Dell Configuration Guide for the S4048–ON System 9.10(0.
Notes, cautions, and warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. WARNING: A WARNING indicates a potential for property damage, personal injury, or death. © 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide.................................................................................................................................................... 33 Audience.....................................................................................................................................................................33 Conventions..................................................................................................................................................
Verify Software Images Before Installation......................................................................................................... 56 Using HTTP for File Transfers.................................................................................................................................57 4 Management.......................................................................................................................................................... 59 Configuring Privilege Levels..
Viewing the Configuration Lock Status......................................................................................................... 80 Reloading the system...............................................................................................................................................81 Restoring the Factory Default Settings................................................................................................................ 82 Important Points to Remember..................
Guest and Authentication-Fail VLANs................................................................................................................ 110 Configuring a Guest VLAN.............................................................................................................................. 110 Configuring an Authentication-Fail VLAN...................................................................................................
Guidelines for Configuring ACL Logging.....................................................................................................143 Configuring ACL Logging............................................................................................................................... 144 Flow-Based Monitoring Support for ACLs........................................................................................................ 144 Behavior of Flow-Based Monitoring..................................
Important Points to Remember.....................................................................................................................193 Configuration Information................................................................................................................................... 194 BGP Configuration................................................................................................................................................. 194 Enabling BGP.......................
View CAM Usage.................................................................................................................................................... 239 CAM Optimization..................................................................................................................................................239 Troubleshoot CAM Profiling................................................................................................................................
DCBx Operation................................................................................................................................................ 271 DCBx Port Roles................................................................................................................................................272 DCB Configuration Exchange........................................................................................................................273 Configuration Source Election.......
15 Equal Cost Multi-Path (ECMP)........................................................................................................................ 314 ECMP for Flow-Based Affinity..............................................................................................................................314 Configuring the Hash Algorithm................................................................................................................... 314 Enabling Deterministic ECMP Next Hop............
FRRP Configuration............................................................................................................................................... 343 Creating the FRRP Group............................................................................................................................... 343 Configuring the Control VLAN...................................................................................................................... 344 Configuring and Adding the Member VLANs.
Viewing IGMP Enabled Interfaces.......................................................................................................................365 Selecting an IGMP Version................................................................................................................................... 365 Viewing IGMP Groups........................................................................................................................................... 366 Adjusting Timers..................
Configuring a Management Interface on an Ethernet Port.................................................................... 390 VLAN Interfaces.......................................................................................................................................................391 Loopback Interfaces.............................................................................................................................................. 391 Null Interfaces..................................
Clearing Interface Counters...........................................................................................................................416 23 Internet Protocol Security (IPSec)................................................................................................................. 418 Configuring IPSec ................................................................................................................................................. 418 24 IPv4 Routing....................
Extended Address Space.................................................................................................................................437 Stateless Autoconfiguration........................................................................................................................... 437 IPv6 Headers......................................................................................................................................................437 IPv6 Header Fields..................
IS-IS Addressing......................................................................................................................................................465 Multi-Topology IS-IS.............................................................................................................................................466 Transition Mode...............................................................................................................................................
Setting the MAC Learning Limit.....................................................................................................................505 mac learning-limit Dynamic.......................................................................................................................... 505 mac learning-limit mac-address-sticky...................................................................................................... 505 mac learning-limit station-move.................................
Microsoft Clustering.............................................................................................................................................. 539 Enable and Disable VLAN Flooding ................................................................................................................... 539 Configuring a Switch for NLB .............................................................................................................................
Configuring an EdgePort.......................................................................................................................................571 Flush MAC Addresses after a Topology Change..............................................................................................572 MSTP Sample Configurations..............................................................................................................................
Assigning IPv6 Addresses on an Interface.................................................................................................. 634 Assigning Area ID on an Interface................................................................................................................ 634 Assigning OSPFv3 Process ID and Router ID Globally............................................................................. 635 Assigning OSPFv3 Process ID and Router ID to a VRF.....................................
40 Port Monitoring................................................................................................................................................ 668 Important Points to Remember..........................................................................................................................668 Port Monitoring......................................................................................................................................................
Configuring Port-Based Rate Policing.........................................................................................................707 Configuring Port-Based Rate Shaping......................................................................................................... 707 Policy-Based QoS Configurations......................................................................................................................708 Classify Traffic.....................................................
Configuring an RMON Event..........................................................................................................................753 Configuring RMON Collection Statistics..................................................................................................... 754 Configuring the RMON Collection History................................................................................................. 754 46 Rapid Spanning Tree Protocol (RSTP)......................................
Configuring the SSH Server Cipher List....................................................................................................... 787 Configuring the SSH Client Cipher List....................................................................................................... 788 Secure Shell Authentication...........................................................................................................................788 Troubleshooting SSH...............................................
sFlow Show Commands.......................................................................................................................................826 Displaying Show sFlow Global...................................................................................................................... 826 Displaying Show sFlow on an Interface.......................................................................................................827 Displaying Show sFlow on a Stack-unit......................
Fetch Dynamic MAC Entries using SNMP......................................................................................................... 851 Deriving Interface Indices.....................................................................................................................................852 Monitor Port-Channels.........................................................................................................................................
Important Points to Remember.......................................................................................................................... 883 Configuring Interfaces for Layer 2 Mode..........................................................................................................884 Enabling Spanning Tree Protocol Globally.......................................................................................................885 Adding an Interface to the Spanning Tree Group...............
Configuring Tunnel Keepalive Settings.............................................................................................................. 917 Configuring a Tunnel Interface............................................................................................................................917 Configuring Tunnel Allow-Remote Decapsulation........................................................................................ 918 Configuring the Tunnel Source Anylocal..........................
RSTP and VLT.................................................................................................................................................... 950 VLT Bandwidth Monitoring............................................................................................................................ 950 VLT and Stacking.............................................................................................................................................. 951 VLT and IGMP Snooping..........
Functional Overview of VXLAN Gateway..........................................................................................................996 VXLAN Frame Format............................................................................................................................................996 Components of VXLAN Frame Format........................................................................................................996 Configuring and Controlling VXLAN from the NVP Controller GUI...
Trace Logs............................................................................................................................................................. 1052 Auto Save on Crash or Rollover........................................................................................................................ 1052 Last Restart Reason..............................................................................................................................................
1 About this Guide This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell Command Line Reference Guide for your system. The S4048–ON platform is available with Dell Networking OS version 9.7.(0.1) and beyond.S4048–ON stacking is supported with Dell Networking OS version 9.7(0.1) and beyond.
2 Configuration Fundamentals The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
For more information about privilege levels and security options, refer to the Privilege Levels Overview section in the Security chapter. The Dell Networking OS CLI is divided into three major mode levels: • EXEC mode is the default mode and has a privilege level of 1, which is the most restricted level. Only a limited selection of commands is available, notably the show commands, which allow you to view system information.
OPENFLOW INSTANCE PVST PORT-CHANNEL FAILOVER-GROUP PREFIX-LIST PRIORITY-GROUP PROTOCOL GVRP QOS POLICY RSTP ROUTE-MAP ROUTER BGP BGP ADDRESS-FAMILY ROUTER ISIS ISIS ADDRESS-FAMILY ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE SUPPORTASSIST TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP uBoot Navigating CLI Modes The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode.
CLI Command Mode Prompt Access Command Interface Group Dell(conf-if-group)# interface(INTERFACE modes) Interface Range Dell(conf-if-range)# interface (INTERFACE modes) Loopback Interface Dell(conf-if-lo-0)# interface (INTERFACE modes) Management Ethernet Interface Dell(conf-if-ma-1/1)# interface (INTERFACE modes) Null Interface Dell(conf-if-nu-0)# interface (INTERFACE modes) Port-channel Interface Dell(conf-if-po-1)# interface (INTERFACE modes) Tunnel Interface Dell(conf-if-tu-1)# int
CLI Command Mode Prompt Access Command CLASS-MAP Dell(config-class-map)# class-map CONTROL-PLANE Dell(conf-control-cpuqos)# control-plane-cpuqos DHCP Dell(config-dhcp)# ip dhcp server DHCP POOL Dell(config-dhcp-pool-name)# pool (DHCP Mode) ECMP Dell(conf-ecmp-group-ecmpgroup-id)# ecmp-group EIS Dell(conf-mgmt-eis)# management egress-interfaceselection FRRP Dell(conf-frrp-ring-id)# protocol frrp LLDP Dell(conf-lldp)# or Dell(conf-if —interface-lldp)# protocol lldp (CONFIGURATION or
Stack MAC Reload-Type : 34:17:eb:f2:c2:c4 : normal-reload [Next boot : normal-reload] -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports -----------------------------------------------------------------------1 Management online S4048-ON S4048-ON 1-0(0-3932) 72 2 Member not present 3 Member not present 4 Member not present 5 Member not present 6 Member not present -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------1 1 u
clear clock Reset functions Manage the system clock • Enter ? after a partial keyword lists all of the keywords that begin with the specified letters. Dell(conf)#cl? class-map clock Dell(conf)#cl • Enter [space]? after a keyword lists all of the keywords that can follow the specified keyword. Dell(conf)#clock ? summer-time Configure summer (daylight savings) time timezone Configure time zone Dell(conf)#clock Entering and Editing Commands Notes for entering commands. • The CLI is not case-sensitive.
Short-Cut Key Combination Action Esc F Moves the cursor forward one word. Esc D Deletes all characters from the cursor to the end of the word. Command History The Dell Networking OS maintains a history of previously-entered commands for each mode. For example: • When you are in EXEC mode, the UP and DOWN arrow keys display the previously-entered EXEC mode commands. • When you are in CONFIGURATION mode, the UP or DOWN arrows keys recall the previously-entered CONFIGURATION mode commands.
The no-more command displays the output all at once rather than one screen at a time. This is similar to the terminal length command except that the no-more option affects the output of the specified command only. The save command copies the output to a file for future reference. NOTE: You can filter a single command output multiple times. The save option must be the last option entered.
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and system then loads the Dell Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Console Access The device has one RJ-45/RS-232 console port, an out-of-band (OOB) Ethernet port, and a micro USB-B console port. Serial Console The RJ-45/RS-232 console port is labeled on the upper right-hand side, as you face the PSU side of the chassis. Figure 1. RJ-45 Console Port 1. RJ-45 management Ethernet port. 2. RS-232 console port.
Table 2.
• To avoid denial of service (DoS) attacks, a rate-limit of 10 concurrent sessions per minute in SSH is devised. Therefore, you might experience a failure in executing SSH-related scripts when multiple short SSH commands are executed. • If you issue an interactive command in the SSH session, the behavior may not really be interactive.
Configure the Management Port IP Address To access the system remotely, assign IP addresses to the management ports. 1 Enter INTERFACE mode for the Management port. CONFIGURATION mode interface ManagementEthernet slot/port 2 Assign an IP address to the interface. INTERFACE mode ip address ip-address/mask 3 • ip-address: an address in dotted-decimal format (A.B.C.D). • mask: a subnet mask in /prefix-length format (/ xx). Enable the interface.
Configuring the Enable Password Access EXEC Privilege mode using the enable command. EXEC Privilege mode is unrestricted by default. Configure a password as a basic security measure. There are three types of enable passwords: • enable password is stored in the running/startup configuration using a DES encryption method. • enable secret is stored in the running/startup configuration using MD5 encryption method.
Location source-file-url Syntax destination-file-url Syntax copy tftp://{hostip | hostname}/filepath/ filename tftp://{hostip | hostname}/ filepath/filename FTP server For a remote file location: TFTP server For a remote file location: SCP server copy scp://{hostip | hostname}/ scp://{hostip | hostname}/ filepath/ filename filepath/filename Important Points to Remember • You may not copy a file from one remote system to another. • You may not copy a file from one location to the same location.
Table 5. Forming a copy Command Location source-file-url Syntax destination-file-url Syntax For a remote file location: copy nfsmount://{}/filepath/filename} username:password tftp://{hostip | hostname}/ filepath/filename NFS File System Important Points to Remember • You cannot copy a file from one remote system to another. • You cannot copy a file from one location to the same location.
Save the Running-Configuration The running-configuration contains the current system configuration. Dell Networking recommends coping your runningconfiguration to the startup-configuration. The commands in this section follow the same format as those commands in the Copy Files to and from the System section but use the filenames startup-configuration and running-configuration. These commands assume that current directory is the internal flash, which is the system default.
Example of the dir Command The output of the dir command also shows the read/write privileges, size (in bytes), and date of modification for each file.
Table 6. Standard and Compressed Configurations int vlan 2 int vlan 3 int vlan 4 int vlan 5 int vlan 100 int vlan 1000 no ip address tagged te 1/1 tagged te 1/1 tagged te 1/1 no ip address ip address 1.1.1.1/16 no shut no ip address no ip address no ip address no shut no shut shut shut shut int te 1/1 int te 1/2 int te 1/3 int te 1/4 int te 1/10 int te 1/34 no ip address no ip address no ip address no ip address no ip address ip address 2.1.1.
interface TenGigabitEthernet 1/34 ! ip address 2.1.1.1/16 interface Vlan 1000 shutdown ip address 1.1.1.1/16 ! no shutdown interface Vlan 2 ! no ip address no shutdown Compressed config size – 27 lines. ! interface Vlan 3 tagged te 1/1 no ip address shutdown ! interface Vlan 4 tagged te 1/1 no ip address shutdown ! interface Vlan 5 tagged te 1/1 no ip address shutdown ! interface Vlan 100 no ip address no shutdown ! interface Vlan 1000 ip address 1.1.1.
The following is the sample output: Dell#write memory compressed ! Jul 30 08:50:26: %STKUNIT0-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default copy compressed-config Copy one file, after optimizing and reducing the size of the configuration file, to another location. Dell Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).
To enable the VRF feature and cause all VRF-related commands to be available or viewable in the CLI interface, use the following command. You must enable the VRF feature before you can configure its related attributes. Dell(conf)# feature vrf Based on if the VRF feature is identified as supported in the Feature Configuration file, configuration command feature vrf becomes available for usage. This command is stored in the running-configuration and precedes all other VRF-related configurations.
To validate a software image: 1. Download Dell Networking OS software image file from the iSupport page to the local (FTP or TFTP) server. The published hash for that file displays next to the software image file on the iSupport page. 2. Go on to the Dell Networking system and copy the software image to the flash drive, using the copy command. 3. Run the verify {md5 | sha256} [ flash://]img-file sha256 flash://FTOS-SE-9.5.0.0.bin 4.
NOTE: To enable HTTP to be VRF-aware, as a prerequisite you must first define the VRF. You can specify either the management VRF or a nondefault VRF to configure the VRF awareness setting. When you specify the management VRF, the copy operation that is used to transfer files to and from an HTTP server utilizes the VRF table corresponding to the Management VRF to look up the destination. When you specify a nondefault VRF, the VRF table corresponding to that nondefault VRF is used to look up the HTTP server.
4 Management This chapter describes the different protocols or services used to manage the Dell Networking system.
• restricting access to an EXEC mode command • moving commands from EXEC Privilege to EXEC mode • restricting access A user can access all commands at his privilege level and below. Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode.
• Remove a command from the list of available commands in EXEC mode. CONFIGURATION mode • privilege exec level level {command ||...|| command} Move a command from EXEC Privilege to EXEC mode. CONFIGURATION mode • privilege exec level level {command ||...|| command} Allow access to CONFIGURATION mode. CONFIGURATION mode • privilege exec level level configure Allow access to INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode. Specify all the keywords in the command.
null Null interface port-channel Port-channel interface range Configure interface range sonet SONET interface tengigabitethernet TenGigabit Ethernet interface vlan VLAN interface Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#? end Exit from configuration mode exit Exit from interface configuration mode Dell(conf-if-te-1/1)#exit Dell(conf)#line ? aux Auxiliary line console Primary terminal line vty Virtual terminal Dell(conf)#line vty 0 Dell(config-line-vty)#? exit Exit from line configura
CONFIGURATION mode • no logging on Disable logging to the logging buffer. CONFIGURATION mode • no logging buffer Disable logging to terminal lines. CONFIGURATION mode • no logging monitor Disable console logging. CONFIGURATION mode no logging console Audit and Security Logs This section describes how to configure, display, and clear audit and security logs.
• User access and configuration changes to the security and crypto parameters (not the key information but the crypto configuration) Important Points to Remember When you enabled RBAC and extended logging: • Only the system administrator user role can execute this command. • The system administrator and system security administrator user roles can view security events and system events. • The system administrator user roles can view audit, security, and system events.
The following describes the two log messages formats: • 0 – Displays syslog messages format as described in RFC 3164, The BSD syslog Protocol • 1 – Displays syslog message format as described in RFC 5424, The SYSLOG Protocol Example of Configuring the Logging Message Format Dell(conf)#logging version ? <0-1> Select syslog version (default = 0) Dell(conf)#logging version 1 Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging setti
Setting Up a Secure Connection to a Syslog Server You can use reverse tunneling with the port forwarding to securely connect to a syslog server. Figure 2. Setting Up a Secure Connection to a Syslog Server Pre-requisites To configure a secure connection from the switch to the syslog server: 1. On the switch, enable the SSH server Dell(conf)#ip ssh server enable 2.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization. Dell(conf)# logging localhost tcp port Dell(conf)#logging 127.0.0.1 tcp 5140 Sending System Messages to a Syslog Server To send system messages to a specified syslog server, use the following command. The following syslog standards are supported: RFC 5424 The SYSLOG Protocol, R.Gerhards and Adiscon GmbH, March 2009, obsoletes RFC 3164 and RFC 5426 Transmission of Syslog Messages over UDP.
Example of Configuring Login Activity Tracking The following example enables login activity tracking. The system stores the login activity details for the last 30 days. Dell(config)#login statistics enable The following example enables login activity tracking and configures the system to store the login activity details for 12 days. Dell(config)#login statistics enable Dell(config)#login statistics time-period 12 Display Login Statistics To view the login statistics, use the show login statistics command.
Unsuccessful login attempt(s) since the last successful login: 0 Unsuccessful login attempt(s) in last 30 day(s): 3 Successful login attempt(s) in last 30 day(s): 2 Example of the show login statistics user user-id command The show login statistics user user-id command displays the successful and failed login details of a specific user in the last 30 days or the custom defined time period.
Configuring Concurrent Session Limit To configure concurrent session limit, follow this procedure: • Limit the number of concurrent sessions for all users. CONFIGURATION mode login concurrent-session limit number-of-sessions Example of Configuring Concurrent Session Limit The following example limits the permitted number of concurrent login sessions to 4.
5 vty 3 10.14.1.97 Kill existing session? [line number/Enter to cancel]: Log Messages in the Internal Buffer All error messages, except those beginning with %BOOTUP (Message), are log in the internal buffer.
• Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file. – Add line on a 4.1 BSD UNIX system. local7.debugging /var/log/ftos.log – Add line on a 5.7 SunOS UNIX system. local7.debugging /var/adm/ftos.log In the previous lines, local7 is the logging facility level and debugging is the severity level.
Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
– local1 (for local use) – local2 (for local use) – local3 (for local use) – local4 (for local use) – local5 (for local use) – local6 (for local use) – local7 (for local use) – lpr (for line printer system messages) – mail (for mail system messages) – news (for USENET news messages) – sys9 (system use) – sys10 (system use) – sys11 (system use) – sys12 (system use) – sys13 (system use) – sys14 (system use) – syslog (for syslog messages) – user (for user programs) – uucp (UNIX to UNIX copy protocol) Example o
logging synchronous [level severity-level | all] [limit] Configure the following optional parameters: • level severity-level: the range is from 0 to 7. The default is 2. Use the all keyword to include all messages. • limit: the range is from 20 to 300. The default is 20. To view the logging synchronous configuration, use the show config command in LINE mode. Enabling Timestamp on Syslog Messages By default, syslog messages do not include a time/date stamp stating when the error or message was created.
Enabling the FTP Server To enable the system as an FTP server, use the following command. To view FTP configuration, use the show running-config ftp command in EXEC privilege mode. • Enable FTP on the system. CONFIGURATION mode ftp-server enable Example of Viewing FTP Configuration Dell#show running ftp ! ftp-server enable ftp-server username nairobi password 0 zanzibar Dell# Configuring FTP Server Parameters After you enable the FTP server on the system, you can configure different parameters.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. CONFIGURATION mode • ip ftp source-interface interface Configure a password. CONFIGURATION mode • ip ftp password password Enter a username to use on the FTP client. CONFIGURATION mode ip ftp username name To view the FTP configuration, use the show running-config ftp command in EXEC privilege mode, as shown in the example for Enable FTP Server.
Example of an ACL that Permits Terminal Access Example Configuration To view the configuration, use the show config command in LINE mode. Dell(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 Dell(config-std-nacl)#line vty 0 Dell(config-line-vty)#show config line vty 0 access-class myvtyacl Dell(conf-ipv6-acl)#do show run acl ! ip access-list extended testdeny seq 10 deny ip 30.1.1.
CONFIGURATION mode login authentication {method-list-name | default} 3 If you used the line authentication method in the method list you applied to the terminal line, configure a password for the terminal line. LINE mode password Example of Terminal Line Authentication In the following example, VTY lines 0-2 use a single authentication method, line.
Using Telnet to get to Another Network Device To telnet to another device, use the following commands. NOTE: The device allows 120 Telnet sessions per minute, allowing the login and logout of 10 Telnet sessions, 12 times in a minute. If the system reaches this non-practical limit, the Telnet service is stopped for 10 minutes. You can use console and SSH service to access the system during downtime. • Telnet to a device with an IPv4 or IPv6 address.
3d23h35m: %RPM0-P:CP %SYS-5-CONFIG_I: Configured from console by console Dell#config ! Locks configuration mode exclusively. Dell(conf)# If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1): % Error: User "" on line console0 is in exclusive configuration mode.
The following example shows how to reload the system into ONIE prompt and enter the install mode directly: Dell#reload onie install Proceed with reload [confirm yes/no]: yes Restoring the Factory Default Settings Restoring the factory-default settings deletes the existing NVRAM settings, startup configuration, and all configured settings such as, stacking or fanout.
primary boot line is set to A: and the secondary and default boot lines are set to a Null string. If the secondary partition also contains a valid image, then the primary boot line value is set to the partition that is configured to be used to boot the device in a network failure scenario. The secondary and default boot line values are set to a Null string. Important Points to Remember • The Chassis remains in boot prompt if none of the partitions contain valid images.
5 802.1ag Ethernet operations, administration, and maintenance (OAM) are a set of tools used to install, monitor, troubleshoot, and manage Ethernet infrastructure deployments. Ethernet OAM consists of three main areas: • Service layer OAM — IEEE 802.1ag connectivity fault management (CFM) • Link layer OAM — IEEE 802.
• routing protocols choose a subset of the total network topology for forwarding, making it hard to detect faults in links and nodes that are not included in the active routing topology. This is made more complex when using some form of traffic engineering (TE) based routing. • network and element discovery and cataloging is not clearly defined using IP troubleshooting tools. There is a need for Layer 2 equivalents to manage and troubleshoot native Layer 2 Ethernet networks.
These roles define the relationships between all devices so that each device can monitor the layers under its responsibility. Maintenance points drop all lower-level frames and forward all higher-level frames. Figure 4. Maintenance Points Maintenance End Points A maintenance end point (MEP) is a logical entity that marks the end point of a domain. There are two types of MEPs defined in 802.1ag for an 802.
Implementation Information The S-Series has a single MAC address for all physical/LAG interfaces and hence only one MEP is allowed per MA (per VLAN or per MD level). Configuring the CFM To configure the CFM, follow these steps: 1. Configure the ecfmacl CAM region using the cam-acl command. 2. Enable Ethernet CFM. 3. Create a Maintenance Domain. 4. Create a Maintenance Association. 5. Create Maintenance Points. 6. Use CFM tools: a Continuity Check Messages. b Loopback Message and Response.
Example of Viewing Configured Maintenance Domains Dell# show ethernet cfm domain Domain Name: customer Level: 7 Total Service: 1 Services MA-Name VLAN CC-Int My_MA 200 10s X-CHK Status enabled Domain Name: praveen Level: 6 Total Service: 1 Services MA-Name VLAN CC-Int Your_MA 100 10s X-CHK Status enabled Creating a Maintenance Association A Maintenance association (MA) is a subdivision of an MD that contains all managed entities corresponding to a single end-toend service, typically a virtual area netwo
show ethernet cfm maintenance-points local [mep | mip] Dell#show ethernet cfm maintenance-points local mep --------------------------------------------------------------MPID Domain Name Level Type Port CCM-Status MA Name VLAN Dir MAC ---------------------------------------------------------------100 cfm0 7 MEP Te 4/10 Enabled test0 10 DOWN 00:01:e8:59:23:45 200 cfm1 6 MEP Te 4/10 Enabled test1 20 DOWN 00:01:e8:59:23:45 300 cfm2 5 MEP Te 4/10 Enabled test2 30 DOWN 00:01:e8:59:23:45 Creating a Maintenance In
show ethernet cfm mipdb Example of Displaying the MEP Database Dell#show ethernet cfm maintenance-points remote detail MAC Address: 00:01:e8:58:68:78 Domain Name: cfm0 MA Name: test0 Level: 7 VLAN: 10 MP ID: 900 Sender Chassis ID: Force10 MEP Interface status: Up MEP Port status: Forwarding Receive RDI: FALSE MP Status: Active Setting the MP Database Persistence To set the database persistence, use the following command.
Frames at Frames from UP-MEP Action Down-MEP Action MIP Action Greater than my level Bridge-relay side or Wire side Forward Forward Forward All the remote MEPs in the maintenance domain are defined on each MEP. Each MEP then expects a periodic CCM from the configured list of MEPs. A connectivity failure is then defined as: • Loss of three consecutive CCMs from any of the remote MEP, which indicates a network failure.
Sending Loopback Messages and Responses Loopback message and response (LBM, LBR), also called Layer 2 Ping, is an administrative echo transmitted by MEPs to verify reachability to another MEP or MIP within the maintenance domain. LBM and LBR are unicast frames.
Caching Link Trace After you execute a Link Trace command, the trace information can be cached so that you can view it later without retracing. To enable, set, display, and delete link trace caching, use the following commands. • Enable Link Trace caching. CONFIGURATION mode • traceroute cache Set the amount of time a trace result is cached. ETHERNET CFM mode traceroute cache hold-time minutes The default is 100 minutes. • The range is from 10 to 65535 minutes. Set the size of the Link Trace Cache.
Enabling CFM SNMP Traps An SNMP trap is sent only when one of the five highest priority defects occur. Table 8.
Displaying Ethernet CFM Statistics To display Ethernet CFM statistics, use the following commands. • Display MEP CCM statistics. EXEC Privilege mode • show ethernet cfm statistics [domain {name | level} vlan-id vlan-id mpid mpid Display CFM statistics by port.
6 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
The following figures show how the EAP frames are encapsulated in Ethernet and RADIUS frames. Figure 7. EAP Frames Encapsulated in Ethernet and RADUIS Figure 8. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• Ports are in an unauthorized state by default. In this state, non-802.1X traffic cannot be forwarded in or out of the port. • The authenticator changes the port state to authorized if the server can authenticate the supplicant. In this state, network traffic can be forwarded normally. NOTE: The Dell Networking switches place 802.1X-enabled ports in the unauthorized state by default. Topics: • Port-Authentication Process • Configuring 802.1X • Important Points to Remember • Enabling 802.
Success frame. If the identity information is invalid, the server sends an Access-Reject frame. If the port state remains unauthorized, the authenticator forwards an EAP Failure frame. Figure 9. EAP Port-Authentication EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79.
RADIUS Attributes for 802.1X Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X Enable 802.1X globally. Figure 11. 802.1X Enabled 1 Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2 Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3 Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Examples of Verifying that 802.1X is Enabled Globally and on an Interface Verify that 802.
In the following example, the bold lines show that 802.1X is enabled. Dell#show running-config | find dot1x dot1x authentication ! [output omitted] ! interface TenGigabitEthernet 2/1 no ip address dot1x authentication no shutdown ! Dell# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. Dell#show dot1x interface TenGigabitEthernet 2/1/ 802.
Dot1x Profile test Profile MACs 00:00:00:00:01:11 Configuring MAC addresses for a do1x Profile To configure a list of MAC addresses for a dot1x profile, use the mac command. You can configure 1 to 6 MAC addresses. • Configure a list of MAC addresses for a dot1x profile. DOT1X PROFILE CONFIG (conf-dot1x-profile) mac mac-address mac-address — Enter the keyword mac and type up to the 48– bit MAC addresses using the nn:nn:nn:nn:nn:nn format. A maximum of 6 MAC addresses are allowed.
Auth-Fail VLAN id: Auth-Fail Max-Attempts:3 Critical VLAN: Critical VLAN id: Mac-Auth-Bypass Only: Static-MAB: Static-MAB Profile: Tx Period: Quiet Period: ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Auth Type: Auth PAE State: Backend State: 200 Enable 300 Disable Enable Sample 90 seconds 120 seconds 10 30 seconds 30 seconds 7200 seconds 10 SINGLE_HOST Authenticated Idle Configuring Critical VLAN By default, critical-VLAN is not configured.
Auth PAE State: Backend State: Authenticated Idle Configuring Request Identity Re-Transmissions When the authenticator sends a Request Identity frame and the supplicant does not respond, the authenticator waits for 30 seconds and then re-transmits the frame. The amount of time that the authenticator waits before re-transmitting and the maximum number of times that the authenticator re-transmits can be configured.
• re-transmits an EAP Request Identity frame The bold lines show the new re-transmit interval, new quiet period, and new maximum re-transmissions. Dell(conf-if-range-Te-2/1)#dot1x tx-period 90 Dell(conf-if-range-Te-2/1)#dot1x max-eap-req 10 Dell(conf-if-range-Te-2/1)#dot1x quiet-period 120 Dell#show dot1x interface TenGigabitEthernet 2/1 802.
ReAuth Max: Supplicant Timeout: Server Timeout: Re-Auth Interval: Max-EAP-Req: Auth Type: Auth PAE State: Backend State: Auth PAE State: Backend State: 2 30 seconds 30 seconds 3600 seconds 10 SINGLE_HOST Initialize Initialize Initialize Initialize Re-Authenticating a Port You can configure the authenticator for periodic re-authentication. After the supplicant has been authenticated, and the port has been authorized, you can configure the authenticator to reauthenticate the supplicant periodically.
Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response. To terminate the authentication process, use the following commands: • Terminate the authentication process due to an unresponsive supplicant. INTERFACE mode dot1x supplicant-timeout seconds The range is from 1 to 300. • The default is 30.
Configuring Dynamic VLAN Assignment with Port Authentication Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Networking system 2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3.
5 Verify that the port has been authorized and placed in the desired VLAN (refer to the illustration in Dynamic VLAN Assignment with Port Authentication). Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated.
Example of Configuring Maximum Authentication Attempts Dell(conf-if-Te-2/1)#dot1x guest-vlan 200 Dell(conf-if-Te 2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 no shutdown Dell(conf-if-Te-2/1)# Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-Te-2/1)# Exam
7 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This section describes the access control list (ACL) virtual local area network (VLAN) group, and content addressable memory (CAM) enhancements. Optimizing CAM Utilization During the Attachment of ACLs to VLANs To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports.
• The ACL is applied or removed from a group and the ACL group does not contain a VLAN member. • The description of the ACL group is added or removed. Guidelines for Configuring ACL VLAN Groups Keep the following points in mind when you configure ACL VLAN groups: • The interfaces where you apply the ACL VLAN group function as restricted interfaces. The ACL VLAN group name identifies the group of VLANs that performs hierarchical filtering. • You can add only one ACL to an interface at a time.
CONFIGURATION (conf-acl-vl-grp) mode description description 3 Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4 Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5 Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
EXEC Privilege mode Dell#show cam-usage switch Stackunit|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|============|============|============= 1 | 0 | IN-L2 ACL | 1536 | 0 | 1536 | | OUT-L2 ACL | 206 | 9 | 197 Codes: * - cam usage is above 90%. Viewing CAM Usage View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL subpartitions) using the show cam-usage command in EXEC Privilege mode.
| | OUT-L3 ACL | | OUT-V6 ACL 3 | 0 | IN-L2 ACL | | IN-L3 ACL | | IN-V6 ACL | | OUT-L2 ACL | | OUT-L3 ACL | | OUT-V6 ACL Codes: * - cam usage is above 90%.
To display the number of FP blocks that is allocated for the different VLAN services, use the show cam-acl-vlan command. After you configure the ACL VLAN groups, reboot the system to store the settings in nonvolatile storage. During CAM initialization, the chassis manager reads the NVRAM and allocates the dynamic VCAP regions.
8 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
Topics: • IP Access Control Lists (ACLs) • Important Points to Remember • IP Fragment Handling • Configure a Standard IP ACL • Configure an Extended IP ACL • Configure Layer 2 and Layer 3 ACLs • Assign an IP ACL to an Interface • Applying an IP ACL • Configure Ingress ACLs • Configure Egress ACLs • IP Prefix Lists • ACL Resequencing • Route Maps • Logging of ACL Processes • Flow-Based Monitoring Support for ACLs • Configuring UDF ACL IP Access Control Lists (ACLs) In Dell Net
CAM Usage The following section describes CAM allocation and CAM optimization. • • User Configurable CAM Allocation CAM Optimization User Configurable CAM Allocation Allocate space for IPV6 ACLs by using the cam-acl command in CONFIGURATION mode. The CAM space is allotted in filter processor (FP) blocks. The total space allocated must equal 13 FP blocks. (There are 16 FP blocks, but System Flow requires three blocks that cannot be reallocated.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule which is inserted or prepended or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the proginal counter values are retained after a few seconds. If there is no need to shift the flow in the hardware, the counters are not affected.
Dell(conf)#interface te 10/1 Dell(conf-if-te-10/1)#service-policy input pmap Important Points to Remember • • • For route-maps with more than one match clause: – Two or more match clauses within the same route-map sequence have the same match commands (though the values are different), matching a packet against these clauses is a logical OR operation.
map is applied to a command, such as redistribute, traffic passes through all instances of that route map until a match is found. The following is an example with two instances of a route map. The following example shows matching instances of a route-map.
Dell(config-route-map)#match tag 2000 Dell(config-route-map)#match tag 3000 Example of the match Command to Match All Specified Values In the next example, there is a match only if a route has both of the specified characteristics. In this example, there a match only if the route has a tag value of 1000 and a metric value of 2000. Also, if there are different instances of the same route-map, then it’s sufficient if a permit match happens in any instance of that route-map.
• match ipv6 address prefix-list-name Match next-hop routes specified in a prefix list (IPv4). CONFIG-ROUTE-MAP mode • match ip next-hop {access-list-name | prefix-list prefix-list-name} Match next-hop routes specified in a prefix list (IPv6). CONFIG-ROUTE-MAP mode • match ipv6 next-hop {access-list-name | prefix-list prefix-list-name} Match source routes specified in a prefix list (IPv4).
CONFIG-ROUTE-MAP mode • set local-preference value Specify a value for redistributed routes. CONFIG-ROUTE-MAP mode • set metric {+ | - | metric-value} Specify an OSPF or ISIS type for redistributed routes. CONFIG-ROUTE-MAP mode • set metric-type {external | internal | type-1 | type-2} Assign an IP address as the route’s next hop. CONFIG-ROUTE-MAP mode • set next-hop ip-address Assign an IPv6 address as the route’s next hop.
Example of Calling a Route Map to Redistribute Specified Routes router ospf 34 default-information originate metric-type 1 redistribute static metric 20 metric-type 2 tag 0 route-map staticospf ! route-map staticospf permit 10 match interface TenGigabitEthernet 1/1 match metric 255 set level backbone Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol.
• For IP ACL, Dell Networking OS always applies implicit deny. You do not have to configure it. • For IP ACL, Dell Networking OS applies implicit permit for second and subsequent fragment just prior to the implicit deny. • If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments. • Loopback interfaces do not support ACLs using the IP fragment option.
Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied. Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp host 10.1.1.
seq 40 deny 10.8.0.0 /16 seq 45 deny 10.9.0.0 /16 seq 50 deny 10.10.0.0 /16 Dell# The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order. Dell(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)#seq 15 permit tcp 10.3.0.
seq 50 permit tcp 10.8.0.0 /16 10.50.188.118 /31 eq 49 seq 55 permit udp 10.15.1.0 /24 10.50.188.118 /31 range 1812 1813 To delete a filter, enter the show config command in IP ACCESS LIST mode and locate the sequence number of the filter you want to delete. Then use the no seq sequence-number command in IP ACCESS LIST mode.
CONFIG-EXT-NACL mode seq sequence-number {deny | permit} tcp {source mask | any | host ip-address} [count [byte]] [order] [fragments] Example of the seq Command When you create the filters with a specific sequence number, you can create the filters in any order and the filters are placed in the correct order. NOTE: When assigning sequence numbers to filters, you may have to insert a new filter. To prevent reconfiguring multiple filters, assign sequence numbers in multiples of five or another number.
Configure Layer 2 and Layer 3 ACLs Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3 ACLs are applied to an interface, the following rules apply: • When Dell Networking OS routes the packets, only the L3 ACL governs them because they are not filtered against an L2 ACL. • When Dell Networking OS switches the packets, first the L3 ACL filters them, then the L2 ACL filters them.
CONFIGURATION mode interface interface slot/port 2 Configure an IP address for the interface, placing it in Layer-3 mode. INTERFACE mode ip address ip-address 3 Apply an IP ACL to traffic entering or exiting an interface. INTERFACE mode ip access-group access-list-name {in} [implicit-permit] [vlan vlan-range | vrf vrf-range] NOTE: The number of entries allowed per ACL is hardware-dependent. For detailed specification about entries allowed per ACL, refer to your line card documentation.
Example of Applying ACL Rules to Ingress Traffic and Viewing ACL Configuration To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
Dell#configure terminal Dell(conf)#interface te 1/2 Dell(conf-if-te-1/2)#ip vrf forwarding blue Dell(conf-if-te-1/2)#show config ! interface TenGigabitEthernet 1/2 ip vrf forwarding blue no ip address shutdown Dell(conf-if-te-1/2)# Dell(conf-if-te-1/2)# Dell(conf-if-te-1/2)#end Dell# Applying Egress Layer 3 ACLs (Control-Plane) By default, packets originated from the system are not filtered by egress ACLs.
• To deny only /8 prefixes, enter deny x.x.x.x/x ge 8 le 8. • To permit routes with the mask greater than /8 but less than /12, enter permit x.x.x.x/x ge 8. • To deny routes with a mask less than /24, enter deny x.x.x.x/x le 24. • To permit routes with a mask greater than /20, enter permit x.x.x.x/x ge 20. The following rules apply to prefix lists: • A prefix list without any permit or deny filters allows all routes.
Example of Assigning Sequence Numbers to Filters If you want to forward all routes that do not match the prefix list criteria, configure a prefix list filter to permit all routes (permit 0.0.0.0/0 le 32). The “permit all” filter must be the last filter in your prefix list. To permit the default route only, enter permit 0.0.0.0/0. The following example shows how the seq command orders the filters according to the sequence number assigned.
Viewing Prefix Lists To view all configured prefix lists, use the following commands. • Show detailed information about configured prefix lists. EXEC Privilege mode • show ip prefix-list detail [prefix-name] Show a table of summarized information about configured Prefix lists. EXEC Privilege mode show ip prefix-list summary [prefix-name] Examples of the show ip prefix-list Command The following example shows the show ip prefix-list detail command.
If you enter the name of a non-existent prefix list, all routes are forwarded. CONFIG-ROUTER-RIP mode distribute-list prefix-list-name out [interface | connected | static | ospf] Example of Viewing Configured Prefix Lists (ROUTER RIP mode) To view the configuration, use the show config command in ROUTER RIP mode, or the show running-config rip command in EXEC mode. Dell(conf-router_rip)#show config ! router rip distribute-list prefix juba out network 10.0.0.
