Dell Configuration Guide for the Z9000 System 9.7(0.
Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer. CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem. NOTE: A WARNING indicates a potential for property damage, personal injury, or death. Copyright © 2015 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents 1 About this Guide......................................................................................................................... 25 Audience............................................................................................................................................................................... 25 Conventions..................................................................................................................................................................
Moving a Command from EXEC Privilege Mode to EXEC Mode........................................................................... 48 Allowing Access to CONFIGURATION Mode Commands....................................................................................... 48 Allowing Access to the Following Modes................................................................................................................... 48 Applying a Privilege Level to a Username.............................................
6 Access Control Lists (ACLs)........................................................................................................ 78 IP Access Control Lists (ACLs)......................................................................................................................................... 78 CAM Usage....................................................................................................................................................................
BFD Packet Format...................................................................................................................................................... 110 BFD Sessions..................................................................................................................................................................111 BFD Three-Way Handshake........................................................................................................................................
Regular Expressions as Filters..................................................................................................................................... 161 Redistributing Routes.................................................................................................................................................. 162 Enabling Additional Paths............................................................................................................................................
DHCP Packet Format and Options.................................................................................................................................200 Assign an IP Address using DHCP................................................................................................................................... 201 Implementation Information.............................................................................................................................................
Protocol Overview............................................................................................................................................................ 224 Ring Status...................................................................................................................................................................225 Multiple FRRP Rings.........................................................................................................................................
View Basic Interface Information.................................................................................................................................... 253 Enabling a Physical Interface........................................................................................................................................... 254 Physical Interfaces.......................................................................................................................................................
Auto-Negotiation on Ethernet Interfaces...................................................................................................................... 280 Setting the Speed and Duplex Mode of Ethernet Interfaces................................................................................ 280 Set Auto-Negotiation Options....................................................................................................................................281 View Advanced Interface Information..........
Protocol Overview............................................................................................................................................................ 304 Extended Address Space........................................................................................................................................... 304 Stateless Autoconfiguration.......................................................................................................................................
Debugging IS-IS........................................................................................................................................................... 336 IS-IS Metric Styles.............................................................................................................................................................337 Configure Metric Values......................................................................................................................................
25 Link Layer Discovery Protocol (LLDP).......................................................................................370 802.1AB (LLDP) Overview............................................................................................................................................... 370 Protocol Data Units..................................................................................................................................................... 370 Optional TLVs.........................
Configuring Anycast RP................................................................................................................................................... 407 Reducing Source-Active Message Flooding............................................................................................................ 408 Specifying the RP Address Used in SA Messages..................................................................................................408 MSDP Sample Configurations.............
Router Types................................................................................................................................................................446 Designated and Backup Designated Routers...........................................................................................................447 Link-State Advertisements (LSAs)........................................................................................................................... 447 Router Priority and Cost.
34 PIM Source-Specific Mode (PIM-SSM).................................................................................... 492 Implementation Information............................................................................................................................................. 492 Configure PIM-SMM........................................................................................................................................................ 492 Enabling PIM-SSM........................
Honoring dot1p Priorities on Ingress Traffic.............................................................................................................528 Configuring Port-Based Rate Policing......................................................................................................................529 Configuring Port-Based Rate Shaping..................................................................................................................... 529 Policy-Based QoS Configurations.........
Modifying Global Parameters...........................................................................................................................................567 Enabling SNMP Traps for Root Elections and Topology Changes....................................................................... 568 Modifying Interface Parameters.....................................................................................................................................
VLAN Stacking.................................................................................................................................................................. 605 Configure VLAN Stacking.......................................................................................................................................... 606 Creating Access and Trunk Ports.............................................................................................................................
Configuring Contact and Location Information using SNMP.......................................................................................631 Subscribing to Managed Object Value Updates using SNMP.....................................................................................632 Enabling a Subset of SNMP Traps..................................................................................................................................633 Copy Configuration Files Using SNMP.......................
Configuring Spanning Trees as Hitless...........................................................................................................................658 STP Loop Guard................................................................................................................................................................658 Configuring Loop Guard.............................................................................................................................................
VLT Terminology............................................................................................................................................................... 682 Configure Virtual Link Trunking....................................................................................................................................... 682 Important Points to Remember.................................................................................................................................
Running Offline Diagnostics....................................................................................................................................... 747 TRACE Logs........................................................................................................................................................................751 Auto Save on Crash or Rollover.................................................................................................................................
1 About this Guide This guide describes the protocols and features the Dell Networking Operating System (OS) supports and provides configuration instructions and examples for implementing them. The Z9000 platform is available with Dell Networking OS version 8.3.11.1 and beyond. Though this guide contains information on protocols, it is not intended to be a complete reference. This guide is a reference for configuring protocols on Dell Networking systems.
2 Configuration Fundamentals The Dell Networking Operating System (OS) command line interface (CLI) is a text-based interface you can use to configure interfaces and protocols. The CLI is largely the same for each platform except for some commands and command outputs. The CLI is structured in modes for security and management purposes. Different sets of commands are available in each mode, and you can limit user access to modes using privilege levels.
• • EXEC Privilege mode has commands to view configurations, clear counters, manage configuration files, run diagnostics, and enable or disable debug operations. The privilege level is 15, which is unrestricted. You can configure a password for this mode; refer to the Configure the Enable Password section in the Getting Started chapter.
ROUTER OSPF ROUTER OSPFV3 ROUTER RIP SPANNING TREE TRACE-LIST VLT DOMAIN VRRP UPLINK STATE GROUP GRUB Navigating CLI Modes The Dell Networking OS prompt changes to indicate the CLI mode. The following table lists the CLI mode, its prompt, and information about how to access and exit the CLI mode. Move linearly through the command modes, except for the end command which takes you directly to EXEC Privilege mode and the exit command which moves you up one command mode level.
CLI Command Mode Prompt Access Command EXTENDED ACCESS-LIST Dell(config-ext-nacl)# ip access-list extended (IP ACCESS-LIST Modes) IP COMMUNITY-LIST Dell(config-community-list)# ip community-list AUXILIARY Dell(config-line-aux)# line (LINE Modes) CONSOLE Dell(config-line-console)# line (LINE Modes) VIRTUAL TERMINAL Dell(config-line-vty)# line (LINE Modes) STANDARD ACCESS-LIST Dell(config-std-macl)# mac access-list standard (MAC ACCESS-LIST Modes) EXTENDED ACCESS-LIST Dell(config-ext-mac
CLI Command Mode Prompt Access Command MONITOR SESSION Dell(conf-mon-sess-sessionID)# monitor session OPENFLOW INSTANCE Dell(conf-of-instance-of-id)# openflow of-instance PORT-CHANNEL FAILOVER-GROUP Dell(conf-po-failover-grp)# port-channel failover-group PRIORITY GROUP Dell(conf-pg)# priority-group PROTOCOL GVRP Dell(config-gvrp)# protocol gvrp QOS POLICY Dell(conf-qos-policy-out-ets)# qos-policy-output VLT DOMAIN Dell(conf-vlt-domain)# vlt domain VRRP Dell(conf-if-interface-typeslo
-----------------------------------------------------------------------------------0 0 up up 9120 up 9120 0 1 up up 9120 up 9120 Speed in RPM Dell(conf)# Undoing Commands When you enter a command, the command line is added to the running configuration file (running-config). To disable a command and remove it from the running-config, enter the no command, then the original command. For example, to delete an IP address configured on an interface, use the no ip address ip-address command.
Entering and Editing Commands Notes for entering commands. • • The CLI is not case-sensitive. You can enter partial CLI keywords. • • • • • Enter the minimum number of letters to uniquely identify a command. For example, you cannot enter cl as a partial keyword because both the clock and class-map commands begin with the letters “cl.” You can enter clo, however, as a partial keyword because only one command begins with those three letters. The TAB key auto-completes keywords in commands.
Filtering show Command Outputs Filter the output of a show command to display specific information by adding | [except | find | grep | no-more | save] specified_text after the command. The variable specified_text is the text for which you are filtering and it IS case sensitive unless you use the ignore-case suboption. Starting with Dell Networking OS version 7.8.1.0, the grep command accepts an ignore-case sub-option that forces the search to case-insensitive.
Multiple Users in Configuration Mode Dell Networking OS notifies all users when there are multiple users logged in to CONFIGURATION mode. A warning message indicates the username, type of connection (console or VTY), and in the case of a VTY connection, the IP address of the terminal on which the connection was established.
3 Getting Started This chapter describes how you start configuring your system. When you power up the chassis, the system performs a power-on self test (POST) during which the line card status light emitting diodes (LEDs) blink green. The system then loads the Dell Networking Operating System (OS). Boot messages scroll up the terminal window during this process. No user interaction is required if the boot process proceeds without interruption.
Accessing the Console Port To access the console port, follow these steps: For the console port pinout, refer to Accessing the RJ-45 Console Port with a DB-9 Adapter. 1. Install an RJ-45 copper cable into the console port.Use a rollover (crossover) cable to connect the S4810 console port to a terminal server. 2. Connect the other end of the cable to the DTE terminal server. 3.
Executing Local CLI Scripts Using an SSH Connection You can execute CLI commands by entering a CLI script in one of the following ways: ssh username@hostname or cat < CLIscript.file > | ssh admin@hostname The script is run and the actions contained in the script are performed. Following are the points to remember, when you are trying to establish an SSH session to the device to run commands or script files: • • • • There is an upper limit of 10 concurrent sessions in SSH.
Configure the Management Port IP Address To access the system remotely, assign IP addresses to the management ports. 1. Enter INTERFACE mode for the Management port. CONFIGURATION mode interface ManagementEthernet slot/port • • slot: the range is from 0 to 7. port: the range is 0. 2. Assign an IP address to the interface. INTERFACE mode ip address ip-address/mask • • ip-address: an address in dotted-decimal format (A.B.C.D). mask: a subnet mask in /prefix-length format (/ xx). 3. Enable the interface.
To configure an enable password, use the following command. • Create a password to access EXEC Privilege mode. CONFIGURATION mode enable [password | secret] [level level] [encryption-type] password • • level: is the privilege level, is 15 by default, and is not required encryption-type: specifies how you are inputting the password, is 0 by default, and is not required. • • • 0 is for inputting the password in clear text. 7 is for inputting a password that is already encrypted using a DES hash.
Destination file name [Dell-EF-8.2.1.0.bin.bin]: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 26292881 bytes successfully copied Mounting an NFS File System This feature enables you to quickly access data on an NFS mounted file system. You can perform file operations on an NFS mounted file system using supported file commands. This feature allows an NFS mounted device to be recognized as a file system.
Password to login remote host: ! Example of Copying to NFS Mount Dell#copy flash://test.txt nfsmount:/// Destination file name [test.txt]: ! 15 bytes successfully copied Dell#copy flash://ashu/capture.txt.pcap nfsmount:/// Destination file name [test.txt]: ! 15 bytes successfully copied Dell#copy flash://ashu/capture.txt.pcap nfsmount:///ashutosh/snoop.pcap ! 24 bytes successfully copied Dell# Dell#copy tftp://10.16.127.
Configure the Overload Bit for a Startup Scenario For information about setting the router overload bit for a specific period of time after a switch reload is implemented, refer to the Intermediate System to Intermediate System (IS-IS) section in the Dell Networking OS Command Line Reference Guide. Viewing Files You can only view file information and content on local file systems. To view a list of files or the contents of a file, use the following commands. • View a list of files on the internal flash.
Page 57 - The output of show file-systems must be modified as follows. Dell#show file-systems Size(b) 2056916992 Dell# Free(b) 2056540160 - Feature Type FAT32 USERFLASH network network network Flags rw rw rw rw Prefixes flash: ftp: tftp: scp: Managing the File System The Dell Networking system can use the internal Flash, external Flash, or remote devices to store files. The system stores files on the internal Flash by default but can be configured to store files elsewhere.
Enabling Software Features on Devices Using a Command Option This capability to activate software applications or components on a device using a command is supported on the S4810, S4820T, and S6000, platforms. Starting with Release 9.4(0.0), you can enable or disable specific software functionalities or applications that need to run on a device by using a command attribute in the CLI interface.
Using HTTP for File Transfers Stating with Release 9.3(0.1), you can use HTTP to copy files or configuration details to a remote server. Use the copy source-file-url http://host[:port]/file-path command to transfer files to an external server. Enter the following source-file-url keywords and information: • • • • To copy a file from the internal FLASH, enter flash:// followed by the filename. To copy the running configuration, enter the keyword running-config.
SHA256 Dell# verify sha256 flash://FTOS-SE-9.5.0.0.bin e6328c06faf814e6899ceead219afbf9360e986d692988023b749e6b2093e933 SHA256 hash VERIFIED for FTOS-SE-9.5.0.0.
4 Management This chapter describes the different protocols or services used to manage the Dell Networking system.
Removing a Command from EXEC Mode To remove a command from the list of available commands in EXEC mode for a specific privilege level, use the privilege exec command from CONFIGURATION mode. In the command, specify a level greater than the level given to a user or terminal line, then the first keyword of each command you wish to restrict.
• privilege configure level level {interface | line | route-map | router} {command-keyword ||...|| command-keyword} Allow access to a CONFIGURATION, INTERFACE, LINE, ROUTE-MAP, and/or ROUTER mode command. CONFIGURATION mode privilege {configure |interface | line | route-map | router} level level {command ||...
vlan VLAN keyword Dell(conf)# interface group vlan 1 - 2 , tengigabitethernet 1/1 Dell(conf-if-group-vl-1-2,te-1/1)# no shutdown Dell(conf-if-group-vl-1-2,te-1/1)# end Applying a Privilege Level to a Username To set the user privilege level, use the following command. • Configure a privilege level for a user. CONFIGURATION mode username username privilege level Applying a Privilege Level to a Terminal Line To set a privilege level for a terminal line, use the following command.
Enabling Audit and Security Logs You enable audit and security logs to monitor configuration changes or determine if these changes affect the operation of the system in the network. You log audit and security events to a system log server, using the logging extended command in CONFIGURATION mode. Audit Logs The audit log contains configuration events and information. The types of information in this log consist of the following: • • • • User logins to the switch.
Clearing Audit Logs To clear audit logs, use the clear logging auditlog command in Exec mode. When RBAC is enabled, only the system administrator user role can issue this command. Example of the clear logging auditlog Command Dell# clear logging auditlog Configuring Logging Format To display syslog messages in a RFC 3164 or RFC 5424 format, use the logging version [0 | 1} command in CONFIGURATION mode. By default, the system log version is set to 0.
Pre-requisites To configure a secure connection from the switch to the syslog server: 1. On the switch, enable the SSH server Dell(conf)#ip ssh server enable 2. On the syslog server, create a reverse SSH tunnel from the syslog server to FTOS switch, using following syntax: ssh -R :: user@remote_host -nNf In the following example the syslog server IP address is 10.156.166.48 and the listening port is 5141. The switch IP address is 10.16.131.
• Specify the server to which you want to send system messages. You can configure up to eight syslog servers. CONFIGURATION mode logging {ip-address | ipv6-address | hostname} {{udp {port}} | {tcp {port}}} Configuring a UNIX System as a Syslog Server To configure a UNIX System as a syslog server, use the following command. • Configure a UNIX system as a syslog server by adding the following lines to /etc/syslog.conf on the UNIX system and assigning write permissions to the file. • • Add line on a 4.
Display the Logging Buffer and the Logging Configuration To display the current contents of the logging buffer and the logging settings for the system, use the show logging command in EXEC privilege mode. When RBAC is enabled, the security logs are filtered based on the user roles. Only the security administrator and system administrator can view the security logs.
• • • • • • • • • • • • • • • • • local3 (for local use) local4 (for local use) local5 (for local use) local6 (for local use) local7 (for local use) lpr (for line printer system messages) mail (for mail system messages) news (for USENET news messages) sys9 (system use) sys10 (system use) sys11 (system use) sys12 (system use) sys13 (system use) sys14 (system use) syslog (for syslog messages) user (for user programs) uucp (UNIX to UNIX copy protocol) To view nondefault settings, use the show running-config
Enabling Timestamp on Syslog Messages By default, syslog messages do not include a time/date stamp stating when the error or message was created. To enable timestamp, use the following command. • Add timestamp to syslog messages. CONFIGURATION mode service timestamps [log | debug] [datetime [localtime] [msec] [show-timezone] | uptime] Specify the following optional parameters: • • You can add the keyword localtime to include the localtime, msec, and show-timezone.
CONFIGURATION mode ftp-server topdir dir • The default is the internal flash directory. Specify a user name for all FTP users and configure either a plain text or encrypted password. CONFIGURATION mode ftp-server username username password [encryption-type] password Configure the following optional and required parameters: • • • username: enter a text string. encryption-type: enter 0 for plain text or 7 for encrypted text. password: enter a text string.
To view the configuration, use the show config command in LINE mode. Dell(config-std-nacl)#show config ! ip access-list standard myvtyacl seq 5 permit host 10.11.0.1 Dell(config-std-nacl)#line vty 0 Dell(config-line-vty)#show config line vty 0 access-class myvtyacl Dell Networking OS Behavior: Prior to Dell Networking OS version 7.4.2.0, in order to deny access on a VTY line, apply an ACL and accounting, authentication, and authorization (AAA) to the line.
login authentication myvtymethodlist Dell(config-line-vty)# Setting Time Out of EXEC Privilege Mode EXEC time-out is a basic security feature that returns Dell Networking OS to EXEC mode after a period of inactivity on the terminal lines. To set time out, use the following commands. Set the number of minutes and seconds. The default is 10 minutes on the console and 30 minutes on VTY. Disable EXEC time out by setting the time-out period to 0.
Lock CONFIGURATION Mode Dell Networking OS allows multiple users to make configurations at the same time. You can lock CONFIGURATION mode so that only one user can be in CONFIGURATION mode at any time (Message 2). You can set two types of lockst: auto and manual. • • Set auto-lock using the configuration mode exclusive auto command from CONFIGURATION mode. When you set autolock, every time a user is in CONFIGURATION mode, all other users are denied access.
Enter c to get to the Grub boot load command line grub> prompt. 5. Set the system parameters to ignore the enable password when the system reloads and reboot the environment. grub>set stconfigignore=true grub>save_env stconfigignore grub>reboot 6. The Z9000 boots up with the factory default configuration. The default Dell Networking OS system prompt displays when the system boot up is complete. NOTE: Do not press any keys during the boot-up process. 7. Copy the startup-config into the running-config.
copy running-config startup-config Recovering from a Failed Start on the Z9000 System A system that does not start correctly might be attempting to boot from a corrupted Dell Networking OS image or from a mis-specified location. In this case, you can restart the system and interrupt the boot process to point the system to another boot location. Use the set command, as described in the following steps.
The following example illustrates the restore factory-defaults command to restore the factory default settings. Dell#restore factory-defaults stack-unit 0 nvram *********************************************************************** * Warning - Restoring factory defaults will delete the existing * * persistent settings (stacking, fanout, etc.) * * After restoration the unit(s) will be powercycled immediately.
grub> set gatewayip="10.16.151.254" 7. Save the modified environmental variables. grub> save_env environment_variables NOTE: Repeat this step for all the environment variables. 8. Reload the system.
5 802.1X 802.1X is a method of port security. A device connected to a port that is enabled with 802.1X is disallowed from sending or receiving packets on the network until its identity can be verified (through a username and password, for example). This feature is named for its IEEE specification. 802.
Figure 3. EAP Frames Encapsulated in Ethernet and RADUIS The authentication process involves three devices: • • • The device attempting to access the network is the supplicant. The supplicant is not allowed to communicate on the network until the authenticator authorizes the port. It can only communicate with the authenticator in response to 802.1X requests. The device with which the supplicant communicates is the authenticator. The authenticator is the gate keeper of the network.
4. The authentication server replies with an Access-Challenge frame. The Access-Challenge frame requests that the supplicant prove that it is who it claims to be, using a specified method (an EAP-Method). The challenge is translated and forwarded to the supplicant by the authenticator. 5.
Figure 5. EAP Over RADIUS RADIUS Attributes for 802.1 Support Dell Networking systems include the following RADIUS attributes in all 802.1X-triggered Access-Request messages: Attribute 31 Calling-station-id: relays the supplicant MAC address to the authentication server. Attribute 41 NAS-Port-Type: NAS-port physical port type. 15 indicates Ethernet. Attribute 61 NAS-Port: the physical port number by which the authenticator is connected to the supplicant.
Enabling 802.1X Enable 802.1X globally. Figure 6. 802.1X Enabled 1. Enable 802.1X globally. CONFIGURATION mode dot1x authentication 2. Enter INTERFACE mode on an interface or a range of interfaces. INTERFACE mode interface [range] 3. Enable 802.1X on the supplicant interface only. INTERFACE mode dot1x authentication Verify that 802.1X is enabled globally and at the interface level using the show running-config | find dot1x command from EXEC Privilege mode.
no shutdown ! Dell# To view 802.1X configuration information for an interface, use the show dot1x interface command. In the following example, the bold lines show that 802.1X is enabled on all ports unauthorized by default. Dell#show dot1x interface TenGigabitEthernet 2/1/ 802.
Configuring a Quiet Period after a Failed Authentication If the supplicant fails the authentication process, the authenticator sends another Request Identity frame after 30 seconds by default, but you can configure this period. NOTE: The quiet period (dot1x quiet-period) is a transmit interval for after a failed authentication; the Request Identity Re-transmit interval (dot1x tx-period) is for an unresponsive supplicant. To configure a quiet period, use the following command.
The bold line shows the new port-control state. Dell(conf-if-Te-1/1)#dot1x port-control force-authorized Dell(conf-if-Te-1/1)#show dot1x interface TenGigabitEthernet 1/1 802.
Auth PAE State: Backend State: Auth PAE State: Backend State: Initialize Initialize Initialize Initialize Configuring Timeouts If the supplicant or the authentication server is unresponsive, the authenticator terminates the authentication process after 30 seconds by default. You can configure the amount of time the authenticator waits for a response. To terminate the authentication process, use the following commands. • Terminate the authentication process due to an unresponsive supplicant.
Configuring Dynamic VLAN Assignment with Port Authentication Dell Networking OS supports dynamic VLAN assignment when using 802.1X. The basis for VLAN assignment is RADIUS attribute 81, Tunnel-Private-Group-ID. Dynamic VLAN assignment uses the standard dot1x procedure: 1. The host sends a dot1x packet to the Dell Networking system 2. The system forwards a RADIUS REQEST packet containing the host MAC address and ingress port number 3.
Guest and Authentication-Fail VLANs Typically, the authenticator (the Dell system) denies the supplicant access to the network until the supplicant is authenticated. If the supplicant is authenticated, the authenticator enables the port and places it in either the VLAN for which the port is configured or the VLAN that the authentication server indicates in the authentication data. NOTE: Ports cannot be dynamically assigned to the default VLAN.
Dell(conf-if-Te-2/1)# Dell(conf-if-Te-2/1)#dot1x auth-fail-vlan 100 max-attempts 5 Dell(conf-if-Te-2/1)#show config ! interface TenGigabitEthernet 2/1 switchport dot1x authentication dot1x guest-vlan 200 dot1x auth-fail-vlan 100 max-attempts 5 no shutdown Dell(conf-if-Te-2/1)# View your configuration using the show config command from INTERFACE mode, as shown in the example in Configuring a Guest VLAN or using the show dot1x interface command from EXEC Privilege mode.
6 Access Control Lists (ACLs) This chapter describes access control lists (ACLs), prefix lists, and route-maps. At their simplest, access control lists (ACLs), prefix lists, and route-maps permit or deny traffic based on MAC and/or IP addresses. This chapter describes implementing IP ACLs, IP prefix lists and route-maps. For MAC ACLS, refer to Layer 2.
When creating an access list, the sequence of the filters is important. You have a choice of assigning sequence numbers to the filters as you enter them, or the Dell Networking Operating System (OS) assigns numbers in the order the filters are created. The sequence numbers are listed in the display output of the show config and show ip accounting access-list commands.
If counters are enabled on ACL rules that are already configured, those counters are reset when a new rule which is inserted or prepended or appended requires a hardware shift in the flow table. Resetting the counters to 0 is transient as the proginal counter values are retained after a few seconds. If there is no need to shift the flow in the hardware, the counters are not disturbed.
IP Fragment Handling Dell Networking OS supports a configurable option to explicitly deny IP fragmented packets, particularly second and subsequent packets. It extends the existing ACL command syntax with the fragments keyword for all Layer 3 rules applicable to all Layer protocols (permit/ deny ip/tcp/udp/icmp). • • • • • • • Both standard and extended ACLs support IP fragments. Second and subsequent fragments are allowed because a Layer 4 rule cannot be applied to these fragments.
In the following example, the TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied. Example of Permitting Only First Fragments and Non-Fragmented Packets from a Specified Host Dell(conf)#ip access-list extended ABC Dell(conf-ext-nacl)#permit tcp host 10.1.1.
The following example shows how the seq command orders the filters according to the sequence number assigned. In the example, filter 25 was configured before filter 15, but the show config command displays the filters in the correct order. Dell(config-std-nacl)#seq 25 deny ip host 10.5.0.0 any log Dell(config-std-nacl)#seq 15 permit tcp 10.3.0.0 /16 any Dell(config-std-nacl)#show config ! ip access-list standard dilling seq 15 permit tcp 10.3.0.0/16 any seq 25 deny ip host 10.5.0.
Configure an Extended IP ACL Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Because traffic passes through the filter in the order of the filter’s sequence, you can configure the extended IP ACL by first entering IP ACCESS LIST mode and then assigning a sequence number to the filter. Configuring Filters with a Sequence Number To configure filters with a sequence number, use the following commands.
seq 5 permit tcp 12.1.0.0 0.0.255.255 any seq 15 deny ip host 112.45.0.0 any log Dell(config-ext-nacl)# Configuring Filters Without a Sequence Number If you are creating an extended ACL with only one or two filters, you can let Dell Networking OS assign a sequence number based on the order in which the filters are configured. Dell Networking OS assigns filters in multiples of five.
L2 ACL Behavior L3 ACL Behavior Decision on Targeted Traffic Deny Permit L3 ACL permits. Permit Deny L3 ACL denies. Permit Permit L3 ACL permits. NOTE: If you configure an interface as a vlan-stack access port, only the L2 ACL filters the packets. The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features (such as trace-list, policy-based routing [PBR], and QoS) are applied to the permitted traffic. For information about MAC ACLs, refer to Layer 2.
Counting ACL Hits You can view the number of packets matching the ACL by using the count option when creating ACL entries. 1. Create an ACL that uses rules with the count option. Refer to Configure a Standard IP ACL Filter. 2. Apply the ACL as an inbound or outbound ACL on an interface. 3. show ip accounting access-list EXEC Privilege mode View the number of packets matching the ACL. Configure Ingress ACLs Ingress ACLs are applied to interfaces and to traffic entering the system.
seq 10 deny icmp any any seq 15 permit 1.1.1.2 Configure Egress ACLs Egress ACLs are applied to line cards and affect the traffic leaving the system. Configuring egress ACLs onto physical interfaces protects the system infrastructure from attack — malicious and incidental — by explicitly allowing only authorized traffic. These system-wide ACLs eliminate the need to apply ACLs onto each interface and achieves the same results. By localizing target traffic, it is a simpler implementation.
1. Apply Egress ACLs to IPv4 system traffic. CONFIGURATION mode ip control-plane [egress filter] 2. Apply Egress ACLs to IPv6 system traffic. CONFIGURATION mode ipv6 control-plane [egress filter] 3. Create a Layer 3 ACL using permit rules with the count option to describe the desired CPU traffic.
Creating a Prefix List To create a prefix list, use the following commands. 1. Create a prefix list and assign it a unique name. You are in PREFIX LIST mode. CONFIGURATION mode ip prefix-list prefix-name 2. Create a prefix list with a sequence number and a deny or permit action. CONFIG-NPREFIXL mode seq sequence-number {deny | permit} ip-prefix [ge min-prefix-length] [le max-prefix-length] The optional parameters are: • • ge min-prefix-length: the minimum prefix length to match (from 0 to 32).
! ip prefix-list awe seq 5 permit 123.23.0.0/16 seq 10 deny 133.0.0.0/8 Dell(conf-nprefixl)# To delete a filter, enter the show config command in PREFIX LIST mode and locate the sequence number of the filter you want to delete, then use the no seq sequence-number command in PREFIX LIST mode. Viewing Prefix Lists To view all configured prefix lists, use the following commands. • Show detailed information about configured prefix lists.
CONFIG-ROUTER-RIP mode distribute-list prefix-list-name out [interface | connected | static | ospf] To view the configuration, use the show config command in ROUTER RIP mode, or the show running-config rip command in EXEC mode. Dell(conf-router_rip)#show config ! router rip distribute-list prefix juba out network 10.0.0.0 Dell(conf-router_rip)#router ospf 34 Applying a Filter to a Prefix List (OSPF) To apply a filter to routes in open shortest path first (OSPF), use the following commands.
Rules Resquencing seq 7 permit any host 1.1.1.3 seq 10 permit any host 1.1.1.4 Rules After Resequencing: seq 5 permit any host 1.1.1.1 seq 10 permit any host 1.1.1.2 seq 15 permit any host 1.1.1.3 seq 20 permit any host 1.1.1.4 Resequencing an ACL or Prefix List Resequencing is available for IPv4 and IPv6 ACLs, prefix lists, and MAC ACLs. To resequence an ACL or prefix list, use the following commands. You must specify the list name, starting number, and increment when using these commands.
remark 9 ABC remark 10 this remark corresponds to permit ip any host 1.1.1.2 seq 10 permit ip any host 1.1.1.2 seq 15 permit ip any host 1.1.1.3 seq 20 permit ip any host 1.1.1.4 Dell# end Dell# resequence access-list ipv4 test 2 2 Dell# show running-config acl ! ip access-list extended test remark 2 XYZ remark 4 this remark corresponds to permit any host 1.1.1.1 seq 4 permit ip any host 1.1.1.1 remark 6 this remark has no corresponding rule remark 8 this remark corresponds to permit ip any host 1.1.1.
Creating a Route Map Route maps, ACLs, and prefix lists are similar in composition because all three contain filters, but route map filters do not contain the permit and deny actions found in ACLs and prefix lists. Route map filters match certain routes and set or specify values. To create a route map, use the following command. • Create a route map and assign it a unique name. The optional permit and deny keywords are the action of the route map.
tag 3444 Dell# To delete a route map, use the no route-map map-name command in CONFIGURATION mode. Configure Route Map Filters Within ROUTE-MAP mode, there are match and set commands. match commands search for a certain criterion in the routes. set commands change the characteristics of routes, either adding something or specifying a level.
match interface interface The parameters are: • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. • For a port channel interface, enter the keywords port-channel then a number. • For a VLAN interface, enter the keyword vlan then a number from 1 to 4094.
• set level {backbone | level-1 | level-1-2 | level-2 | stub-area} Specify a value for the BGP route’s LOCAL_PREF attribute. • CONFIG-ROUTE-MAP mode set local-preference value Specify a value for redistributed routes. • CONFIG-ROUTE-MAP mode set metric {+ | - | metric-value} Specify an OSPF or ISIS type for redistributed routes. • CONFIG-ROUTE-MAP mode set metric-type {external | internal | type-1 | type-2} Assign an IP address as the route’s next hop.
Configure a Route Map for Route Tagging One method for identifying routes from different routing protocols is to assign a tag to routes from that protocol. As the route enters a different routing domain, it is tagged. The tag is passed along with the route as it passes through different routing protocols. You can use this tag when the route leaves a routing domain to redistribute those routes again.
expires, a fresh interval timer starts and the packet count for that new interval commences from zero. If ACL logging was stopped previously because the configured threshold has exceeded, it is reenabled for this new interval. The ACL application sends the ACL logging configuration information and other details, such as the action, sequence number, and the ACL parameters that pertain to that ACL entry. The ACL service collects the ACL log and records the following attributes per log message.
seq sequence-number {deny | permit} {source [mask] | any | host ip-address} [log [thresholdin-msgs count] ] 2. Specify the interval in minutes at which ACL logs must be generated. You can enter an interval in the range of 1-10 minutes. The default frequency at which ACL logs are generated is 5 minutes. If ACL logging is stopped because the configured threshold has exceeded, it is re-enabled after the logging interval period elapses.
Example Output of the show Command Dell(conf-mon-sess-0)#do show monitor session 0 SessID -----0 Source -----Te 1/1 Destination ----------Te 1/2 Dir --rx Mode Source IP ---- --------Flow N/A Dest IP -------N/A The show config command has been modified to display monitoring configuration in a particular session.
ip access-group testflow in shutdown Dell(conf-if-te-1/1)#exit Dell(conf)#do show ip accounting access-list testflow ! Extended Ingress IP access list testflow on TenGigabitEthernet 1/1 Total cam count 4 seq 5 permit icmp any any monitor count bytes (0 packets 0 bytes) seq 10 permit ip 102.1.1.
7 Access Control List (ACL) VLAN Groups and Content Addressable Memory (CAM) This chapter describes the access control list (ACL) VLAN group and content addressable memory (CAM) enhancements.
• • A line card returns to the active state after going down, and this line card contains a VLAN that is a member of an ACL group. The ACL VLAN group is deleted and it contains VLAN members. The ACL manager does not notify the ACL agent in the following cases: • • • • The ACL VLAN group is created. The ACL VLAN group is deleted and it does not contain any VLAN members. The ACL is applied or removed from a group, and the ACL group does not contain a VLAN member.
2. Add a description to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode description description 3. Apply an egress IP ACL to the ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode ip access-group {group name} out implicit-permit 4. Add VLAN member(s) to an ACL VLAN group. CONFIGURATION (conf-acl-vl-grp) mode member vlan {VLAN-range} 5. Display all the ACL VLAN groups or display a specific ACL VLAN group, identified by name.
11 | | | | 1 | | | | OUT-L2 ACL IN-L2 ACL IN-L2 FIB OUT-L2 ACL | | | | 0 7152 32768 0 | | | | 0 0 1081 0 | | | | 0 7152 31687 0 Viewing CAM Usage This functionality is supported on the Z9000 platform. View the amount of CAM space available, used, and remaining in each partition (including IPv4Flow and Layer 2 ACL sub- partitions) using the show cam-usage command in EXEC Privilege mode Display Layer 2, Layer 3, ACL, or all CAM usage statistics.
The following sample output displays the CAM space utilization for Layer 3 ACLs: Dell#show cam-usage router Linecard|Portpipe| CAM Partition | Total CAM | Used CAM |Available CAM ========|========|=================|=============|=============|============== 11 | 0 | IN-L3 ACL | 8192 | 3 | 8189 | | IN-L3 FIB | 196607 | 1 | 196606 | | IN-L3-SysFlow | 2878 | 0 | 2878 | | IN-L3-TrcList | 1024 | 0 | 1024 | | IN-L3-McastFib | 9215 | 0 | 9215 | | IN-L3-Qos | 8192 | 0 | 8192 | | IN-L3-PBR | 1024 | 0 | 1024 | | OUT-
8 Bidirectional Forwarding Detection (BFD) BFD is a protocol that is used to rapidly detect communication failures between two adjacent systems. It is a simple and lightweight replacement for existing routing protocol link state detection mechanisms. It also provides a failure detection solution for links on which no routing protocol is used. BFD is a simple hello mechanism. Two neighboring systems running BFD establish a session using a three-way handshake.
BFD Packet Format Control packets are encapsulated in user datagram protocol (UDP) packets. The following illustration shows the complete encapsulation of a BFD control packet inside an IPv4 packet. Figure 8. BFD in IPv4 Packet Format Field Description Diagnostic Code The reason that the last session failed. State The current local session state. Refer to BFD Sessions. Flag A bit that indicates packet function.
Field Description Your Discriminator A random number generated by the remote system to identify the session. Discriminator values are necessary to identify the session to which a control packet belongs because there can be many sessions running on a single interface. Desired Min TX Interval The minimum rate at which the local system would like to send control packets to the remote system.
The session is declared down if: • • • A control packet is not received within the detection time. Sufficient echo packets are lost. Demand mode is active and a control packet is not received in response to a poll packet. BFD Three-Way Handshake A three-way handshake must take place between the systems that participate in the BFD session.
