Dell Configuration Guide for the S3048–ON System 9.10(0.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your computer.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
1 About this Guide
Audience
Conventions
Verify Software Images Before Installation
Using HTTP for File Transfers
4 Management
Viewing the Configuration Lock Status
Reloading the system
5 802.1X
Configure a Standard IP ACL
Configuring a Standard IP ACL Filter
Configure an Extended IP ACL
Establish a Session
Route Reflectors
BGP Attributes
Configuring BGP Route Reflectors
Aggregating Routes
Configuring BGP Confederations
Configure the System to be a DHCP Client
Configuring the DHCP Client System
DHCP Client on a Management Interface
DHCP Client Operation with Other Features
Setting the FRRP Timers
Clearing the FRRP Counters
Viewing the FRRP Configuration
Viewing the FRRP Information
Adjusting Query and Response Timers
Preventing a Host from Joining a Group
Enabling IGMP Immediate-Leave
IGMP Snooping
Port Channel Interfaces
Port Channel Definition and Standards
Port Channel Benefits
Assigning IP Addresses to an Interface
Configuring Static Routes
Configure Static Routes for the Management Interface
IPv4 Path MTU Discovery Overview
IPv6 Neighbor Discovery
IPv6 Neighbor Discovery of MTU Packets
Configuration Task List for IPv6 RDNSS
24 Link Aggregation Control Protocol (LACP)
Introduction to Dynamic LAGs and LACP
Important Points to Remember
LACP Modes
TIA-1057 (LLDP-MED) Overview
TIA Organizationally Specific TLVs
Configure LLDP
Logging Changes in Peership States
Terminating a Peership
Clearing Peer Statistics
Track an IPv4/IPv6 Route
Displaying Tracked Objects
32 Open Shortest Path First (OSPFv2 and OSPFv3)
Protocol Overview
Implementation Information
Protocol Overview
Requesting Multicast Traffic
Inspecting the Private VLAN Configuration
38 Per-VLAN Spanning Tree Plus (PVST+)
Protocol Overview
Implementation Information
Sample configuration to mark non-ecn packets as "yellow" with single traffic class
Applying Layer 2 Match Criteria on a Layer 3 Interface
Applying DSCP and VLAN Match Criteria on a Service Queue
Classifying Incoming Packets Using ECN and Color-Marking
AAA Authentication
Configuration Task List for AAA Authentication
Obscuring Passwords and Keys
AAA Authorization
VLAN Stacking Packet Drop Precedence
Enabling Drop Eligibility
Honoring the Incoming DEI Value
Enabling an SNMP Agent to Notify Syslog Server Failure
Copy Configuration Files Using SNMP
Copying a Configuration File
Copying Configuration Files via SNMP
Influencing Management Unit Selection on a Stack
Managing Redundancy on a Stack
Resetting a Unit on a Stack
Verify a Stack Configuration
52 System Time and Date
Network Time Protocol
Protocol Overview
Assigning an IP Address to a VLAN
Configuring Native VLANs
Enabling Null VLAN as the Default VLAN
57 VLT Proxy Gateway
PVLAN Operations When a VLT Peer is Restarted
Interoperation of VLT Nodes in a PVLAN with ARP Requests
Scenarios for VLAN Membership and MAC Synchronization With VLT Nodes in PVLAN
Configuring a VLT VLAN or LAG in a PVLAN
VRRP for IPv6 Configuration
61 Debugging and Diagnostics
Offline Diagnostics
1 About this Guide This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell Command Line Reference Guide for your system. S3048–ON stacking is supported with Dell Networking OS version 9.7(0.1) and beyond. Though this guide contains information about protocols, it is not intended to be a complete reference.
2 Configuration Fundamentals The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell Networking OS CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
    uBoot
    QOS POLICY
    RSTP
    ROUTE-MAP
    ROUTER BGP
    BGP ADDRESS-FAMILY
    ROUTER ISIS
    ISIS ADDRESS-FAMILY
    ROUTER OSPF
    ROUTER OSPFV3
    ROUTER RIP
    SPANNING TREE
    TRACE-LIST
    VLT DOMAIN
    VRRP
    UPLINK STATE GROUP
Navigating CLI Modes
The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode              | Prompt                 | Access Command
Loopback Interface            | Dell(conf-if-lo-0)#    | interface (INTERFACE modes)
Management Ethernet Interface | Dell(conf-if-ma-1/1)#  | interface (INTERFACE modes)
Null Interface                | Dell(conf-if-nu-0)#    | interface (INTERFACE modes)
Port-channel Interface        | Dell(conf-if-po-1)#    | interface (INTERFACE modes)
Tunnel Interface              | Dell(conf-if-tu-1)#    | interface (INTERFACE modes)
VLAN Interface                | Dell(conf-if-vl-1)#    | interface (INTERFACE modes)
STANDARD ACCESS-LIST          | Dell(config-std-nacl)  |
CLI Command Mode          | Prompt                                             | Access Command
CONTROL-PLANE             | Dell(conf-control-cpuqos)#                         | control-plane-cpuqos
DHCP                      | Dell(config-dhcp)#                                 | ip dhcp server
DHCP POOL                 | Dell(config-dhcp-pool-name)#                       | pool (DHCP Mode)
ECMP                      | Dell(conf-ecmp-group-ecmpgroup-id)#                | ecmp-group
EIS                       | Dell(conf-mgmt-eis)#                               | management egress-interface-selection
FRRP                      | Dell(conf-frrp-ring-id)#                           | protocol frrp
LLDP                      | Dell(conf-lldp)# or Dell(conf-if-interface-lldp)#  | protocol lldp (CONFIGURATION or INTERFACE Modes)
LLDP MANAGEMENT INTERFACE | De
    2     Member not present
    3     Member not present
    4     Member not present
    5     Member not present
    6     Member not present

    -- Power Supplies --
    Unit  Bay  Status  Type  FanStatus  FanSpeed(rpm)
    ------------------------------------------------------------
    1     1    up      AC    absent     0
    1     2    absent        absent     0

    -- Fan Status --
    Unit  Bay  TrayStatus  Fan0  Speed  Fan1  Speed
    -----------------------------------------------------------------
    1     1    up          up    0      up    0
    1     2    up          up    0      up    0
    1     3    up          up    0      up    0
    Speed in RPM
Undoing Commands
When you enter a command, the comman
• Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword.
    Dell(conf)#clock ?
    summer-time    Configure summer (daylight savings) time
    timezone       Configure time zone
    Dell(conf)#clock
Entering and Editing Commands
Notes for entering commands.
• The CLI is not case-sensitive.
• You can enter partial CLI keywords.
• Enter the minimum number of letters to uniquely identify a command.
• When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands. Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case suboption. Starting with Dell Networking OS version 7.8.1.
    1 1 1 2 down absent AC up absent 8128 0

    -- Fan Status --
    Unit  Bay  TrayStatus  Fan0  Speed
    -----------------------------------------------------------------------------------
    1     1    up          up    9900
    1     2    up          up    9900
    1     3    up          up    9900
    Speed in RPM
The display command displays additional configuration information. The no-more command displays the output all at once rather than one screen at a time.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access
The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port.
Serial Console
The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the I/O side of the chassis.
Figure 1. RJ-45 Console Port
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1 Install an RJ-45 copper cable into the console port.
Table 2.
• If you issue an interactive command in the SSH session, the behavior may not really be interactive.
• In some cases, when certain show commands such as show tech-support produce large volumes of output in an SSH session, a few characters of the output are truncated and not displayed. This may cause one of the commands to fail with a syntax error. In such cases, if you add a few newline characters before the failed command, the output displays completely.
    interface ManagementEthernet slot/port
2 Assign an IP address to the interface.
  INTERFACE mode
    ip address ip-address/mask
  • ip-address: an address in dotted-decimal format (A.B.C.D).
  • mask: a subnet mask in /prefix-length format (/xx).
3 Enable the interface.
  INTERFACE mode
    no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely.
• Create a password to access EXEC Privilege mode.
  CONFIGURATION mode
    enable [password | secret | sha256-password] [level level] [encryption-type] password
  • level: is the privilege level, is 15 by default, and is not required.
  • encryption-type: specifies how you input the password, is 0 by default, and is not required.
    • 0 is to input the password in clear text.
    • 5 is to input a password that is already encrypted using the MD5 encryption method.
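Example of Securing Initial Management Access (added example). The following session is not from the original guide; it collects steps 1 to 3, the management route, and the enable password into one configuration on a constructed 192.0.2.0/24 management network. The ip telnet server enable and ip ssh server version commands are assumed from Dell Networking OS 9.x and should be confirmed in the Command Line Reference for your release.

```text
! Added example: initial out-of-band management access (addresses are constructed)
Dell#configure
! Steps 1 to 3: address and enable the management interface
Dell(conf)#interface ManagementEthernet 1/1
Dell(conf-if-ma-1/1)#ip address 192.0.2.10/24
Dell(conf-if-ma-1/1)#no shutdown
Dell(conf-if-ma-1/1)#exit
! Management route toward the network you administer from
Dell(conf)#management route 0.0.0.0/0 192.0.2.1
! Weak: 'enable password' stores a reversible (type 7) string in the configuration
! Dell(conf)#enable password 0 Sw1tchAdm1n
! Preferred: a SHA-256 hashed enable secret for level 15
Dell(conf)#enable sha256-password 0 Sw1tchAdm1n
! Remote access over SSH only (assumption: keywords as in Dell Networking OS 9.x)
Dell(conf)#ip ssh server enable
Dell(conf)#ip ssh server version 2
Dell(conf)#no ip telnet server enable
Dell(conf)#end
Dell#write memory
```

Of the three forms, enable password stores a reversible string, enable secret an MD5 hash, and enable sha256-password a SHA-256 hash; use the SHA-256 form wherever the release supports it, and keep the management interface on a dedicated out-of-band network.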
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    27952672 bytes successfully copied
Example of Importing a File to the Local System
    core1#$//copy ftp://myusername:mypassword@10.10.10.10//Dell/Dell-EF-8.2.1.0.bin flash://
    Destination file name [Dell-EF-8.2.1.0.bin.bin]:
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    26292881 bytes successfully copied
Credentials embedded in the URL in this way appear on the terminal, in the command history, and in any command audit log; where possible, omit them from the URL so that the system prompts for the user name and password instead.
Mounting an NFS File System
This feature enables you to quickly access data on an NFS mounted file system.
    Source file name []: test.c
    User name to login remote host: username
Example of Logging in to Copy from NFS Mount
    Dell#copy nfsmount:///test flash:
    Destination file name [test]: test2
    !
    5592 bytes successfully copied
    Dell#
    Dell#copy nfsmount:///test.txt ftp://10.16.127.35
    Destination file name [test.txt]:
    User name to login remote host: username
    Password to login remote host:
    !
Example of Copying to NFS Mount
    Dell#copy flash://test.txt nfsmount:///
    Destination file name [test.
NOTE: When copying to a server, a host name can only be used if a DNS server is configured. Configure the Overload Bit for a Startup Scenario For information about setting the router overload bit for a specific period of time after a switch reload is implemented, see the Intermediate System to Intermediate System (IS-IS) section in the Dell Command Line Reference Guide for your system. Viewing Files You can only view file information and content on local file systems.
! Version 9.4(0.0) ! Last configuration change at Tue Mar 11 21:33:56 2014 by admin ! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default !
Uncompressed configuration:
    no ip address
    shutdown
    !
    interface TenGigabitEthernet 1/3
    no ip address
    shutdown
    !
    interface TenGigabitEthernet 1/4
    no ip address
    shutdown
    !
    interface TenGigabitEthernet 1/10
    no ip address
    shutdown
    !
    interface TenGigabitEthernet 1/34
    ip address 2.1.1.
    interface Vlan 5
    tagged te 1/1
    no ip address
    shutdown
    !
    interface Vlan 100
    no ip address
    no shutdown
    !
    interface Vlan 1000
    ip address 1.1.1.1/16
    no shutdown
    Uncompressed config size – 52 lines
Compressed configuration:
    no ip address
    shutdown
    !
    interface TenGigabitEthernet 1/34
    ip address 2.1.1.1/16
    shutdown
    !
    interface group Vlan 2 , Vlan 100
    no ip address
    no shutdown
    !
    interface group Vlan 3 – 5
    tagged te 1/1
    no ip address
    shutdown
    !
write memory compressed
The write memory compressed command writes the operating configuration to the startup-config file in compressed form. In a stacking scenario, it also syncs the file to all the standby and member units.
    - - - network - network rw tftp: rw scp:
You can change the default file system so that file management commands apply to a particular device or memory. To change the default directory, use the following command.
• Change the default directory.
  EXEC Privilege mode
    cd directory
Enabling Software Features on Devices Using a Command Option
The capability to activate software applications or components on a device using a command is supported on this platform. Starting with Release 9.4(0.
    [12/5 10:57:12]: CMD-(CLI):line vty 0 9
    [12/5 10:57:13]: CMD-(CLI):boot system rpm0 primary flash://FTOS-CB-1.1.1.2E2.bin
Upgrading Dell Networking OS
NOTE: To upgrade Dell Networking Operating System (OS), refer to the Release Notes for the version you want to load on the system.
MD5
    Dell# verify md5 flash://FTOS-SE-9.5.0.0.bin 275ceb73a4f3118e1d6bcf7d75753459
    MD5 hash VERIFIED for FTOS-SE-9.5.0.0.bin
SHA256
    Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933
    SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.bin
Compare the hash against the value published with the image (for example, in the Release Notes) and prefer the SHA-256 check: MD5 is no longer collision-resistant, so a matching MD5 alone is weaker evidence that the file is the image Dell published.
Using HTTP for File Transfers
Starting with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server.
4 Management This chapter describes the different protocols or services used to manage the Dell Networking system.
• moving commands from EXEC Privilege to EXEC mode • restricting access A user can access all commands at his privilege level and below. Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
    privilege exec level level {command ||...|| command}
• Move a command from EXEC Privilege to EXEC mode.
  CONFIGURATION mode
    privilege exec level level {command ||...|| command}
• Allow access to CONFIGURATION mode.
  CONFIGURATION mode
    privilege exec level level configure
• Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command.
  CONFIGURATION mode
    privilege configure level level {interface | line | route-map | router} {command-keyword ||...
    vlan                 VLAN interface
    Dell(conf)#interface tengigabitethernet 1/1
    Dell(conf-if-gi-1/1)#?
    end                  Exit from configuration mode
    exit                 Exit from interface configuration mode
    Dell(conf-if-gi-1/1)#exit
    Dell(conf)#line ?
    aux                  Auxiliary line
    console              Primary terminal line
    vty                  Virtual terminal
    Dell(conf)#line vty 0
    Dell(config-line-vty)#?
    exit                 Exit from line configuration mode
    Dell(config-line-vty)#
    Dell(conf)#interface group ?
    gigabitethernet      GigabitEthernet interface IEEE 802.
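Example of a Restricted Operator Level (added example). The following configuration is not from the original guide; it applies the privilege commands above to create a level-5 operator who can clear counters, read the log, and shut or describe an interface, while every command not moved stays at its default level and out of reach. The privilege interface level and username ... privilege forms are assumed from Dell Networking OS 9.x and should be confirmed in the Command Line Reference.

```text
! Added example: a level-5 operator role (constructed names and passwords)
! Move selected EXEC Privilege commands down to level 5
Dell(conf)#privilege exec level 5 clear counters
Dell(conf)#privilege exec level 5 show logging
! Let level 5 enter CONFIGURATION mode, but only reach INTERFACE mode from there
Dell(conf)#privilege exec level 5 configure
Dell(conf)#privilege configure level 5 interface
! Inside INTERFACE mode, expose only shutdown/no shutdown and description
! (assumption: privilege interface level exists as in Dell Networking OS 9.x)
Dell(conf)#privilege interface level 5 shutdown
Dell(conf)#privilege interface level 5 description
! A level-5 enable password and a user bound to the level
! (assumption: username ... privilege syntax per the Security chapter)
Dell(conf)#enable sha256-password level 5 0 L3v3l5-S3cret
Dell(conf)#username netops privilege 5 sha256-password 0 Op3rat0r-S3cret
```

After this, a netops session sees the level-1 show commands plus the moved commands; show running-config, show tech-support, and every other EXEC Privilege command remain at level 15. Check the result with the ? listing, as in the output above, before handing the account over.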
  CONFIGURATION mode
    no logging buffer
• Disable logging to terminal lines.
  CONFIGURATION mode
    no logging monitor
• Disable console logging.
  CONFIGURATION mode
    no logging console
Audit and Security Logs
This section describes how to configure, display, and clear audit and security logs.
When you enable RBAC and extended logging:
• Only the system administrator user role can execute this command.
• The system administrator and system security administrator user roles can view security events and system events.
• The system administrator user role can view audit, security, and system events.
• Only the system administrator and security administrator user roles can view security logs.
• The network administrator and network operator user roles can view system events.
Example of Configuring the Logging Message Format
    Dell(conf)#logging version ?
    <0-1>    Select syslog version (default = 0)
    Dell(conf)#logging version 1
Display the Logging Buffer and the Logging Configuration
To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles.
Figure 2. Setting Up a Secure Connection to a Syslog Server
Pre-requisites
To configure a secure connection from the switch to the syslog server:
1 On the switch, enable the SSH server.
    Dell(conf)#ip ssh server enable
2 On the syslog server, create a reverse SSH tunnel from the syslog server to the Dell OS switch, using the following syntax:
    ssh -R remote_port:syslog_server:syslog_server_port user@remote_host -nNf
  In the following example the syslog server IP address is 10.156.166.
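Example of Creating the Reverse Tunnel (added example). The following commands are not from the original guide; they fill in step 2 with constructed values: the syslog server is 192.0.2.20 listening on port 514, the switch is 192.0.2.10 with the SSH server enabled as in step 1, the tunnel account is sysloguser, and 5140 is the port the switch will see on its own loopback. The options are standard OpenSSH options.

```text
# Added example, run on the syslog server (constructed addresses, ports, and account)
#   192.0.2.20:514   the syslog daemon on this server
#   192.0.2.10       the switch (ip ssh server enable already done on it)
#   5140             listener the tunnel opens on the switch's 127.0.0.1
ssh -R 5140:192.0.2.20:514 sysloguser@192.0.2.10 -nNf
#   -R remote_port:host:hostport   connections to 127.0.0.1:5140 on the switch are carried
#                                  inside the SSH session to 192.0.2.20:514 on this server
#   -n  no stdin    -N  run no remote command    -f  background after authentication
# Confirm the tunnel process is still running after it backgrounds
pgrep -af 'ssh -R 5140:192.0.2.20:514'
```

Use a dedicated, low-privilege account with a key pair for the tunnel, since the SSH session keeps that account logged in to the switch for as long as the tunnel is up; because -f backgrounds the client only after authentication succeeds, an authentication failure is visible before the command returns.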
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424, The Syslog Protocol (R. Gerhards, Adiscon GmbH, March 2009), which obsoletes RFC 3164, and RFC 5426, Transmission of Syslog Messages over UDP.
• Specify the server to which you want to send system messages. You can configure up to eight syslog servers.
The following example enables login activity tracking and configures the system to store the login activity details for 12 days.
    Dell(config)#login statistics enable
    Dell(config)#login statistics time-period 12
Display Login Statistics
To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
Example of the show login statistics user user-id command
The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
    Dell# show login statistics user admin
    -----------------------------------------------------------------
    User: admin
    Last login time: 12:52:01 UTC Tue Mar 22 2016
    Last login location: Line vty0 ( 10.16.127.
Example of Configuring Concurrent Session Limit The following example limits the permitted number of concurrent login sessions to 4. Dell(config)#login concurrent-session limit 4 Enabling the System to Clear Existing Sessions To enable the system to clear existing login sessions, follow this procedure: • Use the following command.
Configuration Task List for System Log Management
There are two configuration tasks for system log management:
• Disable System Logging
• Send System Messages to a Syslog Server
Disabling System Logging
By default, logging is enabled and log messages are sent to the logging buffer, all terminal lines, the console, and the syslog servers. To disable system logging, use the following commands.
• Disable all logging except on the console.
Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands. • Specify the minimum severity level for logging to the logging buffer.
    Console logging: level Debugging
    Monitor logging: level Debugging
    Buffer logging: level Debugging, 40 Messages Logged, Size (40960 bytes)
    Trap logging: level Informational
    %IRC-6-IRC_COMMUP: Link to peer RPM is up
    %RAM-6-RAM_TASK: RPM1 is transitioning to Primary RPM.
• news (for USENET news messages)
• sys9 (system use)
• sys10 (system use)
• sys11 (system use)
• sys12 (system use)
• sys13 (system use)
• sys14 (system use)
• syslog (for syslog messages)
• user (for user programs)
• uucp (UNIX to UNIX copy protocol)
Example of the show running-config logging Command
To view nondefault settings, use the show running-config logging command in EXEC mode.
Enabling Timestamp on Syslog Messages
By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command.
• Add timestamp to syslog messages.
  CONFIGURATION mode
    service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime]
  Specify the following optional parameters:
  • You can add the keyword localtime to include the localtime, msec, and show-timezone.
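Example of a Logging Baseline (added example). The following configuration is not from the original guide; it combines the severity, facility, server, message-format, and timestamp settings from this section into one baseline, using constructed collector addresses 192.0.2.20 and 192.0.2.21. The buffer size and the local3 facility are choices rather than defaults; confirm the accepted ranges and facility names in the Command Line Reference for your release.

```text
! Added example: logging baseline (constructed collector addresses)
Dell(conf)#logging on
! Keep a large local buffer for forensics; the default logs everything up to debug
Dell(conf)#logging buffered informational 250000
! A slow serial console stalls on chatty output: warnings and above only
Dell(conf)#logging console warnings
Dell(conf)#logging monitor notifications
! Messages to remote collectors (trap) at informational, tagged with facility local3
Dell(conf)#logging trap informational
Dell(conf)#logging facility local3
! Two collectors; up to eight may be configured
Dell(conf)#logging 192.0.2.20
Dell(conf)#logging 192.0.2.21
! RFC 5424 message format and full timestamps so events correlate across devices
Dell(conf)#logging version 1
Dell(conf)#service timestamps log datetime localtime msec show-timezone
```

Leave the buffer enabled even when collectors are configured: it is the only record that survives a network outage between the switch and the collectors, and show logging reads it without network access.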
    ftp-server enable
Example of Viewing FTP Configuration
    Dell#show running ftp
    !
    ftp-server enable
    ftp-server username nairobi password 0 zanzibar
    Dell#
Configuring FTP Server Parameters
After you enable the FTP server on the system, you can configure different parameters. To specify the FTP server parameters, use the following commands.
FTP carries user names, passwords, and file contents in cleartext, and a password entered with encryption-type 0 appears in cleartext in the running configuration, as in the example above; enable the FTP server only on a trusted management network and prefer the scp: file system where you have a choice.
• Specify the directory for users using FTP to reach the system.
  CONFIGURATION mode
    ftp-server topdir dir
  • The default is the internal flash directory.
ip ftp username name

To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.

Terminal Lines

You can access the system remotely and restrict access to the system by creating user profiles. Terminal lines on the system provide different means of accessing the system. The console line (console) connects you through the console port in the route processor modules (RPMs).
seq 15 permit ip any any
!
ipv6 access-list testv6deny
seq 10 deny ipv6 3001::/64 any
seq 15 permit ipv6 any any
!
Dell(conf)#
Dell(conf)#line vty 0 0
Dell(config-line-vty)#access-class testv6deny ipv6
Dell(config-line-vty)#access-class testvpermit ipv4
Dell(config-line-vty)#show c
line vty 0
exec-timeout 0 0
access-class testpermit ipv4
access-class testv6deny ipv6
!

Configuring Login Authentication for Terminal Lines

You can use any combination of up to six authentication methods to authenticate a user o
line vty 1
password myvtypassword
login authentication myvtymethodlist
line vty 2
password myvtypassword
login authentication myvtymethodlist
Dell(config-line-vty)#

Setting Timeout for EXEC Privilege Mode

EXEC timeout is a basic security feature that returns Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set timeout, use the following commands.

• Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY.
Trying 2200:2200:2200:2200:2200::2201...
Connected to 2200:2200:2200:2200:2200::2201.
Exit character is '^]'.
FreeBSD/i386 (freebsd2.force10networks.com) (ttyp1)
login: admin
Dell#

Lock CONFIGURATION Mode

Dell Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of locks: auto and manual.
• Reload the system if a configuration change to the NVRAM requires a device reload.
  EXEC Privilege mode
  reload conditional nvram-cfg-change
• Reload the system into the Dell diagnostics mode.
  EXEC Privilege mode
  reload dell-diag
• Reload the system into the ONIE mode.
  EXEC Privilege mode
  reload onie [install | uninstall | rescue]
  Use the install parameter to reload the system and enter the Install mode to install a networking OS.
5 802.1X

802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
Figure 4. EAP Frames Encapsulated in Ethernet and RADIUS

The authentication process involves three devices:
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network.
• Configuring Dynamic VLAN Assignment with Port Authentication
• Guest and Authentication-Fail VLANs

Port-Authentication Process

The authentication process begins when the authenticator senses that a link status has changed from down to up:
1 When the authenticator senses a link state change, it requests that the supplicant identify itself using an EAP Identity Request frame.
2 The supplicant responds with its identity in an EAP Response Identity frame.
EAP over RADIUS

802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.

Figure 6. EAP Over RADIUS

RADIUS Attributes for 802.1X Support

Dell Networking systems include the following RADIUS attributes in all 802.
• If the primary RADIUS server becomes unresponsive, the authenticator begins using a secondary RADIUS server, if configured.
• 802.1X is not supported on port-channels or port-channel members.

Configuring dot1x Profile

You can configure a dot1x profile for defining a list of trusted supplicant MAC addresses. A maximum of 10 dot1x profiles can be configured. The profile name length is limited to 32 characters.
  INTERFACE mode
  dot1x static-mab profile profile-name
  Enter a name to configure the static MAB profile name. The profile name length is limited to a maximum of 32 characters.

Example of Static MAB and MAB Profile for an Interface

Dell(conf-if-Te-2/1)#dot1x static-mab profile sample
Dell(conf-if-Te 2/1))#show config
!
interface TenGigabitEthernet 21
switchport
dot1x static-mab profile sample
no shutdown
Dell(conf-if-Te 2/1))#show dot1x interface TenGigabitEthernet 2/1
802.
no shutdown
Dell#show dot1x interface tengigabitethernet 2/1
802.
Enabling 802.1X

Enable 802.1X globally.

Figure 7. 802.1X Enabled

1 Enable 802.1X globally.
  CONFIGURATION mode
  dot1x authentication
2 Enter INTERFACE mode on an interface or a range of interfaces.
  INTERFACE mode
  interface [range]
3 Enable 802.1X on the supplicant interface only.
  INTERFACE mode
  dot1x authentication

Examples of Verifying that 802.1X is Enabled Globally and on an Interface

Verify that 802.
In the following example, the bold lines show that 802.1X is enabled.

Dell#show running-config | find dot1x
dot1x authentication
!
[output omitted]
!
interface GigabitEthernet 2/1
no ip address
dot1x authentication
no shutdown
!
Dell#

To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default.

Dell#show dot1x interface GigabitEthernet 2/1/
802.
  INTERFACE mode
  dot1x max-eap-req number
  The range is from 1 to 10. The default is 2.

The example in Configuring a Quiet Period after a Failed Authentication shows configuration information for a port for which the authenticator re-transmits an EAP Request Identity frame after 90 seconds and re-transmits up to 10 times.

Configuring a Quiet Period after a Failed Authentication

If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default.
Forcibly Authorizing or Unauthorizing a Port

The 802.1X ports can be placed into any of the three states:
• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
• ForceUnauthorized — an unauthorized state.
  The range is from 1 to 31536000. The default is 3600.
• Configure the maximum number of times the supplicant can be re-authenticated.
  INTERFACE mode
  dot1x reauth-max number
  The range is from 1 to 10. The default is 2.

Example of Re-Authenticating a Port and Verifying the Configuration

The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
Example of Viewing Configured Server Timeouts

The example shows configuration information for a port for which the authenticator terminates the authentication process for an unresponsive supplicant or server after 15 seconds. The bold lines show the new supplicant and server timeouts.

Dell(conf-if-Gi-1/1)#dot1x port-control force-authorized
Dell(conf-if-Gi-1/1)#do show dot1x interface GigabitEthernet 1/1
802.
Figure 8. Dynamic VLAN Assignment

1 Configure 802.1X globally (refer to Enabling 802.1X) along with relevant RADIUS server configurations (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2 Make the interface a switchport so that it can be assigned to a VLAN.
3 Create the VLAN to which the interface will be assigned.
4 Connect the supplicant to the port configured for 802.1X.
• If a port is already forwarding on the Guest VLAN when 802.1X is enabled, the port is moved out of the Guest VLAN and the authentication process begins.

Configuring a Guest VLAN

If the supplicant does not respond within a determined amount of time ([reauth-max + 1] * tx-period), the system assumes that the host does not have 802.1X capability and the port is placed in the Guest VLAN.

NOTE: For more information about configuring timeouts, refer to Configuring Timeouts.
Example of Viewing Configured Authentication

View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN, or using the show dot1x interface command from EXEC Privilege mode.
802.
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM)

This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements.

Optimizing CAM Utilization During the Attachment of ACLs to VLANs

To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
• The ACL is applied or removed from a group and the ACL group does not contain a VLAN member.
• The description of the ACL group is added or removed.

Guidelines for Configuring ACL VLAN Groups

Keep the following points in mind when you configure ACL VLAN groups:
• The interfaces where you apply the ACL VLAN group function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs that performs hierarchical filtering.
• You can add only one ACL to an interface at a time.
  description description
3 Apply an egress IP ACL to the ACL VLAN group.
  CONFIGURATION (conf-acl-vl-grp) mode
  ip access-group {group name} out implicit-permit
4 Add VLAN member(s) to an ACL VLAN group.
  CONFIGURATION (conf-acl-vl-grp) mode
  member vlan {VLAN-range}
5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
[show cam-usage output: the partition rows for IN-L2 ACL and OUT-L2 ACL are not recoverable from the extracted text. Codes: * - cam usage is above 90%.]

Viewing CAM Usage

View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub-partitions) using the show cam-usage command in EXEC Privilege mode. Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
[show cam-usage output: the partition rows for OUT-L2 ACL, OUT-L3 ACL, and OUT-V6 ACL are not recoverable from the extracted text. Codes: * - cam usage is above 90%.]
7 Access Control Lists (ACLs)

This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
Topics:
• IP Access Control Lists (ACLs)
• Important Points to Remember
• IP Fragment Handling
• Configure a Standard IP ACL
• Configure an Extended IP ACL
• Configure Layer 2 and Layer 3 ACLs
• Assign an IP ACL to an Interface
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Resequencing
• Route Maps
• Logging of ACL Processes
• Flow-Based Monitoring Support for ACLs

IP Access Control Lists (ACLs)

In Dell Networking switch/routers,
User Configurable CAM Allocation

Allocate space for IPv6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.) Enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Assigning ACLs to VLANs

When you apply an ACL to a VLAN using single port-pipe, a copy of the ACL entries gets installed in the ACL CAM on the port-pipe. The entry looks for the incoming VLAN in the packet. When you apply an ACL on individual ports of a VLAN, separate copies of the ACL entries are installed for each port belonging to a port-pipe. You can use the log keyword to log the details about the packets that match.
• When two or more match clauses within the same route-map sequence have different match commands, matching a packet against these clauses is a logical AND operation.
• If no match is found in a route-map sequence, the process moves to the next route-map sequence until a match is found, or there are no more sequences.
• When a match is found, the packet is forwarded and no more route-map sequences are processed.
interface GigabitEthernet 1/1
Set clauses:
tag 35
level stub-area
Dell#

To delete all instances of that route map, use the no route-map map-name command. To delete just one instance, add the sequence number to the command syntax.

Dell(conf)#no route-map zakho 10
Dell(conf)#end
Dell#show route-map
route-map zakho, permit, sequence 20
Match clauses:
interface GigabitEthernet 1/1
Set clauses:
tag 35
level stub-area
Dell#

The following example shows a route map with multiple instances.
Also, if there are different instances of the same route-map, then it is sufficient if a permit match happens in any instance of that route-map.

Dell(conf)#route-map force permit 10
Dell(config-route-map)#match tag 1000
Dell(config-route-map)#match metric 2000

In the following example, instance 10 permits the route having a tag value of 1000 and instances 20 and 30 deny the route having a tag value of 1000. In this scenario, Dell Networking OS scans all the instances of the route-map for any permit statement.
• Match next-hop routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 next-hop {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv4).
  CONFIG-ROUTE-MAP mode
  match ip route-source {access-list-name | prefix-list prefix-list-name}
• Match source routes specified in a prefix list (IPv6).
  CONFIG-ROUTE-MAP mode
  match ipv6 route-source {access-list-name | prefix-list prefix-list-name}
• Match routes with a specific value.
• Specify an OSPF or ISIS type for redistributed routes.
  CONFIG-ROUTE-MAP mode
  set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route’s next hop.
  CONFIG-ROUTE-MAP mode
  set next-hop ip-address
• Assign an IPv6 address as the route’s next hop.
  CONFIG-ROUTE-MAP mode
  set ipv6 next-hop ip-address
• Assign an ORIGIN attribute.
  CONFIG-ROUTE-MAP mode
  set origin {egp | igp | incomplete}
• Specify a tag for the redistributed routes.
Configure a Route Map for Route Tagging

One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
IP Fragments ACL Examples

The following examples show how you can use ACL commands with the fragment keyword to filter fragmented packets.

Example of Permitting All Packets on an Interface

The following configuration permits all packets (both fragmented and non-fragmented) with destination IP 10.1.1.1. The second rule does not get hit at all.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit ip any 10.1.1.1/32
Dell(conf-ext-nacl)#deny ip any 10.1.1.
Example of Logging Denied Packets

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following.

Dell(conf)#ip access-list extended ABC
Dell(conf-ext-nacl)#permit tcp any any fragment
Dell(conf-ext-nacl)#permit udp any any fragment
Dell(conf-ext-nacl)#deny ip any any log
Dell(conf-ext-nacl)

When configuring ACLs with the fragment keyword, be aware of the following.
ip access-list standard dilling
seq 15 permit tcp 10.3.0.0/16 any
seq 25 deny ip host 10.5.0.0 any log
Dell(config-std-nacl)#

To delete a filter, use the no seq sequence-number command in IP ACCESS LIST mode. If you are creating a standard ACL with only one or two filters, you can let Dell Networking OS assign a sequence number based on the order in which the filters are configured. The software assigns filters in multiples of 5.
Configure an Extended IP ACL

Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. The traffic passes through the filter in the order of the filter’s sequence; hence, you can configure the extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the filter.
Example of the seq Command

When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order.

NOTE: When assigning sequence numbers to filters, you may have to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number.

The example below shows how the seq command orders the filters according to the sequence number assigned.
Configure Layer 2 and Layer 3 ACLs

Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply:
• When Dell Networking OS routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL.
• When Dell Networking OS switches the packets, first the L3 ACL filters them, then the L2 ACL filters them.
  interface interface slot/port
2 Configure an IP address for the interface, placing it in Layer-3 mode.
  INTERFACE mode
  ip address ip-address
3 Apply an IP ACL to traffic entering or exiting an interface.
  INTERFACE mode
  ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range | vrf vrf-range]
  NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation.
4 Apply rules to the new ACL.
!
gigabitethernet 1/1
no ip address
ip access-group abcd in
no shutdown
Dell(conf-if-gi1/1)#end
Dell#configure terminal
Dell(conf)#ip access-list extended abcd
Dell(config-ext-nacl)#permit tcp any any
Dell(config-ext-nacl)#deny icmp any any
Dell(config-ext-nacl)#permit 1.1.1.2
Dell(config-ext-nacl)#end
Dell#show ip accounting access-list
!
Extended Ingress IP access list abcd on gigabitethernet 1/1
seq 5 permit tcp any any
seq 10 deny icmp any any
seq 15 permit 1.1.1.
ip vrf forwarding blue
no ip address
shutdown
Dell(conf-if-gi-1/2)#
Dell(conf-if-gi-1/2)#
Dell(conf-if-gi-1/2)#end
Dell#

Applying Egress Layer 3 ACLs (Control-Plane)

By default, packets originated from the system are not filtered by egress ACLs. For example, if you initiate a ping session from the system and apply an egress ACL to block this type of traffic on the interface, the ACL does not affect that ping traffic.
• A prefix list without any permit or deny filters allows all routes.
• An “implicit deny” is assumed (that is, the route is dropped) for all route prefixes that do not match a permit or deny filter in a configured prefix list.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route.
!
ip prefix-list juba
seq 12 deny 134.23.0.0/16
seq 15 deny 120.0.0.0/8 le 16
seq 20 permit 0.0.0.0/0 le 32
Dell(conf-nprefixl)#

NOTE: The last line in the prefix list juba contains a “permit all” statement. By including this line in a prefix list, you specify that all routes not matching any criteria in the prefix list are forwarded.

To delete a filter, use the no seq sequence-number command in PREFIX LIST mode.
Examples of the show ip prefix-list Command

The following example shows the show ip prefix-list detail command.

Dell>show ip prefix detail
Prefix-list with the last deletion/insertion: filter_ospf
ip prefix-list filter_in:
count: 3, range entries: 3, sequences: 5 - 10
seq 5 deny 1.102.0.0/16 le 32 (hit count: 0)
seq 6 deny 2.1.0.0/16 ge 23 (hit count: 0)
seq 10 permit 0.0.0.0/0 le 32 (hit count: 0)
ip prefix-list filter_ospf:
count: 4, range entries: 1, sequences: 5 - 10
seq 5 deny 100.100.1.
Applying a Filter to a Prefix List (OSPF)

To apply a filter to routes in open shortest path first (OSPF), use the following commands.
• Enter OSPF mode.
  CONFIGURATION mode
  router ospf
• Apply a configured prefix list to incoming routes. You can specify an interface. If you enter the name of a non-existent prefix list, all routes are forwarded.
  CONFIG-ROUTER-OSPF mode
  distribute-list prefix-list-name in [interface]
• Apply a configured prefix list to incoming routes.
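The prefix-list rules above (ge/le length ranges, first match wins, implicit deny, an empty list permitting everything) and the route-map rules earlier in this chapter (match clauses ANDed within one instance, instances scanned in sequence order) in one added model. This is example code written for this page, not code from the guide or from Dell Networking OS; the prefix list juba and the route-map force are the ones shown in the chapter, and the assumption that a route matching no route-map instance is denied is marked in the code.

```python
"""Prefix-list and route-map evaluation as this chapter describes it.
Added example; not code from the guide or from Dell Networking OS."""
import ipaddress
from typing import Callable, List, Optional, Tuple

Verdict = Tuple[str, Optional[int]]   # ("permit" | "deny", matching seq or None)


class PrefixEntry:
    def __init__(self, seq: int, action: str, prefix: str,
                 ge: Optional[int] = None, le: Optional[int] = None) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.seq, self.action = seq, action
        self.prefix = ipaddress.ip_network(prefix, strict=False)
        base = self.prefix.prefixlen
        # no ge/le: exact length; le only: base..le; ge only: ge..32; both: ge..le
        self.lo = ge if ge is not None else base
        self.hi = le if le is not None else (32 if ge is not None else base)
        if not base <= self.lo <= self.hi <= 32:
            raise ValueError(f"seq {seq}: need prefix length <= ge <= le <= 32")

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        # the route must lie inside the listed prefix and have a length in range
        return route.subnet_of(self.prefix) and self.lo <= route.prefixlen <= self.hi


class PrefixList:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: List[PrefixEntry] = []

    def seq(self, seq: int, action: str, prefix: str,
            ge: Optional[int] = None, le: Optional[int] = None) -> "PrefixList":
        self.entries.append(PrefixEntry(seq, action, prefix, ge, le))
        self.entries.sort(key=lambda e: e.seq)      # evaluated in sequence order
        return self

    def evaluate(self, route: str) -> Verdict:
        net = ipaddress.ip_network(route, strict=False)
        if not self.entries:
            return "permit", None        # a list without filters allows all routes
        for e in self.entries:
            if e.matches(net):
                return e.action, e.seq   # first match; no further filters applied
        return "deny", None              # implicit deny


class Route:
    def __init__(self, prefix: str, tag: int = 0, metric: int = 0) -> None:
        self.prefix, self.tag, self.metric = prefix, tag, metric


Clause = Callable[[Route], bool]


def match_tag(value: int) -> Clause:
    return lambda r: r.tag == value


def match_metric(value: int) -> Clause:
    return lambda r: r.metric == value


def match_ip_address(plist: PrefixList) -> Clause:
    # match ip address prefix-list <name>: true when the prefix list permits the route
    return lambda r: plist.evaluate(r.prefix)[0] == "permit"


class RouteMap:
    def __init__(self, name: str) -> None:
        self.name = name
        self.instances: List[Tuple[int, str, List[Clause]]] = []

    def instance(self, seq: int, action: str, *clauses: Clause) -> "RouteMap":
        self.instances.append((seq, action, list(clauses)))
        self.instances.sort(key=lambda i: i[0])
        return self

    def evaluate(self, route: Route) -> Verdict:
        for seq, action, clauses in self.instances:
            if all(c(route) for c in clauses):   # clauses of one instance are ANDed
                return action, seq               # no more instances are processed
        return "deny", None   # assumption: a route matching no instance is denied


if __name__ == "__main__":
    juba = (PrefixList("juba").seq(12, "deny", "134.23.0.0/16")
            .seq(15, "deny", "120.0.0.0/8", le=16).seq(20, "permit", "0.0.0.0/0", le=32))
    force = (RouteMap("force").instance(10, "permit", match_tag(1000), match_metric(2000))
             .instance(20, "deny", match_tag(1000)).instance(30, "deny", match_tag(1000)))
    print(juba.evaluate("120.1.0.0/16"), juba.evaluate("120.1.1.0/24"))
    print(force.evaluate(Route("10.0.0.0/8", tag=1000, metric=2000)))
```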
Rules Resequencing

Rules After Resequencing:
seq 5 permit any host 1.1.1.1
seq 10 permit any host 1.1.1.2
seq 15 permit any host 1.1.1.3
seq 20 permit any host 1.1.1.4

Resequencing an ACL or Prefix List

Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
seq 5 permit ip any host 1.1.1.1
remark 9 ABC
remark 10 this remark corresponds to permit ip any host 1.1.1.2
seq 10 permit ip any host 1.1.1.2
seq 15 permit ip any host 1.1.1.3
seq 20 permit ip any host 1.1.1.4
Dell# end
Dell# resequence access-list ipv4 test 2 2
Dell# show running-config acl
!
ip access-list extended test
remark 2 XYZ
remark 4 this remark corresponds to permit any host 1.1.1.1
seq 4 permit ip any host 1.1.1.
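An added model of the filter sequencing rules this chapter describes for standard IP ACLs: explicit seq numbers placing a filter in order however it was typed, automatic numbering in multiples of 5, first-match evaluation with the implicit deny, and resequencing with a start number and increment. It is example code written for this page, not code from the guide or Dell Networking OS, and it leaves out remarks, whose renumbering the guide shows but does not specify.

```python
"""Model of standard IP ACL sequencing, lookup and resequencing.
Added example; not code from the guide or from Dell Networking OS."""
import ipaddress
from typing import List, Optional, Tuple


class Filter:
    def __init__(self, seq: int, action: str, source: str) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.seq = seq
        self.action = action
        # a standard IP ACL filters on the source address; "host X" is X/32
        self.source = ipaddress.ip_network(source, strict=False)

    def text(self) -> str:
        if self.source.prefixlen == 32:
            return f"seq {self.seq} {self.action} host {self.source.network_address}"
        return f"seq {self.seq} {self.action} {self.source}"


class StandardAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.filters: List[Filter] = []     # always kept in sequence order

    def add(self, action: str, source: str, seq: Optional[int] = None) -> int:
        """Add a filter. Without an explicit seq, the next multiple of 5 above the
        highest existing number is assigned, as the guide describes."""
        if seq is None:
            highest = max((f.seq for f in self.filters), default=0)
            seq = (highest // 5 + 1) * 5
        if any(f.seq == seq for f in self.filters):
            raise ValueError(f"seq {seq} already in use in {self.name}")
        self.filters.append(Filter(seq, action, source))
        self.filters.sort(key=lambda f: f.seq)   # order follows seq, not typing order
        return seq

    def delete(self, seq: int) -> None:
        """Equivalent of: no seq <sequence-number>"""
        self.filters = [f for f in self.filters if f.seq != seq]

    def resequence(self, start: int, step: int) -> None:
        """Equivalent of: resequence access-list ipv4 <name> <start> <step>.
        Numbers are reassigned in place; relative order is preserved."""
        if start < 1 or step < 1:
            raise ValueError("start and step must be positive")
        for offset, f in enumerate(self.filters):
            f.seq = start + offset * step

    def lookup(self, src_ip: str) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching filter. Every ACL ends
        with an implicit deny, reported here with seq None."""
        addr = ipaddress.ip_address(src_ip)
        for f in self.filters:
            if addr in f.source:
                return f.action, f.seq
        return "deny", None

    def show(self) -> List[str]:
        return [f"ip access-list standard {self.name}"] + [f.text() for f in self.filters]


if __name__ == "__main__":
    acl = StandardAcl("dilling")            # name taken from the chapter's example
    acl.add("permit", "10.3.0.0/16", seq=15)
    acl.add("deny", "10.5.0.0/32", seq=25)
    acl.add("permit", "10.1.0.0/16")         # auto-assigned seq 30
    acl.add("deny", "10.3.9.0/24", seq=5)    # typed last, evaluated first
    print("\n".join(acl.show()))
    print(acl.lookup("10.3.9.7"), acl.lookup("10.3.1.1"), acl.lookup("192.0.2.1"))
    acl.resequence(2, 2)                     # becomes seq 2, 4, 6, 8
    print("\n".join(acl.show()))
```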
entries, which relate to each of the ACL entries configured in an ACL. Dell Networking OS saves a table that maps each ACL entry that matches the ACL name on the received packet, sequence number of the rule, and the interface index in the database. When the configured maximum threshold has been exceeded, log generation stops. When the interval at which ACL logs are configured to be recorded expires, a fresh interval timer starts and the packet count for that new interval starts from zero.
Configuring ACL Logging

This functionality is supported on the platform. To configure the maximum number of ACL log messages to be generated and the frequency at which these messages must be generated, perform the following steps:

NOTE: This example describes the configuration of ACL logging for standard IP access lists. You can enable the logging capability for standard and extended IPv4 ACLs, IPv6 ACLs, and standard and extended MAC ACLs.
monitor with the seq, permit, or deny command for the ACL rules to allow or drop IPv4, IPv6, ARP, UDP, EtherType, ICMP, and TCP packets. The ACL rule describes the traffic that you want to monitor, and the ACL in which you are creating the rule will be applied to the monitored interface. Flow monitoring is supported for standard and extended IPv4 ACLs, standard and extended IPv6 ACLs, and standard and extended MAC ACLs.
Enabling Flow-Based Monitoring

Flow-based monitoring is supported on the platform. Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You can specify traffic using standard or extended access-lists.
1 Enable flow-based monitoring for a monitoring session.
8 Bidirectional Forwarding Detection (BFD)

BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format

Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.

Figure 9. BFD in IPv4 Packet Format

Field            Description
Diagnostic Code  The reason that the last session failed.
State            The current local session state. Refer to BFD Sessions.
Flag             A bit that indicates packet function.
Field               Description
Length              The entire length of the BFD packet.
My Discriminator    A random number generated by the local system to identify the session.
Your Discriminator  A random number generated by the remote system to identify the session.

Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
A session can have four states: Administratively Down, Down, Init, and Up.

State                  Description
Administratively Down  The local system does not participate in a particular session.
Down                   The remote system is not sending control packets, or at least not within the detection time for a particular session.
Init                   The local system is communicating.
Up                     Both systems are exchanging control packets.

The session is declared down if:
• A control packet is not received within the detection time.
Figure 10.
Session State Changes

The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init.

Figure 11.
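The packet fields and the state table above, in an added example: a parser for the 24-byte mandatory section of a BFD control packet as RFC 5880 lays it out (the layout the Figure 9 fields describe), the state transition rule Figure 11 illustrates, and the detection-time arithmetic behind the 100 ms / multiplier 3 parameters shown later in this chapter. This is example code written for this page, not code from the guide or from Dell Networking OS; the packets it decodes are constructed inline.

```python
"""BFD control packet parser, session state table and detection time
(RFC 5880, mandatory section only, no authentication).
Added example; not code from the guide or from Dell Networking OS."""
import struct
from dataclasses import dataclass
from typing import Dict

STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
STATE_CODE = {name: code for code, name in STATES.items()}
FLAG_BITS = (("P", 0x20), ("F", 0x10), ("C", 0x08), ("A", 0x04), ("D", 0x02), ("M", 0x01))
# vers/diag | sta/flags | detect mult | length | my disc | your disc | tx | rx | echo rx
HEADER = struct.Struct("!BBBBIIIII")          # 24 bytes


@dataclass
class BfdControl:
    version: int
    diag: int                   # Diagnostic Code: why the last session failed
    state: str                  # session state of the sender
    flags: Dict[str, bool]      # P/F/C/A/D/M bits
    detect_mult: int
    length: int
    my_disc: int                # chosen by the sender to identify the session
    your_disc: int              # echoes the peer's My Discriminator (0 if unknown)
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int


def parse_bfd(data: bytes) -> BfdControl:
    """Decode and validate one control packet; raises ValueError on bad input."""
    if len(data) < HEADER.size:
        raise ValueError("truncated BFD control packet")
    b0, b1, mult, length, my, your, tx, rx, echo = HEADER.unpack_from(data)
    if b0 >> 5 != 1:
        raise ValueError("unsupported BFD version")
    if length < HEADER.size or length > len(data):
        raise ValueError("bad Length field")
    if mult == 0 or my == 0:
        raise ValueError("Detect Mult and My Discriminator must be nonzero")
    flags = {name: bool(b1 & bit) for name, bit in FLAG_BITS}
    return BfdControl(1, b0 & 0x1F, STATES[b1 >> 6], flags, mult, length,
                      my, your, tx, rx, echo)


def build_bfd(state: str, my_disc: int, your_disc: int, mult: int = 3,
              tx_us: int = 100_000, rx_us: int = 100_000, diag: int = 0) -> bytes:
    """Encode a control packet; used here to construct sample input."""
    return HEADER.pack((1 << 5) | (diag & 0x1F), STATE_CODE[state] << 6, mult,
                       HEADER.size, my_disc, your_disc, tx_us, rx_us, 0)


def next_state(local: str, received: str) -> str:
    """State the local session moves to when a packet carrying `received`
    arrives (RFC 5880 section 6.8.6). Down + received Down gives Init, which is
    the transition the guide's figure describes."""
    if local == "AdminDown":
        return local                   # local system does not participate
    if received == "AdminDown":
        return "Down"                  # peer signalled that the session is down
    if local == "Down":
        return {"Down": "Init", "Init": "Up"}.get(received, local)
    if local == "Init":
        return "Up" if received in ("Init", "Up") else local
    return "Down" if received == "Down" else local      # local == "Up"


def detection_time_us(local_required_min_rx_us: int, pkt: BfdControl) -> int:
    """Detection time = peer's Detect Mult x the agreed transmit interval, the
    larger of our Required Min RX and the peer's Desired Min TX."""
    return pkt.detect_mult * max(local_required_min_rx_us, pkt.desired_min_tx_us)


if __name__ == "__main__":
    # constructed sample: peer in Down state, 100 ms intervals, multiplier 3
    pkt = parse_bfd(build_bfd("Down", my_disc=0x1234, your_disc=0))
    print(pkt.state, hex(pkt.my_disc), detection_time_us(100_000, pkt), "us")
    print("local Down + received Down ->", next_state("Down", pkt.state))
```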
• Configure BFD for OSPFv3
• Configure BFD for IS-IS
• Configure BFD for BGP
• Configure BFD for VRRP
• Configuring Protocol Liveness
• Troubleshooting BFD

Configure BFD for Physical Ports

Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Establishing a Session on Physical Ports

To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match.

Figure 12. Establishing a BFD Session on Physical Ports

1 Enter interface mode.
  CONFIGURATION mode
  interface
2 Assign an IP address to the interface if one is not already assigned.
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: False
Client Registered: CLI
Uptime: 00:03:57
Statistics:
Number of packets received from neighbor: 1775
Number of packets sent to neighbor: 1775
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Log messages displa
• Disable BFD on an interface.
  INTERFACE mode
  no bfd enable
• Enable BFD on an interface.
  INTERFACE mode
  bfd enable

If you disable BFD on a local interface, this message displays:

R1(conf-if-gi-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for neighbor 2.2.2.
To establish a BFD session, use the following command.
• Establish BFD sessions for all neighbors that are the next hop of a static route.
  CONFIGURATION mode
  ip route bfd

Example of the show bfd neighbors Command to Verify Static Routes

To verify that sessions have been created for static routes, use the show bfd neighbors command.

R1(conf)#ip route 2.2.3.0/24 2.2.2.
Configure BFD for OSPF

When using BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change has occurred. Configuring BFD for OSPF is a two-step process:
1 Enable BFD globally.
2 Establish sessions with OSPF neighbors.
Establishing Sessions with OSPF Neighbors

BFD sessions can be established with all OSPF neighbors at once, or with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.

Figure 14. Establishing Sessions with OSPF Neighbors

To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands.
• Establish sessions with all OSPF neighbors.
The bold line shows the OSPF BFD sessions.

R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Gi 2/1     Up     100     100     3     O
* 2.2.3.1  2.2.3.2     Gi 2/2     Up     100     100     3     O

Changing OSPFv3 Session Parameters

Configure BFD sessions with default intervals and a default role.
Configure BFD for OSPFv3

BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process:
1 Enable BFD globally.
2 Establish sessions with OSPFv3 neighbors.

Related Configuration Tasks
• Changing OSPFv3 Session Parameters
• Disabling BFD for OSPFv3

Establishing Sessions with OSPFv3 Neighbors

You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface.
Disabling BFD for OSPF

If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated.

To disable BFD sessions, use the following commands.
• Disable BFD sessions with all OSPF neighbors.
Establishing Sessions with IS-IS Neighbors

BFD sessions can be established for all IS-IS neighbors at once, or for all neighbors out of a specific interface.

Figure 15. Establishing Sessions with IS-IS Neighbors

To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
  ROUTER-ISIS mode
  bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr  RemoteAddr  Interface  State  Rx-int  Tx-int  Mult  Clients
* 2.2.2.2  2.2.2.1     Gi 2/1     Up     100     100     3     I

Changing IS-IS Session Parameters

BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Prerequisites

Before configuring BFD for BGP, you must first configure the following settings:
1 Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4).
2 Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in BGP Fast Fall-Over.

Establishing Sessions with BGP Neighbors

Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks. Up to 128 simultaneous BFD sessions are supported. As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies.
  ROUTER BGP mode
  neighbor {ip-address | peer-group-name} bfd disable
• Remove the disabled state of a BFD for BGP session with a specified neighbor.
  ROUTER BGP mode
  no neighbor {ip-address | peer-group-name} bfd disable

Use BFD in a BGP Peer Group

You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
Examples of Verifying BGP Information
The following example shows verifying a BGP configuration.
R2# show running-config bgp
!
router bgp 2
neighbor 1.1.1.2 remote-as 1
neighbor 1.1.1.2 no shutdown
neighbor 2.2.2.2 remote-as 1
neighbor 2.2.2.2 no shutdown
neighbor 3.3.3.2 remote-as 1
neighbor 3.3.3.2 no shutdown
bfd all-neighbors
The following example shows viewing all BFD neighbors.
Remote MAC Addr: 00:01:e8:8a:da:7b
Int: TenGigabitEthernet 6/2
State: Up
Configured parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Neighbor parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Actual parameters:
TX: 100ms, RX: 100ms, Multiplier: 3
Role: Active
Delete session on Down: True
Client Registered: BGP
Uptime: 00:02:22
Statistics:
Number of packets received from neighbor: 1428
Number of packets sent to neighbor: 1428
Number of state changes: 1
Number of messages from IFA about port state change: 0
Numb
2.2.2.2 3.3.3.2 1 1 273 282 273 281 0 0 0 0 (0) 0 04:32:26 00:38:12 0 0 The following example shows viewing BFD information for a specified neighbor. The bold lines show the message displayed when you enable a BFD session with different configurations: • Message displays when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
Neighbor is using BGP peer-group mode BFD configuration Peer active in peer-group outbound optimization ... Configure BFD for VRRP When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred.
vrrp bfd all-neighbors
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive]
• Change parameters for a particular VRRP session.
INTERFACE mode
vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive]
To view session parameters, use the show bfd neighbors detail command, as shown in the example in Verifying BFD Sessions with BGP Neighbors Using the show bfd neighbors command example in Displaying BFD for BGP Information.
CONFIGURATION
debug bfd packet
Examples of Output from the debug bfd Commands
The following example shows a three-way handshake using the debug bfd detail command.
R1(conf-if-gi-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Gi 4/24 (diag: 0)
00:54:38 : Sent packet for session with neighbor 2.2.2.
9 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
IBGP provides routers inside the AS with the knowledge to reach routers external to the AS. EBGP routers exchange information with other EBGP routers as well as IBGP routers to maintain connectivity and accessibility. Figure 18. Internal BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network.
Figure 19. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor. Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State: Description
Idle: BGP initializes all resources, refuses all inbound BGP connection attempts, and initiates a TCP connection to the peer.
Connect: In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active: The router resets the ConnectRetry timer to zero and returns to the Connect state.
Figure 20. BGP Router Rules 1 Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2 Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B.
preferences. BGP sees that the Weight criterion results in two potential “best paths” and moves to local preference to reduce the options. If a number of best paths is determined, the selection criteria are applied to each group’s best path to determine the ultimate best path. In non-deterministic mode (the bgp non-deterministic-med command is applied), paths are compared in the order in which they arrive.
c AS_CONFED_SET is not included in the AS_PATH length. d AS_CONFED_SEQUENCE has a path length of 1, no matter how many ASs are in the AS_CONFED_SEQUENCE. 5 Prefer the path with the lowest ORIGIN type (IGP is lower than EGP, and EGP is lower than INCOMPLETE). 6 Prefer the path with the lowest multi-exit discriminator (MED) attribute.
Figure 22. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 23. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example. The origin attribute is shown following the AS path information (shown in bold).
Implement BGP with Dell Networking OS The following sections describe how to implement BGP on Dell Networking OS. Additional Path (Add-Path) Support The add-path feature reduces convergence times by advertising multiple paths to its peers for the same address prefix without replacing existing paths with new ones. By default, a BGP speaker advertises only the best path to its peers for a given address prefix.
Ignore Router-ID in Best-Path Calculation You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath routerid ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence. Four-Byte AS Numbers You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the decimal format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10. Dynamic AS Number Notation Application Dell Networking OS applies the ASN notation type change dynamically to the running-config statements.
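As an added example written for this page (not code from the Dell guide), the three notations as conversion functions, plus a rewrite of a constructed running-config in the style of the dynamic notation change described above. The keyword list the rewrite looks for and the sample config lines are assumptions made for the illustration.

```python
import re

AS_MAX = 4_294_967_295       # largest 4-byte (32-bit) ASN
TWO_BYTE_LIMIT = 65_536      # ASNs below this fit in 2 bytes


def validate_asn(asn: int) -> int:
    """Reject anything outside the 1..4294967295 range."""
    if not 1 <= asn <= AS_MAX:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def to_asplain(asn: int) -> str:
    """ASPLAIN: plain decimal (the Dell Networking OS default)."""
    return str(validate_asn(asn))


def to_asdot_plus(asn: int) -> str:
    """ASDOT+: always high.low with 16 bits each, so 65526 -> 0.65526."""
    validate_asn(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """ASDOT: asplain below 65536, asdot+ from 65536 up (65546 -> 1.10)."""
    return to_asplain(asn) if asn < TWO_BYTE_LIMIT else to_asdot_plus(asn)


def parse_asn(text: str) -> int:
    """Accept any of the three notations and return the integer ASN."""
    text = text.strip()
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"bad dotted ASN: {text!r}")
        return validate_asn((high << 16) | low)
    return validate_asn(int(text))


def needs_four_octet_support(asn: int) -> bool:
    """True when the ASN cannot be carried in the 2-byte OPEN field."""
    return validate_asn(asn) >= TWO_BYTE_LIMIT


FORMATTERS = {"asplain": to_asplain, "asdot": to_asdot, "asdot+": to_asdot_plus}

# Hypothetical keyword list: the statements whose argument is an ASN in this
# demo. The real OS rewrites every ASN-bearing statement; this is illustrative.
_ASN_KEYWORD = re.compile(r"\b(router bgp|remote-as|local-as)\s+(\d+(?:\.\d+)?)")


def render_running_config(lines, notation: str):
    """Re-render ASN arguments in the chosen notation; the values are unchanged."""
    fmt = FORMATTERS[notation]

    def swap(match):
        return f"{match.group(1)} {fmt(parse_asn(match.group(2)))}"

    return [_ASN_KEYWORD.sub(swap, line) for line in lines]


# Constructed sample config, not a real device's running-config.
SAMPLE_CONFIG = [
    "router bgp 100",
    "neighbor 172.30.1.250 local-as 65057",
    "neighbor 10.0.0.1 remote-as 65546",
]

if __name__ == "__main__":
    for notation in FORMATTERS:
        print(f"--- bgp asnotation {notation} ---")
        print("\n".join(render_running_config(SAMPLE_CONFIG, notation)))
```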
router bgp 100
neighbor 172.30.1.250 local-as 65057
Dell(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
AS Number Migration
With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress. When migrating one AS to another, perhaps combining ASs, an eBGP network may lose its routing to an iBGP if the ASN changes.
If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH. If an inbound route-map is used to prepend the aspath to the update from the peer, the Local-AS is added first. For example, consider the topology described in the previous illustration.
• High CPU utilization may be observed during an SNMP walk of a large BGP Loc-RIB. • To avoid SNMP timeouts with a large-scale configuration (large number of BGP neighbors and a large BGP Loc-RIB), Dell Networking recommends setting the timeout and retry count values to a relatively higher number. For example, t = 60 or r = 5. • To return all values on an snmpwalk for the f10BgpM2Peer sub-OID, use the -C c option, such as snmpwalk -v 2c -C c -c public.
Item: Default
Local preference: 100
MED: 0
Route Flap Damping Parameters: half-life = 15 minutes; reuse = 750; suppress = 2000; max-suppress-time = 60 minutes
Distance: external distance = 20; internal distance = 200; local distance = 200
Timers: keepalive = 60 seconds; holdtime = 180 seconds
Add-path: Disabled
Enabling BGP
By default, BGP is not enabled on the system. Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN).
bgp four-octet-as-support
NOTE: Use it only if you support 4-Byte AS numbers or if you support AS4 number representation. If you are supporting 4-Byte ASNs, enable this command. Disable 4-Byte support and return to the default 2-Byte format by using the no bgp four-octet-as-support command. You cannot disable 4-Byte support if you currently have a 4-Byte ASN configured.
b Disabling 4-Byte AS numbers also disables ASDOT and ASDOT+ number representation. All AS numbers are displayed in ASPLAIN format.
The following example shows the show ip bgp summary command output (4–byte AS number displays). R2#show ip bgp summary BGP router identifier 192.168.10.2, local AS number 48735.
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Received 0 updates, Sent 0 updates
Minimum time between advertisement runs is 5 seconds
For address family: IPv4 Unicast
BGP table version 0, neighbor version 0
0 accepted prefixes consume 0 bytes
Prefix advertised 0, rejected 0, withdrawn 0
Connections established 0; dropped 0
Last reset never
No active TCP connection
Dell#
The following example shows verifying the BGP configuration using the show running-config b
CONFIG-ROUTER-BGP mode
bgp asnotation asplain
NOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot
• Enable ASDOT+ AS Number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot+
Examples of the bgp asnotation Commands
The following example shows the bgp asnotation asplain command output.
A maximum of 256 peer groups are allowed on the system. Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it. For information about configuring route policies for a peer group, refer to Filtering BGP Routes. NOTE: Sample Configurations for enabling peer groups are found at the end of this chapter. 1 Create a peer group by assigning a name to it.
• neighbor next-hop-self
• neighbor route-map out
• neighbor route-reflector-client
• neighbor send-community
A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates.
NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode.
10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.1 10.68.171.1 10.68.172.1 10.68.173.1 10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 10.68.179.1 10.68.180.1 10.68.181.1 10.68.182.1 10.68.183.1 10.68.184.1 10.68.185.1
Dell>
Configuring BGP Fast Fall-Over
By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable.
Capabilities received from neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
Capabilities advertised to neighbor for IPv4 Unicast :
MULTIPROTO_EXT(1)
ROUTE_REFRESH(2)
CISCO_ROUTE_REFRESH(128)
fall-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dr
When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, Dell Networking OS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor. To work around this, change the BGP configuration or change the order of the peer group configuration. You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265.
To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP mode.
R2(conf-router_bgp)#show conf
!
router bgp 65123
bgp router-id 192.168.10.2
network 10.10.21.0/24
network 10.10.32.0/24
network 100.10.92.0/24
network 192.168.10.0/24
bgp four-octet-as-support
neighbor 10.10.21.1 remote-as 65123
neighbor 10.10.21.1 filter-list Laura in
neighbor 10.10.21.1 no shutdown
neighbor 10.10.32.3 remote-as 65123
neighbor 10.10.32.3 no shutdown
neighbor 100.10.92.
neighbor 100.10.92.9 local-as 6500
neighbor 100.10.92.9 no shutdown
neighbor 192.168.10.1 remote-as 65123
neighbor 192.168.10.1 update-source Loopback 0
neighbor 192.168.10.1 no shutdown
neighbor 192.168.12.2 remote-as 65123
neighbor 192.168.12.2 allowas-in 9
neighbor 192.168.12.2 update-source Loopback 0
neighbor 192.168.12.2 no shutdown
R2(conf-router_bgp)#R2(conf-router_bgp)#
Enabling Graceful Restart
Use this feature to lessen the negative effects of a BGP restart.
Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency. With the graceful restart feature, Dell Networking OS enables the receiving/restarting mode by default. In Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability when they restart.
You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters. 3 Return to CONFIGURATION mode. AS-PATH ACL mode exit 4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expression: Definition
^ (caret): Matches the beginning of the input string. Alternatively, when used as the first character within brackets [^ ], this matches any number except the ones specified within the brackets.
$ (dollar): Matches the end of the input string.
. (period): Matches any single character, including white space.
* (asterisk): Matches 0 or more sequences of the immediately previous character or pattern.
Dell#show ip as-path-access-lists
ip as-path access-list Eagle
deny 32$
Dell#
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
The range is from 2 to 64.
2 Allow the specified neighbor/peer group to send/receive multiple path advertisements.
CONFIG-ROUTER-BGP mode
neighbor add-path
NOTE: The path-count parameter controls the number of paths that are advertised, not the number of paths that are received.
Configuring IP Community Lists
Within Dell Networking OS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute.
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112
deny 14551:112
deny 701:667
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
Dell#
Configuring an IP Extended Community List
To configure an IP extended community list, use these commands.
1 Create an extended community list and enter the EXTCOMMUNITY-LIST mode.
CONFIGURATION mode
ip extcommunity-list extcommunity-list-name
2 Two types of extended communities are supported.
Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1 Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
route-map map-name [permit | deny] [sequence-number]
2 Configure a set filter to delete all COMMUNITY numbers in the IP community list.
CONFIG-ROUTE-MAP mode
set comm-list community-list-name delete
OR
set community {community-number | local-as | no-advertise | no-export | none}
Configure a community list by denying or permitting specific community numbers or types of community.
*>i 6.133.0.0/21 205.171.0.16 100 0 209 7170 1455 i
*>i 6.151.0.0/16 205.171.0.16 100 0 209 7170 1455 i
--More--
Changing MED Attributes
By default, Dell Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands.
• Enable MED comparison in the paths from neighbors with different ASs.
CONFIG-ROUTER-BGP mode
bgp always-compare-med
By default, this comparison is not performed.
4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. Changing the NEXT_HOP Attribute You can change how the NEXT_HOP attribute is used.
Enabling Multipath By default, the software allows one path to a destination. You can enable multipath to allow up to 64 parallel paths to a destination. NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector. To allow more than one path, use the following command. The show ip bgp network command includes multipath information for that network. • Enable multiple parallel paths.
CONFIG-PREFIX LIST mode exit 4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Filter routes based on the criteria in the configured prefix list. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out} Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • prefix-list-name: enter the name of a configured prefix list.
Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • map-name: enter the name of a configured route map. • in: apply the route map to inbound routes. • out: apply the route map to outbound routes. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Configure clusters of routers where one router is a concentration router and the others are clients who receive their updates from the concentration router. To configure a route reflector, use the following commands. • Assign an ID to a router reflector cluster. CONFIG-ROUTER-BGP mode bgp cluster-id cluster-id • You can have multiple clusters in an AS. Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client.
confederations appear as one AS. Within the confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands.
• Specifies the confederation ID.
CONFIG-ROUTER-BGP mode
bgp confederation identifier as-number
as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte).
• Specifies which confederation sub-AS are peers.
• half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. • reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed).
The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
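The penalty arithmetic behind these parameters, as an added simulation written for this page rather than the guide's own CLI example. It uses the defaults listed above (1024 per flap, half-life 15, reuse 750, suppress 2000, max-suppress-time 60); the penalty ceiling reuse × 2^(max-suppress-time / half-life) is taken from RFC 2439, not from this guide, and the prefixes and flap times are constructed.

```python
import math
from dataclasses import dataclass
from typing import Optional

FLAP_PENALTY = 1024.0  # penalty added per flap, as stated in the guide


@dataclass
class DampeningParams:
    """bgp dampening half-life reuse suppress max-suppress-time (guide defaults)."""
    half_life: float = 15.0          # minutes until the penalty halves
    reuse: float = 750.0             # re-advertise once penalty drops below this
    suppress: float = 2000.0         # stop advertising once penalty exceeds this
    max_suppress_time: float = 60.0  # longest a route may stay suppressed, minutes

    def ceiling(self) -> float:
        # Assumption from RFC 2439 (not stated in the guide): the penalty is
        # capped so a suppressed route decays below 'reuse' within
        # max_suppress_time minutes. With the defaults this is 750 * 2^4 = 12000.
        return self.reuse * 2 ** (self.max_suppress_time / self.half_life)


@dataclass
class RouteState:
    penalty: float = 0.0
    last_update: float = 0.0   # simulation clock, in minutes
    suppressed: bool = False


class FlapDampener:
    """Tracks one penalty per prefix with continuous half-life decay."""

    def __init__(self, params: Optional[DampeningParams] = None):
        self.p = params or DampeningParams()
        self.routes = {}

    def _decay(self, st: RouteState, now: float) -> RouteState:
        # Exponential decay: the penalty halves every half_life minutes.
        elapsed = now - st.last_update
        if elapsed > 0:
            st.penalty *= 2 ** (-elapsed / self.p.half_life)
            st.last_update = now
        return st

    def flap(self, prefix: str, now: float) -> float:
        """Record a withdraw/re-advertise flap; returns the new penalty."""
        st = self.routes.setdefault(prefix, RouteState(last_update=now))
        self._decay(st, now)
        st.penalty = min(st.penalty + FLAP_PENALTY, self.p.ceiling())
        if st.penalty > self.p.suppress:
            st.suppressed = True
        return st.penalty

    def is_suppressed(self, prefix: str, now: float) -> bool:
        """Decay to 'now', then release the route once penalty < reuse."""
        st = self.routes.get(prefix)
        if st is None:
            return False
        self._decay(st, now)
        if st.suppressed and st.penalty < self.p.reuse:
            st.suppressed = False
        return st.suppressed

    def minutes_until_reuse(self, prefix: str, now: float) -> float:
        """Minutes until a suppressed route decays below 'reuse' (0 if usable)."""
        if not self.is_suppressed(prefix, now):
            return 0.0
        st = self.routes[prefix]
        return self.p.half_life * math.log2(st.penalty / self.p.reuse)


if __name__ == "__main__":
    d = FlapDampener()
    for t in (0.0, 1.0):                 # two flaps one minute apart
        print(f"t={t:5.1f} penalty={d.flap('10.0.0.0/24', t):8.1f}")
    print("suppressed:", d.is_suppressed("10.0.0.0/24", 1.0),
          "reuse in", round(d.minutes_until_reuse("10.0.0.0/24", 1.0), 1), "min")
```

Two flaps a minute apart are enough to cross the default suppress threshold of 2000, and the route is then held for about 21 minutes before its penalty decays below 750.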
• keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds.
• holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds.
To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Example of Soft-Reconfiguration of a BGP Neighbor
The example enables inbound soft reconfiguration for the neighbor 10.108.1.1. All updates received from this neighbor are stored unmodified, regardless of the inbound policy. When inbound soft reconfiguration is done later, the stored information is used to generate a new set of inbound updates.
Dell>router bgp 100
neighbor 10.108.1.1 remote-as 200
neighbor 10.108.1.
• When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI.
• Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
• If the peer has not been activated in any AFI/SAFI, the peer remains in Idle state.
• Enable soft-reconfiguration debug.
EXEC Privilege mode
debug ip bgp {ip-address | peer-group-name} soft-reconfiguration
To enhance debugging of soft reconfig, use the bgp soft-reconfig-backup command only when route-refresh is not negotiated, to avoid having the peer resend messages. In-BGP is shown using the show ip protocols command. Dell Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode.
Last notification (len 21) sent 00:26:02 ago
ffffffff ffffffff ffffffff ffffffff 00160303 03010000
Last notification (len 21) received 00:26:20 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Last PDU (len 41) received 00:26:02 ago that caused notification to be issued
ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201 00024003 04141414 0218c0a8 01000000
Local host: 1.1.1.1, Local port: 179
Foreign host: 1.1.1.
Incoming packet capture enabled for BGP neighbor 172.30.1.250
Available buffer size 29165743, 192991 packet(s) captured using 11794257 bytes
[. . .]
Dell(conf-router_bgp)#do sho ip bg s
BGP router identifier 172.30.1.
Figure 25. Sample Configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/24
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
ip address 192.168.128.1/24
no shutdown
R1(conf-if-lo-0)#int gi 1/21
R1(conf-if-gi-1/21)#ip address 10.0.1.21/24
R1(conf-if-gi-1/21)#no shutdown
R1(conf-if-gi-1/21)#show config
!
interface GigabitEthernet 1/21
ip address 10.0.1.
R1(conf-router_bgp)#neighbor 192.168.128.3 no shut
R1(conf-router_bgp)#neighbor 192.168.128.3 update-source loop 0
R1(conf-router_bgp)#show config
!
router bgp 99
network 192.168.128.0/24
neighbor 192.168.128.2 remote-as 99
neighbor 192.168.128.2 update-source Loopback 0
neighbor 192.168.128.2 no shutdown
neighbor 192.168.128.3 remote-as 100
neighbor 192.168.128.
ip address 10.0.3.33/24
no shutdown
R3(conf-if-lo-0)#int gi 3/21
R3(conf-if-gi-3/21)#ip address 10.0.2.3/24
R3(conf-if-gi-3/21)#no shutdown
R3(conf-if-gi-3/21)#show config
!
interface GigabitEthernet 3/21
ip address 10.0.2.3/24
no shutdown
R3(conf-if-gi-3/21)#
R3(conf-if-gi-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#network 192.168.128.0/24
R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99
R3(conf-router_bgp)#neighbor 192.168.128.
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 1, neighbor version 1
Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer
Prefixes advertised 1, denied 0, withdrawn 0 from peer
Connections established 2; dropped 1
Last reset 00:00:57, due to user reset
Notification History
'Connection Reset' Sent : 1 Recv: 0
Last notification (len 21) sent 00:00:57 ago
ffffffff ffffffff ffffffff ffffffff 00150306 00000000
Local host: 192.168.128.
Example of Enabling Peer Groups (Router 3)
R3#conf
R3(conf)#router bgp 100
R3(conf-router_bgp)# neighbor AAA peer-group
R3(conf-router_bgp)# neighbor AAA no shutdown
R3(conf-router_bgp)# neighbor CCC peer-group
R3(conf-router_bgp)# neighbor CCC no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown
R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB
R3(conf-router_bgp)# neighbor 192.168.128.
10 Content Addressable Memory (CAM)
CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies.
CAM Allocation
CAM Allocation for Ingress
To allocate the space for regions such as L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode.
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports up to 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 512 entries.
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos | vman-dual-qos number ecfmacl number nlbcluster number ipv4pbr number openflow number | fcoe number iscsioptacl number [vrfv4acl number]}
NOTE: If you do not enter the allocation values for the CAM regions, the value is 0.
3 Execute write memory and verify that the new settings are written to the CAM on the next boot.
EXEC Privilege mode
show cam-acl
4 Reload the system.
L2PT IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0
Dell(conf)#
Example of Viewing CAM-ACL Settings
NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
Dell#
View CAM Usage
View the amount of CAM space available, used, and remaining in each ACL partition using the show cam-usage command from EXEC Privilege mode.
• Use the EXEC Privilege mode commands to match the profile of a component to the profile of the target system. QoS CAM Region Limitation To store QoS service policies, the default CAM profile allocates a partition within the IPv4Flow region. If the QoS CAM space is exceeded, a message similar to the following displays.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 27. CoPP Implemented Versus CoPP Not Implemented Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
Examples of Configuring CoPP for Different Protocols The following example shows creating the IP/IPv6/MAC extended ACL.
Configuring CoPP for CPU Queues
Controlling traffic on the CPU queues does not require ACL rules, but does require QoS policies. CoPP for CPU queues converts the input rate from kbps to pps, assuming 64 bytes is the average packet size, and applies that rate to the corresponding queue. Consequently, 1 kbps is roughly equivalent to 2 pps. The basics for creating a CoPP service policy are to create QoS policies for the desired CPU bound queue and associate them with a particular rate-limit.
CoPP for OSPFv3 Packets
You can create an IPv6 ACL for control-plane traffic policing for OSPFv3, in addition to the CoPP support for VRRP, BGP, and ICMP. You can use the ipv6 access-list name cpu-qos permit ospfv3 command to allow CoPP traffic for OSPFv3. Control Plane Policing (CoPP) enables more CPU queues to be made available on ports for IPv6 and ICMPv6 packets.
The backplane ports can have a maximum of 4 control queues. So, when there are ‘n’ CMIC queues for well-known protocols and n > 4, the streams on the ‘n’ CMIC queues must be multiplexed onto the 4 control queues on the backplane ports, and on the Master unit these streams must be de-multiplexed back to the ‘n’ CMIC queues on the Master CPU. After control packets reach the CPU through the CMIC port, the software schedules the processing of traffic on each of the 12 CPU queues.
Table 13.
To configure control-plane policing, perform the following:
1 Create an IPv6 ACL for control-plane traffic policing for ospfv3.
CONFIGURATION mode
Dell(conf)#ipv6 access-list ospfv3 cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit ospf
2 Create a QoS input policy for the router and assign the policing.
Q7 Dell# 1100
Example of Viewing Queue Mapping
To view the queue mapping for each configured protocol, use the show ip protocol-queue-mapping command.
12 Dynamic Host Configuration Protocol (DHCP)
DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option, Number, and Description
• Subnet Mask (Option 1): Specifies the client’s subnet mask.
• Router (Option 3): Specifies the router IP addresses that may serve as the client’s default gateway.
• Domain Name Server (Option 6): Specifies the domain name servers (DNSs) that are available to the client.
• Domain Name (Option 15): Specifies the domain name that clients should use when resolving hostnames via DNS.
• End (Option 255): Signals the last option in the DHCP packet.
Assign an IP Address using DHCP
The following section describes DHCP and the client in a network. When a client joins a network:
1 The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
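As an added example, not taken from the Dell guide, here is a small parser for the DHCP options field whose codes the option table above lists (1, 3, 6, 15 and the End option 255). The options blob it parses is constructed here; the parser stops at End and rejects a length byte that would run past the buffer instead of reading garbage.

```python
"""Parser for the DHCP options field (RFC 2132 type-length-value encoding).

Added example for the option table above; not code from the Dell guide.
The options blob below is constructed for illustration.
"""
import ipaddress

# Option codes from the chapter's option table, plus the Pad option (0).
OPT_PAD = 0
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS_SERVER = 6
OPT_DOMAIN_NAME = 15
OPT_END = 255


def _addr_list(value: bytes, code: int) -> list:
    """Decode a value that is a list of one or more IPv4 addresses."""
    if not value or len(value) % 4:
        raise ValueError(f"option {code}: length {len(value)} is not a multiple of 4")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]


def parse_dhcp_options(blob: bytes) -> dict:
    """Walk the TLV list and return the decoded options keyed by name.

    Unknown option codes are kept under out["unknown"][code] as raw bytes so
    nothing is silently dropped. Parsing stops at the End option (255); a
    length byte that runs past the end of the buffer, or a list that never
    reaches End, is rejected rather than read as garbage.
    """
    out = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            out["end"] = True
            return out
        if code == OPT_PAD:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: missing length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: length {length} runs past end of buffer")
        if code == OPT_SUBNET_MASK:
            if length != 4:
                raise ValueError("option 1: subnet mask must be exactly 4 bytes")
            out["subnet_mask"] = str(ipaddress.IPv4Address(value))
        elif code == OPT_ROUTER:
            out["routers"] = _addr_list(value, code)
        elif code == OPT_DNS_SERVER:
            out["dns_servers"] = _addr_list(value, code)
        elif code == OPT_DOMAIN_NAME:
            out["domain_name"] = value.rstrip(b"\x00").decode("ascii", errors="replace")
        else:
            out.setdefault("unknown", {})[code] = value
        i += 2 + length
    raise ValueError("options field ended without an End option (255)")


def is_well_formed(blob: bytes) -> bool:
    """True if the blob parses cleanly, False on any structural error."""
    try:
        parse_dhcp_options(blob)
        return True
    except ValueError:
        return False


# Constructed sample: the kind of option list a server returns in a DHCPOFFER.
SAMPLE_OPTIONS = (
    bytes([OPT_SUBNET_MASK, 4, 255, 255, 255, 0])               # 255.255.255.0
    + bytes([OPT_ROUTER, 4, 10, 11, 0, 1])                      # default gateway
    + bytes([OPT_PAD])                                          # padding is legal
    + bytes([OPT_DNS_SERVER, 8, 10, 11, 0, 53, 10, 11, 0, 54])  # two DNS servers
    + bytes([OPT_DOMAIN_NAME, 11]) + b"example.lab"
    + bytes([OPT_END])
)

# Constructed malformed sample: option 6 claims 8 bytes but only 4 follow.
TRUNCATED_OPTIONS = bytes([OPT_DNS_SERVER, 8, 10, 11, 0, 53])

if __name__ == "__main__":
    for name, value in parse_dhcp_options(SAMPLE_OPTIONS).items():
        print(f"{name}: {value}")
    print("truncated blob well-formed:", is_well_formed(TRUNCATED_OPTIONS))
```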
Implementation Information
The following describes the DHCP implementation.
• Dell Networking implements DHCP based on RFC 2131 and RFC 3046.
• IP source address validation is a sub-feature of DHCP Snooping; the Dell Networking OS uses access control lists (ACLs) internally to implement this feature and, as such, you cannot apply ACLs to an interface that has IP source address validation.
Configuring the Server for Automatic Address Allocation
Automatic address allocation is an address assignment method by which the DHCP server leases an IP address to a client from a pool of available addresses. An address pool is a range of IP addresses that the DHCP server may assign. The subnet number indexes the address pools. To create an address pool, follow these steps.
1 Access the DHCP server CLI context.
CONFIGURATION mode
ip dhcp server
2 Create an address pool and give it a name.
Excluding Addresses from the Address Pool
The DHCP server assumes that all IP addresses in a DHCP address pool are available for assigning to DHCP clients. You must specify the IP addresses that the DHCP server should not assign to clients. To exclude an address, follow this step.
• Exclude an address range from DHCP assignment. The exclusion applies to all configured pools.
DHCP mode
excluded-address
Specifying an Address Lease Time
To specify an address lease time, use the following command.
Using NetBIOS WINS for Address Resolution
Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1 Specify the NetBIOS WINS name servers, in order of preference, that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients.
Using DHCP Clear Commands
To clear DHCP binding entries, address conflicts, and server counters, use the following commands.
• Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
clear ip dhcp binding ip address
Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Figure 30. Configuring a Relay Agent
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Example of the show ip interface Command
R1_E600#show ip int gigabitethernet 1/3
GigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1
192.168.0.
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch. A switch cannot operate with BMP and as a DHCP client simultaneously. To disable BMP in EXEC mode, use the stop bmp command. After BMP stops, the switch acts as a DHCP client.
NOTE: To verify the currently configured dynamic IP address on an interface, use the show ip dhcp lease command. The show running-configuration command output only displays ip address dhcp. The currently assigned dynamic IP address does not display.
To configure and view an interface as a DHCP client to receive an IP address, use the following commands.
1 Enter INTERFACE Configuration mode on an Ethernet interface.
• Management routes added by the DHCP client take precedence over the same statically configured management route. Static routes are not removed from the running configuration if a dynamically acquired management route added by the DHCP client overwrites a static management route.
• Management routes added by the DHCP client are not added to the running configuration.
To use the router as the VRRP owner, if you enable a DHCP client on an interface that is added to a VRRP group, assign a priority less than 255 but higher than any other priority assigned in the group.
Configure the System for User Port Stacking (Option 230)
Set the stacking-option variable to provide stack-port details on the DHCP server when you set the DHCP offer. A stack can be formed when the units are connected. Option 230 is the option for user port stacking.
CONFIGURATION mode
ip dhcp relay information-option [trust-downstream]
For routers between the relay agent and the DHCP server, enter the trust-downstream option.
• Manually reset the remote ID for Option 82.
CONFIGURATION mode
ip dhcp relay information-option remote-id
DHCP Snooping
DHCP snooping protects networks from spoofing. In the context of DHCP snooping, ports are either trusted or not trusted. By default, all ports are not trusted. Trusted ports are ports through which attackers cannot connect.
ip dhcp snooping vlan name
Enabling IPv6 DHCP Snooping
To enable IPv6 DHCP snooping, use the following commands.
1 Enable IPv6 DHCP snooping globally.
CONFIGURATION mode
ipv6 dhcp snooping
2 Specify ports connected to IPv6 DHCP servers as trusted.
INTERFACE mode
ipv6 dhcp snooping trust
3 Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
clear ipv6 dhcp snooping binding
Dell# clear ipv6 dhcp snooping ?
binding    Clear the snooping binding database
Displaying the Contents of the Binding Table
To display the contents of the binding table, use the following command.
• Display the contents of the binding table.
EXEC Privilege mode
show ip dhcp snooping
Example of the show ip dhcp snooping Command
View the DHCP snooping statistics with the show ip dhcp snooping command.
Debugging the IPv6 DHCP
To debug the IPv6 DHCP, use the following command.
• Display debug information for IPv6 DHCP.
EXEC Privilege mode
debug ipv6 dhcp
IPv6 DHCP Snooping MAC-Address Verification
Configure this feature to verify the source MAC address in the DHCP packet against the MAC address stored in the snooping binding table.
• Enable IPv6 DHCP snooping.
attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the gateway, and sends all internet-bound packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker’s MAC address and the client’s IP address. The gateway then thinks that the attacker is the client and forwards all packets addressed to the client to it. As a result, the attacker is able to sniff all packets to and from the client.
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
Dell#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
--------------------------------------
Valid ARP Requests   : 0
Valid ARP Replies    : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies  : 0
Dell#
Bypassing the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch environments.
NOTE: If you enable IP source guard using the ip dhcp source-address-validation command and there are more entries in the current DHCP snooping binding table than the available CAM space, SAV may not be applied to all entries. To ensure that SAV is applied correctly to all entries, enable the ip dhcp source-address-validation command before adding entries to the binding table.
• Enable IP source address validation.
INTERFACE mode
ip dhcp source-address-validation ipmac vlan vlan-id
Dell Networking OS creates an ACL entry for each IP+MAC address pair, optionally with its VLAN ID, in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface or for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
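The checks that the DHCP snooping, ARP inspection and source address validation sections above describe, modelled in Python as an added example (not Dell Networking OS code): a binding table learned from DHCP on untrusted ports, ARP inspection that trusted ports bypass and that counts valid and invalid requests and replies as in the show arp inspection statistics output, and IP+MAC (optionally +VLAN) source validation. The port names, addresses and the spoofing scenario are constructed.

```python
"""Model of the DHCP snooping binding table and the two checks built on it:
Dynamic ARP Inspection (DAI) and IP source address validation (SAV).

Added example, not Dell Networking OS code. Ports, addresses and the
spoofing scenario below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str      # untrusted port on which the lease was snooped


@dataclass
class SnoopingTable:
    trusted_ports: frozenset                      # ports toward the DHCP server / router
    bindings: dict = field(default_factory=dict)  # (ip, vlan) -> Binding
    stats: dict = field(default_factory=lambda: {
        "valid_requests": 0, "valid_replies": 0,
        "invalid_requests": 0, "invalid_replies": 0})

    def learn(self, b: Binding) -> None:
        """Record a lease seen in a DHCP ACK arriving on an untrusted port."""
        self.bindings[(b.ip, b.vlan)] = b

    def inspect_arp(self, port: str, vlan: int, sender_ip: str,
                    sender_mac: str, is_reply: bool) -> bool:
        """DAI: on untrusted ports the ARP sender IP/MAC must match a binding.

        Trusted ports bypass inspection entirely and are not counted, which
        is what the 'Bypassing the ARP Inspection' section configures.
        """
        if port in self.trusted_ports:
            return True
        b = self.bindings.get((sender_ip, vlan))
        ok = b is not None and b.mac.lower() == sender_mac.lower()
        kind = "replies" if is_reply else "requests"
        self.stats[("valid_" if ok else "invalid_") + kind] += 1
        return ok

    def validate_source(self, port: str, vlan: int, src_ip: str,
                        src_mac: str, match_vlan: bool = True) -> bool:
        """SAV (ipmac [vlan]): the packet's IP+MAC (+VLAN) must be a binding.

        Assumption of this model: the ACL built from the binding table for an
        interface only contains bindings learned on that interface.
        """
        for b in self.bindings.values():
            if b.port == port and b.ip == src_ip and b.mac.lower() == src_mac.lower():
                if not match_vlan or b.vlan == vlan:
                    return True
        return False


def run_scenario() -> dict:
    """Constructed scenario: one legitimate client and one host that attempts
    the ARP spoofing the chapter describes (claiming the gateway's IP and the
    client's IP with its own MAC). Returns every check result for inspection."""
    t = SnoopingTable(trusted_ports=frozenset({"Gi 1/48"}))   # uplink to router/DHCP
    client = Binding(ip="10.11.0.50", mac="00:11:22:33:44:55", vlan=100, port="Gi 1/5")
    t.learn(client)
    gateway_ip, spoof_mac = "10.11.0.1", "de:ad:be:ef:00:01"
    r = {}
    # Legitimate ARP request from the client on its own port.
    r["client_arp"] = t.inspect_arp("Gi 1/5", 100, client.ip, client.mac, is_reply=False)
    # Host on untrusted Gi 1/6 claims the gateway's IP, then the client's IP.
    r["spoof_gateway"] = t.inspect_arp("Gi 1/6", 100, gateway_ip, spoof_mac, is_reply=True)
    r["spoof_client"] = t.inspect_arp("Gi 1/6", 100, client.ip, spoof_mac, is_reply=True)
    # The real gateway answers through the trusted uplink: no binding needed.
    r["gateway_arp"] = t.inspect_arp("Gi 1/48", 100, gateway_ip, "00:01:e8:aa:bb:cc", is_reply=True)
    # SAV on the client's port: matching pair passes, wrong MAC or wrong VLAN does not.
    r["sav_ok"] = t.validate_source("Gi 1/5", 100, client.ip, client.mac)
    r["sav_bad_mac"] = t.validate_source("Gi 1/5", 100, client.ip, spoof_mac)
    r["sav_vlan_mismatch"] = t.validate_source("Gi 1/5", 200, client.ip, client.mac)
    r["sav_ipmac_only"] = t.validate_source("Gi 1/5", 200, client.ip, client.mac, match_vlan=False)
    r["stats"] = dict(t.stats)
    return r


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```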
13 Equal Cost Multi-Path (ECMP)
This chapter describes configuring ECMP.
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Configuring the Hash Algorithm
TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command.
Configuring the Hash Algorithm Seed
Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
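To make the behavior just described concrete, here is an added Python model (not the Dell Networking OS hash algorithm): next hops are sorted deterministically, but the flow hash is seeded with the lower 12 bits of the chassis MAC, so two chassis with different MACs choose different next hops for some flows, and only a shared seed makes them agree. The MAC addresses, next hops, flows and the SHA-256-based hash are constructed for illustration.

```python
"""Why sorted (deterministic) ECMP next hops are not enough for two chassis to
agree on a hop: the hash seed comes from the low 12 bits of the chassis MAC.

Added illustrative model, not the Dell Networking OS hash. The flows, next
hops and SHA-256-based hash are constructed for this example.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

Flow = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, src_port, dst_port, proto)


def chassis_seed(chassis_mac: str) -> int:
    """Seed used by the model: the lower 12 bits of the chassis MAC, as the text describes."""
    return int(chassis_mac.replace(":", "").replace("-", ""), 16) & 0xFFF


def select_next_hop(flow: Flow, next_hops: Iterable[str], seed: int) -> str:
    """Deterministic ECMP: sort the candidate hops, then pick one by seeded flow hash."""
    hops = sorted(next_hops)               # same order on every chassis, whatever order RTM gave
    key = f"{seed}|" + "|".join(str(f) for f in flow)
    digest = hashlib.sha256(key.encode()).digest()
    return hops[int.from_bytes(digest[:4], "big") % len(hops)]


def disagreeing_flows(flows: List[Flow], next_hops: List[str], mac_a: str, mac_b: str,
                      common_seed: Optional[int] = None) -> int:
    """Count flows for which chassis A and chassis B pick different next hops.

    With common_seed=None each chassis derives its own seed from its MAC; a
    configured common seed models the hash algorithm seed being set identically
    on both chassis.
    """
    seed_a = chassis_seed(mac_a) if common_seed is None else common_seed
    seed_b = chassis_seed(mac_b) if common_seed is None else common_seed
    return sum(1 for f in flows
               if select_next_hop(f, next_hops, seed_a) != select_next_hop(f, next_hops, seed_b))


def sample_flows(count: int = 200) -> List[Flow]:
    """Constructed flows: one host talking HTTPS to a range of destinations."""
    return [("10.1.1.10", f"10.2.{n // 256}.{n % 256}", 40000 + n, 443, 6) for n in range(count)]


NEXT_HOPS = ["192.168.1.2", "192.168.1.1", "192.168.1.4", "192.168.1.3"]  # unsorted, as RTM might give them
CHASSIS_A = "00:01:e8:05:f3:6a"   # low 12 bits: 0x36a
CHASSIS_B = "00:01:e8:8b:20:15"   # low 12 bits: 0x015

if __name__ == "__main__":
    flows = sample_flows()
    print("flows with differing hops, per-chassis seeds:",
          disagreeing_flows(flows, NEXT_HOPS, CHASSIS_A, CHASSIS_B))
    print("flows with differing hops, common seed 7:    ",
          disagreeing_flows(flows, NEXT_HOPS, CHASSIS_A, CHASSIS_B, common_seed=7))
```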
Gi 1/1 Gi 1/1 Up Up 36 52
Managing ECMP Group Paths
To avoid path degeneration, configure the maximum number of paths for an ECMP route that the L3 CAM can hold. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command.
NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system.
link-bundle-distribution trigger-threshold {percent}
The range is from 1 to 90%. The default is 60%.
• Display details for an ECMP group bundle.
EXEC mode
show link-bundle-distribution ecmp-group ecmp-group-id
The range is from 1 to 64.
Viewing an ECMP Group
NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups.
14 FIPS Cryptography
Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken:
• If enabled, the SSH server is disabled.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Examples of the show fips status and show system Commands
The following example shows the show fips status command.
Dell#show fips status
FIPS Mode : Enabled
for the system using the show system command. The following example shows the show system command.
Disabling FIPS Mode
When you disable FIPS mode, the following changes occur:
• The SSH server disables.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
15 Force10 Resilient Ring Protocol (FRRP)
FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status
The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.
Ring Checking
At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups. Switch R3 has two instances of FRRP running on it: one for each ring. The example topology that follows shows R3 assuming the role of a Transit node for both FRRP 101 and FRRP 202.
Figure 31.
• Master node secondary port is in blocking state during Normal operation.
• Ring health frames (RHF)
  • Hello RHF: sent at 500ms (hello interval); only the Master node transmits and processes these.
  • Topology Change RHF: triggered updates; processed at all nodes.
Important FRRP Concepts
The following table lists some important FRRP concepts.
Implementing FRRP
• FRRP is media and speed independent.
• FRRP is a Dell proprietary protocol that does not interoperate with any other vendor.
• You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP.
• All ring ports must be Layer 2 ports. This is required for both Master and Transit nodes.
• A VLAN configured as a control VLAN for a ring cannot be configured as a control or member VLAN for any other ring.
• Tag control VLAN ports.
• All ports on the ring must use the same VLAN ID for the control VLAN.
• You cannot configure a VLAN as both a control VLAN and member VLAN on the same ring.
• Only two interfaces can be members of a control VLAN (the Master Primary and Secondary ports).
• Member VLANs across multiple rings are not supported in Master nodes.
To create the control VLAN for this FRRP group, use the following commands on the switch that is to act as the Master node.
• The control VLAN must be the same for all nodes on the ring.
To create the Member VLANs for this FRRP group, use the following commands on all of the Transit switches in the ring.
1 Create a VLAN with this ID number.
CONFIGURATION mode
interface vlan vlan-id
VLAN ID: the range is from 1 to 4094.
2 Tag the specified interface or range of interfaces to this VLAN.
CONFIG-INT-VLAN mode
• Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
Clearing the FRRP Counters
To clear the FRRP counters, use one of the following commands.
• Clear the counters associated with this Ring ID.
EXEC PRIVILEGE mode
clear frrp ring-id
Ring ID: the range is from 1 to 255.
• Clear the counters associated with all FRRP groups.
EXEC PRIVILEGE mode
clear frrp
Viewing the FRRP Configuration
To view the configuration for the FRRP group, use the following command.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
• When the interface ceases to be a part of any FRRP process, if you enable Spanning Tree globally, also enable it explicitly for the interface.
• The maximum number of rings allowed on a chassis is 255.
Example of R3 TRANSIT
interface GigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip address
 tagged GigabitEthernet 3/14,21
 no shutdown
!
protocol frrp 101
 interface primary GigabitEthernet 3/21 secondary GigabitEthernet 3/14 control-vlan 101
 member-vlan 201
 mode transit
 no disable
16 GARP VLAN Registration Protocol (GVRP)
The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
• RPM Redundancy
Configure GVRP
To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 32.
• Enable GVRP for the entire switch.
CONFIGURATION mode
gvrp enable
Example of Configuring GVRP
Dell(conf)#protocol gvrp
Dell(config-gvrp)#no disable
Dell(config-gvrp)#show config
!
protocol gvrp
 no disable
Dell(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.
Enabling GVRP on a Layer 2 Interface
To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
 no ip address
 switchport
 gvrp enable
 gvrp registration fixed 34-35
 gvrp registration forbidden 45-46
 no shutdown
Dell(conf-if-gi-1/21)#
Configure a GARP Timer
Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter.
17 High Availability (HA)
High availability (HA) is supported on Dell Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell Networking OS release.
Table 16. Boot Code Requirements
Component    Boot Code
S3048–ON 1   2.0.
Example of the show redundancy Command
Dell#show redundancy
-- Stack-unit Status --
------------------------------------------------
Mgmt ID:                    0
Stack-unit ID:              0
Stack-unit Redundancy Role: Primary
Stack-unit State:           Active
Stack-unit SW Version:      9.6(0.
Proceed with Stack-unit hot failover [confirm yes/no]:yes
Dell#
Specifying an Auto-Failover Limit
When a non-recoverable fatal error is detected, an automatic failover occurs. However, Dell Networking OS is configured to auto-failover only three times within any 60-minute period. You may specify a different auto-failover count. To re-enable the auto-failover-limit with its default parameters, use the redundancy auto-failover-limit command without parameters.
• Set a different auto-failover count.
Removing a Provisioned Logical Stack Unit
To remove the line card configuration, use the following command.
• To remove a logical stack-unit configuration, use the following command:
CONFIGURATION mode
no stack-unit unit_id provision
Hitless Behavior
Hitless is a protocol-based system behavior that makes a stack unit failover on the local system transparent to remote systems.
System Health Monitoring
Dell Networking OS also monitors the overall health of the system. Key parameters such as CPU utilization, free memory, and error counters (for example, CRC failures and packet loss) are measured, and after exceeding a threshold can be used to initiate a recovery mechanism.
Failure and Event Logging
Dell Networking systems provide multiple options for logging failures and events.
Trace Log
Developers interlace messages with software code to track the execution of a program.
Hot-Lock Behavior
Dell Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic. Existing entries are simply shuffled to accommodate new entries.
Hot-Lock IP ACLs allow you to append rules to and delete rules from an access control list (ACL) that is already written to CAM. This behavior is enabled by default and is available for both standard and extended ACLs on ingress and egress.
18 Internet Group Management Protocol (IGMP)
Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
leaves a multicast group by sending an IGMP message to its IGMP Querier. The querier is the router that surveys a subnet for multicast receivers and processes survey responses to populate the multicast routing table. IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 33.
still receives no response, the querier removes the group from the list associated with the forwarding port and stops forwarding traffic for that group to the subnet.
IGMP Version 3
Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences.
• Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
Figure 35. IGMP Version 3–Capable Multicast Routers Address Structure
Joining and Filtering Groups and Sources
The following illustration shows how multicast routers maintain the group and source information from unsolicited reports.
1 The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1.
2 The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1.
Figure 36. Membership Reports: Joining and Filtering
Leaving and Staying in Groups
The following illustration shows how multicast routers track and refresh state changes in response to group-and-source-specific and general queries.
1 Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filters for 10.11.1.1 and 10.11.1.2 are no longer necessary.
Figure 37. Membership Queries: Leaving and Staying
Configure IGMP
Configuring IGMP is a two-step process.
1 Enable multicast routing using the ip multicast-routing command.
2 Enable a multicast routing protocol.
Viewing IGMP Enabled Interfaces
Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
• View IGMP-enabled interfaces.
EXEC Privilege mode
show ip igmp interface
Example of the show ip igmp interface Command
Dell#show ip igmp interface
GigabitEthernet 3/10
Inbound IGMP access group is not set
Internet address is 165.87.34.
Example of the show ip igmp groups Command
Dell#show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address  Interface            Mode    Uptime    Expires   Last Reporter
225.1.1.1      GigabitEthernet 1/1  IGMPV2  00:11:19  00:01:50  165.87.34.100
225.1.2.1      GigabitEthernet 1/1  IGMPV2  00:10:19  00:01:50  165.87.31.100
Adjusting Timers
The following sections describe viewing and adjusting timers. To view the current value of all IGMP timers, use the following command.
To apply the access list, use the following command.
• Apply the access list.
INTERFACE mode
ip igmp access-group access-list-name
Dell Networking OS Behavior: Do not enter the ip igmp access-group command before creating the access-list. If you do, after entering your first deny rule, the Dell Networking OS clears the multicast routing table and re-learns all groups, even those not covered by the rules in the access-list, because there is an implicit deny all rule at the end of all access-lists.
The following table lists the location and description shown in the previous illustration.
Table 17. Preventing a Host from Joining a Group — Description
Location 1/21:
• interface GigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.1/24
• no shutdown
Location 1/31:
• interface GigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.1/24
• no shutdown
Location 2/1:
• interface GigabitEthernet 2/1
• ip pim sparse-mode
• ip address 10.11.1.
Location Receiver 2:
• interface VLAN 400
• ip pim sparse-mode
• ip address 10.11.4.1/24
• untagged GigabitEthernet 1/2
• ip igmp access-group igmpjoinfilR2G2
• no shutdown
Enabling IGMP Immediate-Leave
If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet.
CONFIGURATION mode
ip igmp snooping enable
• View the configuration.
CONFIGURATION mode
show running-config
• Disable snooping on a VLAN.
CONFIGURATION mode
no ip igmp snooping flood
Specifying a Port as Connected to a Multicast Router
To statically specify or view a port in a VLAN, use the following commands.
• Statically specify a port in a VLAN as connected to a multicast router.
INTERFACE VLAN mode
ip igmp snooping mrouter
• View the ports that are connected to multicast routers.
EXEC Privilege mode
show ip igmp snooping mrouter
Configuring the Switch as Querier
To configure the switch as a querier, use the following command.
Fast Convergence after MSTP Topology Changes When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Application Name, Port Number, Supported
• SNMP: 162 for SNMP Traps (client), 161 for SNMP MIB response (server). Supported.
• NTP: 123. Supported.
• DNS: 53. Supported.
• FTP: 20/21. Supported.
• Syslog: 514. Supported.
• Telnet: 23. Supported.
• TFTP: 69. Supported.
• Radius: 1812, 1813. Supported.
• Tacacs: 49. Supported.
• HTTP: 80 for httpd; 443 for secure httpd; 8008 HTTP server port for confd application; 8888 secure HTTP server port for confd application. Supported.
If you configure a source int
• Applications can be configured or unconfigured as management applications using the application or no application command. All configured applications are considered management applications and the rest are non-management applications.
• All the management routes (connected, static, and default) are duplicated and added to the management EIS routing table.
• Any new management route added is installed in both the EIS routing table and the default routing table.
Handling of Switch-Initiated Traffic
When the control processor (CP) initiates a control packet, the following processing occurs:
• The TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call, which is called as part of the connect system call or in the ip_output function.
• If the route lookup in the EIS routing table fails or the management port is down, the packets are dropped and the management application drop counter is incremented.
• Whenever an IP address is assigned to the management port, it is stored in a global variable in the IP stack, which is used for comparison with the source IP address of the packet.
• The rest of the response traffic is handled as per existing behavior, by doing a route lookup in the default routing table.
• EIS is enabled implies that the EIS feature is enabled and the application might or might not be configured as a management application.
• EIS is disabled implies that either the EIS feature itself is disabled or the application is not configured as a management application.
Transit Traffic
This phenomenon occurs where traffic is transiting the switch. Traffic has not originated from the switch and is not terminating on the switch.
Protocol: Behavior when EIS is Enabled / Behavior when EIS is Disabled
• radius: EIS Behavior / Default Behavior
• Sflow-collector: Default Behavior
• Snmp (SNMP MIB response and SNMP Traps): EIS Behavior / Default Behavior
• ssh: EIS Behavior / Default Behavior
• syslog: EIS Behavior / Default Behavior
• tacacs: EIS Behavior / Default Behavior
• telnet: EIS Behavior / Default Behavior
• tftp: EIS Behavior / Default Behavior
• icmp (ping and traceroute): EIS Behavior for ICMP / Default Behavior
Behavior of Various Applicati
Protocol: Behavior when EIS is Enabled / Behavior when EIS is Disabled
• icmp (ping and traceroute): EIS Behavior for ICMP / Default Behavior
Interworking of EIS With Various Applications
Stacking
• The management EIS is enabled on the master and the standby unit.
• Because traffic can be initiated from the Master unit only, the preference for the management EIS table for switch-initiated traffic, and all its related ARP processing, is applied in the Master unit only.
19 Interfaces
This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). The system supports 1 Gigabit Ethernet and 10 Gigabit Ethernet interfaces.
• Bulk Configuration
• Defining Interface Range Macros
• Monitoring and Maintaining Interfaces
• Configuring wavelength for 10–Gigabit SFP+ optics
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Dynamic Counters
Interface Types
The following table describes different interface types.
Table 22.
Examples of the show Commands
The following example shows the configuration and status information for one interface.
Dell#show interfaces gigabitethernet 1/1
GigabitEthernet 1/1 is up, line protocol is up
Hardware is Force10Eth, address is 00:01:e8:05:f3:6a
    Current address is 00:01:e8:05:f3:6a
Pluggable media present, XFP type is 10GBASE-LR.
    Medium is MultiRate, Wavelength is 1310nm
    XFP receive power reading is -3.7685
Interface index is 67436603
Internet address is 65.113.24.
interface GigabitEthernet 2/8
 no ip address
 shutdown
!
interface GigabitEthernet 2/9
 no ip address
 shutdown
Resetting an Interface to its Factory Default State
You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1 View the configurations applied on an interface.
To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface. Physical Interfaces The Management Ethernet interface is a single RJ-45 Fast Ethernet port on a switch. The interface provides dedicated management access to the system. Stack-unit interfaces support Layer 2 and Layer 3 traffic over the 1-Gigabit Ethernet and 10-Gigabit Ethernet interfaces.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. • Enable Layer 2 data transmissions through an individual interface.
Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface
If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
Dell(conf-if)#show config
!
interface GigabitEthernet 1/2
 no ip address
 switchport
 no shutdown
Dell(conf-if)#ip address 10.10.1.
When you enable this feature, all management routes (connected, static, and default) are copied to the management EIS routing table. Use the management route command to add new management routes to the default and EIS routing tables. Use the show ip management-eis-route command to view the EIS routes. Important Points to Remember • Deleting a management route removes the route from both the EIS routing table and the default routing table.
• Configure an IP address and mask on a Management interface.
INTERFACE mode
ip address ip-address mask
• ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x).
Viewing Two Global IPv6 Addresses
You can configure two global IPv6 addresses on the system. To view the addresses, use the show interface managementethernet command in EXEC Privilege mode, as shown in the following example.
Important Points to Remember — virtual-ip
• The primary management interface uses only the virtual IP address if it is configured. The system cannot be accessed through the native IP address of the primary RPM's management interface.
• After the virtual IP address is removed, the system is accessible through the native IP address of the primary RPM's management interface.
• The primary and secondary management interface IP addresses and the virtual IP address must be in the same subnet.
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213). NOTE: You cannot simultaneously use egress rate shaping and ingress rate policing on the same VLAN. Dell Networking OS supports Inter-VLAN routing (Layer 3 routing in VLANs). You can add IP addresses to VLANs and use them in routing protocols in the same manner that physical interfaces are used.
Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command. • Enter INTERFACE mode of the Null interface. CONFIGURATION mode interface null 0 The only configurable command in INTERFACE mode of the Null interface is the ip unreachable command.
As soon as you configure a port channel, Dell Networking OS treats it like a physical interface. For example, IEEE 802.1Q tagging is maintained while the physical interface is in the port channel. Member ports of a LAG are added and programmed into the hardware in a predictable order based on the port ID, instead of in the order in which the ports come up. With this implementation, load balancing yields predictable results across device reloads.
Creating a Port Channel You can create up to 128 port channels with up to 16 port members per group on the platform. To configure a port channel, use the following commands. 1 Create a port channel. CONFIGURATION mode interface port-channel id-number 2 Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown After you enable the port channel, you can place it in Layer 2 or Layer 3 mode.
Examples of the show interfaces port-channel Commands To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell Networking OS recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1 Remove the interface from the first port channel.
Example of Configuring the Minimum Oper Up Links in a Port Channel
Dell#config t
Dell(conf)#int po 1
Dell(conf-if-po-1)#minimum-links 5
Dell(conf-if-po-1)#
Adding or Removing a Port Channel from a VLAN
As with other interfaces, you can add Layer 2 port channel interfaces to VLANs. To add a port channel to a VLAN, place the port channel in Layer 2 mode (by using the switchport command). To add or remove a VLAN port channel and to view VLAN port channel members, use the following commands.
Dell#show interfaces switchport gi 1/1
Codes: U - Untagged, T - Tagged
       x - Dot1x untagged, X - Dot1x tagged
       G - GVRP tagged, M - Trunk, H - VSN tagged
       i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
Name: GigabitEthernet 1/1
802.1QTagged: True
Vlan membership:
Q Vlans
T 2-5,100,4010
Dell#
Assigning an IP Address to a Port Channel
You can assign an IP address to a port channel and use port channels in Layer 3 routing protocols. To assign an IP address, use the following command.
Changing the Hash Algorithm The load-balance command selects the hash criteria applied to port channels. If you do not obtain even distribution with the load-balance command, you can use the hash-algorithm command to select the hash scheme for LAG, ECMP and NH-ECMP. You can rotate or shift the 12-bit LAG hash until the desired hash is achieved. The nh-ecmp option allows you to change the hash value for recursive ECMP routes independently of non-recursive ECMP routes.
• xor16 — uses 16 bit XOR. Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Single-Range
The following is an example of a single range.
Example of the interface range Command (Single Range)
Dell(config)# interface range gigabitethernet 1/1 - 1/23
Dell(config-if-range-gi-1/1-1/23)# no shutdown
Dell(config-if-range-gi-1/1-1/23)#
Create a Multiple-Range
The following is an example of a multiple range.
Add Ranges
The following example shows how to use commas to add VLAN and port-channel interfaces to the range.
Example of Adding VLAN and Port-Channel Interface Ranges
Dell(config-if-range-gi-1/1-1/2)# interface range Vlan 2 - 100 , Port 1 - 25
Dell(config-if-range-gi-1/1-1/2-vl-2-100-po-1-25)# no shutdown
Defining Interface Range Macros
You can define an interface-range macro to automatically select a range of interfaces for configuration.
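The range rules above (a range is accepted when at least one interface in it exists, and interfaces that do not exist are excluded from the bulk operation) as an added Python example. This is not code from the Dell guide; the interface inventory and the keyword aliases are constructed for the demonstration, and it expands only the slot/port, VLAN and port-channel forms shown in the examples.

```python
"""Expand interface ranges the way bulk configuration does.

Added example, not from the Dell guide. Models the stated rule: a range
is accepted if at least one interface in it exists, and non-existing
interfaces are silently excluded. The inventory below is constructed.
"""
import re
from typing import Dict, List, Set

# Constructed inventory (assumption): two stack units with 52 ports each,
# a handful of VLANs and two port channels already configured.
EXISTING: Set[str] = (
    {f"gigabitethernet 1/{p}" for p in range(1, 53)}
    | {f"gigabitethernet 2/{p}" for p in range(1, 53)}
    | {f"vlan {v}" for v in (1, 2, 10, 100)}
    | {f"port-channel {c}" for c in (1, 5)}
)

# Keywords as they appear in the guide's examples; "Port" means port-channel.
ALIASES: Dict[str, str] = {
    "gigabitethernet": "gigabitethernet", "gi": "gigabitethernet",
    "vlan": "vlan", "vl": "vlan",
    "port-channel": "port-channel", "port": "port-channel", "po": "port-channel",
}

_RANGE = re.compile(
    r"^\s*([A-Za-z-]+)\s*(\d+(?:/\d+)?)\s*(?:-\s*(\d+(?:/\d+)?))?\s*$"
)


def expand_range(spec: str) -> List[str]:
    """Expand 'gigabitethernet 1/1 - 1/23' or 'Vlan 2 - 100' into interface names."""
    m = _RANGE.match(spec)
    if not m:
        raise ValueError(f"bad range: {spec!r}")
    kind = ALIASES.get(m.group(1).lower())
    if kind is None:
        raise ValueError(f"unknown interface type in {spec!r}")
    start, end = m.group(2), m.group(3) or m.group(2)
    if "/" in start:  # slot/port form: the range runs over the port number
        slot, first = start.split("/")
        end_slot, last = end.split("/")
        if slot != end_slot:
            raise ValueError("a slot/port range must stay within one slot")
        return [f"{kind} {slot}/{p}" for p in range(int(first), int(last) + 1)]
    return [f"{kind} {n}" for n in range(int(start), int(end) + 1)]


def bulk_targets(range_cmd: str, existing: Set[str] = EXISTING) -> List[str]:
    """Interfaces a bulk command applies to; comma-separated ranges are allowed."""
    targets: List[str] = []
    for part in range_cmd.split(","):
        present = [i for i in expand_range(part) if i in existing]
        if not present:  # no valid interface in this range: reject it
            raise ValueError(f"no valid interface in range {part.strip()!r}")
        targets.extend(present)
    return targets


if __name__ == "__main__":
    print(bulk_targets("gigabitethernet 1/1 - 1/23"))
    print(bulk_targets("Vlan 2 - 100 , Port 1 - 25"))
```

The second call illustrates the exclusion rule: VLANs 2 to 100 expand to 99 names, but only the three VLANs that exist, plus the two existing port channels, receive the configuration.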
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information. • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. Example of the monitor interface Command The information displays in a continuous run, refreshing every 2 seconds by default. To manage the output, use the following keys.
To test and display TDR results, use the following commands. 1 Test for cable faults on a TenGigabitEthernet cable. EXEC Privilege mode tdr-cable-test tengigabitethernet slot/port Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test; if the port is disabled, the test prints an error message. 2 Display the TDR test results.
• You can apply link dampening to Layer 2 and Layer 3 interfaces.
• You can configure link dampening on individual interfaces in a LAG.
Enabling Link Dampening
To enable link dampening, use the following command.
• Enable link dampening.
INTERFACE mode
dampening
Examples of the show interfaces dampening Commands
To view the link dampening configuration on an interface, use the show config command.
R1(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 10.10.19.
Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command. • show interfaces dampening • show interfaces dampening summary • show interfaces interface slot/port Configure MTU Size on an Interface In Dell Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The link MTU is the frame size of a packet, and the IP MTU size is used for IP fragmentation.
show link-bundle-distribution Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
• rx on: enter the keywords rx on to process the received flow control frames on this port. • rx off: enter the keywords rx off to ignore the received flow control frames on this port. • tx on: enter the keywords tx on to send control frames from this port to the connected device when a higher rate of traffic is received. • tx off: enter the keywords tx off so that flow control frames are not sent from this port to the connected device when a higher rate of traffic is received.
For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500. The VLAN’s Link MTU cannot be higher than 1518 bytes and its IP MTU cannot be higher than 1500 bytes. Port-Pipes A port pipe is a Dell Networking-specific term for the hardware packet-processing elements that handle network traffic to and from a set of front-end I/O ports. The physical, front-end I/O ports are referred to as a port-set.
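The link MTU and IP MTU relationship defined above, and the rule that a VLAN's MTUs are capped by its most restrictive member, as an added Python example. This is not code from the Dell guide; the 14-byte Ethernet header, 4-byte FCS and 4-byte 802.1Q tag are the standard sizes, and the member figures are the ones from the paragraph.

```python
"""Link MTU vs. IP MTU arithmetic as the guide defines them.

Added example, not from the Dell guide. Link MTU is the whole Ethernet
frame: header (14) + optional 802.1Q tag(s) (4 each) + payload + FCS (4).
IP MTU is the largest IP packet the interface sends without fragmenting.
"""
from typing import Dict, Iterable

ETH_HEADER = 14
FCS = 4
DOT1Q_TAG = 4


def link_mtu(ip_mtu: int, tags: int = 0) -> int:
    """Frame size a port must accept to carry ip_mtu bytes of IP payload."""
    return ETH_HEADER + tags * DOT1Q_TAG + ip_mtu + FCS


def ip_mtu_from_link(link: int, tags: int = 0) -> int:
    """Largest IP packet that fits a frame of size link with the given tags."""
    return link - ETH_HEADER - tags * DOT1Q_TAG - FCS


def vlan_mtu(members: Iterable[Dict[str, int]]) -> Dict[str, int]:
    """A VLAN's link and IP MTU cannot exceed the smallest member value.

    Each member is {"link": <link MTU>, "ip": <IP MTU>}.
    """
    members = list(members)
    return {"link": min(m["link"] for m in members),
            "ip": min(m["ip"] for m in members)}


def needs_fragmentation(packet_len: int, ip_mtu: int, df: bool) -> str:
    """What happens to an IP packet of packet_len bytes leaving an interface."""
    if packet_len <= ip_mtu:
        return "forward"
    return "drop (DF set)" if df else "fragment"


if __name__ == "__main__":
    tagged = {"link": link_mtu(1500, tags=1), "ip": 1500}   # 1522 / 1500
    untagged = {"link": link_mtu(1500), "ip": 1500}         # 1518 / 1500
    print(vlan_mtu([tagged, untagged]))                     # {'link': 1518, 'ip': 1500}
    print(needs_fragmentation(1600, 1500, df=True))
```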
NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed. 6 Optionally, set duplex. INTERFACE mode duplex full 7 Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8 Verify configuration changes.
Example of the negotiation auto Command
Dell(conf)# int gigabitethernet 1/1
Dell(conf-if-gi-1/1)#neg auto
Dell(conf-if-gi-1/1-autoneg)# ?
end     Exit from configuration mode
exit    Exit from autoneg configuration mode
mode    Specify autoneg mode
no      Negate a command or set its defaults
show    Show autoneg configuration information
Dell(conf-if-gi-1/1-autoneg)#mode ?
forced-master   Force port to master mode
forced-slave    Force port to slave mode
Dell(conf-if-gi-1/1-autoneg)#
For details about the speed, duplex, and nego
Name: GigabitEthernet 3/2
802.1QTagged: True
Vlan membership:
Vlan 2
Name: GigabitEthernet 3/3
802.1QTagged: True
Vlan membership:
Vlan 2
Name: GigabitEthernet 3/4
802.1QTagged: True
Vlan membership:
Vlan 2
--More--
Configuring the Interface Sampling Size
Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter "19", you actually get a sample of the past 15 seconds.
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 1d23h45m
Queueing strategy: fifo
0 packets input, 0 bytes
    Input 0 IP Packets, 0 Vlans 0 MPLS
    0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts
    0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
    Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
    0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
0 packets output, 0 bytes, 0 underruns
    Output 0 Mult
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. • (OPTIONAL) To clear statistics for all VRRP groups configured, enter the keyword vrrp. Enter a number from 1 to 255 as the vrid.
20 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
transform-set myXform-set
session-key inbound esp 256 auth encrypt
session-key outbound esp 257 auth encrypt
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
The session-key lines install manually keyed security associations (SPI 256 inbound, SPI 257 outbound). Manually configured keys are never rekeyed automatically, so rotate them on a schedule and protect the configuration that holds them. Only the flows listed in the match entries (Telnet on port 23 and FTP on port 21 between the two address pairs) are protected; any other management traffic is sent in the clear.
3 Apply the crypto policy to management traffic.
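The match entries above, evaluated as a policy selector, as an added Python example. This is not the Dell implementation: it parses the match lines exactly as printed in the example and reports which entry, if any, selects a given TCP flow for ESP. It assumes that port 0 is a wildcard (the example uses it on whichever side holds the ephemeral port) and that entries are tried in sequence order.

```python
"""Evaluate the crypto-policy match entries from the example above.

Added example, not the Dell implementation. Parses lines of the form
  match <seq> tcp <src-addr> /<len> <src-port> <dst-addr> /<len> <dst-port>
and reports which entry selects a flow. Assumptions: port 0 is a
wildcard and entries are tried in sequence order.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Copied from the example policy above (no other lines).
POLICY = """\
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""


@dataclass(frozen=True)
class MatchEntry:
    seq: int
    proto: str
    src: Network
    sport: int
    dst: Network
    dport: int

    def selects(self, proto: str, sip: str, sp: int, dip: str, dp: int) -> bool:
        # An address of the wrong family is simply not "in" the network.
        return (proto == self.proto
                and ipaddress.ip_address(sip) in self.src
                and ipaddress.ip_address(dip) in self.dst
                and self.sport in (0, sp)
                and self.dport in (0, dp))


def parse_policy(text: str) -> List[MatchEntry]:
    entries: List[MatchEntry] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) != 9 or tok[0] != "match":
            continue
        entries.append(MatchEntry(
            seq=int(tok[1]), proto=tok[2],
            src=ipaddress.ip_network(tok[3] + tok[4], strict=False), sport=int(tok[5]),
            dst=ipaddress.ip_network(tok[6] + tok[7], strict=False), dport=int(tok[8])))
    return sorted(entries, key=lambda e: e.seq)


def selected_by(policy: List[MatchEntry], proto: str,
                sip: str, sp: int, dip: str, dp: int) -> Optional[int]:
    """Sequence number of the first entry selecting the flow, or None (cleartext)."""
    for e in policy:
        if e.selects(proto, sip, sp, dip, dp):
            return e.seq
    return None


def cleartext_flows(policy: List[MatchEntry], flows):
    """Flows (proto, sip, sp, dip, dp) that the policy leaves unprotected."""
    return [f for f in flows if selected_by(policy, *f) is None]


if __name__ == "__main__":
    P = parse_policy(POLICY)
    flows = [("tcp", "a::1", 51000, "a::2", 23),        # a::1 as Telnet client
             ("tcp", "1.1.1.1", 21, "1.1.1.2", 40000),   # 1.1.1.1 as FTP server
             ("tcp", "1.1.1.1", 40000, "1.1.1.2", 22)]   # SSH: not in the policy
    for f in flows:
        print(f, "->", selected_by(P, *f))
    print("unprotected:", cleartext_flows(P, flows))
```

Running it shows the practical check: the SSH flow returns None, which is the guide's point that the policy covers Telnet and FTP only.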
21 IPv4 Routing The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Configurations Using UDP Helper • UDP Helper with Broadcast-All Addresses • UDP Helper with Subnet Broadcast Addresses • UDP Helper with Configured Broadcast Addresses • UDP Helper with No Configured Broadcast Addresses • Troubleshooting UDP Helper IP Addresses Dell Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks.
• For a port channel interface, enter the keywords port-channel then a number.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
2 Enable the interface.
INTERFACE mode
no shutdown
3 Configure a primary IP address and mask on the interface.
INTERFACE mode
ip address ip-address mask [secondary]
• ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
-------------------------------------------
S   2.1.2.0/24     Direct, Lo 0
S   6.1.2.0/24     Direct, Nu 0
S   6.1.2.2/32     via 6.1.20.2
S   6.1.2.3/32     via 6.1.20.2
S   6.1.2.4/32     via 6.1.20.2
S   6.1.2.5/32     via 6.1.20.2
S   6.1.2.6/32     via 6.1.20.2
S   6.1.2.7/32     via 6.1.20.2
S   6.1.2.8/32     via 6.1.20.2
S   6.1.2.9/32     via 6.1.20.2
S   6.1.2.10/32    via 6.1.20.2
S   6.1.2.11/32    via 6.1.20.2
S   6.1.2.12/32    via 6.1.20.2
S   6.1.2.13/32    via 6.1.20.2
S   6.1.2.14/32    via 6.1.20.2
S   6.1.2.15/32    via 6.1.20.2
S   6.1.2.16/32    via 6.1.20.2
S   6.1.2.17/32    via 6.1.20.2
S   11.1.1.0/24    via 6.1.
--More--
Path MTU discovery (PMTD) identifies the path MTU between the sender and the receiver and uses that value when transmitting packets across the network. RFC 1191 specifies 576 bytes as the default path MTU to assume when nothing is known about the path; this is the conventional minimum MTU for IPv4. PMTD works by setting the do-not-fragment (DF) bit in the IP headers of outgoing packets: a router that cannot forward a packet without fragmenting it drops the packet and returns an ICMP Destination Unreachable, Fragmentation Needed (type 3, code 4) message carrying its next-hop MTU, and the sender reduces its packet size to that value.
the wait time to be 10 seconds or lower. If the device does not contain any BGP connections with the BGP neighbors across WAN links, you must set this interval to a higher value, depending on the complexity of your network and the configuration attributes. To configure the duration for which the device waits for the ACK packet to be sent from the requesting host to establish the TCP connection, perform the following steps: 1 Define the wait duration in seconds for the TCP connection to be established.
• Specify up to six name servers.
CONFIGURATION mode
ip name-server ip-address [ip-address2 ... ip-address6]
The order in which you enter the servers determines the order of their use.
Example of the show hosts Command
To view current bindings, use the show hosts command.
Dell>show host
Default domain is force10networks.com
Name/address lookup uses domain service
Name servers are not set
Host      Flags       TTL   Type   Address
--------  ----------  ----  -----  -------
ks        (perm, OK)  -     IP     2.2.2.2
patch1    (perm, OK)  -     IP     192.68.69.
• The order you entered the servers determines the order of their use. When you enter the traceroute command without specifying an IP address (Extended Traceroute), you are prompted for a target and source IP address, timeout in seconds (default is 5), a probe count (default is 3), minimum TTL (default is 1), maximum TTL (default is 30), and port number (default is 33434). CONFIGURATION mode traceroute [host | ip-address] To keep the default setting for these parameters, press the ENTER key.
Configuring Static ARP Entries ARP dynamically maps MAC and IP addresses, and while most network hosts support dynamic mapping, you can configure an ARP entry (called a static ARP) for the ARP cache. A static entry is not replaced by a dynamically learned one, which is why it is used for hosts whose mapping must not change. To configure a static ARP entry, use the following command. • Configure an IP address and MAC address mapping for an interface. CONFIGURATION mode arp vrf vrf-name ip-address mac-address interface • vrf vrf-name: use the VRF option to configure a static ARP on that particular VRF.
• For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. NOTE: Transit traffic may not be forwarded during the period when deleted ARP entries are resolved again and re-installed in CAM. Use this option with extreme caution. ARP Learning via Gratuitous ARP Gratuitous ARP can mean an ARP request or reply. In the context of ARP learning via gratuitous ARP on Dell Networking OS, the gratuitous ARP is a request.
Figure 40. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP. It only updates the ARP entry for the Layer 3 interface with the source IP of the request. Configuring ARP Retries You can configure the number of ARP retries. The default backoff interval remains at 20 seconds. On the device, the time between ARP resend is configurable. This timer is an exponential backoff timer.
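The learning behavior described above (the entry for a request's source IP is updated from the source MAC, without looking up the target IP) together with the static ARP entries from the earlier section, as an added Python example. This is not Dell code; the requests are constructed, and it assumes that with gratuitous-ARP learning disabled the system still learns from ordinary requests addressed to one of its own IP addresses. It logs every MAC change for an existing dynamic entry, because any host on the segment can send a gratuitous ARP claiming another host's address.

```python
"""ARP cache learning from gratuitous ARP, with a change alert.

Added example, not Dell code; requests below are constructed. The entry
for the request's source IP is updated with the source MAC, the target IP
is not looked up. A gratuitous request (target == sender) is learned only
when learn_gratuitous is True (assumption: ordinary requests to our own
IPs are learned either way). Static entries are never overwritten.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class ArpEntry:
    mac: str
    static: bool = False


@dataclass(frozen=True)
class ArpRequest:
    sender_ip: str
    sender_mac: str
    target_ip: str

    @property
    def gratuitous(self) -> bool:
        return self.sender_ip == self.target_ip


class ArpCache:
    def __init__(self, my_ips: Set[str], learn_gratuitous: bool) -> None:
        self.my_ips = my_ips
        self.learn_gratuitous = learn_gratuitous
        self.table: Dict[str, ArpEntry] = {}
        self.events: List[str] = []

    def add_static(self, ip: str, mac: str) -> None:
        self.table[ip] = ArpEntry(mac, static=True)

    def process(self, req: ArpRequest) -> Optional[str]:
        """Apply one ARP request; return a description of the change, if any."""
        if req.gratuitous:
            if not self.learn_gratuitous:
                return None
        elif req.target_ip not in self.my_ips:
            return None
        cur = self.table.get(req.sender_ip)
        if cur is None:
            self.table[req.sender_ip] = ArpEntry(req.sender_mac)
            event = f"learn {req.sender_ip} -> {req.sender_mac}"
        elif cur.static:
            event = f"ignore {req.sender_ip}: static {cur.mac}, offered {req.sender_mac}"
        elif cur.mac != req.sender_mac:
            # Existing dynamic entry rewritten by an unsolicited announcement.
            event = f"ALERT {req.sender_ip}: {cur.mac} -> {req.sender_mac}"
            cur.mac = req.sender_mac
        else:
            return None  # same mapping, nothing to report
        self.events.append(event)
        return event


def alerts(cache: ArpCache) -> List[str]:
    """Events worth forwarding to syslog: MAC changes for learned entries."""
    return [e for e in cache.events if e.startswith("ALERT")]


if __name__ == "__main__":
    cache = ArpCache(my_ips={"10.10.19.1"}, learn_gratuitous=True)
    cache.add_static("10.10.19.254", "00:00:5e:00:01:01")   # constructed gateway
    for r in (ArpRequest("10.10.19.20", "00:01:e8:aa:aa:aa", "10.10.19.1"),
              ArpRequest("10.10.19.20", "00:01:e8:bb:bb:bb", "10.10.19.20"),
              ArpRequest("10.10.19.254", "00:01:e8:bb:bb:bb", "10.10.19.254")):
        print(cache.process(r))
    print(alerts(cache))
```

The third request shows the value of a static entry: the attempt to claim the gateway address is ignored, while the second request silently rewrote the dynamic entry for 10.10.19.20 and only the alert records it.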
Configuration Tasks for ICMP The following lists the configuration tasks for ICMP. • Enabling ICMP Unreachable Messages For a complete listing of all commands related to ICMP, refer to the Dell Networking OS Command Line Reference Guide. Enabling ICMP Unreachable Messages By default, ICMP unreachable messages are disabled. When enabled, ICMP unreachable messages are created and sent out all interfaces. To disable and re-enable ICMP unreachable messages, use the following commands.
Example of Enabling UDP Helper and Using the UDP Helper show Command
Dell(conf-if-gi-1/1)#ip udp-helper udp-port 1000
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 2.1.1.1/24
 ip udp-helper udp-port 1000
 no shutdown
To view the interfaces and ports on which you enabled UDP helper, use the show ip udp-helper command from EXEC Privilege mode.
UDP Helper with Broadcast-All Addresses When the destination IP address of an incoming packet is the IP broadcast address, Dell Networking OS rewrites the address to match the configured broadcast address. In the following illustration: 1 Packet 1 is dropped at ingress if you did not configure UDP helper address.
Figure 42. UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
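The forwarding decisions described in the three cases above (packet dropped when no helper is configured, limited broadcast rewritten to each egress interface's broadcast address, directed or configured broadcast forwarded to the matching interfaces), as an added Python example. This is not Dell code: the interfaces and helper settings are constructed, and it assumes the helper is enabled per ingress interface for a set of UDP ports together with a list of target addresses that are matched against the subnet or configured broadcast address of the other interfaces. Its output mimics the format of the debug ip udp-helper lines shown later in this chapter.

```python
"""UDP helper forwarding decision, modeled on the guide's description.

Added example, not Dell code; interfaces and helper settings are
constructed. Assumptions: helper enabled per ingress interface for a set
of UDP ports plus target addresses; a target matches the subnet broadcast
or the configured broadcast address of another interface.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

LIMITED_BCAST = ipaddress.ip_address("255.255.255.255")
Decision = Tuple[str, List[Tuple[str, str]]]   # ("drop"|"forward", [(egress, DA)])


@dataclass
class Iface:
    name: str
    address: str                             # e.g. "10.5.1.1/24"
    configured_bcast: Optional[str] = None   # configured broadcast address, if any
    helper_ports: Set[int] = field(default_factory=set)
    helper_targets: List[str] = field(default_factory=list)

    @property
    def subnet_bcast(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.address).network.broadcast_address

    @property
    def bcast(self) -> ipaddress.IPv4Address:
        if self.configured_bcast:
            return ipaddress.ip_address(self.configured_bcast)
        return self.subnet_bcast


def udp_helper_forward(ingress: Iface, ifaces: List[Iface],
                       dst_ip: str, dst_port: int) -> Decision:
    da = ipaddress.ip_address(dst_ip)
    if dst_port not in ingress.helper_ports:
        return ("drop", [])                      # no helper for this port: Packet 1
    others = [i for i in ifaces if i.name != ingress.name]
    out: List[Tuple[str, str]] = []
    if da == LIMITED_BCAST:
        # Broadcast-all: DA is rewritten to each target interface's broadcast.
        targets = {ipaddress.ip_address(t) for t in ingress.helper_targets}
        for i in others:
            if i.bcast in targets or i.subnet_bcast in targets:
                out.append((i.name, str(i.bcast)))
    else:
        # Subnet or configured broadcast: forwarded unchanged to matching interfaces.
        for i in others:
            if da in (i.bcast, i.subnet_bcast):
                out.append((i.name, str(da)))
    return ("forward", out) if out else ("drop", [])


def debug_line(ingress: Iface, dst_ip: str, decision: Decision) -> str:
    """Render a decision in the style of the guide's debug ip udp-helper output."""
    da_hex = f"0x{int(ipaddress.ip_address(dst_ip)):08x}"
    if decision[0] == "drop":
        return f"Pkt rcvd on {ingress.name} with IP DA ({da_hex}) dropped"
    egress = " ".join(name for name, _ in decision[1])
    return f"Pkt rcvd on {ingress.name} with IP DA ({da_hex}) will be sent on {egress}"


# Constructed topology (assumption), using the interface names from the debug example.
IFACES = [
    Iface("Gi 5/1", "10.5.1.1/24", helper_ports={1000, 67},
          helper_targets=["10.5.2.255", "10.5.3.255", "172.16.3.255"]),
    Iface("Gi 5/2", "10.5.2.1/24"),
    Iface("Gi 5/3", "10.5.3.1/24"),
    Iface("Vlan 3", "172.16.3.1/24"),
    Iface("Vlan 100", "192.168.100.1/24", configured_bcast="192.168.100.100"),
]

if __name__ == "__main__":
    for da, port in (("255.255.255.255", 1000), ("10.5.3.255", 1000),
                     ("192.168.100.100", 67), ("255.255.255.255", 53)):
        print(debug_line(IFACES[0], da, udp_helper_forward(IFACES[0], IFACES, da, port)))
```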
Troubleshooting UDP Helper
To display debugging information for troubleshooting, use the debug ip udp-helper command.
Example of the debug ip udp-helper Command
Dell(conf)# debug ip udp-helper
01:20:22: Pkt rcvd on Gi 5/1 with IP DA (0xffffffff) will be sent on Gi 5/2 Gi 5/3 Vlan 3
01:44:54: Pkt rcvd on Gi 7/1 is handed over for DHCP processing.
When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command.
Example Output from the debug ip dhcp Command
Packet 0.0.0.
22 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Next Header (8 bits) • Hop Limit (8 bits) • Source Address (128 bits) • Destination Address (128 bits) IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header. IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 44.
Payload Length (16 bits) The Payload Length field specifies the length of the data following the IPv6 header, including any extension headers; it does not count the 40-byte fixed header itself. Because the field is 16 bits, the payload is limited to 65,535 bytes. The Jumbo Payload option, carried in a Hop-by-Hop extension header, supports larger packets when required. Next Header (8 bits) The Next Header field identifies the type of the header that immediately follows the IPv6 header.
Source Address (128 bits) The Source Address field contains the IPv6 address of the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient's IPv6 address. This can be either the ultimate destination or, when a Routing header is present, the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers does not severely impact performance.
11 Discard the packet and, only if the Destination IP Address is not a multicast address, send an ICMP Parameter Problem, Code 2 message to the packet's Source IP Address. The second byte of the option contains the Option Data Length. The third-highest-order bit of the Option Type (not a separate byte) specifies whether the option data can change en route to the destination: the value is 1 if it can change and 0 if it cannot.
In IPv6, every interface, whether using static or dynamic address assignments, also receives a link-local address automatically in the fe80::/64 subnet. Implementing IPv6 with Dell Networking OS Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature. Table 25.
Feature and Functionality | Dell Networking OS Release Introduction (S3048–ON) | Documentation and Chapter Location
ISIS for IPv6 support for distribute lists and administrative distance | 9.7(0.1) | IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide
OSPF for IPv6 (OSPFv3) | 9.7(0.1) | OSPFv3 in the Dell Networking OS Command Line Reference Guide
Equal Cost Multipath for IPv6 | 9.7(0.1) | (chapter not shown on this page)
Intermediate System to Intermediate System | (release not shown on this page) | IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide
The Dell Networking OS ping and traceroute commands extend to support IPv6 addresses. ping uses ICMPv6 Echo Request and Echo Reply messages (types 128 and 129); traceroute relies on the ICMPv6 Time Exceeded messages (type 3) that each hop returns. Path MTU Discovery Path MTU, in accordance with RFC 1981 (since revised as RFC 8201), is the largest packet size that can traverse a transmission path without fragmentation. Path MTU discovery for IPv6 uses ICMPv6 Packet Too Big messages (type 2), which carry the MTU of the link that could not forward the packet, to find the largest MTU along the path from source to destination and avoid fragmentation. Every IPv6 link must carry 1280-byte packets, so 1280 is the minimum MTU a node may assume; it is the safe default when nothing else is known.
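Path MTU discovery as described above for IPv6 and in the IPv4 section of the previous chapter, as an added Python example that simulates both. This is not Dell code; the hop MTUs are constructed. The IPv4 sender sets DF and learns the next-hop MTU from the ICMP Fragmentation Needed message (falling back to the 576-byte default when an old router reports none); the IPv6 sender learns it from ICMPv6 Packet Too Big and never goes below the 1280-byte minimum.

```python
"""Path MTU discovery simulated for IPv4 (RFC 1191) and IPv6 (RFC 8201).

Added example, not Dell code; hop MTUs are constructed. IPv4: hop that
cannot carry the DF packet returns ICMP type 3 code 4 with its next-hop
MTU (0 if it predates RFC 1191, then fall back to 576). IPv6: hop returns
ICMPv6 type 2; the sender clamps anything below 1280 to 1280.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_MIN_MTU = 1280
IPV4_DEFAULT_PMTU = 576
MAX_PROBES = 16


@dataclass(frozen=True)
class Hop:
    mtu: int
    reports_mtu: bool = True   # False: router sends no next-hop MTU (pre-RFC 1191)


def send(size: int, path: List[Hop]) -> Tuple[str, Optional[Hop]]:
    """Walk the path with DF set: the first hop that cannot carry size drops it."""
    for hop in path:
        if size > hop.mtu:
            return ("too_big", hop)
    return ("delivered", None)


def discover_pmtu(path: List[Hop], start: int, v6: bool) -> Tuple[int, List[str]]:
    """Shrink the probe after each ICMP error until a probe is delivered."""
    size, log = start, []
    for _ in range(MAX_PROBES):
        status, hop = send(size, path)
        if status == "delivered":
            log.append(f"{size} delivered; PMTU={size}")
            return size, log
        if v6:
            log.append(f"{size} dropped: ICMPv6 Packet Too Big (type 2), MTU={hop.mtu}")
            if hop.mtu < IPV6_MIN_MTU:
                # Links below 1280 are invalid in IPv6; RFC 8201 says use 1280
                # (with a Fragment header) rather than go lower.
                log.append("reported MTU below 1280, clamping to 1280")
                return IPV6_MIN_MTU, log
            size = hop.mtu
        else:
            reported = hop.mtu if hop.reports_mtu else 0
            log.append(f"{size} dropped: ICMP Fragmentation Needed (type 3/code 4), MTU={reported}")
            size = reported if reported else IPV4_DEFAULT_PMTU
    raise RuntimeError("PMTU search did not converge")


if __name__ == "__main__":
    for label, path, v6 in (("v4", [Hop(1500), Hop(1400), Hop(1500)], False),
                            ("v4 old router", [Hop(1500), Hop(1400, reports_mtu=False)], False),
                            ("v6", [Hop(1500), Hop(1280)], True)):
        pmtu, log = discover_pmtu(path, 1500, v6)
        print(label, pmtu, log)
```

The "old router" case is the reason the IPv4 section mentions 576 at all: without a next-hop MTU in the ICMP message the sender has nothing better than the RFC 1191 default, and throughput drops accordingly.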
Figure 46. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
• prefix addresses • multicast addresses • invalid host addresses If you specify such an address in the IPv6 RDNSS configuration, a DNS error is displayed. Example for Configuring an IPv6 Recursive DNS Server The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Remaining lifetime: infinite
Global Anycast address(es):
Joined Group address(es):
 ff02::1
 ff02::2
 ff02::1:ff00:12
 ff02::1:ff8b:7570
ND MTU is 0
ICMP redirects are not sent
DAD is enabled, number of DAD attempts: 3
ND reachable time is 20120 milliseconds
ND base reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 198 to 600 seconds
ND router advertisements live for 1800 seconds
ND adve
You must enter the ipv6acl allocation as an even number (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbers. The default option sets the CAM profile as follows: • L3 ACL (ipv4acl): 6 • L2 ACL (l2acl): 5 • IPv6 L3 ACL (ipv6acl): 0 • L3 QoS (ipv4qos): 1 • L2 QoS (l2qos): 1 Note that the default profile allocates no space for IPv6 ACLs, so IPv6 ACLs cannot be applied until you allocate some. To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) and then reload the system. • Allocate space for IPv6 ACLs.
NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing. Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command.
For more information regarding SNMP commands, refer to the SNMP and SYSLOG chapters in the Dell Networking OS Command Line Interface Reference Guide. • snmp-server host • snmp-server user ipv6 • snmp-server community ipv6 • snmp-server community access-list-name ipv6 • snmp-server group ipv6 • snmp-server group access-list-name ipv6 Displaying IPv6 Information View specific IPv6 configuration with the following commands. • List the IPv6 show options.
IPV6 is enabled
Stateless address autoconfiguration is enabled
Link Local address: fe80::201:e8ff:fe8b:386e
Global Unicast address(es):
 Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64
 Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64
Virtual-IP IPv6 address is not set
Received Prefix(es):
 400::/64 onlink autoconfig
  Valid lifetime: 2592000, Preferred lifetime: 604800
  Advertised by: fe80::201:e8ff:fe8b:3166
 412::/64 onlink autoconfig
  Valid lifetime: 2592000, Preferred lifetime: 60480
Because these prefixes are learned from router advertisements, any device that can send an RA on the link can add a prefix here; the IPv6 RA guard feature described later in this chapter is the control for that.
The following example shows the show ipv6 route command.
• Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} • *: all routes. • ipv6 address: the format is x:x:x:x::x. • mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). Omitting zeros is accepted as described in Addressing.
9 Enable verification of the advertised default router preference value. The preference value must be less than or equal to the specified limit. POLICY LIST CONFIGURATION mode router-preference maximum {high | low | medium} 10 Set the router lifetime. POLICY LIST CONFIGURATION mode router-lifetime value The router lifetime range is from 0 to 9,000 seconds. 11 Apply the policy to trusted ports. POLICY LIST CONFIGURATION mode trusted-port 12 Set the maximum transmission unit (MTU) value.
CONFIGURATION mode interface interface-type slot/port 2 Apply the IPv6 RA guard policy to a specific interface. INTERFACE mode ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vlan 2, vlan 3.....]] 3 Display the configuration applied on all RA guard policies or on a specific RA guard policy. EXEC Privilege mode show ipv6 nd ra-guard policy policy-name The policy name string can be up to 140 characters.
23 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol is a link-state interior gateway protocol that uses a shortest-path-first (SPF) algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
• area address — within your routing domain, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system ID — six bytes that uniquely identify the router within the domain, typically taken from the router's MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system ID portion is 000c.000a.4321 and the last byte is always 0. Figure 47.
Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions. If a local router does not participate in certain MTs, it does not advertise those MT IDs in its IS-IS hellos (IIHs) and so does not include that neighbor within its LSPs. If an MT ID is not detected in the remote side’s IIHs, the local router does not include that neighbor within its LSPs.
• MT Intermediate Systems TLV (type 222) — appears for every topology a node supports. It is the extended IS reachability TLV (type 22) with an MT ID added. • MT Reachable IPv4 Prefixes TLV (type 235) — appears for each IPv4 prefix an IS announces for a given MT ID. Its structure is aligned with the extended IP reachability TLV (type 135) and adds an MT ID. • MT Reachable IPv6 Prefixes TLV (type 237) — appears for each IPv6 prefix an IS announces for a given MT ID. Its structure is aligned with the IPv6 reachability TLV (type 236) and adds an MT ID.
• Configuring IS-IS Graceful Restart • Changing LSP Attributes • Configuring the IS-IS Metric Style • Configuring IS-IS Cost • Changing the IS-Type • Controlling Routing Updates • Configuring Authentication Passwords • Setting the Overload Bit • Debugging IS-IS Enabling IS-IS By default, IS-IS is not enabled. The system supports one instance of IS-IS. To enable IS-IS globally, create an IS-IS routing process and assign a NET address.
The IP address must be on the same subnet as the other IS-IS neighbors, but it does not need to relate to the NET address.
5 Enter an IPv6 address.
INTERFACE mode
ipv6 address ipv6-address mask
• ipv6-address: x:x:x:x::x
• mask: the prefix length, from 0 to 128.
The IPv6 address must be on the same subnet as the other IS-IS neighbors, but it does not need to relate to the NET address.
6 Enable IS-IS on the IPv4 interface.
IS-IS: Level-1 DR Elections : 2
IS-IS: Level-2 DR Elections : 2
IS-IS: Level-1 SPF Calculations : 29
IS-IS: Level-2 SPF Calculations : 29
IS-IS: LSP checksum errors received : 0
IS-IS: LSP authentication failures : 0
Dell#
You can assign more NET addresses, but the system ID portion of every NET address must remain the same. Dell Networking OS supports up to six area addresses. Some address considerations are:
• In order to be neighbors, configure Level 1 routers with at least one common area address.
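The NET layout from the address figure earlier in this chapter (area address with the AFI first, 6-byte system ID, N-selector 00) and the rules just stated (the system ID must be identical across all NETs on a router, at most six area addresses, and Level 1 neighbors need at least one common area address), as an added Python example. This is not Dell Networking OS code; the NET strings it checks are constructed from the figure's values.

```python
"""Parse IS-IS NETs and apply the multi-NET rules described in the text.

Added example, not Dell Networking OS code. Layout (from the figure):
area address (AFI byte first) . system ID (6 bytes) . N-selector (1 byte, 00).
"""
import re

# dotted hex: one 2-digit AFI group, one or more 4-digit groups, a 2-digit NSEL
NET_RE = re.compile(r"[0-9A-Fa-f]{2}(\.[0-9A-Fa-f]{4})+\.[0-9A-Fa-f]{2}")
MAX_AREAS = 6          # Dell Networking OS supports up to six area addresses


def parse_net(net: str) -> dict:
    """Split a dotted-hex NET into AFI, area address, system ID and NSEL.

    The rightmost seven bytes are always system ID (6) + NSEL (1);
    everything before them is the area address, AFI first.
    """
    if not NET_RE.fullmatch(net):
        raise ValueError(f"malformed NET: {net!r}")
    raw = bytes.fromhex(net.replace(".", ""))
    if len(raw) < 8:                       # at least 1 area byte + 6 + 1
        raise ValueError(f"NET too short: {len(raw)} bytes")
    if len(raw) > 20:                      # NSAP addresses are at most 20 bytes
        raise ValueError(f"NET too long: {len(raw)} bytes")
    area, system_id, nsel = raw[:-7], raw[-7:-1], raw[-1]
    if nsel != 0:
        raise ValueError(f"N-selector must be 00, got {nsel:02x}")
    return {"afi": area[0], "area": area.hex(),
            "system_id": system_id.hex(), "nsel": nsel}


def check_router_nets(nets: list) -> str:
    """Validate one router's NET set: one system ID, at most six areas."""
    parsed = [parse_net(n) for n in nets]
    if not parsed:
        return "no NET configured"
    if len({p["system_id"] for p in parsed}) != 1:
        return "system ID differs between NETs"
    if len({p["area"] for p in parsed}) > MAX_AREAS:
        return f"more than {MAX_AREAS} area addresses"
    return "ok"


def level1_neighbors_possible(nets_a: list, nets_b: list) -> bool:
    """Level 1 routers can be neighbors only if they share an area address."""
    areas_a = {parse_net(n)["area"] for n in nets_a}
    areas_b = {parse_net(n)["area"] for n in nets_b}
    return bool(areas_a & areas_b)


if __name__ == "__main__":
    # constructed NET taken from the figure's example values
    print(parse_net("47.0005.0001.000c.000a.4321.00"))
    print(check_router_nets(["47.0005.0001.000c.000a.4321.00",
                             "49.0002.000c.000a.4321.00"]))
```

A NET that fails parse_net is exactly the kind of value the router would reject at configuration time; running the check before pushing a configuration avoids an adjacency that silently never forms because two routers ended up with different system IDs or disjoint areas.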
• graceful-restart ietf
Configure the time during which a further graceful restart attempt is prevented.
ROUTER-ISIS mode
graceful-restart interval minutes
• The range is from 1 to 120 minutes. The default is 5 minutes.
Set the maximum time to wait for a restarting peer to come back up.
ROUTER-ISIS mode
graceful-restart restart-wait seconds
When you use this command, set the t3 timer to adjacency on the restarting router. The range is from 1 to 120 seconds.
Graceful Restart            : Enabled
Interval/Blackout time      : 1 min
T3 Timer                    : Manual
T3 Timeout Value            : 30
T2 Timeout Value            : 30 (level-1), 30 (level-2)
T1 Timeout Value            : 5, retry count: 1
Adjacency wait time         : 30
Operational Timer Value
======================
Current Mode/State          : Normal/RUNNING
T3 Time left                : 0
T2 Time left                : 0 (level-1), 0 (level-2)
Restart ACK rcv count       : 0 (level-1), 0 (level-2)
Restart Req rcv count       : 0 (level-1), 0 (level-2)
Suppress Adj rcv count      : 0 (level-1), 0 (level-2)
Restart CSNP rcv count      : 0 (leve
Database Sync count         :
• seconds: the range is from 0 to 120. The default is 5 seconds.
• The default level is Level 1.
Set the LSP size.
ROUTER ISIS mode
lsp-mtu size
• size: the range is from 128 to 9195. The default is 1497.
Set the LSP refresh interval.
ROUTER ISIS mode
lsp-refresh-interval seconds
• seconds: the range is from 1 to 65535. The default is 900 seconds.
Set the maximum LSP lifetime.
ROUTER ISIS mode
max-lsp-lifetime seconds
• seconds: the range is from 1 to 65535.
Keep the refresh interval shorter than the maximum LSP lifetime; otherwise this router's LSPs age out of its neighbors' databases before it refreshes them.
Table 27. Metric Styles
Metric Style        Characteristics                                                              Cost Range Supported on IS-IS Interfaces
narrow              Sends and accepts narrow (old) TLVs (Type, Length, Value).                   0 to 63
wide                Sends and accepts wide (new) TLVs.                                           0 to 16777215
transition          Sends both wide (new) and narrow (old) TLVs.                                 0 to 63
narrow transition   Sends narrow (old) TLVs and accepts both narrow (old) and wide (new) TLVs.   0 to 63
wide transition     Sends wide (new) TLVs and accepts both narrow (old) and wide (new) TLVs.     0 to 16777215
• default-metric: the range is from 0 to 63 if the metric style is narrow, narrow transition, or transition. The range is from 0 to 16777215 if the metric style is wide or wide transition.
Assign a metric for an IPv6 link or interface.
INTERFACE mode
isis ipv6 metric default-metric [level-1 | level-2]
• default-metric: the range is from 0 to 63 for the narrow and transition metric styles, and from 0 to 16777215 for the wide metric styles. The default is 10.
• The default level is level-1.
Example of the show isis database Command to View Level 1-2 Link State Databases
To view which IS-type is configured, use the show isis protocol command in EXEC Privilege mode. The show config command in ROUTER ISIS mode displays only non-default information, so if you do not change the IS-type, the default value (level-1-2) is not displayed. The default is a Level 1-2 router. When the IS-type is Level 1-2, the software maintains two link state databases, one for each level.
Enter the type of interface and the interface information:
• For a 1-Gigabit Ethernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For a port channel interface, enter the keywords port-channel then a number.
• static: for user-configured routes.
• bgp: for BGP routes only.
Deny RTM download for pre-existing redistributed IPv6 routes.
ROUTER ISIS-AF IPV6 mode
distribute-list redistributed-override in
Redistributing IPv4 Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the IS-IS process. With the redistribute command, you can include BGP, OSPF, RIP, static, or directly connected routes in the IS-IS process.
redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• metric-type: choose either external or internal. The default is internal.
• map-name: enter the name of a configured route map.
Setting the Overload Bit
One use for the overload bit is to prevent other routers from using this router as an intermediate hop in their shortest path first (SPF) calculations. The system also sets it on its own: for example, if the IS-IS link state database runs out of memory and cannot accept new LSPs, Dell Networking OS sets the overload bit, and IS-IS traffic continues to transit the system. To set or remove the overload bit manually, use the following commands.
• Set the overload bit in LSPs.
To view specific information, enter the following optional parameter:
• interface: enter the type of interface and slot/port information to view IS-IS information on that interface only.
View IS-IS SNP packets, including CSNPs and PSNPs.
EXEC Privilege mode
debug isis snp-packets [interface]
To view specific information, enter the following optional parameter:
• interface: enter the type of interface and slot/port information to view IS-IS information on that interface only.
Metric Style        Correct Value Range for the isis metric Command
narrow              0 to 63
wide transition     0 to 16777215
narrow transition   0 to 63
transition          0 to 63
Maximum Values in the Routing Table
IS-IS metric styles support different cost ranges for the route. The cost range for the narrow metric style is 0 to 1023, while all other metric styles support a range of 0 to 0xFE000000.
Change the IS-IS Metric Style in One Level Only
By default, the IS-IS metric style is narrow.
Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
transition               wide transition      original value
narrow transition        wide                 original value
narrow transition        narrow               original value
narrow transition        wide transition      original value
narrow transition        transition           original value
wide transition          wide                 original value
wide transition          narrow               default value (10) if the original value is greater than 63; a message is sent to the console
Level-1 Metric Style   Level-2 Metric Style   Resulting Metric Value
wide                   narrow                 truncated value
wide                   narrow transition      truncated value
wide                   wide transition        original value
wide                   transition             truncated value
narrow transition      wide                   original value
narrow transition      narrow                 original value
narrow transition      wide transition        original value
narrow transition      transition             original value
transition             wide                   original value
transition             narrow                 original value
transition             wide transition        original value
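The per-style ranges from the tables above, the rule for a metric that no longer fits after a metric-style change (the original value is kept when it fits, otherwise the metric falls back to the default of 10 and a console message is logged), and the maximum route cost per style, as an added Python example. This is not Dell Networking OS code; the interface metrics it processes are constructed. The cross-level "truncated value" case in the last table is not modelled, because the page does not define how the value is truncated.

```python
"""IS-IS metric-style handling modelled on the tables above (added example,
not Dell Networking OS code)."""

NARROW_MAX = 63                     # narrow, narrow transition, transition
WIDE_MAX = 16777215                 # wide, wide transition (24-bit metric)
DEFAULT_METRIC = 10                 # value an out-of-range metric falls back to
NARROW_ROUTE_COST_MAX = 1023        # maximum route cost with the narrow style
WIDE_ROUTE_COST_MAX = 0xFE000000    # maximum route cost with every other style

STYLE_MAX = {
    "narrow": NARROW_MAX,
    "narrow-transition": NARROW_MAX,
    "transition": NARROW_MAX,
    "wide": WIDE_MAX,
    "wide-transition": WIDE_MAX,
}


def metric_ok(style: str, metric: int) -> bool:
    """True if the isis metric command would accept this value under the style."""
    return 0 <= metric <= STYLE_MAX[style]


def restyle(metric: int, old_style: str, new_style: str):
    """Return (new metric, console message or None) after a metric-style change."""
    if not metric_ok(old_style, metric):
        raise ValueError(f"{metric} was never valid for {old_style}")
    if metric_ok(new_style, metric):
        return metric, None
    return DEFAULT_METRIC, (f"metric {metric} exceeds the {new_style} range; "
                            f"reset to default {DEFAULT_METRIC}")


def restyle_interfaces(metrics: dict, old_style: str, new_style: str):
    """Apply restyle() to {interface: metric}; return (new metrics, messages)."""
    out, messages = {}, []
    for ifname, metric in metrics.items():
        out[ifname], msg = restyle(metric, old_style, new_style)
        if msg:
            messages.append(f"{ifname}: {msg}")
    return out, messages


def path_cost(style: str, link_metrics: list) -> int:
    """Sum link metrics along a path, capped at the style's maximum route cost."""
    cap = NARROW_ROUTE_COST_MAX if style == "narrow" else WIDE_ROUTE_COST_MAX
    return min(sum(link_metrics), cap)


if __name__ == "__main__":
    # constructed interface metrics: one fits the narrow range, one does not
    print(restyle_interfaces({"gi1/1": 50, "gi1/2": 5000}, "wide-transition", "narrow"))
    print(path_cost("narrow", [63] * 20), path_cost("wide", [63] * 20))
```

Running restyle_interfaces over the configured metrics before changing the style shows which interfaces will silently drop to the default and therefore change path selection; path_cost shows why a narrow-style domain with many hops saturates at 1023 and stops distinguishing between paths.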
Figure 48. IPv6 IS-IS Sample Topology
IS-IS Sample Configuration — Congruent Topology
IS-IS Sample Configuration — Multi-topology
IS-IS Sample Configuration — Multi-topology Transition
The following is a sample configuration for enabling IPv6 IS-IS.
Dell(conf-if-gi-3/17)#show config
!
interface GigabitEthernet 3/17
 ip address 24.3.1.
 exit-address-family
Dell(conf-router_isis)#
Dell(conf-if-gi-3/17)#show config
!
interface GigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
Dell(conf-if-gi-3/17)#
Dell(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
24 Link Aggregation Control Protocol (LACP)
A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
Introduction to Dynamic LAGs and LACP
LACP Modes Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
LACP Configuration Tasks
The following configuration tasks apply to LACP.
• Creating a LAG
• Configuring the LAG Interfaces as Dynamic
• Setting the LACP Long Timeout
• Monitoring and Debugging LACP
• Configuring Shared LAG State Tracking
Creating a LAG
To create a dynamic port channel (LAG), use the following commands. First define the LAG, then the LAG interfaces.
• Create a dynamic port channel (LAG).
CONFIGURATION mode
interface port-channel
• Create a dynamic port channel (LAG).
Dell(conf-if-gi-4/15-lacp)#port-channel 32 mode active
...
Dell(conf)#interface Gigabitethernet 4/16
Dell(conf-if-gi-4/16)#no shutdown
Dell(conf-if-gi-4/16)#port-channel-protocol lacp
Dell(conf-if-gi-4/16-lacp)#port-channel 32 mode active
The port-channel 32 mode active command shown here succeeds only if LAG 32 has no existing static channel-member configuration.
Setting the LACP Long Timeout
LACP PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions.
Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2. Traffic is equally distributed between LAGs 1 and 2.
To view the failover group configuration, use the show running-config po-failover-group command.
Dell#show running-config po-failover-group
!
port-channel failover-group
 group 1 port-channel 1 port-channel 2
As shown in the following illustration, LAGs 1 and 2 are members of a failover group. When LAG 1 fails, LAG 2 is brought down after the failure. Message 1 logs this effect: a console message declares both LAGs down at the same time.
Figure 50.
• If a LAG that is part of a failover group is deleted, the failover group is deleted.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state.
LACP Basic Configuration Example
The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names.
Figure 51. LACP Basic Configuration Example
Configure a LAG on ALPHA
The following example creates a LAG on ALPHA.
     0 Vlans
     0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     132 Multicasts, 0 Broadcasts
     0 runts, 0 giants, 0 throttles
     0 CRC, 0 overrun, 0 discarded
Output Statistics:
     136 packets, 16718 bytes, 0 underruns
     0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts
     0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
     136 Multicasts, 0 Broadcasts, 0 Unicasts
     0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops
Ra
Figure 52.
Figure 53.
Figure 54.
Summary of the LAG Configuration on Bravo
Bravo(conf-if-gi-3/21)#int port-channel 10
Bravo(conf-if-po-10)#no ip add
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int gig 3/21
Bravo(conf-if-gi-3/21)#no ip address
Bravo(conf-if-gi-3/21)#no switchport
Bravo(conf-if-gi-3/21)#shutdown
Bravo(conf-if-gi-3/21)#port-channel-protocol lacp
Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active
Bravo(con
Figure 55.
Figure 56.
Figure 57. Inspecting the LAG Status Using the show lacp command
The point-to-point protocol (PPP) is a connection-oriented protocol that provides Layer 2 links over a variety of physical layer connections. It is supported on both synchronous and asynchronous lines and can operate in half-duplex or full-duplex mode. It was designed to carry IP traffic but is general enough to carry any type of network layer datagram over a PPP connection.
25 Layer 2
This chapter describes the Layer 2 features supported on the device.
Manage the MAC Address Table
You can perform the following management tasks on the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You can clear the MAC address table of dynamic entries. To clear the MAC address table, use the following command.
Configuring a Static MAC Address
A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command.
• Create a static MAC address entry in the MAC address table.
CONFIGURATION mode
mac-address-table static
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
NOTE: The CAM-check failure message beginning in Dell Networking OS version 8.3.1.0 differs from the message in versions 8.2.1.1 and earlier, which read:
% Error: ACL returned error
% Error: Remove existing limit configuration if it was configured before
Setting the MAC Learning Limit
To set a MAC learning limit on an interface, use the following command.
• Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface. For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface.
To configure the action the system takes when it detects a station move on an interface with a MAC learning limit, use the following commands.
• Generate a system log message indicating a station move.
INTERFACE mode
station-move-violation log
• Shut down the first port to learn the MAC address.
INTERFACE mode
station-move-violation shutdown-original
• Shut down the second port to learn the MAC address.
mac-address-table disable-learning lacp
• Disable source MAC address learning from LLDP BPDUs.
CONFIGURATION mode
mac-address-table disable-learning lldp
• Disable source MAC address learning from LACP and LLDP BPDUs.
CONFIGURATION mode
mac-address-table disable-learning
If you do not specify an option, the mac-address-table disable-learning command disables source MAC address learning from both LACP and LLDP BPDUs.
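The MAC learning limit, the station-move behaviour and violation actions, and the suppression of learning from LACP and LLDP BPDUs described above, as one added Python model of the MAC table. This is not Dell Networking OS code: the frames it processes are constructed, and the "shutdown-offending" keyword for the action on the second port is an assumption, since the page's wording for that action is cut off. The policy modelled is the one the text describes; whether a move is a violation on a port without station-move is the example's own reading.

```python
"""Switch MAC table with learning limits, station moves and control-frame
learning suppression (added example, not Dell Networking OS code).

Policy modelled:
  - a port with a learning limit refuses new addresses once it is reached
  - a known MAC arriving on another port is a station move: accepted on a
    port with station-move enabled, otherwise a violation that triggers the
    port's configured action
  - source MACs of LACP and LLDP frames are never learned; the frames are
    recognised by their standard destination group addresses
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LACP_DST = "01:80:c2:00:00:02"   # Slow Protocols group address (LACP)
LLDP_DST = "01:80:c2:00:00:0e"   # Nearest Bridge group address (LLDP)
BCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Port:
    name: str
    learning_limit: Optional[int] = None   # None: no mac learning-limit configured
    station_move: bool = False             # mac learning-limit station-move
    violation_action: str = "log"          # log | shutdown-original | shutdown-offending (assumed keyword)
    shutdown: bool = False


class MacTable:
    def __init__(self, ports: List[Port], disable_learning=("lacp", "lldp")):
        self.ports: Dict[str, Port] = {p.name: p for p in ports}
        self.entries: Dict[str, str] = {}   # source MAC -> port name
        self.log: List[str] = []
        self.no_learn_dst = set()
        if "lacp" in disable_learning:
            self.no_learn_dst.add(LACP_DST)
        if "lldp" in disable_learning:
            self.no_learn_dst.add(LLDP_DST)

    def learned_on(self, port_name: str) -> int:
        return sum(1 for p in self.entries.values() if p == port_name)

    def _violation(self, mac: str, old_port: str, new_port: str) -> None:
        action = self.ports[new_port].violation_action
        self.log.append(f"station move violation: {mac} {old_port} -> {new_port} ({action})")
        if action == "shutdown-original":
            self.ports[old_port].shutdown = True
        elif action == "shutdown-offending":
            self.ports[new_port].shutdown = True

    def ingress(self, port_name: str, src: str, dst: str) -> str:
        """Process one frame's addresses; return what the table did with it."""
        port = self.ports[port_name]
        if port.shutdown:
            return "dropped"
        if dst in self.no_learn_dst:
            return "not-learned"                 # control frame: never learn its source
        old = self.entries.get(src)
        if old == port_name:
            return "refreshed"
        if old is not None and not port.station_move:
            self._violation(src, old, port_name)
            return "violation"
        if port.learning_limit is not None and self.learned_on(port_name) >= port.learning_limit:
            self.log.append(f"{port_name}: learning limit {port.learning_limit} reached, {src} not learned")
            return "limit-exceeded"
        self.entries[src] = port_name            # on a move this replaces the original port
        return "moved" if old is not None else "learned"


def demo() -> MacTable:
    """Constructed traffic: a limit hit, an LLDP frame, a permitted move, a violation."""
    t = MacTable([Port("gi1/1", learning_limit=2),
                  Port("gi1/2", learning_limit=2, station_move=True),
                  Port("gi1/3", violation_action="shutdown-original")])
    t.ingress("gi1/1", "00:00:00:00:00:01", BCAST)
    t.ingress("gi1/1", "00:00:00:00:00:02", BCAST)
    t.ingress("gi1/1", "00:00:00:00:00:03", BCAST)       # limit-exceeded
    t.ingress("gi1/1", "00:00:00:00:00:04", LLDP_DST)    # not-learned
    t.ingress("gi1/2", "00:00:00:00:00:01", BCAST)       # moved
    t.ingress("gi1/3", "00:00:00:00:00:02", BCAST)       # violation, gi1/1 shut
    return t


if __name__ == "__main__":
    print(demo().log)
```

The learning limit is what bounds a MAC-flooding attempt to the table capacity one port is allowed to consume; the station-move action is the knob that decides whether a spoofed source address seen on a second port merely logs or takes the original port down, which is itself a denial-of-service lever an attacker can pull, so the shutdown variants belong on ports where a genuine move is not expected.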
Figure 59. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 60. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
• Neither the active nor the backup interface may be a member of a LAG.
• The active and standby interfaces do not have to be of the same type (1G, 10G, and so on).
• Do not enable any Layer 2 protocol on either interface of a redundant pair or on the ports connected to them.
As shown in the above illustration, interface 3/42 is the backup interface for 3/41, so 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active.
Dell(conf-if-po-1)#switchport backup interface gigabitethernet 1/2
Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Gi 1/2
Dell(conf-if-po-1)#
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis.
3 When the local interface receives the echoed packet from the remote end, the local interface transitions to the Bi-directional state.
4 If the FEFD-enabled system is configured to use FEFD in Normal mode and neighboring echoes are not received after three intervals (you can set each interval between 3 and 300 seconds), the state changes to Unknown.
 no shutdown
3 Enable FEFD globally.
CONFIGURATION mode
fefd-global {interval | mode}
Example of the show fefd Command
To display information about the state of each interface, use the show fefd command in EXEC Privilege mode.
Dell#show fefd
FEFD is globally 'ON', interval is 3 seconds, mode is 'Normal'.
Example of Viewing FEFD Configuration
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 no ip address
 switchport
 fefd mode normal
 no shutdown
Dell(conf-if-gi-1/1)#do show fefd | grep 1/1
Gi 1/1    Normal    3    Unknown
Debugging FEFD
To debug FEFD, use the first command. To provide output for each packet transmission over the FEFD-enabled connection, use the second command.
• Display output whenever events occur that initiate or disrupt an FEFD-enabled connection.
with its peer
26 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 32. Type, Length, Value (TLV) Types
Type   TLV             Description
0      End of LLDPDU   Marks the end of an LLDPDU.
1      Chassis ID      An administratively assigned name that identifies the LLDP agent.
2      Port ID         An administratively assigned name that identifies a port through which TLVs are sent and received.
3      Time to Live    The number of seconds for which the receiving agent retains the information in this LLDPDU before discarding it.
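A builder and a bounds-checked parser for the LLDPDU layout behind Table 32 (a 7-bit type and 9-bit length header in front of each value; Chassis ID, Port ID and Time to Live first, End of LLDPDU last), extended with the IEEE 802.1AB organizationally specific TLV format (type 127 carrying a 3-byte OUI and a 1-byte subtype), as an added Python example. It is not Dell Networking OS code; the sample LLDPDU is constructed, not captured, and the TTL of 120 seconds assumes the 30-second default interval multiplied by the 802.1AB default hold multiplier of 4.

```python
"""Build and parse LLDPDUs with the mandatory TLV ordering from Table 32.

Added example, not Dell Networking OS code. TLV header: 7-bit type,
9-bit length, then the value. Organizationally specific TLVs (type 127)
carry a 3-byte OUI and a 1-byte subtype before their payload.
"""
import struct

END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME, ORG_SPECIFIC = 0, 1, 2, 3, 5, 127
IEEE_8021_OUI = bytes.fromhex("0080c2")      # IEEE OUI 00-80-C2


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type must fit 7 bits and length 9 bits")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(pdu: bytes) -> list:
    """Return [(type, value), ...]; reject truncated, overlong or misordered PDUs."""
    tlvs, off = [], 0
    while True:
        if off + 2 > len(pdu):
            raise ValueError("truncated TLV header or missing End of LLDPDU")
        (hdr,) = struct.unpack_from("!H", pdu, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        if off + 2 + length > len(pdu):          # length field overruns the frame
            raise ValueError(f"TLV type {tlv_type} length {length} overruns PDU")
        tlvs.append((tlv_type, pdu[off + 2: off + 2 + length]))
        off += 2 + length
        if tlv_type == END:
            if length != 0:
                raise ValueError("End of LLDPDU must have zero length")
            break
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must be the first three TLVs")
    return tlvs


def ttl_seconds(tlvs: list) -> int:
    """Time to Live value; the receiver keeps the neighbor entry this long."""
    for tlv_type, value in tlvs:
        if tlv_type == TTL:
            if len(value) != 2:
                raise ValueError("TTL TLV must be 2 bytes")
            return struct.unpack("!H", value)[0]
    raise ValueError("no TTL TLV")


def org_specific(value: bytes) -> tuple:
    """Split a type-127 value into (OUI hex, subtype, payload)."""
    if len(value) < 4:
        raise ValueError("organizationally specific TLV needs OUI + subtype")
    return value[:3].hex(), value[3], value[4:]


# Constructed sample: MAC chassis ID (subtype 4), interface-name port ID
# (subtype 5), TTL 120 s (30 s interval x assumed hold multiplier 4), system
# name, an IEEE 802.1 Port VLAN ID TLV (subtype 1, VLAN 100), then End.
SAMPLE_LLDPDU = (
    build_tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("000c000a4321"))
    + build_tlv(PORT_ID, b"\x05" + b"GigabitEthernet 1/3")
    + build_tlv(TTL, struct.pack("!H", 120))
    + build_tlv(SYSTEM_NAME, b"R1")
    + build_tlv(ORG_SPECIFIC, IEEE_8021_OUI + b"\x01" + struct.pack("!H", 100))
    + build_tlv(END, b"")
)

if __name__ == "__main__":
    for tlv_type, value in parse_lldpdu(SAMPLE_LLDPDU):
        print(tlv_type, value.hex())
```

The overrun check is the one that matters on a receiver: the 9-bit length field is attacker-controlled, and an implementation that trusts it reads past the frame. Everything after the three mandatory TLVs is optional, which is why the advertise commands later in this chapter can switch individual TLVs off without breaking neighbor discovery.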
Figure 64. Organizationally Specific TLV
IEEE Organizationally Specific TLVs
Eight TLV types have been defined by the IEEE 802.1 and 802.3 working groups as a basic part of LLDP; the IEEE OUI is 00-80-C2. You can configure the Dell Networking system to advertise any or all of these TLVs.
Table 33. Optional TLV Types
Type   TLV                Description
4      Port description   A user-defined alphanumeric string that describes the port. Dell Networking OS does not currently support this TLV.
Type   TLV                Description
                          configurable) in the LLDP-MED implementation.
127    Power via MDI      Dell Networking supports the LLDP-MED protocol, which recommends that the Power via MDI TLV not be implemented; therefore Dell Networking implements the Extended Power via MDI TLV only.
127    Link Aggregation   Indicates whether the link is capable of being aggregated, whether it is currently in a LAG, and the port identification of the LAG. Dell Networking OS does not currently support this TLV.
Type   SubType   TLV                         Description
                                             • what LLDP-MED TLVs it supports
                                             • LLDP device class
127    2         Network Policy              Indicates the application type, VLAN ID, Layer 2 priority, and DSCP value.
127    3         Location Identification     Indicates the physical location of the device, expressed in one of three possible formats.
127    4         Inventory Management TLVs   Implementation of this set of TLVs is optional in LLDP-MED devices. Either none or all of the TLVs must be supported.
When you enable LLDP-MED in Dell Networking OS (using the advertise med command), the system begins transmitting this TLV.
Figure 65. LLDP-MED Capabilities TLV
Table 35. Dell Networking OS LLDP-MED Capabilities
Bit Position   TLV                          Dell Networking OS Support
0              LLDP-MED Capabilities        Yes
1              Network Policy               Yes
2              Location Identification      Yes
3              Extended Power via MDI-PSE   Yes
4              Extended Power via MDI-PD    No
5              Inventory                    No
6–15           reserved                     No
Table 36.
NOTE: As shown in the following table, signaling is a series of control packets that are exchanged between an endpoint device and a network connectivity device to establish and maintain a connection. These signal packets might require a different network policy than the media packets for which a connection is made. In this case, configure the signaling application. Table 37.
the max-milliwatts option with the power inline auto | static command. Dell Networking also honors the power value (power requirement) that the powered device sends when the port is configured for power inline auto.
Figure 67. Extended Power via MDI TLV
Configure LLDP
Configuring LLDP is a two-step process.
1 Enable LLDP globally.
2 Advertise TLVs out of an interface.
advertise      Advertise TLVs
disable        Disable LLDP protocol globally
end            Exit from configuration mode
exit           Exit from LLDP configuration mode
hello          LLDP hello configuration
mode           LLDP mode configuration (default = rx and tx)
multiplier     LLDP multiplier configuration
no             Negate a command or set its defaults
show           Show LLDP configuration
Dell(conf-lldp)#exit
Dell(conf)#interface gigabitethernet 1/3
Dell(conf-if-gi-1/3)#protocol lldp
Dell(conf-if-gi-1/3-lldp)#?
advertise      Advertise TLVs
disable        Disable LLDP protocol on
management-interface
3 Enable LLDP.
PROTOCOL LLDP mode
no disable
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following commands.
1 Enter PROTOCOL LLDP mode.
CONFIGURATION mode
protocol lldp
2 Enter LLDP management-interface mode.
PROTOCOL LLDP mode
management-interface
3 Enter the disable command.
LLDP-MANAGEMENT-INTERFACE mode
disable
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
• softphone-voice
• streaming-video
• video-conferencing
• video-signaling
• voice
• voice-signaling
In the following example, LLDP is enabled globally. R1 and R2 transmit periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs.
Figure 68. Configuring LLDP
Viewing the LLDP Configuration
To view the LLDP configuration, use the following command.
• Display the LLDP configuration.
 protocol lldp
Dell(conf-if-gi-1/31-lldp)#
Viewing Information Advertised by Adjacent LLDP Agents
To view brief information about adjacent devices, or all the information that neighbors are advertising, use the following commands.
• Display brief information about adjacent devices.
show lldp neighbors
• Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals
LLDPDUs are transmitted periodically; the default interval is 30 seconds. Everything you advertise (system description, management address, VLAN and capability TLVs) is readable by any device on the link, so on ports facing untrusted hosts consider limiting the advertised TLVs or running the interface in receive-only mode. To configure LLDPDU intervals, use the following command.
• Configure a non-default transmit interval.
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#mode ?
rx    Rx only
tx    Tx only
R1(conf-lldp)#mode tx
R1(conf-lldp)#show config
!
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 mode tx
 no disable
R1(conf-lldp)#no mode
R1(conf-lldp)#show config
!
proto
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Debugging LLDP
You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands.
• View a readable version of the TLVs.
debug lldp brief
• View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
debug lldp detail
To stop viewing the LLDP TLVs sent and received by the system, use the no debug lldp command.
Figure 69.
Table 38. LLDP Configuration MIB Objects
MIB Object Category   LLDP Variable   LLDP MIB Object               Description
LLDP Configuration    adminStatus     lldpPortConfigAdminStatus     Whether the local LLDP agent is enabled for transmit, receive, or both.
                      msgTxHold       lldpMessageTxHoldMultiplier   Multiplier value.
                      msgTxInterval   lldpMessageTxInterval         Transmit interval value.
                      rxInfoTTL       lldpRxInfoTTL                 Time to live for received TLVs.
                      txInfoTTL       lldpTxInfoTTL                 Time to live for transmitted TLVs.
TLV Type   TLV Name              TLV Variable                  System   LLDP MIB Object
4          Port Description      port description              Local    lldpLocPortDesc
                                                               Remote   lldpRemPortDesc
5          System Name           system name                   Local    lldpLocSysName
                                                               Remote   lldpRemSysName
6          System Description    system description            Local    lldpLocSysDesc
                                                               Remote   lldpRemSysDesc
7          System Capabilities   system capabilities supported Local    lldpLocSysCapSupported
                                                               Remote   lldpRemSysCapSupported
                                 system capabilities enabled   Local    lldpLocSysCapEnabled
                                                               Remote   lldpRemSysCapEnabled
8          Management Address    management address length     Local    lldpLocManAddrLen
                                                               Remote   lldpRemManAddrLen
                                 management address subtype    Local    lldpLocManAddrSubtype
                                                               Remote   lldpRemManAddrSubtype
                                 management address            Local    lldpLocManAddr
                                                               Remote   lldp
TLV Type   TLV Name    TLV Variable       System   LLDP MIB Object
                                          Remote   lldpXdot1RemProtoVlanId
127        VLAN Name   VID                Local    lldpXdot1LocVlanId
                                          Remote   lldpXdot1RemVlanId
                       VLAN name length   Local    lldpXdot1LocVlanName
                                          Remote   lldpXdot1RemVlanName
                       VLAN name          Local    lldpXdot1LocVlanName
                                          Remote   lldpXdot1RemVlanName
Table 41.
TLV Sub-Type   TLV Name                 TLV Variable           System   LLDP-MED MIB Object
                                        DSCP Value             Local    lldpXMedLocMediaPolicyDscp
                                                               Remote   lldpXMedRemMediaPolicyDscp
3              Location Identifier      Location Data Format   Local    lldpXMedLocLocationSubtype
                                                               Remote   lldpXMedRemLocationSubtype
                                        Location ID Data       Local    lldpXMedLocLocationInfo
                                                               Remote   lldpXMedRemLocationInfo
4              Extended Power via MDI   Power Device Type      Local    lldpXMedLocXPoEDeviceType
                                                               Remote   lldpXMedRemXPoEDeviceType
                                        Po                     Local    lldpXMedLocXPoEPSEPowerSource
27 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
Limitations of the NLB Feature
The following limitations apply to switches on which you configure NLB:
• NLB unicast mode uses switch flooding to deliver all cluster packets to every port in the VLAN, so every host in that VLAN receives the cluster's traffic; keep the NLB servers in a VLAN of their own. When a large volume of traffic is processed, clustering performance might be slightly affected. This limitation applies to switches that perform unicast flooding in software.
• The ip vlan-flooding command applies globally across the system and to all VLANs.
Some ARP table entries are resolved from ARP packets whose Ethernet source MAC address differs from the sender MAC address carried inside the ARP payload. Unicast data traffic is flooded only for packets that use those ARP entries.
28 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 71.
active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP. Receivers join toward the new RP and connectivity is maintained. Implementation Information The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process.
Figure 72.
Figure 73.
Figure 74.
Figure 75. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1 Enable MSDP.
CONFIGURATION mode
ip multicast-msdp
2 Peer PIM systems in different administrative domains.
CONFIGURATION mode
ip msdp peer connect-source
Examples of Configuring and Viewing MSDP
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Peer Addr   Description   Local Addr   State   Source   SA   Up/Down
To view details about a peer, use the show ip msdp peer command in EXEC Privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group. CONFIGURATION mode clear ip msdp sa-cache [group-address | local | rejected-sa] Enabling the Rejected Source-Active Cache To cache rejected sources, use the following command.
Figure 76.
Figure 77.
Figure 78. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
229.0.50.3   24.0.50.3   200.0.0.50   10.0.50.2   73   00:13:49
229.0.50.4   24.0.50.4   200.0.0.50   10.0.50.2   73   00:13:49
Dell#show ip msdp sa-cache rejected-sa
MSDP Rejected SA Cache
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr   RPAddr       LearnedFrom
00:33:18   229.0.50.64   24.0.50.64   200.0.1.50   10.0.50.2
00:33:18   229.0.50.65   24.0.50.65   200.0.1.50   10.0.50.2
00:33:18   229.0.50.66   24.0.50.66   200.0.1.50   10.0.50.
UpTime     GroupAddr   SourceAddr   RPAddr        LearnedFrom   Reason
00:02:20   239.0.0.1   10.11.4.2    192.168.0.1   local         Redistribute
Preventing MSDP from Caching a Remote Source
To prevent MSDP from caching a remote source, use the following commands.
1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
CONFIGURATION mode
ip msdp cache-rejected-sa
2 Prevent the system from caching remote sources learned from a specific peer based on source and group.
ip msdp peer 192.168.0.3 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.3 list mylocalfilter
R1(conf)#do show run acl
!
ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.2
 seq 10 deny ip any any
R1(conf)#do show ip msdp sa-cache
MSDP Source-Active Cache - 1 entries
GroupAddr   SourceAddr   RPAddr   LearnedFrom   Expire
239.0.0.1   10.11.4.2    192.168.0.
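How an extended ACL applied as an SA filter sorts source-active entries into the cache and the rejected-SA cache, as an added Python example; it is not Dell Networking OS code. Following the mylocalfilter example above, the first address of each entry is read as the multicast group and the second as the source (that mapping is taken from the example, not from a specification); entries are evaluated in sequence order, the first match wins, and an ACL with no matching entry denies, which is standard ACL behaviour assumed here. The SA entries and the second ACL (which adds a permit so that something passes) are constructed.

```python
"""Evaluate an extended ACL as an MSDP SA filter (added example, not Dell
Networking OS code). Entry form: seq N permit|deny ip <group> <source>,
where each address is 'host A.B.C.D', 'A.B.C.D/len' or 'any'."""
import ipaddress


def _match_spec(tokens: list, i: int):
    """Parse one address spec at tokens[i]; return (network or None for any, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def parse_acl(text: str) -> list:
    """Parse 'seq N permit|deny ip <group-spec> <source-spec>' lines, sorted by seq."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "seq":
            continue                                   # header or blank line
        seq, action, proto = int(tok[1]), tok[2], tok[3]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACL entry: {line.strip()}")
        group, i = _match_spec(tok, 4)
        source, i = _match_spec(tok, i)
        entries.append((seq, action, group, source))
    return sorted(entries, key=lambda e: e[0])


def sa_permitted(acl: list, group: str, source: str) -> bool:
    g, s = ipaddress.ip_address(group), ipaddress.ip_address(source)
    for _seq, action, gnet, snet in acl:               # first match wins
        if (gnet is None or g in gnet) and (snet is None or s in snet):
            return action == "permit"
    return False                                       # implicit deny (assumed)


def apply_sa_filter(acl: list, sas: list, cache_rejected: bool = False):
    """Split (group, source, rp) entries into the SA cache and the rejected-SA cache.

    The rejected list is only kept when cache_rejected is set, mirroring
    'ip msdp cache-rejected-sa'."""
    accepted, rejected = [], []
    for group, source, rp in sas:
        target = accepted if sa_permitted(acl, group, source) else rejected
        target.append((group, source, rp))
    return accepted, (rejected if cache_rejected else [])


# The ACL shown in the example above.
PAGE_ACL = """ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.2
 seq 10 deny ip any any
"""

# Constructed variant: same deny, then permit the rest of 239.0.0.0/8.
SAMPLE_ACL = """ip access-list extended mylocalfilter
 seq 5 deny ip host 239.0.0.1 host 10.11.4.2
 seq 10 permit ip 239.0.0.0/8 any
"""

# Constructed SA entries: (group, source, originating RP).
SAMPLE_SAS = [
    ("239.0.0.1", "10.11.4.2", "192.168.0.1"),
    ("239.0.0.5", "10.11.4.3", "192.168.0.1"),
    ("224.0.1.40", "10.0.0.1", "192.168.0.3"),
]

if __name__ == "__main__":
    print(apply_sa_filter(parse_acl(SAMPLE_ACL), SAMPLE_SAS, cache_rejected=True))
```

With the page's own ACL every entry is denied, which is the right shape for an outbound filter that should leak nothing about local sources to an external peer; the rejected-SA cache is what lets you confirm that, rather than wondering whether the peer simply never advertised anything.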
SAs learned from this peer: 0
SA Filtering:
Clearing Peer Statistics
To clear the peer statistics, use the following command.
• Reset the TCP connection to the peer and clear all peer statistics.
CONFIGURATION mode
clear ip msdp peer peer-address
Example of the clear ip msdp peer Command and Verifying Statistics are Cleared
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
Local Addr: 192.168.0.
• traffic concentration: PIM-SM allows only one active group-to-RP mapping, which means that all traffic for the group must, at least initially, travel over the same part of the network. You can load balance source registration between multiple RPs by strategically mapping groups to RPs, but this technique is less effective as traffic increases because preemptive load balancing requires prior knowledge of traffic distributions.
  CONFIGURATION mode
  interface loopback
2 Make this address the RP for the group.
  CONFIGURATION mode
  ip pim rp-address
3 In each routing domain that has multiple RPs serving a group, create another Loopback interface on each RP serving the group with a unique IP address.
  CONFIGURATION mode
  interface loopback
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source.
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.11/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 10.11.3.0/24 area 0
 network 192.168.0.11/32 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.
 neighbor 192.168.0.3 ebgp-multihop 255
 neighbor 192.168.0.3 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 1
ip msdp peer 192.168.0.11 connect-source Loopback 1
ip msdp mesh-group AS100 192.168.0.11
ip msdp originator-id Loopback 1
!
ip route 192.168.0.3/32 10.11.0.32
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4

The following example shows an R3 configuration for MSDP with Anycast RP.
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.11.2.1/24
 no shutdown
!
interface GigabitEthernet 1/21
 ip pim sparse-mode
 ip address 10.11.1.12/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
router ospf 1
 network 10.11.2.0/24 area 0
 network 10.11.1.0/24 area 0
 network 192.168.0.1/32 area 0
 network 10.11.3.0/24 area 0
!
ip multicast-msdp
ip msdp peer 192.168.0.3 connect-source Loopback 0
!
ip pim rp-address 192.168.0.1 group-address 224.0.0.
MSDP Sample Configuration: R3 Running-Config

ip multicast-routing
!
interface GigabitEthernet 3/21
 ip pim sparse-mode
 ip address 10.11.0.32/24
 no shutdown
!
interface GigabitEthernet 3/41
 ip pim sparse-mode
 ip address 10.11.6.34/24
 no shutdown
!
interface ManagementEthernet 1/1
 ip address 10.11.80.3/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.3/32
 no shutdown
!
router ospf 1
 network 10.11.6.0/24 area 0
 network 192.168.0.
29 Multiple Spanning Tree Protocol (MSTP)

Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.

Protocol Overview

MSTP — specified in IEEE 802.
• Adding and Removing Interfaces
• Creating Multiple Spanning Tree Instances
• Influencing MSTP Root Selection
• Interoperate with Non-Dell Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations

Spanning Tree Variations

The Dell Networking OS supports four variations of spanning tree
• Adding and Removing Interfaces
• Influencing MSTP Root Selection
• Interoperate with Non-Dell Networking OS Bridges
• Changing the Region Name or Revision
• Modifying Global Parameters
• Modifying the Interface Parameters
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• Debugging and Verifying MSTP Configurations
• Prevent Network Disruptions with BPDU Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
• Create an MSTI.
  PROTOCOL MSTP mode
  msti
  Specify the keyword vlan then the VLANs that you want to participate in the MSTI.

Examples of Configuring and Viewing MSTI
The following example shows the msti command.
Dell(conf)#protocol spanning-tree mstp
Dell(conf-mstp)#msti 1 vlan 100
Dell(conf-mstp)#msti 2 vlan 200-300
Dell(conf-mstp)#show config
!
protocol spanning-tree mstp
 no disable
 MSTI 1 VLAN 100
 MSTI 2 VLAN 200-300
All bridges in the MSTP region must have the same VLAN-to-instance mapping.
Influencing MSTP Root Selection

MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command.
• Assign a number as the bridge priority.
  PROTOCOL MSTP mode
  msti instance bridge-priority priority
  A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
  PROTOCOL MSTP mode
  revision number

Example of the name Command
To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
4 Change the max-hops parameter.
  PROTOCOL MSTP mode
  max-hops number
  The range is from 1 to 40. The default is 20.

Example of the forward-delay Parameter
To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
To change the port cost or priority of an interface, use the following commands.
1 Change the port cost of an interface.
  INTERFACE mode
  spanning-tree msti number cost cost
  The range is from 0 to 200000. For the default, refer to the default values shown in the table.
2 Change the port priority of an interface.
  INTERFACE mode
  spanning-tree msti number priority priority
  The range is from 0 to 240, in increments of 16. The default is 128.
 no ip address
 switchport
 spanning-tree mstp edge-port
 spanning-tree MSTI 1 priority 144
 no shutdown
Dell(conf-if-gi-3/11)#

Flush MAC Addresses after a Topology Change

Dell Networking OS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.
 MSTI 2 VLAN 200,300
!
(Step 2)
interface GigabitEthernet 1/21
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/31
 no ip address
 switchport
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 200
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown
!
interface Vlan 300
 no ip address
 tagged GigabitEthernet 1/21,31
 no shutdown

Router 2 Running-Configuration

This example uses the following steps:
1 Enable MSTP globally and s
 no ip address
 tagged GigabitEthernet 2/11,31
 no shutdown

Router 3 Running-Configuration

This example uses the following steps:
1 Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2 Assign Layer-2 interfaces to the MSTP topology.
3 Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
(Step 2)
interface 1/0/31
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
interface 1/0/32
 no shutdown
 spanning-tree port mode enable
 switchport protected 0
 exit
(Step 3)
interface vlan 100
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 200
 tagged 1/0/31
 tagged 1/0/32
 exit
interface vlan 300
 tagged 1/0/31
 tagged 1/0/32
 exit

Debugging and Verifying MSTP Configurations

To debug and verify MSTP configuration, use the following commands.
• Display BPDUs.
• MSTP Instances.
• To verify the VLAN to MSTP instance mapping, use the show commands.
• Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.
The following example shows the show run spanning-tree mstp command.
30 Multicast Features

NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6.
NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol  Ethernet Address
PIM-SM    01:00:5e:00:00:0d

• The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.

Multicast Policies

The Dell Networking OS supports multicast features for IPv4.

IPv4 Multicast Policies

The following sections describe IPv4 multicast policies.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit set with the ip multicast-limit command is reached.
Figure 82. Preventing a Host from Joining a Group

The following table lists the location and description shown in the previous illustration.

Table 44. Preventing a Host from Joining a Group — Description
Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
2/1       Interface GigabitEthernet 2/1
          ip pim sparse-mode
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface GigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.
  ip pim neighbor-filter

Preventing a Source from Registering with the RP

To prevent the PIM source DR from sending register packets to route processor (RP) for the specified multicast source and group, use the following command. If the source DR never sends register packets to the RP, no hosts can ever discover the source and create a shortest path tree (SPT) to it.
• Prevent a source from transmitting to a particular group.
Figure 83. Preventing a Source from Transmitting to a Group

The following table lists the location and description shown in the previous illustration.

Table 45. Preventing a Source from Transmitting to a Group — Description
Location  Description
1/21      Interface GigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface GigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
2/1       Interface GigabitEthernet 2/1
          ip pim sparse-mode
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface GigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface GigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface GigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface GigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.
Preventing a PIM Router from Processing a Join

To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command.
NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process, resulting in excessive traffic being sent to the CPU of both the RP and the PIM DR of the source.
31 Object Tracking

IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes.
NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 84. Object Tracking Example

When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.

Track Layer 2 Interfaces

You can create an object to track the line-protocol state of a Layer 2 interface.
Track IPv4 and IPv6 Routes

You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
Set Tracking Delays

You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients. The configured time delay starts when the state changes from UP to DOWN or the opposite way. If the state of an object changes back to its former UP/DOWN state before the timer expires, the timer is cancelled and the client is not notified.
  track object-id interface interface line-protocol
  Valid object IDs are from 1 to 65535.
2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
  OBJECT TRACKING mode
  delay {[up seconds] [down seconds]}
  Valid delay times are from 0 to 180 seconds. The default is 0.
3 (Optional) Identify the tracked object with a text description.
  OBJECT TRACKING mode
  description text
  The text string can be up to 80 characters.
To configure object tracking on the routing status of a Layer 3 interface, use the following commands.
1 Configure object tracking on the routing status of an IPv4 or IPv6 interface.
  CONFIGURATION mode
  track object-id interface interface {ip routing | ipv6 routing}
  Valid object IDs are from 1 to 65535.
2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface.
In order for a route’s reachability or metric to be tracked, the route must appear as an entry in the routing table. A tracked route is considered to match an entry in the routing table only if the exact IPv4 or IPv6 address and prefix length match an entry in the table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. Similarly, for an IPv6 address, 3333:100:200:300:400::/80 does not match the routing table entry 3333:100:200:300::/64.
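The exact-match rule above, as an added example that is not part of the Dell guide: a small Python model of a tracked route looked up against a constructed routing table, including the threshold-metric case from the later example (the hysteresis semantics of the up/down thresholds are an assumption of this example).

```python
# Added example, not from the Dell guide: a model of the exact-match rule for
# tracked routes. An object tracking 10.0.0.0/24 must find 10.0.0.0/24 itself
# in the table; the covering aggregate 10.0.0.0/8 does not count, and the same
# holds for IPv6 (3333:100:200:300:400::/80 vs 3333:100:200:300::/64).
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteEntry:
    prefix: str   # network/prefix-length as shown in the routing table
    metric: int   # metric installed with the route


def find_tracked_route(table, tracked_prefix):
    """Return the table entry equal to tracked_prefix, or None.

    Equality is checked on the normalised network address and prefix length,
    so textual variants ("3333:0100::/64" vs "3333:100::/64") match while a
    different length, or a more-specific/less-specific prefix, never does.
    """
    wanted = ipaddress.ip_network(tracked_prefix, strict=True)
    for entry in table:
        if ipaddress.ip_network(entry.prefix, strict=True) == wanted:
            return entry
    return None


def reachability(table, tracked_prefix):
    """UP when the exact route is present, DOWN otherwise."""
    return "UP" if find_tracked_route(table, tracked_prefix) is not None else "DOWN"


def metric_state(table, tracked_prefix, up_threshold, down_threshold, previous="DOWN"):
    """Threshold-metric tracking with hysteresis (assumed semantics, matching the
    'threshold metric up 30 / down 40' example: metric <= up -> UP,
    metric >= down -> DOWN, in between the previous state is kept).
    A route missing from the table is DOWN regardless of thresholds."""
    entry = find_tracked_route(table, tracked_prefix)
    if entry is None:
        return "DOWN"
    if entry.metric <= up_threshold:
        return "UP"
    if entry.metric >= down_threshold:
        return "DOWN"
    return previous


# Constructed routing table (not from the guide).
TABLE = [
    RouteEntry("10.0.0.0/8", 20),
    RouteEntry("192.168.0.0/24", 0),
    RouteEntry("3333:100:200:300::/64", 35),
]

if __name__ == "__main__":
    for prefix in ("10.0.0.0/24", "10.0.0.0/8", "3333:100:200:300:400::/80"):
        print(prefix, reachability(TABLE, prefix))
```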
  (Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs.
2 (Optional) Configure the time delay used before communicating a change in the status of a tracked route.
  OBJECT TRACKING mode
  delay {[up seconds] [down seconds]}
  Valid delay times are from 0 to 180 seconds. The default is 0.
3 (Optional) Identify the tracked object with a text description.
  track resolution {ip route | ipv6 route} {isis resolution-value | ospf resolution-value}
  The range of resolution values is:
  • ISIS routes - 1 to 1000. The default is 1.
  • OSPF routes - 1 to 1592. The default is 1.
2 Configure object tracking on the metric of an IPv4 or IPv6 route.
  CONFIGURATION mode
  track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} metric threshold [vrf vrf-name]
  Valid object IDs are from 1 to 65535. Enter an IPv4 address in dotted decimal format.
Example of IPv4 and IPv6 Tracking Metric Thresholds
The following example configures object tracking on the metric threshold of an IPv6 route:
Dell(conf)#track 8 ipv6 route 2::/64 metric threshold
Dell(conf-track-8)#threshold metric up 30
Dell(conf-track-8)#threshold metric down 40

Displaying Tracked Objects

To display the currently configured objects used to track Layer 2 and Layer 3 interfaces, and IPv4 and IPv6 routes, use the following show commands.
IP Route Resolution
  ISIS 1
  OSPF 1
IPv6 Route Resolution
  ISIS 1

Example of the show track vrf Command
Dell#show track vrf red
Track 5
  IP route 192.168.0.0/24 reachability, Vrf: red
  Reachability is Up (CONNECTED)
  3 changes, last change 00:02:39
  First-hop interface is GigabitEthernet 1/4

Example of Viewing Object Tracking Configuration
Dell#show running-config track
track 1 ip route 23.0.0.
32 Open Shortest Path First (OSPFv2 and OSPFv3)

Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking Operating System (OS).
NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 85. Autonomous System Areas

Area Types

The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers.
NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors

As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Figure 86. OSPF Routing Examples

Backbone Router (BR)

A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example.

Area Border Router (ABR)

Within an AS, an area border router (ABR) connects one or more areas to the backbone.
Autonomous System Border Router (ASBR)

The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gateway protocol (IGP) such as BGP or uses static routes.

Internal Router (IR)

The internal router (IR) has adjacencies with ONLY routers in the same area, as Routers E, M, and I shown in the example in the Router Types.
• Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
• Type 9: Link Local LSA (OSPFv2), Intra-Area-Prefix LSA (OSPFv3) — For OSPFv2, this is a link-local "opaque" LSA as defined by RFC2370. For OSPFv3, this LSA carries the IPv6 prefixes of the router and network links.
• Type 11: Grace LSA (OSPFv3) — For OSPFv3 only, this LSA is a link-local “opaque” LSA sent by a restarting OSPFv3 router during a graceful restart.
Figure 87. Priority and Cost Examples

OSPF with Dell Networking OS

The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within those 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Dell Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell Networking OS supports only one OSPFv3 process per VRF.
Graceful Restart

When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
Fast Convergence (OSPFv2, IPv4 Only)

Fast convergence allows you to define the speeds at which LSAs are originated and accepted, and reduce OSPFv2 end-to-end convergence time. Dell Networking OS allows you to accept and originate LSAs as soon as they are available to speed up route information propagation.
NOTE: The faster the convergence, the more frequent the route calculations and updates. This impacts CPU utilization and may impact adjacency stability in larger topologies.
Examples of Setting and Viewing a Dead Interval

In the following example, the dead interval is set at 4x the hello interval (shown in bold).
Dell(conf)#int gigabitethernet 2/2
Dell(conf-if-gi-2/2)#ip ospf hello-interval 20
Dell(conf-if-gi-2/2)#ip ospf dead-interval 80
Dell(conf-if-gi-2/2)#
In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Troubleshooting OSPFv2

1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing.
2 Enable OSPF globally. Assign network area and neighbors.
3 Add interfaces or configure other attributes.
4 Set the time interval between when the switch receives a topology change and starts a shortest path first (SPF) calculation.
After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system. If you try to enter an OSPF process ID, or if you try to enable more OSPF processes than available Layer 3 interfaces, prior to assigning an IP address to an interface and setting the no shutdown command, the following message displays:
Dell(conf)#router ospf 1
% Error: No router ID available.

Assigning a Router ID

In CONFIGURATION ROUTER OSPF mode, assign the router ID.
The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.

Enable OSPFv2 on Interfaces

Enable and configure OSPFv2 on each interface (configure it for the Layer 3 protocol and ensure it is not shut down). You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, and Authentication Wait Time, are assigned on a per-interface basis.
  Adjacent with neighbor 13.1.1.1 (Designated Router)
Dell>

Loopback interfaces also help the OSPF process. OSPF picks the highest interface address as the router-id, and a Loopback interface address has a higher precedence than other interface addresses.

Example of Viewing OSPF Status on a Loopback Interface
Dell#show ip ospf 1 int
GigabitEthernet 1/23 is up, line protocol is up
  Internet Address 10.168.0.1/24, Area 0.0.0.1
  Process ID 1, Router ID 10.168.253.
Example of the show ip ospf database database-summary Command
To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode.
Dell#show ip ospf 34 database database-summary
OSPF Router with ID (10.1.2.100) (Process ID 34)
Area ID  Router  Network  S-Net  S-ASBR  Type-7  Subtotal
2.2.2.2  1       0        0      0       0       1
3.3.3.3  1       0        0      0       0       1
Dell#
To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode.
  Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.0
  Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
  No Hellos (Passive interface)
  Neighbor Count is 0, Adjacent neighbor count is 0
Loopback 45 is up, line protocol is up
  Internet Address 10.1.1.23/24, Area 2.2.2.2
  Process ID 34, Router ID 10.1.2.
Changing OSPFv2 Parameters on Interfaces

In Dell Networking OS, you can modify the OSPF settings on the interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors. To change OSPFv2 parameters on the interfaces, use any or all of the following commands.
• Change the cost associated with OSPF traffic on the interface.
• Change the wait period between link state update packets sent out the interface.
  CONFIG-INTERFACE mode
  ip ospf transmit-delay seconds
  • seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network.

Example of Changing and Verifying the cost Parameter and Viewing Interface Status
To view interface configurations, use the show config command in CONFIGURATION INTERFACE mode.
The default is 0 seconds.

Enabling OSPFv2 Graceful Restart

Graceful restart is enabled for the global OSPF process. The Dell Networking implementation of OSPFv2 graceful restart enables you to specify:
• grace period — the length of time the graceful restart process can last before OSPF terminates it.
• helper-reject neighbors — the router ID of each restart router that does not receive assistance from the configured router.
• mode — the situation or situations that trigger a graceful restart.
Example of the show run ospf Command
When you configure a graceful restart on an OSPFv2 router, the show run ospf command displays information similar to the following.
Dell#show run ospf
!
router ospf 1
 graceful-restart grace-period 300
 graceful-restart role helper-only
 graceful-restart mode unplanned-only
 graceful-restart helper-reject 10.1.1.1
 graceful-restart helper-reject 20.1.1.1
 network 10.0.2.0/24 area 0
Dell#

Creating Filter Routes

To filter routes, use prefix lists.
• Specify which routes are redistributed into the OSPF process.
  CONFIG-ROUTEROSPF-id mode
  redistribute {bgp | connected | isis | rip | static} [metric metric-value | metric-type typevalue] [route-map map-name] [tag tag-value]
  Configure the following required and optional parameters:
  • bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes.
  • metric metric-value: the range is from 0 to 4294967295.
  • metric-type metric-type: 1 for OSPF external route type 1.
  show ip route summary
• View the summary information for the OSPF database.
  EXEC Privilege mode
  show ip ospf database
• View the configuration of OSPF neighbors connected to the local router.
  EXEC Privilege mode
  show ip ospf neighbor
• View the LSAs currently in the queue.
  EXEC Privilege mode
  show ip ospf timers rate-limit
• View debug messages.
Figure 88. Basic Topology and CLI Commands for OSPFv2

OSPF Area 0 — Te 1/1 and 1/2
router ospf 11111
 network 10.0.11.0/24 area 0
 network 10.0.12.0/24 area 0
 network 192.168.100.0/24 area 0
!
interface GigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown

OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.
 network 10.2.21.0/24 area 0
 network 10.2.22.0/24 area 0
!
interface Loopback 20
 ip address 192.168.100.20/24
 no shutdown
!
interface GigabitEthernet 2/1
 ip address 10.2.21.2/24
 no shutdown
!
interface GigabitEthernet 2/2
 ip address 10.2.22.2/24
 no shutdown

Configuration Task List for OSPFv3 (OSPF for IPv6)

This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
  ipv6 unicast routing

Applying cost for OSPFv3

A change in bandwidth directly affects the cost of OSPF routes.
• Explicitly specify the cost of sending a packet on an interface.
  INTERFACE mode
  ipv6 ospf interface-cost
  • interface-cost: the range is from 1 to 65535. The default cost is based on the bandwidth.
• Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
  • process-id: the process ID number assigned.
  • area-id: the area ID for this interface.

Assigning OSPFv3 Process ID and Router ID Globally

To assign, disable, or reset OSPFv3 globally, use the following commands.
• Enable the OSPFv3 process globally and enter OSPFv3 mode.
  CONFIGURATION mode
  ipv6 router ospf {process ID}
  • The range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
  CONF-IPV6-ROUTER-OSPF mode
  router-id {number}
  • number: the IPv4 address. The format is A.B.C.D.
• Reset the OSPFv3 process.
  EXEC Privilege mode
  clear ipv6 ospf process

Configuring Stub Areas

To configure IPv6 stub areas, use the following command.
• Configure the area as a stub area.
  CONF-IPV6-ROUTER-OSPF mode
  area area-id stub [no-summary]
  • no-summary: use these keywords to prevent transmission into the area of summary ASBR LSAs.
  • Area ID: a number or IP address assigned when creating the area.
  • bgp | connected | static: enter one of the keywords to redistribute those routes.
  • metric metric-value: the range is from 0 to 4294967295.
  • metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2.
  • route-map map-name: enter the name of a configured route map.
  • tag tag-value: the range is from 0 to 4294967295.

Configuring a Default Route

To generate a default external route into the OSPFv3 routing domain, configure the following parameters.
  graceful-restart mode [planned-only | unplanned-only]
  • Planned-only: the OSPFv3 router supports graceful restart only for planned restarts. A planned restart is when you manually enter a redundancy force-failover rpm command to force the primary RPM over to the secondary RPM. During a planned restart, OSPFv3 sends out a Grace LSA before the system switches over to the secondary RPM. OSPFv3 is notified that a planned restart is happening.
  Originate New LSAS      73
  Rx New LSAS             114085
  Ext LSA Count           0
  Rte Max Eq Cost Paths   5
  GR grace-period         180
  GR mode                 planned and unplanned

Area 0 database summary
  Type                      Count/Status
  Brd Rtr Count             2
  AS Bdr Rtr Count          2
  LSA count                 12010
  Summary LSAs              1
  Rtr LSA Count             4
  Net LSA Count             3
  Inter Area Pfx LSA Count  12000
  Inter Area Rtr LSA Count  0
  Group Mem LSA Count       0

The following example shows the show ipv6 ospf database grace-lsa command.
possible to insert the ESP header between the next layer protocol header and encapsulated IP header in Tunnel mode. However, Tunnel mode is not supported in Dell Networking OS. For detailed information about the IP ESP protocol, refer to RFC 4303. In OSPFv3 communication, IPsec provides security services between a pair of communicating hosts or security gateways using either AH or ESP.
Configuring IPsec Authentication on an Interface

To configure, remove, or display IPsec authentication on an interface, use the following commands.
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
  • key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information. Required lengths of a non-encrypted or encrypted key are: 3DES - 48 or 96 hex digits; DES - 16 or 32 hex digits; AES-CBC - 32 or 64 hex digits for AES-128 and 48 or 96 hex digits for AES-192.
  • key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted).
Configuring IPsec Encryption for an OSPFv3 Area

To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands.
Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.
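The key-length rules listed under the key parameter and the SPI-uniqueness prerequisite above, as an added example that is not Dell's code: a Python lint that checks candidate OSPFv3 IPsec policies before they are typed in. The policy record layout (a dict per policy) is constructed for this example and is not the CLI syntax.

```python
# Added example, not Dell's code: a pre-deployment lint for the OSPFv3 IPsec
# policies described above. It checks the key-length rules quoted in the text
# (hex digits per algorithm for a plaintext key, type 0, or an encrypted key,
# type 7) and that no SPI is shared by two policies on the same router.
# The policy record layout is constructed for this example; it is not the CLI.
import re
from collections import Counter

# hex digits required, by algorithm and key-encryption-type (0 plain, 7 encrypted)
KEY_HEX_DIGITS = {
    "3des":        {0: 48, 7: 96},
    "des":         {0: 16, 7: 32},
    "aes-cbc-128": {0: 32, 7: 64},
    "aes-cbc-192": {0: 48, 7: 96},
}
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def check_key(algorithm, key_encryption_type, key):
    """Return (ok, reason) for one key against the guide's length table."""
    alg = algorithm.lower()
    if alg not in KEY_HEX_DIGITS:
        return False, f"unknown algorithm {algorithm!r}"
    if key_encryption_type not in (0, 7):
        return False, "key-encryption-type must be 0 (plain) or 7 (encrypted)"
    if not HEX_RE.match(key):
        return False, "key must consist of hex digits only"
    want = KEY_HEX_DIGITS[alg][key_encryption_type]
    if len(key) != want:
        return False, f"{alg} type {key_encryption_type} needs {want} hex digits, got {len(key)}"
    return True, "ok"


def lint_policies(policies):
    """policies: iterable of dicts with keys scope, spi, algorithm, key_type, key.

    scope is a free-text label ('interface ...', 'area 0'); whether a policy is
    authentication or encryption does not matter to these two checks.
    Returns a list of problem strings; an empty list means clean.
    """
    problems = []
    spi_uses = Counter(p["spi"] for p in policies)
    for p in policies:
        ok, why = check_key(p["algorithm"], p["key_type"], p["key"])
        if not ok:
            problems.append(f"{p['scope']} spi {p['spi']}: {why}")
        if spi_uses[p["spi"]] > 1:
            problems.append(f"{p['scope']} spi {p['spi']}: SPI reused by another policy")
    return problems


# Constructed sample (not from the guide): one valid AES-128 policy, one 3DES
# key that is too short, and an SPI collision between an interface and an area.
SAMPLE_POLICIES = [
    {"scope": "interface GigabitEthernet 1/2", "spi": 600,
     "algorithm": "aes-cbc-128", "key_type": 0, "key": "00112233445566778899aabbccddeeff"},
    {"scope": "interface GigabitEthernet 1/3", "spi": 601,
     "algorithm": "3des", "key_type": 0, "key": "a1b2c3" * 6},
    {"scope": "area 0", "spi": 600,
     "algorithm": "des", "key_type": 7, "key": "f" * 32},
]

if __name__ == "__main__":
    for problem in lint_policies(SAMPLE_POLICIES):
        print(problem)
```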
  EXEC Privilege mode
  show crypto ipsec sa ipv6 [interface interface]
  To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values:
  • For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
  • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
  • For a port channel interface, enter the keywords port-channel then a number.
STATUS : ACTIVE
outbound ah sas
spi : 500 (0x1f4)
transform : ah-md5-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
inbound esp sas
outbound esp sas
Interface: GigabitEthernet 1/2
Link Local address: fe80::201:e8ff:fe40:4d11
IPSecv6 policy name: OSPFv3-1-600
inbound ah sas
outbound ah sas
inbound esp sas
spi : 600 (0x258)
transform : esp-des esp-sha1-hmac
in use settings : {Transport, }
replay detection support : N
STATUS : ACTIVE
outbound esp sas
spi : 600 (0x258)
transfo
Viewing Summary Information
To get general route, configuration, link status, and debug information, use the following commands.
• View the summary information of the IPv6 routes.
EXEC Privilege mode
show ipv6 route [vrf vrf-name] summary
• View the summary information for the OSPFv3 database.
EXEC Privilege mode
show ipv6 ospf [vrf vrf-name] database
• View the configuration of OSPFv3 neighbors.
33 Policy-based Routing (PBR)
Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
Overview
When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following:
• Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next hop.
• If the specified next hops are not reachable, the normal routing table is used to forward the traffic.
• Dell Networking OS supports multiple next-hop entries in the redirect lists.
In the following example, the permit statement is never applied, because the redirect at seq 5 already covers all source and destination IP addresses:
ip redirect-list rcl0
seq 5 redirect 2.2.2.2 ip any any
seq 10 permit ip host 3.3.3.3 any
To ensure the permit statement or PBR exception is effective, use a lower sequence number, as shown:
ip redirect-list rcl0
seq 10 permit ip host 3.3.3.3 any
seq 15 redirect 2.2.2.2 ip any any
Create a Redirect List
To create a redirect list, use the following commands.
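To make the ordering point concrete, here is a small Python model of first-match redirect-list evaluation, added as an illustration and not part of the Dell documentation. It takes the matching semantics from the text above (lowest sequence number wins, a permit is a PBR exception that falls through to the routing table, an unreachable next hop also falls back to the routing table) and flags rules that an earlier, broader rule shadows; it parses only the next-hop-address form of the rule shown above, not the tunnel/track form.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str      # "redirect" or "permit"
    next_hop: str    # "" for permit rules
    proto: str       # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D/NN') and
    return it as an IPv4Network plus the remaining tokens."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(tokens[0], strict=False), tokens[1:]


def parse_redirect_list(text):
    """Parse 'seq N redirect|permit ...' lines (the form shown in the text)
    and return the rules sorted by sequence number."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "seq":
            continue  # blank line or the 'ip redirect-list NAME' header
        seq, action = int(tok[1]), tok[2]
        if action == "redirect":
            next_hop, proto, rest = tok[3], tok[4], tok[5:]
        else:
            next_hop, proto, rest = "", tok[3], tok[4:]
        src, rest = _parse_addr(rest)
        dst, _ = _parse_addr(rest)
        rules.append(Rule(seq, action, next_hop, proto, src, dst))
    return sorted(rules, key=lambda r: r.seq)


def _matches(rule, src, dst, proto):
    return ((rule.proto == "ip" or rule.proto == proto)
            and ipaddress.IPv4Address(src) in rule.src
            and ipaddress.IPv4Address(dst) in rule.dst)


def forward(rules, src, dst, proto, reachable_next_hops):
    """The first matching rule (lowest seq) decides. 'routing-table' means the
    packet takes the normal route: a permit (PBR exception) matched, the
    redirect's next hop is unreachable, or nothing matched."""
    for rule in rules:
        if _matches(rule, src, dst, proto):
            if rule.action == "redirect" and rule.next_hop in reachable_next_hops:
                return rule.next_hop
            return "routing-table"
    return "routing-table"


def shadowed_sequences(rules):
    """Sequence numbers of rules that can never match because an earlier rule
    already covers their whole protocol/source/destination space."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if ((earlier.proto == "ip" or earlier.proto == later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)):
                out.append(later.seq)
                break
    return out


# Constructed inputs mirroring the two lists in the text above.
INEFFECTIVE = """
ip redirect-list rcl0
seq 5 redirect 2.2.2.2 ip any any
seq 10 permit ip host 3.3.3.3 any
"""
EFFECTIVE = """
ip redirect-list rcl0
seq 10 permit ip host 3.3.3.3 any
seq 15 redirect 2.2.2.2 ip any any
"""

if __name__ == "__main__":
    for name, text in (("ineffective", INEFFECTIVE), ("effective", EFFECTIVE)):
        rules = parse_redirect_list(text)
        print(name, forward(rules, "3.3.3.3", "10.0.0.1", "tcp", {"2.2.2.2"}),
              "shadowed:", shadowed_sequences(rules))
```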
• FORMAT: A.B.C.D/NN, or ANY or HOST IP address
• destination ip-address or any or host ip-address is the destination's IP address
• FORMAT: A.B.C.D/NN, or ANY or HOST IP address
To delete a rule, use the no redirect command.
NOTE: Starting with Dell Networking OS version 9.4(0.0), the use of multiple recursive routes with the same source-address and destination-address combination in a redirect policy on a router is supported. A recursive route is a route for which the immediate next-hop address is learned dynamically through a routing protocol and acquired through a route lookup in the routing table.
List the redirect list configuration using the show ip redirect-list redirect-list-name command. A non-contiguous mask displays in dotted format (x.x.x.x); a contiguous mask displays in /x format.
Dell#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
Defined as:
seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
Sample Configuration
You can use the following example configuration to set up PBR. These are not comprehensive directions but are intended to give you guidance with typical configurations. You can copy and paste from these examples to your CLI. Make the necessary changes to support your own IP addresses, interfaces, names, and so on.
The Redirect-List GOLD defined in this example creates the following rules:
• description Route Gold traffic to the DS3
• seq 5 redirect 10.99.99.254 ip 192.168.1.
Dell(conf-track-3)#probe icmp
Dell(conf-track-3)#track 4 ip host 43.1.1.2 reachability
Dell(conf-track-4)#probe icmp
Dell(conf-track-4)#end
Create a Redirect-list with Track Objects pertaining to Redirect-IPs:
Dell#configure terminal
Dell(conf)#ip redirect-list redirect_list_with_track
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 tcp any any
Dell(conf-redirect-list)#redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.
Dell#configure terminal
Dell(conf)#interface tunnel 2
Dell(conf-if-tu-2)#tunnel destination 441:10::2
Dell(conf-if-tu-2)#tunnel source 441:10::1
Dell(conf-if-tu-2)#tunnel mode ipv6
Dell(conf-if-tu-2)#tunnel keepalive 601:10::2
Dell(conf-if-tu-2)#ipv6 address 601:10::1/64
Dell(conf-if-tu-2)#no shutdown
Dell(conf-if-tu-2)#end
Dell#
Create Track Objects to track the Tunnel Interfaces:
Dell#configure terminal
Dell(conf)#track 1 interface tunnel 1 ip routing
Dell(conf-track-1)#exit
Dell(conf)#track 2 interface t
34 PIM Sparse-Mode (PIM-SM)
Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM dense mode, which forwards multicast traffic to all subnets until it receives a request to stop.
Implementation Information
The following information is necessary for implementing PIM-SM.
Refuse Multicast Traffic
A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP.
1 After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
ip multicast-routing
Related Configuration Tasks
The following are related PIM-SM configuration tasks.
• Configuring S,G Expiry Timers
• Configuring a Static Rendezvous Point
• Configuring a Designated Router
• Creating Multicast Boundaries and Domains
Enable PIM-SM
You must enable PIM-SM on each participating interface.
1 Enable multicast routing on the system.
CONFIGURATION mode
ip multicast-routing
2 Enable PIM-Sparse mode.
GigabitEthernet 2/13
(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
Incoming interface: GigabitEthernet 2/11, RPF neighbor 0.0.0.0
Outgoing interface list:
GigabitEthernet 1/11
GigabitEthernet 1/12
GigabitEthernet 2/13
--More--
Configuring S,G Expiry Timers
By default, S,G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G] entries) or configure an expiry time for a particular entry.
Configuring a Static Rendezvous Point
The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root of a group-specific tree; every group must have an RP.
• Identify an RP by the IP address of a PIM-enabled or Loopback interface.
ip pim rp-address
Example of Viewing an RP on a Loopback Interface
Dell#sh run int loop0
!
interface Loopback 0
ip address 1.1.1.1/32
ip pim sparse-mode
no shutdown
Dell#sh run pim
!
ip pim rp-address 1.1.1.1 group-address 224.0.0.
INTERFACE mode
ip pim query-interval seconds
• Display the current values of these parameters.
EXEC Privilege mode
show ip pim interface
Creating Multicast Boundaries and Domains
A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
35 PIM Source-Specific Mode (PIM-SSM)
PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Related Configuration Tasks
• Use PIM-SSM with IGMP Version 2 Hosts
Enabling PIM-SSM
To enable PIM-SSM, follow these steps.
1 Create an ACL that uses permit rules to specify what range of addresses should use SSM.
CONFIGURATION mode
ip access-list standard name
2 Enter the ip pim ssm-range command and specify the ACL you created.
CONFIGURATION mode
ip pim ssm-range acl-name
Enabling PIM-SSM
To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.
Configuring PIM-SSM with IGMPv2
R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4
ip pim ssm-range ssm
R1(conf)#do show run acl
!
ip access-list standard map
seq 5 permit host 239.0.0.2
!
ip access-list standard ssm
seq 5 permit host 239.0.0.2
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface   Mode   Uptime   Expires
239.0.0.
36 Port Monitoring
Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring can capture ingress traffic, egress traffic, or both on one or more specific ports; the mirrored copy is sent to a port where a network sniffer can connect and monitor the traffic.
Port Monitoring
Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session.
Example of Viewing a Monitoring Session
In the example below, 0/25 and 0/26 belong to Port-pipe 1. This port-pipe has the same restriction of only four destination ports, new or used.
source
Example of Viewing Port Monitoring Configuration
To display information on currently configured port-monitoring sessions, use the show monitor session command from EXEC Privilege mode.
Figure 90. Port Monitoring Example
Configuring Monitor Multicast Queue
To configure the monitor QoS multicast queue ID, use the following commands.
1 Configure the monitor QoS multicast queue ID.
CONFIGURATION mode
monitor multicast-queue queue-id
Dell(conf)#monitor multicast-queue 7
2 Verify information about monitor configurations.
flow-based enable
2 Define access-list rules that include the keyword monitor. For port monitoring, Dell Networking OS only considers traffic matching rules with the keyword monitor.
CONFIGURATION mode
ip access-list
Refer to Access Control Lists (ACLs).
3 Apply the ACL to the monitored port.
Remote Port Mirroring Example Remote port mirroring uses the analyzers shown in the aggregation network in Site A. The VLAN traffic on monitored links from the access network is tagged and assigned to a dedicated L2 VLAN. Monitored links are configured in two source sessions shown with orange and green circles. Each source session uses a separate reserved VLAN to transmit mirrored packets (mirrored source-session traffic is shown with an orange or green circle with a blue border).
• You can configure any switch in the network with source ports and destination ports, and allow it to function in an intermediate transport session for a reserved VLAN at the same time for multiple remote-port mirroring sessions. You can enable and disable individual mirroring sessions.
• BPDU monitoring is not required to use remote port mirroring.
Restrictions
When you configure remote port mirroring, the following restrictions apply:
• You can configure the same source port to be used in multiple source sessions.
• You cannot configure a source port channel or source VLAN in a source session if the port channel or VLAN has a member port that is configured as a destination port in a remote-port mirroring session.
Configuring the Sample Remote Port Mirroring
Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
Table 46. Configuration Steps for RPM
Step   Command              Purpose
1      configure terminal   Enter global configuration mode.
Dell(conf-if-gi-1/30)#switchport
Dell(conf-if-gi-1/30)#exit
Dell(conf)#interface vlan 30
Dell(conf-if-vl-30)#mode remote-port-mirroring
Dell(conf-if-vl-30)#tagged gi 1/30
Dell(conf-if-vl-30)#exit
Dell(conf)#interface port-channel 10
Dell(conf-if-po-10)#channel-member gi 1/28-29
Dell(conf-if-po-10)#no shutdown
Dell(conf-if-po-10)#exit
Dell(conf)#monitor session 3 type rpm
Dell(conf-mon-sess-3)#source port-channel 10 dest remote-vlan 30 dir both
Dell(conf-mon-sess-3)#no disable
Dell(conf-mon-sess-3)#
Dell(con
Dell(conf-mon-sess-3)#source remote-vlan 30 destination gi 1/6
Dell(conf-mon-sess-3)#tagged destination gi 1/6
Dell(conf-mon-sess-3)#end
Dell#
Dell#show monitor session
SessID  Source          Destination  Dir  Mode  Source IP  Dest IP
------  --------------  -----------  ---  ----  ---------  -------
1       remote-vlan 10  gi 1/4       N/A  N/A   N/A        N/A
2       remote-vlan 20  gi 1/5       N/A  N/A   N/A        N/A
3       remote-vlan 30  gi 1/6       N/A  N/A   N/A        N/A
Dell#
Configuring RSPAN Source Sessions to Avoid BPDU Issues
Whenever you configure an RPM source session, you must ensure
Encapsulated Remote Port Monitoring
Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session.
NOTE: When configuring ERPM, follow these guidelines:
• The Dell Networking OS supports ERPM source sessions only. Encapsulated packets terminate at the destination IP address or at the analyzer.
flow-based command to disable flow-based ERPM.
6 no disable
Enter the no disable command to activate the ERPM session.
The following example shows an ERPM configuration.
Dell(conf)#monitor session 0 type erpm
Dell(conf-mon-sess-0)#source gigabitethernet 1/9 direction rx
Dell(conf-mon-sess-0)#source port-channel 1 direction tx
Dell(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.
ERPM Behavior on a Typical Dell Networking OS
The Dell Networking OS is designed to support only the encapsulation of the data received or transmitted at the specified source port (Port A). An ERPM destination session, that is, decapsulation of the ERPM packets at the destination switch, is not supported.
Figure 92.
b Using a Python script
• Either use a Linux server's Ethernet port IP as the ERPM destination IP, or connect the ingress interface of the server to the ERPM MirrorToPort. The analyzer should listen on the forward/egress interface. If there is only one interface, you can choose the ingress and forward interface to be the same and listen in the tx direction of the interface.
• Download or write a small script (for example: erpm.
37 Private VLANs (PVLAN)
The private VLAN (PVLAN) feature is supported on Dell Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide.
Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
• A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch.
• A primary VLAN has one or more promiscuous ports.
• A primary VLAN might have one or more trunk ports, or none.
Secondary VLAN — a subdomain of the primary VLAN.
• There are two types of secondary VLAN — community VLAN and isolated VLAN.
show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface]
• Display primary-secondary VLAN mapping.
EXEC mode or EXEC Privilege mode
show vlan private-vlan mapping
• Set the PVLAN mode of the selected port.
INTERFACE mode
switchport mode private-vlan {host | promiscuous | trunk}
NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs.
NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. You also cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The following example shows the switchport mode private-vlan command on a port and on a port channel.
6 (OPTIONAL) Assign an IP address to the VLAN.
INTERFACE VLAN mode
ip address ip-address
7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs.
INTERFACE VLAN mode
ip local-proxy-arp
NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped.
Creating a Community VLAN
A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN.
INTERFACE VLAN mode
private-vlan mode isolated
4 Add one or more host ports to the VLAN.
INTERFACE VLAN mode
tagged interface or untagged interface
You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example
The following example shows a private VLAN topology.
Figure 93. Sample Private VLAN Topology
The following configuration is based on the example diagram for the Z9500:
• Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• Te 1/3 is a promiscuous port and Te 1/25 is a PVLAN trunk port, assigned to the primary VLAN 4000.
• Te 1/4-6 are host ports. Te 1/4 and Te 1/5 are assigned to the community VLAN 4001, while Te 1/6 is assigned to the isolated VLAN 4003.
The result is that:
• The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
Primary   : 4000
Isolated  : 4003
Community : 4001
NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column.
The following example shows viewing the VLAN status.
38 Per-VLAN Spanning Tree Plus (PVST+)
Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Protocol Overview
PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each VLAN.
Dell Networking Term                    IEEE Specification
Multiple Spanning Tree Protocol (MSTP)  802.1s
Per-VLAN Spanning Tree Plus (PVST+)     Third Party
Implementation Information
• The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs.
• Disable PVST+ globally.
PROTOCOL PVST mode
disable
• Disable PVST+ on an interface, or remove a PVST+ parameter configuration.
INTERFACE mode
no spanning-tree pvst
Example of Viewing PVST+ Configuration
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.
To assign a bridge priority, use the following command.
• Assign a bridge priority.
PROTOCOL PVST mode
vlan bridge-priority
The range is from 0 to 61440. The default is 32768.
Example of the show spanning-tree pvst vlan Command
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.
Dell_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
Root Identifier has priority 4096, Address 0001.e80d.
NOTE: With large configurations (especially those configurations with more ports), Dell Networking recommends increasing the hello-time.
The range is from 1 to 10. The default is 2 seconds.
• Change the max-age parameter.
PROTOCOL PVST mode
vlan max-age
The range is from 6 to 40. The default is 20 seconds.
The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command.
spanning-tree pvst vlan cost
The range is from 0 to 200000. Refer to the table for the default values.
• Change the port priority of an interface.
INTERFACE mode
spanning-tree pvst vlan priority
The range is from 0 to 240, in increments of 16. The default is 128.
The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown.
executing this action, use the no spanning-tree pvst err-disable cause invalid-pvst-bpdu command. After you configure this command, if the port receives a PVST+ BPDU, the BPDU is dropped and the port remains operational.
Enabling PVST+ Extend System ID
In the following example, ports P1 and P2 are untagged members of different VLANs. These ports are untagged because the hub is VLAN unaware. There is no data loop in this scenario; however, you can employ PVST+ to avoid potential misconfigurations.
!
interface GigabitEthernet 1/32
no ip address
switchport
no shutdown
!
protocol spanning-tree pvst
no disable
vlan 100 bridge-priority 4096
interface Vlan 100
no ip address
tagged GigabitEthernet 1/22,32
no shutdown
!
interface Vlan 200
no ip address
tagged GigabitEthernet 1/22,32
no shutdown
!
interface Vlan 300
no ip address
tagged GigabitEthernet 1/22,32
no shutdown
!
protocol spanning-tree pvst
no disable
vlan 100 bridge-priority 4096
Example of PVST+ Configuration (R2)
interface GigabitEthernet 2/12
n
tagged GigabitEthernet 3/12,22
no shutdown
!
interface Vlan 200
no ip address
tagged GigabitEthernet 3/12,22
no shutdown
!
interface Vlan 300
no ip address
tagged GigabitEthernet 3/12,22
no shutdown
!
protocol spanning-tree pvst
no disable
vlan 300 bridge-priority 4096
39 Quality of Service (QoS)
This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.
Table 50.
Feature                                    Direction
Create Input Policy Maps                   Ingress
Honor DSCP Values on Ingress Packets       Ingress
Honoring dot1p Values on Ingress Packets   Ingress
Create Output Policy Maps                  Egress
Specify an Aggregate QoS Policy            Egress
Create Output Policy Maps                  Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection            Egress
Create WRED Profiles                       Egress
Figure 97.
• DSCP Color Maps
• Enabling QoS Rate Adjustment
• Enabling Strict-Priority Queueing
• Weighted Random Early Detection
• Pre-Calculating Available QoS CAM Space
• Configuring Weights and ECN for WRED
• Configuring WRED and ECN Attributes
• Guidelines for Configuring ECN for Classifying and Color-Marking Packets
• Applying Layer 2 Match Criteria on a Layer 3 Interface
• Applying DSCP and VLAN Match Criteria on a Service Queue
• Classifying Incoming Packets Using ECN and Color-Marking
dot1p   Queue Number
3       1
4       2
5       3
6       3
7       3
• Change the priority of incoming traffic on the interface.
dot1p-priority
Example of Configuring a dot1p Priority on an Interface
Dell#configure terminal
Dell(conf)#interface gigabitethernet 1/1
Dell(conf-if-gi-1/1)#switchport
Dell(conf-if-gi-1/1)#dot1p-priority 1
Dell(conf-if-gi-1/1)#end
Honoring dot1p Priorities on Ingress Traffic
By default, Dell Networking OS does not honor dot1p priorities on ingress traffic.
Configuring Port-Based Rate Policing
If the interface is a member of a VLAN, you may specify the VLAN for which ingress packets are policed.
• Rate police ingress traffic on an interface.
INTERFACE mode
rate police
Example of the rate police Command
The following example shows configuring rate policing.
Example of the rate shape Command
Dell#configure terminal
Dell(conf)#interface gigabitethernet 1/1
Dell(conf-if-gi-1/1)#rate shape 500 50
Dell(conf-if-gi-1/1)#end
Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 98. Constructing Policy-Based QoS Configurations
Classify Traffic
Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using Layer 3 class maps. You may specify more than one DSCP and IP precedence value, but only one value must match to trigger a positive match for the class map.
NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
Use step 1 or step 2 to start creating a Layer 3 class map.
The following example matches IPv4 and IPv6 traffic with a precedence value of 3.
Dell(conf)#class-map match-any test1
Dell(conf-class-map)#match ip-any precedence 3
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL.
Displaying Configured Class Maps and Match Criteria
To display all class maps or a specific class map, use the following command.
Dell Networking OS Behavior: An explicit "deny any" rule in a Layer 3 ACL used in a (match any or match all) class map creates a "default to Queue 0" entry in the CAM, which causes unintended traffic classification. In the following example, traffic is classified in two queues, 1 and 2. Class-map ClassAF1 is "match any," and ClassAF2 is "match all".
Create a QoS Policy
There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values.
• Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Creating an Output QoS Policy
To create an output QoS policy, use the following commands.
1 Create an output QoS policy.
CONFIGURATION mode
qos-policy-output
2 After you configure an output QoS policy, do one or more of the following:
Scheduler Strict — Policy-based strict-priority queueing configuration is done through scheduler strict. It is applied to qos-policy-output. When scheduler strict is applied to multiple queues, the higher queue number takes precedence.
bandwidth-percentage
Specifying WRED Drop Precedence
You can configure the WRED drop precedence in an output QoS policy.
• Specify a WRED profile for yellow and/or green traffic.
QOS-POLICY-OUT mode
wred
For more information, refer to Applying a WRED Profile to Traffic.
Create Policy Maps
There are two types of policy maps: input and output.
Creating Input Policy Maps
There are two types of input policy maps: Layer 3 and Layer 2.
1 Create a Layer 3 input policy map.
Honoring DSCP Values on Ingress Packets
Dell Networking OS provides the ability to honor DSCP values on ingress packets using the Trust DSCP feature. The following table lists the standard DSCP definitions and indicates to which queues Dell Networking OS maps DSCP values. When you configure trust DSCP, the matched packets and matched bytes counters are not incremented in show qos statistics.
Table 53.
dot1p   Queue ID
2       0
3       1
4       2
5       3
6       3
7       3
The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
• Enable the trust dot1p feature.
POLICY-MAP-IN mode
trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets.
Specify the keyword layer2 if the policy map you are applying is a Layer 2 policy map.
Creating Output Policy Maps
1 Create an output policy map.
CONFIGURATION mode
policy-map-output
2 After you create an output policy map, do one or more of the following:
Applying an Output QoS Policy to a Queue
Specifying an Aggregate QoS Policy
Applying an Output Policy Map to an Interface
3 Apply the policy map to an interface.
Creating a DSCP Color Map
You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color (green, yellow, red) for the input traffic. The system uses this information to classify input traffic on an interface based on the DSCP value of each packet and assigns it an initial drop precedence of green, yellow, or red. The default setting for each DSCP value (0-63) is green (low drop precedence).
Displaying DSCP Color Maps
To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode.
Examples for Creating a DSCP Color Map
Display all DSCP color maps.
Dell# show qos dscp-color-map
Dscp-color-map mapONE
yellow 4,7
red 20,30
Dscp-color-map mapTWO
yellow 16,55
Display a specific DSCP color map.
Enabling QoS Rate Adjustment By default while rate limiting, policing, and shaping, Dell Networking OS does not include the Preamble, SFD, or the IFG fields. These fields are overhead; only the fields from MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
space for other types. You can apply a WRED profile to a policy-map so that specified traffic can be prevented from consuming too much of the BTM resources. WRED uses a profile to specify minimum and maximum threshold values. The minimum threshold is the allotted buffer space for specified traffic, for example, 1000KB on egress.
Figure 99. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 56. Pre-Defined WRED Profiles
Default Profile Name   Minimum Threshold   Maximum Threshold   Maximum Drop Rate
wred_drop              0                   0                   100
wred_teng_y            467                 4671                100
wred_teng_g            467                 4671                50
wred_fortyg_y          467                 4671                50
wred_fortyg_g          467                 4671                25
Creating WRED Profiles
To create WRED profiles, use the following commands.
1 Create a WRED profile.
DSCP is a 6-bit field. Dell Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence.
• DP values of 100, 101, and 110 map to yellow; all other values map to green.
• If you do not configure Dell Networking OS to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence.
• Assign a WRED profile to either yellow or green traffic.
Displaying egress-queue Statistics
To display the number of transmitted and dropped packets on the egress queues of a WRED-configured interface, use the following command.
• Display the number of packets and number of bytes on the egress-queue profile.
Specifically:
• Available CAM — the available number of CAM entries in the specified CAM partition for the specified line card or stack-unit port-pipe.
• Estimated CAM — the estimated number of CAM entries that the policy will consume when it is applied to an interface.
• Status — indicates whether the specified policy-map can be completely applied to an interface in the port-pipe.
You can enable WRED and ECN capabilities per queue for granularity. You can disable this functionality per queue, and you can also specify the minimum and maximum buffer thresholds for each color-coding of the packets. You can configure the maximum drop rate percentage of yellow and green profiles. You can set up these parameters for both front-end and backplane ports.
Global Service Pools With WRED and ECN Settings
Support for global service pools is now available.
Configuring WRED and ECN Attributes
The functionality to configure a weight factor for the WRED and ECN functionality for backplane ports is supported on the platform. WRED drops packets when the average queue length exceeds the configured threshold value to signify congestion. Explicit Congestion Notification (ECN) is a capability that enhances WRED by marking the packets instead of causing WRED to drop them when the threshold value is exceeded.
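The following Python model, added here as an illustration and not part of Dell Networking OS or this guide, shows how the thresholds and maximum drop rate of Table 56 combine into a per-packet WRED decision, and how enabling ECN on a queue turns a probabilistic drop into a Congestion Experienced mark for ECN-capable packets. The linear ramp between the thresholds, tail drop at or above the maximum threshold, and marking only on the ramp are standard WRED behaviour assumed here rather than statements from the page; the WredProfile, drop_probability, enqueue_decision and simulate names are the example's own.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

# ECN codepoints carried in the 2-bit ECN field of the IPv4 header.
ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0b00, 0b01, 0b10, 0b11


@dataclass(frozen=True)
class WredProfile:
    name: str
    min_threshold: int  # average depth below which nothing is dropped or marked
    max_threshold: int  # average depth at or above which every packet is dropped
    max_drop_rate: int  # percent, reached as the average depth approaches max_threshold


# The five pre-defined profiles from Table 56 (values copied from the page).
PREDEFINED: Dict[str, WredProfile] = {p.name: p for p in (
    WredProfile("wred_drop", 0, 0, 100),
    WredProfile("wred_teng_y", 467, 4671, 100),
    WredProfile("wred_teng_g", 467, 4671, 50),
    WredProfile("wred_fortyg_y", 467, 4671, 50),
    WredProfile("wred_fortyg_g", 467, 4671, 25),
)}


def drop_probability(profile: WredProfile, avg_queue_len: int) -> float:
    """Probability (0..1) that WRED acts on a packet at this average queue depth.

    Assumed shape (conventional WRED): nothing below the minimum threshold,
    tail drop (probability 1) at or above the maximum threshold, and a linear
    ramp up to max_drop_rate percent in between.
    """
    if avg_queue_len < profile.min_threshold:
        return 0.0
    if avg_queue_len >= profile.max_threshold:
        return 1.0
    span = profile.max_threshold - profile.min_threshold
    fraction = (avg_queue_len - profile.min_threshold) / span
    return fraction * profile.max_drop_rate / 100.0


def enqueue_decision(profile: WredProfile, avg_queue_len: int, ecn_bits: int,
                     ecn_enabled: bool,
                     rand: Callable[[], float] = random.random) -> Tuple[str, int]:
    """Decide the fate of one arriving packet: 'accept', 'mark' or 'drop'.

    Returns the action and the (possibly rewritten) ECN bits.  With ECN enabled
    on the queue, an ECN-capable packet (ECT(0) or ECT(1)) selected on the ramp
    is marked Congestion Experienced instead of being dropped, as the page
    describes.  Packets arriving at or above the maximum threshold are dropped
    regardless (assumption: marking applies only on the probabilistic ramp).
    """
    p = drop_probability(profile, avg_queue_len)
    if p == 0.0:
        return "accept", ecn_bits
    if avg_queue_len >= profile.max_threshold:
        return "drop", ecn_bits
    if rand() >= p:
        return "accept", ecn_bits
    if ecn_enabled and ecn_bits in (ECN_ECT0, ECN_ECT1):
        return "mark", ECN_CE
    return "drop", ecn_bits


def simulate(profile: WredProfile, depths: Iterable[int], ecn_bits: int,
             ecn_enabled: bool, seed: int = 1) -> Dict[str, int]:
    """Feed a sequence of average queue depths through the profile and count outcomes."""
    rng = random.Random(seed)  # seeded so a run is reproducible
    counts = {"accept": 0, "mark": 0, "drop": 0}
    for depth in depths:
        action, _ = enqueue_decision(profile, depth, ecn_bits, ecn_enabled, rng.random)
        counts[action] += 1
    return counts
```

Comparing wred_teng_y with wred_teng_g at the same depth shows what the Maximum Drop Rate column buys: both start acting at 467, but the green profile never exceeds half the drop rate of the yellow one until the maximum threshold forces tail drop on both.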
Because this functionality forcibly marks all the packets matching the specific match criteria as ‘yellow’, Dell Networking OS does not support policer-based coloring and this feature concurrently. If a single-rate two-color policer is configured along with this feature, then by default all packets below the PIR would be considered ‘Green’, but ‘Green’ packets matching the specific match criteria for which ‘color-marking’ is configured will be overwritten and marked as ‘Yellow’.
Match qualifiers can be configured directly in the class-map command, or they can be specified through one or more ACLs, which in turn specify the combination of match qualifiers. Until Release 9.3(0.0), support is available for classifying traffic based on the 6-bit DSCP field of the IPv4 packet. As a part of this feature, the 2-bit ECN field of the IPv4 packet will also be available to be configured as one of the match qualifiers.
• set a new DSCP for the packet
• set the packet color as ‘yellow’
• set the packet color as ‘yellow’ and set a new DSCP for the packet
This marking action to set the color of the packet is allowed only on the ‘match-any’ logical operator of the class-map.
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-group dscp_50_ecn
!
policy-map-input pmap_dscp_40_50
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50
To configure IP VLAN and DSCP match criteria in a Layer 3 class map, and apply the class and policy maps to a service queue: 1 Create a match-any or a match-all Layer 3 class map, depending on whether you want the packets to meet all or any of the match criteria. By default, a Layer 3 class map is created if you do not enter the layer2 option with the class-map command. When you create a class map, you enter the class-map configuration mode.
3 Attach the policy-map to the interface.
Dell Networking OS supports different types of match qualifiers to classify the incoming traffic. Match qualifiers can be configured directly in the class-map command, or they can be specified through one or more ACLs, which in turn specify the combination of match qualifiers. Until Release 9.3(0.0), support is available for classifying traffic based on the 6-bit DSCP field of the IPv4 packet.
By default, Dell Networking OS drops all the ‘RED’ or ‘violate’ packets. The following combinations of marking actions can be specified in the match sequence of the class-map command:
• set a new DSCP for the packet
• set the packet color as ‘yellow’
• set the packet color as ‘yellow’ and set a new DSCP for the packet
This marking action to set the color of the packet is allowed only on the ‘match-any’ logical operator of the class-map.
 seq 5 permit any ecn 0
class-map match-any ecn_0_cmap
 match ip access-group ecn_0 set-color yellow
!
policy-map-input ecn_0_pmap
 service-queue 0 class-map ecn_0_cmap
Applying this policy-map “ecn_0_pmap” will mark all the packets with ‘ecn == 0’ as yellow packets on queue 0 (the default queue).
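As an added example (not Dell Networking OS code or configuration from this guide), the following Python mirrors the classification described above: it splits the IPv4 TOS byte into DSCP and ECN, applies the page's drop-precedence rule for honored DSCP values, and then evaluates match-any class maps in order, so the pmap_dscp_40_50 and ecn_0_pmap examples can be traced packet by packet. The bodies of the dscp_40_ecn and dscp_50_ecn ACLs are not shown on the page and are assumed to permit any packet with that DSCP; the Acl, Match, ClassMap, classify and tos_byte names are the example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

YELLOW_DP = (0b100, 0b101, 0b110)  # low-order DSCP bit patterns the page maps to yellow


def split_tos(tos: int) -> Tuple[int, int]:
    """IPv4 TOS byte -> (dscp, ecn): DSCP is the upper 6 bits, ECN the lower 2."""
    if not 0 <= tos <= 0xFF:
        raise ValueError("TOS must be a single byte")
    return tos >> 2, tos & 0b11


def default_color(dscp: int, honor_dscp: bool = True) -> str:
    """Drop precedence a packet carries before any class-map acts on it.

    Page rule: when DSCP is honored on ingress, the three low-order bits of the
    DSCP select the drop precedence (100, 101 and 110 -> yellow, else green);
    when DSCP is not honored everything starts green.
    """
    if not honor_dscp:
        return "green"
    return "yellow" if (dscp & 0b111) in YELLOW_DP else "green"


@dataclass(frozen=True)
class Acl:
    """One 'permit any dscp X ecn Y' style entry; None means 'any'."""
    name: str
    dscp: Optional[int] = None
    ecn: Optional[int] = None

    def permits(self, dscp: int, ecn: int) -> bool:
        return (self.dscp is None or self.dscp == dscp) and (self.ecn is None or self.ecn == ecn)


@dataclass(frozen=True)
class Match:
    acl: Acl
    set_color: Optional[str] = None  # 'match ip access-group <acl> set-color yellow'


@dataclass(frozen=True)
class ClassMap:
    name: str
    matches: Tuple[Match, ...]  # match-any: the first match sequence that permits wins


def classify(policy: List[Tuple[int, ClassMap]], tos: int,
             honor_dscp: bool = True) -> Tuple[int, Optional[str], str]:
    """Return (service queue, class-map name or None, drop-precedence color).

    `policy` is an ordered list of (queue, class-map) pairs, mirroring
    'service-queue N class-map NAME'; unmatched traffic goes to queue 0.
    """
    dscp, ecn = split_tos(tos)
    color = default_color(dscp, honor_dscp)
    for queue, cmap in policy:
        for m in cmap.matches:
            if m.acl.permits(dscp, ecn):
                return queue, cmap.name, (m.set_color or color)
    return 0, None, color


def tos_byte(dscp: int, ecn: int) -> int:
    """Compose a TOS byte from DSCP and ECN (helper for constructed test packets)."""
    return (dscp << 2) | ecn


# Constructed rendering of the page's pmap_dscp_40_50 example.  The dscp_40_ecn
# and dscp_50_ecn ACL bodies are not on the page; assumed 'permit any dscp N'.
DSCP_40_NON_ECN = Acl("dscp_40_non_ecn", dscp=40, ecn=0)
DSCP_50_NON_ECN = Acl("dscp_50_non_ecn", dscp=50, ecn=0)
DSCP_40_ECN = Acl("dscp_40_ecn", dscp=40)
DSCP_50_ECN = Acl("dscp_50_ecn", dscp=50)

PMAP_DSCP_40_50 = [
    (2, ClassMap("class_dscp_40", (Match(DSCP_40_NON_ECN, "yellow"), Match(DSCP_40_ECN)))),
    (3, ClassMap("class_dscp_50", (Match(DSCP_50_NON_ECN, "yellow"), Match(DSCP_50_ECN)))),
]

# The page's ecn_0_pmap: every non-ECN-capable packet becomes yellow on queue 0.
ECN_0_PMAP = [(0, ClassMap("ecn_0_cmap", (Match(Acl("ecn_0", ecn=0), "yellow"),)))]
```

Running classify over the same DSCP with ecn 0 and with ecn 2 shows the effect of the two match sequences: the non-ECN packet is recolored yellow, while the ECN-capable packet lands in the same queue keeping the color its DSCP bits gave it.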
40 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances, or hop counts, to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
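To make the distance-vector behaviour concrete, here is an added Python model (not Dell Networking OS code) of a small RIP routing table: received metrics are incremented by one hop, 16 means unreachable, and the administrative distance (0 for connected, 120 for RIP by default, as this chapter states) decides between a connected and a learned route to the same prefix. The RipTable and Route names, the withdraw-on-16 handling and the tie-break order are the example's own choices.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

RIP_INFINITY = 16        # a metric of 16 means "unreachable" (page: metric range 0..16)
RIP_DISTANCE = 120       # default administrative distance of RIP-learned routes (page)
CONNECTED_DISTANCE = 0   # directly connected networks


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: Optional[str]  # None for a directly connected network
    interface: str
    distance: int
    metric: int
    source: str              # "C" connected, "R" RIP, as in show ip route


class RipTable:
    def __init__(self) -> None:
        self.routes: Dict[str, Route] = {}

    def add_connected(self, prefix: str, interface: str) -> None:
        self.routes[prefix] = Route(prefix, None, interface, CONNECTED_DISTANCE, 0, "C")

    def receive_update(self, neighbor: str, interface: str,
                       advertised: Dict[str, int]) -> List[str]:
        """Process one RIP response ({prefix: metric}) from `neighbor`.

        Each advertised metric is incremented by one hop.  A result of 16 or
        more withdraws the route if it was learned from that neighbor.
        Returns the prefixes whose entry changed.
        """
        changed: List[str] = []
        for prefix, metric in advertised.items():
            if not 0 <= metric <= RIP_INFINITY:
                raise ValueError(f"metric {metric} out of range for {prefix}")
            new_metric = min(metric + 1, RIP_INFINITY)
            current = self.routes.get(prefix)
            if new_metric >= RIP_INFINITY:
                if current and current.source == "R" and current.next_hop == neighbor:
                    del self.routes[prefix]
                    changed.append(prefix)
                continue
            candidate = Route(prefix, neighbor, interface, RIP_DISTANCE, new_metric, "R")
            if current is None or self._prefer(candidate, current):
                if candidate != current:
                    self.routes[prefix] = candidate
                    changed.append(prefix)
        return changed

    @staticmethod
    def _prefer(new: Route, old: Route) -> bool:
        if new.distance != old.distance:
            return new.distance < old.distance   # e.g. connected (0) beats RIP (120)
        if new.next_hop == old.next_hop:
            return True                          # refresh from the current next hop
        return new.metric < old.metric           # otherwise fewer hops wins

    def show(self) -> List[str]:
        """Render the table in the 'C/R prefix via/Direct, interface distance/metric' style."""
        lines = []
        for r in sorted(self.routes.values(), key=lambda r: r.prefix):
            via = "Direct" if r.next_hop is None else f"via {r.next_hop}"
            lines.append(f"{r.source} {r.prefix} {via}, {r.interface} {r.distance}/{r.metric}")
        return lines
```

Because RIP carries no notion of who is allowed to advertise a prefix, the same code path that installs a legitimate neighbor's route will install any neighbor's; the administrative distance protects only the connected prefixes, which is why a connected network is never displaced in the model even when a neighbor advertises it at metric 0.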
Implementation Information Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell Networking OS. Table 58.
CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information. ROUTER RIP mode network ip-address Examples of Verifying RIP is Enabled and Viewing RIP Routes After designating networks with which the system is to exchange RIP information, ensure that all devices on that network are configured to exchange RIP information. The Dell Networking OS default is to send RIPv1 and to receive RIPv1 and RIPv2.
Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes. Assign IP addresses to interfaces that are part of the same subnet as the RIP network identified in the network command syntax.
To add routes from other routing instances or protocols, use the following commands.
• Include directly connected or user-configured (static) routes in RIP.
ROUTER RIP mode
redistribute {connected | static} [metric metric-value] [route-map map-name]
• metric-value: the range is from 0 to 16.
• map-name: the name of a configured route map.
• Include IS-IS routes in RIP.
The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface () participating in the RIP process is also set to send and receive RIPv2 (shown in bold). To view the routing protocols configuration, use the show ip protocols command in EXEC mode.
• Specify the generation of a default route in RIP.
ROUTER RIP mode
default-information originate [always] [metric value] [route-map route-map-name]
• always: enter the keyword always to always generate a default route.
• value: the range is from 1 to 16.
• route-map-name: the name of a configured route map.
To confirm that the default route configuration is completed, use the show config command in ROUTER RIP mode.
• prefix-list-name: the name of an established prefix list to determine which incoming routes are modified.
• offset: the range is from 0 to 16.
• interface: the type, slot, and number of an interface.
To view the configuration changes, use the show config command in ROUTER RIP mode.
Debugging RIP
The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command.
RIP Configuration on Core2
The following example shows how to configure RIPv2 on a host named Core2.
Example of Configuring RIPv2 on Core 2
Core2(conf-if-gi-2/3)#
Core2(conf-if-gi-2/3)#router rip
Core2(conf-router_rip)#ver 2
Core2(conf-router_rip)#network 10.200.10.0
Core2(conf-router_rip)#network 10.300.10.0
Core2(conf-router_rip)#network 10.11.10.0
Core2(conf-router_rip)#network 10.11.20.0
Core2(conf-router_rip)#show config
!
router rip
 network 10.0.0.
C    10.11.10.0/24     Direct, Gi 2/11            0/0      00:02:26
C    10.11.20.0/24     Direct, Gi 2/3             0/0      00:02:02
R    10.11.30.0/24     via 10.11.20.1, Gi 2/3     120/1    00:01:20
C    10.200.10.0/24    Direct, Gi 2/4             0/0      00:03:03
C    10.300.10.0/24    Direct, Gi 2/5             0/0      00:02:42
R    192.168.1.0/24    via 10.11.20.1, Gi 2/3     120/1    00:01:20
R    192.168.2.0/24    via 10.11.20.1, Gi 2/3     120/1    00:01:20
Core2#
R    192.168.1.0/24    via 10.11.20.1, Gi 2/3
R    192.168.2.0/24    via 10.11.20.
Core 3 RIP Output
The examples in this section show the core 2 RIP output.
• To display the Core 3 RIP database, use the show ip rip database command.
• To display the Core 3 RIP setup, use the show ip route command.
• To display the Core 3 RIP activity, use the show ip protocols command.
Examples of the show ip Commands to View Learned RIP Routes on Core 3
The following example shows the show ip rip database command to view the learned RIP routes on Core 3.
Interface                 Send  Recv
GigabitEthernet 3/21      2     2
GigabitEthernet 3/11      2     2
GigabitEthernet 3/24      2     2
GigabitEthernet 3/23      2     2
Routing for Networks:
  10.11.20.0
  10.11.30.0
  192.168.2.0
  192.168.1.0
Routing Information Sources:
  Gateway        Distance   Last Update
  10.11.20.2     120        00:00:22
Distance: (default is 120)
Core3#
RIP Configuration Summary
Examples of Viewing RIP Configuration on Core 2 and Core 3
The following example shows viewing the RIP configuration on Core 2.
!
interface GigabitEthernet 2/1
 ip address 10.11.10.
!
router rip
 version 2
 network 10.11.20.0
 network 10.11.30.0
 network 192.168.1.0
 network 192.168.2.
41 Remote Monitoring (RMON)
RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facilities and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
• number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table.
• log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or logandtrap. The default is no log.
• trap community: (Optional) SNMP community string used for this trap.
• integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table.
• owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
• ownername: (Optional) records the name of the owner of the RMON group of statistics.
• buckets: (Optional) specifies the maximum number of buckets desired for the RMON collection history group of statistics.
42 Rapid Spanning Tree Protocol (RSTP)
The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP).
Protocol Overview
RSTP is a Layer 2 protocol — specified by IEEE 802.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology.
• Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, so avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs.
RSTP and VLT
Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP.
Enabling Rapid Spanning Tree Protocol Globally
Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology.
• Only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
To enable RSTP globally for all Layer 2 interfaces, use the following commands.
Figure 101. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
Dell#show spanning-tree rstp
Root Identifier has priority 32768, Address 0001.e801.cbb4
Root Bridge hello time 2, max age 20, forward delay 15, max hops 0
Bridge Identifier has priority 32768, Address 0001.e801.
Number of transitions to forwarding state 1
BPDU : sent 121, received 5
The port is not in the Edge port mode
Port 380 (GigabitEthernet 2/4) is designated Forwarding
Port path cost 20000, Port priority 128, Port Identifier 128.380
Designated root has priority 32768, address 0001.e801.cbb4
Designated bridge has priority 32768, address 0001.e801.cbb4
Designated port id is 128.
Table 60.
Enabling SNMP Traps for Root Elections and Topology Changes
To enable SNMP traps, use the following command.
• Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
snmp-server enable traps xstp
Modifying Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
bridge-priority priority-value
• priority-value: the range is from 0 to 65535. The lower the number assigned, the more likely this bridge becomes the root bridge. The default is 32768. Entries must be multiples of 4096.
Example of the bridge-priority Command
A console message appears when a new root bridge has been assigned. The following example shows the console message after the bridge-priority command is used to make R2 the root bridge (shown in bold).
shutdown
Dell(conf-if-gi-2/1)#
Configuring Fast Hellos for Link State Detection
To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed.
43 Software-Defined Networking (SDN) The Dell Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
44 Security This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
• Enable AAA accounting and create a record for monitoring the accounting function.
CONFIGURATION mode
aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+}
The variables are:
• system: sends accounting information of any other AAA configuration.
• exec: sends accounting information when a user has logged in to EXEC mode.
• command level: sends accounting of commands executed at the specified privilege level.
Configuring AAA Accounting for Terminal Lines To enable AAA accounting with a named method list for a specific terminal line (where com15 and execAcct are the method list names), use the following commands. • Configure AAA accounting for terminal lines.
Configuration Task List for AAA Authentication
The following sections provide the configuration tasks.
• Configuring AAA Authentication Login Methods
• Enabling AAA Authentication
• Enabling AAA Authentication - RADIUS
For a complete list of all commands related to login authentication, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
Configure Login Authentication for Terminal Lines
You can assign up to five authentication methods to a method list.
NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
You can create multiple method lists and assign them to different terminal lines.
Enabling AAA Authentication
To enable AAA authentication, use the following command.
• Enable AAA authentication.
CONFIGURATION mode
aaa authentication enable {method-list-name | default} method1 [...
Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server. • TACACS+ — When using TACACS+, Dell Networking sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS server must have an entry for username $enable$.
• Privilege level 1 — is the default level for EXEC mode. At this level, you can interact with the router, for example, view some show commands and Telnet and ping to test connectivity, but you cannot configure the router. This level is often called the “user” level. One of the commands available in Privilege level 1 is the enable command, which you can use to enter a specific privilege level.
• Privilege level 0 — contains only the end, enable, and disable commands.
Configuring the Enable Password Command To configure Dell Networking OS, use the enable command to enter EXEC Privilege level 15. After entering the command, Dell Networking OS requests that you enter a password. Privilege levels are not assigned to passwords, rather passwords are assigned to a privilege level. You can always change a password for any privilege level. To change to a different privilege level, enter the enable command, then the privilege level.
CONFIGURATION mode
enable password [level level] [encryption-type] password
Configure the optional and required parameters:
• level level: specify a level from 0 to 15. Level 15 includes all levels.
• encryption-type: enter 0 for plain text or 7 for encrypted text.
• password: enter a string up to 32 characters long.
To change only the password for the enable command, configure only the password parameter.
3 Configure level and commands for a mode or reset a command’s level.
Escape character is '^]'.
• level-number: the level-number you wish to set. If you enter disable without a level-number, your security level is 1.
RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
ACL Configuration Information
The RADIUS server can specify an ACL. If an ACL is configured on the RADIUS server, and if that ACL is present, the user may be allowed access based on that ACL. If the ACL is absent, authorization fails, and a message is logged indicating this. RADIUS can specify an ACL for the user if both of the following are true:
• If an ACL is absent.
• If there is a very long delay for an entry, or a denied entry because of an ACL, and a message is logged.
Defining a AAA Method List to be Used for RADIUS To configure RADIUS to authenticate or authorize users on the system, create a AAA method list. Default method lists do not need to be explicitly applied to the line, so they are not mandatory. To create a method list, use the following commands. • Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the RADIUS authentication method.
• retransmit retries: the range is from 0 to 100. The default is 3.
• timeout seconds: the range is from 0 to 1000. The default is 5 seconds.
• key [encryption-type] key: enter 0 for plain text or 7 for encrypted text, and a string for the key. The key can be up to 42 characters long. This key must match the key configured on the RADIUS server host.
If you do not configure these optional parameters, the global default values for all RADIUS hosts are applied.
Monitoring RADIUS
To view information on RADIUS transactions, use the following command.
• View RADIUS transactions to troubleshoot problems.
EXEC Privilege mode
debug radius
TACACS+
Dell Networking OS supports a terminal access controller access control system (TACACS+) client, including support for login authentication.
Configuration Task List for TACACS+
The following list includes the configuration tasks for TACACS+ functions.
login authentication {method-list-name | default}
Example of a Failed Authentication
To view the configuration, use the show config command in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, Dell Networking OS employs the second method (or third method, if necessary) automatically. For example, if the TACACS+ server is reachable, but the server key is invalid, Dell Networking OS proceeds to the next authentication method.
closes the Telnet session immediately. The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt.
If rejected by the AAA server, the command is not added to the running config, and a message displays:
04:07:48: %RPM0-P:CP %SEC-3-SEC_AUTHORIZATION_FAIL: Authorization failure Command authorization failed for user (denyall) on vty0 ( 10.11.9.209 )
Certain TACACS+ servers do not authenticate the device if you use the aaa authorization commands level default local tacacs+ command. To resolve the issue, use the aaa authorization commands level default tacacs+ local command.
RSA Authentication : disabled.
Vty   Encryption   HMAC   Remote IP
Dell(conf)#
To disable SSH server functions, use the no ip ssh server enable command.
Using SCP with SSH to Copy a Software Image
To use secure copy (SCP) to copy a software image through an SSH connection from one switch to another, use the following commands.
1 On Switch 1, set the SSH port number (port 22 by default).
CONFIGURATION mode
ip ssh server port number
2 On Switch 1, enable SSH.
User name to login remote host: admin
Password to login remote host:
Removing the RSA Host Keys and Zeroizing Storage
Use the crypto key zeroize rsa command to delete the host key pairs, both the public and private key information, for RSA 1 and/or RSA 2 types. Note that when FIPS mode is enabled there is no RSA 1 key pair. Any memory currently holding these keys is zeroized (written over with zeroes) and the NVRAM location where the keys are stored for persistence across reboots is also zeroized.
• diffie-hellman-group1-sha1
• diffie-hellman-group14-sha1
When FIPS is enabled, the default is diffie-hellman-group14-sha1.
Example of Configuring a Key Exchange Algorithm
The following example shows you how to configure a key exchange algorithm.
• hmac-md5-96
• hmac-sha1
• hmac-sha1-96
• hmac-sha2-256
The default list of HMAC algorithms is in the following order:
• hmac-sha2-256
• hmac-sha1
• hmac-sha1-96
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithms are hmac-sha2-256, hmac-sha1, hmac-sha1-96.
Example of Configuring an HMAC Algorithm
The following example shows you how to configure an HMAC algorithm list.
The following ciphers are available.
• 3des-cbc
• aes128-cbc
• aes192-cbc
• aes256-cbc
• aes128-ctr
• aes192-ctr
• aes256-ctr
The default cipher list is in the given order: aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc.
Example of Configuring a Cipher List
The following example shows you how to configure a cipher list.
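The algorithm lists above can be checked mechanically. The following Python audit, added here and not part of the guide or of Dell Networking OS, takes key-exchange, HMAC and cipher lists (the page's lists are embedded as constructed input), flags entries a hardening review would question, and returns the remaining entries in their original order as a candidate configured list. The weakness reasons are general SSH hardening judgements rather than claims made by the page; audit_list, audit_ssh_config and render_report are the example's own names.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Algorithm names exactly as this chapter lists them for the SSH server.
PAGE_KEX = ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]
PAGE_HMAC_DEFAULT = ["hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]
PAGE_CIPHER_DEFAULT = ["aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc",
                       "aes128-ctr", "aes128-cbc", "3des-cbc"]

# General SSH hardening judgements (the example's own, not statements by the page).
WEAK_REASONS: Dict[str, str] = {
    "diffie-hellman-group1-sha1": "1024-bit MODP group, too small for continued use",
    "hmac-md5": "MD5-based MAC, deprecated",
    "hmac-md5-96": "truncated MD5-based MAC, deprecated",
    "hmac-sha1-96": "truncated SHA-1 MAC, prefer SHA-2",
    "hmac-sha1": "SHA-1 MAC, prefer SHA-2",
    "3des-cbc": "legacy 64-bit block cipher in CBC mode",
}


def weakness(name: str) -> Optional[str]:
    """Reason an algorithm should not be offered, or None if it is acceptable."""
    if name in WEAK_REASONS:
        return WEAK_REASONS[name]
    if name.endswith("-cbc"):
        return "CBC mode, prefer a CTR mode"
    return None


@dataclass
class AuditResult:
    weak: Dict[str, str]     # flagged algorithm -> reason
    recommended: List[str]   # the list with flagged entries removed, order preserved
    first_choice_weak: bool  # the server's most preferred entry is a flagged one


def audit_list(configured: List[str]) -> AuditResult:
    """Split one negotiable list into acceptable entries and flagged ones."""
    weak: Dict[str, str] = {}
    recommended: List[str] = []
    for name in configured:
        reason = weakness(name)
        if reason is None:
            recommended.append(name)
        else:
            weak[name] = reason
    first_weak = bool(configured) and weakness(configured[0]) is not None
    return AuditResult(weak, recommended, first_weak)


def audit_ssh_config(kex: List[str], macs: List[str],
                     ciphers: List[str]) -> Dict[str, AuditResult]:
    """Audit the three negotiable lists together; keys are 'kex', 'mac', 'cipher'."""
    return {"kex": audit_list(kex), "mac": audit_list(macs), "cipher": audit_list(ciphers)}


def render_report(results: Dict[str, AuditResult]) -> str:
    """Human-readable summary, one section per list."""
    lines = []
    for kind, res in results.items():
        lines.append(f"[{kind}] keep: {', '.join(res.recommended) or '(none)'}")
        for name, reason in res.weak.items():
            lines.append(f"  drop {name}: {reason}")
        if res.first_choice_weak:
            lines.append(f"  note: the first-preference {kind} algorithm is flagged")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit_ssh_config(PAGE_KEX, PAGE_HMAC_DEFAULT, PAGE_CIPHER_DEFAULT)))
```

Run against the page's own defaults, the audit keeps the three CTR ciphers, only hmac-sha2-256, and only diffie-hellman-group14-sha1; whatever is kept should then be entered in the order the server is meant to prefer, since the default lists above show that order matters to the negotiation.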
Using RSA Authentication of SSH
The following procedure authenticates an SSH client based on an RSA key using RSA authentication. This method uses SSH version 2.
1 On the SSH client (Unix machine), generate an RSA key, as shown in the following example.
2 Copy the public key id_rsa.pub to the Dell Networking system.
3 Disable password authentication if enabled.
CONFIGURATION mode
no ip ssh password-authentication enable
4 Enable RSA authentication in SSH.
ip ssh pub-key-file flash://filename
or
ip ssh rhostsfile flash://filename
Examples of Creating shosts and rhosts
The following example shows creating shosts.
admin@Unix_client# cd /etc/ssh
admin@Unix_client# ls
moduli  sshd_config  ssh_host_dsa_key.pub  ssh_host_key.pub  ssh_host_rsa_key.pub  ssh_config  ssh_host_dsa_key  ssh_host_key  ssh_host_rsa_key
admin@Unix_client# cat ssh_host_rsa_key.
If the IP address in the RSA key does not match the IP address from which you attempt to log in, the following message appears. In this case, verify that the name and IP address of the client are contained in the file /etc/hosts:
RSA Authentication Error.
Telnet
To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config.
them from the VTY line with a deny-all access class. After users identify themselves, Dell Networking OS retrieves the access class from the local database and applies it. (Dell Networking OS then can close the connection if a user is denied access.) NOTE: If a VTY user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server only if you configure RADIUS authentication. The following example shows how to allow or deny a Telnet connection to a user.
Dell(config-line-vty)#access-class sourcemac
Dell(config-line-vty)#end
Role-Based Access Control
With Role-Based Access Control (RBAC), access and authorization are controlled based on a user’s role. Users are granted permissions based on their user roles, not on their individual user ID. User roles are created for job functions, and through those roles users acquire the permissions to perform their associated job function.
NOTE: When you enter a user role, you have already been authenticated and authorized. You do not need to enter an enable password because you will be automatically placed in EXEC Priv mode. For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs.
 login authentication test
 authorization exec test
 exec-timeout 0 0
line vty 0
 login authentication test
 authorization exec test
line vty 1
 login authentication test
 authorization exec test
To enable role-based only AAA authorization:
Dell(conf)#aaa authorization role-only
System-Defined RBAC User Roles
By default, the Dell Networking OS provides 4 system-defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system-defined roles.
permissions from scratch. You then restrict commands or add commands to that role. For more information about this topic, see Modifying Command Permissions for Roles.
NOTE: You can change user role permissions on system pre-defined user roles or user-defined user roles.
Important Points to Remember
Consider the following when creating a user role:
• Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names.
When you modify a command for a role, you specify the role, the mode, and whether you want to restrict access using the deleterole keyword or grant access using the addrole keyword, followed by the command to which you are controlling access. For information about how to create new roles, see also Creating a New User Role. The following output displays the modes available for the role command.
The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
This section contains the following AAA Authentication and Authorization for Roles configuration tasks:
• Configuring AAA Authentication for Roles
• Configuring AAA Authorization for Roles
• Configuring TACACS+ and RADIUS VSA Attributes for RBAC
Configure AAA Authentication for Roles
Authentication services verify the user ID and password combination. Users with defined roles and users with privileges are authenticated with the same mechanism.
aaa authorization exec ucraaa tacacs+ radius local
aaa accounting commands role netadmin ucraaa start-stop tacacs+
!
The following configuration example applies a method list other than default to each VTY line.
NOTE: The methods were not applied to the console, so the default methods (if configured) are applied there.
The following example configures an AV pair which allows a user to log in from a network access server with a privilege level of 15 and have access to EXEC commands. The format of a Dell Networking OS AV pair for privilege level is shell:priv-lvl=number, where number is a value between 0 and 15.
The following example applies the accounting default method to the user role secadmin (security administrator).
Dell(conf-vty-0)# accounting commands role secadmin default
Displaying Active Accounting Sessions for Roles
To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
line        Line Configuration mode
route-map   Route map configuration mode
router      Router configuration mode
Dell#show role mode configure username
Role access: sysadmin
Dell#show role mode configure password-attributes
Role access: secadmin,sysadmin
Dell#show role mode configure interface
Role access: netadmin, sysadmin
Dell#show role mode configure line
Role access: netadmin,sysadmin
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, using the
45 Service Provider Bridging
Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS.
VLAN Stacking
VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 102. VLAN Stacking in a Service Provider Network
Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
3 Enabling VLAN-Stacking for a VLAN.
Related Configuration Tasks
• Configuring the Protocol Type Value for the Outer VLAN Tag
• Configuring Dell Networking OS Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
vlan-stack compatible
Example of Viewing VLAN Stack Member Status
To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLAN-Stacking-enabled VLAN are marked with an M in column Q.
Dell(conf-if-gi-1/1)#vlan-stack trunk
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 no ip address
 portmode hybrid
 switchport
 vlan-stack trunk
 shutdown
Dell(conf-if-gi-1/1)#interface vlan 100
Dell(conf-if-vl-100)#untagged gigabitethernet 1/1
Dell(conf-if-vl-100)#interface vlan 101
Dell(conf-if-vl-101)#tagged gigabitethernet 1/1
Dell(conf-if-vl-101)#interface vlan 103
Dell(conf-if-vl-103)#vlan-stack compatible
Dell(conf-if-vl-103-stack)#member gigabitethernet 1/1
Dell(conf-if-vl-103-stack)#
If the next-hop system’s TPID does not match the outer-tag TPID of the incoming frame, the system drops the frame. For example, as shown in the following, the frame originating from Building A is tagged VLAN RED, and then double-tagged VLAN PURPLE on egress at R4. The TPID on the outer tag is 0x9100. R2’s TPID must also be 0x9100, and it is, so R2 forwards the frame.
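The outer-tag rule above, as an added Python example that is not part of this guide or of Dell Networking OS: it parses the VLAN tag stack of a raw Ethernet frame and applies the drop-on-mismatch rule of a vlan-stack trunk port. The VLAN IDs (RED as C-VLAN 100, PURPLE as S-VLAN 200), the MAC addresses and the payload are constructed test data, and the version-dependent single-tag behaviours of Table 62 are deliberately not modelled; only the rule stated in the text is.

```python
"""Outer-tag TPID check for a VLAN-stacked (Q-in-Q) trunk port.

Added illustration, not Dell Networking OS code. It parses the VLAN tag
stack of an Ethernet frame and applies the rule stated in the text: a frame
whose outer TPID differs from the receiving system's configured TPID is
dropped. All frames below are constructed test data.
"""
import struct

# Ethertypes that start a VLAN tag: 802.1Q, 802.1ad (S-tag) and the legacy
# 0x9100 value used in the example in the text.
TAG_TPIDS = {0x8100, 0x88A8, 0x9100}


def parse_tags(frame):
    """Return (dst, src, tags, ethertype, payload).

    tags is a list of (tpid, pcp, dei, vid) tuples, outermost first.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    tags = []
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        ethertype = struct.unpack_from("!H", frame, off)[0]
        if ethertype not in TAG_TPIDS:
            break
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append((ethertype, tci >> 13, (tci >> 12) & 1, tci & 0x0FFF))
        off += 4
    return dst, src, tags, ethertype, frame[off + 2:]


def trunk_decision(frame, system_tpid):
    """Apply the outer-TPID rule of a vlan-stack trunk port.

    Returns ("forward", s_vid, c_vid) or ("drop", reason, None).
    """
    _, _, tags, _, _ = parse_tags(frame)
    if not tags:
        return ("drop", "no outer tag on a vlan-stack trunk", None)
    outer_tpid, _, _, s_vid = tags[0]
    if outer_tpid != system_tpid:
        return ("drop",
                "outer TPID 0x%04x does not match system TPID 0x%04x"
                % (outer_tpid, system_tpid), None)
    c_vid = tags[1][3] if len(tags) > 1 else None
    return ("forward", s_vid, c_vid)


def build_frame(tags, ethertype=0x0800, payload=b"\x45" + b"\x00" * 19):
    """Build a constructed test frame; tags is [(tpid, vid), ...], outermost first."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for tpid, vid in tags:
        hdr += struct.pack("!HH", tpid, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed example matching the text: C-tag RED (assumed VID 100) added in
# Building A, S-tag PURPLE (assumed VID 200) with TPID 0x9100 added at R4.
RED_CVID, PURPLE_SVID = 100, 200
DOUBLE_TAGGED = build_frame([(0x9100, PURPLE_SVID), (0x8100, RED_CVID)])
SINGLE_TAGGED = build_frame([(0x8100, RED_CVID)])

if __name__ == "__main__":
    # R2 configured with TPID 0x9100 forwards; a neighbour set to 0x88A8 drops.
    print(trunk_decision(DOUBLE_TAGGED, 0x9100))   # ('forward', 200, 100)
    print(trunk_decision(DOUBLE_TAGGED, 0x88A8))   # drop, TPID mismatch
    print(trunk_decision(SINGLE_TAGGED, 0x9100))   # drop, outer tag is 0x8100
```

The check is intentionally strict: a frame that arrives with a customer 0x8100 tag on a trunk whose TPID is 0x9100 is reported as a mismatch rather than being silently treated as untagged, which is the behaviour to confirm against Table 62 for the release in use.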
Figure 103.
Figure 104.
Figure 105. Single and Double-Tag TPID Mismatch

The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series.

Table 62. Behaviors for Mismatched TPID
Network Position | Incoming Packet TPID | System TPID | Match Type | Pre-Version 8.2.1.0 | Version 8.2.1.x
Egress Access Point | | | | |
Precedence | Description
Green | High-priority packets that are the least preferred to be dropped.
Yellow | Lower-priority packets that are treated as best-effort.
Red | Lowest-priority packets that are always dropped (regardless of congestion status).

• Honor the incoming DEI value by mapping it to a Dell Networking OS drop precedence.
INTERFACE mode
dei honor {0 | 1} {green | red | yellow}
You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green.
Figure 106. Statically and Dynamically Assigned dot1p for VLAN Stacking

When configuring Dynamic Mode CoS, you have two options:
• Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking.
• Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
  rate-police 30
!
interface GigabitEthernet 1/21
 no ip address
 switchport
 vlan-stack access
 vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7
 service-policy input in layer2
 no shutdown

Mapping C-Tag to S-Tag dot1p Values
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands.
1 Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 107. VLAN Stacking without L2PT

You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 108. VLAN Stacking with L2PT

Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.

Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following commands.
1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile
2 Enable protocol tunneling globally on the system.
CONFIGURATION mode
protocol-tunnel enable
3 Tunnel BPDUs on the VLAN.
INTERFACE VLAN mode
protocol-tunnel stp

Specifying a Destination MAC Address for BPDUs
By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling
To debug Layer 2 protocol tunneling, use the following command.
• Display debugging information for L2PT.
EXEC Privilege mode
debug protocol-tunnel

Provider Backbone Bridging
IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
46 sFlow

sFlow is a standards-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
hardware sampling rate is backed off from 512 to 1024. Port 1 is unaffected because it maintains its configured sampling rate of 16384.
• If the interface state is up and the sampling rate is not configured on the port, the default sampling rate is calculated based on the line speed.
• If the interface state is shut down, the sampling rate is set using the global sampling rate.
Global default sampling rate: 32768
Global default counter polling interval: 20
Global default extended maximum header size: 128 bytes
Global extended information enabled: none
1 collectors configured
Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.
Egress Management Interface sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 86400
Global default extended maximum header size: 256 bytes
Global extended information enabled: none
1 collectors configured
Collector IP addr: 100.1.1.12, Agent IP addr: 100.1.1.
Global default sampling rate: 32768
Global default counter polling interval: 20
1 collectors configured
Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
UDP packets exported via RPM :0
UDP packets dropped :36

Specifying Collectors
The sflow collector command identifies the sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both.
• Identify sFlow collectors to which sFlow datagrams are forwarded.
• extended-switch — 802.1Q VLAN ID and 802.1p priority information.
• extended-router — Next-hop and source and destination mask length.
• extended-gateway — Source and destination AS number and the BGP next-hop.
NOTE: The entire AS path is not included. BGP community-list and local preference information are not included. These fields are assigned default values and are not interpreted by the collector.
• Enable extended sFlow.
Table 64. Extended Gateway Summary IP SA IP DA srcAS and srcPeerAS dstAS and dstPeerAS Description static/connected/IGP static/connected/IGP — — Extended gateway data is not exported because there is no AS information. static/connected/IGP BGP 0 Exported src_as and src_peer_as are zero because there is no AS information for IGP. BGP static/connected/IGP — — Exported Exported Prior to Dell Networking OS version 7.8.1.
47 Simple Network Management Protocol (SNMP)

The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention.
NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Implementation Information
The following describes SNMP implementation information.
• Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571.
• Dell Networking OS supports up to 16 trap receivers.
• The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via SNMP sets.
1 SNMPv3 authentication provides only the sha option when FIPS mode is enabled.
2 SNMPv3 privacy provides only the aes128 privacy option when FIPS mode is enabled.
3 If you attempt to enable or disable FIPS mode while any SNMPv3 users are configured, an error message is displayed stating that you must delete all of the SNMP users before changing the FIPS mode.
4 A message is logged indicating whether FIPS mode is enabled for SNMPv3.
Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security in Dell Networking OS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
snmp-server user name group-name 3 noauth
snmp-server user name group-name 3 auth md5 auth-password
• Configure an SNMP group (password privileges only).
CONFIGURATION mode
snmp-server group groupname 3 auth read name write name
• Configure an SNMPv3 view.
CONFIGURATION mode
snmp-server view view-name oid-tree {included | excluded}
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
The following example shows reading the values of many managed objects at one time.
> snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell Real Time Operating System Software
Dell Operating System Version: 1.0
Dell Application Software Version: E_MAIN4.9.4.0.0
Copyright (c) 1999-2014 by Dell
Build Time: Mon May 12 14:02:22 PDT 2008
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6027.1.3.
The default is None.
• (From a management station) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
snmpset -v version -c community agent-ip sysLocation.0 s "location-info"
You may use up to 55 characters. The default is None.

Subscribing to Managed Object Value Updates using SNMP
By default, the Dell Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions.
snmp linkdown
snmp linkup
SNMP_WARM_START: Agent Initialized - SNMP WARM_START.
PORT_LINKDN: changed interface state to down: %d
PORT_LINKUP: changed interface state to up: %d

Enabling a Subset of SNMP Traps
You can enable a subset of Dell Networking enterprise-specific SNMP traps using one of the following command options.
• Enable a subset of SNMP traps.
%SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 1/8 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Gi 1/8 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
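The root-election messages above are exactly what a monitoring pipeline should watch: a spanning-tree root that moves to a bridge nobody expected is the classic symptom of a rogue or misconfigured switch (the case STP root guard, described later in this guide, is meant to prevent). The following added Python example, which is not part of this guide or of Dell Networking OS, parses the SPANMGR lines quoted above and raises an alert for any election whose new root is outside an allow-list; the allow-list itself (0001.e801.fc35 as the only expected root) is an assumption made for the example.

```python
"""Detect unexpected spanning-tree root changes from Dell Networking OS syslog.

Added illustration, not Dell's code. The sample lines are the SPANMGR
messages quoted in the text; the expected-root allow-list is an assumption
for the example.
"""
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Dell's dotted-hex MAC form

STP_NEW_ROOT = re.compile(
    r"%SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority "
    r"(?P<prio>\d+), Address (?P<mac>" + MAC + r")")
MSTP_NEW_ROOT_PORT = re.compile(
    r"%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port (?P<port>\S+ \S+) "
    r"for instance (?P<inst>\d+)\..*New Root: (?P<prio>\d+):(?P<mac>" + MAC + r")")
TOPOLOGY_CHANGE = re.compile(
    r"%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port (?P<port>.+?) transitioned")

# The four messages quoted in the text, used here as constructed sample input.
SAMPLE_LOG = """\
%SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35.
%SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port GigabitEthernet 1/8 transitioned from Forwarding to Blocking state.
%SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0.
%SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Gi 1/8 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
"""


def analyze(lines, expected_roots):
    """Return (alerts, topology_changes).

    alerts holds one dict per root election whose bridge address is not in
    expected_roots; topology_changes counts STP_TOPOLOGY_CHANGE messages.
    """
    alerts = []
    topology_changes = 0
    for line in lines:
        m = STP_NEW_ROOT.search(line)
        if m:
            if m["mac"] not in expected_roots:
                alerts.append({"kind": "stp-root", "mac": m["mac"],
                               "priority": int(m["prio"]), "port": None})
            continue
        m = MSTP_NEW_ROOT_PORT.search(line)
        if m:
            if m["mac"] not in expected_roots:
                alerts.append({"kind": "mstp-root", "mac": m["mac"],
                               "priority": int(m["prio"]), "port": m["port"],
                               "instance": int(m["inst"])})
            continue
        if TOPOLOGY_CHANGE.search(line):
            topology_changes += 1
    return alerts, topology_changes


def analyze_sample():
    """Run the detector over the sample with 0001.e801.fc35 as the only expected root."""
    return analyze(SAMPLE_LOG.splitlines(), {"0001.e801.fc35"})


if __name__ == "__main__":
    alerts, tcns = analyze_sample()
    for a in alerts:
        print("ALERT: %s moved to %s (priority %d) via port %s"
              % (a["kind"], a["mac"], a["priority"], a["port"]))
    print("topology changes seen:", tcns)
```

In the sample the first election (root 0001.e801.fc35) is expected and produces nothing, while the MSTP message shows the root moving to 00d0.038a.2c01 with a better priority (32768 versus 40960) through Gi 1/8, which is the event to alert on.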
To enable an SNMP agent to send a trap when the syslog server resumes connectivity, enter the following command:
CONFIGURATION mode
snmp-server enable traps snmp syslog-reachable

Table 66. List of Syslog Server MIBs that have read access
MIB Object | OID | Object Values | Description
dF10SysLogTraps | 1.3.6.1.4.1.6027.3.30.1.1 | 1 = reachable, 2 = unreachable | Specifies whether the syslog server is reachable or unreachable.
copySrcFileLocation and copySrcFileName.

MIB Object | OID | Object Values | Description
copySrcFileLocation | .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 | 1 = flash, 2 = slot0, 3 = tftp, 4 = ftp, 5 = scp, 6 = usbflash | Specifies the location of the source file. If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword.
copySrcFileName | .1.3.6.1.4.1.6027.3.5.1.1.1.1.4 | |
copyDestFileType | .1.3.6.1.4.1.6027.3.5.1.1.1.1. | |
MIB Object | OID | Object Values | Description
copyUserPassword | .1.3.6.1.4.1.6027.3.5.1.1.1.1.10 | Password for the server. | Password for the FTP, TFTP, or SCP server.

Copying a Configuration File
To copy a configuration file, use the following commands.
NOTE: On UNIX, enter the snmpset command as shown in the following examples. Place the f10-copy-config.mib file in the directory from which you are executing the snmpset command or in the snmpset tool path.
Examples of Copying Configuration Files
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, a unique index number follows the object. Because these are SNMPv2c sets, the write community (private in this example) and any copyUserPassword value cross the network in cleartext; restrict the write community to trusted management stations or use SNMPv3 with authentication and privacy for this operation.
The following example shows copying configuration files using MIB object names.
> snmpset -v 2c -r 0 -t 60 -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.101 i 2 copyDestFileType.101 i 3
FTOS-COPY-CONFIG-MIB::copySrcFileType.
FTOS-COPY-CONFIG-MIB::copyServerAddress.110 = IpAddress: 11.11.11.11
FTOS-COPY-CONFIG-MIB::copyUserName.110 = STRING: mylogin
FTOS-COPY-CONFIG-MIB::copyUserPassword.110 = STRING: mypass
As the output shows, the copyUserPassword value is echoed back in the clear in the set response.

Copying the Startup-Config Files to the Server via TFTP
To copy the startup-config to the server via TFTP from the UNIX machine, use the following command.
NOTE: Verify that the file exists and its permissions are set to 777. Specify the relative path to the TFTP root directory.
MIB Object | OID | Values | Description
copyTimeCompleted | .1.3.6.1.4.1.6027.3.5.1.1.1.1.13 | Time value | Specifies the point in the uptime clock at which the copy operation completed.
copyFailCause | .1.3.6.1.4.1.6027.3.5.1.1.1.1.14 | 1 = bad filename, 2 = copy in progress, 3 = disk full, 4 = file exists, 5 = file not found, 6 = timeout, 7 = unknown | Specifies the reason the copy request failed.
copyEntryRowStatus | .1.3.6.1.4.1.6027.3.5.1.1.1.1.15 | Row status | Specifies the state of the copy operation.
MIB Support to Display the Available Memory Size on Flash
Dell Networking provides more MIB objects to display the available memory size on flash memory. The following table lists the MIB object that contains the available memory size on flash memory.

Table 69. MIB Objects for Displaying the Available Memory Size on Flash via SNMP
MIB Object | OID | Description
chStackUnitFlashUsageUtil | 1.3.6.1.4.1.6027.3.10.1.2.9.1.6 | Contains flash memory usage in percentage.
Viewing the Software Core Files Generated by the System
• To view the software core files generated by the system, use the following command.
snmpwalk -v2c -c public 192.168.60.120 .1.3.6.1.4.1.6027.3.10.1.2.10
enterprises.6027.3.10.1.2.10.1.1.1.1 = 1
enterprises.6027.3.10.1.2.10.1.1.1.2 = 2
enterprises.6027.3.10.1.2.10.1.1.1.3 = 3
enterprises.6027.3.10.1.2.10.1.1.2.1 = 1
enterprises.6027.3.10.1.2.10.1.2.1.1 = "/CORE_DUMP_DIR/flashmntr.core.gz"
enterprises.6027.3.10.1.2.10.1.2.1.
Vlan 10 is down, line protocol is down
Vlan alias name is: My VLAN
Address is 00:01:e8:cc:cc:ce, Current address is 00:01:e8:cc:cc:ce
Interface index is 1107787786
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed auto

Displaying the Ports in a VLAN
Dell Networking OS identifies VLAN interfaces using an interface index number that is displayed in the output of the show interface vlan command.
10 Inactive U Gi 1/2

[Unix system output]
> snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00

The value 40 is in the first set of 7 hex pairs, indicating that these ports are in Stack Unit 1. The hex value 40 is 0100 0000 in binary. As described, the left-most position in the string represents Port 1.
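Decoding this Hex-STRING by hand does not scale to a 56-port stack member, so the following added Python example (not part of this guide or of Dell Networking OS) turns a Q-BRIDGE-MIB PortList into interface names and, by combining dot1qVlanStaticEgressPorts (the object queried above) with dot1qVlanStaticUntaggedPorts, separates tagged from untagged members. The 56-ports-per-unit layout is an assumption taken from the "first set of 7 hex pairs" sentence above; the value 40 00 ... is the one shown in the text and the other strings are constructed.

```python
"""Decode the dot1qVlanStaticEgressPorts / UntaggedPorts PortList bitmaps.

Added illustration, not Dell's code. The Hex-STRING in the text is read as
a Q-BRIDGE-MIB PortList: the left-most bit of the first octet is port 1 and
each stack unit occupies 7 octets (56 bits), as the text's "first set of 7
hex pairs" implies. The 56-ports-per-unit value is an assumption taken from
that sentence; the sample strings are the value shown in the text plus
constructed ones.
"""

PORTS_PER_UNIT = 56  # 7 octets per stack unit (assumption from the text)


def decode_portlist(hex_string, ports_per_unit=PORTS_PER_UNIT):
    """Return interface names ("Gi unit/port") for every set bit."""
    octets = bytes.fromhex(hex_string.replace(" ", ""))
    ports = []
    for index, octet in enumerate(octets):
        for bit in range(8):
            if octet & (0x80 >> bit):          # left-most bit is the lowest port
                absolute = index * 8 + bit     # zero-based port number in the stack
                unit = absolute // ports_per_unit + 1
                port = absolute % ports_per_unit + 1
                ports.append("Gi %d/%d" % (unit, port))
    return ports


def classify_vlan_ports(egress_hex, untagged_hex):
    """Split a VLAN's members into untagged and tagged ports.

    dot1qVlanStaticEgressPorts (.1.3.6.1.2.1.17.7.1.4.3.1.2, as queried in
    the text) lists every member; dot1qVlanStaticUntaggedPorts
    (.1.3.6.1.2.1.17.7.1.4.3.1.4) is the subset sent untagged. Members that
    are not in the untagged list are tagged.
    """
    egress = decode_portlist(egress_hex)
    untagged = set(decode_portlist(untagged_hex))
    return {"untagged": [p for p in egress if p in untagged],
            "tagged": [p for p in egress if p not in untagged]}


# Value returned for VLAN 10 in the text: 0x40 = 0100 0000, i.e. port 2 of unit 1.
VLAN10_EGRESS = "40 00 00 00 00 00 00 00 00 00 00"
VLAN10_UNTAGGED = "40 00 00 00 00 00 00 00 00 00 00"
# Constructed: unit 1 ports 1 and 2 plus unit 2 port 1 (octet 8, left-most bit).
MIXED_EGRESS = "C0 00 00 00 00 00 00 80 00 00 00"

if __name__ == "__main__":
    print(classify_vlan_ports(VLAN10_EGRESS, VLAN10_UNTAGGED))  # untagged Gi 1/2
    print(decode_portlist(MIXED_EGRESS))  # ['Gi 1/1', 'Gi 1/2', 'Gi 2/1']
```

The same decoder applies to any PortList-typed object in the bridge MIBs; only the ports_per_unit assumption is platform specific and should be checked against show vlan on the device before trusting the unit/port mapping.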
Managing Overload on Startup
If you are running IS-IS, you can set a specific amount of time to prevent ingress traffic from being received after a reload and allow the routing protocol upgrade process to complete. To prevent ingress traffic on a router while the IS-IS reload is in progress, use the following command.
• Set the amount of time after an IS-IS reload is performed before ingress traffic is allowed at startup.
Fetch Dynamic MAC Entries using SNMP
Dell Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs.
NOTE: The 802.1q Q-BRIDGE MIB defines VLANs in terms of 802.1d, as 802.1d itself does not define them. Because a switchport must belong to a VLAN (the default VLAN or a configured VLAN), all MAC addresses learned on a switchport are associated with a VLAN. For this reason, the Q-Bridge MIB is used for MAC address queries.
Example of Fetching MAC Addresses Learned on a Port-Channel Using SNMP Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
Table 72. MIB Objects for Viewing the System Image on Flash Partitions
MIB Object | OID | Description | MIB
chSysSwInPartitionAImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.11 | Lists the version string of the system image in Flash Partition A. | Chassis MIB
chSysSwInPartitionBImgVers | 1.3.6.1.4.1.6027.3.10.1.2.8.1.12 | Lists the version string of the system image in Flash Partition B. | Chassis MIB
Example of Viewing Changed Interface State for Monitored Ports
Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
SNMPv2-MIB::sysUpTime.0 = Timeticks: (8500842) 23:36:48.42
SNMPv2-MIB::snmpTrapOID.0 = OID: IF-MIB::linkDown
IF-MIB::ifIndex.33865785 = INTEGER: 33865785
SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_DN: Changed interface state Gi 1/1"
2010-02-10 14:22:39 10.16.130.4 [10.16.130.4]:
SNMPv2-MIB::sysUpTime.
10.11.226.121 (port: 9140) is not reachable"
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 2
The following is the sample audit log message that other syslog servers that are reachable receive:
Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE: Syslog server 10.11.226.121 (port: 9140) is not reachable
The following example shows the SNMP trap that is sent when connectivity to the syslog server is resumed:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10230) 0:01:42.30
SNMPv2-MIB::snmpTrapOID.
48 Stacking

Using the Dell Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 6 and it supports stacking up to six units.
• Switch insertion
• Switch removal
If the master switch goes off line, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby.

Stack Master Election
The stack elects a master and standby unit at bootup time based on two criteria.
• Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0.
To view failover details, use the show redundancy command. MAC Addressing on Stacks The stack has three MAC addresses: the chassis MAC, interface MAC, and null interface MAC. All interfaces in the stack use the interface MAC address of the management unit, and the chassis MAC for the stack is the master’s chassis MAC. The stack continues to use the master’s chassis MAC address even after a failover. The MAC address is not refreshed until the stack is reloaded and a different unit becomes the stack master.
3w1d14h: %STKUNIT1-M:CP %CHMGR-5-STACKUNITDETECTED: Stack unit 2 present
3w1d14h: %STKUNIT1-M:CP %CHMGR-5-CHECKIN: Checkin from Stack unit 2 (type , 52 ports)
3w1d14h: % %CHMGR-0-PS_UP: Power supply 0 in unit 2 is up
3w1d14h: %STKUNIT1-M:CP %CHMGR-5-STACKUNITUP: Stack unit 2 is up
Stack#show system brief
Stack MAC : 00:01:e8:d5:f9:6f
Reload-Type : normal-reload [Next boot : normal-reload]
-- Stack Info --
Unit UnitType Status ReqTyp CurTyp Version Ports
-------------------------------------------------------
Figure 109. Supported Stacking Topologies

High Availability on Stacks
Stacks have master and standby management units analogous to Dell Networking route processor modules (RPM). The master unit synchronizes the running configuration and protocol states so that the system fails over in the event of a hardware or software fault on the master unit. In such an event, or when the master unit is removed, the standby unit becomes the stack manager and Dell Networking OS elects a new standby unit.
Last failover Reason: None
Last failover type: None
-- Last Data Block Sync Record: --
------------------------------------------------
stack-unit Config: no block sync done
Start-up Config: no block sync done
Runtime Event Log: no block sync done
Running Config: no block sync done
ACL Mgr: no block sync done
LACP: no block sync done
STP: no block sync done
SPAN: no block sync done
Dell#

Management Access on Stacks
You can access the stack via the console port or VTY line.
• Each 10G data port is configured as a stacking port in predefined groups called stack-groups.
• When using the 40G ports, you can configure a single port as a stack port; each 40G port is a stack-group.
• The S3048–ON has one port assigned to each stack group.
Stack Group | Port
0 | 49
1 | 50
2 | 51
3 | 52
• Stacking on the device is accomplished through 10G SFP+ front-end user ports on the chassis.
• All stack units must have the same version of Dell Networking OS.
You can connect the units while they are powered down or up. Stacking ports are bi-directional. When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible. A similar check is performed on the Dell Networking OS version. Syslog messages are generated by the management unit:
• The syslog includes the unit number, previous version, and version being downloaded.
• When the firmware synchronization is complete.
To create a new stack, use the following commands.
1 Power up all units in the stack.
2 Verify that each unit has the same Dell Networking OS version prior to stacking them together.
EXEC Privilege mode
show version
3 Manually configure unit numbers for each unit, so that the stacking is deterministic upon boot up.
EXEC Privilege mode
stack-unit stack-unit-number renumber stack-unit-number
Renumbering causes the unit to reboot. The stack-unit default for all new units is stack-unit 1.
Dell(conf)#
Dell#02:39:18: %STKUNIT4-M:CP %SYS-5-CONFIG_I: Configured from console
Reload each unit in the stack. After the reload is complete, the four units come up as a stack with unit 1 as the management unit, unit 2 as the standby unit, and the remaining units as stack members. All units in the stack can be accessed from the management unit. To view the stack unit information after the reload, use the show system brief command.
Add Units to an Existing Stack You can add units to an existing stack in one of three ways. • By manually assigning a new unconfigured unit a position in an existing stack. • By adding a configured unit to an existing stack. • By merging two stacks.
5 Member not present
6 Member not present
The following example shows adding a stack unit with a conflicting stack number (after).
Dell Networking OS Behavior: When you add a switch to a stack • If you configure the new unit with a stack number that is already assigned to a stack member, the stack avoids a numbering conflict by assigning the new switch the first available stack number. • If the stack has been provisioned for the stack number that is assigned to the new unit, the pre-configured provisioning must match the switch type.
• Assign a stack-number to a unit.
EXEC Privilege mode
stack-unit old-unit-number renumber new-unit-number
Renumbering the stack manager triggers the whole stack to reload, as shown in the message below. When the stack comes back online, the master unit remains the management unit.
Dell#stack-unit 2 renumber 1
Renumbering master unit will reload the stack.
Hardware Rev : 0.0
Num Ports : 52
Up Time : 18 min, 28 sec
Dell Networking OS Version : 9.8(0.
3/52 3/56 3/60 0/56 0/60 40 40 40 up up up down up up

Influencing Management Unit Selection on a Stack
Stack priority is the system variable that Dell Networking OS uses to determine which units in the stack are the master and standby management units. If multiple units tie for highest priority, the unit with the highest MAC address prevails. If management were determined by priority only, a change in management would occur when:
• the management unit is powered down or a failover occurs.
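The election rules stated in Stack Master Election and just above (priority 1 to 14 with higher winning and 0 as the default, highest MAC address as the tie-breaker, standby promoted on master loss) are easy to get backwards, because the MAC tie-break runs the opposite way from STP, where the lowest bridge ID wins. The following added Python example, which is not part of this guide or of Dell Networking OS, models the election and a failover so the expected outcome for a planned stack can be checked before cabling it; the unit table is constructed.

```python
"""Stack master/standby election as described in the text.

Added illustration, not Dell Networking OS code. Criteria from the text:
unit priority 0-14 (1-14 configurable, higher wins, 0 is the default), then
the highest MAC address breaks ties; when the master leaves, the standby
becomes master and the next-best unit becomes standby. Unit data below is
constructed.
"""


def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff or aabb.ccdd.eeff into an integer for comparison."""
    digits = mac.replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return int(digits, 16)


def elect(units):
    """Return (master_id, standby_id) for a list of {"id", "priority", "mac"} dicts.

    Raises ValueError for a priority outside 0-14.
    """
    for u in units:
        if not 0 <= u["priority"] <= 14:
            raise ValueError("unit %s: priority %d out of range 0-14"
                             % (u["id"], u["priority"]))
    # Highest priority first; among equal priorities the highest MAC wins.
    ranked = sorted(units,
                    key=lambda u: (u["priority"], mac_to_int(u["mac"])),
                    reverse=True)
    master = ranked[0]["id"]
    standby = ranked[1]["id"] if len(ranked) > 1 else None
    return master, standby


def failover(units, failed_id):
    """Re-run the election without failed_id: the former standby takes over."""
    return elect([u for u in units if u["id"] != failed_id])


# Constructed four-unit stack: units 2 and 3 share the top priority, so the
# higher MAC (unit 3) becomes master; unit 1 keeps the default priority 0.
STACK = [
    {"id": 1, "priority": 0,  "mac": "00:01:e8:d5:f9:6f"},
    {"id": 2, "priority": 14, "mac": "00:01:e8:d5:f9:70"},
    {"id": 3, "priority": 14, "mac": "00:01:e8:d5:f9:a0"},
    {"id": 4, "priority": 5,  "mac": "00:01:e8:d5:f9:71"},
]

if __name__ == "__main__":
    print("boot election:", elect(STACK))        # (3, 2)
    print("after unit 3 fails:", failover(STACK, 3))  # (2, 4)
```

Giving the intended master a unique priority of 14 and the intended standby 13 removes the MAC tie-break from the picture, which is the deterministic arrangement this section recommends.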
To reset a unit on a stack, use the following commands.
• Reload a stack-unit.
EXEC Privilege mode
reset stack-unit unit-number
• Reload a member unit, from the unit itself.
EXEC Privilege mode
reset-self
• Reset a stack-unit when the unit is in a problem state.
EXEC Privilege mode
reset stack-unit unit-number {hard}

Verify a Stack Configuration
The LED status indicator on the front panel of each unit identifies the unit's role in the stack.
• Off indicates the unit is a stack member.
Memory Size Temperature Voltage Serial Number Part Number Vendor Id Date Code Country Code Piece Part ID PPID Revision Service Tag Expr Svc Code Auto Reboot Burned In MAC No Of MACs : : : : : : : : : : : : : : : 2127622144 bytes 34C ok NA Rev NA NA NA N/A N/A N/A 0 enabled 00:12:13:34:12:40 3 -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------------------3 1 up AC up 8032 3 2 absent absent 0 -- Fan Status -Unit Bay TrayStatus Fan1
Removing a Unit from a Stack The running-configuration and startup-configuration are synchronized on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit. You may do this at any time, whether the unit is powered or unpowered, online or offline.
reload
After the units are reloaded, the system reboots. The units come up as standalone units after the reboot completes.

Troubleshoot a Stack
To troubleshoot a stack, use the following recovery tasks.
• Recover from Stack Link Flaps
• Recover from a Card Problem State on a Stack

Recover from Stack Link Flaps
Stack link integrity monitoring enables units to monitor their own stack ports and disable any stack port that flaps five times within 10 seconds.
2 Member not present
3 Member not present
4 Member not present
5 Member not present
6 Member not present
7 Member not present
8 Member not present
9 Member not present
10 Member not present
11 Member not present
-- Power Supplies --
Unit Bay Status Type FanStatus
------------------------------------
0 0 down DC down
0 1 up DC up
1 0 absent absent
1 1 up AC up
-- Fan Status --
Unit Bay TrayStatus Fan0 Speed Fan1 Speed
--------------------------------------------
0 0 up up 9360 up 9360
0 1 up up 9600 up 9360
1 0
49 Storm Control

Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
Dell Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
• Configure the packets per second of broadcast traffic allowed on an interface (ingress only).
INTERFACE mode
storm-control broadcast packets_per_second in
• Configure the packets per second of multicast traffic allowed on an S-Series interface (ingress only).
INTERFACE mode
storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
50 Spanning Tree Protocol (STP)

The spanning tree protocol (STP) is supported on Dell Networking OS.
• Enabling Spanning Tree Protocol Globally

Related Configuration Tasks
• Adding an Interface to the Spanning Tree Group
• Modifying Global Parameters
• Modifying Interface STP Parameters
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless

Important Points to Remember
• STP is disabled by default.
Configuring Interfaces for Layer 2 Mode
All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled.

Figure 111. Example of Configuring Interfaces for Layer 2 Mode

To configure and enable the interfaces for Layer 2, use the following commands.
1 If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2 Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3 Enable the interface.
Example of the show config Command
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 no ip address
 switchport
 no shutdown
Dell(conf-if-gi-1/1)#

Enabling Spanning Tree Protocol Globally
Enable the spanning tree protocol globally; it is not enabled by default.
Examples of Verifying Spanning Tree Information To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
• Change the max-age parameter (the refresh interval for configuration information that is generated by recomputing the spanning tree topology). PROTOCOL SPANNING TREE mode max-age seconds The range is from 6 to 40. The default is 20 seconds. To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally.
• Enable PortFast on an interface. INTERFACE mode spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] Example of Verifying PortFast is Enabled on an Interface To verify that PortFast is enabled on a port, use the show spanning-tree command from EXEC Privilege mode or the show config command from INTERFACE mode. Dell Networking recommends using the show config command.
Figure 113. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. • drops the BPDU after it reaches the RP and generates a console message.
Interface             IP-Address  OK   Method  Status  Protocol
GigabitEthernet 1/7   unassigned  YES  Manual  up      up

Selecting STP Root
The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
Figure 114. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
• mstp: enables root guard on an MSTP-enabled port. • rstp: enables root guard on an RSTP-enabled port. • pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode. To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode.
As shown in STP topology 3 (bottom middle), after you enable loop guard on an STP port or port-channel on Switch C, if no BPDUs are received and the max-age timer expires, the port transitions from a blocked state to a Loop-Inconsistent state (instead of to a Forwarding state). Loop guard blocks the STP port so that no traffic is transmitted and no loop is created. As soon as a BPDU is received on an STP port in a Loop-Inconsistent state, the port returns to a blocking state.
• Multiple Spanning Tree Protocol (MSTP)
• Per-VLAN Spanning Tree Plus (PVST+)
• You cannot enable root guard and loop guard at the same time on an STP port. For example, if you configure loop guard on a port on which root guard is already configured, the following error message is displayed:
% Error: RootGuard is configured. Cannot configure LoopGuard.
51 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see the Dell Networking Open Automation Guide. Figure 116.
• Configuring SupportAssist Person • Configuring SupportAssist Server • Viewing SupportAssist Configuration Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry.
involve international transfers of data from you to Dell and/or to Dell's affiliates, subcontractors or business partners. When making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer} start now Dell#support-assist activity full-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
SUPPORTASSIST ACTIVITY mode action-manifest show {all} Dell(conf-supportassist-act-full-transfer)#action-manifest show all Dell(conf-supportassist-act-full-transfer)# 6 Enable a specific SupportAssist activity. SUPPORTASSIST ACTIVITY mode [no] enable Dell(conf-supportassist-act-full-transfer)#enable Dell(conf-supportassist-act-full-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
[no] contact-person [first ] last Dell(conf-supportassist)#contact-person first john last doe Dell(conf-supportassist-pers-john_doe)# 2 Configure the email addresses to reach the contact person. SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] Dell(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com Dell(conf-supportassist-pers-john_doe)# 3 Configure phone numbers of the contact person.
[no] enable Dell(conf-supportassist-serv-default)#enable Dell(conf-supportassist-serv-default)# 4 Configure the URL to reach the SupportAssist remote server. SUPPORTASSIST SERVER mode [no] url uniform-resource-locator Dell(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm Dell(conf-supportassist-serv-default)# Viewing SupportAssist Configuration To view the SupportAssist configurations, use the following commands.
show eula-consent {support-assist | other feature} Dell#show eula-consent SupportAssist EULA has been: Accepted Additional information about the SupportAssist EULA is as follows: By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
52 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. System times and dates can be set and maintained through NTP. They are also set through the Dell Networking Operating System (OS) command line interface (CLI) and hardware settings. The Dell Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell Networking OS to poll specific NTP time-serving hosts for the current time.
Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes. To specify multiple servers, enter the command multiple times. You may specify an unlimited number of servers at the expense of CPU resources. • Specify the NTP server to which the Dell Networking system synchronizes.
Disabling NTP on an Interface By default, NTP is enabled on all active interfaces. If you disable NTP on an interface, Dell Networking OS drops any NTP packets sent to that interface. To disable NTP on an interface, use the following command. • Disable NTP on the interface. INTERFACE mode ntp disable To view whether NTP is configured on the interface, use the show config command in INTERFACE mode. If ntp disable is not listed in the show config command output, NTP is enabled.
ntp authenticate
2 Set an authentication key.
CONFIGURATION mode
ntp authentication-key number md5 key
Configure the following parameters:
• number: the range is from 1 to 4294967295. This number must be the same as the number in the ntp trusted-key command.
• key: enter a text string. This text string is encrypted.
3 Define a trusted key.
CONFIGURATION mode
ntp trusted-key number
Configure a number from 1 to 4294967295.
rtdel - root delay
rtdsp - round trip dispersion
refid - reference id
org
rec - (last?) receive timestamp
xmt - transmit timestamp
mode - 3 client, 4 server
stratum - 1 primary reference clock, 2 secondary reference clock (via NTP)
version - NTP version 3
leap
NOTE:
• Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day.
Configuring a Custom-defined Period for NTP time Synchronization You can configure the system to send an audit log message to a syslog server if the time difference from the NTP server is greater than a threshold value (offset-threshold). However, time synchronization still occurs. To configure the offset-threshold, follow this procedure. • Specify the threshold time interval before which the system generates an NTP audit log message if the system time deviates from the NTP server.
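The NTP header fields listed above (leap, version, mode, stratum, rtdel, rtdsp, refid, org, rec, xmt), the offset-threshold audit just described, and the keyed MD5 authentication from the ntp authentication-key / ntp trusted-key steps, as an added example that is not Dell Networking OS code. The decoder follows the standard 48-byte NTP header layout; the server reply, the timestamps and the key are constructed for the example, the function names are hypothetical, and the threshold is assumed to be in seconds.

```python
# Added example: decode an NTP server reply, compute the clock offset, apply an
# offset-threshold audit, and verify a symmetric-key (key ID + MD5) MAC.
# Not Dell Networking OS code; sample packet, timestamps and key are constructed.
import hashlib
import hmac
import struct
from typing import Dict, NamedTuple, Optional

NTP_HEADER = "!BBBbIIIQQQQ"      # 48-byte header, network byte order
NTP_UNIX_DELTA = 2208988800      # seconds from 1900-01-01 to 1970-01-01
MODE_NAMES = {3: "client", 4: "server"}
LEAP_NAMES = {0: "no warning", 1: "last minute has 61 s",
              2: "last minute has 59 s", 3: "alarm (unsynchronized)"}


class NtpPacket(NamedTuple):
    leap: int
    version: int
    mode: int
    stratum: int
    rtdel: float    # root delay, seconds
    rtdsp: float    # root dispersion, seconds
    refid: bytes
    org: float      # originate timestamp (T1) as Unix seconds
    rec: float      # receive timestamp (T2)
    xmt: float      # transmit timestamp (T3)


def _ts_to_unix(raw: int) -> float:
    # 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction
    return (raw >> 32) - NTP_UNIX_DELTA + (raw & 0xFFFFFFFF) / 2**32


def _unix_to_ts(t: float) -> int:
    sec = int(t)
    return ((sec + NTP_UNIX_DELTA) << 32) | int((t - sec) * 2**32)


def decode(packet: bytes) -> NtpPacket:
    if len(packet) < 48:
        raise ValueError("NTP packet shorter than 48 bytes")
    (li_vn_mode, stratum, _poll, _prec, rtdel, rtdsp, refid,
     _ref, org, rec, xmt) = struct.unpack(NTP_HEADER, packet[:48])
    return NtpPacket(
        leap=li_vn_mode >> 6,              # two-bit leap indicator
        version=(li_vn_mode >> 3) & 0x7,   # three-bit version number
        mode=li_vn_mode & 0x7,             # three-bit mode: 3 client, 4 server
        stratum=stratum,
        rtdel=rtdel / 65536,               # 16.16 fixed point
        rtdsp=rtdsp / 65536,
        refid=refid.to_bytes(4, "big"),
        org=_ts_to_unix(org), rec=_ts_to_unix(rec), xmt=_ts_to_unix(xmt))


def build_server_reply(org: float, rec: float, xmt: float, stratum: int = 2,
                       leap: int = 0, version: int = 3) -> bytes:
    """Constructed stratum-2 server (mode 4) reply used as sample input."""
    li_vn_mode = (leap << 6) | (version << 3) | 4
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20,
                       int(0.001 * 65536), int(0.002 * 65536),
                       int.from_bytes(b"GPS\x00", "big"),
                       _unix_to_ts(rec), _unix_to_ts(org),
                       _unix_to_ts(rec), _unix_to_ts(xmt))


def clock_offset(pkt: NtpPacket, t1: float, t4: float) -> float:
    """Standard NTP offset ((T2 - T1) + (T3 - T4)) / 2 using the client's T1 and T4."""
    if pkt.mode != 4:
        raise ValueError(f"expected a server reply, got mode {pkt.mode}")
    return ((pkt.rec - t1) + (pkt.xmt - t4)) / 2


def audit_message(offset: float, threshold: float) -> Optional[str]:
    """offset-threshold check: report when |offset| exceeds the threshold (seconds assumed)."""
    if abs(offset) > threshold:
        return f"NTP audit: clock offset {offset:+.3f} s exceeds offset-threshold {threshold} s"
    return None


def append_mac(packet: bytes, key_id: int, key: bytes) -> bytes:
    """Symmetric-key NTP MAC: 4-byte key ID followed by MD5(key || header)."""
    digest = hashlib.md5(key + packet[:48]).digest()
    return packet[:48] + struct.pack("!I", key_id) + digest


def verify_mac(packet: bytes, trusted_keys: Dict[int, bytes]) -> bool:
    """True only if the key ID is a trusted key and the digest matches."""
    if len(packet) != 48 + 4 + 16:
        return False
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + packet[:48]).digest()
    return hmac.compare_digest(expected, packet[52:])
```

The trusted_keys dictionary plays the role of the ntp trusted-key list: a reply whose key ID is not trusted is rejected before its digest is even compared, which is the check that keeps an arbitrary host from steering the clock with an unauthenticated reply.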
Setting the Timezone Universal Time Coordinated (UTC) is the time standard based on the International Atomic Time standard, commonly known as Greenwich Mean Time. When determining system time, include the offset between UTC and your local timezone. For example, San Jose, CA is in the Pacific Timezone with a UTC offset of -8. To set the clock timezone, use the following command. • Set the clock to the appropriate timezone.
• end-year: enter a four-digit number as the year. The range is from 1993 to 2035. • end-time: enter the time in hours:minutes. For the hour variable, use the 24-hour format; for example, 17:15 is 5:15 pm. • offset: (OPTIONAL) enter the number of minutes to add during the summer-time period. The range is from 1 to 1440. The default is 60 minutes.
"none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009" Dell(conf)#clock summer-time pacific recurring Mar 14 2009 00:00 Nov 7 2009 00:00 ? Dell(conf)#02:02:13: %SYSTEM-P:CP %CLOCK-6-TIME CHANGE: Summertime configuration changed from "none" to "Summer time starts 00:00:00 Pacific Sat Mar 14 2009;Summer time ends 00:00:00 pacific Sat Nov 7 2009" NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time
53 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel destination 90.1.1.1
tunnel source 60.1.1.1
tunnel mode ipv6ip
no shutdown
The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic):
Dell(conf)#interface tunnel 3
Dell(conf-if-tu-3)#tunnel source 5::5
Dell(conf-if-tu-3)#tunnel destination 8::9
Dell(conf-if-tu-3)#tunnel mode ipv6
Dell(conf-if-tu-3)#ip address 3.1.1.
The following sample configuration shows how to use the interface tunnel configuration commands.
Dell(conf-if-gi-1/1)#show config
!
interface GigabitEthernet 1/1
 ip address 20.1.1.1/24
 ipv6 address 20:1::1/64
 no shutdown
Dell(conf)#interface tunnel 1
Dell(conf-if-tu-1)#ip unnumbered gigabitethernet 1/1
Dell(conf-if-tu-1)#ipv6 unnumbered gigabitethernet 1/1
Dell(conf-if-tu-1)#tunnel source 40.1.1.
ip address 1.1.1.1/24 ipv6 address 1abd::1/64 tunnel source anylocal tunnel allow-remote 40.1.1.
54 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
Figure 118. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 119. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. This number is configurable and is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If one of the upstream interfaces in an uplink-state group that was down comes up, the set of UFD-disabled downstream ports (which were previously disabled due to this upstream port going down) is brought up and the UFD Disabled error is cleared.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces.
downstream auto-recover By default, auto-recovery of UFD-disabled downstream ports is enabled. To disable auto-recovery, use the no downstream auto-recover command. 5 (Optional) Enter a text description of the uplink-state group. UPLINK-STATE-GROUP mode description text The maximum length is 80 alphanumeric characters. 6 (Optional) Disable upstream-link tracking without deleting the uplink-state group.
02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Gi 1/7
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Gi 1/7
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed uplink state group state to down: Group 3
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te 3/52
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 3/52
02:38:31 : UFD: Group:3, Uplink
Uplink State Group: 3   Status: Enabled, Up
Uplink State Group: 5   Status: Enabled, Down
Uplink State Group: 6   Status: Enabled, Up
Uplink State Group: 7   Status: Enabled, Up
Uplink State Group: 16  Status: Disabled, Up
Dell# show uplink-state-group 16
Uplink State Group: 16  Status: Disabled, Up
Dell#show uplink-state-group detail
(Up): Interface up  (Dwn): Interface down  (Dis): Interface disabled
Uplink State Group : 1  Status: Enabled, Up
Upstream Interfaces :
Downstream Interfaces :
Uplink State Group :
The following example shows viewing the UFD configuration.
upstream GigabitEthernet 1/3-4
Dell# show uplink-state-group 3
Uplink State Group: 3  Status: Enabled, Up
Dell# show uplink-state-group detail
(Up): Interface up  (Dwn): Interface down  (Dis): Interface disabled
Uplink State Group : 3  Status: Enabled, Up
Upstream Interfaces : Gi 1/3(Up) Gi 1/4(Dwn)
Downstream Interfaces : Gi 1/1(Dis) Gi 1/2(Dwn) Gi 1/5(Dwn) Gi 1/9(Dwn) Gi 1/11(Dwn) Gi 1/12(Dwn)
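The UFD log messages shown earlier in this chapter are what a syslog collector sees when an uplink-state group trips; the following added example, which is not Dell Networking OS code, turns such lines into a per-group record (when the group went down, which downstream ports were UFD error-disabled, when it recovered) so that an operator can tell an expected UFD error-disable from an unexplained port outage. The log lines are constructed to match the format above (the UplinkState: UP line and the second group are assumed), the function names are hypothetical, and timestamps are assumed to fall within one day.

```python
# Added example: summarise UFD events from syslog lines. Not Dell Networking OS
# code; the log below is constructed in the format shown on this page.
import re
from typing import Dict, List, Optional

SYSLOG_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d)\s*:\s*(?P<body>.+)$")
GROUP_STATE = re.compile(r"UFD: Group:(?P<group>\d+), UplinkState: (?P<state>UP|DOWN)")
ERR_DISABLED = re.compile(
    r"Downstream interface set to UFD error-disabled: (?P<intf>\S+ \S+)")

# Constructed sample log (group 3 trips and recovers, group 5 trips and stays down).
SAMPLE_LOG = """\
02:37:29: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Gi 1/7
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Gi 1/7
02:37:29 : UFD: Group:3, UplinkState: DOWN
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed uplink state group state to down: Group 3
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te 3/52
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 3/52
02:37:29: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te 3/53
02:38:31 : UFD: Group:3, UplinkState: UP
02:39:00 : UFD: Group:5, UplinkState: DOWN
02:39:00: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Downstream interface set to UFD error-disabled: Te 3/60
"""


def parse_ufd_events(log: str) -> Dict[int, dict]:
    """Group the UFD-related lines by uplink-state group number."""
    groups: Dict[int, dict] = {}
    current: Optional[int] = None   # group whose DOWN event appeared most recently
    for line in log.splitlines():
        m = SYSLOG_LINE.match(line)
        if not m:
            continue
        ts, body = m.group("ts"), m.group("body")
        g = GROUP_STATE.search(body)
        if g:
            grp = int(g.group("group"))
            rec = groups.setdefault(grp, {"down_at": None, "up_at": None, "disabled": []})
            if g.group("state") == "DOWN":
                rec["down_at"], rec["up_at"], current = ts, None, grp
            else:
                rec["up_at"] = ts
                if current == grp:
                    current = None
            continue
        e = ERR_DISABLED.search(body)
        # error-disable lines carry no group number: attribute them to the
        # group that most recently reported UplinkState: DOWN
        if e and current is not None:
            groups[current]["disabled"].append(e.group("intf"))
    return groups


def _seconds(ts: str) -> int:
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def outage_seconds(groups: Dict[int, dict], group: int) -> Optional[int]:
    """Seconds between DOWN and UP for a group, or None if it never recovered."""
    rec = groups.get(group)
    if rec is None or rec["down_at"] is None or rec["up_at"] is None:
        return None
    return _seconds(rec["up_at"]) - _seconds(rec["down_at"])


def groups_still_down(groups: Dict[int, dict]) -> List[int]:
    """Uplink-state groups that reported DOWN without a later UP."""
    return sorted(g for g, r in groups.items() if r["down_at"] and not r["up_at"])


if __name__ == "__main__":
    events = parse_ufd_events(SAMPLE_LOG)
    for grp, rec in sorted(events.items()):
        print(grp, rec, "outage:", outage_seconds(events, grp))
    print("still down:", groups_still_down(events))
```

A downstream port that appears in a group's disabled list is expected to be down, because UFD error-disabled it; a port that goes down with no matching UFD group event is the one worth investigating.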
55 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://www.dell.
56 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
Figure 120. Tagged Frame Format The tag header contains some key information that Dell Networking OS uses:
• The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes).
• Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.
Codes: * - Default VLAN, G - GVRP VLANs
NUM * 1 2 3 4 5 6 Status Inactive Active Active Active Active Active Q U U U T U U U Ports So 9/4-11 Gi 1/1,18 Gi 1/2,19 Gi 1/3,20 Po 1 Gi 1/12 So 9/0
Assigning Interfaces to a VLAN
You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands. To place an interface in Layer 2 mode, use the switchport command. You can further designate these Layer 2 interfaces as tagged or untagged.
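The tag header described under Figure 120, as an added example that is not Dell Networking OS code: a parser that recognises the 2-byte VLAN protocol identifier, splits the 2-byte TCI into priority, drop-eligible bit and the 12-bit VLAN ID, flags the two reserved VLAN ID values, and shows why a tagged frame with a full-size payload exceeds the 1,518-byte limit quoted in the NOTE. The function names and the sample frames (including the MAC addresses) are constructed; frames are handled without their 4-byte FCS, which the size check adds back.

```python
# Added example: decode and build IEEE 802.1Q tagged Ethernet frames.
# Not Dell Networking OS code; sample frames and function names are constructed.
import struct
from typing import Dict

TPID_8021Q = 0x8100          # VLAN protocol identifier, 2 bytes
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1518    # IEEE 802.3 maximum frame size, FCS included
FCS_LEN = 4                  # frames below carry no FCS; added back for the size check
RESERVED_VIDS = {0, 4095}    # the two reserved VLAN ID values


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Return the header fields of an Ethernet frame, decoding an 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {
        "dst": dst.hex(":"), "src": src.hex(":"), "tagged": False,
        "pcp": None, "dei": None, "vid": None, "reserved_vid": False,
        "payload_offset": 14}
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # tag control information
        vid = tci & 0x0FFF
        info.update(tagged=True,
                    pcp=tci >> 13,            # 3-bit priority code point
                    dei=(tci >> 12) & 0x1,    # drop eligible indicator
                    vid=vid,                  # 12-bit VLAN ID: 4096 values
                    reserved_vid=vid in RESERVED_VIDS,
                    payload_offset=18)
    info["ethertype"] = ethertype
    # The 4-byte tag pushes a frame with a maximum-size payload past 1518 bytes.
    info["oversize"] = len(frame) + FCS_LEN > MAX_UNTAGGED_FRAME
    return info


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int = 0, dei: int = 0,
                       ethertype: int = ETHERTYPE_IPV4, payload: bytes = b"") -> bytes:
    """Constructed sample input: insert a tag header between the source MAC and the ethertype."""
    if not (len(dst) == len(src) == 6):
        raise ValueError("MAC addresses must be 6 bytes")
    if not 0 <= vid <= 4095 or not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("tag field out of range")
    tci = (pcp << 13) | (dei << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def build_untagged_frame(dst: bytes, src: bytes, ethertype: int = ETHERTYPE_IPV4,
                         payload: bytes = b"") -> bytes:
    """Constructed sample input: plain Ethernet II frame without a tag."""
    return dst + src + struct.pack("!H", ethertype) + payload


SAMPLE_DST = bytes.fromhex("0001e88ae976")   # constructed addresses
SAMPLE_SRC = bytes.fromhex("0001e88ae991")

if __name__ == "__main__":
    big = b"\x00" * 1500
    print(parse_frame(build_tagged_frame(SAMPLE_DST, SAMPLE_SRC, 100, pcp=3, payload=big)))
    print(parse_frame(build_untagged_frame(SAMPLE_DST, SAMPLE_SRC, payload=big)))
```

The reserved_vid flag is the check a capture or ingress filter wants: VLAN ID 0 means a priority-tagged frame with no VLAN membership, and 4095 is reserved by the standard, so neither should turn up as a configured VLAN in show vlan output.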
interface Vlan 4
 no ip address
 tagged Port-channel 1
Dell(conf-if-vlan)#end
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
  NUM   Status     Q  Ports
* 1     Inactive
  2     Active     T  Po1(So 0/0-1)
                   T  Gi 1/1
  3     Active     T  Po1(So 0/0-1)
                   T  Gi 1/2
  4     Active     T  Po1(So 0/0-1)
When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VLAN.
untagged GigabitEthernet 1/2
Dell(conf-if-vlan)#end
Dell#show vlan
Codes: * - Default VLAN, G - GVRP VLANs
  NUM   Status     Q  Ports
* 1     Inactive
  2     Active     T  Po1(So 0/0-1)
                   T  Gi 1/3
  3     Active     T  Po1(So 0/0-1)
                   T  Gi 1/1
  4     Active     U  Gi 1/2
The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in INTERFACE mode. Assigning an IP Address to a VLAN VLANs are a Layer 2 feature.
To configure a port so that it can be a member of both untagged and tagged VLANs, use the following commands. 1 Remove any Layer 2 or Layer 3 configurations from the interface. INTERFACE mode 2 Configure the interface for Hybrid mode. INTERFACE mode portmode hybrid 3 Configure the interface for Switchport mode. INTERFACE mode switchport 4 Add the interface to a tagged or untagged VLAN.
57 VLT Proxy Gateway The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Dell Networking OS Command Line Reference Guide.
Figure 121. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • Proxy gateway is supported only for VLT; for example, across a VLT domain. • You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway. • Dell Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links. • The virtual router redundancy protocol (VRRP) and IPv6 routing are not supported. • Private VLANs (PVLANs) are not supported.
• The interface is typically a VLT port-channel that connects to a remote VLT domain. • The new proxy gateway TLV is carried on the physical links under the port channel only. • You must have at least one link connection to each unit of the VLT domain. Following are the prerequisites for Proxy Gateway LLDP configuration: • You must globally enable LLDP.
Figure 122. Sample Configuration for a VLT Proxy Gateway The above figure shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between C and D in VLT domain 1 and C1 and D1 in VLT domain 2. This causes sub-optimal routing with the VLT Proxy Gateway LLDP method.
Sample Configuration Static Method
Dell(conf-vlt-domain)#proxy-gateway static
Dell(conf-vlt-domain-pxy-gw-static)#remote-mac-address exclude-vlan 10
• Packet duplication may happen with “Exclude-VLAN” configuration – Assume you used the exclude-vlan option (called VLAN 10) in C and D and in C1 and D1; If packets for VLAN 10 with C’s MAC address (C is in VLT domain 1) gets an L3 hit at C1 in VLT domain 2, they are switched to both D1 (via ICL) and C via inter DC link.
58 Virtual Link Trunking (VLT) Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). Overview VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology.
Figure 123. Example of VLT Deployment VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This setup requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
Figure 124. Enhanced VLT VLT Terminology The following are key VLT terms. • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. • VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. • VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• If you include RSTP on the system, configure it before VLT. Refer to Configure Rapid Spanning Tree. • If you include PVST on the system, configure it before VLT. Refer to PVST Configuration. • Dell Networking strongly recommends that the VLTi (VLT interconnect) be a static LAG and that you disable LACP on the VLTi. • Ensure that the spanning tree root bridge is at the Aggregation layer. Refer to RSTP and VLT for guidelines to avoid traffic loss, if you enable RSTP on the VLT device.
Configuration Notes When you configure VLT, the following conditions apply.
VLT domain
• A VLT domain supports two chassis members, which appear as a single logical device to network access devices connected to VLT ports through a port channel.
• A VLT domain consists of the two core chassis, the interconnect trunk, backup link, and the LAG members connected to attached devices.
• Each VLT domain has a unique MAC address that you create or VLT creates automatically.
• If the link between the VLT peer switches is established, changing the VLT system MAC address or the VLT unit-id causes the link between the VLT peer switches to become disabled. However, removing the VLT system MAC address or the VLT unit-id may disable the VLT ports if you happen to configure the unit ID or system MAC address on only one VLT peer at any time.
• Enable Layer 3 VLAN connectivity between VLT peers by configuring a VLAN network interface for the same VLAN on both switches.
• Dell Networking does not recommend enabling peer-routing if the CAM is full. To enable peer-routing, a minimum of two local DA spaces for wild-card functionality are required.
Software features supported on VLT physical ports
Software features not supported with VLT
In a VLT domain, the following software features are supported on VLT physical ports: 802.
RSTP and VLT VLT provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire layer 2 network, which can cause a network-wide flush of learned MAC and ARP addresses, requiring these addresses to be re-learned. However, enabling RSTP can detect potential loops caused by non-system issues such as cabling errors or incorrect configurations.
VLT IPv6 The following features have been enhanced to support IPv6: • VLT Sync — Entries learned on the VLT interface are synced on both VLT peers. • Non-VLT Sync — Entries learned on non-VLT interfaces are synced on both VLT peers. • Tunneling — Control information is associated with tunnel traffic so that the appropriate VLT peer can mirror the ingress port as the VLT interface rather than pointing to the VLT peer’s VLTi link.
Figure 125. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running config commands. You can configure virtual link trunking (VLT) peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss.
vlt domain domain-id 2 Enable peer-routing. VLT DOMAIN mode peer-routing 3 Configure the peer-routing timeout. VLT DOMAIN mode peer-routing-timeout value value: Specify a value (in seconds) from 1 to 65535. The default value is infinity (without configuring the timeout).
VLT DOMAIN mode multicast peer-routing-timeout value value: Specify a value (in seconds) from 1 to 1200. 4 Configure a PIM-SM compatible VLT node as a designated router (DR). For more information, refer to Configuring a Designated Router. 5 Configure a PIM-enabled external neighboring router as a rendezvous point (RP). For more information, refer to Configuring a Static Rendezvous Point. 6 Configure the VLT VLAN routing metrics to prefer VLT VLAN interfaces over non-VLT VLAN interfaces.
Sample RSTP Configuration The following is a sample of an RSTP configuration. Using the example shown in the Overview section as a sample VLT topology, the primary VLT switch sends BPDUs to an access device (switch or server) with its own RSTP bridge ID. BPDUs generated by an RSTP-enabled access device are only processed by the primary VLT switch. The secondary VLT switch tunnels the BPDUs that it receives to the primary VLT switch over the VLT interconnect.
Configuring a VLT Interconnect To configure a VLT interconnect, follow these steps. 1 Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned).
back-up destination {ipv4-address | ipv6-address} [interval seconds] You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 3 Configure the port channel to be used as the VLT interconnect between VLT peers in the domain.
To set an amount of time, in seconds, to delay the system from restoring the VLT port, use the delay-restore command at any time. For more information, refer to VLT Port Delayed Restoration. Configuring a VLT Port Delay Period To configure a VLT port delay period, use the following commands. 1 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000.
To explicitly configure the default values on each peer switch, use the unit-id command. Configure a different unit ID (0 or 1) on each peer switch. Unit IDs are used for internal system operations. Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. Connecting a VLT Domain to an Attached Access Device (Switch or Server) To connect a VLT domain to an attached access device, use the following commands.
Configuring a VLT VLAN Peer-Down (Optional) To configure a VLT VLAN peer-down, use the following commands. 1 Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2 Enter the port-channel number that acts as the interconnect trunk.
back-up destination ip-address [interval seconds] You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 6 When you create a VLT domain on a switch, Dell Networking OS automatically creates a VLT-system MAC address used for internal system operations. VLT DOMAIN CONFIGURATION mode system-mac mac-address mac-address To explicitly configure the default MAC address for the domain by entering a new MAC address, use the system-mac command. The format is aaaa.
port-channel-protocol lacp 14 Configure the LACP port channel mode. INTERFACE mode port-channel number mode [active] 15 Ensure that the interface is active. MANAGEMENT INTERFACE mode no shutdown 16 Repeat steps 1 through 15 for the VLT peer node in Domain 1. 17 Repeat steps 1 through 15 for the first VLT node in Domain 2. 18 Repeat steps 1 through 15 for the VLT peer node in Domain 2.
EXEC Privilege mode show running-config entity 12 Verify that VLT is running. EXEC mode show vlt brief or show vlt detail 13 Verify that the VLT LAG is running in both VLT peer units. EXEC mode or EXEC Privilege mode show interfaces interface Example of Configuring VLT In the following sample VLT configuration steps, VLT peer 1 is Dell-2, VLT peer 2 is Dell-4, and the ToR is S60-1.
2 Configure the VLT peer link port channel id in VLT peer 1 and VLT peer 2. 3 In the Top of Rack unit, configure LACP in the physical ports (shown for VLT peer 1 only. Repeat steps for VLT peer 2. The bold vltpeer-lag port-channel 2 indicates that port-channel 2 is the port-channel id configured in VLT peer 2).
ICL Link Status                  : Up
HeartBeat Status                 : Up
VLT Peer Status                  : Up
Version                          : 6(3)
Local System MAC address         : 00:01:e8:8a:e9:91
Remote System MAC address        : 00:01:e8:8a:e9:76
Remote system version            : 6(3)
Delay-Restore timer              : 90 seconds
Delay-Restore Abort Threshold    : 60 seconds
Peer-Routing                     : Disabled
Peer-Routing-Timeout timer       : 0 seconds
Multicast peer-routing timeout   : 150 seconds
Dell#
Verify that the VLT LAG is up in the VLT peer unit.
Executing IEEE compatible Spanning Tree Protocol
Root ID Priority 0, Address 90b1.1cf4.9b79
Root Bridge hello time 2, max age 20, forward delay 15
Bridge ID Priority 0, Address 90b1.1cf4.9b79
We are the root of Vlan 1000
Configured hello time 2, max age 20, forward delay 15
Interface Name ---------Po 1 Po 2 Te 1/10 Te 1/13 Interface Name ---------Po 1 Po 2 Gi 1/10 Gi 1/13 Dell# PortID -------128.2 128.3 128.230 128.
Domain_1_Peer1(conf)#vlt domain 1000
Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1
Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.11
Domain_1_Peer1(conf-vlt-domain)# system-mac mac-address 00:0a:00:0a:00:0a
Domain_1_Peer1(conf-vlt-domain)# unit-id 0
Configure eVLT on Peer 1.
Next, configure the VLT domain and VLTi on Peer 4.
Domain_2_Peer4#configure
Domain_2_Peer4(conf)#interface port-channel 1
Domain_2_Peer4(conf-if-po-1)# channel-member GigabitEthernet 1/8-1/9
Domain_1_Peer4#no shutdown
Domain_2_Peer4(conf)#vlt domain 200
Domain_2_Peer4(conf-vlt-domain)# peer-link port-channel 1
Domain_2_Peer4(conf-vlt-domain)# back-up destination 10.18.130.
VLT_Peer2(conf-if-vl-4001)#exit
VLT_Peer2(conf)#end
Verifying a VLT Configuration To monitor the operation or verify the configuration of a VLT domain, use any of the following show commands on the primary and secondary VLT switches.
• Display information on backup link operation. EXEC mode show vlt backup-link
• Display general status information about VLT domains currently configured on the switch.
HeartBeat Timeout:             3
UDP Port:                      34998
HeartBeat Messages Sent:       1026
HeartBeat Messages Received:   1025

Dell_VLTpeer2# show vlt backup-link
VLT Backup Link
-----------------
Destination:                   10.11.200.20
Peer HeartBeat status:         Up
HeartBeat Timer Interval:      1
HeartBeat Timeout:             3
UDP Port:                      34998
HeartBeat Messages Sent:       1030
HeartBeat Messages Received:   1014

The following example shows the show vlt brief command.
----------
VLT Role:                      Secondary
System MAC address:            00:01:e8:8a:df:bc
System Role Priority:          32768
Local System MAC address:      00:01:e8:8a:df:e6
Local System Role Priority:    32768

The following example shows the show running-config vlt command.
Dell_VLTpeer1# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.18

Dell_VLTpeer2# show running-config vlt
!
vlt domain 30
 peer-link port-channel 60
 back-up destination 10.11.200.
Bridge ID Priority 0, Address 0001.e88a.dff8
We are the root
Configured hello time 2, max age 20, forward delay 15
Interface                                          Designated
Name     PortID    Prio  Cost     Sts        Cost  Bridge ID         PortID
-------- --------  ----  -------  ---------  ----  ----------------  ------
Po 1     128.2     128   200000   DIS        0     0 0001.e88a.dff8  128.2
Po 3     128.4     128   200000   DIS        0     0 0001.e88a.dff8  128.4
Po 4     128.5     128   200000   DIS        0     0 0001.e88a.dff8  128.5
Po 100   128.101   128   800      FWD(VLTi)  0     0 0001.e88a.dff8  128.101
Po 110   128.111   128   00       FWD(vlt)   0     0 0001.e88a.
Configuring Virtual Link Trunking (VLT Peer 2)

Enable VLT and create a VLT domain with a backup-link VLT interconnect (VLTi).

Dell_VLTpeer2(conf)#vlt domain 999
Dell_VLTpeer2(conf-vlt-domain)#peer-link port-channel 100
Dell_VLTpeer2(conf-vlt-domain)#back-up destination 10.11.206.23
Dell_VLTpeer2(conf-vlt-domain)#exit

Configure the backup link.

Dell_VLTpeer2(conf)#interface ManagementEthernet 1/1
Dell_VLTpeer2(conf-if-ma-1/1)#ip address 10.11.206.
Table 76. Troubleshooting VLT

Description: Bandwidth monitoring
  Behavior at Peer Up: A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above the 80% threshold and when it drops below 80%.
  Behavior During Run Time: A syslog error message and an SNMP trap are generated when the VLTi bandwidth usage goes above its threshold.
  Action to Take: Depending on the traffic that is received, the traffic can be offloaded in VLTi.

Description: Domain ID mismatch
  Behavior at Peer Up: The VLT peer does not boot up.

Description:
  Behavior at Peer Up: A syslog error message is generated.
  Behavior During Run Time: A syslog error message is generated.
  Action to Take:

Reconfiguring Stacked Switches as VLT

To convert switches that have been stacked to VLT peers, use the following procedure.
1 Remove the current configuration from the switches. You will need to split the configuration up for each switch.
2 Copy the files to the flash memory of the appropriate switch.
Any VLAN that contains at least one VLT port as a member is treated as a VLT VLAN. You can configure a VLT VLAN to be a primary, secondary, or a normal VLAN. However, the VLT VLAN configuration must be symmetrical across peers. If the VLT LAG is tagged to any one of the primary or secondary VLANs of a PVLAN, then both the primary and secondary VLANs are considered as VLT VLANs.
PVLAN Operations When a VLT Peer is Restarted When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Trunk Access Primary Secondary No No Promiscuous Promiscuous Primary Primary Yes Yes Promiscuous Access Primary Secondary No No Promiscuous Promiscuous Primary Primary Yes Yes - Secondary (Community) - Secondary (Isolated) No No Secondary (Community) Secondary (Isolated) No No • • Yes Yes Access Access Promiscuous Promiscuous Primary X Primary X Primary Primar
security functionalities to be achieved. This section describes how to configure a VLT VLAN or a VLT LAG (VLTi link) and assign that VLT interface to a PVLAN.

Creating a VLT LAG or a VLT VLAN

1 Configure the port channel for the VLT interconnect on a VLT switch and enter interface configuration mode.
  CONFIGURATION mode
  interface port-channel id-number
  Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain.
  interface interface
2 Enable the port.
  INTERFACE mode
  no shutdown
3 Set the port in Layer 2 mode.
  INTERFACE mode
  switchport
4 Select the PVLAN mode.
  INTERFACE mode
  switchport mode private-vlan {host | promiscuous | trunk}
  • host (isolated or community VLAN port)
  • promiscuous (intra-VLAN communication port)
  • trunk (inter-switch PVLAN hub port)
5 Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces.
forwarding level. VLT peer routing allows you to replace VRRP with routed VLT to route the traffic from Layer 2 access nodes. With proxy ARP, hosts can resolve the MAC address of the VLT node even when a VLT node is down. If the ICL link is down when a VLT node receives an ARP request for the IP address of the VLT peer, then, owing to the LAG-level hashing algorithm in the top-of-rack (ToR) switch, the incorrect VLT node responds to the ARP request with the peer MAC address.
VLT Nodes as Rendezvous Points for Multicast Resiliency You can configure VLT peer nodes as rendezvous points (RPs) in a Protocol Independent Multicast (PIM) domain. PIM uses a VLT node as the RP to distribute multicast traffic to a multicast group. Messages to join the multicast group (Join messages) and data are sent towards the RP, so that receivers can discover who the senders are and begin receiving traffic destined for the multicast group.
4 Verify the VLAN-stack configurations.
  EXEC Privilege
  show running-config

Sample configuration of VLAN-stack over VLT (Peer 1)

Configure the VLT domain

Dell(conf)#vlt domain 1
Dell(conf-vlt-domain)#peer-link port-channel 1
Dell(conf-vlt-domain)#back-up destination 10.16.151.
Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
Dell#

Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN

Dell#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Intern
!
interface Port-channel 20
 no ip address
 switchport
 vlan-stack trunk
 vlt-peer-lag port-channel 20
 no shutdown
Dell#

Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN

Dell(conf)#interface vlan 50
Dell(conf-if-vl-50)#vlan-stack compatible
Dell(conf-if-vl-50-stack)#member port-channel 10
Dell(conf-if-vl-50-stack)#member port-channel 20
Dell(conf-if-vl-50-stack)#

Dell#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutd
The neighbor entries are typically learned by a node using neighbor solicitation (NS) and ND messages. These NS or neighbor advertisement (NA) messages can be either destined to the VLT node or to any nodes on the same network as the VLT interface. These learned neighbor entries are propagated to another VLT node so that the peer does not need to relearn the entries.
NA messages can be sent in two scenarios:
• NA messages are almost always sent in response to an NS message from a node. In this case, the solicited NA has the destination address field set to the unicast MAC address of the initial NS sender. A solicited NA must be tunneled when it reaches the wrong peer.
• Sometimes NA messages are sent by a node when its link-layer address changes.
Figure 128. Sample Configuration of IPv6 Peer Routing in a VLT Domain

Neighbor Solicitation from VLT Hosts

Consider a case in which an NS for the VLT node1 IP reaches VLT node1 on the VLT interface, and an NS for the VLT node1 IP reaches VLT node2 due to LAG-level hashing in the ToR. When VLT node1 receives the NS from the VLT VLAN interface, it unicasts the NA packet on the VLT interface. When the NS reaches VLT node2, it is flooded on all interfaces including the ICL.
Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
When a VLT node receives traffic from a non-VLT host that is intended for another non-VLT host, it performs a neighbor entry lookup and routes the traffic over the ICL interface. If the traffic reaches the wrong VLT peer, that peer routes the traffic over the ICL.

Router Solicitation

When a VLT node receives a router solicitation (RS) on a VLT interface or a non-VLT interface, it consumes the packet and sends a router advertisement (RA) back on the received interface. The VLT node drops the RS message if it is received over the ICL interface.
59 Virtual Routing and Forwarding (VRF)

Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs. Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time.

VRF Overview

VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 129. VRF Network Example

VRF Configuration Notes

Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM.

VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Table 78. Software Features Supported on VRF

Feature/Capability                                          Support Status for Default VRF   Support Status for Non-default VRF
Configuration rollback for commands introduced or modified  Yes                              No
LLDP protocol on the port                                   Yes                              No
802.
Feature/Capability                                      Support Status for Default VRF   Support Status for Non-default VRF
VRRP on physical and logical interfaces                 Yes                              Yes
VRRPV3                                                  Yes                              Yes
Secondary IP Addresses                                  Yes                              No
Following IPv6 capabilities No Basic                    Yes                              No
OSPFv3                                                  Yes                              Yes
IS-IS                                                   Yes                              Yes
BGP                                                     Yes                              Yes
ACL                                                     Yes                              No
Multicast                                               Yes                              No
NDP                                                     Yes                              Yes
RAD                                                     Yes                              Yes
Ingress/Egress Storm-Control (per interface/global)     Yes                              No
DHCP                                                    DHCP requests are not forwarded across VRF instances.
Creating a Non-Default VRF Instance

VRF is enabled by default on the switch and supports up to 64 VRF instances: 1 to 63 and the default VRF (0).
• Create a non-default VRF instance by specifying a name and VRF ID number, and enter VRF configuration mode.
  CONFIGURATION
  ip vrf vrf-name vrf-id
  The VRF ID range is from 1 to 63. 0 is the default VRF ID.

Assigning an Interface to a VRF

You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
View VRF Instance Information

To display information about VRF configuration, enter the show ip vrf command. To display information on all VRF instances (including the default VRF 0), do not enter a value for vrf-name.
• Display the interfaces assigned to a VRF instance.
  EXEC
  show ip vrf [vrf-name]

Assigning an OSPF Process to a VRF Instance

OSPF routes are supported on all VRF instances. See Open Shortest Path First (OSPFv2) for complete OSPF configuration information.
Task                                        Command Syntax                 Command Mode
                                            vrrp-group 10
                                            virtual-address 10.1.1.100
                                            no shutdown
View VRRP command output for the VRF vrf1   show vrrp vrf vrf1

-----------------
GigabitEthernet 1/13, IPv4 VRID: 10, Version: 2, Net: 10.1.1.1
VRF: 2 vrf1
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 43, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 10.1.1.
NOTE: The command line help still displays relevant details corresponding to each of these commands. However, these interface range or interface group commands are not supported when Management VRF is configured.

Configuring a Static Route

• Configure a static route that points to a management interface.
Figure 131. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1

ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface GigabitEthernet 3/1
 no ip address
 switchport
 no shutdown
!
interface GigabitEthernet 1/1
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/2
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface GigabitEthernet 1/3
 ip vrf forwarding green
 ip address 30.0.0.
 no shutdown
!
interface Vlan 128
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged GigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.2/24
 tagged GigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface GigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!

The following shows the output of the show commands on Router 1.
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2,
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area,
       * - candidate default, > - non-active route, + - summary route
Gateway of last resort is not set

  Destination     Gateway
  -----------     -------
C 2.0.0.0/24      Direct, Vl 192
C 20.0.0.0/24     Direct, Gi 1/2
O 21.0.0.0/24     via 2.0.0.
  Destination     Gateway
  -----------     -------
C 1.0.0.0/24      Direct, Vl 128
C 10.0.0.0/24
O 11.0.0.0/24     via 1.0.0.
Dynamic Route Leaking Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains. Inter-VRF Route Leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
3 Configure VRF-red.
  ip vrf vrf-red
  interface-type slot/port
  ip vrf forwarding VRF-red
  ip address ip-address mask
  A non-default VRF named VRF-red is created and the interface is assigned to this VRF.
4 Configure the import target in VRF-red.
  ip route-import 1:1
5 Configure the export target in VRF-red.
  ip route-export 2:2
6 Configure VRF-blue.
  ip route-import 2:2
  ip route-import 3:3

Show routing tables of all the VRFs (without any route-export and route-import tags being configured)

Dell# show ip route vrf VRF-Red
O 11.1.1.1/32    via 111.1.1.1     110/0   00:00:10
C 111.1.1.0/24   Direct, Gi 1/11   0/0     22:39:59

Dell# show ip route vrf VRF-Blue
O 22.2.2.2/32    via 122.2.2.2     110/0   00:00:11
C 122.2.2.0/24   Direct, Gi 1/12   0/0

Dell# show ip route vrf VRF-Green
O 33.3.3.3/32    via 133.3.3.3             00:00:11
C 133.3.3.
• If the target VRF contains the same prefix as either a sourced route or a route leaked from some other VRF, then route leaking for that particular prefix fails and the following error log is generated:
  SYSLOG ("Duplicate prefix found %s in the target VRF %d", address, import_vrf_id)
  The type/level is EVT_LOGWARNING.
• The source routes always take precedence over leaked routes. The leaked routes are deleted as soon as routes are locally learnt by the VRF using other means.
  Dell(config-route-map)#match source-protocol bgp
  This action specifies that the route-map contains OSPF and BGP as the matching criteria for exporting routes from vrf-red.
4 Configure the export target in the source VRF with route-map export_ospfbgp_protocol.
  ip route-export 1:1 export_ospfbgp_protocol
5 Configure VRF-blue.
  ip vrf vrf-blue
  interface-type slot/port
  ip vrf forwarding VRF-blue
  ip address ip-address mask
  A non-default VRF named VRF-blue is created and the interface 1/22 is assigned to it.
• Only one set of routes can be exposed from the source VRF for leaking to other VRFs. For example, in VRF-red there is no option for exporting one set of routes (for example, OSPF routes) to VRF-blue and another set of routes (for example, BGP routes) to some other VRF. Similarly, when two VRFs leak or export routes, there is no option to discretely filter leaked routes from each source VRF. That is, you cannot import one set of routes from VRF-red and another set of routes from VRF-blue.
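As an added example that is not part of the Dell guide, the following Python model captures the leaking rules stated in this chapter: a source VRF exports with ip route-export, a target VRF imports with ip route-import, a match source-protocol route-map limits what is exported, a prefix already present in the target VRF makes leaking of that prefix fail with the Duplicate prefix warning, and a locally learnt route always replaces a leaked one. The VRF ids, the routes, and the rule that a leaked route is never re-exported are assumptions of the model, not behaviour stated on this page.

```python
"""Model of inter-VRF route leaking as described in this chapter.

Added example, not Dell Networking OS code.  VRF ids, routes and the rule
that a leaked route is never re-exported are assumptions of the model.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    protocol: str                        # C connected, O OSPF, B BGP, S static
    leaked_from: Optional[str] = None    # source VRF name; None for a local route


class Vrf:
    def __init__(self, name: str, vrf_id: int):
        self.name, self.vrf_id = name, vrf_id
        self.rtm: dict[str, Route] = {}                    # prefix -> route (the RTM)
        self.export_target: Optional[str] = None           # ip route-export <target>
        self.export_protocols: Optional[set[str]] = None   # route-map match source-protocol
        self.import_targets: set[str] = set()              # ip route-import <target> ...


class RouteLeaker:
    def __init__(self):
        self.vrfs: dict[str, Vrf] = {}
        self.syslog: list[str] = []

    def ip_vrf(self, name: str, vrf_id: int) -> None:
        self.vrfs[name] = Vrf(name, vrf_id)

    def ip_route_export(self, vrf: str, target: str, protocols=None) -> None:
        # One export target per VRF, optionally limited by a source-protocol route-map.
        self.vrfs[vrf].export_target = target
        self.vrfs[vrf].export_protocols = set(protocols) if protocols else None

    def ip_route_import(self, vrf: str, *targets: str) -> None:
        self.vrfs[vrf].import_targets.update(targets)
        self.reconcile()

    def learn_local(self, vrf: str, route: Route) -> None:
        # A locally learnt route always replaces a leaked route for the same prefix.
        self.vrfs[vrf].rtm[route.prefix] = route
        self.reconcile()

    def reconcile(self) -> None:
        """Rebuild every VRF's leaked entries from its peers' local routes."""
        for t in self.vrfs.values():
            t.rtm = {p: r for p, r in t.rtm.items() if r.leaked_from is None}
        for t in self.vrfs.values():
            for s in sorted(self.vrfs.values(), key=lambda v: v.vrf_id):
                if s is t or s.export_target not in t.import_targets:
                    continue
                for r in list(s.rtm.values()):
                    if r.leaked_from is not None:      # model assumption: no re-export
                        continue
                    if s.export_protocols and r.protocol not in s.export_protocols:
                        continue
                    if r.prefix in t.rtm:
                        # Duplicate prefix (local, or leaked from another VRF): leak fails.
                        self.syslog.append(f"EVT_LOGWARNING: Duplicate prefix found "
                                           f"{r.prefix} in the target VRF {t.vrf_id}")
                        continue
                    t.rtm[r.prefix] = Route(r.prefix, r.next_hop, r.protocol, leaked_from=s.name)

    def show_ip_route_vrf(self, vrf: str) -> list[str]:
        return [f"{r.protocol} {r.prefix} {r.next_hop}"
                + (f" (leaked from {r.leaked_from})" if r.leaked_from else "")
                for r in sorted(self.vrfs[vrf].rtm.values(), key=lambda r: r.prefix)]


def build_example() -> RouteLeaker:
    """Constructed topology: VRF-red exports OSPF and BGP only, VRF-blue exports
    everything, VRF-green imports from both (mirrors this chapter's three VRFs)."""
    rl = RouteLeaker()
    rl.ip_vrf("VRF-red", 1)
    rl.ip_vrf("VRF-blue", 2)
    rl.ip_vrf("VRF-green", 3)
    rl.ip_route_export("VRF-red", "2:2", protocols={"O", "B"})   # route-map export_ospfbgp_protocol
    rl.ip_route_export("VRF-blue", "3:3")
    rl.ip_route_import("VRF-green", "2:2", "3:3")
    rl.learn_local("VRF-red", Route("111.1.1.0/24", "Direct, Gi 1/11", "C"))
    rl.learn_local("VRF-red", Route("11.1.1.1/32", "111.1.1.1", "O"))
    rl.learn_local("VRF-red", Route("44.4.4.0/24", "111.1.1.1", "S"))   # static: not exported
    rl.learn_local("VRF-blue", Route("122.2.2.0/24", "Direct, Gi 1/12", "C"))
    rl.learn_local("VRF-blue", Route("22.2.2.2/32", "122.2.2.2", "O"))
    rl.learn_local("VRF-green", Route("133.3.3.0/24", "Direct, Gi 1/13", "C"))
    return rl


if __name__ == "__main__":
    print("\n".join(build_example().show_ip_route_vrf("VRF-green")))
```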
60 Virtual Router Redundancy Protocol (VRRP)

Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network.

VRRP Overview

VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 132. Basic VRRP Configuration

VRRP Benefits

With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables.

VRRP Implementation

Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 80. Recommended VRRP Advertise Intervals

Total VRRP Groups       Recommended Advertise Interval   Groups/Interface
Less than 250           1 second                         12
Between 250 and 450     2–3 seconds                      24
Between 450 and 600     3–4 seconds                      36
Between 600 and 800     4 seconds                        48
Between 800 and 1000    5 seconds                        84
Between 1000 and 1200   7 seconds                        100
Between 1200 and 1500   8 seconds                        120

VRRP Configuration

By default, VRRP is not configured.
no vrrp-group vrid

Examples of Configuring and Verifying VRRP

The following example shows how to configure VRRP.

Dell(conf)#interface gigabitethernet 1/1
Dell(conf-if-gi-1/1)#vrrp-group 111
Dell(conf-if-gi-1/1-vrid-111)#

The following example shows how to verify the VRRP configuration.

Dell(conf-if-gi-1/1)#show conf
!
interface GigabitEthernet 1/1
 ip address 10.10.10.
2 Set the master switch to VRRP protocol version 3.
  Dell_master_switch(conf-if-gi-1/1-vrid-100)#version 3
3 Set the backup switches to version 3.
  Dell_backup_switch1(conf-if-gi-1/1-vrid-100)#version 3
  Dell_backup_switch2(conf-if-gi-1/2-vrid-100)#version 3

Assign Virtual IP addresses

Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group.
Examples of Configuring and Verifying a Virtual IP Address

The following example shows how to configure a virtual IP address.

Dell(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.1
Dell(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.2
Dell(conf-if-gi-1/1-vrid-111)#virtual-address 10.10.10.3

The following example shows how to verify a virtual IP address configuration.

NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
priority priority
The range is from 1 to 255. The default is 100.

Examples of the priority Command

Dell(conf-if-gi-1/2)#vrrp-group 111
Dell(conf-if-gi-1/2-vrid-111)#priority 125

To verify the VRRP group priority, use the show vrrp command.

Dell#show vrrp
-----------------
GigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1
State: Master, Priority: 255, Master: 10.10.10.
The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password.

Dell(conf-if-gi-1/1-vrid-111)#show conf
!
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10

Disabling Preempt

The preempt command is enabled by default.
If you are using VRRP version 2, you must configure the timer values in multiples of whole seconds. For example, a timer value of 3 seconds or 300 centisecs is valid, and the two are equivalent. However, a timer value of 50 centisecs is invalid because it is not a multiple of 1 second. If you are using VRRP version 3, you must configure the timer values in multiples of 25 centisecs. If you are configured for VRRP version 2, the timer values must be in multiples of whole seconds.
For a virtual group, you can track the line-protocol state or the routing status of any of the following interfaces with the interface interface parameter:
• For a 1-GigabitEthernet interface, enter the keyword GigabitEthernet then the slot/port information.
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
• For a port channel interface, enter the keywords port-channel then a number.
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 track GigabitEthernet 1/2
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10

The following example shows verifying the tracking status.
Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Figure 133. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6

The following example shows configuring VRRP for IPv4.

Router 2

R2(conf)#interface gigabitethernet 2/31
R2(conf-if-gi-2/31)#ip address 10.1.1.1/24
R2(conf-if-gi-2/31)#vrrp-group 99
R2(conf-if-gi-2/31-vrid-99)#priority 200
R2(conf-if-gi-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-gi-2/31-vrid-99)#no shut
R2(conf-if-gi-2/31)#show conf
!
interface GigabitEthernet 2/31
 ip address 10.1.1.
GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#

Router 3

R3(conf)#interface tengigabitethernet 3/21
R3(conf-if-gi-3/21)#ip address 10.1.1.2/24
R3(conf-if-gi-3/21)#vrrp-group 99
R3(conf-if-gi-3/21-vrid-99)#virtual 10.1.1.
Figure 134. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-gi-1/1-vrid-10)#no shutdown
R2(conf-if-gi-1/1)#show config
interface GigabitEthernet 1/1
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-gi-1/1)#end
R2#show vrrp
-----------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master
VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN. The following example shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
S1(conf)#interface GigabitEthernet 1/1
S1(conf-if-gi-1/1)#ip vrf forwarding VRF-1
S1(conf-if-gi-1/1)#ip address 10.10.1.5/24
S1(conf-if-gi-1/1)#vrrp-group 11
% Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-gi-1/1-vrid-101)#priority 100
S1(conf-if-gi-1/1-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-gi-1/1)#no shutdown
!
S1(conf)#interface GigabitEthernet 1/2
S1(conf-if-gi-1/2)#ip vrf forwarding VRF-2
S1(conf-if-gi-1/2)#ip address 10.10.1.
S2(conf-if-gi-1/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S2(conf-if-gi-1/3-vrid-105)#priority 100
S2(conf-if-gi-1/3-vrid-105)#virtual-address 20.1.1.5
S2(conf-if-gi-1/3)#no shutdown

VLAN Scenario

In another scenario, to connect to the LAN, VRF-1, VRF-2, and VRF-3 use a single physical interface with multiple tagged VLANs (instead of separate physical interfaces). In this case, you configure three VLANs: VLAN-100, VLAN-200, and VLAN-300.
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.100
Authentication: (none)

Dell#show vrrp vrf vrf2 port-channel 1
-----------------
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 278, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.100
Authentication: (none)

Vlan 400, IPv4 VRID: 10, Version: 2, Net: 20.1.1.2
VRF: 1 vrf1
State: Backup, Priority: 90, Master: 20.1.1.1
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 377, Bad pkts rcvd: 0, Adv sent: 0, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:0a
Virtual IP address: 20.1.1.
Figure 136. VRRP for IPv6 Topology NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
R2(conf-if-gi-1/1)#show config
interface GigabitEthernet 1/1
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-gi-1/1)#end
R2#show vrrp
-----------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv s
State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255
Dell#

Dell#show vrrp vrf vrf1 vlan 400
Vlan 400, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed
VRF: 1 vrf1
State: Master, Priority: 200, Master: fe80::201:e8ff:fe8a:e9ed (local)
Hold Down: 0 centi
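As an added example that is not part of the Dell guide, the following Python script parses show vrrp output in the form shown throughout this chapter and checks each group against rules stated here: the virtual MAC derived from the VRID (00:00:5e:00:01:VRID for IPv4, 00:00:5e:00:02:VRID for IPv6, as in the outputs above), the advertise-interval granularity for VRRP versions 2 and 3, a non-zero Bad pkts rcvd counter, and Authentication: (none). The sample output is constructed (its second group carries a wrong virtual MAC and bad packets, its third an invalid interval) and the helper names are my own.

```python
"""Audit show vrrp output against rules stated in this chapter (added example,
not Dell Networking OS code): the virtual MAC is 00:00:5e:00:01:<VRID> for IPv4
and 00:00:5e:00:02:<VRID> for IPv6, VRRPv2 timers are whole seconds, VRRPv3
timers are multiples of 25 centisec, and bad packets or missing authentication
deserve an operator's attention."""
import re

# Constructed sample in the show vrrp format used in this chapter: the second
# group carries a wrong virtual MAC and a non-zero bad-packet counter, the third
# an advertise interval that is not a multiple of 25 centisec.
SAMPLE_SHOW_VRRP = """\
------------------
GigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
------------------
Vlan 400, IPv4 VRID: 10, Version: 2, Net: 20.1.1.2
VRF: 1 vrf1
State: Backup, Priority: 90, Master: 20.1.1.1
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 377, Bad pkts rcvd: 4, Adv sent: 0, Gratuitous ARP sent: 0
Virtual MAC address: 00:00:5e:00:01:0b
Virtual IP address: 20.1.1.100
Authentication: (none)
------------------
GigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default-vrf
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 110 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
"""

HEADER_RE = re.compile(
    r"^-*(?P<iface>[A-Za-z-]+ \S+), (?:(?P<family>IPv4|IPv6) )?VRID: (?P<vrid>\d+)"
    r"(?:, Version: (?P<version>\d+))?, Net:\s*(?P<net>\S+)", re.M)
ADVINT_RE = re.compile(r"(?<!Master )AdvInt: (?P<value>\d+) (?P<unit>centisec|sec)")
BAD_RE = re.compile(r"Bad pkts rcvd: (\d+)")
MAC_RE = re.compile(r"Virtual MAC address: ([0-9a-fA-F:]+)")


def expected_virtual_mac(vrid, family="IPv4"):
    # RFC 3768 / RFC 5798 virtual MAC; the outputs in this chapter follow it
    # (VRID 99 -> ...:01:63, IPv6 VRID 255 -> ...:02:ff).
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00:00:5e:00:{'01' if family == 'IPv4' else '02'}:{vrid:02x}"


def adv_interval_is_valid(version, value, unit):
    # VRRPv2: whole seconds (300 centisec == 3 sec is fine, 50 centisec is not);
    # VRRPv3: multiples of 25 centisec.
    centisec = value * 100 if unit == "sec" else value
    step = 100 if version == 2 else 25
    return centisec > 0 and centisec % step == 0


def parse_show_vrrp(text):
    """Split show vrrp output into one dict per VRRP group."""
    groups = []
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[h.start():end]
        adv, bad, mac = ADVINT_RE.search(body), BAD_RE.search(body), MAC_RE.search(body)
        groups.append({
            "iface": h["iface"],
            "family": h["family"] or "IPv4",       # old-style header names no family
            "vrid": int(h["vrid"]),
            "version": int(h["version"] or 2),     # old-style header implies version 2
            "adv_value": int(adv["value"]) if adv else None,
            "adv_unit": adv["unit"] if adv else None,
            "bad_pkts": int(bad[1]) if bad else 0,
            "virtual_mac": mac[1].lower() if mac else None,
            "auth_none": "Authentication: (none)" in body,
        })
    return groups


def audit_vrrp(text):
    """Return (group, finding) pairs for anything that needs an operator's attention."""
    findings = []
    for g in parse_show_vrrp(text):
        tag = f"{g['iface']} VRID {g['vrid']}"
        want = expected_virtual_mac(g["vrid"], g["family"])
        if g["virtual_mac"] != want:
            findings.append((tag, f"virtual MAC {g['virtual_mac']} does not match expected {want}"))
        if g["adv_value"] is not None and not adv_interval_is_valid(g["version"], g["adv_value"], g["adv_unit"]):
            findings.append((tag, f"AdvInt {g['adv_value']} {g['adv_unit']} is not valid for VRRP version {g['version']}"))
        if g["bad_pkts"] > 0:
            findings.append((tag, f"{g['bad_pkts']} bad VRRP packets received; investigate before trusting master election"))
        if g["auth_none"]:
            findings.append((tag, "no VRRP authentication configured"))
    return findings


if __name__ == "__main__":
    for tag, msg in audit_vrrp(SAMPLE_SHOW_VRRP):
        print(f"{tag}: {msg}")
```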
61 Debugging and Diagnostics

This chapter describes debugging and diagnostics for the device.

Offline Diagnostics

The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
3 Start diagnostics on the unit.
  diag stack-unit stack-unit-number
  When the tests are complete, the system displays the following message and automatically reboots the unit. Diagnostic results are printed to a file in the flash using the filename format TestReport-SU-.txt. Log messages differ somewhat when diagnostics are done on a standalone unit and on a stack member.
4 View the results of the diagnostic tests.
  EXEC Privilege mode
  show file flash://TestReport-SU-stack-unit-id.
Using the Show Hardware Commands The show hardware command tree consists of commands used with the system. These commands display information from a hardware sub-component and from hardware-based feature tables. NOTE: Use the show hardware commands only under the guidance of the Dell Technical Assistance Center. The following lists the show hardware commands available as of the latest Dell Networking OS version.
  EXEC Privilege mode
  show hardware stack-unit {1–6} unit {0-1} details
• Execute a specified bShell command from the CLI without going into the bShell.
  EXEC Privilege mode
  show hardware stack-unit {1–6} unit {0-1} execute-shell-cmd {command}
• View the Multicast IPMC replication table from the bShell.
  EXEC Privilege mode
  show hardware stack-unit {1–6} unit {0-1} ipmc-replication
• View the internal statistics for each port-pipe (unit) on a per-port basis.
3 After the software has determined that the temperature levels are within normal limits, you can re-power the card safely. To bring back the line card online, use the power-on command in EXEC mode. In addition, to control airflow for adequate system cooling, Dell Networking requires that you install blanks in all slots without a line card. NOTE: Exercise care when removing a card; if it has exceeded the major or shutdown thresholds, the card could be hot to the touch.
Troubleshooting Packet Loss The show hardware stack-unit command is intended primarily to troubleshoot packet loss. To troubleshoot packet loss, use the following commands.
Internal Dataplane Statistics

The show hardware stack-unit cpu data-plane statistics command prov
rxPkt(COS7 )     :0
rxPkt(COS8 )     :773
rxPkt(COS9 )     :0
rxPkt(COS10)     :0
rxPkt(COS11)     :0
rxPkt(UNIT0)     :773
transmitted      :12698
txRequested      :12698
noTxDesc         :0
txError          :0
txReqTooLarge    :0
txInternalError  :0
txDatapathErr    :0
txPkt(COS0 )     :0
txPkt(COS1 )     :0
txPkt(COS2 )     :0
txPkt(COS3 )     :0
txPkt(COS4 )     :0
txPkt(COS5 )     :0
txPkt(COS6 )     :0
txPkt(COS7 )     :0
txPkt(COS8 )     :0
txPkt(COS9 )     :0
txPkt(COS10)     :0
txPkt(COS11)     :0
txPkt(UNIT0)     :0

Example of Viewing Party Bus Statistics

Dell#sh hardware stack-unit 1 cpu party-bus statis
Example of Displaying Counter Values for all Interfaces in the Selected Stack-Member and Port-Pipe

Dell# show hardware stack-unit 1 unit 0 counters
Interface Gi 1/1 :
Description
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 routed multicast Packets
RX - IPV6 L3 Unicast Frame Counter
RX - IPV6 L3 routed multicast Packets
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 64 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame C
Example of Displaying Counter Information for a Specific Interface

Dell#show hardware counters interfac gigabitethernet 5/1
unit: 0 port: 2 (interface Gi 5/1)
Description                                Value
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 Routed Multicast Packets
RX - IPV6 L3 Unicast Frame Counter
RX - IPV6 L3 Routed Multicast Packets
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 65 to 127 Byte Frame Counter
RX - 128 to 255 Byte Frame Counter
RX - 256 to 511 Byte Frame Counter
RX - 512 to 1023 Byte Frame Co
Mini Core Dumps

Dell Networking OS supports mini core dumps on application and kernel crashes. Mini core dumps apply to Master, Standby, and Member units, and are always enabled for both application and kernel crashes. A mini core dump contains the stack space and some other minimal information that you can use to debug a crash. These are small files that are written to flash until space is exhausted; when the flash is full, writing stops.
You can use the capture-duration timer and the packet-count counter at the same time. The TCP dump stops as soon as the first of the two thresholds is reached: even if the capture-duration timer is set to 9000 seconds, the dump stops earlier if the packet-count threshold is met first. To enable a TCP dump, use the following command.

• Enable a TCP dump for CPU bound traffic.
62 Standards Compliance

This chapter describes standards compliance for Dell Networking products.

NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
MTU 9,252 bytes

RFC and I-D Compliance

Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard.

General Internet Protocols

The following table lists the Dell Networking OS support per platform for general internet protocols.

Table 83. General Internet Protocols
RFC# | Full Name | First supported release
768 | User Datagram Protocol | 7.6.
General IPv4 Protocols

The following table lists the Dell Networking OS support per platform for general IPv4 protocols.

Table 84. General IPv4 Protocols
RFC# | Full Name | Z-Series / S-Series
791 | Internet Protocol | 7.6.1
792 | Internet Control Message Protocol | 7.6.1
826 | An Ethernet Address Resolution Protocol | 7.6.1
1027 | Using ARP to Implement Transparent Subnet Gateways | 7.6.1
1035 | DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION (client) | 7.6.
2131 | Dynamic Host Configuration Protocol | 7.6.1
2338 | Virtual Router Redundancy Protocol (VRRP) | 7.6.1
3021 | Using 31-Bit Prefixes on IPv4 Point-to-Point Links | 7.7.1
3046 | DHCP Relay Agent Information Option | 7.8.1
3069 | VLAN Aggregation for Efficient IP Address Allocation | 7.8.1
3128 | Protection Against a Variant of the Tiny Fragment Attack | 7.6.
RFC# | Full Name | Z-Series / S-Series
| ... over Ethernet Networks |
2675 | IPv6 Jumbograms | 7.8.1
2711 | IPv6 Router Alert Option | 8.3.12.0
3587 | IPv6 Global Unicast Address Format | 7.8.1
4007 | IPv6 Scoped Address Architecture | 8.3.12.0
4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | 7.8.1
4443 | Internet Control Message Protocol (ICMPv6) for the IPv6 Specification | 7.8.1
4861 | Neighbor Discovery for IPv6 | 8.3.12.0
4862 | IPv6 Stateless Address Autoconfiguration | 8.3.12.0
5175 | | 8.3.12.
RFC# | Full Name | S-Series/Z-Series
2545 | Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing |
2796 | BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) | 7.8.1
2842 | Capabilities Advertisement with BGP-4 | 7.8.1
2858 | Multiprotocol Extensions for BGP-4 | 7.8.1
2918 | Route Refresh Capability for BGP-4 | 7.8.1
3065 | Autonomous System Confederations for BGP | 7.8.1
4360 | BGP Extended Communities Attribute | 7.8.1
4893 | BGP Support for Four-octet AS Number Space | 7.8.
RFC# | Full Name | S-Series
2763 | Dynamic Hostname Exchange Mechanism for IS-IS |
2966 | Domain-wide Prefix Distribution with Two-Level ISIS |
3373 | Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Point-to-Point Adjacencies |
3567 | IS-IS Cryptographic Authentication |
3784 | Intermediate System to Intermediate System (ISIS) Extensions in Support of Generalized Multi-Protocol Label Switching (GMPLS) |
5120 | MT-ISIS: Multi Topology (MT) Routing in Intermediate System to Intermediate Systems ( |
RFC# | Full Name | Z-Series / S-Series | Notes
3376 | Internet Group Management Protocol, Version 3 | 7.8.1 |
3569 | An Overview of Source-Specific Multicast (SSM) | 7.8.1 | SSM for IPv4
3618 | Multicast Source Discovery Protocol (MSDP) | |
draft-ietf-pim-sm-v2-new-05 | Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised) | 7.8.1 | PIM-SM for IPv4

Network Management

The following table lists the Dell Networking OS support per platform for network management protocols.

Table 91.
RFC# | Full Name | S4810
2558 | Definitions of Managed Objects for the Synchronous Optical Network/Synchronous Digital Hierarchy (SONET/SDH) Interface Type |
2570 | Introduction and Applicability Statements for Internet Standard Management Framework | 7.6.1
2571 | An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks | 7.6.1
2572 | Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) | 7.6.
RFC# | Full Name | S4810
| ... Statistics High-Capacity Table, Ethernet History High-Capacity Table |
3416 | Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) | 7.6.1
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1
3434 | Remote Monitoring MIB Extensions for High Capacity Alarms, High-Capacity Alarm Table (64 bits) | 7.6.1
3580 | IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines | 7.6.
RFC# | Full Name | S4810
IEEE 802.1AB | The LLDP Management Information Base extension module for IEEE 802.3 organizationally defined discovery information (LLDP DOT1 MIB and LLDP DOT3 MIB) | 7.7.1
ruzin-mstp-mib-02 (Traps) | Definitions of Managed Objects for Bridges with Multiple Spanning Tree Protocol | 7.6.1
sFlow.org | sFlow Version 5 | 7.7.1
sFlow.org | sFlow Version 5 MIB | 7.7.1
FORCE10-BGP4-V2-MIB | Force10 BGP MIB (draft-ietf-idr-bgp4-mibv2-05) | 7.8.
https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.aspx If you have forgotten or lost your account information, contact Dell TAC for assistance.