Dell EMC Configuration Guide for the S4048T–ON System 9.14.2.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents (excerpt; page numbers omitted)
1 About this Guide
Audience
Conventions
Removing a Command from EXEC Mode
Moving a Command from EXEC Privilege Mode to EXEC Mode
Allowing Access to CONFIGURATION Mode Commands
Allowing Access to Different Modes
Enabling 802.1X
Configuring Request Identity Re-Transmissions
Configuring a Quiet Period after a Failed Authentication
Configuration Task List for Prefix Lists
ACL Remarks
Configuring a Remark
Prerequisite for configuring a BGP network
Restrictions
Enabling BGP
11 Control Plane Policing (CoPP)
Configure Control Plane Policing
Configuring CoPP for Protocols
Configuring CoPP for CPU Queues
Sample DCB Configuration
13 Dynamic Host Configuration Protocol (DHCP)
DHCP Packet Format and Options
Assign an IP Address using DHCP
Modifying the ECMP Group Threshold
RTAG7
Flow-based Hashing for ECMP
18 GARP VLAN Registration Protocol (GVRP)
Configure GVRP
Enabling GVRP Globally
Interface Types
View Basic Interface Information
Resetting an Interface to its Factory Default State
Enabling Link Dampening
Link Bundle Monitoring
Using Ethernet Pause Frames for Flow Control
Enabling UDP Helper
Configuring a Broadcast Address
Configurations Using UDP Helper
Configuring Detection and Ports for Dell Compellent Arrays
Synchronizing iSCSI Sessions Learned on VLT-Lags with VLT-Peer
Enable and Disable iSCSI Optimization
Default iSCSI Optimization Values
28 Layer 2
Manage the MAC Address Table
Clearing the MAC Address Table
Relevant Management Objects
30 Microsoft Network Load Balancing
Configuring a Switch for NLB
Enabling a Switch for Multicast NLB
Enable Multiple Spanning Tree Globally
Adding and Removing Interfaces
Creating Multiple Spanning Tree Instances
Tracking a Layer 2 Interface
Tracking a Layer 3 Interface
Track an IPv4/IPv6 Route
39 PIM Sparse-Mode (PIM-SM)
Implementation Information
Protocol Overview
Requesting Multicast Traffic
Inspecting the Private VLAN Configuration
43 Per-VLAN Spanning Tree Plus (PVST+)
Protocol Overview
Implementation Information
Guidelines for Configuring ECN for Classifying and Color-Marking Packets
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
Sample configuration to mark non-ecn packets as “yellow” with single traffic class
Enabling Buffer Statistics Tracking
Configuration Task List for Privilege Levels
RADIUS
RADIUS Authentication
Debugging VLAN Stacking
VLAN Stacking in Multi-Vendor Networks
VLAN Stacking Packet Drop Precedence
Enabling Drop Eligibility
Copy Configuration Files Using SNMP
Copying a Configuration File
Copying Configuration Files via SNMP
53 Stacking
Stacking Overview
Stack Management Roles
Stack Master Election
Enabling PortFast
Prevent Network Disruptions with BPDU Guard
Selecting STP Root
How Uplink Failure Detection Works
UFD and NIC Teaming
Important Points to Remember
Dell-2 Switch Configuration
R1 Configuration
Access Switch A1 Configurations and Verification
Disabling MAC Address Learning on Static VXLAN Tunnels
Preserving 802.1p value across VXLAN tunnels
VXLAN Scenario
Routing in and out of VXLAN tunnels
Running Offline Diagnostics
Trace Logs
Auto Save on Crash or Rollover
Configuring OCSP responder preference
Verifying certificates
Verifying Server certificates
1 About this Guide
This guide describes the protocols and features the Dell EMC Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. For complete information about all the CLI commands, see the Dell EMC Command Line Reference Guide for your system. The S4048–ON platform is available with Dell EMC Networking OS version 9.7(0.1) and beyond. S4048–ON stacking is supported with Dell EMC Networking OS version 9.7(0.1) and beyond.
2 Configuration Fundamentals
The Dell EMC Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
ROUTER OSPF
ROUTER OSPFV3
ROUTER RIP
SPANNING TREE
SUPPORTASSIST
TRACE-LIST
VLT DOMAIN
VRRP
UPLINK STATE GROUP
uBoot
Navigating CLI Modes
The Dell EMC Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command, which takes you directly to EXEC Privilege mode, and the exit command, which moves you up one command mode level.
CLI Command Mode | Prompt | Access Command
EXTENDED ACCESS-LIST (IP ACCESS-LIST Modes) | DellEMC(config-ext-nacl)# | ip access-list extended
IP COMMUNITY-LIST | DellEMC(config-community-list)# | ip community-list
AUXILIARY (LINE Modes) | DellEMC(config-line-aux)# | line
CONSOLE (LINE Modes) | DellEMC(config-line-console)# | line
VIRTUAL TERMINAL (LINE Modes) | DellEMC(config-line-vty)# | line
STANDARD ACCESS-LIST (MAC ACCESS-LIST Modes) | DellEMC(config-std-macl)# | mac access-list standard
EXTENDED ACCESS-LIST De
CLI Command Mode | Prompt | Access Command
MONITOR SESSION | DellEMC(conf-mon-sesssessionID)# | monitor session
OPENFLOW INSTANCE | DellEMC(conf-of-instance-ofid)# | openflow of-instance
PORT-CHANNEL FAILOVER-GROUP | DellEMC(conf-po-failover-grp)# | port-channel failover-group
PRIORITY GROUP | DellEMC(conf-pg)# | priority-group
PROTOCOL GVRP | DellEMC(config-gvrp)# | protocol gvrp
QOS POLICY | DellEMC(conf-qos-policy-outets)# | qos-policy-output
SUPPORTASSIST | DellEMC(support-assist)# | support-assist
VLT DOMAIN
Undoing Commands
When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter no followed by the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
NOTE: Use the help or ? command as described in Obtaining Help.
• Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters.
• The TAB key auto-completes keywords in commands. Enter the minimum number of letters to uniquely identify a command.
• show run | grep ethernet does not return that search result because it only searches for instances containing a noncapitalized “ethernet.”
• show run | grep Ethernet ignore-case returns instances containing both “Ethernet” and “ethernet.”
The grep command displays only the lines containing the specified text. The following example shows this command used in combination with the show system brief command.
3 Getting Started
This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) and then loads the Dell EMC Networking Operating System. Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption. When the boot process completes, the system status LEDs remain online (green) and the console monitor displays the EXEC mode prompt.
Accessing the Console Port
To access the console port, follow these steps. For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter.
1. Install an RJ-45 copper cable into the console port. Use a rollover (crossover) cable to connect the console port to a terminal server.
2. Connect the other end of the cable to the DTE terminal server.
3.
Executing Local CLI Scripts Using an SSH Connection
You can execute CLI commands by entering a CLI script in one of the following ways:
ssh username@hostname
or
cat <CLIscript.file> | ssh admin@hostname
The script is run and the actions contained in the script are performed. Keep the following points in mind when you establish an SSH session to the device to run commands or script files:
• There is an upper limit of 10 concurrent sessions in SSH.
CONFIGURATION mode
interface ManagementEthernet slot/port
2. Assign an IP address to the interface.
INTERFACE mode
ip address ip-address/mask
• ip-address: an address in dotted-decimal format (A.B.C.D).
• mask: a subnet mask in /prefix-length format (/xx).
3. Enable the interface.
INTERFACE mode
no shutdown
Configure a Management Route
Define a path from the system to the network from which you are accessing the system remotely.
With dynamic-salt configured, a type 5 secret is 32 characters longer and a type 7 password is 16 characters longer than the same secret or password without dynamic-salt. An error message appears if the username command reaches its maximum length of 256 characters. Dynamic-salt support for the user configuration is also available through the REST API. For more information on REST support, see the Dell EMC Networking Open Automation Guide.
Location: SCP server
source-file-url syntax (for a remote file location): copy scp://{hostip | hostname}/filepath/filename
destination-file-url syntax: scp://{hostip | hostname}/filepath/filename
Important Points to Remember
• You may not copy a file from one remote system to another.
• You may not copy a file from one location to the same location.
• When copying to a server, you can only use a hostname if a domain name server (DNS) server is configured.
Example of Copying a File to the Current File System
DellEMC#copy tftp://10.16.127.35/dv-maa-test nfsmount://
Destination file name [dv-maa-test]:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!
44250499 bytes successfully copied
DellEMC#
DellEMC#copy ftp://10.16.127.35 nfsmount:
Source file name []: test.
• Save the running-configuration to an SCP server.
EXEC Privilege mode
copy running-config scp://{hostip | hostname}/filepath/filename
NOTE: When copying to a server, a host name can only be used if a DNS server is configured.
NOTE: When you load the startup configuration or a configuration file from a network server such as TFTP to the running configuration, the configuration is added to the running configuration. This does not replace the existing running configuration.
Example of the show running-config Command
DellEMC#show running-config
Current Configuration ...
! Version 9.4(0.0)
! Last configuration change at Tue Mar 11 21:33:56 2014 by admin
! Startup-config last updated at Tue Mar 11 12:11:00 2014 by default
!
Uncompressed Compressed shutdown tagged te 1/1 ! no ip address interface TenGigabitEthernet 1/34 shutdown ip address 2.1.1.1/16 ! shutdown interface Vlan 1000 ! ip address 1.1.1.1/16 interface Vlan 2 no shutdown no ip address ! no shutdown ! Compressed config size – 27 lines.
copy compressed-config
Copy one file, after optimizing and reducing the size of the configuration file, to another location. Dell EMC Networking OS supports IPv4 and IPv6 addressing for FTP, TFTP, and SCP (in the hostip field).
Managing the File System
The Dell EMC Networking system can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere.
For a particular target where VRF is enabled, the show output is similar to the following:
Feature    State
-----------------------
VRF        Enabled
View Command History
The command-history trace feature captures all commands entered by all users of the system with a time stamp and writes these messages to a dedicated trace log buffer. The system generates a trace message for each executed command. No password information is saved to the file.
DellEMC(conf)#service timestamps log uptime
DellEMC# show command-history
- Repeated 1 time.
[May 17 10:20:37]: CMD-(CLI):[configure]by default from console
- Repeated 1 time.
3. Run the verify {md5 | sha256} [flash://]img-file [hash-value] command. For example:
verify sha256 flash://FTOS-SE-9.5.0.0.bin
4. Compare the generated hash value to the expected hash value published on the iSupport page.
To validate the software image on the flash drive after the image is transferred to the system, but before you install the image, use the verify {md5 | sha256} [flash://]img-file [hash-value] command in EXEC mode.
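The same check can be done on the workstation before the image is ever copied to flash, which catches a corrupted or substituted download early. The script below is an added example, not code from the Dell EMC guide: it computes the MD5 or SHA-256 digest of a file the way the verify command does on the switch, normalizes a hash pasted from a support page (any case, optional trailing file name), and compares it with a constant-time comparison. The file name, file contents and hash values in demo() are constructed for the demonstration and are not a real image.

```python
"""Verify a downloaded software image against a published hash (added example)."""
import hashlib
import hmac
import os
import tempfile

SUPPORTED = ("md5", "sha256")  # the two algorithms the verify command offers


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Return the hex digest of a file, streaming it so large images fit in memory."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported algorithm {algorithm!r}; use one of {SUPPORTED}")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_published_hash(text):
    """Accept the hash as copied from a support page: any case, surrounding
    whitespace, optionally followed by a file name as in sha256sum output."""
    stripped = text.strip()
    return stripped.split()[0].lower() if stripped else ""


def verify_image(path, published_hash, algorithm="sha256"):
    """True only if the computed digest equals the published one.

    hmac.compare_digest avoids leaking where the strings differ; the explicit
    length check rejects a truncated or wrong-algorithm value outright.
    """
    expected = normalize_published_hash(published_hash)
    actual = hash_file(path, algorithm)
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(actual, expected)


def demo():
    """Write a constructed stand-in for an image file and check it several ways."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "FTOS-SE-demo.bin")  # constructed file name
        with open(image, "wb") as fh:
            fh.write(b"hello")  # constructed contents, not a real image
        # Well-known digests of the five bytes b"hello".
        good_sha256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
        good_md5 = "5d41402abc4b2a76b9719d911017c592"
        return {
            # pasted in sha256sum style, upper case: still accepted
            "sha256_ok": verify_image(image, good_sha256.upper() + "  FTOS-SE-demo.bin"),
            # one hex digit changed: rejected
            "sha256_tampered": verify_image(image, good_sha256[:-1] + "5"),
            "md5_ok": verify_image(image, good_md5, "md5"),
            # a short value cannot be a SHA-256 digest: rejected before comparing
            "wrong_length_rejected": verify_image(image, "deadbeef"),
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {'PASS' if result else 'FAIL'}")
```

Run the script as-is to see the four outcomes, or call verify_image(path, hash) with the real image path and the hash taken from the iSupport page.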
• Configure an HTTP client with a VRF that is used to connect to the HTTP server.
4 Management
This chapter describes the different protocols or services used to manage the Dell EMC Networking system.
Removing a Command from EXEC Mode
To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
• privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword}
Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command.
CONFIGURATION mode
privilege {configure |interface | line | route-map | router} level level {command ||...
DellEMC(conf)# interface group vlan 1 - 2 , tengigabitethernet 1/1
DellEMC(conf-if-group-vl-1-2,te-1/1)# no shutdown
DellEMC(conf-if-group-vl-1-2,te-1/1)# end
Applying a Privilege Level to a Username
To set the user privilege level, use the following command.
• Configure a privilege level for a user.
CONFIGURATION mode
username username privilege level
Applying a Privilege Level to a Terminal Line
To set a privilege level for a terminal line, use the following command.
Enabling Audit and Security Logs
You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server using the logging extended command in CONFIGURATION mode. This command is available with or without RBAC enabled. For information about RBAC, see Role-Based Access Control.
Audit Logs
The audit log contains configuration events and information.
line vty0 ( 10.14.1.91 )
Clearing Audit Logs
To clear audit logs, use the clear logging auditlog command in EXEC mode. When RBAC is enabled, only the system administrator user role can issue this command.
Example of the clear logging auditlog Command
DellEMC# clear logging auditlog
Configuring Logging Format
To display syslog messages in RFC 3164 or RFC 5424 format, use the logging version {0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
%TSM-6-PORT_CONFIG: Port link status for LC 12 => portpipe 0: OK portpipe 1: N/A
%CHMGR-5-LINECARDUP: Line card 12 is up
%IFMGR-5-CSTATE_UP: changed interface Physical state to up: So 12/8
%IFMGR-5-CSTATE_DN: changed interface Physical state to down: So 12/8
To view any changes made, use the show running-config logging command in EXEC privilege mode.
Setting Up a Secure Connection to a Syslog Server
You can use reverse tunneling with port forwarding to securely connect to a syslog server.
Figure 2.
If you do not, the system displays an error when you attempt to enable role-based only AAA authorization.
DellEMC(conf)# logging localhost tcp port
DellEMC(conf)#logging 127.0.0.1 tcp 5140
Sending System Messages to a Syslog Server
To send system messages to a specified syslog server, use the following command. The following syslog standards are supported:
• RFC 5424, The SYSLOG Protocol, R. Gerhards and Adiscon GmbH, March 2009 (obsoletes RFC 3164)
• RFC 5426, Transmission of Syslog Messages over UDP
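A collector that receives these messages has to cope with both wire formats: logging version 0 produces the older RFC 3164 layout and logging version 1 the RFC 5424 layout described under Configuring Logging Format and in the standards list above. The parser below is an added example for a log collector or SIEM pre-processor, not code from the Dell EMC guide. It recognizes either format, decodes the PRI field into facility and severity names, and pulls out the Dell EMC message mnemonic (for example SYS-5-CONFIG_I) so rules can key on it. The sample lines are constructed: they reuse message tags that appear in this guide's own output, but the host name, PRI value and timestamps are made up.

```python
"""Normalize RFC 3164 and RFC 5424 syslog lines from a switch (added example)."""
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# RFC 3164 (logging version 0): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424 (logging version 1): <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# Dell EMC OS message tag such as %SYS-5-CONFIG_I: facility, severity digit, mnemonic.
DELL_TAG = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+):")


def decode_pri(pri):
    """Split PRI (facility * 8 + severity) into facility and severity names."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_syslog(line):
    """Return a normalized dict for the line, or None if it is neither format."""
    m = RFC5424.match(line)
    fmt = "rfc5424"
    if m is None:
        m = RFC3164.match(line)
        fmt = "rfc3164"
    if m is None:
        return None
    facility, severity = decode_pri(m.group("pri"))
    record = {
        "format": fmt,
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "msg": m.group("msg") or "",
    }
    if fmt == "rfc5424":
        sd = m.group("sd")
        record["structured_data"] = None if sd == "-" else sd
    tag = DELL_TAG.search(record["msg"])
    if tag:  # e.g. SYS-5-CONFIG_I; the switch's own severity digit is embedded here
        record["mnemonic"] = f"{tag.group('fac')}-{tag.group('sev')}-{tag.group('mnemonic')}"
    return record


# Constructed sample lines: PRI 189 is local7.notice; the third line is deliberately invalid.
SAMPLE_LINES = [
    "<189>May 17 15:52:54 DellEMC %STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console",
    "<189>1 2019-05-17T15:52:54.000Z DellEMC - - - - %STKUNIT1-M:CP "
    "%FILEMGR-5-FILESAVED: Copied running-config to startup-config",
    "this is not syslog at all",
]


def parse_all(lines=SAMPLE_LINES):
    """Parse every line; unparseable lines stay as None so they can be counted."""
    return [parse_syslog(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all():
        print(rec)
```

Because the mnemonic is extracted separately from the syslog severity, a detection rule can match on the switch's own event name (a configuration change, a saved startup-config) regardless of which logging version the sending device has configured.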
Display Login Statistics
To view the login statistics, use the show login statistics command.
Example of the show login statistics Command
The show login statistics command displays the successful and failed login details of the current user in the last 30 days or the custom defined time period.
DellEMC#show login statistics
------------------------------------------------------------------
User: admin
Last login time: 12:52:01 UTC Tue Mar 22 2016
Last login location: Line vty0 ( 10.16.127.143 )
Unsuccessful login attempt(s) since the last successful login: 0
Unsuccessful login attempt(s) in last 30 day(s): 0
Successful login attempt(s) in last 30 day(s): 1
------------------------------------------------------------------
The following is sample output of the show login statistics unsuccessful-attempts command.
Enabling the System to Clear Existing Sessions
To enable the system to clear existing login sessions, use the following command.
CONFIGURATION mode
login concurrent-session clear-line enable
NOTE: If the number of concurrent sessions and the maximum number of VTY lines in use are the same, the next login attempt is unsuccessful and the system displays an access denied message.
secure-cli enable
After entering the command, save the running-configuration. Once you save the running-configuration, the secured CLI mode is enabled. If you do not want to enter the secured mode, do not save the running-configuration. Once saved, to disable the secured CLI mode, you must manually edit the startup-configuration file and reboot the system.
Log Messages in the Internal Buffer
All error messages, except those beginning with %BOOTUP (Message), are logged in the internal buffer.
In the previous lines, local7 is the logging facility level and debugging is the severity level. Changing System Logging Settings You can change the default settings of the system logging by changing the severity level and the storage location. The default is to log all messages up to debug level, that is, all system messages. By changing the severity level in the logging commands, you control the number of system messages logged. To specify the system logging settings, use the following commands.
%CHMGR-5-CARDDETECTED: Line card 2 present
%CHMGR-5-CARDDETECTED: Line card 4 present
%CHMGR-5-CARDDETECTED: Line card 5 present
%CHMGR-5-CARDDETECTED: Line card 8 present
%CHMGR-5-CARDDETECTED: Line card 10 present
%CHMGR-5-CARDDETECTED: Line card 12 present
%TSM-6-SFM_DISCOVERY: Found SFM 0
%TSM-6-SFM_DISCOVERY: Found SFM 1
%TSM-6-SFM_DISCOVERY: Found SFM 2
%TSM-6-SFM_DISCOVERY: Found SFM 3
%TSM-6-SFM_DISCOVERY: Found SFM 4
%TSM-6-SFM_DISCOVERY: Found SFM 5
%TSM-6-SFM_DISCOVERY: Found SFM 6
%TSM-6-SFM_DIS
To view nondefault settings, use the show running-config logging command in EXEC mode.
DellEMC#show running-config logging
!
logging buffered 524288 debugging
service timestamps log datetime msec
service timestamps debug datetime msec
!
logging trap debugging
logging facility user
logging source-interface Loopback 0
logging 10.10.10.
Example 1: Default configuration
service timestamps log datetime or service timestamps log datetime localtime
DellEMC(conf)#service timestamps log datetime
DellEMC#show clock
15:42:42.804 IST Fri May 17 2019
DellEMC# show command-history
[May 17 15:38:55]: CMD-(CLI):[service timestamps log datetime]by default from console
[May 17 15:41:40]: CMD-(CLI):[write memory]by default from console
- Repeated 1 time.
May 17 10:17:40 %STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-config to startup-config in flash by default
May 17 10:17:37 %STKUNIT1-M:CP %IFMGR-5-OSTATE_UP: Changed interface state to up: Te 1/2
May 17 10:17:34 %STKUNIT1-M:CP %IFMGR-5-ASTATE_UP: Changed interface Admin state to up: Te 1/2
May 17 10:17:32 %STKUNIT1-M:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/2
May 17 10:17:32 %STKUNIT1-M:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/2
Example 3: service ti
[May 17 15:55:22]: CMD-(CLI):[show running-config]by default from console
[May 17 15:55:27]: CMD-(CLI):[show command-history]by default from console
DellEMC# show logging
Syslog logging: enabled
Console logging: disabled
Monitor logging: level debugging
Buffer logging: level debugging, 3 Messages Logged, Size (40960 bytes)
Trap logging: level informational
Last logging buffer cleared: May 17 15:52:54
%STKUNIT1-M:CP %SYS-5-CONFIG_I: Configured from console
%STKUNIT1-M:CP %FILEMGR-5-FILESAVED: Copied running-
CONFIGURATION mode
ftp-server topdir dir
• The default is the internal flash directory.
Specify a user name for all FTP users and configure either a plain text or encrypted password.
CONFIGURATION mode
ftp-server username username password [encryption-type] password
Configure the following optional and required parameters:
• username: enter a text string.
• encryption-type: enter 0 for plain text or 7 for encrypted text.
• password: enter a text string.
• To filter access exclusively using either IPv4 or IPv6 rules, use either the ipv4 or ipv6 attribute along with the access-class access-list-name command. Depending on the attribute that you specify (ipv4 or ipv6), the ACL processes either IPv4 or IPv6 rules, but not both. Using this configuration, you can set up two different access classes, each processing either IPv4 or IPv6 rules separately.
To apply an IP ACL to a line, use the following command.
none: Do not authenticate the user.
radius: Prompt for a username and password and use a RADIUS server to authenticate.
tacacs+: Prompt for a username and password and use a TACACS+ server to authenticate.
1. Configure an authentication method list. You may use a mnemonic name or use the keyword default. The default authentication method for terminal lines is local and the default method list is empty.
Using Telnet to get to Another Network Device
To telnet to another device, use the following commands.
NOTE: The device allows 120 Telnet sessions per minute, that is, the login and logout of 10 Telnet sessions 12 times in a minute. If the system reaches this limit, the Telnet service is stopped for 10 minutes. You can use the console and the SSH service to access the system during that time.
• Telnet to a device with an IPv4 or IPv6 address.
If another user attempts to enter CONFIGURATION mode while a lock is in place, the following appears on their terminal (message 1):
% Error: User "" on line console0 is in exclusive configuration mode.
If any user is already in CONFIGURATION mode when a lock is requested, the following appears on the terminal of the user requesting the lock (message 2):
% Error: Can't lock configuration mode exclusively since the following users are currently configuring the system: User "admin" on line vty1 ( 10.1.1.1 ).
Important Points to Remember
• When you restore all the units in a stack, these units are placed in standalone mode.
• When you restore a single unit in a stack, only that unit is placed in standalone mode. No other units in the stack are affected.
• When you restore the units in standalone mode, the units remain in standalone mode after the restoration.
• After the restore is complete, the units power cycle immediately.
• flash1 — to boot from flash partition B.
• tftp://server-ip/image-file-name — to boot from the network.
4. Assign an IP address to the Management Ethernet interface.
uBoot mode
=> setenv ipaddr ip_address
For example, 10.16.150.105.
=> setenv netmask mask
For example, 255.255.0.0.
5. Assign an IP address as the default gateway for the system.
uBoot mode
=> setenv gatewayip gateway_ip_address
For example, 10.16.150.254.
6. Save the modified environmental variables.
uBoot mode
=> saveenv
7.
5 802.1X 802.1X is a port-based Network Access Control (PNAC) that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity is verified (through a username and password, for example). 802.
• The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests.
• The device with which the supplicant communicates is the authenticator. The authenticator is the gatekeeper of the network. It translates and forwards requests and responses between the authentication server and the supplicant.
Figure 5. EAP Port-Authentication EAP over RADIUS 802.1X uses RADIUS to shuttle EAP packets between the authenticator and the authentication server, as defined in RFC 3579. EAP messages are encapsulated in RADIUS packets as a type of attribute in Type, Length, Value (TLV) format. The Type value for EAP messages is 79. Figure 6. EAP Over RADIUS RADIUS Attributes for 802.1X Support Dell EMC Networking systems include the following RADIUS attributes in all 802.
Related Configuration Tasks
• Configuring Request Identity Re-Transmissions
• Forcibly Authorizing or Unauthorizing a Port
• Re-Authenticating a Port
• Configuring Timeouts
• Configuring a Guest VLAN
• Configuring an Authentication-Fail VLAN
Important Points to Remember
• Dell EMC Networking OS supports 802.1X with EAP-MD5, EAP-OTP, EAP-TLS, EAP-TTLS, PEAPv0, PEAPv1, and MS-CHAPv2 with PEAP. EAP-MD5 authenticates only the supplicant, not the server, and exposes the password to offline dictionary attacks; prefer a TLS-based method (EAP-TLS, EAP-TTLS, or PEAP) in production.
• All platforms support only RADIUS as the authentication server.
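As an added example (not Dell EMC code), the following Python builds the RADIUS Access-Request an authenticator sends when it relays an EAP Response/Identity, carrying the EAP packet in EAP-Message attributes (Type 79, as stated above) together with the Message-Authenticator attribute (Type 80) that RFC 3579 requires whenever EAP-Message is present, and shows the server-side check that rejects a request whose HMAC-MD5 does not verify. The shared secret, user name and request authenticator are constructed values; only RFC 2865, RFC 3579 and RFC 3748 packet layouts are assumed.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterator, Optional, Tuple

# RADIUS (RFC 2865), EAP over RADIUS (RFC 3579) and EAP (RFC 3748) constants.
RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79            # the Type value mentioned in the text
ATTR_MESSAGE_AUTHENTICATOR = 80  # HMAC-MD5 over the packet; mandatory with EAP-Message
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
RADIUS_HEADER_LEN = 20           # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_ATTR_VALUE = 253             # attribute Length is one byte and includes the 2-byte header


def eap_response_identity(eap_id: int, identity: bytes) -> bytes:
    """EAP Response/Identity: Code(1) Identifier(1) Length(2) Type(1) Type-Data."""
    data = bytes([EAP_TYPE_IDENTITY]) + identity
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(data)) + data


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(secret: bytes, identifier: int, request_authenticator: bytes,
                         username: bytes, eap_packet: bytes) -> bytes:
    """Wrap an EAP packet the way an 802.1X authenticator does: split it across as
    many EAP-Message attributes as needed, append a zeroed Message-Authenticator,
    then fill it with HMAC-MD5(secret, whole packet)."""
    attrs = _attr(ATTR_USER_NAME, username)
    for off in range(0, len(eap_packet), MAX_ATTR_VALUE):
        attrs += _attr(ATTR_EAP_MESSAGE, eap_packet[off:off + MAX_ATTR_VALUE])
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = RADIUS_HEADER_LEN + len(attrs)
    packet = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, length) \
        + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:length - 16] + mac  # Message-Authenticator value is the last 16 bytes


def _attributes(packet: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, type, value) per attribute; raise ValueError on bad lengths."""
    pos = RADIUS_HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        yield pos, attr_type, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_and_extract_eap(secret: bytes, packet: bytes) -> Optional[bytes]:
    """Server-side check: validate Message-Authenticator, then reassemble the EAP
    packet from the EAP-Message attributes. Returns None for malformed input or a
    failed MAC, which is what should make the server silently discard the request."""
    if len(packet) < RADIUS_HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    try:
        attrs = list(_attributes(packet))
    except ValueError:
        return None
    macs = [(off, val) for off, t, val in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return None
    off, received = macs[0]
    zeroed = packet[:off + 2] + bytes(16) + packet[off + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(received, expected):
        return None
    eap = b"".join(val for _, t, val in attrs if t == ATTR_EAP_MESSAGE)
    return eap or None


if __name__ == "__main__":
    shared = b"example-shared-secret"  # constructed; a real secret must be long and random
    eap = eap_response_identity(1, b"alice")
    req = build_access_request(shared, 7, os.urandom(16), b"alice", eap)
    print("verified:", verify_and_extract_eap(shared, req) == eap)
```

The shared secret is the only thing protecting the EAP exchange between authenticator and server on the wire, so it should be unique per authenticator and the server should drop any EAP-carrying request whose Message-Authenticator is missing or wrong rather than fall back to the Request Authenticator alone.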
1. Enable 802.1X globally.
CONFIGURATION mode
dot1x authentication
2. Enter INTERFACE mode on an interface or a range of interfaces.
INTERFACE mode
interface [range]
3. Enable 802.1X on the supplicant-facing interface only.
INTERFACE mode
dot1x authentication
Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode. In the following example, the bold lines show that 802.1X is enabled.
NOTE: There are several reasons why the supplicant might fail to respond; for example, the supplicant might have been booting when the request arrived or there might be a physical layer problem.
To configure re-transmissions, use the following commands.
• Configure the amount of time that the authenticator waits before re-transmitting an EAP Request Identity frame.
INTERFACE mode
dot1x tx-period number
The range is from 1 to 65535 seconds. The default is 30.
Forcibly Authorizing or Unauthorizing a Port
The 802.1X ports can be placed into any of the three states:
• ForceAuthorized — an authorized state. A device connected to this port in this state is never subjected to the authentication process, but is allowed to communicate on the network. Placing the port in this state is the same as disabling 802.1X on the port.
• ForceUnauthorized — an unauthorized state.
The range is from 1 to 10. The default is 2.
The bold lines show that re-authentication is enabled and the new maximum and re-authentication time period.
DellEMC(conf-if-Te-1/1)#dot1x reauthentication interval 7200
DellEMC(conf-if-Te-1/1)#dot1x reauth-max 10
DellEMC(conf-if-Te-1/1)#do show dot1x interface TenGigabitEthernet 1/1
802.
Tx Period: 90 seconds
Quiet Period: 120 seconds
ReAuth Max: 10
Supplicant Timeout: 15 seconds
Server Timeout: 15 seconds
Re-Auth Interval: 7200 seconds
Max-EAP-Req: 10
Auth Type: SINGLE_HOST
Auth PAE State: Initialize
Backend State: Initialize
Configuring Dynamic VLAN Assignment with Port Authentication
Dell EMC Networking OS supports dynamic VLAN assignment when using 802.1X.
1. Configure 802.1X globally (refer to Enabling 802.1X) along with the relevant RADIUS server configuration (refer to the illustration in Dynamic VLAN Assignment with Port Authentication).
2. Make the interface a switchport so that it can be assigned to a VLAN.
3. Create the VLAN to which the interface will be assigned.
4. Connect the supplicant to the port configured for 802.1X.
5.
Example of Configuring Maximum Authentication Attempts
DellEMC(conf-if-Te-2/1)#dot1x guest-vlan 200
DellEMC(conf-if-Te 2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 no shutdown
DellEMC(conf-if-Te-2/1)#
DellEMC(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5
DellEMC(conf-if-Te-2/1)#show config
!
interface TenGigabitEthernet 2/1
 switchport
 dot1x authentication
 dot1x guest-vlan 200
 dot1x auth-fail-vlan 100 max-attempts 5
 no shutdown
DellEMC(con
6 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) Optimizing CAM Utilization During the Attachment of ACLs to VLANs To minimize the number of entries in CAM, enable and configure the ACL CAM feature. Use this feature when you apply ACLs to a VLAN (or a set of VLANs) and when you apply ACLs to a set of ports. The ACL CAM feature allows you to effectively use the Layer 3 CAM space with VLANs and Layer 2 and Layer 3 CAM space with ports.
• The maximum number of members in an ACL VLAN group is determined by the type of switch and its hardware capabilities. This scaling limit depends on the number of slices that are allocated for ACL CAM optimization.
• If one slice is allocated, the maximum number of VLAN members is 256 for all ACL VLAN groups.
• If two slices are allocated, the maximum number of VLAN members is 512 for all ACL VLAN groups.
1,1000
DellEMC#
Configuring FP Blocks for VLAN Parameters
To allocate the number of FP blocks for the various VLAN processes on the system, use the cam-acl-vlan command. To reset the number of FP blocks to the default, use the no version of this command. By default, 0 groups are allocated for the ACL in the VLAN content-aware processor (VCAP). ACL VLAN groups and CAM optimization are not enabled by default. You must also allocate the slices for CAM optimization.
1.
show cam-usage output (column values not recoverable); the CAM regions listed are IN-L3 ACL, IN-L3 FIB, IN-V6 ACL, IN-NLB ACL, IPMAC ACL, OUT-L2 ACL, OUT-L3 ACL and OUT-V6 ACL.
Codes: * - cam usage is above 90%.
| OUT-V6 ACL |
178 | 4 | 174
Codes: * - cam usage is above 90%.
Allocating FP Blocks for VLAN Processes
The VLAN content-aware processor (VCAP) application is a pre-ingress CAP that modifies the VLAN settings before packets are forwarded. To support ACL CAM optimization, the CAM carving feature is enhanced. A total of four VCAP groups are present: two fixed groups and two dynamic groups.
7 Access Control Lists (ACLs)
This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLs, refer to Layer 2.
• Applying an IP ACL
• Configure Ingress ACLs
• Configure Egress ACLs
• IP Prefix Lists
• ACL Remarks
• ACL Resequencing
• Route Maps
• Logging of ACL Processes
• Flow-Based Monitoring
• Configuring UDF ACL
• Configuring IP Mirror Access Group
IP Access Control Lists (ACLs)
In Dell EMC Networking switch/routers, you can create two different types of IP ACLs: standard or extended. A standard ACL filters packets based on the source IP address.
CAM Optimization When you enable this command, if a policy map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only one FP entry is used). When you disable this command, the system behaves as described in this chapter. Test CAM Usage This command applies to both IPv4 and IPv6 CAM profiles, but is best used when verifying QoS optimization for IPv6 ACLs.
Determine the Order in which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, Dell EMC Networking OS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). As shown in the following example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.0/24 is within 20.0.0.0/8.
Creating a Route Map
Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command.
• Create a route map and assign it a unique name. The optional permit and deny keywords are the actions of the route map.
 tag 3444
DellEMC#
To delete a route map, use the no route-map map-name command in CONFIGURATION mode.
Configure Route Map Filters
Within ROUTE-MAP mode, there are match and set commands.
• match commands search for a certain criterion in the routes.
• set commands change the characteristics of routes, either adding something or specifying a level.
match interface interface
The parameters are:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport] information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For a port channel interface, enter the keywords port-channel then a number.
set level {backbone | level-1 | level-1-2 | level-2 | stub-area}
• Specify a value for the BGP route's LOCAL_PREF attribute.
CONFIG-ROUTE-MAP mode
set local-preference value
• Specify a value for redistributed routes.
CONFIG-ROUTE-MAP mode
set metric {+ | - | metric-value}
• Specify an OSPF or ISIS type for redistributed routes.
CONFIG-ROUTE-MAP mode
set metric-type {external | internal | type-1 | type-2}
• Assign an IP address as the route's next hop.
Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
Example of Permitting All Packets on an Interface
DellEMC(conf)#ip access-list extended ABC
DellEMC(conf-ext-nacl)#permit ip any 10.1.1.1/32
DellEMC(conf-ext-nacl)#deny ip any 10.1.1.1/32 fragments
DellEMC(conf-ext-nacl)
Because rules are evaluated in sequence and the first rule matches every packet destined for 10.1.1.1, including non-initial fragments, the deny rule above is never reached. To deny the second and subsequent fragments, use the same rules in the opposite order. Those ACLs deny all second and subsequent fragments with destination IP 10.1.1.1 but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1.
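The following Python model is added here and is not from the guide. It reproduces the rule-order behaviour just described: rules are checked in sequence order, the fragments keyword restricts a rule to non-initial fragments (Fragment Offset greater than zero), a rule without the keyword matches any packet regardless of fragmentation, and a packet matching no rule is dropped by the implicit deny. It covers only the ip rules shown on this page; the packets and the 192.0.2.10 source address are constructed, and sequence numbers are assigned in steps of 5 in configuration order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    frag_offset: int = 0  # IP Fragment Offset (FO): 0 for whole packets and first fragments


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    fragments: bool = False         # 'fragments' keyword: match only when FO > 0

    def matches(self, pkt: Packet) -> bool:
        if self.fragments and pkt.frag_offset == 0:
            return False
        return (ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst)


def _take_address(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(seq: int, text: str) -> Rule:
    """Parse '{permit|deny} ip <src> <dst> [fragments]' as typed in CONFIG-EXT-NACL mode."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny") or tokens.pop(0) != "ip":
        raise ValueError(f"unsupported rule: {text}")
    src = _take_address(tokens)
    dst = _take_address(tokens)
    fragments = False
    if tokens and tokens[0] == "fragments":
        tokens.pop(0)
        fragments = True
    if tokens:
        raise ValueError(f"unsupported rule: {text}")
    return Rule(seq, action, src, dst, fragments)


def build_acl(lines: List[str]) -> List[Rule]:
    """Assign sequence numbers 5, 10, 15, ... in the order the rules were entered."""
    return [parse_rule(5 * (i + 1), line) for i, line in enumerate(lines)]


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First match wins; an ACL with no matching rule denies (implicit deny)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action, rule.seq
    return "deny", None


# The two orderings from the guide: the first permits everything sent to 10.1.1.1,
# the second denies only the non-initial fragments.
PERMIT_ALL = build_acl(["permit ip any 10.1.1.1/32", "deny ip any 10.1.1.1/32 fragments"])
DENY_FRAGMENTS = build_acl(["deny ip any 10.1.1.1/32 fragments", "permit ip any 10.1.1.1/32"])

# Constructed traffic: a whole packet, a first fragment and a later fragment.
WHOLE = Packet("192.0.2.10", "10.1.1.1", frag_offset=0)
FIRST_FRAG = Packet("192.0.2.10", "10.1.1.1", frag_offset=0)
LATER_FRAG = Packet("192.0.2.10", "10.1.1.1", frag_offset=185)

if __name__ == "__main__":
    for name, acl in (("PERMIT_ALL", PERMIT_ALL), ("DENY_FRAGMENTS", DENY_FRAGMENTS)):
        print(name, [evaluate(acl, p) for p in (WHOLE, FIRST_FRAG, LATER_FRAG)])
```

The model makes the security point explicit: an ACL meant to drop fragment-based evasion attempts must place its fragments rules before the broader permit, or the permit silently swallows them.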
• FO > 0 means it is dealing with the fragments of the original packet.
Configure a Standard IP ACL
To configure an ACL, use commands in IP ACCESS LIST mode and INTERFACE mode. For a complete list of all the commands related to IP ACLs, refer to the Dell EMC Networking OS Command Line Interface Reference Guide. To set up extended ACLs, refer to Configure an Extended IP ACL.
A standard IP ACL uses the source IP address as its match criterion.
1.
2. Configure a drop or forward IP ACL filter.
CONFIG-STD-NACL mode
{deny | permit} {source [mask] | any | host ip-address} [count [byte] [dscp] [order] [monitor [session-id]] [fragments]
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets' details.
The following example shows a standard IP ACL in which Dell EMC Networking OS assigns the sequence numbers.
Configure Filters, TCP Packets
To create a filter for TCP packets with a specified sequence number, use the following commands.
1. Create an extended IP ACL and assign it a unique name.
CONFIGURATION mode
ip access-list extended access-list-name
2. Configure an extended IP ACL filter for TCP packets.
When you use the log keyword, the CP logs details about the packets that match. Depending on how many packets match the log entry and at what rate, the CP may become busy as it has to log these packets’ details. The following example shows an extended IP ACL in which the sequence numbers were assigned by the software. The filters were assigned sequence numbers based on the order in which they were configured (for example, the first filter was given the lowest sequence number).
Applying an IP ACL
To apply an IP ACL (standard or extended) to a physical or port channel interface, use the following commands.
1. Enter the interface number.
CONFIGURATION mode
interface interface slot/port
2. Configure an IP address for the interface, placing it in Layer-3 mode.
INTERFACE mode
ip address ip-address
3. Apply an IP ACL to traffic entering or exiting an interface.
Example of Applying ACL Rules to Ingress Traffic and Viewing ACL Configuration To specify ingress, use the in keyword. Begin applying rules to the ACL with the ip access-list extended abcd command. To view the access-list, use the show command.
DellEMC(conf)#interface te 1/2
DellEMC(conf-if-te-1/2)#ip vrf forwarding blue
DellEMC(conf-if-te-1/2)#show config
!
interface TenGigabitEthernet 1/2
 ip vrf forwarding blue
 no ip address
 shutdown
DellEMC(conf-if-te-1/2)#
DellEMC(conf-if-te-1/2)#end
DellEMC#
Applying Egress Layer 3 ACLs (Control-Plane)
By default, packets originated from the system are not filtered by egress ACLs.
• After a route matches a filter, the filter’s action is applied. No additional filters are applied to the route. Implementation Information In Dell EMC Networking OS, prefix lists are used in processing routes for routing protocols (for example, router information protocol [RIP], open shortest path first [OSPF], and border gateway protocol [BGP]). NOTE: It is important to know which protocol your system supports prior to implementing prefix-lists.
Creating a Prefix List Without a Sequence Number
To create a filter without a specified sequence number, use the following commands.
1. Create a prefix list and assign it a unique name.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create a prefix list filter with a deny or permit action.
CONFIG-NPREFIXL mode
{deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length]
The optional parameters are:
• ge min-prefix-length: is the minimum prefix length to be matched (0 to 32).
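Added example, not part of the guide: a Python implementation of prefix-list matching with the ge and le parameters. An entry with neither keyword matches only the exact prefix and length; ge alone matches lengths from ge up to 32; le alone matches lengths from the entry's own length up to le; both together give a window, and the entry is invalid unless prefix length <= ge <= le <= 32. Entries are tried in sequence order, the first match decides, and a route that matches nothing is denied. The list EXAMPLE_LIST and the routes fed to it are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PrefixEntry:
    seq: int
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv4Network
    ge: Optional[int] = None        # minimum prefix length to match
    le: Optional[int] = None        # maximum prefix length to match

    def length_range(self) -> Tuple[int, int]:
        """Prefix-length window this entry accepts (see the lead-in for the rules)."""
        base = self.prefix.prefixlen
        lo = self.ge if self.ge is not None else base
        hi = self.le if self.le is not None else (32 if self.ge is not None else base)
        if not (base <= lo <= hi <= 32):
            raise ValueError(f"seq {self.seq}: need prefix length <= ge <= le <= 32")
        return lo, hi

    def matches(self, route: ipaddress.IPv4Network) -> bool:
        lo, hi = self.length_range()
        return lo <= route.prefixlen <= hi and route.subnet_of(self.prefix)


def parse_entry(line: str) -> PrefixEntry:
    """Parse 'seq N {permit|deny} A.B.C.D/len [ge X] [le Y]' as shown by show config."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "seq" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported entry: {line}")
    seq, action = int(tokens[1]), tokens[2]
    prefix = ipaddress.ip_network(tokens[3], strict=False)
    ge = le = None
    rest = tokens[4:]
    while rest:
        if len(rest) < 2:
            raise ValueError(f"missing value in: {line}")
        key, val = rest[0], int(rest[1])
        if key == "ge":
            ge = val
        elif key == "le":
            le = val
        else:
            raise ValueError(f"unsupported keyword {key}")
        rest = rest[2:]
    entry = PrefixEntry(seq, action, prefix, ge, le)
    entry.length_range()  # validate at configuration time, not on first use
    return entry


def evaluate(prefix_list: List[PrefixEntry], route: str) -> Tuple[str, Optional[int]]:
    """First matching entry, in sequence order, decides; no match means deny."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in sorted(prefix_list, key=lambda e: e.seq):
        if entry.matches(net):
            return entry.action, entry.seq
    return "deny", None


# Constructed prefix list: accept 10/8 subnets from /16 to /24, reject every other
# 10/8 route, and accept exactly 192.168.0.0/16.
EXAMPLE_LIST = [parse_entry(line) for line in (
    "seq 5 permit 10.0.0.0/8 ge 16 le 24",
    "seq 10 deny 10.0.0.0/8 le 32",
    "seq 15 permit 192.168.0.0/16",
)]

if __name__ == "__main__":
    for r in ("10.1.0.0/16", "10.1.1.0/25", "10.0.0.0/8", "192.168.0.0/16", "192.168.1.0/24"):
        print(r, evaluate(EXAMPLE_LIST, r))
```

Note that 192.168.1.0/24 is denied even though it lies inside 192.168.0.0/16: without ge or le the entry is an exact-length match, which is the usual reason a more-specific route unexpectedly fails a prefix list.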
count: 4, range entries: 1, sequences: 5 - 10
DellEMC>
Applying a Prefix List for Route Redistribution
To filter routes with a configured prefix list, reference the prefix list in a route redistribution command. The prefix list is applied to all routes redistributed into the routing process; each route is either accepted or dropped, depending on the criteria and actions specified in the prefix list.
To apply a filter to routes in RIP, use the following commands.
• Enter RIP mode.
ACL Remarks While defining ACL rules, you can optionally include a remark to make the ACLs more descriptive. You can include a remark with a maximum of 80 characters in length. The remark command is available in each ACL mode. You can configure up to 4294967291 remarks for a given IP ACL and 65536 remarks for a given MAC ACL. You can include a remark with or without a remark number. If you do not enter a remark number, the remark inherits the sequence number of the last ACL rule.
 seq 10 permit ip any any
Dell(config-ext-nacl)#no remark 10
Dell(config-ext-nacl)#show config
!
ip access-list extended test
 seq 10 permit ip any any
ACL Resequencing
ACL resequencing allows you to re-number the rules and remarks in an access or prefix list. The placement of rules within the list is critical because packets are matched against rules in sequential order. Use resequencing whenever there is no opportunity to order new rules using the current numbering scheme.
 remark 5 this remark corresponds to permit any host 1.1.1.1
 seq 5 permit ip any host 1.1.1.1
 remark 9 ABC
 remark 10 this remark corresponds to permit ip any host 1.1.1.2
 seq 10 permit ip any host 1.1.1.2
 seq 15 permit ip any host 1.1.1.3
 seq 20 permit ip any host 1.1.1.4
DellEMC# end
DellEMC# resequence access-list ipv4 test 2 2
DellEMC# show running-config acl
!
ip access-list extended test
 remark 2 XYZ
 remark 4 this remark corresponds to permit any host 1.1.1.1
 seq 4 permit ip any host 1.1.1.
Logging of ACL Processes This functionality is supported on the platform. To assist in the administration and management of traffic that traverses the device after being validated by the configured ACLs, you can enable the generation of logs for access control list (ACL) processes.
• For ACL entries applied on port-channel interfaces, one match index for every member interface of the port-channel interface is assigned.
• Therefore, the total available match indices of 251 are split (125 match indices for the permit action and 126 match indices for the deny action).
• You can configure ACL logging only on ACLs that are applied to ingress interfaces; you cannot enable logging for ACLs on egress interfaces.
Flow-based monitoring is supported for SPAN, RSPAN, and ERSPAN sessions. If there are overlapping rules between ACLs applied on different monitor sessions, the session with the highest monitor session ID takes precedence. NOTE: You can apply only IPv4 ACL rules under monitor session context.
Enabling Flow-Based Monitoring
Flow-based monitoring is supported on the platform. Flow-based monitoring conserves bandwidth by monitoring only specified traffic instead of all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available for Layer 2 and Layer 3 ingress traffic. You can specify traffic using standard or extended access-lists.
1. Enable flow-based monitoring for a monitoring session.
MONITOR SESSION mode
flow-based enable
2.
feature udf-acl
DellEMC(conf)#feature udf-acl
2. Change the default CAM allocation settings or reconfigure new CAM allocation settings and enable IPv4 UDF.
5. Configure a UDF ID to parse packet headers using the specified number of offset and required bytes.
CONFIGURATION-UDF TCAM mode
key description udf-id id packetbase PacketBase offset bytes length bytes
DellEMC(conf-udf-tcam)#key innerL3header udf-id 6 packetbase innerL3Header offset 0 length 2
6. View the UDF TCAM configuration.
Configuring IP Mirror Access Group
To configure an IP mirror access group on an interface, use the following commands:
1. Allocate a CAM profile for the IPv4 ACL.
CONFIGURATION mode
cam-acl {default | l2acl number ipv4acl number ipv6acl number ipv4qos number l2qos number l2pt number ipmacacl number [vman-qos | vman-qos-dual number | vman-qos-dual-fp number] ipv4pbr number ecfmacl number [nlbclusteracl number] fcoeacl number iscsioptacl number ipv4udfmirracl number | ipv4mirracl number}
2.
interface TenGigabitEthernet 1/5
 no ip address
 ip mirror-access-group acl3 in
 shutdown
Dell(conf-if-te-1/5)#
128 Access Control Lists (ACLs)
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format
Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet.
Figure 9. BFD in IPv4 Packet Format
Field: Description
Diagnostic Code: The reason that the last session failed.
State: The current local session state. Refer to BFD Sessions.
Flag: A bit that indicates packet function.
Field: Description
Your Discriminator: A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface.
Desired Min TX Interval: The minimum interval at which the local system would like to send control packets to the remote system.
State: Description
Up: Both systems are exchanging control packets. The session is declared down if:
• A control packet is not received within the detection time.
• Sufficient echo packets are lost.
• Demand mode is active and a control packet is not received in response to a poll packet.
BFD Three-Way Handshake
A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 11.
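The state transitions described above, as an added Python example that is not Dell EMC code: the per-packet state function (a Down session that hears Down goes to Init, hears Init goes to Up, and ignores a premature Up; an Up session that hears Down or AdminDown drops to Down), the Down/Init/Up three-way handshake between two constructed sessions A and B, and the detection time that decides when a session is declared down because no control packet arrived. The detection-time rule follows RFC 5880 (the peer's Detect Mult times the larger of the local Required Min RX and the peer's Desired Min TX); session names and timer values are constructed, the intervals matching the 100 ms and 200 ms values in the show bfd neighbors output later in this chapter.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Session states of the BFD state machine (RFC 5880 section 6.8.6).
ADMIN_DOWN, DOWN, INIT, UP = "AdminDown", "Down", "Init", "Up"


def next_state(local: str, remote: str) -> str:
    """State after receiving a control packet whose State field is `remote`."""
    if local == ADMIN_DOWN:
        return ADMIN_DOWN                 # held down by configuration; peer is ignored
    if remote == ADMIN_DOWN:
        return DOWN                       # peer administratively down: tear down
    if local == DOWN:
        # Down + Down -> Init, Down + Init -> Up; an Up heard while Down is ignored
        return {DOWN: INIT, INIT: UP, UP: DOWN}[remote]
    if local == INIT:
        return UP if remote in (INIT, UP) else INIT
    return DOWN if remote == DOWN else UP  # local == UP


def detection_time_ms(local_required_min_rx: int, remote_desired_min_tx: int,
                      remote_mult: int) -> int:
    """Milliseconds without a control packet before the local side declares the
    session down: the peer's multiplier times the interval the peer actually
    transmits at, which is the larger of our Required Min RX and its Desired Min TX."""
    return remote_mult * max(local_required_min_rx, remote_desired_min_tx)


def expired(last_rx_ms: int, now_ms: int, detect_ms: int) -> bool:
    """True once the detection timer has fired (first 'declared down' bullet above)."""
    return now_ms - last_rx_ms >= detect_ms


@dataclass
class Session:
    name: str
    state: str = DOWN
    history: List[str] = field(default_factory=list)

    def receive(self, peer_state: str) -> str:
        self.state = next_state(self.state, peer_state)
        self.history.append(self.state)
        return self.state


def three_way_handshake(a: Session, b: Session) -> List[Tuple[str, str, str]]:
    """Alternate control packets until both sides are Up.
    Returns (sender, state sent, receiver's new state) per packet."""
    trace: List[Tuple[str, str, str]] = []
    sender, receiver = a, b
    while not (a.state == UP and b.state == UP):
        sent = sender.state
        new = receiver.receive(sent)
        trace.append((sender.name, sent, new))
        sender, receiver = receiver, sender
        if len(trace) > 6:
            raise RuntimeError("handshake did not converge")
    return trace


if __name__ == "__main__":
    a, b = Session("A"), Session("B")
    for step in three_way_handshake(a, b):
        print(step)
    print("detection time:", detection_time_ms(100, 100, 4), "ms")
```

The handshake converges in exactly three packets (Down, Init, Up), which is why a spoofed Up packet cannot bring a Down session up on its own: the receiver must first see Down or Init from the peer, and the discriminators in those packets tie the exchange to one session.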
• Configuring Protocol Liveness
Configure BFD for Physical Ports
Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet.
TX: 100ms, RX: 100ms, Multiplier: 4
Role: Passive
Delete session on Down: False
Client Registered: CLI
Uptime: 00:09:06
Statistics:
Number of packets received from neighbor: 4092
Number of packets sent to neighbor: 4093
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 7
Disabling and Re-Enabling BFD
BFD is enabled on all interfaces by default, though sessions are not created unless explicitly configured.
Establishing Sessions for Static Routes for Default VRF Sessions are established for all neighbors that are the next hop of a static route on the default VRF. Figure 12. Establishing Sessions for Static Routes To establish a BFD session, use the following command. • Establish BFD sessions for all neighbors that are the next hop of a static route.
ip route bfd vrf vrf2
ip route bfd vrf vrf1 prefix-list p4_le
The following example shows that sessions are created for static routes for the default VRF.
Dell#show bfd neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 11.1.1.1 11.1.1.2 Te 1/1 Up 200 200 3 R
* 21.1.1.1 21.1.1.2 Vl 100 Up 200 200 3 R
* 31.1.1.1 31.1.1.
For more information on prefix lists, see IP Prefix Lists.
To enable BFD sessions on specific neighbors, perform the following steps:
Enter the following command to enable BFD sessions on specific next-hop neighbors:
CONFIGURATION mode
ip route bfd prefix-list prefix-list-name
The BFD session is established for the next-hop neighbors that are specified in the prefix-list.
• The absence of a prefix-list causes BFD sessions to be enabled on all the eligible next-hop neighbors.
Related Configuration Tasks
• Changing IPv6 Static Route Session Parameters
• Disabling BFD for Static Routes
Establishing Sessions for IPv6 Static Routes for Default VRF
Sessions are established for all neighbors that are the next hop of a static route on the default VRF. To establish a BFD session, use the following command.
• Establish BFD sessions for all IPv6 neighbors that are the next hop of a static route.
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 11::1 11::2 Te 1/1 Up 200 200 3 R
* 21::1 21::2 Vl 100 Up 200 200 3 R
* 31::1 31::2 Vl 101 Up 200 200 3 R
The following example shows that sessions are created for static routes for the nondefault VRFs.
Related Configuration Tasks
• Changing OSPF Session Parameters
• Disabling BFD for OSPF
Establishing Sessions with OSPF Neighbors for the Default VRF
BFD sessions can be established with all OSPF neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state.
Figure 13.
To view the established sessions, use the show bfd neighbors command. The bold line shows the OSPF BFD sessions.
R2(conf-router_ospf)#bfd all-neighbors
R2(conf-router_ospf)#do show bfd neighbors
* - Active session role
Ad Dn - Admin Down
C - CLI
I - ISIS
O - OSPF
R - Static Route (RTM)
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients
* 2.2.2.2 2.2.2.1 Te 2/1 Up 100 100 3 O
* 2.2.3.1 2.2.3.
* 7.1.1.1 7.1.1.2 Te 1/21 Up 200 200 3 O
The following example shows the show bfd vrf neighbors command output for a nondefault VRF.
show bfd vrf VRF_blue neighbors
* - Active session role
Ad Dn - Admin Down
B - BGP
C - CLI
I - ISIS
O - OSPF
O3 - OSPFv3
R - Static Route (RTM)
M - MPLS
V - VRRP
VT - Vxlan Tunnel
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult VRF Clients
* 5.1.1.1 5.1.1.2 Po 30 Up 200 200 3 255 O
* 6.1.1.1 6.1.1.2 Vl 30 Up 200 200 3 255 O
* 7.1.1.1 7.1.1.
Delete session on Down: True
VRF: VRF_blue
Client Registered: OSPF
Uptime: 00:00:15
Statistics:
Number of packets received from neighbor: 78
Number of packets sent to neighbor: 78
Number of state changes: 1
Number of messages from IFA about port state change: 0
Number of messages communicated b/w Manager and Agent: 4
Session Discriminator: 6
Neighbor Discriminator: 1
Local Addr: 7.1.1.1
Local MAC Addr: 00:a0:c9:00:00:02
Remote Addr: 7.1.1.
no bfd all-neighbors
• Disable BFD sessions with all OSPF neighbors on an interface.
INTERFACE mode
ip ospf bfd all-neighbors disable
Configure BFD for OSPFv3
BFD for OSPFv3 provides support for IPv6. Configuring BFD for OSPFv3 is a two-step process:
1. Enable BFD globally.
2. Establish sessions with OSPFv3 neighbors.
Establishing BFD Sessions with OSPFv3 Neighbors for nondefault VRFs
To configure BFD in a nondefault VRF, use the following procedure:
• Enable BFD globally.
CONFIGURATION mode
bfd enable
• Establish sessions with all OSPFv3 neighbors in a specific VRF.
ROUTER-OSPFv3 mode
bfd all-neighbors
• Establish sessions with the OSPFv3 neighbors on a single interface in a specific VRF.
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 102 Up 150 150 3 511 O3
* fe80::2a0:c9ff:fe00:2 fe80::3617:98ff:fe34:12 Vl 103 Up 150 150 3 511 O3
DellEMC#
Changing OSPFv3 Session Parameters
BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPFv3 sessions or for all OSPFv3 sessions on a particular interface.
Establishing Sessions with IS-IS Neighbors
BFD sessions can be established for all IS-IS neighbors at once or for all neighbors out of a specific interface.
Figure 14. Establishing Sessions with IS-IS Neighbors
To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands.
• Establish sessions with all IS-IS neighbors.
ROUTER-ISIS mode
bfd all-neighbors
• Establish sessions with IS-IS neighbors on a single interface.
Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface. If you change a parameter globally, the change affects all IS-IS neighbors sessions.
Figure 15. Establishing Sessions with BGP Neighbors
The sample configuration shows alternative ways to establish a BFD session with a BGP neighbor:
• By establishing BFD sessions with all neighbors discovered by BGP (the bfd all-neighbors command).
• By establishing a BFD session with a specified BGP neighbor (the neighbor {ip-address | peer-group-name} bfd command).
BFD packets originating from a router are assigned to the highest priority egress queue to minimize transmission delays.
2. Specify the AS number and enter ROUTER BGP configuration mode.
CONFIGURATION mode
router bgp as-number
3. Add an IPv4 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} remote-as as-number
4. Enable the BGP neighbor.
CONFIG-ROUTERBGP mode
neighbor {ip-address | peer-group-name} no shutdown
5. Add an IPv6 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP mode
neighbor {ipv6-address | peer-group-name} remote-as as-number
6. Enable the BGP neighbor.
3. Specify the address family as IPv4.
CONFIG-ROUTERBGP mode
address-family ipv4 vrf vrf-name
4. Add an IPv4 BGP neighbor or peer group in a remote AS.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group-name} remote-as as-number
5. Enable the BGP neighbor.
CONFIG-ROUTERBGP_ADDRESSFAMILY mode
neighbor {ip-address | peer-group-name} no shutdown
6. Add an IPv6 BGP neighbor or peer group in a remote AS.
Disabling BFD for BGP
You can disable BFD for BGP. To disable a BFD for BGP session with a specified neighbor, use the first command. To remove the disabled state of a BFD for BGP session with a specified neighbor, use the second command. The BGP link with the neighbor then returns to normal operation and uses the BFD session parameters configured globally with the bfd all-neighbors command, or those configured for the peer group to which the neighbor belongs.
• Disable a BFD for BGP session with a specified neighbor.
* 2.2.2.3 2.2.2.2 Te 6/2 Up 200 200 3 B
* 3.3.3.3 3.3.3.2 Te 6/3 Up 200 200 3 B
The following example shows viewing BFD neighbors with full detail. The bold lines show the BFD session parameters: TX (packet transmission interval), RX (packet reception interval), and multiplier (maximum number of packets that may be missed before the session is declared down).
R2# show bfd neighbors detail
Session Discriminator: 9
Neighbor Discriminator: 10
Local Addr: 1.1.1.3
Local MAC Addr: 00:01:e8:66:da:33
Remote Addr: 1.1.1.
1.1.1.2  1  282  281  0  0  0    00:38:12  0
2.2.2.2  1  273  273  0  0  (0)  04:32:26  0
3.3.3.2  1  282  281  0  0  0    00:38:12  0
The following example shows viewing BFD information for a specified neighbor. The bold lines show the message displayed when you enable a BFD session with different configurations:
• Message displayed when you enable a BFD session with a BGP neighbor that inherits the global BFD session settings configured with the global bfd all-neighbors command.
Peer active in peer-group outbound optimization
...
Configure BFD for VRRP
When using BFD with VRRP, the VRRP protocol registers with the BFD manager on the route processor module (RPM). BFD sessions are established with all neighboring interfaces participating in VRRP. If a neighboring interface fails, the BFD agent on the line card notifies the BFD manager, which in turn notifies the VRRP protocol that a link state change occurred. Configuring BFD for VRRP is a three-step process:
1. Enable BFD globally.
Establishing VRRP Sessions on VRRP Neighbors
The master router does not care about the state of the backup router, so it does not participate in any VRRP BFD sessions. VRRP BFD sessions on the backup router cannot change to the UP state. Configure the master router to establish an individual VRRP session with the backup router. To establish a session with a particular VRRP neighbor, use the following command.
• Establish a session with a particular VRRP neighbor.
Disabling BFD for VRRP
If you disable any or all VRRP sessions, the sessions are torn down. A final Admin Down control packet is sent to all neighbors, and sessions on the remote system change to the Down state. To disable all VRRP sessions on an interface, the sessions for a particular VRRP group, or a particular VRRP session on an interface, use the following commands.
• Disable all VRRP sessions on an interface.
INTERFACE mode
no vrrp bfd all-neighbors
• Disable all VRRP sessions in a VRRP group.
9 Border Gateway Protocol (BGP)
Border Gateway Protocol (BGP) is an interdomain routing protocol that manages routing between edge routers. BGP uses an algorithm to exchange routing information between switches enabled with BGP. BGP determines a path to reach a particular destination using certain attributes while avoiding routing loops. BGP selects a single path as the best path to a destination network or host. You can also influence BGP to select a different path by altering some of the BGP attributes.
Figure 17. BGP Topology with autonomous systems (AS)
BGP version 4 (BGPv4) supports classless interdomain routing (CIDR), aggregate routes, and AS paths. BGP is a path vector protocol: each update carries the path (the sequence of ASs) it has traversed as it propagates through the network. An update that returns to an AS already listed in its path is detected and discarded, which prevents routing loops.
Figure 18. BGP Routers in Full Mesh
In a full mesh, every BGP speaker must peer with every other speaker, so the total number of sessions grows quadratically with the number of speakers (n speakers need n(n-1)/2 sessions). Network management quickly becomes impossible.
AS4 Number Representation
Dell EMC Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
NOTE: The ASDOT and ASDOT+ representations are supported only with the 4-Byte AS numbers feature. If 4-Byte AS numbers are not implemented, only ASPLAIN representation is supported.
• AS numbers larger than 65535 are represented in ASDOT notation as two decimal numbers separated by a dot: the high-order 16 bits, then the low-order 16 bits. For example, AS 65546 is represented as 1.10.
ASDOT representation combines the ASPLAIN and ASDOT+ representations. AS numbers less than 65536 appear in integer format (asplain); AS numbers equal to or greater than 65536 appear in the dotted format (asdot+). For example, the AS number 65526 appears as 65526 and the AS number 65546 appears as 1.10.
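Because the same AS number can appear in three forms (65546, 1.10, and in asdot+ even 100 becomes 0.100), tooling that compares a running configuration or a show ip bgp summary against a peering database has to normalize the notation before matching. The following Python is an added worked example of the three conversions as described above and of the reverse parse; it is not Dell EMC code. The valid range follows the router bgp command syntax on this page (1 to 4294967295, or 0.1 to 65535.65535 dotted); treating 0 as invalid is this example's choice.

```python
"""AS number notation: asplain, asdot and asdot+ (worked example)."""
import re

AS_MAX = 4_294_967_295
_DOTTED = re.compile(r"^(\d{1,5})\.(\d{1,5})$")


def _check(asn: int) -> int:
    if not 1 <= asn <= AS_MAX:
        raise ValueError(f"AS number {asn} out of range 1..{AS_MAX}")
    return asn


def to_asplain(asn: int) -> str:
    """Plain 32-bit integer."""
    return str(_check(asn))


def to_asdotplus(asn: int) -> str:
    """Always dotted: high-order 16 bits, '.', low-order 16 bits."""
    _check(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def to_asdot(asn: int) -> str:
    """Plain integer when it fits in 2 bytes, dotted from 65536 upwards."""
    _check(asn)
    return str(asn) if asn < 65536 else to_asdotplus(asn)


def parse_as(text: str) -> int:
    """Accept any of the three notations and return the 32-bit AS number."""
    text = text.strip()
    m = _DOTTED.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > 0xFFFF or low > 0xFFFF:
            raise ValueError(f"dotted AS {text}: each half must be 0..65535")
        return _check((high << 16) | low)
    if text.isdigit():
        return _check(int(text))
    raise ValueError(f"not an AS number: {text!r}")


def same_as(a: str, b: str) -> bool:
    """Notation-independent comparison, e.g. '1.10' == '65546'."""
    return parse_as(a) == parse_as(b)


if __name__ == "__main__":
    for asn in (100, 65526, 65546, AS_MAX):
        print(asn, to_asplain(asn), to_asdot(asn), to_asdotplus(asn))
    print(parse_as("1.10"), parse_as("65546"), parse_as("0.100"))
```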
DellEMC(conf-router_bgp)#no bgp four-octet-as-support
DellEMC(conf-router_bgp)#sho conf
!
router bgp 100
 neighbor 172.30.1.250 local-as 65057
DellEMC(conf-router_bgp)#do show ip bgp
BGP table version is 28093, local router ID is 172.30.1.57
Four-Byte AS Numbers
You can use the 4-Byte (32-bit) format when configuring autonomous system numbers (ASNs). The 4-Byte support is advertised as a new BGP capability (4-BYTE-AS) in the OPEN message.
State        Description
             If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires.
Active       The router resets the ConnectRetry timer to zero and returns to the Connect state.
OpenSent     After a successful transition to OpenSent, the router sends an Open message and waits for one in return.
OpenConfirm  After the Open message parameters are agreed between peers, the neighbor relation is established and is in the OpenConfirm state.
mode, Dell EMC Networking OS compares MED between the adjacent paths within an AS group because all paths in the AS group are from the same AS.
NOTE: The bgp bestpath as-path multipath-relax command is disabled by default, preventing BGP from load-balancing a learned route across two or more eBGP peers. To enable load-balancing across different eBGP peers, enable the bgp bestpath as-path multipath-relax command.
c. the paths were received from an IBGP or EBGP neighbor respectively.
10. If the bgp bestpath router-id ignore command is enabled and:
a. the Router-ID is the same for multiple paths (because the routes were received from the same router), skip this step.
b. the Router-ID is NOT the same for multiple paths, prefer the path that was received first as the best path. The path selection algorithm returns without performing any of the checks detailed here.
11.
Figure 20. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 21. Multi-Exit Discriminators
NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as the MED to outbound EBGP peers when redistributing routes. A configured set metric value overwrites the default IGP cost. If the outbound route-map sets the MED, it overwrites the IGP-derived MED.
Origin
The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, and INCOMPLETE.
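The LOCAL_PREF, MED and ORIGIN attributes discussed above only matter in the order the best-path algorithm consults them, and MED has the extra twist that, in the deterministic-MED mode this OS defaults to, it is compared only among paths from the same neighboring AS. The following Python is an added worked example of that decision process, not Dell EMC code and not a reproduction of the OS's exact algorithm: it models WEIGHT, LOCAL_PREF, AS_PATH length, ORIGIN, MED (deterministic grouping, with a missing MED treated as 0xffffffff as stated in this chapter), eBGP over iBGP and lowest router ID, and leaves out the cluster-length, neighbor-address, multipath and router-id-ignore steps. The Path class and the sample paths are constructed for the illustration.

```python
"""Simplified BGP best-path selection with deterministic MED (worked example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

MISSING_MED = 0xFFFFFFFF                   # a path without MED is the worst path
ORIGIN_RANK = {"i": 0, "e": 1, "?": 2}     # IGP < EGP < INCOMPLETE


@dataclass(frozen=True)
class Path:
    next_hop: str
    as_path: tuple            # leftmost element is the neighboring AS
    origin: str = "i"
    med: Optional[int] = None
    local_pref: int = 100
    weight: int = 0
    ebgp: bool = True
    router_id: str = "0.0.0.0"


def effective_med(p: Path) -> int:
    return MISSING_MED if p.med is None else p.med


def neighbor_as(p: Path) -> Optional[int]:
    return p.as_path[0] if p.as_path else None


def _rid(rid: str) -> tuple:
    return tuple(int(x) for x in rid.split("."))


def prefer(a: Path, b: Path, use_med: bool) -> Path:
    """Return the preferred of two paths, checking attributes in order."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    if use_med and effective_med(a) != effective_med(b):
        return a if effective_med(a) < effective_med(b) else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    return a if _rid(a.router_id) <= _rid(b.router_id) else b


def _reduce(paths: List[Path], use_med: bool) -> Path:
    best = paths[0]
    for p in paths[1:]:
        best = prefer(best, p, use_med)
    return best


def best_path(paths: List[Path], always_compare_med: bool = False) -> Path:
    """Deterministic MED: pick a winner per neighboring AS using MED, then
    compare the winners without MED. always_compare_med compares MED across
    all paths regardless of the neighboring AS."""
    if not paths:
        raise ValueError("no paths")
    if always_compare_med:
        return _reduce(paths, use_med=True)
    groups: Dict[Optional[int], List[Path]] = {}
    for p in paths:
        groups.setdefault(neighbor_as(p), []).append(p)
    winners = [_reduce(group, use_med=True) for group in groups.values()]
    return _reduce(winners, use_med=False)


if __name__ == "__main__":
    # Constructed paths to one prefix, learned from two neighboring ASs.
    paths = [
        Path("192.0.2.1", (65001, 65010), med=None, router_id="10.0.0.1"),
        Path("192.0.2.2", (65001, 65010), med=50, router_id="10.0.0.2"),
        Path("192.0.2.3", (65002, 65010), med=10, router_id="10.0.0.3"),
    ]
    print(best_path(paths).next_hop)                           # 192.0.2.2
    print(best_path(paths, always_compare_med=True).next_hop)  # 192.0.2.3
```

With deterministic MED the missing-MED path from AS 65001 loses to its sibling with MED 50, and the lower MED from AS 65002 is never compared against it, so the router ID breaks the tie; only always_compare_med lets the MED 10 path win. That difference is why two routers with identical policy can pick different exits if one of them has always-compare-med set.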
Example of Viewing AS Paths
DellEMC#show ip bgp paths
Total 30655 Paths
Refcount Metric Path
3   18508 701 3549 19421 i
3   18508 701 7018 14990 i
3   18508 209 4637 1221 9249 9249 i
2   18508 701 17302 i
26  18508 209 22291 i
75  18508 209 3356 2529 i
2   18508 209 1239 19265 i
1   18508 701 2914 4713 17935 i
162 18508 209 i
2   18508 701 19878 ?
31  18508 209 18756 i
2   18508 209 7018 15227 i
10  18508 209 3356 13845 i
3   18508 209 701 6347 7781 i
1   18508 701 3561 9116 21350 i
Next Hop
The next hop is the IP address used to
IPv4 and IPv6 address family
The IPv4 address family configuration in Dell EMC Networking OS is used for identifying routing sessions for protocols that use IPv4 addresses. You can specify multicast within the IPv4 address family. The default address family configuration is IPv4 unicast. You can configure VRF instances for the IPv4 address family configuration. The IPv6 address family configuration is used for identifying routing sessions for protocols that use IPv6 addresses.
Item       Default
Dampening  reuse = 750, suppress = 2000, max-suppress-time = 60 minutes
Distance   external distance = 20, internal distance = 200, local distance = 200
Timers     keepalive = 60 seconds, holdtime = 180 seconds
Add-path   Disabled
Implement BGP with Dell EMC Networking OS
The following sections describe how to implement BGP on Dell EMC Networking OS.
Ignore Router-ID in Best-Path Calculation
You can avoid unnecessary BGP best-path transitions between external paths under certain conditions. The bgp bestpath router-id ignore command reduces network disruption caused by routing and forwarding plane changes and allows for faster convergence.
AS Number Migration
With this feature you can transparently change the AS number of an entire BGP network and ensure that the routes are propagated throughout the network while the migration is in progress.
BGP4 Management Information Base (MIB) The FORCE10-BGP4-V2-MIB enhances support for BGP management information base (MIB) with many new simple network management protocol (SNMP) objects and notifications (traps) defined in draft-ietf-idr-bgp4-mibv2-05. To see these enhancements, download the MIB from the Dell website. NOTE: For the Force10-BGP4-V2-MIB and other MIB documentation, refer to the Dell iSupport web page.
Configuration Information
The software supports BGPv4 as well as the following:
• deterministic multi-exit discriminator (MED) (default)
• a path with a missing MED is treated as the worst path and assigned an MED value of 0xffffffff
• the community format follows RFC 1998
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions)
The following are not yet supported:
• auto-summarization (the default is no auto-summary)
• s
CONFIGURATION mode
router bgp as-number
• as-number: from 0 to 65535 (2 Byte), from 1 to 4294967295 (4 Byte), or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system.
NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically.
2. Add a BGP neighbor or peer and AS number.
NOTE: The show config command in CONFIGURATION ROUTER BGP mode gives the same information as the show running-config bgp command.
The following example displays two neighbors: one is an external BGP neighbor and the second one is an internal BGP neighbor. The first line of the output for each neighbor displays the AS number and states whether the link is external or internal (shown in bold). The third line of the show ip bgp neighbors output contains the BGP state.
The following example shows the show ip bgp summary command output (4-byte AS number display).
R2#show ip bgp summary
BGP router identifier 1.1.1.1, local 80000
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 40960 bytes of memory
Neighbor    AS   MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/Pfx
20.20.20.1  200  0       0       0      0   0    00:00:00 0
Changing a BGP router ID
BGP uses the configured router ID to identify the devices in the network.
• Enable ASPLAIN AS number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asplain
NOTE: ASPLAIN is the default method Dell EMC Networking OS uses and does not appear in the configuration display.
• Enable ASDOT AS number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot
• Enable ASDOT+ AS number representation.
CONFIG-ROUTER-BGP mode
bgp asnotation asdot+
The following example shows the bgp asnotation asplain command output.
• Enter the router configuration mode and the AS number.
CONFIG mode
router bgp as-number
• Add the IP address of the neighbor for the specified autonomous system.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} remote-as as-number
• Enable the neighbor.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} no shutdown
• Specify the IPv4 address family configuration.
To support your own IP addresses, interfaces, names, and so on, you can copy and paste from these examples to your CLI. Be sure that you make the necessary changes.
Example-Configuring BGP routing between peers
Example of enabling BGP in Router A
Following is an example of enabling BGP configuration in router A.
RouterA# configure terminal
RouterA(conf)# router bgp 40000
RouterA(conf-router_bgp)# bgp router-id 10.1.1.99
RouterA(conf-router_bgp)# timers bgp 80 130
RouterA(conf-router_bgp)# neighbor 192.
• You must create a peer group before adding neighbors to it.
• If you remove a configuration parameter from a peer group, the removal applies to all the neighbors configured under that peer group.
• If you have not configured a parameter for an individual neighbor in the peer group, the neighbor uses the value configured in the peer group.
• If you configure a parameter for an individual neighbor, it overrides the value set in the peer group.
• neighbor distribute-list out
• neighbor filter-list out
• neighbor next-hop-self
• neighbor route-map out
• neighbor route-reflector-client
• neighbor send-community
A neighbor may keep its configuration after it was added to a peer group if the neighbor's configuration is more specific than the peer group's and if the neighbor's configuration does not affect outgoing updates.
The following illustration shows the configurations described in the following examples. These configurations show how to create BGP areas using physical and virtual links. They include setting up the interfaces and peer groups with each other.
Figure 24. BGP peer group example configurations
Example of Enabling BGP (Router 1)
R1# conf
R1(conf)#int loop 0
R1(conf-if-lo-0)#ip address 192.168.128.1/32
R1(conf-if-lo-0)#no shutdown
R1(conf-if-lo-0)#show config
!
interface Loopback 0
 ip address 192.168.128.
R1(conf-router_bgp)#neighbor 192.168.128.2 no shut
R1(conf-router_bgp)#neighbor 192.168.128.2 update-source loop 0
R1(conf-router_bgp)#neighbor 10.0.3.33 remote 100
R1(conf-router_bgp)#neighbor 10.0.3.33 no shut
R1(conf-router_bgp)#show config
!
router bgp 99
 network 192.168.128.0/24
 neighbor 192.168.128.2 remote-as 99
 neighbor 192.168.128.2 update-source Loopback 0
 neighbor 10.0.3.33 no shutdown
 neighbor 10.0.3.
R3(conf-if-te-3/21)#show config
!
interface TengigabitEthernet 3/21
 ip address 10.0.2.3/24
 no shutdown
R3(conf-if-te-3/21)#
R3(conf-if-te-3/21)#router bgp 100
R3(conf-router_bgp)#show config
!
router bgp 100
R3(conf-router_bgp)#neighbor 10.0.3.31 remote 99
R3(conf-router_bgp)#neighbor 10.0.3.31 no shut
R3(conf-router_bgp)#neighbor 10.0.2.2 remote 99
R3(conf-router_bgp)#neighbor 10.0.2.2 no shut
R3(conf-router_bgp)#show config
!
router bgp 100
 neighbor 10.0.3.31 remote 99
 neighbor 10.0.3.
R2(conf-router_bgp)# neighbor 192.168.128.1 no shut
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB
R2(conf-router_bgp)# neighbor 192.168.128.3 no shut
R2(conf-router_bgp)#show conf
!
router bgp 99
 network 192.168.128.0/24
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor BBB peer-group
 neighbor BBB no shutdown
 neighbor 192.168.128.1 remote-as 99
 neighbor 192.168.128.1 peer-group CCC
 neighbor 192.168.128.1 update-source Loopback 0
 neighbor 192.168.128.1 no shutdown
 neighbor 192.168.128.
Advanced BGP configuration tasks The following sections describe how to configure the advanced (optional) BGP configuration tasks. Route-refresh and Soft-reconfiguration BGP soft-reconfiguration allows for faster and easier route changing. Changing routing policies typically requires a reset of BGP sessions (the TCP connection) for the policies to take effect. Such resets cause undue interruption to traffic due to hard reset of the BGP cache and the time it takes to re-establish the session.
Route-refresh
This section explains how soft-reconfiguration and route-refresh work. Soft-reconfiguration has to be configured explicitly for a neighbor, unlike route-refresh, which is negotiated automatically between BGP peers when a peer session is established. Route-refresh updates are sent only if the neighbor soft-reconfiguration inbound command is not configured for the BGP neighbor and you perform a soft reset using the clear ip bgp {neighbor-address | peer-group-name} soft in command.
 neighbor 20.1.1.2 no shutdown
 neighbor 20::2 remote-as 200
 neighbor 20::2 no shutdown
 !
 address-family ipv6 unicast
  redistribute connected
  neighbor 20::2 activate
 exit-address-family
!
DellEMC(conf-router_bgp)#do clear ip bgp 20.1.1.2 soft in
May 8 15:28:11 : BGP: 20.1.1.2 sending ROUTE_REFRESH AFI/SAFI (1/1)
May 8 15:28:12 : BGP: 20.1.1.2 UPDATE rcvd packet len 56
May 8 15:28:12 : BGP: 20.1.1.2 rcvd UPDATE w/ attr: origin ?, path 200, nexthop 20.1.1.
Configuring BGP aggregate routes
To create an aggregate route entry in the BGP routing table, use the following commands. The aggregate route is advertised from the autonomous system.
• Enter the router configuration mode and the AS number for the specific BGP routing process.
CONFIG mode
router bgp as-number
• Create an aggregate entry in the BGP routing table.
Following is a sample configuration that advertises only the aggregate and suppresses the advertisement of the more-specific routes it covers to all neighbors (the summary-only keyword).
DellEMC# configure terminal
DellEMC(conf)# router bgp 100
DellEMC(conf-router_bgp)# aggregate-address 10.1.1.0 255.255.255.0 summary-only
DellEMC(conf-router_bgp)# exit
DellEMC(conf)#
Filtering BGP
The following section describes the methods used to filter the updates received from BGP neighbors.
DellEMC(conf-router_bgp)#neigh AAA no shut
DellEMC(conf-router_bgp)#show conf
!
router bgp 99
 neighbor AAA peer-group
 neighbor AAA no shutdown
 neighbor 10.155.15.2 remote-as 32
 neighbor 10.155.15.2 shutdown
DellEMC(conf-router_bgp)#neigh 10.155.15.
1. Create a prefix list and assign it a name.
CONFIGURATION mode
ip prefix-list prefix-name
2. Create multiple prefix list filters with a deny or permit action.
CONFIG-PREFIX LIST mode
seq sequence-number {deny | permit} {any | ip-prefix [ge | le]}
• ge: minimum prefix length to be matched.
• le: maximum prefix length to be matched.
For information about configuring prefix lists, refer to Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-PREFIX LIST mode
exit
4. Enter ROUTER BGP mode.
For information about configuring route maps, see Access Control Lists (ACLs).
3. Return to CONFIGURATION mode.
CONFIG-ROUTE-MAP mode
exit
4. Enter ROUTER BGP mode.
CONFIGURATION mode
router bgp as-number
5. Filter routes based on the criteria in the configured route map.
CONFIG-ROUTER-BGP mode
neighbor {ip-address | ipv6-address | peer-group-name} filter-list as-path-name {in | out}
If you assign a non-existent or empty AS-PATH ACL, the software allows all routes. To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
DellEMC(conf)# exit
DellEMC#
In the above example, a BGP neighbor in AS 400 is added and the route map called route2 is applied to inbound routes from the BGP neighbor at 10.10.10.1. The route map route2 is created with a permit clause that matches the route's community attribute against community list 1, and community list 1 permits routes whose communities attribute is 100. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode.
fall-over enabled
Update source set to Loopback 0
Peer active in peer-group outbound optimization
For address family: IPv4 Unicast
BGP table version 52, neighbor version 52
4 accepted prefixes consume 16 bytes
Prefix advertised 0, denied 0, withdrawn 0
Connections established 6; dropped 5
Last reset 00:19:37, due to Reset by peer
Notification History
'Connection Reset' Sent : 5 Recv: 0
Local host: 20.20.20.2, Local port: 65519
Foreign host: 10.10.10.
neighbor peer-group-name subnet subnet-number mask
The peer group responds to OPEN messages sent from this subnet.
3. Enable the peer group.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name no shutdown
4. Create and specify a remote peer for the BGP neighbor.
CONFIG-ROUTER-BGP mode
neighbor peer-group-name remote-as as-number
Only after the peer group responds to an OPEN message sent on the subnet does its BGP state change to ESTABLISHED.
The following example configuration shows how to enable BGP graceful restart.
DellEMC# configure terminal
DellEMC(conf)# router bgp 400
DellEMC(conf-router_bgp)# bgp graceful-restart
DellEMC(conf-router_bgp)# exit
Redistributing Routes
In addition to filtering routes, you can add routes from other routing instances or protocols to the BGP process. You can configure the device to redistribute IS-IS, OSPF, static, or directly connected routes into the BGP process using the redistribute command.
ROUTER BGP, ROUTER BGP-address-family, ROUTER BGP-address-family-IPv6, IPv4 VRF mode, and IPv6 Unicast VRF mode
bgp redistribute-internal
The following is an example configuration of redistributing iBGP routes into OSPF with the default VRF:
!
router ospf 100
 router-id 1.1.1.1
 network 10.10.10.0/24 area 0
 redistribute bgp 65535 route-map bgp2ospf4
!
ipv6 router ospf 1
 router-id 1.1.1.1
 redistribute bgp 65535 route-map bgp2ospf6
!
router bgp 65535
 maximum-paths ibgp 8
 bgp redistribute-internal
 neighbor 20.
The following is an example configuration of redistributing iBGP routes into IS-IS with the default VRF:
router isis 100
 advertise level2-into-level1 isis_static
 is-type level-1
 net 49.1000.6000.6006.00
 redistribute static level-1
 redistribute connected
MAA-S3048-6592#
router isis 100
 metric-style wide level-1
 metric-style wide level-2
 net 49.1000.6000.6006.
Enabling Additional Paths
The additional-paths feature allows the advertisement of more paths in addition to the best path: multiple paths for the same address prefix are advertised without the new paths replacing any previous paths. The additional-paths feature is disabled by default.
NOTE: Dell EMC recommends that you do not use multipath and add-path simultaneously on a route reflector.
To allow multiple paths to be sent to peers, use the following commands.
1.
ip community-list community-list-name
2. Configure a community list by denying or permitting specific community numbers or types of community.
CONFIG-COMMUNITYLIST mode
{deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression}
• community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system.
deny 701:20
deny 702:20
deny 703:20
deny 704:20
deny 705:20
deny 14551:20
deny 701:112
deny 702:112
deny 703:112
deny 704:112
deny 705:112
deny 14551:112
deny 701:667
deny 702:667
deny 703:667
deny 704:666
deny 705:666
deny 14551:666
DellEMC#
Configure BGP attributes
The following sections explain how to configure the BGP attributes MED, COMMUNITY, WEIGHT, and LOCAL_PREFERENCE.
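A community list such as the one shown above is only as safe as its evaluation order: entries are checked top to bottom and the first match decides, so a catch-all permit placed too early makes every later deny dead. The following Python is an added worked example of that evaluation, not Dell EMC code. It accepts the AA:NN form and the well-known keywords from the CLI syntax (local-AS, no-advertise, no-export, with their RFC 1997 values), supports a regexp entry matched against the route's space-separated community string, and treats a route that matches no entry as denied; that implicit default, the CommunityList class and the sample list are assumptions made for the example.

```python
"""Community-list evaluation (worked example)."""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

Community = Tuple[int, int]

WELL_KNOWN = {  # RFC 1997 values for the keywords the CLI accepts
    "no-export": (65535, 65281),
    "no-advertise": (65535, 65282),
    "local-AS": (65535, 65283),
}


def parse_community(text: str) -> Community:
    """'AA:NN' or a well-known keyword -> (AA, NN)."""
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    aa, nn = (int(part) for part in text.split(":"))
    if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"community out of range: {text}")
    return aa, nn


def community_string(comms: Sequence[Community]) -> str:
    return " ".join(f"{aa}:{nn}" for aa, nn in comms)


@dataclass(frozen=True)
class Entry:
    action: str                              # "permit" or "deny"
    communities: Tuple[Community, ...] = ()  # route must carry all of them
    regexp: str = ""                         # alternative to communities

    def matches(self, route: Sequence[Community]) -> bool:
        if self.regexp:
            return re.search(self.regexp, community_string(route)) is not None
        return all(c in route for c in self.communities)


class CommunityList:
    def __init__(self, name: str, default_permit: bool = False):
        self.name = name
        self.default_permit = default_permit   # assumed: implicit deny
        self.entries: List[Entry] = []

    def add(self, action: str, *communities: str, regexp: str = "") -> "CommunityList":
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        comms = tuple(parse_community(c) for c in communities)
        self.entries.append(Entry(action, comms, regexp))
        return self

    def permits(self, route_communities: Sequence[str]) -> bool:
        """First matching entry wins; no match falls to the default."""
        route = tuple(parse_community(c) for c in route_communities)
        for entry in self.entries:
            if entry.matches(route):
                return entry.action == "permit"
        return self.default_permit


def build_sample_list() -> CommunityList:
    """Constructed list in the spirit of the show output above: deny a few
    transit communities and NO_EXPORT, then permit everything else."""
    cl = CommunityList("transit-filter")
    for asn in (701, 702, 703, 704, 705, 14551):
        cl.add("deny", f"{asn}:20")
        cl.add("deny", f"{asn}:112")
    cl.add("deny", "no-export")
    cl.add("permit", regexp=".*")
    return cl


if __name__ == "__main__":
    cl = build_sample_list()
    print(cl.permits(["701:20", "3356:100"]))  # False: deny 701:20 matches first
    print(cl.permits(["3356:100"]))            # True: catch-all permit
    print(cl.permits(["no-export"]))           # False
```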
1. Enter ROUTE-MAP mode and assign a name to a route map.
CONFIGURATION mode
route-map map-name [permit | deny] [sequence-number]
2. Configure a set filter to delete all COMMUNITY numbers in the IP community list.
CONFIG-ROUTE-MAP mode
set comm-list community-list-name delete
OR
set community {community-number | local-as | no-advertise | no-export | none}
Configure a community list by denying or permitting specific community numbers or types of community.
Changing the LOCAL_PREFERENCE Attribute
In Dell EMC Networking OS, you can change the value of the LOCAL_PREFERENCE attribute so that the preferred path changes. To change the default value of this attribute for all routes received by the router, use the following command.
• Change the LOCAL_PREF value.
CONFIG-ROUTER-BGP mode
bgp default local-preference value
• value: the range is from 0 to 4294967295. The default is 100.
Configuring the local System or a Different System to be the Next Hop for BGP-Learned Routes You can configure the local router or a different router as the next hop for BGP-learned routes. To change how the NEXT_HOP attribute is used, enter the first command. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. You can also use route maps to change this and other BGP attributes.
maximum-paths {ebgp | ibgp} number
Configure the following parameters:
• ebgp: Enable multipath support for external BGP routes.
• ibgp: Enable multipath support for internal BGP routes.
• number: Maximum number of parallel paths. The range is from 2 to 64.
Configure clusters of routers where one router is a concentration router and the others are clients that receive their updates from the concentration router. To configure a route reflector, use the following commands.
• Assign a cluster ID or an IP address to a route reflector cluster.
CONFIG-ROUTER-BGP mode
bgp cluster-id {ip-address | number}
• ip-address: IP address as the route reflector cluster ID.
• number: A route reflector cluster ID as a number from 1 to 4294967295.
• reuse: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value. If the Penalty value is less than the reuse value, the flapping route is once again advertised (no longer suppressed). Withdrawn routes are removed from the history state. The default is 750.
• suppress: the range is from 1 to 20000. This number is compared to the flapping route's Penalty value.
• route-map: route map that specifies the criteria for dampening.
To view a count of dampened routes, history routes, and penalized routes when you enable route dampening, look at the seventh line of the show ip bgp summary command output, as shown in the following example (bold).
DellEMC>show ip bgp summary
BGP router identifier 10.114.8.
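The reuse and suppress values above are thresholds against a penalty that decays over time, so the practical question when tuning them is how long a route that flaps a few times actually stays withdrawn. The following Python is an added worked example of that arithmetic, not Dell EMC code: each flap adds a fixed penalty, the penalty halves every half-life, a route is suppressed once the penalty exceeds suppress and reinstated once it decays below reuse or max-suppress-time runs out. reuse = 750, suppress = 2000 and max-suppress-time = 60 minutes are the defaults listed in this chapter; the 15-minute half-life, the 1000-per-flap penalty and the Dampening class are assumptions for the example (real implementations also cap the penalty, which this simplification omits).

```python
"""Route-flap dampening arithmetic (worked example). Time is in seconds."""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dampening:
    half_life_s: float = 15 * 60       # assumed
    reuse: int = 750                   # page default
    suppress: int = 2000               # page default
    max_suppress_s: float = 60 * 60    # page default
    flap_penalty: int = 1000           # assumed
    penalty: float = 0.0               # value as of t_last
    t_last: float = 0.0
    suppressed_since: Optional[float] = None

    def penalty_at(self, t: float) -> float:
        """Penalty decayed from the last update to time t."""
        return self.penalty * 0.5 ** ((t - self.t_last) / self.half_life_s)

    def flap(self, t: float) -> float:
        """Record a withdraw/re-announce at time t; return the new penalty."""
        self.penalty = self.penalty_at(t) + self.flap_penalty
        self.t_last = t
        if self.penalty > self.suppress and self.suppressed_since is None:
            self.suppressed_since = t
        return self.penalty

    def is_suppressed(self, t: float) -> bool:
        """Whether the route is withheld from advertisement at time t."""
        if self.suppressed_since is None:
            return False
        expired = t - self.suppressed_since >= self.max_suppress_s
        if expired or self.penalty_at(t) < self.reuse:
            self.suppressed_since = None   # route is advertised again
            return False
        return True

    def seconds_until_reuse(self, t: float) -> float:
        """Remaining suppression time at t (0 if the route is advertised)."""
        if not self.is_suppressed(t):
            return 0.0
        by_decay = self.half_life_s * math.log2(self.penalty_at(t) / self.reuse)
        by_cap = self.max_suppress_s - (t - self.suppressed_since)
        return min(by_decay, by_cap)


if __name__ == "__main__":
    # Constructed scenario: three flaps one minute apart.
    d = Dampening()
    for t in (0, 60, 120):
        print(f"flap at {t:4}s -> penalty {d.flap(t):7.1f} "
              f"suppressed={d.is_suppressed(t)}")
    print("seconds until reuse:", round(d.seconds_until_reuse(120)))   # about 29 min
```

Two flaps a minute apart stay just under the suppress limit; the third pushes the penalty to roughly 2867 and the route is then withheld for about 29 minutes, well inside the 60-minute cap. Lowering reuse or raising the half-life lengthens that window, which is the trade-off between damping genuinely unstable prefixes and prolonging an outage for a prefix that flapped once during maintenance.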
In the above example configuration, the BGP timers are set with a keepalive time of 80 seconds, the interval at which the system sends keepalive messages to the BGP peer, and a holdtime of 120 seconds, the time the system waits for a message from the BGP peer before concluding that the peer is dead. To view non-default values, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode.
1. Enter the router bgp mode using the following command:
CONFIGURATION Mode
router bgp as-number
2. Shut down the BGP neighbors corresponding to the IPv4 multicast address family using the following command:
ROUTER-BGP Mode
shutdown address-family-ipv4-multicast
To enable or disable BGP neighbors corresponding to the IPv6 unicast address family:
1. Enter the router bgp mode using the following command:
CONFIGURATION Mode
router bgp as-number
2.
• If the next route map entry does not contain a continue clause, the route map evaluates normally.
• If a match does not occur, the route map does not continue and falls through to the next sequence number, if one exists.
Set a Clause with a Continue Clause
If the route-map entry contains set clauses together with a continue clause, the set actions are performed first, followed by the jump to the route map entry that the continue clause specifies.
• Specify the number of prefixes that can be received from a neighbor.
CONFIG-ROUTER-BGP-AF mode
neighbor {ip-address | ipv6-address | peer-group-name} maximum-prefix maximum [threshold] [warning-only]
The following are the sample steps performed to configure a VRF, and VRF address families for IPv4 (unicast and multicast) and IPv6.
• peer-group-name: 16 characters.
• AS-number: 0 to 65535 (2-Byte) or 1 to 4294967295 (4-Byte) or 0.1 to 65535.65535 (Dotted format).
• No Prepend: specifies that local AS values are not prepended to announcements from the neighbor.
Format: IPv4 Address: A.B.C.D and IPv6 address: X:X:X:X::X.
You must configure a peer group before assigning a local AS number to it. This feature is not supported on passive peer groups.
The first line in bold shows the actual AS number.
 neighbor 10.10.21.1 no shutdown
 neighbor 10.10.32.3 remote-as 65123
 neighbor 10.10.32.3 no shutdown
 neighbor 100.10.92.9 remote-as 65192
 neighbor 100.10.92.9 local-as 6500
 neighbor 100.10.92.9 no shutdown
 neighbor 192.168.10.1 remote-as 65123
 neighbor 192.168.10.1 update-source Loopback 0
 neighbor 192.168.10.1 no shutdown
 neighbor 192.168.12.2 remote-as 65123
 neighbor 192.168.12.2 allowas-in 9
 neighbor 192.168.12.2 update-source Loopback 0
 neighbor 192.168.12.
CONFIG-ROUTER-BGP mode
address-family ipv6 [unicast | vrf vrf-name]
• unicast: Specifies the IPv6 unicast address family. The default address family is IPv6 unicast.
• vrf vrf-name: Specifies the name of the VRF instance associated with the IPv6 address-family configuration.
Enable the neighbor to exchange prefixes for the IPv6 unicast address family.
If you do not want a neighbor to exchange IPv4 unicast prefixes, you have to manually deactivate the peer with the no neighbor activate command under the CONFIGURATION-ROUTER-BGP mode. If any neighbor is already activated to exchange IPv4 multicast or IPv6 unicast prefixes, exchanging of prefixes can be deactivated using no neighbor activate command under the IPv4 multicast or IPv6 unicast address family.
Neighbor    AS  MsgRcvd MsgSent TblVer InQ OutQ Up/Down  State/Pfx
20.20.20.1  10  10      20      0      0   0    00:06:11 0
2001::1     10  40      45      0      0   0    00:03:14 0
Following is the sample output of the show ip bgp ipv4 multicast summary command.
R2# show ip bgp ipv4 multicast summary
BGP router identifier 2.2.2.2, local AS number 200
BGP local RIB : Routes to be Added 0, Replaced 0, Withdrawn 0
1 neighbor(s) using 24576 bytes of memory
Neighbor 20.20.20.
Example configuration performed in R1
DellEMC# configure terminal
DellEMC(conf)# router bgp 655
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 remote-as 20
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 auto-local-address
DellEMC(conf-router_bgp)# neighbor 10.1.1.2 no shutdown
DellEMC(conf-router_bgp)# bgp router-id 1.1.1.1
DellEMC(conf-router_bgp)# address-family ipv6 unicast
DellEMC(conf-router_bgpv6_af)# neighbor 10.1.1.
BGP Regular Expression Optimization
Dell EMC Networking OS optimizes processing time when using regular expressions by caching and re-using the results of regular expression evaluation, at the expense of some memory on the RP1 processor. BGP policies that contain regular expressions to match against AS paths and communities can take a lot of CPU processing time, which affects BGP routing convergence.
Example of the show ip bgp neighbor Command to View Last and Bad PDUs
DellEMC(conf-router_bgp)#do show ip bgp neighbors 1.1.1.2
BGP neighbor is 1.1.1.2, remote AS 2, external link
BGP version 4, remote router ID 2.4.0.
10 Content Addressable Memory (CAM)
CAM Allocation
CAM Allocation for Ingress
To allocate the space for regions such as L2 ingress ACL, IPv4 ingress ACL, IPv6 ingress ACL, IPv4 QoS, L2 QoS, PBR, VRF ACL, and so forth, use the cam-acl command in CONFIGURATION mode. The CAM space is allotted in field processor (FP) blocks. The total space allocated must equal FP blocks. The following table lists the default CAM allocation settings.
Table 13. Additional Default CAM Allocation Settings
Additional CAM Allocation Setting | Default
FCoE ACL (fcoeacl) | 0
ISCSI Opt ACL (iscsioptacl) | 0
You must enter the ipv6acl and vman-dual-qos allocations in multiples of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
NOTE: You can only have one odd number of blocks in the CLI configuration; the other blocks must be in multiples of 2.
Example of the test cam-usage Command
DellEMC#test cam-usage service-policy input test-cam-usage stack-unit 1 po 0
Stack-Unit | Portpipe | CAM Partition | Available CAM | Estimated CAM per Port | Status
2 | 0 | IPv4Flow | 192 | 3 | Allowed (64)
DellEMC#
View CAM-ACL Settings
The show cam-acl command shows the cam-acl setting that will be loaded after the next reload.
1 block = 128 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
-- Stack unit 0 --
Current Settings(in block sizes)
1 block = 128 entries
L2Acl : 6
Ipv4Acl : 4
Ipv6Acl : 0
Ipv4Qos : 2
L2Qos : 1
L2PT : 0
IpMacAcl : 0
VmanQos : 0
VmanDualQos : 0
EcfmAcl : 0
FcoeAcl : 0
iscsiOptAcl : 0
ipv4pbr : 0
vrfv4Acl : 0
Openflow : 0
fedgovacl : 0
-- Stack unit 7 --
Cu
[show cam-usage output: per-port-pipe rows for stack unit 0 and stack unit 7 listing the partitions IN-L3 ACL, IN-V6 ACL, IN-L2 ACL, OUT-L3 ACL, IN-L3 ECMP GRP, OUT-V6 ACL, and OUT-L2 ACL; the usage values did not survive extraction]
Codes: * - cam usage is above 90%.
DellEMC#
• Re-configure the CAM threshold
• Add or delete an ACL rule
Example of Syslog message on CAM usage
The following table shows a few possible scenarios in which the syslog message appears when you re-configure the CAM usage threshold value. Consider the case where the last CAM threshold was set to 90 percent and you now re-configure the CAM threshold to 80. If the current CAM usage is 85 percent, the system displays the syslog message saying that the CAM usage is above the configured CAM threshold value.
Table 14.
11 Control Plane Policing (CoPP)
Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system's control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane and rate-limits traffic to an acceptable level.
Figure 28. CoPP Implemented Versus CoPP Not Implemented
Topics:
• Configure Control Plane Policing
Configure Control Plane Policing
The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic, even though per-protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols
This section lists the commands necessary to create and enable the service policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS).
The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffic according to the ACL.
DellEMC(conf)#ipv6 access-list ipv6-icmp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit icmp
DellEMC(conf-ipv6-acl-cpuqos)#exit
DellEMC(conf)#ipv6 access-list ipv6-vrrp cpu-qos
DellEMC(conf-ipv6-acl-cpuqos)#permit vrrp
DellEMC(conf-ipv6-acl-cpuqos)#exit
The following example shows creating the QoS input policy.
2. Create an input policy-map to assign the QoS policy to the desired service queues.
CONFIGURATION mode
policy-map-input name cpu-qos
service-queue queue-number qos-policy name
3. Enter Control Plane mode.
CONFIGURATION mode
control-plane-cpuqos
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured.
queues are shared by multiple protocols. So, increasing the number of CMIC queues reduces the contention among the protocols for queue bandwidth. Currently, there are 4 queues for data and 4 for control on both front-end and back-plane ports. In stacked systems, control streams that reach standby or slave units are tunneled through the backplane ports across stack units to reach the CPU of the master unit.
• In the VLT peer routing enabled case, each VLT node has a route entry for the link-local address of both itself and the peer VLT node. The peer VLT link-local entry has the ICL link as its egress port, and the node's own link-local address has a CopyToCpu entry. NDP packets destined to the peer VLT node must still be taken to the CPU and tunneled to the peer VLT node.
• NDP packets in the VLT peer routing disabled case: NDP packets intended for the peer VLT chassis are taken to the CPU and tunneled to the peer.
1. Create an IPv6 ACL for control-plane traffic policing for OSPFv3.
CONFIGURATION mode
Dell(conf)#ipv6 access-list ospfv3 cpu-qos
Dell(conf-ipv6-acl-cpuqos)#permit ospf
2. Create a QoS input policy for the router and assign the policing.
CONFIGURATION mode
Dell(conf)#qos-policy-input ospfv3_rate cpu-qos
Dell(conf-in-qos-policy-cpuqos)#rate-police 1500 16 peak 1500 16
3. Create a QoS class map to differentiate the control-plane traffic and assign it to the ACL.
(continuation of the protocol-to-queue mapping output; the column headers were not captured on this page)
TCP (MSDP)     any/639   639/any   _   Q6   CP   _
UDP (NTP)      any       123       _   Q6   CP   _
OSPF           any       any       _   Q7   CP   _
PIM            any       any       _   Q7   CP   _
UDP (RIP)      any       520       _   Q7   CP   _
TCP (SSH)      any       22        _   Q6   CP   _
TCP (TELNET)   any       23        _   Q6   CP   _
VRRP           any       any       _   Q7   CP   _
DellEMC#
To view the queue mapping for the MAC protocols, use the show mac protocol-queue-mapping command.
12 Data Center Bridging (DCB)
Data center bridging (DCB) refers to a set of enhancements to Ethernet local area networks used in data center environments, particularly with clustering and storage area networks.
Traffic | Description
LAN traffic | LAN traffic consists of many flows that are insensitive to latency requirements, while certain applications, such as streaming video, are more sensitive to latency. Ethernet functions as a best-effort network that may drop packets in the case of network congestion.
• iSCSI storage traffic with priority 4.
In the Dell EMC Networking OS, PFC is implemented as follows:
• PFC is supported on specified 802.1p priority traffic (dot1p 0 to 7) and is configured per interface. However, only two lossless queues are supported on an interface: one for Fibre Channel over Ethernet (FCoE) converged traffic and one for Internet Small Computer System Interface (iSCSI) storage traffic. Configure the same lossless queues on all ports.
• No bandwidth limit or no ETS processing
ETS uses the DCB MIB IEEE 802.1azd2.5.
Data Center Bridging Exchange Protocol (DCBx)
DCBx allows a switch to automatically discover DCB-enabled peers and exchange configuration information. PFC and ETS use DCBx to exchange and negotiate parameters with peer devices. DCBx capabilities include:
• Discovery of DCB capabilities on peer-device connections.
• Determination of possible mismatch in DCB configuration on a peer link.
For DCB to operate effectively, you can classify ingress traffic according to its dot1p priority so that it maps to different data queues. The dot1p-queue assignments used are shown in the following table.
To enable DCB, enable either the iSCSI optimization configuration or the FCoE configuration.
To enable DCB with PFC buffers on a switch, enter the following commands, save the configuration, and reboot the system to allow the changes to take effect.
1. Enable DCB.
CONFIGURATION mode
dcb enable
2.
DCB is enabled. PFC and ETS are globally enabled by default. The default dot1p priority-queue assignments are applied as follows:
DellEMC(conf)#do show qos dot1p-queue-mapping
Dot1p Priority : 0 1 2 3 4 5 6 7
Queue : 0 0 0 1 2 3 3 3
DellEMC(conf)#
PFC is not applied on specific dot1p priorities.
ETS: Equal bandwidth is assigned to each port queue and each dot1p priority in a priority group.
• No PFC priority classes are configured (no pfc priority priority-range).
Example:
Port A —> Port B
Port C —> Port B
PFC no-drop queues are configured for queues 1 and 2 on Port B. PFC capability is enabled on priorities 3 and 4 on Port A and Port C. With Port B acting as egress, during congestion (traffic on priorities 3 and 4 from Port A and Port C is pumped at full line rate), Port A and Port C send out PFC frames to rate-limit the traffic.
Configuring PFC in a DCB Map
A switch supports the use of a DCB map in which you configure priority-based flow control (PFC) settings. To configure PFC parameters, you must apply a DCB map on an interface.
PFC Configuration Notes
PFC provides flow control based on the 802.1p priorities in converged Ethernet traffic that is received on an interface and is enabled by default when you enable DCB.
• You can enable PFC on a maximum of four priority queues on an interface. The default is two. Enabling PFC for dot1p priorities configures the corresponding port queue as lossless.
• You cannot enable PFC and link-level flow control at the same time on an interface.
Applying a DCB Map on a Port
When you apply a DCB map with PFC enabled on a switch interface, a memory buffer for PFC-enabled priority traffic is automatically allocated.
Example:
Port A —> Port B
Port C —> Port B
PFC no-drop queues are configured for queues 1 and 2 on Port B. PFC capability is enabled on priorities 3 and 4 on Port A and Port C. With Port B acting as egress, during congestion (traffic on priorities 3 and 4 from Port A and Port C is pumped at full line rate), Port A and Port C send out PFC frames to rate-limit the traffic. Egress drops are not observed on Port B since traffic on these priorities is mapped to lossless queues.
Priority-Based Flow Control Using Dynamic Buffer Method In a data center network, priority-based flow control (PFC) manages large bursts of one traffic type in multiprotocol links so that it does not affect other traffic types and no frames are lost due to congestion. When PFC detects congestion on a queue for a specified priority, it sends a pause frame for the 802.1p priority traffic to the transmitting device.
Packets that come in with packet-dot1p 2 alone are assigned to PG6 on ingress. Packets that come in with packet-dot1p 2 alone use Q1 (as per the dot1p-to-queue classification in Table 2) on the egress port.
• When the peer sends a PFC message for priority 2, based on the PRIO2COS table above (Table 2), Queue 1 is halted.
• Queue 1 starts buffering the packets with dot1p 2.
• This causes the PG6 buffer counter to increase on the ingress, since packet-dot1p 2 is mapped to PG6.
a. Enable DCB globally.
DellEMC(conf)#dcb enable
b. Apply the PFC priority configuration. Configure the priorities on which PFC is enabled.
DellEMC(conf-if-te-1/1)#pfc priority 1,2
Using PFC to Manage Converged Ethernet Traffic
To use PFC for managing converged Ethernet traffic, use the following command:
dcb-map stack-unit all dcb-map-name
Configure Enhanced Transmission Selection
ETS provides a way to optimize bandwidth allocation to outbound 802.1p classes of converged Ethernet traffic.
The default is none. Separate priority values with a comma. Specify a priority range with a dash. For example, priority-list 3,5-7.
4. Exit priority-group configuration mode.
PRIORITY-GROUP mode
exit
5. Repeat Steps 1 to 4 to configure all remaining dot1p priorities in an ETS priority group.
6. Specify the dot1p priority-to-priority group mapping for each priority.
priority-pgid dot1p0_group_num dot1p1_group_num ... dot1p7_group_num
The priority group range is from 0 to 7.
Configuring Bandwidth Allocation for DCBx CIN After you apply an ETS output policy to an interface, if the DCBx version used in your data center network is CIN, you may need to configure a QoS output policy to overwrite the default CIN bandwidth allocation. This default setting divides the bandwidth allocated to each port queue equally between the dot1p priority traffic assigned to the queue.
• Bandwidth assignment: By default, equal bandwidth is assigned to each dot1p priority in a priority group. To configure the bandwidth assigned to the port queues associated with dot1p priorities in a priority group, use the bandwidth percentage parameter.
• The sum of the bandwidth allocated to all priority groups in a DCB map must be 100% of the bandwidth on the link.
• You must allocate at least 1% of the total bandwidth to each priority group.
strict-priority scheduling (such as groups 1 and 3 in the example), the strict priority group whose traffic is mapped to one queue takes precedence over the strict priority group whose traffic is mapped to two queues. Therefore, in this example, scheduling traffic to priority group 1 (mapped to one strict-priority queue) takes precedence over scheduling traffic to priority group 3 (mapped to two strict-priority queues).
The first auto-upstream port that is capable of receiving a peer configuration is elected as the configuration source. The elected configuration source then internally propagates the configuration to other auto-upstream and auto-downstream ports. A port that receives an internally propagated configuration overwrites its local configuration with the new parameter values.
• If a configuration source is elected, the ports send an application priority TLV based on the application priority TLV received on the configuration-source port. When an application priority TLV is received on the configuration-source port, the auto-upstream and auto-downstream ports use the internally propagated PFC priorities to match against the received application priority. Otherwise, these ports use their locally configured PFC priorities in application priority TLVs.
NOTE: DCB configurations internally propagated from a configuration source do not overwrite the configuration on a DCBx port in a manual role. When a configuration source is elected, all auto-upstream ports other than the configuration source are marked as willing disabled. The internally propagated DCB configuration is refreshed on all autoconfiguration ports and each port may begin configuration negotiation with a DCBx peer again.
Figure 32. DCBx Sample Topology
DCBx Prerequisites and Restrictions
The following prerequisites and restrictions apply when you configure DCBx operation on a port:
• For DCBx, on a port interface, enable LLDP in both Send (TX) and Receive (RX) mode (the protocol lldp mode command; refer to the example in CONFIGURATION versus INTERFACE Configurations in the Link Layer Discovery Protocol (LLDP) chapter).
• If multiple DCBx peer ports are detected on a local DCBx interface, LLDP is shut down.
The default is Auto.
4. Configure the DCBx port role the interface uses to exchange DCB information.
PROTOCOL LLDP mode
[no] DCBx port-role {config-source | auto-downstream | auto-upstream | manual}
• auto-upstream: configures the port to receive a peer configuration. The configuration source is elected from auto-upstream ports.
• auto-downstream: configures the port to accept the internally propagated DCB configuration from a configuration source.
NOTE: To configure the DCBx port role the interfaces use to exchange DCB information, use the DCBx port-role command in INTERFACE Configuration mode (Step 3).
4. Configure the PFC and ETS TLVs that are advertised on unconfigured interfaces with a manual port-role.
PROTOCOL LLDP mode
[no] advertise DCBx-tlv {ets-conf | ets-reco | pfc} [ets-conf | ets-reco | pfc] [ets-conf | ets-reco | pfc]
• ets-conf: enables transmission of ETS Configuration TLVs.
• ets-reco: enables transmission of ETS Recommend TLVs.
Debugging DCBx on an Interface
To enable DCBx debug traces for all or a specific control path, use the following command.
• Enable DCBx debugging.
EXEC PRIVILEGE mode
debug DCBx {all | auto-detect-timer | config-exchng | fail | mgmt | resource | sem | tlv}
• all: enables all DCBx debugging operations.
• auto-detect-timer: enables traces for DCBx auto-detect timers.
• config-exchng: enables traces for DCBx configuration exchanges.
• fail: enables traces for DCBx failures.
The following example shows the show qos dot1p-queue-mapping command.
DellEMC(conf)# show qos dot1p-queue-mapping
Dot1p Priority: 0 1 2 3 4 5 6 7
Queue : 0 0 0 1 2 3 3 3
The following example shows the show dcb command.
DellEMC# show dcb stack-unit 2 port-set 0
DCB Status : Enabled
PFC Port Count : 56 (current), 56 (configured)
PFC Queue Count : 2 (current), 2 (configured)
The following example shows the show qos priority-groups command.
PFC Link Delay 45556 pause quanta
Application Priority TLV Parameters :
-------------------------------------
FCOE TLV Tx Status is disabled
ISCSI TLV Tx Status is disabled
Local FCOE PriorityMap is 0x8
Local ISCSI PriorityMap is 0x10
Remote FCOE PriorityMap is 0x8
Remote ISCSI PriorityMap is 0x8
0 Input TLV pkts, 1 Output TLV pkts, 0 Error pkts, 0 Pause Tx pkts, 0 Pause Rx pkts
The following table describes the show interface pfc summary command fields.
Table 22.
Field | Description
Application Priority TLV: Remote ISCSI Priority Map | Status of iSCSI advertisements in application priority TLVs from the remote peer port: enabled or disabled.
PFC TLV Statistics: Input TLV pkts | Number of PFC TLVs received.
PFC TLV Statistics: Output TLV pkts | Number of PFC TLVs transmitted.
PFC TLV Statistics: Error pkts | Number of PFC error packets received.
PFC TLV Statistics: Pause Tx pkts | Number of PFC pause frames transmitted.
[show interface ets detail output fragment: rows for priorities 5, 6, and 7 whose values did not survive extraction]
Oper status is init
ETS DCBX Oper status is Down
Reason: Port Shutdown
State Machine Type is Asymmetric
Conf TLV Tx Status is enabled
Reco TLV Tx Status is enabled
The following example shows the show interface ets detail command.
The following table describes the show interface ets detail command fields.
Table 23. show interface ets detail Command Description
Field | Description
Interface | Interface type with stack-unit and port number.
Maximum Supported TC Group | Maximum number of priority groups supported.
Number of Traffic Classes | Number of 802.1p priorities currently configured.
Admin mode | ETS mode: on or off.
The following example shows the show stack-unit all stack-ports all ets details command.
[show stack-unit all stack-ports all ets details output fragment: traffic-class group columns 0 to 8, with priorities 0,1,2,3,4,5,6,7 in one group at 100% bandwidth under ETS; the remaining values did not survive extraction]
The following example shows the show interface DCBx detail command (IEEE).
Total DCBx Frame errors 0
Total DCBx Frames unrecognized 0
The following table describes the show interface DCBx detail command fields.
Table 24. show interface DCBx detail Command Description
Field | Description
Interface | Interface type with chassis slot and port number.
Port-Role | Configured DCBx port role: auto-upstream, auto-downstream, config-source, or manual.
Honor dot1p
You can honor dot1p priorities in ingress traffic at the port or global switch level (refer to Default dot1p to Queue Mapping) using the service-class dynamic dot1p command in INTERFACE configuration mode.
Layer 2 class maps
You can use dot1p priorities to classify traffic in a class map and apply a service policy to an ingress port to map traffic to egress queues.
NOTE: Dell EMC Networking does not recommend mapping all ingress traffic to a single queue when using PFC and ETS.
CONFIGURATION mode
dcb pfc-shared-buffer-size value
dcb pfc-total-buffer-size value
The buffer size range is from 0 to 3399. The default is 3088.
3. Configure the number of PFC queues.
CONFIGURATION mode
dcb enable pfc-queues pfc-queues
The number of ports supported based on the lossless queues configured depends on the buffer. The default number of PFC queues in the system is two.
Figure 33. PFC and ETS Applied to LAN, IPC, and SAN Priority Traffic QoS Traffic Classification: The service-class dynamic dot1p command has been used in Global Configuration mode to map ingress dot1p frames to the queues shown in the following table. For more information, refer to QoS dot1p Traffic Classification and Queue Assignment.
The following describes the priority group bandwidth assignment.
Priority Group | Bandwidth Assignment
IPC | 5%
SAN | 50%
LAN | 45%
PFC and ETS Configuration Command Examples
The following examples show PFC and ETS configuration commands to manage your data center traffic.
1. Enabling DCB
DellEMC(conf)#dcb enable
2. Configure a DCB map and enable PFC and ETS
DellEMC(conf)# service-class dynamic dot1p
Or
DellEMC(conf)# interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)# service-class dynamic dot1p
3.
13 Dynamic Host Configuration Protocol (DHCP)
DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option | Number and Description
Subnet Mask | Option 1. Specifies the client's subnet mask.
Router | Option 3. Specifies the router IP addresses that may serve as the client's default gateway.
Domain Name Server | Option 6. Specifies the domain name servers (DNSs) that are available to the client.
Domain Name | Option 15. Specifies the domain name that clients should use when resolving hostnames via DNS.
1. The client initially broadcasts a DHCPDISCOVER message on the subnet to discover available DHCP servers. This message includes the parameters that the client requires and might include suggested values for those parameters.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer.
NOTE: If the DHCP server is on the top of rack (ToR) switch and the VLTi (ICL) is down due to a failed link, a VLT node rebooted in BMP (Bare Metal Provisioning) mode is not able to reach the DHCP server, resulting in BMP failure.
Configure the System to be a DHCP Server
A DHCP server is a network device that has been programmed to provide network configuration parameters to clients upon request. Servers typically serve many clients, making host management much more organized and efficient.
After an IP address is leased to a client, only that client may release the address. Dell EMC Networking OS performs an IP + MAC source address validation to ensure that no client can release another client's address. This validation is default behavior and is separate from the IP + MAC source address validation feature.
DHCP domain-name name
2. Specify, in order of preference, the DNS servers that are available to a DHCP client.
DHCP dns-server address
Using NetBIOS WINS for Address Resolution
Windows Internet Naming Service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid.
1.
• Clear DHCP binding entries for the entire binding table.
EXEC Privilege mode
clear ip dhcp binding
• Clear a DHCP binding entry for an individual IP address.
EXEC Privilege mode
clear ip dhcp binding ip address
Configure the System to be a Relay Agent
DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC Privilege mode.
Example of the show ip interface Command
R1_E600#show ip int tengigabitethernet 1/3
TenGigabitEthernet 1/3 is up, line protocol is down
Internet address is 10.11.0.1/24
Broadcast address is 10.11.0.255
Address determined by user input
IP MTU is 1500 bytes
Helper address is 192.168.0.1 192.168.0.
• Release the IP address dynamically acquired from a DHCP server from the interface.
• Disable the DHCP client on the interface so it cannot acquire a dynamic IP address from a DHCP server.
• Stop DHCP packet transactions on the interface.
When you enter the release dhcp command, the IP address dynamically acquired from a DHCP server is released from an interface. The ability to acquire a new DHCP server-assigned address remains in the running configuration for the interface.
• ip route for 0.0.0.0 takes precedence if it is present or added later.
• Management routes added by a DHCP client display with Route Source as DHCP in the show ip management route and show ip management-route dynamic command output.
• Management routes added by DHCP are automatically reinstalled if you configure a static IP route with the ip route command that replaces a management route added by the DHCP client.
DHCP Relay When DHCP Server and Client are in Different VRFs
When the DHCP server and DHCP clients belong to different VRFs on the relay agent, you can configure the system to leak routes across VRFs. You can configure the system to leak the following routes across VRFs:
• Connected routes
• The complete routing table
• Selective routes
The following illustration depicts the topology in which routes are leaked between VRFs in the relay agent.
ip route-export 1:1
!
!
route-map map1 permit 10
 match ip address ip1
!
route-map map2 permit 20
 match ip address ip2
!
ip prefix-list ip1
 seq 5 permit 20.0.0.0/24 <----- This is needed for data forwarding
 seq 10 permit 20.0.0.2/32 <---- This is specific to internal operation of DHCP relay
!
ip prefix-list ip2
 seq 5 permit 10.0.0.0/24
Non-default VRF configuration for DHCPv6 helper address
The ipv6 helper-address command is enhanced to support configuring a VRF for the DHCPv6 relay helper address.
To configure the loopback interface as the IPv4 or IPv6 DHCP relay source interface, enter the following commands in CONFIGURATION mode.
Dell(conf)# ip dhcp relay source-interface loopback 1
Dell(conf)# ipv6 dhcp relay source-interface loopback 1
When you configure the above commands in CONFIGURATION mode, the loopback interface becomes the DHCP relay source interface for forwarding DHCP packets from DHCP clients to the server.
Dell(conf-if-vl-4)# tagged fortyGigE 0/4
Dell(conf-if-vl-4)# ip helper-address vrf vrf1 100.0.0.1
Dell(conf-if-vl-4)# ipv6 helper-address vrf vrf1 100::1
Dell(conf-if-vl-4)# ip dhcp relay source-interface loopback 3
Dell(conf-if-vl-4)# ipv6 dhcp relay source-interface loopback 3
3. In the following configuration, the DHCP relay source interface is not configured on the VLAN interface.
Table 26. Circuit ID Format
VLAN ID | LAG ID | Slot ID | Port Str
723 | 0 | 1 | 1
The DHCP relay agent inserts Option 82 before forwarding DHCP packets to the server. The server can use this information to:
• Track the number of address requests per relay agent. Restricting the number of addresses available per relay agent can harden a server against address exhaustion attacks.
port are also dropped. This checkpoint prevents an attacker from impersonating a DHCP server to facilitate a man-in-the-middle attack. Binding table entries are deleted when a lease expires or when the relay agent encounters a DHCPRELEASE, DHCPNACK, or DHCPDECLINE. DHCP snooping is supported on Layer 2 and Layer 3 traffic. DHCP snooping on Layer 2 interfaces does not require a relay agent.
3. Enable IPv6 DHCP snooping on a VLAN or range of VLANs.
CONFIGURATION mode
ipv6 dhcp snooping vlan vlan-id
Adding a Static Entry in the Binding Table
To add a static entry in the binding table, use the following command.
• Add a static entry in the binding table.
Database write-delay (In minutes) : 0
DHCP packets information
Relay Information-option packets : 0
Relay Trust downstream packets : 0
Snooping packets : 0
Packets received on snooping disabled L3 Ports : 0
Snooping packets processed on L2 vlans : 142
DHCP Binding File Details
Invalid File : 0
Invalid Binding Entry : 0
Binding Entry lease expired : 0
List of Trust Ports : Te 1/4
List of DHCP Snooping Enabled Vlans : Vl 10
List of DAI Trust ports : Te 1/4
View the DHCP snooping binding table using the s
10.1.1.11   00:00:a0:00:00:00   39736   S   Vl 200   Po 10
10.1.1.25   00:00:a0:00:00:00   162     D   Vl 200   Po 10
Displaying the Contents of the DHCPv6 Binding Table
To display the contents of the DHCP IPv6 binding table, use the following command.
• Display the contents of the binding table.
EXEC Privilege mode
show ipv6 dhcp snooping binding
View the DHCP snooping statistics with the show ipv6 dhcp snooping command.
Dynamic ARP Inspection Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated against the DHCP binding table. ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device. ARP replies are accepted even when no request was sent.
Configuring dynamic ARP inspection-limit
To configure the dynamic ARP inspection rate limit on a port, perform the following task.
1. Enter global configuration mode.
EXEC Privilege mode
configure terminal
2. Select the interface to be configured.
CONFIGURATION mode
interface interface-name
3. Configure ARP packet inspection rate limiting.
INTERFACE CONFIGURATION mode
arp inspection-limit {rate pps [interval seconds]}
The rate in packets per second (pps) ranges from 1 to 2048. The default is 15.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the system verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs to the permissible VLAN.
Dell EMC Networking OS creates an ACL entry for each IP+MAC address pair, optionally with its VLAN ID, in the binding table and applies it to the interface. To display the IP+MAC ACL for an interface or for the entire system, use the show ip dhcp snooping source-address-validation [interface] command in EXEC Privilege mode.
Viewing the Number of SAV Dropped Packets
The following output of the show ip dhcp snooping source-address-validation discard-counters command displays the number of SAV dropped packets.
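As an added illustration of the Dynamic ARP Inspection, ARP rate-limit and IP source address validation checks described above (example code written for this page, not Dell EMC Networking OS code), the following Python model validates ARP frames and IP packets against a constructed binding table. The binding rows, the trusted port, the drop action when the ARP rate is exceeded, and the VLAN comparison during ARP inspection are assumptions, not behaviour the guide states.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One row of the DHCP snooping binding table: IP, MAC, VLAN, ingress interface."""
    ip: str
    mac: str
    vlan: int
    port: str


# Constructed binding table in the spirit of the show ip dhcp snooping binding
# output above (lease time and static/dynamic columns omitted).
BINDINGS = [
    Binding("10.1.1.11", "00:00:a0:00:00:01", 200, "Po 10"),
    Binding("10.1.1.25", "00:00:a0:00:00:02", 200, "Po 10"),
    Binding("10.1.2.7", "00:00:a0:00:00:03", 300, "Te 1/4"),
]
TRUSTED_PORTS = {"Te 1/4"}  # constructed: DAI trust port, as in the statistics output


class DhcpSnooper:
    def __init__(self, bindings, trusted_ports, rate_pps=15, interval=1):
        # rate_pps/interval mirror "arp inspection-limit rate pps [interval seconds]";
        # 15 pps is the default stated on the page.
        self.by_ip_mac = {(b.ip, b.mac): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.rate_pps, self.interval = rate_pps, interval
        self.arp_seen = defaultdict(deque)  # per-port ARP arrival times (seconds)

    def _rate_exceeded(self, port, now):
        window = self.arp_seen[port]
        window.append(now)
        while window and window[0] <= now - self.interval:
            window.popleft()
        return len(window) > self.rate_pps * self.interval

    def arp_inspect(self, port, vlan, sender_ip, sender_mac, now):
        """DAI decision for one ARP frame (request or unsolicited reply alike).
        Trusted ports bypass inspection; untrusted ports forward only frames whose
        sender IP/MAC/VLAN match a binding. Exceeding the ARP rate limit is modelled
        here as a drop (assumption: the page does not state the action taken)."""
        if port in self.trusted:
            return "forward"
        if self._rate_exceeded(port, now):
            return "rate-limited"
        binding = self.by_ip_mac.get((sender_ip, sender_mac))
        if binding is None or binding.vlan != vlan:
            return "drop"
        return "forward"

    def source_address_validate(self, port, vlan, src_ip, src_mac, check_vlan=False):
        """SAV decision for one IP packet: the IP+MAC pair must be bound to the
        ingress port, and optionally to the VLAN the packet arrived on."""
        binding = self.by_ip_mac.get((src_ip, src_mac))
        if binding is None or binding.port != port:
            return "drop"
        if check_vlan and binding.vlan != vlan:
            return "drop"
        return "permit"

    def sav_acl(self, port, with_vlan=False):
        """The permit entries derived for an interface: one per IP+MAC pair bound
        to that port, optionally carrying the VLAN ID."""
        rows = [b for b in self.by_ip_mac.values() if b.port == port]
        if with_vlan:
            return sorted((b.ip, b.mac, b.vlan) for b in rows)
        return sorted((b.ip, b.mac) for b in rows)


if __name__ == "__main__":
    snooper = DhcpSnooper(BINDINGS, TRUSTED_PORTS)
    # Constructed frames: a legitimate client, a spoofed reply, and a trusted port.
    print(snooper.arp_inspect("Po 10", 200, "10.1.1.11", "00:00:a0:00:00:01", 0.0))  # forward
    print(snooper.arp_inspect("Po 10", 200, "10.1.1.11", "00:00:a0:00:00:02", 0.1))  # drop
    print(snooper.arp_inspect("Te 1/4", 999, "10.9.9.9", "de:ad:be:ef:00:00", 0.2))  # forward
    print(snooper.source_address_validate("Te 1/4", 200, "10.1.1.25", "00:00:a0:00:00:02"))  # drop
    print(snooper.sav_acl("Po 10", with_vlan=True))
```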
14 Equal Cost Multi-Path (ECMP)
ECMP for Flow-Based Affinity
ECMP for flow-based affinity includes link bundle monitoring.
Configuring the Hash Algorithm
TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command.
• Change the ExaScale hash-algorithm for LAG, ECMP, and NH-ECMP to match TeraScale.
CONFIGURATION mode.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior.
NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting.
To configure the hash algorithm seed, use the following command.
• Specify the hash algorithm seed.
CONFIGURATION mode.
ip ecmp-group path-fallback
DellEMC(conf)#ip ecmp-group maximum-paths 3
User configuration has been changed. Save the configuration and reload to take effect
DellEMC(conf)#
Creating an ECMP Group Bundle
Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link-bundle (as opposed to a single link within the bundle) exceeds 60%.
1. Create a user-defined ECMP group bundle.
RTAG7

RTAG7 is a hashing algorithm that load balances the traffic within a trunk group in a controlled manner. To effectively increase the bandwidth of LAG or Equal Cost Multi-Path routes, traffic is balanced across the member links. The balancing is performed by RTAG7 hashing, which is designed to use the member links efficiently as the traffic profile becomes more diverse.
• CRC16_BISYNC_AND_XOR1 - Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor1
• CRC16_BISYNC_AND_XOR2 - Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor2
• CRC16_BISYNC_AND_XOR4 - Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor4
• CRC16_BISYNC_AND_XOR8 - Upper 8 bits of CRC16-BISYNC and lower 8 bits of xor8
• CR16 - 16 bit XOR

Flow-based Hashing for ECMP

Flow-based hashing is one of the RTAG7 hashing techniques; it caters to ECMP routing in multi-tier networks.
1. Configuring a different hash-seed value at each node - The hash seed is the primary parameter in the hash computation that determines the distribution of traffic among the ECMP paths. Configuring a different seed on each node (using "hash-algorithm seed value") results in better traffic distribution for a given flow by reducing the polarization effect.
2. Configuring the ingress port as an additional load-balancing parameter (using "load-balance ingress-port enable") reduces the polarization effect.
Figure 38. After Polarization Effect
Figure: Traffic flow after enabling flow-based hashing

When flow-based hashing is enabled at all the nodes in the multi-tier network, traffic distribution is balanced at all tiers of the network, nullifying the polarization effect. The balanced distribution results from the randomness of the flow-based hashing algorithm across the multiple nodes in a given network.
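The polarization effect described above, as an added illustration that is not part of this guide: a Python model of a two-tier ECMP fabric in which every node picks a path by hashing the flow 5-tuple. The hash is a hypothetical keyed BLAKE2b stand-in for the switch's RTAG7 hash (not the real algorithm), and the node count, seeds, port numbers and flows are constructed.

```python
import hashlib
import ipaddress
import random
from collections import Counter
from typing import Dict, List, Optional, Tuple

# A flow is identified by its 5-tuple: src IP, dst IP, IP protocol, src port, dst port.
Flow = Tuple[str, str, int, int, int]


def make_flows(count: int, rng_seed: int = 1) -> List[Flow]:
    """Constructed sample traffic (not a capture): TCP/UDP flows from 10.11.0.0/16
    hosts to 10.12.0.0/16 servers on a few well-known ports."""
    rng = random.Random(rng_seed)
    flows: List[Flow] = []
    for _ in range(count):
        src = str(ipaddress.IPv4Address(0x0A0B0000 | rng.getrandbits(16)))
        dst = str(ipaddress.IPv4Address(0x0A0C0000 | rng.getrandbits(16)))
        proto = rng.choice((6, 17))
        flows.append((src, dst, proto, rng.randrange(1024, 65536), rng.choice((53, 80, 443))))
    return flows


def flow_hash(flow: Flow, hash_seed: int, ingress_port: Optional[int] = None) -> int:
    """Hypothetical stand-in for the switch's flow hash: a keyed BLAKE2b over the
    5-tuple, keyed with the node's hash seed. When an ingress port is supplied it
    is mixed into the hashed data, mirroring what 'load-balance ingress-port
    enable' adds as a load-balancing parameter."""
    fields = "|".join(str(f) for f in flow)
    if ingress_port is not None:
        fields += "|ingress=%d" % ingress_port
    key = hash_seed.to_bytes(4, "big")
    digest = hashlib.blake2b(fields.encode(), digest_size=8, key=key).digest()
    return int.from_bytes(digest, "big")


def pick_path(flow: Flow, n_paths: int, hash_seed: int,
              ingress_port: Optional[int] = None) -> int:
    """ECMP next-hop selection: hash modulo the number of equal-cost paths."""
    return flow_hash(flow, hash_seed, ingress_port) % n_paths


def simulate(flows: List[Flow], tier1_seed: int, tier2_seed: int,
             n_paths: int = 4, use_ingress_port: bool = False) -> Dict[int, Counter]:
    """Two-tier ECMP fabric: two tier-1 nodes (same seed, as they are identical
    boxes) each spread flows over n_paths tier-2 nodes; every tier-2 node then
    spreads what it receives over n_paths uplinks. A tier-2 node's ingress port
    number is the index of the tier-1 node the flow arrived from.
    Returns, per tier-2 node, the number of flows seen on each of its uplinks."""
    uplinks: Dict[int, Counter] = {node: Counter() for node in range(n_paths)}
    for i, flow in enumerate(flows):
        tier1_node = i % 2                      # flow enters the fabric at node 0 or 1
        tier2_node = pick_path(flow, n_paths, tier1_seed)
        port = tier1_node if use_ingress_port else None
        uplink = pick_path(flow, n_paths, tier2_seed, port)
        uplinks[tier2_node][uplink] += 1
    return uplinks


def uplinks_in_use(result: Dict[int, Counter]) -> Dict[int, int]:
    """How many of its uplinks each tier-2 node actually carries traffic on.
    With the same seed at both tiers every node reports 1 (polarization)."""
    return {node: len(counts) for node, counts in result.items()}


if __name__ == "__main__":
    flows = make_flows(2000)
    print("same seed at both tiers: ", uplinks_in_use(simulate(flows, 7, 7)))
    print("different seed at tier 2:", uplinks_in_use(simulate(flows, 7, 99)))
    print("same seed + ingress port:", uplinks_in_use(simulate(flows, 7, 7, use_ingress_port=True)))
```

With identical seeds, tier-2 node n only ever receives flows whose hash is congruent to n, so it sends all of them out of uplink n and the other uplinks sit idle; a per-node seed or the ingress-port parameter breaks that correlation.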
15 FIP Snooping

The Fibre Channel over Ethernet (FCoE) Transit feature is supported on Ethernet interfaces. When you enable the switch for FCoE transit, the switch functions as a FIP snooping bridge.
NOTE: FIP snooping is not supported on Fibre Channel interfaces or in a switch stack.
The following table lists the FIP functions.
Table 28. FIP Functions
FIP Function: Description
FIP VLAN discovery: FCoE devices (ENodes) discover the FCoE VLANs on which to transmit and receive FIP and FCoE traffic.
FIP discovery: FCoE end-devices and FCFs are automatically discovered.
Initialization: FCoE devices learn ENodes from the FLOGI and FDISC to allow immediate login and create a virtual link with an FCoE switch.
Port-based ACLs: These ACLs are applied on all three port modes: on ports directly connected to an FCF, server-facing ENode ports, and bridge-to-bridge links. Port-based ACLs take precedence over global ACLs.
FCoE-generated ACLs: These take precedence over user-configured ACLs. A user-configured ACL entry cannot deny FCoE and FIP snooping frames.
The following illustration shows a switch used as a FIP snooping bridge in a converged Ethernet network.
• Check FIP snooping-enabled VLANs to ensure that they are operationally active.
• Process FIP VLAN discovery requests and responses, advertisements, solicitations, FLOGI/FDISC requests and responses, FLOGO requests and responses, keep-alive packets, and clear virtual-link messages.

FIP Snooping in a Switch Stack

FIP snooping supports switch stacking as follows:
• A switch stack configuration is synchronized with the standby stack unit.
• The existing per-VLAN and FIP snooping configuration is stored. The configuration is re-applied the next time you enable the FIP snooping feature.
• You must apply the CAM-ACL space for the FCoE region before enabling the FIP snooping feature. If you do not apply CAM-ACL space, the following error message is displayed:
DellEMC(conf)#feature fip-snooping
% Error: Cannot enable fip snooping. CAM Region not allocated for Fcoe.
• A maximum of eight VLANs is supported for FIP snooping on the switch. When enabled globally, FIP snooping processes FIP packets only in traffic from the first eight incoming VLANs. When enabled on a per-VLAN basis, FIP snooping is supported on up to eight VLANs.

Configure the FC-MAP Value

You can configure the FC-MAP value to be applied globally by the switch on all or individual FCoE VLANs to authorize FCoE traffic.
• The maximum number of FIP snooping sessions supported per ENode server is 32. To increase the maximum number of sessions to 64, use the fip-snooping max-sessions-per-enodemac command.
• The maximum number of FCFs supported per FIP snooping-enabled VLAN is twelve.
• When FCoE is configured on fanned-out ports or unusable 100G ports, a traffic outage of about 45 seconds occurs.

Configuring FIP Snooping

You can enable FIP snooping globally on all FCoE VLANs on a switch or on an individual FCoE VLAN.
Command: show fip-snooping fcf [fcf-mac-address]
Output: Displays information on the FCFs in FIP-snooped sessions, including the FCF interface and MAC address, VLAN ID, FC-MAP value, FKA advertisement period, and number of ENodes connected.
FIP Snooping enabled VLANs
VLAN   Enabled   FC-MAP
----   -------   --------
100    TRUE      0X0EFC00

The following example shows the show fip-snooping enode command.
DellEMC# show fip-snooping enode
Enode MAC           Enode Interface   FCF MAC             VLAN   FC-ID
-----------------   ---------------   -----------------   ----   --------
d4:ae:52:1b:e3:cd   Te 1/11           54:7f:ee:37:34:40   100    62:00:11

The following table describes the show fip-snooping enode command fields.
Table 32. show fip-snooping enode Command Description
Field: Description
ENode MAC: MAC address of the ENode.
Number of FLOGI Accepts                            :2
Number of FLOGI Rejects                            :0
Number of FDISC Accepts                            :16
Number of FDISC Rejects                            :0
Number of FLOGO Accepts                            :0
Number of FLOGO Rejects                            :0
Number of CVL                                      :0
Number of FCF Discovery Timeouts                   :0
Number of VN Port Session Timeouts                 :0
Number of Session failures due to Hardware Config  :0
DellEMC(conf)#

DellEMC# show fip-snooping statistics int tengigabitethernet 1/11
Number of Vlan Requests                  :1
Number of Vlan Notifications             :0
Number of Multicast Discovery Solicits   :1
Number of Unicast Dis
Field: Description
Number of Multicast Discovery Solicits: Number of FIP-snooped multicast discovery solicit frames received on the interface.
Number of Unicast Discovery Solicits: Number of FIP-snooped unicast discovery solicit frames received on the interface.
Number of FLOGI: Number of FIP-snooped FLOGI request frames received on the interface.
Number of FDISC: Number of FIP-snooped FDISC request frames received on the interface.
FCoE Transit Configuration Example

The following illustration shows a switch used as a FIP snooping bridge for FCoE traffic between an ENode (server blade) and an FCF (ToR switch). The ToR switch operates as an FCF and FCoE gateway.
Figure 41. Configuration Example: FIP Snooping on a Switch
In this example, DCBx and PFC are enabled on the FIP snooping bridge and on the FCF ToR switch.
DellEMC(conf-if-te-1/1)# protocol lldp
DellEMC(conf-if-te-1/1-lldp)# dcbx port-role auto-downstream
NOTE: A port is enabled by default for bridge-ENode links.
16 FIPS Cryptography

Federal Information Processing Standard (FIPS) cryptography provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module. This chapter describes how to enable FIPS cryptography requirements on Dell EMC Networking platforms.
• All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, are closed.
• Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
• FIPS mode is enabled.
• If the SSH server is enabled when you enter the fips mode enable command, it is re-enabled for version 2 only.
• If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command.
• The Telnet server re-enables (if it is present in the configuration).
• New 1024-bit RSA and RSA1 host key-pairs are created.
To disable FIPS mode, use the following command.
• Disable FIPS mode from a console port. CONFIGURATION mode
no fips mode enable
The following warning message displays:
WARNING: Disabling FIPS mode will close all SSH/Telnet connections, restart those servers, and destroy all configured host keys.
17 Force10 Resilient Ring Protocol (FRRP)

FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or a large campus. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of the network and the node of failure) and may require 4 to 5 seconds to reconverge.
Ring Status

The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure.

Ring Checking

At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port, and the Master node resets its fail-period timer and continues normal operation.
Figure 42. Example of Multiple Rings Connected by Single Switch

Important FRRP Points

FRRP provides a convergence time that can generally range between 150ms and 1500ms for Layer 2 networks. The Master node originates a high-speed frame that circulates around the ring. This frame, appropriately, sets up or breaks down the ring.
• The Master node transmits ring status check frames at specified intervals.
• You can run multiple physical rings on the same switch.
Important FRRP Concepts

The following table lists some important FRRP concepts.
Concept: Explanation
Ring ID: Each ring has a unique 8-bit ring ID through which the ring is identified (for example, FRRP 101 and FRRP 202, as shown in the illustration in Member VLAN Spanning Two Rings Connected by One Switch).
Control VLAN: Each ring has a unique Control VLAN through which tagged ring health frames (RHF) are sent. Control VLANs are used only for sending RHFs and cannot be used for any other purpose.
• Each ring has only one Master node; all others are transit nodes.

FRRP Configuration

These are the tasks to configure FRRP.
3. Assign the Primary and Secondary ports and the control VLAN for the ports on the ring. CONFIG-FRRP mode.
interface primary interface secondary interface control-vlan vlan-id
Interface:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport] information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
4. Configure the Master node. CONFIG-FRRP mode.
mode master
5. Identify the Member VLANs for this FRRP group. CONFIG-FRRP mode.
member-vlan vlan-id {range}
VLAN-ID, Range: VLAN IDs for the ring's Member VLANs.
6. Enable this FRRP group on this switch. CONFIG-FRRP mode.
no disable

Setting the FRRP Timers

To set the FRRP timers, use the following command.
NOTE: Set the Dead-Interval to 3 times the Hello-Interval.
• Enter the desired intervals for the Hello-Interval or Dead-Interval times. CONFIG-FRRP mode.
Troubleshooting FRRP

To troubleshoot FRRP, use the following information.
Configuration Checks
• Each Control Ring must use a unique VLAN ID.
• Only two interfaces on a switch can be Members of the same control VLAN.
• There can be only one Master node for any FRRP group.
• You can configure FRRP on Layer 2 interfaces only.
• Spanning Tree (if you enable it globally) must be disabled on both Primary and Secondary interfaces when you enable FRRP.
interface Vlan 201
 no ip address
 tagged TenGigabitEthernet 2/14,31
 no shutdown
!
protocol frrp 101
 interface primary TenGigabitEthernet 2/14 secondary TenGigabitEthernet 2/31 control-vlan 101
 member-vlan 201
 mode transit
 no disable

Example of R3 TRANSIT

interface TenGigabitEthernet 3/14
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 3/21
 no ip address
 switchport
 no shutdown
!
interface Vlan 101
 no ip address
 tagged TenGigabitEthernet 3/14,21
 no shutdown
!
interface Vlan 201
 no ip addres
Figure 43. FRRP Ring Connecting VLT Devices

You can also configure an FRRP ring where both VLT peers are connected to the FRRP ring and the VLTi acts as the primary interface for the FRRP Master and transit nodes. This active-active FRRP configuration blocks the FRRP ring on a per-VLAN or VLAN-group basis, enabling the configuration to span different sets of VLANs.
multiple member VLANs are configured (for example, M1 to M10) that carry the data traffic across the FRRP rings. The secondary port P2 is tagged to the control VLAN (V1). The VLTi is implicitly tagged to the member VLANs when these VLANs are configured on the VLT peer. As a result of the VLT Node2 configuration on R2, the secondary interface P2 is blocked for the member VLANs (M11 to Mn). The following figure illustrates the FRRP Ring R1 topology:
Figure 44.
18 GARP VLAN Registration Protocol (GVRP)

The generic attribute registration protocol (GARP) VLAN registration protocol (GVRP), defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and deregister attribute values, such as VLAN IDs, with each other.
Configure GVRP

To begin, enable GVRP. To facilitate GVRP communications, enable GVRP globally on each switch. Then, GVRP configuration is per interface on a switch-by-switch basis. Enable GVRP on each port that connects to a switch where you want GVRP information exchanged. In the following example, GVRP is configured on VLAN trunk ports.
Figure 45. Global GVRP Configuration Example
Basic GVRP configuration is a two-step process:
1. Enabling GVRP Globally
2. Enabling GVRP on a Layer 2 Interface
gvrp enable
DellEMC(conf)#protocol gvrp
DellEMC(config-gvrp)#no disable
DellEMC(config-gvrp)#show config
!
protocol gvrp
 no disable
DellEMC(config-gvrp)#
To inspect the global configuration, use the show gvrp brief command.

Enabling GVRP on a Layer 2 Interface

To enable GVRP on a Layer 2 interface, use the following command.
• Enable GVRP on a Layer 2 interface.
Configure a GARP Timer

Set GARP timers to the same values on all devices that are exchanging information using GVRP. There are three GARP timer settings.
• Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell EMC Networking OS default is 200ms.
19 High Availability (HA)

High availability (HA) is supported on Dell EMC Networking OS. HA is a collection of features that preserves system continuity by maximizing uptime and minimizing packet loss during system disruptions. To support all the features within the HA collection, you should have the latest boot code. The following table lists the boot code requirements as of this Dell EMC Networking OS release.
Table 35. Boot Code Requirements
Component   Boot Code
S4048–ON 1 2.0.
Peer Stack-unit:            not present

-- Stack-unit Redundancy Configuration ------------------------------------------------
Primary Stack-unit:         mgmt-id 0
Auto Data Sync:             Full
Failover Type:              Hot Failover
Auto reboot Stack-unit:     Enabled
Auto failover limit:        3 times in 60 minutes

-- Stack-unit Failover Record ------------------------------------------------
Failover Count:             0
Last failover timestamp:    None
Last failover Reason:       None
Last failover type:         None

-- Last Data Block Sync Record: ------------------------------
CONFIGURATION mode
redundancy disable-auto-reboot

Pre-Configuring a Stack Unit Slot

You may also pre-configure an empty stack unit slot with a logical stack unit. To pre-configure an empty stack unit slot, use the following command.
• Pre-configure an empty stack unit slot with a logical stack unit. CONFIGURATION mode
stack-unit unit_id provision S4048–ON
After creating the logical stack unit, you can configure the interfaces on the stack unit as if it were present.
Software Resiliency

During normal operations, Dell EMC Networking OS monitors the health of both hardware and software components in the background to identify potential failures, even before these failures manifest.

Software Component Health Monitoring

On each of the line cards and the stack unit, there are a number of software components.
Hot-Lock Behavior

Dell EMC Networking OS hot-lock features allow you to append and delete their corresponding content addressable memory (CAM) entries dynamically without disrupting traffic. Existing entries are simply shuffled to accommodate new entries. Hot-Lock IP ACLs allow you to append rules to, and delete rules from, an access control list (ACL) that is already written to CAM. This behavior is enabled by default and is available for both standard and extended ACLs on ingress and egress.
20 Internet Group Management Protocol (IGMP)

Internet group management protocol (IGMP) is a Layer 3 multicast protocol that hosts use to join or leave a multicast group. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. Multicast routing protocols (such as protocol-independent multicast [PIM]) use the information in IGMP messages to discover which groups are active and to populate the multicast routing table.
Figure 46. IGMP Messages in IP Packets

Join a Multicast Group

There are two ways that a host may join a multicast group: it may respond to a general query from its querier, or it may send an unsolicited report to its querier.

Responding to an IGMP Query

The following describes how a host can join a multicast group.
1. One router on a subnet is elected as the querier. The querier periodically multicasts (to the all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet.
2.
• To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered.
• An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host's third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts, so the request is recorded.
Figure 49.
Figure 50. Membership Queries: Leaving and Staying

Configure IGMP

Configuring IGMP is a two-step process.
1. Enable multicast routing using the ip multicast-routing command.
2. Enable a multicast routing protocol.
• View IGMP-enabled IPv4 interfaces. EXEC Privilege mode
show ip igmp interface
• View IGMP-enabled IPv6 interfaces. EXEC Privilege mode
show ipv6 mld interface
DellEMC#show ip igmp interface
TenGigabitEthernet 3/10
  Inbound IGMP access group is not set
  Internet address is 165.87.34.
Viewing IGMP Groups

To view both learned and statically configured IGMP groups, use the following command.
• View both learned and statically configured IGMP groups. EXEC Privilege mode
show ip igmp groups
show ipv6 mld groups
DellEMC# show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface
225.1.1.1       TenGigabitEthernet 1/1
225.1.2.
• INTERFACE mode
ipv6 mld query-max-response-time
• Adjust the last member query interval. INTERFACE mode
ip igmp last-member-query-interval
• Adjust the amount of time the querier waits, for the initial query response, before sending the next IPv6 query.
Figure 51. Preventing a Host from Joining a Group

The following table lists the location and description shown in the previous illustration.
Table 36. Preventing a Host from Joining a Group — Description
Location: Description
1/21:
• Interface TenGigabitEthernet 1/21
• ip pim sparse-mode
• ip address 10.11.12.1/24
• no shutdown
1/31:
• Interface TenGigabitEthernet 1/31
• ip pim sparse-mode
• ip address 10.11.13.
Location: Description
2/11:
• Interface TenGigabitEthernet 2/11
• ip pim sparse-mode
• ip address 10.11.12.2/24
• no shutdown
2/31:
• Interface TenGigabitEthernet 2/31
• ip pim sparse-mode
• ip address 10.11.23.1/24
• no shutdown
3/1:
• Interface TenGigabitEthernet 3/1
• ip pim sparse-mode
• ip address 10.11.5.1/24
• no shutdown
3/11:
• Interface TenGigabitEthernet 3/11
• ip pim sparse-mode
• ip address 10.11.13.
IGMP Snooping

IGMP snooping enables switches to use information in IGMP packets to generate a forwarding table that associates ports with multicast groups, so that when they receive multicast frames, they can forward them only to interested receivers. Multicast packets are addressed with multicast MAC addresses, which represent a group of devices rather than one unique device.
show config
DellEMC(conf-if-vl-100)#show config
!
interface Vlan 100
 no ip address
 ip igmp snooping fast-leave
 shutdown
DellEMC(conf-if-vl-100)#

Disabling Multicast Flooding

If the switch receives a multicast packet that has an IP address of a group it has not learned (an unregistered frame), the switch floods that packet out of all ports on the VLAN. When you configure the no ip igmp snooping flood command, the system drops the packets immediately.
ip igmp snooping last-member-query-interval

Fast Convergence after MSTP Topology Changes

When a port transitions to the Forwarding state as a result of an STP or MSTP topology change, Dell EMC Networking OS sends a general query out of all ports except the multicast router ports. The host sends a response to the general query and the forwarding database is updated without having to wait for the query interval to expire.
Application Name   Port Number                                            Client      Server
FTP                20/21                                                  Supported   Supported
Syslog             514                                                    Supported
Telnet             23                                                     Supported
TFTP               69                                                     Supported
Radius             1812,1813                                              Supported
Tacacs             49                                                     Supported
HTTP               80 for httpd                                           Supported   Supported
                   443 for secure httpd
                   8008 HTTP server port for confd application
                   8888 secure HTTP server port for confd application
If you configure a source interface for any EIS management application, EIS might not coexist with that interface and the behavior is undefined in su
• For all non-management applications, traffic exits either the front-end data port or the management port based on a route lookup in the default routing table.
• Ping and traceroute are always non-management applications, and the route lookup for these applications is done in the default routing table only.
• For ping and traceroute utilities initiated from the switch, if reachability needs to be tested through routes in the management EIS routing table, you must configure ICMP as a management application.
• Therefore, there is no separate control over clearing the ARP entries learned through routes in the EIS table. If the ARP entry for a destination is cleared in the default routing table and an ARP entry for that destination exists in the EIS table, that entry is also cleared.
• Because fallback support is removed, if the management port is down or the route lookup in the EIS table fails, packets are dropped.
Traffic type / Application type: Non-EIS management application
Rows: Switch initiated traffic; Switch-destined traffic; Transit Traffic
Cell text (column assignment not recoverable from the extracted table):
• route lookup fails, packets are dropped.
• on route lookup in EIS table. If management port is down or route lookup fails, packets are dropped
• blocked
• Front-end default route will take higher precedence over management default route and SSH session to an unknown destination uses the front-end default route only.
• No change in the existing behavior.
Protocol                                   Behavior when EIS is Enabled   Behavior when EIS is Disabled
ftp                                        EIS Behavior                   Default Behavior
ntp                                        EIS Behavior                   Default Behavior
radius                                     EIS Behavior                   Default Behavior
Sflow-collector                            Default Behavior
Snmp (SNMP Mib response and SNMP Traps)    EIS Behavior                   Default Behavior
ssh                                        EIS Behavior                   Default Behavior
syslog                                     EIS Behavior                   Default Behavior
tacacs                                     EIS Behavior                   Default Behavior
telnet                                     EIS Behavior                   Default Behavior
tftp                                       EIS Behavior                   Default Behavior
icmp (ping and tracerout
Interworking of EIS With Various Applications

Stacking
• The management EIS is enabled on the master and the standby unit.
• Because traffic can be initiated from the Master unit only, the preference for the management EIS table for switch-initiated traffic, and all its related ARP processing, is handled in the Master unit only.
• ARP-related processing for switch-destined traffic is done by both master and standby units.

VLT
The VLT feature is for the front-end port only.
21 Interfaces

This chapter describes interface types, both physical and logical, and how to configure them with Dell EMC Networking Operating System (OS). The system supports 10 Gigabit Ethernet and 40 Gigabit Ethernet interfaces.
NOTE: Only Dell-qualified optics are supported on these interfaces. Non-Dell 40G optics are set to the error-disabled state.
• Monitoring and Maintaining Interfaces
• Non Dell-Qualified Transceivers
• Splitting 40G Ports without Reload
• Splitting QSFP Ports to SFP+ Ports
• Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port
• Link Dampening
• Link Bundle Monitoring
• Using Ethernet Pause Frames for Flow Control
• Configure the MTU Size on an Interface
• Port-Pipes
• Auto-Negotiation on Ethernet Interfaces
• View Advanced Interface Information
• Configuring the Traffic Sampling Size Globally
• Dynamic Counters
• Discard Count
Medium is MultiRate, Wavelength is 1310nm
XFP receive power reading is -3.7685
Interface index is 67436603
Internet address is 65.113.24.
Resetting an Interface to its Factory Default State

You can reset the configurations applied on an interface to its factory default state. To reset the configuration, perform the following steps:
1. View the configurations applied on an interface. INTERFACE mode
show config
DellEMC(conf-if-te-1/5)#show config
!
interface TenGigabitEthernet 1/5
 no ip address
 portmode hybrid
 switchport
 rate-interval 8
 mac learning-limit 10 no-station-move
 no shutdown
2. Reset an interface to its factory default state.
Stack-unit interfaces support Layer 2 and Layer 3 traffic over the 10-Gigabit and 40-Gigabit Ethernet interfaces. These interfaces can also become part of virtual interfaces such as virtual local area networks (VLANs) or port channels. For more information about VLANs, refer to Bulk Configuration. For more information on port channels, refer to Port Channel Interfaces.
Dell EMC Networking OS Behavior: The system uses a single MAC address for all physical interfaces.
 no shutdown
DellEMC(conf-if)#

Configuring Layer 2 (Interface) Mode

To configure an interface in Layer 2 mode, use the following commands.
• Enable the interface. INTERFACE mode
no shutdown
• Place the interface in Layer 2 (switching) mode. INTERFACE mode
switchport
To view the interfaces in Layer 2 mode, use the show interfaces switchport command in EXEC mode.

Configuring Layer 3 (Network) Mode

When you assign an IP address to a physical interface, you place it in Layer 3 mode.
Add the keyword secondary if the IP address is the interface's backup IP address. You can only configure one primary IP address per interface. You can configure up to 255 secondary IP addresses on a single interface. To view all interfaces with an IP address assigned, use the show ip interfaces brief command in EXEC mode, as shown in View Basic Interface Information. To view IP information on an interface in Layer 3 mode, use the show ip interface command in EXEC Privilege mode.
2. Configure the recovery time-out interval. You can enter an interval in the range of 30 to 86,400 seconds. The default is 300 seconds. CONFIGURATION mode
errdisable recovery interval seconds
NOTE: In Dell EMC Networking OS, for optimal performance of FEFD, the best practice is to set the error-disable recovery timer to a value not exceeding 30 seconds, with the FEFD interval set to the default.
Management Interfaces

The system supports the Management Ethernet interface as well as the standard interface on any port. You can use either method to connect to the system.

Configuring Management Interfaces

The dedicated Management interface provides management access to the system. You can configure this interface using the CLI, but the configuration options on this interface are limited.
Alternatively, you can use the virtual-ip command to manage a system with one or two RPMs. A virtual IP is an IP address assigned to the system (not to any management interfaces) and is a CONFIGURATION mode command. When a virtual IP address is assigned to the system, the active management interface of the RPM is recognized by the virtual IP address — not by the actual interface IP address assigned to it.
C    10.11.130.0/23    Direct, Te 1/1    0/0    1d2h
DellEMC#

VLAN Interfaces

VLANs are logical interfaces and are, by default, in Layer 2 mode. Physical interfaces and port channels can be members of VLANs. For more information about VLANs and Layer 2, see Layer 2 and Virtual LANs (VLANs).
NOTE: To monitor VLAN interfaces, use Management Information Base for Network Management of TCP/IP-based internets: MIB-II (RFC 1213).
Null Interfaces

The Null interface is another virtual interface. There is only one Null interface. It is always up, but no traffic is transmitted through this interface. To enter INTERFACE mode of the Null interface, use the following command.
• Enter INTERFACE mode of the Null interface. CONFIGURATION mode
interface null 0
The only configurable command in INTERFACE mode of the Null interface is the ip unreachable command.
Port Channel Benefits

A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface. For example, you configure one IP address for the group and that IP address is used for all routed traffic on the port channel. With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links.
• Adding a Physical Interface to a Port Channel (mandatory)
• Reassigning an Interface to a New Port Channel (optional)
• Configuring the Minimum Oper Up Links in a Port Channel (optional)
• Adding or Removing a Port Channel from a VLAN (optional)
• Assigning an IP Address to a Port Channel (optional)
• Deleting or Disabling a Port Channel (optional)
• Load Balancing Through Port Channels (optional)

Creating a Port Channel

You can create up to 128 port channels with up to 16 port members per group on the
To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell EMC Networking OS recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1. Remove the interface from the first port channel.
• Add the port channel to the VLAN as a tagged interface. INTERFACE VLAN mode
tagged port-channel id number
An interface with tagging enabled can belong to multiple VLANs.
• Add the port channel to the VLAN as an untagged interface. INTERFACE VLAN mode
untagged port-channel id number
An interface without tagging enabled can belong to only one VLAN.
• Remove the port channel with tagging enabled from the VLAN.
Deleting or Disabling a Port Channel

To delete or disable a port channel, use the following commands.
• Delete a port channel. CONFIGURATION mode
no interface port-channel channel-number
• Disable a port channel.
shutdown
When you disable a port channel, all interfaces within the port channel are also operationally down.

Load Balancing Through Port Channels

Dell EMC Networking OS uses hash algorithms to distribute traffic evenly over channel members in a port channel (LAG).
Bulk Configuration
Bulk configuration lets you apply a command to many interfaces at once. Before applying it, the system checks whether each physical interface in the set is present and whether each logical interface is configured.
Interface Range
An interface range is a set of interfaces to which other commands may be applied; it may be created if there is at least one valid interface within the range. Bulk configuration excludes any non-existing interfaces in an interface range from the configuration.
Create a Multiple-Range
The following is an example of multiple ranges.
Example of the interface range Command (Multiple Ranges)
DellEMC(conf)#interface range tengigabitethernet 1/5 - 1/10 , tengigabitethernet 1/1 , vlan 1
DellEMC(conf-if-range-te-1/1,te-1/5-1/10,vl-1)#
Exclude Duplicate Entries
The following is an example showing how duplicate entries are omitted from the interface-range prompt.
To define an interface-range macro, use the following command. • Defines the interface-range macro and saves it in the running configuration file.
Traffic statistics:        Current    Rate
  Input bytes:             0          0 Bps
  Output bytes:            0          0 Bps
  Input packets:           0          0 pps
  Output packets:          0          0 pps
  64B packets:             0          0 pps
  Over 64B packets:        0          0 pps
  Over 127B packets:       0          0 pps
  Over 255B packets:       0          0 pps
  Over 511B packets:       0          0 pps
  Over 1023B packets:      0          0 pps
Error statistics:
  Input underruns:         0          0
  Input giants:            0          0
  Input throttles:         0          0
  Input CRC:               0
  Input IP checksum:       0
  Input overrun:           0
  Output underruns:        0
  Output throttles:        0
m - Change mode    l - Page up    T - Increase refresh interval    q - Quit
The following command output shows that the interface is in the error-disabled state:
DellEMC#show interfaces fortyGigE 1/50
fortyGigE 1/50 is up, line protocol is down(error-disabled[Transceiver Unsupported])
Hardware is DellEMCEth, address is 34:17:eb:f2:25:c6
    Current address is 34:17:eb:f2:25:c6
Non-qualified pluggable media present, QSFP type is 40GBASE-SR4
    Wavelength is 850nm
    No power
Interface index is 2103813
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :3417ebf225
Dell(conf)#Jan 1 13:37:01: %STKUNIT1-M:CP %IFMGR-5-DYNAMIC_FANOUT: Port 49 in slot 1 has been fanned-out
TenGigabitEthernet 1/49/1    unassigned    NO    Manual    administratively down    down
TenGigabitEthernet 1/49/2    unassigned    NO    Manual    administratively down    down
TenGigabitEthernet 1/49/3    unassigned    NO    Manual    administratively down    down
TenGigabitEthernet 1/49/4    unassigned    NO    Manual    administratively down    down
The following example shows the split interfaces:
Dell#show interfaces status
Port        Description
Te 1/49/1
Te 1/4
NOTE: To revert the port mode to 40G, use the no stack-unit stack-unit-number port port-number portmode quad command.
Important Points to Remember
• Splitting a 40G port into four 10G ports is supported on standalone and stacked units.
• You cannot use split ports as a stack-link to stack a system.
• To verify port splitting, use the show system stack-unit stack-unit-number fanout {count | configure} command.
• QSFP port 4 is connected to a QSA with SFP optical cables plugged in.
• QSFP port 8 in fanned-out mode is plugged in with QSFP optical cables.
• QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
Link Dampening
Interface state changes occur when interfaces are administratively brought up or down or when the link state changes. Every time an interface changes state or flaps, routing protocols are notified of the status of the routes affected by the change, and those protocols must then re-converge. Flapping therefore puts the entire network at risk of transient loops and black holes.
Figure 52. Interface State Change
Consider an interface that flaps periodically, as shown above. Every time the interface goes down, a penalty of 1024 is added. In the example, the first flap (flap 1) raises the penalty to 1024. The accumulated penalty then decays exponentially according to the configured half-life, which is 10 seconds in the example. At the second flap (flap 2), another 1024 is added to whatever penalty remains.
Enabling Link Dampening
To enable link dampening, use the following command.
• Enable link dampening.
  INTERFACE mode
  dampening
To view the link dampening configuration on an interface, use the show config command. The four values that follow dampening in the output are the half-life, reuse threshold, suppress threshold, and maximum suppress time.
R1(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 ip address 10.10.19.1/24
 dampening 1 2 3 4
 no shutdown
To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
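The penalty arithmetic described above can be checked without a switch. The following Python simulator is an added example, not Dell EMC Networking OS code: it applies the guide's 1024-per-flap penalty and half-life decay, and treats the four dampening arguments as half-life, reuse threshold, suppress threshold and maximum suppress time. The threshold semantics (suppress once the penalty exceeds the suppress threshold, advertise again once it decays below the reuse threshold or the maximum suppress time expires) are an assumption modelled on route-flap dampening, and the numeric values used are illustrative.

```python
"""Link-dampening penalty simulator (added example, not Dell EMC code)."""
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

FLAP_PENALTY = 1024.0  # penalty added on every down transition, as the guide states


@dataclass
class DampenedInterface:
    half_life: float          # seconds for the accumulated penalty to halve
    reuse: float              # advertise again once the penalty decays below this (assumed semantics)
    suppress: float           # stop advertising once the penalty exceeds this (assumed semantics)
    max_suppress_time: float  # upper bound, in seconds, on one suppression period (assumed semantics)
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed_since: Optional[float] = None

    def decayed_penalty(self, now: float) -> float:
        """Exponential decay: the penalty halves every half_life seconds."""
        return self.penalty * math.pow(2.0, -(now - self.last_update) / self.half_life)

    def _release_if_due(self, now: float) -> None:
        if self.suppressed_since is None:
            return
        below_reuse = self.decayed_penalty(now) < self.reuse
        timed_out = now - self.suppressed_since >= self.max_suppress_time
        if below_reuse or timed_out:
            self.suppressed_since = None

    def flap(self, now: float) -> float:
        """Record a down event at time `now`; returns the new accumulated penalty."""
        self._release_if_due(now)
        self.penalty = self.decayed_penalty(now) + FLAP_PENALTY
        self.last_update = now
        if self.suppressed_since is None and self.penalty > self.suppress:
            self.suppressed_since = now
        return self.penalty

    def status(self, now: float) -> Tuple[str, float]:
        """('suppressed' | 'advertised', penalty at `now`) without changing state."""
        p = self.decayed_penalty(now)
        if self.suppressed_since is None:
            return "advertised", p
        if p < self.reuse or now - self.suppressed_since >= self.max_suppress_time:
            return "advertised", p
        return "suppressed", p


def simulate(intf: DampenedInterface, flap_times: List[float],
             probe_times: List[float]) -> List[Tuple[float, str, float]]:
    """Replay flaps in time order and report the interface state at each probe time."""
    events = sorted([(t, "flap") for t in flap_times] + [(t, "probe") for t in probe_times])
    report = []
    for t, kind in events:
        if kind == "flap":
            intf.flap(t)
        else:
            state, p = intf.status(t)
            report.append((t, state, round(p, 1)))
    return report


if __name__ == "__main__":
    # half-life 10 s, reuse 750, suppress 2000, max-suppress 60 s: illustrative values only
    link = DampenedInterface(half_life=10, reuse=750, suppress=2000, max_suppress_time=60)
    for row in simulate(link, flap_times=[0, 5, 10], probe_times=[4, 9, 11, 25, 30]):
        print(row)
```

With three flaps five seconds apart and a 10-second half-life, the third flap pushes the penalty to about 2260, above the 2000 suppress threshold; the interface is then held down until the penalty decays below 750 roughly 16 seconds later, or until the maximum suppress time expires, whichever comes first.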
Configure MTU Size on an Interface
In Dell EMC Networking OS, Maximum Transmission Unit (MTU) is defined as the entire Ethernet packet (Ethernet header + FCS + payload). The following table lists the range for each transmission media.
Transmission Media    MTU Range (in bytes)
Ethernet              592-9216 = link MTU
                      576-9398 = IP MTU
The IP MTU is set automatically when you configure the link MTU.
Control how the system responds to and generates 802.3x pause frames on Ethernet interfaces. The default is rx off tx off.
INTERFACE mode
flowcontrol rx [off | on] tx [off | on] [monitor session-ID]
Where:
• rx on: Processes the received flow control frames on this port.
• rx off: Ignores the received flow control frames on this port.
• tx on: Sends control frames from this port to the connected device when a higher rate of traffic is received.
Layer 2 Overhead                              Difference Between Link MTU and IP MTU
VLAN Tag                                      22 bytes
Untagged Packet with VLAN-Stack Header        22 bytes
Tagged Packet with VLAN-Stack Header          26 bytes
Link MTU and IP MTU considerations for port channels and VLANs are as follows.
Port Channels:
• All members must have the same link MTU value and the same IP MTU value.
• The port channel link MTU and IP MTU must be less than or equal to the link MTU and IP MTU values configured on the channel members.
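To make the overhead table concrete and to check the two port-channel rules above mechanically, the following Python helper is an added example, not Dell EMC code. It assumes an 18-byte baseline (14-byte Ethernet header plus 4-byte FCS) for an untagged frame, which is consistent with the 22- and 26-byte figures in the table, and it takes the 592-9216 link MTU range from the table above. The interface names and MTU values in the check are constructed.

```python
"""Link-MTU / IP-MTU arithmetic and port-channel consistency check (added example, not Dell EMC code)."""
from typing import Dict, List

# The guide defines MTU as Ethernet header + FCS + payload. A plain untagged frame carries
# 14 header + 4 FCS = 18 bytes of Layer 2 overhead (assumed baseline); the guide's table then
# gives 22 bytes for a VLAN tag or a VLAN-stack header and 26 bytes for a tagged frame that
# also carries a VLAN-stack header.
L2_OVERHEAD: Dict[str, int] = {
    "untagged": 18,
    "vlan-tag": 22,
    "vlan-stack-untagged": 22,
    "vlan-stack-tagged": 26,
}
LINK_MTU_MIN, LINK_MTU_MAX = 592, 9216  # Ethernet link MTU range from the guide


def max_ip_mtu(link_mtu: int, encapsulation: str) -> int:
    """Largest IP packet that fits in a frame of `link_mtu` bytes under the given encapsulation."""
    if not LINK_MTU_MIN <= link_mtu <= LINK_MTU_MAX:
        raise ValueError(f"link MTU {link_mtu} outside {LINK_MTU_MIN}-{LINK_MTU_MAX}")
    return link_mtu - L2_OVERHEAD[encapsulation]


def min_link_mtu(ip_mtu: int, encapsulation: str) -> int:
    """Smallest link MTU that still carries `ip_mtu`-byte IP packets under this encapsulation."""
    return ip_mtu + L2_OVERHEAD[encapsulation]


def check_port_channel(lag: Dict[str, int], members: Dict[str, Dict[str, int]]) -> List[str]:
    """Apply the guide's port-channel rules; returns a list of violations (empty = consistent).

    `lag` and every member are {"link": link_mtu, "ip": ip_mtu}.
    """
    problems: List[str] = []
    link_values = {m["link"] for m in members.values()}
    ip_values = {m["ip"] for m in members.values()}
    if len(link_values) > 1:
        problems.append(f"members disagree on link MTU: {sorted(link_values)}")
    if len(ip_values) > 1:
        problems.append(f"members disagree on IP MTU: {sorted(ip_values)}")
    for name, m in members.items():
        if lag["link"] > m["link"]:
            problems.append(f"port-channel link MTU {lag['link']} exceeds member {name} ({m['link']})")
        if lag["ip"] > m["ip"]:
            problems.append(f"port-channel IP MTU {lag['ip']} exceeds member {name} ({m['ip']})")
    # Sanity check (assumption: tagged traffic is the worst case a member must carry): the IP MTU
    # must still fit inside the link MTU once a VLAN tag is present.
    for name, m in {"port-channel": lag, **members}.items():
        if m["ip"] > max_ip_mtu(m["link"], "vlan-tag"):
            problems.append(f"{name}: IP MTU {m['ip']} does not fit a tagged frame of link MTU {m['link']}")
    return problems


if __name__ == "__main__":
    print(max_ip_mtu(1522, "vlan-tag"))
    lag = {"link": 9216, "ip": 9194}
    members = {"Te 1/1": {"link": 9216, "ip": 9194}, "Te 1/2": {"link": 1554, "ip": 1500}}
    for p in check_port_channel(lag, members):
        print("violation:", p)
```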
Setting the Speed of Ethernet Interfaces
To discover whether the remote and local interfaces require manual speed synchronization, and to manually synchronize them if necessary, use the following command sequence.
1. Determine the local interface status. Refer to the following example.
   EXEC Privilege mode
   show interfaces [interface | stack-unit stack-unit-number] status
2. Determine the remote interface status.
DellEMC(conf-if-te-1/1)#no negotiation auto
DellEMC(conf-if-te-1/1)#show config
!
interface TenGigabitEthernet 1/1
 no ip address
 speed 100
 duplex full
 no shutdown
Set Auto-Negotiation Options
The negotiation auto command provides a mode option for configuring an individual port as forced master or forced slave once auto-negotiation is enabled.
CAUTION: Ensure that only one end of the link is configured as forced-master and the other end as forced-slave.
The following example lists the possible show commands that have the configured keyword available:
DellEMC#show interfaces configured
DellEMC#show interfaces stack-unit 1 configured
DellEMC#show interfaces tengigabitEthernet 1 configured
DellEMC#show ip interface configured
DellEMC#show ip interface stack-unit 1 configured
DellEMC#show ip interface tengigabitEthernet 1 configured
DellEMC#show ip interface br configured
DellEMC#show ip interface br stack-unit 1 configu
    0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
    Received 0 input symbol errors, 0 runts, 0 giants, 0 throttles
    0 CRC, 0 IP Checksum, 0 overrun, 0 discarded
    0 packets output, 0 bytes, 0 underruns
    Output 0 Multicasts, 0 Broadcasts, 0 Unicasts
    0 IP Packets, 0 Vlans, 0 MPLS
    0 throttles, 0 discarded
Rate info (interval 299 seconds):
    Input 00.00 Mbits/sec, 0 packets/sec, 0.00% of line-rate
    Output 00.00 Mbits/sec, 0 packets/sec, 0.
Internet address is not set
Mode of IPv4 Address Assignment : NONE
DHCP Client-ID :3417eb0120f3
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit
Flowcontrol rx off tx off
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 2w6d21h
Queueing strategy: fifo
Input Statistics:
    3106 packets, 226755 bytes
    133 64-byte pkts, 2973 over 64-byte pkts, 0 over 127-byte pkts
    0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts
    406 Multicasts, 0 Broadcasts, 2700 Unicasts
    0 run
• Egress VLAN
• Ingress VLAN
• Next Hop 2
• Next Hop 1
• Egress ACLs
• ILM
• IP FLOW
• IP ACL
• IP FIB
• L2 ACL
• L2 FIB
Clearing Interface Counters
The counters in the show interfaces command are reset by the clear counters command. This command does not clear the counters that any SNMP program captures. To clear the counters, use the following command.
• Clear the counters used in the show interface commands for all VRRP groups, VLANs, and physical interfaces, or for selected ones.
show interfaces
DellEMC#show interfaces tengigabitethernet 1/1
TenGigabitEthernet 1/1 is up, line protocol is down
Hardware is DellEMCEth, address is 00:01:e8:41:77:95
    Current address is 00:01:e8:41:77:95
Pluggable media present, SFP type is 1000BASE-SX
    Wavelength is 850nm
Interface index is 100974648
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 1000 Mbit
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of
22 Internet Protocol Security (IPSec)
Internet protocol security (IPSec) is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with the Telnet and FTP protocols, both of which otherwise carry credentials in the clear. It supports two operational modes: Transport and Tunnel.
• Transport mode — (default) Encrypts only the payload of the packet. Routing information (the IP header) is unchanged and therefore remains visible on the wire.
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
3. Apply the crypto policy to management traffic.
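Before applying a crypto policy it is worth confirming which management sessions it actually covers. In the match list above, Telnet (port 23) and FTP control (port 21) between the two host pairs are protected, while anything else, such as SSH on port 22 or a session from another source address, is not. The following Python evaluator is an added example, not Dell EMC code: it parses the eight match lines exactly as printed above and reports whether a given flow would be matched. It assumes that a port value of 0 means "any port" and that the lowest-numbered matching entry wins.

```python
"""Crypto-policy match evaluator (added example, not Dell EMC code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# The eight match lines from the guide, embedded here as the input text.
POLICY_TEXT = """
match 0 tcp a::1 /128 0 a::2 /128 23
match 1 tcp a::1 /128 23 a::2 /128 0
match 2 tcp a::1 /128 0 a::2 /128 21
match 3 tcp a::1 /128 21 a::2 /128 0
match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23
match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0
match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21
match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0
"""

# match <index> <proto> <src> /<len> <sport> <dst> /<len> <dport>
# A port of 0 is taken to mean "any port" (assumption).
MATCH_RE = re.compile(r"match\s+(\d+)\s+(\w+)\s+(\S+)\s*/(\d+)\s+(\d+)\s+(\S+)\s*/(\d+)\s+(\d+)")

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Flow = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class MatchEntry:
    index: int
    proto: str
    src: Network
    sport: int
    dst: Network
    dport: int

    def covers(self, proto: str, src: str, sport: int, dst: str, dport: int) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if proto.lower() != self.proto or s.version != self.src.version or d.version != self.dst.version:
            return False
        return (s in self.src and d in self.dst
                and self.sport in (0, sport) and self.dport in (0, dport))


def parse_policy(text: str) -> List[MatchEntry]:
    """Turn the printed match lines into structured entries, sorted by index."""
    entries = []
    for line in text.strip().splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable match line: {line!r}")
        idx, proto, src, slen, sport, dst, dlen, dport = m.groups()
        entries.append(MatchEntry(int(idx), proto.lower(),
                                  ipaddress.ip_network(f"{src}/{slen}"), int(sport),
                                  ipaddress.ip_network(f"{dst}/{dlen}"), int(dport)))
    return sorted(entries, key=lambda e: e.index)


def first_match(entries: List[MatchEntry], proto: str, src: str, sport: int,
                dst: str, dport: int) -> Optional[int]:
    """Index of the lowest-numbered entry covering the flow, or None if IPSec would not apply."""
    for e in entries:
        if e.covers(proto, src, sport, dst, dport):
            return e.index
    return None


def unprotected(entries: List[MatchEntry], flows: List[Flow]) -> List[Flow]:
    """Flows that no match entry covers, i.e. management traffic that would travel in the clear."""
    return [f for f in flows if first_match(entries, *f) is None]


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    # constructed sample flows: Telnet and SSH from the same management host
    for f in unprotected(policy, [("tcp", "1.1.1.1", 50000, "1.1.1.2", 23),
                                   ("tcp", "1.1.1.1", 50001, "1.1.1.2", 22)]):
        print("not covered by the crypto policy:", f)
```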
23 IPv4 Routing The Dell EMC Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell EMC Networking OS.
IP Addresses
Dell EMC Networking OS supports IP version 4 (as described in RFC 791), classful routing, and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which aggregates several contiguous networks into a single larger prefix, is also supported. To subnet, you apply a mask to the IP address to separate the network and host portions of the address.
• ip-address mask: the IP address must be in dotted decimal format (A.B.C.D). The mask must be in slash prefix-length format (/24).
• secondary: add the keyword secondary if the IP address is the interface's backup IP address. You can configure up to eight secondary IP addresses.
To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example.
S    11.1.1.0/24    Direct, Lo 0    0/0    00:02:30
                    Direct, Nu 0
--More--
Dell EMC Networking OS installs a next hop that is on the directly connected subnet of the current IP address on the interface. Dell EMC Networking OS also installs a next hop that is not on the directly connected subnet but which recursively resolves to a next hop on the interface's configured subnet.
• When the interface goes down, Dell EMC Networking OS withdraws the route.
To view the configured static routes for the management port, use the show ip management-route command in EXEC privilege mode.
DellEMC#show ip management-route
Destination        Gateway
-----------        -------
10.16.0.0/16       ManagementEthernet 1/1
172.16.1.0/24      10.16.151.
Configure the source to send the configured source interface IP address instead of using its front-end IP address in the ICMP unreachable messages and in the traceroute command output. Use the ip icmp source-interface interface or the ipv6 icmp source-interface interface commands in Configuration mode to enable the ICMP error messages to be sent with the source interface IP address. This functionality is supported on loopback, VLAN, port channel, and physical interfaces for IPv4 and IPv6 messages.
Name server, Domain name, and Domain list are VRF specific. The maximum number of Name servers and Domain lists per VRF is six.
Enabling Dynamic Resolution of Host Names
By default, dynamic resolution of host names (DNS) is disabled. To enable DNS, use the following commands.
• Enable dynamic resolution of host names.
  CONFIGURATION mode
  ip domain-lookup
• Specify up to six name servers.
  CONFIGURATION mode
  ip name-server ip-address [ip-address2 ... ip-address6]
  The order in which you enter the servers determines the order in which they are used.
When you enter the traceroute command without specifying an IP address (Extended Traceroute), you are prompted for a target and source IP address, a timeout in seconds (default is 5), a probe count (default is 3), a minimum TTL (default is 1), a maximum TTL (default is 30), and a port number (default is 33434).
• Configure an IP address and MAC address mapping for an interface.
  CONFIGURATION mode
  arp vrf vrf-name ip-address mac-address interface
  • vrf vrf-name: use the VRF option to configure a static ARP entry in that particular VRF.
  • ip-address: IP address in dotted decimal format (A.B.C.D).
  • mac-address: MAC address in nnnn.nnnn.nnnn format.
  • interface: enter the interface type and slot/port information. For 10G interfaces, enter the slot/port information.
  These entries do not age and can only be removed manually.
• update the ARP table of other nodes on the network in case of an address change
In the request, the host uses its own IP address in both the Sender Protocol Address and Target Protocol Address fields.
Enabling ARP Learning via Gratuitous ARP
To enable ARP learning via gratuitous ARP, use the following command.
• Enable ARP learning via gratuitous ARP.
  CONFIGURATION mode
  arp learn-enable
Because a gratuitous ARP is unsolicited, enabling this also lets any host on the segment update the entry for an address it claims; weigh that against the risk of ARP spoofing on untrusted segments.
ARP Learning via ARP Request
In Dell EMC Networking OS versions prior to 8.3.1.
Configuring ARP Retries
You can configure the number of ARP retries. The default backoff interval remains at 20 seconds. The time between ARP retransmissions is configurable and uses an exponential backoff timer: over the retry period, the interval between successive ARP requests increases, which reduces the chance of the system slowing down while waiting on a multitude of outstanding ARP responses.
To set and display ARP retries, use the following commands.
• Set the number of ARP retries.
ICMP Redirects When a host sends a packet to a destination, it sends the packet to the configured default gateway. If the gateway router finds that a better route is available through a different router in the same network, that is, the same data link, the gateway router sends the source host an ICMP redirect message with the better route. The gateway router routes the packet to its destination and the host sends subsequent packets to that particular destination through the correct router.
Important Points to Remember
• The existing ip directed broadcast command is rendered meaningless if you enable UDP helper on the same interface.
• The broadcast traffic rate should not exceed 200 packets per second when you enable UDP helper.
• You may specify a maximum of 16 UDP ports.
Input Statistics:
    0 packets, 0 bytes
Time since last interface status change: 00:07:44
Configurations Using UDP Helper
When you enable UDP helper and the destination IP address of an incoming packet is a broadcast address, Dell EMC Networking OS suppresses the destination address of the packet. The following sections describe various configurations that employ UDP helper to direct broadcasts.
UDP Helper with Subnet Broadcast Addresses When the destination IP address of an incoming packet matches the subnet broadcast address of any interface, the system changes the address to the configured broadcast address and sends it to matching interface. In the following illustration, Packet 1 has the destination IP address 1.1.1.255, which matches the subnet broadcast address of VLAN 101.
UDP Helper with No Configured Broadcast Addresses
The following describes UDP helper with no broadcast addresses configured.
• If the incoming packet has a broadcast destination IP address, the unaltered packet is routed to all Layer 3 interfaces.
• If the incoming packet has a destination IP address that matches the subnet broadcast address of any interface, the unaltered packet is routed to the matching interfaces.
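The two cases described above (a configured broadcast address on the matching interface versus none) can be exercised with the following Python model, an added example that is not Dell EMC code. It models each Layer 3 interface's subnet, the optional configured broadcast address as a per-interface attribute (an assumption about how the guide's "configured broadcast address" is bound), and the list of helper UDP ports with the 16-port limit from the Important Points. VLAN 101 with subnet broadcast 1.1.1.255 is taken from the illustration; the other interfaces, addresses and ports are constructed.

```python
"""UDP helper broadcast handling (added example, not Dell EMC code)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
MAX_HELPER_PORTS = 16  # "You may specify a maximum of 16 UDP ports"


@dataclass
class L3Interface:
    name: str
    network: ipaddress.IPv4Network                                # interface address and mask
    configured_broadcast: Optional[ipaddress.IPv4Address] = None  # assumed per-interface attribute

    @property
    def subnet_broadcast(self) -> ipaddress.IPv4Address:
        return self.network.broadcast_address


def validate_helper_ports(ports: Iterable[int]) -> FrozenSet[int]:
    """Enforce the guide's limit of 16 helper ports and basic port-range sanity."""
    port_set = frozenset(int(p) for p in ports)
    if len(port_set) > MAX_HELPER_PORTS:
        raise ValueError(f"at most {MAX_HELPER_PORTS} UDP helper ports may be configured")
    if any(not 1 <= p <= 65535 for p in port_set):
        raise ValueError("UDP port out of range")
    return port_set


def udp_helper_forward(dst: str, dport: int, interfaces: List[L3Interface],
                       helper_ports: FrozenSet[int]) -> List[Tuple[str, str]]:
    """Return (interface name, destination address as forwarded) pairs.

    Rules taken from the guide:
      * limited broadcast (255.255.255.255): forwarded on every Layer 3 interface
      * the subnet broadcast of an interface: forwarded on the matching interface(s)
    In both cases the destination is rewritten to the interface's configured broadcast address
    when one is set and left unaltered otherwise. Packets to other addresses, or to UDP ports
    that are not helper ports, are not UDP-helper traffic and yield an empty list here.
    """
    if dport not in helper_ports:
        return []
    d = ipaddress.IPv4Address(dst)
    if d == LIMITED_BROADCAST:
        targets = list(interfaces)
    else:
        targets = [i for i in interfaces if i.subnet_broadcast == d]
    return [(i.name, str(i.configured_broadcast if i.configured_broadcast is not None else d))
            for i in targets]


def build_sample_topology() -> List[L3Interface]:
    """Constructed sample: VLAN 101 from the guide's illustration plus two assumed interfaces."""
    return [
        L3Interface("VLAN 101", ipaddress.IPv4Network("1.1.1.0/24"), ipaddress.IPv4Address("2.2.2.255")),
        L3Interface("VLAN 102", ipaddress.IPv4Network("2.2.2.0/24")),
        L3Interface("VLAN 103", ipaddress.IPv4Network("3.3.3.0/24"), ipaddress.IPv4Address("4.4.4.255")),
    ]


if __name__ == "__main__":
    ifs = build_sample_topology()
    ports = validate_helper_ports([67, 69])  # DHCP/BOOTP and TFTP as constructed helper ports
    print(udp_helper_forward("1.1.1.255", 67, ifs, ports))
    print(udp_helper_forward("255.255.255.255", 69, ifs, ports))
```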
24 IPv6 Routing
Internet protocol version 6 (IPv6) is the successor to IPv4. Due to the rapid growth in internet users and connected devices, the IPv4 address space is close to exhaustion. IPv6 will eventually replace IPv4 to allow for continued expansion. This chapter provides a brief description of the differences between IPv4 and IPv6, and of the Dell EMC Networking support for IPv6. It is not intended to be a comprehensive description of IPv6.
• Prefix Renumbering — Useful for transparent renumbering of hosts in the network when an organization changes its service provider.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses from Dynamic Host Configuration Protocol (DHCP) servers via stateful autoconfiguration.
NOTE: Dell EMC Networking OS provides the flexibility to add prefixes to Router Advertisements (RA) sent in response to Router Solicitations (RS).
Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities. Routers understand the priority settings and handle them appropriately during conditions of congestion.
Source Address (128 bits)
The Source Address field contains the IPv6 address of the packet originator.
Destination Address (128 bits)
The Destination Address field contains the intended recipient's IPv6 address. This can be either the ultimate destination or the address of the next-hop router.
Extension Header Fields
Extension headers are used only when necessary. Because the IPv6 base header is streamlined, adding extension headers does not severely impact performance.
Addressing
IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab is a valid IPv6 address. If one or more consecutive groups are 0000, that run of groups may be omitted and replaced with two colons (::). For example, 2001:0db8:0000:0000:0000:0000:1428:57ab can be shortened to 2001:0db8::1428:57ab. Only one double colon is permitted in a single address, because a second one would make the number of omitted groups ambiguous.
Feature and Functionality                                             Dell EMC Networking OS Release Introduction (S4048–ON)    Documentation and Chapter Location
IPv6 Basic Addressing
IPv6 address types: Unicast                                           9.7.(0.1)    Extended Address Space
IPv6 neighbor discovery                                               9.7.(0.1)    IPv6 Neighbor Discovery
IPv6 stateless autoconfiguration                                      9.7.(0.1)    Stateless Autoconfiguration
IPv6 MTU path discovery                                               9.7.(0.1)    Path MTU Discovery
IPv6 ICMPv6                                                           9.7.(0.1)    ICMPv6
IPv6 ping                                                             9.7.(0.1)    ICMPv6
IPv6 traceroute                                                       9.7.(0.1)    ICMPv6
IPv6 SNMP                                                             9.7.(0.
(table continued)                                                                  Command Line Reference Guide.
Telnet server over IPv6 (inbound Telnet)                              9.7.(0.1)    Configuring Telnet with IPv6
Secure Shell (SSH) client support over IPv6 (outbound SSH), Layer 3 only   9.7.(0.1)    Secure Shell (SSH) Over an IPv6 Transport
Secure Shell (SSH) server support over IPv6 (inbound SSH), Layer 3 only    9.7.(0.1)    Secure Shell (SSH) Over an IPv6 Transport
IPv6 Access Control Lists                                             9.
Figure 60. Path MTU discovery process IPv6 Neighbor Discovery The IPv6 neighbor discovery protocol (NDP) is a top-level protocol for neighbor discovery on an IPv6 network. In place of address resolution protocol (ARP), NDP uses “Neighbor Solicitation” and “Neighbor Advertisement” ICMPv6 messages for determining relationships between neighboring nodes.
Figure 61. NDP Router Redirect
IPv6 Neighbor Discovery of MTU Packets
You can set the MTU advertised through the RA packets to incoming routers without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets only the value advertised to routers; it does not set the actual interface MTU. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets if that is what is set with the mtu command.
The following example configures an RDNSS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
  ND reachable time is 20120 milliseconds
  ND base reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 198 to 600 seconds
  ND router advertisements live for 1800 seconds
  ND advertised hop limit is 64
  IPv6 hop limit for originated packets is 64
  ND dns-server address is 1000::1 with lifetime of 1 seconds
  ND dns-server address is 3000::1 with lifetime of 1 seconds
  ND dns-server address is 200
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start), then reload the system.
• Allocate space for IPv6 ACLs. Enter the CAM profile name then the allocated amount.
  CONFIGURATION mode
  cam-acl { ipv6acl }
  When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. The ipv6acl range must be a multiple of 2.
• Show the current CAM settings.
Enter the keyword interface then the type of interface and slot/port information:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport] information.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
• For a Loopback interface, enter the keyword loopback then a number from 0 to 16383.
• For a port channel interface, enter the keywords port-channel then a number.
rpf
DellEMC#
RPF table
Displaying IPv6 Interface Information
To view the IPv6 configuration for a specific interface, use the following command.
• Show the currently running configuration for the specified interface.
  EXEC mode
  show ipv6 interface interface {slot/port}
  Enter the keyword interface then the type of interface and slot/port information:
  • For a brief summary of IPv6 status and configuration, enter the keyword brief.
• To display a brief summary of all IPv6 routes, enter summary.
• To display information about Border Gateway Protocol (BGP) routes, enter bgp.
• To display information about ISO IS-IS routes, enter isis.
• To display information about Open Shortest Path First (OSPF) routes, enter ospf.
• To display information about Routing Information Protocol (RIP) routes, enter rip.
• To display information about static IPv6 routes, enter static.
• For the Management interface on the stack-unit, enter the keyword ManagementEthernet then the slot/port information.
DellEMC#show run int Te 2/2
!
interface TenGigabitEthernet 2/2
 no ip address
 ipv6 address 3:4:5:6::8/24
 shutdown
DellEMC#
Clearing IPv6 Routes
To clear routes from the IPv6 routing table, use the following command.
• Clear (refresh) all or a specific route from the IPv6 routing table.
  EXEC mode
  clear ipv6 route {* | ipv6-address prefix-length}
  • *: all routes.
   POLICY LIST CONFIGURATION mode
   device-role {host | router}
   Use the keyword host to set the device role as host. Use the keyword router to set the device role as router.
5. Set the hop count limit.
   POLICY LIST CONFIGURATION mode
   hop-limit {maximum | minimum limit}
   The hop limit range is from 0 to 254.
6. Set the managed address configuration flag.
   POLICY LIST CONFIGURATION mode
   managed-config-flag {on | off}
7.
trusted-port
DellEMC(conf-ra_guard_policy_list)#
Configuring IPv6 RA Guard on an Interface
To configure the IPv6 Router Advertisement (RA) guard on an interface, perform the following steps:
1. Configure the terminal to enter the Interface mode.
   CONFIGURATION mode
   interface interface-type slot/port
2. Apply the IPv6 RA guard to a specific interface.
   INTERFACE mode
   ipv6 nd ra-guard attach policy policy-name [vlan [vlan 1, vlan 2, vlan 3.....]]
3.
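The decision an RA guard policy makes for each incoming Router Advertisement can be written out explicitly. The following Python model is an added example, not Dell EMC code: it encodes device-role, hop-limit minimum/maximum, managed-config-flag and trusted-port from the policy-list commands above and decides whether an RA arriving on a port with a policy attached is forwarded or dropped. Treating trusted-port as skipping inspection, an unset managed-config-flag as "not checked", and a port without an attached policy as unfiltered are assumptions; port names and link-local addresses are constructed.

```python
"""IPv6 RA Guard policy evaluation (added example, not Dell EMC code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RaGuardPolicy:
    name: str
    device_role: str = "host"                   # device-role {host | router}
    hop_limit_minimum: Optional[int] = None     # hop-limit minimum limit (0-254 per the guide)
    hop_limit_maximum: Optional[int] = None     # hop-limit maximum limit
    managed_config_flag: Optional[str] = None   # managed-config-flag {on | off}; None = not checked (assumption)
    trusted_port: bool = False                  # trusted-port: RAs pass without inspection (assumption)

    def __post_init__(self) -> None:
        if self.device_role not in ("host", "router"):
            raise ValueError("device-role must be host or router")
        for v in (self.hop_limit_minimum, self.hop_limit_maximum):
            if v is not None and not 0 <= v <= 254:
                raise ValueError("hop limit must be in the range 0-254")
        if self.managed_config_flag not in (None, "on", "off"):
            raise ValueError("managed-config-flag must be on or off")


@dataclass(frozen=True)
class RouterAdvertisement:
    ingress_port: str
    src_link_local: str
    cur_hop_limit: int
    managed_flag: bool  # the M flag carried in the RA


def evaluate(policy: RaGuardPolicy, ra: RouterAdvertisement) -> Tuple[bool, str]:
    """(forward?, reason) for one RA against one policy."""
    if policy.trusted_port:
        return True, "trusted-port: forwarded without inspection"
    if policy.device_role == "host":
        return False, "device-role host: advertisements from hosts are dropped"
    if policy.hop_limit_minimum is not None and ra.cur_hop_limit < policy.hop_limit_minimum:
        return False, f"hop limit {ra.cur_hop_limit} below minimum {policy.hop_limit_minimum}"
    if policy.hop_limit_maximum is not None and ra.cur_hop_limit > policy.hop_limit_maximum:
        return False, f"hop limit {ra.cur_hop_limit} above maximum {policy.hop_limit_maximum}"
    if policy.managed_config_flag == "on" and not ra.managed_flag:
        return False, "managed-config-flag on required but M flag clear"
    if policy.managed_config_flag == "off" and ra.managed_flag:
        return False, "managed-config-flag off required but M flag set"
    return True, f"permitted by policy {policy.name}"


def filter_ras(attachments: Dict[str, RaGuardPolicy],
               ras: List[RouterAdvertisement]) -> List[Tuple[str, str, bool, str]]:
    """Apply per-port attachments; ports with no policy are left unfiltered (assumption)."""
    results = []
    for ra in ras:
        policy = attachments.get(ra.ingress_port)
        if policy is None:
            results.append((ra.ingress_port, ra.src_link_local, True, "no ra-guard policy attached"))
        else:
            ok, why = evaluate(policy, ra)
            results.append((ra.ingress_port, ra.src_link_local, ok, why))
    return results


if __name__ == "__main__":
    access = RaGuardPolicy("access-hosts", device_role="host")
    uplink = RaGuardPolicy("uplink", device_role="router", hop_limit_minimum=64, managed_config_flag="on")
    attach = {"Te 1/5": access, "Te 1/48": uplink}  # constructed port assignments
    sample = [RouterAdvertisement("Te 1/5", "fe80::bad", 64, True),     # rogue RA on an access port
              RouterAdvertisement("Te 1/48", "fe80::1", 64, True)]      # legitimate RA on the uplink
    for row in filter_ras(attach, sample):
        print(row)
```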
25 iSCSI Optimization This chapter describes how to configure internet small computer system interface (iSCSI) optimization, which enables quality-of-service (QoS) treatment for iSCSI traffic.
This cannot be inferred as the maximum supported iSCSI sessions are reached. Also, number of iSCSI sessions displayed on the system may show any number equal to or less than the maximum. The following illustration shows iSCSI optimization between servers and a storage array in which a stack of three switches connect installed servers (iSCSI initiators) to a storage array (iSCSI targets) in a SAN network.
You can configure whether the iSCSI optimization feature uses the VLAN priority or IP DSCP mapping to determine the traffic class queue. By default, iSCSI flows are assigned to dot1p priority 4. To map incoming iSCSI traffic on an interface to a dot1p priority-queue other than 4, use the QoS dot1p-priority command (refer to QoS dot1p Traffic Classification and Queue Assignment). Dell EMC Networking recommends setting the CoS dot1p priority-queue to 0 (zero).
The following message displays the first time a Dell EqualLogic array is detected and describes the configuration changes that are automatically performed: %STKUNIT0-M:CP %IFMGR-5-IFM_ISCSI_AUTO_CONFIG: This switch is being configured for optimal conditions to support iSCSI traffic which will cause some automatic configuration to occur including jumbo frames and flow-control on all ports; no storm control and spanning-tree port fast to be enabled on the port of detection.
Enable and Disable iSCSI Optimization
The following describes enabling and disabling iSCSI optimization.
NOTE: iSCSI monitoring is disabled by default. iSCSI auto-configuration and auto-detection are enabled by default.
If you enable iSCSI, flow control is automatically enabled on all interfaces. To disable flow control on all interfaces, use the no flowcontrol rx on tx off command and save the configuration.
Configuring iSCSI Optimization
To configure iSCSI optimization, use the following commands.
1. For a non-DCB environment: Enable session monitoring.
   CONFIGURATION mode
   cam-acl l2acl 4 ipv4acl 4 ipv6acl 0 ipv4qos 2 l2qos 1 l2pt 0 ipmacacl 0 vman-qos 0 ecfmacl 0 fcoeacl 0 iscsioptacl 2
   NOTE: Content addressable memory (CAM) allocation is optional.
• enable: enables the application of preferential QoS treatment to iSCSI traffic so that iSCSI packets are scheduled in the switch with dot1p priority 4 regardless of the VLAN priority tag in the packet. The default is: iSCSI packets are handled with dot1p priority 4 without remark.
• disable: disables the application of preferential QoS treatment to iSCSI frames.
The following example shows the show iscsi session command.
VLT PEER1
DellEMC#show iscsi session
Session 0:
----------------------------------------------------------------------------------
Target: iqn.2001-05.com.equallogic:0-8a0906-0e70c2002-10a0018426a48c94-iom010
Initiator: iqn.1991-05.com.microsoft:win-x9l8v27yajg
ISID: 400001370000
VLT PEER2
Session 0:
-----------------------------------------------------------------------------------
Target: iqn.2001-05.com.
26 Intermediate System to Intermediate System
The intermediate system to intermediate system (IS-IS) protocol is a link-state routing protocol that uses a shortest-path-first algorithm. Dell EMC Networking supports both IPv4 and IPv6 versions of IS-IS.
Figure 63. ISO Address Format
Multi-Topology IS-IS
Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases. Use this feature to divide a single physical topology into logical routing domains, each of which can support different routing and security policies. All routers on a LAN or point-to-point link must have at least one common supported topology when operating in Multi-Topology IS-IS mode.
Graceful Restart Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and so does not trigger a topology change. Normally, when an IS-IS router is restarted, temporary disruption of routing occurs due to events in both the restarting router and the neighbors of the restarting router.
• Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 46.
1. Create an IS-IS routing process.
   CONFIGURATION mode
   router isis [tag]
   tag: (optional) identifies the name of the IS-IS process.
2. Configure an IS-IS network entity title (NET) for a routing process.
   ROUTER ISIS mode
   net network-entity-title
   Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing.
3. Enter the interface configuration mode.
    Loopback 0
  Redistributing:
  Distance: 115
  Generate narrow metrics: level-1-2
  Accept narrow metrics:   level-1-2
  Generate wide metrics:   none
  Accept wide metrics:     none
DellEMC#
To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Configuring IS-IS Graceful Restart
To enable IS-IS graceful restart globally, use the following commands. Additionally, you can use the optional commands to adjust the graceful restart settings.
• Enable graceful restart on IS-IS processes.
  ROUTER-ISIS mode
  graceful-restart ietf
• Configure the time during which a graceful restart attempt is prevented.
  ROUTER-ISIS mode
  graceful-restart interval minutes
  The range is from 1 to 120 minutes. The default is 5 minutes.
  T1 Timeout Value        : 5, retry count: 1
  Adjacency wait time     : 30
  Operational Timer Value
  ======================
  Current Mode/State      : Normal/RUNNING
  T3 Time left            : 0
  T2 Time left            : 0 (level-1), 0 (level-2)
  Restart ACK rcv count   : 0 (level-1), 0 (level-2)
  Restart Req rcv count   : 0 (level-1), 0 (level-2)
  Suppress Adj rcv count  : 0 (level-1), 0 (level-2)
  Restart CSNP rcv count  : 0 (level-1), 0 (level-2)
  Database Sync count     : 0 (level-1), 0 (level-2)
  Circuit TenGigabitEthernet 2/10:
    Mode: Normal
    L1-State:NORMA
• size: the range is from 128 to 9195. The default is 1497.
• Set the LSP refresh interval.
  ROUTER ISIS mode
  lsp-refresh-interval seconds
  seconds: the range is from 1 to 65535. The default is 900 seconds.
• Set the maximum LSP lifetime.
  ROUTER ISIS mode
  max-lsp-lifetime seconds
  seconds: the range is from 1 to 65535. The default is 1200 seconds.
To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
The default is Level 1 and Level 2 (level-1-2).
To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS metric settings are in bold.
Example of Viewing IS-IS Metric Types
DellEMC#show isis protocol
IS-IS Router:
  System Id: EEEE.EEEE.EEEE   IS-Type: level-1-2
  Manual area address(es):
    47.0004.004d.0001
  Routing for area address(es):
    21.2223.2425.2627.2829.3031.3233
    47.0004.004d.
Configuring the Distance of a Route
To configure the distance for a route, use the following command.
• Configure the distance for a route.
  ROUTER ISIS mode
  distance
Changing the IS-Type
You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands.
• Configure the IS-IS operating level for a router.
Distribute Routes
Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes, and a route must meet the conditions of the prefix list or Dell EMC Networking OS does not install it in the routing table. The prefix lists are applied globally on all interfaces running IS-IS. Configure the prefix list in PREFIX LIST mode before assigning it to the IS-IS process.
ROUTER ISIS-AF IPV6 mode
distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static]
You can configure one of the optional parameters:
• connected: for directly connected routes.
• ospf process-id: for OSPF routes only.
• rip: for RIP routes only.
• static: for user-configured routes.
• bgp: for BGP routes only.
Deny RTM download for pre-existing redistributed IPv6 routes.
redistribute {bgp as-number | connected | rip | static} [level-1 | level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name]
Configure the following parameters:
• level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2.
• metric-value: the range is from 0 to 16777215. The default is 0.
• metric-type: choose either external or internal. The default is internal.
• map-name: enter the name of a configured route map.
set-overload-bit
This setting prevents other routers from using it as an intermediate hop in their shortest path first (SPF) calculations.
• Remove the overload bit.
  ROUTER ISIS mode
  no set-overload-bit
When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2.
DellEMC#show isis database
IS-IS Level-1 Link State Database
LSPID                 LSP Seq Num   LSP Checksum
B233.
Dell EMC Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
Beginning Metric Style   Final Metric Style   Resulting IS-IS Metric Value
wide                     narrow               default value (10) if the original value is greater than 63. A message is sent to the console.
The original metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style.
NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported.
Beginning Metric Style   Next Metric Style   Resulting Metric Value   Next Metric Style   Final Metric Value
wide transition truncated value narrow transition default value (10). A message is sent to the logging buffer transition
Leaks from One Level to Another
In the following scenarios, each IS-IS level is configured with a different metric style.
Table 50.
You can configure IPv6 IS-IS routes in one of the following three methods:
• Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface. Enable the ip router isis and ipv6 router isis commands on the interface. Enable the wide-metrics parameter in ROUTER ISIS configuration mode.
• Multi-topology — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface.
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.00
 !
 address-family ipv6 unicast
  multi-topology
 exit-address-family
DellEMC(conf-router_isis)#

IS-IS Sample Configuration — Multi-topology Transition
DellEMC(conf-if-te-3/17)#show config
!
interface TenGigabitEthernet 3/17
 ipv6 address 24:3::1/76
 ipv6 router isis
 no shutdown
DellEMC(conf-if-te-3/17)#
DellEMC(conf-router_isis)#show config
!
router isis
 net 34.0000.0000.AAAA.
27 Link Aggregation Control Protocol (LACP) Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell EMC Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• Passive — In this state, the interface is not in an active negotiating state, but LACP runs on the link. A port in Passive state responds to negotiation requests from ports in Active state and to LACP packets.
Dell EMC Networking OS supports LAGs in the following cases:
• A port in Active state can set up a port channel (LAG) with another port in Active state.
• A port in Active state can set up a LAG with another port in Passive state.
 switchport
DellEMC(conf)#interface port-channel 32
DellEMC(conf-if-po-32)#no shutdown
DellEMC(conf-if-po-32)#switchport
The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command in INTERFACE VLAN mode and name the LAG.
DellEMC(conf)#interface vlan 10
DellEMC(conf-if-vl-10)#tagged port-channel 32
Configuring the LAG Interfaces as Dynamic
After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command.
DellEMC# show lacp 32
Port-channel 32 admin up, oper up, mode lacp
Actor   System ID:  Priority 32768, Address 0001.e800.a12b
Partner System ID:  Priority 32768, Address 0001.e801.
Configuring Shared LAG State Tracking
To configure shared LAG state tracking, you configure a failover group.
NOTE: If a LAG interface is part of a redundant pair, you cannot use it as a member of a failover group created for shared LAG state tracking.
1. Enter port-channel failover group mode.
   CONFIGURATION mode
   port-channel failover-group
2. Create a failover group and specify the two port-channels that will be members of the group.
Members in this channel: Te 1/17(U)
ARP type: ARPA, ARP Timeout 04:00:00
Last clearing of "show interface" counters 00:01:28
Queueing strategy: fifo
NOTE: The console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Example of Viewing a LAG Port Configuration
Alpha#sh int TenGigabitEthernet 2/31
TenGigabitEthernet 2/31 is up, line protocol is up
Port is part of Port-channel 10
Hardware is DellEMCEth, address is 00:01:e8:06:95:c0
    Current address is 00:01:e8:06:95:c0
Interface Index is 109101113
Port will not be disabled on partial SFM failure
Internet address is not set
MTU 1554 bytes, IP MTU 1500 bytes
LineSpeed 10000 Mbit, Mode full duplex, Slave
Flowcontrol rx on tx on
ARP type: ARPA, ARP Timeout 04:00:00
Last cleari
Figure 69.
Figure 70.
Bravo(conf-if-po-10)#switch
Bravo(conf-if-po-10)#no shut
Bravo(conf-if-po-10)#show config
!
interface Port-channel 10
 no ip address
 switchport
 no shutdown
!
Bravo(conf-if-po-10)#exit
Bravo(conf)#int tengig 3/21
Bravo(conf-if-te-3/21)#no ip address
Bravo(conf-if-te-3/21)#no switchport
Bravo(conf-if-te-3/21)#shutdown
Bravo(conf-if-te-3/21)#port-channel-protocol lacp
Bravo(conf-if-te-3/21-lacp)#port-channel 10 mode active
Bravo(conf-if-te-3/21-lacp)#no shut
Bravo(conf-if-te-3/21)#end
!
interface TenGigabitEthernet 3/21
 no ip address
!
 port-ch
Figure 71.
Figure 72.
Figure 73. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
28 Layer 2
Manage the MAC Address Table
You can perform the following management tasks in the MAC address table.
• Clearing the MAC Address Table
• Setting the Aging Time for Dynamic Entries
• Configuring a Static MAC Address
• Displaying the MAC Address Table
Clearing the MAC Address Table
You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command.
• Clear a MAC address table of dynamic entries.
Displaying the MAC Address Table
To display the MAC address table, use the following command.
• Display the contents of the MAC address table.
  EXEC Privilege mode
  show mac-address-table [address | aging-time [vlan vlan-id] | count | dynamic | interface | static | vlan]
  • address: displays the specified entry.
  • aging-time: displays the configured aging-time.
  • count: displays the number of dynamic and static entries for all VLANs, and the total number of entries.
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations.
mac learning-limit Dynamic
The MAC address table is stored in the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default.
interface TenGigabitEthernet 1/1
 no ip address
 switchport
 mac learning-limit 1 dynamic no-station-move
 mac learning-limit station-move-violation log
 no shutdown
Learning Limit Violation Actions
To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received, use one of the following options with the mac learning-limit command.
• Generate a system log message when the MAC learning limit is exceeded.
  mac learning-limit reset
• Reset interfaces in the ERR_Disabled state caused by a learning limit violation.
  EXEC Privilege mode
  mac learning-limit reset learn-limit-violation [interface | all]
• Reset interfaces in the ERR_Disabled state caused by a station move violation.
  EXEC Privilege mode
  mac learning-limit reset station-move-violation [interface | all]
Enabling port security
You can enable or disable the port security feature globally on the Dell EMC Networking OS.
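The MAC learning limit sections above describe the limit, the dynamic versus static distinction, the no-station-move option and the violation actions in prose. The following is an added example, not Dell EMC code, that models that behaviour in Python and drives it with a constructed CAM-flooding source, so the effect of each option on a flooding attacker can be seen directly. The port names, the aging time and the two action labels ("log" and "shutdown") are assumptions of this example.

```python
"""Added example, not Dell EMC code: a model of the mac learning-limit
behaviour (limit, dynamic vs. static entries, no-station-move, violation
actions) exercised by a constructed CAM-flooding source. Port names, the
aging time and the action labels are assumptions of this example."""
from __future__ import annotations
from dataclasses import dataclass
import random


@dataclass
class PortPolicy:
    limit: int = 0                         # 0: no mac learning-limit on this port
    dynamic: bool = False                  # limited entries are static unless 'dynamic'
    no_station_move: bool = False          # MACs learned here may not move to another port
    limit_action: str = "log"              # learn-limit violation: "log" or "shutdown"
    station_move_action: str = "log"       # station-move violation: "log" or "shutdown"


@dataclass
class Entry:
    port: str
    static: bool
    learned_at: float


class MacTable:
    def __init__(self, aging_time: float = 1800.0):
        self.aging_time = aging_time
        self.policies: dict[str, PortPolicy] = {}
        self.entries: dict[str, Entry] = {}
        self.err_disabled: set[str] = set()
        self.log: list[str] = []

    def policy(self, port: str) -> PortPolicy:
        return self.policies.get(port, PortPolicy())

    def count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.port == port)

    def _violation(self, port: str, kind: str, action: str) -> None:
        self.log.append(f"{kind} violation on {port}")
        if action == "shutdown":
            self.err_disabled.add(port)       # ERR_Disabled until reset

    def learn(self, port: str, mac: str, now: float = 0.0) -> bool:
        """Process a frame with source `mac` arriving on `port`.
        Returns True if the MAC is learned on this port afterwards."""
        if port in self.err_disabled:
            return False
        pol = self.policy(port)
        cur = self.entries.get(mac)
        if cur is not None and cur.port == port:
            if not cur.static:
                cur.learned_at = now          # refresh a dynamic entry
            return True
        if cur is not None:                   # the MAC is moving between ports
            origin = self.policy(cur.port)
            if origin.no_station_move:
                self._violation(cur.port, "station-move", origin.station_move_action)
                return False
            del self.entries[mac]
        if pol.limit and self.count(port) >= pol.limit:
            self._violation(port, "learn-limit", pol.limit_action)
            return False
        self.entries[mac] = Entry(port, static=bool(pol.limit) and not pol.dynamic,
                                  learned_at=now)
        return True

    def age_out(self, now: float) -> int:
        """Expire dynamic entries older than aging_time; static ones never age."""
        expired = [m for m, e in self.entries.items()
                   if not e.static and now - e.learned_at > self.aging_time]
        for m in expired:
            del self.entries[m]
        return len(expired)

    def reset(self, port: str) -> None:
        """Counterpart of 'mac learning-limit reset ... <interface>'."""
        self.err_disabled.discard(port)


def cam_flood(table: MacTable, port: str, frames: int, seed: int = 1) -> int:
    """Send `frames` frames with random source MACs; return how many are learned."""
    rng = random.Random(seed)
    learned = 0
    for _ in range(frames):
        mac = ":".join(f"{rng.randrange(256):02x}" for _ in range(6))
        learned += table.learn(port, mac)
    return learned


def flood_demo() -> tuple[int, int, bool]:
    """Te 1/1 carries 'mac learning-limit 2' with the shutdown action; Te 1/2 has no limit."""
    t = MacTable()
    t.policies["Te 1/1"] = PortPolicy(limit=2, limit_action="shutdown")
    a = cam_flood(t, "Te 1/1", 1000)
    b = cam_flood(t, "Te 1/2", 1000, seed=2)
    return a, b, "Te 1/1" in t.err_disabled


if __name__ == "__main__":
    print(flood_demo())   # the limited port learns 2 MACs and is err-disabled
```

Run the module directly to see the flood result; the unlimited port absorbs all 1000 addresses into the CAM, while the limited port stops at two and drops into ERR_Disabled, which is exactly the state the mac learning-limit reset command clears.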
Figure 75. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 76. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the above illustration, interface 3/42 is configured as the backup interface for 3/41, so 3/42 is in the Down state while 3/41 carries traffic. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
 and Te 1/2
DellEMC(conf-if-po-1)#
Far-End Failure Detection
Far-end failure detection (FEFD) is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration.
Figure 77.
EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again. Table 51.
Te 1/2    Normal    3    Admin Shutdown
Te 1/3    Normal    3    Admin Shutdown
Te 1/4    Normal    3    Admin Shutdown
DellEMC#show run fefd
!
fefd-global mode normal
fefd-global interval 3
Enabling FEFD on an Interface
To enable, change, or disable FEFD on an interface, use the following commands.
• Enable FEFD on a per-interface basis.
  INTERFACE mode
  fefd
• Change the FEFD mode.
  INTERFACE mode
  fefd [mode {aggressive | normal}]
• Disable the FEFD protocol on one interface.
debug fefd packets
DellEMC#debug fefd events
DellEMC#config
DellEMC(conf)#int te 1/1
DellEMC(conf-if-te-1/1)#shutdown
2w1d22h: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/1
DellEMC(conf-if-te-1/1)#2w1d22h : FEFD state on Te 1/1 changed from ANY to Unknown
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1
2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 4/1
2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface sta
29 Link Layer Discovery Protocol (LLDP) 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Type   TLV        Description
—      Optional   Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs.
Figure 79. LLDPDU Frame
Optional TLVs
The Dell EMC Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs.
Management TLVs
A management TLV is an optional TLV sub-type.
Type   TLV                   Description
7      System capabilities   Identifies the chassis as one or more of the following: repeater, bridge, WLAN Access Point, Router, Telephone, DOCSIS cable device, end station only, or other.
8      Management address    Indicates the network address of the management interface. Dell EMC Networking OS does not currently support this TLV.
127    Port-VLAN ID          On Dell EMC Networking systems, indicates the untagged VLAN to which a port belongs.
• manage inventory
• manage Power over Ethernet (PoE)
• identify physical location
• identify network policy
LLDP-MED is designed for, but not limited to, VoIP endpoints.
TIA Organizationally Specific TLVs
The Dell EMC Networking system is an LLDP-MED Network Connectivity Device (Device Type 4).
Type   SubType   TLV                      Description
127    10        Inventory — Model Name   Indicates the model of the LLDP-MED device.
127    11        Inventory — Asset ID     Indicates a user-specified device number to manage inventory.
127    12–255    Reserved                 —
LLDP-MED Capabilities TLV
The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
• VLAN tagged or untagged status
• Layer 2 priority
• DSCP value
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell EMC Networking OS CLI (Advertising TLVs).
• through the CLI. Dell EMC Networking also honors the power priority value the powered device sends; however, the CLI configuration takes precedence. Power Value — Dell EMC Networking advertises the maximum amount of power that can be supplied on the port. By default the power is 15.4W, which corresponds to a power value of 130, based on the TIA-1057 specification. You can advertise a different power value using the max-milliwatts option with the power inline auto | static command.
Example of the protocol lldp Command (CONFIGURATION Level)
R1(conf)#protocol lldp
R1(conf-lldp)#?
advertise     Advertise TLVs
disable       Disable LLDP protocol globally
end           Exit from configuration mode
exit          Exit from LLDP configuration mode
hello         LLDP hello configuration
mode          LLDP mode configuration (default = rx and tx)
multiplier    LLDP multiplier configuration
no            Negate a command or set its defaults
show          Show LLDP configuration
DellEMC(conf-lldp)#exit
DellEMC(conf)#interface tengigabitethernet 1/3
DellEMC(conf-if
   management-interface
3. Enable LLDP.
   PROTOCOL LLDP mode
   no disable
Disabling and Undoing LLDP on Management Ports
To disable or undo LLDP on management ports, use the following commands.
1. Enter PROTOCOL LLDP mode.
   CONFIGURATION mode
   protocol lldp
2. Enter LLDP management-interface mode.
   PROTOCOL LLDP mode
   management-interface
3. Enter the disable command.
   LLDP-MANAGEMENT-INTERFACE mode
   disable
To undo an LLDP management port configuration, precede the relevant command with the keyword no.
Figure 84. Configuring LLDP
Storing and Viewing Unrecognized LLDP TLVs
Dell EMC Networking OS can store unrecognized (reserved and organizationally specific) LLDP TLVs and retrieve the stored unrecognized TLVs using SNMP. When an incoming TLV from an LLDP neighbor is not recognized, the TLV is categorized as an unrecognized TLV. Unrecognized TLVs are categorized into two types:
1. Reserved unrecognized LLDP TLV
2.
Viewing Unrecognized LLDP TLVs
You can view or retrieve the stored unrecognized (reserved and organizationally specific) TLVs using the show lldp neighbor details command. View all the LLDP TLV information, including unrecognized TLVs, using the snmpwalk and snmpget commands.
Viewing the LLDP Configuration
To view the LLDP configuration, use the following command.
• Display the LLDP configuration.
  CONFIGURATION or INTERFACE mode
  show config
The following example shows viewing an LLDP global configuration.
Local port   Remote host name     Remote port ID            Remote chassis ID
Te 1/1                            TenGigabitEthernet 1/5    00:01:e8:05:40:46
Te 1/2                            TenGigabitEthernet 1/6    00:01:e8:05:40:46
Ma 1/1       swlab2-maa-tor-...   TenGigabitEthernet 1/3    d8:9e:f3:b2:61:20
DellEMC(conf-if-te-1/3)#
The LLDP neighbor (remote host) name is truncated if it is longer than 15 characters.
Total TLVs Discarded: 16
Next packet will be sent after 9 seconds
The neighbors are given below:
-----------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 00:00:00:00:00:01
Remote Port Subtype: Interface name (5)
Remote Port ID: TenGigabitEthernEt 1/40
Local Port ID: TenGigabitEthernet 1/1
Locally assigned remote Neighbor Index: 1
Remote TTL: 120
Information valid for next 44 seconds
Time since last information change of this neighbor: 00:01:39
UnknownTLVList:
OrgUnknownTLVList: ((00-01-66),127, 4) ((00-01-66),126, 4) ((00-01-66),125, 4) ((00-01-66),124, ((00-01-66),122, 4) ((00-01-66),121, 4) ((00-01-66),120, 4) ((00-01-66),119,
---------------------------------------------------------------------------
Remote Chassis ID Subtype: Mac address (4)
Remote Chassis ID: 4c:76:25:f4:ab:03
Remote Port Subtype: Interface name (5)
Remote Port ID: fortyGigE 1/2/8/1
Local Port ID: TenGigabitEthernet
• CLI — Through the snmp-notification-interval command.
  Example: snmp-notification-interval [5–3600]
• SNMP — Through the snmpset command.
  Example: snmpset -c public -v2c 10.16.127.10 LLDP-MIB::lldpNotificationInterval.0 i 20
  A writable community string such as public over SNMPv2c travels in the clear and lets anyone who knows it change this setting; restrict write access to known managers or use SNMPv3 with authentication and privacy in production.
• REST API — Through the REST API method.
Configuring LLDP Notification Interval
This implementation has been introduced to adhere to the IEEE 802.1AB standard.
protocol lldp
 advertise dot1-tlv port-protocol-vlan-id port-vlan-id
 advertise dot3-tlv max-frame-size
 advertise management-tlv system-capabilities system-description
 no disable
R1(conf-lldp)#
Configuring the Time to Live Value
The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier.
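The unrecognized-TLV section and the TTL section above both describe how the switch walks an LLDPDU: each TLV carries a 7-bit type and a 9-bit length, reserved types (9–126) and organizationally specific TLVs (type 127, keyed by OUI and subtype) that the receiver does not know are listed as unrecognized, and the neighbor's TTL is hello multiplied by the multiplier. The following is an added example, not Dell EMC code, that parses such a frame in Python with bounds checks on every length field. The sample frame is constructed for the example; the set of "known" organizationally specific TLVs, the hello value of 30 and multiplier of 4 used to build it are assumptions, chosen so the result matches the TTL of 120 and the ((00-01-66),127, 4) tuple format shown in the neighbor output above.

```python
"""Added example, not Dell EMC code: parse an LLDPDU, classify unrecognized
TLVs the way the neighbor-details output groups them (reserved vs.
organizationally specific), and compute the neighbor TTL as hello * multiplier.
The sample frame and the KNOWN_ORG_TLVS set are constructed for this example."""
import struct
from dataclasses import dataclass, field

END_LLDPDU, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
ORG_SPECIFIC = 127

# (OUI, subtype) pairs this parser treats as recognized; an assumed subset.
KNOWN_ORG_TLVS = {
    (b"\x00\x80\xc2", 1): "IEEE 802.1 Port VLAN ID",
    (b"\x00\x12\x0f", 4): "IEEE 802.3 Maximum Frame Size",
    (b"\x00\x12\xbb", 1): "TIA-1057 LLDP-MED Capabilities",
}


@dataclass
class Lldpdu:
    chassis_id: bytes = b""
    port_id: str = ""
    ttl: int = 0
    system_name: str = ""
    reserved_unknown: list = field(default_factory=list)  # (type, length)
    org_unknown: list = field(default_factory=list)       # (oui, subtype, length)
    errors: list = field(default_factory=list)


def parse_lldpdu(data: bytes) -> Lldpdu:
    """Walk the TLV chain; never trust a length field without a bounds check."""
    pdu = Lldpdu()
    off = 0
    while off + 2 <= len(data):
        hdr = struct.unpack_from("!H", data, off)[0]
        tlv_type, length = hdr >> 9, hdr & 0x1FF   # 7-bit type, 9-bit length
        off += 2
        if off + length > len(data):
            pdu.errors.append(f"type {tlv_type}: length {length} exceeds frame")
            break
        value = data[off:off + length]
        off += length
        if tlv_type == END_LLDPDU:
            break
        if tlv_type == CHASSIS_ID:
            pdu.chassis_id = value[1:]          # byte 0 is the chassis ID subtype
        elif tlv_type == PORT_ID:
            pdu.port_id = value[1:].decode("utf-8", "replace")   # byte 0 is the subtype
        elif tlv_type == TTL:
            if length < 2:
                pdu.errors.append("TTL TLV shorter than 2 bytes")
            else:
                pdu.ttl = struct.unpack("!H", value[:2])[0]
        elif tlv_type == SYS_NAME:
            pdu.system_name = value.decode("utf-8", "replace")
        elif tlv_type == ORG_SPECIFIC:
            if length < 4:
                pdu.errors.append("org-specific TLV shorter than OUI + subtype")
                continue
            key = (value[:3], value[3])
            if key not in KNOWN_ORG_TLVS:
                pdu.org_unknown.append((value[:3].hex("-"), value[3], length - 4))
        elif 9 <= tlv_type <= 126:
            pdu.reserved_unknown.append((tlv_type, length))
        # Types 4, 6, 7 and 8 are recognized basic TLVs; not decoded in this example.
    return pdu


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def ttl_seconds(hello: int, multiplier: int) -> int:
    """Neighbor information expires after hello * multiplier seconds."""
    return hello * multiplier


def sample_frame() -> bytes:
    """Constructed LLDPDU: MAC chassis ID, interface-name port ID, TTL 120,
    one recognized and one unknown org-specific TLV, and one reserved-type TLV."""
    return b"".join([
        tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("000000000001")),
        tlv(PORT_ID, b"\x05" + b"TenGigabitEthernet 1/40"),
        tlv(TTL, struct.pack("!H", ttl_seconds(30, 4))),     # assumed hello 30, multiplier 4
        tlv(SYS_NAME, b"neighbor-1"),
        tlv(ORG_SPECIFIC, b"\x00\x80\xc2\x01" + struct.pack("!H", 10)),   # PVID 10, recognized
        tlv(ORG_SPECIFIC, b"\x00\x01\x66\x7f" + b"\x00\x01\x02\x03"),     # OUI 00-01-66, subtype 127
        tlv(100, b"\xaa\xbb\xcc"),                                          # reserved type 100
        tlv(END_LLDPDU, b""),
    ])


if __name__ == "__main__":
    print(parse_lldpdu(sample_frame()))
```

The parser stops at the first length field that runs past the frame and records the error rather than reading beyond the buffer, which is the check a receiver needs because a neighbor controls every length byte in the LLDPDU.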
Figure 85. The debug lldp detail Command — LLDPDU Packet Dissection Example of debug lldp Command Output with Unrecognized Reserved and Organizational Specific LLDP TLVs The following is an example of LLDPDU with both (Reserved and Organizational specific) unrecognized TLVs.
Table 58. LLDP Configuration MIB Objects
MIB Object Category   LLDP Variable   LLDP MIB Object               Description
LLDP Configuration    adminStatus     lldpPortConfigAdminStatus     Whether you enable the local LLDP agent for transmit, receive, or both.
                      msgTxHold       lldpMessageTxHoldMultiplier   Multiplier value.
                      msgTxInterval   lldpMessageTxInterval         Transmit Interval value.
                      rxInfoTTL       lldpRxInfoTTL                 Time to live for received TLVs.
                      txInfoTTL       lldpTxInfoTTL                 Time to live for transmitted TLVs.
TLV Type   TLV Name              TLV Variable                   System   LLDP MIB Object
                                                                Remote   lldpRemSysDesc
7          System Capabilities   system capabilities            Local    lldpLocSysCapSupported
                                                                Remote   lldpRemSysCapSupported
                                 enabled capabilities           Local    lldpLocSysCapEnabled
                                                                Remote   lldpRemSysCapEnabled
8          Management Address    management address length      Local    lldpLocManAddrLen
                                                                Remote   lldpRemManAddrLen
                                 management address subtype     Local    lldpLocManAddrSubtype
                                                                Remote
                                 management address
                                 interface numbering subtype
                                 interface number
                                 OID
Table 61.
TLV Sub-Type   TLV Name   TLV Variable     System   LLDP-MED MIB Object
                                                    lldpXMedLocXPoEPDPowerSource
                                           Remote   lldpXMedRemXPoEPSEPowerSource
                                                    lldpXMedRemXPoEPDPowerSource
                          Power Priority   Local    lldpXMedLocXPoEPDPowerPriority
                                                    lldpXMedLocXPoEPSEPortPDPriority
                                           Remote   lldpXMedRemXPoEPSEPowerPriority
                                                    lldpXMedRemXPoEPDPowerPriority
                          Power Value      Local    lldpXMedLocXPoEPSEPortPowerAv
                                                    lldpXMedLocXPoEPDPowerReq
                                           Remote   lldpXMedRemXPoEPSEPowerAv
                                                    lldpXMedRemXPoEPDPowerReq
30 Microsoft Network Load Balancing Network load balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems (OSs). NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
• The NLB Unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. Because flooding delivers the cluster's traffic to every port in the VLAN, keep the NLB hosts in a dedicated VLAN so that unrelated hosts cannot observe it.
• This limitation is applicable to switches that perform unicast flooding in the software.
• The ip vlan-flooding command applies globally across the system and for all VLANs.
This setting causes the multicast MAC address to be mapped to the Cluster IP address for the NLB mode of operation of the switch.
NOTE: While configuring static ARP for the Cluster IP, provide any one of the interfaces that is used in the static multicast MAC configuration, where the Cluster host is connected. Because the switch accepts only one ARP-to-interface pair, if you configure static ARP with each egress interface, the switch overwrites the previous egress-interface configuration.
2.
31 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell EMC Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 87.
Implementation Information The Dell EMC Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process. 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 88.
Figure 89.
Figure 90.
Figure 91. Configuring MSDP
Enable MSDP
Enable MSDP by peering RPs in different administrative domains.
1. Enable MSDP.
   CONFIGURATION mode
   ip multicast-msdp
2. Peer PIM systems in different administrative domains.
   CONFIGURATION mode
   ip msdp peer connect-source
R3(conf)#ip multicast-msdp
R3(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group.
R3#show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache
To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error.
• Cache rejected sources.
  CONFIGURATION mode
  ip msdp cache-rejected-sa
Accept Source-Active Messages that Fail the RPF Check
A default peer is a peer from which active sources are accepted even though they fail the RPF check. Because the RPF check is the only thing preventing a peer from injecting (S,G,RP) state for arbitrary sources, pair a default peer with an access list that names the RPs you trust rather than accepting everything it advertises.
Figure 93.
Figure 94. MSDP Default Peer, Scenario 4
Specifying Source-Active Messages
To specify messages, use the following command.
• Specify the forwarding peer and originating RP from which all active sources are accepted without regard for the RPF check.
  CONFIGURATION mode
  ip msdp default-peer ip-address list
If you do not specify an access list, the peer accepts all sources that the peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check.
DellEMC(conf)#ip msdp peer 10.0.50.
3 rejected SAs received, cache-size 32766
UpTime     GroupAddr     SourceAddr   RPAddr       LearnedFrom   Reason
00:33:18   229.0.50.64   24.0.50.64   200.0.1.50   10.0.50.2     Rpf-Fail
00:33:18   229.0.50.65   24.0.50.65   200.0.1.50   10.0.50.2     Rpf-Fail
00:33:18   229.0.50.66   24.0.50.66   200.0.1.50   10.0.50.2     Rpf-Fail
Limiting the Source-Active Messages from a Peer
To limit the source-active messages from a peer, use the following commands.
1. OPTIONAL: Store sources that are received after the limit is reached in the rejected SA cache.
2. Prevent the system from caching remote sources learned from a specific peer based on source and group.
   CONFIGURATION mode
   ip msdp sa-filter list out peer list ext-acl
As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.
[Router 3]
R3(conf)#do show run msdp
!
ip multicast-msdp
ip msdp peer 192.168.0.
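The rejected-SA cache, default-peer, SA-limit and SA-filter sections above each describe one gate an incoming Source-Active message passes through on the RP. The following is an added example, not Dell EMC code, that models those gates in Python in the order the text implies (RPF check with the default-peer exception, then the ingress SA filter, then the per-peer limit) and records rejects when the rejected-SA cache is enabled. The RPF-peer lookup is represented by a constructed dictionary rather than a unicast RIB, the per-peer limit is an assumed count on cached entries, and the reason strings other than Rpf-Fail are labels chosen for this example. The r3_scenario function replays the R3 output above: three SAs for RP 200.0.1.50 arrive from 10.0.50.2, which is not the RPF peer for that RP, and are accepted only once 10.0.50.2 becomes a default peer.

```python
"""Added example, not Dell EMC code: model of how an RP decides whether an
incoming Source-Active (S, G, RP) from an MSDP peer enters the SA cache.
The RPF-peer table, the per-peer SA limit and the reasons other than
Rpf-Fail are assumptions of this example."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SaMessage:
    source: str
    group: str
    rp: str            # originating RP
    learned_from: str  # peer that forwarded the SA


class StdAcl:
    """Standard ACL on one address: entries are (action, prefix); implicit deny."""
    def __init__(self, entries):
        self.entries = entries

    def permits(self, addr: str) -> bool:
        for action, prefix in self.entries:
            if ip_address(addr) in ip_network(prefix):
                return action == "permit"
        return False


class ExtAcl:
    """Extended ACL on (source, group): entries are (action, src, grp); implicit deny."""
    def __init__(self, entries):
        self.entries = entries

    def permits(self, source: str, group: str) -> bool:
        for action, src, grp in self.entries:
            if ip_address(source) in ip_network(src) and ip_address(group) in ip_network(grp):
                return action == "permit"
        return False


class MsdpRp:
    def __init__(self, rpf_peer: dict[str, str], cache_rejected: bool = False):
        self.rpf_peer = rpf_peer              # originating RP -> RPF peer (assumed RIB result)
        self.cache_rejected = cache_rejected  # ip msdp cache-rejected-sa
        self.default_peers: dict[str, StdAcl | None] = {}   # ip msdp default-peer <peer> [list]
        self.sa_filter_in: dict[str, ExtAcl] = {}           # ip msdp sa-filter in <peer> list
        self.sa_limit: dict[str, int] = {}                  # per-peer cap on cached SAs (assumed)
        self.sa_cache: dict[tuple[str, str], SaMessage] = {}
        self.rejected: list[tuple[SaMessage, str]] = []

    def rpf_ok(self, sa: SaMessage) -> bool:
        """A default peer bypasses RPF unless its ACL denies the originating RP;
        otherwise the SA must arrive from the RPF peer toward that RP."""
        if sa.learned_from in self.default_peers:
            acl = self.default_peers[sa.learned_from]
            if acl is None or acl.permits(sa.rp):
                return True
        return self.rpf_peer.get(sa.rp) == sa.learned_from

    def learned_from(self, peer: str) -> int:
        return sum(1 for s in self.sa_cache.values() if s.learned_from == peer)

    def _reject(self, sa: SaMessage, reason: str) -> str:
        if self.cache_rejected:
            self.rejected.append((sa, reason))
        return reason

    def receive(self, sa: SaMessage) -> str:
        """Return 'Accepted' or the reject reason; update the caches accordingly."""
        if not self.rpf_ok(sa):
            return self._reject(sa, "Rpf-Fail")
        acl = self.sa_filter_in.get(sa.learned_from)
        if acl is not None and not acl.permits(sa.source, sa.group):
            return "Filtered"          # dropped by the ingress filter, not a rejected-cache entry
        key = (sa.source, sa.group)
        limit = self.sa_limit.get(sa.learned_from)
        if limit is not None and key not in self.sa_cache and self.learned_from(sa.learned_from) >= limit:
            return self._reject(sa, "Sa-Limit")
        self.sa_cache[key] = sa
        return "Accepted"


def r3_scenario() -> list[str]:
    """Constructed replay of the R3 output: SAs for RP 200.0.1.50 arrive from
    10.0.50.2, but the RPF peer for that RP is 192.168.0.1."""
    rp = MsdpRp(rpf_peer={"200.0.1.50": "192.168.0.1"}, cache_rejected=True)
    sas = [SaMessage(f"24.0.50.{n}", f"229.0.50.{n}", "200.0.1.50", "10.0.50.2")
           for n in (64, 65, 66)]
    before = [rp.receive(sa) for sa in sas]
    rp.default_peers["10.0.50.2"] = None      # ip msdp default-peer 10.0.50.2, no list
    after = [rp.receive(sa) for sa in sas]
    return before + after


if __name__ == "__main__":
    print(r3_scenario())   # three Rpf-Fail, then three Accepted
```

The order of the gates matters: an SA that fails RPF never reaches the ingress filter, and an SA the filter drops is not recorded as a rejected source, which matches the statement above that filtered entries are not stored in the rejected SA cache.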
To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode.
Logging Changes in Peership States
To log changes in peership states, use the following command.
• Log peership state changes.
  CONFIGURATION mode
  ip msdp log-adjacency-changes
Terminating a Peership
MSDP uses TCP as its transport protocol. In a peering relationship, the peer with the lower IP address initiates the TCP session, while the peer with the higher IP address listens on port 639. Because the session is plain TCP, restrict port 639 on the RP to the configured peer addresses so that only intended peers can open a session.
R3(conf)#do show ip msdp peer
Peer Addr: 192.168.0.1
  Local Addr: 0.0.0.0(0)  Connect Source: Lo 0
  State: Inactive  Up/Down Time: 00:00:04
  Timers: KeepAlive 30 sec, Hold time 75 sec
  SourceActive packet count (in/out): 0/0
  SAs learned from this peer: 0
  SA Filtering:
    Input (S,G) filter: myremotefilter
    Output (S,G) filter: none
Debugging MSDP
To debug MSDP, use the following command.
• Display the information exchanged between peers.
Figure 95. MSDP with Anycast RP
Configuring Anycast RP
To configure anycast RP, use the following commands.
1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address.
   CONFIGURATION mode
   interface loopback
2. Make this address the RP for the group.
   CONFIGURATION mode
   ip pim rp-address
3.
 network
Reducing Source-Active Message Flooding
RPs flood source-active messages to all of their peers away from the originating RP. When multiple RPs exist within a domain, the RPs forward received active-source information back to the originating RP, which violates the RPF rule. You can prevent this unnecessary flooding by creating a mesh group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following example shows an R2 configuration for MSDP with Anycast RP.
ip multicast-routing
!
interface TenGigabitEthernet 2/1
 ip pim sparse-mode
 ip address 10.11.4.1/24
 no shutdown
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip pim sparse-mode
 ip address 192.168.0.1/32
 no shutdown
!
interface Loopback 1
 ip address 192.168.0.
 network 10.11.6.0/24 area 0
 network 192.168.0.3/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 200
!
router bgp 200
 redistribute ospf 1
 neighbor 192.168.0.22 remote-as 100
 neighbor 192.168.0.22 ebgp-multihop 255
 neighbor 192.168.0.22 update-source Loopback 0
 neighbor 192.168.0.22 no shutdown
!
ip multicast-msdp
ip msdp peer 192.168.0.11 connect-source Loopback 0
ip msdp peer 192.168.0.22 connect-source Loopback 0
ip msdp sa-filter out 192.168.0.22
!
ip route 192.168.0.1/32 10.11.0.
!
interface TenGigabitEthernet 2/11
 ip pim sparse-mode
 ip address 10.11.1.21/24
 no shutdown
!
interface TenGigabitEthernet 2/31
 ip pim sparse-mode
 ip address 10.11.0.23/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.2/32
 no shutdown
!
router ospf 1
 network 10.11.1.0/24 area 0
 network 10.11.4.0/24 area 0
 network 192.168.0.2/32 area 0
 redistribute static
 redistribute connected
 redistribute bgp 100
!
router bgp 100
 redistribute ospf 1
 neighbor 192.168.0.3 remote-as 200
 neighbor 192.168.0.
!
ip route 192.168.0.2/32 10.11.0.23
MSDP Sample Configuration: R4 Running-Config
ip multicast-routing
!
interface TenGigabitEthernet 4/1
 ip pim sparse-mode
 ip address 10.11.5.1/24
 no shutdown
!
interface TenGigabitEthernet 4/22
 ip address 10.10.42.1/24
 no shutdown
!
interface TenGigabitEthernet 4/31
 ip pim sparse-mode
 ip address 10.11.6.43/24
 no shutdown
!
interface Loopback 0
 ip address 192.168.0.4/32
 no shutdown
!
router ospf 1
 network 10.11.5.0/24 area 0
 network 10.11.6.0/24 area 0
 network 192.168.0.
32 Multicast Listener Discovery Protocol Dell Networking OS Supports Multicast Listener Discovery (MLD) protocol. Multicast Listener Discovery (MLD) is a Layer 3 protocol that IPv6 routers use to learn of the multicast receivers that are directly connected to them and the groups in which the receivers are interested. Multicast routing protocols (like PIM) use the information learned from MLD to route multicast traffic to all interested receivers.
Destination Address field). To avoid duplicate reporting, any host that hears a report from another host for the same group in which it itself is interested cancels its report for that group. A host does not have to wait for a General Query to join a group. If a host wants to become a member of a group for which the router is not currently forwarding traffic, it should send an unsolicited report.
[Packet-format diagram: trailing fields Source Address [1] through Source Address [N]; the rest of the diagram is not recoverable from the extracted text.]
Version 2 multicast listener reports are sent by IP nodes to report (to neighboring routers) the current multicast listening state, or changes in the multicast listening state, of their interfaces.
[Packet-format diagram: fields Source Address [2] through Source Address [N], followed by Auxiliary Data; the rest of the diagram is not recoverable from the extracted text.]
INTERFACE mode
ipv6 mld version {1 | 2}
If you do not configure the MLD version, the system defaults to version 2. The ipv6 mld version command is applicable for MLD snooping-enabled interfaces.
Clearing MLD groups
Clear a specific group or all groups on an interface from the multicast routing table. To clear MLD groups, use the following command:
EXEC Privilege mode
clear ipv6 mld groups
Debugging MLD
Display Dell Networking OS messages about the MLD process.
Group Address  Interface  Mode   Uptime    Expires
Ff08::12       Vlan 10    MLDv2  00:00:12  00:02:05
Displaying MLD Interfaces
Display MLD interfaces.
33 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves per-VLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances. Protocol Overview MSTP — specified in IEEE 802.
• Modifying the Interface Parameters
• Setting STP path cost as constant
• Configuring an EdgePort
• Flush MAC Addresses after a Topology Change
• MSTP Sample Configurations
• Debugging and Verifying MSTP Configurations
Spanning Tree Variations
The Dell EMC Networking OS supports four variations of spanning tree, as shown in the following table.
Table 62. Spanning Tree Variations
Dell EMC Networking Term              IEEE Specification
Spanning Tree Protocol (STP)          802.1d
Rapid Spanning Tree Protocol (RSTP)   802.
Enable Multiple Spanning Tree Globally
MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of MSTI 0.
• Within an MSTI, only one path from any bridge to any other bridge is enabled.
• Bridges block a redundant path by disabling one of the link ports.
1. Enter PROTOCOL MSTP mode.
   CONFIGURATION mode
   protocol spanning-tree mstp
2. Enable MSTP.
To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode.
DellEMC(conf-mstp)#name my-mstp-region
DellEMC(conf-mstp)#exit
DellEMC(conf)#do show spanning-tree mst config
MST region name: my-mstp-region
Revision: 0
MSTI  VID
  1   100
  2   200-300
To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
no disable
MSTI 1 VLAN 100
MSTI 2 VLAN 200,300
MSTI 2 bridge-priority 0
Interoperate with Non-Dell Bridges
Dell EMC Networking OS supports only one MSTP region. A region is a combination of three unique qualities:
• Name is a mnemonic string you assign to the region. The default region name is null.
• Revision is a 2-byte number. The default revision number is 0.
• VLAN-to-instance mapping is the placement of a VLAN in an MSTI.
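As an added illustration of why all three region attributes must match (this is example code written for this discussion, not Dell EMC Networking OS code), the following Python computes the MST Configuration Digest that MSTP bridges carry in BPDUs alongside the region name and revision: an HMAC-MD5 over the 4096-entry VLAN-to-MSTI table using the fixed key defined in IEEE 802.1Q. The bridge dictionaries reuse this chapter's sample (region my-mstp-region, MSTI 1 for VLAN 100, MSTI 2 for VLANs 200-300) and are constructed inputs; two bridges with the same name and revision but a different mapping produce different digests and therefore form separate regions.

```python
import hashlib
import hmac
import struct

# Fixed HMAC-MD5 key that IEEE 802.1Q defines for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def expand_vlans(spec):
    """Expand a VLAN list in the guide's notation: '100', '200-300' or '200,300'."""
    vids = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vids.extend(range(lo, hi + 1))
        else:
            vids.append(int(part))
    return vids


def vlan_to_msti_table(mapping):
    """Build the 4096-entry VID -> MSTID table from {msti: 'vlan spec'}.
    VLANs not listed stay in MSTI 0 (the CIST); VID 0 and 4095 are always 0."""
    table = [0] * 4096
    for msti, spec in mapping.items():
        for vid in expand_vlans(spec):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} out of range")
            if table[vid] != 0:
                raise ValueError(f"VLAN {vid} is already mapped to MSTI {table[vid]}")
            table[vid] = msti
    return table


def configuration_digest(mapping):
    """HMAC-MD5 over the table serialised as 4096 big-endian 16-bit MSTIDs (8192 bytes)."""
    data = struct.pack("!4096H", *vlan_to_msti_table(mapping))
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def same_region(bridge_a, bridge_b):
    """Two bridges share an MST region only if name, revision and digest all match.
    Each bridge is a dict with 'name', 'revision' and 'mapping' keys (constructed input)."""
    return (
        bridge_a["name"] == bridge_b["name"]
        and bridge_a["revision"] == bridge_b["revision"]
        and configuration_digest(bridge_a["mapping"]) == configuration_digest(bridge_b["mapping"])
    )


# Constructed bridges using this chapter's mapping (MSTI 1: VLAN 100, MSTI 2: VLANs 200-300).
BRIDGE_R1 = {"name": "my-mstp-region", "revision": 0, "mapping": {1: "100", 2: "200-300"}}
BRIDGE_R2 = {"name": "my-mstp-region", "revision": 0, "mapping": {1: "100", 2: "200-300"}}
# Same name and revision, but VLAN 300 left in the CIST: the digest differs, so R3 is its own region.
BRIDGE_R3 = {"name": "my-mstp-region", "revision": 0, "mapping": {1: "100", 2: "200-299"}}
```

With an empty mapping (every VLAN in the CIST) the function returns the well-known default digest AC36177F50283CD4B83821D8AB26DE62 that bridges display for an unconfigured region, which is a quick way to confirm the serialisation is right before comparing digests between vendors.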
forward-delay seconds
The range is from 4 to 30. The default is 15 seconds.
2. Change the hello-time parameter.
   PROTOCOL MSTP mode
   hello-time seconds
   NOTE: With large configurations (especially those with more ports), Dell EMC Networking recommends increasing the hello-time.
   The range is from 1 to 10. The default is 2 seconds.
3. Change the max-age parameter.
   PROTOCOL MSTP mode
   max-age seconds
   The range is from 6 to 40. The default is 20 seconds.
4. Change the max-hops parameter.
Port Cost                                           Default Value
100-Gigabit Ethernet interfaces                     200
Port Channel with 100 Mb/s Ethernet interfaces      100000
Port Channel with 1-Gigabit Ethernet interfaces     10000
Port Channel with 10-Gigabit Ethernet interfaces    1000
Port Channel with 25-Gigabit Ethernet interfaces    400
Port Channel with 50-Gigabit Ethernet interfaces    200
Port Channel with 100-Gigabit Ethernet interfaces   100
To change the port cost or priority of an interface, use the following commands.
1.
Dell EMC Networking OS Behavior: Regarding bpduguard shutdown-on-violation behavior:
• If the interface to be shut down is a port channel, all the member ports are disabled in the hardware.
• When you add a physical port to a port channel already in the Error Disable state, the new member port is also disabled in the hardware.
Figure 97. MSTP with Three VLANs Mapped to Two Spanning Tree Instances
Router 1 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
Router 2 Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3. Create VLANs mapped to MSTP instances and tag interfaces to the VLANs.
 no shutdown
!
(Step 3)
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 3/11,21
 no shutdown
SFTOS Example Running-Configuration
This example uses the following steps:
1. Enable MSTP globally, set the region name and revision, and map MSTP instances to the VLANs.
2. Assign Layer-2 interfaces to the MSTP topology.
3.
Debugging and Verifying MSTP Configurations
To debug and verify the MSTP configuration, use the following commands.
• Display BPDUs.
  EXEC Privilege mode
  debug spanning-tree mstp bpdu
• Display MSTP-triggered topology change messages.
  debug spanning-tree mstp events
To ensure all the necessary parameters match (region name, region revision, and VLAN-to-instance mapping), examine your individual routers. To show various portions of the MSTP configuration, use the show spanning-tree mst commands.
Name: Tahiti, Rev: 123 (MSTP region name and revision), Int Root Path Cost: 0
Rem Hops: 19, Bridge Id: 32768:0001.e8d5.cbbd 4w0d4h :
INST 1 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.953e, Int Root Cost: 0
Brg/Port Prio: 32768/128, Rem Hops: 19
INST 2 (MSTP Instance): Flags: 0x78, Reg Root: 32768:0001.e806.
34 Multicast Features NOTE: Multicast routing is supported on secondary IP addresses; it is not supported on IPv6. NOTE: Multicast routing is supported across default and non-default virtual routing and forwarding (VRFs).
Protocol  Ethernet Address
PIM-SM    01:00:5e:00:00:0d
• The Dell EMC Networking OS implementation of MTRACE is in accordance with IETF draft draft-fenner-traceroute-ipm.
• Multicast is not supported on secondary IP addresses.
• If you enable multicast routing, egress Layer 3 ACL is not applied to multicast data traffic.
• Multicast traffic can be forwarded to a maximum of 15 VLANs with the same outgoing interface.
NOTE: The IN-L3-McastFib CAM partition stores multicast routes and is a separate hardware limit that exists per portpipe. A software-configured limit may supersede this hardware space limitation. The opposite is also true: the CAM partition might not be exhausted at the time the system-wide route limit configured with the ip multicast-limit command is reached.
Figure 98. Preventing a Host from Joining a Group
The following table lists the location and description shown in the previous illustration.
Table 64. Preventing a Host from Joining a Group — Description
Location  Description
1/21      Interface TenGigabitEthernet 1/21
          ip pim sparse-mode
          ip address 10.11.12.1/24
          no shutdown
1/31      Interface TenGigabitEthernet 1/31
          ip pim sparse-mode
          ip address 10.11.13.
Location  Description
2/11      Interface TenGigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface TenGigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface TenGigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface TenGigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.13.
interfaces are listed. R2 has no filter, so it is allowed to forward both groups. As a result, Receiver 1 receives only one transmission, while Receiver 2 receives duplicate transmissions. Figure 99. Preventing a Source from Transmitting to a Group The following table lists the location and description shown in the previous illustration. Table 65.
Location  Description
          ip address 10.11.1.1/24
          no shutdown
2/11      Interface TenGigabitEthernet 2/11
          ip pim sparse-mode
          ip address 10.11.12.2/24
          no shutdown
2/31      Interface TenGigabitEthernet 2/31
          ip pim sparse-mode
          ip address 10.11.23.1/24
          no shutdown
3/1       Interface TenGigabitEthernet 3/1
          ip pim sparse-mode
          ip address 10.11.5.1/24
          no shutdown
3/11      Interface TenGigabitEthernet 3/11
          ip pim sparse-mode
          ip address 10.11.13.
Understanding Multicast Traceroute (mtrace)
Multicast Traceroute (mtrace) is a multicast diagnostic facility used for tracing multicast paths. Mtrace enables you to trace the path that a multicast packet takes from its source to the destination. When you initiate mtrace from a source to a destination, an mtrace Query packet with IGMP type 0x1F is sent to the last-hop multicast router for the given destination. The mtrace query packet is forwarded hop-by-hop until it reaches the last-hop router.
the RPF neighbor. When a Dell EMC Networking system is the last hop to the destination, Dell EMC Networking OS sends a response to the query. To print the network path, use the following command.
• Print the network path that a multicast packet takes from a multicast source to a receiver, for a particular group.
Command Output Description
-4 103.103.103.3 --> Source
• (1.1.1.1): Outgoing interface address at that node for the source and group.
• (PIM): Multicast protocol used at the node to retrieve the information.
• (Reached RP/Core): Forwarding code in mtrace denoting that the RP node is reached.
• (103.103.103.0/24): Source network and mask. If the (*,G) tree is used, this field has the value (shared tree).
Scenario
destination by using the multicast tables for that group.
Output
destination 1.1.1.1 via group 226.0.0.3
From source (?) to destination (?)
---------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code  |Source Network/Mask|
---------------------------------------------------------------
  0   1.1.1.1          -->    Destination
 -1   1.1.1.1          PIM    Reached RP/Core   103.103.103.0/24
 -2   101.101.101.102  PIM                      103.103.103.0/24
 -3   2.2.2.1          PIM                      103.103.103.0/24
 -4   103.103.103.
Scenario
Output
Querying reverse path for source 103.103.103.3 to destination 1.1.1.1 via RPF
From source (?) to destination (?)
---------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code  |Source Network/Mask|
---------------------------------------------------------------
  0   1.1.1.1          -->    Destination
 -1   1.1.1.1          PIM                      103.103.103.0/24
 -2   101.101.101.102  PIM                      103.103.103.0/24
 -3   2.2.2.1          PIM                      103.103.103.0/24
 -4   103.103.103.
Scenario
is not PIM enabled, the output of the command displays a NO ROUTE error code in the Forwarding Code column. In the command output, the entry for that node in the Source Network/Mask column displays the value default. If a multicast tree is not formed because of a configuration issue (for example, PIM is not enabled on one of the interfaces on the path), you can invoke a weak mtrace to identify the location in the network where the error originated.
Output
Querying reverse path for source 6.6.
Scenario
output of the command displays a ‘*’ indicating that no response is received for an mtrace request. The following message appears when the system performs a hop-by-hop search: “switching to hop-by-hop:”
Output
1.1.1.1 via RPF
From source (?) to destination (?)
* * * * switching to hop-by-hop:
---------------------------------------------------------------
|Hop| OIF IP          |Proto| Forwarding Code  |Source Network/Mask|
---------------------------------------------------------------
  0   1.1.1.
Scenario
Output
. . .
-146  17.17.17.17  PIM  No space in packet  99.99.0.0/16
-----------------------------------------------------------------
In a valid scenario, mtrace request packets are expected to be received on the OIF of the node. However, due to incorrect formation of the multicast tree, the packet may be received on a wrong interface. In such a scenario, a corresponding error message is displayed.
R1>mtrace 6.6.6.6 4.4.4.5
Type Ctrl-C to abort.
Querying reverse path for source 6.6.6.
To clear MLD groups, use the following command:
EXEC Privilege mode
clear ipv6 mld groups
Debugging MLD
Display Dell Networking OS messages about the MLD process. To display debugging messages, use the following command:
EXEC Privilege mode
debug ipv6 mld
Explicit Tracking
If the Querier does not receive a response to a Multicast-Address-Specific Query, it sends another. Then, after no response, it removes the group entry from the group membership table.
show ipv6 mld interface vlan 20
Dell#show ipv6 mld interface vlan 20
Vlan 20 is up, line protocol is up
Inbound MLD access group is not set
Internet address is fe80::92b1:1cff:fef4:9b63/64
MLD is enabled on interface
MLD query interval is 60 seconds
MLD querier timeout is 125 seconds
MLD max query response time is 10 seconds
MLD last member query response interval is 1000 ms
MLD immediate-leave is enabled for all groups
MLD activity: 0 joins
MLD querying router is 35::1 (this system)
MLD version is 2
MLD S
Specify port as connected to multicast router
To statically specify or view a port in a VLAN, use the following commands:
1. Statically specify a port in a VLAN as connected to a multicast router.
   INTERFACE VLAN mode
   ipv6 mld snooping mrouter
2. View the ports that are connected to multicast routers.
   EXEC Privilege mode
   show ipv6 mld snooping mrouter
Enable Snooping Explicit Tracking
The switch can be a querier, and therefore also has the option of updating the group table through explicit tracking.
36 Object Tracking IPv4 or IPv6 object tracking is available on Dell EMC Networking OS. Object tracking allows the Dell EMC Networking OS client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell EMC Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 100. Object Tracking Example
When you configure a tracked object, such as an IPv4/IPv6 route or interface, you specify an object number to identify the object. Optionally, you can also specify:
• UP and DOWN thresholds used to report changes in a route metric.
• A time delay before changes in a tracked object’s state are reported to a client.
Track Layer 2 Interfaces
You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
VRRP Object Tracking As a client, VRRP can track up to 20 objects (including route entries, and Layer 2 and Layer 3 interfaces) in addition to the 12 tracked interfaces supported for each VRRP group. You can assign a unique priority-cost value from 1 to 254 to each tracked VRRP object or group interface. The priority cost is subtracted from the VRRP group priority if a tracked VRRP object is in a DOWN state.
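The exact-match rule for tracked routes and the VRRP priority-cost arithmetic described above, as an added Python example (not Dell code): the routing table, interface states and tracked objects are constructed inputs, and tracked_route_state, longest_prefix_match and vrrp_effective_priority are names chosen here. longest_prefix_match is included only for contrast, to show why a covering route such as 10.0.0.0/8 satisfies forwarding but not a tracked 10.0.0.0/24. The floor of 1 on the resulting priority is an assumption the guide does not state.

```python
import ipaddress


def tracked_route_state(tracked_prefix, routing_table):
    """A tracked route is UP only when a routing-table entry has the exact address AND
    prefix length; a less specific covering route does not count."""
    target = ipaddress.ip_network(tracked_prefix)
    present = any(ipaddress.ip_network(entry) == target for entry in routing_table)
    return "UP" if present else "DOWN"


def longest_prefix_match(address, routing_table):
    """Ordinary forwarding lookup, for contrast: the most specific covering route wins."""
    addr = ipaddress.ip_address(address)
    covering = [n for n in (ipaddress.ip_network(e) for e in routing_table) if addr in n]
    return str(max(covering, key=lambda n: n.prefixlen)) if covering else None


def vrrp_effective_priority(base_priority, tracked_objects, routing_table, interface_states):
    """Subtract the priority cost of every tracked object that is DOWN.
    tracked_objects: dicts with 'kind' ('route' or 'interface'), 'target' and 'cost'.
    Limits from the guide: at most 20 tracked objects, cost 1..254 each.
    Assumption (not stated in the guide): the result is floored at 1."""
    if len(tracked_objects) > 20:
        raise ValueError("VRRP can track at most 20 objects")
    penalty = 0
    for obj in tracked_objects:
        if not 1 <= obj["cost"] <= 254:
            raise ValueError(f"priority cost {obj['cost']} out of range")
        if obj["kind"] == "route":
            state = tracked_route_state(obj["target"], routing_table)
        else:
            state = interface_states.get(obj["target"], "DOWN")
        if state == "DOWN":
            penalty += obj["cost"]
    return max(1, base_priority - penalty)


# Constructed routing table, interface states and tracked objects for the demonstration.
ROUTING_TABLE = ["10.0.0.0/8", "192.168.1.0/24", "2001:db8::/32"]
INTERFACE_STATES = {"TenGigabitEthernet 1/1": "UP", "TenGigabitEthernet 1/2": "DOWN"}
TRACKED = [
    {"kind": "route", "target": "10.0.0.0/24", "cost": 30},      # DOWN: only 10.0.0.0/8 exists
    {"kind": "route", "target": "192.168.1.0/24", "cost": 20},   # UP: exact match
    {"kind": "interface", "target": "TenGigabitEthernet 1/2", "cost": 10},  # DOWN
]


def demo():
    """Base priority 100 minus the two DOWN objects (30 + 10) gives 60."""
    return vrrp_effective_priority(100, TRACKED, ROUTING_TABLE, INTERFACE_STATES)
```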
Track 100
 Interface TenGigabitEthernet 1/1 line-protocol
 Description: San Jose data center
Tracking a Layer 3 Interface
You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface. You can track the routing status of any of the following Layer 3 interfaces:
• For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport] information.
The following is an example of configuring object tracking for an IPv6 interface:
DellEMC(conf)#track 103 interface tengigabitethernet 1/11 ipv6 routing
DellEMC(conf-track-103)#description Austin access point
DellEMC(conf-track-103)#end
DellEMC#show track 103
Track 103
 Interface TenGigabitEthernet 7/11 ipv6 routing
 Description: Austin access point
Track an IPv4/IPv6 Route
You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route.
CONFIGURATION mode
track object-id {ip route ip-address/prefix-len | ipv6 route ipv6-address/prefix-len} reachability [vrf vrf-name]
Valid object IDs are from 1 to 500. Enter an IPv4 address in dotted decimal format; valid IPv4 prefix lengths are from /0 to /32. Enter an IPv6 address in X:X:X:X::X format; valid IPv6 prefix lengths are from /0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs.
2.
To change the refresh interval for tracking an IPv4 or IPv6 route, use the following command. Change the reachability refresh interval for tracking of an IPv4 or IPv6 route. CONFIGURATION mode track reachability refresh interval The refresh interval range is from 0 to 60 seconds. The default is 60 seconds.
The following example configures object tracking on the metric threshold of an IPv4 route:
DellEMC(conf)#track 6 ip route 2.1.1.0/24 metric threshold
DellEMC(conf-track-6)#delay down 20
DellEMC(conf-track-6)#delay up 20
DellEMC(conf-track-6)#description track ip route metric
DellEMC(conf-track-6)#threshold metric down 40
DellEMC(conf-track-6)#threshold metric up 40
DellEMC(conf-track-6)#exit
DellEMC(conf)#track 10 ip route 3.1.1.
Example of the show track brief Command
Router# show track brief
ResId  Resource               Parameter     State  LastChange
1      IP route reachability  10.16.0.0/16
Example of the show track resolution Command
DellEMC#show track resolution
IP Route Resolution
 ISIS 1
 OSPF 1
IPv6 Route Resolution
 ISIS 1
Example of the show track vrf Command
DellEMC#show track vrf red
Track 5
 IP route 192.168.0.
37 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell EMC Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell EMC Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 101. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. An OSPF backbone is responsible for distributing routing information between areas. It consists of all area border routers, networks not wholly contained in any area, and their attached routers. NOTE: If you configure two non-backbone areas, then you must enable the B bit in OSPF.
Networks and Neighbors
As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keepalive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
• (for example, the ASBR where the Type 5 advertisement originated. The link-state ID for Type 4 LSAs is the router ID of the described ASBR).
• Type 5 LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number.
Figure 103. Priority and Cost Examples OSPF with Dell EMC Networking OS The Dell EMC Networking OS supports up to 128,000 OSPF routes for OSPFv2. Dell EMC Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell EMC Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell EMC Networking OS supports only one OSPFv3 process per VRF. OSPFv2 and OSPFv3 can co-exist but you must configure them individually.
to interrupt the forwarding of data packets. This behavior is supported because the forwarding tables previously computed by an active RPM have been downloaded into the forwarding information base (FIB) on the line cards (the data plane) and are still resident. For packets that have existing FIB/CAM entries, forwarding between ingress and egress ports/VLANs, and so on, can continue uninterrupted while the control plane OSPF process comes back to full functionality and rebuilds its routing tables.
Processing SNMP and Sending SNMP Traps
Only the OSPF process in the default VRF can process SNMP requests and send SNMP traps.
NOTE: An SNMP GET request for the OspfNbrOption field in the OspfNbrTable returns a value of 66.
OSPF ACK Packing
The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases.
NOTE: By default, OSPF is disabled. Configuration Task List for OSPFv2 (OSPF for IPv4) You can perform the following tasks to configure Open Shortest Path First version 2 (OSPF for IPv4) on the switch. Two of the tasks are mandatory; others are optional.
If you are using a Loopback interface, refer to Loopback Interfaces.
2. Enable the interface.
   CONFIG-INTERFACE mode
   no shutdown
3. Return to CONFIGURATION mode to enable the OSPFv2 process globally.
   CONFIGURATION mode
   router ospf process-id [vrf {vrf name}]
   • vrf name: enter the keyword VRF and the instance name to tie the OSPF instance to the VRF. All network commands under this OSPF instance are later tied to the VRF instance.
   The process-id range is from 0 to 65535.
You can assign the area in the following step by a number or with an IP interface address.
• Enable OSPFv2 on an interface and assign a network address range to a specific OSPF area.
  CONFIG-ROUTER-OSPF-id mode
  network ip-address mask area area-id
  The IP address format is A.B.C.D/M. The area ID range is from 0 to 65535 or A.B.C.D/M.
Enable OSPFv2 on Interfaces
Enable and configure OSPFv2 on each interface (configured for a Layer 3 protocol), and ensure the interface is not shut down.
Adjacent with neighbor 13.1.1.1 (Designated Router)
DellEMC>
Loopback interfaces also help the OSPF process. OSPF picks the highest interface address as the router-id, and a Loopback interface address has a higher precedence than other interface addresses.
Example of Viewing OSPF Status on a Loopback Interface
DellEMC#show ip ospf 1 int
TenGigabitEthernet 1/23 is up, line protocol is up
Internet Address 10.168.0.1/24, Area 0.0.0.1
Process ID 1, Router ID 10.168.253.
3.3.3.3 1 0 0 0 0 1
DellEMC#
To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode.
Enabling Passive Interfaces
A passive interface is one that does not send or receive routing information. Enabling a passive interface suppresses routing updates on that interface. Although the passive interface does not send or receive routing updates, the network on that interface is still included in OSPF updates sent via other interfaces.
Setting the convergence parameter (from 1 to 4) indicates the actual convergence level. Each convergence setting adjusts the LSA parameters to zero, but the fast-convergence parameter setting allows for even finer tuning of the convergence speed. The higher the number, the faster the convergence. To enable or disable fast-convergence, use the following command. • Enable OSPF fast-convergence and specify the convergence level.
• Change the time interval between hello-packet transmissions.
  CONFIG-INTERFACE mode
  ip ospf hello-interval seconds
  • seconds: the range is from 1 to 65535 (the default is 10 seconds).
  • The hello interval must be the same on all routers in the OSPF network.
• Use the MD5 algorithm to produce a message digest (a keyed hash of the packet), which is sent instead of the key.
  CONFIG-INTERFACE mode
  ip ospf message-digest-key keyid md5 key
  • keyid: the range is from 1 to 255.
  • key: a character string.
Enabling OSPFv2 Authentication
To enable or change various OSPF authentication parameters, use the following commands.
• Set a clear text authentication scheme on the interface.
  CONFIG-INTERFACE mode
  ip ospf authentication-key key
  Configure a key that is a text string no longer than eight characters. All neighboring routers must share the password to exchange OSPF information.
• Set the authentication change wait time in seconds, between 0 and 300, for the interface.
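To show what the message-digest-key command changes on the wire compared with the clear text authentication-key, here is an added Python example (not Dell code) that follows RFC 2328 Appendix D for AuType 2: the key is padded with zeros to 16 bytes and hashed together with the packet, only the 16-byte digest is appended, and the receiver rejects a modified packet, a packet signed with another key, and a packet whose cryptographic sequence number has gone backwards. The Hello body, router ID and the key s3cret are constructed values; build_header, sign_packet and verify_packet are names chosen here.

```python
import hashlib
import hmac
import struct

# RFC 2328 values: 24-byte OSPFv2 header, AuType 2 = cryptographic (MD5) authentication.
OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTO = 2
AUTH_DATA_LEN = 16  # MD5 digest size
HEADER_LEN = 24


def build_header(packet_len, router_id, area_id, key_id, seq):
    """OSPFv2 header for AuType 2. The checksum field is 0 (RFC 2328 D.4.3) and the
    8-byte Authentication field carries 0x0000, Key ID, Auth Data Length and the
    cryptographic sequence number; the key itself never goes on the wire."""
    return struct.pack(
        "!BBH4s4sHHHBBI",
        OSPF_VERSION, OSPF_HELLO, packet_len, router_id, area_id,
        0, AUTYPE_CRYPTO, 0, key_id, AUTH_DATA_LEN, seq,
    )


def _padded_key(key):
    """The guide's 'key: a character string'; RFC 2328 pads it with zeros to 16 bytes."""
    raw = key.encode() if isinstance(key, str) else key
    if len(raw) > 16:
        raise ValueError("OSPFv2 MD5 key is at most 16 bytes")
    return raw.ljust(16, b"\x00")


def sign_packet(packet, key):
    """Append MD5(packet || padded key). The digest is not counted in the OSPF length field."""
    return packet + hashlib.md5(packet + _padded_key(key)).digest()


def verify_packet(wire, key, last_seq=None):
    """Receiver-side check: the digest must match for the configured key and the sequence
    number must not go backwards (the replay protection of RFC 2328 D.4.3)."""
    if len(wire) < HEADER_LEN + AUTH_DATA_LEN:
        return False
    packet_len, = struct.unpack("!H", wire[2:4])
    autype, = struct.unpack("!H", wire[14:16])
    seq, = struct.unpack("!I", wire[20:24])
    if autype != AUTYPE_CRYPTO or len(wire) != packet_len + AUTH_DATA_LEN:
        return False
    packet, digest = wire[:packet_len], wire[packet_len:]
    expected = hashlib.md5(packet + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, digest):
        return False
    if last_seq is not None and seq < last_seq:
        return False
    return True


def demo():
    """Constructed Hello (20-byte body: mask, hello 10 s, options, priority, dead 40 s, DR, BDR)."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40, bytes(4), bytes(4))
    header = build_header(HEADER_LEN + len(body), bytes([10, 0, 0, 1]), bytes(4), 1, 1000)
    wire = sign_packet(header + body, "s3cret")
    tampered = bytearray(wire)
    tampered[HEADER_LEN + 4] ^= 0x01  # flip a bit in the hello interval
    return {
        "valid": verify_packet(wire, "s3cret", last_seq=999),
        "tampered": verify_packet(bytes(tampered), "s3cret", last_seq=999),
        "wrong_key": verify_packet(wire, "other-key", last_seq=999),
        "replayed": verify_packet(wire, "s3cret", last_seq=1001),
    }
```

The sequence-number check is why a capture of a valid Hello cannot simply be re-sent later to keep a stale adjacency alive, and the keyed digest is why a clear text authentication-key offers no integrity protection at all: with AuType 1 the eight-character key itself travels in the header.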
By default, OSPFv2 supports both restarting and helper roles. Selecting one or the other role restricts OSPFv2 to the single selected role. To disable OSPFv2 graceful-restart after you have enabled it, use the no graceful-restart grace-period command in CONFIG-ROUTER-OSPF-id mode. The command returns OSPF graceful-restart to its default state.
NOTE: The Helper mode is enabled by default on the device.
• Specify which routes are redistributed into the OSPF process.
  CONFIG-ROUTER-OSPF-id mode
  redistribute {bgp | connected | isis | rip | static} [metric metric-value | metric-type type-value] [route-map map-name] [tag tag-value]
  Configure the following required and optional parameters:
  • bgp, connected, isis, rip, static: enter one of the keywords to redistribute those routes.
  • metric metric-value: the range is from 0 to 4294967295.
  • metric-type type-value: 1 for OSPF external route type 1.
• show ip ospf timers rate-limit
• View debug messages.
  EXEC Privilege mode
  debug ip ospf process-id [event | packet | spf | database-timers rate-limit]
To view debug messages for a specific OSPF process ID, use the debug ip ospf process-id command. If you do not enter a process ID, the command applies to the first OSPF process. To view debug messages for a specific operation, enter one of the optional keywords:
• event: view OSPF event messages.
• packet: view OSPF packet information.
 network 192.168.100.0/24 area 0
!
interface TenGigabitEthernet 1/1
 ip address 10.1.11.1/24
 no shutdown
!
interface TenGigabitEthernet 1/2
 ip address 10.2.12.2/24
 no shutdown
!
interface Loopback 10
 ip address 192.168.100.100/24
 no shutdown
OSPF Area 0 — Te 3/1 and 3/2
router ospf 33333
 network 192.168.100.0/24 area 0
 network 10.0.13.0/24 area 0
 network 10.0.23.0/24 area 0
!
interface Loopback 30
 ip address 192.168.100.100/24
 no shutdown
!
interface TenGigabitEthernet 3/1
 ip address 10.1.13.
2. No-redistribute – To restrict Type-7 LSAs — When the NSSA ASBR is also an ABR, redistributed external routes need not be translated from Type-7 to Type-5 LSAs. The ABR directly injects external routes through Type-5 LSAs into the OSPF domain. It does not send Type-7 LSAs into the NSSA area.
3. No-summary – To act as a totally stubby area — An NSSA area can be converted into a totally stubby area to reduce the number of Type-3 LSAs.
IPv6 addresses are normally written as eight groups of four hexadecimal digits; separate each group by a colon (:). The format is A:B:C::F/128. 2. Bring up the interface. CONF-INT-type slot/port mode no shutdown Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router.
The format is A.B.C.D.
NOTE: Enter the router-id for an OSPFv3 router as an IPv4 IP address.
• Disable OSPF.
  CONFIGURATION mode
  no ipv6 router ospf process-id vrf {vrf-name}
• Reset the OSPFv3 process.
  EXEC Privilege mode
  clear ipv6 ospf [vrf vrf-name] process
Configuring Stub Areas
To configure IPv6 stub areas, use the following command.
• Configure the area as a stub area.
Configuring a Default Route To generate a default external route into the OSPFv3 routing domain, configure the following parameters. To specify the information for the default route, use the following command. • Specify the information for the default route.
Displaying Graceful Restart
To display information on the use and configuration of OSPFv3 graceful restart, enter any of the following commands.
• Display the graceful-restart configuration for OSPFv2 and OSPFv3 (shown in the following example).
  EXEC Privilege mode
  show run ospf
• Display the Type-11 Grace LSAs sent and received on an OSPFv3 router (shown in the following example).
LS Age               : 10
Link State ID        : 6.16.192.66
Advertising Router   : 100.1.1.1
LS Seq Number        : 0x80000001
Checksum             : 0x1DF1
Length               : 36
Associated Interface : Te 5/3
Restart Interval     : 180
Restart Reason       : Switch to Redundant Processor
OSPFv3 Authentication Using IPsec
OSPFv3 uses IPsec to provide authentication for OSPFv3 packets. IPsec authentication ensures security in the transmission of OSPFv3 packets between IPsec-enabled routers.
• In an OSPFv3 authentication policy:
  • AH is used to authenticate OSPFv3 headers and certain fields in IPv6 headers and extension headers.
  • MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported.
• In an OSPFv3 encryption policy:
  • Both encryption and authentication are used.
  • IPsec security associations (SAs) are supported only in Transport mode (Tunnel mode is not supported).
NOTE: When you configure encryption using the ipv6 ospf encryption ipsec command, you enable both IPsec encryption and authentication. However, when you enable authentication on an interface using the ipv6 ospf authentication ipsec command, you do not enable encryption at the same time. The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
• key: specifies the text string used in authentication. All neighboring OSPFv3 routers must share the key to exchange information. For MD5 authentication, the key must be 32 hex digits (non-encrypted) or 64 hex digits (encrypted). For SHA-1 authentication, the key must be 40 hex digits (non-encrypted) or 80 hex digits (encrypted).
• Remove an IPsec authentication policy from an OSPFv3 area.
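An added Python example (not Dell code) that applies the rules stated in this section and in the preceding NOTE to a constructed set of per-interface OSPFv3 authentication policies: a key must be 32/64 hex digits for MD5 or 40/80 for SHA-1, one SPI must identify exactly one policy on the router, and both ends of a link must carry the same SPI and key. ah_icv then shows the AH Integrity Check Value (HMAC truncated to 96 bits) that such a policy produces over authenticated bytes. The router names, links and keys are constructed; the encrypted key form is checked for length only, since its contents are device-specific.

```python
import hashlib
import hmac

# Key lengths the guide states, in hex digits: (non-encrypted form, encrypted form).
KEY_HEX_DIGITS = {"md5": (32, 64), "sha1": (40, 80)}
DIGEST = {"md5": hashlib.md5, "sha1": hashlib.sha1}


def check_key(algorithm, key_hex):
    """Return an error string, or None when the key is well-formed for the algorithm."""
    if algorithm not in KEY_HEX_DIGITS:
        return f"unsupported algorithm {algorithm}"
    try:
        bytes.fromhex(key_hex)
    except ValueError:
        return "key is not hexadecimal"
    if len(key_hex) not in KEY_HEX_DIGITS[algorithm]:
        plain, enc = KEY_HEX_DIGITS[algorithm]
        return f"{algorithm} key must be {plain} (non-encrypted) or {enc} (encrypted) hex digits, got {len(key_hex)}"
    return None


def validate_policies(policies):
    """Apply the guide's consistency rules to a list of per-interface policies.
    Each policy: {'router', 'interface', 'link', 'spi', 'algorithm', 'key'} (constructed).
    Rules: well-formed key; one SPI identifies one policy (same algorithm and key);
    every interface on the same link uses the same SPI and key."""
    issues = []
    spi_policy = {}
    for p in policies:
        where = f"{p['router']} {p['interface']}"
        err = check_key(p["algorithm"], p["key"])
        if err:
            issues.append(f"{where}: {err}")
        identity = (p["algorithm"], p["key"])
        if spi_policy.setdefault(p["spi"], identity) != identity:
            issues.append(f"{where}: SPI {p['spi']} is already used by a different policy")
    per_link = {}
    for p in policies:
        per_link.setdefault(p["link"], set()).add((p["spi"], p["key"]))
    for link, variants in sorted(per_link.items()):
        if len(variants) > 1:
            issues.append(f"link {link}: neighbours use different SPI/key pairs")
    return issues


def ah_icv(algorithm, key_hex, data):
    """Integrity Check Value as AH computes it with HMAC-MD5-96 / HMAC-SHA1-96:
    HMAC over the authenticated bytes, truncated to 96 bits. Non-encrypted key form only."""
    return hmac.new(bytes.fromhex(key_hex), data, DIGEST[algorithm]).digest()[:12]


K_SHA1 = "0123456789abcdef0123456789abcdef01234567"        # constructed 40-hex-digit SHA-1 key
K_SHA1_OTHER = "fedcba9876543210fedcba9876543210fedcba98"  # a different constructed key
K_MD5_SHORT = "00112233445566778899aabbccddee"             # 30 digits: malformed for MD5


def good_policies():
    """Both ends of link R1-R2 carry the same SPI and key: no findings."""
    return [
        {"router": "R1", "interface": "TenGigabitEthernet 1/1", "link": "R1-R2", "spi": 500, "algorithm": "sha1", "key": K_SHA1},
        {"router": "R2", "interface": "TenGigabitEthernet 1/1", "link": "R1-R2", "spi": 500, "algorithm": "sha1", "key": K_SHA1},
    ]


def bad_policies():
    """Mismatched keys on R1-R2 (SPI reuse plus link mismatch) and a short MD5 key on R1-R3."""
    return [
        {"router": "R1", "interface": "TenGigabitEthernet 1/1", "link": "R1-R2", "spi": 500, "algorithm": "sha1", "key": K_SHA1},
        {"router": "R2", "interface": "TenGigabitEthernet 1/1", "link": "R1-R2", "spi": 500, "algorithm": "sha1", "key": K_SHA1_OTHER},
        {"router": "R1", "interface": "TenGigabitEthernet 1/2", "link": "R1-R3", "spi": 600, "algorithm": "md5", "key": K_MD5_SHORT},
    ]
```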
  show crypto ipsec sa ipv6 [interface interface]
  To display information on the SAs used on a specific interface, enter interface interface, where interface is one of the following values:
  • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information.
  • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
  • For a port channel interface, enter the keywords port-channel then a number.
      replay detection support : N
      STATUS : ACTIVE
  inbound esp sas
  outbound esp sas

Interface: TenGigabitEthernet 1/2
  Link Local address: fe80::201:e8ff:fe40:4d11
  IPSecv6 policy name: OSPFv3-1-600
  inbound ah sas
  outbound ah sas
  inbound esp sas
    spi : 600 (0x258)
      transform : esp-des esp-sha1-hmac
      in use settings : {Transport, }
      replay detection support : N
      STATUS : ACTIVE
  outbound esp sas
    spi : 600 (0x258)
      transform : esp-des esp-sha1-hmac
      in use settings : {Transport, }
      replay detection support : N
      STATUS : ACTIVE
• View debug messages for all OSPFv3 interfaces.
  EXEC Privilege mode
  debug ipv6 ospf [vrf vrf-name] [event | packet] {type slot/port[/subport]}
  • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port[/subport] information.
  • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
  • For a port channel interface, enter the keywords port-channel then a number.
SNMPv2-SMI::mib-2.191.1.1.19.0 = Gauge32: 0
SNMPv2-SMI::mib-2.191.1.1.20.0 = INTEGER: 1

Configuration Task List for OSPFv3 (OSPF for IPv6)

This section describes the configuration tasks for Open Shortest Path First version 3 (OSPF for IPv6) on the switch. The configuration options of OSPFv3 are the same as those options for OSPFv2, but you may configure OSPFv3 with differently labeled commands. Specify process IDs and areas and include interfaces and addresses in the process.
  • interface-cost: The range is from 1 to 65535. The default cost is based on the bandwidth.
• Specify how the OSPF interface cost is calculated based on the reference bandwidth method. The cost of an interface is calculated as Reference Bandwidth/Interface speed.
  ROUTER OSPFv3 mode
  auto-cost [reference-bandwidth ref-bw]
  To return to the default bandwidth or to assign cost based on the interface type, use the no auto-cost [reference-bandwidth ref-bw] command.
  • ref-bw: The range is from 1 to 4294967.
  CONFIGURATION mode
  no ipv6 router ospf process-id
• Reset the OSPFv3 process.
  EXEC Privilege mode
  clear ipv6 ospf process

Assigning OSPFv3 Process ID and Router ID to a VRF

To assign, disable, or reset OSPFv3 on a non-default VRF, use the following commands.
• Enable the OSPFv3 process on a non-default VRF and enter OSPFv3 mode.
  CONFIGURATION mode
  ipv6 router ospf {process ID}
  • The process ID range is from 0 to 65535.
• Assign the router ID for this OSPFv3 process.
When you configure a passive interface, the show ipv6 ospf [vrf vrf-name] interface command adds the words passive interface to indicate that hello packets are not transmitted on that interface.

Redistributing Routes

You can add routes from other routing instances or protocols to the OSPFv3 process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. Route redistribution is also supported between OSPF routing process IDs.
NOTE: For the graceful-restart configuration to work, you must configure the grace period. Use the graceful-restart grace-period command to configure it.
• Enable OSPFv3 graceful restart globally by setting the grace period (in seconds).
  CONF-IPV6-ROUTER-OSPF mode
  graceful-restart grace-period seconds
  • The valid values are from 40 to 1800 seconds.
• Configure an OSPFv3 interface to not act on the Grace LSAs that it receives from a restarting OSPFv3 neighbor.
Process 1 database summary
  Type                      Count/Status
  Oper Status               1
  Admin Status              1
  Area Bdr Rtr Status       0
  AS Bdr Rtr Status         1
  AS Scope LSA Count        0
  AS Scope LSA Cksum sum    0
  Originate New LSAS        73
  Rx New LSAS               114085
  Ext LSA Count             0
  Rte Max Eq Cost Paths     5
  GR grace-period           180
  GR mode                   planned and unplanned

Area 0 database summary
  Type                      Count/Status
  Brd Rtr Count             2
  AS Bdr Rtr Count          2
  LSA count                 12010
  Summary LSAs              1
  Rtr LSA Count             4
  Net LSA Count             3
  Inter Area Pfx LSA Count  12000
  Inter Area Rtr LSA Count  0
  Group Mem LSA Count
• ESP — encapsulating security payload encapsulates data, enabling the protection of data that follows in the datagram. ESP provides authentication and confidentiality of every packet. The ESP extension header is designed to provide a combination of security services for both IPv4 and IPv6. Insert the ESP header after the IP header and before the next layer protocol header in Transport mode.
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. Configure the same authentication policy (the same SPI and key) on each OSPFv3 interface in a link.
• Enable IPsec authentication for OSPFv3 packets on an IPv6-based interface.
  INTERFACE mode
  ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} [key-encryption-type] key}
  • null: causes an authentication policy configured for the area to not be inherited on the interface.
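The two rules stated above and in the parameter description earlier in this section (key length per algorithm and key-encryption type; one SPI per IPsec policy on the router, with the same policy repeated on every interface of a link) lend themselves to an offline configuration check. The following is an added example, not Dell EMC Networking OS code: it parses interface lines in the form the guide shows and reports violations. The configuration text and keys are constructed, and the interpretation of key-encryption-type 7 as "encrypted key" is an assumption of this example.

```python
"""Configuration lint for OSPFv3 IPsec policies (added example, not Dell EMC code)."""
import re
from collections import defaultdict

# Required key length in hex digits from the guide, keyed by (algorithm, encrypted).
KEY_HEX_DIGITS = {
    ("MD5", False): 32, ("MD5", True): 64,
    ("SHA1", False): 40, ("SHA1", True): 80,
}

INTF_RE = re.compile(r"^interface\s+(?P<intf>\S+(?:\s+\S+)?)\s*$")
AUTH_RE = re.compile(
    r"^\s*ipv6 ospf authentication ipsec spi (?P<spi>\d+) (?P<alg>MD5|SHA1)"
    r"(?: (?P<enctype>\d))? (?P<key>[0-9A-Fa-f]+)\s*$"
)
ENC_RE = re.compile(r"^\s*ipv6 ospf encryption ipsec spi (?P<spi>\d+)\b")


def parse_policies(config_text):
    """Return (interface, kind, spi, alg, encrypted, key) for every IPsec policy line."""
    policies, intf = [], None
    for line in config_text.splitlines():
        m = INTF_RE.match(line)
        if m:
            intf = m.group("intf")
            continue
        m = AUTH_RE.match(line)
        if m:
            # Assumption: key-encryption-type 7 marks an encrypted key; an absent or
            # other value is treated as an unencrypted key.
            encrypted = m.group("enctype") == "7"
            policies.append((intf, "auth", int(m.group("spi")),
                             m.group("alg"), encrypted, m.group("key")))
            continue
        m = ENC_RE.match(line)
        if m:
            policies.append((intf, "enc", int(m.group("spi")), None, None, None))
    return policies


def check_policies(policies):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    spi_owners = defaultdict(set)  # SPI -> distinct (kind, alg, key) policies using it
    for intf, kind, spi, alg, encrypted, key in policies:
        if kind == "auth":
            want = KEY_HEX_DIGITS[(alg, encrypted)]
            if len(key) != want:
                findings.append(
                    f"{intf}: SPI {spi} {alg} key has {len(key)} hex digits, expected {want}")
        spi_owners[spi].add((kind, alg, key))
    # Same SPI + same key on several interfaces is one policy (expected on a link);
    # the same SPI used by different policies violates the uniqueness rule.
    for spi, owners in sorted(spi_owners.items()):
        if len(owners) > 1:
            findings.append(f"SPI {spi} is shared by {len(owners)} different IPsec policies")
    return findings


def lint(config_text):
    return check_policies(parse_policies(config_text))


# Constructed sample: Te 1/1 and 1/2 share one correct MD5 policy, Te 1/3 has a
# correct encrypted SHA1 key, Te 1/4 has a SHA1 key one digit short, and Te 1/5
# reuses SPI 500 for a different (encryption) policy.
K_MD5 = "0123456789abcdef" * 2   # 32 hex digits
K_SHA1_ENC = "0123456789" * 8    # 80 hex digits
K_SHA1_SHORT = "a" * 39          # deliberately one digit short
SAMPLE_CONFIG = f"""\
interface TenGigabitEthernet 1/1
 ipv6 ospf authentication ipsec spi 500 MD5 {K_MD5}
interface TenGigabitEthernet 1/2
 ipv6 ospf authentication ipsec spi 500 MD5 {K_MD5}
interface TenGigabitEthernet 1/3
 ipv6 ospf authentication ipsec spi 501 SHA1 7 {K_SHA1_ENC}
interface TenGigabitEthernet 1/4
 ipv6 ospf authentication ipsec spi 502 SHA1 {K_SHA1_SHORT}
interface TenGigabitEthernet 1/5
 ipv6 ospf encryption ipsec spi 500 esp null MD5 {K_MD5}
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against a saved running-configuration, the script flags a key that will never match its neighbor's (wrong length for the declared algorithm) before the adjacency fails, and an SPI reused across two policies, which the router rejects.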
  show crypto ipsec policy
• Display the security associations set up for OSPFv3 interfaces in encryption policies.
  show crypto ipsec sa ipv6

Configuring IPSec Authentication for an OSPFv3 Area

To configure, remove, or display IPSec authentication for an OSPFv3 area, use the following commands.

Prerequisite: Before you enable IPsec authentication on an OSPFv3 area, first enable OSPFv3 globally on the router (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
  • esp encryption-algorithm: specifies the encryption algorithm used with ESP. The valid values are 3DES, DES, AES-CBC, and NULL. For AES-CBC, only the AES-128 and AES-192 ciphers are supported.
  • key: specifies the text string used in the encryption. All neighboring OSPFv3 routers must share the same key to decrypt information.
  Transform set           : ah-md5-hmac

Crypto IPSec client security policy data
  Policy name             : OSPFv3-0-501
  Policy refcount         : 1
  Inbound ESP SPI         : 501 (0x1F5)
  Outbound ESP SPI        : 501 (0x1F5)
  Inbound ESP Auth Key    : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
  Outbound ESP Auth Key   : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97eb7c0c30808825fb5
  Inbound ESP Cipher Key  : bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba10345a1039ba8f8a
  Outbound ESP Cipher Key : bbdd96e6
Troubleshooting OSPFv3

The system provides several tools to troubleshoot OSPFv3 operation on the switch. This section describes typical OSPFv3 troubleshooting scenarios.

NOTE: The following troubleshooting section is not meant to be a comprehensive list, but only to provide some examples of typical troubleshooting checks.
38 Policy-based Routing (PBR)

Overview

When a router receives a packet, the router decides where to forward the packet based on the destination address in the packet, which is used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria: size, source, protocol type, destination, and so on.
• Dell EMC Networking OS supports multiple next-hop entries in the redirect lists.
• Redirect-lists are applied at Ingress.

PBR with Redirect-to-Tunnel Option: You can provide a tunnel ID for a redirect rule. In this case, the resolved next hop is the tunnel interface IP. The qualifiers of the rule pertain to the inner IP details. You must provide a tunnel ID for the next hop to be a tunnel interface.
To ensure the permit statement or PBR exception is effective, use a lower sequence number, as shown:

ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any

Create a Redirect List

To create a redirect list, use the following commands.
• Create a redirect list by entering the list name.
  CONFIGURATION mode
  ip redirect-list redirect-list-name
  • redirect-list-name: 16 characters.
  To delete the redirect list, use the no ip redirect-list command.
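The sequence-number rule above follows from first-match evaluation: entries are tried in ascending seq order and the first one that matches decides, so an exception placed after the catch-all redirect is never reached. The following added example (not Dell EMC Networking OS code) models that evaluation for permit and redirect entries with protocol, source and destination qualifiers; it does not model tunnel or track options. The second redirect list, rcl1, is constructed to show the ineffective ordering.

```python
"""First-match evaluation of a PBR redirect list (added example, not Dell EMC code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str              # "permit" (forward normally) or "redirect"
    next_hop: Optional[str]  # next-hop address for redirect entries
    proto: str               # "ip" (any), "tcp", "udp", "icmp" or a protocol number
    src: str                 # "any", "host A.B.C.D" or A.B.C.D/len
    dst: str


def _take_addr(toks, i):
    """Consume one address qualifier at toks[i]; return (spec, next index)."""
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return toks[i], i + 1


def parse_redirect_list(text):
    """Parse 'seq N permit|redirect [next-hop] proto src dst' lines, sorted by seq."""
    rules = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0] != "seq":
            continue  # the 'ip redirect-list NAME' header carries no rule
        seq, action, i = int(toks[1]), toks[2], 3
        next_hop = None
        if action == "redirect":
            next_hop, i = toks[i], i + 1
        proto, i = toks[i], i + 1
        src, i = _take_addr(toks, i)
        dst, i = _take_addr(toks, i)
        rules.append(Rule(seq, action, next_hop, proto, src, dst))
    return sorted(rules, key=lambda r: r.seq)


def _addr_matches(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec[5:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, proto, src, dst):
    """Return (action, next_hop) of the first matching entry, or ("no-match", None)
    when nothing matches and the packet is routed by the routing table."""
    for r in rules:  # ascending seq order: first match wins
        if (r.proto == "ip" or r.proto == proto) \
                and _addr_matches(r.src, src) and _addr_matches(r.dst, dst):
            return r.action, r.next_hop
    return "no-match", None


# EFFECTIVE mirrors the guide's rcl0: the exception for host 3.3.3.3 sits at
# seq 10, below the catch-all redirect at seq 15.
EFFECTIVE = """\
ip redirect-list rcl0
 seq 10 permit ip host 3.3.3.3 any
 seq 15 redirect 2.2.2.2 ip any any
"""
# INEFFECTIVE (constructed) places the same exception after the catch-all.
INEFFECTIVE = """\
ip redirect-list rcl1
 seq 15 redirect 2.2.2.2 ip any any
 seq 20 permit ip host 3.3.3.3 any
"""

if __name__ == "__main__":
    for name, text in (("rcl0", EFFECTIVE), ("rcl1", INEFFECTIVE)):
        rules = parse_redirect_list(text)
        print(name, "3.3.3.3 ->", evaluate(rules, "tcp", "3.3.3.3", "10.0.0.1"))
        print(name, "4.4.4.4 ->", evaluate(rules, "tcp", "4.4.4.4", "10.0.0.1"))
```

With rcl0, traffic from 3.3.3.3 is forwarded normally and everything else goes to 2.2.2.2; with rcl1 the permit entry is dead configuration and 3.3.3.3 is redirected as well.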
Example: Creating a Rule

DellEMC(conf-redirect-list)#redirect ?
A.B.C.D    Forwarding router's address
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ?
<0-255>    An IP protocol number
icmp       Internet Control Message Protocol
ip         Any Internet Protocol
tcp        Transmission Control Protocol
udp        User Datagram Protocol
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip ?
A.B.C.D    Source address
any        Any source host
host       A single source host
DellEMC(conf-redirect-list)#redirect 3.3.3.3 ip 222.1.1.1 ?
Mask A.B.C.
To apply a redirect list to an interface, use the following command. You can apply multiple redirect-lists to a redirect-group. It is also possible to create two or more redirect-groups on one interface for backup purposes.
• Apply a redirect list (policy-based routing) to an interface.
  INTERFACE mode
  ip redirect-group redirect-list-name test l2-switch
  • redirect-list-name is the name of a redirect list to apply to this interface.
  show cam-usage

List the redirect list configuration using the show ip redirect-list redirect-list-name command. The non-contiguous mask displays in dotted format (x.x.x.x). The contiguous mask displays in /x format.

DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
 Defined as:
 seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.22.2.
Sample Configuration

You can use the following example configuration to set up PBR. These are not comprehensive directions but are intended to give you guidance with typical configurations. You can copy and paste from these examples to your CLI. Make the necessary changes to support your own IP addresses, interfaces, names, and so on.

The Redirect-List GOLD defined in this example creates the following rules:
• description Route Gold traffic to the DS3
• seq 5 redirect 10.99.99.254 ip 192.168.1.
Assign Redirect-List GOLD to Interface 2/11

EDGE_ROUTER(conf)#int Te 2/11
EDGE_ROUTER(conf-if-Te-2/11)#ip add 192.168.3.2/24
EDGE_ROUTER(conf-if-Te-2/11)#no shut
EDGE_ROUTER(conf-if-Te-2/11)#
EDGE_ROUTER(conf-if-Te-2/11)#ip redirect-group GOLD
EDGE_ROUTER(conf-if-Te-2/11)#no shut
EDGE_ROUTER(conf-if-Te-2/11)#end
EDGE_ROUTER(conf-redirect-list)#end
EDGE_ROUTER#

View Redirect-List GOLD

EDGE_ROUTER#show ip redirect-list
IP redirect-list GOLD:
 Defined as:
 seq 5 redirect 10.99.99.254 ip 192.168.1.
Verify the Applied Redirect Rules:

DellEMC#show ip redirect-list redirect_list_with_track
IP redirect-list redirect_list_with_track
 Defined as:
 seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.0/24 222.22.2.0/24, Track 3 [up], Next-hop reachable (via Vl 20)
 seq 10 redirect 42.1.1.2 track 3 tcp any any, Track 3 [up], Next-hop reachable (via Vl 20)
 seq 15 redirect 42.1.1.2 track 3 udp 155.55.0.0/16 host 144.144.144.144, Track 3 [up], Nexthop reachable (via Vl 20)
 seq 20 redirect 42.1.1.2 track 3 udp any host 144.
DellEMC(conf-redirect-list)#redirect tunnel 2 track 2 tcp any any
DellEMC(conf-redirect-list)#end
DellEMC#

Apply the Redirect Rule to an Interface:

DellEMC#configure terminal
DellEMC(conf)#interface TenGigabitEthernet 2/28
DellEMC(conf-if-te-2/28)#ip redirect-group explicit_tunnel
DellEMC(conf-if-te-2/28)#exit
DellEMC(conf)#end

Verify the Applied Redirect Rules:

DellEMC#show ip redirect-list explicit_tunnel
IP redirect-list explicit_tunnel:
 Defined as:
 seq 5 redirect tunnel 1 track 1 tcp 155.55.2.0/24 222.
39 PIM Sparse-Mode (PIM-SM)

Implementation Information

The following information is necessary for implementing PIM-SM.
• The Dell EMC Networking implementation of PIM-SM is based on IETF Internet Draft draft-ietf-pim-sm-v2-new-05.
• The platform supports a maximum of 95 IPv4 and IPv6 PIM interfaces and 2000 multicast entries, including (*,G) and (S,G) entries.
• The maximum number of PIM neighbors is the same as the maximum number of PIM-SM interfaces.
Send Multicast Traffic

With PIM-SM, all multicast traffic must initially originate from the RP. A source must unicast traffic to the RP so that the RP can learn about the source and create an SPT to it. Then the last-hop DR may create an SPT directly to the source.
1. The source gateway router (first-hop DR) receives the multicast packets and creates an (S,G) entry in its multicast routing table. The first-hop DR encapsulates the initial multicast packets in PIM Register packets and unicasts them to the RP.
  INTERFACE mode
  {ip | ipv6} pim sparse-mode

To display which interfaces are enabled with PIM-SM, use the show {ip | ipv6} pim interface command from EXEC Privilege mode. Following is an example of show ip pim interface command output:

DellEMC#show ip pim interface
Address        Interface  Ver/  Nbr    Query  DR    DR
                          Mode  Count  Intvl  Prio
165.87.34.5    Te 1/10    v2/S  0      30     1     165.87.34.5
10.1.1.2       Vl 10      v2/S  1      30     1     10.1.1.2
20.1.1.5       Vl 20      v2/S  1      30     1     20.1.1.5
165.87.31.200  Vl 30      v2/S  1      30     1     165.87.31.
(*, 192.1.2.1), uptime 00:29:36, expires 00:03:26, RP 10.87.2.6, flags: SCJ
  Incoming interface: TenGigabitEthernet 1/12, RPF neighbor 10.87.3.5
  Outgoing interface list:
    TenGigabitEthernet 1/11
    TenGigabitEthernet 1/13

(10.87.31.5, 192.1.2.1), uptime 00:01:24, expires 00:02:26, flags: FT
  Incoming interface: TenGigabitEthernet 1/10, RPF neighbor 0.0.0.
Configuring a Static Rendezvous Point

The rendezvous point (RP) is a PIM-enabled interface on a router that acts as the root of a group-specific tree; every group must have an RP.
• Identify an RP by the IP address of a PIM-enabled or Loopback interface.
  {ip | ipv6} pim rp-address address group-address group-address mask [override]

Following is an example of IPv4 configuration:

DellEMC#show running-configuration interface loop0
!
interface Loopback 0
 ip address 1.1.1.
Following is an example of show ip pim rp mapping command output:

DellEMC#show ip pim rp mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
  RP: 165.87.50.5, v2

Following is an example of show ipv6 pim rp mapping command output:

Dell#show ipv6 pim rp mapping
PIM Group-to-RP Mappings
Group(s): ff00::/8, Static
  RP: 2001:100::1, v2
Dell#

Configuring a Designated Router

Multiple PIM-SM routers might be connected to a single local area network (LAN) segment.
  0/0 State-Refresh messages sent/received
  0/0 MSDP updates sent/received
  0/0 Null Register messages sent/received
  0/0 Register-stop messages sent/received
Data path event summary:
  0 no-cache messages received
  0 last-hop switchover messages received
  0/0 pim-assert messages sent/received
  0/0 register messages sent/received
DellEMC#

Following is an example of show ipv6 pim interface command output:

Dell#show ipv6 pim interface
Interface  Ver/  Nbr    Query  DR
           Mode  Count  Intvl  Prio
Te 1/3     v2/S  1      30     1
  Address : fe80
3. If you configure a secondary VLT peer as an E-BSR, then in case of an ICL flap or failover the VLT LAG goes down, resulting in a BSM timeout in the PIM domain, and a new BSR is elected. Hence, it is recommended to configure the primary VLT peer as E-BSR.

NOTE: BSR configuration in the multicast topology should ensure that the secondary VLT node is not selected as E-BSR. If it is selected as E-BSR during an ICL flap or VLT failover, traffic disruption will be reported.
40 PIM Source-Specific Mode (PIM-SSM)

PIM source-specific mode (PIM-SSM) is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM

To enable PIM-SSM, follow these steps.
1. Create an ACL that uses permit rules to specify what range of addresses should use SSM.
   CONFIGURATION mode
   ip access-list standard name
2. Enter the ip pim ssm-range command and specify the ACL you created.
   CONFIGURATION mode
   ip pim ssm-range acl-name

To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode.

R1(conf)#do show run pim
!
ip pim rp-address 10.11.12.2 group-address 224.0.0.
R1(conf)#ip igmp ssm-map map 10.11.5.2
R1(conf)#do show ip igmp groups
Total Number of Groups: 2
IGMP Connected Group Membership
Group Address   Interface   Mode            Uptime     Expires   Last Reporter
239.0.0.2       Vlan 300    IGMPv2-Compat   00:00:07   Never     10.11.3.2
  Member Ports: Te 1/1
239.0.0.1       Vlan 400    INCLUDE         00:00:10   Never     10.11.4.2
R1(conf)#show ip igmp ssm-map

Interface             Vlan 101
Group                 226.0.0.0
Uptime                10:40:31
Expires               Never
Router mode           IGMPv2
Last reporter         110.0.101.
Last reporter         10.11.3.2
Last reporter mode    IGMPv2
Last report received  Join
Group source list
Source address   Uptime     Expires
10.11.5.2        00:00:01   Never

Interface             Vlan 400
Group                 239.0.0.1
Uptime                00:00:05
Expires               Never
Router mode           INCLUDE
Last reporter         10.11.4.2
Last reporter mode    INCLUDE
Last report received  ALLOW
Group source list
Source address   Uptime     Expires
10.11.5.
Example:

DellEMC# show ip pim bsr-router
PIMv2 Bootstrap information
  This system is the Bootstrap Router (v2)
    BSR address: 7.7.7.7 (?)
    BSR Priority: 0, Hash mask length: 30
    Next bootstrap message in 00:00:08
  This system is a candidate BSR
    Candidate BSR address: 7.7.7.
41 Port Monitoring

Port monitoring (also referred to as mirroring) allows you to monitor ingress and/or egress traffic on specified ports. The mirrored traffic can be sent to a port to which a network analyzer is connected to inspect or troubleshoot the traffic. Mirroring is used for monitoring ingress, egress, or both ingress and egress traffic on specific ports. This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
configure up to 128 source ports in a monitoring session. Only one destination port is supported in a monitoring session. The platform supports multiple source-destination statements in a single monitor session. The maximum number of source ports that can be supported in a session is 128. The maximum number of destination ports that can be supported depends on the port mirroring directions as follows:
• 4 per port pipe, if the four destination ports mirror in one direction, either rx or tx.
                                                                     Drop  Rate  Gre-Protocol  FcMonitor
------  -------  -----------  ---  ---------  -------  -------  ----  ---  ----  ----  ------------  ---------
0       Te 1/13  Te 1/1       rx   interface  0.0.0.0  0.0.0.0  0     0    No    N/A   N/A           yes
10      Te 1/14  Te 1/1       rx   interface  0.0.0.0  0.0.0.0  0     0    No    N/A   N/A           yes
20      Te 1/15  Te 1/1       rx   interface  0.0.0.0  0.0.0.0  0     0    No    N/A   N/A           yes
30      Te 1/16  Te 1/1       rx   interface  0.0.0.0  0.0.0.0  0     0    No    N/A   N/A           yes
300     Te 1/17  Te 1/1       rx   interface  0.0.0.0  0.0.0.
DellEMC#
Configuring Port Monitoring

To configure port monitoring, use the following commands.
1. Verify that the intended monitoring port has no configuration other than no shutdown, as shown in the following example.
   EXEC Privilege mode
   show interface
2. Create a monitoring session using the command monitor session from CONFIGURATION mode, as shown in the following example.
   CONFIGURATION mode
   monitor session
   monitor session type rpm/erpm
   type is an optional keyword, required only for rpm and erpm.
3.
In the following example, the host and server are exchanging traffic which passes through the uplink interface 1/1. Port 1/1 is the monitored port and port 1/42 is the destination port, which is configured to only monitor traffic received on tengigabitethernet 1/1 (host-originated traffic).

Figure 106. Port Monitoring Example

Configuring Monitor Multicast Queue

To configure the monitor QoS multicast queue ID, use the following commands.
1. Configure the monitor QoS multicast queue ID.
   monitor session session-id
2. Enable flow-based monitoring for a monitoring session.
   MONITOR SESSION mode
   flow-based enable
3. Specify the source and destination port and direction of traffic.
   MONITOR SESSION mode
   source source-port destination destination-port direction rx
4. Define IP access-list rules that include the monitor keyword. For port monitoring, Dell EMC Networking OS only considers traffic matching rules with the monitor keyword.
Remote port mirroring helps network administrators monitor and analyze traffic to troubleshoot network problems in a time-saving and efficient way. In a remote-port mirroring session, monitored traffic is tagged with a VLAN ID and switched on a user-defined, non-routable L2 VLAN. The VLAN is reserved in the network to carry only mirrored traffic, which is forwarded on all egress ports of the VLAN.
• BPDU monitoring is not required to use remote port mirroring.
• A remote port mirroring session mirrors monitored traffic by prefixing the reserved VLAN tag to monitored packets so that they are copied to the reserved VLAN.
• Mirrored traffic is transported across the network using 802.1Q-in-802.1Q tunneling.
• The source address, destination address and original VLAN ID of the mirrored packet are preserved with the tagged VLAN header.
• On a source switch on which you configure source ports for remote port mirroring, you can add only one port to the dedicated RPM VLAN which is used to transport mirrored traffic. You can configure multiple ports for the dedicated RPM VLAN on intermediate and destination switches.

Displaying Remote-Port Mirroring Configurations

To display the current configuration of remote port mirroring for a specified session, enter the show config command in MONITOR SESSION configuration mode.
   CONFIGURATION mode
   interface vlan vlan-id
3. Configure the RSPAN VLAN to be used to transport mirrored traffic in RPM.
   VLAN INTERFACE mode
   mode remote-port-mirroring
4. Configure a tagged port to carry mirrored traffic in the VLAN.
   VLAN INTERFACE mode
   tagged interface
   You can repeat this command to configure additional tagged ports for the VLAN.

Configuring a source session

Following are the steps for configuring a source session on a switch.
Configuration Example of Remote Port Mirroring This example provides a sample configuration of remote port mirroring (RPM) on a source switch, an intermediate switch, and a destination switch based on the following illustration. Figure 108.
Following is a sample configuration of RPM on a destination switch.
Configuration Example of RPM for port-channel

This example provides a sample configuration of remote port mirroring for the port-channel source interface.

Configuring Remote Port Mirroring on source switch

The following configuration example shows that the source is a port-channel and the destination is the reserved VLAN (for example, remote-vlan 30).
• Configure the system MTU to accommodate the increased size of the ERPM mirrored packet.
• The maximum number of source ports you can define in a session is 128.
• The system encapsulates the complete ingress or egress data under a GRE header, IP header, and outer MAC header and sends it out on the next-hop interface indicated by the routing table.
• Specify flow-based enable when the source is a VLAN or when you need monitoring on a per-flow basis.
No 0 No 1 No Enabled Po 1 remote-ip Enabled Vl 11 remote-ip Enabled tx Port 1.1.1.1 7.1.1.2 0 255 No 100 111 rx Flow 5.1.1.1 3.1.1.2 0 255 No 100 139

The next example shows the configuration of an ERPM session in which VLAN 11 is monitored as the source interface and a MAC ACL filters the monitored ingress traffic.
Decapsulation of ERPM packets at the Destination IP/Analyzer

To decapsulate the original payload from the ERPM header, the following two methods are suggested:
1. Using a Network Analyzer
   • Install any well-known network packet analyzer tool that is open source and free to download.
   • Start capturing ERPM packets on the sniffer and save the capture to a trace file (for example, erpmwithheader.pcap).
   • The header that gets attached to the packet is 38 bytes long.
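The 38-byte figure above is the sum of an outer MAC header (14 bytes), an IPv4 header without options (20 bytes) and a GRE header without optional fields (4 bytes), which are the three headers the guide says ERPM adds. The following is an added example, not Dell EMC Networking OS or analyzer code: a decapsulator that verifies those assumptions (IPv4 EtherType, 20-byte IPv4 header, protocol 47, valid header checksum, no GRE flag bits) before stripping the header, which is what an analyzer-side script needs before it can hand the inner frame to a dissector. The encapsulation helper exists only to construct a test frame; the GRE protocol type it writes, the MAC addresses and the inner frame are constructed, and the source and destination IPs are taken from the session output shown earlier.

```python
"""Decapsulating ERPM mirrored frames (added example, not Dell EMC code)."""
import struct

ETH_LEN, IPV4_LEN, GRE_LEN = 14, 20, 4
ERPM_HEADER_LEN = ETH_LEN + IPV4_LEN + GRE_LEN  # 38 bytes, as the guide states
ETHERTYPE_IPV4, IPPROTO_GRE = 0x0800, 47


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum is valid."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_erpm_frame(inner_frame, src_ip, dst_ip, gre_proto=0x6558):
    """Constructed encapsulation for testing: outer Ethernet + IPv4 (proto 47) + basic GRE.
    The GRE protocol type is an assumption of this example, not a value from the guide."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    gre = struct.pack("!HH", 0x0000, gre_proto)  # no C/R/K/S flags, so 4 bytes
    ip = bytearray(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, IPV4_LEN + len(gre) + len(inner_frame), 0, 0, 255,
        IPPROTO_GRE, 0, bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))),
    ))
    struct.pack_into("!H", ip, 10, ipv4_checksum(ip))  # fill in the header checksum
    return eth + bytes(ip) + gre + inner_frame


def decap_erpm(frame):
    """Return the original mirrored frame from an ERPM packet; raise ValueError if the
    outer header is not the plain 38-byte form the guide describes."""
    if len(frame) < ERPM_HEADER_LEN:
        raise ValueError("frame shorter than the 38-byte ERPM header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"outer EtherType 0x{ethertype:04x} is not IPv4")
    ip = frame[ETH_LEN:ETH_LEN + IPV4_LEN]
    if ip[0] != 0x45:
        raise ValueError("outer IPv4 header is not version 4 with a 20-byte header")
    if ip[9] != IPPROTO_GRE:
        raise ValueError(f"outer IP protocol {ip[9]} is not GRE")
    if ipv4_checksum(ip) != 0:
        raise ValueError("outer IPv4 header checksum mismatch")
    (gre_flags,) = struct.unpack("!H", frame[34:36])
    if gre_flags & 0xF000:  # C, R, K or S set would mean a GRE header longer than 4 bytes
        raise ValueError("GRE header carries optional fields; not the 38-byte form")
    (total_len,) = struct.unpack("!H", ip[2:4])
    # Trim to the outer IP total length so Ethernet padding after the payload is dropped.
    return frame[ERPM_HEADER_LEN:ETH_LEN + total_len]


# Constructed inner frame: a minimal Ethernet frame with a 28-byte zeroed payload.
INNER = bytes.fromhex("aaaaaaaaaaaa") + bytes.fromhex("bbbbbbbbbbbb") + b"\x08\x06" + bytes(28)

if __name__ == "__main__":
    wrapped = build_erpm_frame(INNER, "1.1.1.1", "7.1.1.2")
    print(len(wrapped) - len(INNER), "byte header stripped:", decap_erpm(wrapped) == INNER)
```

Reading frames out of a saved capture (for example with a pcap library) and writing `decap_erpm(frame)` back to a new file gives the analyzer the mirrored traffic exactly as it left the monitored port.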
VLT Non-failover Scenario

Consider a scenario where port monitoring is configured to mirror traffic on a VLT device's port or LAG to a destination port on some other device (TOR) on the network. When there is no failover to the VLT peer, the V LTi link (ICL LAG) also receives the mirrored traffic, because the VLTi link is added as an implicit member of the RPM VLAN. As a result, the mirrored traffic also reaches the peer VLT device, affecting the VLTi link's bandwidth usage.
Scenario / RPM Restriction / Recommended Solution

... orphan port on the secondary VLT device through the ICL LAG. The port analyzer is connected to the secondary VLT device. ... device: source orphan port, destination remote vlan, direction rx/tx/both. The following example shows the configuration on the secondary VLT device: source remote vlan, destination orphan port.
42 Private VLANs (PVLAN)

The private VLAN (PVLAN) feature is supported on Dell EMC Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell EMC Networking OS Command Line Reference Guide.

Private VLANs extend the Dell EMC Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include:
• Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports.
• Host port — in the context of a private VLAN, is a port in a secondary VLAN:
  • The port must first be assigned that role in INTERFACE mode.
  • A port assigned the host role cannot be added to a regular VLAN.
Configuration Task List

The following sections contain the procedures that configure a private VLAN.
• Creating PVLAN Ports
• Creating a Primary VLAN
• Creating a Community VLAN
• Creating an Isolated VLAN

Creating PVLAN ports

PVLAN ports are ports that will be assigned to the PVLAN.
1. Access INTERFACE mode for the port that you want to assign to a PVLAN.
   CONFIGURATION mode
   interface interface
2. Enable the port.
   INTERFACE mode
   no shutdown
3. Set the port in Layer 2 mode.
   INTERFACE mode
   switchport
4.
2. Enable the VLAN.
   INTERFACE VLAN mode
   no shutdown
3. Set the PVLAN mode of the selected VLAN to primary.
   INTERFACE VLAN mode
   private-vlan mode primary
4. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
   • Specified with this command even before they have been created.
Creating an Isolated VLAN

An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN.
1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN.
   CONFIGURATION mode
   interface vlan vlan-id
2. Enable the VLAN.
   INTERFACE VLAN mode
   no shutdown
3. Set the PVLAN mode of the selected VLAN to isolated.
   INTERFACE VLAN mode
   private-vlan mode isolated
4. Add one or more host ports to the VLAN.
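The reachability rules stated in this chapter (community ports talk to their own community VLAN and to promiscuous ports; isolated ports talk only to promiscuous ports of the primary VLAN; promiscuous ports talk to everything in the PVLAN) are what a reviewer checks when a PVLAN is meant to enforce Layer 2 isolation between tenants. The following is an added example, not Dell EMC Networking OS code: it encodes those rules and evaluates them for a constructed port set based on the configuration example later in this chapter (primary VLAN 4000, isolated VLAN 4003, ports Te 1/1, 1/23, 1/24 and 1/47). Community VLAN 4001 and the ports Te 1/30 and 1/31 in it are assumptions added for illustration; trunk ports are not modelled.

```python
"""Private VLAN reachability rules (added example, not Dell EMC code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str   # "promiscuous" (in the primary VLAN) or "host" (in a secondary VLAN)
    vlan: int   # the primary VLAN for promiscuous ports, the secondary VLAN for host ports


class PvlanDomain:
    def __init__(self, primary, secondaries):
        # secondaries: secondary VLAN id -> "community" or "isolated"
        self.primary = primary
        self.secondaries = dict(secondaries)

    def _validate(self, port):
        if port.role == "promiscuous":
            if port.vlan != self.primary:
                raise ValueError(f"{port.name}: promiscuous port must be in primary VLAN {self.primary}")
        elif port.role == "host":
            if port.vlan not in self.secondaries:
                raise ValueError(f"{port.name}: VLAN {port.vlan} is not mapped to primary {self.primary}")
        else:
            raise ValueError(f"{port.name}: unknown PVLAN role {port.role}")

    def can_communicate(self, a, b):
        """True if Layer 2 traffic between ports a and b is permitted by the PVLAN rules."""
        self._validate(a)
        self._validate(b)
        if a.role == "promiscuous" or b.role == "promiscuous":
            return True   # promiscuous ports talk to every port in the domain
        if a.vlan != b.vlan:
            return False  # host ports in different secondary VLANs never talk directly
        # Same secondary VLAN: allowed only when it is a community VLAN
        return self.secondaries[a.vlan] == "community"

    def reachability(self, ports):
        """Map each ordered pair of distinct ports (a, b) to whether a may reach b."""
        return {(a.name, b.name): self.can_communicate(a, b)
                for a in ports for b in ports if a is not b}


DOMAIN = PvlanDomain(primary=4000, secondaries={4003: "isolated", 4001: "community"})
PORTS = [
    PvlanPort("Te 1/1", "promiscuous", 4000),
    PvlanPort("Te 1/23", "promiscuous", 4000),
    PvlanPort("Te 1/24", "host", 4003),   # isolated VLAN, from the chapter example
    PvlanPort("Te 1/47", "host", 4003),   # isolated VLAN, from the chapter example
    PvlanPort("Te 1/30", "host", 4001),   # community VLAN (assumed for illustration)
    PvlanPort("Te 1/31", "host", 4001),   # community VLAN (assumed for illustration)
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(DOMAIN.reachability(PORTS).items()):
        print(f"{src:8} -> {dst:8} {'allowed' if ok else 'blocked'}")
```

The matrix makes the isolation property explicit: the two isolated host ports cannot reach each other even though they share VLAN 4003, while the two community ports can, and every host port can still reach the promiscuous uplinks.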
Private VLAN Configuration Example

The following example shows a private VLAN topology.

Figure 110. Sample Private VLAN Topology

The following configuration is based on the example diagram for the Z9500:
• Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000.
• Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000.
• Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500.
• For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch).

Inspecting the Private VLAN Configuration

The standard methods of inspecting configurations also apply in PVLANs.
* 1 100 P 200 I 201 Inactive Inactive Inactive Inactive primary VLAN in PVLAN T Te 1/19-20 isolated VLAN in VLAN 200 T Te 1/21

The following example shows viewing a private VLAN configuration.
43 Per-VLAN Spanning Tree Plus (PVST+)

Protocol Overview

PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter.

Figure 111. Per-VLAN Spanning Tree

The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table.

Table 72.
Implementation Information
• The Dell EMC Networking OS implementation of PVST+ is based on IEEE Standard 802.1w.
• The Dell EMC Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell EMC Networking systems in a multivendor network, verify that the costs are values you intended.
• You can enable PVST+ on 254 VLANs.
To display your PVST+ configuration, use the show config command from PROTOCOL PVST mode.

Dell_E600(conf-pvst)#show config verbose
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096

Influencing PVST+ Root Selection

As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost.
To display the PVST+ forwarding topology, use the show spanning-tree pvst [vlan vlan-id] command from EXEC Privilege mode.

Dell_E600(conf)#do show spanning-tree pvst vlan 100
VLAN 100
  Root Identifier has priority 4096, Address 0001.e80d.b6d6
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge Identifier has priority 4096, Address 0001.e80d.b6d6
  Configured hello time 2, max age 20, forward delay 15
  We are the root of VLAN 100
  Current root has priority 4096, Address 0001.e80d.
Modifying Interface PVST+ Parameters

You can adjust two interface parameters (port cost and port priority) to increase or decrease the probability that a port becomes a forwarding port.
• Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
shut down when it receives a BPDU. When you only implement bpduguard, although the interface is placed in an Error Disabled state when receiving the BPDU, the physical interface remains up and spanning-tree drops packets in the hardware after a BPDU violation. BPDUs are dropped in the software after receiving the BPDU violation. This feature is the same as PortFast mode in spanning tree.

CAUTION: Configure EdgePort only on links connecting to an end station.
Figure 113. PVST+ with Extend System ID

• Augment the bridge ID with the VLAN ID.
  PROTOCOL PVST mode
  extend system-id

DellEMC(conf-pvst)#do show spanning-tree pvst vlan 5 brief
VLAN 5
 Executing IEEE compatible Spanning Tree Protocol
  Root ID    Priority 32773, Address 0001.e832.73f7
  Root Bridge hello time 2, max age 20, forward delay 15
  Bridge ID  Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.
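Two points from this chapter are worth seeing in code: with extend system-id the VLAN ID is added to the configured bridge priority (32768 + 5 = 32773 in the output above), and because each VLAN elects its own root, a per-VLAN setting such as vlan 100 bridge-priority 4096 changes the root for that VLAN only. The following is an added example, not Dell EMC Networking OS code. The first bridge MAC is the one shown in this chapter's show output; the second MAC and R2's per-VLAN priority are constructed. Election here compares bridge IDs only (lowest priority, then lowest MAC), which is how the root bridge itself is chosen; port costs, which decide the forwarding ports once the root is known, are not modelled.

```python
"""Per-VLAN bridge priority and root election in PVST+ (added example, not Dell EMC code)."""


def bridge_priority(configured, vlan_id, extend_system_id=True):
    """Effective priority field: the configured priority plus the VLAN ID when extend
    system-id is on. The 12-bit VLAN ID occupies the low bits of the 16-bit field,
    which is why the configured value must be a multiple of 4096."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    return configured + vlan_id if extend_system_id else configured


def bridge_id(mac, configured, vlan_id, extend_system_id=True):
    """Comparable bridge ID: (priority, MAC as an integer); the lower tuple wins."""
    return (bridge_priority(configured, vlan_id, extend_system_id),
            int(mac.replace(".", ""), 16))


def elect_root(bridges, vlan_id, default_priority=32768):
    """bridges: {name: (mac, {vlan: configured priority})}. Returns the root bridge
    for vlan_id; bridges without a per-VLAN setting use the default priority."""
    return min(
        bridges,
        key=lambda name: bridge_id(bridges[name][0],
                                   bridges[name][1].get(vlan_id, default_priority),
                                   vlan_id),
    )


BRIDGES = {
    # R1 carries 'vlan 100 bridge-priority 4096' as in the configuration shown above.
    "R1": ("0001.e80d.b6d6", {100: 4096}),
    # R2 is constructed: it is preferred for VLAN 200 and left at the default elsewhere.
    "R2": ("0001.e832.73f7", {200: 4096}),
}

if __name__ == "__main__":
    print("VLAN 5 priority with extend system-id:", bridge_priority(32768, 5))
    for vlan in (100, 200, 300):
        print(f"VLAN {vlan}: root is {elect_root(BRIDGES, vlan)}")
```

VLAN 100 and VLAN 200 end up with different roots, which is the per-VLAN topology the chapter describes; VLAN 300, where both bridges keep the default priority, falls back to the lower MAC address, so a bridge that should never become root for a VLAN needs an explicit higher priority rather than relying on the default.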
!
interface Vlan 300
 no ip address
 tagged TenGigabitEthernet 1/22,32
 no shutdown
!
protocol spanning-tree pvst
 no disable
 vlan 100 bridge-priority 4096

Example of PVST+ Configuration (R2)

interface TenGigabitEthernet 2/12
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet 2/32
 no ip address
 switchport
 no shutdown
!
interface Vlan 100
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 200
 no ip address
 tagged TenGigabitEthernet 2/12,32
 no shutdown
!
interface Vlan 3
44 Quality of Service (QoS)

This chapter describes how to use and configure Quality of Service (QoS) features on the switch. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues.

Table 74.
Feature                              Direction
Specify an Aggregate QoS Policy      Egress
Create Output Policy Maps            Egress
Enabling QoS Rate Adjustment
Enabling Strict-Priority Queueing
Weighted Random Early Detection      Egress
Create WRED Profiles                 Egress
Figure 114.
• Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
• Sample configuration to mark non-ecn packets as “yellow” with single traffic class
• Enabling Buffer Statistics Tracking
Implementation Information
The Dell EMC Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication.
Honoring dot1p Priorities on Ingress Traffic By default, Dell EMC Networking OS does not honor dot1p priorities on ingress traffic. You can configure this feature on physical interfaces and port-channels, but you cannot configure it on individual interfaces in a port channel. You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries.
• Apply rate shaping to a queue.
  QoS Policy mode
  rate-shape

DellEMC#configure terminal
DellEMC(conf)#interface tengigabitethernet 1/1
DellEMC(conf-if-te-1/1)#rate shape 500 50
DellEMC(conf-if-te-1/1)#end

Policy-Based QoS Configurations
Policy-based QoS configurations consist of the components shown in the following example.
Figure 115.
Creating a Layer 3 Class Map
A Layer 3 class map differentiates ingress packets based on the DSCP value or IP precedence, and on characteristics defined in an IP ACL. You can also use VLAN IDs and VRF IDs to classify the traffic using Layer 3 class maps. You may specify more than one DSCP and IP precedence value; only one value needs to match to trigger a positive match for the class map.
NOTE: IPv6 and IP-any class maps cannot match on ACLs or VLANs.
Use step 1 or step 2 to start creating a Layer 3 class map.
Creating a Layer 2 Class Map
All class maps are Layer 3 by default; however, you can create a Layer 2 class map by specifying the layer2 option with the class-map command. A Layer 2 class map differentiates traffic according to 802.1p value and/or VLAN and/or characteristics defined in a MAC ACL. Use Step 1 or Step 2 to start creating a Layer 2 class map.
1. Create a match-any class map.
   CONFIGURATION mode
   class-map match-any
2. Create a match-all class map.
   CONFIGURATION mode
   class-map match-all
3.
class-map match-any ClassAF1
 match ip access-group AF1-FB1 set-ip-dscp 10
 match ip access-group AF1-FB2 set-ip-dscp 12
 match ip dscp 10 set-ip-dscp 14
 match ipv6 dscp 20 set-ip-dscp 14
!
class-map match-all ClassAF2
 match ip access-group AF2
 match ip dscp 18

DellEMC#show running-config ACL
!
ip access-list extended AF1-FB1
 seq 5 permit ip host 23.64.0.2 any
 seq 10 deny ip any any
!
ip access-list extended AF1-FB2
 seq 5 permit ip host 23.64.0.
NOTE: When changing a service-queue configuration in a QoS policy map, all QoS rules are deleted and re-added automatically to ensure that the order of the rules is maintained. As a result, the Matched Packets value shown in the show qos statistics command is reset.
NOTE: To avoid issues caused by misconfiguration, Dell EMC Networking recommends configuring either DCBX or egress QoS features, but not both simultaneously.
The following table lists the default bandwidth weights for each queue and their equivalent percentage, which is derived by dividing the bandwidth weight by the sum of all queue weights.
Table 76. Default Bandwidth Weights
Queue   Default Bandwidth Percentage for 4-Queue System   Default Bandwidth Percentage for 8-Queue System
0       6.67%                                             1%
1       13.33%                                            2%
2       26.67%                                            3%
3       53.33%                                            4%
4       -                                                 5%
5       -                                                 10%
6       -                                                 25%
7       -                                                 50%
NOTE: The system supports 8 data queues.
POLICY-MAP-IN mode
service-queue
Applying an Input QoS Policy to an Input Policy Map
To apply an input QoS policy to an input policy map, use the following command.
• Apply an input QoS policy to an input policy map.
  POLICY-MAP-IN mode
  policy-service-queue qos-policy
Honoring DSCP Values on Ingress Packets
Dell EMC Networking OS provides the ability to honor DSCP values on ingress packets using the Trust DSCP feature.
• Enable the trust dot1p feature.
  POLICY-MAP-IN mode
  trust dot1p
Mapping dot1p Values to Service Queues
All traffic is by default mapped to the same queue, Queue 0. If you honor dot1p on ingress, you can create service classes based on the queueing strategy in Honoring dot1p Values on Ingress Packets. You may apply this queuing strategy globally by entering the following command from CONFIGURATION mode.
service-queue
Specifying an Aggregate QoS Policy
To specify an aggregate QoS policy, use the following command.
• Specify an aggregate QoS policy.
  POLICY-MAP-OUT mode
  policy-aggregate
Applying an Output Policy Map to an Interface
To apply an output policy map to an interface, use the following command.
• Apply an output policy map to an interface.
  INTERFACE mode
  service-policy output
You can apply the same policy map to multiple interfaces, and you can modify a policy map after you apply it.
The following example creates a DSCP color map profile and a color-awareness policy, and applies it to interface 1/11.
Create the DSCP color map profile, bat-enclave-map, with a yellow drop precedence, and set the DSCP values to 9,10,11,13,15,16.
DellEMC(conf)# qos dscp-color-map bat-enclave-map
DellEMC(conf-dscp-color-map)# dscp yellow 9,10,11,13,15,16
DellEMC(conf-dscp-color-map)# exit
Assign the color map, bat-enclave-map, to the interface.
 yellow 4,7
 red 20,30
Enabling QoS Rate Adjustment
By default, while rate limiting, policing, and shaping, Dell EMC Networking OS does not include the Preamble, SFD, or IFG fields. These fields are overhead; only the fields from the MAC destination address to the CRC are used for forwarding and are included in these rate metering calculations.
maximum threshold, for example, 2000KB, is reached, all incoming packets are dropped until the queue's buffer usage for the specified traffic falls below 2000KB again.
Figure 116. Packet Drop Rate for WRED
You can create a custom WRED profile or use one of the five pre-defined profiles.
Table 79.
• If you do not configure Dell EMC Networking OS to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence.
• Assign a WRED profile to either yellow or green traffic.
  QOS-POLICY-OUT mode
  wred
Displaying Default and Configured WRED Profiles
To display the default and configured WRED profiles, use the following command.
• Display default and configured WRED profiles and their threshold values.
writes as many entries as possible, and then generates a CAM-full error message (shown in the following example). The partial policy-map configuration might cause unintentional system behavior.
With ECN, packets that WRED would otherwise drop are instead marked and still delivered; the mark signals the endpoints to reduce their sending rate until the network recovers from the heavy-traffic state to an optimal load. In this manner, enhanced performance and throughput are achieved. Also, the devices can respond to congestion before a queue overflows and packets are dropped, enabling improved queue management. When a packet reaches the device with ECN enabled for WRED, the average queue size is computed. To measure the average queue size, a weight factor is used.
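To make the averaging and the marking decision concrete, the following Python models one queue with WRED thresholds and ECN marking. It is an added example, not Dell EMC Networking OS code: the average queue size is an exponentially weighted moving average whose weight is 2 to the power of minus a configured exponent (the exponent form is this example's assumption), non-ECN packets are dropped and ECN-capable packets are marked with a probability that ramps from zero at the minimum threshold to the maximum drop rate at the maximum threshold, and everything is tail dropped once the average exceeds the maximum threshold, as described above.

```python
import random
from typing import Callable


class WredEcnQueue:
    """One egress queue with WRED thresholds and ECN marking (added example,
    not Dell EMC Networking OS code). Thresholds and depth share one unit
    (bytes here; the guide's example uses KB). weight_exponent n gives an
    EWMA weight of 2**-n: the larger n is, the less a short burst moves the
    average queue size, which is the 'weight factor' the text refers to."""

    def __init__(self, min_threshold: int, max_threshold: int,
                 max_drop_rate: float = 1.0, weight_exponent: int = 9,
                 uniform: Callable[[], float] = random.random) -> None:
        if not 0 <= min_threshold < max_threshold:
            raise ValueError("need 0 <= min_threshold < max_threshold")
        self.min_t, self.max_t = min_threshold, max_threshold
        self.max_drop_rate = max_drop_rate
        self.w = 2.0 ** -weight_exponent
        self.uniform = uniform      # injectable so tests can be deterministic
        self.depth = 0              # instantaneous occupancy
        self.avg = 0.0              # weighted average occupancy

    def update_average(self) -> float:
        """avg <- avg + w * (depth - avg): the EWMA controlled by the weight factor."""
        self.avg += self.w * (self.depth - self.avg)
        return self.avg

    def drop_probability(self) -> float:
        """0 below min_threshold, max_drop_rate at max_threshold, linear between."""
        if self.avg < self.min_t:
            return 0.0
        if self.avg >= self.max_t:
            return 1.0
        return self.max_drop_rate * (self.avg - self.min_t) / (self.max_t - self.min_t)

    def offer(self, size: int, ecn_capable: bool) -> str:
        """Decide the fate of an arriving packet: 'enqueue', 'mark' (CE set and
        enqueued) or 'drop'. Above max_threshold everything is tail dropped,
        ECN-capable or not."""
        self.update_average()
        if self.avg >= self.max_t:
            return "drop"
        p = self.drop_probability()
        if p > 0.0 and self.uniform() < p:
            if not ecn_capable:
                return "drop"
            verdict = "mark"
        else:
            verdict = "enqueue"
        self.depth += size
        return verdict

    def dequeue(self, size: int) -> None:
        """Transmit `size` bytes from the queue."""
        self.depth = max(0, self.depth - size)
```

With the exponent set to 0 the average tracks the instantaneous depth, which is the easiest way to see the ramp; with the default exponent of 9 a burst of 5000 bytes into an empty queue moves the average by under 10 bytes on the first sample, which is why a large weight factor makes WRED tolerate bursts and react only to sustained congestion.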
Queue Configuration   Service-Pool Configuration   WRED Threshold Relationship   Expected Functionality
(Q threshold = Q-T, Service pool threshold = SP-T)
1                     X                            Q-T < SP-T                    ECN marking up to the shared buffer limit of the service pool, and then packets are tail dropped.
                                                   SP-T < Q-T                    Same as above, but ECN marking starts above SP-T.
Configuring WRED and ECN Attributes
The functionality to configure a weight factor for the WRED and ECN functionality for backplane ports is supported on the platform.
• Because this functionality forcibly marks all packets matching the specific match criteria as ‘yellow’, Dell EMC Networking OS does not support policer-based coloring and this feature concurrently.
• If a single-rate two-color policer is configured along with this feature, then by default all packets below the PIR are considered ‘Green’.
• However, ‘Green’ packets matching the specific match criteria for which ‘color-marking’ is configured are overwritten and marked as ‘Yellow’.
As a part of this feature, the 2-bit ECN field of the IPv4 packet is also available as a match qualifier, so the entire 8-bit ToS field of the IPv4 header can be used to classify traffic. Dell EMC Networking OS Release 9.3(0.0) supports the following QoS actions in ingress policy-based QoS:
1. Rate policing
2. Queuing
3. Marking
For Layer 3 routed packets, DSCP marking is the only marking action supported in the software.
Sample configuration to mark non-ecn packets as “yellow” with single traffic class
Consider the use case where packets with DSCP value 40 need to be enqueued in queue 2 and packets with DSCP value 50 need to be enqueued in queue 3, and all packets with an ECN value of 0 must be marked ‘yellow’. This requirement can be achieved using either of the two following approaches.
 service-queue 2 class-map class_dscp_40
 service-queue 3 class-map class_dscp_50

Applying Layer 2 Match Criteria on a Layer 3 Interface
To process Layer 3 packets that contain a dot1p (IEEE 802.1p) VLAN Layer 2 header, configure VLAN tags on a Layer 3 port interface that is configured with an IP address but has no VLAN associated with it. You can also configure a VLAN sub-interface on the port interface and apply a policy map that classifies packets using the dot1p VLAN ID.
Dell(conf-qos-policy-in)#set ip-dscp 5
6. Create an input policy map.
   CONFIGURATION mode
   Dell(conf)#policy-map-input pp_policmap
7. Create a service queue to associate the class map and QoS policy map.
• SYN
• PSH
• RST
• URG
You can now use the ‘ecn’ match qualifier along with the above TCP flags for classification.
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class
Consider the example where there are no separate traffic classes, that is, all packets egress on the default ‘queue0’. Dell EMC Networking OS can be configured as below to mark the non-ECN packets as yellow.
!
ip access-list standard dscp_40_ecn
 seq 5 permit any dscp 40 ecn 1
 seq 10 permit any dscp 40 ecn 2
 seq 15 permit any dscp 40 ecn 3
!
ip access-list standard dscp_50_non_ecn
 seq 5 permit any dscp 50 ecn 0
!
ip access-list standard dscp_40_non_ecn
 seq 5 permit any dscp 40 ecn 0
!
class-map match-any class_dscp_40
 match ip access-group dscp_40_non_ecn set-color yellow
 match ip access-group dscp_40_ecn
!
class-map match-any class_dscp_50
 match ip access-group dscp_50_non_ecn set-color yellow
 match ip access-g
---------------------------------------
MCAST      3      0
Unit 1 unit: 3 port: 13 (interface Fo 1/156)
---------------------------------------
Q# TYPE    Q#     TOTAL BUFFERED CELLS
---------------------------------------
MCAST      3      0
Unit 1 unit: 3 port: 17 (interface Fo 1/160)
---------------------------------------
Q# TYPE    Q#     TOTAL BUFFERED CELLS
---------------------------------------
MCAST      3      0
Unit 1 unit: 3 port: 21 (interface Fo 1/164)
---------------------------------------
Q# TYPE    Q#     TOTAL BUFFERED CELLS
---------------------------------------
MCAST      6      0
MCAST      7      0
MCAST      8      0
45 Routing Information Protocol (RIP)
The Routing Information Protocol (RIP) is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter.
Feature                Default
Transmit               RIPv1
RIP timers             update timer = 30 seconds
                       invalid timer = 180 seconds
                       holddown timer = 180 secon
                       flush timer = 240 seconds
Auto summarization     Enabled
ECMP paths supported   16
Configuration Information
By default, RIP is disabled in Dell EMC Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
 network 10.0.0.0
DellEMC(conf-router_rip)#
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes.
DellEMC#show ip rip database
Total number of routes in RIP database: 978
160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/49
160.160.0.0/16 auto-summary
2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
2.0.0.0/8 auto-summary
4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
4.0.0.0/8 auto-summary
8.0.0.0/8 [120/1] via 29.10.10.
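The database output above is what an operator audits when a router starts learning routes it should not. The following Python, added here as an example and not part of this guide or of Dell EMC Networking OS, parses lines in the show ip rip database format and flags routes learned from gateways outside an allowlist, a default route nobody is expected to originate, and unreachable (metric 16) entries. The sample output and the trusted-gateway set are constructed for the example.

```python
"""Parse `show ip rip database` output and flag routes learned from gateways
that are not on an allowlist. Added example, not Dell EMC Networking OS code."""
import re
from typing import List, NamedTuple, Set

# Constructed sample in the guide's output format; the 0.0.0.0/0 entry via
# 10.0.0.99 stands in for a default route injected by an untrusted peer.
SAMPLE_OUTPUT = """\
Total number of routes in RIP database: 5
160.160.0.0/16  [120/1] via 29.10.10.12, 00:00:26, Fa 1/49
160.160.0.0/16  auto-summary
2.0.0.0/8       [120/1] via 29.10.10.12, 00:01:22, Fa 1/49
2.0.0.0/8       auto-summary
0.0.0.0/0       [120/3] via 10.0.0.99, 00:00:05, Te 1/3
"""

# <prefix> [<admin-distance>/<metric>] via <gateway>, <hh:mm:ss>, <interface>
ROUTE_RE = re.compile(
    r"^(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+"
    r"(?P<gateway>[^,]+),\s+(?P<age>\d{2}:\d{2}:\d{2}),\s+(?P<iface>.+)$"
)


class RipRoute(NamedTuple):
    prefix: str
    admin_distance: int
    metric: int
    gateway: str
    age_seconds: int
    interface: str


def parse_rip_database(text: str) -> List[RipRoute]:
    """Return one RipRoute per learned route; header and auto-summary lines are skipped."""
    routes: List[RipRoute] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        h, mnt, s = (int(x) for x in m["age"].split(":"))
        routes.append(RipRoute(m["prefix"], int(m["ad"]), int(m["metric"]),
                               m["gateway"], h * 3600 + mnt * 60 + s,
                               m["iface"].strip()))
    return routes


def suspicious_routes(routes: List[RipRoute], trusted_gateways: Set[str],
                      allow_default: bool = False) -> List[RipRoute]:
    """Routes worth an operator's attention: learned from an unlisted gateway,
    a default route nobody is expected to originate, or an unreachable
    (metric 16) entry still lingering in the database."""
    return [r for r in routes
            if r.gateway not in trusted_gateways
            or (r.prefix == "0.0.0.0/0" and not allow_default)
            or r.metric >= 16]


if __name__ == "__main__":
    for r in suspicious_routes(parse_rip_database(SAMPLE_OUTPUT), {"29.10.10.12"}):
        print(f"suspect: {r.prefix} via {r.gateway} on {r.interface} (metric {r.metric})")
```

Run against a saved capture of the command output, the check reduces to maintaining the set of RIP neighbors you expect on each segment; because RIPv1 and unauthenticated RIPv2 accept updates from any host on the link, a new gateway appearing here is the first visible sign of route injection.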
Assigning a Prefix List to RIP Routes Another method of controlling RIP (or any routing protocol) routing information is to filter the information through a prefix list. A prefix list is applied to incoming or outgoing routes. Those routes must meet the conditions of the prefix list; if not, Dell EMC Networking OS drops the route. Prefix lists are globally applied on all interfaces running RIP. Configure the prefix list in PREFIX LIST mode prior to assigning it to the RIP process.
• ROUTER RIP mode
  version {1 | 2}
• Set the RIP versions received on that interface.
  INTERFACE mode
  ip rip receive version [1] [2]
• Set the RIP versions sent out on that interface.
  INTERFACE mode
  ip rip send version [1] [2]
To see whether the version command is configured, use the show config command in ROUTER RIP mode. The following example shows the RIP configuration after the ROUTER RIP mode version command is set to RIPv2.
DellEMC#
Generating a Default Route
Traffic is forwarded to the default route when the traffic’s network is not explicitly listed in the routing table. Default routes are not enabled in RIP unless specified. Use the default-information originate command in ROUTER RIP mode to generate a default route into RIP. In Dell EMC Networking OS, default routes received in RIP updates from other routers are advertised if you configure the default-information originate command.
• offset: the range is from 0 to 16.
• interface: the type, slot, and number of an interface.
To view the configuration changes, use the show config command in ROUTER RIP mode.
Debugging RIP
The debug ip rip command enables RIP debugging. When you enable debugging, you can view information on RIP protocol changes or RIP routes. To enable RIP debugging, use the following command.
• Enable debugging of RIP.
  EXEC Privilege mode
  debug ip rip [interface | database | events | trigger]
 network 10.0.0.0
 version 2
Core2(conf-router_rip)#
Core 2 RIP Output
The examples in this section show the Core 2 RIP output.
• To display the Core 2 RIP database, use the show ip rip database command.
• To display the Core 2 RIP setup, use the show ip route command.
• To display Core 2 RIP activity, use the show ip protocols command.
The following example shows the show ip rip database command used to view the learned RIP routes on Core 2.
Outgoing filter for all interfaces is
Incoming filter for all interfaces is
Default redistribution metric is 1
Default version control: receive version 2, send version 2
  Interface                  Recv  Send
  TenGigabitEthernet 2/4      2     2
  TenGigabitEthernet 2/5      2     2
  TenGigabitEthernet 2/3      2     2
  TenGigabitEthernet 2/11     2     2
Routing for Networks:
  10.300.10.0
  10.200.10.0
  10.11.20.0
  10.11.10.0
Routing Information Sources:
  Gateway        Distance   Last Update
  10.11.20.
The following example shows the show ip route command used to view the RIP setup on Core 3.
 no shutdown
!
interface TenGigabitEthernet 2/5
 ip address 10.250.10.1/24
 no shutdown
router rip
 version 2
 10.200.10.0
 10.300.10.0
 10.11.10.0
 10.11.20.0
The following example shows the RIP configuration on Core 3.
!
interface TenGigabitEthernet 3/1
 ip address 10.11.30.1/24
 no shutdown
!
interface TenGigabitEthernet 3/2
 ip address 10.11.20.1/24
 no shutdown
!
interface TenGigabitEthernet 3/4
 ip address 192.168.1.1/24
 no shutdown
!
interface TenGigabitEthernet 3/5
 ip address 192.168.2.
46 Remote Monitoring (RMON) RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell EMC Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment. RMON monitors traffic passing through the router and segment traffic not destined for the router.
[no] rmon hc-alarm number variable interval {delta | absolute} rising-threshold value event-number falling-threshold value event-number [owner string]
Configure the alarm using the following parameters:
• number: alarm number, an integer from 1 to 65,535; the value must be unique in the RMON Alarm Table.
• variable: the MIB object to monitor. The variable must be in SNMP OID format; for example, 1.3.6.1.2.1.1.3.
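The rising-threshold/falling-threshold pair above behaves as an alarm with hysteresis, which is what keeps a counter hovering around a threshold from raising an event on every sample. The following Python, an added example that is not Dell EMC Networking OS code, implements that behaviour for both absolute and delta sampling in the manner the RMON alarm group (RFC 2819) describes; the OIDs and sample values used with it are constructed for the example.

```python
from typing import Optional


class RmonAlarm:
    """Rising/falling threshold alarm with the hysteresis of the RMON alarm
    group (RFC 2819): after a rising event fires, no further rising event is
    generated until the falling threshold has been crossed, and vice versa.
    Added example, not Dell EMC Networking OS code. `interval` is recorded
    only; the caller is expected to call sample() once per interval."""

    def __init__(self, number: int, variable: str, interval: int, sample_type: str,
                 rising_threshold: int, rising_event: int,
                 falling_threshold: int, falling_event: int,
                 startup: str = "rising-or-falling") -> None:
        if sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if falling_threshold > rising_threshold:
            raise ValueError("falling threshold must not exceed the rising threshold")
        self.number, self.variable, self.interval = number, variable, interval
        self.sample_type = sample_type
        self.rising, self.rising_event = rising_threshold, rising_event
        self.falling, self.falling_event = falling_threshold, falling_event
        self.last_sample: Optional[int] = None
        # Which edge may fire first, in the manner of RFC 2819's alarmStartupAlarm.
        self.rising_armed = startup in ("rising", "rising-or-falling")
        self.falling_armed = startup in ("falling", "rising-or-falling")

    def sample(self, value: int) -> Optional[int]:
        """Feed one sample of the monitored variable (hc-alarm works on 64-bit
        counters, so counter wrap is ignored here); return the event number to
        trigger, or None when no reportable threshold crossing occurred."""
        if self.sample_type == "delta":
            if self.last_sample is None:      # first sample only establishes the baseline
                self.last_sample = value
                return None
            v, self.last_sample = value - self.last_sample, value
        else:
            v = value
        if v >= self.rising and self.rising_armed:
            self.rising_armed, self.falling_armed = False, True
            return self.rising_event
        if v <= self.falling and self.falling_armed:
            self.falling_armed, self.rising_armed = False, True
            return self.falling_event
        return None
```

A delta alarm on an interface error counter (ifInErrors, 1.3.6.1.2.1.2.2.1.14.<ifIndex>, used in the test as an assumed OID) is the usual shape: the first sample establishes the baseline, a jump of errors above the rising threshold fires once, and the alarm stays quiet until the error rate drops back below the falling threshold.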
Configuring RMON Collection Statistics
To enable RMON MIB statistics collection on an interface, use the rmon collection statistics command in INTERFACE CONFIGURATION mode.
• Enable RMON MIB statistics collection.
  CONFIGURATION INTERFACE (config-if) mode
  [no] rmon collection statistics {controlEntry integer} [owner ownername]
  • controlEntry: specifies the RMON group of statistics using a value.
  • integer: a value from 1 to 65,535 that identifies the RMON Statistics Table.
47 Rapid Spanning Tree Protocol (RSTP) Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell EMC Networking OS supports three other variations of spanning tree, as shown in the following table. Table 82.
RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire Layer 2 network, which can cause a network-wide flush of learned media access control (MAC) and address resolution protocol (ARP) addresses, requiring these addresses to be re-learned.
To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The no disable line indicates that RSTP is enabled.
DellEMC(conf-rstp)#show config
!
protocol spanning-tree rstp
 no disable
DellEMC(conf-rstp)#
Figure 118. Rapid Spanning Tree Enabled Globally
To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
  The port is not in the Edge port mode
Port 379 (TenGigabitEthernet 2/3) is designated Forwarding
  Port path cost 20000, Port priority 128, Port Identifier 128.379
  Designated root has priority 32768, address 0001.e801.cbb4
  Designated bridge has priority 32768, address 0001.e801.cbb4
  Designated port id is 128.
NOTE: Dell EMC Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively affect network performance. The following table displays the default values for RSTP. Table 83.
Modifying Interface Parameters
On interfaces in Layer 2 mode, you can set the port cost and port priority values.
• Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port.
• Port priority — influences the likelihood that a port is selected to be a forwarding port in case several ports have the same port cost.
shut down when it receives a BPDU. When only bpduguard is implemented, the interface is placed in an Error Disabled state when it receives a BPDU, but the physical interface remains up; spanning tree drops packets in hardware after the BPDU violation, and BPDUs themselves are dropped in software. This feature is the same as PortFast mode in Spanning Tree.
CAUTION: Configure EdgePort only on links connecting to an end station.
NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time is 1 second, which is encoded as 256. Millisecond hello times are encoded using values less than 256; the encoded value of an x-millisecond hello time equals (x/1000)*256. When you configure millisecond hellos, the default hello interval of 2 seconds is still used for edge ports; the millisecond hello interval is not used there.
48 Software-Defined Networking (SDN)
49 Security This chapter describes several ways to provide security to the Dell EMC Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell EMC Networking OS Command Reference Guide.
aaa accounting {commands level | dot1x | exec | rest | suppress | system} {default | name} {start-stop | wait-start | stop-only} {radius | tacacs+}
The variables are:
• system: sends accounting information for any other AAA configuration.
• exec: sends accounting information when a user has logged in to EXEC mode.
• dot1x: sends accounting information when a dot1x user has logged in to EXEC mode.
• commands level: sends accounting of commands executed at the specified privilege level.
Monitoring AAA Accounting
Dell EMC Networking OS does not support periodic interim accounting because the periodic command can cause heavy congestion when many users are logged in to the network. No specific show command exists for TACACS+ accounting. To obtain accounting records displaying information about users currently logged in, use the following command.
• Step through all active sessions and print all the accounting records for the actively accounted functions.
Acct-Multi-Session-Id = "1e-3c-39-b3-00-00-00-11-33-44-77-88-6c-b3-d5-5cc"
Acct-Status-Type = Start
Event-Timestamp = "May 10 2019 12:20:43 CDT"
Tmp-String-9 = "ai:"
Acct-Unique-Session-Id = "2d6c5beef615d18fa21bbde29411f6d5"
Timestamp = 1557508843

EAP STOP accounting record:
Fri May 10 12:22:15 2019
NAS-IP-Address = 10.16.133.
RADIUS Accounting attributes
The following tables describe the attributes that identify the supplicant sessions:
Table 84. RADIUS Accounting Start Record Attributes for CLI user
RADIUS Attribute code   RADIUS Attribute    Description
NAS Identification Attributes
4                       NAS-IP-Address      IPv4 address of the NAS.
95                      NAS-IPv6-Address    IPv6 address of the NAS.
Session Identification Attributes
1                       User-Name           User name.
5                       NAS-Port            Port on which the session is connected (CLI Session-Id).
CLI event                                                   Accounting type   Attributes
CLI user session disconnects due to Dynamic authorization   Stop              Stop record attributes with termination cause Admin Reset (6).
Table 87. RADIUS Accounting Start Record Attributes for dot1x supplicant
RADIUS Attribute code   RADIUS Attribute    Description
4                       NAS-IP-Address      IPv4 address of the NAS.
95                      NAS-IPv6-Address    IPv6 address of the NAS.
RADIUS Attribute code   RADIUS Attribute       Description
51                      Acct-Link-Count        1
46                      Acct-Session-Time      Time the user has received the service.
49                      Acct-Terminate-Cause   Reason for session termination.
61                      NAS-Port-Type          Ethernet
NOTE: During administrator-initiated reload and system failover events, the accounting Stop records for the 802.1x authorized supplicants are not sent to the RADIUS server.
Table 89.
AAA Authentication Dell EMC Networking OS supports a distributed client/server system implemented through authentication, authorization, and accounting (AAA) to help secure networks against unauthorized access.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [... end-number]}
3. Assign a method-list-name or the default list to the terminal line.
LINE mode
login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config command in EXEC Privilege mode.
NOTE: Dell EMC Networking recommends using the none method only as a backup. This method does not authenticate users. The none and enable methods do not work with secure shell (SSH).
Server-Side Configuration
Using AAA authentication, the switch acts as a RADIUS or TACACS+ client to send authentication requests to a TACACS+ or RADIUS server.
• TACACS+ — When using TACACS+, Dell EMC Networking sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password. The TACACS+ server must have an entry for username $enable$.
If you are using role-based access control (RBAC), only the system administrator and security administrator roles can enable the service obscure-passwords command. To enable the obscuring of passwords and keys, use the following command.
• Turn on the obscuring of passwords and keys in the configuration.
  CONFIGURATION mode
  service obscure-passwords
Example of Obscuring Passwords and Keys
DellEMC(config)# service obscure-passwords
AAA Authorization
Dell EMC Networking OS enables AAA new-model by default.
Configuring a Username and Password
In Dell EMC Networking OS, you can assign a specific username to limit user access to the system. To configure a username and password, use the following command.
• Assign a user name and password.
  CONFIGURATION mode
  username name [access-class access-list-name] [nopassword | password [encryption-type] password] [privilege level] [secret]
Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
Configure the optional and required parameters:
• name: Enter a text string up to 63 characters long.
• access-class access-list-name: Restrict access by access class.
• privilege level: The range is from 0 to 15.
• nopassword: No password is required for the user to log in.
• encryption-type: Enter 0 for plain text or 7 for encrypted text.
• password: Enter a string. Specify the password for the user.
• secret: Specify the secret for the user.
2. Configure a password for the privilege level.
The following example shows the Telnet session for user john. The show privilege command output confirms that john is in privilege level 8. In EXEC Privilege mode, john can access only the commands listed. In CONFIGURATION mode, john can access only the snmp-server commands.
apollo% telnet 172.31.1.53
Trying 172.31.1.53...
Connected to 172.31.1.53.
Escape character is '^]'.
If you enter disable without a level-number, your security level is 1.
RADIUS
Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell EMC Networking system). The system sends user information to the RADIUS server and requests authentication of the user and password.
Auto-Command
You can configure the system through the RADIUS server to automatically execute a command when you connect to a specific line. The auto-command is executed when the user is authenticated and before the prompt appears to the user.
• Automatically execute a command.
  auto-command
Privilege Levels
Through the RADIUS server, you can configure a privilege level for the user to enter when they connect to a session. This value is configured on the client system.
• Set a privilege level.
• line {aux 0 | console 0 | vty number [end-number]}
• Enable AAA login authentication for the specified RADIUS method list.
  LINE mode
  login authentication {method-list-name | default}
This procedure is mandatory if you are not using default lists. To use the method list.
CONFIGURATION mode
radius-server retransmit retries
  • retries: the range is from 0 to 100. Default is 3 retries.
• Configure the time interval the system waits for a RADIUS server host response.
  CONFIGURATION mode
  radius-server timeout seconds
  • seconds: the range is from 0 to 1000. Default is 5 seconds.
To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode.
Support for Change of Authorization and Disconnect Messages packets The Network Access Server (NAS) uses RADIUS to authenticate AAA or dot1x user-access to the switch. The RADIUS service does not support unsolicited messages sent from the RADIUS server to the NAS. However, there are many instances in which it is desirable for changes to be made to session characteristics, without requiring the NAS to initiate the exchange.
Table 92. Session Identification Attributes
Attribute code   Attribute                          Description
31               Calling-Station-Id (MAC Address)   The link address from which the session is connected.
Table 93.
Radius Attribute code   Radius Attribute   Description                                                                                                         Mandatory
4                       NAS-IP-Address     IPv4 address of the NAS.                                                                                            No
95                      NAS-IPv6-Address   IPv6 address of the NAS.                                                                                            No
Session Identification Attributes
5                       NAS-Port           Port on which the session is terminated                                                                             Yes
Authorization Attributes
26                      Vendor-Specific    t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data="cmd=bounce-host-port"            Yes
Table 97.
Radius Attribute code   Radius Attribute   Description                                                                                                         Mandatory
5                       NAS-Port           Port on which the session is terminated                                                                             No
Authorization Attributes
26                      Vendor-Specific    t=26(vendor-specific);l=length;vendor-identification-attribute;Length=value; Data="cmd=disconnect-user"             Yes
Error-cause Values
It is possible that a Dynamic Authorization Server cannot honor Disconnect Message request or CoA request packets for some reason. The Error-Cause Attribute provides more detail on the cause of the problem.
• rejects a CoA-Request containing a NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a CoA-Nak; the Error-Cause value is “NAS Identification Mismatch” (403).
• responds with a CoA-Nak if it is configured to prohibit honoring of the corresponding CoA-Request messages; the Error-Cause value is “Administratively Prohibited” (501).
NOTE: The Administratively Prohibited Error-Cause is also applicable to the following scenarios:
• if the dot1x feature is not enabled on the NAS-port.
NOTE: Unsupported attributes are those that are not mentioned in RFC 5176 but are present in the disconnect message that the NAS receives.
• rejects a disconnect message containing a NAS-IP-Address or NAS-IPv6-Address attribute that does not match the NAS with a DM-Nak; the Error-Cause value is “NAS Identification Mismatch” (403).
• responds with a DM-Nak if the NAS is configured to prohibit honoring of disconnect messages; the Error-Cause value is “Administratively Prohibited” (501).
The NAS takes the following actions:
• validates the DM request and the session identification attributes.
• sends a DM-Nak with an error-cause of 402 (missing attribute) if the DM request does not contain the User-Name.
• sends a DM-Ack if it is able to successfully disconnect the admin user.
• sends a DM-Nak with an error-cause value of 506 (resource unavailable) if it is not able to disconnect the admin user.
The NAS re-initiates the user authentication state.
Dell(conf#)radius dynamic-auth
Dell(conf-dynamic-auth#)coa-reauthenticate
The NAS takes the following actions whenever re-authentication is triggered:
• validates the CoA request and the session identification attributes.
• sends a CoA-Nak with an error-cause of 402 (missing attribute) if the CoA request does not contain both the Calling-Station-Id and the NAS-Port attribute.
• sends a CoA-Ack if the re-authentication of the 802.
To initiate shutting down an 802.1x-enabled port, the DAC sends a standard CoA request that contains one or more session identification attributes. The NAS uses the NAS-Port attribute to identify the 802.1x-enabled physical port.
1. Enter the following command to configure the dynamic authorization feature:
   radius dynamic-auth
2. Enter the following command to disable the 802.1x-enabled physical port:
   coa-disable-port
The NAS administratively shuts down the 802.1x-enabled port that is hosting the session.
Rate-limiting RADIUS packets
NAS enables you to allow or reject RADIUS dynamic authorization packets based on the rate-limiting value that you specify. NAS lets you configure the number of RADIUS dynamic authorization packets allowed per minute. The default value is 30 packets per minute. NAS discards the packets if the number of RADIUS dynamic authorization packets in the current interval crosses the configured rate-limit value.
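The following Python model ties together the NAS behaviour described in the preceding sections: the per-minute rate limit on dynamic authorization packets, and the attribute checks that produce the RFC 5176 Error-Cause values 402, 403, 501 and 506. It is an added example, not Dell EMC Networking OS code; the Nas class, the attribute names used as dictionary keys, and the sliding-window reading of "current interval" are assumptions of this example.

```python
"""NAS-side model of RADIUS dynamic authorization handling (RFC 5176).

Added example, not Dell EMC Networking OS code. It models the decisions the
text describes: a per-minute rate limit on CoA/Disconnect packets (default
30) followed by the attribute checks that yield the listed Error-Cause
values. The Nas class, attribute names and the sliding-window interpretation
of "current interval" are assumptions of this example."""
from collections import deque

# Error-Cause values named in the text (RFC 5176, section 3.5)
MISSING_ATTRIBUTE = 402
NAS_IDENTIFICATION_MISMATCH = 403
ADMINISTRATIVELY_PROHIBITED = 501
RESOURCE_UNAVAILABLE = 506


class RateLimiter:
    """Counts dynamic-authorization packets in a sliding 60-second window."""

    def __init__(self, packets_per_minute=30):
        self.limit = packets_per_minute
        self.arrivals = deque()

    def allow(self, now):
        """Return True if the packet may be processed, False if it is discarded."""
        while self.arrivals and now - self.arrivals[0] >= 60:
            self.arrivals.popleft()
        if len(self.arrivals) >= self.limit:
            return False
        self.arrivals.append(now)
        return True


class Nas:
    """Minimal NAS state needed for the checks (assumed shape)."""

    def __init__(self, ipv4, ipv6=None, honor_coa=True, honor_disconnect=True,
                 dot1x_ports=(), rate_limit=30):
        self.addresses = {a for a in (ipv4, ipv6) if a}
        self.honor_coa = honor_coa
        self.honor_disconnect = honor_disconnect
        self.dot1x_ports = set(dot1x_ports)
        self.limiter = RateLimiter(rate_limit)

    def handle(self, kind, attrs, now, can_disconnect=True):
        """Process one request.

        kind is "CoA-Request" or "Disconnect-Request"; attrs maps RADIUS
        attribute names to values. Returns ("Ack", None), ("Nak", error_cause)
        or ("Discard", None) when the rate limit drops the packet.
        """
        if not self.limiter.allow(now):
            return ("Discard", None)
        # NAS identification attributes, when present, must name this NAS (403).
        for name in ("NAS-IP-Address", "NAS-IPv6-Address"):
            if name in attrs and attrs[name] not in self.addresses:
                return ("Nak", NAS_IDENTIFICATION_MISMATCH)
        if kind == "Disconnect-Request":
            if not self.honor_disconnect:
                return ("Nak", ADMINISTRATIVELY_PROHIBITED)
            if "User-Name" not in attrs:
                return ("Nak", MISSING_ATTRIBUTE)
            # 506 when the session cannot actually be torn down.
            return ("Ack", None) if can_disconnect else ("Nak", RESOURCE_UNAVAILABLE)
        if kind == "CoA-Request":
            if not self.honor_coa:
                return ("Nak", ADMINISTRATIVELY_PROHIBITED)
            # Re-authentication needs both Calling-Station-Id and NAS-Port (402).
            if "Calling-Station-Id" not in attrs or "NAS-Port" not in attrs:
                return ("Nak", MISSING_ATTRIBUTE)
            # dot1x not enabled on the named port is also "Administratively Prohibited".
            if attrs["NAS-Port"] not in self.dot1x_ports:
                return ("Nak", ADMINISTRATIVELY_PROHIBITED)
            return ("Ack", None)
        raise ValueError("unknown request kind: " + kind)


def demo():
    """Constructed requests exercising each outcome; returns the list of results."""
    nas = Nas("192.0.2.10", dot1x_ports={5, 6}, rate_limit=3)
    requests = [
        ("CoA-Request", {"NAS-IP-Address": "192.0.2.10",
                         "Calling-Station-Id": "00-11-22-33-44-55", "NAS-Port": 5}),
        ("CoA-Request", {"NAS-IP-Address": "198.51.100.1",
                         "Calling-Station-Id": "00-11-22-33-44-55", "NAS-Port": 5}),
        ("Disconnect-Request", {"NAS-IP-Address": "192.0.2.10"}),
        # fourth packet inside the same minute with a limit of 3: discarded
        ("CoA-Request", {"Calling-Station-Id": "00-11-22-33-44-55", "NAS-Port": 9}),
    ]
    return [nas.handle(kind, attrs, now=float(i)) for i, (kind, attrs) in enumerate(requests)]
```

Running demo() walks one accepted CoA, one NAS-identification mismatch, one disconnect missing its User-Name, and one packet dropped by the rate limit, which is the sequence a defender would expect to see reflected in the NAS logs.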
3. Enter LINE mode.
CONFIGURATION mode
line {aux 0 | console 0 | vty number [end-number]}
4. Assign the method-list to the terminal line.
LINE mode
login authentication {method-list-name | default}
To view the configuration, use the show config command in LINE mode or the show running-config tacacs+ command in EXEC Privilege mode. If authentication fails using the primary method, Dell EMC Networking OS employs the second method (or third method, if necessary) automatically.
system closes the Telnet session immediately. The following example demonstrates how to configure the access-class from a TACACS+ server. This configuration ignores the configured access-class on the VTY line. If you have configured a deny10 ACL on the TACACS+ server, the system downloads it and applies it. If the user is found to be coming from the 10.0.0.0 subnet, the system also immediately closes the Telnet connection. Note that no matter where the user is coming from, they see the login prompt.
Protection from TCP Tiny and Overlapping Fragment Attacks
A tiny and overlapping fragment attack is a class of attack in which configured ACL entries that deny TCP port-specific traffic are bypassed, so the traffic reaches its destination although the ACL denies it. RFC 1858 and RFC 3128 propose a countermeasure to this problem. This countermeasure is configured into the line cards and enabled by default.
CONFIGURATION MODE
ip ssh server port number
2. On Switch 1, enable SSH.
CONFIGURATION MODE
copy ssh server enable
3. On Switch 2, invoke SCP.
CONFIGURATION MODE
copy scp: flash:
4. On Switch 2, in response to prompts, enter the path to the desired file and enter the port number specified in Step 1.
EXEC Privilege Mode
5. On the chassis, invoke SCP.
To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval] [volume rekey-limit] command in CONFIGURATION mode. Configure the following parameters:
• rekey-interval: time-based rekey threshold for an SSH session. The range is from 10 to 1440 minutes. The default is 60 minutes.
• rekey-limit: volume-based rekey threshold for an SSH session. The range is from 1 to 4096 megabytes. The default is 1024 megabytes.
• hmac-md5
• hmac-md5-96
When FIPS is enabled, the default HMAC algorithm list is hmac-sha2-256,hmac-sha1,hmac-sha1-96.
Example of Configuring an HMAC Algorithm
The following example shows you how to configure an HMAC algorithm list.
DellEMC(conf)# ip ssh server mac hmac-sha1-96
Configuring the SSH Server Cipher List
To configure the cipher list supported by the SSH server, use the ip ssh server cipher cipher-list command in CONFIGURATION mode.
Secure Shell Authentication
Secure Shell (SSH) is enabled by default using the SSH Password Authentication method.
Enabling SSH Authentication by Password
Authenticate an SSH client by prompting for a password when attempting to connect to the Dell EMC Networking system. This setup is the simplest method of authentication and uses SSH version 2. To enable SSH password authentication, use the following command.
• Enable SSH password authentication.
Configuring Host-Based SSH Authentication
Authenticate a particular host. This method uses SSH version 2. To configure host-based authentication, use the following commands.
1. Configure RSA Authentication. Refer to Using RSA Authentication of SSH.
2. Create shosts by copying the public RSA key to the file shosts in the directory .ssh, and write the IP address of the host to the file.
cp /etc/ssh/ssh_host_rsa_key.pub /.ssh/shosts
Refer to the first example.
3.
ssh ip_address
DellEMC#ssh 10.16.127.201 ?
-c Encryption cipher to use (for v2 clients only)
-l User name option
-m HMAC algorithm to use (for v2 clients only)
-p SSH server port option (default 22)
-v SSH protocol version
Troubleshooting SSH
To troubleshoot SSH, use the following information.
You may not bind id_rsa.pub to RSA authentication while logged in via the console. In this case, this message displays:
%Error: No username set for this term.
VTY Line Local Authentication and Authorization retrieves the access class from the local database. To use this feature:
1. Create a username.
2. Enter a password.
3. Assign an access class.
4. Enter a privilege level.
You can assign line authentication on a per-VTY basis; it is a simple password authentication, using an access-class as authorization. Configure local authentication globally and configure access classes on a per-user basis.
To apply a MAC ACL on a VTY line, use the same access-class command as IP ACLs. The following example shows how to deny incoming connections from subnet 10.0.0.0 without displaying a login prompt.
For greater security, the ability to view event, audit, and security system log is associated with user roles. For information about these topics, see Audit and Security Logs. Privilege-or-Role Mode versus Role-only Mode By default, the system provides access to commands determined by the user’s role or by the user’s privilege level. The user’s role takes precedence over a user’s privilege level.
System-Defined RBAC User Roles
By default, the Dell EMC Networking OS provides 4 system defined user roles. You can create up to 8 additional user roles.
NOTE: You cannot delete any system defined roles.
The system defined user roles are as follows:
• Network Operator (netoperator) - This user role has no privilege to modify any configuration on the switch. You can access Exec mode (monitoring) to view the current configuration and status information.
Example of Creating a User Role
The configuration in the following example creates a new user role, myrole, which inherits the security administrator (secadmin) permissions.
Create a new user role, myrole, and inherit security administrator permissions.
DellEMC(conf)#userrole myrole inherit secadmin
Verify that the user role, myrole, has inherited the security administrator permissions.
The following example allows the security administrator (secadmin) to access Interface mode.
Adding and Deleting Users from a Role
To create a user name that is authenticated based on a user role, use the username name password encryption-type password role role-name command in CONFIGURATION mode.
Example
The following example creates a user name that is authenticated based on a user role.
DellEMC(conf)# username john password 0 password role secadmin
The following example deletes a user role.
To configure AAA authorization, use the aaa authorization exec command in CONFIGURATION mode. The aaa authorization exec command determines which CLI mode the user will start in for their session; for example, Exec mode or Exec Privilege mode. For information about how to configure authentication for roles, see Configure AAA Authentication for Roles.
authorization exec ucraaa
accounting commands role netadmin ucraaa
!
Configuring TACACS+ and RADIUS VSA Attributes for RBAC
For RBAC and privilege levels, the Dell EMC Networking OS RADIUS and TACACS+ implementation supports two vendor-specific options: privilege level and roles. The Dell EMC Networking vendor-ID is 6027, and the supported option is an attribute of type string, titled “Force10-avpair”.
Applying an Accounting Method to a Role
To apply an accounting method list to a role executed by a user with that user role, use the accounting command in LINE mode.
accounting {exec | commands {level | role role-name}} method-list
Example of Applying an Accounting Method to a Role
The following example applies the accounting default method to the user role secadmin (security administrator).
Role access: sysadmin
DellEMC#show role mode configure password-attributes
Role access: secadmin,sysadmin
DellEMC#show role mode configure interface
Role access: netadmin,sysadmin
DellEMC#show role mode configure line
Role access: netadmin,sysadmin
Displaying Information About Users Logged into the Switch
To display information on all users logged into the switch, use the show users command in EXEC Privilege mode. The output displays the privilege level and/or user role.
CONFIGURATION mode
ip ssh challenge-response-authentication enable
2. View the configuration.
EXEC mode
show ip ssh
DellEMC# show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
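The show ip ssh output above lists every cipher, MAC and key-exchange algorithm the server currently offers, and the earlier sections show the ip ssh server cipher and ip ssh server mac commands that narrow those lists. The following Python script, an added example rather than Dell EMC Networking OS code, parses that output (embedded here as a constructed copy) and reports the algorithms a hardening review would normally remove. The weak-algorithm policy and the space-separated list syntax in the suggested commands are assumptions of this example, not statements from the page.

```python
"""Check a 'show ip ssh' listing for legacy algorithms.

Added example, not Dell EMC Networking OS code. It parses the sample output
(embedded below as constructed text) and reports the algorithms a hardening
review would usually remove; the weak-algorithm sets are this example's
assumptions, not a list from the page."""
import re

# Constructed copy of the sample output shown on the page.
SAMPLE_SHOW_IP_SSH = """DellEMC# show ip ssh
SSH server : enabled.
SSH server version : v2.
SSH server vrf : default.
SSH server ciphers : aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc,3des-cbc.
SSH server macs : hmac-sha2-256,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96.
SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1.
"""

LIST_FIELDS = ("ciphers", "macs", "kex algorithms")
# "SSH server <field> : <value>." with an optional trailing full stop.
LINE_RE = re.compile(r"^SSH server\s*(.*?)\s*:\s*(.*?)\.?\s*$")

# Assumed review policy: CBC-mode ciphers, MD5 MACs and 1024-bit group1 DH.
WEAK = {
    "ciphers": lambda a: a.endswith("-cbc"),
    "macs": lambda a: a.startswith("hmac-md5"),
    "kex algorithms": lambda a: a == "diffie-hellman-group1-sha1",
}


def parse_show_ip_ssh(text):
    """Return a dict of fields; list-valued fields become lists of algorithm names."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # prompt lines and anything else
        key = m.group(1) or "status"
        value = m.group(2)
        if key in LIST_FIELDS:
            parsed[key] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            parsed[key] = value
    return parsed


def weak_algorithms(parsed):
    """Return [(field, algorithm), ...] for every algorithm matching the policy."""
    return [(field, alg) for field in LIST_FIELDS
            for alg in parsed.get(field, []) if WEAK[field](alg)]


def hardened_lists(parsed):
    """Return the cipher and MAC lists with the weak entries removed."""
    return {field: [alg for alg in parsed.get(field, []) if not WEAK[field](alg)]
            for field in ("ciphers", "macs")}


def suggested_commands(parsed):
    """CONFIGURATION-mode commands named on the page (ip ssh server cipher / mac).
    Separating list members with spaces is an assumption of this example."""
    keep = hardened_lists(parsed)
    return ["ip ssh server cipher " + " ".join(keep["ciphers"]),
            "ip ssh server mac " + " ".join(keep["macs"])]


if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SAMPLE_SHOW_IP_SSH)
    for field, alg in weak_algorithms(parsed):
        print("weak %s: %s" % (field, alg))
    for cmd in suggested_commands(parsed):
        print(cmd)
```

Feed the script the real output of show ip ssh from the switch and diff the suggested command lines against the running configuration; the key-exchange list is reported but no command is suggested for it because the page shows none.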
ICMPv4 message types
• Router solicitation (10)
• Time exceeded (11)
• IP header bad (12)
• Timestamp request (13)
• Timestamp reply (14)
• Information request (15)
• Information reply (16)
• Address mask request (17)
• Address mask reply (18)
NOTE: The Dell EMC Networking OS does not suppress the ICMP message type echo request (8).
Table 103.
Dell EMC Networking OS Security Hardening
The security of a network consists of multiple factors. Apart from access to the device, best practices, and implementing various security features, security also lies with the integrity of the device. If the software itself is compromised, all of the aforementioned methods become ineffective. The Dell EMC Networking OS is enhanced to verify whether the OS image and the startup configuration file have been altered before loading them.
upgrade system
DellEMC# upgrade system tftp://10.16.127.35/FTOS-SE-9.11.0.1 A:
Hash Value: e42e2548783c2d5db239ea2fa9de4232
!!!!!!!!!!!!!!...
Startup Configuration Verification
Dell EMC Networking OS comes with the startup configuration verification feature. When enabled, it checks the integrity of the startup configuration that the system uses while it reboots, and loads the configuration only if it is intact.
Configuring the root User Password
For added security, you can change the root user password. If you configure the secure-cli command on the system, the Dell EMC Networking OS resets any previously-configured root access password without displaying any warning message. With the secure-cli command enabled on the system, the CONFIGURATION mode does not display the root access password option. To change the default root user password, follow these steps:
• Change the default root user password.
Do you want to configure boot-access password? Proceed [yes/no]:yes
DellEMC(conf)#
Enabling User Lockout for Failed Login Attempts
You can configure the system to lock out local users for a specific period after unsuccessful login attempts. This feature enhances the security of the switch by locking out the local user account when the number of unsuccessful login attempts exceeds the value configured with the max-retry parameter.
50 Service Provider Bridging VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 119. VLAN Stacking in a Service Provider Network
Important Points to Remember
• Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN.
• Dell EMC Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
• Configuring Dell EMC Networking OS Options for Trunk Ports
• Debugging VLAN Stacking
• VLAN Stacking in Multi-Vendor Networks
Creating Access and Trunk Ports
To create access and trunk ports, use the following commands.
• Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN.
DellEMC# M Te 3/13
Configuring the Protocol Type Value for the Outer VLAN Tag
The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command.
• Select a value for the S-Tag TPID.
CONFIGURATION mode
vlan-stack protocol-type
The default is 9100. To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell EMC Networking OS displays the S-Tag TPID only if it is a non-default value.
NUM * 1 100 101 103 Status Inactive Inactive Inactive Inactive Description Q Ports U Te 1/1 T Te 1/1 M Te 1/1
Debugging VLAN Stacking
To debug VLAN stacking, use the following command.
• Debug the internal state and membership of a VLAN and its ports.
debug member
The port notations are as follows:
• MT — stacked trunk
• MU — stacked access port
• T — 802.1Q trunk port
• U — 802.
Figure 120.
Figure 121.
Figure 122. Single and Double-Tag TPID Mismatch The following table details the outcome of matched and mismatched TPIDs in a VLAN-stacking network with the S-Series. Table 104. Behaviors for Mismatched TPID Network Position Incoming Packet TPID Ingress Access Point untagged single-tag (0x8100) Core untagged System TPID Match Type Pre-Version 8.2.1.0 Version 8.2.1.
Network Position Egress Access Point Incoming Packet TPID untagged System TPID Match Type 0xQRST double-tag mismatch switch to default VLAN switch to default VLAN 0xUVWX — switch to default VLAN switch to default VLAN double-tag match switch to VLAN switch to VLAN double-tag 0xUVWX 0xUVWX Pre-Version 8.2.1.0 Version 8.2.1.
dei honor {0 | 1} {green | red | yellow} You may enter the command once for 0 and once for 1. Packets with an unmapped DEI value are colored green. To display the DEI-honoring configuration, use the show interface dei-honor [interface slot/port[/subport]] in EXEC Privilege mode.
Figure 123. Statically and Dynamically Assigned dot1p for VLAN Stacking
When configuring Dynamic Mode CoS, you have two options:
• Mark the S-Tag dot1p and queue the frame according to the original C-Tag dot1p. In this case, you must have other dot1p QoS configurations; this option is classic dot1p marking.
• Mark the S-Tag dot1p and queue the frame according to the S-Tag dot1p.
!
interface TenGigabitEthernet 1/21
 no ip address
 switchport
 vlan-stack access
 vlan-stack dot1p-mapping c-tag-dot1p 0-3 sp-tag-dot1p 7
 service-policy input in layer2
 no shutdown
Mapping C-Tag to S-Tag dot1p Values
To map C-Tag dot1p values to S-Tag dot1p values and mark the frames accordingly, use the following commands.
1. Allocate CAM space to enable queuing frames according to the C-Tag or the S-Tag.
Figure 124. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 125. VLAN Stacking with L2PT
Implementation Information
• L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs.
• No protocol packets are tunneled when you enable VLAN stacking.
• L2PT requires the default CAM profile.
Enabling Layer 2 Protocol Tunneling
To enable Layer 2 protocol tunneling, use the following command.
1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT.
EXEC Privilege mode
show cam-profile
2.
protocol-tunnel stp
Specifying a Destination MAC Address for BPDUs
By default, Dell EMC Networking OS uses a Dell EMC Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command.
• Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
The same is true for GARP VLAN registration protocol (GVRP). 802.1ad specifies that provider bridges participating in GVRP use a reserved destination MAC address called the Provider Bridge GVRP Address, 01-80-C2-00-00-0D, to exchange GARP PDUs instead of the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them.
51 sFlow
sFlow is a standards-based sampling technology embedded within switches and routers that is used to monitor network traffic. It is designed to provide traffic monitoring for high-speed networks with many switches and routers.
To avoid the back-off, either increase the global sampling rate or configure all the line card ports with the desired sampling rate even if some ports have no sFlow configured.
Important Points to Remember
• The Dell EMC Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset.
• By default, sFlow collection is supported only on data ports.
If you did not enable any extended information, the show output displays the following (shown in bold).
DellEMC#show sflow
sFlow services are disabled
Global default sampling rate: 32768
Global default counter polling interval: 20
Global extended information enabled: none
0 collectors configured
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
0 sFlow samples dropped due to sub-sampling
Enabling and Disabling sFlow on an Interface
By default, sFlow is disabled on all interfaces.
Collector IP addr: 100.1.1.12, Agent IP addr: 100.1.1.
Te 1/16: configured rate 8192, actual rate 8192, sub-sampling rate 1
Te 1/17: configured rate 16384, actual rate 16384, sub-sampling rate 2
Displaying Show sFlow on an Interface
To view sFlow information on a specific interface, use the following command.
• Display sFlow configuration information and statistics on a specific interface.
EXEC mode
show sflow interface interface-name
The following example shows the show sflow interface command.
Changing the Polling Intervals
The sflow polling-interval command configures the polling interval for an interface as the maximum number of seconds between successive samples of counters sent to the collector. This command changes the global default counter polling interval (20 seconds). You can configure an interface to use a different polling interval. To configure the polling intervals globally (in CONFIGURATION mode) or by interface (in INTERFACE mode), use the following command.
1 collectors configured
Collector IP addr: 100.1.1.1, Agent IP addr: 1.1.1.2, UDP port: 6343 VRF: Default
0 UDP packets exported
0 UDP packets dropped
0 sFlow samples collected
stack-unit 1 Port set 0
Te 1/1: configured rate 16384, actual rate 16384
DellEMC#
If you did not enable any extended information, the show output displays the following (shown in bold).
52 Simple Network Management Protocol (SNMP) The Simple Network Management Protocol (SNMP) is designed to manage devices on IP networks by monitoring device operation, which might require administrator intervention. NOTE: On Dell EMC Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
Protocol Overview Network management stations use SNMP to retrieve or alter management data from network elements. A datum of management information is called a managed object; the value of a managed object can be static or variable. Network elements store managed objects in a database called a management information base (MIB). MIBs are hierarchically structured and use object identifiers to address managed objects, but managed objects also have a textual name called an object descriptor.
Keep the following points in mind when you configure the AES128-CFB algorithm for SNMPv3:
1. SNMPv3 authentication provides only the sha option when the FIPS mode is enabled.
2. SNMPv3 privacy provides only the aes128 privacy option when the FIPS mode is enabled.
3. If you attempt to enable or disable FIPS mode while any SNMPv3 users are configured, an error message is displayed stating that you must delete all of the SNMP users before changing the FIPS mode.
4.
Creating a Community For SNMPv1 and SNMPv2, create a community to enable the community-based security in Dell EMC Networking OS. The management station generates requests to either retrieve or alter the value of a management object and is called the SNMP manager. A network element that processes SNMP requests is called an SNMP agent. An SNMP community is a group of SNMP agents and managers that are allowed to interact.
NOTE: To give a user read and write privileges, repeat this step for each privilege type.
• Configure an SNMP group (with password or privacy privileges).
CONFIGURATION mode
snmp-server group group-name {oid-tree} priv read name write name
• Configure the user with a secure authorization password and privacy password.
CONFIGURATION mode
snmp-server user name group-name {oid-tree} auth md5 auth-password priv des56 priv password
• Configure an SNMPv3 view.
The following example shows reading the values of many managed objects at one time.
> snmpwalk -v 2c -c mycommunity 10.11.131.161 .1.3.6.1.2.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Dell EMC Real Time Operating System Software
Dell Operating System Version: 1.0
Dell Application Software Version: E_MAIN4.9.4.0.0
Copyright (c) 1999-2014 by Dell
Build Time: Mon May 12 14:02:22 PDT 2008
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.6027.1.3.
The default is None.
Subscribing to Managed Object Value Updates using SNMP
By default, the Dell EMC Networking system displays some unsolicited SNMP messages (traps) upon certain events and conditions. You can also configure the system to send the traps to a management station. Traps cannot be saved on the system. Dell EMC Networking OS supports the following three sets of traps:
• RFC 1157-defined traps — coldStart, warmStart, linkDown, linkUp, authenticationFailure, and egpNeighborLoss.
CARD_DOWN: %sLine card %d down - %s
LINECARDUP: %sLine card %d is up
CARD_MISMATCH: Mismatch: line card %d is type %s - type %s required.
customer1 at Level 7 VLAN 1000
%ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
entity
Enable entity change traps
Trap
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1487406) 4:07:54.06, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 4
Trap
SNMPv2-MIB::sysUpTime.0 = Timeticks: (1488564) 4:08:05.64, SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::mib-2.47.2.0.1, SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
10.11.226.121 (port: 9140) is not reachable" SNMPv2-SMI::enterprises.6027.3.6.1.1.2.0 = INTEGER: 2
The following is the sample audit log message that the other, reachable syslog servers receive:
Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.121 (port: 9140) is not reachable
The following example shows the SNMP trap that is sent when connectivity to the syslog server is resumed:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (10230) 0:01:42.30 SNMPv2-MIB::snmpTrapOID.
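The syslog messages shown in this section share one shape: an optional timestamp and hostname, then %FACILITY-SEVERITY-MNEMONIC: and free text. The following Python parser, an added example that is not Dell EMC Networking OS code, extracts those fields from the two sample lines above (embedded as a constructed copy) and applies a simple alert rule. The rule itself, severity 4 or lower or a NOT_REACHABLE mnemonic, is this example's assumption; losing reachability to a syslog server is the kind of event a defender wants raised because it is exactly when audit records start to go missing.

```python
"""Parse Dell EMC Networking OS syslog messages and pick the ones to alert on.

Added example, not Dell EMC Networking OS code. The two sample lines are
copied from the messages shown on the page; the alert rule (severity 4 or
lower, or a NOT_REACHABLE mnemonic) is this example's assumption."""
import re

# Constructed sample, copied from the messages shown on the page.
SAMPLE_LOG = """\
%ECFM-5-ECFM_RDI_ALARM: RDI Defect detected by MEP 3 in Domain customer1 at Level 7 VLAN 1000
Oct 21 00:46:13: dv-fedgov-s4810-6: %EVL-6-NOT_REACHABLE:Syslog server 10.11.226.121 (port: 9140) is not reachable
"""

# Optional "Mon dd hh:mm:ss: host: " prefix, then %FACILITY-SEV-MNEMONIC: text
MESSAGE_RE = re.compile(
    r"(?:(?P<timestamp>\w{3} \d{1,2} \d\d:\d\d:\d\d): (?P<host>\S+): )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")

ALERT_MNEMONICS = {"NOT_REACHABLE"}


def parse_line(line):
    """Return a dict (timestamp, host, facility, severity as int, mnemonic, text) or None."""
    m = MESSAGE_RE.match(line.strip())
    if not m:
        return None
    record = m.groupdict()
    record["severity"] = int(record["severity"])
    return record


def parse_log(text):
    """Parse every line that matches; silently skip the rest."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def should_alert(record):
    """Severities 0-4 are errors or worse; NOT_REACHABLE means the audit trail is at risk."""
    return record["severity"] <= 4 or record["mnemonic"] in ALERT_MNEMONICS


def alerts(text):
    """Return the parsed records from text that meet the alert rule."""
    return [r for r in parse_log(text) if should_alert(r)]


if __name__ == "__main__":
    for r in alerts(SAMPLE_LOG):
        print("%s %s-%d-%s: %s" % (r["host"] or "-", r["facility"], r["severity"], r["mnemonic"], r["text"]))
```

The parser keeps the hostname so that, when several switches forward to one collector, the alert names the device that lost its syslog destination rather than the collector that noticed.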
MIB Object OID Object Values
copyDestFileType .1.3.6.1.4.1.6027.3.5.1.1.1.1.5 1 = Dell EMC Networking OS file, 2 = running-config, 3 = startup-config Specifies the type of file to copy to.
• If copySourceFileType is running-config or startup-config, the default copyDestFileLocation is flash.
• If copyDestFileType is a binary, you must specify copyDestFileLocation and copyDestFileName.
copyDestFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.
• index must be unique to all previously executed snmpset commands. If an index value has been used previously, a message like the following appears. In this case, increment the index value and enter the command again.
Error in packet.
Reason: notWritable (that object does not support modification)
Failed object: FTOS-COPY-CONFIG-MIB::copySrcFileType.101
• To complete the command, use as many MIB objects in the command as required by the MIB object descriptions shown in the previous table.
FTOS-COPY-CONFIG-MIB::copySrcFileType.7 = INTEGER: runningConfig(3)
FTOS-COPY-CONFIG-MIB::copyDestFileType.7 = INTEGER: startupConfig(2)
The following example shows how to copy configuration files from a UNIX machine using OIDs.
>snmpset -c public -v 2c 10.11.131.162 .1.3.6.1.4.1.6027.3.5.1.1.1.1.2.8 i 3 .1.3.6.1.4.1.6027.3.5.1.1.1.1.5.8 i 2
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.2.8 = INTEGER: 3
SNMPv2-SMI::enterprises.6027.3.5.1.1.1.1.5.
> snmpset -v 2c -c private -m ./f10-copy-config.mib 10.10.10.10 copySrcFileType.10 i 1 copySrcFileLocation.10 i 4 copyDestFileType.10 i 3 copySrcFileName.10 s /home/myfilename copyServerAddress.10 a 172.16.1.56 copyUserName.10 s mylogin copyUserPassword.10 s mypass
Additional MIB Objects to View Copy Statistics
Dell EMC Networking provides more MIB objects to view copy statistics, as shown in the following table.
Table 110.
The following examples show the command syntax using MIB object names and the same command using the object OIDs. In both cases, the same index number used in the snmpset command follows the object.
The following command shows how to get a MIB object value using the object name.
> snmpget -v 2c -c private -m ./f10-copy-config.mib 10.11.131.140 copyTimeCompleted.110
FTOS-COPY-CONFIG-MIB::copyTimeCompleted.110 = Timeticks: (1179831) 3:16:38.
MIB Object OID Description
envMonSupplyAveragePower 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.6 Displays average input power.
envMonSupplyAvgStartTime 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.7 Displays average input-power start time.
SNMP Walk Example Output
snmpwalk -v 2c -c public 10.16.131.156 1.3.6.1.4.1.674.10895.3000.1.2.110.7.2.1.5
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.11 = INTEGER: 48
SNMPv2-SMI::enterprises.674.10895.3000.1.2.110.7.2.1.5.
MIB Object OID Description
chSysCoresInstance 1.3.6.1.4.1.6027.3.10.1.2.10.1.1 Stores the indexed information about the available software core files.
chSysCoresFileName 1.3.6.1.4.1.6027.3.10.1.2.10.1.2 Contains the core file names and the file paths.
chSysCoresTimeCreated 1.3.6.1.4.1.6027.3.10.1.2.10.1.3 Contains the time at which core files are created.
chSysCoresStackUnitNumber 1.3.6.1.4.1.6027.3.10.1.2.10.1.
MIB Object OID Description
dellNetFlashPartitionUsed 1.3.6.1.4.1.6027.3.26.1.4.8.1.4 Contains the amount of space used by the files on the partition.
dellNetFlashPartitionFree 1.3.6.1.4.1.6027.3.26.1.4.8.1.5 Contains the amount of free space available on the partition.
dellNetFlashPartitionMountPoint 1.3.6.1.4.1.6027.3.26.1.4.8.1.6 Symbolic or alias name for the partition.
MIB Support to Display Egress Queue Statistics
Dell EMC Networking OS provides MIB objects to display information about the packets transmitted or dropped per unicast or multicast egress queue. The following table lists the related MIB objects:
Table 116. MIB Objects to display egress queue statistics
MIB Object OID Description
dellNetFpEgrQTxPacketsRate 1.3.6.1.4.1.6027.3.27.1.20.1.6 Rate of packets transmitted per unicast/multicast egress queue.
dellNetFpEgrQTxBytesRate 1.3.6.1.4.1.6027.3.27.1.
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.80.80.80.0.24.1.4.20.1.1.1.1.4.20.1.1.1 = INTEGER: 1258296320
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = INTEGER: 1275078656
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.0.24.0.0.0.0 = INTEGER: 2097157
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = INTEGER: 0
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.8.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.
STRING: "Po 10"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.80.80.80.0.24.1.4.30.1.1.1.1.4.30.1.1.1 = STRING: "Po 20"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.90.90.90.0.24.0.0.0.0 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.90.90.90.1.32.1.4.127.0.0.1.1.4.127.0.0.1 = STRING: "CP"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.90.90.90.2.32.1.4.90.90.90.2.1.4.90.90.90.2 = STRING: "Fo 1/1/1"
SNMPv2-SMI::enterprises.6027.3.9.1.5.1.10.1.1.4.100.100.100.0.24.1.4.10.1.1.1.1.4.10.1.
MIB Support for entAliasMappingTable
Dell EMC Networking provides a method to map the physical interface to its corresponding ifindex value. The entAliasMappingTable table contains zero or more rows, representing the logical entity mapping and physical component to external MIB identifiers. The following table lists the related MIB objects:
Table 118. MIB Objects for entAliasMappingTable
MIB Object OID Description
entAliasMappingTable 1.3.6.1.2.1.47.1.3.
MIB Object OID Description
dot3adAggMACAddress 1.2.840.10006.300.43.1.1.1.1.1 Contains a six-octet read-only value carrying the individual MAC address assigned to the Aggregator.
dot3adAggActorSystemPriority 1.2.840.10006.300.43.1.1.1.1.2 Contains a two-octet read-write value indicating the priority value associated with the Actor’s system ID.
dot3adAggActorSystemID 1.2.840.10006.300.43.1.1.1.1.
iso.2.840.10006.300.43.1.1.1.1.4.1258356736 = INTEGER: 1
iso.2.840.10006.300.43.1.1.1.1.5.1258356224 = INTEGER: 127
iso.2.840.10006.300.43.1.1.1.1.5.1258356736 = INTEGER: 128
MIB Support to Display Unrecognized LLDP TLVs
This section describes the MIB objects that display information about reserved and organizationally specific unrecognized LLDP TLVs.
MIB Support to Display Organizational Specific Unrecognized LLDP TLVs
The lldpRemOrgDefInfoTable contains organizationally defined information that is not recognized by the local neighbor. The following table lists the related MIB objects:
Table 121. MIB Objects for Displaying Organizational Specific Unrecognized LLDP TLVs
MIB Object OID Description
lldpRemOrgDefInfoTable 1.0.8802.1.1.2.1.4.4 This table contains organizationally defined information that is not recognized by the local neighbor.
SNMP Walk Output
snmpwalk -c public -v 2c 10.16.132.55 1.0.8802.1.1.2.1.1.5
.1.0.8802.1.1.2.1.1.5.0 = INTEGER: 5 seconds
snmpset -c public -v 2c 10.16.132.55 1.0.8802.1.1.2.1.1.5.0 i 20
.1.0.8802.1.1.2.1.1.5.0 = INTEGER: 20 seconds
MIB support for Port Security
Dell EMC Networking OS provides MIB objects to enable or disable the port security feature on the physical and port channel interfaces. The port security DELL-NETWORKING-PORT-SECURITY-MIB object contains both the global and interface level MIB objects.
MIB Object OID Access or Permission Description
dellNetPortSecIfStationMoveEnable 1.3.6.1.4.1.6027.3.31.1.2.1.1.5 read-write Enable or disable station movement on the dynamically secured MAC addresses learnt on the interface.
dellNetPortSecIfSecureMacViolationAction 1.3.6.1.4.1.6027.3.31.1.2.1.1.6 read-write Determines the action to be taken when a MAC limit violation occurs in the system.
dellNetPortSecIfStmvViolationAction 1.3.6.1.4.1.6027.3.31.1.2.1.1.
Table 125. MIB Objects for configuring MAC addresses
MIB Object OID Access or Permission Description
dellNetPortSecIfSecureStaticMacRowStatus 1.3.6.1.4.1.6027.3.31.1.2.2.1.4 read-write Allows adding or deleting entries to or from the table dellNetPortSecSecureStaticMacAddrTable.
Enabling and viewing SNMP for static MAC addresses
You can enable and view SNMP for static MAC addresses using the snmpset and snmpget commands. The following example shows how to enable and view the static MAC addresses.
Manage VLANs using SNMP
The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allow you to use SNMP to manage VLANs.
Creating a VLAN
To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object.
> snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4
SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
The value that the Dell EMC Networking system returns for the snmpget request is a PortList (RFC 2674): an octet string printed as hexadecimal (hex) pairs. Each hex pair is one octet and carries eight ports, one bit per port, most-significant bit first. The first hex pair therefore represents ports 1 to 8 of Stack Unit 1, the next pair to the right represents ports 9 to 16, and so on. Each stack unit occupies a fixed run of pairs, sized for the greatest number of ports available on the device (64), so the bits for the next stack unit begin at a fixed offset after that run. In the all-zero example below, no port is yet a member of the VLAN.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Example of Adding a Tagged Port to a VLAN using SNMP In the following example, Port 0/2 is added as a tagged member of VLAN 10. >snmpset -v2c -c mycommunity 10.11.131.185 .1.3.6.1.2.1.17.7.1.4.3.1.2.
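The PortList layout described above is easy to get wrong by hand, and the snmpset that adds a tagged member must write the whole octet string back. The following helper is an added example, not code from the Dell guide: it decodes the hex pairs snmpget prints, encodes a set of ports back into the form snmpset accepts with the x type letter, and shows the read-modify-write step that keeps existing VLAN members. Stack units are counted from 1 here, and the number of octets reserved per stack unit (OCTETS_PER_UNIT) is an assumption for the unit/port mapping only.

```python
"""Q-BRIDGE PortList helpers (RFC 2674 / Q-BRIDGE-MIB).

A PortList is an OCTET STRING in which each octet carries eight ports,
most-significant bit first: bit 7 of octet 0 is port 1, bit 0 of octet 0 is
port 8, bit 7 of octet 1 is port 9, and so on.  snmpget prints it as
space-separated hex pairs; snmpset accepts the same form with type 'x'.
"""

# Assumption for the stack mapping only: how many octets the agent reserves
# per stack unit.  The value is platform dependent; 8 octets = 64 port bits.
OCTETS_PER_UNIT = 8


def parse_hex_pairs(text):
    """'00 40 80' (as printed by snmpget) -> b'\\x00\\x40\\x80'."""
    return bytes(int(pair, 16) for pair in text.split())


def format_hex_pairs(data):
    """bytes -> 'xx xx xx', the form snmpset takes after the 'x' type letter."""
    return " ".join("%02x" % b for b in data)


def portlist_to_ports(data):
    """Return the 1-based global port positions whose bit is set."""
    ports = []
    for octet_index, octet in enumerate(data):
        for bit in range(8):
            if octet & (0x80 >> bit):
                ports.append(octet_index * 8 + bit + 1)
    return ports


def ports_to_portlist(ports, length):
    """Build a PortList of `length` octets with the given 1-based ports set."""
    buf = bytearray(length)
    for port in ports:
        if not 1 <= port <= length * 8:
            raise ValueError("port %d does not fit in %d octets" % (port, length))
        octet_index, bit = divmod(port - 1, 8)
        buf[octet_index] |= 0x80 >> bit
    return bytes(buf)


def global_to_unit_port(position, octets_per_unit=OCTETS_PER_UNIT):
    """Map a global bit position to (stack unit, port within unit), both 1-based."""
    unit, slot = divmod(position - 1, octets_per_unit * 8)
    return unit + 1, slot + 1


def unit_port_to_global(unit, port, octets_per_unit=OCTETS_PER_UNIT):
    """Inverse of global_to_unit_port."""
    return (unit - 1) * octets_per_unit * 8 + port


def add_port(current_hex, unit, port):
    """Return a new hex-pair string with one more port set (read-modify-write).

    To extend dot1qVlanStaticEgressPorts: snmpget the current value, add the
    port, and snmpset the result back with type 'x'.  Writing a fresh value
    that contains only the new port would drop every existing VLAN member.
    """
    data = bytearray(parse_hex_pairs(current_hex))
    position = unit_port_to_global(unit, port)
    octet_index, bit = divmod(position - 1, 8)
    data[octet_index] |= 0x80 >> bit
    return format_hex_pairs(bytes(data))


if __name__ == "__main__":
    # Constructed sample: the all-zero list shown above, then unit 1 port 2 added.
    empty = " ".join(["00"] * 46)
    print(add_port(empty, 1, 2))   # the first pair becomes 40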
snmpset with descriptor: snmpset -v version -c community agent-ip ifAdminStatus.ifindex i {1 | 2} snmpset with OID: snmpset -v version -c community agent-ip .1.3.6.1.2.1.2.2.1.7.ifindex i {1 | 2} Choose integer 1 to change the admin status to Up, or 2 to change the admin status to Down. Fetch Dynamic MAC Entries using SNMP Dell EMC Networking supports the RFC 1493 dot1d table for the default VLAN and the dot1q table for all other VLANs. NOTE: The 802.1q Q-BRIDGE MIB defines VLANs regarding 802.1d, as 802.
Example of Fetching MAC Addresses Learned on a Port-Channel Using SNMP
Use dot3aCurAggFdbTable to fetch the MAC addresses learned on a port-channel. The instance (the OID suffix) of each row is the MAC address written as six decimal numbers, one per octet, followed by the port-channel number; for example, 00:00:00:00:00:01 learned on port-channel 1 appears as the suffix 0.0.0.0.0.1.1 in the walk output below.
To map the context to a VRF instance for SNMPv2c, follow these steps:
1. Create a community and map a VRF to it. Create a context and map the context and community to a community map.
sho run snmp
snmp-server community public ro
snmp-server community vrf1 ro
snmp-server community vrf2 ro
snmp-server context context1
snmp-server context context2
snmp mib community-map vrf1 context context1
snmp mib community-map vrf2 context context2
NOTE: With SNMPv2c the community string is the only credential, so each community above is a password that selects which VRF's view of the device a requester sees. Use non-guessable strings (public is a well-known default), restrict them with an ACL, or use SNMPv3.
2.
Example of SNMP Walk Output for BGP timer configured for vrf1 (SNMPv2c) snmpwalk -v 2c -c vrf1 10.16.131.125 1.3.6.1.4.1.6027.20.1.2.3 SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.1.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.1.1.2.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.1.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.2.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.3.2.1.3.0.1.20.1.1.2.1.20.1.1.1 SNMPv2-SMI::enterprises.6027.20.1.2.
dot3aCurAggMacAddr
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01
dot3aCurAggIndex
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1
dot3aCurAggStatus
SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1 (1 = status active, 2 = status inactive)
Layer 3 LAG does not include this support. SNMP trap works for the Layer 2 / Layer 3 / default mode LAG.
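The walk above interleaves three columns of one row, and the row's identity is carried only in the OID suffix. The following parser is an added example (not Dell code): it groups the walk lines by instance, rebuilds the MAC address and port-channel number from the suffix, cross-checks them against the dot3aCurAggMacAddr and dot3aCurAggIndex columns, and can build the suffix for a given MAC and LAG so that a single row can be fetched with snmpget. The sample walk lines are the three lines shown above; the extra leading sub-identifier (1) that precedes the MAC in that output is carried through unchanged rather than interpreted.

```python
"""Parse a dot3aCurAggFdbTable walk and rebuild its instance identifiers.

The instance (OID suffix) of each row is the six MAC octets written as
decimal numbers, followed by the port-channel number.  The walk shown in
the guide has one extra leading sub-identifier ("1") in front of the MAC;
this helper carries it through as an opaque leading index.
"""
import re

COLUMNS = {2: "dot3aCurAggMacAddr", 3: "dot3aCurAggIndex", 4: "dot3aCurAggStatus"}
STATUS = {1: "active", 2: "inactive"}

_LINE = re.compile(
    r"SNMPv2-SMI::enterprises\.6027\.3\.2\.1\.1\.4\.1\.(\d+)\.(\S+) = (\S+): (.*)$")


def fdb_instance(mac, port_channel, leading_index=None):
    """'00:00:00:00:00:01', 1 -> '0.0.0.0.0.1.1' (prefixed with leading_index if given)."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError("bad MAC: %r" % mac)
    parts = [str(int(o, 16)) for o in octets] + [str(int(port_channel))]
    if leading_index is not None:
        parts.insert(0, str(leading_index))
    return ".".join(parts)


def split_instance(instance):
    """'1.0.0.0.0.0.1.1' -> (leading index or None, 'aa:bb:..' MAC, port-channel)."""
    nums = [int(x) for x in instance.split(".")]
    if len(nums) < 7:
        raise ValueError("instance too short: %r" % instance)
    *lead, a, b, c, d, e, f, lag = nums
    mac = ":".join("%02x" % x for x in (a, b, c, d, e, f))
    return (lead[0] if lead else None), mac, lag


def parse_walk(lines):
    """Group walk lines by instance and return one dict per port-channel FDB row."""
    rows = {}
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue
        column, instance, vtype, value = m.groups()
        row = rows.setdefault(instance, {})
        name = COLUMNS.get(int(column), "column%s" % column)
        if vtype == "Hex-STRING":
            row[name] = ":".join(value.split()).lower()
        elif vtype == "INTEGER":
            row[name] = int(value.split()[0])
        else:
            row[name] = value
    result = []
    for instance, row in rows.items():
        lead, mac_from_index, lag_from_index = split_instance(instance)
        # Consistency check: the index must agree with the columns it names.
        if row.get("dot3aCurAggMacAddr", mac_from_index) != mac_from_index:
            raise ValueError("MAC column disagrees with index for %s" % instance)
        if row.get("dot3aCurAggIndex", lag_from_index) != lag_from_index:
            raise ValueError("LAG column disagrees with index for %s" % instance)
        result.append({
            "instance": instance,
            "leading_index": lead,
            "mac": mac_from_index,
            "port_channel": lag_from_index,
            "status": STATUS.get(row.get("dot3aCurAggStatus"), "unknown"),
        })
    return result


# Constructed sample: the three lines of the walk shown in the guide.
SAMPLE_WALK = [
    "SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.2.1.0.0.0.0.0.1.1 = Hex-STRING: 00 00 00 00 00 01",
    "SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.3.1.0.0.0.0.0.1.1 = INTEGER: 1",
    "SNMPv2-SMI::enterprises.6027.3.2.1.1.4.1.4.1.0.0.0.0.0.1.1 = INTEGER: 1",
]

if __name__ == "__main__":
    for entry in parse_walk(SAMPLE_WALK):
        print(entry)
```

To fetch one row directly, append fdb_instance(mac, lag, leading_index) to the column OID, for example enterprises.6027.3.2.1.1.4.1.4 for dot3aCurAggStatus.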
The following example shows the SNMP trap that is sent when connectivity to the syslog server is lost:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (19738) 0:03:17.38
SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.6027.3.30.1.1.1
SNMPv2-SMI::enterprises.6027.3.30.1.1 = STRING: "NOT_REACHABLE: Syslog server 10.11.226.121 (port: 9140) is not reachable"
SNMPv2-SMI::enterprises.6027.3.6.1.1.2.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.14.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.15.2113540 = ""
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.16.2113540 = STRING: "29.109375"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.17.2113540 = STRING: "3.286000"
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.18.2113540 = STRING: "7.
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.19.2113540 =
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.20.2113540 =
SNMPv2-SMI::enterprises.6027.3.11.1.3.1.1.21.2113540 =
router-id 10.10.10.
53 Stacking Using the Dell EMC Networking OS stacking feature, you can interconnect multiple switch units with stacking ports or front end user ports. The stack becomes manageable as a single switch through the stack management unit. The system accepts Unit ID numbers from 1 to 6 and it supports stacking up to six units.
Stack Master Election
The stack elects a master and standby unit at bootup time based on two criteria.
• Unit priority — User-configurable. The range is from 1 to 14. A higher value (14) means a higher priority. The default is 0. By removing the stack-unit priority using the no stack-unit priority command, you can set the priority back to the default value of zero.
-- Fan Status -Unit Bay TrayStatus Fan1 Speed Fan2 Speed -----------------------------------------------------------------------------------2 1 up up 10031 up 10031 2 2 up up 10031 up 10031 2 3 up up 10134 up 10031 Speed in RPM -- Unit 3 -Unit Type : Member Unit Status : online Next Boot : online Required Type : S4048-ON - 54-port TE/FG (SK-ON) Current Type : S4048-ON - 54-port TE/FG (SK-ON) Master priority : 5 Hardware Rev : 2.
Use the following command to configure a virtual IP: Dell(conf)#virtual-ip {ip-address | ipv6–address | dhcp} Failover Roles If the stack master fails (for example, is powered off), it is removed from the stack topology. The standby unit detects the loss of peering communication and takes ownership of the stack management, switching from the standby role to the master role. The distributed forwarding tables are retained during the failover, as is the stack MAC address.
Stack#show system stack-unit 2 | grep priority Master priority : 0 Example of Adding a Standalone with a Lower MAC Address and Equal Priority to a Stack Stacking LAG When multiple links are used between stack units, Dell EMC Networking OS automatically bundles them in a stacking LAG to provide aggregated throughput and redundancy.
-----------------------------------------------Mgmt ID: 0 Stack-unit ID: 5 Stack-unit Redundancy Role: Primary Stack-unit State: Active Stack-unit SW Version: 1-0(0-3387) Link to Peer: Up -- PEER Stack-unit Status ------------------------------------------------Stack-unit State: Standby Peer Stack-unit ID: 2 Stack-unit SW Version: 1-0(0-3387) -- Stack-unit Redundancy Configuration ------------------------------------------------Primary Stack-unit: mgmt-id 0 Auto Data Sync: Full Failover Type: Hot Failover A
terminal upload Dell(standby)# Set terminal line parameters Upload file -----------------CONSOLE ACCESS ON A MEMBER---------------------------Dell(stack-member-1)#? reset-self Reset this unit alone show Show running system information You can connect two units with two or more stacking cables in case of a stacking port or cable failure. Removal of only one of the cables does not trigger a reset.
Hardware Watchdog in Mixed-mode stacking The Hardware watchdog command is enabled by default in the S4048T-ON. In the S4048-ON switch, hardware watchdog is not supported. In a mixed-mode stacking scenario, you must enable Hardware Watchdog on the S4048T-ON switch.
Figure 127. Stack-Group Assignments
1. Stack-group 0 (Ports 1, 2, 3, and 4)
2. Stack-group 1 (Ports 5, 6, 7, and 8)
3. Stack-group 2 (Ports 9, 10, 11, and 12)
4. Stack-group 3 (Ports 13, 14, 15, and 16)
5. Stack-group 12 (Port 49)
6. Stack-group 14 (Port 51)
7. Stack-group 16 (Port 53)
8. Stack-group 17 (Port 54)
9. Stack-group 15 (Port 52)
10. Stack-group 13 (Port 50)
You can connect the units while they are powered down or up. Stacking ports are bi-directional.
To view the port assignments, use the show system stack-unit command. Creating a New Stack Prior to creating a stack, know which unit will be the management unit and which will be the standby unit. Enable the front ports of the units for stacking. For more information, refer to Enabling Front End Port Stacking. To create a new stack, use the following commands. 1. Power up all units in the stack. 2. Verify that each unit has the same Dell EMC Networking OS version prior to stacking them together.
• Configure the stack groups on unit 2: stack-unit 2 stack-group 14 and stack-unit 2 stack-group 15
• Configure the stack groups on unit 3: stack-unit 3 stack-group 12 and stack-unit 3 stack-group 13
• Configure the stack groups on unit 4: stack-unit 4 stack-group 13 and stack-unit 4 stack-group 14
• Configure the final stack-group on unit 1 to complete the stack: stack-unit 1 stack-group 12
When the stack-group configuration is complete, the system prints a syslog for reload.
DellEMC# The following example shows how to configure two new switches for stacking using 10G ports. Dell-1(conf)#stack-unit 1 stack-group 0 Setting ports Te 1/1 Te 1/2 Te 1/3 Te 1/4 as stack group will make their interface configs obsolete after a reload. [confirm yes/no]:yes Dell-2(conf)#stack-unit 1 stack-group 0 Setting ports Te 1/1 Te 1/2 Te 1/3 as stack group will make their interface configs obsolete after a reload.
The following example shows adding a stack unit with a conflicting stack number (before).
reload
Dell EMC Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack. The new unit synchronizes its running and startup configurations with the stack.
8. If a standalone switch already has stack groups configured, attach cables to connect the ports already configured as stack groups on the switch to one or more switches in the stack. Dell EMC Networking OS automatically assigns a number to the new unit and adds it as a member switch in the stack.
• Assign a stack-number to a unit. EXEC Privilege mode stack-unit old-unit-number renumber new-unit-number Renumbering the stack manager triggers the whole stack to reload, as shown in the message below. When the stack comes back online, the master unit remains the management unit. Dell#stack-unit 2 renumber 1 Renumbering master unit will reload the stack.
Unit Bay Status Type FanStatus FanSpeed(rpm) --------------------------------------------------------------------------1 1 up UNKNOWN up 10704 1 2 absent absent 0 -- Fan Status -Unit Bay TrayStatus Fan1 Speed Fan2 Speed -----------------------------------------------------------------------------------1 1 up up 10134 up 10031 1 2 up up 10031 up 10031 1 3 up up 10031 up 10031 Speed in RPM -- Unit 2 -Unit Type : Standby Unit Status : online Next Boot : online Required Type : S4048-ON - 54-port TE/FG (SK-ON) C
3 3 2 3 up up up up 9929 10031 up up 10031 10134 Speed in RPM DellEMC# The following is an example of the show system brief command to view the stack summary information.
• the management unit is powered down or a failover occurs.
• you disconnect the management unit from the stack.
When the management unit fails, the unit disappears from the stack topology. At that time, the standby unit detects the communication loss and switches from the standby unit role to the management unit role in the stack. From the remaining units in the stack, the system selects a new standby unit based on the unit priority using the same algorithm used when the stack was initially created.
The following message appears prompting you to confirm the configuration: Enabling mixed-mode-stacking requires configuration save and reload to operate in compatible with S4048-ON. Do you want to reload? Proceed[confirm yes/no]: 2. Enter yes at this prompt and press the return key. The following message appears prompting you to save the configuration: System configuration has been modified. Save? [yes/no]: 3. Enter yes again and press the return key.
Piece Part ID PPID Revision Service Tag Expr Svc Code Auto Reboot Burned In MAC No Of MACs : : : : : : : N/A N/A N/A N/A disabled 00:01:e8:8c:53:32 3 -- Power Supplies -Unit Bay Status Type FanStatus --------------------------------------------Unit Bay Status Type FanStatus --------------------------------------------1 0 absent absent 1 1 up AC up -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------1 0 up up 7200 up 7200 1 1 up up 7200 up 7440 Speed in RP T
The following example shows removing a stack member (before). DellEMC#show system brief Stack MAC : 00:01:e8:8a:df:e6 Reload Type : normal-reload -- Stack Info -Unit UnitType Status ReqTyp CurTyp Version Ports ----------------------------------------------------0 Management online S4810 S4810 8-3-7-13 64 1 Member online S4810 S4810 8-3-7-13 64 2 Member not present 3 Standby online S4810 S4810 8-3-7-13 64 The following example shows removing a stack member (after).
• Recover from a Card Problem State on a Stack
• Recover from Stack Link Flaps
Stack link integrity monitoring enables units to monitor their own stack ports and disable any stack port that flaps five times within 10 seconds. Dell EMC Networking OS displays console messages for the local and remote members of a flapping link, and on the primary (master) and standby management units as KERN-2-INT messages if the flapping port belongs to either of these units.
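The rule above (five flaps within 10 seconds disables the port) is a sliding-window counter. The following monitor is an added example, not Dell code, that implements that rule over a constructed feed of link-state samples: every up/down transition counts as a flap (an assumption; the guide does not define the unit of counting), transitions older than the window are discarded, and the port is shut the moment the fifth transition inside the window arrives. The message text is constructed for the example and only borrows the KERN-2-INT label from the guide.

```python
"""Sliding-window stack-link flap detector.

Implements the rule from the guide: a stack port that flaps five times
within ten seconds is disabled.  A flap is counted on every link-state
transition (up->down or down->up).  Events and message format are
constructed for this example.
"""
from collections import defaultdict, deque

FLAP_THRESHOLD = 5      # transitions
FLAP_WINDOW = 10.0      # seconds


class StackLinkMonitor:
    def __init__(self, threshold=FLAP_THRESHOLD, window=FLAP_WINDOW):
        self.threshold = threshold
        self.window = window
        self._last_state = {}                 # port -> "up" | "down"
        self._flaps = defaultdict(deque)      # port -> timestamps of recent transitions
        self.disabled = {}                    # port -> time it was shut
        self.messages = []                    # console messages, KERN-2-INT style

    def observe(self, ts, port, state):
        """Feed one (time, port, state) sample. Returns True if it disabled the port."""
        if port in self.disabled:
            return False                      # already shut; further samples are ignored
        previous = self._last_state.get(port)
        self._last_state[port] = state
        if previous is None or previous == state:
            return False                      # first sample or no transition: not a flap
        times = self._flaps[port]
        times.append(ts)
        while times and ts - times[0] > self.window:
            times.popleft()                   # drop transitions that fell out of the window
        if len(times) >= self.threshold:
            self.disabled[port] = ts
            self.messages.append(
                "KERN-2-INT: stack port %s flapped %d times in %.0f s; port disabled"
                % (port, len(times), self.window))
            return True
        return False


def run(events):
    """Replay (ts, port, state) samples in time order and return the monitor."""
    mon = StackLinkMonitor()
    for ts, port, state in sorted(events, key=lambda e: e[0]):
        mon.observe(ts, port, state)
    return mon


# Constructed samples: Te 1/49 bounces once a second, Te 1/50 every four seconds.
SAMPLE_EVENTS = [
    (0, "Te 1/49", "down"), (1, "Te 1/49", "up"), (2, "Te 1/49", "down"),
    (3, "Te 1/49", "up"), (4, "Te 1/49", "down"), (5, "Te 1/49", "up"),
    (0, "Te 1/50", "up"), (4, "Te 1/50", "down"), (8, "Te 1/50", "up"),
    (12, "Te 1/50", "down"), (16, "Te 1/50", "up"), (20, "Te 1/50", "down"),
]

if __name__ == "__main__":
    for msg in run(SAMPLE_EVENTS).messages:
        print(msg)
```

Te 1/50 also transitions five times, but spread over 16 seconds, so at no point do five transitions fall inside one 10-second window and it stays up; Te 1/49 is shut at the fifth transition.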
0 1 1 1 0 1 up DC up absent absent up AC up -- Fan Status -Unit Bay TrayStatus Fan0 Speed Fan1 Speed -------------------------------------------0 0 up up 9360 up 9360 0 1 up up 9600 up 9360 1 0 up up 6720 up 6720 1 1 up up 6960 up 6720 Speed in RPM stack-1#
54 Storm Control
Storm control allows you to control unknown-unicast, multicast, and broadcast traffic on Layer 2 and Layer 3 physical interfaces.
Dell EMC Networking Operating System (OS) Behavior: Dell EMC Networking OS supports unknown-unicast, multicast, and broadcast control for Layer 2 and Layer 3 traffic.
Dell EMC Networking OS Behavior: The minimum number of packets per second (PPS) that storm control can limit on the device is two.
• Configure the packets per second of multicast traffic allowed on an interface (ingress only).
INTERFACE mode
storm-control multicast packets_per_second in
• Shut down the port if it receives PFC/LLFC packets at more than the configured rate.
INTERFACE mode
storm-control pfc-llfc pps in shutdown
NOTE: When PFC/LLFC storm control is enabled on an interface, the interface is disabled if it receives continuous PFC/LLFC packets above the configured rate.
55 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell EMC Networking OS.
• Enabling PortFast
• Prevent Network Disruptions with BPDU Guard
• STP Root Guard
• Enabling SNMP Traps for Root Elections and Topology Changes
• Configuring Spanning Trees as Hitless
Important Points to Remember
• STP is disabled by default.
• The Dell EMC Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+).
• You may only enable one flavor of spanning tree at any one time.
1. If the interface has been assigned an IP address, remove it.
INTERFACE mode
no ip address
2. Place the interface in Layer 2 mode.
INTERFACE mode
switchport
3. Enable the interface.
INTERFACE mode
no shutdown
To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. • • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Prevent Network Disruptions with BPDU Guard
Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/Edgeport (edgeports) do not expect to receive BPDUs. If an edgeport does receive a BPDU, it likely means that the port is connected to another switch rather than an end station, which can negatively affect the STP topology; it can also mean that a host on that port is injecting BPDUs in an attempt to become root or to reshape the topology. BPDU guard shuts the port in either case, which is why it belongs on every access port.
Figure 131. Enabling BPDU Guard Dell EMC Networking OS Behavior BPDU guard: • • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. drops the BPDU after it reaches the RP and generates a console message. Example of Blocked BPDUs DellEMC(conf-if-te-1/7)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32768, Address 0001.e805.fb07 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32768, Address 0001.e85d.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 132. STP Root Guard Prevents Bridging Loops
Configuring Root Guard
Enable STP root guard on a per-port or per-port-channel basis.
Dell EMC Networking OS Behavior: The following conditions apply to a port enabled with STP root guard:
• Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps individually or collectively, use the following commands. • • Enable SNMP traps for spanning tree state changes. snmp-server enable traps stp Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 133. STP Loop Guard Prevents Forwarding Loops
Configuring Loop Guard
Enable STP loop guard on a per-port or per-port channel basis. The following conditions apply to a port enabled with loop guard:
• Loop guard is supported on any STP-enabled port or port-channel interface.
• If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port.
• When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN.
To enable loop guard on an STP-enabled port or port-channel interface, use the following command.
56 SupportAssist SupportAssist sends troubleshooting data securely to Dell. SupportAssist in this Dell EMC Networking OS release does not support automated email notification at the time of hardware fault alert, automatic case creation, automatic part dispatch, or reports. SupportAssist requires Dell EMC Networking OS 9.9(0.0) and SmartScripts 9.7 or later to be installed on the Dell EMC Networking device. For more information on SmartScripts, see Dell EMC Networking Open Automation guide. Figure 134.
Enable the SupportAssist service. CONFIGURATION mode support-assist activate DellEMC(conf)#support-assist activate This command guides you through steps to configure SupportAssist. Configuring SupportAssist Manually To manually configure SupportAssist service, use the following commands. 1. Accept the end-user license agreement (EULA). CONFIGURATION mode eula-consent {support-assist} {accept | reject} NOTE: Once accepted, you do not have to accept the EULA again.
support-assist DellEMC(conf)#support-assist DellEMC(conf-supportassist)# 3. (Optional) Configure the contact information for the company. SUPPORTASSIST mode contact-company name {company-name}[company-next-name] ... [company-next-name] DellEMC(conf)#support-assist DellEMC(conf-supportassist)#contact-company name test DellEMC(conf-supportassist-cmpy-test)# 4. (Optional) Configure the contact name for an individual.
[no] activity {full-transfer|core-transfer|event-transfer} DellEMC(conf-supportassist)#activity full-transfer DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist)#activity core-transfer DellEMC(conf-supportassist-act-core-transfer)# DellEMC(conf-supportassist)#activity event-transfer DellEMC(conf-supportassist-act-event-transfer)# 2. Copy an action-manifest file for an activity to the system.
[no] enable DellEMC(conf-supportassist-act-full-transfer)#enable DellEMC(conf-supportassist-act-full-transfer)# DellEMC(conf-supportassist-act-core-transfer)#enable DellEMC(conf-supportassist-act-core-transfer)# DellEMC(conf-supportassist-act-event-transfer)#enable DellEMC(conf-supportassist-act-event-transfer)# Configuring SupportAssist Company SupportAssist Company mode allows you to configure name, address and territory information of the company.
SUPPORTASSIST PERSON mode [no] email-address primary email-address [alternate email-address] DellEMC(conf-supportassist-pers-john_doe)#email-address primary jdoe@mycompany.com DellEMC(conf-supportassist-pers-john_doe)# 3. Configure phone numbers of the contact person. SUPPORTASSIST PERSON mode [no] phone primary phone [alternate phone] DellEMC(conf-supportassist-pers-john_doe)#phone primary +919999999999 DellEMC(conf-supportassist-pers-john_doe)# 4. Configure the preferred method for contacting the person.
[no] url uniform-resource-locator DellEMC(conf-supportassist-serv-default)#url https://192.168.1.1/index.htm DellEMC(conf-supportassist-serv-default)# Viewing SupportAssist Configuration To view the SupportAssist configurations, use the following commands: 1. Display information on the SupportAssist feature status including any activities, status of communication, last time communication sent, and so on.
show eula-consent {support-assist | other feature} DellEMC#show eula-consent support-assist SupportAssist EULA has been: Accepted Additional information about the SupportAssist EULA is as follows: By installing SupportAssist, you allow Dell to save your contact information (e.g. name, phone number and/or email address) which would be used to provide technical support for your Dell products and services. Dell may use the information for providing recommendations to improve your IT infrastructure.
57 System Time and Date
System time and date settings and the network time protocol (NTP) are supported on Dell EMC Networking OS. You can set the system time and date manually and keep them synchronized through NTP. They can also be set through the Dell EMC Networking Operating System (OS) command line interface (CLI) and hardware settings. Dell EMC Networking OS supports reaching an NTP server through different VRFs. You can configure a maximum of eight logging servers across different VRFs or the same VRF.
Protocol Overview
The client sends NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. DellEMC#show ntp status Clock is synchronized, stratum 4, reference is 10.16.151.117, vrf-id is 0 frequency is -44.862 ppm, stability is 0.050 ppm, precision is -18 reference time deeef7ef.85eeaa10 Tue, Jul 10 2018 9:16:31.523 UTC clock offset is -0.167449 msec, root delay is 149.194 msec root dispersion is 54.557 msec, peer dispersion is 0.
• • • • • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. For the Management interface, enter the keyword ManagementEthernet then the slot/port information. For a port channel interface, enter the keywords port-channel then a number. For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
ntp master
To configure the switch as an NTP server, use the ntp master command. The stratum number identifies the NTP server's position in the hierarchy. The following example shows configuring an NTP server.
Dell EMC(conf)#show running-config ntp
!
ntp master
ntp server 10.16.127.44
ntp server 10.16.127.86
ntp server 10.16.127.
• Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer.
To view the NTP configuration, use the show running-config ntp command in EXEC Privilege mode. The following example shows an authentication key stored in encrypted form. All keys are shown encrypted in the running configuration; the displayed value is not the key itself.
DellEMC#show running ntp
!
ntp authenticate
ntp authentication-key 345 md5 5A60910F3D211F02
ntp server 11.1.1.
NOTE: NTP MD5 authentication (RFC 5905) lets the client reject replies that were not produced with the shared key, which is what stops a spoofed server from stepping the clock; it does not encrypt the time data, and it protects nothing if the key is weak or shared with untrusted hosts.
• Set the system software clock to the current time and date. EXEC Privilege mode clock set time month day year • • • • time: enter the time in hours:minutes:seconds. For the hour variable, use the 24-hour format; for example, 17:15:00 is 5:15 pm. month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. day: enter the number of the day. The range is from 1 to 31.
• • • • • • start-time: enter the time in hours:minutes. For the hour variable, use the 24-hour format; example, 17:15 is 5:15 pm. end-month: enter the name of one of the 12 months in English. You can enter the name of a day to change the order of the display to time day month year. end-day: enter the number of the day. The range is from 1 to 31. You can enter the name of a month to change the order of the display to time day month year. end-year: enter a four-digit number as the year.
pacific Sat Nov 7 2009" NOTE: If you enter after entering the recurring command parameter, and you have already set a one-time daylight saving time/date, the system uses that time and date as the recurring setting. The following example shows the clock summer-time recurring parameters.
58 Tunneling
Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and RFC 4213. DSCP, hop limits, flow label values, open shortest path first (OSPF) v2, and OSPFv3 are supported. Internet control message protocol (ICMP) error relay, path MTU transmission, and fragmented packets are not supported.
The following sample configuration shows a tunnel configured in IPv6 mode (an IPv6 tunnel, with IPv6 source and destination addresses, carrying both IPv4 and IPv6 traffic):
DellEMC(conf)#interface tunnel 3
DellEMC(conf-if-tu-3)#tunnel source 5::5
DellEMC(conf-if-tu-3)#tunnel destination 8::9
DellEMC(conf-if-tu-3)#tunnel mode ipv6
DellEMC(conf-if-tu-3)#ip address 3.1.1.1/24
DellEMC(conf-if-tu-3)#ipv6 address 3::1/64
DellEMC(conf-if-tu-3)#no shutdown
DellEMC(conf-if-tu-3)#show config
!
interface Tunnel 3
ip address 3.1.1.
DellEMC(conf)#interface tunnel 1
DellEMC(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1
DellEMC(conf-if-tu-1)#tunnel source 40.1.1.1
DellEMC(conf-if-tu-1)#tunnel mode ipip decapsulate-any
DellEMC(conf-if-tu-1)#no shutdown
DellEMC(conf-if-tu-1)#show config
!
interface Tunnel 1
ip unnumbered TenGigabitEthernet 1/1
ipv6 unnumbered TenGigabitEthernet 1/1
tunnel source 40.1.1.
NOTE: This tunnel has no tunnel destination: in decapsulate-any mode, IPIP packets (IP protocol 4) addressed to the tunnel source are decapsulated whatever their outer source address, and the inner packet is forwarded as if it had arrived on the tunnel. Unless an ingress ACL permits protocol 4 only from the expected peers, anyone who can reach 40.1.1.1 can inject traffic onto the networks behind the tunnel.
59 Uplink Failure Detection (UFD) Feature Description A switch provides upstream connectivity for devices, such as servers. If a switch loses its upstream connectivity, downstream devices also lose their connectivity. However, the devices do not receive a direct indication that upstream connectivity is lost because connectivity to the switch is still operational. UFD allows a switch to associate downstream interfaces with upstream interfaces.
Figure 136. Uplink Failure Detection How Uplink Failure Detection Works UFD creates an association between upstream and downstream interfaces. The association of uplink and downlink interfaces is called an uplink-state group. An interface in an uplink-state group can be a physical interface or a port-channel (LAG) aggregation of physical interfaces. An enabled uplink-state group tracks the state of all assigned upstream interfaces.
Figure 137. Uplink Failure Detection Example
If only one of the upstream interfaces in an uplink-state group goes down, a specified number of downstream ports associated with the upstream interface are put into a Link-Down state. You can configure this number; otherwise it is calculated from the ratio of the upstream port bandwidth to the downstream port bandwidth in the same uplink-state group.
• If you disable an uplink-state group, the downstream interfaces are not disabled regardless of the state of the upstream interfaces.
• If an uplink-state group has no upstream interfaces assigned, you cannot disable downstream interfaces when an upstream link goes down.
To enable the debug messages for events related to a specified uplink-state group or all groups, use the debug uplink-state-group [group-id] command, where the group-id is from 1 to 16.
6. (Optional) Disable upstream-link tracking without deleting the uplink-state group. UPLINK-STATE-GROUP mode no enable The default is upstream-link tracking is automatically enabled in an uplink-state group. To re-enable upstream-link tracking, use the enable command. Clearing a UFD-Disabled Interface You can manually bring up a downstream interface in an uplink-state group that UFD disabled and is in a UFD-Disabled Error state.
Displaying Uplink Failure Detection To display information on the UFD feature, use any of the following commands. • Display status information on a specified uplink-state group or all groups. EXEC mode show uplink-state-group [group-id] [detail] • • group-id: The values are from 1 to 16. • detail: displays additional status information on the upstream and downstream interfaces in each group. Display the current status of a port or port-channel interface assigned to an uplink-state group.
Uplink State Group : 16 Status: Disabled, Up Upstream Interfaces : Te 1/4(Dwn) Po 8(Dwn) Downstream Interfaces : Te 1/10(Dwn) The following example shows viewing the interface status with UFD information.
• • Add a text description for the group. Verify the configuration with various show commands.
60 Upgrade Procedures To find the upgrade procedures, go to the Dell EMC Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell EMC Networking OS version. To upgrade your system type, follow the procedures in the Dell EMC Networking OS Release Notes. You can download the release notes of your platform at https://www.force10networks.com. Use your login ID to log in to the website.
61 Virtual LANs (VLANs) Virtual LANs (VLANs) are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The system supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
• Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN. Alternatively, use the no switchport command, and Dell EMC Networking OS removes the interface from the Default VLAN.
• A tagged interface requires an additional step to remove it from Layer 2 mode. Because tagged interfaces can belong to multiple VLANs, remove the tagged interface from all VLANs using the no tagged interface command.
Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN. Configuration Task List This section contains the following VLAN configuration tasks.
To tag frames leaving an interface in Layer 2 mode, assign that interface to a port-based VLAN to tag it with that VLAN ID. To tag interfaces, use the following commands.
1. Access INTERFACE VLAN mode of the VLAN to which you want to assign the interface.
   CONFIGURATION mode
   interface vlan vlan-id
2. Enable an interface to include the IEEE 802.1Q tag header.
untagged interface
This command is available only in VLAN interfaces. The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN. To determine interface status, use the show vlan command.
Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs. You must connect an untagged port to a VLAN-unaware station (one that does not understand VLAN tags), and you must connect a tagged port to a VLAN-aware station (one that generates and understands VLAN tags). Native VLAN support breaks this barrier so that you can connect a port to both VLAN-aware and VLAN-unaware stations. Such ports are referred to as hybrid ports.
62 Virtual Link Trunking (VLT)
Overview
In a traditional switched topology as shown below, spanning tree protocols (STPs) are used to block one or more links to prevent loops in the network. Although loops are prevented, bandwidth of all links is not effectively utilized by the connected devices.
Figure 139. Traditional switched topology
VLT not only overcomes this caveat, but also provides a multipath to the connected devices.
To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol. After VLT is established, you may use rapid spanning tree protocol (RSTP) to prevent loops from forming with new links that are incorrectly connected and outside the VLT domain. VLT provides Layer 2 multipathing, creating redundancy through increased bandwidth, enabling multiple parallel paths between nodes, and load-balancing traffic where alternate paths exist.
between the two VLT chassis. IGMP and VLT configurations must be identical on both sides of the trunk to ensure the same behavior on both sides. The following example shows how VLT is deployed. The switches appear as a single virtual switch from the point of view of the switch or server supporting link aggregation control protocol (LACP).
VLT Terminology
The following are key VLT terms.
• Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches.
If Host 1 from a VLT domain sends a frame to Host 2 in another VLT domain, the frame can use any link shown to reach Host 2. MAC synchronization between VLT peers handles the traffic flow even if it is hashed and forwarded through the other member of the port channel.
VLT on Core Switches
Uplinks from servers to the access layer and from the access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This setup requires "horizontal" stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and from access to aggregation are in Active-Active Load Sharing mode. This example provides the highest form of resiliency, scaling, and load balancing in data center switching networks.
Figure 144. Enhanced VLT
Configure Virtual Link Trunking
VLT requires that you enable the feature and then configure the same VLT domain, backup link, and VLT interconnect on both peer switches.
Important Points to Remember
• You cannot enable stacking simultaneously with VLT. If you enable both at the same time, unexpected behavior can occur.
• VLT port channel interfaces must be switch ports.
• If you include RSTP on the system, configure it before VLT.
• When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
• When you enable Layer 3 routing protocols on VLT peers, make sure the delay-restore timer is set to a value that allows sufficient time for all routes to establish adjacency and exchange all the L3 routes between the VLT peers before you enable the VLT ports.
• One device in the VLT domain is assigned a primary role; the other device takes the secondary role. The primary and secondary roles are required for scenarios when connectivity between the chassis is lost. VLT assigns the primary chassis role according to the lowest MAC address. You can configure the primary role manually.
• In a VLT domain, the peer switches must run the same Dell EMC Networking OS software version.
• To connect servers and access switches with VLT peer switches, you use a VLT port channel, as shown in Overview. Up to 48 port-channels are supported; up to 16 member links are supported in each port channel between the VLT domain and an access device.
• The discovery protocol running between VLT peers automatically generates the ID number of the port channel that connects an access device and a VLT switch.
• To verify that a VLT peer is consistently configured for either the master or backup role in all VRRP groups, use the show vrrp command on each peer.
• Configure the same L3 routing (static and dynamic) on each peer so that the L3 reachability and routing tables are identical on both VLT peers. Both the VRRP master and backup peers must be able to locally forward L3 traffic in the same way.
VLT Bandwidth Monitoring
When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated.
%STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 )
When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
PIM-Sparse Mode Support on VLT
The designated router functionality of the PIM Sparse-Mode multicast protocol is supported on VLT peer switches for multicast sources and receivers that are connected to VLT ports. VLT peer switches can act as a last-hop router for IGMP receivers and as a first-hop router for multicast sources.
Figure 145.
Each VLT peer runs its own PIM protocol independently of other VLT peers. To ensure the PIM protocol states or multicast routing information base (MRIB) on the VLT peers are synced, if the incoming interface (IIF) and outgoing interface (OIF) are spanned, the multicast route table is synced between the VLT peers. To verify the PIM neighbors on the VLT VLAN and on the multicast port, use the show ip pim neighbor, show ip igmp snooping mrouter, and show running-config commands.
Figure 146. Packets without peer routing enabled
If you enable peer routing, a VLT node acts as a proxy gateway for its connected VLT peer as shown in the image below. Even though the gateway address of the packet is different, Peer-1 routes the packet to its destination on behalf of Peer-2 to avoid sub-optimal routing.
Figure 147. Packets with peer routing enabled
Benefits of Peer Routing
• Avoids sub-optimal routing
• Reduces latency by avoiding another hop in the traffic path.
VLT Unicast Routing VLT unicast routing is a type of VLT peer routing that locally routes unicast packets destined for the L3 endpoint of the VLT peer. This method avoids sub-optimal routing. Peer-routing syncs the MAC addresses of both VLT peers and requires two local DA entries in TCAM. If a VLT node is down, a timer that allows you to configure the amount of time needed for peer recovery provides resiliency. You can enable VLT unicast across multiple configurations using VLT links.
• When using factory default settings on a new switch deployed as a VLT node, packet loss may occur due to the requirement that all ports must be open.
• ECMP is not compatible on VLT nodes using VLT multicast. You must use a single VLAN.
Configuring VLT Multicast
To enable and configure VLT multicast, follow these steps.
1. Enable VLT on a switch, then configure a VLT domain and enter VLT-domain configuration mode.
   CONFIGURATION mode
   vlt domain domain-id
2. Enable peer-routing.
1. Configure RSTP in the core network and on each peer switch as described in Rapid Spanning Tree Protocol (RSTP). Disabling RSTP on one VLT peer may result in a VLT domain failure.
2. Enable RSTP on each peer switch.
   PROTOCOL SPANNING TREE RSTP mode
   no disable
3. Configure each peer switch with a unique bridge priority.
1. Configure the VLT interconnect for the VLT domain. The primary and secondary switch roles in the VLT domain are automatically assigned after you configure both sides of the VLTi.
   NOTE: If you use a third-party ToR unit, to avoid potential problems if you reboot the VLT peers, Dell EMC recommends using static LAGs on the VLTi between VLT peers.
2. Enable VLT and create a VLT domain ID. VLT automatically selects a system MAC address.
3. Configure a backup link for the VLT domain.
4.
   You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds.
3. Configure the port channel to be used as the VLT interconnect between VLT peers in the domain.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
4. Enable peer routing.
   VLT DOMAIN CONFIGURATION mode
   peer-routing
   If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
5.
2. Enter an amount of time, in seconds, to delay the restoration of the VLT ports after the system is rebooted.
   CONFIGURATION mode
   delay-restore delay-restore-time
   The range is from 1 to 1200. The default is 90 seconds.
Reconfiguring the Default VLT Settings (Optional)
To reconfigure the default VLT settings, use the following commands.
1. Enter VLT-domain configuration mode for a specified VLT domain.
   CONFIGURATION mode
   vlt domain domain-id
   The range of domain IDs is from 1 to 1000.
2.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport] information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
5. Ensure that the port channel is active.
   INTERFACE PORT-CHANNEL mode
   no shutdown
6.
   The range of domain IDs is from 1 to 1000.
4. Enter the port-channel number that acts as the interconnect trunk.
   VLT DOMAIN CONFIGURATION mode
   peer-link port-channel id-number
5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages.
   VLT DOMAIN CONFIGURATION mode
   back-up destination ip-address [interval seconds]
   You can optionally specify the time interval used to send hello messages.
    no shutdown
16. Enable peer routing.
    VLT DOMAIN CONFIGURATION mode
    peer-routing
    If you enable peer routing, a VLT node acts as the proxy gateway for its peer.
17. Repeat steps 1 through 16 for the VLT peer node in Domain 1.
18. Repeat steps 1 through 16 for the first VLT node in Domain 2.
19. Repeat steps 1 through 16 for the VLT peer node in Domain 2.
To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration.
Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
Dell-2(conf)#vlt domain 5
Dell-2(conf-vlt-domain)#
Dell-4(conf)#vlt domain 5
Dell-4(conf-vlt-domain)#
Configure the VLTi between VLT peer 1 and VLT peer 2.
1. You can configure the LACP/static LAG between the peer units (not shown).
2. Configure the peer-link port-channel in the VLT domains of each peer unit.
LAG   Mode  Status  Uptime    Ports
L 2   L2L3  up      03:33:14  Te 1/4 (Up)
In the ToR unit, configure LACP on the physical ports.
LAG   Mode  Status  Uptime    Ports
L 2   L2L3  up      03:33:31  Te 1/18 (Up)
PVST+ Configuration
PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. Run PVST+ on both VLT peer switches. A PVST+ instance is created for every VLAN configured in the system.
Peer Routing Configuration Example
This section provides a detailed explanation of how to configure peer routing in a VLT domain. In the following example, devices are configured as follows:
• Access switch A1 is connected to two VLT peers (Dell-1 and Dell-2).
• The two VLT peers are connected to an upstream switch R1.
• OSPF is configured in Dell-1, Dell-2, and R1 switches.
• Dell-1 is configured as the root bridge.
• Dell-1 is configured as the VLT primary.
* 1 Active 20 Active OSPF PEERING VLAN 800 900 Active Active Client-VLAN Client-VLAN-2 U U Po10 (Te 0/0-1) U Te 0/4,47 Po1 (Te 0/6) V Po10 (Te 0/0-1) V Po10 (Te 0/0-1) V Po10 (Te 0/0-1)
The following is the configuration in interfaces:
DellEMC#1#sh run int ma0/0
interface ManagementEthernet 0/0
 description Used_for_VLT_Keepalive
 ip address 10.10.10.1/24
 no shutdown
(The management interfaces are part of a default VRF and are isolated from the switch's data plane.
 vlt-peer-lag port-channel 1
 no shutdown
Port channel 2 connects the access switch A1.
DellEMC#1#sh run int po2
interface Port-channel 2
 description port-channel_to_access_switch_A1
 no ip address
 portmode hybrid
 switchport
 vlt-peer-lag port-channel 2
 no shutdown
Vlan 20 is used in Dell-1, Dell-2, and R1 to form OSPF adjacency. When OSPF is converged, the routing tables in all devices are synchronized.
DellEMC#1#sh run int vlan 20
interface Vlan 20
 description OSPF PEERING VLAN
 ip address 192.168.20.
Verify that the heartbeat mechanism is operational
DellEMC#1#sh vlt backup-link
VLT Backup Link
----------------
Destination:                 10.10.10.2
Peer HeartBeat status:       Up
Destination VRF:             default
HeartBeat Timer Interval:    1
HeartBeat Timeout:           3
UDP Port:                    34998
HeartBeat Messages Sent:     4
HeartBeat Messages Received: 5
Use the show vlt detail command to verify that VLT is functional and that the correct VLANs are allowed.
Verify if peer routing has populated the CAM table with the correct information using the show cam mac command.
The following example shows that te 0/0 and te 0/1 are included in port channel 10. Also note that configuration on the VLTi links does not contain the switchport command.
Dell-2#sh run int po10
interface Port-channel 10
 description VLTi Port-Channel
 no ip address
 channel-member TenGigabitEthernet 0/0-1
 no shutdown
Te 0/4 connects to the access switch A1.
The following output shows Dell-2 is configured with VLT domain 1. The peer-link port-channel command makes port channel 10 the VLTi link. The peer-routing command enables peer routing between VLT peers in VLT domain 1. The IP address configured with the backup-destination command is the management IP address of the VLT peer (Dell-1). A priority value of 55000 makes Dell-2 the secondary VLT peer.
Dell-2#sh run | find vlt
vlt domain 1
 peer-link port-channel 10
 back-up destination 10.10.10.
 passive-interface default
 no passive-interface vlan 20
While the passive-interface default command prevents all interfaces from establishing an OSPF neighborship, the no passive-interface vlan 20 command allows the interface for VLAN 20, the OSPF peering VLAN, to establish OSPF adjacencies. The following output displays that Dell-1 forms neighborship with Dell-2 and R1.
Dell-2#show ip ospf neighbor
Neighbor ID  Pri  State
172.17.1.1   1    FULL/DR
172.15.1.
R1#show run | find router
router ospf 1
 router-id 172.15.1.1
 passive-interface default
 no passive-interface Port-channel1
 network 2.2.2.0 0.0.0.255 area 0
 network 3.3.3.0 0.0.0.255 area 0
 network 4.4.4.0 0.0.0.255 area 0
 (The above subnets correspond to loopback interfaces lo2, lo3 and lo4. These three loopback interfaces are advertised to the VLT pair, DellEMC#1 and DellEMC#2)
 network 172.15.1.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.
eVLT Configuration Example
The following example demonstrates the steps to configure enhanced VLT (eVLT) in a network. In this example, you are configuring two domains. Domain 1 consists of Peer 1 and Peer 2; Domain 2 consists of Peer 3 and Peer 4, as shown in the following example. In Domain 1, configure Peer 1 first, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet.
Figure 149.
Domain_1_Peer2(conf)#vlt domain 1000
Domain_1_Peer2(conf-vlt-domain)#peer-link port-channel 1
Domain_1_Peer2(conf-vlt-domain)#back-up destination 10.16.130.12
Domain_1_Peer2(conf-vlt-domain)#system-mac mac-address 00:0a:00:0a:00:0a
Domain_1_Peer2(conf-vlt-domain)#peer-routing
Domain_1_Peer2(conf-vlt-domain)#unit-id 1
Configure eVLT on Peer 2.
Add links to the eVLT port-channel on Peer 4.
  EXEC mode
  show vlt detail
• Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device.
  EXEC mode
  show vlt role
• Display the current configuration of all VLT domains or a specified group on the switch.
  EXEC mode
  show running-config vlt
• Display statistics on VLT operation.
Remote System MAC address      : 00:01:e8:8a:e9:76
Remote system version          : 6(3)
Delay-Restore timer            : 90 seconds
Delay-Restore Abort Threshold  : 60 seconds
Peer-Routing                   : Disabled
Peer-Routing-Timeout timer     : 0 seconds
Multicast peer-routing timeout : 150 seconds
DellEMC#
The following example shows the show vlt detail command.
ICL Hello's Received:        98
Dell_VLTpeer2# show vlt statistics
VLT Statistics
---------------
HeartBeat Messages Sent:     994
HeartBeat Messages Received: 978
ICL Hello's Sent:            89
ICL Hello's Received:        89
The following example shows the show spanning-tree rstp command. The bold section displays the RSTP state of port channels in the VLT domain. Port channel 100 is used in the VLT interconnect trunk (VLTi) to connect to VLT peer2.
Configure the backup link.
Dell_VLTpeer1(conf)#interface ManagementEthernet 1/1
Dell_VLTpeer1(conf-if-ma-1/1)#ip address 10.11.206.23/
Dell_VLTpeer1(conf-if-ma-1/1)#no shutdown
Dell_VLTpeer1(conf-if-ma-1/1)#exit
Configure the VLT interconnect (VLTi).
Dell_VLTpeer2(conf-if-po-110)#vlt-peer-lag port-channel 110
Dell_VLTpeer2(conf-if-po-110)#end
Verify that the port channels used in the VLT domain are assigned to the same VLAN.
Description | Behavior at Peer Up | Behavior During Run Time | Action to Take
Spanning tree mismatch at port level | A syslog error message is generated. | A one-time informational syslog message is generated. | Correct the spanning tree configuration on the ports.
System MAC mismatch | A syslog error message and an SNMP trap are generated. | A syslog error message and an SNMP trap are generated. |
peer-down-vlan vlan interface number command and the switchport command. After you specify the VLTi link and VLT LAGs, you can associate the same port channel or LAG bundle that is a part of a VLT to a PVLAN by using the interface interface and switchport mode private-vlan commands. When a VLTi port in trunk mode is a member of symmetric VLT PVLANs, the PVLAN packets are forwarded only if the PVLAN settings of both the VLT nodes are identical.
PVLAN Operations When a VLT Peer is Restarted When the VLT peer node is rebooted, the VLAN membership of the VLTi link is preserved and when the peer node comes back online, a verification is performed with the newly received PVLAN configuration from the peer. If any differences are identified, the VLTi link is either added or removed from the VLAN. When the peer node restarts and returns online, all the PVLAN configurations are exchanged across the peers.
VLT LAG Mode PVLAN Mode of VLT VLAN ICL VLAN Membership Mac Synchronization Peer1 Peer2 Peer1 Peer2 Access Access Secondary (Community) Secondary (Isolated) No No • • Yes Yes Promiscuous Promiscuous Primary X Primary X Primary Primary Yes Yes - Secondary (Community) - Secondary (Community) Yes Yes - Secondary (Isolated) - Secondary (Isolated) Yes Yes Promiscuous Trunk Primary Normal No No Promiscuous Trunk Primary Primary Yes No Access Access Secondary (Communi
2. Remove an IP address from the interface.
   INTERFACE PORT-CHANNEL mode
   no ip address
3. Add one or more port interfaces to the port channel.
   INTERFACE PORT-CHANNEL mode
   channel-member interface
   interface: specify one of the following interface types:
   • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port/subport[/subport] information.
   • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information.
4.
   INTERFACE VLAN mode
   private-vlan mode primary
8. Map secondary VLANs to the selected primary VLAN.
   INTERFACE VLAN mode
   private-vlan mapping secondary-vlan vlan-list
   The list of secondary VLANs can be:
   • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID).
   • Specified with this command even before they have been created.
   • Amended by specifying the new secondary VLAN to be added to the list.
Proxy ARP is enabled only if you enable peer routing on both the VLT peers. If you disable peer routing by using the no peer-routing command in VLT DOMAIN mode, a notification is sent to the VLT peer to disable the proxy ARP. If you disable peer routing when the ICL link is down, a notification is not sent to the VLT peer, and in such a case the VLT peer does not disable the proxy ARP operation. When you remove the VLT domain on one of the VLT nodes, the peer routing configuration removal is notified to the peer.
show running-config
Sample configuration of VLAN-stack over VLT (Peer 1)
Configure the VLT domain
DellEMC(conf)#vlt domain 1
DellEMC(conf-vlt-domain)#peer-link port-channel 1
DellEMC(conf-vlt-domain)#back-up destination 10.16.151.116
DellEMC(conf-vlt-domain)#primary-priority 100
DellEMC(conf-vlt-domain)#system-mac mac-address 00:00:00:11:11:11
DellEMC(conf-vlt-domain)#unit-id 0
DellEMC(conf-vlt-domain)#
DellEMC#show running-config vlt
!
vlt domain 1
 peer-link port-channel 1
 back-up destination 10.16.151.
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned to the VLAN-Stack VLAN
DellEMC#show vlan id 50
Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
       O - Openflow
Q: U - Untagged, T - Tagged
   x - Dot1x untagged, X - Dot1x tagged
   o - OpenFlow untagged, O - OpenFlow tagged
   G - GVRP tagged, M - Vlan-stack
   i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged
NUM  Status  Description De
50   Active
 no shutdown
DellEMC#
Configure the VLAN as a VLAN-Stack VLAN and add the VLT LAG as members to the VLAN
DellEMC(conf)#interface vlan 50
DellEMC(conf-if-vl-50)#vlan-stack compatible
DellEMC(conf-if-vl-50-stack)#member port-channel 10
DellEMC(conf-if-vl-50-stack)#member port-channel 20
DellEMC(conf-if-vl-50-stack)#
DellEMC#show running-config interface vlan 50
!
interface Vlan 50
 vlan-stack compatible
 member Port-channel 10,20
 shutdown
DellEMC#
Verify that the Port Channels used in the VLT Domain are Assigned
level hashing in the ToR switch, it is routed instead of forwarding the packet to node1. This processing occurs because of the match or hit for the entry in the TCAM of the VLT node2. Synchronization of IPv6 ND Entries in a VLT Domain Because the VLT nodes appear as a single unit, the ND entries learned via the VLT interface are expected to be the same on both VLT nodes. VLT V6 VLAN and neighbor discovery protocol monitor (NDPM) entries synchronization between VLT nodes is performed.
Figure 150. Sample Configuration of IPv6 Peer Routing in a VLT Domain
Sample Configuration of IPv6 Peer Routing in a VLT Domain
Consider a sample scenario as shown in the following figure in which two VLT nodes, Unit1 and Unit2, are connected in a VLT domain using an ICL or VLTi link. To the south of the VLT domain, Unit1 and Unit2 are connected to a ToR switch named Node B. Also, Unit1 is connected to another node, Node A, and Unit2 is linked to a node, Node C.
Neighbor Solicitation from VLT Hosts Consider a case in which NS for VLT node1 IP reaches VLT node1 on the VLT interface and NS for VLT node1 IP reaches VLT node2 due to LAG level hashing in the ToR. When VLT node1 receives NS from VLT VLAN interface, it unicasts the NA packet on the VLT interface. When NS reaches VLT node2, it is flooded on all interfaces including ICL. When VLT node 1 receives NS on ICL, it floods the NA packet on the VLAN.
When a VLT node receives traffic from a non-VLT host intended for a VLT host, it routes the traffic to the VLT interface. If the VLT interface is not operationally up, the VLT node routes the traffic over the ICL.
Non-VLT host to North Bound traffic flow
When a VLT node receives traffic from a non-VLT host intended for the north bound with the DMAC as its own MAC, it routes the traffic to the next hop.
ToR
1. Enable BFD globally.
   TOR(conf)# bfd enable
2. Configure a VLT peer LAG.
   TOR(conf)#interface tengigabitethernet 1/1
   TOR(conf-if-te-1/1)#no ip address
   TOR(conf-if-te-1/1)#port-channel-protocol lacp
   TOR(conf-if-te-1/1)#port-channel 10 mode active
   TOR(conf-if-te-1/1)#no shutdown
   TOR(conf)#interface tengigabitethernet 1/2
   TOR(conf-if-te-1/2)#no ip address
   TOR(conf-if-te-1/2)#port-channel-protocol lacp
   TOR(conf-if-te-1/2)#port-channel 10 mode active
   TOR(conf-if-te-1/2)#no shutdown
3.
VLT Primary
1. Enable BFD globally.
   VLT_Primary(conf)# bfd enable
2. Configure port channel which is used as VLTi link.
   VLT_Primary(conf)# interface port-channel 100
   VLT_Primary(conf-if-po-100)# no ip address
   VLT_Primary(conf-if-po-100)# channel-member tengigabitethernet 1/1, 1/2
   VLT_Primary(conf-if-po-100)# no shutdown
3. Enable VLT and configure a VLT domain.
4. Configure a VLT peer LAG.
   VLT_Primary(conf)#interface tengigabitethernet 1/3
   VLT_Primary(conf-if-te-1/3)#no ip address
   VLT_Primary(conf-if-te-1/3)#port-channel-protocol lacp
   VLT_Primary(conf-if-te-1/3)#port-channel 10 mode active
   VLT_Primary(conf-if-te-1/3)#no shutdown
   VLT_Primary(conf)#interface port-channel 10
   VLT_Primary(conf-if-po-10)#no ip address
   VLT_Primary(conf-if-po-10)#switchport
   VLT_Primary(conf-if-po-10)#vlt-peer-lag port-channel 10
   VLT_Primary(conf-if-po-10)#no shutdown
5.
Remote System MAC address:      f4:8e:38:6a:97:3f
Remote system version:          6(9)
Delay-Restore timer:            90 seconds
Delay-Restore Abort Threshold:  60 seconds
Peer-Routing :                  Enabled
Peer-Routing-Timeout timer:     0 seconds
Multicast peer-routing timeout: 150 seconds
VXLAN on VLT
VLT peers are two nodes in the network that are loosely coupled. It provides high availability to the other ends.
Static VXLAN Configuration in a VLT setup
Configuration steps are covered below:
1. Both Gateway VTEPs need VLT configured.
   • ICL port configuration
     interface Port-channel 1
      no ip address
      channel-member TenGigabitEthernet 0/4-5
      no shutdown
   • VLT Domain Configuration
     vlt domain 100
      peer-link port-channel 1
      back-up destination 10.11.70.14   (this is the IP address of the peer node)
   • VXLAN Instance Configuration
     vxlan-instance 1 static
      local-vtep-ip 14.14.14.
63 VLT Proxy Gateway
The virtual link trunking (VLT) proxy gateway feature allows a VLT domain to locally terminate and route L3 packets that are destined to a Layer 3 (L3) end point in another VLT domain. Enable the VLT proxy gateway using the link layer discovery protocol (LLDP) method or the static configuration. For more information, see the Command Line Reference Guide.
Figure 152. Sample Configuration for a VLT Proxy Gateway
Guidelines for Enabling the VLT Proxy Gateway
Keep the following points in mind when you enable a VLT proxy gateway:
• Proxy gateway is supported only for VLT; for example, across a VLT domain.
• You must enable the VLT peer-routing command for the VLT proxy gateway to function.
• When a Virtual Machine (VM) moves from one VLT domain to another VLT domain, the VM host sends a gratuitous ARP (GARP), which in turn triggers a MAC movement from the previous VLT domain to the newer VLT domain.
• After a station move, if the host sends a TTL1 packet destined to its gateway; for example, a previous VLT node, the packet can be dropped.
• LLDP packets fail to reach the remote VLT domain devices (for example, because the system is down, rebooting, or the port's physical link connection is down).
LLDP VLT Proxy Gateway in a Square VLT Topology
Figure 153. Sample Configuration for a VLT Proxy Gateway
• The preceding figure shows a sample square VLT Proxy gateway topology. There are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This causes sub-optimal routing.
• You can disable the VLT Proxy Gateway for a particular VLAN using an "Exclude-VLAN" configuration. The configuration has to be done in both the VLT domains [C and D in VLT domain 1 and C1 and D1 in VLT domain 2].
Figure 154. VLT Proxy Gateway Sample Topology
VLT Domain Configuration
Dell-1 and Dell-2 constitute VLT domain 120. Dell-3 and Dell-4 constitute VLT domain 110. These two VLT domains are connected using a VLT LAG Po 50. To know how to configure the interfaces in VLT domains, see the Configuring VLT section.
Dell-1 VLT Configuration
vlt domain 120
 peer-link port-channel 120
 back-up destination 10.1.1.
Note that on the inter-domain link, the switchport command is enabled. On a VLTi link between VLT peers in a VLT domain, the switchport command is not used.
VLAN 100 is used as the OSPF peering VLAN between Dell-1 and Dell-2.
interface Vlan 100
 description OSPF Peering VLAN to Dell-2
 ip address 10.10.100.1/30
 ip ospf network point-to-point
 no shutdown
VLAN 101 is used as the OSPF peering VLAN between the two VLT domains.
interface Vlan 101
 description ospf peering vlan across VLTPG_Po50
 ip address 10.10.
Neighbor ID  Pri  State    Dead Time  Address      Interface  Area
4.4.4.4      1    FULL/ -  00:00:33   10.10.100.1  Vl 100     0
Dell-3 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.1
 primary-priority 4096
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 0
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5
These MAC addresses are the system L2 interface addresses for each switch at the remote site, Dell-1 and Dell-2.
Dell-4 VLT Configuration
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0
 primary-priority 24576
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 1
 peer-routing
!
proxy-gateway static
 remote-mac-address 00:01:e8:d8:93:07
 remote-mac-address 00:01:e8:d8:93:e5
These MAC addresses are the system L2 interface addresses for each switch at the remote site, Dell-1 and Dell-2.
interface Vlan 102
 description ospf peering vlan to DELL-3
 ip address 10.10.102.
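The peer-consistency rules this chapter lists (same domain ID and system MAC on both peers, distinct unit IDs, each back-up destination pointing at the other peer's management address, peer routing enabled on both or neither) can be checked mechanically before a mismatch shows up as a syslog error or SNMP trap at peer-up. The following Python script is an added example, not Dell EMC code: it parses constructed `vlt domain` stanzas modelled on the Dell-3/Dell-4 configuration above, and the management IPs 10.1.1.0 and 10.1.1.1 are assumed values.

```python
# Added example (not Dell EMC code): parse the `vlt domain` stanza of two
# peers and check the consistency rules this chapter lists.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class VltDomain:
    domain_id: Optional[int] = None
    backup_destination: Optional[str] = None
    system_mac: Optional[str] = None
    unit_id: Optional[int] = None
    peer_routing: bool = False


def parse_vlt_domain(config: str) -> VltDomain:
    """Parse one `vlt domain` stanza as printed by show running-config vlt."""
    dom = VltDomain()
    for raw in config.splitlines():
        words = raw.strip().split()
        if not words or words[0] == "!":       # skip blank and '!' separator lines
            continue
        kw = words[0]
        if kw == "vlt" and len(words) >= 3 and words[1] == "domain":
            dom.domain_id = int(words[2])
        elif kw == "back-up":                  # back-up destination <ip> [interval <s>]
            dom.backup_destination = words[2]
        elif kw == "system-mac":               # system-mac mac-address <mac>
            dom.system_mac = words[-1].lower()
        elif kw == "unit-id":
            dom.unit_id = int(words[1])
        elif kw == "peer-routing":
            dom.peer_routing = True
        # other keywords (peer-link, primary-priority, ...) are not checked here
    return dom


def check_peers(a: VltDomain, a_mgmt_ip: str,
                b: VltDomain, b_mgmt_ip: str) -> List[str]:
    """Return the peer-consistency violations found; an empty list means clean."""
    problems = []
    if a.domain_id != b.domain_id:
        problems.append(f"domain ID mismatch: {a.domain_id} vs {b.domain_id}")
    if a.system_mac != b.system_mac:
        problems.append(f"system MAC mismatch: {a.system_mac} vs {b.system_mac}")
    if a.unit_id == b.unit_id:
        problems.append(f"both peers use unit-id {a.unit_id}")
    # Each peer's back-up destination must be the other peer's management IP.
    if a.backup_destination != b_mgmt_ip:
        problems.append(f"peer A back-up destination {a.backup_destination} "
                        f"is not peer B management IP {b_mgmt_ip}")
    if b.backup_destination != a_mgmt_ip:
        problems.append(f"peer B back-up destination {b.backup_destination} "
                        f"is not peer A management IP {a_mgmt_ip}")
    if a.peer_routing != b.peer_routing:
        problems.append("peer-routing is enabled on only one peer")
    return problems


# Constructed sample stanzas modelled on the Dell-3/Dell-4 layout above;
# the management IPs are assumed values for this example.
PEER_A_MGMT_IP = "10.1.1.0"
PEER_B_MGMT_IP = "10.1.1.1"

PEER_A_CONFIG = """\
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.1
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 0
 peer-routing
"""

PEER_B_CONFIG = """\
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0
 system-mac mac-address 02:01:e8:d8:93:02
 unit-id 1
 peer-routing
"""

# PEER_B_CONFIG with two drift errors: a different system MAC and
# peer-routing missing, the kind of mismatch this chapter warns about.
PEER_B_DRIFTED = """\
vlt domain 110
 peer-link port-channel 110
 back-up destination 10.1.1.0
 system-mac mac-address 02:01:e8:d8:93:03
 unit-id 1
"""


def audit(a_cfg: str, b_cfg: str) -> List[str]:
    """Parse both stanzas and return the violations between them."""
    return check_peers(parse_vlt_domain(a_cfg), PEER_A_MGMT_IP,
                       parse_vlt_domain(b_cfg), PEER_B_MGMT_IP)
```

Running `audit(PEER_A_CONFIG, PEER_B_DRIFTED)` reports the system MAC mismatch and the one-sided peer-routing, while the consistent pair returns no findings.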
64 Virtual Extensible LAN (VXLAN)
Virtual Extensible LAN (VXLAN) is supported on Dell EMC Networking OS.
Overview
The switch acts as the VXLAN gateway and performs the VXLAN Tunnel End Point (VTEP) functionality. VXLAN is a technology wherein the data traffic from the virtualized servers is transparently transported over an existing legacy network.
Figure 155. VXLAN Gateway
NOTE: In a stack setup, the Dell EMC Networking OS does not support VXLAN.
• Routing in and out of VXLAN tunnels
• NSX Controller-based VXLAN for VLT
advertise-local-mac
Enable advertisement of the locally-learnt MAC addresses to OVSDB.
Syntax
advertise-local-mac
To advertise the locally-learnt MAC addresses to OVSDB, use the advertise-local-mac command.
Defaults
Disabled
Command Modes
VXLAN-INSTANCE
Command History
This guide is platform-specific. For command information about other platforms, refer to the relevant Dell Networking OS Command Line Reference Guide.
VXLAN Gateways

VXLAN Gateways act as the VTEPs that encapsulate and decapsulate VXLAN headers. The roles and responsibilities of the Gateway are:
• Connects to the NVP client based on user configuration.
• Advertises south-facing VXLAN capable ports to the NVP client.
• Creates logical networks based on messages from the NVP.
• Creates tunnels to VTEPs based on messages from the NVP.
• Binds the Port and VLAN to logical networks based on messages from the NVP.
Components of VXLAN Frame Format

Some of the important fields of the VXLAN frame format are described below:

Outer Ethernet Header: The Outer Ethernet Header consists of the following components:
• Destination Address: Generally, it is a first hop router's MAC address when the VTEP is on a different address.
• Source Address: It is the source MAC address of the router that routes the packet.

Outer IP Header: The Outer IP Header consists of the following components:

Outer UDP Header:
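The field walk-through above maps directly onto bytes on the wire. The following Python script is an added example, not code from the Dell EMC guide: it constructs a sample VXLAN-encapsulated frame inline (the MAC and IP addresses in it are made up, the VNI 5000 is taken from the outputs later in this chapter) and parses the outer Ethernet, outer IPv4, outer UDP and VXLAN headers as laid out in RFC 7348, checking the UDP destination port (4789) and the VXLAN "I" flag before trusting the VNI. Because the VXLAN header carries no authentication of its own, a VTEP or a capture tool can only validate a tunnel by checking these outer fields against the endpoints and VNIs it expects.

```python
"""Parse a VXLAN-encapsulated Ethernet frame (RFC 7348 layout).

Added example; not code from the Dell EMC guide. The sample frame is
constructed inline (addresses are made up) so the script runs offline.
"""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_UDP = 17


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_vxlan_frame(frame: bytes) -> dict:
    """Return outer Ethernet/IPv4/UDP fields, the VNI and the inner frame's addresses.

    Raises ValueError when the frame is not a well-formed VXLAN encapsulation,
    which is the case a VTEP must drop rather than decapsulate.
    """
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for a VXLAN encapsulation")
    # Outer Ethernet header: destination MAC (6), source MAC (6), EtherType (2)
    outer_dst, outer_src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"outer EtherType 0x{ethertype:04x} is not IPv4")
    # Outer IPv4 header; IHL (low nibble of byte 0) is the header length in 32-bit words
    ihl = (frame[14] & 0x0F) * 4
    ip = frame[14:14 + ihl]
    if ip[9] != IPPROTO_UDP:
        raise ValueError("outer IP protocol is not UDP")
    # Outer UDP header: source port, destination port, length, checksum
    udp_off = 14 + ihl
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"UDP destination port {dport} is not VXLAN")
    # VXLAN header: flags (1), reserved (3), VNI (3), reserved (1); flag 0x08 ("I") marks a valid VNI
    vx_off = udp_off + 8
    if not frame[vx_off] & 0x08:
        raise ValueError("VXLAN I flag clear; VNI is not valid")
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")
    inner = frame[vx_off + 8:]   # the original (inner) Ethernet frame
    return {
        "outer_dst_mac": mac_str(outer_dst),
        "outer_src_mac": mac_str(outer_src),
        "outer_src_ip": str(ipaddress.IPv4Address(ip[12:16])),
        "outer_dst_ip": str(ipaddress.IPv4Address(ip[16:20])),
        "udp_sport": sport,
        "udp_dport": dport,
        "vni": vni,
        "inner_dst_mac": mac_str(inner[0:6]),
        "inner_src_mac": mac_str(inner[6:12]),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
    }


def build_sample_frame(vni: int = 5000) -> bytes:
    """Constructed sample: a broadcast ARP request from a host carried between two VTEPs."""
    inner = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0200000c0001")
             + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28)   # ARP body left zeroed
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)   # UDP checksum is optional over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address("192.0.2.1").packed,      # local VTEP (documentation range)
                     ipaddress.IPv4Address("192.0.2.2").packed)      # remote VTEP
    eth = (bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
           + struct.pack("!H", ETHERTYPE_IPV4))
    return eth + ip + udp + vxlan + inner


if __name__ == "__main__":
    for key, value in parse_vxlan_frame(build_sample_frame()).items():
        print(f"{key:16} {value}")
```

The parser rejects anything that is not IPv4 over Ethernet with UDP to port 4789 and a set "I" flag; a production VTEP additionally checks that the outer source IP is a known remote VTEP before it decapsulates.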
• In a Nuage controller-based VXLAN deployment, station moves of non-virtualized entities may not work as expected due to a possible issue in the Nuage controller.

NOTE: When more than 15000 learned MAC addresses are synchronized from the Nuage controller to one of the VTEPs, the SSL connection between the controller and the VTEP flaps continuously.
Figure 157. Create VXLAN Gateway

To create a VXLAN L2 Gateway, the IP address of the Gateway is required. After connectivity is established between the VTEP and NSX controller, the management IP address and the connectivity status are populated as shown in the following image.

Figure 158. Hardware Devices

3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button.
Figure 159. Add Service Node or Replicator

NOTE: Ensure L3 reachability between the VTEP and the replicator.

4. Create Logical Switch. You can create a logical network by creating a logical switch. The logical network acts as the forwarding domain for workloads on the physical as well as virtual infrastructure. Click Home > Networking and Security > Logical Switches and click Add. The New Logical Switch window opens. Enter a name and select Unicast as the replication mode and click OK.

Figure 160.
In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.

Figure 161. Specify Hardware Port

In the Manage Hardware Bindings window, under the VLAN column, enter the VLAN ID and press OK.

Figure 162. Create Logical Switch Port

6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button.
Figure 163. Edit VXLAN BFD Configuration

NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.

Configuring and Controlling VXLAN from the Nuage Controller GUI

The Dell EMC Networking OS supports the Nuage controller for VXLAN. You can configure and control VXLAN from the Nuage controller GUI by adding a hardware device to the Nuage controller and authenticating the device.

1. Under the Infrastructure tab, add a datacenter gateway.

Figure 164.
Figure 165. Port-to-VLAN mappings

3. Under the Networks tab, create an L2 domain. Under the L2 domain, create a logical network (VNI) and add access ports of the VTEP in the logical network.

Figure 166. Access ports of the VTEP

Configuring VxLAN Gateway

To configure the VxLAN gateway on the switch, follow these steps:
1. Connecting to NVP controller
2. Advertising VXLAN access ports to controller

Connecting to an NVP Controller

To connect to an NVP controller, use the following commands.
1.
4. Enter the gateway IP.
   VxLAN INSTANCE mode
   gateway-ip IP address
5. Enter the maximum backoff time (Optional).
   VxLAN INSTANCE mode
   max_backoff time
   The range is from 1000-180000. The default value is 30000 milliseconds.
6. Enter the fail mode (Optional).
   VxLAN INSTANCE mode
   fail-mode secure
   Dell EMC Networking recommends non-secure mode for an NSX controller-based VXLAN in a VLT setup.
7. Enable the VXLAN instance.
The following example shows the show vxlan vxlan-instance statistics interface command.

DellEMC#show vxlan vxlan-instance 1 statistics interface fortyGigE 1/49/1 100
Port       : Fo 1/49/1
Vlan       : 100
Rx Packets : 13
Rx Bytes   : 1317
Tx Packets : 13
Tx Bytes   : 1321

The following example shows the show vxlan vxlan-instance physical-locator command.

Instance: 1
Tunnel : count 3
4.3.3.3 : vxlan_over_ipv4 (up)
6.6.6.2 : vxlan_over_ipv4 (up)
6.6.6.
O  - OSPF
O3 - OSPFv3
R  - Static Route (RTM)
M  - MPLS
V  - VRRP
VT - Vxlan Tunnel

LocalAddr   RemoteAddr
1.0.1.1     1.0.1.2
3.3.3.3     192.168.122.135
3.3.3.3     192.168.122.136
3.3.3.3     192.168.122.137
3.3.3.3     192.168.122.138
3.3.3.3     192.168.122.
9. Associate VNID to VLAN.
   INTERFACE VLAN mode
   vxlan-vnid VNID

Displaying Static VXLAN Configurations

To display the static VXLAN configurations, use the following commands. The following example displays the basic configuration details.

DellEMC# show vxlan vxlan-instance 1
Instance      : 1
Mode          : Static
Admin State   : Up
Local vtep ip : 101.101.101.101
Port List     : Fo 1/49

The following example displays VTEP to VNI mapping for a specific remote VTEP.
• The remote VTEP should already be configured.
• In case of static VXLAN VLT deployments, this configuration should be symmetric across VLT nodes.
• Disable MAC address learning on static VXLAN tunnels.
  VXLAN-INSTANCE mode
  disable-mac-learning remote-vtep-ip
  DellEMC(conf-vxlan-inst-1-static)#disable-mac-learning 24.1.1.0
• Enable MAC address learning on static VXLAN tunnels.
  VXLAN-INSTANCE mode
  no disable-mac-learning remote-vtep-ip
  DellEMC(conf-vxlan-inst-1-static)#no disable-mac-learning 24.1.1.
Routing in and out of VXLAN tunnels

VXLAN provides a way to extend a VLAN over a Layer 3 tunnel (VXLAN tunnel) across data centers. This functionality can be extended one step further by enabling routing from a VLAN in one data center to a different VLAN in another data center. This scheme to route in and out of tunnels (RIOT) requires setting up hardware VTEPs that are capable of routing over a VXLAN tunnel using a physical loopback configuration.
• When you ping 10.1.2.1 (Vlan 20’s IP on R2) from R1, the packet gets to P1 on VTEP 1 with Vlan 10 and tries to get routed out of P2 on Vlan 20.
• VTEP 1 sends an ARP request for 10.1.2.1 out of P2.
• This gets VXLAN encapsulated at P2 and is sent out of P3.
• The VXLAN encapsulated ARP request lands on VTEP 2, where it is decapsulated and sent out of P5 and P6.
• Packets looped back to P5 are not forwarded again to either P4 or P6 because of the added ACL rule 4.4.3.
In order for this configuration to work, the physical loopback ports are required to be in port-channels. There are two types of physical loopback interfaces: VXLAN Loopback Port and Non-VXLAN Loopback Port. These two port-channels are implicitly made no spanning tree, so that they do not go into a blocked state if xSTP is enabled.

Internal Loopback

To configure internal loopback port-channels, add free ports in the device as members of a port-channel, say 10, then configure vxlan-instance 1 loopback.
For VLT, in addition to the masks specified earlier, the VLT-specific mask that disallows frames ingressing on an ICL from going out of a VLT port-channel is permanently in place. These masks are not removed for the loopback ports even if the VLT peer LAG goes down (a deviation from standard VLT behavior when these loopbacks are provisioned as VLT port-channels).

NSX Controller-based VXLAN for VLT

Apart from static VXLAN for VLT, you can also use an NSX controller for VXLAN in a VLT setup.
• Before configuring controller-based VXLAN with VLT, remove any existing standalone VXLAN configuration.
• BFD tunnels come up only after the NSX controller sends tunnel details. The details come after the remote MAC addresses are downloaded from the NSX controller.

Configure NSX Controller-based VxLAN in VLT Setup

You can configure NSX controller-based VxLAN in a VLT setup. To do so, perform the following tasks:
1. (Optional) Configure BFD and UFD.
   gateway-ip gateway-IP-address
5. Enter the IP address of the peer OVSDB server.
   peer-ovsdbserver-ip ovsdb-IP-address
   The peer OVSDB server is the peer VLT device.
6. Enter the fail mode.
   VxLAN INSTANCE mode
   fail-mode secure
7. Enable the VxLAN instance.
   VxLAN INSTANCE mode
   no shutdown

NOTE: Dell EMC Networking recommends the non-secure fail mode if you are configuring VxLAN for a VLT setup and use a physical L3 link for peer OVSDB connectivity.
 unit-id 0
 peer-routing

Configuration on an interface that is not part of VLT (orphan port):

DellEMC#show run interface te 1/21
!
interface TenGigabitEthernet 1/21
 vxlan-instance 1
 no ip address
 switchport
 no shutdown
DellEMC#

Configuration on VLT port channel:

DellEMC#show run int po 10
!
interface Port-channel 10
 vxlan-instance 1
 no ip address
 switchport
 vlt-peer-lag port-channel 10
 no shutdown

The following are some of the show command outputs on the VLT primary:

DellEM
* - No VLAN mapping exists and yet to be installed
Name                                   VNID
a35fe7f7-fe82-37b4-b69a-0af4244d1fca   5000

DellEMC#$nstance 1 logical-network name a35fe7f7-fe82-37b4-b69a-0af4244d1fca
Name        : a35fe7f7-fe82-37b4-b69a-0af4244d1fca
Description :
Type        : ELAN
Tunnel Key  : 5000
VFI         : 28674
Unknown Multicast MAC Tunnels:
6.6.6.
DellEMC#show cam mac stack-unit 1 port-set 0
VlanId   Mac Address          Region     Interface
500      ff:ff:ff:ff:ff:ff    STATIC     00001
28674    00:00:00:cc:00:00    DYNAMIC    0x80000004(vxlan)
28674    00:00:bb:00:00:00    DYNAMIC    0x80000006(vxlan)
0        ff:ff:ff:ff:ff:ff    STATIC     00001
1        00:01:e8:8b:7a:6e    DYNAMIC    Po 11
20       00:00:00:cc:00:00    STATIC     Te 1/21
500      f4:8e:38:2b:3e:87    STATIC     Po 1
0        00:10:18:ff:ff:ff    STATIC     Invalid
500      34:17:eb:37:11:02    DYNAMIC    Te 1/51/1
0        14:18:77:0a:53:82    LOCAL_DA   00001
0        14:18:77:0a:53:82    LOCAL_DA   00001
0        f4:8e:38:2b:
Tunnel Key  : 5000
VFI         : 28674
Unknown Multicast MAC Tunnels:
6.6.6.2 : vxlan_over_ipv4 (up)(Active)
Port Vlan Bindings:
Te 1/21: VLAN: 20 (0x80000004),
Po 1: VLAN: 20 (0x80000001),
Po 10: VLAN: 20 (0x80000002),
Po 20: VLAN: 20 (0x80000005),
DellEMC#

DellEMC#show vxlan vxlan-instance 1 multicast-mac
* - Active Replicator
LN-Name                                VNID   MAC           TUNNEL-LIST
a35fe7f7-fe82-37b4-b69a-0af4244d1fca   5000   unknown dst   6.6.6.
• show file flash://vtep-cert.
Figure 170. Hardware Devices

3. Add a service node or replicator. Under Home > Networking and Security > Service Definition > Hardware Devices > Replication Cluster, click the Edit button. Select required hosts for replication and click OK.

Figure 171. Add Service Node or Replicator

NOTE: Ensure L3 reachability between the VTEP and the replicator.

4. Create Logical Switch. You can create a logical network by creating a logical switch.
Figure 172. Create Logical Switch

5. Create Logical Switch Port. A logical switch port provides a logical connection point for a VM interface (VIF) and an L2 gateway connection to an external network. It binds the virtual access ports in the gateway to a logical network (VXLAN) and VLAN. In the Manage Hardware Bindings window, expand a VTEP and click Add. The Manage Hardware Bindings window opens. Click the Select link and the Specify Hardware Port window opens. Click the hardware port and click OK.
Figure 174. Create Logical Switch Port

6. (Optional) Enable or disable BFD globally. Go to Hardware Devices tab > BFD Configuration, and click the Edit button. The Edit BFD Configuration window opens. Check or uncheck the Enable BFD check box. You can also change the probe interval if required.

Figure 175. Edit VXLAN BFD Configuration

NOTE: For more details about NSX controller configuration, refer to the NSX user guide from VMware.
65 Virtual Routing and Forwarding (VRF)

VRF Overview

VRF improves functionality by allowing network paths to be segmented without using multiple devices. Using VRF also increases network security and can eliminate the need for encryption and authentication due to traffic segmentation. Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; VRF is also referred to as VPN routing and forwarding.
VRF Configuration Notes

Although there is no restriction on the number of VLANs that can be assigned to a VRF instance, the total number of routes supported in VRF is limited by the size of the IPv4 CAM. VRF is implemented in a network device by using Forwarding Information Bases (FIBs). A network device may have the ability to configure different virtual routers, where entries in the FIB that belong to one VRF cannot be accessed by another VRF on the same device.
Feature/Capability                         Support Status for Default VRF   Support Status for Non-default VRF
PBR, L3 QoS on VLANs                       Yes                              No (NOTE: QoS not supported on VLANs.)
IPv4 ARP                                   Yes                              Yes
sFlow                                      Yes                              No
VRRP on physical and logical interfaces    Yes                              Yes
VRRPv3                                     Yes                              Yes
Secondary IP Addresses                     Yes                              Yes
Basic                                      Yes                              Yes
OSPFv3                                     Yes                              Yes
IS-IS                                      Yes                              Yes
BGP                                        Yes                              Yes
ACL                                        Yes                              No
Multicast                                  No                               No
NDP                                        Yes                              Yes
RAD                                        Yes                              Yes
DHCP                                       DHCP requests are not forwarded across VRF instances.
The VRF ID range is from 1 to 511. 0 is the default VRF ID.

Assigning an Interface to a VRF

You must enter the ip vrf forwarding command before you configure the IP address or any other setting on an interface.

NOTE: You can configure an IP address or subnet on a physical or VLAN interface that overlaps the same IP address or subnet configured on another interface only if the interfaces are assigned to different VRFs.
   CONFIGURATION mode
   router ospf process-id vrf vrf-name
   The process-id range is from 0-65535.

Configuring VRRP on a VRF Instance

You can configure the VRRP feature on interfaces that belong to a VRF instance. In a virtualized network that consists of multiple VRFs, various overlay networks can exist on a shared physical infrastructure. Nodes (hosts and servers) that are part of the VRFs can be configured with IP static routes for reaching specific destinations through a given gateway in a VRF.
   VRF MODE
   interface management

When Management VRF is configured, the following interface range or interface group commands are disabled:
• ipv6 nd dad — Duplicated Address Detection
• ipv6 nd dns-server — Configure DNS distribution option in RA packets originated by the router
• ipv6 nd hop-limit — Set hop limit advertised in RA and used in IPv6 data packets originated by the router
• ipv6 nd managed-config-flag — Hosts sh
Figure 177.
Figure 178. Setup VRF Interfaces

The following example relates to the configuration shown in the above illustrations.

Router 1

ip vrf blue 1
!
ip vrf orange 2
!
ip vrf green 3
!
interface TenGigabitEthernet
 no ip address
 switchport
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding blue
 ip address 10.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding orange
 ip address 20.0.0.1/24
 no shutdown
!
interface TenGigabitEthernet
 ip vrf forwarding green
 ip address 30.0.0.
 ip vrf forwarding blue
 ip address 1.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 192
 ip vrf forwarding orange
 ip address 2.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
interface Vlan 256
 ip vrf forwarding green
 ip address 3.0.0.1/24
 tagged TenGigabitEthernet 3/1
 no shutdown
!
router ospf 1 vrf blue
 router-id 1.0.0.1
 network 1.0.0.0/24 area 0
 network 10.0.0.0/24 area 0
!
router ospf 2 vrf orange
 router-id 2.0.0.1
 network 2.0.0.0/24 area 0
 network 20.0.0.
!
router ospf 1 vrf blue
 router-id 1.0.0.2
 network 11.0.0.0/24 area 0
 network 1.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/1
!
router ospf 2 vrf orange
 router-id 2.0.0.2
 network 21.0.0.0/24 area 0
 network 2.0.0.0/24 area 0
 passive-interface TenGigabitEthernet 2/2
!
ip route vrf green 30.0.0.0/24 3.0.0.1
!

The following shows the output of the show commands on Router 1.
     Destination     Gateway
     -----------     -------
C    2.0.0.0/24      Direct, Vl 192
C    20.0.0.0/24     Direct, Te 1/2
O    21.0.0.0/24     via 2.0.0.
O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2,
E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1,
L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route,
+ - summary route

Gateway of last resort is not set

     Destination     Gateway
     -----------     -------
C    2.0.0.0/24      Direct, Vl 192
O    20.0.0.0/24     via 2.0.0.
C    21.0.0.0/24
You can also leak global routes to be made available to VRFs. As the global RTM usually contains a large pool of routes, when the destination VRF imports global routes, these routes are duplicated into the VRF's RTM. As a result, it is mandatory to use route-maps to filter out leaked routes while sharing global routes with VRFs.

Configuring Route Leaking without Filtering Criteria

You can use the ip route-export tag command to export all the IPv4 routes corresponding to a source VRF.
A non-default VRF named VRF-blue is created and the interface 1/12 is assigned to it.
7. Configure the import target in VRF-blue.
   ip route-import 1:1
8. Configure the export target in VRF-blue.
   ip route-export 3:3
9. Configure VRF-green.
   ip vrf vrf-green
   interface-type slot/port[/subport]
   ip vrf forwarding VRF-green
   ip address ip-address mask
   A non-default VRF named VRF-green is created and the interface is assigned to it.
10.
O    44.4.4.4/32     via VRF-shared:144.4.4.4        0/0
C    144.4.4.0/24    Direct, VRF-shared:Te 1/4       0/0

DellEMC# show ip route vrf VRF-Blue
O    22.2.2.2/32     via 122.2.2.2                   110/0   00:00:11
C    122.2.2.0/24    Direct, Te 1/12                 0/0     00:32:36
O    44.4.4.4/32     via vrf-shared:144.4.4.4        0/0     00:32:36
C    144.4.4.0/24    Direct, vrf-shared:Te 1/4       0/0     00:32:36

DellEMC# show ip route vrf VRF-Green
O    33.3.3.3/32     via 133.3.3.3                           00:00:11
C    133.3.3.
While importing these routes into VRF-blue, you can further specify match conditions at the import end to define the filtering criteria based on which the routes are imported into VRF-blue. You can define a route-map import_ospf_protocol and then specify the match criteria as OSPF using the match source-protocol ospf command. You can then use the ip route-import route-map command to import routes matching the filtering criteria defined in the import_ospf_protocol route-map.
O    22.2.2.2/32     via 122.2.2.2                   110/0   00:00:11
O    44.4.4.4/32     via vrf-red:144.4.4.4           0/0     00:32:36   << only OSPF and BGP leaked from VRF-red

Important Points to Remember

• Only active routes are eligible for leaking. For example, if VRF-A has two routes, one from BGP and one from OSPF, and the BGP route is not active, the OSPF route takes precedence over BGP.
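The import/export behaviour described in this section (export and import targets, a route-map with match source-protocol, and the rule that only active routes are leaked) can be modelled in a few lines. The Python script below is an added example and not Dell EMC code; the VRF names follow this chapter's examples, but the prefixes, next hops and protocols in it are constructed, and the Vrf/Route classes and the match_source_protocol helper are stand-ins for the switch's RTM and route-map machinery, not its API.

```python
"""Model of inter-VRF route leaking with route targets and a route-map filter.

Added example; not Dell EMC code. VRF names follow this chapter's examples;
the prefixes, next hops and protocols are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str        # "connected", "static", "ospf", "bgp"
    next_hop: str
    active: bool = True  # only the RTM's active (best) route for a prefix is leaked


class Vrf:
    def __init__(self, name, routes=()):
        self.name = name
        self.rtm = list(routes)
        self.export_tag = None   # set by 'ip route-export <tag>'
        self.imports = []        # (tag, route_map) pairs from 'ip route-import <tag> [route-map]'


def match_source_protocol(*protocols):
    """Stand-in for a route-map whose only clause is 'match source-protocol'."""
    allowed = set(protocols)
    return lambda route: route.protocol in allowed


def export_routes(vrf):
    """Routes a VRF offers for leaking: tagged with its export target, active routes only."""
    if vrf.export_tag is None:
        return []
    return [(vrf.export_tag, vrf.name, r) for r in vrf.rtm if r.active]


def import_routes(dst, exported):
    """Leak exported routes into dst whose tag matches one of its import targets and
    whose route-map (if any) permits them; a prefix dst already holds is left alone."""
    leaked = []
    known = {r.prefix for r in dst.rtm}
    for tag, route_map in dst.imports:
        for export_tag, src_name, r in exported:
            if export_tag != tag or src_name == dst.name:
                continue
            if route_map is not None and not route_map(r):
                continue
            if r.prefix in known:
                continue
            # The leaked copy keeps the source VRF in its next hop, as the show output does.
            leaked.append(Route(r.prefix, r.protocol, f"{src_name}:{r.next_hop}"))
            known.add(r.prefix)
    dst.rtm.extend(leaked)
    return leaked


def demo():
    """VRF-blue imports everything from VRF-shared and only OSPF/BGP from VRF-red."""
    shared = Vrf("VRF-shared", [Route("144.4.4.0/24", "connected", "Te 1/4"),
                                Route("44.4.4.4/32", "ospf", "144.4.4.4")])
    shared.export_tag = "1:1"
    red = Vrf("VRF-red", [Route("55.5.5.5/32", "bgp", "155.5.5.5"),
                          Route("66.6.6.6/32", "ospf", "155.5.5.5"),
                          Route("77.7.7.7/32", "static", "155.5.5.5"),
                          Route("88.8.8.8/32", "bgp", "155.5.5.5", active=False)])
    red.export_tag = "3:3"
    blue = Vrf("VRF-blue", [Route("122.2.2.0/24", "connected", "Te 1/12")])
    blue.imports = [("1:1", None), ("3:3", match_source_protocol("ospf", "bgp"))]
    leaked = import_routes(blue, export_routes(shared) + export_routes(red))
    return sorted(r.prefix for r in leaked)


if __name__ == "__main__":
    for prefix in demo():
        print(prefix)
```

Running demo() leaks both VRF-shared routes and only the active OSPF and BGP routes from VRF-red: the static route is dropped by the route-map and the inactive BGP route is never exported at all.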
66 Virtual Router Redundancy Protocol (VRRP)

VRRP Overview

VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 179. Basic VRRP Configuration

VRRP Benefits

With VRRP configured on a network, end-station connectivity to the network is not subject to a single point of failure. End-station connections to the network are redundant and are not dependent on interior gateway protocols (IGPs) to converge or update routing tables. In conjunction with Virtual Link Trunking (VLT), you can configure optimized forwarding with Virtual Router Redundancy Protocol (VRRP).
NOTE: In a VLT environment, VRRP configuration acts as active-active, and if the route is not present in any of the VRRP nodes, the packet to the destination is dropped on that VRRP node.

Table 137.
The following example shows how to verify the VRRP configuration.

DellEMC(conf-if-te-1/1)#show conf
!
interface TenGigabitEthernet 1/1
 ip address 10.10.10.
You can configure up to 12 virtual IP addresses on a single VRRP group (VRID). The following rules apply to virtual IP addresses:
• The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell EMC Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group.
Virtual IP address: 10.10.10.1 10.10.10.2 10.10.10.3 10.10.10.10
Authentication: (none)
------------------
TenGigabitEthernet 1/2, VRID: 111, Version: 2, Net: 10.10.2.1
VRF: 0 default
State: Master, Priority: 100, Master: 10.10.2.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.2.2 10.10.2.
Configuring VRRP Authentication

Simple authentication of VRRP packets ensures that only trusted routers participate in VRRP processes. When you enable authentication, Dell EMC Networking OS includes the password in its VRRP transmission. The receiving router uses that password to verify the transmission.

NOTE: You must configure all virtual routers in the VRRP group the same: you must enable authentication with the same password or authentication is disabled.
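The show vrrp output earlier in this section (the Authentication, Bad pkts rcvd and Virtual MAC address fields) contains what is needed to audit a VRRP deployment from the CLI. The Python script below is an added example and not Dell EMC code: it parses show vrrp text in the format this guide shows, derives the expected virtual MAC from the VRID (00:00:5e:00:01:VRID for IPv4 and 00:00:5e:00:02:VRID for IPv6, which is how the addresses in the sample outputs are formed) and reports groups with authentication disabled, bad advertisements received, or a virtual MAC that does not match the VRID. The SAMPLE_SHOW_VRRP text and the group values in it are constructed for the example.

```python
"""Audit 'show vrrp' output for weak or inconsistent VRRP groups.

Added example; not Dell EMC code. SAMPLE_SHOW_VRRP is constructed in the
format this guide shows for the show vrrp command.
"""
import re

SAMPLE_SHOW_VRRP = """\
DellEMC#show vrrp
------------------
TenGigabitEthernet 1/1, VRID: 111, Version: 2, Net: 10.10.10.1
VRF: 0 default
State: Master, Priority: 255, Master: 10.10.10.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 3, Adv sent: 27, Gratuitous ARP sent: 2
Virtual MAC address: 00:00:5e:00:01:6f
Virtual IP address: 10.10.10.1 10.10.10.2
Authentication: (none)
------------------
TenGigabitEthernet 1/2, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10
"""

# Group header, e.g. "TenGigabitEthernet 1/2, VRID: 111, Version: 2, Net: ..."
# or "Port-channel 1, IPv6 VRID: 255, Version: 3, ..."; Version may be absent.
_HDR = re.compile(r"^(\S+ \S+), (IPv4 |IPv6 )?VRID: (\d+)(?:, Version: (\d+))?")


def expected_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """VRRP virtual MAC: 00:00:5e:00:01:VRID for IPv4, 00:00:5e:00:02:VRID for IPv6."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00:00:5e:00:{2 if ipv6 else 1:02x}:{vrid:02x}"


def parse_show_vrrp(text: str) -> list:
    """Return one dict per VRRP group found in show vrrp output."""
    groups, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _HDR.match(line)
        if m:
            cur = {"interface": m.group(1), "ipv6": m.group(2) == "IPv6 ",
                   "vrid": int(m.group(3)),
                   "version": int(m.group(4)) if m.group(4) else None,
                   "state": None, "priority": None, "bad_pkts": 0,
                   "vmac": None, "auth": None}
            groups.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"State: (\w+), Priority: (\d+)", line)
        if m:
            cur["state"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = re.search(r"Bad pkts rcvd: (\d+)", line)
        if m:
            cur["bad_pkts"] = int(m.group(1))
            continue
        m = re.match(r"Virtual MAC address: (\S+)", line)
        if m:
            cur["vmac"] = m.group(1).lower()
            continue
        m = re.match(r"Authentication: (.+)", line)
        if m:
            cur["auth"] = m.group(1).strip()
    return groups


def audit_vrrp(groups: list) -> list:
    """Flag groups that accept unauthenticated advertisements, have seen bad
    advertisements, or advertise a virtual MAC that does not match their VRID."""
    findings = []
    for g in groups:
        tag = f"{g['interface']} VRID {g['vrid']}"
        if g["auth"] == "(none)":
            findings.append(f"{tag}: authentication disabled (advertisements are not verified)")
        exp = expected_virtual_mac(g["vrid"], g["ipv6"])
        if g["vmac"] and g["vmac"] != exp:
            findings.append(f"{tag}: virtual MAC {g['vmac']} does not match expected {exp}")
        if g["bad_pkts"]:
            findings.append(f"{tag}: {g['bad_pkts']} bad advertisement(s) received")
    return findings


if __name__ == "__main__":
    for finding in audit_vrrp(parse_show_vrrp(SAMPLE_SHOW_VRRP)):
        print(finding)
```

VRRPv3 groups (the IPv6 entries) print no Authentication field, so the audit only reports "(none)" where the switch itself prints it; a rising Bad pkts rcvd counter on any group is worth correlating with the authentication setting and the advertisement interval on the peer.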
vrrp-group 111
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10

Changing the Advertisement Interval

By default, the MASTER router transmits a VRRP advertisement to all members of the VRRP group every one second, indicating it is operational and is the MASTER router.
Track an Interface or Object

You can set Dell EMC Networking OS to monitor the state of any interface according to the virtual group. Each VRRP group can track up to 12 interfaces and up to 20 additional objects, which may affect the priority of the VRRP group. If the tracked interface goes down, the VRRP group’s priority decreases by a default value of 10 (also known as cost). If the tracked interface’s state goes up, the VRRP group’s priority increases by 10.
The following example shows how to verify tracking using the show conf command.

DellEMC(conf-if-te-1/1-vrid-111)#show conf
!
vrrp-group 111
 advertise-interval 10
 authentication-type simple 7 387a7f2df5969da4
 no preempt
 priority 255
 track TenGigabitEthernet 1/2
 virtual-address 10.10.10.1
 virtual-address 10.10.10.2
 virtual-address 10.10.10.3
 virtual-address 10.10.10.10

The following example shows verifying the tracking status.
Setting VRRP Initialization Delay

When configured, VRRP is enabled immediately upon system reload or boot. You can delay VRRP initialization to allow the IGP and EGP protocols to be enabled prior to selecting the VRRP Master. This delay ensures that VRRP initializes with no errors or conflicts. You can configure the delay for up to 15 minutes, after which VRRP enables normally.
Figure 180. VRRP for IPv4 Topology

Examples of Configuring VRRP for IPv4 and IPv6

The following example shows configuring VRRP for IPv4 on Router 2.

R2(conf)#interface tengigabitethernet 2/31
R2(conf-if-te-2/31)#ip address 10.1.1.1/24
R2(conf-if-te-2/31)#vrrp-group 99
R2(conf-if-te-2/31-vrid-99)#priority 200
R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3
R2(conf-if-te-2/31-vrid-99)#no shut
R2(conf-if-te-2/31)#show conf
!
interface TenGigabitEthernet 2/31
 ip address 10.1.1.
------------------
TenGigabitEthernet 2/31, VRID: 99, Net: 10.1.1.1
VRF: 0 default
State: Master, Priority: 200, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:63
Virtual IP address: 10.1.1.3
Authentication: (none)
R2#

Router 3

R3(conf)#interface tengigabitethernet 3/21
R3(conf-if-te-3/21)#ip address 10.1.1.
Figure 181. VRRP for an IPv6 Configuration

NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of the two routers has a higher IP or IPv6 address.

The following example shows configuring VRRP for IPv6 on Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
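The note above describes one outcome of the VRRP election. The following Python model is an added example (not Dell EMC code) that works through the election rules this chapter states, following RFC 3768: the highest priority wins, a tie with no current master is broken by the higher primary IP address, an existing master is not displaced by an equal-priority router regardless of address, a tracked interface going down lowers the priority by the default cost of 10, and no preempt keeps a backup from taking over unless it is the address owner (priority 255), which always preempts. Router names, addresses and priorities are constructed.

```python
"""Model of VRRP master election (RFC 3768 rules as summarised in this chapter).

Added example; not Dell EMC code. Router names, addresses and priorities are constructed.
"""
from dataclasses import dataclass
import ipaddress

DEFAULT_TRACK_COST = 10  # priority decrement per tracked interface that is down (guide default)
OWNER_PRIORITY = 255     # the router that owns the virtual IP address


@dataclass
class VrrpRouter:
    name: str
    ip: str                # primary address on the VRRP interface
    base_priority: int
    preempt: bool = True
    tracked_down: int = 0  # tracked interfaces currently down
    state: str = "Backup"

    @property
    def priority(self) -> int:
        """Effective priority after subtracting tracking cost (never below 1)."""
        return max(1, self.base_priority - DEFAULT_TRACK_COST * self.tracked_down)


def _rank(r: VrrpRouter):
    # Higher priority wins; equal priorities are broken by the higher primary IP.
    return (r.priority, int(ipaddress.ip_address(r.ip)))


def elect(routers):
    """Run one election round over the group and return the master's name.

    - With no current master, the best (priority, IP) router becomes master.
    - A current master is displaced only by a router whose priority is strictly
      higher and that is allowed to preempt (preempt enabled, or it is the
      address owner, which always preempts). Equal priority never displaces an
      existing master, whatever its IP address.
    """
    masters = [r for r in routers if r.state == "Master"]
    if masters:
        master = masters[0]
        challengers = [r for r in routers
                       if r is not master
                       and (r.preempt or r.priority == OWNER_PRIORITY)
                       and r.priority > master.priority]
        winner = max(challengers, key=_rank) if challengers else master
    else:
        winner = max(routers, key=_rank)
    for r in routers:
        r.state = "Master" if r is winner else "Backup"
    return winner.name


def run_scenarios() -> dict:
    """Walk through the cases the chapter describes; returns the master per case."""
    out = {}
    r2 = VrrpRouter("R2", "10.1.1.1", 200)
    r3 = VrrpRouter("R3", "10.1.1.2", 100)
    out["higher_priority_wins"] = elect([r2, r3])

    a = VrrpRouter("A", "10.10.2.1", 100)
    b = VrrpRouter("B", "10.10.2.2", 100)
    out["tie_without_master"] = elect([a, b])          # higher IP wins the tie

    a.state, b.state = "Master", "Backup"              # A was already master
    out["tie_with_existing_master"] = elect([a, b])    # A keeps mastership

    a.tracked_down = 1                                 # A's tracked interface fails
    out["tracked_interface_down"] = elect([a, b])      # A drops to 90, B preempts

    a.tracked_down, a.base_priority, a.preempt = 0, 200, False
    out["no_preempt"] = elect([a, b])                  # A is better but will not preempt

    a.base_priority = OWNER_PRIORITY
    out["owner_always_preempts"] = elect([a, b])
    return out


if __name__ == "__main__":
    for case, master in run_scenarios().items():
        print(f"{case:26} -> {master}")
```

The model deliberately ignores timers (Master_Down_Interval, advertisement interval) and treats each elect() call as one settled round; it is meant to make the priority, tracking and preempt interactions visible, not to replace a packet-level simulation.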
 ipv6 address 1::1/64
 vrrp-group 10
  priority 100
  virtual-address fe80::10
  virtual-address 1::10
 no shutdown
R2(conf-if-te-1/1)#end
R2#show vrrp
------------------
TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f
VRF: 0 default
State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local)
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135
Virtual MAC address: 00:00:5e:00:0
Both Switch-1 and Switch-2 have three VRF instances defined: VRF-1, VRF-2, and VRF-3. Each VRF has a separate physical interface to a LAN switch and an upstream VPN interface to connect to the Internet. Both Switch-1 and Switch-2 use VRRP groups on each VRF instance so that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup.
S1(conf-if-te-1/2-vrid-101)#virtual-address 10.10.1.2
S1(conf-if-te-1/2)#no shutdown
!
S1(conf)#interface TenGigabitEthernet 1/3
S1(conf-if-te-1/3)#ip vrf forwarding VRF-3
S1(conf-if-te-1/3)#ip address 20.1.1.5/24
S1(conf-if-te-1/3)#vrrp-group 15
% Info: The VRID used by the VRRP group 15 in VRF 3 will be 243.
S1(conf-if-te-1/3-vrid-105)#priority 255
S1(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100
Authentication: (none)

VRRP in VRF: Switch-2 VLAN Configuration

Switch-2

S2(conf)#ip vrf VRF-1 1
!
S2(conf)#ip vrf VRF-2 2
!
S2(conf)#ip vrf VRF-3 3
!
S2(conf)#interface TenGigabitEthernet 1/1
S2(conf-if-te-1/1)#no ip address
S2(conf-if-te-1/1)#switchport
S2(conf-if-te-1/1)#no shutdown
!
S2(conf-if-te-1/1)#interface vlan 100
S2(conf-if-vl-100)#ip vrf forwarding VRF-1
S2(conf-if-vl-100)#ip address 10.10.1.
Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1
VRF: 2 vrf2
State: Master, Priority: 100, Master: 10.1.1.1 (local)
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec
Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1
Virtual MAC address: 00:00:5e:00:01:01
Virtual IP address: 10.1.1.100
Authentication: (none)

VRRP for IPv6 Configuration

This section shows VRRP IPv6 topology with CLI configurations.
NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of the two routers has a higher IP or IPv6 address.

Router 2

R2(conf)#interface tengigabitethernet 1/1
R2(conf-if-te-1/1)#no ip address
R2(conf-if-te-1/1)#ipv6 address 1::1/64
R2(conf-if-te-1/1)#vrrp-group 10

NOTE: You must configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
VRF: 0 default
State: Backup, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 11, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:0a
Virtual IP address: 1::10 fe80::10

DellEMC#show vrrp tengigabitethernet 0/0
TenGigabitEthernet 0/0, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 0 default
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down
DellEMC#show vrrp vrf vrf2 port-channel 1
Port-channel 1, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:fd76
VRF: 2 vrf2
State: Backup, Priority: 90, Master: fe80::201:e8ff:fe8a:e9ed
Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec
Accept Mode: FALSE, Master AdvInt: 100 centisec
Adv rcvd: 548, Bad pkts rcvd: 0, Adv sent: 0
Virtual MAC address: 00:00:5e:00:02:ff
Virtual IP address: 10:1:1::255 fe80::255

Proxy Gateway with VRRP

VLT proxy gateway solves the inefficient traffic trombone proble
• A VLT link aggregation group (LAG) is present between A1 and B1 as well as A2 and B2.
• A1 and B1 are connected to core routers C1 and D1 with VLT routing enabled.
• A2 and B2 are connected to core routers C2 and D2 with VLT routing enabled.
• The core routers C1 and D1 in the local VLT domain are connected to the core routers C2 and D2 in the remote VLT domain using VLT links.
• The core routers C1 and D1 in the local VLT domain along with C2 and D2 in the remote VLT domain are part of a Layer 3 cloud.
Sample configuration of D1:

vlt domain 10
 peer-link port-channel 128
 back-up destination 10.16.140.
  port-channel 10 mode active
 no shut
int ten 1/4/1
 port-channel-protocol lacp
  port-channel 20 mode active
 no shut
interface port-channel 10
 vlt-peer-lag po 10
 switchport
 no shutdown
interface port-channel 20
 vlt-peer-lag po 20
 switchport
 no shutdown
int vlan 100
 ip address 100.1.1.3/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
 ip address 100.1.1.4/24
 tagged port-channel 10
 vrrp-group 10
  advertise-interval 60
  virtual-ip 100.1.1.254
  priority 100
 no shutdown
int vlan 200
 tagged port-channel 20
 no shutdown
router ospf 10
 network 100.1.1.
67 Debugging and Diagnostics

Offline Diagnostics

The offline diagnostics test suite is useful for isolating faults and debugging hardware. The diagnostics tests are grouped into three levels:
• Level 0 — Level 0 diagnostics check for the presence of various components and perform essential path verifications. In addition, Level 0 diagnostics verify the identification registers of the components on the board.
• Level 1 — A smaller set of diagnostic tests.
Mar 12 10:40:35: %S4810:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 0
DellEMC#00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt
Diags completed... Rebooting the system now!!!
Mar 12 10:40:35: %S6000:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 1

Diagnostic results are printed to a file in the flash using the filename format TestReport-SU-.txt.
to shut directly connected ports
Proceed with Diags [confirm yes/no]: yes
DellEMC#00:03:13: %S25P:2 %DIAGAGT-6-DA_DIAG_STARTED: Starting diags on stack unit 2
00:03:13 : Approximate time to complete these Diags ... 6 Min
00:03:13 : Diagnostic test results will be stored on stack unit 2 file: flash:/TestReport-SU-2.
Test 11 - MGMT PHY Presence Test .................................... PASS
Test 12 - Board voltage Test ........................................ PASS

Trace Logs

In addition to the syslog buffer, Dell EMC Networking OS buffers trace messages which are continuously written by various Dell EMC Networking OS software tasks to report hardware and software events and status information. Each trace message provides the date, time, and name of the Dell EMC Networking OS process.
• This view provides insight into the packet types entering the CPU to see whether CPU-bound traffic is internal (IPC traffic) or network control traffic, which the CPU must process.
• View the modular packet buffers details per stack unit and the mode of allocation.
  EXEC Privilege mode
  show hardware stack-unit {1–6} buffer total-buffer
  View the modular packet buffers details per unit and the mode of allocation.
enable optic-info-update interval

DellEMC#show interfaces fortyGigE 1/52 transceiver
QSFP 52 Serial ID Base Fields
QSFP 52 Id                  =
QSFP 52 Ext Id              =
QSFP 52 Connector           =
QSFP 52 Transceiver Code    =
QSFP 52 Encoding            =
QSFP 52 Length(SFM) Km      =
QSFP 52 Length(OM3) 2m      =
QSFP 52 Length(OM2) 1m      =
QSFP 52 Length(OM1) 1m      =
QSFP 52 Length(Copper) 1m   =
QSFP 52 Vendor Rev          =
QSFP 52 Laser Wavelength    =
QSFP 52 CheckCodeBase       =
QSFP 52 Serial ID Extended Fields
QSFP 52 BR max              =
QSFP 52 BR min              =
QSFP 52 Vendor
When the system detects a genuine over-temperature condition, it powers off the card. To recognize this condition, look for the following system messages:

CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature high (temperature reaches or exceeds threshold of [value]C)
CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is [value]C; approaching shutdown threshold of [value]C

To view the programmed alarm threshold levels, including the shutdown value, use the show alarms threshold command. Because TEMP_SHUTDOWN_WARN is the last message before an automatic power-off, treat it as more urgent than MAJOR_TEMP even though both carry severity 2.
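The two CHMGR alarms above are the ones a monitoring pipeline should key on. The following script is an added example, not code from the Dell EMC guide: it parses Dell EMC Networking OS syslog lines in the layout the guide's own samples use (timestamp, optional unit tag, FACILITY-severity-MNEMONIC, text), extracts the Celsius values from the temperature alarms, and maps each record to an operator action. The sample lines at the bottom are constructed; the unit tag and the temperatures in them are assumptions.

```python
"""Added example (not from the Dell EMC guide): triage Dell EMC Networking OS
syslog lines for the chassis-temperature alarms this section describes.

Record layout assumed from the guide's own samples:
    <Mon DD HH:MM:SS>: [%<unit-tag> ]%<FACILITY>-<severity>-<MNEMONIC>: <text>
Severity follows syslog (0 = emergency ... 7 = debug). The sample lines at the
bottom are constructed; the unit tag and temperatures in them are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}): "
    r"(?:%(?P<unit>[^ ]+) )?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)
TEMP_RE = re.compile(r"(-?\d+)C\b")


@dataclass
class SyslogEvent:
    timestamp: str
    unit: Optional[str]
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Parse one line; None for output that is not a syslog record, such as the
    'HH:MM:SS : ...' progress lines the diagnostics print to the console."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return SyslogEvent(m["ts"], m["unit"], m["facility"], int(m["severity"]),
                       m["mnemonic"], m["text"])


def temperatures(event: SyslogEvent) -> List[int]:
    """Every Celsius reading quoted in the message text, in order of appearance."""
    return [int(t) for t in TEMP_RE.findall(event.text)]


def headroom(event: SyslogEvent) -> Optional[int]:
    """Degrees left before the card is powered off, for TEMP_SHUTDOWN_WARN
    ('temperature is 87C; approaching shutdown threshold of 90C' -> 3)."""
    temps = temperatures(event)
    if event.mnemonic == "TEMP_SHUTDOWN_WARN" and len(temps) >= 2:
        return temps[1] - temps[0]
    return None


def action_for(event: SyslogEvent) -> str:
    """Map an event to an operator action. Both CHMGR alarms are severity 2, but
    TEMP_SHUTDOWN_WARN precedes an automatic power-off, so it outranks MAJOR_TEMP."""
    if event.facility == "CHMGR" and event.mnemonic == "TEMP_SHUTDOWN_WARN":
        return "page-now"
    if event.facility == "CHMGR" and event.mnemonic == "MAJOR_TEMP":
        return "open-ticket"
    if event.severity <= 2:
        return "review"
    return "ignore"


def triage(lines: List[str]) -> List[Tuple[str, str, List[int]]]:
    """(mnemonic, action, temperatures) for every record that needs attention;
    non-syslog lines and 'ignore' events are dropped."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        act = action_for(ev)
        if act != "ignore":
            out.append((ev.mnemonic, act, temperatures(ev)))
    return out


# Constructed sample input (not a real capture).
SAMPLE_LINES = [
    "Mar 12 10:40:35: %S4810:0 %DIAGAGT-6-DA_DIAG_DONE: Diags finished on stack unit 0",
    "00:09:42 : Diagnostic test results are stored on file: flash:/TestReport-SU-0.txt",
    "Mar 12 11:02:07: %S4810:0 %CHMGR-2-MAJOR_TEMP: Major alarm: chassis temperature "
    "high (temperature reaches or exceeds threshold of 80C)",
    "Mar 12 11:03:41: %S4810:0 %CHMGR-2-TEMP_SHUTDOWN_WARN: WARNING! temperature is 87C; "
    "approaching shutdown threshold of 90C",
]

if __name__ == "__main__":
    for mnemonic, action, temps in triage(SAMPLE_LINES):
        print(f"{action:<12} {mnemonic:<20} {temps}")
```

Feed the script the output of the syslog buffer or a collector's file; the diagnostic progress lines (which carry an uptime stamp instead of a date) are skipped rather than mis-parsed, and headroom() gives the number of degrees between the current reading and the shutdown threshold that the TEMP_SHUTDOWN_WARN text reports.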
OID String | OID Name | Description
.1.3.6.1.4.1.6027.3.10.1.2.5.1.8 | chSysPortXfpTxPower | Displays the transmit power of the connected optics.
 | chSysPortXfpRecvTemp | Displays the temperature of the connected optics.
NOTE: These OIDs are populated only when the enable optic-info-update interval command is configured.
.1.3.6.1.4.1.6027.3.27.1.4 | dellNetFpPacketBufferTable | Displays the modular packet buffer details per stack unit and the mode of allocation.
.1.3.6.1.4.1.6027.3.27.1.[...]
show hardware drops interface interface

Example of show hardware drops interface interface

DellEMC#show hardware drops interface tengigabitethernet 2/1
Drops in Interface Te 2/1:
--- Ingress Drops ---
    Ingress Drops
    IBP CBP Full Drops
    PortSTPnotFwd Drops
    IPv4 L3 Discards
    Policy Discards
    Packets dropped by FP (L2+L3) Drops
    Port bitmap zero Drops
    Rx VLAN Drops
--- Ingress MAC counters ---
    Ingress FCSDrops
    Ingress MTUExceeds
--- MMU Drops ---
    Ingress MMU Drops
    HOL DROPS(TOTAL)
    HOL DROPS on COS0
    HOL DROPS on COS1
    HOL D[...]
[Counter values for this example are omitted. The per-port table that followed it (ports 1 through 54/4 and the Internal ports) is likewise omitted.]
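A single snapshot of the drop counters says little; what matters is which counters move between two captures. The script below is an added example, not code from the Dell EMC guide: it parses two captures of show hardware drops interface output, using the section headers to qualify counter names (Ingress Drops is both a section title and a counter), reports the counters that increased, and attaches a likely cause to each. The counter names are the ones the guide lists; the "<name> : <value>" column layout, the sample values, and the cause hints are assumptions made for the example.

```python
"""Added example (not from the Dell EMC guide): compare two captures of
'show hardware drops interface <interface>' and report the drop counters that
moved, with a likely cause for each. The counter names come from the guide; the
'<name> : <value>' layout, the sample values and the cause hints are assumptions."""
import re
from typing import Dict, List, Tuple

SECTION_RE = re.compile(r"^\s*---\s*(?P<section>.+?)\s*---\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9][^:]*?)\s*:\s*(?P<value>\d+)\s*$")

# Likely causes, inferred from the counter names (assumptions, not guide text).
HINTS = {
    "IBP CBP Full Drops": "ingress buffer exhausted: congestion or microbursts",
    "PortSTPnotFwd Drops": "port not in STP forwarding state; expected during convergence",
    "Policy Discards": "dropped by an ACL or policy map; check for a host probing blocked ports",
    "Packets dropped by FP (L2+L3) Drops": "field-processor (ACL/QoS) drops",
    "Port bitmap zero Drops": "no egress port: VLAN membership mismatch or unknown destination",
    "Rx VLAN Drops": "ingress VLAN not allowed on the port",
    "Ingress FCSDrops": "CRC errors: bad cable, optic or duplex mismatch",
    "Ingress MTUExceeds": "frames larger than the port MTU",
    "HOL DROPS(TOTAL)": "head-of-line blocking: egress congestion",
}


def hint_for(counter: str) -> str:
    if counter.startswith("HOL DROPS on COS"):
        return "head-of-line blocking on that CoS queue"
    return HINTS.get(counter, "no hint for this counter")


def parse_drops(output: str) -> Dict[str, int]:
    """Return {'<section>/<counter>': value}. Lines without a numeric value after
    the colon (the 'Drops in Interface ...' banner) are ignored."""
    counters: Dict[str, int] = {}
    section = "Header"
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[f"{section}/{m['name'].strip()}"] = int(m["value"])
    return counters


def drop_report(before: str, after: str) -> List[Tuple[str, int, str]]:
    """Counters that increased between the captures, largest delta first,
    as (section/counter, delta, hint). Counters new in 'after' count from zero."""
    b, a = parse_drops(before), parse_drops(after)
    rows = []
    for key, value in a.items():
        delta = value - b.get(key, 0)
        if delta > 0:
            rows.append((key, delta, hint_for(key.split("/", 1)[1])))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed sample captures (not real device output); values are invented.
BEFORE = """Drops in Interface Te 2/1:
--- Ingress Drops ---
Ingress Drops                         : 0
IBP CBP Full Drops                    : 0
PortSTPnotFwd Drops                   : 0
IPv4 L3 Discards                      : 0
Policy Discards                       : 2
Packets dropped by FP (L2+L3) Drops   : 3
Port bitmap zero Drops                : 0
Rx VLAN Drops                         : 0
--- Ingress MAC counters ---
Ingress FCSDrops                      : 0
Ingress MTUExceeds                    : 0
--- MMU Drops ---
Ingress MMU Drops                     : 0
HOL DROPS(TOTAL)                      : 0
HOL DROPS on COS0                     : 0
HOL DROPS on COS1                     : 0
"""
AFTER = (BEFORE.replace("Policy Discards                       : 2",
                        "Policy Discards                       : 41")
         .replace("Packets dropped by FP (L2+L3) Drops   : 3",
                  "Packets dropped by FP (L2+L3) Drops   : 42")
         .replace("Ingress FCSDrops                      : 0",
                  "Ingress FCSDrops                      : 7")
         .replace("HOL DROPS(TOTAL)                      : 0",
                  "HOL DROPS(TOTAL)                      : 12")
         .replace("HOL DROPS on COS0                     : 0",
                  "HOL DROPS on COS0                     : 12"))

if __name__ == "__main__":
    for counter, delta, hint in drop_report(BEFORE, AFTER):
        print(f"{delta:>6}  {counter:<50}  {hint}")
```

Run it against two captures taken a known interval apart; a rising Policy Discards or FP count on an access port is worth correlating with the ACL logs, whereas FCS drops point at the physical layer rather than at traffic.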
Example of Viewing Dataplane Statistics

DellEMC#show hardware stack-unit 1 cpu data-plane statistics
bc pci driver statistics for device:
    rxHandle      :773
    noMhdr        :0
    noMbuf        :0
    noClus        :0
    recvd         :773
    dropped       :0
    recvToNet     :773
    rxError       :0
    rxFwdError    :0
    rxDatapathErr :0
    rxPkt(COS0 )  :0
    rxPkt(COS1 )  :0
    rxPkt(COS2 )  :0
    rxPkt(COS3 )  :0
    rxPkt(COS4 )  :0
    rxPkt(COS5 )  :0
    rxPkt(COS6 )  :0
    rxPkt(COS7 )  :0
    rxPkt(COS8 )  :773
    rxPkt(COS9 )  :0
    rxPkt(COS10)  :0
    rxPkt(COS11)  :0
    rxPkt(UNIT0)  :773
    transmitted   :12698
    txRequested   :12698
    n[...]
    0 Multicasts, 5 Broadcasts
    0 runts, 0 giants, 0 throttles
    0 CRC, 0 overrun, 0 discarded
Output Statistics:
    1649714 packets, 1948622676 bytes, 0 underruns
    0 64-byte pkts, 27234 over 64-byte pkts, 107970 over 127-byte pkts
    34 over 255-byte pkts, 504838 over 511-byte pkts, 1009638 over 1023-byte pkts
    0 Multicasts, 0 Broadcasts, 1649714 Unicasts
    0 throttles, 0 discarded, 0 collisions
Rate info (interval 45 seconds):
    Input 00.00 Mbits/sec, 2 packets/sec, 0.00% of line-rate
    Output 00.[...]
TX - Byte Counter
TX - Control frame counter
TX - Pause control frame counter
TX - Over size packet counter
TX - Jabber counter
TX - VLAN tag frame counter
TX - Double VLAN tag frame counter
TX - RUNT frame counter
TX - Fragment counter
--------------------
Interface Te 0/1 :
Description
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 routed multicast Packets
RX - IPV6 L3 Unicast Frame Counter
--------------------
Interface Fo 0/60 :
Description
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 routed multicast Packets
RX - IPV6 L3 Unicast Fra[...]
TX - Double VLAN tag frame counter        0
TX - RUNT frame counter                   0
TX - Fragment counter                     0

Example of Displaying Counter Information for a Specific Interface

DellEMC#show hardware counters interface tengigabitethernet 5/1
unit: 0 port: 2 (interface Te 5/1)
Description                                  Value
RX - IPV4 L3 Unicast Frame Counter
RX - IPV4 L3 Routed Multicast Packets
RX - IPV6 L3 Unicast Frame Counter
RX - IPV6 L3 Routed Multicast Packets
RX - Unicast Packet Counter
RX - 64 Byte Frame Counter
RX - 65 to 127 Byte Frame Counter
RX - [...]
Mini Core Dumps

Dell EMC Networking OS supports mini core dumps on application and kernel crashes. Mini core dumps apply to Master, Standby, and Member units, and application and kernel mini core dumps are always enabled. A mini core dump contains the stack space and a minimal amount of other information that you can use to debug a crash. The files are small and are written to flash until flash space is exhausted; once flash is full, writing stops. Copy the dump files off the unit and remove them after collection, so that a later crash can still be recorded.
You can use the capture-duration timer and the packet-count counter at the same time. The TCP dump stops when the first of the thresholds is met: even with the duration timer set to 9000 seconds, the dump stops as soon as the maximum file count is reached. To enable a TCP dump, use the following command.
• Enable a TCP dump for CPU-bound traffic.
68 Standards Compliance

This chapter describes standards compliance for Dell EMC Networking products.

NOTE: Unless noted, when a standard cited here is listed as supported by the Dell EMC Networking OS, the system also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click "Browse and search IETF documents," enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance Dell EMC Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell EMC Networking OS first supports the standard. General Internet Protocols The following table lists the Dell EMC Networking OS support per platform for general internet protocols. Table 140.
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2474 | Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2615 | PPP over SONET/SDH | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2698 | | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
[Two further rows whose RFC numbers and names are not legible; each reads 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1), the last cut short.]
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1305 | Network Time Protocol (Version 3) Specification, Implementation and Analysis | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1519 | Classless Inter-Domain Routing (CIDR): an Address Assignment and Aggregation Strategy | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
1542 | Clarifications and Extensions for [...] | 7.6.[...] | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
RFC# | Full Name | S-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
4291 | Internet Protocol Version 6 (IPv6) Addressing Architecture | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4443 | Internet Control Message Protocol (ICMPv6) for the IPv6 Specification | 7.8.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4861 | | 8.3.12.0 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
4862 | IPv6 Stateless Address Autoconfiguration | 8.3.12.0 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.[...]
Open Shortest Path First (OSPF)

The following table lists the Dell EMC Networking OS support per platform for the OSPF protocol.

Table 144. Open Shortest Path First (OSPF)

RFC# | Full Name | S-Series/Z-Series | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1587 | The OSPF Not-So-Stubby Area (NSSA) Option | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2154 | OSPF with Digital Signatures | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
2370 | The OSPF Opaque LSA Option | 7.6.1 | 9.8(0.[...]
RFC# | Full Name | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
5308 | Routing IPv6 with IS-IS | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
draft-ietf-isis-igp-p2p-over-lan-06 | Point-to-point operation over LAN in link-state routing protocols | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.1) | 9.10(0.1)
draft-kaplan-isis-ext-eth-02 | Extended Ethernet Frame Size Support | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.10(0.[...]
Network Management

The following table lists the Dell EMC Networking OS support per platform for network management protocols.

Table 148. Network Management

RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
1155 | Structure and Identification of Management Information for TCP/IP-based Internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
1156 | Management Information Base for Network Management of TCP/IP-based internets | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.[...]
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
2572 | Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2574 | User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
2575 | View-based Access Control Model (VACM) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.[...]
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
[...] | (continued) ...High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History High-Capacity Table | | | | | |
3416 | Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
3418 | Management Information Base (MIB) for the Simple Network Management Protocol (SNMP) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.[...]
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
draft-ietf-netmod-interfaces-cfg-03 | Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface REST API feature. | 9.2(0.0) | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.1AB | Management Information Base module for LLDP configuration, statistics, local system data and remote systems data components. | 7.7.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
IEEE 802.[...]
RFC# | Full Name | S4810 | S3048–ON | S4048–ON | Z9100–ON | S4048T-ON | S6010–ON
[...]SION-MIB | (continued) ...by providing proprietary SNMP OIDs for other counters displayed in the "show interfaces" output) | 7.6.1 | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-LINKAGG-MIB | Force10 Enterprise Link Aggregation MIB | | 9.8(0.0P2) | 9.8(0.0P5) | 9.8(1.0) | 9.8(1.0) | 9.8(1.0)
FORCE10-CHASSIS-MIB | Force10 E-Series Enterprise Chassis MIB | | | | | |
FORCE10-COPY-CONFIG-MIB | Force10 File Copy MIB (supporting SNMP SET COPY operation) | 7.7.1 | 9.8(0.[...]
Some pages of iSupport require a login. To request an iSupport account, go to: https://www.force10networks.com/CSPortal20/AccountRequest/AccountRequest.aspx If you have forgotten or lost your account information, contact Dell TAC for assistance.
69 X.509v3

Dell EMC Networking OS supports X.509v3 standards.

Topics:
• Introduction to X.509v3 certificates
• X.509v3 support in Dell EMC Networking OS
• Information about installing CA certificates
• Information about Creating Certificate Signing Requests (CSR)
• Information about installing trusted certificates
• Transport layer security (TLS)
• Online Certificate Status Protocol (OCSP)
• Verifying certificates
• Event logging

Introduction to X.509v3 certificates

X.[...]
Advantages of X.509v3 certificates

Public-key authentication is preferred over password-based authentication, although the two can be combined. Public-key authentication provides the following advantages over password-based authentication:
• It avoids the human problem of low-entropy password selection and resists brute-force attacks better than password-based authentication.
The other hosts on the network, such as the switch under test (SUT), the syslog server, and the OCSP server, generate their own private keys and create Certificate Signing Requests (CSRs). The hosts then upload the CSRs to the Intermediate CA or make the CSRs available for the Intermediate CA to download; because only the CSR is sent, the private key never has to leave the host that generated it. On the switch, Dell EMC Networking OS generates the CSR with the crypto cert generate request command. The hosts on the network (SUT, syslog, OCSP, and so on) also download and install the CA certificates from the Root and Intermediate CAs.
Installing CA certificates

To install a CA certificate, enter the crypto ca-cert install {path} command in Global Configuration mode. Install the certificates of both the Root CA and the Intermediate CA: peers present certificates issued by the Intermediate CA, and chain validation fails if any issuer between the peer certificate and the trusted root is missing.

Information about Creating Certificate Signing Requests (CSR)

A Certificate Signing Request (CSR) enables a device to obtain an X.509v3 certificate from a CA. To obtain an X.509v3 certificate, the device first requests one from the CA by submitting a CSR.
NOTE: The command has multiple options. The Common Name is a required field; unspecified fields are left blank.

Information about installing trusted certificates

Dell EMC Networking OS also enables you to install a trusted certificate. The system can then present this certificate for authentication to clients such as SSH and HTTPS. The same trusted certificate is presented to TLS server implementations that require client authentication, such as syslog.
TLS compression is disabled by default and should stay disabled: compressing data before it is encrypted leaks information about the plaintext through the ciphertext length. TLS session resumption is supported to reduce the processor and traffic overhead of public-key operations and handshake messages. The maximum time a TLS session may be resumed without repeating the full TLS authentication and handshake is configurable, with a default of 1 hour. You can also disable session resumption.
Configuring Revocation Behavior

You can configure how the system behaves when an OCSP responder fails. By default, when all the OCSP responders fail to answer an OCSP request, the system accepts the certificate and logs the event (fail-open). You can instead configure the system to reject the certificate when the OCSP responders fail (fail-closed). With the default behavior, an attacker who can block the path to the responders keeps a revoked certificate usable, so prefer rejection wherever the responders are reliably reachable, and monitor the logged responder failures in either mode.
• A secure session negotiation fails due to an invalid, expired, or revoked certificate.