Session State Changes The following illustration shows how the session state on a system changes based on the status notification it receives from the remote system. For example, if a session on a system is down and it receives a Down status notification from the remote system, the session state on the local system changes to Init. Figure 10. Session State Changes Important Points to Remember • • • • • • Enable BFD on both ends of a link.
Configure BFD for Physical Ports Configuring BFD for physical ports is supported on the C-Series and E-Series platforms only. BFD on physical ports is useful when you do not enable the routing protocol. Without BFD, if the remote system fails, the local system does not remove the connected route until the first failed attempt to send a packet. When you enable BFD, the local system removes the route as soon as it stops receiving periodic control packets from the remote system.
CONFIGURATION mode interface 2. Assign an IP address to the interface if one is not already assigned. INTERFACE mode ip address ip-address 3. Identify the neighbor that the interface participates with the BFD session. INTERFACE mode bfd neighbor ip-address To verify that the session is established, use the show bfd neighbors command. The bold line shows the BFD session.
Example of Viewing Session Parameters R1(conf-if-te-4/24)#bfd interval 100 min_rx 100 multiplier 4 role passive R1(conf-if-te-4/24)#do show bfd neighbors detail Session Discriminator: 1 Neighbor Discriminator: 1 Local Addr: 2.2.2.1 Local MAC Addr: 00:01:e8:09:c3:e5 Remote Addr: 2.2.2.
3. Configure an IP route to connect BFD on the static routes using the ip route bfd command. Related Configuration Tasks • • Changing Static Route Session Parameters Disabling BFD for Static Routes Establishing Sessions for Static Routes Sessions are established for all neighbors that are the next hop of a static route. Figure 12. Establishing Sessions for Static Routes To establish a BFD session, use the following command.
ip route bfd interval milliseconds min_rx milliseconds multiplier value role [active | passive] To view session parameters, use the show bfd neighbors detail command, as shown in the examples in Displaying BFD for BGP Information Disabling BFD for Static Routes If you disable BFD, all static route BFD sessions are torn down. A final Admin Down packet is sent to all neighbors on the remote systems, and those neighbors change to the Down state. To disable BFD for static routes, use the following command.
Establishing Sessions with OSPF Neighbors BFD sessions can be established with all OSPF neighbors at once or sessions can be established with all neighbors out of a specific interface. Sessions are only established when the OSPF adjacency is in the Full state. Figure 13. Establishing Sessions with OSPF Neighbors To establish BFD with all OSPF neighbors or with OSPF neighbors on a single interface, use the following commands. • Establish sessions with all OSPF neighbors.
I O R - ISIS - OSPF - Static Route (RTM) LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.2.2 2.2.2.1 Te 2/1 Up 100 100 3 O * 2.2.3.1 2.2.3.2 Te 2/2 Up 100 100 3 O Changing OSPF Session Parameters Configure BFD sessions with default intervals and a default role. The parameters that you can configure are: desired tx interval, required min rx interval, detection multiplier, and system role. Configure these parameters for all OSPF sessions or all OSPF sessions on a particular interface.
Establishing Sessions with OSPFv3 Neighbors You can establish BFD sessions with all OSPFv3 neighbors at once or with all neighbors out of a specific interface. Sessions are only established when the OSPFv3 adjacency is in the Full state. To establish BFD with all OSPFv3 neighbors or with OSPFv3 neighbors on a single interface, use the following commands. • Establish sessions with all OSPFv3 neighbors. • ROUTER-OSPFv3 mode bfd all-neighbors Establish sessions with OSPFv3 neighbors on a single interface.
Related Configuration Tasks • • Changing IS-IS Session Parameters Disabling BFD for IS-IS Establishing Sessions with IS-IS Neighbors BFD sessions can be established for all IS-IS neighbors at once or sessions can be established for all neighbors out of a specific interface. Figure 14. Establishing Sessions with IS-IS Neighbors To establish BFD with all IS-IS neighbors or with IS-IS neighbors on a single interface, use the following commands. • Establish sessions with all IS-IS neighbors.
O R - OSPF - Static Route (RTM) LocalAddr * 2.2.2.2 RemoteAddr Interface State Rx-int Tx-int Mult Clients 2.2.2.1 Te 2/1 Up 100 100 3 I Changing IS-IS Session Parameters BFD sessions are configured with default intervals and a default role. The parameters that you can configure are: Desired TX Interval, Required Min RX Interval, Detection Multiplier, and system role. These parameters are configured for all IS-IS sessions or all IS-IS sessions out of an interface.
For example, the following illustration shows a sample BFD configuration on Router 1 and Router 2 that use eBGP in a transit network to interconnect AS1 and AS2. The eBGP routers exchange information with each other as well as with iBGP routers to maintain connectivity and accessibility within each autonomous system. Figure 15.
neighbor {ip-address | peer-group name} remote-as as-number 4. Enable the BGP neighbor. CONFIG-ROUTERBGP mode neighbor {ip-address | peer-group-name} no shutdown 5. Configure parameters for a BFD session established with all neighbors discovered by BGP. OR Establish a BFD session with a specified BGP neighbor or peer group using the default BFD session parameters.
Displaying BFD for BGP Information You can display related information for BFD for BGP. To display information about BFD for BGP sessions on a router, use the following commands and refer to the following examples. • Verify a BFD for BGP configuration. EXEC Privilege mode show running-config bgp • Verify that a BFD for BGP session has been successfully established with a BGP neighbor. A line-by-line listing of established BFD adjacencies is displayed.
TX: 100ms, RX: 100ms, Multiplier: 3 Neighbor parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Actual parameters: TX: 100ms, RX: 100ms, Multiplier: 3 Role: Active Delete session on Down: True Client Registered: BGP Uptime: 00:07:55 Statistics: Number of packets received from neighbor: 4762 Number of packets sent to neighbor: 4490 Number of state changes: 2 Number of messages from IFA about port state change: 0 Number of messages communicated b/w Manager and Agent: 5 Session Discriminator: 10 Neighbor Discrimi
De-registration Init Up Down Admin Down : : : : : 0 0 1 0 2 The following example shows viewing BFD summary information. The bold line shows the message displayed when you enable BFD for BGP connections. R2# show ip bgp summary BGP router identifier 10.0.0.1, local AS number 2 BGP table version is 0, main routing table version 0 BFD is enabled, Interval 100 Min_rx 100 Multiplier 3 Role Active 3 neighbor(s) using 24168 bytes of memory Neighbor AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/Pfx 1.1.1.
BGP neighbor is 2.2.2.3, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.4 BGP state ESTABLISHED, in this state for 00:05:33 ... Neighbor is using BGP neighbor mode BFD configuration Peer active in peer-group outbound optimization ... R2# show ip bgp neighbors 2.2.2.4 BGP neighbor is 2.2.2.4, remote AS 1, external link Member of peer-group pg1 for session parameters BGP version 4, remote router ID 12.0.0.
Establishing Sessions with All VRRP Neighbors BFD sessions can be established for all VRRP neighbors at once, or a session can be established with a particular neighbor. Figure 16. Establishing Sessions with All VRRP Neighbors To establish sessions with all VRRP neighbors, use the following command. • Establish sessions with all VRRP neighbors.
LocalAddr RemoteAddr Interface State Rx-int Tx-int Mult Clients * 2.2.5.1 2.2.5.2 Te 4/25 Down 1000 1000 3 V To view session state information, use the show vrrp command. The bold line shows the VRRP BFD session. Dell(conf-if-te-4/25)#do show vrrp -----------------TenGigabitEthernet 4/1, VRID: 1, Net: 2.2.5.1 State: Backup, Priority: 1, Master: 2.2.5.
• no vrrp bfd all-neighbors Disable all VRRP sessions in a VRRP group. • VRRP mode bfd disable Disable a particular VRRP session on an interface. INTERFACE mode no vrrp bfd neighbor ip-address Configuring Protocol Liveness Protocol liveness is a feature that notifies the BFD manager when a client protocol is disabled. When you disable a client, all BFD sessions for that protocol are torn down. Neighbors on the remote system receive an Admin Down control packet and are placed in the Down state.
TX packet dump: 20 c0 03 18 00 00 00 04 00 00 00 05 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Received packet for session with neighbor 2.2.2.2 on Te 4/24 RX packet dump: 20 c0 03 18 00 00 00 05 00 00 00 04 00 01 86 a0 00 01 86 a0 00 00 00 00 00:34:14 : Sent packet for session with neighbor 2.2.2.2 on Te 4/24 L The output for the debug bfd event command is the same as the log messages that appear on the console by default.
9 Border Gateway Protocol IPv4 (BGPv4) This chapter provides a general description of BGPv4 as it is supported in the Dell Networking Operating System (OS). BGP protocol standards are listed in the Standards Compliance chapter. BGP is an external gateway protocol that transmits interdomain routing information within and between autonomous systems (AS). The primary function of the BGP is to exchange network reachability information with other BGP systems.
Figure 17. Internal BGP BGP version 4 (BGPv4) supports classless interdomain routing and aggregate routes and AS paths. BGP is a path vector protocol — a computer network in which BGP maintains the path that updated information takes as it diffuses through the network. Updates traveling through the network and returning to the same node are easily detected and discarded.
Figure 18. BGP Routers in Full Mesh The number of BGP speakers each BGP peer must maintain increases exponentially. Network management quickly becomes impossible. Sessions and Peers When two routers communicate using the BGP protocol, a BGP session is started. The two end-points of that session are Peers. A Peer is also called a Neighbor. Establish a Session Information exchange between peers is driven by events and timers. The focus in BGP is on the traffic routing policies.
State Description Connect In this state the router waits for the TCP connection to complete, transitioning to the OpenSent state if successful. If that transition is not successful, BGP resets the ConnectRetry timer and transitions to the Active state when the timer expires. Active The router resets the ConnectRetry timer to zero and returns to the Connect state. OpenSent After successful OpenSent transition, the router sends an Open message and waits for one in return.
1. Router B receives an advertisement from Router A through eBGP. Because the route is learned through eBGP, Router B advertises it to all its iBGP peers: Routers C and D. 2. Router C receives the advertisement but does not advertise it to any peer because its only other peer is Router D, an iBGP peer, and Router D has already learned it through iBGP from Router B. 3.
Figure 20. BGP Best Path Selection Best Path Selection Details 1. Prefer the path with the largest WEIGHT attribute. 2. Prefer the path with the largest LOCAL_PREF attribute. 3. Prefer the path that was locally Originated via a network command, redistribute command or aggregate-address command. a. Routes originated with the Originated via a network or redistribute commands are preferred over routes originated with the aggregate-address command. 4.
a. if the Router-ID is the same for multiple paths (because the routes were received from the same route) skip this step. b. if the Router-ID is NOT the same for multiple paths, prefer the path that was first received as the Best Path. The path selection algorithm returns without performing any of the checks detailed here. 11. Prefer the external path originated from the BGP router with the lowest router ID. If both paths are external, prefer the oldest path (first received path).
Figure 21. BGP Local Preference Multi-Exit Discriminators (MEDs) If two ASs connect in more than one place, a multi-exit discriminator (MED) can be used to assign a preference to a preferred path. MED is one of the criteria used to determine the best path, so keep in mind that other criteria may impact selection, as shown in the illustration in Best Path Selection Criteria. One AS assigns the MED a value and the other AS uses that value to decide the preferred path.
Figure 22. Multi-Exit Discriminators NOTE: Configuring the set metric-type internal command in a route-map advertises the IGP cost as MED to outbound EBGP peers when redistributing routes. The configured set metric value overwrites the default IGP cost. If the outbound route-map uses MED, it overwrites IGP MED. Origin The origin indicates the origin of the prefix, or how the prefix came into BGP. There are three origin codes: IGP, EGP, INCOMPLETE.
Example of Viewing AS Paths Dell#show ip bgp paths Total 30655 Paths Address Hash Refcount Metric 0x4014154 0 3 18508 0x4013914 0 3 18508 0x5166d6c 0 3 18508 0x5e62df4 0 2 18508 0x3a1814c 0 26 18508 0x567ea9c 0 75 18508 0x6cc1294 0 2 18508 0x6cc18d4 0 1 18508 0x5982e44 0 162 18508 0x67d4a14 0 2 18508 0x559972c 0 31 18508 0x59cd3b4 0 2 18508 0x7128114 0 10 18508 0x536a914 0 3 18508 0x2ffe884 0 1 18508 Path 701 3549 19421 i 701 7018 14990 i 209 4637 1221 9249 9249 i 701 17302 i 209 22291 i 209 3356 2529 i 20
path becomes unavailable, the BGP speaker withdraws its path from its local RIB and recalculates a new best path. This situation requires both IGP and BGP convergence and can be a lengthy process. BGP add-path also helps switchover to the next new best path when the current best path is unavailable. Advertise IGP Cost as MED for Redistributed Routes When using multipath connectivity to an external AS, you can advertise the MED value selectively to each peer for redistributed routes.
Traditional Format DOT Format 65536 1.0 100000 1.34464 4294967295 65535.65535 When creating Confederations, all the routers in a Confederation must be either 4-Byte or 2-Byte identified routers. You cannot mix them. Configure 4-byte AS numbers with the four-octet-support command. AS4 Number Representation Dell Networking OS supports multiple representations of 4-byte AS numbers: asplain, asdot+, and asdot.
bgp four-octet-as-support neighbor 172.30.1.250 local-as 65057
Figure 23. Before and After AS Number Migration with Local-AS Enabled When you complete your migration, and you have reconfigured your network with the new information, disable this feature. If you use the “no prepend” option, the Local-AS does not prepend to the updates received from the eBGP peer. If you do not select “no prepend” (the default), the Local-AS is added to the first AS segment in the AS-PATH.
Important Points to Remember • • • • • • • • • • • • • • • • • • • • • • • • Because eBGP packets are not controlled by the ACL, packets from BGP neighbors cannot be blocked using the deny ip command. The f10BgpM2AsPathTableEntry table, f10BgpM2AsPathSegmentIndex, and f10BgpM2AsPathElementIndex are used to retrieve a particular ASN from the AS path. These indices are assigned to the AS segments and individual ASN in each segment starting from 0.
• delayed configuration (the software at system boot reads the entire configuration file prior to sending messages to start BGP peer sessions) The following are not yet supported: • • auto-summarization (the default is no auto-summary) synchronization (the default is no synchronization) BGP Configuration To enable the BGP process and begin exchanging information, assign an AS number and use commands in ROUTER BGP mode to configure a BGP neighbor. By default, BGP is disabled.
NOTE: Sample Configurations for enabling BGP routers are found at the end of this chapter. 1. Assign an AS number and enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte) or 0.1 to 65535.65535 (Dotted format). Only one AS is supported per system. NOTE: If you enter a 4-Byte AS number, 4-Byte AS support is enabled automatically. a) Enable 4-Byte support for the BGP process. NOTE: This command is OPTIONAL.
10.10.21.1 10.10.32.3 100.10.92.9 192.168.10.1 192.168.12.2 R2# 65123 65123 65192 65123 65123 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 never never never never never Active Active Active Active Active The following example shows the show ip bgp summary command output (4–byte AS number displays). R2#show ip bgp summary BGP router identifier 192.168.10.2, local AS number 48735.
BGP state IDLE, in this state for 17:12:40 Last read 17:12:40, hold time is 180, keepalive interval is 60 seconds Received 0 messages, 0 notifications, 0 in queue Sent 0 messages, 0 notifications, 0 in queue Received 0 updates, Sent 0 updates Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP table version 0, neighbor version 0 0 accepted prefixes consume 0 bytes Prefix advertised 0, rejected 0, withdrawn 0 Connections established 0; dropped 0 Last reset never No activ
NOTE: ASPLAIN is the default method Dell Networking OS uses and does not appear in the configuration display. • Enable ASDOT AS Number representation. • CONFIG-ROUTER-BGP mode bgp asnotation asdot Enable ASDOT+ AS Number representation. CONFIG-ROUTER-BGP mode bgp asnotation asdot+ The following example shows the bgp asnotation asplain command output. Dell(conf-router_bgp)#bgp asnotation asplain Dell(conf-router_bgp)#sho conf ! router bgp 100 bgp four-octet-as-support neighbor 172.30.1.
CONFIG-ROUTERBGP mode neighbor peer-group-name peer-group 2. Enable the peer group. CONFIG-ROUTERBGP mode neighbor peer-group-name no shutdown By default, all peer groups are disabled. 3. Create a BGP neighbor. CONFIG-ROUTERBGP mode neighbor ip-address remote-as as-number 4. Enable the neighbor. CONFIG-ROUTERBGP mode neighbor ip-address no shutdown 5. Add an enabled neighbor to the peer group. CONFIG-ROUTERBGP mode neighbor ip-address peer-group peer-group-name 6. Add a neighbor as a remote AS.
neighbor 10.14.8.60 remote-as 18505 neighbor 10.14.8.60 no shutdown Dell(conf-router_bgp)# To enable a peer group, use the neighbor peer-group-name no shutdown command in CONFIGURATION ROUTER BGP mode (shown in bold). Dell(conf-router_bgp)#neighbor zanzibar no shutdown Dell(conf-router_bgp)#show config ! router bgp 45 bgp fast-external-fallover bgp log-neighbor-changes neighbor zanzibar peer-group neighbor zanzibar no shutdown neighbor 10.1.1.1 remote-as 65535 neighbor 10.1.1.1 shutdown neighbor 10.14.8.
Configuring BGP Fast Fall-Over By default, a BGP session is governed by the hold time. BGP routers typically carry large routing tables, so frequent session resets are not desirable. The BGP fast fall-over feature reduces the convergence time while maintaining stability. The connection to a BGP peer is immediately reset if a link to a directly connected external peer fails. When you enable fall-over, BGP tracks IP reachability to the peer remote address and the peer local address.
To verify that fast fall-over is enabled on a peer-group, use the show ip bgp peer-group command (shown in bold). Dell#sh ip bgp peer-group Peer-group test fall-over enabled BGP version 4 Minimum time between advertisement runs is 5 seconds For address family: IPv4 Unicast BGP neighbor is test Number of peers in this group 1 Peer-group members (* - outbound optimized): 100.100.100.
Maintaining Existing AS Numbers During an AS Migration The local-as feature smooths out the BGP network migration operation and allows you to maintain existing ASNs during a BGP network migration. When you complete your migration, be sure to reconfigure your routers with the new information and disable this feature. • Allow external routes from this neighbor. CONFIG-ROUTERBGP mode neighbor {IP address | peer-group-name local-as as number [no prepend] • • • Peer Group Name: 16 characters.
To disable this feature, use the no neighbor allow-as in number command in CONFIGURATION ROUTER BGP mode. R2(conf-router_bgp)#show conf ! router bgp 65123 bgp router-id 192.168.10.2 network 10.10.21.0/24 network 10.10.32.0/24 network 100.10.92.0/24 network 192.168.10.0/24 bgp four-octet-as-support neighbor 10.10.21.1 remote-as 65123 neighbor 10.10.21.1 filter-list Laura in neighbor 10.10.21.1 no shutdown neighbor 10.10.32.3 remote-as 65123 neighbor 10.10.32.3 no shutdown neighbor 100.10.92.
CONFIG-ROUTER-BGP mode bgp graceful-restart [stale-path-time time-in-seconds] • The default is 360 seconds. Local router supports graceful restart as a receiver only. CONFIG-ROUTER-BGP mode bgp graceful-restart [role receiver-only] Enabling Neighbor Graceful Restart BGP graceful restart is active only when the neighbor becomes established. Otherwise, it is disabled. Graceful-restart applies to all neighbors with established adjacency.
exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Use a configured AS-PATH ACL for route filtering and manipulation. CONFIG-ROUTER-BGP mode neighbor {ip-address | peer-group-name} filter-list as-path-name {in | out} If you assign an non-existent or empty AS-PATH ACL, the software allows all routes. To view all BGP path attributes in the BGP database, use the show ip bgp paths command in EXEC Privilege mode.
Regular Expression Definition - (hyphen) Used within brackets to specify a range of AS or community numbers. _ (underscore) Matches a ^, a $, a comma, a space, or a {, or a }. Placed on either side of a string to specify a literal and disallow substring matching. You can precede or follow numerals enclosed by underscores by any of the characters listed. | (pipe) Matches characters on either side of the metacharacter; logical OR.
• Include specific ISIS routes in BGP. ROUTER BGP or CONF-ROUTER_BGPv6_ AF mode redistribute isis [level-1 | level-1-2 | level-2] [metric value] [route-map map-name] Configure the following parameters: • • level-1, level-1-2, or level-2: Assign all redistributed routes to a level. The default is level-2. • metric value: The value is from 0 to 16777215. The default is 0. • map-name: name of a configured route map. Include specific OSPF routes in IS-IS.
CONFIGURATION mode ip community-list community-list-name 2. Configure a community list by denying or permitting specific community numbers or types of community. CONFIG-COMMUNITYLIST mode {deny | permit} {community-number | local-AS | no-advertise | no-export | quote-regexp regular-expression-list | regexp regular-expression} • • • • • • community-number: use AA:NN format where AA is the AS number (2 Bytes or 4 Bytes) and NN is a value specific to that autonomous system.
Dell#show ip community-lists ip community-list standard 1 deny 701:20 deny 702:20 deny 703:20 deny 704:20 deny 705:20 deny 14551:20 deny 701:112 deny 702:112 deny 703:112 deny 704:112 deny 705:112 deny 14551:112 deny 701:667 deny 702:667 deny 703:667 deny 704:666 deny 705:666 deny 14551:666 Dell# Filtering Routes with Community Lists To use an IP community list or IP extended community list to filter routes, you must apply a match community filter to a route map and then apply that route map to a BGP neigh
neighbor {ip-address | peer-group-name} send-community To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode. If you want to remove or add a specific COMMUNITY number from a BGP path, you must create a route map with one or both of the following statements in the route map. Then apply that route map to a BGP neighbor or peer group. 1. Enter ROUTE-MAP mode and assign a name to a route map. CONFIGURATION mode route-map map-name [permit | deny] [sequence-number] 2.
*>i 6.151.0.0/16 --More-- 205.171.0.16 100 0 209 7170 1455 i Changing MED Attributes By default, Dell Networking OS uses the MULTI_EXIT_DISC or MED attribute when comparing EBGP paths from the same AS. To change how the MED attribute is used, enter any or all of the following commands. • Enable MED comparison in the paths from neighbors with different ASs. CONFIG-ROUTER-BGP mode bgp always-compare-med • By default, this comparison is not performed. Change the bestpath MED selection.
Changing the NEXT_HOP Attribute You can change how the NEXT_HOP attribute is used. To change how the NEXT_HOP attribute is used, enter the first command. To view the BGP configuration, use the show config command in CONFIGURATION ROUTER BGP mode or the show running-config bgp command in EXEC Privilege mode. You can also use route maps to change this and other BGP attributes. For example, you can include the second command in a route map to specify the next hop address.
NOTE: With Dell Networking OS, you can create inbound and outbound policies. Each of the commands used for filtering has in and out parameters that you must apply. In Dell Networking OS, the order of preference varies depending on whether the attributes are applied for inbound updates or outbound updates.
route-map map-name [permit | deny] [sequence-number] 2. Create multiple route map filters with a match or set action. CONFIG-ROUTE-MAP mode {match | set} For information about configuring route maps, refer to Access Control Lists (ACLs). 3. Return to CONFIGURATION mode. CONFIG-ROUTE-MAP mode exit 4. Enter ROUTER BGP mode. CONFIGURATION mode router bgp as-number 5. Filter routes based on the criteria in the configured route map.
Configuring BGP Route Reflectors BGP route reflectors are intended for ASs with a large mesh; they reduce the amount of BGP control traffic. NOTE: Dell Networking recommends not using multipath and add path simultaneously in a route reflector. With route reflection configured properly, IBGP routers are not fully meshed within a cluster but all receive routing information.
confederations appear as one AS. Within the confederation sub-AS, the IBGP neighbors are fully meshed and the MED, NEXT_HOP, and LOCAL_PREF attributes are maintained between confederations. To configure BGP confederations, use the following commands. • Specifies the confederation ID. CONFIG-ROUTER-BGP mode bgp confederation identifier as-number • • as-number: from 0 to 65535 (2 Byte) or from 1 to 4294967295 (4 Byte). Specifies which confederation sub-AS are peers.
CONFIG-ROUTE-MAP mode set dampening half-life reuse suppress max-suppress-time • • half-life: the range is from 1 to 45. Number of minutes after which the Penalty is decreased. After the router assigns a Penalty of 1024 to a route, the Penalty is decreased by half after the half-life period expires. The default is 15 minutes. • reuse: the range is from 1 to 20000. This number is compared to the flapping route’s Penalty value.
184 BGP community entrie(s) using 7616 bytes of memory Dampening enabled. 0 history paths, 0 dampened paths, 0 penalized paths Neighbor AS MsgRcvd MsgSent TblVer 10.114.8.34 18508 82883 79977 780266 10.114.8.33 18508 117265 25069 780266 Dell> InQ OutQ Up/Down State/PfxRcd 0 2 00:38:51 118904 0 20 00:38:50 102759 To view which routes are dampened (non-active), use the show ip bgp dampened-routes command in EXEC Privilege mode.
If you specify a BGP peer group by using the peer-group-name argument, all members of the peer group inherit the characteristic configured with this command. • Clear all information or only specific details. EXEC Privilege mode clear ip bgp {* | neighbor-address | AS Numbers | ipv4 | peer-group-name} [soft [in | out]] • • *: Clears all peers. • neighbor-address: Clears the neighbor with this IP address. • AS Numbers: Peers’ AS numbers to be cleared. • ipv4: Clears information for the IPv4 address family.
Enabling MBGP Configurations Multiprotocol BGP (MBGP) is an enhanced BGP that carries IP multicast routes. BGP carries two sets of routes: one set for unicast routing and one set for multicast routing. The routes associated with multicast routing are used by the protocol independent multicast (PIM) to build data distribution trees. Dell Networking OS MBGP is implemented per RFC 1858. You can enable the MBGP feature per router and/or per peer/peer-group. The default is IPv4 Unicast routes.
• debug ip bgp [ip-address | peer-group peer-group-name] notifications [in | out] View information about BGP updates and filter by prefix name. • EXEC Privilege mode debug ip bgp [ip-address | peer-group peer-group-name] updates [in | out] [prefix-list name] Enable soft-reconfiguration debug.
ffffffff ffffffff ffffffff ffffffff 00160303 03010000 Last notification (len 21) received 00:26:20 ago ffffffff ffffffff ffffffff ffffffff 00150306 00000000 Last PDU (len 41) received 00:26:02 ago that caused notification to be issued ffffffff ffffffff ffffffff ffffffff 00290200 00000e01 02040201 00024003 04141414 0218c0a8 01000000 Local host: 1.1.1.1, Local port: 179 Foreign host: 1.1.1.
Dell(conf-router_bgp)#do sho ip bg s BGP router identifier 172.30.1.56, local AS number 65056 BGP table version is 313511, main routing table version 313511 207896 network entrie(s) and 207896 paths using 42364576 bytes of memory 59913 BGP path attribute entrie(s) using 2875872 bytes of memory 59910 BGP AS-PATH entrie(s) using 2679698 bytes of memory 3 BGP community entrie(s) using 81 bytes of memory Neighbor AS 1.1.1.2 2 172.30.1.
Example of Enabling BGP (Router 1) R1# conf R1(conf)#int loop 0 R1(conf-if-lo-0)#ip address 192.168.128.1/24 R1(conf-if-lo-0)#no shutdown R1(conf-if-lo-0)#show config ! interface Loopback 0 ip address 192.168.128.1/24 no shutdown R1(conf-if-lo-0)#int te 1/21 R1(conf-if-te-1/21)#ip address 10.0.1.21/24 R1(conf-if-te-1/21)#no shutdown R1(conf-if-te-1/21)#show config ! interface TengigabitEthernet 1/21 ip address 10.0.1.21/24 no shutdown R1(conf-if-te-1/21)#int te 1/31 R1(conf-if-te-1/31)#ip address 10.0.3.
no shutdown R2(conf-if-te-2/31)# R2(conf-if-te-2/31)#router bgp 99 R2(conf-router_bgp)#network 192.168.128.0/24 R2(conf-router_bgp)#neighbor 192.168.128.1 remote 99 R2(conf-router_bgp)#neighbor 192.168.128.1 no shut R2(conf-router_bgp)#neighbor 192.168.128.1 update-source loop 0 R2(conf-router_bgp)#neighbor 192.168.128.3 remote 100 R2(conf-router_bgp)#neighbor 192.168.128.3 no shut R2(conf-router_bgp)#neighbor 192.168.128.3 update loop 0 R2(conf-router_bgp)#show config ! router bgp 99 bgp router-id 192.168.
router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.2 remote-as 99 neighbor 192.168.128.2 peer-group AAA neighbor 192.168.128.2 update-source Loopback 0 neighbor 192.168.128.2 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.3 peer-group BBB neighbor 192.168.128.3 update-source Loopback 0 neighbor 192.168.128.3 no shutdown R1# R1#show ip bgp summary BGP router identifier 192.168.
R2(conf-router_bgp)# neighbor 192.168.128.3 peer BBB R2(conf-router_bgp)# neighbor 192.168.128.3 no shut R2(conf-router_bgp)#show conf ! router bgp 99 network 192.168.128.0/24 neighbor AAA peer-group neighbor AAA no shutdown neighbor BBB peer-group neighbor BBB no shutdown neighbor 192.168.128.1 remote-as 99 neighbor 192.168.128.1 peer-group CCC neighbor 192.168.128.1 update-source Loopback 0 neighbor 192.168.128.1 no shutdown neighbor 192.168.128.3 remote-as 100 neighbor 192.168.128.
ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Capabilities advertised to neighbor for IPv4 Unicast : MULTIPROTO_EXT(1) ROUTE_REFRESH(2) CISCO_ROUTE_REFRESH(128) Update source set to Loopback 0 Peer active in peer-group outbound optimization For address family: IPv4 Unicast BGP table version 2, neighbor version 2 Prefixes accepted 1 (consume 4 bytes), withdrawn 0 by peer Prefixes advertised 1, denied 0, withdrawn 0 from peer Connections established 6; dropped 5 Last reset 00:12:01, due to Closed by neighbor Noti
10 Content Addressable Memory (CAM) CAM is a type of memory that stores information in the form of a lookup table. On Dell Networking systems, CAM stores Layer 2 and Layer 3 forwarding information, access-lists (ACLs), flows, and routing policies.
The following additional CAM allocation settings are supported on the S6000, S4810, S4820T, or S6000–ON platforms. Table 11. Additional Default CAM Allocation Settings Additional CAM Allocation Setting FCoE ACL (fcoeacl) 0 ISCSI Opt ACL (iscsioptacl) 0 The ipv6acl and vman-dual-qos allocations must be entered as a factor of 2 (2, 4, 6, 8, 10). All other profile allocations can use either even or odd numbered ranges.
Test CAM Usage Use this command to determine whether sufficient CAM space is available to enable a service-policy. Create a Class Map with all required ACL rules, then execute the test cam-usage command in Privilege mode to verify the actual CAM space required. The Status column in the command output indicates whether or not the policy can be enabled.
Example of Viewing CAM-ACL Settings Dell(conf)#do show cam-acl -- Chassis Cam ACL -Current Settings(in block sizes) Next Boot(in block sizes) 1 block = 128 entries L2Acl : 6 4 Ipv4Acl : 4 2 Ipv6Acl : 0 0 Ipv4Qos : 2 2 L2Qos : 1 1 L2PT : 0 0 IpMacAcl : 0 0 VmanQos : 0 0 VmanDualQos : 0 0 EcfmAcl : 0 0 FcoeAcl : 0 0 iscsiOptAcl : 0 0 ipv4pbr : 0 2 vrfv4Acl : 0 2 Openflow : 0 0 fedgovacl : 0 0 -- Stack unit 0 -Current Settings(in block sizes) Next Boot(in block sizes) 1 block = 128 entries L2Acl : 6 4 Ipv4Acl
Openflow fedgovacl : : 0 0 -- Stack unit 0 -Current Settings(in block sizes) 1 block = 128 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAcl : 0 ipv4pbr : 0 vrfv4Acl : 0 Openflow : 0 fedgovacl : 0 -- Stack unit 7 -Current Settings(in block sizes) 1 block = 128 entries L2Acl : 6 Ipv4Acl : 4 Ipv6Acl : 0 Ipv4Qos : 2 L2Qos : 1 L2PT : 0 IpMacAcl : 0 VmanQos : 0 VmanDualQos : 0 EcfmAcl : 0 FcoeAcl : 0 iscsiOptAc
CAM Optimization When you enable this command, if a Policy Map containing classification rules (ACL and/or dscp/ ip-precedence rules) is applied to more than one physical interface on the same port-pipe, only a single copy of the policy is written (only 1 FP entry is used). Troubleshoot CAM Profiling The following section describes CAM profiling troubleshooting. CAM Profile Mismatches The CAM profile on all cards must match the system profile.
11 Control Plane Policing (CoPP) Control plane policing (CoPP) uses access control list (ACL) rules and quality of service (QoS) policies to create filters for a system’s control plane. That filter prevents traffic not specifically identified as legitimate from reaching the system control plane, rate-limits, traffic to an acceptable level.
Figure 26. CoPP Implemented Versus CoPP Not Implemented Topics: • Configure Control Plane Policing Configure Control Plane Policing The system can process a maximum of 4200 packets per second (PPS). Protocols that share a single queue may experience flaps if one of the protocols receives a high rate of control traffic even though per protocol CoPP is applied. This happens because queue-based rate limiting is applied first.
Configuring CoPP for Protocols This section lists the commands necessary to create and enable the service-policies for CoPP. For complete information about creating ACLs and QoS rules, refer to Access Control Lists (ACLs) and Quality of Service (QoS). The basics for creating a CoPP service policy are to create a Layer 2, Layer 3, and/or an IPv6 ACL rule for the desired protocol type. Then, create a QoS input policy to rate-limit the protocol traffics according to the ACL.
The following example shows creating the QoS input policy.
4. Assign a CPU queue-based service policy on the control plane in cpu-qos mode. Enabling this command sets the queue rates according to those configured. CONTROL-PLANE mode service-policy rate-limit-cpu-queues name The following example shows creating the QoS policy.
Increased CPU Queues for CoPP FTOS classifies every packet ingress from the front end port to system as control traffic or data traffic by having the pre-defined rules based on protocol type or packets types like ttl, slow path etc. FP is used to classify the traffic to transmit the control traffic to CMIC port. Other major function performed by the FP rule is to decide to which CPU queue the packet must be sent. All other packets will be forwarded or dropped at the ingress.
CPU Queue Weights Rate (pps) Protocol 0 100 1300 BFD 1 1 300 MC 2 2 300 TTL0, TTL1, IP with options, Mac limit violation, Hyper pull, L3 with Bcast MacDA, Unknown L3, ARP unresolved, ACL Logging 3 4 400 sFlow, L3 MTU Fail frames 4 127 2000 IPC/IRC, VLT Control frames 5 16 300 ARP Request, NS, RS, iSCSI OPT Snooping 6 16 400 ICMP, ARP Reply, NTP, Local terminated L3, NA, RA,ICMPv6 (other Than NDP and MLD) 7 64 400 xSTP, FRRP, LACP, 802.
Dell(conf)#ipv6 access-list ospfv3 cpu-qos Dell(conf-ipv6-acl-cpuqos)#permit ospf 2. Create a QoS input policy for the router and assign the policing. CONFIGURATION mode Dell(conf)#qos-policy-input ospfv3_rate cpu-qos Dell(conf-in-qos-policy-cpuqos)#rate-police 1500 16 peak 1500 16 3. Create a QoS class map to differentiate the control-plane traffic and assign to the ACL. CONFIGURATION mode Dell(conf)#class-map match-any ospfv3 cpu-qos Dell(conf-class-map-cpuqos)#match ipv6 access-group ospfv3 4.
TCP (TELNET) any VRRP any Dell# 23 any _ _ Q6 Q7 CP CP _ _ To view the queue mapping for the MAC protocols, use the show mac protocol-queue-mapping command.
12 Dynamic Host Configuration Protocol (DHCP) DHCP is an application layer protocol that dynamically assigns IP addresses and other configuration parameters to network end-stations (hosts) based on configuration policies determined by network administrators.