You can resequence IPv4 and IPv6 ACLs, prefixes, and MAC ACLs. No CAM writes happen as a result of resequencing, so there is no packet loss; the behavior is similar Hot-lock ACLs. NOTE: ACL resequencing does not affect the rules, remarks, or order in which they are applied. Resequencing merely renumbers the rules so that you can place new rules within the list as needed. Table 10. ACL Resequencing Rules Resquencing Rules Before Resequencing: seq 5 permit any host 1.1.1.1 seq 6 permit any host 1.1.1.
remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.2 seq 8 permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.3 seq 12 permit ip any host 1.1.1.4 Remarks that do not have a corresponding rule are incremented as a rule. These two mechanisms allow remarks to retain their original position in the list.
necessary to monitor and examine the traffic that passes through the device. To evaluate network traffic that is subjected to ACLs, configure the logs to be triggered for ACL operations. This functionality is primarily needed for network supervision and maintenance activities of the handled subscriber traffic. When ACL logging is configured, and a frame reaches an ACL-enabled interface and matches the ACL, a log is generated to indicate that the ACL entry matched the packet.
• A maximum of 125 ACL entries with permit action can be logged. A maximum of 126 ACL entries with deny action can be logged. • For virtual ACL entries, the same match rule number is reused. Similarly, when an ACL entry is deleted that was previously enabled for ACL logging, the match rule number used by it is released back to the pool or available set of match indices so that it can be reused for subsequent allocations.
The port mirroring application maintains and performs all the monitoring operations on the chassis. ACL information is sent to the ACL manager, which in turn notifies the ACL agent to add entries in the CAM area. Duplicate entries in the ACL are not saved. When a packet arrives at a port that is being monitored, the packet is validated against the configured ACL rules. If the packet matches an ACL rule, the system examines the corresponding flow processor to perform the action specified for that port.
The show config command has been modified to display monitoring configuration in a particular session. Example Output of the show Command (conf-mon-sess-11)#show config ! monitor session 11 flow-based enable source TenGigabitEthernet 1/1 destination TenGigabitEthernet 1/1 direction both The show ip | mac | ipv6 accounting commands have been enhanced to display whether monitoring is enabled for traffic that matches with the rules of the specific ACL.
Dell(conf)#interface TenGigabitEthernet 1/1 Dell(conf-if-te-1/1)#ip access-group testflow in Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 ip address 10.11.1.254/24 ip access-group testflow in shutdown Dell(conf-if-te-1/1)#exit Dell(conf)#do show ip accounting access-list testflow ! Extended Ingress IP access list testflow on TenGigabitEthernet 1/1 Total cam count 4 seq 5 permit icmp any any monitor count bytes (0 packets 0 bytes) seq 10 permit ip 102.1.1.
EcfmAcl : FcoeAcl : iscsiOptAcl : ipv4pbr : vrfv4Acl : Openflow : fedgovacl : nlbclusteracl: 2 4 0 0 0 0 0 0 -- stack-unit 0 -Current Settings(in block sizes) 1 block = 256 entries L2Acl : 2 Ipv4Acl : 2 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 EcfmAcl : 2 FcoeAcl : 4 iscsiOptAcl : 0 ipv4pbr : 0 vrfv4Acl : 0 Openflow : 0 fedgovacl : 0 nlbclusteracl: 0 0 0 0 0 0 0 0 0 Next Boot(in block sizes) 1 8(UdfEnabled) 2 0 2 0 0 0 0 0 0 0 0 0 0 0 Dell# 4 Create a UDF packet format in the
show config Dell(conf-udf-tcam)#show config ! udf-tcam ipnip seq 1 match l2ethertype ipv4 ipprotocol 4 vlantag any Dell(conf-udf-tcam)# 9 Create a UDF qualifier to assign values to UDF IDs. CONFIGURATION-UDF TCAM mode udf-qualifier-value name Dell(conf-udf-tcam)# udf-qualifier-value ipnip_val1 10 Assign a value to a UDF ID.
9 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 13. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Detection Multiplier The number of packets that must be missed in order to declare a session down. Length The entire length of the BFD packet. My Discriminator A random number generated by the local system to identify the session. Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Demand mode If one system requests Demand mode, the other system stops sending periodic control packets; it only sends a response to status inquiries from the Demand mode initiator. Either system (but not both) can request Demand mode at any time. NOTE: Dell Networking OS supports Asynchronous mode only. A session can have four states: Administratively Down, Down, Init, and Up. State Description Administratively Down The local system does not participate in a particular session.
state change or change in a session parameter, the passive system sends a final response indicating the state change. After this, periodic control packets are exchanged. Figure 14.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 15.
• Configure BFD for OSPFv3 • Configure BFD for IS-IS • Configure BFD for BGP • Configure BFD for VRRP • Configuring Protocol Liveness • Troubleshooting BFD Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol.
Establishing a Session on Physical Ports To establish a session, enable BFD at the interface level on both ends of the link, as shown in the following illustration. The configuration parameters do not need to match. Figure 16. Establishing a BFD Session on Physical Ports 1 Enter interface mode. CONFIGURATION mode interface 2 Assign an IP address to the interface if one is not already assigned.
State: Up Configured parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Neighbor parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Actual parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Role: Active Delete session on Down: False Client Registered: CLI Uptime: 00:03:57 Statistics: Number of packets received from neighbor: 1775 Number of packets sent to neighbor: 1775 Number of state changes: 1 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 4 Log messa
To disable and re-enable BFD on an interface, use the following commands. • Disable BFD on an interface. INTERFACE mode • no bfd enable Enable BFD on an interface. INTERFACE mode bfd enable If you disable BFD on a local interface, this message displays: R1(conf-if-te-4/24)#01:00:52: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Ad Dn for neighbor 2.2.2.
To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route. CONFIGURATION mode ip route bfd Example of the show bfd neighbors Command to Verify Static Routes To verify that sessions have been created for static routes, use the show bfd neighbors command. R1(conf)#ip route 2.2.3.0/24 2.2.2.
Configure BFD for OSPF When using BFD with OSPF, the OSPF protocol registers with the BFD manager. BFD sessions are established with all neighboring interfaces participating in OSPF. If a neighboring interface fails, the BFD agent notifies the BFD manager, which in turn notifies the OSPF protocol that a link state change has occurred. Configuring BFD for OSPF is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPF neighbors.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 18. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
The bold line shows the OSPF BFD sessions. R2(conf-router_ospf)#bfd all-neighbors R2(conf-router_ospf)#do show bfd neighbors * - Active session role Ad Dn - Admin Down C - CLI I - ISIS O - OSPF R - Static Route (RTM) LocalAddr * 2.2.2.2 * 2.2.3.1 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 O 2.2.3.2 Te 2/2 Up 100 100 3 O Changing OSPFv3 Session Parameters Configure BFD sessions with default intervals and a default role.
Configure BFD for OSPFv3 BFD for OSPFv3 provides support for IPV6. Configuring BFD for OSPFv3 is a two-step process: 1. Enable BFD globally. 2. Establish sessions with OSPFv3 neighbors. Related Configuration Tasks • Changing OSPFv3 Session Parameters • Disabling BFD for OSPFv3 Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface.
Disabling BFD for OSPF If you disable BFD globally, all sessions are torn down and sessions on the remote system are placed in a Down state. If you disable BFD on an interface, sessions on the interface are torn down and sessions on the remote system are placed in a Down state. Disabling BFD does not trigger a change in BFD clients; a final Admin Down packet is sent before the session is terminated. To disable BFD sessions, use the following commands. • Disable BFD sessions with all OSPF neighbors.
Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 19. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors. ROUTER-ISIS mode • bfd all-neighbors Establish sessions with IS-IS neighbors on a single interface.
C I O R - CLI ISIS OSPF Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
Prerequisites Before configuring BFD for BGP, you must first configure the following settings: 1. Configure BGP on the routers that you want to interconnect, as described in Border Gateway Protocol IPv4 (BGPv4). 2. Enable fast fall-over for BGP neighbors to reduce convergence time (the neighbor fall-over command), as described in BGP Fast Fall-Over. Establishing Sessions with BGP Neighbors Before configuring BFD for BGP, you must first configure BGP on the routers that you want to interconnect.
BFD for BGP is supported only on directly-connected BGP neighbors and only in BGP IPv4 networks. Up to 128 simultaneous BFD sessions are supported As long as each BFD for BGP neighbor receives a BFD control packet within the configured BFD interval for failure detection, the BFD session remains up and BGP maintains its adjacencies.
ROUTER BGP mode • neighbor {ip-address | peer-group-name} bfd disable Remove the disabled state of a BFD for BGP session with a specified neighbor. ROUTER BGP mode no neighbor {ip-address | peer-group-name} bfd disable Use BFD in a BGP Peer Group You can establish a BFD session for the members of a peer group (the neighbor peer-group-name bfd command in ROUTER BGP configuration mode).
Examples of Verifying BGP Information The following example shows verifying a BGP configuration. R2# show running-config bgp ! router bgp 2 neighbor 1.1.1.2 remote-as 1 neighbor 1.1.1.2 no shutdown neighbor 2.2.2.2 remote-as 1 neighbor 2.2.2.2 no shutdown neighbor 3.3.3.2 remote-as 1 neighbor 3.3.3.2 no shutdown bfd all-neighbors The following example shows viewing all BFD neighbors.
Remote MAC Addr: 00:01:e8:8a:da:7b Int: TenGigabitEthernet 6/2 State: Up Configured parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Neighbor parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Actual parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Role: Active Delete session on Down: True Client Registered: BGP Uptime: 00:02:22 Statistics: Number of packets received from neighbor: 1428 Number of packets sent to neighbor: 1428 Number of state changes: 1 Number of messages from IFA about port state change: 0 Numb
2.2.2.2 3.3.3.2 1 1 273 282 273 281 0 0 0 0 (0) 0 04:32:26 00:38:12 0 0 The following example shows viewing BFD information for a specified neighbor. The bold lines show the message displayed when you enable a BFD session with different configurations: • • • Message displays when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
Peer active in peer-group outbound optimization ... Configure BFD for VRRP When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process: 1. Enable BFD globally.
Establishing VRRP Sessions on VRRP Neighbors The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session the backup router. To establish a session with a particular VRRP neighbor, use the following command. • Establish a session with a particular VRRP neighbor.
• vrrp bfd all-neighbors interval milliseconds min_rx milliseconds multiplier value role [active | passive] Change parameters for a particular VRRP session. INTERFACE mode vrrp bfd neighbor ip-address interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command, as shown in the example in Verifying BFD Sessions with BGP Neighbors Using the show bfd neighbors command example in Displaying BFD for BGP Information.
debug bfd packet Examples of Output from the debug bfd Commands The following example shows a three-way handshake using the debug bfd detail command. R1(conf-if-te-4/24)#00:54:38: %RPM0-P:RP2 %BFDMGR-1-BFD_STATE_CHANGE: Changed session state to Down for neighbor 2.2.2.2 on interface Te 4/24 (diag: 0) 00:54:38 : Sent packet for session with neighbor 2.2.2.
10 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
because they provide connections from one network to another. The ISP is considered to be “selling transit service” to the customer network, so thus the term Transit AS. When BGP operates inside an AS (AS1 or AS2, as seen in the following illustration), it is referred to as Internal BGP (IBGP Internal Border Gateway Protocol). When BGP operates between ASs (AS1 and AS2), it is called External BGP (EBGP External Border Gateway Protocol).
four routers connected in a full mesh have three peers each, six routers have five peers each, and eight routers in full mesh have seven peers each. Figure 23. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor.
Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies. In order to make decisions in its operations with other BGP peers, a BGP process uses a simple finite state machine that consists of six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. For each peer-to-peer session, a BGP implementation tracks which of these six states the session is in.
To illustrate how these rules affect routing, refer to the following illustration and the following steps. Routers B, C, D, E, and G are members of the same AS (AS100). These routers are also in the same Route Reflection Cluster, where Router D is the Route Reflector. Router E and H are client peers of Router D; Routers B and C and nonclient peers of Router D. Figure 24. BGP Router Rules 1. Router B receives an advertisement from Router A through eBGP.
Best Path Selection Criteria Paths for active routes are grouped in ascending order according to their neighboring external AS number (BGP best path selection is deterministic by default, which means the bgp non-deterministic-med command is NOT applied). The best path in each group is selected based on specific criteria. Only one “best path” is selected at a time. If any of the criteria results in more than one path, BGP moves on to the next option in the list.
Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregateaddress command. a 4. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command.
Weight The weight attribute is local to the router and is not advertised to neighboring routers. If the router learns about more than one route to the same destination, the route with the highest weight is preferred. The route with the highest weight is installed in the IP routing table. Local Preference Local preference (LOCAL_PREF) represents the degree of preference within the entire AS. The higher the number, the greater the preference for the route.
One AS assigns the MED a value and the other AS uses that value to decide the preferred path. For this example, assume the MED is the only attribute applied. In the following illustration, AS100 and AS200 connect in two places. Each connection is a BGP session. AS200 sets the MED for its T1 exit point to 100 and the MED for its OC3 exit point to 50. This sets up a path preference through the OC3 link. The MEDs are advertised to AS100 routers so they know which is the preferred path.
Network *> 7.0.0.0/29 *> 7.0.0.0/30 *> 9.2.0.0/16 Next Hop 10.114.8.33 10.114.8.33 10.114.8.33 Metric 0 0 10 LocPrf 0 0 0 Weight 18508 18508 18508 Path ? ? 701 i AS Path The AS path is the list of all ASs that all the prefixes listed in the update have passed through. The local AS number is added by the BGP speaker when advertising to a eBGP neighbor. NOTE: Any update that contains the AS path number 0 is valid. The AS path is shown in the following example.
MBGP uses either an IPv4 address configured on the interface (which is used to establish the IPv6 session) or a stable IPv4 address that is available in the box as the next-hop address. As a result, while advertising an IPv6 network, exchange of IPv4 routes does not lead to martian next-hop message logs. NOTE: It is possible to configure BGP peers that exchange both unicast and multicast network layer reachability information (NLRI), but you cannot connect multiprotocol BGP with BGP.
Command Settings BGP Local Routing Information Base MED Advertised to Peer MED Advertised to Peer WITH route-map metric-type WITHOUT route-map internal metric-type internal redistribute isis metric 100 MED: IGP cost 100 MED: 100 MED: 100 Ignore Router-ID in Best-Path Calculation You can avoid unnecessary BGP best-path transitions between external paths under certain conditions.
• • All AS numbers between 0 and 65535 are represented as a decimal number, when entered in the CLI and when displayed in the show commands outputs. AS Numbers larger than 65535 is represented using ASDOT notation as .. For example: AS 65546 is represented as 1.10. ASDOT representation combines the ASPLAIN and ASDOT+ representations.
Dell(conf-router_bgp)#do sho ip bgp BGP table version is 28093, local router ID is 172.30.1.57 AS4 SUPPORT DISABLED Dell(conf-router_bgp)#no bgp four-octet-as-support Dell(conf-router_bgp)#sho conf ! router bgp 100 neighbor 172.30.1.250 local-as 65057 Dell(conf-router_bgp)#do show ip bgp BGP table version is 28093, local router ID is 172.30.1.
behavior to happen by allowing Router B to appear as if it still belongs to Router B’s old network (AS 200) as far as communicating with Router C is concerned. Figure 28. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
• Multiple instances of the same NLRI in the BGP RIB are not supported and are set to zero in the SNMP query response. • The f10BgpM2NlriIndex and f10BgpM2AdjRibsOutIndex fields are not used. • Carrying MPLS labels in BGP is not supported. The f10BgpM2NlriOpaqueType and f10BgpM2NlriOpaquePointer fields are set to zero. • 4-byte ASN is supported. The f10BgpM2AsPath4byteEntry table contains 4-byte ASN-related parameters based on the configuration.
Item Default suppress = 2000 max-suppress-time = 60 minutes external distance = 20 Distance internal distance = 200 local distance = 200 keepalive = 60 seconds Timers holdtime = 180 seconds Add-path Disabled Enabling BGP By default, BGP is not enabled on the system. Dell Networking OS supports one autonomous system (AS) and assigns the AS number (ASN). To establish BGP sessions and route traffic, configure at least one BGP neighbor or peer.
Disable 4-Byte support and return to the default 2-Byte format by using the no bgp four-octet-as-support command. You cannot disable 4-Byte support if you currently have a 4-Byte ASN configured. Disabling 4-Byte AS numbers also disables ASDOT and ASDOT+ number representation. All AS numbers are displayed in ASPLAIN format. b Enable IPv4 multicast or IPv6 mode. CONFIG-ROUTER-BGP mode address-family [ipv4 | ipv6} vrf Use this command to enter BGP for IPv6 mode (CONF-ROUTER_BGPv6_AF).
1 network entrie(s) using 132 bytes of memory 1 paths using 72 bytes of memory BGP-RIB over all using 73 bytes of memory 1 BGP path attribute entrie(s) using 72 bytes of memory 1 BGP AS-PATH entrie(s) using 47 bytes of memory 5 neighbor(s) using 23520 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 10.10.21.1 10.10.32.3 100.10.92.9 192.168.10.1 192.168.12.
For address family: IPv4 Unicast BGP table version 0, neighbor version 0 0 accepted prefixes consume 0 bytes Prefix advertised 0, rejected 0, withdrawn 0 Connections established 0; dropped 0 Last reset never No active TCP connection Dell# The following example shows verifying the BGP configuration using the show running-config bgp command.. Dell#show running-config bgp ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.
bgp asnotation asplain NOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display. • Enable ASDOT AS Number representation. CONFIG-ROUTER-BGP mode • bgp asnotation asdot Enable ASDOT+ AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot+ Examples of the bgp asnotation Commands The following example shows the bgp asnotation asplain command output.
Create a peer group by assigning it a name, then adding members to the peer group. After you create a peer group, you can configure route policies for it. For information about configuring route policies for a peer group, refer to Filtering BGP Routes. NOTE: Sample Configurations for enabling peer groups are found at the end of this chapter. 1 Create a peer group by assigning a name to it. CONFIG-ROUTERBGP mode neighbor peer-group-name peer-group 2 Enable the peer group.
• neighbor route-map out • neighbor route-reflector-client • neighbor send-community A neighbor may keep its configuration after it was added to a peer group if the neighbor’s configuration is more specific than the peer group’s and if the neighbor’s configuration does not affect outgoing updates. NOTE: When you configure a new set of BGP policies for a peer group, always reset the peer group by entering the clear ip bgp peer-group peer-group-name command in EXEC Privilege mode.
10.68.164.1 10.68.165.1 10.68.166.1 10.68.167.1 10.68.168.1 10.68.169.1 10.68.170.1 10.68.171.1 10.68.172.1 10.68.173.1 10.68.174.1 10.68.175.1 10.68.176.1 10.68.177.1 10.68.178.1 10.68.179.1 10.68.180.1 10.68.181.1 10.68.182.1 10.68.183.1 10.68.184.1 10.68.185.1 Dell> Configuring BGP Fast Fall-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable.
Capabilities received from neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) fall-over enabled Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 52, neighbor version 52 4 accepted prefixes consume 16 bytes Prefix advertised 0, denied 0, withdrawn 0 Connections established 6; dr
When a BGP neighbor connection with authentication configured is rejected by a passive peer-group, Dell Networking OS does not allow another passive peer-group on the same subnet to connect with the BGP neighbor. To work around this, change the BGP configuration or change the order of the peer group configuration. You can constrain the number of passive sessions accepted by the neighbor. The limit keyword allows you to set the total number of sessions the neighbor will accept, between 2 and 265.
To disable this feature, use the no neighbor local-as command in CONFIGURATION ROUTER BGP mode. R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.
neighbor 100.10.92.9 local-as 6500 neighbor 100.10.92.9 no shutdown neighbor 192.168.10.1 remote-as 65123 neighbor 192.168.10.1 update-source Loopback 0 neighbor 192.168.10.1 no shutdown neighbor 192.168.12.2 remote-as 65123 neighbor 192.168.12.2 allowas-in 9 neighbor 192.168.12.2 update-source Loopback 0 neighbor 192.168.12.2 no shutdown R2(conf-router_bgp)#R2(conf-router_bgp)# Enabling Graceful Restart Use this feature to lessen the negative effects of a BGP restart.
bgp graceful-restart [role receiver-only] Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency. With the graceful restart feature, Dell Networking OS enables the receiving/restarting mode by default. In Receiver-Only mode, graceful restart saves the advertised routes of peers that support this capability when they restart.
This is the filter that is used to match the AS-path. The entries can be any format, letters, numbers, or regular expressions. You can enter this command multiple times if multiple filters are desired. For accepted expressions, refer to Regular Expressions as Filters. 3 Return to CONFIGURATION mode. AS-PATH ACL mode exit 4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Use a configured AS-PATH ACL for route filtering and manipulation.
Regular Expression Definition ^ (caret) Matches the beginning of the input string. Alternatively, when used as the first character within brackets [^ ], this matches any number except the ones specified within the brackets. $ (dollar) Matches the end of the input string. . (period) Matches any single character, including white space. * (asterisk) Matches 0 or more sequences of the immediately previous character or pattern.
Dell(conf)#ex Dell#show ip as-path-access-lists ip as-path access-list Eagle deny 32$ Dell# Redistributing Routes In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. With the redistribute command, you can include ISIS, OSPF, static, or directly connected routes in the BGP process. To add routes from other routing instances or protocols, use any of the following commands in ROUTER BGP mode.
The range is from 2 to 64. 2 Allow the specified neighbor/peer group to send/ receive multiple path advertisements. CONFIG-ROUTER-BGP mode neighbor add-path NOTE: The path-count parameter controls the number of paths that are advertised, not the number of paths that are received. Configuring IP Community Lists Within Dell Networking OS, you have multiple methods of manipulating routing attributes. One attribute you can manipulate is the COMMUNITY attribute.
deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny deny Dell# 703:20 704:20 705:20 14551:20 701:112 702:112 703:112 704:112 705:112 14551:112 701:667 702:667 703:667 704:666 705:666 14551:666 Configuring an IP Extended Community List To configure an IP extended community list, use these commands. 1 Create a extended community list and enter the EXTCOMMUNITY-LIST mode.
deny 14551:666 Dell# Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neighbor or peer group. 1 Enter the ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Configure a match filter for all routes meeting the criteria in the IP community or IP extended community list.
CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2 Configure a set filter to delete all COMMUNITY numbers in the IP community list. CONFIG-ROUTE-MAP mode set comm-list community-list-name delete OR set community {community-number | local-as | no-advertise | no-export | none} Configure a community list by denying or permitting specific community numbers or types of community.
*>i 6.10.0.0/15 *>i 6.14.0.0/15 *>i 6.133.0.0/21 *>i 6.151.0.0/16 --More-- 195.171.0.16 205.171.0.16 205.171.0.16 205.171.0.16 100 100 100 100 0 0 0 0 209 209 209 209 7170 7170 7170 7170 1455 1455 1455 1455 i i i i Changing MED Attributes By default, Dell Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands.
4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Apply the route map to the neighbor or peer group’s incoming or outgoing routes. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} route-map map-name {in | out} To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode. Changing the NEXT_HOP Attribute You can change how the NEXT_HOP attribute is used.
Enabling Multipath By default, the software allows one path to a destination. You can enable multipath to allow up to 64 parallel paths to a destination. NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector. To allow more than one path, use the following command. The show ip bgp network command includes multipath information for that network. • Enable multiple parallel paths.
3 Return to CONFIGURATION mode. CONFIG-PREFIX LIST mode exit 4 Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5 Filter routes based on the criteria in the configured prefix list. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} distribute-list prefix-list-name {in | out} Configure the following parameters: • • • • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. prefix-list-name: enter the name of a configured prefix list.
Configure the following parameters: • ip-address or peer-group-name: enter the neighbor’s IP address or the peer group’s name. • map-name: enter the name of a configured route map. • in: apply the route map to inbound routes. • out: apply the route map to outbound routes. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. To view a route map configuration, use the show route-map command in EXEC Privilege mode.
Configure clusters of routers where one router is a concentration router and the others are clients who receive their updates from the concentration router. To configure a route reflector, use the following commands. • Assign an ID to a router reflector cluster. CONFIG-ROUTER-BGP mode bgp cluster-id cluster-id • You can have multiple clusters in an AS. Configure the local router as a route reflector and the neighbor or peer group identified is the route reflector client.
network, the confederations appear as one AS. Within the confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands. • Specifies the confederation ID. CONFIG-ROUTER-BGP mode bgp confederation identifier as-number • – as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). Specifies which confederation sub-AS are peers.
– half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. – reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (or no longer suppressed).
The following example shows how to configure values to reuse or restart a route. In the following example, default = 15 is the set time before the value decrements, bgp dampening 2 ? is the set re-advertise value, bgp dampening 2 2000 ? is the suppress value, and bgp dampening 2 2000 3000 ? is the time to suppress a route. Default values are also shown.
– keepalive: the range is from 1 to 65535. Time interval, in seconds, between keepalive messages sent to the neighbor routers. The default is 60 seconds. – holdtime: the range is from 3 to 65536. Time interval, in seconds, between the last keepalive message and declaring the router dead. The default is 180 seconds. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
Example of Soft-Reconfigration of a BGP Neighbor The example enables inbound soft reconfiguration for the neighbor 10.108.1.1. All updates received from this neighbor are stored unmodified, regardless of the inbound policy. When inbound soft reconfiguration is done later, the stored information is used to generate a new set of inbound updates. Dell>router bgp 100 neighbor 10.108.1.1 remote-as 200 neighbor 10.108.1.
• If the corresponding capability is received in the peer’s Open message, BGP marks the peer as supporting the AFI/SAFI. • When exchanging updates with the peer, BGP sends and receives IPv4 multicast routes if the peer is marked as supporting that AFI/SAFI. • Exchange of IPv4 multicast route information occurs through the use of two new attributes called MP_REACH_NLRI and MP_UNREACH_NLRI, for feasible and withdrawn routes, respectively.
EXEC Privilege mode • debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name] Enable soft-reconfiguration debug. EXEC Privilege mode debug ip bgp {ip-address | peer-group-name} soft-reconfiguration To enhance debugging of soft reconfig, use the bgp soft-reconfig-backup command only when route-refresh is not negotiated to avoid the peer from resending messages. In-BGP is shown using the show ip protocols command.
'UPDATE error/Missing well-known attr' Sent : 1 Recv: 0 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:26:02 ago ffffffff ffffffff ffffffff ffffffff 00160303 03010000 Last notification (len 21) received 00:26:20 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Last PDU (len 41) received 00:26:02 ago that caused notification to be issued ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201 00024003 04141414 0218c0a8 01000000 Local host: 1.1.1.
The following example shows how to view space requirements for storing all the PDUs. With full internet feed (205K) captured, approximately 11.8MB is required to store all of the PDUs. Dell(conf-router_bgp)#do show capture bgp-pdu neighbor 172.30.1.250 Incoming packet capture enabled for BGP neighbor 172.30.1.250 Available buffer size 29165743, 192991 packet(s) captured using 11794257 bytes [. . .] Dell(conf-router_bgp)#do sho ip bg s BGP router identifier 172.30.1.
Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int te 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TengigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-te-1/21)#int te 1/31 R1(conf-if-te-1/31)#ip address 10.0.3.
R1(conf-router_bgp)#show config ! router bgp 99 network 192.168.128.0/24 neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 update-source Loopback 0 neighbor 192 168 128 3 no shutdown Example of Enabling BGP (Router 2) R2# conf R2(conf)#int loop 0 R2(conf-if-lo-0)#ip address 192.168.128.
R3(conf-if-lo-0)#int te 3/21 R3(conf-if-te-3/21)#ip address 10.0.2.3/24 R3(conf-if-te-3/21)#no shutdown R3(conf-if-te-3/21)#show config ! interface TengigabitEthernet 3/21 ip address 10.0.2.3/24 no shutdown R3(conf-if-te-3/21)# R3(conf-if-te-3/21)#router bgp 100 R3(conf-router_bgp)#show config ! router bgp 100 R3(conf-router_bgp)#network 192.168.128.0/24 R3(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R3(conf-router_bgp)#neighbor 192.168.128.1 no shut R3(conf-router_bgp)#neighbor 192.168.128.
BGP table version 1, neighbor version 1 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 2; dropped 1 Last reset 00:00:57, due to user reset Notification History 'Connection Reset' Sent : 1 Recv: 0 Last notification (len 21) sent 00:00:57 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Local host: 192.168.128.1, Local port: 179 Foreign host: 192.168.128.2, Foreign port: 65464 BGP neighbor is 192.168.128.
R3(conf-router_bgp)# neighbor AAA peer-group R3(conf-router_bgp)# neighbor AAA no shutdown R3(conf-router_bgp)# neighbor CCC peer-group R3(conf-router_bgp)# neighbor CCC no shutdown R3(conf-router_bgp)# neighbor 192.168.128.2 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.2 no shutdown R3(conf-router_bgp)# neighbor 192.168.128.1 peer-group BBB R3(conf-router_bgp)# neighbor 192.168.128.1 no shutdown R3(conf-router_bgp)# R3(conf-router_bgp)#end R3#show ip bgp summary BGP router identifier 192.168.
11 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 (L2) and Layer 3 (L3) forwarding information, access-lists (ACLs), flows, and routing policies. CAM Allocation CAM Allocation for Ingress To allocate the space for regions such has L2 ingress ACL, IPV4 ingress ACL, IPV6 ingress ACL, IPV4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode.
NOTE: When you reconfigure CAM allocation, use the nlbclusteracl number command to change the number of NLB ARP entries. The range is from 0 to 2. The default value is 0. At the default value of 0, eight NLB ARP entries are available for use. This platform supports upto 512 CAM entries. Select 1 to configure 256 entries. Select 2 to configure 512 entries.
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number vman-qos | vman-dual-qos number ecfmacl number nlbcluster number ipv4pbr number openflow number | fcoe number iscsioptacl number [vrfv4acl number] NOTE: If you do not enter the allocation values for the CAM regions, the value is 0. 3 Execute write memory and verify that the new settings are written to the CAM on the next boot. EXEC Privilege mode show cam-acl 4 Reload the system.
IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 2 0 0 Dell(conf)# Example of Viewing CAM-ACL Settings NOTE: If you change the cam-acl setting from CONFIGURATION mode, the output of this command does not reflect any changes until you save the running-configuration and reload the chassis.
IpMacAcl VmanQos VmanDualQos EcfmAcl FcoeAcl iscsiOptAcl ipv4pbr vrfv4Acl Openflow fedgovacl : : : : : : : : : : 0 0 0 0 0 0 0 0 0 0 Dell# View CAM Usage View the amount of CAM space available, used, and remaining in each ACL partition using the show cam-usage command from EXEC Privilege mode.
• Use the EXEC Privilege mode commands to match the profile of a component to the profile of the target system. QoS CAM Region Limitation To store QoS service policies, the default CAM profile allocates a partition within the IPv4Flow region. If the QoS CAM space is exceeded, a message similar to the following displays.
12 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
The following illustration shows an example of the difference between having CoPP implemented and not having CoPP implemented. Figure 30. Control Plane Policing Figure 31.
Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first. For example, border gateway protocol (BGP) and internet control message protocol (ICMP) share same queue (Q6); Q6 has 400 PPS of bandwidth by default.
CONFIGURATION mode class-map match-any name cpu-qos match {ip | mac | ipv6} access-group name 6 Create a QoS input policy map to match to the class-map and qos-policy for each desired protocol. CONFIGURATION mode policy-map-input name cpu-qos class-map name qos-policy name 7 Enter Control Plane mode. CONFIGURATION mode control-plane-cpuqos 8 Assign the protocol based the service policy on the control plane.
Dell(conf-class-map-cpuqos)#match ip access-group bgp Dell(conf-class-map-cpuqos)#exit Dell(conf)#class-map match-any class_lacp cpu-qos Dell(conf-class-map-cpuqos)#match mac access-group lacp Dell(conf-class-map-cpuqos)#exit Dell(conf)#class-map match-any class-ipv6-icmp cpu-qos Dell(conf-class-map-cpuqos)#match ipv6 access-group ipv6-icmp Dell(conf-class-map-cpuqos)#exit The following example shows matching the QoS class map to the QoS policy.
Dell(conf)#qos-policy-input cpuq_2 Dell(conf-qos-policy-in)#rate-police 5000 80 peak 600 50 Dell(conf-qos-policy-in)#exit The following example shows assigning the QoS policy to the queues. Dell(conf)#policy-map-input cpuq_rate_policy cpu-qos Dell(conf-qos-policy-in)#service-queue 5 qos-policy cpuq_1 Dell(conf-qos-policy-in)#service-queue 6 qos-policy cpuq_2 Dell(conf-qos-policy-in)#service-queue 7 qos-policy cpuq_1 The following example shows creating the control plane service policy.
Increased CPU Queues for CoPP FTOS classifies every packet ingress from the front end port to system as control traffic or data traffic by having the pre-defined rules based on protocol type or packets types like ttl, slow path etc. FP is used to classify the traffic to transmit the control traffic to CMIC port. Other major function performed by the FP rule is to decide to which CPU queue the packet must be sent. All other packets will be forwarded or dropped at the ingress.
• * Unknown traffic in IP Subnet range * Unknown traffic hitting the default route entry. Multicast NDP packets – NDP packets with destination MAC is multicast * • DST MAC 33:33:XX:XX:XX:XX NDP Packets in VLT peer routing enable – VLT peer routing enable cases each VLT node will have route entry for link local address of both self and peer VLT node. Peer VLT link local entry will have egress port as ICL link. And Actual link local address will have entry to CopyToCpu.
handling of >/64 subnets and doesn’t require any additional work. The default catch-all entry is put in the LPM table for IPv4 and IPv6. If this is included for IPv6, you can disable this capability by using the no ipv6 unknown-unicast command. Typically, the catch-all entry in LPM table is used for soft forwarding and generating ICMP unreachable messages to the source.
Displaying CoPP Configuration The CLI provides show commands to display the protocol traffic assigned to each control-plane queue and the current ratelimit applied to each queue. Other show commands display statistical information for trouble shooting CoPP operation. To view the rates for each queue, use the show cpu-queue rate cp command.
Example of Viewing Queue Mapping for IPv6 Protocols Dell#show ipv6 protocol-queue-mapping Protocol Src-Port Dst-Port TcpFlag Queue EgPort Rate (kbps) --------------- -------- ------- ----- ------ ----------TCP (BGP) any/179 179/any _ Q6 CP _ ICMP any any _ Q6 CP _ VRRP any any _ Q7 CP _ Dell# Control Plane Policing (CoPP) 251
13 Data Center Bridging (DCB) Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
DCB results in reduced operational cost, simplified management, and easy scalability by avoiding the need to deploy separate application-specific networks. For example, instead of deploying an Ethernet network for LAN traffic, include additional storage area networks (SANs) to ensure lossless Fibre Channel traffic, and a separate InfiniBand network for high-performance inter-processor computing within server clusters, only one DCB-enabled network is required in a data center.
The following illustration shows how PFC handles traffic congestion by pausing the transmission of incoming traffic with dot1p priority 4. Figure 32. Illustration of Traffic Congestion The system supports loading two DCB_Config files: • FCoE converged traffic with priority 3. • iSCSI storage traffic with priority 4. In the Dell Networking OS, PFC is implemented as follows: • PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface.
The following figure shows how ETS allows you to allocate bandwidth when different traffic types are classed according to 802.1p priority and mapped to priority groups. Figure 33. Enhanced Transmission Selection The following table lists the traffic groupings ETS uses to select multiprotocol traffic for transmission. Table 16. ETS Traffic Groupings Traffic Groupings Description Group ID A 4-bit identifier assigned to each priority group. The range is from 0 to 7 configurable; 8 - 14 reservation and 15.
PFC parameters PFC Configuration TLV and Application Priority Configuration TLV. ETS parameters ETS Configuration TLV and ETS Recommendation TLV. Data Center Bridging in a Traffic Flow The following figure shows how DCB handles a traffic flow on an interface. Figure 34. DCB PFC and ETS Traffic Handling Enabling Data Center Bridging DCB is automatically configured when you configure FCoE or iSCSI optimization. Data center bridging supports converged enhanced Ethernet (CEE) in a data center network.
dcb enable 2 Set PFC buffering on the DCB stack unit. CONFIGURATION mode Dell(conf)#dcb enable pfc-queues NOTE: To save the pfc buffering configuration changes, save the configuration and reboot the system. NOTE: Dell Networking OS Behavior: DCB is not supported if you enable link-level flow control on one or more interfaces. For more information, refer to Ethernet Pause Frames.
Data Center Bridging: Default Configuration Before you configure PFC and ETS on a switch see the priority group setting taken into account the following default settings: DCB is enabled. PFC and ETS are globally enabled by default. The default dot1p priority-queue assignments are applied as follows: Dell(conf)#do show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 6 7 Queue : 0 0 0 1 2 3 3 3 Dell(conf)# PFC is not applied on specific dot1p priorities.
priority-pgid dot1p0_group_num dot1p1_group_num ...dot1p7_group_num Priority group range is from 0 to 7. All priorities that map to the same queue must be in the same priority group. Leave a space between each priority group number. For example: priority-pgid 0 0 0 1 2 4 4 4 in which priority group 0 maps to dot1p priorities 0, 1, and 2; priority group 1 maps to dot1p priority 3; priority group 2 maps to dot1p priority 4; priority group 4 maps to dot1p priorities 5, 6, and 7.
INTERFACE mode pfc no-drop queues queue-range For the dot1p-queue assignments, refer to the dot1p Priority-Queue Assignment table. The maximum number of lossless queues globally supported on the switch is two. The range is from 0 to 3. Separate the queue values with a comma; specify a priority range with a dash; for example, pfc no-drop queues 1,3 or pfc no-drop queues 2-3. The default: No lossless queues are configured.
• Traffic may be interrupted when you reconfigure PFC no-drop priorities in a DCB map or re-apply the DCB map to an interface. • For PFC to be applied, the configured priority traffic must be supported by a PFC peer (as detected by DCBx). • If you apply a DCB map with PFC disabled (pfc off), you can enable link-level flow control on the interface using the flowcontrol rx on tx on command. To delete the DCB map, first disable link-level flow control.
Step Task Command Command Mode Dell# interface tengigabitEthernet 1/1 Dell(config-if-te-1/1)# dcb-map SAN_A_dcb_map1 Repeat Steps 1 and 2 to apply a DCB map to more than one port. You cannot apply a DCB map on an interface that has been already configured for PFC using thepfc priority command or which is already configured for lossless queues (pfc no-drop queues command).
Port B acting as Egress During the congestion, [traffic pump on priorities 3 and 4 from PORT A and PORT C is at full line rate], PORT A and C send out the PFCs to rate the traffic limit. Egress drops are not observed on Port B since traffic flow on priorities is mapped to loss less queues. Port B acting as Ingress If the traffic congestion is on PORT B , Egress DROP is on PORT A or C, as the PFC is not enabled on PORT B.
Step Task Command Command Mode Range: 0-3. Separate queue values with a comma; specify a priority range with a dash; for example: pfc no-drop queues 1,3 or pfc no-drop queues 2-3 Default: No lossless queues are configured. Priority-Based Flow Control Using Dynamic Buffer Method In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion.
By default the total available buffer for PFC is 6.6 MB and when you configure dynamic ingress buffering, a minimum of least 52 KB per queue is used when all ports are congested. This default behavior is impacted if you modify the total buffer available for PFC or assign static buffer configurations to the individual PFC queues. Behavior of Tagged Packets The below is example for enabling PFC for priority 2 for tagged packets. Priority (Packet Dot1p) 2 will be mapped to PG6 on PRIO2PG setting.
3. 4. Dot1p->Queue Mapping Configuration is retained at the default value. Default dot1p-queue mapping is, Dell#show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 Queue : 0 0 0 1 2 3 6 3 7 3 Default dot1p-queue mapping is, Dell#show qos dot1p-queue-mapping Dot1p Priority : 0 1 2 3 4 5 Queue : 2 0 1 3 4 5 6 6 7 7 Interface Configurations on server connected ports. a Enable DCB globally. Dell(conf)#dcb enable b Apply PFC Priority configuration. Configure priorities on which PFC is enabled.
