L3 Multicast) Group" can have a mix of buckets, some with L3 replication and some with L2 replication. To use L2 multicast, the user should not qualify the IP fields in the flow match criteria.
An L3 ECMP Group entry can be specified as a routing target instead of an L3 Unicast Group entry. Selection of an action bucket for forwarding a particular packet is hardware specific.
• Action Buckets
The action buckets contain the single value listed in Table 48-19.
Table 48-19. L3 ECMP Group Entry Bucket Actions
Field    Argument    Description
Group    Group-id    May chain to an L3 Unicast Group.
• Counters
The L3 ECMP group entry counters are as shown in Table 48-20. Table 48-20.
The desc field in the message contains port information. This field of type ofp_port contains the following elements:
1 port_no — Set to the MIB-2 ifIndex field for the port.
2 hw_addr — All ports in the switch have the same MAC address. The switch reports the lowest MAC assigned to the unit. This address is typically printed on the MAC address label on the switch.
3 name — A unit/slot/port designation for physical ports and LAGs. The LAGs are also identified with the symbolic name lag-.
The queue configuration reply message of type ofp_queue_get_config_reply includes an array of ofp_packet_queue structures. For each interface, the queues are numbered 0 to 7, with queue 7 representing the highest priority queue. The port queues do not have any queue properties. The OpenFlow Controller requests queue statistics using the OFPT_STATS_REQUEST message with type OFPST_QUEUE. Dell EMC Networking OpenFlow Hybrid reports the tx_bytes, tx_packets, and tx_errors statistics for each queue.
To accommodate the scenario where the Flow Controller removes many flows and quickly adds many new flows, the OpenFlow flow database is twice the size of the hardware database. The extra headroom provides enough space to buffer the new flows before the old flows are removed from the hardware. If the OpenFlow Controller adds a flow with the same match criteria as an existing flow, Dell EMC Networking OpenFlow Hybrid treats the new flow as a flow modification action.
Interaction between Flows and VLANs The OpenFlow Controller can add flows for any VLAN ID. The VLANs for which flows are added are created in the Dell EMC Networking OpenFlow Hybrid VLAN database as dynamic VLANs if they are not already configured on the switch. Learning is enabled on the dynamic VLAN. The switch never adds ports to OpenFlow dynamic VLANs, but instead disables ingress and egress filtering on the ports on which the OpenFlow flows are installed.
For the switch to receive the untagged traffic and map it to the appropriate VLAN, the OpenFlow controller can install a flow that maps the incoming MAC address to the VLAN. This is done with the flow type "Phase-1Untagged-MAC" and action OFPAT_SET_VLAN_ID (see "Source MAC VLAN Assignment Table" on page 1696).
If an unknown interface is used in the match criteria for a new flow, the flow is held in the application table until the interface is attached. Dell EMC Networking OpenFlow Hybrid does not generate any error for the flow. Once the interface is attached, the flow is added to the hardware. If the flow is already installed and the interface in the match criteria goes away, the flow is removed from the hardware.
Collect Port and Queue Status and Statistics
The OpenFlow Controller can collect status and statistics for ports and queues. When ports are created, Dell EMC Networking OpenFlow Hybrid sends an OFPT_PORT_STATUS message to the OpenFlow Controller. The status message is triggered by creation of entries in the Physical Port Table. The same tables are used for reporting port status information. The port status is updated by a separate task that periodically polls the status for all physical ports.
OpenFlow Hybrid The operation of the OpenFlow switch in a network largely depends on the functionality of the OpenFlow controller. The OpenFlow feature is a powerful tool that enables the OpenFlow controller to forward packets in the network without regard to the Layer-2 forwarding database and the IPv4 routing tables. Refer to the OpenFlow Controller documentation to understand how the switch behaves in the customer network.
Interaction with Other Switch Functions
The Dell EMC Networking OpenFlow Hybrid component interacts with multiple Dell EMC Networking switch components by either communicating with these components or sharing common resources with the components. The following sections describe these interactions.
OpenSSL
The OpenFlow component establishes SSL connections to the OpenFlow controllers and OpenFlow Managers.
LAGs
When physical ports become LAG members, the flows installed by the OpenFlow Controller on these ports are removed from the hardware and the flows that are installed for the LAG are activated for the new LAG member port. The reverse action takes place when the ports are removed from the LAG.
Ports
The OpenFlow component installs flows in the hardware and removes flows from the hardware as ports become attached and detached or join and leave the LAG.
IP Routing, IP Multicast, and Layer-2 Multicast
The OpenFlow component uses the same hardware resources as the routing and IP multicast components. Namely, the OpenFlow component uses the Next-Hop entries and Multicast Group entries in the hardware. The routing and multicast Dell EMC Networking OpenFlow Hybrid feature gracefully handles the out-of-resources errors.
Port Mirroring
The OpenFlow component is not active on probe ports.
Limitations, Restrictions, and Assumptions
The following OpenFlow features are not supported:
1 Flow installation in the MAC Forwarding table.
2 Uplink Rate Limiting, including the flow installation in the Uplink Rate Limiter Table, traffic rate control, the rate limiter table, and the rate limiter statistics.
3 On the N4000 Series switches, flow installation is not supported if MAC ACLs exist.
4 OpenFlow functionality currently interoperates with the Open vSwitch command line utility ovs-ofctl 2.3.0.
OpenFlow Configuration Example
This example enables OpenFlow 1.3 on the switch and configures a connection to a controller at IPv4 address 172.16.0.3 over TCP port 3435 using no encryption on the out-of-band interface. This example presumes the out-of-band interface has obtained an IP address on the 172.16.0.X subnet.
console(config)#openflow
WARNING! OpenFlow does not operate on stack members. Enable OpenFlow on stand-alone switches only.
console(config-of-switch)#protocol-version 1.
49 Dell EMC Networking Python Support
Dell EMC Networking switches support installation and execution of Python applications. Python applications that are to be executed on the switch must be developed and tested offline to the maximum degree possible. The switch does not offer interactive shell access for development of Python scripts, nor does the Dell EMC Networking switch come with all of the normal Python “batteries included” modules. A list of the included packages is in the example below.
Copy the resulting file to the switch using the copy command with the application keyword. The application may be a single script, or it may be a collection of scripts in a compressed or uncompressed tarball. Applications are copied to the user-apps directory. If a single file is downloaded, the destination file name is the same as the source file name (if the optional destination file name is not given). If a tarball is downloaded, the original file names within the archive are retained.
console(config)#application install app
console(config)#show application
OpEN application table contains 2 entries.
Name             StartOnBoot  AutoRestart  CPU Sharing  Max Memory
---------------  -----------  -----------  -----------  ----------
SupportAssist    Yes          Yes          0            0
app              No           No           0            0
CAUTION: The application install command has an auto-restart parameter. Do NOT use this parameter while debugging or on any short-lived application. The switch does NOT limit restarts and attempts to restart a failed application immediately.
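Since the switch restarts a failed application immediately and without limit, a long-lived application that runs with auto-restart can absorb its own failures and back off inside the process instead of exiting. The sketch below is an added example, not Dell's code; the function names and the delay values are hypothetical, and it avoids syntax that only Python 3 accepts.

```python
import time
import traceback


def backoff_delays(base, factor, cap):
    """Yield base, base*factor, ... seconds, never more than cap."""
    delay = base
    while True:
        yield min(delay, cap)
        delay = min(delay * factor, cap)


def supervise(work, sleep=time.sleep, log=None, max_cycles=None,
              base=1.0, factor=2.0, cap=300.0, idle=5.0):
    """Call work() in a loop and keep its failures inside the process.

    A failed cycle is logged and followed by a growing pause, so a
    persistent fault costs one attempt per `cap` seconds rather than an
    immediate relaunch each time. A successful cycle resets the pause.
    Returns the number of failed cycles once max_cycles is reached;
    with max_cycles=None the loop never returns.
    """
    failures = 0
    cycles = 0
    delays = backoff_delays(base, factor, cap)
    while max_cycles is None or cycles < max_cycles:
        cycles += 1
        try:
            work()
        except Exception:
            failures += 1
            if log is not None:
                log(traceback.format_exc())
            pause = next(delays)
        else:
            delays = backoff_delays(base, factor, cap)
            pause = idle
        sleep(pause)
    return failures


def demo():
    """Constructed workload: fails three times, then succeeds twice."""
    state = {"calls": 0}

    def flaky():
        state["calls"] += 1
        if state["calls"] <= 3:
            raise RuntimeError("constructed failure %d" % state["calls"])

    pauses = []   # record the pauses instead of really sleeping
    failed = supervise(flaky, sleep=pauses.append, max_cycles=5, cap=3.0)
    return failed, pauses


if __name__ == "__main__":
    print(demo())
```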
OpEN OpENUtil OpEN_py Queue SimpleHTTPServer SimpleXMLRPCServer SocketServer StringIO UserDict UserList UserString _LWPCookieJar _MozillaCookieJar _OpEN __builtin__ __future__ _abcoll _ast _bisect _codecs _codecs_cn _codecs_hk _codecs_iso2022 _codecs_jp _codecs_kr _codecs_tw _collections _csv _ctypes _ctypes_test _elementtree _functools _heapq _hotshot _io _json _locale _lsprof _md5 _multibytecodec _multiprocessing _osx_support _pyio _random _sha _sha256 cProfile cStringIO calendar cgi cgitb chunk cm
_sha512 _socket _sre _ssl _strptime _struct _symtable _sysconfigdata _testcapi _threading_local _warnings _weakref _weakrefset abc aifc antigravity anydbm argparse array ast asynchat asyncore atexit audiodev functools future_builtins gc genericpath getopt getpass gettext glob grp gzip hashlib heapq hmac hotshot htmlentitydefs htmllib httplib ihooks imaplib imghdr imp importlib imputil inspect platform plistlib popen2 poplib posix posixfile posixpath pprint profile pstats pty pwd py_compile pyclbr pydoc py
import telnetlib
import sys

HOST = '127.0.0.1'
PORT = 23
LOGIN_STRING = "Login:"
PASSWORD_STRING = "Password:"
TERMINAL_LEN_ZERO = "terminal length 0\n"
TERMINAL_MONITOR = "terminal monitor\n"
ENABLE_STRING = "enable\n"
CONFIG_STRING = "configure\n"
USERNAME = 'admin'
PASSWORD = 'password'
ENABLE_PASSWORD = ''
TIMEOUT = 3

def do_terminal_settings(tn):
    tn.write(TERMINAL_MONITOR)
    tn.read_until("#")
    tn.write(TERMINAL_LEN_ZERO)
    tn.read_until("#")

def do_login(tn):
    print "TN object created\n"
    tn.
def main():
    telnet = telnetlib.Telnet(HOST,PORT)
    do_login(telnet)
    do_terminal_settings(telnet)
    do_config(telnet)
    telnet.close()
    sys.
A Appendix
The topics covered in this appendix include:
• Feature Limits and Platform Constants
• System Process Definitions
• SupportAssist
Feature Limits and Platform Constants
Table A-1 lists the feature limits and Table A-2 lists the platform constants for the Dell EMC Networking N-Series switches. Certain platform constants may be adjusted by selecting a different SDM template.
Table A-1.
Table A-1. Feature Limits (Continued)
Feature    N1100-ON Series    N1500 Series    N2000/N2100-ON Series    N3000/N3100-ON Series    N4000 Series
OpenFlow 1.
Table A-2.
Table A-2. Platform Constants (Continued)
Feature    N1100-ON Series    N1500 Series    N2000/N2100-ON Series    N3000/N3100-ON Series    N4000 Series
ACL limits
Maximum number of ACLs (any type)
Maximum number of configurable rules per list.
System Process Definitions
The following process/thread definitions are intended to assist the end user in troubleshooting switch issues. Only the most often seen threads/processes are listed here. Other processes or threads may be seen occasionally but are not a cause for concern.
Table A-3. System Process Definitions
Name                                        Task Summary
aclClusterTask, aclEventTask, aclLogTask    ACL tasks
ARP Timer                                   ARP tasks
autoInstTask                                Auto Install task - USB, etc.
Table A-3. System Process Definitions (Continued)
Name                                                                      Task Summary
Dot1s transport task, dot1s_helper_task, dot1s_task, dot1s_timer_task    Spanning Tree tasks
dot1xTask                                                                 802.
Table A-3. System Process Definitions (Continued)
Name                  Task Summary
hapiBpduTxTask, hapiL2AsyncTask, hapiL2FlushTask, hapiL3AsyncTask, hapiLinkStatusTask, hapiMcAsyncTask, hapiRxTask, hapiTxTask    High Level API - SDK Integration Layer
hpcBroadRpcTask       SDK Remote messaging task.
Table A-3. System Process Definitions (Continued)
Name           Task Summary
simPts_task    System Interface Manager (time zone, system name, service port config, file transfers, ...
Table A-3. System Process Definitions (Continued)
Name                                          Task Summary
TransferTask                                  TFTP Processing
trapTask                                      Trap handler
tRipTask                                      RIP Routing
tRtrDiscProcessingTask                        Router Discovery packet processing
usbFlashDriveTask                             USB Flash driver processing
umCfgUpdateTask, umWorkerTask, unitMgrTask    Stack Management: Unit Manager tasks
USL Worker Task                               USL Message processing (primarily MAC address table CLI commands)
UtilTask                                      Mgmt.
SupportAssist
SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 6.3 or later and the SupportAssist Package to be installed on the Dell EMC Networking device. SupportAssist is enabled by default on all Dell EMC Networking switches.
SupportAssist operates by periodically reporting switch identity (service tag and serial number), configuration, logs, status, and diagnostic information to an external SupportAssist server operated by Dell, Inc. Information is logged periodically on the SupportAssist server. It is recommended that Dell EMC Networking customers utilizing SupportAssist configure the appropriate contact information using the contact-person and contact-company commands in Support-Assist Configuration mode.
of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity. If you do not consent to the collection, transmission and/or use of the Collected Data, you may not download, install or otherwise use SupportAssist.