Option Number and Description Router Option 3 Specifies the router IP addresses that may serve as the client’s default gateway. Domain Name Server Option 6 Domain Name Option 15 Specifies the domain name servers (DNSs) that are available to the client. Specifies the domain name that clients should use when resolving hostnames via DNS. IP Address Lease Time Option 51 DHCP Message Type Option 53 Specifies the amount of time that the client is allowed to use an assigned IP address.
2. Servers unicast or broadcast a DHCPOFFER message in response to the DHCPDISCOVER that offers to the client values for the requested parameters. Multiple servers might respond to a single DHCPDISCOVER; the client might wait a period of time and then act on the most preferred offer. 3. The client broadcasts a DHCPREQUEST message in response to the offer, requesting the offered values. 4.
• • This platform supports 4000 DHCP Snooping entries. All platforms support Dynamic ARP Inspection on 16 VLANs per system. For more information, refer to Dynamic ARP Inspection. NOTE: If the DHCP server is on the top of rack (ToR) and the VLTi (ICL) is down due to a failed link, when a VLT node is rebooted in BMP (Bare Metal Provisioning) mode, it is not able to reach the DHCP server, resulting in BMP failure.
After an IP address is leased to a client, only that client may release the address. Dell Networking OS performs a IP + MAC source address validation to ensure that no client can release another clients address. This validation is a default behavior and is separate from IP+MAC source address validation.
DHCP domain-name name 2. Specify in order of preference the DNS servers that are available to a DHCP client. DHCP dns-server address Using NetBIOS WINS for Address Resolution Windows internet naming service (WINS) is a name resolution service that Microsoft DHCP clients use to correlate host names to IP addresses within a group of networks. Microsoft DHCP clients can be one of four types of NetBIOS nodes: broadcast, peer-to-peer, mixed, or hybrid. 1.
• Clear DHCP binding entries for the entire binding table. • EXEC Privilege mode. clear ip dhcp binding Clear a DHCP binding entry for an individual IP address. EXEC Privilege mode. clear ip dhcp binding ip address Configure the System to be a Relay Agent DHCP clients and servers request and offer configuration information via broadcast DHCP messages.
Figure 29. Configuring a Relay Agent To view the ip helper-address configuration for an interface, use the show ip interface command from EXEC privilege mode. Example of the show ip interface Command R1_E600#show ip int tengigabitethernet 1/3 TenGigabitEthernet 1/3 is up, line protocol is down Internet address is 10.11.0.1/24 Broadcast address is 10.11.0.255 Address determined by user input IP MTU is 1500 bytes Helper address is 192.168.0.1 192.168.0.
• The switch can obtain a dynamically assigned IP address from a DHCP server. A start-up configuration is not received. Use bare metal provisioning (BMP) to receive configuration parameters (Dell Networking OS version and a configuration file). BMP is enabled as a factory-default setting on a switch. A switch cannot operate with BMP and as a DHCP client simultaneously. To disable BMP in EXEC mode, use the stop bmp command. After BMP stops, the switch acts as a DHCP client.
Virtual Link Trunking (VLT) A DHCP client is not supported on VLT interfaces. VLAN and Port Channels DHCP client configuration and behavior are the same on Virtual LAN (VLAN) and port-channel (LAG) interfaces as on a physical interface.
Option 82 RFC 3046 (the relay agent information option, or Option 82) is used for class-based IP address assignment. The code for the relay agent information option is 82, and is comprised of two sub-options, circuit ID and remote ID. Circuit ID This is the interface on which the client-originated message is received. Remote ID This identifies the host from which the message is received. The value of this sub-option is the MAC address of the relay agent that adds Option 82.
Enabling DHCP Snooping To enable DHCP snooping, use the following commands. 1. Enable DHCP snooping globally. CONFIGURATION mode ip dhcp snooping 2. Specify ports connected to DHCP servers as trusted. INTERFACE mode ip dhcp snooping trust 3. Enable DHCP snooping on a VLAN. CONFIGURATION mode ip dhcp snooping vlan name Enabling IPv6 DHCP Snooping To enable IPv6 DHCP snooping, use the following commands. 1. Enable IPv6 DHCP snooping globally. CONFIGURATION mode ipv6 dhcp snooping 2.
clear ipv6 dhcp snooping binding Dell# clear ipv6 dhcp snooping? binding Clear the snooping binding database Displaying the Contents of the Binding Table To display the contents of the binding table, use the following command. • Display the contents of the binding table. EXEC Privilege mode show ip dhcp snooping View the DHCP snooping statistics with the show ip dhcp snooping command.
IPv6 DHCP Snooping MAC-Address Verification Configure to enable verify source mac-address in the DHCP packet against the mac address stored in the snooping binding table. • Enable IPV6 DHCP snooping . CONFIGURATION mode ipv6 dhcp snooping verify mac-address Drop DHCP Packets on Snooped VLANs Only Binding table entries are deleted when a lease expires or the relay agent encounters a DHCPRELEASE. Line cards maintain a list of snooped VLANs.
ExaScale default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10 to 16 DAIenabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI. SystemFlow has 102 entries by default. This region is comprised of two sub-regions: L2Protocol and L2SystemFlow. L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries are used by Layer 2 protocols, leaving nine for DAI.
Source Address Validation Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV). Table 13. Three Types of Source Address Validation Source Address Validation Description IP Source Address Validation Prevents IP spoofing by forwarding only IP packets that have been validated against the DHCP binding table.
Enabling IP+MAC Source Address Validation IP source address validation (SAV) validates the IP source address of an incoming packet and optionally the VLAN ID of the client against the DHCP snooping binding table. IP+MAC SAV ensures that the IP source address and MAC source address are a legitimate pair, rather than validating each attribute individually. You cannot configure IP+MAC SAV with IP SAV. 1. Allocate at least one FP block to the ipmacacl CAM region. CONFIGURATION mode cam-acl l2acl 2.
Clearing the Number of SAV Dropped Packets To clear the number of SAV dropped packets, use the clear ip dhcp snooping source-address-validation discardcounters command. Dell>clear ip dhcp snooping source-address-validation discard-counters To clear the number of SAV dropped packets on a particular interface, use the clear ip dhcp snooping source-addressvalidation discard-counters interface interface command.
13 Equal Cost Multi-Path (ECMP) ECMP for Flow-Based Affinity Flow-based affinity includes the following: • Link Bundle Monitoring Configuring the Hash Algorithm TeraScale has one algorithm that is used for link aggregation groups (LAGs), ECMP, and NH-ECMP, and ExaScale can use three different algorithms for each of these features. To adjust the ExaScale behavior to match TeraScale, use the following command. • Change the ExaScale hash-algorithm for LAG, ECMP, and NH-ECMP to match TeraScale.
NOTE: You cannot separate LAG and ECMP, but you can use different algorithms across the chassis with the same seed. If LAG member ports span multiple port-pipes and line cards, set the seed to the same value on each port-pipe to achieve deterministic behavior. NOTE: If you remove the hash algorithm configuration, the hash seed does not return to the original factory default setting. To configure the hash algorithm seed, use the following command. • Specify the hash algorithm seed. CONFIGURATION mode.
Dell(conf)#ip ecmp-group maximum-paths 3 User configuration has been changed. Save the configuration and reload to take effect Dell(conf)# Creating an ECMP Group Bundle Within each ECMP group, you can specify an interface. If you enable monitoring for the ECMP group, the utilization calculation is performed when the average utilization of the link-bundle (as opposed to a single link within the bundle) exceeds 60%. 1. Create a user-defined ECMP group bundle.
14 Enabling FIPS Cryptography This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology (NIST), a nonregulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet the FIPS-140-2 standard for a software-based cryptographic module.
• • Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage. FIPS mode is enabled. • • If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only. If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-pair using the crypto key generate command. NOTE: Under certain unusual circumstances, it is possible for the fips enable command to indicate a failure.
Hardware Rev Num Ports Up Time Dell Networking Jumbo Capable POE Capable FIPS Mode Burned In MAC No Of MACs ... : 3.0 : 64 : 7 hr, 3 min OS Version : 4810-8-3-7-1061 : yes : no : enabled : 00:01:e8:8a:ff:0c : 3 Disabling FIPS Mode The following describes disabling FIPS mode. When you disable FIPS mode, the following changes occur: • • • • • • • The SSH server disables. All open SSH and Telnet sessions, as well as all SCP and FTP file transfers, close.
15 Force10 Resilient Ring Protocol (FRRP) FRRP provides fast network convergence to Layer 2 switches interconnected in a ring topology, such as a metropolitan area network (MAN) or large campuses. FRRP is similar to what can be achieved with the spanning tree protocol (STP), though even with optimizations, STP can take up to 50 seconds to converge (depending on the size of network and node of failure) may require 4 to 5 seconds to reconverge.
Ring Status The ring failure notification and the ring status checks provide two ways to ensure the ring remains up and active in the event of a switch or port failure. Ring Checking At specified intervals, the Master node sends a ring health frame (RHF) through the ring. If the ring is complete, the frame is received on its secondary port and the Master node resets its fail-period timer and continues normal operation.
• • • • • • • • One Master node per ring — all other nodes are Transit. Each node has two member interfaces — primary and secondary. There is no limit to the number of nodes on a ring. Master node ring port states — blocking, pre-forwarding, forwarding, and disabled. Transit node ring port states — blocking, pre-forwarding, forwarding, and disabled. STP disabled on ring interfaces. Master node secondary port is in blocking state during Normal operation.
Implementing FRRP • • • • • • • • • • FRRP is media and speed independent. FRRP is a Dell proprietary protocol that does not interoperate with any other vendor. You must disable the spanning tree protocol (STP) on both the Primary and Secondary interfaces before you can enable FRRP. All ring ports must be Layer 2 ports. This is required for both Master and Transit nodes. A VLAN configured as a control VLAN for a ring cannot be configured as a control or member VLAN for any other ring.
CONFIGURATION mode. interface vlan vlan-id VLAN ID: from 1 to 4094. 2. Tag the specified interface or range of interfaces to this VLAN. CONFIG-INT-VLAN mode. tagged interface slot/ port {range} Interface: • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. Slot/Port, Range: Slot and Port ID for the interface. Range is entered Slot/Port-PortSlot/Port. 3.
• For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. 3. Assign the Primary and Secondary ports and the Control VLAN for the ports on the ring. CONFIG-FRRP mode. interface primary interface slot/port secondary interface slot/port control-vlan vlan id Interface: • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Viewing the FRRP Information To view general FRRP information, use one of the following commands. • Show the information for the identified FRRP group. EXEC or EXEC PRIVELEGED mode. show frrp ring-id • Ring ID: the range is from 1 to 255. Show the state of all FRRP groups. EXEC or EXEC PRIVELEGED mode. show frrp summary Ring ID: the range is from 1 to 255. Troubleshooting FRRP To troubleshoot FRRP, use the following information.
Example of R2 TRANSIT interface TenGigabitEthernet 2/14 no ip address switchport no shutdown ! interface TenGigabitEthernet 2/31 no ip address switchport no shutdown ! interface Vlan 101 no ip address tagged TenGigabitEthernet 2/14,31 no shutdown ! interface Vlan 201 no ip address tagged TenGigabitEthernet 2/14,31 no shutdown ! protocol frrp 101 interface primary TenGigabitEthernet 2/14 secondary TenGigabitEthernet 2/31 control-vlan 101 member-vlan 201 mode transit no disable Example of R3 TRANSIT interface
16 GARP VLAN Registration Protocol (GVRP) GARP VLAN registration protocol (GVRP) is supported on Dell Networking OS. Typical virtual local area network (VLAN) implementation involves manually configuring each Layer 2 switch that participates in a given VLAN. GVRP, defined by the IEEE 802.1q specification, is a Layer 2 network protocol that provides for automatic VLAN configuration of switches. GVRP-compliant switches use GARP to register and de-register attribute values, such as VLAN IDs, with each other.
Figure 30. Global GVRP Configuration Example Basic GVRP configuration is a two-step process: 1. Enabling GVRP Globally 2. Enabling GVRP on a Layer 2 Interface Related Configuration Tasks • • Configure GVRP Registration Configure a GARP Timer Enabling GVRP Globally To configure GVRP globally, use the following command. • Enable GVRP for the entire switch.
To inspect the global configuration, use the show gvrp brief command. Enabling GVRP on a Layer 2 Interface To enable GVRP on a Layer 2 interface, use the following command. • Enable GVRP on a Layer 2 interface.
• • • Join — A GARP device reliably transmits Join messages to other devices by sending each Join message two times. To define the interval between the two sending operations of each Join message, use this parameter. The Dell Networking OS default is 200ms. Leave — When a GARP device expects to de-register a piece of attribute information, it sends out a Leave message and starts this timer. If a Join message does not arrive before the timer expires, the information is de-registered.
17 Internet Group Management Protocol (IGMP) Internet group management protocol (IGMP) is supported on Dell Networking OS. Multicast is premised on identifying many hosts by a single destination IP address; hosts represented by the same IP address are a multicast group. IGMP is a Layer 3 multicast protocol that hosts use to join or leave a multicast group.
Figure 31. IGMP Messages in IP Packets Join a Multicast Group There are two ways that a host may join a multicast group: it may respond to a general query from its querier or it may send an unsolicited report to its querier. Responding to an IGMP Query The following describes how a host can join a multicast group. 1. One router on a subnet is elected as the querier. The querier periodically multicasts (to all-multicast-systems address 224.0.0.1) a general query to all hosts on the subnet. 2.
• • To enable filtering, routers must keep track of more state information, that is, the list of sources that must be filtered. An additional query type, the Group-and-Source-Specific Query, keeps track of state changes, while the Group-Specific and General queries still refresh the existing state.
3. The host’s third message indicates that it is only interested in traffic from sources 10.11.1.1 and 10.11.1.2. Because this request again prevents all other sources from reaching the subnet, the router sends another group-and-source query so that it can satisfy all other hosts. There are no other interested hosts so the request is recorded. Figure 34.
Figure 35. Membership Queries: Leaving and Staying Configure IGMP Configuring IGMP is a two-step process. 1. Enable multicast routing using the ip multicast-routing command. 2. Enable a multicast routing protocol.
• View IGMP-enabled interfaces. EXEC Privilege mode show ip igmp interface Dell#show ip igmp interface TenGigabitEthernet 3/10 Inbound IGMP access group is not set Internet address is 165.87.34.5/24 IGMP is up on the interface IGMP query interval is 60 seconds IGMP querier timeout is 0 seconds IGMP max query response time is 10 seconds IGMP last member query response interval is 1000 ms IGMP immediate-leave is disabled IGMP activity: 2 joins IGMP querying router is 165.87.34.
Adjusting Timers The following sections describe viewing and adjusting timers. To view the current value of all IGMP timers, use the following command. • View the current value of all IGMP timers. EXEC Privilege mode show ip igmp interface For more information, refer to the example shown in Viewing IGMP Enabled Interfaces. Adjusting Query and Response Timers The querier periodically sends a general query to discover which multicast groups are active. A group must have at least one host to be active.
Static groups have an expiration value of Never and a Last Reporter value of CLI, as shown in the example in Viewing IGMP Groups. • Configure a static IGMP group. • INTERFACE mode ip igmp static-group View the static groups. EXEC Privilege mode. show ip igmp groups Enabling IGMP Immediate-Leave If the querier does not receive a response to a group-specific or group-and-source query, it sends another (querier robustness value).
INTERFACE VLAN mode no ip igmp snooping Related Configuration Tasks • • • • Removing a Group-Port Association Disabling Multicast Flooding Specifying a Port as Connected to a Multicast Router Configuring the Switch as Querier Dell(conf)#ip igmp snooping enable Dell(conf)#do show running-config igmp ip igmp snooping enable Dell(conf)# Removing a Group-Port Association To configure or view the remove a group-port association feature, use the following commands.
Configuring the Switch as Querier To configure the switch as a querier, use the following command. Hosts that do not support unsolicited reporting wait for a general query before sending a membership report. When the multicast source and receivers are in the same VLAN, multicast traffic is not routed and so there is no querier. Configure the switch to be the querier for a VLAN so that hosts send membership reports and the switch can generate a forwarding table by snooping.
Traffic (switch initiated management traffic or responses to switch-destined traffic with management port IP address as the source IP address) for user-specified management protocols must exit out of the management port. In this chapter, all the references to traffic indicate switch-initiated traffic and responses to switch-destined traffic with management port IP address as the source IP address.
Enabling and Disabling Management Egress Interface Selection You can enable or disable egress-interface-selection using the management egress-interface-selection command. NOTE: Egress Interface Selection (EIS) works only with IPv4 routing. When the feature is enabled using the management egress-interface-selection command, the following events are performed: • • • • • • • • • • • • • The CLI prompt changes to the EIS mode.
• • • • • • • • • • • • TCP/UDP port number is extracted from the sockaddr structure in the in_selectsrc call which is called as part of the connect system call or in the ip_output function. If the destination TCP/UDP port number belongs to a configured management application, then sin_port of destination sockaddr structure is set to Management EIS ID 2 so that route lookup can be done in the management EIS routing table.
Handling of Transit Traffic (Traffic Separation) This is forwarded traffic where destination IP is not an IP address configured in the switch. • • • Packets received on the management port with destination on the front-end port is dropped. Packets received on the front-end port with destination on the management port is dropped. A separate drop counter is incremented for this case. This counter is viewed using the netstat command, like all other IP layer counters.
The management port is an egress port for management applications. If the management port is down or the destination is not reachable through the management port (next hop ARP is not resolved, and so on), and if the destination is reachable through a data port, then the management application traffic is sent out through the front-end data port. This fallback mechanism is required. 2.
If the source TCP/UDP port or source IP address does not match the management port IP address, a route lookup is done in the default routing table. EIS behavior for ICMP: ICMP packets do not have TCP/UDP ports. In this case, to perform an EIS route lookup for ICMP-based applications (ping and traceroute), you must configure ICMP as a management application. If the management port is down or the route lookup fails, packets are dropped.
18 Interfaces This chapter describes interface types, both physical and logical, and how to configure them with Dell Networking Operating System (OS). • 10 Gigabit Ethernet / 40 Gigabit Ethernet interfaces are supported on the Z9000 platform.
• • • • • • Configure the MTU Size on an Interface Port-Pipes Auto-Negotiation on Ethernet Interfaces View Advanced Interface Information Dynamic Counters Enhanced Validation of Interface Ranges Interface Types The following table describes different interface types.
0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 0 Broadcasts 0 runts, 0 giants, 0 throttles 0 CRC, 0 overrun, 0 discarded Output Statistics: 3 packets, 192 bytes, 0 underruns 3 64-byte pkts, 0 over 64-byte pkts, 0 over 127-byte pkts 0 over 255-byte pkts, 0 over 511-byte pkts, 0 over 1023-byte pkts 0 Multicasts, 3 Broadcasts, 0 Unicasts 0 Vlans, 0 throttles, 0 discarded, 0 collisions Rate info (interval 299 seconds): Input 00.00 Mbits/sec, 0 packets/sec, 0.
• • For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. For the Management interface on the RPM, enter the keyword ManagementEthernet then the slot/port information. The slot range is from 0 to 1. The port range is 0. 2. Enable the interface. INTERFACE mode no shutdown To confirm that the interface is enabled, use the show config command in INTERFACE mode. To leave INTERFACE mode, use the exit command or end command. You cannot delete a physical interface.
Configuring Layer 2 (Data Link) Mode Do not configure switching or Layer 2 protocols such as spanning tree protocol (STP) on an interface unless the interface has been set to Layer 2 mode. To set Layer 2 data transmissions through an individual interface, use the following command. • Enable Layer 2 data transmissions through an individual interface.
To determine the configuration of an interface, use the show config command in INTERFACE mode or the various show interface commands in EXEC mode. Configuring Layer 3 (Interface) Mode To assign an IP address, use the following commands. • Enable the interface. • INTERFACE mode no shutdown Configure a primary IP address and mask on the interface. INTERFACE mode ip address ip-address mask [secondary] The ip-address must be in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/xx).
1. Enter EIS mode. CONFIGURATION mode management egress-interface-selection 2. Configure which applications uses EIS. EIS mode application {all | application-type} NOTE: If you configure SNMP as the management application for EIS and you add a default management route, when you perform an SNMP walk and check the debugging logs for the source and destination IPs, the SNMP agent uses the destination address of incoming SNMP packets as the source address for outgoing SNMP responses for security.
Hardware is Force10Eth, address is 00:01:e8:cc:cc:ce Current address is 00:01:e8:cc:cc:ce Pluggable media not present Interface index is 46449666 Internet address is 10.11.131.
Loopback Interfaces A Loopback interface is a virtual interface in which the software emulates an interface. Packets routed to it are processed locally. Because this interface is not a physical interface, you can configure routing protocols on this interface to provide protocol stability. You can place Loopback interfaces in default Layer 3 mode. To configure, view, or delete a Loopback interface, use the following commands. • Enter a number as the Loopback interface.
Port Channel Benefits A port channel interface provides many benefits, including easy management, link redundancy, and sharing. Port channels are transparent to network configurations and can be modified and managed as one interface. For example, you configure one IP address for the group and that IP address is used for all routed traffic on the port channel. With this feature, you can create larger-capacity interfaces by utilizing a group of lower-speed links.
Configuration Tasks for Port Channel Interfaces To configure a port channel (LAG), use the commands similar to those found in physical interfaces. By default, no port channels are configured in the startup configuration.
INTERFACE PORT-CHANNEL mode channel-member interface The interface variable is the physical interface type and slot/port information. 2. Double check that the interface was added to the port channel. INTERFACE PORT-CHANNEL mode show config To view the port channel’s status and channel members in a tabular format, use the show interfaces port-channel brief command in EXEC Privilege mode, as shown in the following example.
% Error: Port is part of a LAG Te 1/6. Dell(conf-if)# Reassigning an Interface to a New Port Channel An interface can be a member of only one port channel. If the interface is a member of a port channel, remove it from the first port channel and then add it to the second port channel. Each time you add or remove a channel member from a port channel, Dell Networking OS recalculates the hash algorithm for the port channel. To reassign an interface to a new port channel, use the following commands. 1.
Configuring VLAN Tags for Member Interfaces To configure and verify VLAN tags for individual members of a port channel, perform the following: 1. Configure VLAN membership on individual ports INTERFACE mode Dell(conf-if)#vlan tagged 2,3-4 2. Use the switchport command in INTERFACE mode to enable Layer 2 data transmissions through an individual interface INTERFACE mode Dell(conf-if)#switchport 3. Verify the manually configured VLAN membership (show interfaces switchport interface command).
Load Balancing Through Port Channels Dell Networking OS uses hash algorithms for distributing traffic evenly over channel members in a port channel (LAG). The hash algorithm distributes traffic among Equal Cost Multi-path (ECMP) paths and LAG members. The distribution is based on a flow, except for packet-based hashing. A flow is identified by the hash and is assigned to one link. In packet-based hashing, a single flow can be distributed on the LAG and uses one link.
Hash seed is used to compute the hash value. By default hash seed is chassis MAC 32 bits. we can also change the hash seed by the following command. • CONFIGURATION mode hash-algorithm seed {seed value} Change to another algorithm. CONFIGURATION mode hash-algorithm [ecmp{crc16|crc16cc|crc32LSB|crc32MSB|crc-upper|dest-ip|lsb|xor1|xor2|xor4| xor8|xor16}] Dell(conf)#hash-algorithm ecmp xor 26 lag crc 26 nh-ecmp checksum 26 Dell(conf)# The hash-algorithm command is specific to ECMP group.
Bulk Configuration Examples Use the interface range command for bulk configuration. • • • • • • • Create a Single-Range Create a Multiple-Range Exclude Duplicate Entries Exclude a Smaller Port Range Overlap Port Ranges Commas Add Ranges Create a Single-Range The following is an example of a single range.
Commas The following is an example of how to use commas to add different interface types to the range, enabling all TenGigabitEthernet interfaces in the range 5/1 to 5/23 and both Ten Gigabit Ethernet interfaces 1/1 and 1/2.
Monitoring and Maintaining Interfaces Monitor interface statistics with the monitor interface command. This command displays an ongoing list of the interface status (up/down), number of packets, traffic statistics, and so on. To view the interface’s statistics, use the following command. • View the interface’s statistics. EXEC Privilege mode Enter the type of interface and slot/port information: • • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information.
Maintenance Using TDR The time domain reflectometer (TDR) is supported on all Dell Networking switch/routers. TDR is an assistance tool to resolve link issues that helps detect obvious open or short conditions within any of the four copper pairs. TDR sends a signal onto the physical cable and examines the reflection of the signal that returns.
Converting a QSFP or QSFP+ Port to an SFP or SFP+ Port You can convert a QSFP or QSFP+ port to an SFP or SFP+ port using the Quad to Small Form Factor Pluggable Adapter (QSA). QSA provides smooth connectivity between devices that use Quad Lane Ports (such as the 40 Gigabit Ethernet adapters) and 10 Gigabit hardware that uses SFP+ based cabling. Using this adapter, you can effectively use a QSFP or QSFP+ module to connect to a lower-end switch or server that uses an SFP or SFP+ based module.
• • • QSFP port 4 is connected to a QSA with SFP optical cables plugged in. QSFP port 8 in fanned-out mode is plugged in with QSFP optical cables. QSFP port 12 in 40 G mode is plugged in with QSFP optical cables.
NOTE: In the following show interfaces tengigbitethernet transceiver commands, the ports 5,6, and 7 are inactive and no physical SFP or SFP+ connection actually exists on these ports. However, Dell Networking OS still perceives these ports as valid and the output shows that pluggable media (optical cables) is inserted into these ports. This is a software limitation for this release.
tengigabitethernet 0/0 is up, line protocol is up Hardware is DellEth, address is 90:b1:1c:f4:9a:fa Current address is 90:b1:1c:f4:9a:fa Pluggable media present, SFP+ type is 10GBASE-SX Interface index is 35012865 Internet address is not set Mode of IPv4 Address Assignment : NONE DHCP Client-ID :90b11cf49afa MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit Dell#show interfaces tengigabitethernet 0/1 tengigabitethernet 0/1 is up, line protocol is down Hardware is DellEth, address is 90:b1:1c:f4:9a:fa C
…….. LineSpeed 10000 Mbit The show inventory command shows the following output: NOTE: In the following show inventory media command output, the port numbers 1, 2, 3, 5, 6, and 7 ports are actually inactive. However, Dell Networking OS still shows that optical cables are inserted into these ports. This is a software limitation for this release.
interface TenGigabitEthernet 1/1 ip address 10.10.19.1/24 dampening 1 2 3 4 no shutdown To view dampening information on all or specific dampened interfaces, use the show interfaces dampening command from EXEC Privilege mode.
Link Bundle Monitoring Monitoring linked LAG bundles allows traffic distribution amounts in a link to be monitored for unfair distribution at any given time. A threshold of 60% is defined as an acceptable amount of traffic on a member link. Links are monitored in 15-second intervals for three consecutive instances. Any deviation within that time sends Syslog and an alarm event generates. When the deviation clears, another Syslog sends and a clear alarm event generates.
• Control how the system responds to and generates 802.3x pause frames on 1 and 10 Gig ports. INTERFACE mode flowcontrol rx [off | on] tx [off | on] • • • • • rx on: enter the keywords rx on to process the received flow control frames on this port. rx off: enter the keywords rx off to ignore the received flow control frames on this port. tx on: enter the keywords tx on to send control frames from this port to the connected device when a higher rate of traffic is received.
Auto-Negotiation on Ethernet Interfaces By default, auto-negotiation of speed and duplex mode is enabled on 10/100/1000 Base-T Ethernet interfaces. Only 10GE interfaces do not support auto-negotiation. When using 10GE interfaces, verify that the settings on the connecting devices are set to no auto-negotiation. NOTE: When you use a copper SFP2 module with catalog number GP-SFP2-1T in the S25P model, you can manually set its speed with the speed command.
Te 1/1 Down Te 1/2 Down Te 1/3 Down Te 1/4 Force10Port Up Te 1/5 Down Te 1/6 Down Te 1/7 Up Te 1/8 Down Te 1/9 Down Te 1/10 Down Te 1/11 Down Te 1/12 Down [output omitted] 1000 Mbit Auto Auto 1000 Mbit Auto Auto 1000 Mbit Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto Auto 1 1 -30-130 --1502,1504,1506-1508,1602 ------ In the previous example, several ports display “Auto” in the Speed field.
For details about the speed, duplex, and negotiation auto commands, refer to the Interfaces chapter of the Dell Networking OS Command Reference Guide. Adjusting the Keepalive Timer To change the time interval between keepalive messages on the interfaces, use the keepalive command. The interface sends keepalive messages to itself to test network connectivity on the interface. To change the default time interval between keepalive messages, use the following command.
Configuring the Interface Sampling Size Although you can enter any value between 30 and 299 seconds (the default), software polling is done once every 15 seconds. So, for example, if you enter “19”, you actually get a sample of the past 15 seconds. All LAG members inherit the rate interval configuration from the LAG. The following example shows how to configure rate interval when changing the default value.
Dynamic Counters By default, counting is enabled for IPFLOW, IPACL, L2ACL, L2FIB. For the remaining applications, Dell Networking OS automatically turns on counting when you enable the application, and is turned off when you disable the application. NOTE: If you enable more than four counter-dependent applications on a port pipe, there is an impact on line rate performance.
0/0, this configuration is considered valid. The comma-separated list is not required to be separated by spaces in between the ranges. You can associate multicast MAC or hardware addresses to an interface range and VLANs by using the mac-address-table static multicast-mac-address vlan vlan-id output-range interface command.
19 Internet Protocol Security (IPSec) Internet protocol security (IPSec) is available on Dell Networking OS. IPSec is an end-to-end security scheme for protecting IP communications by authenticating and encrypting all packets in a communication session. Use IPSec between hosts, between gateways, or between hosts and gateways. IPSec is compatible with Telnet and FTP protocols. It supports two operational modes: Transport and Tunnel.
session-key outbound esp 257 auth encrypt match 0 tcp a::1 /128 0 a::2 /128 23 match 1 tcp a::1 /128 23 a::2 /128 0 match 2 tcp a::1 /128 0 a::2 /128 21 match 3 tcp a::1 /128 21 a::2 /128 0 match 4 tcp 1.1.1.1 /32 0 1.1.1.2 /32 23 match 5 tcp 1.1.1.1 /32 23 1.1.1.2 /32 0 match 6 tcp 1.1.1.1 /32 0 1.1.1.2 /32 21 match 7 tcp 1.1.1.1 /32 21 1.1.1.2 /32 0 3. Apply the crypto policy to management traffic.
20 IPv4 Routing IPv4 routing is supported on Dell Networking OS. The Dell Networking Operating System (OS) supports various IP addressing features. This chapter describes the basics of domain name service (DNS), address resolution protocol (ARP), and routing principles and their implementation in the Dell Networking OS.
IP Addresses Dell Networking OS supports IP version 4, as described in RFC 791. Dell Networking OS also supports classful routing and variable length subnet masks (VLSM). With VLSM, you can configure one network with different masks. Supernetting, which increases the number of subnets, is also supported. To subnet, you add a mask to the IP address to separate the network and host portions of the IP address.
• secondary: add the keyword secondary if the IP address is the interface’s backup IP address. You can configure up to eight secondary IP addresses. To view the configuration, use the show config command in INTERFACE mode or use the show ip interface command in EXEC privilege mode, as shown in the second example. Dell(conf-if)#show conf ! interface TenGigabitEthernet 1/1 ip address 10.11.1.
Direct, Lo 0 --More-Dell#show ip route static Destination Gateway ----------------S 2.1.2.0/24 Direct, Nu 0 S 6.1.2.0/24 via 6.1.20.2, S 6.1.2.2/32 via 6.1.20.2, S 6.1.2.3/32 via 6.1.20.2, S 6.1.2.4/32 via 6.1.20.2, S 6.1.2.5/32 via 6.1.20.2, S 6.1.2.6/32 via 6.1.20.2, S 6.1.2.7/32 via 6.1.20.2, S 6.1.2.8/32 via 6.1.20.2, S 6.1.2.9/32 via 6.1.20.2, S 6.1.2.10/32 via 6.1.20.2, S 6.1.2.11/32 via 6.1.20.2, S 6.1.2.12/32 via 6.1.20.2, S 6.1.2.13/32 via 6.1.20.2, S 6.1.2.14/32 via 6.1.20.2, S 6.1.2.15/32 via 6.
Configure Static Routes for the Management Interface When an IP address that a protocol uses and a static management route exists for the same prefix, the protocol route takes precedence over the static management route. To configure a static route for the management port, use the following command. • Assign a static route to point to the management interface or forwarding router.
both IPv4 and IPv6 addresses configured on it, both the IPv4 and IPv6 traffic are applied the same MTU size; you cannot specify different MTU values for IPv4 and IPv6 packets. Using the Configured Source IP Address in ICMP Messages This feature is supported on the Z9000 platform. ICMP error or unreachable messages are now sent with the configured IP address of the source interface instead of the front-end port IP address as the source IP address.
Enabling Directed Broadcast By default, Dell Networking OS drops directed broadcast packets destined for an interface. This default setting provides some protection against denial of service (DoS) attacks. To enable Dell Networking OS to receive directed broadcasts, use the following command. • Enable directed broadcast. INTERFACE mode ip directed-broadcast To view the configuration, use the show config command in INTERFACE mode.
Specifying the Local System Domain and a List of Domains If you enter a partial domain, Dell Networking OS can search different domains to finish or fully qualify that partial domain. A fully qualified domain name (FQDN) is any name that is terminated with a period/dot. Dell Networking OS searches the host table first to resolve the partial domain. The host table contains both statically configured and dynamically learnt host and IP addresses.
ARP Dell Networking OS uses two forms of address resolution: address resolution protocol (ARP) and Proxy ARP. ARP runs over Ethernet and enables endstations to learn the MAC addresses of neighbors on an IP network. Over time, Dell Networking OS creates a forwarding table mapping the MAC addresses to their corresponding IP address. This table is called the ARP Cache and dynamically learned addresses are removed after a defined period of time.
ip proxy-arp To view if Proxy ARP is enabled on the interface, use the show config command in INTERFACE mode. If it is not listed in the show config command output, it is enabled. Only non-default information is displayed in the show config command output. Clearing ARP Cache To clear the ARP cache of dynamically learnt ARP information, use the following command. • Clear the ARP caches for all interfaces or for a specific interface by entering the following information.
Figure 36. ARP Learning via ARP Request Beginning with Dell Networking OS version 8.3.1.0, when you enable ARP learning via gratuitous ARP, the system installs a new ARP entry, or updates an existing entry for all received ARP requests. Figure 37. ARP Learning via ARP Request with ARP Learning via Gratuitous ARP Enabled Whether you enable or disable ARP learning via gratuitous ARP, the system does not look up the target IP.
show arp retries ICMP For diagnostics, the internet control message protocol (ICMP) provides routing information to end stations by choosing the best route (ICMP redirect messages) or determining if a router is reachable (ICMP Echo or Echo Reply). ICMP error messages inform the router of problems in a particular packet. These messages are sent only on unicast traffic. Configuration Tasks for ICMP The following lists the configuration tasks for ICMP.
Enabling UDP Helper To enable UDP helper, use the following command. • Enable UPD helper. ip udp-helper udp-ports Dell(conf-if-te-1/1)#ip udp-helper udp-port 1000 Dell(conf-if-te-1/1)#show config ! interface TenGigabitEthernet 1/1 ip address 2.1.1.1/24 ip udp-helper udp-port 1000 no shutdown To view the interfaces and ports on which you enabled UDP helper, use the show ip udp-helper command from EXEC Privilege mode.
• • • • UDP Helper with Broadcast-All Addresses UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses UDP Helper with No Configured Broadcast Addresses UDP Helper with Broadcast-All Addresses When the destination IP address of an incoming packet is the IP broadcast address, Dell Networking OS rewrites the address to match the configured broadcast address. In the following illustration: 1. Packet 1 is dropped at ingress if you did not configure UDP helper address. 2.
Figure 39. UDP Helper with Subnet Broadcast Addresses UDP Helper with Configured Broadcast Addresses Incoming packets with a destination IP address matching the configured broadcast address of any interface are forwarded to the matching interfaces. In the following illustration, Packet 1 has a destination IP address that matches the configured broadcast address of VLAN 100 and 101.