The dcb-map-name variable can have a maximum of 32 characters. 2 Create an ETS priority group. CONFIGURATION mode priority-group group-num {bandwidth bandwidth | strict-priority} pfc off The range for priority group is from 0 to 7. Set the bandwidth in percentage. The percentage range is from 1 to 100% in units of 1%. Committed and peak bandwidth is in megabits per second. The range is from 0 to 40000. Committed and peak burst size is in kilobytes. Default is 50. The range is from 0 to 10000.
ETS Operation with DCBx The following section describes DCBx negotiation with peer ETS devices. In DCBx negotiation with peer ETS devices, ETS configuration is handled as follows: • ETS TLVs are supported in DCBx versions CIN, CEE, and IEEE2.5. • The DCBx port-role configurations determine the ETS operational parameters (refer to Configure a DCBx Operation). • ETS configurations received from TLVs from a peer are validated.
5 Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port 6 Apply the QoS output policy with the bandwidth percentage for specified priority queues to an egress interface. INTERFACE mode Dell(conf-if-te-0/1)#service-policy output test12 Configuring ETS in a DCB Map A switch supports the use of a DCB map in which you configure enhanced transmission selection (ETS) setting. To configure ETS parameters, you must apply a DCB map on an interface.
ETS Prerequisites and Restrictions On a switch, ETS is enabled by default on Ethernet ports with equal bandwidth assigned to each 802.1p priority. You can change the default ETS configuration only by using a DCB map.
• Strict-priority groups: If priority group 1 or 2 has free bandwidth, (20 + 30)% of the free bandwidth is distributed to priority group 3. Priority groups 1 and 2 retain whatever free bandwidth remains up to the (20+ 30)%. If two priority groups have strict-priority scheduling, traffic assigned from the priority group with the higher priority-queue number is scheduled first.
• Reconfigures a peer device with the DCB configuration from its configuration source if the peer device is willing to accept configuration. • Accepts the DCB configuration from a peer if a DCBx port is in “willing” mode to accept a peer’s DCB settings and then internally propagates the received DCB configuration to its peer ports.
Manual The port is configured to operate only with administrator-configured settings and does not autoconfigure with DCB settings received from a DCBx peer or from an internally propagated configuration from the configuration source. If you enable DCBx, ports in Manual mode advertise their configurations to peer devices but do not accept or propagate internal or external configurations. Unlike other userconfigured ports, the configuration of DCBx ports in Manual mode is saved in the running configuration.
– – – – – No other port is the configuration source. The port role is auto-upstream. The port is enabled with link up and DCBx enabled. The port has performed a DCBx exchange with a DCBx peer. The switch is capable of supporting the received DCB configuration values through either a symmetric or asymmetric parameter exchange. A newly elected configuration source propagates configuration changes received from a peer to the other auto-configuration ports.
DCBx Example The following figure shows how to use DCBx. The external 40GbE 40GbE ports on the base module (ports 33 and 37) of two switches are used for uplinks configured as DCBx auto-upstream ports. The device is connected to third-party, top-of-rack (ToR) switches through 40GbE uplinks. The ToR switches are part of a Fibre Channel storage network. The internal ports (ports 1-32) connected to the 10GbE backplane are configured as auto-downstream ports.
3. Configure a port to operate in a configuration-source role. 4. Configure ports to operate in a manual role. 1 Enter INTERFACE Configuration mode. CONFIGURATION mode interface type slot/port[/subport] 2 Enter LLDP Configuration mode to enable DCBx operation. INTERFACE mode [no] protocol lldp 3 Configure the DCBx version used on the interface, where: auto configures the port to operate using the DCBx version received from a peer. PROTOCOL LLDP mode [no] DCBx version {auto | cee | cin | ieee-v2.
• fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled to advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. For information about how to use iSCSI, refer to iSCSI Optimization To verify the DCBx configuration on a port, use the show interface DCBx detail command.
• fcoe: enables the advertisement of FCoE in Application Priority TLVs. • iscsi: enables the advertisement of iSCSI in Application Priority TLVs. The default is Application Priority TLVs are enabled and advertise FCoE and iSCSI. NOTE: To disable TLV transmission, use the no form of the command; for example, no advertise DCBx-appln-tlv iscsi. 6 Configure the FCoE priority advertised for the FCoE protocol in Application Priority TLVs.
– resource: enables traces for DCBx system resource frames. – sem: enables traces for the DCBx state machine. – tlv: enables traces for DCBx TLVs. Verifying the DCB Configuration To display DCB configurations, use the following show commands. Table 21. Displaying DCB Configurations Command Output show qos dot1p-queue mapping Displays the current 802.1p priority-queue mapping.
PFC Port Count : 56 (current), 56 (configured) PFC Queue Count : 2 (current), 2 (configured) The following example shows the show qos priority-groups command. Dell#show qos priority-groups priority-group ipc priority-list 4 set-pgid 2 The following example shows the output of the show qos dcb-map test command.
The following table describes the show interface pfc summary command fields. Table 22. show interface pfc summary Command Description Fields Description Interface Interface type with stack-unit and port number. Admin mode is on; Admin is enabled PFC Admin mode is on or off with a list of the configured PFC priorities . When PFC admin mode is on, PFC advertisements are enabled to be sent and received from peers; received PFC configuration takes effect.
Fields Description Application Priority TLV: Remote ISCSI Priority Map Status of iSCSI advertisements in application priority TLVs from remote peer port: enabled or disabled. PFC TLV Statistics: Input TLV pkts Number of PFC TLVs received. PFC TLV Statistics: Output TLV pkts Number of PFC TLVs transmitted. PFC TLV Statistics: Error pkts Number of PFC error packets received. PFC TLV Statistics: Pause Tx pkts Number of PFC pause frames transmitted.
5 6 7 - - - - - - Oper status is init ETS DCBX Oper status is Down Reason: Port Shutdown State Machine Type is Asymmetric Conf TLV Tx Status is enabled Reco TLV Tx Status is enabled The following example shows the show interface ets detail command.
0 Input Traffic Class TLV Pkts, 0 Output Traffic Class TLV Pkts, 0 Error Traffic Class TLV Pkts The following table describes the show interface ets detail command fields. Table 23. show interface ets detail Command Description Field Description Interface Interface type with stack-unit and port number. Maximum Supported TC Group Maximum number of priority groups supported. Number of Traffic Classes Number of 802.1p priorities currently configured. Admin mode ETS mode: on or off.
0 Pause Tx pkts, 0 Pause Rx pkts stack unit 2 stack-port all Admin mode is On Admin is enabled, Priority list is 4-5 Local is enabled, Priority list is 4-5 Link Delay 45556 pause quantum 0 Pause Tx pkts, 0 Pause Rx pkts The following example shows the show stack-unit all stack-ports all ets details command.
Stack unit 2 stack port all Max Supported TC Groups is 4 Number of Traffic Classes is 1 Admin mode is on Admin Parameters: -------------------Admin is enabled TC-grp Priority# Bandwidth TSA -----------------------------------------------0 0,1,2,3,4,5,6,7 100% ETS 1 2 3 4 5 6 7 8 The following example shows the show interface DCBx detail command (IEEE).
Acknowledgment Number: 1 Protocol State: In-Sync Peer DCBx Status: ---------------DCBx Operational Version is 0 DCBx Max Version Supported is 0 Sequence Number: 1 Acknowledgment Number: 1 Total DCBx Frames transmitted 994 Total DCBx Frames received 646 Total DCBx Frame errors 0 Total DCBx Frames unrecognized 0 The following table describes the show interface DCBx detail command fields. Table 24.
Field Description Peer DCBx Status: Acknowledgment Number Acknowledgement number transmitted in Control TLVs received from peer device. Total DCBx Frames transmitted Number of DCBx frames sent from local port. Total DCBx Frames received Number of DCBx frames received from remote peer port. Total DCBx Frame errors Number of DCBx frames with errors received. Total DCBx Frames unrecognized Number of unrecognizable DCBx frames received.
dot1p Value in the Incoming Frame Egress Queue Assignment 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 Configuring the Dynamic Buffer Method Priority-based flow control using dynamic buffer spaces is supported on the switch. To configure the dynamic buffer capability, perform the following steps: 1 Enable the DCB application. By default, DCB is enabled and link-level flow control is disabled on all interfaces.
INTERFACE mode (conf-if-te) dcb-policy buffer-threshold buffer-threshold 8 Configuring Global total buffer size on stack ports. CONFIGURATION mode dcb pfc-total-buffer-size buffer-size stack-unit all port-set {port-pipe |all} Port-set number range is from 0 to 3. Sample DCB Configuration The following shows examples of using PFC and ETS to manage your data center traffic. In the following example: • • • Incoming SAN traffic is configured for priority-based flow control.
QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
14 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
The following table lists common DHCP options. Option Number and Description Subnet Mask Option 1 Specifies the client’s subnet mask. Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS.
Option Number and Description User Port Stacking Option 230 Set the stacking option variable to provide DHCP server stack-port detail when the DHCP offer is set. End Option 255 Signals the last option in the DHCP packet. Assign an IP Address using DHCP The following section describes DHCP and the client in a network. When a client joins a network: 1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers.
DHCPNAK A server sends this message to the client if it is not able to fulfill a DHCPREQUEST; for example, if the requested address is already in use. In this case, the client starts the configuration process over by sending a DHCPDISCOVER. Figure 38. Client and Server Messaging Implementation Information The following describes DHCP implementation. • Dell Networking implements DHCP based on RFC 2131 and RFC 3046.
Table 25. DHCP Server Responsibilities DHCP Server Responsibilities Description Address Storage and Management DHCP servers are the owners of the addresses used by DHCP clients.The server stores the addresses and manages their use, keeping track of which addresses have been allocated and which are still available. Configuration Parameter Storage and Management DHCP servers also store and maintain other parameters that are sent to clients when requested.
Configuration Tasks To configure DHCP, an administrator must first set up a DHCP server and provide it with configuration parameters and policy information including IP address ranges, lease length specifications, and configuration data that DHCP hosts need. Configuring the Dell system to be a DHCP server is a three-step process: 1. Configuring the Server for Automatic Address Allocation 2.
Configure a Method of Hostname Resolution Dell systems are capable of providing DHCP clients with parameters for two methods of hostname resolution—using DNS or NetBIOS WINS. Using DNS for Address Resolution A domain is a group of networks. DHCP clients query DNS IP servers when they need to correlate host names to IP addresses. 1 Create a domain. DHCP domain-name name 2 Specify in order of preference the DNS servers that are available to a DHCP client.
DHCP host address 3 Specify the client hardware address. DHCP hardware-address hardware-address type • hardware-address: the client MAC address. • type: the protocol of the hardware platform. The default protocol is Ethernet. Debugging the DHCP Server To debug the DHCP server, use the following command. • Display debug information for DHCP server.
NOTE: DHCP Relay is not available on Layer 2 interfaces and VLANs on the Z-Series and S4820T platforms. DHCP relay agent is supported on Layer 2 interfaces and VLANs on the S3048–ON, S4810 and S4048–ON platforms. Figure 39. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode.
Configure the System to be a DHCP Client A DHCP client is a network device that requests an IP address and configuration parameters from a DHCP server. Implement the DHCP client functionality as follows: • The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch.
To manually configure a static IP address on an interface, use the ip address command. A prompt displays to release an existing dynamically acquired IP address. If you confirm, the ability to receive a DHCP server-assigned IP address is removed. To enable acquiring a dynamic IP address from a DHCP server on an interface configured with a static IP address, use the ip address dhcp command. A prompt displays to confirm the IP address reconfiguration.
when the DHCP client and server are in the same or different subnets. The management default route is deleted if the management IP address is released like other DHCP client management routes. • ip route for 0.0.0.0 takes precedence if it is present or added later. • Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output.
– The chaddr (change address) in the DHCP header of the packet is the same as the interface’s MAC address. • An entry in the DHCP snooping table is not added for a DHCP client interface. DHCP Server A switch can operate as a DHCP client and a DHCP server. DHCP client interfaces cannot acquire a dynamic IP address from the DHCP server running on the switch. Acquire a dynamic IP address from another DHCP server.
• track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks. • associate client MAC addresses with a relay agent to prevent offering an IP address to a client spoofing the same MAC address on a different relay agent. • assign IP addresses according to the relay agent. This prevents generating DHCP offers in response to requests from an unauthorized relay agent.
Enabling DHCP Snooping To enable DHCP snooping, use the following commands. 1 Enable DHCP snooping globally. CONFIGURATION mode ip dhcp snooping 2 Specify ports connected to DHCP servers as trusted. INTERFACE mode INTERFACE PORT EXTENDER mode ip dhcp snooping trust 3 Enable DHCP snooping on a VLAN. CONFIGURATION mode ip dhcp snooping vlan name Enabling IPv6 DHCP Snooping To enable IPv6 DHCP snooping, use the following commands. 1 Enable IPv6 DHCP snooping globally.
ipv6 dhcp snooping binding mac address vlan-id vlan-id ipv6 ipv6-address interface interfacetype | interface-number lease value Clearing the Binding Table To clear the binding table, use the following command. • Delete all of the entries in the binding table. EXEC Privilege mode clear ip dhcp snooping binding Clearing the DHCP IPv6 Binding Table To clear the DHCP IPv6 binding table, use the following command. • Delete all of the entries in the binding table.
Displaying the Contents of the DHCPv6 Binding Table To display the contents of the DHCP IPv6 binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ipv6 dhcp snooping biniding Example of the show ipv6 dhcp snooping binding Command View the DHCP snooping statistics with the show ipv6 dhcp snooping command.
10.1.1.251 10.1.1.252 10.1.1.253 10.1.1.254 00:00:4d:57:f2:50 00:00:4d:57:e6:f6 00:00:4d:57:f8:e8 00:00:4d:69:e8:f2 172800 172800 172740 172740 D D D D Vl Vl Vl Vl 10 10 10 10 Te Te Te Te 1/2 1/1 1/3 1/5 Total number of Entries in the table : 4 Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism.
Configuring Dynamic ARP Inspection To enable dynamic ARP inspection, use the following commands. 1 Enable DHCP snooping. 2 Validate ARP frames against the DHCP snooping binding table. INTERFACE VLAN mode arp inspection Examples of Viewing the ARP Information To view entries in the ARP database, use the show arp inspection database command.
Source Address Validation Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV). Table 26. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
DHCP MAC Source Address Validation DHCP MAC source address validation (SAV) validates a DHCP packet’s source hardware address against the client hardware address field (CHADDR) in the payload. Dell Networking OS ensures that the packet’s source MAC address is checked against the CHADDR field in the DHCP header only for packets from snooped VLANs. • Enable DHCP MAC SAV.
Total cam count 1 deny count (0 packets) deny access-list on TenGigabitEthernet 1/2 Total cam count 2 deny vlan 10 count (0 packets) deny vlan 20 count (0 packets) The following output of the show ip dhcp snooping source-address-validation discard-counters interface interface command displays the number of SAV dropped packets on a particular interface.
15 Equal Cost Multi-Path (ECMP) This chapter describes configuring ECMP. This chapter describes configuring ECMP. ECMP for Flow-Based Affinity ECMP for flow-based affinity includes link bundle monitoring. Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command.
Configuring the Hash Algorithm Seed Deterministic ECMP sorts ECMPs in order even though RTM provides them in a random order. However, the hash algorithm uses as a seed the lower 12 bits of the chassis MAC, which yields a different hash result for every chassis. This behavior means that for a given flow, even though the prefixes are sorted, two unrelated chassis can select different hops.
Te 1/1 Te 1/1 Up Up 36 52 Managing ECMP Group Paths To avoid path degeneration, configure the maximum number of paths for an ECMP route that the L3 CAM can hold. When you do not configure the maximum number of routes, the CAM can hold a maximum ECMP per route. To configure the maximum number of paths, use the following command. NOTE: For the new settings to take effect, save the new ECMP settings to the startup-config (write-mem) then reload the system.
link-bundle-distribution trigger-threshold {percent} The range is from 1 to 90%. • The default is 60%. Display details for an ECMP group bundle. EXEC mode show link-bundle-distribution ecmp-group ecmp-group-id The range is from 1 to 64. Viewing an ECMP Group NOTE: An ecmp-group index is generated automatically for each unique ecmp-group when you configure multipath routes to the same network. The system can generate a maximum of 512 unique ecmp-groups.
ipv6-over-gre-ipv6 Payload header mac-in-mac header based hashing is disabled TcpUdp Load Balancing Enabled Dell(conf)# • Packet Header parameters for the first portion of the RTAG7 hash can be controlled. By default, all the listed parameters from the Packet header are considered for hash computation. Few parameters [on demand] can be removed using the given CLIs.
explains the traffic polarization effect. Router B performs the same hash as router A and all the traffic goes through the same path to router D, while no traffic is redirected to router E. The following figure explains the traffic polarization effect: Figure 40. Before Polarization Effect Router B performs the same hash as router A and all the traffic goes through the same path to router D, while no traffic is redirected to router E.
crc32MSB crc32LSB xor1 of xor1 xor2 of xor2 xor4 of xor4 xor8 of xor8 xor16 CRC32_UPPER - MSB 16 bits of computed CRC32 CRC32_LOWER - LSB 16 bits of computed CRC32 CRC16_BISYNC_AND_XOR1 - Upper 8 bits of CRC16-BISYNC and lower 8 bits CRC16_BISYNC_AND_XOR2 - Upper 8 bits of CRC16-BISYNC and lower 8 bits CRC16_BISYNC_AND_XOR4 - Upper 8 bits of CRC16-BISYNC and lower 8 bits CRC16_BISYNC_AND_XOR8 - Upper 8 bits of CRC16-BISYNC and lower 8 bits CR16 - 16 bit XOR] Example to view show hash-algorithm: Dell(conf)
16 FIP Snooping The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge. NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
• Allow transit Ethernet bridges to efficiently monitor FIP frames passing between FCoE end-devices and an FCF. To dynamically configure ACLs on the bridge to only permit traffic authorized by the FCF, use the FIP snooping data. FIP enables FCoE devices to discover one another, initialize and maintain virtual links over an Ethernet network, and access storage devices in a storage area network (SAN).
FIP Function Description Logout On receiving a FLOGI packet, FSB deletes all existing sessions from the ENode to the FCF. Figure 42. FIP Discovery and Login Between an ENode and an FCF FIP Snooping on Ethernet Bridges In a converged Ethernet network, intermediate Ethernet bridges can snoop on FIP packets during the login process on an FCF. Then, using ACLs, a transit bridge can permit only authorized FCoE traffic to be transmitted between an FCoE end-device and an FCF.
S4048–ON switch.The switch operates as a lossless FIP snooping bridge to transparently forward FCoE frames between the ENode servers and the FCF switch. Figure 43. FIP Snooping on a Dell Networking Switch The following sections describe how to configure the FIP snooping feature on a switch: • Allocate CAM resources for FCoE. • Perform FIP snooping (allowing and parsing FIP frames) globally on all VLANs or on a per-VLAN basis.
FIP Snooping in a Switch Stack FIP snooping supports switch stacking as follows: • A switch stack configuration is synchronized with the standby stack unit. • Dynamic population of the FCoE database (ENode, Session, and FCF tables) is synchronized with the standby stack unit. The FCoE database is maintained by snooping FIP keep-alive messages. • In case of a failover, the new master switch starts the required timers for the FCoE database tables. Timers run only on the master stack unit.
• • You can configure multiple FCF-trusted interfaces in a VLAN. When you disable FIP snooping: – ACLs are not installed, FIP and FCoE traffic is not blocked, and FIP packets are not processed. – The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature. • You must apply the CAM-ACL space for the FCoE region before enabling the FIP-Snooping feature.
• FIP frames are allowed to pass through the switch on the enabled VLANs and are processed to generate FIP snooping ACLs. • FCoE traffic is allowed on VLANs only after a successful virtual-link initialization (fabric login FLOGI) between an ENode and an FCF. All other FCoE traffic is dropped. • You must configure at least one interface for FCF (FCoE Forwarder) mode on a FIP snooping-enabled VLAN. You can configure multiple FCF trusted interfaces in a VLAN.
Table 28. Impact of Enabling FIP Snooping Impact Description MAC address learning MAC address learning is not performed on FIP and FCoE frames, which are denied by ACLs dynamically created by FIP snooping on server-facing ports in ENode mode. MTU auto-configuration MTU size is set to mini-jumbo (2500 bytes) when a port is in Switchport mode, the FIP snooping feature is enabled on the switch, and FIP snooping is enabled on all or individual VLANs.
CONFIGURATION mode. feature fip-snooping 5 Enable FIP snooping on all VLANs or on a specified VLAN. CONFIGURATION mode or VLAN INTERFACE mode. fip-snooping enable 6 Configure the port for bridge-to-FCF links. INTERFACE mode or CONFIGURATION mode fip-snooping port-mode fcf NOTE: To disable the FCoE transit feature or FIP snooping on VLANs, use the no version of a command; for example, no feature fip-snooping or no fip-snooping enable.
aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 aa:bb:cc:00:00:00 FCoE MAC 0e:fc:00:01:00:01 0e:fc:00:01:00:02 0e:fc:00:01:00:03 0e:fc:00:01:00:04 0e:fc:00:01:00:05 Te Te Te Te Te 1/42 1/42 1/42 1/42 1/42 FC-ID 01:00:01 01:00:02 01:00:03 01:00:04 01:00:05 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 aa:bb:cd:00:00:00 Te Te Te Te Te Port WWPN 31:00:0e:fc:00:00:00:00 41:00:0e:fc:00:00:00:00 41:00:0e:fc:00:00:00:01 41:00:0e:fc:00:00:00:02 41:00:0e:fc:00:
Field Description VLAN VLAN ID number used by the session. FC-ID Fibre Channel session ID assigned by the FCF. The following example shows the show fip-snooping fcf command. Dell# show fip-snooping fcf FCF MAC FCF Interface VLAN FC-MAP FKA_ADV_PERIOD No. of Enodes ------------------- ---- ------------------- ------------54:7f:ee:37:34:40 Po 22 100 0e:fc:00 4000 2 The following table describes the show fip-snooping fcf command fields. Table 32.
Number Number Number Number Number Number Number Number Number Number Number Number Number Number Number of of of of of of of of of of of of of of of FLOGO Enode Keep Alive VN Port Keep Alive Multicast Discovery Advertisement Unicast Discovery Advertisement FLOGI Accepts FLOGI Rejects FDISC Accepts FDISC Rejects FLOGO Accepts FLOGO Rejects CVL FCF Discovery Timeouts VN Port Session Timeouts Session failures due to Hardware Config :0 :4416 :3136 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 :0 The following example s
Field Description Number of ENode Keep Alives Number of FIP-snooped ENode keep-alive frames received on the interface. Number of VN Port Keep Alives Number of FIP-snooped VN port keep-alive frames received on the interface. Number of Multicast Discovery Advertisements Number of FIP-snooped multicast discovery advertisements received on the interface. Number of Unicast Discovery Advertisements Number of FIP-snooped unicast discovery advertisements received on the interface.
FCoE Transit Configuration Example The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway. Figure 44. Configuration Example: FIP Snooping on a Switch In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
Example of Configuring the ENode Server-Facing Port Dell(conf)# interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)# portmode hybrid Dell(conf-if-te-1/1)# switchport Dell(conf-if-te-1/1)# protocol lldp Dell(conf-if-te-1/1-lldp)# dcbx port-role auto-downstream NOTE: A port is enabled by default for bridge-ENode links.
17 FIPS Cryptography Federal information processing standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms.
Enabling FIPS Mode To enable or disable FIPS mode, use the console port. Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a virtual terminal session are denied. When you enable FIPS mode, the following actions are taken: • If enabled, the SSH server is disabled. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
Examples of the show fips status and show system Commands The following example shows the show fips status command. Dell#show fips status FIPS Mode : Enabled for the system using the show system command. The following example shows the show system command. Disabling FIPS Mode When you disable FIPS mode, the following changes occur: • The SSH server disables. • All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
18 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) and may require 4 to 5 seconds to reconverge.
The Control VLAN is used to perform the health checks on the ring. The Control VLAN can always pass through all ports in the ring, including the secondary port of the Master node. Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring.
Member VLAN Spanning Two Rings Connected by One Switch A member VLAN can span two rings interconnected by a common switch, in a figure-eight style topology. A switch can act as a Master node for one FRRP group and a Transit for another FRRP group, or it can be a Transit node for both rings. In the following example, FRRP 101 is a ring with its own Control VLAN, and FRRP 202 has its own Control VLAN running on another ring. A Member VLAN that spans both rings is added as a Member VLAN to both FRRP groups.
• The Master node transmits ring status check frames at specified intervals. • You can run multiple physical rings on the same switch. • One Master node per ring — all other nodes are Transit. • Each node has two member interfaces — primary and secondary. • There is no limit to the number of nodes on a ring. • Master node ring port states — blocking, pre-forwarding, forwarding, and disabled. • Transit node ring port states — blocking, pre-forwarding, forwarding, and disabled.
Concept Explanation Ring Health-Check The Master node generates two types of RHFs. RHFs never loop the ring because they terminate at the Frame (RHF) Master node’s secondary port. • Hello RHF (HRHF) — These frames are processed only on the Master node’s Secondary port. The Transit nodes pass the HRHF through without processing it. An HRHF is sent at every Hello interval. • Topology Change RHF (TCRHF) — These frames contains ring status, keepalive, and the control and member VLAN hash.
Ring ID: the range is from 1 to 255. Configuring the Control VLAN Control and member VLANS are configured normally for Layer 2. Their status as control or member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to Layer 2. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • You can only add ring nodes to the VLAN. • A control VLAN can belong to one FRRP group only. • Tag control VLAN ports.
no disable Configuring and Adding the Member VLANs Control and member VLANS are configured normally for Layer 2. Their status as Control or Member is determined at the FRRP group commands. For more information about configuring VLANS in Layer 2 mode, refer to the Layer 2 chapter. Be sure to follow these guidelines: • All VLANS must be in Layer 2 mode. • Tag control VLAN ports. Member VLAN ports, except the Primary/Secondary interface, can be tagged or untagged.
Setting the FRRP Timers To set the FRRP timers, use the following command. NOTE: Set the Dead-Interval time 3 times the Hello-Interval. • Enter the desired intervals for Hello-Interval or Dead-Interval times. CONFIG-FRRP mode. timer {hello-interval|dead-interval} milliseconds – Hello-Interval: the range is from 50 to 2000, in increments of 50 (default is 500). – Dead-Interval: the range is from 50 to 6000, in increments of 50 (default is 1500).
Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information. Configuration Checks • Each Control Ring must use a unique VLAN ID. • Only two interfaces on a switch can be Members of the same control VLAN. • There can be only one Master node for any FRRP group. • You can configure FRRP on Layer 2 interfaces only. • Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
tagged TenGigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged TenGigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary TenGigabitEthernet 2/14 secondary TenGigabitEthernet 2/31 control-vlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface TenGigabitEthernet 3/14 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/21 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TenGigabitEthernet 3/14
19 GARP VLAN Registration Protocol (GVRP) The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
• Configure a GARP Timer • RPM Redundancy Configure GVRP To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports. Figure 46. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2.
Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch. CONFIGURATION mode gvrp enable Example of Configuring GVRP Dell(conf)#protocol gvrp Dell(config-gvrp)#no disable Dell(config-gvrp)#show config ! protocol gvrp no disable Dell(config-gvrp)# To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command.
Based on the configuration in the following example, the interface is not removed from VLAN 34 or VLAN 35 despite receiving a GVRP Leave message. Additionally, the interface is not dynamically added to VLAN 45 or VLAN 46, even if a GVRP Join message is received.
• RPM Synchronization GARP VLAN Registration Protocol (GVRP) 353
20 High Availability (HA) High availability (HA) is supported on Dell Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell Networking OS release. Table 34. Boot Code Requirements Component Boot Code S4048–ON 1 2.0.
Example of the show redundancy Command Dell#show redundancy -- Stack-unit Status ------------------------------------------------Mgmt ID: 0 Stack-unit ID: 0 Stack-unit Redundancy Role: Primary Stack-unit State: Active Stack-unit SW Version: 9.6(0.
Proceed with Stack-unit hot failover [confirm yes/no]:yes Dell# Specifying an Auto-Failover Limit When a non-recoverable fatal error is detected, an automatic failover occurs. However, Dell Networking OS is configured to auto-failover only three times within any 60 minute period. You may specify a different auto-failover count. To re-enable the auto-failover-limit with its default parameters, use the redundancy auto-failover-limit command without parameters. • Set a different auto-failover count.
Removing a Provisioned Logical Stack Unit To remove the line card configuration, use the following command. • To remove a logical stack-unit configuration, use the following command: CONFIGURATION mode no stack-unit unit_id provision Hitless Behavior Hitless is a protocol-based system behavior that makes a stack unit failover on the local system transparent to remote systems.
Software Resiliency During normal operations, Dell Networking OS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest. Software Component Health Monitoring On each of the line cards and the stack unit, there are a number of software components.
System Log Event messages provide system administrators diagnostics and auditing information. Dell Networking OS sends event messages to the internal buffer, all terminal lines, the console, and optionally to a syslog server. For more information about event messages and configurable options, refer to Management. Hot-Lock Behavior Dell Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic.
21 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
time. A host joins and leaves a multicast group by sending an IGMP message to its IGMP Querier. The querier is the router that surveys a subnet for multicast receivers and processes survey responses to populate the multicast routing table. IGMP messages are encapsulated in IP packets, as shown in the following illustration. Figure 47.
period and sends another query. If it still receives no response, the querier removes the group from the list associated with forwarding port and stops forwarding traffic for that group to the subnet. IGMP Version 3 Conceptually, IGMP version 3 behaves the same as version 2. However, there are differences. • Version 3 adds the ability to filter by multicast source, which helps multicast routing protocols avoid forwarding traffic to subnets where there are no interested receivers.
Joining and Filtering Groups and Sources The following illustration shows how multicast routers maintain the group and source information from unsolicited reports. 1. The first unsolicited report from the host indicates that it wants to receive traffic for group 224.1.1.1. 2. The host’s second report indicates that it is only interested in traffic from group 224.1.1.1, source 10.11.1.1. Include messages prevents traffic from all other sources in the group from reaching the subnet.
Leaving and Staying in Groups The following illustration shows how multicast routers track and refresh state changes in response to group-and-specific and general queries. 1. Host 1 sends a message indicating it is leaving group 224.1.1.1 and that the included filter for 10.11.1.1 and 10.11.1.2 are no longer necessary. 2.
Related Configuration Tasks • Viewing IGMP Enabled Interfaces • Selecting an IGMP Version • Viewing IGMP Groups • Adjusting Timers • Preventing a Host from Joining a Group • Enabling IGMP Immediate-Leave • IGMP Snooping • Fast Convergence after MSTP Topology Changes • Designating a Multicast Router Interface Viewing IGMP Enabled Interfaces Interfaces that are enabled with PIM-SM are automatically enabled with IGMP. To view IGMP-enabled interfaces, use the following command.
IGMP IGMP IGMP IGMP IGMP IGMP IGMP IGMP query interval is 60 seconds querier timeout is 125 seconds max query response time is 10 seconds last member query response interval is 1000 ms immediate-leave is disabled activity: 0 joins, 0 leaves, 0 channel joins, 0 channel leaves querying router is 1.1.1.1 (this system) version is 3 Viewing IGMP Groups To view both learned and statically configured IGMP groups, use the following command. • View both learned and statically configured IGMP groups.
• Adjust the maximum response time. INTERFACE mode • ip igmp query-max-resp-time Adjust the last member query interval. INTERFACE mode ip igmp last-member-query-interval Preventing a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports using an extended access list containing the permissible source-group pairs. NOTE: For rules in IGMP access lists, source is the multicast source, not the source of the IGMP packet.
entry is created only for group 239.0.0.1. VLAN 300 has no access list limiting Receiver 1, so both IGMP reports are accepted and two corresponding entries are created in the routing table. Figure 52. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 35. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.
Location Description • no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value). Then, after no response, it removes the group from the outgoing interface for the subnet. IGMP immediate leave reduces leave latency by enabling a router to immediately delete the group membership on an interface after receiving a Leave message (it does not send any group-specific or group-and-source queries before deleting the entry).
INTERFACE VLAN mode no ip igmp snooping Related Configuration Tasks • Removing a Group-Port Association • Disabling Multicast Flooding • Specifying a Port as Connected to a Multicast Router • Configuring the Switch as Querier Example of ip igmp snooping enable Command Dell(conf)#ip igmp snooping enable Dell(conf)#do show running-config igmp ip igmp snooping enable Dell(conf)# Removing a Group-Port Association To configure or view the remove a group-port association feature, use the following comman
• Statically specify a port in a VLAN as connected to a multicast router. INTERFACE VLAN mode • ip igmp snooping mrouter View the ports that are connected to multicast routers. EXEC Privilege mode. show ip igmp snooping mrouter Configuring the Switch as Querier To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report.
address as the source IP address. This information is sent out of the switch through the management port instead of the frontend port. The management EIS feature is applicable only for the out-of-band (OOB) management port. References in this section to the management default route or static route denote the routes configured using the management route command. The management default route can be either configured statically or returned dynamically by the DHCP client.
Application Name Port Number Client TFTP 69 Supported Radius 1812,1813 Supported Tacacs 49 Supported HTTP 80 for httpd Server Supported 443 for secure httpd 8008 HTTP server port for confd application 8888 secure HTTP server port for confd application If you configure a source interface is for any EIS management application, EIS might not coexist with that interface and the behavior is undefined in such a case.
• If the SSH request is received on the front-end port destined for the front-end IP address, the response traffic is sent by doing a route lookup in the default routing table only. • If the management port is down or route lookup fails in the management EIS routing table, packets are dropped. • For all non-management applications, traffic exits out of either front-end data port or management port based on route lookup in default routing table.
• For TFTP, data transfer is initiated on port 69, but the data transfer ports are chosen independently by the sender and receiver during initialization of the connection. The ports are chosen at random according to the parameters of the networking stack, typically from the range of temporary ports. • If route lookup in EIS routing table succeeds, the application-specific packet count is incremented. This counter is viewed using the show management application pkt-cntr command.
Handling of Transit Traffic (Traffic Separation) This is forwarded traffic where destination IP is not an IP address configured in the switch. • Packets received on the management port with destination on the front-end port is dropped. • Packets received on the front-end port with destination on the management port is dropped. • A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
This phenomenon occurs where traffic is terminated on the switch. Traffic has not originated from the switch and is not transiting the switch. The switch accepts all traffic destined to the switch, which is received on management or front-end data port. Response traffic with management port IP address as source IP address is handled in the same manner as switch originated traffic. Switch-Originated Traffic This phenomenon occurs where traffic is originating from the switch. 1.
Protocol Behavior when EIS is Enabled Behavior when EIS is Disabled syslog EIS Behavior Default Behavior tacacs EIS Behavior Default Behavior telnet EIS Behavior Default Behavior tftp EIS Behavior Default Behavior icmp (ping and traceroute) EIS Behavior for ICMP Default Behavior Behavior of Various Applications for Switch-Destined Traffic This section describes the different system behaviors that occur when traffic is terminated on the switch.
Interworking of EIS With Various Applications Stacking • The management EIS is enabled on the master and the standby unit. • Because traffic can be initiated from the Master unit only, the preference to management EIS table for switch-initiated traffic and all its related ARP processing is done in the Master unit only. • ARP-related processing for switch-destined traffic is done by both master and standby units. VLT VLT feature is for the front-end port only.
22 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces. NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to error-disabled state.
• Loopback Interfaces • Null Interfaces • Port Channel Interfaces • Bulk Configuration • Defining Interface Range Macros • Monitoring and Maintaining Interfaces • Non Dell-Qualified Transceivers • Splitting QSFP Ports to SFP+ Ports • Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port • Configuring wavelength for 10–Gigabit SFP+ optics • Link Dampening • Link Bundle Monitoring • Using Ethernet Pause Frames for Flow Control • Configure the MTU Size on an Interface • Port-Pipes
NOTE: To end output from the system, such as the output from the show interfaces command, enter CTRL+C and Dell Networking OS returns to the command prompt. NOTE: The CLI output may be incorrectly displayed as 0 (zero) for the Rx/Tx power values. To obtain the correct power information, perform a simple network management protocol (SNMP) query. Examples of the show Commands The following example shows the configuration and status information for one interface.
shutdown ! interface TenGigabitEthernet 2/7 no ip address shutdown ! interface TenGigabitEthernet 2/8 no ip address shutdown ! interface TenGigabitEthernet 2/9 no ip address shutdown Resetting an Interface to its Factory Default State You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps: 1 View the configurations applied on an interface.
2 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Enable the interface. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
Type of Interface Possible Modes Requires Creation Default State Port Channel Layer 2 Yes Shutdown (disabled) Yes, except for the default VLAN. No shutdown (active for Layer 2) Layer 3 VLAN Layer 2 Layer 3 Shutdown (disabled for Layer 3) Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode.
INTERFACE mode • ip address ip-address Enable the interface. INTERFACE mode no shutdown Example of Error Due to Issuing a Layer 3 Command on a Layer 2 Interface If an interface is in the incorrect layer mode for a given command, an error message is displayed (shown in bold). In the following example, the ip address command triggered an error message because the interface is in Layer 2 mode and the ip address command is a Layer 3 command only.
ICMP redirects are not sent ICMP unreachables are not sent Egress Interface Selection (EIS) EIS allows you to isolate the management and front-end port domains by preventing switch-initiated traffic routing between the two domains. This feature provides additional security by preventing flooding attacks on front-end ports. The following protocols support EIS: DNS, FTP, NTP, RADIUS, sFlow, SNMP, SSH, Syslog, TACACS, Telnet, and TFTP. This feature does not support sFlow on stacked units.
• Enter the slot and the port (1) to configure a Management interface. CONFIGURATION mode interface managementethernet interface The slot range is 1. • The port range is 1. Configure an IP address and mask on a Management interface. INTERFACE mode ip address ip-address mask – ip-address mask: enter an address in dotted-decimal format (A.B.C.D). The mask must be in /prefix format (/x).
• virtual-ip is a CONFIGURATION mode command. • When applied, the management port on the primary RPM assumes the virtual IP address. Executing the show interfaces and show ip interface brief commands on the primary RPM management interface displays the virtual IP address and not the actual IP address assigned on that interface. A duplicate IP address message is printed for the management port’s virtual IP address on an RPM failover.
C 10.11.130.0/23 Dell# Direct, Te 1/1 0/0 1d2h VLAN Interfaces VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information about VLANs and Layer 2, see Layer 2 and Virtual LANs (VLANs). NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
• show interface loopback number Delete a Loopback interface. CONFIGURATION mode no interface loopback number Many of the commands supported on physical interfaces are also supported on a Loopback interface. Null Interfaces The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command. • Enter INTERFACE mode of the Null interface.
Port Channel Implementation Dell Networking OS supports static and dynamic port channels. • Static — Port channels that are statically configured. • Dynamic — Port channels that are dynamically configured using the link aggregation control protocol (LACP). For details, see Link Aggregation Control Protocol (LACP). There are 128 port-channels with 16 members per channel. As soon as you configure a port channel, Dell Networking OS treats it like a physical interface. For example, IEEE 802.
Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
NOTE: The system supports jumbo frames by default (the default maximum transmission unit (MTU) is 1554 bytes). To configure the MTU, use the mtu command from INTERFACE mode. To view the interface’s configuration, enter INTERFACE mode for that interface and use the show config command or from EXEC Privilege mode, use the show running-config interface interface command. When an interface is added to a port channel, Dell Networking OS recalculates the hash algorithm.
When more than one interface is added to a Layer 2-port channel, Dell Networking OS selects one of the active interfaces in the port channel to be the primary port. The primary port replies to flooding and sends protocol data units (PDUs). An asterisk in the show interfaces port-channel brief command indicates the primary port. As soon as a physical interface is added to a port channel, the properties of the port channel determine the properties of the physical interface.
Configuring the Minimum Oper Up Links in a Port Channel You can configure the minimum links in a port channel (LAG) that must be in “oper up” status to consider the port channel to be in “oper up” status. To set the “oper up” status of your links, use the following command. • Enter the number of links in a LAG that must be in “oper up” status. INTERFACE mode minimum-links number The default is 1.