Example of the debug ip udp-helper Command Dell(conf)# debug ip udp-helper 01:20:22: Pkt rcvd on Te 5/1 with IP DA (0xffffffff) will be sent on Te 5/2 Te 5/3 Vlan 3 01:44:54: Pkt rcvd on Te 7/1 is handed over for DHCP processing. When using the IP helper and UDP helper on the same interface, use the debug ip dhcp command. Example Output from the debug ip dhcp Command Packet 0.0.0.0:68 -> 255.255.255.255:67 TTL 128 2005-11-05 11:59:35 %RELAY-I-PACKET, BOOTP REQUEST (Unicast) received at interface 172.21.50.
21 IPv6 Routing Internet protocol version 6 (IPv6) routing is supported on Dell Networking OS. NOTE: The IPv6 basic commands are supported on all platforms. However, not all features are supported on all platforms, nor for all releases. To determine the Dell Networking Operating System (OS) version supporting which features and platforms, refer to Implementing IPv6 with Dell Networking OS. IPv6 is the successor to IPv4.
NOTE: As an alternative to stateless autoconfiguration, network hosts can obtain their IPv6 addresses using the dynamic host control protocol (DHCP) servers via stateful auto-configuration. NOTE: Dell Networking OS provides the flexibility to add prefixes on Router Advertisements (RA) to advertise responses to Router Solicitations (RS). By default, RA response messages are sent when an RS message is received. Dell Networking OS manipulation of IPv6 stateless autoconfiguration supports the router side only.
IPv6 Header Fields The 40 bytes of the IPv6 header are ordered, as shown in the following illustration. Figure 41. IPv6 Header Fields Version (4 bits) The Version field always contains the number 6, referring to the packet’s IP version. Traffic Class (8 bits) The Traffic Class field deals with any data that needs special handling. These bits define the packet priority and are defined by the packet Source. Sending and forwarding routers use this field to identify different IPv6 classes and priorities.
Value Description 41 IPv6 43 Routing header 44 Fragmentation header 50 Encrypted Security 51 Authentication header 59 No Next Header 60 Destinations option header NOTE: This table is not a comprehensive list of Next Header field values. For a complete and current listing, refer to the Internet Assigned Numbers Authority (IANA) web page at . Hop Limit (8 bits) The Hop Limit field shows the number of hops remaining for packet processing.
This field identifies the length of the Hop-by-Hop Options header in 8-byte units, but does not include the first 8 bytes. Consequently, if the header is less than 8 bytes, the value is 0 (zero). • Options (size varies) This field can contain one or more options. The first byte if the field identifies the Option type, and directs the router how to handle the option. 00 Skip and continue processing. 01 Discard the packet.
In IPv6, every interface, whether using static or dynamic address assignments, also receives a local-link address automatically in the fe80::/64 subnet. Implementing IPv6 with Dell Networking OS Dell Networking OS supports both IPv4 and IPv6 and both may be used simultaneously in your system. The following table lists the Dell Networking OS version in which an IPv6 feature became available for each platform. The sections following the table give greater detail about the feature.
Feature and Functionality Dell Networking OS Release Introduction Documentation and Chapter Location Z9000 IPv6 IS-IS in the Dell Networking OS Command Line Reference Guide. OSPF for IPv6 (OSPFv3) 8.3.11 Equal Cost Multipath for IPv6 8.3.11 OSPFv3 in the Dell Networking OS Command Line Reference Guide. IPv6 Services and Management Telnet client over IPv6 (outbound Telnet) 8.3.11 Configuring Telnet with IPv6 Telnet server over IPv6 (inbound Telnet) 8.3.
The recommended MTU for IPv6 is 1280. Greater MTU settings increase processing efficiency because each packet carries more data while protocol overheads (for example, headers) or underlying per-packet delays remain fixed. Figure 42. Path MTU Discovery Process IPv6 Neighbor Discovery NDP is a top-level protocol for neighbor discovery on an IPv6 network.
Figure 43. NDP Router Redirect IPv6 Neighbor Discovery of MTU Packets You can set the MTU advertised through the RA packets to incoming routers, without altering the actual MTU setting on the interface. The ipv6 nd mtu command sets the value advertised to routers. It does not set the actual MTU rate. For example, if you set ipv6 nd mtu to 1280, the interface still passes 1500-byte packets, if that is what is set with the mtu command.
The following example configures a RDNNS server with an IPv6 address of 1000::1 and a lifetime of 1 second.
ND reachable time is 20120 milliseconds ND base reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 0 milliseconds ND router advertisements are sent every 198 to 600 seconds ND router advertisements live for 1800 seconds ND advertised hop limit is 64 IPv6 hop limit for originated packets is 64 ND dns-server address is 1000::1 with lifetime of 1 seconds ND dns-server address is 3000::1 with lifetime of 1 seconds ND dns-server address is 200
To have the changes take effect, save the new CAM settings to the startup-config (write-mem or copy run start) then reload the system for the new settings. • Allocate space for IPV6 ACLs. Enter the CAM profile name then the allocated amount. CONFIGURATION mode cam-acl { ipv6acl } When not selecting the default option, enter all of the profiles listed and a range for each. The total space allocated must equal 13. • The ipv6acl range must be a factor of 2. Show the current CAM settings.
• • • • For a Loopback interface, enter the keyword loopback then a number from 0 to 16383. For a port channel interface, enter the keywords port-channel then a number. For a Null interface, enter the keyword null then the Null interface number. For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. Configuring Telnet with IPv6 The Telnet client and server in Dell Networking OS supports IPv6 connections.
Showing an IPv6 Interface To view the IPv6 configuration for a specific interface, use the following command. • Show the currently running configuration for the specified interface. EXEC mode show ipv6 interface interface {slot/port} Enter the keyword interface then the type of interface and slot/port information: • • • • • • • For all brief summary of IPv6 status and configuration, enter the keyword brief. For all IPv6 configured interfaces, enter the keyword configured.
• • • To display information about Routing Information Protocol (RIP), enter rip. To display information about static IPv6 routes, enter static. To display information about an IPv6 Prefix lists, enter list and the prefix-list name. The following example shows the show ipv6 route summary command. Dell#show ipv6 route summary Route Source Active Routes Non-active Routes connected 5 0 static 0 0 Total 5 0 The following example shows the show ipv6 route command.
ipv6 address 3:4:5:6::8/24 shutdown Dell# Clearing IPv6 Routes To clear routes from the IPv6 routing table, use the following command. • Clear (refresh) all or a specific route from the IPv6 routing table. EXEC mode clear ipv6 route {* | ipv6 address prefix-length} • • • *: all routes. ipv6 address: the format is x:x:x:x::x. mask: the prefix length is from 0 to 128. NOTE: IPv6 addresses are normally written as eight groups of four hexadecimal digits, where each group is separated by a colon (:).
POLICY LIST CONFIGURATION mode router-preference maximum {high | low | medium} 10. Set the router lifetime. POLICY LIST CONFIGURATION mode router—lifetime value The router lifetime range is from 0 to 9,000 seconds. 11. Apply the policy to trusted ports. POLICY LIST CONFIGURATION mode trusted-port 12. Set the maximum transmission unit (MTU) value. POLICY LIST CONFIGURATION mode mtu value The MTU range is from 1,280 to 11,982 bytes. 13. Set the advertised reachability time.
Example of the show ipv6 nd ra-guard policy Command Dell#show ipv6 nd ra-guard policy test ipv6 nd ra-guard policy test device-role router hop-limit maximum 1 match ra ipv6-access-list access other-config-flag on router-preference maximum medium trusted-port Interfaces : Te 1/1 Dell# Monitoring IPv6 RA Guard To debug IPv6 RA guard, use the following command. EXEC Privilege mode debug ipv6 nd ra-guard [interface_type slot/port | count value] The count range is from 1 to 65534. The default is infinity.
22 Intermediate System to Intermediate System Intermediate system to intermediate system (Is-IS) is supported on Dell Networking OS. • • • • IS-IS is supported on the Z9000 with Dell Networking OS 9.0(0.0). The IS-IS protocol is an interior gateway protocol (IGP) that uses a shortest-path-first algorithm. Dell Networking supports both IPv4 and IPv6 versions of IS-IS. The IS-IS protocol standards are listed in the Standards Compliance chapter.
• N-selector — this is always 0. The following illustration is an example of the ISO-style address to show the address format IS-IS uses. In this example, the first five bytes (47.0005.0001) are the area address. The system portion is 000c.000a.4321 and the last byte is always 0. Figure 44. ISO Address Format Multi-Topology IS-IS Multi-topology IS-IS (MT IS-IS) allows you to create multiple IS-IS topologies on a single router with separate databases.
Graceful Restart Both Helper and Restart modes of Graceful restart are supported on the device. Graceful restart is a protocol-based mechanism that preserves the forwarding table of the restarting router and its neighbors for a specified period to minimize the loss of packets. A graceful-restart router does not immediately assume that a neighbor is permanently down and does not trigger a topology change.
• • Downloads IPv6 routes to the RTM for installing in the FIB. Accepts external IPv6 information and advertises this information in the PDUs. The following table lists the default IS-IS values. Table 17.
To configure IS-IS globally, use the following commands. 1. Create an IS-IS routing process. CONFIGURATION mode router isis [tag] tag: (optional) identifies the name of the IS-IS process. 2. Configure an IS-IS network entity title (NET) for a routing process. ROUTER ISIS mode net network-entity-title Specify the area address and system ID for an IS-IS routing process. The last byte must be 00. For more information about configuring a NET, refer to IS-IS Addressing. 3. Enter the interface configuration mode.
Loopback 0 Redistributing: Distance: 115 Generate narrow metrics: Accept narrow metrics: Generate wide metrics: Accept wide metrics: Dell# level-1-2 level-1-2 none none To view IS-IS protocol statistics, use the show isis traffic command in EXEC Privilege mode.
Configuring IS-IS Graceful Restart To enable IS-IS graceful restart globally, use the following commands. Additionally, you can implement optional commands to enable the graceful restart settings. • Enable graceful restart on ISIS processes. • ROUTER-ISIS mode graceful-restart ietf Configure the time during which the graceful restart attempt is prevented. ROUTER-ISIS mode graceful-restart interval minutes The range is from 1 to 120 minutes. • The default is 5 minutes.
T1 Timeout Value Adjacency wait time : 5, retry count: 1 : 30 Operational Timer Value ====================== Current Mode/State : T3 Time left : T2 Time left : Restart ACK rcv count : Restart Req rcv count : Suppress Adj rcv count : Restart CSNP rcv count : Database Sync count : Normal/RUNNING 0 0 (level-1), 0 0 (level-1), 0 0 (level-1), 0 0 (level-1), 0 0 (level-1), 0 0 (level-1), 0 (level-2) (level-2) (level-2) (level-2) (level-2) (level-2) Circuit TenGigabitEthernet 2/10: Mode: Normal L1-State:NORMA
• Set the LSP refresh interval. ROUTER ISIS mode lsp-refresh-interval seconds • • seconds: the range is from 1 to 65535. The default is 900 seconds. Set the maximum time LSPs lifetime. ROUTER ISIS mode max-lsp-lifetime seconds • seconds: the range is from 1 to 65535. The default is 1200 seconds. To view the configuration, use the show config command in ROUTER ISIS mode or the show running-config isis command in EXEC Privilege mode.
To view which metric types are generated and received, use the show isis protocol command in EXEC Privilege mode. The IS-IS matrixes settings are in bold. Example of Viewing IS-IS Metric Types Dell#show isis protocol IS-IS Router: System Id: EEEE.EEEE.EEEE IS-Type: level-1-2 Manual area address(es): 47.0004.004d.0001 Routing for area address(es): 21.2223.2425.2627.2829.3031.3233 47.0004.004d.
Configuring the Distance of a Route To configure the distance for a route, use the following command. • Configure the distance for a route. ROUTER ISIS mode distance Changing the IS-Type To change the IS-type, use the following commands. You can configure the system to act as a Level 1 router, a Level 1-2 router, or a Level 2 router. To change the IS-type for the router, use the following commands. • Configure IS-IS operating level for a router.
Distribute Routes Another method of controlling routing information is to filter the information through a prefix list. Prefix lists are applied to incoming or outgoing routes and routes must meet the conditions of the prefix lists or Dell Networking OS does not install the route in the routing table. The prefix lists are globally applied on all interfaces running IS-IS. Configure the prefix list in PREFIX LIST mode prior to assigning it to the IS-IS process.
distribute-list prefix-list-name out [bgp as-number | connected | ospf process-id | rip | static] You can configure one of the optional parameters: • • connected: for directly connected routes. • ospf process-id: for OSPF routes only. • rip: for RIP routes only. • static: for user-configured routes. • bgp: for BGP routes only. Deny RTM download for pre-existing redistributed IPv6 routes.
redistribute {bgp as-number | connected | rip | static} [level-1 level-1-2 | level-2] [metric metric-value] [metric-type {external | internal}] [route-map map-name] Configure the following parameters: • • level-1, level-1-2, or level-2: assign all redistributed routes to a level. The default is level-2. • metric-value: the range is from 0 to 16777215. The default is 0. • metric-type: choose either external or internal. The default is internal. • map-name: enter the name of a configured route map.
set-overload-bit • This setting prevents other routers from using it as an intermediate hop in their shortest path first (SPF) calculations. Remove the overload bit. ROUTER ISIS mode no set-overload-bit When the bit is set, a 1 is placed in the OL column in the show isis database command output. The overload bit is set in both the Level-1 and Level-2 database because the IS type for the router is Level-1-2. Dell#show isis database IS-IS Level-1 Link State Database LSPID LSP Seq Num LSP Checksum B233.
Dell Networking OS displays debug messages on the console. To view which debugging commands are enabled, use the show debugging command in EXEC Privilege mode. To disable a specific debug command, enter the keyword no then the debug command. For example, to disable debugging of IS-IS updates, use the no debug isis updates-packets command. To disable all IS-IS debugging, use the no debug isis command. To disable all debugging, use the undebug all command.
Beginning Metric Style Final Metric Style Resulting IS-IS Metric Value metric value is displayed in the show config and show running-config commands and is used if you change back to transition metric style. NOTE: A truncated value is a value that is higher than 63, but set back to 63 because the higher value is not supported. wide narrow transition default value (10) if the original value is greater than 63. A message is sent to the console.
Beginning Metric Style Next Metric Style Resulting Metric Value Next Metric Style Final Metric Value wide transition truncated value narrow transition default value (10). A message is sent to the logging buffer transition Leaks from One Level to Another In the following scenarios, each IS-IS level is configured with a different metric style. Table 21.
You can configure IPv6 IS-IS routes in one of the following three different methods: • • • Congruent Topology — You must configure both IPv4 and IPv6 addresses on the interface. Enable the ip router isis and ipv6 router isis commands on the interface. Enable the wide-metrics parameter in router isis configuration mode. Multi-topology — You must configure the IPv6 address. Configuring the IPv4 address is optional. You must enable the ipv6 router isis command on the interface.
Dell (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.00 ! address-family ipv6 unicast multi-topology exit-address-family Dell (conf-router_isis)# IS-IS Sample Configuration — Multi-topology Transition Dell (conf-if-te-3/17)#show config ! interface TenGigabitEthernet 3/17 ipv6 address 24:3::1/76 ipv6 router isis no shutdown Dell (conf-if-te-3/17)# Dell (conf-router_isis)#show config ! router isis net 34.0000.0000.AAAA.
23 Link Aggregation Control Protocol (LACP) Introduction to Dynamic LAGs and LACP A link aggregation group (LAG), referred to as a port channel by Dell Networking OS, can provide both load-sharing and port redundancy across line cards. You can enable LAGs as static or dynamic. The benefits and constraints are basically the same, as described in Port Channel Interfaces in the Interfaces chapter.
• Passive — In this state, the interface is not in an active negotiating state, but LACP runs on the link. A port in Passive state also responds to negotiation requests (from ports in Active state). Ports in Passive state respond to LACP packets. Dell Networking OS supports LAGs in the following cases: • • A port in Active state can set up a port channel (LAG) with another port in Active state. A port in Active state can set up a LAG with another port in Passive state.
switchport Dell(conf)#interface port-channel 32 Dell(conf-if-po-32)#no shutdown Dell(conf-if-po-32)#switchport The LAG is in the default VLAN. To place the LAG into a non-default VLAN, use the tagged command on the LAG. Dell(conf)#interface vlan 10 Dell(conf-if-vl-10)#tagged port-channel 32 Configuring the LAG Interfaces as Dynamic After creating a LAG, configure the dynamic LAG interfaces. To configure the dynamic LAG interfaces, use the following command. • Configure the dynamic LAG interfaces.
Dell(conf-if-po-32)#end Dell# show lacp 32 Port-channel 32 admin up, oper up, mode lacp Actor System ID: Priority 32768, Address 0001.e800.a12b Partner System ID: Priority 32768, Address 0001.e801.
Configuring Shared LAG State Tracking To configure shared LAG state tracking, you configure a failover group. NOTE: If a LAG interface is part of a redundant pair, you cannot use it as a member of a failover group created for shared LAG state tracking. 1. Enter port-channel failover group mode. CONFIGURATION mode port-channel failover-group 2. Create a failover group and specify the two port-channels that will be members of the group.
ARP type: ARPA, ARP Timeout 04:00:00 Last clearing of "show interface" counters 00:01:28 Queueing strategy: fifo NOTE: The set of console messages shown above appear only if you configure shared LAG state tracking on that router (you can configure the feature on one or both sides of a link). For example, as previously shown, if you configured shared LAG state tracking on R2 only, no messages appear on R4 regarding the state of LAGs in a failover group.
Example of Viewing a LAG Port Configuration Alpha#sh int TenGigabitEthernet 2/31 TenGigabitEthernet 2/31 is up, line protocol is up Port is part of Port-channel 10 Hardware is Force10Eth, address is 00:01:e8:06:95:c0 Current address is 00:01:e8:06:95:c0 Interface Index is 109101113 Port will not be disabled on partial SFM failure Internet address is not set MTU 1554 bytes, IP MTU 1500 bytes LineSpeed 10000 Mbit, Mode full duplex, Slave Flowcontrol rx on tx on ARP type: ARPA, ARP Timeout 04:00:00 Last cleari
Figure 50.
Figure 51.
Bravo(conf-if-po-10)#switch Bravo(conf-if-po-10)#no shut Bravo(conf-if-po-10)#show config ! interface Port-channel 10 no ip address switchport no shutdown ! Bravo(conf-if-po-10)#exit Bravo(conf)#int gig 3/21 Bravo(conf)#no ip address Bravo(conf)#no switchport Bravo(conf)#shutdown Bravo(conf-if-gi-3/21)#port-channel-protocol lacp Bravo(conf-if-gi-3/21-lacp)#port-channel 10 mode active Bravo(conf-if-gi-3/21-lacp)#no shut Bravo(conf-if-gi-3/21)#end ! interface GigabitEthernet 3/21 no ip address ! port-channel-
Figure 52.
Figure 53.
Figure 54. Inspecting the LAG Status Using the show lacp command The point-to-point protocol (PPP) is a connection-oriented protocol that enables layer two links over various different physical layer connections. It is supported on both synchronous and asynchronous lines, and can operate in Half-Duplex or Full-Duplex mode. It was designed to carry IP traffic but is general enough to allow any type of network layer datagram to be sent over a PPP connection.
The collected and derived data rates for the configured rate-interval monitor and examine the working efficiency and traffic-handling capacity of the LAG bundles on high-Gigabit Ethernet trunk interfaces that are created statically. To adjust and modify the switch for effective utilization of backplane links, examine the working efficiency of the LAG bundle interfaces.
Enabling the Verification of Member Links Utilization in a High-Gigabit Port Channel This procedure is supported on the Z9000 platform. To examine the working efficiency of the high-Gigabit Ethernet port channel interfaces, perform the following steps: 1. Use the hg-link-bundle-monitor slot slotId npuUnit npuUnitId hg-port-channel portChannelId enable command in Global Configuration mode to enable this functionality to detect the working efficiency of the high-Gigabit port channel bundle interfaces.
• • • • • • • The shared buffer space that is available to be allotted to the specific port for the corresponding stack unit. • The shared buffer space that is in use by the packets • Whether dynamic packet buffering allocation is activated are displayed. show hardware stack-unit 0 buffer unit {0-5} port all buffer-info—Supports backplane or high-Gigabit ports for all queues in all ports in a specific unit.
24 Layer 2 Manage the MAC Address Table Dell Networking OS provides the following management activities for the MAC address table. • • • • Clearing the MAC Address Table Setting the Aging Time for Dynamic Entries Configuring a Static MAC Address Displaying the MAC Address Table Clearing the MAC Address Table You may clear the MAC address table of dynamic entries. To clear a MAC address table, use the following command. • Clear a MAC address table of dynamic entries.
Displaying the MAC Address Table To display the MAC address table, use the following command. • Display the contents of the MAC address table. EXEC Privilege mode show mac-address-table [address | aging-time [vlan vlan-id]| count | dynamic | interface | static | vlan] • • • • • • • address: displays the specified entry. aging-time: displays the configured aging-time. count: displays the number of dynamic and static entries for all VLANs, and the total number of entries.
NOTE: An SNMP trap is available for mac learning-limit station-move. No other SNMP traps are available for MAC Learning Limit, including limit violations. mac learning-limit Dynamic The MAC address table is stored on the Layer 2 forwarding information base (FIB) region of the CAM. The Layer 2 FIB region allocates space for static MAC address entries and dynamic MAC address entries. When you enable MAC learning limit, entries created on this port are static by default.
mac learning-limit station-move-violation log no shutdown Learning Limit Violation Actions To configure the system to take an action when the MAC learning limit is reached on an interface and a new address is received using one the following options with the mac learning-limit command, use the following commands. • Generate a system log message when the MAC learning limit is exceeded.
• mac learning-limit reset learn-limit-violation [interface | all] Reset interfaces in the ERR_Disabled state caused by a station move violation. EXEC Privilege mode mac learning-limit reset station-move-violation [interface | all] NIC Teaming Network interface controller (NIC) teaming is available on the Z-Series platform.
Figure 56. Configuring the mac-address-table station-move refresh-arp Command Configure Redundant Pairs Networks that employ switches that do not support the spanning tree protocol (STP) — for example, networks with digital subscriber line access multiplexers (DSLAM) — cannot have redundant links between switches because they create switching loops (as shown in the following illustration).
Figure 57. Configuring Redundant Layer 2 Pairs without Spanning Tree You configure a redundant pair by assigning a backup interface to a primary interface with the switchport backup interface command. Initially, the primary interface is active and transmits traffic and the backup interface remains down. If the primary fails for any reason, the backup transitions to an active Up state. If the primary interface fails and later comes back up, it remains as the backup interface for the redundant pair.
As shown in the previous illustration, interface 3/41 is a backup interface for 3/42, and 3/42 is in the Down state. If 3/41 fails, 3/42 transitions to the Up state, which makes the backup link active. A message similar to the following message appears whenever you configure a backup port.
and Te 1/2 Dell(conf-if-po-1)# Far-End Failure Detection FEFD is a protocol that senses remote data link errors in a network. FEFD responds by sending a unidirectional report that triggers an echoed response after a specified time interval. You can enable FEFD globally or locally on an interface basis. Disabling the global FEFD configuration does not disable the interface configuration. Figure 58.
EXEC privilege mode (it can be done globally or one interface at a time) before the FEFD enabled system can become operational again. Table 22.
Te 1/4 Normal 3 Admin Shutdown Dell#show run fefd ! fefd-global mode normal fefd-global interval 3 Enabling FEFD on an Interface To enable, change, or disable FEFD on an interface, use the following commands. • Enable FEFD on a per interface basis. INTERFACE mode • fefd Change the FEFD mode. INTERFACE mode • fefd [mode {aggressive | normal}] Disable FEFD protocol on one interface. INTERFACE mode fefd disable Disabling an interface shuts down all protocols working on that interface’s connected line.
debug fefd packets Dell#debug fefd events Dell#config Dell(conf)#int te 1/1 Dell(conf-if-te-1/1)#shutdown 2w1d22h: %RPM0-P:CP %IFMGR-5-ASTATE_DN: Changed interface Admin state to down: Te 1/1 Dell(conf-if-te-1/1)#2w1d22h : FEFD state on Te 1/1 changed from ANY to Unknown 2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 1/1 2w1d22h: %RPM0-P:CP %IFMGR-5-OSTATE_DN: Changed interface state to down: Te 4/1 2w1d22h: %RPM0-P:CP %IFMGR-5-INACTIVE: Changed Vlan interface state to inactive:
25 Link Layer Discovery Protocol (LLDP) 802.1AB (LLDP) Overview LLDP — defined by IEEE 802.1AB — is a protocol that enables a local area network (LAN) device to advertise its configuration and receive configuration information from adjacent LLDP-enabled LAN infrastructure devices. The collected information is stored in a management information base (MIB) on each device, and is accessible via simple network management protocol (SNMP).
Type TLV Description — Optional Includes sub-types of TLVs that advertise specific configuration information. These sub-types are Management TLVs, IEEE 802.1, IEEE 802.3, and TIA-1057 Organizationally Specific TLVs. Figure 60. LLDPDU Frame Optional TLVs The Dell Networking OS supports these optional TLVs: management TLVs, IEEE 802.1 and 802.3 organizationally specific TLVs, and TIA-1057 organizationally specific TLVs. Management TLVs A management TLV is an optional TLVs sub-type.
Type TLV Description 7 System capabilities Identifies the chassis as one or more of the following: repeater, bridge, WLAN Access Point, Router, Telephone, DOCSIS cable device, end station only, or other. 8 Management address Indicates the network address of the management interface. Dell Networking OS does not currently support this TLV. 127 Port-VLAN ID On Dell Networking systems, indicates the untagged VLAN to which a port belongs.
• • identify physical location identify network policy LLDP-MED is designed for, but not limited to, VoIP endpoints. TIA Organizationally Specific TLVs The Dell Networking system is an LLDP-MED Network Connectivity Device (Device Type 4). Network connectivity devices are responsible for: • • transmitting an LLDP-MED capability TLV to endpoint devices storing the information that endpoint devices advertise The following table describes the five types of TIA-1057 Organizationally Specific TLVs. Table 25.
Type SubType TLV Description 127 11 Inventory — Asset ID Indicates a user specified device number to manage inventory. 127 12–255 Reserved — LLDP-MED Capabilities TLV The LLDP-MED capabilities TLV communicates the types of TLVs that the endpoint device and the network connectivity device support. LLDP-MED network connectivity devices must transmit the Network Policies TLV.
An integer represents the application type (the Type integer shown in the following table), which indicates a device function for which a unique network policy is defined. An individual LLDP-MED network policy TLV is generated for each application type that you specify with the Dell Networking OS CLI (Advertising TLVs).
using the max-milliwatts option with the power inline auto | static command. Dell Networking also honors the power value (power requirement) the powered device sends when the port is configured for power inline auto. Figure 64. Extended Power via MDI TLV Configure LLDP Configuring LLDP is a two-step process. 1. Enable LLDP globally. 2. Advertise TLVs out of an interface.
exit hello mode multiplier no show Exit from LLDP configuration mode LLDP hello configuration LLDP mode configuration (default = rx and tx) LLDP multiplier configuration Negate a command or set its defaults Show LLDP configuration Dell(conf-lldp)#exit Dell(conf)#interface tengigabitethernet 1/3 Dell(conf-if-te-1/3)#protocol lldp Dell(conf-if-te-1/3-lldp)#? advertise Advertise TLVs disable Disable LLDP protocol on this interface end Exit from configuration mode exit Exit from LLDP configuration mode hello
1. Enter Protocol LLDP mode. CONFIGURATION mode. protocol lldp 2. Enter LLDP management-interface mode. LLDP-MANAGEMENT-INTERFACE mode. management-interface 3. Enter the disable command. LLDP-MANAGEMENT-INTERFACE mode. To undo an LLDP management port configuration, precede the relevant command with the keyword no. Advertising TLVs You can configure the system to advertise TLVs out of all interfaces or out of specific interfaces.
Figure 65. Configuring LLDP Viewing the LLDP Configuration To view the LLDP configuration, use the following command. • Display the LLDP configuration.
show lldp neighbors detail Example of Viewing Brief Information Advertised by Neighbors Dell(conf-if-te-1/3-lldp)#end Dell (conf-if-te-1/3)#do show lldp neighbors Loc PortID Rem Host Name Rem Port Id Rem Chassis Id -------------------------------------------------------------------Te 1/1 TenGigabitEthernet 1/5 00:01:e8:05:40:46 Te 1/2 TenGigabitEthernet 1/6 00:01:e8:05:40:46 Dell (conf-if-te-1/3)# Example of Viewing Details Advertised by Neighbors Dell#show lldp neighbors detail ============================
rx Rx only tx Tx only R1(conf-lldp)#mode tx R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description mode tx no disable R1(conf-lldp)#no mode R1(conf-lldp)#show config ! protocol lldp advertise dot1-tlv port-protocol-vlan-id port-vlan-id advertise dot3-tlv max-frame-size advertise management-tlv system-capabilities system-description no disable R1(conf-lldp)# Configuring
Configuring a Time to Live The information received from a neighbor expires after a specific amount of time (measured in seconds) called a time to live (TTL). The TTL is the product of the LLDPDU transmit interval (hello) and an integer called a multiplier. The default multiplier is 4, which results in a default TTL of 120 seconds. • Adjust the TTL value. • CONFIGURATION mode or INTERFACE mode. multiplier Return to the default multiplier value. CONFIGURATION mode or INTERFACE mode.
Figure 66. The debug lldp detail Command — LLDPDU Packet Dissection Relevant Management Objects Dell Networking OS supports all IEEE 802.1AB MIB objects. The following tables list the objects associated with: • • • • received and transmitted TLVs the LLDP configuration on the local agent IEEE 802.1AB Organizationally Specific TLVs received and transmitted LLDP-MED TLVs Table 29.
MIB Object Category LLDP Variable LLDP MIB Object Description LLDP Statistics statsAgeoutsTotal lldpStatsRxPortAgeoutsTotal Total number of times that a neighbor’s information is deleted on the local system due to an rxInfoTTL timer expiration. statsFramesDiscardedTotal lldpStatsRxPortFramesDiscardedTot al Total number of LLDP frames received then discarded. statsFramesInErrorsTotal lldpStatsRxPortFramesErrors Total number of LLDP frames received on a port with errors.
TLV Type TLV Name TLV Variable interface numbering subtype interface number OID System LLDP MIB Object Remote lldpRemManAddr Local lldpLocManAddrIfSubtype Remote lldpRemManAddrIfSubtype Local lldpLocManAddrIfId Remote lldpRemManAddrIfId Local lldpLocManAddrOID Remote lldpRemManAddrOID Table 31. LLDP 802.
TLV Sub-Type TLV Name TLV Variable Unknown Policy Flag Tagged Flag VLAN ID L2 Priority DSCP Value 3 Location Identifier Location Data Format Location ID Data 4 Extended Power via MDI Power Device Type Power Source System LLDP-MED MIB Object Remote lldpXMedRemMediaPolicyA ppType Local lldpXMedLocMediaPolicyU nknown Remote lldpXMedLocMediaPolicyU nknown Local lldpXMedLocMediaPolicyTa gged Remote lldpXMedLocMediaPolicyTa gged Local lldpXMedLocMediaPolicyVl anID Remote lldpXMedRem
TLV Sub-Type TLV Name TLV Variable System LLDP-MED MIB Object Power Value Local lldpXMedLocXPoEPSEPort PowerAv lldpXMedLocXPoEPDPowe rReq Remote lldpXMedRemXPoEPSEPo werAv lldpXMedRemXPoEPDPow erReq Link Layer Discovery Protocol (LLDP) 387
26 Microsoft Network Load Balancing This functionality is supported on Dell Networking OS. Network Load Balancing (NLB) is a clustering functionality that is implemented by Microsoft on Windows 2000 Server and Windows Server 2003 operating systems. NLB uses a distributed methodology or pattern to equally split and balance the network traffic load across a set of servers that are part of the cluster or group.
• • • The NLB unicast mode uses switch flooding to transmit all packets to all the servers that are part of the VLAN. When a large volume of traffic is processed, the clustering performance might be impacted in a small way. This limitation is applicable to switches that perform unicast flooding in the software. The ip vlan-flooding command applies globally across the system and for all VLANs.
arp ip-address multicast-mac-address interface 2. Associate specific MAC or hardware addresses to VLANs.
27 Multicast Source Discovery Protocol (MSDP) Multicast source discovery protocol (MSDP) is supported on Dell Networking OS. Protocol Overview MSDP is a Layer 3 protocol that connects IPv4 protocol-independent multicast-sparse mode (PIM-SM) domains. A domain in the context of MSDP is a contiguous set of routers operating PIM within a common boundary defined by an exterior gateway protocol, such as border gateway protocol (BGP).
Figure 68.
Implementation Information The Dell Networking OS implementation of MSDP is in accordance with RFC 3618 and Anycast RP is in accordance with RFC 3446. Configure Multicast Source Discovery Protocol Configuring MSDP is a four-step process. 1. Enable an exterior gateway protocol (EGP) with at least two routing domains. Refer to the following figures. The MSDP Sample Configurations show the OSPF-BGP configuration used in this chapter for MSDP.
Figure 69.
Figure 70.
Figure 71.
Figure 72. Configuring MSDP Enable MSDP Enable MSDP by peering RPs in different administrative domains. 1. Enable MSDP. CONFIGURATION mode ip multicast-msdp 2. Peer PIM systems in different administrative domains. CONFIGURATION mode ip msdp peer connect-source R3_E600(conf)#ip multicast-msdp R3_E600(conf)#ip msdp peer 192.168.0.
Multicast sources in remote domains are stored on the RP in the source-active cache (SA cache). The system does not create entries in the multicast routing table until there is a local receiver for the corresponding multicast group. R3_E600#show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 192.168.0.
Enabling the Rejected Source-Active Cache To cache rejected sources, use the following command. Active sources can be rejected because the RPF check failed, the SA limit is reached, the peer RP is unreachable, or the SA message has a format error. • Cache rejected sources. CONFIGURATION mode ip msdp cache-rejected-sa Accept Source-Active Messages that Fail the RFP Check A default peer is a peer from which active sources are accepted even though they fail the RFP check.
Figure 74.
Figure 75.
Figure 76. MSDP Default Peer, Scenario 4 Specifying Source-Active Messages To specify messages, use the following command. • Specify the forwarding-peer and originating-RP from which all active sources are accepted without regard for the RPF check. CONFIGURATION mode ip msdp default-peer ip-address list If you do not specify an access list, the peer accepts all sources that peer advertises. All sources from RPs that the ACL denies are subject to the normal RPF check. Dell(conf)#ip msdp peer 10.0.50.
MSDP Rejected SA Cache 3 rejected SAs received, cache-size 32766 UpTime GroupAddr SourceAddr RPAddr 00:33:18 229.0.50.64 24.0.50.64 200.0.1.50 00:33:18 229.0.50.65 24.0.50.65 200.0.1.50 00:33:18 229.0.50.66 24.0.50.66 200.0.1.50 LearnedFrom 10.0.50.2 10.0.50.2 10.0.50.2 Reason Rpf-Fail Rpf-Fail Rpf-Fail Limiting the Source-Active Messages from a Peer To limit the source-active messages from a peer, use the following commands. 1.
ip msdp cache-rejected-sa 2. Prevent the system from caching remote sources learned from a specific peer based on source and group. CONFIGURATION mode ip msdp sa-filter list out peer list ext-acl As shown in the following example, R1 is advertising source 10.11.4.2. It is already in the SA cache of R3 when an ingress SA filter is applied to R3. The entry remains in the SA cache until it expires and is not stored in the rejected SA cache.
R3_E600(conf)#do show ip msdp sa-cache R3_E600(conf)# To display the configured SA filters for a peer, use the show ip msdp peer command from EXEC Privilege mode. Logging Changes in Peership States To log changes in peership states, use the following command. • Log peership state changes. CONFIGURATION mode ip msdp log-adjacency-changes Terminating a Peership MSDP uses TCP as its transport protocol.
SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none R3_E600(conf)#do clear ip msdp peer 192.168.0.1 R3_E600(conf)#do show ip msdp peer Peer Addr: 192.168.0.1 Local Addr: 0.0.0.0(0) Connect Source: Lo 0 State: Inactive Up/Down Time: 00:00:04 Timers: KeepAlive 30 sec, Hold time 75 sec SourceActive packet count (in/out): 0/0 SAs learned from this peer: 0 SA Filtering: Input (S,G) filter: myremotefilter Output (S,G) filter: none Debugging MSDP To debug MSDP, use the following command.
Figure 77. MSDP with Anycast RP Configuring Anycast RP To configure anycast RP, use the following commands. 1. In each routing domain that has multiple RPs serving a group, create a Loopback interface on each RP serving the group with the same IP address. CONFIGURATION mode interface loopback 2. Make this address the RP for the group. CONFIGURATION mode ip pim rp-address 3.
network Reducing Source-Active Message Flooding RPs flood source-active messages to all of their peers away from the RP. When multiple RPs exist within a domain, the RPs forward received active source information back to the originating RP, which violates the RFP rule. You can prevent this unnecessary flooding by creating a mesh-group. A mesh in this context is a topology in which each RP in a set of RPs has a peership with all other RPs in the set.
The following example shows an R2 configuration for MSDP with Anycast RP. ip multicast-routing ! interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.4.1/24 no shutdown ! interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.1.21/24 no shutdown ! interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.0.23/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! interface Loopback 1 ip address 192.168.0.
network 10.11.6.0/24 area 0 network 192.168.0.3/32 area 0 redistribute static redistribute connected redistribute bgp 200 ! router bgp 200 redistribute ospf 1 neighbor 192.168.0.22 remote-as 100 neighbor 192.168.0.22 ebgp-multihop 255 neighbor 192.168.0.22 update-source Loopback 0 neighbor 192.168.0.22 no shutdown ! ip multicast-msdp ip msdp peer 192.168.0.11 connect-source Loopback 0 ip msdp peer 192.168.0.22 connect-source Loopback 0 ip msdp sa-filter out 192.168.0.22 ! ip route 192.168.0.1/32 10.11.0.
MSDP Sample Configuration: R1 Running-Config ip multicast-routing ! interface TenGigabitEthernet 1/1 ip pim sparse-mode ip address 10.11.3.1/24 no shutdown ! interface TenGigabitEthernet 1/2 ip address 10.11.2.1/24 no shutdown ! interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.1.12/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.1/32 no shutdown ! router ospf 1 network 10.11.2.0/24 area 0 network 10.11.1.0/24 area 0 network 192.168.0.1/32 area 0 network 10.
ip route 192.168.0.3/32 10.11.0.32 ! ip pim rp-address 192.168.0.1 group-address 224.0.0.0/4 MSDP Sample Configuration: R3 Running-Config ip multicast-routing ! interface TenGigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.0.32/24 no shutdown ! interface TenGigabitEthernet 3/41 ip pim sparse-mode ip address 10.11.6.34/24 no shutdown ! interface ManagementEthernet 1/1 ip address 10.11.80.3/24 no shutdown ! interface Loopback 0 ip pim sparse-mode ip address 192.168.0.
network 192.168.0.4/32 area 0 ! ip pim rp-address 192.168.0.3 group-address 224.0.0.
28 Multiple Spanning Tree Protocol (MSTP) Multiple spanning tree protocol (MSTP) is supported on Dell Networking OS. Protocol Overview MSTP — specified in IEEE 802.1Q-2003 — is a rapid spanning tree protocol (RSTP)-based spanning tree variation that improves on perVLAN spanning tree plus (PVST+). MSTP allows multiple spanning tree instances and allows you to map many VLANs to one spanning tree instance to reduce the total number of required instances.
• • • Flush MAC Addresses after a Topology Change MSTP Sample Configurations Debugging and Verifying MSTP Configurations Spanning Tree Variations The Dell Networking OS supports four variations of spanning tree, as shown in the following table. Table 33. Spanning Tree Variations Dell Networking Term IEEE Specification Spanning Tree Protocol (STP) 802 .1d Rapid Spanning Tree Protocol (RSTP) 802 .1w Multiple Spanning Tree Protocol (MSTP) 802 .
Enable Multiple Spanning Tree Globally MSTP is not enabled by default. To enable MSTP globally, use the following commands. When you enable MSTP, all physical, VLAN, and port-channel interfaces that are enabled and in Layer 2 mode are automatically part of the MSTI 0. • • Within an MSTI, only one path from any bridge to any other bridge is enabled. Bridges block a redundant path by disabling one of the link ports. 1. Enter PROTOCOL MSTP mode. CONFIGURATION mode protocol spanning-tree mstp 2. Enable MSTP.
To view which instance a VLAN is mapped to, use the show spanning-tree mst vlan command from EXEC Privilege mode. Dell(conf-mstp)#name my-mstp-region Dell(conf-mstp)#exit Dell(conf)#do show spanning-tree mst config MST region name: my-mstp-region Revision: 0 MSTI VID 1 100 2 200-300 To view the forwarding/discarding state of the ports participating in an MSTI, use the show spanning-tree msti command from EXEC Privilege mode.
protocol spanning-tree mstp no disable MSTI 1 VLAN 100 MSTI 2 VLAN 200,300 MSTI 2 bridge-priority 0 Interoperate with Non-Dell Networking OS Bridges Dell Networking OS supports only one MSTP region. A region is a combination of three unique qualities: • • • Name is a mnemonic string you assign to the region. The default region name on Dell Networking OS is null. Revision is a 2-byte number. The default revision number on Dell Networking OS is 0.
PROTOCOL MSTP mode forward-delay seconds The range is from 4 to 30. The default is 15 seconds. 2. Change the hello-time parameter. PROTOCOL MSTP mode hello-time seconds NOTE: With large configurations (especially those configurations with more ports) Dell Networking recommends increasing the hello-time. The range is from 1 to 10. The default is 2 seconds. 3. Change the max-age parameter. PROTOCOL MSTP mode max-age seconds The range is from 6 to 40. The default is 20 seconds. 4.
Port Cost Default Value Port Channel with 10-Gigabit Ethernet interfaces 1800 To change the port cost or priority of an interface, use the following commands. 1. Change the port cost of an interface. INTERFACE mode spanning-tree msti number cost cost The range is from 0 to 200000. For the default, refer to the default values shown in the table.. 2. Change the port priority of an interface. INTERFACE mode spanning-tree msti number priority priority The range is from 0 to 240, in increments of 16.
no shutdown Dell(conf-if-te-3/11)# Flush MAC Addresses after a Topology Change Dell Networking OS has an optimized MAC address flush mechanism for RSTP, MSTP, and PVST+ that flushes addresses only when necessary, which allows for faster convergence during topology changes. However, you may activate the flushing mechanism defined by 802.1Q-2003 using the tc-flush-standard command, which flushes MAC addresses after every topology change notification.
! interface TenGigabitEthernet 1/31 no ip address switchport no shutdown ! (Step 3) interface Vlan 100 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 1/21,31 no shutdown Router 2 Running-Configuration This example uses the following steps: 1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2.
1. Enable MSTP globally and set the region name and revision map MSTP instances to the VLANs. 2. Assign Layer-2 interfaces to the MSTP topology. 3. Create VLANs mapped to MSTP instances tag interfaces to the VLANs.
(Step 3) interface vlan 100 tagged 1/0/31 tagged 1/0/32 exit interface vlan 200 tagged 1/0/31 tagged 1/0/32 exit interface vlan 300 tagged 1/0/31 tagged 1/0/32 exit Debugging and Verifying MSTP Configurations To debut and verify MSTP configuration, use the following commands. • • Display BPDUs. EXEC Privilege mode debug spanning-tree mstp bpdu Display MSTP-triggered topology change messages.
Dell# 4w0d4h : MSTP: Sending BPDU on Te 2/21 : ProtId: 0, Ver: 3, Bpdu Type: MSTP, Flags 0x6e CIST Root Bridge Id: 32768:0001.e806.953e, Ext Path Cost: 0 Regional Bridge Id: 32768:0001.e806.953e, CIST Port Id: 128:470 Msg Age: 0, Max Age: 20, Hello: 2, Fwd Delay: 15, Ver1 Len: 0, Ver3 Len: 96 Name: Tahiti, Rev: 123, Int Root Path Cost: 0 Rem Hops: 20, Bridge Id: 32768:0001.e806.953e 4w0d4h : INST 1: Flags: 0x6e, Reg Root: 32768:0001.e806.
29 Multicast Features Multicast features are supported on Dell Networking OS. NOTE: Multicast is supported on secondary IP addresses on the platform. NOTE: Multicast routing for IPv6 is not supported. NOTE: Multicast routing is supported across default and non-default VRFs.
Figure 80. Multicast with ECMP Implementation Information Because protocol control traffic in Dell Networking OS is redirected using the MAC address, and multicast control traffic and multicast data traffic might map to the same MAC address, Dell Networking OS might forward data traffic with certain MAC addresses to the CPU in addition to control traffic. As the upper5 bits of an IP Multicast address are dropped in the translation, 32 different multicast group IDs all map to the same Ethernet address.
First Packet Forwarding for Lossless Multicast All initial multicast packets are forwarded to receivers to achieve lossless multicast. In previous versions, when the Dell Networking system is an RP, all initial packets are dropped until PIM creates an (S,G) entry. When the system is an RP and a Source DR, these initial packet drops represent a loss of native data, and when the system is an RP only, the initial packets drops represent a loss of register packets.
NOTE: The IN-L3-McastFib CAM partition is used to store multicast routes and is a separate hardware limit that exists per port-pipe. Any software-configured limit may supersede by this hardware space limitation. The opposite is also true, the CAM partition might not be exhausted at the time the system-wide route limit the ip multicast-limit command sets is reached. Preventing a Host from Joining a Group You can prevent a host from joining a particular group by blocking specific IGMP reports.
Figure 81. Preventing a Host from Joining a Group Table 35. Preventing a Host from Joining a Group — Description Location Description 1/21 • • • • Interface TenGigabitEthernet 1/21 ip pim sparse-mode ip address 10.11.12.1/24 no shutdown 1/31 • • • • Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.
Location Description • • • ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.1/24 no shutdown 3/1 • • • • Interface TenGigabitEthernet 3/1 ip pim sparse-mode ip address 10.11.5.1/24 no shutdown 3/11 • • • • Interface TenGigabitEthernet 3/11 ip pim sparse-mode ip address 10.11.13.2/24 no shutdown 3/21 • • • • Interface TenGigabitEthernet 3/21 ip pim sparse-mode ip address 10.11.23.
Preventing a Source from Registering with the RP To prevent the PIM source DR from sending register packets to RP for the specified multicast source and group, use the following command. If the source DR never sends register packets to the RP, no hosts can ever discover the source and create a shortest path tree (SPT) to it. • Prevent a source from transmitting to a particular group.
Location Description • no shutdown 1/31 • • • • Interface TenGigabitEthernet 1/31 ip pim sparse-mode ip address 10.11.13.1/24 no shutdown 2/1 • • • • Interface TenGigabitEthernet 2/1 ip pim sparse-mode ip address 10.11.1.1/24 no shutdown 2/11 • • • • Interface TenGigabitEthernet 2/11 ip pim sparse-mode ip address 10.11.12.2/24 no shutdown 2/31 • • • • Interface TenGigabitEthernet 2/31 ip pim sparse-mode ip address 10.11.23.
Excessive traffic is generated when the join process from the RP back to the source is blocked due to a new source group being permitted in the join-filter. This results in the new source becoming stuck in registering on the DR and the continuous generation of UDP-encapsulated registration messages between the DR and RP routers which are being sent to the CPU. • Prevent the PIM SM router from creating state based on multicast source and/ or group.
30 Object Tracking IPv4/IPv6 object tracking is available on Dell Networking OS. Object tracking allows the Dell Networking Operating System (OS) client processes, such as virtual router redundancy protocol (VRRP), to monitor tracked objects (for example, interface or link status) and take appropriate action when the state of an object changes. NOTE: In Dell Networking OS release version 8.4.1.0, object tracking is supported only on VRRP.
Figure 83. Object Tracking Example When you configure a tracked object, such as an IPv4/IPv6 a route or interface, you specify an object number to identify the object. Optionally, you can also specify: • • UP and DOWN thresholds used to report changes in a route metric. A time delay before changes in a tracked object’s state are reported to a client. Track Layer 2 Interfaces You can create an object to track the line-protocol state of a Layer 2 interface.
A tracked route matches a route in the routing table only if the exact address and prefix length match an entry in the routing table. For example, when configured as a tracked route, 10.0.0.0/24 does not match the routing table entry 10.0.0.0/8. If no route-table entry has the exact address and prefix length, the tracked route is considered to be DOWN.
NOTE: In VRRP object tracking, the sum of the priority costs for all tracked objects and interfaces cannot equal or exceed the priority of the VRRP group. Object Tracking Configuration You can configure three types of object tracking for a client. • • • Track Layer 2 Interfaces Track Layer 3 Interfaces Track an IPv4/IPv6 Route For a complete listing of all commands related to object tracking, refer to the Dell Networking OS Command Line Interface Reference Guide.
Interface TenGigabitEthernet 7/1 line-protocol Description: San Jose data center Tracking a Layer 3 Interface You can create an object that tracks the routing status of an IPv4 or IPv6 Layer 3 interface. You can track the routing status of any of the following Layer 3 interfaces: • • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. For a port channel interface, enter the keywords port-channel then a number.
Track 103 Interface TenGigabitEthernet 7/11 ipv6 routing Description: Austin access point Track an IPv4/IPv6 Route You can create an object that tracks the reachability or metric of an IPv4 or IPv6 route. You specify the route to be tracked by its address and prefix-length values. Optionally, for an IPv4 route, you can enter a VRF instance name if the route is part of a VPN routing and forwarding (VRF) table. The next-hop address is not part of the definition of a tracked IPv4/IPv6 route.
Enter an IPv6 address in X:X:X:X::X format; valid IPv6 prefix lengths are from / 0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name to specify the virtual routing table to which the tracked route belongs. 2. (Optional) Configure the time delay used before communicating a change in the status of a tracked route. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 3.
Enter an IPv6 address in X:X:X:X::X format. Valid IPv6 prefix lengths are from /0 to /128. (Optional) E-Series only: For an IPv4 route, you can enter a VRF name. 3. (Optional) Configure the time delay used before communicating a change in the UP and/or DOWN status of a tracked route. OBJECT TRACKING mode delay {[up seconds] [down seconds]} Valid delay times are from 0 to 180 seconds. The default is 0. 4. (Optional) Identify the tracked object with a text description.
Track 2 IPv6 route 2040::/64 metric threshold Metric threshold is Up (STATIC/0/0) 5 changes, last change 00:02:16 Metric threshold down 255 up 254 First-hop interface is GigabitEthernet 13/2 Tracked by: VRRP GigabitEthernet 7/30 IPv6 VRID 1 Track 3 IPv6 route 2050::/64 reachability Reachability is Up (STATIC) 5 changes, last change 00:02:16 First-hop interface is GigabitEthernet 13/2 Tracked by: VRRP GigabitEthernet 7/30 IPv6 VRID 1 Track 4 Interface GigabitEthernet 13/4 ip routing IP routing is Up 3 change
31 Open Shortest Path First (OSPFv2 and OSPFv3) Open shortest path first (OSPFv2 for IPv4) and OSPF version 3 (OSPF for IPv6) are supported on Dell Networking OS. This chapter provides a general description of OSPFv2 (OSPF for IPv4) and OSPFv3 (OSPF for IPv6) as supported in the Dell Networking Operating System (OS). NOTE: The fundamental mechanisms of OSPF (flooding, DR election, area support, SPF calculations, and so on) are the same between OSPFv2 and OSPFv3.
Figure 84. Autonomous System Areas Area Types The backbone of the network is Area 0. It is also called Area 0.0.0.0 and is the core of any AS. All other areas must connect to Area 0. Areas can be defined in such a way that the backbone is not contiguous. In this case, backbone connectivity must be restored through virtual links. Virtual links are configured between any backbone routers that share a link to a nonbackbone area and function as if they were direct links.
Networks and Neighbors As a link-state protocol, OSPF sends routing information to other OSPF routers concerning the state of the links between them. The state (up or down) of those links is important. Routers that share a link become neighbors on that segment. OSPF uses the Hello protocol as a neighbor discovery and keep alive mechanism. After two routers are neighbors, they may proceed to exchange and synchronize their databases, which creates an adjacency.
Backbone Router (BR) A backbone router (BR) is part of the OSPF Backbone, Area 0. This includes all ABRs. It can also include any routers that connect only to the backbone and another ABR, but are only part of Area 0, such as Router I in the previous example. Area Border Router (ABR) Within an AS, an area border router (ABR) connects one or more areas to the backbone. The ABR keeps a copy of the link-state database for every area it connects to, so it may keep multiple copies of the link state database.
• • • • • Type 5: LSA — These LSAs contain information imported into OSPF from other routing processes. They are flooded to all areas, except stub areas. The link-state ID of the Type 5 LSA is the external network number. Type 7: External LSA — Routers in an NSSA do not receive external LSAs from ABRs, but are allowed to send external routing information for redistribution.
Figure 86. Priority and Cost Examples OSPF with Dell Networking OS Dell Networking OS supports up to 10,000 OSPF routes for OSPFv2. Within that 10,000 routes, you can designate up to 8,000 routes as external and up to 2,000 as inter/intra area routes. Dell Networking OS version 9.4(0.0) and later support only one OSPFv2 process per VRF. Dell Networking OS version 9.7(0.0) and later support OSPFv3 in VRF. Also, on OSPFv3, Dell Networking OS supports only one OSPFv3 process per VRF.
OSPF graceful restart understands that in a modern router, the control plane and data plane functionality are separate, restarting the control plane functionality (such as the failover of the active RPM to the backup in a redundant configuration), does not necessarily have to interrupt the forwarding of data packets.
Each OSPFv2 process has a unique process ID and must have an associated router ID. There must be an equal number of interfaces and must be in Layer-3 mode for the number of processes created. For example, if you create five OSPFv2 processes on a system, there must be at least five interfaces assigned in Layer 3 mode. Each OSPFv2 process is independent. If one process loses adjacency, the other processes continue to function.
Number of area in this router is 1, normal 0 stub 0 nssa 1 --More-- OSPF ACK Packing The OSPF ACK packing feature bundles multiple LS acknowledgements in a single packet, significantly reducing the number of ACK packets transmitted when the number of LSAs increases. This feature also enhances network utilization and reduces the number of small ACK packets sent to a neighboring router. OSPF ACK packing is enabled by default and non-configurable.
Configuration Task List for OSPFv2 (OSPF for IPv4) The following configuration tasks include two mandatory tasks and several optional tasks: • • • • • • • • • • • • • • Enabling OSPFv2 (mandatory) Assigning a Router ID Enabling Multi-Process OSPF Assigning an OSPFv2 Area (mandatory) Enable OSPFv2 on Interfaces Configuring Stub Areas Enabling Passive Interfaces Enabling Fast-Convergence Changing OSPFv2 Parameters on Interfaces Enabling OSPFv2 Authentication Creating Filter Routes Applying Prefix Lists Redis
Assigning a Router ID In CONFIGURATION ROUTER OSPF mode, assign the router ID. The router ID is not required to be the router’s IP address. However, Dell Networking recommends using the IP address as the router ID for easier management and troubleshooting. Optional process-id commands are also described. • Assign the router ID for the OSPFv2 process. • CONFIG-ROUTER-OSPF-id mode router-id ip address Disable OSPF. • CONFIGURATION mode no router ospf process-id Reset the OSPFv2 process.
Assigning an OSPFv2 Area After you enable OSPFv2, assign the interface to an OSPF area. Set up OSPF areas and enable OSPFv2 on an interface with the network command. You must have at least one AS area: Area 0. This is the backbone area. If your OSPF network contains more than one area, configure a backbone area (Area ID 0.0.0.0). Any area besides Area 0 can have any number ID assigned to it. The OSPFv2 process evaluates the network commands in the order they are configured.
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:04 Neighbor Count is 0, Adjacent neighbor count is 0 TenGigabitEthernet 1/21 is up, line protocol is up Internet Address 10.2.3.1/24, Area 0.0.0.0 Process ID 1, Router ID 11.1.2.1, Network Type BROADCAST, Cost: 1 Transmit Delay is 1 sec, State BDR, Priority 1 Designated Router (ID) 13.1.1.1, Interface address 10.2.3.2 Backup Designated Router (ID) 11.1.2.1, Interface address 10.2.3.
Area ID is the number or IP address assigned when creating the area. To view which LSAs are transmitted, use the show ip ospf database process-id database-summary command in EXEC Privilege mode. Dell#show ip ospf 34 database database-summary OSPF Router with ID (10.1.2.100) (Process ID 34) Area 2.2.2.2 3.3.3.3 Dell# ID Router Network S-Net S-ASBR Type-7 Subtotal 1 0 0 0 0 1 1 0 0 0 0 1 To view information on areas, use the show ip ospf process-id command in EXEC Privilege mode.
Internet Address 10.1.1.23/24, Area 2.2.2.2 Process ID 34, Router ID 10.1.2.100, Network Type LOOPBACK, Cost: 1 Enabling Fast-Convergence The fast-convergence CLI sets the minimum origination and arrival LSA parameters to zero (0), allowing rapid route calculation. When you disable fast-convergence, origination and arrival LSA parameters are set to 5 seconds and 1 second, respectively. Setting the convergence parameter (from 1 to 4) indicates the actual convergence level.
• • cost: The range is from 1 to 65535 (the default depends on the interface speed). Change the time interval the router waits before declaring a neighbor dead. CONFIG-INTERFACE mode ip ospf dead-interval seconds • seconds: the range is from 1 to 65535 (the default is 40 seconds). The dead interval must be four times the hello interval. • The dead interval must be the same on all routers in the OSPF network. Change the time interval between hello-packet transmission.
Transmit Delay is 1 sec, State DR, Priority 1 Designated Router (ID) 10.1.2.100, Interface address 10.1.2.100 Backup Designated Router (ID) 10.1.2.100, Interface address 0.0.0.0 Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:06 Neighbor Count is 0, Adjacent neighbor count is 0 Dell# Enabling OSPFv2 Authentication To enable or change various OSPF authentication parameters, use the following commands. • Set a clear text authentication scheme on the interface.
By default, OSPFv2 supports both planned and unplanned restarts. Selecting one or the other mode restricts OSPFv2 to the single selected mode. 3. Configure the graceful restart role or roles that this OSPFv2 router performs. CONFIG-ROUTEROSPF- id mode graceful-restart role [helper-only | restart-only] Dell Networking OS supports the following options: • • Helper-only: the OSPFv2 router supports graceful-restart only as a helper router.
distribute-list prefix-list-name out [connected | isis | rip | static] Redistributing Routes You can add routes from other routing instances or protocols to the OSPF process. With the redistribute command, you can include RIP, static, or directly connected routes in the OSPF process. NOTE: Do not route iBGP routes to OSPF unless there are route-maps associated with the OSPF redistribution. To redistribute routes, use the following command. • Specify which routes are redistributed into OSPF process.
• EXEC Privilege mode show ip route summary View the summary information for the OSPF database. • EXEC Privilege mode show ip ospf database View the configuration of OSPF neighbors connected to the local router. • EXEC Privilege mode show ip ospf neighbor View the LSAs currently in the queue. • EXEC Privilege mode show ip ospf timers rate-limit View debug messages.
Figure 87. Basic Topology and CLI Commands for OSPFv2 OSPF Area 0 — Te 1/1 and 1/2 router ospf 11111 network 10.0.11.0/24 area 0 network 10.0.12.0/24 area 0 network 192.168.100.0/24 area 0 ! interface TenGigabitEthernet 1/1 ip address 10.1.11.1/24 no shutdown ! interface TenGigabitEthernet 1/2 ip address 10.2.12.2/24 no shutdown ! interface Loopback 10 ip address 192.168.100.100/24 no shutdown OSPF Area 0 — Te 3/1 and 3/2 router ospf 33333 network 192.168.100.0/24 area 0 network 10.0.13.
OSPF Area 0 — Te 2/1 and 2/2 router ospf 22222 network 192.168.100.0/24 area 0 network 10.2.21.0/24 area 0 network 10.2.22.0/24 area 0 ! interface Loopback 20 ip address 192.168.100.20/24 no shutdown ! interface TenGigabitEthernet 2/1 ip address 10.2.21.2/24 no shutdown ! interface TenGigabitEthernet 2/2 ip address 10.2.22.
no shutdown Assigning Area ID on an Interface To assign the OSPFv3 process to an interface, use the following command. The ipv6 ospf area command enables OSPFv3 on an interface and places the interface in the specified area. Additionally, the command creates the OSPFv3 process with ID on the router. OSPFv2 requires two commands to accomplish the same tasks — the router ospf command to create the OSPF process, then the network area command to enable OSPFv2 on an interface.
• Specify whether some or all some of the interfaces are passive. CONF-IPV6-ROUTER-OSPF mode passive-interface {interface slot/port} Interface: identifies the specific interface that is passive. • • • • For a 10-Gigabit Ethernet interface, enter the keyword TenGigabitEthernet then the slot/port information. For a 40-Gigabit Ethernet interface, enter the keyword fortyGigE then the slot/port information. For a port channel interface, enter the keywords port-channel then a number.
OSPFv3 neighbors continue to advertise the restarting router as though it is fully adjacent. When you enable graceful restart (restarting role), an OSPFv3 restarting expects its OSPFv3 neighbors to help when it restarts by not advertising the broken link. When you enable the helper-reject role on an interface using the ipv6 ospf graceful-restart helper-reject command, you reconfigure OSPFv3 graceful restart to function in a restarting-only role.
The following example shows the show ipv6 ospf database database-summary command. Dell#show ipv6 ospf database database-summary ! OSPFv3 Router with ID (200.1.1.
• • HA — IPsec authentication header is used in packet authentication to verify that data is not altered during transmission and ensures that users are communicating with the intended individual or organization. Insert the authentication header after the IP header with a value of 51. AH provides integrity and validation of data origin by authenticating every OSPFv3 packet. For detailed information about the IP AH protocol, refer to RFC 4302.
Configuring IPsec Authentication on an Interface To configure, remove, or display IPsec authentication on an interface, use the following commands. Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area (refer to Configuration Task List for OSPFv3 (OSPF for IPv6)).
• • • • • key-authentication-type: (optional) specifies if the authentication key is encrypted. The valid values are 0 or 7. Remove an IPsec encryption policy from an interface. no ipv6 ospf encryption ipsec spi number Remove null encryption on an interface to allow the interface to inherit the encryption policy configured for the OSPFv3 area. no ipv6 ospf encryption null Display the configuration of IPsec encryption policies on the router.
CONF-IPV6-ROUTER-OSPF mode area area-id encryption ipsec spi number esp encryption-algorithm [key-encryption-type] key authentication-algorithm [key-authentication-type] key • • • • • • • • • • area area-id: specifies the area for which OSPFv3 traffic is to be encrypted. For area-id, enter a number or an IPv6 prefix. spi number: is the security policy index (SPI) value. The range is from 256 to 4294967295. esp encryption-algorithm: specifies the encryption algorithm used with ESP.
Policy name Policy refcount Inbound AH SPI Outbound AH SPI Inbound AH Key Outbound AH Key Transform set : : : : : : : OSPFv3-1-500 2 500 (0x1F4) 500 (0x1F4) bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e bbdd96e6eb4828e2e27bc3f9ff541e43faa759c9ef5706ba8ed8bb5efe91e97e ah-md5-hmac Crypto IPSec client security policy data Policy name : OSPFv3-0-501 Policy refcount : 1 Inbound ESP SPI : 501 (0x1F5) Outbound ESP SPI : 501 (0x1F5) Inbound ESP Auth Key : bbdd96e6eb4828e2e27bc3f9ff541e43faa759
Troubleshooting OSPFv3 Dell Networking OS has several tools to make troubleshooting easier. Consider the following information as these are typical issues that interrupt the OSPFv3 process. NOTE: The following troubleshooting section is not meant to be a comprehensive list, only examples of typical troubleshooting checks.
32 Policy-based Routing (PBR) Policy-based Routing (PBR) allows a switch to make routing decisions based on policies applied to an interface.
To enable a PBR, you create a redirect list. Redirect lists are defined by rules, or routing policies.
Configuration Task List for Policy-based Routing To enable the PBR: • • • • Create a Redirect List Create a Rule for a Redirect-list Create a Track-id list. For complete tracking information, refer to Object Tracking chapter. Apply a Redirect-list to an Interface using a Redirect-group Create a Redirect List Use the following command in CONFIGURATION mode: Command Syntax Command Mode Purpose ip redirect-list redirect-list-name CONFIGURATION Create a redirect list by entering the list name.
• • Source address with mask information Destination address with mask information Creating a Rule Example: Dell(conf-redirect-list)#redirect ? A.B.C.D Forwarding router's address Dell(conf-redirect-list)#redirect 3.3.3.3 ? <0-255> An IP protocol number icmp Internet Control Message Protocol ip Any Internet Protocol tcp Transmission Control Protocol udp User Datagram Protocol Dell(conf-redirect-list)#redirect 3.3.3.3 ip ? A.B.C.
Dell Networking OS assigns the first available sequence number to a rule configured without a sequence number and inserts the rule into the PBR CAM region next to the existing entries. Since the order of rules is important, ensure that you configure any necessary sequence numbers. The permit statement is never applied because the redirect list covers all source and destination IP addresses. Ineffective PBR Exception due to Low Sequence Number ip redirect-list rcl0 seq 5 redirect 2.2.2.
shutdown Dell(conf-if-te-1/2)# In addition to supporting multiple redirect-lists in a redirect-group, multiple redirect-groups are supported on a single interface. Dell Networking OS has the capability to support multiple groups on an interface for backup purposes.
Cam Port VlanID Proto Tcp Src Dst SrcIp DstIp Next-hop Egress Index Flag Port Port MAC Port ---------------------------------------------------------------------------------------------------------------06080 0 N/A IP 0x0 0 0 200.200.200.200 200.200.200.200 199.199.199.199 199.199.199.199 N/A NA 06081 0 N/A TCP 0x10 0 40 234.234.234.234 255.234.234.234 222.222.222.222/24 00:00:00:00:00:09 8/1 Sample Configuration The following configuration is an example for setting up a PBR.
EDGE_ROUTER(conf-redirect-list)# seq 15 permit ip any any EDGE_ROUTER(conf-redirect-list)#show config ! ip redirect-list GOLD description Route GOLD traffic to ISP_GOLD. seq 5 redirect 10.99.99.254 ip 192.168.1.0/24 any seq 10 redirect 10.99.99.254 ip 192.168.2.0/24 any seq 15 permit ip any any Assign Redirect-List GOLD to Interface 2/11 EDGE_ROUTER(conf)#int Te 2/11 EDGE_ROUTER(conf-if-Te-2/11)#ip add 192.168.3.
2 3 4 Interface ipv6 routing IP Host reachability IP Host reachability Tunnel 2 42.1.1.2/32 43.1.1.2/32 Up Up Up 00:03:31 00:00:59 00:00:59 Apply the Redirect Rule to an Interface: Dell# Dell(conf)#int TenGigabitEthernet 2/28 Dell(conf-if-te-2/28)#ip redirect-group redirect_list_with_track Dell(conf-if-te-2/28)#end Verify the Applied Redirect Rules: Dell#show ip redirect-list redirect_list_with_track IP redirect-list redirect_list_with_track Defined as: seq 5 redirect 42.1.1.2 track 3 tcp 155.55.2.
2 Dell# Interface ipv6 routing Tunnel 2 Up 00:00:00 Create a Redirect-list with Track Objects pertaining to Tunnel Interfaces: Dell#configure terminal Dell(conf)#ip redirect-list explicit_tunnel Dell(conf-redirect-list)#redirect tunnel 1 track Dell(conf-redirect-list)#redirect tunnel 1 track Dell(conf-redirect-list)#redirect tunnel 1 track Dell(conf-redirect-list)#redirect tunnel 2 track Dell(conf-redirect-list)#redirect tunnel 2 track Dell(conf-redirect-list)#end Dell# 1 1 1 2 2 tcp tcp udp tcp tcp
33 PIM Sparse-Mode (PIM-SM) Protocol-independent multicast sparse-mode (PIM-SM) is supported on Dell Networking OS. PIM-SM is a multicast protocol that forwards multicast traffic to a subnet only after a request using a PIM Join message; this behavior is the opposite of PIM-Dense mode, which forwards multicast traffic to all subnets until a request to stop.
which the message was received is added to the outgoing interface list associated with the (*,G) entry, and the message is not (and does not need to be) forwarded towards the RP. Refuse Multicast Traffic A host requesting to leave a multicast group sends an IGMP Leave message to the last-hop DR. If the host is the only remaining receiver for that group on the subnet, the last-hop DR is responsible for sending a PIM Prune message up the RPT to prune its branch to the RP. 1.
• Creating Multicast Boundaries and Domains Enable PIM-SM You must enable PIM-SM on each participating interface. 1. Enable multicast routing on the system. CONFIGURATION mode ip multicast-routing 2. Enable PIM-Sparse mode. INTERFACE mode ip pim sparse-mode To display which interfaces are enabled with PIM-SM, use the show ip pim interface command from EXEC Privilege mode. Dell#show ip pim interface Address Interface Ver/ Mode 165.87.34.5 Te 1/10 v2/S 10.1.1.2 Vl 10 v2/S 20.1.1.5 Vl 20 v2/S 165.87.31.
When you create, delete, or update an expiry time, the changes are applied when the keep alive timer refreshes. To configure a global expiry time or to configure the expiry time for a particular (S,G) entry, use the following commands. 1. Enable global expiry timer for S, G entries. CONFIGURATION mode ip pim sparse-mode sg-expiry-timer seconds The range is from 211 to 86,400 seconds. The default is 210. 2. Set the expiry time for a specific (S,G) entry (as shown in the following example).
• Use the override option to override bootstrap router updates with your static RP configuration. ip pim rp-address To display the assigned RP for a group, use the show ip pim rp command from EXEC privilege mode. Dell#show ip Group 225.0.1.40 226.1.1.1 pim rp RP 165.87.50.5 165.87.50.5 To display the assigned RP for a group range (group-to-RP mapping), use the show ip pim rp mapping command in EXEC privilege mode. Dell#show ip pim rp mapping PIM Group-to-RP Mappings Group(s): 224.0.0.
• • (option) stale-entry-time: the maximum amount of time that the Dell Networking system preserves entries from a restarting neighbor. The default value is 60 seconds. (option) helper-only: this mode takes precedence over any graceful restart configuration. NOTE: In helper-only mode, the system preserves the PIM states of a neighboring router while the neighbor gracefully restarts, but the Dell Networking system allows itself to be taken off the forwarding path if it restarts.
34 PIM Source-Specific Mode (PIM-SSM) PIM source-specific mode (PIM-SSM) is supported on Dell Networking OS. PIM-SSM is a multicast protocol that forwards multicast traffic from a single source to a subnet. In the other versions of protocol independent multicast (PIM), a receiver subscribes to a group only. The receiver receives traffic not just from the source in which it is interested but from all sources sending to that group.
Enabling PIM-SSM To enable PIM-SSM, follow these steps. 1. Create an ACL that uses permit rules to specify what range of addresses should use SSM. CONFIGURATION mode ip access-list standard name 2. Enter the ip pim ssm-range command and specify the ACL you created. CONFIGURATION mode ip pim ssm-range acl-name To display address ranges in the PIM-SSM range, use the show ip pim ssm-range command from EXEC Privilege mode. R1(conf)#do show run pim ! ip pim rp-address 10.11.12.2 group-address 224.0.0.
seq 5 permit host 239.0.0.2 R1(conf)#ip igmp ssm-map map 10.11.5.2 R1(conf)#do show ip igmp groups Total Number of Groups: 2 IGMP Connected Group Membership Group Address Interface Mode Uptime Expires 239.0.0.2 Vlan 300 IGMPv2-Compat 00:00:07 Never Member Ports: Te 1/1 239.0.0.1 Vlan 400 INCLUDE 00:00:10 Never 10.11.4.2 R1(conf)#show ip igmp ssm-map Last Reporter 10.11.3.2 Interface Vlan 101 Group 226.0.0.0 Uptime 10:40:31 Expires Never Router mode IGMPv2 Last reporter 110.0.101.
Router mode Last reporter Last reporter mode Last report Group source Source address 10.11.5.2 00:00:01 IGMPv2-Compat 10.11.3.2 IGMPv2 received Join list Uptime Expires Never Interface Vlan 400 Group 239.0.0.1 Uptime 00:00:05 Expires Never Router mode INCLUDE Last reporter 10.11.4.2 Last reporter mode INCLUDE Last report received ALLOW Group source list Source address Uptime Expires 10.11.5.
35 Port Monitoring Port monitoring is supported on Dell Networking OS. Mirroring is used for monitoring Ingress or Egress or both Ingress and Egress traffic on a specific port(s). This mirrored traffic can be sent to a port where a network sniffer can connect and monitor the traffic.
In the following examples, ports 1/13, 1/14, 1/15, and 1/16 all belong to the same port-pipe. They are pointing to four different destinations (1/1, 1/2, 1/3, and 1/37). Now it is not possible for another source port from the same port-pipe (for example, 1/17) to point to another new destination (for example, 1/4). If you attempt to configure another destination (to create 5 MG port), this message displays: % Error will be thrown in case of RPM and ERPM features.
Figure 88. Port Monitoring Configurations on the S-Series Dell Networking OS Behavior: All monitored frames are tagged if the configured monitoring direction is egress (TX), regardless of whether the monitored port (MD) is a Layer 2 or Layer 3 port. If the MD port is a Layer 2 port, the frames are tagged with the VLAN ID of the VLAN to which the MD belongs. If the MD port is a Layer 3 port, the frames are tagged with VLAN ID 4095.
Dell(conf)#monitor session 1 Dell(conf-mon-sess-1)#source vl 40 dest ten 1/3 dir rx Dell(conf-mon-sess-1)#flow-based enable Dell(conf-mon-sess-1)#exit Dell(conf)#do show monitor session SessID Source Destination Dir Mode Source IP ------ ------------------ ---- --------0 Te 1/1 Te 1/2 rx Port N/A 0 Po 10 Te 1/2 rx Port N/A 1 Vl 40 Te 1/3 rx Flow N/A Dest IP -------N/A N/A N/A Note: Source as VLAN is achieved via Flow based mirroring. Please refer section Enabling Flow-Based Monitoring.
INTERFACE mode ip access-group access-list To view an access-list that you applied to an interface, use the show ip accounting access-list command from EXEC Privilege mode. Dell(conf)#monitor session 0 Dell(conf-mon-sess-0)#flow-based enable Dell(conf)#ip access-list ext testflow Dell(config-ext-nacl)#seq 5 permit icmp any any count bytes monitor Dell(config-ext-nacl)#seq 10 permit ip 102.1.1.
Configuring Remote Port Mirroring Remote port mirroring requires a source session (monitored ports on different source switches), a reserved tagged VLAN for transporting mirrored traffic (configured on source, intermediate, and destination switches), and a destination session (destination ports connected to analyzers on destination switches).
• • There is no restriction on the VLAN IDs used for the reserved remote-mirroring VLAN. Valid VLAN IDs are from 2 to 4094. The default VLAN ID is not supported. In mirrored traffic, packets that have the same destination MAC address as an intermediate or destination switch in the path used by the reserved VLAN to transport the mirrored traffic are dropped by the switch that receives the traffic if the switch has a L3 VLAN configured.
2 2 Fo 1/4 Po 10 remote-vlan 300 remote-vlan 300 rx rx Port Port N/A N/A N/A N/A To display the current configuration of the reserved VLAN, enter the show vlan command.
Dell(conf-if-vl-20)#exit Dell(conf)#monitor session 2 type rpm Dell(conf-mon-sess-2)#source vlan 100 destination remote-vlan 20 dir rx Dell(conf-mon-sess-2)#no disable Dell(conf-mon-sess-2)#flow-based enable Dell(conf-mon-sess-2)#exit Dell(conf)#mac access-list standard mac_acl Dell(config-std-macl)#permit 00:00:00:00:11:22 count monitor Dell(config-std-macl)#exit Dell(conf)#interface vlan 100 Dell(conf-if-vl-100)#mac access-group mac_acl1 in Dell(conf-if-vl-100)#exit Dell(conf)#inte te 1/30 Dell(conf-if-te
Dell(conf)#interface vlan 30 Dell(conf-if-vl-30)#mode remote-port-mirroring Dell(conf-if-vl-30)#tagged te 1/3 Dell(conf-if-vl-30)#exit Dell(conf)#monitor session 1 type rpm Dell(conf-mon-sess-1)#source remote-vlan 10 dest te 1/4 Dell(conf-mon-sess-1)#exit Dell(conf)#monitor session 2 type rpm Dell(conf-mon-sess-2)#source remote-vlan 20 destination te 1/5 Dell(conf-mon-sess-2)#tagged destination te 0/4 Dell(conf-mon-sess-2)#exit Dell(conf)#monitor session 3 type rpm Dell(conf-mon-sess-3)#source remote-vlan 3
Configuring the Encapsulated Remote Port Mirroring The ERPM session copies traffic from the source ports/lags or source VLANs and forwards the traffic using routable GRE-encapsulated packets to the destination ip address specified in the session. NOTE: The steps to be followed for the ERPM Encapsulation : • Dell Networking OS supports ERPM Source session only. The Encapsulated packets terminate at the destination ip or at the analyzer.
7 no enable (Optional) No disable command is mandatory in order for a erpm session to be active. The following example shows a sample configuration . Dell(conf)#monitor session 0 type erpm Dell(conf-mon-sess-0)#source tengigabitethernet 1/9 direction rx Dell(conf-mon-sess-0)#source port-channel 1 direction tx Dell(conf-mon-sess-0)#erpm source-ip 1.1.1.1 dest-ip 7.1.1.
ERPM Behavior on a typical Dell Networking OS The Dell Networking OS is designed to support only the Encapsulation of the data received / transmitted at the specified source port (Port A). An ERPM destination session / decapsulation of the ERPM packets at the destination Switch are not supported. As seen in the above figure, the packets received/transmitted on Port A will be encapsulated with an IP/GRE header plus a new L2 header and sent to the destination ip address (Port D’s ip address) on the sniffer.
• • • • Download/ Write a small script (for example: erpm.py) such that it will strip the given ERPM packet starting from the bit where GRE header ends. Basically all the bits after 0x88BE need to be removed from the packet and sent out through another interface. This script erpm.zip is available for download at the following location: http://en.community.dell.com/techcenter/ networking/m/force10_networking_scripts/20438882.aspx Unzip the erpm.zip and copy the erpm.py file to the Linux server.
36 Private VLANs (PVLAN) The private VLAN (PVLAN) feature is supported on Dell Networking OS. For syntax details about the commands described in this chapter, refer to the Private VLANs commands chapter in the Dell Networking OS Command Line Reference Guide. Private VLANs extend the Dell Networking OS security suite by providing Layer 2 isolation between ports within the same virtual local area network (VLAN).
PVLAN port types include: • • Community port — a port that belongs to a community VLAN and is allowed to communicate with other ports in the same community VLAN and with promiscuous ports. Host port — in the context of a private VLAN, is a port in a secondary VLAN: • • • The port must first be assigned that role in INTERFACE mode. • A port assigned the host role cannot be added to a regular VLAN.
Configuration Task List The following sections contain the procedures that configure a private VLAN. • • • • Creating PVLAN Ports Creating a Primary VLAN Creating a Community VLAN Creating an Isolated VLAN Creating PVLAN ports PVLAN ports are ports that will be assigned to the PVLAN. 1. Access INTERFACE mode for the port that you want to assign to a PVLAN. CONFIGURATION mode interface interface 2. Enable the port. INTERFACE mode no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4.
interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to primary. INTERFACE VLAN mode private-vlan mode primary 4. Map secondary VLANs to the selected primary VLAN. INTERFACE VLAN mode private-vlan mapping secondary-vlan vlan-list The list of secondary VLANs can be: • • • Specified in comma-delimited (VLAN-ID,VLAN-ID) or hyphenated-range format (VLAN-ID-VLAN-ID). Specified with this command even before they have been created.
Creating an Isolated VLAN An isolated VLAN is a secondary VLAN of a primary VLAN. An isolated VLAN port can only talk with the promiscuous ports in that primary VLAN. 1. Access INTERFACE VLAN mode for the VLAN that you want to make an isolated VLAN. CONFIGURATION mode interface vlan vlan-id 2. Enable the VLAN. INTERFACE VLAN mode no shutdown 3. Set the PVLAN mode of the selected VLAN to isolated. INTERFACE VLAN mode private-vlan mode isolated 4. Add one or more host ports to the VLAN.
Private VLAN Configuration Example The following example shows a private VLAN topology. Figure 90. Sample Private VLAN Topology The following configuration is based on the example diagram for the Z9500: • • • • • Te 1/1 and Te 1/23 are configured as promiscuous ports, assigned to the primary VLAN, VLAN 4000. Te 1/25 is configured as a PVLAN trunk port, also assigned to the primary VLAN 4000. Te 1/24 and Te 1/47 are configured as host ports and assigned to the isolated VLAN, VLAN 4003.
• • The S4810 ports would have the same intra-switch communication characteristics as described for the Z9500. For transmission between switches, tagged packets originating from host PVLAN ports in one secondary VLAN and destined for host PVLAN ports in the other switch travel through the promiscuous ports in the local VLAN 4000 and then through the trunk ports (1/25 in each switch). Inspecting the Private VLAN Configuration The standard methods of inspecting configurations also apply in PVLANs.
* 1 100 P 200 I 201 Inactive Inactive Inactive Inactive primary VLAN in PVLAN T Te 1/19-20 isolated VLAN in VLAN 200 T Te 1/21 The following example shows viewing a private VLAN configuration.
37 Per-VLAN Spanning Tree Plus (PVST+) Protocol Overview PVST+ is a variation of spanning tree — developed by a third party — that allows you to configure a separate spanning tree instance for each virtual local area network (VLAN). For more information about spanning tree, refer to the Spanning Tree Protocol (STP) chapter. Figure 91. Per-VLAN Spanning Tree The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 37.
Implementation Information • • The Dell Networking OS implementation of PVST+ is based on IEEE Standard 802.1w. The Dell Networking OS implementation of PVST+ uses IEEE 802.1s costs as the default costs (as shown in the following table). Other implementations use IEEE 802.1w costs as the default costs. If you are using Dell Networking systems in a multivendor network, verify that the costs are values you intended. Configure Per-VLAN Spanning Tree Plus Configuring PVST+ is a four-step process. 1. 2. 3. 4.
no disable vlan 100 bridge-priority 4096 Influencing PVST+ Root Selection As shown in the previous per-VLAN spanning tree illustration, all VLANs use the same forwarding topology because R2 is elected the root, and all TenGigabitEthernet ports have the same cost. The following per-VLAN spanning tree illustration changes the bridge priority of each bridge so that a different forwarding topology is generated for each VLAN. This behavior demonstrates how you can use PVST+ to achieve load balancing.
Bridge Identifier has priority 4096, Address 0001.e80d.b6d6 Configured hello time 2, max age 20, forward delay 15 We are the root of VLAN 100 Current root has priority 4096, Address 0001.e80d.b6d6 Number of topology changes 5, last change occurred 00:34:37 ago on Te 1/32 Port 375 (TenGigabitEthernet 1/22) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.375 Designated root has priority 4096, address 0001.e80d.b6:d6 Designated bridge has priority 4096, address 0001.e80d.
The following tables lists the default values for port cost by interface. Table 38. Default Values for Port Cost Port Cost Default Value 100-Mb/s Ethernet interfaces 200000 1-Gigabit Ethernet interfaces 20000 10-Gigabit Ethernet interfaces 2000 Port Channel with 100 Mb/s Ethernet interfaces 180000 Port Channel with 1-Gigabit Ethernet interfaces 18000 Port Channel with 10-Gigabit Ethernet interfaces 1800 NOTE: The Dell Networking OS implementation of PVST+ uses IEEE 802.
• • The reset linecard command does not clear the Error Disabled state of the port or the hardware Disabled state. The interface continues to be disables in the hardware. You can clear the Error Disabled state with any of the following methods: • • • • Perform a shutdown command on the interface. Disable the shutdown-on-violation command on the interface (the no spanning-tree stp-id portfast [bpduguard | [shutdown-on-violation]] command).
Executing IEEE compatible Spanning Tree Protocol Root ID Priority 32773, Address 0001.e832.73f7 Root Bridge hello time 2, max age 20, forward delay 15 Bridge ID Priority 32773 (priority 32768 sys-id-ext 5), Address 0001.e832.73f7 We are the root of Vlan 5 Configured hello time 2, max age 20, forward delay 15 PVST+ Sample Configurations The following examples provide the running configurations for the topology shown in the previous illustration.
no shutdown ! protocol spanning-tree pvst no disable vlan 200 bridge-priority 4096 Example of PVST+ Configuration (R3) interface TenGigabitEthernet 3/12 no ip address switchport no shutdown ! interface TenGigabitEthernet 3/22 no ip address switchport no shutdown ! interface Vlan 100 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! interface Vlan 200 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! interface Vlan 300 no ip address tagged TenGigabitEthernet 3/12,22 no shutdown ! prot
38 Quality of Service (QoS) Quality of service (QoS) is supported on Dell Networking OS. Differentiated service is accomplished by classifying and queuing traffic, and assigning priorities to those queues. Table 39.
Feature Direction Specify an Aggregate QoS Policy Egress Create Output Policy Maps Egress Enabling QoS Rate Adjustment Enabling Strict-Priority Queueing Weighted Random Early Detection Egress Create WRED Profiles Egress Figure 94.
Implementation Information The Dell Networking QoS implementation complies with IEEE 802.1p User Priority Bits for QoS Indication. It also implements these Internet Engineering Task Force (IETF) documents: • • • • RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 Headers RFC 2475, An Architecture for Differentiated Services RFC 2597, Assured Forwarding PHB Group RFC 2598, An Expedited Forwarding PHB You cannot configure port-based and policy-based QoS on the same interface.
You can configure service-class dynamic dot1p from CONFIGURATION mode, which applies the configuration to all interfaces. A CONFIGURATION mode service-class dynamic dot1p entry supersedes any INTERFACE entries. For more information, refer to Mapping dot1p Values to Service Queues. NOTE: You cannot configure service-policy input and service-class dynamic dot1p on the same interface. • Honor dot1p priorities on ingress traffic.
Policy-Based QoS Configurations Policy-based QoS configurations consist of the components shown in the following example. Figure 95. Constructing Policy-Based QoS Configurations Classify Traffic Class maps differentiate traffic so that you can apply separate quality of service policies to different types of traffic. For both class maps, Layer 2 and Layer 3, Dell Networking OS matches packets against match criteria in the order that you configure them.
CONFIGURATION mode class-map match-all 3. Specify your match criteria. CLASS MAP mode match {ip | ipv6 | ip-any} After you create a class-map, Dell Networking OS places you in CLASS MAP mode. Match-any class maps allow up to five ACLs. Match-all class-maps allow only one ACL. 4. Link the class-map to a queue. POLICY MAP mode service-queue Dell(conf)#ip access-list standard acl1 Dell(config-std-nacl)#permit 20.0.0.
4. Link the class-map to a queue. POLICY MAP mode service-queue Determining the Order in Which ACLs are Used to Classify Traffic When you link class-maps to queues using the service-queue command, Dell Networking OS matches the class-maps according to queue priority (queue numbers closer to 0 have lower priorities). For example, as described in the previous example, class-map cmap2 is matched against ingress packets before cmap1. ACLs acl1 and acl2 have overlapping rules because the address range 20.1.1.
Dell# show cam layer3-qos interface tengigabitethernet 2/4 Cam Port Dscp Proto Tcp Src Dst SrcIp DstIp DSCP Queue Index Flag Port Port Marking ----------------------------------------------------------------------20416 1 18 IP 0x0 0 0 23.64.0.5/32 0.0.0.0/0 20 2 20417 1 18 IP 0x0 0 0 0.0.0.0/0 0.0.0.0/0 0 20418 1 0 IP 0x0 0 0 23.64.0.2/32 0.0.0.0/0 10 1 20419 1 0 IP 0x0 0 0 0.0.0.0/0 0.0.0.0/0 0 20420 1 0 IP 0x0 0 0 23.64.0.3/32 0.0.0.0/0 12 1 20421 1 0 IP 0x0 0 0 0.0.0.0/0 0.0.0.
Configuring Policy-Based Rate Policing To configure policy-based rate policing, use the following command. • Configure rate police ingress traffic. QOS-POLICY-IN mode rate-police Setting a dot1p Value for Egress Packets To set a dot1p value for egress packets, use the following command. • Set a dscp or dot1p value for egress packets. QOS-POLICY-IN mode set mac-dot1p Creating an Output QoS Policy To create an output QoS policy, use the following commands. 1. Create an output QoS policy.
Create Policy Maps There are two types of policy maps: input and output. Creating Input Policy Maps There are two types of input policy-maps: Layer 3 and Layer 2. 1. Create a Layer 3 input policy map. CONFIGURATION mode policy-map-input Create a Layer 2 input policy map by specifying the keyword layer2 with the policy-map-input command. 2.
trust diffserv Honoring dot1p Values on Ingress Packets Dell Networking OS honors dot1p values on ingress packets with the Trust dot1p feature. The following table specifies the queue to which the classified traffic is sent based on the dot1p value. Table 43. Default dot1p to Queue Mapping dot1p Queue ID 0 2 1 0 2 1 3 3 4 4 5 5 6 6 7 7 The dot1p value is also honored for frames on the default VLAN. For more information, refer to Priority-Tagged Frames on the Default VLAN.
INTERFACE mode service-policy input Specify the keyword layer2 if the policy map you are applying a Layer 2 policy map. DSCP Color Maps This section describes how to configure color maps and how to display the color map and color map configuration.
Displaying DSCP Color Maps To display DSCP color maps, use the show qos dscp-color-map command in EXEC mode. Examples for Creating a DSCP Color Map Display all DSCP color maps. Dell# show qos dscp-color-map Dscp-color-map mapONE yellow 4,7 red 20,30 Dscp-color-map mapTWO yellow 16,55 Display a specific DSCP color map.
Applying an Output QoS Policy to a Queue To apply an output QoS policy to a queue, use the following command. • Apply an output QoS policy to queues. INTERFACE mode service-queue Specifying an Aggregate QoS Policy To specify an aggregate QoS policy, use the following command. • Specify an aggregate QoS policy. POLICY-MAP-OUT mode policy-aggregate Applying an Output Policy Map to an Interface To apply an output policy map to an interface, use the following command.
The range is from 1 to 3. Weighted Random Early Detection The WRED congestion avoidance mechanism drops packets to prevent buffering resources from being consumed. Traffic is a mixture of various kinds of packets. The rate at which some types of packets arrive might be greater than others. In this case, the space on the buffer and traffic manager (BTM) (ingress or egress) can be consumed by only one or a few types of traffic, leaving no space for other types.
• • DP values of 110 and 100, 101 map to yellow; all other values map to green. If you do not configure Dell Networking OS to honor DSCP values on ingress (refer to Honoring DSCP Values on Ingress Packets), all traffic defaults to green drop precedence. • Assign a WRED profile to either yellow or green traffic. QOS-POLICY-OUT mode wred Displaying Default and Configured WRED Profiles To display the default and configured WRED profiles, use the following command.
NOTE: The show cam-usage command provides much of the same information as the test cam-usage command, but whether a policy-map can be successfully applied to an interface cannot be determined without first measuring how many CAM entries the policy-map would consume; the test cam-usage command is useful because it provides this measurement. • Verify that there are enough available CAM entries.
• • • If WRED/ECN is enabled on the global service-pool with threshold values and if it is not enabled on the queues, WRED/ECN are not effective based on global service-pool WRED thresholds. The queue on which the traffic is scheduled must contain WRED/ECN settings, which are enabled for WRED, to be valid for that traffic.
Dell(conf-wred) #threshold min 100 max 200 max-drop-rate 40 3. Configure another WRED profile, and specify the threshold and maximum drop rate. WRED mode Dell(conf-wred) #wred—profile thresh-2 Dell(conf-wred) #threshold min 300 max 400 max-drop-rate 80 4. Associate the service class with the WRED profile, and assign the WRED profile to specific queues on backplane ports.
Sample configuration to mark non-ecn packets as “yellow” with Multiple traffic class Consider the example where there are no different traffic classes that is all the packets are egressing on the default ‘queue0’. Dell Networking OS can be configured as below to mark the non-ecn packets as yellow packets.
Dell Networking OS supports the capability to contain DSCP and ECN classifiers simultaneously for the same ACL entry. You can use the ecn keyword with the ip access-list standard, ip access-list extended, seq, and permit commands for standard and extended IPv4 ACLs to match incoming packets with the specified ECN values.
! ip access-list standard dscp_40_non_ecn seq 5 permit any dscp 40 ecn 0 ! class-map match-any class_dscp_40 match ip access-group dscp_40_non_ecn set-color yellow match ip access-group dscp_40 ! class-map match-any class_dscp_50 match ip access-group dscp_50_non_ecn set-color yellow match ip access-group dscp_50 ! policy-map-input pmap_dscp_40_50 service-queue 2 class-map class_dscp_40 service-queue 3 class-map class_dscp_50 Approach with explicit ECN match qualifiers for ECN packets: ! ip access-list stan
2. Configure a Layer 2 QoS policy with Layer 2 (Dot1p or source MAC-based) match criteria. CONFIGURATION mode Dell(conf)# policy-map-input l2p layer2 3. Apply the Layer 2 policy on a Layer 3 interface.
39 Routing Information Protocol (RIP) Routing information protocol (RIP) is supported on Dell Networking OS. RIP is based on a distance-vector algorithm; it tracks distances or hop counts to nearby routers when establishing network connections. RIP protocol standards are listed in the Standards Compliance chapter. Topics: • • • Protocol Overview Implementation Information Configuration Information Protocol Overview RIP is the oldest interior gateway protocol.
Feature Default RIP timers • • • • Auto summarization Enabled ECMP paths supported 16 update timer = 30 seconds invalid timer = 180 seconds holddown timer = 180 seconds flush timer = 240 seconds Configuration Information By default, RIP is disabled in Dell Networking OS. To configure RIP, you must use commands in two modes: ROUTER RIP and INTERFACE.
When the RIP process has learned the RIP routes, use the show ip rip database command in EXEC mode to view those routes. Dell#show ip rip database Total number of routes in RIP database: 978 160.160.0.0/16 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4 160.160.0.0/16 auto-summary 2.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4 2.0.0.0/8 auto-summary 4.0.0.0/8 [120/1] via 29.10.10.12, 00:01:22, Fa 1/4 4.0.0.0/8 auto-summary 8.0.0.0/8 [120/1] via 29.10.10.12, 00:00:26, Fa 1/4 8.0.0.0/8 auto-summary 12.0.0.
To disable RIP globally, use the no router rip command in CONFIGURATION mode. Configure RIP on Interfaces When you enable RIP globally on the system, interfaces meeting certain conditions start receiving RIP routes. By default, interfaces that you enable and configure with an IP address in the same subnet as the RIP network address receive RIPv1 and RIPv2 routes and send RIPv1 routes.
ROUTER RIP mode redistribute ospf process-id [match external {1 | 2} | match internal] [metric value] [routemap map-name] Configure the following parameters: • • • process-id: the range is from 1 to 65535. metric: the range is from 0 to 16. map-name: the name of a configured route map. To view the current RIP configuration, use the show running-config command in EXEC mode or the show config command in ROUTER RIP mode.
To configure an interface to receive or send both versions of RIP, include 1 and 2 in the command syntax. The command syntax for sending both RIPv1 and RIPv2 and receiving only RIPv2 is shown in the following example. Dell(conf-if)#ip rip send version 1 2 Dell(conf-if)#ip rip receive version 2 The following example of the show ip protocols command confirms that both versions are sent out that interface.
Controlling Route Metrics As a distance-vector protocol, RIP uses hop counts to determine the best route, but sometimes the shortest hop count is a route over the lowest-speed link. To manipulate RIP routes so that the routing protocol prefers a different route, manipulate the route by using the offset command. Exercise caution when applying an offset command to routers on a broadcast network, as the router using the offset command is modifying RIP advertisements before sending out those advertisements.
• RIP Configuration Summary Figure 97. RIP Topology Example RIP Configuration on Core2 The following example shows how to configure RIPv2 on a host named Core2. Core2(conf-if-te-2/3)# Core2(conf-if-te-2/3)#router rip Core2(conf-router_rip)#ver 2 Core2(conf-router_rip)#network 10.200.10.0 Core2(conf-router_rip)#network 10.300.10.0 Core2(conf-router_rip)#network 10.11.10.0 Core2(conf-router_rip)#network 10.11.20.0 Core2(conf-router_rip)#show config ! router rip network 10.0.0.
B - BGP, IN - internal BGP, EX - external BGP,LO - Locally Originated, O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2, E1 - OSPF external type 1, E2 - OSPF external type 2, i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, IA - IS-IS inter area, * - candidate default, > - non-active route, + - summary route Gateway of last resort is not set Destination Gateway Dist/Metric Last Change ----------- ------- ----------- ----------C 10.11.10.
version 2 Core3(conf-router_rip)# Core 3 RIP Output The examples in this section show the core 2 RIP output. • • • To display Core 3 RIP database, use the show ip rip database command. To display Core 3 RIP setup, use the show ip route command. To display Core 3 RIP activity, use the show ip protocols command. The following example shows the show ip rip database command to view the learned RIP routes on Core 3. Core3#show ip rip database Total number of routes in RIP database: 7 10.11.10.
TenGigabitEthernet 3/24 2 2 TenGigabitEthernet 3/23 2 2 Routing for Networks: 10.11.20.0 10.11.30.0 192.168.2.0 192.168.1.0 Routing Information Sources: Gateway Distance Last Update 10.11.20.2 120 00:00:22 Distance: (default is 120) Core3# RIP Configuration Summary The following example shows viewing the RIP configuration on Core 2. ! interface TenGigabitEthernet ip address 10.11.10.1/24 no shutdown ! interface TenGigabitEthernet ip address 10.11.20.
network 192.168.1.0 network 192.168.2.
40 Remote Monitoring (RMON) Remote monitoring (RMON) is supported on Dell Networking OS. RMON is an industry-standard implementation that monitors network traffic by sharing network monitoring information. RMON provides both 32-bit and 64-bit monitoring facility and long-term statistics collection on Dell Networking Ethernet interfaces. RMON operates with the simple network management protocol (SNMP) and monitors all nodes on a local area network (LAN) segment.
• Set an alarm on any MIB object.
In the following example, the configuration creates RMON event number 1, with the description “High ifOutErrors”, and generates a log entry when an alarm triggers the event. The user nms1 owns the row that is created in the event table by this command. This configuration also generates an SNMP trap when the event is triggered using the SNMP community string “eventtrap”.
41 Rapid Spanning Tree Protocol (RSTP) Protocol Overview RSTP is a Layer 2 protocol — specified by IEEE 802.1w — that is essentially the same as spanning-tree protocol (STP) but provides faster convergence and interoperability with switches configured with STP and multiple spanning tree protocol (MSTP). The Dell Networking OS supports three other variations of spanning tree, as shown in the following table. Table 46.
RSTP and VLT Virtual link trunking (VLT) provides loop-free redundant topologies and does not require RSTP. RSTP can cause temporary port state blocking and may cause topology changes after link or node failures. Spanning tree topology changes are distributed to the entire Layer 2 network, which can cause a network-wide flush of learned media access control (MAC) and address resolution protocol (ARP) addresses, requiring these addresses to be re-learned.
To verify that RSTP is enabled, use the show config command from PROTOCOL SPANNING TREE RSTP mode. The bold line indicates that RSTP is enabled. Dell(conf-rstp)#show config ! protocol spanning-tree rstp no disable Dell(conf-rstp)# Figure 98. Rapid Spanning Tree Enabled Globally To view the interfaces participating in RSTP, use the show spanning-tree rstp command from EXEC privilege mode. If a physical interface is part of a port channel, only the port channel is listed in the command output.
The port is not in the Edge port mode Port 379 (TenGigabitEthernet 2/3) is designated Forwarding Port path cost 20000, Port priority 128, Port Identifier 128.379 Designated root has priority 32768, address 0001.e801.cbb4 Designated bridge has priority 32768, address 0001.e801.cbb4 Designated port id is 128.
NOTE: Dell Networking recommends that only experienced network administrators change the Rapid Spanning Tree group parameters. Poorly planned modification of the RSTP parameters can negatively affect network performance. The following table displays the default values for RSTP. Table 47.
Modifying Interface Parameters On interfaces in Layer 2 mode, you can set the port cost and port priority values. • • Port cost — a value that is based on the interface type. The previous table lists the default values. The greater the port cost, the less likely the port is selected to be a forwarding port. Port priority — influences the likelihood that a port is selected to be a forwarding port in case that several ports have the same port cost.
Configuring an EdgePort The EdgePort feature enables interfaces to begin forwarding traffic approximately 30 seconds sooner. In this mode an interface forwards frames by default until it receives a BPDU that indicates that it should behave otherwise; it does not go through the Learning and Listening states. The bpduguard shutdown-on-violation option causes the interface hardware to be shut down when it receives a BPDU.
Dell(conf-rstp)#do show spanning-tree rstp brief Executing IEEE compatible Spanning Tree Protocol Root ID Priority 0, Address 0001.e811.2233 Root Bridge hello time 50 ms, max age 20, forward delay 15 Bridge ID Priority 0, Address 0001.e811.2233 We are the root Configured hello time 50 ms, max age 20, forward delay 15 NOTE: The hello time is encoded in BPDUs in increments of 1/256ths of a second. The standard minimum hello time in seconds is 1 second, which is encoded as 256. Millisecond.
42 Software-Defined Networking (SDN) 572 Software-Defined Networking (SDN)
43 Security Security features are supported on Dell Networking OS. This chapter describes several ways to provide security to the Dell Networking system. For details about all the commands described in this chapter, refer to the Security chapter in the Dell Networking OS Command Reference Guide.
• • • • • • • • • system: sends accounting information of any other AAA configuration. exec: sends accounting information when a user has logged in to EXEC mode. command level: sends accounting of commands executed at the specified privilege level. suppress: Do not generate accounting records for a specific type of user. default | name: enter the name of a list of accounting methods.
• Step through all active sessions and print all the accounting records for the actively accounted functions.
• • • • • line: use the password you defined using the password command in LINE mode. local: use the username/password database defined in the local configuration. none: no authentication. radius: use the RADIUS servers configured with the radius-server host command. tacacs+: use the TACACS+ servers configured with the tacacs-server host command. 2. Enter LINE mode. CONFIGURATION mode line {aux 0 | console 0 | vty number [... end-number]} 3.
The following example shows enabling local authentication for console and remote authentication for the VTY lines. Dell(config)# aaa authentication enable mymethodlist radius tacacs Dell(config)# line vty 0 9 Dell(config-line-vty)# enable authentication mymethodlist Server-Side Configuration • • TACACS+ — When using TACACS+, Dell Networking sends an initial packet with service type SVC_ENABLE, and then sends a second packet with just the password.
• • Privilege level 0 — contains only the end, enable, and disable commands. Privilege level 15 — the default level for the enable command, is the highest level. In this level you can access any command in Dell Networking OS. Privilege levels 2 through 14 are not configured and you can customize them for different users and access.
enable password [level level] [encryption-mode] password Configure the optional and required parameters: • • • level level: Specify a level from 0 to 15. Level 15 includes all levels. encryption-type: Enter 0 for plain text or 7 for encrypted text. password: Enter a string. To change only the password for the enable command, configure only the password parameter. To view the configuration for the enable secret command, use the show running-config command in EXEC Privilege mode.
The following example shows a configuration to allow a user john to view only EXEC mode commands and all snmp-server commands. Because the snmp-server commands are enable level commands and, by default, found in CONFIGURATION mode, also assign the launch command for CONFIGURATION mode, configure, to the same privilege level as the snmp-server commands. Line 1: The user john is assigned privilege level 8 and assigned a password. Line 2: All other users are assigned a password to access privilege level 8.
• • level level: The range is from 0 to 15. Levels 0, 1, and 15 are pre-configured. Levels 2 to 14 are available for custom configuration. Specify either a plain text or encrypted password. LINE mode password [encryption-type] password Configure the following optional and required parameters: • • encryption-type: Enter 0 for plain text or 7 for encrypted text. password: Enter a text string up to 32 characters long. To view the password configured for a terminal, use the show config command in LINE mode.
| | | | | | | | | | | | | | | | +-----------------------------+ Use the ^ and v keys to select which entry is highlighted. Press enter to boot the selected OS, 'e' to edit the commands before booting or 'c' for a command-line. RADIUS Remote authentication dial-in user service (RADIUS) is a distributed client/server protocol. This protocol transmits authentication, authorization, and configuration information between a central RADIUS server and a RADIUS client (the Dell Networking system).
auto-command Privilege Levels Through the RADIUS server, you can configure a privilege level for the user to enter into when they connect to a session. This value is configured on the client system. • Set a privilege level. privilege level Configuration Task List for RADIUS To authenticate users using RADIUS, you must specify at least one RADIUS server so that the system can communicate with and configure RADIUS as one of your authentication methods.
• To use the method list. CONFIGURATION mode authorization exec methodlist Specifying a RADIUS Server Host When configuring a RADIUS server host, you can set different communication parameters, such as the UDP port, the key password, the number of retries, and the timeout. To specify a RADIUS server host and configure its communication parameters, use the following command. • Enter the host name or IP address of the RADIUS server host.
radius-server timeout seconds • seconds: the range is from 0 to 1000. Default is 5 seconds. To view the configuration of RADIUS communication parameters, use the show running-config command in EXEC Privilege mode. Monitoring RADIUS To view information on RADIUS transactions, use the following command. • View RADIUS transactions to troubleshoot problems.
First bold line: Server key purposely changed to incorrect value. Second bold line: User authenticated using the secondary method.
• • • port port-number: the range is from 0 to 65535. Enter a TCP port number. The default is 49. timeout seconds: the range is from 0 to 1000. Default is 10 seconds. key key: enter a string for the key. The key can be up to 42 characters long. This key must match a key configured on the TACACS+ server host. This parameter must be the last parameter you configure. If you do not configure these optional parameters, the default global values are applied.
ssh {hostname} [-l username | -p port-number | -v {1 | 2}| -c encryption cipher | -m HMAC algorithm • • hostname is the IP address or host name of the remote device. Enter an IPv4 or IPv6 address in dotted decimal format (A.B.C.D). SSH V2 is enabled by default on all the modes. Display SSH connection information. EXEC Privilege mode show ip ssh The following example uses the ip ssh server version 2 command to enable SSH version 2 and the show ip ssh command to confirm the setting.
Configuring When to Re-generate an SSH Key You can configure the time-based or volume-based rekey threshold for an SSH session. If both threshold types are configured, the session rekeys when either one of the thresholds is reached. To configure the time or volume rekey threshold at which to re-generate the SSH key during an SSH session, use the ip ssh rekey [time rekey-interval] [volume rekey-limit] command. CONFIGURATION mode.
The default HMAC algorithms are the following: • • • • • • hmac-md5 hmac-md5-96 hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-256-96 When FIPS is enabled, the default HMAC algorithm is hmac-sha1-96. Example of Configuring a HMAC Algorithm The following example shows you how to configure a HMAC algorithm list.
ctr,aes256-ctr. SSH server macs : hmac-md5,hmac-md5-96,hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmacsha2-256-96. SSH server kex algorithms : diffie-hellman-group-exchange-sha1,diffie-hellman-group1sha1,diffie-hellman-group14-sha1. Password Authentication : enabled. Hostbased Authentication : disabled. RSA Authentication : disabled. Vty Encryption HMAC Remote IP Using RSA Authentication of SSH The following procedure authenticates an SSH client based on an RSA key using RSA authentication.
The following example shows creating shosts. admin@Unix_client# cd /etc/ssh admin@Unix_client# ls moduli sshd_config ssh_host_dsa_key.pub ssh_host_key.pub ssh_host_rsa_key.pub ssh_config ssh_host_dsa_key ssh_host_key ssh_host_rsa_key admin@Unix_client# cat ssh_host_rsa_key.