Configuring VLAN Tags for Member Interfaces To configure and verify VLAN tags for individual members of a port channel, perform the following: 1 Configure VLAN membership on individual ports INTERFACE mode Dell(conf-if)#vlan tagged 2,3-4 2 Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface INTERFACE mode Dell(conf-if)#switchport 3 Verify the manually configured VLAN membership (show interfaces switchport interface command).
When you disable a port channel, all interfaces within the port channel are operationally down also. Load Balancing Through Port Channels Dell Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among Equal Cost Multi-path (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link.
Bulk Configuration Bulk configuration allows you to determine if interfaces are present for physical interfaces or configured for logical interfaces. Interface Range An interface range is a set of interfaces to which other commands may be applied and may be created if there is at least one valid interface within the range. Bulk configuration excludes from configuration any non-existing interfaces from an interface range.
Create a Single-Range The following is an example of a single range. Example of the interface range Command (Single Range) Dell(config)# interface range tengigabitethernet 1/1 - 1/23 Dell(config-if-range-te-1/1-1/23)# no shutdown Dell(config-if-range-te-1/1-1/23)# Create a Multiple-Range The following is an example of multiple range.
Add Ranges The following example shows how to use commas to add VLAN and port-channel interfaces to the range. Example of Adding VLAN and Port-Channel Interface Ranges Dell(config-if-range-te-1/1-1/2)# interface range Vlan 2 – 100 , Port 1 – 25 Dell(config-if-range-te-1/1-1/2-vl-2-100-po-1-25)# no shutdown Defining Interface Range Macros You can define an interface-range macro to automatically select a range of interfaces for configuration.
– For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Example of the monitor interface Command The information displays in a continuous run, refreshing every 2 seconds by default. To manage the output, use the following keys.
NOTE: TDR is an intrusive test. Do not run TDR on a link that is up and passing traffic. To test and display TDR results, use the following commands. 1 To test for cable faults on the TenGigabitEthernet cable. EXEC Privilege mode tdr-cable-test tengigabitethernet slot/port[/subport] Between two ports, do not start the test on both ends of the cable. Enable the interface before starting the test. Enable the port to run the test or the test prints an error message. 2 Displays TDR test results.
CONFIGURATION mode stack-unit stack-unit-number port number portmode quad – number: enter the port number of the 40G port to be split. NOTE: To revert the port mode to 40G, use the no stack-unit stack-unit-number port port-number portmode quad command. Important Points to Remember • Splitting a 40G port into four 10G ports is supported on standalone and stacked units. • You cannot use split ports as stack-link to stack a system.
• You cannot use QSFP Optical cables on the same port where QSA is used. • When you remove the QSA module alone from a 40 Gigabit port, without connecting any SFP or SFP+ cables; Dell Networking OS does not generate any event. However, when you remove a QSA module that has SFP or SFP+ optical cables plugged in, Dell Networking OS generates an SFP or SFP+ Removed event. Example Scenarios Consider the following scenarios: • QSFP port 0 is connected to a QSA with SFP+ optical cables plugged in.
SFP 1 Serial ID Base Fields SFP 1 Id = 0x0d SFP 1 Ext Id = 0x00 SFP 1 Connector = 0x23 SFP 1 Transceiver Code = 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 SFP 1 Encoding = 0x00 ……………… ……………… SFP 1 Diagnostic Information =================================== SFP 1 Rx Power measurement type = OMA =================================== SFP 1 Temp High Alarm threshold = 0.000C SFP 1 Voltage High Alarm threshold = 0.000V SFP 1 Bias High Alarm threshold = 0.
• You can configure link dampening on individual interfaces in a LAG. Enabling Link Dampening To enable link dampening, use the following command. • Enable link dampening. INTERFACE mode dampening Examples of the show interfaces dampening Commands To view the link dampening configuration on an interface, use the show config command. R1(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 ip address 10.10.19.
Link Dampening Support for XML View the output of the following show commands in XML by adding | display xml to the end of the command. • show interfaces dampening • show interfaces dampening summary • show interfaces interface slot/port[/subport] Configure MTU Size on an Interface In Dell Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload).
• View the link bundle monitoring status. show link-bundle-distribution Using Ethernet Pause Frames for Flow Control Ethernet pause frames and threshold settings are supported on the Dell Networking OS. Ethernet Pause Frames allow for a temporary stop in data transmission. A situation may arise where a sending device may transmit data faster than a destination device can accept it. The destination sends a PAUSE frame back to the source, stopping the sender’s transmission for a period of time.
INTERFACE mode flowcontrol rx [off | on] tx [off | on] [negotiate] – rx on: enter the keywords rx on to process the received flow control frames on this port. – rx off: enter the keywords rx off to ignore the received flow control frames on this port. – tx on: enter the keywords tx on to send control frames from this port to the connected device when a higher rate of traffic is received.
• Members can have different Link MTU values. Tagged members must have a link MTU 4–bytes higher than untagged members to account for the packet tag. • The VLAN link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the VLAN members. For example, the VLAN contains tagged members with Link MTU of 1522 and IP MTU of 1500 and untagged members with Link MTU of 1518 and IP MTU of 1500.
INTERFACE mode speed {10 | 100 | 1000 | 10000 | auto} NOTE: If you use an active optical cable (AOC), you can convert the QSFP+ port to a 10 Gigabit SFP+ port or 1 Gigabit SFP port. You can use the speed command to enable the required speed. 6 Optionally, set full- or half-duplex. INTERFACE mode duplex {half | full} 7 Disable auto-negotiation on the port. INTERFACE mode no negotiation auto If the speed was set to 1000, do not disable auto-negotiation. 8 Verify configuration changes.
Set Auto-Negotiation Options The negotiation auto command provides a mode option for configuring an individual port to forced master/ forced slave once auto-negotiation is enabled. CAUTION: Ensure that only one end of the node is configured as forced-master and the other is configured as forcedslave. If both are configured the same (that is, both as forced-master or both as forced-slave), the show interface command flaps between an auto-neg-error and forced-master/slave states.
Dell#show running-config interfaces configured Dell#show running-config interface tengigabitEthernet 1 configured In EXEC mode, the show interfaces switchport command displays only interfaces in Layer 2 mode and their relevant configuration information. The show interfaces switchport command displays the interface, whether it supports IEEE 802.1Q tagging or not, and the VLANs to which the interface belongs. Dell#show interfaces switchport Name: TenGigabitEthernet 3/1 802.
0 throttles, 0 discarded Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate Output 00.00 Mbits/sec, 0 packets/sec, 0.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces or selected ones. Without an interface specified, the command clears all interface counters. EXEC Privilege mode clear counters [interface] [vrrp [vrid] | learning-limit] (OPTIONAL) Enter the following interface keywords and slot/port or number information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information.
23 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel. • Transport mode — (default) Use to encrypt only the payload of the packet. Routing information is unchanged.
crypto ipsec policy myCryptoPolicy 10 ipsec-manual transform-set myXform-set session-key inbound esp 256 auth encrypt session-key outbound esp 257 auth encrypt match 0 tcp a::1 /128 0 a::2 /128 23 match 1 tcp a::1 /128 23 a::2 /128 0 match 2 tcp a::1 /128 0 a::2 /128 21 match 3 tcp a::1 /128 21 a::2 /128 0 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21 match 7 tcp 1.1.1.1 /32 21 1.1.1.
24 IPv4 Routing The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
• Configuring a Broadcast Address • Configurations Using UDP Helper • UDP Helper with Broadcast-All Addresses • UDP Helper with Subnet Broadcast Addresses • UDP Helper with Configured Broadcast Addresses • UDP Helper with No Configured Broadcast Addresses • Troubleshooting UDP Helper IP Addresses Dell Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks.
2 • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Enable the interface.
– tag tag-value: the range is from 1 to 4294967295. (optional) Example of the show ip route static Command To view the configured routes, use the show ip route static command. Dell#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.4/32 via 6.1.20.2, S 6.1.2.5/32 via 6.1.20.2, S 6.1.2.6/32 via 6.1.20.2, S 6.1.2.7/32 via 6.1.20.2, S 6.1.2.8/32 via 6.1.20.2, S 6.1.2.9/32 via 6.1.20.2, S 6.
IPv4 Path MTU Discovery Overview The size of the packet that can be sent across each hop in the network path without being fragmented is called the path maximum transmission unit (PMTU). This value might vary for the same route between two devices, mainly over a public network, depending on the network load and speed, and it is not a consistent value. The MTU size can also be different for various types of traffic sent from one host to the same endpoint.
Configuring the Duration to Establish a TCP Connection You can configure the duration for which the device must wait before it attempts to establish a TCP connection. Using this capability, you can limit the wait times for TCP connection requests.
• Specifying the Local System Domain and a List of Domains • Configuring DNS with Traceroute Name server, Domain name, and Domain list are VRF specific. The maximum number of Name servers and Domain lists per VRF is six. Enabling Dynamic Resolution of Host Names By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands. • Enable dynamic resolution of host names. CONFIGURATION mode • ip domain-lookup Specify up to six name servers.
Configure this command up to six times to specify a list of possible domain names. Dell Networking OS searches the domain names in the order they were configured until a match is found or the list is exhausted. Configuring DNS with Traceroute To configure your switch to perform DNS with traceroute, use the following commands. • Enable dynamic resolution of host names. CONFIGURATION mode • ip domain-lookup Specify up to six name servers. CONFIGURATION mode ip name-server ip-address [ip-address2 ...
Configuration Tasks for ARP For a complete listing of all ARP-related commands, refer to the Dell Networking OS Command Line Reference Guide.
Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. • Clear the ARP caches for all interfaces or for a specific interface by entering the following information. EXEC privilege clear arp-cache [interface | ip ip-address] [no-refresh] – ip ip-address (OPTIONAL): enter the keyword ip then the IP address of the ARP entry you wish to clear. – no-refresh (OPTIONAL): enter the keywords no-refresh to delete the ARP entry from CAM.
ARP Learning via ARP Request In Dell Networking OS versions prior to 8.3.1.0, Dell Networking OS learns via ARP requests only if the target IP specified in the packet matches the IP address of the receiving router interface. This is the case when a host is attempting to resolve the gateway address. If the target IP does not match the incoming interface, the packet is dropped. If there is an existing entry for the requesting host, it is updated. Figure 53.
CONFIGURATION mode arp retries number The default is 5. • The range is from 1 to 20. Set the exponential timer for resending unresolved ARPs. CONFIGURATION mode arp backoff-time The default is 30. • The range is from 1 to 3600. Display all ARP entries learned via gratuitous ARP.
UDP Helper User datagram protocol (UDP) helper allows you to direct the forwarding IP/UDP broadcast traffic by creating special broadcast addresses and rewriting the destination IP address of packets to match those addresses. Configure UDP Helper To configure Dell Networking OS to direct UDP broadcast, enable UDP helper and specify the UDP ports for which traffic is forwarded.
! interface Vlan 100 ip address 1.1.0.1/24 ip udp-broadcast-address 1.1.255.255 untagged TenGigabitEthernet 1/2 no shutdown To view the configured broadcast address for an interface, use show interfaces command. Dell#show interfaces vlan 100 Vlan 100 is up, line protocol is down Address is 00:01:e8:0d:b9:7a, Current address is 00:01:e8:0d:b9:7a Interface index is 1107787876 Internet address is 1.1.0.1/24 IP UDP-Broadcast address is 1.1.255.
3. Packet 2 is also forwarded to the ingress interface with an unchanged destination address because it does not have broadcast address configured. Figure 55. UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface.
Packet 2 is sent from a host on VLAN 101. It has broadcast MAC address and a destination IP address that matches the configured broadcast address on VLAN 101. In this case, Packet 2 is flooded on VLAN 101 with the destination address unchanged because the forwarding process is Layer 2. If you enabled UDP helper, the packet is flooded on VLAN 100 as well. Figure 57.
25 IPv6 Routing Internet protocol version 6 (IPv6) routing is the successor to IPv4. Due to the rapid growth in internet users and IP addresses, IPv4 is reaching its maximum usage. IPv6 will eventually replace IPv4 usage to allow for the constant expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and the Dell Networking support of IPv6. This chapter is not intended to be a comprehensive description of IPv6.
Extended Address Space The address format is extended from 32 bits to 128 bits. This not only provides room for all anticipated needs, it allows for the use of a hierarchical address space structure to optimize global addressing. Stateless Autoconfiguration When a booting device comes up in IPv6 and asks for its network prefix, the device can get the prefix (or prefixes) from an IPv6 router on its link.
• Payload Length (16 bits) • Next Header (8 bits) • Hop Limit (8 bits) • Source Address (128 bits) • Destination Address (128 bits) IPv6 provides for extension headers. Extension headers are used only if necessary. There can be no extension headers, one extension header or more than one extension header in an IPv6 packet. Extension headers are defined in the Next Header field of the preceding IPv6 header.
Payload Length (16 bits) The Payload Length field specifies the packet payload. This is the length of the data following the IPv6 header. IPv6 Payload Length only includes the data following the header, not the header itself. The Payload Length limit of 2 bytes requires that the maximum packet payload be 64 KB. However, the Jumbogram option type Extension header supports larger packet sizes when required. Next Header (8 bits) The Next Header field identifies the next header’s type.
Source Address (128 bits) The Source Address field contains the IPv6 address for the packet originator. Destination Address (128 bits) The Destination Address field contains the intended recipient’s IPv6 address. This can be either the ultimate destination or the address of the next hop router. Extension Header Fields Extension headers are used only when necessary. Due to the streamlined nature of the IPv6 header, adding extension headers do not severely impact performance.
11 Discard the packet and send an ICMP Parameter Problem, Code 2 message to the packet’s Source IP Address only if the Destination IP Address is not a multicast address. The second byte contains the Option Data Length. The third byte specifies whether the information can change en route to the destination. The value is 1 if it can change; the value is 0 if it cannot change.
In IPv6, every interface, whether using static or dynamic address assignments, also receives a local-link address automatically in the fe80::/64 subnet. Implementing IPv6 with Dell Networking OS Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature. Table 43.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location S4048–ON IS-IS for IPv6 support for redistribution 9.7.(0.1) Intermediate System to Intermediate System IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. ISIS for IPv6 support for distribute lists and administrative distance 9.7.(0.1) OSPF for IPv6 (OSPFv3) 9.7.(0.1) Equal Cost Multipath for IPv6 9.7.(0.
Generally, ICMPv6 uses two message types: • • Error reporting messages indicate when the forwarding or delivery of the packet failed at the destination or intermediate node. These messages include Destination Unreachable, Packet Too Big, Time Exceeded and Parameter Problem messages. Informational messages provide diagnostic functions and additional host functions, such as Neighbor Discovery and Multicast Listener Discovery. These messages also include Echo Request and Echo Reply messages.
used as the last 24 bits. Other hosts on the link do not participate in the process, greatly increasing network bandwidth efficiency. Figure 60. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate.
• link local addresses • loopback addresses • prefix addresses • multicast addresses • invalid host addresses If you specify this information in the IPv6 RDNSS configuration, a DNS error is displayed. Example for Configuring an IPv6 Recursive DNS Server The following example configures a RDNNS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
Link Local address: fe80::201:e8ff:fe8b:7570 Global Unicast address(es): 1212::12, subnet is 1212::/64 (MANUAL) Remaining lifetime: infinite Global Anycast address(es): Joined Group address(es): ff02::1 ff02::2 ff02::1:ff00:12 ff02::1:ff8b:7570 ND MTU is 0 ICMP redirects are not sent DAD is enabled, number of DAD attempts: 3 ND reachable time is 20120 milliseconds ND base reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds N
The CAM space is allotted in FP blocks. The total space allocated must equal 13 FP blocks. There are 16 FP blocks, but the System Flow requires three blocks that cannot be reallocated. You must enter the ipv6acl allocation as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or oddnumbered ranges.
– mask: The prefix length is from 0 to 128 NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits. Separate each group by a colon (:). Omitting zeros is accepted as described in Addressing. Assigning a Static IPv6 Route To configure IPv6 static routes, use the ipv6 route command.
to support IPv6. For more information regarding SNMP commands, refer to the SNMP and SYSLOG chapters in the Dell Networking OS Command Line Interface Reference Guide. • snmp-server host • snmp-server user ipv6 • snmp-server community ipv6 • snmp-server community access-list-name ipv6 • snmp-server group ipv6 • snmp-server group access-list-name ipv6 Displaying IPv6 Information View specific IPv6 configuration with the following commands. • List the IPv6 show options.
IPV6 is enabled Stateless address autoconfiguration is enabled Link Local address: fe80::201:e8ff:fe8b:386e Global Unicast address(es): Actual address is 400::201:e8ff:fe8b:386e, subnet is 400::/64 Actual address is 412::201:e8ff:fe8b:386e, subnet is 412::/64 Virtual-IP IPv6 address is not set Received Prefix(es): 400::/64 onlink autoconfig Valid lifetime: 2592000, Preferred lifetime: 604800 Advertised by: fe80::201:e8ff:fe8b:3166 412::/64 onlink autoconfig Valid lifetime: 2592000, Preferred lifetime: 60480
The following example shows the show ipv6 route command.
Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} – *: all routes. – ipv6 address: the format is x:x:x:x::x. – mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
match ra{ipv6-access-list name | ipv6-prefix-list name | mac-access-list name} 8 Enable verification of the advertised other configuration parameter. POLICY LIST CONFIGURATION mode other-config-flag {on | off} 9 Enable verification of the advertised default router preference value. The preference value must be less than or equal to the specified limit. POLICY LIST CONFIGURATION mode router-preference maximum {high | low | medium} 10 Set the router lifetime.
Configuring IPv6 RA Guard on an Interface To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps: 1 Configure the terminal to enter the Interface mode. CONFIGURATION mode interface interface-type slot/port 2 Apply the IPv6 RA guard to a specific interface. INTERFACE mode ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vland 2, vlan 3.....]] 3 Display the configurations applied on all the RA guard policies or a specific RA guard policy.
26 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables qualityof-service (QoS) treatment for iSCSI traffic.
• iSCSI QoS — A user-configured iSCSI class of service (CoS) profile is applied to all iSCSI traffic. Classifier rules are used to direct the iSCSI data traffic to queues that can be given preferential QoS treatment over other data passing through the switch. Preferential treatment helps to avoid session interruptions during times of congestion that would otherwise cause dropped iSCSI packets. • iSCSI DCBx TLVs are supported.
Application of Quality of Service to iSCSI Traffic Flows You can configure iSCSI CoS mode. This mode controls whether CoS (dot1p priority) queue assignment and/or packet marking is performed on iSCSI traffic. When you enable iSCSI CoS mode, the CoS policy is applied to iSCSI traffic. When you disable iSCSI CoS mode, iSCSI sessions and connections are still detected and displayed in the status tables, but no CoS policy is applied to iSCSI traffic.
After a switch is reloaded, any information exchanged during the initial handshake is not available. If the switch picks up the communication after reloading, it would detect a session was in progress but could not obtain complete information for it. Any incomplete information of this type would not be available in the show commands.
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer The following behavior occurs during synchronization of iSCSI sessions. • If the iSCSI login request packet is received on a port belonging to a VLT lag, the information is synced to the VLT peer and the connection is associated with this interface. • Additional updates to connections (including aging updates) that are learnt on VLT lag members are synced to the peer.
Default iSCSI Optimization Values The following table lists the default values for the iSCSI optimization feature. Table 44. iSCSI Optimization Defaults Parameter Default Value iSCSI Optimization global setting Disabled on the S4810, S4820T, S3048–ON, S4048–ON, and S3100 series. iSCSI CoS mode (802.1p priority queue mapping) dot1p priority 4 without the remark setting when you enable iSCSI. If you do not enable iSCSI, this feature is disabled.
NOTE: Content addressable memory (CAM) allocation is optional. If CAM is not allocated, the following features are disabled: • session monitoring • aging • class of service You can enable iSCSI even when allocated with zero (0) CAM blocks. However, if no CAM blocks are allocated, session monitoring is disabled and this information the show iscsi command displays this information. 2 For a non-DCB environment: Enable iSCSI.
[no] iscsi cos {enable | disable | dot1p vlan-priority-value [remark] | dscp dscp-value [remark]} • enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with a dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dotp1 priority 4 without remark. • disable: disables the application of preferential QoS treatment to iSCSI frames.
• Display all globally configured non-default iSCSI settings in the current Dell Networking OS session. show run iscsi Examples of the show iscsi Commands The following example shows the show iscsi command.
27 Intermediate System to Intermediate System The intermediate system to intermediate system (IS-IS) protocol that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS.
• area address — within your routing domain or area, each area must have a unique area value. The first byte is called the authority and format indicator (AFI). • system address — the router’s MAC address. • N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 62.
Interface Support MT IS-IS is supported on physical Ethernet interfaces, physical synchronous optical network technologies (SONET) interfaces, port-channel interfaces (static and dynamic using LACP), and virtual local area network (VLAN) interfaces. Adjacencies Adjacencies on point-to-point interfaces are formed as usual, where IS-IS routers do not implement MT extensions.
Implementation Information IS-IS implementation supports one instance of IS-IS and six areas. You can configure the system as a Level 1 router, a Level 2 router, or a Level 1-2 router. For IPv6, the IPv4 implementation has been expanded to include two new type, length, values (TLVs) in the PDU that carry information required for IPv6 routing. The new TLVs are IPv6 Reachability and IPv6 Interface Address. Also, a new IPv6 protocol identifier has also been included in the supported TLVs.
NOTE: When using the IS-IS routing protocol to exchange IPv6 routing information and to determine destination reachability, you can route IPv6 along with IPv4 while using a single intra-domain routing protocol. The configuration commands allow you to enable and disable IPv6 routing and to configure or remove IPv6 prefixes on links. Except where identified, the commands described in this chapter apply to both IPv4 and IPv6 versions of IS-IS.
Enter the keyword interface then the type of interface and slot/port information: 4 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For a port channel interface, enter the keywords port-channel then a number.
Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: Dell# level-1-2 level-1-2 none none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Use this command for IPv6 route computation only when you enable multi-topology. If using single-topology mode, to apply to both IPv4 and IPv6 route computations, use the spf-interval command in CONFIG ROUTER ISIS mode. 4 Implement a wide metric-style globally. ROUTER ISIS AF IPV6 mode isis ipv6 metric metric-value [level-1 | level-2 | level-1-2] To configure wide or wide transition metric style, the cost can be between 0 and 16,777,215.
graceful-restart t3 {adjacency | manual seconds} – adjacency: the restarting router receives the remaining time value from its peer and adjusts its T3 value so if user has configured this option. – manual: allows you to specify a fixed value that the restarting router should use. The range is from 50 to 120 seconds. The default is 30 seconds.
LSP Interval: 33 Next IS-IS LAN Level-1 Hello in 4 seconds Next IS-IS LAN Level-2 Hello in 6 seconds LSP Interval: 33 Restart Capable Neighbors: 2, In Start: 0, In Restart: 0 Dell# Changing LSP Attributes IS-IS routers flood link state PDUs (LSPs) to exchange routing information. LSP attributes include the generation interval, maximum transmission unit (MTU) or size, and the refresh interval. You can modify the LSP attribute defaults, but it is not necessary.
Configuring the IS-IS Metric Style All IS-IS links or interfaces are associated with a cost that is used in the shortest path first (SPF) calculations. The possible cost varies depending on the metric style supported. If you configure narrow, transition, or narrow transition metric style, the cost can be a number between 0 and 63. If you configure wide or wide transition metric style, the cost can be a number between 0 and 16,777,215.
Distance: 115 Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: Dell# level-1-2 level-1-2 none none Configuring the IS-IS Cost When you change from one IS-IS metric style to another, the IS-IS metric value could be affected. For each interface with IS-IS enabled, you can assign a cost or metric that is used in the link state calculation. To change the metric or cost of the interface, use the following commands. • Assign an IS-IS metric.
Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router. ROUTER ISIS mode is-type {level-1 | level-1-2 | level-2-only} • Default is level-1-2. Change the IS-type for the IS-IS process.
– For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or Dell Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS.
ROUTER ISIS-AF IPV6 mode distribute-list prefix-list-name in [interface] Enter the type of interface and the interface information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
redistribute ospf process-id [level-1| level-1-2 | level-2] [metric value] [match external {1 | 2} | match internal] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: – process-id the range is from 1 to 65535. – level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. – metric value the range is from 0 to 16777215. The default is 0. – match external the range is from 1 or 2.
Configuring Authentication Passwords You can assign an authentication password for routers in Level 1 and for routers in Level 2. Because Level 1 and Level 2 routers do not communicate with each other, you can assign different passwords for Level 1 routers and for Level 2 routers. However, if you want the routers in the level to communicate with each other, configure them with the same password. To configure a simple text password, use the following commands.
eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.00-00 0x00000002 0xD1A7 IS-IS Level-2 Link State Database LSPID LSP Seq Num LSP Checksum B233.00-00 0x00000006 0xC38A eljefe.00-00 * 0x0000000E 0x53BF eljefe.01-00 * 0x00000001 0x68DF eljefe.02-00 * 0x00000001 0x2E7F Force10.
To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command. IS-IS Metric Styles The following sections provide additional information about the IS-IS metric styles.
Table 47. Metric Value When the Metric Style Changes Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value wide narrow default value (10) if the original value is greater than 63. A message is sent to the console. wide transition truncated value (the truncated value appears in the LSP only). The original isis metric value is displayed in the show config and show runningconfig commands and is used if you change back to transition metric style.
Moving to transition and then to another metric style produces different results. Table 48. Metric Value when the Metric Style Changes Multiple Times Beginning Metric Style Next Metric Style Resulting Metric Value Next Metric Style Final Metric Value wide transition truncated value wide original value is recovered wide transition transition truncated value wide transition original value is recovered wide transition truncated value narrow default value (10).
Sample Configurations The following configurations are examples for enabling IPv6 IS-IS. These examples are not comprehensive directions. They are intended to give you some guidance with typical configurations. NOTE: Only one IS-IS process can run on the router, even if both IPv4 and IPv6 routing is being used. You can copy and paste from these examples to your CLI. To support your own IP addresses, interfaces, names, and so on, be sure that you make the necessary changes.
interface TenGigabitEthernet 3/17 ip address 24.3.1.1/24 ipv6 address 24:3::1/76 ip router isis ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis metric-style wide level-1 metric-style wide level-2 net 34.0000.0000.AAAA.00 Dell (conf-router_isis)# Dell (conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis net 34.0000.
28 Link Aggregation Control Protocol (LACP) A link aggregation group (LAG), referred to as a port channel by the Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic.
LACP Modes Dell Networking OS provides three modes for configuration of LACP — Off, Active, and Passive. • Off — In this state, an interface is not capable of being part of a dynamic LAG. LACP does not run on any port that is configured to be in this state. • Active — In this state, the interface is said to be in the “active negotiating state.” LACP runs on any link that is configured to be in this state.
LACP Configuration Tasks The following configuration tasks apply to LACP. • • • • • Creating a LAG Configuring the LAG Interfaces as Dynamic Setting the LACP Long Timeout Monitoring and Debugging LACP Configuring Shared LAG State Tracking Creating a LAG To create a dynamic port channel (LAG), use the following command. First you define the LAG and then the LAG interfaces. • Create a dynamic port channel (LAG). CONFIGURATION mode • interface port-channel Create a dynamic port channel (LAG).
... Dell(conf)#interface TenGigabitethernet 4/16 Dell(conf-if-te-4/16)#no shutdown Dell(conf-if-te-4/16)#port-channel-protocol lacp Dell(conf-if-te-4/16-lacp)#port-channel 32 mode active The port-channel 32 mode active command shown here may be successfully issued as long as there is no existing static channel-member configuration in LAG 32. Setting the LACP Long Timeout PDUs are exchanged between port channel (LAG) interfaces to maintain LACP sessions.
Shared LAG State Tracking Shared LAG state tracking provides the flexibility to bring down a port channel (LAG) based on the operational state of another LAG. At any time, only two LAGs can be a part of a group such that the fate (status) of one LAG depends on the other LAG. As shown in the following illustration, the line-rate traffic from R1 destined for R4 follows the lowest-cost route via R2. Traffic is equally distributed between LAGs 1 and 2.
To view the failover group configuration, use the show running-configuration po-failover-group command. Dell#show running-config po-failover-group ! port-channel failover-group group 1 port-channel 1 port-channel 2 As shown in the following illustration, LAGs 1 and 2 are members of a failover group. LAG 1 fails and LAG 2 is brought down after the failure. This effect is logged by Message 1, in which a console message declares both LAGs down at the same time. Figure 65.
• If a LAG moves to the Down state due to this feature, its members may still be in the Up state. LACP Basic Configuration Example The screenshots in this section are based on the following example topology. Two routers are named ALPHA and BRAVO, and their hostname prompts reflect those names. Figure 66. LACP Basic Configuration Example Configure a LAG on ALPHA The following example creates a LAG on ALPHA.
0 64-byte pkts, 12 over 64-byte pkts, 120 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 132 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics 136 packets, 16718 bytes, 0 underruns 0 64-byte pkts, 15 over 64-byte pkts, 121 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 136 Multicasts, 0 Broadcasts, 0 Unicasts 0 Vlans, 0 throttles, 0 discarded, 0 collisions, 0 wreddrops Rate info
Figure 67.
Figure 68.
Figure 69.
Summary of the LAG Configuration on Bravo Bravo(conf-if-te-3/21)#int port-channel 10 Bravo(conf-if-po-10)#no ip add Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int tengig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-te-3/21)#port-channel-protocol lacp Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active Bravo(
Figure 70.
Figure 71.
Figure 72. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
29 Layer 2 This chapter describes the Layer 2 features supported on the device. Manage the MAC Address Table You can perform the following management tasks in the MAC address table. • Clearing the MAC Address Table • Setting the Aging Time for Dynamic Entries • Configuring a Static MAC Address • Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
Configuring a Static MAC Address A static entry is one that is not subject to aging. Enter static entries manually. To create a static MAC address entry, use the following command. • Create a static MAC address entry in the MAC address table. CONFIGURATION mode mac-address-table static Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table.
NOTE: The CAM-check failure message beginning in Dell Networking OS version 8.3.1.0 is different from versions 8.2.1.1 and earlier, which read: % Error: ACL returned error % Error: Remove existing limit configuration if it was configured before Setting the MAC Learning Limit To set a MAC learning limit on an interface, use the following command. • Specify the number of MAC addresses that the system can learn off a Layer 2 interface.
mac learning-limit station-move The mac learning-limit station-move command allows a MAC address already in the table to be learned from another interface. For example, if you disconnect a network device from one interface and reconnect it to another interface, the MAC address is learned on the new interface. When the system detects this “station move,” the system clears the entry learned on the original interface and installs a new entry on the new interface.
Setting Station Move Violation Actions no-station-move is the default behavior. You can configure the system to take an action if a station move occurs using one the following options with the mac learning-limit command. To display a list of interfaces configured with MAC learning limit or station move violation actions, use the following commands. • Generate a system log message indicating a station move. INTERFACE mode • station-move-violation log Shut down the first port to learn the MAC address.
Disabling MAC Address Learning on the System You can configure the system to not learn MAC addresses from LACP and LLDP BPDUs. To disable source MAC address learning from LACP and LLDP BPDUs, follow this procedure: • Disable source MAC address learning from LACP BPDUs. CONFIGURATION mode • mac-address-table disable-learning lacp Disable source MAC address learning from LLDP BPDUs. CONFIGURATION mode • mac-address-table disable-learning lldp Disable source MAC address learning from LACP and LLDP BPDUs.
NOTE: If you have configured the no mac-address-table station-move refresh-arp command, traffic continues to be forwarded to the failed NIC until the ARP entry on the switch times out. Figure 74.
Apply all other configurations to each interface in the redundant pair such that their configurations are identical, so that transition to the backup interface in the event of a failure is transparent to rest of the network. Figure 75. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command.
Important Points about Configuring Redundant Pairs • You may not configure any interface to be a backup for more than one interface, no interface can have more than one backup, and a backup interface may not have a backup interface. • The active or backup interface may not be a member of a LAG. • The active and standby do not have to be of the same type (1G, 10G, and so on). • You may not enable any Layer 2 protocol on any interface of a redundant pair or to ports connected to them.
Apr 9 00:15:13: %STKUNIT0-M:CP %IFMGR-5-STATE_ACT_STBY: Changed interface state to standby: Po 2 Dell(conf-if-po-1)# Dell# Dell#show interfaces switchport backup Interface Status Paired Interface Status Port-channel 1 Active Port-chato mannel 2 Standby Port-channel 2 Standby Port-channel 1 Active Dell# Dell(conf-if-po-1)#switchport backup interface tengigabitethernet 1/2 Apr 9 00:16:29: %STKUNIT0-M:CP %IFMGR-5-L2BKUP_WARN: Do not run any Layer2 protocols on Po 1 and Te 1/2 Dell(conf-if-po-1)# Far-End Failu
FEFD State Changes FEFD has two operational modes, Normal and Aggressive. When you enable Normal mode on an interface and a far-end failure is detected, no intervention is required to reset the interface to bring it back to an FEFD operational state. When you enable Aggressive mode on an interface in the same state, manual intervention is required to reset the interface.
Configuring FEFD You can configure FEFD for all interfaces from CONFIGURATION mode, or on individual interfaces from INTERFACE mode. To enable FEFD globally on all interfaces, use the following command. • Enable FEFD globally on all interfaces. CONFIGURATION mode fefd-global To report interval frequency and mode adjustments, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3.
• Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line. It does not delete your previous FEFD configuration which you can enable again at any time. To set up and activate two or more connected interfaces, use the following commands. 1 Setup two or more connected interfaces for Layer 2 or Layer 3. INTERFACE mode ip address ip address, switchport 2 Activate the necessary ports administratively.
Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Te 1/1) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Te 4/1) Sender hold time -- 3 (second) 2w1d22h : FEFD packet received on interface Te 4/1 Sender state -- Bi-directional Sender info -- Mgmt Mac(00:01:e8:14:89:25), Slot-Port(Te 1/1) Peer info -- Mgmt Mac (00:01:e8:14:89:25), Slot-Port(Te 4/1) Sender hold time -- 3 (second) An RPM Failover In the event that an RPM failover occurs, FEFD becomes operationally down
30 Link Layer Discovery Protocol (LLDP) This chapter describes how to configure and use the link layer discovery protocol (LLDP). 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices.
Table 51. Type, Length, Value (TLV) Types Type TLV Description 0 End of LLDPDU Marks the end of an LLDPDU. 1 Chassis ID An administratively assigned name that identifies the LLDP agent. 2 Port ID An administratively assigned name that identifies a port through which TLVs are sent and received. 3 Time to Live An administratively assigned name that identifies a port through which TLVs are sent and received.
Management TLVs A management TLV is an optional TLVs sub-type. This kind of TLV contains essential management information about the sender. Organizationally Specific TLVs A professional organization or a vendor can define organizationally specific TLVs. They have two mandatory fields (as shown in the following illustration) in addition to the basic TLV fields. Figure 79. Organizationally Specific TLV IEEE Organizationally Specific TLVs Eight TLV types have been defined by the IEEE 802.1 and 802.
Type TLV Description 127 Port and Protocol VLAN ID On Dell Networking systems, indicates the tagged VLAN to which a port belongs (and the untagged VLAN to which a port belongs if the port is in Hybrid mode). 127 Protocol Identity Indicates the protocols that the port can process. Dell Networking OS does not currently support this TLV.
TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • transmitting an LLDP-MED capability TLV to endpoint devices • storing the information that endpoint devices advertise The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 53.
Type SubType TLV Description 127 8 Inventory — Serial Number Indicates the device serial number of the LLDP-MED device. 127 9 Inventory — Manufacturer Name Indicates the manufacturer of the LLDP-MED device. 127 10 Inventory — Model Name Indicates the model of the LLDP-MED device. 127 11 Inventory — Asset ID Indicates a user specified device number to manage inventory.
Table 55. LLDP-MED Device Types Value Device Type 0 Type Not Defined 1 Endpoint Class 1 2 Endpoint Class 2 3 Endpoint Class 3 4 Network Connectivity 5–255 Reserved LLDP-MED Network Policies TLV A network policy in the context of LLDP-MED is a device’s VLAN configuration and associated Layer 2 and Layer 3 configurations.
Type Application Description 6 Video Conferencing Specify this application type for dedicated video conferencing and other similar appliances supporting realtime interactive video. 7 Streaming Video Specify this application type for dedicated video conferencing and other similar appliances supporting realtime interactive video. 8 Video Signaling Specify this application type only if video control packets use a separate network policy than video data. 9–255 Reserved — Figure 81.
2. Advertise TLVs out of an interface. Related Configuration Tasks • Viewing the LLDP Configuration • Viewing Information Advertised by Adjacent LLDP Agents • Configuring LLDPDU Intervals • Configuring Transmit and Receive Mode • Configuring a Time to Live • Debugging LLDP Important Points to Remember • LLDP is enabled by default. • Dell Networking systems support up to eight neighbors per interface. • Dell Networking systems support a maximum of 8000 total neighbors per system.
end Exit from configuration mode exit Exit from LLDP configuration mode hello LLDP hello configuration mode LLDP mode configuration (default = rx and tx) multiplier LLDP multiplier configuration no Negate a command or set its defaults show Show LLDP configuration Dell(conf-if-te-1/3-lldp)# Enabling LLDP LLDP is enabled by default. Enable and disable LLDP globally or per interface. If you enable LLDP globally, all UP interfaces send periodic LLDPDUs. To enable LLDP, use the following command.
CONFIGURATION mode. protocol lldp 2 Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3 Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces. • If you configure the system globally, all interfaces send LLDPDUs with the specified TLVs.
In the following example, LLDP is enabled globally. R1 and R2 are transmitting periodic LLDPDUs that contain management, 802.1, and 802.3 TLVs. Figure 83. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration. CONFIGURATION or INTERFACE mode show config Examples of Viewing LLDP Configurations The following example shows viewing an LLDP global configuration.
Viewing Information Advertised by Adjacent LLDP Agents To view brief information about adjacent devices or to view all the information that neighbors are advertising, use the following commands. • Display brief information about adjacent devices. • show lldp neighbors Display all of the information that neighbors are advertising.
Configuring LLDPDU Intervals LLDPDUs are transmitted periodically; the default interval is 30 seconds. To configure LLDPDU intervals, use the following command. • Configure a non-default transmit interval.
! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)#mode ? rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description mode tx no disable R1(conf-lldp)#no mode R1(conf-lldp)#show config ! proto
advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Debugging LLDP You can view the TLVs that your system is sending and receiving. To view the TLVs, use the following commands. • View a readable version of the TLVs. • debug lldp brief View a readable version of the TLVs plus a hexadecimal version of the entire LLDPDU.
• received and transmitted LLDP-MED TLVs Table 57. LLDP Configuration MIB Objects MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Configuration adminStatus lldpPortConfigAdminStatus Whether you enable the local LLDP agent for transmit, receive, or both. msgTxHold lldpMessageTxHoldMultiplier Multiplier value. msgTxInterval lldpMessageTxInterval Transmit Interval value. rxInfoTTL lldpRxInfoTTL Time to live for received TLVs.
TLV Type 4 5 6 7 8 TLV Name Port Description System Name System Description System Capabilities Management Address TLV Variable System LLDP MIB Object port ID Local lldpLocPortId Remote lldpRemPortId Local lldpLocPortDesc Remote lldpRemPortDesc Local lldpLocSysName Remote lldpRemSysName Local lldpLocSysDesc Remote lldpRemSysDesc Local lldpLocSysCapSupported Remote lldpRemSysCapSupporte d Local lldpLocSysCapEnabled Remote lldpRemSysCapEnabled Local lldpLocManAddrLen
TLV Type TLV Name TLV Variable System LLDP MIB Object port and protocol VLAN enabled Local lldpXdot1LocProtoVlanEn abled Remote lldpXdot1RemProtoVlanE nabled Local lldpXdot1LocProtoVlanId Remote lldpXdot1RemProtoVlanI d Local lldpXdot1LocVlanId Remote lldpXdot1RemVlanId Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName Local lldpXdot1LocVlanName Remote lldpXdot1RemVlanName PPVID 127 VLAN Name VID VLAN name length VLAN name Table 60.