Telnet To use Telnet with SSH, first enable SSH, as previously described. By default, the Telnet daemon is enabled. If you want to disable the Telnet daemon, use the following command, or disable Telnet in the startup config. To enable or disable the Telnet daemon, use the [no] ip telnet server enable command.
Dell(conf)#aaa authentication login localmethod local Dell(conf)# Dell(conf)#line vty 0 9 Dell(config-line-vty)#login authentication localmethod Dell(config-line-vty)#end VTY Line Remote Authentication and Authorization Dell Networking OS retrieves the access class from the VTY line. The Dell Networking OS takes the access class from the VTY line and applies it to ALL users. Dell Networking OS does not need to know the identity of the incoming user and can immediately apply the access class.
• • • • • • • • • • • • • • Creating a New User Role Modifying Command Permissions for Roles Adding and Deleting Users from a Role Role Accounting Configuring AAA Authentication for Roles Configuring AAA Authorization for Roles Configuring an Accounting for Roles Applying an Accounting Method to a Role Displaying Active Accounting Sessions for Roles Configuring TACACS+ and RADIUS VSA Attributes for RBAC Displaying User Roles Displaying Accounting for User Roles Displaying Information About Roles Logged int
If you do not configure login the authentication on the console, the system displays an error when you attempt to enable role-based only AAA authorization. 3. Specify an authentication method list (RADIUS, TACACS+, or Local). You must specify at least local authentication. For consistency, the best practice is to define the same authentication method list across all lines, in the same order of comparison; for example VTY and console port.
secadmin Exec Config Line sysadmin Exec Config Interface Line Router IP Route-map Protocol MAC User Roles This section describes how to create a new user role and configure command permissions and contains the following topics. • • • Creating a New User Role Modifying Command Permissions for Roles Adding and Deleting Users from a Role Creating a New User Role Instead of using the system defined user roles, you can create a new user role that best matches your organization.
Modifying Command Permissions for Roles You can modify (add or delete) command permissions for newly created user roles and system defined roles using the role mode { { { addrole | deleterole } role-name } | reset } command command in Configuration mode. NOTE: You cannot modify system administrator command permissions. If you add or delete command permissions using the role command, those changes only apply to the specific user role. They do not apply to other roles that have inheritance from that role.
netadmin secadmin sysadmin Exec Config Interface Router IP RouteMap Protocol MAC Exec Config Interface Line Exec Config Interface Line Router IP RouteMap Protocol MAC Example: Remove Security Administrator Access to Line Mode. The following example removes the secadmin access to LINE mode and then verifies that the security administrator can no longer access LINE mode, using the show role mode configure line command in EXEC Privilege mode.
AAA Authentication and Authorization for Roles This section describes how to configure AAA Authentication and Authorization for Roles.
aaa accounting commands role netadmin ucraaa start-stop tacacs+ ! The following configuration example applies a method list other than default to each VTY line. NOTE: Note that the methods were not applied to the console so the default methods (if configured) are applied there.
Force10-avpair= ”shell:priv-lvl=15“ Example for Creating a AVP Pair for System Defined or User-Defined Role The following section shows you how to create an AV pair to allow a user to login from a network access server to have access to commands based on the user’s role. The format to create an AV pair for a user role is Force10-avpair= ”shell:role=“ where user-role is a user defined or system-defined role. In the following example, you create an AV pair for a system-defined role, sysadmin.
service=shell Active accounted actions on tty3, User admin Priv 15 Role sysadmin Task ID 2, EXEC Accounting record, 00:00:26 Elapsed, service=shell Display Information About User Roles This section describes how to display information about user roles.
Displaying Information About Users Logged into the Switch To display information on all users logged into the switch, using the show users command in EXEC Privilege mode. The output displays privilege level and/or user role. The mode is displayed at the start of the output and both the privilege and roles for all users is also displayed. If the role is not defined, the system displays "unassigned" .
44 Service Provider Bridging VLAN Stacking VLAN stacking, also called Q-in-Q, is defined in IEEE 802.1ad — Provider Bridges, which is an amendment to IEEE 802.1Q — Virtual Bridged Local Area Networks. It enables service providers to use 802.1Q architecture to offer separate VLANs to customers with no coordination between customers, and minimal coordination between customers and the provider. Using only 802.
Figure 99. VLAN Stacking in a Service Provider Network Important Points to Remember • • • Interfaces that are members of the Default VLAN and are configured as VLAN-Stack access or trunk ports do not switch untagged traffic. To switch traffic, add these interfaces to a non-default VLAN-Stack-enabled VLAN. Dell Networking cautions against using the same MAC address on different customer VLANs, on the same VLAN-Stack VLAN.
• • Debugging VLAN Stacking VLAN Stacking in Multi-Vendor Networks Creating Access and Trunk Ports To create access and trunk ports, use the following commands. • • Access port — a port on the service provider edge that directly connects to the customer. An access port may belong to only one service provider VLAN. Trunk port — a port on a service provider bridge that connects to another service provider bridge and is a member of multiple service provider VLANs.
M Te 3/13 Dell# Configuring the Protocol Type Value for the Outer VLAN Tag The tag protocol identifier (TPID) field of the S-Tag is user-configurable. To set the S-Tag TPID, use the following command. • Select a value for the S-Tag TPID. CONFIGURATION mode vlan-stack protocol-type The default is 9100. To display the S-Tag TPID for a VLAN, use the show running-config command from EXEC privilege mode. Dell Networking OS displays the S-Tag TPID only if it is a non-default value.
101 103 Inactive Inactive T Te 1/1 M Te 1/1 Debugging VLAN Stacking To debug VLAN stacking, use the following command. • Debug the internal state and membership of a VLAN and its ports. debug member The port notations are as follows: • • • • • MT — stacked trunk MU — stacked access port T — 802.1Q trunk port U — 802.
Figure 100.
Figure 101.
Figure 102. Single and Double-Tag TPID Mismatch VLAN Stacking Packet Drop Precedence The drop eligible indicator (DEI) bit in the S-Tag indicates to a service provider bridge which packets it should prefer to drop when congested. Enabling Drop Eligibility Enable drop eligibility globally before you can honor or mark the DEI value. When you enable drop eligibility, DEI mapping or marking takes place according to the defaults. In this case, the CFI is affected according to the following table. Table 49.
Ingress Egress DEI Disabled DEI Enabled Access Port Trunk Port Retain inner tag CFI Retain inner tag CFI Set outer tag CFI to 0 Set outer tag CFI to 0 To enable drop eligibility globally, use the following command. • Make packets eligible for dropping based on their DEI value. CONFIGURATION mode dei enable By default, packets are colored green, and DEI is marked 0 on egress.
Te Te Te Te 1/1 1/1 2/9 2/10 Green Yellow Yellow Yellow 0 1 0 0 Dynamic Mode CoS for VLAN Stacking One of the ways to ensure quality of service for customer VLAN-tagged frames is to use the 802.1p priority bits in the tag to indicate the level of QoS desired. When an S-Tag is added to incoming customer frames, the 802.1p bits on the S-Tag may be configured statically for each customer or derived from the C-Tag using Dynamic Mode CoS. Dynamic Mode CoS maps the C-Tag 802.1p value to a S-Tag 802.1p value.
qos-policy-input 3 layer2 rate-police 40 Likewise, in the following configuration, packets with dot1p priority 0–3 are marked as dot1p 7 in the outer tag and queued to Queue 3. Rate policing is according to qos-policy-input 3. All other packets will have outer dot1p 0 and hence are queued to Queue 1. They are therefore policed according to qos-policy-input 1.
Figure 104. VLAN Stacking without L2PT You might need to transport control traffic transparently through the intermediate network to the other region. Layer 2 protocol tunneling enables BPDUs to traverse the intermediate network by identifying frames with the Bridge Group Address, rewriting the destination MAC to a user-configured non-reserved address, and forwarding the frames.
Figure 105. VLAN Stacking with L2PT Implementation Information • • • L2PT is available for STP, RSTP, MSTP, and PVST+ BPDUs. No protocol packets are tunneled when you enable VLAN stacking. L2PT requires the default CAM profile. Enabling Layer 2 Protocol Tunneling To enable Layer 2 protocol tunneling, use the following command. 1. Verify that the system is running the default CAM profile. Use this CAM profile for L2PT. EXEC Privilege mode show cam-profile 2.
protocol-tunnel stp Specifying a Destination MAC Address for BPDUs By default, Dell Networking OS uses a Dell Networking-unique MAC address for tunneling BPDUs. You can configure another value. To specify a destination MAC address for BPDUs, use the following command. • Overwrite the BPDU with a user-specified destination MAC address when BPDUs are tunneled across the provider network.
the GVRP Address, 01-80-C2-00-00-21, specified in 802.1Q. Only bridges in the service provider network use this destination MAC address so these bridges treat GARP PDUs originating from the customer network as normal data frames, rather than consuming them. Provider backbone bridging through IEEE 802.
45 sFlow Configuring sFlow is supported on Dell Networking OS. Topics: • • • • • • • • • • • Overview Implementation Information Enabling Extended sFlow Enabling and Disabling sFlow on an Interface Enabling sFlow Max-Header Size Extended sFlow Show Commands Configuring Specify Collectors Changing the Polling Intervals Back-Off Mechanism sFlow on LAG ports Enabling Extended sFlow Overview The Dell Networking Operating System (OS) supports sFlow version 5.
Important Points to Remember • • • • • • • • • The Dell Networking OS implementation of the sFlow MIB supports sFlow configuration via snmpset. By default, sFlow collection is supported only on data ports. If you want to enable sFlow collection through management ports, use the management egress-interface-selection and application sflow-collector commands in Configuration and EIS modes respectively. Dell Networking OS exports all sFlow packets to the collector.
0 UDP packets dropped 0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Enabling and Disabling sFlow on an Interface By default, sFlow is disabled on all interfaces. This CLI is supported on physical ports and link aggregation group (LAG) ports. To enable sFlow on a specific interface, use the following command. • Enable sFlow on an interface. INTERFACE mode [no] sflow ingress-enable To disable sFlow on an interface, use the no version of this command.
sflow collector 100.1.1.12 agent-addr 100.1.1.1 sflow enable sflow max-header-size extended Dell#show run int tengigabitEthernet 1/10 ! interface TenGigabitEthernet 1/10 no ip address switchport sflow ingress-enable sflow max-header-size extended no shutdown sFlow Show Commands Dell Networking OS includes the following sFlow display commands.
Extended max header size Samples rcvd from h/w :128 :0 The following example shows the show running-config interface command. Dell#show running-config interface tengigabitethernet 1/16 ! interface TenGigabitEthernet 1/16 no ip address mtu 9252 ip mtu 9234 switchport sflow ingress-enable sflow sample-rate 8192 no shutdown Displaying Show sFlow on a Stack-unit To view sFlow statistics on a specified stack-unit, use the following command.
Back-Off Mechanism If the sampling rate for an interface is set to a very low value, the CPU can get overloaded with flow samples under high-traffic conditions. In such a scenario, a binary back-off mechanism gets triggered, which doubles the sampling-rate (halves the number of samples per second) for all interfaces. The backoff mechanism continues to double the sampling-rate until the CPU condition is cleared. This is as per sFlow version 5 draft.
0 sFlow samples collected 0 sFlow samples dropped due to sub-sampling Important Points to Remember • • • • • To export extended-gateway data, BGP must learn the IP destination address. If the IP destination address is not learned via BGP the Dell Networking system does not export extended-gateway data. If the IP source address is learned via IGP, srcAS and srcPeerAS are zero. The srcAS and srcPeerAS might be zero even though the IP source address is learned via BGP.
46 Simple Network Management Protocol (SNMP) Simple network management protocol (SNMP) is supported on Dell Networking OS. NOTE: On Dell Networking routers, standard and private SNMP management information bases (MIBs) are supported, including all Get and a limited number of Set operations (such as set vlan and copy cmd).
SNMPv3 Compliance With FIPS This functionality is supported on the Z9000 platform. SNMPv3 is compliant with the Federal information processing standard (FIPS) cryptography standard. The Advanced Encryption Standard (AES) Cipher Feedback (CFB) 128-bit encryption algorithm is in compliance with RFC 3826. SNMPv3 provides multiple authentication and privacy options for user configuration. A subset of these options are the FIPS-approved algorithms: HMAC-SHA1-96 for authentication and AES128-CFB for privacy.
Related Configuration Tasks • • • • • • • • • • Managing Overload on Startup Reading Managed Object Values Writing Managed Object Values Subscribing to Managed Object Value Updates using SNMP Copying Configuration Files via SNMP Manage VLANs Using SNMP Enabling and Disabling a Port using SNMP Fetch Dynamic MAC Entries using SNMP Deriving Interface Indices Monitor Port-channels Important Points to Remember • • Typically, 5-second timeout and 3-second retry values on an SNMP server are sufficient for both
Setting Up User-Based Security (SNMPv3) When setting up SNMPv3, you can set users up with one of the following three types of configuration for SNMP read/write operations. Users are typically associated to an SNMP group with permissions provided, such as OID view. • • • noauth — no password or privacy. Select this option to set up a user with no password or privacy privileges. This setting is the basic configuration. Users must have a group and profile that do not require password privileges.
• • • Read the value of a single managed object. snmpget -v version -c community agent-ip {identifier.instance | descriptor.instance} Read the value of the managed object directly below the specified object. snmpgetnext -v version -c community agent-ip {identifier.instance | descriptor.instance} Read the value of many objects at once. snmpwalk -v version -c community agent-ip {identifier.instance | descriptor.
CONFIGURATION mode snmp-server location text You may use up to 55 characters. • The default is None. (From a management station) Identify the system manager along with this person’s contact information (for example, an email address or phone number). CONFIGURATION mode snmpset -v version -c community agent-ip sysContact.0 s “contact-info” You may use up to 55 characters. • The default is None.
snmp linkdown snmp linkup PORT_LINKDN:changed interface state to down:%d PORT_LINKUP:changed interface state to up:%d Enabling a Subset of SNMP Traps You can enable a subset of Dell Networking enterprise-specific SNMP traps using one of the following listed command options. To enable a subset of Dell Networking enterprise-specific SNMP traps, use the following command. • Enable a subset of SNMP traps.
xstp %SPANMGR-5-STP_NEW_ROOT: New Spanning Tree Root, Bridge ID Priority 32768, Address 0001.e801.fc35. %SPANMGR-5-STP_TOPOLOGY_CHANGE: Bridge port TenGigabitEthernet 1/8 transitioned from Forwarding to Blocking state. %SPANMGR-5-MSTP_NEW_ROOT_BRIDGE: Elected root bridge for instance 0. %SPANMGR-5-MSTP_NEW_ROOT_PORT: MSTP root changed to port Te 1/8 for instance 0. My Bridge ID: 40960:0001.e801.fc35 Old Root: 40960:0001.e801.fc35 New Root: 32768:00d0.038a.2c01.
MIB Object OID Object Values Description • copySrcFileLocation .1.3.6.1.4.1.6027.3.5.1.1.1.1.3 1 = flash 2 = slot0 3 = tftp config, the default copySrcFileLocation is flash. If copySrcFileType is a binary file, you must also specify copySrcFileLocation and copySrcFileName. Specifies the location of source file. • 4 = ftp 5 = scp If copySrcFileLocation is FTP or SCP, you must specify copyServerAddress, copyUserName, and copyUserPassword. 6 = usbflash copySrcFileName copyDestFileType .1.3.6.1.4.
Copying a Configuration File To copy a configuration file, use the following commands. NOTE: In UNIX, enter the snmpset command for help using the following commands. Place the f10-copy-config.mib file in the directory from which you are executing the snmpset command or in the snmpset tool path. 1. Create an SNMP community string with read/write privileges. CONFIGURATION mode snmp-server community community-name rw 2. Copy the f10-copy-config.
FTOS-COPY-CONFIG-MIB::copySrcFileType.100 = INTEGER: runningConfig(2) FTOS-COPY-CONFIG-MIB::copyDestFileType.100 = INTEGER: startupConfig(3) Copying the Startup-Config Files to the Running-Config To copy the startup-config to the running-config from a UNIX machine, use the following command. • Copy the startup-config to the running-config from a UNIX machine. snmpset -c private -v 2c force10system-ip-address copySrcFileType.index i 3 copyDestFileType.
copyDestFileName.4 s /home/myfilename copyServerAddress.4 a 11.11.11.11 Copy a Binary File to the Startup-Configuration To copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP, use the following command. • Copy a binary file from the server to the startup-configuration on the Dell Networking system via FTP. snmpset -v 2c -c public -m ./f10-copy-config.mib force10system-ip-address copySrcFileType.index i 1 copySrcFileLocation.index i 4 copySrcFileName.
index: the index value used in the snmpset command used to complete the copy operation. NOTE: You can use the entire OID rather than the object name. Use the form: OID.index. The following examples show the snmpget command to obtain a MIB object value. These examples assume that: • • • • the server OS is UNIX you are using SNMP version 2c the community name is public the file f10-copy-config.mib is in the current directory NOTE: In UNIX, enter the snmpset command for help using this command.
MIB Support to Display the Software Core Files Generated by the System Dell Networking provides MIB objects to display the software core files generated by the system. The chSysSwCoresTable contains the list of software core files generated by the system. The following table lists the related MIB objects. Table 54. MIB Objects for Displaying the Software Core Files Generated by the System MIB Object OID Description chSysSwCoresTable 1.3.6.1.4.1.6027.3.10.1.2.
Manage VLANs using SNMP The qBridgeMIB managed objects in Q-BRIDGE-MIB, defined in RFC 2674, allows you to use SNMP to manage VLANs. Creating a VLAN To create a VLAN, use the dot1qVlanStaticRowStatus object. The snmpset operation shown in the following example creates VLAN 10 by specifying a value of 4 for instance 10 of the dot1qVlanStaticRowStatus object. > snmpset -v2c -c mycommunity 123.45.6.78 .1.3.6.1.2.1.17.7.1.4.3.1.5.10 i 4 SNMPv2-SMI::mib-2.17.7.1.4.3.1.5.
SNMPv2-SMI::mib-2.17.7.1.4.3.1.2.1107787786 = Hex-STRING: 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 SNMPv2-SMI::mib-2.17.7.1.4.3.1.4.
EXEC Privilege mode show interface Or, from the management system, use the snmpwwalk command to identify the interface index. 3. Enter the snmpset command to change the admin status using either the object descriptor or the OID. snmpset with descriptor: snmpset -v version -c community agent-ip ifAdminStatus.ifindex i {1 | 2} snmpset with OID: snmpset -v version -c community agent-ip .1.3.6.1.2.1.2.2.1.7.
VlanId Mac Address Type Interface State 1000 00:01:e8:06:95:ac Dynamic Te 1/21 Active ---------------Query from Management Station--------------->snmpwalk -v 2c -c techpubs 10.11.131.162 .1.3.6.1.2.1.17.7.1.2.2.1 Example of Fetching MAC Addresses Learned on a Port-Channel Using SNMP Use dot3aCurAggFdbTable to fetch the learned MAC address of a port-channel. The instance number is the decimal conversion of the MAC address concatenated with the port-channel number.
Dell#show interface Tengigabitethernet 1/21 TenGigabitEthernet 1/21 is up, line protocol is up Monitor Port-Channels To check the status of a Layer 2 port-channel, use f10LinkAggMib (.1.3.6.1.4.1.6027.3.2). In the following example, Po 1 is a switchport and Po 2 is in Layer 3 mode. Example of SNMP Trap for Monitored Port-Channels [senthilnathan@lithium ~]$ snmpwalk -v 2c -c public 10.11.1.1 .1.3.6.1.4.1.6027.3.2.1.1 SNMPv2-SMI::enterprises.6027.3.2.1.1.1.1.1.1 = INTEGER: 1 SNMPv2-SMI::enterprises.6027.3.2.
IF-MIB::linkUp IF-MIB::ifIndex.1107755009 = INTEGER: 1107755009 SNMPv2-SMI::enterprises.6027.3.1.1.4.1.2 = STRING: "OSTATE_UP: Changed interface state to up: Po 1" Troubleshooting SNMP Operation When you use SNMP to retrieve management data from an SNMP agent on a Dell Networking router, take into account the following behavior. • • • When you query an IPv4 icmpMsgStatsInPkts object in the ICMP table by using the snmpwalk command, the output for echo replies may be incorrectly displayed.
47 Storm Control Storm control is supported on Dell Networking OS. The storm control feature allows you to control unknown-unicast and broadcast traffic on Layer 2 and Layer 3 physical interfaces. Dell Networking Operating System (OS) Behavior: Dell Networking OS supports broadcast control (the storm-control broadcast command) for Layer 2 and Layer 3 traffic. Topics: • Configure Storm Control Configure Storm Control Storm control is supported in INTERFACE mode and CONFIGURATION mode.
48 Spanning Tree Protocol (STP) The spanning tree protocol (STP) is supported on Dell Networking OS.
• • • • • Enabling PortFast Prevent Network Disruptions with BPDU Guard STP Root Guard Enabling SNMP Traps for Root Elections and Topology Changes Configuring Spanning Trees as Hitless Important Points to Remember • • • • • STP is disabled by default. The Dell Networking OS supports only one spanning tree instance (0). For multiple instances, enable the multiple spanning tree protocol (MSTP) or per-VLAN spanning tree plus (PVST+). You may only enable one flavor of spanning tree at any one time.
1. If the interface has been assigned an IP address, remove it. INTERFACE mode no ip address 2. Place the interface in Layer 2 mode. INTERFACE switchport 3. Enable the interface. INTERFACE mode no shutdown To verify that an interface is in Layer 2 mode and enabled, use the show config command from INTERFACE mode.
1. Enter PROTOCOL SPANNING TREE mode. CONFIGURATION mode protocol spanning-tree 0 2. Enable STP. PROTOCOL SPANNING TREE mode no disable To disable STP globally for all Layer 2 interfaces, use the disable command from PROTOCOL SPANNING TREE mode. To verify that STP is enabled, use the show config command from PROTOCOL SPANNING TREE mode.
Te 1/4 Dell# 8.514 8 4 FWD 0 32768 0001.e80d.2462 8.514 Adding an Interface to the Spanning Tree Group To add a Layer 2 interface to the spanning tree topology, use the following command. • Enable spanning tree on a Layer 2 interface. INTERFACE mode spanning-tree 0 Modifying Global Parameters You can modify the spanning tree parameters. The root bridge sets the values for forward-delay, hello-time, and max-age and overwrites the values set on other bridges participating in STP.
To view the current values for global parameters, use the show spanning-tree 0 command from EXEC privilege mode. Refer to the second example in Enabling Spanning Tree Protocol Globally. Modifying Interface STP Parameters You can set the port cost and port priority values of interfaces in Layer 2 mode. • • Port cost — a value that is based on the interface type. The greater the port cost, the less likely the port is selected to be a forwarding port.
Prevent Network Disruptions with BPDU Guard Configure the Portfast (and Edgeport, in the case of RSTP, PVST+, and MSTP) feature on ports that connect to end stations. End stations do not generate BPDUs, so ports configured with Portfast/ Edgport (edgeports) do not expect to receive BDPUs. If an edgeport does receive a BPDU, it likely means that it is connected to another part of the network, which can negatively affect the STP topology.
Figure 108. Enabling BPDU Guard Dell Networking OS Behavior: BPDU guard and BPDU filtering both block BPDUs, but are two separate features. BPDU guard: • • is used on edgeports and blocks all traffic on edgeport if it receives a BPDU. drops the BPDU after it reaches the RPM and generates a console message.
Selecting STP Root The STP determines the root bridge, but you can assign one bridge a lower priority to increase the likelihood that it becomes the root bridge. You can also specify that a bridge is the root or the secondary root. To change the bridge priority or specify that a bridge is the root or secondary root, use the following command. • Assign a number as the bridge priority or designate it as the root or secondary root.
Figure 109. STP Root Guard Prevents Bridging Loops Configuring Root Guard Enable STP root guard on a per-port or per-port-channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with STP root guard: • • • • • Root guard is supported on any STP-enabled port or port-channel interface except when used as a stacking port.
To verify the STP root guard configuration on a port or port-channel interface, use the show spanning-tree 0 guard [interface interface] command in a global configuration mode. Enabling SNMP Traps for Root Elections and Topology Changes To enable SNMP traps individually or collectively, use the following commands. • • Enable SNMP traps for spanning tree state changes. snmp-server enable traps stp Enable SNMP traps for RSTP, MSTP, and PVST+ collectively.
Figure 110. STP Loop Guard Prevents Forwarding Loops Configuring Loop Guard Enable STP loop guard on a per-port or per-port channel basis. Dell Networking OS Behavior: The following conditions apply to a port enabled with loop guard: • • Loop guard is supported on any STP-enabled port or port-channel interface.
• • If no BPDU is received from a remote device, loop guard places the port in a Loop-Inconsistent Blocking state and no traffic is forwarded on the port. When used in a PVST+ network, STP loop guard is performed per-port or per-port channel at a VLAN level. If no BPDUs are received on a VLAN interface, the port or port-channel transitions to a Loop-Inconsistent (Blocking) state only for this VLAN. To enable a loop guard on an STP-enabled port or port-channel interface, use the following command.
49 System Time and Date System time and date settings and the network time protocol (NTP) are supported on Dell Networking OS. You can set system times and dates and maintained through the NTP. They are also set through the Dell Networking Operating System (OS) command line interfaces (CLIs) and hardware settings.
Protocol Overview The NTP messages to one or more servers and processes the replies as received. The server interchanges addresses and ports, fills in or overwrites certain fields in the message, recalculates the checksum, and returns it immediately. Information included in the NTP message allows each client/server peer to determine the timekeeping characteristics of its other peers, including the expected accuracies of their clocks.
To display the system clock state with respect to NTP, use the show ntp status command from EXEC Privilege mode. R6_E300(conf)#do show ntp status Clock is synchronized, stratum 2, reference is 192.168.1.1 frequency is -369.623 ppm, stability is 53.319 ppm, precision is 4294967279 reference time is CD63BCC2.0CBBD000 (16:54:26.049 UTC Thu Mar 12 2009) clock offset is 997.529984 msec, root delay is 0.00098 sec root dispersion is 10.04271 sec, peer dispersion is 10032.
• • For a port channel interface, enter the keywords port-channel then a number. For a VLAN interface, enter the keyword vlan then a number from 1 to 4094. To view the configuration, use the show running-config ntp command in EXEC privilege mode (refer to the example in Configuring NTP Authentication). Configuring NTP Authentication NTP authentication and the corresponding trusted key provide a reliable means of exchanging NTP packets with trusted time sources.
The following example shows configuring an NTP server. R6_E300(conf)#1w6d23h : NTP: xmit packet to 192.168.1.1: leap 0, mode 3, version 3, stratum 2, ppoll 1024 rtdel 0219 (8.193970), rtdsp AF928 (10973.266602), refid C0A80101 (192.168.1.1) ref CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) org CD7F4F63.68000000 (14:51:15.406 UTC Thu Apr 2 2009) rec CD7F4F63.6BE8F000 (14:51:15.421 UTC Thu Apr 2 2009) xmt CD7F5368.D0535000 (15:8:24.813 UTC Thu Apr 2 2009) 1w6d23h : NTP: rcv packet from 192.168.1.
• Filter dispersion — the error in calculating the minimum delay from a set of sample data from a peer. To view the NTP configuration, use the show running-config ntp command in EXEC privilege mode. The following example shows an encrypted authentication key (in bold). All keys are encrypted. Dell#show running ntp ! ntp authenticate ntp authentication-key 345 md5 5A60910F3D211F02 ntp server 11.1.1.
• • timezone-name: enter the name of the timezone. Do not use spaces. offset: enter one of the following: • • a number from 1 to 23 as the number of hours in addition to UTC for the timezone. a minus sign (-) then a number from 1 to 23 as the number of hours.
clock summer-time time-zone recurring start-week start-day start-month start-time end-week end-day end-month end-time [offset] • • • • • • • • • • • • time-zone: Enter the three-letter name for the time zone. This name displays in the show clock output. start-week: (OPTIONAL) Enter one of the following as the week that daylight saving begins and then enter values for startday through end-time: • week-number: Enter a number from 1 to 4 as the number of the week in the month to start daylight saving time.
50 Tunneling Tunnel interfaces create a logical tunnel for IPv4 or IPv6 traffic. Tunneling supports RFC 2003, RFC 2473, and 4213. DSCP, hop-limits, flow label values, OSPFv2, and OSPFv3 are also supported. ICMP error relay, PATH MTU transmission, and fragmented packets are not supported.
tunnel source 60.1.1.1 tunnel mode ipv6ip no shutdown The following sample configuration shows a tunnel configured in IPIP mode (IPv4 tunnel carries IPv4 and IPv6 traffic): Dell(conf)#interface tunnel 3 Dell(conf-if-tu-3)#tunnel source 5::5 Dell(conf-if-tu-3)#tunnel destination 8::9 Dell(conf-if-tu-3)#tunnel mode ipv6 Dell(conf-if-tu-3)#ip address 3.1.1.1/24 Dell(conf-if-tu-3)#ipv6 address 3::1/64 Dell(conf-if-tu-3)#no shutdown Dell(conf-if-tu-3)#show config ! interface Tunnel 3 ip address 3.1.1.
interface TenGigabitEthernet 1/1 ip address 20.1.1.1/24 ipv6 address 20:1::1/64 no shutdown Dell(conf)#interface tunnel 1 Dell(conf-if-tu-1)#ip unnumbered tengigabitethernet 1/1 Dell(conf-if-tu-1)#ipv6 unnumbered tengigabitethernet 1/1 Dell(conf-if-tu-1)#tunnel source 40.1.1.1 Dell(conf-if-tu-1)#tunnel mode ipip decapsulate-any Dell(conf-if-tu-1)#no shutdown Dell(conf-if-tu-1)#show config ! interface Tunnel 1 ip unnumbered TenGigabitEthernet 1/1 ipv6 unnumbered TenGigabitEthernet 1/1 tunnel source 40.1.1.
tunnel source anylocal tunnel allow-remote 40.1.1.2 tunnel mode ipip decapsulate-any no shutdown Guidelines for Configuring Multipoint ReceiveOnly Tunnels • • • • • Maximum number of allowed remote end-points that can be configured for a single multipoint receive-only tunnel is eight.
51 Upgrade Procedures To find the upgrade procedures, go to the Dell Networking OS Release Notes for your system type to see all the requirements needed to upgrade to the desired Dell Networking OS version. To upgrade your system type, follow the procedures in the Dell Networking OS Release Notes. Get Help with Upgrades Direct any questions or concerns about the Dell Networking OS upgrade procedures to the Dell Technical Support Center. You can reach Technical Support: • • • On the web: http://www.dell.
52 Virtual LANs (VLANs) Virtual LANs (VLANs) are supported on Dell Networking OS. VLANs are a logical broadcast domain or logical grouping of interfaces in a local area network (LAN) in which all data received is kept locally and broadcast to all members of the group. When in Layer 2 mode, VLANs move traffic at wire speed and can span multiple devices. The Dell Networking Operating System (OS) supports up to 4093 port-based VLANs and one default VLAN, as specified in IEEE 802.1Q.
NOTE: You cannot assign an IP address to the Default VLAN. To assign an IP address to a VLAN that is currently the Default VLAN, create another VLAN and assign it to be the Default VLAN. For more information about assigning IP addresses, refer to Assigning an IP Address to a VLAN. • • Untagged interfaces must be part of a VLAN. To remove an untagged interface from the Default VLAN, create another VLAN and place the interface into that VLAN.
NOTE: The insertion of the tag header into the Ethernet frame increases the size of the frame to more than the 1,518 bytes as specified in the IEEE 802.3 standard. Some devices that are not compliant with IEEE 802.3 may not support the larger frame size. Information contained in the tag header allows the system to prioritize traffic and to forward information to ports associated with a specific VLAN ID. Tagged interfaces can belong to multiple VLANs, while untagged interfaces can belong only to one VLAN.
To view which interfaces are tagged or untagged and to which VLAN they belong, use the show vlan command. The following example shows that six VLANs are configured, and two interfaces are assigned to VLAN 2. The Q column in the show vlan command example notes whether the interface is tagged (T) or untagged (U). For more information about this command, refer to the Layer 2 chapter of the Dell Networking OS Command Reference Guide.
CONFIGURATION mode interface vlan vlan-id 2. Configure an interface as untagged. INTERFACE mode untagged interface This command is available only in VLAN interfaces. The no untagged interface command removes the untagged interface from a port-based VLAN and places the interface in the Default VLAN. You cannot use the no untagged interface command in the Default VLAN. The following example shows the steps and commands to move an untagged interface from the Default VLAN to another VLAN.
INTERFACE mode ip address ip-address mask [secondary] • • ip-address mask — Enter an address in dotted-decimal format (A.B.C.D) and the mask must be in slash format (/24). secondary — This is the interface’s backup IP address. You can configure up to eight secondary IP addresses. Configuring Native VLANs Traditionally, ports can be either untagged for membership to one VLAN or tagged for membership to multiple VLANs.
53 Virtual Link Trunking (VLT) Overview VLT allows physical links between two chassis to appear as a single virtual link to the network core or other switches such as Edge, Access, or top-of-rack (ToR). VLT reduces the role of spanning tree protocols (STPs) by allowing link aggregation group (LAG) terminations on two separate distribution or core switches, and by supporting a loop-free topology. (To prevent the initial loop that may occur prior to VLT being established, use a spanning tree protocol.
Figure 113. VLT on Switches VLT on Core Switches You can also deploy VLT on core switches. Uplinks from servers to the access layer and from access layer to the aggregation layer are bundled in LAG groups with end-to-end Layer 2 multipathing. This set up requires “horizontal” stacking at the access layer and VLT at the aggregation layer such that all the uplinks from servers to access and access to aggregation are in Active-Active Load Sharing mode.
Figure 114. Enhanced VLT VLT Terminology The following are key VLT terms. • • • • • Virtual link trunk (VLT) — The combined port channel between an attached device and the VLT peer switches. VLT backup link — The backup link monitors the vitality of VLT peer switches. The backup link sends configurable, periodic keep alive messages between the VLT peer switches. VLT interconnect (VLTi) — The link used to synchronize states between the VLT peer switches.
• • • • • • • • • the VLT peers with LACP. If supported by the ToR, enable the lacp-ungroup feature on the ToR using the lacp ungroup member-independent port-channel command. If the lacp-ungroup feature is not supported on the ToR, reboot the VLT peers one at a time. After rebooting, verify that VLTi (ICL) is active before attempting DHCP connectivity. When you enable IGMP snooping on the VLT peers, ensure the value of the delay-restore command is not less than the query interval.
• • One chassis in the VLT domain is assigned a primary role; the other chassis takes the secondary role. The primary and secondary roles are required for scenarios when connectivity between the chassis is lost. VLT assigns the primary chassis role according to the lowest MAC address. You can configure the primary role. • In a VLT domain, the peer switches must run the same Dell Networking OS software version. • Separately configure each VLT peer switch with the same VLT domain ID and the VLT version.
• Virtual link trunks (VLTs) between access devices and VLT peer switches • • • • • • • To connect servers and access switches with VLT peer switches, you use a VLT port channel, as shown in Overview. Up to 48 port-channels are supported; up to 16 member links are supported in each port channel between the VLT domain and an access device. The discovery protocol running between VLT peers automatically generates the ID number of the port channel that connects an access device and a VLT switch.
• • In a VLT domain, although both VLT peers actively participate in L3 forwarding as the VRRP master or backup router, the show vrrp command output displays one peer as master and the other peer as backup. Failure scenarios • • On a link failover, when a VLT port channel fails, the traffic destined for that VLT port channel is redirected to the VLTi to avoid flooding.
VLT Bandwidth Monitoring When bandwidth usage of the VLTi (ICL) exceeds 80%, a syslog error message (shown in the following message) and an SNMP trap are generated. %STKUNIT0-M:CP %VLTMGR-6-VLT-LAG-ICL: Overall Bandwidth utilization of VLT-ICL-LAG (portchannel 25) crosses threshold. Bandwidth usage (80 ) When the bandwidth usage drops below the 80% threshold, the system generates another syslog message (shown in the following message) and an SNMP trap.
Figure 115. PIM-Sparse Mode Support on VLT On each VLAN where the VLT peer nodes act as the first hop or last hop routers, one of the VLT peer nodes is elected as the PIM designated router. If you configured IGMP snooping along with PIM on the VLT VLANs, you must configure VLTi as the static multicast router port on both VLT peer switches. This ensures that for first hop routers, the packets from the source are redirected to the designated router (DR) if they are incorrectly hashed.