TLV Sub-Type TLV Name TLV Variable L2 Priority DSCP Value 3 Location Identifier Location Data Format Location ID Data 4 Extended Power via MDI Power Device Type Power Source System LLDP-MED MIB Object Remote lldpXMedRemMediaPolic yVlanID Local lldpXMedLocMediaPolicy Priority Remote lldpXMedRemMediaPolic yPriority Local lldpXMedLocMediaPolicy Dscp Remote lldpXMedRemMediaPolic yDscp Local lldpXMedLocLocationSub type Remote lldpXMedRemLocationSu btype Local lldpXMedLocLocationInf
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Remote lldpXMedRemXPoEPSEPo werAv lldpXMedRemXPoEPDPo werReq Link Layer Discovery Protocol (LLDP) 537
31 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
With Multicast NLB mode, the data forwards to all the servers based on the port specified using the following Layer 2 multicast command in CONFIGURATION MODE: mac-address-table static multicast vlan output-range , Limitations of the NLB Feature The following limitations apply to switches on which you configure NLB: • The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN.
CONFIGURATION mode ip vlan-flooding There might be some ARP table entries that are resolved through ARP packets, which had the Ethernet MAC SA different from the MAC information inside the ARP packet. This unicast data traffic flooding occurs only for those packets that use these ARP entries.
32 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
RPs advertise each (S,G) in its domain in type, length, value (TLV) format. The total number of TLVs contained in the SA is indicated in the “Entry Count” field. SA messages are transmitted every 60 seconds, and immediately when a new source is detected. Figure 86.
With Anycast RP, all the RPs are configured to be MSDP peers of each other. When a source registers with one RP, an SA message is sent to the other RPs informing them that there is an active source for a particular multicast group. The result is that each RP is aware of the active sources in the area of the other RPs. If any of the RPs fail, IP routing converges and one of the RPs becomes the active RP in more than one area. New sources register with the backup RP.
Figure 87.
Figure 88.
Figure 89.
Figure 90. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1 Enable MSDP. CONFIGURATION mode ip multicast-msdp 2 Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source Examples of Configuring and Viewing MSDP R3(conf)#ip multicast-msdp R3(conf)#ip msdp peer 192.168.0.
Peer Addr Description Local Addr State Source SA Up/Down To view details about a peer, use the show ip msdp peer command in EXEC privilege mode. Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
If the total number of active sources is already larger than the limit when limiting is applied, the sources that are already in Dell Networking OS are not discarded. To enforce the limit in such a situation, use the clear ip msdp sa-cache command to clear all existing entries. Clearing the Source-Active Cache To clear the source-active cache, use the following command. • Clear the SA cache of all, local, or rejected entries, or entries for a specific group.
Figure 91.
Figure 92.
Figure 93. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
MSDP Source-Active Cache - 3 entries GroupAddr SourceAddr RPAddr LearnedFrom 229.0.50.2 24.0.50.2 200.0.0.50 10.0.50.2 229.0.50.3 24.0.50.3 200.0.0.50 10.0.50.2 229.0.50.4 24.0.50.4 200.0.0.50 10.0.50.2 Dell#ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.
R1_E600(conf)#do show ip msdp sa-cache rejected-sa MSDP Rejected SA Cache 1 rejected SAs received, cache-size 1000 UpTime GroupAddr SourceAddr RPAddr LearnedFrom 00:02:20 239.0.0.1 10.11.4.2 192.168.0.1 local Reason Redistribute Preventing MSDP from Caching a Remote Source To prevent MSDP from caching a remote source, use the following commands. 1 OPTIONAL: Cache sources that the SA filter denies in the rejected SA cache.
! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.3 list mylocalfilter R1(conf)#do show run acl ! ip access-list extended mylocalfilter seq 5 deny ip host 239.0.0.1 host 10.11.4.2 seq 10 deny ip any any R1(conf)#do show ip msdp sa-cache MSDP Source-Active Cache - 1 entries GroupAddr SourceAddr RPAddr LearnedFrom Expire 239.0.0.1 10.11.4.2 192.168.0.
Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Clearing Peer Statistics To clear the peer statistics, use the following command. • Reset the TCP connection to the peer and clear all peer statistics. CONFIGURATION mode clear ip msdp peer peer-address Example of the clear ip msdp peer Command and Verifying Statistics are Cleared R3(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
MSDP with Anycast RP Anycast RP uses MSDP with PIM-SM to allow more than one active group to use RP mapping. PIM-SM allows only active groups to use RP mapping, which has several implications: • traffic concentration: PIM-SM allows only one active group to RP mapping which means that all traffic for the group must, at least initially, travel over the same part of the network.
3. RPs use MSDP to peer with each other using a unique address. Figure 94. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1 In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2 Make this address the RP for the group.
4 Peer each RP with every other RP using MSDP, specifying the unique Loopback address as the connect-source. CONFIGURATION mode ip msdp peer 5 Advertise the network of each of the unique Loopback addresses throughout the network. ROUTER OSPF mode network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP.
no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 10.11.3.0/24 area 0 network 192.168.0.11/32 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 1 ip msdp peer 192.168.0.22 connect-source Loopback 1 ip msdp mesh-group AS100 192.168.0.22 ip msdp originator-id Loopback 1! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 The following example shows an R2 configuration for MSDP with Anycast RP.
The following example shows an R3 configuration for MSDP with Anycast RP. ip multicast-routing ! interface TenGigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown interface TenGigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.
ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.11.3.0/24 area 0 ! ip multicast-msdp ip msdp peer 192.168.0.3 connect-source Loopback 0 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R2 Running-Config ip multicast-routing ! interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.
ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.3/32 no shutdown ! router ospf 1 network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.2 remote-as 100 neighbor 192.168.0.2 ebgp-multihop 255 neighbor 192.168.0.2 update-source Loopback 0 neighbor 192.168.0.2 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.
33 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Creating Multiple Spanning Tree Instances • Influencing MSTP Root Selection • Interoperate with Non-Dell Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • MSTP Sample Configurations • Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table.
• Influencing MSTP Root Selection • Interoperate with Non-Dell Networking OS Bridges • Changing the Region Name or Revision • Modifying Global Parameters • Modifying the Interface Parameters • Configuring an EdgePort • Flush MAC Addresses after a Topology Change • Debugging and Verifying MSTP Configurations • Prevent Network Disruptions with BPDU Guard • Enabling SNMP Traps for Root Elections and Topology Changes • Configuring Spanning Trees as Hitless Enable Multiple Spanning Tree Glo
• Create an MSTI. PROTOCOL MSTP mode msti Specify the keyword vlan then the VLANs that you want to participate in the MSTI. Examples of Configuring and Viewing MSTI The following examples shows the msti command. Dell(conf)#protocol spanning-tree mstp Dell(conf-mstp)#msti 1 vlan 100 Dell(conf-mstp)#msti 2 vlan 200-300 Dell(conf-mstp)#show config ! protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200-300 All bridges in the MSTP region must have the same VLAN-to-instance mapping.
Influencing MSTP Root Selection MSTP determines the root bridge, but you can assign one bridge a lower priority to increase the probability that it becomes the root bridge. To change the bridge priority, use the following command. • Assign a number as the bridge priority. PROTOCOL MSTP mode msti instance bridge-priority priority A lower number increases the probability that the bridge becomes the root bridge. The range is from 0 to 61440, in increments of 4096. The default is 32768.
• Change the region revision number. PROTOCOL MSTP mode revision number Example of the name Command To view the current region name and revision, use the show spanning-tree mst configuration command from EXEC Privilege mode.
The default is 20 seconds. 4 Change the max-hops parameter. PROTOCOL MSTP mode max-hops number The range is from 1 to 40. The default is 20. Example of the forward-delay Parameter To view the current values for MSTP parameters, use the show running-config spanning-tree mstp command from EXEC privilege mode.
To change the port cost or priority of an interface, use the following commands. 1 Change the port cost of an interface. INTERFACE mode spanning-tree msti number cost cost The range is from 0 to 200000. For the default, refer to the default values shown in the table.. 2 Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16. The default is 128.
interface TenGigabitEthernet 3/11 no ip address switchport spanning-tree mstp edge-port spanning-tree MSTI 1 priority 144 no shutdown Dell(conf-if-te-3/11)# Flush MAC Addresses after a Topology Change Dell Networking OS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.
revision 123 MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 ! (Step 2) interface TenGigabitEthernet 1/21 no ip address switchport no shutdown ! interface TenGigabitEthernet 1/31 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the f
! interface Vlan 300 no ip address tagged TenGigabitEthernet 2/11,31 no shutdown Router 3 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
spanning-tree MSTi vlan 2 200 spanning-tree MSTi vlan 2 300 (Step 2) interface 1/0/31 no shutdown spanning-tree port mode enable switchport protected 0 exit interface 1/0/32 no shutdown spanning-tree port mode enable switchport protected 0 exit (Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following
– Is the Region name blank? That may mean that a name was configured on one router and but was not configured or was configured differently on another router (spelling and capitalization counts). • MSTP Instances. – To verify the VLAN to MSTP instance mapping, use the show commands. – Are there “extra” MSTP instances in the Sending or Received logs? This may mean that an additional MSTP instance was configured on one router but not the others.
34 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol Ethernet Address NTP 01:00:5e:00:01:01 VRRP 01:00:5e:00:00:12 PIM-SM 01:00:5e:00:00:0d • The Dell Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm. • Multicast is not supported on secondary IP addresses. • If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic. Multicast Policies The Dell Networking OS supports multicast features for IPv4.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit is reached using the ip multicast-limit command.
entry is created only for group 239.0.0.1. VLAN 300 has no access list limiting Receiver 1, so both IGMP reports are accepted and two corresponding entries are created in the routing table. Figure 97. Preventing a Host from Joining a Group The following table lists the location and description shown in the previous illustration. Table 63. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.
Location Description • no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Forming an Adjacency To prevent a router from participating in PIM (for example, to configure stub multicast routing), use the following command. • Prevent a router from participating in PIM. INTERFACE mode ip pim neighbor-filter Preventing a Source from Registering with the RP To prevent the PIM source DR from sending register packets to route processor (RP) for the specified multicast source and group, use the following command.
Figure 98. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 64. Preventing a Source from Transmitting to a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • • Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.
Location Description 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.
Preventing a PIM Router from Processing a Join To permit or deny PIM Join/Prune messages on an interface using an extended IP access list, use the following command. NOTE: Dell Networking recommends not using the ip pim join-filter command on an interface between a source and the RP router. Using this command in this scenario could cause problems with the PIM-SM source registration process resulting in excessive traffic being sent to the CPU of both the RP and PIM DR of the source.
35 Object Tracking IPv4 or IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
the default route in each router changes, the mastership of the VRRP group is automatically reassigned to the router with the better metric. Figure 99. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • UP and DOWN thresholds used to report changes in a route metric. • A time delay before changes in a tracked object’s state are reported to a client.
Track IPv4 and IPv6 Routes You can create an object that tracks an IPv4 or IPv6 route entry in the routing table. Specify a tracked route by its IPv4 or IPv6 address and prefix-length. Optionally specify a tracked route by a virtual routing and forwarding (VRF) instance name if the route to be tracked is part of a VRF. The next-hop address is not part of the definition of the tracked object.
DOWN. For example, to configure object tracking for a RIP route to be considered UP only if the RIP hop count is less than or equal to 4, you would configure the UP threshold to be 64 (4 x 16) and the DOWN threshold to be 65. Set Tracking Delays You can configure an optional UP and/or DOWN timer for each tracked object to set the time delay before a change in the state of a tracked object is communicated to clients.
To configure object tracking on the status of a Layer 2 interface, use the following commands. 1 Configure object tracking on the line-protocol state of a Layer 2 interface. CONFIGURATION mode track object-id interface interface line-protocol Valid object IDs are from 1 to 65535. 2 (Optional) Configure the time delay used before communicating a change in the status of a tracked interface. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds.
• The status of an IPv6 interface is UP only if the Layer 2 status of the interface is UP and the interface has a valid IPv6 address. • The Layer 3 status of an IPv6 interface goes DOWN when its Layer 2 status goes down (for a Layer 3 VLAN, all VLAN ports must be down) or the IPv6 address is removed from the routing table. To remove object tracking on a Layer 3 IPv4/IPv6 interface, use the no track object-id command.
Track an IPv4/IPv6 Route You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/IPv6 route.
CONFIGURATION mode track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name] Valid object IDs are from 1 to 65535. Enter an IPv4 address in dotted decimal format; valid IPv4 prefix lengths are from / 0 to /32. Enter an IPv6 address in X:X:X:X::X format; valid IPv6 prefix lengths are from / 0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs.
Reachability is Down (route not in route table) 2 changes, last change 00:03:03 Tracking a Metric Threshold Use the following commands to configure object tracking on the metric threshold of an IPv4 or IPv6 route. To remove object tracking, use the no track object-id command. 1 (Optional) Reconfigure the default resolution value used by the specified protocol to scale the metric for IPv4 or IPv6 routes.
Example of IPv4 and IPv6 Tracking Metric Thresholds The following example configures object tracking on the metric threshold of an IPv4 route: Dell(conf)#track 6 ip route 2.1.1.0/24 metric threshold Dell(conf-track-6)#delay down 20 Dell(conf-track-6)#delay up 20 Dell(conf-track-6)#description track ip route metric Dell(conf-track-6)#threshold metric down 40 Dell(conf-track-6)#threshold metric up 40 Dell(conf-track-6)#exit Dell(conf)#track 10 ip route 3.1.1.
IP routing is Up 3 changes, last change 00:03:30 Tracked by: Example of the show track brief Command Router# show track brief ResId State 1 Resource LastChange IP route reachability Parameter 10.16.0.0/16 Example of the show track resolution Command Dell#show track resolution IP Route Resolution ISIS 1 OSPF 1 IPv6 Route Resolution ISIS 1 Example of the show track vrf Command Dell#show track vrf red Track 5 IP route 192.168.0.
36 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
area within the AS may not see the details of another area’s topology. AS areas are known by their area number or the router’s IP address. Figure 100. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas.
• Totally stubby areas are referred to as no summary areas in the Dell Networking OS. Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism.
The following example shows different router designations. Figure 101. OSPF Routing Examples Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone.
An ABR can connect to many areas in an AS, and is considered a member of each area it connects to. Autonomous System Border Router (ASBR) The autonomous system border area router (ASBR) connects to more than one AS and exchanges information with the routers in other ASs. Generally, the ASBR connects to a non-interior gate protocol (IGP) such as BGP or uses static routes.
• Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution. They use Type 7 LSAs to tell the ABRs about these external routes, which the ABR then translates to Type 5 external LSAs and floods as normal to the rest of the OSPF network. • Type 8: Link LSA (OSPFv3) — This LSA carries the IPv6 address information of the local links.
Figure 102. Priority and Cost Examples OSPF with Dell Networking OS The Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within the that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Dell Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell Networking OS supports only one OSPFv3 process per VRF.
Graceful Restart Graceful restart for OSPFv2 and OSPFv3 are supported on the S4048–ON platform in Helper and Restart modes. When a router goes down without a graceful restart, there is a possibility for loss of access to parts of the network due to ongoing network topology changes. Additionally, LSA flooding and reconvergence can cause substantial delays. It is, therefore, desirable that the network maintains a stable topology if it is possible for data flow to continue uninterrupted.
An unplanned restart occurs when an unplanned event causes the active RPM to switch to the backup RPM, such as when an active process crashes, the active RPM is removed, or a power failure happens. During an unplanned restart, OSPF sends out a Grace LSA when the backup RPM comes online. To display the configuration values for OSPF graceful restart, enter the show run ospf command for OSPFv2 and the show run ospf and show ipv6 ospf database database-summary commands for OSPFv3.
• Manually set the dead interval of the Dell Networking router to match the Cisco configuration. INTERFACE mode ip ospf dead-interval Examples of Setting and Viewing a Dead Interval In the following example, the dead interval is set at 4x the hello interval (shown in bold).
• Creating Filter Routes • Applying Prefix Lists • Redistributing Routes • Troubleshooting OSPFv2 1 Configure a physical interface. Assign an IP address, physical or Loopback, to the interface to enable Layer 3 routing. 2 Enable OSPF globally. Assign network area and neighbors. 3 Add interfaces or configure other attributes. 4 Set the time interval between when the switch receives a topology change and starts a shortest path first (SPF) calculation.
The OSPF process ID is the identifying number assigned to the OSPF process. The router ID is the IP address associated with the OSPF process. After the OSPF process and the VRF are tied together, the OSPF process ID cannot be used again in the system.
CONFIG-ROUTER-OSPF-id mode network ip-address mask area area-id The IP Address Format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M. Enable OSPFv2 on Interfaces Enable and configure OSPFv2 on each interface (configure for Layer 3 protocol), and not shutdown. You can also assign OSPFv2 to a Loopback interface as a virtual interface. OSPF functions and features, such as MD5 Authentication, Grace Period, Authentication Wait Time, are assigned on a per interface basis.
Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2 Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.1 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:05 Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 13.1.1.1 (Designated Router) Dell> Loopback interfaces also help the OSPF process.
Use the keywords no-summary to prevent transmission into the area of summary ASBR LSAs. Area ID is the number or IP address assigned when creating the area. Example of the show ip ospf database database-summary Command To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode. Dell#show ip ospf 34 database database-summary OSPF Router with ID (10.1.2.100) (Process ID 34) Area 2.2.2.2 3.3.3.
TenGigabitEthernet 2/1 is up, line protocol is down Internet Address 10.1.3.100/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.100, Network Type BROADCAST, Cost: 10 Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 10.1.3.100 Backup Designated Router (ID) 0.0.0.0, Interface address 0.0.0.
Convergence Level 0 Min LSA origination 5 secs, Min LSA arrival 1 secs Number of area in this router is 0, normal 0 stub 0 nssa 0 Dell# Changing OSPFv2 Parameters on Interfaces In Dell Networking OS, you can modify the OSPF settings on the interfaces. Some interface parameter values must be consistent across all interfaces to avoid routing errors. For example, set the same time interval for the hello packets on all routers in the OSPF network to prevent misconfiguration of OSPF neighbors.
– seconds: the range is from 1 to 65535 (the default is 5 seconds). • The retransmit interval must be the same on all routers in the OSPF network. Change the wait period between link state update packets sent out the interface. CONFIG-INTERFACE mode ip ospf transmit-delay seconds – seconds: the range is from 1 to 65535 (the default is 1 second). The transmit delay must be the same on all routers in the OSPF network.
both the old as well as new authentication schemes for a time period that is equal to two times the configured authentication change wait timer. After this time period, OSPF accepts only the new authentication scheme. This transmission stops when the period ends. The default is 0 seconds. Enabling OSPFv2 Graceful Restart Graceful restart is enabled for the global OSPF process.
NOTE: The Helper mode is enabled by default on the device. To enable the restart mode also on the device, you must configure the grace period using the graceful-restart grace-period command. After you enable restart mode the router advertises the neighbor as fully adjacent during a restart. For more information about OSPF graceful restart, refer to the Dell Networking OS Command Line Reference Guide.
Redistributing Routes You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. NOTE: Do not route iBGP routes to OSPF unless there are route-maps associated with the OSPF redistribution. To redistribute routes, use the following command. • Specify which routes are redistributed into OSPF process.
• show routes To help troubleshoot OSPFv2, use the following commands. • View the summary of all OSPF process IDs enables on the router. EXEC Privilege mode • show running-config ospf View the summary information of the IP routes. EXEC Privilege mode • show ip route summary View the summary information for the OSPF database. EXEC Privilege mode • show ip ospf database View the configuration of OSPF neighbors connected to the local router.
Basic OSPFv2 Router Topology The following illustration is a sample basic OSPFv2 topology. Figure 103. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Te 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface TenGigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface TenGigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.
OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface TenGigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface TenGigabitEthernet 2/2 ip address 10.2.22.2/24 no shutdown Configuration Task List for OSPFv3 (OSPF for IPv6) This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch.
Enabling IPv6 Unicast Routing To enable IPv6 unicast routing, use the following command. • Enable IPv6 unicast routing globally. CONFIGURATION mode ipv6 unicast routing Assigning IPv6 Addresses on an Interface To assign IPv6 addresses to an interface, use the following commands. 1 Assign an IPv6 address to the interface. CONF-INT-type slot/port mode ipv6 address ipv6 address IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:).
• The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address. The format is A.B.C.D. NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address. • Disable OSPF. CONFIGURATION mode • no ipv6 router ospf process-id Reset the OSPFv3 process.
– no-summary: use these keywords to prevent transmission in to the area of summary ASBR LSAs. – Area ID: a number or IP address assigned when creating the area. You can represent the area ID as a number from 0 to 65536 if you assign a dotted decimal format rather than an IP address. Configuring Passive-Interface To suppress the interface’s participation on an OSPFv3 interface, use the following command. This command stops the router from sending updates on that interface.
default-information originate [always [metric metric-value] [metric-type type-value]] [routemap map-name] Configure the following required and optional parameters: – always: indicate that default route information is always advertised. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. – route-map map-name: enter a name of a configured route map.
Displaying Graceful Restart To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands. • Display the graceful-restart configuration for OSPFv2 and OSPFv3 (shown in the following example). EXEC Privilege mode • show run ospf Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example).
The following example shows the show ipv6 ospf database grace-lsa command. Dell#show ipv6 ospf database grace-lsa ! Type-11 Grace LSA (Area 0) LS Age Link State ID Advertising Router LS Seq Number Checksum Length Associated Interface Restart Interval Restart Reason : : : : : : : : : 10 6.16.192.66 100.1.1.1 0x80000001 0x1DF1 36 Te 5/3 180 Switch to Redundant Processor OSPFv3 Authentication Using IPsec OSPFv3 uses IPsec to provide authentication for OSPFv3 packets.
OSPFv3 Authentication Using IPsec: Configuration Notes OSPFv3 authentication using IPsec is implemented according to the specifications in RFC 4552. • To use IPsec, configure an authentication (using AH) or encryption (using ESP) security policy on an interface or in an OSPFv3 area. Each security policy consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After IPsec is configured for OSPFv3, IPsec operation is invisible to the user.
– null: causes an authentication policy configured for the area to not be inherited on the interface. – ipsec spi number: the security policy index (SPI) value. The range is from 256 to 4294967295. – MD5 | SHA1: specifies the authentication type: Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1). – key-encryption-type: (optional) specifies if the key is encrypted. The valid values are 0 (key is not encrypted) or 7 (key is encrypted). • • – key: specifies the text string used in authentication.
• no ipv6 ospf encryption null Display the configuration of IPsec encryption policies on the router. • show crypto ipsec policy Display the security associations set up for OSPFv3 interfaces in encryption policies. show crypto ipsec sa ipv6 Configuring IPSec Authentication for an OSPFv3 Area To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands.
• Enable IPsec encryption for OSPFv3 packets in an area. CONF-IPV6-ROUTER-OSPF mode area area-id encryption ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key – area area-id: specifies the area for which OSPFv3 traffic is to be encrypted. For area-id, enter a number or an IPv6 prefix. – spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295.
The following example shows the show crypto ipsec policy command.
outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE Troubleshooting OSPFv3 The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical, OSPFv3 troubleshooting scenarios.
debug ipv6 ospf [vrf vrf-name] [event | packet] {type slot/port[/subport]} – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a port channel interface, enter the keywords port-channel then a number. – For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
Applying cost for OSPFv3 Change in bandwidth directly affects the cost of OSPF routes. • Explicitly specify the cost of sending a packet on an interface. INTERFACE mode ipv6 ospf interface-cost • – interface-cost:The range is from 1 to 65535. Default cost is based on the bandwidth. Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
– process-id: the process ID number assigned. – area-id: the area ID for this interface. Assigning OSPFv3 Process ID and Router ID Globally To assign, disable, or reset OSPFv3 globally, use the following commands. • Enable the OSPFv3 process globally and enter OSPFv3 mode. CONFIGURATION mode ipv6 router ospf {process ID} • The range is from 0 to 65535. Assign the router ID for this OSPFv3 process. CONF-IPV6-ROUTER-OSPF mode router-id {number} – number: the IPv4 address. The format is A.B.C.D.
• Reset the OSPFv3 process. EXEC Privilege mode clear ipv6 ospf process Configuring Stub Areas To configure IPv6 stub areas, use the following command. • Configure the area as a stub area. CONF-IPV6-ROUTER-OSPF mode area area-id stub [no-summary] – no-summary: use these keywords to prevent transmission in to the area of summary ASBR LSAs. – Area ID: a number or IP address assigned when creating the area.
– bgp | connected | static: enter one of the keywords to redistribute those routes. – metric metric-value: The range is from 0 to 4294967295. – metric-type metric-type: enter 1 for OSPFv3 external route type 1 OR 2 for OSPFv3 external route type 2. – route-map map-name: enter a name of a configured route map. – tag tag-value: The range is from 0 to 4294967295. Configuring a Default Route To generate a default external route into the OSPFv3 routing domain, configure the following parameters.
• Specify the operating mode and type of events that trigger a graceful restart. CONF-IPV6-ROUTER-OSPF mode graceful-restart mode [planned-only | unplanned-only] – Planned-only: the OSPFv3 router supports graceful restart only for planned restarts. A planned restart is when you manually enter a redundancy force-failover rpm command to force the primary RPM over to the secondary RPM. During a planned restart, OSPFv3 sends out a Grace LSA before the system switches over to the secondary RPM.
Area Bdr Rtr Status AS Bdr Rtr Status AS Scope LSA Count AS Scope LSA Cksum sum Originate New LSAS Rx New LSAS Ext LSA Count Rte Max Eq Cost Paths GR grace-period GR mode 0 1 0 0 73 114085 0 5 180 planned and unplanned Area 0 database summary Type Brd Rtr Count AS Bdr Rtr Count LSA count Summary LSAs Rtr LSA Count Net LSA Count Inter Area Pfx LSA Count Inter Area Rtr LSA Count Group Mem LSA Count Count/Status 2 2 12010 1 4 3 12000 0 0 The following example shows the show ipv6 ospf database grace-lsa com
• ESP — encapsulating security payload encapsulates data, enabling the protection of data that follows in the datagram. ESP provides authentication and confidentiality of every packet. The ESP extension header is designed to provide a combination of security services for both IPv4 and IPv6. Insert the ESP header after the IP header and before the next layer protocol header in Transport mode.
Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
– ipsec spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295. – esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AESCBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported. – key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
show crypto ipsec policy Configuring IPsec Encryption for an OSPFv3 Area To configure, remove, or display IPsec encryption in an OSPFv3 area, use the following commands. Prerequisite: Before you enable IPsec encryption in an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)). The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router.
• – name: displays configuration details about a specified policy. Display security associations set up for OSPFv3 links in IPsec authentication and encryption policies on the router. EXEC Privilege show crypto ipsec sa ipv6 [interface interface] To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information.
spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE outbound ah sas spi : 500 (0x1f4) transform : ah-md5-hmac in use settings : {Transport, } replay detection support : N STATUS : ACTIVE inbound esp sas outbound esp sas Interface: TenGigabitEthernet 1/2 Link Local address: fe80::201:e8ff:fe40:4d11 IPSecv6 policy name: OSPFv3-1-600 inbound ah sas outbound ah sas inbound esp sas spi : 600 (0x258) transform : esp-des esp-sha1-hmac in use settin
Viewing Summary Information To get general route, configuration, links status, and debug information, use the following commands. • View the summary information of the IPv6 routes. EXEC Privilege mode • show ipv6 route [vrf vrf-name] summary View the summary information for the OSPFv3 database. EXEC Privilege mode • show ipv6 ospf [vrf vrf-name] database View the configuration of OSPFv3 neighbors.
37 Policy-based Routing (PBR) Policy-based routing (PBR) allows a switch to make routing decisions based on policies applied to an interface. Overview When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• TCP Flags After you apply a redirect-list to an interface, all traffic passing through it is subjected to the rules defined in the redirect-list. Traffic is forwarded based on the following: • Next-hop addresses are verified. If the specified next hop is reachable, traffic is forwarded to the specified next-hop. • If the specified next-hops are not reachable, the normal routing table is used to forward the traffic. • Dell Networking OS supports multiple next-hop entries in the redirect lists.
PBR Exceptions (Permit) To create an exception to a redirect list, use thepermit command. Exceptions are used when a forwarding decision should be based on the routing table rather than a routing policy. The Dell Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Because the order of rules is important, ensure that you configure any necessary sequence numbers.
• • • • • • • • • • • • tunnel is used to configure the tunnel settings tunnel-id is used to redirect the traffic track is used to track the object-id track is to enable the tracking FORMAT: A.B.C.D FORMAT: slot/port[/subport] ip-protocol-number or protocol-type is the type of protocol to be redirected FORMAT: 0-255 for IP protocol number, or enter protocol type source ip-address or any or host ip-address is the Source’s IP address FORMAT: A.B.C.
Dell(conf-redirect-list)#seq 15 redirect Dell(conf-redirect-list)#seq 20 redirect Dell(conf-redirect-list)#show config ! ip redirect-list test seq 10 redirect 10.1.1.2 ip 20.1.1.0/24 seq 15 redirect 10.1.1.3 ip 20.1.1.0/25 seq 20 redirect 10.1.1.3 ip 20.1.1.0/24 Dell(conf-redirect-list)# 10.1.1.3 ip 20.1.1.0/25 any 10.1.1.3 ip 20.1.1.128/24 any any any any NOTE: Starting with the Dell Networking OS version 9.4(0.
shutdown Dell(conf-if-te-1/1)# Dell(conf-if-gi-1/1)#ip redirect-group test Dell(conf-if-gi-1/1)#ip redirect-group xyz Dell(conf-if-gi-1/1)#show config ! interface GigabitEthernet 1/1 no ip address ip redirect-group test ip redirect-group xyz shutdown Dell(conf-if-gi-1/1)# In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell Networking OS has the capability to support multiple groups on an interface for backup purposes.
Use the show ip redirect-list (without the list name) to display all the redirect-lists configured on the device. Dell#show ip redirect-list IP redirect-list rcl0: Defined as: seq 5 permit ip 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199 seq 10 redirect 1.1.1.2 tcp 234.224.234.234 255.234.234.234 222.222.222.
Create the Redirect-List GOLD EDGE_ROUTER(conf-if-Te-2/23)#ip redirect-list GOLD EDGE_ROUTER(conf-redirect-list)#description Route GOLD traffic to ISP_GOLD. EDGE_ROUTER(conf-redirect-list)#direct 10.99.99.254 ip 192.168.1.0/24 any EDGE_ROUTER(conf-redirect-list)#redirect 10.99.99.254 ip 192.168.2.0/24 any EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.
View Redirect-List GOLD EDGE_ROUTER#show ip redirect-list IP redirect-list GOLD: Defined as: seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any, Next-hop reachable (via Te 3/23) seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any, Next-hop reachable (via Te 3/23) seq 15 permit ip any any Applied interfaces: Te 2/11 EDGE_ROUTER# Creating a PBR list using Explicit Track Objects for Redirect IPs Create Track Objects to track the Redirect IPs: Dell#configure terminal Dell(conf)#track 3 ip host 42.1.1.
seq 25 redirect 43.1.1.2 track 4 ip host 7.7.7.7 host 144.144.144.144, Track 4 [up], Next-hop reachable (via Vl 20) Applied interfaces: Te 2/28 Dell# Creating a PBR list using Explicit Track Objects for Tunnel Interfaces Creating steps for Tunnel Interfaces: Dell#configure terminal Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#tunnel destination 40.1.1.2 Dell(conf-if-tu-1)#tunnel source 40.1.1.1 Dell(conf-if-tu-1)#tunnel mode ipip Dell(conf-if-tu-1)#tunnel keepalive 60.1.1.
Verify the Applied Redirect Rules: Dell#show ip redirect-list explicit_tunnel IP redirect-list explicit_tunnel: Defined as: seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.0/24, Track 1 [up], Next-hop reachable (via Te 1/32) seq 10 redirect tunnel 1 track 1 tcp any any, Track 1 [up], Next-hop reachable (via Te 1/32) seq 15 redirect tunnel 1 track 1 udp 155.55.0.0/16 host 144.144.144.144, Track 1 [up], Nexthop reachable (via Te 1/32) seq 20 redirect tunnel 2 track 2 tcp 155.55.2.0/24 222.22.2.
38 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop. Implementation Information The following information is necessary for implementing PIM-SM.
Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1. After receiving an IGMP Leave message, the gateway removes the interface on which it is received from the outgoing interface list of the (*,G) entry.
ip multicast-routing Related Configuration Tasks The following are related PIM-SM configuration tasks. • Configuring S,G Expiry Timers • Configuring a Static Rendezvous Point • Configuring a Designated Router • Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1 Enable multicast routing on the system. CONFIGURATION mode ip multicast-routing 2 Enable PIM-Sparse mode.
TenGigabitEthernet 1/11 TenGigabitEthernet 2/13 (10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT Incoming interface: TenGigabitEthernet 2/11, RPF neighbor 0.0.0.0 Outgoing interface list: TenGigabitEthernet 1/11 TenGigabitEthernet 1/12 TenGigabitEthernet 2/13 --More-- Configuring S,G Expiry Timers By default, S, G entries expire in 210 seconds. You can configure a global expiry time (for all [S,G] entries) or configure an expiry time for a particular entry.
Configuring a Static Rendezvous Point The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root a group-specific tree; every group must have an RP. • Identify an RP by the IP address of a PIM-enabled or Loopback interface. ip pim rp-address Example of Viewing an RP on a Loopback Interface Dell#sh run int loop0 ! interface Loopback 0 ip address 1.1.1.1/32 ip pim sparse-mode no shutdown Dell#sh run pim ! ip pim rp-address 1.1.1.1 group-address 224.0.0.
• Change the interval at which a router sends hello messages. INTERFACE mode • ip pim query-interval seconds Display the current value of these parameter. EXEC Privilege mode show ip pim interface Creating Multicast Boundaries and Domains A PIM domain is a contiguous set of routers that all implement PIM and are configured to operate within a common boundary defined by PIM multicast border routers (PMBRs). PMBRs connect each PIM domain to the rest of the Internet.
39 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Configure PIM-SSM Configuring PIM-SSM is a two-step process. 1. Configure PIM-SSM. 2. Enable PIM-SSM for a range of addresses. Related Configuration Tasks • Use PIM-SSM with IGMP Version 2 Hosts Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1 Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2 Enter the ip pim ssm-range command and specify the ACL you created.
If you do not specify the group option, the display is a list of groups currently in the IGMP group table that has a group-tosource mapping. To display the list of sources mapped to a group currently in the IGMP group table, use the show ip igmp groups group detail command. Configuring PIM-SSM with IGMPv2 R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.0/4 ip pim ssm-range ssm R1(conf)#do show run acl ! ip access-list standard map seq 5 permit host 239.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:07 Member Ports: Te 1/1 239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.2 R1(conf)#do show ip igmp ssm-map IGMP Connected Group Membership Group Address Interface Mode Uptime 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:36 Member Ports: Te 1/1 R1(conf)#do show ip igmp ssm-map 239.0.0.
40 Port Monitoring Port monitoring (also referred to as mirroring ) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
• Single MD can be monitored on max. of 4 MG ports. Port Monitoring Port monitoring is supported on both physical and logical interfaces, such as VLAN and port-channel interfaces. The source port (MD) with monitored traffic and the destination ports (MG) to which an analyzer can be attached must be on the same switch. You can configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session.
Example of Viewing a Monitoring Session In the example below, 0/25 and 0/26 belong to Port-pipe 1. This port-pipe has the same restriction of only four destination ports, new or used.
MONITOR SESSION mode source Example of Viewing Port Monitoring Configuration To display information on currently configured port-monitoring sessions, use the show monitor session command from EXEC Privilege mode.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic). Figure 105. Port Monitoring Example Configuring Monitor Multicast Queue To configure monitor QoS multicast queue ID, use the following commands. 1 Configure monitor QoS multicast queue ID.
Enabling Flow-Based Monitoring Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress and egress traffic. You can specify traffic using standard or extended access-lists. 1 Enable flow-based monitoring for a monitoring session.
Remote port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a timesaving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• • • • • • • Maximum number of destination sessions supported on a switch: 64 Maximum number ports supported in a destination session: 64. You can configure any port as a destination port. You can configure additional destination ports in an active session. You can tunnel the mirrored traffic from multiple remote-port source sessions to the same destination port. By default, destination port sends the mirror traffic to the probe port by stripping off the rpm header.
R R 100 300 Active Active T Fo 1/49 T Fo 1/51 Configuring the Sample Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches). Table 65.
Dell(conf)#inte te 1/30 Dell(conf-if-te-1/30)#no shutdown Dell(conf-if-te-1/30)#switchport Dell(conf-if-te-1/30)#exit Dell(conf)#interface vlan 30 Dell(conf-if-vl-30)#mode remote-port-mirroring Dell(conf-if-vl-30)#tagged te 1/30 Dell(conf-if-vl-30)#exit Dell(conf)#interface port-channel 10 Dell(conf-if-po-10)#channel-member te 1/28-29 Dell(conf-if-po-10)#no shutdown Dell(conf-if-po-10)#exit Dell(conf)#monitor session 3 type rpm Dell(conf-mon-sess-3)#source port-channel 10 dest remote-vlan 30 dir both Dell(c
Dell(conf)#monitor session 3 type rpm Dell(conf-mon-sess-3)#source remote-vlan 30 destination te 1/6 Dell(conf-mon-sess-3)#tagged destination te 1/6 Dell(conf-mon-sess-3)#end Dell# Dell#show monitor session SessID Source Destination Dir Mode Source IP ------ ------------------ ---- --------1 remote-vlan 10 Te 1/4 N/A N/A N/A 2 remote-vlan 20 Te 1/5 N/A N/A N/A 3 remote-vlan 30 Te 1/6 N/A N/A N/A Dell# Dest IP -------N/A N/A N/A Configuring RSPAN Source Sessions to Avoid BPD Issues When ever you configure
Encapsulated Remote Port Monitoring Encapsulated Remote Port Monitoring (ERPM) copies traffic from source ports/port-channels or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination IP address specified in the session. NOTE: When configuring ERPM, follow these guidelines • The Dell Networking OS supports ERPM source session only. Encapsulated packets terminate at the destination IP address or at the analyzer.
5 no flow-based enable ERPM to be performed on a flow-by-flow basis or if you configure a VLAN source interface. Enter the no flow-based command to disable to disable flow-based ERPM. 6 no disable Enter the no disable command to activate the ERPM session.. The following example shows an ERPM configuration .
ERPM Behavior on a typical Dell Networking OS The Dell Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. Figure 107.
– Some tools support options to edit the capture file. We can make use of such features (for example: editcap ) and chop the ERPM header part and save it to a new trace file. This new file (i.e. the original mirrored packet) can be converted back into stream and fed to any egress interface. b Using Python script – Either have a Linux server's ethernet port ip as the ERPM destination ip or connect the ingress interface of the server to the ERPM MirrorToPort.
41 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
– A primary VLAN and each of its secondary VLANs decrement the available number of VLAN IDs in the switch. – A primary VLAN has one or more promiscuous ports. – A primary VLAN might have one or more trunk ports, or none. • Secondary VLAN — a subdomain of the primary VLAN. – There are two types of secondary VLAN — community VLAN and isolated VLAN.
• show vlan private-vlan [community | interface | isolated | primary | primary_vlan | interface interface] Display primary-secondary VLAN mapping. EXEC mode or EXEC Privilege mode • show vlan private-vlan mapping Set the PVLAN mode of the selected port. INTERFACE switchport mode private-vlan {host | promiscuous | trunk} NOTE: Secondary VLANs are Layer 2 VLANs, so even if they are operationally down while primary VLANs are operationally up, Layer 3 traffic is still transmitted across secondary VLANs.