If the VLT node elected as the designated router fails and you enable VLT Multicast Routing, multicast routes are synced to the other peer for traffic forwarding to ensure minimal traffic loss. If you did not enable VLT Multicast Routing, traffic loss occurs until the other VLT peer is selected as the DR. VLT Routing Layer 2 protocols from the ToR to the server are intra-rack and inter-rack. No spanning tree is required, but interoperability with spanning trees at the aggregation layer is supported.
Unlike VLT Unicast Routing, a normal multicast routing protocol does not exchange multicast routes between VLT peers. When you enable VLT Multicast Routing, the multicast routing table is synced between the VLT peers. Only multicast routes configured with a Spanned VLAN IP as their IIF are synced between VLT peers. For multicast routes with a Spanned VLAN IIF, only OIFs configured with a Spanned VLAN IP interface are synced between VLT peers.
RSTP Configuration RSTP is supported in a VLT domain. Before you configure VLT on peer switches, configure RSTP in the network. RSTP is required for initial loop prevention during the VLT startup phase. You may also use RSTP for loop prevention in the network outside of the VLT port channel. For information about how to configure RSTP, Rapid Spanning Tree Protocol (RSTP). Run RSTP on both VLT peer switches.
Configure RSTP on VLT Peers to Prevent Forwarding Loops (VLT Peer 2) Dell_VLTpeer2(conf)#protocol spanning-tree rstp Dell_VLTpeer2(conf-rstp)#no disable Dell_VLTpeer2(conf-rstp)#bridge-priority 0 Configuring VLT To configure VLT, use the following procedure. Prerequisites: Before you begin, make sure that both VLT peer switches are running the same Dell Networking OS version and are configured for RSTP as described in RSTP Configuration.
Configure the same domain ID on the peer switch to allow for common peering. VLT uses the domain ID to automatically create a VLT MAC address for the domain. If you do not configure the system explicitly, the system mac-address of the primary will be the VLT MAC address for the domain. To disable VLT, use the no vlt domain command. NOTE: Do not use MAC addresses such as “reserved” or “multicast.” 2.
Reconfiguring the Default VLT Settings (Optional) To reconfigure the default VLT settings, use the following commands. 1. Enter VLT-domain configuration mode for a specified VLT domain. CONFIGURATION mode vlt domain domain-id The range of domain IDs is from 1 to 1000. 2. (Optional) After you configure the VLT domain on each peer switch on both sides of the interconnect trunk, by default, Dell Networking OS elects a primary and secondary VLT peer device.
• 10-Gigabit Ethernet: enter tengigabitethernet slot/port. 5. Ensure that the port channel is active. INTERFACE PORT-CHANNEL mode no shutdown 6. Associate the port channel to the corresponding port channel in the VLT peer for the VLT connection to an attached device. INTERFACE PORT-CHANNEL mode vlt-peer-lag port-channel id-number The valid port-channel ID numbers are from 1 to 128. 7. Repeat Steps 1 to 6 on the VLT peer switch to configure the same port channel as part of the VLT domain. 8.
peer-link port-channel id-number The range is from 1 to 128. 5. Configure the IP address of the management interface on the remote VLT peer to be used as the endpoint of the VLT backup link for sending out-of-band hello messages. VLT DOMAIN CONFIGURATION mode back-up destination ip-address [interval seconds] You can optionally specify the time interval used to send hello messages. The range is from 1 to 5 seconds. 6.
16. Repeat steps 1 through 15 for the VLT peer node in Domain 1. 17. Repeat steps 1 through 15 for the first VLT node in Domain 2. 18. Repeat steps 1 through 15 for the VLT peer node in Domain 2. To verify the configuration of a VLT domain, use any of the show commands described in Verifying a VLT Configuration. VLT Sample Configuration To review a sample VLT configuration setup, study these steps. 1. Configure the VLT domain with the same ID in VLT peer 1 and VLT peer 2.
s4810-4(conf)#vlt domain 5 s4810-4(conf-vlt-domain)# Configure the VLTi between VLT peer 1 and VLT peer 2. 1. You can configure the LACP/static LAG between the peer units (not shown). 2. Configure the peer-link port-channel in the VLT domains of each peer unit.
In the ToR unit, configure LACP on the physical ports.
PVST+ Configuration PVST+ is supported in a VLT domain. Before you configure VLT on peer switches, configure PVST+ in the network. PVST+ is required for initial loop prevention during the VLT startup phase. You may also use PVST+ for loop prevention in the network outside of the VLT port channel. Run PVST+ on both VLT peer switches. PVST+ instance will be created for every VLAN configured in the system.
In Domain 1, configure Peer 1 fist, then configure Peer 2. When that is complete, perform the same steps for the peer nodes in Domain 2. The interface used in this example is TenGigabitEthernet. Figure 116. eVLT Configuration Example eVLT Configuration Step Examples In Domain 1, configure the VLT domain and VLTi on Peer 1.
Configure eVLT on Peer 2. Domain_1_Peer2(conf)#interface port-channel 100 Domain_1_Peer2(conf-if-po-100)# switchport Domain_1_Peer2(conf-if-po-100)# vlt-peer-lag port-channel 100 Domain_1_Peer2(conf-if-po-100)# no shutdown Add links to the eVLT port-channel on Peer 2.
Domain_2_Peer4(conf-if-range-te-1/31-32)# port-channel 100 mode active Domain_2_Peer4(conf-if-range-te-1/31-32)# no shutdown PIM-Sparse Mode Configuration Example The following sample configuration shows how to configure the PIM Sparse mode designated router functionality on the VLT domain with two VLT port-channels that are members of VLAN 4001. For more information, refer to PIM-Sparse Mode Support on VLT.
• Display the VLT peer status, role of the local VLT switch, VLT system MAC address and system priority, and the MAC address and priority of the locally-attached VLT device. • EXEC mode show vlt role Display the current configuration of all VLT domains or a specified group on the switch. • EXEC mode show running-config vlt Display statistics on VLT operation.
Remote system version: Delay-Restore timer: 5(1) 90 seconds Dell_VLTpeer2# show vlt brief VLT Domain Brief -----------------Domain ID: Role: Role Priority: ICL Link Status: HeartBeat Status: VLT Peer Status: Local Unit Id: Version: Local System MAC address: Remote System MAC address: Configured System MAC address: Remote system version: Delay-Restore timer: 1000 Primary 32768 Up Up Up 1 5(1) 00:01:e8:8a:e7:e7 00:01:e8:8a:e9:70 00:0a:0a:01:01:0a 5(1) 90 seconds The following example shows the show vlt de
The following example shows the show vlt statistics command. Dell_VLTpeer1# show vlt statistics VLT Statistics ---------------HeartBeat Messages Sent: HeartBeat Messages Received: ICL Hello's Sent: ICL Hello's Received: 987 986 148 98 Dell_VLTpeer2# show vlt statistics VLT Statistics ---------------HeartBeat Messages Sent: HeartBeat Messages Received: ICL Hello's Sent: ICL Hello's Received: 994 978 89 89 The following example shows the show spanning-tree rstp command.
Configuring Virtual Link Trunking (VLT Peer 1) Enable VLT and create a VLT domain with a backup-link and interconnect trunk (VLTi). Dell_VLTpeer1(conf)#vlt domain 999 Dell_VLTpeer1(conf-vlt-domain)#peer-link port-channel 100 Dell_VLTpeer1(conf-vlt-domain)#back-up destination 10.11.206.35 Dell_VLTpeer1(conf-vlt-domain)#exit Configure the backup link. Dell_VLTpeer1(conf)#interface ManagementEthernet 0/0 Dell_VLTpeer1(conf-if-ma-0/0)#ip address 10.11.206.
Configure the VLT interconnect (VLTi). Dell_VLTpeer2(conf)#interface port-channel 100 Dell_VLTpeer2(conf-if-po-100)#no ip address Dell_VLTpeer2(conf-if-po-100)#channel-member fortyGigE 1/56,60 Dell_VLTpeer2(conf-if-po-100)#no shutdown Dell_VLTpeer2(conf-if-po-100)#exit Configure the port channel to an attached device.
Description Behavior at Peer Up Behavior During Run Time A syslog error message and an SNMP trap are generated. A syslog error message and an SNMP trap are generated. A syslog error message is generated. A syslog error message is generated. Follow the correct upgrade procedure for the unit with the mismatched Dell Networking OS version. Remote VLT port channel status N/A N/A Use the show vlt detail and show vlt brief commands to view the VLT port channel status information.
9. Confirm that the management ports are interconnected or connected to a switch that can transfer Heartbeat information. Specifying VLT Nodes in a PVLAN You can configure VLT peer nodes in a private VLAN (PVLAN). VLT enables redundancy without the implementation of Spanning Tree Protocol (STP), and provides a loop-free network with optimal bandwidth utilization.
The PVLAN mode of VLT LAGs on one peer is validated against the PVLAN mode of VLT LAGs on the other peer. MAC addresses that are learned on that VLT LAG are synchronized between the peers only if the PVLAN mode on both the peers is identical. For example, if the MAC address is learned on a VLT LAG and the VLAN is a primary VLT VLAN on one peer and not a primary VLT VLAN on the other peer, MAC synchronization does not occur.
Table 60.
Configuring a VLT VLAN or LAG in a PVLAN You can configure the VLT peers or nodes in a private VLAN (PVLAN). Because the VLT LAG interfaces are terminated on two different nodes, PVLAN configuration of VLT VLANs and VLT LAGs are symmetrical and identical on both the VLT peers. PVLANs provide Layer 2 isolation between ports within the same VLAN. A PVLAN partitions a traditional VLAN into subdomains identified by a primary and secondary VLAN pair.
no shutdown 3. Set the port in Layer 2 mode. INTERFACE mode switchport 4. Select the PVLAN mode. INTERFACE mode switchport mode private-vlan {host | promiscuous | trunk} • • • host (isolated or community VLAN port) promiscuous (intra-VLAN communication port) trunk (inter-switch PVLAN hub port) 5. Access INTERFACE VLAN mode for the VLAN to which you want to assign the PVLAN interfaces. CONFIGURATION mode interface vlan vlan-id 6. Enable the VLAN. INTERFACE VLAN mode no shutdown 7.
Working of Proxy ARP for VLT Peer Nodes Proxy ARP is enabled only when peer routing is enabled on both the VLT peers. If peer routing is disabled on one of the VLT peers, proxy ARP is not performed when the ICL link goes down. Proxy ARP is performed only when the VLT peer's MAC address is installed in the database. Proxy ARP is stopped when the VLT peer's MAC address is removed from the ARP database because of the peer routing timer expiry.
command in VLT DOMAIN mode. Using the bootstrap router (BSR) mechanism, both the VLT nodes in a VLT domain can be configured as the candidate RP for the same group range. When an RP fails, the VLT peer automatically takes over the role of the RP. This phenomenon enables resiliency to be achieved by the PIM BSR protocol. Configuring VLAN-Stack over VLT To configure VLAN-stack over VLT, follow these steps. 1. Configure the VLT LAG as VLAN-stack access or trunk mode on both the peers.
Dell(conf-if-po-20)#vlan-stack trunk Dell(conf-if-po-20)#no shutdown Dell#show running-config interface port-channel 20 ! interface Port-channel 20 no ip address switchport vlan-stack trunk vlt-peer-lag port-channel 20 no shutdown Dell# Configure VLAN as VLAN-Stack VLAN and add the VLT LAG as Members to the VLAN Dell(conf)#interface vlan 50 Dell(conf-if-vl-50)#vlan-stack compatible Dell(conf-if-vl-50-stack)#member port-channel 10 Dell(conf-if-vl-50-stack)#member port-channel 20 Dell#show running-config inte
Dell(conf-if-po-10)#vlan-stack access Dell(conf-if-po-10)#no shutdown Dell#show running-config interface port-channel 10 ! interface Port-channel 10 no ip address switchport vlan-stack access vlt-peer-lag port-channel 10 no shutdown Dell# Dell(conf)#interface port-channel 20 Dell(conf-if-po-20)#switchport Dell(conf-if-po-20)#vlt-peer-lag port-channel 20 Dell(conf-if-po-20)#vlan-stack trunk Dell(conf-if-po-20)#no shutdown Dell#show running-config interface port-channel 20 ! interface Port-channel 20 no ip ad
54 VLT Proxy Gateway Proxy Gateway in VLT Domains Using a proxy gateway, the VLT peers in a domain can route the L3 packets destined for VLT peers in another domain as long as they have L3 reachability for the IP destinations. A proxy gateway in a VLT domain provides the following benefits: • • Avoids sub-optimal routing of packets by a VLT domain when packets are destined to the endpoint in another VLT domain.
Guidelines for Enabling the VLT Proxy Gateway Keep the following points in mind when you enable this functionality: 1. The proxy gateway is supported only for VLT; for example, across VLT domain. 2. You must enable the VLT peer-routing command for the VLT proxy gateway to function. 3. The current design does not handle asymmetric virtual local area network (VLAN) configuration scenarios such as the same VLAN configured with L2 mode on one VLT domain and L3 mode on another VLT domain.
14. After a station move, if a host sends a TTL1 packet destined to its gateway; for example, a previous VLT node, the packet may be dropped. 15. After a station move, if a host first PINGs its gateway; for example, a previous VLT node it results a 40 to 60% success rate considering it takes a longer path. 16. L3 frames can be received out-of-order at the L3 cloud when you remove and add back a MAC. This can happen when proxy gateway routing and sub-optimal routing intersperse witth each other.
• LLDP packets fail to reach the remote VLT domain devices (due to system down, rebooting, port down or physical link connection) Sample Configurations for LLDP VLT Proxy Gateway Apply the following configurations in the Core L3 Routers C and D in the local VLT domain and C1 and D1 in the remote VLT domain: 1. Configure proxy-gateway lldp in VLT Domain CONFIG mode. 2. Configure peer-domain-link port-channel in VLT Domain Proxy Gateway LLDP mode.
1. The above figure show a sample VLT Proxy gateway scenario. Their are no diagonal links in the square VLT connection between the C and D in VLT domain 1 and C1 and D1 in the VLT domain 2. This undergo sub-optimal routing with the VLT Proxy Gateway LLDP method. For VLT Proxy Gateway to work in this scenario you must configure the , VLT-peer-mac transmit command under VLT Domain Proxy Gateway LLDP mode, in both C and D (VLT domain 1) and C1 and D1 (VLT domain 2).
55 Virtual Router Redundancy Protocol (VRRP) VRRP Overview VRRP is designed to eliminate a single point of failure in a statically routed network. VRRP specifies a MASTER router that owns the next hop IP and MAC address for end stations on a local area network (LAN). The MASTER router is chosen from the virtual routers by an election process and forwards packets sent to the next hop IP address.
Figure 117. Basic VRRP Configuration VRRP Benefits With VRRP configured on a network, end-station connectivity to the network is not subject to a single point-of-failure. End-station connections to the network are redundant and are not dependent on internal gateway protocol (IGP) protocols to converge or update routing tables. VRRP Implementation Within a single VRRP group, up to 12 virtual IP addresses are supported.
Recommended Advertise Interval Groups/Interface Total VRRP Groups Between 250 and 450 2–3 seconds 24 Between 450 and 600 3–4 seconds 36 Between 600 and 800 4 seconds 48 Between 800 and 1000 5 seconds 84 Between 1000 and 1200 7 seconds 100 Between 1200 and 1500 8 seconds 120 VRRP Configuration By default, VRRP is not configured. Configuration Task List The following list specifies the configuration tasks for VRRP.
ip address 10.10.10.1/24 ! vrrp-group 111 no shutdown Configuring the VRRP Version for an IPv4 Group For IPv4, you can configure a VRRP group to use one of the following VRRP versions: • • VRRPv2 as defined in RFC 3768, Virtual Router Redundancy Protocol (VRRP) VRRPv3 as defined in RFC 5798, Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6 You can also migrate a IPv4 group from VRRPv2 to VRRP3. To configure the VRRP version for IPv4, use the version command in INTERFACE mode.
• The virtual IP addresses must be in the same subnet as the primary or secondary IP addresses configured on the interface. Though a single VRRP group can contain virtual IP addresses belonging to multiple IP subnets configured on the interface, Dell Networking recommends configuring virtual IP addresses belonging to the same IP subnet for any one VRRP group. • • • For example, an interface (on which you enable VRRP) contains a primary IP address of 50.1.1.1/24 and a secondary IP address of 60.1.1.1/24.
Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 27, Gratuitous ARP sent: 2 Virtual MAC address: 00:00:5e:00:01:6f Virtual IP address: 10.10.2.2 10.10.2.3 Authentication: When the VRRP process completes its initialization, the State field contains either Master or Backup. Setting VRRP Group (Virtual Router) Priority Setting a virtual router priority to 255 ensures that router is the “owner” virtual router for the VRRP group.
authentication-type simple [encryption-type] password Parameters: • • encryption-type: 0 indicates unencrypted; 7 indicates encrypted. password: plain text. The bold section shows the encryption type (encrypted) and the password. Dell(conf-if-te-1/1-vrid-111)#authentication-type ? Dell(conf-if-te-1/1-vrid-111)#authentication-type simple 7 force10 The following example shows verifying the VRRP authentication configuration using the show conf command. The bold section shows the encrypted password.
NOTE: To avoid throttling VRRP advertisement packets, Dell Networking OS recommends increasing the VRRP advertisement interval to a value higher than the default value of one second. If you do change the time interval between VRRP advertisements on one router, change it on all participating routers. If are using VRRP version 2, you must configure the timer values in multiple of whole seconds. For example a timer value of 3 seconds or 300 centisecs are valid and equivalent.
For a virtual group, you can also track the status of a configured object (the track object-id command) by entering its object number. NOTE: You can configure a tracked object for a VRRP group (using the track object-id command in INTERFACEVRID mode) before you actually create the tracked object (using a track object-id command in CONFIGURATION mode). However, no changes in the VRRP group’s priority occur until the tracked object is defined and determined to be down.
Tracked by: VRRP TenGigabitEthernet 1/8 IPv6 VRID 1 Track 3 IPv6 route 2050::/64 reachability Reachability is Up (STATIC) 5 changes, last change 00:02:16 First-hop interface is TenGigabitEthernet 1/3 Tracked by: VRRP TenGigabitEthernet 1/8 IPv6 VRID 1 The following example shows verifying the VRRP status.
vrrp delay minimum seconds This time is the gap between an interface coming up and being operational, and VRRP enabling. The seconds range is from 0 to 900. • The default is 0. Set the delay time for VRRP initialization on all the interfaces in the system configured for VRRP. INTERFACE mode vrrp delay reload seconds This time is the gap between system boot up completion and VRRP enabling. The seconds range is from 0 to 900. The default is 0.
Figure 118. VRRP for IPv4 Topology Examples of Configuring VRRP for IPv4 and IPv6 The following example shows configuring VRRP for IPv4 Router 2. R2(conf)#interface tengigabitethernet 2/31 R2(conf-if-te-2/31)#ip address 10.1.1.1/24 R2(conf-if-te-2/31)#vrrp-group 99 R2(conf-if-te-2/31-vrid-99)#priority 200 R2(conf-if-te-2/31-vrid-99)#virtual 10.1.1.3 R2(conf-if-te-2/31-vrid-99)#no shut R2(conf-if-te-2/31)#show conf ! interface TenGigabitEthernet 2/31 ip address 10.1.1.
State: Master, Priority: 200, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 817, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:63 Virtual IP address: 10.1.1.3 Authentication: (none) R2# Router 3 R3(conf)#interface tengigabitethernet 3/21 R3(conf-if-te-3/21)#ip address 10.1.1.2/24 R3(conf-if-te-3/21)#vrrp-group 99 R3(conf-if-te-3/21-vrid-99)#virtual 10.1.1.
Figure 119. VRRP for an IPv6 Configuration NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be MASTER even if one of two routers has a higher IP or IPv6 address. The following example shows configuring VRRP for IPv6 Router 2 and Router 3. Configure a virtual link local (fe80) address for each VRRPv3 group created for an interface.
ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f VRF: 0 default-vrf State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 135 Virtual MAC address: 00:00:5e:
instance in order that there is one MASTER and one backup router for each VRF. In VRF-1 and VRF-2, Switch-2 serves as owner-master of the VRRP group and Switch-1 serves as the backup. On VRF-3, Switch-1 is the owner-master and Switch-2 is the backup. In VRF-1 and VRF-2 on Switch-2, the virtual IP and node IP address, subnet, and VRRP group are the same. On Switch-1, the virtual IP address, subnet, and VRRP group are the same in VRF-1 and VRF-2, but the IP address of the node interface is unique.
! S1(conf)#interface TenGigabitEthernet 1/3 S1(conf-if-te-1/3)#ip vrf forwarding VRF-3 S1(conf-if-te-1/3)#ip address 20.1.1.5/24 S1(conf-if-te-1/3)#vrrp-group 15 % Info: The VRID used by the VRRP group 15 in VRF 3 will be 243. S1(conf-if-te-1/3-vrid-105)#priority 255 S1(conf-if-te-1/3-vrid-105)#virtual-address 20.1.1.5 S1(conf-if-te-1/3)#no shutdown Dell#show vrrp tengigabitethernet 2/8 -----------------TenGigabitEthernet 2/8, IPv4 VRID: 1, Version: 2, Net: 10.1.1.
This VLAN scenario often occurs in a service-provider network in which you configure VLAN tags for traffic from multiple customers on customer-premises equipment (CPE), and separate VRF instances associated with each VLAN are configured on the provider edge (PE) router in the point-of-presence (POP).
10.1.1.100 Authentication: (none) VRRP in VRF: Switch-2 VLAN Configuration Switch-2 S2(conf)#ip vrf VRF-1 1 ! S2(conf)#ip vrf VRF-2 2 ! S2(conf)#ip vrf VRF-3 3 ! S2(conf)#interface TenGigabitEthernet 1/1 S2(conf-if-te-1/1)#no ip address S2(conf-if-te-1/1)#switchport S2(conf-if-te-1/1)#no shutdown ! S2(conf-if-te-1/1)#interface vlan 100 S2(conf-if-vl-100)#ip vrf forwarding VRF-1 S2(conf-if-vl-100)#ip address 10.10.1.
-----------------Port-channel 1, IPv4 VRID: 1, Version: 2, Net: 10.1.1.1 VRF: 2 vrf2 State: Master, Priority: 100, Master: 10.1.1.1 (local) Hold Down: 0 sec, Preempt: TRUE, AdvInt: 1 sec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 419, Gratuitous ARP sent: 1 Virtual MAC address: 00:00:5e:00:01:01 Virtual IP address: 10.1.1.
Figure 121. VRRP for IPv6 Topology NOTE: In a VRRP or VRRPv3 group, if two routers come up with the same priority and another router already has MASTER status, the router with master status continues to be master even if one of two routers has a higher IP or IPv6 address.
R2(conf-if-te-1/1)#show config interface TenGigabitEthernet 1/1 ipv6 address 1::1/64 vrrp-group 10 priority 100 virtual-address fe80::10 virtual-address 1::10 no shutdown R2(conf-if-te-1/1)#end R2#show vrrp -----------------TenGigabitEthernet 1/1, IPv6 VRID: 10, Version: 3, Net:fe80::201:e8ff:fe6a:c59f State: Master, Priority: 100, Master: fe80::201:e8ff:fe6a:c59f (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0,
VRF: 0 default State: Master, Priority: 110, Master: fe80::201:e8ff:fe8a:e9ed (local) Hold Down: 0 centisec, Preempt: TRUE, AdvInt: 100 centisec Accept Mode: FALSE, Master AdvInt: 100 centisec Adv rcvd: 0, Bad pkts rcvd: 0, Adv sent: 120 Virtual MAC address: 00:00:5e:00:02:ff Virtual IP address: 10:1:1::255 fe80::255 Dell# Dell#show vrrp vrf vrf1 vlan 400 Vlan 400, IPv6 VRID: 255, Version: 3, Net: fe80::201:e8ff:fe8a:e9ed VRF: 1 vrf1 State: Master, Priority: 200, Master: fe80::201:e8ff:fe8a:e9ed (local) Hol
56 Z-Series Debugging and Diagnostics This chapter describes debugging and diagnostics for the Z-Series platform. Topics: • • • • • • • • • • • Offline Diagnostics TRACE Logs Last Restart Reason Hardware Watchdog Timer show hardware Commands Environmental Monitoring Buffer Tuning Troubleshooting Packet Loss Enabling Application Core Dumps Mini Core Dumps Enabling TCP Dumps Offline Diagnostics The offline diagnostics test suite is useful for isolating faults and debugging hardware.
NOTE: The system reboots when the offline diagnostics completes. This is an automatic process in default mode. A warning message appears when you implement the offline stack-unit command: Warning - offline of stack unit will bring down all the protocols and the unit will be operationally down, except for running Diagnostics. Proceed with Offline-Diags [confirm yes/no]:y 2. Confirm offline status. EXEC Privilege mode show system brief Results are captured in one file whether for one unit or multiple units.
---------------------------------------0 0 up up 0 up 0 0 1 up up 16000 up 16000 0 2 up up 16000 up 16000 0 3 up up 16000 up 16000 Speed in RPM Dell# As shown in the following output example, log messages differ somewhat when diagnostics are done on a standalone unit.
Test 3 - Psu Temperature Test ...................................... FAIL + TEST - 4 PSU [0] Fan Speed ---> 17441 RPM Test 4.000 - Psu Fan Speed Monitor Test ............................. PASS diagS3240GetPsuOnStatus[580]: ERROR: PSU-1 is not present... diagS3240PsuFanSpeedMonitorTest[378]: ERROR: Getting PSU -1 power status failed.. Test 4.001 - Psu Fan Speed Monitor Test ............................. FAIL Test 4 - Psu Fan Speed Monitor Test ................................
Serial Number : Z1FX111100005 Part Number : 7520051802 Product Revision : 02 Version : 8-3-11-631 --More- TRACE Logs In addition to the syslog buffer, to report hardware and software events and status information, Dell Networking OS buffers trace messages which are continuously written by various Dell Networking OS software tasks. Each TRACE message provides the date, time, and name of the Dell Networking OS process.
• • • • • • • • • • • • • show hardware stack-unit {0-11} buffer total-buffer View the modular packet buffers details per unit and the mode of allocation. show hardware stack-unit {0-11} buffer unit {0-1} total-buffer View the forwarding plane statistics containing the packet buffer usage per port per stack unit. show hardware stack-unit {0-11} buffer unit {0-1} port {1-64 | all} buffer-info View the forwarding plane statistics containing the packet buffer statistics per COS per port.
Internal Unit Port Number User Ports from User Ports from User Ports from User Ports from No User Ports 0 to 31 on Unit 0 32 to 63 on Unit 64 to 95 on Unit 96 to 127 on on Unit 4 1 2 Unit 3 No User Ports on Unit 5 14 13 45 77 109 Internal Internal 15 14 46 78 110 Internal Internal 16 15 47 79 111 Internal Internal 17 16 48 80 112 Internal Internal 18 17 49 81 113 Internal Internal 19 18 50 82 114 Internal Internal 20 19 51 83 115 Internal Internal 21 20
0 1 active 33C not present ok Recognize an Over-Temperature Condition An overtemperature condition occurs, for one of two reasons: the card genuinely is too hot or a sensor has malfunctioned. To discover the cause, inspect cards near the one reporting the condition. • • If directly adjacent cards are not normal temperature, suspect a genuine overheating condition. If directly adjacent cards are normal temperature, suspect a faulty sensor.
OID String OID Name Description chSysPortXfpTxPower OID to display the transmitting power of the connected optics. chSysPortXfpRecvTemp OID to display the Temperature of the connected optics. NOTE: These OIDs are only generated if you enable the enable optic-info-update-interval command. .1.3.6.1.4.1.6027.3.16.1.1.4 fpPacketBufferTable View the modular packet buffers details per stack unit and the mode of allocation. .1.3.6.1.4.1.6027.3.16.1.1.
Buffer Tuning Points Decide to Tune Buffers Dell Networking recommends exercising caution when configuring any non-default buffer settings, as tuning can significantly affect system performance. The default values work for most cases. As a guideline, consider tuning buffers if traffic is very bursty (and coming from several interfaces). In this case: • • • Reduce the dedicated buffer on all queues/interfaces. Increase the dynamic buffer on all interfaces.
• BUFFER PROFILE mode buffer dynamic Change the number of packet-pointers per queue. • BUFFER PROFILE mode buffer packet-pointers Apply the buffer profile to a line card. • CONFIGURATION mode buffer fp-uplink linecard Apply the buffer profile to a CSF to FP link. CONFIGURATION mode buffer csf linecard Dell Networking OS Behavior: If you attempt to apply a buffer profile to a non-existent port-pipe, Dell Networking OS displays the following message.
Dell#show buffer-profile detail int gi 0/10 Interface Gi 0/10 Buffer-profile fsqueue-fp Dynamic buffer 1256.00 (Kilobytes) Queue# Dedicated Buffer Buffer Packets (Kilobytes) 0 3.00 256 1 3.00 256 2 3.00 256 3 3.00 256 4 3.00 256 5 3.00 256 6 3.00 256 7 3.00 256 Dell#show buffer-profile detail fp-uplink stack-unit 0 port-set 0 Linecard 0 Port-set 0 Buffer-profile fsqueue-hig Dynamic Buffer 1256.00 (Kilobytes) Queue# Dedicated Buffer Buffer Packets (Kilobytes) 0 3.00 256 1 3.00 256 2 3.00 256 3 3.00 256 4 3.
• • • • • • • • • • show hardware stack-unit 0-7 drops unit 0-5 port 0-49 show hardware stack-unit 0-7 unit 0-5 {counters | details | port-stats [detail] | register | execute-shell-cmd | ipmc-replication | table-dump}: show hardware {layer2| layer3} {e.g. acl |in acl} stack-unit 0-7 port-set 0-5 show hardware layer3 qos stack-unit 0-7 port-set 0-5 show hardware ipv6 {e.g.
Displaying Dataplane Statistics The show hardware stack-unit cpu data-plane statistics command provides insight into the packet types coming to the CPU. As shown in the following example, the show hardware stack-unit cpu data-plane statistics command output has been augmented, providing detailed RX/TX packet statistics on a per-queue basis. The objective is to see whether CPU-bound traffic is internal (so-called party bus or IPC traffic) or network control traffic, which the CPU must process.
• RIPC4.ge0 RUC.ge0 RDBGC0.ge0 RDBGC1.ge0 RDBGC5.ge0 RDBGC7.ge0 GR64.ge0 GR127.ge0 GR255.ge0 GRPKT.ge0 GRBYT.ge0 GRMCA.ge0 GRBCA.ge0 GT64.ge0 GT127.ge0 GT255.ge0 GT511.ge0 GTPKT.ge0 GTBCA.ge0 GTBYT.ge0 RUC.cpu0 TDBGC6.
0026a8d0 : 0026a00c : ------------------------STACK TRACE END------------------------------------------FREE MEMORY--------------uvmexp.free = 0x2312 Enabling TCP Dumps TCP dump captures CPU bound control plane traffic to improve troubleshooting and system manageability. When you enable TCP dumps, a dump captures all the packets on the local CPU, as specified in the CLI. You can save the traffic capture files to flash, to FTP, SCP, or TFTP.
57 Standards Compliance This chapter describes standards compliance for Dell Networking products. NOTE: Unless noted, when a standard cited here is listed as supported by the Dell Networking Operating System (OS), Dell Networking OS also supports predecessor standards. One way to search for predecessor standards is to use the http://tools.ietf.org/ website. Click “Browse and search IETF documents,” enter an RFC number, and inspect the top of the resulting document for obsolescence citations to related RFCs.
RFC and I-D Compliance Dell Networking OS supports the following standards. The standards are grouped by related protocol. The columns showing support by platform indicate which version of Dell Networking OS first supports the standard. General Internet Protocols The following table lists the Dell Networking OS support per platform for general internet protocols. Table 64. General Internet Protocols RFC# Full Name S-Series 768 User Datagram Protocol 7.6.1 793 Transmission Control Protocol 7.6.
RFC# Full Name S-Series 1305 Network Time Protocol (Version 3) Specification, Implementation and Analysis 7.6.1 1519 Classless Inter-Domain Routing (CIDR): an Address 7.6.1 Assignment and Aggregation Strategy 1542 Clarifications and Extensions for the Bootstrap Protocol 7.6.1 1812 Requirements for IP Version 4 Routers 7.6.1 2131 Dynamic Host Configuration Protocol 7.6.1 2338 Virtual Router Redundancy Protocol (VRRP) 7.6.1 3021 Using 31-Bit Prefixes on IPv4 Point-to-Point Links 7.7.
Border Gateway Protocol (BGP) The following table lists the Dell Networking OS support per platform for BGP protocols. Table 67. Border Gateway Protocol (BGP) RFC# Full Name S-Series/Z-Series 1997 BGP ComAmtturnibituitees 7.8.1 2385 Protection of BGP Sessions via the TCP MD5 Signature Option 7.8.1 2439 BGP Route Flap Damping 7.8.1 2545 Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing 2796 BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) 7.8.
RFC# Full Name 1195 Use of OSI IS-IS for Routing in TCP/IP and Dual Environments 2763 Dynamic Hostname Exchange Mechanism for IS-IS 2966 Domain-wide Prefix Distribution with Two-Level ISIS 3373 Three-Way Handshake for Intermediate System to Intermediate System (IS-IS) Point-to-Point Adjacencies 3567 IS-IS ACruythpetongtircaapthioicn 3784 Intermediate System to Intermediate System (ISIS) Extensions in Support of Generalized MultiProtocol Label Switching (GMPLS) 5120 MT-ISIS: Multi Topology (MT
RFC# Full Name S-Series 3973 Protocol Independent Multicast - Dense Mode (PIM-DM): Protocol Specification (Revised) 4541 Considerations for Internet Group Management Protocol (IGMP) and Multicast Listener Discovery (MLD) Snooping Switches 7.6.1 (IGMPv1/v2) draft-ietf-pim -sm-v2-new- 05 Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised) 7.8.
RFC# Full Name S4810 S4820T Z-Series 9.5.(0.0) 9.5.(0.0) Hierarchy (SONET/SDH) Interface Type 2570 Introduction and Applicability Statements for Internet Standard Management Framework 7.6.1 2571 An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks 7.6.1 2572 Message Processing and Dispatching for the Simple Network Management Protocol (SNMP) 7.6.1 2574 User-based Security Model 7.6.
RFC# Full Name S4810 S4820T Z-Series History Control Table, Ethernet History Table, Alarm Table, Event Table, Log Table 2863 The Interfaces Group MIB 7.6.1 2865 Remote Authentication Dial In User Service (RADIUS) 7.6.1 3273 Remote Network Monitoring 7.6.1 Management Information Base for High Capacity Networks (64 bits): Ethernet Statistics High-Capacity Table, Ethernet History HighCapacity Table 3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP) 7.6.
RFC# Full Name S4810 S4820T Z-Series 9.2(0.0) 9.2(0.0) 9.2(0.0) 9.2.(0.0) 9.2.(0.0) isisISAdjTable isisISAdjAreaAddrTable isisISAdjIPAddrTable isisISAdjProtSuppTable draft-ietf-netmodinterfaces-cfg-03 Defines a YANG data model for the configuration of network interfaces. Used in the Programmatic Interface RESTAPI feature. IEEE 802.1AB Management Information Base 7.7.1 module for LLDP configuration, statistics, local system data and remote systems data components. IEEE 802.
RFC# Full Name S4810 FORCE10-LINKAGG-MIB Force10 Enterprise Link Aggregation MIB 7.6.1 FORCE10-CHASSIS-MIB Force10 E-Series Enterprise Chassis MIB FORCE10-COPYCONFIG-MIB Force10 File Copy MIB (supporting 7.7.1 SNMP SET operation) FORCE10-MONMIB Force10 Monitoring MIB 7.6.1 FORCE10-PRODUCTSMIB Force10 Product Object Identifier MIB 7.6.1 FORCE10-SS-CHASSISMIB Force10 S-Series Enterprise Chassis MIB 7.6.1 FORCE10-SMI Force10 Structure of Management 7.6.