NOTE: You cannot add interfaces that are configured as PVLAN ports to regular VLANs. You also cannot add “regular” ports (ports not configured as PVLAN ports) to PVLANs. The following example shows the switchport mode private-vlan command on a port and on a port channel.
6 (OPTIONAL) Assign an IP address to the VLAN. INTERFACE VLAN mode ip address ip address 7 (OPTIONAL) Enable/disable Layer 3 communication between secondary VLANs. INTERFACE VLAN mode ip local-proxy-arp NOTE: If a promiscuous or host port is untagged in a VLAN and it receives a tagged packet in the same VLAN, the packet is NOT dropped. Creating a Community VLAN A community VLAN is a secondary VLAN of the primary VLAN in a private VLAN.
INTERFACE VLAN mode private-vlan mode isolated 4 Add one or more host ports to the VLAN. INTERFACE VLAN mode tagged interface or untagged interface You can enter the interfaces singly or in range format, either comma-delimited (slot/port,port,port) or hyphenated (slot/ port-port). You can only add ports defined as host to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 108. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: • Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. • Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. • Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• • Te 1/3 is a promiscuous port and Te 1/25 is a PVLAN trunk port, assigned to the primary VLAN 4000. Te 1/4-6 are host ports. Te 1/4 and Te 1/5 are assigned to the community VLAN 4001, while Te 1/6 is assigned to the isolated VLAN 4003. The result is that: • • The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
Primary Isolated Community : 4000 : 4003 : 4001 NOTE: In the following example, notice the addition of the PVLAN codes – P, I, and C – in the left column. The following example shows viewing the VLAN status.
42 Per-VLAN Spanning Tree Plus (PVST+) Per-VLAN spanning tree plus (PVST+) is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN).
Figure 109. Per-VLAN Spanning Tree The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 67. Spanning Tree Variations Dell Networking OS Supports Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
Configure Per-VLAN Spanning Tree Plus Configuring PVST+ is a four-step process. 1. Configure interfaces for Layer 2. 2. Place the interfaces in VLANs. 3. Enable PVST+. 4. Optionally, for load balancing, select a nondefault bridge-priority for a VLAN.
no disable vlan 100 bridge-priority 4096 Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing.
Example of the show spanning-tree pvst vlan Command To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode. Dell_E600(conf)#do show spanning-tree pvst vlan 100 VLAN 100 Root Identifier has priority 4096, Address 0001.e80d.b6d6 Root Bridge hello time 2, max age 20, forward delay 15 Bridge Identifier has priority 4096, Address 0001.e80d.
The range is from 6 to 40. The default is 20 seconds. The values for global PVST+ parameters are given in the output of the show spanning-tree pvst command. Modifying Interface PVST+ Parameters You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port. • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
The range is from 0 to 240, in increments of 16. The default is 128. The values for interface PVST+ parameters are given in the output of the show spanning-tree pvst command, as previously shown. Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states.
Enabling PVST+ Extend System ID In the following example, ports P1 and P2 are untagged members of different VLANs. These ports are untagged because the hub is VLAN unaware. There is no data loop in this scenario; however, you can employ PVST+ to avoid potential misconfigurations. If you enable PVST+ on the Dell Networking switch in this network, P1 and P2 receive BPDUs from each other.
no ip address switchport no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 interface Vlan 100 no ip address tagged TenGigabitEthernet 1/22,32 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/22,32 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/22,32 no shutdown ! protocol spanning-tree pvst no disable vlan 100 bridge-priority 4096 Example of PVST+ Configuration (R2) interface TenGigabitEthernet 2/12 no ip address switchp
! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! protocol spanning-tree pvst no disable vlan 300 bridge-priority 4096 Per-VLAN Spanning Tree Plus (PVST+) 702
43 Quality of Service (QoS) This chapter describes how to use and configure Quality of Service service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 69.
Feature Direction Create Input Policy Maps Ingress Honor DSCP Values on Ingress Packets Ingress Honoring dot1p Values on Ingress Packets Ingress Create Output Policy Maps Egress Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 112.
• Enabling QoS Rate Adjustment • Enabling Strict-Priority Queueing • Weighted Random Early Detection • Pre-Calculating Available QoS CAM Space • Configuring Weights and ECN for WRED • Configuring WRED and ECN Attributes • Guidelines for Configuring ECN for Classifying and Color-Marking Packets • Applying Layer 2 Match Criteria on a Layer 3 Interface • Applying DSCP and VLAN Match Criteria on a Service Queue • Classifying Incoming Packets Using ECN and Color-Marking • Guidelines for Conf
dot1p Queue Number 3 1 4 2 5 3 6 3 7 3 • Change the priority of incoming traffic on the interface. dot1p-priority Example of Configuring a dot1p Priority on an Interface Dell#configure terminal Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#switchport Dell(conf-if-te-1/1)#dot1p-priority 1 Dell(conf-if-te-1/1)#end Honoring dot1p Priorities on Ingress Traffic By default, Dell Networking OS does not honor dot1p priorities on ingress traffic.
Configuring Port-Based Rate Policing If the interface is a member of a VLAN, you may specify the VLAN for which ingress packets are policed. • Rate policing ingress traffic on an interface. INTERFACE mode rate police Example of the rate police Command The following example shows configuring rate policing.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 113. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell Networking OS matches packets against match criteria in the order that you configure them.
Use step 1 or step 2 to start creating a Layer 3 class map. 1 Create a match-any class map. CONFIGURATION mode class-map match-any 2 Create a match-all class map. CONFIGURATION mode class-map match-all 3 Specify your match criteria. CLASS MAP mode match {ip | ipv6 | ip-any} After you create a class-map, Dell Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4 Link the class-map to a queue.
Use Step 1 or Step 2 to start creating a Layer 2 class map. 1 Create a match-any class map. CONFIGURATION mode class-map match-any 2 Create a match-all class map. CONFIGURATION mode class-map match-all 3 Specify your match criteria. CLASS MAP mode match mac After you create a class-map, Dell Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five access-lists. Match-all class-maps allow only one. You can match against only one VLAN ID. 4 Link the class-map to a queue.
Examples of Traffic Classifications The following example shows incorrect traffic classifications.
Create a QoS Policy There are two types of QoS policies — input and output. Input QoS policies regulate Layer 3 and Layer 2 ingress traffic. The regulation mechanisms for input QoS policies are rate policing and setting priority values. • Layer 3 — QoS input policies allow you to rate police and set a DSCP or dot1p value. In addition, you can configure a drop precedence for incoming packets based on their DSCP value by using a DSCP color map. For more information, see DSCP Color Maps.
Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1 Create an output QoS policy. CONFIGURATION mode qos-policy-output 2 After you configure an output QoS policy, do one or more of the following: Scheduler Strict — Policy-based Strict-priority Queueing configuration is done through scheduler strict. It is applied to Qos-policy-output. When scheduler strict is applied to multiple Queues, high queue number takes precedence.
bandwidth-percentage Specifying WRED Drop Precedence You can configure the WRED drop precedence in an output QoS policy. • Specify a WRED profile to yellow and/or green traffic. QOS-POLICY-OUT mode wred For more information, refer to Applying a WRED Profile to Traffic. Create Policy Maps There are two types of policy maps: input and output. Creating Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1 Create a Layer 3 input policy map.
Honoring DSCP Values on Ingress Packets Dell Networking OS provides the ability to honor DSCP values on ingress packets using Trust DSCP feature. The following table lists the standard DSCP definitions and indicates to which queues Dell Networking OS maps DSCP values. When you configure trust DSCP, the matched packets and matched bytes counters are not incremented in the show qos statistics. Table 72.
Table 74. Default dot1p to Queue Mapping dot1p Queue ID 0 0 1 0 2 0 3 1 4 2 5 3 6 3 7 3 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN. • Enable the trust dot1p feature. POLICY-MAP-IN mode trust dot1p Mapping dot1p Values to Service Queues All traffic is by default mapped to the same queue, Queue 0.
• If you apply a service policy that contains an ACL to more than one interface, Dell Networking OS uses ACL optimization to conserve CAM space. The ACL optimization behavior detects when an ACL exists in the CAM rather than writing it to the CAM multiple times. • Apply an input policy map to an interface. INTERFACE mode service-policy input Specify the keyword layer2 if the policy map you are applying a Layer 2 policy map. Creating Output Policy Maps 1 Create an output policy map.
DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration. This sections consists of the following topics: • Creating a DSCP Color Map • Displaying Color Maps • Display Color Map Configuration Creating a DSCP Color Map You can create a DSCP color map to outline the differentiated services codepoint (DSCP) mappings to the appropriate color mapping (green, yellow, red) for the input traffic.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence , and set the DSCP values to 9,10,11,13,15,16 Dell(conf)# qos dscp-color-map bat-enclave-map Dell(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16 Dell (conf-dscp-color-map)# exit Assign the color map, bat-enclave-map to interface te 1/11 .
Display detailed information about a color policy for a specific interface Dell# show qos dscp-color-policy detail tengigabitethernet 1/10 Interface TenGigabitEthernet 1/10 Dscp-color-map mapONE yellow 4,7 red 20,30 Enabling QoS Rate Adjustment By default while rate limiting, policing, and shaping, Dell Networking OS does not include the Preamble, SFD, or the IFG fields.
Weighted Random Early Detection Weighted random early detection (WRED) is a congestion avoidance mechanism that drops packets to prevent buffering resources from being consumed. The WRED congestion avoidance mechanism drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others.
Figure 114. Packet Drop Rate for WRED You can create a custom WRED profile or use one of the five pre-defined profiles. Table 75. Pre-Defined WRED Profiles Default Profile Name Minimum Threshold Maximum Threshold Maximum Drop Rate wred_drop 0 0 100 wred_teng_y 467 4671 100 wred_teng_g 467 4671 50 wred_fortyg_y 467 4671 50 wred_fortyg_g 467 4671 25 Creating WRED Profiles To create WRED profiles, use the following commands. 1 Create a WRED profile.
DSCP is a 6–bit field. Dell Networking uses the first three bits (LSB) of this field (DP) to determine the drop precedence. • DP values of 110 and 100, 101 map to yellow; all other values map to green. • If you do not configure Dell Networking OS to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence. • Assign a WRED profile to either yellow or green traffic.
Displaying egress-queue Statistics To display the number of transmitted and dropped packets on the egress queues of a WRED-configured interface, use the following command. • Display the number of packets and number of bytes on the egress-queue profile. EXEC Privilege mode show qos statistics egress-queue Example of the show qos statistics egress-queue Command Pre-Calculating Available QoS CAM Space Before Dell Networking OS version 7.3.
Example of the test cam-usage Command Dell# test cam-usage service-policy input pmap_l2 port-set 0 | port pipe Port-pipe | CAM Partition | Available CAM | Estimated CAM | Status ===================================================================== 0 L2ACL 500 200 Allowed(2) Configuring Weights and ECN for WRED The WRED congestion avoidance functionality drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets.
You can define WRED profiles and weight on each of the global service-pools for both loss-based and lossless (PFC) servicepools. The following events occur when you configure WRED and ECN on global service-pools: • If WRED/ECN is enabled on the global service-pool with threshold values and if it is not enabled on the queues, WRED/ECN are not effective based on global service-pool WRED thresholds.
To configure the weight factor for WRED and ECN capabilities, global buffer pools for multiple queues, and associating a service class with ECN marking, perform the following: 1 Configure the weight factor for the computation of average-queue size. This weight value applies to front-end ports. QOS-POLICY-OUT mode Dell(conf-qos-policy-out)#wred—profile weight number 2 Configure a WRED profile, and specify the threshold and maximum drop rate.
– CIR < x< PIR – will be marked as “Yellow” – PIR < x – will be marked as “Red” But ‘Green’ packets matching the specific match criteria for which ‘color-marking’ is configured will be over-written and marked as “Yellow”. Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class Consider the example where there are no different traffic classes that is all the packets are egressing on the default ‘queue0’.
As a part of this feature, the 2-bit ECN field of the IPv4 packet will also be available to be configured as one of the match qualifier. This way the entire 8-bit ToS field of the IPv4 header shall be used to classify traffic. The Dell Networking OS Release 9.3(0.0) supports the following QOS actions in the ingress policy based QOS: 1. Rate Policing 2. Queuing 3. Marking For the L3 Routed packets, the DSCP marking is the only marking action supported in the software.
• set the packet color as ‘yellow’ and set a new DSCP for the packet This marking action to set the color of the packet is allowed only on the ‘match-any’ logical operator of the class-map.
! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40_ecn ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50_ecn ! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Applying Layer 2 Match Criteria on a Layer 3 Interface To process Layer 3
To configure IP VLAN and DSCP match criteria in a Layer 3 class map, and apply the class and policy maps to a service queue: 1 Create a match-any or a match-all Layer 3 class map, depending on whether you want the packets to meet all or any of the match criteria. By default, a Layer 3 class map is created if you do not enter the layer2 option with the class-map command. When you create a class map, you enter the class-map configuration mode.
2. Specify the differentiated actions for different traffic class. 3. Attach the policy-map to the interface. Dell Networking OS support different types of match qualifiers to classify the incoming traffic. Match qualifiers can be directly configured in the class-map command or it can be specified through one or more ACL which in turn specifies the combination of match qualifiers. Until Release 9.3(0.0), support is available for classifying traffic based on the 6-bit DSCP field of the IPv4 packet.
By default, all packets are considered as ‘green’ (without the rate-policer and trust-diffserve configuration) and hence support would be provided to mark the packets as ‘yellow’ alone will be provided. By default Dell Networking OS drops all the ‘RED’ or ‘violate’ packets.
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class Consider the example where there are no different traffic classes that is all the packets are egressing on the default ‘queue0’. Dell Networking OS can be configured as below to mark the non-ecn packets as yellow packets.
ip access-list standard dscp_40_ecn seq 5 permit any dscp 40 ecn 1 seq 10 permit any dscp 40 ecn 2 seq 15 permit any dscp 40 ecn 3 ! ip access-list standard dscp_50_non_ecn seq 5 permit any dscp 50 ecn 0 ! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40_ecn ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-gro
Unit 1 unit: 3 port: 5 (interface Fo 1/148) --------------------------------------Q# TYPE Q# TOTAL BUFFERED CELLS --------------------------------------MCAST 3 0 Unit 1 unit: 3 port: 9 (interface Fo 1/152) --------------------------------------Q# TYPE Q# TOTAL BUFFERED CELLS --------------------------------------MCAST 3 0 Unit 1 unit: 3 port: 13 (interface Fo 1/156) --------------------------------------Q# TYPE Q# TOTAL BUFFERED CELLS --------------------------------------MCAST 3 0 Unit 1 unit: 3 port: 17 (
UCAST UCAST UCAST UCAST UCAST UCAST UCAST MCAST MCAST MCAST MCAST MCAST MCAST MCAST MCAST MCAST 5 6 7 8 9 10 11 0 1 2 3 4 5 6 7 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Quality of Service (QoS) 738
44 Routing Information Protocol (RIP) The Routing Information Protocol (RIP) tracks distances or hop counts to nearby routers when establishing network connections and is based on a distance-vector algorithm. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Implementation Information Dell Networking OS supports both versions of RIP and allows you to configure one version globally and the other version on interfaces or both versions on the interfaces. The following table lists the defaults for RIP in Dell Networking OS. Table 77.
Enabling RIP Globally By default, RIP is not enabled in Dell Networking OS. To enable RIP globally, use the following commands. 1 Enter ROUTER RIP mode and enable the RIP process on Dell Networking OS. CONFIGURATION mode router rip 2 Assign an IP network address as a RIP network to exchange routing information.
192.161.1.0/24 auto-summary 192.162.3.0/24 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49 192.162.3.0/24 auto-summary To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
Adding RIP Routes from Other Instances In addition to filtering routes, you can add routes from other routing instances or protocols to the RIP process. With the redistribute command, you can include open shortest path first (OSPF), static, or directly connected routes in the RIP process. To add routes from other routing instances or protocols, use the following commands. • Include directly connected or user-configured (static) routes in RIP.
Examples of the RIP Process To see whether the version command is configured, use the show config command in ROUTER RIP mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2. When you set the ROUTER RIP mode version command, the interface (TenGigabitEthernet 1/1) participating in the RIP process is also set to send and receive RIPv2 (shown in bold). To view the routing protocols configuration, use the show ip protocols command in EXEC mode.
Generating a Default Route Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP. In Dell Networking OS, default routes received in RIP updates from other routes are advertised if you configure the default-information originate command. • Specify the generation of a default route in RIP.
• – ip-address mask: the IP address in dotted decimal format (A.B.C.D), and the mask in slash format (/x). – access-list-name: the name of a configured IP ACL. Apply an additional number to the incoming or outgoing route metrics. ROUTER RIP mode offset-list access-list-name {in | out} offset [interface] Configure the following parameters: – prefix-list-name: the name of an established Prefix list to determine which incoming routes are modified – offset: the range is from 0 to 16.
RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Example of Configuring RIPv2 on Core 2 Core2(conf-if-te-2/3)# Core2(conf-if-te-2/3)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
C 10.11.10.0/24 C 10.11.20.0/24 R 10.11.30.0/24 C 10.200.10.0/24 C 10.300.10.0/24 R 192.168.1.0/24 R 192.168.2.0/24 Core2# R 192.168.1.0/24 R 192.168.2.0/24 Direct, Te 2/11 Direct, Te 2/3 via 10.11.20.1, Te 2/3 Direct, Te 2/4 Direct, Te 2/5 via 10.11.20.1, Te 2/3 via 10.11.20.1, Te 2/3 0/0 0/0 120/1 0/0 0/0 120/1 120/1 00:02:26 00:02:02 00:01:20 00:03:03 00:02:42 00:01:20 00:01:20 via 10.11.20.1, Te 2/3 via 10.11.20.
Core 3 RIP Output The examples in this section show the core 2 RIP output. • • • To display Core 3 RIP database, use the show ip rip database command. To display Core 3 RIP setup, use the show ip route command. To display Core 3 RIP activity, use the show ip protocols command. Examples of the show ip Commands to View Learned RIP Routes on Core 3 The following example shows the show ip rip database command to view the learned RIP routes on Core 3.
TenGigabitEthernet 3/11 2 2 TenGigabitEthernet 3/24 2 2 TenGigabitEthernet 3/23 2 2 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.2 120 00:00:22 Distance: (default is 120) Core3# RIP Configuration Summary Examples of Viewing RIP Configuration on Core 2 and Core 3 The following example shows viewing the RIP configuration on Core 2. ! interface TenGigabitEthernet ip address 10.11.10.
router rip version 2 network 10.11.20.0 network 10.11.30.0 network 192.168.1.0 network 192.168.2.
45 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
Setting the RMON Alarm To set an alarm on any MIB object, use the rmon alarm or rmon hc-alarm command in GLOBAL CONFIGURATION mode. • Set an alarm on any MIB object.
[no] rmon event number [log] [trap community] [description string] [owner string] – number: assigned event number, which is identical to the eventIndex in the eventTable in the RMON MIB. The value must be an integer from 1 to 65,535 and be unique in the RMON Event Table. – log: (Optional) generates an RMON log entry when the event is triggered and sets the eventType in the RMON MIB to log or log-and-trap. Default is no log. – trap community: (Optional) SNMP community string used for this trap.
[no] rmon collection history {controlEntry integer} [owner ownername] [buckets bucket-number] [interval seconds] – controlEntry: specifies the RMON group of statistics using a value. – integer: a value from 1 to 65,535 that identifies the RMON group of statistics. The value must be a unique index in the RMON History Table. – owner: (Optional) specifies the name of the owner of the RMON group of statistics. The default is a null-terminated string.
46 Rapid Spanning Tree Protocol (RSTP) The Rapid Spanning Tree Protocol (RSTP) is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.
• All interfaces in virtual local area networks (VLANs) and all enabled interfaces in Layer 2 mode are automatically added to the RST topology. • Adding a group of ports to a range of VLANs sends multiple messages to the rapid spanning tree protocol (RSTP) task, avoid using the range command. When using the range command, Dell Networking recommends limiting the range to five ports and 40 VLANs. RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP.
Enabling Rapid Spanning Tree Protocol Globally Enable RSTP globally on all participating bridges; it is not enabled by default. When you enable RSTP, all physical and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the RST topology. • Only one path from any bridge to any other bridge is enabled. • Bridges block a redundant path by disabling one of the link ports. To enable RSTP globally for all Layer 2 interfaces, use the following commands.
no disable Dell(conf-rstp)# Figure 116. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output. Dell#show spanning-tree rstp Root Identifier has priority 32768, Address 0001.e801.cbb4 Root Bridge hello time 2, max age 20, forward delay 15, max hops 0 Bridge Identifier has priority 32768, Address 0001.e801.
Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.379, designated path cost 0 Number of transitions to forwarding state 1 BPDU : sent 121, received 5 The port is not in the Edge port mode Port 380 (TenGigabitEthernet 2/4) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.380 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
The following table displays the default values for RSTP. Table 79.
Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps, use the following command. • Enable SNMP traps for RSTP, MSTP, and PVST+ collectively. snmp-server enable traps xstp Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
PROTOCOL SPANNING TREE RSTP mode bridge-priority priority-value – priority-value The range is from 0 to 65535. The lower the number assigned, the more likely this bridge becomes the root bridge. The default is 32768. Entries must be multiples of 4096. Example of the bridge-priority Command A console message appears when a new root bridge has been assigned. The following example example shows the console message after the bridge-priority command is used to make R2 the root bridge (shown in bold).
no ip address switchport spanning-tree rstp edge-port shutdown Dell(conf-if-te-2/1)# Configuring Fast Hellos for Link State Detection Use RSTP fast hellos to achieve sub-second link-down detection so that convergence is triggered faster. The standard RSTP link-state detection mechanism does not offer the same low link-state detection speed. To achieve sub-second link-down detection so that convergence is triggered faster, use RSTP fast hellos.
47 Software-Defined Networking (SDN) The Dell Networking OS supports software-defined networking (SDN). For more information, see the SDN Deployment Guide.
48 Security This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
Enabling AAA Accounting The aaa accounting command allows you to create a record for any or all of the accounting functions monitored. To enable AAA accounting, use the following command. • Enable AAA accounting and create a record for monitoring the accounting function. CONFIGURATION mode aaa accounting {commands | exec | suppress | system level} {default | name} {start-stop | wait-start | stop-only} {tacacs+} The variables are: – system: sends accounting information of any other AAA configuration.
Example of Configuring AAA Accounting to Track EXEC and EXEC Privilege Level Command Use In the following sample configuration, AAA accounting is set to track all usage of EXEC commands and commands on privilege level 15.
NOTE: If a console user logs in with RADIUS authentication, the privilege level is applied from the RADIUS server if the privilege level is configured for that user in RADIUS, whether you configure RADIUS authorization. NOTE: RADIUS and TACACS servers support VRF-awareness functionality. You can create RADIUS and TACACS groups and then map multiple servers to a group. The group to which you map multiple servers is bound to a single VRF.
LINE mode login authentication {method-list-name | default} To view the configuration, use the show config command in LINE mode or the show running-config in EXEC Privilege mode. NOTE: Dell Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH). You can create multiple method lists and assign them to different terminal lines.
The following example shows enabling local authentication for console and remote authentication for the VTY lines. Dell(config)# aaa authentication enable mymethodlist radius tacacs Dell(config)# line vty 0 9 Dell(config-line-vty)# enable authentication mymethodlist Server-Side Configuration Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
Privilege Levels Overview Limiting access to the system is one method of protecting the system and your network. However, at times, you might need to allow others access to the router and you can limit that access to a subset of commands. In Dell Networking OS, you can configure a privilege level for users who need limited access to the system. Every command in Dell Networking OS is assigned a privilege level of 0, 1, or 15. You can configure up to 16 privilege levels in Dell Networking OS.
username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level][secret] Configure the optional and required parameters: – name: Enter a text string up to 63 characters long. – access-class access-list-name: Enter the name of a configured IP ACL. – nopassword: Do not require the user to enter a password. – encryption-type: Enter 0 for plain text or 7 for encrypted text. – password: Enter a string. – privilege level The range is from 0 to 15.
CONFIGURATION mode username name [access-class access-list-name] [privilege level] [nopassword | password [encryption-type] password Secret] Configure the optional and required parameters: 2 • name: Enter a text string up to 63 characters(maximum) long. • access-class access-list-name: Restrict access by access-class.. • privilege level: The range is from 0 to 15. • nopassword: No password is required for the user to log in. • encryption-type: Enter 0 for plain text or 7 for encrypted text.
Dell(conf)#end Dell#show running-config Current Configuration ... ! hostname Force10 ! enable password level 8 notjohn enable password Force10 ! username admin password 0 admin username john password 0 john privilege 8 ! The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands.
– password: Enter a text string up to 32 characters long. To view the password configured for a terminal, use the show config command in LINE mode. Enabling and Disabling Privilege Levels To enable and disable privilege levels, use the following commands. • Set a user’s security level. EXEC Privilege mode enable or enable privilege-level • If you do not enter a privilege level, Dell Networking OS sets it to 15 by default. Move to a lower privilege level.
After gaining authorization for the first time, you may configure these attributes. NOTE: RADIUS authentication/authorization is done for every login. There is no difference between first-time login and subsequent logins. Idle Time Every session line has its own idle-time. If the idle-time value is not changed, the default value of 30 minutes is used. RADIUS specifies idle-time allow for a user during a session before timeout.
• Specifying a RADIUS Server Host (mandatory) • Setting Global Communication Parameters for all RADIUS Server Hosts (optional) • Monitoring RADIUS (optional) For a complete listing of all Dell Networking OS commands related to RADIUS, refer to the Security chapter in the Dell Networking OS Command Reference Guide. NOTE: RADIUS authentication and authorization are done in a single step. Hence, authorization cannot be used independent of authentication.
Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the RADIUS server host.
• – key: enter a string. The key can be up to 42 characters long. You cannot use spaces in the key. Configure the number of times Dell Networking OS retransmits RADIUS requests. CONFIGURATION mode radius-server retransmit retries • – retries: the range is from 0 to 100. Default is 3 retries. Configure the time interval the system waits for a RADIUS server host response. CONFIGURATION mode radius-server timeout seconds – seconds: the range is from 0 to 1000. Default is 5 seconds.
Enter the IP address or host name of the TACACS+ server. Use this command multiple times to configure multiple TACACS+ server hosts. 2 Enter a text string (up to 16 characters long) as the name of the method list you wish to use with the TACAS+ authentication method. CONFIGURATION mode aaa authentication login {method-list-name | default} tacacs+ [...method3] The TACACS+ method must not be the last method specified. 3 Enter LINE mode.
Monitoring TACACS+ To view information on TACACS+ transactions, use the following command. • View TACACS+ transactions to troubleshoot problems. EXEC Privilege mode debug tacacs+ TACACS+ Remote Authentication The system takes the access class from the TACACS+ server. Access class is the class of service that restricts Telnet access and packet sizes.
To view the TACACS+ configuration, use the show running-config tacacs+ command in EXEC Privilege mode. To delete a TACACS+ server host, use the no tacacs-server host {hostname | ip-address} command. freebsd2# telnet 2200:2200:2200:2200:2200::2202 Trying 2200:2200:2200:2200:2200::2202... Connected to 2200:2200:2200:2200:2200::2202. Escape character is '^]'.
ssh {hostname} [-l username | -p port-number | -v {1 | 2}| -c encryption cipher | -m HMAC algorithm • • hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D). SSH V2 is enabled by default on all the modes. Display SSH connection information.
Example of Using SCP to Copy from an SSH Server on Another Switch The following example shows the use of SCP and SSH to copy a software image from one switch running SSH server on UDP port 99 to the local switch. Other SSH related command include: • crypto key generate : generate keys for the SSH server. • debug ip ssh : enables collecting SSH debug information. • ip scp topdir : identify a location for files used in secure copy transfer.
• rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 to megabytes. The default is 1024 megabytes. Examples The following example configures the time-based rekey threshold for an SSH session to 30 minutes. Dell(conf)#ip ssh rekey time 30 The following example configures the volume-based rekey threshold for an SSH session to 4096 megabytes.
The default HMAC algorithms are the following: • hmac-sha2-256 • hmac-sha1 • hmac-sha1-96 • hmac-md5 • hmac-md5-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha2-256,hmac-sha1,hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list.
The following ciphers are available. • 3des-cbc • aes128-cbc • aes192-cbc • aes256-cbc • aes128-ctr • aes192-ctr • aes256-ctr The default cipher list is aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc, 3des-cbc. Example of Configuring a Cipher List The following example shows you how to configure a cipher list.
• Enable SSH password authentication. CONFIGURATION mode ip ssh password-authentication enable Example of Enabling SSH Password Authentication To view your SSH configuration, use the show ip ssh command from EXEC Privilege mode. Dell(conf)#ip ssh server enable Dell(conf)#ip ssh password-authentication enable Dell# show ip ssh SSH server : enabled. SSH server version : v1 and v2. SSH server vrf : default. SSH server ciphers : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192ctr,aes256-ctr.
Configuring Host-Based SSH Authentication Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands. 1 Configure RSA Authentication. Refer to Using RSA Authentication of SSH. 2 Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file. cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts Refer to the first example.
Using Client-Based SSH Authentication To SSH from the chassis to the SSH client, use the following command. This method uses SSH version 1 or version 2. If the SSH port is a non-default value, use the ip ssh server port number command to change the default port number. You may only change the port number when SSH is disabled. Then use the -p option with the ssh command. • SSH from the chassis to the SSH client. ssh ip_address Example of Client-Based SSH Authentication Dell#ssh 10.16.127.
VTY Line and Access-Class Configuration Various methods are available to restrict VTY access in Dell Networking OS. These depend on which authentication scheme you use — line, local, or remote. Table 80. VTY Access Authentication Method VTY access-class support? Username access-class support? Remote authorization support? Line YES NO NO Local NO YES NO TACACS+ YES NO YES (with Dell Networking OS version 5.2.1.0 and later) RADIUS YES NO YES (with Dell Networking OS version 6.1.1.
Dell(config-line-vty)#login authentication localmethod Dell(config-line-vty)#end VTY Line Remote Authentication and Authorization Dell Networking OS retrieves the access class from the VTY line. The Dell Networking OS takes the access class from the VTY line and applies it to ALL users. Dell Networking OS does not need to know the identity of the incoming user and can immediately apply the access class.
• Creating a New User Role • Modifying Command Permissions for Roles • Adding and Deleting Users from a Role • Role Accounting • Configuring AAA Authentication for Roles • Configuring AAA Authorization for Roles • Configuring an Accounting for Roles • Applying an Accounting Method to a Role • Displaying Active Accounting Sessions for Roles • Configuring TACACS+ and RADIUS VSA Attributes for RBAC • Displaying User Roles • Displaying Accounting for User Roles • Displaying Information
Configuring Role-based Only AAA Authorization You can configure authorization so that access to commands is determined only by the user’s role. If the user has no user role, access to the system is denied as the user will not be able to login successfully.
System-Defined RBAC User Roles By default, the Dell Networking OS provides 4 system defined user roles. You can create up to 8 additional user roles. NOTE: You cannot delete any system defined roles. The system defined user roles are as follows: • Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information.
Consider the following when creating a user role: • Only the system administrator and user-defined roles inherited from the system administrator can create roles and user names. Only the system administrator, security administrator, and roles inherited from these can use the "role" command to modify command permissions. The security administrator and roles inherited by security administrator can only modify permissions for commands they already have access to.
The following output displays the modes available for the role command. Dell (conf)#role configure exec interface line route-map router ? Global configuration mode Exec Mode Interface configuration mode Line Configuration mode Route map configuration mode Router configuration mode Examples: Deny Network Administrator from Using the show users Command.
Dell(conf)#do show role mode ? configure Global configuration mode exec Exec Mode interface Interface configuration mode line Line Configuration mode route-map Route map configuration mode router Router configuration mode Dell(conf)#do show role mode configure line Role access:sysadmin Example: Grant and Remove Security Administrator Access to Configure Protocols By default, the system defined role, secadmin, is not allowed to configure protocols.
• Configuring TACACS+ and RADIUS VSA Attributes for RBAC Configure AAA Authentication for Roles Authentication services verify the user ID and password combination. Users with defined roles and users with privileges are authenticated with the same mechanism. There are six methods available for authentication: radius, tacacs+, local, enable, line, and none. When role-based only AAA authorization is enabled, the enable, line, and none methods are not available.
The following configuration example applies a method list other than default to each VTY line. NOTE: Note that the methods were not applied to the console so the default methods (if configured) are applied there.
The format to create a Dell Network OS AV pair for privilege level is shell:priv-lvl= where number is a value between 0 and 15. Force10-avpair= ”shell:priv-lvl=15“ Example for Creating a AVP Pair for System Defined or User-Defined Role The following section shows you how to create an AV pair to allow a user to login from a network access server to have access to commands based on the user’s role.
Displaying Active Accounting Sessions for Roles To display active accounting sessions for each user role, use the show accounting command in EXEC mode.
Dell#show role mode configure username Role access: sysadmin Dell##show role mode configure password-attributes Role access: secadmin,sysadmin Dell#show role mode configure interface Role access: netadmin, sysadmin Dell#show role mode configure line Role access: netadmin,sysadmin Displaying Information About Users Logged into the Switch To display information on all users logged into the switch, using the show users command in EXEC Privilege mode. The output displays privilege level and/or user role.
49 Service Provider Bridging Service provider bridging provides the ability to add a second VLAN ID tag in an Ethernet frame and is referred to as VLAN stacking in the Dell Networking OS. VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.
Figure 117. VLAN Stacking in a Service Provider Network Important Points to Remember • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. • Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
Configure VLAN Stacking Configuring VLAN-Stacking is a three-step process. 1. Creating Access and Trunk Ports 2. Assign access and trunk ports to a VLAN (Creating Access and Trunk Ports). 3. Enabling VLAN-Stacking for a VLAN.
Enable VLAN-Stacking for a VLAN To enable VLAN-Stacking for a VLAN, use the following command. • Enable VLAN-Stacking for the VLAN. INTERFACE VLAN mode vlan-stack compatible Example of Viewing VLAN Stack Member Status To display the status and members of a VLAN, use the show vlan command from EXEC Privilege mode. Members of a VLANStacking-enabled VLAN are marked with an M in column Q.
NOTE: You can add a trunk port to an 802.1Q VLAN as well as a Stacking VLAN only when the TPID 0x8100. 2 Add the port to a 802.1Q VLAN as tagged or untagged. INTERFACE VLAN mode [tagged | untagged] Example of Configuring a Trunk Port as a Hybrid Port and Adding it to Stacked VLANs In the following example, TenGigabitEthernet 1/1 is a trunk port that is configured as a hybrid port and then added to VLAN 100 as untagged VLAN 101 as tagged, and VLAN 103, which is a stacking VLAN.
vlan id Dell# : 603 (MT), 100(T), 101(NU) VLAN Stacking in Multi-Vendor Networks The first field in the VLAN tag is the tag protocol identifier (TPID), which is 2 bytes. In a VLAN-stacking network, after the frame is double tagged, the outer tag TPID must match the TPID of the next-hop system. While 802.1Q requires that the inner tag TPID is 0x8100, it does not require a specific value for the outer tag TPID.
Therefore, a mismatched TPID results in the port not differentiating between tagged and untagged traffic. Figure 118.
Figure 119.
Figure 120. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series. Table 81. Behaviors for Mismatched TPID Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Incoming Packet TPID System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Honoring the Incoming DEI Value To honor the incoming DEI value, you must explicitly map the DEI bit to an Dell Networking OS drop precedence. Precedence can have one of three colors. Precedence Description Green High-priority packets that are the least preferred to be dropped. Yellow Lower-priority packets that are treated as best-effort. Red Lowest-priority packets that are always dropped (regardless of congestion status).
Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to a S-Tag 802.1p value. Figure 121.
Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
Layer 2 Protocol Tunneling Spanning tree bridge protocol data units (BPDUs) use a reserved destination MAC address called the bridge group address, which is 01-80-C2-00-00-00. Only spanning-tree bridges on the local area network (LAN) recognize this address and process the BPDU.
Figure 122. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 123. VLAN Stacking with L2PT Implementation Information • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. • No protocol packets are tunneled when you enable VLAN stacking. • L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1 Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
show cam-profile 2 Enable protocol tunneling globally on the system. CONFIGURATION mode protocol-tunnel enable 3 Tunnel BPDUs the VLAN. INTERFACE VLAN mode protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
Debugging Layer 2 Protocol Tunneling To debug Layer 2 protocol tunneling, use the following command. • Display debugging information for L2PT. EXEC Privilege mode debug protocol-tunnel Provider Backbone Bridging IEEE 802.1ad—Provider Bridges amends 802.1Q—Virtual Bridged Local Area Networks so that service providers can use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. 802.
50 sFlow sFlow is a standard-based sampling technology embedded within switches and routers which is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
occurs, a back-off is triggered and the hardware sampling rate is backed-off from 512 to 1024. Note that port 1 maintains its sampling rate of 16384; port 1 is unaffected because it maintains its configured sampling rate of 16384.: • If the interface states are up and the sampling rate is not configured on the port, the default sampling rate is calculated based on the line speed. • If the interface states are shut down, the sampling rate is set using the global sampling rate.
Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 20 Global default extended maximum header size: 128 bytes Global extended information enabled: none 1 collectors configured Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.
Example of the show sflow command when the sflow max-header-size extended is configured globally Dell(conf-if-te-1/10)#show sflow sFlow services are enabled Egress Management Interface sFlow services are disabled Global default sampling rate: 32768 Global default counter polling interval: 86400 Global default extended maximum header size: 256 bytes Global extended information enabled: none 1 collectors configured Collector IP addr: 100.1.1.12, Agent IP addr: 100.1.1.
The second bold lines indicate sFlow is enabled on Te 1/16 and Te 1/17 Dell#show sflow sFlow services are enabled Global default sampling rate: 32768 Global default counter polling interval: 20 1 collectors configured Collector IP addr: 133.33.33.53, Agent IP addr: 133.33.33.
Samples rcvd from h/w Total UDP packets exported UDP packets exported via RPM UDP packets dropped :0 :0 :0 :36 Configuring Specify Collectors The sflow collector command allows identification of sFlow collectors to which sFlow datagrams are forwarded. You can specify up to two sFlow collectors. If you specify two collectors, the samples are sent to both. • Identify sFlow collectors to which sFlow datagrams are forwarded.
sFlow on LAG ports When a physical port becomes a member of a LAG, it inherits the sFlow configuration from the LAG port. Enabling Extended sFlow Extended sFlow packs additional information in the sFlow datagram depend on the type of sampled packet. The platform supports extended-switch information processing only. Extended sFlow packs additional information in the sFlow datagram depending on the type of sampled packet. You can enable the following options: • extended-switch — 802.1Q VLAN ID and 802.
Important Points to Remember • To export extended-gateway data, BGP must learn the IP destination address. • If the IP destination address is not learned via BGP the Dell Networking system does not export extended-gateway data. • If the IP source address is learned via IGP, srcAS and srcPeerAS are zero. • The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP.
51 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
You can download the latest MIB files from the following path: • https://www.force10networks.com/CSPortal20/Main/SupportMain.aspx. Implementation Information The following describes SNMP implementation information. • Dell Networking OS supports SNMP version 1 as defined by RFC 1155, 1157, and 1212, SNMP version 2c as defined by RFC 1901, and SNMP version 3 as defined by RFC 2571. • Dell Networking OS supports up to 16 trap receivers.
You can enable or disable FIPS mode only if SNMPv3 users are not previously set up. If previously configured users exist on the system, you must delete the existing users before you change the FIPS mode. Keep the following points in mind when you configure the AES128-CFB algorithm for SNMPv3: 1. SNMPv3 authentication provides only the sha option when the FIPS mode is enabled. 2. SNMPv3 privacy provides only the aes128 privacy option when the FIPS mode is enabled. 3.
SNMP version 3 (SNMPv3) is a user-based security model that provides password authentication for user security and encryption for data security and privacy. Three sets of configurations are available for SNMP read/write operations: no password or privacy, password privileges, password and privacy privileges. You can configure a maximum of 16 users even if they are in different groups.
snmp-server view view-name oid-tree {included | excluded} NOTE: To give a user read and write view privileges, repeat this step for each privilege type. • Configure the user with an authorization password (password privileges only). CONFIGURATION mode • snmp-server user name group-name 3 noauth auth md5 auth-password Configure an SNMP group (password privileges only). CONFIGURATION mode • snmp-server group groupname {oid-tree} auth read name write name Configure an SNMPv3 view.
Examples of Reading the Value of Managed Objects In the following example, the value “4” displays in the OID before the IP address for IPv4. For an IPv6 IP address, a value of “16” displays. > snmpget -v 2c -c mycommunity 10.11.131.161 sysUpTime.0 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (32852616) 3 days, 19:15:26.16 > snmpget -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1.3.0 The following example shows reading the value of the next managed object. > snmpgetnext -v 2c -c mycommunity 10.11.131.
You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number). CONFIGURATION mode snmpset -v version -c community agent-ip sysContact.0 s “contact-info” You may use up to 55 characters. • The default is None. (From a management station) Identify the physical location of the system (for example, San Jose, 350 Holger Way, 1st floor lab, rack A1-1).
3 Specify the interfaces out of which Dell Networking OS sends SNMP traps. CONFIGURATION mode snmp-server trap-source Example of RFC-Defined SNMP Traps and Related Enable Commands The following example lists the RFC-defined SNMP traps and the command used to enable each. The coldStart and warmStart traps are enabled using a single command. snmp authentication string. snmp coldstart snmp linkdown snmp linkup SNMP_AUTH_FAIL:SNMP Authentication failed.
exceeds threshold of %dC) MAJOR_TEMP_CLR: Major alarm cleared: chassis temperature lower (%s %d temperature is within threshold of %dC) envmon fan FAN_TRAY_BAD: Major alarm: fantray %d is missing or down FAN_TRAY_OK: Major alarm cleared: fan tray %d present FAN_BAD: Minor alarm: some fans in fan tray %d are down FAN_OK: Minor alarm cleared: all fans in fan tray %d are good vlt Enable VLT traps.
Enabling an SNMP Agent to Notify Syslog Server Failure You can configure a network device to send an SNMP trap if an audit processing failure occurs due to loss of connectivity with the syslog server. If a connectivity failure occurs on a syslog server that is configured for reliable transmission, an SNMP trap is sent and a message is displayed on the console.
Copy Configuration Files Using SNMP To do the following, use SNMP from a remote client. • copy the running-config file to the startup-config file • copy configuration files from the Dell Networking system to a server • copy configuration files from a server to the Dell Networking system You can perform all of these tasks using IPv4 or IPv6 addresses. The examples in this section use IPv4 addresses; however, you can substitute IPv6 addresses for the IPv4 addresses in all of the examples.
MIB Object OID Object Values Description copyDestFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.6 1 = flash Specifies the location of destination file. 2 = slot0 3 = tftp • 4 = ftp 5 = scp If copyDestFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. copyDestFileName .1.3.6.1.4.1.6027.3.5.1.1.1.1.7 Path (if the file is not in the default directory) and filename. Specifies the name of destination file. copyServerAddress .1.3.6.1.4.1.6027.3.5.1.1.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index i object-value. To view more information, use the following options in the snmpset command. • -c: View the community, either public or private. • -m: View the MIB files for the SNMP command. • -r: Number of retries using the option • -t: View the timeout. • -v: View the SNMP version (either 1, 2, 2d, or 3). The following examples show the snmpset command to copy a configuration.
The following example shows how to copy configuration files from a UNIX machine using OID. >snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3 SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.8 = INTEGER: 2 Copying the Startup-Config Files to the Server via FTP To copy the startup-config to the server via FTP from the UNIX machine, use the following command.
filename copyDestFileType.index i 3 copyServerAddress.index a server-ip-address copyUserName.index s server-login-id copyUserPassword.index s server-login-password Example of Copying a Binary File From the Server to the Startup-Configuration via FTP > snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.10 i 1 copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.10 s /home/myfilename copyServerAddress.10 a 172.16.1.56 copyUserName.10 s mylogin copyUserPassword.
NOTE: You can use the entire OID rather than the object name. Use the form: OID.index. Examples of Getting MIB Object Values The following examples show the snmpget command to obtain a MIB object value. These examples assume that: • the server OS is UNIX • you are using SNMP version 2c • the community name is public • the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command.
MIB Support to Display the Software Core Files Generated by the System Dell Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 89. MIB Objects for Displaying the Software Core Files Generated by the System MIB Object OID Description chSysSwCoresTable 1.3.6.1.4.1.6027.3.10.1.2.
enterprises.6027.3.10.1.2.10.1.5.1.3 = "vrrp" Hex: 76 72 72 70 enterprises.6027.3.10.1.2.10.1.5.2.1 = "sysd" Hex: 73 79 73 64 The output above displays that the software core files generated by the system. Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object.
To display the ports in a VLAN, send an snmpget request for the object dot1qStaticEgressPorts using the interface index as the instance number, as shown for an S-Series. The following example shows viewing VLAN ports using SNMP with no ports assigned. > snmpget -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.1107787786 SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.
NOTE: Whether adding a tagged or untagged port, specify values for both dot1qVlanStaticEgressPorts and dot1qVlanStaticUntaggedPorts. Example of Adding an Untagged Port to a VLAN using SNMP In the following example, Port 0/2 is added as an untagged member of VLAN 10. >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.
To set time to wait till bgp session are up set 1.3.6.1.4.1.6027.3.18.1.3 and 1.3.6.1.4.1.6027.3.18.1.6 Enabling and Disabling a Port using SNMP To enable and disable a port using SNMP, use the following commands. 1 Create an SNMP community on the Dell system. CONFIGURATION mode snmp-server community 2 From the Dell Networking system, identify the interface index of the port for which you want to change the admin status.
Each object comprises an OID concatenated with an instance number. In the case of these objects, the instance number is the decimal equivalent of the MAC address; derive the instance number by converting each hex pair to its decimal equivalent. For example, the decimal equivalent of E8 is 232, and so the instance number for MAC address 00:01:e8:06:95:ac is. 0.1.232.6.149.172. The value of dot1dTpFdbPort is the port number of the port off which the system learns the MAC address.
the final, unused bit are not given. The interface is physical, so represent this type of interface by a 0 bit, and the unused bit is always 0. These 2 bits are not given because they are the most significant bits, and leading zeros are often omitted. NOTE: The interface index does not change if the interface reloads or fails over. If the unit is renumbered (for any reason) the interface index changes during a reload. To display the interface number, use the following command.
Example of Viewing Status of Learned MAC Addresses If we learn MAC addresses for the LAG, status is shown for those as well. dot3aCurAggVlanId SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.1.1.0.0.0.0.0.1.1 dot3aCurAggMacAddr SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 dot3aCurAggIndex SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 dot3aCurAggStatus SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.
Table 92. List of Syslog Server MIBS that have read access MIB Object OID Object Values Description dF10SysLogTraps 1.3.6.1.4.1.6027.3.30.1.1 1 = reachable2 = unreachable Specifies whether the syslog server is reachable or unreachable. The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost: DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38 SNMPv2-MIB::snmpTrapOID. 0 = OID: SNMPv2SMI::enterprises.6027.3.30.1.1.1 SNMPv2-SMI::enterprises.
52 Stacking Using the Dell Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 6 and it supports stacking up to six units.
• Switch insertion • Switch removal If the master switch goes off line, the standby replaces it as the new master and the switch with the next highest priority or MAC address becomes standby. Stack Master Election The stack elects a master and standby unit at bootup time based on two criteria. • Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0.
Up Time : 33 min, 52 sec Dell Networking OS Version : 1-0(0-5005) Jumbo Capable : yes POE Capable : no FIPS Mode : disabled Burned In MAC : 34:17:eb:f2:83:c4 No Of MACs : 3 -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------------------2 1 up UNKNOWN up 10768 2 2 down UNKNOWN down 0 -- Fan Status -Unit Bay TrayStatus Fan1 Speed Fan2 Speed -----------------------------------------------------------------------------------2 1 up up 100
higher priority configured. This happens because the master and standby have already been elected, hence the unit that boots up late joins only as a member. When an up and running standalone unit or stack is merged with another stack, based on election, the losing stack reloads and the master unit of the winning stack becomes the master of the merged stack. For more details, see sectionsAdd Units to an Existing Stack and Remove a Unit from a Stack.
1 Member not present 2 Member not present 3 Member not present 4 Member not present 5 Member not present 6 Member not present [output omitted] Standalone#show system | grep priority Master priority : 0 -----------STACK BEFORE CONNECTION---------------Stack#show system brief Stack MAC : 00:01:e8:d5:f9:6f -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version --------------------------------------------------0 Standby online S4048-ON S4048-ON 1 Management online 2 Member not present 3 Member not present 4
Supported Stacking Topologies The device supports stacking in a ring or a daisy chain topology. Dell Networking recommends the ring topology when stacking the switches to provide redundant connectivity. Figure 124. Supported Stacking Topologies High Availability on Stacks Stacks have master and standby management units analogous to Dell Networking route processor modules (RPM).
Stack-unit SW Version: 1-0(0-3387) -- Stack-unit Redundancy Configuration ------------------------------------------------Primary Stack-unit: mgmt-id 0 Auto Data Sync: Full Failover Type: Hot Failover Auto reboot Stack-unit: Disabled Auto failover limit: 3 times in 60 minutes -- Stack-unit Failover Record ------------------------------------------------Failover Count: 0 Last failover timestamp: None Last failover Reason: None Last failover type: None -- Last Data Block Sync Record: -----------------------
You can connect two units with two or more stacking cables in case of a stacking port or cable failure. Removal of only one of the cables does not trigger a reset. Important Points to Remember • You can stack up to six systems. • You cannot stack one system with other system types. • You cannot enable stacking and virtual link trunking (VLT) simultaneously on the device. To convert a stacked unit to VLT, see Reconfiguring Stacked Switches as VLT.
3. Stack-group 2 (Ports 9, 10, 11, and 12) 4. Stack-group 3 (Ports 13, 14, 15, and 16) 5. Stack-group 12 (Port 49) 6. Stack-group 14 (Port 51) 7. Stack-group 16 (Port 53) 8. Stack-group 13 (Port 50) 9. Stack-group 15 (Port 52) 10. Stack-group 17 (Port 54) You can connect the units while they are powered down or up. Stacking ports are bi-directional. When a unit is added to a stack, the management unit performs a system check on the new unit to ensure the hardware type is compatible.
EXEC Privilege mode reload Dell Networking OS automatically assigns a number to the new unit and adds it as member switch in the stack. The new unit synchronizes its running and startup configurations with the stack. 4 After the units are reloaded, the system reboots. The units come up in a stack after the reboot completes. To view the port assignments, use the show system stack-unit command.
Example of a Syslog Figure 126. Creating a New Stack In the above example, stack unit 1 is the master management unit, stack unit 2 is the standby unit. The cables are connected to each unit.
5 6 Member Member not present not present -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------------------1 1 up UNKNOWN up 10736 1 2 absent absent 0 2 1 up UNKNOWN up 10768 2 2 down UNKNOWN down 0 3 1 up UNKNOWN up 10672 3 2 absent absent 0 -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -----------------------------------------------------------------------------------1 1 up up 10134 up 10031 1 2 up up 10031 up 9929 1 3
• If you add a unit that has a stack number that conflicts with the stack, the stack assigns the first available stack number. • If the stack has a provision for the stack-number that will be assigned to the new unit, the provision must match the unit type, or Dell Networking OS generates a type mismatch error. After the new unit loads, it synchronizes its running and startup configurations with the stack.
3 4 5 6 Member Standby Member Member not present online not present not present S4048-ON S4048-ON 9-10-0-0 72 Adding a Configured Unit to an Existing Stack To add a configured unit to an existing stack, use the following commands. If a stack unit goes down and is removed from the stack, the logical provisioning configured for that stack-unit number is saved on the master and standby units.
Merge Two Stacks You may merge two stacks while they are powered and online. To merge two stacks, connect one stack to the other using user port cables from the front end user portusing the mini-SAS cables from the stacking ports. • Dell Networking OS selects a master stack manager from the two existing managers based on the priority of the stack. • Dell Networking OS resets all the units in the losing stack; they all become stack members.
Renumbering the stack manager triggers the whole stack to reload, as shown in the message below. When the stack comes back online, the master unit remains the management unit. Dell#stack-unit 2 renumber 1 Renumbering master unit will reload the stack. WARNING: Interface configuration for current unit will be lost! Proceed to renumber [confirm yes/no]: yes Creating a Virtual Stack Unit on a Stack Use virtual stack units to configure ports on the stack before adding a new unit.
FIPS Mode Burned In MAC No Of MACs : disabled : 34:17:eb:f2:94:c4 : 3 -- Power Supplies -Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------------------1 1 up UNKNOWN up 10704 1 2 absent absent 0 -- Fan Status -Unit Bay TrayStatus Fan1 Speed Fan2 Speed -----------------------------------------------------------------------------------1 1 up up 10134 up 10031 1 2 up up 10031 up 10031 1 3 up up 10031 up 10031 Speed in RPM -- Unit 2 -Unit Type : Standby
3 3 1 2 up absent UNKNOWN up absent 10704 0 -- Fan Status -Unit Bay TrayStatus Fan1 Speed Fan2 Speed -----------------------------------------------------------------------------------3 1 up up 10031 up 10031 3 2 up up 9929 up 10031 3 3 up up 10031 up 10134 Speed in RPM Dell# The following is an example of the show system brief command to view the stack summary information.
Influencing Management Unit Selection on a Stack Stack priority is the system variable that Dell Networking OS uses to determine which units in the stack are the master and standby management units. If multiple units tie for highest priority, the unit with the highest MAC address prevails. If management was determined by priority only, a change in management occurs when: • the management unit is powered down or a failover occurs. • you disconnect the management unit from the stack.
• Reload a stack-unit. EXEC Privilege mode • reset stack-unit unit-number Reload a member unit, from the unit itself. EXEC Privilege mode • reset-self Reset a stack-unit when the unit is in a problem state. EXEC Privilege mode reset stack-unit unit-number {hard} Verify a Stack Configuration The light of the LED status indicator on the front panel of the stack identifies the unit’s role in the stack. • Off indicates the unit is a stack member. • The master LED is in OFF state for the standby unit.
Memory Size Temperature Voltage Serial Number Part Number Vendor Id Date Code Country Code Piece Part ID PPID Revision Service Tag Expr Svc Code Auto Reboot Burned In MAC No Of MACs : : : : : : : : : : : : : : : 2147483648 bytes 44C ok H1DL104400018 Rev N/A N/A N/A N/A disabled 00:01:e8:8c:53:32 3 -- Power Supplies -Unit Bay Status Type FanStatus --------------------------------------------Unit Bay Status Type FanStatus --------------------------------------------1 0 absent absent 1 1 up AC up -- Fan St
Removing a Unit from a Stack The running-configuration and startup-configuration are synchronized on all stack units. A stack member that is disconnected from the stack maintains this configuration. To remove a stack member from the stack, disconnect the stacking cables from the unit. You may do this at any time, whether the unit is powered or unpowered, online or offline.
write memory 3 Reload the switch. EXEC Privilege mode reload After the units are reloaded, the system reboots. The units come up as standalone units after the reboot completes. Troubleshoot a Stack To troubleshoot a stack, use the following recovery tasks.
-- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports ----------------------------------------------------------0 Standby card problem S4810 unknown 64 1 Management online S4810 S4810 8-3-10-223 64 2 Member not present 3 Member not present 4 Member not present 5 Member not present 6 Member not present 7 Member not present 8 Member not present 9 Member not present 10 Member not present 11 Member not present -- Power Supplies -Unit Bay Status Type FanStatus -----------------------------------0 0 dow
53 Storm Control Storm control allows you to control unknown-unicast, muticast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports unknown-unicast, muticast, and broadcast control for Layer 2 and Layer 3 traffic. Dell Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
• Configure storm control. • INTERFACE mode Configure the packets per second of broadcast traffic allowed on an interface (ingress only). INTERFACE mode • storm-control broadcast packets_per_second in Configure the packets per second of multicast traffic allowed on C-Series or S-Series interface (ingress only) network only. INTERFACE mode • storm-control multicast packets_per_second in Shut down the port if it receives the PFC/LLFC packets more than the configured rate.
54 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell Networking OS.
• Enabling Spanning Tree Protocol Globally Related Configuration Tasks • Adding an Interface to the Spanning Tree Group • Modifying Global Parameters • Modifying Interface STP Parameters • Enabling PortFast • Prevent Network Disruptions with BPDU Guard • STP Root Guard • Enabling SNMP Traps for Root Elections and Topology Changes • Configuring Spanning Trees as Hitless Important Points to Remember • STP is disabled by default.
Configuring Interfaces for Layer 2 Mode All interfaces on all switches that participate in spanning tree must be in Layer 2 mode and enabled. Figure 127. Example of Configuring Interfaces for Layer 2 Mode To configure and enable the interfaces for Layer 2, use the following command. 1 If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2 Place the interface in Layer 2 mode. INTERFACE switchport 3 Enable the interface.
Example of the show config Command To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode. Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 no ip address switchport no shutdown Dell(conf-if-te-1/1)# Enabling Spanning Tree Protocol Globally Enable the spanning tree protocol globally; it is not enabled by default.
Figure 128. Spanning Tree Enabled Globally To enable STP globally, use the following commands. 1 Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2 Enable STP. PROTOCOL SPANNING TREE mode no disable Examples of Verifying Spanning Tree Information To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Root Port is 289 (TenGigabitEthernet 2/1), cost of root path is 4 Topology change flag not set, detected flag not set Number of topology changes 3 last change occurred 0:16:11 ago from TenGigabitEthernet 2/3 Timers: hold 1, topology change 35 hello 2, max age 20, forward delay 15 Times: hello 0, topology change 0, notification 0, aging Normal Port 289 (TenGigabitEthernet 2/1) is Forwarding Port path cost 4, Port priority 8, Port Identifier 8.289 Designated root has priority 32768, address 0001.e80d.
Table 94.
The default values are listed in Modifying Global Parameters. To change the port cost or priority of an interface, use the following commands. • Change the port cost of an interface. INTERFACE mode spanning-tree 0 cost cost The range is from 0 to 65535. • The default values are listed in Modifying Global Parameters. Change the port priority of an interface. INTERFACE mode spanning-tree 0 priority priority-value The range is from 0 to 15. The default is 8.
Prevent Network Disruptions with BPDU Guard Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/ Edgport (edgeports) do not expect to receive BDPUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
– Disabling global spanning tree (the no spanning-tree in CONFIGURATION mode). Figure 129. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. drops the BPDU after it reaches the RP and generates a console message.
Interface IP-Address OK Method Status Protocol TenGigabitEthernet 1/7 unassigned YES Manual up up Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command.
the BPDU is ignored and the port on Switch C transitions from a forwarding to a root-inconsistent state (shown by the green X icon). As a result, Switch A becomes the root bridge. Figure 130. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis.
– 0: enables root guard on an STP-enabled port assigned to instance 0. – mstp: enables root guard on an MSTP-enabled port. – rstp: enables root guard on an RSTP-enabled port. – pvst: enables root guard on a PVST-enabled port. To disable STP root guard on a port or port-channel interface, use the no spanning-tree 0 rootguard command in an interface configuration mode.
As shown in the following illustration (STP topology 2, upper right), a loop can also be created if the forwarding port on Switch B becomes busy and does not forward BPDUs within the configured forward-delay time. As a result, the blocking port on Switch C transitions to a forwarding state, and both Switch A and Switch C transmit traffic to Switch B (STP topology 2, lower right).
• Loop guard is supported on any STP-enabled port or port-channel interface. • Loop guard is supported on a port or port-channel in any spanning tree mode: – Spanning Tree Protocol (STP) – Rapid Spanning Tree Protocol (RSTP) – Multiple Spanning Tree Protocol (MSTP) – Per-VLAN Spanning Tree Plus (PVST+) • You cannot enable root guard and loop guard at the same time on an STP port.
55 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell Networking device. For more information on SmartScripts, see Dell Networking Open Automation guide. Figure 132.
• Configuring SupportAssist Person • Configuring SupportAssist Server • Viewing SupportAssist Configuration Configuring SupportAssist Using a Configuration Wizard You are guided through a series of queries to configure SupportAssist. The generated commands are added to the running configuration, including the DNS resolve commands, if configured. This command starts the configuration wizard for the SupportAssist. At any time, you can exit by entering Ctrl-C. If necessary, you can skip some data entry.
involve international transfers of data from you to Dell and/or to Dells affiliates, subcontractors or business partners. When making such transfers, Dell shall ensure appropriate protection is in place to safeguard the Collected Data being transferred in connection with SupportAssist. If you are downloading SupportAssist on behalf of a company or other legal entity, you are further certifying to Dell that you have appropriate authority to provide this consent on behalf of that entity.
support-assist activity {full-transfer} start now Dell#support-assist activity full-transfer start now Configuring SupportAssist Activity SupportAssist Activity mode allows you to configure and view the action-manifest file for a specific activity. To configure SupportAssist activity, use the following commands. 1 Move to the SupportAssist Activity mode for an activity. Allows you to configure customized details for a specific activity.
SUPPORTASSIST ACTIVITY mode action-manifest show {all} Dell(conf-supportassist-act-full-transfer)#action-manifest show all Dell(conf-supportassist-act-full-transfer)# 6 Enable a specific SupportAssist activity. SUPPORTASSIST ACTIVITY mode [no] enable Dell(conf-supportassist-act-full-transfer)#enable Dell(conf-supportassist-act-full-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
[no] contact-person [first ] last Dell(conf-supportassist)#contact-person first john last doe Dell(conf-supportassist-pers-john_doe)# 2 Configure the email addresses to reach the contact person. SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] Dell(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com Dell(conf-supportassist-pers-john_doe)# 3 Configure phone numbers of the contact person.
[no] enable Dell(conf-supportassist-serv-default)#enable Dell(conf-supportassist-serv-default)# 4 Configure the URL to reach the SupportAssist remote server. SUPPORTASSIST SERVER mode [no] url uniform-resource-locator Dell(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm Dell(conf-supportassist-serv-default)# Viewing SupportAssist Configuration To view the SupportAssist configurations, use the following commands.
show eula-consent {support-assist | other feature} Dell#show eula-consent SupportAssist EULA has been: Accepted Additional information about the SupportAssist EULA is as follows: By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
56 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings. The Dell Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Following conventions established by the telephone industry [BEL86], the accuracy of each server is defined by a number called the stratum, with the topmost level (primary servers) assigned as one and each level downwards (secondary servers) in the hierarchy assigned as one greater than the preceding level. Dell Networking OS synchronizes with a time-serving host to get the correct time. You can set Dell Networking OS to poll specific NTP time-serving hosts for the current time.
Figure 133. NTP Fields Implementation Information Dell Networking systems can only be an NTP client. Configure the Network Time Protocol Configuring NTP is a one-step process. • Enabling NTP Related Configuration Tasks • Configuring NTP Broadcasts • Disabling NTP on an Interface • Configuring a Source IP Address for NTP Packets (optional) Enabling NTP NTP is disabled by default. To enable NTP, specify an NTP server to which the Dell Networking system synchronizes.
Examples of Viewing System Clock To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. R6_E300(conf)#do show ntp status Clock is synchronized, stratum 2, reference is 192.168.1.1 frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279 reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009) clock offset is 997.529984 msec, root delay is 0.00098 sec root dispersion is 10.04271 sec, peer dispersion is 10032.
CONFIGURATION mode ntp source interface Enter the following keywords and slot/port or number information: – For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. – For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. – For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. – For a port channel interface, enter the keywords port-channel then a number.
ntp server [vrf] {hostname | ipv4-address |ipv6-address} [ key keyid] [prefer] [version number] Configure the IP address of a server and the following optional parameters: • – vrf-name : Enter the name of the VRF through which the NTP server is reachable. – hostname : Enter the keyword hostname to see the IP address or host name of the remote device. – ipv4-address : Enter an IPv4 address in dotted decimal format (A.B.C.D).
NOTE: • Leap Indicator (sys.leap, peer.leap, pkt.leap) — This is a two-bit code warning of an impending leap second to be inserted in the NTP time scale. The bits are set before 23:59 on the day of insertion and reset after 00:00 on the following day. This causes the number of seconds (rollover interval) in the day of insertion to be increased or decreased by one.
Dell Networking OS Time and Date You can set the time and date using the Dell Networking OS CLI. Configuration Task List The following is a configuration task list for configuring the time and date settings.
– offset: enter one of the following: * a number from 1 to 23 as the number of hours in addition to UTC for the timezone. * a minus sign (-) then a number from 1 to 23 as the number of hours.
To set a recurring daylight saving time, use the following command. • Set the clock to the appropriate timezone and adjust to daylight saving time every year. CONFIGURATION mode clock summer-time time-zone recurring start-week start-day start-month start-time end-week end-day end-month end-time [offset] – time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output.
7 2009" to "Summer time starts 02:00:00 Pacific Sun Mar 8 2009;Summer time ends 02:00:00 pacific Sun Nov 1 2009" System Time and Date 915
57 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel destination 90.1.1.1 tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.
interface TenGigabitEthernet 1/1 ip address 20.1.1.1/24 ipv6 address 20:1::1/64 no shutdown Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1 Dell(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1 Dell(conf-if-tu-1)#tunnel source 40.1.1.1 Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any Dell(conf-if-tu-1)#no shutdown Dell(conf-if-tu-1)#show config ! interface Tunnel 1 ip unnumbered TenGigabitEthernet 1/1 ipv6 unnumbered TenGigabitEthernet 1/1 tunnel source 40.1.1.
no shutdown Tunneling 919
58 Uplink Failure Detection (UFD) Uplink failure detection (UFD) provides detection of the loss of upstream connectivity and, if used with network interface controller (NIC) teaming, automatic recovery from a failed link. Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity.
• In Step C, UFD on S1 disables the link to the server. The server then stops using the link to S1 and switches to using its link to S2 to send traffic upstream to R1. Figure 134. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group.
protection or recovery procedures they have in place to establish alternate connectivity paths, as shown in the following illustration. Figure 135. Uplink Failure Detection Example If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state.
– If you assign a port channel as an upstream interface, the port channel interface enters a Link-Down state when the number of port-channel member interfaces in a Link-Up state drops below the configured minimum number of members parameter. • If one of the upstream interfaces in an uplink-state group goes down, either a user-configurable set of downstream ports or all the downstream ports in the group are put in an Operationally Down state with an UFD Disabled error.
NOTE: Downstream interfaces in an uplink-state group are put into a Link-Down state with an UFD-Disabled error message only when all upstream interfaces in the group go down. To revert to the default setting, use the no downstream disable links command. 4 (Optional) Enable auto-recovery so that UFD-disabled downstream ports in the uplink-state group come up when a disabled upstream port in the group comes back up.
Example of Syslog Messages Before and After Entering the clear ufd-disable uplink-state-group Command (S50) The following example message shows the Syslog messages that display when you clear the UFD-Disabled state from all disabled downstream interfaces in an uplink-state group by using the clear ufd-disable uplink-state-group groupid command. All downstream interfaces return to an operationally up state.
• If a downstream interface in an uplink-state group is disabled (Oper Down state) by uplink-state tracking because an upstream port is down, the message error-disabled[UFD] displays in the output. Display the current configuration of all uplink-state groups or a specified group. EXEC mode or UPLINK-STATE-GROUP mode (For EXEC mode) show running-config uplink-state-group [group-id] (For UPLINK-STATE-GROUP mode) show configuration – group-id: The values are from 1 to 16.
0 packets, 0 bytes 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 0 packets, 0 bytes, 0 underruns 0 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts, 0 Unicasts 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seco
description Testing UFD feature downstream disable links 2 downstream TenGigabitEthernet 1/1-2,5,9,11-12 upstream TenGigabitEthernet 1/3-4 Dell(conf-uplink-state-group-3)# Dell(conf-uplink-state-group-3)#exit Dell(conf)#exit Dell# 00:13:06: %STKUNIT0-M:CP %SYS-5-CONFIG_I: Configured from console by console Dell# show running-config uplink-state-group ! uplink-state-group 3 description Testing UFD feature downstream disable links 2 downstream TenGigabitEthernet 1/1-2,5,9,11-12 upstream TenGigabitEthernet 1/3
59 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • On the web: http://www.dell.
60 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 portbased VLANs and one default VLAN, as specified in IEEE 802.1Q.
Default VLAN When you configure interfaces for Layer 2 mode, they are automatically placed in the Default VLAN as untagged interfaces. Only untagged interfaces can belong to the Default VLAN. The following example displays the outcome of placing an interface in Layer 2 mode. To configure an interface for Layer 2 mode, use the switchport command.
the network. The following example shows the structure of a frame with a tag header. The VLAN ID is inserted in the tag header. Figure 136. Tagged Frame Format The tag header contains some key information that Dell Networking OS uses: • • The VLAN protocol identifier identifies the frame as tagged according to the IEEE 802.1Q specifications (2 bytes). Tag control information (TCI) includes the VLAN ID (2 bytes total). The VLAN ID can have 4,096 values, but two are reserved.
Example of Verifying a Port-Based VLAN To view the configured VLANs, use the show vlan command in EXEC Privilege mode. Dell#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 3 4 5 6 Status Inactive Active Active Active Active Active Q U U U T U U U Ports So 9/4-11 Te 1/1,18 Te 1/2,19 Te 1/3,20 Po 1 Te 1/12 So 9/0 Assigning Interfaces to a VLAN You can only assign interfaces in Layer 2 mode to a VLAN using the tagged and untagged commands.
Dell#config Dell(conf)#interface vlan 4 Dell(conf-if-vlan)#tagged po 1 Dell(conf-if-vlan)#show conf ! interface Vlan 4 no ip address tagged Port-channel 1 Dell(conf-if-vlan)#end Dell#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM Status Q * 1 Inactive 2 Active T T 3 Active T T 4 Active T Ports Po1(So 0/0-1) Te 1/1 Po1(So 0/0-1) Te 1/2 Po1(So 0/0-1) When you remove a tagged interface from a VLAN (using the no tagged interface command), it remains tagged only if it is a tagged interface in another VL
Dell(conf)#interface vlan 4 Dell(conf-if-vlan)#untagged tengigabitethernet 1/2 Dell(conf-if-vlan)#show config ! interface Vlan 4 no ip address untagged TenGigabitEthernet 1/2 Dell(conf-if-vlan)#end Dell#show vlan Codes: * - Default VLAN, G - GVRP VLANs NUM * 1 2 3 4 Status Q Inactive Active T T Active T T Active U Ports Po1(So 0/0-1) Te 1/3 Po1(So 0/0-1) Te 1/1 Te 1/2 The only way to remove an interface from the Default VLAN is to place the interface in Default mode by using the no switchport command in
NOTE: You cannot configure an existing switchport or port channel interface for Native VLAN. Interfaces must have no other Layer 2 or Layer 3 configurations when using the portmode hybrid command or a message similar to this displays: % Error: Port is in Layer-2 mode Gi 5/6. To configure a port so that it can be a member of an untagged and tagged VLANs, use the following commands. 1 Remove any Layer 2 or Layer 3 configurations from the interface. INTERFACE mode 2 Configure the interface for Hybrid mode.
61 VLT Proxy Gateway The virtual link trucking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discover protocol (LLDP) method or the static configuration. For more information, see the Dell Networking OS Command Line Reference Guide.
For more information about eVLT, refer to the Virtual Link Trunking (VLT) chapter. The core or Layer 3 routers C and D in local VLT Domain and C1 and D1 in the remote VLT Domain are then part of a Layer 3 cloud. Figure 137. Sample Configuration for a VLT Proxy Gateway Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable a VLT proxy gateway: • • Proxy gateway is supported only for VLT; for example, across a VLT domain.
• If the port-channel specified in the proxy-gateway command is not a VLT LAG, the configuration is rejected by the CLI. • You cannot change the VLT LAG to a legacy LAG when it is part of proxy-gateway. • You cannot change the link layer discovery protocol (LLDP) port channel interface to a legacy LAG when you enable a proxy gateway. • Dell Networking recommends the vlt-peer-mac transmit command only for square VLTs without diagonal links.
The LLDP organizational TLV passes local destination MAC address information to peer VLT domain devices so they can act as a proxy gateway. To enable proxy gateway LLDP, two configurations are required: • You must configure the global proxy gateway LLDP to enable the proxy-gateway LLDP TLV. • You must configure the interface proxy gateway LLDP to enable or disable a proxy-gateway LLDP TLV on specific interfaces. • The interface is typically a VLT port-channel that connects to a remote VLT domain.
• LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down, rebooting, or the port physical link connection is down). Figure 138. Sample Configuration for a VLT Proxy Gateway • The above figure shows a sample VLT Proxy gateway scenario. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing with the VLT Proxy Gateway LLDP method.
Sample Configuration LLDP Method Dell(conf-vlt-domain)#proxy-gateway ll Dell(conf-vlt-domain-pxy-gw-lldp)#peer-domain-link port-channel 1 exclude-vlan 10 Sample Configuration Static Method Dell(conf-vlt-domain)#proxy-gateway static Dell(conf-vlt-domain-pxy-gw-static)#remote-mac-address exclude-vlan 10 • Packet duplication may happen with “Exclude-VLAN” configuration – Assume you used the exclude-vlan option (called VLAN 10) in C and D and in C1 and D1; If packets for VLAN 10 with C’s MA
62 Virtual Link Trunking (VLT) Virtual link trunking (VLT) allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). Overview VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches and supporting a loop-free topology.
The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP). Figure 139. Example of VLT Deployment VLT on Core Switches Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-toend Layer 2 multipathing.
Enhanced VLT An enhanced VLT (eVLT) configuration creates a port channel between two VLT domains by allowing two different VLT domains, using different VLT domain ID numbers, connected by a standard link aggregation control protocol (LACP) LAG to form a loop-free Layer 2 topology in the aggregation layer. This configuration supports a maximum of four switches, increasing the number of available ports and allowing for dual redundancy of the VLT.
ensures that local traffic on a chassis does not traverse the VLTi and takes the shortest path to the destination via directly attached links. Configure Virtual Link Trunking VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches. Important Points to Remember • You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior occurs. Refer to VLT and Stacking.
these ARP requests reach Peer1, while the remaining half reach Peer2 (because of LAG hashing). The reason for this behavior is that Peer1 ignores the ARP requests that it receives on VLTi (ICL) and updates only the ARP requests that it receives on the local VLT. As a result, the remaining ARP requests still points to the Non-VLT links and traffic does not reach half of the hosts.
– MAC addresses for VLANs configured across VLT peer chassis are synchronized over the VLT interconnect on an egress port such as a VLT LAG. MAC addresses are the same on both VLT peer nodes. – ARP entries configured across the VLTi are the same on both VLT peer nodes. – If you shut down the port channel used in the VLT interconnect on a peer switch in a VLT domain in which you did not configure a backup link, the switch’s role displays in the show vlt brief command output as Primary instead of Standalone.
port in Hybrid mode so that it can carry untagged, single-tagged, and double-tagged traffic, use the portmode hybrid command in Interface Configuration mode as described in Configuring Native VLANs. * • For example, if the DHCP server is on the ToR and VLTi (ICL) is down (due to either an unavailable peer or a link failure), whether you configured the VLT LAG as static or LACP, when a single VLT peer is rebooted in BMP mode, it cannot reach the DHCP server, resulting in BMP failure.
or whether the remote peer has failed entirely. If the remote peer is still alive (heartbeat messages are still being received), the VLT secondary switch disables its VLT port channels. If keepalive messages from the peer are not being received, the peer continues to forward traffic, assuming that it is the last device available in the network.
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) reaches below threshold. Bandwidth usage (74 )VLT show remote port channel status VLT and Stacking You cannot enable stacking on the units with VLT.
PIM-Sparse Mode Support on VLT The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources. Figure 141.
domain. This does not apply to server-side L2 VLT ports because they do not connect to any PIM routers. These VLT ports can be members of multiple PIM-enabled L3 VLANs for compatibility with IGMP. To route traffic to and from the multicast source and receiver, enable PIM on the L3 side connected to the PIM router using the ip pim sparse-mode command. Each VLT peer runs its own PIM protocol independently of other VLT peers.
NOTE: If the CAM is full, do not enable peer-routing. NOTE: The peer routing and peer-routing-timeout is applicable for both IPv6/ IPv4. Configuring VLT Unicast To enable and configure VLT unicast, follow these steps. 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id 2 Enable peer-routing. VLT DOMAIN mode peer-routing 3 Configure the peer-routing timeout.
Configuring VLT Multicast To enable and configure VLT multicast, follow these steps. 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id 2 Enable peer-routing. VLT DOMAIN mode peer-routing 3 Configure the multicast peer-routing timeout. VLT DOMAIN mode multicast peer-routing—timeout value value: Specify a value (in seconds) from 1 to 1200. 4 Configure a PIM-SM compatible VLT node as a designated router (DR).
Preventing Forwarding Loops in a VLT Domain During the bootup of VLT peer switches, a forwarding loop may occur until the VLT configurations are applied on each switch and the primary/secondary roles are determined. To prevent the interfaces in the VLT interconnect trunk and RSTP-enabled VLT ports from entering a Forwarding state and creating a traffic loop in a VLT domain, take the following steps.
Configuring VLT To configure VLT, use the following procedure. Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration. For VRRP operation, ensure that you configure VRRP groups and L3 routing on each VLT peer as described in VLT and VRRP interoperability in the Configuration Notes section.
Enabling VLT and Creating a VLT Domain To enable VLT and create a VLT domain, use the following steps. 1 Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode. CONFIGURATION mode vlt domain domain-id The domain ID range is from 1 to 1000. Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain.
Configuring a VLT Backup Link To configure a VLT backup link, use the following command. 1 Specify the management interface to be used for the backup link through an out-of-band management network. CONFIGURATION mode interface managementethernet slot/port Enter the slot (0-1) and the port (0). 2 Configure an IPv4 address (A.B.C.D) or IPv6 address (X:X:X:X::X) and mask (/x) on the interface.
CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2 After you configure a VLT domain on each peer switch and connect (cable) the two VLT peers on each side of the VLT interconnect, the system elects a primary and secondary VLT peer device. To configure the primary and secondary roles before the election process, use the primary-priority command. Enter a lower value on the primary peer and a higher value on the secondary peer.
INTERFACE PORT-CHANNEL mode switchport 4 Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 5 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Ensure that the port channel is active.
CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command in the Enabling VLT and Creating a VLT Domain. 2 Add one or more port interfaces to the port channel. INTERFACE PORT-CHANNEL mode channel-member interface interface: specify one of the following interface types: 3 • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information.
Use this command to minimize the time required for the VLT system to determine the unit ID assigned to each peer switch when one peer switch reboots. 8 Configure enhanced VLT. Configure the port channel to be used for the VLT interconnect on a VLT switch and enter interface configuration mode. CONFIGURATION mode interface port-channel id-number Enter the same port-channel number configured with the peer-link port-channel command in the Enabling VLT and Creating a VLT Domain.
3 You can configure LACP/static LAG between the peer units (not shown). CONFIGURATION mode interface port-channel port-channel id NOTE: To benefit from the protocol negotiations, Dell Networking recommends configuring VLTs used as facing hosts/ switches with LACP. Ensure both peers use the same port channel ID. 4 Configure the peer-link port-channel in the VLT domains of each peer unit.
1. You can configure the LACP/static LAG between the peer units (not shown). 2. Configure the peer-link port-channel in the VLT domains of each peer unit. Dell-2(conf)#interface port-channel Dell-2(conf-if-po-1)#channel-member Dell-4(conf)#interface port-channel Dell-4(conf-if-po-1)#channel-member 1 TenGigabitEthernet 1/4-1/7 1 TenGigabitEthernet 1/4-1/7 Configure the backup link between the VLT peer units. 1.
! no ip address port-channel-protocol LACP port-channel 100 mode active no shutdown s60-1#show running-config interface tengigabitethernet 1/30 ! interface TenGigabitEthernet 1/30 no ip address ! port-channel-protocol LACP port-channel 100 mode active no shutdown s60-1#show running-config interface port-channel 100 ! interface Port-channel 100 no ip address switchport no shutdown s60-1#show interfaces port-channel 100 brief Codes: L - LACP Port-channel L LAG 100 Mode L2 Status up Uptime 03:33:48 Port
PVST+ Configuration PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. Run PVST+ on both VLT peer switches. A PVST+ instance is created for every VLAN configured in the system. PVST+ instances running in the Primary Peer control the VLT-LAGs on both Primary and Secondary peers.
eVLT Configuration Example The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 fist, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Figure 142. eVLT Configuration Example eVLT Configuration Step Examples In Domain 1, configure the VLT domain and VLTi on Peer 1. Domain_1_Peer1#configure Domain_1_Peer1(conf)#interface port-channel 1 Domain_1_Peer1(conf-if-po-1)# channel-member TenGigabitEthernet 1/8-1/9 Domain_1_Peer1(conf)#vlt domain 1000 Domain_1_Peer1(conf-vlt-domain)# peer-link port-channel 1 Domain_1_Peer1(conf-vlt-domain)# back-up destination 10.16.130.
Configure eVLT on Peer 2. Domain_1_Peer2(conf)#interface port-channel 100 Domain_1_Peer2(conf-if-po-100)# switchport Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer2(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 2.
PIM-Sparse Mode Configuration Example The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT. Examples of Configuring PIM-Sparse Mode The following example shows how to enable PIM multicast routing on the VLT node globally.
EXEC mode • show vlt role Display the current configuration of all VLT domains or a specified group on the switch. EXEC mode • show running-config vlt Display statistics on VLT operation. EXEC mode • show vlt statistics Display the RSTP configuration on a VLT peer switch, including the status of port channels used in the VLT interconnect trunk and to connect to access devices. EXEC mode • show spanning-tree rstp Display the current status of a port or port-channel interface used in the VLT domain.
Version Local System MAC address Remote System MAC address Remote system version Delay-Restore timer : : : : : 6(3) 00:01:e8:8a:e9:91 00:01:e8:8a:e9:76 6(3) 90 seconds Delay-Restore Abort Threshold Peer-Routing Peer-Routing-Timeout timer Multicast peer-routing timeout Dell# : : : : 60 seconds Disabled 0 seconds 150 seconds The following example shows the show vlt detail command.
HeartBeat Messages Received: 986 ICL Hello's Sent: 148 ICL Hello's Received: 98 Dell_VLTpeer2# show vlt statistics VLT Statistics ---------------HeartBeat Messages Sent: HeartBeat Messages Received: ICL Hello's Sent: ICL Hello's Received: 994 978 89 89 The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2.
Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi). Dell_VLTpeer1(conf)#vlt domain 999 Dell_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35 Dell_VLTpeer1(conf-vlt-domain)#exit Configure the backup link. Dell_VLTpeer1(conf)#interface ManagementEthernet 1/1 Dell_VLTpeer1(conf-if-ma-1/1)#ip address 10.11.206.
Configure the port channel to an attached device. Dell_VLTpeer2(conf)#interface port-channel 110 Dell_VLTpeer2(conf-if-po-110)#no ip address Dell_VLTpeer2(conf-if-po-110)#switchport Dell_VLTpeer2(conf-if-po-110)#channel-member fortyGigE 1/53 Dell_VLTpeer2(conf-if-po-110)#no shutdown Dell_VLTpeer2(conf-if-po-110)#vlt-peer-lag port-channel 110 Dell_VLTpeer2(conf-if-po-110)#end Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description Behavior at Peer Up Behavior During Run Time Action to Take commands to view the VLT port channel status information. All VLT port channels go down on both VLT peers. A syslog error message is generated. No traffic is passed on the port channels. Spanning tree mismatch at port level A syslog error message is generated. A one-time informational syslog message is generated. Correct the spanning tree configuration on the ports.
Specifying VLT Nodes in a PVLAN You can configure VLT peer nodes in a private VLAN (PVLAN). VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization. Because the VLT LAG interfaces are terminated on two different nodes, PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN.
information is synchronized with the other peer and VLTi is either added or removed from the VLAN based on the validation of the VLAN parity. For VLT VLANs, the association between primary VLAN and secondary VLANs is examined on both the peers. Only if the association is identical on both the peers, VLTi is configured as a member of those VLANs. This behavior is because of security functionalities in a PVLAN.
Interoperation of VLT Nodes in a PVLAN with ARP Requests When an ARP request is received, and the following conditions are applicable, the IP stack performs certain operations. • The VLAN on which the ARP request is received is a secondary VLAN (community or isolated VLAN). • Layer 3 communication between secondary VLANs in a private VLAN is enabled by using the ip local-proxy-arp command in INTERFACE VLAN configuration mode.
VLT LAG Mode Peer1 Promiscuous PVLAN Mode of VLT VLAN Peer2 Promiscuous Peer1 Peer2 • • Primary X Primary X ICL VLAN Membership Mac Synchronization Yes Yes Primary Primary Yes Yes - Secondary (Community) - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary (Community) Secondary (Community) Yes Yes - Primary VLAN X - Primary VLAN
Enter the same port-channel number configured with the peer-link port-channel command as described in Enabling VLT and Creating a VLT Domain. NOTE: To be included in the VLTi, the port channel must be in Default mode (no switchport or VLAN assigned). 2 Remove an IP address from the interface. INTERFACE PORT-CHANNEL mode no ip address 3 Add one or more port interfaces to the port channel.
switchport mode private-vlan {host | promiscuous | trunk} • • • 5 host (isolated or community VLAN port) promiscuous (intra-VLAN communication port) trunk (inter-switch PVLAN hub port) Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces. CONFIGURATION mode interface vlan vlan-id 6 Enable the VLAN. INTERFACE VLAN mode no shutdown 7 To obtain maximum VLT resiliency, configure the PVLAN IDs and mappings to be identical on both the VLT peer nodes.
the ARP-requested IP address is different from the received interface IP subnet. For example, if you configure VLAN 100 and 200 on the VLT peers, and if you configured the VLAN 100 IP address as 10.1.1.0/24 and you configured the VLAN 200 IP address as 20.1.1.0/24, the proxy ARP is not performed if the VLT node receives an ARP request for 20.1.1.0/24 on VLAN 100. Working of Proxy ARP for VLT Peer Nodes Proxy ARP is enabled only when you enable peer routing on both the VLT peers.
You can configure a VLT node to be an RP using the ip pim rp-address command in Global Configuration mode. When you configure a VLT node as an RP, the (*, G) routes that are synchronized from the VLT peers are ignored and not downloaded to the device. For the (S, G) routes that are synchronized from the VLT peer, after the RP starts receiving multicast traffic via these routes, these (S, G) routes are considered valid and are downloaded to the device.
Dell#show running-config vlt ! vlt domain 1 peer-link port-channel 1 back-up destination 10.16.151.
G - GVRP tagged, M - Vlan-stack i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged NUM 50 Status Active Description Dell# Q M M V Ports Po10(Te 1/8) Po20(Te 1/12) Po1(Te 1/30-32) Sample Configuration of VLAN-Stack Over VLT (Peer 2) Configure the VLT domain Dell(conf)#vlt domain 1 Dell(conf-vlt-domain)#peer-link port-channel 1 Dell(conf-vlt-domain)#back-up destination 10.16.151.
! interface Vlan 50 vlan-stack compatible member Port-channel 10,20 shutdown Dell# Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN Dell#show vlan id 50 Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C Community, I - Isolated O - Openflow Q: U - Untagged, T - Tagged x - Dot1x untagged, X - Dot1x tagged o - OpenFlow untagged, O - OpenFlow tagged G - GVRP tagged, M - Vlan-stack i - Internal untagged, I - Internal tagged, v - VLT u
Synchronization of IPv6 ND Entries in a VLT Domain Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT V6 VLAN and neighbor discovery protocol monitor (NDPM) entries synchronization between VLT nodes is performed. The VLT V6 VLAN information must synchronize with peer VLT node. Therefore, both the VLT nodes are aware of the VLT VLAN information associated with the peers.
another node, Node A, and Unit2 is linked to a node, Node C. When an NS traverses from Unit2 to Node B(ToR) and a corresponding NA reaches Unit1 because of LAG hashing, this NA is tunneled to Unit 2 along with some control information. The control information present in the tunneled NA packet is processed in such a way so that the ingress port is marked as the link from Node B to Unit 2 rather than pointing to ICL link through which tunneled NA arrived. Figure 143.
the VLT nodes is Layer 2. Servers or hosts that are connected to the ToR (Node B) generate Layer 3 control/data traffic from the South or lower-end of the vertically-aligned network. Figure 144. Sample Configuration of IPv6 Peer Routing in a VLT Domain Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR.
Neighbor Advertisement from Non-VLT Hosts Consider a situation in which NA for VLT node1 reaches VLT node1 on a non-VLT interface and NA for VLT node1 reaches VLT node2 on a non-VLT interface. When VLT node1 receives NA on a VLT interface, it learns the Host MAC address on the received interface. This learned neighbor entry is synchronized to VLT node2 as it is learned on ICL.
When VLT node receives traffic from north bound intended to the non-VLT host, it does neighbor entry lookup and routes traffic to VLT interface. If traffic reaches wrong VLT peer, it routes the traffic over ICL. Non-VLT host to Non-VLT host traffic flow When VLT node receives traffic from non-VLT host intended to the non-VLT host, it does neighbor entry lookup and routes traffic over ICL interface. If traffic reaches wrong VLT peer, it routes the traffic over ICL.
63 Virtual Extensible LAN (VXLAN) Virtual Extensible LAN (VXLAN) is supported on Dell Networking OS. Overview The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology where in the data traffic from the virtualized servers is transparently transported over an existing legacy network. Figure 145.
Components of VXLAN network VXLAN provides a mechanism to extend an L2 network over an L3 network. In short, VXLAN is an L2 overlay scheme over an L3 network and this overlay is termed as a VXLAN segment.
Functional Overview of VXLAN Gateway The following section is the functional overview of VXLAN Gateway: 1. Provides connectivity between a Virtual server infrastructure and a Physical server infrastructure. 2. Provides the functions performed by a VTEP in a virtual server infrastructure. The functions of a VTEP are: • VTEP is responsible for creating one or more logical networks.
Outer IP Header: Outer UDP Header: VXLAN Header : Frame Check Sequence (FCS): • Destination Address: Generally, it is a first hop router's MAC address when the VTEP is on a different address. • Source Address : It is the source MAC address of the router that routes the packet. • VLAN: It is optional in a VXLAN implementation and will be designated by an ethertype of 0×8100 and has an associated VLAN ID tag. • Ethertype: It is set to 0×0800 because the payload packet is an IPv4 packet.
Figure 147. Create Hypervisor Figure 148. Edit Hypervisor Figure 149. Create Transport Connector 2.
To create service node, the required fields are the IP address and SSL certificate of the server. The Service node is responsible for broadcast/unknown unicast/multicast traffic replication. The following is the snapshot of the user interface for the creation of service node: Figure 150. Create Service Node 3. Create VXLAN Gateway To create a VXLAN L2 Gateway, the IP address of the Gateway is mandatory. The following is the snapshot of the user interface in creating a VXLAN Gateway Figure 151.
A logical switch port provides a logical connection point for a VM interface (VIF) and a L2 gateway connection to an external network. It binds the virtual access ports in the GW to logical network (VXLAN) and VLAN. Figure 153. Create Logical Switch Port NOTE: For more details about NVP controller configuration, refer to the NVP user guide from VMWare . Configuring VxLAN Gateway To configure the VxLAN gateway on the switch, follow these steps: 1. Connecting to NVP controller 2.
6 fail-mode (Optional) VxLAN INSTANCE mode fail-mode secure If the local VTEP loses connectivity with the controller, it will delete all its database and hardware flows/resources. 7 no shut VxLAN INSTANCE mode Advertising VXLAN Access Ports to Controller To advertise the access ports to the controller, use the following command. In INTERFACE mode, vxlan-instance command configures a VXLAN-Access Port into a VXLAN-instance.
The following example shows the show vxlan vxlan-instance physical-locator command. Dell#show vxlan vxlan-instance 1 physical-locator Instance : 1 Tunnel : count 1 36.1.1.1 : vxlan_over_ipv4 (up) The following example shows the show vxlan vxlan-instance unicast-mac-local command.
Te 0/80: VLAN: 0 (0x80000001), Fo 0/124: VLAN: 0 (0x80000004), The following example shows the show vxlan vxlan-instance statistics interface command. Dell#show vxlan vxlan-instance 1 statistics interface fortyGigE 0/124 100 Port : Fo 0/124 Vlan : 100 Rx Packets : 13 Rx Bytes : 1317 Tx Packets : 13 Tx Bytes : 1321 The following example shows the show vxlan vxlan-instance physical-locator command. Dell#show vxlan vxlan-instance 1 physical-locator Instance : 1 Tunnel : count 1 36.1.1.
VT * * * * * * - Vxlan Tunnel LocalAddr 1.0.1.1 3.3.3.3 3.3.3.3 3.3.3.3 3.3.3.3 3.3.3.3 RemoteAddr 1.0.1.2 192.168.122.135 192.168.122.136 192.168.122.137 192.168.122.138 192.168.122.
64 Virtual Routing and Forwarding (VRF) Virtual Routing and Forwarding (VRF) allows a physical router to partition itself into multiple Virtual Routers (VRs). The control and data plane are isolated in each VR so that traffic does NOT flow across VRs.Virtual Routing and Forwarding (VRF) allows multiple instances of a routing table to co-exist within the same router at the same time. VRF Overview VRF improves functionality by allowing network paths to be segmented without using multiple devices.
Figure 154. VRF Network Example VRF Configuration Notes Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Table 97. Software Features Supported on VRF Feature/Capability Support Status for Default VRF Support Status for Non-default VRF Configuration rollback for commands introduced or modified Yes No LLDP protocol on the port Yes No 802.
Feature/Capability Support Status for Default VRF Support Status for Non-default VRF sFlow Yes No VRRP on physical and logical interfaces Yes Yes VRRPV3 Yes Yes Secondary IP Addresses Yes No Following IPv6 capabilities No Basic Yes No OSPFv3 Yes Yes IS-IS Yes Yes BGP Yes Yes ACL Yes No Multicast Yes No NDP Yes Yes RAD Yes Yes Ingress/Egress Storm-Control (perinterface/global) Yes No DHCP DHCP requests are not forwarded across VRF instances.
Creating a Non-Default VRF Instance VRF is enabled by default on the switch and supports up to 64 VRF instances: 1 to 63 and the default VRF (0). • Create a non-default VRF instance by specifying a name and VRF ID number, and enter VRF configuration mode. CONFIGURATION ip vrf vrf-name vrf-id The VRF ID range is from 1 to 63. 0 is the default VRF ID. Assigning an Interface to a VRF You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.
View VRF Instance Information To display information about VRF configuration, enter the show ip vrf command. To display information on all VRF instances (including the default VRF 0), do not enter a value for vrf-name. • Display the interfaces assigned to a VRF instance. EXEC show ip vrf [vrf-name] Assigning an OSPF Process to a VRF Instance OSPF routes are supported on all VRF instances. SeeOpen Shortest Path First (OSPFv2) for complete OSPF configuration information.
Task Command Syntax Command Mode ip vrf forwarding vrf1 ip address 10.1.1.1/24 ! vrrp-group 10 virtual-address 10.1.1.100 no shutdown View VRRP command output for the VRF vrf1 show vrrp vrf vrf1 -----------------TenGigabitEthernet 1/13, IPv4 VRID: 10, Version: 2, Net: 10.1.1.1 VRF: 2 vrf1 State: Master, Priority: 100, Master: 10.1.1.
• ipv6 address — Configure IPv6 address on an interface NOTE: The command line help still displays relevant details corresponding to each of these commands. However, these interface range or interface group commands are not supported when Management VRF is configured. Configuring a Static Route • Configure a static route that points to a management interface.
Figure 156. Setup VRF Interfaces The following example relates to the configuration shown in the above illustrations. Router 1 ip vrf blue 1 ! ip vrf orange 2 ! ip vrf green 3 ! interface TenGigabitEthernet no ip address switchport no shutdown ! interface TenGigabitEthernet ip vrf forwarding blue ip address 10.0.0.1/24 no shutdown ! interface TenGigabitEthernet ip vrf forwarding orange ip address 20.0.0.
ip address 30.0.0.1/24 no shutdown ! interface Vlan 128 ip vrf forwarding blue ip address 1.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 192 ip vrf forwarding orange ip address 2.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.1/24 tagged TenGigabitEthernet 3/1 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.1 network 1.0.0.0/24 area 0 network 10.0.0.0/24 area 0 ! router ospf 2 vrf orange router-id 2.0.0.
! interface Vlan 256 ip vrf forwarding green ip address 3.0.0.2/24 tagged TenGigabitEthernet 3/1 no shutdown ! router ospf 1 vrf blue router-id 1.0.0.2 network 11.0.0.0/24 area 0 network 1.0.0.0/24 area 0 passive-interface TenGigabitEthernet 2/1 ! router ospf 2 vrf orange router-id 2.0.0.2 network 21.0.0.0/24 area 0 network 2.0.0.0/24 area 0 passive-interface TenGigabitEthernet 2/2 ! ip route vrf green30.0.0.0/24 3.0.0.1 ! The following shows the output of the show commands on Router 1.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set C C O Destination ----------2.0.0.0/24 20.0.0.0/24 21.0.0.0/24 Gateway ------Direct, Vl 192 Direct, Te 1/2 via 2.0.0.
C O C Destination ----------1.0.0.0/24 10.0.0.0/24 11.0.0.0/24 Gateway ------Direct, Vl 128 via 1.0.0.
Dynamic Route Leaking Route Leaking is a powerful feature that enables communication between isolated (virtual) routing domains by segregating and sharing a set of services such as VOIP, Video, and so on that are available on one routing domain with other virtual domains. Inter-VRF Route Leaking enables a VRF to leak or export routes that are present in its RTM to one or more VRFs.
ip route-export 1:1 3 Configure VRF-red. ip vrf vrf-red interface-type slot/port[/subport] ip vrf forwarding VRF-red ip address ip—address mask A non-default VRF named VRF-red is created and the interface is assigned to this VRF. 4 Configure the import target in VRF-red. ip route-import 1:1 5 Configure the export target in VRF-red. ip route-export 2:2 6 Configure VRF-blue.
ip route-export ip route-import ip route-import 1:1 2:2 3:3 Show routing tables of all the VRFs (without any route-export and route-import tags being configured) Dell# show ip route vrf VRF-Red O 11.1.1.1/32 via 111.1.1.1 110/0 C 111.1.1.0/24 Direct, Te 1/11 0/0 00:00:10 22:39:59 Dell# show ip route vrf VRF-Blue O 22.2.2.2/32 via 122.2.2.2 110/0 00:00:11 C 122.2.2.0/24 Direct, Te 1/12 0/0 Dell# show ip route vrf VRF-Green O 33.3.3.3/32 via 133.3.3.3 00:00:11 C 133.3.3.
• • • • • • If the target VRF conatins the same prefix as either the sourced or Leaked route from some other VRF, then route Leaking for that particular prefix fails and the following error-log is thrown. SYSLOG (“Duplicate prefix found %s in the target VRF %d”, address, import_vrf_id) with The type/level is EVT_LOGWARNING. The source routes always take precedence over leaked routes. The leaked routes are deleted as soon as routes are locally learnt by the VRF using other means.
This action specifies that the route-map contains OSPF and BGP as the matching criteria for exporting routes from vrf-red. 4 Configure the export target in the source VRF with route-map export_ospfbgp_protocol. ip route-export 1:1 export_ospfbgp_protocol 5 Configure VRF-blue. ip vrf vrf-blue interface-type slot/port[/subport] ip vrf forwarding VRF-blue ip address ip—address mask A non-default VRF named VRF-blue is created and the interface 1/22 is assigned to it.
to some other VRF. Similarly, when two VRFs leak or export routes, there is no option to discretely filter leaked routes from each source VRF. Meaning, you cannot import one set of routes from VRF-red and another set of routes from VRF-blue.
65 Virtual Router Redundancy Protocol (VRRP) Virtual router redundancy protocol (VRRP) is designed to eliminate a single point of failure in a statically routed network. VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN).
Figure 157. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. Endstation connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
Table 99. Recommended VRRP Advertise Intervals Recommended Advertise Interval Groups/Interface Total VRRP Groups Groups/Interface Less than 250 1 second 12 Between 250 and 450 2–3 seconds 24 Between 450 and 600 3–4 seconds 36 Between 600 and 800 4 seconds 48 Between 800 and 1000 5 seconds 84 Between 1000 and 1200 7 seconds 100 Between 1200 and 1500 8 seconds 120 VRRP Configuration By default, VRRP is not configured.
no vrrp-group vrid Examples of Configuring and Verifying VRRP The following examples how to configure VRRP. Dell(conf)#interface tengigabitethernet 1/1 Dell(conf-if-te-1/1)#vrrp-group 111 Dell(conf-if-te-1/1-vrid-111)# The following examples how to verify the VRRP configuration. Dell(conf-if-te-1/1)#show conf ! interface TenGigabitEthernet 1/1 ip address 10.10.10.
2. Set the master switch to VRRP protocol version 3. Dell_master_switch(conf-if-te-1/1-vrid-100)#version 3 3. Set the backup switches to version 3. Dell_backup_switch1(conf-if-te-1/1-vrid-100)#version 3 Dell_backup_switch2(conf-if-te-1/2-vrid-100)#version 3 Assign Virtual IP addresses Virtual routers contain virtual IP addresses configured for that VRRP group (VRID). A VRRP group does not transmit VRRP packets until you assign the Virtual IP address to the VRRP group.
Examples of the Configuring and Verifying a Virtual IP Address The following example shows how to configure a virtual IP address. Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.1 Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.2 Dell(conf-if-te-1/1-vrid-111)#virtual-address 10.10.10.3 The following example shows how to verify a virtual IP address configuration. NOTE: In the following example, the primary IP address and the virtual IP addresses are on the same subnet.
priority priority The range is from 1 to 255. The default is 100. Examples of the priority Command Dell(conf-if-te-1/2)#vrrp-group 111 Dell(conf-if-te-1/2-vrid-111)#priority 125 To verify the VRRP group priority, use the show vrrp command. Dellshow vrrp -----------------TenGigabitEthernet 1/1, VRID: 111, Net: 10.10.10.1 State: Master, Priority: 255, Master: 10.10.10.
The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password. Dell(conf-if-te-1/1-vrid-111)#show conf ! vrrp-group 111 authentication-type simple 7 387a7f2df5969da4 priority 255 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 Disabling Preempt The preempt command is enabled by default.
If are using VRRP version 2, you must configure the timer values in multiple of whole seconds. For example a timer value of 3 seconds or 300 centisecs are valid and equivalent. However, a time value of 50 centisecs is invalid because it not a multiple of 1 second. If you are using VRRP version 3, you must configure the timer values in multiples of 25 centisecs. If you are configured for VRRP version 2, the timer values must be in multiples of whole seconds.
Owner router (priority 255), tracking for that group is disabled, irrespective of the state of the tracked interfaces. The priority of the owner group always remains at 255. For a virtual group, you can track the line-protocol state or the routing status of any of the following interfaces with the interface interface parameter: • • • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information.
vrrp-group 111 advertise-interval 10 authentication-type simple 7 387a7f2df5969da4 no preempt priority 255 track TenGigabitEthernet 1/2 virtual-address 10.10.10.1 virtual-address 10.10.10.2 virtual-address 10.10.10.3 virtual-address 10.10.10.10 The following example shows verifying the tracking status.
Setting VRRP Initialization Delay When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Figure 158. VRRP for IPv4 Topology Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#interface tengigabitethernet 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1 State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#interface tengigabitethernet 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.2/24 R3(conf-if-te-3/21)#vrrp-group 99 R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
10.1.1.3 Authentication: (none) Figure 159. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
R2(conf-if-te-1/1-vrid-10)#virtual-address fe80::10 R2(conf-if-te-1/1-vrid-10)#virtual-address 1::10 R2(conf-if-te-1/1-vrid-10)#no shutdown R2(conf-if-te-1/1)#show config interface TenGigabitEthernet 1/1 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default-vrf State: Master, Priority: 100, Master: fe80::201:e
VRRP in a VRF: Non-VLAN Scenario The following example shows how to enable VRRP in a non-VLAN. The following example shows a typical use case in which you create three virtualized overlay networks by configuring three VRFs in two switches. The default gateway to reach the Internet in each VRF is a static route with the next hop being the virtual IP address configured in VRRP. In this scenario, a single VLAN is associated with each VRF.
Figure 160. VRRP in a VRF: Non-VLAN Example Example of Configuring VRRP in a VRF on Switch-1 (Non-VLAN) Switch-1 S1(conf)#ip vrf default-vrf 0 ! S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 1/1 S1(conf-if-te-1/1)#ip vrf forwarding VRF-1 S1(conf-if-te-1/1)#ip address 10.10.1.5/24 S1(conf-if-te-1/1)#vrrp-group 11 % Info: The VRID used by the VRRP group 11 in VRF 1 will be 177.
S1(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.5 S1(conf-if-te-1/3)#no shutdown Dell#show vrrp tengigabitethernet 2/8 -----------------TenGigabitEthernet 2/8, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 0 default State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 119, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.
VRRP in VRF: Switch-1 VLAN Configuration Switch-1 S1(conf)#ip vrf VRF-1 1 ! S1(conf)#ip vrf VRF-2 2 ! S1(conf)#ip vrf VRF-3 3 ! S1(conf)#interface TenGigabitEthernet 1/1 S1(conf-if-te-1/1)#no ip address S1(conf-if-te-1/1)#switchport S1(conf-if-te-1/1)#no shutdown ! S1(conf-if-te-1/1)#interface vlan 100 S1(conf-if-vl-100)#ip vrf forwarding VRF-1 S1(conf-if-vl-100)#ip address 10.10.1.
VRRP in VRF: Switch-2 VLAN Configuration Switch-2 S2(conf)#ip vrf VRF-1 1 ! S2(conf)#ip vrf VRF-2 2 ! S2(conf)#ip vrf VRF-3 3 ! S2(conf)#interface TenGigabitEthernet 1/1 S2(conf-if-te-1/1)#no ip address S2(conf-if-te-1/1)#switchport S2(conf-if-te-1/1)#no shutdown ! S2(conf-if-te-1/1)#interface vlan 100 S2(conf-if-vl-100)#ip vrf forwarding VRF-1 S2(conf-if-vl-100)#ip address 10.10.1.
VRF: 2 vrf2 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.100 Authentication: (none) VRRP for IPv6 Configuration This section shows VRRP IPv6 topology with CLI configurations. Consider an example VRRP for IPv6 configuration in which the IPv6 VRRP group consists of two routers. Figure 161.
NOTE: This example does not contain comprehensive directions and is intended to provide guidance for only a typical VRRP configuration. You can copy and paste from the example to your CLI. Be sure you make the necessary changes to support your own IP addresses, interfaces, names, and so on.
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0 Virtual MAC address: 00:00:5e:00:02:0a Virtual IP address: 1::10 fe80::10 Dell#show vrrp tengigabitethernet 0/0 TenGigabitEthernet 0/0, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76 VRF: 0 default State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed Hold Down: 0 centisec, Pree
Dell#show vrrp vrf vrf2 port-channel 1 Port-channel 1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76 VRF: 2 vrf2 State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0 Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80::255 Virtual Router Redundancy Protocol (VRRP) 1048
66 Debugging and Diagnostics This chapter describes debugging and diagnostics for the device. Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels: • Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
EXEC Privilege mode show system brief 3 Start diagnostics on the unit. diag stack-unit stack-unit-number When the tests are complete, the system displays the following message and automatically reboots the unit. Dell#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt Diags completed...
Dell#Jan 16 02:22:46: %S4810:0 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 1 00:06:47 : Approximate time to complete the Diags ... 13 Mins The following example shows the diag command (stack member).
Test Test Test Test Test Test Test Test Test Test Test Test Test Test Test 4.001 - Board Fan Status Test .................................. 4.002 - Board Fan Status Test .................................. 4.003 - Board Fan Status Test .................................. 4 - Board Fan Status Test ..................................... 5 - Fan Tray Air Flow Status Test ............................. 6.000 - TMP75A-CPU ............................................. 6.001 - TMP75B-MAC .............................
Using the Show Hardware Commands The show hardware command tree consists of commands used with the system. These commands display information from a hardware sub-component and from hardware-based feature tables. NOTE: Use the show hardware commands only under the guidance of the Dell Technical Assistance Center. The following lists the show hardware commands available as of the latest Dell Networking OS version.
EXEC Privilege mode • show hardware stack-unit {1–6} unit {0-1} details Execute a specified bShell command from the CLI without going into the bShell. EXEC Privilege mode • show hardware stack-unit {1–6} unit {0-1} execute-shell-cmd {command} View the Multicast IPMC replication table from the bShell. EXEC Privilege mode • show hardware stack-unit {1–6} unit {0-1} ipmc-replication View the internal statistics for each port-pipe (unit) on per port basis.
QSFP 52 Bias High Alarm threshold QSFP 52 RX Power High Alarm threshold QSFP 52 Temp Low Alarm threshold QSFP 52 Voltage Low Alarm threshold QSFP 52 Bias Low Alarm threshold QSFP 52 RX Power Low Alarm threshold =================================== QSFP 52 Temp High Warning threshold QSFP 52 Voltage High Warning threshold QSFP 52 Bias High Warning threshold QSFP 52 RX Power High Warning threshold QSFP 52 Temp Low Warning threshold QSFP 52 Voltage Low Warning threshold QSFP 52 Bias Low Warning threshold QSFP 5
2. Check air flow through the system. Ensure that the air ducts are clean and that all fans are working correctly. 3. After the software has determined that the temperature levels are within normal limits, you can re-power the card safely. To bring back the line card online, use the power-on command in EXEC mode. In addition, to control airflow for adequate system cooling, Dell Networking requires that you install blanks in all slots without a line card.
OID String OID Name Description .1.3.6.1.4.1.6027.3.27.1.6 dellNetFpStatsPerCOSTable View the forwarding plane statistics containing the packet buffer statistics per COS per port. Buffer Tuning Buffer tuning allows you to modify the way your switch allocates buffers from its available memory and helps prevent packet drops during a temporary burst of traffic. The application-specific integrated circuit (ASICs) implement the key functions of queuing, feature lookups, and forwarding lookups in hardware.
• Dynamic Cell Limit Per port = 59040/29 = 2036 cells Figure 162. Buffer Tuning Points Deciding to Tune Buffers Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is bursty (and coming from several interfaces). In this case: • Reduce the dedicated buffer on all queues/interfaces.
• Change the maximum number of dynamic buffers an interface can request. BUFFER PROFILE mode • buffer dynamic Change the number of packet-pointers per queue. BUFFER PROFILE mode • buffer packet-pointers Apply the buffer profile to a line card. CONFIGURATION mode • buffer fp-uplink linecard Apply the buffer profile to a CSF to FP link.
The following example shows viewing the buffer profile allocations. Dell#show running-config interface tengigabitethernet 2/1 ! interface TenGigabitEthernet 2/1 no ip address mtu 9252 switchport no shutdown buffer-policy myfsbufferprofile The following example shows viewing the default buffer profile on an interface. Dell#show buffer-profile detail interface tengigabitethernet 1/10 Interface Te 1/10 Buffer-profile fsqueue-fp Dynamic buffer 1256.
Similarly, when you configure buffer-profile global, you cannot not apply a buffer profile on any single interface. A message similar to the following displays: % Error: Global pre-defined buffer profile already applied. Failed to apply user-defined buffer profile on interface Te 1/1. Please remove global predefined buffer profile. To apply a predefined buffer profile, use the following command. • Apply one of the pre-defined buffer profiles for all port pipes in the system.
• • • • • • show hardware buffer-stats-snapshot resource interface interface{priority-group { id | all } | queue { ucast{id | all}{ mcast {id | all} | all} show hardware drops interface interface clear hardware stack-unit stack-unit-number counters clear hardware stack-unit stack-unit-number unit 0-1 counters clear hardware stack-unit stack-unit-number cpu data-plane statistics clear hardware stack-unit stack-unit-number cpu party-bus statistics Displaying Drop Counters To display drop counters, use the f
L2MC Drops PKT Drops of ANY Conditions Hg MacUnderflow TX Err PKT Counter --- Error counters--Internal Mac Transmit Errors Unknown Opcodes Internal Mac Receive Errors : : : : 0 0 0 0 : 0 : 0 : 0 Dell#show hardware stack-unit 1 drops UNIT No: 1 Total Total Total Total Total Ingress Drops IngMac Drops Mmu Drops EgMac Drops Egress Drops : : : : : 6804353 0 124904297 0 0 Dell#show hardware stack-unit 1 drops unit 0 UserPort PortNumber Egress Drops 1 1 0 0 2 2 0 0 3 3 0 0 4 4 0 0 5 5 0 0 6 6 0 0 7 7 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 49 49 49 52 52 52 52 53 53 53 53 26 0 0 0 27 0 0 0 28 0 0 0 29 0 0 0 30 0 0 0 31 0 0 0 32 0 0 0 33 0 0 0 34 0 0 0 35 0 0 0 36 0 0 0 37 0 0 0 38 0 0 0 39 0 0 0 40 0 0
54/1 0 72 0 0 0 53 0 0 0 57 4659499 0 0 0 0 0 0 0 71 0 0 0 0 0 0 0 70 0 0 0 0 0 0 0 69 0 54/2 54/3 54/4 Internal Internal Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. The show hardware stack-unit cpu party-bus statistics command displays input and output statistics on the party bus, which carries inter-process communication traffic between CPUs.
txPkt(COS11) txPkt(UNIT0) :0 :0 Example of Viewing Party Bus Statistics Dell#sh hardware stack-unit 1 cpu party-bus statistics Input Statistics: 27550 packets, 2559298 bytes 0 dropped, 0 errors Output Statistics: 1649566 packets, 1935316203 bytes 0 errors Display Stack Port Statistics The show hardware stack-unit stack-port command displays input and output statistics for a stack-port interface.
RX RX RX RX RX RX RX RX RX RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - Multicast Packet Counter Broadcast Frame Counter Byte Counter Control frame counter PAUSE frame counter Oversized frame counter Jabber frame counter VLAN tag frame counter Double VLAN tag frame counter RUNT frame counter Fragment counter VLAN tagged packets 64 Byte Frame Counter 64 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter
RX RX RX RX RX RX RX RX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX TX - PAUSE frame counter Oversized frame counter Jabber frame counter VLAN tag frame counter Double VLAN tag frame counter RUNT frame counter Fragment counter VLAN tagged packets 64 Byte Frame Counter 64 to 127 Byte Frame Counter 128 to 255 Byte Frame Counter 256 to 511 Byte Frame Counter 512 to 1023 Byte Frame Counter 1024 to 1518 Byte Frame Counter 1519 to 1522 Byte Good VLAN Frame Counter 1519 to 2047 Byte Fram
RX - PFC Frame Priority 1 RX - PFC Frame Priority 2 RX - PFC Frame Priority 3 RX - PFC Frame Priority 4 RX - PFC Frame Priority 5 RX - PFC Frame Priority 6 RX - PFC Frame Priority 7 RX - Debug Counter 0 RX - Debug Counter 1 RX - Debug Counter 2
0024dee8 : 0024d9c4 : 002522b0 : 0026a8d0 : 0026a00c : ----------------STACK TRACE END-----------------------------------FREE MEMORY--------------uvmexp.free = 0x2312 Enabling TCP Dumps A TCP dump captures CPU-bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dump, it captures all the packets on the local CPU, as specified in the CLI.
67 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
MTU 9,252 bytes RFC and I-D Compliance Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard. General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 103. General Internet Protocols RFC# Full Name Z-Series S-Series 768 User Datagram Protocol 7.6.
General IPv4 Protocols The following table lists the Dell Networking OS support per platform for general IPv4 protocols. Table 104. General IPv4 Protocols R F C # Full Name Z-Series S-Series 7 Internet Protocol 91 7.6.1 7 9 2 Internet Control Message Protocol 7.6.1 8 2 6 An Ethernet Address Resolution Protocol 7.6.1 1 0 2 7 Using ARP to Implement Transparent Subnet Gateways 7.6.1 1 0 3 5 DOMAIN NAMES IMPLEMENTATION AND SPECIFICATION (client) 7.6.
R F C # Full Name Z-Series S-Series 18 Requirements for 12 IP Version 4 Routers 7.6.1 21 Dynamic Host 31 Configuration Protocol 7.6.1 2 3 3 8 Virtual Router Redundancy Protocol (VRRP) 7.6.1 3 Using 31-Bit 0 Prefixes on IPv4 21 Point-to-Point Links 7.7.1 3 0 4 6 DHCP Relay Agent Information Option 7.8.1 3 0 6 9 VLAN Aggregation for Efficient IP Address Allocation 7.8.1 31 Protection Against 2 a Variant of the 8 Tiny Fragment Attack 7.6.
RFC Full Name # Z-Series S-Series (IPv6) Specification 246 2 (Par tial) IPv6 Stateless Address Autoconfigura tion 7.8.1 246 Transmission 4 of IPv6 Packets over Ethernet Networks 7.8.1 267 IPv6 5 Jumbograms 7.8.1 271 1 8.3.12.0 IPv6 Router Alert Option 358 IPv6 Global 7 Unicast Address Format 7.8.1 400 IPv6 Scoped 7 Address Architecture 8.3.12.0 429 Internet 1 Protocol Version 6 (IPv6) Addressing Architecture 7.8.
Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support per platform for BGP protocols. Table 106. Border Gateway Protocol (BGP) RFC# Full Name S-Series/Z-Series 1997 BGP ComAmtturnibituitees 7.8.1 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 2439 BGP Route Flap Damping 7.8.1 2545 Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing 2796 BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) 7.8.
Intermediate System to Intermediate System (IS-IS) The following table lists the Dell Networking OS support per platform for IS-IS protocol. Table 108.
Multicast The following table lists the Dell Networking OS support per platform for Multicast protocol. Table 110. Multicast RFC# Full Name Z-Series S-Series 1112 Host Extensions for IP Multicasting 7.8.1 2236 Internet Group Management Protocol, Version 2 7.8.1 3376 Internet Group Management Protocol, Version 3 7.8.1 3569 An Overview of SourceSpecific Multicast (SSM) 7.8.
RFC# Full Name S4810 1724 RIP Version 2 MIB Extension 1850 OSPF Version 2 Management Information Base 7.6.1 1901 Introduction to Community-based SNMPv2 7.6.1 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2 7.6.1 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2 7.6.1 2013 SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2 7.6.
RFC# Full Name S4810 3635 Definitions of Managed Objects for the Ethernetlike Interface Types 7.6.1 2674 Definitions of Managed Objects for Bridges with Traffic Classes, Multicast Filtering and Virtual LAN Extensions 7.6.1 2787 Definitions of Managed Objects for the Virtual Router Redundancy Protocol 7.6.1 2819 Remote Network Monitoring Management Information Base: Ethernet Statistics Table, Ethernet History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table 7.6.
RFC# Full Name S4810 isisSysObject (top level scalar objects) isisISAdjTable isisISAdjAreaAddrTable isisISAdjIPAddrTable isisISAdjProtSuppTable draft-ietf-netmod-interfaces-cfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. 9.2(0.0) IEEE 802.1AB Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. 7.7.1 IEEE 802.
RFC# Full Name S4810 FORCE10-PRODUCTS-MIB Force10 Product Object Identifier MIB 7.6.1 FORCE10-SS-CHASSIS-MIB Force10 S-Series Enterprise Chassis MIB 7.6.1 FORCE10-SMI Force10 Structure of Management Information 7.6.1 FORCE10-SYSTEM-COMPONENTMIB Force10 System Component MIB (enables the user 7.6.1 to view CAM usage information) FORCE10-TC-MIB Force10 Textual Convention 7.6.1 FORCE10-TRAP-ALARM-MIB Force10 Trap Alarm MIB 7.6.